Ask Your Question
0

can't ping/ssh floating ip of instance

asked 2014-04-27 08:36:06 -0500

alphazhang gravatar image 
Environment: Centos6.5+RDO+havana

I create a instace successfully with (public ip:192.168.226.101,private ip:10.10.10.2). I can ping private ip but I can't ping public ip.  I found following information from my dashboard. status of 192.xxx.xxx.xxx are DOWN, status of 10.xx.xx.xx are Active. I'm a newer for openstack.could some help to tell me the solution? or you can tell me how to debug this issue?


(02b8a649)      192.168.226.100 network:router_gateway  DOWN    UP  Edit Port
(566a3ad7)      192.168.226.102 network:floatingip  DOWN    UP  Edit Port
(660d4ae8)      192.168.226.101 network:floatingip  DOWN    UP  Edit Port


private net interface
(29c7c3bb)      10.10.10.2          compute:nova                    ACTIVE  UP  Edit Port
(3055a9a8)      10.10.10.1          network:router_interface    ACTIVE  UP  Edit Port
(a6a7d763)      10.10.10.254    network:router_interface    ACTIVE  UP  Edit Port
(f8781dd1)      10.10.10.3          network:dhcp                    ACTIVE  UP  Edit Port


[root@alpha ~(keystone_admin)]# openstack-status
== Nova services ==
openstack-nova-api:                     active
openstack-nova-cert:                    active
openstack-nova-compute:                 active
openstack-nova-network:                 dead      (disabled on boot)
openstack-nova-scheduler:               active
openstack-nova-conductor:               active
== Glance services ==
openstack-glance-api:                   active
openstack-glance-registry:              active
== Keystone service ==
openstack-keystone:                     active
== Horizon service ==
openstack-dashboard:                    active
== neutron services ==
neutron-server:                         active
neutron-dhcp-agent:                     active
neutron-l3-agent:                       active
neutron-metadata-agent:                 active
neutron-lbaas-agent:                    inactive  (disabled on boot)
neutron-openvswitch-agent:              active
== Swift services ==
openstack-swift-proxy:                  active
openstack-swift-account:                active
openstack-swift-container:              active
openstack-swift-object:                 active
== Cinder services ==
openstack-cinder-api:                   active
openstack-cinder-scheduler:             active
openstack-cinder-volume:                active
== Ceilometer services ==
openstack-ceilometer-api:               active
openstack-ceilometer-central:           active
openstack-ceilometer-compute:           active
openstack-ceilometer-collector:         active
openstack-ceilometer-alarm-notifier:    active
openstack-ceilometer-alarm-evaluator:   active
== Support services ==
mysqld:                                 active
libvirtd:                               active
openvswitch:                            active
messagebus:                             active
tgtd:                                   active
qpidd:                                  active
memcached:                              active
== Keystone users ==
+----------------------------------+------------+---------+--------------------------+
|                id                |    name    | enabled |          email           |
+----------------------------------+------------+---------+--------------------------+
| 203938cc33b440f0b11927fd025c53f4 |   admin    |   True  |      test@test.com       |
| c7d5dbd22f5549689cd118484f7afacb |   alphaz   |   True  | alpha.zhang@centling.com |
| c1366e2f3cc94e558861fa6b08d84914 | ceilometer |   True  |   ceilometer@localhost   |
| 442cb4e41ec344cf8d9e418f40450f18 |   cinder   |   True  |     cinder@localhost     |
| 67600fa19a62438d8f67f0378595c71c |   glance   |   True  |     glance@localhost     |
| 6aa5560877864193a080557dca52b0d8 |  neutron   |   True  |    neutron@localhost     |
| f4e4f3783b0f484fb8f14aa95064f249 |    nova    |   True  |      nova@localhost      |
| 2f819f003fa44ba684cd59de3efd3b70 |   swift    |   True  |     swift@localhost      |
+----------------------------------+------------+---------+--------------------------+
== Glance images ==

