[Openstack] Security Groups Can't Apply in Kilo with Neutron & XenServer

Adhi Priharmanto adhi.pri at gmail.com
Mon Mar 14 12:21:23 UTC 2016


Oh, I forgot: I deployed OpenStack from the Ubuntu packages, following the
OpenStack docs here:
http://docs.openstack.org/kilo/install-guide/install/apt/content/
On Mar 14, 2016 3:47 PM, "Huan Xie" <huan.xie at citrix.com> wrote:

> Hi Adhi,
>
> Do you use devstack to deploy XenServer + Kilo, or do you deploy manually?
>
> The current Kilo release does not support XenServer + Neutron security
> groups, because security groups are implemented via iptables on a Linux
> bridge; however, there is no Linux bridge created when booting a new
> instance.
>
> But we now have a new fix to support neutron security groups. We have
> tested that it can work, and this will be implemented as a blueprint:
> https://review.openstack.org/#/c/251271/
>
> So, if you want to use neutron security groups in Kilo, you should add some
> patches to your code and also please make the configurations as below:
>
> 1. In nova.conf, two configurations should be set
>
> [DEFAULT]
> firewall_driver = nova.virt.firewall.NoopFirewallDriver
> security_group_api=neutron
>
> [xenserver]
> ovs_integration_bridge =
> vif_driver = nova.virt.xenapi.vif.XenAPIOpenVswitchDriver
>
> If you don’t know how to configure ovs_integration_bridge, then you can
> refer to this blog:
> https://www.citrix.com/blogs/2015/11/30/integrating-xenserver-rdo-and-neutron/
>
> 2. In neutron, check the configuration in ml2_conf.ini on the compute node,
> which is used for the neutron L2 agent
>
> [agent]
> minimize_polling = False
> root_helper_daemon =
> root_helper = /usr/local/bin/neutron-rootwrap-xen-dom0 /etc/neutron/rootwrap.conf
>
> [ovs]
> integration_bridge =
> bridge_mappings =
>
> Also, for the ovs configuration items, if you are not clear on how to
> configure them, refer to the blog
>
> 3. In neutron, check the configuration in /etc/neutron/rootwrap.conf on the
> compute node
>
> [xenapi]
> # XenAPI configuration is only required by the L2 agent if it is to
> # target a XenServer/XCP compute host's dom0.
> xenapi_connection_url=
> xenapi_connection_username=
> xenapi_connection_password=
>
> Best Regards//Huan
>
> -------- Original Message --------
> Subject: [Openstack] Security Groups Can't Apply in Kilo with Neutron &
> XenServer
> From: Adhi Priharmanto
> To: openstack at lists.openstack.org
> CC:
>
> Hi all,
>
> I had OpenStack Kilo installed in my lab. For the compute hypervisor I use
> XenServer 6.5, and for networking I use Neutron OVS. For the controller,
> network, and compute nodes I'm using Ubuntu 14.04.
>
> My problem is that security group rules aren't applied to the instances that
> are created. For example, there is no rule for SSH port 22 in the security
> group I defined for the instance, but the instance with a floating IP is
> able to be logged into by SSH from the external network.
>
> I've already added this option to my nova.conf:
>
> firewall_driver=nova.virt.xenapi.firewall.Dom0IptablesFirewallDriver
>
> and also defined firewall_driver in my ml2_conf.ini on the controller,
> network, and compute nodes:
>
> [ovs]
> enable_security_group = True
> enable_ipset = True
> firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
>
> Can somebody help me with this problem?
>
> --
> Cheers,
>
> *Adhi Priharmanto*
> about.me/a_dhi
>
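
An added example, not part of the original thread and not OpenStack project code: a Python check that compares nova.conf and the L2 agent's ml2_conf.ini on a compute node against the settings listed in the quoted reply and reports options that are missing, blank or different. The `audit` helper, the `EXPECTED` table and the sample file text are constructed for illustration, and treating the options the reply leaves blank as "needs a site-specific value" is an assumption.

```python
import configparser

# Settings listed in the quoted reply. None marks an option the reply leaves
# blank; treating it as "needs a site-specific value" is an assumption.
EXPECTED = {
    "nova.conf": {
        ("DEFAULT", "firewall_driver"): "nova.virt.firewall.NoopFirewallDriver",
        ("DEFAULT", "security_group_api"): "neutron",
        ("xenserver", "ovs_integration_bridge"): None,
        ("xenserver", "vif_driver"): "nova.virt.xenapi.vif.XenAPIOpenVswitchDriver",
    },
    "ml2_conf.ini": {
        ("agent", "minimize_polling"): "False",
        ("agent", "root_helper"): "/usr/local/bin/neutron-rootwrap-xen-dom0 /etc/neutron/rootwrap.conf",
        ("ovs", "integration_bridge"): None,
        ("ovs", "bridge_mappings"): None,
    },
}

def audit(name, text):
    """Return findings for one config file's text (hypothetical helper)."""
    # Renaming default_section keeps [DEFAULT] options from leaking into other sections.
    cp = configparser.ConfigParser(default_section="__unused__",
                                   interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    for (section, option), want in EXPECTED[name].items():
        got = cp.get(section, option, fallback=None)
        where = f"{name} [{section}] {option}"
        if got is None:
            findings.append(f"{where}: missing")
        elif want is None and not got.strip():
            findings.append(f"{where}: blank, needs a site-specific value")
        elif want is not None and got.strip() != want:
            findings.append(f"{where}: is {got.strip()!r}, reply lists {want!r}")
    return findings

# Constructed sample resembling the original poster's setup, not a real file.
SAMPLE_NOVA = """\
[DEFAULT]
firewall_driver = nova.virt.xenapi.firewall.Dom0IptablesFirewallDriver
[xenserver]
ovs_integration_bridge =
vif_driver = nova.virt.xenapi.vif.XenAPIOpenVswitchDriver
"""

if __name__ == "__main__":
    for line in audit("nova.conf", SAMPLE_NOVA):
        print(line)
```

Matching settings only show that the files agree with the reply; the reply also says Kilo needs code patches, so confirm enforcement by testing that a port with no allow rule is actually unreachable.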