I've found that the neutron linuxbridge agent does not create a VXLAN when creating an LXD instance.
Does nova-compute-lxd not yet support/cooperate with the neutron linuxbridge agent?

On Thu, Jun 9, 2016 at 1:55 PM, HIROSE Masaaki <[email protected]> wrote:
> Hi,
>
> I've changed the security group of an LXD instance on OpenStack, but it had no effect.
>
> - I can still access the LXD instance
> - no change in `iptables -nL` on the compute node of the LXD instance
> - no log message from the neutron linuxbridge agent
>
> Does nova-lxd not support security groups?
>
> * Environment
>
> Ubuntu 16.04
> OpenStack Mitaka
> lxd 2.0.2-0ubuntu1~16.04.1
> nova-compute-lxd 13.0.0-0ubuntu3
>
> * Reproduce
>
> Create a security group `allow-SSH` which allows only SSH access.
>
> $ nova secgroup-list-rules allow-SSH
> +-------------+-----------+---------+-----------+--------------+
> | IP Protocol | From Port | To Port | IP Range  | Source Group |
> +-------------+-----------+---------+-----------+--------------+
> | tcp         | 22        | 22      | 0.0.0.0/0 |              |
> +-------------+-----------+---------+-----------+--------------+
>
> Change the security group of the LXD instance to this `allow-SSH`.
>
> $ nova remove-secgroup lxd1 default
> $ nova add-secgroup lxd1 allow-SSH
> $ nova list-secgroup lxd1
> +--------------------------------------+-----------+-------------+
> | Id                                   | Name      | Description |
> +--------------------------------------+-----------+-------------+
> | 665407b4-aac0-4d41-afba-7476a2bedb75 | allow-SSH |             |
> +--------------------------------------+-----------+-------------+
>
> Then I can still ping the LXD instance.
>
> The `allow-SSH` rule does not exist in `iptables -nL` on the LXD compute node.
>
> # iptables -nL | grep 22
> ACCEPT     all  --  0.0.0.0/0            192.168.122.0/24     ctstate RELATED,ESTABLISHED
> ACCEPT     all  --  192.168.122.0/24     0.0.0.0/0
>
> No log message in /var/log/neutron/neutron-linuxbridge-agent.log.
>
> 2016-06-09 13:32:16.141 14315 INFO neutron.agent.securitygroups_rpc [req-5df0f708-166d-4589-9ef0-0b0a475f6046 0980e79abec74a83a4c315bf9cc280be 98efb10842184d05aab967d266610958 - - -] Security group member updated [u'665407b4-aac0-4d41-afba-7476a2bedb75']
>
> On the other hand, /var/log/neutron/neutron-linuxbridge-agent.log on the KVM compute node is the following:
>
> 2016-06-09 13:02:49.205 2392 INFO neutron.agent.securitygroups_rpc [req-4901c8c9-5440-4a88-b07a-1fa11bb3ef7c 0980e79abec74a83a4c315bf9cc280be 98efb10842184d05aab967d266610958 - - -] Security group member updated [u'e0e48207-8657-4c1a-ba5a-f4e8b4432a3b']
> 2016-06-09 13:02:51.095 2392 INFO neutron.agent.securitygroups_rpc [req-d507249c-6946-46f6-9258-b4b173e7568f - - - - -] Refresh firewall rules
> 2016-06-09 13:02:51.829 2392 INFO neutron.plugins.ml2.drivers.agent._common_agent [req-d507249c-6946-46f6-9258-b4b173e7568f - - - - -] Port tap7397d348-f5 updated. Details: {u'profile': {}, u'network_qos_policy_id': None, u'qos_policy_id': None, u'allowed_address_pairs': [], u'admin_state_up': True, u'network_id': u'd3cfb761-7be2-4f53-99df-c911e2842a84', u'segmentation_id': 7, u'device_owner': u'compute:nova', u'physical_network': None, u'mac_address': u'fa:16:3e:5e:ba:11', u'device': u'tap7397d348-f5', u'port_security_enabled': True, u'port_id': u'7397d348-f5e9-428b-9800-bb09927a8c34', u'fixed_ips': [{u'subnet_id': u'894fe18b-b67b-4909-a0cd-8f904c87b104', u'ip_address': u'192.168.201.53'}], u'network_type': u'vxlan', u'security_groups': []}

--
ひろせ

_______________________________________________
lxc-users mailing list
[email protected]
http://lists.linuxcontainers.org/listinfo/lxc-users
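A way to automate the check the post does by hand (did the security group's rule actually land in iptables on the compute node for the instance's port?), as an added example that is not from the post, nova-lxd or Neutron. It assumes the Neutron linuxbridge iptables firewall driver's per-port ingress chain naming (`neutron-linuxbri-i` plus the tap device name prefix) and its `-j RETURN` allow rules; the `iptables -S` input is constructed.

```python
"""Verify that Neutron security-group rules for a port exist in iptables
on the compute node (added example; not code from the post or project)."""
from typing import List, Tuple

Rule = Tuple[str, int, int, str]  # (protocol, from_port, to_port, cidr)

# Constructed `iptables -S` excerpt. Chain naming follows the linuxbridge
# iptables firewall driver as assumed here:
#   "neutron-linuxbri-" + ("i" + <tap device name without "tap">)[:11]
SAMPLE_IPTABLES_S = """\
-N neutron-linuxbri-i7397d348-f
-N neutron-linuxbri-ideadbeef-0
-A neutron-linuxbri-i7397d348-f -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-linuxbri-i7397d348-f -p tcp -m tcp --dport 22 -j RETURN
-A neutron-linuxbri-i7397d348-f -j neutron-linuxbri-sg-fallback
-A neutron-linuxbri-ideadbeef-0 -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-linuxbri-ideadbeef-0 -j neutron-linuxbri-sg-fallback
"""

# The allow-SSH group from the post: tcp 22-22 from 0.0.0.0/0.
ALLOW_SSH: List[Rule] = [("tcp", 22, 22, "0.0.0.0/0")]


def ingress_chain(device: str) -> str:
    """Per-port ingress chain for a tap device such as tap7397d348-f5 (assumed naming)."""
    return "neutron-linuxbri-" + ("i" + device[3:])[:11]


def expected_tokens(rule: Rule) -> set:
    """Tokens an iptables allow rule must carry to implement one secgroup rule."""
    proto, lo, hi, cidr = rule
    dport = f"{lo}" if lo == hi else f"{lo}:{hi}"
    tokens = {"-p", proto, "-m", "--dport", dport, "-j", "RETURN"}
    if cidr != "0.0.0.0/0":  # "any" source produces no -s match
        tokens |= {"-s", cidr}
    return tokens


def check_port(iptables_s: str, device: str, expected: List[Rule]):
    """Return (chain_present, missing_rules) for one instance port."""
    chain = ingress_chain(device)
    lines = iptables_s.splitlines()
    present = ("-N " + chain) in lines
    rule_lines = [set(l.split()) for l in lines if l.startswith("-A " + chain + " ")]
    missing = [r for r in expected
               if not any(expected_tokens(r) <= toks for toks in rule_lines)]
    return present, missing


if __name__ == "__main__":
    # The KVM node's port from the post; on the LXD node the chain would be absent.
    print(check_port(SAMPLE_IPTABLES_S, "tap7397d348-f5", ALLOW_SSH))
```

Feed it real output from `iptables -S` on the compute node and the `device` value from the port-update log line; an absent chain means the firewall driver never programmed the port at all, while a present chain with missing rules means the rule refresh did not reach it.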
