Re: [Openstack] quantum l2 networks
Hi Aaron,

I set the following in nova.conf:

security_group_api=quantum
firewall_driver=nova.virt.firewall.NoopFirewallDriver

It works, but when I try to attach a security group to an existing VM, the API throws an error:

Network requires port_security_enabled and subnet associated in order to apply security groups.

Then I added port_security_enabled in quantum.conf on all nodes:

port_security_enabled=True

With no luck, it still doesn't work. Any advice? Does the quantum security group support this feature?

Daniels Cai
http://dnscai.com

2013/6/8 Aaron Rosen aro...@nicira.com:
> Hi Joe,
> I thought setting firewall_driver = quantum.agent.firewall.NoopFirewallDriver would do the trick? Also, the ovs plugin does not do any mac spoof filtering at the OVS level. Those are all done in iptables.
> Aaron

___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help : https://help.launchpad.net/ListHelp
Re: [Openstack] quantum l2 networks
There is no port_security_enabled config option. This is an attribute on a port that is used if the plugin you are using implements the port_security_extension (which is only nvp at the time). I'm guessing your issue is the network you are trying to boot an instance on does not have a subnet associated with it.

Aaron

On Sat, Jun 8, 2013 at 12:37 AM, daniels cai danx...@gmail.com wrote:
> I set the following in nova.conf:
> security_group_api=quantum
> firewall_driver=nova.virt.firewall.NoopFirewallDriver
> It works, but when I try to attach a security group to an existing VM, the API throws an error:
> Network requires port_security_enabled and subnet associated in order to apply security groups.
> Then I added port_security_enabled=True in quantum.conf on all nodes, with no luck, it still doesn't work.
> Any advice? Does the quantum security group support this feature?
Re: [Openstack] quantum l2 networks
Aaron, thanks for your answers, I see it. We are not using nvp in our environment yet.

My VM is booted with a subnet_id specified, I am sure about it. Here is more info:

The VM has IP 192.168.6.100; this IP belongs to subnet 83afd693-7e36-41e9-b896-9d8b0d89d255; this subnet belongs to network iaas-net, network id 5332f0f7-3156-4961-aa67-0b8507265fa5.

# nova list
| 24891d97-8d0e-4e99-9537-c8f8291913d0 | ubuntu-1304-server-amd64 | ACTIVE | iaas-net=192.168.6.100 |

Here is the quantum network info:

# quantum net-list
+--------------------------------------+----------+-------------------------------------------------------+
| id                                   | name     | subnets                                               |
+--------------------------------------+----------+-------------------------------------------------------+
| 5332f0f7-3156-4961-aa67-0b8507265fa5 | iaas-net | 329ca377-6193-4a0c-9320-471cd5ff762f 192.168.202.0/24 |
|                                      |          | 83afd693-7e36-41e9-b896-9d8b0d89d255 192.168.6.0/24   |
|                                      |          | bb1afb2d-ab59-4ba4-8a76-8b5b426b8e33 192.168.7.0/24   |
|                                      |          | d59794df-bb49-4924-a19f-cbdec0ce24df 192.168.188.0/24 |
|                                      |          | dca45033-e506-42e4-bf05-aaccd0591c55 192.168.193.0/24 |
|                                      |          | e8a9be74-2f39-4d7e-9287-c5b85b573cca 192.168.192.0/24 |
+--------------------------------------+----------+-------------------------------------------------------+

I enabled the following features in quantum:
1. namespace
2. overlap ips

If any more info is needed for debugging, I will attach it.

Daniels Cai
http://dnscai.com

2013/6/8 Aaron Rosen aro...@nicira.com:
> There is no port_security_enabled config option. This is an attribute on a port that is used if the plugin you are using implements the port_security_extension (which is only nvp at the time). I'm guessing your issue is the network you are trying to boot an instance on does not have a subnet associated with it.
> Aaron
Re: [Openstack] quantum l2 networks
You said:

> it works, but when i try to attach a security group to an exist vm , api throw an error :
> Network requires port_security_enabled and subnet associated in order to apply security groups.

What command are you running to generate that error?

On Sat, Jun 8, 2013 at 1:45 AM, daniels cai danx...@gmail.com wrote:
> Aaron, thanks for your answers, I see it. We are not using nvp in our environment yet.
> My VM is booted with a subnet_id specified, I am sure about it. The VM has IP 192.168.6.100; this IP belongs to subnet 83afd693-7e36-41e9-b896-9d8b0d89d255; this subnet belongs to network iaas-net, network id 5332f0f7-3156-4961-aa67-0b8507265fa5.
> I enabled the following features in quantum: 1. namespace 2. overlap ips
> If any more info is needed for debugging, I will attach it.
Re: [Openstack] quantum l2 networks
# nova add-secgroup 24891d97-8d0e-4e99-9537-c8f8291913d0 d11
ERROR: Network requires port_security_enabled and subnet associated in order to apply security groups. (HTTP 400) (Request-ID: req-94cb2d54-858b-4843-af53-b373c88bcdc0)

The security group exists:

# quantum security-group-list
+--------------------------------------+---------+------------------+
| id                                   | name    | description      |
+--------------------------------------+---------+------------------+
| 0acc8258-bd9f-4f87-b051-a94dbc1504eb | default | default          |
| 5902febc-e793-4b09-8073-567226d83d79 | d11     | des for firewall |
+--------------------------------------+---------+------------------+

Daniels Cai
http://dnscai.com

2013/6/8 Aaron Rosen aro...@nicira.com:
> You said:
> > it works, but when i try to attach a security group to an exist vm , api throw an error :
> > Network requires port_security_enabled and subnet associated in order to apply security groups.
> What command are you running to generate that error?
Re: [Openstack] quantum l2 networks
Hi Daniel,

Thanks for finding this! This is a bug. The code wasn't accounting if the plugin didn't implement port_security_enabled. Here's a patch that fixes the issue in the meantime.

Best,

Aaron

--- a/nova/network/security_group/quantum_driver.py
+++ b/nova/network/security_group/quantum_driver.py
@@ -340,8 +340,9 @@ class SecurityGroupAPI(security_group_base.SecurityGroupBase):
         has_ip = port.get('fixed_ips')
         if port_security_enabled and has_ip:
             return True
-        else:
-            return False
+        elif 'port_security_enabled' not in port and has_ip:
+            return True
+        return False
 
     @wrap_check_security_groups_policy
     def add_to_instance(self, context, instance, security_group_name):

On Sat, Jun 8, 2013 at 2:14 AM, daniels cai danx...@gmail.com wrote:
> # nova add-secgroup 24891d97-8d0e-4e99-9537-c8f8291913d0 d11
> ERROR: Network requires port_security_enabled and subnet associated in order to apply security groups. (HTTP 400) (Request-ID: req-94cb2d54-858b-4843-af53-b373c88bcdc0)
> The security group exists.
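Review bot: the added elif branch makes a port that simply lacks the 'port_security_enabled' key eligible, which is the right default for plugins without the port_security extension, but the three-branch form can be collapsed to a single expression that states that intent directly, e.g. `return bool(has_ip) and port.get('port_security_enabled', True)`, which keeps an explicit False blocking and removes the duplicated `return True`. The 400 message quoted below the hunk ("Network requires port_security_enabled and subnet associated") will still be shown to operators of plugins that never expose that attribute, which is exactly what sent this thread down the quantum.conf dead end; consider wording it around the missing subnet when the key is absent, and add a unit test with a port dict that has fixed_ips but no 'port_security_enabled' key so this path stays covered.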
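The eligibility check Aaron describes, modelled on constructed port dicts from a plugin with the port_security extension (nvp) and one without it (OVS), as an added example that is not nova's code; the pre-patch and patched predicates follow the hunk above, the one-line form and the port samples are this example's own assumptions.

```python
"""Added example, not nova's own code: how the security-group eligibility
check behaves for ports from plugins with and without the port_security
extension.  Port dicts below are constructed samples, not real API output."""

# A port from a plugin that implements the port_security extension (nvp)
# carries the attribute explicitly; other plugins (e.g. OVS) omit the key.
PORT_NVP_ENABLED = {"id": "p1", "port_security_enabled": True,
                    "fixed_ips": [{"subnet_id": "s1", "ip_address": "192.168.6.100"}]}
PORT_NVP_DISABLED = {"id": "p2", "port_security_enabled": False,
                     "fixed_ips": [{"subnet_id": "s1", "ip_address": "192.168.6.101"}]}
PORT_OVS_WITH_IP = {"id": "p3",
                    "fixed_ips": [{"subnet_id": "s1", "ip_address": "192.168.6.102"}]}
PORT_OVS_NO_IP = {"id": "p4", "fixed_ips": []}  # port on a network with no subnet

ALL_PORTS = [PORT_NVP_ENABLED, PORT_NVP_DISABLED, PORT_OVS_WITH_IP, PORT_OVS_NO_IP]


def requirements_before_patch(port):
    """Pre-patch logic (the '-' side of the hunk): only an explicit True passes,
    so a port from a plugin without the extension can never get a security group."""
    port_security_enabled = port.get("port_security_enabled")  # assumed to sit just above the hunk
    has_ip = port.get("fixed_ips")
    if port_security_enabled and has_ip:
        return True
    else:
        return False


def requirements_after_patch(port):
    """Patched logic (the '+' side of the hunk): an absent attribute means the
    plugin has no port_security extension, so only the fixed IP is required."""
    port_security_enabled = port.get("port_security_enabled")
    has_ip = port.get("fixed_ips")
    if port_security_enabled and has_ip:
        return True
    elif "port_security_enabled" not in port and has_ip:
        return True
    return False


def requirements_simplified(port):
    """Equivalent one-liner (this example's suggestion): default the missing key
    to True, keep an explicit False blocking, and still require a fixed IP."""
    return bool(port.get("fixed_ips")) and bool(port.get("port_security_enabled", True))


def compare(ports):
    """Map port id -> (before, after, simplified) so the three predicates can be
    checked side by side; 'after' and 'simplified' must agree on every port."""
    return {p["id"]: (requirements_before_patch(p),
                      requirements_after_patch(p),
                      requirements_simplified(p)) for p in ports}


if __name__ == "__main__":
    for port_id, result in compare(ALL_PORTS).items():
        print(port_id, result)
```

The OVS port with an IP (p3) is the case from this thread: rejected before the patch, accepted after it, while a port with no fixed IP (p4) is still rejected because the iptables rules need an address to match on.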
Re: [Openstack] quantum l2 networks
Hi Aaron,

Thanks for the response. It looks like it is the nwfilters in nova-compute that are making this a pain for me.

On Jun 7, 2013, at 11:11 PM, Aaron Rosen wrote:
> Hi Joe,
> I thought setting firewall_driver = quantum.agent.firewall.NoopFirewallDriver would do the trick? Also, the ovs plugin does not do any mac spoof filtering at the OVS level. Those are all done in iptables.
> Aaron
Re: [Openstack] quantum l2 networks
Setting this in nova.conf should disable that, but then your security groups won't work:

firewall_driver = nova.virt.firewall.NoopFirewallDriver

On Sat, Jun 8, 2013 at 12:01 PM, Joe Breu joseph.b...@rackspace.com wrote:
> Hi Aaron,
> Thanks for the response. It looks like it is the nwfilters in nova-compute that are making this a pain for me.
Re: [Openstack] quantum l2 networks
Hi Joe,

I thought setting firewall_driver = quantum.agent.firewall.NoopFirewallDriver would do the trick? Also, the ovs plugin does not do any mac spoof filtering at the OVS level. Those are all done in iptables.

Aaron

On Fri, Jun 7, 2013 at 8:22 PM, Joe Breu joseph.b...@rackspace.com wrote:
> Hello,
> Is there a way to create a quantum l2 network using OVS that does not have MAC and IP spoofing enabled either in iptables or OVS? One workaround that we found was to set the OVS plugin firewall_driver = quantum.agent.firewall.NoopFirewallDriver to security_group_api=nova however this is far from ideal and doesn't solve the problem of MAC spoof filtering at the OVS level.
> Thanks for any help