[Openstack] Security Groups rules applied but ignored...

Martinx - ジェームズ thiagocmartinsc at gmail.com
Wed Oct 30 21:48:14 UTC 2013


No problem...    =)

My nova.conf [DEFAULT] section have:

---
firewall_driver = nova.virt.firewall.NoopFirewallDriver
security_group_api = neutron
libvirt_vif_driver = nova.virt.libvirt.vif.LibvirtOpenVswitchDriver
---

But, even with "libvirt_vif_driver =
nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver", it doesn't work as
expected... I can fallback to HybridOVS, if required / recommended (but the
non-hybrid is faster).

Tks,
Thiago


On 30 October 2013 16:14, Aaron Rosen <arosen at nicira.com> wrote:

> Whoops sorry about that: nova.conf - http://codepad.org/howA9b1E
>
> The only settings matter for this would be:
>
> firewall_driver=nova.virt.firewall.NoopFirewallDriversecurity_group_api=quantumlibvirt_vif_driver=nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver
>
>
>
>
> On Tue, Oct 29, 2013 at 4:17 PM, Martinx - ジェームズ <
> thiagocmartinsc at gmail.com> wrote:
>
>> At nova.conf, firewall_driver is under [DEFAULT].
>>
>>
>> On 29 October 2013 20:58, Martinx - ジェームズ <thiagocmartinsc at gmail.com>wrote:
>>
>>> Hello my friend!   =)
>>>
>>> Yes, firewall_driver is under [securitygroup].
>>>
>>> ---
>>> root at net-node-1:~# grep -v ^$
>>> /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini | grep -v ^#
>>> [ovs]
>>> tenant_network_type = vxlan
>>> enable_tunneling = True
>>> tunnel_type = vxlan
>>> tunnel_id_ranges = 1:1000
>>> integration_bridge = br-int
>>> tunnel_bridge = br-tun
>>> local_ip = 10.20.2.52
>>>
>>> [agent]
>>> polling_interval = 2
>>> tunnel_types = vxlan
>>>
>>> [securitygroup]
>>> firewall_driver =
>>> neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
>>>
>>> [database]
>>> connection = mysql://
>>> neutronUser:pofs4433gEW at controller-1.yourdomain.com/neutron
>>> ---
>>>
>>> Aaron, your "nova.conf" that you pasted, IS your ovs_neutron_plugin.ini
>>> ... Can you re-paste it, please?
>>>
>>> Tks!
>>> Thiago
>>>
>>>
>>> On 29 October 2013 19:50, Aaron Rosen <arosen at nicira.com> wrote:
>>>
>>>> Hi Martinx,
>>>>
>>>> can you confirm that firewall_driver is under the securitygroup
>>>> section?  I can confirm that the following nova.conf and
>>>> ovs_neutron_plugin.ini work with security groups:
>>>>
>>>> nova.conf http://codepad.org/vH3aIs8f
>>>> ovs_neutron_plugin.ini - http://codepad.org/vH3aIs8f
>>>>
>>>> Aaron
>>>>
>>>>
>>>> On Mon, Oct 28, 2013 at 8:41 PM, Martinx - ジェームズ <
>>>> thiagocmartinsc at gmail.com> wrote:
>>>>
>>>>> The only way I'm seeing to protect your Havana cloud right now
>>>>> (topology Per-Tenants Router with Private Networks), is by enabling FWaaS...
>>>>>
>>>>> That's it! FWaaS installed, Tenant network protected.
>>>>>
>>>>> I think that there is a bug with Security Groups in Havana / Neutron...
>>>>>
>>>>> Comments?!
>>>>>
>>>>> Regards,
>>>>> Thiago
>>>>>
>>>>>
>>>>> On 28 October 2013 22:18, Martinx - ジェームズ <thiagocmartinsc at gmail.com>wrote:
>>>>>
