I am facing a mysterious situation. I am using LinuxBridge (ML2) on OpenStack Newton all-in-one. I set up tcpdump on the tap device used by the instance and then attach a floating IP from the web UI. I see traffic flowing for a few seconds, after which there is no further traffic in/out of this tap device. During the first few seconds, I am able to ssh into the instance using the public IP. After 5-7 seconds, no connection can be established from the Internet. However, I am still able to ssh into the instance if I execute ssh w.r.t. the corresponding network namespace, like:
# ip netns exec <NETNS> ssh cirros@<PUBLIC_IP>

Why is this happening? I do not see any specific errors in neutron logs even with debug on. Attaching the relevant configs below.

# grep -Ev '^#|^$' /etc/nova/nova.conf
[DEFAULT]
auth_strategy = keystone
disk_allocation_ratio=10.0
my_ip = <PUBLIC_IP>
use_neutron = True
enabled_apis = osapi_compute,metadata
firewall_driver = nova.virt.firewall.NoopFirewallDriver
transport_url = rabbit://openstack:[email protected]
[api_database]
connection = mysql+pymysql://nova:[email protected]/nova_api
[barbican]
[cache]
[cells]
[cinder]
os_region_name = RegionOne
[cloudpipe]
[conductor]
[cors]
[cors.subdomain]
[crypto]
[database]
connection = mysql+pymysql://nova:[email protected]/nova
[ephemeral_storage_encryption]
[glance]
api_servers = http://openstack.mycloud.com:9292
[guestfs]
[hyperv]
[image_file_url]
[ironic]
[key_manager]
[keystone_authtoken]
auth_uri = http://openstack.mycloud.com:5000
auth_url = http://openstack.mycloud.com:35357
memcached_servers = openstack.mycloud.com:11211
auth_type = password
project_domain_name = Default
user_domain_name = Default
project_name = service
username = nova
password = 57227b66ed883b739e0b
[libvirt]
virt_type=kvm
[matchmaker_redis]
[metrics]
[mks]
[neutron]
url = http://openstack.mycloud.com:9696
auth_url = http://openstack.mycloud.com:35357
auth_type = password
project_domain_name = Default
user_domain_name = Default
region_name = RegionOne
project_name = service
username = neutron
password = 8b229c60d8faf31da416
service_metadata_proxy = True
metadata_proxy_shared_secret = d37bee945996e7ed5100
[osapi_v21]
[oslo_concurrency]
lock_path=/var/lib/nova/tmp
[oslo_messaging_amqp]
[oslo_messaging_notifications]
[oslo_messaging_rabbit]
[oslo_messaging_zmq]
[oslo_middleware]
[oslo_policy]
[placement]
[placement_database]
[rdp]
[remote_debug]
[serial_console]
[spice]
[ssl]
[trusted_computing]
[upgrade_levels]
[vmware]
[vnc]
enabled=true
vncserver_listen = $my_ip
vncserver_proxyclient_address = $my_ip
novncproxy_base_url = http://openstack.mycloud.com:6080/vnc_auto.html
[workarounds]
[wsgi]
[xenserver]
[xvp]

# grep -Ev '^#|^$' /etc/neutron/l3_agent.ini
[DEFAULT]
interface_driver = neutron.agent.linux.interface.BridgeInterfaceDriver
debug = true
[AGENT]

# grep -Ev '^#|^$' /etc/neutron/dhcp_agent.ini
[DEFAULT]
interface_driver = neutron.agent.linux.interface.BridgeInterfaceDriver
dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq
enable_isolated_metadata = True
[AGENT]

# grep -Ev '^#|^$' /etc/neutron/metadata_agent.ini
[DEFAULT]
nova_metadata_ip = openstack.mycloud.com
metadata_proxy_shared_secret = d37bee945996e7ed5100
[AGENT]
[cache]

# grep -Ev '^#|^$' /etc/neutron/neutron.conf
[DEFAULT]
auth_strategy = keystone
core_plugin = ml2
service_plugins = router
allow_overlapping_ips = True
notify_nova_on_port_status_changes = true
notify_nova_on_port_data_changes = true
debug = true
transport_url = rabbit://openstack:[email protected]
[agent]
[cors]
[cors.subdomain]
[database]
connection = mysql+pymysql://neutron:[email protected]/neutron
[keystone_authtoken]
auth_uri = http://openstack.mycloud.com:5000
auth_url = http://openstack.mycloud.com:35357
memcached_servers = openstack.mycloud.com:11211
auth_type = password
project_domain_name = Default
user_domain_name = Default
project_name = service
username = neutron
password = 8b229c60d8faf31da416
[matchmaker_redis]
[nova]
auth_url = http://openstack.mycloud.com:35357
auth_type = password
project_domain_name = Default
user_domain_name = Default
region_name = RegionOne
project_name = service
username = nova
password = 57227b66ed883b739e0b
[oslo_concurrency]
lock_path = /var/lib/neutron/tmp
[oslo_messaging_amqp]
[oslo_messaging_notifications]
[oslo_messaging_rabbit]
[oslo_messaging_zmq]
[oslo_middleware]
[oslo_policy]
[qos]
[quotas]
[ssl]

# grep -Ev '^#|^$' /etc/neutron/plugin.ini
[DEFAULT]
debug = true
[ml2]
type_drivers = flat,vlan,vxlan
tenant_network_types = vxlan
mechanism_drivers = linuxbridge,l2population
extension_drivers = port_security
[ml2_type_flat]
flat_networks = provider
[ml2_type_geneve]
[ml2_type_gre]
[ml2_type_vlan]
[ml2_type_vxlan]
vni_ranges = 1:1000
[securitygroup]
enable_ipset = True

On Fri, Jan 20, 2017 at 2:49 PM, Vikash Kumar <[email protected]> wrote:
> Checkout on the bridge connected to tap ports.
>
> On Thu, Jan 19, 2017 at 7:02 PM, Vimal Kumar <[email protected]> wrote:
>> Hi,
>>
>> Are the rules implemented in the iptables of the node (I am running an
>> all-in-one, LinuxBridge setup), or are they implemented in the iptables of a
>> separate network namespace?
>>
>> On Thu, Jan 19, 2017 at 1:27 PM, Melvin Hillsman <[email protected]> wrote:
>>> If you are running an all-in-one/single node deployment, your security
>>> groups are implemented via iptables on that node. If you had a multi-node
>>> setup, security group rules would show up on the compute hosts.
>>>
>>> On Thu, Jan 19, 2017 at 12:47 AM, Vimal Kumar <[email protected]> wrote:
>>>> Hi!
>>>>
>>>> How can I troubleshoot issues related to security groups? They are
>>>> probably getting implemented via iptables, but where? In the host iptables,
>>>> or inside a network namespace, or inside the instance itself? I am running a
>>>> single-node Newton.
>>>>
>>>> I am looking for a way to check whether the rules in my security group
>>>> are actually being implemented or not.
>>>>
>>>> Thank you!
>>>>
>>>> Regards,
>>>>
>>>> Vimal
>>>>
>>>> _______________________________________________
>>>> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>>>> Post to : [email protected]
>>>> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>>>
>>> --
>>> Kind regards,
>>>
>>> Melvin Hillsman
>>> Ops Technical Lead
>>> OpenStack Innovation Center
>>>
>>> [email protected]
>>> phone: (210) 312-1267
>>> mobile: (210) 413-1659
>>> http://osic.org
>>>
>>> Learner | Ideation | Belief | Responsibility | Command
>>
>
> --
> Regards,
> Vikash
_______________________________________________ Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack Post to : [email protected] Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
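The thread's question (are the security-group rules in the host's iptables or in a namespace, and how to check they are applied to a given instance port) can be answered mechanically on the all-in-one node. The following is an added example, not code from the thread or from Neutron: it parses `iptables-save` output taken in the root namespace, which is where the LinuxBridge firewall driver programs its rules, finds the per-port chains that a given tap device is dispatched to, and walks the ingress chain the way the first packet of a new connection would. The chain-naming convention it relies on (neutron-linuxbri-i<id> for ingress, neutron-linuxbri-o<id> for egress, <id> being the tap name with the "tap" prefix stripped and truncated to 10 characters, dispatch via `--physdev-in`/`--physdev-out` rules, allowed traffic ending in `-j RETURN`) is what the Newton LinuxBridge iptables driver does and is stated here as an assumption; the embedded ruleset is constructed for the example, not captured from a real node.

```python
"""Locate and evaluate the Neutron security-group iptables chains for a tap.

Added example for this thread, not Neutron's own code. Input is iptables-save
output from the root namespace of the node. Assumed naming (Newton LinuxBridge
driver): neutron-linuxbri-i<id> / neutron-linuxbri-o<id> with <id> = tap name
minus 'tap', first 10 chars; allowed traffic in those chains hits -j RETURN.
"""
import re
import sys

# Constructed sample (not captured from a real node): one instance port
# tap1a2b3c4d-5e whose security group allows SSH and ICMP ingress only.
SAMPLE_IPTABLES_SAVE = """\
*filter
:FORWARD ACCEPT [0:0]
:neutron-linuxbri-FORWARD - [0:0]
:neutron-linuxbri-sg-chain - [0:0]
:neutron-linuxbri-sg-fallback - [0:0]
:neutron-linuxbri-i1a2b3c4d-5 - [0:0]
:neutron-linuxbri-o1a2b3c4d-5 - [0:0]
-A FORWARD -j neutron-linuxbri-FORWARD
-A neutron-linuxbri-FORWARD -m physdev --physdev-out tap1a2b3c4d-5e --physdev-is-bridged -j neutron-linuxbri-sg-chain
-A neutron-linuxbri-FORWARD -m physdev --physdev-in tap1a2b3c4d-5e --physdev-is-bridged -j neutron-linuxbri-sg-chain
-A neutron-linuxbri-sg-chain -m physdev --physdev-out tap1a2b3c4d-5e --physdev-is-bridged -j neutron-linuxbri-i1a2b3c4d-5
-A neutron-linuxbri-sg-chain -m physdev --physdev-in tap1a2b3c4d-5e --physdev-is-bridged -j neutron-linuxbri-o1a2b3c4d-5
-A neutron-linuxbri-sg-chain -j ACCEPT
-A neutron-linuxbri-i1a2b3c4d-5 -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-linuxbri-i1a2b3c4d-5 -p tcp -m tcp --dport 22 -j RETURN
-A neutron-linuxbri-i1a2b3c4d-5 -p icmp -j RETURN
-A neutron-linuxbri-i1a2b3c4d-5 -m state --state INVALID -j DROP
-A neutron-linuxbri-i1a2b3c4d-5 -j neutron-linuxbri-sg-fallback
-A neutron-linuxbri-o1a2b3c4d-5 -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-linuxbri-o1a2b3c4d-5 -j RETURN
-A neutron-linuxbri-sg-fallback -j DROP
COMMIT
"""

TERMINAL = ("ACCEPT", "DROP", "REJECT", "RETURN")


def parse_iptables_save(text):
    """Return {chain: [rule, ...]} in rule order for every chain in the dump."""
    chains = {}
    for line in text.splitlines():
        if line.startswith(":"):
            chains.setdefault(line[1:].split()[0], [])
        elif line.startswith("-A "):
            _, chain, rule = line.split(" ", 2)
            chains.setdefault(chain, []).append(rule)
    return chains


def port_chains(chains, tap):
    """Find the ingress/egress per-port chains that physdev rules send `tap` to."""
    port_id = tap[3:13]  # assumption: how the driver derives the chain id
    expected = {"ingress": "neutron-linuxbri-i" + port_id,
                "egress": "neutron-linuxbri-o" + port_id}
    found = {}
    for rules in chains.values():
        for rule in rules:
            m = re.search(r"--physdev-(?:in|out) (\S+).* -j (\S+)$", rule)
            if m and m.group(1) == tap:
                for direction, name in expected.items():
                    if m.group(2) == name and name in chains:
                        found[direction] = name
    return found


def new_conn_verdict(chains, chain, proto, dport=None, depth=0):
    """Walk `chain` as the first packet of a NEW connection would and return
    the terminal target ('RETURN' = allowed by a per-port chain), or None."""
    if depth > 8:  # guard against loops in a hand-edited ruleset
        return None
    for rule in chains.get(chain, []):
        # conntrack rules for existing or invalid flows never match a fresh SYN
        if "--state RELATED,ESTABLISHED" in rule or "--state INVALID" in rule:
            continue
        pm = re.search(r"-p (\S+)", rule)
        if pm and pm.group(1) != proto:
            continue
        dm = re.search(r"--dport (\d+)(?::(\d+))?", rule)
        if dm:
            lo, hi = int(dm.group(1)), int(dm.group(2) or dm.group(1))
            if dport is None or not lo <= dport <= hi:
                continue
        jm = re.search(r"-j (\S+)", rule)
        if not jm:
            continue
        target = jm.group(1)
        if target in TERMINAL:
            return target
        if target in chains:  # user-defined chain: descend, honour a final verdict
            verdict = new_conn_verdict(chains, target, proto, dport, depth + 1)
            if verdict in ("ACCEPT", "DROP", "REJECT"):
                return verdict
    return None


def check_port(text, tap, proto, dport=None):
    """Summarise what the node's security-group rules do for ingress to `tap`."""
    chains = parse_iptables_save(text)
    found = port_chains(chains, tap)
    verdict = None
    if "ingress" in found:
        verdict = new_conn_verdict(chains, found["ingress"], proto, dport)
    return {"chains": found, "ingress_verdict": verdict,
            "ingress_allowed": verdict == "RETURN"}


if __name__ == "__main__":
    # usage: iptables-save > /tmp/ipt.txt; python3 sgcheck.py tapXXXXXXXX-XX /tmp/ipt.txt
    tap = sys.argv[1] if len(sys.argv) > 1 else "tap1a2b3c4d-5e"
    text = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_IPTABLES_SAVE
    for proto, port in (("tcp", 22), ("tcp", 80), ("icmp", None)):
        r = check_port(text, tap, proto, port)
        print(tap, proto, port, r["chains"] or "no per-port chains",
              "allowed" if r["ingress_allowed"] else "blocked")
```

Two readings of the output matter for the thread. If no per-port chains are found for the tap at all, the security group has not been programmed for that port on this node (so the instance is either unfiltered or being dropped elsewhere). If the chains exist and the walk says a port is allowed, yet traffic still does not arrive, the rules are present but not the cause: `--physdev` matching in FORWARD only sees bridged frames when br_netfilter is loaded and `net.bridge.bridge-nf-call-iptables` is 1, so that sysctl is the next thing to confirm, and a packet that vanishes from the tap after a few seconds with the rules unchanged points at the bridge or the L2 path rather than the security group.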
