Ask Your Question

james-denton's profile - activity

2019-03-18 18:23:04 -0500 received badge  Good Answer (source)
2018-11-21 20:19:56 -0500 received badge  Guru (source)
2018-11-21 20:19:56 -0500 received badge  Great Answer (source)
2018-01-22 05:27:43 -0500 received badge  Nice Answer (source)
2017-08-14 06:34:56 -0500 received badge  Nice Answer (source)
2017-05-23 11:01:00 -0500 received badge  Nice Answer (source)
2016-10-10 04:51:27 -0500 received badge  Enlightened (source)
2016-10-10 04:51:27 -0500 received badge  Good Answer (source)
2016-08-29 04:02:44 -0500 received badge  Nice Answer (source)
2016-08-15 08:12:45 -0500 answered a question Public endpoints

"public" users leveraging OpenStack clients such as python-novaclient, python-neutronclient, python-cinderclient, etc., will need access to the 'publicURL' endpoint of the respective service, as well as public access to the Keystone service on port 5000. So the publicURL endpoint should be on a public network in that case. InternalURL and AdminURL for each service can remain on internal IP space in most, if not all, cases. Keystone is the only service I can think of offhand that leverages the AdminURL for certain commands, but those are really administrative commands and not necessarily ones you'd want accessible publicly.

2016-08-12 16:05:16 -0500 answered a question router_gateway does not transition to the ACTIVE state from BUILD state

There is a reason that port is stuck in BUILD. Have you verified the respective 'tap' interface is in the integration bridge? You may want to check logs for mention of the port UUID (or subset of the UUID) to see if there were any errors during provisioning.

2016-08-12 15:53:34 -0500 answered a question Will DVR ever support linuxbridge


I can't speak for the development team, but I think there are numerous technical challenges to overcome when it comes to using traditional Linux bridges and distributed virtual routers. I have a feeling this feature will remain an OVS-only feature. Numerous vendors also implement similar functionality in their solutions (ie. PLUMGrid). With LinuxBridge, HA routers w/ VRRP is likely the best we can expect for the foreseeable future. And that's not a bad thing.

2016-07-14 16:31:06 -0500 received badge  Nice Answer (source)
2016-07-13 14:41:12 -0500 answered a question Should neutron leak nameservers to public net?

If using Neutron, you can define nameservers on a per-subnet basis. DHCP will push those nameservers to the instances. If a nameserver is not defined, I believe the default behavior is to use the IP address of the DHCP server/agent that provided the lease.

2016-07-13 14:38:40 -0500 answered a question OpenStack Mitaka difference openvswitch_agent and ml2_agent

Each file is responsible for their respective plugins or agents. Over the last few years there have been a lot of changes in where configuration options were defined, but the preferred method is that openvswitch-agent-related options go in openvswitch_agent.ini, and general ML2 config options go in ml2_conf.ini. There may seem to be some overlap between them, but it is all necessary.

2016-07-11 15:05:26 -0500 answered a question Unable to reach private network router

Did you attach the router to the private network?

neutron router-interface-add <routerid> <subnetid>

You can attach the router to the public network using:

neutron router-gateway-set <routerid> <networkid>

Give that a shot and then try again. If you did complete those steps we will need to look elsewhere.

2016-07-10 15:21:38 -0500 received badge  Supporter (source)
2016-07-10 11:39:32 -0500 answered a question How to configure an ESXi server as Compute node

I have not tried this, but the docs for Mitaka can be found here:

There's a nice blog about this scenario at

2016-07-10 11:33:28 -0500 answered a question instance not able to reach internet with associated ip

That's an interesting issue. By default, the Neutron router grabs an IP from the external provider network will source NAT all traffic from VMs without a floating IP as that address. Couple of questions:

  • Is your external provider network a non-RFC1918 network, meaning the addresses are publicly routable?
  • Or is it an RFC1918 network? If so, do the other addresses in the network have some kind of external NAT that is responsible for translating them to an Internet-routable address?
  • Can you reach the instance via floating IP from within your network?
  • Can the instance reach resources within your network, even though it can't reach the Internet?
2016-07-10 11:19:36 -0500 answered a question deleted the identity service

If you've accidentally deleted the identity endpoint(s) in Keystone, it's not a big deal. You'll need to manually specify the admin token and auth URL via environment variables, re-create the services, then delete your environment vars.

