<div dir="ltr">Ok I have no NAT rules, so the problem seems to be on the l3-agent. I will check that part. Thanks again for the help. <br></div><div class="gmail_extra"><br><br><div class="gmail_quote">2014-07-09 14:21 GMT+02:00 Rhys Oxenham <span dir="ltr"><<a href="mailto:roxenham@redhat.com" target="_blank">roxenham@redhat.com</a>></span>:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="">On 9 Jul 2014, at 13:14, Madko <<a href="mailto:madko77@gmail.com">madko77@gmail.com</a>> wrote:<br>
<br>
> thanks Assaf for the point. But When I try to connect to 169.254.169.254 on the Cirros VM I only get a no route to host. On the Fedora VM, the CloudInit seems to know the IP address of the metadata agent and try to contact this IP (instead of 169.254.169.254). I can't recall where exactly but I remember I read something about neutron doing some NAT with iptables to forward the http request to the right address. How can I check this NAT rules? I don't see anything like this with iptables.<br>
><br>
<br>
</div>You can check the NAT rules on the L3 agent (if using the default configuration)...<br>
<br>
'ip netns list’ to find the router namespace appropriate for the tenant network that your instance is operating in.<br>
<br>
You may have to use ‘neutron router-list’ to find the correct UUID.<br>
<br>
Then, execute the following to check the NAT rules:<br>
<br>
‘ip netns exec qrouter-XXXX iptables -L -t nat’ (replace XXXX with the router ID you found in the previous command)<br>
<br>
You should expect something in the output like this:<br>
<br>
Chain neutron-l3-agent-PREROUTING (1 references)<br>
target prot opt source destination<br>
REDIRECT tcp -- anywhere 169.254.169.254 tcp dpt:http redir ports 9697<br>
<div class="HOEnZb"><div class="h5"><br>
<br>
><br>
> 2014-07-06 11:08 GMT+02:00 Assaf Muller <<a href="mailto:amuller@redhat.com">amuller@redhat.com</a>>:<br>
><br>
><br>
> ----- Original Message -----<br>
> > Great!!! I can connect to the cirros instance. But no .ssh/authorized_keys.<br>
> > Seems the metadata api is not available. Where is it supposed to be hosted?<br>
> > what service? is it the neutron-metadata-agent?<br>
> ><br>
><br>
> Metadata is hosted by the nova-api server. When using Neutron, the neutron-metadata-<br>
> agent on the network node proxies metadata requests to nova-api. It does a couple<br>
> of queries to Neutron,adds the instance-id to the request and forwards the message<br>
> to nova-api. This is because when using nova-network you cannot have overlapping IPs<br>
> so the nova metadata server can figure out the instance ID from its IP. Neutron<br>
> does support overlapping IPs so that's why the neutron-metadata-agent exists.<br>
><br>
> If curl 169.254.169.254 doesn't work, check for errors in the neutron metadata<br>
> agent logs and in nova-api as well.<br>
><br>
> ><br>
> > 2014-07-04 13:13 GMT+02:00 Madko < <a href="mailto:madko77@gmail.com">madko77@gmail.com</a> > :<br>
> ><br>
> ><br>
> ><br>
> > Thank you Rhys and Vimal, I'll try cyrros image right now.<br>
> ><br>
> ><br>
> > 2014-07-04 11:55 GMT+02:00 Vimal Kumar < <a href="mailto:vimal7370@gmail.com">vimal7370@gmail.com</a> > :<br>
> ><br>
> ><br>
> ><br>
> ><br>
> > Use cirros (13M) image to test if ssh key-pair injection is working or not:<br>
> ><br>
> > <a href="http://download.cirros-cloud.net/0.3.2/cirros-0.3.2-x86_64-disk.img" target="_blank">http://download.cirros-cloud.net/0.3.2/cirros-0.3.2-x86_64-disk.img</a><br>
> ><br>
> > ssh as: cirros@<ip><br>
> ><br>
> > In case if your ssh key isn't working, the password is cubswin:)<br>
> ><br>
> ><br>
> ><br>
> > On Fri, Jul 4, 2014 at 3:20 PM, Madko < <a href="mailto:madko77@gmail.com">madko77@gmail.com</a> > wrote:<br>
> ><br>
> ><br>
> ><br>
> > I've just deployed OpenStack so I don't have any other image. I can try to<br>
> > make one. Is cloudInit easy to install on Fedora ? I have some CentOS images<br>
> > too, but no cloudInit.<br>
> ><br>
> ><br>
> > 2014-07-04 11:45 GMT+02:00 Rhys Oxenham < <a href="mailto:roxenham@redhat.com">roxenham@redhat.com</a> > :<br>
> ><br>
> ><br>
> ><br>
> > Can you try another image to make sure that key pair injection is working<br>
> > inside of your environment? i.e. an image you already know the password for<br>
