yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #94488
[Bug 2078425] [NEW] ovn/ml2 selfservice (isolated network) dns-nameserver set in subnet, can't resolve domain
Public bug reported:
Hi,
I met a bit strange problem, currently I use ovn/ml2 and configured
geneve + flat to organize my network.
Following the guidelines, I created two networks, internal and external,
as named, for internal communication within the VMs and for creating
floating ip (external) to assign to the VMs in order for them to access
the public network.
Here are some openstack commands as follows (enable dhcp by default)
### internal network & subnet
openstack network create internal --provider-network-type geneve
openstack subnet create internal-subnet --network internal \
--subnet-range 192.168.200.0/24 --gateway 192.168.200.1 \
--dns-nameserver 8.8.8.8
### external network & subnet, flat, physnet1 is mapping
openstack network create \
--provider-physical-network physnet1 \
--provider-network-type flat --external external
openstack subnet create external-subnet \
--network external--subnet-range 192.168.5.0/24 \
--allocation-pool start=192.168.5.200,end=192.168.5.220 \
--gateway 192.168.5.1 --dns-nameserver 9.9.9.9 --no-dhcp
### of course, a router is a must
openstack router create router-001
openstack router add subnet router-001 internal-subnet
openstack router add gateway router-001 external
### bridge & ports, compute node as the same
root@master-01 ~(keystone)# ovs-vsctl list-br
br-external
br-int
root@master-01 ~(keystone)# ovs-vsctl list-ports br-external
eno3
patch-provnet-76e95ef2-261e-4d51-b89e-48ddb26d0bcf-to-br-int
root@master-01 ~(keystone)#
### mapping is here, use different physical NICs to differentiate between management and VM data transfers
{hostname=master-01, ovn-bridge-mappings="physnet1:br-external", ovn-cms-options=enable-chassis-as-gw, ovn-encap-ip="10.20.0.10", ovn-encap-type=geneve, ovn-remote="tcp:10.10.0.10:6642", rundir="/var/run/openvswitch", system-id="121c0c62-b0fb-4441-bf10-14d429b4bcd8"}
...
### sb information
ovn-sbctl show
Chassis "121c0c62-b0fb-4441-bf10-14d429b4bcd8"
hostname: master-01
Encap geneve
ip: "10.20.0.10"
options: {csum="true"}
Port_Binding cr-lrp-1641f948-ac28-422a-99a4-e056372812cd
Chassis "c8bd82a0-a930-48ad-a3f0-48ce81713dfc"
hostname: compute-01
Encap geneve
ip: "10.20.0.20"
options: {csum="true"}
Port_Binding "fced94e8-c0f7-43ba-be90-3d93983c4b4a"
Port_Binding "6102cb9b-e42f-4f37-abe1-d0765f4b6c4e"
### nb information
ovn-nbctl show
switch 5751184d-39ef-4a10-bb72-9fc5285caa7e (neutron-7c28892d-5864-403a-8a8d-03180770db60) (aka internal)
port 6102cb9b-e42f-4f37-abe1-d0765f4b6c4e
addresses: ["fa:16:3e:02:8e:f4 192.168.200.153"]
port 6cec6fa7-1a80-4b20-b96d-bd79d528ad64
type: localport
addresses: ["fa:16:3e:94:ff:e1 192.168.200.2"]
port beb8f8d3-7d18-4d02-b786-9927b7ad2d17
addresses: ["fa:16:3e:85:52:47 192.168.200.214"]
port 2e495938-68da-44e4-b2c0-20031f8faa59
type: router
router-port: lrp-2e495938-68da-44e4-b2c0-20031f8faa59
port fced94e8-c0f7-43ba-be90-3d93983c4b4a
addresses: ["fa:16:3e:df:1e:63 192.168.200.44"]
port 9ba1c2e0-8035-422b-a632-8f8fb7f217a3
addresses: ["fa:16:3e:b4:7d:14 192.168.200.179"]
switch c91f2dd7-9fbb-4f75-9b05-20db0d5173c7 (neutron-8a7b3145-393a-46fc-a019-c0676671db40) (aka external)
port 1641f948-ac28-422a-99a4-e056372812cd
type: router
router-port: lrp-1641f948-ac28-422a-99a4-e056372812cd
port provnet-76e95ef2-261e-4d51-b89e-48ddb26d0bcf
type: localnet
addresses: ["unknown"]
port 1163cb86-7241-492a-a8a6-f6cd51f661f0
type: localport
addresses: ["fa:16:3e:15:06:23"]
router 63145aba-6fac-4cbd-bfb8-a7adb9daa361 (neutron-7fa5c121-0385-4fa8-ba24-cb6988c87aaa) (aka router-001)
port lrp-1641f948-ac28-422a-99a4-e056372812cd
mac: "fa:16:3e:11:2c:9a"
networks: ["192.168.5.209/24"]
gateway chassis: [121c0c62-b0fb-4441-bf10-14d429b4bcd8 c8bd82a0-a930-48ad-a3f0-48ce81713dfc]
port lrp-2e495938-68da-44e4-b2c0-20031f8faa59
mac: "fa:16:3e:fd:f8:67"
networks: ["192.168.200.1/24"]
nat 00f4a3b9-35cc-41b0-b2dc-dc6fb174c313
external ip: "192.168.5.216"
logical ip: "192.168.200.44"
type: "dnat_and_snat"
nat 16a4b585-9e25-41f6-9e9c-9923f2ffc236
external ip: "192.168.5.201"
logical ip: "192.168.200.153"
type: "dnat_and_snat"
### dhcp information
ovn-nbctl dhcp-options-get-options 88e0b506-23b9-4925-9f82-aa329370a7bb
server_mac=fa:16:3e:44:c0:57
router=192.168.200.1
server_id=192.168.200.1
mtu=1442
classless_static_route={169.254.169.254/32,192.168.200.2, 0.0.0.0/0,192.168.200.1}
lease_time=43200
dns_server={8.8.8.8}
### boot the VM to configure a NIC and point it to the internal network
openstack server create --flavor m1.small --image Ubuntu-24-04 --security-group secgroup-001 --nic net-id=internal --key-name mykey ubuntu2404-001
### only icmp and ssh ports are open in the security group, 5201 is for ipref3, it's ok.
openstack security group rule list secgroup-001
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+
| ID | IP Protocol | Ethertype | IP Range | Port Range | Direction | Remote Security Group | Remote Address Group |
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+
| 0e2fcc8f-15a7-47b5-bd9c-4029a230cabf | tcp | IPv4 | 0.0.0.0/0 | 22:22 | ingress | None | None |
| 2100ca19-3f17-4c39-8dce-5c50f8a4ffa4 | None | IPv4 | 0.0.0.0/0 | | egress | None | None |
| 5433e8b0-7e1c-48b5-8b5d-f22e745a9ee0 | tcp | IPv4 | 0.0.0.0/0 | 5201:5201 | ingress | None | None |
| b2556f92-f296-46c6-8f8f-fcaf5e2eda1c | icmp | IPv4 | 0.0.0.0/0 | | ingress | None | None |
| d50fe1f0-4a29-49af-984a-66bcebe10b04 | None | IPv6 | ::/0 | | egress | None | None |
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+
### creating a floating ip and assigning it to a vm
openstack floating ip create external
openstack server add floating ip Ubuntu-24-04 192.168.5.216
At this point, everything is working fine, and after creating a few more
VMs, they can communicate with each other on the intranet via
192.168.200.0/24, and can also ping external (public) IP addresses due
to the assigned and floating IPs.
Just when I was happy, the problem came that it could not resolve the
external domain name properly.
