<div dir="ltr"><div>Ah!  I CAN ping and ssh to a Cirros instance on the Public net.  So this may just be a permissions issue or something.  hmmm.  Wonder why I can't ping the router.<br><br><br>[root@maersk src]# ssh root@172.22.10.12<br>The authenticity of host '172.22.10.12 (172.22.10.12)' can't be established.<br>RSA key fingerprint is 6f:90:ef:16:20:5a:b6:81:33:c1:9e:ba:2b:47:cd:73.<br>Are you sure you want to continue connecting (yes/no)? yes<br>Warning: Permanently added '172.22.10.12' (RSA) to the list of known hosts.<br>Please login as 'cirros' user, not as root<br><br>^CConnection to 172.22.10.12 closed.<br>[root@maersk src]# ping 172.22.10.12<br>PING 172.22.10.12 (172.22.10.12) 56(84) bytes of data.<br>64 bytes from 172.22.10.12: icmp_seq=1 ttl=64 time=0.081 ms<br>64 bytes from 172.22.10.12: icmp_seq=2 ttl=64 time=0.097 ms<br>64 bytes from 172.22.10.12: icmp_seq=3 ttl=64 time=0.115 ms<br>64 bytes from 172.22.10.12: icmp_seq=4 ttl=64 time=0.096 ms<br><br></div>AND  :-)   <br><br>[root@maersk src]# ssh cirros@172.22.10.12<br>$ ping google.com  <br>PING google.com (216.58.216.14): 56 data bytes<br>64 bytes from 216.58.216.14: seq=0 ttl=54 time=34.185 ms<br>64 bytes from 216.58.216.14: seq=1 ttl=54 time=32.834 ms<br>64 bytes from 216.58.216.14: seq=2 ttl=54 time=32.875 ms<br>^C<br>--- google.com ping statistics ---<br>3 packets transmitted, 3 packets received, 0% packet loss<br>round-trip min/avg/max = 32.834/33.298/34.185 ms<br>$ whoami  <br>cirros<br>$ ifconfig<br>eth0      Link encap:Ethernet  HWaddr FA:16:3E:F1:BE:6F  <br>          inet 
addr:172.22.10.12  Bcast:172.22.10.255  Mask:255.255.255.0<br>          inet6 addr: fe80::f816:3eff:fef1:be6f/64 Scope:Link<br>          UP BROADCAST RUNNING MULTICAST  MTU:1450  Metric:1<br>          RX packets:860 errors:0 dropped:0 overruns:0 frame:0<br>          TX packets:254 errors:0 dropped:0 overruns:0 carrier:0<br>          collisions:0 txqueuelen:1000 <br>          RX bytes:73360 (71.6 KiB)  TX bytes:28415 (27.7 KiB)<br><br><br><br><br></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div><div>- Christopher T. Hull<br></div><div>333 Orchard Ave, Sunnyvale CA. 94085<br>(415) 385 4865<br></div><div><a href="mailto:chrishull42@gmail.com" target="_blank">chrishull42@gmail.com</a><br></div><a href="http://chrishull.com" target="_blank">http://chrishull.com</a><br><br></div></div><div><div><br></div></div></div></div></div></div></div>
<br><div class="gmail_quote">On Wed, Mar 9, 2016 at 9:06 AM, Christopher Hull <span dir="ltr"><<a href="mailto:chrishull42@gmail.com" target="_blank">chrishull42@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div><div><div><span style="font-family:monospace,monospace"><font size="1"><br></font></span></div><span style="font-family:monospace,monospace"><font size="1">Hi all;<br></font></span></div><span style="font-family:monospace,monospace"><font size="1">Following the Neutron (Network Option 2 setup) instructions in Liberty.  I can't ping my demo router.  However, I do recall there are new security constraints that might prevent this in Liberty.   Do I need to somehow allow ICMP?   <br><br></font></span></div><span style="font-family:monospace,monospace"><font size="1">Here's what I did.<br><br><br><br>===========================================<br>Create virtual networks<br><a href="http://docs.openstack.org/liberty/install-guide-rdo/launch-instance.html#create-virtual-networks" target="_blank">http://docs.openstack.org/liberty/install-guide-rdo/launch-instance.html#create-virtual-networks</a><br><br>===========================================<br>Create Public Provider Network<br><br><a href="http://docs.openstack.org/liberty/install-guide-rdo/launch-instance-networks-public.html" target="_blank">http://docs.openstack.org/liberty/install-guide-rdo/launch-instance-networks-public.html</a><br><br><br>[root@maersk src]# source admin-openrc.sh <br>[root@maersk src]# neutron net-create public --shared --provider:physical_network public \<br>>   --provider:network_type flat<br>Created a new network:<br>+---------------------------+--------------------------------------+<br>| Field                     | Value                                |<br>+---------------------------+--------------------------------------+<br>| admin_state_up            | True               