Find your admin token in the /etc/keystone/keystone.conf file:

admin_token = ADMIN_TOKEN

The page here outlines the procedure for initially creating the service endpoints. You can follow the same steps to recreate them, replacing the hostname controller with the name or IP of your hostname, fqdn, or IP:

2016-07-08 09:19:02 -0500 received badge  Enthusiast
2016-07-07 08:35:00 -0500 commented answer DVR possible with Linux Bridge agent and not OpenvSwitch on Mitaka?

Here's a guide that will help you in your journey:

2016-07-07 08:32:57 -0500 answered a question Openstack Security Group - default Rules

There is no way that I know of, other than modifying the Neutron code, to modify the rules that make up the default security group for each tenant when the tenant is created.

2016-07-07 08:11:36 -0500 answered a question How to use neutronclient python SDK or exist any docs?
2016-07-06 13:12:26 -0500 answered a question Control network access between tenant networks in same neutron L3 router?

If networks are attached to a router using the 'router-interface-add' command, static routes are not necessary. Traffic between instances in those different networks via their fixed IPs is allowed by default provided the appropriate security group rules are in place. It may be necessary to perform packet captures on the computes/network nodes to see if/where packets are being dropped and if there are any other issues.

2016-07-05 23:15:42 -0500 answered a question Unable to ping a floating ip of a instance, port status of the floating ip is N/A

Floating IP ports are really just reservations - I wouldn't worry too much about the status of the port itself.

I would start by looking at your security group rules and ensure that the floating IPs are allowed as source addresses for the respective rules. If you go with the standard rule set, only the 'remote group' may be set as an allowed source, which means only the fixed IPs are accounted for and not the respective floating IPs. Try adding an ICMP rule allowing for now and see if that works.

2016-07-05 23:07:10 -0500 answered a question Floating IPs
  1. Can you confirm you're actually using Nova networking, or Neutron? If using Neutron, you'll be utilizing a completely different workflow compared to floating IPs with Nova network.

  2. When you sudo, you are executing commands in an environment different from the one you originally sourced the credentials in and none of the environment variables are set.

2016-07-05 23:04:01 -0500 answered a question Release RAM/CPU resources on shutdown

The nova shelve command will free up the physical resources that have been allocated by shutting down and snapshotting the instance, but doesn't appear to allow tenants to workaround quota limitations.

2016-07-05 22:50:04 -0500 answered a question How to find internal / private IP from within an instance?

In OpenStack, the metadata service can be reached from the instance at

From within the instance, try the following:

$ curl

The fixed IP of the instance should be returned. There are some other attributes as well:

$ curl

Hope that helps.

2016-07-05 22:43:36 -0500 answered a question how to know whether the orphan ip address which neutron.delete_floatingip can be allocated again in another project?

If you list floating IPs, either through the API or neutron floatingip-list, and the IP does not show up as being allocated or unallocated, then it should be available for another tenant upon a floatingip-create action.

If floating IPs are orphaned after deleting a project, they will still be associated with the newly-deleted tenant-id and can be deleted by the admin via neutron floatingip-delete.

Hope that helps.

2016-07-05 22:35:54 -0500 answered a question Get floating ip for instance

There's nothing I know of in the API that does it gracefully, but I'd love to know otherwise. Floating IPs are associated with ports, which are in turn associated with instances. You can try determining the ID of the port(s) associated with an instance ID using the following:

neutron port-list --device_id=<instanceid>

Then you can filter floating IPs by the port ID(s):

neutron floatingip-list --port-id=<portid>

You can also filter floating IPs by the fixed IP address, if you know that:

neutron floatingip-list --fixed-ip-address=<fixedip>

However, you may get duplicate responses if you have multiple instances with the same fixed IP address in different networks.

2016-07-05 22:16:35 -0500 answered a question For the love of Pete, why does br-ex have a drop flow?!!

