[Openstack] openstack havana with neutron can't ping instance

Anatoly Oreshkin Anatoly.Oreshkin at pnpi.spb.ru
Mon Mar 17 06:27:18 UTC 2014


I've added the following to the default security group:

. keystonerc_demo

~(keystone_demo)]# neutron security-group-rule-create --protocol icmp --direction ingress default

~(keystone_demo)]# neutron security-group-rule-create --protocol tcp --port-range-min 22 --port-range-max 22 --direction ingress default


After that I can ping the instance:
~(keystone_admin)]# ip netns exec qdhcp-abe27f33-13e9-44d9-8f12-905cbccb615e ping 10.0.0.3

PING 10.0.0.3 (10.0.0.3) 56(84) bytes of data.
64 bytes from 10.0.0.3: icmp_seq=1 ttl=64 time=0.365 ms
64 bytes from 10.0.0.3: icmp_seq=2 ttl=64 time=0.238 ms
64 bytes from 10.0.0.3: icmp_seq=3 ttl=64 time=0.189 ms


>
> But on another machine under Scientific Linux 6.4 with OpenStack Neutron,
> and the same configuration and default security group, I can ping an instance.
> The only difference is that that machine has 1 NIC rather than multiple ones.
>
>
>
>> No that is not correct. You need to open icmp
>>
>> Sent from iPhone
>>
>>> On Mar 16, 2014, at 12:44, "Anatoly Oreshkin"
>>> <Anatoly.Oreshkin at pnpi.spb.ru> wrote:
>>>
>>>
>>> In the dashboard, in Access & Security, I see the default security group,
>>> which is as follows
>>>
>>> Security Group Rules
>>>        Direction  Ether Type  IP Protocol  Port Range  Remote            Actions
>>>        Ingress    IPv4        Any          -           default
>>>        Egress     IPv4        Any          -           0.0.0.0/0 (CIDR)
>>>        Egress     IPv6        Any          -           ::/0 (CIDR)
>>>        Ingress    IPv6        Any          -           default
>>>
>>> As I understand, every protocol and port is allowed.
>>>
>>>
>>>
>>>> Did you open the security group for icmp?
>>>>
>>>> Sent from iPhone
>>>>
>>>>> On Mar 16, 2014, at 10:36, "Anatoly Oreshkin"
>>>>> <Anatoly.Oreshkin at pnpi.spb.ru> wrote:
>>>>>
>>>>> Hello,
>>>>>
>>>>> I've installed OpenStack Havana with Neutron all-in-one on a single node under
>>>>> Scientific Linux 6.4 having multiple NICs, specifically eth0 with public network
>>>>> 212.190.96.128/27 and eth2 with internal network 192.168.1.0/24.
>>>>>
>>>>> All OpenStack components were installed on IP address 212.190.96.14 (eth0)
>>>>> CONFIG_NOVA_NETWORK_PUBIF=eth0
>>>>>
>>>>>
>>>>> OpenStack configuration follows:
>>>>>
>>>>> /etc/neutron/plugin.ini
>>>>>
>>>>> [OVS]
>>>>> vxlan_udp_port=4789
>>>>> tenant_network_type=local
>>>>> enable_tunneling=False
>>>>> integration_bridge=br-int
>>>>> network_vlan_ranges = physnet1
>>>>> bridge_mappings = physnet1:br-ex
>>>>>
>>>>> [AGENT]
>>>>> polling_interval=2
>>>>>
>>>>> [SECURITYGROUP]
>>>>> firewall_driver=neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
>>>>>
>>>>> Floating IP addresses are allocated from public IP range 212.190.96.140 -
>>>>> 212.190.96.142 (eth0)
>>>>>
>>>>> Routing tables on my node
>>>>>
>>>>> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
>>>>> 212.190.96.128  *               255.255.255.224 U     0      0        0 br-ex
>>>>> 192.168.1.0     *               255.255.255.0   U     0      0        0 eth2
>>>>> 192.168.0.0     *               255.255.255.0   U     0      0        0 eth3
>>>>> link-local      *               255.255.0.0     U     1002   0        0 eth0
>>>>> link-local      *               255.255.0.0     U     1004   0        0 eth2
>>>>> link-local      *               255.255.0.0     U     1005   0        0 eth3
>>>>> link-local      *               255.255.0.0     U     1011   0        0 br-ex
>>>>> default         212.190.96.129  0.0.0.0         UG    0      0        0 br-ex
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> I launched an instance from the dashboard and the instance was allocated IP address
>>>>> 10.0.0.3 from private network 10.0.0.0/24. Then I allocated the instance floating IP
>>>>> address 212.190.96.141 from the public network.
>>>>>
>>>>> The problem is that I can't ping the instance either through floating IP
>>>>> address 212.190.96.141 or private address 10.0.0.3
>>>>>
>>>>> ~(keystone_admin)]# ip netns exec qdhcp-abe27f33-13e9-44d9-8f12-905cbccb615e ping 10.0.0.3
>>>>> PING 10.0.0.3 (10.0.0.3) 56(84) bytes of data.
>>>>>
>>>>> However from inside the instance I can ping any ip address.
>>>>>
>>>>> But when I restart the Linux firewall iptables ("service iptables restart") I can
>>>>> ping the instance.
>>>>> I can't understand why this happened. I suspect that "linux firewall restart"
>>>>> deleted the records from iptables which were added by neutron when launching
>>>>> the instance and permitted to ping the instance.
>>>>>
>>>>>
>>>>> Can anybody help me ?
>>>>>
>>>>> Any hint ?
>>>>>
>>>>> I provide additional information.
>>>>>
>>>>> Network namespace of my openstack configuration:
>>>>> # ip netns
>>>>> qdhcp-abe27f33-13e9-44d9-8f12-905cbccb615e
>>>>> qrouter-9080a234-308a-40c3-9dda-477e7a9cdd99
>>>>>
>>>>> # ip netns exec qrouter-9080a234-308a-40c3-9dda-477e7a9cdd99 route -n
>>>>>
>>>>> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
>>>>> 212.190.96.128  0.0.0.0         255.255.255.224 U     0      0        0 qg-fdd17595-7b
>>>>> 10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 qr-67571cae-0a
>>>>> 0.0.0.0         212.190.96.129  0.0.0.0         UG    0      0        0 qg-fdd17595-7b
>>>>>
>>>>> # ip netns exec qdhcp-abe27f33-13e9-44d9-8f12-905cbccb615e route -n
>>>>>
>>>>> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
>>>>> 10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tape150108a-ef
>>>>> 0.0.0.0         10.0.0.1        0.0.0.0         UG    0      0        0 tape150108a-ef
>>>>>
>>>>>
>>>>> # ip netns exec qrouter-9080a234-308a-40c3-9dda-477e7a9cdd99 iptables -t nat -S
>>>>>
>>>>> -P PREROUTING ACCEPT
>>>>> -P POSTROUTING ACCEPT
>>>>> -P OUTPUT ACCEPT
>>>>> -N neutron-l3-agent-OUTPUT
>>>>> -N neutron-l3-agent-POSTROUTING
>>>>> -N neutron-l3-agent-PREROUTING
>>>>> -N neutron-l3-agent-float-snat
>>>>> -N neutron-l3-agent-snat
>>>>> -N neutron-postrouting-bottom
>>>>> -A PREROUTING -j neutron-l3-agent-PREROUTING
>>>>> -A POSTROUTING -j neutron-l3-agent-POSTROUTING
>>>>> -A POSTROUTING -j neutron-postrouting-bottom
>>>>> -A OUTPUT -j neutron-l3-agent-OUTPUT
>>>>> -A neutron-l3-agent-OUTPUT -d 212.190.96.141/32 -j DNAT --to-destination 10.0.0.3
>>>>> -A neutron-l3-agent-POSTROUTING ! -i qg-fdd17595-7b ! -o qg-fdd17595-7b -m conntrack ! --ctstate DNAT -j ACCEPT
>>>>> -A neutron-l3-agent-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697
>>>>> -A neutron-l3-agent-PREROUTING -d 212.190.96.141/32 -j DNAT --to-destination 10.0.0.3
>>>>> -A neutron-l3-agent-float-snat -s 10.0.0.3/32 -j SNAT --to-source 212.190.96.141
>>>>> -A neutron-l3-agent-snat -j neutron-l3-agent-float-snat
>>>>> -A neutron-l3-agent-snat -s 10.0.0.0/24 -j SNAT --to-source 212.190.96.140
>>>>> -A neutron-postrouting-bottom -j neutron-l3-agent-snat
>>>>>
>>>>>
>>>>> # iptables -S | grep tap
>>>>> -A neutron-openvswi-FORWARD -m physdev --physdev-out tapcfb4a18d-aa --physdev-is-bridged -j neutron-openvswi-sg-chain
>>>>> -A neutron-openvswi-FORWARD -m physdev --physdev-in tapcfb4a18d-aa --physdev-is-bridged -j neutron-openvswi-sg-chain
>>>>> -A neutron-openvswi-INPUT -m physdev --physdev-in tapcfb4a18d-aa --physdev-is-bridged -j neutron-openvswi-ocfb4a18d-a
>>>>> -A neutron-openvswi-sg-chain -m physdev --physdev-out tapcfb4a18d-aa --physdev-is-bridged -j neutron-openvswi-icfb4a18d-a
>>>>> -A neutron-openvswi-sg-chain -m physdev --physdev-in tapcfb4a18d-aa --physdev-is-bridged -j neutron-openvswi-ocfb4a18d-a
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>>>>> Post to     : openstack at lists.openstack.org
>>>>> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>
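
Added example (not part of the original thread, and not Neutron's own code): a simplified Python model of security group ingress matching, showing why the dashboard's "Ingress / Any / Remote: default" rule admits only traffic from members of the default group, so the ping from the qdhcp namespace is dropped until the ICMP rule is added. The rule model, the group membership and the DHCP port address 10.0.0.2 are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    direction: str                       # "ingress" or "egress"
    ethertype: str = "IPv4"
    protocol: Optional[str] = None       # None = any protocol
    port_min: Optional[int] = None
    port_max: Optional[int] = None
    remote_group: Optional[str] = None   # only members of this group match
    remote_cidr: Optional[str] = None    # None (and no remote_group) = any source

def ingress_allowed(rules, group_members, src_ip, protocol, port=None):
    """Return True if any ingress rule admits the packet (default is drop)."""
    src = ipaddress.ip_address(src_ip)
    for r in rules:
        if r.direction != "ingress" or r.ethertype != f"IPv{src.version}":
            continue
        if r.protocol is not None and r.protocol != protocol:
            continue
        if r.port_min is not None and (port is None or not r.port_min <= port <= r.port_max):
            continue
        if r.remote_group is not None:
            # Source must be a port that belongs to the remote group.
            if src_ip not in group_members.get(r.remote_group, set()):
                continue
        elif r.remote_cidr is not None and src not in ipaddress.ip_network(r.remote_cidr):
            continue
        return True
    return False

# Default group as shown in the dashboard listing quoted in the thread.
DEFAULT_RULES = [
    Rule("ingress", "IPv4", remote_group="default"),
    Rule("egress", "IPv4", remote_cidr="0.0.0.0/0"),
    Rule("egress", "IPv6", remote_cidr="::/0"),
    Rule("ingress", "IPv6", remote_group="default"),
]
# The two rules added with neutron security-group-rule-create (no remote = any source).
ADDED_RULES = [
    Rule("ingress", protocol="icmp"),
    Rule("ingress", protocol="tcp", port_min=22, port_max=22),
]
# Constructed membership: only the instance's port is in "default".
MEMBERS = {"default": {"10.0.0.3"}}
DHCP_PORT_IP = "10.0.0.2"  # assumed address of the qdhcp namespace port
```

Calling ingress_allowed(DEFAULT_RULES, MEMBERS, DHCP_PORT_IP, "icmp") returns False, and the same call with DEFAULT_RULES + ADDED_RULES returns True, while TCP ports other than 22 stay closed to non-members.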




