0

neutron-ovs-agent and security groups

asked 2017-01-12 14:45:57 +0300

mario-sommer

Does neutron-ovs-agent with OVS 2.6 support security groups? I can't find anything except for the "enable_security_group=false" line in the blogpost. What would be the correct firewall_driver value?


4 answers

1

answered 2017-01-13 01:29:52 +0300

abalutoiu

updated 2017-01-13 01:31:34 +0300

Hello! Unfortunately, it seems that you need the enhanced RPC support to use firewall_driver with the neutron OVS agent. This was implemented in Mitaka; you can either upgrade your environment or try to backport this patch to Mitaka: https://review.openstack.org/#/c/263865

0

answered 2017-01-12 17:52:33 +0300

abalutoiu

firewall_driver=openvswitch can only be used since the Mitaka release; please upgrade your environment to Mitaka or above to be able to use this option.

Regarding the first issue, I think you're missing this commit https://github.com/openstack/networki... If that's the case, you need to add the commit on your Windows node. Here are the details on how you can achieve that:

git clone https://github.com/openstack/networking-hyperv
cd networking-hyperv
git checkout liberty-eol
net stop neutron-ovs-agent
pip install .
net start neutron-ovs-agent

Comments

Still no luck with that. pip install said "Successfully installed networking-hyperv-1.0.5.dev5" and I see the new files under hyperv\neutron. But after restarting neutron-ovs-agent I still get the same NotImplementedError as before.

mario-sommer (2017-01-12 19:29:48 +0300)
0

answered 2017-01-12 16:53:30 +0300

mario-sommer

I tried both.

firewall_driver=neutron.plugins.hyperv.agent.security_groups_driver.HyperVSecurityGroupsDriver leads to...

2017-01-12 15:38:49.619 9352 INFO neutron.agent.securitygroups_rpc [req-c0cbda72-00ef-4b68-b7e2-59a016bf74f8 - - - - -] Preparing filters for devices set([u'397417cc-b531-48bc-aa0c-78943d63542a', u'37a063ab-9bb2-4721-893b-b4fda26268ff'])
2017-01-12 15:38:51.259 9352 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent [req-c0cbda72-00ef-4b68-b7e2-59a016bf74f8 - - - - -] Error while processing VIF ports
2017-01-12 15:38:51.259 9352 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent Traceback (most recent call last):
2017-01-12 15:38:51.259 9352 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent   File "C:\Program Files (x86)\Cloudbase Solutions\OpenStack\Nova\Python27\lib\site-packages\neutron\plugins\ml2\drivers\openvswitch\agent\ovs_neutron_agent.py", line 1756, in rpc_loop
2017-01-12 15:38:51.259 9352 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent     ovs_restarted)
2017-01-12 15:38:51.259 9352 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent   File "C:\Program Files (x86)\Cloudbase Solutions\OpenStack\Nova\Python27\lib\site-packages\neutron\plugins\ml2\drivers\openvswitch\agent\ovs_neutron_agent.py", line 1510, in process_network_ports
2017-01-12 15:38:51.259 9352 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent     port_info.get('updated', set()))
2017-01-12 15:38:51.259 9352 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent   File "C:\Program Files (x86)\Cloudbase Solutions\OpenStack\Nova\Python27\lib\site-packages\neutron\agent\securitygroups_rpc.py", line 286, in setup_port_filters
2017-01-12 15:38:51.259 9352 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent     self.prepare_devices_filter(new_devices)
2017-01-12 15:38:51.259 9352 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent   File "C:\Program Files (x86)\Cloudbase Solutions\OpenStack\Nova\Python27\lib\site-packages\neutron\agent\securitygroups_rpc.py", line 142, in decorated_function
2017-01-12 15:38:51.259 9352 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent     *args, **kwargs)
2017-01-12 15:38:51.259 9352 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent   File "C:\Program Files (x86)\Cloudbase Solutions\OpenStack\Nova\Python27\lib\site-packages\neutron\agent\securitygroups_rpc.py", line 167, in prepare_devices_filter
2017-01-12 15:38:51.259 9352 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent     security_groups, security_group_member_ips)
2017-01-12 15:38:51.259 9352 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent   File "C:\Program Files (x86)\Cloudbase Solutions\OpenStack\Nova\Python27\lib\site-packages\neutron\agent\securitygroups_rpc.py", line 173, in _update_security_group_info
2017-01-12 15:38:51.259 9352 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent     self.firewall.update_security_group_rules(sg_id, sg_rules)
2017-01-12 15:38:51.259 9352 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent   File "C:\Program Files (x86)\Cloudbase Solutions\OpenStack\Nova\Python27\lib\site-packages\neutron\agent\firewall.py", line 118, in update_security_group_rules
2017-01-12 15:38:51.259 9352 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent     raise NotImplementedError()
2017-01-12 15:38:51.259 9352 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent NotImplementedError

With firewall_driver=openvswitch the agent doesn't even start

2017-01-12 15:36:04.611 5040 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent [req-47dd3401-0bb9-4012-ae0f-0d45a46ff071 - - - - -] Empty module name Agent terminated!

I'm using OpenStack Liberty and GRE tunnels. Everything else works fine with Hyper-V and the OVS agent.

0

answered 2017-01-12 16:32:43 +0300

aserdean

For OVS 2.5 you could use the following:

[SECURITYGROUP]
firewall_driver=neutron.plugins.hyperv.agent.security_groups_driver.HyperVSecurityGroupsDriver
enable_security_group=true

The above will use Windows ACLs (https://technet.microsoft.com/en-us/l...)

For OVS 2.6 you have two options. One is the above and the other is:

[SECURITYGROUP]
enable_security_group=true
firewall_driver = openvswitch

This will use conntrack from OVS. Small caveat: it does not support IPv6 and also does not support IPv4 fragments.

Thanks, Alin.
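
One way to check an agent config against the constraints given in the answers on this page (the openvswitch driver needs Mitaka or above, is listed for OVS 2.6, and lacks IPv6 and IPv4-fragment support). This is an added example, not part of the original thread or of neutron; the function name, finding codes and sample config are constructed for illustration.

```python
import configparser

# Constructed sample: the asker's setup (Liberty, OVS 2.6), with one key written
# without its underscores, so it is a different name from the real option.
SAMPLE = """
[SECURITYGROUP]
enablesecuritygroup = true
firewall_driver = openvswitch
"""

RELEASES = ["kilo", "liberty", "mitaka", "newton", "ocata"]  # oldest first
HYPERV = ("neutron.plugins.hyperv.agent.security_groups_driver."
          "HyperVSecurityGroupsDriver")
KNOWN = ("enable_security_group", "firewall_driver")


def check_securitygroup(conf_text, release, ovs_version):
    """Return (code, message) findings for the [SECURITYGROUP] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    name = next((s for s in cp.sections() if s.lower() == "securitygroup"), None)
    if name is None:
        return [("no-section", "no [SECURITYGROUP] section found")]
    opts, out = cp[name], []
    # A key that only matches once underscores are stripped is a misspelling.
    for key in opts:
        for good in KNOWN:
            if key != good and key.replace("_", "") == good.replace("_", ""):
                out.append(("bad-key", "%s is not %s" % (key, good)))
    if not opts.getboolean("enable_security_group", fallback=False):
        out.append(("sg-off", "enable_security_group is not set to true"))
    driver = opts.get("firewall_driver", "")
    ovs = tuple(int(p) for p in ovs_version.split(".")[:2])
    if driver == "openvswitch":
        # RELEASES.index raises ValueError for a release not in the list above.
        if RELEASES.index(release.lower()) < RELEASES.index("mitaka"):
            out.append(("needs-mitaka", "openvswitch driver needs Mitaka or above"))
        if ovs < (2, 6):
            out.append(("needs-ovs26", "openvswitch driver is listed for OVS 2.6"))
        out.append(("conntrack-gaps", "no IPv6, no IPv4 fragments"))
    elif driver != HYPERV:
        out.append(("unknown-driver", "not one of the two drivers named: %r" % driver))
    return out


if __name__ == "__main__":
    for code, msg in check_securitygroup(SAMPLE, "liberty", "2.6"):
        print("%-15s %s" % (code, msg))
```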


Stats

Asked: 2017-01-12 14:45:57 +0300

Seen: 841 times

Last updated: Jan 12 '17