On 07/11/2013 03:18, Martinx - ジェームズ wrote:
That is true... Back to "LibvirtHybridOVSBridgeDriver", Security Groups
are working again...

Thanks for the feedback Thiago. I've opened a bug on Launchpad:
https://bugs.launchpad.net/nova/+bug/1248859


On 6 November 2013 15:03, Simon Pasquier <simon.pasqu...@bull.net> wrote:

    Answering myself as I investigated a little further and
    cross-posting to openstack-dev because I'd like to get feedback from
    Nova/Neutron devs.

    Users running Havana should configure
    libvirt_vif_driver=nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver.
    This driver is still available in the Havana release although
    deprecated. AFAIU, this is the only option if you want effective
    security groups with KVM & OVS.

    For people using the master branch of nova, sorry but security
    groups are currently broken because LibvirtHybridOVSBridgeDriver is
    gone ([0]). Joe Gordon asked the Neutron devs about it a few weeks ago
    [1] but got no answer, and in another review [2] the conclusion was that
    the Tempest tests passed with Neutron. However, I don't see anywhere
    in the tests ([3], [4]) that we check whether the security rules
    allow/block traffic.

    It would be nice if core devs could confirm or refute.

    Regards,

    Simon

    [0] https://review.openstack.org/#/c/49660/
    [1] http://lists.openstack.org/pipermail/openstack-dev/2013-October/016886.html
    [2] https://review.openstack.org/#/c/44349
    [3] https://github.com/openstack/tempest/blob/master/tempest/api/network/test_security_groups.py
    [4] https://github.com/openstack/tempest/blob/master/tempest/api/network/test_security_groups_negative.py

    On 05/11/2013 14:57, Simon Pasquier wrote:

        Hi all,

        I'm struggling with security groups on Havana with Neutron and OVS
        plugin (GRE tunnels). No problem to create/delete security group rules,
        but even though the iptables configuration is updated, traffic to my
        instances is never filtered [0].

        I'm running DevStack on 2 nodes (1 controller + 1 compute):
        - OS: Ubuntu 12.04.3 (LTS) with the Havana cloud archive repository.
        - Open vSwitch package version: 1.10.2-0ubuntu2~cloud0
        - libvirt package version: 1.1.1-0ubuntu8~cloud2
        - localrc, nova.conf, neutron.conf and ovs_neutron_plugin.ini files
        pasted at [1] (I didn't modify any of these files after the
        DevStack run)

        According to [2], [3] and [4], iptables is not compatible with TAP
        devices connected directly to Open vSwitch ports, which is why there
        used to be the additional veth + bridge interfaces [5]. But in my
        setup, this is not the case anymore, as shown in [6] ('ovs-vsctl show' +
        'iptables-save' output). I've also pasted the libvirt XML configuration
        [7], which shows that the instance is directly connected to the
        Open vSwitch.

        Are the security groups supposed to work when the instance is directly
        connected to OVS? If yes, what am I doing wrong?

        Regards,

        [0] http://paste.openstack.org/show/50490/
        [1] http://paste.openstack.org/show/50448/
        [2] http://www.spinics.net/linux/fedora/libvirt-users/msg05384.html
        [3] http://openvswitch.org/pipermail/discuss/2013-October/011461.html
        [4] http://docs.openstack.org/havana/config-reference/content/under_the_hood_openvswitch.html
        [5] http://docs.openstack.org/havana/config-reference/content/figures/7/a/a/common/figures/under-the-hood-scenario-2-ovs-compute.png
        [6] http://paste.openstack.org/show/50486/
        [7] http://paste.openstack.org/show/50487/



    --
    Simon Pasquier
    Software Engineer
    Bull, Architect of an Open World
    Phone: + 33 4 76 29 71 49
    http://www.bull.com

    _______________________________________________
    Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
    Post to     : openst...@lists.openstack.org
    Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack




--
Simon Pasquier
Software Engineer
Bull, Architect of an Open World
Phone: + 33 4 76 29 71 49
http://www.bull.com
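Added example, not part of the thread: a small shell check that tells, from `ovs-vsctl show` and `iptables-save` output, whether an instance port is plugged in the hybrid layout (qvo veth on br-int, tap on a qbr Linux bridge, where physdev iptables rules can apply) or straight into br-int (where those rules never see the traffic, which is the symptom described above). The port id, device names and both command outputs are constructed samples embedded inline so it runs offline; on a compute node you would feed it the real command output.

```shell
#!/bin/sh
# Added example (not from the thread). Classifies how a Neutron port is plugged into
# OVS and counts the physdev iptables rules referencing its tap device.
# PORT and all command output below are constructed samples, not real node data.

PORT=ab12cd34-ef   # port-id prefix Neutron uses in tap/qvo/qbr device names (constructed)

# Constructed `ovs-vsctl show` excerpt: tap plugged straight into br-int (no iptables hook)
OVS_DIRECT='    Bridge br-int
        Port "tapab12cd34-ef"
            tag: 1
            Interface "tapab12cd34-ef"'

# Constructed `ovs-vsctl show` excerpt: hybrid layout, only the qvo veth end is on br-int
OVS_HYBRID='    Bridge br-int
        Port "qvoab12cd34-ef"
            tag: 1
            Interface "qvoab12cd34-ef"'

# Constructed `iptables-save` excerpt: security-group rules keyed on the tap via physdev
IPT_RULES='*filter
-A neutron-openvswi-FORWARD -m physdev --physdev-out tapab12cd34-ef --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-in tapab12cd34-ef --physdev-is-bridged -j neutron-openvswi-sg-chain
COMMIT'

# vif_plug_mode OVS_SHOW PORT -> prints direct | hybrid | absent
vif_plug_mode() {
  if printf '%s\n' "$1" | grep -q "Port \"tap$2\""; then echo direct
  elif printf '%s\n' "$1" | grep -q "Port \"qvo$2\""; then echo hybrid
  else echo absent; fi
}

# sg_physdev_rules IPTABLES_SAVE TAP -> prints the number of physdev rules matching that tap
sg_physdev_rules() {
  printf '%s\n' "$1" | grep -cE -- "--physdev-(in|out) $2( |$)" || true
}

# check_port OVS_SHOW IPTABLES_SAVE PORT -> one-line verdict
check_port() {
  mode=$(vif_plug_mode "$1" "$3")
  n=$(sg_physdev_rules "$2" "tap$3")
  case "$mode" in
    hybrid) echo "hybrid: $n physdev rules on tap$3 are enforced by the qbr bridge" ;;
    direct) echo "direct: tap$3 sits on OVS, the $n physdev rules never see its traffic" ;;
    *)      echo "absent: no port for $3 on br-int" ;;
  esac
}

check_port "$OVS_DIRECT" "$IPT_RULES" "$PORT"
check_port "$OVS_HYBRID" "$IPT_RULES" "$PORT"
```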

_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
