
Hi Gianluca,

First off, sorry for the late reply, been very busy this past week.

Regarding the lack of security group support on oVirt, I agree it's unfortunate. Please take a look at this repo [0]; you'll find playbooks to update the port's / network's port security, security groups, and a couple of examples on how to create new security groups and rules via ansible. You can follow the README, it features all the information you need to install the requirements and use the playbooks. Comments are welcome.

You can find answers to your questions inline.

[0] - https://github.com/maiqueb/ovirt-security-groups-demo/

On Fri, Apr 5, 2019 at 10:25 AM Gianluca Cecchi <gianluca.cecchi@gmail.com> wrote:
On Fri, Apr 5, 2019 at 9:56 AM Miguel Duarte de Mora Barroso <mdbarroso@redhat.com> wrote:
Mind sharing the created ACLs? (which I'm quite positive will be the default ones, but I just have to be sure). Can be done via "ovn-nbctl list acl". With that I can check the ACLs assigned to the default group, and assure they are correct.
The question is: previous networks (in the sense of already existing before the port security feature had been introduced in 4.3) seem to have inherited the "Enabled" option and this prevents communication between VMs on the same OVN network. Is this expected?
Previous networks are unchanged; nothing updates any of those during the upgrade. Now, newly created ports on existing networks *will* inherit the value from the configuration - since the network itself doesn't have the port security attribute set. Can you share what's the current port-security-enabled value on your configuration? (/etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf)
Otherwise other people in 4.2 using OVN will have the same problem migrating to 4.3. If I create now in 4.3.2 a new OVN based network, if I select "Create an external provider", I get as default "ovirt-provider-ovn" as External Provider and "Enabled" as Network Port Security. Is this expected?
Yes.
Is it expected that a new OVN network with default values (Enabled port security) is made so that by default 2 VMs don't communicate if I don't set a special security group rule (that in this moment requires REST api)?
No, the exact purpose of the default group is for the VMs to communicate out of the box. The ACLs you provide match all the ACLs present on the port groups you've previously shared, and, from my perspective, your VMs should be able to communicate. Could you share the output of 'ovs-ofctl dump-flows br-int' on the ovirt node where your VMs are located? That could indicate why the packets are being dropped. Please provide that in a pastebin (this email is already hard to follow). A further question: your cluster switch type is ovs, right? This would only matter if your VMs run in different nodes, but hey, best to get that sorted out early. Lastly, are your VMs able to receive an IP address via dhcp?
As far as ACLs currently in place are concerned, here they are for my current environment.
[root@ovmgr1 ~]# ovn-nbctl list acl
_uuid               : 239f0fa4-a66e-4cce-8df2-05630f11e052
action              : drop
direction           : to-lport
external_ids        : {description="drop all ingress ip traffic", ovirt_port_group_id="79d3d3a0-7a57-4903-8646-f678ea53aeca"}
log                 : false
match               : "outport == @DropAll && ip"
meter               : []
name                : ""
priority            : 1000
severity            : alert

_uuid               : 141aa336-0549-47d0-b09f-c2cb0dd78dd2
action              : allow-related
direction           : from-lport
external_ids        : {description="automatically added allow all egress ip traffic", ovirt_ethertype="IPv4", ovirt_port_group_id="1fd8cacf-35cf-4aa3-b245-fec9c2e6e616"}
log                 : false
match               : "inport == @Default && ip4"
meter               : []
name                : ""
priority            : 1001
severity            : alert

_uuid               : ac7d5a16-a596-43dc-88ec-e9d47512e7ce
action              : drop
direction           : from-lport
external_ids        : {description="drop all egress ip traffic", ovirt_port_group_id="79d3d3a0-7a57-4903-8646-f678ea53aeca"}
log                 : false
match               : "inport == @DropAll && ip"
meter               : []
name                : ""
priority            : 1000
severity            : alert

_uuid               : ef7f32f2-8b78-433f-a831-0e801c9d8b3e
action              : allow-related
direction           : to-lport
external_ids        : {ovirt_ethertype="IPv4", ovirt_port_group_id="1fd8cacf-35cf-4aa3-b245-fec9c2e6e616", ovirt_remote_group_id="1fd8cacf-35cf-4aa3-b245-fec9c2e6e616"}
log                 : false
match               : "outport == @Default && ip4 && ip4.src == $pg_ip4_Default"
meter               : []
name                : ""
priority            : 1001
severity            : alert

_uuid               : 70c7114b-1be6-49c1-9bbd-966c52751e79
action              : allow-related
direction           : from-lport
external_ids        : {description="automatically added allow all egress ip traffic", ovirt_ethertype="IPv6", ovirt_port_group_id="1fd8cacf-35cf-4aa3-b245-fec9c2e6e616"}
log                 : false
match               : "inport == @Default && ip6"
meter               : []
name                : ""
priority            : 1001
severity            : alert

_uuid               : 264111cf-4f66-4b4c-b3c9-693bbca53a70
action              : allow-related
direction           : to-lport
external_ids        : {ovirt_ethertype="IPv6", ovirt_port_group_id="1fd8cacf-35cf-4aa3-b245-fec9c2e6e616", ovirt_remote_group_id="1fd8cacf-35cf-4aa3-b245-fec9c2e6e616"}
log                 : false
match               : "outport == @Default && ip6 && ip6.src == $pg_ip6_Default"
meter               : []
name                : ""
priority            : 1001
severity            : alert
[root@ovmgr1 ~]#
Gianluca
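The check Miguel describes (confirm that the ACLs on the Default and DropAll port groups are the stock ones) can be scripted instead of eyeballed. The following is an added example, not code from the thread or from ovirt-provider-ovn: it parses the `ovn-nbctl list acl` record format into dictionaries and reports which of the six expected default-group rules are absent. The sample input is the ACL listing Gianluca posted above, embedded as a string; the list of expected rules is derived from that same listing and is an assumption about what a freshly set-up provider produces.

```python
import re

# Sample input: the 'ovn-nbctl list acl' records quoted in the thread above,
# embedded here so the script runs offline.
SAMPLE = """\
[root@ovmgr1 ~]# ovn-nbctl list acl
_uuid               : 239f0fa4-a66e-4cce-8df2-05630f11e052
action              : drop
direction           : to-lport
external_ids        : {description="drop all ingress ip traffic", ovirt_port_group_id="79d3d3a0-7a57-4903-8646-f678ea53aeca"}
log                 : false
match               : "outport == @DropAll && ip"
meter               : []
name                : ""
priority            : 1000
severity            : alert

_uuid               : 141aa336-0549-47d0-b09f-c2cb0dd78dd2
action              : allow-related
direction           : from-lport
external_ids        : {description="automatically added allow all egress ip traffic", ovirt_ethertype="IPv4", ovirt_port_group_id="1fd8cacf-35cf-4aa3-b245-fec9c2e6e616"}
log                 : false
match               : "inport == @Default && ip4"
meter               : []
name                : ""
priority            : 1001
severity            : alert

_uuid               : ac7d5a16-a596-43dc-88ec-e9d47512e7ce
action              : drop
direction           : from-lport
external_ids        : {description="drop all egress ip traffic", ovirt_port_group_id="79d3d3a0-7a57-4903-8646-f678ea53aeca"}
log                 : false
match               : "inport == @DropAll && ip"
meter               : []
name                : ""
priority            : 1000
severity            : alert

_uuid               : ef7f32f2-8b78-433f-a831-0e801c9d8b3e
action              : allow-related
direction           : to-lport
external_ids        : {ovirt_ethertype="IPv4", ovirt_port_group_id="1fd8cacf-35cf-4aa3-b245-fec9c2e6e616", ovirt_remote_group_id="1fd8cacf-35cf-4aa3-b245-fec9c2e6e616"}
log                 : false
match               : "outport == @Default && ip4 && ip4.src == $pg_ip4_Default"
meter               : []
name                : ""
priority            : 1001
severity            : alert

_uuid               : 70c7114b-1be6-49c1-9bbd-966c52751e79
action              : allow-related
direction           : from-lport
external_ids        : {description="automatically added allow all egress ip traffic", ovirt_ethertype="IPv6", ovirt_port_group_id="1fd8cacf-35cf-4aa3-b245-fec9c2e6e616"}
log                 : false
match               : "inport == @Default && ip6"
meter               : []
name                : ""
priority            : 1001
severity            : alert

_uuid               : 264111cf-4f66-4b4c-b3c9-693bbca53a70
action              : allow-related
direction           : to-lport
external_ids        : {ovirt_ethertype="IPv6", ovirt_port_group_id="1fd8cacf-35cf-4aa3-b245-fec9c2e6e616", ovirt_remote_group_id="1fd8cacf-35cf-4aa3-b245-fec9c2e6e616"}
log                 : false
match               : "outport == @Default && ip6 && ip6.src == $pg_ip6_Default"
meter               : []
name                : ""
priority            : 1001
severity            : alert
[root@ovmgr1 ~]#
"""

# Assumed stock rule set: (direction, action, priority, match) for the
# DropAll and Default port groups, taken from the listing above.
EXPECTED_DEFAULT_RULES = [
    ("to-lport", "drop", 1000, "outport == @DropAll && ip"),
    ("from-lport", "drop", 1000, "inport == @DropAll && ip"),
    ("from-lport", "allow-related", 1001, "inport == @Default && ip4"),
    ("from-lport", "allow-related", 1001, "inport == @Default && ip6"),
    ("to-lport", "allow-related", 1001, "outport == @Default && ip4 && ip4.src == $pg_ip4_Default"),
    ("to-lport", "allow-related", 1001, "outport == @Default && ip6 && ip6.src == $pg_ip6_Default"),
]


def parse_acls(text):
    """Turn 'ovn-nbctl list acl' output into a list of dicts, one per record."""
    acls, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        # Blank lines separate records; shell prompt lines are not part of a record.
        if not line or line.startswith("[root@"):
            if current:
                acls.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "external_ids":
            # {k="v", k2="v2"} -> dict of the quoted pairs
            value = dict(re.findall(r'(\w+)="([^"]*)"', value))
        elif key == "match":
            value = value.strip('"')
        elif key == "priority":
            value = int(value)
        current[key] = value
    if current:
        acls.append(current)
    return acls


def missing_default_rules(acls):
    """Return the expected default-group rules that are not present in the listing."""
    present = {(a["direction"], a["action"], a["priority"], a["match"]) for a in acls}
    return [rule for rule in EXPECTED_DEFAULT_RULES if rule not in present]


def drops_hitting_default(acls):
    """Drop rules that reference @Default or outrank the allow rules (priority > 1001)."""
    return [a for a in acls
            if a["action"] == "drop" and ("@Default" in a["match"] or a["priority"] > 1001)]


if __name__ == "__main__":
    parsed = parse_acls(SAMPLE)
    print(f"{len(parsed)} ACLs parsed")
    for rule in missing_default_rules(parsed):
        print("missing:", rule)
    for acl in drops_hitting_default(parsed):
        print("drop rule affecting Default group:", acl["_uuid"], acl["match"])
```

On a live engine the listing would come from `ovn-nbctl list acl` instead of the embedded string; an empty result from `missing_default_rules` means the default group is intact and, as Miguel says, the cause of the dropped packets has to be looked for in the OpenFlow tables on the host rather than in the northbound ACLs.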