Fwd: [OpenStack][VDI][Bumblebee] About CIDR, Security Group Help
---------- Forwarded message --------- From: Matthew Swigart <matthew.swigart35@gmail.com> Date: Tue, May 7, 2024 at 10:57 AM Subject: Re: [OpenStack][VDI][Bumblebee] About CIDR, Security Group Help To: Brian Haley <haleyb.dev@gmail.com> Oh sorry to attaching the screenshots. Let me share the logs through plain text. *openstack security group list --debug* START with options: security group list --debug options: Namespace(verbose_level=3, log_file=None, deferred_help=False, debug=True, cloud='', region_name='RegionOne', cacert=None, cert='', key='', verify=None, insecure=None, default_domain='default', interface='public', service_provider='', remote_project_name='', remote_project_id='', remote_project_domain_name='', remote_project_domain_id='', timing=False, os_beta_command=False, os_compute_api_version='', os_identity_api_version='3', os_image_api_version='', os_network_api_version='', os_object_api_version='', os_volume_api_version='', auth_type='v3applicationcredential', auth_url=' http://192.168.122.111/identity', system_scope='', domain_id='', domain_name='', project_id='', project_name='', project_domain_id='', project_domain_name='', trust_id='', auth_methods='', identity_provider='', protocol='', client_id='', client_secret='***', openid_scope='', access_token_endpoint='', discovery_endpoint='', access_token_type='', redirect_uri='', code='', identity_provider_url='', username='', password='***', default_domain_id='', default_domain_name='', token='***', user_id='', user_domain_id='', user_domain_name='', endpoint='', application_credential_secret='***', application_credential_id='4a4df089f7834bd487ac811d70e45286', application_credential_name='', consumer_key='', consumer_secret='***', access_key='', access_secret='***', device_authorization_endpoint='', code_challenge_method='', oauth2_endpoint='', oauth2_client_id='', oauth2_client_secret='***', access_token='***', service_provider_endpoint='', service_provider_entity_id='', passcode='', os_project_name=None, os_project_id=None) Auth plugin v3applicationcredential selected auth_config_hook(): {'api_timeout': None, 'verify': True, 'cacert': None, 'cert': None, 'key': None, 'baremetal_status_code_retries': '5', 'baremetal_introspection_status_code_retries': '5', 'image_status_code_retries': '5', 'disable_vendor_agent': {}, 'interface': 'public', 'floating_ip_source': 'neutron', 'image_api_use_tasks': False, 'image_format': 'qcow2', 'message': '', 'network_api_version': '2', 'object_store_api_version': '1', 'secgroup_source': 'neutron', 'status': 'active', 'auth': {}, 'verbose_level': 3, 'deferred_help': False, 'debug': True, 'region_name': 'RegionOne', 'default_domain': 'default', 'timing': False, 'auth_url': 'http://192.168.122.111/identity', 'application_credential_secret': '***', 'application_credential_id': '4a4df089f7834bd487ac811d70e45286', 'beta_command': False, 'identity_api_version': '3', 'auth_type': 'v3applicationcredential', ': []} defaults: {'api_timeout': None, 'verify': True, 'cacert': None, 'cert': None, 'key': None, 'auth_type': 'password', 'baremetal_status_code_retries': 5, 'baremetal_introspection_status_code_retries': 5, 'image_status_code_retries': 5, 'disable_vendor_agent': {}, 'interface': 'public', 'floating_ip_source': 'neutron', 'image_api_use_tasks': False, 'image_format': 'qcow2', 'message': '', 'network_api_version': '2', 'object_store_api_version': '1', 'secgroup_source': 'neutron', 'status': 'active'} cloud cfg: {'api_timeout': None, 'verify': True, 'cacert': None, 'cert': None, 'key': None, 'baremetal_status_code_retries': '5', 'baremetal_introspection_status_code_retries': '5', 'image_status_code_retries': '5', 'disable_vendor_agent': {}, 'interface': 'public', 'floating_ip_source': 'neutron', 'image_api_use_tasks': False, 'image_format': 'qcow2', 'message': '', 'network_api_version': '2', 'object_store_api_version': '1', 'secgroup_source': 'neutron', 'status': 'active', 'auth': {}, 'verbose_level': 3, 'deferred_help': False, 'debug': True, 'region_name': 'RegionOne', 'default_domain': 'default', 'timing': False, 'auth_url': 'http://192.168.122.111/identity', 'application_credential_secret': '***', 'application_credential_id': '4a4df089f7834bd487ac811d70e45286', 'beta_command': False, 'identity_api_version': '3', 'auth_type': 'v3applicationcredential', ': []} compute API version 2.1, cmd group openstack.compute.v2 identity API version 3, cmd group openstack.identity.v3 image API version 2, cmd group openstack.image.v2 network API version 2, cmd group openstack.network.v2 object_store API version 1, cmd group openstack.object_store.v1 volume API version 3, cmd group openstack.volume.v3 command: security group list -> openstackclient.network.v2.security_group.ListSecurityGroup (auth=True) Auth plugin v3applicationcredential selected auth_config_hook(): {'api_timeout': None, 'verify': True, 'cacert': None, 'cert': None, 'key': None, 'baremetal_status_code_retries': '5', 'baremetal_introspection_status_code_retries': '5', 'image_status_code_retries': '5', 'disable_vendor_agent': {}, 'interface': 'public', 'floating_ip_source': 'neutron', 'image_api_use_tasks': False, 'image_format': 'qcow2', 'message': '', 'network_api_version': '2', 'object_store_api_version': '1', 'secgroup_source': 'neutron', 'status': 'active', 'auth': {}, 'additional_user_agent': [('osc-lib', '3.0.1')], 'verbose_level': 3, 'deferred_help': False, 'debug': True, 'region_name': 'RegionOne', 'default_domain': 'default', 'timing': False, 'auth_url': ' http://192.168.122.111/identity', 'application_credential_secret': '***', 'application_credential_id': '4a4df089f7834bd487ac811d70e45286', 'beta_command': False, 'identity_api_version': '3', 'auth_type': 'v3applicationcredential', ': []} Using auth plugin: v3applicationcredential Using parameters {'auth_url': 'http://192.168.122.111/identity', 'application_credential_secret': '***', 'application_credential_id': '} Get auth_ref Making authentication request to http://192.168.122.111/identity/v3/auth/tokens Starting new HTTP connection (1): 192.168.122.111:80 http://192.168.122.111:80 "POST /identity/v3/auth/tokens HTTP/1.1" 201 2844 {"token": {"methods": ["application_credential"], "user": {"domain": {"id": "default", "name": "Default"}, "id": "47edeac1ea6144078669710d0854364b", "name": "bumblebee", "password_expires_at": null}, "audit_ids": ["3fDW4oqWQfCr_3xeHlUt_A"], "expires_at": "2024-05-06T20:14:44.000000Z", "issued_at": "2024-05-06T19:14:44.000000Z", "project": {"domain": {"id": "default", "name": "Default"}, "id": "ffac951fdd364848bb5a45a44925bd37", "name": "VDI"}, "is_domain": false, "roles": [{"id": "91fc6589ab3743ae9a1f9dc8cfbe9ee6", "name": "member"}], "catalog": [{"endpoints": [{"id": "82763e6d0a524db8a80f82b4c823378f", "interface": "public", "region_id": "RegionOne", "url": "http://192.168.122.111/image", "region": "RegionOne"}], "id": "668988a7a1f64048aa69b40850339e18", "type": "image", "name": "glance"}, {"endpoints": [{"id": "423040cdeae24ce1be957c2d63c269d3", "interface": "public", "region_id": "RegionOne", "url": " http://192.168.122.111/volume/v3/ffac951fdd364848bb5a45a44925bd37", "region": "RegionOne"}], "id": "6b546ba7accd440383dd4618028045a4", "type": "volumev3", "name": "cinderv3"}, {"endpoints": [{"id": "8d232d3c977345e5a5d6bb2f48e257d5", "interface": "public", "region_id": "RegionOne", "url": " http://192.168.122.111/compute/v2/ffac951fdd364848bb5a45a44925bd37", "region": "RegionOne"}], "id": "76b8985d819d4b3e8c22f665aaf2c368", "type": "compute_legacy", "name": "nova_legacy"}, {"endpoints": [{"id": "72a814723a5f43e6908ff55c08194790", "interface": "public", "region_id": "RegionOne", "url": "http://192.168.122.111/identity", "region": "RegionOne"}], "id": "76f00bb62ec84acc91e2b18642f9d8cc", "type": "identity", "name": "keystone"}, {"endpoints": [{"id": "fe78270ab8b64cb7952e6e68f9c6ddc1", "interface": "public", "region_id": "RegionOne", "url": "http://192.168.122.111:9696/networking", "region": "RegionOne"}], "id": "8fcfe1317724496fbd8ea4d02c0a4bec", "type": "network", "name": "neutron"}, {"endpoints": [{"id": "d5fe1b7820d0493c9a581701615a04cd", "interface": "public", "region_id": "RegionOne", "url": "http://192.168.122.111/placement", "region": "RegionOne"}], "id": "b6112ad35e1e4a8791336c962c808552", "type": "placement", "name": "placement"}, {"endpoints": [{"id": "bb17d1a45a824dd697e44cc6a0e5cb2d", "interface": "public", "region_id": "RegionOne", "url": "http://192.168.122.111/compute/v2.1", "region": "RegionOne"}], "id": "bd5bbd79e36449c8b9d61a7dd3f4953d", "type": "compute", "name": "nova"}, {"endpoints": [{"id": "492d351cd7024681b876a30b770641f4", "interface": "public", "region_id": "RegionOne", "url": " http://192.168.122.111/volume/v3/ffac951fdd364848bb5a45a44925bd37", "region": "RegionOne"}], "id": "cbca0058f7b64e98b24cc428d0d7a103", "type": "block-storage", "name": "cinder"}], "application_credential": {"id": "4a4df089f7834bd487ac811d70e45286", "name": "bumblebee-app-cred", "restricted": true}}} get_parser(openstack security group list) common parser: ArgumentParser(prog='openstack security group list', usage=None, description='List security groups', formatter_class=<class 'cliff._argparse.SmartHelpFormatter'>, conflict_handler='ignore', add_help=True) network endpoint in service catalog run(Namespace(formatter='table', columns=[], quote_mode='nonnumeric', noindent=False, max_width=0, fit_width=False, print_empty=False, sort_columns=[], sort_direction=None, all_projects=False, project=None, project_domain=None, tags=None, any_tags=None, not_tags=None, not_any_tags=None)) Network client initialized using OpenStack SDK: <openstack.network.v2._proxy.Proxy object at 0x7dbd22840af0> REQ: curl -g -i -X GET " http://192.168.122.111:9696/networking/v2.0/security-groups?fields=%5B%27id%..." -H "Accept: application/json" -H "User-Agent: openstacksdk/3.1.0 keystoneauth1/5.6.0 python-requests/2.25.1 CPython/3.10.12" -H "X-Auth-Token: {SHA256}d9e51c8dabe77e5cac58c275e1c0ec522d259c03ab51314b66ac0b5cb5773a49" Starting new HTTP connection (1): 192.168.122.111:9696 http://192.168.122.111:9696 "GET /networking/v2.0/security-groups?fields=id&fields=name&fields=description&fields=project_id&fields=tags HTTP/1.1" 200 23 RESP: [200] Connection: keep-alive Content-Length: 23 Content-Type: application/json Date: Mon, 06 May 2024 19:14:44 GMT X-Openstack-Request-Id: req-fa36e7a8-6aa6-44ff-b0be-1390fdb9131e RESP BODY: {"security_groups": []} GET call to network for http://192.168.122.111:9696/networking/v2.0/security-groups?fields=id&fields=name&fields=description&fields=project_id&fields=tags used request id req-fa36e7a8-6aa6-44ff-b0be-1390fdb9131e clean_up ListSecurityGroup: END return value: 0 *Regarding the CIDR*, I thought it is OpenStack auth IP so in my case, I used DevStack so 192.168.122.111 so CIDR would be 192.168.122.0/24. In this case, CIDR still be 10.0.0.0/24 as you mentioned? Please correct me if I am wrong. Thank you, Matthew On Mon, May 6, 2024 at 4:18 PM Brian Haley <haleyb.dev@gmail.com> wrote:
Hi,
On 5/6/24 3:15 PM, Matthew Swigart wrote:
I tried running the command with a debug flag like this: `openstack security group list --debug` Attached are screenshots for reference. image.png image.png image.png image.png
Please don't attach screenshots, instead put the text inline or use pastebin, etc. otherwise it's impossible for someone to quote anything.
