VMs cannot access internet (nova-network)

asked 2014-11-03 14:18:48 -0500

fikovnik

Hi,

I see that this has been asked a lot, but I just could not find how to fix it in my setting. The problem is that from within the VM I cannot access the internet. Following the OS network troubleshooting guide, it seems that the problem is related to the firewall.

  • I can access VMs through their private / public IPs
  • VMs can ping each other
  • I can ping the compute node from the VM
  • I see the ping in the compute node that has spawned the VM

    root@16e854c5a23c:/# tcpdump -i any -n -v 'icmp[icmptype] = icmp-echoreply or icmp[icmptype] = icmp-echo'
    tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
    
    19:58:02.029020 IP (tos 0x0, ttl 64, id 5373, offset 0, flags [DF], proto ICMP (1), length 84)
        10.1.1.2 > 8.8.8.8: ICMP echo request, id 18433, seq 5, length 64
    

I tried the iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE, but that does not make any difference, even after recreating the VM. I have only one interface (eth0), which is declared both as flat and public in nova.conf. If I use a different hypervisor - nova docker - it works, I can access the internet from the VM (docker containers).

The OS is installed using the apt install guide for OS icehouse.

Following is the iptables-save:

    # Generated by iptables-save v1.4.21 on Mon Nov  3 19:58:59 2014
    *mangle
    :PREROUTING ACCEPT [10990:16309178]
    :INPUT ACCEPT [10338:16251055]
    :FORWARD ACCEPT [702:73621]
    :OUTPUT ACCEPT [12413:2791856]
    :POSTROUTING ACCEPT [13098:2862397]
    :nova-api-metadat-POSTROUTING - [0:0]
    :nova-compute-POSTROUTING - [0:0]
    :nova-network-POSTROUTING - [0:0]
    -A POSTROUTING -j nova-network-POSTROUTING
    -A POSTROUTING -j nova-compute-POSTROUTING
    -A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
    -A POSTROUTING -j nova-api-metadat-POSTROUTING
    COMMIT
    # Completed on Mon Nov  3 19:58:59 2014
    # Generated by iptables-save v1.4.21 on Mon Nov  3 19:58:59 2014
    *nat
    :PREROUTING ACCEPT [13:1621]
    :INPUT ACCEPT [20:1242]
    :OUTPUT ACCEPT [9:1896]
    :POSTROUTING ACCEPT [15:1717]
    :nova-api-metadat-OUTPUT - [0:0]
    :nova-api-metadat-POSTROUTING - [0:0]
    :nova-api-metadat-PREROUTING - [0:0]
    :nova-api-metadat-float-snat - [0:0]
    :nova-api-metadat-snat - [0:0]
    :nova-compute-OUTPUT - [0:0]
    :nova-compute-POSTROUTING - [0:0]
    :nova-compute-PREROUTING - [0:0]
    :nova-compute-float-snat - [0:0]
    :nova-compute-snat - [0:0]
    :nova-network-OUTPUT - [0:0]
    :nova-network-POSTROUTING - [0:0]
    :nova-network-PREROUTING - [0:0]
    :nova-network-float-snat - [0:0]
    :nova-network-snat - [0:0]
    :nova-postrouting-bottom - [0:0]
    -A PREROUTING -j nova-network-PREROUTING
    -A PREROUTING -j nova-compute-PREROUTING
    -A PREROUTING -j nova-api-metadat-PREROUTING
    -A OUTPUT -j nova-network-OUTPUT
    -A OUTPUT -j nova-compute-OUTPUT
    -A OUTPUT -j nova-api-metadat-OUTPUT
    -A POSTROUTING -j nova-network-POSTROUTING
    -A POSTROUTING -j nova-compute-POSTROUTING
    -A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
    -A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
    -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
    -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
    -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122 ...

1 answer


answered 2014-11-03 14:51:53 -0500

fikovnik

OK, I see it. The problem is that I have only one interface - eth0. In the nova.conf the public interface should therefore not be eth0, but br100.

When I tried iptables -t nat -I POSTROUTING -o br100 -j MASQUERADE all started to work - hence I found the mistake.


Comments

How do you work? I have only one interface and I install AIO openstack-ansible.

obaviet (2016-03-07 07:40:18 -0500)
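
An added example, not part of the original thread and not nova's own code: a check over iptables-save output that lists the source-NAT rules pinned with -o to an interface other than the one traffic actually leaves through, which is the mismatch the answer describes (rule on eth0, traffic leaving via br100). The sample ruleset, the function names and the address 203.0.113.10 are constructed for illustration; the egress interface is supplied by the caller.

```python
import shlex

# Constructed ruleset in iptables-save format (not the poster's full dump).
SAMPLE = """\
*nat
:POSTROUTING ACCEPT [0:0]
:nova-network-snat - [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A nova-network-snat -s 10.1.1.0/24 -o eth0 -j SNAT --to-source 203.0.113.10
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -o eth0 -j ACCEPT
COMMIT
"""

def source_nat_rules(ruleset):
    """Yield (chain, out_iface, target) for MASQUERADE/SNAT rules in *nat."""
    table = None
    for line in ruleset.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif table == "nat" and line.startswith("-A "):
            tok = shlex.split(line)
            target = tok[tok.index("-j") + 1] if "-j" in tok else None
            if target not in ("MASQUERADE", "SNAT"):
                continue
            out = None
            if "-o" in tok:
                i = tok.index("-o")
                out = ("!" if tok[i - 1] == "!" else "") + tok[i + 1]
            yield tok[1], out, target

def applies_to(out, egress):
    """True if a rule's -o match (None, name, 'name+', '!name') covers egress."""
    if out is None:
        return True  # no -o: the rule matches every outgoing interface
    negated, name = out.startswith("!"), out.lstrip("!")
    hit = egress.startswith(name[:-1]) if name.endswith("+") else egress == name
    return hit != negated

def rules_missing_egress(ruleset, egress):
    """Source-NAT rules pinned to an interface that is not the egress one."""
    return [r for r in source_nat_rules(ruleset) if not applies_to(r[1], egress)]

if __name__ == "__main__":
    for chain, out, target in rules_missing_egress(SAMPLE, "br100"):
        print(f"{chain}: {target} only matches -o {out}, not br100")
```

On a live host the first argument would be the text printed by iptables-save, and the second the interface that carries the default route.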