:(
In fact, it's not that it can't be parsed at all, it's that it can be
parsed at one time and can't be parsed at another time, and it switches
back and forth, but most of the time it can't be parsed properly.
root@ubuntu2404-001:~# resolvectl status
Global
Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub
Link 2 (ens3)
Current Scopes: DNS
Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 8.8.8.8
DNS Servers: 8.8.8.8
I'm sure the nameserver is coming from dhcp and writing to /run/systemd/resolve/resolv.conf
root@ubuntu2404-001:~# cat /run/systemd/resolve/resolv.conf
...
nameserver 8.8.8.8
root@ubuntu2404-001:~# systemctl status systemd-resolved
● systemd-resolved.service - Network Name Resolution
Loaded: loaded (/usr/lib/systemd/system/systemd-resolved.service; enabled; preset: enabled)
Active: active (running) since Fri 2024-08-30 07:23:13 UTC; 5min ago
...
Aug 30 07:23:13 ubuntu2404-001 systemd-resolved[584]: Negative trust anchors: home.arpa 10.in-addr.arpa 16.172.in-addr.arpa 17.172.in-addr.arpa 18.172.in-addr.arpa 19.172.in-addr.arpa 20.172.in-addr.arpa 21.172.in-addr.arpa 22.172.in>
Aug 30 07:23:13 ubuntu2404-001 systemd-resolved[584]: Using system hostname 'ubuntu2404-001'.
Aug 30 07:23:13 ubuntu2404-001 systemd[1]: Started systemd-resolved.service - Network Name Resolution.
Aug 30 07:23:56 ubuntu2404-001 systemd-resolved[584]: Using degraded feature set UDP instead of UDP+EDNS0 for DNS server 8.8.8.8.
Aug 30 07:24:06 ubuntu2404-001 systemd-resolved[584]: Using degraded feature set TCP instead of UDP for DNS server 8.8.8.8.
Aug 30 07:24:06 ubuntu2404-001 systemd-resolved[584]: Clock change detected. Flushing caches.
...
Virtual machine using ubuntu 24.04 cloud img from official link
root@ubuntu2404-001:~# nslookup www.github.com
;; communications error to 127.0.0.53#53: timed out
;; communications error to 127.0.0.53#53: timed out
;; communications error to 127.0.0.53#53: timed out
;; no servers could be reached
root@ubuntu2404-001:~# nslookup www.github.com
;; communications error to 127.0.0.53#53: timed out
;; communications error to 127.0.0.53#53: timed out
Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
www.github.com canonical name = github.com.
Name: github.com
Address: 20.205.243.166
root@ubuntu2404-001:~#
root@ubuntu2404-001:~# ping 20.205.243.166 -c4
PING 20.205.243.166 (20.205.243.166) 56(84) bytes of data.
64 bytes from 20.205.243.166: icmp_seq=1 ttl=111 time=95.1 ms
64 bytes from 20.205.243.166: icmp_seq=2 ttl=111 time=93.5 ms
64 bytes from 20.205.243.166: icmp_seq=3 ttl=111 time=95.6 ms
64 bytes from 20.205.243.166: icmp_seq=4 ttl=111 time=95.6 ms
--- 20.205.243.166 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 93.541/94.954/95.568/0.833 ms
root@ubuntu2404-001:~#
As I said, it's not completely unresolvable, odds are it will fail, but
pinging is possible, as is access via IP.
After my repeated testing, I'm pretty sure and even more puzzled by the
fact that the above problem occurs when the internal-subnet's dns-
nameserver is set to google's 8.8.8.8 or 8.8.4.4! And switching to any
other internal DNS(self-private) or 1.1.1.1 or 9.9.9.9 is no problem at
all!
### now the internal-subnet information
openstack subnet show internal-subnet
+----------------------+--------------------------------------+
| Field | Value |
+----------------------+--------------------------------------+
| allocation_pools | 192.168.200.2-192.168.200.254 |
| cidr | 192.168.200.0/24 |
| created_at | 2024-08-30T02:39:23Z |
| description | |
| dns_nameservers | 8.8.8.8 |
| dns_publish_fixed_ip | None |
| enable_dhcp | True |
| gateway_ip | 192.168.200.1 |
|...
+----------------------+--------------------------------------+
###reset dns-nameserver for internal-subnet
openstack subnet set --no-dns-nameservers internal-subnet
openstack subnet set --dns-nameserver 1.1.1.1 internal-subnet
openstack subnet show internal-subnet
+----------------------+--------------------------------------+
| Field | Value |
+----------------------+--------------------------------------+
| allocation_pools | 192.168.200.2-192.168.200.254 |
| cidr | 192.168.200.0/24 |
| created_at | 2024-08-30T02:39:23Z |
| description | |
| dns_nameservers | 1.1.1.1 | 8.8.8.8->1.1.1.1
| dns_publish_fixed_ip | None |
| enable_dhcp | True |
| gateway_ip | 192.168.200.1 |
| host_routes | |
|...
+----------------------+--------------------------------------+
### ovn dhcp dns_server changed
ovn-nbctl dhcp-options-get-options 88e0b506-23b9-4925-9f82-aa329370a7bb
server_mac=fa:16:3e:44:c0:57
router=192.168.200.1
server_id=192.168.200.1
mtu=1442
classless_static_route={169.254.169.254/32,192.168.200.2, 0.0.0.0/0,192.168.200.1}
lease_time=43200
dns_server={1.1.1.1}
###reboot the vms, check it out
root@ubuntu2404-001:~# resolvectl status
Global
Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub
Link 2 (ens3)
Current Scopes: DNS
Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 1.1.1.1
DNS Servers: 1.1.1.1
cat /run/systemd/resolve/resolv.conf
...
nameserver 1.1.1.1
search .
root@ubuntu2404-001:~# nslookup www.github.com
Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
www.github.com canonical name = github.com.
Name: github.com
Address: 140.82.116.3
When performing nslookup, the return is so fast!
root@ubuntu2404-001:~#ping www.github.com -c4
PING github.com (140.82.116.4) 56(84) bytes of data.
64 bytes from lb-140-82-116-4-sea.github.com (140.82.116.4): icmp_seq=1 ttl=49 time=152 ms
64 bytes from lb-140-82-116-4-sea.github.com (140.82.116.4): icmp_seq=2 ttl=49 time=155 ms
64 bytes from lb-140-82-116-4-sea.github.com (140.82.116.4): icmp_seq=3 ttl=49 time=153 ms
64 bytes from lb-140-82-116-4-sea.github.com (140.82.116.4): icmp_seq=4 ttl=49 time=152 ms
--- github.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 152.234/153.034/154.550/0.930 ms
So, I really don't know why internal-subnet's dns-nameserver set to
8.8.8.8 or 8.8.4.4 why it doesn't resolve properly, and the same setup
for other dns-nameserver surprisingly works fine.
It seems to me that either none of the external nameservers are
supported or all of them are, so why are only 8.8.8.8 and 8.8.4.4 not
supported?
I'm really curious as to what's going on...
Thank you for reading and helping out.
BR//Evt
** Affects: neutron
Importance: Undecided
Status: New
** Description changed:
Hi,
I met a bit strange problem, currently I use ovn/ml2 and configured
geneve + flat to organize my network.
Following the guidelines, I created two networks, internal and external,
as named, for internal communication within the VMs and for creating
floating ip (external) to assign to the VMs in order for them to access
the public network.
