External connectivity to/from cirros guest-vm

asked 2017-12-22 03:56:32 -0600

holger-king

updated 2017-12-22 04:33:55 -0600

Dear OpenStack community,

after having deployed an all-in-one approach based on version PIKE of "Red Hat Distributed OpenStack" (RDO) via this Packstack answer file we observe when:

  • launching a cirros guest image
  • assigning it a floating IP
  • enabling ICMP ingress/egress traffic for the assigned security group

the guest VM can neither be pinged from outside, nor is it possible to ping the default GW within the machine.

Interestingly, port "qg-53bb2acb-e4" of the router (see the "ip netns exec" command) is attached to the internal Open vSwitch bridge called "br-int" instead of "br-ex", although the BCN network is marked "external"?

Hint: we rely on the "openvswitch" setting for:

CONFIG_NEUTRON_ML2_MECHANISM_DRIVERS=openvswitch

So, the OVN-specific configuration settings in the Packstack answer file are dispensable!

Maybe there is a misconfiguration in the answer file that we haven't found yet. Maybe we have to tell Packstack in the answer file to configure the Open vSwitch external bridge for an all-in-one deployment via:

CONFIG_PROVISION_OVS_BRIDGE=y

Currently, we use "n" here.

Additionally, the following configuration directive is of interest, too:

CONFIG_NEUTRON_OVS_BRIDGES_COMPUTE

Currently, it has no setting! Whether that's right or wrong, we do not know exactly.

Can anybody help us?


Comments

It is correct that the qg interface is connected to br-int. Flows in br-int forward packets from qg to int-br-ex (and vice-versa), which is patched to phy-br-ex.

Suggested reading: https://assafmuller.com/category/dvr. It's about DVR but also useful for understanding the wiring in general.

Bernd Bausch ( 2017-12-22 04:35:49 -0600 )

On my DevStack system, I have this route in the router namespace:

default via 172.24.4.1 dev qg-1153cdb8-e5

Which you are lacking.

Bernd Bausch ( 2017-12-22 04:42:49 -0600 )

Can you check if br-ex is up and has the right IP address? E.g.:

$ ip addr show dev br-ex

If you see DOWN and/or no IP address, there is your problem.

Bernd Bausch ( 2017-12-22 04:44:14 -0600 )

We see:

$ ip addr show dev br-ex
6: br-ex: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN qlen 1000
    link/ether 00:50:56:86:63:10 brd ff:ff:ff:ff:ff:ff
    inet 10.116.64.10/24 brd 10.116.64.255 scope global br-ex
       valid_lft forever preferred_lft for

holger-king ( 2017-12-22 06:01:29 -0600 )

Interesting is the state UNKNOWN of device "br-ex". When checking "br-int" we see it's down:

$ ip addr show dev br-int
5: br-int: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 22:18:ac:b0:d8:4e brd ff:ff:ff:ff:ff:ff

Strange - as packstack creates both!

holger-king ( 2017-12-22 06:10:45 -0600 )
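
The two checks suggested in the comments (br-ex must not be DOWN and must carry an IP address; the router namespace needs a default route), as an added shell example that is not part of the original thread. The DOWN bridge and the route table without a default route are constructed samples; `qg-example`, the 192.0.2.x addresses and the function names are assumptions made for illustration.

```shell
# Added example, not from the thread: the comments' two checks, run over
# captured command output so they can be tried offline.

# Reads `ip addr show dev <bridge>` output on stdin and prints
# "down" (state DOWN), "no-ip" (no inet line) or "ok".
check_link() {
    awk '
        / state DOWN / { down = 1 }
        $1 == "inet"   { ip = 1 }
        END {
            if (down)     print "down"
            else if (!ip) print "no-ip"
            else          print "ok"
        }'
}

# Reads `ip route` output on stdin; succeeds if a default route exists.
has_default_route() {
    grep -q '^default via '
}

# First three lines of the br-ex output posted in the thread.
sample_brex() {
    cat <<'EOF'
6: br-ex: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN qlen 1000
    link/ether 00:50:56:86:63:10 brd ff:ff:ff:ff:ff:ff
    inet 10.116.64.10/24 brd 10.116.64.255 scope global br-ex
EOF
}

# Constructed: a bridge that is DOWN and has no address.
sample_brex_down() {
    cat <<'EOF'
6: br-ex: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
EOF
}

# Constructed: a router-namespace route table without a default route.
sample_routes_missing() {
    echo '192.0.2.0/24 dev qg-example proto kernel scope link src 192.0.2.10'
}

echo "br-ex (thread output): $(sample_brex | check_link)"
echo "br-ex (constructed):   $(sample_brex_down | check_link)"
if sample_routes_missing | has_default_route; then
    echo "default route present"
else
    echo "no default route"
fi
```

On a live node, pipe `ip addr show dev br-ex` into `check_link`, and the `ip route` output obtained through `ip netns exec` in the router namespace into `has_default_route`.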