[Openstack] [IceHouse][Trusty] iptables rules disappeared from within Tenant Namespace (qdhcp-XXX), all tenants affected! Metadata not working anymore...

Martinx - ジェームズ thiagocmartinsc at gmail.com
Sat Aug 16 00:10:50 UTC 2014 

Guys,

Today I'm facing a old/new problem... Metadata doesn't work anymore
(again)... From an already running instance, I'm seeing:


---
ubuntu at linux-builder-1:~$ curl http://169.254.169.254/
curl: (7) Failed to connect to 169.254.169.254 port 80: Connection refused
---


Then, I looked at my Neutron Node, at this tenant Namespace, there are no
iptables rules there, look:

---
root at neutron-node-1:/var/log/neutron# ip netns exec
qdhcp-f0076840-43f3-4b2e-aa15-d6b2422e3795 iptables -L -nv -t nat
Chain PREROUTING (policy ACCEPT 4 packets, 776 bytes)
 pkts bytes target     prot opt in     out     source
destination

Chain INPUT (policy ACCEPT 4 packets, 776 bytes)
 pkts bytes target     prot opt in     out     source
destination

Chain OUTPUT (policy ACCEPT 1 packets, 328 bytes)
 pkts bytes target     prot opt in     out     source
destination

Chain POSTROUTING (policy ACCEPT 1 packets, 328 bytes)
 pkts bytes target     prot opt in     out     source
destination


root at neutron-node-1:/var/log/neutron# ip netns exec
qdhcp-f0076840-43f3-4b2e-aa15-d6b2422e3795 ip -4 r
default via 10.192.0.1 dev tap216bf57d-e8
10.192.0.0/20 dev tap216bf57d-e8  proto kernel  scope link  src 10.192.0.3
169.254.0.0/16 dev tap216bf57d-e8  proto kernel  scope link  src
169.254.169.254
---


I can see that "curl request" within the Namespace, with tcpdump:
---
root at neutron-node-1:~# ip netns exec
qdhcp-f0076840-43f3-4b2e-aa15-d6b2422e3795 tcpdump -ni tap216bf57d-e8



tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tap216bf57d-e8, link-type EN10MB (Ethernet), capture size
65535 bytes
21:01:29.582960 IP 10.192.0.90.55635 > 169.254.169.254.80: Flags [S], seq
2521313833, win 29200, options [mss 1460,sackOK,TS val 85649833 ecr
0,nop,wscale 7], length 0
21:01:29.583140 IP 169.254.169.254.80 > 10.192.0.90.55635: Flags [R.], seq
0, ack 2521313834, win 0, length 0
---


If I'm not wrong, there was some iptables NAT rules there, to redirect the
Metadata traffic to the Nova API (controller-node-1) at TCP port 8775,
right?!

I'm using `VLAN Provider Networks` (No L3 Router), my Instances have a
route to the 169.254.169.254 IP, via their Namespace IP (10.192.0.3), look:

---
ubuntu at linux-builder-1:~$ ip r
default via 10.192.0.1 dev eth0
10.192.0.0/20 dev eth0  proto kernel  scope link  src 10.192.0.90
169.254.169.254 via 10.192.0.3 dev eth0

ubuntu at linux-builder-1:~$ ping -c 1 10.192.0.3
PING 10.192.0.3 (10.192.0.3) 56(84) bytes of data.
64 bytes from 10.192.0.3: icmp_seq=1 ttl=64 time=4.55 ms
---

It crashed today, it was okay yesterday... This time, I did nothing wrong
(I think)...   :-(

BTW, I just upgraded all nodes (apt-get update / dist-upgrade), still
doesn't work... Proposed repo enabled.

I really appreciate any help!

Tks!
Thiago
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20140815/d7f9a500/attachment.html>

More information about the Openstack mailing list