Revision 1: initial version
I just took a look at your paste; you haven't specified iptables rules. Ensure you have the GRE INPUT/OUTPUT rules too (refer below).
In my two node setup, I have these iptables rules, and I could reach Floating IPs from inside the Nova instances just fine.
[1] iptables on Controller node:
    [root@ostack-controller ~]# cat /etc/sysconfig/iptables
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 3260 -m comment --comment "001 cinder incoming" -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 80 -m comment --comment "001 horizon incoming" -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 9292 -m comment --comment "001 glance incoming" -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 5000,35357 -m comment --comment "001 keystone incoming" -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 3306 -m comment --comment "001 mariadb incoming" -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 6080 -m comment --comment "001 novncproxy incoming" -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 8770:8780 -m comment --comment "001 novaapi incoming" -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 9696 -m comment --comment "001 neutron incoming" -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 5672 -m comment --comment "001 qpid incoming" -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 8700 -m comment --comment "001 metadata incoming" -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 5900:5999 -j ACCEPT
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A INPUT -p gre -j ACCEPT
    -A OUTPUT -p gre -j ACCEPT
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    COMMIT
[2] iptables rules on Compute node:
    [root@ostack-compute ~(keystone_kashyap)]$ cat /etc/sysconfig/iptables
    # Firewall configuration written by system-config-firewall
    # Manual customization of this file is not recommended.
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 5900:5999 -j ACCEPT
    -A INPUT -p tcp --dport 22 -j ACCEPT
    -A INPUT -p gre -j ACCEPT
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A OUTPUT -p gre -j ACCEPT
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    COMMIT
And, here are my working Neutron configurations with OVS and GRE, two node setup: http://kashyapc.fedorapeople.org/virt/openstack/neutron-configs-GRE-OVS-two-node.txt
Revision 2
I just took a look at your paste; you haven't specified iptables rules. Ensure you have the GRE INPUT/OUTPUT rules too (refer below).
In my two node setup, I have these iptables rules, and I could reach Floating IPs from inside the Nova instances just fine.
[1] iptables on Controller node:
    [root@ostack-controller ~]# cat /etc/sysconfig/iptables
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 3260 -m comment --comment "001 cinder incoming" -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 80 -m comment --comment "001 horizon incoming" -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 9292 -m comment --comment "001 glance incoming" -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 5000,35357 -m comment --comment "001 keystone incoming" -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 3306 -m comment --comment "001 mariadb incoming" -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 6080 -m comment --comment "001 novncproxy incoming" -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 8770:8780 -m comment --comment "001 novaapi incoming" -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 9696 -m comment --comment "001 neutron incoming" -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 5672 -m comment --comment "001 qpid incoming" -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 8700 -m comment --comment "001 metadata incoming" -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 5900:5999 -j ACCEPT
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A INPUT -p gre -j ACCEPT
    -A OUTPUT -p gre -j ACCEPT
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    COMMIT
[2] iptables rules on Compute node:
    [root@ostack-compute ~(keystone_kashyap)]$ cat /etc/sysconfig/iptables
    # Firewall configuration written by system-config-firewall
    # Manual customization of this file is not recommended.
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 5900:5999 -j ACCEPT
    -A INPUT -p tcp --dport 22 -j ACCEPT
    -A INPUT -p gre -j ACCEPT
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A OUTPUT -p gre -j ACCEPT
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    COMMIT
Here are my working Neutron configurations with OVS and GRE, two node setup:
http://kashyapc.fedorapeople.org/virt/openstack/neutron-configs-GRE-OVS-two-node.txt
And, alternatively, you can do some tcpdump analysis on your various network devices. Here's a recent trace of some analysis I've done -- https://gist.github.com/kashyapc/7926517
Some commands to try for ICMP here (once you invoke an ICMP request from inside the Nova instance):
    $ tcpdump -i br-ex -n icmp
    $ tcpdump -i eth0 -n icmp
    $ tcpdump -i any -n icmp
    $ ip netns exec $ROUTER-NAMESPACE tcpdump -i any icmp
    $ tcpdump -i tape7110dba-a9 -n icmp
    $ tcpdump -envi br-int
    $ tcpdump -envi br-tun
Revision 3
I just took a look at your paste; you haven't specified iptables rules. Ensure you have the GRE INPUT/OUTPUT rules too (refer below).
In my two node setup, I have these iptables rules, and I could reach Floating IPs from inside the Nova instances just fine.
[1] iptables on Controller node:
    [root@ostack-controller ~]# cat /etc/sysconfig/iptables
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 3260 -m comment --comment "001 cinder incoming" -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 80 -m comment --comment "001 horizon incoming" -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 9292 -m comment --comment "001 glance incoming" -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 5000,35357 -m comment --comment "001 keystone incoming" -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 3306 -m comment --comment "001 mariadb incoming" -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 6080 -m comment --comment "001 novncproxy incoming" -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 8770:8780 -m comment --comment "001 novaapi incoming" -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 9696 -m comment --comment "001 neutron incoming" -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 5672 -m comment --comment "001 qpid incoming" -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 8700 -m comment --comment "001 metadata incoming" -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 5900:5999 -j ACCEPT
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A INPUT -p gre -j ACCEPT
    -A OUTPUT -p gre -j ACCEPT
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    COMMIT
[2] iptables rules on Compute node:
    [root@ostack-compute ~(keystone_kashyap)]$ cat /etc/sysconfig/iptables
    # Firewall configuration written by system-config-firewall
    # Manual customization of this file is not recommended.
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 5900:5999 -j ACCEPT
    -A INPUT -p tcp --dport 22 -j ACCEPT
    -A INPUT -p gre -j ACCEPT
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A OUTPUT -p gre -j ACCEPT
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    COMMIT
Here are my working Neutron configurations with OVS and GRE, two node setup: http://kashyapc.fedorapeople.org/virt/openstack/neutron-configs-GRE-OVS-two-node.txt
And, alternatively, you can do some tcpdump analysis on your various network devices. Here's a recent trace of some analysis I've done -- https://gist.github.com/kashyapc/7926517
Some commands to try for ICMP here (once you invoke an ICMP request from inside the Nova instance):
    $ tcpdump -i br-ex -n icmp
    $ tcpdump -i eth0 -n icmp
    $ tcpdump -i any -n icmp
    $ ip netns exec $ROUTER-NAMESPACE tcpdump -i any icmp
    $ tcpdump -i tape7110dba-a9 -n icmp
    $ tcpdump -envi br-int
    $ tcpdump -envi br-tun
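Rule order inside a chain matters as much as the rules themselves: iptables evaluates a chain top to bottom, so a rule appended after an unconditional terminating rule (an `-A INPUT -j REJECT ...` with no match) is never reached by a direct match. The script below is an added example, not code from the answer above or from OpenStack; it parses the `*filter` table in the format `/etc/sysconfig/iptables` and `iptables-save` use and reports, for INPUT and OUTPUT, whether a `-p gre -j ACCEPT` rule exists and whether it is reachable. The two sample rulesets are constructed; the first is ordered like the controller ruleset above and is reported as shadowed on INPUT, the second is ordered like the compute ruleset and is reported as reachable.

```python
"""Reachability check for GRE ACCEPT rules in an iptables-save style ruleset.

Added example (not from the original answer). Reads the *filter table in the
format written by iptables-save / /etc/sysconfig/iptables and, for INPUT and
OUTPUT, reports whether a "-p gre -j ACCEPT" rule exists and whether it can
ever match, i.e. is not preceded in the same chain by an unconditional
DROP/REJECT.
"""
import shlex
import sys


class Rule:
    """One -A rule: chain, match tokens (everything before -j) and jump target."""

    def __init__(self, chain, match, target):
        self.chain = chain
        self.match = match
        self.target = target

    @property
    def protocol(self):
        for i, tok in enumerate(self.match):
            if tok in ("-p", "--protocol") and i + 1 < len(self.match):
                return self.match[i + 1].lower()
        return None

    @property
    def unconditional(self):
        # No match tokens at all: the rule applies to every packet in the chain.
        return not self.match


def parse_filter_rules(text):
    """Return the -A rules of the filter table, in file order."""
    rules = []
    table = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#:" or line == "COMMIT":
            continue
        if line.startswith("*"):
            table = line[1:]
            continue
        if table not in (None, "filter"):  # skip nat/mangle/raw tables
            continue
        toks = shlex.split(line)  # keeps quoted --comment values as one token
        if len(toks) < 2 or toks[0] != "-A":
            continue
        chain, rest = toks[1], toks[2:]
        if "-j" in rest:
            j = rest.index("-j")
            match, target = rest[:j], (rest[j + 1] if j + 1 < len(rest) else None)
        else:
            match, target = rest, None
        rules.append(Rule(chain, match, target))
    return rules


def gre_rule_status(rules, chain):
    """'ok' if a reachable GRE ACCEPT rule exists in chain, 'shadowed' if one
    exists but sits below an unconditional DROP/REJECT, 'missing' otherwise."""
    blocked = False
    for r in rules:
        if r.chain != chain:
            continue
        if r.protocol == "gre" and r.target == "ACCEPT":
            return "shadowed" if blocked else "ok"
        if r.unconditional and r.target in ("DROP", "REJECT"):
            blocked = True
    return "missing"


def check_gre(text):
    rules = parse_filter_rules(text)
    return {chain: gre_rule_status(rules, chain) for chain in ("INPUT", "OUTPUT")}


# Constructed sample rulesets (shortened, not copied from any real host).
SHADOWED_GRE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 9696 -m comment --comment "001 neutron incoming" -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p gre -j ACCEPT
-A OUTPUT -p gre -j ACCEPT
COMMIT
"""

REACHABLE_GRE = """\
*filter
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p gre -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -p gre -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    # Usage: python check_gre.py /etc/sysconfig/iptables, or pipe iptables-save into it.
    if len(sys.argv) > 1:
        text = open(sys.argv[1]).read()
    elif not sys.stdin.isatty():
        text = sys.stdin.read()
    else:
        text = SHADOWED_GRE
    for chain, status in check_gre(text).items():
        print(f"{chain}: GRE ACCEPT {status}")
```

The check only looks at the filter table and at rules that match by `-p`; a GRE rule hidden behind a `-m state`/`-m conntrack` rule, or GRE traffic admitted indirectly through the ESTABLISHED,RELATED rule, is outside its scope, so treat "shadowed" as a prompt to look at the chain order rather than as proof that tunnels are down.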