openstack team mailing list archive
Message #25368
Re: [Quantum/Neutron] VM cannot get IP address from DHCP server
Hi,
This is very interesting..:)
I am using openstack grizzly allinone with quantum/neutron.
Look what I am observing.
-before starting an instance on the server
root@ubuntu1204:~# iptables-save -t filter
# Generated by iptables-save v1.4.12 on Tue Jul 23 20:22:55 2013
*filter
:INPUT ACCEPT [62981:17142030]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [62806:17138989]
:nova-api-FORWARD - [0:0]
:nova-api-INPUT - [0:0]
:nova-api-OUTPUT - [0:0]
:nova-api-local - [0:0]
:nova-filter-top - [0:0]
-A INPUT -j nova-api-INPUT
-A INPUT -p gre -j ACCEPT
-A FORWARD -j nova-filter-top
-A FORWARD -j nova-api-FORWARD
-A OUTPUT -j nova-filter-top
-A OUTPUT -j nova-api-OUTPUT
-A nova-api-INPUT -d 10.200.10.10/32 -p tcp -m tcp --dport 8775 -j ACCEPT
-A nova-filter-top -j nova-api-local
COMMIT
# Completed on Tue Jul 23 20:22:55 2013
root@ubuntu1204:~#
-after starting an instance on the host
root@ubuntu1204:~# iptables-save -t filter
# Generated by iptables-save v1.4.12 on Tue Jul 23 20:24:42 2013
*filter
:INPUT ACCEPT [90680:24989889]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [90482:24984752]
:nova-api-FORWARD - [0:0]
:nova-api-INPUT - [0:0]
:nova-api-OUTPUT - [0:0]
:nova-api-local - [0:0]
:nova-compute-FORWARD - [0:0]
:nova-compute-INPUT - [0:0]
:nova-compute-OUTPUT - [0:0]
:nova-compute-inst-35 - [0:0]
:nova-compute-local - [0:0]
:nova-compute-provider - [0:0]
:nova-compute-sg-fallback - [0:0]
:nova-filter-top - [0:0]
-A INPUT -j nova-compute-INPUT
-A INPUT -j nova-api-INPUT
-A INPUT -p gre -j ACCEPT
-A FORWARD -j nova-filter-top
-A FORWARD -j nova-compute-FORWARD
-A FORWARD -j nova-api-FORWARD
-A OUTPUT -j nova-filter-top
-A OUTPUT -j nova-compute-OUTPUT
-A OUTPUT -j nova-api-OUTPUT
-A nova-api-INPUT -d 10.200.10.10/32 -p tcp -m tcp --dport 8775 -j ACCEPT
-A nova-compute-FORWARD -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-A nova-compute-INPUT -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-A nova-compute-inst-35 -m state --state INVALID -j DROP
-A nova-compute-inst-35 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A nova-compute-inst-35 -j nova-compute-provider
-A nova-compute-inst-35 -s 172.24.17.2/32 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A nova-compute-inst-35 -s 172.24.17.0/24 -j ACCEPT
-A nova-compute-inst-35 -p tcp -m tcp --dport 22 -j ACCEPT
-A nova-compute-inst-35 -p icmp -j ACCEPT
-A nova-compute-inst-35 -j nova-compute-sg-fallback
-A nova-compute-local -d 172.24.17.1/32 -j nova-compute-inst-35
-A nova-compute-sg-fallback -j DROP
-A nova-filter-top -j nova-compute-local
-A nova-filter-top -j nova-api-local
COMMIT
# Completed on Tue Jul 23 20:24:42 2013
It seems that the rule that accepts DHCP packets is created once an instance is spawned.
I will try the same thing on CentOS 6.4.
Regards,
Gabriel
________________________________
From: David Kang <dkang@xxxxxxx>
To: Staicu Gabriel <gabriel_staicu@xxxxxxxxx>
Cc: "openstack@xxxxxxxxxxxxxxxxxxx (openstack@xxxxxxxxxxxxxxxxxxx)" <openstack@xxxxxxxxxxxxxxxxxxx>
Sent: Tuesday, July 23, 2013 7:59 PM
Subject: Re: [Openstack] [Quantum/Neutron] VM cannot get IP address from DHCP server
Thank you for your suggestion.
We are using Quantum/Neutron not nova-network.
So, we don't use br100.
(I believe you are using nova-network.)
And the firewall rules that cause problem reside on the Quantum node
not on the nova-compute node.
I cannot find any rule for "--dport 67" on my Quantum node.
I used "service iptables status" command to check the firewall rules.
Thanks,
David
----- Original Message -----
> Hi,
>
> Please can you look up in the iptables?
> Normally on a working openstack host the packets coming in the filter
> table in the input chain are directed to the nova-network-INPUT which
> has a rule to accept dhcp packets.
> On my setup it is something like:
> -A INPUT -j nova-network-INPUT
>
> .
> .
> .
> -A nova-network-INPUT -i br100 -p udp -m udp --dport 67 -j ACCEPT
>
>
> So I think you have to look somewhere else for your issue.
>
>
> Regards,
> Gabriel
>
> From: David Kang <dkang@xxxxxxx>
> To: "openstack@xxxxxxxxxxxxxxxxxxx (openstack@xxxxxxxxxxxxxxxxxxx)"
> <openstack@xxxxxxxxxxxxxxxxxxx>
> Sent: Tuesday, July 23, 2013 7:22 PM
> Subject: [Openstack] [Quantum/Neutron] VM cannot get IP address from
> DHCP server
>
> Hi,
>
> We are running OpenStack Folsom on CentOS 6.4.
> Quantum-linuxbridge-agent is used.
> By default, the Quantum node has the following entries in its
> /etc/sysconfig/iptables file.
>
> -A INPUT -j REJECT --reject-with icmp-host-prohibited
> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
>
> With those two lines, a VM cannot get an IP address from the DHCP server
> running on the Quantum node.
> More specifically, the first line prevents a VM from getting an IP
> address from the DHCP server.
> The second line prevents a VM from talking to other VMs and the external
> world.
> Is there a better way to make the Quantum network work well
> than just commenting them out?
>
> I'll appreciate your help.
>
> David
>
> --
> ----------------------
> Dr. Dong-In "David" Kang
> Computer Scientist
> USC/ISI
>
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to : openstack@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~openstack
> More help : https://help.launchpad.net/ListHelp
--
----------------------
Dr. Dong-In "David" Kang
Computer Scientist
USC/ISI
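Added example (not part of the thread, and not OpenStack code): a small POSIX shell script that does the check David and Gabriel were doing by hand. It reads an iptables-save dump, lists the filter-table rules that ACCEPT DHCP server traffic (udp/67), reports whether INPUT's catch-all REJECT comes before any such rule, and prints the narrow "iptables -I" commands to put in front of the REJECT instead of commenting the REJECT lines out of /etc/sysconfig/iptables. The two dumps embedded in it are constructed (the INPUT/FORWARD REJECT lines quoted in David's message plus a few stock-looking default rules), the interface name br100 is only a placeholder borrowed from Gabriel's nova-network example, and the script assumes the DHCP traffic traverses the host's own INPUT and FORWARD chains, as David's observation implies. It never runs iptables itself.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenStack.
# Inspect an iptables-save dump for DHCP (udp/67) ACCEPT rules in the filter
# table and emit the narrow ACCEPT rules to insert ahead of the CentOS default
# "-j REJECT --reject-with icmp-host-prohibited" lines. Nothing here runs
# iptables; the operator reviews and applies the printed commands.

# Constructed dump resembling a stock CentOS 6 /etc/sysconfig/iptables with the
# two REJECT lines quoted in David's message (not a real capture).
SAMPLE_BEFORE='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# The same dump after the two ACCEPT rules printed by dhcp_fix_commands have
# been inserted at position 1. "br100" is a placeholder interface name
# (assumption), not necessarily the bridge the Quantum DHCP agent serves on.
SAMPLE_AFTER='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i br100 -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i br100 -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Read an iptables-save dump on stdin and print every filter-table rule that
# ACCEPTs udp traffic to port 67 (the DHCP server port), in any chain.
# Exit status 0 if at least one was found, 1 otherwise.
find_dhcp_accept() {
    awk '
        /^\*/     { table = substr($0, 2) }   # "*filter", "*nat", ...
        /^COMMIT/ { table = "" }
        table == "filter" && /^-A / && / -p udp / && / --dport 67 / && / -j ACCEPT/ {
            print; found = 1
        }
        END { exit (found ? 0 : 1) }
    '
}

# Read a dump on stdin and report, for the INPUT chain only, the 1-based rule
# positions of the first catch-all REJECT/DROP and of the first DHCP ACCEPT.
# These positions are what "iptables -I INPUT <n>" and "service iptables status"
# number. Exit 0 when DHCP is accepted before the catch-all, 1 otherwise.
input_order_ok() {
    awk '
        /^\*/     { table = substr($0, 2) }
        /^COMMIT/ { table = "" }
        table == "filter" && /^-A INPUT / {
            n++
            if (!rej && $0 ~ /^-A INPUT -j (REJECT|DROP)/) rej = n
            if (!acc && / -p udp / && / --dport 67 / && / -j ACCEPT/) acc = n
        }
        END {
            printf "reject_at=%s dhcp_accept_at=%s\n", (rej ? rej : "none"), (acc ? acc : "none")
            exit ((acc && (!rej || acc < rej)) ? 0 : 1)
        }
    '
}

# Print the commands that put a narrow DHCP ACCEPT at the top of INPUT and
# FORWARD, so the default REJECT lines can stay. $1 is the interface the DHCP
# server is reachable on (placeholder default; adjust for your deployment).
dhcp_fix_commands() {
    iface="${1:-br100}"
    printf 'iptables -I INPUT 1 -i %s -p udp -m udp --sport 68 --dport 67 -j ACCEPT\n' "$iface"
    printf 'iptables -I FORWARD 1 -i %s -p udp -m udp --sport 68 --dport 67 -j ACCEPT\n' "$iface"
}

# Demo on the constructed dumps (a real check would pipe "iptables-save" in).
printf '%s\n' "$SAMPLE_BEFORE" | input_order_ok ||
    { echo "DHCP never reaches the server; insert before the REJECT with:"; dhcp_fix_commands br100; }
printf '%s\n' "$SAMPLE_AFTER" | input_order_ok &&
    echo "DHCP is accepted ahead of the catch-all REJECT"
```

On the Quantum node, pipe "iptables-save" into the two check functions, run the printed commands as root with the real interface name, confirm with "service iptables status" (its rule numbers match the positions the script prints), and persist with "service iptables save" so /etc/sysconfig/iptables keeps the ACCEPT ahead of the REJECT across restarts.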