[openstack-dev] [Openstack] [Neutron] Security groups issue when running latest libvirt?

Simon Pasquier simon.pasquier at bull.net
Thu Nov 7 08:29:18 UTC 2013


On 07/11/2013 03:18, Martinx - ジェームズ wrote:
> That is true... Back to "LibvirtHybridOVSBridgeDriver", Security Groups
> are working again...

Thanks for the feedback, Thiago. I've opened a bug on Launchpad:
https://bugs.launchpad.net/nova/+bug/1248859

>
> On 6 November 2013 15:03, Simon Pasquier <simon.pasquier at bull.net
> <mailto:simon.pasquier at bull.net>> wrote:
>
>     Answering myself as I investigated a little further and
>     cross-posting to openstack-dev because I'd like to get feedback from
>     Nova/Neutron devs.
>
>     Users running Havana should configure
>     libvirt_vif_driver=nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver.
>     This driver is still available in the Havana release although
>     deprecated. AFAIU, this is the only option if you want effective
>     security groups with KVM & OVS.
>
>     For people using the master branch of nova, sorry but security
>     groups are currently broken because LibvirtHybridOVSBridgeDriver is
>     gone ([0]). Joe Gordon asked the Neutron devs about it few weeks ago
>     [1] but no answer and in another review [2], the conclusion was that
>     the Tempest tests passed with Neutron. However I don't see anywhere
>     in the tests ([3], [4]) that we check if the security rules
>     allow/block traffic.
>
>     It would be nice if core devs could confirm or refute.
>
>     Regards,
>
>     Simon
>
>     [0] https://review.openstack.org/#/c/49660/
>     [1] http://lists.openstack.org/pipermail/openstack-dev/2013-October/016886.html
>     [2] https://review.openstack.org/#/c/44349
>     [3] https://github.com/openstack/tempest/blob/master/tempest/api/network/test_security_groups.py
>     [4] https://github.com/openstack/tempest/blob/master/tempest/api/network/test_security_groups_negative.py
>
>     On 05/11/2013 14:57, Simon Pasquier wrote:
>
>         Hi all,
>
>         I'm struggling with security groups on Havana with Neutron and the OVS
>         plugin (GRE tunnels). No problem creating/deleting security group
>         rules, but even though the iptables configuration is updated, traffic
>         to my instances is never filtered [0].
>
>         I'm running DevStack on 2 nodes (1 controller + 1 compute):
>         - OS: Ubuntu 12.04.3 (LTS) with the Havana cloud archive repository.
>         - Open vSwitch package version: 1.10.2-0ubuntu2~cloud0
>         - libvirt package version: 1.1.1-0ubuntu8~cloud2
>         - localrc, nova.conf, neutron.conf and ovs_neutron_plugin.ini files
>         pasted at [1] (I didn't modify any of these files after the
>         DevStack run)
>
>         According to [2], [3] and [4], iptables is not compatible with TAP
>         devices connected directly to Open vSwitch ports, which is why there
>         used to be the additional veth + bridge interfaces [5]. But in my
>         setup, this is not the case anymore, as shown in [6] ('ovs-vsctl show' +
>         'iptables-save' output). I've also pasted the libvirt XML configuration
>         [7], which shows that the instance is directly connected to the
>         Open vSwitch.
>
>         Are the security groups supposed to work when the instance is directly
>         connected to OVS? If so, what am I doing wrong?
>
>         Regards,
>
>         [0] http://paste.openstack.org/show/50490/
>         [1] http://paste.openstack.org/show/50448/
>         [2] http://www.spinics.net/linux/fedora/libvirt-users/msg05384.html
>         [3] http://openvswitch.org/pipermail/discuss/2013-October/011461.html
>         [4] http://docs.openstack.org/havana/config-reference/content/under_the_hood_openvswitch.html
>         [5] http://docs.openstack.org/havana/config-reference/content/figures/7/a/a/common/figures/under-the-hood-scenario-2-ovs-compute.png
>         [6] http://paste.openstack.org/show/50486/
>         [7] http://paste.openstack.org/show/50487/
>
>
>


-- 
Simon Pasquier
Software Engineer
Bull, Architect of an Open World
Phone: + 33 4 76 29 71 49
http://www.bull.com
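As an added illustration (not code from this thread, from Nova or from Neutron): a small Python checker that reads the three artefacts discussed above, the libvirt domain XML, `ovs-vsctl show` and `iptables-save`, and reports per VIF whether the security-group rules can actually take effect. The inputs below are constructed for the example, not the pastes linked in the thread; port names, MACs and interface IDs are made up. The decision rule assumes two things: that Neutron's iptables firewall driver binds its chains to a port with `-m physdev --physdev-in/out tapXXX --physdev-is-bridged`, which only matches frames crossing a Linux bridge, and that LibvirtHybridOVSBridgeDriver names the per-port bridge qbrXXX and the veth end plugged into br-int qvoXXX.

```python
import re
import xml.etree.ElementTree as ET

# Constructed inputs (not the pastes from the thread).
# Instance 1: tap plugged straight into br-int, as in the thread's paste [7].
DIRECT_DOMAIN_XML = """<domain type='kvm'><name>instance-00000001</name><devices>
  <interface type='bridge'>
    <source bridge='br-int'/>
    <virtualport type='openvswitch'>
      <parameters interfaceid='0c9e1a2b-1111-4111-8111-000000000001'/>
    </virtualport>
    <target dev='tap0c9e1a2b-11'/>
  </interface>
</devices></domain>"""

# Instance 2: hybrid layout, tap on a per-port Linux bridge (qbrXXX).
HYBRID_DOMAIN_XML = """<domain type='kvm'><name>instance-00000002</name><devices>
  <interface type='bridge'>
    <source bridge='qbr7d3f9a4e-22'/>
    <target dev='tap7d3f9a4e-22'/>
  </interface>
</devices></domain>"""

OVS_SHOW = """    Bridge br-int
        Port br-int
            Interface br-int
                type: internal
        Port "tap0c9e1a2b-11"
            Interface "tap0c9e1a2b-11"
        Port "qvo7d3f9a4e-22"
            Interface "qvo7d3f9a4e-22"
"""

IPTABLES_SAVE = """*filter
-A FORWARD -j neutron-openvswi-FORWARD
-A neutron-openvswi-FORWARD -m physdev --physdev-out tap0c9e1a2b-11 --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-in tap0c9e1a2b-11 --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-out tap7d3f9a4e-22 --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-in tap7d3f9a4e-22 --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-sg-chain -m physdev --physdev-out tap7d3f9a4e-22 --physdev-is-bridged -j neutron-openvswi-i7d3f9a4e-2
-A neutron-openvswi-i7d3f9a4e-2 -p tcp -m tcp --dport 22 -j RETURN
COMMIT
"""


def vif_plumbing(domain_xml):
    """One record per <interface>: tap name, source bridge, and whether the
    tap is attached directly to OVS (virtualport type='openvswitch')."""
    vifs = []
    for iface in ET.fromstring(domain_xml).iter("interface"):
        src, tgt, vp = (iface.find(t) for t in ("source", "target", "virtualport"))
        vifs.append({
            "tap": tgt.get("dev") if tgt is not None else "",
            "bridge": src.get("bridge") if src is not None else "",
            "direct_ovs": vp is not None and vp.get("type") == "openvswitch",
        })
    return vifs


def ovs_ports(ovs_show):
    """Parse `ovs-vsctl show` output into {bridge: set(port names)}."""
    ports, current = {}, None
    for line in ovs_show.splitlines():
        m = re.match(r'\s*(Bridge|Port) "?([^"\s]+)"?', line)
        if m and m.group(1) == "Bridge":
            current = m.group(2)
            ports.setdefault(current, set())
        elif m and current is not None:
            ports[current].add(m.group(2))
    return ports


def physdev_rules(iptables_save, tap):
    """Count rules selecting `tap` with -m physdev (assumed to be how the
    Neutron iptables firewall driver binds security-group chains)."""
    pat = re.compile(r"-m physdev --physdev-(?:in|out) %s\b" % re.escape(tap))
    return sum(1 for line in iptables_save.splitlines() if pat.search(line))


def audit(domain_xml, ovs_show, iptables_save):
    """Per VIF, say whether the security-group rules can match at all:
    physdev only sees frames crossing a Linux bridge, so a tap plugged
    directly into br-int stays unfiltered however many rules exist."""
    br_int = ovs_ports(ovs_show).get("br-int", set())
    findings = []
    for vif in vif_plumbing(domain_xml):
        tap, rules = vif["tap"], physdev_rules(iptables_save, vif["tap"])
        qvo = "qvo" + tap[3:] if tap.startswith("tap") else ""  # assumed naming
        if vif["direct_ovs"]:
            status, why = "NOT_ENFORCED", "%s plugged directly into %s; %d physdev rule(s) never match" % (
                tap, vif["bridge"], rules)
        elif vif["bridge"].startswith("qbr") and qvo in br_int and rules:
            status, why = "ENFORCED", "%s -> %s -> %s on br-int, %d physdev rule(s)" % (
                tap, vif["bridge"], qvo, rules)
        else:
            status, why = "NOT_ENFORCED", "hybrid plumbing incomplete: bridge=%r, %s on br-int=%s, rules=%d" % (
                vif["bridge"], qvo, qvo in br_int, rules)
        findings.append({"tap": tap, "status": status, "why": why})
    return findings


if __name__ == "__main__":
    for xml in (DIRECT_DOMAIN_XML, HYBRID_DOMAIN_XML):
        for f in audit(xml, OVS_SHOW, IPTABLES_SAVE):
            print("%-12s %s" % (f["status"], f["why"]))
```

On a real compute node you would feed `audit()` the output of `virsh dumpxml <instance>`, `ovs-vsctl show` and `iptables-save`; the point of the check is that a growing rule count in `iptables-save` says nothing about enforcement until the tap sits behind a qbr bridge.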
