[Openstack] fully disabling security groups on IceHouse

Randy Krenz randy.krenz at overturenetworks.com
Thu May 8 20:50:08 UTC 2014

We are working with an IceHouse packstack install on CentOS, using OVS.  We are trying to converge on an IceHouse configuration that is analogous to a previous Grizzly configuration we have in which security groups are disabled AND no Linux bridge is inserted between VM nics and OVS.  In Grizzly, we principally accomplished this by setting "libvirt_vif_driver" in nova.conf to ".../LibvirtOpenVswitchVirtualPortDriver".  It appears setting "libvirt_vif_driver" to "../LibvirtGenericVIFDriver" is the principal choice in IceHouse.

In IceHouse, we have experimented with using the NoopFirewallDriver and related configurations in both nova.conf and Neutron plugin.ini.  While it appears we can disable security group functionality, we were not successful (through pure OpenStack configuration) in preventing the Linux bridge from being inserted in the data path.  In one experiment, we additionally changed "portbindings.OVS_HYBRID_PLUG" from a hard-coded "True" to "False" in ovs_neutron_plugin.py and this appeared to have the desired effect.

While kind of hackey, is there anything wrong with this approach?  Can anyone suggest a configuration alternative we might have missed?


This email and attachments may contain privileged or confidential information intended only for the addressee(s) indicated. The sender does not waive any of its rights, privileges or protections respecting this information. If you are not the named addressee, an employee, or agent responsible for sending this message to the named addressee (or this message was received by mistake), you are not authorized to read, print, retain, copy or disseminate this message or any part of it. If received in error, please notify us immediately by e-mail, discard any paper copies and delete all electronic files of the email.

Computer viruses can be transmitted via email. The recipient should check this email and any attachments for viruses. Email transmission cannot be guaranteed to be secured or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender accepts no liability for any damage caused by any transmitted viruses or errors or omissions in the contents of this message.

Overture Networks, Inc. 637 Davis Drive, Morrisville, NC USA 27560 www.overturenetworks.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20140508/e5d036ea/attachment.html>

More information about the Openstack mailing list