<div dir="ltr">Which OS do you use?<div><br></div><div style>If you use RDO on RHEL, please refer to:</div><div style><br></div><div style><a href="https://access.redhat.com/site/documentation//en-US/Red_Hat_OpenStack/3/html/Release_Notes/ch03.html">https://access.redhat.com/site/documentation//en-US/Red_Hat_OpenStack/3/html/Release_Notes/ch03.html</a><br>

</div><div style><br></div><div style><div class="" style="font-size:13px;border:0px;margin:0px 0px 0.3em;padding:0px;vertical-align:baseline;color:rgb(51,51,51);font-family:'liberation sans','Myriad ','Bitstream Vera Sans','Lucida Grande','Luxi Sans','Trebuchet MS',helvetica,verdana,arial,sans-serif;line-height:18px">

When the <code class="" style="background-color:transparent;font-size:13px;border:0px;margin:0px;padding:0px;vertical-align:baseline;font-family:'liberation mono','bitstream vera mono','dejavu mono',monospace;white-space:pre-wrap;word-wrap:break-word;font-weight:bold">openvswitch</code> quantum plugin is used, and Nova is configured with</div>

<pre class="" style="background-color:rgb(245,245,245);font-size:0.9em;border:0px none;margin-top:0px;padding:0.5em 1em;vertical-align:baseline;font-family:'liberation mono','bitstream vera mono','dejavu mono',monospace;white-space:pre-wrap;color:rgb(0,0,0);word-wrap:break-word;border-top-left-radius:11px;border-top-right-radius:11px;border-bottom-right-radius:11px;border-bottom-left-radius:11px;line-height:18px">

libvirt_vif_driver = nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver</pre><div class="" style="font-size:13px;border:0px;margin:0px 0px 0.3em;padding:0px;vertical-align:baseline;color:rgb(51,51,51);font-family:'liberation sans','Myriad ','Bitstream Vera Sans','Lucida Grande','Luxi Sans','Trebuchet MS',helvetica,verdana,arial,sans-serif;line-height:18px">

the necessary forwarding rules are not created automatically and the Red Hat Enterprise Linux firewall blocks forwarding of network traffic. Hence traffic between VMs located on different compute nodes is blocked.</div><div class="" style="font-size:13px;border:0px;margin:0px 0px 0.3em;padding:0px;vertical-align:baseline;color:rgb(51,51,51);font-family:'liberation sans','Myriad ','Bitstream Vera Sans','Lucida Grande','Luxi Sans','Trebuchet MS',helvetica,verdana,arial,sans-serif;line-height:18px">

Workarounds to avoid blocking traffic between VMs located on different compute nodes:</div><div class="" style="font-size:13px;border:0px;margin:0px;padding:0px;vertical-align:baseline;color:rgb(51,51,51);font-family:'liberation sans','Myriad ','Bitstream Vera Sans','Lucida Grande','Luxi Sans','Trebuchet MS',helvetica,verdana,arial,sans-serif;line-height:18px">

<ol style="background-image:none;font-size:13px;border:0px;margin:1em 0px;padding:0px 0px 0px 40px;vertical-align:baseline"><li class="" style="background-color:transparent;font-size:13px;border:0px;margin:0px;padding:0px;vertical-align:baseline">

<div class="" style="background-color:transparent;font-size:13px;border:0px;margin:0px 0px 0.3em;padding:0px;vertical-align:baseline">If using nova security groups, add the following <code class="" style="background-color:transparent;font-size:13px;border:0px;margin:0px;padding:0px;vertical-align:baseline;font-family:'liberation mono','bitstream vera mono','dejavu mono',monospace;white-space:pre-wrap;word-wrap:break-word;font-weight:bold">iptables</code> rule on each compute node:<pre class="" style="background-color:rgb(245,245,245);font-size:0.9em;border:0px none;margin-top:0px;padding:0.5em 1em;vertical-align:baseline;font-family:'liberation mono','bitstream vera mono','dejavu mono',monospace;white-space:pre-wrap;color:rgb(0,0,0);word-wrap:break-word;border-top-left-radius:11px;border-top-right-radius:11px;border-bottom-right-radius:11px;border-bottom-left-radius:11px">

<code class="" style="background-color:transparent;font-size:12px;border:0px;margin:0px;padding:0px 0.3em;vertical-align:baseline;font-family:'liberation mono','bitstream vera mono','dejavu mono',monospace;word-wrap:break-word;font-weight:bold">#</code> iptables -t filter -I FORWARD -i qbr+ -o qbr+ -j ACCEPT
<code class="" style="background-color:transparent;font-size:12px;border:0px;margin:0px;padding:0px 0.3em;vertical-align:baseline;font-family:'liberation mono','bitstream vera mono','dejavu mono',monospace;word-wrap:break-word;font-weight:bold">#</code> <code class="" style="background-color:transparent;font-size:12px;border:0px;margin:0px;padding:0px;vertical-align:baseline;font-family:'liberation mono','bitstream vera mono','dejavu mono',monospace;word-wrap:break-word;font-weight:bold">service iptables save</code></pre>

</div><div class="" style="background-color:transparent;font-size:13px;border:0px;margin:0px 0px 0.3em;padding:0px;vertical-align:baseline">Either reboot, or restart <code class="" style="background-color:transparent;font-size:13px;border:0px;margin:0px;padding:0px;vertical-align:baseline;font-family:'liberation mono','bitstream vera mono','dejavu mono',monospace;white-space:pre-wrap;word-wrap:break-word;font-weight:bold">nova-compute</code> after adding this rule, since the rules <code class="" style="background-color:transparent;font-size:13px;border:0px;margin:0px;padding:0px;vertical-align:baseline;font-family:'liberation mono','bitstream vera mono','dejavu mono',monospace;white-space:pre-wrap;word-wrap:break-word;font-weight:bold">nova-compute</code> adds at startup must precede this rule.</div>

</li><li class="" style="background-color:transparent;font-size:13px;border:0px;margin:0px;padding:0px;vertical-align:baseline"><div class="" style="background-color:transparent;font-size:13px;border:0px;margin:0px 0px 0.3em;padding:0px;vertical-align:baseline">

If not using Nova security groups, an alternative solution is to set:</div><pre class="" style="background-color:rgb(245,245,245);font-size:0.9em;border:0px none;margin-top:0px;padding:0.5em 1em;vertical-align:baseline;font-family:'liberation mono','bitstream vera mono','dejavu mono',monospace;white-space:pre-wrap;color:rgb(0,0,0);word-wrap:break-word;border-top-left-radius:11px;border-top-right-radius:11px;border-bottom-right-radius:11px;border-bottom-left-radius:11px">

libvirt_vif_driver = nova.virt.libvirt.vif.LibvirtOpenVswitchVirtualPortDriver</pre></li></ol></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">2013/6/15  <span dir="ltr">&lt;<a href="mailto:Yuling_C@dell.com" target="_blank">Yuling_C@dell.com</a>&gt;</span><br>

<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> Hi All,<br>
<br>
From the OpenStack documentation, it seems that we need to create routers in order to have two private networks ping each other. However, I followed the instructions on the website <a href="http://docs.openstack.org/trunk/openstack-network/admin/content/l3_workflow.html" target="_blank">http://docs.openstack.org/trunk/openstack-network/admin/content/l3_workflow.html</a>, but still could not get the ping working through two private networks.<br>


<br>
Here is what I did:<br>
<br>
1. I'm using the Vlan mode for OVS network type.<br>
2. I created one network net1 in one subnet.<br>
3. I created another network net2 in another subnet.<br>
4. I created a router and attached the two subnet interfaces to the router.<br>
5. I created two VM instances on net1 and net2 respectively.<br>
6. However, I still was not able to ping from vm1 to vm2.<br>
<br>
Any idea?<br>
<br>
Thanks,<br>
<br>
YuLing<br>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div dir="ltr">Peng Yong<br></div>
</div></div>
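<div>The ordering requirement in workaround 1 matters because iptables evaluates the FORWARD chain top-down, so a blanket ACCEPT for qbr+ traffic that sits above the rules nova-compute installs is matched before them. The script below is an added example, not part of the original message or the Red Hat release notes: it audits <code>iptables -S FORWARD</code> output for that ordering. The nova-* chain names and both rule listings are constructed assumptions.</div>

```shell
#!/bin/sh
# Added example: audit FORWARD rule order after applying workaround 1.
# Input: `iptables -S FORWARD` text on stdin. Prints one verdict:
#   missing        no qbr+ -> qbr+ ACCEPT rule
#   blocked        a blanket REJECT/DROP sits above the ACCEPT
#   no-nova-rules  no jump into a nova-* chain, so order cannot be judged
#   too-early      the ACCEPT sits above a nova-* jump
#   ok             every nova-* jump precedes the ACCEPT
check_forward_order() {
    awk '
        BEGIN { accept = 0; last_nova = 0; reject = 0 }
        /^-A FORWARD / {
            n++
            if ($0 ~ /-i qbr\+ / && $0 ~ /-o qbr\+ / && $0 ~ /-j ACCEPT/) {
                if (!accept) accept = n          # first matching ACCEPT
            } else if ($0 ~ /-j nova-/) {
                last_nova = n                    # last nova-* jump in the chain
            } else if ($0 ~ /^-A FORWARD -j (REJECT|DROP)/) {
                if (!reject) reject = n          # first unconditional block
            }
        }
        END {
            if (!accept)                        print "missing"
            else if (reject && reject < accept) print "blocked"
            else if (!last_nova)                print "no-nova-rules"
            else if (last_nova > accept)        print "too-early"
            else                                print "ok"
        }'
}

# Constructed listing: state right after `iptables -t filter -I FORWARD ...`
# (chain names nova-filter-top / nova-compute-FORWARD are assumptions).
SAMPLE_BEFORE_RESTART='-P FORWARD ACCEPT
-A FORWARD -i qbr+ -o qbr+ -j ACCEPT
-A FORWARD -j nova-filter-top
-A FORWARD -j nova-compute-FORWARD
-A FORWARD -j REJECT --reject-with icmp-host-prohibited'

# Constructed listing: state after nova-compute restarted and re-added its rules.
SAMPLE_AFTER_RESTART='-P FORWARD ACCEPT
-A FORWARD -j nova-filter-top
-A FORWARD -j nova-compute-FORWARD
-A FORWARD -i qbr+ -o qbr+ -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited'

printf 'before restart: %s\n' "$(printf '%s\n' "$SAMPLE_BEFORE_RESTART" | check_forward_order)"
printf 'after restart:  %s\n' "$(printf '%s\n' "$SAMPLE_AFTER_RESTART" | check_forward_order)"
# On a compute node (as root): iptables -S FORWARD | check_forward_order
```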