[Openstack] Security Groups Can't Apply in Kilo with Neutron & XenServer

Adhi Priharmanto adhi.pri at gmail.com
Wed Sep 21 05:58:38 UTC 2016


Hi all,

Sorry for my late reply.

@Bob, I installed Liberty manually, not using devstack, packstack, etc.

Here is my node service configuration.



=============================
NETWORK-NODE
=============================
Configuration : http://pastebin.com/6DLqUbjU


=============================
COMPUTE-NODE
=============================
Configuration : http://pastebin.com/RhGBvNbA
Error list : http://pastebin.com/xHQSb625

=============================
XENSERVER-NODE
=============================
Configuration : http://pastebin.com/gwf1wdEb
Error list : http://pastebin.com/wNzbhcPi

For XenServer,

   - I also set up Multi Tenancy Networking Protections in XenServer,
   following this guide:
   https://github.com/openstack/nova/blob/master/plugins/xenserver/doc/networking.rst
   - I also set up sysctl.conf (see the config in the xenserver-node pastebin), but
   it seems there is no br_netfilter module available on XenServer.

=============================
neutron security-group-rule-list
=============================
 # neutron security-group-rule-list
+--------------------------------------+----------------+-----------+-----------+---------------+-----------------+
| id                                   | security_group | direction | ethertype | protocol/port | remote          |
+--------------------------------------+----------------+-----------+-----------+---------------+-----------------+
| 310fb8eb-bcf7-4425-83a3-f2f3f1335958 | default        | egress    | IPv6      | any           | any             |
| 42e8b7e8-1262-4673-8547-55fa6b33d4f1 | default        | egress    | IPv4      | any           | any             |
| 4e8bde5b-344a-4c6a-b09d-223d9fec72bf | default        | ingress   | IPv4      | any           | default (group) |
| cd8f3aaa-9882-42a0-b713-87489cfff22c | default        | ingress   | IPv6      | any           | default (group) |
| d884ff2f-71e8-4647-b45d-e8f92ad87261 | default        | egress    | IPv4      | any           | any             |
| f4f85fae-6a15-4a85-ae51-5f34536bb72e | default        | ingress   | IPv6      | any           | default (group) |
| f6e3929a-3df4-4209-8486-7ce0b0047771 | default        | egress    | IPv6      | any           | any             |
| fbb2a744-de01-49c7-b875-8cdfbc4fdd7f | default        | ingress   | IPv4      | any           | default (group) |
+--------------------------------------+----------------+-----------+-----------+---------------+-----------------+

   - With these rules, I'm still able to ping the instance.
   - Also please check the neutron-openvswitch-agent error list from when I
   remove a rule and terminate the instance.


I hope someone can guide me with this problem; thanks in advance.


On Sun, Sep 18, 2016 at 8:16 AM, Huan Xie <huan.xie at citrix.com> wrote:

> Hi,
>
>
>
> After applying these changes, is your neutron ml2 configuration correct?
> Mainly the parts below:
>
> If it still cannot work, could you please describe the errors?
>
> Besides these, we find XenServer dom0 lacks conntrack support for
> neutron-ovs-agent in the compute node; there is a fix waiting for review:
> https://review.openstack.org/#/c/341304/
>
> 1. In nova.conf, two configurations should be set
>
> [DEFAULT]
> firewall_driver = nova.virt.firewall.NoopFirewallDriver
> security_group_api=neutron
> use_neutron = True
>
> [xenserver]
> ovs_integration_bridge =
> vif_driver = nova.virt.xenapi.vif.XenAPIOpenVswitchDriver
>
> 2. In neutron, check the ml2_conf.ini configuration on the compute node,
> which is used for the neutron L2 agent
>
> [agent]
> minimize_polling = False
> root_helper_daemon =
> root_helper = /usr/local/bin/neutron-rootwrap-xen-dom0 /etc/neutron/rootwrap.conf
>
> [ovs]
> integration_bridge =
> bridge_mappings =
> Thanks,
>
> Huan
>
>
>
> *From:* Adhi Priharmanto [mailto:adhi.pri at gmail.com]
> *Sent:* Thursday, September 15, 2016 3:48 PM
>
> *To:* Huan Xie
> *Cc:* openstack at lists.openstack.org
> *Subject:* Re: [Openstack] Security Groups Can't Apply in Kilo with
> Neutron & XenServer
>
>
>
> Hi, I still have no luck with this problem; even using the Liberty release,
> security groups are still not applied on the network. Can you help me again?
>
>
>
> On Thu, Mar 17, 2016 at 10:55 AM, Adhi Priharmanto <adhi.pri at gmail.com>
> wrote:
>
> OK, I'll try to patch my neutron.
>
>
>
> On Tue, Mar 15, 2016 at 8:52 AM, Huan Xie <huan.xie at citrix.com> wrote:
>
> Hi,
>
> To apply the patch, you need to download the changed files from
> https://review.openstack.org/#/c/251271/ and its dependent changes; you
> can find its dependent changes in the right corner (Related Changes) when you
> open the link.
>
> For the files that you need to edit: in the middle of the code review page, you
> can find a section called "Files"; this part shows you which files are
> changed.
>
>
>
> Best Regards//Huan
>
>
>
> *From:* Adhi Priharmanto [mailto:adhi.pri at gmail.com]
> *Sent:* Monday, March 14, 2016 6:21 PM
> *To:* Huan Xie
> *Cc:* openstack at lists.openstack.org
> *Subject:* Re: [Openstack] Security Groups Can't Apply in Kilo with
> Neutron & XenServer
>
>
>
> Hi Xie,
>
>
>
> I also commented on your post at blog.citrix :). Steps 1 - 3 were clear
> to me. I'm still confused about the patched code in
> https://review.openstack.org/#/c/251271/ for some files; could you explain
> more about how to do it, and which files I should edit?
>
>
>
> Thanks in advance
>
>
>
> On Mon, Mar 14, 2016 at 3:34 PM, Huan Xie <huan.xie at citrix.com> wrote:
>
> Hi Adhi,
>
>
>
> Do you use devstack to deploy XenServer + Kilo, or do you deploy manually?
>
> The current Kilo release does not support XenServer + Neutron security groups,
> because security groups are implemented via iptables on a Linux bridge;
> however, there is no Linux bridge created when booting a new instance.
>
> But we now have a new fix to support neutron security groups; we have
> tested that it can work. This will be implemented as a blueprint:
> https://review.openstack.org/#/c/251271/
>
> So, if you want to use neutron security groups in Kilo, you should add some
> patches to your code and also please make the configurations as below:
>
>
>
> 1. In nova.conf, two configurations should be set
>
> [DEFAULT]
> firewall_driver = nova.virt.firewall.NoopFirewallDriver
> security_group_api=neutron
>
> [xenserver]
> ovs_integration_bridge =
> vif_driver = nova.virt.xenapi.vif.XenAPIOpenVswitchDriver
>
> If you don't know how to configure ovs_integration_bridge, you can refer to
> this blog: https://www.citrix.com/blogs/2015/11/30/integrating-xenserver-rdo-and-neutron/
>
> 2. In neutron, check the ml2_conf.ini configuration on the compute node,
> which is used for the neutron L2 agent
>
> [agent]
> minimize_polling = False
> root_helper_daemon =
> root_helper = /usr/local/bin/neutron-rootwrap-xen-dom0 /etc/neutron/rootwrap.conf
>
> [ovs]
> integration_bridge =
> bridge_mappings =
>
> Also for the ovs configuration items, if you are not clear on how to
> configure them, refer to the blog.
>
> 3. In neutron, check the configuration /etc/neutron/rootwrap.conf on the
> compute node
>
> [xenapi]
> # XenAPI configuration is only required by the L2 agent if it is to
> # target a XenServer/XCP compute host's dom0.
> xenapi_connection_url=
> xenapi_connection_username=
> xenapi_connection_password=
>
>
> Best Regards//Huan
>
>
>
> -------- Original Message --------
> Subject: [Openstack] Security Groups Can't Apply in Kilo with Neutron &
> XenServer
> From: Adhi Priharmanto
> To: openstack at lists.openstack.org
> CC:
>
> Hi all,
>
> I have OpenStack Kilo installed in my lab; for the compute hypervisor I use
> XenServer 6.5, and networking uses Neutron OVS. For the controller, network,
> and compute nodes I'm using Ubuntu 14.04.
>
> My problem is that security group rules are not applied to the instances
> that are created. For example, there is no rule for SSH port 22 in the
> security group I defined for the instance, but the instance with a floating
> IP can be logged into by ssh from the external network.
>
>
> I've already added this option in my nova.conf:
>
> firewall_driver=nova.virt.xenapi.firewall.Dom0IptablesFirewallDriver
>
> and also defined firewall_driver in my ml2_conf.ini on the controller,
> network, and compute nodes:
>
> [ovs]
> enable_security_group = True
> enable_ipset = True
> firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
>
> Can somebody help me with this problem?
>
>
>
>
>
> --
>
> Cheers,
>
>
>
> *Adhi Priharmanto*
>
> about.me/a_dhi
-- 
Cheers,

Adhi Priharmanto
about.me/a_dhi
+62-812-82121584
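As an added example (not part of this thread and not OpenStack project code), a small checker for the nova.conf and ml2_conf.ini settings Huan lists in steps 1 and 2, run over two constructed configs: the Kilo settings from the original post and the corrected pair. The bridge names, the physnet mapping and the [xenserver] values are placeholders.

```python
import configparser

# Constructed samples: the Kilo settings from the original post, then the
# corrected pair from Huan's steps 1 and 2 (bridge names are placeholders).
ORIGINAL_NOVA = """[DEFAULT]
firewall_driver = nova.virt.xenapi.firewall.Dom0IptablesFirewallDriver
"""
ORIGINAL_ML2 = """[ovs]
enable_security_group = True
enable_ipset = True
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
"""
FIXED_NOVA = """[DEFAULT]
firewall_driver = nova.virt.firewall.NoopFirewallDriver
security_group_api = neutron
[xenserver]
ovs_integration_bridge = xapi2
vif_driver = nova.virt.xenapi.vif.XenAPIOpenVswitchDriver
"""
FIXED_ML2 = """[agent]
minimize_polling = False
root_helper_daemon =
root_helper = /usr/local/bin/neutron-rootwrap-xen-dom0 /etc/neutron/rootwrap.conf
[ovs]
integration_bridge = xapi2
bridge_mappings = physnet1:xapi1
"""

def check_xen_sg(nova_text, ml2_text):
    """Return findings for settings that differ from the thread; [] means all match."""
    nova, ml2 = configparser.ConfigParser(), configparser.ConfigParser()
    nova.read_string(nova_text)
    ml2.read_string(ml2_text)
    findings = []
    # Step 1: nova must hand security groups to neutron and stop filtering itself
    if not nova.get("DEFAULT", "firewall_driver", fallback="").endswith("NoopFirewallDriver"):
        findings.append("nova [DEFAULT] firewall_driver must be NoopFirewallDriver")
    if nova.get("DEFAULT", "security_group_api", fallback="") != "neutron":
        findings.append("nova [DEFAULT] security_group_api must be neutron")
    if not nova.get("xenserver", "vif_driver", fallback="").endswith("XenAPIOpenVswitchDriver"):
        findings.append("nova [xenserver] vif_driver must be XenAPIOpenVswitchDriver")
    if not nova.get("xenserver", "ovs_integration_bridge", fallback=""):
        findings.append("nova [xenserver] ovs_integration_bridge is unset")
    # Step 2: the L2 agent must program dom0 via the XenServer rootwrap and know its bridges
    if "neutron-rootwrap-xen-dom0" not in ml2.get("agent", "root_helper", fallback=""):
        findings.append("ml2 [agent] root_helper must use neutron-rootwrap-xen-dom0")
    for opt in ("integration_bridge", "bridge_mappings"):
        if not ml2.get("ovs", opt, fallback=""):
            findings.append(f"ml2 [ovs] {opt} is unset")
    return findings
```

Running `check_xen_sg(ORIGINAL_NOVA, ORIGINAL_ML2)` lists every mismatch in the original post's settings, while the corrected pair returns an empty list.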