[rhos-list] Nova-Network problem

Brent Eagles beagles at redhat.com
Thu Mar 21 15:50:32 UTC 2013


On Thu, Mar 21, 2013 at 07:38:15AM +0000, Vogel Nicolas wrote:
> Hello,
> 
> I’ve installed Openstack Folsom with Keystone, Nova, Cinder and Glance
> on a single node with CentOS 6.3. I’m using Nova-network and not
> Quantum.  My server has 2 NICs, and I used one of them for management
> (em1: 10.192.75.190/24) and the second for my VM (em2 + br100:
> 10.192.73.193/26).  All the VM I start get a right IP address but I
> can’t reach them.  Here is my config:

What do you mean by "can't reach them"? Do you mean SSH or ping? Did you
define the security group rules (see
http://docs.openstack.org/trunk/openstack-compute/admin/content/enabling-ping-and-ssh-on-vms.html)?
Without them, iptables is likely blocking access.

<snip>

> em2:
> DEVICE="em2"
> #BOOTPROTO="none"
> HWADDR="84:2B:2B:6C:FD:10"
> BRIDGE=br100
> NM_CONTROLLED="yes"
> ONBOOT="yes"
> TYPE="Ethernet"
> UUID="014a008d-02cb-45c2-98b4-xxxxxxxxxxxx"

Is this interface really configured with NetworkManager, or did you do
this with a configuration file? If the latter, you might want to set
NM_CONTROLLED=no. It may not make a difference, but...

> 
> br100:
> DEVICE=br100
> TYPE=Bridge
> ONBOOT=yes
> DELAY=0
> BOOTPROTO=static
> IPADDR=10.192.73.193
> NETMASK=255.255.255.192
> 
<snip>
 
> What did I make wrong in my config?

Might be best to verify the security group thing before looking at the
rest.

> 
> If I want to assign my VM a floating IP (public IP), I have to create
> a pool. But do I have to use a third NIC which is available on my
> server and create a br101 interface for that?

No, you do not need another interface. What happens when you allocate
and assign a floating IP is that Openstack adds rules to your iptables
that perform source and destination address translation at appropriate
points according to how you have things configured. For example, as a
packet from a VM goes out your public interface, there is a SNAT to the
assigned public IP address ensuring that return communications come back
a.) to the proper destination and b.) addressed to the proper assigned
address. There is a companion rule that DNAT's it back to the private
address for packets coming back in.

> I’m also trying to configure a second node. Is the network
> configuration identical as for the controller (with a br100 = IP
> 10.192.73.194 in this case) ?

The question is a little ambiguous. Do you mean a second standalone
compute node or a compute/network node? I would recommend giving the
following a read if it is the latter:

http://docs.openstack.org/trunk/openstack-compute/admin/content/existing-ha-networking-options.html

Just a heads up when it comes to configuring your second node, be wary of
instances in your configuration where "localhost" is used (e.g. the
database access configuration). It can be a bit frustrating
(debug=True/verbose=True is your friend!) when you miss them. You also
need to make sure that the firewall rules aren't filtering out the
required traffic. Another thing that tripped me up when I first started
were the mysql accounts (if you are using mysql) as they can be
restrictive with respect to the source host/ip for the connection. Try
running mysql -e "select host, user from mysql.user" . If the host
values are all "%" (percent signs) then I think you are golden.  If not,
you might need to do some tweaking to get things to work.

Cheers,

Brent
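
The MySQL account check suggested in the last paragraph of the reply, as an added example that is not part of the original message: it reports which accounts have no `mysql.user` host row matching the second node's address. The account rows are constructed sample data, and `host_matches` and `blocked_users` are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not from the original thread. Rows are constructed sample data
# in the tab-separated form printed by:
#   mysql -N -B -e "select host, user from mysql.user"
TAB=$(printf '\t')
SAMPLE_ROWS=$(printf '%s\t%s\n' \
    'localhost'   'nova' \
    '127.0.0.1'   'nova' \
    '%'           'glance' \
    '10.192.73.%' 'cinder' \
    'localhost'   'keystone')

# host_matches PATTERN CLIENT
# mysql.user host values use % (any run of characters) and _ (one character).
# Map them to shell glob syntax; netmask-style host values are not handled.
host_matches() {
    glob=$(printf '%s' "$1" | tr '%_' '*?')
    case "$2" in
        $glob) return 0 ;;
        *)     return 1 ;;
    esac
}

# blocked_users CLIENT
# Prints, one per line, each account with no host row that matches CLIENT.
blocked_users() {
    allowed=" "; blocked=" "
    while IFS="$TAB" read -r host user; do
        if host_matches "$host" "$1"; then allowed="$allowed$user "; fi
    done <<EOF
$SAMPLE_ROWS
EOF
    while IFS="$TAB" read -r host user; do
        case "$allowed$blocked" in
            *" $user "*) ;;                    # reachable, or already reported
            *) blocked="$blocked$user " ;;
        esac
    done <<EOF
$SAMPLE_ROWS
EOF
    for user in $blocked; do printf '%s\n' "$user"; done
}

# Second node's bridge address, taken from the question in the thread.
blocked_users 10.192.73.194
```

In the sample data the `cinder` row shows a host value scoped to the VM subnet, which admits the second node without opening the account to every source address.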