>>>>>> Guys,
>>>>>>
>>>>>> A new test to see that the packages currently did not mach any
>>>>>> iptables rules at the compute node, completely bypassing "Security Groups",
>>>>>> look:
>>>>>>
>>>>>>
>>>>>> * Instance with ONLY port 80 TCP open:
>>>>>>
>>>>>> ---
>>>>>> root at hypervisor-1:~# *iptables -L neutron-openvswi-i2fa3cfab-a -nv*
>>>>>> Chain neutron-openvswi-i2fa3cfab-a (1 references)
>>>>>>   pkts bytes target     prot opt in     out     source
>>>>>> destination
>>>>>>     0     0 DROP       all  --  *      *       0.0.0.0/0
>>>>>> 0.0.0.0/0            state INVALID
>>>>>>     0     0 RETURN     all  --  *      *       0.0.0.0/0
>>>>>> 0.0.0.0/0            state RELATED,ESTABLISHED
>>>>>>     0     0 RETURN     tcp  --  *      *       0.0.0.0/0
>>>>>> 0.0.0.0/0            tcp dpt:80
>>>>>>     0     0 RETURN     udp  --  *      *       192.168.50.3
>>>>>> 0.0.0.0/0            udp spt:67 dpt:68
>>>>>>     0     0 neutron-openvswi-sg-fallback  all  --  *      *
>>>>>> 0.0.0.0/0            0.0.0.0/0
>>>>>> ---
>>>>>>
>>>>>> Starting dumping TCP data directly on instance port:
>>>>>>
>>>>>> ---
>>>>>> root at hypervisor-1:~# *tcpdump -ni tap2fa3cfab-a3*
>>>>>> tcpdump: WARNING: tap2fa3cfab-a3: no IPv4 address assigned
>>>>>> tcpdump: verbose output suppressed, use -v or -vv for full protocol
>>>>>> decode
>>>>>> listening on tap2fa3cfab-a3, link-type EN10MB (Ethernet), capture
>>>>>> size 65535 bytes
>>>>>> ....
>>>>>> ---
>>>>>>
>>>>>> ....and trying to connect at its port 22 from the Internet (not
>>>>>> allowed!!):
>>>>>>
>>>>>> ---
>>>>>> thiago at desktop-1:~$ *telnet 189.8.93.69 22*
>>>>>> Trying 189.8.93.69...
>>>>>> Connected to 189.8.93.69.
>>>>>> Escape character is '^]'.
>>>>>> SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.1
>>>>>> ---
>>>>>>
>>>>>> NOTE: *189.8.93.69* is the 'Floating IP' attached to that Instance
>>>>>> and *192.168.50.2* is the Instance IP.
>>>>>>
>>>>>> ---
>>>>>> root at hypervisor-1:~# *tcpdump -ni tap2fa3cfab-a3*
>>>>>> tcpdump: WARNING: tap2fa3cfab-a3: no IPv4 address assigned
>>>>>> tcpdump: verbose output suppressed, use -v or -vv for full protocol
>>>>>> decode
>>>>>> listening on tap2fa3cfab-a3, link-type EN10MB (Ethernet), capture
>>>>>> size 65535 bytes
>>>>>> 22:13:40.800122 IP 200.232.113.107.7955 > 192.168.50.2.22: Flags [S],
>>>>>> seq 2257975349, win 29200, options [mss 1460,sackOK,TS val 52435018
>>>>>> ecr 0,nop,wscale 7], length 0
>>>>>> 22:13:40.800525 IP 192.168.50.2.22 > 200.232.113.107.7955: Flags
>>>>>> [S.], seq 2704020835, ack 2257975350, win 14480, options [mss
>>>>>> 1460,sackOK,TS val 703831 ecr 52435018,nop,wscale 2], length 0
>>>>>> 22:13:40.805484 IP 200.232.113.107.7955 > 192.168.50.2.22: Flags [.],
>>>>>> ack 1, win 229, options [nop,nop,TS val 52435019 ecr 703831], length 0
>>>>>> 22:13:40.821804 IP 192.168.50.2.22 > 200.232.113.107.7955: Flags
>>>>>> [P.], seq 1:42, ack 1, win 3620, options [nop,nop,TS val 703837 ecr
>>>>>> 52435019], length 41
