Ask Your Question
1

All-in-One: How to set up a virtual external network completely inclosed within the host?

asked 2014-08-06 19:27:57 -0500

beni gravatar image

updated 2014-08-07 04:17:43 -0500

For a test setup of OpenStack, I followed http://openstack.redhat.com/PackStack_All-in-One_DIY_Configuration (PackStack All-in-One DIY Configuration) on a virtual machine running Scientific Linux 6. The machine is located in a corporate OpenStack cloud. It is not (easily) possible to get an address range within this network that could be used for an external network for the instances. Thus, I will not be able to contact instances from outside the host. But I want to contact instances from the host and I want that instances can reach the host and the internet.

Setup

To be more precise: Might the host's IP be 137.131.143.147 (that's just a random address and not my real one). For my test setup It is not possible to get IP addresses from 137.131.143.0/24 for the instances. The host has just one NIC: eth0. I have set up a Neutron external network with the following properties

neutron subnet-create extnet --allocation-pool start=10.0.21.10,end=10.0.21.125 --gateway 10.0.21.1 --enable_dhcp=False 10.0.21.0/24

and an internal network with

neutron subnet-create rdonet 10.0.90.0/24

One of the instances has the _internal_ IP 10.0.90.4 and _external_ IP 10.0.21.11.

Goal

I want to achieve that

  • on the host I can run ping 10.0.21.11 to reach the instance via its external IP address.
  • on the instance I want to be able to ping 137.131.143.147 to reach the host and something like ping 8.8.8.8 because I want to reach the internet.

Problems

As the configured external network is completely virtual, there is currently noone behind the gateway IP 10.0.21.1. Thus a ping 10.0.21.1 from an instance or the namespace of the router gets lost in the network. This can be seen when running tcpdump on qg-…, tap-… and br-ex as

ARP, Request who-has 10.0.21.1 tell 10.0.21.10, length 28

without getting an answer where 10.0.21.10 is the IP of the router.

Questions

What would be a good way to solve this? Create another router, interface or something else with OpenVSwitch and assign the gateway IP 10.0.21.1 to it? And then add a route to the host's routing table to tell him to which interface packets to 10.0.21.0/24 should go? Could I add a route that just says to route packets with target 10.0.21.0/24 to br-ex?

Paste of some Configuration

Everything is in the same Gist https://gist.github.com/blipp/64639aad6149a54826ca (https://gist.github.com/blipp/64639aa...)

  • # ifconfig : https://gist.github.com/blipp/64639aad6149a54826ca#file-ifconfig-host (https://gist.github.com/blipp/64639aa...)
  • # ovs-vsctl show : https://gist.github.com/blipp/64639aad6149a54826ca#file-ovs-vsctl-show (https://gist.github.com/blipp/64639aa...) . I think br-tun and patch-tun can be ignored for this question.
  • # route -n : https ...
(more)
edit retag flag offensive close merge delete
add a comment

1 answer

Sort by » oldest newest most voted
1

answered 2014-08-11 08:50:59 -0500

beni gravatar image

updated 2014-08-11 09:20:58 -0500

I managed to achieve the second goal: on the instance I want to be able to ping 137.131.143.147 to reach the host and something like ping 8.8.8.8 because I want to reach the internet.

I started the tutorial from the beginning and before creating the OpenStack networks with neutron I did the following. I added the gateway IP address to br-ex:

  • ip link set down br-ex
  • ip addr add 10.0.21.1/24 dev br-ex
  • ip link set up br-ex

Do not change /etc/sysconfig/network-scripts/ifcfg-br-ex to include the IP address because for me that interfered with OpenVSwitch and stopped it from creating the other interfaces.

Then I added iptables rules to create a NAT:

  • iptables -I FORWARD -i br-ex -j ACCEPT
  • iptables -I FORWARD -o br-ex -j ACCEPT
  • iptables -t nat -I POSTROUTING -s 10.0.21.0/24 ! -d 10.0.21.0/24 -j MASQUERADE

To add DNS support for external domains, I changed the private subnet to announce the same DNS servers my host is using:

neutron subnet-update $SUBNET_ID --dns-nameservers list=true $DNS1 $DNS2

After this change a reboot of the instances or a run of the DHCP client is necessary.

I don't know yet why I cannot reach the instances via their external addresses, but for now, this is enough for my test setup as I can reach the instances via

ip netns exec qdhcp-… ssh cirros@10.0.90.2

The scripts I wrote for this setup are available under https://gist.github.com/blipp/46e5b84e4d0c5c62347f (https://gist.github.com/blipp/46e5b84...)

Actually, what I did looks a lot like what I now found here: http://oddbit.com/rdo-hangout-multinode-packstack-slides/#/29/1 (http://oddbit.com/rdo-hangout-multino...) which belongs to this screencast https://www.youtube.com/watch?v=DGf-ny25OAw (https://www.youtube.com/watch?v=DGf-n...) .

edit flag offensive delete link more
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2014-08-06 19:27:57 -0500

Seen: 8,824 times

Last updated: Aug 11 '14

Related questions

Unable to delete neutron port [closed]

l2 neutron port

Failed to bind port on host neutron.plugins.ml2.managers (SLES 11SP3, ML2/VLAN, running under Hyper-V

How to connect the VM to the internet

[Neutron] router can't ping external gateway

quantum admin plugin for horizon

unable to add neutron service to devstack

Help network configuration

OpenStack Newbie [closed]

neutron vxlan and discovery