Hi! I'm back to "LibvirtHybridOVSBridgeDriver" and Security Groups are working again... I did some cleanups / reboots to make sure, and it is okay now.
Tks!
Thiago

On 30 October 2013 19:48, Martinx - ジェームズ <thiagocmarti...@gmail.com> wrote:

> No problem... =)
>
> My nova.conf [DEFAULT] section has:
>
> ---
> firewall_driver = nova.virt.firewall.NoopFirewallDriver
> security_group_api = neutron
> libvirt_vif_driver = nova.virt.libvirt.vif.LibvirtOpenVswitchDriver
> ---
>
> But, even with "libvirt_vif_driver = nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver",
> it doesn't work as expected... I can fall back to HybridOVS, if required /
> recommended (but the non-hybrid is faster).
>
> Tks,
> Thiago
>
>
> On 30 October 2013 16:14, Aaron Rosen <aro...@nicira.com> wrote:
>
>> Whoops, sorry about that: nova.conf - http://codepad.org/howA9b1E
>>
>> The only settings that matter for this would be:
>>
>> firewall_driver=nova.virt.firewall.NoopFirewallDriver
>> security_group_api=quantum
>> libvirt_vif_driver=nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver
>>
>>
>> On Tue, Oct 29, 2013 at 4:17 PM, Martinx - ジェームズ <thiagocmarti...@gmail.com> wrote:
>>
>>> At nova.conf, firewall_driver is under [DEFAULT].
>>>
>>>
>>> On 29 October 2013 20:58, Martinx - ジェームズ <thiagocmarti...@gmail.com> wrote:
>>>
>>>> Hello my friend! =)
>>>>
>>>> Yes, firewall_driver is under [securitygroup].
>>>>
>>>> ---
>>>> root@net-node-1:~# grep -v ^$ /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini | grep -v ^#
>>>> [ovs]
>>>> tenant_network_type = vxlan
>>>> enable_tunneling = True
>>>> tunnel_type = vxlan
>>>> tunnel_id_ranges = 1:1000
>>>> integration_bridge = br-int
>>>> tunnel_bridge = br-tun
>>>> local_ip = 10.20.2.52
>>>>
>>>> [agent]
>>>> polling_interval = 2
>>>> tunnel_types = vxlan
>>>>
>>>> [securitygroup]
>>>> firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
>>>>
>>>> [database]
>>>> connection = mysql://neutronUser:pofs4433...@controller-1.yourdomain.com/neutron
>>>> ---
>>>>
>>>> Aaron, the "nova.conf" that you pasted IS your ovs_neutron_plugin.ini...
>>>> Can you re-paste it, please?
>>>>
>>>> Tks!
>>>> Thiago
>>>>
>>>>
>>>> On 29 October 2013 19:50, Aaron Rosen <aro...@nicira.com> wrote:
>>>>
>>>>> Hi Martinx,
>>>>>
>>>>> can you confirm that firewall_driver is under the securitygroup
>>>>> section? I can confirm that the following nova.conf and
>>>>> ovs_neutron_plugin.ini work with security groups:
>>>>>
>>>>> nova.conf http://codepad.org/vH3aIs8f
>>>>> ovs_neutron_plugin.ini - http://codepad.org/vH3aIs8f
>>>>>
>>>>> Aaron
>>>>>
>>>>>
>>>>> On Mon, Oct 28, 2013 at 8:41 PM, Martinx - ジェームズ <thiagocmarti...@gmail.com> wrote:
>>>>>
>>>>>> The only way I'm seeing to protect your Havana cloud right now
>>>>>> (topology Per-Tenant Routers with Private Networks) is by enabling
>>>>>> FWaaS...
>>>>>>
>>>>>> That's it! FWaaS installed, tenant network protected.
>>>>>>
>>>>>> I think that there is a bug with Security Groups in Havana / Neutron...
>>>>>>
>>>>>> Comments?!
>>>>>>
>>>>>> Regards,
>>>>>> Thiago
>>>>>>
>>>>>>
>>>>>> On 28 October 2013 22:18, Martinx - ジェームズ <thiagocmarti...@gmail.com> wrote:
>>>>>>
>>>>>>> Guys,
>>>>>>>
>>>>>>> A new test to show that the packets currently do not match any
>>>>>>> iptables rules at the compute node, completely bypassing "Security Groups".
>>>>>>> Look:
>>>>>>>
>>>>>>>
>>>>>>> * Instance with ONLY port 80 TCP open:
>>>>>>>
>>>>>>> ---
>>>>>>> root@hypervisor-1:~# iptables -L neutron-openvswi-i2fa3cfab-a -nv
>>>>>>> Chain neutron-openvswi-i2fa3cfab-a (1 references)
>>>>>>>  pkts bytes target     prot opt in     out     source               destination
>>>>>>>     0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
>>>>>>>     0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>>>>>>>     0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
>>>>>>>     0     0 RETURN     udp  --  *      *       192.168.50.3         0.0.0.0/0            udp spt:67 dpt:68
>>>>>>>     0     0 neutron-openvswi-sg-fallback  all  --  *      *       0.0.0.0/0            0.0.0.0/0
>>>>>>> ---
>>>>>>>
>>>>>>> Starting to dump TCP data directly on the instance port:
>>>>>>>
>>>>>>> ---
>>>>>>> root@hypervisor-1:~# tcpdump -ni tap2fa3cfab-a3
>>>>>>> tcpdump: WARNING: tap2fa3cfab-a3: no IPv4 address assigned
>>>>>>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>>>>>>> listening on tap2fa3cfab-a3, link-type EN10MB (Ethernet), capture size 65535 bytes
>>>>>>> ....
>>>>>>> ---
>>>>>>>
>>>>>>> ...and trying to connect to its port 22 from the Internet (not allowed!!):
>>>>>>>
>>>>>>> ---
>>>>>>> thiago@desktop-1:~$ telnet 189.8.93.69 22
>>>>>>> Trying 189.8.93.69...
>>>>>>> Connected to 189.8.93.69.
>>>>>>> Escape character is '^]'.
>>>>>>> SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.1
>>>>>>> ---
>>>>>>>
>>>>>>> NOTE: 189.8.93.69 is the 'Floating IP' attached to that Instance
>>>>>>> and 192.168.50.2 is the Instance IP.
>>>>>>>
>>>>>>> ---
>>>>>>> root@hypervisor-1:~# tcpdump -ni tap2fa3cfab-a3
>>>>>>> tcpdump: WARNING: tap2fa3cfab-a3: no IPv4 address assigned
>>>>>>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>>>>>>> listening on tap2fa3cfab-a3, link-type EN10MB (Ethernet), capture size 65535 bytes
>>>>>>> 22:13:40.800122 IP 200.232.113.107.7955 > 192.168.50.2.22: Flags [S], seq 2257975349, win 29200, options [mss 1460,sackOK,TS val 52435018 ecr 0,nop,wscale 7], length 0
>>>>>>> 22:13:40.800525 IP 192.168.50.2.22 > 200.232.113.107.7955: Flags [S.], seq 2704020835, ack 2257975350, win 14480, options [mss 1460,sackOK,TS val 703831 ecr 52435018,nop,wscale 2], length 0
>>>>>>> 22:13:40.805484 IP 200.232.113.107.7955 > 192.168.50.2.22: Flags [.], ack 1, win 229, options [nop,nop,TS val 52435019 ecr 703831], length 0
>>>>>>> 22:13:40.821804 IP 192.168.50.2.22 > 200.232.113.107.7955: Flags [P.], seq 1:42, ack 1, win 3620, options [nop,nop,TS val 703837 ecr 52435019], length 41
>>>>>>> 22:13:40.826058 IP 200.232.113.107.7955 > 192.168.50.2.22: Flags [.], ack 42, win 229, options [nop,nop,TS val 52435025 ecr 703837], length 0
>>>>>>> ---
>>>>>>>
>>>>>>> See?! Security Groups are being ignored.
>>>>>>>
>>>>>>> Please, help!
>>>>>>>
>>>>>>> Thanks! =)
>>>>>>> Thiago
>>>>>>>
>>>>>>>
>>>>>>> On 28 October 2013 22:03, Martinx - ジェームズ <thiagocmarti...@gmail.com> wrote:
>>>>>>>
>>>>>>>> Okay, I think I got it...
>>>>>>>>
>>>>>>>> Nova should proxy 'Security Groups' calls to Neutron (and not do it
>>>>>>>> by itself), so, it must have:
>>>>>>>>
>>>>>>>> --- nova.conf ---
>>>>>>>> firewall_driver = nova.virt.firewall.NoopFirewallDriver
>>>>>>>> security_group_api = neutron
>>>>>>>> ---
>>>>>>>>
>>>>>>>> At the Neutron OVS Agent (ovs_neutron_plugin.ini), you must set:
>>>>>>>>
>>>>>>>> ---
>>>>>>>> firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
>>>>>>>> ---
>>>>>>>>
>>>>>>>> Source:
>>>>>>>> http://docs.openstack.org/havana/install-guide/install/apt/content/install-neutron.install-plugin.ovs.html
>>>>>>>>
>>>>>>>> BUT, it doesn't work.
>>>>>>>>
>>>>>>>> All my Security Groups rules are just being ignored. They are all
>>>>>>>> applied at the Compute Node OVS ports but, no effect at all.
>>>>>>>>
>>>>>>>> Thanks!
>>>>>>>> Thiago
>>>>>>>>
>>>>>>>>
>>>>>>>> On 28 October 2013 21:26, Martinx - ジェームズ <thiagocmarti...@gmail.com> wrote:
>>>>>>>>
>>>>>>>>> Well,
>>>>>>>>>
>>>>>>>>> Now I'm using "firewall_driver = nova.virt.firewall.NoopFirewallDriver"
>>>>>>>>> for both Nova and Neutron (Open vSwitch Agent) but, Security Groups
>>>>>>>>> rules are applied but ignored.
>>>>>>>>>
>>>>>>>>> Tips!?
>>>>>>>>>
>>>>>>>>> Thanks!
>>>>>>>>> Thiago
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 28 October 2013 21:13, Martinx - ジェームズ <thiagocmarti...@gmail.com> wrote:
>>>>>>>>>
>>>>>>>>>> Guys,
>>>>>>>>>>
>>>>>>>>>> I'm back using "libvirt_vif_driver = nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver"
>>>>>>>>>> (nova-compute.conf) but the problem persists for "tenant1".
>>>>>>>>>>
>>>>>>>>>> My nova.conf contains:
>>>>>>>>>>
>>>>>>>>>> ---
>>>>>>>>>> # Network settings
>>>>>>>>>> network_api_class = nova.network.neutronv2.api.API
>>>>>>>>>> neutron_url = http://contrller-1.mydomain.com:9696
>>>>>>>>>> neutron_auth_strategy = keystone
>>>>>>>>>> neutron_admin_tenant_name = service
>>>>>>>>>> neutron_admin_username = neutron
>>>>>>>>>> neutron_admin_password = 123test123
>>>>>>>>>> neutron_admin_auth_url = http://controller-1.mydomain.com:35357/v2.0
>>>>>>>>>>
>>>>>>>>>> linuxnet_interface_driver = nova.network.linux_net.LinuxOVSInterfaceDriver
>>>>>>>>>>
>>>>>>>>>> # If you want Neutron + Nova Security groups
>>>>>>>>>> firewall_driver = nova.virt.firewall.NoopFirewallDriver
>>>>>>>>>> security_group_api = neutron
>>>>>>>>>> ---
>>>>>>>>>>
>>>>>>>>>> Is that a valid configuration for Havana?! I got it from my
>>>>>>>>>> previous Grizzly setup.
>>>>>>>>>>
>>>>>>>>>> Also, I just realized that there are two places to configure the
>>>>>>>>>> "firewall_driver": the first one is located at nova.conf, the second
>>>>>>>>>> is located at "ovs_neutron_plugin.ini" under [securitygroups]. Of
>>>>>>>>>> course, I believe, they must "match", I mean, it must be the same for
>>>>>>>>>> both services, right?!
>>>>>>>>>>
>>>>>>>>>> Thanks!
>>>>>>>>>> Thiago
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On 28 October 2013 20:30, Martinx - ジェームズ <thiagocmarti...@gmail.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> Stackers!
>>>>>>>>>>>
>>>>>>>>>>> I'm trying to configure my Security Groups and I'm seeing that
>>>>>>>>>>> the rules are being applied at the Compute Node OVS ports (iptables /
>>>>>>>>>>> ip6tables) BUT it has no effect (or is just being ignored?).
>>>>>>>>>>>
>>>>>>>>>>> I'm using Ubuntu 12.04.3 + Havana from Cloud Archive.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> For example:
>>>>>>>>>>>
>>>>>>>>>>> I have 1 Instance with 1 Floating IP attached to it, open port is: 80.
>>>>>>>>>>>
>>>>>>>>>>> Look:
>>>>>>>>>>>
>>>>>>>>>>> ---
>>>>>>>>>>> root@hypervisor-1:~# iptables -L neutron-openvswi-i9cf07c24-7 -nv
>>>>>>>>>>> Chain neutron-openvswi-i9cf07c24-7 (1 references)
>>>>>>>>>>>  pkts bytes target     prot opt in     out     source               destination
>>>>>>>>>>>     0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
>>>>>>>>>>>     0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>>>>>>>>>>>     0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
>>>>>>>>>>>     0     0 RETURN     udp  --  *      *       192.168.50.3         0.0.0.0/0            udp spt:67 dpt:68
>>>>>>>>>>>     0     0 neutron-openvswi-sg-fallback  all  --  *      *       0.0.0.0/0            0.0.0.0/0
>>>>>>>>>>> ---
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> The problem is that the respective Instance still answers SSH to
>>>>>>>>>>> the Internet. I mean, ALL ports are OPEN!! Regardless of what I typed
>>>>>>>>>>> at its Security Groups.
>>>>>>>>>>>
>>>>>>>>>>> I created one "Security Group", called "web", only with TCP port
>>>>>>>>>>> 80 on it, nothing more, nothing less. This Instance doesn't belong to
>>>>>>>>>>> the "default" Security Group, only "web".
>>>>>>>>>>>
>>>>>>>>>>> Recently I changed the libvirt_vif_driver from
>>>>>>>>>>> nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver to
>>>>>>>>>>> nova.virt.libvirt.vif.LibvirtOpenVswitchDriver, maybe it is the cause?!
>>>>>>>>>>>
>>>>>>>>>>> Any tips!?
>>>>>>>>>>>
>>>>>>>>>>> Thanks!
>>>>>>>>>>> Thiago
_______________________________________________ Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack Post to : openstack@lists.openstack.org Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
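The thread ends where it started: Security Groups only enforce once nova.conf goes back to LibvirtHybridOVSBridgeDriver. The reason is structural rather than a Havana bug: OVSHybridIptablesFirewallDriver programs iptables on the per-port Linux bridge (the qbr-* bridge with its qvb/qvo veth pair) that only the hybrid VIF driver creates. With LibvirtOpenVswitchDriver the tap is plugged straight into br-int, no packet ever traverses a Linux bridge, and the neutron-openvswi-* chains stay at 0 pkts while the instance answers on every port, which is exactly the counter output and tcpdump shown above. The script below is an added example, not code from the thread or from Nova/Neutron: it cross-checks the three settings the thread converges on, section-aware because firewall_driver sits in [DEFAULT] for nova.conf but in [securitygroup] for ovs_neutron_plugin.ini, and it sums the pkts column of a saved "iptables -L <chain> -nv" dump so an all-zero chain is caught mechanically. File names, the sample configs and the sample counter dumps are constructed for the example; the stock Havana section names are assumed.

```shell
#!/bin/sh
# Added example (not from the thread, not OpenStack code): verify that the
# three settings governing Neutron security-group enforcement on a Havana
# compute node agree, and read an "iptables -L CHAIN -nv" dump.
# Assumed: stock Havana layouts ([DEFAULT] in nova.conf, [securitygroup] in
# ovs_neutron_plugin.ini), POSIX sh, awk and mktemp.

# ini_get FILE SECTION KEY: print KEY's value inside [SECTION], or nothing.
# Section-aware on purpose: a key placed in the wrong section is silently
# ignored by the service, which is the first thing the thread had to rule out.
ini_get() {
    awk -v want_sec="$2" -v want_key="$3" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); next }
        sec == want_sec && index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", key)
            if (key == want_key) {
                val = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", val)
                print val; exit
            }
        }' "$1"
}

# check_sg_config NOVA_CONF OVS_PLUGIN_INI: return 0 if consistent, 1 otherwise.
check_sg_config() {
    nova=$1; ovs=$2; rc=0
    fw=$(ini_get "$nova" DEFAULT firewall_driver)
    api=$(ini_get "$nova" DEFAULT security_group_api)
    vif=$(ini_get "$nova" DEFAULT libvirt_vif_driver)
    nfw=$(ini_get "$ovs" securitygroup firewall_driver)

    # Nova must not filter on its own; Neutron owns the rules.
    [ "$fw" = nova.virt.firewall.NoopFirewallDriver ] ||
        { echo "nova.conf: firewall_driver should be nova.virt.firewall.NoopFirewallDriver (got '${fw:-unset}')"; rc=1; }
    # Both spellings appear in working Havana configs in the thread.
    case $api in
        neutron|quantum) ;;
        *) echo "nova.conf: security_group_api should be neutron (got '${api:-unset}')"; rc=1 ;;
    esac
    [ "$nfw" = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver ] ||
        { echo "ovs_neutron_plugin.ini [securitygroup]: firewall_driver should be OVSHybridIptablesFirewallDriver (got '${nfw:-unset}')"; rc=1; }
    # The iptables driver filters on the qbr-* Linux bridge that only the hybrid
    # VIF driver creates; with the plain OVS driver the rules exist but see no traffic.
    case $vif in
        *LibvirtHybridOVSBridgeDriver) ;;
        *) echo "nova.conf: libvirt_vif_driver must be LibvirtHybridOVSBridgeDriver for iptables security groups (got '${vif:-unset}')"; rc=1 ;;
    esac
    return $rc
}

# sg_chain_packets FILE: sum the pkts column of a saved "iptables -L CHAIN -nv"
# dump (K/M/G suffixes expanded). Zero while the instance is reachable means
# traffic is bypassing the chain entirely.
sg_chain_packets() {
    awk 'NR > 2 { v = $1; m = 1
        if (sub(/K$/, "", v)) m = 1000; else if (sub(/M$/, "", v)) m = 1000000; else if (sub(/G$/, "", v)) m = 1000000000
        if (v ~ /^[0-9]+$/) n += v * m } END { print n + 0 }' "$1"
}

SAMPLE_DIR=$(mktemp -d)   # constructed sample inputs live here

# "bad" mirrors the non-working setup in the thread, "good" the one that worked.
cat > "$SAMPLE_DIR/nova_bad.conf" <<'EOF'
[DEFAULT]
firewall_driver = nova.virt.firewall.NoopFirewallDriver
security_group_api = neutron
libvirt_vif_driver = nova.virt.libvirt.vif.LibvirtOpenVswitchDriver
EOF
sed 's/LibvirtOpenVswitchDriver/LibvirtHybridOVSBridgeDriver/' "$SAMPLE_DIR/nova_bad.conf" > "$SAMPLE_DIR/nova_good.conf"
cat > "$SAMPLE_DIR/ovs_neutron_plugin.ini" <<'EOF'
[ovs]
integration_bridge = br-int
[securitygroup]
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
EOF
# Constructed counter dumps: one all-zero chain (the symptom), one with traffic.
cat > "$SAMPLE_DIR/chain_zero.txt" <<'EOF'
Chain neutron-openvswi-i2fa3cfab-a (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
    0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 neutron-openvswi-sg-fallback  all  --  *      *       0.0.0.0/0            0.0.0.0/0
EOF
cat > "$SAMPLE_DIR/chain_live.txt" <<'EOF'
Chain neutron-openvswi-i2fa3cfab-a (1 references)
 pkts bytes target     prot opt in     out     source               destination
  123  9876 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    5   300 neutron-openvswi-sg-fallback  all  --  *      *       0.0.0.0/0            0.0.0.0/0
EOF

for n in bad good; do
    if check_sg_config "$SAMPLE_DIR/nova_$n.conf" "$SAMPLE_DIR/ovs_neutron_plugin.ini"; then
        echo "nova_$n.conf: consistent"
    else
        echo "nova_$n.conf: inconsistent"
    fi
done
echo "packets through zero chain: $(sg_chain_packets "$SAMPLE_DIR/chain_zero.txt")"
echo "packets through live chain: $(sg_chain_packets "$SAMPLE_DIR/chain_live.txt")"
```

Run it on a compute node with the real files (`check_sg_config /etc/nova/nova.conf /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini`) and feed `sg_chain_packets` the output of `iptables -L neutron-openvswi-i<port-prefix> -nv` after generating some traffic. If the configuration checks out but the counters still stay at zero with the hybrid driver in place, confirm that `net.bridge.bridge-nf-call-iptables` is 1 on the host, since iptables only sees bridged frames when that sysctl is on.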