[Openstack] nova nodes hosted in kvm virtual machines: no access to the outside world.

Pierre Amadio pierre.amadio at canonical.com
Thu Apr 12 09:59:47 UTC 2012


Hi there !

My goal is to host an Essex cloud on my laptop to study how it works,
play with it, demo it and so on.

I am experiencing a network problem with cloud instances: they are not
allowed to access the internet (wget on google.com, for example).

Nodes run as KVM virtual machines hosted on a laptop running Ubuntu
Oneiric.

So, on my laptop/hypervisor, I have created the following libvirt
network used for the OpenStack nodes:

<network>
  <name>default</name>
  <uuid>d5d3dcc1-f863-9bbf-8d57-1149e361de6d</uuid>
  <forward mode='nat'/>
  <bridge name='virbr0' stp='on' delay='0' />
  <mac address='52:54:00:5C:7B:5D'/>
  <ip address='192.168.122.1' netmask='255.255.255.0'>
  </ip>
</network>

There is no libvirt DHCP, it is NATed to the outside world, and the
network used is 192.168.122.0/24.

I have installed several nodes (Ubuntu precise).

192.168.122.2   orchestra
This behaves as a DHCP and Cobbler server to install other nodes.

192.168.122.101 manager-node
Runs nova-api, nova-scheduler, nova-objectstore, nova-volume, nova-cert
and iSCSI tgt.

192.168.122.102 messaging
Runs RabbitMQ, MySQL, Glance and Keystone.

192.168.122.103 compute-a
Runs nova-compute, nova-api and nova-network.

Excerpt from the nova.conf file:
--network_manager=nova.network.manager.FlatDHCPManager
--fixed_range=10.0.0.0/24
--floating_range=192.168.123.0/24
--auto_assign_floating_ip
--flat_network_dns=192.168.122.2

I can run some instances and log in to them from my hypervisor after
adding a route to the 192.168.123.0/24 network via the node running
nova-network (192.168.122.103) :

sudo route add -net 192.168.123.0 netmask 255.255.255.0 gw
192.168.122.103 dev virbr0

So, I have a VM running on 192.168.123.3:

euca-describe-instances
RESERVATION	r-xu7c0o8y	f45695cb80ca402a9a7f63852098b582	default
INSTANCE	i-00000007	ami-00000003	192.168.123.3	server-7	running	adminkey
(f45695cb80ca402a9a7f63852098b582, compute-a)	0	
m1.small	2012-04-12T08:58:36.000Z	nova	aki-00000001	ari-00000002

Its private IP is 10.0.0.2.

From it, I cannot download pages from the internet:

ubuntu at server-7:~$ wget http://www.yahoo.com/
--2012-04-12 09:36:55--  http://www.yahoo.com/
Resolving www.yahoo.com... 87.248.112.181
Connecting to www.yahoo.com|87.248.112.181|:80... failed: Connection
refused.

But, I can download pages from http://192.168.122.1/ (hypervisor virbr0)
as well as from http://192.168.0.9/ (hypervisor wifi interface used to get
access to the outside world).

From compute-a, the node running nova-network, I can download pages from
yahoo.com.

An iptables-save file from my hypervisor is attached to this mail.

I did try to remove all the REJECT lines in the FORWARD table and reload
the rules, without success.

I am afraid I'm a bit lost in all those bridges.

Has anyone:

- any idea if my problem is in the nova configuration, or something to
do with the hypervisor iptables rules?
- done something similar with good result?
- any idea on what to try next?

Have a nice day...

-------------- next part --------------
# Generated by iptables-save v1.4.10 on Thu Apr 12 11:41:24 2012
*nat
:PREROUTING ACCEPT [415:71017]
:INPUT ACCEPT [88:7343]
:OUTPUT ACCEPT [2282:152990]
:POSTROUTING ACCEPT [2346:157728]
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535 
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535 
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE 
-A POSTROUTING -s 10.1.0.0/16 ! -d 10.1.0.0/16 -p tcp -j MASQUERADE --to-ports 1024-65535 
-A POSTROUTING -s 10.1.0.0/16 ! -d 10.1.0.0/16 -p udp -j MASQUERADE --to-ports 1024-65535 
-A POSTROUTING -s 10.1.0.0/16 ! -d 10.1.0.0/16 -j MASQUERADE 
COMMIT
# Completed on Thu Apr 12 11:41:24 2012
# Generated by iptables-save v1.4.10 on Thu Apr 12 11:41:24 2012
*mangle
:PREROUTING ACCEPT [159113:79914067]
:INPUT ACCEPT [69979:40278276]
:FORWARD ACCEPT [89107:39599033]
:OUTPUT ACCEPT [60378:10029197]
:POSTROUTING ACCEPT [150789:49724062]
-A POSTROUTING -o virbr2 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill 
COMMIT
# Completed on Thu Apr 12 11:41:24 2012
# Generated by iptables-save v1.4.10 on Thu Apr 12 11:41:24 2012
*filter
:INPUT ACCEPT [69896:40270442]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [60374:10028752]
-A INPUT -i virbr1 -p udp -m udp --dport 53 -j ACCEPT 
-A INPUT -i virbr1 -p tcp -m tcp --dport 53 -j ACCEPT 
-A INPUT -i virbr1 -p udp -m udp --dport 67 -j ACCEPT 
-A INPUT -i virbr1 -p tcp -m tcp --dport 67 -j ACCEPT 
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT 
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT 
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT 
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT 
-A INPUT -i virbr2 -p udp -m udp --dport 53 -j ACCEPT 
-A INPUT -i virbr2 -p tcp -m tcp --dport 53 -j ACCEPT 
-A INPUT -i virbr2 -p udp -m udp --dport 67 -j ACCEPT 
-A INPUT -i virbr2 -p tcp -m tcp --dport 67 -j ACCEPT 
-A FORWARD -i virbr1 -o virbr1 -j ACCEPT 
-A FORWARD -o virbr1 -j REJECT --reject-with icmp-port-unreachable 
-A FORWARD -i virbr1 -j REJECT --reject-with icmp-port-unreachable 
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT 
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT 
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable 
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable 
-A FORWARD -d 10.1.0.0/16 -o virbr2 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD -s 10.1.0.0/16 -i virbr2 -j ACCEPT 
-A FORWARD -i virbr2 -o virbr2 -j ACCEPT 
-A FORWARD -o virbr2 -j REJECT --reject-with icmp-port-unreachable 
-A FORWARD -i virbr2 -j REJECT --reject-with icmp-port-unreachable 
COMMIT
# Completed on Thu Apr 12 11:41:24 2012
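Added example, not code from the original post or from libvirt/nova: a small Python walker that replays the virbr0/virbr1 subset of the attached filter FORWARD and nat POSTROUTING rules against a constructed packet, the way the hypervisor kernel would see it. It assumes the instance's outbound traffic enters virbr0 with the floating address 192.168.123.3 as its source (the effect of nova-network's floating-IP SNAT on compute-a; the private 10.0.0.2 is not visible on the laptop), that the wifi uplink is called wlan0 (a placeholder name), and conntrack state NEW for the first packet. Walking the rules as attached, the first FORWARD match for that source is libvirt's `-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable`, which a TCP connect reports as "Connection refused", exactly the wget error quoted above; a packet from 192.168.122.103 instead matches the `-s 192.168.122.0/24 -i virbr0 -j ACCEPT` rule, which is why compute-a itself gets out. The walker also shows why deleting the REJECT lines alone is not enough: no POSTROUTING rule masquerades a 192.168.123.0/24 source, and the reply path `-o virbr0` is only accepted for destinations in 192.168.122.0/24. `add_floating_rules` is a constructed variant with the three extra hypervisor rules under which both directions pass.

```python
"""Replay iptables-save FORWARD / POSTROUTING rules for a synthetic packet.
Added example, not from the original post; rule lines are the virbr0/virbr1
subset of the attachment, packet fields (wlan0 uplink, conntrack state) are
constructed.  Modelled matches: -s -d -i -o -p --state; others are skipped."""
import ipaddress
import shlex

# Copied from the attachment (nat POSTROUTING and filter FORWARD, virbr0/virbr1 part).
ORIGINAL_RULES = """\
:POSTROUTING ACCEPT [2346:157728]
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
:FORWARD ACCEPT [0:0]
-A FORWARD -i virbr1 -o virbr1 -j ACCEPT
-A FORWARD -o virbr1 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr1 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
"""

# iptables option -> packet field it is compared against.
MATCHERS = {"-s": "src", "-d": "dst", "-i": "in_if", "-o": "out_if",
            "-p": "proto", "--state": "state"}

def parse_rules(text):
    """Return ({chain: policy}, {chain: [rule]}) from iptables-save lines."""
    policies, rules = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):                       # ":CHAIN POLICY [pkts:bytes]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
            rules.setdefault(chain, [])
        elif line.startswith("-A "):
            toks = shlex.split(line)
            rule = {"text": line, "conds": [], "target": None}
            i, negate = 2, False                        # skip "-A CHAIN"
            while i < len(toks):
                tok = toks[i]
                if tok == "!":                          # negates the next match
                    negate = True
                    i += 1
                elif tok == "-j":
                    rule["target"] = toks[i + 1]
                    i += 2
                elif tok in MATCHERS:
                    rule["conds"].append((MATCHERS[tok], toks[i + 1], negate))
                    negate = False
                    i += 2
                else:                                   # -m state, --reject-with X, --to-ports X ...
                    has_arg = i + 1 < len(toks) and not toks[i + 1].startswith(("-", "!"))
                    i += 2 if has_arg else 1
            rules.setdefault(toks[1], []).append(rule)
    return policies, rules

def _cond_matches(field, value, pkt):
    if field in ("src", "dst"):
        return ipaddress.ip_address(pkt[field]) in ipaddress.ip_network(value, strict=False)
    if field == "state":
        return pkt["state"] in value.split(",")
    return pkt[field] == value

def walk(chain, pkt, rules_text):
    """First-match semantics: return (target, rule text) or (chain policy, None)."""
    policies, rules = parse_rules(rules_text)
    for rule in rules.get(chain, []):
        if all(_cond_matches(f, v, pkt) != neg for f, v, neg in rule["conds"]):
            return rule["target"], rule["text"]
    return policies.get(chain, "ACCEPT"), None

def packet(src, dst="87.248.112.181", in_if="virbr0", out_if="wlan0",
           proto="tcp", state="NEW"):
    """Constructed packet; wlan0 is a placeholder for the laptop's wifi uplink."""
    return {"src": src, "dst": dst, "in_if": in_if, "out_if": out_if,
            "proto": proto, "state": state}

def add_floating_rules(rules_text, floating="192.168.123.0/24"):
    """Constructed variant: the extra hypervisor rules the floating range would
    need, placed ahead of libvirt's virbr0 REJECT rules and after its MASQUERADE."""
    out = []
    for line in rules_text.splitlines():
        out.append(line)
        if line.strip() == "-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT":
            out.append(f"-A FORWARD -s {floating} -i virbr0 -j ACCEPT")
            out.append(f"-A FORWARD -d {floating} -o virbr0 -m state "
                       "--state RELATED,ESTABLISHED -j ACCEPT")
        elif line.strip() == "-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE":
            out.append(f"-A POSTROUTING -s {floating} ! -d 192.168.122.0/24 -j MASQUERADE")
    return "\n".join(out)

if __name__ == "__main__":
    outbound = packet("192.168.123.3")                  # instance seen via its floating IP
    for label, rules in (("attached", ORIGINAL_RULES),
                         ("with floating rules", add_floating_rules(ORIGINAL_RULES))):
        for chain in ("FORWARD", "POSTROUTING"):
            verdict, rule = walk(chain, outbound, rules)
            print(f"{label:20} {chain:12} {verdict:10} {rule or '(chain policy, no match)'}")
```

Run it as-is to see the four verdicts, or paste a fresh `iptables-save` into `ORIGINAL_RULES` after changing the hypervisor rules and re-run; the walker only knows the six match options above, so any rule using other matches (`--dport`, owner, etc.) is treated as matching on the options it does understand.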

