[Openstack] quantum l2 networks

Ashok Kumaran ashokkumaran.b at gmail.com
Tue Aug 13 18:09:55 UTC 2013


I guess it's already back-ported to Grizzly 2013.1.3 cycle

https://review.openstack.org/#/c/32679


Best
Ashok

Sent from my iPhone

On 13-Aug-2013, at 6:24 PM, Francois Deppierraz <francois at ctrlaltdel.ch>
wrote:

Hi Aaron,

Thanks for the patch!

I was experiencing the same issue than the OP with grizzly installed
from the Ubuntu Cloud Archive with quantum and openvswitch. Adding
security groups to a running instance works well now.

Is there any plan to have it included in the havana release, or even
better patched in grizzly?

Cheers,

Fran├žois

On 08. 06. 13 11:40, Aaron Rosen wrote:

Hi Daniel,


That's for finding this! This is a bug. The code wasn't accounting if

the plugin didn't implement port_security_enabled.  Here's a patch that

fixes the issue in the meantime.


Best,


Aaron


--- a/nova/network/security_group/quantum_driver.py

+++ b/nova/network/security_group/quantum_driver.py

@@ -340,8 +340,9 @@ class

SecurityGroupAPI(security_group_base.SecurityGroupBase):

        has_ip = port.get('fixed_ips')

        if port_security_enabled and has_ip:

            return True

-        else:

-            return False

+        elif 'port_security_enabled' not in port and has_ip:

+            return True

+        return False


    @wrap_check_security_groups_policy

    def add_to_instance(self, context, instance, security_group_name):




On Sat, Jun 8, 2013 at 2:14 AM, daniels cai <danxcai at gmail.com

<mailto:danxcai at gmail.com <danxcai at gmail.com>>> wrote:



   nova add-secgroup 24891d97-8d0e-4e99-9537-c8f8291913d0 d11


   ERROR: Network requires port_security_enabled and subnet associated

   in order to apply security groups. (HTTP 400) (Request-ID:

   req-94cb2d54-858b-4843-af53-b373c88bcdc0)



   security group is exists


   # quantum security-group-list

   +--------------------------------------+---------+------------------+

   | id                                   | name    | description      |

   +--------------------------------------+---------+------------------+

   | 0acc8258-bd9f-4f87-b051-a94dbc1504eb | default | default          |

   | 5902febc-e793-4b09-8073-567226d83d79 | d11     | des for firewall |

   +--------------------------------------+---------+------------------+




   Daniels Cai

   http://dnscai.com



   2013/6/8 Aaron Rosen <arosen at nicira.com
<mailto:arosen at nicira.com<arosen at nicira.com>
>>


       You said:


it works, but when i try to attach a security group to an exist

       vm , api throw an error :"Network requires

port_security_enabled and subnet associated in order to apply

       security groups."


       What command are you running to generate that error?




       On Sat, Jun 8, 2013 at 1:45 AM, daniels cai <danxcai at gmail.com

       <mailto:danxcai at gmail.com <danxcai at gmail.com>>> wrote:


           Aaron , thanks for you answers, i see it.


           we are not useing nvp in our environemnt

           yet.


           my vm is boot with a subnet_id specified

           .

           i am sure about it .

           here is more info:


           vm has an ip "192.168.6.100" , this ip belongs to subnet

           83afd693-7e36-41e9-b896-9d8b0d89d255

           , this subnet belongs to network "iaas-net", network id is

           5332f0f7-3156-4961-aa67-0b8507265fa5


           # nova list


           | 24891d97-8d0e-4e99-9537-c8f8291913d0 |

           ubuntu-1304-server-amd64 | ACTIVE  | iaas-net=192.168.6.100


           here is quantum network info :


