11:11 a.m.
Hi there, I have a lot of problems with RDO/OpenStack configuration.
Firstly, I need to describe my network situation.
I have 7 machine, each of them with 2 NIC. I would like to use one machine
as a controller/network node and the others as compute nodes.
I would like to use the eth0 to connect nodes to internet (and get access
by remote sessions) with the network "172.16.58.0/24", in which I have just
7 available IPs, and eth1 as configuration network on the network
10.42.100.0/42.
This is my current configuration, for each node (varying the IPs on each
machine):
eth0:
DEVICE=eth0
TYPE=Ethernet
ONBOOT=yes
BOOTPROTO=static
IPADDR=172.16.58.50
NETMASK=255.255.255.0
GATEWAY=172.16.58.254
DNS1=172.16.58.50
DOMAIN=###
DEFROUTE="yes"
eth1:
DEVICE=eth1
TYPE=OVSPort
DEVICETYPE=ovs
OVS_BRIDGE=br-ex
ONBOOT=yes
br-ex:
DEVICE=br-ex
DEVICETYPE=ovs
TYPE=OVSBridge
BOOTPROTO=static
IPADDR=10.42.100.1
NETMASK=255.255.255.0
ONBOOT=yes
I'd like to have instances on 10.42.200.0/24 virtual private network and
the remaining IPs of 10.42.100.0/24 network as floating IPs.
These are the relevant parts of my answers.txt file:
CONFIG_CONTROLLER_HOST=10.42.100.1
CONFIG_COMPUTE_HOSTS=10.42.100.10,10.42.100.11,10.42.100.12,10.42.100.13,10.42.100.14,10.42.100.15
CONFIG_NETWORK_HOSTS=10.42.100.1
CONFIG_AMQP_HOST=10.42.100.1
CONFIG_MARIADB_HOST=10.42.100.1
CONFIG_NOVA_COMPUTE_PRIVIF=eth1
CONFIG_NOVA_NETWORK_PUBIF=eth1
CONFIG_NOVA_NETWORK_PRIVIF=eth1
CONFIG_NOVA_NETWORK_FIXEDRANGE=10.42.200.0/24
CONFIG_NOVA_NETWORK_FLOATRANGE=10.42.100.0/24
CONFIG_NEUTRON_L3_EXT_BRIDGE=br-ex
CONFIG_NEUTRON_ML2_TYPE_DRIVERS=vxlan
CONFIG_NEUTRON_ML2_TENANT_NETWORK_TYPES=vxlan
CONFIG_NEUTRON_ML2_VNI_RANGES=10:100
CONFIG_NEUTRON_LB_INTERFACE_MAPPINGS=
CONFIG_NEUTRON_OVS_BRIDGE_MAPPINGS=
CONFIG_NEUTRON_OVS_BRIDGE_IFACES=
CONFIG_NEUTRON_OVS_TUNNEL_IF=eth1
After the installation, I configure the network like this:
neutron router-create router
neutron net-create private
neutron subnet-create private 10.42.200.0/24 --name private-subnet
neutron router-interface-add router private-subnet
neutron net-create public --router:external=True
neutron subnet-create public 10.42.100.0/24 --name public-subnet
--enable_dhcp=False --allocation-pool start=10.42.100.100,end=10.42.100.200
--no-gateway
neutron router-gateway-set router public
I'm able to launch instances but I can't get access (ping/ssh) to them.
I don't know if I'm doing something wrong starting from planning.
Please, help me!
11:30 a.m.
Hi Pasquale,
Did you modify your security group rules to allow ICMP and/or 22:tcp access?
Many thanks
Rhys
On 20 Feb 2015, at 17:11, Pasquale Salza
<pasquale.salza(a)gmail.com> wrote:
Hi there, I have a lot of problems with RDO/OpenStack configuration. Firstly, I need to
describe my network situation.
I have 7 machine, each of them with 2 NIC. I would like to use one machine as a
controller/network node and the others as compute nodes.
I would like to use the eth0 to connect nodes to internet (and get access by remote
sessions) with the network "172.16.58.0/24", in which I have just 7 available
IPs, and eth1 as configuration network on the network 10.42.100.0/42.
This is my current configuration, for each node (varying the IPs on each machine):
eth0:
DEVICE=eth0
TYPE=Ethernet
ONBOOT=yes
BOOTPROTO=static
IPADDR=172.16.58.50
NETMASK=255.255.255.0
GATEWAY=172.16.58.254
DNS1=172.16.58.50
DOMAIN=###
DEFROUTE="yes"
eth1:
DEVICE=eth1
TYPE=OVSPort
DEVICETYPE=ovs
OVS_BRIDGE=br-ex
ONBOOT=yes
br-ex:
DEVICE=br-ex
DEVICETYPE=ovs
TYPE=OVSBridge
BOOTPROTO=static
IPADDR=10.42.100.1
NETMASK=255.255.255.0
ONBOOT=yes
I'd like to have instances on 10.42.200.0/24 virtual private network and the
remaining IPs of 10.42.100.0/24 network as floating IPs.
These are the relevant parts of my answers.txt file:
CONFIG_CONTROLLER_HOST=10.42.100.1
CONFIG_COMPUTE_HOSTS=10.42.100.10,10.42.100.11,10.42.100.12,10.42.100.13,10.42.100.14,10.42.100.15
CONFIG_NETWORK_HOSTS=10.42.100.1
CONFIG_AMQP_HOST=10.42.100.1
CONFIG_MARIADB_HOST=10.42.100.1
CONFIG_NOVA_COMPUTE_PRIVIF=eth1
CONFIG_NOVA_NETWORK_PUBIF=eth1
CONFIG_NOVA_NETWORK_PRIVIF=eth1
CONFIG_NOVA_NETWORK_FIXEDRANGE=10.42.200.0/24
CONFIG_NOVA_NETWORK_FLOATRANGE=10.42.100.0/24
CONFIG_NEUTRON_L3_EXT_BRIDGE=br-ex
CONFIG_NEUTRON_ML2_TYPE_DRIVERS=vxlan
CONFIG_NEUTRON_ML2_TENANT_NETWORK_TYPES=vxlan
CONFIG_NEUTRON_ML2_VNI_RANGES=10:100
CONFIG_NEUTRON_LB_INTERFACE_MAPPINGS=
CONFIG_NEUTRON_OVS_BRIDGE_MAPPINGS=
CONFIG_NEUTRON_OVS_BRIDGE_IFACES=
CONFIG_NEUTRON_OVS_TUNNEL_IF=eth1
After the installation, I configure the network like this:
neutron router-create router
neutron net-create private
neutron subnet-create private 10.42.200.0/24 --name private-subnet
neutron router-interface-add router private-subnet
neutron net-create public --router:external=True
neutron subnet-create public 10.42.100.0/24 --name public-subnet --enable_dhcp=False
--allocation-pool start=10.42.100.100,end=10.42.100.200 --no-gateway
neutron router-gateway-set router public
I'm able to launch instances but I can't get access (ping/ssh) to them.
