Ah! I CAN ping and ssh to a Cirros instance on the Public net. So this may just be a permissions issue or something. hmmm. Wonder why I can't ping the router.
[root@maersk src]# ssh [email protected]
The authenticity of host '172.22.10.12 (172.22.10.12)' can't be established.
RSA key fingerprint is 6f:90:ef:16:20:5a:b6:81:33:c1:9e:ba:2b:47:cd:73.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.22.10.12' (RSA) to the list of known hosts.
Please login as 'cirros' user, not as root

^CConnection to 172.22.10.12 closed.
[root@maersk src]# ping 172.22.10.12
PING 172.22.10.12 (172.22.10.12) 56(84) bytes of data.
64 bytes from 172.22.10.12: icmp_seq=1 ttl=64 time=0.081 ms
64 bytes from 172.22.10.12: icmp_seq=2 ttl=64 time=0.097 ms
64 bytes from 172.22.10.12: icmp_seq=3 ttl=64 time=0.115 ms
64 bytes from 172.22.10.12: icmp_seq=4 ttl=64 time=0.096 ms

AND :-)

[root@maersk src]# ssh [email protected]
$ ping google.com
PING google.com (216.58.216.14): 56 data bytes
64 bytes from 216.58.216.14: seq=0 ttl=54 time=34.185 ms
64 bytes from 216.58.216.14: seq=1 ttl=54 time=32.834 ms
64 bytes from 216.58.216.14: seq=2 ttl=54 time=32.875 ms
^C
--- google.com ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 32.834/33.298/34.185 ms
$ whoami
cirros
$ ifconfig
eth0      Link encap:Ethernet  HWaddr FA:16:3E:F1:BE:6F
          inet addr:172.22.10.12  Bcast:172.22.10.255  Mask:255.255.255.0
          inet6 addr: fe80::f816:3eff:fef1:be6f/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1450  Metric:1
          RX packets:860 errors:0 dropped:0 overruns:0 frame:0
          TX packets:254 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:73360 (71.6 KiB)  TX bytes:28415 (27.7 KiB)

- Christopher T. Hull
333 Orchard Ave, Sunnyvale CA. 94085
(415) 385 4865
[email protected]
http://chrishull.com

