Tested on Kilo, Juno and Liberty. This breaks creating instances in Horizon (on Liberty at least, possibly older releases too).
People usually want to do this because the anti-spoofing rules drop packets transmitted by Nova instances whose source MAC or IP address is not the one allocated to the instance. Note: the allowed-address-pairs or port-security extensions can fix that without turning security groups off entirely. There is also a performance cost to the hybrid plugging strategy (veth + Linux bridge + iptables).
But Nova needs a security groups API or it will refuse to start instances; it must be configured to use either its own or Neutron's. Here we configure it to use the Nova security groups API, but stop nova-compute (and, just to be sure, the Neutron L2 agent) from applying any iptables rules.
# /etc/neutron/plugins/ml2/ml2_conf.ini
[securitygroup]
enable_security_group = False
firewall_driver = neutron.agent.firewall.NoopFirewallDriver
To stop nova-compute from creating the iptables rules, configure it to use its Noop driver:
# /etc/nova/nova.conf
[DEFAULT]
security_group_api = nova
firewall_driver = nova.virt.firewall.NoopFirewallDriver
Restart all neutron-server, neutron-openvswitch-agent, nova-api and nova-compute services.
Neutron now creates ports with:
# neutron port-show 2a771f08-8758-43c5-b30c-71ec5a141ce0 | grep binding:vif_details
| binding:vif_details | {"port_filter": false, "ovs_hybrid_plug": false}
With the OVS agent, this should also stop Nova from using the hybrid VIF plugging strategy, which places a Linux bridge inline between the instance's tap device and br-int. Instead it plugs the VIF straight into br-int, as the instance's libvirt interface definition shows:
<interface type='bridge'>
  <mac address='fa:16:3e:15:93:85'/>
  <source bridge='br-int'/>
  <virtualport type='openvswitch'>
    <parameters interfaceid='7fda07e4-de58-44da-a71f-d137a68d6c60'/>
  </virtualport>
  <target dev='tap7fda07e4-de'/>
  <model type='virtio'/>
  <alias name='net0'/>
  <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
</interface>
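Because the two config fragments above silently remove every anti-spoofing and security-group rule from a compute node, it is worth having a check that reports when a node is in this state. The following is an added example (not code from the post or from OpenStack); it parses the ml2_conf.ini and nova.conf fragments shown above with the standard-library configparser and the vif_details line from the port-show output, and returns a list of findings. The config strings and the port-show line are constructed copies of what the post shows.

```python
"""Audit OpenStack Neutron/Nova config for disabled security-group enforcement.

Added example, not from the original post. Reads the ML2 [securitygroup]
section, the nova.conf [DEFAULT] section and a `neutron port-show ... |
grep binding:vif_details` line, and reports where iptables filtering has
been switched off via the Noop firewall drivers.
"""
import configparser
import json

# Constructed sample inputs, mirroring the fragments shown in the post.
ML2_CONF = """
[securitygroup]
enable_security_group = False
firewall_driver = neutron.agent.firewall.NoopFirewallDriver
"""

NOVA_CONF = """
[DEFAULT]
security_group_api = nova
firewall_driver = nova.virt.firewall.NoopFirewallDriver
"""

PORT_SHOW_LINE = '| binding:vif_details | {"port_filter": false, "ovs_hybrid_plug": false}'

# The two driver class paths the post sets; both apply no iptables rules.
NOOP_DRIVERS = {
    "neutron.agent.firewall.NoopFirewallDriver",
    "nova.virt.firewall.NoopFirewallDriver",
}


def parse_ini(text):
    """Parse an oslo.config-style ini file (no % interpolation)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def audit_neutron(text):
    """Findings for the ML2 [securitygroup] section."""
    cp = parse_ini(text)
    sg = cp["securitygroup"] if cp.has_section("securitygroup") else {}
    enabled = sg.get("enable_security_group", "true").strip().lower()
    driver = sg.get("firewall_driver", "").strip()
    findings = []
    if enabled == "false":
        findings.append("neutron: enable_security_group=False; Neutron security groups are off")
    if driver in NOOP_DRIVERS:
        findings.append("neutron: firewall_driver is Noop; the L2 agent applies no iptables rules")
    return findings


def audit_nova(text):
    """Findings for the nova.conf [DEFAULT] section."""
    cp = parse_ini(text)
    d = cp.defaults()  # configparser exposes [DEFAULT] here
    driver = d.get("firewall_driver", "").strip()
    api = d.get("security_group_api", "").strip().lower()
    findings = []
    if driver in NOOP_DRIVERS:
        findings.append("nova: firewall_driver is Noop; nova-compute applies no iptables rules")
        if api == "nova":
            findings.append("nova: security_group_api=nova with Noop driver; rules are accepted by the API but never enforced")
    return findings


def vif_details_from_port_show(line):
    """Extract the JSON dict from a grep'd `binding:vif_details` table row."""
    start = line.index("{")
    end = line.rindex("}") + 1
    return json.loads(line[start:end])


def audit_port(line):
    """Findings for a single port's binding:vif_details."""
    details = vif_details_from_port_show(line)
    findings = []
    if details.get("port_filter") is False:
        findings.append("port: port_filter=false; no per-port filtering is applied")
    if details.get("ovs_hybrid_plug") is False:
        findings.append("port: ovs_hybrid_plug=false; VIF plugs straight into br-int")
    return findings


def audit_all(ml2_conf=ML2_CONF, nova_conf=NOVA_CONF, port_line=PORT_SHOW_LINE):
    """Run all three checks and return the combined list of findings."""
    return audit_neutron(ml2_conf) + audit_nova(nova_conf) + audit_port(port_line)


if __name__ == "__main__":
    for finding in audit_all():
        print("FINDING:", finding)
```

On a node configured as the post describes, the script reports six findings; on a node still using the iptables drivers with port_filter true it reports none, which makes it a cheap thing to run from a config-drift or compliance check.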
Hello,
Applying the above in Mitaka, I cannot instantiate any VM anymore. Details below:
Message Exceeded maximum number of retries. Exceeded max scheduling attempts 3 for instance 9fa74ae2-0fcc-49b1-ad09-67051adbc1e9. Last exception: 404 Not Found The resource could not be found. Neutron server returns request_ids: ['req-37351093-5a67-4128-861
Code 500
Details File "/usr/lib/python2.7/dist-packages/nova/conductor/manager.py", line 388, in build_instances filter_properties, instances[0].uuid) File "/usr/lib/python2.7/dist-packages/nova/scheduler/utils.py", line 186, in populate_retry raise exception.MaxRetriesExceeded(reason=msg)
Is there something different in Mitaka? Any thoughts?
thank you.