On 5/7/15 1:23 PM, Antonio Messina wrote:
> On Thu, May 7, 2015 at 7:30 PM, Andrew Bogott <abog...@wikimedia.org> wrote:
>> On 5/7/15 2:34 AM, Antonio Messina wrote:
>>> On Wed, May 6, 2015 at 10:56 PM, Andrew Bogott <abog...@wikimedia.org> wrote:
>>>> Since time immemorial, I've accepted as a fact of life that routing from
>>>> a nova instance to another instance via floating IP is impossible. We've
>>>> coped with this via a hack in dnsmasq, setting an alias to rewrite public
>>>> IPs to the corresponding internal IP.
>>> Have you checked this serverfault question[0]? The issue is different
>>> though: VM not being able to contact its own floating IP, but maybe
>>> it's related. It also contains links to relevant bugs.
>> I did see that, although it seems to be a subcase of my issue (implying that
>> routing is working for people in general, just not from a host to itself.)
>> I'm glad to hear that it works for you! I just now tried setting
> It works because I patched Folsom, backporting some patch from some
> newer OpenStack release :)

OK, we've made some progress with this -- the solution seems to involve
changing my dmz_cidr setting and switching our bridge to promiscuous mode.
However -- I'm now unclear on whether this will fix all routing, or just
routing between instances that have floating IPs assigned (I have lots
of both.) Antonio, do all cases work? Or do you have floating IPs
assigned to everything?

>> force_snat_range for my floating IP range but I'm still not getting any
>> pings. Strangely if I restart nova-network things work for a minute or two,
>> then return to the status quo. That means that no matter what I change, it
>> looks like it worked, for a minute :)
> When you restart nova-network, the firewall rules are cleaned up and
> then re-created, so there is a sort of "race condition" during which
> the firewall rules might allow this type of traffic. But it's a "bug"
> :)
>
> IMHO you should try to understand *why* it doesn't work. In my case, I
> remember one of the problems was that when VM1 contacts VM2 using the
> floating IPs, the firewall rules were only performing DNAT but not
> SNAT, so the packets arrive at VM2 with the source IP of VM1 (the
> private IP), instead of the floating IP. This implies that VM2 will
> reply with the *private IP* instead of the floating IP, so that VM1
> will drop the packet as unknown/not requested.
>
> To fix this, you need an iptables rule like:
>
> iptables -t nat -A POSTROUTING -s <fixedip> -m conntrack --ctstate DNAT -j SNAT --to-source <floating-ip>
>
> See also
> https://github.com/openstack/nova/commit/b8c434630d31f49ae0e9686ddfac8f25acf117b1
>
> .a.
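The DNAT-without-SNAT failure Antonio describes, modelled as an added example (not code from this thread or from nova): the addresses and the 1:1 floating/fixed table are constructed stand-ins for nova-network's floating IP mapping and its conntrack entry, and the `snat_on_dnat` flag corresponds to whether the POSTROUTING rule quoted above is installed.

```python
# Constructed sample addresses: each instance has a fixed (private) IP and a
# floating IP mapped 1:1 by the network node.
FLOATING_TO_FIXED = {"203.0.113.10": "10.0.0.2",   # VM1
                     "203.0.113.11": "10.0.0.3"}   # VM2
FIXED_TO_FLOATING = {fixed: fl for fl, fixed in FLOATING_TO_FIXED.items()}


def nat_forward(pkt, snat_on_dnat):
    """Network node, request direction. pkt is (src, dst).
    PREROUTING DNAT rewrites a floating destination to the fixed IP. The
    POSTROUTING rule from the mail (-m conntrack --ctstate DNAT -j SNAT)
    additionally rewrites the source to its floating IP, but only for a
    flow that was DNATed."""
    src, dst = pkt
    if dst in FLOATING_TO_FIXED:
        dst = FLOATING_TO_FIXED[dst]
        if snat_on_dnat:
            src = FIXED_TO_FLOATING.get(src, src)
    return (src, dst)


def nat_reverse(pkt):
    """Network node, reply direction: conntrack undoes both translations of
    a tracked flow. The static table models the conntrack entry here."""
    src, dst = pkt
    return (FIXED_TO_FLOATING.get(src, src), FLOATING_TO_FIXED.get(dst, dst))


def vm1_to_vm2_via_floating(snat_on_dnat):
    """VM1 (10.0.0.2) sends to VM2's floating IP. Returns the reply as VM1
    receives it and whether VM1 can match it to the request it sent."""
    request = ("10.0.0.2", "203.0.113.11")
    on_wire = nat_forward(request, snat_on_dnat)
    # VM2 answers whatever source address it saw in the request.
    reply = (on_wire[1], on_wire[0])
    if reply[1] in FLOATING_TO_FIXED:
        # Addressed to a floating IP: routed back through the network node
        # and de-NATed by conntrack.
        reply = nat_reverse(reply)
    # Otherwise (no SNAT) the reply is delivered over the private network
    # directly, arriving with VM2's fixed IP as source.
    expected = (request[1], request[0])   # VM1 expects src == the dst it used
    return reply, reply == expected
```

Without the SNAT rule the reply reaches VM1 from 10.0.0.3 while VM1 is waiting on a reply from 203.0.113.11, which is the "unknown/not requested" drop in the mail; with the rule the reply is de-NATed back to the expected tuple.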
_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack