[Openstack] Security Groups rules applied but ignored...
Martinx - ジェームズ
thiagocmartinsc at gmail.com
Mon Oct 28 23:26:41 UTC 2013
Now I'm using "firewall_driver = nova.virt.firewall.NoopFirewallDriver" for
both Nova and Neutron (Open vSwitch Agent) but, Security Groups rules are
applied but ignored.
On 28 October 2013 21:13, Martinx - ジェームズ <thiagocmartinsc at gmail.com> wrote:
> I'm back using "libvirt_vif_driver =
> nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver" (nova-compute.conf) but
> the problem persist for "tenant1".
> My nova.conf contains:
> # Network settings
> network_api_class = nova.network.neutronv2.api.API
> neutron_url = http://contrller-1.mydomain.com:9696
> neutron_auth_strategy = keystone
> neutron_admin_tenant_name = service
> neutron_admin_username = neutron
> neutron_admin_password = 123test123
> neutron_admin_auth_url = http://controller-1.mydomain.com:35357/v2.0
> linuxnet_interface_driver = nova.network.linux_net.LinuxOVSInterfaceDriver
> # If you want Neutron + Nova Security groups
> firewall_driver = nova.virt.firewall.NoopFirewallDriver
> security_group_api = neutron
> Is that a valid configuration for Havana?! I'm get it from my previous
> Grizzly setup.
> Also, I just realized that, there are two places to configure the
> "firewall_driver", first one is located at nova.conf, the second is located
> at "ovs_neutron_plugin.ini" under [securitygroups], of course, I believe,
> they must "match", I mean, I must be the same for both services, right?!
> On 28 October 2013 20:30, Martinx - ジェームズ <thiagocmartinsc at gmail.com>wrote:
>> I'm trying to configure my Security Groups and, I'm seeing that the rules
>> are being applied at the Compute Node OVS ports (iptables / ip6tables) BUT,
>> it does have no effect (or just being ignored?).
>> I'm using Ubuntu 12.04.3 + Havana from Cloud Archive.
>> For example:
>> I have 1 Instance with 1 Floating IP attached to it, open port is: 80.
>> root at hypervisor-1:~# iptables -L neutron-openvswi-i9cf07c24-7 -nv
>> Chain neutron-openvswi-i9cf07c24-7 (1 references)
>> pkts bytes target prot opt in out source
>> 0 0 DROP all -- * * 0.0.0.0/0
>> 0.0.0.0/0 state INVALID
>> 0 0 RETURN all -- * * 0.0.0.0/0
>> 0.0.0.0/0 state RELATED,ESTABLISHED
>> 0 0 RETURN tcp -- * * 0.0.0.0/0
>> 0.0.0.0/0 tcp dpt:80
>> 0 0 RETURN udp -- * * 192.168.50.3
>> 0.0.0.0/0 udp spt:67 dpt:68
>> 0 0 neutron-openvswi-sg-fallback all -- * *
>> 0.0.0.0/0 0.0.0.0/0
>> The problem is that the respective Instance still answers SSH to the
>> Internet. I mean, ALL ports are OPEN!! Regardless of what I typed at its
>> Security Groups.
>> I created one "Security Group", called "web", only with TCP port 80 on
>> it, nothing more, nothing less. This Instance doesn't belong to the
>> "default" Security Group", only "web".
>> Recently I've changed the *libvirt_vif_driver* from *
>> nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver* to *
>> nova.virt.libvirt.vif.LibvirtOpenVswitchDriver*, maybe it is the cause?!
>> Any tips!?
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Openstack