[openstack-dev] [Nova][Neutron] Neutron + Nova + OVS security group fix

Nachi Ueno nachi at ntti3.com
Tue Mar 25 22:58:45 UTC 2014


Hi Nova, Neutron Team

I would like to discuss the issue of the Neutron + Nova + OVS security group fix.
We had a discussion on IRC today, but the issue is complicated, so we will have
a conf call tomorrow at 17:00 UTC (10 AM PDT) in #openstack-neutron
(I'll put the conf call information in IRC).

<-- Please let me know if this time won't work for you.

Bug Report
https://bugs.launchpad.net/neutron/+bug/1297469

Background of this issue:
The ML2 + OVSDriver + IptablesBasedFirewall combination is the default
plugin setting in Neutron.
In this case, we need special handling in the VIF. Because Open vSwitch
doesn't support iptables, we are
using a Linux bridge + Open vSwitch bridge. We call this the hybrid driver.

In another discussion, we generalized the Nova-side VIF plugging into
the Libvirt GenericVIFDriver.
The idea is to let Neutron tell the VIF plugging configuration details to
the GenericDriver, and the GenericDriver
takes care of it.

Unfortunately, the HybridDriver was removed before the GenericDriver was ready
for security groups.
This makes the ML2 + OVSDriver + IptablesBasedFirewall combination non-functional.
We were working on the real fix, but we can't make it into the Icehouse
release due to design discussions [1].
# Even the Neutron-side patch isn't merged yet.

So we are proposing a workaround fix on the Nova side.
In this fix, we add a special version of the GenericVIFDriver
which can work with this combination.
There are two points to this new driver:
(1) It prevents setting conf.filtername. Because we should use the
NoopFirewallDriver, conf.filtername needs to be None
when we use it.
(2) It uses plug_ovs_hybrid and unplug_ovs_hybrid by forcing
get_require_firewall to True.
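To make the two points concrete, here is a simplified model of the driver decision the workaround changes. This is an added illustration, not code from Nova or from the patch above; the class and function names (VifConfig, GenericVIFDriver model, HybridWorkaroundDriver, neutron_security_groups_enforced) and the bridge naming are assumptions made here.

```python
# Added model (not Nova's code) of how the generic driver picks the plug path.
from dataclasses import dataclass
from typing import Optional

NOOP_FIREWALL = "nova.virt.firewall.NoopFirewallDriver"
NOVA_IPTABLES_FIREWALL = "nova.virt.libvirt.firewall.IptablesFirewallDriver"


@dataclass
class VifConfig:
    """Libvirt interface settings: bridge the tap lands on, libvirt nwfilter name."""
    bridge: str
    filtername: Optional[str] = None


class GenericVIFDriver:
    """Model: hybrid plugging is used only when Nova itself is the firewall."""

    def __init__(self, firewall_driver: str):
        self.firewall_driver = firewall_driver

    def get_firewall_required(self) -> bool:
        return self.firewall_driver != NOOP_FIREWALL

    def plug_path(self) -> str:
        # plug_ovs_hybrid puts a Linux bridge (where iptables can hook) between
        # the tap device and the OVS integration bridge; otherwise tap -> br-int.
        return "ovs_hybrid" if self.get_firewall_required() else "ovs_direct"

    def get_config(self, instance_name: str, mac: str) -> VifConfig:
        mac_id = mac.replace(":", "")
        bridge = "qbr-" + mac_id if self.plug_path() == "ovs_hybrid" else "br-int"
        conf = VifConfig(bridge=bridge)
        if self.get_firewall_required():
            # Nova's own iptables driver wants a libvirt nwfilter per VIF.
            conf.filtername = "nova-instance-%s-%s" % (instance_name, mac_id)
        return conf


class HybridWorkaroundDriver(GenericVIFDriver):
    """Model of the workaround: (1) never set filtername, (2) force hybrid plugging."""

    def get_firewall_required(self) -> bool:
        return True  # always take plug_ovs_hybrid / unplug_ovs_hybrid

    def get_config(self, instance_name: str, mac: str) -> VifConfig:
        conf = super().get_config(instance_name, mac)
        conf.filtername = None  # Neutron enforces the rules, not libvirt nwfilter
        return conf


def neutron_security_groups_enforced(driver: GenericVIFDriver) -> bool:
    """Neutron's iptables firewall can only filter traffic crossing a Linux bridge."""
    return driver.plug_path() == "ovs_hybrid"
```

With the Noop firewall and the unmodified driver, the model shows the tap landing directly on br-int, so Neutron's iptables rules never see the instance traffic; the workaround driver restores the qbr bridge while leaving filtername unset.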

Here are the patches with UTs.

Workaround fix:
Nova
https://review.openstack.org/#/c/82904/

Devstack patch for ML2 (Tested with 82904)
https://review.openstack.org/#/c/82937/

We have tested patch 82904 with the following test, and it works.

- Launch a VM
- Assign a floating IP
- Make sure ping to the floating IP fails from the GW
- Modify the security group rule to allow ping from anywhere
- Make sure ping works

[1] Real fix (deferred to Juno):

Improve vif attributes related with firewalling
https://review.openstack.org/#/c/21946/

Support binding:vif_security parameter in neutron
https://review.openstack.org/#/c/44596/

--> I'll put the latest updates here:
https://etherpad.openstack.org/p/neturon_security_group_fix_workaround_icehouse

Best
Nachi