I don't know if I'm doing something wrong starting from planning.
Please, help me!
_______________________________________________
Rdo-list mailing list
Rdo-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/rdo-list
To unsubscribe: rdo-list-unsubscribe(a)redhat.com
4:07 p.m.
Hi Rhys,
I suppose so, because these are my iptables rules:
iptables -F
iptables -t nat -F
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A INPUT -d 172.16.58.0/24 -m state --state ESTABLISHED,RELATED -j
ACCEPT
iptables -A INPUT -d 172.16.58.0/24 -p tcp --dport ssh -j ACCEPT
iptables -A INPUT -d 172.16.58.0/24 -p tcp --dport www -j ACCEPT
iptables -A INPUT -d 172.16.58.0/24 -p tcp --dport pptp -j ACCEPT
iptables -A INPUT -d 172.16.58.0/24 -p tcp --sport domain -j ACCEPT
iptables -A INPUT -d 172.16.58.0/24 -p tcp --dport domain -j ACCEPT
iptables -A INPUT -d 172.16.58.0/24 -p udp --sport domain -j ACCEPT
iptables -A INPUT -d 172.16.58.0/24 -p udp --dport domain -j ACCEPT
iptables -A INPUT -d 172.16.58.0/24 -p gre -j ACCEPT
iptables -A INPUT -d 172.16.58.0/24 -p icmp -j ACCEPT
iptables -A INPUT -d 172.16.58.0/24 -j DROP
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
service iptables save
Firstly, do you think I planned the network organisation well? Do you have
other suggestion (best practices) with 2 interfaces?
2015-02-20 18:30 GMT+01:00 Rhys Oxenham <roxenham(a)redhat.com>:
Hi Pasquale,
Did you modify your security group rules to allow ICMP and/or 22:tcp
access?
Many thanks
Rhys
> On 20 Feb 2015, at 17:11, Pasquale Salza <pasquale.salza(a)gmail.com>
wrote:
>
> Hi there, I have a lot of problems with RDO/OpenStack configuration.
Firstly, I need to describe my network situation.
>
> I have 7 machine, each of them with 2 NIC. I would like to use one
machine as a controller/network node and the others as compute nodes.
>
> I would like to use the eth0 to connect nodes to internet (and get
access by remote sessions) with the network "172.16.58.0/24", in which I
have just 7 available IPs, and eth1 as configuration network on the network
10.42.100.0/42.
>
> This is my current configuration, for each node (varying the IPs on each
machine):
>
> eth0:
> DEVICE=eth0
> TYPE=Ethernet
> ONBOOT=yes
> BOOTPROTO=static
> IPADDR=172.16.58.50
> NETMASK=255.255.255.0
> GATEWAY=172.16.58.254
> DNS1=172.16.58.50
> DOMAIN=###
> DEFROUTE="yes"
>
> eth1:
> DEVICE=eth1
> TYPE=OVSPort
> DEVICETYPE=ovs
> OVS_BRIDGE=br-ex
> ONBOOT=yes
>
> br-ex:
> DEVICE=br-ex
> DEVICETYPE=ovs
> TYPE=OVSBridge
> BOOTPROTO=static
> IPADDR=10.42.100.1
> NETMASK=255.255.255.0
> ONBOOT=yes
>
> I'd like to have instances on 10.42.200.0/24 virtual private network
and the remaining IPs of 10.42.100.0/24 network as floating IPs.
>
> These are the relevant parts of my answers.txt file:
>
> CONFIG_CONTROLLER_HOST=10.42.100.1
>
CONFIG_COMPUTE_HOSTS=10.42.100.10,10.42.100.11,10.42.100.12,10.42.100.13,10.42.100.14,10.42.100.15
> CONFIG_NETWORK_HOSTS=10.42.100.1
> CONFIG_AMQP_HOST=10.42.100.1
> CONFIG_MARIADB_HOST=10.42.100.1
> CONFIG_NOVA_COMPUTE_PRIVIF=eth1
> CONFIG_NOVA_NETWORK_PUBIF=eth1
> CONFIG_NOVA_NETWORK_PRIVIF=eth1
> CONFIG_NOVA_NETWORK_FIXEDRANGE=10.42.200.0/24
> CONFIG_NOVA_NETWORK_FLOATRANGE=10.42.100.0/24
> CONFIG_NEUTRON_L3_EXT_BRIDGE=br-ex
> CONFIG_NEUTRON_ML2_TYPE_DRIVERS=vxlan
> CONFIG_NEUTRON_ML2_TENANT_NETWORK_TYPES=vxlan
> CONFIG_NEUTRON_ML2_VNI_RANGES=10:100
> CONFIG_NEUTRON_LB_INTERFACE_MAPPINGS=
> CONFIG_NEUTRON_OVS_BRIDGE_MAPPINGS=
> CONFIG_NEUTRON_OVS_BRIDGE_IFACES=
> CONFIG_NEUTRON_OVS_TUNNEL_IF=eth1
>
> After the installation, I configure the network like this:
>
> neutron router-create router
> neutron net-create private
> neutron subnet-create private 10.42.200.0/24 --name private-subnet
> neutron router-interface-add router private-subnet
> neutron net-create public --router:external=True
> neutron subnet-create public 10.42.100.0/24 --name public-subnet
--enable_dhcp=False --allocation-pool start=10.42.100.100,end=10.42.100.200
--no-gateway
> neutron router-gateway-set router public
>
> I'm able to launch instances but I can't get access (ping/ssh) to them.
>
> I don't know if I'm doing something wrong starting from planning.
>
> Please, help me!
