Yup, it is.

Aaron

On Tue, Aug 13, 2013 at 11:09 AM, Ashok Kumaran <ashokkumara...@gmail.com> wrote:

> I guess it's already back-ported to Grizzly 2013.1.3 cycle
>
> https://review.openstack.org/#/c/32679
>
> Best
> Ashok
>
> Sent from my iPhone
>
> On 13-Aug-2013, at 6:24 PM, Francois Deppierraz <franc...@ctrlaltdel.ch> wrote:
>
> Hi Aaron,
>
> Thanks for the patch!
>
> I was experiencing the same issue as the OP with grizzly installed
> from the Ubuntu Cloud Archive with quantum and openvswitch. Adding
> security groups to a running instance works well now.
>
> Is there any plan to have it included in the havana release, or even
> better patched in grizzly?
>
> Cheers,
>
> François
>
> On 08. 06. 13 11:40, Aaron Rosen wrote:
> > Hi Daniel,
> >
> > Thanks for finding this! This is a bug. The code wasn't accounting if
> > the plugin didn't implement port_security_enabled. Here's a patch that
> > fixes the issue in the meantime.
> >
> > Best,
> >
> > Aaron
> >
> > --- a/nova/network/security_group/quantum_driver.py > > +++ b/nova/network/security_group/quantum_driver.py 
> > @@ -340,8 +340,9 @@ class > > SecurityGroupAPI(security_group_base.SecurityGroupBase): > > has_ip = port.get('fixed_ips') > > if port_security_enabled and has_ip: > > return True > > - else: > > - return False > > + elif 'port_security_enabled' not in port and has_ip: > > + return True > > + return False > > > @wrap_check_security_groups_policy > > def add_to_instance(self, context, instance, security_group_name):
> >
> > On Sat, Jun 8, 2013 at 2:14 AM, daniels cai <danx...@gmail.com> wrote:
> >
> > nova add-secgroup 24891d97-8d0e-4e99-9537-c8f8291913d0 d11
> >
> > ERROR: Network requires port_security_enabled and subnet associated
> > in order to apply security groups. (HTTP 400) (Request-ID:
> > req-94cb2d54-858b-4843-af53-b373c88bcdc0)
> >
> > security group exists
> >
> > # quantum security-group-list
> > +--------------------------------------+---------+------------------+
> > | id                                   | name    | description      |
> > +--------------------------------------+---------+------------------+
> > | 0acc8258-bd9f-4f87-b051-a94dbc1504eb | default | default          |
> > | 5902febc-e793-4b09-8073-567226d83d79 | d11     | des for firewall |
> > +--------------------------------------+---------+------------------+
> >
> > Daniels Cai
> > http://dnscai.com
> >
> > 2013/6/8 Aaron Rosen <aro...@nicira.com>
> >
> > You said:
> >
> > it works, but when i try to attach a security group to an exist
> > vm , api throw an error :"Network requires
> > port_security_enabled and subnet associated in order to apply
> > security groups."
> >
> > What command are you running to generate that error?
> >
> > On Sat, Jun 8, 2013 at 1:45 AM, daniels cai <danx...@gmail.com> wrote:
> >
> > Aaron , thanks for your answers, i see it.
> >
> > we are not using nvp in our environment yet.
> >
> > my vm is boot with a subnet_id specified .
> > i am sure about it .
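Review bot: In the quantum_driver.py hunk at -340,8 +340,9, the added `elif 'port_security_enabled' not in port and has_ip:` branch needs a comment saying why a missing key is treated the same as an enabled one, because on its own the condition reads as if the port security check is being skipped. The accompanying message gives the reason (the plugin may not implement port_security_enabled); a one-line comment to that effect, plus a unit test using a port dict that has fixed_ips but no port_security_enabled key, would keep a later cleanup from dropping the branch. If port_security_enabled is read from the port just above the visible context, defaulting it to True when the key is absent would let both branches collapse into the first `if`.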
> > here is more info:
> >
> > vm has an ip "192.168.6.100" , this ip belongs to subnet
> > 83afd693-7e36-41e9-b896-9d8b0d89d255
> > , this subnet belongs to network "iaas-net", network id is
> > 5332f0f7-3156-4961-aa67-0b8507265fa5
> >
> > # nova list
> >
> > | 24891d97-8d0e-4e99-9537-c8f8291913d0 | ubuntu-1304-server-amd64 | ACTIVE | iaas-net=192.168.6.100
> >
> > here is quantum network info :
> >
> > # quantum net-list
> >
> > +--------------------------------------+------------------+-------------------------------------------------------+
> > | id                                   | name             | subnets                                               |
> > +--------------------------------------+------------------+-------------------------------------------------------+
> > | 5332f0f7-3156-4961-aa67-0b8507265fa5 | iaas-net         | 329ca377-6193-4a0c-9320-471cd5ff762f 192.168.202.0/24 |
> > |                                      |                  | 83afd693-7e36-41e9-b896-9d8b0d89d255 192.168.6.0/24   |
> > |                                      |                  | bb1afb2d-ab59-4ba4-8a76-8b5b426b8e33 192.168.7.0/24   |
> > |                                      |                  | d59794df-bb49-4924-a19f-cbdec0ce24df 192.168.188.0/24 |
> > |                                      |                  | dca45033-e506-42e4-bf05-aaccd0591c55 192.168.193.0/24 |
> > |                                      |                  | e8a9be74-2f39-4d7e-9287-c5b85b573cca 192.168.192.0/24 |
> >
> > i enabled the following features in quantum
> > 1. namespace
> > 2. overlap ips
> >
> > if any more info needed for debug, i will attach
> >
> > Daniels Cai
> > http://dnscai.com
> >
> > 2013/6/8 Aaron Rosen <aro...@nicira.com>
> >
> > There is no port_security_enabled config option. This is
> > an attribute on a port that is used if the plugin you are
> > using implements the port_security_extension (which is only
> > nvp at the time).
> >
> > I'm guessing your issue is the network you are trying to
> > boot an instance on does not have a subnet associated with it.
> >
> > Aaron
> >
> > On Sat, Jun 8, 2013 at 12:37 AM, daniels cai <danx...@gmail.com> wrote:
> >
> > hi Aaron
> > i set the following in nova.conf
> >
> > security_group_api=quantum
> > firewall_driver=nova.virt.firewall.NoopFirewallDriver
> >
> > it works, but when i try to attach a security group to an
> > exist vm , api throw an error :
> >
> > "Network requires port_security_enabled and subnet
> > associated in order to apply security groups."
> >
> > then i add port_security_enabled in quantum.conf in all nodes.
> > "port_security_enabled=True"
> >
> > with no luck, it still doesn't work .
> >
> > Any advice ? does quantum security group support this
> > feature?
> >
> > Daniels Cai
> > http://dnscai.com
> >
> > 2013/6/8 Aaron Rosen <aro...@nicira.com>
> >
> > Hi Joe,
> >
> > I thought setting firewall_driver =
> > quantum.agent.firewall.NoopFirewallDriver would do the
> > trick? Also, the ovs plugin does not do any mac spoof
> > filtering at the OVS level. Those are all done in iptables.
> >
> > Aaron
> >
> > On Fri, Jun 7, 2013 at 8:22 PM, Joe Breu <joseph.b...@rackspace.com> wrote:
> >
> > Hello,
> >
> > Is there a way to create a quantum l2 network using OVS
> > that does not have MAC and IP spoofing enabled either in
> > iptables or OVS? One workaround that we found was to set
> > the OVS plugin firewall_driver =
> > quantum.agent.firewall.NoopFirewallDriver to
> > security_group_api=nova however this is far from ideal and
> > doesn't solve the problem of MAC spoof filtering at the OVS
> > level.
> >
> > Thanks for any help
> >
> > _______________________________________________
> > Mailing list: https://launchpad.net/~openstack
> > Post to     : openst...@lists.launchpad.net
> > Unsubscribe : https://launchpad.net/~openstack
> > More help   : https://help.launchpad.net/ListHelp
>
> _______________________________________________
> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to     : openstack@lists.openstack.org
> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack