[Openstack-operators] Quantum Security Groups not working - iptables rules are not Evaluated

Richard Boswell richard.boswell at gmail.com
Thu Sep 5 19:22:12 UTC 2013


Thanks Lorin. I knew brcompat was going away, but here's another question
for you: I have configured Quantum to use GRE without brcompat and I get an
error message. My assumption up to now is that when brcompat is enabled and
the module is loaded this error is resolved --> ERROR
[quantum.plugins.openvswitch.agent.ovs_quantum_agent] Failed to create OVS
patch port. Cannot have tunneling enabled on this agent, since this version
of OVS does not support tunnels or patch ports. Agent terminated!

Sooooo I think I'm missing something here. Is this a brcompat error or an
issue where OVS isn't at the correct version?



On Thu, Sep 5, 2013 at 12:09 PM, Lorin Hochstein
<lorin at nimbisservices.com> wrote:

> Richard:
>
> Yes, Linux bridging is required for all security groups to be applied via
> iptables, and that's exactly why brcompat needs to be disabled.
>
> When "brcompat" is enabled and OpenStack Neutron does "brctl addbr" to
> create a Linux bridge, Linux actually creates an openvswitch bridge
> instead(!). That's why everything breaks.
>
> So, to ensure that the "brctl addbr" commands actually create Linux
> bridges and not openvswitch bridges, brcompat shouldn't be running. This
> will ensure that Neutron can properly create Linux bridges when it needs to.
>
> I think brcompat is actually going away altogether, according to this
> comment on a question I asked on unix.stackexchange.com [1]. While
> brcompat used to be documented in the openvswitch FAQ [2], it's not in the
> FAQ anymore [3].
>
> [1]:
> http://unix.stackexchange.com/questions/89408/equivalent-of-openvswitch-brcompat-on-fedora-rhel-centos
> [2]: http://openvswitch.org/pipermail/dev/2012-June/018214.html
> [3]:
> http://git.openvswitch.org/cgi-bin/gitweb.cgi?p=openvswitch;a=blob_plain;f=FAQ;hb=HEAD
>
> Take care,
>
> Lorin
> --
> Lorin Hochstein
> Lead Architect - Cloud Services
> Nimbis Services, Inc.
> www.nimbisservices.com
>
>
>
>
>
> On Sep 5, 2013, at 11:46 AM, Richard Boswell <richard.boswell at gmail.com>
> wrote:
>
> @Lorin, if brcompat is removed how does one use GRE tunnels then? My
> understanding (or misunderstanding?) from the code is that Linux bridging
> is required to allow the security groups to be applied via iptables.
>
>
> On Thu, Sep 5, 2013 at 8:00 AM, <
> openstack-operators-request at lists.openstack.org> wrote:
>
>> ----------------------------------------------------------------------
>>
>> Message: 1
>> Date: Wed, 4 Sep 2013 11:20:46 -0400
>> From: Lorin Hochstein <lorin at nimbisservices.com>
>> To: Sebastian Porombka <porombka at uni-paderborn.de>
>> Cc: Holger Nitsche <hn at uni-paderborn.de>,
>>         "openstack-operators at lists.openstack.org"
>>         <openstack-operators at lists.openstack.org>
>> Subject: Re: [Openstack-operators] Quantum Security Groups not working
>>         - iptables rules are not Evaluated
>> Message-ID:
>>         <CADzpNMUQT--UcOk1-Q9k-yBj7vMvppz20SHS7xyXR6xOgiAqug at mail.gmail.com>
>> Content-Type: text/plain; charset="utf-8"
>>
>> Darragh updated the docs, there's now a warning here:
>>
>>
>> http://docs.openstack.org/trunk/openstack-network/admin/content/install_neutron_agent_ovs.html
>>
>>
>>
>> On Mon, Sep 2, 2013 at 3:12 PM, Sebastian Porombka <
>> porombka at uni-paderborn.de> wrote:
>>
>> > Hi
>> >
>> > Yes, openvswitch-brcompat (as ubuntu package) was installed.
>> > Uninstalling the package removes the qbr* interfaces in
>> > 'ovs-vsctl show' and solved the problem. Big thanks to you.
>> >
>> > Maybe a short sentence in the documentation would be nice. :)
>> >
>> > Greetings
>> >   Sebastian
>> >
>> > --
>> > Sebastian Porombka, M.Sc.
>> > Zentrum für Informations- und Medientechnologien (IMT)
>> > Universität Paderborn
>> >
>> > E-Mail: porombka at uni-paderborn.de
>> > Tel.: 05251/60-5999
>> > Fax: 05251/60-48-5999
>> > Raum: N5.314
>> >
>> > --------------------------------------------
>> > Q: Why is this email five sentences or less?
>> > A: http://five.sentenc.es
>> >
>> > Please consider the environment before printing this email.
>> >
>> >
>> >
>> >
>> >
>> > On 02.09.13 17:28, "Darragh O'Reilly"
>> > <dara2002-openstack at yahoo.com> wrote:
>> >
>> > >Hi Lorin,
>> > >
>> > >sure, sorry for the brevity. It seems the brcompat is being used because
>> > >qbr0188455b-25 appears in the 'ovs-vsctl show' output - so it was created
>> > >as an OVS bridge, but it should have been created as a Linux bridge. I
>> > >have never used brcompat, but I believe it intercepts calls from brctl
>> > >and configures OVS bridges instead of Linux bridges. I'm not sure how to
>> > >uninstall/disable it - it's probably an Operating System package.
>> > >
>> > >I don't think any Openstack doc says to install/enable it.
>> > >
>> > >Re,
>> > >Darragh.
>> > >
>> > >>________________________________
>> > >> From: Lorin Hochstein <lorin at nimbisservices.com>
>> > >>To: Darragh O'Reilly <dara2002-openstack at yahoo.com>
>> > >>Cc: Sebastian Porombka <porombka at uni-paderborn.de>;
>> > >>"openstack-operators at lists.openstack.org"
>> > >><openstack-operators at lists.openstack.org>
>> > >>Sent: Monday, 2 September 2013, 16:00
>> > >>Subject: Re: [Openstack-operators] Quantum Security Groups not working -
>> > >>iptables rules are not Evaluated
>> > >>
>> > >>
>> > >>
>> > >>Darragh:
>> > >>
>> > >>
>> > >>Can you elaborate on this a little more? Do you mean that the "brcompat"
>> > >>kernel module has been loaded, and this breaks security groups with the
>> > >>ovs plugin? Should we add something in the documentation about this?
>> > >>
>> > >>
>> > >>Lorin
>> > >>
>> > >>
>> > >>
>> > >>
>> > >>Do you mean that the problem is that the ovs-brcompatd service is
>> > >>running?
>> > >>
>> > >>
>> > >>openvswitch-brcompat package is installed?
>> > >>
>> > >>
>> > >>
>> > >>On Mon, Sep 2, 2013 at 10:21 AM, Darragh O'Reilly
>> > >><dara2002-openstack at yahoo.com> wrote:
>> > >>
>> > >>
>> > >>>it is not working because you are using the ovs bridge compatibility
>> > >>>module.
>> > >>>
>> > >>>Re,
>> > >>>Darragh.
>> > >>>
>> > >>>>________________________________
>> > >>>> From: Sebastian Porombka <porombka at uni-paderborn.de>
>> > >>>>To: "openstack-operators at lists.openstack.org"
>> > >>>><openstack-operators at lists.openstack.org>
>> > >>>>Sent: Monday, 2 September 2013, 14:48
>> > >>>>Subject: [Openstack-operators] Quantum Security Groups not working -
>> > >>>>iptables rules are not Evaluated
>> > >>>
>> > >>>>
>> > >>>>
>> > >>>>
>> > >>>>Hi folks.
>> > >>>>
>> > >>>>
>> > >>>>We're currently deploying an openstack (grizzly) cloud environment
>> > >>>>and suffering from problems implementing the security groups as
>> > >>>>described in [1].
>> > >>>>
>> > >>>>
>> > >>>>The (hopefully) relevant configuration settings are:
>> > >>>>
>> > >>>>
>> > >>>>/etc/nova/nova.conf
>> > >>>>[...]
>> > >>>>security_group_api=quantum
>> > >>>>network_api_class=nova.network.quantumv2.api.API
>> > >>>>libvirt_vif_driver=nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver
>> > >>>>firewall_driver=nova.virt.firewall.NoopFirewallDriver
>> > >>>>[...]
>> > >>>>
>> > >>>>
>> > >>>>/etc/quantum/plugins/openvswitch/ovs_quantum_plugin.ini
>> > >>>>[...]
>> > >>>>firewall_driver = quantum.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
>> > >>>>[...]
>> > >>>>
>> > >>>>
>> > >>>>The Networks for the vm's are attached to the compute-nodes via VLAN
>> > >>>>encapsulation and correctly mapped to the vm's.
>> > >>>>
>> > >>>>
>> > >>>>From our point of view, we understand the need for the
>> > >>>>"ovs-bridge <> veth glue <> linux-bridge (for filtering) <>
>> > >>>>vm" construction and have observed the individual components in our
>> > >>>>deployment. See [2]
>> > >>>>
>> > >>>>
>> > >>>>Everything is working except the security groups.
>> > >>>>We observed that iptables rules are generated for the
>> > >>>>quantum-openvswi-* chains of iptables.
>> > >>>>And the traffic arriving untagged (native vlan for management) on the
>> > >>>>machine is processed by iptables, but not
>> > >>>>the traffic which arrived encapsulated.
>> > >>>>
>> > >>>>
>> > >>>>The traffic which is unpacked by openvswitch and is bridged via the
>> > >>>>veth and the tap into
>> > >>>>the machine isn't processed by the iptables rules.
>> > >>>>
>> > >>>>
>> > >>>>We have no remaining clue/idea how to solve this issue. :(
>> > >>>>
>> > >>>>
>> > >>>>Greetings
>> > >>>>   Sebastian
>> > >>>>
>> > >>>>
>> > >>>>[1]
>> > >>>>http://docs.openstack.org/trunk/openstack-network/admin/content/under_the_hood_openvswitch.html
>> > >>>>[2] http://pastebin.com/WXMH6y4A
>> > >>>>
>> > >>>>
>> > >>>>--
>> > >>>>Sebastian Porombka, M.Sc.
>> > >>>>Zentrum für Informations- und Medientechnologien (IMT)
>> > >>>>Universität Paderborn
>> > >>>>
>> > >>>>
>> > >>>>E-Mail: porombka at uni-paderborn.de
>> > >>>>Tel.: 05251/60-5999
>> > >>>>Fax: 05251/60-48-5999
>> > >>>>Raum: N5.314
>> > >>>>
>> > >>>>
>> > >>>>--------------------------------------------
>> > >>>>Q: Why is this email five sentences or less?
>> > >>>>A: http://five.sentenc.es
>> > >>>>
>> > >>>>
>> > >>>>Please consider the environment before printing this email.
>> > >>>>_______________________________________________
>> > >>>>OpenStack-operators mailing list
>> > >>>>OpenStack-operators at lists.openstack.org
>> > >>>>
>> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
>> > >>>>
>> > >>>>
>> > >>>>
>> > >>>
>> > >>>
>> > >>
>> > >>
>> > >>
>> > >>--
>> > >>
>> > >>Lorin Hochstein
>> > >>
>> > >>Lead Architect - Cloud Services
>> > >>Nimbis Services, Inc.
>> > >>www.nimbisservices.com
>> > >>
>> > >>
>> >
>> >
>> >
>>
>>
>> --
>> Lorin Hochstein
>> Lead Architect - Cloud Services
>> Nimbis Services, Inc.
>> www.nimbisservices.com
>>
>> ------------------------------
>>
>>
>>
>> End of OpenStack-operators Digest, Vol 35, Issue 5
>> **************************************************
>>
>
>
>
>
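An added check for the failure mode this thread converged on, written for this page and not taken from the thread, from OpenStack or from Open vSwitch: with brcompat active, the qbr* Linux bridge that the hybrid driver hangs its iptables rules on is silently created as an OVS bridge, so the quantum-openvswi-* chains never see the VM traffic and the security groups are not enforced, with nothing in the agent logs to say so. The script parses 'ovs-vsctl show' output (the same place Darragh spotted qbr0188455b-25; a constructed sample is embedded), compares every qbr* bridge against the bridges the kernel's bridge module actually owns, and also reports brcompat itself. The tool names ovs-vsctl, lsmod and pgrep, the /sys/class/net/<if>/bridge convention, and the assumption that an OVS bridge device has no such sysfs directory are mine, not something the thread states.

```shell
#!/bin/sh
# qbr-check.sh (added example, not from the thread or the OpenStack/OVS projects)
#
# Detects the failure mode above: with brcompat active, "brctl addbr qbrXXX"
# silently creates an Open vSwitch bridge, so the qbr* Linux bridge that the
# OVSHybridIptablesFirewallDriver hangs its iptables rules on never exists and
# the quantum-openvswi-* chains never see VM traffic.
#
# Assumptions (not stated in the thread): ovs-vsctl, lsmod, pgrep and
# /sys/class/net exist on the compute node, and an OVS bridge device has no
# /sys/class/net/<if>/bridge directory (only real Linux bridges do).

# ovs_show_bridges: read "ovs-vsctl show" output on stdin and print one bridge
# name per line.  Handles quoted (Bridge "qbr0188455b-25") and bare (Bridge br-int).
ovs_show_bridges() {
    sed -n 's/^[[:space:]]*Bridge "\{0,1\}\([^"]*\)"\{0,1\}[[:space:]]*$/\1/p'
}

# _in_list NAME LIST: true if NAME is one of the whitespace-separated LIST items.
_in_list() {
    for x in $2; do
        [ "$x" = "$1" ] && return 0
    done
    return 1
}

# qbr_status OVS_BRIDGES LINUX_BRIDGES
#   Both arguments are whitespace-separated bridge-name lists.  Prints one line
#   per qbr* bridge: "<name> linux" (correct, iptables applies) or "<name> ovs"
#   (brcompat hijacked brctl; security groups are NOT enforced for that port).
#   Non-qbr bridges (br-int, br-tun, virbr0, ...) are ignored.
#   Returns 1 if any qbr* bridge is an OVS bridge, 0 otherwise.
qbr_status() {
    ovs_list=$1
    linux_list=$2
    rc=0
    for b in $(printf '%s\n' $ovs_list $linux_list | sort -u); do
        case "$b" in qbr*) ;; *) continue ;; esac
        if _in_list "$b" "$ovs_list"; then
            printf '%s ovs\n' "$b"
            rc=1
        else
            printf '%s linux\n' "$b"
        fi
    done
    return $rc
}

# live_linux_bridges: bridges owned by the kernel's bridge module.
live_linux_bridges() {
    for d in /sys/class/net/*/bridge; do
        [ -d "$d" ] || continue
        d=${d%/bridge}
        printf '%s\n' "${d##*/}"
    done
}

# brcompat_active: kernel module loaded (brcompat, or brcompat_mod on old OVS)
# or the userspace ovs-brcompatd daemon running.
brcompat_active() {
    lsmod 2>/dev/null | grep -q '^brcompat' ||
        pgrep -x ovs-brcompatd >/dev/null 2>&1
}

# Live check: run as root on a compute node with "sh qbr-check.sh --check".
main() {
    if brcompat_active; then
        echo "WARNING: brcompat is active; 'brctl addbr' will create OVS bridges."
    fi
    if ! qbr_status "$(ovs-vsctl show 2>/dev/null | ovs_show_bridges)" \
                    "$(live_linux_bridges)"; then
        echo "FAIL: qbr* bridge(s) are OVS bridges; security groups are not enforced."
        return 1
    fi
    echo "OK: every qbr* bridge is a Linux bridge."
}

# Constructed sample (not captured from a real node) mirroring the symptom
# Darragh pointed out: a qbr* bridge showing up in "ovs-vsctl show".
SAMPLE_OVS_SHOW='00000000-0000-4000-8000-000000000000
    Bridge br-int
        Port br-int
            Interface br-int
                type: internal
    Bridge "qbr0188455b-25"
        Port "qvb0188455b-25"
            Interface "qvb0188455b-25"
    Bridge br-tun
    ovs_version: "1.4.0"'

# demo: classify the sample against a constructed kernel bridge list.
demo() {
    ovs=$(printf '%s\n' "$SAMPLE_OVS_SHOW" | ovs_show_bridges)
    qbr_status "$ovs" "qbrdeadbeef-00 virbr0" ||
        echo "-> the 'ovs' entry above is the brcompat symptom"
}

case "${1:-}" in
    --check) main ;;
    *)       demo ;;   # no argument: run on the constructed sample
esac
```

With no argument the script classifies the constructed sample and reports qbr0188455b-25 as an OVS bridge; with --check it inspects the running node. The important design point is that it does not trust 'brctl show' at all: under brcompat that command is exactly what is being intercepted, so the only honest source for "is this a Linux bridge" is the sysfs bridge directory the kernel bridge module creates.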