Ask Your Question
0

Disabling security groups in Horizon

asked 2013-12-27 14:35:03 -0600

bswrchrd gravatar image

updated 2014-01-22 15:13:08 -0600

Evgeny gravatar image

Anyone know how to disable the use of the securitygroup API in Horizon (or if it is even possible)? We are running Havana/Ubuntu/ML2/OVS agent/GRE without iptables (via the neutron.agent.firewall.NoopFirewallDriver driver) but are receiving the Error: Unable to retrieve security groups error in Horizon when a customer tries to provision a new VM.

There is a comment in Horizon's Django local_settings.py config file that I am interpreting as the ability to switch off "security groups" via a config entry like 'enable_secgroups': False but I can't find any reference to the correct property anywhere in the code. 

# The OPENSTACK_NEUTRON_NETWORK settings can be used to enable optional
# services provided by neutron. Options currenly available are load
# balancer service, security groups, quotas, VPN service.
OPENSTACK_NEUTRON_NETWORK = {
    'enable_lb': False,
    'enable_firewall': False,
    'enable_quotas': True,
    'enable_vpn': False,
    # The profile_support option is used to detect if an external router can be
    # configured via the dashboard. When using specific plugins the
    # profile_support can be turned on if needed.
    'profile_support': None,
    #'profile_support': 'cisco',
}

The enable_firewall property enables/disables FWaaS which is not what we need.

edit retag flag offensive close merge delete
add a comment

2 answers

Sort by ยป oldest newest most voted
0

answered 2013-12-27 20:27:59 -0600

dheeru gravatar image

updated 2013-12-27 20:32:02 -0600 

If you do not want to use a firewall in Compute or Networking, you need to edit both(nova and neutron) configuration files and set 
firewall_driver=nova.virt.firewall.NoopFirewallDriver. 
Also, edit the /etc/nova/nova.conf file and comment out or remove the 
security_group_api=neutron statement.

Files to be edited /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini and /etc/nova/nova.con

edit flag offensive delete link more

Comments

Since he is running OVS he will have to set the `firewall_driver=` in his OVS plugin configuration file. He said he set "neutron.agent.firewall.NoopFirewallDriver" in his nova.conf already.

SamYaple gravatar imageSamYaple ( 2013-12-27 20:31:27 -0600 )edit
1

True also, he need to disable neutron security configuration in nova.conf

dheeru gravatar imagedheeru ( 2013-12-27 20:33:07 -0600 )edit

Agreed. Upvotes all around!

SamYaple gravatar imageSamYaple ( 2013-12-27 20:37:01 -0600 )edit
add a comment
0

answered 2013-12-27 20:27:48 -0600

SamYaple gravatar image

updated 2013-12-27 20:36:43 -0600

In your /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini file you need to set firewall_driver under [securitygroup] to neutron.agent.firewall.NoopFirewall

See below

#/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini
[securitygroup]
firewall_driver=neutron.agent.firewall.NoopFirewall

Also, dheeru mentioned in his answer, make sure you set below in your /etc/nova/nova.conf file

#/etc/nova/nova.conf 
[DEFAULT]
firewall_driver=nova.virt.firewall.NoopFirewallDriver
#security_group_api=neutron

Notice the different firewall_driver names for each conf file.

edit flag offensive delete link more

Comments

we answered at same time :)

dheeru gravatar imagedheeru ( 2013-12-27 20:28:40 -0600 )edit

I saw that! :)

SamYaple gravatar imageSamYaple ( 2013-12-27 20:32:18 -0600 )edit

Sorry guys, I should have been more descriptive. firewall_driver=NoopFirewall already set in both ML2 config file and nova.conf. The issue is with Horizon and Nova CLI, I can't figure out how to get around selecting a sec.group in Access & Security tab in the Launch Instance window or nova boot cmd.

bswrchrd gravatar imagebswrchrd ( 2013-12-30 12:47:06 -0600 )edit

Hi! I see this bug https://review.openstack.org/#/c/145455/ and looks like it's still actual in Juno.

Bobych gravatar imageBobych ( 2015-05-15 09:36:26 -0600 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2013-12-27 14:35:03 -0600

Seen: 4,719 times

Last updated: Dec 27 '13

Related questions

dnsmasq: unrecognized service

Instance interfaces not getting the neutron assigned ip

No EC2 credential download in Horizon?

Small Horizon dashboard modifications

No tenant network is available for allocation.

port forwarding via dashboard

Nova Detach/Attach Interface via Dashboard

Horizon's ip address

Can we set admin password return on horizon for every new instance create?

neutron auth failure