[Openstack] openstack havana with neutron can't ping instance
Anatoly Oreshkin
Anatoly.Oreshkin at pnpi.spb.ru
Sun Mar 16 19:44:50 UTC 2014
In the dashboard, under Access & Security, I see the default security group, which is as follows:

Security Group Rules

Direction  Ether Type  IP Protocol  Port Range  Remote
Ingress    IPv4        Any          -           default
Egress     IPv4        Any          -           0.0.0.0/0 (CIDR)
Egress     IPv6        Any          -           ::/0 (CIDR)
Ingress    IPv6        Any          -           default

As I understand it, every protocol and port is allowed.
> Did you open the security group for icmp?
>
> Sent from iPhone
>
>> On Mar 16, 2014, at 10:36, "Anatoly Oreshkin"
>> <Anatoly.Oreshkin at pnpi.spb.ru> wrote:
>>
>> Hello,
>>
>> I've installed OpenStack Havana with Neutron all-in-one on a single node under
>> Scientific Linux 6.4
>> having multiple NICs, specifically eth0 with public network 212.190.96.128/27
>> and eth2 with internal network 192.168.1.0/24.
>>
>> All openstack components were installed on ip address 212.190.96.14 (eth0)
>> CONFIG_NOVA_NETWORK_PUBIF=eth0
>>
>>
>> OpenStack configuration follows:
>>
>> /etc/neutron/plugin.ini
>>
>> [OVS]
>> vxlan_udp_port=4789
>> tenant_network_type=local
>> enable_tunneling=False
>> integration_bridge=br-int
>> network_vlan_ranges = physnet1
>> bridge_mappings = physnet1:br-ex
>>
>> [AGENT]
>> polling_interval=2
>>
>> [SECURITYGROUP]
>> firewall_driver=neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
>>
>> Floating IP addresses are allocated from public IP range 212.190.96.140 -
>> 212.190.96.142 (eth0)
>>
>> Routing tables on my node
>>
>> Destination Gateway Genmask Flags Metric Ref Use Iface
>> 212.190.96.128 * 255.255.255.224 U 0 0 0 br-ex
>> 192.168.1.0 * 255.255.255.0 U 0 0 0 eth2
>> 192.168.0.0 * 255.255.255.0 U 0 0 0 eth3
>> link-local * 255.255.0.0 U 1002 0 0 eth0
>> link-local * 255.255.0.0 U 1004 0 0 eth2
>> link-local * 255.255.0.0 U 1005 0 0 eth3
>> link-local * 255.255.0.0 U 1011 0 0 br-ex
>> default 212.190.96.129 0.0.0.0 UG 0 0 0 br-ex
>>
>>
>>
>>
>> I launched instance from dashboard and instance was allocated ip address 10.0.0.3
>> from private network 10.0.0.0/24. Then I allocated the instance floating ip
>> address 212.190.96.141 from public network.
>>
>> The problem is that I can't ping the instance either through floating IP address
>> 212.190.96.141 or private address 10.0.0.3
>>
>> ~(keystone_admin)]# ip netns exec qdhcp-abe27f33-13e9-44d9-8f12-905cbccb615e ping 10.0.0.3
>> PING 10.0.0.3 (10.0.0.3) 56(84) bytes of data.
>>
>> However from inside the instance I can ping any ip address.
>>
>> But when I restart linux firewall iptables "service iptables restart" I can ping
>> the instance.
>> I can't understand why this happened. I suspect that "linux firewall restart"
>> deleted the records from iptables which were added by neutron when launching
>> the instance and permitted to ping the instance.
>>
>>
>> Can anybody help me ?
>>
>> Any hint ?
>>
>> I provide additional information.
>>
>> Network namespace of my openstack configuration:
>> # ip netns
>> qdhcp-abe27f33-13e9-44d9-8f12-905cbccb615e
>> qrouter-9080a234-308a-40c3-9dda-477e7a9cdd99
>>
>> # ip netns exec qrouter-9080a234-308a-40c3-9dda-477e7a9cdd99 route -n
>>
>> Destination     Gateway         Genmask         Flags Metric Ref Use Iface
>> 212.190.96.128  0.0.0.0         255.255.255.224 U     0      0   0   qg-fdd17595-7b
>> 10.0.0.0        0.0.0.0         255.255.255.0   U     0      0   0   qr-67571cae-0a
>> 0.0.0.0         212.190.96.129  0.0.0.0         UG    0      0   0   qg-fdd17595-7b
>>
>> # ip netns exec qdhcp-abe27f33-13e9-44d9-8f12-905cbccb615e route -n
>>
>> Destination     Gateway         Genmask         Flags Metric Ref Use Iface
>> 10.0.0.0        0.0.0.0         255.255.255.0   U     0      0   0   tape150108a-ef
>> 0.0.0.0         10.0.0.1        0.0.0.0         UG    0      0   0   tape150108a-ef
>>
>>
>> # ip netns exec qrouter-9080a234-308a-40c3-9dda-477e7a9cdd99 iptables -t nat -S
>>
>> -P PREROUTING ACCEPT
>> -P POSTROUTING ACCEPT
>> -P OUTPUT ACCEPT
>> -N neutron-l3-agent-OUTPUT
>> -N neutron-l3-agent-POSTROUTING
>> -N neutron-l3-agent-PREROUTING
>> -N neutron-l3-agent-float-snat
>> -N neutron-l3-agent-snat
>> -N neutron-postrouting-bottom
>> -A PREROUTING -j neutron-l3-agent-PREROUTING
>> -A POSTROUTING -j neutron-l3-agent-POSTROUTING
>> -A POSTROUTING -j neutron-postrouting-bottom
>> -A OUTPUT -j neutron-l3-agent-OUTPUT
>> -A neutron-l3-agent-OUTPUT -d 212.190.96.141/32 -j DNAT --to-destination 10.0.0.3
>> -A neutron-l3-agent-POSTROUTING ! -i qg-fdd17595-7b ! -o qg-fdd17595-7b -m conntrack ! --ctstate DNAT -j ACCEPT
>> -A neutron-l3-agent-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697
>> -A neutron-l3-agent-PREROUTING -d 212.190.96.141/32 -j DNAT --to-destination 10.0.0.3
>> -A neutron-l3-agent-float-snat -s 10.0.0.3/32 -j SNAT --to-source 212.190.96.141
>> -A neutron-l3-agent-snat -j neutron-l3-agent-float-snat
>> -A neutron-l3-agent-snat -s 10.0.0.0/24 -j SNAT --to-source 212.190.96.140
>> -A neutron-postrouting-bottom -j neutron-l3-agent-snat
>>
>>
>> # iptables -S | grep tap
>> -A neutron-openvswi-FORWARD -m physdev --physdev-out tapcfb4a18d-aa --physdev-is-bridged -j neutron-openvswi-sg-chain
>> -A neutron-openvswi-FORWARD -m physdev --physdev-in tapcfb4a18d-aa --physdev-is-bridged -j neutron-openvswi-sg-chain
>> -A neutron-openvswi-INPUT -m physdev --physdev-in tapcfb4a18d-aa --physdev-is-bridged -j neutron-openvswi-ocfb4a18d-a
>> -A neutron-openvswi-sg-chain -m physdev --physdev-out tapcfb4a18d-aa --physdev-is-bridged -j neutron-openvswi-icfb4a18d-a
>> -A neutron-openvswi-sg-chain -m physdev --physdev-in tapcfb4a18d-aa --physdev-is-bridged -j neutron-openvswi-ocfb4a18d-a
>>
>>
>>
>>
>>
>
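
The rule table from this message, evaluated in a simplified model (an added example, not part of the original thread): a rule whose Remote is a group name matches only traffic from ports that belong to that group, while a CIDR remote matches by source address. The names `Rule`, `ingress_allowed` and `with_icmp_from_anywhere` and the addresses 10.0.0.4 and 198.51.100.7 are constructed for illustration; connection tracking and Neutron's implicit DHCP and anti-spoofing rules are not modeled.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    direction: str                      # "ingress" or "egress"
    ethertype: str                      # "IPv4" or "IPv6"
    protocol: Optional[str]             # None models "Any"
    remote_cidr: Optional[str] = None   # Remote shown as "... (CIDR)"
    remote_group: Optional[str] = None  # Remote shown as a group name

# The four rules from the dashboard table in the message above.
DEFAULT_RULES = [
    Rule("ingress", "IPv4", None, remote_group="default"),
    Rule("egress", "IPv4", None, remote_cidr="0.0.0.0/0"),
    Rule("egress", "IPv6", None, remote_cidr="::/0"),
    Rule("ingress", "IPv6", None, remote_group="default"),
]
# Constructed membership: the thread's instance plus a hypothetical second one.
MEMBERS = {"default": {"10.0.0.3", "10.0.0.4"}}

def ingress_allowed(rules, src_ip, protocol, members=MEMBERS):
    """Return True if a new inbound packet from src_ip matches an ingress rule."""
    src = ipaddress.ip_address(src_ip)
    ethertype = "IPv4" if src.version == 4 else "IPv6"
    for r in rules:
        if r.direction != "ingress" or r.ethertype != ethertype:
            continue
        if r.protocol not in (None, protocol):
            continue
        if r.remote_group is not None:
            # Group remote: only addresses of ports in that group match.
            if src_ip in members.get(r.remote_group, ()):
                return True
        elif r.remote_cidr is None or src in ipaddress.ip_network(r.remote_cidr):
            # CIDR remote, or no remote at all (any source).
            return True
    return False

def with_icmp_from_anywhere(rules):
    """Rule set after adding IPv4 ICMP ingress with a 0.0.0.0/0 remote."""
    return rules + [Rule("ingress", "IPv4", "icmp", remote_cidr="0.0.0.0/0")]

if __name__ == "__main__":
    outside = "198.51.100.7"  # constructed host that is not in the group
    opened = with_icmp_from_anywhere(DEFAULT_RULES)
    for name, rules in (("default", DEFAULT_RULES), ("with ICMP rule", opened)):
        print(name, "outside->icmp:", ingress_allowed(rules, outside, "icmp"))
```

The added ICMP rule opens only ICMP to outside sources; other protocols from non-members still match no ingress rule.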