On Wed, Mar 9, 2016 at 9:06 AM, Christopher Hull <[email protected]> wrote:
>
> Hi all;
> Following the Neutron (Network Option 2 setup) instructions in Liberty. I
> can't ping my demo router. However, I do recall there are new security
> constraints that might prevent this in Liberty. Do I need to somehow
> allow ICMP?
>
> Here's what I did.
>
> ===========================================
> Create virtual networks
>
> http://docs.openstack.org/liberty/install-guide-rdo/launch-instance.html#create-virtual-networks
>
> ===========================================
> Create Public Provider Network
>
> http://docs.openstack.org/liberty/install-guide-rdo/launch-instance-networks-public.html
>
> [root@maersk src]# source admin-openrc.sh
> [root@maersk src]# neutron net-create public --shared --provider:physical_network public \
> > --provider:network_type flat
> Created a new network:
> +---------------------------+--------------------------------------+
> | Field                     | Value                                |
> +---------------------------+--------------------------------------+
> | admin_state_up            | True                                 |
> | id                        | be6e920a-51aa-4293-bb95-7ac38aab9df6 |
> | mtu                       | 0                                    |
> | name                      | public                               |
> | port_security_enabled     | True                                 |
> | provider:network_type     | flat                                 |
> | provider:physical_network | public                               |
> | provider:segmentation_id  |                                      |
> | router:external           | False                                |
> | shared                    | True                                 |
> | status                    | ACTIVE                               |
> | subnets                   |                                      |
> | tenant_id                 | fdf3f98a9b0c4e9e94603d8a84ea41a8     |
> +---------------------------+--------------------------------------+
> [root@maersk src]#
>
> --- Create a subnet on the network:
>
> Replace START_IP_ADDRESS and END_IP_ADDRESS with the first and last IP
> address of the range within the subnet that you want to allocate for
> instances. This range must not include any existing active IP addresses.
>
> Example
> neutron subnet-create public 203.0.113.0/24 --name public \
> --allocation-pool start=203.0.113.101,end=203.0.113.200 \
> --dns-nameserver 8.8.4.4 --gateway 203.0.113.1
>
> [root@maersk src]# cat /etc/resolv.conf
> ; generated by /usr/sbin/dhclient-script
> search attlocal.net
> nameserver 172.22.10.254
>
> cat ifcfg-enp3s0
> GATEWAY=172.22.10.254
> DNS1=172.22.10.254
>
> neutron subnet-create public 172.22.10.0/24 --name public \
> --allocation-pool start=172.22.10.10,end=172.22.10.90 \
> --dns-nameserver 172.22.10.254 --gateway 172.22.10.254
>
> Created a new subnet:
> +-------------------+--------------------------------------------------+
> | Field             | Value                                            |
> +-------------------+--------------------------------------------------+
> | allocation_pools  | {"start": "172.22.10.10", "end": "172.22.10.90"} |
> | cidr              | 172.22.10.0/24                                   |
> | dns_nameservers   | 172.22.10.254                                    |
> | enable_dhcp       | True                                             |
> | gateway_ip        | 172.22.10.254                                    |
> | host_routes       |                                                  |
> | id                | f227734a-eca3-4472-81f6-620e1bf1fac9             |
> | ip_version        | 4                                                |
> | ipv6_address_mode |                                                  |
> | ipv6_ra_mode      |                                                  |
> | name              | public                                           |
> | network_id        | be6e920a-51aa-4293-bb95-7ac38aab9df6             |
> | subnetpool_id     |                                                  |
> | tenant_id         | fdf3f98a9b0c4e9e94603d8a84ea41a8                 |
> +-------------------+--------------------------------------------------+
>
> ===========================================
> Create the private project network
>
> http://docs.openstack.org/liberty/install-guide-rdo/launch-instance-networks-private.html
>
> source demo-openrc.sh
>
> neutron net-create private
> Created a new network:
> +-----------------------+--------------------------------------+
> | Field                 | Value                                |
> +-----------------------+--------------------------------------+
> | admin_state_up        | True                                 |
> | id                    | 28ca326a-8443-4c1c-b288-48920a1eefbe |
> | mtu                   | 0                                    |
> | name                  | private                              |
> | port_security_enabled | True                                 |
> | router:external       | False                                |
> | shared                | False                                |
> | status                | ACTIVE                               |
> | subnets               |                                      |
> | tenant_id             | 7813be77b1de4196b1c6b77006afa21c     |
> +-----------------------+--------------------------------------+
> [root@maersk src]# neutron subnet-create private 192.168.10.0/24 \
> > --name private --dns-nameserver 172.22.10.254 --gateway 192.168.10.1
> Created a new subnet:
> +-------------------+----------------------------------------------------+
> | Field             | Value                                              |
> +-------------------+----------------------------------------------------+
> | allocation_pools  | {"start": "192.168.10.2", "end": "192.168.10.254"} |
> | cidr              | 192.168.10.0/24                                    |
> | dns_nameservers   | 172.22.10.254                                      |
> | enable_dhcp       | True                                               |
> | gateway_ip        | 192.168.10.1                                       |
> | host_routes       |                                                    |
> | id                | eb5550e2-4de5-4ca5-9d7e-9d6ffe86ce92               |
> | ip_version        | 4                                                  |
> | ipv6_address_mode |                                                    |
> | ipv6_ra_mode      |                                                    |
> | name              | private                                            |
> | network_id        | 28ca326a-8443-4c1c-b288-48920a1eefbe               |
> | subnetpool_id     |                                                    |
> | tenant_id         | 7813be77b1de4196b1c6b77006afa21c                   |
> +-------------------+----------------------------------------------------+
>
> ====
> Create a router
> ====
>
> Private project networks connect to public provider networks using a
> virtual router. Each router contains an interface to at least one private
> project network and a gateway on a public provider network.
