[Openstack] [neutron] provider router with private networks, can not ping private IP and floating IP

sylecn sylecn at gmail.com
Mon Nov 18 01:28:15 UTC 2013


Here is the route -n and ifconfig output from the qdhcp namespace:

root@172-17-6-68:/var/log/neutron# ip netns exec qdhcp-a63f0950-cdea-4a6d-8312-1819113dc244 route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.0.1.1        0.0.0.0         UG    0      0        0 tap35a8ab42-4f
10.0.1.0        0.0.0.0         255.255.255.0   U     0      0        0 tap35a8ab42-4f
root@172-17-6-68:/var/log/neutron# ip netns exec qdhcp-a63f0950-cdea-4a6d-8312-1819113dc244 ifconfig
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:27 errors:0 dropped:0 overruns:0 frame:0
          TX packets:27 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:4768 (4.7 KB)  TX bytes:4768 (4.7 KB)

tap35a8ab42-4f Link encap:Ethernet  HWaddr fa:16:3e:44:c2:0a
          inet addr:10.0.1.2  Bcast:10.0.1.255  Mask:255.255.255.0
          inet6 addr: fe80::f816:3eff:fe44:c20a/64 Scope:Link
          UP BROADCAST RUNNING  MTU:1500  Metric:1
          RX packets:50 errors:0 dropped:0 overruns:0 frame:0
          TX packets:36 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2624 (2.6 KB)  TX bytes:2000 (2.0 KB)




On Mon, Nov 18, 2013 at 9:24 AM, sylecn <sylecn at gmail.com> wrote:

