RDO packstack: qbr missing with LibvirtGenericVIFDriver

I'm troubleshooting why RDO packstack "allinone" behaves in a non-deterministic way and sometimes configures "qbr" and sometimes not. I did some research and found out that qbr is needed to enforce security groups.

In my case I have TWO setups: with RH I have qbr and in F20 I do not.

Here are my findings:

  • two setups RH 6.4 & Fedora 20

  • installed with packstack --allinone

  • RH 6.4: /etc/nova/nova.conf:libvirt_vif_driver=nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver

  • F20: /etc/nova/nova.conf:libvirt_vif_driver=nova.virt.libvirt.vif.LibvirtGenericVIFDriver

  • as expected, in F20 qbr is missing.

  • I did some research and it looks like LibvirtHybridOVSBridgeDriver is deprecated and we should use LibvirtGenericVIFDriver

When I look into the code: /nova/virt/libvirt/vif.py I can see that LibvirtGenericVIFDriver is enough to enforce security groups:

class LibvirtGenericVIFDriver(LibvirtBaseVIFDriver):
    """Generic VIF driver for libvirt networking."""



    def get_firewall_required(self):
        # TODO(berrange): Extend this to use information from VIF model
        # which can indicate whether the network provider (eg Neutron)
        # has already applied firewall filtering itself.
        if CONF.firewall_driver != "nova.virt.firewall.NoopFirewallDriver":
            return True
        return False

  • Here's configuration:

RH:

/etc/nova/nova.conf:firewall_driver=nova.virt.firewall.NoopFirewallDriver
/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini:firewall_driver=neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
/etc/neutron/plugin.ini:firewall_driver=neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver

F20:

/etc/nova/nova.conf:firewall_driver=nova.virt.firewall.NoopFirewallDriver
/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini:firewall_driver=neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
/etc/neutron/plugin.ini - is MISSING!

Questions

  • Why is /etc/neutron/plugin.ini missing?
  • What should I do to enable security groups on F20?

S.
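
Added example, not part of the original post and not RDO or Nova code: a small audit that reads the three files named in the question, reports each firewall_driver value and any missing file, and applies the same comparison as the quoted get_firewall_required(). The sample file contents and their section headers ([DEFAULT], [securitygroup]) are constructed assumptions; only the paths and driver names come from the post.

```python
import configparser
import os

NOOP = "nova.virt.firewall.NoopFirewallDriver"
HYBRID = "neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver"
NOVA_CONF = "/etc/nova/nova.conf"
NEUTRON_FILES = (
    "/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini",
    "/etc/neutron/plugin.ini",
)

def firewall_driver(text):
    """Return the first firewall_driver value found in INI text, else None."""
    cp = configparser.RawConfigParser(strict=False, allow_no_value=True)
    cp.read_string(text)
    for section in cp:  # DEFAULT first, then the named sections
        if cp.has_option(section, "firewall_driver"):
            return cp.get(section, "firewall_driver")
    return None

def audit(files):
    """files maps path -> file text, or None when the file is absent."""
    nova = firewall_driver(files.get(NOVA_CONF) or "")
    present = [p for p in NEUTRON_FILES if files.get(p) is not None]
    return {
        "nova_firewall_driver": nova,
        # Same comparison as the get_firewall_required() quoted in the post.
        "generic_vif_firewall_required": nova != NOOP,
        "neutron_firewall_driver": {p: firewall_driver(files[p]) for p in present},
        "missing": [p for p in (NOVA_CONF,) + NEUTRON_FILES if files.get(p) is None],
    }

def load_from_disk():
    """Read the three files from the local host; absent files become None."""
    out = {}
    for path in (NOVA_CONF,) + NEUTRON_FILES:
        out[path] = open(path).read() if os.path.isfile(path) else None
    return out

# Constructed samples mirroring the two hosts in the post (section names assumed).
NOVA_TEXT = "[DEFAULT]\nfirewall_driver=" + NOOP + "\n"
NEUTRON_TEXT = "[securitygroup]\nfirewall_driver=" + HYBRID + "\n"
RH = {NOVA_CONF: NOVA_TEXT, NEUTRON_FILES[0]: NEUTRON_TEXT, NEUTRON_FILES[1]: NEUTRON_TEXT}
F20 = {NOVA_CONF: NOVA_TEXT, NEUTRON_FILES[0]: NEUTRON_TEXT, NEUTRON_FILES[1]: None}

if __name__ == "__main__":
    for name, files in (("RH", RH), ("F20", F20)):
        print(name, audit(files))
```

On a real host, `audit(load_from_disk())` gives the same report for the installed files.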
