Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Howto disable OpenStack firewalls

Howto disable OpenStack firewalls

tested on kilo, juno and liberty. This breaks creating instances in horizon - on liberty anyway, maybe older too.

People usually want to do this because the anti-spoofing rules are dropping packets transmitted by Nova instances that do not have the source MAC or IP address that was allocated to the instance. Note: allowed-addresses-pairs or port-security extension can fix that. Also there is a performance drop using the hybrid plugging strategy (veth+linuxbridge+iptables).

But Nova needs a security groups API or it will refuse to start instances. It needs to be configured to use its own or Neutron's. Here we configure it to use the Nova security groups API, but disable nova-compute (and the Neutron L2 agent - just to be sure) from applying any iptables rules.

On each controller and compute node, change:

# /etc/neutron/plugins/ml2/ml2_conf.ini
[securitygroup]
enable_security_group = False
firewall_driver = neutron.agent.firewall.NoopFirewallDriver

To stop nova-compute from creating the iptables rules, configure it to use its Noop driver:

# /etc/nova/nova.conf
[DEFAULT]
security_group_api = nova
firewall_driver = nova.virt.firewall.NoopFirewallDriver

Restart all neutron-server, neutron-openvswitch-agent, nova-api and nova-compute services.

Now Neutron will creates ports with:

# neutron port-show 2a771f08-8758-43c5-b30c-71ec5a141ce0 | grep binding:vif_details
| binding:vif_details | {"port_filter": false, "ovs_hybrid_plug": false}   

When using the OVS agent, that should also stop Nova from using the hybrid VIF plugging strategy, where it places a Linux Bridge in-line between the instance's tap and br-int. Instead, it should plug the VIF straight into br-int.

   <interface type='bridge'>
      <mac address='fa:16:3e:15:93:85'/>
      <source bridge='br-int'/>
      <virtualport type='openvswitch'>
        <parameters interfaceid='7fda07e4-de58-44da-a71f-d137a68d6c60'/>
      </virtualport>
      <target dev='tap7fda07e4-de'/>
      <model type='virtio'/>
      <alias name='net0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
    </interface>
@dvladisl

This comment has been minimized.

Copy link

@dvladisl dvladisl commented Jun 29, 2016

Hello,

Applying above in Mitaka, I cannot instantiate any VM anymore. Details bellow:

Message Exceeded maximum number of retries. Exceeded max scheduling attempts 3 for instance 9fa74ae2-0fcc-49b1-ad09-67051adbc1e9. Last exception: 404 Not Found The resource could not be found. Neutron server returns request_ids: ['req-37351093-5a67-4128-861
Code 500
Details File "/usr/lib/python2.7/dist-packages/nova/conductor/manager.py", line 388, in build_instances filter_properties, instances[0].uuid) File "/usr/lib/python2.7/dist-packages/nova/scheduler/utils.py", line 186, in populate_retry raise exception.MaxRetriesExceeded(reason=msg)

Is there something different in Mitaka? Any thoughts?

thank you.

@msandhu2014

This comment has been minimized.

Copy link

@msandhu2014 msandhu2014 commented Jul 8, 2016

I was able to setup mikata where it does not create linux bridges. the config is a bit different.
On each controller and compute node

# /etc/neutron/plugins/ml2/ml2_conf.ini
[securitygroup]
firewall_driver = neutron.agent.firewall.NoopFirewallDriver

On the controller node

# /etc/nova/nova.conf
[DEFAULT]
security_group_api = neutron
firewall_driver = nova.virt.firewall.NoopFirewallDriver

Note that you need to make sure
enable_security_group = True
otherwise an instance cannot be launched and an error will be reported.
A firewall rule is still present, but it is in the flow table of br-int.

@schmilmo

This comment has been minimized.

Copy link

@schmilmo schmilmo commented Jul 20, 2016

In Mitaka the anti-spoofing aren't anymore set in the IPtables instead they are implemented to in ovs flows.
if you want to disable the anti spoofing rules you should set prevent_arp_spoofing = false in the neutron ml2 configuration

@alogracia

This comment has been minimized.

Copy link

@alogracia alogracia commented Aug 26, 2016

Does it mean that Linux bridges do not work in Mitaka with security groups?

@tmartinx

This comment has been minimized.

Copy link

@tmartinx tmartinx commented Nov 28, 2016

On Mitaka, "firewall_driver=openvswitch" on ml2 re-activate the Security Groups via new "ovs-firewall-driver", no more Linux Bridges in the middle, open-flow-based firewall. Pretty cool!

@Allkoman

This comment has been minimized.

Copy link

@Allkoman Allkoman commented Jan 18, 2017

Exceeded maximum number of retries. Exceeded max scheduling attempts 3 for instance 070a5c08-990b-4479-b6fb-596bac225a9e. Last exception: Binding failed for port 81b6f811-6566-4a9a-aed0-e1840bc5f464, please check neutron logs for more information.
Code : 500
details:File "/usr/lib/python2.7/dist-packages/nova/conductor/manager.py", line 393, in build_instances filter_properties, instances[0].uuid) File "/usr/lib/python2.7/dist-packages/nova/scheduler/utils.py", line 186, in populate_retry raise exception.MaxRetriesExceeded(reason=msg)

how can i solve the problem .

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment