[Openstack-operators] Quantum Security Groups not working - iptables rules are not Evaluated

Sebastian Porombka porombka at uni-paderborn.de
Mon Sep 2 19:12:40 UTC 2013


Hi

Yes, openvswitch-brcompat (as ubuntu package) was installed.
Uninstalling the package removes the qbr* interfaces in
'ovs-vsctl show' and solved the problem. Big thanks to you.

Maybe a short sentence in the documentation would be nice. :)

Greetings
  Sebastian

--
Sebastian Porombka, M.Sc.
Zentrum für Informations- und Medientechnologien (IMT)
Universität Paderborn

E-Mail: porombka at uni-paderborn.de
Tel.: 05251/60-5999
Fax: 05251/60-48-5999
Raum: N5.314 

--------------------------------------------
Q: Why is this email five sentences or less?
A: http://five.sentenc.es

Please consider the environment before printing this email.





On 02.09.13 17:28, "Darragh O'Reilly" <dara2002-openstack at yahoo.com>
wrote:

>Hi Lorin,
>
>sure, sorry for the brevity. It seems the brcompat is being used because
>qbr0188455b-25 appears in the 'ovs-vsctl show' output - so it was created
>as an OVS bridge, but it should have been created as a Linux bridge. I
>have never used brcompat, but I believe it intercepts calls from brctl
>and configures OVS bridges instead of Linux bridges. I'm not sure how to
>uninstall/disable it - it's probably an Operating System package.
>
>I don't think any Openstack doc says to install/enable it.
>
>Re,
>Darragh.
>
>>________________________________
>> From: Lorin Hochstein <lorin at nimbisservices.com>
>>To: Darragh O'Reilly <dara2002-openstack at yahoo.com>
>>Cc: Sebastian Porombka <porombka at uni-paderborn.de>;
>>"openstack-operators at lists.openstack.org"
>><openstack-operators at lists.openstack.org>
>>Sent: Monday, 2 September 2013, 16:00
>>Subject: Re: [Openstack-operators] Quantum Security Groups not working -
>>iptables rules are not Evaluated
>> 
>>
>>
>>Darragh:
>>
>>
>>Can you elaborate on this a little more? Do you mean that the "brcompat"
>>kernel module has been loaded, and this breaks security groups with the
>>ovs plugin? Should we add something in the documentation about this?
>>
>>
>>Lorin
>>
>>
>>
>>
>>Do you mean that the problem is that the ovs-brcompatd service is
>>running? 
>>
>>
>>openvswitch-brcompat package is installed?
>>
>>
>>
>>On Mon, Sep 2, 2013 at 10:21 AM, Darragh O'Reilly
>><dara2002-openstack at yahoo.com> wrote:
>>
>>
>>>it is not working because you are using the ovs bridge compatibility
>>>module.
>>>
>>>Re,
>>>Darragh.
>>>
>>>>________________________________
>>>> From: Sebastian Porombka <porombka at uni-paderborn.de>
>>>>To: "openstack-operators at lists.openstack.org"
>>>><openstack-operators at lists.openstack.org>
>>>>Sent: Monday, 2 September 2013, 14:48
>>>>Subject: [Openstack-operators] Quantum Security Groups not working -
>>>>iptables rules are not Evaluated
>>>
>>>>
>>>>
>>>>
>>>>Hi folks.
>>>>
>>>>
>>>>We're currently on the way to deploying an OpenStack (Grizzly) cloud
>>>>environment
>>>>and suffering from problems implementing the security groups as
>>>>described in [1].
>>>>
>>>>
>>>>The (hopefully) relevant configuration settings are:
>>>>
>>>>
>>>>/etc/nova/nova.conf
>>>>[…]
>>>>security_group_api=quantum
>>>>network_api_class=nova.network.quantumv2.api.API
>>>>libvirt_vif_driver=nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver
>>>>firewall_driver=nova.virt.firewall.NoopFirewallDriver
>>>>[…]
>>>>
>>>>
>>>>/etc/quantum/plugins/openvswitch/ovs_quantum_plugin.ini
>>>>[…]
>>>>firewall_driver =
>>>>quantum.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
>>>>[…]
>>>>
>>>>
>>>>The networks for the VMs are attached to the compute nodes via VLAN
>>>>encapsulation and correctly mapped to the VMs.
>>>>
>>>>
>>>>From our point of view - we're understanding the need of the
>>>>"ovs-bridge <> veth glue <> linux-bridge (for filtering) <>
>>>>vm"-construction
>>>>and observed the single components in our deployment. See [2]
>>>>
>>>>
>>>>Everything is working except the security groups.
>>>>We observed that iptables rules are generated for the
>>>>quantum-openvswi-* chains of iptables.
>>>>And the traffic arriving untagged (native vlan for management) on the
>>>>machine is processed by iptables but not
>>>>the traffic which arrived encapsulated.
>>>>
>>>>
>>>>The traffic which is unpacked by openvswitch and is bridged via the
>>>>veth and the tap into
>>>>the machine isn't processed by the iptables rules.
>>>>
>>>>
>>>>We have no remaining clue/idea how to solve this issue… :(
>>>>
>>>>
>>>>Greetings
>>>>   Sebastian
>>>>
>>>>
>>>>[1] 
>>>>http://docs.openstack.org/trunk/openstack-network/admin/content/under_t
>>>>he_hood_openvswitch.html
>>>>[2] http://pastebin.com/WXMH6y4A
>>>>
>>>>
>>>>_______________________________________________
>>>>OpenStack-operators mailing list
>>>>OpenStack-operators at lists.openstack.org
>>>>http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>>
>>-- 
>>
>>Lorin Hochstein
>>
>>Lead Architect - Cloud Services
>>Nimbis Services, Inc.
>>www.nimbisservices.com
>>
>>
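A check for the condition diagnosed in this thread, added here as an example; it is not code from the thread, from OpenStack or from Open vSwitch. It parses `ovs-vsctl show` text and flags any qbr* bridge that appears there: the hybrid plug's qbr* bridges must be Linux bridges, because only then does the VM traffic pass through the quantum-openvswi-* iptables chains, and a qbr* name in `ovs-vsctl show` means brcompat turned it into an OVS bridge. The sample outputs are constructed (the bridge name is borrowed from Darragh's mail); the `brcompat` module name used in the lsmod check follows Lorin's wording and is an assumption about the exact module name.

```shell
#!/bin/sh
# Added example, not from the thread: detect qbr* bridges that were created
# as OVS bridges (the openvswitch-brcompat symptom) instead of Linux bridges.

# Print the names of qbr* bridges found in `ovs-vsctl show` text on stdin.
# ovs-vsctl prints bridges as:    Bridge "qbr0188455b-25"   (quotes optional)
ovs_qbr_bridges() {
    sed -n 's/^[[:space:]]*Bridge "\{0,1\}\(qbr[^"[:space:]]*\)"\{0,1\}.*$/\1/p'
}

# Return 0 when no qbr* bridge is an OVS bridge, 1 otherwise (offenders on stderr).
hybrid_bridges_ok() {
    bad=$(printf '%s\n' "$1" | ovs_qbr_bridges)
    if [ -n "$bad" ]; then
        printf 'qbr bridges created as OVS bridges (brcompat in use?):\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Return 0 when `lsmod` text in $1 shows no brcompat module loaded
# (module name assumed from the thread's wording).
brcompat_unloaded() {
    ! printf '%s\n' "$1" | grep -q '^brcompat'
}

# Constructed sample output: a qbr bridge wrongly living inside OVS.
BROKEN_SHOW='    Bridge br-int
        Port br-int
            Interface br-int
                type: internal
    Bridge "qbr0188455b-25"
        Port "qvb0188455b-25"
            Interface "qvb0188455b-25"
        Port "tap0188455b-25"
            Interface "tap0188455b-25"
    ovs_version: "<constructed>"'

# Constructed sample output after brcompat is removed: only the qvo side of
# the veth pair is an OVS port; the qbr bridge is a plain Linux bridge.
CLEAN_SHOW='    Bridge br-int
        Port "qvo0188455b-25"
            Interface "qvo0188455b-25"
        Port br-int
            Interface br-int
                type: internal
    ovs_version: "<constructed>"'

# Constructed lsmod samples.
LSMOD_BROKEN='Module                  Size  Used by
brcompat               13345  0
openvswitch            83968  1 brcompat'
LSMOD_CLEAN='Module                  Size  Used by
openvswitch            83968  0'

# On a live compute node (real commands; package name from the thread):
#   hybrid_bridges_ok "$(ovs-vsctl show)"
#   brcompat_unloaded "$(lsmod)"
#   dpkg -l openvswitch-brcompat
```

Run the two checks on a compute node before and after removing openvswitch-brcompat: once the package is gone the qbr* names drop out of `ovs-vsctl show`, which is exactly what Sebastian reported, and the iptables chains start seeing the VLAN-decapsulated traffic.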