Hi Gianluca,
First off, sorry for the late reply, been very busy this past week.
Regarding the lack of security group support on oVirt, I agree it's unfortunate.
Please take a look at this repo [0]; you'll find playbooks to update
the port's / networks port security, security groups, and a couple of
examples on how to create new security groups and rules via ansible.
You can follow the README, it features all the information you need to
install the requirements, and use the playbooks. Comments are welcome.
You can find answers to your questions inline.
[0] - https://github.com/maiqueb/ovirt-security-groups-demo/
On Fri, Apr 5, 2019 at 10:25 AM Gianluca Cecchi
<gianluca.cecchi(a)gmail.com> wrote:
On Fri, Apr 5, 2019 at 9:56 AM Miguel Duarte de Mora Barroso <mdbarroso(a)redhat.com>
wrote:
>
>
>
> Mind sharing the created ACLs ? (which I'm quite positive will be the
> default ones, but I just have to be sure). Can be done via "ovn-nbctl
> list acl" . With that I can check the ACLs assigned to the default
> group, and assure they are correct.
>
The question is: previous networks (in the sense of already existing before the port
security feature had been introduced in 4.3) seem to have inherited the "Enabled"
option and this prevents communication between VMs on the same OVN network.
Is this expected?
Previous networks are unchanged; nothing updates any of those during
the upgrade.
Now, newly created ports on existing networks *will* inherit the value
from the configuration - since the network itself doesn't have the
port security attribute set.
Can you share what's the current port-security-enabled value on your
configuration ?
(/etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf)
Otherwise other people in 4.2 using OVN will have the same problem
migrating to 4.3
If I create now in 4.3.2 a new OVN based network, if I select "Create an external
provider", I get as default "ovirt-provider-ovn" as External Provider and
"Enabled" as Network Port Security. Is this expected?
Yes.
Is it expected that a new OVN network with default values (Enabled
port security) is made so that by default 2 VMs don't communicate if I don't set a
special security group rule (that at this moment requires the REST API)?
No, the exact purpose of the default group is for the VMs to
communicate out of the box.
The ACLs you provide match all the ACLs present on the port groups
you've previously shared; from my perspective, your VMs should
be able to communicate.
Could you share the output of 'ovs-ofctl dump-flows br-int' on the
ovirt node where your VMs are located ? That could indicate why the
packets are being dropped. Please provide that in a pastebin (this
email is already hard to follow).
A further question: your cluster switch type is ovs, right? This would
only matter if your VMs run in different nodes, but hey, best to get
that sorted out early.
Lastly, are your VMs able to receive an IP address via dhcp ?
>
> As far as ACLs currently in place are concerned, here they are for my current
environment.
>
> [root@ovmgr1 ~]# ovn-nbctl list acl
> _uuid : 239f0fa4-a66e-4cce-8df2-05630f11e052
> action : drop
> direction : to-lport
> external_ids : {description="drop all ingress ip traffic",
ovirt_port_group_id="79d3d3a0-7a57-4903-8646-f678ea53aeca"}
> log : false
> match : "outport == @DropAll && ip"
> meter : []
> name : ""
> priority : 1000
> severity : alert
>
> _uuid : 141aa336-0549-47d0-b09f-c2cb0dd78dd2
> action : allow-related
> direction : from-lport
> external_ids : {description="automatically added allow all egress ip
traffic", ovirt_ethertype="IPv4",
ovirt_port_group_id="1fd8cacf-35cf-4aa3-b245-fec9c2e6e616"}
> log : false
> match : "inport == @Default && ip4"
> meter : []
> name : ""
> priority : 1001
> severity : alert
>
> _uuid : ac7d5a16-a596-43dc-88ec-e9d47512e7ce
> action : drop
> direction : from-lport
> external_ids : {description="drop all egress ip traffic",
ovirt_port_group_id="79d3d3a0-7a57-4903-8646-f678ea53aeca"}
> log : false
> match : "inport == @DropAll && ip"
> meter : []
> name : ""
> priority : 1000
> severity : alert
>
> _uuid : ef7f32f2-8b78-433f-a831-0e801c9d8b3e
> action : allow-related
> direction : to-lport
> external_ids : {ovirt_ethertype="IPv4",
ovirt_port_group_id="1fd8cacf-35cf-4aa3-b245-fec9c2e6e616",
ovirt_remote_group_id="1fd8cacf-35cf-4aa3-b245-fec9c2e6e616"}
> log : false
> match : "outport == @Default && ip4 && ip4.src ==
$pg_ip4_Default"
> meter : []
> name : ""
> priority : 1001
> severity : alert
>
> _uuid : 70c7114b-1be6-49c1-9bbd-966c52751e79
> action : allow-related
> direction : from-lport
> external_ids : {description="automatically added allow all egress ip
traffic", ovirt_ethertype="IPv6",
ovirt_port_group_id="1fd8cacf-35cf-4aa3-b245-fec9c2e6e616"}
> log : false
> match : "inport == @Default && ip6"
> meter : []
> name : ""
> priority : 1001
> severity : alert
>
> _uuid : 264111cf-4f66-4b4c-b3c9-693bbca53a70
> action : allow-related
> direction : to-lport
> external_ids : {ovirt_ethertype="IPv6",
ovirt_port_group_id="1fd8cacf-35cf-4aa3-b245-fec9c2e6e616",
ovirt_remote_group_id="1fd8cacf-35cf-4aa3-b245-fec9c2e6e616"}
> log : false
> match : "outport == @Default && ip6 && ip6.src ==
$pg_ip6_Default"
> meter : []
> name : ""
> priority : 1001
> severity : alert
> [root@ovmgr1 ~]#
>
> Gianluca
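The check Miguel describes above (does the Default port group carry allow-related ACLs in both directions, so VMs can talk out of the box?) can be automated against `ovn-nbctl list acl` output. This is an added example, not code from the thread or from the ovirt-security-groups-demo repo; the sample input is an abbreviated copy of the dump quoted above with the `>` markers stripped and wrapped lines rejoined.

```python
import re

# Constructed sample: three of the ACL records from the ovn-nbctl dump in this
# thread (abbreviated), with quote markers stripped and wrapped lines rejoined.
SAMPLE = """\
_uuid : 239f0fa4-a66e-4cce-8df2-05630f11e052
action : drop
direction : to-lport
external_ids : {description="drop all ingress ip traffic", ovirt_port_group_id="79d3d3a0-7a57-4903-8646-f678ea53aeca"}
match : "outport == @DropAll && ip"
priority : 1000

_uuid : 141aa336-0549-47d0-b09f-c2cb0dd78dd2
action : allow-related
direction : from-lport
external_ids : {ovirt_ethertype="IPv4", ovirt_port_group_id="1fd8cacf-35cf-4aa3-b245-fec9c2e6e616"}
match : "inport == @Default && ip4"
priority : 1001

_uuid : ef7f32f2-8b78-433f-a831-0e801c9d8b3e
action : allow-related
direction : to-lport
external_ids : {ovirt_ethertype="IPv4", ovirt_port_group_id="1fd8cacf-35cf-4aa3-b245-fec9c2e6e616", ovirt_remote_group_id="1fd8cacf-35cf-4aa3-b245-fec9c2e6e616"}
match : "outport == @Default && ip4 && ip4.src == $pg_ip4_Default"
priority : 1001
"""

def parse_acls(text):
    """Split ovn-nbctl 'list acl' output into one dict per ACL record."""
    acls = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, _, value = line.partition(" : ")
            rec[key.strip()] = value.strip().strip('"')
        # external_ids carries oVirt's port-group bookkeeping as key="value" pairs
        rec["external_ids"] = dict(re.findall(r'(\w+)="([^"]*)"', rec.get("external_ids", "")))
        acls.append(rec)
    return acls

def group_allows(acls, port_group="Default", ethertype="ip4"):
    """Directions in which allow-related ACLs admit an ethertype for a port group.
    VM-to-VM traffic needs both from-lport (egress) and to-lport (ingress)."""
    allowed = {"from-lport": False, "to-lport": False}
    needle = re.compile(rf"@{port_group} && {ethertype}\b")  # \b keeps 'ip' from matching 'ip4'
    for acl in acls:
        if acl["action"] == "allow-related" and needle.search(acl["match"]):
            allowed[acl["direction"]] = True
    return allowed
```

If either direction comes back False for the Default group, the ACLs themselves explain the dropped traffic; if both are True (as with the dump above), the cause lies elsewhere, e.g. in the br-int flows Miguel asks for.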