I've added to the default security group the following:

. keystonerc_demo
~(keystone_demo)]# neutron security-group-rule-create --protocol icmp --direction ingress default
~(keystone_demo)]# neutron security-group-rule-create --protocol tcp --port-range-min 22 --port-range-max 22 --direction ingress default

After that I can ping the instance:

~(keystone_admin)]# ip netns exec qdhcp-abe27f33-13e9-44d9-8f12-905cbccb615e ping 10.0.0.3
PING 10.0.0.3 (10.0.0.3) 56(84) bytes of data.
64 bytes from 10.0.0.3: icmp_seq=1 ttl=64 time=0.365 ms
64 bytes from 10.0.0.3: icmp_seq=2 ttl=64 time=0.238 ms
64 bytes from 10.0.0.3: icmp_seq=3 ttl=64 time=0.189 ms

>
> But on another machine under Scientific Linux 6.4 with OpenStack Neutron,
> and the same configuration and default security group, I can ping an instance.
> The only difference is that that machine has 1 NIC rather than multiple ones.
>
>
>> No, that is not correct. You need to open icmp.
>>
>> Sent from iPhone
>>
>>> On Mar 16, 2014, at 12:44, "Anatoly Oreshkin" <[email protected]> wrote:
>>>
>>> In the dashboard, in Access & Security, I see the default security group, which is as
>>> follows:
>>>
>>> Security Group Rules
>>>
>>> Direction  Ether Type  IP Protocol  Port Range  Remote
>>> Ingress    IPv4        Any          -           default
>>> Egress     IPv4        Any          -           0.0.0.0/0 (CIDR)
>>> Egress     IPv6        Any          -           ::/0 (CIDR)
>>> Ingress    IPv6        Any          -           default
>>>
>>> As I understand it, every protocol and port is allowed.
>>>
>>>
>>>> Did you open the security group for icmp?
>>>>
>>>> Sent from iPhone
>>>>
>>>>> On Mar 16, 2014, at 10:36, "Anatoly Oreshkin" <[email protected]> wrote:
>>>>>
>>>>> Hello,
>>>>>
>>>>> I've installed OpenStack Havana with Neutron all-in-one on a single node
>>>>> under Scientific Linux 6.4 having multiple NICs, specifically eth0 with
>>>>> public network 212.190.96.128/27 and eth2 with internal network 192.168.1.0/24.
>>>>>
>>>>> All openstack components were installed on ip address 212.190.96.14 (eth0)
>>>>> CONFIG_NOVA_NETWORK_PUBIF=eth0
>>>>>
>>>>> OpenStack configuration follows:
>>>>>
>>>>> /etc/neutron/plugin.ini
>>>>>
>>>>> [OVS]
>>>>> vxlan_udp_port=4789
>>>>> tenant_network_type=local
>>>>> enable_tunneling=False
>>>>> integration_bridge=br-int
>>>>> network_vlan_ranges = physnet1
>>>>> bridge_mappings = physnet1:br-ex
>>>>>
>>>>> [AGENT]
>>>>> polling_interval=2
>>>>>
>>>>> [SECURITYGROUP]
>>>>> firewall_driver=neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
>>>>>
>>>>> Floating ip addresses are allocated from public ip range 212.190.96.140 -
>>>>> 212.190.96.142 (eth0)
>>>>>
>>>>> Routing tables on my node
>>>>>
>>>>> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
>>>>> 212.190.96.128  *               255.255.255.224 U     0      0        0 br-ex
>>>>> 192.168.1.0     *               255.255.255.0   U     0      0        0 eth2
>>>>> 192.168.0.0     *               255.255.255.0   U     0      0        0 eth3
>>>>> link-local      *               255.255.0.0     U     1002   0        0 eth0
>>>>> link-local      *               255.255.0.0     U     1004   0        0 eth2
>>>>> link-local      *               255.255.0.0     U     1005   0        0 eth3
>>>>> link-local      *               255.255.0.0     U     1011   0        0 br-ex
>>>>> default         212.190.96.129  0.0.0.0         UG    0      0        0 br-ex
>>>>>
>>>>> I launched an instance from the dashboard and the instance was allocated ip
>>>>> address 10.0.0.3 from private network 10.0.0.0/24. Then I allocated the instance
>>>>> floating ip address 212.190.96.141 from the public network.
>>>>>
>>>>> The problem is that I can't ping the instance either through floating ip address
>>>>> 212.190.96.141 or private address 10.0.0.3
>>>>>
>>>>> ~(keystone_admin)]# ip netns exec qdhcp-abe27f33-13e9-44d9-8f12-905cbccb615e ping 10.0.0.3
>>>>> PING 10.0.0.3 (10.0.0.3) 56(84) bytes of data.
>>>>>
>>>>> However, from inside the instance I can ping any ip address.
>>>>>
>>>>> But when I restart the linux firewall iptables ("service iptables restart") I can
>>>>> ping the instance. I can't understand why this happened. I suspect that the "linux
>>>>> firewall restart" deleted the records from iptables which were added by neutron
>>>>> when launching the instance, and permitted pinging the instance.
>>>>>
>>>>> Can anybody help me?
>>>>>
>>>>> Any hint?
>>>>>
>>>>> I provide additional information.
>>>>>
>>>>> Network namespaces of my openstack configuration:
>>>>> # ip netns
>>>>> qdhcp-abe27f33-13e9-44d9-8f12-905cbccb615e
>>>>> qrouter-9080a234-308a-40c3-9dda-477e7a9cdd99
>>>>>
>>>>> # ip netns exec qrouter-9080a234-308a-40c3-9dda-477e7a9cdd99 route -n
>>>>>
>>>>> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
>>>>> 212.190.96.128  0.0.0.0         255.255.255.224 U     0      0        0 qg-fdd17595-7b
>>>>> 10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 qr-67571cae-0a
>>>>> 0.0.0.0         212.190.96.129  0.0.0.0         UG    0      0        0 qg-fdd17595-7b
>>>>>
>>>>> # ip netns exec qdhcp-abe27f33-13e9-44d9-8f12-905cbccb615e route -n
>>>>>
>>>>> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
>>>>> 10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tape150108a-ef
>>>>> 0.0.0.0         10.0.0.1        0.0.0.0         UG    0      0        0 tape150108a-ef
>>>>>
>>>>>
>>>>> # ip netns exec qrouter-9080a234-308a-40c3-9dda-477e7a9cdd99 iptables -t nat -S
>>>>>
>>>>> -P PREROUTING ACCEPT
>>>>> -P POSTROUTING ACCEPT
>>>>> -P OUTPUT ACCEPT
>>>>> -N neutron-l3-agent-OUTPUT
>>>>> -N neutron-l3-agent-POSTROUTING
>>>>> -N neutron-l3-agent-PREROUTING
>>>>> -N neutron-l3-agent-float-snat
>>>>> -N neutron-l3-agent-snat
>>>>> -N neutron-postrouting-bottom
>>>>> -A PREROUTING -j neutron-l3-agent-PREROUTING
>>>>> -A POSTROUTING -j neutron-l3-agent-POSTROUTING
>>>>> -A POSTROUTING -j neutron-postrouting-bottom
>>>>> -A OUTPUT -j neutron-l3-agent-OUTPUT
>>>>> -A neutron-l3-agent-OUTPUT -d 212.190.96.141/32 -j DNAT --to-destination 10.0.0.3
>>>>> -A neutron-l3-agent-POSTROUTING ! -i qg-fdd17595-7b ! -o qg-fdd17595-7b -m conntrack ! --ctstate DNAT -j ACCEPT
>>>>> -A neutron-l3-agent-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697
>>>>> -A neutron-l3-agent-PREROUTING -d 212.190.96.141/32 -j DNAT --to-destination 10.0.0.3
>>>>> -A neutron-l3-agent-float-snat -s 10.0.0.3/32 -j SNAT --to-source 212.190.96.141
>>>>> -A neutron-l3-agent-snat -j neutron-l3-agent-float-snat
>>>>> -A neutron-l3-agent-snat -s 10.0.0.0/24 -j SNAT --to-source 212.190.96.140
>>>>> -A neutron-postrouting-bottom -j neutron-l3-agent-snat
>>>>>
>>>>>
>>>>> # iptables -S | grep tap
>>>>> -A neutron-openvswi-FORWARD -m physdev --physdev-out tapcfb4a18d-aa --physdev-is-bridged -j neutron-openvswi-sg-chain
>>>>> -A neutron-openvswi-FORWARD -m physdev --physdev-in tapcfb4a18d-aa --physdev-is-bridged -j neutron-openvswi-sg-chain
>>>>> -A neutron-openvswi-INPUT -m physdev --physdev-in tapcfb4a18d-aa --physdev-is-bridged -j neutron-openvswi-ocfb4a18d-a
>>>>> -A neutron-openvswi-sg-chain -m physdev --physdev-out tapcfb4a18d-aa --physdev-is-bridged -j neutron-openvswi-icfb4a18d-a
>>>>> -A neutron-openvswi-sg-chain -m physdev --physdev-in tapcfb4a18d-aa --physdev-is-bridged -j neutron-openvswi-ocfb4a18d-a
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>>>>> Post to     : [email protected]
>>>>> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
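As an added illustration (not code from the thread or from Neutron itself), the following Python model of security-group evaluation shows why the default group's "Remote: default" rules admit ICMP only from ports that are themselves members of the default group, and why the two rules added at the top of the thread open ICMP and TCP/22 for any source. The rule table, the member list and the addresses 10.0.0.2, 10.0.0.4 and 198.51.100.7 are constructed sample values.

```python
import ipaddress

# Constructed copy of the four dashboard rules of the default group. In the Remote
# column, "default" means "ports that belong to the security group named default".
DEFAULT_RULES = """\
ingress IPv4 any - default
egress  IPv4 any - 0.0.0.0/0
egress  IPv6 any - ::/0
ingress IPv6 any - default
"""
# Constructed equivalent of the two neutron security-group-rule-create calls above.
ADDED_RULES = """\
ingress IPv4 icmp -     0.0.0.0/0
ingress IPv4 tcp  22-22 0.0.0.0/0
"""


def parse_rules(text):
    """Turn the table into tuples (direction, ethertype, proto, port_lo, port_hi, remote)."""
    rules = []
    for line in text.splitlines():
        direction, ethertype, proto, ports, remote = line.split()
        lo, hi = (None, None) if ports == "-" else [int(p) for p in ports.split("-")]
        rules.append((direction, ethertype, proto, lo, hi, remote))
    return rules


def rule_matches(rule, direction, proto, port, remote_ip, members):
    """members maps a security-group name to the IPs of instance ports in that group."""
    r_dir, r_eth, r_proto, lo, hi, remote = rule
    ip = ipaddress.ip_address(remote_ip)
    if r_dir != direction or r_eth != ("IPv4" if ip.version == 4 else "IPv6"):
        return False
    if r_proto != "any" and r_proto != proto:
        return False
    if lo is not None and not (port is not None and lo <= port <= hi):
        return False
    if "/" in remote:                          # CIDR remote: plain prefix match
        return ip in ipaddress.ip_network(remote)
    return remote_ip in members.get(remote, ())  # remote group: only its member ports


def is_allowed(rules, direction, proto, port, remote_ip, members):
    """Security groups are allow-lists: any matching rule admits, otherwise the packet is dropped."""
    return any(rule_matches(r, direction, proto, port, remote_ip, members) for r in rules)


if __name__ == "__main__":
    members = {"default": {"10.0.0.3", "10.0.0.4"}}   # constructed: two instances in the group
    base = parse_rules(DEFAULT_RULES)
    # A ping from the DHCP namespace (constructed source 10.0.0.2, not an instance port)
    print(is_allowed(base, "ingress", "icmp", None, "10.0.0.2", members))
    print(is_allowed(base + parse_rules(ADDED_RULES), "ingress", "icmp", None, "10.0.0.2", members))
```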
