[Openstack] quantum l2 networks
Ashok Kumaran
ashokkumaran.b at gmail.com
Tue Aug 13 18:09:55 UTC 2013
I guess it's already back-ported to Grizzly 2013.1.3 cycle
https://review.openstack.org/#/c/32679
Best
Ashok
On 13-Aug-2013, at 6:24 PM, Francois Deppierraz <francois at ctrlaltdel.ch>
wrote:
Hi Aaron,
Thanks for the patch!
I was experiencing the same issue as the OP with grizzly installed
from the Ubuntu Cloud Archive with quantum and openvswitch. Adding
security groups to a running instance works well now.
Is there any plan to have it included in the havana release, or even
better patched in grizzly?
Cheers,
François
On 08. 06. 13 11:40, Aaron Rosen wrote:
Hi Daniel,
Thanks for finding this! This is a bug. The code wasn't accounting for the
case where the plugin didn't implement port_security_enabled. Here's a patch
that fixes the issue in the meantime.
Best,
Aaron
--- a/nova/network/security_group/quantum_driver.py
+++ b/nova/network/security_group/quantum_driver.py
@@ -340,8 +340,9 @@ class
SecurityGroupAPI(security_group_base.SecurityGroupBase):
has_ip = port.get('fixed_ips')
if port_security_enabled and has_ip:
return True
- else:
- return False
+ elif 'port_security_enabled' not in port and has_ip:
+ return True
+ return False
@wrap_check_security_groups_policy
def add_to_instance(self, context, instance, security_group_name):
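Review bot: the new elif branch treats a port with no 'port_security_enabled' key as eligible for security groups, but nothing in the code records why. Add a comment there saying the key is absent when the plugin does not implement the port security extension, so a later cleanup does not restore the old else/return False behaviour. Both True branches require has_ip, so they can be folded into a single condition, if has_ip and (port_security_enabled or 'port_security_enabled' not in port): return True, followed by the unconditional return False. A unit test that passes a port dict without the key and with fixed_ips set would pin the fix.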
On Sat, Jun 8, 2013 at 2:14 AM, daniels cai <danxcai at gmail.com> wrote:
nova add-secgroup 24891d97-8d0e-4e99-9537-c8f8291913d0 d11
ERROR: Network requires port_security_enabled and subnet associated
in order to apply security groups. (HTTP 400) (Request-ID:
req-94cb2d54-858b-4843-af53-b373c88bcdc0)
The security group exists:
# quantum security-group-list
+--------------------------------------+---------+------------------+
| id                                   | name    | description      |
+--------------------------------------+---------+------------------+
| 0acc8258-bd9f-4f87-b051-a94dbc1504eb | default | default          |
| 5902febc-e793-4b09-8073-567226d83d79 | d11     | des for firewall |
+--------------------------------------+---------+------------------+
Daniels Cai
http://dnscai.com
2013/6/8 Aaron Rosen <arosen at nicira.com>
You said:
it works, but when I try to attach a security group to an existing
VM, the API throws an error: "Network requires
port_security_enabled and subnet associated in order to apply
security groups."
What command are you running to generate that error?
On Sat, Jun 8, 2013 at 1:45 AM, daniels cai <danxcai at gmail.com> wrote:
Aaron, thanks for your answers, I see it.
We are not using NVP in our environment yet.
My VM is booted with a subnet_id specified.
I am sure about it.
Here is more info:
The VM has an IP "192.168.6.100"; this IP belongs to subnet
83afd693-7e36-41e9-b896-9d8b0d89d255.
This subnet belongs to network "iaas-net"; the network id is
5332f0f7-3156-4961-aa67-0b8507265fa5
# nova list
| 24891d97-8d0e-4e99-9537-c8f8291913d0 | ubuntu-1304-server-amd64 | ACTIVE | iaas-net=192.168.6.100
Here is the quantum network info:
# quantum net-list
+--------------------------------------+------------------+-------------------------------------------------------+
| id                                   | name             | subnets                                               |
+--------------------------------------+------------------+-------------------------------------------------------+
| 5332f0f7-3156-4961-aa67-0b8507265fa5 | iaas-net         | 329ca377-6193-4a0c-9320-471cd5ff762f 192.168.202.0/24 |
|                                      |                  | 83afd693-7e36-41e9-b896-9d8b0d89d255 192.168.6.0/24   |
|                                      |                  | bb1afb2d-ab59-4ba4-8a76-8b5b426b8e33 192.168.7.0/24   |
|                                      |                  | d59794df-bb49-4924-a19f-cbdec0ce24df 192.168.188.0/24 |
|                                      |                  | dca45033-e506-42e4-bf05-aaccd0591c55 192.168.193.0/24 |
|                                      |                  | e8a9be74-2f39-4d7e-9287-c5b85b573cca 192.168.192.0/24 |
I enabled the following features in quantum:
1. namespace
2. overlap ips
If any more info is needed for debugging, I will attach it.
Daniels Cai
http://dnscai.com
2013/6/8 Aaron Rosen <arosen at nicira.com>
There is no port_security_enabled config option. This is
an attribute on a port that is used if the plugin you are
using implements the port_security_extension (which is only
nvp at the time).
I'm guessing your issue is the network you are trying to
boot an instance on does not have a subnet associated with it.
Aaron
On Sat, Jun 8, 2013 at 12:37 AM, daniels cai <danxcai at gmail.com> wrote:
Hi Aaron,
I set the following in nova.conf:
security_group_api=quantum
firewall_driver=nova.virt.firewall.NoopFirewallDriver
It works, but when I try to attach a security group to an
existing VM, the API throws an error:
"Network requires port_security_enabled and subnet
associated in order to apply security groups."
Then I added port_security_enabled in quantum.conf on all nodes:
"port_security_enabled=True"
With no luck, it still doesn't work.
Any advice? Does quantum security group support this
feature?
Daniels Cai
http://dnscai.com
2013/6/8 Aaron Rosen <arosen at nicira.com>
Hi Joe,
I thought setting firewall_driver =
quantum.agent.firewall.NoopFirewallDriver would do the
trick? Also, the ovs plugin does not do any mac spoof
filtering at the OVS level. Those are all done in iptables.
Aaron
On Fri, Jun 7, 2013 at 8:22 PM, Joe Breu <joseph.breu at rackspace.com> wrote:
Hello,
Is there a way to create a quantum l2 network using OVS
that does not have MAC and IP spoofing enabled either in
iptables or OVS? One workaround that we found was to set
the OVS plugin firewall_driver =
quantum.agent.firewall.NoopFirewallDriver to
security_group_api=nova however this is far from ideal and
doesn't solve the problem of MAC spoof filtering at the OVS
level.
Thanks for any help
_______________________________________________
Mailing list: https://launchpad.net/~openstack
Post to : openstack at lists.launchpad.net
<mailto:openstack at lists.launchpad.net<openstack at lists.launchpad.net>
>
Unsubscribe : https://launchpad.net/~openstack
More help : https://help.launchpad.net/ListHelp
_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack at lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack