[Openstack] openstack havana with neutron can't ping instance

Anatoly Oreshkin Anatoly.Oreshkin at pnpi.spb.ru
Sun Mar 16 17:36:21 UTC 2014


Hello,

I've installed OpenStack Havana with Neutron all-in-one on a single node under
Scientific Linux 6.4
with multiple NICs, specifically eth0 with public network 212.190.96.128/27
and eth2 with internal network 192.168.1.0/24.

All openstack components were installed on ip address 212.190.96.14  (eth0)
CONFIG_NOVA_NETWORK_PUBIF=eth0


OpenStack configuration follows:

/etc/neutron/plugin.ini

[OVS]
vxlan_udp_port=4789
tenant_network_type=local
enable_tunneling=False
integration_bridge=br-int
network_vlan_ranges = physnet1
bridge_mappings = physnet1:br-ex

[AGENT]
polling_interval=2

[SECURITYGROUP]
firewall_driver=neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver

Floating ip addresses are allocated from public ip range 212.190.96.140 -
212.190.96.142  (eth0)

Routing tables on my node

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
212.190.96.128  *               255.255.255.224 U     0      0        0 br-ex
192.168.1.0     *               255.255.255.0   U     0      0        0 eth2
192.168.0.0     *               255.255.255.0   U     0      0        0 eth3
link-local      *               255.255.0.0     U     1002   0        0 eth0
link-local      *               255.255.0.0     U     1004   0        0 eth2
link-local      *               255.255.0.0     U     1005   0        0 eth3
link-local      *               255.255.0.0     U     1011   0        0 br-ex
default         212.190.96.129  0.0.0.0         UG    0      0        0 br-ex




 I launched instance from dashboard and instance was allocated  ip address 10.0.0.3
from private network  10.0.0.0/24. Then I allocated the instance floating ip
address 212.190.96.141 from public network.

The problem is that I can't ping the instance either through the floating ip address
212.190.96.141 or the private address 10.0.0.3

~(keystone_admin)]# ip netns exec qdhcp-abe27f33-13e9-44d9-8f12-905cbccb615e ping 10.0.0.3
PING 10.0.0.3 (10.0.0.3) 56(84) bytes of data.

However from inside the instance I can ping any ip address.

But when I restart the linux firewall iptables ("service iptables restart") I can ping the
instance.
I can't understand why this happened. I suspect that the "linux firewall restart" deleted
the records from
iptables which were added by neutron when launching the instance and permitted me to
ping the instance.


Can anybody help me?

Any hint?

I provide additional information.

Network namespace of my openstack configuration:
# ip netns
qdhcp-abe27f33-13e9-44d9-8f12-905cbccb615e
qrouter-9080a234-308a-40c3-9dda-477e7a9cdd99

# ip netns exec qrouter-9080a234-308a-40c3-9dda-477e7a9cdd99 route -n

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
212.190.96.128  0.0.0.0         255.255.255.224 U     0      0        0 qg-fdd17595-7b
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 qr-67571cae-0a
0.0.0.0         212.190.96.129  0.0.0.0         UG    0      0        0 qg-fdd17595-7b

# ip netns exec qdhcp-abe27f33-13e9-44d9-8f12-905cbccb615e route -n

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tape150108a-ef
0.0.0.0         10.0.0.1        0.0.0.0         UG    0      0        0 tape150108a-ef


# ip netns exec qrouter-9080a234-308a-40c3-9dda-477e7a9cdd99 iptables -t nat -S

-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-P OUTPUT ACCEPT
-N neutron-l3-agent-OUTPUT
-N neutron-l3-agent-POSTROUTING
-N neutron-l3-agent-PREROUTING
-N neutron-l3-agent-float-snat
-N neutron-l3-agent-snat
-N neutron-postrouting-bottom
-A PREROUTING -j neutron-l3-agent-PREROUTING
-A POSTROUTING -j neutron-l3-agent-POSTROUTING
-A POSTROUTING -j neutron-postrouting-bottom
-A OUTPUT -j neutron-l3-agent-OUTPUT
-A neutron-l3-agent-OUTPUT -d 212.190.96.141/32 -j DNAT --to-destination 10.0.0.3
-A neutron-l3-agent-POSTROUTING ! -i qg-fdd17595-7b ! -o qg-fdd17595-7b -m conntrack ! --ctstate DNAT -j ACCEPT
-A neutron-l3-agent-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697
-A neutron-l3-agent-PREROUTING -d 212.190.96.141/32 -j DNAT --to-destination 10.0.0.3
-A neutron-l3-agent-float-snat -s 10.0.0.3/32 -j SNAT --to-source 212.190.96.141
-A neutron-l3-agent-snat -j neutron-l3-agent-float-snat
-A neutron-l3-agent-snat -s 10.0.0.0/24 -j SNAT --to-source 212.190.96.140
-A neutron-postrouting-bottom -j neutron-l3-agent-snat


# iptables -S | grep tap
-A neutron-openvswi-FORWARD -m physdev --physdev-out tapcfb4a18d-aa --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-in tapcfb4a18d-aa --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-INPUT -m physdev --physdev-in tapcfb4a18d-aa --physdev-is-bridged -j neutron-openvswi-ocfb4a18d-a
-A neutron-openvswi-sg-chain -m physdev --physdev-out tapcfb4a18d-aa --physdev-is-bridged -j neutron-openvswi-icfb4a18d-a
-A neutron-openvswi-sg-chain -m physdev --physdev-in tapcfb4a18d-aa --physdev-is-bridged -j neutron-openvswi-ocfb4a18d-a
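
A check for the state the post suspects, added here as an example and not part of the original message: it parses `iptables -S` output, finds each instance tap device's ingress security-group chain, and reports whether a new ICMP packet is returned (allowed) before the fallback drop. The rule sets are constructed; the per-port chain contents and the `neutron-openvswi-sg-fallback` chain name are assumptions about how the Neutron iptables driver lays out its chains, since the `grep tap` output above does not show them.

```python
# Constructed `iptables -S` (filter table) samples. Chain and tap names follow
# the post; the per-port chain contents are assumed (the post's grep hides them).
INTACT = """\
-N neutron-openvswi-icfb4a18d-a
-N neutron-openvswi-sg-chain
-N neutron-openvswi-sg-fallback
-A neutron-openvswi-sg-chain -m physdev --physdev-out tapcfb4a18d-aa --physdev-is-bridged -j neutron-openvswi-icfb4a18d-a
-A neutron-openvswi-icfb4a18d-a -m state --state INVALID -j DROP
-A neutron-openvswi-icfb4a18d-a -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-icfb4a18d-a -j neutron-openvswi-sg-fallback
-A neutron-openvswi-sg-fallback -j DROP
"""
# Same rule set after a security-group rule permitting ICMP ingress is added.
WITH_ICMP = INTACT.replace(
    "-A neutron-openvswi-icfb4a18d-a -j neutron-openvswi-sg-fallback",
    "-A neutron-openvswi-icfb4a18d-a -p icmp -j RETURN\n"
    "-A neutron-openvswi-icfb4a18d-a -j neutron-openvswi-sg-fallback")
# What is left when the neutron chains have been wiped by a firewall reload.
FLUSHED = "-P INPUT ACCEPT\n-P FORWARD ACCEPT\n-P OUTPUT ACCEPT\n"


def audit_ingress(rules_text):
    """Map each instance tap device to 'icmp-allowed' or 'icmp-blocked'.

    An empty dict means no per-port chains are loaded, so security groups
    are not being enforced by this rule set.
    """
    rules = [l.split() for l in rules_text.splitlines() if l.startswith("-A ")]
    # The sg-chain rule matching --physdev-out <tap> jumps to the ingress chain.
    ingress = {r[r.index("--physdev-out") + 1]: r[-1] for r in rules
               if r[1] == "neutron-openvswi-sg-chain" and "--physdev-out" in r}
    status = {}
    for tap, chain in ingress.items():
        status[tap] = "icmp-blocked"
        for r in (r for r in rules if r[1] == chain):
            if r[-1] == "neutron-openvswi-sg-fallback":
                break  # anything not returned before this point is dropped
            # Only a RETURN with no state or source restriction admits new
            # traffic from anywhere; it must be protocol-agnostic or ICMP.
            if (r[-1] == "RETURN" and "--state" not in r and "-s" not in r
                    and ("-p" not in r or r[r.index("-p") + 1] == "icmp")):
                status[tap] = "icmp-allowed"
                break
    return status


if __name__ == "__main__":
    for name, text in (("intact", INTACT), ("icmp", WITH_ICMP), ("flushed", FLUSHED)):
        print(name, audit_ingress(text) or "no neutron security-group chains")
```

On a live node the input would be the full output of `iptables -S` captured before and after the firewall service restart, so the two results can be compared.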







