Ask Your Question

How to allow VM to manage DHCP itself

asked 2013-11-12 21:25:46 -0500

laocius gravatar image

updated 2013-11-13 03:58:38 -0500

darragh-oreilly gravatar image


I need my VM to netboot from another management VM. To do that, the management VM should have DHCP service setup.

I setup OpenStack Grizzly with linuxbridge plugin. Now I created two networks with different segmentation id with --enable_dhcp=False The netboot is suppose to use eth0 to boot from the management VM. But now it cannot.

Any ideas on this?


edit retag flag offensive close merge delete

3 answers

Sort by ยป oldest newest most voted

answered 2014-04-25 15:45:13 -0500

kincl gravatar image

updated 2014-04-25 15:45:53 -0500

I also ran into this problem and you can edit /usr/lib/python2.6/site-packages/neutron/agent/linux/ and change

    def _add_rule_by_security_group(self, port, direction):
            ipv4_iptables_rule += self._drop_dhcp_rule()


    def _add_rule_by_security_group(self, port, direction):
            #ipv4_iptables_rule += self._drop_dhcp_rule()

Note that this allows any VM to be a DHCP server, also note that you have to make sure you are allowing UDP traffic from the DHCP server to your VMs with Security Groups

edit flag offensive delete link more

answered 2013-11-13 04:08:23 -0500

darragh-oreilly gravatar image

The security groups implementation automatically adds iptables rules to prevent instances running DHCP servers on a Quantum network. Run iptables-save on the compute node and you will see something like this on the output chain for the port:

-A neutron-linuxbri-o1ea744af-8 -p udp -m udp --sport 67 --dport 68 -j DROP
edit flag offensive delete link more


Thanks Darragh, Anyway to disable this function?

laocius gravatar imagelaocius ( 2013-11-13 18:49:07 -0500 )edit

I don't know. Nova always tries to launch instances with security groups. Even if you do not specify one, it will look for the default security group. There may be a way, I just haven't looked into it.

darragh-oreilly gravatar imagedarragh-oreilly ( 2013-11-14 03:02:24 -0500 )edit

Could it be possible to specify create a security group allowing DHCP traffic?

liyi-meng gravatar imageliyi-meng ( 2014-01-15 08:30:44 -0500 )edit

nope, the DROP rule to prevent instances running DHCP servers is near the top of the chain and so will always be processed before user-defined rules. So it is not possible for tenants to circumvent it by adding security group to allow those packets out.

darragh-oreilly gravatar imagedarragh-oreilly ( 2014-01-15 12:51:12 -0500 )edit

I suggest modifying the rule or flat out dropping it. I personally dropped it in our dev enviroment.

SamYaple gravatar imageSamYaple ( 2014-01-15 18:18:54 -0500 )edit

answered 2014-01-15 09:44:23 -0500

updated 2014-01-15 09:45:21 -0500

Hi laocius,

Have you solve your problems, I found a blog at http:// which might be helpful for you.

Good luck!

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower


Asked: 2013-11-12 21:25:46 -0500

Seen: 1,441 times

Last updated: Apr 25 '14