>>>>>> 22:13:40.826058 IP 200.232.113.107.7955 > 192.168.50.2.22: Flags [.],
>>>>>> ack 42, win 229, options [nop,nop,TS val 52435025 ecr 703837], length 0
>>>>>> ---
>>>>>>
>>>>>> See?! Security Groups are being ignored.
>>>>>>
>>>>>> Please, help!
>>>>>>
>>>>>> Thanks!   =)
>>>>>> Thiago
>>>>>>
>>>>>>
>>>>>> On 28 October 2013 22:03, Martinx - ジェームズ <thiagocmartinsc at gmail.com>wrote:
>>>>>>
>>>>>>> Okay, I think I got it...
>>>>>>>
>>>>>>> Nova should proxy 'Security Groups' calls to Neutron (and not do it
>>>>>>> by itself), so, it must have:
>>>>>>>
>>>>>>> --- nova.conf ---
>>>>>>>  firewall_driver = nova.virt.firewall.NoopFirewallDriver
>>>>>>> security_group_api = neutron
>>>>>>> ---
>>>>>>>
>>>>>>> At Neutron OVS Agent (ovs_neutron_plugin.ini), you must set:
>>>>>>>
>>>>>>>  ---
>>>>>>> firewall_driver =
>>>>>>> neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
>>>>>>> ---
>>>>>>>
>>>>>>> Source:
>>>>>>> http://docs.openstack.org/havana/install-guide/install/apt/content/install-neutron.install-plugin.ovs.html
>>>>>>>
>>>>>>> BUT, it doesn't work.
>>>>>>>
>>>>>>> All my Security Groups rules are just being ignored. They are all
>>>>>>> applied at the Compute Node OVS ports but, no effect at all.
>>>>>>>
>>>>>>> Thanks!
>>>>>>> Thiago
>>>>>>>
>>>>>>>
>>>>>>> On 28 October 2013 21:26, Martinx - ジェームズ <thiagocmartinsc at gmail.com
>>>>>>> > wrote:
>>>>>>>
>>>>>>>> Well,
>>>>>>>>
>>>>>>>> Now I'm using "firewall_driver =
>>>>>>>> nova.virt.firewall.NoopFirewallDriver" for both Nova and Neutron (Open
>>>>>>>> vSwitch Agent) but, Security Groups rules are applied but ignored.
>>>>>>>>
>>>>>>>> Tips!?
>>>>>>>>
>>>>>>>> Thanks!
>>>>>>>> Thiago
>>>>>>>>
>>>>>>>>
>>>>>>>> On 28 October 2013 21:13, Martinx - ジェームズ <
>>>>>>>> thiagocmartinsc at gmail.com> wrote:
>>>>>>>>
>>>>>>>>> Guys,
>>>>>>>>>
>>>>>>>>> I'm back using "libvirt_vif_driver =
>>>>>>>>> nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver" (nova-compute.conf) but
>>>>>>>>> the problem persist for "tenant1".
>>>>>>>>>
>>>>>>>>> My nova.conf contains:
>>>>>>>>>
>>>>>>>>> ---
>>>>>>>>> # Network settings
>>>>>>>>> network_api_class = nova.network.neutronv2.api.API
>>>>>>>>> neutron_url = http://contrller-1.mydomain.com:9696
>>>>>>>>> neutron_auth_strategy = keystone
>>>>>>>>> neutron_admin_tenant_name = service
>>>>>>>>> neutron_admin_username = neutron
>>>>>>>>> neutron_admin_password = 123test123
>>>>>>>>> neutron_admin_auth_url =
>>>>>>>>> http://controller-1.mydomain.com:35357/v2.0
>>>>>>>>>
>>>>>>>>> linuxnet_interface_driver =
>>>>>>>>> nova.network.linux_net.LinuxOVSInterfaceDriver
>>>>>>>>>
>>>>>>>>> # If you want Neutron + Nova Security groups
>>>>>>>>> firewall_driver = nova.virt.firewall.NoopFirewallDriver
>>>>>>>>> security_group_api = neutron
>>>>>>>>> ---
>>>>>>>>>
>>>>>>>>> Is that a valid configuration for Havana?! I'm get it from my
>>>>>>>>> previous Grizzly setup.
>>>>>>>>>
>>>>>>>>> Also, I just realized that, there are two places to configure the
>>>>>>>>> "firewall_driver", first one is located at nova.conf, the second is located
