Forwarding to -dev from -operators.

Anyone know why, when a fixed-ip gets added to an external network guest port, all connectivity on all fixed-ips for the guest on the external network gets blocked outbound on the compute node?

John

---------- Forwarded message ----------
From: John Gruber <john.t.gru...@gmail.com>
Date: Fri, Jul 26, 2013 at 4:39 PM
Subject: Problem with nova add-fixed-ip or quantum port-update
To: openstack-operat...@lists.openstack.org

I am using Grizzly and I have a mix of both provider external networks (VLANs) and tenant GRE tunnels. The provider networks are obviously set up as public, so VMs can start with interfaces on them. I can start VMs just fine and get addresses via the dhcp_agent on both external and tenant networks.

Everything is working well... until I need to add additional fixed_ips to an existing VM vif on external networks.

While I can get commands of the form:

    nova add-fixed-ip vm-uuid net-uuid

(repeat for each fixed-ip needed)

and

    quantum port-update port-uuid -- --fixed_ips type=dict list=true ip_address='10.1.1.6' ip_address='10.1.1.7'

to execute correctly, and can see the fixed_ip addresses either allocated from the network allocation pool (using the nova command) or my explicitly defined addresses (using the quantum command) associate with my VM just fine, I have a problem with security groups.

I've simplified my security groups to just one 'default' where everything is allowed. I can start ICMP ping tests to my VM and show them working, until I run the commands to provision additional fixed IPs. Once the command takes effect on the compute node, all traffic to the VM interface hosting the network stops.

Interestingly, adjacent hosts can see the ARP entries with the correct MAC address for the added fixed_ips, but I cannot make any connections to them. If I tcpdump on the VM, I see TCP SYN requests and the VM answers with the SYN+ACK. On the network outside the VM (trunked to the compute node) I see the TCP SYN request enter the compute node, and no SYN+ACK emerges. The problem is somewhere with allowing the VM to send packets to the external network.

Can anyone tell me how to 'HUP' the security group to allow traffic to my new list of fixed_ips?

John