floating ip and namespace issue

Asked by vj

I have set up Folsom Quantum based on this URL (controller node/network node/compute node):
https://github.com/mseknibilel/OpenStack-Folsom-Install-guide/blob/master/OpenStack_Folsom_Install_Guide_WebVersion.rst

use_namespaces and allow_overlapping_Ips are set to TRUE.

nova-api is on the controller node, and the l3 and dhcp agents are on the network node.

Added the external router gateway (192.168.1.185) as the next hop on the controller node where nova-api is running.
[Able to ping the gateway address from other nodes.]

I am able to launch a simple tty linux image.

I am able to ping and ssh into it through router namespace from the network node.

I still see problems:

1) The launched VM still cannot access the metadata service.
wget: can't connect to remote host (169.254.169.254): Network is unreachable
An iptables rule for this is set in the router namespace. See below for the iptables rules.

2) Floating IP:
I am able to assign a floating IP to the VM. However, I can ping and ssh to it only through the router namespace on the network node. I cannot access it directly from the other nodes on that network (floating IP/external network).

Any clue is appreciated.

root@network:/home/localadmin# ip netns
qdhcp-f69a3d72-5284-48f1-ac71-d416ae11fef4
qrouter-24231e93-71e6-43e7-a692-7a96019aba4b

root@network:/home/localadmin# ip netns exec qrouter-24231e93-71e6-43e7-a692-7a96019aba4b ifconfig
lo Link encap:Local Loopback
          inet addr:127.0.0.1 Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING MTU:16436 Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

qg-c2281f74-eb Link encap:Ethernet HWaddr fa:16:3e:2f:2c:97
          inet addr:192.168.1.185 Bcast:192.168.1.191 Mask:255.255.255.240
          inet6 addr: fe80::f816:3eff:fe2f:2c97/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
          RX packets:9565 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:617789 (617.7 KB) TX bytes:468 (468.0 B)

qr-5ad57be7-ae Link encap:Ethernet HWaddr fa:16:3e:96:3d:83
          inet addr:192.168.14.1 Bcast:192.168.14.255 Mask:255.255.255.0
          inet6 addr: fe80::f816:3eff:fe96:3d83/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
          RX packets:192 errors:0 dropped:0 overruns:0 frame:0
          TX packets:178 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:22694 (22.6 KB) TX bytes:19030 (19.0 KB)

root@network:/home/localadmin# ip netns exec qrouter-24231e93-71e6-43e7-a692-7a96019aba4b iptables -L -nv -t nat
Chain PREROUTING (policy ACCEPT 4 packets, 708 bytes)
 pkts bytes target prot opt in out source destination
    4 708 quantum-l3-agent-PREROUTING all -- * * 0.0.0.0/0 0.0.0.0/0
Chain INPUT (policy ACCEPT 2 packets, 632 bytes)
 pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    0 0 quantum-l3-agent-OUTPUT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    0 0 quantum-l3-agent-POSTROUTING all -- * * 0.0.0.0/0 0.0.0.0/0
    0 0 quantum-postrouting-bottom all -- * * 0.0.0.0/0 0.0.0.0/0

Chain quantum-l3-agent-OUTPUT (1 references)
 pkts bytes target prot opt in out source destination
    0 0 DNAT all -- * * 0.0.0.0/0 192.168.1.186 to:192.168.14.3

Chain quantum-l3-agent-POSTROUTING (1 references)
 pkts bytes target prot opt in out source destination
    0 0 ACCEPT all -- !qg-c2281f74-eb !qg-c2281f74-eb 0.0.0.0/0 0.0.0.0/0 ! ctstate DNAT
    0 0 ACCEPT all -- * * 192.168.14.0/24 192.168.1.78

Chain quantum-l3-agent-PREROUTING (1 references)
 pkts bytes target prot opt in out source destination
    0 0 DNAT tcp -- * * 0.0.0.0/0 169.254.169.254 tcp dpt:80 to:192.168.1.78:8775
    0 0 DNAT all -- * * 0.0.0.0/0 192.168.1.186 to:192.168.14.3

Chain quantum-l3-agent-float-snat (1 references)
 pkts bytes target prot opt in out source destination
    0 0 SNAT all -- * * 192.168.14.3 0.0.0.0/0 to:192.168.1.186

Chain quantum-l3-agent-snat (1 references)
 pkts bytes target prot opt in out source destination
    0 0 quantum-l3-agent-float-snat all -- * * 0.0.0.0/0 0.0.0.0/0
    0 0 SNAT all -- * * 192.168.14.0/24 0.0.0.0/0 to:192.168.1.185

Chain quantum-postrouting-bottom (1 references)
 pkts bytes target prot opt in out source destination
    0 0 quantum-l3-agent-snat all -- * * 0.0.0.0/0 0.0.0.0/0

yong sheng gong (gongysh) said :
#1

Can you ping the 192.168.1.78 metadata server in the qrouter namespace?
Can you ping the 192.168.1.185 router gateway port in the external network?

vj (vijayrg) said :
#2

Yes. I am able to ping 192.168.1.78 metaserver in qrouter namespace.
Yes. I am able to ping 192.168.1.185 router gateway from other nodes on the external network.

vj (vijayrg) said :
#3

CORRECTION FROM MY PREVIOUS COMMENT:
No, I am NOT able to ping 192.168.1.78 metaserver from inside qrouter namespace.

Yes. I am able to ping 192.168.1.185 router gateway from other nodes on the external network.

yong sheng gong (gongysh) said :
#4

First, you need to make sure the 192.168.1.78 metadata server is pingable from the qrouter namespace.
I am confused by 192.168.1.185 being pingable but the floating IP not, from the external network.
What kind of Linux are you using? Ubuntu 12.04, Fedora or others?

vj (vijayrg) said :
#5

Thanks for the reply. I fixed the external network configuration. Now, my VMs can reach the nova metadata service on the controller node and I am able to associate a floating IP and ssh into them from the outside network (also able to ping/ssh VMs using the fixed IP).
However, I am not able to access the internet from within the VM. My internet gateway router is not pingable from the qrouter namespace. It is in the same network as the other nodes. I can ping other nodes on that network though.

Ravi Chunduru (ravivsn) said :
#7

Vijay,
You can run tcpdump in the qrouter and figure out why packets are not reaching the internet. It is just like any other router.
You can also check the iptables NAT rules and see if the DNAT rule hits, etc.

Make sure you did not forget to set the gateway on the router: 'quantum router-gateway-set'
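
The NAT counter check suggested in reply #7, as an added example that is not part of the original thread: it reads `iptables -L -nv -t nat` output and reports, per DNAT/SNAT rule, whether any packet has matched it. The function names and the sample counters are constructed for illustration; the rule text follows the format of the output posted in the question.

```shell
#!/bin/sh
# nat_hits: read `iptables -L -nv -t nat` output on stdin and print one line
# per DNAT/SNAT rule:
#   <chain> <target> <pkts> <HIT|UNHIT> src=<source> dst=<destination> <extras>
# A rule that stays UNHIT while the VM is generating traffic means the packets
# never reached that chain (wrong namespace, missing route, wrong interface).
nat_hits() {
    awk '
        $1 == "Chain" { chain = $2; next }      # remember the current chain
        $1 == "pkts" || NF == 0 { next }        # skip column headers and blanks
        $3 == "DNAT" || $3 == "SNAT" {
            state = ($1 + 0 > 0) ? "HIT" : "UNHIT"
            # columns: pkts bytes target prot opt in out source destination ...
            extra = ""
            for (i = 10; i <= NF; i++) extra = extra " " $i
            printf "%s %s %s %s src=%s dst=%s%s\n", chain, $3, $1, state, $8, $9, extra
        }
    '
}

# Constructed sample: rules as in the question, counters invented so that the
# floating-IP DNAT has matched traffic and the metadata DNAT has not.
sample_nat() {
    cat <<'EOF'
Chain quantum-l3-agent-PREROUTING (1 references)
 pkts bytes target prot opt in out source destination
    0     0 DNAT tcp -- * * 0.0.0.0/0 169.254.169.254 tcp dpt:80 to:192.168.1.78:8775
    7   588 DNAT all -- * * 0.0.0.0/0 192.168.1.186 to:192.168.14.3

Chain quantum-l3-agent-float-snat (1 references)
 pkts bytes target prot opt in out source destination
    0     0 SNAT all -- * * 192.168.14.3 0.0.0.0/0 to:192.168.1.186
EOF
}

# Demo on the sample. On the network node, feed it live output instead:
#   ip netns exec qrouter-<router-id> iptables -L -nv -t nat | nat_hits
sample_nat | nat_hits
```

Run it once before and once after generating traffic from the VM (for example the `wget` to 169.254.169.254) and compare which rules move from UNHIT to HIT.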
