openstack team mailing list archive

Re: Instance no route to host problem

 

Hi Lei,

I could spend some more time looking at my "no route to host" issue today.
It could very well be that the iptables on the VM is the root of the problem.

Here is what it looks like.


$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Unfortunately, I am not very familiar with iptables' rule syntax.
Shouldn't ACCEPT all -- anywhere anywhere allow my http traffic to port 80?

However, running explicitly

sudo iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT

Does fix the problem. I can access my instance on port 80.

But my VM is associated with the default security group in which I added a
rule to enable http traffic.

$ nova secgroup-list-rules default
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| icmp        | -1        | -1      | 0.0.0.0/0 |              |
| tcp         | 22        | 22      | 0.0.0.0/0 |              |
| tcp         | 80        | 80      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+

So the big question is why aren't my iptables rules in the VM set up by
the security group specs?
I don't see any error in nova logs on the compute node.

Any help would be really appreciated.
Thanks
Patrick





2012/12/6 Lei Zhang <zhang.lei.fly@xxxxxxxxx>

> Could you check the iptables in the VM, and whether it drops the packets
> on port 80?
>
>
> On Thu, Dec 6, 2012 at 12:29 AM, Patrick Petit <
> patrick.michel.petit@xxxxxxxxx> wrote:
>
>> Dear Stackers,
>>
>> I am running instance wordpress.WikiServer
>>
>>
>> $ nova list
>> +--------------------------------------+--------------------------+--------+------------------------------------+
>> | ID                                   | Name                     | Status | Networks                           |
>> +--------------------------------------+--------------------------+--------+------------------------------------+
>> | 6be47af7-2e29-4b4c-afeb-0a7f760f5970 | test2                    | ACTIVE | xlcloud=172.16.1.6                 |
>> | 5a4c552f-933c-4a06-8e6f-164176380af5 | wordpress.DatabaseServer | ACTIVE | xlcloud=172.16.1.3                 |
>> | ddb120d9-e1ad-444c-8490-37ecb15f500e | wordpress.WikiServer     | ACTIVE | xlcloud=172.16.1.4, 10.197.217.131 |
>> +--------------------------------------+--------------------------+--------+------------------------------------+
>>
>>
>> With Security Group setup as:
>>
>> $ nova secgroup-list
>> +-----------------------------------+------------------------------------------------+
>> | Name                              | Description                                    |
>> +-----------------------------------+------------------------------------------------+
>> | default                           | default                                        |
>> +-----------------------------------+------------------------------------------------+
>>
>>
>> $ nova secgroup-list-rules default
>> +-------------+-----------+---------+-----------+--------------+
>> | IP Protocol | From Port | To Port | IP Range  | Source Group |
>> +-------------+-----------+---------+-----------+--------------+
>> | icmp        | -1        | -1      | 0.0.0.0/0 |              |
>> | tcp         | 22        | 22      | 0.0.0.0/0 |              |
>> | tcp         | 80        | 80      | 0.0.0.0/0 |              |
>> +-------------+-----------+---------+-----------+--------------+
>>
>> I can ping and ssh through the fixed or floating IP without any problem
>> (172.16.1.4, 10.197.217.131).
>> But HTTP requests on port 80 don't go through.
>> I get a "no route to host" error message from wget or telnet, for example.
>>
>> Ex. $ telnet 172.16.1.4 80
>> Trying 172.16.1.4...
>> telnet: Unable to connect to remote host: No route to host.
>> Clearly it's not a routing problem.
>>
>> Any idea what the problem could be, or hints to debug it?
>>
>> Thanks
>> Patrick
>
>
> --
> Lei Zhang
>
> Blog: http://jeffrey4l.github.com
> twitter/weibo: @jeffrey4l
>
>


-- 
*"Give me a place to stand, and I shall move the earth with a lever"*
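
Added example, not part of the original thread: a small first-match model of the guest's INPUT chain, showing why a new TCP connection to port 80 falls through to the final REJECT, whose icmp-host-prohibited reply a Linux client reports as "No route to host". It assumes the bare "ACCEPT all" rule is bound to the loopback interface, which `iptables -L` does not display without `-v`; the `-S`-style listing, the packet dictionaries and the function names are constructed for illustration.

```python
import shlex

# Constructed `iptables -S INPUT` listing modelled on the guest's ruleset.
# Assumption: the bare "ACCEPT all" rule is bound to loopback (-i lo);
# `iptables -L` hides interface matches unless -v is given.
GUEST_RULES = """\
-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""

def parse(listing):
    """Return (default policy, ordered rules as option->value dicts)."""
    policy, rules = "ACCEPT", []
    for tok in map(shlex.split, listing.splitlines()):
        if tok[:1] == ["-P"]:
            policy = tok[2]
        elif tok[:1] == ["-A"]:
            rules.append(dict(zip(tok[2::2], tok[3::2])))
    return policy, rules

def verdict(listing, pkt):
    """First matching rule wins; the chain policy applies only if none match."""
    policy, rules = parse(listing)
    for r in rules:
        if ("-i" in r and r["-i"] != pkt["iface"]) or \
           ("-p" in r and r["-p"] != pkt["proto"]) or \
           ("--state" in r and pkt["state"] not in r["--state"].split(",")) or \
           ("--dport" in r and int(r["--dport"]) != pkt.get("dport")):
            continue
        return r["-j"], r.get("--reject-with")
    return policy, None

def allow_before_reject(listing, rule):
    """Place `rule` ahead of the catch-all REJECT so it can be reached."""
    lines = listing.splitlines()
    at = next(i for i, l in enumerate(lines) if "-j REJECT" in l)
    return "\n".join(lines[:at] + [rule] + lines[at:])

HTTP = {"iface": "eth0", "proto": "tcp", "state": "NEW", "dport": 80}
HTTP_RULE = "-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT"

if __name__ == "__main__":
    print(verdict(GUEST_RULES, HTTP))
    print(verdict(GUEST_RULES, dict(HTTP, dport=22)))
    print(verdict(allow_before_reject(GUEST_RULES, HTTP_RULE), HTTP))
```

Nova security group rules are applied by the compute host outside the guest, so a firewall configured inside the image is evaluated independently of them.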
