[Openstack] Security Groups rules applied but ignored...
Martinx - ジェームズ
thiagocmartinsc at gmail.com
Mon Oct 28 23:13:27 UTC 2013
Guys,
I'm back using "libvirt_vif_driver =
nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver" (nova-compute.conf) but
the problem persists for "tenant1".
My nova.conf contains:
---
# Network settings
network_api_class = nova.network.neutronv2.api.API
neutron_url = http://contrller-1.mydomain.com:9696
neutron_auth_strategy = keystone
neutron_admin_tenant_name = service
neutron_admin_username = neutron
neutron_admin_password = 123test123
neutron_admin_auth_url = http://controller-1.mydomain.com:35357/v2.0
linuxnet_interface_driver = nova.network.linux_net.LinuxOVSInterfaceDriver
# If you want Neutron + Nova Security groups
firewall_driver = nova.virt.firewall.NoopFirewallDriver
security_group_api = neutron
---
Is that a valid configuration for Havana?! I got it from my previous
Grizzly setup.
Also, I just realized that there are two places to configure the
"firewall_driver": the first one is located at nova.conf, the second is located
at "ovs_neutron_plugin.ini" under [securitygroups]. Of course, I believe
they must "match", I mean, it must be the same for both services, right?!
Thanks!
Thiago
On 28 October 2013 20:30, Martinx - ジェームズ <thiagocmartinsc at gmail.com> wrote:
> Stackers!
>
> I'm trying to configure my Security Groups and I'm seeing that the rules
> are being applied at the Compute Node OVS ports (iptables / ip6tables) BUT
> they have no effect (or are just being ignored?).
>
> I'm using Ubuntu 12.04.3 + Havana from Cloud Archive.
>
>
> For example:
>
> I have 1 Instance with 1 Floating IP attached to it, open port is: 80.
>
> Look:
>
> ---
> root at hypervisor-1:~# iptables -L neutron-openvswi-i9cf07c24-7 -nv
> Chain neutron-openvswi-i9cf07c24-7 (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
>     0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>     0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
>     0     0 RETURN     udp  --  *      *       192.168.50.3         0.0.0.0/0            udp spt:67 dpt:68
>     0     0 neutron-openvswi-sg-fallback  all  --  *      *       0.0.0.0/0            0.0.0.0/0
> ---
>
>
> The problem is that the respective Instance still answers SSH to the
> Internet. I mean, ALL ports are OPEN!! Regardless of what I typed into its
> Security Groups.
>
> I created one "Security Group", called "web", only with TCP port 80 on it,
> nothing more, nothing less. This Instance doesn't belong to the "default"
> Security Group, only "web".
>
> Recently I've changed the *libvirt_vif_driver* from
> *nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver* to
> *nova.virt.libvirt.vif.LibvirtOpenVswitchDriver*, maybe it is the cause?!
>
> Any tips!?
>
> Thanks!
> Thiago
>
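A diagnostic of the kind this thread calls for, added here as an example (not code from the post or from Nova/Neutron): it parses the per-port iptables chain output, lists which new-connection ingress the RETURN rules permit, and flags the case where every packet counter stays at zero while the instance is known to be reachable on other ports, which means traffic is not traversing the chain at all. The chain text is the post's output re-aligned as constructed sample input; the zero-counter heuristic and the function names are my own assumptions.

```python
import re

# Constructed sample: the per-port ingress chain from the post, re-aligned as
# `iptables -L <chain> -nv` prints it. Every counter is zero.
SAMPLE = """\
Chain neutron-openvswi-i9cf07c24-7 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 RETURN     udp  --  *      *       192.168.50.3         0.0.0.0/0            udp spt:67 dpt:68
    0     0 neutron-openvswi-sg-fallback  all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

# pkts bytes target prot opt in out source destination [match options]
RULE = re.compile(r"^\s*(\d+[KMG]?)\s+(\d+[KMG]?)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)"
                  r"\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")
SUFFIX = {"K": 1000, "M": 1000000, "G": 1000000000}

def _count(token):
    """iptables -nv abbreviates large counters as 12K / 3M; expand them."""
    return int(token[:-1]) * SUFFIX[token[-1]] if token[-1] in SUFFIX else int(token)

def parse_chain(text):
    """Return one dict per rule line, skipping the chain and column headers."""
    rules = []
    for line in text.splitlines():
        m = RULE.match(line)
        if not m or line.lstrip().startswith("pkts"):
            continue
        pkts, _bytes, target, proto, _opt, _in, _out, src, dst, extra = m.groups()
        rules.append({"pkts": _count(pkts), "target": target, "proto": proto,
                      "src": src, "dst": dst, "extra": extra.strip()})
    return rules

def allowed_ingress(rules):
    """(proto, dport, source) for every RETURN rule that matches a destination port."""
    out = []
    for r in rules:
        m = re.search(r"dpt:(\d+)", r["extra"])
        if r["target"] == "RETURN" and m:
            out.append((r["proto"], int(m.group(1)), r["src"]))
    return out

def diagnose(rules, instance_reachable=True):
    """Heuristic: if the instance is reachable yet no rule in its chain ever
    counted a packet, the chain is not in the data path (the VIF is plugged
    straight into OVS instead of the hybrid Linux bridge where iptables applies)."""
    if instance_reachable and sum(r["pkts"] for r in rules) == 0:
        return "bypassed"
    return "enforcing"
```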