[Rdo-list] Can't ping/ssh to new instance

Attila Fazekas afazekas at redhat.com
Thu May 22 21:41:19 UTC 2014





----- Original Message -----
> From: "Eric Berg" <eberg at rubensteintech.com>
> To: "Kashyap Chamarthy" <kchamart at redhat.com>
> Cc: rdo-list at redhat.com
> Sent: Wednesday, May 21, 2014 4:25:06 PM
> Subject: Re: [Rdo-list] Can't ping/ssh to new instance
> 
> Thanks, Kashyap.
> 
> I have made some progress in that I was able to connect to my cirros image
> from the public network, but only from the host on which openstack is
> installed and on which the instance is running.
> 
> At the end of Lars's video, mentioned below, he assigns a gateway ip address
> to the public (192.168.20.0/24) network to the br-ex device, and then adds a
> rule that I translated into this command:
> 
> iptables -t nat -I POSTROUTING 1 -s 192.168.20.0/24 -j MASQUERADE
> 

Probably you also need to define a route entry
for 192.168.20.0/24 in your switch.

In my SOHO switch it can be done on the web interface as
'Advanced Routing' -> 'Static Routing List'

Destination Network: 192.168.20.0
Subnet Mask: 255.255.255.0
Default Gateway: <Reserved IP address of your L3 agent host>
For example: 192.168.0.42

Also consider adding an outgoing interface -o dev to your
MASQUERADE rule.

> but this breaks the connectivity, so I removed that so that I could still ssh
> into the cirros instance from my physical host.
> 
> Currently, I'm able to log in from the openstack physical host, but not from
> the rest of my 192.168.0.0 network.
> 
> My networking is a little bit rusty, so I'm not sure what the next step is to
> allow me to log into the instances on the 192.168.20.0/24 network from
> existing hosts on the 192.168.0.0 network.
> 
> BTW, is there a script that will provide a dump of the configurations like
> the one for which you provided a URL below?
> 
> Thanks again.
> 
> Eric
> 
> On 5/21/14, 4:24 AM, Kashyap Chamarthy wrote:
> 
> 
> 
> On Tue, May 20, 2014 at 01:17:21PM -0400, Eric Berg wrote:
> 
> 
> 
> I've done a fresh install of RDO using packstack on a single host like this:
> 
>   packstack --allinone --provision-all-in-one-ovs-bridge=n
> 
> And then followed the instructions here:
> http://openstack.redhat.com/Neutron_with_existing_external_network
>
> I've also generally followed Lars's approach from this video with the same
> lack of connectivity: https://www.youtube.com/watch?v=DGf-ny25OAw
>
> My public network is 192.168.20.0/24.
> 
> But I'm not able to ping or ssh from my 192.168.0.0 network; the host
> running OpenStack is at 192.168.0.37.
> 
> My instance is up and running with a 10.0.0.2 IP and 192.168.20.4 floating
> IP.
> 
> I can ping 192.168.20.3, but not 192.168.20.4.
> 
> I can use the net namespace approach to log into my cirros instance, but
> can't get to 192.168.20.0/24 hosts.
>
> That at-sounds you've got most of it right. You're not able to SSH via
> floating IPs.
> 
> Couple of things:
> 
>  - You might want to check if your iptables rules are correct. i.e. when
>    you run something like this, you should see SNAT/DNAT rules:
> 
>     $ ip netns exec qrouter-2c7ba7dc-0101-417a-b76d-1cae17ae654e iptables -t nat -L -nv | grep NAT
>         0     0 DNAT       all  --  *      *       0.0.0.0/0            192.169.142.12       to:30.0.0.26
>         0     0 DNAT       all  --  *      *       0.0.0.0/0            192.169.142.13       to:30.0.0.25
>        26  1704 ACCEPT     all  --  !qg-fb9ff0ad-56 !qg-fb9ff0ad-56  0.0.0.0/0            0.0.0.0/0            ! ctstate DNAT
>         0     0 DNAT       all  --  *      *       0.0.0.0/0            192.169.142.12       to:30.0.0.26
>         5   324 DNAT       all  --  *      *       0.0.0.0/0            192.169.142.13       to:30.0.0.25
>         0     0 SNAT       all  --  *      *       30.0.0.26            0.0.0.0/0            to:192.169.142.12
>         0     0 SNAT       all  --  *      *       30.0.0.25            0.0.0.0/0            to:192.169.142.13
>         0     0 SNAT       all  --  *      *       30.0.0.0/24          0.0.0.0/0            to:192.169.142.10
> 
> 
>  - Ensure your security group rules for SSH are set correctly (you
>    can enumerate them by doing '$ neutron security-group-rule-list')
> 
> I recently did a 2-node IceHouse install (but this is manual setup),
> here[1] are my configurations of Nova/Neutron and iptables rules (scroll
> down to bottom).
> 
> 
> 
> This is my first OpenStack install.   I'm a little confused at how a
> stock installation (based on packstack) could somehow not include the
> ability to access the VMs from the network on which the OS compute
> host is running.
> 
> Any help troubleshooting this would be greatly appreciated.
> [1]
> http://kashyapc.fedorapeople.org/virt/openstack/rdo/IceHouse-Nova-Neutron-ML2-GRE-OVS.txt
> 
> --
> Eric Berg
> Sr. Software Engineer
> Rubenstein Technology Group
> 55 Broad Street, 14th Floor
> New York, NY 10004-2501
> 
> (212) 518-6400
> (212) 518-6467 fax
> eberg at rubensteintech.com
> www.rubensteintech.com
> 
> 
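
Two checks suggested in this thread (SNAT/DNAT rules present for a floating IP, and a MASQUERADE rule bound to an outgoing interface) can be run over saved rule listings. This is an added example, not part of the original messages: the function names are hypothetical, and both sample listings are constructed (the first is modelled on the output quoted above with one SNAT row left out; `eth0` is an assumed interface name).

```shell
#!/bin/sh
# Added example: offline checks over saved iptables listings.

# Constructed sample of `iptables -t nat -L -nv` from a qrouter namespace
# (lines unwrapped; the SNAT row for 30.0.0.25 is deliberately missing).
NAT_LISTING='    0     0 DNAT       all  --  *      *       0.0.0.0/0            192.169.142.12       to:30.0.0.26
    5   324 DNAT       all  --  *      *       0.0.0.0/0            192.169.142.13       to:30.0.0.25
   26  1704 ACCEPT     all  --  !qg-fb9ff0ad-56 !qg-fb9ff0ad-56  0.0.0.0/0   0.0.0.0/0   ! ctstate DNAT
    0     0 SNAT       all  --  *      *       30.0.0.26            0.0.0.0/0            to:192.169.142.12
    0     0 SNAT       all  --  *      *       30.0.0.0/24          0.0.0.0/0            to:192.169.142.10'

# Constructed sample of `iptables -t nat -S POSTROUTING` on the host.
POSTROUTING_RULES='-P POSTROUTING ACCEPT
-A POSTROUTING -s 192.168.20.0/24 -j MASQUERADE
-A POSTROUTING -s 192.168.20.0/24 -o eth0 -j MASQUERADE'

# floating_ip_nat LISTING FLOATING_IP
# Prints the fixed IP when the floating IP has a DNAT rule and that fixed IP
# has a matching SNAT rule back to the floating IP; returns 1 otherwise.
# Columns of -L -nv: pkts bytes target prot opt in out source destination extra
floating_ip_nat() {
    printf '%s\n' "$1" | awk -v fip="$2" '
        $3 == "DNAT" && $9 == fip           { sub(/^to:/, "", $10); dnat[$10] = 1 }
        $3 == "SNAT" && $10 == ("to:" fip)  { snat[$8] = 1 }
        END {
            for (ip in dnat) if (ip in snat) { print ip; found = 1 }
            exit (found ? 0 : 1)
        }'
}

# unscoped_masquerade RULES
# Prints MASQUERADE rules that name no outgoing interface (-o);
# returns 0 when at least one such rule exists, 1 when all are scoped.
unscoped_masquerade() {
    printf '%s\n' "$1" | awk '
        /-j MASQUERADE/ && !/ -o / { print; n++ }
        END { exit (n ? 0 : 1) }'
}

floating_ip_nat "$NAT_LISTING" 192.169.142.12 || echo "192.169.142.12: incomplete NAT"
floating_ip_nat "$NAT_LISTING" 192.169.142.13 || echo "192.169.142.13: incomplete NAT"
unscoped_masquerade "$POSTROUTING_RULES" || echo "all MASQUERADE rules are interface-scoped"
```

On a live host the listings would come from the commands named in the comments, run as root, instead of the embedded samples.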



