On 02/04/2016 11:23 AM, Kamen Tarlov wrote:
> Sorry, my previous reply wasn't directed to the list. I'm reposting.
> Hello Brian,
> Thanks for the answer. Probably my knowledge around Neutron is not sufficient to
> add a DNAT address from there. But let me answer your question.
> When I get the machine up with a private address I'm adding an ifconfig alias, for
> example bond0:1 with the real IP, and then setting rules for different ports to
> different VMs.
When you configured your external network and subnet in Neutron, you should have
specified an allocation range for Floating IP addresses. See
http://docs.openstack.org/kilo/install-guide/install/apt/content/neutron_initial-external-network.html
for an example. You shouldn't need to manually add an IP address for a VM.
> '/sbin/iptables -t nat -A neutron-openvswi-PREROUTING -d {{ external_ip }} -p tcp --dport {{ external_ports }} -j DNAT --to-destination {{ vm.address }}:{{ internal_ports }}'
> (well, before that I was setting it in the PREROUTING chain, but it was the same)
> So basically I would like to persist a rule like this in the
> neutron-openvswi-PREROUTING chain.
This will never work. The problem is that those iptables chains and rules
starting with 'neutron-openvswi-' are "owned" by the neutron agent. Any time
there is a port status change requiring a security group update, it will
re-write everything with that prefix, throwing away whatever you put there.
> I know the other way would be to set the public IP as floating, but that's too much
> waste of resources for a single node.
> This is what I'm trying to achieve; if there is any better way of doing it through
> the Neutron API it would be nice to know it.
> If I understand correctly, if the neutron agents are down and I apply the
> iptables command, the rules will be preserved after start?
Not if you are using that prefix, only for other rules you might be adding to
other chains, like filter:INPUT.
-Brian
> On Thu, Feb 4, 2016 at 6:05 PM, Remo Mattei <[email protected]> wrote:
>> I agree with Brian.
>> Let neutron do all the work and now those rules are in the namespace.
>> Therefore I would suggest to try and let all the services do their job and
>> see if that works.
>> Sent from iPhone
>>> On 04 Feb 2016, at 06:56, Brian Haley <[email protected]> wrote:
>>>
>>>> On 02/04/2016 07:05 AM, Kamen Tarlov wrote:
>>>> Hello,
>>>>
>>>> We have a single node installation with the RDO Kilo release. The network
>>>> configuration consists of 2 private networks, and one of them is floating.
>>>> Networks are routed just inside the node. The problem I'm facing is when I
>>>> try to configure the DNAT rules to reroute the traffic/ports to a VM.
>>>> Initially the traffic to the VM works fine until neutron reorders the rules
>>>> on top:
>>>>
>>>> Chain PREROUTING (policy ACCEPT)
>>>> target prot opt source destination
>>>> neutron-openvswi-PREROUTING all -- anywhere anywhere
>>>> nova-api-PREROUTING all -- anywhere anywhere
>>>>
>>>> Is there any way I can prevent this or set them with lower priority?
>>>
>>> I guess my first question is, why are you manually adding DNAT rules?
>>> Why aren't you letting Neutron manage iptables for the VMs? You would need
>>> to give more information on the exact rule you are trying to add to help
>>> make things clearer.
>>>
>>> As a rule of thumb, it's a bad idea to try and add/remove iptables rules
>>> while Neutron agents are running; you will eventually find yourself in a
>>> race condition where rules are missing and things don't work. If you need
>>> to add a rule I would recommend doing it before the agents are started, that
>>> way it will get left alone.
>>>
>>> -Brian
>>>
>>> _______________________________________________
>>> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>>> Post to : [email protected]
>>> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>>>
> --
> Best Regards,
> Kamen Tarlov
> Sr. Engineer
> phone +359 894224491
> Bulgaria, Sofia
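A practical check for the point Brian makes in the thread (a rule placed in a 'neutron-openvswi-' chain is thrown away when the agent rewrites that chain, while a rule in a chain the agents do not manage, such as filter:INPUT, survives), added here as an example and not code from the thread or from Neutron itself: a small Python script that parses iptables-save output and reports which rules sit in agent-owned chains. The sample rule set, the 203.0.113.10 and 10.0.0.5 addresses, the script name check_agent_chains.py, and the assumption that 'nova-' chains are regenerated the same way as 'neutron-' chains are all constructed for the example.

```python
"""Added example: classify iptables rules by whether a Neutron/Nova agent
regenerates the chain they live in.

Every chain whose name starts with 'neutron-openvswi-' is owned by the OVS
agent and is rewritten on the next security-group refresh, so anything a
person appends there is lost. This script reads iptables-save output and
reports rules in such agent-owned chains (volatile) separately from rules in
chains the agents leave alone (persistent). The sample rule set below is
constructed for the example; treating 'nova-' chains like 'neutron-' chains
is an assumption, not something the thread states.
"""
import re
import sys
from typing import Dict, List, Optional, Tuple

# Assumption: any chain with one of these prefixes is regenerated by an agent.
AGENT_OWNED_PREFIXES = ("neutron-", "nova-")

RULE_RE = re.compile(r"^-A\s+(\S+)\s+(.*)$")   # "-A <chain> <rule body>"
TARGET_RE = re.compile(r"-j\s+(\S+)")           # jump target of a rule

# Constructed sample modelled on a single-node Kilo host; not taken from the thread.
SAMPLE_IPTABLES_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
:neutron-openvswi-PREROUTING - [0:0]
:nova-api-PREROUTING - [0:0]
-A PREROUTING -j neutron-openvswi-PREROUTING
-A PREROUTING -j nova-api-PREROUTING
-A PREROUTING -d 203.0.113.10/32 -p tcp -m tcp --dport 2222 -j DNAT --to-destination 10.0.0.5:22
-A neutron-openvswi-PREROUTING -d 203.0.113.10/32 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 10.0.0.5:80
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""


def parse_iptables_save(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Parse iptables-save output into {table: [(chain, rule_body), ...]}."""
    tables: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):          # table header, e.g. "*nat"
            current = line[1:]
            tables.setdefault(current, [])
        elif line == "COMMIT":
            current = None
        elif line.startswith(":"):        # chain declaration with policy/counters
            continue
        elif current is not None:
            m = RULE_RE.match(line)
            if m:
                tables[current].append((m.group(1), m.group(2)))
    return tables


def is_agent_owned(chain: str) -> bool:
    """True when the chain name carries an agent prefix and will be rewritten."""
    return chain.startswith(AGENT_OWNED_PREFIXES)


def classify_rules(text: str, match: Optional[str] = None) -> Dict[str, List[str]]:
    """Split rules into three buckets of 'table:chain body' strings.

    volatile:     rules inside an agent-owned chain; the agent rewrites that
                  chain wholesale, so these disappear on the next refresh.
    agent_wiring: the agent's own jumps from a built-in chain into its chains.
    persistent:   rules in chains the agents do not manage (e.g. filter:INPUT).
    `match` optionally limits the report to rules containing that substring.
    """
    result: Dict[str, List[str]] = {"volatile": [], "agent_wiring": [], "persistent": []}
    for table, rules in parse_iptables_save(text).items():
        for chain, body in rules:
            if match is not None and match not in body:
                continue
            entry = f"{table}:{chain} {body}"
            target = TARGET_RE.search(body)
            if is_agent_owned(chain):
                result["volatile"].append(entry)
            elif target and is_agent_owned(target.group(1)):
                result["agent_wiring"].append(entry)
            else:
                result["persistent"].append(entry)
    return result


if __name__ == "__main__":
    # Usage (hypothetical filename): iptables-save | python3 check_agent_chains.py [substring]
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_IPTABLES_SAVE
    report = classify_rules(text, sys.argv[1] if len(sys.argv) > 1 else None)
    for bucket, entries in report.items():
        print(f"== {bucket} ({len(entries)})")
        for entry in entries:
            print("  " + entry)
```

Run it on the host with iptables-save piped in, optionally passing a substring such as DNAT to limit the report to your own rules. Anything listed under volatile is in a chain the agent will regenerate and has to move to a chain the agents do not manage, or be replaced by a floating IP as the thread suggests; the agent_wiring bucket holds the jumps the agents insert themselves and is listed only so they are not mistaken for rules you added.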