yahoo-eng-team team mailing list archive
Message #30623
[Bug 1326345] Re: Legacy networking (nova-network) in OpenStack Icehouse Installation results in no internet access for instances
No longer reproducible, was fixed by the user
** Changed in: nova
Status: Incomplete => Invalid
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1326345
Title:
Legacy networking (nova-network) in OpenStack Icehouse Installation
results in no internet access for instances
Status in OpenStack Compute (Nova):
Invalid
Bug description:
I have performed installation of OpenStack Icehouse on two CentOS 6.5 machines from scratch (both the OS and OpenStack).
The problem is that the instances do not get internet access unless the following rule is added:
iptables -t nat -I POSTROUTING -o eth1 -j MASQUERADE
where eth1 is the public interface. This rule has to be re-inserted
every time an instance is launched!
A few words regarding the setup of the compute node.
- It has two Ethernet interfaces, eth0 (internal network) and eth1 (public network).
- I have added a bridge interface (br100) which has been bridged with eth0.
- Both eth0 and eth1 are running in promiscuous mode.
- In sysctl.conf IP forwarding has been enabled.
- In nova.conf I have declared the flat_interface to be eth0 while the public_interface is eth1.
- I have followed the guide from here: http://docs.openstack.org/icehouse/install-guide/install/yum/content/ for both compute and controller nodes.
- I have added the secgroup-rules for ICMP and SSH to the default group.
- I am launching a CirrOS instance in the default security group, which is assigned the IP 10.0.0.2.
- I can ping the CirrOS instance.
- I can ssh to the CirrOS instance.
- While logged in to the instance I can resolve external addresses (e.g. nslookup openstack.org produces a correct output).
- While logged in to the instance I can ping 10.0.0.1.
- While logged in to the instance I can ping the compute node's external IP.
- While logged in to the instance I CANNOT ping the compute node's gateway or anything else outside that!!!
If I insert the aforementioned rule then pinging works as expected!
In the case I have a second instance all the above apply but also I
can ping and ssh from one instance to another. Unfortunately the
problem of pinging outside the compute node from both instances
remains until I re-insert the aforementioned rule.
Tests have shown that every time I start an instance the rule has to
be added at the top of the chain otherwise none of them works.
The above are also the case when floating IPs are assigned to the
instances. They cannot reach an external network unless the rule has
been added. When it has, instances can reach and be reached from an
external network.
Furthermore, comparison with a Havana installation with the same
network configuration and topology (two nodes, two ethernet nics each
etc.) revealed that the following chains are not populated correctly
in Icehouse:
- Chain nova-network-OUTPUT
- Chain nova-network-POSTROUTING
- Chain nova-network-PREROUTING
- Chain nova-network-float-snat
I have been trying to find a solution to this through the mailing-lists:
http://lists.openstack.org/pipermail/openstack/2014-May/007454.html
http://lists.openstack.org/pipermail/openstack/2014-May/007515.html
and in the IRC channel but without success.
I have performed the above installations twice and every time the same problem appears leading me to think that it's a bug.
Please check it!
Best,
G.
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1326345/+subscriptions
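A check for the condition described in the bug description above, as an added example that is not part of the original message or of nova: it parses `iptables-save` text and reports which of the four listed nova-network chains hold no rules, and whether any nat rule source-NATs traffic leaving the public interface. The function names and both sample dumps are constructed for illustration.

```python
import re

# Chains the report lists as not populated correctly in Icehouse.
NOVA_CHAINS = ("nova-network-OUTPUT", "nova-network-POSTROUTING",
               "nova-network-PREROUTING", "nova-network-float-snat")

def audit_nat(dump, public_if):
    """Parse iptables-save text; return (rules per nova chain, NAT rules out public_if)."""
    counts, snat_rules, in_nat = {}, [], False
    for line in map(str.strip, dump.splitlines()):
        if line.startswith("*"):                  # table header such as "*nat"
            in_nat = line == "*nat"
        elif in_nat and line.startswith(":"):     # chain declaration
            name = line[1:].split()[0]
            if name in NOVA_CHAINS:
                counts.setdefault(name, 0)
        elif in_nat and line.startswith("-A "):   # rule belonging to a chain
            chain, _, spec = line[3:].partition(" ")
            if chain in NOVA_CHAINS:
                counts[chain] = counts.get(chain, 0) + 1
            out_if = re.search(r"(?:^| )-o (\S+)", spec)
            target = re.search(r"(?:^| )-j (\S+)", spec)
            if (out_if and target and out_if.group(1) == public_if
                    and target.group(1) in ("MASQUERADE", "SNAT")):
                snat_rules.append(line)
    return counts, snat_rules

def empty_chains(counts):
    """Nova chains that are missing from the dump or hold no rules."""
    return [c for c in NOVA_CHAINS if not counts.get(c)]

# Constructed sample (not taken from the report): chains exist but are empty.
SAMPLE_EMPTY = """*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:nova-network-OUTPUT - [0:0]
:nova-network-POSTROUTING - [0:0]
:nova-network-PREROUTING - [0:0]
:nova-network-float-snat - [0:0]
-A PREROUTING -j nova-network-PREROUTING
-A POSTROUTING -j nova-network-POSTROUTING
COMMIT"""
# Same dump after the manual workaround rule from the report is inserted.
SAMPLE_WORKAROUND = SAMPLE_EMPTY.replace(
    "-A PREROUTING", "-A POSTROUTING -o eth1 -j MASQUERADE\n-A PREROUTING", 1)

if __name__ == "__main__":
    for dump in (SAMPLE_EMPTY, SAMPLE_WORKAROUND):
        counts, nat_rules = audit_nat(dump, "eth1")
        print("empty:", empty_chains(counts), "| NAT out eth1:", nat_rules)
```

On a live host the input would be the text printed by `iptables-save -t nat`. With the workaround dump the nova chains still show as empty, which separates a manually inserted rule from rules written by nova-network itself.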