I think I found the solution.
https://bugzilla.redhat.com/show_bug.cgi?id=889868

It was reported as a bug by Red Hat. It also suggests a work-around.
Thank you everyone.

David

----- Original Message -----
> What I have observed so far is...
>
> 1. nova-compute sends dhcp request
> 2. dhcp-server running on the Quantum node does not receive the request
>    because of the firewall setting.
> I don't understand why quantum-dhcp-agent does not set up firewall properly.
> (Yes, all the openstack components are running on CentOS6.4 in our system.)
>
> Thanks,
> David
>
> ----- Original Message -----
> > Hi,
> >
> > This is very interesting..:)
> > I am using openstack grizzly allinone with quantum/neutron.
> >
> > Look what I am observing.
> > -before starting an instance on the server
> > root@ubuntu1204:~# iptables-save -t filter
> > # Generated by iptables-save v1.4.12 on Tue Jul 23 20:22:55 2013
> > *filter
> > :INPUT ACCEPT [62981:17142030]
> > :FORWARD ACCEPT [0:0]
> > :OUTPUT ACCEPT [62806:17138989]
> > :nova-api-FORWARD - [0:0]
> > :nova-api-INPUT - [0:0]
> > :nova-api-OUTPUT - [0:0]
> > :nova-api-local - [0:0]
> > :nova-filter-top - [0:0]
> > -A INPUT -j nova-api-INPUT
> > -A INPUT -p gre -j ACCEPT
> > -A FORWARD -j nova-filter-top
> > -A FORWARD -j nova-api-FORWARD
> > -A OUTPUT -j nova-filter-top
> > -A OUTPUT -j nova-api-OUTPUT
> > -A nova-api-INPUT -d 10.200.10.10/32 -p tcp -m tcp --dport 8775 -j ACCEPT
> > -A nova-filter-top -j nova-api-local
> > COMMIT
> > # Completed on Tue Jul 23 20:22:55 2013
> > root@ubuntu1204:~#
> >
> > -after starting an instance on the host
> >
> > root@ubuntu1204:~# iptables-save -t filter
> > # Generated by iptables-save v1.4.12 on Tue Jul 23 20:24:42 2013
> > *filter
> > :INPUT ACCEPT [90680:24989889]
> > :FORWARD ACCEPT [0:0]
> > :OUTPUT ACCEPT [90482:24984752]
> > :nova-api-FORWARD - [0:0]
> > :nova-api-INPUT - [0:0]
> > :nova-api-OUTPUT - [0:0]
> > :nova-api-local - [0:0]
> > :nova-compute-FORWARD - [0:0]
> > :nova-compute-INPUT - [0:0]
> > :nova-compute-OUTPUT - [0:0]
> > :nova-compute-inst-35 - [0:0]
> > :nova-compute-local - [0:0]
> > :nova-compute-provider - [0:0]
> > :nova-compute-sg-fallback - [0:0]
> > :nova-filter-top - [0:0]
> > -A INPUT -j nova-compute-INPUT
> > -A INPUT -j nova-api-INPUT
> > -A INPUT -p gre -j ACCEPT
> > -A FORWARD -j nova-filter-top
> > -A FORWARD -j nova-compute-FORWARD
> > -A FORWARD -j nova-api-FORWARD
> > -A OUTPUT -j nova-filter-top
> > -A OUTPUT -j nova-compute-OUTPUT
> > -A OUTPUT -j nova-api-OUTPUT
> > -A nova-api-INPUT -d 10.200.10.10/32 -p tcp -m tcp --dport 8775 -j ACCEPT
> > -A nova-compute-FORWARD -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp --sport 68 --dport 67 -j ACCEPT
> > -A nova-compute-INPUT -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp --sport 68 --dport 67 -j ACCEPT
> > -A nova-compute-inst-35 -m state --state INVALID -j DROP
> > -A nova-compute-inst-35 -m state --state RELATED,ESTABLISHED -j ACCEPT
> > -A nova-compute-inst-35 -j nova-compute-provider
> > -A nova-compute-inst-35 -s 172.24.17.2/32 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
> > -A nova-compute-inst-35 -s 172.24.17.0/24 -j ACCEPT
> > -A nova-compute-inst-35 -p tcp -m tcp --dport 22 -j ACCEPT
> > -A nova-compute-inst-35 -p icmp -j ACCEPT
> > -A nova-compute-inst-35 -j nova-compute-sg-fallback
> > -A nova-compute-local -d 172.24.17.1/32 -j nova-compute-inst-35
> > -A nova-compute-sg-fallback -j DROP
> > -A nova-filter-top -j nova-compute-local
> > -A nova-filter-top -j nova-api-local
> > COMMIT
> > # Completed on Tue Jul 23 20:24:42 2013
> >
> > It seems that the rule that accepts dhcp packets is created once an
> > instance is spawned.
> >
> > I will try the same thing on a centos64.
> >
> > Regards,
> > Gabriel
> >
> >
> > From: David Kang <dk...@isi.edu>
> > To: Staicu Gabriel <gabriel_sta...@yahoo.com>
> > Cc: "openstack@lists.launchpad.net (openstack@lists.launchpad.net)" <openstack@lists.launchpad.net>
> > Sent: Tuesday, July 23, 2013 7:59 PM
> > Subject: Re: [Openstack] [Quantum/Neutron] VM cannot get IP address from DHCP server
> >
> > Thank you for your suggestion.
> >
> > We are using Quantum/Neutron not nova-network.
> > So, we don't use br100.
> > (I believe you are using nova-network.)
> >
> > And the firewall rules that cause problem reside on the Quantum node
> > not on the nova-compute node.
> > I cannot find any rule for "--dport 67" on my Quantum node.
> > I used "service iptables status" command to check the firewall rules.
> >
> > Thanks,
> > David
> >
> > ----- Original Message -----
> > > Hi,
> > >
> > > Please can you look up in the iptables?
> > > Normally on a working openstack host the packets coming in the filter
> > > table in the input chain are directed to the nova-network-INPUT which
> > > has a rule to accept dhcp packets.
> > > On my setup is something like:
> > > -A INPUT -j nova-network-INPUT
> > > .
> > > .
> > > .
> > > -A nova-network-INPUT -i br100 -p udp -m udp --dport 67 -j ACCEPT
> > >
> > > So I think you have to look somewhere else for your issue.
> > >
> > > Regards,
> > > Gabriel
> > >
> > >
> > > From: David Kang <dk...@isi.edu>
> > > To: "openstack@lists.launchpad.net (openstack@lists.launchpad.net)" <openstack@lists.launchpad.net>
> > > Sent: Tuesday, July 23, 2013 7:22 PM
> > > Subject: [Openstack] [Quantum/Neutron] VM cannot get IP address from DHCP server
> > >
> > > Hi,
> > >
> > > We are running OpenStack Folsom on CentOS 6.4.
> > > Quantum-linuxbridge-agent is used.
> > > By default, the Quantum node has the following entries in its
> > > /etc/sysconfig/iptables file.
> > >
> > > -A INPUT -j REJECT --reject-with icmp-host-prohibited
> > > -A FORWARD -j REJECT --reject-with icmp-host-prohibited
> > >
> > > With those two lines, VM cannot get IP address from the DHCP server
> > > running on the Quantum node.
> > > More specifically, the first line prevents a VM from getting IP
> > > address from DHCP server.
> > > The second line prevents a VM from talking to other VMs and external
> > > worlds.
> > > Is there a better way to make the Quantum network work well
> > > than just commenting them out?
> > >
> > > I'll appreciate your help.
> > >
> > > David
> > >
> > > --
> > > ----------------------
> > > Dr. Dong-In "David" Kang
> > > Computer Scientist
> > > USC/ISI
> > >
> > > _______________________________________________
> > > Mailing list: https://launchpad.net/~openstack
> > > Post to     : openstack@lists.launchpad.net
> > > Unsubscribe : https://launchpad.net/~openstack
> > > More help   : https://help.launchpad.net/ListHelp
> >
> > --
> > ----------------------
> > Dr. Dong-In "David" Kang
> > Computer Scientist
> > USC/ISI
>
> --
> ----------------------
> Dr. Dong-In "David" Kang
> Computer Scientist
> USC/ISI

--
----------------------
Dr. Dong-In "David" Kang
Computer Scientist
USC/ISI