
RDO packstack: qbr missing with LibvirtGenericVIFDriver

asked 2014-03-13 06:48:57 -0500

sebastian

updated 2014-03-14 12:56:58 -0500

smaffulli

I'm troubleshooting why RDO packstack "allinone" behaves in a non-deterministic way and sometimes configures "qbr" and sometimes not. I did some research and found out that qbr is needed to enforce security groups.

In my case I have TWO setups, and with RH I have qbr and in F20 I do not.

Here are my findings:

  • two setups RH 6.4 & Fedora 20

  • installed with packstack --allinone

  • RH 6.4: /etc/nova/nova.conf:libvirt_vif_driver=nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver

  • F20: /etc/nova/nova.conf:libvirt_vif_driver=nova.virt.libvirt.vif.LibvirtGenericVIFDriver

  • as expected in F20 qbr is missing. I did some research and it looks like LibvirtHybridOVSBridgeDriver is deprecated and we should use LibvirtGenericVIFDriver

When I look into the code: /nova/virt/libvirt/vif.py I can see that LibvirtGenericVIFDriver is enough to enforce security groups:

class LibvirtGenericVIFDriver(LibvirtBaseVIFDriver):
    """Generic VIF driver for libvirt networking."""



    def get_firewall_required(self):
        # TODO(berrange): Extend this to use information from VIF model
        # which can indicate whether the network provider (eg Neutron)
        # has already applied firewall filtering itself.
        if CONF.firewall_driver != "nova.virt.firewall.NoopFirewallDriver":
            return True
        return False

  • Here's the configuration:

RH:

/etc/nova/nova.conf:firewall_driver=nova.virt.firewall.NoopFirewallDriver
/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini:firewall_driver=neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
/etc/neutron/plugin.ini:firewall_driver=neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver

F20:

/etc/nova/nova.conf:firewall_driver=nova.virt.firewall.NoopFirewallDriver
/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini:firewall_driver=neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
/etc/neutron/plugin.ini - is MISSING!

Questions

  • Why is /etc/neutron/plugin.ini missing?
  • What should I do to enable security groups on F20?
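Added example (not part of the original post, and not nova or packstack code): a small check that applies the get_firewall_required() comparison quoted in the question to the two configurations it lists, and flags the missing plugin.ini. It assumes the generic driver only builds the qbr bridge when that function returns True; the helper and constant names are made up for the example.

```python
# Added example, not nova or packstack code. Input: grep-style lines as in the question.
NOOP = "nova.virt.firewall.NoopFirewallDriver"
GENERIC_VIF = "nova.virt.libvirt.vif.LibvirtGenericVIFDriver"
NOVA_CONF = "/etc/nova/nova.conf"
PLUGIN_INI = "/etc/neutron/plugin.ini"

def parse_grep(text):
    """Turn 'path:key=value' lines into {path: {key: value}}."""
    settings = {}
    for line in text.splitlines():
        path, sep, rest = line.strip().partition(":")
        key, eq, value = rest.partition("=")
        if not sep or not eq:
            continue  # free-text notes such as "... - is MISSING!"
        settings.setdefault(path, {})[key.strip()] = value.strip()
    return settings

def get_firewall_required(firewall_driver):
    """Same comparison as the get_firewall_required() quoted in the question."""
    return firewall_driver != NOOP

def audit(settings):
    """Return the findings for one host (hypothetical helper)."""
    nova = settings.get(NOVA_CONF, {})
    findings = []
    if PLUGIN_INI not in settings:
        findings.append(PLUGIN_INI + " missing")
    # Assumption: the generic driver only builds the qbr bridge when
    # get_firewall_required() returns True.
    if (nova.get("libvirt_vif_driver") == GENERIC_VIF
            and not get_firewall_required(nova.get("firewall_driver"))):
        findings.append("generic VIF driver with Noop nova firewall: no qbr expected")
    return findings

RH = """\
/etc/nova/nova.conf:libvirt_vif_driver=nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver
/etc/nova/nova.conf:firewall_driver=nova.virt.firewall.NoopFirewallDriver
/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini:firewall_driver=neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
/etc/neutron/plugin.ini:firewall_driver=neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
"""
F20 = """\
/etc/nova/nova.conf:libvirt_vif_driver=nova.virt.libvirt.vif.LibvirtGenericVIFDriver
/etc/nova/nova.conf:firewall_driver=nova.virt.firewall.NoopFirewallDriver
/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini:firewall_driver=neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
/etc/neutron/plugin.ini - is MISSING!
"""

for host, text in (("RH", RH), ("F20", F20)):
    print(host, audit(parse_grep(text)))
```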

1 answer


answered 2014-03-24 13:01:31 -0500

The script in Kashyap's blog post at http://kashyapc.com/2013/12/13/script... contains, among other things, the command lines for enabling security groups in F20.



Stats

Asked: 2014-03-13 06:48:57 -0500

Seen: 191 times

Last updated: Mar 24 '14