Hello Matthew,
*Some background:*
Neutron supported "Port Security" extension in releases prior to Mitaka.
But there was a Bug [1] in Nova, due to which, we were disabling the
Security Groups completely for IPv6 Service VM use-case.
Nova bug [1] was fixed recently and is back-ported to stable/mitaka. So, if
you are using the stable/Mitaka branch (which includes the fix [2]), then
there is no need to disable Security Groups completely.
We can have Security Groups enabled in the setup and while creating the
networks we can disable port_security on the individual networks (like we
are doing in [3]).
The following blog [4] explains Neutron ML2 port security very well.
I had a look at the logs [5], it only says that ping6 is failing. I'm not
able to figure out any issue in port-creation. Am I missing something?
I just tried the IPv6 ServiceVM use-case on my laptop with the latest
stable/mitaka branch and it's working fine (Security Groups are enabled, but
port_security is disabled on the networks).
A small note: When a port is updated with "--no-security-groups", Neutron
does not remove the Anti-Spoofing rules on the ports. It simply disables
any ACL rules that were applied to the port.
I have a few questions.
1. Are you running the tests in a pure OpenStack environment or
OpenStack+ODL environment?
2. The port status would be DOWN when the port is initially created. But
after the VM is spawned (using this port), the port status would be changed
to ACTIVE.
You mentioned that you are seeing the port status as DOWN; is it after
the VM is booted? Can you also check whether the VMs boot fine (i.e., vRouter,
VM1 and VM2)? You can use "nova console-log vRouter".
3. As you know ext-net should be properly configured in the setup. This is
because vRouter VM would download and install certain packages like radvd.
In case there is an issue with external connectivity, vRouter will not be
able to act as an IPv6 Router. Please take a look at this.
[1] https://bugs.launchpad.net/nova/+bug/1175464
[2] https://review.openstack.org/#/c/306470/
[3] https://git.opnfv.org/cgit/yardstick/tree/yardstick/benchmark/scenarios/networking/ping6_setup.bash#n27
[4] http://kimizhang.com/neutron-ml2-port-security/
[5] https://build.opnfv.org/ci/view/yardstick/job/yardstick-compass-baremetal-daily-master/190/consoleFull
Thanks,
--Sridhar.
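
Added example, not part of the original message: a small triage helper that classifies ports by the filtering Neutron applies (the distinction between disabling port_security and using "--no-security-groups" described above) and by whether a DOWN status is expected. Field names follow the Neutron API port resource; the sample ports are constructed, and treating a set device_id as "a VM is using the port" is an assumption.

```python
import json

# Constructed sample, shaped like the Neutron API port resource
# (name, status, device_id, port_security_enabled, security_groups).
SAMPLE_PORTS = json.loads("""[
  {"name": "vRouter-eth0", "status": "ACTIVE", "device_id": "vm-1",
   "port_security_enabled": false, "security_groups": []},
  {"name": "VM1-eth0", "status": "ACTIVE", "device_id": "vm-2",
   "port_security_enabled": true, "security_groups": []},
  {"name": "VM2-eth0", "status": "DOWN", "device_id": "vm-3",
   "port_security_enabled": true, "security_groups": ["sg-default"]},
  {"name": "spare", "status": "DOWN", "device_id": "",
   "port_security_enabled": true, "security_groups": ["sg-default"]}
]""")


def filtering_state(port):
    """Return which packet filtering Neutron applies to the port."""
    # port_security_enabled defaults to True when the field is absent.
    if not port.get("port_security_enabled", True):
        return "none"                    # no anti-spoofing rules, no ACLs
    if not port.get("security_groups"):
        return "anti-spoofing-only"      # what --no-security-groups leaves
    return "security-groups+anti-spoofing"


def status_finding(port):
    """DOWN is expected before a VM uses the port, not after it boots."""
    if port["status"] == "ACTIVE":
        return "ok"
    # Assumption: a non-empty device_id means a VM has been attached.
    return "down-after-boot" if port.get("device_id") else "down-unbound"


def audit(ports):
    """Map port name -> (filtering state, status finding)."""
    return {p["name"]: (filtering_state(p), status_finding(p)) for p in ports}


if __name__ == "__main__":
    for name, (filt, stat) in audit(SAMPLE_PORTS).items():
        print(f"{name:14} filtering={filt:30} status={stat}")
```

A port reported as "anti-spoofing-only" still has its anti-spoofing rules applied, so only ports reported as "none" are fully unfiltered.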
On Fri, Aug 12, 2016 at 1:32 PM, Lijun (Matthew) <[email protected]>
wrote:
> Hi Bin
>
>
>
> Thanks for your suggestion.
>
>
>
> I have tried all of those and they fail; port status is still DOWN
>
>
>
> Yep In Mitaka
>
> - Line 27 and 28: the parameter “--port_security_enabled=False” should be moved
>
>
>
> /MatthewLi
>
>
>
> *From:* HU, BIN [mailto:[email protected]]
> *Sent:* August 12, 2016 14:31
> *To:* Lijun (Matthew); [email protected]; Gaoliang (kubi)
> *Cc:* [email protected]
> *Subject:* RE: [ipv6][yardstick][mitaka] ipv6 test case failure with Mitaka
>
>
>
> BTW, Matthew,
>
>
>
> I checked Mitaka’s docs, and it seems that they deprecated
> “security_group_api” in nova.conf in Mitaka (should still work though until
> Newton where it will be removed).
>
>
>
> So another way is to change:
>
>
>
> - Line 27 and 28: remove the parameter “--port_security_enabled=False”
>
> - Line 54 and 55: add one more parameter “--no-security-groups”
>
>
>
> Can you also try this?
>
>
>
> Thanks
>
> Bin
>
>
>
> *From:* HU, BIN
> *Sent:* Thursday, August 11, 2016 11:02 PM
> *To:* 'Lijun (Matthew)' <[email protected]>;
> [email protected]; Gaoliang (kubi) <[email protected]>
> *Cc:* [email protected]
> *Subject:* RE: [ipv6][yardstick][mitaka] ipv6 test case failure with
> Mitaka
>
>
>
> Matthew,
>
>
>
> Thank you for letting us know. The failure of Line 27 (and 28) results in
> the failure of Line 54 (and 55).
>
>
>
> We need to disable Security Groups in ML2 Setup first. See
> http://artifacts.opnfv.org/opnfvdocs/brahmaputra/docs/configguide/featureconfig-ipv6.html#id2,
> *OPNFV-SEC-1*, *OPNFV-SEC-2* and *OPNFV-SEC-3.*
>
>
>
> Can you double check the above settings in Mitaka deployment?
>
>
>
> Thanks
>
> Bin
>
> *From:* Lijun (Matthew) [mailto:[email protected]
> <[email protected]>]
> *Sent:* Thursday, August 11, 2016 6:59 PM
> *To:* HU, BIN <[email protected]>; [email protected]; Gaoliang
> (kubi) <[email protected]>
> *Cc:* [email protected]
> *Subject:* [ipv6][yardstick][mitaka] ipv6 test case failure with Mitaka
>
>
>
> Hi
>
>
>
> Recently, I have been running the test case in compass (Mitaka version); running
> https://git.opnfv.org/cgit/yardstick/tree/yardstick/benchmark/scenarios/networking/ping6_setup.bash
> fails.
>
>
>
> It also fails in the CI logs:
> https://build.opnfv.org/ci/view/yardstick/job/yardstick-compass-baremetal-daily-master/190/consoleFull
> (although it shows a VM SSH timeout, it is caused by a port creation error)
>
>
>
> It worked with the Liberty version; with Mitaka it has some problems:
> https://git.opnfv.org/cgit/yardstick/tree/yardstick/benchmark/scenarios/networking/ping6_setup.bash#n27
>
> line 27: --port_security_enabled=False isn’t supported now
>
>
>
> https://git.opnfv.org/cgit/yardstick/tree/yardstick/benchmark/scenarios/networking/ping6_setup.bash#n54
> line 54 the port creation status is DOWN, so the VM can’t be created after
> this procedure.
>
>
>
> @sridhar, do you have any ideas?
>
>
>
>
>
> /MatthewLi
>
_______________________________________________
opnfv-tech-discuss mailing list
[email protected]
https://lists.opnfv.org/mailman/listinfo/opnfv-tech-discuss