But on another machine under Scientific Linux 6.4 with OpenStack Neutron, and the same configuration and default security group, I can ping an instance. The only difference is that that machine has 1 NIC rather than multiple ones.
> No that is not correct. You need to open icmp
>
> Sent from iPhone
>
>> On Mar 16, 2014, at 12:44, "Anatoly Oreshkin"
>> <[email protected]> wrote:
>>
>>
>> In dashboard in Access & Security I see default security group which is as
>> follows
>>
>> Security Group Rules
>> Add Rule
>> Direction  Ether Type  IP Protocol  Port Range  Remote            Actions
>> Ingress    IPv4        Any          -           default
>> Egress     IPv4        Any          -           0.0.0.0/0 (CIDR)
>> Egress     IPv6        Any          -           ::/0 (CIDR)
>> Ingress    IPv6        Any          -           default
>>
>> As I understand every protocol and port is allowed.
>>
>>
>>
>>> Did you open the security group for icmp?
>>>
>>> Sent from iPhone
>>>
>>>> On Mar 16, 2014, at 10:36, "Anatoly Oreshkin"
>>>> <[email protected]> wrote:
>>>>
>>>> Hello,
>>>>
>>>> I've installed OpenStack Havana with Neutron all-in-one on single node
>>>> under Scientific Linux 6.4 having multiple NICs. Specifically, eth0 with
>>>> public network 212.190.96.128/27 and eth2 with internal network
>>>> 192.168.1.0/24
>>>>
>>>> All openstack components were installed on ip address 212.190.96.14 (eth0)
>>>> CONFIG_NOVA_NETWORK_PUBIF=eth0
>>>>
>>>>
>>>> OpenStack configuration follows:
>>>>
>>>> /etc/neutron/plugin.ini
>>>>
>>>> [OVS]
>>>> vxlan_udp_port=4789
>>>> tenant_network_type=local
>>>> enable_tunneling=False
>>>> integration_bridge=br-int
>>>> network_vlan_ranges = physnet1
>>>> bridge_mappings = physnet1:br-ex
>>>>
>>>> [AGENT]
>>>> polling_interval=2
>>>>
>>>> [SECURITYGROUP]
>>>> firewall_driver=neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
>>>>
>>>> Floating ip addresses are allocated from public ip range 212.190.96.140 -
>>>> 212.190.96.142 (eth0)
>>>>
>>>> Routing tables on my node
>>>>
>>>> Destination     Gateway         Genmask         Flags Metric Ref Use Iface
>>>> 212.190.96.128  *               255.255.255.224 U     0      0   0   br-ex
>>>> 192.168.1.0     *               255.255.255.0   U     0      0   0   eth2
>>>> 192.168.0.0     *               255.255.255.0   U     0      0   0   eth3
>>>> link-local      *               255.255.0.0     U     1002   0   0   eth0
>>>> link-local      *               255.255.0.0     U     1004   0   0   eth2
>>>> link-local      *               255.255.0.0     U     1005   0   0   eth3
>>>> link-local      *               255.255.0.0     U     1011   0   0   br-ex
>>>> default         212.190.96.129  0.0.0.0         UG    0      0   0   br-ex
>>>>
>>>>
>>>> I launched instance from dashboard and instance was allocated ip address
>>>> 10.0.0.3 from private network 10.0.0.0/24. Then I allocated the instance
>>>> floating ip address 212.190.96.141 from public network.
>>>>
>>>> The problem is that I can't ping the instance either through floating ip
>>>> address 212.190.96.141 or private address 10.0.0.3
>>>>
>>>> ~(keystone_admin)]# ip netns exec qdhcp-abe27f33-13e9-44d9-8f12-905cbccb615e ping 10.0.0.3
>>>> PING 10.0.0.3 (10.0.0.3) 56(84) bytes of data.
>>>>
>>>> However from inside the instance I can ping any ip address.
>>>>
>>>> But when I restart linux firewall iptables "service iptables restart" I
>>>> can ping the instance.
>>>> I can't understand why this happened. I suspect that "linux firewall
>>>> restart" deleted the records from iptables which were added by neutron
>>>> when launching the instance and permitted to ping the instance.
>>>>
>>>>
>>>> Can anybody help me ?
>>>>
>>>> Any hint ?
>>>>
>>>> I provide additional information.
>>>>
>>>> Network namespace of my openstack configuration:
>>>> # ip netns
>>>> qdhcp-abe27f33-13e9-44d9-8f12-905cbccb615e
>>>> qrouter-9080a234-308a-40c3-9dda-477e7a9cdd99
>>>>
>>>> # ip netns exec qrouter-9080a234-308a-40c3-9dda-477e7a9cdd99 route -n
>>>>
>>>> Destination     Gateway         Genmask         Flags Metric Ref Use Iface
>>>> 212.190.96.128  0.0.0.0         255.255.255.224 U     0      0   0   qg-fdd17595-7b
>>>> 10.0.0.0        0.0.0.0         255.255.255.0   U     0      0   0   qr-67571cae-0a
>>>> 0.0.0.0         212.190.96.129  0.0.0.0         UG    0      0   0   qg-fdd17595-7b
>>>>
>>>> # ip netns exec qdhcp-abe27f33-13e9-44d9-8f12-905cbccb615e route -n
>>>>
>>>> Destination     Gateway         Genmask         Flags Metric Ref Use Iface
>>>> 10.0.0.0        0.0.0.0         255.255.255.0   U     0      0   0   tape150108a-ef
>>>> 0.0.0.0         10.0.0.1        0.0.0.0         UG    0      0   0   tape150108a-ef
>>>>
>>>>
>>>> # ip netns exec qrouter-9080a234-308a-40c3-9dda-477e7a9cdd99 iptables -t nat -S
>>>>
>>>> -P PREROUTING ACCEPT
>>>> -P POSTROUTING ACCEPT
>>>> -P OUTPUT ACCEPT
>>>> -N neutron-l3-agent-OUTPUT
>>>> -N neutron-l3-agent-POSTROUTING
>>>> -N neutron-l3-agent-PREROUTING
>>>> -N neutron-l3-agent-float-snat
>>>> -N neutron-l3-agent-snat
>>>> -N neutron-postrouting-bottom
>>>> -A PREROUTING -j neutron-l3-agent-PREROUTING
>>>> -A POSTROUTING -j neutron-l3-agent-POSTROUTING
>>>> -A POSTROUTING -j neutron-postrouting-bottom
>>>> -A OUTPUT -j neutron-l3-agent-OUTPUT
>>>> -A neutron-l3-agent-OUTPUT -d 212.190.96.141/32 -j DNAT --to-destination 10.0.0.3
>>>> -A neutron-l3-agent-POSTROUTING ! -i qg-fdd17595-7b ! -o qg-fdd17595-7b -m conntrack ! --ctstate DNAT -j ACCEPT
>>>> -A neutron-l3-agent-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697
>>>> -A neutron-l3-agent-PREROUTING -d 212.190.96.141/32 -j DNAT --to-destination 10.0.0.3
>>>> -A neutron-l3-agent-float-snat -s 10.0.0.3/32 -j SNAT --to-source 212.190.96.141
>>>> -A neutron-l3-agent-snat -j neutron-l3-agent-float-snat
>>>> -A neutron-l3-agent-snat -s 10.0.0.0/24 -j SNAT --to-source 212.190.96.140
>>>> -A neutron-postrouting-bottom -j neutron-l3-agent-snat
>>>>
>>>>
>>>> # iptables -S | grep tap
>>>> -A neutron-openvswi-FORWARD -m physdev --physdev-out tapcfb4a18d-aa --physdev-is-bridged -j neutron-openvswi-sg-chain
>>>> -A neutron-openvswi-FORWARD -m physdev --physdev-in tapcfb4a18d-aa --physdev-is-bridged -j neutron-openvswi-sg-chain
>>>> -A neutron-openvswi-INPUT -m physdev --physdev-in tapcfb4a18d-aa --physdev-is-bridged -j neutron-openvswi-ocfb4a18d-a
>>>> -A neutron-openvswi-sg-chain -m physdev --physdev-out tapcfb4a18d-aa --physdev-is-bridged -j neutron-openvswi-icfb4a18d-a
>>>> -A neutron-openvswi-sg-chain -m physdev --physdev-in tapcfb4a18d-aa --physdev-is-bridged -j neutron-openvswi-ocfb4a18d-a
>>>>
>>>>
>>>> _______________________________________________
>>>> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>>>> Post to     : [email protected]
>>>> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
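
The default group listed in the quoted message, modelled as an added example (not code from the thread or from Neutron): an ingress rule whose Remote is the group "default" matches only sources that are members of that group, which is why the reply says ICMP still has to be opened. The Rule class, ingress_allowed function, the group membership and the 10.0.0.2 DHCP-port address are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    direction: str                      # "ingress" or "egress"
    ethertype: str                      # "IPv4" or "IPv6"
    protocol: Optional[str] = None      # None means "Any"
    remote_cidr: Optional[str] = None   # remote IP prefix
    remote_group: Optional[str] = None  # remote security group name


# The four rules shown in the dashboard listing above.
DEFAULT_GROUP = [
    Rule("ingress", "IPv4", remote_group="default"),
    Rule("egress", "IPv4", remote_cidr="0.0.0.0/0"),
    Rule("egress", "IPv6", remote_cidr="::/0"),
    Rule("ingress", "IPv6", remote_group="default"),
]


def ingress_allowed(rules, src_ip, protocol, group_members):
    """Return True if an inbound packet matches at least one ingress rule.

    group_members maps a security group name to the set of port IPs that
    belong to it; a remote-group rule matches only those sources.
    """
    src = ipaddress.ip_address(src_ip)
    ethertype = "IPv4" if src.version == 4 else "IPv6"
    for r in rules:
        if r.direction != "ingress" or r.ethertype != ethertype:
            continue
        if r.protocol not in (None, protocol):
            continue
        if r.remote_group is not None:
            if src_ip in group_members.get(r.remote_group, set()):
                return True
        elif r.remote_cidr is None or src in ipaddress.ip_network(r.remote_cidr):
            return True
    return False  # no matching rule: the packet is dropped


# Constructed membership: only the instance port (10.0.0.3) is in "default".
MEMBERS = {"default": {"10.0.0.3"}}
# The rule the reply asks for: ICMP from any IPv4 source.
WITH_ICMP = DEFAULT_GROUP + [Rule("ingress", "IPv4", "icmp", "0.0.0.0/0")]
```

With the Havana-era client the equivalent rule is created with `neutron security-group-rule-create --direction ingress --protocol icmp --remote-ip-prefix 0.0.0.0/0 default`.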
