[Openstack] iptables chain and instance id

Joe Topjian joe at topjian.net
Thu Mar 19 05:11:18 UTC 2015


The number is the ID of the instance in the nova.instances table:

mysql> select id from instances where uuid = '9927550c-5950-4daf-9f05-0530e51d36c7';
+-------+
| id    |
+-------+
| 19437 |
+-------+

$ iptables-save | grep 19437
:nova-compute-inst-19437 - [0:0]
-A nova-compute-inst-19437 -m state --state INVALID -j DROP
-A nova-compute-inst-19437 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A nova-compute-inst-19437 -j nova-compute-provider
...

The only way I've found to obtain that ID without looking directly in the
DB is to convert the `OS-EXT-SRV-ATTR:instance_name` value to decimal:

$ nova show 9927550c-5950-4daf-9f05-0530e51d36c7 | grep OS-EXT-SRV-ATTR:instance_name
| OS-EXT-SRV-ATTR:instance_name        | instance-00004bed

00004bed in hex = 19437 in decimal

Hope that helps :)
Joe

On Wed, Mar 18, 2015 at 3:57 PM, James Denton <james.denton at rackspace.com>
wrote:

> I’m not sure, but the X may be arbitrary. You should be able to correlate
> the nova-compute-inst-X chain to the instance by looking at the
> 'nova-compute-local' chain and looking for the fixed IP:
>
> -A nova-compute-local -d 10.239.0.11/32 -j nova-compute-inst-25
> -A nova-compute-local -d 10.239.0.18/32 -j nova-compute-inst-65
> -A nova-compute-local -d 10.239.0.26/32 -j nova-compute-inst-95
> -A nova-compute-local -d 10.239.0.20/32 -j nova-compute-inst-69
>
> In the DB, the correlation exists:
>
> root@controller01:~# nova list --all-ten | grep 10.239.0.11
> | 1bbb6888-b74f-4fc3-8c22-4c5231823567 | myInstance     | ACTIVE | public=10.239.0.11, 10.242.0.232 |
>
> mysql> use nova; select * from security_group_instance_association where instance_uuid='1bbb6888-b74f-4fc3-8c22-4c5231823567';
> Database changed
>
> +---------------------+------------+------------+---------+----+-------------------+--------------------------------------+
> | created_at          | updated_at | deleted_at | deleted | id | security_group_id | instance_uuid                        |
> +---------------------+------------+------------+---------+----+-------------------+--------------------------------------+
> | 2013-07-03 14:40:47 | NULL       | NULL       |       0 | 25 |                 3 | 1bbb6888-b74f-4fc3-8c22-4c5231823567 |
> +---------------------+------------+------------+---------+----+-------------------+--------------------------------------+
>
> The ID (25) corresponds to the chain name seen here:
>
> -A nova-compute-local -d 10.239.0.11/32 -j nova-compute-inst-25
>
> James
>
> On Mar 18, 2015, at 1:37 PM, mad Engineer <themadengin33r at gmail.com>
> wrote:
>
> I am having an issue troubleshooting iptables rules.
>
> How can I identify which chain belongs to which instance?
>
> I can see nova-compute-inst-X, but I am not able to relate X to nova list
> or to virsh list. Can someone please help in identifying the proper iptables
> chains?
>
> _______________________________________________
> Mailing list:
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to     : openstack at lists.openstack.org
> Unsubscribe :
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>
>
>
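The hex/decimal conversion from the reply at the top of this message, in both directions, as an added example that is not part of the original thread. It assumes the `instance-` plus 8 hex digits name format shown above; the function names and `SAMPLE` are hypothetical, and `SAMPLE` is constructed from rule lines quoted in the thread.

```shell
#!/bin/sh
# Added example: translate between nova instance names and the per-instance
# iptables chain names, assuming "instance-" + 8 hex digits as in the thread.

# instance-00004bed -> nova-compute-inst-19437
chain_for_instance() {
    case "$1" in instance-*) ;; *) return 1 ;; esac
    hex=${1#instance-}
    # Reject empty or non-hex suffixes instead of passing them to the shell.
    case "$hex" in ''|*[!0-9a-fA-F]*) return 1 ;; esac
    printf 'nova-compute-inst-%d\n' "$((0x$hex))"
}

# nova-compute-inst-19437 -> instance-00004bed
instance_for_chain() {
    case "$1" in nova-compute-inst-*) ;; *) return 1 ;; esac
    id=${1#nova-compute-inst-}
    # Decimal digits only; a leading zero would be parsed as octal by printf.
    case "$id" in ''|*[!0-9]*|0[0-9]*) return 1 ;; esac
    printf 'instance-%08x\n' "$id"
}

# Read iptables-save output on stdin and print "chain instance_name",
# once per per-instance chain.
annotate_chains() {
    grep -o 'nova-compute-inst-[0-9][0-9]*' | sort -u |
    while read -r chain; do
        printf '%s %s\n' "$chain" "$(instance_for_chain "$chain")"
    done
}

# Constructed sample input (rule lines taken from the messages above).
SAMPLE=':nova-compute-inst-19437 - [0:0]
-A nova-compute-inst-19437 -m state --state INVALID -j DROP
-A nova-compute-inst-19437 -j nova-compute-provider
-A nova-compute-local -d 10.239.0.11/32 -j nova-compute-inst-25'

# On a compute node: iptables-save | annotate_chains
```

The resulting `instance-...` name can then be matched against the `OS-EXT-SRV-ATTR:instance_name` field of `nova show`.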