[Openstack] Security Groups Can't Apply in Kilo with Neutron & XenServer

Adhi Priharmanto adhi.pri at gmail.com
Thu Sep 22 03:46:32 UTC 2016


Hi,

An update from my test: even when I empty the security group so that no rule is defined,
I can still reach (ping & ssh) my instance from outside. Why?

On Wed, Sep 21, 2016 at 5:18 PM, Adhi Priharmanto <adhi.pri at gmail.com>
wrote:

> Hi Huan Xie,
>
>
> Thanks for your fast response. I applied those patches to my Dom0 and DomU
> (nova-compute), then restarted the neutron-openvswitch-agent and nova-compute
> services.
>
> The error on neutron-openvswitch-agent doesn't appear anymore. Now I'm
> still trying Security Group Rules variations for the instance; I'll update the results
> as soon as I can.
>
>
>
> On Wed, Sep 21, 2016 at 2:11 PM, Huan Xie <huan.xie at citrix.com> wrote:
>
>> Hi Adhi,
>>
>>
>>
>> 1.       From http://pastebin.com/gwf1wdEb, we can see you have set the
>> “conntrack” command in netwrap, but it seems the whole patch is not applied; I
>> mean you need to apply the whole patch https://review.openstack.org/#/c/341304/
>> in neutron.
>>
>> netwrap is located in Dom0 at /etc/xapi.d/plugins
>>
>> neutron-rootwrap-xen-dom0 is located in DomU, maybe at
>> /usr/local/bin/neutron-rootwrap-xen-dom0 or another path like that,
>> depending on how you installed it; you may need to apply the patch to the
>> source file.
>>
>>    1. With these rules, I'm still able to ping the instance
>>    2. Also please check the neutron-openvswitch-agent error list from when I
>>    remove a rule and terminate an instance.
>>
>> -> For the two: since the patch seems not to be applied completely, you
>> may still be able to ping the VM. Also you need to install conntrack-tools in
>> Dom0, because the “conntrack” command in netwrap is sent to Dom0; otherwise
>> the real “conntrack” command does not take effect.
>>
>>
>>
>> Hope these checks can help you.
>>
>>
>>
>> Thanks,
>>
>> Huan
>>
>>
>>
>>
>>
>> *From:* Adhi Priharmanto [mailto:adhi.pri at gmail.com]
>> *Sent:* Wednesday, September 21, 2016 1:59 PM
>>
>> *To:* Huan Xie
>> *Cc:* openstack at lists.openstack.org
>> *Subject:* Re: [Openstack] Security Groups Can't Apply in Kilo with
>> Neutron & XenServer
>>
>>
>>
>> Hi All....
>>
>>
>>
>> Sorry for my late reply..
>>
>>
>>
>> @Bob, I installed Liberty manually, not using devstack, packstack, etc.
>>
>>
>>
>> Here is my node service configuration.
>>
>>
>>
>>
>>
>>
>>
>> =============================
>>
>> NETWORK-NODE
>>
>> =============================
>>
>> Configuration : http://pastebin.com/6DLqUbjU
>>
>>
>>
>>
>>
>> =============================
>>
>> COMPUTE-NODE
>>
>> =============================
>>
>> Configuration : http://pastebin.com/RhGBvNbA
>>
>> Error list : http://pastebin.com/xHQSb625
>>
>>
>>
>> =============================
>>
>> XENSERVER-NODE
>>
>> =============================
>>
>> Configuration : http://pastebin.com/gwf1wdEb
>>
>> Error list : http://pastebin.com/wNzbhcPi
>>
>>
>>
>> For XenServer,
>>
>>    - I also set up Multi Tenancy Networking Protections in XenServer,
>>    following this guide:
>>    https://github.com/openstack/nova/blob/master/plugins/xenserver/doc/networking.rst
>>    - I also set up sysctl.conf (see config at xenserver-node pastebin),
>>    but it seems no br_netfilter module is available on XenServer.
>>
>> =============================
>>
>> neutron security-group-rule-list
>>
>> =============================
>>
>>  # neutron security-group-rule-list
>> +--------------------------------------+----------------+-----------+-----------+---------------+-----------------+
>> | id                                   | security_group | direction | ethertype | protocol/port | remote          |
>> +--------------------------------------+----------------+-----------+-----------+---------------+-----------------+
>> | 310fb8eb-bcf7-4425-83a3-f2f3f1335958 | default        | egress    | IPv6      | any           | any             |
>> | 42e8b7e8-1262-4673-8547-55fa6b33d4f1 | default        | egress    | IPv4      | any           | any             |
>> | 4e8bde5b-344a-4c6a-b09d-223d9fec72bf | default        | ingress   | IPv4      | any           | default (group) |
>> | cd8f3aaa-9882-42a0-b713-87489cfff22c | default        | ingress   | IPv6      | any           | default (group) |
>> | d884ff2f-71e8-4647-b45d-e8f92ad87261 | default        | egress    | IPv4      | any           | any             |
>> | f4f85fae-6a15-4a85-ae51-5f34536bb72e | default        | ingress   | IPv6      | any           | default (group) |
>> | f6e3929a-3df4-4209-8486-7ce0b0047771 | default        | egress    | IPv6      | any           | any             |
>> | fbb2a744-de01-49c7-b875-8cdfbc4fdd7f | default        | ingress   | IPv4      | any           | default (group) |
>> +--------------------------------------+----------------+-----------+-----------+---------------+-----------------+
>>
>>    - With these rules, I'm still able to ping the instance
>>    - Also please check the neutron-openvswitch-agent error list from when I
>>    remove a rule and terminate an instance.
>>
>>
>>
>> I hope someone can guide me with this problem, thanks in advance.
>>
>>
>>
>>
>>
>> On Sun, Sep 18, 2016 at 8:16 AM, Huan Xie <huan.xie at citrix.com> wrote:
>>
>> Hi,
>>
>>
>>
>> After applying these changes, is your neutron ml2 configuration correct?
>> Mainly the parts below:
>>
>> If it still cannot work, could you please describe the errors?
>>
>> Besides these, we find XenServer dom0 lacks conntrack support for
>> neutron-ovs-agent in the compute node; there is a fix waiting for review:
>> https://review.openstack.org/#/c/341304/
>>
>> 1.       In nova.conf, two configurations should be set
>>
>> [DEFAULT]
>>
>> firewall_driver = nova.virt.firewall.NoopFirewallDriver
>>
>> security_group_api=neutron
>>
>> use_neutron = True
>>
>> [xenserver]
>>
>> ovs_integration_bridge =
>>
>> vif_driver = nova.virt.xenapi.vif.XenAPIOpenVswitchDriver
>>
>>  2.       In neutron, check the configuration ml2_conf.ini in the compute node,
>> which is used for the neutron L2 agent
>>
>> [agent]
>>
>> minimize_polling = False
>>
>> root_helper_daemon =
>>
>> root_helper = /usr/local/bin/neutron-rootwrap-xen-dom0 /etc/neutron/rootwrap.conf
>>
>> [ovs]
>>
>> integration_bridge =
>>
>> bridge_mappings =
>>
>> Thanks,
>>
>> Huan
>>
>>
>>
>> *From:* Adhi Priharmanto [mailto:adhi.pri at gmail.com]
>> *Sent:* Thursday, September 15, 2016 3:48 PM
>>
>>
>> *To:* Huan Xie
>> *Cc:* openstack at lists.openstack.org
>> *Subject:* Re: [Openstack] Security Groups Can't Apply in Kilo with
>> Neutron & XenServer
>>
>>
>>
>> Hi, I still have no luck with this problem; even using the Liberty release,
>> security groups are still not applied on the network. Can you help me again?
>>
>>
>>
>> On Thu, Mar 17, 2016 at 10:55 AM, Adhi Priharmanto <adhi.pri at gmail.com>
>> wrote:
>>
>> Ok, I'll try to patch my neutron.
>>
>>
>>
>> On Tue, Mar 15, 2016 at 8:52 AM, Huan Xie <huan.xie at citrix.com> wrote:
>>
>> Hi,
>>
>> To apply the patch, you need to download the changed files from
>> https://review.openstack.org/#/c/251271/ and its dependent changes; you
>> can find its dependent changes in the right corner (Related Changes) when you
>> open the link.
>>
>> For the files you need to edit: in the middle of the code review page, you
>> can find a section called “Files”; this part shows you which files are
>> changed.
>>
>>
>>
>> Best Regards//Huan
>>
>>
>>
>> *From:* Adhi Priharmanto [mailto:adhi.pri at gmail.com]
>> *Sent:* Monday, March 14, 2016 6:21 PM
>> *To:* Huan Xie
>> *Cc:* openstack at lists.openstack.org
>> *Subject:* Re: [Openstack] Security Groups Can't Apply in Kilo with
>> Neutron & XenServer
>>
>>
>>
>> Hi Xie,
>>
>>
>>
>> I also commented on your post at blog.citrix :) ; steps 1 - 3 were
>> clear for me. I'm still confused about the patched code in
>> https://review.openstack.org/#/c/251271/ for some files; could you explain
>> more how to do it, and which file I should edit?
>>
>>
>>
>> Thanks in advance
>>
>>
>>
>> On Mon, Mar 14, 2016 at 3:34 PM, Huan Xie <huan.xie at citrix.com> wrote:
>>
>> Hi Adhi,
>>
>>
>>
>> Do you use devstack to deploy XenServer + Kilo, or do you deploy manually?
>>
>> The current Kilo release does not support XenServer + Neutron security groups,
>> because security groups are implemented via iptables on a Linux bridge;
>> however, no Linux bridge is created when booting a new instance.
>>
>> But we now have a new fix to support neutron security groups; we have
>> tested that it can work. This is being implemented under a blueprint:
>> https://review.openstack.org/#/c/251271/
>>
>> So, if you want to use neutron security groups in Kilo, you should add
>> some patches to your code and also make the configurations as below:
>>
>>
>>
>> 1.       In nova.conf, two configurations should be set
>>
>> [DEFAULT]
>>
>> firewall_driver = nova.virt.firewall.NoopFirewallDriver
>>
>> security_group_api=neutron
>>
>>
>>
>> [xenserver]
>>
>> ovs_integration_bridge =
>>
>> vif_driver = nova.virt.xenapi.vif.XenAPIOpenVswitchDriver
>>
>>
>>
>>                 If you don’t know how to configure
>> ovs_integration_bridge, then you can refer to this blog:
>> https://www.citrix.com/blogs/2015/11/30/integrating-xenserver-rdo-and-neutron/
>>
>>
>>
>> 2.       In neutron, check the configuration ml2_conf.ini in the compute node,
>> which is used for the neutron L2 agent
>>
>> [agent]
>>
>> minimize_polling = False
>>
>> root_helper_daemon =
>>
>> root_helper = /usr/local/bin/neutron-rootwrap-xen-dom0 /etc/neutron/rootwrap.conf
>>
>>
>>
>> [ovs]
>>
>> integration_bridge =
>>
>> bridge_mappings =
>>
>>
>>
>>                 Also for the ovs configuration items, if you are not clear on
>> how to configure them, refer to the blog.
>>
>>
>>
>> 3.       In neutron, check the configuration /etc/neutron/rootwrap.conf in the
>> compute node
>>
>> [xenapi]
>>
>> # XenAPI configuration is only required by the L2 agent if it is to
>>
>> # target a XenServer/XCP compute host's dom0.
>>
>> xenapi_connection_url=
>>
>> xenapi_connection_username=
>>
>> xenapi_connection_password=
>>
>>
>>
>> Best Regards//Huan
>>
>>
>>
>> -------- Original Message --------
>> Subject: [Openstack] Security Groups Can't Apply in Kilo with Neutron &
>> XenServer
>> From: Adhi Priharmanto
>> To: openstack at lists.openstack.org
>> CC:
>>
>> Hi all,
>>
>> I have OpenStack Kilo installed in my lab; for the compute hypervisor I use
>> XenServer 6.5, and for networking Neutron OVS. For the Controller, Network,
>> and Compute nodes I'm using Ubuntu 14.04.
>>
>>
>>
>> My problem is that security group rules aren't applied to the instances that
>> are created. For example, there is no rule for SSH port 22 in the security group I
>> assigned to the instance, but the instance with a floating IP can be logged into via ssh
>> from the external network.
>>
>>
>> I've already added this option in my nova.conf
>>
>>
>>
>> firewall_driver=nova.virt.xenapi.firewall.Dom0IptablesFirewallDriver
>>
>>
>>
>> and also defined firewall_driver in my ml2_conf.ini on the Controller,
>> Network, and Compute nodes
>>
>>
>>
>> [ovs]
>>
>> enable_security_group = True
>>
>> enable_ipset = True
>>
>> firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
>>
>>
>>
>> Can somebody help me with this problem?
>>
>>
>>
>>
>>
>> --
>>
>> Cheers,
>>
>>
>>
>> *Adhi Priharmanto*
>>
>> about.me/a_dhi
>>
>>
>>
>>
>>
>>
>>
>>
>> _______________________________________________
>> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>> Post to     : openstack at lists.openstack.org
>> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>
>
>
>


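As an added example (not from the thread, and not OpenStack's own code), a small Python checker that reads nova.conf and ml2_conf.ini text and flags the settings Huan Xie lists above as required for Neutron security groups with XenServer; it also catches the Dom0IptablesFirewallDriver setting from the original post. The sample config contents are constructed, and the bridge name xapi1 is a placeholder.

```python
import configparser

# Required values from Huan Xie's steps; None means "must be set, any non-empty value".
EXPECTED = {
    "nova.conf": {
        ("DEFAULT", "firewall_driver"): "nova.virt.firewall.NoopFirewallDriver",
        ("DEFAULT", "security_group_api"): "neutron",
        ("xenserver", "vif_driver"): "nova.virt.xenapi.vif.XenAPIOpenVswitchDriver",
        ("xenserver", "ovs_integration_bridge"): None,
    },
    "ml2_conf.ini": {
        ("agent", "minimize_polling"): "False",
        ("agent", "root_helper"): "/usr/local/bin/neutron-rootwrap-xen-dom0 /etc/neutron/rootwrap.conf",
        ("ovs", "integration_bridge"): None,
        ("ovs", "bridge_mappings"): None,
    },
}

def check_config(name, text):
    """Return a list of findings (empty list means the file matches the thread's settings)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    for (section, key), want in EXPECTED[name].items():
        got = cp.get(section, key, fallback=None)   # None if section or key is absent
        got = got.strip() if got is not None else None
        if not got:
            findings.append(f"{name}: [{section}] {key} is not set")
        elif want is not None and got != want:
            findings.append(f"{name}: [{section}] {key}={got!r}, want {want!r}")
    return findings

# Constructed sample: the original poster's nova.conf fragment. The thread says this
# driver cannot enforce security groups on XenServer (no Linux bridge for iptables).
BAD_NOVA = """
[DEFAULT]
firewall_driver=nova.virt.xenapi.firewall.Dom0IptablesFirewallDriver
"""
# Constructed sample with the settings from the thread; xapi1 is a placeholder bridge name.
GOOD_NOVA = """
[DEFAULT]
firewall_driver = nova.virt.firewall.NoopFirewallDriver
security_group_api=neutron
[xenserver]
ovs_integration_bridge = xapi1
vif_driver = nova.virt.xenapi.vif.XenAPIOpenVswitchDriver
"""
if __name__ == "__main__":
    print("\n".join(check_config("nova.conf", BAD_NOVA) or ["nova.conf: OK"]))
```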