>
> _______________________________________________
> Rdo-list mailing list
> Rdo-list(a)redhat.com
> https://www.redhat.com/mailman/listinfo/rdo-list
>
> To unsubscribe: rdo-list-unsubscribe(a)redhat.com
--
Pasquale Salza
e-mail: pasquale.salza(a)gmail.com
phone: +39 393 4415978
fax: +39 089 8422939
skype: pasquale.salza
linkedin: http://it.linkedin.com/in/psalza/
4:12 p.m.
taken from
https://github.com/marafa/openstack/blob/master/openstack-project-add.sh
write_security_rules(){ echo "todo: use neutron secgroup to add ssh and
ping rules instead of nova" source $ks_dir/keystonerc_$user$id nova
keypair-add key$id > $ks_dir/key$id.pem chmod 600 $ks_dir/key$id.pem nova
secgroup-create SecGrp$id "Security Group $id" nova secgroup-add-rule
SecGrp$id tcp 22 22 0.0.0.0/0 neutron security-group-rule-create
--direction ingress --protocol tcp --port_range_min 1 --port_range_max
65535 SecGrp$id neutron security-group-rule-create --direction ingress
--protocol udp --port_range_min 1 --port_range_max 65535 SecGrp$id neutron
security-group-rule-create --direction ingress --protocol icmp SecGrp$id }
On Fri, Feb 20, 2015 at 5:07 PM, Pasquale Salza <pasquale.salza(a)gmail.com>
wrote:
Hi Rhys,
I suppose so, because these are my iptables rules:
iptables -F
iptables -t nat -F
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A INPUT -d 172.16.58.0/24 -m state --state ESTABLISHED,RELATED
-j ACCEPT
iptables -A INPUT -d 172.16.58.0/24 -p tcp --dport ssh -j ACCEPT
iptables -A INPUT -d 172.16.58.0/24 -p tcp --dport www -j ACCEPT
iptables -A INPUT -d 172.16.58.0/24 -p tcp --dport pptp -j ACCEPT
iptables -A INPUT -d 172.16.58.0/24 -p tcp --sport domain -j ACCEPT
iptables -A INPUT -d 172.16.58.0/24 -p tcp --dport domain -j ACCEPT
iptables -A INPUT -d 172.16.58.0/24 -p udp --sport domain -j ACCEPT
iptables -A INPUT -d 172.16.58.0/24 -p udp --dport domain -j ACCEPT
iptables -A INPUT -d 172.16.58.0/24 -p gre -j ACCEPT
iptables -A INPUT -d 172.16.58.0/24 -p icmp -j ACCEPT
iptables -A INPUT -d 172.16.58.0/24 -j DROP
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
service iptables save
Firstly, do you think I planned the network organisation well? Do you have
other suggestion (best practices) with 2 interfaces?
2015-02-20 18:30 GMT+01:00 Rhys Oxenham <roxenham(a)redhat.com>:
> Hi Pasquale,
>
> Did you modify your security group rules to allow ICMP and/or 22:tcp
> access?
>
> Many thanks
> Rhys
>
> > On 20 Feb 2015, at 17:11, Pasquale Salza <pasquale.salza(a)gmail.com>
> wrote:
> >
> > Hi there, I have a lot of problems with RDO/OpenStack configuration.
> Firstly, I need to describe my network situation.
> >
> > I have 7 machine, each of them with 2 NIC. I would like to use one
> machine as a controller/network node and the others as compute nodes.
> >
> > I would like to use the eth0 to connect nodes to internet (and get
> access by remote sessions) with the network "172.16.58.0/24", in which I
> have just 7 available IPs, and eth1 as configuration network on the network
> 10.42.100.0/42.
> >
> > This is my current configuration, for each node (varying the IPs on
> each machine):
> >
> > eth0:
> > DEVICE=eth0
> > TYPE=Ethernet
> > ONBOOT=yes
> > BOOTPROTO=static
> > IPADDR=172.16.58.50
> > NETMASK=255.255.255.0
> > GATEWAY=172.16.58.254
> > DNS1=172.16.58.50
> > DOMAIN=###
> > DEFROUTE="yes"
> >
> > eth1:
> > DEVICE=eth1
> > TYPE=OVSPort
> > DEVICETYPE=ovs
> > OVS_BRIDGE=br-ex
> > ONBOOT=yes
> >
> > br-ex:
> > DEVICE=br-ex
> > DEVICETYPE=ovs
> > TYPE=OVSBridge
> > BOOTPROTO=static
> > IPADDR=10.42.100.1
> > NETMASK=255.255.255.0
> > ONBOOT=yes
> >
> > I'd like to have instances on 10.42.200.0/24 virtual private network
> and the remaining IPs of 10.42.100.0/24 network as floating IPs.
> >
> > These are the relevant parts of my answers.txt file:
> >
> > CONFIG_CONTROLLER_HOST=10.42.100.1
> >
>
CONFIG_COMPUTE_HOSTS=10.42.100.10,10.42.100.11,10.42.100.12,10.42.100.13,10.42.100.14,10.42.100.15
> > CONFIG_NETWORK_HOSTS=10.42.100.1
> > CONFIG_AMQP_HOST=10.42.100.1
> > CONFIG_MARIADB_HOST=10.42.100.1
> > CONFIG_NOVA_COMPUTE_PRIVIF=eth1
> > CONFIG_NOVA_NETWORK_PUBIF=eth1
> > CONFIG_NOVA_NETWORK_PRIVIF=eth1
> > CONFIG_NOVA_NETWORK_FIXEDRANGE=10.42.200.0/24
> > CONFIG_NOVA_NETWORK_FLOATRANGE=10.42.100.0/24
> > CONFIG_NEUTRON_L3_EXT_BRIDGE=br-ex
> > CONFIG_NEUTRON_ML2_TYPE_DRIVERS=vxlan
> > CONFIG_NEUTRON_ML2_TENANT_NETWORK_TYPES=vxlan
> > CONFIG_NEUTRON_ML2_VNI_RANGES=10:100
> > CONFIG_NEUTRON_LB_INTERFACE_MAPPINGS=
> > CONFIG_NEUTRON_OVS_BRIDGE_MAPPINGS=
> > CONFIG_NEUTRON_OVS_BRIDGE_IFACES=
> > CONFIG_NEUTRON_OVS_TUNNEL_IF=eth1
> >
> > After the installation, I configure the network like this:
> >
> > neutron router-create router
> > neutron net-create private
> > neutron subnet-create private 10.42.200.0/24 --name private-subnet
> > neutron router-interface-add router private-subnet
> > neutron net-create public --router:external=True
> > neutron subnet-create public 10.42.100.0/24 --name public-subnet
> --enable_dhcp=False --allocation-pool start=10.42.100.100,end=10.42.100.200
> --no-gateway
> > neutron router-gateway-set router public
> >
> > I'm able to launch instances but I can't get access (ping/ssh) to them.
> >
> > I don't know if I'm doing something wrong starting from planning.
> >
> > Please, help me!
> >
> > _______________________________________________
> > Rdo-list mailing list
> > Rdo-list(a)redhat.com
> > https://www.redhat.com/mailman/listinfo/rdo-list
> >
> > To unsubscribe: rdo-list-unsubscribe(a)redhat.com
>
>
--
Pasquale Salza
e-mail: pasquale.salza(a)gmail.com
phone: +39 393 4415978
fax: +39 089 8422939
skype: pasquale.salza
linkedin: http://it.linkedin.com/in/psalza/
_______________________________________________
Rdo-list mailing list
Rdo-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/rdo-list
To unsubscribe: rdo-list-unsubscribe(a)redhat.com
--
<https://candidate.peoplecert.org/ReportsLink.aspx?argType=1&id=13D642...
