[Openstack-operators] Quantum Security Groups not working - iptables rules are not Evaluated

Lorin Hochstein lorin at nimbisservices.com
Thu Sep 5 16:09:39 UTC 2013


Richard:

Yes, Linux bridging is required for all security groups to be applied via iptables, and that's exactly why brcompat needs to be disabled. 

When "brcompat" is enabled, when OpenStack Neutron does "brctl addbr" to create a Linux bridge, Linux actually creates an openvswitch bridge instead(!). That's why everything breaks. 

So, to ensure that the "brctl addbr" commands actually create Linux bridges and not openvswitch bridges, brcompat shouldn't be running. This will ensure that Neutron can properly create Linux bridges when it needs to.

I think brcompat is actually going away altogether, according to this comment on a question I asked on unix.stackexchange.com [1]. While brcompat used to be documented in the openvswitch FAQ [2], it's not in the FAQ anymore [3].

[1]: http://unix.stackexchange.com/questions/89408/equivalent-of-openvswitch-brcompat-on-fedora-rhel-centos
[2]: http://openvswitch.org/pipermail/dev/2012-June/018214.html
[3]: http://git.openvswitch.org/cgi-bin/gitweb.cgi?p=openvswitch;a=blob_plain;f=FAQ;hb=HEAD

Take care,

Lorin
--
Lorin Hochstein
Lead Architect - Cloud Services
Nimbis Services, Inc.
www.nimbisservices.com
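A host-side check for the failure mode Lorin describes above, added here as an example that is not code from this thread, from Open vSwitch or from OpenStack: it parses `ovs-vsctl show` text and reports any qbr* bridge that OVS owns, which is the symptom of brcompat having turned `brctl addbr` into an OVS bridge. The `ovs-vsctl show` sample is constructed, and `check_host` assumes the Ubuntu package name openvswitch-brcompat that Sebastian mentions further down the thread.

```shell
#!/bin/sh
# Added diagnostic for the problem in this thread; not code from the list,
# OVS or OpenStack. With brcompat active, Neutron's "brctl addbr qbrXXX"
# ends up creating an OVS bridge, so the qbr* name shows in `ovs-vsctl show`
# and the iptables chains on the hybrid bridge never see the VM's traffic.

# Constructed sample of `ovs-vsctl show` on an affected host (names that are
# not plain identifiers are printed quoted, as OVS does).
SAMPLE_OVS_SHOW='e3b0c442-98fc-4c14-9afb-f4c8996fb924
    Bridge br-int
        Port "qvo0188455b-25"
            Interface "qvo0188455b-25"
        Port br-int
            Interface br-int
                type: internal
    Bridge "qbr0188455b-25"
        Port "qvb0188455b-25"
            Interface "qvb0188455b-25"
    ovs_version: "1.4.0"'

# Print every bridge name from `ovs-vsctl show` text given as $1, unquoted.
ovs_bridges() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*Bridge[[:space:]]\{1,\}"\{0,1\}\([^"]*\)"\{0,1\}[[:space:]]*$/\1/p'
}

# Print the qbr* bridges that OVS owns. Any hit means brctl was hijacked:
# these must be Linux bridges for OVSHybridIptablesFirewallDriver to filter.
ovs_owned_qbr() {
    ovs_bridges "$1" | grep '^qbr' || true
}

# Count OVS-owned qbr* bridges; 0 is the healthy result.
ovs_owned_qbr_count() {
    ovs_owned_qbr "$1" | grep -c . || true
}

# Live host check (needs root and the openvswitch tools; not run on the sample).
# Remediation per the thread: remove the openvswitch-brcompat package so the
# ovs-brcompatd daemon and brcompat module are gone, then let the agent
# recreate the qbr* bridges as Linux bridges.
check_host() {
    lsmod | grep -q '^brcompat' && echo "brcompat kernel module is loaded"
    pgrep -x ovs-brcompatd >/dev/null && echo "ovs-brcompatd is running"
    dpkg-query -W openvswitch-brcompat 2>/dev/null && echo "openvswitch-brcompat package is installed"
    ovs_owned_qbr "$(ovs-vsctl show)" | sed 's/^/OVS-owned qbr bridge (should be a Linux bridge): /'
}
```

Run `check_host` on a compute node; a clean node prints nothing.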





On Sep 5, 2013, at 11:46 AM, Richard Boswell <richard.boswell at gmail.com> wrote:

> @Lorin, if brcompat is removed how does one use GRE tunnels then? My understanding (or misunderstanding?) from the code is that Linux bridging is required to allow for the security groups to be applied via iptables.
> 
> 
> On Thu, Sep 5, 2013 at 8:00 AM, <openstack-operators-request at lists.openstack.org> wrote:
> 
> Message: 1
> Date: Wed, 4 Sep 2013 11:20:46 -0400
> From: Lorin Hochstein <lorin at nimbisservices.com>
> To: Sebastian Porombka <porombka at uni-paderborn.de>
> Cc: Holger Nitsche <hn at uni-paderborn.de>,
>         "openstack-operators at lists.openstack.org"
>         <openstack-operators at lists.openstack.org>
> Subject: Re: [Openstack-operators] Quantum Security Groups not working
>         - iptables rules are not Evaluated
> Message-ID:
>         <CADzpNMUQT--UcOk1-Q9k-yBj7vMvppz20SHS7xyXR6xOgiAqug at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
> 
> Darragh updated the docs, there's now a warning here:
> 
> http://docs.openstack.org/trunk/openstack-network/admin/content/install_neutron_agent_ovs.html
> 
> 
> 
> On Mon, Sep 2, 2013 at 3:12 PM, Sebastian Porombka <
> porombka at uni-paderborn.de> wrote:
> 
> > Hi
> >
> > Yes, openvswitch-brcompat (as ubuntu package) was installed.
> > Uninstalling the package removes the qbr* interfaces in
> > 'ovs-vsctl show' and solved the problem. Big thanks to you.
> >
> > Maybe a short sentence in the documentation would be nice. :)
> >
> > Greetings
> >   Sebastian
> >
> > --
> > Sebastian Porombka, M.Sc.
> > Zentrum für Informations- und Medientechnologien (IMT)
> > Universität Paderborn
> >
> > E-Mail: porombka at uni-paderborn.de
> > Tel.: 05251/60-5999
> > Fax: 05251/60-48-5999
> > Raum: N5.314
> >
> > --------------------------------------------
> > Q: Why is this email five sentences or less?
> > A: http://five.sentenc.es
> >
> > Please consider the environment before printing this email.
> >
> >
> >
> >
> >
> > On 02.09.13 17:28, "Darragh O'Reilly"
> > <dara2002-openstack at yahoo.com> wrote:
> >
> > >Hi Lorin,
> > >
> > >sure, sorry for the brevity. It seems the brcompat is being used because
> > >qbr0188455b-25 appears in the 'ovs-vsctl show' output - so it was created
> > >as an OVS bridge, but it should have been created as a Linux bridge. I
> > >have never used brcompat, but I believe it intercepts calls from brctl
> > >and configures OVS bridges instead of Linux bridges. I'm not sure how to
> > >uninstall/disable it - it's probably an Operating System package.
> > >
> > >I don't think any Openstack doc says to install/enable it.
> > >
> > >Re,
> > >Darragh.
> > >
> > >>________________________________
> > >> From: Lorin Hochstein <lorin at nimbisservices.com>
> > >>To: Darragh O'Reilly <dara2002-openstack at yahoo.com>
> > >>Cc: Sebastian Porombka <porombka at uni-paderborn.de>;
> > >>"openstack-operators at lists.openstack.org"
> > >><openstack-operators at lists.openstack.org>
> > >>Sent: Monday, 2 September 2013, 16:00
> > >>Subject: Re: [Openstack-operators] Quantum Security Groups not working -
> > >>iptables rules are not Evaluated
> > >>
> > >>
> > >>
> > >>Darragh:
> > >>
> > >>
> > >>Can you elaborate on this a little more? Do you mean that the "brcompat"
> > >>kernel module has been loaded, and this breaks security groups with the
> > >>ovs plugin? Should we add something in the documentation about this?
> > >>
> > >>
> > >>Lorin
> > >>
> > >>
> > >>
> > >>
> > >>Do you mean that the problem is that the ovs-brcompatd service is
> > >>running?
> > >>
> > >>
> > >>openvswitch-brcompat package is installed?
> > >>
> > >>
> > >>
> > >>On Mon, Sep 2, 2013 at 10:21 AM, Darragh O'Reilly
> > >><dara2002-openstack at yahoo.com> wrote:
> > >>
> > >>
> > >>>it is not working because you are using the ovs bridge compatibility
> > >>>module.
> > >>>
> > >>>Re,
> > >>>Darragh.
> > >>>
> > >>>>________________________________
> > >>>> From: Sebastian Porombka <porombka at uni-paderborn.de>
> > >>>>To: "openstack-operators at lists.openstack.org"
> > >>>><openstack-operators at lists.openstack.org>
> > >>>>Sent: Monday, 2 September 2013, 14:48
> > >>>>Subject: [Openstack-operators] Quantum Security Groups not working -
> > >>>>iptables rules are not Evaluated
> > >>>
> > >>>>
> > >>>>
> > >>>>
> > >>>>Hi folks.
> > >>>>
> > >>>>
> > >>>>We're currently on the way to deploy an openstack (grizzly) cloud
> > >>>>environment and suffering from problems implementing the security
> > >>>>groups like described in [1].
> > >>>>
> > >>>>
> > >>>>The (hopefully) relevant configuration settings are:
> > >>>>
> > >>>>
> > >>>>/etc/nova/nova.conf
> > >>>>[...]
> > >>>>security_group_api=quantum
> > >>>>network_api_class=nova.network.quantumv2.api.API
> > >>>>libvirt_vif_driver=nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver
> > >>>>firewall_driver=nova.virt.firewall.NoopFirewallDriver
> > >>>>[...]
> > >>>>
> > >>>>
> > >>>>/etc/quantum/plugins/openvswitch/ovs_quantum_plugin.ini
> > >>>>[...]
> > >>>>firewall_driver =
> > >>>>quantum.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
> > >>>>[...]
> > >>>>
> > >>>>
> > >>>>The networks for the VMs are attached to the compute nodes via VLAN
> > >>>>encapsulation and correctly mapped to the VMs.
> > >>>>
> > >>>>
> > >>>>From our point of view - we're understanding the need of the
> > >>>>"ovs-bridge <> veth glue <> linux-bridge (for filtering) <>
> > >>>>vm"-construction
> > >>>>and observed the single components in our deployment. See [2]
> > >>>>
> > >>>>
> > >>>>Everything is working except the security groups.
> > >>>>We observed that ip-tables rules are generated for the
> > >>>>quantum-openvswi-* chains of iptables.
> > >>>>And the traffic arriving untagged (native vlan for management) on the
> > >>>>machine is processed by iptables but not
> > >>>>the traffic which arrived encapsulated.
> > >>>>
> > >>>>
> > >>>>The traffic which is unpacked by openvswitch and is bridged via the
> > >>>>veth and the tap into
> > >>>>the machine isn't processed by the iptables rules.
> > >>>>
> > >>>>
> > >>>>We have no remaining clue/idea how to solve this issue? :(
> > >>>>
> > >>>>
> > >>>>Greetings
> > >>>>   Sebastian
> > >>>>
> > >>>>
> > >>>>[1] http://docs.openstack.org/trunk/openstack-network/admin/content/under_the_hood_openvswitch.html
> > >>>>[2] http://pastebin.com/WXMH6y4A
> > >>>>
> > >>>>
> > >>>>--
> > >>>>Sebastian Porombka, M.Sc.
> > >>>>Zentrum für Informations- und Medientechnologien (IMT)
> > >>>>Universität Paderborn
> > >>>>
> > >>>>
> > >>>>E-Mail: porombka at uni-paderborn.de
> > >>>>Tel.: 05251/60-5999
> > >>>>Fax: 05251/60-48-5999
> > >>>>Raum: N5.314
> > >>>>
> > >>>>
> > >>>>--------------------------------------------
> > >>>>Q: Why is this email five sentences or less?
> > >>>>A: http://five.sentenc.es
> > >>>>
> > >>>>
> > >>>>Please consider the environment before printing this email.
> > >>>>_______________________________________________
> > >>>>OpenStack-operators mailing list
> > >>>>OpenStack-operators at lists.openstack.org
> > >>>>http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
> > >>>>
> > >>>>
> > >>>>
> > >>>
> > >>>
> > >>
> > >>
> > >>
> > >>--
> > >>
> > >>Lorin Hochstein
> > >>
> > >>Lead Architect - Cloud Services
> > >>Nimbis Services, Inc.
> > >>www.nimbisservices.com
> > >>
> > >>
> >
> >
> >
> 
> 
> --
> Lorin Hochstein
> Lead Architect - Cloud Services
> Nimbis Services, Inc.
> www.nimbisservices.com
