[Rdo-list] I can't get access to VM instances
Dan Sneddon
dsneddon at redhat.com
Sat Feb 21 00:35:35 UTC 2015
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 02/20/2015 03:29 PM, Pasquale Salza wrote:
> Whops! I figured out just few seconds after I sent the mail! Ok,
> tomorrow I'll try with it. :) I'd like to share how I want to
> organise my network in order to get some advices.
>
> Let's say I have 7 machines and 7 spare IPs on the network
> 172.16.58.0/24 <http://172.16.58.0/24> which are also associated to
> 7 public (internet) IPs.
>
> I'd like to reserve 6 IPs for 6 VMs I could instanciate on
> OpenStack.
>
> So I planned to do this: the controller node has a static IP on
> eth0 of the 7 in 172.16.58.50/24 <http://172.16.58.50/24> network
> so as I can access it from outside. I add an alias eth0:0 with
> which I connect the controller to the Management network of
> OpenStack, the 10.0.1.0/24 <http://10.0.1.0/24> network. Also on
> the controller, I set statically the IP for eth1 with one of float
> IPs network 192.168.0.0/16 <http://192.168.0.0/16> network. With
> iptables, I add the rule of forwarding everithing on eth0 and
> eth1, so the other nodes can get Internet access on network
> 10.0.1.0/24 <http://10.0.1.0/24>.
>
> On the compute nodes I set eth0 as one of IPs on 10.0.1.0/24
> <http://10.0.1.0/24> management network and eth1 as one on
> 192.168.0.0/16 <http://192.168.0.0/16>.
>
> Om each node I put the bridge on eth1.
>
> With RDO I put virtualisation and tunneling only on eth1.
>
> When the installatation has finished, I create a private neutron
> network 10.100.0.0/16 <http://10.100.0.0/16> and two public
> networks of floating IPs. The first is 192.168.0.0/24
> <http://192.168.0.0/24> for any kind of VM. The other is the
> 172.16.58.0/24 <http://172.16.58.0/24> network, limited to the 6
> available IPs with which I can put virtual machines on Internet.
>
> Does it make sense or I'm doing some mistakes? Do you have any
> other idea?
>
> Thank you very much indeed!
>
> Pasquale
>
> On 02/20/2015 02:07 PM, Pasquale Salza wrote:
>> Hi Rhys, I suppose so, because these are my iptables rules:
>
>> iptables -F iptables -t nat -F iptables -P INPUT ACCEPT iptables
>> -P OUTPUT ACCEPT iptables -P FORWARD ACCEPT iptables -A INPUT -d
>> 172.16.58.0/24 <http://172.16.58.0/24> <http://172.16.58.0/24>
>> -m
> state --state
>> ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -d
>> 172.16.58.0/24
> <http://172.16.58.0/24>
>> <http://172.16.58.0/24> -p tcp --dport ssh -j ACCEPT iptables -A
>> INPUT -d 172.16.58.0/24 <http://172.16.58.0/24>
> <http://172.16.58.0/24> -p tcp --dport www
>> -j ACCEPT iptables -A INPUT -d 172.16.58.0/24
>> <http://172.16.58.0/24> <http://172.16.58.0/24> -p tcp --dport
>> pptp -j ACCEPT iptables -A INPUT -d 172.16.58.0/24
>> <http://172.16.58.0/24>
> <http://172.16.58.0/24> -p tcp --sport
>> domain -j ACCEPT iptables -A INPUT -d 172.16.58.0/24
> <http://172.16.58.0/24>
>> <http://172.16.58.0/24> -p tcp --dport domain -j ACCEPT iptables
>> -A INPUT -d 172.16.58.0/24 <http://172.16.58.0/24>
> <http://172.16.58.0/24> -p udp --sport
>> domain -j ACCEPT iptables -A INPUT -d 172.16.58.0/24
> <http://172.16.58.0/24>
>> <http://172.16.58.0/24> -p udp --dport domain -j ACCEPT iptables
>> -A INPUT -d 172.16.58.0/24 <http://172.16.58.0/24>
> <http://172.16.58.0/24> -p gre -j ACCEPT
>> iptables -A INPUT -d 172.16.58.0/24 <http://172.16.58.0/24>
> <http://172.16.58.0/24> -p icmp
>> -j ACCEPT iptables -A INPUT -d 172.16.58.0/24
>> <http://172.16.58.0/24> <http://172.16.58.0/24> -j DROP iptables
>> -t nat -A POSTROUTING -o eth0 -j MASQUERADE service iptables
>> save
>
>> Firstly, do you think I planned the network organisation well?
>> Do you have other suggestion (best practices) with 2 interfaces?
>
>
>> 2015-02-20 18:30 GMT+01:00 Rhys Oxenham <roxenham at redhat.com
> <mailto:roxenham at redhat.com>
>> <mailto:roxenham at redhat.com <mailto:roxenham at redhat.com>>>:
>
>> Hi Pasquale,
>
>> Did you modify your security group rules to allow ICMP and/or
>> 22:tcp access?
