[Openstack] Routing from instances to floating ips in nova-network -- possible?

Antonio Messina antonio.s.messina at gmail.com
Thu May 14 17:55:57 UTC 2015


On Thu, May 14, 2015 at 6:19 PM, Andrew Bogott <abogott at wikimedia.org> wrote:
> OK, we've made some progress with this -- the solution seems to involve
> changing my dmz_cidr setting and switching our bridge to promiscuous mode.

I don't have any dmz_cidr option in my nova.conf, so I don't know if
it's relevant.

My bridges, instead, are all in promiscuous mode (I forgot about
that). I don't remember the details but I kind of remember it was needed.

> However -- I'm now unclear on whether this will fix all routing, or just
> routing between instances that have floating IPs assigned (I have lots of
> both.)  Antonio, do all cases work?  Or do you have floating ips assigned to
> everything?

I'm pretty sure it will not work if the source VM doesn't have a
floating IP. The problem is, I think, that SNAT is usually performed
only to packets leaving the controller node on the public interface:

    iptables -t nat -A nova-network-snat -s 10.65.4.0/22 -o eth3 -j SNAT --to-source <public-ip-of-controller>

(this is the SNAT rule I have on my controller)

therefore, a packet

  <fixed-ip-vm-A> => <floating-ip-vm-B>

is rewritten with a DNAT only, becoming:

  <fixed-ip-vm-A> => <fixed-ip-vm-B>

This packet will reach vm-B that will answer with

  <fixed-ip-vm-B> => <fixed-ip-vm-A>

which is not recognized by vm-B as part of any connection it
initiated.

Maybe you could try to manually add an additional rule like:

    iptables -t nat -A nova-network-snat -s 10.65.4.0/22 -o br100 -j SNAT --to-source <public-ip-of-controller>

but I don't know if I'm missing something. Last time I had to fix this
I spent some time with pen and paper trying to sketch the flow of
packets through the iptables rules :)

.a.

-- 
antonio.s.messina at gmail.com
antonio.messina at uzh.ch                     +41 (0)44 635 42 22
S3IT: Service and Support for Science IT   http://www.s3it.uzh.ch/
University of Zurich
Winterthurerstrasse 190
CH-8057 Zurich Switzerland
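The packet flow Antonio sketches with pen and paper can be modelled in a few lines, which makes the asymmetry easy to see. The following is an added example, not code from the thread: a toy model of the controller's nat table plus conntrack, one VM on each side, and a bridge that delivers subnet-local traffic directly (bypassing the controller) while off-subnet traffic goes through the gateway. All addresses are constructed (10.65.4.0/22 is taken from the rule quoted above; the public addresses are TEST-NET-3 placeholders). The two scenarios are the DNAT-only case and the case with the extra SNAT rule on br100.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses for the simulation (not from a real deployment).
SUBNET = ipaddress.ip_network("10.65.4.0/22")   # fixed-IP range, as in the quoted SNAT rule
CONTROLLER_IP = "203.0.113.1"                    # placeholder <public-ip-of-controller>
FLOATING_B = "203.0.113.50"                      # floating IP assigned to vm-B
FIXED_A, FIXED_B = "10.65.4.10", "10.65.4.20"    # fixed IPs of vm-A and vm-B


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def on_subnet(ip: str) -> bool:
    return ipaddress.ip_address(ip) in SUBNET


class NatGateway:
    """Toy model of the controller: DNAT floating->fixed, SNAT on egress, conntrack."""

    def __init__(self, floating_map: dict, snat_ip: str, snat_on_bridge: bool):
        self.dnat = dict(floating_map)      # floating IP -> fixed IP
        self.snat_ip = snat_ip
        self.snat_on_bridge = snat_on_bridge  # True models the extra '-o br100' SNAT rule
        self.conntrack = {}                 # expected reply (src, dst) -> original (src, dst)

    def forward(self, pkt: Packet) -> Packet:
        """Translate a packet entering the gateway; remember how to reverse it."""
        src, dst = pkt.src, pkt.dst
        dst = self.dnat.get(dst, dst)       # DNAT: floating -> fixed
        # SNAT normally applies only on the public interface; with the bridge
        # rule it also applies when the packet is hairpinned back onto br100.
        leaving_via_bridge = on_subnet(dst)
        if on_subnet(src) and (not leaving_via_bridge or self.snat_on_bridge):
            src = self.snat_ip
        self.conntrack[(dst, src)] = (pkt.src, pkt.dst)
        return Packet(src, dst)

    def reverse(self, reply: Packet):
        """Un-NAT a reply that traverses the gateway, or None if unknown."""
        orig = self.conntrack.get((reply.src, reply.dst))
        if orig is None:
            return None
        orig_src, orig_dst = orig
        return Packet(orig_dst, orig_src)


class Vm:
    def __init__(self, ip: str):
        self.ip = ip
        self.expected_replies = set()       # (src, dst) pairs this VM will accept

    def send(self, dst: str) -> Packet:
        self.expected_replies.add((dst, self.ip))
        return Packet(self.ip, dst)

    def reply_to(self, pkt: Packet) -> Packet:
        return Packet(self.ip, pkt.src)     # answer whatever source it saw

    def accepts(self, pkt: Packet) -> bool:
        return (pkt.src, pkt.dst) in self.expected_replies


def simulate(snat_on_bridge: bool):
    """vm-A (fixed IP only) talks to vm-B's floating IP; return (accepted, reply seen by A)."""
    gw = NatGateway({FLOATING_B: FIXED_B}, CONTROLLER_IP, snat_on_bridge)
    vm_a, vm_b = Vm(FIXED_A), Vm(FIXED_B)

    out = vm_a.send(FLOATING_B)             # off-subnet destination: goes via the gateway
    to_b = gw.forward(out)
    reply = vm_b.reply_to(to_b)

    if on_subnet(reply.dst):
        seen_by_a = reply                   # same L2 segment: bridge delivers it directly
    else:
        seen_by_a = gw.reverse(reply)       # addressed to the controller: un-NAT on the way back
    return vm_a.accepts(seen_by_a), seen_by_a


if __name__ == "__main__":
    for flag in (False, True):
        ok, pkt = simulate(flag)
        print(f"SNAT on bridge={flag}: vm-A sees {pkt.src} -> {pkt.dst}, accepted={ok}")
```

Without the bridge SNAT rule, vm-A sees a reply from the fixed IP of vm-B rather than from the floating IP it connected to, so the reply matches no connection; with the rule, the reply is addressed to the controller, which reverses both translations and vm-A sees the expected source. The model also shows why traffic from a VM that does have a floating IP works: its source is rewritten anyway, so the reply always passes back through the controller.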