As far as cidr format, if you don't specify the rule will apply to all IPs, else use standard '--remote-ip 10.0.0.0/24' cidr notation.
-Brian
On Mon, May 6, 2024 at 2:54 PM Hoai-Thu Vuong <thuvh87@gmail.com <mailto:thuvh87@gmail.com>> wrote:
Can you run openstack cli with flag debug?
On Tue, May 7, 2024, 01:38 Matthew Swigart <matthew.swigart35@gmail.com <mailto:matthew.swigart35@gmail.com>> wrote:
Hello all,
This is Matthew who just started working for the OpenStack VDI project last year and I decided to try with Bumblebee+DevStack for an experiment. [1] https://github.com/NeCTAR-RC/bumblebee <https://github.com/NeCTAR-RC/bumblebee> [2] https://docs.openstack.org/devstack/latest/ <https://docs.openstack.org/devstack/latest/> So I created two VMs using libvirt on Ubuntu 22.04 - one for DevStack, the other one for the Bumblebee VDI project. Each VM is running on Ubuntu 22.04.
I installed DevStack successfully and I can access the horizon dashboard from Bumblebee VM. So I created a new project and created a new user and assigned it to a new project. Also created a new application credential and downloaded openrc file.
The problem is, when I tried to create a security group using command, it succeeded so I can see a new security group from Horizon *but when I run `openstack security group list` command, there is nothing.* Also I needed to add some security group rules to allow SSH access, but no idea how to get the correct *CIDR value*. [3]
https://docs.openstack.org/ocata/user-guide/cli-nova-configure-access-securi... < https://docs.openstack.org/ocata/user-guide/cli-nova-configure-access-securi...
So I will appreciate it if I can get any support.
Thank you, Matthew
Hi Matthew,
openstack security group list --debug
This is the same thing I run but I get output, and nothing sticks out in the logs you provided. I would try two more things: 1) Run the command using the admin credentials 2) Look in the neutron server log for any errors Something with this deployment is not standard. -Brian On 5/7/24 1:27 AM, Matthew Swigart wrote:
---------- Forwarded message --------- From: *Matthew Swigart* <matthew.swigart35@gmail.com <mailto:matthew.swigart35@gmail.com>> Date: Tue, May 7, 2024 at 10:57 AM Subject: Re: [OpenStack][VDI][Bumblebee] About CIDR, Security Group Help To: Brian Haley <haleyb.dev@gmail.com <mailto:haleyb.dev@gmail.com>>
Oh sorry to attaching the screenshots. Let me share the logs through plain text.
*openstack security group list --debug* START with options: security group list --debug options: Namespace(verbose_level=3, log_file=None, deferred_help=False, debug=True, cloud='', region_name='RegionOne', cacert=None, cert='', key='', verify=None, insecure=None, default_domain='default', interface='public', service_provider='', remote_project_name='', remote_project_id='', remote_project_domain_name='', remote_project_domain_id='', timing=False, os_beta_command=False, os_compute_api_version='', os_identity_api_version='3', os_image_api_version='', os_network_api_version='', os_object_api_version='', os_volume_api_version='', auth_type='v3applicationcredential', auth_url='http://192.168.122.111/identity <http://192.168.122.111/identity>', system_scope='', domain_id='', domain_name='', project_id='', project_name='', project_domain_id='', project_domain_name='', trust_id='', auth_methods='', identity_provider='', protocol='', client_id='', client_secret='***', openid_scope='', access_token_endpoint='', discovery_endpoint='', access_token_type='', redirect_uri='', code='', identity_provider_url='', username='', password='***', default_domain_id='', default_domain_name='', token='***', user_id='', user_domain_id='', user_domain_name='', endpoint='', application_credential_secret='***', application_credential_id='4a4df089f7834bd487ac811d70e45286', application_credential_name='', consumer_key='', consumer_secret='***', access_key='', access_secret='***', device_authorization_endpoint='', code_challenge_method='', oauth2_endpoint='', oauth2_client_id='', oauth2_client_secret='***', access_token='***', service_provider_endpoint='', service_provider_entity_id='', passcode='', os_project_name=None, os_project_id=None) Auth plugin v3applicationcredential selected auth_config_hook(): {'api_timeout': None, 'verify': True, 'cacert': None, 'cert': None, 'key': None, 'baremetal_status_code_retries': '5', 'baremetal_introspection_status_code_retries': '5', 'image_status_code_retries': '5', 'disable_vendor_agent': {}, 'interface': 'public', 'floating_ip_source': 'neutron', 'image_api_use_tasks': False, 'image_format': 'qcow2', 'message': '', 'network_api_version': '2', 'object_store_api_version': '1', 'secgroup_source': 'neutron', 'status': 'active', 'auth': {}, 'verbose_level': 3, 'deferred_help': False, 'debug': True, 'region_name': 'RegionOne', 'default_domain': 'default', 'timing': False, 'auth_url': 'http://192.168.122.111/identity <http://192.168.122.111/identity>', 'application_credential_secret': '***', 'application_credential_id': '4a4df089f7834bd487ac811d70e45286', 'beta_command': False, 'identity_api_version': '3', 'auth_type': 'v3applicationcredential', ': []} defaults: {'api_timeout': None, 'verify': True, 'cacert': None, 'cert': None, 'key': None, 'auth_type': 'password', 'baremetal_status_code_retries': 5, 'baremetal_introspection_status_code_retries': 5, 'image_status_code_retries': 5, 'disable_vendor_agent': {}, 'interface': 'public', 'floating_ip_source': 'neutron', 'image_api_use_tasks': False, 'image_format': 'qcow2', 'message': '', 'network_api_version': '2', 'object_store_api_version': '1', 'secgroup_source': 'neutron', 'status': 'active'} cloud cfg: {'api_timeout': None, 'verify': True, 'cacert': None, 'cert': None, 'key': None, 'baremetal_status_code_retries': '5', 'baremetal_introspection_status_code_retries': '5', 'image_status_code_retries': '5', 'disable_vendor_agent': {}, 'interface': 'public', 'floating_ip_source': 'neutron', 'image_api_use_tasks': False, 'image_format': 'qcow2', 'message': '', 'network_api_version': '2', 