*805010942448935*
<https://www.redhat.com/wapps/training/certification/verify.html?certNumbe...
*GR750055912MA*
<https://candidate.peoplecert.org/ReportsLink.aspx?argType=1&id=13D642...
*Link to me on LinkedIn <http://www.linkedin.com/in/mohammedarafa>*
4:19 p.m.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 02/20/2015 02:07 PM, Pasquale Salza wrote:
Hi Rhys, I suppose so, because these are my iptables rules:
iptables -F iptables -t nat -F iptables -P INPUT ACCEPT iptables -P
OUTPUT ACCEPT iptables -P FORWARD ACCEPT iptables -A INPUT -d
172.16.58.0/24 <http://172.16.58.0/24> -m state --state
ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -d 172.16.58.0/24
<http://172.16.58.0/24> -p tcp --dport ssh -j ACCEPT iptables -A
INPUT -d 172.16.58.0/24 <http://172.16.58.0/24> -p tcp --dport www
-j ACCEPT iptables -A INPUT -d 172.16.58.0/24
<http://172.16.58.0/24> -p tcp --dport pptp -j ACCEPT iptables -A
INPUT -d 172.16.58.0/24 <http://172.16.58.0/24> -p tcp --sport
domain -j ACCEPT iptables -A INPUT -d 172.16.58.0/24
<http://172.16.58.0/24> -p tcp --dport domain -j ACCEPT iptables -A
INPUT -d 172.16.58.0/24 <http://172.16.58.0/24> -p udp --sport
domain -j ACCEPT iptables -A INPUT -d 172.16.58.0/24
<http://172.16.58.0/24> -p udp --dport domain -j ACCEPT iptables -A
INPUT -d 172.16.58.0/24 <http://172.16.58.0/24> -p gre -j ACCEPT
iptables -A INPUT -d 172.16.58.0/24 <http://172.16.58.0/24> -p icmp
-j ACCEPT iptables -A INPUT -d 172.16.58.0/24
<http://172.16.58.0/24> -j DROP iptables -t nat -A POSTROUTING -o
eth0 -j MASQUERADE service iptables save
Firstly, do you think I planned the network organisation well? Do
you have other suggestion (best practices) with 2 interfaces?
2015-02-20 18:30 GMT+01:00 Rhys Oxenham <roxenham(a)redhat.com
<mailto:roxenham@redhat.com>>:
Hi Pasquale,
Did you modify your security group rules to allow ICMP and/or
22:tcp access?
Many thanks Rhys
> On 20 Feb 2015, at 17:11, Pasquale Salza
> <pasquale.salza(a)gmail.com
<mailto:pasquale.salza@gmail.com>> wrote:
>
> Hi there, I have a lot of problems with RDO/OpenStack
configuration. Firstly, I need to describe my network situation.
>
> I have 7 machine, each of them with 2 NIC. I would like to use
> one
machine as a controller/network node and the others as compute
nodes.
>
> I would like to use the eth0 to connect nodes to internet (and
> get
access by remote sessions) with the network "172.16.58.0/24
<http://172.16.58.0/24>";, in which I have just 7 available IPs,
and eth1 as configuration network on the network 10.42.100.0/42
<http://10.42.100.0/42>;.
>
> This is my current configuration, for each node (varying the IPs
on each machine):
>
> eth0: DEVICE=eth0 TYPE=Ethernet ONBOOT=yes BOOTPROTO=static
> IPADDR=172.16.58.50 NETMASK=255.255.255.0 GATEWAY=172.16.58.254
> DNS1=172.16.58.50 DOMAIN=### DEFROUTE="yes"
>
> eth1: DEVICE=eth1 TYPE=OVSPort DEVICETYPE=ovs OVS_BRIDGE=br-ex
> ONBOOT=yes
>
> br-ex: DEVICE=br-ex DEVICETYPE=ovs TYPE=OVSBridge
> BOOTPROTO=static IPADDR=10.42.100.1 NETMASK=255.255.255.0
> ONBOOT=yes
>
> I'd like to have instances on 10.42.200.0/24
<http://10.42.200.0/24> virtual private network and the remaining
IPs of 10.42.100.0/24 <http://10.42.100.0/24> network as floating
IPs.
>
> These are the relevant parts of my answers.txt file:
>
> CONFIG_CONTROLLER_HOST=10.42.100.1
>
CONFIG_COMPUTE_HOSTS=10.42.100.10,10.42.100.11,10.42.100.12,10.42.100.13,10.42.100.14,10.42.100.15
CONFIG_NETWORK_HOSTS=10.42.100.1
> CONFIG_AMQP_HOST=10.42.100.1 CONFIG_MARIADB_HOST=10.42.100.1
> CONFIG_NOVA_COMPUTE_PRIVIF=eth1 CONFIG_NOVA_NETWORK_PUBIF=eth1
> CONFIG_NOVA_NETWORK_PRIVIF=eth1
> CONFIG_NOVA_NETWORK_FIXEDRANGE=10.42.200.0/24
<http://10.42.200.0/24>
> CONFIG_NOVA_NETWORK_FLOATRANGE=10.42.100.0/24
<http://10.42.100.0/24>
> CONFIG_NEUTRON_L3_EXT_BRIDGE=br-ex
> CONFIG_NEUTRON_ML2_TYPE_DRIVERS=vxlan
> CONFIG_NEUTRON_ML2_TENANT_NETWORK_TYPES=vxlan
> CONFIG_NEUTRON_ML2_VNI_RANGES=10:100
> CONFIG_NEUTRON_LB_INTERFACE_MAPPINGS=
> CONFIG_NEUTRON_OVS_BRIDGE_MAPPINGS=
> CONFIG_NEUTRON_OVS_BRIDGE_IFACES=
> CONFIG_NEUTRON_OVS_TUNNEL_IF=eth1
>
> After the installation, I configure the network like this:
>
> neutron router-create router neutron net-create private neutron
> subnet-create private 10.42.200.0/24
<http://10.42.200.0/24> --name private-subnet
> neutron router-interface-add router private-subnet neutron
> net-create public --router:external=True neutron subnet-create
> public 10.42.100.0/24
<http://10.42.100.0/24> --name public-subnet --enable_dhcp=False
--allocation-pool start=10.42.100.100,end=10.42.100.200
--no-gateway
> neutron router-gateway-set router public
>
> I'm able to launch instances but I can't get access (ping/ssh)
> to
them.
