Atom feed of this document
 

 Configure security groups

The OpenStack Networking Service provides security group functionality using a mechanism that is more flexible and powerful than the security group capabilities built into OpenStack Compute. Therefore, if you use OpenStack Networking, you should always disable built-in security groups and proxy all security group calls to the OpenStack Networking API . If you do not, security policies will conflict by being simultaneously applied by both services.

To proxy security groups to OpenStack Networking, use the following configuration values in nova.conf:

Table 4.44. nova.conf security group settings
Item Configuration

firewall_driver

Update to nova.virt.firewall.NoopFirewallDriver, so that nova-compute does not perform iptables-based filtering itself.

security_group_api

Update to neutron, so that all security group requests are proxied to the OpenStack Network Service.

Log a bug against this page


loading table of contents...