Security groups don't appear to work

Bug #1195312 reported by Chris Ricker
Affects           Status        Importance   Assigned to    Milestone
Cisco Openstack   Fix Released  High         Chris Ricker
Grizzly           Fix Released  High         Chris Ricker

Bug Description

With g0, security groups don't appear to be configured in a default deny stance out of the box

I see rules but they're blank:

root@ci-os-con1:~# for i in `quantum security-group-rule-list | grep default | awk '{ print $2 }'` ; do quantum security-group-rule-show "$i" ; done
+-------------------+--------------------------------------+
| Field | Value |
+-------------------+--------------------------------------+
| direction | egress |
| ethertype | IPv4 |
| id | 17a706e6-5527-4401-be55-6af16f9bb540 |
| port_range_max | |
| port_range_min | |
| protocol | |
| remote_group_id | |
| remote_ip_prefix | |
| security_group_id | bb236971-5485-43a7-8109-243aee2fd6c0 |
| tenant_id | 959675d2ff7a4b35ac3e9d13efc29b8e |
+-------------------+--------------------------------------+
+-------------------+--------------------------------------+
| Field | Value |
+-------------------+--------------------------------------+
| direction | ingress |
| ethertype | IPv6 |
| id | 644f06ce-a6fc-4dcb-ba11-b28fd65890ea |
| port_range_max | |
| port_range_min | |
| protocol | |
| remote_group_id | bb236971-5485-43a7-8109-243aee2fd6c0 |
| remote_ip_prefix | |
| security_group_id | bb236971-5485-43a7-8109-243aee2fd6c0 |
| tenant_id | 959675d2ff7a4b35ac3e9d13efc29b8e |
+-------------------+--------------------------------------+
+-------------------+--------------------------------------+
| Field | Value |
+-------------------+--------------------------------------+
| direction | egress |
| ethertype | IPv6 |
| id | da7e330d-a8b4-46b1-b8f7-89507f43c180 |
| port_range_max | |
| port_range_min | |
| protocol | |
| remote_group_id | |
| remote_ip_prefix | |
| security_group_id | bb236971-5485-43a7-8109-243aee2fd6c0 |
| tenant_id | 959675d2ff7a4b35ac3e9d13efc29b8e |
+-------------------+--------------------------------------+
+-------------------+--------------------------------------+
| Field | Value |
+-------------------+--------------------------------------+
| direction | ingress |
| ethertype | IPv4 |
| id | e6e89214-485c-4ca4-b370-3edbbf4657fd |
| port_range_max | |
| port_range_min | |
| protocol | |
| remote_group_id | bb236971-5485-43a7-8109-243aee2fd6c0 |
| remote_ip_prefix | |
| security_group_id | bb236971-5485-43a7-8109-243aee2fd6c0 |
| tenant_id | 959675d2ff7a4b35ac3e9d13efc29b8e |
+-------------------+--------------------------------------+
root@ci-os-con1:~#

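As an added example (not part of the bug report or of the Cisco/OpenStack code), a small Python script that parses the `quantum security-group-rule-show` tables above into rule records and spells out what each one grants: in Quantum a blank protocol, port range or remote cell means "unrestricted", so the default rules shown are wildcard allows (all egress, ingress from members of the same group) whose actual enforcement depends on the agent's firewall driver being configured. The embedded sample is constructed from two of the four tables in the report.

```python
import re
# Constructed sample in the layout of the report's output (two of its four rules, tenant_id omitted).
SAMPLE = """\
+---+---+
| Field | Value |
+---+---+
| direction | egress |
| ethertype | IPv4 |
| id | 17a706e6-5527-4401-be55-6af16f9bb540 |
| port_range_max | |
| port_range_min | |
| protocol | |
| remote_group_id | |
| remote_ip_prefix | |
| security_group_id | bb236971-5485-43a7-8109-243aee2fd6c0 |
+---+---+
+---+---+
| Field | Value |
+---+---+
| direction | ingress |
| ethertype | IPv4 |
| id | e6e89214-485c-4ca4-b370-3edbbf4657fd |
| port_range_max | |
| port_range_min | |
| protocol | |
| remote_group_id | bb236971-5485-43a7-8109-243aee2fd6c0 |
| remote_ip_prefix | |
| security_group_id | bb236971-5485-43a7-8109-243aee2fd6c0 |
+---+---+"""
ROW = re.compile(r"^\|\s*(\w+)\s*\|\s*(.*?)\s*\|$")
def parse_rules(text):
    """One dict per table; a '| Field | Value |' header row starts a new rule."""
    rules = []
    for m in filter(None, map(ROW.match, text.splitlines())):   # borders are skipped
        key, val = m.groups()
        if key == "Field":
            rules.append({})
        else:
            rules[-1][key] = val or None   # blank cell means "unrestricted"
    return rules

def describe(rule):
    """Spell out what a rule permits; a 'blank' rule is a wildcard allow, not a gap."""
    proto = rule["protocol"] or "any protocol"
    ports = ("ports %s-%s" % (rule["port_range_min"], rule["port_range_max"])
             if rule["port_range_min"] else "all ports")
    remote = rule["remote_ip_prefix"] or rule["remote_group_id"] or "anywhere"
    if rule["remote_group_id"] == rule["security_group_id"]:
        remote = "members of the same security group"
    link = "from" if rule["direction"] == "ingress" else "to"
    return "%s %s: allow %s, %s, %s %s" % (rule["direction"], rule["ethertype"], proto, ports, link, remote)
```

Run `for r in parse_rules(SAMPLE): print(describe(r))` against the real CLI output to see the effective policy; the output only tells you what the API holds, not whether iptables rules were actually programmed on the compute node.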
Changed in openstack-cisco:
milestone: none → g.1
Chris Ricker (chris-ricker) wrote :

To fix, we need to add

firewall_driver = quantum.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver

to the [SECURITYGROUP] stanza of the ovs_quantum_plugin.ini file on compute nodes

and switch the libvirt_vif_driver back to nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver

Daneyon Hansen (danehans) wrote :

Chris,

The firewall driver is set on Compute Nodes in my HA environment because they act as network gateways, but I don't understand why this is needed in a standard deployment since the Controller is the network gateway and the firewall driver is set by default. I also do not understand why this does not work with the newer vif driver. Are bugs filed for these two issues with the community?

Thanks,
Daneyon

Chris Ricker (chris-ricker) wrote :

I read the grizzly version of nova/virt/libvirt as only the HybridOVS vif driver having quantum security group support. Looking at the havana version, it looks like the GenericVIF vif driver has support when we move to Havana.

In our topology the agent has to have the driver and be running on the computes. The actual iptables rules that get created by a quantum security-group-rule-create are being put on each compute node, not on the controller. I thought that's how it's supposed to work in grizzly quantum, so no upstream bug.
