You’ve decided to deploy CloudForms to manage your hybrid cloud environment – fantastic! This article discusses a few architectural options and considerations you need before you deploy your new region.Read more “So, you want to deploy a CloudForms region?”
I’m attempting to run through the OSP10 -> OSP13 fast-forward upgrade process on my home lab. Unfortunately I kept running into an error when prepping for the fast forward upgrade:
Started Mistral Workflow tripleo.plan_management.v1.update_deployment_plan.
Execution ID: 3fb62e82-9025-4057-a5ff-8e2189e42a99
Processing templates in the directory /tmp/tripleoclient-rjkHaX/tripleo-heat-templates
Unable to establish connection to https://192.168.0.162:13989/v2/action_executions: ('Connection aborted.', BadStatusLine("''",))
This error arises from httplib in the Python standard library. In short, it’s telling you that the remote end of the connection terminated without sending an HTTP status code. In this case it’s reporting an empty string.Read more “ConnectionError: (‘Connection aborted.’, BadStatusLine(“””)) – OpenStack”
So far we’ve looked at:
- What tap interfaces are and why the VMs require them for network connectivity. (Part 1)
- How security groups are implemented as iptables rules. (Part 2)
- The implementation detail that iptables is just a front-end to the netfilter framework within the kernel, a framework that operates at layer 3.
None of that explains why we need the linux bridge in the middle, however.Read more “Neutron security groups and OVS, Part 3: tracing OVS’s hooks and claws…”
Security groups provide IP traffic filtering for your VM instances. You can specify ingress and egress rules and filter traffic based on port, source address, destination address, etc. Here’s a shot from my lab, with some basic security group rules assigned to my demo project (click to enlarge):
Under the hood, when using the iptables_hybrid firewall driver, these are all implemented as iptables rules on every compute node where an instance is running with this security group assigned.Read more “Neutron security groups and OVS, part 2: security groups implementation”
Today I did a little digging into the implementation of security groups when using OpenVSwitch. In particular, I was curious about this: why is it that security groups require the creation of a linux bridge on the compute node? Why can’t we just attach the VM directly to the OVS integration bridge (br-int) and set iptables rules on the VM interface like we otherwise would?
This applies when using the iptables_hybrid firewall driver for Neutron with the ML2+OVS subsystem. If you use the openvswitch firewall driver, these firewall rules are implemented entirely by OpenFlow rules that use the conntrack module in the Kernel.
This was originally going to be one post but I ended up rambling on for so long I opted to split it into a few related posts. This is the first!Read more “Neutron security groups and OVS, part 1: tap interfaces and VM connectivity”