<div dir="ltr">Hi!<div><br><div><span style="font-family:arial,sans-serif;font-size:12.800000190734863px">I'm back to "LibvirtHybridOVSBridgeDriver" and</span><span style="font-family:arial,sans-serif;font-size:12.800000190734863px"> Security Groups are working again... I did some of cleanups / reboots to make sure and it is okay now.</span><br>
</div></div><div><span style="font-family:arial,sans-serif;font-size:12.800000190734863px"><br></span></div><div><span style="font-family:arial,sans-serif;font-size:12.800000190734863px">Tks!</span></div><div><span style="font-family:arial,sans-serif;font-size:12.800000190734863px">Thiago</span></div>
</div><div class="gmail_extra"><br><br><div class="gmail_quote">On 30 October 2013 19:48, Martinx - �$B%8%'!<%`%:�(B <span dir="ltr"><<a href="mailto:thiagocmartinsc@gmail.com" target="_blank">thiagocmartinsc@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">No problem... =)<div><br></div><div>My nova.conf [DEFAULT] section have:</div><div class="im"><div><br>
</div><div>---</div><div><div>firewall_driver = nova.virt.firewall.NoopFirewallDriver</div><div>security_group_api = neutron</div>
</div></div><div>libvirt_vif_driver = nova.virt.libvirt.vif.LibvirtOpenVswitchDriver<br></div><div>---</div><div><br></div><div>But, even with "libvirt_vif_driver = nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver", it doesn't work as expected... I can fallback to HybridOVS, if required / recommended (but the non-hybrid is faster).</div>
<div><br></div><div>Tks,</div><div>Thiago</div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><br><div class="gmail_quote">On 30 October 2013 16:14, Aaron Rosen <span dir="ltr"><<a href="mailto:arosen@nicira.com" target="_blank">arosen@nicira.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Whoops sorry about that: nova.conf - <a href="http://codepad.org/howA9b1E" target="_blank">http://codepad.org/howA9b1E</a> <div>
<br></div><div>The only settings matter for this would be: </div><div><pre style="line-height:1.1em;background-color:rgb(246,246,246);margin-bottom:0.5em;margin-top:0.5em;padding:0px"><span>firewall_driver</span><span>=</span><span>nova</span><span>.</span><span>virt</span><span>.</span><span>firewall</span><span>.</span><span>NoopFirewallDriver</span>
<span>security_group_api</span><span>=</span><span>quantum</span>
<span>libvirt_vif_driver</span><span>=</span><span>nova</span><span>.</span><span>virt</span><span>.</span><span>libvirt</span><span>.</span><span>vif</span><span>.</span><span>LibvirtHybridOVSBridgeDriver</span></pre>
</div><div><br></div></div><div><div><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Oct 29, 2013 at 4:17 PM, Martinx - �$B%8%'!<%`%:�(B <span dir="ltr"><<a href="mailto:thiagocmartinsc@gmail.com" target="_blank">thiagocmartinsc@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">At nova.conf, firewall_driver is under [DEFAULT].</div><div><div><div class="gmail_extra">
<br><br><div class="gmail_quote">On 29 October 2013 20:58, Martinx - �$B%8%'!<%`%:�(B <span dir="ltr"><<a href="mailto:thiagocmartinsc@gmail.com" target="_blank">thiagocmartinsc@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hello my friend! =)<div><br></div><div>Yes, firewall_driver is under [securitygroup].</div><div><br></div>
<div>---</div><div><div>root@net-node-1:~# grep -v ^$ /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini | grep -v ^#</div>
<div>[ovs]</div><div>tenant_network_type = vxlan</div><div>enable_tunneling = True</div><div>tunnel_type = vxlan</div><div>tunnel_id_ranges = 1:1000</div><div>integration_bridge = br-int</div><div>tunnel_bridge = br-tun</div>
<div>local_ip = 10.20.2.52</div><div><br></div><div>[agent]</div><div>polling_interval = 2</div><div>tunnel_types = vxlan</div><div><br></div><div>[securitygroup]</div><div>firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver</div>
<div><br></div><div>[database]</div><div>connection = mysql://<a href="http://neutronUser:pofs4433gEW@controller-1.yourdomain.com/neutron" target="_blank">neutronUser:pofs4433gEW@controller-1.yourdomain.com/neutron</a></div>
</div><div>---</div>
