[Openstack] Security groups on XenServer
Randy
amps at djlab.com
Thu Jun 12 19:34:36 UTC 2014
I have successfully got XenServer 6.2 up and running with VMs on
VLAN/FLAT networks (Icehouse). DHCP is working too. Looking at the
iptables rules generated on Dom0 I would think security groups should be
working, but no matter what I do, even deleting all rules, the VMs are
100% wide open -- and can even use other IPs not assigned to them.
I have doubts about the 'tap' bridge references (e.g. tap6be30d08-87) in
iptables. There are no corresponding bridges with 'tap' names in
ifconfig or ovs-vsctl.
I found these 'warnings' on the compute node:
Command: ['neutron-rootwrap-xen-dom0', '/etc/neutron/rootwrap.conf', 'iptables-restore', '-c']
Exit code: 0
Stdout: "Warning: wierd character in interface `tap6be30d08-87' (No
aliases, :, ! or *).\nWarning: wierd character in interface
`tap6be30d08-87' (No aliases, :, ! or *).\nWarning: wierd character in
interface `tap6be30d08-87' (No aliases, :, ! or *).\nWarning: wierd
character in interface `tap6be30d08-87' (No aliases, :, ! or
*).\nWarning: wierd character in interface `tap6be30d08-87' (No aliases,
:, ! or *).\n\n"
And here is the iptables on Dom0:
Chain neutron-filter-top (2 references)
target prot opt source destination
neutron-openvswi-local all -- anywhere anywhere

Chain neutron-openvswi-FORWARD (1 references)
target prot opt source destination
neutron-openvswi-sg-chain all -- anywhere anywhere PHYSDEV match --physdev-out tap6be30d08-87 --physdev-is-bridged
neutron-openvswi-sg-chain all -- anywhere anywhere PHYSDEV match --physdev-in tap6be30d08-87 --physdev-is-bridged

Chain neutron-openvswi-INPUT (1 references)
target prot opt source destination
neutron-openvswi-o6be30d08-8 all -- anywhere anywhere PHYSDEV match --physdev-in tap6be30d08-87 --physdev-is-bridged

Chain neutron-openvswi-OUTPUT (1 references)
target prot opt source destination

Chain neutron-openvswi-i6be30d08-8 (1 references)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID
RETURN all -- anywhere anywhere state RELATED,ESTABLISHED
RETURN tcp -- anywhere anywhere tcp dpt:mysql
RETURN tcp -- anywhere anywhere tcp dpt:pop3
RETURN udp -- 198.98.181.228 anywhere udp spt:bootps dpt:bootpc
neutron-openvswi-sg-fallback all -- anywhere anywhere

Chain neutron-openvswi-local (1 references)
target prot opt source destination

Chain neutron-openvswi-o6be30d08-8 (2 references)
target prot opt source destination
RETURN udp -- anywhere anywhere udp spt:bootpc dpt:bootps
neutron-openvswi-s6be30d08-8 all -- anywhere anywhere
DROP udp -- anywhere anywhere udp spt:bootps dpt:bootpc
DROP all -- anywhere anywhere state INVALID
RETURN all -- anywhere anywhere state RELATED,ESTABLISHED
neutron-openvswi-sg-fallback all -- anywhere anywhere

Chain neutron-openvswi-s6be30d08-8 (1 references)
target prot opt source destination
RETURN all -- 198.98.181.230 anywhere MAC FA:16:3E:5F:CA:31
DROP all -- anywhere anywhere

Chain neutron-openvswi-sg-chain (2 references)
target prot opt source destination
neutron-openvswi-i6be30d08-8 all -- anywhere anywhere PHYSDEV match --physdev-out tap6be30d08-87 --physdev-is-bridged
neutron-openvswi-o6be30d08-8 all -- anywhere anywhere PHYSDEV match --physdev-in tap6be30d08-87 --physdev-is-bridged
ACCEPT all -- anywhere anywhere

Chain neutron-openvswi-sg-fallback (2 references)
target prot opt source destination
DROP all -- anywhere anywhere
--
~Randy
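The symptom in the post (per-port chains present, guests still unfiltered) is consistent with physdev rules naming an interface that does not exist on Dom0, so they never match. The check below, an added example that is not from the post or from Neutron, parses `iptables -S`-style output for `--physdev-in/out` names and reports any that are absent from the host's link list; the rule text and the link names (`vif3.0` etc.) are constructed samples modelled on the listing above.

```python
import re
from typing import Dict, List, Set

# Constructed sample of `iptables -S` output, modelled on the chains in the post.
SAMPLE_RULES = """\
-A neutron-openvswi-FORWARD -m physdev --physdev-out tap6be30d08-87 --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-in tap6be30d08-87 --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-INPUT -m physdev --physdev-in tap6be30d08-87 --physdev-is-bridged -j neutron-openvswi-o6be30d08-8
-A neutron-openvswi-sg-chain -m physdev --physdev-out tap6be30d08-87 --physdev-is-bridged -j neutron-openvswi-i6be30d08-8
-A neutron-openvswi-sg-chain -j ACCEPT
"""

# Constructed sample of link names as `ip -o link show` would list them on Dom0
# (assumed: the guest VIF shows up under a vif-style name, not a tap name).
SAMPLE_LINKS = ["lo", "eth0", "xenbr0", "xapi1", "vif3.0"]

PHYSDEV_RE = re.compile(r"--physdev-(?:in|out)\s+(\S+)")


def physdev_interfaces(rules_text: str) -> Dict[str, List[str]]:
    """Map each interface named in a physdev match to the rules referencing it."""
    refs: Dict[str, List[str]] = {}
    for line in rules_text.splitlines():
        for name in PHYSDEV_RE.findall(line):
            refs.setdefault(name, []).append(line)
    return refs


def dangling_physdev_refs(rules_text: str, link_names: List[str]) -> Dict[str, List[str]]:
    """Return physdev interfaces that are not present on the host.

    A rule whose physdev interface does not exist can never match, so the
    packet is never steered into the per-port security-group chains and is
    left to whatever follows (here, the trailing ACCEPT), i.e. unfiltered.
    """
    present: Set[str] = set(link_names)
    return {name: rules for name, rules in physdev_interfaces(rules_text).items()
            if name not in present}


if __name__ == "__main__":
    for name, rules in dangling_physdev_refs(SAMPLE_RULES, SAMPLE_LINKS).items():
        print(f"{name}: referenced by {len(rules)} rule(s) but no such link on this host")
```

On a live host, feed it the real `iptables -S` output and the names from `ip -o link show`; an empty result means every physdev rule can actually match.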