devstack on Fedora 22, neutron networking, vm can not ping internet hosts

asked 2015-07-08 09:58:47 -0500

croberts

I have a Fedora 22 machine where I am running devstack. Almost everything seems to be working properly except my VMs can not ping external (internet) hosts. Hopefully, someone can get me over that hump.

Here is a snippet from my local.conf (enp5s0 is my wired ethernet connection):

FLAT_INTERFACE=enp5s0
IP_VERSION=4
FLOATING_RANGE=192.168.3.0/24
PUBLIC_NETWORK_GATEWAY=192.168.3.1
FIXED_RANGE=10.3.0.0/24
NETWORK_GATEWAY=10.3.0.1

I have run iptables -t nat -A POSTROUTING -o enp5s0 -j MASQUERADE, which has worked for me on older versions of Fedora.

In the event it helps, here is a dump of my iptables rules.

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
neutron-openvswi-INPUT  all  --  anywhere             anywhere            
nova-api-INPUT  all  --  anywhere             anywhere            
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
neutron-filter-top  all  --  anywhere             anywhere            
neutron-openvswi-FORWARD  all  --  anywhere             anywhere            
nova-filter-top  all  --  anywhere             anywhere            
nova-api-FORWARD  all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             192.168.122.0/24     ctstate RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere            
ACCEPT     all  --  anywhere             anywhere            
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
neutron-filter-top  all  --  anywhere             anywhere            
neutron-openvswi-OUTPUT  all  --  anywhere             anywhere            
nova-filter-top  all  --  anywhere             anywhere            
nova-api-OUTPUT  all  --  anywhere             anywhere            
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc

Chain DOCKER (1 references)
target     prot opt source               destination         

Chain neutron-filter-top (2 references)
target     prot opt source               destination         
neutron-openvswi-local  all  --  anywhere             anywhere            

Chain neutron-openvswi-FORWARD (1 references)
target     prot opt source               destination         
neutron-openvswi-sg-chain  all  --  anywhere             anywhere             PHYSDEV match --physdev-out tap5d908dd9-18 --physdev-is-bridged /* Direct traffic from the VM interface to the security group chain. */
neutron-openvswi-sg-chain  all  --  anywhere             anywhere             PHYSDEV match --physdev-in tap5d908dd9-18 --physdev-is-bridged /* Direct traffic from the VM interface to the security group chain. */
neutron-openvswi-sg-chain  all  --  anywhere             anywhere             PHYSDEV match --physdev-out tapbafd0f82-43 --physdev-is-bridged /* Direct traffic from the VM interface to the security group chain. */
neutron-openvswi-sg-chain  all  --  anywhere             anywhere             PHYSDEV match --physdev-in tapbafd0f82-43 --physdev-is-bridged /* Direct traffic from the VM interface to the security group chain. */

Chain neutron-openvswi-INPUT (1 references)
target     prot opt source               destination         
neutron-openvswi-o5d908dd9-1  all  --  anywhere             anywhere             PHYSDEV match --physdev-in tap5d908dd9-18 --physdev-is-bridged /* Direct incoming traffic from VM to the security group chain. */
neutron-openvswi-obafd0f82-4  all  --  anywhere             anywhere             PHYSDEV match --physdev-in tapbafd0f82-43 --physdev-is-bridged /* Direct incoming traffic from VM to the security group chain. */

Chain neutron-openvswi-OUTPUT (1 references)
target     prot opt source               destination         

Chain neutron-openvswi-i5d908dd9-1 (1 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere             state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
RETURN     all  --  anywhere             anywhere             state RELATED ...

Comments

I should add that my router's External Gateway (192.168.3.2) shows a status of "Down". That is different from my devstack on Fedora 20 (which is working and shows a state of "Active").

croberts (2015-07-08 10:01:29 -0500)

1 answer


answered 2015-07-08 10:16:24 -0500

dbaxps

updated 2015-07-08 10:28:06 -0500

I wouldn't use devstack on F22 due to "Switching to Dashboard Spice Console in RDO Kilo on Fedora 22 && "Video/Sound" and "cut/paste" spice's features implemented via Spicy or virt-manager for RH's VMs running in the cloud"
http://bderzhavets.blogspot.com/2015/...


Stats

Asked: 2015-07-08 09:58:47 -0500

Seen: 227 times

Last updated: Jul 08 '15