Here are some openstack commands as follows (enable dhcp by default)
### internal network & subnet
openstack network create internal --provider-network-type geneve
openstack subnet create internal-subnet --network internal \
--subnet-range 192.168.200.0/24 --gateway 192.168.200.1 \
--dns-nameserver 8.8.8.8
### external network & subnet, flat, physnet1 is mapping
openstack network create \
--provider-physical-network physnet1 \
--provider-network-type flat --external external
openstack subnet create external-subnet \
--network external--subnet-range 192.168.5.0/24 \
--allocation-pool start=192.168.5.200,end=192.168.5.220 \
--gateway 192.168.5.1 --dns-nameserver 1.1.1.1 --no-dhcp
### of course, a router is a must
openstack router create router-001
- openstack router add subnet router-001 internal-subnet
+ openstack router add subnet router-001 internal-subnet
openstack router add gateway router-001 external
### bridge & ports, compute node as the same
- root@master-01 ~(keystone)# ovs-vsctl list-br
+ root@master-01 ~(keystone)# ovs-vsctl list-br
br-external
br-int
root@master-01 ~(keystone)# ovs-vsctl list-ports br-external
eno3
patch-provnet-76e95ef2-261e-4d51-b89e-48ddb26d0bcf-to-br-int
- root@master-01 ~(keystone)#
+ root@master-01 ~(keystone)#
### mapping is here, use different physical NICs to differentiate between management and VM data transfers
{hostname=master-01, ovn-bridge-mappings="physnet1:br-external", ovn-cms-options=enable-chassis-as-gw, ovn-encap-ip="10.20.0.10", ovn-encap-type=geneve, ovn-remote="tcp:10.10.0.10:6642", rundir="/var/run/openvswitch", system-id="121c0c62-b0fb-4441-bf10-14d429b4bcd8"}
...
### sb information
ovn-sbctl show
Chassis "121c0c62-b0fb-4441-bf10-14d429b4bcd8"
- hostname: master-01
- Encap geneve
- ip: "10.20.0.10"
- options: {csum="true"}
- Port_Binding cr-lrp-1641f948-ac28-422a-99a4-e056372812cd
+ hostname: master-01
+ Encap geneve
+ ip: "10.20.0.10"
+ options: {csum="true"}
+ Port_Binding cr-lrp-1641f948-ac28-422a-99a4-e056372812cd
Chassis "c8bd82a0-a930-48ad-a3f0-48ce81713dfc"
- hostname: compute-01
- Encap geneve
- ip: "10.20.0.20"
- options: {csum="true"}
- Port_Binding "fced94e8-c0f7-43ba-be90-3d93983c4b4a"
- Port_Binding "6102cb9b-e42f-4f37-abe1-d0765f4b6c4e"
+ hostname: compute-01
+ Encap geneve
+ ip: "10.20.0.20"
+ options: {csum="true"}
+ Port_Binding "fced94e8-c0f7-43ba-be90-3d93983c4b4a"
+ Port_Binding "6102cb9b-e42f-4f37-abe1-d0765f4b6c4e"
### nb information
ovn-nbctl show
switch 5751184d-39ef-4a10-bb72-9fc5285caa7e (neutron-7c28892d-5864-403a-8a8d-03180770db60) (aka internal)
- port 6102cb9b-e42f-4f37-abe1-d0765f4b6c4e
- addresses: ["fa:16:3e:02:8e:f4 192.168.200.153"]
- port 6cec6fa7-1a80-4b20-b96d-bd79d528ad64
- type: localport
- addresses: ["fa:16:3e:94:ff:e1 192.168.200.2"]
- port beb8f8d3-7d18-4d02-b786-9927b7ad2d17
- addresses: ["fa:16:3e:85:52:47 192.168.200.214"]
- port 2e495938-68da-44e4-b2c0-20031f8faa59
- type: router
- router-port: lrp-2e495938-68da-44e4-b2c0-20031f8faa59
- port fced94e8-c0f7-43ba-be90-3d93983c4b4a
- addresses: ["fa:16:3e:df:1e:63 192.168.200.44"]
- port 9ba1c2e0-8035-422b-a632-8f8fb7f217a3
- addresses: ["fa:16:3e:b4:7d:14 192.168.200.179"]
+ port 6102cb9b-e42f-4f37-abe1-d0765f4b6c4e
+ addresses: ["fa:16:3e:02:8e:f4 192.168.200.153"]
+ port 6cec6fa7-1a80-4b20-b96d-bd79d528ad64
+ type: localport
+ addresses: ["fa:16:3e:94:ff:e1 192.168.200.2"]
+ port beb8f8d3-7d18-4d02-b786-9927b7ad2d17
+ addresses: ["fa:16:3e:85:52:47 192.168.200.214"]
+ port 2e495938-68da-44e4-b2c0-20031f8faa59
+ type: router
+ router-port: lrp-2e495938-68da-44e4-b2c0-20031f8faa59
+ port fced94e8-c0f7-43ba-be90-3d93983c4b4a
+ addresses: ["fa:16:3e:df:1e:63 192.168.200.44"]
+ port 9ba1c2e0-8035-422b-a632-8f8fb7f217a3
+ addresses: ["fa:16:3e:b4:7d:14 192.168.200.179"]
switch c91f2dd7-9fbb-4f75-9b05-20db0d5173c7 (neutron-8a7b3145-393a-46fc-a019-c0676671db40) (aka external)
- port 1641f948-ac28-422a-99a4-e056372812cd
- type: router
- router-port: lrp-1641f948-ac28-422a-99a4-e056372812cd
- port provnet-76e95ef2-261e-4d51-b89e-48ddb26d0bcf
- type: localnet
- addresses: ["unknown"]
- port 1163cb86-7241-492a-a8a6-f6cd51f661f0
- type: localport
- addresses: ["fa:16:3e:15:06:23"]
- router 63145aba-6fac-4cbd-bfb8-a7adb9daa361 (neutron-7fa5c121-0385-4fa8-ba24-cb6988c87aaa) (aka router-local)
- port lrp-1641f948-ac28-422a-99a4-e056372812cd
- mac: "fa:16:3e:11:2c:9a"
- networks: ["192.168.5.209/24"]
- gateway chassis: [121c0c62-b0fb-4441-bf10-14d429b4bcd8 c8bd82a0-a930-48ad-a3f0-48ce81713dfc]
- port lrp-2e495938-68da-44e4-b2c0-20031f8faa59
- mac: "fa:16:3e:fd:f8:67"
- networks: ["192.168.200.1/24"]
- nat 00f4a3b9-35cc-41b0-b2dc-dc6fb174c313
- external ip: "192.168.5.216"
- logical ip: "192.168.200.44"
- type: "dnat_and_snat"
- nat 16a4b585-9e25-41f6-9e9c-9923f2ffc236
- external ip: "192.168.5.201"
- logical ip: "192.168.200.153"
- type: "dnat_and_snat"
+ port 1641f948-ac28-422a-99a4-e056372812cd
+ type: router
+ router-port: lrp-1641f948-ac28-422a-99a4-e056372812cd
+ port provnet-76e95ef2-261e-4d51-b89e-48ddb26d0bcf
+ type: localnet
+ addresses: ["unknown"]
+ port 1163cb86-7241-492a-a8a6-f6cd51f661f0
+ type: localport
+ addresses: ["fa:16:3e:15:06:23"]
+ router 63145aba-6fac-4cbd-bfb8-a7adb9daa361 (neutron-7fa5c121-0385-4fa8-ba24-cb6988c87aaa) (aka router-001)
+ port lrp-1641f948-ac28-422a-99a4-e056372812cd
+ mac: "fa:16:3e:11:2c:9a"
+ networks: ["192.168.5.209/24"]
+ gateway chassis: [121c0c62-b0fb-4441-bf10-14d429b4bcd8 c8bd82a0-a930-48ad-a3f0-48ce81713dfc]
+ port lrp-2e495938-68da-44e4-b2c0-20031f8faa59
+ mac: "fa:16:3e:fd:f8:67"
+ networks: ["192.168.200.1/24"]
+ nat 00f4a3b9-35cc-41b0-b2dc-dc6fb174c313
+ external ip: "192.168.5.216"
+ logical ip: "192.168.200.44"
+ type: "dnat_and_snat"
+ nat 16a4b585-9e25-41f6-9e9c-9923f2ffc236
+ external ip: "192.168.5.201"
+ logical ip: "192.168.200.153"
+ type: "dnat_and_snat"
### dhcp information
ovn-nbctl dhcp-options-get-options 88e0b506-23b9-4925-9f82-aa329370a7bb
server_mac=fa:16:3e:44:c0:57
router=192.168.200.1
server_id=192.168.200.1
mtu=1442
classless_static_route={169.254.169.254/32,192.168.200.2, 0.0.0.0/0,192.168.200.1}
lease_time=43200
dns_server={8.8.8.8}
### boot the VM to configure a NIC and point it to the internal network
openstack server create --flavor m1.small --image Ubuntu-24-04 --security-group secgroup-001 --nic net-id=internal --key-name mykey ubuntu2404-001