Nice work. With OVS, bridge_mappings must contain mappings of network labels (i.e. physnet1) to actual bridge names. In your case, br-ex. With that information, any time you have a provider network whose provider:physical_network attribute is 'physnet1', the OVS agent will create the appropriate flows on the br-int and br-ex bridges. The nice thing about the mapping is the bridge itself can change if needed. The Neutron networks only refer to the label, so if you change the mapping and restart Neutron services/agents, the flows should land on the respective bridge.

2016-07-05 22:10:58 -0500 answered a question How to provision a windows VM with D and E drives automatically?

You should be able to provision a VM with multiple volumes attached, provided you are also running the Cinder service in your environment. I believe cloudbase-init can assist with the partitioning of those drives on first boot.

There is an older thread that mentions this as well:

2016-07-05 22:07:24 -0500 answered a question sql connection failed. 10 attempts left

I would check the following:

  • MySQL is running on port 3306
  • You are able to connect to MySQL using the mysql client
  • The connection URL is properly configured:

The example in the install guide assumes you have a /etc/hosts file entry for 'controller' to the IP of the host, preferably the management IP and not

connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone

  • Check the password. Replace the KEYSTONE_DBPASS in the connection string with the SQL keystone user password set while following the guide
2016-07-05 21:55:57 -0500 answered a question Just say no to SNAT

I realize I'm late to the party, but I'm curious to know why you're considering DVR if one of your requirements is a public IP on the VM/instance and no SNAT/DNAT. Even though you can disable SNAT and route the 'tenant' network to the external IP of the Neutron router, it only really works when the address is consistently the same. With DVR, every compute node will have a FIP namespace attached to a particular provider network, each with its own unique address from the subnet. It would be difficult to create an upstream route for the tenant (public, in your case) network, given that you wouldn't know which router/fip namespace would be the next hop. This isn't so much an issue for legacy or HA routers, since a single router acts as the gateway for the network.

If possible, I would simplify your environment and forgo Neutron routers altogether, especially if you're talking a few networks, no NAT, and can rely on hardware failover (e.g. VRRP/HSRP).

2016-07-05 15:46:34 -0500 answered a question why provider networking require on both compute and controller node as per official docs

If you leverage overlay networking (GRE/VXLAN) and Neutron routers in legacy or HA mode, then provider networks are only necessary on the controller/network nodes, or wherever the L3 agent is running.

If you use DVR (distributed virtual routers) or attach VMs directly to VLANs rather than VXLAN/GRE networks, then you'll need to make sure all nodes (controller/network and compute) have those provider interfaces available.

2016-07-05 07:59:03 -0500 received badge  Nice Answer (source)
2016-07-04 07:46:56 -0500 answered a question what's the next step after installation and some operations.

I highly suggest performing an installation using the docs at or a simple deployment tool such as RDO. There are a few books that can walk you through this process, including 'Learning OpenStack', 'OpenStack Essentials', 'OpenStack Networking Essentials', and others. The books have useful information and are a good starting point for someone new to OpenStack. Once you have a good foundation, there are other advanced books, blogs, etc. that can really break down the individual components.

2016-07-03 15:33:47 -0500 answered a question Is it possible to run a multi node architecture in a single server for dev testing purpose ?

You may also want to try deploying OpenStack on a single host with OpenStack-Ansible using affinity. It will enable you to configure most of the services in a highly-available fashion using containers and haproxy. You can also run VMs on the same node or other nodes if you'd like. OSA uses LinuxBridge and not OVS for the time being.

More info can be found at:

2016-07-03 15:15:54 -0500 answered a question DVR possible with Linux Bridge agent and not OpenvSwitch on Mitaka?

At this time, DVR only works with OpenvSwitch and is not compatible with LinuxBridge. With LinuxBridge you are limited to legacy (standalone) routers or HA routers using VRRP.

2016-07-03 15:12:15 -0500 answered a question Cirros VM cannot boot with fixed IP


Did you follow the OVS guide or the LinuxBridge guide?

