<div dir="ltr">You said: <div><br></div><div><div>>it works, but when i try to attach a security group to an exist vm , api throw an error :<span style="font-family:arial,sans-serif;font-size:12.666666984558105px">"Network requires >port_security_enabled and subnet associated in order to apply security groups."</span></div>
<div><span style="font-family:arial,sans-serif;font-size:12.666666984558105px"><br></span></div><div style><span style="font-family:arial,sans-serif;font-size:12.666666984558105px">What command are you running to generate that error? </span></div>
<br style="font-family:arial,sans-serif;font-size:12.666666984558105px"></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Sat, Jun 8, 2013 at 1:45 AM, daniels cai <span dir="ltr"><<a href="mailto:danxcai@gmail.com" target="_blank">danxcai@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Aaron , thanks for you answers, i see it.<br><br>we are not useing nvp in our environemnt<div style="font-family:arial,helvetica,sans-serif;font-size:large;color:rgb(51,51,51);display:inline" class="gmail_default">
</div>yet.<br><br>my vm is boot with a subnet_id specified<div style="font-family:arial,helvetica,sans-serif;font-size:large;color:rgb(51,51,51);display:inline" class="gmail_default">. </div>i am sure about it .<div>here is more info:<br>
<br>vm has an ip "192.168.6.100" , this ip belongs to subnet <br>83afd693-7e36-41e9-b896-9d8b0d89d255<br>, this subnet belongs to network "iaas-net", network id is<br>5332f0f7-3156-4961-aa67-0b8507265fa5<br>
<br># nova list<br><br>| 24891d97-8d0e-4e99-9537-c8f8291913d0 | ubuntu-1304-server-amd64 | ACTIVE | iaas-net=192.168.6.100<br><br>here is quantum network info :<br><br># quantum net-list<br>+--------------------------------------+------------------+-------------------------------------------------------+<br>
| id | name | subnets |<br>+--------------------------------------+------------------+-------------------------------------------------------+<br>
|<br>5332f0f7-3156-4961-aa67-0b8507265fa5 | iaas-net | 329ca377-6193-4a0c-9320-471cd5ff762f <a href="http://192.168.202.0/24" target="_blank">192.168.202.0/24</a> |<br>| | |<br>
83afd693-7e36-41e9-b896-9d8b0d89d255 <a href="http://192.168.6.0/24" target="_blank">192.168.6.0/24</a> |<br>| | | bb1afb2d-ab59-4ba4-8a76-8b5b426b8e33 <a href="http://192.168.7.0/24" target="_blank">192.168.7.0/24</a> |<br>
| | | d59794df-bb49-4924-a19f-cbdec0ce24df <a href="http://192.168.188.0/24" target="_blank">192.168.188.0/24</a> |<br>| | | dca45033-e506-42e4-bf05-aaccd0591c55 <a href="http://192.168.193.0/24" target="_blank">192.168.193.0/24</a> |<br>
| | | e8a9be74-2f39-4d7e-9287-c5b85b573cca <a href="http://192.168.192.0/24" target="_blank">192.168.192.0/24</a> |<br><br><br>i enabled the following features in quantum<br>
1. namespace<br>
2. overlap ips<br><span style="color:rgb(51,51,51);font-family:arial,helvetica,sans-serif;font-size:large"><br></span><div>if any more info needed for debug, i will attach<div><div class="h5"><br><br><br>Daniels Cai<br><a href="http://dnscai.com" target="_blank">http://dnscai.com</a><br>
<br><br>2013/6/8 Aaron Rosen <<a href="mailto:arosen@nicira.com" target="_blank">arosen@nicira.com</a>><br>><br>> There is no port_security_enabled config option. This is an attribute on a port that is used if the plugin you are using implements the port_security_extension (which is only nvp at the time).<br>
><br>> I'm guessing your issue is the network you are trying to boot an instance on does not have a subnet associated with it.<br>><br>> Aaron<br>><br>><br>> On Sat, Jun 8, 2013 at 12:37 AM, daniels cai <<a href="mailto:danxcai@gmail.com" target="_blank">danxcai@gmail.com</a>> wrote:<br>
>><br>>> hi Aaron<br>>> i set the following in nova.conf<br>>><br>>> security_group_api=quantum<br>>> firewall_driver=nova.virt.firewall.NoopFirewallDriver<br>>><br>>> it works, but when i try to attach a security group to an exist vm , api throw an error :<br>
>><br>>> "Network requires port_security_enabled and subnet associated in order to apply security groups."<br>>><br>>> the i add port_security_enabled in quantum.conf in all nodes.<br>>> "port_security_enabled=True"<br>
>><br>>> with no luck, it still doesn't work .<br>>><br>>> Any advice ? does quantum security group support this feature?<br>>><br>>> Daniels Cai<br>>> <a href="http://dnscai.com" target="_blank">http://dnscai.com</a><br>
>><br>>><br>>> 2013/6/8 Aaron Rosen <<a href="mailto:arosen@nicira.com" target="_blank">arosen@nicira.com</a>><br>>>><br>>>> Hi Joe,<br>>>><br>>>> I thought setting firewall_driver = quantum.agent.firewall.NoopFirewallDriver would do the trick? Also, the ovs plugin does not do any mac spoof filtering at the OVS level. Those are all done in iptables.<br>
>>><br>>>> Aaron<br>>>><br>>>> On Fri, Jun 7, 2013 at 8:22 PM, Joe Breu <<a href="mailto:joseph.breu@rackspace.com" target="_blank">joseph.breu@rackspace.com</a>> wrote:<br>>>>><br>
>>>> Hello,<br>
>>>><br>>>>> Is there a way to create a quantum l2 network using OVS that does not have MAC and IP spoofing enabled either in iptables or OVS? One workaround that we found was to set the OVS plugin firewall_driver = quantum.agent.firewall.NoopFirewallDriver to security_group_api=nova however this is far from ideal and doesn't solve the problem of MAC spoof filtering at the OVS level.<br>
>>>><br>>>>> Thanks for any help<br>>>>><br>>>>><br>>>>> _______________________________________________<br>>>>> Mailing list: <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a><br>
>>>> Post to : <a href="mailto:openstack@lists.launchpad.net" target="_blank">openstack@lists.launchpad.net</a><br>>>>> Unsubscribe : <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a><br>
>>>> More help : <a href="https://help.launchpad.net/ListHelp" target="_blank">https://help.launchpad.net/ListHelp</a><br>>>><br>>>><br>>>><br>>>> _______________________________________________<br>
>>> Mailing list: <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a><br>>>> Post to : <a href="mailto:openstack@lists.launchpad.net" target="_blank">openstack@lists.launchpad.net</a><br>
>>> Unsubscribe : <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a><br>>>> More help : <a href="https://help.launchpad.net/ListHelp" target="_blank">https://help.launchpad.net/ListHelp</a><br>
>>><br>>><br>></div></div></div></div></div>
</blockquote></div><br></div>