'object_store_api_version': '1', 'secgroup_source': 'neutron', 'status': 'active', 'auth': {}, 'verbose_level': 3, 'deferred_help': False, 'debug': True, 'region_name': 'RegionOne', 'default_domain': 'default', 'timing': False, 'auth_url': 'http://192.168.122.111/identity <http://192.168.122.111/identity>', 'application_credential_secret': '***', 'application_credential_id': '4a4df089f7834bd487ac811d70e45286', 'beta_command': False, 'identity_api_version': '3', 'auth_type': 'v3applicationcredential', ': []} compute API version 2.1, cmd group openstack.compute.v2 identity API version 3, cmd group openstack.identity.v3 image API version 2, cmd group openstack.image.v2 network API version 2, cmd group openstack.network.v2 object_store API version 1, cmd group openstack.object_store.v1 volume API version 3, cmd group openstack.volume.v3 command: security group list -> openstackclient.network.v2.security_group.ListSecurityGroup (auth=True) Auth plugin v3applicationcredential selected auth_config_hook(): {'api_timeout': None, 'verify': True, 'cacert': None, 'cert': None, 'key': None, 'baremetal_status_code_retries': '5', 'baremetal_introspection_status_code_retries': '5', 'image_status_code_retries': '5', 'disable_vendor_agent': {}, 'interface': 'public', 'floating_ip_source': 'neutron', 'image_api_use_tasks': False, 'image_format': 'qcow2', 'message': '', 'network_api_version': '2', 'object_store_api_version': '1', 'secgroup_source': 'neutron', 'status': 'active', 'auth': {}, 'additional_user_agent': [('osc-lib', '3.0.1')], 'verbose_level': 3, 'deferred_help': False, 'debug': True, 'region_name': 'RegionOne', 'default_domain': 'default', 'timing': False, 'auth_url': 'http://192.168.122.111/identity <http://192.168.122.111/identity>', 'application_credential_secret': '***', 'application_credential_id': '4a4df089f7834bd487ac811d70e45286', 'beta_command': False, 'identity_api_version': '3', 'auth_type': 'v3applicationcredential', ': []} Using auth plugin: v3applicationcredential Using parameters {'auth_url': 'http://192.168.122.111/identity <http://192.168.122.111/identity>', 'application_credential_secret': '***', 'application_credential_id': '} Get auth_ref Making authentication request to http://192.168.122.111/identity/v3/auth/tokens <http://192.168.122.111/identity/v3/auth/tokens> Starting new HTTP connection (1): 192.168.122.111:80 <http://192.168.122.111:80> http://192.168.122.111:80 <http://192.168.122.111:80> "POST /identity/v3/auth/tokens HTTP/1.1" 201 2844 {"token": {"methods": ["application_credential"], "user": {"domain": {"id": "default", "name": "Default"}, "id": "47edeac1ea6144078669710d0854364b", "name": "bumblebee", "password_expires_at": null}, "audit_ids": ["3fDW4oqWQfCr_3xeHlUt_A"], "expires_at": "2024-05-06T20:14:44.000000Z", "issued_at": "2024-05-06T19:14:44.000000Z", "project": {"domain": {"id": "default", "name": "Default"}, "id": "ffac951fdd364848bb5a45a44925bd37", "name": "VDI"}, "is_domain": false, "roles": [{"id": "91fc6589ab3743ae9a1f9dc8cfbe9ee6", "name": "member"}], "catalog": [{"endpoints": [{"id": "82763e6d0a524db8a80f82b4c823378f", "interface": "public", "region_id": "RegionOne", "url": "http://192.168.122.111/image <http://192.168.122.111/image>", "region": "RegionOne"}], "id": "668988a7a1f64048aa69b40850339e18", "type": "image", "name": "glance"}, {"endpoints": [{"id": "423040cdeae24ce1be957c2d63c269d3", "interface": "public", "region_id": "RegionOne", "url": "http://192.168.122.111/volume/v3/ffac951fdd364848bb5a45a44925bd37 <http://192.168.122.111/volume/v3/ffac951fdd364848bb5a45a44925bd37>", "region": "RegionOne"}], "id": "6b546ba7accd440383dd4618028045a4", "type": "volumev3", "name": "cinderv3"}, {"endpoints": [{"id": "8d232d3c977345e5a5d6bb2f48e257d5", "interface": "public", "region_id": "RegionOne", "url": "http://192.168.122.111/compute/v2/ffac951fdd364848bb5a45a44925bd37 <http://192.168.122.111/compute/v2/ffac951fdd364848bb5a45a44925bd37>", "region": "RegionOne"}], "id": "76b8985d819d4b3e8c22f665aaf2c368", "type": "compute_legacy", "name": "nova_legacy"}, {"endpoints": [{"id": "72a814723a5f43e6908ff55c08194790", "interface": "public", "region_id": "RegionOne", "url": "http://192.168.122.111/identity <http://192.168.122.111/identity>", "region": "RegionOne"}], "id": "76f00bb62ec84acc91e2b18642f9d8cc", "type": "identity", "name": "keystone"}, {"endpoints": [{"id": "fe78270ab8b64cb7952e6e68f9c6ddc1", "interface": "public", "region_id": "RegionOne", "url": "http://192.168.122.111:9696/networking <http://192.168.122.111:9696/networking>", "region": "RegionOne"}], "id": "8fcfe1317724496fbd8ea4d02c0a4bec", "type": "network", "name": "neutron"}, {"endpoints": [{"id": "d5fe1b7820d0493c9a581701615a04cd", "interface": "public", "region_id": "RegionOne", "url": "http://192.168.122.111/placement <http://192.168.122.111/placement>", "region": "RegionOne"}], "id": "b6112ad35e1e4a8791336c962c808552", "type": "placement", "name": "placement"}, {"endpoints": [{"id": "bb17d1a45a824dd697e44cc6a0e5cb2d", "interface": "public", "region_id": "RegionOne", "url": "http://192.168.122.111/compute/v2.1 <http://192.168.122.111/compute/v2.1>", "region": "RegionOne"}], "id": "bd5bbd79e36449c8b9d61a7dd3f4953d", "type": "compute", "name": "nova"}, {"endpoints": [{"id": "492d351cd7024681b876a30b770641f4", "interface": "public", "region_id": "RegionOne", "url": "http://192.168.122.111/volume/v3/ffac951fdd364848bb5a45a44925bd37 <http://192.168.122.111/volume/v3/ffac951fdd364848bb5a45a44925bd37>", "region": "RegionOne"}], "id": "cbca0058f7b64e98b24cc428d0d7a103", "type": "block-storage", "name": "cinder"}], "application_credential": {"id": "4a4df089f7834bd487ac811d70e45286", "name": "bumblebee-app-cred", "restricted": true}}} get_parser(openstack security group list) common parser: ArgumentParser(prog='openstack security group list', usage=None, description='List security groups', formatter_class=<class 'cliff._argparse.SmartHelpFormatter'>, conflict_handler='ignore', add_help=True) network endpoint in service catalog