>
> source admin
>
> [root@maersk src]# source admin-openrc.sh
> [root@maersk src]# neutron net-update public --router:external
> Updated network: public
> [root@maersk src]# source demo-openrc.sh
> [root@maersk src]# neutron router-create router
> Created a new router:
> +-----------------------+--------------------------------------+
> | Field                 | Value                                |
> +-----------------------+--------------------------------------+
> | admin_state_up        | True                                 |
> | external_gateway_info |                                      |
> | id                    | 52ca91cb-df23-4593-bb95-ea9f1fc33e99 |
> | name                  | router                               |
> | routes                |                                      |
> | status                | ACTIVE                               |
> | tenant_id             | 7813be77b1de4196b1c6b77006afa21c     |
> +-----------------------+--------------------------------------+
> [root@maersk src]# neutron router-interface-add router private
> Added interface 5b25c4df-0c83-4ef2-bed6-6e854cf66af6 to router router.
> [root@maersk src]# neutron router-gateway-set router public
> Set gateway for router router
> [root@maersk src]# source admin-openrc.sh
> [root@maersk src]# ip netns
> qrouter-52ca91cb-df23-4593-bb95-ea9f1fc33e99 (id: 2)
> qdhcp-28ca326a-8443-4c1c-b288-48920a1eefbe (id: 1)
> qdhcp-be6e920a-51aa-4293-bb95-7ac38aab9df6 (id: 0)
> [root@maersk src]# neutron router-port-list router
> +--------------------------------------+------+-------------------+-------------------------------------------------------------------------------------+
> | id                                   | name | mac_address       | fixed_ips                                                                           |
> +--------------------------------------+------+-------------------+-------------------------------------------------------------------------------------+
> | 5b25c4df-0c83-4ef2-bed6-6e854cf66af6 |      | fa:16:3e:d5:62:14 | {"subnet_id": "eb5550e2-4de5-4ca5-9d7e-9d6ffe86ce92", "ip_address": "192.168.10.1"} |
> | d1dfcc09-9da6-4366-8080-c73d48286036 |      | fa:16:3e:b7:d2:22 | {"subnet_id": "f227734a-eca3-4472-81f6-620e1bf1fac9", "ip_address": "172.22.10.11"} |
> +--------------------------------------+------+-------------------+-------------------------------------------------------------------------------------+
> [root@maersk src]# ping -c 4 172.22.10.11
> PING 172.22.10.11 (172.22.10.11) 56(84) bytes of data.
> From 172.22.10.99 icmp_seq=1 Destination Host Unreachable
> From 172.22.10.99 icmp_seq=2 Destination Host Unreachable
> From 172.22.10.99 icmp_seq=3 Destination Host Unreachable
> From 172.22.10.99 icmp_seq=4 Destination Host Unreachable
>
> --- 172.22.10.11 ping statistics ---
> 4 packets transmitted, 0 received, +4 errors, 100% packet loss, time 2999ms
> pipe 4
> [root@maersk src]#
>
> ===== Config info.
>
> I set LinuxBridgeAgent.ini linux_bridge physical_interface_mappings to
> public:enp3s0 as this is what shows up for "eth0" when I ifconfig. Is
> this correct?
>
> [root@maersk src]# ./pluto.py show -p /etc ml2_conf.ini l3_agent.ini plugin.ini linuxbridge_agent.ini
> +-------------------+----------------------+--------------------------+
> | ml2_conf: Section | Key                  | Value                    |
> +-------------------+----------------------+--------------------------+
> | ml2               | extension_drivers    | port_security            |
> | ml2               | mechanism_drivers    | linuxbridge,l2population |
> | ml2               | tenant_network_types | vxlan                    |
> | ml2               | type_drivers         | flat,vlan,vxlan          |
> | ml2_type_flat     | flat_networks        | public                   |
> | ml2_type_vxlan    | vni_ranges           | 1:1000                   |
> | securitygroup     | enable_ipset         | True                     |
> +-------------------+----------------------+--------------------------+
>
> +-------------------+--------------------------+-----------------------------------------------------+
> | l3_agent: Section | Key                      | Value                                               |
> +-------------------+--------------------------+-----------------------------------------------------+
> | DEFAULT           | external_network_bridge  |                                                     |
> | DEFAULT           | verbose                  | True                                                |
> | DEFAULT           | interface_driver         | neutron.agent.linux.interface.BridgeInterfaceDriver |
> +-------------------+--------------------------+-----------------------------------------------------+
> +-----------------+----------------------+--------------------------+
> | plugin: Section | Key                  | Value                    |
> +-----------------+----------------------+--------------------------+
> | ml2             | extension_drivers    | port_security            |
> | ml2             | mechanism_drivers    | linuxbridge,l2population |
> | ml2             | tenant_network_types | vxlan                    |
> | ml2             | type_drivers         | flat,vlan,vxlan          |
> | ml2_type_flat   | flat_networks        | public                   |
> | ml2_type_vxlan  | vni_ranges           | 1:1000                   |
> | securitygroup   | enable_ipset         | True                     |
> +-----------------+----------------------+--------------------------+
>
> +----------------------------+-----------------------------+--------------------------------------------------------------+
> | linuxbridge_agent: Section | Key                         | Value                                                        |
> +----------------------------+-----------------------------+--------------------------------------------------------------+
> | linux_bridge               | physical_interface_mappings | public:enp3s0                                                |
> | vxlan                      | l2_population               | True                                                         |
> | vxlan                      | local_ip                    | 172.22.10.99                                                 |
> | vxlan                      | enable_vxlan                | True                                                         |
> | agent                      | prevent_arp_spoofing        | True                                                         |
> | securitygroup              | firewall_driver             | neutron.agent.linux.iptables_firewall.IptablesFirewallDriver |
> | securitygroup              | enable_security_group       | True                                                         |
> +----------------------------+-----------------------------+--------------------------------------------------------------+
>
> - Christopher T. Hull
> 333 Orchard Ave, Sunnyvale CA. 94085
> (415) 385 4865
> [email protected]
> http://chrishull.com
>
_______________________________________________ OpenStack-operators mailing list [email protected] http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
