
openstack team mailing list archive

Re: Instances and ARP

 

In the interim you can set vpn_image_id to the UUID of an image that you want launched without MAC and IP spoofing filters created. On the compute node the instance is launched with the nova-vpn ruleset, which allows DHCP traffic.

At present this only works with a single image UUID.

---
Joseph Breu
Deployment Engineer
Rackspace Private Cloud
210-312-3508

On Jan 21, 2013, at 5:49 AM, Belmiro Moreira wrote:

Hi Joe,
nova network filtering rules are preventing ip-spoofing.
There is a proposal to modify this behavior when using HA in instances.
See thread:
[openstack-dev] VM level HA. Changes in firewall.py question.

You can check with:
virsh nwfilter-dumpxml nova-base

cheers,
Belmiro

On Jan 21, 2013, at 12:25 PM, Joe Warren-Meeks <joe.warren.meeks@xxxxxxxxx> wrote:

Hi guys,

I've got OpenStack Essex configured with vlanmanager and an external gateway and all my networking runs ok generally.

However, I'm trying to set up Linux HA on two instances. They run on separate compute nodes and can see each other just fine. hb_takeover and hb_standby work perfectly. The problem is that nothing outside of the instance with the HA IP address can connect to it.

It seems that something is ignoring the ARP is-at from the instance. Doing a tcpdump on the compute node's bridged network and the instance's eth0, I can see ARP requests and responses fine for its main IP, but when I try to get to the alias address, I see ARP requests only on the compute side. On the instance side I see it responding, but this doesn't show up on the bridged interface on the compute node.

Has anyone seen this before? My google-fu is failing to find anything.

Kind regards

-- joe.


_______________________________________________
Mailing list: https://launchpad.net/~openstack
Post to     : openstack@xxxxxxxxxxxxxxxxxxx
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp
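
Added example, not part of the original thread or of nova's code: a small Python helper that follows filterref links in saved `virsh nwfilter-dumpxml` output and reports which anti-spoofing filters end up applied to a given filter, which is the check suggested above for nova-base. The XML is constructed sample data; the instance filter name and the filterref lists shown for nova-base and nova-vpn are assumptions, so substitute the dumps from your own compute node.

```python
import xml.etree.ElementTree as ET

# Constructed sample dumps, shaped like `virsh nwfilter-dumpxml <name>` output.
# The instance filter name and the filterref lists are assumptions, not real output.
SAMPLE_DUMPS = {
    "nova-instance-example": "<filter name='nova-instance-example'><filterref filter='nova-base'/></filter>",
    "nova-base": """
<filter name='nova-base' chain='root'>
  <filterref filter='no-mac-spoofing'/>
  <filterref filter='no-ip-spoofing'/>
  <filterref filter='no-arp-spoofing'/>
  <filterref filter='allow-dhcp-server'/>
</filter>""",
    "nova-vpn": "<filter name='nova-vpn'><filterref filter='allow-dhcp-server'/></filter>",
}

# Names of libvirt's stock anti-spoofing filters.
ANTI_SPOOFING = {"no-mac-spoofing", "no-ip-spoofing", "no-arp-spoofing"}


def direct_refs(xml_text):
    """Return the filter names referenced by one nwfilter XML document."""
    root = ET.fromstring(xml_text.strip())
    return [ref.get("filter") for ref in root.iter("filterref") if ref.get("filter")]


def effective_filters(name, dumps):
    """Walk filterref links from `name`; return every filter reached, in order."""
    seen, order, stack = set(), [], [name]
    while stack:
        current = stack.pop()
        if current in seen:
            continue  # guards against reference loops
        seen.add(current)
        order.append(current)
        # Filters with no dump supplied (e.g. libvirt built-ins) are leaves here.
        if current in dumps:
            stack.extend(reversed(direct_refs(dumps[current])))
    return order


def spoofing_filters(name, dumps):
    """Anti-spoofing filters that apply, directly or indirectly, to `name`."""
    return [f for f in effective_filters(name, dumps) if f in ANTI_SPOOFING]


if __name__ == "__main__":
    for top in ("nova-instance-example", "nova-vpn"):
        print(top, "->", spoofing_filters(top, SAMPLE_DUMPS) or "no anti-spoofing filters")
```
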

