| 2014-03-25 19:06:21 |
Nachi Ueno |
bug |
|
|
added bug |
| 2014-03-25 19:06:29 |
Nachi Ueno |
neutron: importance |
Undecided |
Critical |
|
| 2014-03-25 19:06:33 |
Nachi Ueno |
neutron: status |
New |
Confirmed |
|
| 2014-03-25 19:56:08 |
Nachi Ueno |
description |
Because of this bug.
https://review.openstack.org/#/c/49660/5
In order to fix this bug we need to fix https://launchpad.net/bugs/1112912, however it looks too late for
Icehouse.
In this bug, we simply revert this commit. |
Because of this bug.
https://review.openstack.org/#/c/49660/5
In order to fix this bug we need to fix https://launchpad.net/bugs/1112912, however it looks too late for
Icehouse.
In this bug fix, we will add new VIF driver which works with Neutron + OVS |
|
| 2014-03-25 20:22:40 |
Russell Bryant |
bug task added |
|
nova |
|
| 2014-03-25 20:22:48 |
Russell Bryant |
nova: status |
New |
Confirmed |
|
| 2014-03-25 20:22:53 |
Russell Bryant |
nova: importance |
Undecided |
High |
|
| 2014-03-25 20:22:58 |
Russell Bryant |
nova: status |
Confirmed |
In Progress |
|
| 2014-03-25 20:23:33 |
Russell Bryant |
nova: assignee |
|
Nachi Ueno (nati-ueno) |
|
| 2014-03-25 20:23:39 |
Russell Bryant |
nova: milestone |
|
icehouse-rc1 |
|
| 2014-03-26 01:48:25 |
gustavo panizzo |
bug |
|
|
added subscriber gustavo panizzo |
| 2014-03-26 04:36:34 |
Sandeep Raman |
information type |
Public |
Public Security |
|
| 2014-03-26 15:58:24 |
Sam Whyte |
bug |
|
|
added subscriber Sam Whyte |
| 2014-03-26 16:32:44 |
Thierry Carrez |
bug task added |
|
ossa |
|
| 2014-03-26 16:33:07 |
Thierry Carrez |
ossa: status |
New |
Incomplete |
|
| 2014-03-26 16:39:24 |
Salvatore Orlando |
attachment added |
|
hack.patch https://bugs.launchpad.net/neutron/+bug/1297469/+attachment/4045149/+files/hack.patch |
|
| 2014-03-26 16:39:43 |
Salvatore Orlando |
attachment added |
|
vif_type_nova.patch https://bugs.launchpad.net/neutron/+bug/1297469/+attachment/4045150/+files/vif_type_nova.patch |
|
| 2014-03-26 16:40:04 |
Salvatore Orlando |
attachment added |
|
vif_type_neutron.patch https://bugs.launchpad.net/neutron/+bug/1297469/+attachment/4045151/+files/vif_type_neutron.patch |
|
| 2014-03-26 17:03:27 |
Nachi Ueno |
description |
Because of this bug.
https://review.openstack.org/#/c/49660/5
In order to fix this bug we need to fix https://launchpad.net/bugs/1112912, however it looks too late for
Icehouse.
In this bug fix, we will add new VIF driver which works with Neutron + OVS |
Background of this issue:
ML2 + OVSDriver + IptablesBasedFirewall combination is a default plugin setting in the Neutron.
In this case, we need a special handing in VIF. Because OpenVSwitch don't support iptables, we are
using linuxbride + openvswitch bridge. We are calling this as hybrid driver.
On the other discussion, we generalized the Nova side VIF plugging to the Libvirt GenericVIFDriver.
The idea is let neturon tell the VIF plugging configration details to the GenericDriver, and GerericDriver
takes care of it.
Unfortunatly, HybridDriver is removed before GenericDriver is ready for security group.
This makes ML2 + OVSDriver + IptablesBasedFirewall combination unfunctional.
We were working on realfix, but we can't make it until Icehouse release due to design discussions [1].
# Even if neturon side patch isn't merged yet.
So we are proposing a workaround fix to Nova side.
In this fix, we are adding special version of the GenericVIFDriver which can work with the combination.
There is two point on this new Driver.
(1) It prevent set conf.filtername. Because we should use NoopFirewallDriver, we need conf.filtername should be None
when we use it.
(2) use plug_ovs_hybrid and unplug_ovs_hybrid by enforcing get_require_firewall as True.
Here is patchs with UT.
Workaournd fix:
Nova
https://review.openstack.org/#/c/82904/
Devstack patch for ML2 (Tested with 82904)
https://review.openstack.org/#/c/82937/
We have tested the patch 82904 with following test, and this works.
- Launch VM
- Assign floating ip
- make sure ping to the floating ip is failing from GW
- modify security group rule to allow ping from anywhere
- make sure ping is working
[1] Real fix: (defered to Juno)
Improve vif attributes related with firewalling
https://review.openstack.org/#/c/21946/
Support binding:vif_security parameter in neutron
https://review.openstack.org/#/c/44596/ |
|
| 2014-03-27 20:33:16 |
Russell Bryant |
marked as duplicate |
|
1112912 |
|
| 2014-03-27 21:27:45 |
OpenStack Infra |
nova: status |
In Progress |
Fix Committed |
|
