Hi list,
I am seeing a strange behaviour of my cloud and could use some help on this.
I have a project containing 2 VMs, one is running in an external
network, the other is in a tenant-network with a floating ip. Security
group allows ping and ssh.
Now there are several ways to break or restore the connectivity but I
can't find the cause.
1. Boot a new instance on the same compute node (but different
project, no matter if same or different network). Connectivity to both
existing VMs is lost, however, from within the instance I can still
get out! Restarting neutron-linuxbridge-agent gets it right again.
2. During the state of broken connectivity, changing the
security-group rules (adding one rule or deleting a rule) for the
default sec-group has the same effect: neutron-linuxbridge-agent is
not restarted after that, but the VMs are reachable again.
3. Different project, different network, same compute node: deleting a
running instance also leads to a connectivity loss for the existing VMs.
4. In a way I was able to reproduce this issue: on a different compute
node and different project I launched an instance in the same external
network last Friday. The instance was reachable, I shut it down. Today
I booted it again, it was not reachable. Restarting the
linuxbridge-agent fixed it again.
I took a look into iptables and compared the output when the instances
are reachable and when they are not. Somehow the neutron rules aren't
there. Following the rule tree to the bottom it leads to a DROP rule
for all packets.
---cut here---
compute1:~ # iptables -L FORWARD -nv|more
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target                    prot opt in  out  source       destination
    0     0 nova-filter-top           all  --  *   *    0.0.0.0/0    0.0.0.0/0
    0     0 nova-compute-FORWARD      all  --  *   *    0.0.0.0/0    0.0.0.0/0
compute1:~ # systemctl restart openstack-neutron-linuxbridge-agent.service
compute1:~ # iptables -L FORWARD -nv|more
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target                    prot opt in  out  source       destination
   14  1176 neutron-filter-top        all  --  *   *    0.0.0.0/0    0.0.0.0/0
   14  1176 neutron-linuxbri-FORWARD  all  --  *   *    0.0.0.0/0    0.0.0.0/0
    0     0 nova-filter-top           all  --  *   *    0.0.0.0/0    0.0.0.0/0
    0     0 nova-compute-FORWARD      all  --  *   *    0.0.0.0/0    0.0.0.0/0
---cut here---
What is going on with neutron? I have been seeing this for about two
weeks now. I updated all nodes last Friday, but the problem still exists.
Any help is appreciated!
Regards,
Eugen
--
Eugen Block voice : +49-40-559 51 75
NDE Netzdesign und -entwicklung AG fax : +49-40-559 51 77
Postfach 61 03 15
D-22423 Hamburg e-mail : ebl...@nde.ag
Vorsitzende des Aufsichtsrates: Angelika Mozdzen
Sitz und Registergericht: Hamburg, HRB 90934
Vorstand: Jens-U. Mozdzen
USt-IdNr. DE 814 013 983
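
Added example, not part of the original post: a shell check that reads `iptables -L FORWARD -nv` output and reports which of the two neutron jump targets shown in the post are absent from the FORWARD chain, so the broken state can be detected from monitoring. The function name and both sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example. Jump targets seen in FORWARD after the agent restart in the post.
EXPECTED_TARGETS="neutron-filter-top neutron-linuxbri-FORWARD"

# Reads `iptables -L FORWARD -nv` output on stdin and prints each expected
# target that is absent. Returns 0 if all are present, 1 otherwise.
missing_neutron_jumps() {
    awk -v want="$EXPECTED_TARGETS" '
        BEGIN { n = split(want, w, " ") }
        # Rule lines start with the pkts and bytes counters (digits, optional
        # K/M/G suffix); the target is field 3. Headers and wrapped
        # continuation lines (addresses only) do not match and are skipped.
        $1 ~ /^[0-9]+[KMG]?$/ && $2 ~ /^[0-9]+[KMG]?$/ && NF >= 3 { seen[$3] = 1 }
        END {
            rc = 0
            for (i = 1; i <= n; i++)
                if (!(w[i] in seen)) { print w[i]; rc = 1 }
            exit rc
        }'
}

# Constructed sample: listing with only nova jumps, lines wrapped by a mailer.
sample_broken() {
    cat <<'EOF'
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source
destination
0 0 nova-filter-top all -- * * 0.0.0.0/0
0.0.0.0/0
0 0 nova-compute-FORWARD all -- * * 0.0.0.0/0
0.0.0.0/0
EOF
}

# Constructed sample: listing with the neutron jumps in place.
sample_healthy() {
    cat <<'EOF'
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   14  1176 neutron-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   14  1176 neutron-linuxbri-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 nova-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0
EOF
}

# On a compute node (as root): iptables -L FORWARD -nv | missing_neutron_jumps
sample_broken | missing_neutron_jumps || echo "FORWARD lacks the jumps listed above"
```
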