+--------------------------------------+------+-------------+------------------+-----------+--------+
| ID                                   | Name | Disk Format | Container Format | Size      | Status |
+--------------------------------------+------+-------------+------------------+-----------+--------+
| 1333c7da-c410-4395-b0b9-2e10ef05d2c8 | net  | qcow2       | bare             | 260243968 | active |
+--------------------------------------+------+-------------+------------------+-----------+--------+
== Nova managed services ==
+------------------+--------------------+----------+---------+-------+----------------------------+-----------------+
| Binary           | Host               | Zone     | Status  | State | Updated_at                 | Disabled Reason |
+------------------+--------------------+----------+---------+-------+----------------------------+-----------------+
| nova-consoleauth | alpha.centling.com | internal | enabled | up    | 2014-04-26T02:24:23.000000 | -               |
| nova-conductor   | alpha.centling.com | internal | enabled | up    | 2014-04-26T02:24:23.000000 | -               |
| nova-scheduler   | alpha.centling.com | internal | enabled | up    | 2014-04-26T02:24:23.000000 | -               |
| nova-compute     | alpha.centling.com | nova     | enabled | up    | 2014-04-26T02:24:23.000000 | -               |
| nova-cert        | alpha.centling.com | internal | enabled | up    | 2014-04-26T02:24:23.000000 | -               |
+------------------+--------------------+----------+---------+-------+----------------------------+-----------------+
== Nova networks ==
+--------------------------------------+-------+------+
| ID                                   | Label | Cidr |
+--------------------------------------+-------+------+
| 3e92a5bf-6587-46d6-9e68-46e67c01becb | net2  | -    |
| 9a3566ce-bba7-4f9c-9cf6-c0a716a5e456 | net1  | -    |
+--------------------------------------+-------+------+
== Nova instance flavors ==
+----+-----------+-----------+------+-----------+------+-------+-------------+-----------+
| ID | Name      | Memory_MB | Disk | Ephemeral | Swap | VCPUs | RXTX_Factor | Is_Public |
+----+-----------+-----------+------+-----------+------+-------+-------------+-----------+
| 1  | m1.tiny   | 512       | 1    | 0         |      | 1     | 1.0         | True      |
| 2  | m1.small  | 2048      | 20   | 0         |      | 1     | 1.0         | True      |
| 3  | m1.medium | 4096      | 40   | 0         |      | 2     | 1.0         | True      |
| 4  | m1.large  | 8192      | 80   | 0         |      | 4     | 1.0         | True      |
| 5  | m1.xlarge | 16384     | 160  | 0         |      | 8     | 1.0         | True      |
+----+-----------+-----------+------+-----------+------+-------+-------------+-----------+
== Nova instances ==
+--------------------------------------+------+--------+------------+-------------+----------------------------------+
| ID                                   | Name | Status | Task State | Power State | Networks                         |
+--------------------------------------+------+--------+------------+-------------+----------------------------------+
| da38397a-4fb0-4331-a289-99384b2a5c31 | 1234 | ACTIVE | -          | Running     | net1=192.168.226.106             |
| 52182671-30f3-48b0-b7c6-2b9eb385ced2 | net  | ACTIVE | -          | Running     | net2=10.10.10.2, 192.168.226.101 |
+--------------------------------------+------+--------+------------+-------------+----------------------------------+



br-ex     Link encap:Ethernet ...
(更多)
edit retag flag offensive close merge delete
add a comment

2 answers

Sort by » oldest newest most voted
0

answered 2014-04-27 09:45:38 -0500

alphazhang gravatar image

Hi dbaxps,

security rule was added when I create network.

edit flag offensive delete link more

Comments

Please provide :-
$ neutron router-list
$ ip netns | grep router_id ( for every router)
$ ip netns exec qrouter-router_id iptables -S -t nat
$ ip netns exec qrouter-router_id ip a
$ ip netns exec qrouter-router_id ifconfig
$ ovs-vsctl show
and upload to some text file on Internet or make archive.

dbaxps gravatar imagedbaxps ( 2014-04-27 10:13:44 -0500 )edit

$ ip netns exec qrouter-router_id ifconfig will provide for instance
qg-9c090153-08
qr-e031db6b-d0
In ovs-vsctl tree should be corresponding interface entries for 9c090153-08 under br-ex
and for e031db6b-d0 under br-int.
My intend is to run tcpdump -i inteface-name -vv on each one of mentioned interfaces
when you try to ping VM floating IP from Controller and see could we capture anything at internal and external interfaces

dbaxps gravatar imagedbaxps ( 2014-04-27 10:40:24 -0500 )edit

OK. I just took a look at your security group list in my mail box . Nothing has been done. It should look like :-

