openstack team mailing list archive
Message #09938
nova nodes hosted in kvm virtual machines: no access to the outside world.
Hi there!
My goal is to host an Essex cloud on my laptop to study how it works,
play with it, demo it and so on.
I am experiencing a network problem with cloud instances: they are not
allowed to access the internet (wget on google.com, for example).
Nodes run as KVM virtual machines hosted on a laptop running Ubuntu
Oneiric.
So, on my laptop/hypervisor, I have created the following libvirt
network used for the OpenStack nodes:
<network>
<name>default</name>
<uuid>d5d3dcc1-f863-9bbf-8d57-1149e361de6d</uuid>
<forward mode='nat'/>
<bridge name='virbr0' stp='on' delay='0' />
<mac address='52:54:00:5C:7B:5D'/>
<ip address='192.168.122.1' netmask='255.255.255.0'>
</ip>
</network>
There is no libvirt DHCP, it is NATed to the outside world, and the
network used is 192.168.122.0/24.
I have installed several nodes (Ubuntu precise).
192.168.122.2 orchestra
This behaves as a DHCP and Cobbler server to install the other nodes.
192.168.122.101 manager-node
Runs nova-api, nova-scheduler, nova-objectstore, nova-volume, nova-cert
and iSCSI tgt.
192.168.122.102 messaging
Runs RabbitMQ, MySQL, Glance and Keystone.
192.168.122.103 compute-a
Runs nova-compute, nova-api and nova-network.
Excerpt from the nova.conf file:
--network_manager=nova.network.manager.FlatDHCPManager
--fixed_range=10.0.0.0/24
--floating_range=192.168.123.0/24
--auto_assign_floating_ip
--flat_network_dns=192.168.122.2
I can run some instances and log in to them from my hypervisor after
adding a route to the 192.168.123.0/24 network via the node running
nova-network (192.168.122.103):
sudo route add -net 192.168.123.0 netmask 255.255.255.0 gw 192.168.122.103 dev virbr0
So, I have a VM running on 192.168.123.3:
euca-describe-instances
RESERVATION r-xu7c0o8y f45695cb80ca402a9a7f63852098b582 default
INSTANCE i-00000007 ami-00000003 192.168.123.3 server-7 running adminkey (f45695cb80ca402a9a7f63852098b582, compute-a) 0 m1.small 2012-04-12T08:58:36.000Z nova aki-00000001 ari-00000002
Its private IP is 10.0.0.2.
From it, I cannot download a page from the internet:
ubuntu@server-7:~$ wget http://www.yahoo.com/
--2012-04-12 09:36:55-- http://www.yahoo.com/
Resolving www.yahoo.com... 87.248.112.181
Connecting to www.yahoo.com|87.248.112.181|:80... failed: Connection refused.
But I can download a page from http://192.168.122.1/ (hypervisor virbr0)
as well as from http://192.168.0.9/ (hypervisor wifi interface used to get
access to the outside world).
From compute-a, the node running nova-network, I can download pages from
yahoo.com.
An iptables-save file from my hypervisor is attached to this mail.
I did try to remove all the REJECT lines in the FORWARD table and reload
the rules, without success.
I am afraid I'm a bit lost in all those bridges.
Has anyone:
- any idea if my problem is in the nova configuration, or something to
do with the hypervisor iptables rules?
- done something similar with good results?
- any idea on what to try next?
Have a nice day...
# Generated by iptables-save v1.4.10 on Thu Apr 12 11:41:24 2012
*nat
:PREROUTING ACCEPT [415:71017]
:INPUT ACCEPT [88:7343]
:OUTPUT ACCEPT [2282:152990]
:POSTROUTING ACCEPT [2346:157728]
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING -s 10.1.0.0/16 ! -d 10.1.0.0/16 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 10.1.0.0/16 ! -d 10.1.0.0/16 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 10.1.0.0/16 ! -d 10.1.0.0/16 -j MASQUERADE
COMMIT
# Completed on Thu Apr 12 11:41:24 2012
# Generated by iptables-save v1.4.10 on Thu Apr 12 11:41:24 2012
*mangle
:PREROUTING ACCEPT [159113:79914067]
:INPUT ACCEPT [69979:40278276]
:FORWARD ACCEPT [89107:39599033]
:OUTPUT ACCEPT [60378:10029197]
:POSTROUTING ACCEPT [150789:49724062]
-A POSTROUTING -o virbr2 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Thu Apr 12 11:41:24 2012
# Generated by iptables-save v1.4.10 on Thu Apr 12 11:41:24 2012
*filter
:INPUT ACCEPT [69896:40270442]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [60374:10028752]
-A INPUT -i virbr1 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr1 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr1 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr1 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i virbr2 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr2 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr2 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr2 -p tcp -m tcp --dport 67 -j ACCEPT
-A FORWARD -i virbr1 -o virbr1 -j ACCEPT
-A FORWARD -o virbr1 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr1 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 10.1.0.0/16 -o virbr2 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.1.0.0/16 -i virbr2 -j ACCEPT
-A FORWARD -i virbr2 -o virbr2 -j ACCEPT
-A FORWARD -o virbr2 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr2 -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Thu Apr 12 11:41:24 2012
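As an added check that is not part of the original post, the Python below walks a packet through the posted FORWARD and nat POSTROUTING rules with iptables first-match semantics: traffic sourced from a node address (192.168.122.103) is accepted and masqueraded, while traffic carrying the floating address 192.168.123.3 (assuming, as nova-network does for an assigned floating IP, that the instance's outbound packets leave compute-a with that source) matches none of the ACCEPT rules, falls through to "-i virbr0 -j REJECT" (which a client sees as "Connection refused"), and would get no MASQUERADE either. The rule text is copied from the attachment (the virbr1/virbr2 rules, which cannot match virbr0 traffic, are left out); "wlan0" is an assumed name for the hypervisor wifi interface.

```python
import ipaddress
# Constructed from the attached iptables-save: the virbr0 rules of the filter FORWARD
# chain and the generic nat POSTROUTING rules, copied verbatim from the post.
FORWARD_RULES = """\
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable""".splitlines()
NAT_RULES = """\
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING -s 10.1.0.0/16 ! -d 10.1.0.0/16 -j MASQUERADE""".splitlines()
def parse(line):
    # Returns ({match option: (negated, value)}, target); -A, -m, --reject-with are skipped.
    toks, opts, target, neg, i = line.split(), {}, None, False, 0
    while i < len(toks):
        if toks[i] == "!":
            neg = True
        elif toks[i] in ("-s", "-d", "-i", "-o", "-p", "--state"):
            opts[toks[i]] = (neg, toks[i + 1]); neg = False; i += 1
        elif toks[i] == "-j":
            target = toks[i + 1]; i += 1
        i += 1
    return opts, target

def rule_hits(opts, pkt):
    # iptables semantics: every match on the rule must agree with the packet.
    for opt, (negated, want) in opts.items():
        if opt in ("-s", "-d"):
            hit = ipaddress.ip_address(pkt[opt]) in ipaddress.ip_network(want)
        elif opt == "--state":
            hit = pkt[opt] in want.split(",")
        else:
            hit = pkt[opt] == want
        if hit == negated:  # plain match failed, or a "!" match succeeded
            return False
    return True

def verdict(rules, pkt, policy):
    for line in rules:  # first matching rule decides, otherwise the chain policy
        opts, target = parse(line)
        if rule_hits(opts, pkt):
            return target
    return policy

def trace(src, dst, in_if, out_if, state="NEW"):
    # Walk one forwarded packet through FORWARD (policy ACCEPT) and nat POSTROUTING.
    pkt = {"-s": src, "-d": dst, "-i": in_if, "-o": out_if, "-p": "tcp", "--state": state}
    return verdict(FORWARD_RULES, pkt, "ACCEPT"), verdict(NAT_RULES, pkt, "no NAT")
print(trace("192.168.122.103", "87.248.112.181", "virbr0", "wlan0"))  # ('ACCEPT', 'MASQUERADE')
print(trace("192.168.123.3", "87.248.112.181", "virbr0", "wlan0"))  # ('REJECT', 'no NAT'); wlan0 = assumed wifi ifname
```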