### only icmp and ssh ports are open in the security group, 5201 is for ipref3, it's ok.
- openstack security group rule list secgroup-001
+ openstack security group rule list secgroup-001
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+
| ID | IP Protocol | Ethertype | IP Range | Port Range | Direction | Remote Security Group | Remote Address Group |
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+
| 0e2fcc8f-15a7-47b5-bd9c-4029a230cabf | tcp | IPv4 | 0.0.0.0/0 | 22:22 | ingress | None | None |
| 2100ca19-3f17-4c39-8dce-5c50f8a4ffa4 | None | IPv4 | 0.0.0.0/0 | | egress | None | None |
| 5433e8b0-7e1c-48b5-8b5d-f22e745a9ee0 | tcp | IPv4 | 0.0.0.0/0 | 5201:5201 | ingress | None | None |
| b2556f92-f296-46c6-8f8f-fcaf5e2eda1c | icmp | IPv4 | 0.0.0.0/0 | | ingress | None | None |
| d50fe1f0-4a29-49af-984a-66bcebe10b04 | None | IPv6 | ::/0 | | egress | None | None |
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+
### creating a floating ip and assigning it to a vm
openstack floating ip create external
openstack server add floating ip Ubuntu-24-04 192.168.5.216
At this point, everything is working fine, and after creating a few more
VMs, they can communicate with each other on the intranet via
192.168.200.0/24, and can also ping external (public) IP addresses due
to the assigned and floating IPs.
Just when I was happy, the problem came that it could not resolve the
external domain name properly.
- :(
+ :(
In fact, it's not that it can't be parsed at all, it's that it can be
parsed at one time and can't be parsed at another time, and it switches
back and forth, but most of the time it can't be parsed properly.
root@ubuntu2404-001:~# resolvectl status
Global
- Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
- resolv.conf mode: stub
+ Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
+ resolv.conf mode: stub
Link 2 (ens3)
- Current Scopes: DNS
- Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
+ Current Scopes: DNS
+ Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 8.8.8.8
- DNS Servers: 8.8.8.8
-
- I'm sure the nameserver is coming from dhcp and writing to /run/systemd/resolve/resolv.conf
- root@ubuntu2404-001:~# cat /run/systemd/resolve/resolv.conf
+ DNS Servers: 8.8.8.8
+
+ I'm sure the nameserver is coming from dhcp and writing to /run/systemd/resolve/resolv.conf
+ root@ubuntu2404-001:~# cat /run/systemd/resolve/resolv.conf
...
nameserver 8.8.8.8
root@ubuntu2404-001:~# systemctl status systemd-resolved
● systemd-resolved.service - Network Name Resolution
- Loaded: loaded (/usr/lib/systemd/system/systemd-resolved.service; enabled; preset: enabled)
- Active: active (running) since Fri 2024-08-30 07:23:13 UTC; 5min ago
+ Loaded: loaded (/usr/lib/systemd/system/systemd-resolved.service; enabled; preset: enabled)
+ Active: active (running) since Fri 2024-08-30 07:23:13 UTC; 5min ago
...
Aug 30 07:23:13 ubuntu2404-001 systemd-resolved[584]: Negative trust anchors: home.arpa 10.in-addr.arpa 16.172.in-addr.arpa 17.172.in-addr.arpa 18.172.in-addr.arpa 19.172.in-addr.arpa 20.172.in-addr.arpa 21.172.in-addr.arpa 22.172.in>
Aug 30 07:23:13 ubuntu2404-001 systemd-resolved[584]: Using system hostname 'ubuntu2404-001'.
Aug 30 07:23:13 ubuntu2404-001 systemd[1]: Started systemd-resolved.service - Network Name Resolution.
Aug 30 07:23:56 ubuntu2404-001 systemd-resolved[584]: Using degraded feature set UDP instead of UDP+EDNS0 for DNS server 8.8.8.8.
Aug 30 07:24:06 ubuntu2404-001 systemd-resolved[584]: Using degraded feature set TCP instead of UDP for DNS server 8.8.8.8.
Aug 30 07:24:06 ubuntu2404-001 systemd-resolved[584]: Clock change detected. Flushing caches.
...
Virtual machine using ubuntu 24.04 cloud img from official link
root@ubuntu2404-001:~# nslookup www.github.com
;; communications error to 127.0.0.53#53: timed out
;; communications error to 127.0.0.53#53: timed out
;; communications error to 127.0.0.53#53: timed out
;; no servers could be reached
root@ubuntu2404-001:~# nslookup www.github.com
;; communications error to 127.0.0.53#53: timed out
;; communications error to 127.0.0.53#53: timed out
Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
www.github.com canonical name = github.com.
Name: github.com
Address: 20.205.243.166
- root@ubuntu2404-001:~#
+ root@ubuntu2404-001:~#
root@ubuntu2404-001:~# ping 20.205.243.166 -c4
PING 20.205.243.166 (20.205.243.166) 56(84) bytes of data.
64 bytes from 20.205.243.166: icmp_seq=1 ttl=111 time=95.1 ms
64 bytes from 20.205.243.166: icmp_seq=2 ttl=111 time=93.5 ms
64 bytes from 20.205.243.166: icmp_seq=3 ttl=111 time=95.6 ms
64 bytes from 20.205.243.166: icmp_seq=4 ttl=111 time=95.6 ms
--- 20.205.243.166 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 93.541/94.954/95.568/0.833 ms
root@ubuntu2404-001:~#
As I said, it's not completely unresolvable, odds are it will fail, but
pinging is possible, as is access via IP.
After my repeated testing, I'm pretty sure and even more puzzled by the
fact that the above problem occurs when the internal-subnet's dns-
nameserver is set to google's 8.8.8.8 or 8.8.4.4! And switching to any
other internal DNS(self-private) or 1.1.1.1 or 9.9.9.9 is no problem at
all!
### now the internal-subnet information
openstack subnet show internal-subnet
+----------------------+--------------------------------------+
| Field | Value |
+----------------------+--------------------------------------+
| allocation_pools | 192.168.200.2-192.168.200.254 |
| cidr | 192.168.200.0/24 |
| created_at | 2024-08-30T02:39:23Z |
| description | |
| dns_nameservers | 8.8.8.8 |
| dns_publish_fixed_ip | None |
| enable_dhcp | True |
| gateway_ip | 192.168.200.1 |
|...
+----------------------+--------------------------------------+
###reset dns-nameserver for internal-subnet
openstack subnet set --no-dns-nameservers internal-subnet
openstack subnet set --dns-nameserver 1.1.1.1 internal-subnet
openstack subnet show internal-subnet
+----------------------+--------------------------------------+
| Field | Value |
+----------------------+--------------------------------------+
| allocation_pools | 192.168.200.2-192.168.200.254 |
| cidr | 192.168.200.0/24 |
| created_at | 2024-08-30T02:39:23Z |
| description | |
| dns_nameservers | 1.1.1.1 | 8.8.8.8->1.1.1.1
| dns_publish_fixed_ip | None |
| enable_dhcp | True |
| gateway_ip | 192.168.200.1 |
| host_routes | |
|...
