[Openstack] Networking issues with neutron-linuxbridge-agent

Eugen Block eblock at nde.ag
Mon Jun 20 10:15:35 UTC 2016


Hi list,

I am seeing a strange behaviour of my cloud and could use some help on this.
I have a project containing 2 VMs, one is running in an external  
network, the other is in a tenant-network with a floating ip. Security  
group allows ping and ssh.
Now there are several ways to break or restore the connectivity but I  
can't find the cause.

1. Boot a new instance on the same compute node (but different  
project, no matter if same or different network). Connectivity to both  
existing VMs is lost, however, from within the instance I can still  
get out! Restarting neutron-linuxbridge-agent gets it right again.

2. During the state of broken connectivity changing the  
security-group-rules (adding one rule or deleting a rule) for the  
default sec-group has the same effect, although  
neutron-linuxbridge-agent is not restarted after that, but the VMs are  
reachable again.

3. Different project, different network, same compute node: deleting a  
running instance also leads to a connectivity loss for the existing VMs.

4. In a way I was able to reproduce this issue: on a different compute  
node and different project I launched an instance in the same external  
network last Friday. The instance was reachable, I shut it down. Today  
I booted it again, it was not reachable. Restarting the  
linuxbridge-agent fixed it again.

I took a look into iptables and compared the output when the instances  
are reachable and when they are not. Somehow the neutron rules aren't  
there. Following the rule tree to the bottom it leads to a DROP rule  
for all packets.

---cut here---
compute1:~ # iptables -L FORWARD -nv|more
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 nova-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 nova-compute-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0

compute1:~ # systemctl restart openstack-neutron-linuxbridge-agent.service

compute1:~ # iptables -L FORWARD -nv|more
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   14  1176 neutron-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   14  1176 neutron-linuxbri-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 nova-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 nova-compute-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0
---cut here---

What is going on with neutron? I have been seeing this for about two
weeks now; I updated all nodes last Friday but the problem still exists.

Any help is appreciated!

Regards,
Eugen

-- 
Eugen Block                             voice   : +49-40-559 51 75
NDE Netzdesign und -entwicklung AG      fax     : +49-40-559 51 77
Postfach 61 03 15
D-22423 Hamburg                         e-mail  : eblock at nde.ag

         Chairwoman of the Supervisory Board: Angelika Mozdzen
           Registered office and registration court: Hamburg, HRB 90934
                   Executive Board: Jens-U. Mozdzen
                    VAT ID no. DE 814 013 983
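
The two FORWARD listings in the post differ only in the neutron-filter-top and neutron-linuxbri-FORWARD jump rules. The script below is an added example, not part of the original message: it reports which of those two targets are missing from `iptables -L FORWARD -nv` output. The function names and the embedded samples (the post's listings with wrapped lines rejoined) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): report which neutron jump rules
# are missing from the FORWARD chain.

# Targets the post's listing shows in FORWARD after the agent restart.
EXPECTED_TARGETS="neutron-filter-top neutron-linuxbri-FORWARD"

# Reads `iptables -L FORWARD -nv` output on stdin and prints each expected
# target that no rule in the chain jumps to (prints nothing when all exist).
missing_forward_targets() {
    awk -v expected="$EXPECTED_TARGETS" '
        BEGIN { n = split(expected, want, " ") }
        # Rule lines begin with packet and byte counters (possibly K/M/G
        # suffixed); the jump target is the third field.
        $1 ~ /^[0-9]+[KMG]?$/ && $2 ~ /^[0-9]+[KMG]?$/ { seen[$3] = 1 }
        END { for (i = 1; i <= n; i++) if (!(want[i] in seen)) print want[i] }
    '
}

# Constructed sample: first listing from the post, wrapped lines rejoined.
sample_before_restart() {
    cat <<'EOF'
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 nova-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 nova-compute-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0
EOF
}

# Constructed sample: second listing from the post, after the agent restart.
sample_after_restart() {
    cat <<'EOF'
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   14  1176 neutron-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   14  1176 neutron-linuxbri-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 nova-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 nova-compute-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0
EOF
}

# Live use on a compute node (needs root):
#   iptables -L FORWARD -nv | missing_forward_targets
for state in before_restart after_restart; do
    missing=$("sample_$state" | missing_forward_targets | tr '\n' ' ')
    echo "$state: missing targets: ${missing:-none}"
done
```

Run periodically on a compute node, a non-empty result marks the moment the neutron jump rules disappear, which can then be correlated with instance boot and delete events in the agent log.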