[Openstack] Instances and ARP

Belmiro Moreira moreira.belmiro.email.lists at gmail.com
Mon Jan 21 11:49:41 UTC 2013


Hi Joe,
Nova network filtering rules are preventing IP spoofing.
There is a proposal to modify this behavior when using HA in instances. 
See thread: 
[openstack-dev] VM level HA. Changes in firewall.py question.

You can check with:
virsh nwfilter-dumpxml nova-base

cheers,
Belmiro

On Jan 21, 2013, at 12:25 PM, Joe Warren-Meeks <joe.warren.meeks at gmail.com> wrote:

> Hi guys,
> 
> I've got OpenStack Essex configured with vlanmanager and an external gateway and all my networking runs ok generally.
> 
> However, I'm trying to set up Linux HA on two instances. They run on separate compute nodes and can see each other just fine. hb_takeover and hb_standby work perfectly. The problem is that nothing outside of the instance with the HA IP address can connect to it.
> 
> It seems that something is ignoring the ARP is-at from the instance. Doing a tcpdump on the compute node's bridged network and the instance's eth0 I can see ARP requests and responses fine for its main IP, but when I try to get to the alias address, I see ARP requests only on the compute side. On the instance side I see it responding, but this doesn't show up on the bridged interface on the compute node.
> 
> Has anyone seen this before? My google-fu is failing to find anything.
> 
> Kind regards
> 
>  -- joe.
> 
> 

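An added example, not part of the original thread and not nova or libvirt code: a small Python model of the per-interface ARP anti-spoofing check that explains the symptom above, where the is-at for the alias address is visible on the instance's eth0 but never reaches the bridge. It assumes the filter behaves like libvirt's stock `no-arp-spoofing` filter (drop guest ARP whose sender MAC or sender IP is not the one bound to the interface); all addresses and function names are constructed for illustration.

```python
import socket
import struct

# Constructed sample values (not taken from the thread).
GUEST_MAC = "fa:16:3e:00:00:01"
FIXED_IP = "10.0.0.5"        # address nova assigned to the instance
HA_ALIAS_IP = "10.0.0.100"   # floating HA address added inside the guest
PEER_MAC = "fa:16:3e:00:00:fe"
PEER_IP = "10.0.0.1"

def build_arp_reply(src_mac, src_ip, dst_mac, dst_ip):
    """Build a constructed Ethernet + ARP is-at frame as the guest would send it."""
    smac = bytes.fromhex(src_mac.replace(":", ""))
    dmac = bytes.fromhex(dst_mac.replace(":", ""))
    eth = dmac + smac + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)  # Ethernet/IPv4, opcode 2 = reply
    return eth + arp + smac + socket.inet_aton(src_ip) + dmac + socket.inet_aton(dst_ip)

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip), or None if not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != 0x0806:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    mac = ":".join(f"{b:02x}" for b in frame[22:28])
    return op, mac, socket.inet_ntoa(frame[28:32])

def arp_filter_verdict(frame, bound_mac, bound_ips):
    """Simplified model of the anti-spoofing decision for one frame leaving the guest."""
    parsed = parse_arp(frame)
    if parsed is None:
        return "not-arp"
    _, mac, ip = parsed
    if mac != bound_mac.lower():
        return "drop: sender MAC not bound to this interface"
    if ip not in bound_ips:
        return "drop: sender IP not bound to this interface"
    return "accept"

if __name__ == "__main__":
    for ip in (FIXED_IP, HA_ALIAS_IP):
        frame = build_arp_reply(GUEST_MAC, ip, PEER_MAC, PEER_IP)
        print(ip, "->", arp_filter_verdict(frame, GUEST_MAC, {FIXED_IP}))
```

The reply for the fixed IP is accepted and the one for the alias is dropped, which matches what tcpdump shows on either side of the filter; compare against the actual rules with the `virsh nwfilter-dumpxml` command given above.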