Havana Neutron Networking - can't escape namespace
I'm setting up a test cluster with RDO and using Neutron with the openvswitch plugin and GRE tunnels. I have created a private network and subnet, a public network and public subnet (which is also shared with my OpenStack infrastructure) and a router connecting the two.
From a running instance I can ping both the inside (private IP) and the outside (public IP) of the router, but cannot ping any of the other public IPs in the subnet. The machines in the OpenStack infrastructure can ping each other but not the router, and if I attach a floating IP to the running instance they cannot ping that either.
As far as I can tell, the GRE tunnels are working as the router runs on a networker node separate to the compute node running the instance. On the networker node I can see a number of namespaces and in a "qrouter" namespace I can ping the instance's IP. There doesn't appear to be a proper connection from the "qrouter" namespace to the default namespace though.
What should I be doing to get my instances to talk to the outside world?
Possibly useful information:
[root@networker1 neutron]# neutron net-list
+--------------------------------------+-----------+--------------------------------------------------------+
| id | name | subnets |
+--------------------------------------+-----------+--------------------------------------------------------+
| 4d787148-cde7-43c1-a576-a124ae24edc5 | Cloudnet2 | d75a929d-c610-42d4-b1af-4817a640ea8f 172.16.2.0/24 |
| a1a34853-ddbf-4ccb-b233-389e6e5aa118 | Ext-Net | b126e6ae-f42c-48b4-897f-c72ee6eb58c5 X.Y.Z.128/27 |
+--------------------------------------+-----------+--------------------------------------------------------+
[root@networker1 neutron]# neutron net-show Ext-Net
+---------------------------+--------------------------------------+
| Field | Value |
+---------------------------+--------------------------------------+
| admin_state_up | True |
| id | a1a34853-ddbf-4ccb-b233-389e6e5aa118 |
| name | Ext-Net |
| provider:network_type | local |
| provider:physical_network | |
| provider:segmentation_id | |
| router:external | True |
| shared | True |
| status | ACTIVE |
| subnets | b126e6ae-f42c-48b4-897f-c72ee6eb58c5 |
| tenant_id | 378fe6d88a074a80ab33ad398944b75b |
+---------------------------+--------------------------------------+
[root@networker1 neutron]# neutron subnet-show b126e6ae-f42c-48b4-897f-c72ee6eb58c5
+------------------+------------------------------------------------------+
| Field | Value |
+------------------+------------------------------------------------------+
| allocation_pools | {"start": "X.Y.Z.140", "end": "X.Y.Z.155"} |
| cidr | X.Y.Z.128/27 |
| dns_nameservers | |
| enable_dhcp | False |
| gateway_ip | X.Y.Z.129 |
| host_routes | |
| id | b126e6ae-f42c-48b4-897f-c72ee6eb58c5 |
| ip_version | 4 |
| name | Public |
| network_id | a1a34853-ddbf-4ccb-b233-389e6e5aa118 |
| tenant_id | 24714c57284d487490eaad91bcf2cc4b |
+------------------+------------------------------------------------------+
[root@networker1 neutron]# neutron router-show Router
+-----------------------+-----------------------------------------------------------------------------+
| Field | Value |
+-----------------------+-----------------------------------------------------------------------------+
| admin_state_up | True |
| external_gateway_info | {"network_id": "a1a34853-ddbf-4ccb-b233-389e6e5aa118", "enable_snat": true} |
| id | 149c78f0-5e05-44f6-a683-4d0d680cb947 |
| name | Router |
| routes | |
| status | ACTIVE |
| tenant_id | 24714c57284d487490eaad91bcf2cc4b |
+-----------------------+-----------------------------------------------------------------------------+
[root@networker1 neutron]# neutron port-show 6cf39013-c5cc-4e99-b4be-51fe5816af6b
+-----------------------+---------------------------------------------------------------------------------------+
| Field | Value |
+-----------------------+---------------------------------------------------------------------------------------+
| admin_state_up | True |
| allowed_address_pairs | |
| binding:capabilities | {"port_filter": true} |
| binding:host_id | networker1.g2c.domicilium.com |
| binding:vif_type | ovs |
| device_id | 149c78f0-5e05-44f6-a683-4d0d680cb947 |
| device_owner | network:router_gateway |
| extra_dhcp_opts | |
| fixed_ips | {"subnet_id": "b126e6ae-f42c-48b4-897f-c72ee6eb58c5", "ip_address": "X.Y.Z.140"} |
| id | 6cf39013-c5cc-4e99-b4be-51fe5816af6b |
| mac_address | fa:16:3e:a9:b8:ab |
| name | |
| network_id | a1a34853-ddbf-4ccb-b233-389e6e5aa118 |
| security_groups | |
| status | DOWN |
| tenant_id | |
+-----------------------+---------------------------------------------------------------------------------------+
[root@networker1 neutron]# ip netns exec qrouter-149c78f0-5e05-44f6-a683-4d0d680cb947 ip address list
11: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
179: qr-925648b5-72: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether fa:16:3e:d1:df:ae brd ff:ff:ff:ff:ff:ff
inet 172.16.2.1/24 brd 172.16.2.255 scope global qr-925648b5-72
inet6 fe80::f816:3eff:fed1:dfae/64 scope link
valid_lft forever preferred_lft forever
181: qg-6cf39013-c5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether fa ...