Actually - running the Noop driver when neutron is enabled is intended, as nova would let Neutron configure security groups. I guess that Simon's configuration was working before the switch to the new generic drivers.
It will be good to check what the port binding extension is returning for your neutron ports. It should instruct the generic driver to use the 'hybrid' mode (chaining a LB bridge onto the OVS integration bridge). If it just uses OVS integration bridge, sec groups won't be enforced at all in gre mode, and enforced only at the uplink in vlan mode.

Moving to incomplete waiting for more input.

** Changed in: nova
       Status: Invalid => Incomplete

https://bugs.launchpad.net/bugs/1248859

Title:
  Security groups don't work with LibvirtGenericVIFDriver driver

Status in OpenStack Compute (Nova):
  Incomplete

Bug description:
  Security groups on master branch using Neutron and OVS plugin are broken. No problem to create/delete security group rules but even though iptables configuration is updated, traffic to my instances is never filtered [0].

  I'm running DevStack on 2 nodes (1 controller + 1 compute):
  - OS: Ubuntu 12.04.3 (LTS) with the Havana cloud archive repository.
  - Open vSwitch package version: 1.10.2-0ubuntu2~cloud0
  - libvirt package version: 1.1.1-0ubuntu8~cloud2
  - localrc, nova.conf, neutron.conf and ovs_neutron_plugin.ini files pasted at [1] (I didn't modify any of these files after the DevStack run)

  According to [2], [3] and [4], iptables is not compatible with TAP devices connected directly to Open vSwitch ports, this is why there used to be the additional veth + bridge interfaces [5]. But in my setup, this is not the case anymore as shown in [6] ('ovs-vsctl show' + 'iptables-save' output). I've also pasted the libvirt XML configuration [7] that shows that the instance is directly connected to the Open vSwitch.

  [0] http://paste.openstack.org/show/50490/
  [1] http://paste.openstack.org/show/50448/
  [2] http://www.spinics.net/linux/fedora/libvirt-users/msg05384.html
  [3] http://openvswitch.org/pipermail/discuss/2013-October/011461.html
  [4] http://docs.openstack.org/havana/configreference/content/under_the_hood_openvswitch.html
  [5] http://docs.openstack.org/havana/config-reference/content/figures/7/a/a/common/figures/under-the-hood-scenario-2-ovs-compute.png
  [6] http://paste.openstack.org/show/50486/
  [7] http://paste.openstack.org/show/50487/
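
A check for the condition described in the bug report, added here as an example and not taken from the report, the pastes or Nova: it parses a libvirt domain XML and flags interfaces whose TAP device is plugged directly into Open vSwitch, the case where the report says iptables rules do not filter traffic. The sample XML, its MAC addresses and device names, and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not the XML from the report): one interface plugged
# directly into OVS, one plugged into an intermediate Linux bridge.
SAMPLE_DOMAIN_XML = """
<domain type='kvm'>
  <name>instance-00000001</name>
  <devices>
    <interface type='bridge'>
      <mac address='fa:16:3e:00:00:01'/>
      <source bridge='br-int'/>
      <virtualport type='openvswitch'>
        <parameters interfaceid='11111111-1111-1111-1111-111111111111'/>
      </virtualport>
      <target dev='tap11111111-11'/>
    </interface>
    <interface type='bridge'>
      <mac address='fa:16:3e:00:00:02'/>
      <source bridge='qbr22222222-22'/>
      <target dev='tap22222222-22'/>
    </interface>
  </devices>
</domain>
"""


def classify_interfaces(domain_xml):
    """Return one dict per <interface> describing how its TAP is plugged."""
    results = []
    for iface in ET.fromstring(domain_xml).findall("./devices/interface"):
        source = iface.find("source")
        target = iface.find("target")
        vport = iface.find("virtualport")
        # libvirt marks an OVS port with <virtualport type='openvswitch'>;
        # without it, type='bridge' refers to a Linux bridge.
        direct_ovs = (iface.get("type") == "bridge"
                      and vport is not None
                      and vport.get("type") == "openvswitch")
        results.append({
            "tap": target.get("dev") if target is not None else None,
            "bridge": source.get("bridge") if source is not None else None,
            "direct_ovs": direct_ovs,
        })
    return results


def unfiltered_taps(domain_xml):
    """TAP devices attached straight to OVS, where iptables is bypassed."""
    return [r["tap"] for r in classify_interfaces(domain_xml) if r["direct_ovs"]]


if __name__ == "__main__":
    for row in classify_interfaces(SAMPLE_DOMAIN_XML):
        print(row)
```

On a compute node the input would come from `virsh dumpxml <domain>`; any TAP reported by `unfiltered_taps` should be cross-checked against the `ovs-vsctl show` and `iptables-save` output mentioned in the report.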