Ask Your Question
0

Disabling security groups in Horizon

asked 2013-12-27 14:35:03 -0500

bswrchrd gravatar image

updated 2014-01-22 15:13:08 -0500

Evgeny gravatar image

Anyone know how to disable the use of the securitygroup API in Horizon (or if it is even possible)? We are running Havana/Ubuntu/ML2/OVS agent/GRE without iptables (via the neutron.agent.firewall.NoopFirewallDriver driver) but are receiving the Error: Unable to retrieve security groups error in Horizon when a customer tries to provision a new VM.

There is a comment in Horizon's Django local_settings.py config file that I am interpreting as the ability to switch off "security groups" via a config entry like 'enable_secgroups': False but I can't find any reference to the correct property anywhere in the code. 

# The OPENSTACK_NEUTRON_NETWORK settings can be used to enable optional
# services provided by neutron. Options currenly available are load
# balancer service, security groups, quotas, VPN service.
OPENSTACK_NEUTRON_NETWORK = {
    'enable_lb': False,
    'enable_firewall': False,
    'enable_quotas': True,
    'enable_vpn': False,
    # The profile_support option is used to detect if an external router can be
    # configured via the dashboard. When using specific plugins the
    # profile_support can be turned on if needed.
    'profile_support': None,
    #'profile_support': 'cisco',
}

The enable_firewall property enables/disables FWaaS which is not what we need.

edit retag flag offensive close merge delete
add a comment

2 answers

Sort by ยป oldest newest most voted
0

answered 2013-12-27 20:27:59 -0500

dheeru gravatar image

updated 2013-12-27 20:32:02 -0500 

If you do not want to use a firewall in Compute or Networking, you need to edit both(nova and neutron) configuration files and set 
firewall_driver=nova.virt.firewall.NoopFirewallDriver. 
Also, edit the /etc/nova/nova.conf file and comment out or remove the 
security_group_api=neutron statement.

Files to be edited /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini and /etc/nova/nova.con

edit flag offensive delete link more

Comments

Since he is running OVS he will have to set the `firewall_driver=` in his OVS plugin configuration file. He said he set "neutron.agent.firewall.NoopFirewallDriver" in his nova.conf already.

SamYaple gravatar imageSamYaple ( 2013-12-27 20:31:27 -0500 )edit
1

True also, he need to disable neutron security configuration in nova.conf

dheeru gravatar imagedheeru ( 2013-12-27 20:33:07 -0500 )edit

Agreed. Upvotes all around!

SamYaple gravatar imageSamYaple ( 2013-12-27 20:37:01 -0500 )edit
add a comment
0

answered 2013-12-27 20:27:48 -0500

SamYaple gravatar image

updated 2013-12-27 20:36:43 -0500

In your /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini file you need to set firewall_driver under [securitygroup] to neutron.agent.firewall.NoopFirewall

See below

#/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini
[securitygroup]
firewall_driver=neutron.agent.firewall.NoopFirewall

Also, dheeru mentioned in his answer, make sure you set below in your /etc/nova/nova.conf file

#/etc/nova/nova.conf 
[DEFAULT]
firewall_driver=nova.virt.firewall.NoopFirewallDriver
#security_group_api=neutron

Notice the different firewall_driver names for each conf file.

edit flag offensive delete link more

Comments

we answered at same time :)

dheeru gravatar imagedheeru ( 2013-12-27 20:28:40 -0500 )edit

I saw that! :)

SamYaple gravatar imageSamYaple ( 2013-12-27 20:32:18 -0500 )edit

Sorry guys, I should have been more descriptive. firewall_driver=NoopFirewall already set in both ML2 config file and nova.conf. The issue is with Horizon and Nova CLI, I can't figure out how to get around selecting a sec.group in Access & Security tab in the Launch Instance window or nova boot cmd.

bswrchrd gravatar imagebswrchrd ( 2013-12-30 12:47:06 -0500 )edit

Hi! I see this bug https://review.openstack.org/#/c/145455/ and looks like it's still actual in Juno.

Bobych gravatar imageBobych ( 2015-05-15 09:36:26 -0500 )edit
add a comment

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2013-12-27 14:35:03 -0500

Seen: 5,314 times

Last updated: Dec 27 '13

Related questions

Instance unable to get ip from dhcp. (Havana with neutron gre)

Cannot create instance via Horizon

Error deploying VMs in Havana "Timeout while waiting on RPC response"

Metadata proxy 500 error from instances havana

Bridge configured in network node - But ip not allocate in VMs

Single Node Havana Setup

Neutron uses wrong os-auth-url

Tacker Installation Error

Adding a drop down tab on Dashboard

Failed to ping from linux bridge's gw ip