access VM from inside itself by its float IP, flatDHCP mode

Asked by Alexander Novikov on 2012-03-20

Hi,
I cannot ping or telnet/ssh/etc. a running VM with an associated floating IP from inside itself by that floating IP (IPfl).
All access from outside to IPfl or IPfixed goes well.
I have the --routing_source_ip=IPfl2 flag in conf and two interfaces on the node (eth1 and br100, fully auto-configured by nova-network).

kvm, flatDHCP, diablo 2011.3 release on Ubuntu x64

On the node, the default route is nova_dhcpIP.

>iptables-save
-A nova-network-OUTPUT -d IPfl/32 -j DNAT --to-destination 192.168.22.10
-A nova-network-PREROUTING -d IPfl/32 -j DNAT --to-destination 192.168.22.10
-A nova-network-POSTROUTING -s 192.168.22.0/24 -d 10.128.0.0/24 -j ACCEPT
-A nova-network-POSTROUTING -s 192.168.22.0/24 -d 192.168.22.0/24 -j ACCEPT
-A nova-network-floating-snat -s 192.168.22.10/32 -j SNAT --to-source IPfl
-A nova-network-snat -s 192.168.22.0/24 -j SNAT --to-source IPfl2

-A nova-compute-inst-23 -m state --state INVALID -j DROP
-A nova-compute-inst-23 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A nova-compute-inst-23 -j nova-compute-provider
-A nova-compute-inst-23 -s 192.168.22.5/32 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A nova-compute-inst-23 -s 192.168.22.0/24 -j ACCEPT
-A nova-compute-inst-23 -p tcp -m tcp --dport 1935 -j ACCEPT
-A nova-compute-inst-23 -p tcp -m tcp --dport 5080 -j ACCEPT
-A nova-compute-inst-23 -p tcp -m tcp --dport 3306 -j ACCEPT
-A nova-compute-inst-23 -p tcp -m tcp --dport 21 -j ACCEPT
-A nova-compute-inst-23 -p tcp -m tcp --dport 8080 -j ACCEPT
-A nova-compute-inst-23 -p tcp -m tcp --dport 22 -j ACCEPT
-A nova-compute-inst-23 -p tcp -m tcp --dport 3389 -j ACCEPT
-A nova-compute-inst-23 -p tcp -m tcp --dport 80 -j ACCEPT
-A nova-compute-inst-23 -j nova-compute-sg-fallback
...
-A nova-compute-local -d 192.168.22.10/32 -j nova-compute-inst-23

What should I check? Any ideas, please!
Thank you!

Question information

Language: English
Status: Solved
For: OpenStack Compute (nova)
Assignee: No assignee
Solved by: Alexander Novikov

Alexander Novikov (novikov) said :
#1

Can somebody confirm that this is the case described in the docs: "Note that you cannot SSH to an instance with a public IP from within the same server as the routing configuration won't allow it." (here http://docs.openstack.org/trunk/openstack-compute/admin/content/associating-public-ip.html )

And is the only solution to do it manually via something like iptables/route in the VM itself, i.e. route VM_realIP to VM_privateIP inside the VM?

Alexander Novikov (novikov) said :
#2

The problem arises when, for example, you have an HTTP file/object server which makes URLs to objects like http://IP/object, bound together with some web service on those objects that needs to access them via HTTP locally and remotely.

My real case:
We have a working implementation of some package on a real node, but to make it work in the cloud we had to introduce objects like innerIP and outerIP, i.e. some kind of concept change and code rewriting.
To me it looks like this is not a very rare case, especially if you do not know exactly what must be public and what is localhost-like enough.

As part of the solution, I was advised to use the hostname (as in EC2 practice) which dnsmasq on nova-network gives to an instance. In the global world that must be done with real DNS, I think. So the case of using the public IP from within the VM itself is rare. But if one cannot make a DNS record for the public IP and wants to access objects both from inside the VM and from another service outside it (and maybe outside the cloud altogether), there still must be a concept of inner and public IPs for naming object URLs.

Vish Ishaya (vishvananda) said :
#3

This should work now that the fix for bug 933640 is in

On Mar 20, 2012, at 7:15 AM, Alexander Novikov wrote:

> Question #191210 on OpenStack Compute (nova) changed:
> https://answers.launchpad.net/nova/+question/191210
>
> Alexander Novikov gave more information on the question:
> Can somebody approve that this is the case of what is said in docs -
> "Note that you cannot SSH to an instance with a public IP from within
> the same server as the routing configuration won't allow it." (here
> http://docs.openstack.org/trunk/openstack-compute/admin/content/associating-public-ip.html )
>
> And the only decision is to do it manually via smth like iptables/route
> in the VM itself? i.e route VM_realIP to VM_privateIP inside VM

Alexander Novikov (novikov) said :
#4

Ok. Thank you, Vish!
Need to add that to docs.
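
One way to check the nat rules posted in the question, as an added example (not code from this thread or from nova): it replays a packet through the posted DNAT/SNAT rules and flags the case where the VM's packet to its own floating IP is sent back with source and destination both equal to the fixed IP. The addresses 203.0.113.10 and 203.0.113.2 are constructed stand-ins for IPfl and IPfl2, and the chain traversal order is an assumption because the post does not show the jump rules.

```python
import ipaddress

# Constructed stand-ins: the post masks its public addresses as IPfl / IPfl2.
IPFL, IPFL2, FIXED = "203.0.113.10", "203.0.113.2", "192.168.22.10"
# nat-table rules from the question, with the placeholders substituted.
RULES = f"""\
-A nova-network-PREROUTING -d {IPFL}/32 -j DNAT --to-destination {FIXED}
-A nova-network-POSTROUTING -s 192.168.22.0/24 -d 10.128.0.0/24 -j ACCEPT
-A nova-network-POSTROUTING -s 192.168.22.0/24 -d 192.168.22.0/24 -j ACCEPT
-A nova-network-floating-snat -s {FIXED}/32 -j SNAT --to-source {IPFL}
-A nova-network-snat -s 192.168.22.0/24 -j SNAT --to-source {IPFL2}"""
# Assumption: traversal order of these chains (jump rules are not in the post).
POST_ORDER = ["nova-network-POSTROUTING", "nova-network-floating-snat", "nova-network-snat"]

def parse(text):
    """Turn '-A chain [-s net] [-d net] -j TARGET [--to-x addr]' into dicts."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        opts = dict(zip(tok[2::2], tok[3::2]))  # every option here takes one value
        rules.append({"chain": tok[1], "src": opts.get("-s"), "dst": opts.get("-d"),
                      "target": opts["-j"],
                      "to": opts.get("--to-destination") or opts.get("--to-source")})
    return rules

def first_match(rules, chains, src, dst):
    """First rule, in chain order, whose -s/-d selectors match the packet."""
    def ok(net, ip):
        return net is None or ipaddress.ip_address(ip) in ipaddress.ip_network(net)
    for chain in chains:
        for r in rules:
            if r["chain"] == chain and ok(r["src"], src) and ok(r["dst"], dst):
                return r

def trace(src, dst):
    """Return (src, dst, deciding POSTROUTING target) after NAT is applied."""
    rules = parse(RULES)
    pre = first_match(rules, ["nova-network-PREROUTING"], src, dst)
    if pre:  # DNAT rewrites the destination before routing
        dst = pre["to"]
    post = first_match(rules, POST_ORDER, src, dst)
    if post and post["target"] == "SNAT":
        src = post["to"]
    return src, dst, (post["target"] if post else None)

def is_unsnatted_hairpin(src, dst):
    """True when a DNATed packet is sent back to its sender, source unchanged."""
    new_src, new_dst, _ = trace(src, dst)
    return new_dst != dst and new_src == src == new_dst
```

With these rules, `trace(FIXED, IPFL)` ends at the same-subnet ACCEPT rule before any SNAT applies, while a packet from an outside client to IPfl is only DNATed and keeps a distinct source.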