Re: [Openstack] Instance no route to host problem
Ooops... I got it.
Thought nova-compute has responsibilities in local iptables settings.
I guess I was misled by the fact that I have default iptables rules set up at boot time in my VM which look like rules defined in the security group, but it's just a coincidence.

Thanks
Patrick

2012/12/10 Patrick Petit

> Hi Lei,
>
> I could spend some more time looking at my "no route to host" issue today.
> It could very well be that the iptables on VM is the root of the problem.
>
> Here is what it looks like.
>
> $ sudo iptables -L
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
> ACCEPT     icmp --  anywhere             anywhere
> ACCEPT     all  --  anywhere             anywhere
> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
> REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> I am not unfortunately very familiar with iptables's rules syntax.
> Shouldn't ACCEPT all -- anywhere anywhere allow my http traffic to port 80?
>
> However, running explicitly
>
> sudo iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
>
> does fix the problem. I can access my instance on port 80.
>
> But my VM is associated with the default security group in which I added a
> rule to enable http traffic.
>
> $ nova secgroup-list-rules default
> +-------------+-----------+---------+-----------+--------------+
> | IP Protocol | From Port | To Port | IP Range  | Source Group |
> +-------------+-----------+---------+-----------+--------------+
> | icmp        | -1        | -1      | 0.0.0.0/0 |              |
> | tcp         | 22        | 22      | 0.0.0.0/0 |              |
> | tcp         | 80        | 80      | 0.0.0.0/0 |              |
> +-------------+-----------+---------+-----------+--------------+
>
> So the big question is why aren't my iptables rules in the VM not set up by
> the security group specs?
> I don't see any error in nova logs on the compute node.
>
> Any help would be really appreciated.
> Thanks
> Patrick
>
> 2012/12/6 Lei Zhang
>
>> Could you check the iptables in the vm? Whether it drops the packets on
>> port 80
>>
>> On Thu, Dec 6, 2012 at 12:29 AM, Patrick Petit <patrick.michel.pe...@gmail.com> wrote:
>>
>>> Dear Stackers,
>>>
>>> I am running instance wordpress.WikiServer
>>>
>>> $ nova list
>>> +--------------------------------------+--------------------------+--------+------------------------------------+
>>> | ID                                   | Name                     | Status | Networks                           |
>>> +--------------------------------------+--------------------------+--------+------------------------------------+
>>> | 6be47af7-2e29-4b4c-afeb-0a7f760f5970 | test2                    | ACTIVE | xlcloud=172.16.1.6                 |
>>> | 5a4c552f-933c-4a06-8e6f-164176380af5 | wordpress.DatabaseServer | ACTIVE | xlcloud=172.16.1.3                 |
>>> | ddb120d9-e1ad-444c-8490-37ecb15f500e | wordpress.WikiServer     | ACTIVE | xlcloud=172.16.1.4, 10.197.217.131 |
>>> +--------------------------------------+--------------------------+--------+------------------------------------+
>>>
>>> With Security Group setup as:
>>>
>>> $ nova secgroup-list
>>> +---------+-------------+
>>> | Name    | Description |
>>> +---------+-------------+
>>> | default | default     |
>>> +---------+-------------+
>>>
>>> $ nova secgroup-list-rules default
>>> +-------------+-----------+---------+-----------+--------------+
>>> | IP Protocol | From Port | To Port | IP Range  | Source Group |
>>> +-------------+-----------+---------+-----------+--------------+
>>> | icmp        | -1        | -1      | 0.0.0.0/0 |              |
>>> | tcp         | 22        | 22      | 0.0.0.0/0 |              |
>>> | tcp         | 80        | 80      | 0.0.0.0/0 |              |
>>> +-------------+-----------+---------+-----------+--------------+
>>>
>>> I can ping and ssh through the fixed or floating IP without any problem
>>> (172.16.1.4, 10.197.217.131).
>>> But HTTP requests on port 80 don't go through.
>>> I get a "no route host" error message from wget or telnet for example.
>>>
>>> Ex. $ telnet 172.16.1.4 80
>>> Trying 172.16.1.4...
>>> telnet: U
Re: [Openstack] Instance no route to host problem
Hi Lei,

I could spend some more time looking at my "no route to host" issue today.
It could very well be that the iptables on VM is the root of the problem.

Here is what it looks like.

$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

I am not unfortunately very familiar with iptables's rules syntax.
Shouldn't ACCEPT all -- anywhere anywhere allow my http traffic to port 80?

However, running explicitly

sudo iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT

does fix the problem. I can access my instance on port 80.

But my VM is associated with the default security group in which I added a rule to enable http traffic.

$ nova secgroup-list-rules default
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| icmp        | -1        | -1      | 0.0.0.0/0 |              |
| tcp         | 22        | 22      | 0.0.0.0/0 |              |
| tcp         | 80        | 80      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+

So the big question is why aren't my iptables rules in the VM not set up by the security group specs?
I don't see any error in nova logs on the compute node.

Any help would be really appreciated.
Thanks
Patrick

2012/12/6 Lei Zhang

> Could you check the iptables in the vm? Whether it drops the packets on
> port 80
>
> On Thu, Dec 6, 2012 at 12:29 AM, Patrick Petit <patrick.michel.pe...@gmail.com> wrote:
>
>> Dear Stackers,
>>
>> I am running instance wordpress.WikiServer
>>
>> $ nova list
>> +--------------------------------------+--------------------------+--------+------------------------------------+
>> | ID                                   | Name                     | Status | Networks                           |
>> +--------------------------------------+--------------------------+--------+------------------------------------+
>> | 6be47af7-2e29-4b4c-afeb-0a7f760f5970 | test2                    | ACTIVE | xlcloud=172.16.1.6                 |
>> | 5a4c552f-933c-4a06-8e6f-164176380af5 | wordpress.DatabaseServer | ACTIVE | xlcloud=172.16.1.3                 |
>> | ddb120d9-e1ad-444c-8490-37ecb15f500e | wordpress.WikiServer     | ACTIVE | xlcloud=172.16.1.4, 10.197.217.131 |
>> +--------------------------------------+--------------------------+--------+------------------------------------+
>>
>> With Security Group setup as:
>>
>> $ nova secgroup-list
>> +---------+-------------+
>> | Name    | Description |
>> +---------+-------------+
>> | default | default     |
>> +---------+-------------+
>>
>> $ nova secgroup-list-rules default
>> +-------------+-----------+---------+-----------+--------------+
>> | IP Protocol | From Port | To Port | IP Range  | Source Group |
>> +-------------+-----------+---------+-----------+--------------+
>> | icmp        | -1        | -1      | 0.0.0.0/0 |              |
>> | tcp         | 22        | 22      | 0.0.0.0/0 |              |
>> | tcp         | 80        | 80      | 0.0.0.0/0 |              |
>> +-------------+-----------+---------+-----------+--------------+
>>
>> I can ping and ssh through the fixed or floating IP without any problem
>> (172.16.1.4, 10.197.217.131).
>> But HTTP requests on port 80 don't go through.
>> I get a "no route host" error message from wget or telnet for example.
>>
>> Ex. $ telnet 172.16.1.4 80
>> Trying 172.16.1.4...
>> telnet: Unable to connect to remote host: No route to host.
>> Clearly it's not a routing problem.
>>
>> Any idea what the problem could be or hints to debug it?
>>
>> Thanks
>> Patrick
>>
>> ___
>> Mailing list: https://launchpad.net/~openstack
>> Post to : openstack@lists.launchpad.net
>> Unsubscribe : https://launchpad.net/~openstack
>> More help : https://help.launchpad.net/ListHelp
>
> --
> Lei Zha
Re: [Openstack] Instance no route to host problem
Could you check the iptables in the vm? Whether it drops the packets on port 80

On Thu, Dec 6, 2012 at 12:29 AM, Patrick Petit <patrick.michel.pe...@gmail.com> wrote:

> Dear Stackers,
>
> I am running instance wordpress.WikiServer
>
> $ nova list
> +--------------------------------------+--------------------------+--------+------------------------------------+
> | ID                                   | Name                     | Status | Networks                           |
> +--------------------------------------+--------------------------+--------+------------------------------------+
> | 6be47af7-2e29-4b4c-afeb-0a7f760f5970 | test2                    | ACTIVE | xlcloud=172.16.1.6                 |
> | 5a4c552f-933c-4a06-8e6f-164176380af5 | wordpress.DatabaseServer | ACTIVE | xlcloud=172.16.1.3                 |
> | ddb120d9-e1ad-444c-8490-37ecb15f500e | wordpress.WikiServer     | ACTIVE | xlcloud=172.16.1.4, 10.197.217.131 |
> +--------------------------------------+--------------------------+--------+------------------------------------+
>
> With Security Group setup as:
>
> $ nova secgroup-list
> +---------+-------------+
> | Name    | Description |
> +---------+-------------+
> | default | default     |
> +---------+-------------+
>
> $ nova secgroup-list-rules default
> +-------------+-----------+---------+-----------+--------------+
> | IP Protocol | From Port | To Port | IP Range  | Source Group |
> +-------------+-----------+---------+-----------+--------------+
> | icmp        | -1        | -1      | 0.0.0.0/0 |              |
> | tcp         | 22        | 22      | 0.0.0.0/0 |              |
> | tcp         | 80        | 80      | 0.0.0.0/0 |              |
> +-------------+-----------+---------+-----------+--------------+
>
> I can ping and ssh through the fixed or floating IP without any problem
> (172.16.1.4, 10.197.217.131).
> But HTTP requests on port 80 don't go through.
> I get a "no route host" error message from wget or telnet for example.
>
> Ex. $ telnet 172.16.1.4 80
> Trying 172.16.1.4...
> telnet: Unable to connect to remote host: No route to host.
> Clearly it's not a routing problem.
>
> Any idea what the problem could be or hints to debug it?
>
> Thanks
> Patrick

--
Lei Zhang
Blog: http://jeffrey4l.github.com
twitter/weibo: @jeffrey4l
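
An added example, not part of the original thread: a first-match walk over a guest ruleset shaped like the `iptables -L` listing quoted in the thread, checked next to the security group rules from `nova secgroup-list-rules default`. It shows that the two filters are independent and that a port-80 connection the security group allows still ends at the guest's final REJECT with icmp-host-prohibited, which the client reports as "No route to host". The iptables-save lines are constructed, and binding the bare "ACCEPT all" rule to `lo` is an assumption, since `iptables -L` without `-v` does not print interfaces.

```python
# Constructed guest ruleset in iptables-save syntax, shaped like the listing in
# the thread. Assumption: the bare "ACCEPT all" rule is bound to loopback.
GUEST_RULES = """\
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""

# Rules shown by `nova secgroup-list-rules default` in the thread:
# (protocol, from_port, to_port); -1 means "any".
SECGROUP = [("icmp", -1, -1), ("tcp", 22, 22), ("tcp", 80, 80)]

def parse(rules):
    """Turn each '-A INPUT ...' line into a dict of option -> value."""
    parsed = []
    for line in rules.splitlines():
        tok = line.split()
        if tok[:2] == ["-A", "INPUT"]:
            parsed.append(dict(zip(tok[2::2], tok[3::2])))
    return parsed

def rule_matches(opts, pkt):
    """True when every match option present on the rule fits the packet."""
    checks = {"-i": "iface", "-p": "proto", "--dport": "dport"}
    for opt, field in checks.items():
        if opt in opts and opts[opt] != str(pkt.get(field)):
            return False
    return "--state" not in opts or pkt["state"] in opts["--state"].split(",")

def guest_verdict(rules, pkt):
    """First matching rule decides; otherwise the chain policy (ACCEPT) applies."""
    for opts in parse(rules):
        if rule_matches(opts, pkt):
            return opts["-j"], opts.get("--reject-with")
    return "ACCEPT", None

def secgroup_allows(pkt):
    """Security group filter, evaluated separately from the guest's iptables."""
    return any(proto == pkt["proto"] and (lo == -1 or lo <= pkt["dport"] <= hi)
               for proto, lo, hi in SECGROUP)

def reachable(rules, pkt):
    """A new inbound connection needs both layers to accept it."""
    return secgroup_allows(pkt) and guest_verdict(rules, pkt)[0] == "ACCEPT"
```

On a real guest, `iptables -L -v` or `iptables-save` prints the interface each rule is bound to, which settles whether a bare "ACCEPT all" line applies to eth0 at all.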