Missing firewall_driver with ml2 breaks neutron securitygroups API

Bug #1262678 reported by Doug Schaapveld
This bug affects 4 people
Affects            Status        Importance  Assigned to     Milestone
neutron            Fix Released  Undecided   Emilien Macchi
openstack-manuals  Fix Released  High        Emilien Macchi
puppet-neutron     Fix Released  High        Emilien Macchi
Havana             Fix Released  High        Unassigned

Bug Description

When using nova 'security_group_api=neutron' and neutron 'core_plugin=neutron.plugins.ml2.plugin.Ml2Plugin' with the 'vlan' type_driver/tenant_network_type, no securitygroup/firewall_driver is set in /etc/neutron/plugins.ini (which is symlinked to /etc/neutron/plugins/ml2/ml2_conf.ini). This causes the 'neutron security-group-list' command to return 404 Not Found.

Adding these two lines to ml2_conf.ini and restarting neutron-server causes the 'neutron security-group-list' command to function properly:

[securitygroup]
firewall_driver=neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver

I have NOT confirmed full functionality (firewall operation) with this change -- I've only tested that the API now exists.

Environment: Using RDO Havana on CentOS 6.5 with very recent patches. nova-api and neutron-server on the same machine, deployed entirely via puppet.

Emilien Macchi (emilienm) wrote :

Conversation with one of the ML2 developers (Robert Kukura): http://paste.openstack.org/show/DjXvwenkOI2p4QINaN5t/

Changed in puppet-neutron:
assignee: nobody → Emilien Macchi (emilienm)
importance: Undecided → High
Changed in puppet-neutron:
status: New → In Progress
Robert Kukura (rkukura) wrote :

Since the ML2 plugin can concurrently support different L2 agents (or other mechanisms) with different configurations, I recommend setting the following in ml2_conf.ini:

[securitygroup]
firewall_driver = dummy_value_to_enable_security_groups_in_server

Each L2 agent config file (such as ovs_neutron_plugin.ini) should contain the appropriate firewall_driver value for that agent.
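
The split described in the comment above (any non-empty value in ml2_conf.ini so the server exposes the security-group API, a real driver in each L2 agent file) can be checked offline. This is an added example, not code from neutron or puppet-neutron; the sample INI text is constructed, and treating an unset value or neutron.agent.firewall.NoopFirewallDriver as "disabled" is an assumption of this example.

```python
import configparser

# Real neutron class path; treating it as "disabled" is this example's assumption.
NOOP = "neutron.agent.firewall.NoopFirewallDriver"
# Placeholder value quoted in the thread for the server-side ml2_conf.ini.
PLACEHOLDER = "dummy_value_to_enable_security_groups_in_server"

def firewall_driver(ini_text):
    """Return [securitygroup]/firewall_driver from INI text, or None if unset."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(ini_text)
    value = cp.get("securitygroup", "firewall_driver", fallback="").strip()
    return value or None

def audit(server_ini, agent_inis):
    """Check the server config and each agent config; return a list of findings."""
    findings = []
    server = firewall_driver(server_ini)
    if server is None or server == NOOP:
        findings.append("ml2_conf.ini: firewall_driver not set; "
                        "security-group API calls are expected to return 404")
    for name, text in sorted(agent_inis.items()):
        drv = firewall_driver(text)
        if drv is None or drv == NOOP:
            findings.append(f"{name}: agent has no firewall driver configured")
        elif drv == PLACEHOLDER:
            findings.append(f"{name}: server-only placeholder used in an agent config")
    return findings

# Constructed sample configs mirroring the setup in this report.
BROKEN_ML2 = "[ml2]\ntype_drivers = vlan\ntenant_network_types = vlan\n"
FIXED_ML2 = BROKEN_ML2 + "\n[securitygroup]\nfirewall_driver = " + PLACEHOLDER + "\n"
OVS_AGENT = ("[securitygroup]\nfirewall_driver=neutron.agent.linux."
             "iptables_firewall.OVSHybridIptablesFirewallDriver\n")

if __name__ == "__main__":
    agents = {"ovs_neutron_plugin.ini": OVS_AGENT}
    for label, ml2 in (("before", BROKEN_ML2), ("after", FIXED_ML2)):
        print(label, audit(ml2, agents) or "no findings")
```
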

Greg C (agregc) wrote :

I can report that setting [securitygroup]/firewall_driver in ml2_conf.ini on my Ubuntu install has cleared the 404 error problem for me as well. I've been stuck on this issue for weeks now. There's a great lack of ml2+vlan how-to documentation. In fact, I pulled my ml2_conf.ini from a dev-stack config reference. There's nothing on ML2 in the Havana install guide.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/63228

Changed in openstack-manuals:
assignee: nobody → Emilien Macchi (emilienm)
importance: Undecided → High
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-manuals (master)

Fix proposed to branch: master
Review: https://review.openstack.org/63233

Changed in neutron:
assignee: nobody → Emilien Macchi (emilienm)
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/63240

OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-manuals (master)

Reviewed: https://review.openstack.org/63233
Committed: https://git.openstack.org/cgit/openstack/openstack-manuals/commit/?id=4c5d9ba37bb2cebedb05aabab3452a5e0005f985
Submitter: Jenkins
Branch: master

commit 4c5d9ba37bb2cebedb05aabab3452a5e0005f985
Author: Emilien Macchi <email address hidden>
Date: Thu Dec 19 23:50:35 2013 +0100

    Document security group when using ML2 plugin

    Since the ML2 plugin can concurrently support different L2 agents (or
    other mechanisms) with different configurations, Neutron developers
    recommend setting firewall_driver flag in ml2 configuration.

    Change-Id: I7f97128a955ded99400e25a5ef9a990260df3bf7
    Closes-bug: #1262678
    backport: havana
    Signed-off-by: Emilien Macchi <email address hidden>

Changed in openstack-manuals:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-manuals (stable/havana)

Fix proposed to branch: stable/havana
Review: https://review.openstack.org/63572

OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-manuals (stable/havana)

Reviewed: https://review.openstack.org/63572
Committed: https://git.openstack.org/cgit/openstack/openstack-manuals/commit/?id=3f04cf54ba979058ea4c6b14cce2a6fc68c28cc8
Submitter: Jenkins
Branch: stable/havana

commit 3f04cf54ba979058ea4c6b14cce2a6fc68c28cc8
Author: Emilien Macchi <email address hidden>
Date: Thu Dec 19 23:50:35 2013 +0100

    Document security group when using ML2 plugin

    Since the ML2 plugin can concurrently support different L2 agents (or
    other mechanisms) with different configurations, Neutron developers
    recommend setting firewall_driver flag in ml2 configuration.

    Change-Id: I7f97128a955ded99400e25a5ef9a990260df3bf7
    Closes-bug: #1262678
    backport: havana
    Signed-off-by: Emilien Macchi <email address hidden>
    (cherry picked from commit 4c5d9ba37bb2cebedb05aabab3452a5e0005f985)

tags: added: in-stable-havana
Changed in puppet-neutron:
status: In Progress → Fix Committed
Changed in neutron:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-neutron (stable/havana)

Fix proposed to branch: stable/havana
Review: https://review.openstack.org/66200

OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-neutron (master)

Reviewed: https://review.openstack.org/63228
Committed: https://git.openstack.org/cgit/stackforge/puppet-neutron/commit/?id=59cf3eb0a22c220509ec80c345bbf064f85374ad
Submitter: Jenkins
Branch: master

commit 59cf3eb0a22c220509ec80c345bbf064f85374ad
Author: Emilien Macchi <email address hidden>
Date: Thu Dec 19 23:21:20 2013 +0100

    Configure security group when using ML2 plugin

    Since the ML2 plugin can concurrently support different L2 agents (or
    other mechanisms) with different configurations, Neutron developers recommend
    setting firewall_driver flag in ml2 configuration.

    Change-Id: I62d0d1b2aac88a11e5f3e80e98953c71cfc98629
    Closes-bug: #1262678
    Signed-off-by: Emilien Macchi <email address hidden>

OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-neutron (stable/havana)

Reviewed: https://review.openstack.org/66200
Committed: https://git.openstack.org/cgit/stackforge/puppet-neutron/commit/?id=c23b95273747083b664cdaa25326d8962f2484a6
Submitter: Jenkins
Branch: stable/havana

commit c23b95273747083b664cdaa25326d8962f2484a6
Author: Emilien Macchi <email address hidden>
Date: Thu Dec 19 23:21:20 2013 +0100

    Configure security group when using ML2 plugin

    Since the ML2 plugin can concurrently support different L2 agents (or
    other mechanisms) with different configurations, Neutron developers recommend
    setting firewall_driver flag in ml2 configuration.

    Change-Id: I62d0d1b2aac88a11e5f3e80e98953c71cfc98629
    Closes-bug: #1262678
    Signed-off-by: Emilien Macchi <email address hidden>
    (cherry picked from commit 59cf3eb0a22c220509ec80c345bbf064f85374ad)

Mathieu Gagné (mgagne)
Changed in puppet-neutron:
milestone: none → 3.0.0
Mathieu Gagné (mgagne)
Changed in puppet-neutron:
milestone: 3.0.0 → none
Thierry Carrez (ttx)
Changed in neutron:
milestone: none → icehouse-2
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in neutron:
milestone: icehouse-2 → 2014.1
Mathieu Gagné (mgagne)
Changed in puppet-neutron:
milestone: none → 4.0.0
status: Fix Committed → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/openstack-manuals 15.0.0

This issue was fixed in the openstack/openstack-manuals 15.0.0 release.
