
Disabling security groups in Horizon

asked 2013-12-27 14:35:03 -0500

bswrchrd

updated 2014-01-22 15:13:08 -0500

Evgeny

Anyone know how to disable the use of the securitygroup API in Horizon (or if it is even possible)? We are running Havana/Ubuntu/ML2/OVS agent/GRE without iptables (via the `neutron.agent.firewall.NoopFirewallDriver` driver) but are receiving the "Error: Unable to retrieve security groups" error in Horizon when a customer tries to provision a new VM.

There is a comment in Horizon's Django `local_settings.py` config file that I am interpreting as the ability to switch off "security groups" via a config entry like `'enable_secgroups': False`, but I can't find any reference to the correct property anywhere in the code.

```python
# The OPENSTACK_NEUTRON_NETWORK settings can be used to enable optional
# services provided by neutron. Options currently available are load
# balancer service, security groups, quotas, VPN service.
OPENSTACK_NEUTRON_NETWORK = {
    'enable_lb': False,
    'enable_firewall': False,
    'enable_quotas': True,
    'enable_vpn': False,
    # The profile_support option is used to detect if an external router can be
    # configured via the dashboard. When using specific plugins the
    # profile_support can be turned on if needed.
    'profile_support': None,
    #'profile_support': 'cisco',
}
```

The `enable_firewall` property enables/disables FWaaS, which is not what we need.


2 answers


answered 2013-12-27 20:27:59 -0500

dheeru

updated 2013-12-27 20:32:02 -0500

If you do not want to use a firewall in Compute or Networking, you need to edit both (nova and neutron) configuration files and set `firewall_driver=nova.virt.firewall.NoopFirewallDriver`. Also, edit the `/etc/nova/nova.conf` file and comment out or remove the `security_group_api=neutron` statement.

Files to be edited: `/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini` and `/etc/nova/nova.conf`


Comments

Since he is running OVS he will have to set the `firewall_driver=` in his OVS plugin configuration file. He said he set "neutron.agent.firewall.NoopFirewallDriver" in his nova.conf already.

SamYaple (2013-12-27 20:31:27 -0500)

True. Also, he needs to disable the neutron security configuration in nova.conf.

dheeru (2013-12-27 20:33:07 -0500)

Agreed. Upvotes all around!

SamYaple (2013-12-27 20:37:01 -0500)

answered 2013-12-27 20:27:48 -0500

SamYaple

updated 2013-12-27 20:36:43 -0500

In your `/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini` file you need to set `firewall_driver` under `[securitygroup]` to `neutron.agent.firewall.NoopFirewallDriver`.

See below:

```ini
# /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini
[securitygroup]
firewall_driver=neutron.agent.firewall.NoopFirewallDriver
```

Also, as dheeru mentioned in his answer, make sure you set the below in your `/etc/nova/nova.conf` file:

```ini
# /etc/nova/nova.conf
[DEFAULT]
firewall_driver=nova.virt.firewall.NoopFirewallDriver
#security_group_api=neutron
```

Notice the different firewall_driver names for each conf file.


Comments

We answered at the same time :)

dheeru (2013-12-27 20:28:40 -0500)

I saw that! :)

SamYaple (2013-12-27 20:32:18 -0500)

Sorry guys, I should have been more descriptive. `firewall_driver=NoopFirewall` is already set in both the ML2 config file and nova.conf. The issue is with Horizon and the Nova CLI: I can't figure out how to get around selecting a sec. group in the Access & Security tab of the Launch Instance window or in the `nova boot` cmd.

bswrchrd (2013-12-30 12:47:06 -0500)

Hi! I see this bug https://review.openstack.org/#/c/145455/ and it looks like it's still relevant in Juno.

Bobych (2015-05-15 09:36:26 -0500)
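A checker for the two files the answers above discuss, added here as an example that is not part of the original thread or of OpenStack: it confirms each file uses its own no-op driver class and that `security_group_api=neutron` is commented out in nova.conf. The function name `audit` and the sample file contents are constructed for illustration; it only validates these settings and does not address the Horizon error from the question.

```python
import configparser

# Per-file section and no-op driver class, as named in the answers above.
EXPECTED = {
    "nova": ("DEFAULT", "nova.virt.firewall.NoopFirewallDriver"),
    "neutron": ("securitygroup", "neutron.agent.firewall.NoopFirewallDriver"),
}

def audit(service, text):
    """Return findings for one config file's text ('nova' or 'neutron')."""
    section, wanted = EXPECTED[service]
    cp = configparser.RawConfigParser(strict=False)  # no % interpolation
    cp.read_string(text)
    findings = []
    driver = cp.get(section, "firewall_driver", fallback=None)
    if driver is None:
        findings.append(f"[{section}] firewall_driver is not set")
    elif driver != wanted:
        others = {cls for svc, (_, cls) in EXPECTED.items() if svc != service}
        why = ("belongs to the other service's file" if driver in others
               else "is not the no-op driver")
        findings.append(f"[{section}] firewall_driver={driver} {why}")
    # Only nova.conf carries security_group_api; a commented-out line is ignored.
    if service == "nova" and cp.get("DEFAULT", "security_group_api",
                                    fallback=None) == "neutron":
        findings.append("[DEFAULT] security_group_api=neutron is still active")
    return findings

# Constructed sample inputs (not taken from a real deployment).
NOVA_OK = """\
[DEFAULT]
firewall_driver=nova.virt.firewall.NoopFirewallDriver
#security_group_api=neutron
"""
NOVA_ACTIVE = NOVA_OK.replace("#security_group_api", "security_group_api")
OVS_MIXED_UP = """\
[securitygroup]
firewall_driver=nova.virt.firewall.NoopFirewallDriver
"""
OVS_OK = OVS_MIXED_UP.replace("nova.virt", "neutron.agent")

if __name__ == "__main__":
    cases = [("nova ok", "nova", NOVA_OK), ("nova active", "nova", NOVA_ACTIVE),
             ("ovs mixed up", "neutron", OVS_MIXED_UP), ("ovs ok", "neutron", OVS_OK)]
    for name, svc, text in cases:
        print(name, "->", audit(svc, text) or "consistent with the answers")
```

Running it against every compute and network node also gives an inventory of hosts where packet filtering has been switched off on purpose.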

Stats

Asked: 2013-12-27 14:35:03 -0500

Seen: 3,744 times

Last updated: Dec 27 '13