Hi Huan Xie,
Thanks for your fast response. I applied those patches to my Dom0 and DomU
(nova-compute), then restarted the neutron-openvswitch-agent and nova-compute
services. The error on neutron-openvswitch-agent doesn't appear anymore; now
I'm still trying security group rule variations for the instance. I'll update
with results as soon as I can.

On Wed, Sep 21, 2016 at 2:11 PM, Huan Xie <huan....@citrix.com> wrote:

> Hi Adhi,
>
> 1. From http://pastebin.com/gwf1wdEb, we can see you have set the
> “conntrack” command in netwrap, but it seems the whole patch is not
> applied. I mean you need to apply the whole patch
> https://review.openstack.org/#/c/341304/ in neutron.
>
> netwrap is located in Dom0 at /etc/xapi.d/plugins
>
> neutron-rootwrap-xen-dom0 is located in DomU, maybe at
> /usr/local/bin/neutron-rootwrap-xen-dom0 or another path like that,
> depending on how you installed it; you may need to apply the patch to the
> source file.
>
> 1. With this rule, I'm still able to ping instance
> 2. Also please check neutron-openvswitch-agent error list when I
> remove rule and terminate instance.
>
> => For these two: since the patch seems not to be applied completely, you
> may still be able to ping the VM. Also you need to install conntrack-tools
> in Dom0, because the “conntrack” command in netwrap is sent to Dom0;
> otherwise the real “conntrack” command does not take effect.
>
> Hope these checks can help you.
>
> Thanks,
> Huan
>
> *From:* Adhi Priharmanto [mailto:adhi....@gmail.com]
> *Sent:* Wednesday, September 21, 2016 1:59 PM
> *To:* Huan Xie
> *Cc:* openstack@lists.openstack.org
> *Subject:* Re: [Openstack] Security Groups Can't Apply in Kilo with
> Neutron & XenServer
>
> > Hi All....
> >
> > Sorry for my late reply..
> >
> > @Bob, I installed Liberty manually, not using devstack, packstack, etc.
> >
> > Here is my node service configuration.
> >
> > =============================
> > NETWORK-NODE
> > =============================
> > Configuration : http://pastebin.com/6DLqUbjU
> >
> > =============================
> > COMPUTE-NODE
> > =============================
> > Configuration : http://pastebin.com/RhGBvNbA
> > Error list : http://pastebin.com/xHQSb625
> >
> > =============================
> > XENSERVER-NODE
> > =============================
> > Configuration : http://pastebin.com/gwf1wdEb
> > Error list : http://pastebin.com/wNzbhcPi
> >
> > For XenServer,
> > - I also set up Multi Tenancy Networking Protections in XenServer,
> >   following this guide
> >   https://github.com/openstack/nova/blob/master/plugins/xenserver/doc/networking.rst
> > - I also set up sysctl.conf (see config at xenserver-node pastebin),
> >   but it seems no br_netfilter module is available on XenServer.
> >
> > =============================
> > neutron security-group-rule-list
> > =============================
> > # neutron security-group-rule-list
> > +--------------------------------------+----------------+-----------+-----------+---------------+-----------------+
> > | id                                   | security_group | direction | ethertype | protocol/port | remote          |
> > +--------------------------------------+----------------+-----------+-----------+---------------+-----------------+
> > | 310fb8eb-bcf7-4425-83a3-f2f3f1335958 | default        | egress    | IPv6      | any           | any             |
> > | 42e8b7e8-1262-4673-8547-55fa6b33d4f1 | default        | egress    | IPv4      | any           | any             |
> > | 4e8bde5b-344a-4c6a-b09d-223d9fec72bf | default        | ingress   | IPv4      | any           | default (group) |
> > | cd8f3aaa-9882-42a0-b713-87489cfff22c | default        | ingress   | IPv6      | any           | default (group) |
> > | d884ff2f-71e8-4647-b45d-e8f92ad87261 | default        | egress    | IPv4      | any           | any             |
> > | f4f85fae-6a15-4a85-ae51-5f34536bb72e | default        | ingress   | IPv6      | any           | default (group) |
> > | f6e3929a-3df4-4209-8486-7ce0b0047771 | default        | egress    | IPv6      | any           | any             |
> > | fbb2a744-de01-49c7-b875-8cdfbc4fdd7f | default        | ingress   | IPv4      | any           | default (group) |
> > +--------------------------------------+----------------+-----------+-----------+---------------+-----------------+
> >
> > - With this rule, I'm still able to ping the instance
> > - Also please check the neutron-openvswitch-agent error list when I
> >   remove a rule and terminate the instance.
> >
> > I hope anyone can guide me with this problem, thanks before.
> >
> > On Sun, Sep 18, 2016 at 8:16 AM, Huan Xie <huan....@citrix.com> wrote:
> >
> > > Hi,
> > >
> > > After applying these changes, is your neutron ml2 configuration
> > > correct? Mainly the below parts:
> > >
> > > If it still cannot work, could you please describe the errors?
> > >
> > > Besides these, we find XenServer dom0 lacks conntrack support for
> > > neutron-ovs-agent in the compute node; there is a fix waiting for review
> > > https://review.openstack.org/#/c/341304/
> > >
> > > 1. In nova.conf, two configurations should be set
> > >
> > > [DEFAULT]
> > > firewall_driver = nova.virt.firewall.NoopFirewallDriver
> > > security_group_api=neutron
> > > use_neutron = True
> > >
> > > [xenserver]
> > > ovs_integration_bridge =
> > > vif_driver = nova.virt.xenapi.vif.XenAPIOpenVswitchDriver
> > >
> > > 2. In neutron, check configurations ml2_conf.ini in compute node
> > > which is used for neutron L2 agent
> > >
> > > [agent]
> > > minimize_polling = False
> > > root_helper_daemon =
> > > root_helper = /usr/local/bin/neutron-rootwrap-xen-dom0 /etc/neutron/rootwrap.conf
> > >
> > > [ovs]
> > > integration_bridge =
> > > bridge_mappings =
> > >
> > > Thanks,
> > > Huan
> > >
> > > *From:* Adhi Priharmanto [mailto:adhi....@gmail.com]
> > > *Sent:* Thursday, September 15, 2016 3:48 PM
> > > *To:* Huan Xie
> > > *Cc:* openstack@lists.openstack.org
> > > *Subject:* Re: [Openstack] Security Groups Can't Apply in Kilo with
> > > Neutron & XenServer
> > >
> > > > Hi, I still have no luck with this problem; even using the Liberty
> > > > release, security groups are still not applied on the network.
> > > > Can you help me again?
> > > >
> > > > On Thu, Mar 17, 2016 at 10:55 AM, Adhi Priharmanto
> > > > <adhi....@gmail.com> wrote:
> > > >
> > > > > Ok, I'll try to patch my neutron
> > > > >
> > > > > On Tue, Mar 15, 2016 at 8:52 AM, Huan Xie <huan....@citrix.com>
> > > > > wrote:
> > > > >
> > > > > > Hi,
> > > > > >
> > > > > > To apply the patch, you need to download the changed files from
> > > > > > https://review.openstack.org/#/c/251271/ and its dependent
> > > > > > changes; you can find its dependent changes in the right corner
> > > > > > (Related Changes) when you open the link.
> > > > > >
> > > > > > For the files that you need to edit, in the middle of the code
> > > > > > review page you can find a section called “Files”; this part
> > > > > > shows you which files are changed.
> > > > > >
> > > > > > Best Regards//Huan
> > > > > >
> > > > > > *From:* Adhi Priharmanto [mailto:adhi....@gmail.com]
> > > > > > *Sent:* Monday, March 14, 2016 6:21 PM
> > > > > > *To:* Huan Xie
> > > > > > *Cc:* openstack@lists.openstack.org
> > > > > > *Subject:* Re: [Openstack] Security Groups Can't Apply in Kilo
> > > > > > with Neutron & XenServer
> > > > > >
> > > > > > > Hi Xie,
> > > > > > >
> > > > > > > I also commented on your post at blog.citrix :) ; steps 1 - 3
> > > > > > > were clear to me. I'm still confused about the patched code in
> > > > > > > https://review.openstack.org/#/c/251271/ for some files; could
> > > > > > > you explain more how to, and which files I should edit?
> > > > > > >
> > > > > > > Thanks before
> > > > > > >
> > > > > > > On Mon, Mar 14, 2016 at 3:34 PM, Huan Xie
> > > > > > > <huan....@citrix.com> wrote:
> > > > > > >
> > > > > > > > Hi Adhi,
> > > > > > > >
> > > > > > > > Do you use devstack to deploy XenServer + Kilo, or manually?
> > > > > > > >
> > > > > > > > The current Kilo release does not support XenServer + Neutron
> > > > > > > > security groups, because security groups are implemented via
> > > > > > > > iptables on a Linux bridge; however, there is no Linux bridge
> > > > > > > > created when booting a new instance.
> > > > > > > >
> > > > > > > > But we now have a new fix to support neutron security groups;
> > > > > > > > we have tested that it can work. This will be implemented as
> > > > > > > > a blueprint https://review.openstack.org/#/c/251271/
> > > > > > > >
> > > > > > > > So, if you want to use neutron security groups in Kilo, you
> > > > > > > > should add some patches to your code and also please make the
> > > > > > > > configurations as below:
> > > > > > > >
> > > > > > > > 1. In nova.conf, two configurations should be set
> > > > > > > >
> > > > > > > > [DEFAULT]
> > > > > > > > firewall_driver = nova.virt.firewall.NoopFirewallDriver
> > > > > > > > security_group_api=neutron
> > > > > > > >
> > > > > > > > [xenserver]
> > > > > > > > ovs_integration_bridge =
> > > > > > > > vif_driver = nova.virt.xenapi.vif.XenAPIOpenVswitchDriver
> > > > > > > >
> > > > > > > > If you don’t know how to configure ovs_integration_bridge,
> > > > > > > > then you can refer to this blog
> > > > > > > > https://www.citrix.com/blogs/2015/11/30/integrating-xenserver-rdo-and-neutron/
> > > > > > > >
> > > > > > > > 2. In neutron, check configurations ml2_conf.ini in compute
> > > > > > > > node which is used for neutron L2 agent
> > > > > > > >
> > > > > > > > [agent]
> > > > > > > > minimize_polling = False
> > > > > > > > root_helper_daemon =
> > > > > > > > root_helper = /usr/local/bin/neutron-rootwrap-xen-dom0 /etc/neutron/rootwrap.conf
> > > > > > > >
> > > > > > > > [ovs]
> > > > > > > > integration_bridge =
> > > > > > > > bridge_mappings =
> > > > > > > >
> > > > > > > > Also for the ovs configuration items, if you are not clear on
> > > > > > > > how to configure them, refer to the blog.
> > > > > > > >
> > > > > > > > 3. In neutron, check configurations /etc/neutron/rootwrap.conf
> > > > > > > > in compute node
> > > > > > > >
> > > > > > > > [xenapi]
> > > > > > > > # XenAPI configuration is only required by the L2 agent if it is to
> > > > > > > > # target a XenServer/XCP compute host's dom0.
> > > > > > > > xenapi_connection_url=
> > > > > > > > xenapi_connection_username=
> > > > > > > > xenapi_connection_password=
> > > > > > > >
> > > > > > > > Best Regards//Huan
> > > > > > > >
> > > > > > > > -------- Original Message --------
> > > > > > > > Subject: [Openstack] Security Groups Can't Apply in Kilo with
> > > > > > > > Neutron & XenServer
> > > > > > > > From: Adhi Priharmanto
> > > > > > > > To: openstack@lists.openstack.org
> > > > > > > > CC:
> > > > > > > >
> > > > > > > > > Hi all,
> > > > > > > > >
> > > > > > > > > I have OpenStack Kilo installed in my lab; for the compute
> > > > > > > > > hypervisor I use XenServer 6.5, and networking uses Neutron
> > > > > > > > > OVS. For the Controller, Network, and Compute nodes I'm
> > > > > > > > > using Ubuntu 14.04.
> > > > > > > > >
> > > > > > > > > My problem is that security group rules are not applied to
> > > > > > > > > the instances created. For example, there is no rule for
> > > > > > > > > SSH port 22 in the security group I defined for the
> > > > > > > > > instance, but the instance with a floating IP can be logged
> > > > > > > > > into by ssh from the external network.
> > > > > > > > >
> > > > > > > > > I've already added this option in my nova.conf
> > > > > > > > >
> > > > > > > > > firewall_driver=nova.virt.xenapi.firewall.Dom0IptablesFirewallDriver
> > > > > > > > >
> > > > > > > > > and also defined firewall_driver in my ml2_conf.ini on the
> > > > > > > > > Controller, Network, and Compute nodes
> > > > > > > > >
> > > > > > > > > [ovs]
> > > > > > > > > enable_security_group = True
> > > > > > > > > enable_ipset = True
> > > > > > > > > firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
> > > > > > > > >
> > > > > > > > > Can somebody help me with this problem?
> > > > > > > > >
> > > > > > > > > --
> > > > > > > > > Cheers,
> > > > > > > > >
> > > > > > > > > *Adhi Priharmanto*
> > > > > > > > > about.me/a_dhi
> > > > > > > > >
> > > > > > > > > _______________________________________________
> > > > > > > > > Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> > > > > > > > > Post to : openstack@lists.openstack.org
> > > > > > > > > Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> > > > > > >
> > > > > > > --
> > > > > > > Cheers,
> > > > > > >
> > > > > > > *Adhi Priharmanto*
> > > > > > > about.me/a_dhi
> > > > > > > +62-812-82121584
> > > > >
> > > > > --
> > > > > Cheers,
> > > > >
> > > > > *Adhi Priharmanto*
> > > > > about.me/a_dhi
> > > >
> > > > --
> > > > Cheers,
> > > >
> > > > *Adhi Priharmanto*
> > > > about.me/a_dhi
> > > > +62-812-82121584
> >
> > --
> > Cheers,
> >
> > *Adhi Priharmanto*
> > about.me/a_dhi
> > +62-812-82121584

--
Cheers,

*Adhi Priharmanto*
about.me/a_dhi
+62-812-82121584
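A configuration check for the settings Huan lists, added here as an example; it is not code from this thread or from OpenStack. It parses nova.conf and ml2_conf.ini fragments with Python's configparser and reports where they depart from the XenServer + Neutron security-group setup described above (Noop firewall driver and security_group_api=neutron in nova, XenAPIOpenVswitchDriver, a non-empty ovs_integration_bridge, and a root_helper that goes through neutron-rootwrap-xen-dom0). It goes one step beyond the thread by checking that enable_security_group and firewall_driver sit under [securitygroup], which is the section the OVS agent reads them from, rather than under [ovs] as in the first message. The sample fragments are constructed; the bridge names xapi1, xapi2 and physnet1 are placeholders.

```python
"""Audit nova.conf / ml2_conf.ini fragments for the XenServer + Neutron
security-group settings discussed in the thread.

Added example; not code from the thread or from OpenStack. The sample
fragments below are constructed, and the bridge names xapi1 / xapi2 /
physnet1 are placeholders."""
import configparser

# Settings Huan lists for nova.conf (exact values expected).
NOVA_EXPECTED = {
    ("DEFAULT", "firewall_driver"): "nova.virt.firewall.NoopFirewallDriver",
    ("DEFAULT", "security_group_api"): "neutron",
    ("xenserver", "vif_driver"): "nova.virt.xenapi.vif.XenAPIOpenVswitchDriver",
}
# Settings that must be filled in but whose value is site-specific.
NOVA_NONEMPTY = [("xenserver", "ovs_integration_bridge")]

# The OVS agent reads its security-group options from [securitygroup].
ML2_EXPECTED = {
    ("securitygroup", "enable_security_group"): "true",
    ("securitygroup", "firewall_driver"):
        "neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver",
}
ML2_ROOT_HELPER = "neutron-rootwrap-xen-dom0"


def _load(text):
    # Use an unused default-section name so [DEFAULT] is parsed as an
    # ordinary section and its keys do not leak into every other section.
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True,
                                   default_section="__no_defaults__")
    cp.read_string(text)
    return cp


def audit_nova(text):
    """Return a list of findings for nova.conf (empty means it matches)."""
    cp = _load(text)
    findings = []
    for (sec, key), want in NOVA_EXPECTED.items():
        got = cp.get(sec, key, fallback=None)
        if got is None:
            findings.append(f"nova.conf: [{sec}] {key} is missing, expected {want!r}")
        elif got.strip() != want:
            findings.append(f"nova.conf: [{sec}] {key} = {got.strip()!r}, expected {want!r}")
    for sec, key in NOVA_NONEMPTY:
        got = cp.get(sec, key, fallback=None)
        if not (got or "").strip():
            findings.append(f"nova.conf: [{sec}] {key} must name the Dom0 OVS integration bridge")
    return findings


def audit_ml2(text):
    """Return a list of findings for the L2 agent config on the compute node."""
    cp = _load(text)
    findings = []
    for (sec, key), want in ML2_EXPECTED.items():
        got = cp.get(sec, key, fallback=None)
        if got is None:
            findings.append(f"ml2_conf.ini: [{sec}] {key} is missing")
        elif got.strip().lower() != want.lower():
            findings.append(f"ml2_conf.ini: [{sec}] {key} = {got.strip()!r}, expected {want!r}")
    # Security-group keys placed under [ovs] are not where oslo.config
    # registers them, so the agent never sees them and the firewall stays off.
    for key in ("enable_security_group", "firewall_driver"):
        if cp.get("ovs", key, fallback=None) is not None:
            findings.append(f"ml2_conf.ini: {key} is under [ovs]; the agent reads it from [securitygroup]")
    helper = cp.get("agent", "root_helper", fallback="") or ""
    if ML2_ROOT_HELPER not in helper:
        findings.append("ml2_conf.ini: [agent] root_helper does not use "
                        f"{ML2_ROOT_HELPER}, so agent commands run in DomU instead of Dom0")
    return findings


# Constructed fragments: the first pair mirrors the first message in the
# thread, the second pair Huan's recommended settings.
BAD_NOVA = """[DEFAULT]
firewall_driver=nova.virt.xenapi.firewall.Dom0IptablesFirewallDriver
"""
BAD_ML2 = """[ovs]
enable_security_group = True
enable_ipset = True
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
"""
GOOD_NOVA = """[DEFAULT]
firewall_driver = nova.virt.firewall.NoopFirewallDriver
security_group_api=neutron

[xenserver]
ovs_integration_bridge = xapi1
vif_driver = nova.virt.xenapi.vif.XenAPIOpenVswitchDriver
"""
GOOD_ML2 = """[agent]
minimize_polling = False
root_helper_daemon =
root_helper = /usr/local/bin/neutron-rootwrap-xen-dom0 /etc/neutron/rootwrap.conf

[ovs]
integration_bridge = xapi1
bridge_mappings = physnet1:xapi2

[securitygroup]
enable_security_group = True
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
"""

if __name__ == "__main__":
    for label, nova, ml2 in (("original", BAD_NOVA, BAD_ML2),
                             ("recommended", GOOD_NOVA, GOOD_ML2)):
        print(f"== {label} ==")
        for finding in audit_nova(nova) + audit_ml2(ml2):
            print("  -", finding)
```

To run it against a real node, read the two files and pass their contents to audit_nova and audit_ml2; an empty result from both means the fragments match what the thread asks for, but it says nothing about whether the Dom0 patch and conntrack-tools are in place, which only the agent log and a blocked ping can confirm.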
_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to     : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
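The rule table Adhi pasted, evaluated the way Neutron evaluates a security group (an allow-list: a flow is permitted only if some rule matches it), as an added example that is not part of the thread or of Neutron. It parses the `neutron security-group-rule-list` output above and answers whether a given flow has a permitting rule. For the default group shown, an ICMP or TCP/22 ingress from an address outside the group has none, so a ping or ssh that succeeds from the external network, as reported in the thread, is evidence that the rules are not being enforced on the XenServer host rather than of a permissive rule set. The handled `protocol/port` text formats ('tcp', 'icmp', '22/tcp', '22-80/tcp') are an assumption about the CLI output, and the peer addresses are constructed.

```python
"""Evaluate a `neutron security-group-rule-list` table as an allow-list.

Added example; not code from the thread or from Neutron. RULE_TABLE is the
table posted in the thread; the protocol/port formats handled ('tcp',
'icmp', '22/tcp', '22-80/tcp') are assumed, and the peer addresses below are
constructed."""
import ipaddress
import re

RULE_TABLE = """
+--------------------------------------+----------------+-----------+-----------+---------------+-----------------+
| id                                   | security_group | direction | ethertype | protocol/port | remote          |
+--------------------------------------+----------------+-----------+-----------+---------------+-----------------+
| 310fb8eb-bcf7-4425-83a3-f2f3f1335958 | default        | egress    | IPv6      | any           | any             |
| 42e8b7e8-1262-4673-8547-55fa6b33d4f1 | default        | egress    | IPv4      | any           | any             |
| 4e8bde5b-344a-4c6a-b09d-223d9fec72bf | default        | ingress   | IPv4      | any           | default (group) |
| cd8f3aaa-9882-42a0-b713-87489cfff22c | default        | ingress   | IPv6      | any           | default (group) |
| d884ff2f-71e8-4647-b45d-e8f92ad87261 | default        | egress    | IPv4      | any           | any             |
| f4f85fae-6a15-4a85-ae51-5f34536bb72e | default        | ingress   | IPv6      | any           | default (group) |
| f6e3929a-3df4-4209-8486-7ce0b0047771 | default        | egress    | IPv6      | any           | any             |
| fbb2a744-de01-49c7-b875-8cdfbc4fdd7f | default        | ingress   | IPv4      | any           | default (group) |
+--------------------------------------+----------------+-----------+-----------+---------------+-----------------+
"""

COLUMNS = ("id", "security_group", "direction", "ethertype", "protocol_port", "remote")


def parse_rule_table(text):
    """Turn the CLI table into a list of rule dicts; border and header rows are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != len(COLUMNS) or cells[0] == "id":
            continue
        rules.append(dict(zip(COLUMNS, cells)))
    return rules


def _protocol_matches(rule_pp, protocol, port):
    if rule_pp == "any":
        return True
    if "/" in rule_pp:                      # "22/tcp" or "22-80/tcp" (assumed CLI format)
        prange, proto = rule_pp.split("/", 1)
        if proto != protocol or port is None:
            return False
        lo, _, hi = prange.partition("-")
        return int(lo) <= port <= int(hi or lo)
    return rule_pp == protocol              # bare protocol name: any port


def _remote_matches(rule_remote, peer, peer_groups):
    if rule_remote == "any":
        return True
    m = re.fullmatch(r"(\S+) \(group\)", rule_remote)
    if m:                                   # remote security group: members only
        return m.group(1) in peer_groups
    try:                                    # otherwise the remote is a CIDR
        return ipaddress.ip_address(peer) in ipaddress.ip_network(rule_remote, strict=False)
    except ValueError:
        return False


def permitted(rules, group, direction, ethertype, protocol, port, peer, peer_groups=frozenset()):
    """True if some rule of `group` permits this flow. Security groups are
    allow-lists, so no matching rule means the packet must be dropped."""
    for r in rules:
        if (r["security_group"], r["direction"], r["ethertype"]) != (group, direction, ethertype):
            continue
        if not _protocol_matches(r["protocol_port"], protocol, port):
            continue
        if not _remote_matches(r["remote"], peer, peer_groups):
            continue
        return True
    return False


RULES = parse_rule_table(RULE_TABLE)
EXTERNAL = "203.0.113.10"   # constructed external address (TEST-NET-3)
MEMBER = "10.0.0.5"         # constructed address of another port in 'default'


def expected_blocked_from_external(rules=RULES):
    """Probes from outside the group that the table gives no rule for; if any
    of them succeeds against a running instance, the rules are not enforced."""
    probes = (("icmp", None), ("tcp", 22))
    return [(proto, port) for proto, port in probes
            if not permitted(rules, "default", "ingress", "IPv4", proto, port, EXTERNAL)]


if __name__ == "__main__":
    print("parsed rules:", len(RULES))
    print("ingress from group member, icmp:",
          permitted(RULES, "default", "ingress", "IPv4", "icmp", None, MEMBER, {"default"}))
    print("must be blocked from external:", expected_blocked_from_external())
```

The useful reading of the result is the negative one: with only the default group attached, both probes in expected_blocked_from_external have no permitting rule, so if either reaches the instance the place to look is enforcement on the host (the Dom0 patch, conntrack-tools and the root_helper path from the thread), not the rule set.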