Iptables implementation of Quantum SecurityGroup Extension (OVS)

Registered by Nachi Ueno on 2012-12-03

Scope: This blueprint implements the iptables version of the Quantum SecurityGroup Extension.
It targets the OVS plugin.

Blueprint information

Status:
Complete
Approver:
dan wendlandt
Priority:
High
Drafter:
Nachi Ueno
Direction:
Needs approval
Assignee:
Nachi Ueno
Definition:
Review
Series goal:
Accepted for grizzly
Implementation:
Implemented
Milestone target:
2013.1
Started by
Nachi Ueno on 2013-01-10
Completed by
dan wendlandt on 2013-02-11

Whiteboard

Design document: https://docs.google.com/presentation/d/1nXzNXKIfCfotdav5BzkceDiOfDypEkvtTfVXCGdq6rY/edit#slide=id.g2900e35a_0_5

This blueprint tracks the OVS version of the security group implementation.
Note that the basic discussion of the architecture of the iptables implementation belongs with the linuxbridge support; this patch only deals with OVS plugin and agent support.
So please also see https://blueprints.launchpad.net/quantum/+spec/quantum-security-groups-iptables-lb .

Gerrit topic: https://review.openstack.org/#q,topic:bp/quantum-security-groups-iptables-ovs,n,z

Addressed by: https://review.openstack.org/19436
    Implements quantum security groups support on OVS plugin

HOW TO TEST --------------------------
Use https://review.openstack.org/#/c/16921/
and set the following variables in localrc:

Q_USE_QUANTUM_SEC_GROUP=True
Q_PLUGIN=openvswitch

Note: this patch is blocked until https://bugs.launchpad.net/nova/+bug/1050433 is fixed.
--> The bug has been fixed in nova. (amotoki -- Feb 10)

After that patch merges, we also need to fix: https://bugs.launchpad.net/quantum/+bug/1112912 .
--> This bug is specific to LibvirtGenericVIFDriver. (amotoki -- Feb 10)
If LibvirtHybridOVSBridgeDriver is used, the patch works, so it is not a blocker.
With LibvirtHybridOVSBridgeDriver, nova security groups are enabled if IptablesFirewallDriver is used,
and quantum security groups can be used if NoopFirewallDriver is used.

Default value upgrade plan
In order not to break quantum-gate, we should bootstrap the default value for the security group configuration:
- (step1) turn off quantum security group by default
- (step2) update devstack
- (step3) turn on quantum security group by default

To use OVS security groups, the following configuration is required. We need to update devstack to configure these parameters. They also need to be documented.

nova.conf
- firewall_driver = nova.virt.libvirt.firewall.IptablesFirewallDriver
- libvirt_vif_driver = nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver
ovs_quantum_plugin.ini
- [SECURITYGROUP] firewall_driver = quantum.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver (ovs_quantum_plugin.ini)
- [DEFAULT] state_path = /opt/stack/data/quantum (quantum.conf or ovs_quantum_plugin.ini)
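As an added pre-flight check (example code, not part of this blueprint or of the Quantum/nova code bases), the following Python script parses nova.conf and ovs_quantum_plugin.ini contents with the standard-library configparser and reports which of the settings listed above are missing or set to a different value. The required keys and values are the ones from this whiteboard; the file contents embedded in the script are constructed samples, not files from a real deployment.

```python
"""Check that nova.conf / ovs_quantum_plugin.ini carry the settings the
blueprint whiteboard lists for OVS security groups.

Added example; the REQUIRED table is copied from the whiteboard, the
sample file contents are constructed for illustration.
"""
import configparser

# (file label, section, option, expected value) as listed on the whiteboard.
REQUIRED = [
    ("nova.conf", "DEFAULT", "firewall_driver",
     "nova.virt.libvirt.firewall.IptablesFirewallDriver"),
    ("nova.conf", "DEFAULT", "libvirt_vif_driver",
     "nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver"),
    ("ovs_quantum_plugin.ini", "SECURITYGROUP", "firewall_driver",
     "quantum.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver"),
]

# state_path may live in either of these two files.
STATE_PATH_FILES = ("quantum.conf", "ovs_quantum_plugin.ini")


def parse_ini(text):
    """Parse INI text; interpolation is disabled so '%' in values is literal."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def lookup(cp, section, option):
    """Return the stripped value or None; 'DEFAULT' is handled by configparser."""
    if cp.has_option(section, option):
        return cp.get(section, option).strip()
    return None


def check_configs(files):
    """files maps a file label to its text. Returns a list of problems
    (an empty list means every required setting is present and correct)."""
    parsed = {label: parse_ini(text) for label, text in files.items()}
    problems = []
    for label, section, option, expected in REQUIRED:
        cp = parsed.get(label)
        if cp is None:
            problems.append("%s: file not provided" % label)
            continue
        actual = lookup(cp, section, option)
        if actual is None:
            problems.append("%s: [%s] %s not set (want %s)"
                            % (label, section, option, expected))
        elif actual != expected:
            problems.append("%s: [%s] %s = %r, want %r"
                            % (label, section, option, actual, expected))
    state_paths = [lookup(parsed[l], "DEFAULT", "state_path")
                   for l in STATE_PATH_FILES if l in parsed]
    if not any(state_paths):
        problems.append("[DEFAULT] state_path not set in quantum.conf "
                        "or ovs_quantum_plugin.ini")
    return problems


# Constructed sample contents matching the whiteboard's required settings.
NOVA_CONF_OK = """[DEFAULT]
firewall_driver = nova.virt.libvirt.firewall.IptablesFirewallDriver
libvirt_vif_driver = nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver
"""

OVS_INI_OK = """[DEFAULT]
state_path = /opt/stack/data/quantum
[SECURITYGROUP]
firewall_driver = quantum.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
"""

# Constructed sample with no [SECURITYGROUP] section and no state_path.
OVS_INI_BAD = """[OVS]
tenant_network_type = gre
"""

if __name__ == "__main__":
    for name, files in (
        ("good", {"nova.conf": NOVA_CONF_OK, "ovs_quantum_plugin.ini": OVS_INI_OK}),
        ("bad", {"nova.conf": NOVA_CONF_OK, "ovs_quantum_plugin.ini": OVS_INI_BAD}),
    ):
        print(name, check_configs(files) or "OK")
```

Run it against the real files by reading them into the dict under the same labels; a non-empty list is the set of settings devstack (or the operator) still has to write.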

(?)
