Well, now I'm using "firewall_driver = nova.virt.firewall.NoopFirewallDriver" for both Nova and Neutron (Open vSwitch Agent), but Security Group rules are applied but ignored.

Tips!?

Thanks!
Thiago

On 28 October 2013 21:13, Martinx - ジェームズ <thiagocmarti...@gmail.com> wrote:

> Guys,
>
> I'm back using "libvirt_vif_driver =
> nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver" (nova-compute.conf) but
> the problem persists for "tenant1".
>
> My nova.conf contains:
>
> ---
> # Network settings
> network_api_class = nova.network.neutronv2.api.API
> neutron_url = http://contrller-1.mydomain.com:9696
> neutron_auth_strategy = keystone
> neutron_admin_tenant_name = service
> neutron_admin_username = neutron
> neutron_admin_password = 123test123
> neutron_admin_auth_url = http://controller-1.mydomain.com:35357/v2.0
>
> linuxnet_interface_driver = nova.network.linux_net.LinuxOVSInterfaceDriver
>
> # If you want Neutron + Nova Security groups
> firewall_driver = nova.virt.firewall.NoopFirewallDriver
> security_group_api = neutron
> ---
>
> Is that a valid configuration for Havana?! I got it from my previous
> Grizzly setup.
>
> Also, I just realized that there are two places to configure the
> "firewall_driver": the first one is located at nova.conf, the second is located
> at "ovs_neutron_plugin.ini" under [securitygroups]. Of course, I believe
> they must "match", I mean, it must be the same for both services, right?!
>
> Thanks!
> Thiago
>
>
> On 28 October 2013 20:30, Martinx - ジェームズ <thiagocmarti...@gmail.com> wrote:
>
>> Stackers!
>>
>> I'm trying to configure my Security Groups and I'm seeing that the rules
>> are being applied at the Compute Node OVS ports (iptables / ip6tables) BUT
>> it has no effect (or is just being ignored?).
>>
>> I'm using Ubuntu 12.04.3 + Havana from Cloud Archive.
>>
>>
>> For example:
>>
>> I have 1 Instance with 1 Floating IP attached to it, open port is: 80.
>>
>> Look:
>>
>> ---
>> root@hypervisor-1:~# iptables -L neutron-openvswi-i9cf07c24-7 -nv
>> Chain neutron-openvswi-i9cf07c24-7 (1 references)
>>  pkts bytes target                        prot opt in  out  source        destination
>>     0     0 DROP                          all  --  *   *    0.0.0.0/0     0.0.0.0/0    state INVALID
>>     0     0 RETURN                        all  --  *   *    0.0.0.0/0     0.0.0.0/0    state RELATED,ESTABLISHED
>>     0     0 RETURN                        tcp  --  *   *    0.0.0.0/0     0.0.0.0/0    tcp dpt:80
>>     0     0 RETURN                        udp  --  *   *    192.168.50.3  0.0.0.0/0    udp spt:67 dpt:68
>>     0     0 neutron-openvswi-sg-fallback  all  --  *   *    0.0.0.0/0     0.0.0.0/0
>> ---
>>
>>
>> The problem is that the respective Instance still answers SSH to the
>> Internet. I mean, ALL ports are OPEN!! Regardless of what I typed at its
>> Security Groups.
>>
>> I created one "Security Group", called "web", only with TCP port 80 on
>> it, nothing more, nothing less. This Instance doesn't belong to the
>> "default" Security Group, only "web".
>>
>> Recently I've changed the *libvirt_vif_driver* from
>> *nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver* to
>> *nova.virt.libvirt.vif.LibvirtOpenVswitchDriver*, maybe it is the cause?!
>>
>> Any tips!?
>>
>> Thanks!
>> Thiago
>>
>
>
_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to     : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack