[Openstack] Routing from instances to floating ips in nova-network -- possible?

Andrew Bogott abogott at wikimedia.org
Thu May 14 16:19:00 UTC 2015


On 5/7/15 1:23 PM, Antonio Messina wrote:
> On Thu, May 7, 2015 at 7:30 PM, Andrew Bogott <abogott at wikimedia.org> wrote:
>> On 5/7/15 2:34 AM, Antonio Messina wrote:
>>> On Wed, May 6, 2015 at 10:56 PM, Andrew Bogott <abogott at wikimedia.org>
>>> wrote:
>>>>       Since time immemorial, I've accepted as a fact of life that routing from
>>>> a nova instance to another instance via floating IP is impossible.  We've
>>>> coped with this via a hack in dnsmasq, setting an alias to rewrite public
>>>> IPs to the corresponding internal IP.
>>> Have you checked this serverfault question[0]? The issue is different
>>> though: VM not being able to contact its own floating IP, but maybe
>>> it's related. It also contains links to relevant bugs.
>> I did see that, although it seems to be a subcase of my issue (implying that
>> routing is working for people in general, just not from a host to itself.)
>>
>> I'm glad to hear that it works for you!  I just now tried setting
> It works because I patched Folsom, backporting some patch from some
> newer OpenStack release :)

OK, we've made some progress with this -- the solution seems to involve 
changing my dmz_cidr setting and switching our bridge to promiscuous mode.

However -- I'm now unclear on whether this will fix all routing, or just 
routing between instances that have floating IPs assigned (I have lots 
of both.)  Antonio, do all cases work?  Or do you have floating ips 
assigned to everything?



>
>> force_snat_range for my floating IP range but I'm still not getting any
>> pings.  Strangely if I restart nova-network things work for a minute or two,
>> then return to the status quo.  That means that no matter what I change, it
>> looks like it worked, for a minute :)
> When you restart nova-network, the firewall rules are cleaned up and
> then re-created, so there is a sort of "race condition" during which
> the firewall rules might allow this type of traffic. But it's a "bug"
> :)
>
> IMHO you should try to understand *why* it doesn't work. In my case, I
> remember one of the problems was that when VM1 contacts VM2 using the
> floating IPs, the firewall rules were only performing DNAT but not
> SNAT, so the packets arrive at VM2 with the source IP of VM1 (the
> private IP), instead of the floating IP. This implies that VM2 will
> reply with the *private ip* instead of the floating ip, so that VM1
> will drop the packet as unknown/not requested.
>
> To fix this, you need an iptables rule like:
>
> iptables -t nat -A POSTROUTING -s <fixedip> -m conntrack --ctstate DNAT -j SNAT --to-source <floating-ip>
>
> also cfr. https://github.com/openstack/nova/commit/b8c434630d31f49ae0e9686ddfac8f25acf117b1
>
> .a.
>
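The DNAT-without-SNAT failure Antonio describes, as an added example that is not part of the thread and not nova-network's own code: a small Python model of the nat path for one VM-to-floating-IP flow. The addresses (10.0.0.0/24 fixed range, 203.0.113.0/24 floating) are constructed, and the rule order in the POSTROUTING chain is an assumption of the model, not a dump of a real host. The model also assumes what makes the bug bite in practice: a reply addressed to a fixed IP is delivered straight over the bridge and never re-enters the NAT host's conntrack, so it is never un-DNATed, while a reply addressed to a floating IP is routed back through the NAT host.

```python
"""Toy model of nova-network floating-IP NAT for a VM -> floating-IP flow."""
import ipaddress
from dataclasses import dataclass

# Constructed addresses (documentation ranges), not taken from the thread.
FIXED_RANGE = ipaddress.ip_network("10.0.0.0/24")
FLOATING = {                      # fixed IP -> floating IP
    "10.0.0.5": "203.0.113.5",    # VM1
    "10.0.0.6": "203.0.113.6",    # VM2
}
FIXED = {flt: fix for fix, flt in FLOATING.items()}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def in_fixed_range(ip: str) -> bool:
    return ipaddress.ip_address(ip) in FIXED_RANGE


def hairpin_snat_rule(fixed: str, floating: str) -> str:
    """The POSTROUTING rule quoted in the thread, rendered for one instance."""
    return (f"iptables -t nat -A POSTROUTING -s {fixed} "
            f"-m conntrack --ctstate DNAT -j SNAT --to-source {floating}")


def nat_node_forward(pkt: Packet, conntrack: dict, hairpin_snat: bool) -> Packet:
    """Packet from an instance toward a floating IP, traversing the nat table.

    Assumed rule order (a model, not a real nova-network rule dump):
      PREROUTING:  -d <floating> -j DNAT --to <fixed>
      POSTROUTING: [hairpin rule] -s <fixed> -m conntrack --ctstate DNAT -j SNAT --to <floating>
                   -s <fixed_range> -d <fixed_range> -j ACCEPT   (no SNAT between instances)
                   -s <fixed> -j SNAT --to <floating>            (ordinary outbound SNAT)
    """
    src, dst = pkt.src, pkt.dst
    dnat = False
    if dst in FIXED:                          # PREROUTING DNAT
        dst, dnat = FIXED[dst], True
    if hairpin_snat and dnat and src in FLOATING:
        src = FLOATING[src]                   # the fix: SNAT only DNAT'd connections
    elif in_fixed_range(src) and in_fixed_range(dst):
        pass                                  # fixed -> fixed: accepted untouched
    elif src in FLOATING:
        src = FLOATING[src]                   # ordinary outbound SNAT
    # conntrack keys the translated tuple so a returning reply can be reversed
    conntrack[(dst, src)] = (pkt.src, pkt.dst)
    return Packet(src, dst)


def deliver_reply(reply: Packet, conntrack: dict):
    """VM2's reply.  A reply to a fixed IP goes straight over the bridge and is
    never un-NATed; a reply to a floating IP is routed back via the NAT host."""
    if in_fixed_range(reply.dst):
        return reply
    orig = conntrack.get((reply.src, reply.dst))
    if orig is None:
        return None                           # no state at the NAT host: dropped
    orig_src, orig_dst = orig
    return Packet(src=orig_dst, dst=orig_src)  # reverse both DNAT and SNAT


def exchange(hairpin_snat: bool) -> dict:
    """VM1 (fixed 10.0.0.5) sends to VM2's floating IP and waits for the reply."""
    conntrack = {}
    vm1_fixed, vm2_floating = "10.0.0.5", "203.0.113.6"
    seen = nat_node_forward(Packet(vm1_fixed, vm2_floating), conntrack, hairpin_snat)
    reply = Packet(src=seen.dst, dst=seen.src)      # VM2 answers whoever it saw
    delivered = deliver_reply(reply, conntrack)
    # VM1's socket only matches a reply from the address it actually sent to
    accepted = delivered is not None and (delivered.src, delivered.dst) == (vm2_floating, vm1_fixed)
    return {
        "seen_by_vm2": (seen.src, seen.dst),
        "delivered_to_vm1": None if delivered is None else (delivered.src, delivered.dst),
        "accepted": accepted,
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("hairpin SNAT rule present:", mode, exchange(mode))
    print(hairpin_snat_rule("10.0.0.5", "203.0.113.5"))
```

Without the hairpin rule VM2 sees the private source 10.0.0.5, answers it directly, and VM1 discards a reply from 10.0.0.6 because it was waiting on 203.0.113.6; with the rule VM2 sees 203.0.113.5, its reply is routed back through the NAT host, and conntrack reverses both translations so VM1 gets the reply from 203.0.113.6. Note that `--ctstate DNAT` matches connection state, so where the rule sits relative to the fixed-to-fixed ACCEPT rule matters on a real host: it must be evaluated before that ACCEPT or it never fires.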