Looks like you may have some Layer 2 issue. With OVS, your provider label 'public' should map to a bridge, and that bridge should in turn be connected to an interface (ie. eth1) that connects to the physical infrastructure. With LinuxBridge, the label should map to a physical interface that will be automatically connected to a bridge that Neutron creates on each host.

You may want to confirm that plumbing is in place and correct across all hosts, as it may be preventing the DHCP namespace on your network nodes from communicating with the instances on your compute nodes.

EDIT: It looks like you disabled DHCP on the subnet during the creation of the subnet. As a result, your instance will not be able to communicate without you logging in an manually through the console and configuring the fixed IP on the interface. Enabling DHCP allows Neutron to handle that for you, provided the instance's interface is configured to use DHCP.

2016-07-03 15:05:06 -0500 answered a question float ips not visible

Try navigating to:

  • Compute -> Access and Security -> Floating IPs

You will have to create a floating IP first, then you can allocate it to a port/instance. The button in Mitaka says 'Allocate IP to Project'.

2016-07-03 15:00:23 -0500 answered a question working with external dhcp and enable metadata server

An instance can reach metadata via:

An instance will reach via:

  • default route (pointing to Neutron router)
  • static route (pointing to Neutron DHCP namespace)

As long as your org's DHCP server is sending a default route pointing to the Neutron router, I would think you'd be good. Otherwise, you may be limited to using config-drive instead, since it doesn't rely on DHCP.

You can also add DHCP options to Neutron ports that you attach to instances if you'd rather Neutron handled the entire stack rather than using org's DHCP server.

2016-07-03 14:51:26 -0500 answered a question Getting resource could not be found error while setting up external public network

Hard to say, but your Neutron configuration may not be complete. Are you able to execute 'neutron net-list' without an issue? How about 'neutron ext-list'? The external network extension should be listed there. If neither of those commands work, you may want to troubleshoot Neutron by looking at the service log.

2016-07-03 14:47:07 -0500 answered a question What is the physnet?

Per host you can have:

  • 1x integration bridge where VMs connect
  • 1x tunnel bridge used for overlay (vxlan /gre) traffic
  • 1x or more provider bridges that connect to physical interfaces used for tagged (vlan) and untagged (flat) traffic

bridge_mappings defines the mapping of a label (or name) to an actual bridge. The label name is arbitrary, but must be mapped to an actual bridge on the host. The bridge should contain a physical server interface that likely connects to a physical switch, such as eth1. The OVS agent will connect the provider bridge to the integration bridge. When you create a provider or external network using the net-create command, you can specify the provider label to ensure traffic on that network utilizes the mapped bridge and respective interface.

You can have more than one provider bridge, each with its own physical interface or bonded interface. This is useful when you have, say, a 1G network and a 10G network:

bridge_mappings = slownet:br-eth1,fastnet:br-eth4

The br-eth1 bridge would contain eth1, a 1G interface. The br-eth4 bridge would contain eth4, a 10G interface. The labels must be consistent across all hosts, but the bridges they map to can be unique to that host. As a result, I would make the labels fairly generic and not identify some interface name that may not be consistent across hosts. Same goes for the bridge, too, if it may not always contain eth1 or eth4.

2016-07-03 14:20:26 -0500 answered a question How to specify physical network when create project netwokr?

Without the admin role, you will be unable to specify provider attributes when creating a network. Provider attributes include physical network, network type, and segmentation id. Other admin-only attributes include shared and router:external.

You will need to modify Neutron's policy.json file in order to allow non-admin users to modify provider attributes. Personally, I like to create custom roles and allow that role the ability to make changes previously limited to the admin role.

2016-03-31 17:15:06 -0500 received badge  Good Answer (source)
2015-06-16 15:58:16 -0500 received badge  Nice Answer (source)
2015-06-15 22:46:52 -0500 commented answer how to add extra static route in neutron (Havana)

Yes, you can. All entries should be separated by spaces. Example:

Neutron router-update <router> type=list dict=true destination=1.1.1,0/24,nexthop= destination=,nexthop=

Multiple routes can be added that way. The API currently overwrites all routes upon update.