[Rdo-list] Can't ping/ssh to new instance
Kashyap Chamarthy
kchamart at redhat.com
Wed May 21 17:31:00 UTC 2014
> Thanks, Kashyap.
>
> I have made some progress in that I was able to connect to my cirros
> image from the public network, but only from the host on which openstack
> is installed and on which the instance is running.
>
> At the end of Lars's video, mentioned below, he assigns a gateway ip
> address to the public (192.168.20.0/24) network to the br-ex device, and
> then adds a rule that I translated into this command:
>
> iptables -t nat -I POSTROUTING 1 -s 192.168.20.0/24 -j MASQUERADE
>
>
> but this breaks the connectivity, so I removed that so that I could
> still ssh into the cirros instance from my physical host.
>
> Currently, I'm able to log in from the openstack physical host, but not
> from the rest of my 192.168.0.0 network.
>
> My networking is a little bit rusty, so I'm not sure what the next step
> is to allow me to log into the instances on the 192.168.20.0/24 network
> from existing hosts on the 192.168.0.0 network.

I'm only just shooting in the dark -- it could possibly be some routing
issues as you're using default libvirt network for Floating IP.

FWIW, I usually create a non-default libvirt network like that[1] for
OpenStack setups (as my Controller/Compute nodes themselves are virtual
machines).

[1] http://kashyapc.fedorapeople.org/virt/create-a-new-libvirt-bridge.txt

>
> BTW, is there a script that will provide a dump of the configurations
> like the one for which you provided a URL below?

No, I just generated it manually and indented it a bit for readability.
But a trivial shell script can be written to that effect.

/kashyap

>
> On 5/21/14, 4:24 AM, Kashyap Chamarthy wrote:
> > On Tue, May 20, 2014 at 01:17:21PM -0400, Eric Berg wrote:
> >> I've done a fresh install of RDO using packstack on a single host like
> >> this:
> >>
> >> packstack --allinone --provision-all-in-one-ovs-bridge=n
> >>
> >> And then followed the instructions here:
> >>
> >> http://openstack.redhat.com/Neutron_with_existing_external_network
> >>
> >> I've also generally followed Lars's approach from this video with the same
> >> lack of connectivity: https://www.youtube.com/watch?v=DGf-ny25OAw
> >>
> >> My public network is 192.168.20.0/24.
> >>
> >> But I'm not able to ping or ssh from my 192.168.0.0 network, the host
> >> running OpenStack is at 192.168.0.37.
> >>
> >> My instance is up and running with a 10.0.0.2 IP and 192.168.20.4 floating
> >> IP.
> >>
> >> I can ping 192.168.20.3, but not 192.168.20.4.
> >>
> >> I can use the net namespace approach to log into my cirros instance, but
> >> can't get to 192.168.20.0/24 hosts.
> > That sounds like you've got most of it right. You're not able to SSH via
> > floating IPs.
> >
> > Couple of things:
> >
> > - You might want to check if your iptables rules are correct. i.e. when
> > you run something like this, you should see SNAT/DNAT rules:
> >
> >     $ ip netns exec qrouter-2c7ba7dc-0101-417a-b76d-1cae17ae654e iptables -t nat -L -nv | grep NAT
> >         0     0 DNAT    all  --  *  *  0.0.0.0/0    192.169.142.12  to:30.0.0.26
> >         0     0 DNAT    all  --  *  *  0.0.0.0/0    192.169.142.13  to:30.0.0.25
> >        26  1704 ACCEPT  all  --  !qg-fb9ff0ad-56 !qg-fb9ff0ad-56  0.0.0.0/0  0.0.0.0/0  ! ctstate DNAT
> >         0     0 DNAT    all  --  *  *  0.0.0.0/0    192.169.142.12  to:30.0.0.26
> >         5   324 DNAT    all  --  *  *  0.0.0.0/0    192.169.142.13  to:30.0.0.25
> >         0     0 SNAT    all  --  *  *  30.0.0.26    0.0.0.0/0       to:192.169.142.12
> >         0     0 SNAT    all  --  *  *  30.0.0.25    0.0.0.0/0       to:192.169.142.13
> >         0     0 SNAT    all  --  *  *  30.0.0.0/24  0.0.0.0/0       to:192.169.142.10
> >
> >
> > - Ensure your security group rules for SSH are set correctly (you
> > can enumerate them by doing '$ neutron security-group-rule-list')
> >
> > I recently did a 2-node IceHouse install (but this is manual setup),
> > here[1] are my configurations of Nova/Neutron and iptables rules (scroll
> > down to bottom).
> >
> >
> >> This is my first OpenStack install. I'm a little confused at how a
> >> stock installation (based on packstack) could somehow not include the
> >> ability to access the VMs from the network on which the OS compute
> >> host is running.
> >>
> >> Any help troubleshooting this would be greatly appreciated.
> >
> > [1]
> > http://kashyapc.fedorapeople.org/virt/openstack/rdo/IceHouse-Nova-Neutron-ML2-GRE-OVS.txt
> >
>
> --
> Eric Berg
> Sr. Software Engineer
> Rubenstein Technology Group
> 55 Broad Street, 14th Floor
> New York, NY 10004-2501
>
> (212) 518-6400
> (212) 518-6467 fax
> eberg at rubensteintech.com
> www.rubensteintech.com
>
>
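
The SNAT/DNAT check described in the quoted reply above, as an added example that is not part of the original thread: a shell function that reads the `iptables -t nat -L -nv` listing from a router namespace and reports every floating IP whose DNAT rule has no matching per-instance SNAT rule (or the reverse). The function names, the status labels and the sample listing are assumptions made for this example; the sample is constructed from the addresses in the quoted output, with one SNAT rule left out on purpose.

```shell
#!/bin/sh
# Added example (not from the thread): audit floating-IP NAT pairs.
# Real use, with a placeholder router UUID:
#   ip netns exec qrouter-<router-uuid> iptables -t nat -L -nv | check_floating_nat

# Reads `iptables -t nat -L -nv` text on stdin. Columns with -nv are:
#   pkts bytes target prot opt in out source destination [to:ADDR]
check_floating_nat() {
    awk '
        # DNAT: traffic to the floating IP ($9) is rewritten to the fixed IP.
        $3 == "DNAT" && $10 ~ /^to:/ { dnat[$9] = substr($10, 4) }
        # Per-instance SNAT: the fixed IP ($8) leaves as the floating IP.
        # A source with a prefix length is the router default SNAT; skip it.
        $3 == "SNAT" && $8 !~ /\// && $10 ~ /^to:/ { snat[substr($10, 4)] = $8 }
        END {
            for (fip in dnat) {
                if ((fip in snat) && snat[fip] == dnat[fip])
                    print "OK " fip " <-> " dnat[fip]
                else   # SNAT rule missing, or it points at another fixed IP
                    print "MISSING_SNAT " fip " -> " dnat[fip]
            }
            for (fip in snat)
                if (!(fip in dnat))
                    print "MISSING_DNAT " fip " <- " snat[fip]
        }
    ' | sort
}

# Constructed sample listing: the SNAT rule for 30.0.0.25 is deliberately absent.
sample_rules() {
    cat <<'EOF'
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target  prot opt in  out  source       destination
    0     0 DNAT    all  --  *   *    0.0.0.0/0    192.169.142.12  to:30.0.0.26
    5   324 DNAT    all  --  *   *    0.0.0.0/0    192.169.142.13  to:30.0.0.25
   26  1704 ACCEPT  all  --  !qg-fb9ff0ad-56 !qg-fb9ff0ad-56 0.0.0.0/0 0.0.0.0/0 ! ctstate DNAT
    0     0 SNAT    all  --  *   *    30.0.0.26    0.0.0.0/0       to:192.169.142.12
    0     0 SNAT    all  --  *   *    30.0.0.0/24  0.0.0.0/0       to:192.169.142.10
EOF
}

sample_rules | check_floating_nat
```

An `OK` line only confirms that the NAT pair exists in the namespace; security group rules and routing from the external network still have to be checked separately.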