[Openstack] Security Groups rules applied but ignored...

Martinx - ジェームズ thiagocmartinsc at gmail.com
Tue Oct 29 23:17:58 UTC 2013


At nova.conf, firewall_driver is under [DEFAULT].


On 29 October 2013 20:58, Martinx - ジェームズ <thiagocmartinsc at gmail.com> wrote:

> Hello my friend!   =)
>
> Yes, firewall_driver is under [securitygroup].
>
> ---
> root at net-node-1:~# grep -v ^$ /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini | grep -v ^#
> [ovs]
> tenant_network_type = vxlan
> enable_tunneling = True
> tunnel_type = vxlan
> tunnel_id_ranges = 1:1000
> integration_bridge = br-int
> tunnel_bridge = br-tun
> local_ip = 10.20.2.52
>
> [agent]
> polling_interval = 2
> tunnel_types = vxlan
>
> [securitygroup]
> firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
>
> [database]
> connection = mysql://neutronUser:pofs4433gEW at controller-1.yourdomain.com/neutron
> ---
>
> Aaron, your "nova.conf" that you pasted, IS your ovs_neutron_plugin.ini
> ... Can you re-paste it, please?
>
> Tks!
> Thiago
>
>
> On 29 October 2013 19:50, Aaron Rosen <arosen at nicira.com> wrote:
>
>> Hi Martinx,
>>
>> can you confirm that firewall_driver is under the securitygroup section?
>> I can confirm that the following nova.conf and ovs_neutron_plugin.ini work
>> with security groups:
>>
>> nova.conf http://codepad.org/vH3aIs8f
>> ovs_neutron_plugin.ini - http://codepad.org/vH3aIs8f
>>
>> Aaron
>>
>>
>> On Mon, Oct 28, 2013 at 8:41 PM, Martinx - ジェームズ <
>> thiagocmartinsc at gmail.com> wrote:
>>
>>> The only way I'm seeing to protect your Havana cloud right now (topology
>>> Per-Tenants Router with Private Networks), is by enabling FWaaS...
>>>
>>> That's it! FWaaS installed, Tenant network protected.
>>>
>>> I think that there is a bug with Security Groups in Havana / Neutron...
>>>
>>> Comments?!
>>>
>>> Regards,
>>> Thiago
>>>
>>>
>>> On 28 October 2013 22:18, Martinx - ジェームズ <thiagocmartinsc at gmail.com> wrote:
>>>
>>>> Guys,
>>>>
>>>> A new test to see that the packets currently do not match any iptables
>>>> rules at the compute node, completely bypassing "Security Groups", look:
>>>>
>>>>
>>>> * Instance with ONLY port 80 TCP open:
>>>>
>>>> ---
>>>> root at hypervisor-1:~# *iptables -L neutron-openvswi-i2fa3cfab-a -nv*
>>>> Chain neutron-openvswi-i2fa3cfab-a (1 references)
>>>>   pkts bytes target     prot opt in     out     source               destination
>>>>     0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
>>>>     0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>>>>     0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
>>>>     0     0 RETURN     udp  --  *      *       192.168.50.3         0.0.0.0/0            udp spt:67 dpt:68
>>>>     0     0 neutron-openvswi-sg-fallback  all  --  *      *       0.0.0.0/0            0.0.0.0/0
>>>> ---
>>>>
>>>> Starting to dump TCP data directly on the instance port:
>>>>
>>>> ---
>>>> root at hypervisor-1:~# *tcpdump -ni tap2fa3cfab-a3*
>>>> tcpdump: WARNING: tap2fa3cfab-a3: no IPv4 address assigned
>>>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>>>> listening on tap2fa3cfab-a3, link-type EN10MB (Ethernet), capture size 65535 bytes
>>>> ....
>>>> ---
>>>>
>>>> ...and trying to connect to its port 22 from the Internet (not
>>>> allowed!!):
>>>>
>>>> ---
>>>> thiago at desktop-1:~$ *telnet 189.8.93.69 22*
>>>> Trying 189.8.93.69...
>>>> Connected to 189.8.93.69.
>>>> Escape character is '^]'.
>>>> SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.1
>>>> ---
>>>>
>>>> NOTE: *189.8.93.69* is the 'Floating IP' attached to that Instance and
>>>> *192.168.50.2* is the Instance IP.
>>>>
>>>> ---
>>>> root at hypervisor-1:~# *tcpdump -ni tap2fa3cfab-a3*
>>>> tcpdump: WARNING: tap2fa3cfab-a3: no IPv4 address assigned
>>>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>>>> listening on tap2fa3cfab-a3, link-type EN10MB (Ethernet), capture size 65535 bytes
>>>> 22:13:40.800122 IP 200.232.113.107.7955 > 192.168.50.2.22: Flags [S], seq 2257975349, win 29200, options [mss 1460,sackOK,TS val 52435018 ecr 0,nop,wscale 7], length 0
>>>> 22:13:40.800525 IP 192.168.50.2.22 > 200.232.113.107.7955: Flags [S.], seq 2704020835, ack 2257975350, win 14480, options [mss 1460,sackOK,TS val 703831 ecr 52435018,nop,wscale 2], length 0
>>>> 22:13:40.805484 IP 200.232.113.107.7955 > 192.168.50.2.22: Flags [.], ack 1, win 229, options [nop,nop,TS val 52435019 ecr 703831], length 0
>>>> 22:13:40.821804 IP 192.168.50.2.22 > 200.232.113.107.7955: Flags [P.], seq 1:42, ack 1, win 3620, options [nop,nop,TS val 703837 ecr 52435019], length 41
>>>> 22:13:40.826058 IP 200.232.113.107.7955 > 192.168.50.2.22: Flags [.], ack 42, win 229, options [nop,nop,TS val 52435025 ecr 703837], length 0
>>>> ---
>>>>
>>>> See?! Security Groups are being ignored.
>>>>
>>>> Please, help!
>>>>
>>>> Thanks!   =)
>>>> Thiago
>>>>
>>>>
>>>> On 28 October 2013 22:03, Martinx - ジェームズ <thiagocmartinsc at gmail.com> wrote:
>>>>
>>>>> Okay, I think I got it...
>>>>>
>>>>> Nova should proxy 'Security Groups' calls to Neutron (and not do it by
>>>>> itself), so, it must have:
>>>>>
>>>>> --- nova.conf ---
>>>>> firewall_driver = nova.virt.firewall.NoopFirewallDriver
>>>>> security_group_api = neutron
>>>>> ---
>>>>>
>>>>> At Neutron OVS Agent (ovs_neutron_plugin.ini), you must set:
>>>>>
>>>>> ---
>>>>> firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
>>>>> ---
>>>>>
>>>>> Source:
>>>>> http://docs.openstack.org/havana/install-guide/install/apt/content/install-neutron.install-plugin.ovs.html
>>>>>
>>>>> BUT, it doesn't work.
>>>>>
>>>>> All my Security Groups rules are just being ignored. They are all
>>>>> applied at the Compute Node OVS ports but, no effect at all.
>>>>>
>>>>> Thanks!
>>>>> Thiago
>>>>>
>>>>>
>>>>> On 28 October 2013 21:26, Martinx - ジェームズ <thiagocmartinsc at gmail.com> wrote:
>>>>>
>>>>>> Well,
>>>>>>
>>>>>> Now I'm using "firewall_driver =
>>>>>> nova.virt.firewall.NoopFirewallDriver" for both Nova and Neutron (Open
>>>>>> vSwitch Agent) but, Security Groups rules are applied but ignored.
>>>>>>
>>>>>> Tips!?
>>>>>>
>>>>>> Thanks!
>>>>>> Thiago
>>>>>>
>>>>>>
>>>>>> On 28 October 2013 21:13, Martinx - ジェームズ <thiagocmartinsc at gmail.com> wrote:
>>>>>>
>>>>>>> Guys,
>>>>>>>
>>>>>>> I'm back using "libvirt_vif_driver =
>>>>>>> nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver" (nova-compute.conf) but
>>>>>>> the problem persists for "tenant1".
>>>>>>>
>>>>>>> My nova.conf contains:
>>>>>>>
>>>>>>> ---
>>>>>>> # Network settings
>>>>>>> network_api_class = nova.network.neutronv2.api.API
>>>>>>> neutron_url = http://contrller-1.mydomain.com:9696
>>>>>>> neutron_auth_strategy = keystone
>>>>>>> neutron_admin_tenant_name = service
>>>>>>> neutron_admin_username = neutron
>>>>>>> neutron_admin_password = 123test123
>>>>>>> neutron_admin_auth_url = http://controller-1.mydomain.com:35357/v2.0
>>>>>>>
>>>>>>> linuxnet_interface_driver = nova.network.linux_net.LinuxOVSInterfaceDriver
>>>>>>>
>>>>>>> # If you want Neutron + Nova Security groups
>>>>>>> firewall_driver = nova.virt.firewall.NoopFirewallDriver
>>>>>>> security_group_api = neutron
>>>>>>> ---
>>>>>>>
>>>>>>> Is that a valid configuration for Havana?! I got it from my
>>>>>>> previous Grizzly setup.
>>>>>>>
>>>>>>> Also, I just realized that there are two places to configure the
>>>>>>> "firewall_driver": the first one is located at nova.conf, the second is located
>>>>>>> at "ovs_neutron_plugin.ini" under [securitygroups]. Of course, I believe,
>>>>>>> they must "match", I mean, it must be the same for both services, right?!
>>>>>>>
>>>>>>> Thanks!
>>>>>>> Thiago
>>>>>>>
>>>>>>>
>>>>>>> On 28 October 2013 20:30, Martinx - ジェームズ <thiagocmartinsc at gmail.com> wrote:
>>>>>>>
>>>>>>>> Stackers!
>>>>>>>>
>>>>>>>> I'm trying to configure my Security Groups and I'm seeing that the
>>>>>>>> rules are being applied at the Compute Node OVS ports (iptables /
>>>>>>>> ip6tables) BUT they have no effect (or are just being ignored?).
>>>>>>>>
>>>>>>>> I'm using Ubuntu 12.04.3 + Havana from Cloud Archive.
>>>>>>>>
>>>>>>>>
>>>>>>>> For example:
>>>>>>>>
>>>>>>>> I have 1 Instance with 1 Floating IP attached to it, open port is:
>>>>>>>> 80.
>>>>>>>>
>>>>>>>> Look:
>>>>>>>>
>>>>>>>> ---
>>>>>>>> root at hypervisor-1:~# iptables -L neutron-openvswi-i9cf07c24-7 -nv
>>>>>>>> Chain neutron-openvswi-i9cf07c24-7 (1 references)
>>>>>>>>  pkts bytes target     prot opt in     out     source               destination
>>>>>>>>     0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
>>>>>>>>     0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>>>>>>>>     0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
>>>>>>>>     0     0 RETURN     udp  --  *      *       192.168.50.3         0.0.0.0/0            udp spt:67 dpt:68
>>>>>>>>     0     0 neutron-openvswi-sg-fallback  all  --  *      *       0.0.0.0/0            0.0.0.0/0
>>>>>>>> ---
>>>>>>>>
>>>>>>>>
>>>>>>>> The problem is that the respective Instance still answers SSH to
>>>>>>>> the Internet. I mean, ALL ports are OPEN!! Regardless of what I typed at
>>>>>>>> its Security Groups.
>>>>>>>>
>>>>>>>> I created one "Security Group", called "web", only with TCP port 80
>>>>>>>> on it, nothing more, nothing less. This Instance doesn't belong to the
>>>>>>>> "default" Security Group, only "web".
>>>>>>>>
>>>>>>>> Recently I've changed the *libvirt_vif_driver* from *
>>>>>>>> nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver* to *
>>>>>>>> nova.virt.libvirt.vif.LibvirtOpenVswitchDriver*, maybe it is the
>>>>>>>> cause?!
>>>>>>>>
>>>>>>>> Any tips!?
>>>>>>>>
>>>>>>>> Thanks!
>>>>>>>> Thiago
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>> _______________________________________________
>>> Mailing list:
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>>> Post to     : openstack at lists.openstack.org
>>> Unsubscribe :
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
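The thread's own evidence is the pair of outputs quoted above: every counter in the per-port chain stays at 0 while tcpdump on the tap shows the SSH handshake completing, so the packets never traverse that chain at all. The following Python triage script is an added example, not code from the thread or from OpenStack: it parses an `iptables -L <chain> -nv` dump and reports whether the chain has matched anything, and checks the nova.conf / ovs_neutron_plugin.ini keys the thread converges on. The sample dump and config snippets are constructed in the layout the thread shows.

```python
"""Triage for 'security groups applied but ignored': parse `iptables -L <chain> -nv`
to tell whether the per-port chain ever matched a packet, and check the config
keys the thread settles on. Added example; not code from the thread or OpenStack."""
from configparser import ConfigParser

# Constructed sample in the layout the thread shows: every counter is 0.
SAMPLE_CHAIN = """\
Chain neutron-openvswi-i2fa3cfab-a (1 references)
  pkts bytes target     prot opt in     out     source               destination
     0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
     0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
     0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
     0     0 RETURN     udp  --  *      *       192.168.50.3         0.0.0.0/0            udp spt:67 dpt:68
     0     0 neutron-openvswi-sg-fallback  all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""
# Constructed configs: nova.conf is right; the OVS agent still names the Nova noop driver.
SAMPLE_NOVA = "[DEFAULT]\nfirewall_driver = nova.virt.firewall.NoopFirewallDriver\nsecurity_group_api = neutron\n"
SAMPLE_OVS = "[securitygroup]\nfirewall_driver = nova.virt.firewall.NoopFirewallDriver\n"

def _count(tok):  # iptables -v abbreviates large counters as 12K, 3M, 1G
    mult = {"K": 1000, "M": 10**6, "G": 10**9}
    return int(tok[:-1]) * mult[tok[-1]] if tok[-1] in mult else int(tok)

def parse_chain(text):
    """Return (chain name, [(pkts, target, proto, match text), ...])."""
    lines = text.strip().splitlines()
    name = lines[0].split()[1]  # "Chain <name> (N references)"
    rules = [(_count(f[0]), f[2], f[3], " ".join(f[9:]))
             for f in (ln.split() for ln in lines[2:])]  # skip title + header row
    return name, rules

def chain_in_path(text):
    """All counters still 0 while tcpdump on the tap shows traffic means the chain is
    not in the packet path (iptables only sees VM traffic via the hybrid Linux bridge)."""
    return any(pkts > 0 for pkts, *_ in parse_chain(text)[1])

def check_configs(nova_text, ovs_text):
    """Return the settings that differ from the values the thread converges on."""
    want = [("nova.conf", nova_text, "DEFAULT", "firewall_driver", "nova.virt.firewall.NoopFirewallDriver"),
            ("nova.conf", nova_text, "DEFAULT", "security_group_api", "neutron"),
            ("ovs_neutron_plugin.ini", ovs_text, "securitygroup", "firewall_driver",
             "neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver")]
    problems = []
    for fname, text, sect, key, val in want:
        cp = ConfigParser()
        cp.read_string(text)
        if cp.get(sect, key, fallback=None) != val:
            problems.append(f"{fname} [{sect}] {key} should be {val}")
    return problems
```

Run `chain_in_path` against a fresh `iptables -L <chain> -nv` capture taken while traffic is flowing; a `False` there, combined with a clean `check_configs`, points at the VIF plumbing (the libvirt_vif_driver choice discussed in the thread) rather than at the security group rules themselves.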