[Openstack] How to troubleshoot Security Group rules

Vimal Kumar vimal7370 at gmail.com
Sat Jan 21 14:49:16 UTC 2017


I am facing a mysterious situation. I am using LinuxBridge (ML2) on
OpenStack Newton all-in-one. I set up tcpdump on the tap device used by the
instance and then attach a floating ip from web UI. I see traffic flowing
for a few seconds after which there is no further traffic in/out of this
tap device. During the first few seconds, I am able to ssh into the
instance using the public ip. After 5-7 seconds, no connection could be
established from the Internet. However I am still able to ssh into the
instance if I execute ssh w.r.t the corresponding network namespace, like:

# ip netns exec <NETNS> ssh cirros@<PUBLIC_IP>

Why is this happening? I do not see any specific errors in neutron logs
even with debug on.

Attaching the relevant configs below.



# grep -Ev '^#|^$' /etc/nova/nova.conf
[DEFAULT]
auth_strategy = keystone
disk_allocation_ratio=10.0
my_ip = <PUBLIC_IP>
use_neutron = True
enabled_apis = osapi_compute,metadata
firewall_driver = nova.virt.firewall.NoopFirewallDriver
transport_url = rabbit://openstack:55de10077d1f953e8329@openstack.mycloud.com
[api_database]
connection = mysql+pymysql://nova:9a55c0c04085248aa039@openstack.mycloud.com/nova_api
[barbican]
[cache]
[cells]
[cinder]
os_region_name = RegionOne
[cloudpipe]
[conductor]
[cors]
[cors.subdomain]
[crypto]
[database]
connection = mysql+pymysql://nova:9a55c0c04085248aa039@openstack.mycloud.com/nova
[ephemeral_storage_encryption]
[glance]
api_servers = http://openstack.mycloud.com:9292
[guestfs]
[hyperv]
[image_file_url]
[ironic]
[key_manager]
[keystone_authtoken]
auth_uri = http://openstack.mycloud.com:5000
auth_url = http://openstack.mycloud.com:35357
memcached_servers = openstack.mycloud.com:11211
auth_type = password
project_domain_name = Default
user_domain_name = Default
project_name = service
username = nova
password = 57227b66ed883b739e0b
[libvirt]
virt_type=kvm
[matchmaker_redis]
[metrics]
[mks]
[neutron]
url = http://openstack.mycloud.com:9696
auth_url = http://openstack.mycloud.com:35357
auth_type = password
project_domain_name = Default
user_domain_name = Default
region_name = RegionOne
project_name = service
username = neutron
password = 8b229c60d8faf31da416
service_metadata_proxy = True
metadata_proxy_shared_secret = d37bee945996e7ed5100
[osapi_v21]
[oslo_concurrency]
lock_path=/var/lib/nova/tmp
[oslo_messaging_amqp]
[oslo_messaging_notifications]
[oslo_messaging_rabbit]
[oslo_messaging_zmq]
[oslo_middleware]
[oslo_policy]
[placement]
[placement_database]
[rdp]
[remote_debug]
[serial_console]
[spice]
[ssl]
[trusted_computing]
[upgrade_levels]
[vmware]
[vnc]
enabled=true
vncserver_listen = $my_ip
vncserver_proxyclient_address = $my_ip
novncproxy_base_url = http://openstack.mycloud.com:6080/vnc_auto.html
[workarounds]
[wsgi]
[xenserver]
[xvp]




# grep -Ev '^#|^$' /etc/neutron/l3_agent.ini
[DEFAULT]
interface_driver = neutron.agent.linux.interface.BridgeInterfaceDriver
debug = true
[AGENT]




# grep -Ev '^#|^$' /etc/neutron/dhcp_agent.ini
[DEFAULT]
interface_driver = neutron.agent.linux.interface.BridgeInterfaceDriver
dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq
enable_isolated_metadata = True
[AGENT]




# grep -Ev '^#|^$' /etc/neutron/metadata_agent.ini
[DEFAULT]
nova_metadata_ip = openstack.mycloud.com
metadata_proxy_shared_secret = d37bee945996e7ed5100
[AGENT]
[cache]




# grep -Ev '^#|^$' /etc/neutron/neutron.conf
[DEFAULT]
auth_strategy = keystone
core_plugin = ml2
service_plugins = router
allow_overlapping_ips = True
notify_nova_on_port_status_changes = true
notify_nova_on_port_data_changes = true
debug = true
transport_url = rabbit://openstack:55de10077d1f953e8329@openstack.mycloud.com
[agent]
[cors]
[cors.subdomain]
[database]
connection = mysql+pymysql://neutron:60f65e693265e449983b@openstack.mycloud.com/neutron
[keystone_authtoken]
auth_uri = http://openstack.mycloud.com:5000
auth_url = http://openstack.mycloud.com:35357
memcached_servers = openstack.mycloud.com:11211
auth_type = password
project_domain_name = Default
user_domain_name = Default
project_name = service
username = neutron
password = 8b229c60d8faf31da416
[matchmaker_redis]
[nova]
auth_url = http://openstack.mycloud.com:35357
auth_type = password
project_domain_name = Default
user_domain_name = Default
region_name = RegionOne
project_name = service
username = nova
password = 57227b66ed883b739e0b
[oslo_concurrency]
lock_path = /var/lib/neutron/tmp
[oslo_messaging_amqp]
[oslo_messaging_notifications]
[oslo_messaging_rabbit]
[oslo_messaging_zmq]
[oslo_middleware]
[oslo_policy]
[qos]
[quotas]
[ssl]





# grep -Ev '^#|^$' /etc/neutron/plugin.ini
[DEFAULT]
debug = true
[ml2]
type_drivers = flat,vlan,vxlan
tenant_network_types = vxlan
mechanism_drivers = linuxbridge,l2population
extension_drivers = port_security
[ml2_type_flat]
flat_networks = provider
[ml2_type_geneve]
[ml2_type_gre]
[ml2_type_vlan]
[ml2_type_vxlan]
vni_ranges = 1:1000
[securitygroup]
enable_ipset = True




On Fri, Jan 20, 2017 at 2:49 PM, Vikash Kumar <vikash.kumar at oneconvergence.com> wrote:

> Checkout on the bridge connected to tap ports.
>
> On Thu, Jan 19, 2017 at 7:02 PM, Vimal Kumar <vimal7370 at gmail.com> wrote:
>
>> Hi,
>>
>> Are the rules implemented in the iptables of the node (I am running
>> all-in-one, LinuxBridge setup), or are they implemented in the iptables of a
>> separate network namespace?
>>
>> On Thu, Jan 19, 2017 at 1:27 PM, Melvin Hillsman <mrhillsman at gmail.com> wrote:
>>
>>> If you are running an all-in-one/single node deployment, your security
>>> groups are implemented via iptables on that node. If you had a multi-node
>>> setup, security group rules would show up on the compute hosts.
>>>
>>> On Thu, Jan 19, 2017 at 12:47 AM, Vimal Kumar <vimal7370 at gmail.com> wrote:
>>>
>>>> Hi!
>>>>
>>>> How can I troubleshoot issues related to security groups? It is
>>>> probably getting implemented via iptables but where? In the host iptables,
>>>> or inside network namespace, or inside instance itself? I am running a
>>>> single-node Newton.
>>>>
>>>> I am looking for a way to check whether the rules in my security group
>>>> are actually being implemented or not.
>>>>
>>>> Thank you!
>>>>
>>>> Regards,
>>>>
>>>> Vimal
>>>>
>>>> _______________________________________________
>>>> Mailing list: http://lists.openstack.org/cgi
>>>> -bin/mailman/listinfo/openstack
>>>> Post to     : openstack at lists.openstack.org
>>>> Unsubscribe : http://lists.openstack.org/cgi
>>>> -bin/mailman/listinfo/openstack
>>>>
>>>>
>>>
>>>
>>> --
>>> Kind regards,
>>>
>>> Melvin Hillsman
>>> Ops Technical Lead
>>> OpenStack Innovation Center
>>>
>>> mrhillsman at gmail.com
>>> phone: (210) 312-1267
>>> mobile: (210) 413-1659
>>> http://osic.org
>>>
>>> Learner | Ideation | Belief | Responsibility | Command
>>>
>>
>>
>>
>>
>
>
> --
> Regards,
> Vikash
>
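Melvin's answer above (on a LinuxBridge node the security groups are iptables rules on that node) and Vikash's (look at the bridge the tap ports hang off) can be turned into a concrete check. The script below is an added example; it is not from this thread and not Neutron's own code. It assumes the Newton ML2/LinuxBridge firewall driver's naming, which the thread does not spell out: the instance's tap device is "tap" plus the first 11 characters of the Neutron port id, the per-port chains are neutron-linuxbri-i/o/s plus the first 10 characters of the port id, and traffic is steered into them with "-m physdev --physdev-in/--physdev-out <tap> --physdev-is-bridged" matches. The iptables-save excerpt, port ids, ipset name, fixed IP and MAC inside it are all constructed.

```shell
#!/bin/sh
# Added example (not from the thread, not Neutron code): given iptables-save
# text from a LinuxBridge compute/all-in-one node, pull out the rules the ML2
# LinuxBridge firewall driver installed for one instance port, so you can see
# whether a security group is actually being enforced and which ipsets it uses.
# Assumptions about naming are stated in the lead-in above.

# Constructed iptables-save excerpt standing in for a real node. Port ids,
# the ipset name, the fixed IP and the MAC address are all made up.
SAMPLE_RULES='*filter
:neutron-linuxbri-FORWARD - [0:0]
:neutron-linuxbri-sg-chain - [0:0]
:neutron-linuxbri-sg-fallback - [0:0]
:neutron-linuxbri-i4f3c2a1b-9 - [0:0]
:neutron-linuxbri-o4f3c2a1b-9 - [0:0]
:neutron-linuxbri-s4f3c2a1b-9 - [0:0]
:neutron-linuxbri-id0e1f2a3b- - [0:0]
-A FORWARD -j neutron-linuxbri-FORWARD
-A neutron-linuxbri-FORWARD -m physdev --physdev-out tap4f3c2a1b-9c --physdev-is-bridged -j neutron-linuxbri-sg-chain
-A neutron-linuxbri-FORWARD -m physdev --physdev-in tap4f3c2a1b-9c --physdev-is-bridged -j neutron-linuxbri-sg-chain
-A neutron-linuxbri-FORWARD -m physdev --physdev-out tapd0e1f2a3b-4 --physdev-is-bridged -j neutron-linuxbri-sg-chain
-A neutron-linuxbri-sg-chain -m physdev --physdev-out tap4f3c2a1b-9c --physdev-is-bridged -j neutron-linuxbri-i4f3c2a1b-9
-A neutron-linuxbri-sg-chain -m physdev --physdev-in tap4f3c2a1b-9c --physdev-is-bridged -j neutron-linuxbri-o4f3c2a1b-9
-A neutron-linuxbri-sg-chain -m physdev --physdev-out tapd0e1f2a3b-4 --physdev-is-bridged -j neutron-linuxbri-id0e1f2a3b-
-A neutron-linuxbri-sg-chain -j ACCEPT
-A neutron-linuxbri-i4f3c2a1b-9 -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-linuxbri-i4f3c2a1b-9 -p tcp -m tcp --dport 22 -j RETURN
-A neutron-linuxbri-i4f3c2a1b-9 -m set --match-set NIPv4a1b2c3d4-e5f6-4a1b-9c2d-3 src -j RETURN
-A neutron-linuxbri-i4f3c2a1b-9 -m state --state INVALID -j DROP
-A neutron-linuxbri-i4f3c2a1b-9 -j neutron-linuxbri-sg-fallback
-A neutron-linuxbri-o4f3c2a1b-9 -j neutron-linuxbri-s4f3c2a1b-9
-A neutron-linuxbri-o4f3c2a1b-9 -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-linuxbri-o4f3c2a1b-9 -j RETURN
-A neutron-linuxbri-o4f3c2a1b-9 -m state --state INVALID -j DROP
-A neutron-linuxbri-o4f3c2a1b-9 -j neutron-linuxbri-sg-fallback
-A neutron-linuxbri-s4f3c2a1b-9 -s 10.0.0.5/32 -m mac --mac-source FA:16:3E:AA:BB:CC -j RETURN
-A neutron-linuxbri-s4f3c2a1b-9 -j DROP
-A neutron-linuxbri-id0e1f2a3b- -j neutron-linuxbri-sg-fallback
-A neutron-linuxbri-sg-fallback -j DROP
COMMIT'

# "tap4f3c2a1b-9c" -> "4f3c2a1b-9": the suffix the driver uses in chain names
# (assumed naming, see lead-in).
port_chain_suffix() {
    printf '%s' "${1#tap}" | cut -c1-10
}

# Rules in the iptables-save text $1 that mention tap device $2 directly
# (physdev steering) or any of its per-port i/o/s chains.
port_rules() {
    tap=$2
    sfx=$(port_chain_suffix "$tap")
    printf '%s\n' "$1" | grep -E -- "--physdev-(in|out) ${tap} |neutron-linuxbri-[ios]${sfx}( |$)"
}

# Number of -A rules port_rules found; 0 means nothing is installed for the port.
port_rule_count() {
    port_rules "$1" "$2" | grep -c -- '^-A' || true
}

# Succeeds only if both the ingress (i) and egress (o) chains for the port are
# declared; a missing chain means the agent's firewall driver never set it up.
port_chains_present() {
    sfx=$(port_chain_suffix "$2")
    printf '%s\n' "$1" | grep -q "^:neutron-linuxbri-i${sfx} " &&
        printf '%s\n' "$1" | grep -q "^:neutron-linuxbri-o${sfx} "
}

# Names of the ipsets the port's ingress chain references (remote-group rules
# when enable_ipset = True); inspect their members with "ipset list <name>".
port_ipsets() {
    sfx=$(port_chain_suffix "$2")
    printf '%s\n' "$1" | grep "^-A neutron-linuxbri-i${sfx} " |
        sed -n 's/.*--match-set \([^ ]*\) .*/\1/p' | sort -u
}

# With a tap name as argument and iptables-save available (root), inspect the
# live node; otherwise walk the constructed sample above.
if [ -n "${1:-}" ] && command -v iptables-save >/dev/null 2>&1; then
    RULES=$(iptables-save 2>/dev/null || true); TAP=$1
else
    RULES=$SAMPLE_RULES; TAP=tap4f3c2a1b-9c
fi
if port_chains_present "$RULES" "$TAP"; then
    echo "$TAP: $(port_rule_count "$RULES" "$TAP") rules installed"
    port_rules "$RULES" "$TAP"
    echo "ipsets referenced: $(port_ipsets "$RULES" "$TAP" | tr '\n' ' ')"
else
    echo "$TAP: no per-port security-group chains found"
fi
```

On a real node run it as root with the tap name from "brctl show" (or "bridge link"), then compare the live counters with "iptables -vnL neutron-linuxbri-i<suffix>" while repeating the tcpdump on the tap: a packet that reaches the tap but never bumps a counter in the per-port chain is not being seen by iptables at all. Because every rule here matches with --physdev-is-bridged, iptables only sees bridged frames when net.bridge.bridge-nf-call-iptables is 1 ("sysctl net.bridge.bridge-nf-call-iptables"), which is worth checking before reading anything into the security-group rules themselves.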