<div dir="ltr"><div>Ah! I CAN ping and ssh to a Cirros instance on the Public net. So this may just be a permissions issue or something. hmmm. Wonder why I can't ping the router.<br><br><br>[root@maersk src]# ssh <a href="mailto:root@172.22.10.12">root@172.22.10.12</a><br>The authenticity of host '172.22.10.12 (172.22.10.12)' can't be established.<br>RSA key fingerprint is 6f:90:ef:16:20:5a:b6:81:33:c1:9e:ba:2b:47:cd:73.<br>Are you sure you want to continue connecting (yes/no)? yes<br>Warning: Permanently added '172.22.10.12' (RSA) to the list of known hosts.<br>Please login as 'cirros' user, not as root<br><br>^CConnection to 172.22.10.12 closed.<br>[root@maersk src]# ping 172.22.10.12<br>PING 172.22.10.12 (172.22.10.12) 56(84) bytes of data.<br>64 bytes from <a href="http://172.22.10.12">172.22.10.12</a>: icmp_seq=1 ttl=64 time=0.081 ms<br>64 bytes from <a href="http://172.22.10.12">172.22.10.12</a>: icmp_seq=2 ttl=64 time=0.097 ms<br>64 bytes from <a href="http://172.22.10.12">172.22.10.12</a>: icmp_seq=3 ttl=64 time=0.115 ms<br>64 bytes from <a href="http://172.22.10.12">172.22.10.12</a>: icmp_seq=4 ttl=64 time=0.096 ms<br><br></div>AND :-) <br><br>[root@maersk src]# ssh <a href="mailto:cirros@172.22.10.12">cirros@172.22.10.12</a><br>$ ping <a href="http://google.com">google.com</a> <br>PING <a href="http://google.com">google.com</a> (216.58.216.14): 56 data bytes<br>64 bytes from <a href="http://216.58.216.14">216.58.216.14</a>: seq=0 ttl=54 time=34.185 ms<br>64 bytes from <a href="http://216.58.216.14">216.58.216.14</a>: seq=1 ttl=54 time=32.834 ms<br>64 bytes from <a href="http://216.58.216.14">216.58.216.14</a>: seq=2 ttl=54 time=32.875 ms<br>^C<br>--- <a href="http://google.com">google.com</a> ping statistics ---<br>3 packets transmitted, 3 packets received, 0% packet loss<br>round-trip min/avg/max = 32.834/33.298/34.185 ms<br>$ whoami <br>cirros<br>$ ifconfig<br>eth0 Link encap:Ethernet HWaddr FA:16:3E:F1:BE:6F <br> inet addr:172.22.10.12 Bcast:172.22.10.255 Mask:255.255.255.0<br> inet6 addr: fe80::f816:3eff:fef1:be6f/64 Scope:Link<br> UP BROADCAST RUNNING MULTICAST MTU:1450 Metric:1<br> RX packets:860 errors:0 dropped:0 overruns:0 frame:0<br> TX packets:254 errors:0 dropped:0 overruns:0 carrier:0<br> collisions:0 txqueuelen:1000 <br> RX bytes:73360 (71.6 KiB) TX bytes:28415 (27.7 KiB)<br><br><br><br><br></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div><div>- Christopher T. Hull<br></div><div>333 Orchard Ave, Sunnyvale CA. 94085<br>(415) 385 4865<br></div><div><a href="mailto:chrishull42@gmail.com" target="_blank">chrishull42@gmail.com</a><br></div><a href="http://chrishull.com" target="_blank">http://chrishull.com</a><br><br></div></div><div><div><br></div></div></div></div></div></div></div>
<br><div class="gmail_quote">On Wed, Mar 9, 2016 at 9:06 AM, Christopher Hull <span dir="ltr"><<a href="mailto:chrishull42@gmail.com" target="_blank">chrishull42@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div><div><div><span style="font-family:monospace,monospace"><font size="1"><br></font></span></div><span style="font-family:monospace,monospace"><font size="1">Hi all;<br></font></span></div><span style="font-family:monospace,monospace"><font size="1">Following the Neutron (Network Option 2 setup) instructions in Liberty. I can't ping my demo router. However, I do recall there are new security constraints that might prevent this in Liberty. Do I need to somehow allow ICMP? <br><br></font></span></div><span style="font-family:monospace,monospace"><font size="1">Here's what I did.