That is true... Back to "LibvirtHybridOVSBridgeDriver", Security Groups are working again...
On 6 November 2013 15:03, Simon Pasquier <[email protected]> wrote:
> Answering myself as I investigated a little further and cross-posting to
> openstack-dev because I'd like to get feedback from Nova/Neutron devs.
>
> Users running Havana should configure
> libvirt_vif_driver=nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver.
> This driver is still available in the Havana release although deprecated.
> AFAIU, this is the only option if you want effective security groups with
> KVM & OVS.
>
> For people using the master branch of nova, sorry but security groups are
> currently broken because LibvirtHybridOVSBridgeDriver is gone ([0]). Joe
> Gordon asked the Neutron devs about it a few weeks ago [1] but no answer and
> in another review [2], the conclusion was that the Tempest tests passed
> with Neutron. However I don't see anywhere in the tests ([3], [4]) that we
> check if the security rules allow/block traffic.
>
> It would be nice if core devs could confirm or refute.
>
> Regards,
>
> Simon
>
> [0] https://review.openstack.org/#/c/49660/
> [1] http://lists.openstack.org/pipermail/openstack-dev/2013-October/016886.html
> [2] https://review.openstack.org/#/c/44349
> [3] https://github.com/openstack/tempest/blob/master/tempest/api/network/test_security_groups.py
> [4] https://github.com/openstack/tempest/blob/master/tempest/api/network/test_security_groups_negative.py
>
> On 05/11/2013 14:57, Simon Pasquier wrote:
>> Hi all,
>>
>> I'm struggling with security groups on Havana with Neutron and OVS
>> plugin (GRE tunnels). No problem to create/delete security group rules
>> but even though iptables configuration is updated, traffic to my
>> instances is never filtered [0].
>>
>> I'm running DevStack on 2 nodes (1 controller + 1 compute):
>> - OS: Ubuntu 12.04.3 (LTS) with the Havana cloud archive repository.
>> - Open vSwitch package version: 1.10.2-0ubuntu2~cloud0
>> - libvirt package version: 1.1.1-0ubuntu8~cloud2
>> - localrc, nova.conf, neutron.conf and ovs_neutron_plugin.ini files
>> pasted at [1] (I didn't modify any of these files after the DevStack run)
>>
>> According to [2], [3] and [4], iptables is not compatible with TAP
>> devices connected directly to Open vSwitch ports, this is why there used
>> to be the additional veth + bridge interfaces [5]. But in my setup, this
>> is not the case anymore as shown in [6] ('ovs-vsctl show' +
>> 'iptables-save' output). I've also pasted the libvirt XML configuration
>> [7] that shows that the instance is directly connected to the Open
>> vSwitch.
>>
>> Are the security groups supposed to work when the instance is directly
>> connected to OVS? If yes, what am I doing wrong?
>>
>> Regards,
>>
>> [0] http://paste.openstack.org/show/50490/
>> [1] http://paste.openstack.org/show/50448/
>> [2] http://www.spinics.net/linux/fedora/libvirt-users/msg05384.html
>> [3] http://openvswitch.org/pipermail/discuss/2013-October/011461.html
>> [4] http://docs.openstack.org/havana/config-reference/content/under_the_hood_openvswitch.html
>> [5] http://docs.openstack.org/havana/config-reference/content/figures/7/a/a/common/figures/under-the-hood-scenario-2-ovs-compute.png
>> [6] http://paste.openstack.org/show/50486/
>> [7] http://paste.openstack.org/show/50487/
>
> --
> Simon Pasquier
> Software Engineer
> Bull, Architect of an Open World
> Phone: + 33 4 76 29 71 49
> http://www.bull.com
>
> _______________________________________________
> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to : [email protected]
> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
_______________________________________________
OpenStack-dev mailing list
[email protected]
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
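An added compute-node check, not part of the thread or of Nova/Neutron, that encodes the distinction Simon describes: a tap attached straight to br-int bypasses iptables, whereas the hybrid driver's qvo veth on br-int plus physdev rules naming the tap means security groups are enforced. The 'ovs-vsctl show' and 'iptables-save' excerpts and the port id "1234abcd-56" are constructed samples; on a real host feed the script the actual command output.

```shell
#!/bin/sh
# Constructed samples (not from the thread). Nova names the tap and the
# OVS-side veth after the same 11-character Neutron port id prefix.
OVS_DIRECT='Bridge br-int
    Port "tap1234abcd-56"
        Interface "tap1234abcd-56"'
OVS_HYBRID='Bridge br-int
    Port "qvo1234abcd-56"
        Interface "qvo1234abcd-56"'
IPT_HYBRID='-A neutron-openvswi-FORWARD -m physdev --physdev-out tap1234abcd-56 --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-in tap1234abcd-56 --physdev-is-bridged -j neutron-openvswi-sg-chain'

# vif_attach_mode TAP OVS_SHOW_TEXT -> direct | hybrid | unknown
# "direct": the tap itself is an OVS port, so iptables never sees its traffic.
# "hybrid": the matching qvo veth is the OVS port (tap -> qbr bridge -> qvb/qvo).
vif_attach_mode() {
  tap=$1; id=${tap#tap}
  if printf '%s\n' "$2" | grep -q "Port \"$tap\""; then echo direct
  elif printf '%s\n' "$2" | grep -q "Port \"qvo$id\""; then echo hybrid
  else echo unknown; fi
}

# sg_rule_count TAP IPTABLES_SAVE_TEXT -> number of physdev rules naming the tap
# (grep -c exits 1 on zero matches, so force success to keep set -e callers happy)
sg_rule_count() {
  printf '%s\n' "$2" | grep -cE -- "--physdev-(in|out) $1 " || true
}

# check_vif TAP OVS_SHOW_TEXT IPTABLES_SAVE_TEXT -> one OK or WARN line
check_vif() {
  mode=$(vif_attach_mode "$1" "$2"); n=$(sg_rule_count "$1" "$3")
  if [ "$mode" = hybrid ] && [ "$n" -gt 0 ]; then
    echo "OK: $1 behind qbr/qvb/qvo, $n physdev rules present"
  else
    echo "WARN: $1 mode=$mode rules=$n (iptables security groups not enforced)"
  fi
}

# Simon's setup: rules exist but the tap sits directly on br-int -> WARN
check_vif tap1234abcd-56 "$OVS_DIRECT" "$IPT_HYBRID"
# Hybrid driver in use -> OK
check_vif tap1234abcd-56 "$OVS_HYBRID" "$IPT_HYBRID"
```

Iterate it over `ls /sys/class/net | grep '^tap'` to audit every instance port on a host.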
