[Openstack-operators] Quantum Security Groups not working - iptables rules are not Evaluated

Sebastian Porombka porombka at uni-paderborn.de
Mon Sep 2 13:48:08 UTC 2013


Hi folks.

We're currently deploying an OpenStack (Grizzly) cloud environment
and are running into problems implementing security groups as described in
[1].

The (hopefully) relevant configuration settings are:

/etc/nova/nova.conf
[...]
security_group_api=quantum
network_api_class=nova.network.quantumv2.api.API
libvirt_vif_driver=nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver
firewall_driver=nova.virt.firewall.NoopFirewallDriver
[...]

/etc/quantum/plugins/openvswitch/ovs_quantum_plugin.ini
[...]
firewall_driver = quantum.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
[...]

The networks for the VMs are attached to the compute nodes via VLAN
encapsulation and are correctly mapped to the VMs.

From our point of view, we understand the need for the
"ovs-bridge <> veth glue <> linux-bridge (for filtering) <> vm" construction
and have observed the individual components in our deployment. See [2].

Everything is working except the security groups.
We observed that iptables rules are generated for the quantum-openvswi-*
chains of iptables.
Traffic arriving untagged (native VLAN for management) on the
machine is processed by iptables, but not
the traffic which arrived encapsulated.

The traffic which is unpacked by Open vSwitch and bridged via the veth and
the tap into the machine isn't processed by the iptables rules.

We have no remaining clue/idea how to solve this issue... :(

Greetings
   Sebastian

[1] http://docs.openstack.org/trunk/openstack-network/admin/content/under_the_hood_openvswitch.html
[2] http://pastebin.com/WXMH6y4A

--
Sebastian Porombka, M.Sc.
Zentrum für Informations- und Medientechnologien (IMT)
Universität Paderborn

E-Mail: porombka at uni-paderborn.de
Tel.: 05251/60-5999
Fax: 05251/60-48-5999
Raum: N5.314 
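The symptom described in the post (chains populated, bridged VM traffic never matched) is also exactly what a compute node shows when the kernel is not handing Linux-bridge frames to netfilter at all. The following check is an added example, not code from the thread or from the OpenStack project; it reads the net.bridge sysctls on a node, and SYSCTL_DIR is an assumed override so the logic can be run against copied values off-box.

```shell
#!/bin/sh
# Added diagnostic, not from the original thread. The qbr* Linux bridge the
# OVS hybrid driver puts between the VM tap and OVS only hands frames to
# iptables when net.bridge.bridge-nf-call-iptables is 1; at 0 the
# quantum-openvswi-* chains exist but bridged traffic never reaches them.
# Assumption: SYSCTL_DIR may point at a directory holding copies of the
# /proc/sys/net/bridge files so the logic can be exercised off-box.

SYSCTL_DIR="${SYSCTL_DIR:-/proc/sys/net/bridge}"

# Value of one knob, or "missing" when the file is absent (usually the
# bridge / br_netfilter module is not loaded).
read_bridge_knob() {
    if [ -r "$SYSCTL_DIR/$1" ]; then
        tr -d '[:space:]' < "$SYSCTL_DIR/$1"
    else
        printf 'missing'
    fi
}

# Classify a raw knob value as OK / DISABLED / MISSING.
classify_knob() {
    case "$1" in
        1)       printf 'OK' ;;
        missing) printf 'MISSING' ;;
        *)       printf 'DISABLED' ;;
    esac
}

# Report the IPv4 and IPv6 knobs; the exit status is non-zero only when the
# IPv4 knob would let bridged traffic bypass iptables, which is what the
# physdev-based security-group chains depend on.
check_bridge_filtering() {
    rc=0
    for knob in bridge-nf-call-iptables bridge-nf-call-ip6tables; do
        val=$(read_bridge_knob "$knob")
        state=$(classify_knob "$val")
        printf '%-8s %s=%s\n' "$state" "$knob" "$val"
        if [ "$knob" = bridge-nf-call-iptables ] && [ "$state" != OK ]; then
            rc=1
        fi
    done
    return $rc
}

# Packet counters on the generated chains: if they stay at 0 while a VM is
# sending traffic, the frames are not reaching iptables at all.
show_chain_counters() {
    iptables -L -n -v 2>/dev/null | grep 'quantum-openvswi' || true
}
```

Source the file on a compute node and run `check_bridge_filtering` followed by `show_chain_counters`; a DISABLED or MISSING result for bridge-nf-call-iptables means the Linux bridge is forwarding VM traffic without consulting the security-group rules.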
