Hi Gianluca,

First off, sorry for the late reply, been very busy this past week.
Regarding the lack of security group support on oVirt, I agree it's
unfortunate. Please take a look at this repo [0]; you'll find playbooks to
update the port's / network's port security, security groups, and a couple of
examples on how to create new security groups and rules via ansible. You can
follow the README, it features all the information you need to install the
requirements and use the playbooks. Comments are welcome.

You can find answers to your questions inline.

[0] - https://github.com/maiqueb/ovirt-security-groups-demo/

On Fri, Apr 5, 2019 at 10:25 AM Gianluca Cecchi <gianluca.cec...@gmail.com> wrote:
>
> On Fri, Apr 5, 2019 at 9:56 AM Miguel Duarte de Mora Barroso
> <mdbarr...@redhat.com> wrote:
>>
>> Mind sharing the created ACLs ? (which I'm quite positive will be the
>> default ones, but I just have to be sure). Can be done via "ovn-nbctl
>> list acl" . With that I can check the ACLs assigned to the default
>> group, and assure they are correct.
>>
>
> The question is: previous networks (in the sense of already existing before
> the port security feature had been introduced in 4.3) seem to have inherited
> the "Enabled" option and this prevents communication between VMs on the same
> OVN network.
> Is this expected?

Previous networks are unchanged; nothing updates any of those during the
upgrade. Now, newly created ports on existing networks *will* inherit the
value from the configuration - since the network itself doesn't have the port
security attribute set.

Can you share what's the current port-security-enabled value on your
configuration ? (/etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf)

> Otherwise other people in 4.2 using OVN will have the same problem migrating
> to 4.3
> If I create now in 4.3.2 a new OVN based network, if I select "Create an
> external provider", I get as default "ovirt-provider-ovn" as External
> Provider and "Enabled" as Network Port Security. Is this expected?

Yes.

> Is it expected that a new OVN network with default values (Enabled port
> security) is made so that by default 2 VMs don't communicate if I don't set a
> special security group rule (that at this moment requires REST API)?

No, the exact purpose of the default group is for the VMs to communicate out
of the box.

The ACLs you provide match all the ACLs present on the port groups you've
previously shared, and from my perspective your VMs should be able to
communicate.

Could you share the output of 'ovs-ofctl dump-flows br-int' on the ovirt node
where your VMs are located ? That could indicate why the packets are being
dropped. Please provide that in a pastebin (this email is already hard to
follow).

A further question: your cluster switch type is ovs, right? This would only
matter if your VMs run in different nodes, but hey, best to get that sorted
out early.

Lastly, are your VMs able to receive an IP address via dhcp ?

> As far as ACLs currently in place are concerned, here they are for my current
> environment.
>
> [root@ovmgr1 ~]# ovn-nbctl list acl
> _uuid               : 239f0fa4-a66e-4cce-8df2-05630f11e052
> action              : drop
> direction           : to-lport
> external_ids        : {description="drop all ingress ip traffic", ovirt_port_group_id="79d3d3a0-7a57-4903-8646-f678ea53aeca"}
> log                 : false
> match               : "outport == @DropAll && ip"
> meter               : []
> name                : ""
> priority            : 1000
> severity            : alert
>
> _uuid               : 141aa336-0549-47d0-b09f-c2cb0dd78dd2
> action              : allow-related
> direction           : from-lport
> external_ids        : {description="automatically added allow all egress ip traffic", ovirt_ethertype="IPv4", ovirt_port_group_id="1fd8cacf-35cf-4aa3-b245-fec9c2e6e616"}
> log                 : false
> match               : "inport == @Default && ip4"
> meter               : []
> name                : ""
> priority            : 1001
> severity            : alert
>
> _uuid               : ac7d5a16-a596-43dc-88ec-e9d47512e7ce
> action              : drop
> direction           : from-lport
> external_ids        : {description="drop all egress ip traffic", ovirt_port_group_id="79d3d3a0-7a57-4903-8646-f678ea53aeca"}
> log                 : false
> match               : "inport == @DropAll && ip"
> meter               : []
> name                : ""
> priority            : 1000
> severity            : alert
>
> _uuid               : ef7f32f2-8b78-433f-a831-0e801c9d8b3e
> action              : allow-related
> direction           : to-lport
> external_ids        : {ovirt_ethertype="IPv4", ovirt_port_group_id="1fd8cacf-35cf-4aa3-b245-fec9c2e6e616", ovirt_remote_group_id="1fd8cacf-35cf-4aa3-b245-fec9c2e6e616"}
> log                 : false
> match               : "outport == @Default && ip4 && ip4.src == $pg_ip4_Default"
> meter               : []
> name                : ""
> priority            : 1001
> severity            : alert
>
> _uuid               : 70c7114b-1be6-49c1-9bbd-966c52751e79
> action              : allow-related
> direction           : from-lport
> external_ids        : {description="automatically added allow all egress ip traffic", ovirt_ethertype="IPv6", ovirt_port_group_id="1fd8cacf-35cf-4aa3-b245-fec9c2e6e616"}
> log                 : false
> match               : "inport == @Default && ip6"
> meter               : []
> name                : ""
> priority            : 1001
> severity            : alert
>
> _uuid               : 264111cf-4f66-4b4c-b3c9-693bbca53a70
> action              : allow-related
> direction           : to-lport
> external_ids        : {ovirt_ethertype="IPv6", ovirt_port_group_id="1fd8cacf-35cf-4aa3-b245-fec9c2e6e616", ovirt_remote_group_id="1fd8cacf-35cf-4aa3-b245-fec9c2e6e616"}
> log                 : false
> match               : "outport == @Default && ip6 && ip6.src == $pg_ip6_Default"
> meter               : []
> name                : ""
> priority            : 1001
> severity            : alert
> [root@ovmgr1 ~]#
>
> Gianluca

_______________________________________________
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/ZIJGLRSGU3MMH5KJI56OAURWWYGQXLYW/
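Added example, not part of the thread and not ovirt-provider-ovn code: a small Python script that parses text in the shape of the `ovn-nbctl list acl` listing above and replays OVN's ACL evaluation for one logical port. It makes concrete why the posted ACLs should let two VMs in @Default talk (the 1001 allow-related rules outrank the 1000 DropAll drops) while still dropping unsolicited ingress from a source outside @Default. Assumptions not stated on the page: a port with port security enabled is a member of both @DropAll and @Default; the address set $pg_ip4_Default holds the IPv4 addresses of @Default members; the sample text is constructed to mirror the four IPv4 records in the thread; and only the match atoms those rules use are understood. Rule selection follows ovn-nb(5): the highest-priority matching ACL decides, and a packet no ACL matches is allowed.

```python
"""Replay OVN ACL evaluation for one logical port from `ovn-nbctl list acl` text.

Added example for this thread, not ovirt-provider-ovn code. Assumptions: a port
with port security enabled sits in both @DropAll and @Default, and the address
set $pg_ip4_Default holds the IPv4 addresses of @Default members. Per ovn-nb(5)
the highest-priority matching ACL decides, and an unmatched packet is allowed.
"""
import re

# Constructed sample mirroring the four IPv4 ACLs in the thread (the IPv6 pair
# has the same shape; log/meter/name/severity columns dropped). The first
# external_ids is wrapped over two lines, as the mail client wrapped it.
SAMPLE_ACLS = """\
action              : drop
direction           : to-lport
external_ids        : {description="drop all ingress ip traffic",
ovirt_port_group_id="79d3d3a0-7a57-4903-8646-f678ea53aeca"}
match               : "outport == @DropAll && ip"
priority            : 1000

action              : allow-related
direction           : from-lport
match               : "inport == @Default && ip4"
priority            : 1001

action              : drop
direction           : from-lport
match               : "inport == @DropAll && ip"
priority            : 1000

action              : allow-related
direction           : to-lport
match               : "outport == @Default && ip4 && ip4.src == $pg_ip4_Default"
priority            : 1001
"""

def parse_ovn_list(text):
    """One dict per record. A line that is not `column : value` continues the
    previous value, so `> `-quoted text pasted from a mail parses as well."""
    records, rec, key = [], {}, None
    for raw in text.splitlines():
        line = raw.lstrip("> ")
        if not line:
            if rec:
                records.append(rec)
            rec, key = {}, None
            continue
        m = re.match(r"^(\w+)\s*:\s*(.*)$", line)
        if m:
            key = m.group(1)
            rec[key] = m.group(2).strip()
        elif key:
            rec[key] += " " + line.strip()
    if rec:
        records.append(rec)
    return records

def atom_matches(atom, port_groups, pkt):
    """Evaluate one `&&`-conjunct for a port in `port_groups` and a packet
    {"ethertype": "ip4"|"ip6", "src_sets": address sets holding its source}."""
    atom = atom.strip()
    m = re.fullmatch(r"(inport|outport)\s*==\s*@(\w+)", atom)
    if m:
        return m.group(2) in port_groups
    if atom == "ip":
        return pkt["ethertype"] in ("ip4", "ip6")
    if atom in ("ip4", "ip6"):
        return pkt["ethertype"] == atom
    m = re.fullmatch(r"(ip4|ip6)\.src\s*==\s*\$(\w+)", atom)
    if m:
        return pkt["ethertype"] == m.group(1) and m.group(2) in pkt["src_sets"]
    raise ValueError("unsupported match atom: %r" % atom)

def acl_decision(records, direction, port_groups, pkt):
    """(action, match) of the highest-priority matching ACL in `direction`,
    or ("allow", None) when nothing matches."""
    hits = []
    for rec in records:
        if rec.get("direction") != direction:
            continue
        expr = rec["match"].strip('"')
        if all(atom_matches(a, port_groups, pkt) for a in expr.split("&&")):
            hits.append((int(rec["priority"]), rec["action"], expr))
    if not hits:
        return "allow", None
    _, action, expr = max(hits, key=lambda h: h[0])
    return action, expr

def port_report(records, port_groups=("DropAll", "Default")):
    """IPv4 decisions for a port in `port_groups`: egress, ingress from another
    @Default member, ingress from outside @Default. () = port security off."""
    groups = set(port_groups)
    member = {"ethertype": "ip4", "src_sets": {"pg_ip4_Default"}}
    outsider = {"ethertype": "ip4", "src_sets": set()}
    return {
        "egress": acl_decision(records, "from-lport", groups, member)[0],
        "ingress_from_member": acl_decision(records, "to-lport", groups, member)[0],
        "ingress_from_outsider": acl_decision(records, "to-lport", groups, outsider)[0],
    }
```

On a saved `ovn-nbctl list acl` dump, `port_report(parse_ovn_list(open(path).read()))` gives allow-related / allow-related / drop for a secured port and allow everywhere for `port_groups=()`. The group membership is an input to this model, not something it reads from the database, so confirm it with `ovn-nbctl list Port_Group` before trusting the verdict; and as the reply above notes, matching ACLs only say what the northbound intent is, so a drop that the ACLs do not explain has to be chased in `ovs-ofctl dump-flows br-int` on the node.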