[Openstack] Security Groups rules applied but ignored...

Martinx - ジェームズ thiagocmartinsc at gmail.com
Tue Oct 29 00:03:20 UTC 2013


Okay, I think I got it...

Nova should proxy 'Security Groups' calls to Neutron (and not do it by
itself), so it must have:

--- nova.conf ---
firewall_driver = nova.virt.firewall.NoopFirewallDriver
security_group_api = neutron
---

At Neutron OVS Agent (ovs_neutron_plugin.ini), you must set:

---
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
---

Source:
http://docs.openstack.org/havana/install-guide/install/apt/content/install-neutron.install-plugin.ovs.html

BUT, it doesn't work.

All my Security Groups rules are just being ignored. They are all applied
at the Compute Node OVS ports but have no effect at all.

Thanks!
Thiago


On 28 October 2013 21:26, Martinx - ジェームズ <thiagocmartinsc at gmail.com> wrote:

> Well,
>
> Now I'm using "firewall_driver = nova.virt.firewall.NoopFirewallDriver"
> for both Nova and Neutron (Open vSwitch Agent) but, Security Groups rules
> are applied but ignored.
>
> Tips!?
>
> Thanks!
> Thiago
>
>
> On 28 October 2013 21:13, Martinx - ジェームズ <thiagocmartinsc at gmail.com> wrote:
>
>> Guys,
>>
>> I'm back using "libvirt_vif_driver = nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver"
>> (nova-compute.conf) but the problem persists for "tenant1".
>>
>> My nova.conf contains:
>>
>> ---
>> # Network settings
>> network_api_class = nova.network.neutronv2.api.API
>> neutron_url = http://contrller-1.mydomain.com:9696
>> neutron_auth_strategy = keystone
>> neutron_admin_tenant_name = service
>> neutron_admin_username = neutron
>> neutron_admin_password = 123test123
>> neutron_admin_auth_url = http://controller-1.mydomain.com:35357/v2.0
>>
>> linuxnet_interface_driver = nova.network.linux_net.LinuxOVSInterfaceDriver
>>
>> # If you want Neutron + Nova Security groups
>> firewall_driver = nova.virt.firewall.NoopFirewallDriver
>> security_group_api = neutron
>> ---
>>
>> Is that a valid configuration for Havana?! I got it from my previous
>> Grizzly setup.
>>
>> Also, I just realized that there are two places to configure the
>> "firewall_driver": the first one is located at nova.conf, the second is located
>> at "ovs_neutron_plugin.ini" under [securitygroups]. Of course, I believe
>> they must "match", I mean, it must be the same for both services, right?!
>>
>> Thanks!
>> Thiago
>>
>>
>> On 28 October 2013 20:30, Martinx - ジェームズ <thiagocmartinsc at gmail.com> wrote:
>>
>>> Stackers!
>>>
>>> I'm trying to configure my Security Groups and I'm seeing that the
>>> rules are being applied at the Compute Node OVS ports (iptables /
>>> ip6tables) BUT they have no effect (or are just being ignored?).
>>>
>>> I'm using Ubuntu 12.04.3 + Havana from Cloud Archive.
>>>
>>>
>>> For example:
>>>
>>> I have 1 Instance with 1 Floating IP attached to it, open port is: 80.
>>>
>>> Look:
>>>
>>> ---
>>> root@hypervisor-1:~# iptables -L neutron-openvswi-i9cf07c24-7 -nv
>>> Chain neutron-openvswi-i9cf07c24-7 (1 references)
>>>  pkts bytes target     prot opt in     out     source               destination
>>>     0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
>>>     0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>>>     0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
>>>     0     0 RETURN     udp  --  *      *       192.168.50.3         0.0.0.0/0            udp spt:67 dpt:68
>>>     0     0 neutron-openvswi-sg-fallback  all  --  *      *       0.0.0.0/0            0.0.0.0/0
>>> ---
>>>
>>>
>>> The problem is that the respective Instance still answers SSH to the
>>> Internet. I mean, ALL ports are OPEN!! Regardless of what I typed at its
>>> Security Groups.
>>>
>>> I created one "Security Group", called "web", only with TCP port 80 on
>>> it, nothing more, nothing less. This Instance doesn't belong to the
>>> "default" Security Group", only "web".
>>>
>>> Recently I've changed the *libvirt_vif_driver* from
>>> *nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver* to
>>> *nova.virt.libvirt.vif.LibvirtOpenVswitchDriver*, maybe it is the cause?!
>>>
>>> Any tips!?
>>>
>>> Thanks!
>>> Thiago
>>>
>>
>>
>
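The symptom running through this thread is a per-port ingress chain whose rules are loaded but whose packet counters never move. The following is an added example, not code from the thread or from OpenStack: it parses `iptables -L <chain> -nv` output of the shape quoted above and separates "rules loaded" (what the security group was translated into) from "rules traversed" (whether any packet actually passed through the chain). All-zero counters on a reachable instance mean the guest's traffic is not going through iptables at all, which is what happens when the tap is plugged straight into Open vSwitch (LibvirtOpenVswitchDriver) instead of through the intermediate Linux bridge that the hybrid driver inserts precisely so that iptables can see the frames. The sample chain, its port id and the function names are all constructed for this example.

```python
import re

# Constructed sample shaped like the `iptables -L <chain> -nv` output in the
# thread; the port id in the chain name is a placeholder, not a real port.
SAMPLE_CHAIN = """\
Chain neutron-openvswi-iPORTID00-0 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 RETURN     udp  --  *      *       192.168.50.3         0.0.0.0/0            udp spt:67 dpt:68
    0     0 neutron-openvswi-sg-fallback  all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

_SUFFIX = {"": 1, "K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}


def _counter(token):
    """iptables -v abbreviates large counters as 12K / 3M / 1G."""
    m = re.fullmatch(r"(\d+)([KMG]?)", token)
    if not m:
        raise ValueError("bad counter: %r" % token)
    return int(m.group(1)) * _SUFFIX[m.group(2)]


def parse_chain(text):
    """Return (chain_name, rules); each rule is a dict of the -nv columns."""
    lines = [l for l in text.splitlines() if l.strip()]
    m = re.match(r"Chain (\S+)", lines[0])
    if not m:
        raise ValueError("no chain header")
    rules = []
    for line in lines[2:]:          # skip the header and column-title rows
        cols = line.split(None, 9)  # 9 fixed columns, the rest is match text
        if len(cols) < 9:
            raise ValueError("short rule line: %r" % line)
        rules.append({
            "pkts": _counter(cols[0]),
            "bytes": _counter(cols[1]),
            "target": cols[2],
            "prot": cols[3],
            "source": cols[7],
            "destination": cols[8],
            "extra": cols[9] if len(cols) > 9 else "",
        })
    return m.group(1), rules


def allowed_ingress(rules):
    """(proto, port) pairs explicitly let through: RETURN rules with a dpt: match.
    This is the security group as iptables actually loaded it."""
    allowed = set()
    for r in rules:
        if r["target"] != "RETURN":
            continue
        m = re.search(r"\bdpt:(\d+)", r["extra"])
        if m:
            allowed.add((r["prot"], int(m.group(1))))
    return allowed


def assess_chain(text):
    """Loaded rules vs. traversed rules for one per-port ingress chain."""
    chain, rules = parse_chain(text)
    traffic_seen = any(r["pkts"] > 0 for r in rules)
    if not rules:
        verdict = "empty"
    elif traffic_seen:
        verdict = "enforcing"   # packets are passing through the chain
    else:
        verdict = "bypassed"    # rules loaded, but nothing ever hit them
    return {
        "chain": chain,
        "allowed_ingress": allowed_ingress(rules),
        # Neutron ends the chain with a jump to its sg-fallback (drop) chain.
        "ends_in_sg_fallback": bool(rules) and rules[-1]["target"].endswith("sg-fallback"),
        "traffic_seen": traffic_seen,
        "verdict": verdict,
    }


if __name__ == "__main__":
    report = assess_chain(SAMPLE_CHAIN)
    for key, value in report.items():
        print("%-22s %s" % (key, value))
```

Feed it the real chain (`iptables -L neutron-openvswi-i<port> -nv`) after generating a few connections to the instance: a "bypassed" verdict with an instance that still answers on ports outside `allowed_ingress` points at the VIF plugging (no Linux bridge between the tap and br-int), not at the rule translation, so the place to look is `brctl show` / `ovs-vsctl show` on the compute node rather than the security group definition.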