>>>>>>>>> at "ovs_neutron_plugin.ini" under [securitygroups], of course, I believe,
>>>>>>>>> they must "match", I mean, I must be the same for both services, right?!
>>>>>>>>>
>>>>>>>>> Thanks!
>>>>>>>>> Thiago
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 28 October 2013 20:30, Martinx - ジェームズ <
>>>>>>>>> thiagocmartinsc at gmail.com> wrote:
>>>>>>>>>
>>>>>>>>>> Stackers!
>>>>>>>>>>
>>>>>>>>>> I'm trying to configure my Security Groups and, I'm seeing that
>>>>>>>>>> the rules are being applied at the Compute Node OVS ports (iptables /
>>>>>>>>>> ip6tables) BUT, it does have no effect (or just being ignored?).
>>>>>>>>>>
>>>>>>>>>> I'm using Ubuntu 12.04.3 + Havana from Cloud Archive.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> For example:
>>>>>>>>>>
>>>>>>>>>> I have 1 Instance with 1 Floating IP attached to it, open port
>>>>>>>>>> is: 80.
>>>>>>>>>>
>>>>>>>>>> Look:
>>>>>>>>>>
>>>>>>>>>> ---
>>>>>>>>>> root at hypervisor-1:~# iptables -L neutron-openvswi-i9cf07c24-7
>>>>>>>>>> -nv
>>>>>>>>>> Chain neutron-openvswi-i9cf07c24-7 (1 references)
>>>>>>>>>>  pkts bytes target     prot opt in     out     source
>>>>>>>>>>   destination
>>>>>>>>>>     0     0 DROP       all  --  *      *       0.0.0.0/0
>>>>>>>>>>    0.0.0.0/0            state INVALID
>>>>>>>>>>     0     0 RETURN     all  --  *      *       0.0.0.0/0
>>>>>>>>>>    0.0.0.0/0            state RELATED,ESTABLISHED
>>>>>>>>>>     0     0 RETURN     tcp  --  *      *       0.0.0.0/0
>>>>>>>>>>    0.0.0.0/0            tcp dpt:80
>>>>>>>>>>     0     0 RETURN     udp  --  *      *       192.168.50.3
>>>>>>>>>>   0.0.0.0/0            udp spt:67 dpt:68
>>>>>>>>>>     0     0 neutron-openvswi-sg-fallback  all  --  *      *
>>>>>>>>>> 0.0.0.0/0            0.0.0.0/0
>>>>>>>>>> ---
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> The problem is that the respective Instance still answers SSH to
>>>>>>>>>> the Internet. I mean, ALL ports are OPEN!! Regardless of what I typed at
>>>>>>>>>> its Security Groups.
>>>>>>>>>>
>>>>>>>>>> I created one "Security Group", called "web", only with TCP port
>>>>>>>>>> 80 on it, nothing more, nothing less. This Instance doesn't belong to the
>>>>>>>>>> "default" Security Group", only "web".
>>>>>>>>>>
>>>>>>>>>> Recently I've changed the *libvirt_vif_driver* from *
>>>>>>>>>> nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver* to *
>>>>>>>>>> nova.virt.libvirt.vif.LibvirtOpenVswitchDriver*, maybe it is the
>>>>>>>>>> cause?!
>>>>>>>>>>
>>>>>>>>>> Any tips!?
>>>>>>>>>>
>>>>>>>>>> Thanks!
>>>>>>>>>> Thiago
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Mailing list:
>>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>>>>> Post to     : openstack at lists.openstack.org
>>>>> Unsubscribe :
>>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>>>>>
>>>>>
>>>>
>>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20131030/108fda68/attachment.html>


More information about the Openstack mailing list