[openstack-dev] Problem with nova add-fixed-ip or quantum port-update
enikanorov at mirantis.com
Sat Jul 27 18:43:35 UTC 2013
Can you take a look at https://bugs.launchpad.net/neutron/+bug/1190613 ?
Looks like the exact issue you're talking about and it was fixed just
On Sat, Jul 27, 2013 at 10:22 PM, John Gruber <john.t.gruber at gmail.com> wrote:
> So I got it to work, but I need guidance from the OVS iptables gang on what
> the reasoning was and how I fix it in a 'compliant' manner.
> Q. Why are the iptables rules on the OVS output chains for the interfaces
> written as if the vif should only have ONE IP address assigned, where quantum
> can assign multiple fixed IPs?
> For the example where IP address 10.0.60.20 was assigned to my guest VM on
> an external interface and assigned at boot, and then I added 10.0.60.22 via
> nova --add-fixed-ip vm-uuid net-uuid...
> Here is what I had in my iptables rules after adding the second fixedip:
> iptables -L quantum-openvswi-o8a508818-0 --line-numbers
> Chain quantum-openvswi-o8a508818-0 (2 references)
> num target prot opt source destination
> 1 DROP all -- anywhere anywhere MAC !
> 2 RETURN udp -- anywhere anywhere udp spt:bootpc dpt:bootps
> *3 DROP all -- !10.0.62.20 anywhere
> 4 DROP all -- !10.0.62.22 anywhere
> *5 DROP udp -- anywhere anywhere udp spt:bootps dpt:bootpc
> 6 DROP all -- anywhere anywhere state
> 7 RETURN all -- anywhere anywhere state
> 8 RETURN all -- anywhere anywhere
> 9 quantum-openvswi-sg-fallback all -- anywhere
> This obviously will not work. The rules shadow each other and cut off all
> outbound access from the guest VM on that network. Which is exactly what I
> was observing..
> Running: iptables -D quantum-openvswi-o8a508818-0 4
> And my access to 10.0.62.20 came back...
> Running iptables -D quantum-openvswi-o8a508818-0 3
> And my access to 10.0.62.22 started working...
> Please tell me we did not intend to create a cloud where quantum has no
> problems assigning multiple fixed IPs to a port, but iptables will eat them
> all up! <g> Oh the humanity...
> I know how to make it work and can hunt down the iptables root wrapper
> command, but what should we do for this? I could not find an existing bug..
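Added example, not part of the original thread: a small first-match evaluator that models only the source-address test of rules 3 and 4 from the quoted chain and shows why two consecutive `!source` DROP rules reject every source, including both fixed IPs. The `ALLOW_LIST` ordering is an assumed alternative for comparison, not the fix referenced in the bug report, and the function names are hypothetical.

```python
import ipaddress

# Each rule: (source CIDR, negated?, target). Only the source match is modelled,
# which is all that rules 3 and 4 of the quoted chain test.
BROKEN = [            # rules 3 and 4 as listed in the quoted message
    ("10.0.62.20/32", True, "DROP"),
    ("10.0.62.22/32", True, "DROP"),
]
ALLOW_LIST = [        # assumed alternative ordering, not taken from the thread
    ("10.0.62.20/32", False, "RETURN"),
    ("10.0.62.22/32", False, "RETURN"),
    ("0.0.0.0/0", False, "DROP"),
]


def verdict(chain, src):
    """Return the target of the first rule whose source match fires."""
    addr = ipaddress.ip_address(src)
    for cidr, negated, target in chain:
        in_net = addr in ipaddress.ip_network(cidr)
        if in_net != negated:   # plain rule fires on match, '!' rule on non-match
            return target
    return "RETURN"             # end of a user-defined chain: back to the caller


def shadowed_sources(chain):
    """Addresses named in '!source' DROP rules that the chain still drops."""
    negated = [c for c, neg, t in chain if neg and t == "DROP"]
    hosts = [str(ipaddress.ip_network(c).network_address) for c in negated]
    return [h for h in hosts if verdict(chain, h) == "DROP"]


if __name__ == "__main__":
    for name, chain in (("broken", BROKEN), ("allow-list", ALLOW_LIST)):
        for src in ("10.0.62.20", "10.0.62.22", "10.0.62.99"):
            print(f"{name:10} src={src:11} -> {verdict(chain, src)}")
    print("shadowed:", shadowed_sources(BROKEN))
```

With a single `!source` DROP rule the named address passes, which matches the observation in the message that deleting one of the two rules restored access for the other address.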