[Openstack] instance cannot access outside network

Emilien Macchi emilien.macchi at stackops.com
Thu Jun 14 11:03:14 UTC 2012


Don't forget to CC the mail ;-) for the community.


I think you should try to add *--routing_source_ip*=<IP of nova-network>
flag in your nova.conf.


Regards,


On Thu, Jun 14, 2012 at 12:51 PM, David <yuezhou.li at hisoft.com> wrote:

> I tried
>
> # cat /proc/sys/net/ipv4/ip_forward
>
> The result is 1.
>
> And the iptables rules have actually been written by nova.
>
> As follows:
>
>
> # Generated by iptables-save v1.4.12 on Fri Jun 15 02:58:58 2012
> *nat
> :PREROUTING ACCEPT [774:124753]
> :INPUT ACCEPT [534:94672]
> :OUTPUT ACCEPT [858:54250]
> :POSTROUTING ACCEPT [919:59061]
> :nova-api-OUTPUT - [0:0]
> :nova-api-POSTROUTING - [0:0]
> :nova-api-PREROUTING - [0:0]
> :nova-api-float-snat - [0:0]
> :nova-api-snat - [0:0]
> :nova-network-OUTPUT - [0:0]
> :nova-network-POSTROUTING - [0:0]
> :nova-network-PREROUTING - [0:0]
> :nova-network-float-snat - [0:0]
> :nova-network-snat - [0:0]
> :nova-postrouting-bottom - [0:0]
> -A PREROUTING -j nova-network-PREROUTING
> -A PREROUTING -j nova-api-PREROUTING
> -A OUTPUT -j nova-network-OUTPUT
> -A OUTPUT -j nova-api-OUTPUT
> -A POSTROUTING -j nova-network-POSTROUTING
> -A POSTROUTING -j nova-api-POSTROUTING
> -A POSTROUTING -j nova-postrouting-bottom
> -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
> -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
> -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
> -A nova-api-snat -j nova-api-float-snat
> -A nova-network-POSTROUTING -s 192.168.4.0/27 -d 192.168.7.151/32 -j ACCEPT
> -A nova-network-POSTROUTING -s 192.168.4.0/27 -d 10.128.0.0/24 -j ACCEPT
> -A nova-network-POSTROUTING -s 192.168.4.0/27 -d 192.168.4.0/27 -m conntrack ! --ctstate DNAT -j ACCEPT
> -A nova-network-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.7.151:8775
> -A nova-network-snat -j nova-network-float-snat
> -A nova-network-snat -s 192.168.4.0/27 -j SNAT --to-source 192.168.7.151
> -A nova-postrouting-bottom -j nova-network-snat
> -A nova-postrouting-bottom -j nova-api-snat
> COMMIT
> # Completed on Fri Jun 15 02:58:58 2012
>
> # Generated by iptables-save v1.4.12 on Fri Jun 15 02:58:58 2012
> *mangle
> :PREROUTING ACCEPT [224637:108582489]
> :INPUT ACCEPT [221029:107788819]
> :FORWARD ACCEPT [29116:11774224]
> :OUTPUT ACCEPT [187094:188512394]
> :POSTROUTING ACCEPT [216210:200286618]
> -A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
> COMMIT
> # Completed on Fri Jun 15 02:58:58 2012
>
> # Generated by iptables-save v1.4.12 on Fri Jun 15 02:58:58 2012
> *filter
> :INPUT ACCEPT [91273:50201087]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [84624:51049560]
> :nova-api-FORWARD - [0:0]
> :nova-api-INPUT - [0:0]
> :nova-api-OUTPUT - [0:0]
> :nova-api-local - [0:0]
> :nova-filter-top - [0:0]
> :nova-network-FORWARD - [0:0]
> :nova-network-INPUT - [0:0]
> :nova-network-OUTPUT - [0:0]
> :nova-network-local - [0:0]
> -A INPUT -j nova-network-INPUT
> -A INPUT -j nova-api-INPUT
> -A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
> -A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
> -A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
> -A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
> -A FORWARD -j nova-filter-top
> -A FORWARD -j nova-network-FORWARD
> -A FORWARD -j nova-api-FORWARD
> -A FORWARD -i virbr0 -o virbr0 -j ACCEPT
> -A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
> -A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
> -A OUTPUT -j nova-filter-top
> -A OUTPUT -j nova-network-OUTPUT
> -A OUTPUT -j nova-api-OUTPUT
> -A nova-api-INPUT -d 192.168.7.151/32 -p tcp -m tcp --dport 8775 -j ACCEPT
> -A nova-filter-top -j nova-network-local
> -A nova-filter-top -j nova-api-local
> -A nova-network-FORWARD -i br100 -j ACCEPT
> -A nova-network-FORWARD -o br100 -j ACCEPT
> COMMIT
> # Completed on Fri Jun 15 02:58:58 2012
>
> *Best Regards*
>
> *David(李跃洲)*
>
> *E-MAIL: yuezhou.li at hisoft.com*
>
> *From:* emilien.macchi at gmail.com [mailto:emilien.macchi at gmail.com] *On Behalf Of* Emilien Macchi
> *Sent:* June 14, 2012 16:51
> *To:* David
> *Cc:* openstack at lists.launchpad.net
> *Subject:* Re: [Openstack] instance cannot access outside network
>
> Hi,
>
> Can you try :
>
> *echo 1 > /proc/sys/net/ipv4/ip_forward* on the nova-network node.
>
> And also modify */etc/sysctl.conf* to uncomment the ip_forward parameter :
>
> *net.ipv4.ip_forward = 1*
>
>
> Is it ok now ?
>
>
> Regards
>
> On Thu, Jun 14, 2012 at 10:24 AM, David <yuezhou.li at hisoft.com> wrote:
>
> Hi All,
>
> I am trying to install openstack on multi-node.
>
> I can boot an instance and use the VNC console to visit the instance.
>
> But I cannot access the outside from inside the instance.
>
> I found the fixed IP range wasn't put on br100 on the compute-node, only on
> the compute-controller. The compute-node only has nova-compute installed.
>
> On compute-node, ip addr:
>
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
>     inet6 ::1/128 scope host
>        valid_lft forever preferred_lft forever
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br100 state UP qlen 1000
>     link/ether 00:0c:29:cf:ec:d7 brd ff:ff:ff:ff:ff:ff
> 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
>     link/ether 00:0c:29:cf:ec:e1 brd ff:ff:ff:ff:ff:ff
>     inet 192.168.7.153/27 brd 192.168.7.159 scope global eth1
>     inet6 fe80::20c:29ff:fecf:ece1/64 scope link
>        valid_lft forever preferred_lft forever
> 4: br100: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
>     link/ether 00:0c:29:cf:ec:d7 brd ff:ff:ff:ff:ff:ff
>     inet6 fe80::20c:29ff:fecf:ecd7/64 scope link
>        valid_lft forever preferred_lft forever
>
> On compute-controller:
>
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
>     inet 169.254.169.254/32 scope link lo
>     inet6 ::1/128 scope host
>        valid_lft forever preferred_lft forever
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br100 state UP qlen 1000
>     link/ether 00:0c:29:88:31:51 brd ff:ff:ff:ff:ff:ff
> 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
>     link/ether 00:0c:29:88:31:5b brd ff:ff:ff:ff:ff:ff
>     inet 192.168.7.151/27 brd 192.168.7.159 scope global eth1
>     inet6 fe80::20c:29ff:fe88:315b/64 scope link
>        valid_lft forever preferred_lft forever
> 4: br100: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
>     link/ether 00:0c:29:88:31:51 brd ff:ff:ff:ff:ff:ff
>     inet 10.0.0.3/27 brd 10.0.0.31 scope global br100
>     inet 192.168.4.33/27 brd 192.168.4.63 scope global br100
>     inet6 fe80::20c:29ff:fe88:3151/64 scope link
>        valid_lft forever preferred_lft forever
>
> Could anyone tell me why? Or tell me how openstack sets the network bridge on
> the compute-node so that I can figure out what happened.
>
> My nova.conf:
>
>
> --dhcpbridge_flagfile=/etc/nova/nova.conf
> --dhcpbridge=/usr/bin/nova-dhcpbridge
> --logdir=/var/log/nova
> --state_path=/var/lib/nova
> --lock_path=/run/lock/nova
> --allow_admin_api=true
> --use_deprecated_auth=false
> --auth_strategy=keystone
> --scheduler_driver=nova.scheduler.simple.SimpleScheduler
> --s3_host=192.168.7.151
> --ec2_host=192.168.7.151
> --rabbit_host=192.168.7.151
> --cc_host=192.168.7.151
> --nova_url=http://192.168.7.151:8774/v1.1/
> --routing_source_ip=192.168.7.151
> --glance_api_servers=192.168.7.151:9292
> --image_service=nova.image.glance.GlanceImageService
> --iscsi_ip_prefix=192.168.4
> --sql_connection=mysql://root:hisoft@192.168.7.151/nova
> --ec2_url=http://192.168.7.151:8773/services/Cloud
> --keystone_ec2_url=http://192.168.7.151:5000/v2.0/ec2tokens
> --api_paste_config=/etc/nova/api-paste.ini
> --libvirt_type=qemu
> --libvirt_use_virtio_for_bridges=true
> --start_guests_on_host_boot=true
> --resume_guests_state_on_host_boot=true
> # vnc specific configuration
> --novnc_enabled=true
> --novncproxy_base_url=http://192.168.7.151:6080/vnc_auto.html
> --vncserver_proxyclient_address=192.168.7.151
> --vncserver_listen=192.168.7.151
> # network specific settings
> --network_manager=nova.network.manager.FlatDHCPManager
> --public_interface=eth1
> --flat_network_bridge=br100
> --fixed_range=192.168.4.1/27
> --floating_range=192.168.7.208/28
> --network_size=32
> --flat_network_dhcp_start=192.168.4.33
> --flat_injected=False
> --force_dhcp_release
> --iscsi_helper=tgtadm
> --connection_type=libvirt
> --root_helper=sudo nova-rootwrap
> --verbose
>
> And nova version:
>
> # nova-manage version
> 2012.1 (2012.1-LOCALBRANCH:LOCALREVISION)
>
> Thank you in advance.
>
> *David(李跃洲)*
>
> *E-MAIL: yuezhou.li at hisoft.com*
>
>
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to     : openstack at lists.launchpad.net
> Unsubscribe : https://launchpad.net/~openstack
> More help   : https://help.launchpad.net/ListHelp
>
> --
> Emilien Macchi
> *SysAdmin (Intern)*
> *www.stackops.com* | emilien.macchi at stackops.com
>
> ***************** PRIVILEGED AND CONFIDENTIAL ****************
> We hereby inform you, as addressee of this message, that e-mail and
> Internet do not guarantee the confidentiality, nor the completeness or
> proper reception of the messages sent and, thus, STACKOPS TECHNOLOGIES S.L.
> does not assume any liability for those circumstances. Should you not agree
> to the use of e-mail or to communications via Internet, you are kindly
> requested to notify us immediately. This message is intended exclusively
> for the person to whom it is addressed and contains privileged and
> confidential information protected from disclosure by law. If you are not
> the addressee indicated in this message, you should immediately delete it
> and any attachments and notify the sender by reply e-mail. In such case,
> you are hereby notified that any dissemination, distribution, copying or
> use of this message or any attachments, for any purpose, is strictly
> prohibited by law.
>



-- 
Emilien Macchi
*SysAdmin (Intern)*
*www.stackops.com* | emilien.macchi at stackops.com
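
An added example, not part of the original thread and not nova's own code: a Python check over the three things this thread looks at (ip_forward, the nova-network-snat rule against routing_source_ip, and the SNAT source range against the addresses in use). The function names are hypothetical and the sample input is constructed from the values David posted.

```python
import ipaddress
import re

# Constructed sample input: values copied from the iptables-save output,
# nova.conf and `ip addr` listing posted in this thread.
NAT_RULES = """\
-A nova-network-snat -j nova-network-float-snat
-A nova-network-snat -s 192.168.4.0/27 -j SNAT --to-source 192.168.7.151
"""
NOVA_CONF = """\
--routing_source_ip=192.168.7.151
--fixed_range=192.168.4.1/27
--flat_network_dhcp_start=192.168.4.33
"""
BR100_ADDRS = ["10.0.0.3/27", "192.168.4.33/27"]

SNAT_RE = re.compile(r"^-A nova-network-snat -s (\S+) -j SNAT --to-source (\S+)$", re.M)


def parse_flags(text):
    """Parse flagfile-style nova.conf lines (--key=value) into a dict."""
    flags = {}
    for line in text.splitlines():
        if line.startswith("--"):
            key, _, value = line[2:].strip().partition("=")
            flags[key] = value
    return flags


def check_snat(nat_rules, conf_text, bridge_addrs, ip_forward="1"):
    """Return a list of findings; an empty list means every check passed."""
    flags = parse_flags(conf_text)
    findings = []
    if ip_forward.strip() != "1":
        findings.append("net.ipv4.ip_forward is not 1")
    rule = SNAT_RE.search(nat_rules)
    if rule is None:
        return findings + ["no SNAT rule in nova-network-snat"]
    snat_net = ipaddress.ip_network(rule.group(1), strict=False)
    if rule.group(2) != flags.get("routing_source_ip"):
        findings.append("--to-source differs from routing_source_ip")
    start = ipaddress.ip_address(flags["flat_network_dhcp_start"])
    if start not in snat_net:
        findings.append(f"dhcp_start {start} outside SNAT source {snat_net}")
    if not any(ipaddress.ip_interface(a).ip in snat_net for a in bridge_addrs):
        findings.append(f"no br100 address inside SNAT source {snat_net}")
    return findings


print(check_snat(NAT_RULES, NOVA_CONF, BR100_ADDRS))
```

On the posted values it returns two findings, because 192.168.4.33 lies outside 192.168.4.0/27 (addresses .0 to .31); the thread itself does not establish whether that is the cause of the reported problem.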
