yahoo-eng-team team mailing list archive

[Bug 1248859] Re: Security groups don't work with LibvirtGenericVIFDriver driver

 

You need to configure firewall_driver =
nova.virt.libvirt.firewall.IptablesFirewallDriver. Unfortunately, a
default devstack install now configures it as
firewall_driver=nova.virt.firewall.NoopFirewallDriver when using
Neutron, so this may be a devstack bug.


** Changed in: nova
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1248859

Title:
  Security groups don't work with LibvirtGenericVIFDriver driver

Status in OpenStack Compute (Nova):
  Invalid

Bug description:
  Security groups on master branch using Neutron and OVS plugin are
  broken. No problem to create/delete security group rules but even
  though iptables configuration is updated, traffic to my instances is
  never filtered [0].

  I'm running DevStack on 2 nodes (1 controller + 1 compute):
  - OS: Ubuntu 12.04.3 (LTS) with the Havana cloud archive repository.
  - Open vSwitch package version: 1.10.2-0ubuntu2~cloud0
  - libvirt package version: 1.1.1-0ubuntu8~cloud2
  - localrc, nova.conf, neutron.conf and ovs_neutron_plugin.ini files pasted at [1] (I didn't modify any of these files after the DevStack run)

  According to [2], [3] and [4], iptables is not compatible with TAP
  devices connected directly to Open vSwitch ports, this is why there
  used to be the additional veth + bridge interfaces [5]. But in my
  setup, this is not the case anymore as shown in [6] ('ovs-vsctl show'
  + 'iptables-save' output). I've also pasted the libvirt XML
  configuration [7] that shows that the instance is directly connected
  to the Open vSwitch.

  
  [0] http://paste.openstack.org/show/50490/
  [1] http://paste.openstack.org/show/50448/
  [2] http://www.spinics.net/linux/fedora/libvirt-users/msg05384.html
  [3] http://openvswitch.org/pipermail/discuss/2013-October/011461.html
  [4] http://docs.openstack.org/havana/configreference/content/under_the_hood_openvswitch.html
  [5] http://docs.openstack.org/havana/config-reference/content/figures/7/a/a/common/figures/under-the-hood-scenario-2-ovs-compute.png
  [6] http://paste.openstack.org/show/50486/
  [7] http://paste.openstack.org/show/50487/

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1248859/+subscriptions
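
Added example (not part of the original report and not Nova or Neutron code): a check that reads a libvirt domain XML and lists the TAP devices plugged straight into Open vSwitch, the layout the bug description says iptables cannot filter. The sample XML, device names and function names are constructed for illustration and are not taken from the pastes linked above.

```python
import xml.etree.ElementTree as ET

# Constructed libvirt domain XML: one NIC attached directly to OVS, one to a Linux bridge.
SAMPLE_DOMAIN_XML = """
<domain type='kvm'>
  <name>instance-00000001</name>
  <devices>
    <interface type='bridge'>
      <mac address='fa:16:3e:00:00:01'/>
      <source bridge='br-int'/>
      <virtualport type='openvswitch'>
        <parameters interfaceid='11111111-2222-3333-4444-555555555555'/>
      </virtualport>
      <target dev='tap11111111-22'/>
    </interface>
    <interface type='bridge'>
      <mac address='fa:16:3e:00:00:02'/>
      <source bridge='qbr66666666-77'/>
      <target dev='tap66666666-77'/>
    </interface>
  </devices>
</domain>
"""

def classify_interfaces(domain_xml):
    """Return (tap, bridge, verdict) for every <interface> of a libvirt domain."""
    results = []
    for iface in ET.fromstring(domain_xml).iter("interface"):
        target = iface.find("target")
        source = iface.find("source")
        vport = iface.find("virtualport")
        tap = target.get("dev") if target is not None else None
        bridge = source.get("bridge") if source is not None else None
        if vport is not None and vport.get("type") == "openvswitch":
            verdict = "direct-ovs"    # TAP is an OVS port: the case the report describes
        elif iface.get("type") == "bridge":
            verdict = "linux-bridge"  # TAP sits on a Linux bridge (veth + bridge layout)
        else:
            verdict = "other"
        results.append((tap, bridge, verdict))
    return results

def unfiltered_taps(domain_xml):
    """TAP devices for which iptables security group rules would have no effect."""
    return [tap for tap, _, verdict in classify_interfaces(domain_xml)
            if verdict == "direct-ovs"]

if __name__ == "__main__":
    for row in classify_interfaces(SAMPLE_DOMAIN_XML):
        print(row)
```

To check a running instance, pass the output of `virsh dumpxml <domain>` to `unfiltered_taps` instead of the sample.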