[Rdo-list] I can't get access to VM instances

Pasquale Salza pasquale.salza at gmail.com
Fri Feb 20 23:29:06 UTC 2015


Whoops! I figured it out just a few seconds after I sent the mail! Ok, tomorrow
I'll try with it. :) I'd like to share how I want to organise my network in
order to get some advice.

Let's say I have 7 machines and 7 spare IPs on the network 172.16.58.0/24,
which are also associated with 7 public (internet) IPs.

I'd like to reserve 6 IPs for 6 VMs I could instantiate on OpenStack.

So I planned to do this:
the controller node has a static IP on eth0, one of the 7 in the 172.16.58.50/24
network, so that I can access it from outside. I add an alias eth0:0 with
which I connect the controller to the Management network of OpenStack, the
10.0.1.0/24 network. Also on the controller, I set statically the IP for
eth1 with one of the floating IPs in the 192.168.0.0/16 network. With iptables, I
add the rule of forwarding everything between eth0 and eth1, so the other nodes
can get Internet access on network 10.0.1.0/24.

On the compute nodes I set eth0 as one of IPs on 10.0.1.0/24 management
network and eth1 as one on 192.168.0.0/16.

On each node I put the bridge on eth1.

With RDO I put virtualisation and tunneling only on eth1.

When the installation has finished, I create a private neutron network
10.100.0.0/16 and two public networks of floating IPs. The first is
192.168.0.0/24 for any kind of VM. The other is the 172.16.58.0/24 network,
limited to the 6 available IPs, with which I can put virtual machines on the
Internet.

Does it make sense or am I making some mistakes? Do you have any other ideas?

Thank you very much indeed!

Pasquale

On 02/20/2015 02:07 PM, Pasquale Salza wrote:
> Hi Rhys, I suppose so, because these are my iptables rules:
>
> iptables -F
> iptables -t nat -F
> iptables -P INPUT ACCEPT
> iptables -P OUTPUT ACCEPT
> iptables -P FORWARD ACCEPT
> iptables -A INPUT -d 172.16.58.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -d 172.16.58.0/24 -p tcp --dport ssh -j ACCEPT
> iptables -A INPUT -d 172.16.58.0/24 -p tcp --dport www -j ACCEPT
> iptables -A INPUT -d 172.16.58.0/24 -p tcp --dport pptp -j ACCEPT
> iptables -A INPUT -d 172.16.58.0/24 -p tcp --sport domain -j ACCEPT
> iptables -A INPUT -d 172.16.58.0/24 -p tcp --dport domain -j ACCEPT
> iptables -A INPUT -d 172.16.58.0/24 -p udp --sport domain -j ACCEPT
> iptables -A INPUT -d 172.16.58.0/24 -p udp --dport domain -j ACCEPT
> iptables -A INPUT -d 172.16.58.0/24 -p gre -j ACCEPT
> iptables -A INPUT -d 172.16.58.0/24 -p icmp -j ACCEPT
> iptables -A INPUT -d 172.16.58.0/24 -j DROP
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> service iptables save
>
> Firstly, do you think I planned the network organisation well? Do
> you have other suggestions (best practices) with 2 interfaces?
>
>
> 2015-02-20 18:30 GMT+01:00 Rhys Oxenham <roxenham at redhat.com>:
>
> Hi Pasquale,
>
> Did you modify your security group rules to allow ICMP and/or
> 22:tcp access?
>
> Many thanks Rhys
>
>> On 20 Feb 2015, at 17:11, Pasquale Salza <pasquale.salza at gmail.com> wrote:
>>
>> Hi there, I have a lot of problems with RDO/OpenStack configuration.
>> Firstly, I need to describe my network situation.
>>
>> I have 7 machines, each of them with 2 NICs. I would like to use one
>> machine as a controller/network node and the others as compute nodes.
>>
>> I would like to use eth0 to connect nodes to the internet (and get
>> access by remote sessions) with the network "172.16.58.0/24", in which
>> I have just 7 available IPs, and eth1 as the configuration network on
>> the network 10.42.100.0/42.
>>
>> This is my current configuration, for each node (varying the IPs on
>> each machine):
>>
>> eth0:
>> DEVICE=eth0
>> TYPE=Ethernet
>> ONBOOT=yes
>> BOOTPROTO=static
>> IPADDR=172.16.58.50
>> NETMASK=255.255.255.0
>> GATEWAY=172.16.58.254
>> DNS1=172.16.58.50
>> DOMAIN=###
>> DEFROUTE="yes"
>>
>> eth1:
>> DEVICE=eth1
>> TYPE=OVSPort
>> DEVICETYPE=ovs
>> OVS_BRIDGE=br-ex
>> ONBOOT=yes
>>
>> br-ex:
>> DEVICE=br-ex
>> DEVICETYPE=ovs
>> TYPE=OVSBridge
>> BOOTPROTO=static
>> IPADDR=10.42.100.1
>> NETMASK=255.255.255.0
>> ONBOOT=yes
>>
>> I'd like to have instances on the 10.42.200.0/24 virtual private network
>> and the remaining IPs of the 10.42.100.0/24 network as floating IPs.
>>
>> These are the relevant parts of my answers.txt file:
>>
>> CONFIG_CONTROLLER_HOST=10.42.100.1
>> CONFIG_COMPUTE_HOSTS=10.42.100.10,10.42.100.11,10.42.100.12,10.42.100.13,10.42.100.14,10.42.100.15
>> CONFIG_NETWORK_HOSTS=10.42.100.1
>> CONFIG_AMQP_HOST=10.42.100.1
>> CONFIG_MARIADB_HOST=10.42.100.1
>> CONFIG_NOVA_COMPUTE_PRIVIF=eth1
>> CONFIG_NOVA_NETWORK_PUBIF=eth1
>> CONFIG_NOVA_NETWORK_PRIVIF=eth1
>> CONFIG_NOVA_NETWORK_FIXEDRANGE=10.42.200.0/24
>> CONFIG_NOVA_NETWORK_FLOATRANGE=10.42.100.0/24
>> CONFIG_NEUTRON_L3_EXT_BRIDGE=br-ex
>> CONFIG_NEUTRON_ML2_TYPE_DRIVERS=vxlan
>> CONFIG_NEUTRON_ML2_TENANT_NETWORK_TYPES=vxlan
>> CONFIG_NEUTRON_ML2_VNI_RANGES=10:100
>> CONFIG_NEUTRON_LB_INTERFACE_MAPPINGS=
>> CONFIG_NEUTRON_OVS_BRIDGE_MAPPINGS=
>> CONFIG_NEUTRON_OVS_BRIDGE_IFACES=
>> CONFIG_NEUTRON_OVS_TUNNEL_IF=eth1
>>
>> After the installation, I configure the network like this:
>>
>> neutron router-create router
>> neutron net-create private
>> neutron subnet-create private 10.42.200.0/24 --name private-subnet
>> neutron router-interface-add router private-subnet
>> neutron net-create public --router:external=True
>> neutron subnet-create public 10.42.100.0/24 --name public-subnet --enable_dhcp=False --allocation-pool start=10.42.100.100,end=10.42.100.200 --no-gateway
>> neutron router-gateway-set router public
>>
>> I'm able to launch instances but I can't get access (ping/ssh) to them.
>>
>> I don't know if I'm doing something wrong, starting from planning.
>>
>> Please, help me!
>>

Those look like the iptables rule on the hypervisor. Rhys is talking
about the Neutron security group rules. By default, ssh into VMs is
not allowed. You need to permit ICMP and SSH in the security rules on
the neutron network.

I don't see anything wrong with your network architecture at first
glance, but floating IPs can be tricky at first. Start with basic
VM-to-VM connectivity and add on from there.

Good luck!

--
Dan Sneddon         |  Principal OpenStack Engineer
dsneddon at redhat.com |  redhat.com/openstack
650.254.4025        |  @dxs on twitter
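The security group change Dan refers to, as an added example that is not part of the thread: it assumes the python-neutronclient "neutron" CLI of that era with a keystonerc sourced, and takes the group name ("default") and the admin subnet (172.16.58.0/24) from the thread as constructed defaults.

```shell
#!/bin/sh
# Added example, not code from the thread: open ICMP and SSH ingress in a
# Neutron security group, which is what the reply above says is missing.
# Assumptions: the 2015-era python-neutronclient "neutron" CLI with a sourced
# keystonerc; SG and ADMIN_CIDR are constructed defaults taken from the thread
# (the "default" group, and the 172.16.58.0/24 subnet the nodes sit on).
set -eu

NEUTRON="${NEUTRON:-neutron}"               # CLI to call; a stub for dry runs
SG="${SG:-default}"                         # security group to change
ADMIN_CIDR="${ADMIN_CIDR:-172.16.58.0/24}"  # who may reach the instances

# Add one ingress rule to security group $1; the rest are neutron options.
# A duplicate rule is reported as "exists" rather than failing, so the
# function is safe to re-run (the duplicate-rule message text is an
# assumption about the CLI's error output).
add_sg_rule() {
    sg="$1"; shift
    if out=$($NEUTRON security-group-rule-create "$@" "$sg" 2>&1); then
        echo "added: $*"
    else
        case "$out" in
            *"already exists"*) echo "exists: $*" ;;
            *) printf 'failed: %s\n%s\n' "$*" "$out" >&2; return 1 ;;
        esac
    fi
}

# The two rules the thread needs: ICMP (ping) and TCP/22 (SSH), both limited
# to the admin subnet rather than 0.0.0.0/0 so the floating IPs are not
# reachable from the whole Internet.
apply_sg_rules() {
    add_sg_rule "$1" --direction ingress --protocol icmp \
        --remote-ip-prefix "$2" &&
    add_sg_rule "$1" --direction ingress --protocol tcp \
        --port-range-min 22 --port-range-max 22 --remote-ip-prefix "$2"
}

# Only touch a real cloud when explicitly asked, e.g. SG_APPLY=1 sh sgrules.sh
if [ "${SG_APPLY:-0}" = 1 ]; then
    apply_sg_rules "$SG" "$ADMIN_CIDR"
fi
```

Set NEUTRON to a stub function or script to see which rules would be created without talking to the cloud.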

_______________________________________________
Rdo-list mailing list
Rdo-list at redhat.com
https://www.redhat.com/mailman/listinfo/rdo-list

To unsubscribe: rdo-list-unsubscribe at redhat.com