[Openstack-operators] Quantum Security Groups not working - iptables rules are not Evaluated

Darragh O'Reilly dara2002-openstack at yahoo.com
Mon Sep 2 14:21:10 UTC 2013


It is not working because you are using the OVS bridge compatibility module.

Re, 
Darragh.

>________________________________
> From: Sebastian Porombka <porombka at uni-paderborn.de>
>To: "openstack-operators at lists.openstack.org" <openstack-operators at lists.openstack.org> 
>Sent: Monday, 2 September 2013, 14:48
>Subject: [Openstack-operators] Quantum Security Groups not working - iptables rules are not Evaluated
> 
>
>
>Hi folks.
>
>
>We're currently deploying an OpenStack (Grizzly) cloud environment 
>and are having problems implementing the security groups as described in [1].
>
>
>The (hopefully) relevant configuration settings are:
>
>
>/etc/nova/nova.conf
>[…]
>security_group_api=quantum
>network_api_class=nova.network.quantumv2.api.API
>libvirt_vif_driver=nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver
>firewall_driver=nova.virt.firewall.NoopFirewallDriver
>[…]
>
>
>/etc/quantum/plugins/openvswitch/ovs_quantum_plugin.ini
>[…]
>firewall_driver = quantum.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
>[…]
>
>
>The networks for the VMs are attached to the compute nodes via VLAN 
>encapsulation and correctly mapped to the VMs.
>
>
>From our point of view, we understand the need for the 
>"ovs-bridge <> veth glue <> linux-bridge (for filtering) <> vm" construction 
>and have observed the individual components in our deployment. See [2].
>
>
>Everything is working except the security groups. 
>We observed that iptables rules are generated for the quantum-openvswi-* chains of iptables. 
>The traffic arriving untagged (native VLAN for management) on the machine is processed by iptables, but not 
>the traffic which arrived encapsulated.
>
>
>The traffic which is unpacked by openvswitch and is bridged via the veth and the tap into 
>the machine isn't processed by the iptables rules.
>
>
>We have no remaining clue/idea how to solve this issue… :(
>
>
>Greetings
>   Sebastian
>
>
>[1] http://docs.openstack.org/trunk/openstack-network/admin/content/under_the_hood_openvswitch.html
>[2] http://pastebin.com/WXMH6y4A
>
>
>--
>Sebastian Porombka, M.Sc. 
>Zentrum für Informations- und Medientechnologien (IMT)
>Universität Paderborn
>
>
>E-Mail: porombka at uni-paderborn.de
>Tel.: 05251/60-5999
>Fax: 05251/60-48-5999
>Raum: N5.314 
>
>
>
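
One way to check a compute node for the condition named in the reply, as an added example that is not part of the original thread: it flags a host where the hybrid iptables firewall driver from the post is configured while a bridge compatibility module is loaded. The module names `brcompat` and `brcompat_mod`, the function names and the sample inputs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Flags a compute node where the hybrid
# iptables firewall driver is configured while the OVS bridge compatibility
# module is loaded, the combination identified in the reply above.

# Constructed `lsmod` output. The module names brcompat / brcompat_mod are
# assumptions; confirm them against the Open vSwitch packages on your hosts.
SAMPLE_LSMOD='Module                  Size  Used by
brcompat               13512  0
openvswitch            84038  1 brcompat
bridge                 91499  0'

# Constructed plugin config containing the driver line quoted in the post.
SAMPLE_INI='# security group settings
firewall_driver = quantum.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver'

# Reads lsmod text on stdin; succeeds if a bridge compatibility module is listed.
brcompat_loaded() {
    awk 'NR > 1 && ($1 == "brcompat" || $1 == "brcompat_mod") { found = 1 }
         END { exit !found }'
}

# Reads ini text on stdin; succeeds if an uncommented firewall_driver line
# selects the OVS hybrid iptables driver.
hybrid_driver_configured() {
    grep -Eq '^[[:space:]]*firewall_driver[[:space:]]*=.*OVSHybridIptablesFirewallDriver'
}

# check_sg_filtering LSMOD_TEXT INI_TEXT
# Returns 0 = no conflict, 1 = conflict, 2 = hybrid driver not configured.
check_sg_filtering() {
    if ! printf '%s\n' "$2" | hybrid_driver_configured; then
        echo "n/a: hybrid iptables firewall driver is not configured"
        return 2
    fi
    if printf '%s\n' "$1" | brcompat_loaded; then
        echo "CONFLICT: bridge compatibility module loaded; security group rules may not be evaluated"
        return 1
    fi
    echo "ok: hybrid driver configured and no bridge compatibility module loaded"
    return 0
}

# Demo on the constructed samples. On a live node, pass "$(lsmod)" and
# "$(cat /etc/quantum/plugins/openvswitch/ovs_quantum_plugin.ini)" instead.
check_sg_filtering "$SAMPLE_LSMOD" "$SAMPLE_INI" || true
```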