[Openstack] Instances do not have access to internet

Artem Plakunov artacc at lvk.cs.msu.su
Thu Sep 29 11:59:57 UTC 2016


You are right, the router must have an interface in the external network, and
the external network must have a subnet.

How exactly did you try to create the subnet? I guess using a CLI command?
It looks like you didn't specify the network which the new subnet should
belong to.

Try following this doc about creating an external network subnet:
http://docs.openstack.org/juno/install-guide/install/apt/content/neutron_initial-external-network.html

If you're still getting any errors, look into the logs for details:
/var/log/neutron/server.log or /var/log/neutron-all.log

29.09.2016 13:07, Imran Khakoo wrote:
> Hi there,
> I deleted all the rules and added them back one by one, seeing if each 
> change suddenly allowed connectivity. No improvement, unfortunately.
>
> My current rules:
>
> Direction  Ether Type  IP Protocol  Port Range  Remote IP Prefix  Remote Security Group
> Ingress    IPv4        ICMP         Any         0.0.0.0/0         -
> Egress     IPv4        ICMP         Any         0.0.0.0/0         -
> Ingress    IPv4        TCP          1 - 65535   0.0.0.0/0         -
> Egress     IPv4        TCP          1 - 65535   0.0.0.0/0         -
> Ingress    IPv4        TCP          1 - 65535   -                 default
> Egress     IPv4        TCP          1 - 65535   -                 default
>
> Displaying 6 items
>
> Going back to my instances, pinging google:
>
> ubuntu@throwaway:~$ ping 8.8.8.8
> PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
> From 10.10.0.1 icmp_seq=17 Destination Net Unreachable
> From 10.10.0.1 icmp_seq=18 Destination Net Unreachable
>
>
> ubuntu@throwaway:~$ ip route
> default via 10.10.0.1 dev eth0
> 10.10.0.0/16 dev eth0  proto kernel  scope link  src 10.10.0.4
> 169.254.169.254 via 10.10.0.1 dev eth0
>
> ubuntu@throwaway:~$ ip neigh
> 10.10.0.2 dev eth0 lladdr fa:16:3e:d7:e1:d5 STALE
> 10.10.0.1 dev eth0 lladdr fa:16:3e:7c:cf:b1 REACHABLE
> 10.10.0.3 dev eth0 lladdr fa:16:3e:13:c8:8b STALE
>
> So the gateway is 10.10.0.1 and the VM can reach it, but it somehow 
> can't route to 8.8.8.8. Looking at my openstack router, I notice that 
> it doesn't have a public IP address, only an internal one.
>
> Name             Fixed IPs  Status  Type                Admin State
> (af24a36f-6790)  10.10.0.1  Active  Internal Interface  UP
>
> From other advice I received, the router should have both a public 
> interface and a private one. So when I try to add a public interface, 
> it requires me to first add a subnet.
>
> So I'm guessing I should be creating a subnet on the ext_net, in order 
> to attach the external interface to it. I get the following error:
> Error: Failed to create subnet "172.26.1.0/24" for network "None": The
> resource could not be found. Neutron server returns request_ids:
> ['req-0e2edc22-c6a8-4038-89fd-26feb25393c6']
>
>
>
>
> On Wed, Sep 28, 2016 at 7:23 PM, Turbo Fredriksson <turbo at bayour.com> wrote:
>
>     On Sep 28, 2016, at 5:32 PM, Imran Khakoo wrote:
>
>     > I did add this rule to default security group, that was the first thing
>     > before I even launched an instance.
>
>     Yeah, that should have done it.
>
>     > Egress  IPv4 Any  Any         0.0.0.0/0 -
>     > Egress  IPv4 ICMP Any         -         default
>     > Egress  IPv4 TCP   80 (HTTP)  -         default
>     > Egress  IPv4 TCP  443 (HTTPS) -         default
>     > Ingress IPv4 Any  Any         -         default
>     > Ingress IPv4 ICMP Any         0.0.0.0/0 -
>     > Ingress IPv4 TCP   22 (SSH)   0.0.0.0/0 -
>
>     What strikes me is the sixth column. It is/should be the "Remote
>     Security Group" column.
>
>     I'm a little unsure on how to use that, but if all those rules come from
>     the 'default' security group, then you'll probably end up with a loop
>     or something..
>
>
>     But because of the two Any/Any rules, you would not need the 80/443
>     rules. Nor the 22 one.
>     --
>     Life sucks and then you die
>
>
>
>
> _______________________________________________
> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to     : openstack at lists.openstack.org
> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
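
The checks discussed in this thread, written out as an added example that is not part of any message above: given the security group rules, the router, and the networks and subnets, it lists what stops an instance from reaching 8.8.8.8. The dictionary keys follow the Neutron API resource fields; the ids and the name "private" are constructed placeholders, and only the egress rules from the posted table are included.

```python
import ipaddress

def egress_allowed(rules, dest_ip, protocol):
    """True if an egress rule permits `protocol` to `dest_ip` (CIDR match)."""
    dest = ipaddress.ip_address(dest_ip)
    for r in rules:
        if r["direction"] != "egress" or r["protocol"] not in (None, protocol):
            continue
        prefix, group = r.get("remote_ip_prefix"), r.get("remote_group_id")
        if prefix is None and group is None:
            return True  # no remote filter: any destination
        if prefix and dest in ipaddress.ip_network(prefix):
            return True
    return False

def diagnose(router, networks, subnets, rules, dest_ip="8.8.8.8", protocol="icmp"):
    """List the reasons an instance behind `router` cannot reach dest_ip."""
    findings = []
    if not egress_allowed(rules, dest_ip, protocol):
        findings.append("security group blocks egress")
    external = [n for n in networks if n.get("router:external")]
    if not external:
        findings.append("no external network")
    for net in external:
        if not any(s["network_id"] == net["id"] for s in subnets):
            findings.append(f"external network {net['name']} has no subnet")
    gw = router.get("external_gateway_info")
    if not gw:
        findings.append("router has no external gateway")
    elif gw["network_id"] not in {n["id"] for n in external}:
        findings.append("router gateway is not on an external network")
    return findings

# Constructed sample mirroring the thread; the ids are placeholders.
RULES = [
    {"direction": "egress", "protocol": "icmp", "remote_ip_prefix": "0.0.0.0/0"},
    {"direction": "egress", "protocol": "tcp", "remote_ip_prefix": "0.0.0.0/0"},
    {"direction": "egress", "protocol": "tcp", "remote_group_id": "default"},
]
NETWORKS = [
    {"id": "net-private", "name": "private", "router:external": False},
    {"id": "net-ext", "name": "ext_net", "router:external": True},
]
SUBNETS = [{"network_id": "net-private", "cidr": "10.10.0.0/16"}]
ROUTER = {"name": "router", "external_gateway_info": None}

if __name__ == "__main__":
    print(diagnose(ROUTER, NETWORKS, SUBNETS, RULES))
```

With the sample state the security group rules pass and the two findings are the ones named in the reply at the top: no subnet on the external network and no gateway on the router.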
