[rhos-list] Problems with metadata.

Jon Thomas jthomas at redhat.com
Thu Mar 7 18:11:05 UTC 2013


On Thu, 2013-03-07 at 17:21 +0000, Minton, Rich wrote:
> I know you guys are busy trying to get the new release out the door
> but if someone could take a quick peek at this and provide a
> suggestion on where to look, I would be very grateful. I could really
> use a suggestion on compute node configuration for metadata and vnc
> proxy.
> 
> I’m having some problems with my instances accessing metadata from my
> compute nodes… they don’t.  The instances running on compute nodes are
> not able to contact dhcp to get their IP and as a result I cannot pull
> in the metadata for ssh keys, hostname, etc.  I can ping the metadata
> IP, 169.254.169.254 from my host but when I try to test the connection
> using curl I get a 404 error. I’m also not sure if iptables is being
What curl command?
curl http://169.254.169.254
should give
...
<p>The document has moved <a
href="http://169.254.169.254/dashboard/">here</a>.</p>
...

You can open up dhcp with

-A INPUT -p udp -m udp --sport 68 --dport 67 -j ACCEPT 
-A FORWARD -p udp -m udp --sport 68 --dport 67 -j ACCEPT

>  setup properly. I believe I have nova.conf configured properly. I’m
> using nova-metadata-api on each of my compute nodes and have nova.conf
> configured with the hosts IP for the metadata server and I do not have
> “metadata” in the list of enabled apis. I also tried running
> nova-metadata-api from the command line in debug mode to see if I was
> getting any errors. There were none, which leads me to believe it’s
> something in iptables and the VMs are never accessing the service.
> Also if I flush iptables and restart the openstack services, iptables
> is repopulated but it is very sparse. Seems like there should be a lot
> more entries in the tables.
> 
Sounds like something with iptables. You can compare to this set from a
packstack-based install. 192.168.2.113 is the public/admin interface.


$ cat /etc/sys*/iptables
# Generated by iptables-save v1.4.7 on Thu Mar  7 12:29:40 2013
*mangle
:PREROUTING ACCEPT [63439:31483572]
:INPUT ACCEPT [63439:31483572]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [62191:32543722]
:POSTROUTING ACCEPT [62191:32543722]
:nova-api-POSTROUTING - [0:0]
:nova-network-POSTROUTING - [0:0]
-A POSTROUTING -j nova-network-POSTROUTING 
-A POSTROUTING -j nova-api-POSTROUTING 
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill 
COMMIT
# Completed on Thu Mar  7 12:29:40 2013
# Generated by iptables-save v1.4.7 on Thu Mar  7 12:29:40 2013
*filter
:INPUT ACCEPT [970:292442]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1291:434252]
:nova-api-FORWARD - [0:0]
:nova-api-INPUT - [0:0]
:nova-api-OUTPUT - [0:0]
:nova-api-local - [0:0]
:nova-filter-top - [0:0]
:nova-network-FORWARD - [0:0]
:nova-network-INPUT - [0:0]
:nova-network-OUTPUT - [0:0]
:nova-network-local - [0:0]
-A INPUT -j nova-network-INPUT 
-A INPUT -j nova-api-INPUT 
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT 
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT 
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT 
-A INPUT -p tcp -m multiport --dports 5000,35357 -m comment --comment "001 keystone incoming" -j ACCEPT 
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT 
-A INPUT -p tcp -m multiport --dports 3260,8776 -m comment --comment "001 cinder incoming" -j ACCEPT 
-A INPUT -p udp -m udp --sport 68 --dport 67 -j ACCEPT 
-A INPUT -p tcp -m multiport --dports 8773,8774,8775 -m comment --comment "001 novaapi incoming" -j ACCEPT 
-A INPUT -p tcp -m multiport --dports 8773,8774,8775 -m comment --comment "001 novaapi incoming" -j ACCEPT 
-A INPUT -p tcp -m multiport --dports 9292 -m comment --comment "001 glance incoming" -j ACCEPT 
-A INPUT -p tcp -m multiport --dports 80 -m comment --comment "001 horizon incoming" -j ACCEPT 
-A INPUT -p tcp -m multiport --dports 8773,8774,8775 -m comment --comment "001 novaapi incoming" -j ACCEPT 
-A INPUT -p tcp -m multiport --dports 80 -m comment --comment "001 horizon incomming" -j ACCEPT 
-A INPUT -p tcp -m multiport --dports 3306 -m comment --comment "001 mysql incoming" -j ACCEPT 
-A INPUT -p tcp -m multiport --dports 9292 -m comment --comment "001 glance incomming" -j ACCEPT 
-A INPUT -p tcp -m multiport --dports 8773,8774 -m comment --comment "001 novaapi incoming" -j ACCEPT 
-A INPUT -p tcp -m multiport --dports 5000,35357 -m comment --comment "001 keystone incomming" -j ACCEPT 
-A INPUT -p tcp -m multiport --dports 5900:5999 -m comment --comment "001 nove compute incoming" -j ACCEPT 
-A INPUT -p tcp -m multiport --dports 6080 -m comment --comment "001 novncproxy incoming" -j ACCEPT 
-A INPUT -p tcp -m multiport --dports 5672 -m comment --comment "001 qpid incoming" -j ACCEPT 
-A INPUT -p tcp -m multiport --dports 3306 -m comment --comment "001 mysql incomming" -j ACCEPT 
-A INPUT -p tcp -m multiport --dports 8773,8774 -m comment --comment "001 novaapi incomming" -j ACCEPT 
-A INPUT -p tcp -m multiport --dports 5672 -m comment --comment "001 qpid incomming" -j ACCEPT 
-A FORWARD -j nova-filter-top 
-A FORWARD -j nova-network-FORWARD 
-A FORWARD -j nova-api-FORWARD 
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT 
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT 
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable 
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable 
-A FORWARD -p udp -m udp --sport 68 --dport 67 -j ACCEPT 
-A OUTPUT -j nova-filter-top 
-A OUTPUT -j nova-network-OUTPUT 
-A OUTPUT -j nova-api-OUTPUT 
-A nova-api-INPUT -d 192.168.2.113/32 -p tcp -m tcp --dport 8775 -j ACCEPT 
-A nova-filter-top -j nova-network-local 
-A nova-filter-top -j nova-api-local 
-A nova-network-FORWARD -i br100 -j ACCEPT 
-A nova-network-FORWARD -o br100 -j ACCEPT 
-A nova-network-INPUT -i br100 -p udp -m udp --dport 67 -j ACCEPT 
-A nova-network-INPUT -i br100 -p tcp -m tcp --dport 67 -j ACCEPT 
-A nova-network-INPUT -i br100 -p udp -m udp --dport 53 -j ACCEPT 
-A nova-network-INPUT -i br100 -p tcp -m tcp --dport 53 -j ACCEPT 
COMMIT
# Completed on Thu Mar  7 12:29:40 2013
# Generated by iptables-save v1.4.7 on Thu Mar  7 12:29:40 2013
*nat
:PREROUTING ACCEPT [13:752]
:POSTROUTING ACCEPT [589:137435]
:OUTPUT ACCEPT [589:137435]
:nova-api-OUTPUT - [0:0]
:nova-api-POSTROUTING - [0:0]
:nova-api-PREROUTING - [0:0]
:nova-api-float-snat - [0:0]
:nova-api-snat - [0:0]
:nova-network-OUTPUT - [0:0]
:nova-network-POSTROUTING - [0:0]
:nova-network-PREROUTING - [0:0]
:nova-network-float-snat - [0:0]
:nova-network-snat - [0:0]
:nova-postrouting-bottom - [0:0]
-A PREROUTING -j nova-network-PREROUTING 
-A PREROUTING -j nova-api-PREROUTING 
-A POSTROUTING -j nova-network-POSTROUTING 
-A POSTROUTING -j nova-api-POSTROUTING 
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535 
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535 
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE 
-A POSTROUTING -j nova-postrouting-bottom 
-A OUTPUT -j nova-network-OUTPUT 
-A OUTPUT -j nova-api-OUTPUT 
-A nova-api-snat -j nova-api-float-snat 
-A nova-network-POSTROUTING -s 192.168.32.0/22 -d 192.168.2.113/32 -j ACCEPT 
-A nova-network-POSTROUTING -s 192.168.32.0/22 -d 192.168.32.0/22 -m conntrack ! --ctstate DNAT -j ACCEPT 
-A nova-network-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.2.113:8775 
-A nova-network-snat -j nova-network-float-snat 
-A nova-network-snat -s 192.168.32.0/22 -o eth0 -j SNAT --to-source 192.168.2.113 
-A nova-postrouting-bottom -j nova-network-snat 
-A nova-postrouting-bottom -j nova-api-snat 
COMMIT
# Completed on Thu Mar  7 12:29:40 2013
> 
> Also, when I try to access the vnc console on instances running on
> compute nodes (not the controller) I get a connection failure. I have
> the vnc service running on each compute node and set the variables in
> nova.conf to point to the compute node instead of the controller. I
> actually had this working at one point and then something went wrong…
> again maybe iptables.
> 
> I just need some hints on where to look to find out what’s going on.
> 
> Thanks in advance.
> 
> Rick
> 
> Richard Minton
> 
> LMICC Systems Administrator
> 
> 4000 Geerdes Blvd, 13D31
> 
> King of Prussia, PA 19406
> 
> Phone: 610-354-5482
> 
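An added check, not from the thread and not a nova or packstack tool: it parses an iptables-save dump like the one above and reports which of the rules the DHCP and metadata path depend on are missing (the DHCP accepts, the nova-api accept on 8775, and the PREROUTING DNAT for 169.254.169.254). The address 192.0.2.10 is a constructed stand-in for the metadata host.

```python
# Added example, not from the thread: parse an iptables-save dump and list which
# of the rules the nova-network metadata path relies on are missing.
import shlex

def parse_iptables_save(text):
    """Return {table: [(chain, [tokens...]), ...]} for every -A rule."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):             # table header, e.g. *nat
            table = line[1:]
            tables.setdefault(table, [])
        elif line.startswith("-A ") and table:
            tokens = shlex.split(line)[1:]   # shlex keeps quoted comments whole
            tables[table].append((tokens[0], tokens[1:]))
    return tables

def has_pairs(tokens, pairs):  # every (flag, value) pair must appear adjacently
    return all(any(tokens[i] == f and tokens[i + 1] == v
                   for i in range(len(tokens) - 1)) for f, v in pairs)

def missing_rules(dump, metadata_host):
    """Names of required rules absent from the dump ([] means all present)."""
    tables = parse_iptables_save(dump)
    dhcp = [("-p", "udp"), ("--sport", "68"), ("--dport", "67"), ("-j", "ACCEPT")]
    required = {  # name: (table, chain, flag/value pairs the rule must carry)
        "dhcp_input": ("filter", "INPUT", dhcp),
        "dhcp_forward": ("filter", "FORWARD", dhcp),
        "metadata_api_input": ("filter", "nova-api-INPUT",
            [("-d", metadata_host + "/32"), ("--dport", "8775"), ("-j", "ACCEPT")]),
        "metadata_dnat": ("nat", "nova-network-PREROUTING",
            [("-d", "169.254.169.254/32"), ("--dport", "80"), ("-j", "DNAT"),
             ("--to-destination", metadata_host + ":8775")]),
    }
    return [name for name, (table, chain, pairs) in required.items()
            if not any(c == chain and has_pairs(a, pairs)
                       for c, a in tables.get(table, []))]

# Constructed dump (192.0.2.10 = metadata host) and a copy missing DHCP and DNAT.
GOOD = """*filter
-A INPUT -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-A FORWARD -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-A nova-api-INPUT -d 192.0.2.10/32 -p tcp -m tcp --dport 8775 -j ACCEPT
COMMIT
*nat
-A nova-network-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.0.2.10:8775
COMMIT
"""
SPARSE = "\n".join(l for l in GOOD.splitlines() if "--sport 68" not in l and "-j DNAT" not in l)
```

Feed it the real file with `missing_rules(open("/etc/sysconfig/iptables").read(), "<metadata host IP>")` and an empty list means the four rules are all in place.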