Ask Your Question
1

All-in-One: How to set up a virtual external network completely inclosed within the host?

asked 2014-08-06 19:27:57 -0600

beni gravatar image

updated 2014-08-07 04:17:43 -0600

For a test setup of OpenStack, I followed http://openstack.redhat.com/PackStack_All-in-One_DIY_Configuration (PackStack All-in-One DIY Configuration) on a virtual machine running Scientific Linux 6. The machine is located in a corporate OpenStack cloud. It is not (easily) possible to get an address range within this network that could be used for an external network for the instances. Thus, I will not be able to contact instances from outside the host. But I want to contact instances from the host and I want that instances can reach the host and the internet.

Setup

To be more precise: Might the host's IP be 137.131.143.147 (that's just a random address and not my real one). For my test setup It is not possible to get IP addresses from 137.131.143.0/24 for the instances. The host has just one NIC: eth0. I have set up a Neutron external network with the following properties

neutron subnet-create extnet --allocation-pool start=10.0.21.10,end=10.0.21.125 --gateway 10.0.21.1 --enable_dhcp=False 10.0.21.0/24

and an internal network with

neutron subnet-create rdonet 10.0.90.0/24

One of the instances has the _internal_ IP 10.0.90.4 and _external_ IP 10.0.21.11.

Goal

I want to achieve that

  • on the host I can run ping 10.0.21.11 to reach the instance via its external IP address.
  • on the instance I want to be able to ping 137.131.143.147 to reach the host and something like ping 8.8.8.8 because I want to reach the internet.

Problems

As the configured external network is completely virtual, there is currently noone behind the gateway IP 10.0.21.1. Thus a ping 10.0.21.1 from an instance or the namespace of the router gets lost in the network. This can be seen when running tcpdump on qg-…, tap-… and br-ex as

ARP, Request who-has 10.0.21.1 tell 10.0.21.10, length 28

without getting an answer where 10.0.21.10 is the IP of the router.

Questions

What would be a good way to solve this? Create another router, interface or something else with OpenVSwitch and assign the gateway IP 10.0.21.1 to it? And then add a route to the host's routing table to tell him to which interface packets to 10.0.21.0/24 should go? Could I add a route that just says to route packets with target 10.0.21.0/24 to br-ex?

Paste of some Configuration

Everything is in the same Gist https://gist.github.com/blipp/64639aad6149a54826ca (https://gist.github.com/blipp/64639aa...)

  • # ifconfig : https://gist.github.com/blipp/64639aad6149a54826ca#file-ifconfig-host (https://gist.github.com/blipp/64639aa...)
  • # ovs-vsctl show : https://gist.github.com/blipp/64639aad6149a54826ca#file-ovs-vsctl-show (https://gist.github.com/blipp/64639aa...) . I think br-tun and patch-tun can be ignored for this question.
  • # route -n : https ...
(more)
edit retag flag offensive close merge delete
add a comment

1 answer

Sort by » oldest newest most voted
1

answered 2014-08-11 08:50:59 -0600

beni gravatar image

updated 2014-08-11 09:20:58 -0600

I managed to achieve the second goal: on the instance I want to be able to ping 137.131.143.147 to reach the host and something like ping 8.8.8.8 because I want to reach the internet.

I started the tutorial from the beginning and before creating the OpenStack networks with neutron I did the following. I added the gateway IP address to br-ex:

  • ip link set down br-ex
  • ip addr add 10.0.21.1/24 dev br-ex
  • ip link set up br-ex

Do not change /etc/sysconfig/network-scripts/ifcfg-br-ex to include the IP address because for me that interfered with OpenVSwitch and stopped it from creating the other interfaces.

Then I added iptables rules to create a NAT:

  • iptables -I FORWARD -i br-ex -j ACCEPT
  • iptables -I FORWARD -o br-ex -j ACCEPT
  • iptables -t nat -I POSTROUTING -s 10.0.21.0/24 ! -d 10.0.21.0/24 -j MASQUERADE

To add DNS support for external domains, I changed the private subnet to announce the same DNS servers my host is using:

neutron subnet-update $SUBNET_ID --dns-nameservers list=true $DNS1 $DNS2

After this change a reboot of the instances or a run of the DHCP client is necessary.

I don't know yet why I cannot reach the instances via their external addresses, but for now, this is enough for my test setup as I can reach the instances via

ip netns exec qdhcp-… ssh cirros@10.0.90.2

The scripts I wrote for this setup are available under https://gist.github.com/blipp/46e5b84e4d0c5c62347f (https://gist.github.com/blipp/46e5b84...)

Actually, what I did looks a lot like what I now found here: http://oddbit.com/rdo-hangout-multinode-packstack-slides/#/29/1 (http://oddbit.com/rdo-hangout-multino...) which belongs to this screencast https://www.youtube.com/watch?v=DGf-ny25OAw (https://www.youtube.com/watch?v=DGf-n...) .

edit flag offensive delete link more
add a comment

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2014-08-06 19:27:57 -0600

Seen: 9,025 times

Last updated: Aug 11 '14

Related questions

External (admin) network and privileges

Tacker Installation Failure

Problems running neutron net-list

Can not change the VM password with nova API on icehouse

vm can not ping outer world with domain name

Neutron Port Create

failed to create network by dashboard

No tenant network is available for allocation.

Cross-Subnet Chain

Caught CRITICAL keystone [-] ImportError: No module named psycopg2