[Rdo-list] Can't ping/ssh to new instance

Kashyap Chamarthy kchamart at redhat.com
Wed May 21 08:24:14 UTC 2014


On Tue, May 20, 2014 at 01:17:21PM -0400, Eric Berg wrote:
> I've done a fresh install of RDO using packstack on a single host like this:
> 
>   packstack --allinone --provision-all-in-one-ovs-bridge=n
> 
> And then followed the instructions here:
> 
> http://openstack.redhat.com/Neutron_with_existing_external_network
> 
> I've also generally followed Lars's approach from this video with the same
> lack of connectivity: https://www.youtube.com/watch?v=DGf-ny25OAw
> 
> My public network is 192.168.20.0/24.
> 
> But I'm not able to ping or ssh from my 1902.168.0.0 network, the host
> running OpenStack is at 192.168.0.37.
> 
> My instance is up and running with a 10.0.0.2 IP and 192.168.20.4 floating
> IP.
> 
> I can ping 192.168.20.3, but not 192.168.20.4.
> 
> I can use the net namespace approach to log into my cirros instance, but
> can't get to 192.168.20.0/24 hosts.

That sounds like you've got most of it right. You're not able to SSH via
floating IPs.

Couple of things:

 - You might want to check if your iptables rules are correct. i.e. when
   you run something like this, you should see SNAT/DNAT rules:

    $ ip netns exec qrouter-2c7ba7dc-0101-417a-b76d-1cae17ae654e iptables -t nat -L -nv | grep NAT                        
        0     0 DNAT       all  --  *      *       0.0.0.0/0            192.169.142.12       to:30.0.0.26
        0     0 DNAT       all  --  *      *       0.0.0.0/0            192.169.142.13       to:30.0.0.25
       26  1704 ACCEPT     all  --  !qg-fb9ff0ad-56 !qg-fb9ff0ad-56  0.0.0.0/0            0.0.0.0/0            ! ctstate DNAT
        0     0 DNAT       all  --  *      *       0.0.0.0/0            192.169.142.12       to:30.0.0.26
        5   324 DNAT       all  --  *      *       0.0.0.0/0            192.169.142.13       to:30.0.0.25
        0     0 SNAT       all  --  *      *       30.0.0.26            0.0.0.0/0            to:192.169.142.12
        0     0 SNAT       all  --  *      *       30.0.0.25            0.0.0.0/0            to:192.169.142.13
        0     0 SNAT       all  --  *      *       30.0.0.0/24          0.0.0.0/0            to:192.169.142.10


 - Ensure your security group rules for SSH are set correctly (you
   can enumerate them by doing '$ neutron security-group-rule-list')

I recently did a 2-node IceHouse install (but this is manual setup),
here[1] are my configurations of Nova/Neutron and iptables rules (scroll
down to bottom).


> This is my first OpenStack install.   I'm a little confused at how a
> stock installation (based on packstack) could somehow not include the
> ability to access the VMs from the network on which the OS compute
> host is running.
> 
> Any help troubleshooting this would be greatly appreciated.


  [1] http://kashyapc.fedorapeople.org/virt/openstack/rdo/IceHouse-Nova-Neutron-ML2-GRE-OVS.txt

-- 
/kashyap
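
The NAT check suggested in the reply above, as an added example that is not part of the original post: it reads an `iptables -t nat -L -nv` listing and reports whether one floating IP has both its DNAT and its SNAT rule. The function names check_floating_nat and sample_rules are hypothetical; the sample input is the listing quoted in the reply.

```shell
#!/bin/sh
# Added example (not from the original post): check both NAT directions for
# one floating IP in `iptables -t nat -L -nv` output read from stdin.
# Usage: check_floating_nat FLOATING_IP FIXED_IP
# Prints "ok dnat_pkts=N", "missing-dnat", "missing-snat" or "missing-both";
# returns 0 only when both the DNAT and the SNAT rule exist.
check_floating_nat() {
    awk -v fip="$1" -v fixed="$2" '
        # Columns: pkts bytes target prot opt in out source destination extra
        $3 == "DNAT" && $9 == fip && $NF == ("to:" fixed) { dnat = 1; pkts += $1 }
        $3 == "SNAT" && $8 == fixed && $NF == ("to:" fip) { snat = 1 }
        END {
            if (dnat && snat) { print "ok dnat_pkts=" (pkts + 0); exit 0 }
            if (!dnat && !snat) { print "missing-both"; exit 1 }
            print (dnat ? "missing-snat" : "missing-dnat")
            exit 1
        }'
}

# Sample input: the rule listing quoted in the reply above.
sample_rules() {
    cat <<'EOF'
    0     0 DNAT       all  --  *      *       0.0.0.0/0            192.169.142.12       to:30.0.0.26
    0     0 DNAT       all  --  *      *       0.0.0.0/0            192.169.142.13       to:30.0.0.25
   26  1704 ACCEPT     all  --  !qg-fb9ff0ad-56 !qg-fb9ff0ad-56  0.0.0.0/0            0.0.0.0/0            ! ctstate DNAT
    0     0 DNAT       all  --  *      *       0.0.0.0/0            192.169.142.12       to:30.0.0.26
    5   324 DNAT       all  --  *      *       0.0.0.0/0            192.169.142.13       to:30.0.0.25
    0     0 SNAT       all  --  *      *       30.0.0.26            0.0.0.0/0            to:192.169.142.12
    0     0 SNAT       all  --  *      *       30.0.0.25            0.0.0.0/0            to:192.169.142.13
    0     0 SNAT       all  --  *      *       30.0.0.0/24          0.0.0.0/0            to:192.169.142.10
EOF
}

# Demo on the sample. On a live host, pipe in the real listing instead:
#   ip netns exec qrouter-<router-id> iptables -t nat -L -nv | check_floating_nat FIP FIXED
sample_rules | check_floating_nat 192.169.142.13 30.0.0.25
# A pair that is absent from the listing (addresses from the question above):
sample_rules | check_floating_nat 192.168.20.4 10.0.0.2 || :
```

A DNAT rule that exists but still shows zero packets after a ping attempt suggests the traffic never reached the router namespace. Large counters are abbreviated (K, M) unless `-x` is added to the iptables command.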



