[rhos-list] EXTERNAL: Re: Problems with metadata.

Minton, Rich rich.minton at lmco.com
Thu Mar 7 19:08:24 UTC 2013


Yes, good question. Using Nova-Network in VlanManager mode.

Two NICs bonded together.
One bridge and VLAN for my hosts, and another VLAN and bridge for my single tenant.

Eth0--\             /--bond0.972--->br972----10.10.12.xx host network
       >----bond0---<
Eth1--/             \--bond0.976--->br976----10.10.16.xx instance private IPs
                                         \--10.10.12.xx instance floating IPs

From: Paul Robert Marino [mailto:prmarino1 at gmail.com]
Sent: Thursday, March 07, 2013 2:01 PM
To: Jon Thomas; Minton, Rich
Cc: rhos-list at redhat.com; Pothapragada, Kiran
Subject: EXTERNAL: Re: [rhos-list] Problems with metadata.

Well, my first question is: are you using Quantum or Nova Network?



-- Sent from my HP Pre3

________________________________
On Mar 7, 2013 1:12 PM, Jon Thomas <jthomas at redhat.com<mailto:jthomas at redhat.com>> wrote:

On Thu, 2013-03-07 at 17:21 +0000, Minton, Rich wrote:
> I know you guys are busy trying to get the new release out the door
> but if someone could take a quick peek at this and provide a
> suggestion on where to look, I would be very grateful. I could really
> use a suggestion on compute node configuration for metadata and vnc
> proxy.
>
>
>
> I’m having some problems with my instances accessing metadata from my
> compute nodes… they don’t. The instances running on compute nodes are
> not able to contact dhcp to get their IP and as a result I cannot pull
> in the metadata for ssh keys, hostname, etc. I can ping the metadata
> IP, 169.254.169.254 from my host but when I try to test the connection
> using curl I get a 404 error. I’m also not sure if iptables is being
What curl command?
curl http://169.254.169.254
should give
...
<p>The document has moved <a
href="http://169.254.169.254/dashboard/">here</a>.</p>
...

You can open up DHCP with

-A INPUT -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-A FORWARD -p udp -m udp --sport 68 --dport 67 -j ACCEPT

> setup properly. I believe I have nova.conf configured properly. I’m
> using nova-metadata-api on each of my compute nodes and have nova.conf
> configured with the hosts IP for the metadata server and I do not have
> “metadata” in the list of enabled apis. I also tried running
> nova-metadata-api from the command line in debug mode to see if I was
> getting any errors. There were none, which leads me to believe it’s
> something in iptables and the VMs are never accessing the service.
> Also if I flush iptables and restart the openstack services, iptables
> is repopulated but it is very sparse. Seems like there should be a lot
> more entries in the tables.
>
Sounds like something with iptables. You can compare to this set from a
packstack-based install. 192.168.2.113 is the public/admin interface.


$ cat /etc/sys*/iptables
# Generated by iptables-save v1.4.7 on Thu Mar 7 12:29:40 2013
*mangle
:PREROUTING ACCEPT [63439:31483572]
:INPUT ACCEPT [63439:31483572]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [62191:32543722]
:POSTROUTING ACCEPT [62191:32543722]
:nova-api-POSTROUTING - [0:0]
:nova-network-POSTROUTING - [0:0]
-A POSTROUTING -j nova-network-POSTROUTING
-A POSTROUTING -j nova-api-POSTROUTING
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Thu Mar 7 12:29:40 2013
# Generated by iptables-save v1.4.7 on Thu Mar 7 12:29:40 2013
*filter
:INPUT ACCEPT [970:292442]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1291:434252]
:nova-api-FORWARD - [0:0]
:nova-api-INPUT - [0:0]
:nova-api-OUTPUT - [0:0]
:nova-api-local - [0:0]
:nova-filter-top - [0:0]
:nova-network-FORWARD - [0:0]
:nova-network-INPUT - [0:0]
:nova-network-OUTPUT - [0:0]
:nova-network-local - [0:0]
-A INPUT -j nova-network-INPUT
-A INPUT -j nova-api-INPUT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 5000,35357 -m comment --comment "001 keystone incoming" -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 3260,8776 -m comment --comment "001 cinder incoming" -j ACCEPT
-A INPUT -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8773,8774,8775 -m comment --comment "001 novaapi incoming" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8773,8774,8775 -m comment --comment "001 novaapi incoming" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 9292 -m comment --comment "001 glance incoming" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80 -m comment --comment "001 horizon incoming" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8773,8774,8775 -m comment --comment "001 novaapi incoming" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80 -m comment --comment "001 horizon incomming" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 3306 -m comment --comment "001 mysql incoming" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 9292 -m comment --comment "001 glance incomming" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8773,8774 -m comment --comment "001 novaapi incoming" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 5000,35357 -m comment --comment "001 keystone incomming" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 5900:5999 -m comment --comment "001 nove compute incoming" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 6080 -m comment --comment "001 novncproxy incoming" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 5672 -m comment --comment "001 qpid incoming" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 3306 -m comment --comment "001 mysql incomming" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8773,8774 -m comment --comment "001 novaapi incomming" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 5672 -m comment --comment "001 qpid incomming" -j ACCEPT
-A FORWARD -j nova-filter-top
-A FORWARD -j nova-network-FORWARD
-A FORWARD -j nova-api-FORWARD
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-A OUTPUT -j nova-filter-top
-A OUTPUT -j nova-network-OUTPUT
-A OUTPUT -j nova-api-OUTPUT
-A nova-api-INPUT -d 192.168.2.113/32 -p tcp -m tcp --dport 8775 -j ACCEPT
-A nova-filter-top -j nova-network-local
-A nova-filter-top -j nova-api-local
-A nova-network-FORWARD -i br100 -j ACCEPT
-A nova-network-FORWARD -o br100 -j ACCEPT
-A nova-network-INPUT -i br100 -p udp -m udp --dport 67 -j ACCEPT
-A nova-network-INPUT -i br100 -p tcp -m tcp --dport 67 -j ACCEPT
-A nova-network-INPUT -i br100 -p udp -m udp --dport 53 -j ACCEPT
-A nova-network-INPUT -i br100 -p tcp -m tcp --dport 53 -j ACCEPT
COMMIT
# Completed on Thu Mar 7 12:29:40 2013
# Generated by iptables-save v1.4.7 on Thu Mar 7 12:29:40 2013
*nat
:PREROUTING ACCEPT [13:752]
:POSTROUTING ACCEPT [589:137435]
:OUTPUT ACCEPT [589:137435]
:nova-api-OUTPUT - [0:0]
:nova-api-POSTROUTING - [0:0]
:nova-api-PREROUTING - [0:0]
:nova-api-float-snat - [0:0]
:nova-api-snat - [0:0]
:nova-network-OUTPUT - [0:0]
:nova-network-POSTROUTING - [0:0]
:nova-network-PREROUTING - [0:0]
:nova-network-float-snat - [0:0]
:nova-network-snat - [0:0]
:nova-postrouting-bottom - [0:0]
-A PREROUTING -j nova-network-PREROUTING
-A PREROUTING -j nova-api-PREROUTING
-A POSTROUTING -j nova-network-POSTROUTING
-A POSTROUTING -j nova-api-POSTROUTING
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING -j nova-postrouting-bottom
-A OUTPUT -j nova-network-OUTPUT
-A OUTPUT -j nova-api-OUTPUT
-A nova-api-snat -j nova-api-float-snat
-A nova-network-POSTROUTING -s 192.168.32.0/22 -d 192.168.2.113/32 -j ACCEPT
-A nova-network-POSTROUTING -s 192.168.32.0/22 -d 192.168.32.0/22 -m conntrack ! --ctstate DNAT -j ACCEPT
-A nova-network-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.2.113:8775
-A nova-network-snat -j nova-network-float-snat
-A nova-network-snat -s 192.168.32.0/22 -o eth0 -j SNAT --to-source 192.168.2.113
-A nova-postrouting-bottom -j nova-network-snat
-A nova-postrouting-bottom -j nova-api-snat
COMMIT
# Completed on Thu Mar 7 12:29:40 2013
>
>
> Also, when I try to access the vnc console on instances running on
> compute nodes (not the controller) I get a connection failure. I have
> the vnc service running on each compute node and set the variables in
> nova.conf to point to the compute node instead of the controller. I
> actually had this working at one point and then something went wrong…
> again maybe iptables.
>
>
>
> I just need some hints on where to look to find out what’s going on.
>
>
>
> Thanks in advance.
>
> Rick
>
>
>
>
>
>
>
> Richard Minton
>
> LMICC Systems Administrator
>
> 4000 Geerdes Blvd, 13D31
>
> King of Prussia, PA 19406
>
> Phone: 610-354-5482
>
>
>
>
> _______________________________________________
> rhos-list mailing list
> rhos-list at redhat.com<mailto:rhos-list at redhat.com>
> https://www.redhat.com/mailman/listinfo/rhos-list


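The checks Jon walks through above (DHCP 68 to 67 accepted on INPUT and FORWARD, the nat-table DNAT of 169.254.169.254:80 to the metadata API on 8775, the nova-api-INPUT accept for 8775, and the bridge accepts in nova-network-FORWARD), collected into a small audit script that reads an iptables-save dump and names what is missing. This is an added example, not code from the thread or from OpenStack. It assumes the dump has been saved to a file, that the chain names are the ones in the packstack dump above (nova-network-PREROUTING, nova-api-INPUT, nova-network-FORWARD, nova-network-INPUT), and that any bridge named br<something> is an instance bridge, so Rick's br972 and br976 count the same as br100. The two sample dumps embedded in the script are constructed from the packstack rules in the thread; the second one has the two metadata rules stripped to stand in for the "very sparse" table Rick describes.

```shell
#!/bin/sh
# Audit an iptables-save dump for the rules nova-network needs so that
# instances can reach DHCP and the metadata service on 169.254.169.254.
# Added example for this thread, not code from the mail or from OpenStack.
# Usage on a compute node:  iptables-save > /tmp/ipt.txt; sh audit.sh /tmp/ipt.txt

# One check per line: <name> <extended regex that must match a line of the dump>.
# Rule shapes are taken from the packstack dump in the thread; bridge names
# are matched loosely (assumption: every br* device is an instance bridge).
CHECKS='
dhcp-input ^-A (INPUT|nova-network-INPUT) .*-p udp .*--dport 67 -j ACCEPT
dhcp-forward ^-A (FORWARD|nova-network-FORWARD) .*(-p udp .*--dport 67|-i br[A-Za-z0-9.]+) -j ACCEPT
bridge-forward-out ^-A nova-network-FORWARD -o br[A-Za-z0-9.]+ -j ACCEPT
metadata-dnat ^-A nova-network-PREROUTING -d 169\.254\.169\.254/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination [0-9.]+:8775$
metadata-input ^-A nova-api-INPUT .*-p tcp -m tcp --dport 8775 -j ACCEPT$
'

# Print the name of every check whose rule is absent from the dump, one per
# line; prints nothing when all rules are present. Always exits 0 so the
# caller can capture the output under set -e.
audit_iptables_dump() {
    dump=$1
    while read -r name pattern; do
        [ -n "$name" ] || continue
        grep -qE -e "$pattern" "$dump" || echo "$name"
    done <<EOF
$CHECKS
EOF
    return 0
}

# Print the IP:port the metadata DNAT points at (empty if there is no such
# rule), so it can be compared with metadata_host / metadata_port in nova.conf.
metadata_dnat_target() {
    sed -n 's/^-A nova-network-PREROUTING -d 169\.254\.169\.254\/32 .*-j DNAT --to-destination \([0-9.]*:[0-9]*\).*$/\1/p' "$1"
}

# Human-readable summary; returns 1 when anything is missing.
report() {
    dump=$1
    missing=$(audit_iptables_dump "$dump")
    if [ -z "$missing" ]; then
        echo "ok: all expected nova-network rules present in $dump"
        echo "metadata DNAT target: $(metadata_dnat_target "$dump") (compare with metadata_host in nova.conf)"
        return 0
    fi
    echo "MISSING rules in $dump:"
    printf '  %s\n' $missing
    return 1
}

# Constructed sample: the relevant lines of the packstack dump from the
# thread, with the mail-wrapped lines joined. Not a complete iptables-save file.
GOOD_DUMP=$(mktemp)
cat > "$GOOD_DUMP" <<'EOF'
*filter
-A INPUT -j nova-network-INPUT
-A INPUT -j nova-api-INPUT
-A INPUT -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-A FORWARD -j nova-filter-top
-A FORWARD -j nova-network-FORWARD
-A FORWARD -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-A nova-api-INPUT -d 192.168.2.113/32 -p tcp -m tcp --dport 8775 -j ACCEPT
-A nova-network-FORWARD -i br100 -j ACCEPT
-A nova-network-FORWARD -o br100 -j ACCEPT
-A nova-network-INPUT -i br100 -p udp -m udp --dport 67 -j ACCEPT
COMMIT
*nat
-A PREROUTING -j nova-network-PREROUTING
-A nova-network-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.2.113:8775
COMMIT
EOF

# Constructed sample of a "sparse" table: the same dump with the metadata
# DNAT and the nova-api-INPUT accept for 8775 removed.
BAD_DUMP=$(mktemp)
grep -v -e 'nova-network-PREROUTING -d 169' -e 'nova-api-INPUT -d' "$GOOD_DUMP" > "$BAD_DUMP"

if [ "$#" -ge 1 ]; then
    report "$1"
else
    report "$GOOD_DUMP"
    report "$BAD_DUMP" || :
fi
```

Run it on each compute node, not only on the controller, since the DNAT for 169.254.169.254 has to exist on whichever host the instance's traffic enters. The script only proves the rules are loaded; to see whether instance packets actually hit them, watch the counters with `iptables -t nat -vnL nova-network-PREROUTING` while an instance boots. The printed DNAT target is the address the metadata requests will reach, so it must be a host where nova-api-metadata is listening on 8775 and must agree with the metadata host configured in nova.conf.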