Ask Your Question
0

Can't ping/ssh new build instaces but with the old ones everything is ok

asked 2018-03-13 16:38:42 -0600

magdallena gravatar image

Hello,

I've been debugging for days and can't find what the problem is. I have the Newton version and everything was working fine but after doing an update I noticed that something is wrong. When I try to build a new instance, the instance is build and active, gets an ip adress and everything looks fine but when i try to ping/ssh it says "Destination host unreachable". I can ping the compute node from the controller but the compute node can not see(ping) the new build instance on it. I tried building on other compute node but it is the same. Everything is ok between the controller and the compute node because they can see each other (they can ping themselves).When i checked the arp table on the compute node the entry for the new instance is incomplete and after trying to force the entry to be in the table nothing change. In the logs there isn't any particular error, only some warnings.

Please write back if you had similar problem or if you may think that you know what the problem is.

edit retag flag offensive close merge delete

Comments

What kind of update was it? OS update or OpenStack update? Are your instances in self-service networks or in provider networks? In our cloud, instances are not supposed to ping the management network (controller/compute nodes), this is configured on switch level, of course.

eblock gravatar imageeblock ( 2018-03-15 05:21:56 -0600 )edit

Can you paste output of

egrep -ve "^#|^$" /etc/neutron/plugins/ml2/ml2_conf.ini

from control node?

eblock gravatar imageeblock ( 2018-03-15 05:22:15 -0600 )edit

4 answers

Sort by ยป oldest newest most voted
0

answered 2018-03-26 16:14:12 -0600

magdallena gravatar image

@eblock Here is the output of the command: egrep -ve "^#|^$" /etc/neutron/plugins/ml2/ml2_conf.ini [DEFAULT] [ml2] type_drivers = flat,vlan,vxlan tenant_network_types = vxlan mechanism_drivers = linuxbridge,l2population extension_drivers = port_security [ml2_type_flat] flat_networks = provider [ml2_type_geneve] [ml2_type_gre] [ml2_type_vlan] [ml2_type_vxlan] vni_ranges = 1:1000 [securitygroup] enable_ipset = True

It was an upgrade of all available packages on the controller node and the compute nodes (with apt-get). The instances are on the provider network i know that they can't ping on the selfservice network. I've tried bulding instance in the selfservice network and assign a floating ip address, but the problem remains the same.

@ripple Yes the security group is the same (the default) and icmp messages are allowed. I used the same security group with the old instances (build before the upgrade) that are pingable and ok. I don't use OVS, I use linux bridge. These interfaces are up:eth0, brqbc, these are down: wlan0, virbr0, virbr0-nic and vxlan20, lo and tap are unknown.

After doing restart on glance and nova services and change glance version to 2.6.0 i managed to build only one new instance that is pingable but i can't ssh in it(destination host unrechable). But i still can't build another new instance (i mean after building another one the problem is the same - i can't ping it)

edit flag offensive delete link more
0

answered 2018-04-12 13:40:20 -0600

Hello,

Firstly, you should check network you assigned to instance. Normally, compute node can't ping instances working on it if instances has no network gw access to control plane network.

Can you please run

neutron net-show <network-id-assigned-to-instance>

?

You said that instance got ip but are you sure about that? Can you please confirm by using ifconfig command in instance? Is dhcp enabled?

Just create another instance with same network on different compute if you have a chance and try to ping them.

If you think that ip's can access to each other, you should check security groups as a last item.

If you can provide more detail, we may help. Thanks.

edit flag offensive delete link more
0

answered 2018-04-01 11:38:39 -0600

yas gravatar image

Hello @magdallena . Your problem could have different causes. I suggest you try the following tips:

  1. Verify the security groups (make sure that the ingress and the egress rules allow icmp)
  2. create networks using CLI (Horizon has problems creating functional networks (I've experienced that few months ago))
  3. Try to use the default cirros image (maybe the image that you are using is misconfigured snapshot)
  4. Verify the Gateway ip (make sure that you correctly configured the instances to use the correct gateway ip)
  5. If you use Neutron router make sure that the router's interfaces that are linking the instance and the external network are active and the external interface can be pinged from outside Openstack if so try to ping the instance from the eutron router using the following command :

       ip netns exec qrouter-ROUTER_ID ping IP_ADDRESS_OF_THE_INSTANCE
    
  6. Verify that your provider network is correctly configured

edit flag offensive delete link more
0

answered 2018-03-15 15:34:20 -0600

rlpple gravatar image

First to recap: Existing Instances : Can be pinged from the network namespace on the controllers. New Instances in the same tenant/project on the same network: From the same location the ping fails.

I have seen this behavior before during an Update.
Things to look at:

  • Are the instances using the same security group?
    • You can try
    • sudo -i
    • ifdown eth0 ; ifup eth0 ; ifdown br-ex ; ifup br-ex ; ifup vlan10

If that works it may be related to https://review.openstack.org/#/c/395854/

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

2 followers

Stats

Asked: 2018-03-13 16:38:42 -0600

Seen: 81 times

Last updated: Apr 01 '18