           # quantum net-list

           +--------------------------------------+------------------+-------------------------------------------------------+

           | id                                   | name             |

           subnets                                               |

           +--------------------------------------+------------------+-------------------------------------------------------+

           |

           5332f0f7-3156-4961-aa67-0b8507265fa5 | iaas-net         |

           329ca377-6193-4a0c-9320-471cd5ff762f 192.168.202.0/24

           <http://192.168.202.0/24> |

           |                                      |                  |

           83afd693-7e36-41e9-b896-9d8b0d89d255 192.168.6.0/24

           <http://192.168.6.0/24>   |

           |                                      |                  |

           bb1afb2d-ab59-4ba4-8a76-8b5b426b8e33 192.168.7.0/24

           <http://192.168.7.0/24>   |

           |                                      |                  |

           d59794df-bb49-4924-a19f-cbdec0ce24df 192.168.188.0/24

           <http://192.168.188.0/24> |

           |                                      |                  |

           dca45033-e506-42e4-bf05-aaccd0591c55 192.168.193.0/24

           <http://192.168.193.0/24> |

           |                                      |                  |

           e8a9be74-2f39-4d7e-9287-c5b85b573cca 192.168.192.0/24

           <http://192.168.192.0/24> |



           i enabled the following features in quantum

           1. namespace

           2. overlap ips


           if any more info needed for debug, i will attach




           Daniels Cai

           http://dnscai.com



           2013/6/8 Aaron Rosen <arosen at nicira.com

           <mailto:arosen at nicira.com <arosen at nicira.com>>>


There is no port_security_enabled config option. This is

           an attribute on a port that is used if the plugin you are

           using implements the port_security_extension (which is only

           nvp at the time).


I'm guessing your issue is the network you are trying to

           boot an instance on does not have a subnet associated with it.


Aaron



On Sat, Jun 8, 2013 at 12:37 AM, daniels cai

           <danxcai at gmail.com <mailto:danxcai at gmail.com <danxcai at gmail.com>>>
wrote:


hi Aaron

i set the following in nova.conf


security_group_api=quantum

firewall_driver=nova.virt.firewall.NoopFirewallDriver


it works, but when i try to attach a security group to an

           exist vm , api throw an error :


"Network requires port_security_enabled and subnet

           associated in order to apply security groups."


the i add port_security_enabled in quantum.conf in all nodes.

"port_security_enabled=True"


with no luck, it still doesn't work .


Any advice ? does quantum security group support this

           feature?


Daniels Cai

http://dnscai.com



2013/6/8 Aaron Rosen <arosen at nicira.com

           <mailto:arosen at nicira.com <arosen at nicira.com>>>


Hi Joe,


I thought setting firewall_driver =

           quantum.agent.firewall.NoopFirewallDriver would do the

           trick? Also, the ovs plugin does not do any mac spoof

           filtering at the OVS level. Those are all done in iptables.


Aaron


On Fri, Jun 7, 2013 at 8:22 PM, Joe Breu

           <joseph.breu at rackspace.com

           <mailto:joseph.breu at rackspace.com <joseph.breu at rackspace.com>>>
wrote:


Hello,


Is there a way to create a quantum l2 network using OVS

           that does not have MAC and IP spoofing enabled either in

           iptables or OVS?  One workaround that we found was to set

           the OVS plugin firewall_driver =

           quantum.agent.firewall.NoopFirewallDriver to

           security_group_api=nova however this is far from ideal and

           doesn't solve the problem of MAC spoof filtering at the OVS

           level.


Thanks for any help



_______________________________________________

Mailing list: https://launchpad.net/~openstack

Post to     : openstack at lists.launchpad.net

           <mailto:openstack at lists.launchpad.net<openstack at lists.launchpad.net>
>

Unsubscribe : https://launchpad.net/~openstack

More help   : https://help.launchpad.net/ListHelp




_______________________________________________

Mailing list: https://launchpad.net/~openstack

Post to     : openstack at lists.launchpad.net

           <mailto:openstack at lists.launchpad.net<openstack at lists.launchpad.net>
>

Unsubscribe : https://launchpad.net/~openstack

More help   : https://help.launchpad.net/ListHelp










_______________________________________________

Mailing list: https://launchpad.net/~openstack

Post to     : openstack at lists.launchpad.net

Unsubscribe : https://launchpad.net/~openstack

More help   : https://help.launchpad.net/ListHelp




_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to     : openstack at lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20130813/d2ba5be2/attachment.html>


More information about the Openstack mailing list