6

Default Neutron security group is ineffective

asked 2013-11-21 10:36:06 -0500 by rg3

updated 2013-11-22 07:14:21 -0500 by darragh-oreilly

Good afternoon everybody, how are you? I hope you are fine.

I'm new to the OpenStack world. My first step was to install OpenStack on the computers with Ubuntu, following the tutorial found at http://docs.openstack.org/havana/install-guide/install/apt/content/ . I also use Open vSwitch.

After verifying that the services are active and enabled, I created one external network and a network with a subnet, both of them connected to one router; furthermore, I set the gateway of the router on the external network (following the example in the docs.openstack). On the other hand, I launched one VM and associated a floating IP from the external network, then verified the connectivity between the router, the VM and the DHCP; all of them work well. After that I tried to ping the floating IP from another computer, external to the testbed, and to my surprise I can ping. I supposed that was not possible because no rules exist for this traffic. Thus I verified the security group rules and found the group Default with 4 rules that allow the IPv4 and IPv6 traffic (egress and ingress). I guessed these rules are responsible for ensuring the connectivity between OpenStack and the VMs. But anyway I deleted these rules and tried the ping again from the external PC, and the ping works again.

The configuration of nova.conf, nova-compute.conf and the Neutron OVS plugin is:

nova.conf:

[DEFAULT]
dhcpbridge_flagfile=/etc/nova/nova.conf
dhcpbridge=/usr/bin/nova-dhcpbridge
logdir=/var/log/nova
state_path=/var/lib/nova
lock_path=/var/lock/nova
force_dhcp_release=True
iscsi_helper=tgtadm
libvirt_use_virtio_for_bridges=True
connection_type=libvirt
root_helper=sudo nova-rootwrap /etc/nova/rootwrap.conf
verbose=True
ec2_private_dns_show_ip=True
api_paste_config=/etc/nova/api-paste.ini
volumes_path=/var/lib/nova/volumes
enabled_apis=ec2,osapi_compute,metadata
#Network Settings

network_api_class=nova.network.neutronv2.api.API
neutron_url=http://controller:9696
neutron_auth_strategy=keystone
neutron_admin_tenant_name=service
neutron_admin_username=neutron
neutron_admin_password=password
neutron_admin_auth_url=http://controller:35357/v2.0
libvirt_vif_driver=nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver
linuxnet_interface_driver=nova.network.linux_net.LinuxOVSInterfaceDriver
firewall_driver = nova.virt.firewall.NoopFirewallDriver
security_group_api=neutron

nova-compute.conf

[DEFAULT]
libvirt_type=kvm
compute_driver=libvirt.LibvirtDriver

ovs_neutron plugin:

[securitygroup]
# Firewall driver for realizing neutron security group function.
# firewall_driver = neutron.agent.firewall.NoopFirewallDriver
# Example: 
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver

Thanks in advance. Sorry for bothering you.

Best Regards, Rafael.


Comments

Check that you have not installed the ovs bridge compatibility package. If you are not sure what that is, please append the output of 'sudo ovs-vsctl show' from the compute node to the question.

darragh-oreilly (2013-11-21 13:38:58 -0500)

Ok, good, it is not installed, as ovs-vsctl show does not have any qbr-xxxxxx-xx bridges. Can you run 'iptables-save', 'brctl show' and 'ip link', and put their output on paste.openstack.com? Then edit the original question above and append the link to it.

darragh-oreilly (2013-11-22 07:05:15 -0500)

Ok, thanks for your help :). The outputs are: iptables-save = http://paste.openstack.org/show/53813/ , brctl show = http://paste.openstack.org/show/53814/ , ip link = http://paste.openstack.org/show/53815/

rg3 (2013-11-22 08:36:06 -0500)

I don't think you had an instance running when you ran those commands? Can you repeat with an instance running?

darragh-oreilly (2013-11-22 09:09:25 -0500)

Yes, you're right. I don't know why my instance isn't running. I only answer you today because I have another problem right now with the instance: I can ping the instance from my controller node, but from my instance I can't ping the router and the DHCP interface, and I don't understand very well why. I looked at the logs, and then I found this in the openvswitch log: http://paste.openstack.org/show/53854/ After that I went to Google and to Ask OpenStack to find similar errors, but I can't reach a conclusion about it. If you can help I will be grateful. Best Regards, Rafael

rg3 (2013-11-23 11:09:52 -0500)
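The thread turns on three driver settings having to agree (nova delegating filtering to Neutron, the hybrid libvirt VIF driver creating a qbr Linux bridge, and the OVS agent's hybrid iptables driver hooking that bridge) plus the qbr bridges not being owned by OVS. The audit below is an added example, not code from the original post or from OpenStack; it assumes the Havana option names shown in the question and uses constructed config and ovs-vsctl samples:

```python
"""Audit the Havana security-group wiring from the question (added example, not
from the original post; sample configs and ovs-vsctl text are constructed)."""
import configparser
import re

# With security_group_api=neutron, nova must not filter itself (Noop), the libvirt
# VIF driver must create the qbr bridge, and the OVS agent must hook it with iptables.
NOVA_EXPECTED = {
    "security_group_api": "neutron",
    "firewall_driver": "nova.virt.firewall.NoopFirewallDriver",
    "libvirt_vif_driver": "nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver",
}
PLUGIN_FIREWALL = "neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver"

def _load(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp

def audit(nova_conf, plugin_conf):
    """Return findings; an empty list means the three settings are consistent."""
    nova, plugin = _load(nova_conf), _load(plugin_conf)
    findings = []
    for key, want in NOVA_EXPECTED.items():
        got = nova.get("DEFAULT", key, fallback="").strip()
        if got != want:
            findings.append(f"nova.conf {key}={got or '<unset>'}, expected {want}")
    fw = plugin.get("securitygroup", "firewall_driver", fallback="").strip()
    if not fw or "Noop" in fw:
        findings.append("plugin firewall_driver unset or Noop: no iptables rules are built")
    elif fw != PLUGIN_FIREWALL:
        findings.append(f"plugin firewall_driver={fw}, expected {PLUGIN_FIREWALL}")
    return findings

def qbr_bridges_in_ovs(ovs_vsctl_show):
    """qbr bridges owned by OVS: non-empty means the OVS bridge compatibility
    package took them over, so iptables never sees the VM traffic."""
    return re.findall(r'Bridge "?(qbr[0-9a-f-]+)"?', ovs_vsctl_show)

# Constructed samples: the question's settings, a Noop plugin, and an ovs-vsctl
# excerpt where a qbr bridge wrongly appears as an OVS bridge.
NOVA_OK = """[DEFAULT]
security_group_api=neutron
firewall_driver = nova.virt.firewall.NoopFirewallDriver
libvirt_vif_driver=nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver
"""
PLUGIN_OK = "[securitygroup]\nfirewall_driver = " + PLUGIN_FIREWALL + "\n"
PLUGIN_NOOP = "[securitygroup]\nfirewall_driver = neutron.agent.firewall.NoopFirewallDriver\n"
OVS_COMPAT = 'Bridge "qbr12345678-ab"\n    Port "qvb12345678-ab"\n'
```

The question's own values pass the config audit, which is why the comments move on to the qbr bridges and the iptables-save output.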

5 answers

1

answered 2014-04-15 10:12:15 -0500 by SGPJ

Remove all the rules, then try to ping after deleting the flows using ovs-ofctl del-flows, and check whether the flows are getting added again.


Comments

Also, you can use Firewall as a Service to add rules and policies.

SGPJ (2014-04-19 08:43:43 -0500)
1

answered 2015-03-03 06:22:35 -0500 by alex leonhardt

After Icehouse, please see this bug report: https://bugs.launchpad.net/openstack-manuals/+bug/1359691

See my comments at the bottom of it, add those kernel params in and reload neutron-openvswitch-agent on the compute and network nodes.

Alex

0

answered 2014-07-09 18:50:27 -0500

The security rules are getting applied directly onto br-int (which is not yet compatible with iptables rules). Going forward there would be a firewall driver which could leverage OpenFlow and inject the rules directly into the OVS bridge.

-1

answered 2014-04-07 07:53:13 -0500 by Emrecan

I have the same problem (with the default security group in use, I can ping and ssh to the VM (cirros image)). Do you have any idea how to resolve the issue?

Please, help.

-1

answered 2014-04-15 09:31:58 -0500 by mewald

Nobody? I have the same issue! Security Groups seem to be completely useless!
