0

cannot ssh to spawned vms

asked 2013-10-16 23:41:36 -0500

hackman

updated 2013-10-16 23:56:10 -0500

The previous content was wrong.

The problem is: I had logged in as demo, and started the default cirros image instance. I added the security rule to the default group to open up the SSH connection:

nova secgroup-add-rule default tcp 22 22 172.24.4.0/24

I still cannot ssh login to the vm from the host where devstack is running, i.e. ssh cirros@10.0.0.3 hangs. This used to work before, after adding the security rule above, without any tampering with iptables.

To debug the problem, I enabled trace on iptables, and I found that the rule:

-A nova-compute-sg-fallback -j DROP

ultimately matches, and as a result, the firewall is rejecting the SSH connection.

If I change it manually to:

-A nova-compute-sg-fallback -j ACCEPT

it works. However, if I spawn a second VM, the rule goes back to the DROP target, and as a result, I cannot connect. I have to put the ACCEPT target back once more to get the login to work again.

My question is: what am I doing wrong, such that what used to work before does not work now and, as a temporary fix, I have to change the rule above?

Thanks


Comments

I am not sure if this has to do with the fact that I had updated my local git branches (devstack, nova, neutron etc.) to latest master yesterday.

hackman (2013-10-17 02:01:48 -0500)

Sorry for the obvious but have you tried allowing the address that you are trying to reach?

nova secgroup-add-rule default tcp 22 22 10.0.0.0/24

What does nova secgroup-list-rules default show?

dcreno (2017-02-06 10:20:11 -0500)

1 answer

0

answered 2018-10-31 03:57:03 -0500

eahmyou

Hi, I think you need to specify the direction ingress:

(openstack) security group rule create --protocol tcp --ingress --dst-port 22 default

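An added example, not part of the original thread or of nova's code: an offline check of whether a new connection is accepted by a security-group rule or falls through to nova-compute-sg-fallback, which is what the iptables trace in the question showed. The instance chain name, the rule layout and the client addresses are constructed assumptions; only the fallback chain and the 172.24.4.0/24 port 22 rule come from the thread.

```python
import ipaddress

# Constructed sample in iptables-save syntax. Only nova-compute-sg-fallback and
# the 172.24.4.0/24 port-22 rule come from the thread; the instance chain name
# and the overall layout are assumptions for illustration.
SAMPLE_RULES = """\
-A nova-compute-inst-1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A nova-compute-inst-1 -s 172.24.4.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A nova-compute-inst-1 -j nova-compute-sg-fallback
-A nova-compute-sg-fallback -j DROP
"""
KEYS = ("-s", "-p", "--dport", "--state", "-j")

def parse(text):
    """Map each chain name to its ordered list of rules ({option: value})."""
    chains = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 3 or tok[0] != "-A":
            continue
        rule = {tok[i]: tok[i + 1] for i in range(2, len(tok) - 1) if tok[i] in KEYS}
        chains.setdefault(tok[1], []).append(rule)
    return chains

def matches(rule, src, dport, proto):
    """True if a NEW connection from src to dport passes every test in the rule."""
    if "NEW" not in rule.get("--state", "NEW"):  # e.g. RELATED,ESTABLISHED only
        return False
    if rule.get("-p", proto) != proto:
        return False
    if "--dport" in rule:
        lo, _, hi = rule["--dport"].partition(":")
        if not int(lo) <= dport <= int(hi or lo):
            return False
    if "-s" in rule:
        return ipaddress.ip_address(src) in ipaddress.ip_network(rule["-s"])
    return True

def verdict(chains, chain, src, dport, proto="tcp"):
    """Return (target, chain_that_decided), or None if the chain falls through."""
    for rule in chains.get(chain, []):
        if not matches(rule, src, dport, proto):
            continue
        target = rule.get("-j")
        if target in ("ACCEPT", "DROP"):
            return target, chain
        result = verdict(chains, target, src, dport, proto)
        if result:
            return result
    return None
```

A verdict decided in nova-compute-sg-fallback means no security-group rule matched that source address and port, so the thing to correct is the rule's CIDR or direction. Switching the fallback to ACCEPT admits all traffic that no rule matched.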
