[openstack-dev] Fwd: Problem with nova add-fixed-ip or quantum port-update

John Gruber john.t.gruber at gmail.com
Sat Jul 27 17:30:02 UTC 2013


Forwarding to -dev from -operators.

Any know why when a fixed-ip gets added to an external network guest port,
all connectivity on all fixedips for the guest on the external network get
block outbound on the compute node?

John

---------- Forwarded message ----------
From: John Gruber <john.t.gruber at gmail.com>
Date: Fri, Jul 26, 2013 at 4:39 PM
Subject: Problem with nova add-fixed-ip or quantum port-update
To: openstack-operators at lists.openstack.org


I am using Grizzly and I have a mix of both provider external networks
(VLANs) and tenant GRE tunnels.  The provider networks are obviously setup
as public, so VMs can start with interfaces on them.

I can start VMs just fine and get addresses via the dhcp_agent on both
external and tenant networks.

Everything is working well... until I need to add additional fixed_ips to
existing VM vif on external networks.

While I can get commands of the form:

    nova add-fixed-ip vm-uuid net-uuid
    repeat for each fixed-ip needed

and

    quantum port-update port-uuid -- --fixed_ips type=dict list=true
ip_address='10.1.1.6' ip_address='10.1.1.7'


to execute correctly, and can see the fixed_ip addresses either allocate
from the network allocation pool (using nova command) or my explicitly
define addresses (using quantum command) associate with my vm just fine, I
have a problem with security groups.

I've simplified my security groups to just one 'default' where everything
is allowed.  I can start ICMP ping test to my VM and show them working,
until I run the commands to provision addition fixed IPs. Once the command
takes effect on the compute node, all traffic to the vm interface hosting
the network stops.

Interestingly adjacent hosts can see the ARP entries with the correct MAC
address for the added fixed_ips, but I can not make any connections to
them. If I tcpdump on the VM, I see TCP SYN requests and the VM answer with
the SYN+ACK.  On the network outside the VM (trunked to the compute node) I
see the TCP SYN request enter the compute node, and no SYN+ACK emerges. The
problem is somewhere with allowing the VM to send packets to the external
network.

Can anyone tell me how to 'HUP' the security group to allow traffic to my
new list of fixed_ips?

John
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20130727/b0329647/attachment.html>


More information about the OpenStack-dev mailing list