OpenStack havana release on Ubuntu 13.10
Neutron + OpenvSwitch plugin
1. Configuration files that need to be modified
Edit /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini
[securitygroup]
# Firewall driver for realizing neutron security group function.
# firewall_driver = neutron.agent.firewall.NoopFirewallDriver
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
Edit /etc/nova/nova.conf
firewall_driver=nova.virt.firewall.NoopFirewallDriver
security_group_api=neutron
2. Restart the services
service nova-api restart
service nova-compute restart
service neutron-plugin-openvswitch-agent restart
The corresponding code is _add_rule_by_security_group() in /usr/share/pyshared/neutron/agent/linux/iptables_firewall.py on the compute node.
The corresponding log file is /var/log/neutron/openvswitch-agent.log
Brief analysis: security groups are a mechanism that uses iptables to control the traffic entering and leaving a VM (virtual machine). They used to be implemented by Nova, but are now implemented by an agent in Neutron; with the OpenvSwitch plugin, the neutron-plugin-openvswitch-agent running on the compute node adds the iptables rules.
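As an added consistency check (not part of the original notes and not OpenStack's own code), the following Python script parses both files and reports any deviation from the settings above, since Nova and the OVS agent both filtering, or neither, leaves VMs double-filtered or unfiltered. The sample configurations inside it are constructed, and the libvirt IptablesFirewallDriver value in the broken sample is an assumed stand-in for "Nova still filters on its own".

```python
"""Added check (not from the original notes): confirm that security groups are
enforced by exactly one layer, the Neutron OVS agent, as the two edits above intend."""
import configparser

NOVA_CONF = "/etc/nova/nova.conf"
OVS_INI = "/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini"
NOVA_EXPECTED = {  # nova.conf [DEFAULT]: Nova must delegate filtering to Neutron
    "firewall_driver": "nova.virt.firewall.NoopFirewallDriver",
    "security_group_api": "neutron",
}
# ovs_neutron_plugin.ini [securitygroup]: the agent must actually program iptables
OVS_EXPECTED = "neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver"


def _load(text):
    # strict=False tolerates the duplicated keys that copy-paste edits leave behind
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(text)
    return cp


def check_security_group_config(nova_conf_text, ovs_ini_text):
    """Return a list of problems; an empty list means Nova is Noop and the OVS
    agent uses the hybrid iptables driver, so VM traffic is filtered exactly once."""
    problems = []
    nova = _load(nova_conf_text)
    for key, want in NOVA_EXPECTED.items():
        got = nova.get("DEFAULT", key, fallback=None)
        if got != want:
            problems.append("nova.conf %s=%r, expected %r" % (key, got, want))
    got = _load(ovs_ini_text).get("securitygroup", "firewall_driver", fallback=None)
    if got != OVS_EXPECTED:
        problems.append("ovs_neutron_plugin.ini firewall_driver=%r, expected %r" % (got, OVS_EXPECTED))
    return problems


# Constructed sample inputs (not captured from a real host).
GOOD_NOVA = "[DEFAULT]\nfirewall_driver=nova.virt.firewall.NoopFirewallDriver\n" \
            "security_group_api=neutron\nsecurity_group_api=neutron\n"
GOOD_OVS = "[securitygroup]\n# firewall_driver = neutron.agent.firewall.NoopFirewallDriver\n" \
           "firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver\n"
# Assumed broken state: Nova still filtering on its own while the OVS agent is set to Noop.
BAD_NOVA = "[DEFAULT]\nfirewall_driver=nova.virt.libvirt.firewall.IptablesFirewallDriver\n"
BAD_OVS = "[securitygroup]\nfirewall_driver = neutron.agent.firewall.NoopFirewallDriver\n"

if __name__ == "__main__":
    with open(NOVA_CONF) as n, open(OVS_INI) as o:
        for line in check_security_group_config(n.read(), o.read()) or ["security group config OK"]:
            print(line)
```

Run it on the compute node after the restarts; any printed line names the file and key still pointing at the wrong enforcement layer.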