[Openstack] Quantum+Openvswitch: could not open /dev/net/tun: Operation not permitted

Dan Wendlandt dan at nicira.com
Sat May 26 20:40:03 UTC 2012


Hi Igor,

I'd first access the VM via VNC and make sure it has booted and is getting
an IP address via DHCP.  The easiest way to do this is using the VNC
consoles exposed via Horizon, but you can also use a tool like vncviewer
directly from the command line.

If you think it may be an issue with security groups, running nova with the
following flag will disable security groups so you can see if that is what
is blocking the traffic:
firewall_driver=nova.virt.firewall.NoopFirewallDriver .  Of course, you'll
need to restart nova-compute.  With devstack, you can set this in your
localrc: LIBVIRT_FIREWALL_DRIVER=nova.virt.firewall.NoopFirewallDriver .

Dan


On Sat, May 26, 2012 at 11:31 AM, Igor Laskovy <igor.laskovy at gmail.com> wrote:

> Thank you Dan, Chris, Dean and Soheil for help. I very much appreciate your
> help!
>
> Yes, I am using Precise for this lab and after I have added /dev/net/tun
> to the cgroup_device_acl list I have ACTIVE state for my running
> instances. BTW, the doc
> http://openvswitch.org/openstack/documentation/ already has this
> clarification, thanks))
>
> Well, although the instances are running, I can't ping or ssh to them.
> I have already done this:
> $ nova secgroup-add-rule default icmp -1 -1 0.0.0.0/0
> $ nova secgroup-add-rule default tcp 22 22 0.0.0.0/0
> but it didn't help!
>
> On Fri, May 25, 2012 at 12:40 AM, Dan Wendlandt <dan at nicira.com> wrote:
> > Hi Igor,
> >
> > Are you running this on Precise?  If so, Precise is a bit pickier than
> > previous versions about requiring a setting in /etc/libvirt/qemu.conf
> >
> > You need to add /dev/net/tun to the cgroup_device_acl list in that file,
> > and restart libvirt.
> >
> > This is actually handled automatically by a branch I've pushed for
> > review in devstack: https://review.openstack.org/#/c/7001/
> >
> > It has lots of positive reviews, but still needs one more core review and
> > I've been waiting a while.  If you're a devstack core, please give me a
> > hand! :)
> >
> > Dan
> >
> > p.s.  the root cause of needing to tweak /etc/libvirt/qemu.conf is that
> > we're using libvirt <interface type=ethernet> elements to work with
> > openvswitch.  Starting in libvirt 0.9.11 (not available in precise),
> > openvswitch is integrated directly with libvirt, meaning that using
> > type=ethernet (and the workaround) is no longer necessary.
> >
> >
> > On Thu, May 24, 2012 at 1:05 PM, Igor Laskovy <igor.laskovy at gmail.com>
> > wrote:
> >>
> >> Hello all from sunny Kiev))
> >>
> >> I have built nova+quantum+openvswitch without nova-volume lab on two
> >> nodes - one controller with everything on it except nova-compute and
> >> second dedicated compute node with nova-compute:
> >>
> >> While creating a VM I get an error which I still can't fix:
> >> $ nova boot --image precise --flavor m1.tiny  my-precise-vm3
> >> $ nova list
> >> +--------------------------------------+----------------+--------+----------+
> >> |                  ID                  |      Name      | Status | Networks |
> >> +--------------------------------------+----------------+--------+----------+
> >> | 5a72aa9f-5743-486a-9496-130d367bc665 | my-precise-vm3 | ERROR  |          |
> >> +--------------------------------------+----------------+--------+----------+
> >>
> >> # cat /var/log/libvirt/qemu/instance-00000012.log
> >> 2012-05-24 19:51:47.994+0000: starting up
> >> LC_ALL=C PATH=/usr/local/sbin:/usr/local/bin:/usr/bin:/usr/sbin:/sbin:/bin
> >> QEMU_AUDIO_DRV=none /usr/bin/kvm -S -M pc-1.0 -enable-kvm -m 512 -smp
> >> 1,sockets=1,cores=1,threads=1 -name instance-00000012 -uuid
> >> 5a72aa9f-5743-486a-9496-130d367bc665 -nodefconfig -nodefaults -chardev
> >> socket,id=charmonitor,path=/var/lib/libvirt/qemu/instance-00000012.monitor,server,nowait
> >> -mon chardev=charmonitor,id=monitor,mode=control -rtc base=utc
> >> -no-shutdown -drive
> >> file=/var/lib/nova/instances/instance-00000012/disk,if=none,id=drive-virtio-disk0,format=qcow2,cache=none
> >> -device
> >> virtio-blk-pci,bus=pci.0,addr=0x5,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=1
> >> -netdev tap,ifname=tap24b9f3da-8b,script=,id=hostnet0 -device
> >> rtl8139,netdev=hostnet0,id=net0,mac=fa:16:3e:49:f1:a9,bus=pci.0,addr=0x3
> >> -netdev tap,ifname=tapcdd6bc93-86,script=,id=hostnet1 -device
> >> rtl8139,netdev=hostnet1,id=net1,mac=fa:16:3e:68:94:b4,bus=pci.0,addr=0x4
> >> -chardev
> >> file,id=charserial0,path=/var/lib/nova/instances/instance-00000012/console.log
> >> -device isa-serial,chardev=charserial0,id=serial0 -chardev
> >> pty,id=charserial1 -device isa-serial,chardev=charserial1,id=serial1
> >> -usb -device usb-tablet,id=input0 -vnc 192.168.1.71:0 -k en-us -vga
> >> cirrus -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x6
> >> Domain id=4 is tainted: shell-scripts
> >> char device redirected to /dev/pts/2
> >> kvm: -netdev tap,ifname=tap24b9f3da-8b,script=,id=hostnet0: could not
> >> open /dev/net/tun: Operation not permitted
> >> kvm: -netdev tap,ifname=tap24b9f3da-8b,script=,id=hostnet0: Device
> >> 'tap' could not be initialized
> >> 2012-05-24 19:51:48.175+0000: shutting down
> >>
> >> /var/lib/nova/instances/instance-00000012# virsh create libvirt.xml
> >> error: Failed to create domain from libvirt.xml
> >> error: internal error Process exited while reading console log output:
> >> char device redirected to /dev/pts/2
> >> kvm: -netdev tap,ifname=tap24b9f3da-8b,script=,id=hostnet0: could not
> >> open /dev/net/tun: Operation not permitted
> >> kvm: -netdev tap,ifname=tap24b9f3da-8b,script=,id=hostnet0: Device
> >> 'tap' could not be initialized
> >>
> >> Waiting for any advice!
> >>
> >> --
> >> Igor Laskovy
> >> Kiev, Ukraine
> >>
> >> _______________________________________________
> >> Mailing list: https://launchpad.net/~openstack
> >> Post to     : openstack at lists.launchpad.net
> >> Unsubscribe : https://launchpad.net/~openstack
> >> More help   : https://help.launchpad.net/ListHelp
> >
> >
> >
> >
> > --
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > Dan Wendlandt
> > Nicira, Inc: www.nicira.com
> > twitter: danwendlandt
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >
>
>
>
> --
> Igor Laskovy
> Kiev, Ukraine
>



-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Dan Wendlandt
Nicira, Inc: www.nicira.com
twitter: danwendlandt
~~~~~~~~~~~~~~~~~~~~~~~~~~~
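
Added example (not part of the original thread, and not code from nova,
libvirt or devstack): a small audit of the two settings discussed above. It
reports when /dev/net/tun is absent from the active cgroup_device_acl in
qemu.conf, and when NoopFirewallDriver is still set in nova.conf after
troubleshooting. The sample file contents and all function names are
constructed for illustration.

```python
import re

# Constructed sample inputs (not taken from the thread).
QEMU_CONF = '''\
# cgroup_device_acl = [ "/dev/null" ]   (commented-out line, ignored)
cgroup_device_acl = [
    "/dev/null", "/dev/full", "/dev/zero",
    "/dev/random", "/dev/urandom",
    "/dev/ptmx", "/dev/kvm", "/dev/kqemu",
    "/dev/rtc", "/dev/hpet"
]
'''
NOVA_CONF = '''\
[DEFAULT]
firewall_driver=nova.virt.firewall.NoopFirewallDriver
'''

def strip_comments(text):
    """Drop '#' comment lines so commented-out settings are not counted."""
    return "\n".join(l for l in text.splitlines()
                     if not l.lstrip().startswith("#"))

def cgroup_device_acl(qemu_conf):
    """Return the active cgroup_device_acl entries, or None if unset."""
    m = re.search(r"^\s*cgroup_device_acl\s*=\s*\[(.*?)\]",
                  strip_comments(qemu_conf), re.S | re.M)
    return re.findall(r'"([^"]+)"', m.group(1)) if m else None

def firewall_driver(nova_conf):
    """Return the active firewall_driver value from nova.conf, or None."""
    m = re.search(r"^\s*firewall_driver\s*=\s*(\S+)",
                  strip_comments(nova_conf), re.M)
    return m.group(1) if m else None

def audit(qemu_conf, nova_conf):
    """List findings for the two settings named in the thread."""
    findings = []
    acl = cgroup_device_acl(qemu_conf)
    if acl is None:
        findings.append("cgroup_device_acl is not set explicitly")
    elif "/dev/net/tun" not in acl:
        findings.append("/dev/net/tun missing from cgroup_device_acl")
    if firewall_driver(nova_conf) == "nova.virt.firewall.NoopFirewallDriver":
        findings.append("NoopFirewallDriver active: security groups not enforced")
    return findings

if __name__ == "__main__":
    for finding in audit(QEMU_CONF, NOVA_CONF):
        print("FINDING:", finding)
```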