Nova security group not working properly

asked 2013-08-29 04:08:25 -0500

javsalgar

updated 2013-08-29 11:30:56 -0500

I have a multi-node OpenStack Grizzly setup: 1 front-end network node (3 NICs) and 2 compute nodes (3 NICs). Everything seems to work perfectly: VMs have external access, I can ping the VMs from the virtual router, VMs can communicate between themselves...

However, I am unable to ping the VMs from any compute node. I have added the virtual router to the routing table, I changed the default security permissions... so I think that it is a problem with Grizzly's security group filtering.

practicas@lemarq:~$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.0.1     0.0.0.0         UG    0      0        0 br-ex
10.5.5.0        192.168.0.100   255.255.255.0   UG    0      0        0 br-ex  # VIRTUAL ROUTER
192.168.0.0     *               255.255.255.0   U     0      0        0 br-ex
192.168.100.0   *               255.255.255.0   U     1      0        0 eth1

practicas@lemarq:~$ nova secgroup-list-rules default
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| icmp        | -1        | -1      | 0.0.0.0/0 |              |
| tcp         | 1         | 65535   | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+

I tried running tcpdump on the VM's eth0 and also on its counterpart in br-int (qvoc55...) while sending a ping. The ICMP packet arrives at br-int -> qvoc55... but not at the VM's eth0, so it is being filtered by Nova security policies. Somehow, the accept-all policies are being ignored by Nova. What can I do then?

Thank you
