Skip to content

Instantly share code, notes, and snippets.

@djoreilly

djoreilly/disable_OS_firewalls.md

Last active December 29, 2023 07:07
Show Gist options
  • Star 10 You must be signed in to star a gist
  • Fork 1 You must be signed in to fork a gist
  • Save djoreilly/db9c2d32a473c6643551 to your computer and use it in GitHub Desktop.
Save djoreilly/db9c2d32a473c6643551 to your computer and use it in GitHub Desktop.
Download ZIP
Howto disable OpenStack firewalls
Raw
disable_OS_firewalls.md

Howto disable OpenStack firewalls

tested on kilo, juno and liberty. This breaks creating instances in horizon - on liberty anyway, maybe older too.

People usually want to do this because the anti-spoofing rules are dropping packets transmitted by Nova instances that do not have the source MAC or IP address that was allocated to the instance. Note: allowed-addresses-pairs or port-security extension can fix that. Also there is a performance drop using the hybrid plugging strategy (veth+linuxbridge+iptables).

But Nova needs a security groups API or it will refuse to start instances. It needs to be configured to use its own or Neutron's. Here we configure it to use the Nova security groups API, but disable nova-compute (and the Neutron L2 agent - just to be sure) from applying any iptables rules.

On each controller and compute node, change:

# /etc/neutron/plugins/ml2/ml2_conf.ini
[securitygroup]
enable_security_group = False
firewall_driver = neutron.agent.firewall.NoopFirewallDriver

To stop nova-compute from creating the iptables rules, configure it to use its Noop driver:

# /etc/nova/nova.conf
[DEFAULT]
security_group_api = nova
firewall_driver = nova.virt.firewall.NoopFirewallDriver

Restart all neutron-server, neutron-openvswitch-agent, nova-api and nova-compute services.

Now Neutron will creates ports with:

# neutron port-show 2a771f08-8758-43c5-b30c-71ec5a141ce0 | grep binding:vif_details
| binding:vif_details | {"port_filter": false, "ovs_hybrid_plug": false}

When using the OVS agent, that should also stop Nova from using the hybrid VIF plugging strategy, where it places a Linux Bridge in-line between the instance's tap and br-int. Instead, it should plug the VIF straight into br-int.

   <interface type='bridge'>
      <mac address='fa:16:3e:15:93:85'/>
      <source bridge='br-int'/>
      <virtualport type='openvswitch'>
        <parameters interfaceid='7fda07e4-de58-44da-a71f-d137a68d6c60'/>
      </virtualport>
      <target dev='tap7fda07e4-de'/>
      <model type='virtio'/>
      <alias name='net0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
    </interface>
@dvladisl
Copy link

Hello,

Applying above in Mitaka, I cannot instantiate any VM anymore. Details bellow:

Message Exceeded maximum number of retries. Exceeded max scheduling attempts 3 for instance 9fa74ae2-0fcc-49b1-ad09-67051adbc1e9. Last exception: 404 Not Found The resource could not be found. Neutron server returns request_ids: ['req-37351093-5a67-4128-861
Code 500
Details File "/usr/lib/python2.7/dist-packages/nova/conductor/manager.py", line 388, in build_instances filter_properties, instances[0].uuid) File "/usr/lib/python2.7/dist-packages/nova/scheduler/utils.py", line 186, in populate_retry raise exception.MaxRetriesExceeded(reason=msg)

Is there something different in Mitaka? Any thoughts?

thank you.

@msandhu2014
Copy link

I was able to setup mikata where it does not create linux bridges. the config is a bit different.
On each controller and compute node

# /etc/neutron/plugins/ml2/ml2_conf.ini
[securitygroup]
firewall_driver = neutron.agent.firewall.NoopFirewallDriver

On the controller node

# /etc/nova/nova.conf
[DEFAULT]
security_group_api = neutron
firewall_driver = nova.virt.firewall.NoopFirewallDriver

Note that you need to make sure
enable_security_group = True
otherwise an instance cannot be launched and an error will be reported.
A firewall rule is still present, but it is in the flow table of br-int.

@schmilmo
Copy link

In Mitaka the anti-spoofing aren't anymore set in the IPtables instead they are implemented to in ovs flows.
if you want to disable the anti spoofing rules you should set prevent_arp_spoofing = false in the neutron ml2 configuration

@alogracia
Copy link

Does it mean that Linux bridges do not work in Mitaka with security groups?

Copy link

ghost commented Nov 28, 2016

On Mitaka, "firewall_driver=openvswitch" on ml2 re-activate the Security Groups via new "ovs-firewall-driver", no more Linux Bridges in the middle, open-flow-based firewall. Pretty cool!

@Allkoman
Copy link

Exceeded maximum number of retries. Exceeded max scheduling attempts 3 for instance 070a5c08-990b-4479-b6fb-596bac225a9e. Last exception: Binding failed for port 81b6f811-6566-4a9a-aed0-e1840bc5f464, please check neutron logs for more information.
Code : 500
details:File "/usr/lib/python2.7/dist-packages/nova/conductor/manager.py", line 393, in build_instances filter_properties, instances[0].uuid) File "/usr/lib/python2.7/dist-packages/nova/scheduler/utils.py", line 186, in populate_retry raise exception.MaxRetriesExceeded(reason=msg)

how can i solve the problem .

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment