<p dir="ltr">Whoops! I figured it out just a few seconds after I sent the mail! Ok, tomorrow I'll try it. :) I'd like to share how I want to organise my network in order to get some advice. </p>
<p dir="ltr">Let's say I have 7 machines and 7 spare IPs on the network <a href="http://172.16.58.0/24">172.16.58.0/24</a>, which are also associated with 7 public (Internet) IPs. </p>
<p dir="ltr">I'd like to reserve 6 IPs for 6 VMs I could instantiate on OpenStack. </p>
<p dir="ltr">So I planned to do this:<br>
the controller node has a static IP on eth0, one of the 7 in the <a href="http://172.16.58.50/24">172.16.58.50/24</a> network, so that I can access it from outside. I add an alias eth0:0 with which I connect the controller to the Management network of OpenStack, the <a href="http://10.0.1.0/24">10.0.1.0/24</a> network. Also on the controller, I statically set the IP for eth1 to one from the floating IP network <a href="http://192.168.0.0/16">192.168.0.0/16</a>. With iptables, I add a rule forwarding everything on eth0 and eth1, so the other nodes can get Internet access on the <a href="http://10.0.1.0/24">10.0.1.0/24</a> network.</p>
<p dir="ltr">On the compute nodes I set eth0 to one of the IPs on the <a href="http://10.0.1.0/24">10.0.1.0/24</a> management network and eth1 to one on <a href="http://192.168.0.0/16">192.168.0.0/16</a>.</p>
<p dir="ltr">On each node I put the bridge on eth1.</p>
<p dir="ltr">With RDO I put virtualisation and tunnelling only on eth1.</p>
<p dir="ltr">When the installation has finished, I create a private neutron network <a href="http://10.100.0.0/16">10.100.0.0/16</a> and two public networks of floating IPs. The first is <a href="http://192.168.0.0/24">192.168.0.0/24</a> for any kind of VM. The other is the <a href="http://172.16.58.0/24">172.16.58.0/24</a> network, limited to the 6 available IPs with which I can put virtual machines on the Internet. </p>
<p dir="ltr">Does it make sense, or am I making some mistakes? Do you have any other ideas? </p>
<p dir="ltr">Thank you very much indeed! </p>
<p dir="ltr">Pasquale </p>
<div class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA1<br>
<br>
On 02/20/2015 02:07 PM, Pasquale Salza wrote:<br>
> Hi Rhys, I suppose so, because these are my iptables rules:<br>
><br>
> iptables -F<br>
> iptables -t nat -F<br>
> iptables -P INPUT ACCEPT<br>
> iptables -P OUTPUT ACCEPT<br>
> iptables -P FORWARD ACCEPT<br>
> iptables -A INPUT -d 172.16.58.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT<br>
> iptables -A INPUT -d 172.16.58.0/24 -p tcp --dport ssh -j ACCEPT<br>
> iptables -A INPUT -d 172.16.58.0/24 -p tcp --dport www -j ACCEPT<br>
> iptables -A INPUT -d 172.16.58.0/24 -p tcp --dport pptp -j ACCEPT<br>
> iptables -A INPUT -d 172.16.58.0/24 -p tcp --sport domain -j ACCEPT<br>
> iptables -A INPUT -d 172.16.58.0/24 -p tcp --dport domain -j ACCEPT<br>
> iptables -A INPUT -d 172.16.58.0/24 -p udp --sport domain -j ACCEPT<br>
> iptables -A INPUT -d 172.16.58.0/24 -p udp --dport domain -j ACCEPT<br>
> iptables -A INPUT -d 172.16.58.0/24 -p gre -j ACCEPT<br>
> iptables -A INPUT -d 172.16.58.0/24 -p icmp -j ACCEPT<br>
> iptables -A INPUT -d 172.16.58.0/24 -j DROP<br>
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE<br>
> service iptables save<br>
><br>
> Firstly, do you think I planned the network organisation well? Do<br>
> you have other suggestions (best practices) with 2 interfaces?<br>
><br>
><br>
> 2015-02-20 18:30 GMT+01:00 Rhys Oxenham <<a href="mailto:roxenham@redhat.com">roxenham@redhat.com</a>>:<br>
><br>
> Hi Pasquale,<br>
><br>
> Did you modify your security group rules to allow ICMP and/or<br>
> 22:tcp access?<br>
><br>
> Many thanks Rhys<br>
><br>
>> On 20 Feb 2015, at 17:11, Pasquale Salza<br>
>> <<a href="mailto:pasquale.salza@gmail.com">pasquale.salza@gmail.com</a>> wrote:<br>
>><br>
>> Hi there, I have a lot of problems with RDO/OpenStack<br>
> configuration. Firstly, I need to describe my network situation.<br>
>><br>
>> I have 7 machines, each of them with 2 NICs. I would like to use<br>
>> one machine as a controller/network node and the others as compute<br>
>> nodes.<br>
>><br>
>> I would like to use eth0 to connect the nodes to the Internet (and<br>
>> get access by remote sessions) with the network "<a href="http://172.16.58.0/24" target="_blank">172.16.58.0/24</a>",<br>
>> in which I have just 7 available IPs, and eth1 as the configuration<br>
>> network on the network <a href="http://10.42.100.0/24" target="_blank">10.42.100.0/24</a>.<br>
>><br>
>> This is my current configuration, for each node (varying the IPs<br>
> on each machine):<br>
>><br>
>> eth0:<br>
>> DEVICE=eth0<br>
>> TYPE=Ethernet<br>
>> ONBOOT=yes<br>
>> BOOTPROTO=static<br>
>> IPADDR=172.16.58.50<br>
>> NETMASK=255.255.255.0<br>
>> GATEWAY=172.16.58.254<br>
>> DNS1=172.16.58.50<br>
>> DOMAIN=###<br>
>> DEFROUTE="yes"<br>
>><br>
>> eth1:<br>
>> DEVICE=eth1<br>
>> TYPE=OVSPort<br>
>> DEVICETYPE=ovs<br>
>> OVS_BRIDGE=br-ex<br>
>> ONBOOT=yes<br>
>><br>
>> br-ex:<br>
>> DEVICE=br-ex<br>
>> DEVICETYPE=ovs<br>
>> TYPE=OVSBridge<br>
>> BOOTPROTO=static<br>
>> IPADDR=10.42.100.1<br>
>> NETMASK=255.255.255.0<br>
>> ONBOOT=yes<br>
>><br>
>> I'd like to have instances on the <a href="http://10.42.200.0/24" target="_blank">10.42.200.0/24</a><br>
>> virtual private network and the remaining IPs of the<br>
>> <a href="http://10.42.100.0/24" target="_blank">10.42.100.0/24</a> network as floating IPs.<br>
>><br>
>> These are the relevant parts of my answers.txt file:<br>
>><br>
>> CONFIG_CONTROLLER_HOST=10.42.100.1<br>
>> CONFIG_COMPUTE_HOSTS=10.42.100.10,10.42.100.11,10.42.100.12,10.42.100.13,10.42.100.14,10.42.100.15<br>
>> CONFIG_NETWORK_HOSTS=10.42.100.1<br>
>> CONFIG_AMQP_HOST=10.42.100.1<br>
>> CONFIG_MARIADB_HOST=10.42.100.1<br>
>> CONFIG_NOVA_COMPUTE_PRIVIF=eth1<br>
>> CONFIG_NOVA_NETWORK_PUBIF=eth1<br>
>> CONFIG_NOVA_NETWORK_PRIVIF=eth1<br>
>> CONFIG_NOVA_NETWORK_FIXEDRANGE=10.42.200.0/24<br>
>> CONFIG_NOVA_NETWORK_FLOATRANGE=10.42.100.0/24<br>
>> CONFIG_NEUTRON_L3_EXT_BRIDGE=br-ex<br>
>> CONFIG_NEUTRON_ML2_TYPE_DRIVERS=vxlan<br>
>> CONFIG_NEUTRON_ML2_TENANT_NETWORK_TYPES=vxlan<br>
>> CONFIG_NEUTRON_ML2_VNI_RANGES=10:100<br>
>> CONFIG_NEUTRON_LB_INTERFACE_MAPPINGS=<br>
>> CONFIG_NEUTRON_OVS_BRIDGE_MAPPINGS=<br>
>> CONFIG_NEUTRON_OVS_BRIDGE_IFACES=<br>
>> CONFIG_NEUTRON_OVS_TUNNEL_IF=eth1<br>
>><br>
>> After the installation, I configure the network like this:<br>
>><br>
>> neutron router-create router<br>
>> neutron net-create private<br>
>> neutron subnet-create private 10.42.200.0/24 --name private-subnet<br>
>> neutron router-interface-add router private-subnet<br>
>> neutron net-create public --router:external=True<br>
>> neutron subnet-create public 10.42.100.0/24 --name public-subnet --enable_dhcp=False --allocation-pool start=10.42.100.100,end=10.42.100.200 --no-gateway<br>
>> neutron router-gateway-set router public<br>
>><br>
>> I'm able to launch instances but I can't get access (ping/ssh)<br>
>> to them.<br>
>><br>
>> I don't know if I'm doing something wrong starting from<br>
>> planning.<br>
>><br>
>> Please, help me!<br>
>><br>
>> _______________________________________________ Rdo-list mailing<br>
>> list <a href="mailto:Rdo-list@redhat.com">Rdo-list@redhat.com</a> <mailto:<a href="mailto:Rdo-list@redhat.com">Rdo-list@redhat.com</a>><br>
>> <a href="https://www.redhat.com/mailman/listinfo/rdo-list" target="_blank">https://www.redhat.com/mailman/listinfo/rdo-list</a><br>
>><br>
>> To unsubscribe: <a href="mailto:rdo-list-unsubscribe@redhat.com">rdo-list-unsubscribe@redhat.com</a><br>
> <mailto:<a href="mailto:rdo-list-unsubscribe@redhat.com">rdo-list-unsubscribe@redhat.com</a>><br>
><br>
><br>
><br>
><br>
> -- Pasquale Salza<br>
><br>
> e-mail: <a href="mailto:pasquale.salza@gmail.com">pasquale.salza@gmail.com</a> <mailto:<a href="mailto:pasquale.salza@gmail.com">pasquale.salza@gmail.com</a>><br>
> phone: <a href="tel:%2B39%20393%204415978" value="+393934415978">+39 393 4415978</a> fax: <a href="tel:%2B39%20089%208422939" value="+390898422939">+39 089 8422939</a> skype: pasquale.salza<br>
> linkedin: <a href="http://it.linkedin.com/in/psalza/" target="_blank">http://it.linkedin.com/in/psalza/</a><br>
><br>
><br>
><br>
<br>
Those look like the iptables rules on the hypervisor. Rhys is talking<br>
about the Neutron security group rules. By default, ssh into VMs is<br>
not allowed. You need to permit ICMP and SSH in the security rules on<br>
the neutron network.<br>
<br>
I don't see anything wrong with your network architecture at first<br>
glance, but floating IPs can be tricky at first. Start with basic<br>
VM-to-VM connectivity and add on from there.<br>
<br>
Good luck!<br>
<br>
- --<br>
Dan Sneddon | Principal OpenStack Engineer<br>
<a href="mailto:dsneddon@redhat.com">dsneddon@redhat.com</a> | <a href="http://redhat.com/openstack" target="_blank">redhat.com/openstack</a><br>
650.254.4025 | @dxs on twitter<br>
-----BEGIN PGP SIGNATURE-----<br>
Version: GnuPG v1<br>
<br>
iQEcBAEBAgAGBQJU57MFAAoJEFkV3ypsGNbjlrcIAMc+Bp39+BIEhNm7rDjZZ/4m<br>
wcf/ti9vmeMuCyjTAwRUIHUO1l5ZnhoBLh6vdZaPXABEvC1bFT5U7V2Jeyt1z207<br>
1kRrPxUV5mto5/NLOVJIvxR5qKdDGS0O7QPus9ZNeIWEIwQ/gmpqfm6I3PrQUOlq<br>
dqTVAUt5FoKCtPrGilbjX/6m5NEYa9kPO2vsr9C1OTfa9VYEn4LfUlHaQYDg7g/Q<br>
1TQWlvWiMiHGYTzMqsWQdEb/CQosRfc2+Mf5eqO9Ah5CWrVZx14dDL8gQd1vfLGr<br>
sl3ByfVLwBTv3NiVtd1E+E4yOGceOoQ0xn0ysN30DhGxZlfob9ApV6m8PhMdeek=<br>
=vacc<br>
-----END PGP SIGNATURE-----<br>
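<p dir="ltr">The Neutron side of the plan in the top message, together with the security-group rules Rhys and Dan refer to, as an added example that is not part of any message in this thread. It uses the <code>neutron</code> CLI the thread uses. Assumed values, not stated in the thread: the six public addresses reserved for instances are 172.16.58.51 to 172.16.58.56, the upstream gateway is 172.16.58.254 (taken from the posted ifcfg-eth0), and the hosts allowed to ping and SSH into instances sit in 172.16.58.0/24. Commands are printed rather than executed unless <code>DRY_RUN=0</code>, so the script can be reviewed before it touches a live cloud.</p>

```shell
#!/bin/sh
# Added example, not code from the thread. Neutron networks and
# security-group rules for the plan described above.
#
# Assumptions (not given in the thread; adjust to your site):
#   - public IPs reserved for instances: 172.16.58.51-172.16.58.56
#   - upstream gateway of 172.16.58.0/24: 172.16.58.254 (from ifcfg-eth0)
#   - admin hosts that may reach instances: 172.16.58.0/24

DRY_RUN="${DRY_RUN:-1}"

# Print the command instead of running it unless DRY_RUN=0.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Tenant network 10.100.0.0/16 behind a Neutron router.
create_tenant_network() {
    run neutron net-create private
    run neutron subnet-create private 10.100.0.0/16 --name private-subnet
    run neutron router-create router
    run neutron router-interface-add router private-subnet
}

# External (floating-IP) network. The allocation pool is what keeps
# Neutron from handing out the addresses the hosts themselves use.
create_external_network() {
    net=$1; cidr=$2; gw=$3; pool_start=$4; pool_end=$5
    run neutron net-create "$net" --router:external=True
    run neutron subnet-create "$net" "$cidr" --name "${net}-subnet" \
        --enable_dhcp=False --gateway "$gw" \
        --allocation-pool "start=${pool_start},end=${pool_end}"
}

# Security-group rules decide whether ICMP and SSH reach an instance;
# the hypervisor's own INPUT chain does not. Limit the source to the
# admin network rather than opening 0.0.0.0/0.
allow_admin_ingress() {
    sg=$1; src=$2
    run neutron security-group-rule-create --direction ingress \
        --protocol icmp --remote-ip-prefix "$src" "$sg"
    run neutron security-group-rule-create --direction ingress \
        --protocol tcp --port-range-min 22 --port-range-max 22 \
        --remote-ip-prefix "$src" "$sg"
}

main() {
    create_tenant_network
    create_external_network public 172.16.58.0/24 172.16.58.254 \
        172.16.58.51 172.16.58.56
    run neutron router-gateway-set router public
    allow_admin_ingress default 172.16.58.0/24
}

main
```

<p dir="ltr">A Neutron router has exactly one external gateway, so the second floating network in the plan (192.168.0.0/24) needs its own router with its own <code>router-gateway-set</code>. Leaving the default security group unchanged blocks inbound ICMP and SSH from outside regardless of what the hypervisor's INPUT chain accepts, which is the situation Dan describes.</p>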
<br>
</div>