[Openstack] quantum l2 networks

daniels cai danxcai at gmail.com
Sat Jun 8 09:14:55 UTC 2013


nova add-secgroup 24891d97-8d0e-4e99-9537-c8f8291913d0 d11

ERROR: Network requires port_security_enabled and subnet associated in
order to apply security groups. (HTTP 400) (Request-ID:
req-94cb2d54-858b-4843-af53-b373c88bcdc0)


security group exists

# quantum security-group-list
+--------------------------------------+---------+------------------+
| id                                   | name    | description      |
+--------------------------------------+---------+------------------+
| 0acc8258-bd9f-4f87-b051-a94dbc1504eb | default | default          |
| 5902febc-e793-4b09-8073-567226d83d79 | d11     | des for firewall |
+--------------------------------------+---------+------------------+



Daniels Cai
http://dnscai.com


2013/6/8 Aaron Rosen <arosen at nicira.com>

> You said:
>
> > it works, but when i try to attach a security group to an existing vm, api throws an error: "Network requires port_security_enabled and subnet associated in order to apply security groups."
>
> What command are you running to generate that error?
>
>
>
> On Sat, Jun 8, 2013 at 1:45 AM, daniels cai <danxcai at gmail.com> wrote:
>
>> Aaron, thanks for your answers, i see it.
>>
>> we are not using nvp in our environment yet.
>>
>> my vm is booted with a subnet_id specified.
>> i am sure about it.
>> here is more info:
>>
>> vm has an ip "192.168.6.100", this ip belongs to subnet
>> 83afd693-7e36-41e9-b896-9d8b0d89d255, this subnet belongs to network
>> "iaas-net", network id is 5332f0f7-3156-4961-aa67-0b8507265fa5
>>
>> # nova list
>>
>> | 24891d97-8d0e-4e99-9537-c8f8291913d0 | ubuntu-1304-server-amd64 |
>> ACTIVE  | iaas-net=192.168.6.100
>>
>> here is quantum network info :
>>
>> # quantum net-list
>>
>> +--------------------------------------+------------------+-------------------------------------------------------+
>> | id                                   | name             | subnets                                               |
>> +--------------------------------------+------------------+-------------------------------------------------------+
>> | 5332f0f7-3156-4961-aa67-0b8507265fa5 | iaas-net         | 329ca377-6193-4a0c-9320-471cd5ff762f 192.168.202.0/24 |
>> |                                      |                  | 83afd693-7e36-41e9-b896-9d8b0d89d255 192.168.6.0/24   |
>> |                                      |                  | bb1afb2d-ab59-4ba4-8a76-8b5b426b8e33 192.168.7.0/24   |
>> |                                      |                  | d59794df-bb49-4924-a19f-cbdec0ce24df 192.168.188.0/24 |
>> |                                      |                  | dca45033-e506-42e4-bf05-aaccd0591c55 192.168.193.0/24 |
>> |                                      |                  | e8a9be74-2f39-4d7e-9287-c5b85b573cca 192.168.192.0/24 |
>>
>>
>> i enabled the following features in quantum
>> 1. namespace
>> 2. overlap ips
>>
>> if any more info is needed for debugging, i will attach it
>>
>>
>>
>> Daniels Cai
>> http://dnscai.com
>>
>>
>> 2013/6/8 Aaron Rosen <arosen at nicira.com>
>> >
>> > There is no port_security_enabled config option. This is an attribute on a port that is used if the plugin you are using implements the port_security_extension (which is only nvp at the time).
>> >
>> > I'm guessing your issue is the network you are trying to boot an instance on does not have a subnet associated with it.
>> >
>> > Aaron
>> >
>> >
>> > On Sat, Jun 8, 2013 at 12:37 AM, daniels cai <danxcai at gmail.com> wrote:
>> >>
>> >> hi Aaron
>> >> i set the following in nova.conf
>> >>
>> >> security_group_api=quantum
>> >> firewall_driver=nova.virt.firewall.NoopFirewallDriver
>> >>
>> >> it works, but when i try to attach a security group to an existing vm, api throws an error:
>> >>
>> >> "Network requires port_security_enabled and subnet associated in order to apply security groups."
>> >>
>> >> then i added port_security_enabled in quantum.conf on all nodes.
>> >> "port_security_enabled=True"
>> >>
>> >> with no luck, it still doesn't work.
>> >>
>> >> Any advice? does quantum security group support this feature?
>> >>
>> >> Daniels Cai
>> >> http://dnscai.com
>> >>
>> >>
>> >> 2013/6/8 Aaron Rosen <arosen at nicira.com>
>> >>>
>> >>> Hi Joe,
>> >>>
>> >>> I thought setting firewall_driver = quantum.agent.firewall.NoopFirewallDriver would do the trick? Also, the ovs plugin does not do any mac spoof filtering at the OVS level. Those are all done in iptables.
>> >>>
>> >>> Aaron
>> >>>
>> >>> On Fri, Jun 7, 2013 at 8:22 PM, Joe Breu <joseph.breu at rackspace.com> wrote:
>> >>>>
>> >>>> Hello,
>> >>>>
>> >>>> Is there a way to create a quantum l2 network using OVS that does not have MAC and IP spoofing enabled either in iptables or OVS?  One workaround that we found was to set the OVS plugin firewall_driver = quantum.agent.firewall.NoopFirewallDriver to security_group_api=nova however this is far from ideal and doesn't solve the problem of MAC spoof filtering at the OVS level.
>> >>>>
>> >>>> Thanks for any help
>> >>>>
>> >>>>
>> >>>> _______________________________________________
>> >>>> Mailing list: https://launchpad.net/~openstack
>> >>>> Post to     : openstack at lists.launchpad.net
>> >>>> Unsubscribe : https://launchpad.net/~openstack
>> >>>> More help   : https://help.launchpad.net/ListHelp
>> >>>
>> >>>
>> >>>
>> >>>
>> >>
>> >
>>
>
>