[Openstack] quantum l2 networks
Francois Deppierraz
francois at ctrlaltdel.ch
Tue Aug 13 12:43:52 UTC 2013
Hi Aaron,
Thanks for the patch!
I was experiencing the same issue as the OP with grizzly installed
from the Ubuntu Cloud Archive with quantum and openvswitch. Adding
security groups to a running instance works well now.
Is there any plan to have it included in the havana release, or even
better patched in grizzly?
Cheers,
François
On 08. 06. 13 11:40, Aaron Rosen wrote:
> Hi Daniel,
>
> Thanks for finding this! This is a bug. The code wasn't accounting for
> the plugin not implementing port_security_enabled. Here's a patch that
> fixes the issue in the meantime.
>
> Best,
>
> Aaron
>
> --- a/nova/network/security_group/quantum_driver.py
> +++ b/nova/network/security_group/quantum_driver.py
> @@ -340,8 +340,9 @@ class
> SecurityGroupAPI(security_group_base.SecurityGroupBase):
> has_ip = port.get('fixed_ips')
> if port_security_enabled and has_ip:
> return True
> - else:
> - return False
> + elif 'port_security_enabled' not in port and has_ip:
> + return True
> + return False
>
> @wrap_check_security_groups_policy
> def add_to_instance(self, context, instance, security_group_name):
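
Review bot: the new `elif 'port_security_enabled' not in port and has_ip:` branch treats a missing attribute as permission to apply security groups, and nothing in the code says why. A one-line comment stating that a port without the key comes from a plugin that does not implement the port security extension would keep a later cleanup from folding this case back into the old `else`. Both branches also repeat `has_ip`; checking it once up front and then returning True when the key is absent or truthy would read more clearly, and a unit test with a port dict lacking `port_security_enabled` should accompany the change.
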
>
>
>
> On Sat, Jun 8, 2013 at 2:14 AM, daniels cai <danxcai at gmail.com> wrote:
>
>
> nova add-secgroup 24891d97-8d0e-4e99-9537-c8f8291913d0 d11
>
> ERROR: Network requires port_security_enabled and subnet associated
> in order to apply security groups. (HTTP 400) (Request-ID:
> req-94cb2d54-858b-4843-af53-b373c88bcdc0)
>
>
> security group exists
>
> # quantum security-group-list
> +--------------------------------------+---------+------------------+
> | id                                   | name    | description      |
> +--------------------------------------+---------+------------------+
> | 0acc8258-bd9f-4f87-b051-a94dbc1504eb | default | default          |
> | 5902febc-e793-4b09-8073-567226d83d79 | d11     | des for firewall |
> +--------------------------------------+---------+------------------+
>
>
>
> Daniels Cai
> http://dnscai.com
>
>
> 2013/6/8 Aaron Rosen <arosen at nicira.com>
>
> You said:
>
> > it works, but when I try to attach a security group to an existing
> > vm, the api throws an error: "Network requires port_security_enabled
> > and subnet associated in order to apply security groups."
>
> What command are you running to generate that error?
>
>
>
> On Sat, Jun 8, 2013 at 1:45 AM, daniels cai <danxcai at gmail.com> wrote:
>
> Aaron, thanks for your answers, I see it.
>
> we are not using nvp in our environment yet.
>
> my vm is booted with a subnet_id specified.
> I am sure about it.
> here is more info:
>
> vm has an ip "192.168.6.100", this ip belongs to subnet
> 83afd693-7e36-41e9-b896-9d8b0d89d255, this subnet belongs to
> network "iaas-net", network id is
> 5332f0f7-3156-4961-aa67-0b8507265fa5
>
> # nova list
>
> | 24891d97-8d0e-4e99-9537-c8f8291913d0 | ubuntu-1304-server-amd64 | ACTIVE | iaas-net=192.168.6.100
>
> here is quantum network info:
>
> # quantum net-list
> +--------------------------------------+------------------+-------------------------------------------------------+
> | id                                   | name             | subnets                                               |
> +--------------------------------------+------------------+-------------------------------------------------------+
> | 5332f0f7-3156-4961-aa67-0b8507265fa5 | iaas-net         | 329ca377-6193-4a0c-9320-471cd5ff762f 192.168.202.0/24 |
> |                                      |                  | 83afd693-7e36-41e9-b896-9d8b0d89d255 192.168.6.0/24   |
> |                                      |                  | bb1afb2d-ab59-4ba4-8a76-8b5b426b8e33 192.168.7.0/24   |
> |                                      |                  | d59794df-bb49-4924-a19f-cbdec0ce24df 192.168.188.0/24 |
> |                                      |                  | dca45033-e506-42e4-bf05-aaccd0591c55 192.168.193.0/24 |
> |                                      |                  | e8a9be74-2f39-4d7e-9287-c5b85b573cca 192.168.192.0/24 |
>
>
> I enabled the following features in quantum
> 1. namespace
> 2. overlap ips
>
> if any more info is needed for debugging, I will attach it
>
>
>
> Daniels Cai
> http://dnscai.com
>
>
> 2013/6/8 Aaron Rosen <arosen at nicira.com>
> >
> > There is no port_security_enabled config option. This is an
> > attribute on a port that is used if the plugin you are using
> > implements the port_security_extension (which is only nvp at the
> > time).
> >
> > I'm guessing your issue is the network you are trying to boot an
> > instance on does not have a subnet associated with it.
> >
> > Aaron
> >
> >
> > On Sat, Jun 8, 2013 at 12:37 AM, daniels cai <danxcai at gmail.com> wrote:
> >>
> >> hi Aaron
> >> I set the following in nova.conf
> >>
> >> security_group_api=quantum
> >> firewall_driver=nova.virt.firewall.NoopFirewallDriver
> >>
> >> it works, but when I try to attach a security group to an existing
> >> vm, the api throws an error:
> >>
> >> "Network requires port_security_enabled and subnet associated in
> >> order to apply security groups."
> >>
> >> then I added port_security_enabled in quantum.conf on all nodes.
> >> "port_security_enabled=True"
> >>
> >> with no luck, it still doesn't work.
> >>
> >> Any advice? does quantum security group support this feature?
> >>
> >> Daniels Cai
> >> http://dnscai.com
> >>
> >>
> >> 2013/6/8 Aaron Rosen <arosen at nicira.com>
> >>>
> >>> Hi Joe,
> >>>
> >>> I thought setting firewall_driver =
> >>> quantum.agent.firewall.NoopFirewallDriver would do the trick? Also,
> >>> the ovs plugin does not do any mac spoof filtering at the OVS
> >>> level. Those are all done in iptables.
> >>>
> >>> Aaron
> >>>
> >>> On Fri, Jun 7, 2013 at 8:22 PM, Joe Breu <joseph.breu at rackspace.com> wrote:
> >>>>
> >>>> Hello,
> >>>>
> >>>> Is there a way to create a quantum l2 network using OVS that does
> >>>> not have MAC and IP spoofing enabled either in iptables or OVS?
> >>>> One workaround that we found was to set the OVS plugin
> >>>> firewall_driver = quantum.agent.firewall.NoopFirewallDriver to
> >>>> security_group_api=nova however this is far from ideal and doesn't
> >>>> solve the problem of MAC spoof filtering at the OVS level.
> >>>>
> >>>> Thanks for any help
> >>>>
> >>>>
> >>>> _______________________________________________
> >>>> Mailing list: https://launchpad.net/~openstack
> >>>> Post to : openstack at lists.launchpad.net
> >>>> Unsubscribe : https://launchpad.net/~openstack
> >>>> More help : https://help.launchpad.net/ListHelp
> >>>
> >>>
> >>>
> >>>
> >>
> >
>
>
>
>
>
>