[Openstack] quantum l2 networks

Aaron Rosen arosen at nicira.com
Tue Aug 13 18:47:22 UTC 2013


Yup, it is.

Aaron


On Tue, Aug 13, 2013 at 11:09 AM, Ashok Kumaran <ashokkumaran.b at gmail.com> wrote:

> I guess it's already back-ported to Grizzly 2013.1.3 cycle
>
> https://review.openstack.org/#/c/32679
>
>
> Best
> Ashok
>
> Sent from my iPhone
>
> On 13-Aug-2013, at 6:24 PM, Francois Deppierraz <francois at ctrlaltdel.ch>
> wrote:
>
> Hi Aaron,
>
> Thanks for the patch!
>
> I was experiencing the same issue as the OP with grizzly installed
> from the Ubuntu Cloud Archive with quantum and openvswitch. Adding
> security groups to a running instance works well now.
>
> Is there any plan to have it included in the havana release, or even
> better patched in grizzly?
>
> Cheers,
>
> François
>
> On 08. 06. 13 11:40, Aaron Rosen wrote:
>
> Hi Daniel,
>
>
> Thanks for finding this! This is a bug. The code wasn't accounting for the
> case where the plugin didn't implement port_security_enabled. Here's a patch
> that fixes the issue in the meantime.
>
>
> Best,
>
>
> Aaron
>
>
> --- a/nova/network/security_group/quantum_driver.py
>
> +++ b/nova/network/security_group/quantum_driver.py
>
> @@ -340,8 +340,9 @@ class
>
> SecurityGroupAPI(security_group_base.SecurityGroupBase):
>
>          has_ip = port.get('fixed_ips')
>
>         if port_security_enabled and has_ip:
>
>             return True
>
> -        else:
>
> -            return False
>
> +        elif 'port_security_enabled' not in port and has_ip:
>
> +            return True
>
> +        return False
>
>
>      @wrap_check_security_groups_policy
>
>     def add_to_instance(self, context, instance, security_group_name):
>
>
>
>
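Review bot: the added `elif 'port_security_enabled' not in port and has_ip:` branch repeats both the `has_ip` test and the `return True` of the `if` directly above it, so the eligibility rule is now split across two conditions that have to be kept in sync. Consider applying the default where `port_security_enabled` is assigned (above the visible lines), for example by reading it with `port.get('port_security_enabled', True)`, so that a single `if port_security_enabled and has_ip:` decides the result. A short comment stating that plugins without the port security extension omit the key from the port dict would explain why absence is treated as enabled, and a unit test that passes a port without the key and with `fixed_ips` set would pin the behaviour down.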
> On Sat, Jun 8, 2013 at 2:14 AM, daniels cai <danxcai at gmail.com> wrote:
>
>    nova add-secgroup 24891d97-8d0e-4e99-9537-c8f8291913d0 d11
>
>    ERROR: Network requires port_security_enabled and subnet associated
>    in order to apply security groups. (HTTP 400) (Request-ID:
>    req-94cb2d54-858b-4843-af53-b373c88bcdc0)
>
>    security group exists
>
>    # quantum security-group-list
>    +--------------------------------------+---------+------------------+
>    | id                                   | name    | description      |
>    +--------------------------------------+---------+------------------+
>    | 0acc8258-bd9f-4f87-b051-a94dbc1504eb | default | default          |
>    | 5902febc-e793-4b09-8073-567226d83d79 | d11     | des for firewall |
>    +--------------------------------------+---------+------------------+
>
>    Daniels Cai
>    http://dnscai.com
>
>
>
>    2013/6/8 Aaron Rosen <arosen at nicira.com>
>
>        You said:
>
>        it works, but when i try to attach a security group to an existing
>        vm, the api throws an error: "Network requires
>        port_security_enabled and subnet associated in order to apply
>        security groups."
>
>        What command are you running to generate that error?
>
>
>
>
>        On Sat, Jun 8, 2013 at 1:45 AM, daniels cai <danxcai at gmail.com> wrote:
>
>            Aaron, thanks for your answers, i see it.
>
>            we are not using nvp in our environment yet.
>
>            my vm is booted with a subnet_id specified.
>            i am sure about it.
>            here is more info:
>
>            vm has an ip "192.168.6.100", this ip belongs to subnet
>            83afd693-7e36-41e9-b896-9d8b0d89d255, this subnet belongs to
>            network "iaas-net", network id is
>            5332f0f7-3156-4961-aa67-0b8507265fa5
>
>            # nova list
>            | 24891d97-8d0e-4e99-9537-c8f8291913d0 | ubuntu-1304-server-amd64 | ACTIVE  | iaas-net=192.168.6.100
>
>            here is quantum network info:
>
>            # quantum net-list
>            +--------------------------------------+------------------+-------------------------------------------------------+
>            | id                                   | name             | subnets                                               |
>            +--------------------------------------+------------------+-------------------------------------------------------+
>            | 5332f0f7-3156-4961-aa67-0b8507265fa5 | iaas-net         | 329ca377-6193-4a0c-9320-471cd5ff762f 192.168.202.0/24 |
>            |                                      |                  | 83afd693-7e36-41e9-b896-9d8b0d89d255 192.168.6.0/24   |
>            |                                      |                  | bb1afb2d-ab59-4ba4-8a76-8b5b426b8e33 192.168.7.0/24   |
>            |                                      |                  | d59794df-bb49-4924-a19f-cbdec0ce24df 192.168.188.0/24 |
>            |                                      |                  | dca45033-e506-42e4-bf05-aaccd0591c55 192.168.193.0/24 |
>            |                                      |                  | e8a9be74-2f39-4d7e-9287-c5b85b573cca 192.168.192.0/24 |
>
>            i enabled the following features in quantum
>            1. namespace
>            2. overlap ips
>
>            if any more info needed for debug, i will attach
>
>            Daniels Cai
>            http://dnscai.com
>
>
>
>            2013/6/8 Aaron Rosen <arosen at nicira.com>
>
> There is no port_security_enabled config option. This is an attribute on a
> port that is used if the plugin you are using implements the
> port_security_extension (which is only nvp at the time).
>
> I'm guessing your issue is the network you are trying to boot an instance
> on does not have a subnet associated with it.
>
> Aaron
>
>
>
> On Sat, Jun 8, 2013 at 12:37 AM, daniels cai <danxcai at gmail.com> wrote:
>
> hi Aaron
>
> i set the following in nova.conf
>
> security_group_api=quantum
> firewall_driver=nova.virt.firewall.NoopFirewallDriver
>
> it works, but when i try to attach a security group to an existing vm, the
> api throws an error:
>
> "Network requires port_security_enabled and subnet associated in order to
> apply security groups."
>
> then i add port_security_enabled in quantum.conf in all nodes.
>
> "port_security_enabled=True"
>
> with no luck, it still doesn't work.
>
> Any advice? does quantum security group support this feature?
>
> Daniels Cai
> http://dnscai.com
>
>
>
> 2013/6/8 Aaron Rosen <arosen at nicira.com>
>
> Hi Joe,
>
> I thought setting firewall_driver =
> quantum.agent.firewall.NoopFirewallDriver would do the trick? Also, the ovs
> plugin does not do any mac spoof filtering at the OVS level. Those are all
> done in iptables.
>
> Aaron
>
>
> On Fri, Jun 7, 2013 at 8:22 PM, Joe Breu <joseph.breu at rackspace.com> wrote:
>
> Hello,
>
> Is there a way to create a quantum l2 network using OVS that does not have
> MAC and IP spoofing enabled either in iptables or OVS?  One workaround that
> we found was to set the OVS plugin firewall_driver =
> quantum.agent.firewall.NoopFirewallDriver to security_group_api=nova however
> this is far from ideal and doesn't solve the problem of MAC spoof filtering
> at the OVS level.
>
> Thanks for any help
>
>
>
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to     : openstack at lists.launchpad.net
> Unsubscribe : https://launchpad.net/~openstack
> More help   : https://help.launchpad.net/ListHelp
>
> _______________________________________________
> Mailing list:
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to     : openstack at lists.openstack.org
> Unsubscribe :
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>