Ask Your Question
0

Disabling security groups in Horizon

asked 2013-12-27 14:35:03 -0500

bswrchrd gravatar image

updated 2014-01-22 15:13:08 -0500

Evgeny gravatar image

Anyone know how to disable the use of the securitygroup API in Horizon (or if it is even possible)? We are running Havana/Ubuntu/ML2/OVS agent/GRE without iptables (via the neutron.agent.firewall.NoopFirewallDriver driver) but are receiving the Error: Unable to retrieve security groups error in Horizon when a customer tries to provision a new VM.

There is a comment in Horizon's Django local_settings.py config file that I am interpreting as the ability to switch off "security groups" via a config entry like 'enable_secgroups': False but I can't find any reference to the correct property anywhere in the code. 

# The OPENSTACK_NEUTRON_NETWORK settings can be used to enable optional
# services provided by neutron. Options currenly available are load
# balancer service, security groups, quotas, VPN service.
OPENSTACK_NEUTRON_NETWORK = {
    'enable_lb': False,
    'enable_firewall': False,
    'enable_quotas': True,
    'enable_vpn': False,
    # The profile_support option is used to detect if an external router can be
    # configured via the dashboard. When using specific plugins the
    # profile_support can be turned on if needed.
    'profile_support': None,
    #'profile_support': 'cisco',
}

The enable_firewall property enables/disables FWaaS which is not what we need.

edit retag flag offensive close merge delete
add a comment

2 answers

Sort by ยป oldest newest most voted
0

answered 2013-12-27 20:27:59 -0500

dheeru gravatar image

updated 2013-12-27 20:32:02 -0500 

If you do not want to use a firewall in Compute or Networking, you need to edit both(nova and neutron) configuration files and set 
firewall_driver=nova.virt.firewall.NoopFirewallDriver. 
Also, edit the /etc/nova/nova.conf file and comment out or remove the 
security_group_api=neutron statement.

Files to be edited /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini and /etc/nova/nova.con

edit flag offensive delete link more

Comments

Since he is running OVS he will have to set the `firewall_driver=` in his OVS plugin configuration file. He said he set "neutron.agent.firewall.NoopFirewallDriver" in his nova.conf already.

SamYaple gravatar imageSamYaple ( 2013-12-27 20:31:27 -0500 )edit
1

True also, he need to disable neutron security configuration in nova.conf

dheeru gravatar imagedheeru ( 2013-12-27 20:33:07 -0500 )edit

Agreed. Upvotes all around!

SamYaple gravatar imageSamYaple ( 2013-12-27 20:37:01 -0500 )edit
add a comment
0

answered 2013-12-27 20:27:48 -0500

SamYaple gravatar image

updated 2013-12-27 20:36:43 -0500

In your /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini file you need to set firewall_driver under [securitygroup] to neutron.agent.firewall.NoopFirewall

See below

#/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini
[securitygroup]
firewall_driver=neutron.agent.firewall.NoopFirewall

Also, dheeru mentioned in his answer, make sure you set below in your /etc/nova/nova.conf file

#/etc/nova/nova.conf 
[DEFAULT]
firewall_driver=nova.virt.firewall.NoopFirewallDriver
#security_group_api=neutron

Notice the different firewall_driver names for each conf file.

edit flag offensive delete link more

Comments

we answered at same time :)

dheeru gravatar imagedheeru ( 2013-12-27 20:28:40 -0500 )edit

I saw that! :)

SamYaple gravatar imageSamYaple ( 2013-12-27 20:32:18 -0500 )edit

Sorry guys, I should have been more descriptive. firewall_driver=NoopFirewall already set in both ML2 config file and nova.conf. The issue is with Horizon and Nova CLI, I can't figure out how to get around selecting a sec.group in Access & Security tab in the Launch Instance window or nova boot cmd.

bswrchrd gravatar imagebswrchrd ( 2013-12-30 12:47:06 -0500 )edit

Hi! I see this bug https://review.openstack.org/#/c/145455/ and looks like it's still actual in Juno.

Bobych gravatar imageBobych ( 2015-05-15 09:36:26 -0500 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2013-12-27 14:35:03 -0500

Seen: 4,599 times

Last updated: Dec 27 '13

Related questions

Improving neutron openvswitch performance

Can't get keystone token: "HTTP Unable to establish connection"

NotRegistered: Panel with slug "overview" is not registered with Dashboard "admin".

devstack local.conf

Neutron OVS ERROR on controller

WARNING keystone.common.wsgi [-] Authorization failed. [closed]

can't create a firewall for a tenant

DVR: Failed updating arp entry

Horizone and VNC with corporate SSL certificate (Packstack)

Adding a drop down tab on Dashboard