run(Namespace(formatter='table', columns=[], quote_mode='nonnumeric', noindent=False, max_width=0, fit_width=False, print_empty=False, sort_columns=[], sort_direction=None, all_projects=False, project=None, project_domain=None, tags=None, any_tags=None, not_tags=None, not_any_tags=None)) Network client initialized using OpenStack SDK: <openstack.network.v2._proxy.Proxy object at 0x7dbd22840af0> REQ: curl -g -i -X GET "http://192.168.122.111:9696/networking/v2.0/security-groups?fields=%5B%27id%... <http://192.168.122.111:9696/networking/v2.0/security-groups?fields=%5B%27id%27%2C+%27name%27%2C+%27description%27%2C+%27project_id%27%2C+%27tags%27%5D>" -H "Accept: application/json" -H "User-Agent: openstacksdk/3.1.0 keystoneauth1/5.6.0 python-requests/2.25.1 CPython/3.10.12" -H "X-Auth-Token: {SHA256}d9e51c8dabe77e5cac58c275e1c0ec522d259c03ab51314b66ac0b5cb5773a49" Starting new HTTP connection (1): 192.168.122.111:9696 <http://192.168.122.111:9696> http://192.168.122.111:9696 <http://192.168.122.111:9696> "GET /networking/v2.0/security-groups?fields=id&fields=name&fields=description&fields=project_id&fields=tags HTTP/1.1" 200 23 RESP: [200] Connection: keep-alive Content-Length: 23 Content-Type: application/json Date: Mon, 06 May 2024 19:14:44 GMT X-Openstack-Request-Id: req-fa36e7a8-6aa6-44ff-b0be-1390fdb9131e RESP BODY: {"security_groups": []} GET call to network for http://192.168.122.111:9696/networking/v2.0/security-groups?fields=id&fields=name&fields=description&fields=project_id&fields=tags <http://192.168.122.111:9696/networking/v2.0/security-groups?fields=id&fields=name&fields=description&fields=project_id&fields=tags> used request id req-fa36e7a8-6aa6-44ff-b0be-1390fdb9131e
clean_up ListSecurityGroup: END return value: 0
*Regarding the CIDR*, I thought it is OpenStack auth IP so in my case, I used DevStack so 192.168.122.111 so CIDR would be 192.168.122.0/24 <http://192.168.122.0/24>. In this case, CIDR still be 10.0.0.0/24 <http://10.0.0.0/24> as you mentioned? Please correct me if I am wrong.
Thank you, Matthew
On Mon, May 6, 2024 at 4:18 PM Brian Haley <haleyb.dev@gmail.com <mailto:haleyb.dev@gmail.com>> wrote:
Hi,
On 5/6/24 3:15 PM, Matthew Swigart wrote: > I tried running the command with a debug flag like this: > `openstack security group list --debug` > Attached are screenshots for reference. > image.png > image.png > image.png > image.png
Please don't attach screenshots, instead put the text inline or use pastebin, etc. otherwise it's impossible for someone to quote anything.
As far as cidr format, if you don't specify the rule will apply to all IPs, else use standard '--remote-ip 10.0.0.0/24 <http://10.0.0.0/24>' cidr notation.
-Brian
> > On Mon, May 6, 2024 at 2:54 PM Hoai-Thu Vuong <thuvh87@gmail.com <mailto:thuvh87@gmail.com> > <mailto:thuvh87@gmail.com <mailto:thuvh87@gmail.com>>> wrote: > > Can you run openstack cli with flag debug? > > On Tue, May 7, 2024, 01:38 Matthew Swigart > <matthew.swigart35@gmail.com <mailto:matthew.swigart35@gmail.com> <mailto:matthew.swigart35@gmail.com <mailto:matthew.swigart35@gmail.com>>> > wrote: > > Hello all, > > This is Matthew who just started working for the OpenStack VDI > project last year and I decided to try with Bumblebee+DevStack > for an experiment. > [1] https://github.com/NeCTAR-RC/bumblebee <https://github.com/NeCTAR-RC/bumblebee> > <https://github.com/NeCTAR-RC/bumblebee <https://github.com/NeCTAR-RC/bumblebee>> > [2] https://docs.openstack.org/devstack/latest/ <https://docs.openstack.org/devstack/latest/> > <https://docs.openstack.org/devstack/latest/ <https://docs.openstack.org/devstack/latest/>> > So I created two VMs using libvirt on Ubuntu 22.04 - one for > DevStack, the other one for the Bumblebee VDI project. Each VM > is running on Ubuntu 22.04. > > I installed DevStack successfully and I can access the horizon > dashboard from Bumblebee VM. So I created a new project and > created a new user and assigned it to a new project. Also > created a new application credential and downloaded openrc file. > > The problem is, when I tried to create a security group using > command, it succeeded so I can see a new security group from > Horizon *but when I run `openstack security group list` command, > there is nothing.* Also I needed to add some security group > rules to allow SSH access, but no idea how to get the correct > *CIDR value*. > [3] > https://docs.openstack.org/ocata/user-guide/cli-nova-configure-access-securi... <https://docs.openstack.org/ocata/user-guide/cli-nova-configure-access-security-for-instances.html> <https://docs.openstack.org/ocata/user-guide/cli-nova-configure-access-securi... <https://docs.openstack.org/ocata/user-guide/cli-nova-configure-access-security-for-instances.html>> > > So I will appreciate it if I can get any support. > > Thank you, > Matthew >
Okay thank you Brian, I was able to see the newly created security group using the admin-openrc file. And also was able to create a security group rule on the DevStack VM. Actually I'm using two VM - one for DevStack and the other one for Bumblebee. Both are running through libvirt and my host machine is Ubuntu 22.04 as well. Just want to make sure again for CIDR value - so is it okay to use 10.0.0.0/24 for under my current situation (DevStack is running on ubuntu 22.04 VM, Bumblebee is also running on ubuntu 22.04 VM, both VMs are connected through virtual network)? I can access DevStack through 192.168.122.111 IP. So is it related to setting the CIDR value? I think this CIDR value is used to allow access to the Guacamole server. https://github.com/NeCTAR-RC/bumblebee/blob/master/docker-init/setup-opensta... Please help me to set the correct CIDR value when creating the security group rule. Thank you all for your kind support. Looking forward to hearing from you. Matthew On Thu, May 9, 2024 at 4:30 AM Brian Haley <haleyb.dev@gmail.com> wrote:
Hi Matthew,
openstack security group list --debug
This is the same thing I run but I get output, and nothing sticks out in the logs you provided.