+----------------------+--------------------------------------+
### ovn dhcp dns_server changed
ovn-nbctl dhcp-options-get-options 88e0b506-23b9-4925-9f82-aa329370a7bb
server_mac=fa:16:3e:44:c0:57
router=192.168.200.1
server_id=192.168.200.1
mtu=1442
classless_static_route={169.254.169.254/32,192.168.200.2, 0.0.0.0/0,192.168.200.1}
lease_time=43200
dns_server={1.1.1.1}
###reboot the vms, check it out
root@ubuntu2404-001:~# resolvectl status
Global
- Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
- resolv.conf mode: stub
+ Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
+ resolv.conf mode: stub
Link 2 (ens3)
- Current Scopes: DNS
- Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
+ Current Scopes: DNS
+ Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 1.1.1.1
- DNS Servers: 1.1.1.1
- cat /run/systemd/resolve/resolv.conf
+ DNS Servers: 1.1.1.1
+ cat /run/systemd/resolve/resolv.conf
...
nameserver 1.1.1.1
search .
root@ubuntu2404-001:~# nslookup www.github.com
Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
www.github.com canonical name = github.com.
Name: github.com
Address: 140.82.116.3
When performing nslookup, the return is so fast!
root@ubuntu2404-001:~#ping www.github.com -c4
PING github.com (140.82.116.4) 56(84) bytes of data.
64 bytes from lb-140-82-116-4-sea.github.com (140.82.116.4): icmp_seq=1 ttl=49 time=152 ms
64 bytes from lb-140-82-116-4-sea.github.com (140.82.116.4): icmp_seq=2 ttl=49 time=155 ms
64 bytes from lb-140-82-116-4-sea.github.com (140.82.116.4): icmp_seq=3 ttl=49 time=153 ms
64 bytes from lb-140-82-116-4-sea.github.com (140.82.116.4): icmp_seq=4 ttl=49 time=152 ms
--- github.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 152.234/153.034/154.550/0.930 ms
So, I really don't know why internal-subnet's dns-nameserver set to
8.8.8.8 or 8.8.4.4 why it doesn't resolve properly, and the same setup
for other dns-nameserver surprisingly works fine.
It seems to me that either none of the external nameservers are
supported or all of them are, so why are only 8.8.8.8 and 8.8.4.4 not
supported?
I'm really curious as to what's going on...
-
-
Thank you for reading and helping out.
BR//Evt
** Description changed:
Hi,
I met a bit strange problem, currently I use ovn/ml2 and configured
geneve + flat to organize my network.
Following the guidelines, I created two networks, internal and external,
as named, for internal communication within the VMs and for creating
floating ip (external) to assign to the VMs in order for them to access
the public network.
Here are some openstack commands as follows (enable dhcp by default)
### internal network & subnet
openstack network create internal --provider-network-type geneve
openstack subnet create internal-subnet --network internal \
--subnet-range 192.168.200.0/24 --gateway 192.168.200.1 \
--dns-nameserver 8.8.8.8
### external network & subnet, flat, physnet1 is mapping
openstack network create \
--provider-physical-network physnet1 \
--provider-network-type flat --external external
openstack subnet create external-subnet \
--network external--subnet-range 192.168.5.0/24 \
--allocation-pool start=192.168.5.200,end=192.168.5.220 \
- --gateway 192.168.5.1 --dns-nameserver 1.1.1.1 --no-dhcp
+ --gateway 192.168.5.1 --dns-nameserver 9.9.9.9 --no-dhcp
### of course, a router is a must
openstack router create router-001
openstack router add subnet router-001 internal-subnet
openstack router add gateway router-001 external
### bridge & ports, compute node as the same
root@master-01 ~(keystone)# ovs-vsctl list-br
br-external
br-int
root@master-01 ~(keystone)# ovs-vsctl list-ports br-external
eno3
patch-provnet-76e95ef2-261e-4d51-b89e-48ddb26d0bcf-to-br-int
root@master-01 ~(keystone)#
### mapping is here, use different physical NICs to differentiate between management and VM data transfers
{hostname=master-01, ovn-bridge-mappings="physnet1:br-external", ovn-cms-options=enable-chassis-as-gw, ovn-encap-ip="10.20.0.10", ovn-encap-type=geneve, ovn-remote="tcp:10.10.0.10:6642", rundir="/var/run/openvswitch", system-id="121c0c62-b0fb-4441-bf10-14d429b4bcd8"}
...
### sb information
ovn-sbctl show
Chassis "121c0c62-b0fb-4441-bf10-14d429b4bcd8"
hostname: master-01
Encap geneve
ip: "10.20.0.10"
options: {csum="true"}
Port_Binding cr-lrp-1641f948-ac28-422a-99a4-e056372812cd
Chassis "c8bd82a0-a930-48ad-a3f0-48ce81713dfc"
hostname: compute-01
Encap geneve
ip: "10.20.0.20"
options: {csum="true"}
Port_Binding "fced94e8-c0f7-43ba-be90-3d93983c4b4a"
Port_Binding "6102cb9b-e42f-4f37-abe1-d0765f4b6c4e"
### nb information
ovn-nbctl show
switch 5751184d-39ef-4a10-bb72-9fc5285caa7e (neutron-7c28892d-5864-403a-8a8d-03180770db60) (aka internal)
port 6102cb9b-e42f-4f37-abe1-d0765f4b6c4e
addresses: ["fa:16:3e:02:8e:f4 192.168.200.153"]
port 6cec6fa7-1a80-4b20-b96d-bd79d528ad64
type: localport
addresses: ["fa:16:3e:94:ff:e1 192.168.200.2"]
port beb8f8d3-7d18-4d02-b786-9927b7ad2d17
addresses: ["fa:16:3e:85:52:47 192.168.200.214"]
port 2e495938-68da-44e4-b2c0-20031f8faa59
type: router
router-port: lrp-2e495938-68da-44e4-b2c0-20031f8faa59
port fced94e8-c0f7-43ba-be90-3d93983c4b4a
addresses: ["fa:16:3e:df:1e:63 192.168.200.44"]
port 9ba1c2e0-8035-422b-a632-8f8fb7f217a3
addresses: ["fa:16:3e:b4:7d:14 192.168.200.179"]
switch c91f2dd7-9fbb-4f75-9b05-20db0d5173c7 (neutron-8a7b3145-393a-46fc-a019-c0676671db40) (aka external)
port 1641f948-ac28-422a-99a4-e056372812cd
type: router
router-port: lrp-1641f948-ac28-422a-99a4-e056372812cd
port provnet-76e95ef2-261e-4d51-b89e-48ddb26d0bcf
type: localnet
addresses: ["unknown"]
port 1163cb86-7241-492a-a8a6-f6cd51f661f0
type: localport
addresses: ["fa:16:3e:15:06:23"]
router 63145aba-6fac-4cbd-bfb8-a7adb9daa361 (neutron-7fa5c121-0385-4fa8-ba24-cb6988c87aaa) (aka router-001)
port lrp-1641f948-ac28-422a-99a4-e056372812cd
mac: "fa:16:3e:11:2c:9a"
networks: ["192.168.5.209/24"]
gateway chassis: [121c0c62-b0fb-4441-bf10-14d429b4bcd8 c8bd82a0-a930-48ad-a3f0-48ce81713dfc]
port lrp-2e495938-68da-44e4-b2c0-20031f8faa59
mac: "fa:16:3e:fd:f8:67"
networks: ["192.168.200.1/24"]
nat 00f4a3b9-35cc-41b0-b2dc-dc6fb174c313
external ip: "192.168.5.216"
logical ip: "192.168.200.44"
type: "dnat_and_snat"
nat 16a4b585-9e25-41f6-9e9c-9923f2ffc236
external ip: "192.168.5.201"
logical ip: "192.168.200.153"
type: "dnat_and_snat"
### dhcp information
ovn-nbctl dhcp-options-get-options 88e0b506-23b9-4925-9f82-aa329370a7bb
server_mac=fa:16:3e:44:c0:57
router=192.168.200.1
server_id=192.168.200.1
mtu=1442
classless_static_route={169.254.169.254/32,192.168.200.2, 0.0.0.0/0,192.168.200.1}
lease_time=43200
dns_server={8.8.8.8}
### boot the VM to configure a NIC and point it to the internal network
openstack server create --flavor m1.small --image Ubuntu-24-04 --security-group secgroup-001 --nic net-id=internal --key-name mykey ubuntu2404-001
