[ironic][neutron] Security groups on bare metal instances

Sean Mooney smooney at redhat.com
Tue Jun 11 16:00:38 UTC 2019

On Tue, 2019-06-11 at 15:33 +0000, Jason Anderson wrote:
> Hi all,
> We've been scratching our heads for a while, trying to figure out how security groups for bare metal instances are
> supposed to work. The configuration guide for Networking<
> https://docs.openstack.org/ironic/latest/install/configure-networking.html>[1] implies that using the
> 'iptables_hybrid' firewall driver should work. We are using Neutron tenant networks<
> https://docs.openstack.org/ironic/latest/install/configure-tenant-networks.html>[2] with Ironic. My understanding is
> that the iptables_hybrid driver creates a new OVS port (with prefix qvo), logically connects that to the integration
> bridge, and then creates a veth pair inside a new network namespace, and that veth device then gets some iptables
> rules to handle the security group rules. It is not clear to me how or when that qvo "hybrid" port is even created;
> I've combed through the Neutron code base for a while looking for clues.
> We had tried using the "pure" OVS firewall solution, where security group rules are expressed using OpenFlow flows.
> However, this doesn't work, as there is no OVS port for a bare metal instance (at least, not in our setup.) We are
> using networking-generic-switch<https://docs.openstack.org/networking-generic-switch/latest/>[3], which provisions
> ports on a physical switch with a VLAN tag on the provider network. From OVS' perspective, the traffic exits OVS with
> that VLAN tag and that's that; OVS in this situation is only responsible for handling routing between provider
> networks and performing NAT for egress and ingress via Floating IP assignments.
> So, I'm wondering if others have had success getting security groups to work in a bare metal environment, and have any
> clues we could follow to get this working nicely.
in a baremetal environment the only way to implement security groups for the baremetal instance is to rely on an ml2
driver that supports implementing security groups at the top of rack switch.

the iptables and openvswitch firewall drivers can only be used in a vm deployment.

>  I'm beginning to suspect our problems have to do with the fact that we're doing VLAN isolation predominately via
> configuring physical switches, and as such there isn't a clear point where security groups can be inserted.
some switch vendors can implement security groups directly in the TOR. I believe either Arista or Cisco support this
in their top of rack switch driver. e.g.

>  The problem we are trying to solve is limiting ingress traffic on a Floating IP, so we only allow SSH from a given
> host, or only allow ports X and Y to be open externally, etc.
as an alternative you might be able to use the firewall as a service api to implement traffic filtering in the neutron
routers rather than at the port level.
> Thanks in advance, as usual, for any insights!
> /Jason
> [1]: https://docs.openstack.org/ironic/latest/install/configure-networking.html
> [2]: https://docs.openstack.org/ironic/latest/install/configure-tenant-networks.html
> [3]: https://docs.openstack.org/networking-generic-switch/latest/

More information about the openstack-discuss mailing list