>
>> Many thanks Rhys
>
>>> On 20 Feb 2015, at 17:11, Pasquale Salza
>>> <pasquale.salza at gmail.com <mailto:pasquale.salza at gmail.com>
>> <mailto:pasquale.salza at gmail.com
>> <mailto:pasquale.salza at gmail.com>>>
> wrote:
>>>
>>> Hi there, I have a lot of problems with RDO/OpenStack
>> configuration. Firstly, I need to describe my network situation.
>>>
>>> I have 7 machine, each of them with 2 NIC. I would like to use
>>> one
>> machine as a controller/network node and the others as compute
>> nodes.
>>>
>>> I would like to use the eth0 to connect nodes to internet (and
>>> get
>> access by remote sessions) with the network "172.16.58.0/24
> <http://172.16.58.0/24>
>> <http://172.16.58.0/24>", in which I have just 7 available IPs,
>> and eth1 as configuration network on the network 10.42.100.0/42
> <http://10.42.100.0/42>
>> <http://10.42.100.0/42>.
>>>
>>> This is my current configuration, for each node (varying the
>>> IPs
>> on each machine):
>>>
>>> eth0: DEVICE=eth0 TYPE=Ethernet ONBOOT=yes BOOTPROTO=static
>>> IPADDR=172.16.58.50 NETMASK=255.255.255.0
>>> GATEWAY=172.16.58.254 DNS1=172.16.58.50 DOMAIN=###
>>> DEFROUTE="yes"
>>>
>>> eth1: DEVICE=eth1 TYPE=OVSPort DEVICETYPE=ovs OVS_BRIDGE=br-ex
>>> ONBOOT=yes
>>>
>>> br-ex: DEVICE=br-ex DEVICETYPE=ovs TYPE=OVSBridge
>>> BOOTPROTO=static IPADDR=10.42.100.1 NETMASK=255.255.255.0
>>> ONBOOT=yes
>>>
>>> I'd like to have instances on 10.42.200.0/24
>>> <http://10.42.200.0/24>
>> <http://10.42.200.0/24> virtual private network and the
>> remaining IPs of 10.42.100.0/24 <http://10.42.100.0/24>
>> <http://10.42.100.0/24>
> network as floating
>> IPs.
>>>
>>> These are the relevant parts of my answers.txt file:
>>>
>>> CONFIG_CONTROLLER_HOST=10.42.100.1
>>>
>
> CONFIG_COMPUTE_HOSTS=10.42.100.10,10.42.100.11,10.42.100.12,10.42.100.13,10.42.100.14,10.42.100.15
>
>
>> CONFIG_NETWORK_HOSTS=10.42.100.1
>>> CONFIG_AMQP_HOST=10.42.100.1 CONFIG_MARIADB_HOST=10.42.100.1
>>> CONFIG_NOVA_COMPUTE_PRIVIF=eth1 CONFIG_NOVA_NETWORK_PUBIF=eth1
>>> CONFIG_NOVA_NETWORK_PRIVIF=eth1
>>> CONFIG_NOVA_NETWORK_FIXEDRANGE=10.42.200.0/24
>>> <http://10.42.200.0/24>
>> <http://10.42.200.0/24>
>>> CONFIG_NOVA_NETWORK_FLOATRANGE=10.42.100.0/24
>>> <http://10.42.100.0/24>
>> <http://10.42.100.0/24>
>>> CONFIG_NEUTRON_L3_EXT_BRIDGE=br-ex
>>> CONFIG_NEUTRON_ML2_TYPE_DRIVERS=vxlan
>>> CONFIG_NEUTRON_ML2_TENANT_NETWORK_TYPES=vxlan
>>> CONFIG_NEUTRON_ML2_VNI_RANGES=10:100
>>> CONFIG_NEUTRON_LB_INTERFACE_MAPPINGS=
>>> CONFIG_NEUTRON_OVS_BRIDGE_MAPPINGS=
>>> CONFIG_NEUTRON_OVS_BRIDGE_IFACES=
>>> CONFIG_NEUTRON_OVS_TUNNEL_IF=eth1
>>>
>>> After the installation, I configure the network like this:
>>>
>>> neutron router-create router neutron net-create private
>>> neutron subnet-create private 10.42.200.0/24
>>> <http://10.42.200.0/24>
>> <http://10.42.200.0/24> --name private-subnet
>>> neutron router-interface-add router private-subnet neutron
>>> net-create public --router:external=True neutron subnet-create
>>> public 10.42.100.0/24 <http://10.42.100.0/24>
>> <http://10.42.100.0/24> --name public-subnet --enable_dhcp=False
>> --allocation-pool start=10.42.100.100,end=10.42.100.200
>> --no-gateway
>>> neutron router-gateway-set router public
>>>
>>> I'm able to launch instances but I can't get access (ping/ssh)
>>> to
>> them.
>>>
>>> I don't know if I'm doing something wrong starting from
>>> planning.
>>>
>>> Please, help me!