>
> I don't know if I'm doing something wrong starting from
> planning.
>
> Please, help me!
>
> _______________________________________________ Rdo-list mailing
> list Rdo-list(a)redhat.com <mailto:Rdo-list@redhat.com>
> https://www.redhat.com/mailman/listinfo/rdo-list
>
> To unsubscribe: rdo-list-unsubscribe(a)redhat.com
<mailto:rdo-list-unsubscribe@redhat.com>
-- Pasquale Salza
e-mail: pasquale.salza(a)gmail.com <mailto:pasquale.salza@gmail.com>
phone: +39 393 4415978 fax: +39 089 8422939 skype: pasquale.salza
linkedin: http://it.linkedin.com/in/psalza/
_______________________________________________ Rdo-list mailing
list Rdo-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/rdo-list
To unsubscribe: rdo-list-unsubscribe(a)redhat.com
Those look like the iptables rule on the hypervisor. Rhys is talking
about the Neutron security group rules. By default, ssh into VMs is
not allowed. You need to permit ICMP and SSH in the security rules on
the neutron network.
I don't see anything wrong with your network architecture at first
glance, but floating IPs can be tricky at first. Start with basic
VM-to-VM connectivity and add on from there.
Good luck!
- --
Dan Sneddon | Principal OpenStack Engineer
dsneddon(a)redhat.com | redhat.com/openstack
650.254.4025 | @dxs on twitter
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAEBAgAGBQJU57MFAAoJEFkV3ypsGNbjlrcIAMc+Bp39+BIEhNm7rDjZZ/4m
wcf/ti9vmeMuCyjTAwRUIHUO1l5ZnhoBLh6vdZaPXABEvC1bFT5U7V2Jeyt1z207
1kRrPxUV5mto5/NLOVJIvxR5qKdDGS0O7QPus9ZNeIWEIwQ/gmpqfm6I3PrQUOlq
dqTVAUt5FoKCtPrGilbjX/6m5NEYa9kPO2vsr9C1OTfa9VYEn4LfUlHaQYDg7g/Q
1TQWlvWiMiHGYTzMqsWQdEb/CQosRfc2+Mf5eqO9Ah5CWrVZx14dDL8gQd1vfLGr
sl3ByfVLwBTv3NiVtd1E+E4yOGceOoQ0xn0ysN30DhGxZlfob9ApV6m8PhMdeek=
=vacc
-----END PGP SIGNATURE-----
5:29 p.m.
Whops! I figured out just few seconds after I sent the mail! Ok, tomorrow
I'll try with it. :) I'd like to share how I want to organise my network in
order to get some advices.
Let's say I have 7 machines and 7 spare IPs on the network 172.16.58.0/24
which are also associated to 7 public (internet) IPs.
I'd like to reserve 6 IPs for 6 VMs I could instanciate on OpenStack.
So I planned to do this:
the controller node has a static IP on eth0 of the 7 in 172.16.58.50/24
network so as I can access it from outside. I add an alias eth0:0 with
which I connect the controller to the Management network of OpenStack, the
10.0.1.0/24 network. Also on the controller, I set statically the IP for
eth1 with one of float IPs network 192.168.0.0/16 network. With iptables, I
add the rule of forwarding everithing on eth0 and eth1, so the other nodes
can get Internet access on network 10.0.1.0/24.
On the compute nodes I set eth0 as one of IPs on 10.0.1.0/24 management
network and eth1 as one on 192.168.0.0/16.
Om each node I put the bridge on eth1.
With RDO I put virtualisation and tunneling only on eth1.
When the installatation has finished, I create a private neutron network
10.100.0.0/16 and two public networks of floating IPs. The first is
192.168.0.0/24 for any kind of VM. The other is the 172.16.58.0/24 network,
limited to the 6 available IPs with which I can put virtual machines on
Internet.
Does it make sense or I'm doing some mistakes? Do you have any other idea?
Thank you very much indeed!
Pasquale
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 02/20/2015 02:07 PM, Pasquale Salza wrote:
Hi Rhys, I suppose so, because these are my iptables rules:
iptables -F iptables -t nat -F iptables -P INPUT ACCEPT iptables -P
OUTPUT ACCEPT iptables -P FORWARD ACCEPT iptables -A INPUT -d
172.16.58.0/24 <http://172.16.58.0/24> -m state --state
ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -d 172.16.58.0/24
<http://172.16.58.0/24> -p tcp --dport ssh -j ACCEPT iptables -A
INPUT -d 172.16.58.0/24 <http://172.16.58.0/24> -p tcp --dport www
-j ACCEPT iptables -A INPUT -d 172.16.58.0/24
<http://172.16.58.0/24> -p tcp --dport pptp -j ACCEPT iptables -A
INPUT -d 172.16.58.0/24 <http://172.16.58.0/24> -p tcp --sport
domain -j ACCEPT iptables -A INPUT -d 172.16.58.0/24
<http://172.16.58.0/24> -p tcp --dport domain -j ACCEPT iptables -A
INPUT -d 172.16.58.0/24 <http://172.16.58.0/24> -p udp --sport
domain -j ACCEPT iptables -A INPUT -d 172.16.58.0/24
<http://172.16.58.0/24> -p udp --dport domain -j ACCEPT iptables -A
INPUT -d 172.16.58.0/24 <http://172.16.58.0/24> -p gre -j ACCEPT
iptables -A INPUT -d 172.16.58.0/24 <http://172.16.58.0/24> -p icmp
-j ACCEPT iptables -A INPUT -d 172.16.58.0/24
<http://172.16.58.0/24> -j DROP iptables -t nat -A POSTROUTING -o
eth0 -j MASQUERADE service iptables save
Firstly, do you think I planned the network organisation well? Do
you have other suggestion (best practices) with 2 interfaces?
2015-02-20 18:30 GMT+01:00 Rhys Oxenham <roxenham(a)redhat.com
<mailto:roxenham@redhat.com>>:
Hi Pasquale,
Did you modify your security group rules to allow ICMP and/or
22:tcp access?
Many thanks Rhys
> On 20 Feb 2015, at 17:11, Pasquale Salza
> <pasquale.salza(a)gmail.com
<mailto:pasquale.salza@gmail.com>> wrote:
>
> Hi there, I have a lot of problems with RDO/OpenStack
configuration. Firstly, I need to describe my network situation.
>
> I have 7 machine, each of them with 2 NIC. I would like to use
> one
machine as a controller/network node and the others as compute
nodes.
>
> I would like to use the eth0 to connect nodes to internet (and
> get
access by remote sessions) with the network "172.16.58.0/24
<http://172.16.58.0/24>";, in which I have just 7 available IPs,
and eth1 as configuration network on the network 10.42.100.0/42
<http://10.42.100.0/42>;.
