yahoo-eng-team team mailing list archive
Message #06007
[Bug 1248859] Re: Security groups don't work with LibvirtGenericVIFDriver driver
Actually - running the Noop driver when neutron is enabled is intended, as nova would let Neutron configure security groups.
I guess that Simon's configuration was working before the switch to the new generic drivers.
It will be good to check what the port binding extension is returning
for your neutron ports. It should instruct the generic driver to use
the 'hybrid' mode (chaining a LB bridge onto the OVS integration
bridge). If it just uses OVS integration bridge, sec groups won't be
enforced at all in gre mode, and enforced only at the uplink in vlan
mode.
Moving to incomplete waiting for more input.
** Changed in: nova
Status: Invalid => Incomplete
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1248859
Title:
Security groups don't work with LibvirtGenericVIFDriver driver
Status in OpenStack Compute (Nova):
Incomplete
Bug description:
Security groups on master branch using Neutron and OVS plugin are
broken. No problem to create/delete security group rules but even
though iptables configuration is updated, traffic to my instances is
never filtered [0].
I'm running DevStack on 2 nodes (1 controller + 1 compute):
- OS: Ubuntu 12.04.3 (LTS) with the Havana cloud archive repository.
- Open vSwitch package version: 1.10.2-0ubuntu2~cloud0
- libvirt package version: 1.1.1-0ubuntu8~cloud2
- localrc, nova.conf, neutron.conf and ovs_neutron_plugin.ini files pasted at [1] (I didn't modify any of these files after the DevStack run)
According to [2], [3] and [4], iptables is not compatible with TAP
devices connected directly to Open vSwitch ports, this is why there
used to be the additional veth + bridge interfaces [5]. But in my
setup, this is not the case anymore as shown in [6] ('ovs-vsctl show'
+ 'iptables-save' output). I've also pasted the libvirt XML
configuration [7] that shows that the instance is directly connected
to the Open vSwitch.
[0] http://paste.openstack.org/show/50490/
[1] http://paste.openstack.org/show/50448/
[2] http://www.spinics.net/linux/fedora/libvirt-users/msg05384.html
[3] http://openvswitch.org/pipermail/discuss/2013-October/011461.html
[4] http://docs.openstack.org/havana/configreference/content/under_the_hood_openvswitch.html
[5] http://docs.openstack.org/havana/config-reference/content/figures/7/a/a/common/figures/under-the-hood-scenario-2-ovs-compute.png
[6] http://paste.openstack.org/show/50486/
[7] http://paste.openstack.org/show/50487/
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1248859/+subscriptions
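The check suggested in the comment above (is the VIF wired in hybrid mode through a Linux bridge and veth pair, or attached straight to the OVS integration bridge?) can be scripted from the same two outputs the reporter pasted, `ovs-vsctl show` and `iptables-save`. The script below is an added example for this thread, not code from nova, neutron or the bug's participants. It assumes the Havana-era naming used by the OVS agent: `tap<id>` on Linux bridge `qbr<id>`, veth pair `qvb<id>`/`qvo<id>` with `qvo<id>` as the port on `br-int` (hybrid), versus `tap<id>` itself as the `br-int` port (direct), where `<id>` is the first 11 characters of the Neutron port UUID. The sample `ovs-vsctl show` and `iptables-save` text, the port prefix and the chain names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the bug thread or from nova/neutron): classify how an
# instance VIF is attached and whether security-group iptables rules can apply.
# Security-group rules use '-m physdev --physdev-in/out tap<id>', which only
# matches frames passing through a Linux bridge; a tap plugged directly into
# br-int is never seen by those rules, so the groups are silently bypassed.

# vif_mode PORT_PREFIX OVS_VSCTL_SHOW_TEXT -> prints hybrid | direct | unknown
vif_mode() {
    prefix="$1"
    ovs_out="$2"
    if printf '%s\n' "$ovs_out" | grep -q "Port \"qvo$prefix\""; then
        echo hybrid      # veth end qvo<id> sits on br-int: LB bridge is in the path
    elif printf '%s\n' "$ovs_out" | grep -q "Port \"tap$prefix\""; then
        echo direct      # tap<id> is the br-int port itself: no Linux bridge
    else
        echo unknown
    fi
}

# has_physdev_rules PORT_PREFIX IPTABLES_SAVE_TEXT -> exit 0 if SG rules exist
has_physdev_rules() {
    printf '%s\n' "$2" | grep -E -q -- "--physdev-(in|out) tap$1"
}

# sg_status PORT_PREFIX OVS_TEXT IPT_TEXT -> enforced | no-rules | bypassed | unknown
sg_status() {
    mode=$(vif_mode "$1" "$2")
    if [ "$mode" = hybrid ] && has_physdev_rules "$1" "$3"; then
        echo enforced
    elif [ "$mode" = hybrid ]; then
        echo no-rules    # wiring is right but the agent has not programmed rules
    elif [ "$mode" = direct ]; then
        echo bypassed    # rules may exist, but physdev never matches this tap
    else
        echo unknown
    fi
}

# Constructed samples (port-id prefix, ovs-vsctl show and iptables-save excerpts).
PREFIX='4b1f2c3d-9a'
OVS_DIRECT='Bridge br-int
    Port "tap4b1f2c3d-9a"
        Interface "tap4b1f2c3d-9a"
    Port br-int
        Interface br-int
            type: internal'
OVS_HYBRID='Bridge br-int
    Port "qvo4b1f2c3d-9a"
        Interface "qvo4b1f2c3d-9a"
    Port br-int
        Interface br-int
            type: internal'
IPT_RULES='-A neutron-openvswi-FORWARD -m physdev --physdev-out tap4b1f2c3d-9a --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-in tap4b1f2c3d-9a --physdev-is-bridged -j neutron-openvswi-sg-chain'

# On a compute node, pass a port-id prefix to inspect the live wiring instead.
if [ -n "$1" ] && command -v ovs-vsctl >/dev/null 2>&1 && command -v iptables-save >/dev/null 2>&1; then
    echo "$1: $(sg_status "$1" "$(ovs-vsctl show)" "$(iptables-save)")"
else
    echo "direct sample: $(sg_status "$PREFIX" "$OVS_DIRECT" "$IPT_RULES")"
    echo "hybrid sample: $(sg_status "$PREFIX" "$OVS_HYBRID" "$IPT_RULES")"
fi
```

Run with no arguments it reports the two constructed cases (`bypassed` for the direct wiring the reporter saw, `enforced` for hybrid wiring with rules present); run as root on a compute node with a port-id prefix it reads the real `ovs-vsctl show` and `iptables-save` output. A `bypassed` verdict is the condition described in this bug: the rules are in the table, but nothing flows through the bridge they match on.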