[Openstack-operators] Quantum Security Groups not working - iptables rules are not Evaluated

Darragh O'Reilly dara2002-openstack at yahoo.com
Mon Sep 2 15:28:37 UTC 2013


Hi Lorin,

sure, sorry for the brevity. It seems the brcompat is being used because qbr0188455b-25 appears in the 'ovs-vsctl show' output - so it was created as an OVS bridge, but it should have been created as a Linux bridge. I have never used brcompat, but I believe it intercepts calls from brctl and configures OVS bridges instead of Linux bridges. I'm not sure how to uninstall/disable it - it's probably an Operating System package.

I don't think any Openstack doc says to install/enable it.

Re,
Darragh.

>________________________________
> From: Lorin Hochstein <lorin at nimbisservices.com>
>To: Darragh O'Reilly <dara2002-openstack at yahoo.com> 
>Cc: Sebastian Porombka <porombka at uni-paderborn.de>; "openstack-operators at lists.openstack.org" <openstack-operators at lists.openstack.org> 
>Sent: Monday, 2 September 2013, 16:00
>Subject: Re: [Openstack-operators] Quantum Security Groups not working - iptables rules are not Evaluated
> 
>
>
>Darragh:
>
>
>Can you elaborate on this a little more? Do you mean that the "brcompat" kernel module has been loaded, and this breaks security groups with the ovs plugin? Should we add something in the documentation about this? 
>
>
>Lorin
>
>
>
>
>Do you mean that the problem is that the ovs-brcompatd service is running? 
>
>
>openvswitch-brcompat package is installed? 
>
>
>
>On Mon, Sep 2, 2013 at 10:21 AM, Darragh O'Reilly <dara2002-openstack at yahoo.com> wrote:
>
>
>>it is not working because you are using the ovs bridge compatibility module.
>>
>>Re,
>>Darragh.
>>
>>>________________________________
>>> From: Sebastian Porombka <porombka at uni-paderborn.de>
>>>To: "openstack-operators at lists.openstack.org" <openstack-operators at lists.openstack.org>
>>>Sent: Monday, 2 September 2013, 14:48
>>>Subject: [Openstack-operators] Quantum Security Groups not working - iptables rules are not Evaluated
>>
>>>
>>>
>>>
>>>Hi folks.
>>>
>>>
>>>We're currently on the way to deploying an openstack (grizzly) cloud environment 
>>>and suffering from problems implementing the security groups like described in [1].
>>>
>>>
>>>The (hopefully) relevant configuration settings are:
>>>
>>>
>>>/etc/nova/nova.conf
>>>[…]
>>>security_group_api=quantum
>>>network_api_class=nova.network.quantumv2.api.API
>>>libvirt_vif_driver=nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver
>>>firewall_driver=nova.virt.firewall.NoopFirewallDriver
>>>[…]
>>>
>>>
>>>/etc/quantum/plugins/openvswitch/ovs_quantum_plugin.ini
>>>[…]
>>>firewall_driver = quantum.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
>>>[…]
>>>
>>>
>>>The Networks for the vm's are attached to the compute-nodes via VLAN 
>>>encapsulation and correctly mapped to the vm's.
>>>
>>>
>>>From our point of view - we understand the need for the 
>>>"ovs-bridge <> veth glue <> linux-bridge (for filtering) <> vm"-construction 
>>>and observed the single components in our deployment. See [2]
>>>
>>>
>>>Everything is working except the security groups. 
>>>We observed that iptables rules are generated for the quantum-openvswi-* chains of iptables. 
>>>The traffic arriving untagged (native vlan for management) on the machine is processed by iptables, but not 
>>>the traffic which arrived encapsulated.
>>>
>>>
>>>The traffic which is unpacked by openvswitch and is bridged via the veth and the tap into 
>>>the machine isn't processed by the iptables rules.
>>>
>>>
>>>We have no remaining clue/idea how to solve this issue… :(
>>>
>>>
>>>Greetings
>>>   Sebastian
>>>
>>>
>>>[1] http://docs.openstack.org/trunk/openstack-network/admin/content/under_the_hood_openvswitch.html
>>>[2] http://pastebin.com/WXMH6y4A
>>>
>>>
>>>--
>>>Sebastian Porombka, M.Sc. 
>>>Zentrum für Informations- und Medientechnologien (IMT)
>>>Universität Paderborn
>>>
>>>
>>>E-Mail: porombka at uni-paderborn.de
>>>Tel.: 05251/60-5999
>>>Fax: 05251/60-48-5999
>>>Raum: N5.314 
>>>
>>>
>>>--------------------------------------------
>>>Q: Why is this email five sentences or less?
>>>A: http://five.sentenc.es
>>>
>>>
>>>Please consider the environment before printing this email.
>>>_______________________________________________
>>>OpenStack-operators mailing list
>>>OpenStack-operators at lists.openstack.org
>>>http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
>>>
>>>
>>>
>>
>>
>
>
>
>-- 
>
>Lorin Hochstein
>
>Lead Architect - Cloud Services
>Nimbis Services, Inc.
>www.nimbisservices.com
>
>

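The symptom Darragh points to above (a qbr* bridge listed in 'ovs-vsctl show', so the hybrid driver's filtering bridge is an OVS bridge and the quantum-openvswi-* iptables chains never see the VM traffic) is easy to check for mechanically. The following script is an added example, not code from the thread or from OpenStack; the functions read 'ovs-vsctl show' and 'lsmod' text on stdin so the check can be run offline against the constructed samples embedded below. The kernel module name "brcompat" is assumed from the discussion, not taken from a particular package.

```shell
#!/bin/sh
# Added example: detect the brcompat symptom from the mailing-list thread.
# A qbr* bridge is supposed to be a Linux bridge (created by brctl for the
# LibvirtHybridOVSBridgeDriver); if it shows up as an OVS bridge, brcompat has
# intercepted the brctl calls and the iptables security-group rules are bypassed.

# Print every OVS bridge whose name starts with qbr, reading 'ovs-vsctl show'
# output on stdin. A healthy hybrid deployment prints nothing here.
qbr_bridges_in_ovs() {
    awk '$1 == "Bridge" { name = $2; gsub(/"/, "", name); if (name ~ /^qbr/) print name }'
}

# Exit status 0 when no qbr bridge is owned by Open vSwitch, 1 otherwise.
check_qbr_not_in_ovs() {
    [ -z "$(qbr_bridges_in_ovs)" ]
}

# Print brcompat-related kernel modules from 'lsmod' text on stdin
# (module name "brcompat" is an assumption of this example).
brcompat_modules() {
    awk '$1 ~ /^brcompat/ { print $1 }'
}

# Constructed sample resembling the poster's node: qbr0188455b-25, the bridge
# name quoted in the thread, is listed as an OVS bridge next to br-int.
SAMPLE_BROKEN='a1b2c3d4-0000-4000-8000-000000000001
    Bridge br-int
        Port br-int
            Interface br-int
                type: internal
        Port "qvo0188455b-25"
            tag: 1
            Interface "qvo0188455b-25"
    Bridge "qbr0188455b-25"
        Port "qbr0188455b-25"
            Interface "qbr0188455b-25"
                type: internal
        Port "qvb0188455b-25"
            Interface "qvb0188455b-25"
    ovs_version: "1.10.2"'

# Constructed healthy sample: only br-int is an OVS bridge, the qbr bridge
# lives in the Linux bridge module and is therefore absent here.
SAMPLE_OK='a1b2c3d4-0000-4000-8000-000000000001
    Bridge br-int
        Port br-int
            Interface br-int
                type: internal
        Port "qvo0188455b-25"
            tag: 1
            Interface "qvo0188455b-25"
    ovs_version: "1.10.2"'

# Constructed lsmod excerpt with the compatibility module loaded.
SAMPLE_LSMOD='brcompat               13205  0
openvswitch            66503  1 brcompat
bridge                 78120  0'

# Stand-alone demonstration against the constructed samples.
for sample in "$SAMPLE_BROKEN" "$SAMPLE_OK"; do
    if printf '%s\n' "$sample" | check_qbr_not_in_ovs; then
        echo "OK: no qbr bridge is owned by Open vSwitch"
    else
        echo "WARNING: qbr bridge(s) created as OVS bridges (brcompat?):"
        printf '%s\n' "$sample" | qbr_bridges_in_ovs
    fi
done
printf '%s\n' "$SAMPLE_LSMOD" | brcompat_modules | while read -r mod; do
    echo "WARNING: compatibility module loaded: $mod"
done
```

On a real compute node the same functions are fed live data, e.g. `ovs-vsctl show | check_qbr_not_in_ovs` and `lsmod | brcompat_modules`; a non-empty result from either is the condition under which the quantum-openvswi-* chains will not be evaluated for VM traffic, regardless of how correct the generated rules look.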