                  |<br>| id                        | be6e920a-51aa-4293-bb95-7ac38aab9df6 |<br>| mtu                       | 0                                    |<br>| name                      | public                               |<br>| port_security_enabled     | True                                 |<br>| provider:network_type     | flat                                 |<br>| provider:physical_network | public                               |<br>| provider:segmentation_id  |                                      |<br>| router:external           | False                                |<br>| shared                    | True                                 |<br>| status                    | ACTIVE                               |<br>| subnets                   |                                      |<br>| tenant_id                 | fdf3f98a9b0c4e9e94603d8a84ea41a8     |<br>+---------------------------+--------------------------------------+<br>[root@maersk src]# <br><br><br><br><br>--- Create a subnet on the network:<br><br>Replace START_IP_ADDRESS and END_IP_ADDRESS with the first and last IP address of the range within <br>the subnet that you want to allocate for instances. 
This range must not include any <br>existing active IP addresses.<br><br>Example<br>neutron subnet-create public 203.0.113.0/24 --name public \<br>  --allocation-pool start=203.0.113.101,end=203.0.113.200 \<br>  --dns-nameserver 8.8.4.4 --gateway 203.0.113.1  <br>  <br>[root@maersk src]# cat /etc/resolv.conf <br>; generated by /usr/sbin/dhclient-script<br>search attlocal.net<br>nameserver 172.22.10.254<br><br>cat ifcfg-enp3s0<br>GATEWAY=172.22.10.254<br>DNS1=172.22.10.254<br><br>neutron subnet-create public 172.22.10.0/24 --name public \<br>   --allocation-pool start=172.22.10.10,end=172.22.10.90 \<br>   --dns-nameserver 172.22.10.254 --gateway 172.22.10.254<br>   <br>Created a new subnet:<br>+-------------------+--------------------------------------------------+<br>| Field             | Value                                            |<br>+-------------------+--------------------------------------------------+<br>| allocation_pools  | {"start": "172.22.10.10", "end": "172.22.10.90"} |<br>| cidr              | 172.22.10.0/24                                   |<br>| dns_nameservers   | 172.22.10.254                                    |<br>| enable_dhcp       | True                                             |<br>| gateway_ip        | 172.22.10.254                                    |<br>| host_routes       |                                                  |<br>| id                | f227734a-eca3-4472-81f6-620e1bf1fac9             |<br>| ip_version        | 4                                                |<br>| ipv6_address_mode |                                                  |<br>| ipv6_ra_mode      |                                                  |<br>| name              | public                                           |<br>| network_id        | 
be6e920a-51aa-4293-bb95-7ac38aab9df6             |<br>| subnetpool_id     |                                                  |<br>| tenant_id         | fdf3f98a9b0c4e9e94603d8a84ea41a8                 |<br>+-------------------+--------------------------------------------------+<br><br>===========================================<br>Create the private project network<br><a href="http://docs.openstack.org/liberty/install-guide-rdo/launch-instance-networks-private.html" target="_blank">http://docs.openstack.org/liberty/install-guide-rdo/launch-instance-networks-private.html</a><br>  <br><br>source demo-openrc.sh<br><br>neutron net-create private<br>Created a new network:<br>+-----------------------+--------------------------------------+<br>| Field                 | Value                                |<br>+-----------------------+--------------------------------------+<br>| admin_state_up        | True                                 |<br>| id                    | 28ca326a-8443-4c1c-b288-48920a1eefbe |<br>| mtu                   | 0                                    |<br>| name                  | private                              |<br>| port_security_enabled | True                                 |<br>| router:external       | False                                |<br>| shared                | False                                |<br>| status                | ACTIVE                               |<br>| subnets               |                                      |<br>| tenant_id             | 7813be77b1de4196b1c6b77006afa21c     |<br>+-----------------------+--------------------------------------+<br>[root@maersk src]# neutron subnet-create private 192.168.10.0/24 \<br>>     --name private --dns-nameserver 172.22.10.254 --gateway 192.168.10.1<br>Created a new subnet:<br>+-------------------+----------------------------------------------------+<br>| Field             | Value                                      
