xenserver compute driver support neutron security group

Registered by huan on 2015-11-30

The XenServer compute driver in OpenStack currently lacks support for neutron security groups. When using a neutron network with ML2 openvswitch, the connection between a VM and the public network is currently:
ComputeNode[vm-vif -> br-int -> br-eth] -> NetworkNode[br-eth -> br-int -> br-ex]
Neutron's security groups are implemented with iptables rules applied on a Linux bridge; however, openvswitch is not compatible with iptables.
The XenServer driver therefore cannot support neutron security groups at present.

This BP implements this feature so that OpenStack + XenServer works with security groups under a neutron network. The main change is to add a Linux bridge qbrxxx for each VM on the compute node, so that the VM connects to the Linux bridge and the Linux bridge connects to br-int. Security groups can then be applied on the Linux bridge. When this work is finished, the connection between a VM and the public network is:
compute node[vm-vif -> qbr(linux bridge) -> br-int -> br-eth] -> network node [br-eth -> br-int -> br-ex]

For the detailed implementation, libvirt\vif.py:LibvirtGenericVIFDriver is the reference.
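
One way to check a compute node against the target topology above (an added example, not code from this blueprint or from the XenServer driver). It parses `brctl show` and `ovs-vsctl list-ports br-int` output and reports any VM VIF that skips the qbr Linux bridge. The sample outputs are constructed, and the vif<domid>.<index> device names and the qvb/qvo veth names (borrowed from the libvirt hybrid plug) are assumptions.

```python
import re

# Constructed sample of `brctl show` output (not captured from a real host).
BRCTL_SHOW = """\
bridge name     bridge id           STP enabled  interfaces
qbr3f2a1c9e-7b  8000.6e1f2a3b4c5d   no           qvb3f2a1c9e-7b
                                                 vif4.0
qbr9d8c7b6a-55  8000.7a2b3c4d5e6f   no           qvb9d8c7b6a-55
                                                 vif5.0
"""
# Constructed sample of `ovs-vsctl list-ports br-int` output.
OVS_PORTS = "int-br-eth1\nqvo3f2a1c9e-7b\nvif7.0\n"

# Assumption: VM-facing devices are named vif<domid>.<index>, and the bridge and
# veth ends follow the qbr/qvb/qvo naming of the libvirt hybrid plug.
VIF_RE = re.compile(r"^vif\d+\.\d+$")


def parse_brctl(text):
    """Map bridge name -> member interfaces from `brctl show` output."""
    bridges, current = {}, None
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if not fields:
            continue
        if line[0].isspace():  # continuation row: one more interface
            if current is not None:
                bridges[current].append(fields[0])
        else:  # new bridge row: name, id, STP flag, first interface
            current = fields[0]
            bridges[current] = fields[3:]
    return bridges


def audit(brctl_text, ovs_ports_text):
    """List places where the vif -> qbr -> br-int chain is broken."""
    findings = []
    ovs_ports = set(ovs_ports_text.split())
    for port in sorted(ovs_ports):
        if VIF_RE.match(port):  # iptables on qbr never sees this traffic
            findings.append(f"{port}: attached directly to br-int, bypasses qbr")
    for bridge, members in sorted(parse_brctl(brctl_text).items()):
        if not bridge.startswith("qbr"):
            continue
        suffix = bridge[3:]
        if "qvb" + suffix not in members or "qvo" + suffix not in ovs_ports:
            findings.append(f"{bridge}: veth pair to br-int incomplete")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(BRCTL_SHOW, OVS_PORTS)))
```

An empty result means every VIF found sits behind its own qbr bridge, which is the only hop where the iptables rules are applied.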

Blueprint information

Status: Complete
Approver: John Garbutt
Priority: Low
Drafter: huan
Direction: Approved
Assignee: huan
Definition: Approved
Series goal: Accepted for newton
Implementation: Implemented
Milestone target: newton-2
Started by: John Garbutt on 2016-06-03
Completed by: Matt Riedemann on 2016-06-30

Whiteboard

Gerrit topic: https://review.openstack.org/#q,topic:bp/xenserver-give-support-on-neutron-security-group,n,z

Addressed by: https://review.openstack.org/251271
    XenAPI: Support neutron security group

Gerrit topic: https://review.openstack.org/#q,topic:bp/support-neutron-security-group,n,z

Addressed by: https://review.openstack.org/304377
    XenServer compute driver support neutron security group