>
> This is my current configuration, for each node (varying the IPs
on each machine):
>
> eth0: DEVICE=eth0 TYPE=Ethernet ONBOOT=yes BOOTPROTO=static
> IPADDR=172.16.58.50 NETMASK=255.255.255.0 GATEWAY=172.16.58.254
> DNS1=172.16.58.50 DOMAIN=### DEFROUTE="yes"
>
> eth1: DEVICE=eth1 TYPE=OVSPort DEVICETYPE=ovs OVS_BRIDGE=br-ex
> ONBOOT=yes
>
> br-ex: DEVICE=br-ex DEVICETYPE=ovs TYPE=OVSBridge
> BOOTPROTO=static IPADDR=10.42.100.1 NETMASK=255.255.255.0
> ONBOOT=yes
>
> I'd like to have instances on 10.42.200.0/24
<http://10.42.200.0/24> virtual private network and the remaining
IPs of 10.42.100.0/24 <http://10.42.100.0/24> network as floating
IPs.
>
> These are the relevant parts of my answers.txt file:
>
> CONFIG_CONTROLLER_HOST=10.42.100.1
>
CONFIG_COMPUTE_HOSTS=10.42.100.10,10.42.100.11,10.42.100.12,10.42.100.13,10.42.100.14,10.42.100.15
CONFIG_NETWORK_HOSTS=10.42.100.1
> CONFIG_AMQP_HOST=10.42.100.1 CONFIG_MARIADB_HOST=10.42.100.1
> CONFIG_NOVA_COMPUTE_PRIVIF=eth1 CONFIG_NOVA_NETWORK_PUBIF=eth1
> CONFIG_NOVA_NETWORK_PRIVIF=eth1
> CONFIG_NOVA_NETWORK_FIXEDRANGE=10.42.200.0/24
<http://10.42.200.0/24>
> CONFIG_NOVA_NETWORK_FLOATRANGE=10.42.100.0/24
<http://10.42.100.0/24>
> CONFIG_NEUTRON_L3_EXT_BRIDGE=br-ex
> CONFIG_NEUTRON_ML2_TYPE_DRIVERS=vxlan
> CONFIG_NEUTRON_ML2_TENANT_NETWORK_TYPES=vxlan
> CONFIG_NEUTRON_ML2_VNI_RANGES=10:100
> CONFIG_NEUTRON_LB_INTERFACE_MAPPINGS=
> CONFIG_NEUTRON_OVS_BRIDGE_MAPPINGS=
> CONFIG_NEUTRON_OVS_BRIDGE_IFACES=
> CONFIG_NEUTRON_OVS_TUNNEL_IF=eth1
>
> After the installation, I configure the network like this:
>
> neutron router-create router neutron net-create private neutron
> subnet-create private 10.42.200.0/24
<http://10.42.200.0/24> --name private-subnet
> neutron router-interface-add router private-subnet neutron
> net-create public --router:external=True neutron subnet-create
> public 10.42.100.0/24
<http://10.42.100.0/24> --name public-subnet --enable_dhcp=False
--allocation-pool start=10.42.100.100,end=10.42.100.200
--no-gateway
> neutron router-gateway-set router public
>
> I'm able to launch instances but I can't get access (ping/ssh)
> to
them.
>
> I don't know if I'm doing something wrong starting from
> planning.
>
> Please, help me!
>
> _______________________________________________ Rdo-list mailing
> list Rdo-list(a)redhat.com <mailto:Rdo-list@redhat.com>
> https://www.redhat.com/mailman/listinfo/rdo-list
>
> To unsubscribe: rdo-list-unsubscribe(a)redhat.com
<mailto:rdo-list-unsubscribe@redhat.com>
-- Pasquale Salza
e-mail: pasquale.salza(a)gmail.com <mailto:pasquale.salza@gmail.com>
phone: +39 393 4415978 fax: +39 089 8422939 skype: pasquale.salza
linkedin: http://it.linkedin.com/in/psalza/
_______________________________________________ Rdo-list mailing
list Rdo-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/rdo-list
To unsubscribe: rdo-list-unsubscribe(a)redhat.com
Those look like the iptables rule on the hypervisor. Rhys is talking
about the Neutron security group rules. By default, ssh into VMs is
not allowed. You need to permit ICMP and SSH in the security rules on
the neutron network.
I don't see anything wrong with your network architecture at first
glance, but floating IPs can be tricky at first. Start with basic
VM-to-VM connectivity and add on from there.
Good luck!
- --
Dan Sneddon | Principal OpenStack Engineer
dsneddon(a)redhat.com | redhat.com/openstack
650.254.4025 | @dxs on twitter
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAEBAgAGBQJU57MFAAoJEFkV3ypsGNbjlrcIAMc+Bp39+BIEhNm7rDjZZ/4m
wcf/ti9vmeMuCyjTAwRUIHUO1l5ZnhoBLh6vdZaPXABEvC1bFT5U7V2Jeyt1z207
1kRrPxUV5mto5/NLOVJIvxR5qKdDGS0O7QPus9ZNeIWEIwQ/gmpqfm6I3PrQUOlq
dqTVAUt5FoKCtPrGilbjX/6m5NEYa9kPO2vsr9C1OTfa9VYEn4LfUlHaQYDg7g/Q
1TQWlvWiMiHGYTzMqsWQdEb/CQosRfc2+Mf5eqO9Ah5CWrVZx14dDL8gQd1vfLGr
sl3ByfVLwBTv3NiVtd1E+E4yOGceOoQ0xn0ysN30DhGxZlfob9ApV6m8PhMdeek=
=vacc
-----END PGP SIGNATURE-----
_______________________________________________
Rdo-list mailing list
Rdo-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/rdo-list
To unsubscribe: rdo-list-unsubscribe(a)redhat.com
6:35 p.m.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 02/20/2015 03:29 PM, Pasquale Salza wrote:
Whops! I figured out just few seconds after I sent the mail! Ok,
tomorrow I'll try with it. :) I'd like to share how I want to
organise my network in order to get some advices.
Let's say I have 7 machines and 7 spare IPs on the network
172.16.58.0/24 <http://172.16.58.0/24> which are also associated to
7 public (internet) IPs.
I'd like to reserve 6 IPs for 6 VMs I could instanciate on
OpenStack.
So I planned to do this: the controller node has a static IP on
eth0 of the 7 in 172.16.58.50/24 <http://172.16.58.50/24> network
so as I can access it from outside. I add an alias eth0:0 with
which I connect the controller to the Management network of
OpenStack, the 10.0.1.0/24 <http://10.0.1.0/24> network. Also on
the controller, I set statically the IP for eth1 with one of float
IPs network 192.168.0.0/16 <http://192.168.0.0/16> network. With
iptables, I add the rule of forwarding everithing on eth0 and
eth1, so the other nodes can get Internet access on network
10.0.1.0/24 <http://10.0.1.0/24>;.
