Sam Whitlock's profile - activity

2015-02-24 04:36:32 -0500 received badge  Supporter (source)
2015-02-17 14:26:41 -0500 received badge  Scholar (source)
2015-02-17 10:33:22 -0500 commented answer DHCP port binding fails on flat provider network

I literally just googled this error and got my own answer again! Thanks, me from the past!

2014-11-09 04:06:19 -0500 received badge  Famous Question (source)
2014-11-09 04:06:19 -0500 received badge  Notable Question (source)
2014-11-09 04:06:19 -0500 received badge  Popular Question (source)
2014-11-04 06:15:09 -0500 received badge  Good Question (source)
2014-10-30 15:01:49 -0500 commented answer How can I specify a customised Security Group when creating tenant?

Not sure what the best way to do this would be. Best bet would be to look at the Keystone source code to see what it does when creating a tenant or user. You can probably locate its construction of the default security group somewhere in this process.

2014-10-30 08:01:01 -0500 asked a question Neutron agent port population

I'm writing a Neutron agent that is different from the other main agents (e.g. OVS, Linux bridge, SR-IOV) in 2 ways:

  • It does not run on a compute node (it has a separate control channel to another network switch; as long as it can talk to AMQP and this other control channel, it can reside anywhere)
  • It needs to have all the firewall rules for all networks and ports.

The most often used agents (OVS) poll for local changes to detect new ports: Nova will plug a port into the integration bridge, and then Neutron will notice it on an OVSDB query and request port information for it.

I need my agent to get updates from Neutron server of all port updates, or at least the 'device' attribute so I can make a query through the security group API. The port_update channel in AMQP never receives messages (or so it seems, when I watched it with amqp-spy), and I need the port info so I can respond when I receive a notification on the security rules update channel (which only pushes the UUID of the security group).

Any ideas on how I might populate/retrieve this info?

I think I may be missing some AMQP topic subscription, or something else in the server <-> agent API, but I'm having a hard time searching for solutions.

2014-10-28 13:20:17 -0500 received badge  Teacher (source)
2014-10-27 13:53:24 -0500 received badge  Famous Question (source)
2014-10-24 15:36:05 -0500 received badge  Popular Question (source)
2014-10-24 15:36:05 -0500 received badge  Notable Question (source)
2014-10-23 12:37:23 -0500 received badge  Famous Question (source)
2014-10-23 07:19:54 -0500 answered a question How can I specify a customised Security Group when creating tenant?

This is not possible from the python-keystoneclient command line tool. This can be inconvenient, but the idea is to keep each bit of functionality small and make it only do one thing (e.g. create a tenant, modify a security group's rules).

2014-10-23 06:58:58 -0500 asked a question SR-IOV and policy enforcement with a firewall

I like the new SR-IOV stuff for Neutron / Nova in Juno, but in this wiki page, it says that the NoopFirewallDriver must be used. This makes sense because the iptables-based mechanisms won't work in the SR-IOV context.

How can I have a firewalled environment while using SR-IOV?

My setup is flexible, but I can have a "network node" (another server) running the OVS agent in between several SR-IOV-based compute nodes (not running OVS and the iptables firewall), acting as a software switch (i.e. without a physical switch in between; a direct cable). However, the OVS agent only applies rules for ports that are on the same box.

Essentially, I want to basically have a firewall by moving the integration bridge off the compute nodes and putting it one hop away on a directly-connected server running Open vSwitch. Is this possible, and if so, how can I do it (at least at a high level)?

2014-10-20 10:56:05 -0500 received badge  Famous Question (source)
2014-10-03 17:46:03 -0500 received badge  Nice Question (source)
2014-10-03 17:41:39 -0500 received badge  Popular Question (source)
2014-10-03 17:41:39 -0500 received badge  Notable Question (source)
2014-09-24 13:05:50 -0500 received badge  Student (source)
2014-09-24 08:38:09 -0500 asked a question firewall semantics and connection tracking in Neutron

I'm trying to implement my own firewall (for a research project) to replace the IpTables firewall, and I'm not sure about the semantics of the firewall interface.

My question is specifically this: does the firewall (agent.firewall.Firewall) require stateful (e.g., connection tracking) semantics?

The only examples I can find, the IpTables firewall and the OVS derivative, take advantage of the conntrack module for iptables (the INVALID and RELATED,ESTABLISHED rules in the neutron chains). This is more secure because it doesn't rely on the VMs to be trusted entities. As a counter example, a stateless firewall would (likely) allow packets through from an invalid TCP stream if 2 VMs have been subverted (e.g. by sending each other valid packets wrt port number and IP range, but without starting a SYN connection). The IpTables firewall does _not_ exhibit this behavior.

I couldn't find a lot of documentation on the architecture and the code seems a little ambiguous.
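A toy model of the distinction the question above draws (added example, not code from the post or from Neutron): a stateless port filter accepts a segment that looks mid-stream but never had a SYN, while a strict conntrack-style tracker classifies it INVALID and drops it. The strict no-mid-stream-pickup behaviour (equivalent to nf_conntrack_tcp_loose=0), the IP addresses and the ports are assumptions of the model.

```python
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

SYN, ACK = 0x02, 0x10             # TCP flag bits used by the model
Flow = Tuple[str, int, str, int]  # (src, sport, dst, dport)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def stateless_verdict(pkt: Packet, allowed_dports: Set[int]) -> str:
    """Port-only rule: ACCEPT whenever either port is permitted, whether or
    not a handshake was ever seen (the weakness the question describes)."""
    ok = pkt.dport in allowed_dports or pkt.sport in allowed_dports
    return "ACCEPT" if ok else "DROP"


@dataclass
class ConntrackFirewall:
    """Strict tracker: only a pure SYN may open a flow (assumes no mid-stream
    pickup, i.e. nf_conntrack_tcp_loose=0; an assumption of this toy model)."""
    allowed_dports: Set[int]
    flows: Dict[Flow, str] = field(default_factory=dict)

    def verdict(self, pkt: Packet) -> Tuple[str, str]:
        """Return (conntrack_state, verdict) for one packet."""
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.flows or rev in self.flows:
            return "ESTABLISHED", "ACCEPT"   # --state RELATED,ESTABLISHED -j RETURN
        if pkt.flags & SYN and not pkt.flags & ACK:
            if pkt.dport in self.allowed_dports:   # a security-group rule matches NEW
                self.flows[fwd] = "ESTABLISHED"
                return "NEW", "ACCEPT"
            return "NEW", "DROP"             # nothing matched; chain's final DROP
        return "INVALID", "DROP"             # --state INVALID -j DROP


def compare_midstream_segment() -> Tuple[str, str]:
    """Constructed case: two subverted VMs exchange an ACK-only segment to an
    allowed port without any SYN. Returns (stateless, stateful) verdicts."""
    forged = Packet("10.0.0.5", 40000, "10.0.0.6", 80, ACK)
    _, stateful = ConntrackFirewall({80}).verdict(forged)
    return stateless_verdict(forged, {80}), stateful
```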

2014-08-27 14:04:25 -0500 received badge  Notable Question (source)
2014-08-27 04:29:51 -0500 received badge  Popular Question (source)
2014-08-07 08:41:12 -0500 edited question DHCP port binding fails on flat provider network

I have a flat provider network in Neutron using the ML2 plugin. I run the DHCP plugin on the network, but the port is unknown to the agent plugin, and it gets the "dead" 4095 VLAN tag on my integration bridge.

Here is the log line on the node running the DHCP agent (from the OVS Neutron agent trying to configure the port):

WARNING neutron.plugins.openvswitch.agent.ovs_neutron_agent [-] Device 66b395cc-86e9-4cf4-8e0c-49df157fd887 not defined on plugin

When I look at Neutron Server, I see the following log message

 WARNING neutron.plugins.ml2.rpc [req-000dd350-72fe-4da7-9064-726890c9d75c None None] Device 66b395cc-86e9-4cf4-8e0c-49df157fd887 requested by agent ovs66201834824c on network e2a8d8b6-2fac-47f0-8982-9da41f4838c2 not bound, vif_type: binding_failed

I'm trying to track down how this happens, and I think it is a configuration bug somewhere, but I'm not sure where to look.

I can add more logging and configuration to this question, but I'm not sure which is relevant.

  • http://paste.openstack.org/show/91436/ (neutron.conf)
  • http://paste.openstack.org/show/91438/ (ml2_conf.ini)
  • http://paste.openstack.org/show/91439/ (dhcp_agent.ini)

A note about the setup: my machines have a management network (on eth0) and a data network (on a port called cu1, which is bridged in my configs as br-cu1; this is usually known as br-ex in other folks' configs).

I set up the network initially with Devstack, but I have modified it since then. I create the sole provider network with

neutron net-create --provider:network_type=flat --provider:physical_network=physnet1 --router:external=true public-net --shared

and I create the sole subnet with

neutron subnet-create  --no-gateway --enable-dhcp --allocation-pool=start=192.168.10.100,end=192.168.10.200 --name public-subnet public-net 192.168.0.0/16

Thanks in advance!

2014-08-07 08:41:12 -0500 received badge  Editor (source)
2014-07-22 07:56:02 -0500 received badge  Enthusiast