Nova security group not working properly

asked 2013-08-29 04:08:25 -0500

javsalgar gravatar image

updated 2013-08-29 11:30:56 -0500

I have a multi-node Openstack Grizzly setup: 1 front-end network node (3 nics) and 2 compute nodes (3 nics). Everything seems to work perfectly: VM's have external access, I can ping the VM's from the virtual router, VM's can communicate between themselves...

However, I am unable to ping the VM's from any compute node to the VM's. I have added the virtual router to the routing table, I changed the default security permissions... so I think that it is a problem with grizzly's security group filtering.

practicas@lemarq:~$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         UG    0      0        0 br-ex   UG    0      0        0 br-ex  # VIRTUAL ROUTER     *        U     0      0        0 br-ex   *        U     1      0        0 eth1

practicas@lemarq:~$ nova secgroup-list-rules default
| IP Protocol | From Port | To Port | IP Range  | Source Group |
| icmp        | -1        | -1      | |              |
| tcp         | 1         | 65535   | |              |

I tried executing tcpdump in VM's eth0 and also in its counterpart in br-int (qvoc55...) and sending a ping. The icmp package arrives at br-int -> qvoc55... but not to VM's eth0, so it is being filtered by nova security policies. Somehow, the Accept all policies are being ignored by nova, what can I do then?

Thank you

edit retag flag offensive close merge delete

1 answer

Sort by ยป oldest newest most voted

answered 2016-06-24 06:44:45 -0500

Radhakrishnan Rk gravatar image

Hello javsalgar,

Can you print the route table of the virtual router. You need to add the route policy to route the vm traffic across compute nodes. Then only your vm should be accessible form the compute node host.

ip netns exec qrouter-XXXXXXXXXXXXXXXX route

VMs' should have external access if it sends packet top the gateway and it is accessible to inter network. But we cant assure it traverses the packet to compute node.

image description

Thanks and Regards, Radhakrishnan RK

edit flag offensive delete link more

Get to know Ask OpenStack

Resources for moderators

Question Tools



Asked: 2013-08-29 04:08:25 -0500

Seen: 1,354 times

Last updated: Jun 24 '16