
instances do not receive incoming traffic (no internet)

Hello there,

I've been setting up OpenStack on a two-node cluster for days now and have encountered several problems. My current issue is that my launched instances have no internet connection. This is my setup:

2 Nodes

  1. Controller Node (one NIC, static ip: 192.168.0.100, keystone, swift, glance, ...)
  2. Compute Node (one NIC, static ip: 192.168.0.101, nova-compute, nova-network)

I am using nova-network (not neutron). I am able to launch an instance which gets an IP via DHCP. I can connect to the instance via SSH and I am able to ping the compute node from the instance, but I am not able to reach any server on the internet.

This is the nova.conf file on the compute node:

[DEFAULT]
dhcpbridge_flagfile=/etc/nova/nova.conf
dhcpbridge=/usr/bin/nova-dhcpbridge
logdir=/var/log/nova
state_path=/var/lib/nova
lock_path=/var/lock/nova
force_dhcp_release=True
iscsi_helper=tgtadm
libvirt_use_virtio_for_bridges=True
connection_type=libvirt
root_helper=sudo nova-rootwrap /etc/nova/rootwrap.conf
verbose=True
ec2_private_dns_show_ip=True
api_paste_config=/etc/nova/api-paste.ini
volumes_path=/var/lib/nova/volumes
enabled_apis=ec2,osapi_compute,metadata

auth_strategy = keystone

rpc_backend = rabbit
rabbit_host = controller
rabbit_password = ***

my_ip = 192.168.0.101
vnc_enabled = True
vncserver_listen = 0.0.0.0
vncserver_proxyclient_address = 192.168.0.101
novncproxy_base_url = http://controller:6080/vnc_auto.html

glance_host = controller

network_api_class = nova.network.api.API
security_group_api = nova
firewall_driver = nova.virt.libvirt.firewall.IptablesFirewallDriver
network_manager = nova.network.manager.FlatDHCPManager
network_size = 254
allow_same_net_traffic = False
multi_host = True
send_arp_for_ha = True
share_dhcp_address = True
force_dhcp_release = True
flat_network_bridge = br100
flat_interface = eth0
public_interface = eth0

[database]
connection=mysql://nova:***@controller/nova

[keystone_authtoken]
auth_uri = http://controller:5000/v2.0
auth_host = controller
auth_port = 35357
auth_protocol = http
admin_tenant_name = service
admin_user = nova
admin_password = ***

ifconfig on Compute Node:

br100     Link encap:Ethernet  HWaddr 00:50:8d:b0:ee:23  
          inet addr:203.0.113.1  Bcast:203.0.113.255  Mask:255.255.255.0
          inet6 addr: fe80::8ba:ecff:fe5b:3cbe/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:19528 errors:0 dropped:0 overruns:0 frame:0
          TX packets:41778 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:2316658 (2.3 MB)  TX bytes:9146269 (9.1 MB)

eth0      Link encap:Ethernet  HWaddr 00:50:8d:b0:ee:23  
          inet6 addr: fe80::250:8dff:feb0:ee23/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:21239 errors:0 dropped:44 overruns:0 frame:0
          TX packets:44098 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:2870997 (2.8 MB)  TX bytes:9702860 (9.7 MB)
          Interrupt:18 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:6 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:528 (528.0 B)  TX bytes:528 (528.0 B)

virbr0    Link encap:Ethernet  HWaddr 42:b8:6e:3a:51:49  
          inet addr:192.168.122.1  Bcast:192.168.122.255  Mask:255.255.255.0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

vnet0     Link encap:Ethernet  HWaddr fe:16:3e:a7:b6:44  
          inet6 addr: fe80::fc16:3eff:fea7:b644/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1914 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2507 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500 
          RX bytes:240470 (240.4 KB)  TX bytes:219284 (219.2 KB)

iptables on Compute Node:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
nova-compute-INPUT  all  --  anywhere             anywhere            
nova-network-INPUT  all  --  anywhere             anywhere            
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps
nova-api-metadat-INPUT  all  --  anywhere             anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
nova-filter-top  all  --  anywhere             anywhere            
nova-compute-FORWARD  all  --  anywhere             anywhere            
nova-network-FORWARD  all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             192.168.122.0/24     ctstate RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere            
ACCEPT     all  --  anywhere             anywhere            
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
nova-api-metadat-FORWARD  all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
nova-filter-top  all  --  anywhere             anywhere            
nova-compute-OUTPUT  all  --  anywhere             anywhere            
nova-network-OUTPUT  all  --  anywhere             anywhere            
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc
nova-api-metadat-OUTPUT  all  --  anywhere             anywhere            

Chain nova-api-metadat-FORWARD (1 references)
target     prot opt source               destination         

Chain nova-api-metadat-INPUT (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             192.168.0.101        tcp dpt:8775

Chain nova-api-metadat-OUTPUT (1 references)
target     prot opt source               destination         

Chain nova-api-metadat-local (1 references)
target     prot opt source               destination         

Chain nova-compute-FORWARD (1 references)
target     prot opt source               destination         
ACCEPT     udp  --  0.0.0.0              255.255.255.255      udp spt:bootpc dpt:bootps

Chain nova-compute-INPUT (1 references)
target     prot opt source               destination         
ACCEPT     udp  --  0.0.0.0              255.255.255.255      udp spt:bootpc dpt:bootps

Chain nova-compute-OUTPUT (1 references)
target     prot opt source               destination         

Chain nova-compute-inst-9 (1 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere             state INVALID
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
nova-compute-provider  all  --  anywhere             anywhere            
ACCEPT     udp  --  203.0.113.1          anywhere             udp spt:bootps dpt:bootpc
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
nova-compute-sg-fallback  all  --  anywhere             anywhere            

Chain nova-compute-local (1 references)
target     prot opt source               destination         
nova-compute-inst-9  all  --  anywhere             203.0.113.2         

Chain nova-compute-provider (1 references)
target     prot opt source               destination         

Chain nova-compute-sg-fallback (1 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            

Chain nova-filter-top (2 references)
target     prot opt source               destination         
nova-compute-local  all  --  anywhere             anywhere            
nova-network-local  all  --  anywhere             anywhere            
nova-api-metadat-local  all  --  anywhere             anywhere            

Chain nova-network-FORWARD (1 references)
target     prot opt source               destination         
DROP       udp  --  anywhere             255.255.255.255      PHYSDEV match --physdev-in eth0 udp dpt:bootps
DROP       udp  --  anywhere             255.255.255.255      PHYSDEV match --physdev-out eth0 udp dpt:bootps
DROP       all  --  anywhere             203.0.113.1          PHYSDEV match --physdev-in eth0
DROP       all  --  203.0.113.1          anywhere             PHYSDEV match --physdev-out eth0
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            

Chain nova-network-INPUT (1 references)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain

Chain nova-network-OUTPUT (1 references)
target     prot opt source               destination         

Chain nova-network-local (1 references)
target     prot opt source               destination

Doing a traceroute to google.com:

traceroute to 173.194.44.68 (173.194.44.68), 30 hops max, 46 byte packets
 1  203.0.113.1 (203.0.113.1)  0.084 ms  0.093 ms  0.046 ms
 2  *  *  *
 3  *  *  *
and so on

When I'm doing a ping to some website from the instance, I do see packets arriving from the bridge (by checking iptables -vnL every second) which are getting forwarded, but it seems that the received packets do not get forwarded back to the instances.

I would appreciate any help (and please do not close this question, because I've been searching for help for days now), thanks!
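A dump like the one above is easier to reason about once it is parsed rather than read line by line. The following script is an added example (not code from the question or from the OpenStack project): it parses `iptables -L` filter-table output in the format posted, reports rules that are shadowed by an earlier unconditional ACCEPT/DROP/REJECT in the same chain, lists jump targets that are not defined in the dump, and walks the unconditional jumps to find the verdict a packet gets when it matches none of the conditional rules. The embedded sample is a constructed, trimmed subset of the posted FORWARD path (rule text is verbatim; the nova-compute-inst-9 chain was left out on purpose so the undefined-jump check has something to report).

```python
import re

# Targets that end processing of a packet outright.
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

# Constructed sample: a trimmed subset of the `iptables -L` filter-table
# output posted in the question (FORWARD path only); rule text is verbatim.
SAMPLE = """\
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
nova-filter-top  all  --  anywhere             anywhere
nova-network-FORWARD  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             192.168.122.0/24     ctstate RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
nova-api-metadat-FORWARD  all  --  anywhere             anywhere

Chain nova-api-metadat-FORWARD (1 references)
target     prot opt source               destination

Chain nova-filter-top (2 references)
target     prot opt source               destination
nova-compute-local  all  --  anywhere             anywhere

Chain nova-compute-local (1 references)
target     prot opt source               destination
nova-compute-inst-9  all  --  anywhere             203.0.113.2

Chain nova-network-FORWARD (1 references)
target     prot opt source               destination
DROP       all  --  anywhere             203.0.113.1          PHYSDEV match --physdev-in eth0
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
"""

CHAIN_HDR = re.compile(r"^Chain (\S+) \((?:policy (\w+)|\d+ references)\)$")


def parse_iptables(text):
    """Parse `iptables -L` output into {chain: {"policy": str|None, "rules": [...]}}."""
    chains, current = {}, None
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        m = CHAIN_HDR.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
            continue
        if current is None or line.startswith("target "):
            continue  # column header line
        parts = line.split(None, 5)
        target, prot, _opt, src, dst = parts[:5]
        extra = parts[5] if len(parts) > 5 else ""
        if extra.startswith("reject-with"):
            extra = ""  # target option, not a match condition
        chains[current]["rules"].append({
            "target": target, "prot": prot, "src": src, "dst": dst, "match": extra,
            # matches every packet: no protocol, address or extension restriction
            "unconditional": prot == "all" and src == dst == "anywhere" and not extra,
        })
    return chains


def find_shadowed(chains):
    """Rules that can never match because an earlier rule in the same chain is
    an unconditional ACCEPT/DROP/REJECT. Returns (chain, index, target) tuples."""
    dead = []
    for name, chain in chains.items():
        rules = chain["rules"]
        for i, rule in enumerate(rules):
            if rule["unconditional"] and rule["target"] in TERMINAL:
                dead += [(name, j, rules[j]["target"]) for j in range(i + 1, len(rules))]
                break
    return dead


def find_undefined_jumps(chains):
    """Jump targets that are neither a verdict nor a chain present in the dump."""
    return sorted({r["target"] for c in chains.values() for r in c["rules"]
                   if r["target"] not in TERMINAL | {"RETURN"} and r["target"] not in chains})


def fallthrough_verdict(chains, name, depth=0):
    """Verdict for a packet that matches none of the conditional rules, following
    unconditional jumps. Returns (verdict, chain), or (None, None) if the chain
    returns to its caller without a verdict."""
    if depth > 64:
        raise RecursionError("chain loop at " + name)
    for rule in chains[name]["rules"]:
        if not rule["unconditional"]:
            continue
        target = rule["target"]
        if target in TERMINAL:
            return target, name
        if target == "RETURN":
            return None, None
        if target in chains:
            verdict, where = fallthrough_verdict(chains, target, depth + 1)
            if verdict:
                return verdict, where
    policy = chains[name]["policy"]
    return (policy, name) if policy else (None, None)


if __name__ == "__main__":
    table = parse_iptables(SAMPLE)
    for chain, idx, target in find_shadowed(table):
        print(f"{chain}: rule {idx} ({target}) is shadowed")
    print("undefined jumps:", find_undefined_jumps(table))
    print("FORWARD fallthrough:", fallthrough_verdict(table, "FORWARD"))
```

Run against the posted dump (pipe `iptables -L` into `parse_iptables`), the walk shows that a packet entering FORWARD is accepted by the catch-all ACCEPT in nova-network-FORWARD before the two libvirt REJECT rules are ever reached, so the filter table shown is not what drops the return traffic. What the question does not include is the nat table (`iptables -t nat -L`), where nova-network keeps the source NAT for instance traffic, and the `net.ipv4.ip_forward` sysctl value; both belong in the same diagnosis.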