[Failed] Add a scope global ip into instance

Asked by Hugo Kou on 2011-06-15

Hi all

We're building several private clouds in our lab to implement Fault Zone and Web-Services HA+LB.

There are two NOVA deployments, and we run up a software LoadBalancer (pound) + heartbeat (keepalived) on each deployment.

The keepalived part is OK. The two LB instances can detect each other. The problem is pound. When pound starts up, it establishes a virtual IP for the master LB, attached to the instance's eth0. As shown below, 192.168.1.102 is the instance's original IP. 192.168.1.55 is the virtual IP for keepalived and pound. But this virtual IP does not seem to work in the instance. Other clients in the same network segment cannot find 192.168.1.55.
Is this a limitation of the VM?
How could I realize this virtual IP?
I think this issue is on the hypervisor layer.......

======================================
 eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 02:16:3e:0c:e9:94 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.102/24 brd 192.168.1.255 scope global eth0
    inet 192.168.1.55/32 scope global eth0
    inet6 fe80::16:3eff:fe0c:e994/64 scope link
       valid_lft forever preferred_lft forever
======================================

Any suggestion will help :>

Cheers
Hugo Kuo

Question information

Language: English
Status: Solved
For: OpenStack Compute (nova)
Assignee: No assignee
Solved by: Vish Ishaya
Solved: 2011-06-16
Last query: 2011-06-16
Last reply: 2011-06-16

Best Vish Ishaya (vishvananda) said : #1

Instances cannot spoof other IP addresses. If you want to allow them to, you have to disable some firewall rules.

In nova/virt/libvirt/firewall.py there is a method called _ensure_static_filters. You will see one called nova-base and one called nova-vpn. The base filter stops arp, mac, and ip spoofing. nova-vpn allows all of that traffic. You can see that the image defined as FLAGS.vpn_image_id uses nova-vpn instead of nova-base. So you can
a) use nova-vpn for all instances
b) set FLAGS.vpn_image_id to make it work for one image
c) write some new code to allow certain images/instances to have spoofing protection turned off

Vish

On Jun 15, 2011, at 4:11 AM, Hugo Kou wrote:

> New question #161512 on OpenStack Compute (nova):
> https://answers.launchpad.net/nova/+question/161512

Hugo Kou (tonytkdk) said : #2

Hello Vish

Thanks for your reply, it's the answer I need.

And in my research ...............

I found a wiki page about Atlas-LB. Does this work in current NOVA?
http://wiki.openstack.org/Atlas-LB

As far as I know, Rackspace and AWS, and even IBM cloud ....
They provide a service named "Shared IP" / "Cloud Server Virtual IP".

This virtual IP could be used for heartbeat....... I'm interested in how those public providers approach provisioning virtual IPs.

Thanks

Hugo Kuo

Hugo Kou (tonytkdk) said : #3

Thanks Vish Ishaya, that solved my question.

Hugo Kou (tonytkdk) said : #4

After a test, with firewall.py rewritten, it works now....

Actually, these two NOVA deployments are only for our web service etc., so they are much freer than a public cloud.
But it's not a recommended approach every time....
I'll keep working on Atlas-LB ....... to implement "Virtual IPs" like Rackspace.

209     def _ensure_static_filters(self):
210         if self.static_filters_configured:
211             return
212
213         self._define_filter(self._filter_container('nova-base',
214                                                    ['no-mac-spoofing',  #del
215                                                     'no-ip-spoofing',  #del
216                                                     'no-arp-spoofing',  #del
217                                                     'allow-dhcp-server']))  #del
218         self._define_filter(self._filter_container('nova-vpn',
219                                                    ['allow-dhcp-server']))
220         self._define_filter(self.nova_base_ipv4_filter)
221         self._define_filter(self.nova_base_ipv6_filter)
222         self._define_filter(self.nova_dhcp_filter)
223         self._define_filter(self.nova_ra_filter)
224         if FLAGS.allow_project_net_traffic:
225             self._define_filter(self.nova_project_filter)
226             if FLAGS.use_ipv6:
227                 self._define_filter(self.nova_project_filter_v6)
228

Hugo Kou (tonytkdk) said : #5

Oh, sorry. Don't delete line 217...... a typo.
Sorry.......

I hope this will help someone.
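
Added example (not part of the thread and not nova's own code): an audit that follows filterref chains in libvirt nwfilter XML and reports which per-instance filters no longer reach the three anti-spoofing filters Vish names for nova-base. The filter definitions, the "nova-instance-" prefix and the instance names are constructed assumptions for illustration.

```python
import xml.etree.ElementTree as ET

# libvirt filters that nova-base references to stop MAC, IP and ARP spoofing.
ANTI_SPOOFING = {"no-mac-spoofing", "no-ip-spoofing", "no-arp-spoofing"}


def make_filter(name, refs):
    """Build constructed nwfilter XML in the <filter>/<filterref> shape."""
    body = "".join("<filterref filter='%s'/>" % r for r in refs)
    return "<filter name='%s'>%s</filter>" % (name, body)


def effective_filters(name, defs, seen=None):
    """Return every filter reachable from `name` by following filterref."""
    seen = set() if seen is None else seen
    if name in seen:          # already visited; also guards against cycles
        return seen
    seen.add(name)
    xml = defs.get(name)      # undefined names are treated as leaf filters
    if xml is not None:
        for ref in ET.fromstring(xml).iter("filterref"):
            effective_filters(ref.get("filter"), defs, seen)
    return seen


def audit(defs, prefix="nova-instance-"):
    """Map each per-instance filter to the anti-spoofing filters it lacks."""
    return {
        name: sorted(ANTI_SPOOFING - effective_filters(name, defs))
        for name in sorted(defs) if name.startswith(prefix)
    }


# Constructed definitions; the instance filter names are hypothetical.
STOCK = {
    "nova-base": make_filter("nova-base",
                             sorted(ANTI_SPOOFING) + ["allow-dhcp-server"]),
    "nova-vpn": make_filter("nova-vpn", ["allow-dhcp-server"]),
    "nova-instance-web-1": make_filter("nova-instance-web-1", ["nova-base"]),
    "nova-instance-lb-1": make_filter("nova-instance-lb-1", ["nova-vpn"]),
}
# nova-base after the edit in post #4 with the correction in post #5.
PATCHED = {**STOCK, "nova-base": make_filter("nova-base", ["allow-dhcp-server"])}

if __name__ == "__main__":
    for label, defs in (("stock", STOCK), ("patched", PATCHED)):
        for inst, missing in audit(defs).items():
            print(label, inst, "missing:", ", ".join(missing) or "none")
```

On a compute host, the XML for each filter can be read with virsh nwfilter-list and virsh nwfilter-dumpxml and passed in as the same name-to-XML mapping.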