[Openstack] quantum l2 networks

Francois Deppierraz francois at ctrlaltdel.ch
Tue Aug 13 12:43:52 UTC 2013


Hi Aaron,

Thanks for the patch!

I was experiencing the same issue as the OP with grizzly installed
from the Ubuntu Cloud Archive with quantum and openvswitch. Adding
security groups to a running instance works well now.

Is there any plan to have it included in the havana release, or even
better patched in grizzly?

Cheers,

François

On 08. 06. 13 11:40, Aaron Rosen wrote:
> Hi Daniel, 
> 
> Thanks for finding this! This is a bug. The code wasn't accounting for
> the case where the plugin didn't implement port_security_enabled. Here's
> a patch that fixes the issue in the meantime.
> 
> Best, 
> 
> Aaron 
> 
> --- a/nova/network/security_group/quantum_driver.py
> +++ b/nova/network/security_group/quantum_driver.py
> @@ -340,8 +340,9 @@ class
> SecurityGroupAPI(security_group_base.SecurityGroupBase):
>          has_ip = port.get('fixed_ips')
>          if port_security_enabled and has_ip:
>              return True
> -        else:
> -            return False
> +        elif 'port_security_enabled' not in port and has_ip:
> +            return True
> +        return False
>  
>      @wrap_check_security_groups_policy
>      def add_to_instance(self, context, instance, security_group_name):
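Review bot: the new `elif 'port_security_enabled' not in port and has_ip` branch gives the intended fallback for plugins that do not implement the port-security extension (a port without the attribute is treated as enabled, while a port carrying an explicit `False` still falls through to `return False`), but the two `has_ip` branches collapse into a single expression: `return bool(has_ip) and port.get('port_security_enabled', True)`. A unit test covering the three port shapes (attribute True, attribute False, attribute absent) would pin down that fallback, since this check is what decides whether `add_to_instance` returns the HTTP 400 quoted in the thread.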
> 
> 
> 
> On Sat, Jun 8, 2013 at 2:14 AM, daniels cai <danxcai at gmail.com> wrote:
> 
>      
>     nova add-secgroup 24891d97-8d0e-4e99-9537-c8f8291913d0 d11
> 
>     ERROR: Network requires port_security_enabled and subnet associated
>     in order to apply security groups. (HTTP 400) (Request-ID:
>     req-94cb2d54-858b-4843-af53-b373c88bcdc0)
> 
> 
>     security group exists
> 
>     # quantum security-group-list 
>     +--------------------------------------+---------+------------------+
>     | id                                   | name    | description      |
>     +--------------------------------------+---------+------------------+
>     | 0acc8258-bd9f-4f87-b051-a94dbc1504eb | default | default          |
>     | 5902febc-e793-4b09-8073-567226d83d79 | d11     | des for firewall |
>     +--------------------------------------+---------+------------------+
> 
> 
> 
>     Daniels Cai
>     http://dnscai.com
> 
> 
>     2013/6/8 Aaron Rosen <arosen at nicira.com>
> 
>         You said: 
> 
>         >it works, but when i try to attach a security group to an exist
>         vm , api throw an error :"Network requires
>         >port_security_enabled and subnet associated in order to apply
>         security groups."
> 
>         What command are you running to generate that error? 
> 
> 
> 
>         On Sat, Jun 8, 2013 at 1:45 AM, daniels cai <danxcai at gmail.com> wrote:
> 
>             Aaron, thanks for your answers, I see it.
> 
>             we are not using nvp in our environment yet.
> 
>             my vm is booted with a subnet_id specified. I am sure about it.
>             here is more info:
> 
>             vm has an ip "192.168.6.100", this ip belongs to subnet 83afd693-7e36-41e9-b896-9d8b0d89d255,
>             this subnet belongs to network "iaas-net", network id is 5332f0f7-3156-4961-aa67-0b8507265fa5
> 
>             # nova list
> 
>             | 24891d97-8d0e-4e99-9537-c8f8291913d0 | ubuntu-1304-server-amd64 | ACTIVE  | iaas-net=192.168.6.100
> 
>             here is quantum network info :
> 
>             # quantum net-list
>             +--------------------------------------+------------------+-------------------------------------------------------+
>             | id                                   | name             | subnets                                               |
>             +--------------------------------------+------------------+-------------------------------------------------------+
>             | 5332f0f7-3156-4961-aa67-0b8507265fa5 | iaas-net         | 329ca377-6193-4a0c-9320-471cd5ff762f 192.168.202.0/24 |
>             |                                      |                  | 83afd693-7e36-41e9-b896-9d8b0d89d255 192.168.6.0/24   |
>             |                                      |                  | bb1afb2d-ab59-4ba4-8a76-8b5b426b8e33 192.168.7.0/24   |
>             |                                      |                  | d59794df-bb49-4924-a19f-cbdec0ce24df 192.168.188.0/24 |
>             |                                      |                  | dca45033-e506-42e4-bf05-aaccd0591c55 192.168.193.0/24 |
>             |                                      |                  | e8a9be74-2f39-4d7e-9287-c5b85b573cca 192.168.192.0/24 |
> 
> 
>             i enabled the following features in quantum
>             1. namespace
>             2. overlap ips
> 
>             if any more info is needed for debugging, I will attach it
> 
> 
> 
>             Daniels Cai
>             http://dnscai.com
> 
> 
>             2013/6/8 Aaron Rosen <arosen at nicira.com>
>             >
>             > There is no port_security_enabled config option. This is
>             an attribute on a port that is used if the plugin you are
>             using implements the port_security_extension (which is only
>             nvp at the time).
>             >
>             > I'm guessing your issue is the network you are trying to
>             boot an instance on does not have a subnet associated with it.
>             >
>             > Aaron
>             >
>             >
>             > On Sat, Jun 8, 2013 at 12:37 AM, daniels cai <danxcai at gmail.com> wrote:
>             >>
>             >> hi Aaron
>             >> i set the following in nova.conf
>             >>
>             >> security_group_api=quantum
>             >> firewall_driver=nova.virt.firewall.NoopFirewallDriver
>             >>
>             >> it works, but when I try to attach a security group to an
>             existing vm, the api throws an error:
>             >>
>             >> "Network requires port_security_enabled and subnet
>             associated in order to apply security groups."
>             >>
>             >> then I added port_security_enabled in quantum.conf on all nodes.
>             >> "port_security_enabled=True"
>             >>
>             >> with no luck, it still doesn't work.
>             >>
>             >> Any advice ? does quantum security group support this
>             feature?
>             >>
>             >> Daniels Cai
>             >> http://dnscai.com
>             >>
>             >>
>             >> 2013/6/8 Aaron Rosen <arosen at nicira.com>
>             >>>
>             >>> Hi Joe,
>             >>>
>             >>> I thought setting firewall_driver =
>             quantum.agent.firewall.NoopFirewallDriver would do the
>             trick? Also, the ovs plugin does not do any mac spoof
>             filtering at the OVS level. Those are all done in iptables.
>             >>>
>             >>> Aaron
>             >>>
>             >>> On Fri, Jun 7, 2013 at 8:22 PM, Joe Breu <joseph.breu at rackspace.com> wrote:
>             >>>>
>             >>>> Hello,
>             >>>>
>             >>>> Is there a way to create a quantum l2 network using OVS
>             that does not have MAC and IP spoofing enabled either in
>             iptables or OVS?  One workaround that we found was to set
>             the OVS plugin firewall_driver =
>             quantum.agent.firewall.NoopFirewallDriver to
>             security_group_api=nova however this is far from ideal and
>             doesn't solve the problem of MAC spoof filtering at the OVS
>             level.
>             >>>>
>             >>>> Thanks for any help
>             >>>>
>             >>>>
>             >>>> _______________________________________________
>             >>>> Mailing list: https://launchpad.net/~openstack
>             >>>> Post to     : openstack at lists.launchpad.net
>             >>>> Unsubscribe : https://launchpad.net/~openstack
>             >>>> More help   : https://help.launchpad.net/ListHelp
>             >>>
>             >>>
>             >>>
>             >>>
>             >>
>             >
> 
> 

