How do I ssh to an OpenStack instance?

asked 2015-09-03 17:52:35 -0500

anonymous user

Anonymous

I have an OpenStack component server running Ubuntu. I created a Cirros instance via OpenStack's GUI. I associated an IP address with the Cirros instance using the OpenStack GUI. I can SSH from the Cirros instance to the Ubuntu server. But I cannot SSH from the Ubuntu server to the Cirros server. I get "Connection timed out." I can ping the Cirros instance's associated IP address. The echo comes from its original IP address.

I used nmap from the Ubuntu server to the Cirros server. Every port appears to be filtered (or blocked) on the target Cirros machine including port 135. That is, port 22 is not open between the Ubuntu server and the Cirros server. I can ssh from the Ubuntu server to other Linux machines (but not instances).

On the Cirros instance, I can ssh to the loopback IP address. I get prompted for a password. It works fine. What can I do to ssh from my Ubuntu machine to the Cirros instance?

I don't think a security group is blocking port 22. nova secgroup-list shows these rules were in place:

Protocol From Port       To Port
tcp            22            22     0.0.0.0/0    
icmp           -1            -1     0.0.0.0/0

What does port -1 do? It is an icmp rule. So it likely is irrelevant. But I am curious.

Could a neutron security group be blocking port 22 to the instance? How do I identify and modify such a rule?

edit retag flag offensive close merge delete

Comments

Can you provide us with more information on your networking setup. The -1 means it will allow any port for the ICMP protocol. Can you ping the instance IP? If you are running Neutron with L3 agents you must ping or SSH to the local IP in the router namespace or assign it a floating IP.

Tobias Urdin gravatar imageTobias Urdin ( 2015-09-04 01:45:29 -0500 )edit

No, I cannot ping the instance IP. What do you want to know? I have a security group that allows all TCP traffic from any IP address on any port. So I don't see what is blocking the ssh attempt.

Infantry gravatar imageInfantry ( 2015-09-04 11:00:26 -0500 )edit

Have you assigned a FIP address to the instance? Is the FIP address routable from the client?

bgdn_sk gravatar imagebgdn_sk ( 2015-09-10 05:49:49 -0500 )edit