[Openstack] Security Groups rules applied but ignored...
Martinx - ジェームズ
thiagocmartinsc at gmail.com
Tue Oct 29 00:03:20 UTC 2013
Okay, I think I got it...
Nova should proxy 'Security Groups' calls to Neutron (and not do it by
itself), so, it must have:
--- nova.conf ---
firewall_driver = nova.virt.firewall.NoopFirewallDriver
security_group_api = neutron
---
At Neutron OVS Agent (ovs_neutron_plugin.ini), you must set:
---
firewall_driver =
neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
---
Source:
http://docs.openstack.org/havana/install-guide/install/apt/content/install-neutron.install-plugin.ovs.html
BUT, it doesn't work.
All my Security Groups rules are just being ignored. They are all applied
at the Compute Node OVS ports but, no effect at all.
Thanks!
Thiago
On 28 October 2013 21:26, Martinx - ジェームズ <thiagocmartinsc at gmail.com> wrote:
> Well,
>
> Now I'm using "firewall_driver = nova.virt.firewall.NoopFirewallDriver"
> for both Nova and Neutron (Open vSwitch Agent) but, Security Groups rules
> are applied but ignored.
>
> Tips!?
>
> Thanks!
> Thiago
>
>
> On 28 October 2013 21:13, Martinx - ジェームズ <thiagocmartinsc at gmail.com>wrote:
>
>> Guys,
>>
>> I'm back using "libvirt_vif_driver =
>> nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver" (nova-compute.conf) but
>> the problem persist for "tenant1".
>>
>> My nova.conf contains:
>>
>> ---
>> # Network settings
>> network_api_class = nova.network.neutronv2.api.API
>> neutron_url = http://contrller-1.mydomain.com:9696
>> neutron_auth_strategy = keystone
>> neutron_admin_tenant_name = service
>> neutron_admin_username = neutron
>> neutron_admin_password = 123test123
>> neutron_admin_auth_url = http://controller-1.mydomain.com:35357/v2.0
>>
>> linuxnet_interface_driver = nova.network.linux_net.LinuxOVSInterfaceDriver
>>
>> # If you want Neutron + Nova Security groups
>> firewall_driver = nova.virt.firewall.NoopFirewallDriver
>> security_group_api = neutron
>> ---
>>
>> Is that a valid configuration for Havana?! I'm get it from my previous
>> Grizzly setup.
>>
>> Also, I just realized that, there are two places to configure the
>> "firewall_driver", first one is located at nova.conf, the second is located
>> at "ovs_neutron_plugin.ini" under [securitygroups], of course, I believe,
>> they must "match", I mean, I must be the same for both services, right?!
>>
>> Thanks!
>> Thiago
>>
>>
>> On 28 October 2013 20:30, Martinx - ジェームズ <thiagocmartinsc at gmail.com>wrote:
>>
>>> Stackers!
>>>
>>> I'm trying to configure my Security Groups and, I'm seeing that the
>>> rules are being applied at the Compute Node OVS ports (iptables /
>>> ip6tables) BUT, it does have no effect (or just being ignored?).
>>>
>>> I'm using Ubuntu 12.04.3 + Havana from Cloud Archive.
>>>
>>>
>>> For example:
>>>
>>> I have 1 Instance with 1 Floating IP attached to it, open port is: 80.
>>>
>>> Look:
>>>
>>> ---
>>> root at hypervisor-1:~# iptables -L neutron-openvswi-i9cf07c24-7 -nv
>>> Chain neutron-openvswi-i9cf07c24-7 (1 references)
>>> pkts bytes target prot opt in out source
>>> destination
>>> 0 0 DROP all -- * * 0.0.0.0/0
>>> 0.0.0.0/0 state INVALID
>>> 0 0 RETURN all -- * * 0.0.0.0/0
>>> 0.0.0.0/0 state RELATED,ESTABLISHED
>>> 0 0 RETURN tcp -- * * 0.0.0.0/0
>>> 0.0.0.0/0 tcp dpt:80
>>> 0 0 RETURN udp -- * * 192.168.50.3
>>> 0.0.0.0/0 udp spt:67 dpt:68
>>> 0 0 neutron-openvswi-sg-fallback all -- * *
>>> 0.0.0.0/0 0.0.0.0/0
>>> ---
>>>
>>>
>>> The problem is that the respective Instance still answers SSH to the
>>> Internet. I mean, ALL ports are OPEN!! Regardless of what I typed at its
>>> Security Groups.
>>>
>>> I created one "Security Group", called "web", only with TCP port 80 on
>>> it, nothing more, nothing less. This Instance doesn't belong to the
>>> "default" Security Group", only "web".
>>>
>>> Recently I've changed the *libvirt_vif_driver* from *
>>> nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver* to *
>>> nova.virt.libvirt.vif.LibvirtOpenVswitchDriver*, maybe it is the cause?!
>>>
>>> Any tips!?
>>>
>>> Thanks!
>>> Thiago
>>>
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20131028/0e5a63e5/attachment.html>
More information about the Openstack
mailing list