Hi Adhi,

1.       From http://pastebin.com/gwf1wdEb, we can see you have set the “conntrack”
command in netwrap, but it seems the whole patch is not applied; I mean you need
to apply the whole patch https://review.openstack.org/#/c/341304/ in neutron.
netwrap is located in Dom0 at /etc/xapi.d/plugins.
neutron-rootwrap-xen-dom0 is located in DomU, maybe at
/usr/local/bin/neutron-rootwrap-xen-dom0 or another path like that, depending on
how you installed it; you may need to apply the patch to the source file.

  1.  With this rule, I'm still able to ping the instance
  2.  Also please check the neutron-openvswitch-agent error list when I remove a rule
and terminate an instance.

->  For the two: since the patch seems not to be applied completely, you may still
be able to ping the VM. Also you need to install conntrack-tools in Dom0, because
the “conntrack” command in netwrap is sent to Dom0; otherwise the real “conntrack”
command does not take effect.

Hope these checks can help you.

Thanks,
Huan


From: Adhi Priharmanto [mailto:adhi....@gmail.com]
Sent: Wednesday, September 21, 2016 1:59 PM
To: Huan Xie
Cc: openstack@lists.openstack.org
Subject: Re: [Openstack] Security Groups Can't Apply in Kilo with Neutron & 
XenServer

Hi All,

Sorry for my late reply.

@Bob, I installed Liberty manually, not using devstack, packstack, etc.

Here is my node service configuration.



=============================
NETWORK-NODE
=============================
Configuration : http://pastebin.com/6DLqUbjU


=============================
COMPUTE-NODE
=============================
Configuration : http://pastebin.com/RhGBvNbA
Error list : http://pastebin.com/xHQSb625

=============================
XENSERVER-NODE
=============================
Configuration : http://pastebin.com/gwf1wdEb
Error list : http://pastebin.com/wNzbhcPi

for XenServer,

  *   I also set up Multi Tenancy Networking Protections in XenServer,
following this guide
https://github.com/openstack/nova/blob/master/plugins/xenserver/doc/networking.rst
  *   I also set up sysctl.conf (see config at xenserver-node pastebin), but
it seems no br_netfilter module is available on XenServer.

=============================
neutron security-group-rule-list
=============================
 # neutron security-group-rule-list
+--------------------------------------+----------------+-----------+-----------+---------------+-----------------+
| id                                   | security_group | direction | ethertype | protocol/port | remote          |
+--------------------------------------+----------------+-----------+-----------+---------------+-----------------+
| 310fb8eb-bcf7-4425-83a3-f2f3f1335958 | default        | egress    | IPv6      | any           | any             |
| 42e8b7e8-1262-4673-8547-55fa6b33d4f1 | default        | egress    | IPv4      | any           | any             |
| 4e8bde5b-344a-4c6a-b09d-223d9fec72bf | default        | ingress   | IPv4      | any           | default (group) |
| cd8f3aaa-9882-42a0-b713-87489cfff22c | default        | ingress   | IPv6      | any           | default (group) |
| d884ff2f-71e8-4647-b45d-e8f92ad87261 | default        | egress    | IPv4      | any           | any             |
| f4f85fae-6a15-4a85-ae51-5f34536bb72e | default        | ingress   | IPv6      | any           | default (group) |
| f6e3929a-3df4-4209-8486-7ce0b0047771 | default        | egress    | IPv6      | any           | any             |
| fbb2a744-de01-49c7-b875-8cdfbc4fdd7f | default        | ingress   | IPv4      | any           | default (group) |
+--------------------------------------+----------------+-----------+-----------+---------------+-----------------+

  *   With this rule, I'm still able to ping the instance
  *   Also please check the neutron-openvswitch-agent error list when I remove a rule
and terminate an instance.

I hope someone can guide me with this problem, thanks in advance.


On Sun, Sep 18, 2016 at 8:16 AM, Huan Xie 
<huan....@citrix.com> wrote:
Hi,

After applying these changes, is your neutron ml2 configuration correct? Mainly
the parts below.
If it still cannot work, could you please describe the errors?
Besides these, we found that the XenServer dom0 lacks conntrack support for
neutron-ovs-agent in the compute node; there is a fix waiting for review
https://review.openstack.org/#/c/341304/

1.       In nova.conf, two configurations should be set
[DEFAULT]
firewall_driver = nova.virt.firewall.NoopFirewallDriver
security_group_api=neutron
use_neutron = True
[xenserver]
ovs_integration_bridge =
vif_driver = nova.virt.xenapi.vif.XenAPIOpenVswitchDriver

2.       In neutron, check the configuration ml2_conf.ini in the compute node, which
is used for the neutron L2 agent
[agent]
minimize_polling = False
root_helper_daemon =
root_helper = /usr/local/bin/neutron-rootwrap-xen-dom0 /etc/neutron/rootwrap.conf
[ovs]
integration_bridge =
bridge_mappings =
Thanks,
Huan

From: Adhi Priharmanto [mailto:adhi....@gmail.com]
Sent: Thursday, September 15, 2016 3:48 PM

To: Huan Xie
Cc: openstack@lists.openstack.org
Subject: Re: [Openstack] Security Groups Can't Apply in Kilo with Neutron & 
XenServer

Hi, I still have no luck with this problem; even using the Liberty release, security
groups are still not applied on the network. Can you help me again?

On Thu, Mar 17, 2016 at 10:55 AM, Adhi Priharmanto 
<adhi....@gmail.com> wrote:
Ok, I'll try to patch my neutron

On Tue, Mar 15, 2016 at 8:52 AM, Huan Xie 
<huan....@citrix.com> wrote:
Hi,
To apply the patch, you need to download the changed files from
https://review.openstack.org/#/c/251271/ and its dependent changes; you can
find its dependent changes in the right corner (Related Changes) when you open the
link.
For the files that you need to edit, in the middle of the code review page you can
find a section called “Files”; this part shows you which files are changed.

Best Regards//Huan

From: Adhi Priharmanto [mailto:adhi....@gmail.com]
Sent: Monday, March 14, 2016 6:21 PM
To: Huan Xie
Cc: openstack@lists.openstack.org
Subject: Re: [Openstack] Security Groups Can't Apply in Kilo with Neutron & 
XenServer

Hi Xie,

I also commented on your post at blog.citrix :) , steps 1 - 3 were clear to
me. I'm still confused about the patched code in
https://review.openstack.org/#/c/251271/ for some files; could you explain more
how to do it, and which files I should edit?

Thanks in advance

On Mon, Mar 14, 2016 at 3:34 PM, Huan Xie 
<huan....@citrix.com> wrote:
Hi Adhi,

Do you use devstack to deploy XenServer + Kilo, or manually?
The current Kilo release does not support XenServer + Neutron security groups,
because security groups are implemented via iptables on a Linux bridge; however,
no Linux bridge is created when booting a new instance.
But we now have a new fix to support neutron security groups; we have tested
that it can work. This will be implemented as a blueprint
https://review.openstack.org/#/c/251271/
So, if you want to use neutron security groups in Kilo, you should add some
patches to your code and also please make the configurations as below:


1.       In nova.conf, two configurations should be set
[DEFAULT]
firewall_driver = nova.virt.firewall.NoopFirewallDriver
security_group_api=neutron

[xenserver]
ovs_integration_bridge =
vif_driver = nova.virt.xenapi.vif.XenAPIOpenVswitchDriver

                If you don't know how to configure ovs_integration_bridge, then
you can refer to this blog
https://www.citrix.com/blogs/2015/11/30/integrating-xenserver-rdo-and-neutron/

2.       In neutron, check the configuration ml2_conf.ini in the compute node, which
is used for the neutron L2 agent

[agent]
minimize_polling = False
root_helper_daemon =
root_helper = /usr/local/bin/neutron-rootwrap-xen-dom0 /etc/neutron/rootwrap.conf

[ovs]
integration_bridge =
bridge_mappings =

                Also for the ovs configuration items, if you are not clear on how to
configure them, refer to the blog

3.       In neutron, check the configuration /etc/neutron/rootwrap.conf in the compute
node

[xenapi]
# XenAPI configuration is only required by the L2 agent if it is to
# target a XenServer/XCP compute host's dom0.
xenapi_connection_url=
xenapi_connection_username=
xenapi_connection_password=

Best Regards//Huan


-------- Original Message --------
Subject: [Openstack] Security Groups Can't Apply in Kilo with Neutron & 
XenServer
From: Adhi Priharmanto
To: openstack@lists.openstack.org
CC:
Hi all,

I have OpenStack Kilo installed in my lab; for the compute hypervisor I use
XenServer 6.5, and for networking Neutron with OVS. For the Controller, Network, and
Compute nodes I'm using Ubuntu 14.04.

My problem is that security group rules aren't applied to the instances that are
created. For example, there is no rule for SSH port 22 in the security group I
defined for the instance, but the instance with a floating IP can be logged into by
ssh from the external network.

I've already added this option to my nova.conf

firewall_driver=nova.virt.xenapi.firewall.Dom0IptablesFirewallDriver

and also defined firewall_driver in my ml2_conf.ini on the Controller, Network, and
Compute nodes

[ovs]
enable_security_group = True
enable_ipset = True
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver

Can somebody help me with this problem?


--
Cheers,


Adhi Priharmanto
about.me/a_dhi









_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to     : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
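Added here as a check, not code from the thread or from nova/neutron: a small Python lint of nova.conf and ml2_conf.ini against the settings Huan gives in his March 14 and September 18 mails. The "before" samples are constructed from Adhi's first mail, with his root_helper assumed to be the stock neutron-rootwrap since it is not quoted; the "after" samples follow Huan's list, plus a [securitygroup] block that is not in his list but is the section neutron actually reads firewall_driver from, so a copy under [ovs] does nothing.

```python
"""Lint nova.conf and ml2_conf.ini against the settings Huan lists for
XenServer + Neutron security groups.  Added example, not code from the
thread or from OpenStack; the sample file contents are constructed."""
import configparser


def _load(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def _get(cp, section, key):
    """Stripped value, or None when the section/key is absent."""
    return cp.get(section, key).strip() if cp.has_option(section, key) else None


def lint_nova(text):
    """Nova must stop firewalling itself and hand security groups to neutron."""
    cp, findings = _load(text), []
    want = {
        ("DEFAULT", "firewall_driver"): "nova.virt.firewall.NoopFirewallDriver",
        ("DEFAULT", "security_group_api"): "neutron",
        ("xenserver", "vif_driver"): "nova.virt.xenapi.vif.XenAPIOpenVswitchDriver",
    }
    for (sec, key), expected in want.items():
        got = _get(cp, sec, key)
        if got != expected:
            findings.append(f"nova.conf [{sec}] {key} = {got!r}, want {expected!r}")
    return findings


def lint_ml2(text):
    """The L2 agent must run its iptables/conntrack commands in Dom0."""
    cp, findings = _load(text), []
    if "neutron-rootwrap-xen-dom0" not in (_get(cp, "agent", "root_helper") or ""):
        findings.append("ml2_conf.ini [agent] root_helper does not use neutron-rootwrap-xen-dom0")
    if _get(cp, "agent", "root_helper_daemon"):
        findings.append("ml2_conf.ini [agent] root_helper_daemon must be left empty")
    if (_get(cp, "agent", "minimize_polling") or "").lower() != "false":
        findings.append("ml2_conf.ini [agent] minimize_polling must be False")
    for key in ("integration_bridge", "bridge_mappings"):
        if _get(cp, "ovs", key) is None:
            findings.append(f"ml2_conf.ini [ovs] {key} is not set")
    # Beyond Huan's list: neutron registers firewall_driver and
    # enable_security_group in [securitygroup]; a copy under [ovs] is ignored.
    if not _get(cp, "securitygroup", "firewall_driver"):
        findings.append("ml2_conf.ini [securitygroup] firewall_driver is not set")
    return findings


# Constructed "before": Adhi's first mail.  His root_helper was not quoted
# and is assumed to be the stock neutron-rootwrap.
BEFORE_NOVA = """
[DEFAULT]
firewall_driver=nova.virt.xenapi.firewall.Dom0IptablesFirewallDriver
"""
BEFORE_ML2 = """
[agent]
root_helper = sudo neutron-rootwrap /etc/neutron/rootwrap.conf
[ovs]
enable_security_group = True
enable_ipset = True
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
"""

# Constructed "after": Huan's settings.  Site-specific bridge values are left
# blank as in his mail; the [securitygroup] block is an addition made here.
AFTER_NOVA = """
[DEFAULT]
firewall_driver = nova.virt.firewall.NoopFirewallDriver
security_group_api=neutron
use_neutron = True
[xenserver]
ovs_integration_bridge =
vif_driver = nova.virt.xenapi.vif.XenAPIOpenVswitchDriver
"""
AFTER_ML2 = """
[agent]
minimize_polling = False
root_helper_daemon =
root_helper = /usr/local/bin/neutron-rootwrap-xen-dom0 /etc/neutron/rootwrap.conf
[ovs]
integration_bridge =
bridge_mappings =
[securitygroup]
enable_security_group = True
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
"""

if __name__ == "__main__":
    print("before:", lint_nova(BEFORE_NOVA) + lint_ml2(BEFORE_ML2))
    print("after: ", lint_nova(AFTER_NOVA) + lint_ml2(AFTER_ML2) or "OK")
```

Point the two lint functions at the real files with `open(path).read()`; an empty result for both is the minimum before chasing the Dom0 patch and conntrack-tools, since with nova's own firewall driver still active or the L2 agent's root commands running in the DomU, no amount of patching netwrap will make the rules take effect.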
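The rule table Adhi posted, read with neutron's semantics, admits ingress only from other members of the same group and should drop an ICMP echo from anywhere else. The following Python, an added example rather than anything from the thread or from neutron, parses that listing (the eight rows re-flowed onto single lines) and evaluates a few packets against it; the group membership addresses 10.0.0.5/10.0.0.6 and the external address 203.0.113.5 are assumed placeholders. If a ping from outside the group reaches the instance while only these rules exist, the firewall driver is not being applied, which is the symptom in the thread.

```python
"""Evaluate packets against the security-group rules Adhi listed, using
neutron's matching semantics.  Added example, not from the thread or from
neutron; the table text below is the listing from the mail, re-flowed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the eight rows Adhi posted, one row per line.
RULE_LIST = """\
| 310fb8eb-bcf7-4425-83a3-f2f3f1335958 | default | egress  | IPv6 | any | any             |
| 42e8b7e8-1262-4673-8547-55fa6b33d4f1 | default | egress  | IPv4 | any | any             |
| 4e8bde5b-344a-4c6a-b09d-223d9fec72bf | default | ingress | IPv4 | any | default (group) |
| cd8f3aaa-9882-42a0-b713-87489cfff22c | default | ingress | IPv6 | any | default (group) |
| d884ff2f-71e8-4647-b45d-e8f92ad87261 | default | egress  | IPv4 | any | any             |
| f4f85fae-6a15-4a85-ae51-5f34536bb72e | default | ingress | IPv6 | any | default (group) |
| f6e3929a-3df4-4209-8486-7ce0b0047771 | default | egress  | IPv6 | any | any             |
| fbb2a744-de01-49c7-b875-8cdfbc4fdd7f | default | ingress | IPv4 | any | default (group) |
"""

# Assumed membership of the "default" group (placeholder addresses).
GROUP_MEMBERS = {"default": ["10.0.0.5", "10.0.0.6"]}


@dataclass(frozen=True)
class Rule:
    group: str
    direction: str               # "ingress" or "egress"
    ethertype: str               # "IPv4" or "IPv6"
    protocol: Optional[str]      # None == any protocol
    port_min: Optional[int]      # None == any port
    port_max: Optional[int]
    remote_cidr: Optional[str]   # CIDR remote, or None
    remote_group: Optional[str]  # "<name> (group)" remote, or None


def parse_rule_list(text):
    """Parse data rows of `neutron security-group-rule-list`; border and header
    lines are skipped.  Handles "22/tcp", "8000-8080/tcp", "tcp", "icmp" and
    "any" in the protocol/port column (icmp type/code is not modelled)."""
    rules = []
    for line in text.splitlines():
        if not line.startswith("|") or line.startswith("| id"):
            continue
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 6:
            continue
        _id, group, direction, ethertype, proto_port, remote = cells
        protocol = port_min = port_max = None
        if proto_port != "any":
            a, _, b = proto_port.partition("/")
            if b:  # port or range on one side, protocol name on the other
                ports, protocol = (a, b) if a[0].isdigit() else (b, a)
                lo, _, hi = ports.partition("-")
                port_min, port_max = int(lo), int(hi or lo)
            else:
                protocol = a.split()[0]
        remote_cidr = remote_group = None
        if remote.endswith("(group)"):
            remote_group = remote[: -len("(group)")].strip()
        elif remote != "any":
            remote_cidr = remote
        rules.append(Rule(group, direction, ethertype, protocol,
                          port_min, port_max, remote_cidr, remote_group))
    return rules


def is_allowed(rules, group, direction, ethertype, protocol, port,
               remote_ip, members):
    """A packet passes iff some rule of the port's group matches it; with no
    matching rule neutron drops it.  remote_ip is the peer address (source
    for ingress, destination for egress)."""
    ip = ipaddress.ip_address(remote_ip)
    for r in rules:
        if (r.group, r.direction, r.ethertype) != (group, direction, ethertype):
            continue
        if r.protocol is not None and r.protocol != protocol:
            continue
        if r.port_min is not None and (port is None or not r.port_min <= port <= r.port_max):
            continue
        if r.remote_group is not None:
            if ip not in {ipaddress.ip_address(m) for m in members.get(r.remote_group, ())}:
                continue
        elif r.remote_cidr is not None and ip not in ipaddress.ip_network(r.remote_cidr, strict=False):
            continue
        return True
    return False


RULES = parse_rule_list(RULE_LIST)

if __name__ == "__main__":
    # An echo request from outside the group must be dropped by these rules;
    # a ping that succeeds anyway means the firewall driver is not enforcing.
    print("ping from 203.0.113.5:", is_allowed(RULES, "default", "ingress", "IPv4", "icmp", None, "203.0.113.5", GROUP_MEMBERS))
    print("ping from 10.0.0.6:   ", is_allowed(RULES, "default", "ingress", "IPv4", "icmp", None, "10.0.0.6", GROUP_MEMBERS))
```

Paste the live `neutron security-group-rule-list` output into `RULE_LIST` and the expected verdicts become a checklist: everything the evaluator says is denied should fail from a host outside the group, and anything that nevertheless gets through points at the driver or the Dom0 plumbing rather than at the rules.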