<div><br></div><div>Aaron, your "nova.conf" that you pasted, IS your ovs_neutron_plugin.ini ... Can you re-paste it, please?</div><div><br></div><div>Tks!</div><div>Thiago</div></div><div><div>
<div class="gmail_extra"><br>
<br><div class="gmail_quote">On 29 October 2013 19:50, Aaron Rosen <span dir="ltr"><<a href="mailto:arosen@nicira.com" target="_blank">arosen@nicira.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">Hi Martinx, <div><br></div><div>can you confirm that firewall_driver is under the securitygroup section? I can confirm that the following nova.conf and ovs_neutron_plugin.ini work with security groups: </div>
<div><br></div><div>nova.conf <a href="http://codepad.org/vH3aIs8f" target="_blank">http://codepad.org/vH3aIs8f</a></div><div>ovs_neutron_plugin.ini - <a href="http://codepad.org/vH3aIs8f" target="_blank">http://codepad.org/vH3aIs8f</a></div>
<div><br>Aaron</div>
</div><div class="gmail_extra"><br><br><div class="gmail_quote"><div><div>On Mon, Oct 28, 2013 at 8:41 PM, Martinx - �$B%8%'!<%`%:�(B <span dir="ltr"><<a href="mailto:thiagocmartinsc@gmail.com" target="_blank">thiagocmartinsc@gmail.com</a>></span> wrote:<br>
</div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div><div dir="ltr">The only way I'm seeing to protect your Havana cloud right now (topology Per-Tenants Router with Private Networks), is by enabling FWaaS...<div>
<br></div><div>That's it! FWaaS installed, Tenant network protected.</div>
<div><br></div><div>I think that there is a bug with Security Groups in Havana / Neutron...</div><div><br></div><div>Comments?!</div><div><br></div><div>Regards,</div><div>Thiago</div></div><div><div>
<div class="gmail_extra"><br><br>
<div class="gmail_quote">On 28 October 2013 22:18, Martinx - �$B%8%'!<%`%:�(B <span dir="ltr"><<a href="mailto:thiagocmartinsc@gmail.com" target="_blank">thiagocmartinsc@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">Guys,<div><br></div><div>A new test to see that the packages currently did not mach any iptables rules at the compute node, completely bypassing "Security Groups", look:</div><div><br></div><div>
<br>
</div><div>* Instance with ONLY port 80 TCP open:</div><div><br></div><div>---</div><div><div>root@hypervisor-1:~# <b>iptables -L neutron-openvswi-i2fa3cfab-a -nv</b></div><div>Chain neutron-openvswi-i2fa3cfab-a (1 references)</div>
<div>
<div> pkts bytes target prot opt in out source destination </div><div> 0 0 DROP all -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> state INVALID</div>
<div> 0 0 RETURN all -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> state RELATED,ESTABLISHED</div><div>
0 0 RETURN tcp -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> tcp dpt:80</div>
<div> 0 0 RETURN udp -- * * 192.168.50.3 <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> udp spt:67 dpt:68</div><div> 0 0 neutron-openvswi-sg-fallback all -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> </div>
</div></div><div>---<br></div><div><br></div><div>Starting dumping TCP data directly on instance port:</div><div><br></div><div>---</div><div><div>root@hypervisor-1:~# <b>tcpdump -ni tap2fa3cfab-a3</b></div><div>tcpdump: WARNING: tap2fa3cfab-a3: no IPv4 address assigned</div>
<div>tcpdump: verbose output suppressed, use -v or -vv for full protocol decode</div><div>listening on tap2fa3cfab-a3, link-type EN10MB (Ethernet), capture size 65535 bytes</div></div><div>....</div><div>---</div><div><br>
</div><div>....and trying to connect at its port 22 from the Internet (not allowed!!):</div><div><br></div><div>---</div><div><div>thiago@desktop-1:~$ <b>telnet <a href="tel:189.8.93.69%2022" value="+551898936922" target="_blank">189.8.93.69 22</a></b></div>
<div>Trying 189.8.93.69...</div><div>
Connected to 189.8.93.69.</div><div>Escape character is '^]'.</div><div>SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.1</div></div><div>---<br></div><div><br></div><div>NOTE: <b>189.8.93.69</b> is the 'Floating IP' attached to that Instance and <b>192.168.50.2</b> is the Instance IP.</div>