### only icmp and ssh ports are open in the security group, 5201 is for ipref3, it's ok.
openstack security group rule list secgroup-001
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+
| ID | IP Protocol | Ethertype | IP Range | Port Range | Direction | Remote Security Group | Remote Address Group |
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+
| 0e2fcc8f-15a7-47b5-bd9c-4029a230cabf | tcp | IPv4 | 0.0.0.0/0 | 22:22 | ingress | None | None |
| 2100ca19-3f17-4c39-8dce-5c50f8a4ffa4 | None | IPv4 | 0.0.0.0/0 | | egress | None | None |
| 5433e8b0-7e1c-48b5-8b5d-f22e745a9ee0 | tcp | IPv4 | 0.0.0.0/0 | 5201:5201 | ingress | None | None |
| b2556f92-f296-46c6-8f8f-fcaf5e2eda1c | icmp | IPv4 | 0.0.0.0/0 | | ingress | None | None |
| d50fe1f0-4a29-49af-984a-66bcebe10b04 | None | IPv6 | ::/0 | | egress | None | None |
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+
### creating a floating ip and assigning it to a vm
openstack floating ip create external
openstack server add floating ip Ubuntu-24-04 192.168.5.216
At this point, everything is working fine, and after creating a few more
VMs, they can communicate with each other on the intranet via
192.168.200.0/24, and can also ping external (public) IP addresses due
to the assigned and floating IPs.
Just when I was happy, the problem came that it could not resolve the
external domain name properly.
:(
In fact, it's not that it can't be parsed at all, it's that it can be
parsed at one time and can't be parsed at another time, and it switches
back and forth, but most of the time it can't be parsed properly.
root@ubuntu2404-001:~# resolvectl status
Global
Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub
Link 2 (ens3)
Current Scopes: DNS
Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 8.8.8.8
DNS Servers: 8.8.8.8
I'm sure the nameserver is coming from dhcp and writing to /run/systemd/resolve/resolv.conf
root@ubuntu2404-001:~# cat /run/systemd/resolve/resolv.conf
...
nameserver 8.8.8.8
root@ubuntu2404-001:~# systemctl status systemd-resolved
● systemd-resolved.service - Network Name Resolution
Loaded: loaded (/usr/lib/systemd/system/systemd-resolved.service; enabled; preset: enabled)
Active: active (running) since Fri 2024-08-30 07:23:13 UTC; 5min ago
...
Aug 30 07:23:13 ubuntu2404-001 systemd-resolved[584]: Negative trust anchors: home.arpa 10.in-addr.arpa 16.172.in-addr.arpa 17.172.in-addr.arpa 18.172.in-addr.arpa 19.172.in-addr.arpa 20.172.in-addr.arpa 21.172.in-addr.arpa 22.172.in>
Aug 30 07:23:13 ubuntu2404-001 systemd-resolved[584]: Using system hostname 'ubuntu2404-001'.
Aug 30 07:23:13 ubuntu2404-001 systemd[1]: Started systemd-resolved.service - Network Name Resolution.
Aug 30 07:23:56 ubuntu2404-001 systemd-resolved[584]: Using degraded feature set UDP instead of UDP+EDNS0 for DNS server 8.8.8.8.
Aug 30 07:24:06 ubuntu2404-001 systemd-resolved[584]: Using degraded feature set TCP instead of UDP for DNS server 8.8.8.8.
Aug 30 07:24:06 ubuntu2404-001 systemd-resolved[584]: Clock change detected. Flushing caches.
...
Virtual machine using ubuntu 24.04 cloud img from official link
root@ubuntu2404-001:~# nslookup www.github.com
;; communications error to 127.0.0.53#53: timed out
;; communications error to 127.0.0.53#53: timed out
;; communications error to 127.0.0.53#53: timed out
;; no servers could be reached
root@ubuntu2404-001:~# nslookup www.github.com
;; communications error to 127.0.0.53#53: timed out
;; communications error to 127.0.0.53#53: timed out
Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
www.github.com canonical name = github.com.
Name: github.com
Address: 20.205.243.166
root@ubuntu2404-001:~#
root@ubuntu2404-001:~# ping 20.205.243.166 -c4
PING 20.205.243.166 (20.205.243.166) 56(84) bytes of data.
64 bytes from 20.205.243.166: icmp_seq=1 ttl=111 time=95.1 ms
64 bytes from 20.205.243.166: icmp_seq=2 ttl=111 time=93.5 ms
64 bytes from 20.205.243.166: icmp_seq=3 ttl=111 time=95.6 ms
64 bytes from 20.205.243.166: icmp_seq=4 ttl=111 time=95.6 ms
--- 20.205.243.166 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 93.541/94.954/95.568/0.833 ms
root@ubuntu2404-001:~#
As I said, it's not completely unresolvable, odds are it will fail, but
pinging is possible, as is access via IP.
After my repeated testing, I'm pretty sure and even more puzzled by the
fact that the above problem occurs when the internal-subnet's dns-
nameserver is set to google's 8.8.8.8 or 8.8.4.4! And switching to any
other internal DNS(self-private) or 1.1.1.1 or 9.9.9.9 is no problem at
all!
### now the internal-subnet information
openstack subnet show internal-subnet
+----------------------+--------------------------------------+
| Field | Value |
+----------------------+--------------------------------------+
| allocation_pools | 192.168.200.2-192.168.200.254 |
| cidr | 192.168.200.0/24 |
| created_at | 2024-08-30T02:39:23Z |
| description | |
| dns_nameservers | 8.8.8.8 |
| dns_publish_fixed_ip | None |
| enable_dhcp | True |
| gateway_ip | 192.168.200.1 |
|...
+----------------------+--------------------------------------+
###reset dns-nameserver for internal-subnet
openstack subnet set --no-dns-nameservers internal-subnet
openstack subnet set --dns-nameserver 1.1.1.1 internal-subnet
openstack subnet show internal-subnet
+----------------------+--------------------------------------+
| Field | Value |
+----------------------+--------------------------------------+
| allocation_pools | 192.168.200.2-192.168.200.254 |
| cidr | 192.168.200.0/24 |
| created_at | 2024-08-30T02:39:23Z |
| description | |
| dns_nameservers | 1.1.1.1 | 8.8.8.8->1.1.1.1
| dns_publish_fixed_ip | None |
| enable_dhcp | True |
| gateway_ip | 192.168.200.1 |
| host_routes | |
|...
+----------------------+--------------------------------------+
### ovn dhcp dns_server changed
ovn-nbctl dhcp-options-get-options 88e0b506-23b9-4925-9f82-aa329370a7bb
server_mac=fa:16:3e:44:c0:57
router=192.168.200.1
server_id=192.168.200.1
mtu=1442
classless_static_route={169.254.169.254/32,192.168.200.2, 0.0.0.0/0,192.168.200.1}
lease_time=43200
dns_server={1.1.1.1}
###reboot the vms, check it out
root@ubuntu2404-001:~# resolvectl status
Global
Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub
Link 2 (ens3)
Current Scopes: DNS
Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 1.1.1.1
DNS Servers: 1.1.1.1
cat /run/systemd/resolve/resolv.conf
...
nameserver 1.1.1.1
search .
root@ubuntu2404-001:~# nslookup www.github.com
Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
www.github.com canonical name = github.com.
Name: github.com
Address: 140.82.116.3
When performing nslookup, the return is so fast!
root@ubuntu2404-001:~#ping www.github.com -c4
PING github.com (140.82.116.4) 56(84) bytes of data.