[root@dfw02 ~(keystone_admin)]$ neutron security-group-rule-list | grep icmp
| 4a6deddf-9350-4f98-97d7-a54cf6ebaa9a | default        | ingress   | icmp     | 0.0.0.0/0        |              |
| 5cb456f8-5a27-4308-8070-48e527fb61ba | default        | ingress   | icmp     | 0.0.0.0/0        |              |
| 6bf35f35-59ef-4454-9cc2-2b4a25250688 | default        | ingress   | icmp     | 0.0.0.0/0        |              |
| d0ef7460-9ec5-40a0-a826-1c5b95915d4a | default        | ingress   | icmp     | 0.0.0.0/0        |              |
[root@dfw02 ~(keystone_admin)]$ neutron security-group-rule-list | grep tcp
| 7a461936-ffbc-4968-975b-3d27ec975e04 | default        | ingress   | tcp      | 0.0.0.0/0        |              |
| 8db330db-bd16-475f-9dc0-3dd01cd33d9a | default        | ingress   | tcp      | 0.0.0.0/0        |              |
| b421766b-bb29-4b82-a29f-850c32f91a54 | default        | ingress   | tcp      | 0.0.0.0/0        |
dbaxps gravatar imagedbaxps ( 2014-04-27 10:54:24 -0500 )edit

So, first thing to do is went back to my original instructions and perform as required. Sorry , it was bad pictuter in my mailbox, it thread it's OK.

dbaxps gravatar imagedbaxps ( 2014-04-27 10:59:11 -0500 )edit

Hi dbaxps,

    When I install my lab. I name the eth0 to ech0. I have to use it in br-ex.  following is the information you wanted. seems flooating ip(192.xxxx) is not activated.
    cat /etc/sysconfig/network-scripts/ifcfg-eth0
    DEVICE=ech0
    HWADDR=00:0C:29:03:B6:10
    ONBOOT=yes
    TYPE=OVSPort
    DEVICETYPE=ovs
    OVS_BRIDGE=br-ex
    DNS1=202.102.134.68
    DNS2=202.102.128.68
    GATEWAY=192.168.1.1



  ip netns exec qrouter-5e17da58-dff0-4f60-8632-a3f861e3b24f ip a
96: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
98: qr-3055a9a8-40: <BROADCAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether fa:16:3e:c3:82:81 brd ff:ff:ff:ff:ff:ff
    inet 10.10 ...
(more)
alphazhang gravatar imagealphazhang ( 2014-04-28 08:32:01 -0500 )edit
see more comments
0

answered 2014-04-27 08:41:44 -0500

dbaxps gravatar image

updated 2014-04-28 10:17:30 -0500 

Source keystonerc_demo ( or keystonerc_user1 , user should be created before for particlular tenant) 

 $ cat >> ~/keystonerc_admin <<EOF
  export OS_USERNAME=admin
  export OS_TENANT_NAME=admin
  export OS_PASSWORD=xxxxxxxx
  export OS_AUTH_URL=http://192.168.1.127:35357/v2.0/
  export PS1='[\u@\h \W(keystone_admin)]\$ '
  EOF

  $ . keystonerc_admin

  $ keystone user-create --name user1 --pass xxxxxx1
  WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
  +----------+----------------------------------+
  | Property |              Value               |
  +----------+----------------------------------+
  |  email   |                                  |
  | enabled  |               True               |
  |    id    | 1c18b2231aa34dbe9c31cd390aaedb42 |
  |   name   |             user1              |
  +----------+----------------------------------+

  $ keystone role-create --name user
  WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
  +----------+----------------------------------+
  | Property |              Value               |
  +----------+----------------------------------+
  |    id    | 6fac6b1cd0c24ba0a949d12acc757311 |
  |   name   |               user               |
  +----------+----------------------------------+

  $ keystone tenant-create --name ostenant
  WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
  +-------------+----------------------------------+
  |   Property  |              Value               |
  +-------------+----------------------------------+
  | description |                                  |
  |   enabled   |               True               |
  |      id     | 2c845a6ad20e45ccb0b045cee27a9661 |
  |     name    |             ostenant             |
  +-------------+----------------------------------+

  $ keystone user-role-add --user user1 \
  --role user --tenant ostenant

$ cat >> ~/keystonerc_user1 <<EOF
  export OS_USERNAME=user1
  export OS_TENANT_NAME=ostenant
  export OS_PASSWORD=xxxxxxx1
  export OS_AUTH_URL=http://192.168.1.127:35357/v2.0/
  export PS1='[\u@\h \W(keystone_user1)]\$ '
  EOF


     and run :

     Add the security rules
    ----------------------

     $ neutron security-group-rule-create --protocol icmp  --direction ingress --remote-ip-prefix 0.0.0.0/0 default
     $ neutron security-group-rule-create --protocol tcp   --port-range-min 22 --port-range-max 22  --direction ingress    --remote-ip-prefix 0.0.0.0/0  default

  Or add security rules via dashboard :

Add security rules for ICMP and TCP

Per your feedback (ovs-vsctl show) :-

Bridge br-ex
Port br-ex
Interface br-ex
type: internal
Port "ech0"
Interface "ech0"
Port "qg-df4f9361-a1"
Interface "qg-df4f9361-a1"
type: internal

