[Openstack] Routing from instances to floating ips in nova-network -- possible?

Antonio Messina antonio.s.messina at gmail.com
Thu May 7 18:23:04 UTC 2015


On Thu, May 7, 2015 at 7:30 PM, Andrew Bogott <abogott at wikimedia.org> wrote:
> On 5/7/15 2:34 AM, Antonio Messina wrote:
>>
>> On Wed, May 6, 2015 at 10:56 PM, Andrew Bogott <abogott at wikimedia.org>
>> wrote:
>>>
>>>      Since time immemorial, I've accepted as a fact of life that routing
>>> from
>>> a nova instance to another instance via floating ip is impossible.  We've
>>> coped with this via a hack in dnsmasq, setting an alias to rewrite public
>>> IPs to the corresponding internal IP.
>>
>> Have you checked this serverfault question[0]? The issue is different
>> though: a VM not being able to contact its own floating IP, but maybe
>> it's related. It also contains links to relevant bugs.
>
> I did see that, although it seems to be a subcase of my issue (implying that
> routing is working for people in general, just not from a host to itself.)
>
> I'm glad to hear that it works for you!  I just now tried setting

It works because I patched Folsom, backporting some patch from some
newer OpenStack release :)

> force_snat_range for my floating IP range but I'm still not getting any
> pings.  Strangely if I restart nova-network things work for a minute or two,
> then return to the status quo.  That means that no matter what I change, it
> looks like it worked, for a minute :)

When you restart nova-network, the firewall rules are cleaned up and
then re-created, so there is a sort of "race condition" during which
the firewall rules might allow this type of traffic. But it's a "bug"
:)

IMHO you should try to understand *why* it doesn't work. In my case, I
remember one of the problems was that when VM1 contacts VM2 using the
floating IPs, the firewall rules were only performing DNAT but not
SNAT, so the packets arrive at VM2 with the source IP of VM1 (the
private IP), instead of the floating IP. This implies that VM2 will
reply to the *private IP* instead of the floating IP, so that VM1
will drop the packet as unknown/not requested.

To fix this, you need an iptables rule like:

iptables -t nat -A POSTROUTING -s <fixedip> -m conntrack --ctstate DNAT -j SNAT --to-source <floating-ip>

also cf. https://github.com/openstack/nova/commit/b8c434630d31f49ae0e9686ddfac8f25acf117b1

.a.

-- 
antonio.s.messina at gmail.com
antonio.messina at uzh.ch                     +41 (0)44 635 42 22
S3IT: Service and Support for Science IT   http://www.s3it.uzh.ch/
University of Zurich
Winterthurerstrasse 190
CH-8057 Zurich Switzerland
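As an added illustration that is not part of the thread or of nova's code, the hairpin path described in the message above, modelled in Python: the NAT host always DNATs the floating destination, and the `--ctstate DNAT` SNAT rule is what makes VM2's reply route back through the NAT host so VM1 sees it as a reply to the connection it opened. All addresses are constructed, and the model assumes VM1 and VM2 share one private subnet.

```python
# Constructed model of nova-network's floating-IP hairpin (not nova code).
FIXED = {"vm1": "10.0.0.5", "vm2": "10.0.0.6"}           # constructed fixed IPs
FLOATING = {"vm1": "203.0.113.5", "vm2": "203.0.113.6"}  # constructed floating IPs
FLOAT_TO_FIXED = {FLOATING[n]: FIXED[n] for n in FIXED}
FIXED_TO_FLOAT = {v: k for k, v in FLOAT_TO_FIXED.items()}


def snat_rule(fixed_ip, floating_ip):
    """Render the POSTROUTING rule from the message for one VM's mapping."""
    return ("iptables -t nat -A POSTROUTING -s %s -m conntrack --ctstate DNAT "
            "-j SNAT --to-source %s" % (fixed_ip, floating_ip))


def simulate(snat_fix):
    """VM1 opens a connection to VM2's floating IP; return what each side sees."""
    vm1_conn = (FIXED["vm1"], FLOATING["vm2"])  # (src, dst) as sent by VM1
    src, dst = vm1_conn

    # NAT host, outbound direction: DNAT of the floating destination always
    # happens; SNAT of the private source only once the fix rule is present.
    dst = FLOAT_TO_FIXED[dst]
    if snat_fix:
        src = FIXED_TO_FLOAT[src]
    seen_by_vm2 = (src, dst)

    # VM2 replies to whatever source address it saw.
    reply = (seen_by_vm2[1], seen_by_vm2[0])

    # A reply addressed to a floating IP goes back through the NAT host, whose
    # conntrack entry undoes both translations. A reply addressed to a private
    # IP on the same subnet is delivered directly and is never un-NATed.
    if reply[1] in FLOAT_TO_FIXED:
        reply = (FIXED_TO_FLOAT[reply[0]], FLOAT_TO_FIXED[reply[1]])

    # VM1's own conntrack only accepts a reply that mirrors its original tuple.
    expected = (vm1_conn[1], vm1_conn[0])
    return {"seen_by_vm2": seen_by_vm2,
            "reply_at_vm1": reply,
            "accepted": reply == expected}


if __name__ == "__main__":
    for fix in (False, True):
        print("SNAT fix %s: %s" % ("on " if fix else "off", simulate(fix)))
    print(snat_rule(FIXED["vm1"], FLOATING["vm1"]))
```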
