Couldn't ssh/ping nova VM from external network using its floating IP

asked 2015-11-09 20:08:39 -0500

anonymous user


updated 2015-11-10 10:35:01 -0500

Hi there,

In a fresh devstack (master branch) install:

  1. I booted up a cirros instance and associated it with a floating IP.
  2. Created a security group rule to allow TCP port 22 and associated it with the nova instance.
  3. From the qrouter namespace, I can ping both the private and FIP address of the instance.
  4. But I couldn't ssh into the instance from the external network using its FIP.

$ neutron net-list

+--------------------------------------+---------+----------------------------------------------------------+
| id                                   | name    | subnets                                                  |
+--------------------------------------+---------+----------------------------------------------------------+
| 376357b1-6abe-46c1-844b-548a051391d5 | public  | 41b86431-41d6-4503-8329-767f84bad4d5 172.24.4.0/24       |
|                                      |         | 79f0bf72-8c98-478b-a463-b6e3a101e6b7 2001:db8::/64       |
| ebe713c9-5064-48ec-9094-e44e150d36ad | private | c7ebd45c-5a1f-4d97-a90e-b221f19c7177 10.0.0.0/24         |
|                                      |         | d7aac86f-0b2c-4dd4-88cf-246bfb58006e fd69:7a94:27b7::/64 |
+--------------------------------------+---------+----------------------------------------------------------+

$ neutron router-list

+--------------------------------------+---------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------+-------+
| id                                   | name    | external_gateway_info                                                                                                                                                                                                                                                      | distributed | ha    |
+--------------------------------------+---------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------+-------+
| 46715086-3f9c-4fb1-91b4-b41da24baa2f | router1 | {"network_id": "376357b1-6abe-46c1-844b-548a051391d5", "enable_snat": true, "external_fixed_ips": [{"subnet_id": "41b86431-41d6-4503-8329-767f84bad4d5", "ip_address": "172.24.4.2"}, {"subnet_id": "79f0bf72-8c98-478b-a463-b6e3a101e6b7", "ip_address": "2001:db8::1"}]} | True        | False |
+--------------------------------------+---------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------+-------+

$ neutron security-group-rule-list

+--------------------------------------+----------------+-----------+-----------+---------------+-----------------+
| id                                   | security_group | direction | ethertype | protocol/port | remote          |
+--------------------------------------+----------------+-----------+-----------+---------------+-----------------+
| 1cfb9a69-61e0-4df3-b04c-f9f9f4a54cc3 | default        | egress    | IPv4      | any           | any             |
| 4afe5008-c192-4582-95c8-21b1f64ab2a5 | default        | ingress   | IPv6      | any           | default (group) |
| 5ce1e34d-7b9d-41d8-9a15-94711824ae68 | secgroup1      | ingress   | IPv4      | 22/tcp        | any             |
| 6b3a8008-b446-4004-a72a-6ea2c9bbf375 | default        | egress    | IPv6      | any           | any             |
| 7feb5969-5f9d-4525-93a3-a108db59f65b | default        | egress    | IPv6      | any           | any             |
| 7ff6a82f-6c8c-4bb5-b893-d06272b0d69b | default        | ingress   | IPv4      | any           | default (group) |
| 90f385c9-de19-4ede-b4ef-bf199537b49b | secgroup1      | egress    | IPv6      | any           | any             |
| c21ed80d-fbee-4db6-8518-60a1070aff20 | secgroup1      | egress    | IPv4      | 22/tcp        | any             |
| c3d1f6ea-b7c4-47ea-ace3-f9b3b1bf8d25 | default        | egress    | IPv4      | any           | any             |
| dc09a10a-37db-4a33-9abc-00798221254e | secgroup1      | egress    | IPv4      | any           | any             |
| df4d7930-6ce0-43c8-996f-ced126c7cba0 | default        | ingress   | IPv4      | any           | default (group) |
| e0d84fea-e47c-48f6-a29b-d41231674256 | default        | ingress   | IPv6      | any           | default (group) |
+--------------------------------------+----------------+-----------+-----------+---------------+-----------------+

$ nova show node1

+--------------------------------------+-----------------------------------------------------------------+
| Property                             | Value                                                           |
+--------------------------------------+-----------------------------------------------------------------+
| OS-DCF:diskConfig                    | MANUAL                                                          |
| OS-EXT-AZ:availability_zone          | nova                                                            |
| OS-EXT-SRV-ATTR:host                 | ubuntu                                                          |
| OS-EXT-SRV-ATTR:hostname             | node1                                                           |
| OS-EXT-SRV-ATTR:hypervisor_hostname  | ubuntu                                                          |
| OS-EXT-SRV-ATTR:instance_name        | instance-00000002                                               |
| OS-EXT-SRV-ATTR:kernel_id            |                                                                 |
| OS-EXT-SRV-ATTR:launch_index         | 0                                                               |
| OS-EXT-SRV-ATTR:ramdisk_id           |                                                                 |
| OS-EXT-SRV-ATTR:reservation_id       | r-nokf6xx0                                                      |
| OS-EXT-SRV-ATTR:root_device_name     | /dev/vda                                                        |
| OS-EXT-SRV-ATTR:user_data            | -                                                               |
| OS-EXT-STS:power_state               | 1                                                               |
| OS-EXT-STS:task_state                | -                                                               |
| OS-EXT-STS:vm_state                  | active                                                          |
| OS-SRV-USG:launched_at               | 2015-11-09T21:59:13.000000                                      |
| OS-SRV-USG:terminated_at             | -                                                               |
| accessIPv4                           |                                                                 |
| accessIPv6                           |                                                                 |
| config_drive                         | True                                                            |
| created                              | 2015-11-09T21:59:03Z                                            |
| flavor                               | m1.tiny (1)                                                     |
| hostId                               | 3cd3087bf1edbd27ef36a03a5b862b810aa8653fed924c9efd6dca8b        |
| id                                   | c936d684-5a20-4842-b47d-f6c336eb4e96                            |
| image                                | cirros-0.3.3-x86_64-disk (cc56d0b4-d143-4859-971d-5ef6ba9e2820) |
| key_name                             | -                                                               |
| metadata                             | {}                                                              |
| name                                 | node1                                                           |
| os-extended-volumes:volumes_attached | []                                                              |
| private network                      | 10.0.0.4, fd69:7a94:27b7:0:f816:3eff:fe39:59ac, 172.24.4.5      |
| progress                             | 0                                                               |
| security_groups                      | default, secgroup1                                              |
| status                               | ACTIVE                                                          |
| tenant_id                            | 5a93452f68c04785aff04fb4572f7472                                |
| updated                              | 2015-11-09T21:59:13Z                                            |
| user_id                              | 124d5155bc9742d2a3f7e018ada5bd07                                |
+--------------------------------------+-----------------------------------------------------------------+

$ sudo ip route add 172.24.4.0/24 dev br-ex

$ route -n

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.0.2.2        0.0.0.0         UG    0      0        0 eth0
10.0.2.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
172.24.4.0      0.0.0.0         255.255.255.0   U     0      0        0 br-ex
192.168.122.0   0.0.0.0         255.255.255.0   U     0      0        0 virbr0

$ ip netns

snat-46715086-3f9c-4fb1-91b4-b41da24baa2f
qrouter-46715086-3f9c-4fb1-91b4-b41da24baa2f
qdhcp-ebe713c9-5064-48ec-9094-e44e150d36ad

$ sudo ip netns exec qrouter-46715086-3f9c-4fb1-91b4-b41da24baa2f ssh cirros@10.0.0.4

cirros@10.0.0.4's password: 
$ exit
Connection to 10.0.0.4 closed

$ sudo ip netns exec qrouter-46715086-3f9c-4fb1-91b4-b41da24baa2f ssh cirros@172.24.4.5

The authenticity of host '172.24.4.5 (172.24.4.5)' can't be established.
RSA key fingerprint is 4a:96:f0:ea:1f:d0:4e:bb:0f:3f:74:f8:b4:3c:7e ...
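An added example, not part of the original post: it evaluates the ingress rules from the `neutron security-group-rule-list` output above for the two groups attached to node1, using security-group allow-list semantics (default deny, union of all matching rules). The rows are copied from the post with duplicates dropped; the function names and the port-range form are assumptions of this example.

```python
# Added example: rows copied from the post's `neutron security-group-rule-list`
# output (duplicates dropped): (group, direction, ethertype, proto/port, remote)
RULES = [
    ("default",   "egress",  "IPv4", "any",    "any"),
    ("default",   "egress",  "IPv6", "any",    "any"),
    ("default",   "ingress", "IPv4", "any",    "default (group)"),
    ("default",   "ingress", "IPv6", "any",    "default (group)"),
    ("secgroup1", "ingress", "IPv4", "22/tcp", "any"),
    ("secgroup1", "egress",  "IPv4", "22/tcp", "any"),
    ("secgroup1", "egress",  "IPv4", "any",    "any"),
    ("secgroup1", "egress",  "IPv6", "any",    "any"),
]
NODE1_GROUPS = {"default", "secgroup1"}  # from `nova show node1`


def spec_matches(spec, proto, port):
    """Match a 'protocol/port' cell: 'any', '22/tcp', or (assumed) '1-100/tcp'."""
    if spec == "any":
        return True
    ports, rule_proto = spec.split("/")
    if rule_proto != proto or port is None:
        return False
    low, _, high = ports.partition("-")
    return int(low) <= port <= int(high or low)


def admitting_rules(groups, ethertype, proto, port=None, source_group=None):
    """Return the ingress rules that admit a packet; an empty list means drop.

    Security groups are allow-lists: a packet passes if any rule in any
    group attached to the port matches it. source_group is the group the
    sender belongs to, or None for a host outside the tenant network.
    """
    hits = []
    for group, direction, etype, spec, remote in RULES:
        if group not in groups or direction != "ingress" or etype != ethertype:
            continue
        if not spec_matches(spec, proto, port):
            continue
        if remote == "any" or remote == f"{source_group} (group)":
            hits.append((group, spec, remote))
    return hits


if __name__ == "__main__":
    print("tcp/22 external:", admitting_rules(NODE1_GROUPS, "IPv4", "tcp", 22))
    print("icmp external:  ", admitting_rules(NODE1_GROUPS, "IPv4", "icmp"))
    print("icmp from group:", admitting_rules(NODE1_GROUPS, "IPv4", "icmp", source_group="default"))
```

This checks only what the listed rules state; whether the host's firewall driver enforces them, and whether traffic reaches the port at all, are separate checks.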