[Openstack-operators] Quantum Security Groups not working - iptables rules are not Evaluated
Lorin Hochstein
lorin at nimbisservices.com
Fri Sep 6 01:42:56 UTC 2013
Richard:
I suspect that's an OVS version issue, but I've never encountered this
myself so I'm not sure.
There's a question about this on ask openstack:
https://ask.openstack.org/en/question/1427/ovs-plugin-error-failed-to-create-ovs-patch-port/
Lorin
On Thu, Sep 5, 2013 at 3:22 PM, Richard Boswell <richard.boswell at gmail.com> wrote:
> Thanks Lorin, I knew brcompat was going away but here's another question
> for you, I have configured Quantum to use GRE without brcompat and I get an
> error message, my assumption up to now is that when brcompat is enabled and
> the module is loaded this error is resolved --> ERROR
> [quantum.plugins.openvswitch.agent.ovs_quantum_agent] Failed to create OVS
> patch port. Cannot have tunneling enabled on this agent, since this version
> of OVS does not support tunnels or patch ports. Agent terminated!
>
> Sooooo I think I'm missing something here. Is this a brcompat error or an
> issue where OVS isn't at the correct version?
>
>
>
> On Thu, Sep 5, 2013 at 12:09 PM, Lorin Hochstein <lorin at nimbisservices.com> wrote:
>
>> Richard:
>>
>> Yes, Linux bridging is required for all security groups to be applied via
>> iptables, and that's exactly why brcompat needs to be disabled.
>>
>> When "brcompat" is enabled and OpenStack Neutron does "brctl addbr" to
>> create a Linux bridge, Linux actually creates an openvswitch bridge
>> instead(!). That's why everything breaks.
>>
>> So, to ensure that the "brctl addbr" commands actually create Linux
>> bridges and not openvswitch bridges, brcompat shouldn't be running. This
>> will ensure that Neutron can properly create Linux bridges when it needs to.
>>
>> I think brcompat is actually going away altogether, according to this
>> comment on a question I asked on unix.stackexchange.com [1]. While
>> brcompat used to be documented in the openvswitch FAQ [2], it's not in the
>> FAQ anymore [3].
>>
>> [1]: http://unix.stackexchange.com/questions/89408/equivalent-of-openvswitch-brcompat-on-fedora-rhel-centos
>> [2]: http://openvswitch.org/pipermail/dev/2012-June/018214.html
>> [3]: http://git.openvswitch.org/cgi-bin/gitweb.cgi?p=openvswitch;a=blob_plain;f=FAQ;hb=HEAD
>>
>> Take care,
>>
>> Lorin
>> --
>> Lorin Hochstein
>> Lead Architect - Cloud Services
>> Nimbis Services, Inc.
>> www.nimbisservices.com
>>
>> On Sep 5, 2013, at 11:46 AM, Richard Boswell <richard.boswell at gmail.com> wrote:
>>
>> @Lorin, if brcompat is removed how does one use GRE tunnels then? My
>> understanding (or misunderstanding?) from the code is that Linux bridging
>> is required to allow for the security groups to be applied via iptables.
>>
>>
>> On Thu, Sep 5, 2013 at 8:00 AM, <openstack-operators-request at lists.openstack.org> wrote:
>>
>>> Date: Wed, 4 Sep 2013 11:20:46 -0400
>>> From: Lorin Hochstein <lorin at nimbisservices.com>
>>> To: Sebastian Porombka <porombka at uni-paderborn.de>
>>> Cc: Holger Nitsche <hn at uni-paderborn.de>, "openstack-operators at lists.openstack.org" <openstack-operators at lists.openstack.org>
>>> Subject: Re: [Openstack-operators] Quantum Security Groups not working - iptables rules are not Evaluated
>>>
>>> Darragh updated the docs, there's now a warning here:
>>>
>>>
>>> http://docs.openstack.org/trunk/openstack-network/admin/content/install_neutron_agent_ovs.html
>>>
>>>
>>>
>>> On Mon, Sep 2, 2013 at 3:12 PM, Sebastian Porombka <porombka at uni-paderborn.de> wrote:
>>>
>>> > Hi
>>> >
>>> > Yes, openvswitch-brcompat (as ubuntu package) was installed.
>>> > Uninstalling the package removes the qbr* interfaces in
>>> > 'ovs-vsctl show' and solved the problem. Big thanks to you.
>>> >
>>> > Maybe a short sentence in the documentation would be nice. :)
>>> >
>>> > Greetings
>>> > Sebastian
>>> >
>>> > --
>>> > Sebastian Porombka, M.Sc.
>>> > Zentrum für Informations- und Medientechnologien (IMT)
>>> > Universität Paderborn
>>> >
>>> > E-Mail: porombka at uni-paderborn.de
>>> > Tel.: 05251/60-5999
>>> > Fax: 05251/60-48-5999
>>> > Room: N5.314
>>> >
>>> > --------------------------------------------
>>> > Q: Why is this email five sentences or less?
>>> > A: http://five.sentenc.es
>>> >
>>> > Please consider the environment before printing this email.
>>> >
>>> >
>>> >
>>> >
>>> >
>>> > On 02.09.13 17:28, "Darragh O'Reilly" <dara2002-openstack at yahoo.com> wrote:
>>> >
>>> > >Hi Lorin,
>>> > >
>>> > >sure, sorry for the brevity. It seems the brcompat is being used because
>>> > >qbr0188455b-25 appears in the 'ovs-vsctl show' output - so it was created
>>> > >as an OVS bridge, but it should have been created as a Linux bridge. I
>>> > >have never used brcompat, but I believe it intercepts calls from brctl
>>> > >and configures OVS bridges instead of Linux bridges. I'm not sure how to
>>> > >uninstall/disable it - it's probably an Operating System package.
>>> > >
>>> > >I don't think any Openstack doc says to install/enable it.
>>> > >
>>> > >Re,
>>> > >Darragh.
>>> > >
>>> > >>________________________________
>>> > >> From: Lorin Hochstein <lorin at nimbisservices.com>
>>> > >>To: Darragh O'Reilly <dara2002-openstack at yahoo.com>
>>> > >>Cc: Sebastian Porombka <porombka at uni-paderborn.de>;
>>> > >>"openstack-operators at lists.openstack.org"
>>> > >><openstack-operators at lists.openstack.org>
>>> > >>Sent: Monday, 2 September 2013, 16:00
>>> > >>Subject: Re: [Openstack-operators] Quantum Security Groups not working - iptables rules are not Evaluated
>>> > >>
>>> > >>
>>> > >>
>>> > >>Darragh:
>>> > >>
>>> > >>
>>> > >>Can you elaborate on this a little more? Do you mean that the "brcompat"
>>> > >>kernel module has been loaded, and this breaks security groups with the
>>> > >>ovs plugin? Should we add something in the documentation about this?
>>> > >>
>>> > >>Lorin
>>> > >>
>>> > >>Do you mean that the problem is that the ovs-brcompatd service is
>>> > >>running? openvswitch-brcompat package is installed?
>>> > >>
>>> > >>On Mon, Sep 2, 2013 at 10:21 AM, Darragh O'Reilly <dara2002-openstack at yahoo.com> wrote:
>>> > >>
>>> > >>
>>> > >>>it is not working because you are using the ovs bridge compatibility
>>> > >>>module.
>>> > >>>
>>> > >>>Re,
>>> > >>>Darragh.
>>> > >>>
>>> > >>>>________________________________
>>> > >>>> From: Sebastian Porombka <porombka at uni-paderborn.de>
>>> > >>>>To: "openstack-operators at lists.openstack.org"
>>> > >>>><openstack-operators at lists.openstack.org>
>>> > >>>>Sent: Monday, 2 September 2013, 14:48
>>> > >>>>Subject: [Openstack-operators] Quantum Security Groups not working - iptables rules are not Evaluated
>>> > >>>
>>> > >>>>
>>> > >>>>
>>> > >>>>
>>> > >>>>Hi folks.
>>> > >>>>
>>> > >>>>
>>> > >>>>We're currently on the way to deploy an openstack (grizzly) cloud
>>> > >>>>environment and suffering from problems implementing the security
>>> > >>>>groups as described in [1].
>>> > >>>>
>>> > >>>>
>>> > >>>>The (hopefully) relevant configuration settings are:
>>> > >>>>
>>> > >>>>
>>> > >>>>/etc/nova/nova.conf
>>> > >>>>[...]
>>> > >>>>security_group_api=quantum
>>> > >>>>network_api_class=nova.network.quantumv2.api.API
>>> > >>>>libvirt_vif_driver=nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver
>>> > >>>>firewall_driver=nova.virt.firewall.NoopFirewallDriver
>>> > >>>>[...]
>>> > >>>>
>>> > >>>>
>>> > >>>>/etc/quantum/plugins/openvswitch/ovs_quantum_plugin.ini
>>> > >>>>[...]
>>> > >>>>firewall_driver = quantum.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
>>> > >>>>[...]
>>> > >>>>
>>> > >>>>
>>> > >>>>The networks for the VMs are attached to the compute nodes via VLAN
>>> > >>>>encapsulation and correctly mapped to the VMs.
>>> > >>>>
>>> > >>>>
>>> > >>>>From our point of view, we understand the need for the
>>> > >>>>"ovs-bridge <> veth glue <> linux-bridge (for filtering) <> vm"
>>> > >>>>construction and have observed the individual components in our
>>> > >>>>deployment. See [2].
>>> > >>>>
>>> > >>>>
>>> > >>>>Everything is working except the security groups.
>>> > >>>>We observed that iptables rules are generated for the
>>> > >>>>quantum-openvswi-* chains of iptables. The traffic arriving untagged
>>> > >>>>(native VLAN for management) on the machine is processed by iptables,
>>> > >>>>but not the traffic which arrived encapsulated.
>>> > >>>>
>>> > >>>>
>>> > >>>>The traffic which is unpacked by openvswitch and bridged via the
>>> > >>>>veth and the tap into the machine isn't processed by the iptables
>>> > >>>>rules.
>>> > >>>>
>>> > >>>>
>>> > >>>>We have no remaining clue how to solve this issue. :(
>>> > >>>>
>>> > >>>>
>>> > >>>>Greetings
>>> > >>>> Sebastian
>>> > >>>>
>>> > >>>>
>>> > >>>>[1] http://docs.openstack.org/trunk/openstack-network/admin/content/under_the_hood_openvswitch.html
>>> > >>>>[2] http://pastebin.com/WXMH6y4A
>>> > >>>>
>>> > >>>>
>>> > >>>>--
>>> > >>>>Sebastian Porombka, M.Sc.
>>> > >>>>Zentrum für Informations- und Medientechnologien (IMT)
>>> > >>>>Universität Paderborn
>>> > >>>>
>>> > >>>>E-Mail: porombka at uni-paderborn.de
>>> > >>>>Tel.: 05251/60-5999
>>> > >>>>Fax: 05251/60-48-5999
>>> > >>>>Room: N5.314
>>> > >>>>
>>> > >>>>
>>> > >>>>_______________________________________________
>>> > >>>>OpenStack-operators mailing list
>>> > >>>>OpenStack-operators at lists.openstack.org
>>> > >>>>http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
>>> > >>>>
>>> > >>>>
>>> > >>>>
>>> > >>>
>>> > >>
>>> > >>
>>> > >>
>>> > >>--
>>> > >>Lorin Hochstein
>>> > >>Lead Architect - Cloud Services
>>> > >>Nimbis Services, Inc.
>>> > >>www.nimbisservices.com
>>> > >>
>>> >
>>>
>>>
>>> --
>>> Lorin Hochstein
>>> Lead Architect - Cloud Services
>>> Nimbis Services, Inc.
>>> www.nimbisservices.com
>>
>>
>>
>
--
Lorin Hochstein
Lead Architect - Cloud Services
Nimbis Services, Inc.
www.nimbisservices.com
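The check below is an added example written for this page; it is not code from the thread, from OpenStack or from Open vSwitch. It automates the diagnosis Darragh made by eye: in the hybrid plug topology (br-int <> qvo/qvb veth pair <> qbr Linux bridge <> tap), every qvo* port on br-int should have a matching qbr* bridge that is a Linux bridge, so that bridge must not appear as a "Bridge" in `ovs-vsctl show`. If it does, brcompat has turned Neutron's `brctl addbr` into an OVS bridge and the quantum-openvswi-* iptables chains never see the VM traffic. The two sample outputs are constructed to mimic `ovs-vsctl show` and are not captures from a real node; the function names and the sysfs helper are assumptions of this example.

```shell
#!/bin/sh
# Added example for this page; not code from the thread, OpenStack or Open vSwitch.
# Diagnoses the brcompat symptom: a qbr* bridge, which must be a Linux bridge for
# the OVSHybridIptablesFirewallDriver chains to see VM traffic, showing up as an
# OVS bridge in `ovs-vsctl show`.
#
# Live use on a compute node (needs ovs-vsctl in PATH, normally as root):
#   ovs-vsctl show | check_hybrid_ports
#
# SAMPLE_BROKEN and SAMPLE_OK are constructed to mimic `ovs-vsctl show`
# output; they are not captures from a real node.
SAMPLE_BROKEN='f0e1d2c3-0000-4000-8000-000000000001
    Bridge br-int
        Port "qvo0188455b-25"
            tag: 1
            Interface "qvo0188455b-25"
        Port br-int
            Interface br-int
                type: internal
    Bridge "qbr0188455b-25"
        Port "qbr0188455b-25"
            Interface "qbr0188455b-25"
                type: internal
        Port "qvb0188455b-25"
            Interface "qvb0188455b-25"
    ovs_version: "1.4.0"'

SAMPLE_OK='f0e1d2c3-0000-4000-8000-000000000002
    Bridge br-int
        Port "qvo0188455b-25"
            tag: 1
            Interface "qvo0188455b-25"
        Port br-int
            Interface br-int
                type: internal
    ovs_version: "1.4.0"'

# Names of every Bridge in `ovs-vsctl show` output read from stdin, quotes stripped.
ovs_bridges() {
    sed -n 's/^[[:space:]]*Bridge "\{0,1\}\([^" ]*\)"\{0,1\}[[:space:]]*$/\1/p'
}

# Port-id suffixes of the qvo* ports (the OVS end of the veth pair).
qvo_port_ids() {
    sed -n 's/^[[:space:]]*Port "\{0,1\}qvo\([^" ]*\)"\{0,1\}[[:space:]]*$/\1/p'
}

# Live-node helper (assumption of this example, not exercised offline): a real
# Linux bridge exposes /sys/class/net/<name>/bridge; an OVS internal port does not.
is_linux_bridge() {
    [ -d "/sys/class/net/$1/bridge" ]
}

# For every qvo port on br-int, the matching qbr<id> must NOT be an OVS bridge.
# Prints one "OK <id>" or "BRCOMPAT <id>" line per port; returns 1 if any is broken.
check_hybrid_ports() {
    input=$(cat)
    bridges=$(printf '%s\n' "$input" | ovs_bridges)
    rc=0
    for id in $(printf '%s\n' "$input" | qvo_port_ids); do
        if printf '%s\n' "$bridges" | grep -qx "qbr$id"; then
            echo "BRCOMPAT $id  qbr$id is an OVS bridge: brcompat hijacked 'brctl addbr'"
            rc=1
        else
            echo "OK $id"
        fi
    done
    return $rc
}
```

A BRCOMPAT line for any port is the situation the thread describes: the qbr* device exists, but as an OVS bridge, so the iptables rules in the quantum-openvswi-* chains are generated yet never evaluated for encapsulated traffic. The check only detects the symptom; the cause is the brcompat kernel module, ovs-brcompatd or the openvswitch-brcompat package being present, and Sebastian's fix was to uninstall that package, after which the qbr* entries disappeared from `ovs-vsctl show`.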