Answering my own question: I found out why rules were not working. There
were no "firewall bridges" on compute nodes to which the rules would apply.
The reason for it was that compute nodes in nova.conf used the new:
libvirt_vif_driver=nova.virt.libvirt.vif.LibvirtGenericVIFDriver
instead of the old and deprecated:
libvirt_vif_driver=nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver
The latter one was used by my old cloud and therefore everything was
working.
The fixed for me right now is to use the deprecated driver which forces
creation of "firewall bridges". However, as I understand, the
GenericVIFDriver should create the bridge if an appropriate meta
information exists. This information should exists if security groups
are used but it is not happening.
Is there any extra configuration required to make GenericVIFDriver
create bridges? I am sure it is possible as the other drivers are
removed in Icehouse.
Best Regards,
Daniel
On 3/5/2014 9:59 AM, Daniel Speichert wrote:
Hello,
I have a problem with Neutron security groups and I hoped you could
provide some ideas.
I have two different cloud installation based on OpenStack Havana,
they both use Neutron setup with multiple tenants and routers.
First cloud is based on Ubuntu and has both Neutron and Nova security
groups enabled (a mistake in configuraiton, I did not add
"firewall_driver=nova.virt.firewall.NoopFirewallDriver" to nova.conf.
On its compute nodes it has neutron-openvswitch-* iptables chains and
nova-instance* chains.
Rules from all of these chains seem to get hits and security groups
work properly. This cloud uses GRE tunnels.
Second cloud is based on CentOS 6.5 with RDO. It has the same Neutron
setup and nova security groups disabled and
"security_group_api=neutron". It does not have iptables chains
nova-instance* but neutron chains are properly applied. None of these
chains get any hits at all and all traffic to instances is allowed.
This cloud used VXLANs but I switched to GRE which did not help.
On both clouds there are no additional iptables rules besides the ones
generated by OpenStack - I flushed all the rules and chains and forced
sync by adding a security group rule.
Do you have any idea why security groups don't work, i.e. the chains
don't get traffic? It seems to me that the rules in chains
neutron-openvswi-FORWARD and neutron-openvswi-INPUT don't get any hits
at all on my second cloud installation.
--
Best Regards,
Daniel
_______________________________________________
Rdo-list mailing list
Rdo-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/rdo-list