[openstack-dev] Problem with nova add-fixed-ip or quantum port-update

John Gruber john.t.gruber at gmail.com
Sat Jul 27 18:22:49 UTC 2013


So I got it to work, but I need guidance from the OVS iptables gang on what
the reasoning was and how I fix it in a 'compliant' manner.

Q.  Why are the iptables rules on the OVS output chains for the interfaces
written as if the vif should only have ONE IP address assigned, where quantum
can assign multiple fixed IPs?

For the example where IP address 10.0.60.20 was assigned to my guest VM on
an external interface and assigned at boot, and then I added 10.0.60.22 via
nova --add-fixed-ip vm-uuid net-uuid...

Here is what I had in my iptables rules after adding the second fixedip:

iptables -L quantum-openvswi-o8a508818-0 --line-numbers
Chain quantum-openvswi-o8a508818-0 (2 references)
num  target     prot opt source               destination
1    DROP       all  --  anywhere             anywhere             MAC ! FA:16:3E:41:6B:15
2    RETURN     udp  --  anywhere             anywhere             udp spt:bootpc dpt:bootps
*3   DROP       all  -- !10.0.62.20           anywhere
4    DROP       all  -- !10.0.62.22           anywhere
*5   DROP       udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc
6    DROP       all  --  anywhere             anywhere             state INVALID
7    RETURN     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
8    RETURN     all  --  anywhere             anywhere
9    quantum-openvswi-sg-fallback  all  --  anywhere             anywhere


This obviously will not work.  The rules shadow each other and cut off all
outbound access from the guest VM on that network, which is exactly what I
was observing.

Running: iptables -D quantum-openvswi-o8a508818-0 4

And my access to 10.0.62.20 came back...

Running iptables -D quantum-openvswi-o8a508818-0 3

And my access to 10.0.62.22 started working...


Please tell me we did not intend to create a cloud where quantum has no
problems assigning multiple fixed IPs to a port, but iptables will eat them
all up! <g> Oh the humanity...

I know how to make it work and can hunt down the iptables root wrapper
command, but what should we do for this? I could not find an existing bug.

John
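The shadowing described in the post, as an added illustration that is not part of the original message and not Quantum/Neutron or iptables code: a toy rule matcher that walks a chain top to bottom the way iptables does (first terminating rule wins). It reproduces rules 3 and 4 from the listing (two negated per-IP DROPs) to show that every source is dropped by one rule or the other, then shows an allow-list form for the same check (one RETURN per fixed IP followed by an unconditional DROP) that admits both fixed IPs and still drops a spoofed source. The allow-list form is one way to express the check, not a claim about what the project chose; the IP addresses and the spoofed 10.0.62.99 are constructed sample data.

```python
"""Simulate the anti-spoofing output chain from the post.

Added example, not Neutron/Quantum or iptables code: a minimal chain
evaluator that only understands source-IP matching, negation, DROP and
RETURN, which is enough to show why two negated per-IP DROP rules shadow
each other and how an allow-list avoids it.
"""

from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Rule:
    target: str                 # "DROP" or "RETURN"
    src: Optional[str] = None   # source IP to match; None matches any source
    negate: bool = False        # True models "! <src>" in iptables -L output

    def matches(self, src_ip: str) -> bool:
        """True if a packet from src_ip hits this rule."""
        if self.src is None:
            return True
        hit = ip_address(src_ip) == ip_address(self.src)
        return (not hit) if self.negate else hit


def verdict(chain: List[Rule], src_ip: str) -> str:
    """Walk the chain in order; the first matching rule decides (iptables semantics).

    Falling off the end of a user-defined chain returns to the caller, so the
    packet is treated as passed through this chain ("RETURN").
    """
    for rule in chain:
        if rule.matches(src_ip):
            return rule.target
    return "RETURN"


def evaluate(chain: List[Rule], sources: Iterable[str]) -> Dict[str, str]:
    """Verdict for each source IP, keyed by IP."""
    return {ip: verdict(chain, ip) for ip in sources}


# Rules 3 and 4 from the post's listing (constructed to mirror it): each rule
# drops everything NOT from one fixed IP, so each IP is dropped by the other's rule.
GENERATED_CHAIN: List[Rule] = [
    Rule("DROP", src="10.0.62.20", negate=True),
    Rule("DROP", src="10.0.62.22", negate=True),
]


def allow_list_chain(fixed_ips: Iterable[str]) -> List[Rule]:
    """Anti-spoofing as an allow-list: RETURN for each permitted source, then DROP.

    Assumption for this illustration: RETURN hands the packet back to the
    parent chain so the remaining security-group rules still apply to it.
    """
    return [Rule("RETURN", src=ip) for ip in fixed_ips] + [Rule("DROP")]


FIXED_IPS = ["10.0.62.20", "10.0.62.22"]        # the port's two fixed IPs
SPOOFED = "10.0.62.99"                           # constructed: not assigned to the port
PROBE = FIXED_IPS + [SPOOFED]


def reachable(chain: List[Rule], sources: Iterable[str]) -> List[str]:
    """Sources the chain lets through (verdict RETURN), in input order."""
    return [ip for ip in sources if verdict(chain, ip) == "RETURN"]


if __name__ == "__main__":
    print("generated chain :", evaluate(GENERATED_CHAIN, PROBE))
    # What the post did by hand: deleting rule 4 leaves only the first IP working.
    print("rule 4 deleted  :", evaluate(GENERATED_CHAIN[:1], PROBE))
    print("allow-list chain:", evaluate(allow_list_chain(FIXED_IPS), PROBE))
```

Running it shows the generated chain dropping both 10.0.62.20 and 10.0.62.22 (the "cut off all outbound access" symptom), deleting one rule restoring exactly one IP (the symptom after each `iptables -D`), and the allow-list chain passing both fixed IPs while still dropping 10.0.62.99.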