
yahoo-eng-team team mailing list archive

[Bug 1326345] [NEW] Legacy networking (nova-network) in OpenStack Icehouse Installation results in no internet access for instances

 

Public bug reported:

I have performed an installation of OpenStack Icehouse on two CentOS 6.5 machines from scratch (both the OS and OpenStack).
The problem is that the instances do not get internet access unless the following rule is added:

iptables -t nat -I POSTROUTING -o eth1 -j MASQUERADE

where eth1 is the public interface. This rule has to be re-inserted
every time an instance is launched!

A few words regarding the setup of the compute node.

- It has two Ethernet interfaces: eth0 (internal network) and eth1 (public network).
- I have added a bridge interface (br100) which has been bridged with eth0.
- Both eth0 and eth1 are running in promiscuous mode.
- In sysctl.conf, IP forwarding has been enabled.
- In nova.conf I have declared the flat_interface to be eth0 while the public_interface is eth1.
- I have followed the guide from here: http://docs.openstack.org/icehouse/install-guide/install/yum/content/ for both compute and controller nodes.
- I have added the secgroup-rules for ICMP and SSH to the default group.

- I am launching a CirrOS instance in the default security group, which is assigned the IP 10.0.0.2.
- I can ping the CirrOS instance.
- I can ssh to the CirrOS instance.
- While logged in to the instance I can resolve external addresses (e.g. nslookup openstack.org produces a correct output).
- While logged in to the instance I can ping 10.0.0.1.
- While logged in to the instance I can ping the compute node's external IP.
- While logged in to the instance I CANNOT ping the compute node's gateway or anything else outside that!!!

If I insert the aforementioned rule then pinging works as expected!

In the case I have a second instance all the above apply but also I can
ping and ssh from one instance to another. Unfortunately the problem of
pinging outside the compute node from both instances remains until I
re-insert the aforementioned rule.

Tests have shown that every time I start an instance the rule has to be
added at the top of the chain otherwise none of them works.

The above is also the case when floating IPs are assigned to the
instances. They cannot reach an external network unless the rule has
been added. When it has, instances can reach and be reached from an
external network.

Furthermore, comparison with a Havana installation with the same
network configuration and topology (two nodes, two Ethernet NICs each
etc.) revealed that the following chains are not populated correctly in
Icehouse:

 - Chain nova-network-OUTPUT
 - Chain nova-network-POSTROUTING
 - Chain nova-network-PREROUTING
 - Chain nova-network-float-snat


I have been trying to find a solution to this through the mailing-lists:

http://lists.openstack.org/pipermail/openstack/2014-May/007454.html
http://lists.openstack.org/pipermail/openstack/2014-May/007515.html

and in the IRC channel but without success.


I have performed the above installations twice and every time the same problem appears leading me to think that it's a bug.

Please check it!

Best,

G.

** Affects: nova
     Importance: Undecided
         Status: New


** Tags: access icehouse-backport-potential internet nova

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1326345

Title:
  Legacy networking (nova-network) in OpenStack Icehouse Installation
  results in no internet access for instances

Status in OpenStack Compute (Nova):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1326345/+subscriptions
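
The comparison the report describes (which of the four nova-network nat chains hold rules, and whether a hand-inserted MASQUERADE rule is present) can be checked from `iptables-save` text. This is an added example, not part of the original report or of nova; the function names and the sample ruleset are constructed for illustration, and only the chain names and the MASQUERADE rule come from the report.

```shell
#!/bin/sh
# Added example: audit iptables-save text for the chains named in the report.

# Print "<chain> <rule count>" or "<chain> MISSING" for each nova-network nat
# chain listed in the report. Reads iptables-save output on stdin.
nova_nat_chain_counts() {
    awk '
        BEGIN { n = split("nova-network-OUTPUT nova-network-POSTROUTING nova-network-PREROUTING nova-network-float-snat", want, " ") }
        /^\*/      { in_nat = ($0 == "*nat") }          # table header line
        !in_nat    { next }                             # ignore other tables
        /^:/       { declared[substr($1, 2)] = 1 }      # ":chain policy [pkts:bytes]"
        $1 == "-A" { rules[$2]++ }                      # "-A chain <match> -j <target>"
        END {
            for (i = 1; i <= n; i++) {
                c = want[i]
                if (c in declared) print c, rules[c] + 0
                else print c, "MISSING"
            }
        }
    '
}

# Print MASQUERADE rules sitting directly in nat POSTROUTING with no source
# match: such a rule rewrites every flow leaving the interface, not only
# instance traffic, so it should be visible in any audit of the host.
manual_masquerade_rules() {
    awk '
        /^\*/ { in_nat = ($0 == "*nat") }
        in_nat && $1 == "-A" && $2 == "POSTROUTING" && /-j MASQUERADE/ && !/ -s / { print }
    '
}

# Constructed sample ruleset (not captured from the reporter host).
sample_nat() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:nova-network-OUTPUT - [0:0]
:nova-network-POSTROUTING - [0:0]
:nova-network-PREROUTING - [0:0]
-A POSTROUTING -o eth1 -j MASQUERADE
-A POSTROUTING -j nova-network-POSTROUTING
-A nova-network-PREROUTING -d 10.0.0.1/32 -j ACCEPT
COMMIT
EOF
}

# On a compute node: iptables-save -t nat | nova_nat_chain_counts
sample_nat | nova_nat_chain_counts
sample_nat | manual_masquerade_rules
```

Running the same two functions on a working Havana node and on the Icehouse node gives a line-by-line diffable summary of the chains the report names.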

