[ironic][neutron] Security groups on bare metal instances

Jason Anderson jasonanderson at uchicago.edu
Tue Jun 11 15:33:49 UTC 2019

Hi all,

We've been scratching our heads for a while, trying to figure out how security groups for bare metal instances are supposed to work. The configuration guide for Networking<https://docs.openstack.org/ironic/latest/install/configure-networking.html>[1] implies that using the 'iptables_hybrid' firewall driver should work. We are using Neutron tenant networks<https://docs.openstack.org/ironic/latest/install/configure-tenant-networks.html>[2] with Ironic. My understanding is that the iptables_hybrid driver creates a new OVS port (with prefix qvo), logically connects that to the integration bridge, and then creates a veth pair inside a new network namespace, and that veth device then gets some iptables rules to handle the security group rules. It is not clear to me how or when that qvo "hybrid" port is even created; I've combed through the Neutron code base for a while looking for clues.

We had tried using the "pure" OVS firewall solution, where security group rules are expessed using OpenFlow flows. However, this doesn't work, as there is not OVS port for a bare metal instance (at least, not in our setup.) We are using networking-generic-switch<https://docs.openstack.org/networking-generic-switch/latest/>[3], which provisions ports on a physical switch with a VLAN tag on the provider network. From OVS' perspective, the traffic exits OVS with that VLAN tag and that's that; OVS in this situation is only responsible for handling routing between provider networks and performing NAT for egress and ingress via Floating IP assignments.

So, I'm wondering if others have had success getting security groups to work in a bare metal environment, and have any clues we could follow to get this working nicely. I'm beginning to suspect our problems have to do with the fact that we're doing VLAN isolation predominately via configuring physical switches, and as such there isn't a clear point where security groups can be inserted. The problem we are trying to solve is limiting ingress traffic on a Floating IP, so we only allow SSH from a given host, or only allow ports X and Y to be open externally, etc.

Thanks in advance, as usual, for any insights!


[1]: https://docs.openstack.org/ironic/latest/install/configure-networking.html
[2]: https://docs.openstack.org/ironic/latest/install/configure-tenant-networks.html
[3]: https://docs.openstack.org/networking-generic-switch/latest/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-discuss/attachments/20190611/7ed35b47/attachment.html>

More information about the openstack-discuss mailing list