[Openstack] [Neutron] Security groups issue when running latest libvirt?
Martinx - ジェームズ
thiagocmartinsc at gmail.com
Thu Nov 7 02:18:00 UTC 2013
That is true... Back to "LibvirtHybridOVSBridgeDriver", Security Groups is
working again...
On 6 November 2013 15:03, Simon Pasquier <simon.pasquier at bull.net> wrote:
> Answering myself as I investigated a little further and cross-posting to
> openstack-dev because I'd like to get feedback from Nova/Neutron devs.
>
> Users running Havana should configure libvirt_vif_driver=nova.virt.
> libvirt.vif.LibvirtHybridOVSBridgeDriver.
> This driver is still available in the Havana release although deprecated.
> AFAIU, this is the only option if you want effective security groups with
> KVM & OVS.
>
> For people using the master branch of nova, sorry but security groups are
> currently broken because LibvirtHybridOVSBridgeDriver is gone ([0]). Joe
> Gordon asked the Neutron devs about it few weeks ago [1] but no answer and
> in another review [2], the conclusion was that the Tempest tests passed
> with Neutron. However I don't see anywhere in the tests ([3], [4]) that we
> check if the security rules allow/block traffic.
>
> It would be nice if core devs could confirm or refute.
>
> Regards,
>
> Simon
>
> [0] https://review.openstack.org/#/c/49660/
> [1] http://lists.openstack.org/pipermail/openstack-dev/2013-
> October/016886.html
> [2] https://review.openstack.org/#/c/44349
> [3] https://github.com/openstack/tempest/blob/master/tempest/
> api/network/test_security_groups.py
> [4] https://github.com/openstack/tempest/blob/master/tempest/
> api/network/test_security_groups_negative.py
>
> Le 05/11/2013 14:57, Simon Pasquier a écrit :
>
> Hi all,
>>
>> I'm struggling with security groups on Havana with Neutron and OVS
>> plugin (GRE tunnels). No problem to create/delete security group rules
>> but even though iptables configuration is updated, traffic to my
>> instances is never filtered [0].
>>
>> I'm running DevStack on 2 nodes (1 controller + 1 compute):
>> - OS: Ubuntu 12.04.3 (LTS) with the Havana cloud archive repository.
>> - Open vSwitch package version: 1.10.2-0ubuntu2~cloud0
>> - libvirt package version: 1.1.1-0ubuntu8~cloud2
>> - localrc, nova.conf, neutron.conf and ovs_neutron_plugin.ini files
>> pasted at [1] (I didn't modify any of these files after the DevStack run)
>>
>> According to [2], [3] and [4], iptables is not compatible with TAP
>> devices connectd directly to Open vSwitch ports, this is why there used
>> to be the additional veth + bridge interfaces [5]. But in my setup, this
>> is not the case anymore as shown in [6] ('ovs-vsctl show' +
>> 'iptables-save' ouptut). I've also pasted the libvirt XML configuration
>> [7] that shows that the instance is directly connected to the Open
>> vSwitch.
>>
>> Are the security groups supposed to work when the instance is directly
>> connected to OVS? If yes, what am I doing wrong?
>>
>> Regards,
>>
>> [0] http://paste.openstack.org/show/50490/
>> [1] http://paste.openstack.org/show/50448/
>> [2] http://www.spinics.net/linux/fedora/libvirt-users/msg05384.html
>> [3] http://openvswitch.org/pipermail/discuss/2013-October/011461.html
>> [4]
>> http://docs.openstack.org/havana/config-reference/content/under_the_hood_
>> openvswitch.html
>>
>> [5]
>> http://docs.openstack.org/havana/config-reference/
>> content/figures/7/a/a/common/figures/under-the-hood-
>> scenario-2-ovs-compute.png
>>
>> [6] http://paste.openstack.org/show/50486/
>> [7] http://paste.openstack.org/show/50487/
>>
>
>
> --
> Simon Pasquier
> Software Engineer
> Bull, Architect of an Open World
> Phone: + 33 4 76 29 71 49
> http://www.bull.com
>
> _______________________________________________
> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/
> openstack
> Post to : openstack at lists.openstack.org
> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/
> openstack
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20131107/48e080f1/attachment.html>
More information about the Openstack
mailing list