<br><br><br><br>===========================================<br>Create virtual networks<br><a href="http://docs.openstack.org/liberty/install-guide-rdo/launch-instance.html#create-virtual-networks" target="_blank">http://docs.openstack.org/liberty/install-guide-rdo/launch-instance.html#create-virtual-networks</a><br><br>===========================================<br>Create Public Provider Network<br><br><a href="http://docs.openstack.org/liberty/install-guide-rdo/launch-instance-networks-public.html" target="_blank">http://docs.openstack.org/liberty/install-guide-rdo/launch-instance-networks-public.html</a><br><br><br>[root@maersk src]# source admin-openrc.sh <br>[root@maersk src]# neutron net-create public --shared --provider:physical_network public \<br>> --provider:network_type flat<br>Created a new network:<br>+---------------------------+--------------------------------------+<br>| Field | Value |<br>+---------------------------+--------------------------------------+<br>| admin_state_up | True |<br>| id | be6e920a-51aa-4293-bb95-7ac38aab9df6 |<br>| mtu | 0 |<br>| name | public |<br>| port_security_enabled | True |<br>| provider:network_type | flat |<br>| provider:physical_network | public |<br>| provider:segmentation_id | |<br>| router:external | False |<br>| shared | True |<br>| status | ACTIVE |<br>| subnets | |<br>| tenant_id | fdf3f98a9b0c4e9e94603d8a84ea41a8 |<br>+---------------------------+--------------------------------------+<br>[root@maersk src]# <br><br><br><br><br>--- Create a subnet on the network:<br><br>Replace START_IP_ADDRESS and END_IP_ADDRESS with the first and last IP address of the range within <br>the subnet that you want to allocate for instances. This range must not include any <br>existing active IP addresses.<br><br>Example<br>neutron subnet-create public <a href="http://203.0.113.0/24" target="_blank">203.0.113.0/24</a> --name public \<br> --allocation-pool start=203.0.113.101,end=203.0.113.200 \<br> --dns-nameserver 8.8.4.4 --gateway 203.0.113.1 <br> <br>[root@maersk src]# cat /etc/resolv.conf <br>; generated by /usr/sbin/dhclient-script<br>search <a href="http://attlocal.net" target="_blank">attlocal.net</a><br>nameserver 172.22.10.254<br><br>cat ifcfg-enp3s0<br>GATEWAY=172.22.10.254<br>DNS1=172.22.10.254<br><br>neutron subnet-create public <a href="http://172.22.10.0/24" target="_blank">172.22.10.0/24</a> --name public \<br> --allocation-pool start=172.22.10.10,end=172.22.10.90 \<br> --dns-nameserver 172.22.10.254 --gateway 172.22.10.254<br> <br>Created a new subnet:<br>+-------------------+--------------------------------------------------+<br>| Field | Value |<br>+-------------------+--------------------------------------------------+<br>| allocation_pools | {"start": "172.22.10.10", "end": "172.22.10.90"} |<br>| cidr | <a href="http://172.22.10.0/24" target="_blank">172.22.10.0/24</a> |<br>| dns_nameservers | 172.22.10.254 |<br>| enable_dhcp | True |<br>| gateway_ip | 172.22.10.254 |<br>| host_routes | |<br>| id | f227734a-eca3-4472-81f6-620e1bf1fac9 |<br>| ip_version | 4 |<br>| ipv6_address_mode | |<br>| ipv6_ra_mode | |<br>| name | public |<br>| network_id | be6e920a-51aa-4293-bb95-7ac38aab9df6 |<br>| subnetpool_id | |<br>| tenant_id | fdf3f98a9b0c4e9e94603d8a84ea41a8 |<br>+-------------------+--------------------------------------------------+<br><br>===========================================<br>Create the private project network<br><a href="http://docs.openstack.org/liberty/install-guide-rdo/launch-instance-networks-private.html" target="_blank">http://docs.openstack.org/liberty/install-guide-rdo/launch-instance-networks-private.html</a><br> <br><br>source demo-openrc.sh<br><br>neutron net-create private<br>Created a new network:<br>+-----------------------+--------------------------------------+<br>| Field | Value |<br>+-----------------------+--------------------------------------+<br>| admin_state_up | True |<br>| id | 28ca326a-8443-4c1c-b288-48920a1eefbe |<br>| mtu | 0 |<br>| name | private |<br>| port_security_enabled | True |<br>| router:external | False |<br>| shared | False |<br>| status | ACTIVE |<br>| subnets | |<br>| tenant_id | 7813be77b1de4196b1c6b77006afa21c |<br>+-----------------------+--------------------------------------+<br>[root@maersk src]# neutron