0

Can't access instance IP from any IP outside cloud IPs

asked 2016-11-13 02:29:21 -0500

hossam

Hello all,

I have a multi-node setup with packstack. Instances work with IPs OK: I can access any IP in any VLAN in my network from any instance (tested with ssh), and I can access an instance IP from another instance IP. The problem is that I can't access an instance IP from any IP that is not an instance. Example: compute node: 10.13.43.50, CentOS instance: 10.13.43.73

From 10.13.43.73 I can ping or ssh to 10.13.43.50 without problems. From 10.13.43.50 I can't access any instance IP with any protocol.

I installed OpenStack allinone, then I used the answer file to add more compute nodes. Firewall and SELinux are disabled on all.

  [root@server1 ~(keystone_admin)]# neutron net-list
  +--------------------------------------+------------------+----------------------------------------------------+
  | id                                   | name             | subnets                                            |
  +--------------------------------------+------------------+----------------------------------------------------+
  | c3daeb74-4337-412f-a0f2-8ae71645d16f | external_network | 2a968b98-4fce-4669-96b1-d4b73480bc53 10.13.43.0/24 |
  +--------------------------------------+------------------+----------------------------------------------------+
  [root@server1 ~(keystone_admin)]# neutron subnet-list
  +--------------------------------------+---------------+---------------+-------------------------------------------------+
  | id                                   | name          | cidr          | allocation_pools                                |
  +--------------------------------------+---------------+---------------+-------------------------------------------------+
  | 2a968b98-4fce-4669-96b1-d4b73480bc53 | public_subnet | 10.13.43.0/24 | {"start": "10.13.43.65", "end": "10.13.43.239"} |
  +--------------------------------------+---------------+---------------+-------------------------------------------------+
  [root@server1 ~(keystone_admin)]# neutron port-list
  +--------------------------------------+------+-------------------+------------------------------------------------------------------------------------+
  | id                                   | name | mac_address       | fixed_ips                                                                          |
  +--------------------------------------+------+-------------------+------------------------------------------------------------------------------------+
  | 39f5d246-90c1-4eb2-965c-da55a1f4728a |      | fa:16:3e:a5:39:04 | {"subnet_id": "2a968b98-4fce-4669-96b1-d4b73480bc53", "ip_address": "10.13.43.73"} |
  | cae2a36b-9d17-4e4c-9d96-ff9cc01cf845 |      | fa:16:3e:dd:73:7f | {"subnet_id": "2a968b98-4fce-4669-96b1-d4b73480bc53", "ip_address": "10.13.43.74"} |
  | de6f9c7b-4823-4de1-9bd1-9d33a7c63a59 |      | fa:16:3e:35:b5:22 | {"subnet_id": "2a968b98-4fce-4669-96b1-d4b73480bc53", "ip_address": "10.13.43.70"} |
  +--------------------------------------+------+-------------------+------------------------------------------------------------------------------------+
  [root@server1 ~(keystone_admin)]# neutron router-list
  +--------------------------------------+---------+---------------------------------------------------------------+-------------+-------+
  | id                                   | name    | external_gateway_info                                         | distributed | ha    |
  +--------------------------------------+---------+---------------------------------------------------------------+-------------+-------+
  | 3790c404-78dd-4414-9126-18c64c626ebc | router1 | {"network_id": "c3daeb74-4337-412f-a0f2-8ae71645d16f",        | False       | False |
  |                                      |         | "enable_snat": true, "external_fixed_ips": [{"subnet_id":     |             |       |
  |                                      |         | "2a968b98-4fce-4669-96b1-d4b73480bc53", "ip_address":         |             |       |
  |                                      |         | "10.13.43.70"}]}                                              |             |       |
  +--------------------------------------+---------+---------------------------------------------------------------+-------------+-------+
  [root@server1 ~(keystone_admin)]# neutron floatingip-list

  [root@server1 ~(keystone_admin)]# ovs-vsctl show
  8b0bf079-d523-464e-b7c6-1a7ae4c46ebd
      Manager "ptcp:6640:127.0.0.1"
          is_connected: true
      Bridge br-tun
          Controller "tcp:127.0.0.1:6633"
              is_connected: true
          fail_mode: secure
          Port br-tun
              Interface br-tun
                  type: internal
          Port "vxlan-0a0d2b35"
              Interface "vxlan-0a0d2b35"
                  type: vxlan
                  options: {df_default="true", in_key=flow, local_ip="10.13.43.50", out_key=flow, remote_ip="10.13.43.53"}
          Port patch-int
              Interface patch-int
                  type: patch
                  options: {peer=patch-tun}
          Port "vxlan-0a0d2b33"
              Interface "vxlan-0a0d2b33"
                  type: vxlan
                  options: {df_default="true", in_key=flow, local_ip="10.13.43.50", out_key=flow, remote_ip="10.13.43.51"}
          Port "vxlan-0a0d2b34"
              Interface "vxlan-0a0d2b34"
                  type: vxlan
                  options: {df_default="true", in_key=flow, local_ip="10.13.43.50", out_key=flow, remote_ip="10.13.43.52"}
          Port "vxlan-0a0d2b36"
              Interface "vxlan-0a0d2b36"
                  type: vxlan
                  options: {df_default="true", in_key=flow, local_ip="10.13.43.50", out_key=flow, remote_ip="10.13.43.54"}
      Bridge br-ex
          Controller "tcp:127.0.0.1:6633"
              is_connected: true
          fail_mode: secure
          Port "eth0"
              Interface "eth0"
          Port br-ex
              Interface br-ex
                  type: internal
          Port phy-br-ex
              Interface phy-br-ex
                  type: patch
                  options: {peer=int-br-ex}
      Bridge br-int
          Controller "tcp:127.0.0.1:6633"
              is_connected: true
          fail_mode: secure
          Port int-br-ex
              Interface int-br-ex
                  type: patch
                  options: {peer=phy-br-ex}
          Port br-int
              Interface br-int
                  type: internal
          Port "qvo39f5d246-90"
              tag: 1
              Interface "qvo39f5d246-90"
          Port patch-tun
              Interface patch-tun
                  type: patch
                  options: {peer=patch-int}
      ovs_version: "2.5.0"

Comments

What about security groups? Not sure if they are effective for instances directly connected to the external network, but normally an instance should block any ingress traffic from anywhere outside the security group.

Bernd Bausch (2016-11-13 06:16:36 -0500)
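
Added example (not part of the original thread, and not Neutron's own code): a simplified model of the rules Neutron places in a new `default` security group, showing that they would produce the symptoms in the question if security groups apply to these ports. The group membership and the `FIXED_GROUP` rules are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    direction: str                          # "ingress" or "egress"
    protocol: Optional[str] = None          # None matches any protocol
    port: Optional[int] = None              # None matches any port
    remote_ip_prefix: Optional[str] = None  # None means 0.0.0.0/0
    remote_group: Optional[str] = None      # matches sources that are members of this group

# IPv4 rules of a freshly created "default" group: all egress is allowed,
# ingress is allowed only from other members of the same group.
DEFAULT_GROUP = [Rule("egress"), Rule("ingress", remote_group="default")]

# Assumption: these two addresses from the question's port-list are instance ports.
GROUP_MEMBERS = {"default": {"10.13.43.73", "10.13.43.74"}}

def ingress_allowed(rules, src_ip, protocol, port=None):
    """True if a new inbound connection from src_ip matches an ingress rule."""
    for r in rules:
        if r.direction != "ingress":
            continue
        if r.protocol is not None and r.protocol != protocol:
            continue
        if r.port is not None and r.port != port:
            continue
        if r.remote_group is not None:
            if src_ip in GROUP_MEMBERS.get(r.remote_group, set()):
                return True
            continue
        prefix = r.remote_ip_prefix or "0.0.0.0/0"
        if ipaddress.ip_address(src_ip) in ipaddress.ip_network(prefix):
            return True
    return False  # nothing matched: security groups are default-deny

def egress_allowed(rules, protocol):
    """True if the instance may open outbound connections (replies are tracked statefully)."""
    return any(r.direction == "egress" and r.protocol in (None, protocol) for r in rules)

# Narrow fix: SSH and ICMP from the compute node only, rather than from 0.0.0.0/0.
FIXED_GROUP = DEFAULT_GROUP + [
    Rule("ingress", protocol="tcp", port=22, remote_ip_prefix="10.13.43.50/32"),
    Rule("ingress", protocol="icmp", remote_ip_prefix="10.13.43.50/32"),
]

if __name__ == "__main__":
    for name, rules in (("default", DEFAULT_GROUP), ("fixed", FIXED_GROUP)):
        print(name, "ssh from 10.13.43.50:", ingress_allowed(rules, "10.13.43.50", "tcp", 22))
```

With the legacy client used in the thread, the tcp/22 rule corresponds to `neutron security-group-rule-create --direction ingress --protocol tcp --port-range-min 22 --port-range-max 22 --remote-ip-prefix 10.13.43.50/32 default`.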

Please upload a picture of http://controller/dashboard/project/network_topology/ in "Normal" mode somewhere. Packstack works with "Network isolation" pretty smoothly (vs. TripleO).

dbaxps (2016-11-13 10:48:32 -0500)

Also update your question with neutron router-port-list your-router-name

dbaxps (2016-11-13 11:03:02 -0500)

3 answers

1

answered 2016-11-14 02:34:43 -0500

dbaxps

updated 2016-11-14 06:54:35 -0500

See http://dbaxps.blogspot.com/2015/10/rd...
regarding the classical OpenStack design done via packstack.

0

answered 2016-11-13 23:03:55 -0500

Amar

So are all your nodes running as physical servers or virtual servers (VMware, OVM, etc.)?

Regards, Amar

0

answered 2016-11-13 17:47:55 -0500

hossam

Hello, thanks a lot for your help.

@Bernd Bausch: I didn't check the security groups, but I will work on it now and update you with the status.

Also, I fixed the network access on the first compute node, which is also the network node and controller (allinone), by following this link: http://docs.openstack.org/juno/install-guide/install/apt/content/neutron-compute-node.html https://s21.postimg.org/rh1chtclj/openstack2.png, but still no luck with the other compute nodes.

@dbaxps network_topology https://s21.postimg.org/vpitpxz3b/open.png

[root@server1 ~(keystone_admin)]# neutron port-list 
+--------------------------------------+------+-------------------+------------------------------------------------------------------------------------+
| id                                   | name | mac_address       | fixed_ips                                                                          |
+--------------------------------------+------+-------------------+------------------------------------------------------------------------------------+
| 39f5d246-90c1-4eb2-965c-da55a1f4728a |      | fa:16:3e:a5:39:04 | {"subnet_id": "2a968b98-4fce-4669-96b1-d4b73480bc53", "ip_address": "10.13.43.73"} |
| cae2a36b-9d17-4e4c-9d96-ff9cc01cf845 |      | fa:16:3e:dd:73:7f | {"subnet_id": "2a968b98-4fce-4669-96b1-d4b73480bc53", "ip_address": "10.13.43.74"} |
| de6f9c7b-4823-4de1-9bd1-9d33a7c63a59 |      | fa:16:3e:35:b5:22 | {"subnet_id": "2a968b98-4fce-4669-96b1-d4b73480bc53", "ip_address": "10.13.43.70"} |
+--------------------------------------+------+-------------------+------------------------------------------------------------------------------------+
[root@server1 ~(keystone_admin)]# neutron router-list 
+--------------------------------------+---------+------------------------------------------------------------------------+-------------+-------+
| id                                   | name    | external_gateway_info                                                  | distributed | ha    |
+--------------------------------------+---------+------------------------------------------------------------------------+-------------+-------+
| 3790c404-78dd-4414-9126-18c64c626ebc | router1 | {"network_id": "c3daeb74-4337-412f-a0f2-8ae71645d16f", "enable_snat":  | False       | False |
|                                      |         | true, "external_fixed_ips": [{"subnet_id":                             |             |       |
|                                      |         | "2a968b98-4fce-4669-96b1-d4b73480bc53", "ip_address": "10.13.43.70"}]} |             |       |
+--------------------------------------+---------+------------------------------------------------------------------------+-------------+-------+
[root@server1 ~(keystone_admin)]# neutron router-port-list router1 
+--------------------------------------+------+-------------------+------------------------------------------------------------------------------------+
| id                                   | name | mac_address       | fixed_ips                                                                          |
+--------------------------------------+------+-------------------+------------------------------------------------------------------------------------+
| de6f9c7b-4823-4de1-9bd1-9d33a7c63a59 |      | fa:16:3e:35:b5:22 | {"subnet_id": "2a968b98-4fce-4669-96b1-d4b73480bc53", "ip_address": "10.13.43.70"} |
+--------------------------------------+------+-------------------+------------------------------------------------------------------------------------+