Accessing VM's Fixed IP from controller

asked 2015-11-04 05:01:15 -0500

praburm gravatar image

updated 2015-11-04 05:13:16 -0500


I am newbie to openstack and I tried deploying openstack in both the ways devstack and production setup(3 node architecture, KILO Version). I could be able to successfully bringup the services, launch VMs and play around.

But one thing I noted that when I am launching VMs through devstack the VM Fixed IP is accessible from controller whereas in production setup I need to associate the floating IP from external network so that I could access it from controller.

Am I miss something or it's the expected use case. Please find some more information below. The difference I could see is in devstack management & external n/w is same whereas in production environment they are different.

Devstack Neutron Setup:

Architecture: All-in-One Physical M/C
Management N/W: 172.30.5.x

Production Environment Neutron Setup:

Architecture: 3 node(Controller + Network + Compute)
Management N/w:
Tunnelling: 10.0.1.x(No Gateway)
Tenant N/W:
External N/w:

Thanks, Prabu RM.

edit retag flag offensive close merge delete

2 answers

Sort by ยป oldest newest most voted

answered 2015-11-04 06:42:30 -0500

dbaxps gravatar image

updated 2015-11-04 07:49:43 -0500


[root@ip-192-169-142-147 ~(keystone_admin)]#  ip netns exec qrouter-0f8b3d03-b229-4e86-8469-225648ea0b42  iptables-save -t nat | grep "^-A"|grep l3-agent
-A PREROUTING -j neutron-l3-agent-PREROUTING
-A OUTPUT -j neutron-l3-agent-OUTPUT
-A POSTROUTING -j neutron-l3-agent-POSTROUTING
-A neutron-l3-agent-OUTPUT -d -j DNAT --to-destination
-A neutron-l3-agent-OUTPUT -d -j DNAT --to-destination
-A neutron-l3-agent-POSTROUTING ! -i qg-4a6156af-6e ! -o qg-4a6156af-6e -m conntrack ! --ctstate DNAT -j ACCEPT
-A neutron-l3-agent-PREROUTING -d -i qr-+ -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697
-A neutron-l3-agent-PREROUTING -d -j DNAT --to-destination
-A neutron-l3-agent-PREROUTING -d -j DNAT --to-destination
-A neutron-l3-agent-float-snat -s -j SNAT --to-source
-A neutron-l3-agent-float-snat -s -j SNAT --to-source
-A neutron-l3-agent-snat -j neutron-l3-agent-float-snat
-A neutron-l3-agent-snat -o qg-4a6156af-6e -j SNAT --to-source
-A neutron-l3-agent-snat -m mark ! --mark 0x2/0xffff -m conntrack --ctstate DNAT -j SNAT --to-source
-A neutron-postrouting-bottom -m comment --comment "Perform source NAT on outgoing traffic." -j neutron-l3-agent-snat


Fixed IPs are accessible from Network Node where qdhcp-namespace resides
First :-

[root@ip-192-169-142-147 ~(keystone_admin)]# neutron net-list
| id                                   | name         | subnets                                              |
| 77ff930d-6d09-4737-b5c7-06b5e2899c85 | public       | b49d9374-10be-4560-9be4-b5231d68a0db |
| 36e9550f-4831-41ac-a233-6e47a262f22e | demo_network | ac6971dc-9ae8-4395-a2ad-de11a0875520     |
[root@ip-192-169-142-147 ~(keystone_admin)]# ip netns | grep 36e9550f-4831-41ac-a233-6e47a262f22e

Second :-

[root@ip-192-169-142-147 ~(keystone_admin)]# ip netns exec  qdhcp-36e9550f-4831-41ac-a233-6e47a262f22e ping -c 3
PING ( 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=64 time=1.60 ms
64 bytes from icmp_seq=2 ttl=64 time=0.342 ms
64 bytes from icmp_seq=3 ttl=64 time=0.483 ms

--- ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2001ms
rtt min/avg/max/mdev = 0.342/0.811/1.609/0.567 ms

Third :-

[root@ip-192-169-142-147 ~(keystone_admin)]# ip netns exec  qdhcp-36e9550f-4831-41ac-a233-6e47a262f22e ssh -i oskeystor.pem fedora@
The authenticity of host ' (' can't be established.
ECDSA key fingerprint is 5a:ef:71:c1:80:2b:49:33:a5:bd:04:63:2f:de:7c:0b.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '' (ECDSA) to the list of known hosts.
Last login: Tue Nov  3 08:40:00 2015
[fedora@vf22devs01 ~]$ uname -a
Linux vf22devs01.novalocal 4.2.3-200.fc22.x86_64+debug #1 SMP Thu Oct 8 03:09:19 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
[fedora@vf22devs01 ~]$ curl
[fedora@vf22devs01 ~]$ curl
[fedora@vf22devs01 ~]$ ifconfig
edit flag offensive delete link more

answered 2015-11-04 07:33:22 -0500

praburm gravatar image

Thanks For the clarification. Yes In network node within the qdhcp-58c4a59c-6f31-.... network namespace I could ping on VMs fixed IPs. Though in devstack I could be able to ping the Fixed IP directly from controller(where network agents also running) m/c terminal rather than from qdhcp namespace. Anything still I miss? Please throw some light.

edit flag offensive delete link more


You cannot access fixed ip from external world. Tenant's network don't exist outside your deployed landscape. Neutron router forward packets from tenant's to external network applying IPtables (DNAT/SNAT) rules vice/versa to Internet and back via translation Floating IP to private IP of Cloud VM.

dbaxps gravatar imagedbaxps ( 2015-11-04 07:42:47 -0500 )edit

Thanks a lot!

praburm gravatar imagepraburm ( 2015-11-04 07:48:18 -0500 )edit

Get to know Ask OpenStack

Resources for moderators

Question Tools


Asked: 2015-11-04 05:01:15 -0500

Seen: 202 times

Last updated: Nov 04 '15