64 bytes from lb-140-82-116-4-sea.github.com (140.82.116.4): icmp_seq=1 ttl=49 time=152 ms
64 bytes from lb-140-82-116-4-sea.github.com (140.82.116.4): icmp_seq=2 ttl=49 time=155 ms
64 bytes from lb-140-82-116-4-sea.github.com (140.82.116.4): icmp_seq=3 ttl=49 time=153 ms
64 bytes from lb-140-82-116-4-sea.github.com (140.82.116.4): icmp_seq=4 ttl=49 time=152 ms
--- github.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 152.234/153.034/154.550/0.930 ms
So, I really don't know why internal-subnet's dns-nameserver set to
8.8.8.8 or 8.8.4.4 why it doesn't resolve properly, and the same setup
for other dns-nameserver surprisingly works fine.
It seems to me that either none of the external nameservers are
supported or all of them are, so why are only 8.8.8.8 and 8.8.4.4 not
supported?
I'm really curious as to what's going on...
Thank you for reading and helping out.
BR//Evt
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2078425
Title:
ovn/ml2 selfservice (isolated network) dns-nameserver set in subnet,
can't resolve domain
Status in neutron:
New
Bug description:
Hi,
I met a bit strange problem, currently I use ovn/ml2 and configured
geneve + flat to organize my network.
Following the guidelines, I created two networks, internal and
external, as named, for internal communication within the VMs and for
creating floating ip (external) to assign to the VMs in order for them
to access the public network.
Here are some openstack commands as follows (enable dhcp by default)
### internal network & subnet
openstack network create internal --provider-network-type geneve
openstack subnet create internal-subnet --network internal \
--subnet-range 192.168.200.0/24 --gateway 192.168.200.1 \
--dns-nameserver 8.8.8.8
### external network & subnet, flat, physnet1 is mapping
openstack network create \
--provider-physical-network physnet1 \
--provider-network-type flat --external external
openstack subnet create external-subnet \
--network external--subnet-range 192.168.5.0/24 \
--allocation-pool start=192.168.5.200,end=192.168.5.220 \
--gateway 192.168.5.1 --dns-nameserver 9.9.9.9 --no-dhcp
### of course, a router is a must
openstack router create router-001
openstack router add subnet router-001 internal-subnet
openstack router add gateway router-001 external
### bridge & ports, compute node as the same
root@master-01 ~(keystone)# ovs-vsctl list-br
br-external
br-int
root@master-01 ~(keystone)# ovs-vsctl list-ports br-external
eno3
patch-provnet-76e95ef2-261e-4d51-b89e-48ddb26d0bcf-to-br-int
root@master-01 ~(keystone)#
### mapping is here, use different physical NICs to differentiate between management and VM data transfers
{hostname=master-01, ovn-bridge-mappings="physnet1:br-external", ovn-cms-options=enable-chassis-as-gw, ovn-encap-ip="10.20.0.10", ovn-encap-type=geneve, ovn-remote="tcp:10.10.0.10:6642", rundir="/var/run/openvswitch", system-id="121c0c62-b0fb-4441-bf10-14d429b4bcd8"}
...
### sb information
ovn-sbctl show
Chassis "121c0c62-b0fb-4441-bf10-14d429b4bcd8"
hostname: master-01
Encap geneve
ip: "10.20.0.10"
options: {csum="true"}
Port_Binding cr-lrp-1641f948-ac28-422a-99a4-e056372812cd
Chassis "c8bd82a0-a930-48ad-a3f0-48ce81713dfc"
hostname: compute-01
Encap geneve
ip: "10.20.0.20"
options: {csum="true"}
Port_Binding "fced94e8-c0f7-43ba-be90-3d93983c4b4a"
Port_Binding "6102cb9b-e42f-4f37-abe1-d0765f4b6c4e"
### nb information
ovn-nbctl show
switch 5751184d-39ef-4a10-bb72-9fc5285caa7e (neutron-7c28892d-5864-403a-8a8d-03180770db60) (aka internal)
port 6102cb9b-e42f-4f37-abe1-d0765f4b6c4e
addresses: ["fa:16:3e:02:8e:f4 192.168.200.153"]
port 6cec6fa7-1a80-4b20-b96d-bd79d528ad64
type: localport
addresses: ["fa:16:3e:94:ff:e1 192.168.200.2"]
port beb8f8d3-7d18-4d02-b786-9927b7ad2d17
addresses: ["fa:16:3e:85:52:47 192.168.200.214"]
port 2e495938-68da-44e4-b2c0-20031f8faa59
type: router
router-port: lrp-2e495938-68da-44e4-b2c0-20031f8faa59
port fced94e8-c0f7-43ba-be90-3d93983c4b4a
addresses: ["fa:16:3e:df:1e:63 192.168.200.44"]
port 9ba1c2e0-8035-422b-a632-8f8fb7f217a3
addresses: ["fa:16:3e:b4:7d:14 192.168.200.179"]
switch c91f2dd7-9fbb-4f75-9b05-20db0d5173c7 (neutron-8a7b3145-393a-46fc-a019-c0676671db40) (aka external)
port 1641f948-ac28-422a-99a4-e056372812cd
type: router
router-port: lrp-1641f948-ac28-422a-99a4-e056372812cd
port provnet-76e95ef2-261e-4d51-b89e-48ddb26d0bcf
type: localnet
addresses: ["unknown"]
port 1163cb86-7241-492a-a8a6-f6cd51f661f0
type: localport
addresses: ["fa:16:3e:15:06:23"]
router 63145aba-6fac-4cbd-bfb8-a7adb9daa361 (neutron-7fa5c121-0385-4fa8-ba24-cb6988c87aaa) (aka router-001)
port lrp-1641f948-ac28-422a-99a4-e056372812cd
mac: "fa:16:3e:11:2c:9a"
networks: ["192.168.5.209/24"]
gateway chassis: [121c0c62-b0fb-4441-bf10-14d429b4bcd8 c8bd82a0-a930-48ad-a3f0-48ce81713dfc]
port lrp-2e495938-68da-44e4-b2c0-20031f8faa59
mac: "fa:16:3e:fd:f8:67"
networks: ["192.168.200.1/24"]
nat 00f4a3b9-35cc-41b0-b2dc-dc6fb174c313
external ip: "192.168.5.216"
logical ip: "192.168.200.44"
type: "dnat_and_snat"
nat 16a4b585-9e25-41f6-9e9c-9923f2ffc236
external ip: "192.168.5.201"
logical ip: "192.168.200.153"
type: "dnat_and_snat"
### dhcp information
ovn-nbctl dhcp-options-get-options 88e0b506-23b9-4925-9f82-aa329370a7bb
server_mac=fa:16:3e:44:c0:57
router=192.168.200.1
server_id=192.168.200.1
mtu=1442
classless_static_route={169.254.169.254/32,192.168.200.2, 0.0.0.0/0,192.168.200.1}
lease_time=43200
dns_server={8.8.8.8}
### boot the VM to configure a NIC and point it to the internal network
openstack server create --flavor m1.small --image Ubuntu-24-04 --security-group secgroup-001 --nic net-id=internal --key-name mykey ubuntu2404-001
### only icmp and ssh ports are open in the security group, 5201 is for ipref3, it's ok.
openstack security group rule list secgroup-001
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+
| ID | IP Protocol | Ethertype | IP Range | Port Range | Direction | Remote Security Group | Remote Address Group |
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+
| 0e2fcc8f-15a7-47b5-bd9c-4029a230cabf | tcp | IPv4 | 0.0.0.0/0 | 22:22 | ingress | None | None |
| 2100ca19-3f17-4c39-8dce-5c50f8a4ffa4 | None | IPv4 | 0.0.0.0/0 | | egress | None | None |
| 5433e8b0-7e1c-48b5-8b5d-f22e745a9ee0 | tcp | IPv4 | 0.0.0.0/0 | 5201:5201 | ingress | None | None |
| b2556f92-f296-46c6-8f8f-fcaf5e2eda1c | icmp | IPv4 | 0.0.0.0/0 | | ingress | None | None |
| d50fe1f0-4a29-49af-984a-66bcebe10b04 | None | IPv6 | ::/0 | | egress | None | None |
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+
### creating a floating ip and assigning it to a vm
openstack floating ip create external
openstack server add floating ip Ubuntu-24-04 192.168.5.216
At this point, everything is working fine, and after creating a few
more VMs, they can communicate with each other on the intranet via
192.168.200.0/24, and can also ping external (public) IP addresses due
to the assigned and floating IPs.
