Unable to SSH an instance from controller node

asked 2014-10-25 03:58:27 -0500

Andrea Meroni
21 ●1 ●1 ●5

Hi all,

I have a 3 nodes Openstack setup (2 compute nodes and 1 controller/network node). When I launch a new VM on the controller I am able to SSH it, while I am not able to SSH any VM on the compute nodes. Moreover: I am able to ping every VM, and I am also able to SSH a VM on compute node 2 from inside a VM on compute node 1. But whenever I try to SSH from the controller a VM on a compute node, the connection stucks at

debug1: SSH2_MSG_KEXINIT

Honestly I have no idea of where is the problem, I checked the network configuration lots of time and everything seems to be ok. I guess the problem is on the controller, but I have no hints apart from this.

Andrea

edit retag flag offensive close merge delete

Comments

Please, post nova secgroup-list-rules default and ssh command exactly as you issue it on controller.

dbaxps ( 2014-10-25 10:13:56 -0500 )edit

Regarding the secgroup rules I run

nova secgroup-add-rule default icmp -1 -1 0.0.0.0/0
nova secgroup-add-rule default tcp 22 22 0.0.0.0/0

Then about SSH I tried

sudo ip netns exec qdhcp-$internal_network_id sudo ssh -i ~/.ssh/id_rsa andrea@$IP

Andrea Meroni ( 2014-10-25 12:21:47 -0500 )edit

Right now I don't have access to the deployment, I hope you can find the explaination sufficiently clear

Andrea Meroni ( 2014-10-25 12:26:43 -0500 )edit

What OS is running your VM ( why default name is andrea ) ?
How you created ssh keypair and assign it to VM upon creation ?
What was the the nova boot ...... command ?

dbaxps ( 2014-10-25 12:28:53 -0500 )edit

It's ubuntu-server 14.04 (where I created the user andrea).

By the way, I tried also with a Fedora 20 Cloud Image and I got the same exact error.

Yes, I have created the keypair with

nova keypair --add-public ~/.ssh/id_rsa.pub key

Andrea Meroni ( 2014-10-25 12:35:44 -0500 )edit

see more comments

1

answered 2014-10-28 05:35:01 -0500

Andrea Meroni
21 ●1 ●1 ●5

sudo ip netns exec qdhcp-a9794e3f-9cb7-4e19-b057-5826f46b5643 sudo netstat -antp

gives the following output

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name 
tcp        0      0 192.168.200.3:53        0.0.0.0:*               LISTEN      5905/dnsmasq
tcp6       0      0 fe80::f816:3eff:fee3:53 :::*                    LISTEN      5905/dnsmasq

while instead

sudo ip netns exec qdhcp-a9794e3f-9cb7-4e19-b057-5826f46b5643 sudo iptables -S -t nat | grep 169.254

gives no output. Am I missing something? As you can notice I didn't create a router because I need just an internal network

edit flag offensive delete link

Comments

Floating IPs are assigned via qrouter-namespace && metadata access also works via qrouter-namespace. Regarding Neutron L3 routing architecture
Please, view https://www.hastexo.com/system/files/...

dbaxps ( 2014-10-28 05:48:35 -0500 )edit

Ok, got it. But is it normal that my iptables are still empty? I will try by adding a router, but I guess that the situation will be the same

Andrea Meroni ( 2014-10-28 05:58:29 -0500 )edit

What OS are running on nodes ? After creating router , run iptables -L

dbaxps ( 2014-10-28 06:06:56 -0500 )edit

You were right, output of iptables:

-A neutron-l3-agent-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697

Andrea Meroni ( 2014-10-28 06:14:35 -0500 )edit

And this is the one of netstat

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:9697            0.0.0.0:*               LISTEN      5881/python

Andrea Meroni ( 2014-10-28 06:15:28 -0500 )edit

see more comments

0

answered 2014-10-28 10:30:02 -0500

XicoLoco
68 ●4 ●6 ●12

you take a look to see if you mess up your firewall tables on controller ?

edit flag offensive delete link

add a comment

0

answered 2014-10-25 13:20:49 -0500

dbaxps

10788 ●57 ●112 ●224 http://bderzhavets.blo...

Forced to use answer field due to formatting options :-
Would try

$ nova keypair-add oskey1 > oskey1.priv
$ chmod 600 oskey1.priv

Now create instance with oskey1 :-

$ nova boot --flavor 2 --key_name oskey1 --image ubuntu-glance-image-id \
    --availability-zone nova:compute1 --nic net-id=$net_id   ubuntu-guest1

Assign floating IP1 to ubuntu-guest1

Login from controller
$ ssh -i oskey1.priv  ubuntu@IP1   ( ubuntu default user name for ubuntu images)

edit flag offensive delete link

Comments

I'll give it a try ASAP, thanks

Andrea Meroni ( 2014-10-25 14:04:30 -0500 )edit

Still not working. But with a CirrOS image everything works fine. I guess it is a metadata problem ... Other hints?

Andrea Meroni ( 2014-10-28 04:30:49 -0500 )edit

Did you try a fresh Ubuntu glance image or just old one ?

dbaxps ( 2014-10-28 04:39:09 -0500 )edit

I used the one specified in docs.openstack.org/image-guide/content/ch_obtaining_images.html. Downloaded just 10 minutes ago and booted without any modification

Andrea Meroni ( 2014-10-28 04:40:55 -0500 )edit

Moreover, the Ubuntu image seems to be not able to contact 169.254.169.254 to get metadata ...

Andrea Meroni ( 2014-10-28 04:44:58 -0500 )edit

see more comments

Unable to SSH an instance from controller node

Comments

3 answers

Comments

Comments

Your Answer

Get to know Ask OpenStack

Question Tools

Stats

Related questions

Feedback About This Page

OpenStack

Community

Documentation

Branding & Legal

Unable to SSH an instance from controller node edit

Comments

3 answers

Comments

Comments

Your Answer

Get to know Ask OpenStack

Question Tools

Stats

Related questions

Feedback About This Page

OpenStack

Community

Documentation

Branding & Legal

Unable to SSH an instance from controller node