
Network config when testing on nested environment

asked 2016-02-29 06:58:47 -0500

tekka

updated 2016-02-29 12:56:31 -0500

rbowen

I'm composing a test environment for OpenStack Icehouse on CentOS 7. It will be nested in the sense that the 2 OpenStack nodes I'm going to set up are virtual machines.

In detail:

hypervisor is my laptop with Fedora 23, 16 GB of RAM, SSD disk and the standard Qemu/KVM environment included in the distro; the laptop is also where I will run the web browser to access the Horizon dashboard

openstack_co1 vm where I initially run and test packstack on CentOS 7.2 with copy host cpu configuration and set up controller+compute

openstack_co2 vm where I will run additional compute node with copy host cpu configuration

the 2 vms will have two networks

1) 192.168.122.x/24 that is configured as NAT in Qemu/KVM of my laptop and should be the public lan for Openstack env

2) 192.168.124.x/24 that is configured as "isolated, internal and host routing only" in Qemu/KVM and should be the private lan for openstack env

So my laptop has the and ip addresses set up and chronyd configured to be queried by the openstack nodes

I was able to run packstack after some debugging:

  • configuring repo with baseurl=

  • preinstalling packages so that packstack needs only to setup and not download

  • modifying file /usr/lib/python2.7/site-packages/packstack/puppet/templates/openstack_client.pp

and changing python-iso8601 with python2-iso8601 as provided now

  • modifying file /etc/mongod.conf

changing bind_ip =

with my node ip bind_ip =

because during puppet phase it is this file that is read and not mongodb.conf and it listens only on localhost causing time out and failure

found reference here: (

  • modifying /usr/share/openstack-dashboard/openstack_dashboard/api/

line 818

if fips.is_supported


if True

otherwise you get error connecting to neutron in instances page. Found reference here: (

  • downgrading python-websockify from python-websockify-0.6.0-2.el7 to python-websockify-0.5.1-1.el7.noarch.rpm

otherwise unable to use novnc console.

Found reference here: (

  • running packstack

All seems ok then.

I have now some doubts related to my nested vm environment and network and iptables configuration.

Is the network config I plan to use OK, and is it OK during the tests to assign as floating IPs the ones on the 192.168.122.x network (the Qemu/KVM NATted one)?

Is it expected ootb that from my laptop ( I will be able to reach (if related security groups configurations are in place) via ssh the openstack instances on these floating ips or should I create a particular firewalld rule on my laptop?

Thanks in advance, Gianluca


2 answers


answered 2016-03-31 02:24:05 -0500

tekka

Thanks for your answer. Indeed I noticed that on my laptop I had the default 192.168.122.x network pre-configured by plain libvirt with name "default" and I wanted to expose that network as external network. But also the L1 hypervisor, being a CentOS 7 system, was pre-configured by libvirt with that same default network and that caused problems. So on L1 hosts, that are the openstack_co1 and openstack_co2 vms, I run:

# virsh net-destroy default
# virsh net-undefine default

so that at the end, from a libvirt point of view:

[root@openstack_co1 ~]# virsh net-list --all
 Name                 State      Autostart     Persistent
[root@openstack_co1 ~]# 

And all went well with OpenStack, so that after assigning a floating IP on the 192.168.122.x network to my instance (L2 vm) I was able to connect from my laptop to it via ssh with the configured ssh key (tested both with cirros and with CentOS 7 cloud images). No need to create any particular additional firewall rule on the laptop or anywhere.

After all, anyway I reconfigured using a totally different network, to avoid confusion in case I forget to consider again the pre-default libvirt created 192.168.122.x network upon installation of qemu/libvirt packages. Cheers, Gianluca


answered 2016-03-29 06:53:35 -0500

ihar-hrachyshka

As long as you make sure no other service (like dhcp server) manages the IP pool that you expose to neutron as the external network, it should be fine to use the range.

As for firewalld rules, I leave this part of the question to those who know more about the service.

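A pre-flight check covering both answers above, as an added example that is not part of the original posts: it parses libvirt network XML and reports a libvirt network defined on an OpenStack node for the floating IP subnet (first answer) or a dnsmasq DHCP range that hands out addresses from the floating IP pool (second answer). The sample XML, the pool boundaries and the function name `find_conflicts` are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample of `virsh net-dumpxml default` output (illustrative values).
SAMPLE_DEFAULT_NET = """<network>
  <name>default</name>
  <forward mode='nat'/>
  <bridge name='virbr0' stp='on' delay='0'/>
  <ip address='192.168.122.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.122.2' end='192.168.122.254'/>
    </dhcp>
  </ip>
</network>"""


def find_conflicts(net_xml, pool_start, pool_end, on_openstack_node):
    """List the ways one libvirt network collides with a floating IP pool.

    on_openstack_node=True  -> XML was dumped on an L1 host (an OpenStack VM),
                               where any libvirt network on the subnet is a clash.
    on_openstack_node=False -> XML was dumped on the laptop, where the subnet is
                               expected and only DHCP leases in the pool matter.
    """
    lo, hi = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    root = ET.fromstring(net_xml)
    name = root.findtext("name", default="(unnamed)")
    problems = []
    for ip in root.findall("ip"):
        if ip.get("family", "ipv4") != "ipv4":
            continue  # this check only covers IPv4 pools
        mask = ip.get("netmask") or ip.get("prefix") or "32"
        net = ipaddress.ip_interface(f"{ip.get('address')}/{mask}").network
        if on_openstack_node and net.network_address <= hi and lo <= net.broadcast_address:
            problems.append(f"{name}: subnet {net} is defined on the node itself")
        for rng in ip.findall("dhcp/range"):
            start = ipaddress.ip_address(rng.get("start"))
            end = ipaddress.ip_address(rng.get("end"))
            if start <= hi and lo <= end:  # the two closed ranges intersect
                first, last = max(start, lo), min(end, hi)
                problems.append(f"{name}: dnsmasq may lease {first}-{last} inside the pool")
    return problems


if __name__ == "__main__":
    # Constructed pool: the slice of 192.168.122.0/24 planned for floating IPs.
    for line in find_conflicts(SAMPLE_DEFAULT_NET, "192.168.122.200", "192.168.122.250", True):
        print(line)
```

On a live host the XML comes from `virsh net-dumpxml <name>` for each name shown by `virsh net-list --all`.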


Asked: 2016-02-29 06:58:47 -0500

Seen: 522 times

Last updated: Mar 31 '16