Iptables implementation of Quantum SecurityGroup Extension (OVS)
Scope: This bp implements an iptables version of the Quantum SecurityGroup Extension.
This bp targets the OVS plugin.
Blueprint information
- Status: Complete
- Approver: dan wendlandt
- Priority: High
- Drafter: Nachi Ueno
- Direction: Needs approval
- Assignee: Nachi Ueno
- Definition: Review
- Series goal: Accepted for grizzly
- Implementation: Implemented
- Milestone target: 2013.1
- Started by: Nachi Ueno
- Completed by: dan wendlandt
Whiteboard
Design document: https:/
This bp tracks the OVS version of the security group implementation.
Note: basic discussion of the architecture of the iptables implementation should be done in linuxbridge support. This patch only deals with OVS plugin and agent support,
so please see https:/
Gerrit topic: https:/
Addressed by: https:/
Implements quantum security groups support on OVS plugin
HOW TO TEST -------
Use https:/
Set the following variables in localrc:
Q_USE_QUANTUM_
Q_PLUGIN=
Note this patch is blocked by fixing https:/
--> The bug has been fixed in nova. (amotoki -- Feb 10)
After that patch merges, we also need to fix: https:/
--> This bug is specific to LibvirtGenericV
If LibvirtHybridOV
With LibvirtHybridOV
and quantum security group can be used if NoopFirewallDriver is used.
Default Value upgrade plan
In order not to break quantum-gate, we should bootstrap the default value for the security group configuration.
- (step1) turn off quantum security group by default
- (step2) update devstack
- (step3) turn on quantum security group by default
To use OVS security groups, the following configurations are required. We need to update devstack to configure these parameters. These also need to be documented.
nova.conf
- firewall_driver = nova.virt.
- libvirt_vif_driver = nova.virt.
ovs_quantum_
- [SECURITYGROUP] firewall_driver = quantum.
- [DEFAULT] state_path = /opt/stack/