On the compute nodes I set eth0 as one of IPs on 10.0.1.0/24
<http://10.0.1.0/24> management network and eth1 as one on
192.168.0.0/16 <http://192.168.0.0/16>;.
Om each node I put the bridge on eth1.
With RDO I put virtualisation and tunneling only on eth1.
When the installatation has finished, I create a private neutron
network 10.100.0.0/16 <http://10.100.0.0/16> and two public
networks of floating IPs. The first is 192.168.0.0/24
<http://192.168.0.0/24> for any kind of VM. The other is the
172.16.58.0/24 <http://172.16.58.0/24> network, limited to the 6
available IPs with which I can put virtual machines on Internet.
Does it make sense or I'm doing some mistakes? Do you have any
other idea?
Thank you very much indeed!
Pasquale
On 02/20/2015 02:07 PM, Pasquale Salza wrote:
> Hi Rhys, I suppose so, because these are my iptables rules:
> iptables -F iptables -t nat -F iptables -P INPUT ACCEPT iptables
> -P OUTPUT ACCEPT iptables -P FORWARD ACCEPT iptables -A INPUT -d
> 172.16.58.0/24 <http://172.16.58.0/24> <http://172.16.58.0/24>
> -m
state --state
> ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -d
> 172.16.58.0/24
<http://172.16.58.0/24>
> <http://172.16.58.0/24> -p tcp --dport ssh -j ACCEPT iptables -A
> INPUT -d 172.16.58.0/24 <http://172.16.58.0/24>
<http://172.16.58.0/24> -p tcp --dport www
> -j ACCEPT iptables -A INPUT -d 172.16.58.0/24
> <http://172.16.58.0/24> <http://172.16.58.0/24> -p tcp --dport
> pptp -j ACCEPT iptables -A INPUT -d 172.16.58.0/24
> <http://172.16.58.0/24>
<http://172.16.58.0/24> -p tcp --sport
> domain -j ACCEPT iptables -A INPUT -d 172.16.58.0/24
<http://172.16.58.0/24>
> <http://172.16.58.0/24> -p tcp --dport domain -j ACCEPT iptables
> -A INPUT -d 172.16.58.0/24 <http://172.16.58.0/24>
<http://172.16.58.0/24> -p udp --sport
> domain -j ACCEPT iptables -A INPUT -d 172.16.58.0/24
<http://172.16.58.0/24>
> <http://172.16.58.0/24> -p udp --dport domain -j ACCEPT iptables
> -A INPUT -d 172.16.58.0/24 <http://172.16.58.0/24>
<http://172.16.58.0/24> -p gre -j ACCEPT
> iptables -A INPUT -d 172.16.58.0/24 <http://172.16.58.0/24>
<http://172.16.58.0/24> -p icmp
> -j ACCEPT iptables -A INPUT -d 172.16.58.0/24
> <http://172.16.58.0/24> <http://172.16.58.0/24> -j DROP iptables
> -t nat -A POSTROUTING -o eth0 -j MASQUERADE service iptables
> save
> Firstly, do you think I planned the network organisation well?
> Do you have other suggestion (best practices) with 2 interfaces?
> 2015-02-20 18:30 GMT+01:00 Rhys Oxenham <roxenham(a)redhat.com
<mailto:roxenham@redhat.com>
> <mailto:roxenham@redhat.com <mailto:roxenham@redhat.com>>>:
> Hi Pasquale,
> Did you modify your security group rules to allow ICMP and/or
> 22:tcp access?
> Many thanks Rhys
>> On 20 Feb 2015, at 17:11, Pasquale Salza
>> <pasquale.salza(a)gmail.com <mailto:pasquale.salza@gmail.com>
> <mailto:pasquale.salza@gmail.com
> <mailto:pasquale.salza@gmail.com>>>
wrote:
>>
>> Hi there, I have a lot of problems with RDO/OpenStack
> configuration. Firstly, I need to describe my network situation.
>>
>> I have 7 machine, each of them with 2 NIC. I would like to use
>> one
> machine as a controller/network node and the others as compute
> nodes.
>>
>> I would like to use the eth0 to connect nodes to internet (and
>> get
> access by remote sessions) with the network "172.16.58.0/24
<http://172.16.58.0/24>
> <http://172.16.58.0/24>";, in which I have just 7 available IPs,
> and eth1 as configuration network on the network 10.42.100.0/42
<http://10.42.100.0/42>
> <http://10.42.100.0/42>;.
>>
>> This is my current configuration, for each node (varying the
>> IPs
> on each machine):
>>
>> eth0: DEVICE=eth0 TYPE=Ethernet ONBOOT=yes BOOTPROTO=static
>> IPADDR=172.16.58.50 NETMASK=255.255.255.0
>> GATEWAY=172.16.58.254 DNS1=172.16.58.50 DOMAIN=###
>> DEFROUTE="yes"
>>
>> eth1: DEVICE=eth1 TYPE=OVSPort DEVICETYPE=ovs OVS_BRIDGE=br-ex
>> ONBOOT=yes
>>
>> br-ex: DEVICE=br-ex DEVICETYPE=ovs TYPE=OVSBridge
>> BOOTPROTO=static IPADDR=10.42.100.1 NETMASK=255.255.255.0
>> ONBOOT=yes
>>
>> I'd like to have instances on 10.42.200.0/24
>> <http://10.42.200.0/24>
> <http://10.42.200.0/24> virtual private network and the
> remaining IPs of 10.42.100.0/24 <http://10.42.100.0/24>
> <http://10.42.100.0/24>
network as floating
> IPs.
