[Openstack] Icehouse ML2 + OVS security group problems

Mariusz Gronczewski mariusz.gronczewski at efigence.com
Mon Aug 25 09:05:45 UTC 2014


Hi,

I've managed to set up every other component, but Neutron security
groups don't want to work. I have connectivity between all machines, but
nothing ever hits the iptables rules.

I see that on compute nodes I get correct firewall rules:

:neutron-openvswi-ic2c7ef23-2 - [0:0]
:neutron-openvswi-oc2c7ef23-2 - [0:0]
:neutron-openvswi-sc2c7ef23-2 - [0:0]
-A neutron-openvswi-FORWARD -m physdev --physdev-out tapc2c7ef23-2d --physdev-is-bridged -j neutron-openvswi-sg-chain 
-A neutron-openvswi-FORWARD -m physdev --physdev-in tapc2c7ef23-2d --physdev-is-bridged -j neutron-openvswi-sg-chain 
-A neutron-openvswi-INPUT -m physdev --physdev-in tapc2c7ef23-2d --physdev-is-bridged -j neutron-openvswi-oc2c7ef23-2 
-A neutron-openvswi-ic2c7ef23-2 -m state --state INVALID -j DROP 
-A neutron-openvswi-ic2c7ef23-2 -m state --state RELATED,ESTABLISHED -j RETURN 
-A neutron-openvswi-ic2c7ef23-2 -p tcp -m tcp --dport 22 -j RETURN 
-A neutron-openvswi-ic2c7ef23-2 -s 10.3.0.2/32 -p udp -m udp --sport 67 --dport 68 -j RETURN 
-A neutron-openvswi-ic2c7ef23-2 -s 10.3.0.4/32 -p udp -m udp --sport 67 --dport 68 -j RETURN 
-A neutron-openvswi-ic2c7ef23-2 -j neutron-openvswi-sg-fallback 
-A neutron-openvswi-oc2c7ef23-2 -p udp -m udp --sport 68 --dport 67 -j RETURN 
-A neutron-openvswi-oc2c7ef23-2 -j neutron-openvswi-sc2c7ef23-2 
-A neutron-openvswi-oc2c7ef23-2 -p udp -m udp --sport 67 --dport 68 -j DROP 
-A neutron-openvswi-oc2c7ef23-2 -m state --state INVALID -j DROP 
-A neutron-openvswi-oc2c7ef23-2 -m state --state RELATED,ESTABLISHED -j RETURN 
-A neutron-openvswi-oc2c7ef23-2 -p tcp -m tcp --dport 22 -j RETURN 
-A neutron-openvswi-oc2c7ef23-2 -j neutron-openvswi-sg-fallback 
-A neutron-openvswi-sc2c7ef23-2 -s 10.3.0.5/32 -m mac --mac-source FA:16:3E:F5:ED:16 -j RETURN 
-A neutron-openvswi-sc2c7ef23-2 -j DROP 
-A neutron-openvswi-sg-chain -m physdev --physdev-out tapc2c7ef23-2d --physdev-is-bridged -j neutron-openvswi-ic2c7ef23-2 
-A neutron-openvswi-sg-chain -m physdev --physdev-in tapc2c7ef23-2d --physdev-is-bridged -j neutron-openvswi-oc2c7ef23-2 

and openvswitch config also seems ok:

97e21921-f8e5-4156-8f9b-b976bc6ed278
    Bridge br-int
        fail_mode: secure
        Port int-vm_st_mgmt
            Interface int-vm_st_mgmt
        ....
        Port "qvoc2c7ef23-2d"
            tag: 4
            Interface "qvoc2c7ef23-2d"
        Port "qvo50e4e17b-ea"
            tag: 3
            Interface "qvo50e4e17b-ea"
        ...

and I also see it as a Linux bridge:
~☠ brctl show qbrc2c7ef23-2d
bridge name	bridge id		STP enabled	interfaces
qbrc2c7ef23-2d		8000.1a3cb28c1f78	no		qvbc2c7ef23-2d
							tapc2c7ef23-2d


Yet no packet ever hits the iptables rules. Tunneling works fine, I can make any connection between all machines, DHCP/L3 works, and I can see traffic on the tap:

Chain neutron-openvswi-INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 neutron-openvswi-o5c1b8fd3-0  all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in tap5c1b8fd3-04 --physdev-is-bridged 
    0     0 neutron-openvswi-oeece6804-f  all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in tapeece6804-f4 --physdev-is-bridged 
    0     0 neutron-openvswi-oc2c7ef23-2  all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in tapc2c7ef23-2d --physdev-is-bridged 
    0     0 neutron-openvswi-o50e4e17b-e  all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in tap50e4e17b-ea --physdev-is-bridged 
    0     0 neutron-openvswi-o19204ab8-4  all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in tap19204ab8-4d --physdev-is-bridged 
    0     0 neutron-openvswi-o187624fb-e  all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in tap187624fb-e4 --physdev-is-bridged 

Chain INPUT (policy ACCEPT 86M packets, 79G bytes)
 pkts bytes target     prot opt in     out     source               destination         
  86M   79G neutron-openvswi-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0 

My configuration:
  
kernel  3.15.7-1.el6.elrepo.x86_64

☠ rpm -qa |grep -P '(nova|neutron)'
openstack-neutron-2014.1.2-1.el6.noarch
openstack-nova-compute-2014.1.1-3.el6.noarch
python-nova-2014.1.1-3.el6.noarch
python-novaclient-2.17.0-2.el6.noarch
python-neutronclient-2.3.4-1.el6.noarch
openstack-nova-common-2014.1.1-3.el6.noarch
python-neutron-2014.1.2-1.el6.noarch
openstack-neutron-openvswitch-2014.1.2-1.el6.noarch

nova.conf:

vif_driver=nova.virt.libvirt.vif.LibvirtGenericVIFDriver # tried with legacy OVS one, didn't help
linuxnet_interface_driver = nova.network.linux_net.LinuxOVSInterfaceDriver
firewall_driver=nova.virt.firewall.NoopFirewallDriver

ovs_neutron_plugin:

[securitygroup]
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
enable_security_group = True


[OVS]
enable_tunneling=False
integration_bridge=br-int
local_ip=172.16.125.25
tunnel_bridge=br-tun
tunnel_type=vxlan
tenant_network_type=vxlan
tunnel_id_ranges=8192:16384
bridge_mappings=vm_st_mgmt:vm_st_mgmt

[AGENT]
polling_interval=2
tunnel_types=vxlan

neutron plugin.ini:
[ml2]
tenant_network_types = vxlan
mechanism_drivers =openvswitch,linuxbridge

[ml2_type_vxlan]
vni_ranges =8192:16384

[securitygroup]
# Controls if neutron security group is enabled or not.
# It should be false when you use nova security group.
# enable_security_group = True
enable_security_group = True
firewall_driver=neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver


I attached dumps from iptables/ovs/brctl.

-- 
Mariusz Gronczewski, Administrator

Efigence S. A.
ul. Wołoska 9a, 02-583 Warszawa
T: [+48] 22 380 13 13
F: [+48] 22 380 13 14
E: mariusz.gronczewski at efigence.com
<mailto:mariusz.gronczewski at efigence.com>
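Added example (editor's note, not code from the original post or from Neutron): a small Python check for the two things this report turns on. The first is the per-tap physdev jump rules whose packet counters stay at zero in the chain listing above. The second is the bridge-netfilter sysctls net.bridge.bridge-nf-call-iptables and net.bridge.bridge-nf-call-ip6tables, which the OpenStack compute-node setup requires to be 1 for the OVS hybrid driver, because the physdev match only sees traffic once bridge netfilter hands bridged frames to iptables. The chain listing and sysctl values embedded in the block are constructed to mirror the shape of the output above (one tap given a non-zero counter so the comparison is visible); the function names and the read_sysctls helper are this example's own.

```python
"""Sanity checks for the Neutron OVS hybrid iptables firewall path.

Added example, not code from the original post or from Neutron. Works on
constructed copies of the kind of output shown in the mail: an
`iptables -nvL` chain listing and a set of sysctl values.
"""
import os
import re

# Constructed sample in the shape of the neutron-openvswi-INPUT chain above.
# The second tap is given a non-zero counter so the idle one stands out.
SAMPLE_CHAIN = """\
Chain neutron-openvswi-INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 neutron-openvswi-oc2c7ef23-2  all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in tapc2c7ef23-2d --physdev-is-bridged
   12  1440 neutron-openvswi-o50e4e17b-e  all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in tap50e4e17b-ea --physdev-is-bridged
"""

# Constructed sysctl snapshot: IPv4 bridge traffic is NOT passed to iptables.
SAMPLE_SYSCTLS = {
    "net.bridge.bridge-nf-call-iptables": "0",
    "net.bridge.bridge-nf-call-ip6tables": "1",
}

# Bridge-netfilter sysctls the compute node needs for physdev-matched
# bridged traffic to reach iptables at all (OpenStack compute-node guidance).
REQUIRED_SYSCTLS = {
    "net.bridge.bridge-nf-call-iptables": "1",
    "net.bridge.bridge-nf-call-ip6tables": "1",
}

_SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9}  # iptables -v counter units

# pkts bytes target ... --physdev-in|out <dev>
_RULE_RE = re.compile(
    r"^\s*(?P<pkts>\d+[KMG]?)\s+(?P<bytes>\d+[KMG]?)\s+(?P<target>\S+)"
    r".*--physdev-(?:in|out)\s+(?P<dev>\S+)"
)


def parse_counter(text):
    """Turn an iptables -v counter such as '86M' or '0' into an int."""
    if text[-1] in _SUFFIX:
        return int(text[:-1]) * _SUFFIX[text[-1]]
    return int(text)


def parse_physdev_counters(listing):
    """Map each tap device to the packet count and target of its physdev rule."""
    counters = {}
    for line in listing.splitlines():
        m = _RULE_RE.match(line)
        if m:
            counters[m.group("dev")] = {
                "pkts": parse_counter(m.group("pkts")),
                "target": m.group("target"),
            }
    return counters


def idle_taps(counters):
    """Tap devices whose security-group jump rule never matched a packet."""
    return sorted(dev for dev, c in counters.items() if c["pkts"] == 0)


def read_sysctls(root="/proc/sys"):
    """Read the required sysctls from a live host; a missing file means
    bridge netfilter is not active on this kernel (hypothetical helper)."""
    values = {}
    for name in REQUIRED_SYSCTLS:
        path = os.path.join(root, *name.split("."))
        try:
            with open(path) as fh:
                values[name] = fh.read().strip()
        except OSError:
            pass
    return values


def missing_sysctls(values):
    """Required sysctls that are absent or not set to the required value,
    as {name: (expected, actual)}."""
    return {
        name: (want, values.get(name))
        for name, want in REQUIRED_SYSCTLS.items()
        if values.get(name) != want
    }


def diagnose(listing, sysctls):
    """Combine both checks into a list of human-readable findings."""
    findings = []
    for dev in idle_taps(parse_physdev_counters(listing)):
        findings.append(f"no packets matched the physdev rule for {dev}")
    for name, (want, got) in sorted(missing_sysctls(sysctls).items()):
        findings.append(
            f"{name} is {got!r}, expected {want!r}: "
            "bridged traffic is not handed to iptables"
        )
    return findings


if __name__ == "__main__":
    # Offline run on the constructed data; on a compute node feed it the
    # real `iptables -nvL neutron-openvswi-INPUT` output and read_sysctls().
    for finding in diagnose(SAMPLE_CHAIN, SAMPLE_SYSCTLS):
        print(finding)
```

On a real compute node the same two calls, `diagnose(subprocess_output, read_sysctls())`, separate "the rules are installed but never consulted" (idle counters plus a wrong or absent sysctl) from "the rules are consulted but written wrongly" (counters move but traffic still flows), which is the first fork in debugging a hybrid-driver setup like the one above.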
Attachments:
Name: brctl.txt
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20140825/ed0600e5/attachment.txt>
Name: iptables.txt
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20140825/ed0600e5/attachment-0001.txt>
Name: openvswitch.txt
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20140825/ed0600e5/attachment-0002.txt>