[Openstack] Icehouse ML2 + OVS security group problems
Mariusz Gronczewski
mariusz.gronczewski at efigence.com
Thu Aug 28 12:51:33 UTC 2014
If anyone had a similar problem: CentOS 6 has retarded default settings
in /etc/sysctl.conf that disable iptables on bridges; change them to
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-arptables = 1
and it will work
On Mon, 25 Aug 2014 11:05:45 +0200, Mariusz Gronczewski
<mariusz.gronczewski at efigence.com> wrote:
> Hi,
>
> I've managed to set up every other component, but neutron security
> groups don't want to work. I have connectivity between all machines but
> nothing ever hits iptables rules.
>
> I see that on compute nodes I get correct firewall rules:
>
> :neutron-openvswi-ic2c7ef23-2 - [0:0]
> :neutron-openvswi-oc2c7ef23-2 - [0:0]
> :neutron-openvswi-sc2c7ef23-2 - [0:0]
> -A neutron-openvswi-FORWARD -m physdev --physdev-out tapc2c7ef23-2d --physdev-is-bridged -j neutron-openvswi-sg-chain
> -A neutron-openvswi-FORWARD -m physdev --physdev-in tapc2c7ef23-2d --physdev-is-bridged -j neutron-openvswi-sg-chain
> -A neutron-openvswi-INPUT -m physdev --physdev-in tapc2c7ef23-2d --physdev-is-bridged -j neutron-openvswi-oc2c7ef23-2
> -A neutron-openvswi-ic2c7ef23-2 -m state --state INVALID -j DROP
> -A neutron-openvswi-ic2c7ef23-2 -m state --state RELATED,ESTABLISHED -j RETURN
> -A neutron-openvswi-ic2c7ef23-2 -p tcp -m tcp --dport 22 -j RETURN
> -A neutron-openvswi-ic2c7ef23-2 -s 10.3.0.2/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
> -A neutron-openvswi-ic2c7ef23-2 -s 10.3.0.4/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
> -A neutron-openvswi-ic2c7ef23-2 -j neutron-openvswi-sg-fallback
> -A neutron-openvswi-oc2c7ef23-2 -p udp -m udp --sport 68 --dport 67 -j RETURN
> -A neutron-openvswi-oc2c7ef23-2 -j neutron-openvswi-sc2c7ef23-2
> -A neutron-openvswi-oc2c7ef23-2 -p udp -m udp --sport 67 --dport 68 -j DROP
> -A neutron-openvswi-oc2c7ef23-2 -m state --state INVALID -j DROP
> -A neutron-openvswi-oc2c7ef23-2 -m state --state RELATED,ESTABLISHED -j RETURN
> -A neutron-openvswi-oc2c7ef23-2 -p tcp -m tcp --dport 22 -j RETURN
> -A neutron-openvswi-oc2c7ef23-2 -j neutron-openvswi-sg-fallback
> -A neutron-openvswi-sc2c7ef23-2 -s 10.3.0.5/32 -m mac --mac-source FA:16:3E:F5:ED:16 -j RETURN
> -A neutron-openvswi-sc2c7ef23-2 -j DROP
> -A neutron-openvswi-sg-chain -m physdev --physdev-out tapc2c7ef23-2d --physdev-is-bridged -j neutron-openvswi-ic2c7ef23-2
> -A neutron-openvswi-sg-chain -m physdev --physdev-in tapc2c7ef23-2d --physdev-is-bridged -j neutron-openvswi-oc2c7ef23-2
>
> and openvswitch config also seems ok:
>
> 97e21921-f8e5-4156-8f9b-b976bc6ed278
> Bridge br-int
> fail_mode: secure
> Port int-vm_st_mgmt
> Interface int-vm_st_mgmt
> ....
> Port "qvoc2c7ef23-2d"
> tag: 4
> Interface "qvoc2c7ef23-2d"
> Port "qvo50e4e17b-ea"
> tag: 3
> Interface "qvo50e4e17b-ea"
> ...
>
> and I also see it as linux bridge:
> ~☠ brctl show qbrc2c7ef23-2d
> bridge name bridge id STP enabled interfaces
> qbrc2c7ef23-2d 8000.1a3cb28c1f78 no qvbc2c7ef23-2d
> tapc2c7ef23-2d
>
>
> Yet no packet ever hits iptables rules. Tunneling works fine, I can make any connection between all machines, DHCP/L3 works, I can see traffic on the tap.
>
> Chain neutron-openvswi-INPUT (1 references)
> pkts bytes target prot opt in out source destination
> 0 0 neutron-openvswi-o5c1b8fd3-0 all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tap5c1b8fd3-04 --physdev-is-bridged
> 0 0 neutron-openvswi-oeece6804-f all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tapeece6804-f4 --physdev-is-bridged
> 0 0 neutron-openvswi-oc2c7ef23-2 all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tapc2c7ef23-2d --physdev-is-bridged
> 0 0 neutron-openvswi-o50e4e17b-e all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tap50e4e17b-ea --physdev-is-bridged
> 0 0 neutron-openvswi-o19204ab8-4 all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tap19204ab8-4d --physdev-is-bridged
> 0 0 neutron-openvswi-o187624fb-e all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tap187624fb-e4 --physdev-is-bridged
>
> Chain INPUT (policy ACCEPT 86M packets, 79G bytes)
> pkts bytes target prot opt in out source destination
> 86M 79G neutron-openvswi-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
>
> My configuration:
>
> kernel 3.15.7-1.el6.elrepo.x86_64
>
> ☠ rpm -qa |grep -P '(nova|neutron)'
> openstack-neutron-2014.1.2-1.el6.noarch
> openstack-nova-compute-2014.1.1-3.el6.noarch
> python-nova-2014.1.1-3.el6.noarch
> python-novaclient-2.17.0-2.el6.noarch
> python-neutronclient-2.3.4-1.el6.noarch
> openstack-nova-common-2014.1.1-3.el6.noarch
> python-neutron-2014.1.2-1.el6.noarch
> openstack-neutron-openvswitch-2014.1.2-1.el6.noarch
>
> nova.conf:
>
> vif_driver=nova.virt.libvirt.vif.LibvirtGenericVIFDriver # tried with legacy OVS one, didn't help
> linuxnet_interface_driver = nova.network.linux_net.LinuxOVSInterfaceDriver
> firewall_driver=nova.virt.firewall.NoopFirewallDriver
>
> ovs_neutron_plugin:
>
> [securitygroup]
>
> firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
> enable_security_group = True
>
>
> [OVS]
> enable_tunneling=False
> integration_bridge=br-int
> local_ip=172.16.125.25
> tunnel_bridge=br-tun
> tunnel_type=vxlan
> tenant_network_type=vxlan
> tunnel_id_ranges=8192:16384
> bridge_mappings=vm_st_mgmt:vm_st_mgmt
>
> [AGENT]
> polling_interval=2
> tunnel_types=vxlan
>
> neutron plugin.ini:
> [ml2]
> tenant_network_types = vxlan
> mechanism_drivers =openvswitch,linuxbridge
>
> [ml2_type_vxlan]
>
> vni_ranges =8192:16384
>
> [securitygroup]
> # Controls if neutron security group is enabled or not.
> # It should be false when you use nova security group.
> # enable_security_group = True
> enable_security_group = True
> firewall_driver=neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
>
>
> I attached dumps from iptables/ovs/brctl
>
--
Mariusz Gronczewski, Administrator
Efigence S. A.
ul. Wołoska 9a, 02-583 Warszawa
T: [+48] 22 380 13 13
F: [+48] 22 380 13 14
E: mariusz.gronczewski at efigence.com
<mailto:mariusz.gronczewski at efigence.com>
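The sysctl fix at the top of this reply, turned into a repeatable check and a reviewed config rewrite. This is an added example, not code from the original post or from the OpenStack project: the three key names come from the thread, while the function names, the mktemp-based live check and the sample sysctl.conf fragment are constructed here. The check explains the symptom in the quoted message: with these keys at 0, frames crossing the qbr Linux bridge bypass netfilter, so the neutron-openvswi-* physdev rules are installed but their packet counters never move.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list post: a small check
# for the three bridge-netfilter sysctls named in the thread. If they are 0,
# packets crossing the qbr Linux bridge never reach the neutron-openvswi-*
# physdev rules, which is why every counter in the quoted `iptables -L -v`
# output stays at 0 while connectivity still works.

# The keys from the thread and the value Neutron's hybrid driver needs.
BRIDGE_NF_KEYS="net.bridge.bridge-nf-call-iptables net.bridge.bridge-nf-call-ip6tables net.bridge.bridge-nf-call-arptables"

# check_bridge_nf_file FILE
#   FILE contains "key = value" lines (the format of /etc/sysctl.conf and of
#   `sysctl -a`). Prints one line per key that is absent or not 1 and returns
#   0 only when all three are 1. Commented-out lines are ignored and the last
#   assignment of a key wins, mirroring how sysctl applies the file.
check_bridge_nf_file() {
    file=$1
    bad=0
    for key in $BRIDGE_NF_KEYS; do
        val=$(sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p" "$file" | tail -n 1)
        if [ -z "$val" ]; then
            echo "MISSING $key"
            bad=1
        elif [ "$val" != 1 ]; then
            echo "WRONG   $key = $val (expected 1)"
            bad=1
        fi
    done
    return $bad
}

# check_bridge_nf_live
#   Same check against the running kernel. The net.bridge.* keys only exist
#   once the bridge netfilter code is loaded (part of the bridge module on the
#   3.15 kernel in the thread, the separate br_netfilter module from 3.18 on),
#   so on a host with no bridge yet all three show as MISSING.
check_bridge_nf_live() {
    tmp=$(mktemp) || return 2
    sysctl -a 2>/dev/null | grep '^net\.bridge\.bridge-nf-call-' > "$tmp"
    check_bridge_nf_file "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# fix_bridge_nf_file IN OUT
#   Writes IN to OUT with the three keys forced to 1: existing assignments
#   are rewritten in place, absent ones are appended. Review OUT, then copy
#   it over /etc/sysctl.conf and run `sysctl -p` (the thread's fix).
fix_bridge_nf_file() {
    in=$1
    out=$2
    cp "$in" "$out"
    for key in $BRIDGE_NF_KEYS; do
        if grep -q "^[[:space:]]*$key[[:space:]]*=" "$out"; then
            sed "s/^[[:space:]]*$key[[:space:]]*=.*/$key = 1/" "$out" > "$out.tmp" && mv "$out.tmp" "$out"
        else
            echo "$key = 1" >> "$out"
        fi
    done
}

# Stand-alone demo on a constructed sysctl.conf fragment (not a real host).
demo_bridge_nf() {
    sample=$(mktemp) || return 2
    fixed=$(mktemp) || return 2
    printf '%s\n' \
        '# Disable netfilter on bridges.' \
        'net.bridge.bridge-nf-call-ip6tables = 0' \
        'net.bridge.bridge-nf-call-iptables = 0' \
        '# net.bridge.bridge-nf-call-arptables = 1' > "$sample"
    echo "--- before ---"
    check_bridge_nf_file "$sample" || true
    fix_bridge_nf_file "$sample" "$fixed"
    echo "--- after ---"
    if check_bridge_nf_file "$fixed"; then echo "all three keys are 1"; fi
    rm -f "$sample" "$fixed"
}

demo_bridge_nf
```

Run `check_bridge_nf_live` on a compute node after the first instance has been booted (so the bridge code is loaded and the keys exist); a non-zero exit with WRONG lines is the exact condition described in the reply. After applying the corrected file with `sysctl -p`, the counters on the neutron-openvswi-INPUT and neutron-openvswi-FORWARD physdev rules should start increasing.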