Re: [Openstack] quantum l2 networks

2013-06-08 Thread Aaron Rosen
Hi Joe,

Just curious what's your use case, why do you need to disable these?

Aaron


On Sat, Jun 8, 2013 at 12:01 PM, Joe Breu  wrote:

>  Hi Aaron,
>
>  Thanks for the response.  It looks like it is the nwfilters in
> nova-compute that are making this a pain for me.
>
>
>
>  On Jun 7, 2013, at 11:11 PM, Aaron Rosen wrote:
>
>  Hi Joe,
>
>  I thought setting firewall_driver =
> quantum.agent.firewall.NoopFirewallDriver would do the trick? Also, the ovs
> plugin does not do any mac spoof filtering at the OVS level. Those are all
> done in iptables.
>
> Aaron
>
> On Fri, Jun 7, 2013 at 8:22 PM, Joe Breu wrote:
>
>> Hello,
>>
>> Is there a way to create a quantum l2 network using OVS that does not
>> have MAC and IP spoofing enabled either in iptables or OVS?  One workaround
>> that we found was to set the OVS plugin firewall_driver =
>> quantum.agent.firewall.NoopFirewallDriver to security_group_api=nova
>> however this is far from ideal and doesn't solve the problem of MAC spoof
>> filtering at the OVS level.
>>
>> Thanks for any help
>>
>>
>> ___
>> Mailing list: https://launchpad.net/~openstack
>> Post to : openstack@lists.launchpad.net
>> Unsubscribe : https://launchpad.net/~openstack
>> More help   : https://help.launchpad.net/ListHelp
>>
>
>
>


Re: [Openstack] quantum l2 networks

2013-06-08 Thread Aaron Rosen
Setting this in nova.conf should disable that but then your security
groups won't work.
firewall_driver = nova.virt.firewall.NoopFirewallDriver



On Sat, Jun 8, 2013 at 12:01 PM, Joe Breu  wrote:

>  Hi Aaron,
>
>  Thanks for the response.  It looks like it is the nwfilters in
> nova-compute that are making this a pain for me.
>
>
>
>  On Jun 7, 2013, at 11:11 PM, Aaron Rosen wrote:
>
>  Hi Joe,
>
>  I thought setting firewall_driver =
> quantum.agent.firewall.NoopFirewallDriver would do the trick? Also, the ovs
> plugin does not do any mac spoof filtering at the OVS level. Those are all
> done in iptables.
>
> Aaron
>
> On Fri, Jun 7, 2013 at 8:22 PM, Joe Breu wrote:
>
>> Hello,
>>
>> Is there a way to create a quantum l2 network using OVS that does not
>> have MAC and IP spoofing enabled either in iptables or OVS?  One workaround
>> that we found was to set the OVS plugin firewall_driver =
>> quantum.agent.firewall.NoopFirewallDriver to security_group_api=nova
>> however this is far from ideal and doesn't solve the problem of MAC spoof
>> filtering at the OVS level.
>>
>> Thanks for any help
>>
>>
>>
>
>
>
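The firewall_driver and security_group_api settings discussed in this thread interact across nova.conf and the quantum agent configuration; the following audit is an added example, not code from the thread or from OpenStack. The sample files are constructed, and the non-Noop driver paths, the [SECURITYGROUP] section name and the finding labels are assumptions.

```python
import configparser

NOOP_SUFFIX = "NoopFirewallDriver"  # both Noop drivers named in the thread end with this


def lookup(conf_text, key):
    """Return the value of `key` from any section of an INI file, or None."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    if key in parser.defaults():
        return parser.defaults()[key].strip()
    for section in parser.sections():
        if parser.has_option(section, key):
            return parser.get(section, key).strip()
    return None


def filters(driver):
    """True if the driver filters traffic, False for a Noop driver, None if unset."""
    if driver is None:
        return None
    return not driver.endswith(NOOP_SUFFIX)


def audit(nova_conf, agent_conf):
    """Report which layer enforces security groups on one compute host."""
    # Assumption: nova owns security groups unless security_group_api says otherwise.
    api = lookup(nova_conf, "security_group_api") or "nova"
    nova_on = filters(lookup(nova_conf, "firewall_driver"))
    agent_on = filters(lookup(agent_conf, "firewall_driver"))
    findings = []
    if nova_on is None:
        findings.append("unset:nova")    # release default applies, check it by hand
    if agent_on is None:
        findings.append("unset:agent")
    owner_on = nova_on if api == "nova" else agent_on
    if owner_on is False:
        # The API accepts security group rules but nothing applies them.
        findings.append("api-without-enforcement")
    if api != "nova" and nova_on:
        # nova-compute still installs its own filters next to the quantum agent.
        findings.append("double-filtering")
    if nova_on is False and agent_on is False:
        # Neither layer filters, so no anti-spoofing or security groups on this host.
        findings.append("no-filtering")
    return {"api": api, "nova_filters": nova_on,
            "agent_filters": agent_on, "findings": findings}


# Constructed sample files (not taken from any real deployment).
NOVA_QUANTUM_SG = """[DEFAULT]
security_group_api=quantum
firewall_driver=nova.virt.firewall.NoopFirewallDriver
"""
NOVA_ALL_OFF = """[DEFAULT]
firewall_driver = nova.virt.firewall.NoopFirewallDriver
"""
NOVA_STILL_FILTERING = """[DEFAULT]
security_group_api=quantum
firewall_driver = nova.virt.libvirt.firewall.IptablesFirewallDriver
"""
AGENT_FILTERING = """[SECURITYGROUP]
firewall_driver = quantum.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
"""
AGENT_NOOP = """[SECURITYGROUP]
firewall_driver = quantum.agent.firewall.NoopFirewallDriver
"""

if __name__ == "__main__":
    cases = [("quantum security groups", NOVA_QUANTUM_SG, AGENT_FILTERING),
             ("both drivers Noop", NOVA_ALL_OFF, AGENT_NOOP),
             ("nova driver left on", NOVA_STILL_FILTERING, AGENT_FILTERING)]
    for name, nova, agent in cases:
        print(name, audit(nova, agent))
```
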


Re: [Openstack] quantum l2 networks

2013-06-08 Thread Joe Breu
Hi Aaron,

Thanks for the response.  It looks like it is the nwfilters in nova-compute 
that are making this a pain for me.



On Jun 7, 2013, at 11:11 PM, Aaron Rosen wrote:

Hi Joe,

I thought setting firewall_driver = quantum.agent.firewall.NoopFirewallDriver 
would do the trick? Also, the ovs plugin does not do any mac spoof filtering at 
the OVS level. Those are all done in iptables.

Aaron

On Fri, Jun 7, 2013 at 8:22 PM, Joe Breu wrote:
Hello,

Is there a way to create a quantum l2 network using OVS that does not have MAC 
and IP spoofing enabled either in iptables or OVS?  One workaround that we 
found was to set the OVS plugin firewall_driver = 
quantum.agent.firewall.NoopFirewallDriver to security_group_api=nova however 
this is far from ideal and doesn't solve the problem of MAC spoof filtering at 
the OVS level.

Thanks for any help




Re: [Openstack] quantum l2 networks

2013-06-08 Thread Aaron Rosen
Hi Daniel,

Thanks for finding this! This is a bug. The code wasn't accounting for the
case where the plugin doesn't implement port_security_enabled.  Here's a
patch that fixes the issue in the meantime.

Best,

Aaron

--- a/nova/network/security_group/quantum_driver.py
+++ b/nova/network/security_group/quantum_driver.py
@@ -340,8 +340,9 @@ class
SecurityGroupAPI(security_group_base.SecurityGroupBase):
 has_ip = port.get('fixed_ips')
 if port_security_enabled and has_ip:
 return True
-else:
-return False
+elif 'port_security_enabled' not in port and has_ip:
+return True
+return False

 @wrap_check_security_groups_policy
 def add_to_instance(self, context, instance, security_group_name):
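Review bot: the added elif 'port_security_enabled' not in port and has_ip branch treats a port that lacks the attribute as if port security were on, and nothing in the hunk says why. A one-line comment stating that the key is absent when the plugin does not implement the port security extension would keep a later cleanup from folding this back into return False. The two return True branches can also be merged into a single condition, for example has_ip and (port_security_enabled or 'port_security_enabled' not in port), and a unit test with a port dict that omits the key would pin down the case that produced the HTTP 400 reported in this thread.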



On Sat, Jun 8, 2013 at 2:14 AM, daniels cai  wrote:

>
> nova add-secgroup 24891d97-8d0e-4e99-9537-c8f8291913d0 d11
>
> ERROR: Network requires port_security_enabled and subnet associated in
> order to apply security groups. (HTTP 400) (Request-ID:
> req-94cb2d54-858b-4843-af53-b373c88bcdc0)
>
>
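> security group exists
>
> # quantum security-group-list
> +--------------------------------------+---------+------------------+
> | id                                   | name    | description      |
> +--------------------------------------+---------+------------------+
> | 0acc8258-bd9f-4f87-b051-a94dbc1504eb | default | default          |
> | 5902febc-e793-4b09-8073-567226d83d79 | d11     | des for firewall |
> +--------------------------------------+---------+------------------+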
>
>
>
> Daniels Cai
> http://dnscai.com
>
>
> 2013/6/8 Aaron Rosen 
>
>> You said:
>>
>> > it works, but when i try to attach a security group to an existing vm, api
>> > throws an error: "Network requires port_security_enabled and subnet
>> > associated in order to apply security groups."
>>
>> What command are you running to generate that error?
>>
>>
>>
>> On Sat, Jun 8, 2013 at 1:45 AM, daniels cai  wrote:
>>
>>> Aaron, thanks for your answers, i see it.
>>>
>>> we are not using nvp in our environment yet.
>>>
>>> my vm is booted with a subnet_id specified.
>>> i am sure about it.
>>> here is more info:
>>>
>>> vm has an ip "192.168.6.100", this ip belongs to subnet
>>> 83afd693-7e36-41e9-b896-9d8b0d89d255, this subnet belongs to network
>>> "iaas-net", network id is 5332f0f7-3156-4961-aa67-0b8507265fa5
>>>
>>> # nova list
>>>
>>> | 24891d97-8d0e-4e99-9537-c8f8291913d0 | ubuntu-1304-server-amd64 | ACTIVE  | iaas-net=192.168.6.100
>>>
>>> here is quantum network info:
>>>
>>> # quantum net-list
>>>
>>> +--------------------------------------+----------+-------------------------------------------------------+
>>> | id                                   | name     | subnets                                               |
>>> +--------------------------------------+----------+-------------------------------------------------------+
>>> | 5332f0f7-3156-4961-aa67-0b8507265fa5 | iaas-net | 329ca377-6193-4a0c-9320-471cd5ff762f 192.168.202.0/24 |
>>> |                                      |          | 83afd693-7e36-41e9-b896-9d8b0d89d255 192.168.6.0/24   |
>>> |                                      |          | bb1afb2d-ab59-4ba4-8a76-8b5b426b8e33 192.168.7.0/24   |
>>> |                                      |          | d59794df-bb49-4924-a19f-cbdec0ce24df 192.168.188.0/24 |
>>> |                                      |          | dca45033-e506-42e4-bf05-aaccd0591c55 192.168.193.0/24 |
>>> |                                      |          | e8a9be74-2f39-4d7e-9287-c5b85b573cca 192.168.192.0/24 |
>>>
>>>
>>> i enabled the following features in quantum
>>> 1. namespace
>>> 2. overlap ips
>>>
>>> if any more info needed for debug, i will attach
>>>
>>>
>>>
>>> Daniels Cai
>>> http://dnscai.com
>>>
>>>
>>> 2013/6/8 Aaron Rosen 
>>> >
>>> > There is no port_security_enabled config option. This is an attribute
>>> on a port that is used if the plugin you are using implements the
>>> port_security_extension (which is only nvp at the time).
>>> >
>>> > I'm guessing your issue is the network you are trying to boot an
>>> instance on does not have a subnet associated with it.
>>> >
>>> > Aaron
>>> >
>>> >
>>> > On Sat, Jun 8, 2013 at 12:37 AM, daniels cai 
>>> wrote:
>>> >>
>>> >> hi Aaron
>>> >> i set the following in nova.conf
>>> >>
>>> >> security_group_api=quantum
>>> >> firewall_driver=nova.virt.firewall.NoopFirewallDriver
>>> >>
>>> >> it works, but when i try to attach a security group to an exist vm ,
>>> api throw an error :
>>> >>
>>> >> "Network requires port_security_enabled and subnet associated in
>>> order to apply security groups."
>>> >>
>>> >> the i add port_security_enabled in quantum.conf in all nodes.
>>> >> "port_security_enabled=True"
>>> >>
>>> >>  with no luck, it still doesn't work .
>>> >>
>>> >> Any advice ? does quantum security group support this feat

Re: [Openstack] quantum l2 networks

2013-06-08 Thread daniels cai
nova add-secgroup 24891d97-8d0e-4e99-9537-c8f8291913d0 d11

ERROR: Network requires port_security_enabled and subnet associated in
order to apply security groups. (HTTP 400) (Request-ID:
req-94cb2d54-858b-4843-af53-b373c88bcdc0)


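security group exists

# quantum security-group-list
+--------------------------------------+---------+------------------+
| id                                   | name    | description      |
+--------------------------------------+---------+------------------+
| 0acc8258-bd9f-4f87-b051-a94dbc1504eb | default | default          |
| 5902febc-e793-4b09-8073-567226d83d79 | d11     | des for firewall |
+--------------------------------------+---------+------------------+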



Daniels Cai
http://dnscai.com


2013/6/8 Aaron Rosen 

> You said:
>
> > it works, but when i try to attach a security group to an existing vm, api
> > throws an error: "Network requires port_security_enabled and subnet
> > associated in order to apply security groups."
>
> What command are you running to generate that error?
>
>
>
> On Sat, Jun 8, 2013 at 1:45 AM, daniels cai  wrote:
>
>> Aaron, thanks for your answers, i see it.
>>
>> we are not using nvp in our environment yet.
>>
>> my vm is booted with a subnet_id specified.
>> i am sure about it.
>> here is more info:
>>
>> vm has an ip "192.168.6.100", this ip belongs to subnet
>> 83afd693-7e36-41e9-b896-9d8b0d89d255, this subnet belongs to network
>> "iaas-net", network id is 5332f0f7-3156-4961-aa67-0b8507265fa5
>>
>> # nova list
>>
>> | 24891d97-8d0e-4e99-9537-c8f8291913d0 | ubuntu-1304-server-amd64 | ACTIVE  | iaas-net=192.168.6.100
>>
>> here is quantum network info:
>>
>> # quantum net-list
>>
>> +--------------------------------------+----------+-------------------------------------------------------+
>> | id                                   | name     | subnets                                               |
>> +--------------------------------------+----------+-------------------------------------------------------+
>> | 5332f0f7-3156-4961-aa67-0b8507265fa5 | iaas-net | 329ca377-6193-4a0c-9320-471cd5ff762f 192.168.202.0/24 |
>> |                                      |          | 83afd693-7e36-41e9-b896-9d8b0d89d255 192.168.6.0/24   |
>> |                                      |          | bb1afb2d-ab59-4ba4-8a76-8b5b426b8e33 192.168.7.0/24   |
>> |                                      |          | d59794df-bb49-4924-a19f-cbdec0ce24df 192.168.188.0/24 |
>> |                                      |          | dca45033-e506-42e4-bf05-aaccd0591c55 192.168.193.0/24 |
>> |                                      |          | e8a9be74-2f39-4d7e-9287-c5b85b573cca 192.168.192.0/24 |
>>
>>
>> i enabled the following features in quantum
>> 1. namespace
>> 2. overlap ips
>>
>> if any more info needed for debug, i will attach
>>
>>
>>
>> Daniels Cai
>> http://dnscai.com
>>
>>
>> 2013/6/8 Aaron Rosen 
>> >
>> > There is no port_security_enabled config option. This is an attribute
>> on a port that is used if the plugin you are using implements the
>> port_security_extension (which is only nvp at the time).
>> >
>> > I'm guessing your issue is the network you are trying to boot an
>> instance on does not have a subnet associated with it.
>> >
>> > Aaron
>> >
>> >
>> > On Sat, Jun 8, 2013 at 12:37 AM, daniels cai  wrote:
>> >>
>> >> hi Aaron
>> >> i set the following in nova.conf
>> >>
>> >> security_group_api=quantum
>> >> firewall_driver=nova.virt.firewall.NoopFirewallDriver
>> >>
>> >> it works, but when i try to attach a security group to an exist vm ,
>> api throw an error :
>> >>
>> >> "Network requires port_security_enabled and subnet associated in order
>> to apply security groups."
>> >>
>> >> the i add port_security_enabled in quantum.conf in all nodes.
>> >> "port_security_enabled=True"
>> >>
>> >>  with no luck, it still doesn't work .
>> >>
>> >> Any advice ? does quantum security group support this feature?
>> >>
>> >> Daniels Cai
>> >> http://dnscai.com
>> >>
>> >>
>> >> 2013/6/8 Aaron Rosen 
>> >>>
>> >>> Hi Joe,
>> >>>
>> >>> I thought setting firewall_driver =
>> quantum.agent.firewall.NoopFirewallDriver would do the trick? Also, the ovs
>> plugin does not do any mac spoof filtering at the OVS level. Those are all
>> done in iptables.
>> >>>
>> >>> Aaron
>> >>>
>> >>> On Fri, Jun 7, 2013 at 8:22 PM, Joe Breu 
>> wrote:
>> 
>>  Hello,
>> 
>>  Is there a way to create a quantum l2 network using OVS that does
>> not have MAC and IP spoofing enabled either in iptables or OVS?  One
>> workaround that we found was to set the OVS plugin firewall_driver =
>> quantum.agent.firewall.NoopFirewallDriver to security_group_api=nova
>> however this is far from ideal and doesn't solve the problem of MAC spoof
>> filtering at the OVS level.
>> 
>>  Thanks for any help
>> 
>> 
>

Re: [Openstack] quantum l2 networks

2013-06-08 Thread Aaron Rosen
You said:

> it works, but when i try to attach a security group to an existing vm, api
> throws an error: "Network requires port_security_enabled and subnet
> associated in order to apply security groups."

What command are you running to generate that error?



On Sat, Jun 8, 2013 at 1:45 AM, daniels cai  wrote:

> Aaron, thanks for your answers, i see it.
>
> we are not using nvp in our environment yet.
>
> my vm is booted with a subnet_id specified.
> i am sure about it.
> here is more info:
>
> vm has an ip "192.168.6.100", this ip belongs to subnet
> 83afd693-7e36-41e9-b896-9d8b0d89d255, this subnet belongs to network
> "iaas-net", network id is 5332f0f7-3156-4961-aa67-0b8507265fa5
>
> # nova list
>
> | 24891d97-8d0e-4e99-9537-c8f8291913d0 | ubuntu-1304-server-amd64 | ACTIVE  | iaas-net=192.168.6.100
>
> here is quantum network info:
>
> # quantum net-list
>
> +--------------------------------------+----------+-------------------------------------------------------+
> | id                                   | name     | subnets                                               |
> +--------------------------------------+----------+-------------------------------------------------------+
> | 5332f0f7-3156-4961-aa67-0b8507265fa5 | iaas-net | 329ca377-6193-4a0c-9320-471cd5ff762f 192.168.202.0/24 |
> |                                      |          | 83afd693-7e36-41e9-b896-9d8b0d89d255 192.168.6.0/24   |
> |                                      |          | bb1afb2d-ab59-4ba4-8a76-8b5b426b8e33 192.168.7.0/24   |
> |                                      |          | d59794df-bb49-4924-a19f-cbdec0ce24df 192.168.188.0/24 |
> |                                      |          | dca45033-e506-42e4-bf05-aaccd0591c55 192.168.193.0/24 |
> |                                      |          | e8a9be74-2f39-4d7e-9287-c5b85b573cca 192.168.192.0/24 |
>
>
> i enabled the following features in quantum
> 1. namespace
> 2. overlap ips
>
> if any more info needed for debug, i will attach
>
>
>
> Daniels Cai
> http://dnscai.com
>
>
> 2013/6/8 Aaron Rosen 
> >
> > There is no port_security_enabled config option. This is an attribute on
> a port that is used if the plugin you are using implements the
> port_security_extension (which is only nvp at the time).
> >
> > I'm guessing your issue is the network you are trying to boot an
> instance on does not have a subnet associated with it.
> >
> > Aaron
> >
> >
> > On Sat, Jun 8, 2013 at 12:37 AM, daniels cai  wrote:
> >>
> >> hi Aaron
> >> i set the following in nova.conf
> >>
> >> security_group_api=quantum
> >> firewall_driver=nova.virt.firewall.NoopFirewallDriver
> >>
> >> it works, but when i try to attach a security group to an exist vm ,
> api throw an error :
> >>
> >> "Network requires port_security_enabled and subnet associated in order
> to apply security groups."
> >>
> >> the i add port_security_enabled in quantum.conf in all nodes.
> >> "port_security_enabled=True"
> >>
> >>  with no luck, it still doesn't work .
> >>
> >> Any advice ? does quantum security group support this feature?
> >>
> >> Daniels Cai
> >> http://dnscai.com
> >>
> >>
> >> 2013/6/8 Aaron Rosen 
> >>>
> >>> Hi Joe,
> >>>
> >>> I thought setting firewall_driver =
> quantum.agent.firewall.NoopFirewallDriver would do the trick? Also, the ovs
> plugin does not do any mac spoof filtering at the OVS level. Those are all
> done in iptables.
> >>>
> >>> Aaron
> >>>
> >>> On Fri, Jun 7, 2013 at 8:22 PM, Joe Breu 
> wrote:
> 
>  Hello,
> 
>  Is there a way to create a quantum l2 network using OVS that does not
> have MAC and IP spoofing enabled either in iptables or OVS?  One workaround
> that we found was to set the OVS plugin firewall_driver =
> quantum.agent.firewall.NoopFirewallDriver to security_group_api=nova
> however this is far from ideal and doesn't solve the problem of MAC spoof
> filtering at the OVS level.
> 
>  Thanks for any help
> 
> 


Re: [Openstack] quantum l2 networks

2013-06-08 Thread daniels cai
Aaron, thanks for your answers, i see it.

we are not using nvp in our environment yet.

my vm is booted with a subnet_id specified.
i am sure about it.
here is more info:

vm has an ip "192.168.6.100", this ip belongs to subnet
83afd693-7e36-41e9-b896-9d8b0d89d255, this subnet belongs to network
"iaas-net", network id is 5332f0f7-3156-4961-aa67-0b8507265fa5

# nova list

| 24891d97-8d0e-4e99-9537-c8f8291913d0 | ubuntu-1304-server-amd64 | ACTIVE  | iaas-net=192.168.6.100

here is quantum network info:

# quantum net-list
+--------------------------------------+----------+-------------------------------------------------------+
| id                                   | name     | subnets                                               |
+--------------------------------------+----------+-------------------------------------------------------+
| 5332f0f7-3156-4961-aa67-0b8507265fa5 | iaas-net | 329ca377-6193-4a0c-9320-471cd5ff762f 192.168.202.0/24 |
|                                      |          | 83afd693-7e36-41e9-b896-9d8b0d89d255 192.168.6.0/24   |
|                                      |          | bb1afb2d-ab59-4ba4-8a76-8b5b426b8e33 192.168.7.0/24   |
|                                      |          | d59794df-bb49-4924-a19f-cbdec0ce24df 192.168.188.0/24 |
|                                      |          | dca45033-e506-42e4-bf05-aaccd0591c55 192.168.193.0/24 |
|                                      |          | e8a9be74-2f39-4d7e-9287-c5b85b573cca 192.168.192.0/24 |


i enabled the following features in quantum
1. namespace
2. overlap ips

if any more info needed for debug, i will attach


Daniels Cai
http://dnscai.com


2013/6/8 Aaron Rosen 
>
> There is no port_security_enabled config option. This is an attribute on
a port that is used if the plugin you are using implements the
port_security_extension (which is only nvp at the time).
>
> I'm guessing your issue is the network you are trying to boot an instance
on does not have a subnet associated with it.
>
> Aaron
>
>
> On Sat, Jun 8, 2013 at 12:37 AM, daniels cai  wrote:
>>
>> hi Aaron
>> i set the following in nova.conf
>>
>> security_group_api=quantum
>> firewall_driver=nova.virt.firewall.NoopFirewallDriver
>>
>> it works, but when i try to attach a security group to an exist vm , api
throw an error :
>>
>> "Network requires port_security_enabled and subnet associated in order
to apply security groups."
>>
>> the i add port_security_enabled in quantum.conf in all nodes.
>> "port_security_enabled=True"
>>
>>  with no luck, it still doesn't work .
>>
>> Any advice ? does quantum security group support this feature?
>>
>> Daniels Cai
>> http://dnscai.com
>>
>>
>> 2013/6/8 Aaron Rosen 
>>>
>>> Hi Joe,
>>>
>>> I thought setting firewall_driver =
quantum.agent.firewall.NoopFirewallDriver would do the trick? Also, the ovs
plugin does not do any mac spoof filtering at the OVS level. Those are all
done in iptables.
>>>
>>> Aaron
>>>
>>> On Fri, Jun 7, 2013 at 8:22 PM, Joe Breu 
wrote:

 Hello,

 Is there a way to create a quantum l2 network using OVS that does not
have MAC and IP spoofing enabled either in iptables or OVS?  One workaround
that we found was to set the OVS plugin firewall_driver =
quantum.agent.firewall.NoopFirewallDriver to security_group_api=nova
however this is far from ideal and doesn't solve the problem of MAC spoof
filtering at the OVS level.

 Thanks for any help




Re: [Openstack] quantum l2 networks

2013-06-08 Thread Aaron Rosen
There is no port_security_enabled config option. This is an attribute on a
port that is used if the plugin you are using implements the
port_security_extension (which is only nvp at the time).

I'm guessing your issue is the network you are trying to boot an instance
on does not have a subnet associated with it.

Aaron


On Sat, Jun 8, 2013 at 12:37 AM, daniels cai  wrote:

> hi Aaron
> i set the following in nova.conf
>
> security_group_api=quantum
> firewall_driver=nova.virt.firewall.NoopFirewallDriver
>
> it works, but when i try to attach a security group to an existing vm, api
> throws an error:
>
> "Network requires port_security_enabled and subnet associated in order to
> apply security groups."
>
> then i add port_security_enabled in quantum.conf in all nodes.
> "port_security_enabled=True"
>
> with no luck, it still doesn't work.
>
> Any advice? does quantum security group support this feature?
>
> Daniels Cai
> http://dnscai.com
>
>
> 2013/6/8 Aaron Rosen 
>
>> Hi Joe,
>>
>> I thought setting firewall_driver =
>> quantum.agent.firewall.NoopFirewallDriver would do the trick? Also, the ovs
>> plugin does not do any mac spoof filtering at the OVS level. Those are all
>> done in iptables.
>>
>> Aaron
>>
>> On Fri, Jun 7, 2013 at 8:22 PM, Joe Breu wrote:
>>
>>> Hello,
>>>
>>> Is there a way to create a quantum l2 network using OVS that does not
>>> have MAC and IP spoofing enabled either in iptables or OVS?  One workaround
>>> that we found was to set the OVS plugin firewall_driver =
>>> quantum.agent.firewall.NoopFirewallDriver to security_group_api=nova
>>> however this is far from ideal and doesn't solve the problem of MAC spoof
>>> filtering at the OVS level.
>>>
>>> Thanks for any help
>>>
>>>


Re: [Openstack] quantum l2 networks

2013-06-08 Thread daniels cai
hi Aaron
i set the following in nova.conf

security_group_api=quantum
firewall_driver=nova.virt.firewall.NoopFirewallDriver

it works, but when i try to attach a security group to an existing vm, api
throws an error:

"Network requires port_security_enabled and subnet associated in order to
apply security groups."

then i add port_security_enabled in quantum.conf in all nodes.
"port_security_enabled=True"

with no luck, it still doesn't work.

Any advice? does quantum security group support this feature?

Daniels Cai
http://dnscai.com


2013/6/8 Aaron Rosen 

> Hi Joe,
>
> I thought setting firewall_driver =
> quantum.agent.firewall.NoopFirewallDriver would do the trick? Also, the ovs
> plugin does not do any mac spoof filtering at the OVS level. Those are all
> done in iptables.
>
> Aaron
>
> On Fri, Jun 7, 2013 at 8:22 PM, Joe Breu wrote:
>
>> Hello,
>>
>> Is there a way to create a quantum l2 network using OVS that does not
>> have MAC and IP spoofing enabled either in iptables or OVS?  One workaround
>> that we found was to set the OVS plugin firewall_driver =
>> quantum.agent.firewall.NoopFirewallDriver to security_group_api=nova
>> however this is far from ideal and doesn't solve the problem of MAC spoof
>> filtering at the OVS level.
>>
>> Thanks for any help
>>
>>


Re: [Openstack] quantum l2 networks

2013-06-07 Thread Aaron Rosen
Hi Joe,

I thought setting firewall_driver =
quantum.agent.firewall.NoopFirewallDriver would do the trick? Also, the ovs
plugin does not do any mac spoof filtering at the OVS level. Those are all
done in iptables.

Aaron

On Fri, Jun 7, 2013 at 8:22 PM, Joe Breu  wrote:

> Hello,
>
> Is there a way to create a quantum l2 network using OVS that does not have
> MAC and IP spoofing enabled either in iptables or OVS?  One workaround that
> we found was to set the OVS plugin firewall_driver =
> quantum.agent.firewall.NoopFirewallDriver to security_group_api=nova
> however this is far from ideal and doesn't solve the problem of MAC spoof
> filtering at the OVS level.
>
> Thanks for any help
>
>


[Openstack] quantum l2 networks

2013-06-07 Thread Joe Breu
Hello,

Is there a way to create a quantum l2 network using OVS that does not have MAC 
and IP spoofing enabled either in iptables or OVS?  One workaround that we 
found was to set the OVS plugin firewall_driver = 
quantum.agent.firewall.NoopFirewallDriver to security_group_api=nova however 
this is far from ideal and doesn't solve the problem of MAC spoof filtering at 
the OVS level.

Thanks for any help

