Hi there! My goal is to host an Essex cloud on my laptop to study how it works, play with it, demo it and so on.
I am experiencing a network problem with cloud instances: they are not allowed to access the internet (wget on google.com, for example).

Nodes run as KVM virtual machines hosted on a laptop running Ubuntu Oneiric. So, on my laptop/hypervisor, I have created the following libvirt network used for the OpenStack nodes:

    <network>
      <name>default</name>
      <uuid>d5d3dcc1-f863-9bbf-8d57-1149e361de6d</uuid>
      <forward mode='nat'/>
      <bridge name='virbr0' stp='on' delay='0' />
      <mac address='52:54:00:5C:7B:5D'/>
      <ip address='192.168.122.1' netmask='255.255.255.0'>
      </ip>
    </network>

There is no libvirt DHCP, it is NATed to the outside world, and the network used is 192.168.122.0/24.

I have installed several nodes (Ubuntu Precise).

192.168.122.2 orchestra
    This behaves as a DHCP and Cobbler server to install other nodes.

192.168.122.101 manager-node
    Runs nova-api, nova-scheduler, nova-objectstore, nova-volume, nova-cert and iSCSI tgt.

192.168.122.102 messaging
    Runs RabbitMQ, MySQL, Glance and Keystone.

192.168.122.103 compute-a
    Runs nova-compute, nova-api and nova-network.
Excerpt from the nova.conf file:

    --network_manager=nova.network.manager.FlatDHCPManager
    --fixed_range=10.0.0.0/24
    --floating_range=192.168.123.0/24
    --auto_assign_floating_ip
    --flat_network_dns=192.168.122.2

I can run some instances and log in to them from my hypervisor after adding a route to the 192.168.123.0/24 network via the node running nova-network (192.168.122.103):

    sudo route add -net 192.168.123.0 netmask 255.255.255.0 gw 192.168.122.103 dev virbr0

So, I have a VM running on 192.168.123.3:

    euca-describe-instances
    RESERVATION r-xu7c0o8y f45695cb80ca402a9a7f63852098b582 default
    INSTANCE i-00000007 ami-00000003 192.168.123.3 server-7 running adminkey (f45695cb80ca402a9a7f63852098b582, compute-a) 0 m1.small2012-04-12T08:58:36.000Z nova aki-00000001 ari-00000002

Its private IP is 10.0.0.2.

From it, I cannot download a page from the internet:

    ubuntu@server-7:~$ wget http://www.yahoo.com/
    --2012-04-12 09:36:55-- http://www.yahoo.com/
    Resolving www.yahoo.com... 87.248.112.181
    Connecting to www.yahoo.com|87.248.112.181|:80... failed: Connection refused.

But I can download a page from http://192.168.122.1/ (hypervisor virbr0) as well as http://192.168.0.9/ (hypervisor wifi interface used to get access to the outside world).

From compute-a, the node running nova-network, I can download pages from yahoo.com.

An iptables-save file from my hypervisor is attached to this mail. I did try to remove all the REJECT lines in the FORWARD table and reload the rules, without success.

I am afraid I'm a bit lost in all those bridges.

Has anyone:
- any idea if my problem is in the nova configuration, or something to do with the hypervisor iptables rules?
- done something similar with good results?
- any idea on what to try next?

Have a nice day...

# Generated by iptables-save v1.4.10 on Thu Apr 12 11:41:24 2012
*nat
:PREROUTING ACCEPT [415:71017]
:INPUT ACCEPT [88:7343]
:OUTPUT ACCEPT [2282:152990]
:POSTROUTING ACCEPT [2346:157728]
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING -s 10.1.0.0/16 ! -d 10.1.0.0/16 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 10.1.0.0/16 ! -d 10.1.0.0/16 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 10.1.0.0/16 ! -d 10.1.0.0/16 -j MASQUERADE
COMMIT
# Completed on Thu Apr 12 11:41:24 2012
# Generated by iptables-save v1.4.10 on Thu Apr 12 11:41:24 2012
*mangle
:PREROUTING ACCEPT [159113:79914067]
:INPUT ACCEPT [69979:40278276]
:FORWARD ACCEPT [89107:39599033]
:OUTPUT ACCEPT [60378:10029197]
:POSTROUTING ACCEPT [150789:49724062]
-A POSTROUTING -o virbr2 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Thu Apr 12 11:41:24 2012
# Generated by iptables-save v1.4.10 on Thu Apr 12 11:41:24 2012
*filter
:INPUT ACCEPT [69896:40270442]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [60374:10028752]
-A INPUT -i virbr1 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr1 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr1 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr1 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i virbr2 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr2 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr2 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr2 -p tcp -m tcp --dport 67 -j ACCEPT
-A FORWARD -i virbr1 -o virbr1 -j ACCEPT
-A FORWARD -o virbr1 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr1 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 10.1.0.0/16 -o virbr2 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.1.0.0/16 -i virbr2 -j ACCEPT
-A FORWARD -i virbr2 -o virbr2 -j ACCEPT
-A FORWARD -o virbr2 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr2 -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Thu Apr 12 11:41:24 2012
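
The rule-matching question raised in the message above, as an added example that is not part of the original post: a simplified first-match evaluator run over the virbr0 rules from the attached dump, comparing a packet sourced from the instance's floating IP with one sourced from compute-a. It assumes nova-network has already rewritten the instance's source address to 192.168.123.3 before the packet reaches the hypervisor; the interface name `wlan0` and the function names are hypothetical, and only `-s`, `-d`, `-i`, `-o`, `--state` and `-j` are interpreted.

```python
import ipaddress
import shlex

# virbr0-related rules copied from the iptables-save dump in the post
DUMP = """*nat
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING -s 10.1.0.0/16 ! -d 10.1.0.0/16 -j MASQUERADE
*filter
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
"""
FIELDS = {"-s": "src", "-d": "dst", "-i": "iif", "-o": "oif", "--state": "state", "-j": "target"}

def parse(dump):
    """Return one (table, chain, {field: (value, negated)}) tuple per -A rule."""
    table, rules = None, []
    for line in dump.splitlines():
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A "):
            tok, match, neg = shlex.split(line), {}, False
            for opt, val in zip(tok[2:], tok[3:]):
                if opt in FIELDS:
                    match[FIELDS[opt]] = (val, neg)
                neg = opt == "!"  # "!" negates the option that follows it
            rules.append((table, tok[1], match))
    return rules

def matches(match, pkt):
    for field, (val, neg) in match.items():
        if field in ("src", "dst"):
            hit = ipaddress.ip_address(pkt[field]) in ipaddress.ip_network(val)
        else:  # interface name or comma-separated state list
            hit = pkt.get(field) in val.split(",")
        if field != "target" and hit == neg:
            return False
    return True

def verdict(rules, table, chain, pkt):
    """Target of the first matching rule, or 'POLICY' when nothing matches."""
    for t, c, match in rules:
        if (t, c) == (table, chain) and matches(match, pkt):
            return match["target"][0]
    return "POLICY"

RULES = parse(DUMP)
# Assumed packet: source already SNATed to the floating IP; "wlan0" is a placeholder name.
INSTANCE = {"src": "192.168.123.3", "dst": "87.248.112.181", "iif": "virbr0", "oif": "wlan0", "state": "NEW"}
COMPUTE_A = dict(INSTANCE, src="192.168.122.103")
```

Under these assumptions, `verdict(RULES, "filter", "FORWARD", INSTANCE)` returns `REJECT` and `verdict(RULES, "nat", "POSTROUTING", INSTANCE)` returns `POLICY` (no MASQUERADE rule covers 192.168.123.0/24), while the compute-a packet gets `ACCEPT` and `MASQUERADE`.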