Re: [openstack-dev] [Openstack] [Neutron] Security groups issue when running latest libvirt?

On 07/11/2013 03:18, Martinx - ジェームズ wrote:
> That is true... Back to LibvirtHybridOVSBridgeDriver, Security Groups are working again...

Thanks for the feedback Thiago. I've opened a bug on Launchpad: https://bugs.launchpad.net/nova/+bug/1248859

> On 6 November 2013 15:03, Simon Pasquier <simon.pasqu...@bull.net> wrote:
>> Answering myself as I investigated a little further and cross-posting to openstack-dev because I'd like to get feedback from Nova/Neutron devs.
>>
>> Users running Havana should configure libvirt_vif_driver=nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver. This driver is still available in the Havana release although deprecated. AFAIU, this is the only option if you want effective security groups with KVM OVS.
>>
>> For people using the master branch of nova, sorry but security groups are currently broken because LibvirtHybridOVSBridgeDriver is gone ([0]). Joe Gordon asked the Neutron devs about it a few weeks ago [1] but no answer, and in another review [2] the conclusion was that the Tempest tests passed with Neutron. However I don't see anywhere in the tests ([3], [4]) that we check if the security rules allow/block traffic. It would be nice if core devs could confirm or refute.
>>
>> Regards,
>> Simon
>>
>> [0] https://review.openstack.org/#/c/49660/
>> [1] http://lists.openstack.org/pipermail/openstack-dev/2013-October/016886.html
>> [2] https://review.openstack.org/#/c/44349
>> [3] https://github.com/openstack/tempest/blob/master/tempest/api/network/test_security_groups.py
>> [4] https://github.com/openstack/tempest/blob/master/tempest/api/network/test_security_groups_negative.py
>>
>> On 05/11/2013 14:57, Simon Pasquier wrote:
>>> Hi all,
>>>
>>> I'm struggling with security groups on Havana with Neutron and OVS plugin (GRE tunnels). No problem to create/delete security group rules, but even though iptables configuration is updated, traffic to my instances is never filtered [0].
>>>
>>> I'm running DevStack on 2 nodes (1 controller + 1 compute):
>>> - OS: Ubuntu 12.04.3 (LTS) with the Havana cloud archive repository.
>>> - Open vSwitch package version: 1.10.2-0ubuntu2~cloud0
>>> - libvirt package version: 1.1.1-0ubuntu8~cloud2
>>> - localrc, nova.conf, neutron.conf and ovs_neutron_plugin.ini files pasted at [1] (I didn't modify any of these files after the DevStack run)
>>>
>>> According to [2], [3] and [4], iptables is not compatible with TAP devices connected directly to Open vSwitch ports; this is why there used to be the additional veth + bridge interfaces [5]. But in my setup, this is not the case anymore as shown in [6] ('ovs-vsctl show' + 'iptables-save' output). I've also pasted the libvirt XML configuration [7] that shows that the instance is directly connected to the Open vSwitch.
>>>
>>> Are the security groups supposed to work when the instance is directly connected to OVS? If yes, what am I doing wrong?
>>>
>>> Regards,
>>>
>>> [0] http://paste.openstack.org/show/50490/
>>> [1] http://paste.openstack.org/show/50448/
>>> [2] http://www.spinics.net/linux/fedora/libvirt-users/msg05384.html
>>> [3] http://openvswitch.org/pipermail/discuss/2013-October/011461.html
>>> [4] http://docs.openstack.org/havana/config-reference/content/under_the_hood_openvswitch.html
>>> [5] http://docs.openstack.org/havana/config-reference/content/figures/7/a/a/common/figures/under-the-hood-scenario-2-ovs-compute.png
>>> [6] http://paste.openstack.org/show/50486/
>>> [7] http://paste.openstack.org/show/50487/
>>
>> --
>> Simon Pasquier
>> Software Engineer
>> Bull, Architect of an Open World
>> Phone: + 33 4 76 29 71 49
>> http://www.bull.com
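The failure mode Simon describes (iptables rules are programmed for the port, yet nothing is filtered because the TAP is plugged straight into Open vSwitch rather than into the hybrid Linux bridge) can be spotted from two artifacts he already collected: the libvirt domain XML and an `iptables-save` dump. The script below is an added example written for this page, not code from the thread or from Nova/Neutron. It assumes the Havana shapes of both artifacts: a `<virtualport type='openvswitch'>` element marks an interface that libvirt attaches directly to the OVS bridge (what the non-hybrid VIF driver emits), while the hybrid driver produces a plain `<source bridge='qbr...'/>` with no virtualport; and Neutron's iptables firewall references the TAP through `-m physdev` matches, which only see frames crossing a Linux bridge. The domain XML, chain names and device names are constructed for the example.

```python
"""Added diagnostic (example code, not from the thread or from Nova/Neutron):
cross-check a libvirt domain XML against an iptables-save dump and report,
per instance TAP, whether Neutron's security-group rules can take effect.

Why it works: the iptables firewall driver matches frames with `-m physdev`,
which only fires for traffic crossing a Linux bridge. A TAP attached directly
to an Open vSwitch port never crosses one, so rules referencing it are
present in iptables but never hit. Sample inputs below are constructed.
"""
import re
import xml.etree.ElementTree as ET

# Constructed libvirt snippet: first interface is plugged straight into OVS
# (virtualport present), the other two go through a hybrid qbr bridge.
SAMPLE_DOMAIN_XML = """<domain type='kvm'>
  <name>instance-00000001</name>
  <devices>
    <interface type='bridge'>
      <source bridge='br-int'/>
      <virtualport type='openvswitch'>
        <parameters interfaceid='11111111-2222-3333-4444-555555555555'/>
      </virtualport>
      <target dev='tap11111111-22'/>
    </interface>
    <interface type='bridge'>
      <source bridge='qbr66666666-77'/>
      <target dev='tap66666666-77'/>
    </interface>
    <interface type='bridge'>
      <source bridge='qbr88888888-99'/>
      <target dev='tap88888888-99'/>
    </interface>
  </devices>
</domain>"""

# Constructed iptables-save excerpt in the style of Neutron's per-port chains;
# the third TAP deliberately has no rules at all.
SAMPLE_IPTABLES_SAVE = """*filter
:neutron-openvswi-FORWARD - [0:0]
:neutron-openvswi-i11111111-2 - [0:0]
:neutron-openvswi-i66666666-7 - [0:0]
-A neutron-openvswi-FORWARD -m physdev --physdev-out tap11111111-22 --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-out tap66666666-77 --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-i11111111-2 -j DROP
-A neutron-openvswi-i66666666-7 -p tcp -m tcp --dport 22 -j RETURN
-A neutron-openvswi-i66666666-7 -j DROP
COMMIT"""

# Device name following a physdev in/out match.
PHYSDEV_RE = re.compile(r"--physdev-(?:in|out)\s+(\S+)")


def parse_interfaces(domain_xml):
    """Return {tap_name: {"bridge": name, "ovs_direct": bool}} from libvirt XML.

    A <virtualport type='openvswitch'> child means libvirt plugs the TAP into
    the named OVS bridge itself; without it the TAP lands on a Linux bridge.
    """
    root = ET.fromstring(domain_xml)
    result = {}
    for iface in root.iter("interface"):
        target = iface.find("target")
        source = iface.find("source")
        if target is None or source is None:
            continue
        vport = iface.find("virtualport")
        ovs_direct = vport is not None and vport.get("type") == "openvswitch"
        result[target.get("dev")] = {"bridge": source.get("bridge"),
                                     "ovs_direct": ovs_direct}
    return result


def physdev_devices(iptables_save):
    """Set of device names referenced by physdev matches in an iptables dump."""
    return set(PHYSDEV_RE.findall(iptables_save))


def assess(domain_xml, iptables_save):
    """Map each TAP to 'enforced', 'rules-not-enforced' or 'no-rules'.

    'rules-not-enforced' is the thread's symptom: iptables was programmed for
    the port, but the port bypasses the Linux bridge the rules depend on.
    """
    devices = physdev_devices(iptables_save)
    verdict = {}
    for tap, info in parse_interfaces(domain_xml).items():
        if tap not in devices:
            verdict[tap] = "no-rules"
        elif info["ovs_direct"]:
            verdict[tap] = "rules-not-enforced"
        else:
            verdict[tap] = "enforced"
    return verdict


if __name__ == "__main__":
    for tap, state in sorted(assess(SAMPLE_DOMAIN_XML, SAMPLE_IPTABLES_SAVE).items()):
        print(f"{tap}: {state}")
```

On a real compute node, feed it `virsh dumpxml <instance>` and `iptables-save`; any TAP reported as `rules-not-enforced` is a port whose security group is silently ineffective, which is exactly what the `libvirt_vif_driver` setting discussed above decides: the hybrid driver yields the `qbr` shape, the direct OVS driver yields the `virtualport` shape.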