openstack team mailing list archive
Message #25142
can not reach internet from vm using nova-network
Hi,
I have also asked this on ask.openstack here.
My scenario is:
OpenStack is installed using packstack with Nova Network
One controller with only one NIC with one IP
One compute with also only one NIC with one IP
Both machines are running Scientific Linux 6.4 with openstack kernel
nova-manage service list
Binary Host Zone Status State Updated_At
nova-cert CONTROLLER internal enabled :-) 2013-07-15 10:52:07
nova-network CONTROLLER internal enabled :-) 2013-07-15 10:52:07
nova-conductor CONTROLLER internal enabled :-) 2013-07-15 10:52:07
nova-scheduler CONTROLLER internal enabled :-) 2013-07-15 10:52:17
nova-consoleauth CONTROLLER internal enabled :-) 2013-07-15 10:52:07
nova-compute COMPUTE nova enabled :-) 2013-07-15 10:52:16
Controller node:
route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.32.0 0.0.0.0 255.255.252.0 U 0 0 0 br100
PUBLIC_NETWORK 0.0.0.0 255.255.240.0 U 0 0 0 br100
0.0.0.0 PUBLIC_GW 0.0.0.0 UG 0 0 0 br100
Compute node:
route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.100.0 0.0.0.0 255.255.255.0 U 0 0 0 virbr0
192.168.200.0 0.0.0.0 255.255.255.0 U 0 0 0 virbr1
PUBLIC_NETWORK 0.0.0.0 255.255.240.0 U 0 0 0 br100
0.0.0.0 PUBLIC_GW 0.0.0.0 UG 0 0 0 br100
Controller node iptables:
Chain INPUT (policy ACCEPT)
target prot opt source destination
LOG all -- anywhere anywhere LOG level warning
nova-network-INPUT all -- anywhere anywhere
nova-api-INPUT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere multiport dports http /* 001 horizon incoming */
ACCEPT tcp -- anywhere anywhere multiport dports iscsi-target,8776 /* 001 cinder incoming */
ACCEPT tcp -- anywhere anywhere multiport dports armtechdaemon /* 001 glance incoming */
ACCEPT tcp -- anywhere anywhere multiport dports commplex-main,35357 /* 001 keystone incoming */
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere multiport dports 6080 /* 001 novncproxy incoming */
ACCEPT tcp -- anywhere anywhere multiport dports 8773,8774,8775 /* 001 novaapi incoming */
ACCEPT tcp -- anywhere anywhere multiport dports amqp /* 001 qpid incoming */
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
ACCEPT tcp -- anywhere anywhere multiport dports mysql /* 001 mysql incoming */
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
ACCEPT tcp -- PUBLIC_NET anywhere tcp dpt:webcache
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
nova-filter-top all -- anywhere anywhere
nova-network-FORWARD all -- anywhere anywhere
nova-api-FORWARD all -- anywhere anywhere
ACCEPT all -- anywhere 192.168.122.0/24 state RELATED,ESTABLISHED
ACCEPT all -- 192.168.122.0/24 anywhere
ACCEPT all -- anywhere 192.168.32.0/22 state RELATED,ESTABLISHED
ACCEPT all -- 192.168.32.0/22 anywhere
ACCEPT all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level warning
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
nova-filter-top all -- anywhere anywhere
nova-network-OUTPUT all -- anywhere anywhere
nova-api-OUTPUT all -- anywhere anywhere
Chain nova-api-FORWARD (1 references)
target prot opt source destination
Chain nova-api-INPUT (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere CONTROLLER tcp dpt:8775
Chain nova-api-OUTPUT (1 references)
target prot opt source destination
Chain nova-api-local (1 references)
target prot opt source destination
Chain nova-filter-top (2 references)
target prot opt source destination
nova-network-local all -- anywhere anywhere
nova-api-local all -- anywhere anywhere
Chain nova-network-FORWARD (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain nova-network-INPUT (1 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
Chain nova-network-OUTPUT (1 references)
target prot opt source destination
Chain nova-network-local (1 references)
target prot opt source destination
Compute node iptables:
Chain INPUT (policy ACCEPT)
target prot opt source destination
nova-compute-INPUT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere multiport dports vnc-server:cvsup /* 001 nova compute incoming */
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
Chain FORWARD (policy ACCEPT)
target prot opt source destination
nova-filter-top all -- anywhere anywhere
