[lxc-users] nova-lxd does not support security group?

HIROSE Masaaki hirose31 at gmail.com
Wed Jun 22 07:58:02 UTC 2016


I've found that the neutron linuxbridge agent does not create a VXLAN when creating
an LXD instance.

Does nova-compute-lxd not yet support/cooperate with the neutron linuxbridge agent?





On Thu, Jun 9, 2016 at 1:55 PM, HIROSE Masaaki <hirose31 at gmail.com> wrote:
> Hi,
>
> I've changed the security group of an LXD instance on OpenStack, but it had no effect.
>
> - I can still access the LXD instance
> - no change in iptables -nL on the compute node of the LXD instance
> - no log message from the neutron linuxbridge agent
>
> Does nova-lxd not support security groups?
>
> * Environment
>
> Ubuntu 16.04
> OpenStack Mitaka
> lxd 2.0.2-0ubuntu1~16.04.1
> nova-compute-lxd 13.0.0-0ubuntu3
>
> * Reproduce
>
> Create a security group `allow-SSH` which allows only SSH access.
>
> $ nova secgroup-list-rules allow-SSH
> +-------------+-----------+---------+-----------+--------------+
> | IP Protocol | From Port | To Port | IP Range  | Source Group |
> +-------------+-----------+---------+-----------+--------------+
> | tcp         | 22        | 22      | 0.0.0.0/0 |              |
> +-------------+-----------+---------+-----------+--------------+
>
> Change the security group of the LXD instance to this `allow-SSH`.
>
> $ nova remove-secgroup lxd1 default
> $ nova add-secgroup lxd1 allow-SSH
> $ nova list-secgroup lxd1
> +--------------------------------------+-----------+-------------+
> | Id                                   | Name      | Description |
> +--------------------------------------+-----------+-------------+
> | 665407b4-aac0-4d41-afba-7476a2bedb75 | allow-SSH |             |
> +--------------------------------------+-----------+-------------+
>
> Then, I can still ping the LXD instance.
>
> The `allow-SSH` rule does not exist in iptables -nL on the LXD compute node.
>
> # iptables -nL | grep 22
> ACCEPT     all  --  0.0.0.0/0            192.168.122.0/24     ctstate RELATED,ESTABLISHED
> ACCEPT     all  --  192.168.122.0/24     0.0.0.0/0
>
> No log message in /var/log/neutron/neutron-linuxbridge-agent.log.
>
> 2016-06-09 13:32:16.141 14315 INFO neutron.agent.securitygroups_rpc [req-5df0f708-166d-4589-9ef0-0b0a475f6046 0980e79abec74a83a4c315bf9cc280be 98efb10842184d05aab967d266610958 - - -] Security group member updated [u'665407b4-aac0-4d41-afba-7476a2bedb75']
>
> On the other hand, /var/log/neutron/neutron-linuxbridge-agent.log on the
> KVM compute node shows the following:
>
> 2016-06-09 13:02:49.205 2392 INFO neutron.agent.securitygroups_rpc [req-4901c8c9-5440-4a88-b07a-1fa11bb3ef7c 0980e79abec74a83a4c315bf9cc280be 98efb10842184d05aab967d266610958 - - -] Security group member updated [u'e0e48207-8657-4c1a-ba5a-f4e8b4432a3b']
> 2016-06-09 13:02:51.095 2392 INFO neutron.agent.securitygroups_rpc [req-d507249c-6946-46f6-9258-b4b173e7568f - - - - -] Refresh firewall rules
> 2016-06-09 13:02:51.829 2392 INFO neutron.plugins.ml2.drivers.agent._common_agent [req-d507249c-6946-46f6-9258-b4b173e7568f - - - - -] Port tap7397d348-f5 updated. Details: {u'profile': {}, u'network_qos_policy_id': None, u'qos_policy_id': None, u'allowed_address_pairs': [], u'admin_state_up': True, u'network_id': u'd3cfb761-7be2-4f53-99df-c911e2842a84', u'segmentation_id': 7, u'device_owner': u'compute:nova', u'physical_network': None, u'mac_address': u'fa:16:3e:5e:ba:11', u'device': u'tap7397d348-f5', u'port_security_enabled': True, u'port_id': u'7397d348-f5e9-428b-9800-bb09927a8c34', u'fixed_ips': [{u'subnet_id': u'894fe18b-b67b-4909-a0cd-8f904c87b104', u'ip_address': u'192.168.201.53'}], u'network_type': u'vxlan', u'security_groups': []}



-- 
ひろせ
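The diagnostic in the thread (changing the security group in Nova and then grepping `iptables -nL` on the compute node) can be made systematic. The script below is an added example, not code from the poster, nova-lxd or Neutron: given the text of `iptables-save` and the tap device of an instance port, it reports whether the per-port security-group chains exist and which TCP ports the ingress chain lets through. It assumes Neutron's iptables firewall driver, under the linuxbridge agent, names those chains `neutron-linuxbri-i<id>` (ingress) and `neutron-linuxbri-o<id>` (egress), with `<id>` being the tap name minus the leading `tap`, cut to 10 characters; confirm the prefix on your own node with `iptables-save | grep '^:neutron-'`. The sample rules embedded in the script are constructed: the KVM-style port `tap7397d348-f5` has chains allowing SSH only, the LXD-style port `tapdeadbeef-00` has none, which is the unfiltered state the thread describes.

```shell
#!/bin/sh
# Added example (not from the thread, nova-lxd or Neutron): check whether a
# compute node actually carries Neutron security-group chains for a port.
#
# Assumption: the linuxbridge agent's iptables firewall driver names per-port
# chains neutron-linuxbri-i<id> (ingress to instance) and neutron-linuxbri-o<id>
# (egress), where <id> is the tap device name without "tap", cut to 10 chars.

# sg_port_chains DEVICE RULES
#   DEVICE: tap device name, e.g. tap7397d348-f5
#   RULES:  text of `iptables-save`, e.g. "$(iptables-save)"
# Prints the rules of each per-port chain it finds.  Exit status:
#   0 = ingress and egress chains both exist
#   1 = no per-port chain at all (the thread's symptom: security group changed
#       in Nova, nothing programmed on the host, instance unfiltered)
#   2 = only one direction present
sg_port_chains() {
    dev=$1; rules=$2
    id=$(printf '%s' "$dev" | cut -c4-13)
    missing=0
    for dir in i o; do
        chain="neutron-linuxbri-${dir}${id}"
        if printf '%s\n' "$rules" | grep -q "^:${chain} "; then
            echo "== $chain"
            printf '%s\n' "$rules" | grep "^-A ${chain} "
        else
            echo "== $chain MISSING"
            missing=$((missing + 1))
        fi
    done
    case $missing in
        0) return 0 ;;
        2) return 1 ;;
        *) return 2 ;;
    esac
}

# sg_ingress_tcp_ports DEVICE RULES
#   Lists TCP destination ports the ingress chain allows (Neutron's allow
#   rules jump to RETURN; anything not matched falls through to the drop).
sg_ingress_tcp_ports() {
    dev=$1; rules=$2
    id=$(printf '%s' "$dev" | cut -c4-13)
    printf '%s\n' "$rules" \
      | grep "^-A neutron-linuxbri-i${id} .*-p tcp .*-j RETURN" \
      | sed -n 's/.*--dport \([0-9:]*\).*/\1/p'
}

# Constructed sample of iptables-save output (not captured from a real node):
# port tap7397d348-f5 has chains allowing SSH only; tapdeadbeef-00 has none.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:neutron-linuxbri-FORWARD - [0:0]
:neutron-linuxbri-i7397d348-f - [0:0]
:neutron-linuxbri-o7397d348-f - [0:0]
:neutron-linuxbri-sg-fallback - [0:0]
-A FORWARD -j neutron-linuxbri-FORWARD
-A neutron-linuxbri-FORWARD -m physdev --physdev-out tap7397d348-f5 --physdev-is-bridged -j neutron-linuxbri-i7397d348-f
-A neutron-linuxbri-FORWARD -m physdev --physdev-in tap7397d348-f5 --physdev-is-bridged -j neutron-linuxbri-o7397d348-f
-A neutron-linuxbri-i7397d348-f -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-linuxbri-i7397d348-f -p tcp -m tcp --dport 22 -j RETURN
-A neutron-linuxbri-i7397d348-f -m state --state INVALID -j DROP
-A neutron-linuxbri-i7397d348-f -j neutron-linuxbri-sg-fallback
-A neutron-linuxbri-o7397d348-f -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-linuxbri-o7397d348-f -j RETURN
-A neutron-linuxbri-sg-fallback -j DROP
COMMIT'

# Demo on the constructed sample.  On a real compute node run instead:
#   sg_port_chains tapXXXXXXXX-XX "$(iptables-save)"
sg_port_chains tap7397d348-f5 "$SAMPLE_RULES" || echo "exit=$?"
echo "ingress tcp ports: $(sg_ingress_tcp_ports tap7397d348-f5 "$SAMPLE_RULES")"
sg_port_chains tapdeadbeef-00 "$SAMPLE_RULES" || echo "exit=$?"
```

An exit status of 1 for a port whose Nova security group was just changed means the agent never programmed the host for that port, so the instance is reachable regardless of what `nova list-secgroup` shows; an ingress chain that exists but contains no `--dport 22` allow rule means the rules were programmed but not the ones you expect.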