I would try two more things:
1) Run the command using the admin credentials 2) Look in the neutron server log for any errors
Something with this deployment is not standard.
-Brian
On 5/7/24 1:27 AM, Matthew Swigart wrote:
---------- Forwarded message --------- From: *Matthew Swigart* <matthew.swigart35@gmail.com <mailto:matthew.swigart35@gmail.com>> Date: Tue, May 7, 2024 at 10:57 AM Subject: Re: [OpenStack][VDI][Bumblebee] About CIDR, Security Group Help To: Brian Haley <haleyb.dev@gmail.com <mailto:haleyb.dev@gmail.com>>
Oh sorry to attaching the screenshots. Let me share the logs through plain text.
*openstack security group list --debug* START with options: security group list --debug options: Namespace(verbose_level=3, log_file=None, deferred_help=False, debug=True, cloud='', region_name='RegionOne', cacert=None, cert='', key='', verify=None, insecure=None, default_domain='default', interface='public', service_provider='', remote_project_name='', remote_project_id='', remote_project_domain_name='', remote_project_domain_id='', timing=False, os_beta_command=False, os_compute_api_version='', os_identity_api_version='3', os_image_api_version='', os_network_api_version='', os_object_api_version='', os_volume_api_version='', auth_type='v3applicationcredential', auth_url='http://192.168.122.111/identity <http://192.168.122.111/identity>', system_scope='', domain_id='', domain_name='', project_id='', project_name='', project_domain_id='', project_domain_name='', trust_id='', auth_methods='', identity_provider='', protocol='', client_id='', client_secret='***', openid_scope='', access_token_endpoint='', discovery_endpoint='', access_token_type='', redirect_uri='', code='', identity_provider_url='', username='', password='***', default_domain_id='', default_domain_name='', token='***', user_id='', user_domain_id='', user_domain_name='', endpoint='', application_credential_secret='***', application_credential_id='4a4df089f7834bd487ac811d70e45286', application_credential_name='', consumer_key='', consumer_secret='***', access_key='', access_secret='***', device_authorization_endpoint='', code_challenge_method='', oauth2_endpoint='', oauth2_client_id='', oauth2_client_secret='***', access_token='***', service_provider_endpoint='', service_provider_entity_id='', passcode='', os_project_name=None, os_project_id=None) Auth plugin v3applicationcredential selected auth_config_hook(): {'api_timeout': None, 'verify': True, 'cacert': None, 'cert': None, 'key': None, 'baremetal_status_code_retries': '5', 'baremetal_introspection_status_code_retries': '5', 'image_status_code_retries': '5', 'disable_vendor_agent': {}, 'interface': 'public', 'floating_ip_source': 'neutron', 'image_api_use_tasks': False, 'image_format': 'qcow2', 'message': '', 'network_api_version': '2', 'object_store_api_version': '1', 'secgroup_source': 'neutron', 'status': 'active', 'auth': {}, 'verbose_level': 3, 'deferred_help': False, 'debug': True, 'region_name': 'RegionOne', 'default_domain': 'default', 'timing': False, 'auth_url': 'http://192.168.122.111/identity <http://192.168.122.111/identity>', 'application_credential_secret': '***', 'application_credential_id': '4a4df089f7834bd487ac811d70e45286', 'beta_command': False, 'identity_api_version': '3', 'auth_type': 'v3applicationcredential', ': []} defaults: {'api_timeout': None, 'verify': True, 'cacert': None, 'cert': None, 'key': None, 'auth_type': 'password', 'baremetal_status_code_retries': 5, 'baremetal_introspection_status_code_retries': 5, 'image_status_code_retries': 5, 'disable_vendor_agent': {}, 'interface': 'public', 'floating_ip_source': 'neutron', 'image_api_use_tasks': False, 'image_format': 'qcow2', 'message': '', 'network_api_version': '2', 'object_store_api_version': '1', 'secgroup_source': 'neutron', 'status': 'active'} cloud cfg: {'api_timeout': None, 'verify': True, 'cacert': None, 'cert': None, 'key': None, 'baremetal_status_code_retries': '5', 'baremetal_introspection_status_code_retries': '5', 'image_status_code_retries': '5', 'disable_vendor_agent': {}, 'interface': 'public', 'floating_ip_source': 'neutron', 'image_api_use_tasks': False, 'image_format': 'qcow2', 'message': '', 'network_api_version': '2', 'object_store_api_version': '1', 'secgroup_source': 'neutron', 'status': 'active', 'auth': {}, 'verbose_level': 3, 'deferred_help': False, 'debug': True, 'region_name': 'RegionOne', 'default_domain': 'default', 'timing': False, 'auth_url': 'http://192.168.122.111/identity <http://192.168.122.111/identity>', 'application_credential_secret': '***', 'application_credential_id': '4a4df089f7834bd487ac811d70e45286', 'beta_command': False, 'identity_api_version': '3', 'auth_type': 'v3applicationcredential', ': []} compute API version 2.1, cmd group openstack.compute.v2 identity API version 3, cmd group openstack.identity.v3 image API version 2, cmd group openstack.image.v2 network API version 2, cmd group openstack.network.v2 object_store API version 1, cmd group openstack.object_store.v1 volume API version 3, cmd group