nova-compute-FORWARD all -- anywhere anywhere
ACCEPT all -- anywhere 192.168.100.0/24 state RELATED,ESTABLISHED
ACCEPT all -- 192.168.100.0/24 anywhere
ACCEPT all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level warning
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
LOG all -- anywhere anywhere LOG level warning
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
nova-filter-top all -- anywhere anywhere
nova-compute-OUTPUT all -- anywhere anywhere
Chain nova-compute-FORWARD (1 references)
target prot opt source destination
ACCEPT udp -- default 255.255.255.255 udp spt:bootpc dpt:bootps
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain nova-compute-INPUT (1 references)
target prot opt source destination
ACCEPT udp -- default 255.255.255.255 udp spt:bootpc dpt:bootps
Chain nova-compute-OUTPUT (1 references)
target prot opt source destination
Chain nova-compute-inst-33 (1 references)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
nova-compute-provider all -- anywhere anywhere
ACCEPT udp -- 192.168.32.1 anywhere udp spt:bootps dpt:bootpc
ACCEPT all -- 192.168.32.0/22 anywhere
ACCEPT icmp -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
nova-compute-sg-fallback all -- anywhere anywhere
Chain nova-compute-local (1 references)
target prot opt source destination
nova-compute-inst-33 all -- anywhere 192.168.32.3
Chain nova-compute-provider (1 references)
target prot opt source destination
Chain nova-compute-sg-fallback (1 references)
target prot opt source destination
DROP all -- anywhere anywhere
Chain nova-filter-top (2 references)
target prot opt source destination
nova-compute-local all -- anywhere anywhere
And ip addr from CONTROLLER:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet 169.254.169.254/32 scope link lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:1f:c6:cb:3d:55 brd ff:ff:ff:ff:ff:ff
inet 10.3.4.1/32 scope global eth0
inet6 fe80::21f:c6ff:fecb:3d55/64 scope link
valid_lft forever preferred_lft forever
3: virbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
link/ether 52:54:00:f6:1c:49 brd ff:ff:ff:ff:ff:ff
inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
4: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 500
link/ether 52:54:00:f6:1c:49 brd ff:ff:ff:ff:ff:ff
6: br100: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
link/ether 00:1f:c6:cb:3d:55 brd ff:ff:ff:ff:ff:ff
inet 192.168.32.1/22 brd 192.168.35.255 scope global br100
inet PUBLIC_IP/20 brd PUBLIC_BRD scope global br100
inet 10.3.4.1/32 scope global br100
inet 10.3.4.2/32 scope global br100
inet 10.3.4.3/32 scope global br100
inet6 fe80::d0de:b7ff:fecd:52f9/64 scope link
valid_lft forever preferred_lft forever
And ip addr from COMPUTE:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 38:60:77:0d:31:87 brd ff:ff:ff:ff:ff:ff
inet6 fe80::3a60:77ff:fe0d:3187/64 scope link
valid_lft forever preferred_lft forever
3: virbr1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
link/ether 52:54:00:2c:da:de brd ff:ff:ff:ff:ff:ff
inet 192.168.200.1/24 brd 192.168.200.255 scope global virbr1
4: virbr1-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 500
link/ether 52:54:00:2c:da:de brd ff:ff:ff:ff:ff:ff
5: virbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
link/ether 52:54:00:dc:d0:6f brd ff:ff:ff:ff:ff:ff
inet 192.168.100.1/24 brd 192.168.100.255 scope global virbr0
6: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 500
link/ether 52:54:00:dc:d0:6f brd ff:ff:ff:ff:ff:ff
8: br100: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
link/ether 38:60:77:0d:31:87 brd ff:ff:ff:ff:ff:ff
inet PUBLIC_IP/20 brd PUBLIC_BRD scope global br100
inet6 fe80::e41c:c0ff:fecf:453d/64 scope link
valid_lft forever preferred_lft forever
21: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 500
link/ether fe:16:3e:05:76:8f brd ff:ff:ff:ff:ff:ff
inet6 fe80::fc16:3eff:fe05:768f/64 scope link
valid_lft forever preferred_lft forever
When I run an instance I can get an IP address but I can't browse the Internet. It seems that packets are going out from the compute node, they arrive at the destination, and the destination replies to them, but the compute node is not receiving the answers.
Thanks.