Hi Martinx, can you confirm that firewall_driver is under the securitygroup section? I can confirm that the following nova.conf and ovs_neutron_plugin.ini work with security groups:
nova.conf - http://codepad.org/vH3aIs8f
ovs_neutron_plugin.ini - http://codepad.org/vH3aIs8f

Aaron

On Mon, Oct 28, 2013 at 8:41 PM, Martinx - ジェームズ <thiagocmarti...@gmail.com> wrote:

> The only way I'm seeing to protect your Havana cloud right now (topology
> Per-Tenants Router with Private Networks) is by enabling FWaaS...
>
> That's it! FWaaS installed, Tenant network protected.
>
> I think that there is a bug with Security Groups in Havana / Neutron...
>
> Comments?!
>
> Regards,
> Thiago
>
>
> On 28 October 2013 22:18, Martinx - ジェームズ <thiagocmarti...@gmail.com> wrote:
>
>> Guys,
>>
>> A new test to see that the packets currently did not match any iptables
>> rules at the compute node, completely bypassing "Security Groups", look:
>>
>>
>> * Instance with ONLY port 80 TCP open:
>>
>> ---
>> root@hypervisor-1:~# iptables -L neutron-openvswi-i2fa3cfab-a -nv
>> Chain neutron-openvswi-i2fa3cfab-a (1 references)
>>  pkts bytes target     prot opt in     out     source               destination
>>     0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
>>     0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>>     0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
>>     0     0 RETURN     udp  --  *      *       192.168.50.3         0.0.0.0/0            udp spt:67 dpt:68
>>     0     0 neutron-openvswi-sg-fallback  all  --  *      *       0.0.0.0/0            0.0.0.0/0
>> ---
>>
>> Starting dumping TCP data directly on the instance port:
>>
>> ---
>> root@hypervisor-1:~# tcpdump -ni tap2fa3cfab-a3
>> tcpdump: WARNING: tap2fa3cfab-a3: no IPv4 address assigned
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> listening on tap2fa3cfab-a3, link-type EN10MB (Ethernet), capture size 65535 bytes
>> ....
>> ---
>>
>> ....and trying to connect to its port 22 from the Internet (not allowed!!):
>>
>> ---
>> thiago@desktop-1:~$ telnet 189.8.93.69 22
>> Trying 189.8.93.69...
>> Connected to 189.8.93.69.
>> Escape character is '^]'.
>> SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.1
>> ---
>>
>> NOTE: 189.8.93.69 is the 'Floating IP' attached to that Instance and
>> 192.168.50.2 is the Instance IP.
>>
>> ---
>> root@hypervisor-1:~# tcpdump -ni tap2fa3cfab-a3
>> tcpdump: WARNING: tap2fa3cfab-a3: no IPv4 address assigned
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> listening on tap2fa3cfab-a3, link-type EN10MB (Ethernet), capture size 65535 bytes
>> 22:13:40.800122 IP 200.232.113.107.7955 > 192.168.50.2.22: Flags [S], seq 2257975349, win 29200, options [mss 1460,sackOK,TS val 52435018 ecr 0,nop,wscale 7], length 0
>> 22:13:40.800525 IP 192.168.50.2.22 > 200.232.113.107.7955: Flags [S.], seq 2704020835, ack 2257975350, win 14480, options [mss 1460,sackOK,TS val 703831 ecr 52435018,nop,wscale 2], length 0
>> 22:13:40.805484 IP 200.232.113.107.7955 > 192.168.50.2.22: Flags [.], ack 1, win 229, options [nop,nop,TS val 52435019 ecr 703831], length 0
>> 22:13:40.821804 IP 192.168.50.2.22 > 200.232.113.107.7955: Flags [P.], seq 1:42, ack 1, win 3620, options [nop,nop,TS val 703837 ecr 52435019], length 41
>> 22:13:40.826058 IP 200.232.113.107.7955 > 192.168.50.2.22: Flags [.], ack 42, win 229, options [nop,nop,TS val 52435025 ecr 703837], length 0
>> ---
>>
>> See?! Security Groups are being ignored.
>>
>> Please, help!
>>
>> Thanks! =)
>> Thiago
>>
>>
>> On 28 October 2013 22:03, Martinx - ジェームズ <thiagocmarti...@gmail.com> wrote:
>>
>>> Okay, I think I got it...
>>>
>>> Nova should proxy 'Security Groups' calls to Neutron (and not do it by
>>> itself), so it must have:
>>>
>>> --- nova.conf ---
>>> firewall_driver = nova.virt.firewall.NoopFirewallDriver
>>> security_group_api = neutron
>>> ---
>>>
>>> At the Neutron OVS Agent (ovs_neutron_plugin.ini), you must set:
>>>
>>> ---
>>> firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
>>> ---
>>>
>>> Source:
>>> http://docs.openstack.org/havana/install-guide/install/apt/content/install-neutron.install-plugin.ovs.html
>>>
>>> BUT, it doesn't work.
>>>
>>> All my Security Groups rules are just being ignored. They are all
>>> applied at the Compute Node OVS ports but have no effect at all.
>>>
>>> Thanks!
>>> Thiago
>>>
>>>
>>> On 28 October 2013 21:26, Martinx - ジェームズ <thiagocmarti...@gmail.com> wrote:
>>>
>>>> Well,
>>>>
>>>> Now I'm using "firewall_driver = nova.virt.firewall.NoopFirewallDriver"
>>>> for both Nova and Neutron (Open vSwitch Agent) but Security Groups rules
>>>> are applied but ignored.
>>>>
>>>> Tips!?
>>>>
>>>> Thanks!
>>>> Thiago
>>>>
>>>>
>>>> On 28 October 2013 21:13, Martinx - ジェームズ <thiagocmarti...@gmail.com> wrote:
>>>>
>>>>> Guys,
>>>>>
>>>>> I'm back using "libvirt_vif_driver =
>>>>> nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver" (nova-compute.conf) but
>>>>> the problem persists for "tenant1".
>>>>>
>>>>> My nova.conf contains:
>>>>>
>>>>> ---
>>>>> # Network settings
>>>>> network_api_class = nova.network.neutronv2.api.API
>>>>> neutron_url = http://contrller-1.mydomain.com:9696
>>>>> neutron_auth_strategy = keystone
>>>>> neutron_admin_tenant_name = service
>>>>> neutron_admin_username = neutron
>>>>> neutron_admin_password = 123test123
>>>>> neutron_admin_auth_url = http://controller-1.mydomain.com:35357/v2.0
>>>>>
>>>>> linuxnet_interface_driver = nova.network.linux_net.LinuxOVSInterfaceDriver
>>>>>
>>>>> # If you want Neutron + Nova Security groups
>>>>> firewall_driver = nova.virt.firewall.NoopFirewallDriver
>>>>> security_group_api = neutron
>>>>> ---
>>>>>
>>>>> Is that a valid configuration for Havana?! I got it from my previous
>>>>> Grizzly setup.
>>>>>
>>>>> Also, I just realized that there are two places to configure the
>>>>> "firewall_driver": the first one is located at nova.conf, the second is
>>>>> located at "ovs_neutron_plugin.ini" under [securitygroups]. Of course, I believe
>>>>> they must "match", I mean, it must be the same for both services, right?!
>>>>>
>>>>> Thanks!
>>>>> Thiago
>>>>>
>>>>>
>>>>> On 28 October 2013 20:30, Martinx - ジェームズ <thiagocmarti...@gmail.com> wrote:
>>>>>
>>>>>> Stackers!
>>>>>>
>>>>>> I'm trying to configure my Security Groups and I'm seeing that the
>>>>>> rules are being applied at the Compute Node OVS ports (iptables /
>>>>>> ip6tables) BUT they have no effect (or are just being ignored?).
>>>>>>
>>>>>> I'm using Ubuntu 12.04.3 + Havana from Cloud Archive.
>>>>>>
>>>>>>
>>>>>> For example:
>>>>>>
>>>>>> I have 1 Instance with 1 Floating IP attached to it, open port is: 80.
>>>>>>
>>>>>> Look:
>>>>>>
>>>>>> ---
>>>>>> root@hypervisor-1:~# iptables -L neutron-openvswi-i9cf07c24-7 -nv
>>>>>> Chain neutron-openvswi-i9cf07c24-7 (1 references)
>>>>>>  pkts bytes target     prot opt in     out     source               destination
>>>>>>     0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
>>>>>>     0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>>>>>>     0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
>>>>>>     0     0 RETURN     udp  --  *      *       192.168.50.3         0.0.0.0/0            udp spt:67 dpt:68
>>>>>>     0     0 neutron-openvswi-sg-fallback  all  --  *      *       0.0.0.0/0            0.0.0.0/0
>>>>>> ---
>>>>>>
>>>>>>
>>>>>> The problem is that the respective Instance still answers SSH to the
>>>>>> Internet. I mean, ALL ports are OPEN!! Regardless of what I typed at its
>>>>>> Security Groups.
>>>>>>
>>>>>> I created one "Security Group", called "web", only with TCP port 80
>>>>>> on it, nothing more, nothing less. This Instance doesn't belong to the
>>>>>> "default" Security Group, only "web".
>>>>>>
>>>>>> Recently I've changed the libvirt_vif_driver from
>>>>>> nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver to
>>>>>> nova.virt.libvirt.vif.LibvirtOpenVswitchDriver, maybe it is the cause?!
>>>>>>
>>>>>> Any tips!?
>>>>>>
>>>>>> Thanks!
>>>>>> Thiago
>>>>>>
>>>>>
>>>>>
>>>>
>>>
>>
>
> _______________________________________________
> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to     : openstack@lists.openstack.org
> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>
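The thread turns on two checks a practitioner would want to run before blaming Neutron: whether firewall_driver sits in the section the OVS agent actually reads, which is the singular [securitygroup] that Aaron asks about and that the Havana install guide linked above uses (one of the quoted messages spells it [securitygroups]), and whether the per-port iptables chain is on the data path at all. Every counter in Thiago's listing is 0, including the RELATED,ESTABLISHED rule, while the SSH handshake on port 22 completes; that means the frames never traverse the chain rather than that a rule is wrong. iptables only sees a VM's frames when its tap is attached to a Linux bridge with bridge-nf-call-iptables enabled, which is what the "hybrid" in OVSHybridIptablesFirewallDriver refers to; a tap plugged straight into the OVS integration bridge bypasses these chains. The script below is an added example, not code from the thread or from OpenStack. The config fragments are constructed from the values quoted in the thread (section naming is an assumption as stated), and the iptables listing is the one from the thread, so it runs offline.

```python
"""Offline checker for the Havana security-group wiring discussed in the thread.
Added example; not OpenStack code. Inputs are constructed from the quoted
messages: two ovs_neutron_plugin.ini variants (wrong and right section name,
an assumption based on the singular [securitygroup] the agent reads), a
nova.conf fragment, and the per-port iptables chain listing.
"""
import configparser
import re

HYBRID_DRIVER = ("neutron.agent.linux.iptables_firewall."
                 "OVSHybridIptablesFirewallDriver")
NOOP_DRIVER = "nova.virt.firewall.NoopFirewallDriver"

NOVA_CONF = """
[DEFAULT]
network_api_class = nova.network.neutronv2.api.API
firewall_driver = nova.virt.firewall.NoopFirewallDriver
security_group_api = neutron
"""

# Section name as typed in one of the quoted messages (plural): not read by the agent.
OVS_INI_BAD = """
[securitygroups]
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
"""

# Section name the agent reads (singular), as in Aaron's question.
OVS_INI_GOOD = """
[securitygroup]
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
"""

# Constructed copy of the `iptables -L neutron-openvswi-i2fa3cfab-a -nv` output from the thread.
IPTABLES_LISTING = """\
Chain neutron-openvswi-i2fa3cfab-a (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 RETURN     udp  --  *      *       192.168.50.3         0.0.0.0/0            udp spt:67 dpt:68
    0     0 neutron-openvswi-sg-fallback  all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""


def _load(text):
    # oslo.config does not inherit [DEFAULT] values into other sections, so
    # turn off configparser's DEFAULT propagation (and % interpolation).
    cp = configparser.ConfigParser(default_section="__no_defaults__",
                                   interpolation=None)
    cp.read_string(text)
    return cp


def check_configs(nova_conf, ovs_ini):
    """Return a list of problems; an empty list means the wiring looks right."""
    problems = []
    nova = _load(nova_conf)
    if nova.get("DEFAULT", "security_group_api", fallback="") != "neutron":
        problems.append("nova.conf: security_group_api must be 'neutron'")
    if nova.get("DEFAULT", "firewall_driver", fallback="") != NOOP_DRIVER:
        problems.append("nova.conf: firewall_driver must be " + NOOP_DRIVER)
    ovs = _load(ovs_ini)
    if not ovs.has_section("securitygroup"):
        problems.append("ovs_neutron_plugin.ini: no [securitygroup] section "
                        "(found: %s)" % ", ".join(ovs.sections()))
    if ovs.get("securitygroup", "firewall_driver", fallback="") != HYBRID_DRIVER:
        problems.append("ovs_neutron_plugin.ini: firewall_driver under "
                        "[securitygroup] must be " + HYBRID_DRIVER)
    return problems


def _counter(text):
    """Parse an iptables -v counter such as '0', '12K' or '3M' into an int."""
    mult = {"K": 1000, "M": 1000000, "G": 1000000000}
    return int(text[:-1]) * mult[text[-1]] if text[-1] in mult else int(text)


def parse_chain(listing):
    """Parse `iptables -L <chain> -nv` output. Assumes every rule names a
    target, as all rules in the thread do (a rule without -j leaves the
    target column blank and shifts the fields)."""
    lines = listing.strip().splitlines()
    head = re.match(r"Chain (\S+) \((\d+) references\)", lines[0])
    rules = []
    for line in lines[2:]:  # lines[1] is the column header row
        f = line.split()
        rules.append({"pkts": _counter(f[0]), "bytes": _counter(f[1]),
                      "target": f[2], "prot": f[3], "src": f[7],
                      "dst": f[8], "match": " ".join(f[9:])})
    return {"chain": head.group(1), "references": int(head.group(2)),
            "rules": rules}


def diagnose_chain(listing):
    """Say whether the per-port chain is on the data path at all."""
    info = parse_chain(listing)
    hits = sum(r["pkts"] for r in info["rules"])
    if info["references"] == 0:
        return "unreferenced: nothing jumps to %s" % info["chain"]
    if hits == 0:
        return ("no rule matched a packet: traffic is not traversing iptables "
                "for this port (even RELATED,ESTABLISHED is 0); check that the "
                "tap sits on a Linux bridge and not directly on br-int")
    return "ok: %d packets matched in %s" % (hits, info["chain"])


if __name__ == "__main__":
    for name, ini in (("bad", OVS_INI_BAD), ("good", OVS_INI_GOOD)):
        print(name, check_configs(NOVA_CONF, ini) or "OK")
    print(diagnose_chain(IPTABLES_LISTING))
```

On a real compute node, feed check_configs the actual files and parse_chain the live output of `iptables -L neutron-openvswi-i<port-prefix> -nv`; a chain whose counters stay at 0 while a tcpdump on the tap shows the connection completing is the bypass signature, and the thing to inspect next is the VIF plugging, not the rules.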