
openstack team mailing list archive

Re: Instance no route to host problem

 

Oops... I got it. Thought nova-compute has responsibilities in local
iptables settings.
I guess I was misled by the fact that I have default iptables rules set up
at boot time in my VM which look like rules defined in security group but
it's just a coincidence.
Thanks
Patrick



2012/12/10 Patrick Petit <patrick.michel.petit@xxxxxxxxx>

> Hi Lei,
>
> I could spend some more time looking at my "no route to host" issue today.
> It could very well be that the iptables on the VM is the root of the problem.
>
> Here is what it looks like.
>
>
> $ sudo iptables -L
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
> ACCEPT     icmp --  anywhere             anywhere
> ACCEPT     all  --  anywhere             anywhere
> ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
> REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Unfortunately, I am not very familiar with iptables' rule syntax.
> Shouldn't ACCEPT all -- anywhere anywhere allow my http traffic to port 80?
>
> However, explicitly running
>
> sudo iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
>
> does fix the problem. I can access my instance on port 80.
>
> But my VM is associated with the default security group in which I added a
> rule to enable http traffic.
>
> $ nova secgroup-list-rules default
> +-------------+-----------+---------+-----------+--------------+
> | IP Protocol | From Port | To Port | IP Range  | Source Group |
> +-------------+-----------+---------+-----------+--------------+
> | icmp        | -1        | -1      | 0.0.0.0/0 |              |
> | tcp         | 22        | 22      | 0.0.0.0/0 |              |
> | tcp         | 80        | 80      | 0.0.0.0/0 |              |
> +-------------+-----------+---------+-----------+--------------+
>
> So the big question is why aren't my iptables rules in the VM set up by
> the security group specs?
> I don't see any error in nova logs on the compute node.
>
> Any help would be really appreciated.
> Thanks
> Patrick
>
>
>
>
>
> 2012/12/6 Lei Zhang <zhang.lei.fly@xxxxxxxxx>
>
>> Could you check the iptables in the VM? Whether it drops the packets on
>> port 80
>>
>>
>> On Thu, Dec 6, 2012 at 12:29 AM, Patrick Petit <
>> patrick.michel.petit@xxxxxxxxx> wrote:
>>
>>> Dear Stackers,
>>>
>>> I am running instance wordpress.WikiServer
>>>
>>>
>>> $ nova list
>>> +--------------------------------------+--------------------------+--------+------------------------------------+
>>> | ID                                   | Name                     | Status | Networks                           |
>>> +--------------------------------------+--------------------------+--------+------------------------------------+
>>> | 6be47af7-2e29-4b4c-afeb-0a7f760f5970 | test2                    | ACTIVE | xlcloud=172.16.1.6                 |
>>> | 5a4c552f-933c-4a06-8e6f-164176380af5 | wordpress.DatabaseServer | ACTIVE | xlcloud=172.16.1.3                 |
>>> | ddb120d9-e1ad-444c-8490-37ecb15f500e | wordpress.WikiServer     | ACTIVE | xlcloud=172.16.1.4, 10.197.217.131 |
>>> +--------------------------------------+--------------------------+--------+------------------------------------+
>>>
>>>
>>> With Security Group setup as:
>>>
>>> $ nova secgroup-list
>>> +-----------------------------------+------------------------------------------------+
>>> | Name                              | Description                                    |
>>> +-----------------------------------+------------------------------------------------+
>>> | default                           | default                                        |
>>> +-----------------------------------+------------------------------------------------+
>>>
>>>
>>> $ nova secgroup-list-rules default
>>> +-------------+-----------+---------+-----------+--------------+
>>> | IP Protocol | From Port | To Port | IP Range  | Source Group |
>>> +-------------+-----------+---------+-----------+--------------+
>>> | icmp        | -1        | -1      | 0.0.0.0/0 |              |
>>> | tcp         | 22        | 22      | 0.0.0.0/0 |              |
>>> | tcp         | 80        | 80      | 0.0.0.0/0 |              |
>>> +-------------+-----------+---------+-----------+--------------+
>>>
>>> I can ping and ssh through the fixed or floating IP without any problem
>>> (172.16.1.4, 10.197.217.131).
>>> But HTTP requests on port 80 don't go through.
>>> I get a "no route to host" error message from wget or telnet for example.
>>>
>>> Ex. $ telnet 172.16.1.4 80
>>> Trying 172.16.1.4...
>>> telnet: Unable to connect to remote host: No route to host.
>>> Clearly it's not a routing problem.
>>>
>>> Any idea what the problem could be or hints to debug it?
>>>
>>> Thanks
>>> Patrick
>>>
>>>
>>>
>>> _______________________________________________
>>> Mailing list: https://launchpad.net/~openstack
>>> Post to     : openstack@xxxxxxxxxxxxxxxxxxx
>>> Unsubscribe : https://launchpad.net/~openstack
>>> More help   : https://help.launchpad.net/ListHelp
>>>
>>>
>>
>>
>> --
>> Lei Zhang
>>
>> Blog: http://jeffrey4l.github.com
>> twitter/weibo: @jeffrey4l
>>
>>
>
>
> --
> *"Give me a place to stand, and I shall move the earth with a lever"*
>



-- 
*"Give me a place to stand, and I shall move the earth with a lever"*
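
Added example, not part of the original thread: a Python model that evaluates the guest's INPUT chain from the listing above and the `default` security group rules as two independent layers, showing why TCP/80 is rejected inside the VM even though the security group allows it. The `-S`-style rules are constructed from the listing, and the `-i lo` match on the bare ACCEPT rule is an assumption, since plain `iptables -L` does not print interfaces.

```python
import shlex

# Constructed `iptables -S INPUT` form of the guest listing in the thread.
# Assumption: the bare "ACCEPT all" line is the loopback rule (-i lo), as in
# a stock RHEL/CentOS ruleset; plain `iptables -L` does not print interfaces.
GUEST_INPUT = """\
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""
# (protocol, from_port, to_port) from `nova secgroup-list-rules default`.
SECGROUP = [("icmp", -1, -1), ("tcp", 22, 22), ("tcp", 80, 80)]
FLAGS = {"-i": "iface", "-p": "proto", "--state": "state",
         "--dport": "dport", "-j": "target"}

def parse_rule(line):
    """Map one -A line to the match fields this example understands."""
    tok = shlex.split(line)
    rule = {key: tok[tok.index(flag) + 1] for flag, key in FLAGS.items() if flag in tok}
    rule["raw"] = line
    return rule

def guest_verdict(pkt, ruleset=GUEST_INPUT):
    """First matching rule wins; otherwise the chain policy (ACCEPT) applies."""
    for rule in map(parse_rule, ruleset.strip().splitlines()):
        if rule.get("iface", pkt["iface"]) != pkt["iface"]:
            continue
        if rule.get("proto", pkt["proto"]) != pkt["proto"]:
            continue
        if "state" in rule and pkt["state"] not in rule["state"].split(","):
            continue
        if "dport" in rule and int(rule["dport"]) != pkt.get("dport"):
            continue
        return rule["target"], rule["raw"]
    return "ACCEPT", "chain policy"

def secgroup_allows(pkt, rules=SECGROUP):
    """Security groups are allow-lists: one matching rule admits the packet."""
    return any(proto == pkt["proto"] and (lo == -1 or lo <= pkt.get("dport", -1) <= hi)
               for proto, lo, hi in rules)

def reachable(pkt):
    """A connection needs both layers: security group AND guest firewall."""
    return secgroup_allows(pkt) and guest_verdict(pkt)[0] == "ACCEPT"

if __name__ == "__main__":
    for port in (22, 80):
        pkt = {"iface": "eth0", "proto": "tcp", "state": "NEW", "dport": port}
        print(port, secgroup_allows(pkt), guest_verdict(pkt), reachable(pkt))
```

The final REJECT rule answers with ICMP host-prohibited, which the connecting client reports as "No route to host". Running `iptables -S` or `iptables -L -n -v` inside the guest shows the interface matches that plain `iptables -L` leaves out.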
