[Rdo-list] Can't ping/ssh to new instance

Eric Berg eberg at rubensteintech.com
Wed May 21 14:25:06 UTC 2014

Thanks, Kashyap.

I have made some progress in that I was able to connect to my cirros 
image from the public network, but only from the host on which openstack 
is installed and on which the instance is running.

At the end of Lars's video, mentioned below, he assigns a gateway ip 
address to the public ( network to the br-ex device, and 
then adds a rule that I translated into this command:

iptables -t nat -I POSTROUTING 1 -s -j MASQUERADE

but this breaks the connectivity, so I removed that so that I could 
still ssh into the cirros instance from my physical host.

Currently, I'm able to log in from the openstack physical host, but not 
from the rest of my network.

My networking is a little bit rusty, so I'm not sure what the next step 
is to allow me to log into the instances on the network 
from existing hosts on the network.

BTW, is there a script that will provide a dump of the configurations 
like the one for which you provided a URL below?

Thanks again.


On 5/21/14, 4:24 AM, Kashyap Chamarthy wrote:
> On Tue, May 20, 2014 at 01:17:21PM -0400, Eric Berg wrote:
>> I've done a fresh install of RDO using packstack on a single host like this:
>>    packstack --allinone --provision-all-in-one-ovs-bridge=n
>> And then followed the instructions here:
>> http://openstack.redhat.com/Neutron_with_existing_external_network
>> I've also generally followed Lars's approach from this video with the same
>> lack of connectivity: https://www.youtube.com/watch?v=DGf-ny25OAw
>> My public network is
>> But I'm not able to ping or ssh from my 1902.168.0.0 network, the host
>> running OpenStack is at
>> My instance is up and running with a IP and floating
>> IP.
>> I can ping, but not
>> I can use the net namespace approach to log into my cirros instance, but
>> can't get to hosts.
> That at-sounds you've got most of it right. You're not able to SSH via
> floating IPs.
> Couple of things:
>   - You might want to check if your iptables rules are correct. i.e. when
>     you run something like this, you should see SNAT/DNAT rules:
>      $ ip netns exec qrouter-2c7ba7dc-0101-417a-b76d-1cae17ae654e iptables -t nat -L -nv | grep NAT
>          0     0 DNAT       all  --  *      *         to:
>          0     0 DNAT       all  --  *      *         to:
>         26  1704 ACCEPT     all  --  !qg-fb9ff0ad-56 !qg-fb9ff0ad-56              ! ctstate DNAT
>          0     0 DNAT       all  --  *      *         to:
>          5   324 DNAT       all  --  *      *         to:
>          0     0 SNAT       all  --  *      *              to:
>          0     0 SNAT       all  --  *      *              to:
>          0     0 SNAT       all  --  *      *            to:
>   - Ensure you have security group rules for SSH are set correctly (you
>     can enumerate them by doing '$ neutron security-group-rule-list')
> I recently did a 2-node IceHouse install (but this is manual setup),
> here[1] are my configurations of Nova/Neutron and iptables rules (scroll
> down to bottom).
>> This is my first OpenStack install.   I'm a little confused at how a
>> stock installation (based on packstack) could somehow not include the
>> ability to access the VMs from the network on which the OS compute
>> host is running.
>> Any help troubleshooting this would be greatly appreciated.
>    [1] http://kashyapc.fedorapeople.org/virt/openstack/rdo/IceHouse-Nova-Neutron-ML2-GRE-OVS.txt

Eric Berg
Sr. Software Engineer
Rubenstein Technology Group
55 Broad Street, 14th Floor
New York, NY 10004-2501

(212) 518-6400
(212) 518-6467 fax
eberg at rubensteintech.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.rdoproject.org/pipermail/dev/attachments/20140521/70c29f52/attachment.html>

More information about the dev mailing list