2707974's profile - activity

2019-02-18 18:59:07 -0600 received badge  Famous Question (source)
2018-05-02 06:29:00 -0600 received badge  Teacher (source)
2017-06-06 03:49:50 -0600 answered a question port forwarding via dashboard

This cannot be done via the Dashboard. The only way to do this is directly on the tenant router.

Example:

  • We have 3 network nodes
  • Tenant routers are in HA

First list tenant routers with command

 neutron router-list

In the output you will see the tenant router

| ff34f529-ebd8-463d-9eef-351302f4751a | XXX_router| {"network_id": "abdf8375-ee13-4c0f-8d8a-21ea5f44d366","enable_snat": true, "external_fixed_ips": [{"subnet_id": "5b653809-4a2d-4fc0-b8fd-345b33f929d9", "ip_address": "123.45.678.90"}]}

Then we must see on which network nodes the router is hosted; because of HA we have a primary and one in standby.

neutron l3-agent-list-hosting-router ff34f529-ebd8-463d-9eef-351302f4751a

The output is

+--------------------------------------+--------------------+----------------+-------+----------+
| id                                   | host               | admin_state_up | alive | ha_state |
+--------------------------------------+--------------------+----------------+-------+----------+
| ecce13b3-f920-4803-8fc0-90caaaa586ac | nn-m1              | True           | :-)   | standby  |
| e70f3759-7e48-42b0-b21b-177abd13be68 | nn-m2              | True           | :-)   | active   |
+--------------------------------------+--------------------+----------------+-------+----------+

We must make the changes on both routers. Go to the first one

nn-m1~$ sudo ip netns exec qrouter-ff34f529-ebd8-463d-9eef-351302f4751a bash

First save the existing iptables rules

root@nn-m1:/home/stack# iptables-save
# Generated by iptables-save v1.4.21 on Mon Mar 27 11:04:43 2017
*raw
:PREROUTING ACCEPT [1260371:52215836]
:OUTPUT ACCEPT [14:560]
:neutron-vpn-agen-OUTPUT - [0:0]
:neutron-vpn-agen-PREROUTING - [0:0]
-A PREROUTING -j neutron-vpn-agen-PREROUTING
-A OUTPUT -j neutron-vpn-agen-OUTPUT
COMMIT
# Completed on Mon Mar 27 11:04:43 2017
# Generated by iptables-save v1.4.21 on Mon Mar 27 11:04:43 2017
*nat
:PREROUTING ACCEPT [7:367]
:INPUT ACCEPT [1:127]
:OUTPUT ACCEPT [1:40]
:POSTROUTING ACCEPT [0:0]
:neutron-postrouting-bottom - [0:0]
:neutron-vpn-agen-OUTPUT - [0:0]
:neutron-vpn-agen-POSTROUTING - [0:0]
:neutron-vpn-agen-PREROUTING - [0:0]
:neutron-vpn-agen-float-snat - [0:0]
:neutron-vpn-agen-snat - [0:0]
-A PREROUTING -j neutron-vpn-agen-PREROUTING
-A OUTPUT -j neutron-vpn-agen-OUTPUT
-A POSTROUTING -j neutron-vpn-agen-POSTROUTING
-A POSTROUTING -j neutron-postrouting-bottom
-A neutron-postrouting-bottom -m comment --comment "Perform source NAT on outgoing traffic." -j neutron-vpn-agen-snat
-A neutron-vpn-agen-POSTROUTING ! -i qg-51adb648-eb ! -o qg-51adb648-eb -m conntrack ! --ctstate DNAT -j ACCEPT
-A neutron-vpn-agen-PREROUTING -d 169.254.169.254/32 -i qr-+ -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697
-A neutron-vpn-agen-snat -j neutron-vpn-agen-float-snat
-A neutron-vpn-agen-snat -o qg-51adb648-eb -j SNAT --to-source 123.45.678.90
-A neutron-vpn-agen-snat -m mark ! --mark 0x2/0xffff -m conntrack --ctstate DNAT -j SNAT --to-source 123.45.678.90
COMMIT
# Completed on Mon Mar 27 11:04:43 2017
# Generated by iptables-save v1.4.21 on Mon Mar 27 11:04:43 2017
*mangle
:PREROUTING ACCEPT [1260369:52215756]
:INPUT ACCEPT [1260289:52212556]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [13:520]
:POSTROUTING ACCEPT [13:520]
:neutron-vpn-agen-FORWARD - [0:0]
:neutron-vpn-agen-INPUT - [0:0]
:neutron-vpn-agen-OUTPUT - [0:0]
:neutron-vpn-agen-POSTROUTING - [0:0]
:neutron-vpn-agen-PREROUTING - [0:0]
:neutron-vpn-agen-mark - [0:0]
-A PREROUTING -j neutron-vpn-agen-PREROUTING
-A INPUT -j neutron-vpn-agen-INPUT
-A FORWARD -j neutron-vpn-agen-FORWARD
-A OUTPUT -j neutron-vpn-agen-OUTPUT
-A POSTROUTING -j neutron-vpn-agen-POSTROUTING
-A neutron-vpn-agen-PREROUTING -j neutron-vpn-agen-mark
-A neutron-vpn-agen-PREROUTING -d 169.254.169.254/32 -i qr-+ -p tcp -m tcp --dport 80 -j MARK --set-xmark 0x1/0xffff
-A neutron-vpn-agen-mark -i qg-51adb648-eb -j MARK --set-xmark 0x2/0xffff
COMMIT
# Completed on Mon Mar 27 11:04:43 2017
# Generated by iptables-save v1.4.21 on Mon Mar 27 11:04:43 2017
*filter
:INPUT ACCEPT [1260289:52212556]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [13:520]
:neutron-filter-top - [0:0]
:neutron-vpn-agen-FORWARD - [0:0]
:neutron-vpn-agen-INPUT - [0:0]
:neutron-vpn-agen-OUTPUT - [0:0]
:neutron-vpn-agen-local - [0:0]
-A INPUT -j neutron-vpn-agen-INPUT
-A FORWARD -j neutron-filter-top
-A FORWARD -j neutron-vpn-agen-FORWARD
-A OUTPUT -j neutron-filter-top
-A ...
(more)
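
An added example (not part of the original answer and not Neutron code): because hand-made rules have to exist on both HA router instances, this Python script compares the nat table from `iptables-save` output taken in the qrouter namespace on each node and reports rules present on only one side. The sample dumps are constructed, and treating every chain or jump target whose name starts with `neutron-` as agent-managed is an assumption based on the chain names in the output above.

```python
import shlex

# Constructed sample dumps (not from the page): nat table as printed by
# iptables-save inside the qrouter namespace on the active and standby node.
ACTIVE = """\
*nat
:PREROUTING ACCEPT [7:367]
-A PREROUTING -j neutron-vpn-agen-PREROUTING
-A PREROUTING -d 203.0.113.10/32 -p tcp -m tcp --dport 2222 -j DNAT --to-destination 172.20.0.99:22
-A neutron-vpn-agen-PREROUTING -d 169.254.169.254/32 -i qr-+ -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697
COMMIT
"""
STANDBY = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -j neutron-vpn-agen-PREROUTING
-A neutron-vpn-agen-PREROUTING -d 169.254.169.254/32 -i qr-+ -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697
COMMIT
"""


def manual_nat_rules(dump):
    """Return nat-table rules that sit outside the agent-managed chains."""
    rules, table = set(), None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]          # "*nat" opens the nat table section
        elif table == "nat" and line.startswith("-A "):
            args = shlex.split(line)  # honours quoted --comment strings
            chain = args[1]
            target = args[args.index("-j") + 1] if "-j" in args else ""
            # Assumption: chains and jump targets named neutron-* belong to
            # the agent; everything else was added by hand.
            if not (chain.startswith("neutron-") or target.startswith("neutron-")):
                rules.add(line)
    return rules


def ha_drift(active_dump, standby_dump):
    """Hand-added nat rules present on only one HA router instance."""
    a, s = manual_nat_rules(active_dump), manual_nat_rules(standby_dump)
    return {"only_active": sorted(a - s), "only_standby": sorted(s - a)}


if __name__ == "__main__":
    for side, rules in ha_drift(ACTIVE, STANDBY).items():
        for rule in rules:
            print(side, rule)
```

In practice the two inputs would be the text of `iptables-save -t nat` captured inside the namespace on each network node.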
2017-06-05 07:56:07 -0600 answered a question nova backup - NoRootDiskDefined: No root disk defined.

Problem solved.

I had to go behind OpenStack, into VMware, and stop the instance, then ssh to the compute node. Then remove the *.lck file from the instance folder. After that, start the instance in VMware.

Now I can use the nova backup command again.

2017-06-03 07:16:58 -0600 answered a question where can i find a cloud image of ubuntu (DESKTOP) ?

The simplest way to create an Ubuntu desktop is

  • Create an instance based on Ubuntu Cloud Images; you can find them here: https://cloud-images.ubuntu.com/
  • To install the Unity desktop use the command
sudo apt-get install ubuntu-desktop gnome-panel gnome-settings-daemon metacity nautilus gnome-terminal

But on a server I doubt that you will be using Libre Office and the other software that comes included with the full desktop. So I suggest installing a lighter version of the Unity desktop using the following command, and then building on it as you go.

sudo apt-get install --no-install-recommends ubuntu-desktop gnome-panel gnome-settings-daemon metacity nautilus gnome-terminal
  • Probably you want to access the server in a way other than ssh. Install a VNC server
sudo apt-get install vnc4server

VNC connections take place on port 5900.

Grab the TeamViewer deb file:

 wget https://download.teamviewer.com/download/teamviewer_i386.deb

Install the downloaded DEB file:

 sudo dpkg -i teamviewer_i386.deb
2017-06-03 06:52:13 -0600 commented question NAT functionality inside tenant

VM A is on linux?

2017-06-03 04:56:12 -0600 asked a question nova backup - NoRootDiskDefined: No root disk defined.

On our OpenStack we do instance backups with the nova backup feature. I have scripts and cron triggers them. Everything worked well, but suddenly I cannot do a backup of one instance. I did not change the script, datastore, ...

Script for backup

#!/bin/bash

source royal.osrc
nova backup fdf9c264-0d1a-40d4-88c2-712f379b0297 royal-sp-backup-`date +%F` daily 3

Now when cron or I manually run the script, I get an error

File "/opt/stack/venv/nova-20170127T151417Z/lib/python2.7/site-packages/nova/virt/vmwareapi/vmops.py", line 933, in _get_vm_and_vmdk_attribs
    raise error_util.NoRootDiskDefined()
NoRootDiskDefined: No root disk defined.

For the hypervisor we use VMware.

I tried restarting VMware tools on the instance and restarting the instance. The only thing I cannot do is rebuild from backup, because of data loss.

All services work, I mean all nova and glance services.

2017-05-08 15:44:06 -0600 received badge  Famous Question (source)
2017-05-08 15:44:06 -0600 received badge  Notable Question (source)
2017-02-28 08:22:58 -0600 received badge  Famous Question (source)
2017-02-28 08:22:58 -0600 received badge  Notable Question (source)
2017-02-23 06:28:01 -0600 received badge  Popular Question (source)
2017-02-23 02:11:18 -0600 received badge  Scholar (source)
2017-02-22 09:05:25 -0600 asked a question ip netns - iptables

We have 3 network nodes. On two of them I have one working tenant router, and on the second network node I have the backup router.

When I ssh to NN1 and access the tenant router with the command

sudo ip netns exec qrouter-ff34f529-ebd8-463d-9eef-351302f4751a bash

I can list NAT rules and see chains. Example:

Chain neutron-vpn-agen-float-snat (1 references)
target     prot opt source               destination
SNAT       all  --  172.20.0.140         anywhere             to:185.56.xxx.xxx
SNAT       all  --  172.20.0.13          anywhere             to:185.56.xxx.xxx
SNAT       all  --  172.20.0.214         anywhere             to:185.56.xxx.xxx
SNAT       all  --  172.20.0.15          anywhere             to:185.56.xxx.xxx
SNAT       all  --  172.20.0.101         anywhere             to:185.56.xxx.xxx
SNAT       all  --  172.20.0.14          anywhere             to:185.56.xxx.xxx

or

 Chain neutron-vpn-agen-OUTPUT (1 references)
 target     prot opt source               destination
 DNAT       all  --  anywhere             185.56.xxx.xxx        to:172.20.0.140
 DNAT       all  --  anywhere             185.56.xxx.xxx        to:172.20.0.13
 DNAT       all  --  anywhere             185.56.xxx.xxx        to:172.20.0.214
 DNAT       all  --  anywhere             185.56.xxx.xxx        to:172.20.0.15
 DNAT       all  --  anywhere             185.56.xxx.xxx        to:172.20.0.101
 DNAT       all  --  anywhere             185.56.xxx.xxx        to:172.20.0.14

I also have identical iptables rules on the backup router.

The question is, where are these rules stored? If the answer is in a database, the next question is in which database and table?

2017-02-17 02:40:58 -0600 received badge  Notable Question (source)
2017-02-17 02:40:28 -0600 received badge  Popular Question (source)
2017-02-10 10:34:11 -0600 received badge  Popular Question (source)
2017-02-10 10:34:11 -0600 received badge  Popular Question (source)
2017-02-10 05:36:33 -0600 answered a question Disable sharing of images

You can change image visibility with the command

 glance image-update <image-id> --visibility private/public

from public to private

glance image-update d18b270c-daf8-4a20-8301-ef0cc5003268 --visibility private
+--------------------+--------------------------------------+
| Property           | Value                                |
+--------------------+--------------------------------------+
| checksum           | 15f4984113141c390d669c92be07b804     |
| container_format   | bare                                 |
| created_at         | 2016-10-12T09:41:36Z                 |
| disk_format        | vmdk                                 |
| hypervisor_type    | vmware                               |
| id                 | d18b270c-daf8-4a20-8301-ef0cc5003268 |
| min_disk           | 0                                    |
| min_ram            | 0                                    |
| name               | OpenSUSE_42.1                        |
| ostype             | Linux                                |
| owner              | 62dc1d159df94bf29c78a8d21fa3f64b     |
| protected          | False                                |
| size               | 1527644160                           |
| status             | active                               |
| tags               | []                                   |
| updated_at         | 2017-02-10T11:27:45Z                 |
| virtual_size       | None                                 |
| visibility         | private                              |
| vmware_adaptertype | lsiLogicsas                          |
| vmware_disktype    | sparse                               |
+--------------------+--------------------------------------+

or from private to public

glance image-update d18b270c-daf8-4a20-8301-ef0cc5003268 --visibility public

+--------------------+--------------------------------------+
| Property           | Value                                |
+--------------------+--------------------------------------+
| checksum           | 15f4984113141c390d669c92be07b804     |
| container_format   | bare                                 |
| created_at         | 2016-10-12T09:41:36Z                 |
| disk_format        | vmdk                                 |
| hypervisor_type    | vmware                               |
| id                 | d18b270c-daf8-4a20-8301-ef0cc5003268 |
| min_disk           | 0                                    |
| min_ram            | 0                                    |
| name               | OpenSUSE_42.1                        |
| ostype             | Linux                                |
| owner              | 62dc1d159df94bf29c78a8d21fa3f64b     |
| protected          | False                                |
| size               | 1527644160                           |
| status             | active                               |
| tags               | []                                   |
| updated_at         | 2017-02-10T11:27:25Z                 |
| virtual_size       | None                                 |
| visibility         | public                               |
| vmware_adaptertype | lsiLogicsas                          |
| vmware_disktype    | sparse                               |
+--------------------+--------------------------------------+

Public images are available to all, i.e. shared.

2017-02-09 00:58:54 -0600 received badge  Enthusiast
2017-02-08 05:04:13 -0600 asked a question port forwarding via dashboard

I wish to enable on the Dashboard, aka Horizon [Openstack 3.0], an option so that I can do port forwarding from the router public ip to a tenant private ip.

Something like

Traffic from internet on port 2222 on public ip on tenant router to forward to private ip on tenant instance on port 22

internet -> 185.56.223.120:2222 -> 172.20.0.99:22

I can do that manually with iptables but, like I say, can this be implemented in Horizon?

2017-02-08 03:04:37 -0600 asked a question network - snat

I wish to have one tenant and two external networks on the router.

On one external network I have nat, but not on the second external network. I need nat enabled on both networks.

The first network, with nat enabled and named External Network, is for internet access. The second network is for a trunk, a direct dedicated connection from the tenant router to a far end resource. In short, I have an l2 tunnel on my hardware equipment and tag packets with vlan id 1804. That traffic must be passed to the tenant router.

I created ProNet and the setup is correct and working.

ProNet uses the 172.18.4.0/24 net.

The interface on the tenant router connected to that network has ip 172.18.4.1

From the tenant router I can access the far end resource on ip 172.18.4.250. But without nat, the instance presents itself with an ip from network 172.20.0.0/24.

The far end resource does not have a route for the 172.20.0.0/24 network but has a route for the 172.18.4.0/24 network.

For me the easiest is to enable nat on the tenant router interface used to access the far end resource, in my case the network named ProNet.

Second working solution is to put route on far end resource

172.20.0.0/24 via 172.18.4.250

I want to avoid far end resource configuration, aka adding a route. Because of that I need nat on the router interface. In that case traffic from an instance on 172.20.0.0/24 will be natted to 172.18.4.1 and I do not need to add a route to the far end resource.

Configuration:

Tenant network: 172.20.0.0/24

External Network: xxx.xxx.223.14 – on port

ProNet: 172.18.4.0/24

Traffic flows:

To internet

172.20.0.140 -> 172.20.0.1 -> nat -> xxx.xxx.223.14 -> internet

To far end

172.20.0.140 -> 172.20.0.1 -> no nat -> 172.18.4.1 -> 172.18.4.250

On this flow I need nat.

2017-01-04 05:03:45 -0600 asked a question Ceilometer - bandwidth - Horizon - how to

Like for other network resources I wish to set quota for network bandwidth per Tenant in Horizon. Is that possible?