        |<br>+-------------------+----------------------------------------------------+<br>| allocation_pools  | {"start": "192.168.10.2", "end": "192.168.10.254"} |<br>| cidr              | 192.168.10.0/24                                    |<br>| dns_nameservers   | 172.22.10.254                                      |<br>| enable_dhcp       | True                                               |<br>| gateway_ip        | 192.168.10.1                                       |<br>| host_routes       |                                                    |<br>| id                | eb5550e2-4de5-4ca5-9d7e-9d6ffe86ce92               |<br>| ip_version        | 4                                                  |<br>| ipv6_address_mode |                                                    |<br>| ipv6_ra_mode      |                                                    |<br>| name              | private                                            |<br>| network_id        | 28ca326a-8443-4c1c-b288-48920a1eefbe               |<br>| subnetpool_id     |                                                    |<br>| tenant_id         | 7813be77b1de4196b1c6b77006afa21c                   |<br>+-------------------+----------------------------------------------------+<br><br><br><br><br><br><br>====<br>Create a router<br>====<br><br>Private project networks connect to public provider networks using a virtual router. 
<br>Each router contains an interface to at least one private project network and a gateway <br>on a public provider network.<br><br>source admin<br><br>  <br>[root@maersk src]# source admin-openrc.sh <br>[root@maersk src]# neutron net-update public --router:external  <br>Updated network: public<br>[root@maersk src]# source demo-openrc.sh <br>[root@maersk src]# neutron router-create router<br>Created a new router:<br>+-----------------------+--------------------------------------+<br>| Field                 | Value                                |<br>+-----------------------+--------------------------------------+<br>| admin_state_up        | True                                 |<br>| external_gateway_info |                                      |<br>| id                    | 52ca91cb-df23-4593-bb95-ea9f1fc33e99 |<br>| name                  | router                               |<br>| routes                |                                      |<br>| status                | ACTIVE                               |<br>| tenant_id             | 7813be77b1de4196b1c6b77006afa21c     |<br>+-----------------------+--------------------------------------+<br>[root@maersk src]# neutron router-interface-add router private<br>Added interface 5b25c4df-0c83-4ef2-bed6-6e854cf66af6 to router router.<br>[root@maersk src]# neutron router-gateway-set router public<br>Set gateway for router router<br>[root@maersk src]# source admin-openrc.sh<br>[root@maersk src]# ip netns<br>qrouter-52ca91cb-df23-4593-bb95-ea9f1fc33e99 (id: 2)<br>qdhcp-28ca326a-8443-4c1c-b288-48920a1eefbe (id: 1)<br>qdhcp-be6e920a-51aa-4293-bb95-7ac38aab9df6 (id: 0)<br>[root@maersk src]# neutron router-port-list router<br>+--------------------------------------+------+-------------------+-------------------------------------------------------------------------------------+<br>| id                                   | name | mac_address       | fixed_ips                                                                   
        |<br>+--------------------------------------+------+-------------------+-------------------------------------------------------------------------------------+<br>| 5b25c4df-0c83-4ef2-bed6-6e854cf66af6 |      | fa:16:3e:d5:62:14 | {"subnet_id": "eb5550e2-4de5-4ca5-9d7e-9d6ffe86ce92", "ip_address": "192.168.10.1"} |<br>| d1dfcc09-9da6-4366-8080-c73d48286036 |      | fa:16:3e:b7:d2:22 | {"subnet_id": "f227734a-eca3-4472-81f6-620e1bf1fac9", "ip_address": "172.22.10.11"} |<br>+--------------------------------------+------+-------------------+-------------------------------------------------------------------------------------+<br>[root@maersk src]# ping -c 4 172.22.10.11<br>PING 172.22.10.11 (172.22.10.11) 56(84) bytes of data.<br>From 172.22.10.99 icmp_seq=1 Destination Host Unreachable<br>From 172.22.10.99 icmp_seq=2 Destination Host Unreachable<br>From 172.22.10.99 icmp_seq=3 Destination Host Unreachable<br>From 172.22.10.99 icmp_seq=4 Destination Host Unreachable<br><br>--- 172.22.10.11 ping statistics ---<br>4 packets transmitted, 0 received, +4 errors, 100% packet loss, time 2999ms<br>pipe 4<br>[root@maersk src]# <br><br><br><br></font></span></div><span style="font-family:monospace,monospace"><font size="1">===== Config info.<br><br>I set LinuxBridgeAgent.ini  linux_bridge physical_interface_mappings to public:enp3s0  as this is what shows up for "eth0" when I ifconfig.   
