Hi Adhi,

Could you provide more details about how you’re installing Liberty, including your local.conf (if using devstack) and the nova / neutron configuration files? Also details about how you’re booting the instance and what security groups you’re expecting to be applied.
Thanks,
Bob

From: Adhi Priharmanto [mailto:adhi....@gmail.com]
Sent: 15 September 2016 08:48
To: Huan Xie <huan....@citrix.com>
Cc: openstack@lists.openstack.org
Subject: Re: [Openstack] Security Groups Can't Apply in Kilo with Neutron & XenServer

Hi,

I still have no luck with this problem; even using the Liberty release, security groups are still not applied on the network. Can you help me again?

On Thu, Mar 17, 2016 at 10:55 AM, Adhi Priharmanto <adhi....@gmail.com> wrote:

OK, I'll try to patch my neutron.

On Tue, Mar 15, 2016 at 8:52 AM, Huan Xie <huan....@citrix.com> wrote:

Hi,

To apply the patch, you need to download the changed file with this https://review.openstack.org/#/c/251271/ and its dependent changes; you can find its dependent changes in the right corner (Related Changes) if you open the link.
For the files that you need to edit, in the middle of the code review page you can find a section called “Files”; this part shows you which files are changed.

Best Regards//Huan

From: Adhi Priharmanto [mailto:adhi....@gmail.com]
Sent: Monday, March 14, 2016 6:21 PM
To: Huan Xie
Cc: openstack@lists.openstack.org
Subject: Re: [Openstack] Security Groups Can't Apply in Kilo with Neutron & XenServer

Hi Xie,

I also commented on your post at blog.citrix :). Steps 1 - 3 were clear to me. I am still confused about the patched code in https://review.openstack.org/#/c/251271/ for some files; could you explain more about how to do it and which files I should edit?

Thanks before

On Mon, Mar 14, 2016 at 3:34 PM, Huan Xie <huan....@citrix.com> wrote:

Hi Adhi,

Do you use devstack to deploy XenServer + Kilo or manually?
Current Kilo release does not support XenServer + Neutron security group, because security group is implemented via iptables on Linux bridge; however, there is no Linux bridge created when booting a new instance.
But we now have a new fix to support neutron security group; we have tested that it can work. This will be implemented as a blueprint: https://review.openstack.org/#/c/251271/

So, if you want to use neutron security group in Kilo, you should add some patches to your code and also please make the configurations as below:

1. In nova.conf, two configurations should be set

[DEFAULT]
firewall_driver = nova.virt.firewall.NoopFirewallDriver
security_group_api=neutron

[xenserver]
ovs_integration_bridge =
vif_driver = nova.virt.xenapi.vif.XenAPIOpenVswitchDriver

If you don’t know how to configure ovs_integration_bridge, then you can refer to this blog https://www.citrix.com/blogs/2015/11/30/integrating-xenserver-rdo-and-neutron/

2. In neutron, check configurations ml2_conf.ini in compute node which is used for neutron L2 agent

[agent]
minimize_polling = False
root_helper_daemon =
root_helper = /usr/local/bin/neutron-rootwrap-xen-dom0 /etc/neutron/rootwrap.conf

[ovs]
integration_bridge =
bridge_mappings =

Also for ovs configuration items, if you are not clear on how to configure them, refer to the blog

3. In neutron, check configurations /etc/neutron/rootwrap.conf in compute node

[xenapi]
# XenAPI configuration is only required by the L2 agent if it is to
# target a XenServer/XCP compute host's dom0.
xenapi_connection_url=
xenapi_connection_username=
xenapi_connection_password=

Best Regards//Huan

-------- Original Message --------
Subject: [Openstack] Security Groups Can't Apply in Kilo with Neutron & XenServer
From: Adhi Priharmanto
To: openstack@lists.openstack.org
CC:

Hi all,

I had OpenStack Kilo installed in my lab. For the compute hypervisor I use XenServer 6.5, and for networking, Neutron OVS. For the Controller, Network, and Compute nodes I'm using Ubuntu 14.04.
My problem was that Security Groups rules aren't applied to the instance that is created.
For example, there is no rule for SSH port 22 in the security group I defined for the instance, but the instance with a floating IP can be logged in to by ssh from the external network.
I've already added this option to my nova.conf

firewall_driver=nova.virt.xenapi.firewall.Dom0IptablesFirewallDriver

and also defined firewall_driver in my ml2_conf.ini on the Controller, Network, and Compute nodes

[ovs]
enable_security_group = True
enable_ipset = True
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver

Can somebody help me with this problem?

--
Cheers,
Adhi Priharmanto
about.me/a_dhi

_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to     : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
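The nova.conf and ml2_conf.ini settings listed in Huan's reply can be checked mechanically on a compute node. The following is an added example, not part of the thread or of OpenStack's code; the `audit` helper and the sample file contents are constructed for illustration.

```python
import configparser

# Values from Huan's reply; None = must be set, the value is site-specific.
EXPECTED = {
    "nova.conf": {
        ("DEFAULT", "firewall_driver"): "nova.virt.firewall.NoopFirewallDriver",
        ("DEFAULT", "security_group_api"): "neutron",
        ("xenserver", "vif_driver"): "nova.virt.xenapi.vif.XenAPIOpenVswitchDriver",
        ("xenserver", "ovs_integration_bridge"): None,
    },
    "ml2_conf.ini": {
        ("agent", "minimize_polling"): "False",
        ("agent", "root_helper"): "/usr/local/bin/neutron-rootwrap-xen-dom0 /etc/neutron/rootwrap.conf",
        ("ovs", "integration_bridge"): None,
        ("ovs", "bridge_mappings"): None,
    },
}

def audit(filename, text):
    """Return (section, key, problem) tuples for one config file's contents."""
    # default_section is renamed so [DEFAULT] is an ordinary section and its
    # keys are not silently inherited by [xenserver], [agent] or [ovs].
    cp = configparser.ConfigParser(interpolation=None, strict=False, default_section="__unused__")
    cp.read_string(text)
    findings = []
    for (section, key), want in EXPECTED[filename].items():
        got = cp.get(section, key, fallback=None)
        if got is None:
            findings.append((section, key, "missing"))
        elif not got.strip():
            findings.append((section, key, "empty"))
        elif want is not None and got.strip() != want:
            findings.append((section, key, "unexpected: " + got.strip()))
    return findings

# Constructed samples: the nova.conf line from the first post, and the ml2_conf.ini template from the reply.
ORIGINAL_NOVA = "[DEFAULT]\nfirewall_driver=nova.virt.xenapi.firewall.Dom0IptablesFirewallDriver\n"
ML2_TEMPLATE = """[agent]
minimize_polling = False
root_helper_daemon =
root_helper = /usr/local/bin/neutron-rootwrap-xen-dom0 /etc/neutron/rootwrap.conf
[ovs]
integration_bridge =
bridge_mappings =
"""

if __name__ == "__main__":
    for name, text in (("nova.conf", ORIGINAL_NOVA), ("ml2_conf.ini", ML2_TEMPLATE)):
        print(name, audit(name, text))
```

An empty result only means the files match the settings in the thread; for Kilo, the thread says the patch from the review is needed as well.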