openstack.volume.v3 command: security group list -> openstackclient.network.v2.security_group.ListSecurityGroup (auth=True) Auth plugin v3applicationcredential selected auth_config_hook(): {'api_timeout': None, 'verify': True, 'cacert': None, 'cert': None, 'key': None, 'baremetal_status_code_retries': '5', 'baremetal_introspection_status_code_retries': '5', 'image_status_code_retries': '5', 'disable_vendor_agent': {}, 'interface': 'public', 'floating_ip_source': 'neutron', 'image_api_use_tasks': False, 'image_format': 'qcow2', 'message': '', 'network_api_version': '2', 'object_store_api_version': '1', 'secgroup_source': 'neutron', 'status': 'active', 'auth': {}, 'additional_user_agent': [('osc-lib', '3.0.1')], 'verbose_level': 3, 'deferred_help': False, 'debug': True, 'region_name': 'RegionOne', 'default_domain': 'default', 'timing': False, 'auth_url': 'http://192.168.122.111/identity <http://192.168.122.111/identity>', 'application_credential_secret': '***', 'application_credential_id': '4a4df089f7834bd487ac811d70e45286', 'beta_command': False, 'identity_api_version': '3', 'auth_type': 'v3applicationcredential', ':
[]}
Using auth plugin: v3applicationcredential Using parameters {'auth_url': 'http://192.168.122.111/identity <http://192.168.122.111/identity>', 'application_credential_secret': '***', 'application_credential_id': '} Get auth_ref Making authentication request to http://192.168.122.111/identity/v3/auth/tokens <http://192.168.122.111/identity/v3/auth/tokens> Starting new HTTP connection (1): 192.168.122.111:80 <http://192.168.122.111:80> http://192.168.122.111:80 <http://192.168.122.111:80> "POST /identity/v3/auth/tokens HTTP/1.1" 201 2844 {"token": {"methods": ["application_credential"], "user": {"domain": {"id": "default", "name": "Default"}, "id": "47edeac1ea6144078669710d0854364b", "name": "bumblebee", "password_expires_at": null}, "audit_ids": ["3fDW4oqWQfCr_3xeHlUt_A"], "expires_at": "2024-05-06T20:14:44.000000Z", "issued_at": "2024-05-06T19:14:44.000000Z", "project": {"domain": {"id": "default", "name": "Default"}, "id": "ffac951fdd364848bb5a45a44925bd37", "name": "VDI"}, "is_domain": false, "roles": [{"id": "91fc6589ab3743ae9a1f9dc8cfbe9ee6", "name": "member"}], "catalog": [{"endpoints": [{"id": "82763e6d0a524db8a80f82b4c823378f", "interface": "public", "region_id": "RegionOne", "url": "http://192.168.122.111/image <http://192.168.122.111/image>", "region": "RegionOne"}], "id": "668988a7a1f64048aa69b40850339e18", "type": "image", "name": "glance"}, {"endpoints": [{"id": "423040cdeae24ce1be957c2d63c269d3", "interface": "public", "region_id": "RegionOne", "url": "http://192.168.122.111/volume/v3/ffac951fdd364848bb5a45a44925bd37 <http://192.168.122.111/volume/v3/ffac951fdd364848bb5a45a44925bd37>", "region": "RegionOne"}], "id": "6b546ba7accd440383dd4618028045a4", "type": "volumev3", "name": "cinderv3"}, {"endpoints": [{"id": "8d232d3c977345e5a5d6bb2f48e257d5", "interface": "public", "region_id": "RegionOne", "url": "http://192.168.122.111/compute/v2/ffac951fdd364848bb5a45a44925bd37 <http://192.168.122.111/compute/v2/ffac951fdd364848bb5a45a44925bd37>", "region": "RegionOne"}], "id": "76b8985d819d4b3e8c22f665aaf2c368", "type": "compute_legacy", "name": "nova_legacy"}, {"endpoints": [{"id": "72a814723a5f43e6908ff55c08194790", "interface": "public", "region_id": "RegionOne", "url": "http://192.168.122.111/identity <http://192.168.122.111/identity>", "region": "RegionOne"}], "id": "76f00bb62ec84acc91e2b18642f9d8cc", "type": "identity", "name": "keystone"}, {"endpoints": [{"id": "fe78270ab8b64cb7952e6e68f9c6ddc1", "interface": "public", "region_id": "RegionOne", "url": "http://192.168.122.111:9696/networking <http://192.168.122.111:9696/networking>", "region": "RegionOne"}], "id": "8fcfe1317724496fbd8ea4d02c0a4bec", "type": "network", "name": "neutron"}, {"endpoints": [{"id": "d5fe1b7820d0493c9a581701615a04cd", "interface": "public", "region_id": "RegionOne", "url": "http://192.168.122.111/placement <http://192.168.122.111/placement>", "region": "RegionOne"}], "id": "b6112ad35e1e4a8791336c962c808552", "type": "placement", "name": "placement"}, {"endpoints": [{"id": "bb17d1a45a824dd697e44cc6a0e5cb2d", "interface": "public", "region_id": "RegionOne", "url": "http://192.168.122.111/compute/v2.1 <http://192.168.122.111/compute/v2.1>", "region": "RegionOne"}], "id": "bd5bbd79e36449c8b9d61a7dd3f4953d", "type": "compute", "name": "nova"}, {"endpoints": [{"id": "492d351cd7024681b876a30b770641f4", "interface": "public", "region_id": "RegionOne", "url": "http://192.168.122.111/volume/v3/ffac951fdd364848bb5a45a44925bd37 <http://192.168.122.111/volume/v3/ffac951fdd364848bb5a45a44925bd37>", "region": "RegionOne"}], "id": "cbca0058f7b64e98b24cc428d0d7a103", "type": "block-storage", "name": "cinder"}], "application_credential": {"id": "4a4df089f7834bd487ac811d70e45286", "name": "bumblebee-app-cred", "restricted": true}}} get_parser(openstack security group list) common parser: ArgumentParser(prog='openstack security group list', usage=None, description='List