Hello Ashok,

Thanks for your reply!

My libvirt_vif_driver parameter setting at the compute node is nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver.

Thanks,
Chandler

2013/6/18 Ashok Kumaran <ashokkumara...@gmail.com>

> Hi Chandler,
>
> What's your libvirt_vif_driver set to in nova-compute.conf?
>
> On Tue, Jun 18, 2013 at 1:08 PM, Chandler Li <lichandler...@gmail.com> wrote:
>
>> Hi, Aaron,
>>
>> Sorry for my unclear explanation.
>>
>> I can ping or ssh into the VM with the default security group even though
>> there are no rules set...
>>
>> Here is my security group information:
>>
>> [root@controller ~]# nova secgroup-list
>> +---------+-------------+
>> | Name    | Description |
>> +---------+-------------+
>> | default | default     |
>> +---------+-------------+
>> [root@controller ~]# nova secgroup-list-rules default
>>
>> [root@controller ~]#
>>
>> After I created a VM with the default security group, I checked the iptables
>> at the compute node:
>>
>> [root@compute1 ~]# iptables -L -v -n
>> Chain INPUT (policy ACCEPT 26495 packets, 22M bytes)
>>  pkts bytes target     prot opt in     out     source               destination
>>   289  120K nova-compute-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
>>     0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
>>     0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
>>     0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
>>     0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:67
>>  1036 64284 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5900
>>
>> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>>  pkts bytes target     prot opt in     out     source               destination
>>     0     0 nova-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0
>>     0     0 nova-compute-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0
>>     0     0 ACCEPT     all  --  *      virbr0  0.0.0.0/0            192.168.122.0/24     state RELATED,ESTABLISHED
>>     0     0 ACCEPT     all  --  virbr0 *       192.168.122.0/24     0.0.0.0/0
>>     0     0 ACCEPT     all  --  virbr0 virbr0  0.0.0.0/0            0.0.0.0/0
>>     0     0 REJECT     all  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
>>     0     0 REJECT     all  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
>>
>> Chain OUTPUT (policy ACCEPT 30821 packets, 14M bytes)
>>  pkts bytes target     prot opt in     out     source               destination
>> 30218   14M nova-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0
>>   261 80864 nova-compute-OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
>>
>> Chain nova-compute-FORWARD (1 references)
>>  pkts bytes target     prot opt in     out     source               destination
>>
>> Chain nova-compute-INPUT (1 references)
>>  pkts bytes target     prot opt in     out     source               destination
>>
>> Chain nova-compute-OUTPUT (1 references)
>>  pkts bytes target     prot opt in     out     source               destination
>>
>> Chain nova-compute-inst-783 (1 references)
>>  pkts bytes target     prot opt in     out     source               destination
>>     0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
>>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>>     0     0 nova-compute-provider  all  --  *      *       0.0.0.0/0            0.0.0.0/0
>>     0     0 ACCEPT     udp  --  *      *       30.0.0.2             0.0.0.0/0            udp spt:67 dpt:68
>>     0     0 ACCEPT     all  --  *      *       30.0.0.0/24          0.0.0.0/0
>>     0     0 nova-compute-sg-fallback  all  --  *      *       0.0.0.0/0            0.0.0.0/0
>>
>> Chain nova-compute-local (1 references)
>>  pkts bytes target     prot opt in     out     source               destination
>>     0     0 nova-compute-inst-783  all  --  *      *       0.0.0.0/0            30.0.0.5
>>
>> Chain nova-compute-provider (1 references)
>>  pkts bytes target     prot opt in     out     source               destination
>>
>> Chain nova-compute-sg-fallback (1 references)
>>  pkts bytes target     prot opt in     out     source               destination
>>     0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
>>
>> Chain nova-filter-top (2 references)
>>  pkts bytes target     prot opt in     out     source               destination
>>   261 80864 nova-compute-local  all  --  *      *       0.0.0.0/0            0.0.0.0/0
>>
>> If I add rules to security group default:
>>
>> [root@controller ~]# nova secgroup-list-rules default
>> +-------------+-----------+---------+-----------+--------------+
>> | IP Protocol | From Port | To Port | IP Range  | Source Group |
>> +-------------+-----------+---------+-----------+--------------+
>> | icmp        | -1        | -1      | 0.0.0.0/0 |              |
>> | tcp         | 22        | 22      | 0.0.0.0/0 |              |
>> +-------------+-----------+---------+-----------+--------------+
>>
>> the Chain nova-compute-inst-783 will be:
>>
>> Chain nova-compute-inst-783 (1 references)
>>  pkts bytes target     prot opt in     out     source               destination
>>     0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
>>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>>     0     0 nova-compute-provider  all  --  *      *       0.0.0.0/0            0.0.0.0/0
>>     0     0 ACCEPT     udp  --  *      *       30.0.0.2             0.0.0.0/0            udp spt:67 dpt:68
>>     0     0 ACCEPT     all  --  *      *       30.0.0.0/24          0.0.0.0/0
>>     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
>>     0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
>>     0     0 nova-compute-sg-fallback  all  --  *      *       0.0.0.0/0            0.0.0.0/0
>>
>> The iptables chain rules reflect the security group rules correctly,
>> but no packets go through this iptables chain.
>>
>> Thanks,
>> Chandler
>>
>> 2013/6/18 Aaron Rosen <aro...@nicira.com>
>>
>>> Hi,
>>>
>>> I think it would also be helpful if you attached the output of:
>>>
>>> nova secgroup-list
>>> then: nova secgroup-list-rules for each group, so we could see what rules
>>> you have set in nova.
>>>
>>> Aaron
>>>
>>> On Mon, Jun 17, 2013 at 6:22 PM, Chandler Li <lichandler...@gmail.com> wrote:
>>>
>>>> Hi Aaron,
>>>>
>>>> Thanks for your reply!
>>>>
>>>> Yes, I have set /etc/nova/nova.conf as follows, but it seems not to be
>>>> working.
>>>>
>>>> libvirt_vif_driver=nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver
>>>> firewall_driver=nova.virt.libvirt.firewall.IptablesFirewallDriver
>>>> libvirt_use_virtio_for_bridges=True
>>>>
>>>> I can't figure out why network packets don't follow the iptables rules
>>>> created by nova.
>>>>
>>>> There is no traffic in the FORWARD chain rule and the nova-compute-local
>>>> chain rule, as I posted before.
>>>>
>>>> Thanks again!
>>>>
>>>> Chandler
>>>>
>>>> 2013/6/18 Aaron Rosen <aro...@nicira.com>
>>>>
>>>>> Do you have:
>>>>>
>>>>> firewall_driver=nova.virt.firewall.IptablesFirewallDriver
>>>>>
>>>>> in your nova.conf? In folsom, quantum leveraged nova's security groups
>>>>> implementation directly, so you need that. (Looks like you have that set,
>>>>> though, by your output.)
>>>>>
>>>>> Aaron
>>>>>
>>>>> On Sun, Jun 16, 2013 at 7:38 PM, Chandler Li <lichandler...@gmail.com> wrote:
>>>>>
>>>>>> Hi,
>>>>>> I checked the compute node's iptables rules and found out that the
>>>>>> nova-compute-inst-xxx chain has no traffic flow.
>>>>>> The traffic flow stopped at the nova-filter-top chain rule, so the security
>>>>>> group is not working.
>>>>>> Any idea how to resolve this problem?
>>>>>>
>>>>>> Thanks,
>>>>>> Chandler
>>>>>>
>>>>>> [root@compute1 ~]# iptables -L -v -n
>>>>>> Chain INPUT (policy ACCEPT 714 packets, 335K bytes)
>>>>>>  pkts bytes target     prot opt in     out     source               destination
>>>>>>   369  117K nova-compute-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
>>>>>>     0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
>>>>>>     0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
>>>>>>     0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
>>>>>>     0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:67
>>>>>>     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5900
>>>>>>
>>>>>> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>>>>>>  pkts bytes target     prot opt in     out     source               destination
>>>>>>     0     0 nova-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0
>>>>>>     0     0 nova-compute-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0
>>>>>>     0     0 ACCEPT     all  --  *      virbr0  0.0.0.0/0            192.168.122.0/24     state RELATED,ESTABLISHED
>>>>>>     0     0 ACCEPT     all  --  virbr0 *       192.168.122.0/24     0.0.0.0/0
>>>>>>     0     0 ACCEPT     all  --  virbr0 virbr0  0.0.0.0/0            0.0.0.0/0
>>>>>>     0     0 REJECT     all  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
>>>>>>     0     0 REJECT     all  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
>>>>>>
>>>>>> Chain OUTPUT (policy ACCEPT 779 packets, 378K bytes)
>>>>>>  pkts bytes target     prot opt in     out     source               destination
>>>>>>   437  233K nova-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0
>>>>>>   396  216K nova-compute-OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
>>>>>>
>>>>>> Chain nova-compute-FORWARD (1 references)
>>>>>>  pkts bytes target     prot opt in     out     source               destination
>>>>>>
>>>>>> Chain nova-compute-INPUT (1 references)
>>>>>>  pkts bytes target     prot opt in     out     source               destination
>>>>>>
>>>>>> Chain nova-compute-OUTPUT (1 references)
>>>>>>  pkts bytes target     prot opt in     out     source               destination
>>>>>>
>>>>>> Chain nova-compute-inst-767 (1 references)
>>>>>>  pkts bytes target     prot opt in     out     source               destination
>>>>>>     0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
>>>>>>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>>>>>>     0     0 nova-compute-provider  all  --  *      *       0.0.0.0/0            0.0.0.0/0
>>>>>>     0     0 ACCEPT     udp  --  *      *       30.0.0.2             0.0.0.0/0            udp spt:67 dpt:68
>>>>>>     0     0 ACCEPT     all  --  *      *       30.0.0.0/24          0.0.0.0/0
>>>>>>     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
>>>>>>     0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
>>>>>>     0     0 nova-compute-sg-fallback  all  --  *      *       0.0.0.0/0            0.0.0.0/0
>>>>>>
>>>>>> Chain nova-compute-local (1 references)
>>>>>>  pkts bytes target     prot opt in     out     source               destination
>>>>>>     0     0 nova-compute-inst-767  all  --  *      *       0.0.0.0/0            30.0.0.5
>>>>>>
>>>>>> Chain nova-compute-provider (1 references)
>>>>>>  pkts bytes target     prot opt in     out     source               destination
>>>>>>
>>>>>> Chain nova-compute-sg-fallback (1 references)
>>>>>>  pkts bytes target     prot opt in     out     source               destination
>>>>>>     0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
>>>>>>
>>>>>> Chain nova-filter-top (2 references)
>>>>>>  pkts bytes target     prot opt in     out     source               destination
>>>>>>   396  216K nova-compute-local  all  --  *      *       0.0.0.0/0            0.0.0.0/0
>>>>>>
>>>>>> 2013/6/14 Chandler Li <lichandler...@gmail.com>
>>>>>>
>>>>>>> Hello,
>>>>>>>
>>>>>>> I'm trying to use the security group of the Quantum ovs plugin (Folsom) on
>>>>>>> CentOS 6.3 (2012.2.3-1.el6@epel).
>>>>>>>
>>>>>>> Everything looks good, except the security group,
>>>>>>>
>>>>>>> and there are no error messages in the /var/log/nova/compute.log file.
>>>>>>>
>>>>>>> After I created the VM, I can see the bridges and interfaces have been
>>>>>>> created normally.
>>>>>>>
>>>>>>> [root@compute1 ~]# brctl show
>>>>>>> bridge name     bridge id               STP enabled     interfaces
>>>>>>> br-int          0000.3eca2e714b4d       no              qvo756ead5d-32
>>>>>>> br-tun          0000.824651aab541       no
>>>>>>> qbr756ead5d-32  0000.ca57ea41484c       no              qvb756ead5d-32
>>>>>>>                                                         vnet0
>>>>>>>
>>>>>>> The chain rules in the filter table of iptables reflect the security
>>>>>>> group rules correctly too.
>>>>>>>
>>>>>>> Chain nova-compute-inst-749 (1 references)
>>>>>>> num  target     prot opt source               destination
>>>>>>> 1    DROP       all  --  0.0.0.0/0            0.0.0.0/0            state INVALID
>>>>>>> 2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>>>>>>> 3    nova-compute-provider  all  --  0.0.0.0/0            0.0.0.0/0
>>>>>>> 4    ACCEPT     udp  --  10.0.0.2             0.0.0.0/0            udp spt:67 dpt:68
>>>>>>> 5    ACCEPT     all  --  10.0.0.0/24          0.0.0.0/0
>>>>>>> 6    nova-compute-sg-fallback  all  --  0.0.0.0/0            0.0.0.0/0
>>>>>>>
>>>>>>> Obviously, the packets do not follow these rules correctly.
>>>>>>>
>>>>>>> Please advise me how to resolve this problem.
>>>>>>>
>>>>>>> Thanks a lot,
>>>>>>> Chandler
>>>>>>
>>>>>> _______________________________________________
>>>>>> Mailing list: https://launchpad.net/~openstack
>>>>>> Post to     : openstack@lists.launchpad.net
>>>>>> Unsubscribe : https://launchpad.net/~openstack
>>>>>> More help   : https://help.launchpad.net/ListHelp
>
> --
> Regds,
>
> Ashok,
> Delivery Consultant,
> HP.
_______________________________________________ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
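The recurring observation in this thread is that the per-instance chains are correct but their packet counters stay at zero, and the FORWARD chain itself sees nothing while OUTPUT is busy. The following script is an added example (not code from the thread or from Nova) that parses `iptables -L -v -n` counter output and flags exactly that condition; SAMPLE is a constructed excerpt mirroring the counters Chandler posted.

```python
"""Parse `iptables -L -v -n` output and flag Nova security-group chains that
receive no packets.  Added example, not code from the thread; SAMPLE is a
constructed excerpt mirroring the counters in Chandler's post."""
import re

SAMPLE = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 nova-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 nova-compute-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 30821 packets, 14M bytes)
 pkts bytes target     prot opt in     out     source               destination
30218   14M nova-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain nova-compute-inst-783 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 nova-compute-sg-fallback  all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

# Chain header: built-in chains carry a policy and its counter, user chains a reference count.
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy \S+ (\d+) packets|\d+ references)")
# Rule line: pkts, bytes (may carry a K/M/G suffix), target.  The column header
# line starts with 'pkts', not a digit, so it never matches.
RULE_RE = re.compile(r"^\s*(\d+)\s+(\d+[KMG]?)\s+(\S+)")

def parse_chains(text):
    """Map chain name -> {'policy_pkts': int or None, 'rules': [(pkts, target), ...]}."""
    chains, cur = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            policy = int(m.group(2)) if m.group(2) else None
            cur = chains.setdefault(m.group(1), {"policy_pkts": policy, "rules": []})
            continue
        m = RULE_RE.match(line)
        if m and cur is not None:
            cur["rules"].append((int(m.group(1)), m.group(3)))
    return chains

def idle_secgroup_chains(chains):
    """Per-instance chains none of whose rules ever matched a packet: the thread's symptom."""
    return sorted(n for n, c in chains.items()
                  if n.startswith("nova-compute-inst-") and all(p == 0 for p, _ in c["rules"]))

def forward_path_bypassed(chains):
    """True when FORWARD saw no packets at all (policy hits plus rule hits), i.e.
    bridged VM traffic is not entering the host's filter table where the
    security-group chains hang; an empty FORWARD next to a busy OUTPUT is the tell."""
    fwd = chains.get("FORWARD", {"policy_pkts": 0, "rules": []})
    return (fwd["policy_pkts"] or 0) + sum(p for p, _ in fwd["rules"]) == 0
```

Run it against the real output of `iptables -L -v -n` on the compute node (pipe it into `parse_chains`) a minute after generating VM traffic: an instance chain listed by `idle_secgroup_chains` together with `forward_path_bypassed()` returning True confirms the traffic never reaches the filter table rather than being mis-ruled there.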