xenserver compute driver support neutron security group
XenServer as a compute driver in OpenStack currently lacks support for neutron security groups. When using a neutron network with ML2 openvswitch, the connection between a VM and the public network is:
ComputeNode[vm-vif -> br-int -> br-eth] -> NetworkNode[br-eth -> br-int -> br-ex]
Neutron's security groups are implemented with iptables rules applied on a Linux bridge; openvswitch, however, is not compatible with iptables.
The XenServer driver therefore cannot currently support neutron security groups.
This BP implements this feature so that OpenStack + XenServer works with security groups under a neutron network. The main change is to add a Linux bridge qbrxxx for each VM on the compute node, so that the VM connects to the Linux bridge and the Linux bridge connects to br-int. Security groups can then be applied on the Linux bridge. When this work is finished, the connection between a VM and the public network is:
compute node[vm-vif -> qbr(linux bridge) -> br-int -> br-eth] -> network node [br-eth -> br-int -> br-ex]
For detailed implementation, libvirt\
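An added example (not code from the blueprint or from nova): a small audit that checks, from `brctl show` and `ovs-vsctl list-ports br-int` output, that every VM vif sits behind a qbr Linux bridge rather than directly on br-int, where iptables rules would not apply. The qvb/qvo veth names, the vifN.M/tapN.M interface names and the sample outputs are assumptions constructed for illustration.

```python
import re

# Constructed sample of `brctl show` on a compute node (not captured output).
BRCTL_SHOW = """\
bridge name\tbridge id\t\tSTP enabled\tinterfaces
qbr1a2b3c4d-5e\t\t8000.aabbccddeeff\tno\t\tqvb1a2b3c4d-5e
\t\t\t\t\t\t\tvif3.0
qbr9f8e7d6c-5b\t\t8000.112233445566\tno\t\tqvb9f8e7d6c-5b
"""
# Constructed sample of `ovs-vsctl list-ports br-int`.
OVS_PORTS = """\
qvo1a2b3c4d-5e
qvo9f8e7d6c-5b
vif5.0
int-br-eth1
"""
# Assumed guest interface naming: vifN.M or tapN.M.
VIF_RE = re.compile(r"^(vif|tap)\d+\.\d+$")

def parse_brctl(text):
    """Return {bridge: [interfaces]} from `brctl show` output."""
    bridges, current = {}, None
    for line in text.splitlines()[1:]:           # skip the header row
        fields = line.split()
        if fields and not line[0].isspace():     # row that starts a bridge
            current = fields[0]
            bridges[current] = fields[3:4]       # bridge may have no interface
        elif fields and current:                 # continuation row: interface only
            bridges[current].append(fields[0])
    return bridges

def audit(brctl_text, ovs_ports_text):
    """List places where a VM vif is not behind an iptables-filterable qbr."""
    findings = []
    ovs_ports = set(ovs_ports_text.split())
    for port in sorted(ovs_ports):
        if VIF_RE.match(port):
            findings.append(f"{port}: attached directly to br-int, bypasses qbr filtering")
    for br, ifaces in sorted(parse_brctl(brctl_text).items()):
        if not br.startswith("qbr"):
            continue
        suffix = br[3:]
        if not any(VIF_RE.match(i) for i in ifaces):
            findings.append(f"{br}: no VM vif attached")
        if "qvb" + suffix not in ifaces:
            findings.append(f"{br}: missing veth end qvb{suffix}")
        if "qvo" + suffix not in ovs_ports:
            findings.append(f"{br}: uplink qvo{suffix} not on br-int")
    return findings
```

On the constructed samples, `audit(BRCTL_SHOW, OVS_PORTS)` flags vif5.0 as plugged straight into br-int and qbr9f8e7d6c-5b as a bridge with no VM vif.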
Blueprint information
- Status: Complete
- Approver: John Garbutt
- Priority: Low
- Drafter: huan
- Direction: Approved
- Assignee: huan
- Definition: Approved
- Series goal: Accepted for newton
- Implementation: Implemented
- Milestone target: newton-2
- Started by: John Garbutt
- Completed by: Matt Riedemann
Whiteboard
Gerrit topic: https:/
Addressed by: https:/
XenAPI: Support neutron security group
Gerrit topic: https:/
Addressed by: https:/
Xenserver compute driver support neutron security group