Security groups don't work with LibvirtGenericVIFDriver driver
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Compute (nova) | Incomplete | Undecided | Salvatore Orlando |
Bug Description
Security groups on master branch using Neutron and OVS plugin are broken. No problem creating/deleting security group rules, but even though iptables configuration is updated, traffic to my instances is never filtered [0].
I'm running DevStack on 2 nodes (1 controller + 1 compute):
- OS: Ubuntu 12.04.3 (LTS) with the Havana cloud archive repository.
- Open vSwitch package version: 1.10.2-
- libvirt package version: 1.1.1-0ubuntu8~
- localrc, nova.conf, neutron.conf and ovs_neutron_
According to [2], [3] and [4], iptables is not compatible with TAP devices connected directly to Open vSwitch ports, which is why there used to be the additional veth + bridge interfaces [5]. But in my setup, this is not the case anymore, as shown in [6] ('ovs-vsctl show' + 'iptables-save' output). I've also pasted the libvirt XML configuration [7], which shows that the instance is directly connected to the Open vSwitch.
[0] http://
[1] http://
[2] http://
[3] http://
[4] http://
[5] http://
[6] http://
[7] http://
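As an added example (not code from the bug report or from nova): a small audit of a libvirt domain XML that flags interfaces plugged directly into Open vSwitch, the wiring the description says iptables cannot filter. The sample XML and its interface names are constructed; the rule that an `openvswitch` virtualport means "not filterable by iptables" is the assumption the check rests on.

```python
# Added example, not code from the bug report or from nova. Assumption: a
# <virtualport type='openvswitch'> means the TAP sits directly on an OVS port,
# which iptables never sees; a plain Linux bridge (the hybrid qbr) is filterable.
import xml.etree.ElementTree as ET

# Constructed sample: one VIF straight on br-int (the bug), one on a hybrid qbr.
SAMPLE_DOMAIN_XML = """<domain type='kvm'>
  <devices>
    <interface type='bridge'>
      <source bridge='br-int'/>
      <virtualport type='openvswitch'>
        <parameters interfaceid='11111111-2222-3333-4444-555555555555'/>
      </virtualport>
      <target dev='tap11111111-22'/>
    </interface>
    <interface type='bridge'>
      <source bridge='qbr66666666-77'/>
      <target dev='tap66666666-77'/>
    </interface>
  </devices>
</domain>"""


def audit_vifs(domain_xml):
    """One finding per <interface>: TAP name, bridge, virtualport type and
    whether iptables-based security group rules can take effect on it."""
    findings = []
    for iface in ET.fromstring(domain_xml).findall("./devices/interface"):
        source = iface.find("source")
        target = iface.find("target")
        vport = iface.find("virtualport")
        vport_type = vport.get("type") if vport is not None else None
        findings.append({
            "tap": target.get("dev") if target is not None else None,
            "bridge": source.get("bridge") if source is not None else None,
            "virtualport": vport_type,
            # iptables hooks Linux-bridge traffic; a direct OVS port bypasses it
            "filterable": vport_type != "openvswitch",
        })
    return findings


def unfiltered_taps(domain_xml):
    """TAP devices whose security group rules will never be applied."""
    return [f["tap"] for f in audit_vifs(domain_xml) if not f["filterable"]]


if __name__ == "__main__":
    print(unfiltered_taps(SAMPLE_DOMAIN_XML))
```

On a real host, feed it the output of `virsh dumpxml <instance>` and compare the flagged TAPs against the `iptables-save` chains nova generated.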
summary:
- Security groups don't work with the latest libvirt VIF driver
+ Security groups don't work with LibvirtGenericVIFDriver driver

Changed in nova:
importance: Undecided → High
assignee: nobody → Yaguang Tang (heut2008)
importance: High → Undecided
assignee: Yaguang Tang (heut2008) → nobody
The LibvirtHybridOVSBridgeDriver driver is gone on the master branch ([0]). Joe Gordon asked the Neutron devs about it a few weeks ago [1] but got no answer, and in another review [2] the conclusion was that the Tempest tests passed with Neutron. However, I don't see anywhere in the tests ([3], [4]) that we check if the security rules allow/block traffic.
[0] https://review.openstack.org/#/c/49660/
[1] http://lists.openstack.org/pipermail/openstack-dev/2013-October/016886.html
[2] https://review.openstack.org/#/c/44349
[3] https://github.com/openstack/tempest/blob/master/tempest/api/network/test_security_groups.py
[4] https://github.com/openstack/tempest/blob/master/tempest/api/network/test_security_groups_negative.py