
can't ping/ssh floating ip of instance

asked 2014-04-27 08:36:06 -0600

alphazhang
Environment: CentOS 6.5 + RDO + Havana

I created an instance successfully (public IP: 192.168.226.101, private IP: 10.10.10.2). I can ping the private IP but I can't ping the public IP. I found the following information in my dashboard: the status of 192.xxx.xxx.xxx is DOWN, the status of 10.xx.xx.xx is ACTIVE. I'm new to OpenStack. Could someone help and tell me the solution, or tell me how to debug this issue?


(02b8a649)      192.168.226.100 network:router_gateway  DOWN    UP  Edit Port
(566a3ad7)      192.168.226.102 network:floatingip  DOWN    UP  Edit Port
(660d4ae8)      192.168.226.101 network:floatingip  DOWN    UP  Edit Port


private net interface
(29c7c3bb)      10.10.10.2          compute:nova                    ACTIVE  UP  Edit Port
(3055a9a8)      10.10.10.1          network:router_interface    ACTIVE  UP  Edit Port
(a6a7d763)      10.10.10.254    network:router_interface    ACTIVE  UP  Edit Port
(f8781dd1)      10.10.10.3          network:dhcp                    ACTIVE  UP  Edit Port


[root@alpha ~(keystone_admin)]# openstack-status
== Nova services ==
openstack-nova-api:                     active
openstack-nova-cert:                    active
openstack-nova-compute:                 active
openstack-nova-network:                 dead      (disabled on boot)
openstack-nova-scheduler:               active
openstack-nova-conductor:               active
== Glance services ==
openstack-glance-api:                   active
openstack-glance-registry:              active
== Keystone service ==
openstack-keystone:                     active
== Horizon service ==
openstack-dashboard:                    active
== neutron services ==
neutron-server:                         active
neutron-dhcp-agent:                     active
neutron-l3-agent:                       active
neutron-metadata-agent:                 active
neutron-lbaas-agent:                    inactive  (disabled on boot)
neutron-openvswitch-agent:              active
== Swift services ==
openstack-swift-proxy:                  active
openstack-swift-account:                active
openstack-swift-container:              active
openstack-swift-object:                 active
== Cinder services ==
openstack-cinder-api:                   active
openstack-cinder-scheduler:             active
openstack-cinder-volume:                active
== Ceilometer services ==
openstack-ceilometer-api:               active
openstack-ceilometer-central:           active
openstack-ceilometer-compute:           active
openstack-ceilometer-collector:         active
openstack-ceilometer-alarm-notifier:    active
openstack-ceilometer-alarm-evaluator:   active
== Support services ==
mysqld:                                 active
libvirtd:                               active
openvswitch:                            active
messagebus:                             active
tgtd:                                   active
qpidd:                                  active
memcached:                              active
== Keystone users ==
+----------------------------------+------------+---------+--------------------------+
|                id                |    name    | enabled |          email           |
+----------------------------------+------------+---------+--------------------------+
| 203938cc33b440f0b11927fd025c53f4 |   admin    |   True  |      test@test.com       |
| c7d5dbd22f5549689cd118484f7afacb |   alphaz   |   True  | alpha.zhang@centling.com |
| c1366e2f3cc94e558861fa6b08d84914 | ceilometer |   True  |   ceilometer@localhost   |
| 442cb4e41ec344cf8d9e418f40450f18 |   cinder   |   True  |     cinder@localhost     |
| 67600fa19a62438d8f67f0378595c71c |   glance   |   True  |     glance@localhost     |
| 6aa5560877864193a080557dca52b0d8 |  neutron   |   True  |    neutron@localhost     |
| f4e4f3783b0f484fb8f14aa95064f249 |    nova    |   True  |      nova@localhost      |
| 2f819f003fa44ba684cd59de3efd3b70 |   swift    |   True  |     swift@localhost      |
+----------------------------------+------------+---------+--------------------------+
== Glance images ==

+--------------------------------------+------+-------------+------------------+-----------+--------+
| ID                                   | Name | Disk Format | Container Format | Size      | Status |
+--------------------------------------+------+-------------+------------------+-----------+--------+
| 1333c7da-c410-4395-b0b9-2e10ef05d2c8 | net  | qcow2       | bare             | 260243968 | active |
+--------------------------------------+------+-------------+------------------+-----------+--------+
== Nova managed services ==
+------------------+--------------------+----------+---------+-------+----------------------------+-----------------+
| Binary           | Host               | Zone     | Status  | State | Updated_at                 | Disabled Reason |
+------------------+--------------------+----------+---------+-------+----------------------------+-----------------+
| nova-consoleauth | alpha.centling.com | internal | enabled | up    | 2014-04-26T02:24:23.000000 | -               |
| nova-conductor   | alpha.centling.com | internal | enabled | up    | 2014-04-26T02:24:23.000000 | -               |
| nova-scheduler   | alpha.centling.com | internal | enabled | up    | 2014-04-26T02:24:23.000000 | -               |
| nova-compute     | alpha.centling.com | nova     | enabled | up    | 2014-04-26T02:24:23.000000 | -               |
| nova-cert        | alpha.centling.com | internal | enabled | up    | 2014-04-26T02:24:23.000000 | -               |
+------------------+--------------------+----------+---------+-------+----------------------------+-----------------+
== Nova networks ==
+--------------------------------------+-------+------+
| ID                                   | Label | Cidr |
+--------------------------------------+-------+------+
| 3e92a5bf-6587-46d6-9e68-46e67c01becb | net2  | -    |
| 9a3566ce-bba7-4f9c-9cf6-c0a716a5e456 | net1  | -    |
+--------------------------------------+-------+------+
== Nova instance flavors ==
+----+-----------+-----------+------+-----------+------+-------+-------------+-----------+
| ID | Name      | Memory_MB | Disk | Ephemeral | Swap | VCPUs | RXTX_Factor | Is_Public |
+----+-----------+-----------+------+-----------+------+-------+-------------+-----------+
| 1  | m1.tiny   | 512       | 1    | 0         |      | 1     | 1.0         | True      |
| 2  | m1.small  | 2048      | 20   | 0         |      | 1     | 1.0         | True      |
| 3  | m1.medium | 4096      | 40   | 0         |      | 2     | 1.0         | True      |
| 4  | m1.large  | 8192      | 80   | 0         |      | 4     | 1.0         | True      |
| 5  | m1.xlarge | 16384     | 160  | 0         |      | 8     | 1.0         | True      |
+----+-----------+-----------+------+-----------+------+-------+-------------+-----------+
== Nova instances ==
+--------------------------------------+------+--------+------------+-------------+----------------------------------+
| ID                                   | Name | Status | Task State | Power State | Networks                         |
+--------------------------------------+------+--------+------------+-------------+----------------------------------+
| da38397a-4fb0-4331-a289-99384b2a5c31 | 1234 | ACTIVE | -          | Running     | net1=192.168.226.106             |
| 52182671-30f3-48b0-b7c6-2b9eb385ced2 | net  | ACTIVE | -          | Running     | net2=10.10.10.2, 192.168.226.101 |
+--------------------------------------+------+--------+------------+-------------+----------------------------------+



br-ex     Link encap:Ethernet ...

2 answers


answered 2014-04-27 08:41:44 -0600

dbaxps

updated 2014-04-28 10:17:30 -0600

Source keystonerc_demo (or keystonerc_user1; the user should be created beforehand for the particular tenant)

 $ cat >> ~/keystonerc_admin <<EOF
  export OS_USERNAME=admin
  export OS_TENANT_NAME=admin
  export OS_PASSWORD=xxxxxxxx
  export OS_AUTH_URL=http://192.168.1.127:35357/v2.0/
  export PS1='[\u@\h \W(keystone_admin)]\$ '
  EOF

  $ . keystonerc_admin

  $ keystone user-create --name user1 --pass xxxxxx1
  WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
  +----------+----------------------------------+
  | Property |              Value               |
  +----------+----------------------------------+
  |  email   |                                  |
  | enabled  |               True               |
  |    id    | 1c18b2231aa34dbe9c31cd390aaedb42 |
  |   name   |             user1              |
  +----------+----------------------------------+

  $ keystone role-create --name user
  WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
  +----------+----------------------------------+
  | Property |              Value               |
  +----------+----------------------------------+
  |    id    | 6fac6b1cd0c24ba0a949d12acc757311 |
  |   name   |               user               |
  +----------+----------------------------------+

  $ keystone tenant-create --name ostenant
  WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
  +-------------+----------------------------------+
  |   Property  |              Value               |
  +-------------+----------------------------------+
  | description |                                  |
  |   enabled   |               True               |
  |      id     | 2c845a6ad20e45ccb0b045cee27a9661 |
  |     name    |             ostenant             |
  +-------------+----------------------------------+

  $ keystone user-role-add --user user1 \
  --role user --tenant ostenant

  $ cat >> ~/keystonerc_user1 <<EOF
  export OS_USERNAME=user1
  export OS_TENANT_NAME=ostenant
  export OS_PASSWORD=xxxxxxx1
  export OS_AUTH_URL=http://192.168.1.127:35357/v2.0/
  export PS1='[\u@\h \W(keystone_user1)]\$ '
  EOF


  and run:

  Add the security rules
  ----------------------

  $ neutron security-group-rule-create --protocol icmp --direction ingress --remote-ip-prefix 0.0.0.0/0 default
  $ neutron security-group-rule-create --protocol tcp --port-range-min 22 --port-range-max 22 --direction ingress --remote-ip-prefix 0.0.0.0/0 default

Or add security rules via dashboard:

Add security rules for ICMP and TCP

Per your feedback (ovs-vsctl show) :-

    Bridge br-ex
        Port br-ex
            Interface br-ex
                type: internal
        Port "ech0"
            Interface "ech0"
        Port "qg-df4f9361-a1"
            Interface "qg-df4f9361-a1"
                type: internal

Hence interface "eth0" is not attached to OVS port "eth0" of OVS bridge br-ex.
Such a configuration in ovs-vsctl show is not supposed to work.
Say "xxxxxxxxxx" is your router-id; then the command
$ ip netns exec qrouter-xxxxxxxxx tcpdump -ln -i qg-df4f9361-a1
won't capture any ICMP request from your AIO Havana server.

Update as of 04/28/14
View my feedback here - Your Neutron L3 Layer is broken
Below is a snapshot from a working AIO RDO Havana instance

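An audit of the rule list after the two `security-group-rule-create` commands above, as an added example that is not part of the original answer: it parses `neutron security-group-rule-list` output in the column layout shown on this page, confirms that the ICMP and TCP ingress rules exist, and lists the rules open to 0.0.0.0/0. The function names and the sample table (its ids and the `web` group) are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit `neutron security-group-rule-list` table output.

# Constructed sample in the column layout shown on this page (ids are made up).
sample_rules() {
cat <<'EOF'
+--------------------------------------+----------------+-----------+----------+------------------+--------------+
| id                                   | security_group | direction | protocol | remote_ip_prefix | remote_group |
+--------------------------------------+----------------+-----------+----------+------------------+--------------+
| 00000000-0000-0000-0000-000000000001 | default        | ingress   |          |                  | default      |
| 00000000-0000-0000-0000-000000000002 | default        | egress    |          |                  |              |
| 00000000-0000-0000-0000-000000000003 | default        | ingress   | tcp      | 0.0.0.0/0        |              |
| 00000000-0000-0000-0000-000000000004 | default        | ingress   | icmp     | 0.0.0.0/0        |              |
| 00000000-0000-0000-0000-000000000005 | web            | ingress   | tcp      | 192.0.2.0/24     |              |
+--------------------------------------+----------------+-----------+----------+------------------+--------------+
EOF
}

# Read the table on stdin; print "protocol cidr id" for every ingress rule of
# security group $1 that names both a protocol and a remote CIDR.
ingress_rules() {
  awk -F'|' -v grp="$1" '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    NF >= 7 {                       # border lines contain no "|" and are skipped
      id = trim($2); g = trim($3); dir = trim($4)
      proto = trim($5); cidr = trim($6)
      if (id == "id" || g != grp || dir != "ingress") next
      if (proto != "" && cidr != "") print proto, cidr, id
    }'
}

# Ingress rules of group $1 that accept traffic from any source address.
world_open() { ingress_rules "$1" | awk '$2 == "0.0.0.0/0"'; }

# Exit 0 if group $1 has an ingress rule for protocol $2 (icmp, tcp, ...).
has_ingress() {
  ingress_rules "$1" | awk -v p="$2" '$1 == p { f = 1 } END { exit !f }'
}

# Demo on the constructed sample. On a live host pipe the real command instead:
#   neutron security-group-rule-list | world_open default
sample_rules | world_open default
```

The list view has no port columns, so check each reported id with `neutron security-group-rule-show <id>` before deciding whether a 0.0.0.0/0 rule should be narrowed to an admin network.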

Comments

this is my security rule

   neutron security-group-rule-list
    +--------------------------------------+----------------+-----------+----------+------------------+--------------+
    | id                                   | security_group | direction | protocol | remote_ip_prefix | remote_group |
    +--------------------------------------+----------------+-----------+----------+------------------+--------------+
    | 03d2e816-7e31-474e-913d-5c59388829ba | default        | ingress   |          |                  | default      |
    | 2de7137b-2960-4e3d-9647-448c13790244 | default        | egress    |          |                  |              |
    | 3fca1413-cd25-4d17-8256-cb77d6749253 | default        | ingress   |          |                  | default      |
    | 571ac0c0-d54b-488e-b0a9-d412c7ef18d0 | default        | ingress   | tcp      | 0.0.0.0/0        |              |
    | 87934c88-968c-4712-979e-d6185651b8b2 | default        | ingress   | icmp     | 0.0.0.0/0        |              |
    | 9c3f5c7c-5470-4b83-8d6f-54e699718597 | default        | ingress   |          |                  | default      |
    | bb80d09b-f32d-4188-a905-51fd164881f0 | default        | egress    |          |                  |              |
    | c5c90ec2-16a7-42d1-bb8d-fd2c83e5d63a | default        | egress    |          |                  |              |
    | d511f405-313a-49f2-b11d-f90df4fd69ef | default        | egress    |          |                  |              |
    | d728668f-9237-49e4-b394-2df73c60847e | default        | ingress   |          |                  | default      |
    +--------------------------------------+----------------+-----------+----------+------------------+--------------+
alphazhang ( 2014-04-27 10:07:40 -0600 )

Now I need
$ ip netns | grep router_id , coming from neutron router-list and output for :-
$ ip netns exec qrouter-router_id ifconfig ( for router namespace , where your VM is running )

dbaxps ( 2014-04-27 11:22:00 -0600 )

What does interface "ech0" mean? Should it be "eth0"?
Can you explain?

Without the output I've asked for, I would try :-
tcpdump -i qr-3055a9a8-40 -vv
tcpdump -i qr-a6a7d763-50 -vv
tcpdump -i qg-df4f9361-a1 -vv
when pinging VM from Controller.

dbaxps ( 2014-04-27 11:55:30 -0600 )

Another option to troubleshoot :

Say 4cdb0354-7732-4d8f-a3d0-9fbc4b93a62d is your router-id
Then run :-
ip netns exec qrouter-4cdb0354-7732-4d8f-a3d0-9fbc4b93a62d tcpdump -ln -i qg-df4f9361-a1
ip netns exec qrouter-4cdb0354-7732-4d8f-a3d0-9fbc4b93a62d tcpdump -ln -i qr-3055a9a8-40
ip netns exec qrouter-4cdb0354-7732-4d8f-a3d0-9fbc4b93a62d tcpdump -ln -i qr-a6a7d763-50 

The only one qr-xxxxx will come up running
ip netns exec qrouter-4cdb0354-7732-4d8f-a3d0-9fbc4b93a62d ip a
dbaxps ( 2014-04-27 12:33:59 -0600 )

Can you run :-
$ ip netns list
Right now . I want to see your qrouter-* namespaces.

dbaxps ( 2014-04-27 12:51:56 -0600 )

answered 2014-04-27 09:45:38 -0600

alphazhang

Hi dbaxps,

The security rule was added when I created the network.


Comments

Please provide :-
$ neutron router-list
$ ip netns | grep router_id ( for every router)
$ ip netns exec qrouter-router_id iptables -S -t nat
$ ip netns exec qrouter-router_id ip a
$ ip netns exec qrouter-router_id ifconfig
$ ovs-vsctl show
and upload to some text file on Internet or make archive.

dbaxps ( 2014-04-27 10:13:44 -0600 )

$ ip netns exec qrouter-router_id ifconfig will provide for instance
qg-9c090153-08
qr-e031db6b-d0
In ovs-vsctl tree should be corresponding interface entries for 9c090153-08 under br-ex
and for e031db6b-d0 under br-int.
My intent is to run tcpdump -i interface-name -vv on each one of the mentioned interfaces
when you try to ping the VM floating IP from the Controller, and see whether we can capture anything at the internal and external interfaces.

dbaxps ( 2014-04-27 10:40:24 -0600 )

OK. I just took a look at your security group list in my mail box . Nothing has been done. It should look like :-

[root@dfw02 ~(keystone_admin)]$ neutron security-group-rule-list | grep icmp
| 4a6deddf-9350-4f98-97d7-a54cf6ebaa9a | default        | ingress   | icmp     | 0.0.0.0/0        |              |
| 5cb456f8-5a27-4308-8070-48e527fb61ba | default        | ingress   | icmp     | 0.0.0.0/0        |              |
| 6bf35f35-59ef-4454-9cc2-2b4a25250688 | default        | ingress   | icmp     | 0.0.0.0/0        |              |
| d0ef7460-9ec5-40a0-a826-1c5b95915d4a | default        | ingress   | icmp     | 0.0.0.0/0        |              |
[root@dfw02 ~(keystone_admin)]$ neutron security-group-rule-list | grep tcp
| 7a461936-ffbc-4968-975b-3d27ec975e04 | default        | ingress   | tcp      | 0.0.0.0/0        |              |
| 8db330db-bd16-475f-9dc0-3dd01cd33d9a | default        | ingress   | tcp      | 0.0.0.0/0        |              |
| b421766b-bb29-4b82-a29f-850c32f91a54 | default        | ingress   | tcp      | 0.0.0.0/0        |
dbaxps ( 2014-04-27 10:54:24 -0600 )

So, the first thing to do is go back to my original instructions and perform as required. Sorry, it was a bad picture in my mailbox; in the thread it's OK.

dbaxps ( 2014-04-27 10:59:11 -0600 )

Hi dbaxps,

    When I installed my lab, I renamed eth0 to ech0. I have to use it in br-ex. The following is the information you wanted. It seems the floating IP (192.xxxx) is not activated.
    cat /etc/sysconfig/network-scripts/ifcfg-eth0
    DEVICE=ech0
    HWADDR=00:0C:29:03:B6:10
    ONBOOT=yes
    TYPE=OVSPort
    DEVICETYPE=ovs
    OVS_BRIDGE=br-ex
    DNS1=202.102.134.68
    DNS2=202.102.128.68
    GATEWAY=192.168.1.1



  ip netns exec qrouter-5e17da58-dff0-4f60-8632-a3f861e3b24f ip a
96: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
98: qr-3055a9a8-40: <BROADCAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether fa:16:3e:c3:82:81 brd ff:ff:ff:ff:ff:ff
    inet 10.10 ...
alphazhang ( 2014-04-28 08:32:01 -0600 )

Stats

Asked: 2014-04-27 08:36:06 -0600

Seen: 8,783 times

Last updated: Apr 28 '14