<div>Hi Yair,</div><div> </div><div>I just tried something:</div><div> </div><div>1. I created Peter account and added into Demo project, I can access Peter's VM from external network PC via floating IP.</div><div>2. Admin account router account floating IP is 172.28.0.163, I can ping it, but I can't access Admin's VM floating IP 172.128.0.164 from external network PC (Securty Group allow ICMP and SSH)</div><div>3. Demo account with no problem.</div><div> </div><div>I created public network with keystone admin, please see below result with neutron net-show public:</div><div> </div><div>[root@localhost ~(keystone_admin)]# neutron net-show public<br>+---------------------------+--------------------------------------+<br>| Field | Value |<br>+---------------------------+--------------------------------------+<br>| admin_state_up | True |<br>| id | 6145669e-4688-40a6-b878-aaa2f9cb26c6 |<br>| mtu | 0 |<br>| name | public |<br>| provider:network_type | vxlan |<br>| provider:physical_network | |<br>| provider:segmentation_id | 10 |<br>| router:external | True |<br>| shared | True |<br>| status | ACTIVE |<br>| subnets | 65c1896c-0bc6-4b00-b89b-57f2677b3219 |<br>| tenant_id | e67ef147ee074f83bdab0da903f0cdd3 |<br>+---------------------------+--------------------------------------+<br></div><div>and keystone tenant-list command:</div><div> </div><div>[root@localhost ~(keystone_admin)]# keystone tenant-list<br>/usr/lib/python2.7/site-packages/keystoneclient/shell.py:65: DeprecationWarning: The keystone CLI is deprecated in favor of python-openstackclient. For a Python library, continue using python-keystoneclient.<br> 'python-keystoneclient.', DeprecationWarning)<br>+----------------------------------+----------+---------+<br>| id | name | enabled |<br>+----------------------------------+----------+---------+<br>| e67ef147ee074f83bdab0da903f0cdd3 | admin | True |<br>| 24f9a6c52a1d471a8e7dc0f8fde32ced | demo | True |<br>| 64c18def585e45e39b5e4ec161e18633 | services | True |<br>| 80f0de3f19bf4c699938b54288d1ede8 | test | True |<br>+----------------------------------+----------+---------+<br></div><div>Thanks for your help!</div><div><br> </div><div class="gmail_quote">2015-05-26 18:32 GMT+08:00 Yair Fried <span dir="ltr"><<a href="mailto:yfried@redhat.com" target="_blank">yfried@redhat.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid">Hi,<br>
>From <a href="https://bugzilla.redhat.com/show_bug.cgi?id=1163726#c3" target="_blank">https://bugzilla.redhat.com/show_bug.cgi?id=1163726#c3</a><br>
<br>
<snip><br>
By marking a network as "external" you are actually sharing it among all other tenants to be used as default GW and a source for floating IPs.<br>
<br>
Marking a network as "shared" is allowing other tenants to connect VMs (and not router GWs) directly to the network.<br>
<br>
Marking an external network as "shared" would allow VMs of all tenants to connect to a network as well as pull floating ips from it (via router GW). While this is possible in Neutron, it is also redundant, as with the case above - There isn't much sense in pulling a floating IP from a network that you can connect to directly.<br>
</snip><br>
<br>
please provide the relevant output from:<br>
$ neutron net-show <external net><br>
$ keystone tenant-list<br>
<br>
Without this output it seems like the network was created by non-admin tenant/user which shouldn't allow its floating IPs to be consumed by other tenants. I've never tried to do that, so I'm not sure if this is a legitimate operation and if so, how such network should behave.<br>
<br>
The ideal flow is:<br>
1. Admin creates an external network (usually called "public") in its own tenant.<br>
2. Users (in their own tenants) create private networks and VMs attached to them.<br>
3. Users create routers connecting their private networks ( router-interface-add") to the external ("public") network ("router-gateway-set").<br>
*** At this point, VMs should be able to access the outside world via NAT.<br>
4. Now users can allocate floating IPs to their VMs (only those VMs that are connected to the external network via routers).<br>
<br>
Please let me know if this is unclear<br>
Regards<br>
<span class="im HOEnZb">Yair<br>
<br>
<br>
----- Original Message -----<br>
From: "Wilson Kwok" <<a href="mailto:leiw324@gmail.com">leiw324@gmail.com</a>><br>
</span><div class="HOEnZb"><div class="h5">To: "Yair Fried" <<a href="mailto:yfried@redhat.com">yfried@redhat.com</a>><br>
Cc: <a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a><br>
Sent: Tuesday, May 26, 2015 1:00:58 PM<br>
Subject: Re: [Openstack] Confusion of external network<br>
<br>
Hi Yair,<br>
<br>
1. The new account same project with demo account.<br>
2. Yes, the external network shared already, so how can share this network<br>
if not use it for floating IP?<br>
<br>
Thanks<br>
<br>
2015-05-26 13:58 GMT+08:00 Yair Fried <<a href="mailto:yfried@redhat.com">yfried@redhat.com</a>>:<br>
<br>
> Hi,<br>
> Your question is missing some details<br>
> 1. What tenant does the network belong to?<br>
> 2. Is it shared? If you want to use it for floating IP it shouldn't be<br>
> shared. And VMs shouldn't be connected directly to it.<br>
><br>
> Regards,<br>
> Yair<br>
><br>
> ----- Original Message -----<br>
> From: "Wilson Kwok" <<a href="mailto:leiw324@gmail.com">leiw324@gmail.com</a>><br>
> To: <a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a><br>
> Sent: Tuesday, May 26, 2015 4:38:20 AM<br>
> Subject: Re: [Openstack] Confusion of external network<br>
><br>
> Can someone help ? thanks!<br>
><br>
> 2015-05-24 11:51 GMT+08:00 Wilson Kwok < <a href="mailto:leiw324@gmail.com">leiw324@gmail.com</a> > :<br>
><br>
><br>
><br>
> Hello all,<br>
><br>
> I have completed my Openstack via this RDO guideline:<br>
> <a href="http://community.redhat.com/blog/2015/01/rdo-quickstart-doing-the-neutron-dance/" target="_blank">http://community.redhat.com/blog/2015/01/rdo-quickstart-doing-the-neutron-dance/</a><br>
><br>
> This guideline help to fix external network that can let my home network<br>
> can access to instance via floating IP, but needed to use neutron command<br>
> to remove default external network and then add new external network that<br>
> subnet match my home network.<br>
><br>
> The new external network shared already, my confusion is why only demo<br>
> account of external network can access instance, but admin account cannot,<br>
> even I create anther user account with same of demo project.<br>
><br>
> Anyone have been try RDO caused this problem ?<br>
><br>
> Thanks<br>
><br>
><br>
> _______________________________________________<br>
> Mailing list:<br>
> <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
> Post to : <a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a><br>
> Unsubscribe :<br>
> <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
><br>
</div></div></blockquote></div><br>