Hence Interface "eth0" is not attached to OVS port "eth0" of OVS bridge br-ex.
Such configuration of ovs-vsctl show is not supposed to work
Say "xxxxxxxxxx" your router-id then command
$ ip netns exec qrouter-xxxxxxxxx tcpdump -ln -i qg-df4f9361-a1
won't capture any ICMP request from yours AIO Havana Server

Update as of 04/28/14
View my feedback here - Your Neutron L3 Layer is broken
Following bellow is a snapshot from working AIO RDO Havana Instance

edit flag offensive delete link more

Comments

this is my security rule

   neutron security-group-rule-list
    +--------------------------------------+----------------+-----------+----------+------------------+--------------+
    | id                                   | security_group | direction | protocol | remote_ip_prefix | remote_group |
    +--------------------------------------+----------------+-----------+----------+------------------+--------------+
    | 03d2e816-7e31-474e-913d-5c59388829ba | default        | ingress   |          |                  | default      |
    | 2de7137b-2960-4e3d-9647-448c13790244 | default        | egress    |          |                  |              |
    | 3fca1413-cd25-4d17-8256-cb77d6749253 | default        | ingress   |          |                  | default      |
    | 571ac0c0-d54b-488e-b0a9-d412c7ef18d0 | default        | ingress   | tcp      | 0.0.0.0/0        |              |
    | 87934c88-968c-4712-979e-d6185651b8b2 | default        | ingress   | icmp     | 0.0.0.0/0        |              |
    | 9c3f5c7c-5470-4b83-8d6f-54e699718597 | default        | ingress   |          |                  | default      |
    | bb80d09b-f32d-4188-a905-51fd164881f0 | default        | egress    |          |                  |              |
    | c5c90ec2-16a7-42d1-bb8d-fd2c83e5d63a | default        | egress    |          |                  |              |
    | d511f405-313a-49f2-b11d-f90df4fd69ef | default        | egress    |          |                  |              |
    | d728668f-9237-49e4-b394-2df73c60847e | default        | ingress   |          |                  | default      |
    +--------------------------------------+----------------+-----------+----------+------------------+--------------+
alphazhang gravatar imagealphazhang ( 2014-04-27 10:07:40 -0500 )edit

Now I need
$ ip netns | grep router_id , coming from neutron router-list and output for :-
$ ip netns exec qrouter-router_id ifconfig ( for router namespace , where your VM is running )

dbaxps gravatar imagedbaxps ( 2014-04-27 11:22:00 -0500 )edit

What means interface "ech0" should "eth0" ?
Can you explain ?

Without output I've asked , would try :-
tcpdump -i qr-3055a9a8-40 -vv
tcpdump -i qr-a6a7d763-50 -vv
tcpdump -i qg-df4f9361-a1 -vv
when pinging VM from Controller.

dbaxps gravatar imagedbaxps ( 2014-04-27 11:55:30 -0500 )edit

Another option to troubleshoot :

Say 4cdb0354-7732-4d8f-a3d0-9fbc4b93a62d is your router-id
Then run :-
ip netns exec qrouter-4cdb0354-7732-4d8f-a3d0-9fbc4b93a62d tcpdump -ln -i qg-df4f9361-a1
ip netns exec qrouter-4cdb0354-7732-4d8f-a3d0-9fbc4b93a62d tcpdump -ln -i qr-3055a9a8-40
ip netns exec qrouter-4cdb0354-7732-4d8f-a3d0-9fbc4b93a62d tcpdump -ln -i qr-a6a7d763-50 

The only one qr-xxxxx will come up running
ip netns exec qrouter-4cdb0354-7732-4d8f-a3d0-9fbc4b93a62d ip a
dbaxps gravatar imagedbaxps ( 2014-04-27 12:33:59 -0500 )edit

Can you run :-
$ ip netns list
Right now . I want to see your qrouter-* namespaces.

dbaxps gravatar imagedbaxps ( 2014-04-27 12:51:56 -0500 )edit
see more comments

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2014-04-27 08:36:06 -0500

Seen: 8,896 times

Last updated: Apr 28 '14

Related questions

Cannot ping/ssh to CirrOS/Ubuntu instance

can't ping and ssh cirros vm from floating ip [closed]

Unable to ssh with key pair - Ubuntu (permission denied)

SSH timeout to Controller Node [closed]

instance cannot ping external network

packstack metadata and sshkey errors

Problem discovering Host's Details

wrong external network gateway devstack

Router VM not forwarding Ping reply

The keypair injected using api doesn't match the keypair created?