Is this correct?<br><br><br>[root@maersk src]# ./pluto.py show  -p /etc  ml2_conf.ini l3_agent.ini plugin.ini   linuxbridge_agent.ini  <br>+-------------------+----------------------+--------------------------+<br>| ml2_conf: Section | Key                  | Value                    |<br>+-------------------+----------------------+--------------------------+<br>| ml2               | extension_drivers    | port_security            |<br>| ml2               | mechanism_drivers    | linuxbridge,l2population |<br>| ml2               | tenant_network_types | vxlan                    |<br>| ml2               | type_drivers         | flat,vlan,vxlan          |<br>| ml2_type_flat     | flat_networks        | public                   |<br>| ml2_type_vxlan    | vni_ranges           | 1:1000                   |<br>| securitygroup     | enable_ipset         | True                     |<br>+-------------------+----------------------+--------------------------+<br>+-------------------+--------------------------+-----------------------------------------------------+<br>| l3_agent: Section | Key                      | Value                                               |<br>+-------------------+--------------------------+-----------------------------------------------------+<br>| DEFAULT           | external_network_bridge  |                                                     |<br>| DEFAULT           | verbose                  | True                                                |<br>| DEFAULT           | interface_driver         | neutron.agent.linux.interface.BridgeInterfaceDriver |<br>+-------------------+--------------------------+-----------------------------------------------------+<br>+-----------------+----------------------+--------------------------+<br>| plugin: Section | Key                  | Value                    |<br>+-----------------+----------------------+--------------------------+<br>| ml2             | extension_drivers    | port_security            |<br>| 
ml2             | mechanism_drivers    | linuxbridge,l2population |<br>| ml2             | tenant_network_types | vxlan                    |<br>| ml2             | type_drivers         | flat,vlan,vxlan          |<br>| ml2_type_flat   | flat_networks        | public                   |<br>| ml2_type_vxlan  | vni_ranges           | 1:1000                   |<br>| securitygroup   | enable_ipset         | True                     |<br>+-----------------+----------------------+--------------------------+<br>+----------------------------+-----------------------------+--------------------------------------------------------------+<br>| linuxbridge_agent: Section | Key                         | Value                                                        |<br>+----------------------------+-----------------------------+--------------------------------------------------------------+<br>| linux_bridge               | physical_interface_mappings | public:enp3s0                                                |<br>| vxlan                      | l2_population               | True                                                         |<br>| vxlan                      | local_ip                    | 172.22.10.99                                                 |<br>| vxlan                      | enable_vxlan                | True                                                         |<br>| agent                      | prevent_arp_spoofing        | True                                                         |<br>| securitygroup              | firewall_driver             | neutron.agent.linux.iptables_firewall.IptablesFirewallDriver |<br>| securitygroup              | enable_security_group       | True                                                         |<br>+----------------------------+-----------------------------+--------------------------------------------------------------+<br><br><br></font></span><div><div><div><div><span style="font-family:monospace,monospace"><font 
size="1"><br clear="all"></font></span>
</div></div></div></div></div>
</blockquote></div><br></div>