>>
>> These are the relevant parts of my answers.txt file:
>>
>> CONFIG_CONTROLLER_HOST=10.42.100.1
>>
CONFIG_COMPUTE_HOSTS=10.42.100.10,10.42.100.11,10.42.100.12,10.42.100.13,10.42.100.14,10.42.100.15
> CONFIG_NETWORK_HOSTS=10.42.100.1
>> CONFIG_AMQP_HOST=10.42.100.1 CONFIG_MARIADB_HOST=10.42.100.1
>> CONFIG_NOVA_COMPUTE_PRIVIF=eth1 CONFIG_NOVA_NETWORK_PUBIF=eth1
>> CONFIG_NOVA_NETWORK_PRIVIF=eth1
>> CONFIG_NOVA_NETWORK_FIXEDRANGE=10.42.200.0/24
>> <http://10.42.200.0/24>
> <http://10.42.200.0/24>
>> CONFIG_NOVA_NETWORK_FLOATRANGE=10.42.100.0/24
>> <http://10.42.100.0/24>
> <http://10.42.100.0/24>
>> CONFIG_NEUTRON_L3_EXT_BRIDGE=br-ex
>> CONFIG_NEUTRON_ML2_TYPE_DRIVERS=vxlan
>> CONFIG_NEUTRON_ML2_TENANT_NETWORK_TYPES=vxlan
>> CONFIG_NEUTRON_ML2_VNI_RANGES=10:100
>> CONFIG_NEUTRON_LB_INTERFACE_MAPPINGS=
>> CONFIG_NEUTRON_OVS_BRIDGE_MAPPINGS=
>> CONFIG_NEUTRON_OVS_BRIDGE_IFACES=
>> CONFIG_NEUTRON_OVS_TUNNEL_IF=eth1
>>
>> After the installation, I configure the network like this:
>>
>> neutron router-create router neutron net-create private
>> neutron subnet-create private 10.42.200.0/24
>> <http://10.42.200.0/24>
> <http://10.42.200.0/24> --name private-subnet
>> neutron router-interface-add router private-subnet neutron
>> net-create public --router:external=True neutron subnet-create
>> public 10.42.100.0/24 <http://10.42.100.0/24>
> <http://10.42.100.0/24> --name public-subnet --enable_dhcp=False
> --allocation-pool start=10.42.100.100,end=10.42.100.200
> --no-gateway
>> neutron router-gateway-set router public
>>
>> I'm able to launch instances but I can't get access (ping/ssh)
>> to
> them.
>>
>> I don't know if I'm doing something wrong starting from
>> planning.
>>
>> Please, help me!
>>
>> _______________________________________________ Rdo-list
>> mailing list Rdo-list(a)redhat.com <mailto:Rdo-list@redhat.com>
<mailto:Rdo-list@redhat.com <mailto:Rdo-list@redhat.com>>
>> https://www.redhat.com/mailman/listinfo/rdo-list
>>
>> To unsubscribe: rdo-list-unsubscribe(a)redhat.com
<mailto:rdo-list-unsubscribe@redhat.com>
> <mailto:rdo-list-unsubscribe@redhat.com
<mailto:rdo-list-unsubscribe@redhat.com>>
> -- Pasquale Salza
> e-mail: pasquale.salza(a)gmail.com
> <mailto:pasquale.salza@gmail.com>
<mailto:pasquale.salza@gmail.com
<mailto:pasquale.salza@gmail.com>>
> phone: +39 393 4415978 <tel:%2B39%20393%204415978> fax: +39 089
8422939 <tel:%2B39%20089%208422939> skype: pasquale.salza
> linkedin: http://it.linkedin.com/in/psalza/
> _______________________________________________ Rdo-list mailing
> list Rdo-list(a)redhat.com <mailto:Rdo-list@redhat.com>
> https://www.redhat.com/mailman/listinfo/rdo-list
> To unsubscribe: rdo-list-unsubscribe(a)redhat.com
<mailto:rdo-list-unsubscribe@redhat.com>
Those look like the iptables rule on the hypervisor. Rhys is
talking about the Neutron security group rules. By default, ssh
into VMs is not allowed. You need to permit ICMP and SSH in the
security rules on the neutron network.
I don't see anything wrong with your network architecture at first
glance, but floating IPs can be tricky at first. Start with basic
VM-to-VM connectivity and add on from there.
Good luck!
_______________________________________________ Rdo-list mailing
list Rdo-list(a)redhat.com <mailto:Rdo-list@redhat.com>
https://www.redhat.com/mailman/listinfo/rdo-list
To unsubscribe: rdo-list-unsubscribe(a)redhat.com
<mailto:rdo-list-unsubscribe@redhat.com>
That sounds like it should work, but one of those 6 IP addresses will
need to be used for the Neutron router (that IP will be used for SNAT
for VMs that have no floating IP).
I'm not sure what you mean when you say "I'd like to reserve 6 IPs for
6 VMs I could instanciate on OpenStack." You can instantiate more than
one VM on each compute node, and if you have 6 compute nodes then
depending on size you could have dozens of VMs. Maybe you just mean
you could instantiate 6 VMs with public IPs? Actually, due to the
router IP, you would be limited to 5.
Make sure you add the floating IP network as an external net. Since
your router will not be taking the .1 address, you will need to create
the port by hand with the chosen IP and add it to the router.
$ neutron net-create externalnet -- --router:external=True
$ neutron subnet-create externalnet 172.16.58.0/24 --name external \
- --enable_dhcp=False --allocation_pool start=172.16.58.x,\
end=172.16.58.x --gateway 172.16.58.x
(use your network gateway here - change the IP addresses in the
allocation range to match what is available on your network)
$ neutron router-create extrouter
(name of your router)
$ neutron port-create externalnet --fixed-ip 172.16.58.x
(use desired router IP)
$ neutron router-interface-add extrouter port=$portid
(port id from previous command)
$ neutron router-interface-add extrouter subnet=public
(replace public with the name of the 192.168.0.0/24 network)
Once that is done, you should be able to assign a floating IP to any
VM that has an interface on the 192.168.0.0/24 network.
P.S. - Several times in your email you mentioned 192.168.0.0/16, but
that's not a valid network. I assume you mean 192.168.0.0/24.
- --
Dan Sneddon | Principal OpenStack Engineer
dsneddon(a)redhat.com | redhat.com/openstack
650.254.4025 | @dxs on twitter
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAEBAgAGBQJU59LXAAoJEFkV3ypsGNbjU+AIALtTHElzciDOEn4jzpOppgwO
cQWXIWx3ycfvx9mx77XQR99Xp0l+S1L6ZKRrwvQX3KFDFLNINUt19BW9yGHMaA5m
g8TeH06vPXrmWIeLH+UwluMhAe8p5aM51UcJyYtkkbpvUroj+xoDsxU5ukbOS6Kr
YXUT44Rg1Js7/mSsgo6sIutmMHFpuExQI2ERbFmG1qLIpOSXwFaIsyLGJW+U7T6f
0zSdUGxim6Tw2pBx44C3HAAP70fzP+3xxm14XK3Av/bZELSsVMB31hkvj9oYCe4s
uAS3jro9+DUygZ2Yi26znJ+xHVOYzEyZ/RM61FY+OOt4I7wAOtkY++z1WqUVzEA=
=2NHc
-----END PGP SIGNATURE-----
3558
days inactive
3558
days old
6 comments
4 participants
participants (4)
-
Dan Sneddon -
Mohammed Arafa -
Pasquale Salza -
Rhys Oxenham