On Thu, Apr 4, 2019 at 2:04 PM Gianluca Cecchi <[email protected]> wrote:
>
> On Thu, Apr 4, 2019 at 12:07 PM Miguel Duarte de Mora Barroso
> <[email protected]> wrote:
>>
>> > Questions:
>> > - what is the role of the "Network port security" option for an OVN
>> > network?
>>
>> It means that newly created ports under that network will inherit the
>> port security value from the network - e.g. if the network's port
>> security attribute is active, so will the newly created port's port
>> security.
>>
>> Port security on a port means 2 things:
>> #1 - security group rules *will* apply to the VM having that port attached
>> #2 - only the specified mac address will be allowed to send/receive
>> through that port. MAC spoofing protection is applied.
>>
>> > - what is the meaning of "Undefined" option for it other than "Enabled"
>> > and "Disabled"?
>>
>> It means that the network will inherit the value from the provider's
>> configuration - you can check what it translates to in
>> /etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf
>
> Thanks for clarifications. Digging around RHV 4.2 vs 4.3beta docs I see now
> that "Network Port Security" will be also one of the new features for it.
> In 4.3 beta the third option is explicitly defined as "Inherited" (reflecting
> your explanation) and not "Undefined" as in current oVirt 4.3.2).
>
>> > - it seems I cannot edit the value for "Network port security" option of
>> > an existing OVN network, is it correct?
>>
>> You cannot do it *through the UI*. You can use ansible / REST api to
>> update the network - or ports - port_security_enabled value.
>>
>> I am working on creating a couple of playbooks for this; hopefully I
>> can provide those early next week. It would be helpful to agilize this
>> process.
>
> Indeed. Because in Openstack web mgmt interface all the settings related to
> security groups are simplified and intuitive, but here we have not...
> Also because it seems from rhv 4.3beta manual that creation of security
> groups themselves will not be possible through web gui...
>
>> There is a notion of 'default' group, that ensures connectivity to all
>> VMs whose ports belong to that group - and all ports with active port
>> security, by default do.
>>
>> I'm not sure how you reached that situation, but let's first make sure
>> of a couple of things; please provide the output of:
>> - ovn-nbctl list logical_switch_port # this will feature info of the
>> port security value, and of which groups the port belongs to - the
>> latter in the 'external_ids' column.
>> - ovn-nbctl list port_group # this is where the security groups are
>> stored; it has associations to the ACLs belonging to the group, and of
>> the ports that are using it
>> - ovn-nbctl list address_set # this is where the IPs per group are
>> stored. security groups are an L3 concept.
>>
>> A pastebin with the aforementioned info is welcome.
>
> See here:
> https://drive.google.com/file/d/1hgXMGttMgb0oaDEy5k6aWFdb01dYsjwq/view?usp=sharing

From the data you supply, everything looks as it should: both the ports are
members of the default port group, and both their IPs are featured in the ip4
address set.

Mind sharing the created ACLs? (which I'm quite positive will be the default
ones, but I just have to be sure). Can be done via "ovn-nbctl list acl".
With that I can check the ACLs assigned to the default group, and assure
they are correct.

> Gianluca

_______________________________________________
Users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives: https://lists.ovirt.org/archives/list/[email protected]/message/MLBMI2GVJPFJKCT52AQLIOGUOP3HLMGN/
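The three `ovn-nbctl list` tables named in the thread (logical_switch_port, port_group, address_set) can be cross-checked by hand, but the check is mechanical: every port whose port_security column is populated should be a member of the default group and have its IP in the group's address set, and any port with an empty port_security column has neither MAC-spoofing protection nor security-group ACLs applied. The script below is an added example, not code from the thread or from ovirt-provider-ovn; the sample records, UUIDs, port names, the group name "Default" and the address-set name "Default_ip4" are constructed assumptions, and the parser only relies on the `field : value`, blank-line-separated shape of `ovn-nbctl list` output.

```python
import re
from typing import Dict, List

# Constructed sample output in the shape of `ovn-nbctl list <table>` records.
# UUIDs, names and the group/address-set names are assumptions for this example.
SAMPLE_LSP = """\
_uuid               : 1a2b3c4d-0000-4000-8000-000000000001
addresses           : ["00:1a:4a:16:01:51 10.0.0.11"]
external_ids        : {}
name                : "vm1-nic1"
port_security       : ["00:1a:4a:16:01:51 10.0.0.11"]

_uuid               : 1a2b3c4d-0000-4000-8000-000000000002
addresses           : ["00:1a:4a:16:01:52 10.0.0.12"]
external_ids        : {}
name                : "vm2-nic1"
port_security       : ["00:1a:4a:16:01:52 10.0.0.12"]

_uuid               : 1a2b3c4d-0000-4000-8000-000000000003
addresses           : ["00:1a:4a:16:01:53 10.0.0.13"]
external_ids        : {}
name                : "vm3-nic1"
port_security       : []
"""

SAMPLE_PORT_GROUP = """\
_uuid               : 9f9f9f9f-0000-4000-8000-00000000aaaa
acls                : [9f9f9f9f-0000-4000-8000-00000000bbb1, 9f9f9f9f-0000-4000-8000-00000000bbb2]
external_ids        : {}
name                : "Default"
ports               : [1a2b3c4d-0000-4000-8000-000000000001, 1a2b3c4d-0000-4000-8000-000000000002]
"""

# vm2's IP is deliberately left out so the check has something to report.
SAMPLE_ADDRESS_SET = """\
_uuid               : 9f9f9f9f-0000-4000-8000-00000000cccc
addresses           : ["10.0.0.11"]
external_ids        : {}
name                : "Default_ip4"
"""

UUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")
IP_RE = re.compile(r"\d+\.\d+\.\d+\.\d+")
# port_security entries are "<mac> <ip>" strings; the IP part is optional in OVN.
MAC_IP_RE = re.compile(r"([0-9a-f]{2}(?::[0-9a-f]{2}){5})(?:\s+(\d+\.\d+\.\d+\.\d+))?")


def parse_nbctl_list(text: str) -> List[Dict[str, str]]:
    """Split `ovn-nbctl list` output into records of field -> raw value string."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def check_port_security(lsp_out: str, pg_out: str, as_out: str,
                        group_name: str, address_set_name: str) -> Dict[str, List[str]]:
    """Cross-check the three tables and classify every logical switch port."""
    groups = {r["name"].strip('"'): r for r in parse_nbctl_list(pg_out)}
    addr_sets = {r["name"].strip('"'): r for r in parse_nbctl_list(as_out)}
    group_ports = set(UUID_RE.findall(groups.get(group_name, {}).get("ports", "")))
    group_ips = set(IP_RE.findall(addr_sets.get(address_set_name, {}).get("addresses", "")))

    findings: Dict[str, List[str]] = {
        "ok": [], "unprotected": [], "missing_from_group": [], "ip_missing_from_address_set": []}
    for port in parse_nbctl_list(lsp_out):
        name = port["name"].strip('"')
        pairs = MAC_IP_RE.findall(port.get("port_security", ""))
        if not pairs:
            # Empty port_security: no MAC-spoofing protection, no group ACLs.
            findings["unprotected"].append(name)
            continue
        problems = False
        if port["_uuid"] not in group_ports:
            findings["missing_from_group"].append(name)
            problems = True
        ips = {ip for _mac, ip in pairs if ip}
        if not ips <= group_ips:
            findings["ip_missing_from_address_set"].append(name)
            problems = True
        if not problems:
            findings["ok"].append(name)
    return findings


if __name__ == "__main__":
    for kind, names in check_port_security(SAMPLE_LSP, SAMPLE_PORT_GROUP, SAMPLE_ADDRESS_SET,
                                           "Default", "Default_ip4").items():
        print(f"{kind}: {names}")
```

On a live host the three strings would come from `ovn-nbctl list logical_switch_port`, `ovn-nbctl list port_group` and `ovn-nbctl list address_set` respectively; a port in "unprotected" is one whose traffic bypasses both the MAC filter and the security-group ACLs, which is the first thing to look at when a VM is reachable (or unreachable) contrary to the group rules.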

