10:49 a.m.
Hi
Now I try to test mutinode deploy Opentack with packstack
I use centos 6.5, GRE netwrok, two nic. (172.28.1.132 is my control node.)
he bug is if you separate roles install like neutron in single node, and
the control node not install compute service, the dashboard can not login,
becasue the separate roles node, lack a iptables rule ,allow the control
node access the roles node.
this is my answer files
http://paste2.org/GDCVUVd9
I also report to
https://ask.openstack.org/en/question/12544/bug-for-multinode-deployment-...
--
Shake Chen
11:33 p.m.
On Thu, Feb 27, 2014 at 12:49:38AM +0800, Shake Chen wrote:
Hi
Now I try to test mutinode deploy Opentack with packstack
I use centos 6.5, GRE netwrok, two nic. (172.28.1.132 is my control node.)
he bug is if you separate roles install like neutron in single node, and
the control node not install compute service, the dashboard can not login,
becasue the separate roles node, lack a iptables rule ,allow the control
node access the roles node.
Thank you for trying this.
But it is hard to follow what you're saying.
That said, here's[1] my Neutron configs and iptables rules with GRE that
worked for me on Fedora.
Also, for future reference, please see this[2]. In short: providing
clear information gets you better responses.
[1]
http://kashyapc.fedorapeople.org/virt/openstack/neutron-configs-GRE-OVS-t...
[2] https://wiki.openstack.org/wiki/BugFilingRecommendations
--
/kashyap
3:06 a.m.
Thanks
I have found many bug about mutinode setup and try to report it.
I can reproduce the bug.
http://paste2.org/dzGnB2Zt
I can provide any info if need.
Now I l can not login dashboard, debug show can not connect neutron,
so I need to ssh to neutron node add iptables rule
-A INPUT -s 172.18.1.12/32 -p tcp -m multiport --dports 9696,67,68 -m
comment --comment "001 neutron incoming 172.18.1.13"
-j ACCEPT
then work, I can login Dashboard.
On Thu, Feb 27, 2014 at 1:33 PM, Kashyap Chamarthy <kchamart(a)redhat.com>wrote:
On Thu, Feb 27, 2014 at 12:49:38AM +0800, Shake Chen wrote:
> Hi
>
> Now I try to test mutinode deploy Opentack with packstack
>
> I use centos 6.5, GRE netwrok, two nic. (172.28.1.132 is my control
node.)
>
> he bug is if you separate roles install like neutron in single node, and
> the control node not install compute service, the dashboard can not
login,
> becasue the separate roles node, lack a iptables rule ,allow the control
> node access the roles node.
Thank you for trying this.
But it is hard to follow what you're saying.
That said, here's[1] my Neutron configs and iptables rules with GRE that
worked for me on Fedora.
Also, for future reference, please see this[2]. In short: providing
clear information gets you better responses.
[1]
http://kashyapc.fedorapeople.org/virt/openstack/neutron-configs-GRE-OVS-t...
[2] https://wiki.openstack.org/wiki/BugFilingRecommendations
--
/kashyap
--
Shake Chen
7:47 a.m.
On Thu, Feb 27, 2014 at 05:06:49PM +0800, Shake Chen wrote:
I have found many bug about mutinode setup and try to report it.
Note that at 10AM Eastern *today* (2/27), I'll be giving an RDO
hangout on multinode installs with packstack. Details are here:
http://openstack.redhat.com/Hangouts
I'll be running through a complete install, including a number of
post-install configuration steps.
Cheers,
--
Lars Kellogg-Stedman <lars(a)redhat.com> | larsks @ irc
Cloud Engineering / OpenStack | " " @ twitter
11:57 p.m.
Hi Lars
I watch your mutil node video careful , use packstack run again and find
the problem. I think is bug for RDO
the video ip is
control
10.15.0.7
network
10.15.0.5
compute
10.15.0.2,10.15.0.4
when Lars login network node (10.15.0.5) show the iptables rules, (the pic
is come from Lar video.)
[image: Inline image 1]
have 3 iptabes rules.
I think the last rule
-A INPUT -s 10.15.0.5/32
show change to
-A INPUT -s 10.15.0.7/32
otherwise, I can not login Dashboard. show can not connect to neutron.
On Thu, Feb 27, 2014 at 9:47 PM, Lars Kellogg-Stedman <lars(a)redhat.com>wrote:
On Thu, Feb 27, 2014 at 05:06:49PM +0800, Shake Chen wrote:
> I have found many bug about mutinode setup and try to report it.
Note that at 10AM Eastern *today* (2/27), I'll be giving an RDO
hangout on multinode installs with packstack. Details are here:
http://openstack.redhat.com/Hangouts
I'll be running through a complete install, including a number of
post-install configuration steps.
Cheers,
--
Lars Kellogg-Stedman <lars(a)redhat.com> | larsks @ irc
Cloud Engineering / OpenStack | " " @ twitter
--
Shake Chen
9:24 a.m.
On Wed, Mar 05, 2014 at 01:57:24PM +0800, Shake Chen wrote:
I watch your mutil node video careful , use packstack run again and
find
the problem. I think is bug for RDO
I think you may be correct. My demo environment did not have a
default firewall enabled, so problems like this would not have shown
up.
I'm going to re-deploy things today and double check the behavior, and
if I can confirm the problem I'll open a bug against RDO.
Thanks,
-- Lars
--
Lars Kellogg-Stedman <lars(a)redhat.com> | larsks @ irc
Cloud Engineering / OpenStack | " " @ twitter
4:57 p.m.
On Wed, Mar 05, 2014 at 01:57:24PM +0800, Shake Chen wrote:
I watch your mutil node video careful , use packstack run again and
find
the problem. I think is bug for RDO
I've submitted a fix for this upstream:
https://bugs.launchpad.net/packstack/+bug/1288447
This should eventually make it into RDO. The Red Hat bug on this
issue is here:
https://bugzilla.redhat.com/show_bug.cgi?id=1073100
--
Lars Kellogg-Stedman <lars(a)redhat.com> | larsks @ irc
Cloud Engineering / OpenStack | " " @ twitter
12:21 a.m.
Hi Lars
Thanks for confirm the bug.
the other module have same bug, like cinder.heat, glance
172.18.1.12 controller
172.18.1.13 network
172.18.1.14 compute
172.18.1.15 compute
172.18.1.16 cinder storage
172.18.1.17 heat
172.18.1.18 glance
The system "network" runs neutron-server and neutron-*-agent; the
system "controller" runs everything other than nova-compute glance and
cinder, including
Horizon.
I use the newest packstack for test
# rpm -qa | grep packstack
openstack-packstack-2013.2.1-0.32.dev987.el6.noarch
After packstack finishes, the iptables rules on "cinder" look like
this:
# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -s 172.18.1.14/32 -p tcp -m multiport --dports 3260,8776 -m
comment --comment "001 cinder incoming 172.18.1.14" -j ACCEPT
-A INPUT -s 172.18.1.15/32 -p tcp -m multiport --dports 3260,8776 -m
comment --comment "001 cinder incoming 172.18.1.15" -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
the iptables also have no rule let horizon access the cinder.
the iptables rules on "heat" look like
this:
# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
no any iptables rules. so in horizon ,can not access heat.
the iptables rules on "glance" look like
this:
# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -s 172.18.1.14/32 -p tcp -m multiport --dports 9292 -m comment
--comment "001 glance incoming 172.18.1.14" -j ACCEPT
-A INPUT -s 172.18.1.15/32 -p tcp -m multiport --dports 9292 -m comment
--comment "001 glance incoming 172.18.1.15" -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
also have same problem.the iptables also have no rule let horizon access
the glance..
On Thu, Mar 6, 2014 at 6:57 AM, Lars Kellogg-Stedman <lars(a)redhat.com>wrote:
On Wed, Mar 05, 2014 at 01:57:24PM +0800, Shake Chen wrote:
> I watch your mutil node video careful , use packstack run again and find
> the problem. I think is bug for RDO
I've submitted a fix for this upstream:
https://bugs.launchpad.net/packstack/+bug/1288447
This should eventually make it into RDO. The Red Hat bug on this
issue is here:
https://bugzilla.redhat.com/show_bug.cgi?id=1073100
--
Lars Kellogg-Stedman <lars(a)redhat.com> | larsks @ irc
Cloud Engineering / OpenStack | " " @ twitter
--
Shake Chen
12:25 a.m.
Hi Lars
Thanks for confirm the bug.
the other module have same bug, like cinder.heat, glance
172.18.1.12 controller
172.18.1.13 network
172.18.1.14 compute
172.18.1.15 compute
172.18.1.16 cinder storage
172.18.1.17 heat
172.18.1.18 glance
The system "network" runs neutron-server and neutron-*-agent; the
system "controller" runs everything other than nova-compute glance and
cinder, including
Horizon.
I use the newest packstack for test
# rpm -qa | grep packstack
openstack-packstack-2013.2.1-0.32.dev987.el6.noarch
After packstack finishes, the iptables rules on "cinder" look like
this:
# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -s 172.18.1.14/32 -p tcp -m multiport --dports 3260,8776 -m
comment --comment "001 cinder incoming 172.18.1.14" -j ACCEPT
-A INPUT -s 172.18.1.15/32 -p tcp -m multiport --dports 3260,8776 -m
comment --comment "001 cinder incoming 172.18.1.15" -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
the iptables also have no rule let horizon access the cinder.
the iptables rules on "heat" look like
this:
# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
no any iptables rules. so in horizon ,can not access heat.
the iptables rules on "glance" look like
this:
# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -s 172.18.1.14/32 -p tcp -m multiport --dports 9292 -m comment
--comment "001 glance incoming 172.18.1.14" -j ACCEPT
-A INPUT -s 172.18.1.15/32 -p tcp -m multiport --dports 9292 -m comment
--comment "001 glance incoming 172.18.1.15" -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
also have same problem.the iptables also have no rule let horizon access
the glance..
On Thu, Mar 6, 2014 at 6:57 AM, Lars Kellogg-Stedman <lars(a)redhat.com>wrote:
On Wed, Mar 05, 2014 at 01:57:24PM +0800, Shake Chen wrote:
> I watch your mutil node video careful , use packstack run again and find
> the problem. I think is bug for RDO
I've submitted a fix for this upstream:
https://bugs.launchpad.net/packstack/+bug/1288447
This should eventually make it into RDO. The Red Hat bug on this
issue is here:
https://bugzilla.redhat.com/show_bug.cgi?id=1073100
--
Lars Kellogg-Stedman <lars(a)redhat.com> | larsks @ irc
Cloud Engineering / OpenStack | " " @ twitter
--
Shake Chen
3958
days inactive
3966
days old
8 comments
3 participants
participants (3)
-
Kashyap Chamarthy -
Lars Kellogg-Stedman -
Shake Chen