subnet-create private <a href="http://192.168.10.0/24" target="_blank">192.168.10.0/24</a> \<br>> --name private --dns-nameserver 172.22.10.254 --gateway 192.168.10.1<br>Created a new subnet:<br>+-------------------+----------------------------------------------------+<br>| Field | Value |<br>+-------------------+----------------------------------------------------+<br>| allocation_pools | {"start": "192.168.10.2", "end": "192.168.10.254"} |<br>| cidr | <a href="http://192.168.10.0/24" target="_blank">192.168.10.0/24</a> |<br>| dns_nameservers | 172.22.10.254 |<br>| enable_dhcp | True |<br>| gateway_ip | 192.168.10.1 |<br>| host_routes | |<br>| id | eb5550e2-4de5-4ca5-9d7e-9d6ffe86ce92 |<br>| ip_version | 4 |<br>| ipv6_address_mode | |<br>| ipv6_ra_mode | |<br>| name | private |<br>| network_id | 28ca326a-8443-4c1c-b288-48920a1eefbe |<br>| subnetpool_id | |<br>| tenant_id | 7813be77b1de4196b1c6b77006afa21c |<br>+-------------------+----------------------------------------------------+<br><br><br><br><br><br><br>====<br>Create a router<br>====<br><br>Private project networks connect to public provider networks using a virtual router. <br>Each router contains an interface to at least one private project network and a gateway <br>on a public provider network.<br><br>source admin<br><br> <br>[root@maersk src]# source admin-openrc.sh <br>[root@maersk src]# neutron net-update public --router:external <br>Updated network: public<br>[root@maersk src]# source demo-openrc.sh <br>[root@maersk src]# neutron router-create router<br>Created a new router:<br>+-----------------------+--------------------------------------+<br>| Field | Value |<br>+-----------------------+--------------------------------------+<br>| admin_state_up | True |<br>| external_gateway_info | |<br>| id | 52ca91cb-df23-4593-bb95-ea9f1fc33e99 |<br>| name | router |<br>| routes | |<br>| status | ACTIVE |<br>| tenant_id | 7813be77b1de4196b1c6b77006afa21c |<br>+-----------------------+--------------------------------------+<br>[root@maersk src]# neutron router-interface-add router private<br>Added interface 5b25c4df-0c83-4ef2-bed6-6e854cf66af6 to router router.<br>[root@maersk src]# neutron router-gateway-set router public<br>Set gateway for router router<br>[root@maersk src]# source admin-openrc.sh<br>[root@maersk src]# ip netns<br>qrouter-52ca91cb-df23-4593-bb95-ea9f1fc33e99 (id: 2)<br>qdhcp-28ca326a-8443-4c1c-b288-48920a1eefbe (id: 1)<br>qdhcp-be6e920a-51aa-4293-bb95-7ac38aab9df6 (id: 0)<br>[root@maersk src]# neutron router-port-list router<br>+--------------------------------------+------+-------------------+-------------------------------------------------------------------------------------+<br>| id | name | mac_address | fixed_ips |<br>+--------------------------------------+------+-------------------+-------------------------------------------------------------------------------------+<br>| 5b25c4df-0c83-4ef2-bed6-6e854cf66af6 | | fa:16:3e:d5:62:14 | {"subnet_id": "eb5550e2-4de5-4ca5-9d7e-9d6ffe86ce92", "ip_address": "192.168.10.1"} |<br>| d1dfcc09-9da6-4366-8080-c73d48286036 | | fa:16:3e:b7:d2:22 | {"subnet_id": "f227734a-eca3-4472-81f6-620e1bf1fac9", "ip_address": "172.22.10.11"} |<br>+--------------------------------------+------+-------------------+-------------------------------------------------------------------------------------+<br>[root@maersk src]# ping -c 4 172.22.10.11<br>PING 172.22.10.11 (172.22.10.11) 56(84) bytes of data.<br>From 172.22.10.99 icmp_seq=1 Destination Host Unreachable<br>From 172.22.10.99 icmp_seq=2 Destination Host Unreachable<br>From 172.22.10.99 icmp_seq=3 Destination Host Unreachable<br>From 172.22.10.99 icmp_seq=4 Destination Host Unreachable<br><br>--- 172.22.10.11 ping statistics ---<br>4 packets transmitted, 0 received, +4 errors, 100% packet loss, time 2999ms<br>pipe 4<br>[root@maersk src]# <br><br><br><br></font></span></div><span style="font-family:monospace,monospace"><font size="1">===== Config info.