[Openstack] Instances and ARP

Joe Warren-Meeks joe.warren.meeks at gmail.com
Wed Jan 23 17:10:18 UTC 2013


Hi all,

Thanks to Belmiro, I found how to fix this properly, rather than a hack.

For future googlers,

cd /etc/libvirt/nwfilter
cp nova-base.xml nova-base.xml.bak
virsh nwfilter-edit nova-base
remove or comment out the spoof lines you don't want

New instances won't have the rules.

To update old instances:
virsh destroy instance-xxx
virsh undefine instance-xxx
cd /var/lib/nova/instances/instance-xxx
virsh define libvirt.xml
virsh start instance-xxx

Thanks all.

 -- joe.



On 21 January 2013 11:49, Belmiro Moreira <moreira.belmiro.email.lists at gmail.com> wrote:

> Hi Joe,
> nova network filtering rules are preventing ip-spoofing.
> There is a proposal to modify this behavior when using HA in instances.
> See thread:
> [openstack-dev] VM level HA. Changes in firewall.py question.
>
> You can check with:
> virsh nwfilter-dumpxml nova-base
>
> cheers,
> Belmiro
>
> On Jan 21, 2013, at 12:25 PM, Joe Warren-Meeks <joe.warren.meeks at gmail.com>
> wrote:
>
> > Hi guys,
> >
> > I've got openstack essex configured with vlanmanager and an external
> > gateway and all my networking runs ok generally.
> >
> > However, I'm trying to set up Linux HA on two instances. They run on
> > separate compute nodes and can see each other just fine. hb_takeover and
> > hb_standby work perfectly. The problem is that nothing outside of the
> > instance with the HA IP address can connect to it.
> >
> > It seems that something is ignoring the arp is-at from the instance.
> > Doing a tcpdump on the compute node's bridged network and the instance's
> > eth0 I can see arp requests and responses fine for its main IP, but when I try
> > to get to the alias address, I see arp requests only on the compute side.
> > On the instance side I see it responding, but this doesn't show up on the
> > bridged interface on the compute node.
> >
> > Has anyone seen this before? My google-fu is failing to find anything.
> >
> > Kind regards
> >
> >  -- joe.
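Added example (not part of the original thread): a shell check for the nova-base edit described above. It lists the filterrefs that are in nova-base.xml.bak but no longer in the edited filter, i.e. the protections new instances on this host will not receive. The XML is a constructed sample and the function names are hypothetical; on a real host the second file would be the output of virsh nwfilter-dumpxml nova-base.

```shell
#!/bin/sh
# Print the filter names referenced by a nwfilter XML file, one per line,
# ignoring references that sit inside XML comments (single- or multi-line).
filterrefs() {
    sed -e 's/<!--.*-->//g' -e '/<!--/,/-->/d' "$1" |
        grep -o "<filterref[^>]*filter=['\"][^'\"]*['\"]" |
        sed -e "s/.*filter=['\"]//" -e "s/['\"]\$//" |
        sort -u
}

# Print filter names present in the backup ($1) but absent from the
# current definition ($2).
removed_refs() {
    old=$(mktemp) && new=$(mktemp) || return 1
    filterrefs "$1" > "$old"
    filterrefs "$2" > "$new"
    comm -23 "$old" "$new"
    rm -f "$old" "$new"
}

# Constructed sample: a backup with four filterrefs and an edited copy in
# which two of them have been commented out.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/nova-base.xml.bak" <<'EOF'
<filter name='nova-base' chain='root'>
  <filterref filter='no-mac-spoofing'/>
  <filterref filter='no-ip-spoofing'/>
  <filterref filter='no-arp-spoofing'/>
  <filterref filter='allow-dhcp-server'/>
</filter>
EOF
    cat > "$dir/nova-base.xml" <<'EOF'
<filter name='nova-base' chain='root'>
  <filterref filter='no-mac-spoofing'/>
  <!-- <filterref filter='no-ip-spoofing'/> -->
  <!--
  <filterref filter='no-arp-spoofing'/>
  -->
  <filterref filter='allow-dhcp-server'/>
</filter>
EOF
    removed_refs "$dir/nova-base.xml.bak" "$dir/nova-base.xml"
    rm -rf "$dir"
}

demo
```

Anything the check prints is a protection that has been switched off for every new instance on that compute node, not only the HA pair, so the list is worth recording alongside the .bak file.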