openstack team mailing list archive

Re: [Quantum/Neutron] VM cannot get IP address from DHCP server


I think I found the solution.

https://bugzilla.redhat.com/show_bug.cgi?id=889868

It was reported as a bug by RedHat.
It also suggests a work-around.

Thank you everyone.

David

----- Original Message -----
> What I have observed so far is...
> 
> 1. nova-compute sends dhcp request
> 2. dhcp-server running on the Quantum node does not receive the
> request
> because of the firewall setting.
> I don't understand why quantum-dhcp-agent does not set up firewall
> properly.
> (Yes, all the openstack components are running on CentOS6.4 in our
> system.)
> 
> Thanks,
> David
> 
> ----- Original Message -----
> > Hi,
> >
> >
> > This is very interesting..:)
> > I am using openstack grizzly allinone with quantum/neutron.
> >
> >
> > Look what I am observing.
> > -before starting an instance on the server
> > root@ubuntu1204:~# iptables-save -t filter
> > # Generated by iptables-save v1.4.12 on Tue Jul 23 20:22:55 2013
> > *filter
> > :INPUT ACCEPT [62981:17142030]
> > :FORWARD ACCEPT [0:0]
> > :OUTPUT ACCEPT [62806:17138989]
> > :nova-api-FORWARD - [0:0]
> > :nova-api-INPUT - [0:0]
> > :nova-api-OUTPUT - [0:0]
> > :nova-api-local - [0:0]
> > :nova-filter-top - [0:0]
> > -A INPUT -j nova-api-INPUT
> > -A INPUT -p gre -j ACCEPT
> > -A FORWARD -j nova-filter-top
> > -A FORWARD -j nova-api-FORWARD
> > -A OUTPUT -j nova-filter-top
> > -A OUTPUT -j nova-api-OUTPUT
> > -A nova-api-INPUT -d 10.200.10.10/32 -p tcp -m tcp --dport 8775 -j ACCEPT
> > -A nova-filter-top -j nova-api-local
> > COMMIT
> > # Completed on Tue Jul 23 20:22:55 2013
> > root@ubuntu1204:~#
> >
> >
> > -after starting an instance on the host
> >
> > root@ubuntu1204:~# iptables-save -t filter
> > # Generated by iptables-save v1.4.12 on Tue Jul 23 20:24:42 2013
> > *filter
> > :INPUT ACCEPT [90680:24989889]
> > :FORWARD ACCEPT [0:0]
> > :OUTPUT ACCEPT [90482:24984752]
> > :nova-api-FORWARD - [0:0]
> > :nova-api-INPUT - [0:0]
> > :nova-api-OUTPUT - [0:0]
> > :nova-api-local - [0:0]
> > :nova-compute-FORWARD - [0:0]
> > :nova-compute-INPUT - [0:0]
> > :nova-compute-OUTPUT - [0:0]
> > :nova-compute-inst-35 - [0:0]
> > :nova-compute-local - [0:0]
> > :nova-compute-provider - [0:0]
> > :nova-compute-sg-fallback - [0:0]
> > :nova-filter-top - [0:0]
> > -A INPUT -j nova-compute-INPUT
> > -A INPUT -j nova-api-INPUT
> > -A INPUT -p gre -j ACCEPT
> > -A FORWARD -j nova-filter-top
> > -A FORWARD -j nova-compute-FORWARD
> > -A FORWARD -j nova-api-FORWARD
> > -A OUTPUT -j nova-filter-top
> > -A OUTPUT -j nova-compute-OUTPUT
> > -A OUTPUT -j nova-api-OUTPUT
> > -A nova-api-INPUT -d 10.200.10.10/32 -p tcp -m tcp --dport 8775 -j ACCEPT
> > -A nova-compute-FORWARD -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp --sport 68 --dport 67 -j ACCEPT
> > -A nova-compute-INPUT -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp --sport 68 --dport 67 -j ACCEPT
> > -A nova-compute-inst-35 -m state --state INVALID -j DROP
> > -A nova-compute-inst-35 -m state --state RELATED,ESTABLISHED -j ACCEPT
> > -A nova-compute-inst-35 -j nova-compute-provider
> > -A nova-compute-inst-35 -s 172.24.17.2/32 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
> > -A nova-compute-inst-35 -s 172.24.17.0/24 -j ACCEPT
> > -A nova-compute-inst-35 -p tcp -m tcp --dport 22 -j ACCEPT
> > -A nova-compute-inst-35 -p icmp -j ACCEPT
> > -A nova-compute-inst-35 -j nova-compute-sg-fallback
> > -A nova-compute-local -d 172.24.17.1/32 -j nova-compute-inst-35
> > -A nova-compute-sg-fallback -j DROP
> > -A nova-filter-top -j nova-compute-local
> > -A nova-filter-top -j nova-api-local
> > COMMIT
> > # Completed on Tue Jul 23 20:24:42 2013
> >
> >
> >
> >
> > It seems that the rule that accepts dhcp packets is created once an
> > instance is spawned.
> >
> >
> > I will try the same thing on a centos64.
> >
> >
> > Regards,
> > Gabriel
> >
> >
> >
> >
> >
> > From: David Kang <dkang@xxxxxxx>
> > To: Staicu Gabriel <gabriel_staicu@xxxxxxxxx>
> > Cc: "openstack@xxxxxxxxxxxxxxxxxxx (openstack@xxxxxxxxxxxxxxxxxxx)"
> > <openstack@xxxxxxxxxxxxxxxxxxx>
> > Sent: Tuesday, July 23, 2013 7:59 PM
> > Subject: Re: [Openstack] [Quantum/Neutron] VM cannot get IP address
> > from DHCP server
> >
> >
> >
> > Thank you for your suggestion.
> >
> > We are using Quantum/Neutron not nova-network.
> > So, we don't use br100.
> > (I believe you are using nova-network.)
> >
> > And the firewall rules that cause problem reside on the Quantum node
> > not on the nova-compute node.
> > I cannot find any rule for "--dport 67" on my Quantum node.
> > I used "service iptables status" command to check the firewall
> > rules.
> >
> > Thanks,
> > David
> >
> >
> > ----- Original Message -----
> > > Hi,
> > >
> > > Please can you look up in the iptables?
> > > Normally on a working openstack host the packets coming in the
> > > filter
> > > table in the input chain are directed to the nova-network-INPUT
> > > which
> > > has a rule to accept dhcp packets.
> > > On my setup it is something like:
> > > -A INPUT -j nova-network-INPUT
> > >
> > > .
> > > .
> > > .
> > > -A nova-network-INPUT -i br100 -p udp -m udp --dport 67 -j ACCEPT
> > >
> > >
> > > So I think you have to look somewhere else for your issue.
> > >
> > >
> > > Regards,
> > > Gabriel
> > >
> > >
> > >
> > >
> > >
> > >
> > > From: David Kang <dkang@xxxxxxx>
> > > To: "openstack@xxxxxxxxxxxxxxxxxxx (openstack@xxxxxxxxxxxxxxxxxxx)" <openstack@xxxxxxxxxxxxxxxxxxx>
> > > Sent: Tuesday, July 23, 2013 7:22 PM
> > > Subject: [Openstack] [Quantum/Neutron] VM cannot get IP address
> > > from
> > > DHCP server
> > >
> > >
> > >
> > > Hi,
> > >
> > > We are running OpenStack Folsom on CentOS 6.4.
> > > Quantum-linuxbridge-agent is used.
> > > By default, the Quantum node has the following entries in its
> > > /etc/sysconfig/iptables file.
> > >
> > > -A INPUT -j REJECT --reject-with icmp-host-prohibited
> > > -A FORWARD -j REJECT --reject-with icmp-host-prohibited
> > >
> > > With those two lines, VM cannot get IP address from the DHCP
> > > server
> > > running on the Quantum node.
> > > More specifically, the first line prevents a VM from getting IP
> > > address from DHCP server.
> > > The second line prevents a VM from talking to other VMs and
> > > external
> > > worlds.
> > > Is there a better way to make the Quantum network work well
> > > than just commenting them out?
> > >
> > > I'll appreciate your help.
> > >
> > > David
> > >
> > > --
> > > ----------------------
> > > Dr. Dong-In "David" Kang
> > > Computer Scientist
> > > USC/ISI
> > >
> > > _______________________________________________
> > > Mailing list: https://launchpad.net/~openstack
> > > Post to : openstack@xxxxxxxxxxxxxxxxxxx
> > > Unsubscribe : https://launchpad.net/~openstack
> > > More help : https://help.launchpad.net/ListHelp
> >
> > --
> > ----------------------
> > Dr. Dong-In "David" Kang
> > Computer Scientist
> > USC/ISI
> 
> --
> ----------------------
> Dr. Dong-In "David" Kang
> Computer Scientist
> USC/ISI

-- 
----------------------
Dr. Dong-In "David" Kang
Computer Scientist
USC/ISI
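An added check that is not part of the thread: it walks an iptables-save dump the way the kernel would and reports whether DHCP requests (UDP port 67) are accepted in INPUT before the CentOS catch-all REJECT quoted in David's first mail discards them. The rule samples apart from the two REJECT lines are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: given iptables-save rules, report
# whether DHCP requests (UDP dport 67) reach the host before the CentOS
# default "-A INPUT -j REJECT" catch-all discards them. INPUT rules are
# walked in order; a one-level "-j <user-chain>" jump (as the nova/quantum
# agents lay rules out) counts if that chain holds a UDP 67 ACCEPT. Rule
# order inside the user chain is not checked. Exit status 0 = reachable.
dhcp_input_reachable() {
    printf '%s\n' "$1" | awk '
    /^-A INPUT /  { input[++n] = $0; next }
    /^-A /        { if ($0 ~ /--dport 67( |$)/ && $0 ~ /-j ACCEPT/) acc[$2] = 1 }
    END {
        for (i = 1; i <= n; i++) {
            line = input[i]
            if (line ~ /--dport 67( |$)/ && line ~ /-j ACCEPT/) exit 0
            if (line ~ /-j (REJECT|DROP)/) exit 1
            if (match(line, /-j [A-Za-z0-9_-]+/)) {
                target = substr(line, RSTART + 3, RLENGTH - 3)
                if (target in acc) exit 0
            }
        }
        exit 1
    }'
}

# Constructed samples: the two REJECT lines are the CentOS 6.4 defaults the
# thread quotes; the other rules are made up for the demonstration.
CENTOS_DEFAULT='-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited'

# Narrow fix: accept the DHCP server port ahead of the catch-all instead of
# commenting the REJECT out, so the node keeps its default-deny posture.
DHCP_ALLOWED='-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited'

# nova-network layout from Gabriel's mail: INPUT jumps into a user chain
# that carries the ACCEPT; the jump has to sit before the REJECT.
NOVA_NETWORK_STYLE='-A INPUT -j nova-network-INPUT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A nova-network-INPUT -i br100 -p udp -m udp --dport 67 -j ACCEPT'
for name in CENTOS_DEFAULT DHCP_ALLOWED NOVA_NETWORK_STYLE; do
    eval "rules=\$$name"
    if dhcp_input_reachable "$rules"; then
        echo "$name: DHCP reaches the host"
    else
        echo "$name: DHCP blocked in INPUT"
    fi
done
```

Run it against `iptables-save -t filter` output from the Quantum node to confirm the fix without dropping the default REJECT entirely.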