<br><br>I set LinuxBridgeAgent.ini linux_bridge physical_interface_mappings to public:enp3s0 as this is what shows up for "eth0" when I ifconfig. Is this correct?<br><br><br>[root@maersk src]# ./pluto.py show -p /etc ml2_conf.ini l3_agent.ini plugin.ini linuxbridge_agent.ini <br>+-------------------+----------------------+--------------------------+<br>| ml2_conf: Section | Key | Value |<br>+-------------------+----------------------+--------------------------+<br>| ml2 | extension_drivers | port_security |<br>| ml2 | mechanism_drivers | linuxbridge,l2population |<br>| ml2 | tenant_network_types | vxlan |<br>| ml2 | type_drivers | flat,vlan,vxlan |<br>| ml2_type_flat | flat_networks | public |<br>| ml2_type_vxlan | vni_ranges | 1:1000 |<br>| securitygroup | enable_ipset | True |<br>+-------------------+----------------------+--------------------------+<br>+-------------------+--------------------------+-----------------------------------------------------+<br>| l3_agent: Section | Key | Value |<br>+-------------------+--------------------------+-----------------------------------------------------+<br>| DEFAULT | external_network_bridge | |<br>| DEFAULT | verbose | True |<br>| DEFAULT | interface_driver | neutron.agent.linux.interface.BridgeInterfaceDriver |<br>+-------------------+--------------------------+-----------------------------------------------------+<br>+-----------------+----------------------+--------------------------+<br>| plugin: Section | Key | Value |<br>+-----------------+----------------------+--------------------------+<br>| ml2 | extension_drivers | port_security |<br>| ml2 | mechanism_drivers | linuxbridge,l2population |<br>| ml2 | tenant_network_types | vxlan |<br>| ml2 | type_drivers | flat,vlan,vxlan |<br>| ml2_type_flat | flat_networks | public |<br>| ml2_type_vxlan | vni_ranges | 1:1000 |<br>| securitygroup | enable_ipset | True |<br>+-----------------+----------------------+--------------------------+<br>+----------------------------+-----------------------------+--------------------------------------------------------------+<br>| linuxbridge_agent: Section | Key | Value |<br>+----------------------------+-----------------------------+--------------------------------------------------------------+<br>| linux_bridge | physical_interface_mappings | public:enp3s0 |<br>| vxlan | l2_population | True |<br>| vxlan | local_ip | 172.22.10.99 |<br>| vxlan | enable_vxlan | True |<br>| agent | prevent_arp_spoofing | True |<br>| securitygroup | firewall_driver | neutron.agent.linux.iptables_firewall.IptablesFirewallDriver |<br>| securitygroup | enable_security_group | True |<br>+----------------------------+-----------------------------+--------------------------------------------------------------+<br><br><br></font></span><div><div><div><div><span style="font-family:monospace,monospace"><font size="1"><br><br><br><br><br><br><br><br><br><br><br><br><br clear="all"></font></span><div><div><div dir="ltr"><div><div dir="ltr"><div><div><div><span style="font-family:monospace,monospace"><font size="1">- Christopher T. Hull<br></font></span></div><div><span style="font-family:monospace,monospace"><font size="1">333 Orchard Ave, Sunnyvale CA. 94085<br><a href="tel:%28415%29%20385%204865" value="+14153854865" target="_blank">(415) 385 4865</a><br></font></span></div><div><span style="font-family:monospace,monospace"><font size="1"><a href="mailto:chrishull42@gmail.com" target="_blank">chrishull42@gmail.com</a><br></font></span></div><span style="font-family:monospace,monospace"><font size="1"><a href="http://chrishull.com" target="_blank">http://chrishull.com</a><br><br></font></span></div></div><div><div><span style="font-family:monospace,monospace"><font size="1"><br></font></span></div></div></div></div></div></div></div>
</div></div></div></div></div>
</blockquote></div><br></div>