> I have enabled namespace, but I did not use overlapping IP addresses so
> far.
>
> Here is the result of the netns command:
>
> root@172-17-6-68:/var/log/neutron# ip netns show
> qrouter-c5b513fa-6d6a-476f-bfc0-2114954a15aa
> qdhcp-a63f0950-cdea-4a6d-8312-1819113dc244
> root@172-17-6-68:/var/log/neutron# ip netns exec qdhcp-a63f0950-cdea-4a6d-8312-1819113dc244 ping 10.0.1.3
> PING 10.0.1.3 (10.0.1.3) 56(84) bytes of data.
> From 10.0.1.2 icmp_seq=1 Destination Host Unreachable
> From 10.0.1.2 icmp_seq=2 Destination Host Unreachable
> From 10.0.1.2 icmp_seq=3 Destination Host Unreachable
> From 10.0.1.2 icmp_seq=4 Destination Host Unreachable
> From 10.0.1.2 icmp_seq=5 Destination Host Unreachable
> From 10.0.1.2 icmp_seq=6 Destination Host Unreachable
> From 10.0.1.2 icmp_seq=7 Destination Host Unreachable
> From 10.0.1.2 icmp_seq=8 Destination Host Unreachable
> From 10.0.1.2 icmp_seq=9 Destination Host Unreachable
> From 10.0.1.2 icmp_seq=10 Destination Host Unreachable
> From 10.0.1.2 icmp_seq=11 Destination Host Unreachable
> From 10.0.1.2 icmp_seq=12 Destination Host Unreachable
> ^C
> --- 10.0.1.3 ping statistics ---
> 13 packets transmitted, 0 received, +12 errors, 100% packet loss, time 12061ms
> pipe 3
> root@172-17-6-68:/var/log/neutron#
>
> Using ip netns exec qdhcp-* ping, I can ping 10.0.1.1 and 10.0.1.2.
> However, ping 10.0.1.3 still fails.
>
>
>
> On Mon, Nov 18, 2013 at 12:59 AM, Kyle Mestery (kmestery) <
> kmestery at cisco.com> wrote:
>
>> On Nov 17, 2013, at 2:45 AM, sylecn <sylecn at gmail.com> wrote:
>> >
>> > Thanks for the information. Now I have configured a provider router based network, with Open vSwitch GRE tunnels.
>> >
>> > Here is the network topology:
>> >
>> > external network: 172.17.0.0/16
>> > external network physical router: 172.17.0.1
>> > neutron node IP: 172.17.6.68
>> >
>> > virtual provider router: 172.17.6.70
>> >
>> > virtual subnet1: 10.0.1.0/24
>> >
>> > Now I can boot a vm instance and it got an IP from private IP pool (10.0.1.3). I can also associate a floating IP to it (172.17.6.71). But I can't ping the private ip nor the floating ip.
>> >
>> > From the neutron node, I can ping 172.17.6.70, but can't ping 10.0.1.1, 10.0.1.3, 172.17.6.71.
>> > So I can't ssh into the vm. My guess is something is wrong with the 10.0.1.0/24 network, but I don't know what.
>> >
>> Are you set up to use network namespaces with overlapping IP addresses? If
>> so, each tenant network will have its own network namespace on the node
>> running the Neutron L3 agent. To see these, run this command:
>>
>> ip netns show
>>
>> From the qdhcp-* one, you can try to ping your tenant network address:
>>
>> ip netns exec qdhcp-* ping 10.0.1.3
>>
>> Let me know if that helps.
>>
>> Thanks,
>> Kyle
>>
>> > I used the NoopFirewallDriver in OVS plugin, so icmp and tcp:22 are not blocked by security-group rules.
>> >
>> > Here is the current setup:
>> > (neutron) net-list
>> > +--------------------------------------+--------+----------------------------------------------------+
>> > | id                                   | name   | subnets                                            |
>> > +--------------------------------------+--------+----------------------------------------------------+
>> > | a63f0950-cdea-4a6d-8312-1819113dc244 | net1   | 708f2a58-bd85-4493-b91c-a6d42c0db5e7 10.0.1.0/24   |
>> > | ee318d0b-74e5-43c6-92bd-abb690df3334 | extnet | 4c111c62-50f2-4332-b635-57846cf1980c 172.17.0.0/16 |
>> > +--------------------------------------+--------+----------------------------------------------------+
>> > (neutron) subnet-list
>> > +--------------------------------------+---------+---------------+------------------------------------------------+
>> > | id                                   | name    | cidr          | allocation_pools                               |
>> > +--------------------------------------+---------+---------------+------------------------------------------------+
>> > | 4c111c62-50f2-4332-b635-57846cf1980c | extnet  | 172.17.0.0/16 | {"start": "172.17.6.70", "end": "172.17.6.75"} |
>> > | 708f2a58-bd85-4493-b91c-a6d42c0db5e7 | subnet1 | 10.0.1.0/24   | {"start": "10.0.1.2", "end": "10.0.1.254"}     |
>> > +--------------------------------------+---------+---------------+------------------------------------------------+
>> > (neutron) port-list
>> > +--------------------------------------+------+-------------------+------------------------------------------------------------------------------------+
>> > | id                                   | name | mac_address       | fixed_ips                                                                          |
>> > +--------------------------------------+------+-------------------+------------------------------------------------------------------------------------+
>> > | 234b4e76-7b7a-461f-8b61-2b7c58165fd2 |      | fa:16:3e:86:95:d3 | {"subnet_id": "708f2a58-bd85-4493-b91c-a6d42c0db5e7", "ip_address": "10.0.1.1"}    |
>> > | 35a8ab42-4f1a-4f1e-b656-ab4dd0e83725 |      | fa:16:3e:44:c2:0a | {"subnet_id": "708f2a58-bd85-4493-b91c-a6d42c0db5e7", "ip_address": "10.0.1.2"}    |
>> > | 85f4d2d7-c92b-4bc1-b080-2b1978bb6e17 |      | fa:16:3e:cd:77:17 | {"subnet_id": "708f2a58-bd85-4493-b91c-a6d42c0db5e7", "ip_address": "10.0.1.3"}    |
>> > | 9a24c2e9-a6da-4a24-93d4-9eef8cb0bcfa |      | fa:16:3e:01:a2:ef | {"subnet_id": "4c111c62-50f2-4332-b635-57846cf1980c", "ip_address": "172.17.6.70"} |
>> > | f508b629-6e95-4be4-89c0-b37be3907231 |      | fa:16:3e:7c:41:0a | {"subnet_id": "4c111c62-50f2-4332-b635-57846cf1980c", "ip_address": "172.17.6.71"} |
>> > +--------------------------------------+------+-------------------+------------------------------------------------------------------------------------+
>> > (neutron) port-show 234b4e76-7b7a-461f-8b61-2b7c58165fd2
>> > +-----------------------+---------------------------------------------------------------------------------+
>> > | Field                 | Value                                                                           |
>> > +-----------------------+---------------------------------------------------------------------------------+
>> > | admin_state_up        | True                                                                            |
>> > | allowed_address_pairs |                                                                                 |
>> > | binding:capabilities  | {"port_filter": false}                                                          |
>> > | binding:host_id       | 172-17-6-68.yygamedev.com                                                       |
>> > | binding:vif_type      | ovs                                                                             |
>> > | device_id             | c5b513fa-6d6a-476f-bfc0-2114954a15aa                                            |
>> > | device_owner          | network:router_interface                                                        |
>> > | extra_dhcp_opts       |                                                                                 |
>> > | fixed_ips             | {"subnet_id": "708f2a58-bd85-4493-b91c-a6d42c0db5e7", "ip_address": "10.0.1.1"} |
>> > | id                    | 234b4e76-7b7a-461f-8b61-2b7c58165fd2                                            |
>> > | mac_address           | fa:16:3e:86:95:d3                                                               |
>> > | name                  |                                                                                 |
>> > | network_id            | a63f0950-cdea-4a6d-8312-1819113dc244                                            |
>> > | status                | ACTIVE                                                                          |
>> > | tenant_id             | 860483f3ceeb43aab4d1f0e8f76b4064                                                |
>> > +-----------------------+---------------------------------------------------------------------------------+
>> > (neutron)
>> > root@172-17-6-68:/etc/neutron# nova list
>> > +--------------------------------------+------+--------+------------+-------------+----------------------------+
>> > | ID                                   | Name | Status | Task State | Power State | Networks                   |
>> > +--------------------------------------+------+--------+------------+-------------+----------------------------+
>> > | ec214f0b-eede-421e-9036-a1b56bff3c37 | c1   | ACTIVE | None       | Running     | net1=10.0.1.3, 172.17.6.71 |
>> > +--------------------------------------+------+--------+------------+-------------+----------------------------+
>> >
>> >
>>
>>
>>
>