The Kilo release of OpenStack finally added the ML2PortSecurityExtensionDriver. This makes NFV experiments in OpenStack much easier, because traffic often needs to pass through a VM.
The latest introductory document on port-security for OpenStack Kilo:
http://specs.openstack.org/openstack/neutron-specs/specs/kilo/ml2-ovs-portsecurity.html
The latest port-security configuration document for OpenStack Kilo:
https://wiki.openstack.org/wiki/Neutron/ML2PortSecurityExtensionDriver
The port-security code is as follows:

    from neutron.api import extensions
    from neutron.api.v2 import attributes
    from neutron.common import exceptions as nexception


    # _() is gettext's translation function, which neutron installs as a builtin.
    class PortSecurityPortHasSecurityGroup(nexception.InUse):
        message = _("Port has security group associated. Cannot disable port "
                    "security or ip address until security group is removed")


    class PortSecurityAndIPRequiredForSecurityGroups(nexception.InvalidInput):
        message = _("Port security must be enabled and port must have an IP"
                    " address in order to use security groups.")


    class PortSecurityBindingNotFound(nexception.InvalidExtensionEnv):
        message = _("Port does not have port security binding.")


    PORTSECURITY = 'port_security_enabled'
    EXTENDED_ATTRIBUTES_2_0 = {
        # Networks default to port security enabled.
        'networks': {
            PORTSECURITY: {'allow_post': True, 'allow_put': True,
                           'convert_to': attributes.convert_to_boolean,
                           'enforce_policy': True,
                           'default': True,
                           'is_visible': True},
        },
        # Ports have no default of their own: ATTR_NOT_SPECIFIED marks the
        # value as unset.
        'ports': {
            PORTSECURITY: {'allow_post': True, 'allow_put': True,
                           'convert_to': attributes.convert_to_boolean,
                           'default': attributes.ATTR_NOT_SPECIFIED,
                           'enforce_policy': True,
                           'is_visible': True},
        }
    }


    class Portsecurity(extensions.ExtensionDescriptor):
        """Extension class supporting port security."""

        @classmethod
        def get_name(cls):
            return "Port Security"

        @classmethod
        def get_alias(cls):
            return "port-security"

        @classmethod
        def get_description(cls):
            return "Provides port security"

        @classmethod
        def get_updated(cls):
            return "2012-07-23T10:00:00-00:00"

        def get_extended_resources(self, version):
            # Only API version 2.0 carries the extended attributes.
            if version == "2.0":
                return EXTENDED_ATTRIBUTES_2_0
            else:
                return {}

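Add the following configuration to /etc/neutron/plugins/ml2/ml2_conf.ini
Create a new network as follows:

    neutron net-create net2 --port-security-enabled=False
    neutron subnet-create net2 6.6.6.0/24 --enable-dhcp=False --name subnet2

port-security is now False, so neutron does not apply its anti-spoofing and security-group iptables rules to these ports, and from now on they no longer have to be deleted by hand.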
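
The attribute map above gives networks a default of True and ports no default (ATTR_NOT_SPECIFIED), and the two exception messages state when security groups and port security conflict. The following is an added example, not neutron code and not part of the original post: a stand-alone Python model of those rules that also lists which ports are left without filtering. The class names, helper names and sample ids are made up, and it assumes a port with no explicit value inherits its network's value.

```python
# Added illustration: a stand-alone model, not neutron code.
ATTR_NOT_SPECIFIED = object()  # stand-in for attributes.ATTR_NOT_SPECIFIED
PORTSECURITY = 'port_security_enabled'

class SecurityGroupNeedsPortSecurity(ValueError):
    """Local stand-in for PortSecurityAndIPRequiredForSecurityGroups."""

class PortHasSecurityGroup(ValueError):
    """Local stand-in for PortSecurityPortHasSecurityGroup."""

def effective_port_security(network, port):
    """Explicit port value wins; else inherit the network's (assumed rule)."""
    value = port.get(PORTSECURITY, ATTR_NOT_SPECIFIED)
    if value is ATTR_NOT_SPECIFIED:
        return network.get(PORTSECURITY, True)  # network default is True
    return value

def groups_allowed(network, port):
    """Security groups need port security enabled and at least one IP."""
    return effective_port_security(network, port) and bool(port.get('fixed_ips'))

def validate_create(network, port):
    """Reject a new port that asks for groups it cannot enforce."""
    if port.get('security_groups') and not groups_allowed(network, port):
        raise SecurityGroupNeedsPortSecurity(port.get('id'))
    return effective_port_security(network, port)

def validate_update(network, current, changes):
    """Refuse to drop port security or all IPs while groups stay attached."""
    merged = dict(current, **changes)
    if merged.get('security_groups') and not groups_allowed(network, merged):
        raise PortHasSecurityGroup(merged.get('id'))
    return merged

def unfiltered_ports(networks, ports):
    """Audit helper: ids of ports whose effective port security is off."""
    return [p['id'] for p in ports
            if not effective_port_security(networks[p['network_id']], p)]

# Constructed sample data mirroring the net2 example (ids are made up).
NETWORKS = {'net1': {}, 'net2': {PORTSECURITY: False}}
PORTS = [
    {'id': 'p1', 'network_id': 'net1', 'fixed_ips': ['10.0.0.5'],
     'security_groups': ['default']},
    {'id': 'p2', 'network_id': 'net2', 'fixed_ips': ['6.6.6.3']},
    {'id': 'p3', 'network_id': 'net1', PORTSECURITY: False},
]

if __name__ == '__main__':
    print(unfiltered_ports(NETWORKS, PORTS))
```
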
Next, install Floodlight and OpenDaylight.
The whole picture is as follows: