What I have observed so far is...
1. nova-compute sends dhcp request
2. dhcp-server running on the Quantum node does not receive the request because of the firewall setting.
I don't understand why quantum-dhcp-agent does not set up firewall properly.
(Yes, all the openstack components are running on CentOS6.4 in our system.)

Thanks,
David

----- Original Message -----
> Hi,
>
> This is very interesting..:)
> I am using openstack grizzly allinone with quantum/neutron.
>
> Look what I am observing.
> -before starting an instance on the server
> root@ubuntu1204:~# iptables-save -t filter
> # Generated by iptables-save v1.4.12 on Tue Jul 23 20:22:55 2013
> *filter
> :INPUT ACCEPT [62981:17142030]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [62806:17138989]
> :nova-api-FORWARD - [0:0]
> :nova-api-INPUT - [0:0]
> :nova-api-OUTPUT - [0:0]
> :nova-api-local - [0:0]
> :nova-filter-top - [0:0]
> -A INPUT -j nova-api-INPUT
> -A INPUT -p gre -j ACCEPT
> -A FORWARD -j nova-filter-top
> -A FORWARD -j nova-api-FORWARD
> -A OUTPUT -j nova-filter-top
> -A OUTPUT -j nova-api-OUTPUT
> -A nova-api-INPUT -d 10.200.10.10/32 -p tcp -m tcp --dport 8775 -j ACCEPT
> -A nova-filter-top -j nova-api-local
> COMMIT
> # Completed on Tue Jul 23 20:22:55 2013
> root@ubuntu1204:~#
>
> -after starting an instance on the host
>
> root@ubuntu1204:~# iptables-save -t filter
> # Generated by iptables-save v1.4.12 on Tue Jul 23 20:24:42 2013
> *filter
> :INPUT ACCEPT [90680:24989889]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [90482:24984752]
> :nova-api-FORWARD - [0:0]
> :nova-api-INPUT - [0:0]
> :nova-api-OUTPUT - [0:0]
> :nova-api-local - [0:0]
> :nova-compute-FORWARD - [0:0]
> :nova-compute-INPUT - [0:0]
> :nova-compute-OUTPUT - [0:0]
> :nova-compute-inst-35 - [0:0]
> :nova-compute-local - [0:0]
> :nova-compute-provider - [0:0]
> :nova-compute-sg-fallback - [0:0]
> :nova-filter-top - [0:0]
> -A INPUT -j nova-compute-INPUT
> -A INPUT -j nova-api-INPUT
> -A INPUT -p gre -j ACCEPT
> -A FORWARD -j nova-filter-top
> -A FORWARD -j nova-compute-FORWARD
> -A FORWARD -j nova-api-FORWARD
> -A OUTPUT -j nova-filter-top
> -A OUTPUT -j nova-compute-OUTPUT
> -A OUTPUT -j nova-api-OUTPUT
> -A nova-api-INPUT -d 10.200.10.10/32 -p tcp -m tcp --dport 8775 -j ACCEPT
> -A nova-compute-FORWARD -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp --sport 68 --dport 67 -j ACCEPT
> -A nova-compute-INPUT -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp --sport 68 --dport 67 -j ACCEPT
> -A nova-compute-inst-35 -m state --state INVALID -j DROP
> -A nova-compute-inst-35 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A nova-compute-inst-35 -j nova-compute-provider
> -A nova-compute-inst-35 -s 172.24.17.2/32 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
> -A nova-compute-inst-35 -s 172.24.17.0/24 -j ACCEPT
> -A nova-compute-inst-35 -p tcp -m tcp --dport 22 -j ACCEPT
> -A nova-compute-inst-35 -p icmp -j ACCEPT
> -A nova-compute-inst-35 -j nova-compute-sg-fallback
> -A nova-compute-local -d 172.24.17.1/32 -j nova-compute-inst-35
> -A nova-compute-sg-fallback -j DROP
> -A nova-filter-top -j nova-compute-local
> -A nova-filter-top -j nova-api-local
> COMMIT
> # Completed on Tue Jul 23 20:24:42 2013
>
> It seems that the rule that accepts dhcp packets is created once an instance is spawned.
>
> I will try the same thing on a centos64.
>
> Regards,
> Gabriel
>
> From: David Kang <dk...@isi.edu>
> To: Staicu Gabriel <gabriel_sta...@yahoo.com>
> Cc: "openstack@lists.launchpad.net (openstack@lists.launchpad.net)" <openstack@lists.launchpad.net>
> Sent: Tuesday, July 23, 2013 7:59 PM
> Subject: Re: [Openstack] [Quantum/Neutron] VM cannot get IP address from DHCP server
>
> Thank you for your suggestion.
>
> We are using Quantum/Neutron not nova-network.
> So, we don't use br100.
> (I believe you are using nova-network.)
>
> And the firewall rules that cause the problem reside on the Quantum node, not on the nova-compute node.
> I cannot find any rule for "--dport 67" on my Quantum node.
> I used the "service iptables status" command to check the firewall rules.
>
> Thanks,
> David
>
> ----- Original Message -----
> > Hi,
> >
> > Please can you look up in the iptables?
> > Normally on a working openstack host the packets coming in the filter table in the input chain are directed to the nova-network-INPUT which has a rule to accept dhcp packets.
> > On my setup it is something like:
> > -A INPUT -j nova-network-INPUT
> > .
> > .
> > .
> > -A nova-network-INPUT -i br100 -p udp -m udp --dport 67 -j ACCEPT
> >
> > So I think you have to look somewhere else for your issue.
> >
> > Regards,
> > Gabriel
> >
> > From: David Kang <dk...@isi.edu>
> > To: "openstack@lists.launchpad.net (openstack@lists.launchpad.net)" <openstack@lists.launchpad.net>
> > Sent: Tuesday, July 23, 2013 7:22 PM
> > Subject: [Openstack] [Quantum/Neutron] VM cannot get IP address from DHCP server
> >
> > Hi,
> >
> > We are running OpenStack Folsom on CentOS 6.4.
> > Quantum-linuxbridge-agent is used.
> > By default, the Quantum node has the following entries in its /etc/sysconfig/iptables file.
> >
> > -A INPUT -j REJECT --reject-with icmp-host-prohibited
> > -A FORWARD -j REJECT --reject-with icmp-host-prohibited
> >
> > With those two lines, a VM cannot get an IP address from the DHCP server running on the Quantum node.
> > More specifically, the first line prevents a VM from getting an IP address from the DHCP server.
> > The second line prevents a VM from talking to other VMs and the external world.
> > Is there a better way to make the Quantum network work well than just commenting them out?
> >
> > I'll appreciate your help.
> >
> > David
> >
> > --
> > ----------------------
> > Dr. Dong-In "David" Kang
> > Computer Scientist
> > USC/ISI
> >
> > _______________________________________________
> > Mailing list: https://launchpad.net/~openstack
> > Post to : openstack@lists.launchpad.net
> > Unsubscribe : https://launchpad.net/~openstack
> > More help : https://help.launchpad.net/ListHelp
>
> --
> ----------------------
> Dr. Dong-In "David" Kang
> Computer Scientist
> USC/ISI

--
----------------------
Dr. Dong-In "David" Kang
Computer Scientist
USC/ISI
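As an added example (not code from the thread or from OpenStack), a small Python checker that parses an `iptables-save -t filter` dump, walks INPUT and the user chains it jumps into in rule order for a fresh UDP/67 packet, and reports which rule decides its fate; this is how to tell whether a DHCP accept rule sits before the CentOS default `REJECT --reject-with icmp-host-prohibited` line or never gets reached. The sample dump and its nova chain are constructed, and the matcher is an approximation that only looks at protocol, destination port and conntrack state (addresses and interfaces are treated as wildcards, and every rule is assumed to carry a `-j` target).

```python
import re
# Constructed iptables-save sample (not from any host): nova chain plus CentOS 6 default REJECT line.
SAMPLE = """*filter
:INPUT ACCEPT [0:0]
:nova-api-INPUT - [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j nova-api-INPUT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A nova-api-INPUT -d 10.200.10.10/32 -p tcp -m tcp --dport 8775 -j ACCEPT
COMMIT
"""

def parse(text):
    """Return ({chain: [(match, target, line)]}, {chain: policy or '-'})."""
    chains, policy = {}, {}
    for line in text.splitlines():
        if line.startswith(":"):
            name, pol = line[1:].split()[:2]
            chains[name], policy[name] = [], pol
        elif line.startswith("-A "):  # assumes every rule has a -j target
            chain, match, target = re.match(r"-A (\S+)(.*?)\s*-j (\S+)", line).groups()
            chains[chain].append((match, target, line))
    return chains, policy

def rule_matches(match, pkt):
    """Approximation: checks -p, --dport and --state only; -s/-d/-i are wildcards."""
    want = dict(re.findall(r"(-p|--dport|--state) (\S+)", match))
    return (want.get("-p", pkt["proto"]) == pkt["proto"]
            and want.get("--dport", pkt["dport"]) == pkt["dport"]
            and pkt["state"] in want.get("--state", pkt["state"]).split(","))

def walk(chains, chain, pkt):
    """First terminal verdict reached from `chain`, following user-chain jumps."""
    for match, target, line in chains[chain]:
        if not rule_matches(match, pkt):
            continue
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target, line
        if target in chains:  # jump into a user chain such as nova-compute-INPUT
            hit = walk(chains, target, pkt)
            if hit:
                return hit
    return None  # fell off the end: caller applies the chain policy

def dhcp_server_verdict(save_text):
    """Fate of a fresh DHCP DISCOVER (UDP dport 67, state NEW) on INPUT."""
    chains, policy = parse(save_text)
    pkt = {"proto": "udp", "dport": "67", "state": "NEW"}
    return walk(chains, "INPUT", pkt) or (policy["INPUT"], "<chain policy>")
```

Feed it the real dump from the Quantum node: a REJECT verdict decided by the icmp-host-prohibited line means no DHCP accept rule precedes it, which is the situation the thread describes, and an ACCEPT verdict names the rule that lets the request through.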