Just when I was happy, the problem came that it could not resolve the
external domain name properly.
:(
In fact, it's not that it can't be parsed at all, it's that it can be
parsed at one time and can't be parsed at another time, and it
switches back and forth, but most of the time it can't be parsed
properly.
root@ubuntu2404-001:~# resolvectl status
Global
Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub
Link 2 (ens3)
Current Scopes: DNS
Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 8.8.8.8
DNS Servers: 8.8.8.8
I'm sure the nameserver is coming from dhcp and writing to /run/systemd/resolve/resolv.conf
root@ubuntu2404-001:~# cat /run/systemd/resolve/resolv.conf
...
nameserver 8.8.8.8
root@ubuntu2404-001:~# systemctl status systemd-resolved
● systemd-resolved.service - Network Name Resolution
Loaded: loaded (/usr/lib/systemd/system/systemd-resolved.service; enabled; preset: enabled)
Active: active (running) since Fri 2024-08-30 07:23:13 UTC; 5min ago
...
Aug 30 07:23:13 ubuntu2404-001 systemd-resolved[584]: Negative trust anchors: home.arpa 10.in-addr.arpa 16.172.in-addr.arpa 17.172.in-addr.arpa 18.172.in-addr.arpa 19.172.in-addr.arpa 20.172.in-addr.arpa 21.172.in-addr.arpa 22.172.in>
Aug 30 07:23:13 ubuntu2404-001 systemd-resolved[584]: Using system hostname 'ubuntu2404-001'.
Aug 30 07:23:13 ubuntu2404-001 systemd[1]: Started systemd-resolved.service - Network Name Resolution.
Aug 30 07:23:56 ubuntu2404-001 systemd-resolved[584]: Using degraded feature set UDP instead of UDP+EDNS0 for DNS server 8.8.8.8.
Aug 30 07:24:06 ubuntu2404-001 systemd-resolved[584]: Using degraded feature set TCP instead of UDP for DNS server 8.8.8.8.
Aug 30 07:24:06 ubuntu2404-001 systemd-resolved[584]: Clock change detected. Flushing caches.
...
Virtual machine using ubuntu 24.04 cloud img from official link
root@ubuntu2404-001:~# nslookup www.github.com
;; communications error to 127.0.0.53#53: timed out
;; communications error to 127.0.0.53#53: timed out
;; communications error to 127.0.0.53#53: timed out
;; no servers could be reached
root@ubuntu2404-001:~# nslookup www.github.com
;; communications error to 127.0.0.53#53: timed out
;; communications error to 127.0.0.53#53: timed out
Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
www.github.com canonical name = github.com.
Name: github.com
Address: 20.205.243.166
root@ubuntu2404-001:~#
root@ubuntu2404-001:~# ping 20.205.243.166 -c4
PING 20.205.243.166 (20.205.243.166) 56(84) bytes of data.
64 bytes from 20.205.243.166: icmp_seq=1 ttl=111 time=95.1 ms
64 bytes from 20.205.243.166: icmp_seq=2 ttl=111 time=93.5 ms
64 bytes from 20.205.243.166: icmp_seq=3 ttl=111 time=95.6 ms
64 bytes from 20.205.243.166: icmp_seq=4 ttl=111 time=95.6 ms
--- 20.205.243.166 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 93.541/94.954/95.568/0.833 ms
root@ubuntu2404-001:~#
As I said, it's not completely unresolvable, odds are it will fail,
but pinging is possible, as is access via IP.
After my repeated testing, I'm pretty sure and even more puzzled by
the fact that the above problem occurs when the internal-subnet's dns-
nameserver is set to google's 8.8.8.8 or 8.8.4.4! And switching to any
other internal DNS(self-private) or 1.1.1.1 or 9.9.9.9 is no problem
at all!
### now the internal-subnet information
openstack subnet show internal-subnet
+----------------------+--------------------------------------+
| Field | Value |
+----------------------+--------------------------------------+
| allocation_pools | 192.168.200.2-192.168.200.254 |
| cidr | 192.168.200.0/24 |
| created_at | 2024-08-30T02:39:23Z |
| description | |
| dns_nameservers | 8.8.8.8 |
| dns_publish_fixed_ip | None |
| enable_dhcp | True |
| gateway_ip | 192.168.200.1 |
|...
+----------------------+--------------------------------------+
###reset dns-nameserver for internal-subnet
openstack subnet set --no-dns-nameservers internal-subnet
openstack subnet set --dns-nameserver 1.1.1.1 internal-subnet
openstack subnet show internal-subnet
+----------------------+--------------------------------------+
| Field | Value |
+----------------------+--------------------------------------+
| allocation_pools | 192.168.200.2-192.168.200.254 |
| cidr | 192.168.200.0/24 |
| created_at | 2024-08-30T02:39:23Z |
| description | |
| dns_nameservers | 1.1.1.1 | 8.8.8.8->1.1.1.1
| dns_publish_fixed_ip | None |
| enable_dhcp | True |
| gateway_ip | 192.168.200.1 |
| host_routes | |
|...
+----------------------+--------------------------------------+
### ovn dhcp dns_server changed
ovn-nbctl dhcp-options-get-options 88e0b506-23b9-4925-9f82-aa329370a7bb
server_mac=fa:16:3e:44:c0:57
router=192.168.200.1
server_id=192.168.200.1
mtu=1442
classless_static_route={169.254.169.254/32,192.168.200.2, 0.0.0.0/0,192.168.200.1}
lease_time=43200
dns_server={1.1.1.1}
###reboot the vms, check it out
root@ubuntu2404-001:~# resolvectl status
Global
Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub
Link 2 (ens3)
Current Scopes: DNS
Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 1.1.1.1
DNS Servers: 1.1.1.1
cat /run/systemd/resolve/resolv.conf
...
nameserver 1.1.1.1
search .
root@ubuntu2404-001:~# nslookup www.github.com
Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
www.github.com canonical name = github.com.
Name: github.com
Address: 140.82.116.3
When performing nslookup, the return is so fast!
root@ubuntu2404-001:~#ping www.github.com -c4
PING github.com (140.82.116.4) 56(84) bytes of data.
64 bytes from lb-140-82-116-4-sea.github.com (140.82.116.4): icmp_seq=1 ttl=49 time=152 ms
64 bytes from lb-140-82-116-4-sea.github.com (140.82.116.4): icmp_seq=2 ttl=49 time=155 ms
64 bytes from lb-140-82-116-4-sea.github.com (140.82.116.4): icmp_seq=3 ttl=49 time=153 ms
64 bytes from lb-140-82-116-4-sea.github.com (140.82.116.4): icmp_seq=4 ttl=49 time=152 ms
--- github.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 152.234/153.034/154.550/0.930 ms
So, I really don't know why internal-subnet's dns-nameserver set to
8.8.8.8 or 8.8.4.4 why it doesn't resolve properly, and the same setup
for other dns-nameserver surprisingly works fine.
It seems to me that either none of the external nameservers are
supported or all of them are, so why are only 8.8.8.8 and 8.8.4.4 not
supported?
I'm really curious as to what's going on...
Thank you for reading and helping out.
BR//Evt
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/2078425/+subscriptions
