[Openstack-operators] Quantum Security Groups not working - iptables rules are not Evaluated

Lorin Hochstein lorin at nimbisservices.com
Wed Sep 4 15:20:46 UTC 2013


Darragh updated the docs, there's now a warning here:

http://docs.openstack.org/trunk/openstack-network/admin/content/install_neutron_agent_ovs.html



On Mon, Sep 2, 2013 at 3:12 PM, Sebastian Porombka <porombka at uni-paderborn.de> wrote:

> Hi
>
> Yes, openvswitch-brcompat (as ubuntu package) was installed.
> Uninstalling the package removes the qbr* interfaces in
> 'ovs-vsctl show' and solved the problem. Big thanks to you.
>
> Maybe a short sentence in the documentation would be nice. :)
>
> Greetings
>   Sebastian
>
> --
> Sebastian Porombka, M.Sc.
> Zentrum für Informations- und Medientechnologien (IMT)
> Universität Paderborn
>
> E-Mail: porombka at uni-paderborn.de
> Tel.: 05251/60-5999
> Fax: 05251/60-48-5999
> Room: N5.314
>
> --------------------------------------------
> Q: Why is this email five sentences or less?
> A: http://five.sentenc.es
>
> Please consider the environment before printing this email.
>
>
>
>
>
> On 02.09.13 at 17:28, "Darragh O'Reilly"
> <dara2002-openstack at yahoo.com> wrote:
>
> >Hi Lorin,
> >
> >sure, sorry for the brevity. It seems the brcompat is being used because
> >qbr0188455b-25 appears in the 'ovs-vsctl show' output - so it was created
> >as an OVS bridge, but it should have been created as a Linux bridge. I
> >have never used brcompat, but I believe it intercepts calls from brctl
> >and configures OVS bridges instead of Linux bridges. I'm not sure how to
> >uninstall/disable it - it's probably an Operating System package.
> >
> >I don't think any Openstack doc says to install/enable it.
> >
> >Re,
> >Darragh.
> >
> >>________________________________
> >> From: Lorin Hochstein <lorin at nimbisservices.com>
> >>To: Darragh O'Reilly <dara2002-openstack at yahoo.com>
> >>Cc: Sebastian Porombka <porombka at uni-paderborn.de>;
> >>"openstack-operators at lists.openstack.org"
> >><openstack-operators at lists.openstack.org>
> >>Sent: Monday, 2 September 2013, 16:00
> >>Subject: Re: [Openstack-operators] Quantum Security Groups not working -
> >>iptables rules are not Evaluated
> >>
> >>
> >>
> >>Darragh:
> >>
> >>
> >>Can you elaborate on this a little more? Do you mean that the "brcompat"
> >>kernel module has been loaded, and this breaks security groups with the
> >>ovs plugin? Should we add something in the documentation about this?
> >>
> >>
> >>Lorin
> >>
> >>
> >>
> >>
> >>Do you mean that the problem is that the ovs-brcompatd service is
> >>running? Or that the openvswitch-brcompat package is installed?
> >>
> >>
> >>
> >>On Mon, Sep 2, 2013 at 10:21 AM, Darragh O'Reilly
> >><dara2002-openstack at yahoo.com> wrote:
> >>
> >>
> >>>It is not working because you are using the ovs bridge compatibility
> >>>module.
> >>>
> >>>Re,
> >>>Darragh.
> >>>
> >>>>________________________________
> >>>> From: Sebastian Porombka <porombka at uni-paderborn.de>
> >>>>To: "openstack-operators at lists.openstack.org"
> >>>><openstack-operators at lists.openstack.org>
> >>>>Sent: Monday, 2 September 2013, 14:48
> >>>>Subject: [Openstack-operators] Quantum Security Groups not working -
> >>>>iptables rules are not Evaluated
> >>>
> >>>>
> >>>>
> >>>>
> >>>>Hi folks.
> >>>>
> >>>>
> >>>>We're currently on the way to deploying an OpenStack (Grizzly) cloud
> >>>>environment and are suffering from problems implementing the security
> >>>>groups as described in [1].
> >>>>
> >>>>
> >>>>The (hopefully) relevant configuration settings are:
> >>>>
> >>>>
> >>>>/etc/nova/nova.conf
> >>>>[...]
> >>>>security_group_api=quantum
> >>>>network_api_class=nova.network.quantumv2.api.API
> >>>>libvirt_vif_driver=nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver
> >>>>firewall_driver=nova.virt.firewall.NoopFirewallDriver
> >>>>[...]
> >>>>
> >>>>
> >>>>/etc/quantum/plugins/openvswitch/ovs_quantum_plugin.ini
> >>>>[...]
> >>>>firewall_driver = quantum.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
> >>>>[...]
> >>>>
> >>>>
> >>>>The networks for the VMs are attached to the compute nodes via VLAN
> >>>>encapsulation and are correctly mapped to the VMs.
> >>>>
> >>>>
> >>>>From our point of view, we understand the need for the
> >>>>"ovs-bridge <> veth glue <> linux-bridge (for filtering) <> vm"
> >>>>construction and have observed the individual components in our
> >>>>deployment. See [2].
> >>>>
> >>>>
> >>>>Everything is working except the security groups.
> >>>>We observed that iptables rules are generated for the
> >>>>quantum-openvswi-* chains of iptables.
> >>>>The traffic arriving untagged (native VLAN for management) on the
> >>>>machine is processed by iptables, but not the traffic which arrived
> >>>>encapsulated.
> >>>>
> >>>>
> >>>>The traffic which is unpacked by openvswitch and bridged via the
> >>>>veth and the tap into the machine isn't processed by the iptables
> >>>>rules.
> >>>>
> >>>>
> >>>>We have no remaining clue/idea how to solve this issue… :(
> >>>>
> >>>>
> >>>>Greetings
> >>>>   Sebastian
> >>>>
> >>>>
> >>>>[1] http://docs.openstack.org/trunk/openstack-network/admin/content/under_the_hood_openvswitch.html
> >>>>[2] http://pastebin.com/WXMH6y4A
> >>>>
> >>>>
> >>>>_______________________________________________
> >>>>OpenStack-operators mailing list
> >>>>OpenStack-operators at lists.openstack.org
> >>>>http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
> >>>>
> >>>>
> >>>>
> >>>
> >>>
> >>
> >>
> >>
> >>--
> >>
> >>Lorin Hochstein
> >>
> >>Lead Architect - Cloud Services
> >>Nimbis Services, Inc.
> >>www.nimbisservices.com
> >>
> >>
>
>
>


-- 
Lorin Hochstein
Lead Architect - Cloud Services
Nimbis Services, Inc.
www.nimbisservices.com
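A check for the failure mode discussed in this thread, added here as an example (it is not code from the thread or from OpenStack): it parses 'ovs-vsctl show' output for qbr* bridges that were created as OVS bridges instead of Linux bridges, and looks for the brcompat module in lsmod output. The sample output and its UUID are constructed; the bridge name qbr0188455b-25 is the one from Darragh's message.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenStack. With the hybrid OVS
# driver every VM port needs a Linux bridge qbrXXX; if brcompat intercepts
# brctl, qbrXXX is created as an OVS bridge and the iptables security-group
# chains never see the VM traffic. Sample output below is constructed; the
# bridge name qbr0188455b-25 is the one from the thread.
SAMPLE_OVS_SHOW=$(cat <<'EOF'
3f1e2d4c-constructed-uuid
    Bridge br-int
        Port "qvo0188455b-25"
            Interface "qvo0188455b-25"
    Bridge "qbr0188455b-25"
        Port "qvb0188455b-25"
            Interface "qvb0188455b-25"
    ovs_version: "1.4.0"
EOF
)

# Print the bridge names found in 'ovs-vsctl show' output ($1), unquoted.
ovs_bridges() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*Bridge "\{0,1\}\([^"]*\)"\{0,1\}[[:space:]]*$/\1/p'
}

# Print qbr* names that are OVS bridges; on a healthy node this is empty.
misplaced_qbr() {
    ovs_bridges "$1" | grep '^qbr' || true
}

# Succeed if 'lsmod' output ($1) lists the brcompat kernel module.
brcompat_loaded() {
    printf '%s\n' "$1" | grep -q '^brcompat[[:space:]]'
}

# Live check for a compute node (needs ovs-vsctl and lsmod); returns 1 on findings.
check_host() {
    rc=0
    if brcompat_loaded "$(lsmod)"; then
        echo "brcompat loaded: remove the openvswitch-brcompat package"; rc=1
    fi
    bad=$(misplaced_qbr "$(ovs-vsctl show)")
    if [ -n "$bad" ]; then
        echo "qbr bridges created as OVS bridges (security groups bypassed):"
        echo "$bad"; rc=1
    fi
    return $rc
}

misplaced_qbr "$SAMPLE_OVS_SHOW"   # prints qbr0188455b-25
```

Run check_host as root on a compute node; any output means the qbr bridge is not a Linux bridge and the security-group iptables chains are being bypassed.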