asked 2014-05-27 21:14:46 -0500

don

neutron placing dnsmasq port in wrong bridge

I have created a heat template which creates a single vm with 2 interfaces, a new subnet and router. One interface is on my preexisting public network, and the other is private to the template.

I find that the public network dnsmasq works fine and gets an IP. The new network creates the bridge group etc., but the dnsmasq namespace port is on the wrong ovs bridge.

Can anyone suggest what might be wrong? Do you see the same behaviour w/ the simple heat template? This is running all-in-one flat nova+neutron+ovs.

The port/interface marked below in ** (port tapf2dadea4-f9, interface tapf2dadea4-f9) should be in port qvo588324fa-cd I think.

    $ ovs-vsctl show
    604e6c21-b4c9-44b1-b2d6-c4aff8835c54
        Bridge br-int
            Port "qvo6c2da7d2-76"
                tag: 2
                Interface "qvo6c2da7d2-76"
            Port br-int
                Interface br-int
                    type: internal
            Port int-br-ex
                Interface int-br-ex
            Port "qvo588324fa-cd"
                tag: 1
                Interface "qvo588324fa-cd"
        Bridge br-ex
            Port br-ex
                Interface br-ex
                    type: internal
            Port phy-br-ex
                Interface phy-br-ex
            Port "tap06ba7977-87"
                Interface "tap06ba7977-87"
                    type: internal
            **Port "tapf2dadea4-f9"**
                **Interface "tapf2dadea4-f9"**
                    type: internal
        ovs_version: "2.0.1"

OK, so let me explain...

    sudo ip netns list
    qdhcp-e6b1fb74-c705-437a-ab96-6606b4205b27
    qdhcp-40652eda-638d-497d-b108-8166e8dc3549

are my two namespaces. The 2nd one (qdhcp-40652eda-638d-497d-b108-8166e8dc3549) is my 'public' network:

    $ sudo ip netns exec qdhcp-40652eda-638d-497d-b108-8166e8dc3549 ifconfig
    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:65536  Metric:1
              RX packets:5 errors:0 dropped:0 overruns:0 frame:0
              TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:2880 (2.8 KB)  TX bytes:2880 (2.8 KB)

    tap06ba7977-87 Link encap:Ethernet  HWaddr fa:16:3e:12:b4:ab
              inet addr:172.16.1.11  Bcast:172.16.1.255  Mask:255.255.255.0
              inet6 addr: fe80::f816:3eff:fe12:b4ab/64 Scope:Link
              UP BROADCAST RUNNING  MTU:1500  Metric:1
              RX packets:470 errors:0 dropped:0 overruns:0 frame:0
              TX packets:14 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:22440 (22.4 KB)  TX bytes:2196 (2.1 KB)

whereas the other is the new private network created w/ heat:

    $ sudo ip netns exec qdhcp-e6b1fb74-c705-437a-ab96-6606b4205b27 ifconfig
    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:65536  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

    tapf2dadea4-f9 Link encap:Ethernet  HWaddr fa:16:3e:69:ab:4c
              inet addr:172.16.10.11  Bcast:172.16.10.255  Mask:255.255.255.0
              inet6 addr: fe80::f816:3eff:fe69:ab4c/64 Scope:Link
              UP BROADCAST RUNNING  MTU:1500  Metric:1
              RX packets:41 errors:0 dropped:0 overruns:0 frame:0
              TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:3714 (3.7 KB)  TX bytes:828 (828.0 B)

So what happens is my VM tries DHCP on 'eth1', and the broadcast goes out and is seen on the '588324fa-cd' interfaces OK, but not on the tapf2dadea4-f9 interface inside the namespace (because it is in the wrong bridge group I think).

The heat template is below (sorry cannot attach type YAML). The 'trusty' is a stock Ubuntu cloud image, and you can substitute my 'm1.2G' flavour for anything really.

If I create multiple VMs inside the template, they can ping each other on this 172.16.10/24 network without trouble, it's just that they do not reach the DHCP.

    heat_template_version: 2013-05-23

    description: >
      none

    resources:
      service_net:
        type: OS::Neutron::Net
        properties:
          name: { str_replace: { params: { $stack_name: { get_param: 'OS::stack_name' } }, template: '$stack_name-service' } }

      service_subnet:
        type: OS::Neutron::Subnet
        properties:
          name: { str_replace: { params: { $stack_name: { get_param: 'OS::stack_name' } }, template: '$stack_name-service' } }
          enable_dhcp: True
          network_id: { get_resource: service_net }
          cidr: 172.16.10/24
          allocation_pools:
            - start: 172.16.10.10
              end: 172.16.10.100

      service_router:
        type: OS::Neutron::Router
        properties:
          name: { str_replace: { params: { $stack_name: { get_param: 'OS::stack_name' } }, template: '$stack_name-service' } }

      router_interface:
        type: OS::Neutron::RouterInterface
        properties:
          router_id: { get_resource: service_router }
          subnet_id: { get_resource: service_subnet }

      trusty:
        type: OS::Nova::Server
        properties:
          name: { str_replace: { params: { $stack_name: { get_param: 'OS::stack_name' } }, template: '$stack_name-trusty' } }
          image: "trusty"
          flavor: "m1.2G"
          config_drive: "true"
          networks:
            - network: "public"
            - port: { get_resource: trusty_service_port }
          user_data_format: RAW
          user_data: |
            #!/bin/bash
            ifup eth1

      trusty_service_port:
        type: OS::Neutron::Port
        properties:
          name: { str_replace: { params: { $stack_name: { get_param: 'OS::stack_name' } }, template: '$stack_name-service' } }
          network_id: { get_resource: service_net }
          fixed_ips:
            - subnet_id: { get_resource: service_subnet }
    #- ip_address: 172.16.10.2


    outputs:
      ssh:
        value:
          str_replace:
            template: ssh root@$host
            params:
              $host:
                get_attr:
                - trusty
                - accessIPv4
        description: ssh to the trusty host

The complete set of config and diagnostics is below.

    ifconfig -a
    br-ex     Link encap:Ethernet  HWaddr e2:27:cd:ae:cf:4c  
              inet addr:172.16.1.1  Bcast:172.16.1.255  Mask:255.255.255.0
              inet6 addr: fe80::4846:54ff:fe06:355b/64 Scope:Link
              UP BROADCAST RUNNING  MTU:1500  Metric:1
              RX packets:1998 errors:0 dropped:0 overruns:0 frame:0
              TX packets:2939 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0 
              RX bytes:260673 (260.6 KB)  TX bytes:307111 (307.1 KB)

    br-int    Link encap:Ethernet  HWaddr 16:ce:e6:9f:62:40  
              inet6 addr: fe80::b405:ddff:fedd:f329/64 Scope:Link
              UP BROADCAST RUNNING  MTU:1500  Metric:1
              RX packets:685 errors:0 dropped:0 overruns:0 frame:0
              TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0 
              RX bytes:122122 (122.1 KB)  TX bytes:648 (648.0 B)

    eth0      Link encap:Ethernet  HWaddr 60:eb:69:3e:97:04  
              inet addr:MYIP  Bcast:MYBCAST  Mask:255.255.255.248
              inet6 addr: fe80::62eb:69ff:fe3e:9704/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:347137 errors:0 dropped:0 overruns:0 frame:0
              TX packets:135375 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000 
              RX bytes:29703879 (29.7 MB)  TX bytes:22168900 (22.1 MB)
              Memory:df6e0000-df700000 

    int-br-ex Link encap:Ethernet  HWaddr 8e:0b:0a:68:98:3c  
              inet6 addr: fe80::8c0b:aff:fe68:983c/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:1098 errors:0 dropped:0 overruns:0 frame:0
              TX packets:581 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000 
              RX bytes:86995 (86.9 KB)  TX bytes:100042 (100.0 KB)

    lo        Link encap:Local Loopback  
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:65536  Metric:1
              RX packets:6673289 errors:0 dropped:0 overruns:0 frame:0
              TX packets:6673289 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0 
              RX bytes:4709097210 (4.7 GB)  TX bytes:4709097210 (4.7 GB)

    ovs-system Link encap:Ethernet  HWaddr d2:21:95:4f:7b:87  
              BROADCAST MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0 
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

    phy-br-ex Link encap:Ethernet  HWaddr 3e:3f:4f:c5:f2:db  
              inet6 addr: fe80::3c3f:4fff:fec5:f2db/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:581 errors:0 dropped:0 overruns:0 frame:0
              TX packets:1098 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000 
              RX bytes:100042 (100.0 KB)  TX bytes:86995 (86.9 KB)

    qbr01357ae5-c3 Link encap:Ethernet  HWaddr 00:00:00:00:00:00  
              inet6 addr: fe80::d401:cdff:fea5:781/64 Scope:Link
              UP BROADCAST MULTICAST  MTU:1500  Metric:1
              RX packets:28 errors:0 dropped:0 overruns:0 frame:0
              TX packets:9 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0 
              RX bytes:2396 (2.3 KB)  TX bytes:690 (690.0 B)

    qbr588324fa-cd Link encap:Ethernet  HWaddr 2a:7e:be:4b:8d:f2  
              inet6 addr: fe80::ac07:96ff:fe8f:debd/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:182 errors:0 dropped:0 overruns:0 frame:0
              TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0 
              RX bytes:47956 (47.9 KB)  TX bytes:648 (648.0 B)

    qbr6c2da7d2-76 Link encap:Ethernet  HWaddr f6:b7:73:c8:5c:4a  
              inet6 addr: fe80::a8f3:d6ff:feb1:bc8f/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:226 errors:0 dropped:0 overruns:0 frame:0
              TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0 
              RX bytes:21794 (21.7 KB)  TX bytes:732 (732.0 B)

    qbr7cf2e489-a4 Link encap:Ethernet  HWaddr 00:00:00:00:00:00  
              inet6 addr: fe80::a4d8:efff:fe0e:6bb5/64 Scope:Link
              UP BROADCAST MULTICAST  MTU:1500  Metric:1
              RX packets:60 errors:0 dropped:0 overruns:0 frame:0
              TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0 
              RX bytes:11864 (11.8 KB)  TX bytes:648 (648.0 B)

    qvb588324fa-cd Link encap:Ethernet  HWaddr 2a:7e:be:4b:8d:f2  
              inet6 addr: fe80::287e:beff:fe4b:8df2/64 Scope:Link
              UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
              RX packets:14 errors:0 dropped:0 overruns:0 frame:0
              TX packets:183 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000 
              RX bytes:1148 (1.1 KB)  TX bytes:50574 (50.5 KB)

    qvb6c2da7d2-76 Link encap:Ethernet  HWaddr f6:b7:73:c8:5c:4a  
              inet6 addr: fe80::f4b7:73ff:fec8:5c4a/64 Scope:Link
              UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
              RX packets:657 errors:0 dropped:0 overruns:0 frame:0
              TX packets:394 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000 
              RX bytes:67617 (67.6 KB)  TX bytes:49180 (49.1 KB)

    qvo588324fa-cd Link encap:Ethernet  HWaddr 3a:cc:cb:9a:74:b4  
              inet6 addr: fe80::38cc:cbff:fe9a:74b4/64 Scope:Link
              UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
              RX packets:183 errors:0 dropped:0 overruns:0 frame:0
              TX packets:14 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000 
              RX bytes:50574 (50.5 KB)  TX bytes:1148 (1.1 KB)

    qvo6c2da7d2-76 Link encap:Ethernet  HWaddr 62:e2:22:7e:fa:6f  
              inet6 addr: fe80::60e2:22ff:fe7e:fa6f/64 Scope:Link
              UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
              RX packets:394 errors:0 dropped:0 overruns:0 frame:0
              TX packets:657 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000 
              RX bytes:49180 (49.1 KB)  TX bytes:67617 (67.6 KB)

    tap588324fa-cd Link encap:Ethernet  HWaddr fe:16:3e:b1:50:ef  
              inet6 addr: fe80::fc16:3eff:feb1:50ef/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:169 errors:0 dropped:0 overruns:0 frame:0
              TX packets:15 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:500 
              RX bytes:49446 (49.4 KB)  TX bytes:1198 (1.1 KB)

    tap6c2da7d2-76 Link encap:Ethernet  HWaddr fe:16:3e:19:9b:3e  
              inet6 addr: fe80::fc16:3eff:fe19:9b3e/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:555 errors:0 dropped:0 overruns:0 frame:0
              TX packets:659 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:500 
              RX bytes:68412 (68.4 KB)  TX bytes:67673 (67.6 KB)

    vnet0     Link encap:Ethernet  HWaddr fe:e2:26:bc:25:30  
              inet addr:172.16.0.1  Bcast:172.16.0.255  Mask:255.255.255.0
              inet6 addr: fe80::fce2:26ff:febc:2530/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0 
              RX bytes:0 (0.0 B)  TX bytes:648 (648.0 B)

    sudo ovs-vsctl show
    604e6c21-b4c9-44b1-b2d6-c4aff8835c54
        Bridge br-int
            Port "qvo6c2da7d2-76"
                tag: 2
                Interface "qvo6c2da7d2-76"
            Port br-int
                Interface br-int
                    type: internal
            Port int-br-ex
                Interface int-br-ex
            Port "qvo588324fa-cd"
                tag: 1
                Interface "qvo588324fa-cd"
        Bridge br-ex
            Port br-ex
                Interface br-ex
                    type: internal
            Port phy-br-ex
                Interface phy-br-ex
            Port "tap06ba7977-87"
                Interface "tap06ba7977-87"
                    type: internal
            Port "tapf2dadea4-f9"
                Interface "tapf2dadea4-f9"
                    type: internal
        ovs_version: "2.0.1"
    neutron net-list
    +--------------------------------------+-----------+-----------------------------------------------------+
    | id                                   | name      | subnets                                             |
    +--------------------------------------+-----------+-----------------------------------------------------+
    | 40652eda-638d-497d-b108-8166e8dc3549 | public    | 5b3f5741-8ed0-41cf-b44f-566844b52cf1 172.16.1.0/24  |
    | e6b1fb74-c705-437a-ab96-6606b4205b27 | p-service | 4adde0bb-fa57-4051-b558-1daff9f45f19 172.16.10.0/24 |
    +--------------------------------------+-----------+-----------------------------------------------------+
    neutron subnet-list
    +--------------------------------------+---------------+----------------+---------------------------------------------------+
    | id                                   | name          | cidr           | allocation_pools                                  |
    +--------------------------------------+---------------+----------------+---------------------------------------------------+
    | 4adde0bb-fa57-4051-b558-1daff9f45f19 | p-service     | 172.16.10.0/24 | {"start": "172.16.10.10", "end": "172.16.10.100"} |
    | 5b3f5741-8ed0-41cf-b44f-566844b52cf1 | 172.16.1.0/24 | 172.16.1.0/24  | {"start": "172.16.1.10", "end": "172.16.1.254"}   |
    +--------------------------------------+---------------+----------------+---------------------------------------------------+
    neutron port-list
    +--------------------------------------+-----------+-------------------+-------------------------------------------------------------------------------------+
    | id                                   | name      | mac_address       | fixed_ips                                                                           |
    +--------------------------------------+-----------+-------------------+-------------------------------------------------------------------------------------+
    | 06ba7977-87dc-4021-96d7-d18b3dada228 |           | fa:16:3e:12:b4:ab | {"subnet_id": "5b3f5741-8ed0-41cf-b44f-566844b52cf1", "ip_address": "172.16.1.11"}  |
    | 588324fa-cd6c-4768-b073-39e20b6d7c1a | p-service | fa:16:3e:b1:50:ef | {"subnet_id": "4adde0bb-fa57-4051-b558-1daff9f45f19", "ip_address": "172.16.10.10"} |
    | 6c2da7d2-7654-410e-b572-6f0057e16218 |           | fa:16:3e:19:9b:3e | {"subnet_id": "5b3f5741-8ed0-41cf-b44f-566844b52cf1", "ip_address": "172.16.1.26"}  |
    | f25fcba9-10d8-43b2-aece-832ed041e5af |           | fa:16:3e:7f:cf:01 | {"subnet_id": "4adde0bb-fa57-4051-b558-1daff9f45f19", "ip_address": "172.16.10.1"}  |
    | f2dadea4-f969-464a-a4ea-a2185618cbca |           | fa:16:3e:69:ab:4c | {"subnet_id": "4adde0bb-fa57-4051-b558-1daff9f45f19", "ip_address": "172.16.10.11"} |
    +--------------------------------------+-----------+-------------------+-------------------------------------------------------------------------------------+
    ip netns list
    qdhcp-e6b1fb74-c705-437a-ab96-6606b4205b27
    qdhcp-40652eda-638d-497d-b108-8166e8dc3549
    sudo ip netns exec qdhcp-e6b1fb74-c705-437a-ab96-6606b4205b27 ifconfig -a
    lo        Link encap:Local Loopback  
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:65536  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0 
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

    tapf2dadea4-f9 Link encap:Ethernet  HWaddr fa:16:3e:69:ab:4c  
              inet addr:172.16.10.11  Bcast:172.16.10.255  Mask:255.255.255.0
              inet6 addr: fe80::f816:3eff:fe69:ab4c/64 Scope:Link
              UP BROADCAST RUNNING  MTU:1500  Metric:1
              RX packets:41 errors:0 dropped:0 overruns:0 frame:0
              TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0 
              RX bytes:3714 (3.7 KB)  TX bytes:828 (828.0 B)

    sudo ip netns exec qdhcp-40652eda-638d-497d-b108-8166e8dc3549 ifconfig -a
    lo        Link encap:Local Loopback  
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:65536  Metric:1
              RX packets:5 errors:0 dropped:0 overruns:0 frame:0
              TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0 
              RX bytes:2880 (2.8 KB)  TX bytes:2880 (2.8 KB)

    tap06ba7977-87 Link encap:Ethernet  HWaddr fa:16:3e:12:b4:ab  
              inet addr:172.16.1.11  Bcast:172.16.1.255  Mask:255.255.255.0
              inet6 addr: fe80::f816:3eff:fe12:b4ab/64 Scope:Link
              UP BROADCAST RUNNING  MTU:1500  Metric:1
              RX packets:470 errors:0 dropped:0 overruns:0 frame:0
              TX packets:14 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0 
              RX bytes:22440 (22.4 KB)  TX bytes:2196 (2.1 KB)

    ps -ef |grep [d]nsmasq
    nobody    8163     1  0 19:33 ?        00:00:00 dnsmasq --no-hosts --no-resolv --strict-order --bind-interfaces --interface=tap06ba7977-87 --except-interface=lo --pid-file=/var/lib/neutron/dhcp/40652eda-638d-497d-b108-8166e8dc3549/pid --dhcp-hostsfile=/var/lib/neutron/dhcp/40652eda-638d-497d-b108-8166e8dc3549/host --addn-hosts=/var/lib/neutron/dhcp/40652eda-638d-497d-b108-8166e8dc3549/addn_hosts --dhcp-optsfile=/var/lib/neutron/dhcp/40652eda-638d-497d-b108-8166e8dc3549/opts --leasefile-ro --dhcp-range=set:tag0,172.16.1.0,static,86400s --dhcp-lease-max=256 --conf-file=/etc/neutron/dnsmasq.conf --server=8.8.8.8 --domain=stack
    nobody   26006     1  0 21:19 ?        00:00:00 dnsmasq --no-hosts --no-resolv --strict-order --bind-interfaces --interface=tapf2dadea4-f9 --except-interface=lo --pid-file=/var/lib/neutron/dhcp/e6b1fb74-c705-437a-ab96-6606b4205b27/pid --dhcp-hostsfile=/var/lib/neutron/dhcp/e6b1fb74-c705-437a-ab96-6606b4205b27/host --addn-hosts=/var/lib/neutron/dhcp/e6b1fb74-c705-437a-ab96-6606b4205b27/addn_hosts --dhcp-optsfile=/var/lib/neutron/dhcp/e6b1fb74-c705-437a-ab96-6606b4205b27/opts --leasefile-ro --dhcp-range=set:tag0,172.16.10.0,static,86400s --dhcp-lease-max=256 --conf-file=/etc/neutron/dnsmasq.conf --server=8.8.8.8 --domain=stack
    sudo ufw status
    Status: inactive
    sudo brctl show
    bridge name bridge id       STP enabled interfaces
    qbr01357ae5-c3      8000.000000000000   no      
    qbr588324fa-cd      8000.2a7ebe4b8df2   no      qvb588324fa-cd
                                tap588324fa-cd
    qbr6c2da7d2-76      8000.f6b773c85c4a   no      qvb6c2da7d2-76
                                tap6c2da7d2-76
    qbr7cf2e489-a4      8000.000000000000   no      
    vnet0       8000.000000000000   no      

= /etc/neutron/neutron.conf =

    [DEFAULT]
    nova_admin_auth_url = http://MYHOST:35357/v2.0
    nova_admin_tenant_id = 30efe661299849d5981daa66e93296a0
    nova_admin_password = password
    nova_admin_username = nova
    nova_url = http://MYHOST:8774/v2
    notify_nova_on_port_data_changes = True
    notify_nova_on_port_status_change = True
    auth_strategy = keystone
    allow_overlapping_ips = True
    policy_file = /etc/neutron/policy.json
    debug = False
    verbose = False
    service_plugins = neutron.services.l3_router.l3_router_plugin.L3RouterPlugin
    core_plugin = neutron.plugins.ml2.plugin.Ml2Plugin
    rabbit_password = guest
    rabbit_hosts = localhost
    rabbit_host = localhost
    rpc_backend = neutron.openstack.common.rpc.impl_kombu
    state_path = /var/lib/neutron
    lock_path = $state_path/lock
    log_date_format = %Y-%m-%d %H:%M:%S
    notification_driver = neutron.openstack.common.notifier.rpc_notifier
    [quotas]
    [agent]
    root_helper = sudo /usr/bin/neutron-rootwrap /etc/neutron/rootwrap.conf
    [keystone_authtoken]
    auth_uri = http://MYHOST:5000
    auth_host = MYHOST
    auth_port = 35357
    auth_protocol = http
    admin_tenant_name = service
    admin_user = neutron
    admin_password = password
    signing_dir = /var/cache/neutron
    [database]
    [service_providers]
    service_provider=LOADBALANCER:Haproxy:neutron.services.loadbalancer.drivers.haproxy.plugin_driver.HaproxyOnHostPluginDriver:default
    service_provider=VPN:openswan:neutron.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default

= /etc/neutron/plugins/ml2/ml2_conf.ini =

    [ml2]
    type_drivers = local,flat
    mechanism_drivers = openvswitch
    tenant_network_types = local,flat
    [ml2_type_flat]
    flat_networks = *
    [ml2_type_vlan]
    [ml2_type_gre]
    tunnel_id_ranges = 1:1000
    [ml2_type_vxlan]
    vni_ranges = 1001:2000
    [database]
    connection = mysql://root:password@127.0.0.1/neutron_ml2?charset=utf8
    [securitygroup]
    enable_security_group = True
    firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
    [ovs]
    tenant_network_type = flat
    integration_bridge = br-int
    local_ip = MYIP
    enable_tunneling = False
    network_vlan_ranges = physnet1
    bridge_mappings = physnet1:br-ex
    [linux_bridge]
    physical_interface_mappings = 
    [vlans]
    network_vlan_ranges =
    tenant_network_type = local
    [vxlan]
    enable_vxlan = False
    l2_population = False
    [agent]
    root_helper = sudo /usr/bin/neutron-rootwrap /etc/neutron/rootwrap.conf
    [l2pop]
    agent_boot_time = 180

= /etc/neutron/l3_agent.ini =

    [DEFAULT]
    l3_agent_manager = neutron.agent.l3_agent.L3NATAgentWithStateReport
    external_network_bridge = br-ex
    interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
    ovs_use_veth = False
    root_helper = sudo /usr/bin/neutron-rootwrap /etc/neutron/rootwrap.conf
    use_namespaces = True
    debug = True
    verbose = True
    router_delete_namespaces = True

= /etc/neutron/dhcp_agent.ini =

    [DEFAULT]
    dhcp_agent_manager = neutron.agent.dhcp_agent.DhcpAgentWithStateReport
    interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
    ovs_use_veth = False
    root_helper = sudo /usr/bin/neutron-rootwrap /etc/neutron/rootwrap.conf
    use_namespaces = True
    debug = True
    verbose = True
    ovs_integration_bridge = br-ex
    dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq
    dhcp_domain = stack
    dnsmasq_config_file = /etc/neutron/dnsmasq.conf
    dnsmasq_dns_servers = 8.8.8.8
    dhcp_delete_namespaces = True

= /etc/network/interfaces =

    auto lo
    iface lo inet loopback
    auto eth0
    iface eth0 inet static
        address MYIP
        netmask 255.255.255.248
        gateway MY-UPSTREAM-GW
        #dns-nameservers 208.67.220.220 208.67.222.222
        dns-nameservers 8.8.8.8 8.8.4.4
        pre-up /etc/iptables.rules
        up iptables -t nat -I POSTROUTING 1 -j MASQUERADE -o eth0
        down iptables -t nat -D POSTROUTING 1 -j MASQUERADE -o eth0
    auto br-ex
    iface br-ex inet static
            address 172.16.1.1
            netmask 255.255.255.0
        dns-nameservers 8.8.8.8 8.8.4.4
            #bridge_ports none
            #bridge_maxwait 0
            #bridge_fd 1
            #up iptables -t nat -I POSTROUTING -s 172.16.1.0/24 -j MASQUERADE 
            #down iptables -t nat -D POSTROUTING -s 172.16.1.0/24 -j MASQUERADE
    auto vnet0
    iface vnet0 inet static
            address 172.16.0.1
            netmask 255.255.255.0
        dns-nameservers 8.8.8.8 8.8.4.4
            bridge_ports none
            bridge_maxwait 0
            bridge_fd 1
            up iptables -t nat -I POSTROUTING -s 172.16.0.0/24 -j MASQUERADE 
            down iptables -t nat -D POSTROUTING -s 172.16.0.0/24 -j MASQUERADE
    sudo iptables-save
    # Generated by iptables-save v1.4.21 on Tue May 27 22:11:53 2014
    *mangle
    :PREROUTING ACCEPT [2481020:1870525219]
    :INPUT ACCEPT [2480740:1870486457]
    :FORWARD ACCEPT [280:38762]
    :OUTPUT ACCEPT [2479053:1871766411]
    :POSTROUTING ACCEPT [2479333:1871805173]
    :nova-api-POSTROUTING - [0:0]
    :nova-network-POSTROUTING - [0:0]
    -A POSTROUTING -j nova-network-POSTROUTING
    -A POSTROUTING -j nova-api-POSTROUTING
    COMMIT
    # Completed on Tue May 27 22:11:53 2014
    # Generated by iptables-save v1.4.21 on Tue May 27 22:11:53 2014
    *nat
    :PREROUTING ACCEPT [359:20714]
    :INPUT ACCEPT [287:16448]
    :OUTPUT ACCEPT [24528:1476871]
    :POSTROUTING ACCEPT [24185:1451100]
    :neutron-openvswi-OUTPUT - [0:0]
    :neutron-openvswi-POSTROUTING - [0:0]
    :neutron-openvswi-PREROUTING - [0:0]
    :neutron-openvswi-float-snat - [0:0]
    :neutron-openvswi-snat - [0:0]
    :neutron-postrouting-bottom - [0:0]
    :nova-api-OUTPUT - [0:0]
    :nova-api-POSTROUTING - [0:0]
    :nova-api-PREROUTING - [0:0]
    :nova-api-float-snat - [0:0]
    :nova-api-snat - [0:0]
    :nova-postrouting-bottom - [0:0]
    -A PREROUTING -j neutron-openvswi-PREROUTING
    -A PREROUTING -j nova-api-PREROUTING
    -A OUTPUT -j neutron-openvswi-OUTPUT
    -A OUTPUT -j nova-api-OUTPUT
    -A POSTROUTING -j neutron-openvswi-POSTROUTING
    -A POSTROUTING -j neutron-postrouting-bottom
    -A POSTROUTING -j nova-api-POSTROUTING
    -A POSTROUTING -j nova-postrouting-bottom
    -A POSTROUTING -s 172.16.0.0/24 -j MASQUERADE
    -A POSTROUTING -o eth0 -j MASQUERADE
    -A neutron-openvswi-snat -j neutron-openvswi-float-snat
    -A neutron-postrouting-bottom -j neutron-openvswi-snat
    -A nova-api-snat -j nova-api-float-snat
    -A nova-postrouting-bottom -j nova-api-snat
    COMMIT
    # Completed on Tue May 27 22:11:53 2014
    # Generated by iptables-save v1.4.21 on Tue May 27 22:11:53 2014
    *filter
    :INPUT ACCEPT [2456001:1868146243]
    :FORWARD ACCEPT [280:38762]
    :OUTPUT ACCEPT [2479053:1871766411]
    :neutron-filter-top - [0:0]
    :neutron-openvswi-FORWARD - [0:0]
    :neutron-openvswi-INPUT - [0:0]
    :neutron-openvswi-OUTPUT - [0:0]
    :neutron-openvswi-i588324fa-c - [0:0]
    :neutron-openvswi-i6c2da7d2-7 - [0:0]
    :neutron-openvswi-local - [0:0]
    :neutron-openvswi-o588324fa-c - [0:0]
    :neutron-openvswi-o6c2da7d2-7 - [0:0]
    :neutron-openvswi-s588324fa-c - [0:0]
    :neutron-openvswi-s6c2da7d2-7 - [0:0]
    :neutron-openvswi-sg-chain - [0:0]
    :neutron-openvswi-sg-fallback - [0:0]
    :nova-api-FORWARD - [0:0]
    :nova-api-INPUT - [0:0]
    :nova-api-OUTPUT - [0:0]
    :nova-api-local - [0:0]
    :nova-filter-top - [0:0]
    -A INPUT -j neutron-openvswi-INPUT
    -A INPUT -j nova-api-INPUT
    -A INPUT -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -s MYHOME/32 -j ACCEPT
    -A INPUT -s MYWORK/32 -j ACCEPT
    -A INPUT -i eth0 -p udp -m multiport --dports 60000:60100 -j ACCEPT
    -A INPUT -i eth0 -p icmp -j ACCEPT
    -A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
    -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
    -A INPUT -i eth0 -j DROP
    -A FORWARD -j neutron-filter-top
    -A FORWARD -j neutron-openvswi-FORWARD
    -A FORWARD -j nova-filter-top
    -A FORWARD -j nova-api-FORWARD
    -A OUTPUT -j neutron-filter-top
    -A OUTPUT -j neutron-openvswi-OUTPUT
    -A OUTPUT -j nova-filter-top
    -A OUTPUT -j nova-api-OUTPUT
    -A neutron-filter-top -j neutron-openvswi-local
    -A neutron-openvswi-FORWARD -m physdev --physdev-out tap588324fa-cd --physdev-is-bridged -j neutron-openvswi-sg-chain
    -A neutron-openvswi-FORWARD -m physdev --physdev-in tap588324fa-cd --physdev-is-bridged -j neutron-openvswi-sg-chain
    -A neutron-openvswi-FORWARD -m physdev --physdev-out tap6c2da7d2-76 --physdev-is-bridged -j neutron-openvswi-sg-chain
    -A neutron-openvswi-FORWARD -m physdev --physdev-in tap6c2da7d2-76 --physdev-is-bridged -j neutron-openvswi-sg-chain
    -A neutron-openvswi-INPUT -m physdev --physdev-in tap588324fa-cd --physdev-is-bridged -j neutron-openvswi-o588324fa-c
    -A neutron-openvswi-INPUT -m physdev --physdev-in tap6c2da7d2-76 --physdev-is-bridged -j neutron-openvswi-o6c2da7d2-7
    -A neutron-openvswi-i588324fa-c -m state --state INVALID -j DROP
    -A neutron-openvswi-i588324fa-c -m state --state RELATED,ESTABLISHED -j RETURN
    -A neutron-openvswi-i588324fa-c -p icmp -j RETURN
    -A neutron-openvswi-i588324fa-c -p udp -m udp -m multiport --dports 1:65535 -j RETURN
    -A neutron-openvswi-i588324fa-c -p tcp -m tcp -m multiport --dports 1:65535 -j RETURN
    -A neutron-openvswi-i588324fa-c -j RETURN
    -A neutron-openvswi-i588324fa-c -s 172.16.10.11/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
    -A neutron-openvswi-i588324fa-c -j neutron-openvswi-sg-fallback
    -A neutron-openvswi-i6c2da7d2-7 -m state --state INVALID -j DROP
    -A neutron-openvswi-i6c2da7d2-7 -m state --state RELATED,ESTABLISHED -j RETURN
    -A neutron-openvswi-i6c2da7d2-7 -p icmp -j RETURN
    -A neutron-openvswi-i6c2da7d2-7 -p udp -m udp -m multiport --dports 1:65535 -j RETURN
    -A neutron-openvswi-i6c2da7d2-7 -p tcp -m tcp -m multiport --dports 1:65535 -j RETURN
    -A neutron-openvswi-i6c2da7d2-7 -j RETURN
    -A neutron-openvswi-i6c2da7d2-7 -s 172.16.1.11/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
    -A neutron-openvswi-i6c2da7d2-7 -j neutron-openvswi-sg-fallback
    -A neutron-openvswi-o588324fa-c -p udp -m udp --sport 68 --dport 67 -j RETURN
    -A neutron-openvswi-o588324fa-c -j neutron-openvswi-s588324fa-c
    -A neutron-openvswi-o588324fa-c -p udp -m udp --sport 67 --dport 68 -j DROP
    -A neutron-openvswi-o588324fa-c -m state --state INVALID -j DROP
    -A neutron-openvswi-o588324fa-c -m state --state RELATED,ESTABLISHED -j RETURN
    -A neutron-openvswi-o588324fa-c -j RETURN
    -A neutron-openvswi-o588324fa-c -j RETURN
    -A neutron-openvswi-o588324fa-c -j neutron-openvswi-sg-fallback
    -A neutron-openvswi-o6c2da7d2-7 -p udp -m udp --sport 68 --dport 67 -j RETURN
    -A neutron-openvswi-o6c2da7d2-7 -j neutron-openvswi-s6c2da7d2-7
    -A neutron-openvswi-o6c2da7d2-7 -p udp -m udp --sport 67 --dport 68 -j DROP
    -A neutron-openvswi-o6c2da7d2-7 -m state --state INVALID -j DROP
    -A neutron-openvswi-o6c2da7d2-7 -m state --state RELATED,ESTABLISHED -j RETURN
    -A neutron-openvswi-o6c2da7d2-7 -j RETURN
    -A neutron-openvswi-o6c2da7d2-7 -j RETURN
    -A neutron-openvswi-o6c2da7d2-7 -j neutron-openvswi-sg-fallback
    -A neutron-openvswi-s588324fa-c -s 172.16.10.10/32 -m mac --mac-source FA:16:3E:B1:50:EF -j RETURN
    -A neutron-openvswi-s588324fa-c -j DROP
    -A neutron-openvswi-s6c2da7d2-7 -s 172.16.1.26/32 -m mac --mac-source FA:16:3E:19:9B:3E -j RETURN
    -A neutron-openvswi-s6c2da7d2-7 -j DROP
    -A neutron-openvswi-sg-chain -m physdev --physdev-out tap588324fa-cd --physdev-is-bridged -j neutron-openvswi-i588324fa-c
    -A neutron-openvswi-sg-chain -m physdev --physdev-in tap588324fa-cd --physdev-is-bridged -j neutron-openvswi-o588324fa-c
    -A neutron-openvswi-sg-chain -m physdev --physdev-out tap6c2da7d2-76 --physdev-is-bridged -j neutron-openvswi-i6c2da7d2-7
    -A neutron-openvswi-sg-chain -m physdev --physdev-in tap6c2da7d2-76 --physdev-is-bridged -j neutron-openvswi-o6c2da7d2-7
    -A neutron-openvswi-sg-chain -j ACCEPT
    -A neutron-openvswi-sg-fallback -j DROP
    -A nova-api-INPUT -d 127.0.1.1/32 -p tcp -m tcp --dport 8775 -j ACCEPT
    -A nova-filter-top -j nova-api-local
    COMMIT
    # Completed on Tue May 27 22:11:53 2014
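
The symptom in the post (DHCP `tap` ports listed under `Bridge br-ex` while the VM's `qvo` ports sit under `Bridge br-int`) can be checked mechanically. The following is an added example, not part of the original post or of Neutron: it parses `ovs-vsctl show` and compares the DHCP agent's `ovs_integration_bridge` with the OVS agent's `[ovs] integration_bridge`, using inputs trimmed from the post. The function names, the finding labels, and the rule that every OVS port named `tap*` belongs to the DHCP agent are assumptions of this example.

```python
import configparser
import re

# Constructed sample: the `ovs-vsctl show` output from the post, without the ** markers.
OVS_SHOW = """\
604e6c21-b4c9-44b1-b2d6-c4aff8835c54
    Bridge br-int
        Port "qvo6c2da7d2-76"
            tag: 2
            Interface "qvo6c2da7d2-76"
        Port br-int
            Interface br-int
                type: internal
        Port int-br-ex
            Interface int-br-ex
        Port "qvo588324fa-cd"
            tag: 1
            Interface "qvo588324fa-cd"
    Bridge br-ex
        Port br-ex
            Interface br-ex
                type: internal
        Port phy-br-ex
            Interface phy-br-ex
        Port "tap06ba7977-87"
            Interface "tap06ba7977-87"
                type: internal
        Port "tapf2dadea4-f9"
            Interface "tapf2dadea4-f9"
                type: internal
    ovs_version: "2.0.1"
"""

# Constructed samples: only the relevant keys from the config files in the post.
DHCP_AGENT_INI = """\
[DEFAULT]
interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
ovs_integration_bridge = br-ex
"""

ML2_CONF_INI = """\
[ovs]
integration_bridge = br-int
bridge_mappings = physnet1:br-ex
"""

_BRIDGE = re.compile(r'^\s*Bridge\s+"?([^"\s]+)"?\s*$')
_PORT = re.compile(r'^\s*Port\s+"?([^"\s]+)"?\s*$')
_TAG = re.compile(r'^\s*tag:\s*(\d+)\s*$')


def parse_ovs_show(text):
    """Map each OVS port name to its bridge and VLAN tag (None if untagged)."""
    ports, bridge, port = {}, None, None
    for line in text.splitlines():
        if m := _BRIDGE.match(line):
            bridge, port = m.group(1), None
        elif m := _PORT.match(line):
            port = m.group(1)
            ports[port] = {"bridge": bridge, "tag": None}
        elif (m := _TAG.match(line)) and port:
            ports[port]["tag"] = int(m.group(1))
    return ports


def _option(ini_text, section, option, default):
    # interpolation=None: Neutron configs contain literal '%' and '$' values.
    # strict=False: tolerate repeated keys such as service_provider.
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(ini_text)
    return cfg.get(section, option, fallback=default)


def audit(ovs_show, dhcp_agent_ini, ml2_conf_ini):
    """Return (kind, name, actual, expected) tuples for every inconsistency."""
    # Both options default to br-int when unset.
    agent_bridge = _option(ml2_conf_ini, "ovs", "integration_bridge", "br-int")
    dhcp_bridge = _option(dhcp_agent_ini, "DEFAULT",
                          "ovs_integration_bridge", "br-int")
    findings = []
    if dhcp_bridge != agent_bridge:
        findings.append(("config-mismatch", "ovs_integration_bridge",
                         dhcp_bridge, agent_bridge))
    for name, info in sorted(parse_ovs_show(ovs_show).items()):
        if not name.startswith("tap"):  # assumption: tap* = DHCP agent port
            continue
        if info["bridge"] != agent_bridge:
            findings.append(("port-misplaced", name, info["bridge"], agent_bridge))
        elif info["tag"] is None:
            # On the right bridge, but no local VLAN tag assigned to the port.
            findings.append(("port-untagged", name, None, agent_bridge))
    return findings


if __name__ == "__main__":
    for finding in audit(OVS_SHOW, DHCP_AGENT_INI, ML2_CONF_INI):
        print(finding)
```

On a live host, feed `audit()` the real output of `sudo ovs-vsctl show` and the contents of `/etc/neutron/dhcp_agent.ini` and `/etc/neutron/plugins/ml2/ml2_conf.ini`.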