Ask Your Question
0

No access between provider and tenant networks

asked 2012-12-07 17:49:34 -0500

rrolim gravatar image

Hi,

I've installed Openstack in a controller/compute two node structure according to Emilien Macchi's Folsom install guide ( http://docs.openstack.org/folsom/basic-install/content (http://docs.openstack.org/folsom/basi...) ) and later changed the configuration to use namespaces. Most things seem fine, except that from a computer on the external network I'm unable to ping either the router's external network interface on the controller node or the floating IP that should lead me to the VMs on the internal (tenant) network. The same holds true in the opposite direction: VMs cannot ping any computers on the external (provider) network.

On the controller node I have eth0 bridged to the external network: br-ex has IP address 192.168.100.224/24 and eth0 has no IP. My virtual router's interface on this network is 192.168.100.225 and the provider network gateway is 192.168.100.254. There's also a floating IP configured as 192.168.100.226, connecting to a VM out of 10.5.5.3/24.

From another computer I can ping 192.168.100.224 (br-ex), but not the floating IP or the router's gateway interface (192.168.100.225). Secgroup rules have been added but didn't help.

From the controller node itself, I can ping any of these external network addresses when I don't use a namespace name. When I'm in the qrouter- namespace, I can ping all IP addresses that belong to the controller's external network as well, but cannot access any other computer in the external network. Also, I can ping VMs if I'm in the dhcp- namespace.

From a VM's perspective, I can ping any IP address on the controller external network (.224, .225 and .226), but nothing on another host (the external network gateway, for instance). VMs can ping each other.

I've pasted quite a lot of output about my setup here so that I could be as clear as possible: http://paste.openstack.org/show/27583/

If anyone could help me on this issue I would be grateful. I've spent an awful lot of time for the past several days trying to figure out what could be wrong with this interconnection problem, but couldn't find anything that would solve it. Any direction on this matter will be much appreciated. Thanks.

edit retag flag offensive close merge delete

2 answers

Sort by ยป oldest newest most voted
0

answered 2012-12-09 17:30:23 -0500

rrolim gravatar image

I've solved the problem. It turns out that my virtualization software was silently ignoring my guest OS request to set the virtual NIC in promiscuous mode. Other computers in the external network couldn't reach the virtual router's gateway port or floating IPs because the external interface (eth0), not being in promiscuous mode, was not accepting packets to other MAC addresses and hence the bridge was not taking traffic to all attached interfaces.

Reading about network namespaces on the lxc site e trying out their step-by-step configuration with ethernet bridges ( http://lxc.sourceforge.net/index.php/about/kernel-namespaces/network/configuration/ (http://lxc.sourceforge.net/index.php/...) ) I noticed that the behavior I was observing was not the expected result. Even without any OpenStack component installed, I couldn't ping other computers on the external network from a secondary namespace and, conversely, couldn't ping an interface in this secondary namespace from another computer but only the bridge IP address. Exactly the same problem I was having with my OpenStack setup.

The bottom line is that if you can't access interfaces in different namespaces from different computers you should check if your virtualization software is configured to allow promiscuous mode on that VM. Since so many people try out OpenStack on virtual machines it's a bit surpring not to see such remark on any installation guide. I bet others have run into the same kind of problem. Anyway now I understand the basics of how Quantum works with namespaces and hope this little tip can save others the same troubles I met.

edit flag offensive delete link more
0

answered 2012-12-27 09:43:49 -0500

hyunsun-moon gravatar image

Thanks Ricardo. I solved the same issue with your comments.

FYI. I tested openstack and quantum on VMs runs on ESXi and got the exactly the same problem with Ricardo. Ping to the qg-xx interface, which resides in a different namespace from the root, failed from external. It only worked inside the same host. Gateway IP and floating IPs were set successfully and I set routing rules properly. By changing vswitch settings on vsphere client, it just worked well.

Refer to this link(http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1004099) to set your VM's network interfaces to promiscuous mode, in case of you're using ESXi.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower

Stats

Asked: 2012-12-07 17:49:34 -0500

Seen: 389 times

Last updated: Dec 27 '12