<div><br></div><div>---</div><div><div>root@hypervisor-1:~# <b>tcpdump -ni tap2fa3cfab-a3</b></div><div>tcpdump: WARNING: tap2fa3cfab-a3: no IPv4 address assigned</div><div>tcpdump: verbose output suppressed, use -v or -vv for full protocol decode</div>
<div>listening on tap2fa3cfab-a3, link-type EN10MB (Ethernet), capture size 65535 bytes</div><div>22:13:40.800122 IP 200.232.113.107.7955 > 192.168.50.2.22: Flags [S], seq <a href="tel:2257975349" value="+552257975349" target="_blank">2257975349</a>, win 29200, options [mss 1460,sackOK,TS val 52435018 ecr 0,nop,wscale 7], length 0</div>
<div>22:13:40.800525 IP 192.168.50.2.22 > 200.232.113.107.7955: Flags [S.], seq <a href="tel:2704020835" value="+12704020835" target="_blank">2704020835</a>, ack <a href="tel:2257975350" value="+552257975350" target="_blank">2257975350</a>, win 14480, options [mss 1460,sackOK,TS val 703831 ecr 52435018,nop,wscale 2], length 0</div>
<div>22:13:40.805484 IP 200.232.113.107.7955 > 192.168.50.2.22: Flags [.], ack 1, win 229, options [nop,nop,TS val 52435019 ecr 703831], length 0</div>
<div>22:13:40.821804 IP 192.168.50.2.22 > 200.232.113.107.7955: Flags [P.], seq 1:42, ack 1, win 3620, options [nop,nop,TS val 703837 ecr 52435019], length 41</div><div>22:13:40.826058 IP 200.232.113.107.7955 > 192.168.50.2.22: Flags [.], ack 42, win 229, options [nop,nop,TS val 52435025 ecr 703837], length 0</div>
</div><div>---</div><div><br></div><div>See?! Security Groups are being ignored.</div><div><br></div><div>Please, help!</div><div><br></div><div>Thanks! =)</div><div>Thiago<br></div></div><div><div>
<div class="gmail_extra"><br><br>
<div class="gmail_quote">On 28 October 2013 22:03, Martinx - �$B%8%'!<%`%:�(B <span dir="ltr"><<a href="mailto:thiagocmartinsc@gmail.com" target="_blank">thiagocmartinsc@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">Okay, I think I got it...<div><br></div><div>Nova should proxy 'Security Groups' calls to Neutron (and not do it by itself), so, it must have:</div><div><br></div><div>--- nova.conf ---</div><div>
<div><div>
firewall_driver = nova.virt.firewall.NoopFirewallDriver</div><div>security_group_api = neutron</div></div><div>---</div><div><br></div></div><div>At Neutron OVS Agent (ovs_neutron_plugin.ini), you must set:</div><div><br>
</div>
<div>---</div><div>firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver<br></div><div>---</div><div><br></div><div>Source: <a href="http://docs.openstack.org/havana/install-guide/install/apt/content/install-neutron.install-plugin.ovs.html" target="_blank">http://docs.openstack.org/havana/install-guide/install/apt/content/install-neutron.install-plugin.ovs.html</a></div>
<div><br></div><div>BUT, it doesn't work.</div><div><br></div><div>All my Security Groups rules are just being ignored. They are all applied at the Compute Node OVS ports but, no effect at all.</div><div><br></div><div>
Thanks!</div><div>Thiago</div></div><div><div><div class="gmail_extra"><br><br><div class="gmail_quote">On 28 October 2013 21:26, Martinx - �$B%8%'!<%`%:�(B <span dir="ltr"><<a href="mailto:thiagocmartinsc@gmail.com" target="_blank">thiagocmartinsc@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Well,<div><br></div><div>Now I'm using "firewall_driver = nova.virt.firewall.NoopFirewallDriver" for both Nova and Neutron (Open vSwitch Agent) but, Security Groups rules are applied but ignored.</div>
<div><br></div><div>Tips!?</div><div><br></div><div>Thanks!</div><div>Thiago</div></div><div><div><div class="gmail_extra"><br><br><div class="gmail_quote">On 28 October 2013 21:13, Martinx - �$B%8%'!<%`%:�(B <span dir="ltr"><<a href="mailto:thiagocmartinsc@gmail.com" target="_blank">thiagocmartinsc@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Guys,<div><br></div><div>I'm back using "libvirt_vif_driver = nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver" (nova-compute.conf) but the problem persist for "tenant1".</div>
<div>
<br></div><div>My nova.conf contains:</div><div><br></div><div>---</div><div><div># Network settings</div><div>network_api_class = nova.network.neutronv2.api.API</div><div>neutron_url = <a href="http://contrller-1.mydomain.com:9696" target="_blank">http://contrller-1.mydomain.com:9696</a></div>
