Hi Xie,

I also commented on your post at blog.citrix :). Steps 1 - 3 were clear to me. I am still confused about the patched code in https://review.openstack.org/#/c/251271/ for some files; could you explain more about how to do it and which files I should edit?

Thanks in advance.

On Mon, Mar 14, 2016 at 3:34 PM, Huan Xie <huan....@citrix.com> wrote:

> Hi Adhi,
>
> Do you use devstack to deploy XenServer + Kilo or manually?
>
> Current Kilo release does not support XenServer + Neutron security group,
> because security group is implemented via iptables on Linux bridge,
> however, there is no Linux bridge created when booting a new instance.
>
> But we now have a new fix to support neutron security group, we have
> tested that it can work, this will be implemented as a blueprint
> https://review.openstack.org/#/c/251271/
>
> So, if you want to use neutron security group in Kilo, you should add some
> patches to your code and also please make the configurations as below:
>
> 1. In nova.conf, two configurations should be set
>
>    [DEFAULT]
>    firewall_driver = nova.virt.firewall.NoopFirewallDriver
>    security_group_api=neutron
>
>    [xenserver]
>    ovs_integration_bridge =
>    vif_driver = nova.virt.xenapi.vif.XenAPIOpenVswitchDriver
>
>    If you don’t know how to configure ovs_integration_bridge,
>    then you can refer to this blog
>    https://www.citrix.com/blogs/2015/11/30/integrating-xenserver-rdo-and-neutron/
>
> 2. In neutron, check configurations ml2_conf.ini in compute node
>    which is used for neutron L2 agent
>
>    [agent]
>    minimize_polling = False
>    root_helper_daemon =
>    root_helper = /usr/local/bin/neutron-rootwrap-xen-dom0 /etc/neutron/rootwrap.conf
>
>    [ovs]
>    integration_bridge =
>    bridge_mappings =
>
>    Also for ovs configuration items, if you aren’t clear on
>    how to configure them, refer to the blog
>
> 3. In neutron, check configurations /etc/neutron/rootwrap.conf in
>    compute node
>
>    [xenapi]
>    # XenAPI configuration is only required by the L2 agent if it is to
>    # target a XenServer/XCP compute host's dom0.
>    xenapi_connection_url=
>    xenapi_connection_username=
>    xenapi_connection_password=
>
> Best Regards//Huan
>
> -------- Original Message --------
> Subject: [Openstack] Security Groups Can't Apply in Kilo with Neutron &
> XenServer
> From: Adhi Priharmanto
> To: openstack@lists.openstack.org
> CC:
>
> Hi all,
>
> I had OpenStack Kilo installed in my lab. For the Compute Hypervisor I use
> XenServer 6.5, and networking uses Neutron OVS. For the Controller, Network,
> and Compute nodes I'm using Ubuntu 14.04.
>
> My problem was that Security Group rules aren't applied to the instances that
> are created. For example, there is no rule for SSH port 22 in the security
> group I defined for the instance, but the instance with a floating IP can be
> logged in to by ssh from the external network.
>
> I've already added this option to my nova.conf
>
> firewall_driver=nova.virt.xenapi.firewall.Dom0IptablesFirewallDriver
>
> and also defined firewall_driver in my ml2_conf.ini on the Controller,
> Network, and Compute nodes
>
> [ovs]
> enable_security_group = True
> enable_ipset = True
> firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
>
> Can somebody help me with this problem?
>
> --
> Cheers,
>
> *Adhi Priharmanto*
> about.me/a_dhi
>
> _______________________________________________
> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to     : openstack@lists.openstack.org
> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack

--
Cheers,
Adhi Priharmanto
about.me/a_dhi <http://about.me/a_dhi?promo=email_sig>
+62-812-82121584
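The nova.conf and ml2_conf.ini settings listed in the quoted reply, turned into a check that reports where a compute node's configuration differs from them. This is an added example, not code from the thread or from OpenStack; the `audit` function, the sample file contents and the bridge name `xapi1` are constructed assumptions.

```python
import configparser

# Values are the ones given in the quoted reply. None marks keys the reply
# leaves blank (site-specific): those are only checked for being set.
EXPECTED = {
    "nova.conf": {
        ("DEFAULT", "firewall_driver"): "nova.virt.firewall.NoopFirewallDriver",
        ("DEFAULT", "security_group_api"): "neutron",
        ("xenserver", "ovs_integration_bridge"): None,
        ("xenserver", "vif_driver"): "nova.virt.xenapi.vif.XenAPIOpenVswitchDriver",
    },
    "ml2_conf.ini": {
        ("agent", "minimize_polling"): "False",
        ("agent", "root_helper"): "/usr/local/bin/neutron-rootwrap-xen-dom0 /etc/neutron/rootwrap.conf",
        ("ovs", "integration_bridge"): None,
        ("ovs", "bridge_mappings"): None,
    },
}

def audit(name, text):
    """Return findings for one config file's text; an empty list means it matches."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    for (section, key), want in EXPECTED[name].items():
        # Collapse whitespace so a wrapped or padded value still compares equal.
        got = " ".join(cp.get(section, key, fallback="").split())
        if not got:
            findings.append(f"{name} [{section}] {key}: not set")
        elif want is not None and got != want and not (
                want == "False" and got.lower() == "false"):
            findings.append(f"{name} [{section}] {key}: found {got!r}, reply gives {want!r}")
    return findings

# Constructed sample: the nova.conf option quoted in the original question.
BROKEN = """
[DEFAULT]
firewall_driver=nova.virt.xenapi.firewall.Dom0IptablesFirewallDriver
"""
# Constructed sample: the reply's settings; "xapi1" is a placeholder bridge name.
FIXED = """
[DEFAULT]
firewall_driver = nova.virt.firewall.NoopFirewallDriver
security_group_api = neutron
[xenserver]
ovs_integration_bridge = xapi1
vif_driver = nova.virt.xenapi.vif.XenAPIOpenVswitchDriver
"""
if __name__ == "__main__":
    print(audit("nova.conf", BROKEN), audit("nova.conf", FIXED), sep="\n")
```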