openstack team mailing list archive

Re: quantum l2 networks

 

You said:

> it works, but when i try to attach a security group to an exist vm , api
> throw an error :"Network requires port_security_enabled and subnet
> associated in order to apply security groups."

What command are you running to generate that error?



On Sat, Jun 8, 2013 at 1:45 AM, daniels cai <danxcai@xxxxxxxxx> wrote:

> Aaron, thanks for your answers, i see it.
>
> we are not using nvp in our environment yet.
>
> my vm is boot with a subnet_id specified.
> i am sure about it.
> here is more info:
>
> vm has an ip "192.168.6.100" , this ip belongs to subnet
> 83afd693-7e36-41e9-b896-9d8b0d89d255, this subnet belongs to network
> "iaas-net", network id is 5332f0f7-3156-4961-aa67-0b8507265fa5
>
> # nova list
>
> | 24891d97-8d0e-4e99-9537-c8f8291913d0 | ubuntu-1304-server-amd64 | ACTIVE | iaas-net=192.168.6.100
>
> here is quantum network info :
>
> # quantum net-list
>
> +--------------------------------------+------------------+-------------------------------------------------------+
> | id                                   | name             | subnets                                               |
> +--------------------------------------+------------------+-------------------------------------------------------+
> | 5332f0f7-3156-4961-aa67-0b8507265fa5 | iaas-net         | 329ca377-6193-4a0c-9320-471cd5ff762f 192.168.202.0/24 |
> |                                      |                  | 83afd693-7e36-41e9-b896-9d8b0d89d255 192.168.6.0/24   |
> |                                      |                  | bb1afb2d-ab59-4ba4-8a76-8b5b426b8e33 192.168.7.0/24   |
> |                                      |                  | d59794df-bb49-4924-a19f-cbdec0ce24df 192.168.188.0/24 |
> |                                      |                  | dca45033-e506-42e4-bf05-aaccd0591c55 192.168.193.0/24 |
> |                                      |                  | e8a9be74-2f39-4d7e-9287-c5b85b573cca 192.168.192.0/24 |
>
>
> i enabled the following features in quantum
> 1. namespace
> 2. overlap ips
>
> if any more info needed for debug, i will attach
>
>
>
> Daniels Cai
> http://dnscai.com
>
>
> 2013/6/8 Aaron Rosen <arosen@xxxxxxxxxx>
> >
> > There is no port_security_enabled config option. This is an attribute on
> > a port that is used if the plugin you are using implements the
> > port_security_extension (which is only nvp at the time).
> >
> > I'm guessing your issue is the network you are trying to boot an
> > instance on does not have a subnet associated with it.
> >
> > Aaron
> >
> >
> > On Sat, Jun 8, 2013 at 12:37 AM, daniels cai <danxcai@xxxxxxxxx> wrote:
> >>
> >> hi Aaron
> >> i set the following in nova.conf
> >>
> >> security_group_api=quantum
> >> firewall_driver=nova.virt.firewall.NoopFirewallDriver
> >>
> >> it works, but when i try to attach a security group to an exist vm ,
> >> api throw an error :
> >>
> >> "Network requires port_security_enabled and subnet associated in order
> >> to apply security groups."
> >>
> >> then i add port_security_enabled in quantum.conf in all nodes.
> >> "port_security_enabled=True"
> >>
> >>  with no luck, it still doesn't work .
> >>
> >> Any advice ? does quantum security group support this feature?
> >>
> >> Daniels Cai
> >> http://dnscai.com
> >>
> >>
> >> 2013/6/8 Aaron Rosen <arosen@xxxxxxxxxx>
> >>>
> >>> Hi Joe,
> >>>
> >>> I thought setting firewall_driver =
> >>> quantum.agent.firewall.NoopFirewallDriver would do the trick? Also, the ovs
> >>> plugin does not do any mac spoof filtering at the OVS level. Those are all
> >>> done in iptables.
> >>>
> >>> Aaron
> >>>
> >>> On Fri, Jun 7, 2013 at 8:22 PM, Joe Breu <joseph.breu@xxxxxxxxxxxxx> wrote:
> >>>>
> >>>> Hello,
> >>>>
> >>>> Is there a way to create a quantum l2 network using OVS that does not
> >>>> have MAC and IP spoofing enabled either in iptables or OVS?  One workaround
> >>>> that we found was to set the OVS plugin firewall_driver =
> >>>> quantum.agent.firewall.NoopFirewallDriver to security_group_api=nova
> >>>> however this is far from ideal and doesn't solve the problem of MAC spoof
> >>>> filtering at the OVS level.
> >>>>
> >>>> Thanks for any help
> >>>>
> >>>>
> >>>> _______________________________________________
> >>>> Mailing list: https://launchpad.net/~openstack
> >>>> Post to     : openstack@xxxxxxxxxxxxxxxxxxx
> >>>> Unsubscribe : https://launchpad.net/~openstack
> >>>> More help   : https://help.launchpad.net/ListHelp
> >>>
> >>
> >
>
