[Openstack] Security Groups Can't Apply in Kilo with Neutron & XenServer

Adhi Priharmanto adhi.pri at gmail.com
Fri Sep 23 08:22:10 UTC 2016


Hi,

Here we go, my instance properties (including the nova & neutron security group lists):
http://pastebin.com/etZ51g31

and here are my iptables rules from:
xenserver : http://pastebin.com/skURDdaM
Compute node (nova) : http://pastebin.com/fnnugbZj
Network node : http://pastebin.com/WXrEKWB6




On Fri, Sep 23, 2016 at 2:04 PM, Huan Xie <huan.xie at citrix.com> wrote:

> Hi,
>
> There are several parts to check,
>
> 1.       When you empty security group rules, was this security group
> used for the instances you were testing?
>
> 2.       Can you double check the iptables rules, or paste them somewhere
> so that we can check those rules?
>
>
>
> Thanks,
>
> Huan
>
>
>
> *From:* Adhi Priharmanto [mailto:adhi.pri at gmail.com]
> *Sent:* Thursday, September 22, 2016 11:47 AM
>
> *To:* Huan Xie
> *Cc:* openstack at lists.openstack.org
> *Subject:* Re: [Openstack] Security Groups Can't Apply in Kilo with
> Neutron & XenServer
>
>
>
> Hi,
>
>
>
> an update from my test: why, even when I empty the security group so that no
> rule is defined, can I still reach (ping & ssh) my instance from outside?
>
>
>
> On Wed, Sep 21, 2016 at 5:18 PM, Adhi Priharmanto <adhi.pri at gmail.com>
> wrote:
>
> Hi Huan Xie,
>
>
>
>
>
> Thanks for your fast response. I applied those patches to my Dom0 and DomU
> (nova-compute), then restarted the neutron-openvswitch-agent and nova-compute
> services.
>
>
>
> The error in neutron-openvswitch-agent doesn't appear anymore. I'm still
> trying security group rule variations on the instance; I'll update with the
> results as soon as I can.
>
>
>
>
>
>
>
> On Wed, Sep 21, 2016 at 2:11 PM, Huan Xie <huan.xie at citrix.com> wrote:
>
> Hi Adhi,
>
>
>
> 1.       From http://pastebin.com/gwf1wdEb, we can see you have added the
> “conntrack” command in netwrap, but it seems the whole patch is not applied; I
> mean you need to apply the whole patch https://review.openstack.org/#/c/341304/
> in neutron.
>
> netwrap is located in Dom0 at /etc/xapi.d/plugins
>
> neutron-rootwrap-xen-dom0 is located in DomU, maybe at /usr/local/bin/neutron-rootwrap-xen-dom0
> or another path like that, depending on how you installed it; you may need to
> apply the patch to the source file
>
>    1. With these rules, I'm still able to ping the instance
>    2. Also please check the neutron-openvswitch-agent error list when I
>    remove a rule and terminate an instance.
>
> =>  For the two, since the patch seems not to be applied completely, you
> may still be able to ping the VM. Also you need to install conntrack-tools in
> Dom0, because the “conntrack” command in netwrap is sent to Dom0; otherwise
> the real “conntrack” command does not take effect.
>
>
>
> Hope these checks can help you.
>
>
>
> Thanks,
>
> Huan
>
>
>
>
>
> *From:* Adhi Priharmanto [mailto:adhi.pri at gmail.com]
> *Sent:* Wednesday, September 21, 2016 1:59 PM
>
>
> *To:* Huan Xie
> *Cc:* openstack at lists.openstack.org
> *Subject:* Re: [Openstack] Security Groups Can't Apply in Kilo with
> Neutron & XenServer
>
>
>
> Hi All....
>
>
>
> Sorry for my late reply..
>
>
>
> @Bob, I installed Liberty manually, not using devstack, packstack, etc.
>
>
>
> Here is my node service configuration.
>
>
>
>
>
>
>
> =============================
>
> NETWORK-NODE
>
> =============================
>
> Configuration : http://pastebin.com/6DLqUbjU
>
>
>
>
>
> =============================
>
> COMPUTE-NODE
>
> =============================
>
> Configuration : http://pastebin.com/RhGBvNbA
>
> Error list : http://pastebin.com/xHQSb625
>
>
>
> =============================
>
> XENSERVER-NODE
>
> =============================
>
> Configuration : http://pastebin.com/gwf1wdEb
>
> Error list : http://pastebin.com/wNzbhcPi
>
>
>
> for XenServer,
>
>    - I also set up Multi Tenancy Networking Protections in XenServer,
>    following this guide:
>    https://github.com/openstack/nova/blob/master/plugins/xenserver/doc/networking.rst
>    - I also set up sysctl.conf (see the config in the xenserver-node pastebin),
>    but it seems there is no br_netfilter module available on XenServer.
>
> =============================
>
> neutron security-group-rule-list
>
> =============================
>
>  # neutron security-group-rule-list
>
> +--------------------------------------+----------------+-----------+-----------+---------------+-----------------+
> | id                                   | security_group | direction | ethertype | protocol/port | remote          |
> +--------------------------------------+----------------+-----------+-----------+---------------+-----------------+
> | 310fb8eb-bcf7-4425-83a3-f2f3f1335958 | default        | egress    | IPv6      | any           | any             |
> | 42e8b7e8-1262-4673-8547-55fa6b33d4f1 | default        | egress    | IPv4      | any           | any             |
> | 4e8bde5b-344a-4c6a-b09d-223d9fec72bf | default        | ingress   | IPv4      | any           | default (group) |
> | cd8f3aaa-9882-42a0-b713-87489cfff22c | default        | ingress   | IPv6      | any           | default (group) |
> | d884ff2f-71e8-4647-b45d-e8f92ad87261 | default        | egress    | IPv4      | any           | any             |
> | f4f85fae-6a15-4a85-ae51-5f34536bb72e | default        | ingress   | IPv6      | any           | default (group) |
> | f6e3929a-3df4-4209-8486-7ce0b0047771 | default        | egress    | IPv6      | any           | any             |
> | fbb2a744-de01-49c7-b875-8cdfbc4fdd7f | default        | ingress   | IPv4      | any           | default (group) |
> +--------------------------------------+----------------+-----------+-----------+---------------+-----------------+
>
>    - With these rules, I'm still able to ping the instance
>    - Also please check the neutron-openvswitch-agent error list when I remove
>    a rule and terminate an instance.
>
>
>
> I hope someone can guide me with this problem; thanks in advance.
>
>
>
>
>
> On Sun, Sep 18, 2016 at 8:16 AM, Huan Xie <huan.xie at citrix.com> wrote:
>
> Hi,
>
>
>
> After applying these changes, is your neutron ml2 configuration correct?
> Mainly the parts below:
>
> If it still cannot work, could you please describe the errors?
>
> Besides these, we found that XenServer dom0 lacks conntrack support for the
> neutron-ovs-agent in the compute node; there is a fix waiting for review:
> https://review.openstack.org/#/c/341304/
>
> 1.       In nova.conf, two configurations should be set
>
> [DEFAULT]
>
> firewall_driver = nova.virt.firewall.NoopFirewallDriver
>
> security_group_api=neutron
>
> use_neutron = True
>
> [xenserver]
>
> ovs_integration_bridge =
>
> vif_driver = nova.virt.xenapi.vif.XenAPIOpenVswitchDriver
>
>  2.       In neutron, check the ml2_conf.ini configuration in the compute node,
> which is used for the neutron L2 agent
>
> [agent]
>
> minimize_polling = False
>
> root_helper_daemon =
>
> root_helper = /usr/local/bin/neutron-rootwrap-xen-dom0
> /etc/neutron/rootwrap.conf
>
> [ovs]
>
> integration_bridge =
>
> bridge_mappings =
>
> Thanks,
>
> Huan
>
>
>
> *From:* Adhi Priharmanto [mailto:adhi.pri at gmail.com]
> *Sent:* Thursday, September 15, 2016 3:48 PM
>
>
> *To:* Huan Xie
> *Cc:* openstack at lists.openstack.org
> *Subject:* Re: [Openstack] Security Groups Can't Apply in Kilo with
> Neutron & XenServer
>
>
>
> Hi, I still have no luck with this problem; even using the Liberty release,
> security groups are still not applied on the network. Can you help me again?
>
>
>
> On Thu, Mar 17, 2016 at 10:55 AM, Adhi Priharmanto <adhi.pri at gmail.com>
> wrote:
>
> Ok, I'll try to patch my neutron.
>
>
>
> On Tue, Mar 15, 2016 at 8:52 AM, Huan Xie <huan.xie at citrix.com> wrote:
>
> Hi,
>
> To apply the patch, you need to download the changed files from
> https://review.openstack.org/#/c/251271/ and its dependent changes; you
> can find the dependent changes in the right corner (Related Changes) when you
> open the link.
>
> For the files that you need to edit: in the middle of the code review page, you
> can find a section called “Files”; this part shows you which files are
> changed.
>
>
>
> Best Regards//Huan
>
>
>
> *From:* Adhi Priharmanto [mailto:adhi.pri at gmail.com]
> *Sent:* Monday, March 14, 2016 6:21 PM
> *To:* Huan Xie
> *Cc:* openstack at lists.openstack.org
> *Subject:* Re: [Openstack] Security Groups Can't Apply in Kilo with
> Neutron & XenServer
>
>
>
> Hi Xie,
>
>
>
> I also commented on your post at blog.citrix :) ; steps 1 - 3 were clear
> to me. I'm still confused about the patched code in
> https://review.openstack.org/#/c/251271/ for some files; could you explain
> more about how to do it, and which files I should edit?
>
>
>
> Thanks in advance
>
>
>
> On Mon, Mar 14, 2016 at 3:34 PM, Huan Xie <huan.xie at citrix.com> wrote:
>
> Hi Adhi,
>
>
>
> Do you use devstack to deploy XenServer + Kilo, or do you deploy manually?
>
> The current Kilo release does not support XenServer + Neutron security groups,
> because security groups are implemented via iptables on a Linux bridge;
> however, no Linux bridge is created when booting a new instance.
>
> But we now have a new fix to support neutron security groups; we have
> tested that it can work. This will be implemented as a blueprint:
> https://review.openstack.org/#/c/251271/
>
> So, if you want to use neutron security groups in Kilo, you should apply some
> patches to your code and also make the configurations as below:
>
>
>
> 1.       In nova.conf, two configurations should be set
>
> [DEFAULT]
>
> firewall_driver = nova.virt.firewall.NoopFirewallDriver
>
> security_group_api=neutron
>
>
>
> [xenserver]
>
> ovs_integration_bridge =
>
> vif_driver = nova.virt.xenapi.vif.XenAPIOpenVswitchDriver
>
>
>
>                 If you don’t know how to configure ovs_integration_bridge,
> then you can refer to this blog:
> https://www.citrix.com/blogs/2015/11/30/integrating-xenserver-rdo-and-neutron/
>
>
>
> 2.       In neutron, check the ml2_conf.ini configuration in the compute node,
> which is used for the neutron L2 agent
>
> [agent]
>
> minimize_polling = False
>
> root_helper_daemon =
>
> root_helper = /usr/local/bin/neutron-rootwrap-xen-dom0
> /etc/neutron/rootwrap.conf
>
>
>
> [ovs]
>
> integration_bridge =
>
> bridge_mappings =
>
>
>
>                 Also, for the ovs configuration items, if you are not clear
> on how to configure them, refer to the blog
>
>
>
> 3.       In neutron, check the /etc/neutron/rootwrap.conf configuration in the
> compute node
>
> [xenapi]
>
> # XenAPI configuration is only required by the L2 agent if it is to
>
> # target a XenServer/XCP compute host's dom0.
>
> xenapi_connection_url=
>
> xenapi_connection_username=
>
> xenapi_connection_password=
>
>
>
> Best Regards//Huan
>
>
>
> -------- Original Message --------
> Subject: [Openstack] Security Groups Can't Apply in Kilo with Neutron &
> XenServer
> From: Adhi Priharmanto
> To: openstack at lists.openstack.org
> CC:
>
> Hi all,
>
> I had OpenStack Kilo installed in my lab; for the compute hypervisor I use
> XenServer 6.5, and networking uses Neutron OVS. For the Controller, Network,
> and Compute nodes I'm using Ubuntu 14.04.
>
>
>
> My problem was that security group rules are not applied to the instances that
> are created. For example, there is no rule for SSH port 22 in the security
> group I defined for the instance, but the instance with a floating IP can be
> logged into by ssh from the external network.
>
>
> I've already added this option in my nova.conf
>
>
>
> firewall_driver=nova.virt.xenapi.firewall.Dom0IptablesFirewallDriver
>
>
>
> and also defined firewall_driver in my ml2_conf.ini on the Controller,
> Network, and Compute nodes
>
>
>
> [ovs]
>
> enable_security_group = True
>
> enable_ipset = True
>
> firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
>
>
>
> Can somebody help me with this problem?
>
>
>
>
>
> --
>
> Cheers,
>
>
>
> *Adhi Priharmanto*
>
> about.me/a_dhi
>



-- 
Cheers,



Adhi Priharmanto
about.me/a_dhi
+62-812-82121584
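As an added check (my own example, not code from this thread or from the OpenStack projects): a small Python script that parses nova.conf, ml2_conf.ini and rootwrap.conf text against the settings Huan lists in the thread and reports every deviation, including the Dom0IptablesFirewallDriver setting from the first post. The sample config text is constructed, and the bridge name xapi1 is an assumed placeholder.

```python
import configparser
# Values Huan Xie gives in the thread for XenServer + Neutron security groups.
EXPECTED = {
    "nova.conf": {
        ("DEFAULT", "firewall_driver"): "nova.virt.firewall.NoopFirewallDriver",
        ("DEFAULT", "security_group_api"): "neutron",
        ("xenserver", "vif_driver"): "nova.virt.xenapi.vif.XenAPIOpenVswitchDriver",
    },
    "ml2_conf.ini": {("agent", "minimize_polling"): "False"},
}
# Deployment-specific keys the thread leaves blank; they must still be filled in.
REQUIRED = {
    "nova.conf": [("xenserver", "ovs_integration_bridge")],
    "ml2_conf.ini": [("agent", "root_helper"), ("ovs", "integration_bridge")],
    "rootwrap.conf": [("xenapi", k) for k in ("xenapi_connection_url",
                      "xenapi_connection_username", "xenapi_connection_password")],
}

def _get(cp, section, key):
    """Stripped value, '' if present but blank, None if the key is absent."""
    return (cp.get(section, key) or "").strip() if cp.has_option(section, key) else None

def check_config(name, text):
    """Return findings for one config file given as text; an empty list means OK."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.read_string(text)
    findings = []
    for (sec, key), want in EXPECTED.get(name, {}).items():
        got = _get(cp, sec, key)
        if got != want:
            findings.append(f"{name} [{sec}] {key}={got!r}, expected {want!r}")
    for sec, key in REQUIRED.get(name, []):
        if not _get(cp, sec, key):
            findings.append(f"{name} [{sec}] {key} is blank or missing")
    # Without the XenAPI root helper the agent's iptables/conntrack calls never reach dom0.
    if name == "ml2_conf.ini" and "neutron-rootwrap-xen-dom0" not in (_get(cp, "agent", "root_helper") or ""):
        findings.append(f"{name} [agent] root_helper must run commands in dom0 via neutron-rootwrap-xen-dom0")
    return findings

# Constructed samples: the nova.conf from the first post versus the recommended one
# (the bridge name xapi1 is an assumed placeholder).
BEFORE_NOVA = "[DEFAULT]\nfirewall_driver=nova.virt.xenapi.firewall.Dom0IptablesFirewallDriver\n"
AFTER_NOVA = """[DEFAULT]
firewall_driver = nova.virt.firewall.NoopFirewallDriver
security_group_api=neutron
[xenserver]
ovs_integration_bridge = xapi1
vif_driver = nova.virt.xenapi.vif.XenAPIOpenVswitchDriver
"""
```

Run check_config("nova.conf", open("/etc/nova/nova.conf").read()) on the compute node and the same for the two neutron files; an empty list for all three means the configuration matches what the thread recommends.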