[Openstack] [Neutron] [Nova] Nova with flat network configuration without networking node does not apply security group settings properly

Марк Федурин mark at promobit.ru
Fri Aug 7 09:42:17 UTC 2015

Err, I'm terribly sorry that I forgot to set the topic. It's been a while since I posted to mailing lists and I've noticed it only at the very last moment when it was already too late. I hope I'm not getting too annoying.


On 08/07/2015 03:25 PM, Марк Федурин wrote:
> Hello,
> This is quite a long story and I hope I could get feedback from someone in a similar position, because despite all the efforts I'm really lost in configuration and documentation.
> I work for a hosting provider as an administrator and I've recently been checking out OpenStack as a replacement for our current not-so-very-flexible VM management solution. It's not very important what was wrong with it, but OpenStack seemed to be a good replacement so I decided to give it a try.
> It indeed turned out to be sort of what we were looking for, but after setting up a test multi-host deployment I realized that things get complicated with flat provider networks.
> The problems I encountered so far are the inability to properly set up a provider network using VLANs (because then the DHCP server fails to assign an IP for a reason I could not reliably determine, possibly due to incorrect configuration of hardware, but I double-checked and it seemed to be valid) and broken MAC/IP/ARP spoofing protection.
> I don't really care about VLANs because each instance is gonna have a fixed public IP address anyway and I have a separate interface for external networking, so the problem that bothers me is security. I did some scouting around and I found out the following things:
> * Nova adds filtering rules to the FORWARD table but the packets don't pass this table (because they go through the bridge). Instead, rules should be added through ebtables but they, apparently, aren't.
> * While libvirt provides a way to configure such filtering, OpenStack doesn't make use of it. I don't even quite get how it's supposed to work.
> * Despite br-int (being the integration bridge) and br-provider (being the provider interface bridge) being down, the networking in instances seems to work fine (they can even access the Internet).
> So, about configuration.
> The networking was configured according to the CentOS setup guide:
> http://docs.openstack.org/kilo/install-guide/install/yum/content/ch_preface.html
> with the exception that the configuration was then changed to something similar to what is provided here:
> http://docs.openstack.org/networking-guide/scenario_provider_ovs.html
> Only the basic configuration was set up, with two nodes: one being the controller node, the other being the compute node.
> The controller node is running Postgres, RabbitMQ, MongoDB, Keystone and the corresponding controller components of Nova, Glance, Cinder, Ceilometer and Neutron.
> The compute node is running the corresponding compute components of Nova, Neutron, Ceilometer and Cinder.
> Sorry if I've missed something. I don't want to copy-paste everything here, so feel free to request specific parts if needed.
> I hope there's someone out there in a similar or at least remotely similar situation. I would very much like to hear about their experience setting up this configuration.
> Thanks in advance,
> Mark
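The first bullet in the quoted post (iptables FORWARD rules that bridged frames never traverse, and no ebtables rules for the instance) can be checked on a compute host with an audit like the one below. This is an added example, not code from the post or from Nova; it parses constructed sample text modeled on `sysctl net.bridge`, `iptables -S FORWARD` and `ebtables -L`, and the tap name, physdev matches and `nova-compute-FORWARD` chain in the samples are assumptions. The check keys on `net.bridge.bridge-nf-call-iptables` (the br_netfilter sysctl), because bridged frames only enter the iptables FORWARD chain when it is 1.

```python
import re

# Constructed sample of `sysctl net.bridge`: the br_netfilter hook is off, so
# bridged frames never reach the iptables FORWARD chain (the post's failure mode).
SYSCTL_SAMPLE = """\
net.bridge.bridge-nf-call-arptables = 0
net.bridge.bridge-nf-call-iptables = 0
"""

# Constructed sample of `iptables -S FORWARD`; the tap name, physdev matches
# and nova-compute-FORWARD chain are assumptions modeled on Nova's style.
IPTABLES_SAMPLE = """\
-P FORWARD ACCEPT
-A FORWARD -m physdev --physdev-in tap00000001-aa --physdev-is-bridged -j nova-compute-FORWARD
-A FORWARD -m physdev --physdev-out tap00000001-aa --physdev-is-bridged -j nova-compute-FORWARD
"""

# Constructed sample of `ebtables -L`: no L2 anti-spoof rule covers the tap.
EBTABLES_SAMPLE = """\
Bridge table: filter
Bridge chain: FORWARD, entries: 0, policy: ACCEPT
"""

def parse_sysctl(text):
    """Map 'key = value' lines to {key: int}."""
    found = {}
    for line in text.splitlines():
        m = re.match(r"\s*([\w.\-]+)\s*=\s*(\d+)\s*$", line)
        if m:
            found[m.group(1)] = int(m.group(2))
    return found

def rules_for_tap(text, tap):
    """Return the rule lines that name the tap interface exactly."""
    pat = re.compile(r"(?<![\w-])" + re.escape(tap) + r"(?![\w-])")
    return [ln for ln in text.splitlines() if pat.search(ln)]

def audit_tap(tap, sysctl_text, iptables_text, ebtables_text):
    """L3 FORWARD rules only count as effective when bridge-nf-call-iptables
    is 1; ebtables rules are the only ones bridged frames always traverse."""
    sysctl = parse_sysctl(sysctl_text)
    l3 = rules_for_tap(iptables_text, tap)
    l2 = rules_for_tap(ebtables_text, tap)
    hooked = sysctl.get("net.bridge.bridge-nf-call-iptables") == 1
    return {
        "l3_rules_present": bool(l3),
        "l3_rules_effective": bool(l3) and hooked,
        "l2_antispoof_present": bool(l2),
    }
```

Run against the samples, the audit reports FORWARD rules that exist but are not effective and no L2 rule at all, which is exactly the "rules present, instance still unfiltered" state the post describes.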