> > so you can check via VNC or passworded ssh login?<br>
> ><br>
> > Cheers<br>
> > Rhys<br>
> ><br>
> > On 4 Jul 2014, at 10:40, Madko < <a href="mailto:madko77@gmail.com">madko77@gmail.com</a> > wrote:<br>
> ><br>
> > > Nope didn't try this one, but no luck, same problem :( (I tried root,<br>
> > > fedora, and now cloud-user)<br>
> > ><br>
> > > [root@openstack-neutron ~]# ip netns exec<br>
> > > qdhcp-1d742b5e-c3f3-430f-b8a9-275bcbf967a3 ping 192.168.2.4<br>
> > > PING 192.168.2.4 (192.168.2.4) 56(84) bytes of data.<br>
> > > 64 bytes from 192.168.2.4 : icmp_seq=1 ttl=64 time=2.02 ms<br>
> > > 64 bytes from 192.168.2.4 : icmp_seq=2 ttl=64 time=1.90 ms<br>
> > > ^C<br>
> > > --- 192.168.2.4 ping statistics ---<br>
> > > 2 packets transmitted, 2 received, 0% packet loss, time 1161ms<br>
> > > rtt min/avg/max/mdev = 1.900/1.964/2.029/0.078 ms<br>
> > > [root@openstack-neutron ~]# ip netns exec<br>
> > > qdhcp-1d742b5e-c3f3-430f-b8a9-275bcbf967a3 ssh -i neutron_test.pem -l<br>
> > > cloud-user 192.168.2.4<br>
> > > Permission denied (publickey,gssapi-keyex,gssapi-with-mic).<br>
> > ><br>
> > ><br>
> > ><br>
> > > 2014-07-04 11:09 GMT+02:00 Rhys Oxenham < <a href="mailto:roxenham@redhat.com">roxenham@redhat.com</a> >:<br>
> > > Hi,<br>
> > ><br>
> > > Did you try with using the “cloud-user” login username?<br>
> > ><br>
> > > Thanks<br>
> > > Rhys<br>
> > ><br>
> > > On 4 Jul 2014, at 09:22, Madko < <a href="mailto:madko77@gmail.com">madko77@gmail.com</a> > wrote:<br>
> > ><br>
> > > > Hi,<br>
> > > ><br>
> > > > I have an almost working openstack platform deployed via foreman. When I<br>
> > > > launch an instance from the Fedora 19 cloud image, everything seems<br>
> > > > fine, the VM is running on one of my hypervisor, but I can't access it<br>
> > > > (ping is ok)...<br>
> > > ><br>
> > > > I'm following this documentation<br>
> > > > <a href="http://openstack.redhat.com/Running_an_instance" target="_blank">http://openstack.redhat.com/Running_an_instance</a><br>
> > > ><br>
> > > > I only get a permission denied when I do the last part:<br>
> > > > ssh -l root -i my_key_pair.pem floating_ip_address<br>
> > > > I also try by importing an ssh key. Same error.<br>
> > > ><br>
> > > > In the VM console, I see that CloudInit service is starting inside the<br>
> > > > VM, no error are shown here. So my question is: Where are the logs for<br>
> > > > that parts (cloud init server) in openstack ? Is the above documentation<br>
> > > > fine ?<br>
> > > ><br>
> > > > best regards,<br>
> > > ><br>
> > > > --<br>
> > > > Edouard Bourguignon<br>
> > > > _______________________________________________<br>
> > > > Rdo-list mailing list<br>
> > > > <a href="mailto:Rdo-list@redhat.com">Rdo-list@redhat.com</a><br>
> > > > <a href="https://www.redhat.com/mailman/listinfo/rdo-list" target="_blank">https://www.redhat.com/mailman/listinfo/rdo-list</a><br>
> > ><br>
> > ><br>
> > ><br>
> > ><br>
> > > --<br>
> > > Edouard Bourguignon<br>
> ><br>
> ><br>
> ><br>
> ><br>
> > --<br>
> > Edouard Bourguignon<br>
> ><br>
> > _______________________________________________<br>
> > Rdo-list mailing list<br>
> > <a href="mailto:Rdo-list@redhat.com">Rdo-list@redhat.com</a><br>
> > <a href="https://www.redhat.com/mailman/listinfo/rdo-list" target="_blank">https://www.redhat.com/mailman/listinfo/rdo-list</a><br>
> ><br>
> ><br>
> ><br>
> ><br>
> ><br>
> > --<br>
> > Edouard Bourguignon<br>
> ><br>
> ><br>
> ><br>
> > --<br>
> > Edouard Bourguignon<br>
> ><br>
> > _______________________________________________<br>
> > Rdo-list mailing list<br>
> > <a href="mailto:Rdo-list@redhat.com">Rdo-list@redhat.com</a><br>
> > <a href="https://www.redhat.com/mailman/listinfo/rdo-list" target="_blank">https://www.redhat.com/mailman/listinfo/rdo-list</a><br>
> ><br>
><br>
><br>
><br>
> --<br>
> Edouard Bourguignon<br>
> _______________________________________________<br>
> Rdo-list mailing list<br>
> <a href="mailto:Rdo-list@redhat.com">Rdo-list@redhat.com</a><br>
> <a href="https://www.redhat.com/mailman/listinfo/rdo-list" target="_blank">https://www.redhat.com/mailman/listinfo/rdo-list</a><br>
<br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br>Edouard Bourguignon
</div>