Hi, an update from my test: why, even with an empty security group with no rule defined, can I still reach (ping & ssh) my instance from outside?
On Wed, Sep 21, 2016 at 5:18 PM, Adhi Priharmanto <adhi....@gmail.com> wrote:
> Hi Huan Xie,
>
> Thanks for your fast response. I applied those patches to my Dom0 and DomU (nova-compute), then restarted the neutron-openvswitch-agent and nova-compute services.
>
> The error in neutron-openvswitch-agent doesn't appear anymore. Now I'm still trying Security Group Rule variations for the instance; I'll update with results as soon as I can.
>
> On Wed, Sep 21, 2016 at 2:11 PM, Huan Xie <huan....@citrix.com> wrote:
>> Hi Adhi,
>>
>> 1. From http://pastebin.com/gwf1wdEb, we can see you have set the “conntrack” command in netwrap, but it seems the whole patch is not applied. I mean you need to apply the whole patch https://review.openstack.org/#/c/341304/ in neutron.
>>
>> netwrap is located in Dom0 at /etc/xapi.d/plugins
>>
>> neutron-rootwrap-xen-dom0 is located in DomU, maybe at /usr/local/bin/neutron-rootwrap-xen-dom0 or another path like that, depending on how you installed it; you may need to apply the patch to the source file.
>>
>> 1. With this rule, I'm still able to ping instance
>> 2. Also please check neutron-openvswitch-agent error list when I remove rule and terminate instance.
>>
>> -> For the two, since the patch seems not to be applied completely, you may still be able to ping the VM. Also you need to install conntrack-tools in Dom0, because the “conntrack” command in netwrap is sent to Dom0; otherwise the real “conntrack” command does not take effect.
>>
>> Hope these checks can help you.
>>
>> Thanks,
>> Huan
>>
>> *From:* Adhi Priharmanto [mailto:adhi....@gmail.com]
>> *Sent:* Wednesday, September 21, 2016 1:59 PM
>> *To:* Huan Xie
>> *Cc:* openstack@lists.openstack.org
>> *Subject:* Re: [Openstack] Security Groups Can't Apply in Kilo with Neutron & XenServer
>>
>> Hi All....
>>
>> Sorry for my late reply..
>>
>> @Bob, I installed Liberty manually, not using devstack, packstack, etc.
>>
>> Here is my node service configuration.
>>
>> =============================
>> NETWORK-NODE
>> =============================
>> Configuration : http://pastebin.com/6DLqUbjU
>>
>> =============================
>> COMPUTE-NODE
>> =============================
>> Configuration : http://pastebin.com/RhGBvNbA
>> Error list : http://pastebin.com/xHQSb625
>>
>> =============================
>> XENSERVER-NODE
>> =============================
>> Configuration : http://pastebin.com/gwf1wdEb
>> Error list : http://pastebin.com/wNzbhcPi
>>
>> For XenServer,
>> - I also set up Multi Tenancy Networking Protections in XenServer, following this guide https://github.com/openstack/nova/blob/master/plugins/xenserver/doc/networking.rst
>> - I also set up sysctl.conf (see the config in the xenserver-node pastebin), but it seems no br_netfilter module is available on XenServer.
>>
>> =============================
>> neutron security-group-rule-list
>> =============================
>> # neutron security-group-rule-list
>> +--------------------------------------+----------------+-----------+-----------+---------------+-----------------+
>> | id                                   | security_group | direction | ethertype | protocol/port | remote          |
>> +--------------------------------------+----------------+-----------+-----------+---------------+-----------------+
>> | 310fb8eb-bcf7-4425-83a3-f2f3f1335958 | default        | egress    | IPv6      | any           | any             |
>> | 42e8b7e8-1262-4673-8547-55fa6b33d4f1 | default        | egress    | IPv4      | any           | any             |
>> | 4e8bde5b-344a-4c6a-b09d-223d9fec72bf | default        | ingress   | IPv4      | any           | default (group) |
>> | cd8f3aaa-9882-42a0-b713-87489cfff22c | default        | ingress   | IPv6      | any           | default (group) |
>> | d884ff2f-71e8-4647-b45d-e8f92ad87261 | default        | egress    | IPv4      | any           | any             |
>> | f4f85fae-6a15-4a85-ae51-5f34536bb72e | default        | ingress   | IPv6      | any           | default (group) |
>> | f6e3929a-3df4-4209-8486-7ce0b0047771 | default        | egress    | IPv6      | any           | any             |
>> | fbb2a744-de01-49c7-b875-8cdfbc4fdd7f | default        | ingress   | IPv4      | any           | default (group) |
>> +--------------------------------------+----------------+-----------+-----------+---------------+-----------------+
>>
>> - With this rule, I'm still able to ping the instance
>> - Also please check the neutron-openvswitch-agent error list when I remove the rule and terminate the instance.
>>
>> I hope anyone can guide me with this problem, thanks before.
>>
>> On Sun, Sep 18, 2016 at 8:16 AM, Huan Xie <huan....@citrix.com> wrote:
>> Hi,
>>
>> After applying these changes, is your neutron ml2 configuration correct? Mainly the below parts:
>> If it still cannot work, could you please describe the errors?
>>
>> Besides these, we found that xenserver dom0 lacks conntrack support for neutron-ovs-agent in the compute node; there is a fix waiting for review https://review.openstack.org/#/c/341304/
>>
>> 1. In nova.conf, two configurations should be set
>>
>> [DEFAULT]
>> firewall_driver = nova.virt.firewall.NoopFirewallDriver
>> security_group_api=neutron
>> use_neutron = True
>>
>> [xenserver]
>> ovs_integration_bridge =
>> vif_driver = nova.virt.xenapi.vif.XenAPIOpenVswitchDriver
>>
>> 2. In neutron, check the configuration ml2_conf.ini in the compute node, which is used for the neutron L2 agent
>>
>> [agent]
>> minimize_polling = False
>> root_helper_daemon =
>> root_helper = /usr/local/bin/neutron-rootwrap-xen-dom0 /etc/neutron/rootwrap.conf
>>
>> [ovs]
>> integration_bridge =
>> bridge_mappings =
>>
>> Thanks,
>> Huan
>>
>> *From:* Adhi Priharmanto [mailto:adhi....@gmail.com]
>> *Sent:* Thursday, September 15, 2016 3:48 PM
>> *To:* Huan Xie
>> *Cc:* openstack@lists.openstack.org
>> *Subject:* Re: [Openstack] Security Groups Can't Apply in Kilo with Neutron & XenServer
>>
>> Hi, I still have no luck with this problem; even using the Liberty release, Security groups are still not applied on the network. Can you help me again?
>>
>> On Thu, Mar 17, 2016 at 10:55 AM, Adhi Priharmanto <adhi....@gmail.com> wrote:
>> Ok, I'll try to patch my neutron
>>
>> On Tue, Mar 15, 2016 at 8:52 AM, Huan Xie <huan....@citrix.com> wrote:
>> Hi,
>> To apply the patch, you need to download the changed files from https://review.openstack.org/#/c/251271/ and its dependent changes; you can find its dependent changes in the right corner (Related Changes) when you open the link.
>> For the files that you need to edit, in the middle of the code review page you can find a section called “Files”; this part shows you which files are changed.
>>
>> Best Regards//Huan
>>
>> *From:* Adhi Priharmanto [mailto:adhi....@gmail.com]
>> *Sent:* Monday, March 14, 2016 6:21 PM
>> *To:* Huan Xie
>> *Cc:* openstack@lists.openstack.org
>> *Subject:* Re: [Openstack] Security Groups Can't Apply in Kilo with Neutron & XenServer
>>
>> Hi Xie,
>>
>> I also commented on your post at blog.citrix :) ; steps 1 - 3 were clear for me. I'm still confused about the patched code in https://review.openstack.org/#/c/251271/ for some files; could you explain more how to do it, and which files I should edit?
>>
>> Thanks before
>>
>> On Mon, Mar 14, 2016 at 3:34 PM, Huan Xie <huan....@citrix.com> wrote:
>> Hi Adhi,
>>
>> Do you use devstack to deploy XenServer + Kilo, or manually?
>> The current Kilo release does not support XenServer + Neutron security group, because security group is implemented via iptables on Linux bridge; however, there is no Linux bridge created when booting a new instance.
>> But we now have a new fix to support neutron security group; we have tested that it can work. This will be implemented as a blueprint https://review.openstack.org/#/c/251271/
>> So, if you want to use neutron security group in Kilo, you should add some patches to your code and also please make the configurations as below:
>>
>> 1. In nova.conf, two configurations should be set
>>
>> [DEFAULT]
>> firewall_driver = nova.virt.firewall.NoopFirewallDriver
>> security_group_api=neutron
>>
>> [xenserver]
>> ovs_integration_bridge =
>> vif_driver = nova.virt.xenapi.vif.XenAPIOpenVswitchDriver
>>
>> If you don't know how to configure ovs_integration_bridge, then you can refer to this blog https://www.citrix.com/blogs/2015/11/30/integrating-xenserver-rdo-and-neutron/
>>
>> 2. In neutron, check the configuration ml2_conf.ini in the compute node, which is used for the neutron L2 agent
>>
>> [agent]
>> minimize_polling = False
>> root_helper_daemon =
>> root_helper = /usr/local/bin/neutron-rootwrap-xen-dom0 /etc/neutron/rootwrap.conf
>>
>> [ovs]
>> integration_bridge =
>> bridge_mappings =
>>
>> Also for the ovs configuration items, if you are not clear on how to configure them, refer to the blog.
>>
>> 3. In neutron, check the configuration /etc/neutron/rootwrap.conf in the compute node
>>
>> [xenapi]
>> # XenAPI configuration is only required by the L2 agent if it is to
>> # target a XenServer/XCP compute host's dom0.
>> xenapi_connection_url=
>> xenapi_connection_username=
>> xenapi_connection_password=
>>
>> Best Regards//Huan
>>
>> -------- Original Message --------
>> Subject: [Openstack] Security Groups Can't Apply in Kilo with Neutron & XenServer
>> From: Adhi Priharmanto
>> To: openstack@lists.openstack.org
>> CC:
>>
>> Hi all,
>> I have Openstack Kilo installed in my lab; for the Compute Hypervisor I use XenServer 6.5, and networking uses Neutron OVS. For the Controller, Network, and Compute nodes I'm using Ubuntu 14.04.
>>
>> My problem is that Security Group rules aren't applied to the instances created. For example, there is no rule for SSH port 22 in the security group I defined for the instance, but an instance with a floating IP is able to log in by ssh from the external network.
>>
>> I've already added this option in my nova.conf
>>
>> firewall_driver=nova.virt.xenapi.firewall.Dom0IptablesFirewallDriver
>>
>> and also defined firewall_driver in my ml2_conf.ini on the Controller, Network, and Compute nodes
>>
>> [ovs]
>> enable_security_group = True
>> enable_ipset = True
>> firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
>>
>> Can somebody help me with this problem?
>>
>> --
>> Cheers,
>> *Adhi Priharmanto*
>> about.me/a_dhi
>>
>> _______________________________________________
>> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>> Post to : openstack@lists.openstack.org
>> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>
> --
> Cheers,
> Adhi Priharmanto
> about.me/a_dhi
> +62-812-82121584

--
Cheers,
Adhi Priharmanto
about.me/a_dhi
+62-812-82121584
_______________________________________________ Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack Post to : openstack@lists.openstack.org Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
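The thread's recurring failure mode is a partially applied configuration: one file carries the XenServer-specific setting while another still has the Linux-bridge iptables driver, and the symptom is an instance that stays reachable with no rule allowing it. The script below is an added example, not code from the thread or from OpenStack: it parses nova.conf, the L2 agent's ml2_conf.ini and rootwrap.conf with Python's standard configparser and reports every setting that is missing, empty or different from the values Huan lists. The sample config texts are constructed; the "before" ones mirror the settings the original post said were in place, and the bridge names xapi1/xapi2, the physnet name and the XenAPI connection details in the "after" ones are placeholders.

```python
"""Added example: audit nova.conf, ml2_conf.ini and rootwrap.conf against the
settings the thread lists for Neutron security groups on XenServer.
Not code from the thread or from OpenStack; sample config texts are constructed."""
import configparser

# Expected value None means "must be set to something non-empty"; the thread
# leaves bridge names and XenAPI credentials deployment-specific.
NOVA_REQUIRED = {
    ("DEFAULT", "firewall_driver"): "nova.virt.firewall.NoopFirewallDriver",
    ("DEFAULT", "security_group_api"): "neutron",
    ("DEFAULT", "use_neutron"): "True",
    ("xenserver", "ovs_integration_bridge"): None,
    ("xenserver", "vif_driver"): "nova.virt.xenapi.vif.XenAPIOpenVswitchDriver",
}
ML2_REQUIRED = {
    ("agent", "minimize_polling"): "False",
    ("agent", "root_helper"):
        "/usr/local/bin/neutron-rootwrap-xen-dom0 /etc/neutron/rootwrap.conf",
    ("ovs", "integration_bridge"): None,
    ("ovs", "bridge_mappings"): None,
}
ROOTWRAP_REQUIRED = {
    ("xenapi", "xenapi_connection_url"): None,
    ("xenapi", "xenapi_connection_username"): None,
    ("xenapi", "xenapi_connection_password"): None,
}


def check_config(text, required):
    """Return a list of (section, option, problem); an empty list means every
    required setting is present with the expected (or a non-empty) value."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True)
    cp.optionxform = str  # keep option names exactly as written in the file
    cp.read_string(text)
    problems = []
    for (section, option), expected in required.items():
        if not cp.has_option(section, option):
            problems.append((section, option, "missing"))
            continue
        actual = (cp.get(section, option) or "").strip()
        if expected is None:
            if not actual:
                problems.append((section, option, "empty"))
        elif actual != expected:
            problems.append((section, option,
                             "is %r, expected %r" % (actual, expected)))
    return problems


# Constructed: mirrors the settings the original post said were in place.
NOVA_BEFORE = """
[DEFAULT]
firewall_driver=nova.virt.xenapi.firewall.Dom0IptablesFirewallDriver
security_group_api=neutron
"""
ML2_BEFORE = """
[ovs]
enable_security_group = True
enable_ipset = True
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
"""

# Constructed: the settings from the thread, with placeholder bridge names
# (xapi1, xapi2), physnet name and XenAPI connection details filled in.
NOVA_AFTER = """
[DEFAULT]
firewall_driver = nova.virt.firewall.NoopFirewallDriver
security_group_api=neutron
use_neutron = True

[xenserver]
ovs_integration_bridge = xapi1
vif_driver = nova.virt.xenapi.vif.XenAPIOpenVswitchDriver
"""
ML2_AFTER = """
[agent]
minimize_polling = False
root_helper_daemon =
root_helper = /usr/local/bin/neutron-rootwrap-xen-dom0 /etc/neutron/rootwrap.conf

[ovs]
integration_bridge = xapi1
bridge_mappings = physnet1:xapi2
"""
ROOTWRAP_AFTER = """
[xenapi]
# XenAPI configuration is only required by the L2 agent if it is to
# target a XenServer/XCP compute host's dom0.
xenapi_connection_url = https://xenserver.example.test
xenapi_connection_username = root
xenapi_connection_password = PLACEHOLDER-DOM0-PASSWORD
"""


def audit(files):
    """files: {name: (config_text, required)} -> {name: problems}."""
    return {name: check_config(text, req) for name, (text, req) in files.items()}


if __name__ == "__main__":
    before = {"nova.conf": (NOVA_BEFORE, NOVA_REQUIRED),
              "ml2_conf.ini": (ML2_BEFORE, ML2_REQUIRED)}
    after = {"nova.conf": (NOVA_AFTER, NOVA_REQUIRED),
             "ml2_conf.ini": (ML2_AFTER, ML2_REQUIRED),
             "rootwrap.conf": (ROOTWRAP_AFTER, ROOTWRAP_REQUIRED)}
    for label, files in (("before", before), ("after", after)):
        for name, problems in audit(files).items():
            status = "OK" if not problems else "; ".join(
                "[%s] %s %s" % p for p in problems)
            print("%s %s: %s" % (label, name, status))
```

Run it on the real files by reading them into `check_config` instead of the constructed strings; the "before" samples show the pattern from the first post (Dom0IptablesFirewallDriver in nova.conf, OVSHybridIptablesFirewallDriver in ml2_conf.ini) reported as four findings per file, while the "after" samples come back clean. The script only checks what is written in the files; it cannot tell whether the rootwrap and netwrap patches from the thread are actually applied or whether conntrack-tools is installed in Dom0, which the thread identifies as the remaining prerequisites.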