<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">Just a quick note: each tenant has its own default security group rules. So I would double check and make sure your admin does have those rules set. If it works with Demo it has to work with admin.<div class=""><br class=""></div><div class="">Remo <br class=""><div><blockquote type="cite" class=""><div class="">On May 26, 2015, at 09:03, Wilson Kwok <<a href="mailto:leiw324@gmail.com" class="">leiw324@gmail.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div style="font-family: Helvetica; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class="">Hi Yair,</div><div style="font-family: Helvetica; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=""> </div><div style="font-family: Helvetica; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class="">I just tried something:</div><div style="font-family: Helvetica; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; 
word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=""> </div><div style="font-family: Helvetica; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class="">1. I created a Peter account and added it to the Demo project; I can access Peter's VM from an external network PC via floating IP.</div><div style="font-family: Helvetica; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class="">2. Admin account router account floating IP is 172.28.0.163, I can ping it, but I can't access Admin's VM floating IP 172.128.0.164 from an external network PC (Security Group allows ICMP and SSH)</div><div style="font-family: Helvetica; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class="">3. 
Demo account with no problem.</div><div style="font-family: Helvetica; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=""> </div><div style="font-family: Helvetica; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class="">I created public network with keystone admin, please see below result with neutron net-show public:</div><div style="font-family: Helvetica; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=""> </div><div style="font-family: Helvetica; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class="">[root@localhost ~(keystone_admin)]# neutron net-show public<br class="">+---------------------------+--------------------------------------+<br class="">| Field | Value |<br class="">+---------------------------+--------------------------------------+<br class="">| admin_state_up | True |<br class="">| id | 6145669e-4688-40a6-b878-aaa2f9cb26c6 |<br class="">| mtu | 0 |<br class="">| name | public |<br class="">| provider:network_type | vxlan |<br class="">| provider:physical_network | |<br class="">| 
provider:segmentation_id | 10 |<br class="">| router:external | True |<br class="">| shared | True |<br class="">| status | ACTIVE |<br class="">| subnets | 65c1896c-0bc6-4b00-b89b-57f2677b3219 |<br class="">| tenant_id | e67ef147ee074f83bdab0da903f0cdd3 |<br class="">+---------------------------+--------------------------------------+<br class=""></div><div style="font-family: Helvetica; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class="">and keystone tenant-list command:</div><div style="font-family: Helvetica; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=""> </div><div style="font-family: Helvetica; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class="">[root@localhost ~(keystone_admin)]# keystone tenant-list<br class="">/usr/lib/python2.7/site-packages/keystoneclient/shell.py:65: DeprecationWarning: The keystone CLI is deprecated in favor of python-openstackclient. 
For a Python library, continue using python-keystoneclient.<br class=""> 'python-keystoneclient.', DeprecationWarning)<br class="">+----------------------------------+----------+---------+<br class="">| id | name | enabled |<br class="">+----------------------------------+----------+---------+<br class="">| e67ef147ee074f83bdab0da903f0cdd3 | admin | True |<br class="">| 24f9a6c52a1d471a8e7dc0f8fde32ced | demo | True |<br class="">| 64c18def585e45e39b5e4ec161e18633 | services | True |<br class="">| 80f0de3f19bf4c699938b54288d1ede8 | test | True |<br class="">+----------------------------------+----------+---------+<br class=""></div><div style="font-family: Helvetica; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class="">Thanks for your help!</div><div style="font-family: Helvetica; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=""><br class=""> </div><div class="gmail_quote" style="font-family: Helvetica; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;">2015-05-26 18:32 GMT+08:00 Yair Fried<span class="Apple-converted-space"> </span><span dir="ltr" class=""><<a href="mailto:yfried@redhat.com" target="_blank" class="">yfried@redhat.com</a>></span>:<br class=""><blockquote class="gmail_quote" style="margin: 0px 0px 0px 0.8ex; padding-left: 1ex; 
border-left-color: rgb(204, 204, 204); border-left-width: 1px; border-left-style: solid;">Hi,<br class="">From<span class="Apple-converted-space"> </span><a href="https://bugzilla.redhat.com/show_bug.cgi?id=1163726#c3" target="_blank" class="">https://bugzilla.redhat.com/show_bug.cgi?id=1163726#c3</a><br class=""><br class=""><snip><br class="">By marking a network as "external" you are actually sharing it among all other tenants to be used as default GW and a source for floating IPs.<br class=""><br class="">Marking a network as "shared" is allowing other tenants to connect VMs (and not router GWs) directly to the network.<br class=""><br class="">Marking an external network as "shared" would allow VMs of all tenants to connect to a network as well as pull floating ips from it (via router GW). While this is possible in Neutron, it is also redundant, as with the case above - There isn't much sense in pulling a floating IP from a network that you can connect to directly.<br class=""></snip><br class=""><br class="">Please provide the relevant output from:<br class="">$ neutron net-show <external net><br class="">$ keystone tenant-list<br class=""><br class="">Without this output it seems like the network was created by non-admin tenant/user which shouldn't allow its floating IPs to be consumed by other tenants. I've never tried to do that, so I'm not sure if this is a legitimate operation and if so, how such network should behave.<br class=""><br class="">The ideal flow is:<br class="">1. Admin creates an external network (usually called "public") in its own tenant.<br class="">2. Users (in their own tenants) create private networks and VMs attached to them.<br class="">3. Users create routers connecting their private networks ("router-interface-add") to the external ("public") network ("router-gateway-set").<br class="">*** At this point, VMs should be able to access the outside world via NAT.<br class="">4. 
Now users can allocate floating IPs to their VMs (only those VMs that are connected to the external network via routers).<br class=""><br class="">Please let me know if this is unclear<br class="">Regards<br class=""><span class="im HOEnZb">Yair</span></blockquote></div></div></blockquote></div><br class=""><div class=""><br class=""></div><div class=""><br class=""></div></div></body></html>