0

RDO setup. Instances cannot access external network, while external network cannot ping instances

asked 2014-07-11 05:49:47 -0500

sprhawk

updated 2014-07-11 05:52:47 -0500

I'm new to OpenStack. I'm using RDO packstack --allinone setup.

All openstack nodes reside in one single machine, with only one physical ethernet interface (eth0, 192.168.0.11)

I launched two instances (Test6 and Test7) and set up public and private networks, then assigned floating IPs to both of them.

For the network topology image, see here: http://postimg.org/image/yumejw07n/

Public Network is 192.168.0.192/26, Private Network is 10.0.0.0/24.

Test6 network is 10.0.0.15 and 192.168.0.204, Test7 network is 10.0.0.17 and 192.168.0.199

A router connects Test6, Test7 and the public network: 10.0.0.1 to the private network, 192.168.0.203 to the public network.

In the private network, Test6, Test7, and the router can ping or access each other (any public network address or private network address).

In the public network, no hosts can access Test6, Test7 or the router (192.168.0.203), nor can instances access the hosts.

I think I missed some iptables configuration for the bridge, but I couldn't figure out what filter I should add.

On host:

#ovs-vsctl show
bc3a6627-8bfa-4d4a-b75a-a360b1d9ebe2
Bridge br-int
    Port patch-tun
        Interface patch-tun
            type: patch
            options: {peer=patch-int}
    Port "qvoa86f386a-84"
        tag: 1
        Interface "qvoa86f386a-84"
    Port "tap816bfb16-c3"
        tag: 4095
        Interface "tap816bfb16-c3"
    Port "qvof5f02caa-df"
        tag: 1
        Interface "qvof5f02caa-df"
    Port "tapa37e0f14-18"
        tag: 1
        Interface "tapa37e0f14-18"
    Port "qr-095473ef-8f"
        tag: 1
        Interface "qr-095473ef-8f"
            type: internal
    Port br-int
        Interface br-int
            type: internal
    Port "qr-34feb8f5-dd"
        tag: 2
        Interface "qr-34feb8f5-dd"
            type: internal
Bridge br-ex
    Port "eth0"
        Interface "eth0"
    Port br-ex
        Interface br-ex
            type: internal
Bridge br-tun
    Port patch-int
        Interface patch-int
            type: patch
            options: {peer=patch-tun}
    Port br-tun
        Interface br-tun
            type: internal
ovs_version: "1.11.0"

#iptables -t nat -L -nv
Chain PREROUTING (policy ACCEPT 49201 packets, 7639K bytes)
 pkts bytes target     prot opt in     out     source               destination
49201 7639K neutron-openvswi-PREROUTING  all  --  *      *       0.0.0.0/0            0.0.0.0/0
42619 6708K nova-api-metadat-PREROUTING  all  --  *      *       0.0.0.0/0            0.0.0.0/0
42619 6708K nova-api-PREROUTING  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 15292 packets, 934K bytes)
 pkts bytes target     prot opt in     out     source               destination
15292  934K neutron-openvswi-POSTROUTING  all  --  *      *       0.0.0.0/0            0.0.0.0/0
15292  934K neutron-postrouting-bottom  all  --  *      *       0.0.0.0/0            0.0.0.0/0
12768  779K nova-api-metadat-POSTROUTING  all  --  *      *       0.0.0.0/0            0.0.0.0/0
12791  781K nova-api-POSTROUTING  all  --  *      *       0.0.0.0/0            0.0.0.0/0
15292  934K nova-postrouting-bottom  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 15266 packets, 932K bytes)
 pkts bytes target     prot opt in     out     source               destination
15266  932K neutron-openvswi-OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
12760  779K nova-api-metadat-OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
12783  780K nova-api-OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain neutron-openvswi-OUTPUT ...

Comments

Have you set up security-group rules:

$ source keystonerc_admin
$ nova secgroup-add-rule default icmp -1 -1 0.0.0.0/0
$ nova secgroup-add-rule default tcp 22 22 0.0.0.0/0
dbaxps ( 2014-07-11 05:56:53 -0500 )

Yes, I have set that. I can ping and ssh among instances and the router namespace (i.e., ip netns exec <router-ns> ping).

sprhawk ( 2014-07-11 06:02:14 -0500 )

Could you create a test CirrOS 0.3.2 VM?

Log in:
$ ifconfig
$ ping 8.8.8.8
$ curl http://169.254.169.254
$ curl msn.com
What does this report:
$ ip netns list
dbaxps ( 2014-07-11 06:13:31 -0500 )

I'm currently working on it, and I'm trying to re-install packstack, but I failed to install it, so I cannot show you the list. But I can tell you that inside the VM, I cannot ping the external network (not even the router set in the OpenStack dashboard).

When I have finished the installation, I will show you.

sprhawk ( 2014-07-11 08:12:32 -0500 )

To reinstall:
$ packstack --answer-file=./answer-file-left-by-previous-run

dbaxps ( 2014-07-11 08:19:18 -0500 )

3 answers

2

answered 2014-07-14 05:41:17 -0500

SGPJ

Please refer to this blog: https://blogs.oracle.com/ronen/entry/...

1

answered 2014-07-11 10:56:25 -0500

dbaxps

To resolve the problem, an external network was created matching the public office network, and OVS bridge br-ex was placed on this network; eth0 was made an OVS port of bridge br-ex.
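As an added example (not part of the original thread or any poster's code): a small Python check of the two things this answer describes, that eth0 is a port of br-ex and that the Neutron external subnet lies inside the office LAN, using the addresses from the question. The sample `ovs-vsctl show` text is constructed and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: trimmed `ovs-vsctl show` output in the shape posted in the question.
SAMPLE_OVS_SHOW = """\
Bridge br-int
    Port "qr-095473ef-8f"
        tag: 1
        Interface "qr-095473ef-8f"
            type: internal
    Port br-int
        Interface br-int
            type: internal
Bridge br-ex
    Port "eth0"
        Interface "eth0"
    Port br-ex
        Interface br-ex
            type: internal
"""

def parse_ovs_show(text):
    """Return {bridge: {port: interface_type}}; 'system' when OVS prints no type line."""
    bridges, bridge, port = {}, None, None
    for line in text.splitlines():
        m = re.match(r'\s*(Bridge|Port|type:)\s+"?([^"\s]+)"?', line)
        if not m:
            continue  # uuid, tag, Interface, options and version lines
        kind, name = m.groups()
        if kind == "Bridge":
            bridge, port = bridges.setdefault(name, {}), None
        elif kind == "Port" and bridge is not None:
            port = name
            bridge[port] = "system"
        elif kind == "type:" and port is not None:
            bridge[port] = name
    return bridges

def uplinks(bridges, ext_bridge="br-ex"):
    """Ports on the external bridge that are real devices (not internal or patch)."""
    return [p for p, t in bridges.get(ext_bridge, {}).items() if t == "system"]

def check_external_subnet(lan_cidr, ext_cidr, addresses):
    """Return (ext_cidr is inside the LAN, addresses that fall outside ext_cidr)."""
    lan, ext = ipaddress.ip_network(lan_cidr), ipaddress.ip_network(ext_cidr)
    outside = [a for a in addresses if ipaddress.ip_address(a) not in ext]
    return ext.subnet_of(lan), outside
```

An empty result from `uplinks()` means br-ex has no physical port, so floating IPs cannot reach the LAN at layer 2; the addresses listed as outside the external subnet are ones the virtual router treats as off-link.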
0

answered 2014-07-11 10:01:53 -0500

sprhawk

I freshly reinstalled the openstack package, and packstack --allinone.

Now the network works!

I think the only different setting is the public_net network address CIDR: it was 192.168.0.192/26, now it is 192.168.0.0/24.

I'm not a professional in network administration. Does the netmask affect the network route table or something?


Comments

Does the netmask affect the network route table or something? - No
Do you have a real network 192.168.0.0/24 with active internet?

dbaxps ( 2014-07-11 10:45:32 -0500 )

Yes, my office internal network is on 192.168.0.0/24. Previously, I set up the OpenStack public network as 192.168.0.192/26, but no instances could access the public network; even the router's external network port could not access the external network.

sprhawk ( 2014-07-11 10:48:12 -0500 )

Asked: 2014-07-11 05:49:47 -0500

Seen: 3,118 times

Last updated: Jul 14 '14