Atom feed of this document
  
 

 Configure security groups

The Networking Service provides security group functionality using a mechanism that is more flexible and powerful than the security group capabilities built into Compute. Therefore, if you use Networking, you should always disable built-in security groups and proxy all security group calls to the Networking API . If you do not, security policies will conflict by being simultaneously applied by both services.

To proxy security groups to Networking, use the following configuration values in nova.conf:

Table 7.8. nova.conf security group settings
Item Configuration

firewall_driver

Update to nova.virt.firewall.NoopFirewallDriver, so that nova-compute does not perform iptables-based filtering itself.

security_group_api

Update to neutron, so that all security group requests are proxied to the Network Service.

Questions? Discuss on ask.openstack.org
Found an error? Report a bug against this page

loading table of contents...