Security groups cannot be used with XenAPI + OVS plugin

Bug #1245809 reported by Simon Pasquier
This bug affects 4 people

Affects: neutron | Status: Expired | Importance: Undecided | Assigned to: Unassigned | Milestone: (none)

Bug Description

When using the Nova XenAPI driver with Neutron (Open vSwitch with VLAN), it is not possible to use a firewall_driver other than NoopFirewallDriver ([SECURITYGROUP] section of the plugin configuration file). With the OVSHybridIptablesFirewallDriver driver, the OVS agent running on the compute node won't configure the flows on the OVS ports.

The XenAPI plugin [1] doesn't manage standard input which seems to be a blocker for running the iptables-save and iptables-restore commands [2]. Some work has been done in the past for nova-network [3] and I guess that something similar should be implemented for Neutron.

[1] https://github.com/openstack/neutron/blob/master/neutron/plugins/openvswitch/agent/xenapi/etc/xapi.d/plugins/netwrap
[2] https://github.com/openstack/neutron/blob/master/neutron/agent/linux/iptables_manager.py#L346
[3] https://review.openstack.org/#/c/2071
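To make the stdin problem concrete, here is an added example (not the netwrap plugin's or neutron's own code) modelling a XenAPI-style command dispatcher: one variant only forwards argv, as the bug describes, and one also pipes the caller's input to the child. The whitelist and the stand-in for iptables-restore (a small Python process that counts the `-A` rule lines it reads from stdin) are assumptions so the example runs offline.

```python
import subprocess
import sys

# Stand-in for iptables-restore (constructed for this example): reads a
# ruleset on stdin and prints how many "-A" rule lines it received.
FAKE_RESTORE = [
    sys.executable, "-c",
    "import sys; print(sum(1 for l in sys.stdin if l.startswith('-A')))",
]

# Assumed whitelist of commands the dispatcher may run on the dom0 side.
ALLOWED = {"iptables-restore": FAKE_RESTORE}

# Constructed ruleset of the kind IptablesManager hands to iptables-restore.
RULESET = (
    "*filter\n"
    "-A INPUT -j ACCEPT\n"
    "-A FORWARD -p tcp --dport 22 -j ACCEPT\n"
    "COMMIT\n"
)


def run_argv_only(name, args=()):
    """Netwrap-like behaviour: argv is forwarded, stdin is not."""
    if name not in ALLOWED:
        raise ValueError("command not in whitelist: %s" % name)
    proc = subprocess.run(ALLOWED[name] + list(args),
                          stdin=subprocess.DEVNULL,
                          capture_output=True, text=True, check=True)
    return proc.stdout.strip()


def run_with_stdin(name, args=(), process_input=None):
    """Dispatcher that also pipes process_input to the child's stdin."""
    if name not in ALLOWED:
        raise ValueError("command not in whitelist: %s" % name)
    proc = subprocess.run(ALLOWED[name] + list(args),
                          input=process_input,
                          capture_output=True, text=True, check=True)
    return proc.stdout.strip()


def applied_rule_counts():
    """Return (argv-only result, stdin-forwarding result) for RULESET."""
    return (run_argv_only("iptables-restore"),
            run_with_stdin("iptables-restore", process_input=RULESET))
```

The argv-only dispatcher reports zero rules applied, so the security-group ruleset never reaches the firewall; the stdin-forwarding variant applies both rule lines.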

Tags: xenserver
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/54509

Changed in neutron:
assignee: nobody → Simon Pasquier (simon-pasquier)
status: New → In Progress
Changed in neutron:
assignee: Simon Pasquier (simon-pasquier) → nobody
status: In Progress → Confirmed
Simon Pasquier (simon-pasquier) wrote :

I stopped working on this patch since the implementation of security groups with iptables + XenAPI + OVS requires heavy changes to the XenAPI VIF driver (iptables doesn't work with OVS ports).

As an alternative solution, Amir is working on a blueprint to implement security groups with OpenFlow flows: https://blueprints.launchpad.net/neutron/+spec/ovs-firewall-driver

tags: added: xenserver
Itsuro Oda (oda-g) wrote :

Simon,

ovs-firewall-driver presupposes OVS 2.1.0 but OVS in XenServer 6.2.0 is 1.4.6.
Are there any plans to fill this gap?

Vishal Thapar (vthapar) wrote :

Itsuro: Support for reflexive learning was added in 1.3.0 so should be available in XenServer. However, it will not be very performant because of the limited no. of kernel flows.

Itsuro Oda (oda-g) wrote :

Vishal,
Thank you for the reply.
Now I am thinking of upgrading OVS to 2.1.x on XenServer.
It seems there is no problem technically. The only problem is that it may lose Citrix support.

Cedric Brandily (cbrandily) wrote :

This bug is > 365 days without activity. We are unsetting assignee and milestone and setting status to Incomplete in order to allow its expiry in 60 days.

If the bug is still valid, then update the bug status.

Changed in neutron:
status: Confirmed → Incomplete
Launchpad Janitor (janitor) wrote :

[Expired for neutron because there has been no activity for 60 days.]

Changed in neutron:
status: Incomplete → Expired