Hi Adhi,
Do you use DevStack to deploy XenServer + Kilo, or do you deploy manually?
The current Kilo release does not support XenServer + Neutron security groups,
because security groups are implemented via iptables on a Linux bridge; however,
no Linux bridge is created when a new instance is booted.
But we now have a new fix to support Neutron security groups. We have tested
that it works, and it will be implemented as a blueprint:
https://review.openstack.org/#/c/251271/
So, if you want to use Neutron security groups in Kilo, you should apply the
patch to your code and also make the configuration changes below:
1. In nova.conf, two configurations should be set:
[DEFAULT]
firewall_driver = nova.virt.firewall.NoopFirewallDriver
security_group_api=neutron
[xenserver]
ovs_integration_bridge =
vif_driver = nova.virt.xenapi.vif.XenAPIOpenVswitchDriver
If you don't know how to configure ovs_integration_bridge, you can refer to
this blog:
https://www.citrix.com/blogs/2015/11/30/integrating-xenserver-rdo-and-neutron/
2. In Neutron, check the configuration in ml2_conf.ini on the compute node,
which is used by the Neutron L2 agent:
[agent]
minimize_polling = False
root_helper_daemon =
root_helper = /usr/local/bin/neutron-rootwrap-xen-dom0 /etc/neutron/rootwrap.conf
[ovs]
integration_bridge =
bridge_mappings =
Also, for the ovs configuration items, if you are not clear on how to
configure them, refer to the blog above.
3. In Neutron, check the configuration in /etc/neutron/rootwrap.conf on the
compute node:
[xenapi]
# XenAPI configuration is only required by the L2 agent if it is to
# target a XenServer/XCP compute host's dom0.
xenapi_connection_url=
xenapi_connection_username=
xenapi_connection_password=
Best Regards//Huan
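The settings Huan lists above are spread over two files and three sections, and the original question shows how easy it is to put them in the wrong place. The following is an added example for this page, not code from the thread or from OpenStack: a small audit that parses a nova.conf and an ml2_conf.ini and reports which of the recommended settings are missing. The two sample configurations are constructed; the bridge name xapi1 and the non-dom0 root_helper in the "bad" sample are assumed values, not values from the thread. One check goes beyond the thread: Neutron reads firewall_driver and enable_security_group from the [securitygroup] section, so the audit flags them when they only appear under [ovs], which is where the original question placed them.

```python
"""Audit nova.conf / ml2_conf.ini for the XenServer + Neutron security-group
settings recommended in the thread above.

Added example for this page, not code from the thread or from OpenStack.
The config texts below are constructed samples; 'xapi1' is an assumed bridge
name and the 'bad' root_helper is an assumed non-dom0 value.
"""
import configparser

NOOP_FW = "nova.virt.firewall.NoopFirewallDriver"
OVS_VIF = "nova.virt.xenapi.vif.XenAPIOpenVswitchDriver"
DOM0_ROOTWRAP = "/usr/local/bin/neutron-rootwrap-xen-dom0"
HYBRID_FW = "neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver"

# Constructed sample matching the thread's recommendation (bridge name assumed).
NOVA_CONF_OK = """
[DEFAULT]
firewall_driver = nova.virt.firewall.NoopFirewallDriver
security_group_api = neutron

[xenserver]
ovs_integration_bridge = xapi1
vif_driver = nova.virt.xenapi.vif.XenAPIOpenVswitchDriver
"""

ML2_CONF_OK = """
[agent]
minimize_polling = False
root_helper_daemon =
root_helper = /usr/local/bin/neutron-rootwrap-xen-dom0 /etc/neutron/rootwrap.conf

[ovs]
integration_bridge = xapi1
bridge_mappings =

[securitygroup]
enable_security_group = True
enable_ipset = True
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
"""

# Constructed sample modelled on the original question: nova tries to enforce
# rules itself, the L2 agent's rootwrap does not target dom0, and the firewall
# settings sit under [ovs] instead of [securitygroup].
NOVA_CONF_BAD = """
[DEFAULT]
firewall_driver = nova.virt.xenapi.firewall.Dom0IptablesFirewallDriver
security_group_api = neutron
"""

ML2_CONF_BAD = """
[agent]
root_helper = sudo /usr/bin/neutron-rootwrap /etc/neutron/rootwrap.conf

[ovs]
integration_bridge = br-int
enable_security_group = True
enable_ipset = True
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
"""


def _load(text):
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    cp.read_string(text)
    return cp


def _get(cp, section, key):
    # Stripped value, or "" when the section or key is absent or blank.
    return (cp.get(section, key, fallback="") or "").strip()


def audit(nova_conf, ml2_conf):
    """Return finding codes; an empty list means the recommended settings are present."""
    nova, ml2, findings = _load(nova_conf), _load(ml2_conf), []

    # nova must hand security groups to Neutron and stop enforcing them itself:
    # on XenServer there is no Linux bridge for nova's own iptables driver.
    if _get(nova, "DEFAULT", "firewall_driver") != NOOP_FW:
        findings.append("nova:firewall_driver_not_noop")
    if _get(nova, "DEFAULT", "security_group_api").lower() != "neutron":
        findings.append("nova:security_group_api_not_neutron")
    if _get(nova, "xenserver", "vif_driver") != OVS_VIF:
        findings.append("nova:vif_driver_not_ovs")
    nova_bridge = _get(nova, "xenserver", "ovs_integration_bridge")
    if not nova_bridge:
        findings.append("nova:ovs_integration_bridge_empty")

    # The L2 agent's root helper must run commands in dom0, where the OVS
    # bridge and the iptables rules actually live.
    if not _get(ml2, "agent", "root_helper").startswith(DOM0_ROOTWRAP):
        findings.append("ml2:root_helper_not_dom0")
    if _get(ml2, "agent", "root_helper_daemon"):
        findings.append("ml2:root_helper_daemon_set")
    ml2_bridge = _get(ml2, "ovs", "integration_bridge")
    if not ml2_bridge:
        findings.append("ml2:integration_bridge_empty")
    elif nova_bridge and ml2_bridge != nova_bridge:
        # Assumption: nova and the L2 agent should name the same dom0 bridge.
        findings.append("ml2:integration_bridge_mismatch")

    # Neutron reads these from [securitygroup]; copies under [ovs] are ignored.
    if _get(ml2, "securitygroup", "firewall_driver") != HYBRID_FW:
        findings.append("ml2:securitygroup_firewall_driver_missing")
        if _get(ml2, "ovs", "firewall_driver") == HYBRID_FW:
            findings.append("ml2:firewall_driver_in_wrong_section")
    if _get(ml2, "securitygroup", "enable_security_group").lower() != "true":
        findings.append("ml2:enable_security_group_not_true")
    return findings


if __name__ == "__main__":
    print("recommended config:", audit(NOVA_CONF_OK, ML2_CONF_OK))
    print("original question's config:", audit(NOVA_CONF_BAD, ML2_CONF_BAD))
```

To run it against a real node, read the two files and pass their contents to audit(). A clean audit only says the configuration matches the thread; the behavioural check is still the one the original question describes: with no port-22 rule in the security group, an SSH connection to the instance's floating IP from the external network should be refused or time out.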
-------- Original Message --------
Subject: [Openstack] Security Groups Can't Apply in Kilo with Neutron &
XenServer
From: Adhi Priharmanto
To: [email protected]
CC:
Hi all,
I have OpenStack Kilo installed in my lab; for the compute hypervisor I use
XenServer 6.5, and networking uses Neutron OVS. For the controller, network, and
compute nodes I'm using Ubuntu 14.04.
My problem is that the security group rules are not applied to the instances
that get created. For example, there is no rule for SSH port 22 in the security
group I assigned to the instance, but the instance with a floating IP can still
be logged into via SSH from the external network.
I've already added this option to my nova.conf:
firewall_driver=nova.virt.xenapi.firewall.Dom0IptablesFirewallDriver
and also defined firewall_driver in my ml2_conf.ini on the controller, network,
and compute nodes:
[ovs]
enable_security_group = True
enable_ipset = True
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
Can somebody help me with this problem?
--
Cheers,
Adhi Priharmanto
about.me/a_dhi
_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to: [email protected]
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack