openstack team mailing list archive

Re: quantum l2 networks

 

Hi Daniel,

Thanks for finding this! This is a bug. The code wasn't accounting for the
case where the plugin didn't implement port_security_enabled.  Here's a patch
that fixes the issue in the meantime.

Best,

Aaron

--- a/nova/network/security_group/quantum_driver.py
+++ b/nova/network/security_group/quantum_driver.py
@@ -340,8 +340,9 @@ class
SecurityGroupAPI(security_group_base.SecurityGroupBase):
         has_ip = port.get('fixed_ips')
         if port_security_enabled and has_ip:
             return True
-        else:
-            return False
+        elif 'port_security_enabled' not in port and has_ip:
+            return True
+        return False

     @wrap_check_security_groups_policy
     def add_to_instance(self, context, instance, security_group_name):
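
Review bot: The new `elif 'port_security_enabled' not in port and has_ip` branch has no comment saying why a port without the key is accepted, and it repeats the `has_ip` test from the branch above it. A one-line comment (the attribute is absent when the plugin does not implement the port security extension) would help the next reader, and the two branches could fold into a single `return bool(has_ip and (port_security_enabled or 'port_security_enabled' not in port))`. A port that carries the key with a false value still reaches `return False`; since this check decides whether security groups can be bound to the port, a unit test covering both the missing-key and the explicitly-disabled case would pin that behaviour.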



On Sat, Jun 8, 2013 at 2:14 AM, daniels cai <danxcai@xxxxxxxxx> wrote:

>
> nova add-secgroup 24891d97-8d0e-4e99-9537-c8f8291913d0 d11
>
> ERROR: Network requires port_security_enabled and subnet associated in
> order to apply security groups. (HTTP 400) (Request-ID:
> req-94cb2d54-858b-4843-af53-b373c88bcdc0)
>
>
> security group exists
>
> # quantum security-group-list
> +--------------------------------------+---------+------------------+
> | id                                   | name    | description      |
> +--------------------------------------+---------+------------------+
> | 0acc8258-bd9f-4f87-b051-a94dbc1504eb | default | default          |
> | 5902febc-e793-4b09-8073-567226d83d79 | d11     | des for firewall |
> +--------------------------------------+---------+------------------+
>
>
>
> Daniels Cai
> http://dnscai.com
>
>
> 2013/6/8 Aaron Rosen <arosen@xxxxxxxxxx>
>
>> You said:
>>
>> > it works, but when i try to attach a security group to an existing vm,
>> > api throws an error: "Network requires port_security_enabled and subnet
>> > associated in order to apply security groups."
>>
>> What command are you running to generate that error?
>>
>>
>>
>> On Sat, Jun 8, 2013 at 1:45 AM, daniels cai <danxcai@xxxxxxxxx> wrote:
>>
>>> Aaron, thanks for your answers, i see it.
>>>
>>> we are not using nvp in our environment yet.
>>>
>>> my vm is booted with a subnet_id specified.
>>> i am sure about it.
>>> here is more info:
>>>
>>> vm has an ip "192.168.6.100", this ip belongs to subnet
>>> 83afd693-7e36-41e9-b896-9d8b0d89d255, this subnet belongs to network
>>> "iaas-net", network id is 5332f0f7-3156-4961-aa67-0b8507265fa5
>>>
>>> # nova list
>>>
>>> | 24891d97-8d0e-4e99-9537-c8f8291913d0 | ubuntu-1304-server-amd64 | ACTIVE  | iaas-net=192.168.6.100
>>>
>>> here is quantum network info :
>>>
>>> # quantum net-list
>>>
>>> +--------------------------------------+------------------+-------------------------------------------------------+
>>> | id                                   | name             | subnets                                               |
>>> +--------------------------------------+------------------+-------------------------------------------------------+
>>> | 5332f0f7-3156-4961-aa67-0b8507265fa5 | iaas-net         | 329ca377-6193-4a0c-9320-471cd5ff762f 192.168.202.0/24 |
>>> |                                      |                  | 83afd693-7e36-41e9-b896-9d8b0d89d255 192.168.6.0/24   |
>>> |                                      |                  | bb1afb2d-ab59-4ba4-8a76-8b5b426b8e33 192.168.7.0/24   |
>>> |                                      |                  | d59794df-bb49-4924-a19f-cbdec0ce24df 192.168.188.0/24 |
>>> |                                      |                  | dca45033-e506-42e4-bf05-aaccd0591c55 192.168.193.0/24 |
>>> |                                      |                  | e8a9be74-2f39-4d7e-9287-c5b85b573cca 192.168.192.0/24 |
>>>
>>>
>>> i enabled the following features in quantum
>>> 1. namespace
>>> 2. overlap ips
>>>
>>> if any more info needed for debug, i will attach
>>>
>>>
>>>
>>> Daniels Cai
>>> http://dnscai.com
>>>
>>>
>>> 2013/6/8 Aaron Rosen <arosen@xxxxxxxxxx>
>>> >
>>> > There is no port_security_enabled config option. This is an attribute
>>> > on a port that is used if the plugin you are using implements the
>>> > port_security_extension (which is only nvp at the time).
>>> >
>>> > I'm guessing your issue is the network you are trying to boot an
>>> > instance on does not have a subnet associated with it.
>>> >
>>> > Aaron
>>> >
>>> >
>>> > On Sat, Jun 8, 2013 at 12:37 AM, daniels cai <danxcai@xxxxxxxxx> wrote:
>>> >>
>>> >> hi Aaron
>>> >> i set the following in nova.conf
>>> >>
>>> >> security_group_api=quantum
>>> >> firewall_driver=nova.virt.firewall.NoopFirewallDriver
>>> >>
>>> >> it works, but when i try to attach a security group to an existing vm,
>>> >> api throws an error:
>>> >>
>>> >> "Network requires port_security_enabled and subnet associated in
>>> >> order to apply security groups."
>>> >>
>>> >> then i add port_security_enabled in quantum.conf in all nodes.
>>> >> "port_security_enabled=True"
>>> >>
>>> >>  with no luck, it still doesn't work .
>>> >>
>>> >> Any advice ? does quantum security group support this feature?
>>> >>
>>> >> Daniels Cai
>>> >> http://dnscai.com
>>> >>
>>> >>
>>> >> 2013/6/8 Aaron Rosen <arosen@xxxxxxxxxx>
>>> >>>
>>> >>> Hi Joe,
>>> >>>
>>> >>> I thought setting firewall_driver =
>>> >>> quantum.agent.firewall.NoopFirewallDriver would do the trick? Also, the ovs
>>> >>> plugin does not do any mac spoof filtering at the OVS level. Those are all
>>> >>> done in iptables.
>>> >>>
>>> >>> Aaron
>>> >>>
>>> >>> On Fri, Jun 7, 2013 at 8:22 PM, Joe Breu <joseph.breu@xxxxxxxxxxxxx> wrote:
>>> >>>>
>>> >>>> Hello,
>>> >>>>
>>> >>>> Is there a way to create a quantum l2 network using OVS that does
>>> >>>> not have MAC and IP spoofing enabled either in iptables or OVS?  One
>>> >>>> workaround that we found was to set the OVS plugin firewall_driver =
>>> >>>> quantum.agent.firewall.NoopFirewallDriver to security_group_api=nova
>>> >>>> however this is far from ideal and doesn't solve the problem of MAC spoof
>>> >>>> filtering at the OVS level.
>>> >>>>
>>> >>>> Thanks for any help
>>> >>>>
>>> >>>>
>>> >>>> _______________________________________________
>>> >>>> Mailing list: https://launchpad.net/~openstack
>>> >>>> Post to     : openstack@xxxxxxxxxxxxxxxxxxx
>>> >>>> Unsubscribe : https://launchpad.net/~openstack
>>> >>>> More help   : https://help.launchpad.net/ListHelp