[Openstack] [Neutron] Security groups issue when running latest libvirt?

Martinx - ジェームズ thiagocmartinsc at gmail.com
Tue Nov 5 18:08:57 UTC 2013


Hi!

I'm facing the same problem: Security Groups are there at the OVS ports
(iptables rules), but they have no effect.

Ubuntu 12.04.3 + Havana from Cloud Archive - Topology "Per-Tenant Router
with Private Networks".

Reference:
https://github.com/mseknibilel/OpenStack-Grizzly-Install-Guide/blob/OVS_MultiNode/OpenStack_Grizzly_Install_Guide.rst

Best,
Thiago


On 5 November 2013 11:57, Simon Pasquier <simon.pasquier at bull.net> wrote:

> Hi all,
>
> I'm struggling with security groups on Havana with Neutron and OVS plugin
> (GRE tunnels). No problem to create/delete security group rules but even
> though iptables configuration is updated, traffic to my instances is never
> filtered [0].
>
> I'm running DevStack on 2 nodes (1 controller + 1 compute):
> - OS: Ubuntu 12.04.3 (LTS) with the Havana cloud archive repository.
> - Open vSwitch package version: 1.10.2-0ubuntu2~cloud0
> - libvirt package version: 1.1.1-0ubuntu8~cloud2
> - localrc, nova.conf, neutron.conf and ovs_neutron_plugin.ini files pasted
> at [1] (I didn't modify any of these files after the DevStack run)
>
> According to [2], [3] and [4], iptables is not compatible with TAP devices
> connected directly to Open vSwitch ports, this is why there used to be the
> additional veth + bridge interfaces [5]. But in my setup, this is not the
> case anymore as shown in [6] ('ovs-vsctl show' + 'iptables-save' output).
> I've also pasted the libvirt XML configuration [7] that shows that the
> instance is directly connected to the Open vSwitch.
>
> Are the security groups supposed to work when the instance is directly
> connected to OVS? If yes, what am I doing wrong?
>
> Regards,
>
> [0] http://paste.openstack.org/show/50490/
> [1] http://paste.openstack.org/show/50448/
> [2] http://www.spinics.net/linux/fedora/libvirt-users/msg05384.html
> [3] http://openvswitch.org/pipermail/discuss/2013-October/011461.html
> [4] http://docs.openstack.org/havana/config-reference/content/under_the_hood_openvswitch.html
> [5] http://docs.openstack.org/havana/config-reference/content/figures/7/a/a/common/figures/under-the-hood-scenario-2-ovs-compute.png
> [6] http://paste.openstack.org/show/50486/
> [7] http://paste.openstack.org/show/50487/
> --
> Simon Pasquier
> Software Engineer
> Bull, Architect of an Open World
> Phone: + 33 4 76 29 71 49
> http://www.bull.com
>
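
The check described in Simon's message (is the instance's TAP device plugged straight into Open vSwitch, or through an intermediate Linux bridge where iptables can filter it?), as an added example that is not part of either post. It reads libvirt domain XML such as `virsh dumpxml` output; both XML samples and the device and bridge names in them are constructed, not taken from the pastes in the thread.

```python
import xml.etree.ElementTree as ET

# Constructed sample: TAP attached directly to the OVS integration bridge.
DIRECT_OVS = """<domain type='kvm'>
  <devices>
    <interface type='bridge'>
      <mac address='fa:16:3e:00:00:01'/>
      <source bridge='br-int'/>
      <virtualport type='openvswitch'>
        <parameters interfaceid='00000000-0000-0000-0000-000000000001'/>
      </virtualport>
      <target dev='tap00000000-01'/>
    </interface>
  </devices>
</domain>"""

# Constructed sample: TAP attached to a per-port Linux bridge (name assumed).
VIA_LINUX_BRIDGE = """<domain type='kvm'>
  <devices>
    <interface type='bridge'>
      <mac address='fa:16:3e:00:00:02'/>
      <source bridge='qbr00000000-02'/>
      <target dev='tap00000000-02'/>
    </interface>
  </devices>
</domain>"""

def classify_interfaces(domain_xml):
    """Return (tap_dev, bridge, attachment) for every bridge-type NIC."""
    results = []
    root = ET.fromstring(domain_xml)
    for iface in root.findall("./devices/interface[@type='bridge']"):
        source = iface.find("source")
        target = iface.find("target")
        vport = iface.find("virtualport")
        bridge = source.get("bridge") if source is not None else None
        dev = target.get("dev") if target is not None else None
        # libvirt marks an OVS-attached NIC with <virtualport type='openvswitch'>
        direct = vport is not None and vport.get("type") == "openvswitch"
        results.append((dev, bridge, "direct-ovs" if direct else "linux-bridge"))
    return results

def unfiltered_taps(domain_xml):
    """TAP devices where, per the thread, iptables rules would have no effect."""
    return [d for d, _, kind in classify_interfaces(domain_xml) if kind == "direct-ovs"]
```
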

