Re: [openstack-dev] [Openstack] [Neutron] Security groups issue when running latest libvirt?

2013-11-07 Thread Simon Pasquier

On 07/11/2013 03:18, Martinx - ジェームズ wrote:

That is true... Back to LibvirtHybridOVSBridgeDriver, Security Groups
is working again...


Thanks for the feedback Thiago. I've opened a bug on Launchpad:
https://bugs.launchpad.net/nova/+bug/1248859



On 6 November 2013 15:03, Simon Pasquier simon.pasqu...@bull.net wrote:

Answering myself as I investigated a little further and
cross-posting to openstack-dev because I'd like to get feedback from
Nova/Neutron devs.

Users running Havana should configure
libvirt_vif_driver=nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver.
This driver is still available in the Havana release although
deprecated. AFAIU, this is the only option if you want effective
security groups with KVM & OVS.

For people using the master branch of nova, sorry but security
groups are currently broken because LibvirtHybridOVSBridgeDriver is
gone ([0]). Joe Gordon asked the Neutron devs about it a few weeks ago
[1] but no answer and in another review [2], the conclusion was that
the Tempest tests passed with Neutron. However I don't see anywhere
in the tests ([3], [4]) that we check if the security rules
allow/block traffic.

It would be nice if core devs could confirm or refute.

Regards,

Simon

[0] https://review.openstack.org/#/c/49660/
[1] http://lists.openstack.org/pipermail/openstack-dev/2013-October/016886.html
[2] https://review.openstack.org/#/c/44349
[3] https://github.com/openstack/tempest/blob/master/tempest/api/network/test_security_groups.py
[4] https://github.com/openstack/tempest/blob/master/tempest/api/network/test_security_groups_negative.py

On 05/11/2013 14:57, Simon Pasquier wrote:

Hi all,

I'm struggling with security groups on Havana with Neutron and OVS
plugin (GRE tunnels). No problem to create/delete security group rules
but even though iptables configuration is updated, traffic to my
instances is never filtered [0].

I'm running DevStack on 2 nodes (1 controller + 1 compute):
- OS: Ubuntu 12.04.3 (LTS) with the Havana cloud archive repository.
- Open vSwitch package version: 1.10.2-0ubuntu2~cloud0
- libvirt package version: 1.1.1-0ubuntu8~cloud2
- localrc, nova.conf, neutron.conf and ovs_neutron_plugin.ini files
pasted at [1] (I didn't modify any of these files after the
DevStack run)

According to [2], [3] and [4], iptables is not compatible with TAP
devices connected directly to Open vSwitch ports, this is why there used
to be the additional veth + bridge interfaces [5]. But in my setup, this
is not the case anymore as shown in [6] ('ovs-vsctl show' +
'iptables-save' output). I've also pasted the libvirt XML configuration
[7] that shows that the instance is directly connected to the Open vSwitch.

Are the security groups supposed to work when the instance is directly
connected to OVS? If yes, what am I doing wrong?

Regards,

[0] http://paste.openstack.org/show/50490/
[1] http://paste.openstack.org/show/50448/
[2] http://www.spinics.net/linux/fedora/libvirt-users/msg05384.html
[3] http://openvswitch.org/pipermail/discuss/2013-October/011461.html
[4] http://docs.openstack.org/havana/config-reference/content/under_the_hood_openvswitch.html
[5] http://docs.openstack.org/havana/config-reference/content/figures/7/a/a/common/figures/under-the-hood-scenario-2-ovs-compute.png
[6] http://paste.openstack.org/show/50486/
[7] http://paste.openstack.org/show/50487/



--
Simon Pasquier
Software Engineer
Bull, Architect of an Open World
Phone: + 33 4 76 29 71 49
http://www.bull.com


Re: [openstack-dev] [Openstack] [Neutron] Security groups issue when running latest libvirt?

2013-11-06 Thread Simon Pasquier
Answering myself as I investigated a little further and cross-posting to 
openstack-dev because I'd like to get feedback from Nova/Neutron devs.


Users running Havana should configure 
libvirt_vif_driver=nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver.
This driver is still available in the Havana release although 
deprecated. AFAIU, this is the only option if you want effective 
security groups with KVM & OVS.


For people using the master branch of nova, sorry but security groups 
are currently broken because LibvirtHybridOVSBridgeDriver is gone ([0]). 
Joe Gordon asked the Neutron devs about it a few weeks ago [1] but no
answer and in another review [2], the conclusion was that the Tempest 
tests passed with Neutron. However I don't see anywhere in the tests 
([3], [4]) that we check if the security rules allow/block traffic.


It would be nice if core devs could confirm or refute.

Regards,

Simon

[0] https://review.openstack.org/#/c/49660/
[1] 
http://lists.openstack.org/pipermail/openstack-dev/2013-October/016886.html

[2] https://review.openstack.org/#/c/44349
[3] 
https://github.com/openstack/tempest/blob/master/tempest/api/network/test_security_groups.py
[4] 
https://github.com/openstack/tempest/blob/master/tempest/api/network/test_security_groups_negative.py


On 05/11/2013 14:57, Simon Pasquier wrote:

Hi all,

I'm struggling with security groups on Havana with Neutron and OVS
plugin (GRE tunnels). No problem to create/delete security group rules
but even though iptables configuration is updated, traffic to my
instances is never filtered [0].

I'm running DevStack on 2 nodes (1 controller + 1 compute):
- OS: Ubuntu 12.04.3 (LTS) with the Havana cloud archive repository.
- Open vSwitch package version: 1.10.2-0ubuntu2~cloud0
- libvirt package version: 1.1.1-0ubuntu8~cloud2
- localrc, nova.conf, neutron.conf and ovs_neutron_plugin.ini files
pasted at [1] (I didn't modify any of these files after the DevStack run)

According to [2], [3] and [4], iptables is not compatible with TAP
devices connected directly to Open vSwitch ports, this is why there used
to be the additional veth + bridge interfaces [5]. But in my setup, this
is not the case anymore as shown in [6] ('ovs-vsctl show' +
'iptables-save' output). I've also pasted the libvirt XML configuration
[7] that shows that the instance is directly connected to the Open vSwitch.

Are the security groups supposed to work when the instance is directly
connected to OVS? If yes, what am I doing wrong?

Regards,

[0] http://paste.openstack.org/show/50490/
[1] http://paste.openstack.org/show/50448/
[2] http://www.spinics.net/linux/fedora/libvirt-users/msg05384.html
[3] http://openvswitch.org/pipermail/discuss/2013-October/011461.html
[4] http://docs.openstack.org/havana/config-reference/content/under_the_hood_openvswitch.html

[5] http://docs.openstack.org/havana/config-reference/content/figures/7/a/a/common/figures/under-the-hood-scenario-2-ovs-compute.png

[6] http://paste.openstack.org/show/50486/
[7] http://paste.openstack.org/show/50487/




___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
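A check a compute-node operator could run to catch the failure mode this thread describes, written here as an added example and not code from the thread, Nova or Neutron: the security-group rules match with iptables' physdev module, which only sees frames crossing a Linux bridge, so a tap plugged straight into OVS has rules installed yet is never filtered. The `ovs-vsctl show`, sysfs bridge listing and `iptables-save` excerpts are constructed samples, and the `neutron-openvswi-` chain names are assumed for illustration.

```python
"""Added check: find tap devices that Neutron's iptables security-group rules
expect on a Linux bridge but that are plugged straight into Open vSwitch."""
import re

# Constructed sample of `ovs-vsctl show` on a compute node (not the paste in
# the thread): one tap directly on br-int, one hybrid port via a qvo veth.
OVS_SHOW = """\
    Bridge br-int
        Port "tap1a2b3c4d-5e"
            Interface "tap1a2b3c4d-5e"
        Port "qvo6f7a8b9c-0d"
            Interface "qvo6f7a8b9c-0d"
"""
# Constructed Linux-bridge membership, as listed by `ls /sys/class/net/*/brif/*`.
BRIF_PATHS = [
    "/sys/class/net/qbr6f7a8b9c-0d/brif/qvb6f7a8b9c-0d",
    "/sys/class/net/qbr6f7a8b9c-0d/brif/tap6f7a8b9c-0d",
]
# Constructed `iptables-save` excerpt; chain names are assumed, the physdev
# matches on the tap devices are the part that matters.
IPTABLES_SAVE = """\
*filter
-A FORWARD -j neutron-openvswi-FORWARD
-A neutron-openvswi-FORWARD -m physdev --physdev-out tap1a2b3c4d-5e --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-in tap1a2b3c4d-5e --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-out tap6f7a8b9c-0d --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-in tap6f7a8b9c-0d --physdev-is-bridged -j neutron-openvswi-sg-chain
COMMIT
"""

def physdev_devices(iptables_save):
    """Devices the security-group rules match on via -m physdev."""
    return set(re.findall(r"--physdev-(?:in|out)\s+(\S+)", iptables_save))

def ovs_interfaces(ovs_show):
    """Interfaces attached to any OVS bridge."""
    return set(re.findall(r'^\s*Interface "([^"]+)"', ovs_show, re.M))

def bridge_members(brif_paths):
    """Map interface -> Linux bridge it is enslaved to (sysfs brif layout)."""
    return {p.split("/")[-1]: p.split("/")[4] for p in brif_paths}

def audit(iptables_save, ovs_show, brif_paths):
    """Per referenced device: 'filtered' (on a Linux bridge, physdev can match),
    'unfiltered' (directly on OVS, physdev never matches) or 'missing'."""
    members, on_ovs = bridge_members(brif_paths), ovs_interfaces(ovs_show)
    return {dev: "filtered" if dev in members
            else "unfiltered" if dev in on_ovs else "missing"
            for dev in physdev_devices(iptables_save)}

if __name__ == "__main__":
    for dev, state in sorted(audit(IPTABLES_SAVE, OVS_SHOW, BRIF_PATHS).items()):
        print("%-16s %s" % (dev, state))
```

On a real node, replace the three constructed inputs with the output of the commands named in the comments; any 'unfiltered' entry is an instance whose security group rules exist but cannot take effect.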


Re: [openstack-dev] [Openstack] [Neutron] Security groups issue when running latest libvirt?

2013-11-06 Thread Martinx - ジェームズ
That is true... Back to LibvirtHybridOVSBridgeDriver, Security Groups is
working again...


On 6 November 2013 15:03, Simon Pasquier simon.pasqu...@bull.net wrote:

 Answering myself as I investigated a little further and cross-posting to
 openstack-dev because I'd like to get feedback from Nova/Neutron devs.

 Users running Havana should configure
 libvirt_vif_driver=nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver.
 This driver is still available in the Havana release although deprecated.
 AFAIU, this is the only option if you want effective security groups with
 KVM & OVS.

 For people using the master branch of nova, sorry but security groups are
 currently broken because LibvirtHybridOVSBridgeDriver is gone ([0]). Joe
 Gordon asked the Neutron devs about it a few weeks ago [1] but no answer and
 in another review [2], the conclusion was that the Tempest tests passed
 with Neutron. However I don't see anywhere in the tests ([3], [4]) that we
 check if the security rules allow/block traffic.

 It would be nice if core devs could confirm or refute.

 Regards,

 Simon

 [0] https://review.openstack.org/#/c/49660/
 [1] http://lists.openstack.org/pipermail/openstack-dev/2013-October/016886.html
 [2] https://review.openstack.org/#/c/44349
 [3] https://github.com/openstack/tempest/blob/master/tempest/api/network/test_security_groups.py
 [4] https://github.com/openstack/tempest/blob/master/tempest/api/network/test_security_groups_negative.py

 On 05/11/2013 14:57, Simon Pasquier wrote:

  Hi all,

 I'm struggling with security groups on Havana with Neutron and OVS
 plugin (GRE tunnels). No problem to create/delete security group rules
 but even though iptables configuration is updated, traffic to my
 instances is never filtered [0].

 I'm running DevStack on 2 nodes (1 controller + 1 compute):
 - OS: Ubuntu 12.04.3 (LTS) with the Havana cloud archive repository.
 - Open vSwitch package version: 1.10.2-0ubuntu2~cloud0
 - libvirt package version: 1.1.1-0ubuntu8~cloud2
 - localrc, nova.conf, neutron.conf and ovs_neutron_plugin.ini files
 pasted at [1] (I didn't modify any of these files after the DevStack run)

 According to [2], [3] and [4], iptables is not compatible with TAP
 devices connected directly to Open vSwitch ports, this is why there used
 to be the additional veth + bridge interfaces [5]. But in my setup, this
 is not the case anymore as shown in [6] ('ovs-vsctl show' +
 'iptables-save' output). I've also pasted the libvirt XML configuration
 [7] that shows that the instance is directly connected to the Open
 vSwitch.

 Are the security groups supposed to work when the instance is directly
 connected to OVS? If yes, what am I doing wrong?

 Regards,

 [0] http://paste.openstack.org/show/50490/
 [1] http://paste.openstack.org/show/50448/
 [2] http://www.spinics.net/linux/fedora/libvirt-users/msg05384.html
 [3] http://openvswitch.org/pipermail/discuss/2013-October/011461.html
 [4] http://docs.openstack.org/havana/config-reference/content/under_the_hood_openvswitch.html

 [5] http://docs.openstack.org/havana/config-reference/content/figures/7/a/a/common/figures/under-the-hood-scenario-2-ovs-compute.png

 [6] http://paste.openstack.org/show/50486/
 [7] http://paste.openstack.org/show/50487/




 ___
 Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
 Post to : openst...@lists.openstack.org
 Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
