Accessing VM's Fixed IP from controller

asked 2015-11-04 05:01:15 -0500


updated 2015-11-04 05:13:16 -0500

Hi,

I am a newbie to OpenStack and I tried deploying OpenStack in both ways: devstack and a production setup (3-node architecture, Kilo version). I was able to successfully bring up the services, launch VMs and play around.

But one thing I noted is that when I launch VMs through devstack, the VM's fixed IP is accessible from the controller, whereas in the production setup I need to associate a floating IP from the external network so that I can access it from the controller.

Am I missing something, or is it the expected use case? Please find some more information below. The difference I could see is that in devstack the management and external networks are the same, whereas in the production environment they are different.

Devstack Neutron Setup:

Architecture: All-in-One Physical M/C
Management N/W: 172.30.5.x
Q_L3_ENABLED=True
FLOATING_RANGE=172.30.5.0/24
FIXED_RANGE=10.0.0.0/24

Production Environment Neutron Setup:

Architecture: 3 node(Controller + Network + Compute)
Management N/w: 172.30.5.0/24
Tunnelling: 10.0.1.x(No Gateway)
Tenant N/W: 10.0.0.0/24
External N/w: 172.30.0.0/24

Thanks, Prabu RM.


2 answers


answered 2015-11-04 06:42:30 -0500


updated 2015-11-04 07:49:43 -0500

UPDATE 1

[root@ip-192-169-142-147 ~(keystone_admin)]#  ip netns exec qrouter-0f8b3d03-b229-4e86-8469-225648ea0b42  iptables-save -t nat | grep "^-A"|grep l3-agent
-A PREROUTING -j neutron-l3-agent-PREROUTING
-A OUTPUT -j neutron-l3-agent-OUTPUT
-A POSTROUTING -j neutron-l3-agent-POSTROUTING
-A neutron-l3-agent-OUTPUT -d 172.24.4.228/32 -j DNAT --to-destination 50.0.0.11
-A neutron-l3-agent-OUTPUT -d 172.24.4.229/32 -j DNAT --to-destination 50.0.0.12
-A neutron-l3-agent-POSTROUTING ! -i qg-4a6156af-6e ! -o qg-4a6156af-6e -m conntrack ! --ctstate DNAT -j ACCEPT
-A neutron-l3-agent-PREROUTING -d 169.254.169.254/32 -i qr-+ -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697
-A neutron-l3-agent-PREROUTING -d 172.24.4.228/32 -j DNAT --to-destination 50.0.0.11
-A neutron-l3-agent-PREROUTING -d 172.24.4.229/32 -j DNAT --to-destination 50.0.0.12
-A neutron-l3-agent-float-snat -s 50.0.0.11/32 -j SNAT --to-source 172.24.4.228
-A neutron-l3-agent-float-snat -s 50.0.0.12/32 -j SNAT --to-source 172.24.4.229
-A neutron-l3-agent-snat -j neutron-l3-agent-float-snat
-A neutron-l3-agent-snat -o qg-4a6156af-6e -j SNAT --to-source 172.24.4.227
-A neutron-l3-agent-snat -m mark ! --mark 0x2/0xffff -m conntrack --ctstate DNAT -j SNAT --to-source 172.24.4.227
-A neutron-postrouting-bottom -m comment --comment "Perform source NAT on outgoing traffic." -j neutron-l3-agent-snat

END UPDATE

Fixed IPs are accessible from the network node, where the qdhcp namespace resides.
First :-

[root@ip-192-169-142-147 ~(keystone_admin)]# neutron net-list
+--------------------------------------+--------------+------------------------------------------------------+
| id                                   | name         | subnets                                              |
+--------------------------------------+--------------+------------------------------------------------------+
| 77ff930d-6d09-4737-b5c7-06b5e2899c85 | public       | b49d9374-10be-4560-9be4-b5231d68a0db 172.24.4.224/28 |
| 36e9550f-4831-41ac-a233-6e47a262f22e | demo_network | ac6971dc-9ae8-4395-a2ad-de11a0875520 50.0.0.0/24     |
+--------------------------------------+--------------+------------------------------------------------------+
[root@ip-192-169-142-147 ~(keystone_admin)]# ip netns | grep 36e9550f-4831-41ac-a233-6e47a262f22e
qdhcp-36e9550f-4831-41ac-a233-6e47a262f22e

Second :-

[root@ip-192-169-142-147 ~(keystone_admin)]# ip netns exec  qdhcp-36e9550f-4831-41ac-a233-6e47a262f22e ping -c 3 50.0.0.11
PING 50.0.0.11 (50.0.0.11) 56(84) bytes of data.
64 bytes from 50.0.0.11: icmp_seq=1 ttl=64 time=1.60 ms
64 bytes from 50.0.0.11: icmp_seq=2 ttl=64 time=0.342 ms
64 bytes from 50.0.0.11: icmp_seq=3 ttl=64 time=0.483 ms

--- 50.0.0.11 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2001ms
rtt min/avg/max/mdev = 0.342/0.811/1.609/0.567 ms

Third :-

[root@ip-192-169-142-147 ~(keystone_admin)]# ip netns exec  qdhcp-36e9550f-4831-41ac-a233-6e47a262f22e ssh -i oskeystor.pem fedora@50.0.0.11
The authenticity of host '50.0.0.11 (50.0.0.11)' can't be established.
ECDSA key fingerprint is 5a:ef:71:c1:80:2b:49:33:a5:bd:04:63:2f:de:7c:0b.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '50.0.0.11' (ECDSA) to the list of known hosts.
Last login: Tue Nov  3 08:40:00 2015
[fedora@vf22devs01 ~]$ uname -a
Linux vf22devs01.novalocal 4.2.3-200.fc22.x86_64+debug #1 SMP Thu Oct 8 03:09:19 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
[fedora@vf22devs01 ~]$ curl http://169.254.169.254/latest/meta-data/local-ipv4
50.0.0.11
[fedora@vf22devs01 ~]$ curl http://169.254.169.254/latest/meta-data/public-ipv4
172.24.4.228
[fedora@vf22devs01 ~]$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST ...
(more)
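The `iptables-save -t nat` dump in the answer above is the whole story of how a fixed IP becomes reachable from outside: a PREROUTING DNAT from the floating IP to the fixed IP for inbound packets, a matching `float-snat` SNAT for the VM's outbound packets, and a catch-all SNAT to the router's own gateway address (172.24.4.227) for VMs that have no floating IP. A VM without a DNAT/SNAT pair is therefore only reachable from inside the tenant network, which is what `ip netns exec qdhcp-... ping` does. (devstack's neutron setup additionally adds a host route for FIXED_RANGE via the router's gateway address on the external bridge, so the all-in-one host reaches fixed IPs from its own shell; a multi-node deployment installs no such route.) The following audit script is an added example, not part of the answer and not Neutron code: it parses that dump, recovers the floating-to-fixed mapping, and flags floating IPs whose inbound and outbound rules do not pair up (a half-removed association). The sample input is the rule set quoted above, embedded inline; the stale extra rule, the class and function names are this example's own.

```python
"""Audit floating-IP NAT rules of a Neutron L3 agent router namespace (added example).

Parses `ip netns exec qrouter-<id> iptables-save -t nat | grep '^-A'` output and
recovers, per floating IP, the fixed IP it DNATs to (inbound) and the fixed IP
SNATed back to it (outbound), then checks both directions agree. All names here
are this example's own, not Neutron's.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Sample input: the l3-agent rules quoted in the answer above (gateway
# 172.24.4.227 on qg-4a6156af-6e; floating .228/.229 -> fixed 50.0.0.11/.12).
SAMPLE_RULES = """\
-A PREROUTING -j neutron-l3-agent-PREROUTING
-A OUTPUT -j neutron-l3-agent-OUTPUT
-A POSTROUTING -j neutron-l3-agent-POSTROUTING
-A neutron-l3-agent-OUTPUT -d 172.24.4.228/32 -j DNAT --to-destination 50.0.0.11
-A neutron-l3-agent-OUTPUT -d 172.24.4.229/32 -j DNAT --to-destination 50.0.0.12
-A neutron-l3-agent-POSTROUTING ! -i qg-4a6156af-6e ! -o qg-4a6156af-6e -m conntrack ! --ctstate DNAT -j ACCEPT
-A neutron-l3-agent-PREROUTING -d 169.254.169.254/32 -i qr-+ -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697
-A neutron-l3-agent-PREROUTING -d 172.24.4.228/32 -j DNAT --to-destination 50.0.0.11
-A neutron-l3-agent-PREROUTING -d 172.24.4.229/32 -j DNAT --to-destination 50.0.0.12
-A neutron-l3-agent-float-snat -s 50.0.0.11/32 -j SNAT --to-source 172.24.4.228
-A neutron-l3-agent-float-snat -s 50.0.0.12/32 -j SNAT --to-source 172.24.4.229
-A neutron-l3-agent-snat -j neutron-l3-agent-float-snat
-A neutron-l3-agent-snat -o qg-4a6156af-6e -j SNAT --to-source 172.24.4.227
-A neutron-l3-agent-snat -m mark ! --mark 0x2/0xffff -m conntrack --ctstate DNAT -j SNAT --to-source 172.24.4.227
-A neutron-postrouting-bottom -m comment --comment "Perform source NAT on outgoing traffic." -j neutron-l3-agent-snat
"""

# Constructed variant (not from the page): a stale inbound DNAT whose float-snat rule is gone.
STALE_RULES = SAMPLE_RULES + "-A neutron-l3-agent-PREROUTING -d 172.24.4.230/32 -j DNAT --to-destination 50.0.0.13\n"

DNAT_RE = re.compile(r"^-A neutron-l3-agent-(PREROUTING|OUTPUT) -d (\S+?)/32 -j DNAT --to-destination (\S+)$")
FLOAT_SNAT_RE = re.compile(r"^-A neutron-l3-agent-float-snat -s (\S+?)/32 -j SNAT --to-source (\S+)$")
GW_SNAT_RE = re.compile(r"^-A neutron-l3-agent-snat -o (qg-\S+) -j SNAT --to-source (\S+)$")
METADATA_RE = re.compile(r"^-A neutron-l3-agent-PREROUTING -d 169\.254\.169\.254/32 .* -j REDIRECT --to-ports (\d+)$")


@dataclass
class NatAudit:
    dnat: Dict[str, str] = field(default_factory=dict)  # floating -> fixed (PREROUTING)
    snat: Dict[str, str] = field(default_factory=dict)  # fixed -> floating (float-snat)
    gateway_if: Optional[str] = None    # router's external qg- port
    gateway_ip: Optional[str] = None    # address used for default SNAT of VMs without a floating IP
    metadata_port: Optional[int] = None  # local port the metadata proxy listens on


def parse_nat_rules(text: str) -> NatAudit:
    """Extract floating-IP mappings, gateway and metadata redirect from iptables-save lines."""
    audit = NatAudit()
    for raw in text.splitlines():
        line = raw.strip()
        if m := DNAT_RE.match(line):
            chain, floating, fixed = m.groups()
            if chain == "PREROUTING":  # OUTPUT duplicates it for locally generated traffic
                audit.dnat[floating] = fixed
        elif m := FLOAT_SNAT_RE.match(line):
            fixed, floating = m.groups()
            audit.snat[fixed] = floating
        elif m := GW_SNAT_RE.match(line):
            audit.gateway_if, audit.gateway_ip = m.groups()
        elif m := METADATA_RE.match(line):
            audit.metadata_port = int(m.group(1))
    return audit


def floating_ip_map(audit: NatAudit) -> Dict[str, str]:
    """floating -> fixed, only for associations where DNAT and SNAT agree."""
    return {f: x for f, x in audit.dnat.items() if audit.snat.get(x) == f}


def find_inconsistencies(audit: NatAudit) -> List[str]:
    """One message per floating IP whose inbound and outbound rules do not pair up."""
    problems = []
    for floating, fixed in audit.dnat.items():
        if audit.snat.get(fixed) != floating:
            problems.append(f"DNAT {floating} -> {fixed} has no matching float-snat rule")
    for fixed, floating in audit.snat.items():
        if audit.dnat.get(floating) != fixed:
            problems.append(f"SNAT {fixed} -> {floating} has no matching DNAT rule")
    return problems


def inbound_address(audit: NatAudit, fixed_ip: str) -> Optional[str]:
    """Address the outside world must use to reach fixed_ip, or None if it has no
    consistent floating IP (then it is reachable only from inside the tenant
    network or from a namespace attached to it, as in the question)."""
    for floating, fixed in floating_ip_map(audit).items():
        if fixed == fixed_ip:
            return floating
    return None


if __name__ == "__main__":
    audit = parse_nat_rules(SAMPLE_RULES)
    print("gateway:", audit.gateway_if, audit.gateway_ip, "metadata port:", audit.metadata_port)
    for floating, fixed in floating_ip_map(audit).items():
        print(f"{fixed} is reachable from the external network as {floating}")
    print("problems in stale rule set:", find_inconsistencies(parse_nat_rules(STALE_RULES)))
```

On a real node, feed it `ip netns exec qrouter-<id> iptables-save -t nat | grep '^-A'` for each router namespace; any floating IP reported by `find_inconsistencies` deserves a look, since a DNAT without its SNAT means the VM answers from the gateway address rather than its floating IP, and a SNAT without its DNAT means the floating IP is advertised but delivers nothing inbound.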

answered 2015-11-04 07:33:22 -0500


Thanks for the clarification. Yes, on the network node, within the qdhcp-58c4a59c-6f31-.... network namespace, I could ping the VMs' fixed IPs. However, in devstack I was able to ping the fixed IP directly from the controller machine's terminal (where the network agents are also running) rather than from the qdhcp namespace. Is there anything I am still missing? Please throw some light.


Comments

You cannot access a fixed IP from the external world. Tenant networks don't exist outside your deployed landscape. The Neutron router forwards packets from the tenant network to the external network, and vice versa, by applying iptables (DNAT/SNAT) rules, translating the floating IP to the private IP of the cloud VM on the way to the Internet and back.

dbaxps (2015-11-04 07:42:47 -0500)

Thanks a lot!

praburm (2015-11-04 07:48:18 -0500)


Stats

Asked: 2015-11-04 05:01:15 -0500

Seen: 149 times

Last updated: Nov 04 '15