<div dir="ltr">Damnit, sent before reading.<div><br></div><div style>To delete the SNAT rule in the last part of my message, I'm running the following in root's crontab</div><div style>* * * * * /sbin/iptables -t nat --flush nova-network-snat<br>
</div><div style><br></div><div style>I'm going to dig into the python to stop it from setting it in the first place, but I haven't had the time yet. The rules get re-added every time you change the openstack config, by adding a virt, or editing any of the security groups etc. </div>
<div style><br></div><div style> -- joe.</div><div style><br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On 15 January 2013 16:44, Joe Warren-Meeks <span dir="ltr"><<a href="mailto:joe.warren.meeks@gmail.com" target="_blank">joe.warren.meeks@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Just as an addendum, now that I've got it working, it works really well!</div><div class="HOEnZb"><div class="h5">
<div class="gmail_extra"><br><br><div class="gmail_quote">On 15 January 2013 16:43, Joe Warren-Meeks <span dir="ltr"><<a href="mailto:joe.warren.meeks@gmail.com" target="_blank">joe.warren.meeks@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>Hey James,</div><div><br></div><div>I had exactly your requirement too, and it took me many weeks to get to a solution. Hopefully, you won't have to. I have installed and reinstalled it so, so many times. For a while I thought I'd lost the ability to *computer*. Feel free to contact me offlist if you need any other guidance, I'd be very happy to help.</div>
<div><br></div><div>Firstly, if you can use a different NIC for the bridges, I'd strongly recommend it.</div><div><br></div><div>You need to configure nova to work as multi_host, this will enable you to dish out your switch/router IP as the default route via dnsmasq. You also need to lightly hack linux_net.py so that this works.</div>
<div><br></div><div>You also need to slightly hack iptables to stop it SNATting your instances out.</div><div><br></div><div>Follow <a href="http://cssoss.files.wordpress.com/2012/05/openstackbookv3-0_csscorp2.pdf" target="_blank">http://cssoss.files.wordpress.com/2012/05/openstackbookv3-0_csscorp2.pdf</a> up to chapter 2.2.7.</div>
<div><br></div><div>Once you've installed all the Nova packages, stop them.</div><div><br></div><div>0. Linux stuff</div><div>^^^^^^^^^^^^^^</div><div>Before you start, apt-get install vlan and add 8021q to the end of /etc/modules</div>
<div>If you are using an unconfigured interface as the bridge device, add</div><div>/sbin/ifconfig ethX up</div><div>to /etc/rc.local</div><div><br></div><div>1. Linux net</div><div>^^^^^^^^^^^^</div><div>You need to copy the attached linux_net.py over /usr/share/pyshared/nova/network/linux_net.py</div>
<div>(Do a diff first, so you can see it isn't trojaned :-)</div><div><br></div><div>2. dnsmasq</div><div>^^^^^^^^^^</div><div>You need to tell dnsmasq to send out a different IP for your router</div><div>tailor the following and put it into /etc/dnsmasq-nova.conf</div>
<div><br></div><div>================</div><div>#</div><div># Set the default route for all networks to be the firewall</div><div>#</div><div>dhcp-option=tag:'production',option:router,10.0.31.1</div><div>dhcp-option=tag:'dmz',option:router,10.0.21.1</div>
<div>dhcp-option=tag:'development',option:router,10.0.41.1</div><div><br></div><div># devsupp</div><div>dhcp-host=fa:16:3e:66:05:c2,10.0.21.7</div><div>=================</div><div><br></div><div>You need to change the tag to match the network label you use when you set up the network later on.</div>
<div><br></div><div>3. nova.conf</div><div>^^^^^^^^^^^^</div><div>I've attached my nova.conf for you. I'll mark the bits you might need to change. Search for ### in there.</div><div><br></div><div>4. Continue with the install</div>
<div>^^^^^^^^^^^^^^^^^^^^^^^^^^^^</div><div>Restart all the Nova services as soon as you have done the 'nova-manage db sync'</div><div><br></div><div>5. Create networks</div><div>^^^^^^^^^^^^^^^^^^</div><div>nova-manage network create --label=production --fixed_range_v4=<a href="http://10.0.31.0/24" target="_blank">10.0.31.0/24</a> --vlan=31 --bridge_interface=eth3 --multi_host=T --project_id=79433bbfc2674bf9bff257a5e0f21581</div>
<div><br></div><div>The important bits are the label, which must match dnsmasq-nova.conf, the vlan, bridge interface and multi_host=T</div><div><br></div><div><br></div><div>So, now you should be done. However, Openstack will try to add in a SNAT rule to SNAT some outbound traffic. Vish suggested leaving --routing_source_ip= in nova.conf set to nothing, but that doesn't work, it throws an error when setting up the iptables rules.</div>
<div><br></div><div>Hope that helps!</div><span><font color="#888888"><div><br></div><div> -- joe.</div><div><br></div></font></span></div><div><div><div class="gmail_extra"><br><br>
<div class="gmail_quote">On 15 January 2013 14:31, Jay Pipes <span dir="ltr"><<a href="mailto:jaypipes@gmail.com" target="_blank">jaypipes@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div>On 01/15/2013 05:31 AM, James Condron wrote:<br>
> Jay, Guys,<br>
><br>
> The Vlan Manager stuff looks spot on for my needs but I am a tad confused.<br>
><br>
> (Perhaps Folsom addresses these; I'm just on a deadline to get a PoC running and I don't want to look like I've been wasting time building this).<br>
><br>
> Assuming I configure my vlan on my switch, set my switchport to trunk and use vlanmanager do Scenarios 6 and 7 extend out to hosts *not* on OpenStack/ not configured via OpenStack?<br>
><br>
> Would I be able to, say, connect from my PC vlan to one of the vlans configured via OpenStack? Would this also allow me to configure bridges on OpenStack to route via their own IPs and Vlans?<br>
<br>
</div>Not quite sure, actually. I'm certainly no networking guru, sorry :( I'd<br>
imagine you *could* do this, but it would take manually modifying<br>
iptables on the individual compute nodes -- which would mess with the<br>
nova-network controller on the compute nodes IIUC...<br>
<span><font color="#888888"><br>
-jay<br>
</font></span><div><div><br>
> Thanks,<br>
><br>
> James<br>
><br>
><br>
> On 14 Jan 2013, at 18:11, Jay Pipes <<a href="mailto:jaypipes@gmail.com" target="_blank">jaypipes@gmail.com</a>> wrote:<br>
><br>
>> I'd recommend Folsom over Essex :) And I'd highly recommend these<br>
>> articles from Mirantis which really step through the networking setup in<br>
>> VLANManager. Read through them in the following order and I promise at<br>
>> the end you will have a much better understanding of networking in Nova.<br>
>><br>
>> <a href="http://www.mirantis.com/blog/openstack-networking-flatmanager-and-flatdhcpmanager/" target="_blank">http://www.mirantis.com/blog/openstack-networking-flatmanager-and-flatdhcpmanager/</a><br>
>> <a href="http://www.mirantis.com/blog/openstack-networking-single-host-flatdhcpmanager/" target="_blank">http://www.mirantis.com/blog/openstack-networking-single-host-flatdhcpmanager/</a><br>
>> <a href="http://www.mirantis.com/blog/openstack-networking-vlanmanager/" target="_blank">http://www.mirantis.com/blog/openstack-networking-vlanmanager/</a><br>
>> <a href="http://www.mirantis.com/blog/vlanmanager-network-flow-analysis/" target="_blank">http://www.mirantis.com/blog/vlanmanager-network-flow-analysis/</a><br>
>><br>
>> All the best,<br>
>> -jay<br>
>><br>
>> On 01/14/2013 11:52 AM, James Condron wrote:<br>
>>> Hi all,<br>
>>><br>
>>> I've recently started playing with (and working with) OpenStack with a<br>
>>> view to migrate our production infrastructure from esx 4 to Essex.<br>
>>><br>
>>> My issue, or at least utter idiocy, is in the network configuration.<br>
>>> Basically I can't work out whether in the configuration of OpenStack I<br>
>>> have done something daft, on the network something daft or I've not<br>
>>> understood the technology properly.<br>
>>><br>
>>> *NB: *I can get to the outside world from my VMs; I don't want to<br>
>>> confuse things further.<br>
>>><br>
>>> As attached is a diagram I knocked up to hopefully make this simpler,<br>
>>> though I hope I can explain it simply with:<br>
>>><br>
>>> *************<br>
>>> *Given both public and private interfaces on my server being on the same<br>
>>> network and infrastructure how would one go about accessing VMs via<br>
>>> their internal IP and not have to worry about a VPN or Public IPs?*<br>
>>> *************<br>
>>><br>
>>> My corporate network works on simple vlans; I have a vlan for my<br>
>>> production boxen, one for development, one for PCs, telephony, etc. etc.<br>
>>> These are pretty standard.<br>
>>><br>
>>> The public, eth0 NIC on my compute node (Single node setup, nothing<br>
>>> overly fancy; pretty vanilla) is on my production vlan and everything is<br>
>>> accessible.<br>
>>> the second nic, eth1, is supposedly on a vlan for this specific purpose.<br>
>>><br>
>>> I am hoping to be able to access these internal IPs on their... Internal<br>
>>> IPs (For want of a better phrase). Is this possible? I'm reasonably<br>
>>> confident this isn't a routing issue as I can ping the eth1 IP from the<br>
>>> switch:<br>
>>><br>
>>> #ping 10.12.0.1<br>
>>><br>
>>> Type escape sequence to abort.<br>
>>> Sending 5, 100-byte ICMP Echos to 10.12.0.1, timeout is 2 seconds:<br>
>>> !!!!!<br>
>>> Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms<br>
>>><br>
>>> But none of the ones assigned to VMs:<br>
>>><br>
>>> #ping 10.12.0.4<br>
>>><br>
>>> Type escape sequence to abort.<br>
>>> Sending 5, 100-byte ICMP Echos to 10.12.0.4, timeout is 2 seconds:<br>
>>> .....<br>
>>> Success rate is 0 percent (0/5)<br>
>>><br>
>>> Or.... for those looking at the attached diagram: vlan101 is great and<br>
>>> works fine; what do I need to do (If at all possible) to get vlan102<br>
>>> listening?<br>
>>><br>
>>><br>
>>> _______________________________________________<br>
>>> Mailing list: <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a><br>
>>> Post to : <a href="mailto:openstack@lists.launchpad.net" target="_blank">openstack@lists.launchpad.net</a><br>
>>> Unsubscribe : <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a><br>
>>> More help : <a href="https://help.launchpad.net/ListHelp" target="_blank">https://help.launchpad.net/ListHelp</a><br>
>>><br>
>><br>
><br>
<br>
</div></div></blockquote></div><br></div>
</div></div></blockquote></div><br></div>
</div></div></blockquote></div><br></div>
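<div>An added consistency check, not part of any message in this thread: Joe's steps 2 and 5 rely on the dnsmasq tag matching the label given to <code>nova-manage network create</code>, and on the <code>option:router</code> address lying inside that network's fixed range, otherwise instances silently fall back to default-routing through the nova-network host. The config text and the label-to-CIDR mapping below are constructed samples modelled on the thread (the <code>dev</code> entry is deliberately misspelled to trigger a finding); the function names are mine.</div>

```python
import ipaddress
import re

# Constructed sample of /etc/dnsmasq-nova.conf, modelled on the one in the thread.
DNSMASQ_CONF = """\
#
# Set the default route for all networks to be the firewall
#
dhcp-option=tag:'production',option:router,10.0.31.1
dhcp-option=tag:'dmz',option:router,10.0.21.1
dhcp-option=tag:'development',option:router,10.0.41.1

# devsupp
dhcp-host=fa:16:3e:66:05:c2,10.0.21.7
"""

# Constructed: label -> fixed_range_v4, as passed to 'nova-manage network create'.
# 'dev' deliberately does not match the 'development' tag above.
NOVA_NETWORKS = {
    "production": "10.0.31.0/24",
    "dmz": "10.0.21.0/24",
    "dev": "10.0.41.0/24",
}

# Matches dhcp-option=tag:'label',option:router,IP (quotes around the tag optional).
ROUTER_OPT = re.compile(
    r"^dhcp-option=tag:'?(?P<tag>[^',]+)'?,option:router,(?P<ip>\S+)$")

def parse_router_options(conf):
    """Return {tag: router_ip} for every option:router line in the config."""
    routers = {}
    for line in conf.splitlines():
        m = ROUTER_OPT.match(line.strip())
        if m:
            routers[m.group("tag")] = m.group("ip")
    return routers

def check_dnsmasq_against_networks(conf, networks):
    """Return a list of problems; an empty list means every network gets a usable router."""
    problems = []
    routers = parse_router_options(conf)
    for tag, ip in routers.items():
        if tag not in networks:
            problems.append(f"tag {tag!r} matches no network label; its router option is never sent")
            continue
        net = ipaddress.ip_network(networks[tag])
        if ipaddress.ip_address(ip) not in net:
            problems.append(f"router {ip} for {tag!r} is outside {net}")
    for label in networks:
        if label not in routers:
            problems.append(f"network {label!r} has no option:router line; instances default-route via nova-network")
    return problems
```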