<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Hi Adhi,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Do you use devstack to deploy XenServer + Kilo, or do you deploy manually?
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">The current Kilo release does not support XenServer + Neutron security groups, because security groups are implemented via iptables on a Linux bridge; however, there is
 no Linux bridge created when booting a new instance.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">But we now have a new fix to support Neutron security groups, and we have tested that it works. This will be implemented as a blueprint:
<a href="https://review.openstack.org/#/c/251271/">https://review.openstack.org/#/c/251271/</a><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">So, if you want to use Neutron security groups in Kilo, you should apply some patches to your code and also make the configurations below:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l0 level1 lfo1"><![if !supportLists]><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><span style="mso-list:Ignore">1.<span style="font:7.0pt "Times New Roman"">      
</span></span></span><![endif]><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">In nova.conf, two configurations should be set
<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in;text-indent:.5in"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">[DEFAULT]
<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in;text-indent:.5in"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">firewall_driver = nova.virt.firewall.NoopFirewallDriver<o:p></o:p></span></p>
<p class="MsoListParagraph" style="margin-left:.75in"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">security_group_api=neutron<o:p></o:p></span></p>
<p class="MsoListParagraph" style="margin-left:1.0in"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.75in"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">[xenserver]<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.75in"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">ovs_integration_bridge =<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.75in"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">vif_driver = nova.virt.xenapi.vif.XenAPIOpenVswitchDriver<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">If you don’t know how to configure ovs_integration_bridge, you can refer to this blog:
<a href="https://www.citrix.com/blogs/2015/11/30/integrating-xenserver-rdo-and-neutron/">
https://www.citrix.com/blogs/2015/11/30/integrating-xenserver-rdo-and-neutron/</a><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l0 level1 lfo1"><![if !supportLists]><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><span style="mso-list:Ignore">2.<span style="font:7.0pt "Times New Roman"">      
</span></span></span><![endif]><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">In neutron, check the configuration in ml2_conf.ini on the compute node, which is used by the neutron L2 agent<o:p></o:p></span></p>
<p class="MsoListParagraph" style="margin-left:1.0in"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">[agent]<o:p></o:p></span></p>
<p class="MsoListParagraph" style="margin-left:1.0in"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">minimize_polling = False<o:p></o:p></span></p>
<p class="MsoListParagraph" style="margin-left:1.0in"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">root_helper_daemon =<o:p></o:p></span></p>
<p class="MsoListParagraph" style="margin-left:1.0in"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">root_helper = /usr/local/bin/neutron-rootwrap-xen-dom0 /etc/neutron/rootwrap.conf<o:p></o:p></span></p>
<p class="MsoListParagraph" style="margin-left:1.0in"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoListParagraph" style="margin-left:1.0in"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">[ovs]<o:p></o:p></span></p>
<p class="MsoListParagraph" style="margin-left:1.0in"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">integration_bridge =<o:p></o:p></span></p>
<p class="MsoListParagraph" style="margin-left:1.0in"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">bridge_mappings =<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Also, for the ovs configuration items, if you are not clear on how to configure them, refer to the blog<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l0 level1 lfo1"><![if !supportLists]><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><span style="mso-list:Ignore">3.<span style="font:7.0pt "Times New Roman"">      
</span></span></span><![endif]><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">In neutron, check the configuration in /etc/neutron/rootwrap.conf on the compute node<o:p></o:p></span></p>
<p class="MsoListParagraph" style="margin-left:1.0in"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">[xenapi]<o:p></o:p></span></p>
<p class="MsoListParagraph" style="margin-left:1.0in"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"># XenAPI configuration is only required by the L2 agent if it is to<o:p></o:p></span></p>
<p class="MsoListParagraph" style="margin-left:1.0in"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"># target a XenServer/XCP compute host's dom0.<o:p></o:p></span></p>
<p class="MsoListParagraph" style="margin-left:1.0in"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">xenapi_connection_url=<o:p></o:p></span></p>
<p class="MsoListParagraph" style="margin-left:1.0in"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">xenapi_connection_username=<o:p></o:p></span></p>
<p class="MsoListParagraph" style="margin-left:1.0in"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">xenapi_connection_password=
<o:p></o:p></span></p>
<p class="MsoListParagraph"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Best Regards//Huan<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
<br>
-------- Original Message --------<br>
Subject: [Openstack] Security Groups Can't Apply in Kilo with Neutron & XenServer<br>
From: Adhi Priharmanto <br>
To: <a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a><br>
CC: <o:p></o:p></p>
<div>
<div>
<p class="MsoNormal">Hi all, <br>
<br>
I had OpenStack Kilo installed in my lab. For the compute hypervisor I use XenServer 6.5, and for networking I use Neutron OVS. For the Controller, Network, and Compute nodes I'm using Ubuntu 14.04.
<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">My problem was that security group rules aren't applied to the instance that is created. For example, there is no rule for SSH port 22 in the security group I defined for the instance, but the instance with a floating IP can still be logged in to by SSH from the external
 network.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><br>
I've already added this option to my nova.conf<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">firewall_driver=nova.virt.xenapi.firewall.Dom0IptablesFirewallDriver<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">and also defined firewall_driver in my ml2_conf.ini on the Controller, Network, and Compute nodes<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<div>
<p class="MsoNormal">[ovs]<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">enable_security_group = True<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">enable_ipset = True<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver<o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Can somebody help me with this problem?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">-- <o:p></o:p></p>
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span style="font-size:10.0pt;font-family:"Trebuchet MS",sans-serif">Cheers,</span><o:p></o:p></p>
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" style="outline:0px;border-spacing:0px">
<tbody>
<tr style="height:22.5pt;outline:0px;font-weight:inherit;font-style:inherit">
<td width="0" valign="bottom" style="width:.3pt;padding:0in 0in 0in 0in;height:22.5pt;outline:0px;font-style:inherit">
<p class="MsoNormal" style="line-height:13.65pt"><span style="font-size:1.0pt;font-family:"inherit",serif;color:#333333"> <o:p></o:p></span></p>
</td>
</tr>
<tr style="outline:0px;font-weight:inherit;font-style:inherit">
<td width="0" valign="bottom" style="width:.3pt;padding:0in 0in 0in 0in;outline:0px;font-style:inherit">
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" style="outline:0px;font-weight:inherit;font-style:inherit;border-spacing:0px">
<tbody>
<tr style="outline:0px;font-style:inherit">
<td width="0" valign="top" style="width:.3pt;padding:0in 0in 0in 0in;outline:0px;font-weight:inherit;font-style:inherit;display:inline-block">
<p class="MsoNormal"><span style="font-family:"inherit",serif"><o:p></o:p></span></p>
<div>
<p class="MsoNormal" style="vertical-align:baseline"><b><span style="font-size:13.5pt;font-family:"Helvetica",sans-serif;color:#333333">Adhi Priharmanto<o:p></o:p></span></b></p>
</div>
<div style="margin-top:2.25pt;outline:0px;font-weight:inherit;font-style:inherit">
<p class="MsoNormal" style="vertical-align:baseline"><span style="font-size:9.0pt;font-family:"Helvetica",sans-serif;color:#2B82AD">about.me/a_dhi<o:p></o:p></span></p>
</div>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal" style="line-height:0%;vertical-align:baseline"><span style="font-size:10.5pt;font-family:"inherit",serif;color:#333333"> 
<o:p></o:p></span></p>
</td>
</tr>
<tr style="height:15.0pt;outline:0px;font-weight:inherit;font-style:inherit">
<td width="0" valign="bottom" style="width:.3pt;padding:0in 0in 0in 0in;height:15.0pt;outline:0px;font-style:inherit">
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
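<div>
<p class="MsoNormal">An added example, not part of either message in this thread and not OpenStack project code: a small audit that checks a compute node's nova.conf, ml2_conf.ini and rootwrap.conf against the settings listed in the reply, and flags the options the reply leaves blank if they are still empty. The names audit, REQUIRED, MUST_BE_SET and SAMPLE are hypothetical, and the sample assumes the firewall_driver line from the original question sits under [DEFAULT].</p>
<pre>
```python
import configparser

# Exact values the reply above asks for, keyed by (file, section, option).
REQUIRED = {
    ("nova.conf", "DEFAULT", "firewall_driver"): "nova.virt.firewall.NoopFirewallDriver",
    ("nova.conf", "DEFAULT", "security_group_api"): "neutron",
    ("nova.conf", "xenserver", "vif_driver"): "nova.virt.xenapi.vif.XenAPIOpenVswitchDriver",
    ("ml2_conf.ini", "agent", "minimize_polling"): "False",
}
# Options the reply lists with no value: site-specific, but must not stay empty.
MUST_BE_SET = [
    ("nova.conf", "xenserver", "ovs_integration_bridge"),
    ("ml2_conf.ini", "ovs", "integration_bridge"),
    ("ml2_conf.ini", "ovs", "bridge_mappings"),
    ("rootwrap.conf", "xenapi", "xenapi_connection_url"),
    ("rootwrap.conf", "xenapi", "xenapi_connection_username"),
    ("rootwrap.conf", "xenapi", "xenapi_connection_password"),
]

def audit(files):
    """files maps a file name to its text; returns a list of findings."""
    parsed = {}
    for name, text in files.items():
        # No interpolation: a password may contain '%'. Not strict: tolerate repeats.
        cfg = configparser.ConfigParser(interpolation=None, strict=False)
        cfg.read_string(text)
        parsed[name] = cfg

    def lookup(name, section, option):
        cfg = parsed.get(name)
        if cfg is None or not cfg.has_option(section, option):
            return None
        return cfg.get(section, option).strip()
    findings = []
    for key, want in REQUIRED.items():
        got = lookup(*key)
        if got != want:
            findings.append("%s [%s] %s is %r, expected %r" % (key + (got, want)))
    for key in MUST_BE_SET:
        if not lookup(*key):
            findings.append("%s [%s] %s is missing or empty" % key)
    return findings

# Constructed sample: the question's nova.conf line (assumed under [DEFAULT])
# plus an ovs_integration_bridge option left empty, as it appears in the reply.
SAMPLE = {"nova.conf": "[DEFAULT]\nfirewall_driver=nova.virt.xenapi.firewall."
          "Dom0IptablesFirewallDriver\n[xenserver]\novs_integration_bridge =\n"}

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```
</pre>
</div>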
</body>
</html>