[openstack-dev] VMs can't access outside world..
Barrow Kwan
barrowkwan at yahoo.com
Wed Apr 17 06:07:56 UTC 2013
A few people have emailed me to say they have the same issue and to ask if I
have resolved it. Unfortunately, the issue still exists, and I gave up and moved on to
CloudStack. Everything looks great with OpenStack, but if the VM guest can't
access the outside world, I can't really move forward.
I saw that some people have installed OpenStack on CentOS, but they didn't seem to have
this issue. I am hoping people can share their installation and configuration.
Barrow
----- Original Message ----
From: Barrow Kwan <barrowkwan at yahoo.com>
To: openstack-dev at lists.openstack.org
Sent: Thu, February 28, 2013 10:26:19 PM
Subject: [openstack-dev] VMs can't access outside world..
Hi,
I posted this on the General Discussions list but didn't get any answer. I also
found that someone posted a similar issue back in December but didn't get an answer either,
so I hope someone from the Dev side can help.
I installed Folsom on CentOS 6.3. The server has 2 NICs (it has 4, but I only use
two and disabled the other two). I used Quantum + LinuxBridge. VM provisioning
is fine and the VM got an IP address. I assigned a floating IP and created security rules
(allow ICMP and SSH). I can SSH to the VM from outside through the floating IP.
However, when I am inside the VM, I can't access anything outside of the VM or
my OpenStack infrastructure. Here is the information I can provide:
OS - CentOS 6.3 (single node - everything is running there, e.g. cinder, nova,
compute, glance...)
OpenStack Folsom
Quantum - LinuxBridge
Single node with two NICs (em1 and em3; they are on different VLANs on the
physical switch).
/etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-arptables = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
/etc/sysconfig/modules/openstack-quantum-linuxbridge.modules
#!/bin/sh
modprobe -b bridge >/dev/null 2>&1
exit 0
/etc/sysconfig/network-scripts/ifcfg-em1
DEVICE="em1"
BOOTPROTO="static"
DNS1="10.99.99.1"
GATEWAY="10.38.0.254"
IPADDR="10.38.15.251"
IPV6INIT="no"
MTU="1500"
NETMASK="255.255.0.0"
NM_CONTROLLED="yes"
ONBOOT="yes"
TYPE="Ethernet"
/etc/sysconfig/network-scripts/ifcfg-em3
DEVICE="em3"
BOOTPROTO="none"
NM_CONTROLLED="yes"
ONBOOT="yes"
TYPE="Ethernet"
/etc/nova/nova.conf
[DEFAULT]
logdir = /var/log/nova
state_path = /var/lib/nova
lock_path = /var/lib/nova/tmp
volumes_dir = /etc/nova/volumes
dhcpbridge = /usr/bin/nova-dhcpbridge
dhcpbridge_flagfile = /etc/nova/nova.conf
force_dhcp_release = True
injected_network_template = /usr/share/nova/interfaces.template
libvirt_nonblocking = True
libvirt_inject_partition = -1
network_manager = nova.network.manager.FlatDHCPManager
iscsi_helper = tgtadm
sql_connection = mysql://nova:nova@localhost/nova
compute_driver = libvirt.LibvirtDriver
firewall_driver = nova.virt.libvirt.firewall.IptablesFirewallDriver
rpc_backend = nova.openstack.common.rpc.impl_qpid
rootwrap_config = /etc/nova/rootwrap.conf
flat_interface = em3
public_interface = em1
auth_strategy = keystone
qpid_hostname =opst01
glance_api_servers = optst01:9292
glance_host = opst01
volume_api_class = nova.volume.cinder.API
enabled_apis = ec2,osapi_compute,metadata
network_api_class = nova.network.quantumv2.api.API
quantum_admin_username = quantum
quantum_admin_password = quantum
#quantum_admin_auth_url = http://localhost:5000/v2.0/
quantum_admin_auth_url = http://localhost:35357/v2.0/
quantum_auth_strategy = keystone
quantum_admin_tenant_name = service
quantum_url = http://opst01:9696/
libvirt_vif_driver = nova.virt.libvirt.vif.QuantumLinuxBridgeVIFDriver
[keystone_authtoken]
admin_token = 111111111111111
/etc/quantum/l3_agent.ini
[DEFAULT]
debug = True
interface_driver = quantum.agent.linux.interface.BridgeInterfaceDriver
admin_token = 111111111111111
root_helper = sudo quantum-rootwrap /etc/quantum/rootwrap.conf
external_network_bridge =
use_namespaces = False
router_id = 1a8fd530-56d2-4192-b3fe-1f77651cbf41
/etc/quantum/plugin.ini
[VLANS]
tenant_network_type = vlan
network_vlan_ranges = physnet1,physnet2:100:199
[DATABASE]
sql_connection = mysql://quantum:quantum@optst01/quantum_linux_bridge
reconnect_interval = 2
[LINUX_BRIDGE]
physical_interface = em1,em3
physical_interface_mappings = physnet1:em1,physnet2:em3
[AGENT]
polling_interval = 2
root_helper = sudo quantum-rootwrap /etc/quantum/rootwrap.conf
[root at opst01 quantum]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.151.0 0.0.0.0 255.255.255.0 U 0 0 0 ns-b21309cd-11
192.168.151.0 0.0.0.0 255.255.255.0 U 0 0 0 qr-ec728fdd-44
10.38.17.0 0.0.0.0 255.255.255.0 U 0 0 0 qg-28179e3d-dc
10.38.0.0 0.0.0.0 255.255.0.0 U 0 0 0 brq6b600334-9f
169.254.0.0 0.0.0.0 255.255.0.0 U 1004 0 0 em3
0.0.0.0 10.38.0.254 0.0.0.0 UG 100 0 0 brq6b600334-9f
[root at optst01 quantum]# service iptables status
Table: nat
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
1 nova-compute-PREROUTING all -- 0.0.0.0/0 0.0.0.0/0
2 quantum-l3-agent-PREROUTING all -- 0.0.0.0/0 0.0.0.0/0
3 nova-api-PREROUTING all -- 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
1 nova-compute-POSTROUTING all -- 0.0.0.0/0 0.0.0.0/0
2 quantum-l3-agent-POSTROUTING all -- 0.0.0.0/0 0.0.0.0/0
3 quantum-postrouting-bottom all -- 0.0.0.0/0 0.0.0.0/0
4 nova-api-POSTROUTING all -- 0.0.0.0/0 0.0.0.0/0
5 nova-postrouting-bottom all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
1 nova-compute-OUTPUT all -- 0.0.0.0/0 0.0.0.0/0
2 quantum-l3-agent-OUTPUT all -- 0.0.0.0/0 0.0.0.0/0
3 nova-api-OUTPUT all -- 0.0.0.0/0 0.0.0.0/0
Chain nova-api-OUTPUT (1 references)
num target prot opt source destination
Chain nova-api-POSTROUTING (1 references)
num target prot opt source destination
Chain nova-api-PREROUTING (1 references)
num target prot opt source destination
Chain nova-api-float-snat (1 references)
num target prot opt source destination
Chain nova-api-snat (1 references)
num target prot opt source destination
1 nova-api-float-snat all -- 0.0.0.0/0 0.0.0.0/0
Chain nova-compute-OUTPUT (1 references)
num target prot opt source destination
Chain nova-compute-POSTROUTING (1 references)
num target prot opt source destination
Chain nova-compute-PREROUTING (1 references)
num target prot opt source destination
Chain nova-compute-float-snat (1 references)
num target prot opt source destination
Chain nova-compute-snat (1 references)
num target prot opt source destination
1 nova-compute-float-snat all -- 0.0.0.0/0 0.0.0.0/0
Chain nova-postrouting-bottom (1 references)
num target prot opt source destination
1 nova-compute-snat all -- 0.0.0.0/0 0.0.0.0/0
2 nova-api-snat all -- 0.0.0.0/0 0.0.0.0/0
Chain quantum-l3-agent-OUTPUT (1 references)
num target prot opt source destination
Chain quantum-l3-agent-POSTROUTING (1 references)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ! ctstate DNAT
Chain quantum-l3-agent-PREROUTING (1 references)
num target prot opt source destination
Chain quantum-l3-agent-float-snat (1 references)
num target prot opt source destination
Chain quantum-l3-agent-snat (1 references)
num target prot opt source destination
1 quantum-l3-agent-float-snat all -- 0.0.0.0/0 0.0.0.0/0
2 SNAT all -- 192.168.151.0/24 0.0.0.0/0 to:10.38.17.1
Chain quantum-postrouting-bottom (1 references)
num target prot opt source destination
1 quantum-l3-agent-snat all -- 0.0.0.0/0 0.0.0.0/0
Table: filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 nova-compute-INPUT all -- 0.0.0.0/0 0.0.0.0/0
2 quantum-l3-agent-INPUT all -- 0.0.0.0/0 0.0.0.0/0
3 nova-api-INPUT all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 nova-filter-top all -- 0.0.0.0/0 0.0.0.0/0
2 nova-compute-FORWARD all -- 0.0.0.0/0 0.0.0.0/0
3 quantum-filter-top all -- 0.0.0.0/0 0.0.0.0/0
4 quantum-l3-agent-FORWARD all -- 0.0.0.0/0 0.0.0.0/0
5 nova-api-FORWARD all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
1 nova-filter-top all -- 0.0.0.0/0 0.0.0.0/0
2 nova-compute-OUTPUT all -- 0.0.0.0/0 0.0.0.0/0
3 quantum-filter-top all -- 0.0.0.0/0 0.0.0.0/0
4 quantum-l3-agent-OUTPUT all -- 0.0.0.0/0 0.0.0.0/0
5 nova-api-OUTPUT all -- 0.0.0.0/0 0.0.0.0/0
Chain nova-api-FORWARD (1 references)
num target prot opt source destination
Chain nova-api-INPUT (1 references)
num target prot opt source destination
1 ACCEPT tcp -- 0.0.0.0/0 10.38.15.251 tcp dpt:8775
Chain nova-api-OUTPUT (1 references)
num target prot opt source destination
Chain nova-api-local (1 references)
num target prot opt source destination
Chain nova-compute-FORWARD (1 references)
num target prot opt source destination
Chain nova-compute-INPUT (1 references)
num target prot opt source destination
Chain nova-compute-OUTPUT (1 references)
num target prot opt source destination
Chain nova-compute-inst-20 (1 references)
num target prot opt source destination
1 DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
3 nova-compute-provider all -- 0.0.0.0/0 0.0.0.0/0
4 ACCEPT udp -- 192.168.151.2 0.0.0.0/0 udp spt:67 dpt:68
5 ACCEPT all -- 192.168.151.0/24 0.0.0.0/0
6 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
7 ACCEPT icmp -- 192.168.151.3 0.0.0.0/0
8 ACCEPT icmp -- 192.168.151.4 0.0.0.0/0
9 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
10 nova-compute-sg-fallback all -- 0.0.0.0/0 0.0.0.0/0
Chain nova-compute-inst-21 (1 references)
num target prot opt source destination
1 DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
3 nova-compute-provider all -- 0.0.0.0/0 0.0.0.0/0
4 ACCEPT udp -- 192.168.151.2 0.0.0.0/0 udp spt:67 dpt:68
5 ACCEPT all -- 192.168.151.0/24 0.0.0.0/0
6 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
7 ACCEPT icmp -- 192.168.151.3 0.0.0.0/0
8 ACCEPT icmp -- 192.168.151.4 0.0.0.0/0
9 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
10 nova-compute-sg-fallback all -- 0.0.0.0/0 0.0.0.0/0
Chain nova-compute-local (1 references)
num target prot opt source destination
1 nova-compute-inst-20 all -- 0.0.0.0/0 192.168.151.3
2 nova-compute-inst-21 all -- 0.0.0.0/0 192.168.151.4
Chain nova-compute-provider (2 references)
num target prot opt source destination
Chain nova-compute-sg-fallback (2 references)
num target prot opt source destination
1 DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain nova-filter-top (2 references)
num target prot opt source destination
1 nova-compute-local all -- 0.0.0.0/0 0.0.0.0/0
2 nova-api-local all -- 0.0.0.0/0 0.0.0.0/0
Chain quantum-filter-top (2 references)
num target prot opt source destination
1 quantum-l3-agent-local all -- 0.0.0.0/0 0.0.0.0/0
Chain quantum-l3-agent-FORWARD (1 references)
num target prot opt source destination
Chain quantum-l3-agent-INPUT (1 references)
num target prot opt source destination
Chain quantum-l3-agent-OUTPUT (1 references)
num target prot opt source destination
Chain quantum-l3-agent-local (1 references)
num target prot opt source destination
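
An added example, not part of the original post: a small Python parser for the `service iptables status` layout shown above. It re-joins rule lines that were wrapped in the mail and expands chain jumps, so the order in which the nat POSTROUTING rules are evaluated can be read directly. The sample is a constructed excerpt of the listing (nova chains omitted); this layout has no interface columns (those need `iptables -L -v`), so the result shows rule order only.

```python
# Constructed sample: excerpt of the nat table from the post, in the
# `service iptables status` layout, including one mail-wrapped rule.
SAMPLE = """\
Table: nat
Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
2 quantum-l3-agent-POSTROUTING all -- 0.0.0.0/0 0.0.0.0/0
3 quantum-postrouting-bottom all -- 0.0.0.0/0 0.0.0.0/0
Chain quantum-l3-agent-POSTROUTING (1 references)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ! ctstate
DNAT
Chain quantum-l3-agent-float-snat (1 references)
num target prot opt source destination
Chain quantum-l3-agent-snat (1 references)
num target prot opt source destination
1 quantum-l3-agent-float-snat all -- 0.0.0.0/0 0.0.0.0/0
2 SNAT all -- 192.168.151.0/24 0.0.0.0/0 to:10.38.17.1
Chain quantum-postrouting-bottom (1 references)
num target prot opt source destination
1 quantum-l3-agent-snat all -- 0.0.0.0/0 0.0.0.0/0
"""

def parse(listing):
    """Return {table: {chain: [[target, src, dst, extra], ...]}}."""
    tables, table, chain = {}, None, None
    for line in listing.splitlines():
        if line.startswith("Table: "):
            table = tables.setdefault(line.split()[1], {})
        elif line.startswith("Chain "):
            chain = table.setdefault(line.split()[1], [])
        elif line[:1].isdigit():                      # numbered rule line
            _, target, _, _, src, dst, *extra = line.split()
            chain.append([target, src, dst, " ".join(extra)])
        elif chain and line.strip() and not line.startswith("num "):
            chain[-1][3] += " " + line.strip()        # re-join a wrapped rule
    return tables

def flatten(table, chain, path=()):
    """Expand jumps depth-first: the order in which rules are evaluated."""
    out = []
    for target, src, dst, extra in table[chain]:
        if target in table:                           # jump to a user chain
            out += flatten(table, target, path + (chain,))
        else:                                         # terminal target
            out.append((" > ".join(path + (chain,)), target, src, extra))
    return out
```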