← Back to team overview

openstack team mailing list archive

Re: quantum l2 networks

 

nova add-secgroup 24891d97-8d0e-4e99-9537-c8f8291913d0 d11

ERROR: Network requires port_security_enabled and subnet associated in
order to apply security groups. (HTTP 400) (Request-ID:
req-94cb2d54-858b-4843-af53-b373c88bcdc0)


security group is exists

# quantum security-group-list
+--------------------------------------+---------+------------------+
| id                                   | name    | description      |
+--------------------------------------+---------+------------------+
| 0acc8258-bd9f-4f87-b051-a94dbc1504eb | default | default          |
| 5902febc-e793-4b09-8073-567226d83d79 | d11     | des for firewall |
+--------------------------------------+---------+------------------+



Daniels Cai
http://dnscai.com


2013/6/8 Aaron Rosen <arosen@xxxxxxxxxx>

> You said:
>
> >it works, but when i try to attach a security group to an exist vm , api
> throw an error :"Network requires >port_security_enabled and subnet
> associated in order to apply security groups."
>
> What command are you running to generate that error?
>
>
>
> On Sat, Jun 8, 2013 at 1:45 AM, daniels cai <danxcai@xxxxxxxxx> wrote:
>
>> Aaron , thanks for you answers, i see it.
>>
>> we are not useing nvp in our environemnt
>> yet.
>>
>> my vm is boot with a subnet_id specified
>> .
>> i am sure about it .
>> here is more info:
>>
>> vm has an ip "192.168.6.100" , this ip belongs to subnet
>> 83afd693-7e36-41e9-b896-9d8b0d89d255
>> , this subnet belongs to network "iaas-net", network id is
>> 5332f0f7-3156-4961-aa67-0b8507265fa5
>>
>> # nova list
>>
>> | 24891d97-8d0e-4e99-9537-c8f8291913d0 | ubuntu-1304-server-amd64 |
>> ACTIVE  | iaas-net=192.168.6.100
>>
>> here is quantum network info :
>>
>> # quantum net-list
>>
>> +--------------------------------------+------------------+-------------------------------------------------------+
>> | id                                   | name             | subnets
>>                                         |
>>
>> +--------------------------------------+------------------+-------------------------------------------------------+
>> |
>> 5332f0f7-3156-4961-aa67-0b8507265fa5 | iaas-net         |
>> 329ca377-6193-4a0c-9320-471cd5ff762f 192.168.202.0/24 |
>> |                                      |                  |
>> 83afd693-7e36-41e9-b896-9d8b0d89d255 192.168.6.0/24   |
>> |                                      |                  |
>> bb1afb2d-ab59-4ba4-8a76-8b5b426b8e33 192.168.7.0/24   |
>> |                                      |                  |
>> d59794df-bb49-4924-a19f-cbdec0ce24df 192.168.188.0/24 |
>> |                                      |                  |
>> dca45033-e506-42e4-bf05-aaccd0591c55 192.168.193.0/24 |
>> |                                      |                  |
>> e8a9be74-2f39-4d7e-9287-c5b85b573cca 192.168.192.0/24 |
>>
>>
>> i enabled the following features in quantum
>> 1. namespace
>> 2. overlap ips
>>
>> if any more info needed for debug, i will attach
>>
>>
>>
>> Daniels Cai
>> http://dnscai.com
>>
>>
>> 2013/6/8 Aaron Rosen <arosen@xxxxxxxxxx>
>> >
>> > There is no port_security_enabled config option. This is an attribute
>> on a port that is used if the plugin you are using implements the
>> port_security_extension (which is only nvp at the time).
>> >
>> > I'm guessing your issue is the network you are trying to boot an
>> instance on does not have a subnet associated with it.
>> >
>> > Aaron
>> >
>> >
>> > On Sat, Jun 8, 2013 at 12:37 AM, daniels cai <danxcai@xxxxxxxxx> wrote:
>> >>
>> >> hi Aaron
>> >> i set the following in nova.conf
>> >>
>> >> security_group_api=quantum
>> >> firewall_driver=nova.virt.firewall.NoopFirewallDriver
>> >>
>> >> it works, but when i try to attach a security group to an exist vm ,
>> api throw an error :
>> >>
>> >> "Network requires port_security_enabled and subnet associated in order
>> to apply security groups."
>> >>
>> >> the i add port_security_enabled in quantum.conf in all nodes.
>> >> "port_security_enabled=True"
>> >>
>> >>  with no luck, it still doesn't work .
>> >>
>> >> Any advice ? does quantum security group support this feature?
>> >>
>> >> Daniels Cai
>> >> http://dnscai.com
>> >>
>> >>
>> >> 2013/6/8 Aaron Rosen <arosen@xxxxxxxxxx>
>> >>>
>> >>> Hi Joe,
>> >>>
>> >>> I thought setting firewall_driver =
>> quantum.agent.firewall.NoopFirewallDriver would do the trick? Also, the ovs
>> plugin does not do any mac spoof filtering at the OVS level. Those are all
>> done in iptables.
>> >>>
>> >>> Aaron
>> >>>
>> >>> On Fri, Jun 7, 2013 at 8:22 PM, Joe Breu <joseph.breu@xxxxxxxxxxxxx>
>> wrote:
>> >>>>
>> >>>> Hello,
>> >>>>
>> >>>> Is there a way to create a quantum l2 network using OVS that does
>> not have MAC and IP spoofing enabled either in iptables or OVS?  One
>> workaround that we found was to set the OVS plugin firewall_driver =
>> quantum.agent.firewall.NoopFirewallDriver to security_group_api=nova
>> however this is far from ideal and doesn't solve the problem of MAC spoof
>> filtering at the OVS level.
>> >>>>
>> >>>> Thanks for any help
>> >>>>
>> >>>>
>> >>>> _______________________________________________
>> >>>> Mailing list: https://launchpad.net/~openstack
>> >>>> Post to     : openstack@xxxxxxxxxxxxxxxxxxx
>> >>>> Unsubscribe : https://launchpad.net/~openstack
>> >>>> More help   : https://help.launchpad.net/ListHelp
>> >>>
>> >>>
>> >>>
>> >>> _______________________________________________
>> >>> Mailing list: https://launchpad.net/~openstack
>> >>> Post to     : openstack@xxxxxxxxxxxxxxxxxxx
>> >>> Unsubscribe : https://launchpad.net/~openstack
>> >>> More help   : https://help.launchpad.net/ListHelp
>> >>>
>> >>
>> >
>>
>
>

Follow ups

References