Can't reach metadata server from VM running in single instance setup

Adrian Smith

I've set up a single node Nova VM using these instructions from ilearnstack. The problem is that instances launched in this environment aren't able to access the metadata server. With CirrOS the error is,

cloudsetup: checking
wget: can't connect to remote host ( No route to host

The VM is successfully receiving an IP address.

Since this setup doesn't seem to run an L3 agent I tried setting enable_isolated_metadata = True in /etc/quantum/dhcp_agent.ini (as per this message). That didn't make any difference.

I'm guessing there's something fundamentally wrong with what I've done as I can't ping the VM from within the host (I presume that should be possible?).

Edit: some additional details and questions: Routing table included below. When I launch a VM I can't ping the VM from the host node (I've updated the security groups to allow ICMP messages). I'm using vlan tenant network types. An eth1.1000 device is created by quantum for this purpose. I was wondering though, will the L2 agent drop incoming messages on eth1 if they're not tagged with the 1000 vlan id (which presumably they won't if I'm pinging from the host)?

Some details about the environment,

The Nova VM has three NICs,

# Host-only network
auto eth0
iface eth0 inet static

# Internal network
auto eth1
iface eth1 inet static

# NAT network
auto eth2
iface eth2 inet dhcp

Other Details,

  • Using Linux Bridge
  • When I launched a VM the host node got 5 new network devices, ns-c056d062-7e (, tap31db1cf1-05, tapc056d062-7e, brq08772967-38 (bridging the previous devices) and eth1.1000

Bridge Details,

# brctl show
bridge name      bridge id          STP enabled   interfaces
brq08772967-38   8000.080027872ea9  no            eth1.1000

Routes on Host:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
                                                UG    100    0        0 eth2
                                                U     0      0        0 eth2
                                                U     0      0        0 eth0
                                                U     0      0        0 eth1
                                                U     0      0        0 virbr0

This routing table looks wrong to me. The VM I created is attached to eth1 (well eth1.1000). I guess this means I should have a route for the VM network ( going to eth1. I created that route using route add -net dev eth1, and tried pinging again. I still don't get a response. Using tcpdump -n -i eth1 I can see the arp requests. However there's no ...

Just for troubleshooting, can you put firewall_driver=nova.virt.firewall.NoopFirewallDriver in nova.conf? After changing it, restart the nova services, then try to ping the VM. I suspect something is blocking at the iptables level; we need to isolate the issue.

Ashokb

I set the firewall_driver, restarted all services and created a new VM. Still no luck unfortunately. I still can't ping or reach the VM from the host. I also tried using "quantum security-group-rule-create" to allow ICMP and SSH traffic but no joy.

Adrian Smith

OK, as a final try do a #iptables -F, then try to ping. It could work. I do hope that the VM received the DHCP IP.

Ashokb

answered 2013-07-01 10:23:39 -0500

Arfghl

I think it is not possible for the Cirros image to contact the metadata service on a flat network because DHCP option 121 is not available for this image. Try with an Ubuntu image, for example, and be sure that you have this line in your nova.conf ([NETWORK]): service_quantum_metadata_proxy=true

I've tried this with no luck unfortunately. The error is, [WARNING]: '' failed [3/120s]: url error [[Errno 113] No route to host]

I presume the setting 'quantum_metadata_proxy_shared_secret' would have no bearing at this stage?

Adrian Smith

Try to see in your nova-api log if the metadata server gets a request from your VM. And be sure you can reach your VM from your compute node, because OpenStack does not configure this for you.

Arfghl

There doesn't appear to be anything metadata related in the nova-api log. Your second suggestion is interesting. I can't ping the VM from the host. I've included more details/questions above as space is limited here.

Adrian Smith

Doesn't an APIPA address suggest a NIC / HA which isn't getting either DHCP or a manually defined IP address, and therefore it parks itself over in 169.254 where it's out of the way and won't interfere with IP traffic?

Kiloseven

answered 2013-07-01 12:26:11 -0500

Ashokb

Don't use Cirros; it has an open bug regarding stateless route pushing. At present, metadata push for Cirros can only happen through a router. If you use the Precise Ubuntu image, then the push can happen through DHCP.

