[mitaka][octavia] octavia-worker cannot reach amphora [closed]

asked 2016-06-30 10:29:15 -0500

jsheeren

Hi all,

We are in the process of configuring the octavia lbaasv2 service. On our mitaka environment we are using neutron dvr with openvswitch. We have multiple controllers (3 to be exact). But at the moment octavia is only active on one controller.
We're following https://github.com/openstack/octavia/blob/stable/mitaka/devstack/plugin.sh as a guide.

After creating a load balancer, the amphora instance is booted. It receives IPs in the lb-net and the private network according to nova.

The octavia-worker log shows:

DEBUG octavia.amphorae.drivers.haproxy.rest_api_driver [-] request url plug/vip/192.168.1.137 request /octavia/octavia/amphorae/drivers/haproxy/rest_api_driver.py:218
DEBUG octavia.amphorae.drivers.haproxy.rest_api_driver [-] request url https://192.168.246.22:9443/0.5/plug/vip/192.168.1.137 request /octavia/octavia/amphorae/drivers/haproxy/rest_api_driver.py:221
WARNING octavia.amphorae.drivers.haproxy.rest_api_driver [-] Could not connect to instance. Retrying.
WARNING octavia.amphorae.drivers.haproxy.rest_api_driver [-] Could not connect to instance. Retrying.
etc...

On the controller we have added the neutron health manager port, configured in openvswitch, all according to https://github.com/openstack/octavia/blob/stable/mitaka/devstack/plugin.sh#L123

# ovs-vsctl list interface o-hm0
admin_state         : up
...
external_ids        : {attached-mac="fa:16:3e:7d:46:69", iface-id="ea137d2a-3465-4545-bee5-886934318e6c", iface-status=active}
...

Neutron port info shows binding failed?

# neutron port-show ea137d2a-3465-4545-bee5-886934318e6c
...
| binding:vif_type      | binding_failed                                                                        |
...
| fixed_ips             | {"subnet_id": "80c93dca-b413-4afc-af99-186024984a27", "ip_address": "192.168.246.12"} |
... 
| security_groups       | 0c4f23c2-309e-4e35-a546-d0d46ef72ef2                                                  |

Our security group rules:

# nova secgroup-list-rules 0c4f23c2-309e-4e35-a546-d0d46ef72ef2
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| tcp         | 9443      | 9443    | 0.0.0.0/0 |              |
| icmp        | -1        | -1      | 0.0.0.0/0 |              |
| tcp         | 22        | 22      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+

From the controller I can ping the amphora that gets created and ssh into it:

# ping 192.168.246.22
PING 192.168.246.22 (192.168.246.22) 56(84) bytes of data.
64 bytes from 192.168.246.22: icmp_seq=1 ttl=64 time=1.39 ms

# ssh -i /etc/octavia/.ssh/lb-key ubuntu@192.168.246.22
Welcome to Ubuntu 14.04.4 LTS (GNU/Linux 3.13.0-88-generic x86_64)
...
Last login: Thu Jun 30 15:05:28 2016 from 192.168.246.12
ubuntu@amphora-81792203-1b6a-40c4-a7ac-5d1271ca8f62:~$

But I cannot contact it on port 9443...

dmesg shows us that the traffic is blocked:

[276697.925035] BLOCKED OUTPUT : IN= OUT=o-hm0 SRC=192.168.246.12 DST=192.168.246.22 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=31079 DF PROTO=TCP SPT=36008 DPT=9443 WINDOW=29200 RES=0x00 SYN URGP=0 
[276699.929036] BLOCKED OUTPUT : IN= OUT=o-hm0 SRC=192.168.246.12 DST=192.168.246.22 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=31080 DF PROTO=TCP SPT=36008 DPT=9443 WINDOW=29200 RES=0x00 SYN URGP=0

Yet the secgroup is applied in iptables:

# iptables -S | grep neutron-openvswi-iea137d2a-3
-N neutron-openvswi-iea137d2a-3
-A neutron-openvswi-iea137d2a-3 -m state --state RELATED,ESTABLISHED -m comment --comment "Direct packets associated with ...

Closed for the following reason: "question is not relevant or outdated", by jsheeren
close date 2016-06-30 13:52:49.319229
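
The dmesg lines in the question are netfilter LOG output and can be summarised mechanically. The following is an added example, not part of the original post: it parses such lines, derives the direction from the IN=/OUT= fields, and collapses repeated packets on one flow into a single entry. The function names are illustrative, and the sample input is the two lines from the question with a few fields trimmed.

```python
import re
from collections import Counter

# The two dmesg lines quoted in the question (TOS/PREC/RES fields trimmed).
DMESG = (
    "[276697.925035] BLOCKED OUTPUT : IN= OUT=o-hm0 SRC=192.168.246.12 "
    "DST=192.168.246.22 LEN=60 TTL=64 ID=31079 DF PROTO=TCP SPT=36008 "
    "DPT=9443 WINDOW=29200 SYN URGP=0\n"
    "[276699.929036] BLOCKED OUTPUT : IN= OUT=o-hm0 SRC=192.168.246.12 "
    "DST=192.168.246.22 LEN=60 TTL=64 ID=31080 DF PROTO=TCP SPT=36008 "
    "DPT=9443 WINDOW=29200 SYN URGP=0\n"
)

# "[uptime] <log prefix>IN=<iface> <KEY=VALUE and bare flag tokens>"
LINE_RE = re.compile(
    r"^\[\s*(?P<ts>[\d.]+)\]\s*(?P<prefix>.*?)IN=(?P<inif>\S*)\s+(?P<rest>.*)$")

def parse(line):
    """Parse one netfilter LOG line into a dict, or return None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    toks = m["rest"].split()
    f = dict(t.split("=", 1) for t in toks if "=" in t)
    f.update(ts=float(m["ts"]), prefix=m["prefix"].strip(" :"), IN=m["inif"],
             flags=[t for t in toks if "=" not in t])
    # Empty IN= with OUT= set means the packet was generated on this host.
    if not f["IN"] and f.get("OUT"):
        f["direction"] = "local-out"
    elif f["IN"] and not f.get("OUT"):
        f["direction"] = "local-in"
    else:
        f["direction"] = "forwarded"
    return f

def summarize(text):
    """Count logged packets per flow; repeats on one flow are retransmissions."""
    flows = Counter()
    for f in filter(None, map(parse, text.splitlines())):
        flows[(f["prefix"], f["direction"], f.get("OUT") or f["IN"], f["PROTO"],
               f["SRC"], f.get("SPT"), f["DST"], f.get("DPT"))] += 1
    return flows

if __name__ == "__main__":
    for flow, hits in summarize(DMESG).items():
        print(hits, "packet(s):", *flow)
```

On the two lines from the question this reports one locally generated TCP flow leaving via o-hm0 towards port 9443, logged twice with the same source port, which is a retransmitted SYN.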