Ooops... I got it. Thought nova-compute has responsibilities in local iptables settings. I guess I was misled by the fact that I have default iptables rules set up at boot time in my VM which look like the rules defined in the security group, but it's just a coincidence.

Thanks
Patrick

2012/12/10 Patrick Petit <[email protected]>

> Hi Lei,
>
> I could spend some more time looking at my "no route to host" issue today.
> It could very well be that the iptables on the VM is the root of the problem.
>
> Here is what it looks like.
>
> $ sudo iptables -L
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
> ACCEPT     icmp --  anywhere             anywhere
> ACCEPT     all  --  anywhere             anywhere
> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
> REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> I am unfortunately not very familiar with iptables's rule syntax.
> Shouldn't ACCEPT all -- anywhere anywhere allow my http traffic to port 80?
>
> However, running explicitly
>
> sudo iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
>
> does fix the problem. I can access my instance on port 80.
>
> But my VM is associated with the default security group in which I added a
> rule to enable http traffic.
>
> $ nova secgroup-list-rules default
> +-------------+-----------+---------+-----------+--------------+
> | IP Protocol | From Port | To Port | IP Range  | Source Group |
> +-------------+-----------+---------+-----------+--------------+
> | icmp        | -1        | -1      | 0.0.0.0/0 |              |
> | tcp         | 22        | 22      | 0.0.0.0/0 |              |
> | tcp         | 80        | 80      | 0.0.0.0/0 |              |
> +-------------+-----------+---------+-----------+--------------+
>
> So the big question is why aren't my iptables rules in the VM set up by
> the security group specs?
> I don't see any error in nova logs on the compute node.
>
> Any help would be really appreciated.
> Thanks
> Patrick
>
> 2012/12/6 Lei Zhang <[email protected]>
>
>> Could you check the iptables in the VM? Whether it drops the packets on
>> port 80.
>>
>> On Thu, Dec 6, 2012 at 12:29 AM, Patrick Petit <[email protected]> wrote:
>>
>>> Dear Stackers,
>>>
>>> I am running instance wordpress.WikiServer
>>>
>>> $ nova list
>>> +--------------------------------------+--------------------------+--------+------------------------------------+
>>> | ID                                   | Name                     | Status | Networks                           |
>>> +--------------------------------------+--------------------------+--------+------------------------------------+
>>> | 6be47af7-2e29-4b4c-afeb-0a7f760f5970 | test2                    | ACTIVE | xlcloud=172.16.1.6                 |
>>> | 5a4c552f-933c-4a06-8e6f-164176380af5 | wordpress.DatabaseServer | ACTIVE | xlcloud=172.16.1.3                 |
>>> | ddb120d9-e1ad-444c-8490-37ecb15f500e | wordpress.WikiServer     | ACTIVE | xlcloud=172.16.1.4, 10.197.217.131 |
>>> +--------------------------------------+--------------------------+--------+------------------------------------+
>>>
>>> With Security Group setup as:
>>>
>>> $ nova secgroup-list
>>> +-----------------------------------+------------------------------------------------+
>>> | Name                              | Description                                    |
>>> +-----------------------------------+------------------------------------------------+
>>> | default                           | default                                        |
>>> +-----------------------------------+------------------------------------------------+
>>>
>>> $ nova secgroup-list-rules default
>>> +-------------+-----------+---------+-----------+--------------+
>>> | IP Protocol | From Port | To Port | IP Range  | Source Group |
>>> +-------------+-----------+---------+-----------+--------------+
>>> | icmp        | -1        | -1      | 0.0.0.0/0 |              |
>>> | tcp         | 22        | 22      | 0.0.0.0/0 |              |
>>> | tcp         | 80        | 80      | 0.0.0.0/0 |              |
>>> +-------------+-----------+---------+-----------+--------------+
>>>
>>> I can ping and ssh through the fixed or floating IP without any problem
>>> (172.16.1.4, 10.197.217.131).
>>> But HTTP requests on port 80 don't go through.
>>> I get a "no route to host" error message from wget or telnet for example.
>>>
>>> Ex. $ telnet 172.16.1.4 80
>>> Trying 172.16.1.4...
>>> telnet: Unable to connect to remote host: No route to host.
>>>
>>> Clearly it's not a routing problem.
>>>
>>> Any idea what the problem could be or hints to debug it?
>>>
>>> Thanks
>>> Patrick
>>>
>>> _______________________________________________
>>> Mailing list: https://launchpad.net/~openstack
>>> Post to     : [email protected]
>>> Unsubscribe : https://launchpad.net/~openstack
>>> More help   : https://help.launchpad.net/ListHelp
>>
>> --
>> Lei Zhang
>>
>> Blog: http://jeffrey4l.github.com
>> twitter/weibo: @jeffrey4l
>
> --
> *"Give me a place to stand, and I shall move the earth with a lever"*

--
*"Give me a place to stand, and I shall move the earth with a lever"*
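Why the `iptables -L` listing quoted in this thread is hard to read, as an added example that is not part of the original messages: without `-v`, the listing omits the interface column, so a loopback-only rule prints as `ACCEPT all -- anywhere anywhere`. The sketch assumes the guest carries the stock RHEL/CentOS ruleset (the `-i lo` on the third rule is an assumption, the thread does not show it) and walks constructed packets through the chain first-match.

```python
import shlex

# Constructed ruleset (assumption): iptables-save form of the guest's INPUT
# chain. "-i lo" on rule 3 is assumed; plain `iptables -L` would not show it.
RULES = """\
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""

def parse_rule(line):
    """Turn one '-A INPUT ...' line into a dict of match fields and target."""
    tok = shlex.split(line)
    rule = {"iface": None, "proto": None, "dport": None, "states": None}
    names = {"-i": "iface", "-p": "proto", "--dport": "dport", "-j": "target"}
    # Simplification: every option in this ruleset is a (flag, value) pair.
    for flag, val in zip(tok[2::2], tok[3::2]):
        if flag in names:
            rule[names[flag]] = val
        elif flag == "--state":
            rule["states"] = set(val.split(","))
    return rule

def verdict(rules, pkt):
    """First matching rule wins; return (1-based rule number, target)."""
    for n, r in enumerate(rules, 1):
        if (r["iface"] in (None, pkt["iface"])
                and r["proto"] in (None, pkt["proto"])
                and r["dport"] in (None, str(pkt.get("dport")))
                and (r["states"] is None or pkt["state"] in r["states"])):
            return n, r["target"]
    return 0, "ACCEPT"  # nothing matched: chain policy from the listing

GUEST = [parse_rule(line) for line in RULES.splitlines()]

# Constructed packets arriving at the guest.
HTTP = {"iface": "eth0", "proto": "tcp", "dport": 80, "state": "NEW"}
SSH = dict(HTTP, dport=22)
PING = {"iface": "eth0", "proto": "icmp", "state": "NEW"}
LOCAL = dict(HTTP, iface="lo")

if __name__ == "__main__":
    for name, pkt in [("http", HTTP), ("ssh", SSH), ("ping", PING),
                      ("http via lo", LOCAL)]:
        print(f"{name:12} -> rule {verdict(GUEST, pkt)}")
```

The final REJECT with `icmp-host-prohibited` is what the client reports as "No route to host"; `iptables -L -v -n` or `iptables -S` on the guest shows the interface match that the plain listing hides.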