<div>neutron_auth_strategy = keystone</div><div>neutron_admin_tenant_name = service</div><div>neutron_admin_username = neutron</div><div>neutron_admin_password = 123test123</div><div>neutron_admin_auth_url = <a href="http://controller-1.mydomain.com:35357/v2.0" target="_blank">http://controller-1.mydomain.com:35357/v2.0</a></div>
<div><br></div><div>linuxnet_interface_driver = nova.network.linux_net.LinuxOVSInterfaceDriver</div><div><br></div><div># If you want Neutron + Nova Security groups</div><div>firewall_driver = nova.virt.firewall.NoopFirewallDriver</div>
<div>security_group_api = neutron</div></div><div>---</div><div><br></div><div>Is that a valid configuration for Havana?! I'm get it from my previous Grizzly setup.</div><div><br></div><div>Also, I just realized that, there are two places to configure the "firewall_driver", first one is located at nova.conf, the second is located at "ovs_neutron_plugin.ini" under [securitygroups], of course, I believe, they must "match", I mean, I must be the same for both services, right?!</div>
<div><br></div><div>Thanks!</div><div>Thiago</div>
</div><div><div><div class="gmail_extra"><br><br><div class="gmail_quote">On 28 October 2013 20:30, Martinx - �$B%8%'!<%`%:�(B <span dir="ltr"><<a href="mailto:thiagocmartinsc@gmail.com" target="_blank">thiagocmartinsc@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Stackers!<div><br></div><div>I'm trying to configure my Security Groups and, I'm seeing that the rules are being applied at the Compute Node OVS ports (iptables / ip6tables) BUT, it does have no effect (or just being ignored?).</div>
<div>
<br></div><div>I'm using Ubuntu 12.04.3 + Havana from Cloud Archive.</div><div><br></div><div><br></div><div>For example:</div><div><br></div><div>I have 1 Instance with 1 Floating IP attached to it, open port is: 80.</div>
<div><br></div><div>Look:</div><div><br></div><div>---</div><div><div>root@hypervisor-1:~# iptables -L neutron-openvswi-i9cf07c24-7 -nv </div><div>Chain neutron-openvswi-i9cf07c24-7 (1 references)</div><div> pkts bytes target prot opt in out source destination </div>
<div> 0 0 DROP all -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> state INVALID</div><div> 0 0 RETURN all -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> state RELATED,ESTABLISHED</div>
<div> 0 0 RETURN tcp -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> tcp dpt:80</div><div> 0 0 RETURN udp -- * * 192.168.50.3 <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> udp spt:67 dpt:68</div>
<div> 0 0 neutron-openvswi-sg-fallback all -- * * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> </div><div>---</div>
</div><div><br></div><div><br>
</div><div>The problem is that the respective Instance still answers SSH to the Internet. I mean, ALL ports are OPEN!! Regardless of what I typed at its Security Groups.</div><div><br></div><div>I created one "Security Group", called "web", only with TCP port 80 on it, nothing more, nothing less. This Instance doesn't belong to the "default" Security Group", only "web".</div>
<div><br></div><div>Recently I've changed the <b>libvirt_vif_driver</b> from <b>nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver</b> to <b>nova.virt.libvirt.vif.LibvirtOpenVswitchDriver</b>, maybe it is the cause?!</div>
<div><br></div><div><div>Any tips!?</div></div><div><br></div><div>Thanks!</div><div>Thiago</div></div>
</blockquote></div><br></div>
</div></div></blockquote></div><br></div>
</div></div></blockquote></div><br></div>
</div></div></blockquote></div><br></div>
</div></div></blockquote></div><br></div>
</div></div><br></div></div>_______________________________________________<br>
Mailing list: <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
Post to : <a href="mailto:openstack@lists.openstack.org" target="_blank">openstack@lists.openstack.org</a><br>
Unsubscribe : <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
<br></blockquote></div><br></div>
</blockquote></div><br></div>
</div></div></blockquote></div><br></div>
</div></div></blockquote></div><br></div>
</div></div></blockquote></div><br></div>
</div></div></blockquote></div><br></div>