Default Neutron security group is ineffective
Good afternoon everybody, How are you? I hope you are fine.
I'm new in the new openstack world. My first step was install the Openstack on the computers with ubuntu following the tutorial found in the http://docs.openstack.org/havana/install-guide/install/apt/content/ . Also I use the openvswitch.
After verify if the services are actives and enable, I created one external network, a networks with subnet, both of them connected a one router, further I set the gateway to the router on the external network (following the example in the docs.openstack). By the other hand, I launch one VM and associate a flooting IP the external network, further verify the connectivity between the router, the VM and the DHCP, all of them work well. After I try to ping the floating IP from the other computer, external the testbed, and that my surprise that i can ping. I supposed that not possible because don't exists rules about this traffic. Thus I verified the security groups rules and found the group Default with 4 rules that allowing access the traffic IPv4 and IPv6 (eggress and ingress). I guessed this rules are responsible for ensure the connectivity between openstack and VMs. But anyway delete this rules and try the ping again from the external PC and the ping work again.
The configuration about nova.conf, nova-compute conf and neutron_plugin_ovs are:
nova.conf:
[DEFAULT]
dhcpbridge_flagfile=/etc/nova/nova.conf
dhcpbridge=/usr/bin/nova-dhcpbridge
logdir=/var/log/nova
state_path=/var/lib/nova
lock_path=/var/lock/nova
force_dhcp_release=True
iscsi_helper=tgtadm
libvirt_use_virtio_for_bridges=True
connection_type=libvirt
root_helper=sudo nova-rootwrap /etc/nova/rootwrap.conf
verbose=True
ec2_private_dns_show_ip=True
api_paste_config=/etc/nova/api-paste.ini
volumes_path=/var/lib/nova/volumes
enabled_apis=ec2,osapi_compute,metadata
#Network Settings
network_api_class=nova.network.neutronv2.api.API
neutron_url=http://controller:9696
neutron_auth_strategy=keystone
neutron_admin_tenant_name=service
neutron_admin_username=neutron
neutron_admin_password=password
neutron_admin_auth_url=http://controller:35357/v2.0
libvirt_vif_driver=nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver
linuxnet_interface_driver=nova.network.linux_net.LinuxOVSInterfaceDriver
firewall_driver = nova.virt.firewall.NoopFirewallDriver
security_group_api=neutron
nova-compute.conf
[DEFAULT]
libvirt_type=kvm
compute_driver=libvirt.LibvirtDriver
ovs_neutron plugin:
[securitygroup]
# Firewall driver for realizing neutron security group function.
# firewall_driver = neutron.agent.firewall.NoopFirewallDriver
# Example:
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
Thanks an advance. Sorry for bother you.
Best Regards, Rafael.
Check that you have not installed the ovs bridge compatibility package. If you are not sure what that is, please append the output of 'sudo ovs-vsctl show' from the compute node to the question.
Ok, good, it is not installed as ovs-vsctl show does not have any qbr-xxxxxx-xx bridges. Can you run 'iptables-save' and 'brctl show' and 'ip link', and put their output on paste.openstack.com. Then edit the original question above and append the link to it.
Ok thanks for your help :). The output are: iptables-save = http://paste.openstack.org/show/53813/ brctl show = http://paste.openstack.org/show/53814/ ip link = http://paste.openstack.org/show/53815/
I don't think you had an instance running when you ran those commands? Can you repeat with an instance running.
Yes you're right. I don't know why my instance don't running. I only answer you today because I have a other problem right now with the instance that is I can ping the instance from my controller node, but since my instance I can't ping the router and the dhcp interface and i understand very well why. I see the logs, then I found this in the openvswitch log: http://paste.openstack.org/show/53854/ After that I went to google and the ask openstack to found similar errors but I can't have a conclusion about it. If you can help I will be gratefully. Best Regards Rafael