security groups', formatter_class=<class 'cliff._argparse.SmartHelpFormatter'>, conflict_handler='ignore', add_help=True) network endpoint in service catalog run(Namespace(formatter='table', columns=[], quote_mode='nonnumeric', noindent=False, max_width=0, fit_width=False, print_empty=False, sort_columns=[], sort_direction=None, all_projects=False, project=None, project_domain=None, tags=None, any_tags=None, not_tags=None, not_any_tags=None)) Network client initialized using OpenStack SDK: <openstack.network.v2._proxy.Proxy object at 0x7dbd22840af0> REQ: curl -g -i -X GET " http://192.168.122.111:9696/networking/v2.0/security-groups?fields=%5B%27id%... < http://192.168.122.111:9696/networking/v2.0/security-groups?fields=%5B%27id%27%2C+%27name%27%2C+%27description%27%2C+%27project_id%27%2C+%27tags%27%5D>" -H "Accept: application/json" -H "User-Agent: openstacksdk/3.1.0 keystoneauth1/5.6.0 python-requests/2.25.1 CPython/3.10.12" -H "X-Auth-Token: {SHA256}d9e51c8dabe77e5cac58c275e1c0ec522d259c03ab51314b66ac0b5cb5773a49" Starting new HTTP connection (1): 192.168.122.111:9696 <http://192.168.122.111:9696> http://192.168.122.111:9696 <http://192.168.122.111:9696> "GET
/networking/v2.0/security-groups?fields=id&fields=name&fields=description&fields=project_id&fields=tags HTTP/1.1" 200 23
RESP: [200] Connection: keep-alive Content-Length: 23 Content-Type: application/json Date: Mon, 06 May 2024 19:14:44 GMT X-Openstack-Request-Id: req-fa36e7a8-6aa6-44ff-b0be-1390fdb9131e RESP BODY: {"security_groups": []} GET call to network for
http://192.168.122.111:9696/networking/v2.0/security-groups?fields=id&fields=name&fields=description&fields=project_id&fields=tags < http://192.168.122.111:9696/networking/v2.0/security-groups?fields=id&fields=name&fields=description&fields=project_id&fields=tags> used request id req-fa36e7a8-6aa6-44ff-b0be-1390fdb9131e
clean_up ListSecurityGroup: END return value: 0
*Regarding the CIDR*, I thought it is OpenStack auth IP so in my case, I used DevStack so 192.168.122.111 so CIDR would be 192.168.122.0/24 <http://192.168.122.0/24>. In this case, CIDR still be 10.0.0.0/24 <http://10.0.0.0/24> as you mentioned? Please correct me if I am wrong.
Thank you, Matthew
On Mon, May 6, 2024 at 4:18 PM Brian Haley <haleyb.dev@gmail.com <mailto:haleyb.dev@gmail.com>> wrote:
Hi,
On 5/6/24 3:15 PM, Matthew Swigart wrote: > I tried running the command with a debug flag like this: > `openstack security group list --debug` > Attached are screenshots for reference. > image.png > image.png > image.png > image.png
Please don't attach screenshots, instead put the text inline or use pastebin, etc. otherwise it's impossible for someone to quote
anything.
As far as cidr format, if you don't specify the rule will apply to
all
IPs, else use standard '--remote-ip 10.0.0.0/24 <http://10.0.0.0/24>' cidr notation.
-Brian
> > On Mon, May 6, 2024 at 2:54 PM Hoai-Thu Vuong <thuvh87@gmail.com <mailto:thuvh87@gmail.com> > <mailto:thuvh87@gmail.com <mailto:thuvh87@gmail.com>>> wrote: > > Can you run openstack cli with flag debug? > > On Tue, May 7, 2024, 01:38 Matthew Swigart > <matthew.swigart35@gmail.com <mailto:matthew.swigart35@gmail.com> <mailto:matthew.swigart35@gmail.com <mailto:matthew.swigart35@gmail.com>>> > wrote: > > Hello all, > > This is Matthew who just started working for the OpenStack VDI > project last year and I decided to try with Bumblebee+DevStack > for an experiment. > [1] https://github.com/NeCTAR-RC/bumblebee <https://github.com/NeCTAR-RC/bumblebee> > <https://github.com/NeCTAR-RC/bumblebee <https://github.com/NeCTAR-RC/bumblebee>> > [2] https://docs.openstack.org/devstack/latest/ <https://docs.openstack.org/devstack/latest/> > <https://docs.openstack.org/devstack/latest/ <https://docs.openstack.org/devstack/latest/>> > So I created two VMs using libvirt on Ubuntu 22.04 - one
for
> DevStack, the other one for the Bumblebee VDI project. Each VM > is running on Ubuntu 22.04. > > I installed DevStack successfully and I can access the horizon > dashboard from Bumblebee VM. So I created a new project
and
> created a new user and assigned it to a new project. Also > created a new application credential and downloaded openrc file. > > The problem is, when I tried to create a security group
using
> command, it succeeded so I can see a new security group
from
> Horizon *but when I run `openstack security group list` command, > there is nothing.* Also I needed to add some security
group
> rules to allow SSH access, but no idea how to get the
correct
> *CIDR value*. > [3] >
https://docs.openstack.org/ocata/user-guide/cli-nova-configure-access-securi... < https://docs.openstack.org/ocata/user-guide/cli-nova-configure-access-security-for-instances.html> < https://docs.openstack.org/ocata/user-guide/cli-nova-configure-access-securi... < https://docs.openstack.org/ocata/user-guide/cli-nova-configure-access-securi...
> > So I will appreciate it if I can get any support. > > Thank you, > Matthew >
participants (2)
-
Brian Haley
-
Matthew Swigart