At nova.conf, firewall_driver is under [DEFAULT].
On 29 October 2013 20:58, Martinx - ジェームズ <thiagocmarti...@gmail.com> wrote:
> Hello my friend! =)
>
> Yes, firewall_driver is under [securitygroup].
>
> ---
> root@net-node-1:~# grep -v ^$ /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini | grep -v ^#
> [ovs]
> tenant_network_type = vxlan
> enable_tunneling = True
> tunnel_type = vxlan
> tunnel_id_ranges = 1:1000
> integration_bridge = br-int
> tunnel_bridge = br-tun
> local_ip = 10.20.2.52
>
> [agent]
> polling_interval = 2
> tunnel_types = vxlan
>
> [securitygroup]
> firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
>
> [database]
> connection = mysql://neutronUser:pofs4433...@controller-1.yourdomain.com/neutron
> ---
>
> Aaron, your "nova.conf" that you pasted IS your ovs_neutron_plugin.ini... Can you re-paste it, please?
>
> Tks!
> Thiago
>
>
> On 29 October 2013 19:50, Aaron Rosen <aro...@nicira.com> wrote:
>
>> Hi Martinx,
>>
>> can you confirm that firewall_driver is under the securitygroup section?
>> I can confirm that the following nova.conf and ovs_neutron_plugin.ini work
>> with security groups:
>>
>> nova.conf http://codepad.org/vH3aIs8f
>> ovs_neutron_plugin.ini - http://codepad.org/vH3aIs8f
>>
>> Aaron
>>
>>
>> On Mon, Oct 28, 2013 at 8:41 PM, Martinx - ジェームズ <thiagocmarti...@gmail.com> wrote:
>>
>>> The only way I'm seeing to protect your Havana cloud right now (topology
>>> Per-Tenants Router with Private Networks) is by enabling FWaaS...
>>>
>>> That's it! FWaaS installed, Tenant network protected.
>>>
>>> I think that there is a bug with Security Groups in Havana / Neutron...
>>>
>>> Comments?!
>>>
>>> Regards,
>>> Thiago
>>>
>>>
>>> On 28 October 2013 22:18, Martinx - ジェームズ <thiagocmarti...@gmail.com> wrote:
>>>
>>>> Guys,
>>>>
>>>> A new test to see that the packets currently did not match any iptables
>>>> rules at the compute node, completely bypassing "Security Groups", look:
>>>>
>>>>
>>>> * Instance with ONLY port 80 TCP open:
>>>>
>>>> ---
>>>> root@hypervisor-1:~# iptables -L neutron-openvswi-i2fa3cfab-a -nv
>>>> Chain neutron-openvswi-i2fa3cfab-a (1 references)
>>>>  pkts bytes target                        prot opt in  out  source        destination
>>>>     0     0 DROP                          all  --  *   *    0.0.0.0/0     0.0.0.0/0    state INVALID
>>>>     0     0 RETURN                        all  --  *   *    0.0.0.0/0     0.0.0.0/0    state RELATED,ESTABLISHED
>>>>     0     0 RETURN                        tcp  --  *   *    0.0.0.0/0     0.0.0.0/0    tcp dpt:80
>>>>     0     0 RETURN                        udp  --  *   *    192.168.50.3  0.0.0.0/0    udp spt:67 dpt:68
>>>>     0     0 neutron-openvswi-sg-fallback  all  --  *   *    0.0.0.0/0     0.0.0.0/0
>>>> ---
>>>>
>>>> Starting dumping TCP data directly on instance port:
>>>>
>>>> ---
>>>> root@hypervisor-1:~# tcpdump -ni tap2fa3cfab-a3
>>>> tcpdump: WARNING: tap2fa3cfab-a3: no IPv4 address assigned
>>>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>>>> listening on tap2fa3cfab-a3, link-type EN10MB (Ethernet), capture size 65535 bytes
>>>> ....
>>>> ---
>>>>
>>>> ....and trying to connect at its port 22 from the Internet (not allowed!!):
>>>>
>>>> ---
>>>> thiago@desktop-1:~$ telnet 189.8.93.69 22
>>>> Trying 189.8.93.69...
>>>> Connected to 189.8.93.69.
>>>> Escape character is '^]'.
>>>> SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.1
>>>> ---
>>>>
>>>> NOTE: 189.8.93.69 is the 'Floating IP' attached to that Instance and
>>>> 192.168.50.2 is the Instance IP.
>>>>
>>>> ---
>>>> root@hypervisor-1:~# tcpdump -ni tap2fa3cfab-a3
>>>> tcpdump: WARNING: tap2fa3cfab-a3: no IPv4 address assigned
>>>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>>>> listening on tap2fa3cfab-a3, link-type EN10MB (Ethernet), capture size 65535 bytes
>>>> 22:13:40.800122 IP 200.232.113.107.7955 > 192.168.50.2.22: Flags [S], seq 2257975349, win 29200, options [mss 1460,sackOK,TS val 52435018 ecr 0,nop,wscale 7], length 0
>>>> 22:13:40.800525 IP 192.168.50.2.22 > 200.232.113.107.7955: Flags [S.], seq 2704020835, ack 2257975350, win 14480, options [mss 1460,sackOK,TS val 703831 ecr 52435018,nop,wscale 2], length 0
>>>> 22:13:40.805484 IP 200.232.113.107.7955 > 192.168.50.2.22: Flags [.], ack 1, win 229, options [nop,nop,TS val 52435019 ecr 703831], length 0
>>>> 22:13:40.821804 IP 192.168.50.2.22 > 200.232.113.107.7955: Flags [P.], seq 1:42, ack 1, win 3620, options [nop,nop,TS val 703837 ecr 52435019], length 41
>>>> 22:13:40.826058 IP 200.232.113.107.7955 > 192.168.50.2.22: Flags [.], ack 42, win 229, options [nop,nop,TS val 52435025 ecr 703837], length 0
>>>> ---
>>>>
>>>> See?! Security Groups are being ignored.
>>>>
>>>> Please, help!
>>>>
>>>> Thanks! =)
>>>> Thiago
>>>>
>>>>
>>>> On 28 October 2013 22:03, Martinx - ジェームズ <thiagocmarti...@gmail.com> wrote:
>>>>
>>>>> Okay, I think I got it...
>>>>>
>>>>> Nova should proxy 'Security Groups' calls to Neutron (and not do it by
>>>>> itself), so, it must have:
>>>>>
>>>>> --- nova.conf ---
>>>>> firewall_driver = nova.virt.firewall.NoopFirewallDriver
>>>>> security_group_api = neutron
>>>>> ---
>>>>>
>>>>> At Neutron OVS Agent (ovs_neutron_plugin.ini), you must set:
>>>>>
>>>>> ---
>>>>> firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
>>>>> ---
>>>>>
>>>>> Source:
>>>>> http://docs.openstack.org/havana/install-guide/install/apt/content/install-neutron.install-plugin.ovs.html
>>>>>
>>>>> BUT, it doesn't work.
>>>>>
>>>>> All my Security Groups rules are just being ignored. They are all
>>>>> applied at the Compute Node OVS ports but, no effect at all.
>>>>>
>>>>> Thanks!
>>>>> Thiago
>>>>>
>>>>>
>>>>> On 28 October 2013 21:26, Martinx - ジェームズ <thiagocmarti...@gmail.com> wrote:
>>>>>
>>>>>> Well,
>>>>>>
>>>>>> Now I'm using "firewall_driver = nova.virt.firewall.NoopFirewallDriver"
>>>>>> for both Nova and Neutron (Open vSwitch Agent) but, Security Groups
>>>>>> rules are applied but ignored.
>>>>>>
>>>>>> Tips!?
>>>>>>
>>>>>> Thanks!
>>>>>> Thiago
>>>>>>
>>>>>>
>>>>>> On 28 October 2013 21:13, Martinx - ジェームズ <thiagocmarti...@gmail.com> wrote:
>>>>>>
>>>>>>> Guys,
>>>>>>>
>>>>>>> I'm back using "libvirt_vif_driver = nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver"
>>>>>>> (nova-compute.conf) but the problem persists for "tenant1".
>>>>>>>
>>>>>>> My nova.conf contains:
>>>>>>>
>>>>>>> ---
>>>>>>> # Network settings
>>>>>>> network_api_class = nova.network.neutronv2.api.API
>>>>>>> neutron_url = http://contrller-1.mydomain.com:9696
>>>>>>> neutron_auth_strategy = keystone
>>>>>>> neutron_admin_tenant_name = service
>>>>>>> neutron_admin_username = neutron
>>>>>>> neutron_admin_password = 123test123
>>>>>>> neutron_admin_auth_url = http://controller-1.mydomain.com:35357/v2.0
>>>>>>>
>>>>>>> linuxnet_interface_driver = nova.network.linux_net.LinuxOVSInterfaceDriver
>>>>>>>
>>>>>>> # If you want Neutron + Nova Security groups
>>>>>>> firewall_driver = nova.virt.firewall.NoopFirewallDriver
>>>>>>> security_group_api = neutron
>>>>>>> ---
>>>>>>>
>>>>>>> Is that a valid configuration for Havana?! I got it from my
>>>>>>> previous Grizzly setup.
>>>>>>>
>>>>>>> Also, I just realized that there are two places to configure the
>>>>>>> "firewall_driver": the first one is located at nova.conf, the second is
>>>>>>> located at "ovs_neutron_plugin.ini" under [securitygroups]. Of course, I
>>>>>>> believe they must "match", I mean, it must be the same for both services, right?!
>>>>>>>
>>>>>>> Thanks!
>>>>>>> Thiago
>>>>>>>
>>>>>>>
>>>>>>> On 28 October 2013 20:30, Martinx - ジェームズ <thiagocmarti...@gmail.com> wrote:
>>>>>>>
>>>>>>>> Stackers!
>>>>>>>>
>>>>>>>> I'm trying to configure my Security Groups and I'm seeing that the
>>>>>>>> rules are being applied at the Compute Node OVS ports (iptables /
>>>>>>>> ip6tables) BUT it has no effect (or is just being ignored?).
>>>>>>>>
>>>>>>>> I'm using Ubuntu 12.04.3 + Havana from Cloud Archive.
>>>>>>>>
>>>>>>>>
>>>>>>>> For example:
>>>>>>>>
>>>>>>>> I have 1 Instance with 1 Floating IP attached to it, open port is: 80.
>>>>>>>>
>>>>>>>> Look:
>>>>>>>>
>>>>>>>> ---
>>>>>>>> root@hypervisor-1:~# iptables -L neutron-openvswi-i9cf07c24-7 -nv
>>>>>>>> Chain neutron-openvswi-i9cf07c24-7 (1 references)
>>>>>>>>  pkts bytes target                        prot opt in  out  source        destination
>>>>>>>>     0     0 DROP                          all  --  *   *    0.0.0.0/0     0.0.0.0/0    state INVALID
>>>>>>>>     0     0 RETURN                        all  --  *   *    0.0.0.0/0     0.0.0.0/0    state RELATED,ESTABLISHED
>>>>>>>>     0     0 RETURN                        tcp  --  *   *    0.0.0.0/0     0.0.0.0/0    tcp dpt:80
>>>>>>>>     0     0 RETURN                        udp  --  *   *    192.168.50.3  0.0.0.0/0    udp spt:67 dpt:68
>>>>>>>>     0     0 neutron-openvswi-sg-fallback  all  --  *   *    0.0.0.0/0     0.0.0.0/0
>>>>>>>> ---
>>>>>>>>
>>>>>>>>
>>>>>>>> The problem is that the respective Instance still answers SSH to
>>>>>>>> the Internet. I mean, ALL ports are OPEN!! Regardless of what I typed
>>>>>>>> at its Security Groups.
>>>>>>>>
>>>>>>>> I created one "Security Group", called "web", only with TCP port 80
>>>>>>>> on it, nothing more, nothing less. This Instance doesn't belong to the
>>>>>>>> "default" Security Group, only "web".
>>>>>>>>
>>>>>>>> Recently I've changed the libvirt_vif_driver from
>>>>>>>> nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver to
>>>>>>>> nova.virt.libvirt.vif.LibvirtOpenVswitchDriver, maybe it is the cause?!
>>>>>>>>
>>>>>>>> Any tips!?
>>>>>>>>
>>>>>>>> Thanks!
>>>>>>>> Thiago
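A defender's sanity check distilled from this thread, added here as example code that belongs to neither the posters nor OpenStack: it parses nova.conf and ovs_neutron_plugin.ini for the settings Thiago and Aaron compare, flags the non-hybrid VIF driver Thiago mentions (the iptables-based driver only filters traffic that crosses the Linux bridge the hybrid driver inserts), and sums the packet counters of an `iptables -L <chain> -nv` dump, because a chain that never counts a packet while the instance answers on port 22 is being bypassed. The sample configs and iptables output are constructed, not copied from the posts.

```python
import configparser
# Constructed samples mirroring the settings quoted in the thread (not the poster's real files).
NOVA_CONF = """[DEFAULT]
libvirt_vif_driver = nova.virt.libvirt.vif.LibvirtOpenVswitchDriver
firewall_driver = nova.virt.firewall.NoopFirewallDriver
security_group_api = neutron
"""
OVS_INI = """[securitygroup]
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
"""
# Constructed `iptables -L <chain> -nv` output with the all-zero counters seen in the thread.
IPTABLES_OUT = """Chain neutron-openvswi-i2fa3cfab-a (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
    0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 neutron-openvswi-sg-fallback  all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""
HYBRID_VIF = "nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver"
def _load(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp

def check_sg_config(nova_conf, ovs_ini):
    """Return findings that would leave Neutron security groups unenforced on a compute node."""
    nova, ovs = _load(nova_conf)["DEFAULT"], _load(ovs_ini)
    findings = []
    if nova.get("security_group_api", "nova") != "neutron":
        findings.append("nova.conf: security_group_api must be 'neutron' so Nova proxies SG calls")
    if nova.get("firewall_driver") != "nova.virt.firewall.NoopFirewallDriver":
        findings.append("nova.conf: firewall_driver must be NoopFirewallDriver when Neutron enforces")
    if nova.get("libvirt_vif_driver", HYBRID_VIF) != HYBRID_VIF:
        # A tap plugged straight into OVS never traverses the iptables chains on the hybrid bridge.
        findings.append("nova.conf: libvirt_vif_driver is not LibvirtHybridOVSBridgeDriver")
    sg = ovs["securitygroup"] if ovs.has_section("securitygroup") else {}
    if "iptables_firewall" not in sg.get("firewall_driver", ""):
        findings.append("ovs_neutron_plugin.ini: [securitygroup] firewall_driver is not an iptables driver")
    return findings

def _count(tok):
    """Parse one iptables -nv counter, which may carry a K/M/G suffix."""
    mult = {"K": 10 ** 3, "M": 10 ** 6, "G": 10 ** 9}
    if tok[-1] in mult and tok[:-1].isdigit():
        return int(tok[:-1]) * mult[tok[-1]]
    return int(tok) if tok.isdigit() else None

def chain_packet_count(iptables_out):
    """Sum the pkts column; zero while the VM serves connections means the chain is bypassed."""
    counts = (_count(line.split()[0]) for line in iptables_out.splitlines()[2:] if line.split())
    return sum(c for c in counts if c is not None)
```

Run it against the real files and `iptables -L <per-port chain> -nv` while a known-good connection to the instance is open; a non-empty findings list or a zero packet count points at the bypass rather than at the rule set.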
_______________________________________________ Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack Post to : openstack@lists.openstack.org Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack