[Openstack] [openstack-dev] [NOVA][NEUTRON] Whats the correct firewall driver and interface driver to use neutron sec groups in havana

Leandro Reox leandro.reox at gmail.com
Thu Oct 24 14:08:26 UTC 2013


Yup, lovely, BUT... I already tried out that combination and rules are not
getting applied on nova. If you take a look at what I uploaded, I'm using
containers with DockerIO. I was wondering if there's an issue just there,
that security groups with neutron are not working with containers yet, or
the rules should be applied on the proper container namespace ...

I tried:

firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver

And the noop, both on nova conf and ovs plugin.ini, without luck. That's why I
was asking this to the list, because I ran out of ideas/docs to look up.

Best


On Wed, Oct 23, 2013 at 11:58 PM, Robert Collins <robertc at robertcollins.net> wrote:

> (dropping -dev, this is a deployment question).
>
> firewall_driver=neutron.agent.firewall.NoopFirewallDriver
>
> ^ that's your problem. It's a no-op driver, which means no firewall
> rules are applied.
>
>
> http://docs.openstack.org/havana/install-guide/install/yum/content/install-neutron.install-plugin-compute.ovs.html
>
> (applies to apt etc as well - just the first hit from google :))
> covers this part of the setup.
>
> -Rob
>
> On 24 October 2013 01:57, Leandro Reox <leandro.reox at gmail.com> wrote:
> > Hi guys,
> >
> > Seems that I can't find the right combination to get neutron security groups
> > working with nova and OVS
> >
> > - I see the logs on the ovs agent like sec group updated or rule updated
> > - I can configure the rules on neutron without an issue
> >
> > BUT
> >
> > Seems like nova is not doing anything with the rules itself. I don't see
> > any root-wrap event trying to apply an iptables chain; it's like the
> > agent is not passing the order to apply the rules to nova
> >
> > Here is all the nova.conf stuff, and agent logs, and iptables chains:
> > http://pastebin.com/RMgQxFyN
> >
> >
> > I don't know what to try to get this working; maybe I'm using the wrong
> > firewall driver or something? Or do I need, for example, that neutron and
> > nova connect to the same queue??
> >
> > Best
> > Lean
> >
>
>
>
> --
> Robert Collins <rbtcollins at hp.com>
> Distinguished Technologist
> HP Converged Cloud
>
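
A configuration check for the point made in the reply above, added here as an example and not part of either poster's message: it reports the firewall_driver set in each section of a config file and flags the no-op driver. The sample files, the [securitygroup] section name and the last-value-wins handling of a repeated key are assumptions of this example.

```python
import configparser

# Class name of the driver the reply identifies as applying no firewall rules.
NOOP_CLASS = "NoopFirewallDriver"

# Constructed sample configs (not the poster's files). The [securitygroup]
# section name is an assumption of this example.
SAMPLE_NOOP_WINS = """\
[DEFAULT]
verbose = True

[securitygroup]
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
# a leftover line further down silently overrides the one above
firewall_driver = neutron.agent.firewall.NoopFirewallDriver
"""
SAMPLE_HYBRID = """\
[securitygroup]
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
"""


def audit(ini_text):
    """Return [(section, driver, enforces_rules)] for each firewall_driver set."""
    # strict=False keeps the last value of a repeated key instead of raising
    # (assumed here to match how the service resolves duplicates);
    # default_section is renamed so [DEFAULT] is not inherited by other sections.
    parser = configparser.ConfigParser(
        strict=False, interpolation=None, default_section="__unused__")
    parser.read_string(ini_text)
    results = []
    for section in parser.sections():
        driver = parser.get(section, "firewall_driver", fallback="").strip()
        if driver:
            enforces = driver.rsplit(".", 1)[-1] != NOOP_CLASS
            results.append((section, driver, enforces))
    return results


def verdict(ini_text):
    """Summarise a file as 'enforcing', 'no-op' or 'not set'."""
    found = audit(ini_text)
    if not found:
        return "not set"
    return "enforcing" if all(ok for _, _, ok in found) else "no-op"


if __name__ == "__main__":
    for name, text in (("noop wins", SAMPLE_NOOP_WINS), ("hybrid", SAMPLE_HYBRID)):
        print(name, "->", verdict(text), audit(text))
```

Run it against each file that carries a firewall_driver line; a "no-op" or "not set" verdict means that file is not asking for security group rules to be written.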