How to attach a port without any IP and firewall to an instance?
Hello!
I just deployed my first OpenStack Ocata cloud.
I want to delegate L3 networking (including routing, firewall, NAT, DHCP) to an external router. I want OpenStack to do only L2 bridging.
Therefore I've tried to attach an interface without an IP to an instance, but I got an error: "ERROR (BadRequest): Network requires port_security_enabled and subnet associated in order to apply security groups"
My network and port config:
(openstack) network show vlan3022
+---------------------------+--------------------------------------+
| Field                     | Value                                |
+---------------------------+--------------------------------------+
| admin_state_up            | UP                                   |
| availability_zone_hints   |                                      |
| availability_zones        | nova                                 |
| created_at                | 2017-06-30T15:13:15Z                 |
| description               |                                      |
| dns_domain                | None                                 |
| id                        | f974e568-c8e6-4960-bd9b-e62f3fc47646 |
| ipv4_address_scope        | None                                 |
| ipv6_address_scope        | None                                 |
| is_default                | False                                |
| mtu                       | 1500                                 |
| name                      | vlan3022                             |
| port_security_enabled     | False                                |
| project_id                | a9906466fdb54d24999e1c36e4af4b99     |
| provider:network_type     | vlan                                 |
| provider:physical_network | provider                             |
| provider:segmentation_id  | 3022                                 |
| qos_policy_id             | None                                 |
| revision_number           | 6                                    |
| router:external           | External                             |
| segments                  | None                                 |
| shared                    | True                                 |
| status                    | ACTIVE                               |
| subnets                   |                                      |
| updated_at                | 2017-06-30T16:43:53Z                 |
+---------------------------+--------------------------------------+

(openstack) port show test1
+-----------------------+--------------------------------------+
| Field                 | Value                                |
+-----------------------+--------------------------------------+
| admin_state_up        | UP                                   |
| allowed_address_pairs |                                      |
| binding_host_id       |                                      |
| binding_profile       |                                      |
| binding_vif_details   |                                      |
| binding_vif_type      | unbound                              |
| binding_vnic_type     | normal                               |
| created_at            | 2017-06-30T16:44:12Z                 |
| description           |                                      |
| device_id             |                                      |
| device_owner          |                                      |
| dns_assignment        | None                                 |
| dns_name              | None                                 |
| extra_dhcp_opts       |                                      |
| fixed_ips             |                                      |
| id                    | 80b55620-2fd1-48c2-8fd0-fd6a579341ec |
| ip_address            | None                                 |
| mac_address           | fa:16:3e:0e:06:00                    |
| name                  | test1                                |
| network_id            | f974e568-c8e6-4960-bd9b-e62f3fc47646 |
| option_name           | None                                 |
| option_value          | None                                 |
| port_security_enabled | False                                |
| project_id            | a9906466fdb54d24999e1c36e4af4b99     |
| qos_policy_id         | None                                 |
| revision_number       | 3                                    |
| security_groups       | b02fc3c1-891b-4cce-98a4-87a3a11505a7 |
| status                | DOWN                                 |
| subnet_id             | None                                 |
| updated_at            | 2017-06-30T16:44:12Z                 |
+-----------------------+--------------------------------------+
Is it possible to attach an interface without any IPs and security groups to an instance?
Thank you!
You probably have to change the firewall_driver config setting in the openvswitch or linuxbridge agent config file (whichever agent you are using). Perhaps a value of none works? Unfortunately I don't see this documented very well. This might help: https://gist.github.com/djoreilly/db9.... If not, google some more for "firewall_driver".
Thanks for the advice. There is no problem disabling the firewall. My real problem: I can't attach an interface without an IP. Of course I can attach a fake IP which will not be used, but I guess that's not a good solution :(
Ports without IP address are possible starting with Newton: http://specs.openstack.org/openstack/...
Aaah, but perhaps Nova doesn't like such ports. I don't know what's the status of this bug: https://bugs.launchpad.net/nova/+bug/...