[Openstack] openstack havana with neutron can't ping instance

Anatoly Oreshkin Anatoly.Oreshkin at pnpi.spb.ru
Mon Mar 17 06:05:54 UTC 2014


But on another machine under Scientific Linux 6.4 with OpenStack Neutron,
and the same configuration and default security group, I can ping an instance.
The only difference is that that machine has 1 NIC rather than multiple ones.



> No, that is not correct. You need to open ICMP.
>
> Sent from iPhone
>
>> On Mar 16, 2014, at 12:44, "Anatoly Oreshkin"
>> <Anatoly.Oreshkin at pnpi.spb.ru> wrote:
>>
>>
>> In the dashboard, in Access & Security, I see the default security group, which is as follows:
>>
>> Security Group Rules
>>
>>        Direction  Ether Type  IP Protocol  Port Range  Remote            Actions
>>        Ingress    IPv4        Any          -           default
>>        Egress     IPv4        Any          -           0.0.0.0/0 (CIDR)
>>        Egress     IPv6        Any          -           ::/0 (CIDR)
>>        Ingress    IPv6        Any          -           default
>>
>> As I understand, every protocol and port is allowed.
>>
>>
>>
>>> Did you open the security group for icmp?
>>>
>>> Sent from iPhone
>>>
>>>> On Mar 16, 2014, at 10:36, "Anatoly Oreshkin"
>>>> <Anatoly.Oreshkin at pnpi.spb.ru> wrote:
>>>>
>>>> Hello,
>>>>
>>>> I've installed OpenStack Havana with Neutron all-in-one on a single node under
>>>> Scientific Linux 6.4 having multiple NICs, specifically eth0 with public
>>>> network 212.190.96.128/27 and eth2 with internal network 192.168.1.0/24.
>>>>
>>>> All openstack components were installed on ip address 212.190.96.14  (eth0)
>>>> CONFIG_NOVA_NETWORK_PUBIF=eth0
>>>>
>>>>
>>>> OpenStack configuration follows:
>>>>
>>>> /etc/neutron/plugin.ini
>>>>
>>>> [OVS]
>>>> vxlan_udp_port=4789
>>>> tenant_network_type=local
>>>> enable_tunneling=False
>>>> integration_bridge=br-int
>>>> network_vlan_ranges = physnet1
>>>> bridge_mappings = physnet1:br-ex
>>>>
>>>> [AGENT]
>>>> polling_interval=2
>>>>
>>>> [SECURITYGROUP]
>>>> firewall_driver=neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
>>>>
>>>> Floating IP addresses are allocated from public IP range 212.190.96.140 -
>>>> 212.190.96.142 (eth0)
>>>>
>>>> Routing tables on my node
>>>>
>>>> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
>>>> 212.190.96.128  *               255.255.255.224 U     0      0        0 br-ex
>>>> 192.168.1.0     *               255.255.255.0   U     0      0        0 eth2
>>>> 192.168.0.0     *               255.255.255.0   U     0      0        0 eth3
>>>> link-local      *               255.255.0.0     U     1002   0        0 eth0
>>>> link-local      *               255.255.0.0     U     1004   0        0 eth2
>>>> link-local      *               255.255.0.0     U     1005   0        0 eth3
>>>> link-local      *               255.255.0.0     U     1011   0        0 br-ex
>>>> default         212.190.96.129  0.0.0.0         UG    0      0        0 br-ex
>>>>
>>>>
>>>>
>>>>
>>>> I launched an instance from the dashboard and the instance was allocated IP
>>>> address 10.0.0.3 from private network 10.0.0.0/24. Then I allocated the
>>>> instance floating IP address 212.190.96.141 from the public network.
>>>>
>>>> The problem is that I can't ping the instance either through floating IP
>>>> address 212.190.96.141 or private address 10.0.0.3.
>>>>
>>>> ~(keystone_admin)]# ip netns exec qdhcp-abe27f33-13e9-44d9-8f12-905cbccb615e ping 10.0.0.3
>>>> PING 10.0.0.3 (10.0.0.3) 56(84) bytes of data.
>>>>
>>>> However, from inside the instance I can ping any IP address.
>>>>
>>>> But when I restart the Linux firewall iptables ("service iptables restart") I
>>>> can ping the instance.
>>>> I can't understand why this happened. I suspect that the "linux firewall
>>>> restart" deleted the records from iptables which were added by neutron when
>>>> launching the instance and permitted to ping the instance.
>>>>
>>>>
>>>> Can anybody help me ?
>>>>
>>>> Any hint ?
>>>>
>>>> I provide additional information.
>>>>
>>>> Network namespace of my openstack configuration:
>>>> # ip netns
>>>> qdhcp-abe27f33-13e9-44d9-8f12-905cbccb615e
>>>> qrouter-9080a234-308a-40c3-9dda-477e7a9cdd99
>>>>
>>>> # ip netns exec qrouter-9080a234-308a-40c3-9dda-477e7a9cdd99 route -n
>>>>
>>>> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
>>>> 212.190.96.128  0.0.0.0         255.255.255.224 U     0      0        0 qg-fdd17595-7b
>>>> 10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 qr-67571cae-0a
>>>> 0.0.0.0         212.190.96.129  0.0.0.0         UG    0      0        0 qg-fdd17595-7b
>>>>
>>>> # ip netns exec qdhcp-abe27f33-13e9-44d9-8f12-905cbccb615e route -n
>>>>
>>>> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
>>>> 10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tape150108a-ef
>>>> 0.0.0.0         10.0.0.1        0.0.0.0         UG    0      0        0 tape150108a-ef
>>>>
>>>>
>>>> # ip netns exec qrouter-9080a234-308a-40c3-9dda-477e7a9cdd99 iptables -t nat -S
>>>>
>>>> -P PREROUTING ACCEPT
>>>> -P POSTROUTING ACCEPT
>>>> -P OUTPUT ACCEPT
>>>> -N neutron-l3-agent-OUTPUT
>>>> -N neutron-l3-agent-POSTROUTING
>>>> -N neutron-l3-agent-PREROUTING
>>>> -N neutron-l3-agent-float-snat
>>>> -N neutron-l3-agent-snat
>>>> -N neutron-postrouting-bottom
>>>> -A PREROUTING -j neutron-l3-agent-PREROUTING
>>>> -A POSTROUTING -j neutron-l3-agent-POSTROUTING
>>>> -A POSTROUTING -j neutron-postrouting-bottom
>>>> -A OUTPUT -j neutron-l3-agent-OUTPUT
>>>> -A neutron-l3-agent-OUTPUT -d 212.190.96.141/32 -j DNAT --to-destination 10.0.0.3
>>>> -A neutron-l3-agent-POSTROUTING ! -i qg-fdd17595-7b ! -o qg-fdd17595-7b -m conntrack ! --ctstate DNAT -j ACCEPT
>>>> -A neutron-l3-agent-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697
>>>> -A neutron-l3-agent-PREROUTING -d 212.190.96.141/32 -j DNAT --to-destination 10.0.0.3
>>>> -A neutron-l3-agent-float-snat -s 10.0.0.3/32 -j SNAT --to-source 212.190.96.141
>>>> -A neutron-l3-agent-snat -j neutron-l3-agent-float-snat
>>>> -A neutron-l3-agent-snat -s 10.0.0.0/24 -j SNAT --to-source 212.190.96.140
>>>> -A neutron-postrouting-bottom -j neutron-l3-agent-snat
>>>>
>>>>
>>>> # iptables -S | grep tap
>>>> -A neutron-openvswi-FORWARD -m physdev --physdev-out tapcfb4a18d-aa --physdev-is-bridged -j neutron-openvswi-sg-chain
>>>> -A neutron-openvswi-FORWARD -m physdev --physdev-in tapcfb4a18d-aa --physdev-is-bridged -j neutron-openvswi-sg-chain
>>>> -A neutron-openvswi-INPUT -m physdev --physdev-in tapcfb4a18d-aa --physdev-is-bridged -j neutron-openvswi-ocfb4a18d-a
>>>> -A neutron-openvswi-sg-chain -m physdev --physdev-out tapcfb4a18d-aa --physdev-is-bridged -j neutron-openvswi-icfb4a18d-a
>>>> -A neutron-openvswi-sg-chain -m physdev --physdev-in tapcfb4a18d-aa --physdev-is-bridged -j neutron-openvswi-ocfb4a18d-a
>>>>
>>>>
>>>>
>>>>
>>>>
>>
>
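
Added example, not part of the original thread: a small model of how the default group's rules quoted above are evaluated, showing why "Remote: default" on the ingress rule admits only traffic from ports that are members of the same group and not ICMP from arbitrary sources. The group membership, the source address 10.0.0.2 (standing in for a port outside the group) and all function names are assumptions made for illustration; this is not Neutron's code.

```python
import ipaddress

# IPv4 rules from the dashboard table in the thread.
# remote_group: the peer must be a port in that group (not "any source").
DEFAULT_RULES = [
    {"direction": "ingress", "protocol": None,
     "remote_group": "default", "remote_cidr": None},
    {"direction": "egress", "protocol": None,
     "remote_group": None, "remote_cidr": "0.0.0.0/0"},
]

# The rule the reply asks for: ICMP ingress from any IPv4 source.
ICMP_RULE = {"direction": "ingress", "protocol": "icmp",
             "remote_group": None, "remote_cidr": "0.0.0.0/0"}

# Constructed membership: only the instance's port is in "default".
GROUP_MEMBERS = {"default": {"10.0.0.3"}}


def rule_matches(rule, direction, protocol, peer_ip, members):
    """True if one rule admits this packet; protocol None means 'Any'."""
    if rule["direction"] != direction:
        return False
    if rule["protocol"] not in (None, protocol):
        return False
    if rule["remote_group"] is not None:
        return peer_ip in members.get(rule["remote_group"], set())
    if rule["remote_cidr"] is not None:
        net = ipaddress.ip_network(rule["remote_cidr"])
        return ipaddress.ip_address(peer_ip) in net
    return True  # no remote restriction on the rule


def allowed(rules, direction, protocol, peer_ip, members=GROUP_MEMBERS):
    """Default-deny: a packet passes only if some rule matches.
    Replies to permitted egress flows are handled by connection
    tracking and are not modelled here."""
    return any(rule_matches(r, direction, protocol, peer_ip, members)
               for r in rules)


if __name__ == "__main__":
    cases = (("default only", DEFAULT_RULES),
             ("with ICMP rule", DEFAULT_RULES + [ICMP_RULE]))
    for label, rules in cases:
        for src in ("10.0.0.2", "212.190.96.129"):
            verdict = allowed(rules, "ingress", "icmp", src)
            print(f"{label:15} icmp from {src:15} -> {verdict}")
```
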




