Ask Your Question
1

Still cannot ssh or ping instances

asked 2015-02-23 15:15:18 -0500

bbronstein gravatar image

Hi all, i've configure my openstack install using the RDO quickstart (using Juno). Everything went very well, all service running, can utilize the Horizon GUI w/o issue. I've allowed openstack to create the default 'public' network of 172.24.4.x and spun up an instance using the CirrOS test image. I can login via console. I cannot ping or SSH-i've googled this for days w/o resolution though i see many others with similar issues. My ssh keys are good, my network config appears to be correct (ive actually blown out this machine and rebuilt from scratch after hosing up my network configs) but i'm still unable to talk to the vm's.

What i dont understand is how the vm's talk to the host and on what network it should be on. My host is a physical box with a static IP in a lab (i dont have dhcp here, nor do i have other ip's available besides the single i've been assigned). How do i direct traffic through the bridge (br-ex) to my vm's and back? I can provide any info that will assist.

This is on a CentOS7 fresh install.

edit retag flag offensive close merge delete

Comments

I'm wondering if one of my issues is the fact i dont have other IP's available in my host ip range...is that an issue? If so, how do i need to configure instance access to my host network?

bbronstein gravatar imagebbronstein ( 2015-02-24 08:56:05 -0500 )edit

UPDATE: i've changed my iptables rules and i can now ssh using ip netns. any instance besides the cirros is prompting for a passphrase on the key (no passphrase). from the cirros image i still cannot ping out. we're getting there.

bbronstein gravatar imagebbronstein ( 2015-02-25 07:50:25 -0500 )edit

**Let me update here-i have ssh working using ip netns (since i dont have any floating ips). But it only works by using my private key??? Thats completely backwards. anyone else seeing this?

bbronstein gravatar imagebbronstein ( 2015-02-25 14:00:04 -0500 )edit

Can'you please share the rule yo added because i have the same problem, i can ping the gateway of my instance but note the instance (in the qrouter namespace )

joha gravatar imagejoha ( 2017-03-20 13:19:34 -0500 )edit

@bbronstein did you get solution of this problem? I am facing same issue.

vatsal gravatar imagevatsal ( 2018-11-26 06:50:07 -0500 )edit

2 answers

Sort by » oldest newest most voted
0

answered 2015-02-24 23:53:47 -0500

hello

first of all you need to add the rules like all-icmp and all-tcp rules to your instance

nova secgroup-add-rule default icmp -1 -1 0.0.0.0/0  (is used for PING)
nova secgroup-add-rule default tcp 22 22 0.0.0.0/0 (is used for SSH)

then try to ping and SSH to your instance.

please do check the documentation of image you trying to build.

try this enable network forwarding

sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
edit flag offensive delete link more

Comments

these rules do all exist. i can ping using ip netns exec qrouterxxxx ping 192.168.0.3 (instance IP) but cannot ssh using the same command (qdhcp). how must i list my host/external ip range in openstack? what must my gateway be?

bbronstein gravatar imagebbronstein ( 2015-02-25 07:26:19 -0500 )edit
0

answered 2015-02-23 23:36:38 -0500

pandiarajan.s gravatar image

Can you able to ping external network from instance ? if yes means you have to open firewall in openstack instance.

In project (the admin project) you have to configure your Security Groups under Compute—>Access & Security—>Security Groups. Once there click Manage Rules for the default security group. Delete what’s there. Add Ingress/Egress for ALL ICMP, ALL TCP, and ALL UDP accepting all other defaults on the form. This will open up your firewall completely.

edit flag offensive delete link more

Comments

I guess my primary question is how am I to configure the network? is there something i need to add besides a default network to allow communication between host/vm or is that supposed to be automatic after the bridge is configured? ICMP and TCP port 22 are all allowed Ingress/Egress for default

bbronstein gravatar imagebbronstein ( 2015-02-24 08:09:43 -0500 )edit

sorry. no, i cannot ping from within an instance to my host network-only within the networks created in neutron.

bbronstein gravatar imagebbronstein ( 2015-02-24 10:19:32 -0500 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

Stats

Asked: 2015-02-23 15:15:18 -0500

Seen: 2,623 times

Last updated: Feb 24 '15