2

Allowing guests in DevStack to talk to outside world

asked 2013-06-04 23:03:38 -0500

radix

updated 2013-06-04 23:25:35 -0500

I'm running DevStack in a minimal Ubuntu 12.04 KVM to test and learn about how to deploy a development environment for hacking on OpenStack.

I've found the most success with using Quantum instead of nova-network; if I use nova-network, I can't route ("No route to host") from the openstack host to the guests. With quantum, I can. The guests can also route to each other.

However, the other direction doesn't fully work. The guests can talk to the host on its br-ex IP (172.24.4.225), but everything past that (towards the Internet) is black-holed.

Is it expected that guests in a devstack should be able to route all the way out to the Internet, assuming their host has Internet access? Do I need to set up additional routes or iptables rules to allow this? I'm using no localrc configuration that should affect networking other than using quantum instead of nova-network.

disable_service n-net
enable_service q-svc
enable_service q-agt
enable_service q-dhcp
enable_service q-l3
enable_service q-meta
enable_service quantum

DATABASE_PASSWORD=db123
RABBIT_PASSWORD=rabbit123
SERVICE_TOKEN=servicetoken123
SERVICE_PASSWORD=servicepassword123
ADMIN_PASSWORD=keystone123

My route table:

radix@devstack-lts:~/devstack$ ip route
default via 192.168.122.1 dev eth0  metric 100 
10.0.0.0/24 via 172.24.4.226 dev br-ex 
172.24.4.224/28 dev br-ex  proto kernel  scope link  src 172.24.4.225 
192.168.122.0/24 dev eth0  proto kernel  scope link  src 192.168.122.90

Thanks!


2 answers

2

answered 2013-06-05 10:27:44 -0500

radix

sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

0

answered 2013-06-05 08:45:59 -0500

darragh-oreilly

updated 2013-06-05 08:48:52 -0500

172.24.4.225 is part of RFC 1918 and so is not publicly routable. Packets with this source address must be SNATed again with a public IP so hosts on the Internet can send packets back to you. If you are on a company network, then you will need help from your networking people. If you are working from home, then you will need to ensure that outbound packets get to your home router and it SNATs them with the public IP your ISP has allocated to you - this might be happening already. Run tcpdump on the NIC on the physical host to see if packets are leaving with source IP 172.24.4.225 and the destination MAC of your home router. You will need to add a static route on the home router so it knows to send inbound packets (from the Internet) (destination IP = 172.24.4.225/32 or 172.24.4.224/28) to the physical machine. The physical host will need to have IP forwarding enabled and its firewall needs to allow this traffic.


Comments

Thanks for your answer, Darragh. (Sorry, didn't realize hitting enter would save my post...) I'm doing this from home. I'm surprised you think I'll have to change the configuration of my physical router - isn't it possible to just set up NAT with iptables on the devstack host? It has Internet access.

radix (2013-06-05 09:07:32 -0500)

The physical router does not know about the 172 network and does not have a route for it - so you have to add it. This should be easy with the router's web GUI. Yes - alternatively you could SNAT or masquerade the packets again to the IP of the host (then 3 levels of NAT) - more difficult though.

darragh-oreilly (2013-06-05 09:43:36 -0500)

Yeah, it turns out the solution was simple: sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE.

radix (2013-06-05 10:27:19 -0500)
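
Added example (not part of the original thread): the rule posted above masquerades everything that leaves eth0. This dry-run sketch reads the route table from the question, derives the egress interface and the br-ex subnet, and prints a MASQUERADE rule scoped to that subnet together with the IP forwarding and FORWARD rules the second answer mentions. The function names are hypothetical, and it assumes guest traffic reaches the host already SNATed into the br-ex subnet.

```shell
#!/bin/sh
# Added example, dry run only: prints commands, applies nothing.
# Constructed sample: the route table posted in the question.
SAMPLE_ROUTES='default via 192.168.122.1 dev eth0  metric 100
10.0.0.0/24 via 172.24.4.226 dev br-ex
172.24.4.224/28 dev br-ex  proto kernel  scope link  src 172.24.4.225
192.168.122.0/24 dev eth0  proto kernel  scope link  src 192.168.122.90'

# egress_if ROUTES: print the device named after "dev" on the default route.
egress_if() {
    printf '%s\n' "$1" | awk '$1 == "default" {
        for (i = 2; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# bridge_net ROUTES BRIDGE: print the subnet directly connected to BRIDGE.
# Assumption: guest traffic reaches the host already SNATed into this subnet.
bridge_net() {
    printf '%s\n' "$1" | awk -v br="$2" \
        '$1 ~ /\// && $2 == "dev" && $3 == br { print $1; exit }'
}

# emit_rules ROUTES BRIDGE: print forwarding plus NAT/FORWARD rules limited
# to the bridge subnet; fail if either value cannot be derived.
emit_rules() {
    ext=$(egress_if "$1")
    net=$(bridge_net "$1" "$2")
    if [ -z "$ext" ] || [ -z "$net" ]; then
        echo "cannot derive egress interface or bridge subnet" >&2
        return 1
    fi
    echo "sysctl -w net.ipv4.ip_forward=1"
    for r in \
        "nat POSTROUTING -s $net -o $ext -j MASQUERADE" \
        "filter FORWARD -s $net -o $ext -j ACCEPT" \
        "filter FORWARD -d $net -i $ext -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    do
        t=${r%% *}      # table name (first word)
        spec=${r#* }    # chain and match specification (the rest)
        # -C checks for an existing rule so reruns do not append duplicates.
        echo "iptables -t $t -C $spec 2>/dev/null || iptables -t $t -A $spec"
    done
}

emit_rules "$SAMPLE_ROUTES" br-ex
```

Review the printed commands before running them as root. Because -A appends, an earlier REJECT or DROP rule in the FORWARD chain would still take precedence.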


Stats

Asked: 2013-06-04 23:03:38 -0500

Seen: 4,407 times

Last updated: Jun 05 '13