>>>
>>> _______________________________________________ Rdo-list
>>> mailing list Rdo-list at redhat.com <mailto:Rdo-list at redhat.com>
> <mailto:Rdo-list at redhat.com <mailto:Rdo-list at redhat.com>>
>>> https://www.redhat.com/mailman/listinfo/rdo-list
>>>
>>> To unsubscribe: rdo-list-unsubscribe at redhat.com
> <mailto:rdo-list-unsubscribe at redhat.com>
>> <mailto:rdo-list-unsubscribe at redhat.com
> <mailto:rdo-list-unsubscribe at redhat.com>>
>
>
>
>
>> -- Pasquale Salza
>
>> e-mail: pasquale.salza at gmail.com
>> <mailto:pasquale.salza at gmail.com>
> <mailto:pasquale.salza at gmail.com
> <mailto:pasquale.salza at gmail.com>>
>> phone: +39 393 4415978 <tel:%2B39%20393%204415978> fax: +39 089
> 8422939 <tel:%2B39%20089%208422939> skype: pasquale.salza
>> linkedin: http://it.linkedin.com/in/psalza/
>
>
>> _______________________________________________ Rdo-list mailing
>> list Rdo-list at redhat.com <mailto:Rdo-list at redhat.com>
>> https://www.redhat.com/mailman/listinfo/rdo-list
>
>> To unsubscribe: rdo-list-unsubscribe at redhat.com
> <mailto:rdo-list-unsubscribe at redhat.com>
>
>
> Those look like the iptables rule on the hypervisor. Rhys is
> talking about the Neutron security group rules. By default, ssh
> into VMs is not allowed. You need to permit ICMP and SSH in the
> security rules on the neutron network.
>
> I don't see anything wrong with your network architecture at first
> glance, but floating IPs can be tricky at first. Start with basic
> VM-to-VM connectivity and add on from there.
>
> Good luck!
>
>
> _______________________________________________ Rdo-list mailing
> list Rdo-list at redhat.com <mailto:Rdo-list at redhat.com>
> https://www.redhat.com/mailman/listinfo/rdo-list
>
> To unsubscribe: rdo-list-unsubscribe at redhat.com
> <mailto:rdo-list-unsubscribe at redhat.com>
That sounds like it should work, but one of those 6 IP addresses will
need to be used for the Neutron router (that IP will be used for SNAT
for VMs that have no floating IP).
I'm not sure what you mean when you say "I'd like to reserve 6 IPs for
6 VMs I could instanciate on OpenStack." You can instantiate more than
one VM on each compute node, and if you have 6 compute nodes then
depending on size you could have dozens of VMs. Maybe you just mean
you could instantiate 6 VMs with public IPs? Actually, due to the
router IP, you would be limited to 5.
Make sure you add the floating IP network as an external net. Since
your router will not be taking the .1 address, you will need to create
the port by hand with the chosen IP and add it to the router.
$ neutron net-create externalnet -- --router:external=True
$ neutron subnet-create externalnet 172.16.58.0/24 --name external \
- --enable_dhcp=False --allocation_pool start=172.16.58.x,\
end=172.16.58.x --gateway 172.16.58.x
(use your network gateway here - change the IP addresses in the
allocation range to match what is available on your network)
$ neutron router-create extrouter
(name of your router)
$ neutron port-create externalnet --fixed-ip 172.16.58.x
(use desired router IP)
$ neutron router-interface-add extrouter port=$portid
(port id from previous command)
$ neutron router-interface-add extrouter subnet=public
(replace public with the name of the 192.168.0.0/24 network)
Once that is done, you should be able to assign a floating IP to any
VM that has an interface on the 192.168.0.0/24 network.
P.S. - Several times in your email you mentioned 192.168.0.0/16, but
that's not a valid network. I assume you mean 192.168.0.0/24.
- --
Dan Sneddon | Principal OpenStack Engineer
dsneddon at redhat.com | redhat.com/openstack
650.254.4025 | @dxs on twitter
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAEBAgAGBQJU59LXAAoJEFkV3ypsGNbjU+AIALtTHElzciDOEn4jzpOppgwO
cQWXIWx3ycfvx9mx77XQR99Xp0l+S1L6ZKRrwvQX3KFDFLNINUt19BW9yGHMaA5m
g8TeH06vPXrmWIeLH+UwluMhAe8p5aM51UcJyYtkkbpvUroj+xoDsxU5ukbOS6Kr
YXUT44Rg1Js7/mSsgo6sIutmMHFpuExQI2ERbFmG1qLIpOSXwFaIsyLGJW+U7T6f
0zSdUGxim6Tw2pBx44C3HAAP70fzP+3xxm14XK3Av/bZELSsVMB31hkvj9oYCe4s
uAS3jro9+DUygZ2Yi26znJ+xHVOYzEyZ/RM61FY+OOt4I7wAOtkY++z1WqUVzEA=
=2NHc
-----END PGP SIGNATURE-----
More information about the dev
mailing list