nova add-secgroup 24891d97-8d0e-4e99-9537-c8f8291913d0 d11
ERROR: Network requires port_security_enabled and subnet associated in order to apply security groups. (HTTP 400) (Request-ID: req-94cb2d54-858b-4843-af53-b373c88bcdc0)

security group exists

# quantum security-group-list
+--------------------------------------+---------+------------------+
| id                                   | name    | description      |
+--------------------------------------+---------+------------------+
| 0acc8258-bd9f-4f87-b051-a94dbc1504eb | default | default          |
| 5902febc-e793-4b09-8073-567226d83d79 | d11     | des for firewall |
+--------------------------------------+---------+------------------+

Daniels Cai
http://dnscai.com

2013/6/8 Aaron Rosen <aro...@nicira.com>

> You said:
>
> > it works, but when i try to attach a security group to an existing vm, the api throws an error: "Network requires port_security_enabled and subnet associated in order to apply security groups."
>
> What command are you running to generate that error?
>
> On Sat, Jun 8, 2013 at 1:45 AM, daniels cai <danx...@gmail.com> wrote:
>
>> Aaron, thanks for your answers, I see it.
>>
>> We are not using nvp in our environment yet.
>>
>> My vm is booted with a subnet_id specified.
>> I am sure about it.
>>
>> Here is more info:
>>
>> The vm has an ip "192.168.6.100"; this ip belongs to subnet 83afd693-7e36-41e9-b896-9d8b0d89d255, this subnet belongs to network "iaas-net", and the network id is 5332f0f7-3156-4961-aa67-0b8507265fa5
>>
>> # nova list
>>
>> | 24891d97-8d0e-4e99-9537-c8f8291913d0 | ubuntu-1304-server-amd64 | ACTIVE | iaas-net=192.168.6.100
>>
>> Here is the quantum network info:
>>
>> # quantum net-list
>>
>> +--------------------------------------+------------------+-------------------------------------------------------+
>> | id                                   | name             | subnets                                               |
>> +--------------------------------------+------------------+-------------------------------------------------------+
>> | 5332f0f7-3156-4961-aa67-0b8507265fa5 | iaas-net         | 329ca377-6193-4a0c-9320-471cd5ff762f 192.168.202.0/24 |
>> |                                      |                  | 83afd693-7e36-41e9-b896-9d8b0d89d255 192.168.6.0/24   |
>> |                                      |                  | bb1afb2d-ab59-4ba4-8a76-8b5b426b8e33 192.168.7.0/24   |
>> |                                      |                  | d59794df-bb49-4924-a19f-cbdec0ce24df 192.168.188.0/24 |
>> |                                      |                  | dca45033-e506-42e4-bf05-aaccd0591c55 192.168.193.0/24 |
>> |                                      |                  | e8a9be74-2f39-4d7e-9287-c5b85b573cca 192.168.192.0/24 |
>>
>> I enabled the following features in quantum:
>> 1. namespace
>> 2. overlap ips
>>
>> If any more info is needed for debugging, I will attach it.
>>
>> Daniels Cai
>> http://dnscai.com
>>
>> 2013/6/8 Aaron Rosen <aro...@nicira.com>
>> >
>> > There is no port_security_enabled config option. This is an attribute on a port that is used if the plugin you are using implements the port_security_extension (which is only nvp at the time).
>> >
>> > I'm guessing your issue is the network you are trying to boot an instance on does not have a subnet associated with it.
>> >
>> > Aaron
>> >
>> > On Sat, Jun 8, 2013 at 12:37 AM, daniels cai <danx...@gmail.com> wrote:
>> >>
>> >> Hi Aaron,
>> >> I set the following in nova.conf:
>> >>
>> >> security_group_api=quantum
>> >> firewall_driver=nova.virt.firewall.NoopFirewallDriver
>> >>
>> >> It works, but when I try to attach a security group to an existing vm, the api throws an error:
>> >>
>> >> "Network requires port_security_enabled and subnet associated in order to apply security groups."
>> >>
>> >> Then I added port_security_enabled in quantum.conf on all nodes.
>> >> "port_security_enabled=True"
>> >>
>> >> With no luck, it still doesn't work.
>> >>
>> >> Any advice? Does quantum security group support this feature?
>> >>
>> >> Daniels Cai
>> >> http://dnscai.com
>> >>
>> >> 2013/6/8 Aaron Rosen <aro...@nicira.com>
>> >>>
>> >>> Hi Joe,
>> >>>
>> >>> I thought setting firewall_driver = quantum.agent.firewall.NoopFirewallDriver would do the trick? Also, the ovs plugin does not do any mac spoof filtering at the OVS level. Those are all done in iptables.
>> >>>
>> >>> Aaron
>> >>>
>> >>> On Fri, Jun 7, 2013 at 8:22 PM, Joe Breu <joseph.b...@rackspace.com> wrote:
>> >>>>
>> >>>> Hello,
>> >>>>
>> >>>> Is there a way to create a quantum l2 network using OVS that does not have MAC and IP spoofing enabled either in iptables or OVS? One workaround that we found was to set the OVS plugin firewall_driver = quantum.agent.firewall.NoopFirewallDriver to security_group_api=nova however this is far from ideal and doesn't solve the problem of MAC spoof filtering at the OVS level.
>> >>>>
>> >>>> Thanks for any help
>> >>>>
>> >>>> _______________________________________________
>> >>>> Mailing list: https://launchpad.net/~openstack
>> >>>> Post to     : openstack@lists.launchpad.net
>> >>>> Unsubscribe : https://launchpad.net/~openstack
>> >>>> More help   : https://help.launchpad.net/ListHelp