Ask Your Question
1

Unable to SSH an instance from controller node

asked 2014-10-25 03:58:27 -0600

Andrea Meroni gravatar image

Hi all,

I have a 3 nodes Openstack setup (2 compute nodes and 1 controller/network node). When I launch a new VM on the controller I am able to SSH it, while I am not able to SSH any VM on the compute nodes. Moreover: I am able to ping every VM, and I am also able to SSH a VM on compute node 2 from inside a VM on compute node 1. But whenever I try to SSH from the controller a VM on a compute node, the connection stucks at

debug1: SSH2_MSG_KEXINIT

Honestly I have no idea of where is the problem, I checked the network configuration lots of time and everything seems to be ok. I guess the problem is on the controller, but I have no hints apart from this.

Andrea

edit retag flag offensive close merge delete

Comments

Please, post nova secgroup-list-rules default and ssh command exactly as you issue it on controller.

dbaxps gravatar imagedbaxps ( 2014-10-25 10:13:56 -0600 )edit

Regarding the secgroup rules I run

nova secgroup-add-rule default icmp -1 -1 0.0.0.0/0
nova secgroup-add-rule default tcp 22 22 0.0.0.0/0

Then about SSH I tried

sudo ip netns exec qdhcp-$internal_network_id sudo ssh -i ~/.ssh/id_rsa andrea@$IP
Andrea Meroni gravatar imageAndrea Meroni ( 2014-10-25 12:21:47 -0600 )edit

Right now I don't have access to the deployment, I hope you can find the explaination sufficiently clear

Andrea Meroni gravatar imageAndrea Meroni ( 2014-10-25 12:26:43 -0600 )edit

What OS is running your VM ( why default name is andrea ) ?
How you created ssh keypair and assign it to VM upon creation ?
What was the the nova boot ...... command ?

dbaxps gravatar imagedbaxps ( 2014-10-25 12:28:53 -0600 )edit

It's ubuntu-server 14.04 (where I created the user andrea).

By the way, I tried also with a Fedora 20 Cloud Image and I got the same exact error.

Yes, I have created the keypair with

nova keypair --add-public ~/.ssh/id_rsa.pub key
Andrea Meroni gravatar imageAndrea Meroni ( 2014-10-25 12:35:44 -0600 )edit
see more comments

3 answers

Sort by ยป oldest newest most voted
1

answered 2014-10-28 05:35:01 -0600

Andrea Meroni gravatar image 
sudo ip netns exec qdhcp-a9794e3f-9cb7-4e19-b057-5826f46b5643 sudo netstat -antp

gives the following output

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name 
tcp        0      0 192.168.200.3:53        0.0.0.0:*               LISTEN      5905/dnsmasq
tcp6       0      0 fe80::f816:3eff:fee3:53 :::*                    LISTEN      5905/dnsmasq

while instead

sudo ip netns exec qdhcp-a9794e3f-9cb7-4e19-b057-5826f46b5643 sudo iptables -S -t nat | grep 169.254

gives no output. Am I missing something? As you can notice I didn't create a router because I need just an internal network

edit flag offensive delete link more

Comments

Floating IPs are assigned via qrouter-namespace && metadata access also works via qrouter-namespace. Regarding Neutron L3 routing architecture
Please, view https://www.hastexo.com/system/files/...

dbaxps gravatar imagedbaxps ( 2014-10-28 05:48:35 -0600 )edit

Ok, got it. But is it normal that my iptables are still empty? I will try by adding a router, but I guess that the situation will be the same

Andrea Meroni gravatar imageAndrea Meroni ( 2014-10-28 05:58:29 -0600 )edit

What OS are running on nodes ? After creating router , run iptables -L

dbaxps gravatar imagedbaxps ( 2014-10-28 06:06:56 -0600 )edit

You were right, output of iptables:

-A neutron-l3-agent-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697
Andrea Meroni gravatar imageAndrea Meroni ( 2014-10-28 06:14:35 -0600 )edit

And this is the one of netstat 

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:9697            0.0.0.0:*               LISTEN      5881/python
Andrea Meroni gravatar imageAndrea Meroni ( 2014-10-28 06:15:28 -0600 )edit
see more comments
0

answered 2014-10-28 10:30:02 -0600

XicoLoco gravatar image

you take a look to see if you mess up your firewall tables on controller ?

edit flag offensive delete link more
add a comment
0

answered 2014-10-25 13:20:49 -0600

dbaxps gravatar image

Forced to use answer field due to formatting options :-
Would try 

$ nova keypair-add oskey1 > oskey1.priv
$ chmod 600 oskey1.priv

Now create instance with oskey1 :-

$ nova boot --flavor 2 --key_name oskey1 --image ubuntu-glance-image-id \
    --availability-zone nova:compute1 --nic net-id=$net_id   ubuntu-guest1

Assign floating IP1 to ubuntu-guest1

Login from controller
$ ssh -i oskey1.priv  ubuntu@IP1   ( ubuntu default user name for ubuntu images)
edit flag offensive delete link more

Comments

I'll give it a try ASAP, thanks

Andrea Meroni gravatar imageAndrea Meroni ( 2014-10-25 14:04:30 -0600 )edit

Still not working. But with a CirrOS image everything works fine. I guess it is a metadata problem ... Other hints?

Andrea Meroni gravatar imageAndrea Meroni ( 2014-10-28 04:30:49 -0600 )edit

Did you try a fresh Ubuntu glance image or just old one ?

dbaxps gravatar imagedbaxps ( 2014-10-28 04:39:09 -0600 )edit

I used the one specified in docs.openstack.org/image-guide/content/ch_obtaining_images.html. Downloaded just 10 minutes ago and booted without any modification

Andrea Meroni gravatar imageAndrea Meroni ( 2014-10-28 04:40:55 -0600 )edit

Moreover, the Ubuntu image seems to be not able to contact 169.254.169.254 to get metadata ...

Andrea Meroni gravatar imageAndrea Meroni ( 2014-10-28 04:44:58 -0600 )edit
see more comments

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2014-10-25 03:58:27 -0600

Seen: 2,798 times

Last updated: Oct 28 '14

Related questions

stuck at nova in openstack icehouse installation on centos 7 on two node

can't ssh to new created instances any more

How to enable passwordless ssh between the instances?

Display not specified?

How to install and configure Two-node architecture with legacy networking (compute controller services) on openstack using packstack on centos 7 ?

Unable to access the instance via SSH

can't remove router, spanning tree

mirantis-8: how to change fuel master SSH listening IP [closed]

CentOS - SSH Private Key - Permission denied

not able to ssh into vm