Hi,General answer:if you check your processes running on the host you will see which config files are used:$ ps -ef |grep neutron-serverlajoska+ 32072 1 2 09:51 ? 00:00:03 /usr/bin/python3.6 /usr/local/bin/neutron-server --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugins/ml2/ml2_conf.ini --config-file /etc/neutron/taas_plugin.ini....Similarly you can check your ovs-agent:$ ps -ef |grep neutron-openvswitch-agent....For the documentation of the config files check the configuration reference:https://docs.openstack.org/neutron/latest/configuration/config.html (this is the latest, so I suppose you need some older one like train or similar)RegardsLajos<ahmed.zaky.abdallah@gmail.com> ezt írta (időpont: 2019. dec. 27., P, 15:42):Thank you very much, Slawek.
In case I have multiple configuration files, how to know which one is currently loaded in neutron?
For example, in my environment I have:
- ml2_conf.ini
- ml2_conf_odl.ini
- ml2_conf_sriov.ini
- openvswitch_agent.ini
- sriov_agent.ini
[root@overcloud-controller-0 cbis-admin]# cd /etc/neutron/plugins/ml2/
[root@overcloud-controller-0 ml2]# ls
ml2_conf.ini ml2_conf_odl.ini ml2_conf_sriov.ini openvswitch_agent.ini sriov_agent.ini
Which one of these is used?
Cheers,
Ahmed
-----Original Message-----
From: Slawek Kaplonski <skaplons@redhat.com>
Sent: Friday, December 27, 2019 10:28 AM
To: ahmed.zaky.abdallah@gmail.com
Cc: openstack-discuss@lists.openstack.org
Subject: Re: About the use of security groups with neutron ports
Hi,
> On 27 Dec 2019, at 00:14, ahmed.zaky.abdallah@gmail.com wrote:
>
> Hi All,
>
> I am trying to wrap my head around something I came across in one of the OpenStack deployments. I am running Telco VNFs one of them is having different VMs using SR-IOV interfaces.
>
> On one of my VNFs on Openstack, I defined a wrong IPv6 Gm bearer interface to be exactly the same as the IPv6 Gateway. As I hate re-onboarding, I decided to embark on a journey of changing the IPv6 of the Gm bearer interface manually on the application side, everything went on fine.
>
> After two weeks, my customer started complaining about one way RTP flow. The customer was reluctant to blame the operation I carried out because everything worked smooth after my modification.
> After days of investigation, I remembered that I have port-security enabled and this means AAP “Allowed-Address-Pairs” are defined per vPort (AAP contain the floating IP address of the VM so that the security to allow traffic to and from this VIP). I gave it a try and edited AAP “Allowed-Address-Pairs” to include the correct new IPv6 address. Doing that everything started working fine.
>
> The only logical explanation at that time is security group rules are really invoked.
>
> Now, I am trying to understand how the iptables are really invoked. I did some digging and it seems like we can control the firewall drivers on two levels:
>
> • Nova compute
> • ML2 plugin
>
> I was curious to check nova.conf and it has already the following line: firewall_driver=nova.virt.firewall.NoopFirewallDriver
>
> However, checking the ml2 plugin configuration, the following is found:
>
> 230 [securitygroup]
> 231
> 232 #
> 233 # From neutron.ml2
> 234 #
> 235
> 236 # Driver for security groups firewall in the L2 agent (string value)
> 237 #firewall_driver = <None>
> 238 firewall_driver = openvswitch
>
> So, I am jumping to a conclusion that ml2 plugin is the one responsible for enforcing the firewall rules in my case.
>
> Have you had a similar experience?
> Is my assumption correct: If I comment out the ml2 plugin firewall driver then the port security carries no sense at all and security groups won’t be invoked?
Firewall_driver config option has to be set to some value. You can set “noop” as firewall_driver to completely disable this feature for all ports.
But please remember that You need to set it on agent’s side so it’s on compute nodes, not on neutron-server side.
Also, if You want to disable it only for some ports, You can set “port_security_enabled” to False and than SG will not be applied for such port and You will not need to configure any additional IPs in allowed address pairs for this port.
>
> Cheers,
> Ahmed
—
Slawek Kaplonski
Senior software engineer
Red Hat