Re: [Openstack] Routing in connected VMs

2018-02-11 Thread James Denton
Hi Navdeep,

To get this to work, you will need to disable port security on the B device’s 
ports, or at a minimum, modify the allowed-address-pairs on the port to allow 
the traffic out towards C. Disabling port security is typically the way to go 
about satisfying this particular use case.

James

From: Navdeep Uniyal 
Date: Friday, February 9, 2018 at 12:40 PM
To: OpenStack Mailing List 
Subject: [Openstack] Routing in connected VMs

Dear all,


I am trying to create a network chain manually of VMs in openstack by entering 
the routing table entries in the machines. However, it doesn’t seem to work.
The network between the VMs is a VLAN network on top of a provider network.

The scenario is like: A-->B-->C

I have enabled the IP forwarding on the node B but I am not able to ping from A 
to C. ICMP echo requests are not reaching C.
I am able to ping from B to A and B to C. Please if someone could help in this 
regard.


Best Regards,
Navdeep
___
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
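
Why the ping from A to C is dropped with default port security, and what the two fixes mentioned in the reply change, as an added Python model (not code from the thread and not Neutron's own code). The addresses, MACs and two-subnet layout are constructed assumptions, and `egress_permitted` is a simplified stand-in for Neutron's anti-spoofing rules.

```python
"""Simplified model of Neutron port-security anti-spoofing for a chain A -> B -> C.

Added illustration; not Neutron code. All addresses and MACs are constructed.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Port:
    name: str
    mac: str
    fixed_ip: str
    port_security_enabled: bool = True
    # Each pair is (cidr, mac); mac=None means "the port's own MAC",
    # which is what Neutron assumes when a pair is added without a MAC.
    allowed_address_pairs: list = field(default_factory=list)


def egress_permitted(port: Port, src_mac: str, src_ip: str) -> bool:
    """True if a frame the VM sends out of `port` passes the source check."""
    if not port.port_security_enabled:
        return True  # no anti-spoofing (and no security groups) on this port
    ip = ipaddress.ip_address(src_ip)
    if src_mac == port.mac and ip == ipaddress.ip_address(port.fixed_ip):
        return True
    return any(
        src_mac == (mac or port.mac) and ip in ipaddress.ip_network(cidr)
        for cidr, mac in port.allowed_address_pairs
    )


def ping_a_to_c(a: Port, b_left: Port, b_right: Port, c: Port) -> dict:
    """Walk the echo request A->C and the reply C->A through router VM B."""
    hops = {
        "A sends request": egress_permitted(a, a.mac, a.fixed_ip),
        # B routes A's packet unchanged at L3: the source IP is still A's,
        # the source MAC is B's outgoing interface.
        "B forwards request to C": egress_permitted(b_right, b_right.mac, a.fixed_ip),
        "C sends reply": egress_permitted(c, c.mac, c.fixed_ip),
        "B forwards reply to A": egress_permitted(b_left, b_left.mac, c.fixed_ip),
    }
    hops["ping works"] = all(hops.values())
    return hops


def build(mode: str):
    """mode: 'default', 'allowed-address-pairs' or 'port-security-disabled'."""
    a = Port("A", "fa:16:3e:00:00:0a", "10.0.1.10")
    c = Port("C", "fa:16:3e:00:00:0c", "10.0.2.30")
    b_left = Port("B-left", "fa:16:3e:00:00:b1", "10.0.1.20")
    b_right = Port("B-right", "fa:16:3e:00:00:b2", "10.0.2.20")
    if mode == "allowed-address-pairs":
        # Only the subnets B routes for are allowed as extra sources.
        b_right.allowed_address_pairs.append(("10.0.1.0/24", None))
        b_left.allowed_address_pairs.append(("10.0.2.0/24", None))
    elif mode == "port-security-disabled":
        b_left.port_security_enabled = False
        b_right.port_security_enabled = False
    return a, b_left, b_right, c


if __name__ == "__main__":
    for mode in ("default", "allowed-address-pairs", "port-security-disabled"):
        a, b_left, b_right, c = build(mode)
        result = ping_a_to_c(a, b_left, b_right, c)
        # 192.0.2.99 stands for a source address B has no reason to send.
        spoof = egress_permitted(b_right, b_right.mac, "192.0.2.99")
        print(f"{mode:24} ping={result['ping works']}  arbitrary source passes={spoof}")
```

In this model both fixes make the ping work; with allowed-address-pairs the source check still rejects addresses outside the listed subnets, while a port with port security disabled accepts any source.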


Re: [Openstack] [openstack-dev][openstack] API to get tunnel port connect to other host

2017-04-28 Thread James Denton
Hi Vikash,

The VXLAN tunnel endpoint address is listed in the output of a neutron 
agent-show :

$ neutron agent-show cb45e3f8-4a28-475a-994d-83bc27806c38
+---------------------+---------------------------------------+
| Field               | Value                                 |
+---------------------+---------------------------------------+
| admin_state_up      | True                                  |
| agent_type          | Linux bridge agent                    |
| alive               | True                                  |
| availability_zone   |                                       |
| binary              | neutron-linuxbridge-agent             |
| configurations      | {                                     |
|                     |      "tunneling_ip": "172.29.232.66", |
|                     |      "devices": 2,                    |
|                     |      "interface_mappings": {          |
|                     |           "vlan": "br-vlan"           |
|                     |      },                               |
|                     |      "extensions": [],                |
|                     |      "l2_population": true,           |
|                     |      "tunnel_types": [                |
|                     |           "vxlan"                     |
|                     |      ],                               |
|                     |      "bridge_mappings": {}            |
|                     | }                                     |
| created_at          | 2017-04-19 23:12:47                   |
| description         |                                       |
| heartbeat_timestamp | 2017-04-28 15:07:59                   |
| host                | 841445-compute007                     |
| id                  | cb45e3f8-4a28-475a-994d-83bc27806c38  |
| started_at          | 2017-04-20 17:38:03                   |
| topic               | N/A                                   |
+---------------------+---------------------------------------+

The actual Layer 4 port used may vary between drivers (linuxbridge vs OVS), but 
that would either be hard-coded or defined within a configuration file.

James

From: Vikash Kumar 
Date: Friday, April 28, 2017 at 6:50 AM
To: openstack-dev , Openstack Milis 

Subject: [Openstack] [openstack-dev][openstack] API to get tunnel port connect 
to other host

Is there any neutron API, which returns the tunnel port details connected to 
other host ?
For eg. I have Host-A and Host-B. Is there a way to know what is the 
tunnel-port on Host-A which connects Host-B ?
Can't use OVS commands directly.

--
Regards,
Vikash


Re: [Openstack] How Launch to a VM on particular subnet in network.

2017-04-28 Thread James Denton
Hi Amit,

You can create a port on a particular subnet using the neutron/openstack CLI, 
and then boot the instance using the port rather than the network. The 
difference being nova boot --port-id versus --net-id.

James

From: Amit Uniyal 
Date: Friday, April 28, 2017 at 4:12 AM
To: openstack 
Subject: [Openstack] How Launch to a VM on particular subnet in network.

Hi all,


How to launch a VM on a particular subnet in a network.

We have an option of creating more than one subnet in a network, but how to 
launch a VM on a particular subnet?


[Inline image 3]

In the above image, I have a network parent-network, and this network has 
sub-networks. My objective is to launch a VM on a subnet under the same network.

But while launching a VM, it only offers the network to launch the VM, not 
individual subnets. So is there any way we can launch a VM on a subnet?


[Inline image 2]

If we launch a VM in this network, it's taking the subnet itself.



Regards



Re: [Openstack] [OpenStack]SRIOV VLAN Trunk Support

2017-04-27 Thread James Denton
Hi –

> Does SR-IOV support VLAN trunk? If yes, what kind of configuration shall I do 
> for PF and VF (VM)?

My experience has been YES, it does. At a minimum, the switchport should be 
configured as a trunk. The VF can be configured with VLAN ID 0, which will 
allow tagging within the VM.

> Does OpenStack support SR-IOV VF vlan trunk? If yes, what kind of 
> configuration is needed?

VLAN filtering is the default (and only) behavior supported by Neutron as far 
as I know. Without modifying the code, you’d be limited to a single VLAN per VF 
(untagged within the VM).


--
James Denton
Network Architect
Rackspace Private Cloud
james.den...@rackspace.com

From: "Xu, Rongjie (Nokia - CN/Hangzhou)" 
Date: Thursday, April 27, 2017 at 12:31 AM
To: "openstack@lists.openstack.org" 
Subject: [Openstack] [OpenStack]SRIOV VLAN Trunk Support

Hi,

Background:
I am using 82599 SR-IOV function, and attach the VF (by OpenStack) to the VM. I 
want to send and receive VLAN tagged and untagged traffic inside VM, just like 
the VLAN trunk port on the switch.

My questions are:
Does SR-IOV support VLAN trunk? If yes, what kind of configuration shall I do 
for PF and VF (VM)?
Does OpenStack support SR-IOV VF vlan trunk? If yes, what kind of configuration 
is needed?


I try to search in the Internet, does it need somehow configure `Packet 
Filtering and Replication` in PF and tag/untag VLAN inside VM?
Currently I set up a SRIOV provider network, create a neutron network on top of 
that. And then create port on this network and attach this port to VM. For 
this, I see inside VM, there is a VLAN ID for this port (VF) by default, which 
is the provider VLAN ID.

Best Regards
Xu Rongjie (Max)





Re: [Openstack] [openstack] Tenant/Project resource name spaces does not seem to work

2017-04-06 Thread James Denton
Hi Lars,

By default, networks marked as ‘external’ are visible/usable from all projects, 
even if shared is False. Ordinary networks (non-external) should not be usable 
or visible from projects other than the one they’re associated with. Neutron 
RBAC policies can be used to provide granular visibility to specific projects 
for both external and non-external networks. If you’re seeing something 
different, please let us know.

James


From: Lars-Erik Helander 
Date: Thursday, April 6, 2017 at 8:30 AM
To: "openstack@lists.openstack.org" 
Subject: [Openstack] [openstack] Tenant/Project resource name spaces does not 
seem to work

If I create networks in a project and define the networks to be non-shared, I 
still can use these networks from other projects. Not via Horizon but via the 
Openstack CLI commands (openstack, nova, neutron etc) and via Heat (heat 
templates may refer to networks in other projects).

Is this how it is supposed to be?
Might I have misconfigured my Openstack in order to get this behaviour, if so 
any hints on where to look for the settings that causes the current behaviour?

/Lars


Re: [Openstack] running control plane on a vmware VM

2017-03-30 Thread James Denton
Hi Manuel,


In my home lab, I run OpenStack control plane nodes on ESXi and compute on bare 
metal. At a minimum, you'll want to enable 'promiscuous mode' on the virtual 
switch(es) in VMware to ensure traffic to the Neutron router doesn't get 
dropped.


This link may help:

https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1004099


James


From: Manuel Sopena Ballesteros 
Sent: Thursday, March 30, 2017 8:05:51 PM
To: openstack@lists.openstack.org
Subject: [Openstack] running control plane on a vmware VM

Hi all,

I deployed openstack on a vmware vm using kolla-ansible. The installation was 
successful but my router namespace cannot ping the internet and I don't know 
why.

I checked with the openstack IRC channel and my guess is that vmware is 
blocking the traffic from the quantum gateway but I don't know how to prove 
this.

Am I doing something stupid by running the control plane on a vmware vm? Has 
anyone done this before? How can I troubleshoot deeper so I can prove my theory?

Thank you very much

Manuel Sopena Ballesteros | Big data Engineer
Garvan Institute of Medical Research
The Kinghorn Cancer Centre, 370 Victoria Street, Darlinghurst, NSW 2010
T: + 61 (0)2 9355 5760 | F: +61 (0)2 9295 8507 | E: 
manuel...@garvan.org.au



Re: [Openstack] delete router interface issue

2016-09-02 Thread James Denton
Hi Satish,

It’s hard to tell from this output, the port was likely added using the 
‘router-gateway-set’ command. Try using the ‘router-gateway-clear  
’ command and syntax instead. You can only delete ports 
with router-interface-delete if they were added with ‘router-interface-add’.



--
James Denton
Network Architect
Rackspace Private Cloud
james.den...@rackspace.com

From: Remo Mattei 
Date: Friday, September 2, 2016 at 2:54 PM
To: Satish Patel 
Cc: openstack 
Subject: Re: [Openstack] delete router interface issue

Does it have floating IP from the pool? If you look only one will be active. 
Delete the not used port

Sent from iPhone

On 02 Sep 2016, at 12:36, Satish Patel <satish@gmail.com> wrote:
[root@controller-1 ~(keystone_admin)]# neutron router-port-list Router1
+--------------------------------------+------+-------------------+-------------------------------------------------------------------------------------+
| id                                   | name | mac_address       | fixed_ips                                                                           |
+--------------------------------------+------+-------------------+-------------------------------------------------------------------------------------+
| 95f3e5a4-81c4-4af2-b8f0-c3ec229d3b91 |      | fa:16:3e:ef:2d:f8 | {"subnet_id": "88bfba15-1451-4928-9e43-23ee7071f7af", "ip_address": "64.xx.xx.100"} |
| bf3e5f40-7b43-469f-ab22-4f08e82f73b6 |      | fa:16:3e:8a:62:6b | {"subnet_id": "7adcc689-afbb-47d5-9ba5-505a3b19a55e", "ip_address": "192.168.5.5"}  |
| c9e48c7f-7aca-4489-ae61-f28b79cd15cf |      | fa:16:3e:c7:b1:3f | {"subnet_id": "7adcc689-afbb-47d5-9ba5-505a3b19a55e", "ip_address": "192.168.5.1"}  |
| f27960d9-80bd-4039-a64e-08d5209beb5f |      | fa:16:3e:ad:2a:cc | {"subnet_id": "68da8fdd-3ef6-416d-b386-d13d9024f592", "ip_address": "10.5.2.182"}   |
+--------------------------------------+------+-------------------+-------------------------------------------------------------------------------------+

I am trying to delete 64.xx.xx.100 interface but getting weird error

[root@controller-1 ~(keystone_admin)]# neutron router-interface-delete ddbab37b-1b6d-43a4-8f78-0b8cdc8bf624 88bfba15-1451-4928-9e43-23ee7071f7af
Router ddbab37b-1b6d-43a4-8f78-0b8cdc8bf624 has no interface on subnet 88bfba15-1451-4928-9e43-23ee7071f7af
Neutron server returns request_ids: ['req-06ba6a76-4812-4130-875e-a993d9c45e98']

How should I delete this interface? By mistake I added two external
gateways and now I am stuck here



Re: [Openstack] individual floating ips in single vlan

2016-09-02 Thread James Denton
Hi Satish,

>>I want to add those two provider networks to my router, then how should I 
>> add them and who will be the default gateway, I want to make VLAN 20 default 
>> External Gateway.
>>
>>I have tried following but it only allow single network:
>>neutron router-gateway-set ROUTER1 VLAN10
>>Should i add second VLAN 20 using router-interface-add command?

The expectation is that a router should be connected to only a single external 
(provider) network at a time, but can be connected to multiple internal 
(tenant) networks. If you utilize the router-interface-add command to attach to 
the second external network, the interface will not be treated as an external 
interface and instead would be treated as an internal interface. You then run 
the risk of the router taking the IP defined as the ‘gateway ip’ for the subnet 
and causing network issues.**

** Note: You *can* attach the router to the network by creating a port on the 
network first, then specifying a port ID rather than a subnet ID when using the 
router-interface-add command. This interface will still be treated as an 
internal interface, but would not overlap with the physical gateway IP address. 
You cannot use the network as a floating IP pool in this case, but you can add 
static routes to the router which would force traffic out that particular 
interface. The true internal subnet where the VM is attached would need to be 
statically routed from the physical gateway device to the router’s IP address 
you specified when creating the port, since the router will not SNAT traffic on 
that interface. It’s a wonky configuration that I don’t really recommend you 
implement unless you absolutely have to.

-- 
James Denton
Network Architect
Rackspace Private Cloud
james.den...@rackspace.com


On 9/2/16, 1:34 PM, "Satish Patel"  wrote:

Last question We have two provider external VLAN 10 and VLAN 20

I want to add those two provider networks to my router, then how should
I add them and who will be the default gateway, I want to make VLAN 20
default External Gateway.

I have tried following but it only allow single network

neutron router-gateway-set ROUTER1 VLAN10

Should i add second VLAN 20 using router-interface-add command?



On Fri, Sep 2, 2016 at 2:32 PM, Satish Patel wrote:
> Great!! i got your point, I am not using DHCP anywhere except internal
> VM network. All provider network created without enabling DHCP on them.
>
> Thanks again
>
> On Fri, Sep 2, 2016 at 2:30 PM, James Denton wrote:
>> You typically enable DHCP on networks where you intend to put VMs.
>> Neutron routers don’t rely on DHCP to obtain their IP. If you enable DHCP on
>> the external network, and your intention is only to connect routers to it,
>> those DHCP server(s) Neutron creates will still each consume an IP address,
>> reducing the total number of IPs available for use as floating IPs.
>>
>> --
>> James Denton
>> Network Architect
>> Rackspace Private Cloud
>> james.den...@rackspace.com
>>
>>
>> On 9/2/16, 1:26 PM, "Satish Patel" wrote:
>>
>> Thanks James,
>>
>> I didn't understand your following statement.
>>
>> "You may want to refrain from enabling DHCP on that subnet as well,
>> otherwise they will each grab an address as well."
>>
>> Could you give me example or explain what does that means?
>>
>> On Fri, Sep 2, 2016 at 1:53 PM, James Denton wrote:
>> > Hi Satish,
>> >
>> > You can create multiple non-contiguous allocation pools for the
>> > external (floating) network, even as small as a single IP address. Keep in
>> > mind that the Neutron router will take an IP address from this pool for its
>> > ‘qg’ interface. You may want to refrain from enabling DHCP on that subnet as
>> > well, otherwise they will each grab an address as well.
>> >
>> > James
>> >
>> > On 9/2/16, 10:34 AM, "Satish Patel" wrote:
>> >
>> > It's a very weird requirement, stay with me to explain.
>> >
>> > We have /24 public IP pool which we are using since long time and we
>> > cherry picked IP address from that pool so they are not in sequence :(
>> >
>> > Now we have openstack and i want to give some floating IP to openstack
>> > but because of non-sequence range how do i give individual IP address
>> > to floating pool in VLAN?
>> >

Re: [Openstack] individual floating ips in single vlan

2016-09-02 Thread James Denton
You typically enable DHCP on networks where you intend to put VMs. Neutron 
routers don’t rely on DHCP to obtain their IP. If you enable DHCP on the 
external network, and your intention is only to connect routers to it, those 
DHCP server(s) Neutron creates will still each consume an IP address, reducing 
the total number of IPs available for use as floating IPs.

-- 
James Denton
Network Architect
Rackspace Private Cloud
james.den...@rackspace.com


On 9/2/16, 1:26 PM, "Satish Patel"  wrote:

Thanks James,

I didn't understand your following statement.

"You may want to refrain from enabling DHCP on that subnet as well,
otherwise they will each grab an address as well."

Could you give me example or explain what does that means?

On Fri, Sep 2, 2016 at 1:53 PM, James Denton wrote:
> Hi Satish,
>
> You can create multiple non-contiguous allocation pools for the external
> (floating) network, even as small as a single IP address. Keep in mind that the
> Neutron router will take an IP address from this pool for its ‘qg’ interface.
> You may want to refrain from enabling DHCP on that subnet as well, otherwise
> they will each grab an address as well.
>
> James
>
> On 9/2/16, 10:34 AM, "Satish Patel" wrote:
>
> It's a very weird requirement, stay with me to explain.
>
> We have /24 public IP pool which we are using since long time and we
> cherry picked IP address from that pool so they are not in sequence :(
>
> Now we have openstack and i want to give some floating IP to openstack
> but because of non-sequence range how do i give individual IP address
> to floating pool in VLAN?
>
> In single VLAN 10 net how do i put individual IP in subnet?


Re: [Openstack] individual floating ips in single vlan

2016-09-02 Thread James Denton
Hi Satish,

You can create multiple non-contiguous allocation pools for the external 
(floating) network, even as small as a single IP address. Keep in mind that the 
Neutron router will take an IP address from this pool for its ‘qg’ interface. 
You may want to refrain from enabling DHCP on that subnet as well, otherwise 
they will each grab an address as well.

James

On 9/2/16, 10:34 AM, "Satish Patel"  wrote:

It's a very weird requirement, stay with me to explain.

We have /24 public IP pool which we are using since long time and we
cherry picked IP address from that pool so they are not in sequence :(

Now we have openstack and i want to give some floating IP to openstack
but because of non-sequence range how do i give individual IP address
to floating pool in VLAN?

In single VLAN 10 net how do i put individual IP in subnet?
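
Turning a scattered list of addresses into the non-contiguous allocation pools described in this thread, as an added Python example (not part of the original messages). The addresses are constructed from a documentation range; the helper names are hypothetical, and the per-router and per-DHCP-server address cost follows the replies above.

```python
"""Collapse cherry-picked public IPs into Neutron allocation pools.

Added illustration; addresses below are constructed sample values.
"""
import ipaddress

# Constructed sample input: non-sequential picks, unsorted, with one duplicate.
CIDR = "203.0.113.0/24"
GATEWAY = "203.0.113.1"
PICKED = [
    "203.0.113.12", "203.0.113.10", "203.0.113.77", "203.0.113.11",
    "203.0.113.40", "203.0.113.78", "203.0.113.10",
]


def allocation_pools(addresses, cidr, gateway):
    """Return the fewest (start, end) pools covering exactly `addresses`."""
    net = ipaddress.ip_network(cidr)
    gw = ipaddress.ip_address(gateway)
    ips = sorted({ipaddress.ip_address(a) for a in addresses})
    for ip in ips:
        if ip not in net or ip in (net.network_address, net.broadcast_address):
            raise ValueError(f"{ip} is not a usable host address in {net}")
        if ip == gw:
            raise ValueError(f"{ip} is the subnet gateway and cannot be pooled")
    pools = []
    for ip in ips:
        if pools and int(ip) == int(pools[-1][1]) + 1:
            pools[-1][1] = ip        # extends the current run
        else:
            pools.append([ip, ip])   # new pool, possibly a single address
    return [(str(start), str(end)) for start, end in pools]


def pool_arguments(pools):
    """Render pools as repeated --allocation-pool arguments for subnet creation."""
    return [f"--allocation-pool start={s},end={e}" for s, e in pools]


def floating_ips_available(pools, routers, dhcp_ports=0):
    """Addresses left for floating IPs after router gateway ('qg') interfaces
    and, if DHCP is enabled on the subnet, the DHCP servers take theirs."""
    total = sum(
        int(ipaddress.ip_address(e)) - int(ipaddress.ip_address(s)) + 1
        for s, e in pools
    )
    remaining = total - routers - dhcp_ports
    if remaining < 0:
        raise ValueError("pools are too small for the routers and DHCP servers")
    return remaining


if __name__ == "__main__":
    pools = allocation_pools(PICKED, CIDR, GATEWAY)
    print("\n".join(pool_arguments(pools)))
    print("DHCP disabled, 1 router:", floating_ips_available(pools, routers=1))
    print("DHCP enabled (2 servers), 1 router:",
          floating_ips_available(pools, routers=1, dhcp_ports=2))
```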



Re: [Openstack] Single router shared between multiple project

2016-09-01 Thread James Denton
Hi Satish,

Routers cannot be shared amongst tenants/projects, though the networks attached 
to those routers *may* be shared with the appropriate RBAC policy in place. The 
general understanding is that projects create/manage their own networks and 
routers, and can attach routers to shared external networks. Networks, external 
or not, can be shared amongst all projects, or limited to certain projects with 
an RBAC policy.

James


On 9/1/16, 12:09 PM, "Satish Patel"  wrote:

Can i create single Router and shared them between multiple Projects?
or its stupidity?  Just trying to understand
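
A small audit of which projects can reach which networks, covering the RBAC behaviour described in this reply and in the 2017-04-06 reply about non-shared networks, as an added Python example (not from the thread and not Neutron's code). The networks, projects and policies are constructed; the record fields follow Neutron's RBAC policy attributes (`object_type`, `object_id`, `action`, `target_tenant`), and the wildcard `access_as_external` entry for an external network is an assumption about how the deployment records external visibility.

```python
"""Report networks that are reachable from projects other than their owner.

Added illustration; all names and IDs are constructed sample data.
"""

WILDCARD = "*"

PROJECTS = ["admin", "proj-a", "proj-b", "proj-c"]

NETWORKS = [
    {"id": "net-ext", "name": "ext-net", "project_id": "admin"},
    {"id": "net-app", "name": "app-net", "project_id": "proj-a"},
    {"id": "net-db", "name": "db-net", "project_id": "proj-a"},
]

RBAC_POLICIES = [
    # Assumed: an external network carries a wildcard access_as_external entry.
    {"object_type": "network", "object_id": "net-ext",
     "action": "access_as_external", "target_tenant": WILDCARD},
    # Granular sharing: app-net is shared with proj-b only.
    {"object_type": "network", "object_id": "net-app",
     "action": "access_as_shared", "target_tenant": "proj-b"},
    # db-net has no policy: only its owner should see it.
]


def visible_projects(network, rbac_policies, all_projects):
    """Return {project: sorted reasons} for every project that can see `network`."""
    access = {network["project_id"]: {"owner"}}
    for policy in rbac_policies:
        if policy["object_type"] != "network" or policy["object_id"] != network["id"]:
            continue
        if policy["target_tenant"] == WILDCARD:
            targets = all_projects
        else:
            targets = [policy["target_tenant"]]
        for project in targets:
            access.setdefault(project, set()).add(policy["action"])
    return {project: sorted(reasons) for project, reasons in access.items()}


def audit(networks, rbac_policies, all_projects):
    """List (network, project, reasons) for every non-owner that has access."""
    findings = []
    for net in networks:
        seen = visible_projects(net, rbac_policies, all_projects)
        for project, reasons in seen.items():
            if project != net["project_id"]:
                findings.append((net["name"], project, reasons))
    return sorted(findings)


def wildcard_exposed(networks, rbac_policies):
    """Names of networks opened to every project by a '*' policy."""
    ids = {p["object_id"] for p in rbac_policies
           if p["object_type"] == "network" and p["target_tenant"] == WILDCARD}
    return sorted(n["name"] for n in networks if n["id"] in ids)


if __name__ == "__main__":
    for name, project, reasons in audit(NETWORKS, RBAC_POLICIES, PROJECTS):
        print(f"{name:8} visible to {project:7} via {', '.join(reasons)}")
    print("wildcard:", wildcard_exposed(NETWORKS, RBAC_POLICIES))
```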



Re: [Openstack] Eternal fixed ip to router interface strange behavior

2016-09-01 Thread James Denton
Hi Satish,

Are you using the ‘router-gateway-set’ command? Or the ‘router-interface-add’ 
command? Based on the behavior you described, it sounds like the latter.

If you need to attach the router to the external network, use the 
‘router-gateway-set’ command. An IP should be allocated from the pool. If you 
need to attach the router to an internal network to serve as the gateway for 
said network, use the ‘router-interface-add’ command.

James


On 9/1/16, 10:51 AM, "Satish Patel"  wrote:

I have external provider network and today when i tried to attach it
to one of DVR router on openstack then it automatically assigned
Provider network gateway IP (10.5.0.1) to DVR router Fixed IP and it
brought down my network :(

How come openstack give external gateway IP (which is not in pool
allocation list) to virtual router?

My allocation pool is 10.5.3.135 to 10.5.3.146  (Gateway is 10.5.0.1)

[root@controller-1 ~(keystone_admin)]# neutron subnet-list
+--------------------------------------+------------------------+-------------+----------------------------------------------+
| id                                   | name                   | cidr        | allocation_pools                             |
+--------------------------------------+------------------------+-------------+----------------------------------------------+
| ca2b3219-52a9-4158-8494-11a7dca72bbb | private_vlan30_subnet1 | 10.5.0.0/21 | {"start": "10.5.3.135", "end": "10.5.3.149"} |
+--------------------------------------+------------------------+-------------+----------------------------------------------+


[root@controller-1 ~(keystone_admin)]# neutron subnet-show ca2b3219-52a9-4158-8494-11a7dca72bbb
+-------------------+----------------------------------------------+
| Field             | Value                                        |
+-------------------+----------------------------------------------+
| allocation_pools  | {"start": "10.5.3.135", "end": "10.5.3.149"} |
| cidr              | 10.5.0.0/21                                  |
| created_at        | 2016-08-26T18:18:45                          |
| description       |                                              |
| dns_nameservers   |                                              |
| enable_dhcp       | False                                        |
| gateway_ip        | 10.5.0.1                                     |
| host_routes       |                                              |
| id                | ca2b3219-52a9-4158-8494-11a7dca72bbb         |
| ip_version        | 4                                            |
| ipv6_address_mode |                                              |
| ipv6_ra_mode      |                                              |
| name              | private_vlan30_subnet1                       |
| network_id        | c9006e25-9496-4cc4-8f1c-4e3fcc6ec0b9         |
| subnetpool_id     |                                              |
| tenant_id         | a7ae274c8f4442c2af7c0a43bc548917             |
| updated_at        | 2016-08-26T18:18:45                          |
+-------------------+----------------------------------------------+



Re: [Openstack] neutron, l2population, linuxbridge and multiple ips

2016-06-24 Thread James Denton
Hi Andreas,

LinuxBridge w/ VXLAN and l2population was incompatible with 
allowed-address-pairs, or any case where an IP may be configured on an 
interface that isn't defined on a port or moves around from VM to VM, for some 
time. It is more of a limitation of the ARP proxy implementation in the VXLAN 
kernel module more than a Neutron bug, but nonetheless, here you go:

https://bugs.launchpad.net/neutron/+bug/1445089

The workaround was to patch the LinuxBridge agent to disable the ARP proxy when 
creating vxlan interfaces. Try adding 'arp_responder=False' to the [vxlan] 
section of the linuxbridge agent config file and restart the agent. This should 
be done across all nodes, and will only apply to Liberty and above.

James

From: Andreas Scheuring 
Sent: Monday, June 20, 2016 6:06 AM
To: openstack@lists.openstack.org
Subject: Re: [Openstack] neutron, l2population, linuxbridge and multiple ips

- What about using Neutrons "allowed address pairs"?
- Or setting up a tunnel network within your existing openstack tunnel
network?



--
-
Andreas
IRC: andreas_s



On Sat, 2016-06-18 at 18:52 +0200, Joerg Streckfuss wrote:
> Dear list,
>
> I'm trying set up an isolated network for testing clustermanagers like
> keepalived on linux and carp on openbsd. This means there are ips which
> are bound to multiple ports. The main problem is when I try to configure
> new ip-addresses inside the vms and _not_ in neutron, these ips are not
> visible by the other vms. When I try to ping these ips I can see a local
> arp request inside the bridge of the requesting vm but this request does
> not reach the bridge of the destination vm. So my assumption is neutron
> in particular the l2population works only for ip addresses which are
> known by neutron ports. So in case of disabling dhcp I have to configure
> it for the neutron port and inside the vm, right?
>
> My setup is a 4-node openstack environment (one controller, three
> compute nodes), using liberty on centos7 carefully following the
> instructions under http://docs.openstack.org/liberty/install-guide-rdo/.
>
> I'm using self-service networks with one flat provider-network for
> external communication. I use VXLAN for overlay-networks. As mechanism
> drivers I use linuxbridge and l2population.
>
> The isolated network and the vms are initiated by heat templates. I
> disabled port security for each neutron port by setting
> 'port_security_enabled: false' inside the heat template.
>
> So what can I do, that a neutron isolated network behaves like a
> standard linuxbridge or especially a hardware switch, where no port
> security is configured and which forwards all kind of arp traffic?
>
> Thanks in advance,
>
> Joerg
>


Re: [Openstack] Multi-Node OpenStack with no VLANs

2016-05-04 Thread James Denton
Hi John,

What you are describing is a perfectly valid and common scenario. The 
segmentation IDs don't really come out of thin air, though. They are defined as 
a range of IDs in the ML2 or openvswitch agent configuration file depending on 
the version of OpenStack. There could be a performance penalty with VXLAN over 
VLAN, depending on your NIC and MTU size, and other caveats I won't go in to. 
But, you gain some flexibility. 

At some point, though, you will need at least one VLAN or untagged (flat) 
network as your provider network. That will need to be trunked to the nodes 
hosting the L3 agent(s), and possibly all nodes in the case of DVR.

James


From: John van Ommen 
Sent: Wednesday, May 4, 2016 9:11 PM
To: openstack@lists.openstack.org
Subject: [Openstack] Multi-Node OpenStack with no VLANs

I am working on an OpenStack deployment where my customer's VLANs do
not appear to be configured properly.

I am in a time crunch and I'm looking for a way to work around this.

Would it be possible to use VxLAN for my guest traffic, and basically
pick the subnets arbitrarily?

I am using OpenStack Kilo with KVM for my compute nodes, and I'm using
OVS for switching. It *seems* like I could pick the networks "out of
thin air" with VxLAN, and let OVS deal with the tags, instead of using
VLAN and have the customer's switches deal with the tags.

Will that work?



Re: [Openstack] [OpenStack] How to deploy Liberty Neutron with linuxbridge on physical machine having single NIC

2016-04-14 Thread James Denton
Hi Li,

Yes, this is absolutely possible. The easiest way would be to create a VLAN 
interface (e.g. eth0.50) for use as your management/API network as well as your 
VXLAN VTEP address, or you can create a separate interface for that. You will 
then use eth0 for your provider bridge interface (e.g. 
physical_interface_mappings = physnet1:eth0). You can then create a single flat 
and multiple VLAN provider networks using --provider:physical_network=physnet1 
and segmentation IDs other than 50. The LinuxBridge agent will create VLAN 
interfaces and place them in the respective bridges.

James



From: liyulei <liyulei_wal...@hotmail.com>
Date: Thursday, April 14, 2016 at 3:17 AM
To: "openstack@lists.openstack.org" <openstack@lists.openstack.org>
Subject: [Openstack] [OpenStack] How to deploy Liberty Neutron with linuxbridge 
on physical machine having single NIC

Hello,

Is it possible to deploy Liberty Neutron with linuxbridge on a physical 
machine having a single NIC?
If it is, how should I do it?

Thanks

Li yulei


Re: [Openstack] Neutron Provider Networks Without DHCP

2016-03-24 Thread James Denton
Hi Brent,

I managed to do this by creating the port first, and then associating it with 
the instance:

  # Port created explicitly so its attributes can be read back later
  instance0_port0:
    type: OS::Neutron::Port
    properties:
      admin_state_up: true
      network_id: e0be3064-2011-4d92-b73c-5c4c6825b0c1
      security_groups:
        - 0875fe40-c509-44bf-ac68-e9a4795a64c6

  # Instance attached to the pre-created port instead of to the network
  instance0:
    type: OS::Nova::Server
    properties:
      image: 1499479f-80d9-4f39-9129-eec7b6c8d976
      flavor: m1.tiny
      config_drive: true
      networks:
        - port: { get_resource: instance0_port0 }

You should be able to then use get_attr in your template to get characteristics 
of the port:

  # mac_address is an attribute of the port itself, not of a fixed_ips entry
  get_attr: [instance0_port0, fixed_ips, 0, ip_address] -or-
  get_attr: [instance0_port0, mac_address]


Hope that helps.

James

From: Brent Troge <brenttroge2...@gmail.com>
Date: Thursday, March 24, 2016 at 2:44 PM
To: "openstack@lists.openstack.org" <openstack@lists.openstack.org>
Subject: [Openstack] Neutron Provider Networks Without DHCP


Using HEAT, I am creating VM instances against a neutron provider network that 
does not
supply DHCP services.

Still using HEAT, any ideas on how I can grab the MAC address of the assigned 
neutron port? I will also need to grab the IP Neutron has allocated to my VM 
instance.

I will pass the MAC and IP to a user-data template.
The MAC will be used to find the name of the network interface on the VM.
Once the script finds the correct interface name, the user-data script
will plumb the VM NIC, then continue to create the network interface file to 
make the network changes persistent.

So I guess my first hurdle is to find out how to modify my existing heat 
template to discover
the allocated MAC and IP of the created/attached neutron port.  Then pass those 
data points to
a cloud-init user-data script.
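
The lookup step described in this thread, as an added example that is not part of the original posts: a Python sketch of the user-data side, which takes the MAC and IP obtained with get_attr and resolves the guest interface name from sysfs. The function names, the `sysfs_root` parameter and the sample tree are assumptions made for the illustration.

```python
#!/usr/bin/env python3
"""Resolve the guest NIC that Neutron allocated, given the port's MAC and IP.

Added illustration, not code from the thread. In a Heat template the two
values would be substituted into the user-data; here they are plain arguments.
"""
import ipaddress
import os
import re
import tempfile

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")


def normalise_mac(mac):
    """Lower-case a MAC and accept '-' separators; reject anything else."""
    mac = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(mac):
        raise ValueError("not a MAC address: %r" % mac)
    return mac


def find_iface_by_mac(mac, sysfs_root="/sys/class/net"):
    """Return the name of the one interface whose address equals `mac`."""
    wanted = normalise_mac(mac)
    matches = []
    for name in sorted(os.listdir(sysfs_root)):
        try:
            with open(os.path.join(sysfs_root, name, "address")) as fh:
                addr = fh.read().strip().lower()
        except OSError:
            continue  # not an interface directory, e.g. 'bonding_masters'
        if addr == wanted:
            matches.append(name)
    # VLAN sub-interfaces and bridges inherit the parent's MAC. Only a NIC
    # backed by a (virtual) bus device has a 'device' entry in sysfs.
    backed = [n for n in matches
              if os.path.exists(os.path.join(sysfs_root, n, "device"))]
    candidates = backed or matches
    if len(candidates) != 1:
        raise LookupError("expected one interface for %s, found %r"
                          % (wanted, candidates))
    return candidates[0]


def plan_interface(mac, ip, sysfs_root="/sys/class/net"):
    """Validate both supplied values and pair them with the NIC name."""
    address = ipaddress.ip_address(ip.strip())  # ValueError if not an IP
    return {"name": find_iface_by_mac(mac, sysfs_root),
            "mac": normalise_mac(mac),
            "address": str(address)}


def build_constructed_sysfs():
    """Constructed sample tree standing in for /sys/class/net."""
    root = tempfile.mkdtemp(prefix="sysfs-net-")
    sample = {"lo": "00:00:00:00:00:00",
              "eth0": "fa:16:3e:aa:bb:01",
              "eth1": "fa:16:3e:aa:bb:02",
              "eth1.20": "fa:16:3e:aa:bb:02"}  # VLAN child, same MAC as eth1
    for name, mac in sample.items():
        os.makedirs(os.path.join(root, name))
        with open(os.path.join(root, name, "address"), "w") as fh:
            fh.write(mac + "\n")
    for nic in ("eth0", "eth1"):
        os.makedirs(os.path.join(root, nic, "device"))
    with open(os.path.join(root, "bonding_masters"), "w") as fh:
        fh.write("\n")
    return root


if __name__ == "__main__":
    print(plan_interface("FA:16:3E:AA:BB:02", "192.0.2.15",
                         build_constructed_sysfs()))
```

Refusing to guess when zero or several interfaces match keeps the script from writing a persistent configuration for the wrong NIC.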




Re: [Openstack] VPNaaS limited to one subnet

2016-03-19 Thread James Denton
I believe this will be addressed in Mitaka:

https://bugs.launchpad.net/neutron/+bug/1459423


JD









On 3/18/16, 12:15 PM, "iain smith"  wrote:

>Hi all -
>
>When using neutron's VPNaaS with the Strongswan back-end, has anyone
>come up against the seemingly needless limitation whereby the 'Add VPN
>Service' configuration pane in Horizon only allows you to add one
>subnet, even if you have several subnets attached to the router which
>will host the VPN endpoint at the openstack end?
>
>The IPSEC VPN works well, but only allows you to route to the one
>openstack subnet behind the router, through the VPN tunnel.
>
>However... on the openstack network node (where the neutron-vpn-agent
>and strongswan are running) I can manually edit the Strongswan
>configuration file generated from the horizon input
>(/var/lib/neutron/ipsec//etc/strongswan/ipsec.conf). I can
>add the other openstack subnet addresses to the 'leftsubnet' statement
>(comma-separated), save the file, and send a HUP to the
>/usr/libexec/strongswan/starter process to force charon to re-read the
>config.
>
>After adding the subnets to the 'rightsubnet' statement in my strongswan
>VPN client config and bringing up the VPN tunnel, all of the openstack
>subnets are then routable through the VPN tunnel.
>
>Shouldn't the horizon GUI config allow you to select multiple subnets,
>if more than one is available on the chosen router?
>
>cheers
>Iain
>--
>
>
>
>
>


Re: [Openstack] Error when installing RDO

2016-03-04 Thread James Denton
I use a consistent, known working answers file and from time to time Puppet 
will bomb out on some operation. Simply rerunning Packstack will, in most 
cases, result in a working installation on the next run. Sometimes it takes 
three runs, but it gets there.  This is using CentOS 7.1 inside a VirtualBox 
virtual machine and the RDO Liberty repo. I have about a 90-95% success rate on 
the first run.

James


From: Wilson Kwok <leiw...@gmail.com>
Date: Thursday, March 3, 2016 at 11:38 PM
To: Adam Young <ayo...@redhat.com>
Cc: Openstack <openstack@lists.openstack.org>
Subject: Re: [Openstack] Error when installing RDO


Sorry, we deleted those VMs already, we were using packstack allinall for 
Single Node training.

On 2016/3/4 at 1:34 PM, "Adam Young" <ayo...@redhat.com> wrote:
On 03/03/2016 09:57 PM, Wilson Kwok wrote:
Hello all,

I am teaching RDO to 10 students. When they start installing RDO, half of the 
students can't finish the installation; after a re-run, RDO can finish.

I tested in VMware Workstation 11.0 and saw this problem. I was thinking it may 
be a VMware Workstation or physical server problem, so I changed to using 
ravellosystems to install RDO, but half of the students still can't install RDO.

Thanks





If you are using current Tripleo, the default host sizes are too small.  I am 
running with 8 GB for the undercloud and 6 for controller and compute nodes.

Try:
export NODE_MEM=6144
Before running instack-virt-setup





Re: [Openstack] DVR and public IP consumption

2016-01-20 Thread James Denton
Hi,

>> You cannot get around each tenant gateway router consuming an extra public 
>> IP address itself as far as I know.

Almost. With DVR, a FIP namespace is created on compute nodes, with one FIP 
namespace per external network. The FIP namespace owns an IP address from the 
external provider network, and all tenant routers connected to the same 
external network on the same node connect to the respective FIP namespace via 
veth pair. It is possible that all compute nodes could each have a FIP 
namespace connected to the same external network, which would certainly reduce 
the number of IPs available, but it beats having to give each tenant router an 
IP. There is some NAT/routing/Proxy ARP magic that goes into making this config 
work. Assaf’s blog is a great resource for that info.

James

From: Tom Verdaat <t...@server.biz>
Date: Wednesday, January 20, 2016 at 9:02 AM
To: "openstack@lists.openstack.org" <openstack@lists.openstack.org>
Subject: Re: [Openstack] DVR and public IP consumption

Hi Tomas,

Actually the networking nodes, and in a DVR scenario the compute nodes, don't 
need a public IP assigned to the node itself. All they need is a networking 
interface connected to the "public" network. Only tenant routers set as a 
gateway consume one public IP address each as overhead. You cannot get around 
each tenant gateway router consuming an extra public IP address itself as far 
as I know.

Does that answer your question?

Cheers,

Tom


2016-01-20 13:48 GMT+01:00 Tomas Vondra <von...@czech-itc.cz>:
Hi!
I have just deployed an OpenStack Kilo installation with DVR and expected
that it will consume one Public IP per network node as per
http://assafmuller.com/2015/04/15/distributed-virtual-routing-floating-ips/,
but it still eats one per virtual Router.
What is the correct behavior?
Otherwise, it works as a DVR should according to documentation. There are
router namespaces at both compute and network nodes, snat namespaces at the
network nodes and fip namespaces at the compute nodes. Every router has a
router_interface_distributed and a router_centralized_snat with private IPs,
however the router_gateway has a public IP, which I would like to get rid of
to increase density.
Thanks




Re: [Openstack] [openstack][neutron]external network packets to network node

2016-01-15 Thread James Denton
Hi Akshay,

In most cases, you won’t have IP addresses configured on interfaces used by 
Neutron.

The Neutron L2 agents set up or configure the virtual bridges/switches on the 
host based on the type of network in use (VLAN, FLAT, VXLAN, etc). In many 
cases, an external provider network may be set up as a VLAN network. In that 
case, the VLAN ID must correspond to the VLAN configured on the physical switch 
that corresponds to your external network connected to the external router. The 
Neutron virtual router will connect to a virtual switch/bridge that effectively 
“bridges” the virtual network with the physical network. When that happens, 
your physical router and your virtual router will be in the same Layer 2 
broadcast domain and Layer 3 network. Thus, when you have floating IPs 
configured, they would come from the ‘external’ network/pool and your physical 
router would send ARP requests for those addresses. The virtual router would 
send ARP replies and the traffic would be forwarded and NAT’d accordingly.

Of course, all of this working depends on Neutron having been configured 
appropriately and the networks created with the proper provider attribute 
values.

Hope that helps,

James


From: Akshay Kumar Sanghai <akshaykumarsang...@gmail.com>
Date: Friday, January 15, 2016 at 3:13 PM
To: "openstack@lists.openstack.org" <openstack@lists.openstack.org>
Subject: [Openstack] [openstack][neutron]external network packets to network 
node

Hi,
I have done a Kilo Ubuntu installation of OpenStack. One thing I noticed was 
that the network node's external interface is unnumbered. Then how does the 
external router forward the packet to the network node? Suppose a VM has a 
floating IP. I send a packet to that VM using the floating IP. The NAT happens 
at the network node. How does the packet reach the network node, as there is 
no IP assigned to the interface? I have not configured DVR, and the L3 agent 
is running on the network node.

Thanks,
Akshay


Re: [Openstack] [neutron] User documentation for Neutron's Firewall-as-a-Service (FWaaS)?

2016-01-12 Thread James Denton
Old (and undesirable) behavior was to apply the ‘firewall’ with all tenant 
routers.

Using --router allows you to apply the ‘firewall’ with one or more specified 
routers.

IIRC, there’s nothing special needed to utilize this other than to have the 
FWaaS driver and extension enabled.

James

> On Jan 12, 2016, at 11:57 AM, Mike Spreitzer  wrote:
> 
> > From: Matt Kassawara 
> > To: Mike Spreitzer/Watson/IBM@IBMUS
> > Cc: "openstack@lists.openstack.org" 
> > Date: 01/12/2016 12:16 PM
> > Subject: Re: [Openstack] [neutron] User documentation for Neutron's
> > Firewall-as-a-Service (FWaaS)?
> >
> > Not really... :/
> >
> > On Tue, Jan 12, 2016 at 9:43 AM, Mike Spreitzer  wrote:
> > Is there any user documentation for FWaaS besides
> > http://docs.openstack.org/admin-guide-cloud/networking_introduction.html#firewall-as-a-service-fwaas-overview
> > ?  That one is a bit skimpy and, I suspect, a little outdated. For
> > example, `neutron help firewall-create` mentions an option, `--router`,
> > that is not mentioned in that doc section and not well
> > explained in the on-line help.
> 
> So can someone please explain the `--router` option to `neutron 
> firewall-create` in more detail?  Here is what I get from `neutron help 
> firewall-create`:
> 
> usage: neutron firewall-create [-h] [-f {json,shell,table,value,yaml}]
>[-c COLUMN] [--max-width ]
>[--noindent] [--prefix PREFIX]
>[--request-format {json,xml}]
>[--tenant-id TENANT_ID] [--name NAME]
>[--description DESCRIPTION]
>[--admin-state-down] [--router ROUTER]
>POLICY
> 
> ...
> optional arguments:
> ...
>   --router ROUTER   Firewall associated router names or IDs (requires
> FWaaS router insertion extension, this option can be
> repeated)
> ...
> 
> Is there someplace I can learn more about this "FWaaS router insertion 
> extension"?  When I use DevStack, does it install this extension?  How do I 
> control its installation when using DevStack?  How do I install it when not 
> using DevStack?  How, in general, can I tell whether it is installed/enabled? 
>  What happens if I do not supply a `--router` argument to this command?  Does 
> the answer to that depend on whether the FWaaS router insertion extension is 
> installed/enabled?
> 
> Thanks,
> Mike
> 
> 


Re: [Openstack] Trouble connecting to a new VM

2015-11-20 Thread James Denton
>> dhcp part of the console.log:
>> Starting network...
>> udhcpc (v1.20.1) started
>> Sending discover...
>> Sending discover...
>> Sending discover...
>> Usage: /sbin/cirros-dhcpc 
>> No lease, failing
>> 
>> 
>> I looked at the dnsmasq logs after a VM reboot, and I also straced the
>> dnsmasq process during a VM reboot. Both show that dnsmasq isn’t doing
>> anything when I reboot the machine. It should be giving out an ip address
>> to my VM right?
>> 
>> I’ve read that GRE doesn’t work on kernels below 3.11, and I’m running
>> CentOS 7 with 3.10, but I’ve also read otherwise.
>> 
>> I’m trying to see if this is a problem with the GRE tunnel, but I’m
>> getting very confusing results. I’ll try to explain it. I have four
>> tcpdumps running.
>> On the compute node I have the following:
>> 1. tcpdump -i br-int
>> 2. tcpdump -i br-tun
>> 3. tcpdump -i gre-mirror1 # <— This is a mirror of the gre port on br-tun
>> 
>> On the controller/network node I have the following:
>> 1. tcpdump -i gre-mirror2 # <— Also a gre port mirror on br-tun of
>> controller node
>> 
>> I’ve done a few things with this setup. I’ll try to explain a couple of
>> them and tell you where I see traffic.
>> 1. ping -I br-tun 192.168.1.1 # <— It shouldn’t matter where I send it
>> right?
>> - - I see identical ARP traffic on br-tun and gre-mirror1 (compute node),
>> but no traffic on br-int and gre-mirror2
>> - - 15:03:49.994644 ARP, Request who-has 192.168.1.1 tell
>> openstack102.example.com, length 28
>> 2. nova reboot demo-instance1
>> - - I see identical BOOTPC/BOOTPS traffic on br-int and gre-mirror2
>> (controller/network node), but no traffic on br-tun or gre-mirror1
>> - - 15:26:06.583855 IP 0.0.0.0.bootpc > 255.255.255.255.bootps:
>> BOOTP/DHCP, Request from fa:16:3e:1d:9a:9d (oui Unknown), length 290
>> 
>> The first test suggests that the gre tunnel is broken, and there’s
>> something wrong with the patch between br-tun and br-int.
>> The second test seems to show that the gre tunnel is working well.
>> 
>> What am I missing here? Is something terribly wrong with this test?
>> 
>> Thanks,
>> Tyler
>> 
>> On 11/17/15, 12:58 PM, "James Denton"  wrote:
>> 
>>> Hi Tyler,
>>> 
>>> You might try verifying that the instance properly received its IP
>>> address. You can try using ‘nova console-log ’ to view the console
>>> log of the instance. Look for the cloud-init info. Also, take a look at
>>> the syslog of the network node to see if the DHCP request made it and was
>>> acknowledged. If it looks like it got its IP, try hitting the instance
>>> from within the DHCP or router namespace to see if you can hit the fixed
>>> IP from something in the same network before trying to hit the floating
>>> IP. You may also want to run some packet captures on the respective qbr
>>> bridge and physical interfaces while doing these tests to see if/where
>>> traffic is getting dropped.
>>> 
>>> James
>>> 
>>>> On Nov 17, 2015, at 11:31 AM, Tyler Couto  wrote:
>>>> 
>>>> Thanks Andreas. My security groups do allow icmp traffic.
>>>> 
>>>> +---------+----------------------------------------------------------------------+
>>>> | name    | security_group_rules                                                 |
>>>> +---------+----------------------------------------------------------------------+
>>>> | default | egress, IPv4                                                         |
>>>> |         | egress, IPv6                                                         |
>>>> |         | ingress, IPv4, 22/tcp, remote_ip_prefix: 0.0.0.0/0                   |
>>>> |         | ingress, IPv4, icmp, remote_ip_prefix: 0.0.0.0/0                     |
>>>> |         | ingress, IPv4, remote_group_id: d404679b-aeed-4d2f-bea9-2c7d19ff3fb1 |
>>>> |         | ingress, IPv6, remote_group_id: d404679b-aeed-4d2f-bea9-2c7d19ff3fb1 |
>>>> +---------+----------------------------------------------------------------------+
>>>> 
>>>> I can't access my VM's console, so I do not know whether I can ping
>>>> from
>>>> my VM. I figured this might be a related issue. I receive this error on
>>>> when trying to access the noVNC console:
>>>> Failed to connect to server (code: 1006)
>>>> 
>>>> 
>>>> Thi

Re: [Openstack] Trouble connecting to a new VM

2015-11-17 Thread James Denton
Hi Tyler,

You might try verifying that the instance properly received its IP address. You 
can try using ‘nova console-log ’ to view the console log of the instance. 
Look for the cloud-init info. Also, take a look at the syslog of the network 
node to see if the DHCP request made it and was acknowledged. If it looks like 
it got its IP, try hitting the instance from within the DHCP or router 
namespace to see if you can hit the fixed IP from something in the same network 
before trying to hit the floating IP. You may also want to run some packet 
captures on the respective qbr bridge and physical interfaces while doing these 
tests to see if/where traffic is getting dropped.

James

> On Nov 17, 2015, at 11:31 AM, Tyler Couto  wrote:
> 
> Thanks Andreas. My security groups do allow icmp traffic.
> +---------+----------------------------------------------------------------------+
> | name    | security_group_rules                                                 |
> +---------+----------------------------------------------------------------------+
> | default | egress, IPv4                                                         |
> |         | egress, IPv6                                                         |
> |         | ingress, IPv4, 22/tcp, remote_ip_prefix: 0.0.0.0/0                   |
> |         | ingress, IPv4, icmp, remote_ip_prefix: 0.0.0.0/0                     |
> |         | ingress, IPv4, remote_group_id: d404679b-aeed-4d2f-bea9-2c7d19ff3fb1 |
> |         | ingress, IPv6, remote_group_id: d404679b-aeed-4d2f-bea9-2c7d19ff3fb1 |
> +---------+----------------------------------------------------------------------+
> 
> I can't access my VM's console, so I do not know whether I can ping from
> my VM. I figured this might be a related issue. I receive this error on
> when trying to access the noVNC console:
> Failed to connect to server (code: 1006)
> 
> 
> This is a two node setup. I have one controller/neutron-network node.
> Here's the output of 'ovs-vsctl show':
> 
>     Bridge br-tun
>         fail_mode: secure
>         Port "gre-ac10183d"
>             Interface "gre-ac10183d"
>                 type: gre
>                 options: {df_default="true", in_key=flow, local_ip="172.16.24.60", out_key=flow, remote_ip="172.16.24.61"}
>         Port gre-mirror
>             Interface gre-mirror
>         Port br-tun
>             Interface br-tun
>                 type: internal
>         Port patch-int
>             Interface patch-int
>                 type: patch
>                 options: {peer=patch-tun}
>     Bridge br-ex
>         Port "enp4s0f0"
>             Interface "enp4s0f0"
>         Port phy-br-ex
>             Interface phy-br-ex
>                 type: patch
>                 options: {peer=int-br-ex}
>         Port br-ex
>             Interface br-ex
>                 type: internal
>         Port "enp4s0f1"
>             Interface "enp4s0f1"
>     Bridge br-int
>         fail_mode: secure
>         Port "qr-a81f0614-0e"
>             tag: 2
>             Interface "qr-a81f0614-0e"
>                 type: internal
>         Port "qg-289ea4d2-29"
>             tag: 5
>             Interface "qg-289ea4d2-29"
>                 type: internal
>         Port br-int
>             Interface br-int
>                 type: internal
>         Port patch-tun
>             Interface patch-tun
>                 type: patch
>                 options: {peer=patch-int}
>         Port int-br-ex
>             Interface int-br-ex
>                 type: patch
>                 options: {peer=phy-br-ex}
>         Port "tap468d3ee4-c0"
>             tag: 4095
>             Interface "tap468d3ee4-c0"
>                 type: internal
>     ovs_version: "2.3.1"
> 
> 
> I have one compute node. Here's the output of 'ovs-vsctl show':
> 
>     Bridge br-int
>         fail_mode: secure
>         Port "qvoc6d01e4b-1d"
>             tag: 1
>             Interface "qvoc6d01e4b-1d"
>         Port br-int
>             Interface br-int
>                 type: internal
>         Port patch-tun
>             Interface patch-tun
>                 type: patch
>                 options: {peer=patch-int}
>     Bridge br-tun
>         fail_mode: secure
>         Port br-tun
>             Interface br-tun
>                 type: internal
>         Port patch-int
>             Interface patch-int
>                 type: patch
>                 options: {peer=patch-tun}
>         Port "gre-ac10183c"
>             Interface "gre-ac10183c"
>                 type: gre
>                 options: {df_default="true", in_key=flow, local_ip="172.16.24.61", out_key=flow, remote_ip="172.16.24.60"}
>         Port gre-mirror
>             Interface gre-mirror
>         Port "tap0"
>             Interface "tap0"
>     ovs_version: "2.3.1"
> 
> 
> I also have a laptop on the same network as the openstack machines. I can
> successfully ping the interface of the neutron router from my laptop.
> 
> As far as the physical interfaces, I am only using one physical interface
> on each openstack machine. I know this is not the recommended setup, but
> since this is only a POC, I wanted to keep it simple.
> 
> -Tyler
> 
> 
> 
> On 11/17/15, 12:48 AM, "Andreas Scheuring" 
> wrote:
> 
>> Please check your Security Groups first.
> 
> 


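A way to read the two `ovs-vsctl show` listings quoted in this thread, as an added example that is not part of the original messages: it lists ports carrying VLAN tag 4095 and checks that the tunnel endpoints on the two nodes mirror each other. It relies on one fact not stated in the thread: Neutron's Open vSwitch agent parks a port on tag 4095 (its dead VLAN) until it has wired the port, and traffic from such a port is dropped. The function names are assumptions, and the sample text is a constructed subset of the quoted output.

```python
"""Summarise `ovs-vsctl show` output: dead-VLAN ports and tunnel endpoints.

Added illustration, not code from the thread or from Neutron.
"""
import re

DEAD_VLAN_TAG = 4095  # tag the Neutron OVS agent puts on ports it has not wired

# Constructed sample: a subset of the two listings quoted above, re-indented.
NETWORK_NODE = '''
    Bridge br-tun
        fail_mode: secure
        Port "gre-ac10183d"
            Interface "gre-ac10183d"
                type: gre
                options: {df_default="true", in_key=flow, local_ip="172.16.24.60", out_key=flow, remote_ip="172.16.24.61"}
        Port patch-int
            Interface patch-int
                type: patch
                options: {peer=patch-tun}
    Bridge br-int
        fail_mode: secure
        Port "qr-a81f0614-0e"
            tag: 2
            Interface "qr-a81f0614-0e"
                type: internal
        Port "tap468d3ee4-c0"
            tag: 4095
            Interface "tap468d3ee4-c0"
                type: internal
    ovs_version: "2.3.1"
'''
COMPUTE_NODE = '''
    Bridge br-int
        Port "qvoc6d01e4b-1d"
            tag: 1
            Interface "qvoc6d01e4b-1d"
    Bridge br-tun
        Port "gre-ac10183c"
            Interface "gre-ac10183c"
                type: gre
                options: {df_default="true", in_key=flow, local_ip="172.16.24.61", out_key=flow, remote_ip="172.16.24.60"}
'''


def parse_ovs_show(text):
    """Return a list of port dicts. Keyed on keywords, not indentation, so
    output whose leading whitespace was lost in a mail still parses."""
    ports, bridge, port = [], None, None
    for raw in text.splitlines():
        line = raw.lstrip("> \t").rstrip()
        word, _, rest = line.partition(" ")
        rest = rest.strip().strip('"')
        if word == "Bridge":
            bridge, port = rest, None
        elif word == "Port" and bridge:
            port = {"bridge": bridge, "name": rest, "tag": None,
                    "type": None, "options": {}}
            ports.append(port)
        elif port is None:
            continue  # bridge-level attribute such as fail_mode
        elif word == "tag:":
            port["tag"] = int(rest)
        elif word == "type:":
            port["type"] = rest
        elif word == "options:":
            port["options"] = dict(re.findall(r'(\w+)="?([^",}]+)"?', rest))
    return ports


def dead_ports(ports):
    """Ports parked on the dead VLAN: present in OVS but not wired."""
    return [(p["bridge"], p["name"]) for p in ports
            if p["tag"] == DEAD_VLAN_TAG]


def tunnel_endpoints(ports):
    """(local_ip, remote_ip) for every GRE or VXLAN port."""
    return [(p["options"].get("local_ip"), p["options"].get("remote_ip"))
            for p in ports if p["type"] in ("gre", "vxlan")]


def tunnels_are_symmetric(node_a, node_b):
    """True when every tunnel on A has a mirror-image tunnel on B."""
    a, b = tunnel_endpoints(node_a), tunnel_endpoints(node_b)
    return bool(a) and all((remote, local) in b for local, remote in a)


if __name__ == "__main__":
    net, comp = parse_ovs_show(NETWORK_NODE), parse_ovs_show(COMPUTE_NODE)
    print("dead-VLAN ports:", dead_ports(net) + dead_ports(comp))
    print("tunnels symmetric:", tunnels_are_symmetric(net, comp))
```

On the sample, the tunnel endpoints match in both directions and the only port on the dead VLAN is `tap468d3ee4-c0` on the network node's br-int.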


Re: [Openstack] FWaaS bug (error state on update thing)

2015-11-06 Thread James Denton
As a workaround, maybe you can try using firewall-update  
--admin-state-up  after it goes into error state to recover after 
making the rule change.

James

> On Nov 6, 2015, at 5:27 AM, Erdősi Péter  wrote:
> 
> Hi guys!
> 
> We are facing a problem with FWaaS on the Kilo release.
> The problem is the same as this one
> (https://review.openstack.org/#/c/190336/), but as I see, the patch is only
> included in the Liberty release.
> 
> Is there any possibility to backport that to Kilo, or must we upgrade
> to get FWaaS up and running?
> 
> Thanks,
> Peter
> 


Re: [Openstack] Convert from GRE to VLAN

2015-10-19 Thread James Denton
Hi Florian,

It is possible, though maybe not for the faint of heart depending on your 
strategy. You can:

1. Create new VLAN networks using the same subnet CIDRs as the existing GRE 
networks, then detach existing interfaces and attach new interfaces with the 
same IPs. You would need to detach/attach router interfaces as well and maybe 
change floating IP associations. There are quite a few steps here but it is 
possible.

2. Make the changes to the database and restart services. This is not the route 
I would go if I could avoid it, but it has been done. We went from OVS/GRE to 
ML2/LinuxBridge/VLAN over a year ago in some live environments. I highly 
recommend simulating this in a lab environment before doing it live.

Here are some links on the latter that talk about what we did:

https://www.openstack.org/summit/openstack-paris-summit-2014/session-videos/presentation/migrating-production-workloads-from-ovs-to-linux-bridge-w-ml2
 


https://github.com/busterswt/openstackparis2014 


James

> On Oct 18, 2015, at 3:15 AM, Florian Rommel  
> wrote:
> 
> Hi, I have a problem that I need to convert our Dev environment to VLAN from 
> GRE tunnels.
> Can someone assist me on how complicated it is? the environment is about 10 
> nodes including compute, storage and control nodes.
> 
> There can be a LITTLE bit of downtime but not that much (hour, maybe 2?)
> Is this even possible?
> 
> 
> Thanks for any help, you can also contact me directly.
> 
> Best regards,
> //Florian


Re: [Openstack] [Liberty] What happened with "glance image-create --location http://..." ?

2015-10-18 Thread James Denton
Hi Thiago,

I'm not sure, but this may be a change from v1 API to v2 API. Here's a bug I 
found a few months ago that may be related:

https://bugs.launchpad.net/python-glanceclient/+bug/1399778

James

From: Martinx - ジェームズ 
Sent: Sunday, October 18, 2015 2:28 AM
To: openstack@lists.openstack.org
Subject: [Openstack] [Liberty] What happened with "glance image-create 
--location http://..." ?

Hey guys,

I'm trying Liberty (on Trusty) for the first time now... I'm facing
one problem that I think it might be easy to obtain help...

To begin with:

source admin-openrc.sh
glance image-list

...works...

But, I'm trying to add an image to it and it fails, like this:

---
myuser@liberty-1:~$ glance image-create --location
http://uec-images.ubuntu.com/releases/14.04.3/release/ubuntu-14.04-server-cloudimg-amd64-disk1.img
--visibility public --disk-format qcow2 --container-format bare --name
"Ubuntu 14.04.3 LTS - Trusty Tahr - 64-bit - Cloud Based Image"
usage: glance [--version] [-d] [-v] [--get-schema] [--timeout TIMEOUT]
  [--no-ssl-compression] [-f] [--os-image-url OS_IMAGE_URL]
  [--os-image-api-version OS_IMAGE_API_VERSION]
  [--profile HMAC_KEY] [-k] [--os-cert OS_CERT]
  [--cert-file OS_CERT] [--os-key OS_KEY] [--key-file OS_KEY]
  [--os-cacert ] [--ca-file OS_CACERT]
  [--os-username OS_USERNAME] [--os-user-id OS_USER_ID]
  [--os-user-domain-id OS_USER_DOMAIN_ID]
  [--os-user-domain-name OS_USER_DOMAIN_NAME]
  [--os-project-id OS_PROJECT_ID]
  [--os-project-name OS_PROJECT_NAME]
  [--os-project-domain-id OS_PROJECT_DOMAIN_ID]
  [--os-project-domain-name OS_PROJECT_DOMAIN_NAME]
  [--os-password OS_PASSWORD] [--os-tenant-id OS_TENANT_ID]
  [--os-tenant-name OS_TENANT_NAME] [--os-auth-url OS_AUTH_URL]
  [--os-region-name OS_REGION_NAME]
  [--os-auth-token OS_AUTH_TOKEN]
  [--os-service-type OS_SERVICE_TYPE]
  [--os-endpoint-type OS_ENDPOINT_TYPE]
   ...
glance: error: unrecognized arguments: --location
http://uec-images.ubuntu.com/releases/14.04.3/release/ubuntu-14.04-server-cloudimg-amd64-disk1.img
---

What happens to "--location" option?

I'm using a very similar line to add images to Kilo, only difference
is that on Kilo, I'm using "--is-public true", instead of
"--visibility public" (Liberty)...

If I download the file, and use "--file", instead of "--location" as
before, then it works... But I prefer to add download the images on
demand...

Workaround:

---
wget 
http://uec-images.ubuntu.com/releases/14.04.3/release/ubuntu-14.04-server-cloudimg-amd64-disk1.img

glance image-create --file
ubuntu-14.04-server-cloudimg-amd64-disk1.img --disk-format qcow2
--container-format bare --name "Ubuntu 14.04.3 LTS - Trusty Tahr -
64-bit - Cloud Based Image"
+------------------+---------------------------------------------------------------+
| Property         | Value                                                         |
+------------------+---------------------------------------------------------------+
| checksum         | cf12c9878c9fb71c95d8f8c288761a99                              |
| container_format | bare                                                          |
| created_at       | 2015-10-18T06:06:34Z                                          |
| disk_format      | qcow2                                                         |
| id               | 9f1a7acf-d217-4def-9de2-8fc497f395ba                          |
| min_disk         | 0                                                             |
| min_ram          | 0                                                             |
| name             | Ubuntu 14.04.3 LTS - Trusty Tahr - 64-bit - Cloud Based Image |
| owner            | 8c4863fc865e4050b58cb6353c44724a                              |
| protected        | False                                                         |
| size             | 258540032                                                     |
| status           | active                                                        |
| tags             | []                                                            |
| updated_at       | 2015-10-18T06:06:35Z                                          |
| virtual_size     | None                                                          |
| visibility       | private                                                       |
+------------------+---------------------------------------------------------------+
---

What am I missing with Liberty?

I also tried the "--os-image-url" option but I don't think it is the
same, plus, it returned the very same "glance: error: unrecognized
arguments: --os-image-url" error!

BTW, I'm trying Liberty on Trusty, following this:

http://docs.openstack.org/liberty/install-guide-ubuntu/glance-verify.html

Thanks in advance!

-
Thiago



Re: [Openstack] Openstack Kilo Vxlan tunnel single NIC setup

2015-10-14 Thread James Denton
Hi Amir,

A couple of recommendations:

- Your vxlan_group setting has an extra dot at the end that may be causing 
issues:

    [ml2_type_vxlan]
    vxlan_group = 239.0.0.0.

- Your [OVS] block has some incorrect options. Use underscores rather than 
spaces:

    [ovs]
    bridge_mappings = public:br-ex
    local_ip = 192.168.100.100
    vxlan_udp_port = 8472
    tunnel type = vxlan
    tunnel id ranges = 1001:2000
    tenant network type = vxlan
    enable tunneling = true

- Same goes for [agent] as well:

    [agent]
    tunnel_types = vxlan
    root_helper_daemon = sudo /usr/local/bin/neutron-rootwrap-daemon /etc/neutron/rootwrap.conf
    root_helper = sudo /usr/local/bin/neutron-rootwrap /etc/neutron/rootwrap.conf
    #tunnel_types = vxlan
    vxlan_udp_port = 8472
    l2 population = false

Start by correcting those issues and restart the OVS agents across your hosts. 
The agent log may be of help here as well.

James

> On Oct 14, 2015, at 2:38 AM, Amir Huskić  wrote:
> 
> Hello,
> 
> there is also my ml2_conf.ini file: 
> https://dl.dropboxusercontent.com/u/4298410/ml2_conf.ini 
> 
> 
> Could problem be related to single NIC installation? Is it possible to have 
> same interface for bridge mappings and also for tunnel bridge? Example below:
> 
> bridge_mappings = public:br-ex
> integration bridge = br-int
> tunnel bridge = br-ex
> 
> Thank you.
> Regards,
> Amir
> 
> 
> On Mon, Oct 12, 2015 at 3:53 PM, Amir Huskić wrote:
> Hi all,
> 
> I'm trying to setup up Openstack test lab.
> 
> I deployed Openstack Kilo (Devstack) on PC running Ubuntu LTS 14.02 with 
> single NIC.
> Tenants are isolated with vxlan networks. I can ping from VMs to external 
> network PCs, SSH login from external PCs to tenants VMs floating IP address, 
> etc.
> 
> I would like also to connect tenant VMs to external network physical Linux 
> host using vxlan tunnel and have L2 connectivity between VM and physical 
> Linux host over L3 network.
> 
> Vxlan interface on Linux physical host is up and running. When I am trying to 
> ping from Linux physical host to Openstack VM (not floating IP) using same 
> subnet L2 address (example ping from 192.168.10.10 to 192.168.10.11) UDP 
> packets on port 8472 are coming to Openstack br-ex interface with ARP request.
> 
> Problem is that I can't setup vxlan tunnel on Openstack.
> Command "sudo ovs-vsctl show" doesn't show any vxlan tunnels.
> Also when I try to ping from VM to Linux host using L2 IP address (ping from 
> 192.168.10.11 to 192.168.10.10) tcpdump on br-ex doesn't show anything.
> 
> My ml2_conf.ini files is configured following this guide: 
> http://www.opencloudblog.com/?p=300 
> 
> Thanks in advance for your help,
> 
> Regards,
> Amir
> 


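A check for the two kinds of mistake pointed out in this thread, as an added example that is not part of the original messages: option names written with spaces, and a `vxlan_group` value that is not a multicast address. The function names and the sample text (constructed from the lines quoted above) are assumptions; the sketch also assumes that an option name containing a space matches no registered option and is ignored, and it does not check whether the underscore form it prints is itself a registered option.

```python
"""Lint an ml2_conf.ini-style file for spaced option names and a bad vxlan_group.

Added illustration, not Neutron code.
"""
import ipaddress
import re

SECTION_RE = re.compile(r"^\[([^\]]+)\]$")

# Constructed sample, assembled from the lines quoted in the thread above.
SAMPLE = """\
[ml2_type_vxlan]
vxlan_group = 239.0.0.0.

[ovs]
bridge_mappings = public:br-ex
local_ip = 192.168.100.100
vxlan_udp_port = 8472
tunnel type = vxlan
tunnel id ranges = 1001:2000
tenant network type = vxlan
enable tunneling = true

[agent]
tunnel_types = vxlan
#tunnel_types = vxlan
vxlan_udp_port = 8472
l2 population = false
"""


def check_multicast(value):
    """Return an error string, or None if value is an IPv4 multicast address."""
    try:
        addr = ipaddress.IPv4Address(value)
    except ValueError:
        return "%r is not an IPv4 address" % value
    if not addr.is_multicast:
        return "%s is not in 224.0.0.0/4" % addr
    return None


def lint_ml2(text):
    """Return a list of (line number, section, message) findings."""
    findings = []
    section = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue  # blank line or comment
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        if "=" not in line:
            findings.append((lineno, section, "not a 'name = value' line"))
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if re.search(r"\s", key):
            underscored = re.sub(r"\s+", "_", key)
            findings.append((lineno, section,
                             "option name %r contains spaces "
                             "(underscore form: %r)" % (key, underscored)))
        # An empty vxlan_group is legal: it leaves multicast mode off.
        if key == "vxlan_group" and value:
            problem = check_multicast(value)
            if problem:
                findings.append((lineno, section, "vxlan_group: " + problem))
    return findings


if __name__ == "__main__":
    for lineno, section, message in lint_ml2(SAMPLE):
        print("line %d [%s]: %s" % (lineno, section, message))
```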



Re: [Openstack] Mac Address Question

2015-10-08 Thread James Denton
Hi Georgios,

You should be able to create a Neutron port with the custom MAC address and 
boot the instance with that port using --nic port-id rather than --nic net-id.

James

> On Oct 8, 2015, at 6:43 AM, Georgios Dimitrakakis  
> wrote:
> 
> Dear all,
> 
> I am wondering if it's possible to start a VM with a predefined mac address 
> (or a set of VMs from a pool of mac addresses). The reason I want to do it is 
> because I have a license server that permits software running only if
> the mac address is on the acceptance list.
> 
> If you have any recommendations I am all ears.
> 
> 
> Best regards,
> 
> 
> G.
> 


Re: [Openstack] [Openstack-operators] [Neutron][Linuxbridge] Problem with configuring linux bridge agent with vxlan networks

2015-10-02 Thread James Denton
If eth1 is used for the vxlan tunnel end points, it can't also be used in a 
bridge ala provider_bridge_mappings. You should have a dedicated interface or a 
vlan interface off eth1 (i.e. Eth1.20) that is dedicated to the overlay 
traffic. Move the local_ip address to that interface on respective nodes. 
Verify that you can ping between nodes at each address. If this doesn't work, 
the Neutron pieces won't work. You shouldn't have to restart any neutron 
services, since the IP isn't changing.

Once you create a vxlan tenant network and boot some instances, verify that the 
vxlan interface is being setup and placed in the respective bridge. You can use 
'brctl show' to look at the brq bridge that corresponds to the network. You 
should see a vxlan interface and the tap interfaces of your instances. 

As always, verify your security groups first when troubleshooting instance to 
instance communication.

James

> On Oct 2, 2015, at 3:48 PM, Sławek Kapłoński  wrote:
> 
> Hello,
> 
> I'm trying to configure small openstack infra (one network node, 2
> compute nodes) with linux bridge and vxlan tenant networks. I don't know
> what I'm doing wrong but my instances have no connection between
> each other. On compute hosts I run neutron-plugin-linuxbridge-agent
> with config like:
> 
> --
> [ml2_type_vxlan]
> # (ListOpt) Comma-separated list of : tuples
> # enumerating
> # ranges of VXLAN VNI IDs that are available for tenant network
> # allocation.
> #
> vni_ranges = 1:2
> 
> # (StrOpt) Multicast group for the VXLAN interface. When configured,
> # will
> # enable sending all broadcast traffic to this multicast group. When
> # left
> # unconfigured, will disable multicast VXLAN mode.
> #
> # vxlan_group =
> # Example: vxlan_group = 239.1.1.1
> 
> [securitygroup]
> # Controls if neutron security group is enabled or not.
> # It should be false when you use nova security group.
> enable_security_group = True
> 
> # Use ipset to speed-up the iptables security groups. Enabling ipset
> # support
> # requires that ipset is installed on L2 agent node.
> enable_ipset = True
> 
> firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
> 
> [ovs]
> local_ip = 10.1.0.4
> 
> [agent]
> tunnel_types = vxlan
> 
> [linuxbridge]
> physical_interface_mappings = physnet1:eth1
> 
> [vxlan]
> local_ip = 10.1.0.4
> l2_population = True
> enable_vxlan = True
> ---
> 
> Eth1 is my "tunnel network" which should be used for tunnels. When I
> spawn vms on compute 1 and 2 and after configuring network manually on
> both vms (dhcp is not working also because of broken tunnels probably)
> it not pings.
> Even when I started two instances on same host and they are both
> connected to one bridge:
> 
> ---
> root@compute-2:/usr/lib/python2.7/dist-packages/neutron# brctl show
> bridge name     bridge id               STP enabled     interfaces
> brq8fe8a32f-e6  8000.ce544d0c0e5d       no              tap691a138a-6c
>                                                         tapbc1e5179-53
>                                                         vxlan-10052
> virbr0          8000.5254007611ab       yes             virbr0-nic
> ---
> 
> those 2 vms are not pinging each other :/
> I don't have any experience with linux bridge in fact (For now I was always
> using ovs). Maybe someone of You will know what I should check or what I 
> should
> configure wrong :/ Generally I was installing this openstack according to
> official openstack documentation but in this docs there is info about ovs+gre
> tunnels and that is what I changed. I'm using Ubuntu 14.04 and Openstack Kilo
> installed from cloud archive repo.
> 
> -- 
> Best regards / Pozdrawiam
> Sławek Kapłoński
> sla...@kaplonski.pl
> 
> ___
> OpenStack-operators mailing list
> openstack-operat...@lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
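
The `brctl show` check described in the reply above, done programmatically: parse the output (continuation lines included) and report which `brq` bridges carry instance taps but no `vxlan-<VNI>` interface. This is an added example, not part of the thread and not Neutron code; the function names are hypothetical and the sample output is constructed (the first bridge reuses the names quoted above, the second is made up to show the failure case).

```python
"""Check Linux bridge membership for VXLAN tenant networks (added example)."""
import re

# Constructed sample in the layout `brctl show` prints.
SAMPLE = (
    "bridge name\tbridge id\t\tSTP enabled\tinterfaces\n"
    "brq8fe8a32f-e6\t\t8000.ce544d0c0e5d\tno\t\ttap691a138a-6c\n"
    "\t\t\t\t\t\t\ttapbc1e5179-53\n"
    "\t\t\t\t\t\t\tvxlan-10052\n"
    "brq00000000-00\t\t8000.000000000001\tno\t\ttap00000000-01\n"
    "virbr0\t\t8000.5254007611ab\tyes\t\tvirbr0-nic\n"
)

VXLAN_RE = re.compile(r"^vxlan-(\d+)$")


def parse_brctl_show(text):
    """Return {bridge_name: [interface, ...]} from `brctl show` output."""
    bridges = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("bridge name"):
            continue  # blank line or column header
        fields = line.split()
        if line[0].isspace():
            # Continuation line: one more interface of the previous bridge.
            if current is None:
                raise ValueError("interface line before any bridge line")
            bridges[current].extend(fields)
        else:
            # Bridge line: name, id, STP flag, then an optional first interface.
            if len(fields) < 3:
                raise ValueError(f"unrecognised bridge line: {line!r}")
            current = fields[0]
            bridges[current] = fields[3:]
    return bridges


def classify_bridges(bridges):
    """Split each brq bridge's members into VNI, instance taps and the rest."""
    report = {}
    for name, ifaces in bridges.items():
        if not name.startswith("brq"):
            continue  # e.g. virbr0 belongs to libvirt, not to a Neutron network
        entry = {"vni": None, "taps": [], "other": []}
        for iface in ifaces:
            match = VXLAN_RE.match(iface)
            if match:
                entry["vni"] = int(match.group(1))
            elif iface.startswith("tap"):
                entry["taps"].append(iface)
            else:
                entry["other"].append(iface)  # physical or VLAN sub-interface
        report[name] = entry
    return report


def bridges_missing_vxlan(report):
    """Bridges with instance taps but no overlay or physical uplink at all.

    A bridge for a vlan/flat network has its uplink under "other", so it is
    not reported here.
    """
    return sorted(
        name for name, entry in report.items()
        if entry["taps"] and entry["vni"] is None and not entry["other"]
    )


if __name__ == "__main__":
    result = classify_bridges(parse_brctl_show(SAMPLE))
    for bridge, entry in result.items():
        print(bridge, entry)
    print("taps without an uplink:", bridges_missing_vxlan(result))
```

On a compute node the same functions can be fed the captured output of `brctl show` instead of `SAMPLE`.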



Re: [Openstack] os-ansible-deployment pip failing in container

2015-09-11 Thread James Denton
Have you tried configuring 172.29.236.100 on br-mgmt in addition to the address 
that is there? That is the default IP set for internal_lb_vip_address if I’m 
not mistaken, and is what haproxy will bind to.

James

> On Sep 11, 2015, at 4:06 PM, Duck Euler  wrote:
> 
> 
> running os-ansible-deployment all in one. using reference configuration.
> 
> following error from ansible run:
> 
> TASK: [galera_client | Install pip packages] 
> **
> failed: [aio1_galera_container-fc2a8901] => (item=MySQL-python) => 
> {"attempts": 5, "cmd": "/usr/local/bin/pip install MySQL-python", "failed": 
> true, "item": "MySQL-python"}
> msg: Task failed as maximum retries was encountered
> 
> 
> same pip install command from with in container, following error:
> 
> root@aio1_galera_container-fc2a8901:/tmp# /usr/local/bin/pip -v install 
> MySQL-python
> Ignoring indexes: https://pypi.python.org/simple 
> 
> Collecting MySQL-python
>   1 location(s) to search for versions of MySQL-python:
>   * http://172.29.236.100:8181/os-releases/11.2.2/ 
> 
>   Skipping link http://172.29.236.100:8181/os-releases/11.2.2/ 
>  (from -f); unsupported 
> archive format: .2
>   Getting page http://172.29.236.100:8181/os-releases/11.2.2/ 
> 
>   Starting new HTTP connection (1): 172.29.236.100
>   Incremented Retry for (url='/os-releases/11.2.2/'): Retry(total=4, 
> connect=None, read=None, redirect=None)
>   Retrying (Retry(total=4, connect=None, read=None, redirect=None)) after 
> connection broken by 'ProtocolError('Connection aborted.', error(111, 
> 'Connection refused'))': /os-releases/11.2.2/
> 
> looks like pip is looking for MySQL-python from -> 
> http://172.29.236.100:8181/os-releases/11.2.2/ 
> 
> 
> this is the AllInOne host, ip is configured br-mgnt interface. there is no 
> http server on that host:port.
> 
> are there suggestions on where to look for getting a http repo server 
> installed on local server? or any other advice on getting past this point.
> 
> thanks
> 
> 


Re: [Openstack] Neutron add external interface to external router?

2015-09-02 Thread James Denton
Hi Michael,

If you are creating an external network it will more than likely not be 
VXLAN/GRE but would be of type VLAN or FLAT. In the ML2 configuration file 
there is a mapping under [linux_bridge] labeled ‘physical_interface_mappings’. 
In an OSAD deployment, it may look like this:

[linux_bridge]
physical_interface_mappings = vlan:eth11

The provider label is ‘vlan’ and the physical interface (in the container, 
anyway) is eth11. To create an external provider network you would need to use 
the following:

neutron net-create EXTERNAL_NET --provider:network_type= 
--provider:physical_network= --provider:segmentation_id= 
--router:external=true

In your case, it looks like a flat network would work, so you could try:

neutron net-create EXTERNAL_NET --provider:network_type=flat --provider:physical_network=vlan --router:external=true

Neutron should automatically put eth11 in the bridge. If it were a vlan 
network, Neutron would put eth11.xxx in the bridge instead.

James Denton
Network Architect
Rackspace Private Cloud
james.den...@rackspace.com

> On Sep 2, 2015, at 12:39 AM, Michael Gale  wrote:
> 
> Hello,
> 
> I am running the Kilo release using os-ansible-deployment and have a 
> functioning OpenStack installation using VXLANs however I am running into an 
> issue adding an external network.
> 
> From the Horizon interface I can create private tenant networks without an 
> issue and I have created an external network:
> - Subnet 1.2.10.0/24
> - GW 1.2.10.1
> - VXLAN ID: 999
> 
> Inside OpenStack the instances can access each other and the public IP's that 
> exist on the external subnet however they can not access the external subnet 
> gateway which exist outside of OpenStack.
> 
> On the neutron agent node where I have the neutron L3 agent:
> - I can see my external network interface (eth11) and it is working
> - I can see a bridge device that has a VXLAN ID interface attached that 
> matches my external network plus 2 tap devices
> 
> If I check the network namespace I find a router exists with ports, routers, 
> etc and matches the Horizon Network Topology graph.
> 
> Now from my understanding I need to update /etc/neutron/l3_agent.ini and set 
> my external interface and that neutron will automatically add that interface 
> to the router when it is marked as external:
> external_network_bridge = eth11
> 
> However that did not work, I was able to make it work by adding eth11 to the 
> bridge interface that got created:
> 
> Neutron Node - Before change
> --snip--
> bridge name     bridge id           STP enabled interfaces
> brq321e79ee-60  8000.629228307545   no          tap69cab170-04
>                                                 vxlan-77
> brqd8c6a159-03  8000.16ed469b44d8   no          tap83dc2c50-ef
>                                                 vxlan-999
> 
> --snip--
> 
> Neutron Node - After change
> --snip--
> bridge name     bridge id           STP enabled interfaces
> brq321e79ee-60  8000.9225a6292c5c   no          tap277296ef-97
>                                                 tape55e2167-98
>                                                 vxlan-77
> brqd8c6a159-03  8000.00163ee12e11   no          eth11
>                                                 tap124723f9-2e
>                                                 tap5f9dc7ba-d6
>                                                 vxlan-999
> 
> --snip--
> 
> 
> Obviously I am missing something, any help is appreciated.
> 
> 
> Thanks
> Michael


Re: [Openstack] 99.5% of packets are disappearing somewhere between the Linux Bridge (brqxxxxzzzz-yy) and the tap (tapxxxxzzzz-yy).

2015-07-09 Thread James Denton
Thanks, Thiago.


Do you mind running a capture across the 3 interfaces (eth, bridge, tap) 
simultaneously? In particular, traffic generated outside of the node that 
demonstrates connection attempts to your instance. It will be helpful to see if 
there are continuous ARP requests without replies, or a reply and continuous 
TCP SYN packets and whatnot. On the tap interface you should only expect to see 
broadcast, multicast, and unicast traffic to the MAC address of the instance. 
Because the MAC addresses are masqueraded in those captures, and they're not 
related, it's hard to tell what you're seeing. Do you mind not masking them 
this time around?


Also, what is the IP address of the instance? Seeing that this is an 
all-in-one, I'm guessing you didn't have issues with DHCP?


Thanks,

James


From: Martinx - ジェームズ 
Sent: Thursday, July 9, 2015 8:51 PM
To: James Denton
Cc: openstack@lists.openstack.org
Subject: Re: [Openstack] 99.5% of packets are disappearing somewhere between 
the Linux Bridge (brq-yy) and the tap (tap-yy).

Hello James!

On 9 July 2015 at 11:17, James Denton <james.den...@rackspace.com> wrote:
Hi Thiago,

 * I can see the untagged packets arriving at "brq50b13311-fa", by using 
"tcpdump -eni brq50b13311-fa";

Do you mind posting the packet capture from eth3 and the bridge on pastebin?


I don't mind, I'll just replace the public IPs before posting (and possibly 
MAC)...


* Actual traffic hitting physical "eth3" with VLAN tag (OK):

http://paste.openstack.org/show/360214/


* Actual traffic hitting "brq50b13311-fa" without tag (OK):

http://paste.openstack.org/show/360249/


* Actual traffic hitting "tap9a546be0-d6" without tag (BUGGED - missing 
packets):

http://paste.openstack.org/show/360274/


* Actual traffic hitting vNIC "eth3" without tag (BUGGED - missing packets):

http://paste.openstack.org/show/360275/


*** Only PVST, OSPF and ICMP are appearing inside the Instance (and its tap, of 
course) ***



 For example, I can not see the string "Cisco" while running "tcpdump -eni 
brq50b13311-fa | grep -i cisco", so, where those packets come from (that I'm 
seeing on tap9a546be0-d6 and within its instance - pastebin above) ???

Those are multicast packets for PVST and OSPF from the switch and router, 
respectively. You might try filtering by MAC on the bridge instead of using 
grep to isolate those packets:

tcpdump -eni brq50b13311-fa ether dst 01:00:0c:cc:cc:cd

I would expect to see those packets on eth3 as well.

You're absolutely right!

The PVST, OSPF (and very rare ICMP) are appearing @ eth3 too (with "vlan " 
tagged), my bad (that grep, "ether dst" is much better, tks).

Look, inside the Instance - vNIC eth3:

tcpdump -eni eth3

http://paste.openstack.org/show/360127/


Only the PVST, OSPF and ICMP packets are hitting the tap-yy interface! 
As expected, I can see those packets inside of the Instance as well (Pastebin 
above).

Why TCP/UDP isn't passing?


 * I CAN NOT see the untagged packets arriving at "tap9a546be0-d6", by using 
"tcpdump -eni tap9a546be0-d6"!

What do your security group rules look like?

I have no Security Groups, no Firewall, no ipset...


ML2 configuration contains:

http://paste.openstack.org/show/356860/



 What is driving me crazy is that, on top of this very same setup (including 
e1000 driver), but with different vlan tag, it works!

Is it the same eth3 interface? You may want to avoid vlan 666, anyway. Never 
known those numbers to be lucky.

Yes, very same eth3.

LOL... I just posted this number here, to not publish private data, actual VLAN 
ID is different.   :-P

Why it works for "VLAN X", but not for "VLAN Y", is a mystery for me.

Thank you so much for your help!

I'm seeing some debugging progress here...

Hoping to get this fixed! It is very important for the project that I'm 
working on.



James

Thiago


Re: [Openstack] 99.5% of packets are disappearing somewhere between the Linux Bridge (brqxxxxzzzz-yy) and the tap (tapxxxxzzzz-yy).

2015-07-09 Thread James Denton
Hi Thiago,

>  * I can see the untagged packets arriving at "brq50b13311-fa", by using 
> "tcpdump -eni brq50b13311-fa";


Do you mind posting the packet capture from eth3 and the bridge on pastebin?

>  For example, I can not see the string "Cisco" while running "tcpdump -eni 
> brq50b13311-fa | grep -i cisco", so, where those packets come from (that I'm 
> seeing on tap9a546be0-d6 and within its instance - pastebin above) ???


Those are multicast packets for PVST and OSPF from the switch and router, 
respectively. You might try filtering by MAC on the bridge instead of using 
grep to isolate those packets:

tcpdump -eni brq50b13311-fa ether dst 01:00:0c:cc:cc:cd

I would expect to see those packets on eth3 as well.

>  * I CAN NOT see the untagged packets arriving at "tap9a546be0-d6", by using 
> "tcpdump -eni tap9a546be0-d6"!


What do your security group rules look like?

>  What is driving me crazy is that, on top of this very same setup (including 
> e1000 driver), but with different vlan tag, it works!

Is it the same eth3 interface? You may want to avoid vlan 666, anyway. Never 
known those numbers to be lucky.


James

> On Jul 8, 2015, at 7:41 PM, Martinx - ジェームズ  wrote:
> 
> Guys,
> 
>  What can cause packets to just disappear after arriving the bridge 
> "brq-yy" ???
> 
>  I'm using "VLAN Provider Networks", Juno on top of Trusty.
> 
>  With Neutron ML2 + LinuxBridges, setup "all-in-one".
> 
> 
> Where:
> 
>  - eth0 is the default - api, etc;
>  - eth1 is the "external" - floating ip, etc;
>  - eth2 is the physical vlan mapped into ML2;
>  - eth3 is another physical vlan mapped into ML2;
>  - dummy0 is being used by ML2 for VXLAN.
> 
> 
> Explaining:
> 
> 
>  * I can see the tagged packets arriving at "eth3", by using "tcpdump -eni 
> eth2 | grep "vlan 666";
> 
>  * I can see the untagged packets arriving at "brq50b13311-fa", by using 
> "tcpdump -eni brq50b13311-fa";
> 
>  * I CAN NOT see the untagged packets arriving at "tap9a546be0-d6", by using 
> "tcpdump -eni tap9a546be0-d6"!
> 
> 
>  "tcpdump -eni tap9a546be0-d6" only shows "alien" packets for this "tap", 
> like this:
> 
>  http://paste.openstack.org/show/356838/ 
>  - While what is arriving at 
> "brq50b13311-fa" looks completely different!
> 
>  For example, I can not see the string "Cisco" while running "tcpdump -eni 
> brq50b13311-fa | grep -i cisco", so, where those packets come from (that I'm 
> seeing on tap9a546be0-d6 and within its instance - pastebin above) ???
> 
> 
> Instance details:
> ---
> ...
> 
>   
>   
>   
>   
>function='0x0'/>
> 
> ...
> ---
> 
> "brctl show" returns:
> 
> ---
> bridge name     bridge id           STP enabled interfaces
> brq50b13311-fa  8000.ecf4bbd0417b   no          eth3.666
>                                                 tap9a546be0-d6
> 
> ---
> 
> "neutron net-show XXX" returns:
> 
>  http://paste.openstack.org/show/356845/ 
> 
> 
> -
> 
> ML2 configuration contains:
> 
> http://paste.openstack.org/show/356860/ 
> 
> 
> -
> 
>  Can someone please, tell me, why ~99.5% of the packets are disappearing out 
> of nothing?
> 
>  What is driving me crazy is that, on top of this very same setup (including 
> e1000 driver), but with different vlan tag, it works!
> 
>  I already disabled "rp_filter", ebtables, arptables, iptables, also, all 
> files under "/proc/sys/net/bridge" have "0"...
> 
>  I really appreciate any help! I'm working on this for about 16 hours 
> straight...
> 
> Thanks,
> Thiago


Re: [Openstack] network question on openstack installation

2015-06-27 Thread James Denton
Hi Yang,

> Another confusion I have is about network_vlan_ranges. Is this network VLAN 
> id range?

Yes, it is. But the range is only used for tenant networks when 
tenant_network_types == vlan. Neutron will automatically assign a vlan ID from 
this range when a user creates a network.

> If so, does it has to match external network?

No. In fact, I wouldn’t include the external vlan ID at all. Admins can specify 
any vlan ID when creating a network and are not limited to the configuration. 
That would leave you with this configuration:

network_vlan_ranges = physnet1

> For example, we only have one external VLAN we can use as Our provider 
> network and that VLAN id is 775 (xxx.xxx.xxx.0/26). Should I define 
> network_vlan_ranges as following?

> [ml2]
> type_drivers=vlan
> tenant_network_types = vlan
> mechanism_drivers=openvswitch
> #
> [ml2_type_vlan]
> # this tells Openstack that the internal name "physnet1" provides the vlan 
> range 100-199
> network_vlan_ranges = physnet1:775
> #


If you do specify a range of one vlan, it would look like this:

network_vlan_ranges = physnet1:775:775

In the configuration you shared, users would be limited to creating vlan 
networks. If vlan 775 already exists as a provider network, then the tenant 
will get an error upon trying to create a network, since there are no vlans 
left for allocation. If you don’t have any vlans available other than 775 then 
you’ll need to look into using gre or vxlan instead to overcome that limitation.

James

> On Jun 27, 2015, at 6:47 AM, YANG LI  wrote:
> 
> Thank you so much, James! This is so helpful. Another confusion I have is 
> about network_vlan_ranges. Is this network VLAN id range? If so, does it has 
> to match external network? For example, we only have one external VLAN we can 
> use as Our provider network and that VLAN id is 775 (xxx.xxx.xxx.0/26). 
> Should I define network_vlan_ranges as following?
> 
> [ml2]
> type_drivers=vlan
> tenant_network_types = vlan
> mechanism_drivers=openvswitch
> #
> [ml2_type_vlan]
> # this tells Openstack that the internal name "physnet1" provides the vlan 
> range 100-199
> network_vlan_ranges = physnet1:775
> #
> 
> Thanks,
> Yang
> 
> On Jun 26, 2015, at 8:54 AM, "James Denton" <james.den...@rackspace.com> wrote:
> 
>> You can absolutely have instances in the same network span different compute 
>> nodes. As an admin, you can run ‘nova show ’ and see the host in 
>> the output:
>> 
>> root@controller01:~# nova show 7bb18175-87da-4d1f-8dca-2ef07fee9d21 | grep host
>> | OS-EXT-SRV-ATTR:host | compute02 |
>> 
>> That info is not available to non-admin users by default.
>> 
>> James
>> 
>>> On Jun 26, 2015, at 7:38 AM, YANG LI <yan...@clemson.edu> wrote:
>>> 
>>> Thanks, James for the explanation. it make more sense now. 
>>> it is possible that a instances on same tenant network reside on different 
>>> compute nodes right? how do I tell which compute node a instance is on?
>>> 
>>> Thanks,
>>> Yang
>>> 
>>>> On Jun 24, 2015, at 10:27 AM, James Denton <james.den...@rackspace.com> wrote:
>>>> 
>>>> Hello.
>>>> 
>>>>> all three nodes will have eth0 on management/api network. since I am 
>>>>> using ml2 plugin with vlan for tenant network, I think all compute node 
>>>>> should have eth1 as the second nic on provider network. Is this correct?  
>>>>> I understand provider network is for instance to get external access  to 
>>>>> internet, but how is instance live on compute1  communicate with instance 
>>>>> live on compute2? are they also go through provider network?
>>>> 
>>>> In short, yes. If you’re connecting instances to vlan “provider” networks, 
>>>> traffic between instances on different compute nodes will traverse the 
>>>> “provider bridge”, get tagged out eth1, and hit the physical switching 
>>>> fabric. Your external gateway device could also sit in that vlan, and the 
>>>> default route on the instance would direct external traffic to that device.
>>>> 
>>>> In reality, every network has ‘provider’ attributes that describe the 
>>>> network type, segmentation id, and bridge interface (for vlan/flat only). 
>>>> So tenant networks that leverage vlans would have provider attributes set 
>>>> by Neutron automatically based on
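
The three `network_vlan_ranges` forms that come up in this thread (`physnet1`, `physnet1:775` and `physnet1:775:775`), run through a small validator that also shows how many VLAN IDs remain for tenant networks once VLAN 775 is taken by a provider network. This is an added example, not part of the original messages and not Neutron's own parser; the function names are hypothetical and the 1 to 4094 bounds are the usual 802.1Q VLAN ID limits.

```python
"""Validate an ML2 network_vlan_ranges value (added example, not Neutron code)."""

MIN_VLAN, MAX_VLAN = 1, 4094  # usable 802.1Q VLAN IDs


class VlanRangeError(ValueError):
    """Raised for an entry that is neither 'physnet' nor 'physnet:min:max'."""


def parse_network_vlan_ranges(value):
    """Return {physnet: [(vlan_min, vlan_max), ...]} for a comma-separated value.

    An empty list means the physnet can carry admin-created provider networks
    but offers no VLAN IDs for automatic tenant allocation.
    """
    ranges = {}
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            continue
        parts = [part.strip() for part in entry.split(":")]
        if not parts[0]:
            raise VlanRangeError(f"{entry!r}: missing physical network name")
        if len(parts) == 1:
            ranges.setdefault(parts[0], [])
            continue
        if len(parts) != 3:
            raise VlanRangeError(
                f"{entry!r}: expected 'physnet' or 'physnet:min:max'")
        physnet, lo_text, hi_text = parts
        try:
            lo, hi = int(lo_text), int(hi_text)
        except ValueError:
            raise VlanRangeError(
                f"{entry!r}: VLAN IDs must be integers") from None
        if not MIN_VLAN <= lo <= hi <= MAX_VLAN:
            raise VlanRangeError(
                f"{entry!r}: need {MIN_VLAN} <= min <= max <= {MAX_VLAN}")
        ranges.setdefault(physnet, []).append((lo, hi))
    return ranges


def free_tenant_vlans(value, physnet, vlans_in_use):
    """VLAN IDs left for tenant allocation on physnet after removing used ones."""
    pool = set()
    for lo, hi in parse_network_vlan_ranges(value).get(physnet, []):
        pool.update(range(lo, hi + 1))
    return sorted(pool - set(vlans_in_use))


def describe(value, physnet="physnet1", vlans_in_use=(775,)):
    """One-line verdict for a candidate setting, with VLAN 775 already in use."""
    try:
        free = free_tenant_vlans(value, physnet, vlans_in_use)
    except VlanRangeError as exc:
        return f"rejected: {exc}"
    return f"accepted: {len(free)} VLAN ID(s) free for tenant networks"


if __name__ == "__main__":
    for candidate in ("physnet1", "physnet1:775",
                      "physnet1:775:775", "physnet1:100:199"):
        print(f"{candidate:20} {describe(candidate)}")
```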

Re: [Openstack] network question on openstack installation

2015-06-26 Thread James Denton
You can absolutely have instances in the same network span different compute 
nodes. As an admin, you can run ‘nova show ’ and see the host in 
the output:

root@controller01:~# nova show 7bb18175-87da-4d1f-8dca-2ef07fee9d21 | grep host
| OS-EXT-SRV-ATTR:host | compute02 |

That info is not available to non-admin users by default.

James

> On Jun 26, 2015, at 7:38 AM, YANG LI  wrote:
> 
> Thanks, James for the explanation. it make more sense now. 
> it is possible that a instances on same tenant network reside on different 
> compute nodes right? how do I tell which compute node a instance is on?
> 
> Thanks,
> Yang
> 
>> On Jun 24, 2015, at 10:27 AM, James Denton <james.den...@rackspace.com> wrote:
>> 
>> Hello.
>> 
>>> all three nodes will have eth0 on management/api network. since I am using 
>>> ml2 plugin with vlan for tenant network, I think all compute node should 
>>> have eth1 as the second nic on provider network. Is this correct?  I 
>>> understand provider network is for instance to get external access  to 
>>> internet, but how is instance live on compute1  communicate with instance 
>>> live on compute2? are they also go through provider network?
>> 
>> In short, yes. If you’re connecting instances to vlan “provider” networks, 
>> traffic between instances on different compute nodes will traverse the 
>> “provider bridge”, get tagged out eth1, and hit the physical switching 
>> fabric. Your external gateway device could also sit in that vlan, and the 
>> default route on the instance would direct external traffic to that device.
>> 
>> In reality, every network has ‘provider’ attributes that describe the 
>> network type, segmentation id, and bridge interface (for vlan/flat only). So 
>> tenant networks that leverage vlans would have provider attributes set by 
>> Neutron automatically based on the configuration set in the ML2 config file. 
>> If you use Neutron routers that connect to both ‘tenant’ vlan-based networks 
>> and external ‘provider’ networks, all of that traffic could traverse the 
>> same provider bridge on the controller/network node, but would be tagged 
>> accordingly based on the network (ie. vlan 100 for external network, vlan 
>> 200 for tenant network).
>> 
>> Hope that’s not too confusing!
>> 
>> James
>> 
>>> On Jun 24, 2015, at 8:54 AM, YANG LI <yan...@clemson.edu> wrote:
>>> 
>>> I am working on install openstack from scratch, but get confused with 
>>> network part. I want to have one controller node, two compute nodes.
>>> 
>>> the controller node will only handle following services:
>>> glance-api
>>> glance-registry
>>> keystone
>>> nova-api
>>> nova-cert
>>> nova-conductor
>>> nova-consoleauth
>>> nova-novncproxy
>>> nova-scheduler
>>> qpid
>>> mysql
>>> neutron-server
>>> 
>>> compute nodes will have following services:
>>> neutron-dhcp-agent
>>> neutron-l3-agent
>>> neutron-metadata-agent
>>> neutron-openvswitch-agent
>>> neutron-ovs-cleanup
>>> openvswitch
>>> nova-compute
>>> 
>>> all three nodes will have eth0 on management/api network. since I am using 
>>> ml2 plugin with vlan for tenant network, I think all compute node should 
>>> have eth1 as the second nic on provider network. Is this correct?  I 
>>> understand provider network is for instance to get external access  to 
>>> internet, but how is instance live on compute1  communicate with instance 
>>> live on compute2? are they also go through provider network?


Re: [Openstack] network question on openstack installation

2015-06-24 Thread James Denton
Hello.

> all three nodes will have eth0 on management/api network. since I am using 
> ml2 plugin with vlan for tenant network, I think all compute node should have 
> eth1 as the second nic on provider network. Is this correct?  I understand 
> provider network is for instance to get external access  to internet, but how 
> is instance live on compute1  communicate with instance live on compute2? are 
> they also go through provider network?

In short, yes. If you’re connecting instances to vlan “provider” networks, 
traffic between instances on different compute nodes will traverse the 
“provider bridge”, get tagged out eth1, and hit the physical switching fabric. 
Your external gateway device could also sit in that vlan, and the default route 
on the instance would direct external traffic to that device.

In reality, every network has ‘provider’ attributes that describe the network 
type, segmentation id, and bridge interface (for vlan/flat only). So tenant 
networks that leverage vlans would have provider attributes set by Neutron 
automatically based on the configuration set in the ML2 config file. If you use 
Neutron routers that connect to both ‘tenant’ vlan-based networks and external 
‘provider’ networks, all of that traffic could traverse the same provider 
bridge on the controller/network node, but would be tagged accordingly based on 
the network (ie. vlan 100 for external network, vlan 200 for tenant network).

Hope that’s not too confusing!

James

> On Jun 24, 2015, at 8:54 AM, YANG LI  wrote:
> 
> I am working on install openstack from scratch, but get confused with network 
> part. I want to have one controller node, two compute nodes.
> 
> the controller node will only handle following services:
> glance-api
> glance-registry
> keystone
> nova-api
> nova-cert
> nova-conductor
> nova-consoleauth
> nova-novncproxy
> nova-scheduler
> qpid
> mysql
> neutron-server
> 
> compute nodes will have following services:
> neutron-dhcp-agent
> neutron-l3-agent
> neutron-metadata-agent
> neutron-openvswitch-agent
> neutron-ovs-cleanup
> openvswitch
> nova-compute
> 
> all three nodes will have eth0 on management/api network. since I am using 
> ml2 plugin with vlan for tenant network, I think all compute node should have 
> eth1 as the second nic on provider network. Is this correct?  I understand 
> provider network is for instance to get external access  to internet, but how 
> is instance live on compute1  communicate with instance live on compute2? are 
> they also go through provider network?


Re: [Openstack] Add floating IP address to an existing floating IP pool

2015-06-24 Thread James Denton
You should simply be able to add a new subnet to the existing external network 
using the subnet-create command:

neutron subnet-create   [--all the 
normal subnet options]

Caveat: The new subnet will need a respective gateway address, and that IP 
should be configured on the external gateway device. The gateway device will 
need to support multiple ips/subnets on the same interface. Most routers can 
handle this.

James

> On Jun 24, 2015, at 7:59 AM, Narayanan, Krishnaprasad  
> wrote:
> 
> Hi,
> 
> In continuation from my earlier email, I have created the port using neutron 
> by specifying the subnet id, floating ip address and the network id. Further, 
> when I executed floatingip-create using the neutron API, I am getting the 
> error “No more IP addresses available on network network ID”.
> 
> Can I know is this the procedure to add a floating IP to an existing pool? 
> Can somebody help me to get rid of this problem?
> 
> Regards,
> Krishnaprasad
> From: Narayanan, Krishnaprasad [mailto:naray...@uni-mainz.de]
> Sent: Wednesday, June 24, 2015 11:00
> To: 'openstack@lists.openstack.org'
> Subject: [Openstack] Add floating IP address to an existing floating IP pool
> 
> Hello all,
> 
> I am looking for either nova / nova-manage command  which can add a set of 
> new floating IP / IPs to an existing floating IP pool. Can somebody provide 
> me this information?
> 
> Regards,
> Krishnaprasad


Re: [Openstack] [Openstack-operators] Help with multiple external network in openstack

2015-06-06 Thread James Denton
Hi Daniel,

There should be no difference between those versions. As for vlan tagging, using 
tagging allows you to have multiple networks on the same physical 
interface/bridge. If you use a flat network you are limited to 1 per 
interface/bridge.

James

Sent from my iPhone

On Jun 6, 2015, at 5:12 PM, Daniel Comnea <comnea.d...@gmail.com> wrote:

Are there any major differences in setting the provider network in IceHouse vs Juno 
vs Kilo? Or can I assume the above configuration should work on all 3 versions 
mentioned?

And what is the advantage of having vlan tagging vs not having it set?

Thanks


On Sat, Jun 6, 2015 at 8:59 AM, Geo Varghese <gvargh...@aqorn.com> wrote:
Hi James,

Thanks a lot for explaining everything from basic level.

It will surely help us to understand the working.

Everything seems to be working now.

I will keep in touch with you.

On Sat, Jun 6, 2015 at 5:43 AM, James Denton <james.den...@rackspace.com> wrote:
Hi Geo,

When configuring multiple provider bridges, try to think of a 1:1 relationship 
between a provider bridge and a physical interface on the host that connects to 
a particular switching layer (in many cases). For example:

br-eth0 is a bridge containing eth0. Eth0 connects to a switching 
infrastructure behind a firewall.

br-eth1 is a bridge containing eth1. Eth1 connects to a dedicated backup 
infrastructure.

There are countless combinations here, and they depend greatly on your network 
infrastructure.

Now, for each of these bridges I am allowed a single flat network and up to 
~4,096 vlans. The real number will depend on the physical infrastructure, 
however.

When using OVS, you will create your provider bridges using the 'ovs-vsctl 
add-br' command. You will need to add a physical interface to each of those 
bridges using the 'ovs-vsctl add-port' command. Within the ML2 conf file, you 
will define the provider label to provider bridge mappings. Using my examples 
above, it may look like this:

externalnet:br-eth0,backupnet:br-eth1

So when I go to create my network (as an admin) I can specify the provider 
attributes including label name, segmentation id, and network type. If I wanted 
to create a Neutron network that used vlan id 200 on my external infrastructure 
I would use the following attributes:

Network type: vlan
Provider label: externalnet
Segmentation id: 200

If I create a router and use externalnet as the network in the 
'router-gateway-set' command, the OVS agent is smart enough to put the flow 
rules that manipulate traffic on both br-int (where my router qg and qr ports 
live) and the br-eth0 bridge thanks to the mappings I defined in the ML2 conf 
file. If I create a network using the backupnet label, the OVS agent would put 
rules on br-int and br-eth1, accordingly.

Now, network_vlan_ranges is used specifically for tenant network allocation. 
Non-admin users have no visibility into the network type, ids, bridges, etc. 
So, if tenant_network_types is set to vlan,  you can define WHICH provider 
bridge is used and the IDs to be allocated when a tenant creates a network. You 
may have an interface and corresponding bridge dedicated to tenant network 
traffic, so tenantnet:br-eth2, for example. You could set the 
network_vlan_ranges to tenantnet:1000:1999, which would allow tenants to create 
2000 vlans. When they're gone, tenants cannot create add'l networks. 
Tenant_network_types is an ordered list, so you could have vlan,vxlan,gre, for 
example. When the vlans have been consumed, it moves to vxlan then to gre.

All of the tenant network stuff is abstracted from the user, so they have no 
idea WHAT type of network they've created. Just FYI.

I apologize for being a bit long winded here. Hope this helps!

James






Sent from my iPhone

On Jun 5, 2015, at 2:45 AM, Geo Varghese <gvargh...@aqorn.com> wrote:

Kevin,

Thanks for the reply.

Have added these names of external network in any other configurations

On Fri, Jun 5, 2015 at 4:18 AM, Fox, Kevin M <kevin@pnnl.gov> wrote:
Those are the 4 external networks. In this cloud, they are all linux bridges.

I'm not using vlan tagging on this cloud, so I'm not sure what that would look 
like.

Thanks,
Kevin

From: Geo Varghese [gvargh...@aqorn.com]
Sent: Thursday, June 04, 2015 1:02 PM
To: Fox, Kevin M
Cc: openstack-operat...@lists.openstack.org; openstack@lists.openstack.org
Subject: Re: Help with multiple external network in openstack

Kevin,

Thanks. Can you please explain these values

pub:br-pub,scz:br-scz,osg:br-osg,mgmt:br-mgmt

These 4 networks are external networks? How did you create these bridges?

Can you please specify the value added for

network_vlan_ranges =

Are you using a vlan tag for the external network?

S

Re: [Openstack] Confusion of external network

2015-06-05 Thread James Denton
Hi Wilson,

Can you clarify a couple of things here?

- Does each tenant have their own router in front of their respective instance?

- Have you confirmed connectivity to the admin instance from the router 
namespace?

- Can you verify the dnat/snat entries for the admin instance exist in iptables 
in the router namespace?

- Have you verified the instance got its fixed IP from DHCP?

- Have you tried consoling to the instance and verifying outbound connectivity?

If you can, start with some simple connectivity verifications with the 
namespaces and work your way out from there. Also, your screenshots didn't come 
through, so if you can post the CLI output somewhere that would be helpful.

James

Sent from my iPhone

On Jun 4, 2015, at 10:18 PM, Wilson Kwok <leiw...@gmail.com> wrote:


Can anyone help?

On 2015/5/29 at 10:39 AM, "Wilson Kwok" <leiw...@gmail.com> wrote:

Ok

On 2015/5/28 at 6:24 PM, "Remo Mattei" <r...@italy1.com> wrote:
Nope.

Sent from iPhone

On 28 May 2015, at 02:04, Wilson Kwok <leiw...@gmail.com> wrote:


Hello all,

Has someone seen my attached screenshots?

Thanks

On 2015/5/27 at 11:14 AM, "Wilson Kwok" <leiw...@gmail.com> wrote:
Hello all,

Please see attached Zip screenshots, you will know what is my problem.

Thanks for your help!

2015-05-27 1:15 GMT+08:00 Remo Mattei <r...@italy1.com>:
Just a quick note, each tenant has its own default security group rules. So I 
would double check and make sure your admin does have those rules set. If it 
works with Demo it has to work with admin.

Remo

On May 26, 2015, at 09:03, Wilson Kwok <leiw...@gmail.com> wrote:

Hi Yair,

I just tried something:

1. I created Peter account and added into Demo project, I can access Peter's VM 
from external network PC via floating IP.
2. Admin account router account floating IP is 172.28.0.163, I can ping it, but 
I can't access Admin's VM floating IP 172.128.0.164 from external network PC 
(Security Group allow ICMP and SSH)
3. Demo account with no problem.

I created public network with keystone admin, please see below result with 
neutron net-show public:

[root@localhost ~(keystone_admin)]# neutron net-show public
+---------------------------+--------------------------------------+
| Field                     | Value                                |
+---------------------------+--------------------------------------+
| admin_state_up            | True                                 |
| id                        | 6145669e-4688-40a6-b878-aaa2f9cb26c6 |
| mtu                       | 0                                    |
| name                      | public                               |
| provider:network_type     | vxlan                                |
| provider:physical_network |                                      |
| provider:segmentation_id  | 10                                   |
| router:external           | True                                 |
| shared                    | True                                 |
| status                    | ACTIVE                               |
| subnets                   | 65c1896c-0bc6-4b00-b89b-57f2677b3219 |
| tenant_id                 | e67ef147ee074f83bdab0da903f0cdd3     |
+---------------------------+--------------------------------------+
and keystone tenant-list command:

[root@localhost ~(keystone_admin)]# keystone tenant-list
/usr/lib/python2.7/site-packages/keystoneclient/shell.py:65: 
DeprecationWarning: The keystone CLI is deprecated in favor of 
python-openstackclient. For a Python library, continue using 
python-keystoneclient.
  'python-keystoneclient.', DeprecationWarning)
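+----------------------------------+----------+---------+
|                id                |   name   | enabled |
+----------------------------------+----------+---------+
| e67ef147ee074f83bdab0da903f0cdd3 |  admin   |   True  |
| 24f9a6c52a1d471a8e7dc0f8fde32ced |   demo   |   True  |
| 64c18def585e45e39b5e4ec161e18633 | services |   True  |
| 80f0de3f19bf4c699938b54288d1ede8 |   test   |   True  |
+----------------------------------+----------+---------+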
Thanks for your help!


2015-05-26 18:32 GMT+08:00 Yair Fried <yfr...@redhat.com>:
Hi,
From https://bugzilla.redhat.com/show_bug.cgi?id=1163726#c3


By marking a network as "external" you are actually sharing it among all other 
tenants to be used as default GW and a source for floating IPs.

Marking a network as "shared" is allowing other tenants to connect VMs (and not 
router GWs) directly to the network.

Marking an external network as "shared" would allow VMs of all tenants to 
connect to a network as well as pull floating ips from it (via router GW). 
While this is possible in Neutron, it is also redundant, as with the case above 
- There isn't much sense in pulling a floating IP from a network that you can 
connect to directly.


please provide the relevant output from:
$ neutron net-show 
$ keystone tenant-list

Without this output it seems like 
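
One way to run the DNAT/SNAT check asked for at the top of this message, as an added example that is not part of the thread: it parses `iptables -t nat -S` output taken inside the router namespace and reports floating IPs whose translation is missing or points at the wrong fixed IP. The rule text is a constructed sample; the `neutron-l3-agent-` chain prefix, the addresses and the function names are assumptions.

```python
"""Check floating IP NAT rules in a Neutron router namespace (added example)."""
from collections import defaultdict

# Constructed sample of `ip netns exec qrouter-<router-id> iptables -t nat -S`.
# Addresses come from documentation ranges, not from the thread.
SAMPLE_NAT_RULES = """\
-P PREROUTING ACCEPT
-N neutron-l3-agent-PREROUTING
-A PREROUTING -j neutron-l3-agent-PREROUTING
-A neutron-l3-agent-PREROUTING -d 169.254.169.254/32 -i qr-+ -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697
-A neutron-l3-agent-PREROUTING -d 203.0.113.10/32 -j DNAT --to-destination 10.0.0.5
-A neutron-l3-agent-OUTPUT -d 203.0.113.10/32 -j DNAT --to-destination 10.0.0.5
-A neutron-l3-agent-float-snat -s 10.0.0.5/32 -j SNAT --to-source 203.0.113.10
-A neutron-l3-agent-PREROUTING -d 203.0.113.11/32 -j DNAT --to-destination 10.0.0.6
-A neutron-l3-agent-snat -o qg-0a1b2c3d-4e -j SNAT --to-source 203.0.113.2
"""


def floating_ip_state(rules_text, chain_prefix="neutron-l3-agent-"):
    """Map each floating IP to the fixed IP its DNAT and SNAT rules use."""
    state = defaultdict(lambda: {"dnat_to": None, "snat_from": None})
    for line in rules_text.splitlines():
        tok = line.split()
        if len(tok) < 2 or tok[0] != "-A" or not tok[1].startswith(chain_prefix):
            continue  # policies, chain declarations, rules outside the agent's chains
        opts = {tok[i]: tok[i + 1] for i in range(len(tok) - 1)
                if tok[i].startswith("-")}
        target = opts.get("-j")
        if target == "DNAT" and "-d" in opts:
            # Inbound: traffic to the floating IP is rewritten to the fixed IP.
            fip = opts["-d"].split("/")[0]
            state[fip]["dnat_to"] = opts.get("--to-destination", "").split(":")[0]
        elif target == "SNAT" and "-s" in opts:
            # Outbound: the instance's fixed IP leaves as its floating IP.
            # The router-wide SNAT rule has no -s match and is skipped here.
            state[opts["--to-source"]]["snat_from"] = opts["-s"].split("/")[0]
    return dict(state)


def check_floating_ip(state, fip, fixed_ip):
    """Return a list of problems; an empty list means both directions exist."""
    entry = state.get(fip)
    if entry is None:
        return [f"no NAT rules reference {fip}"]
    problems = []
    if entry["dnat_to"] is None:
        problems.append(f"{fip}: DNAT rule missing (inbound traffic is not translated)")
    elif entry["dnat_to"] != fixed_ip:
        problems.append(f"{fip}: DNAT points to {entry['dnat_to']}, expected {fixed_ip}")
    if entry["snat_from"] is None:
        problems.append(f"{fip}: SNAT rule missing (replies leave with the wrong source)")
    elif entry["snat_from"] != fixed_ip:
        problems.append(f"{fip}: SNAT matches {entry['snat_from']}, expected {fixed_ip}")
    return problems


if __name__ == "__main__":
    nat_state = floating_ip_state(SAMPLE_NAT_RULES)
    for fip, fixed in [("203.0.113.10", "10.0.0.5"),
                       ("203.0.113.11", "10.0.0.6"),
                       ("203.0.113.12", "10.0.0.7")]:
        print(fip, check_floating_ip(nat_state, fip, fixed) or "ok")
```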

Re: [Openstack] Help with multiple external network in openstack

2015-06-05 Thread James Denton
Hi Geo,

When configuring multiple provider bridges, try to think of a 1:1 relationship 
between a provider bridge and a physical interface on the host that connects to 
a particular switching layer (in many cases). For example:

br-eth0 is a bridge containing eth0. Eth0 connects to a switching 
infrastructure behind a firewall.

br-eth1 is a bridge containing eth1. Eth1 connects to a dedicated backup 
infrastructure.

There are countless combinations here, and they depend greatly on your network 
infrastructure.

Now, for each of these bridges I am allowed a single flat network and up to 
~4,096 vlans. The real number will depend on the physical infrastructure, 
however.

When using OVS, you will create your provider bridges using the 'ovs-vsctl 
add-br' command. You will need to add a physical interface to each of those 
bridges using the 'ovs-vsctl add-port' command. Within the ML2 conf file, you 
will define the provider label to provider bridge mappings. Using my examples 
above, it may look like this:

externalnet:br-eth0,backupnet:br-eth1

So when I go to create my network (as an admin) I can specify the provider 
attributes including label name, segmentation id, and network type. If I wanted 
to create a Neutron network that used vlan id 200 on my external infrastructure 
I would use the following attributes:

Network type: vlan
Provider label: externalnet
Segmentation id: 200

If I create a router and use externalnet as the network in the 
'router-gateway-set' command, the OVS agent is smart enough to put the flow 
rules that manipulate traffic on both br-int (where my router qg and qr ports 
live) and the br-eth0 bridge thanks to the mappings I defined in the ML2 conf 
file. If I create a network using the backupnet label, the OVS agent would put 
rules on br-int and br-eth1, accordingly.

Now, network_vlan_ranges is used specifically for tenant network allocation. 
Non-admin users have no visibility into the network type, ids, bridges, etc. 
So, if tenant_network_types is set to vlan,  you can define WHICH provider 
bridge is used and the IDs to be allocated when a tenant creates a network. You 
may have an interface and corresponding bridge dedicated to tenant network 
traffic, so tenantnet:br-eth2, for example. You could set the 
network_vlan_ranges to tenantnet:1000:1999, which would allow tenants to create 
2000 vlans. When they're gone, tenants cannot create add'l networks. 
Tenant_network_types is an ordered list, so you could have vlan,vxlan,gre, for 
example. When the vlans have been consumed, it moves to vxlan then to gre.

All of the tenant network stuff is abstracted from the user, so they have no 
idea WHAT type of network they've created. Just FYI.

I apologize for being a bit long winded here. Hope this helps!

James






Sent from my iPhone

On Jun 5, 2015, at 2:45 AM, Geo Varghese <gvargh...@aqorn.com> wrote:

Kevin,

Thanks for the reply.

Have added these names of external network in any other configurations

On Fri, Jun 5, 2015 at 4:18 AM, Fox, Kevin M <kevin@pnnl.gov> wrote:
Those are the 4 external networks. In this cloud, they are all linux bridges.

I'm not using vlan tagging on this cloud, so I'm not sure what that would look 
like.

Thanks,
Kevin

From: Geo Varghese [gvargh...@aqorn.com]
Sent: Thursday, June 04, 2015 1:02 PM

To: Fox, Kevin M
Cc: 
openstack-operat...@lists.openstack.org;
 openstack@lists.openstack.org
Subject: Re: Help with multiple external network in openstack

Kevin,

Thanks. Can you please explain these values

pub:br-pub,scz:br-scz,osg:br-osg,mgmt:br-mgmt

These 4 networks are external networks? How did you create these bridges?

Can you please specify the value added for

network_vlan_ranges =

Are you using a vlan tag for the external network?

Sorry for many questions :)





-- Forwarded message --
From: Fox, Kevin M <kevin@pnnl.gov>
Date: Fri, Jun 5, 2015 at 1:24 AM
Subject: RE: Help with multiple external network in openstack
To: Geo Varghese <gvargh...@aqorn.com>
Cc: "openstack-operat...@lists.openstack.org" <openstack-operat...@lists.openstack.org>,
 "openstack@lists.openstack.org" <openstack@lists.openstack.org>


In /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini currently we have:
bridge_mappings = pub:br-pub,scz:br-scz,osg:br-osg,mgmt:br-mgmt

Thanks,
Kevin

From: Geo Varghese [gvargh...@aqorn.com]
Sent: Thursday, June 04, 2015 12:29 PM
To: Fox, Kevin M
Cc: 
openstack-operat...@lists.openstack.org;
 openstack@lists.openstack.org
Subject: Re: Help with multiple external network in openstack

Thank
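
The relationship between `bridge_mappings`, `network_vlan_ranges` and `tenant_network_types` described at the top of this message, as an added example that is not from the thread or from Neutron: it checks that every provider label has a bridge, shows which labels tenants can be allocated onto, and models the ordered fallback between network types. The configuration is a constructed sample; the `[ml2_type_vxlan]` range, the deliberately tiny VLAN range and the helper names are assumptions.

```python
"""Model of ML2 tenant segment allocation (added example, not Neutron code)."""
import configparser

# Constructed ml2_conf.ini fragment reusing the labels from the message above.
# The ranges are deliberately tiny so that pool exhaustion is visible.
SAMPLE_CONF = """
[ml2]
tenant_network_types = vlan,vxlan

[ml2_type_vlan]
network_vlan_ranges = externalnet,backupnet,tenantnet:1000:1002

[ml2_type_vxlan]
vni_ranges = 5000:5001

[ovs]
bridge_mappings = externalnet:br-eth0,backupnet:br-eth1,tenantnet:br-eth2
"""


def _items(value):
    return [s.strip() for s in value.split(",") if s.strip()]


def parse_bridge_mappings(value):
    """'label:bridge,...' -> {label: bridge}; duplicates are rejected."""
    mappings = {}
    for item in _items(value):
        label, _, bridge = item.partition(":")
        if not bridge or label in mappings:
            raise ValueError(f"bad or duplicate bridge mapping: {item!r}")
        mappings[label] = bridge
    return mappings


def parse_vlan_ranges(value):
    """'label[:min:max],...' -> {label: [(min, max), ...]}.

    A bare label carries no tenant range: only an admin can place a network
    on that physical network, by naming the label explicitly.
    """
    ranges = {}
    for item in _items(value):
        parts = item.split(":")
        if len(parts) not in (1, 3):
            raise ValueError(f"malformed entry: {item!r}")
        ranges.setdefault(parts[0], [])
        if len(parts) == 3:
            low, high = int(parts[1]), int(parts[2])
            if not 1 <= low <= high <= 4094:
                raise ValueError(f"invalid VLAN range: {item!r}")
            ranges[parts[0]].append((low, high))
    return ranges


def load(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    low, high = cp["ml2_type_vxlan"]["vni_ranges"].split(":")
    return {
        "types": _items(cp["ml2"]["tenant_network_types"]),
        "vlans": parse_vlan_ranges(cp["ml2_type_vlan"]["network_vlan_ranges"]),
        "vni": (int(low), int(high)),
        "bridges": parse_bridge_mappings(cp["ovs"]["bridge_mappings"]),
    }


def audit(cfg):
    """Labels with no bridge on this host, and labels tenants can land on."""
    return {
        "unmapped": sorted(lbl for lbl in cfg["vlans"] if lbl not in cfg["bridges"]),
        "tenant_labels": sorted(lbl for lbl, rngs in cfg["vlans"].items() if rngs),
    }


class TenantAllocator:
    """Hands out tenant segments by walking tenant_network_types in order."""

    def __init__(self, cfg):
        self.order = cfg["types"]
        self.pools = {
            "vlan": [(label, vid) for label, rngs in cfg["vlans"].items()
                     for low, high in rngs for vid in range(low, high + 1)],
            "vxlan": [(None, vni)
                      for vni in range(cfg["vni"][0], cfg["vni"][1] + 1)],
        }

    def create_network(self):
        # Simplification: IDs are taken lowest-first; Neutron's pick may differ.
        for net_type in self.order:
            pool = self.pools.get(net_type, [])
            if pool:
                label, seg_id = pool.pop(0)
                return {"network_type": net_type, "physical_network": label,
                        "segmentation_id": seg_id}
        raise RuntimeError("no tenant segments left in any configured type")


if __name__ == "__main__":
    cfg = load(SAMPLE_CONF)
    print(audit(cfg))
    allocator = TenantAllocator(cfg)
    for _ in range(5):
        print(allocator.create_network())
```

In the sample, `externalnet` and `backupnet` appear in `network_vlan_ranges` without a range, so tenant allocations only ever land on `tenantnet`.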

Re: [Openstack] Documentation for Neutron L3 / VXLAN with LinuxBridge...

2015-05-27 Thread James Denton
Hello.

> The visible error was "no valid host was found”

You may find something useful in the nova scheduler log on the controller node 
for debugging that error. You could be out of resources across the compute 
nodes, or the flavor is too small for the image, or something else could be 
wrong. It’s hard to say.

> By the way, does LinuxBridge need to be configured like OVS? For example, 
> add-br and add-port for br-ex is required while configuring OVS setting.

No, it doesn’t. With OVS, you’re adding an interface to the provider bridge 
manually, and then the OVS agent creates flows that modify the packets as they 
traverse the bridge, stripping and adding vlan tags as needed. You can use 
multiple provider bridges that each have dedicated interfaces, and have a 
provider label that maps to each bridge. With LinuxBridge, you specify one or 
more label-to-interface mappings, much like OVS. The LinuxBridge agent will 
create a bridge for every network that gets created, and will create a vlan 
interface (ie. eth1.x) based on the provider label and segmentation ID that 
were specified in net-create. When tenants create networks, both of those 
values are automatically determined based on the configuration file and are not 
settable by users. The agent then puts the vlan interface into the respective 
bridge.

> Another question is that I wonder whether configuring 
> /etc/sysconfig/network-scripts/ifcfg-ethX.X is needed for VLAN setting.

The idea is that you would let the OVS or LinuxBridge agent handle the vlan 
tagging for you by reserving and specifying a dedicated interface that those 
agents can manage. There is no need to configure a vlan interface in 
/etc/sysconfig/network-scripts for every network except in specific 
circumstances.

I hope that makes sense.

James


> On May 26, 2015, at 7:31 PM, BYEONG-GI KIM  wrote:
> 
> Hello all,
> 
> Thank you very much for sharing the information!
> 
> I'm now trying to configure 3 node deployment (1 controller, 1 compute, and 1 
> network) with LinuxBridge Plugin. Actually, I deployed VLAN setting with the 
> plugin but it seemed not working so that I'm now checking what the problem 
> is. The visible error was "no valid host was found", however I think 
> something much more complicated would be behind the error. :(
> 
> I have to go back to the beginning of the deployment in order to check what 
> is wrong, and the information what you all shared would be greatly helpful.
> 
> 
> By the way, does LinuxBridge need to be configured like OVS? For example, 
> add-br and add-port for br-ex is required while configuring OVS setting. 
> Another question is that I wonder whether configuring 
> /etc/sysconfig/network-scripts/ifcfg-ethX.X is needed for VLAN setting.
> 
> Best regards
> 
> Byeong-Gi KIM
> 
> 2015-05-27 5:36 GMT+09:00 James Denton <james.den...@rackspace.com>:
> For more up-to-date configuration examples, including ML2/LinuxBridge/VXLAN, 
> try taking a look at the new networking guides on docs.openstack.org:
> 
> LinuxBridge: 
> http://docs.openstack.org/networking-guide/deploy_scenario1b.html
> 
> All: http://docs.openstack.org/networking-guide/
> 
> James
> 
>> On May 26, 2015, at 11:22 AM, Remo Mattei <r...@italy1.com> wrote:
>> 
>> Hi all,
>> I did a project with a TELCO, and used both Linux Bridge and OVS, with ML2 
>> you can use multiple plugins and I do not recall to have done anything 
>> special for the config.
>> 
>> If you get stuck send an email, I can always check notes but Arindam sent 
>> detailed steps so hopefully that will address your question.
>> 
>> Remo
>>> On May 26, 2015, at 08:40, Bhattacharjee, Arindam (Arindam) 
>>> <arindam.bhattachar...@alcatel-lucent.com> wrote:
>>> 
>>> These are a few notes I had for Linux bridge config on neutron in initial 
>>> Havana release. Hope this helps!
>>> Arindam
>>> 
>>> From: BYEONG-GI KIM [mailto:kimbyeon...@gmail.com]
>>> Sent: Tuesday, May 26, 2015 12:09 AM
>>> To: Martinx - ジェームズ; openstack@lists.openstack.org
>>> Subject: Re: [Openstack] Documentation for Neutron L3 / VXLAN with 
>>> LinuxBridge...
>>> 
>>> Hello.
>>> 
>>> I'm looking for the way of LinuxBridge setup for openstack neutron 
>>> networking instead of ML2 VLAN/VXLAN/GRE like your rea

Re: [Openstack] openstack and vlans

2015-05-27 Thread James Denton
Hello.

> Can I configure (let's say for a computer node)
> both the tunnel network and the management network on the same interface?
> (with configuring trunk port and two VLANs for this interface).
Yes, you can. In this case, the management (primary) interface of the compute 
node would be a vlan interface (ie. eth0.100), and the ‘local ip’ definition in 
ml2_conf.ini can specify that management address as the tunnel address. 
Depending on your plugin/driver, you could then put eth0 in the provider bridge 
(ie. br-eth0 or br-ex or whatever) when using OVS, or map your provider label 
to eth0 if using linuxbridge. You would want to avoid specifying vlan 100 as a 
provider or tenant network, but it should work fine in that configuration.

You could also go the other way and configure eth0 as the primary interface and 
use that addr as the tunnel address, then configure two vlan interfaces on the 
host that could serve in two distinct provider bridges (OVS) or be used for two 
flat networks with LinuxBridge. This is a tedious and limiting configuration, 
though.

James

> On May 27, 2015, at 8:55 AM, Yngvi Páll Þorfinnsson  wrote:
> 
> Hi, to clarify this question better,
> 
> I have installed and configured OpenStack(Juno) environment on Ubuntu(14.04).
> We have currently 1 controller node, 3 network nodes and 4 compute nodes as 
> well as 4 swift nodes.
> I'm using OpenStack Networking (neutron).
> My question is regarding trunk port and VLANs.
> 
> Can I configure (let's say for a computer node)
> both the tunnel network and the management network on the same interface?
> (with configuring trunk port and two VLANs for this interface).
> 
> Thanks
> Yngvi
> 
> From: Yngvi Páll Þorfinnsson
> Sent: 27. maí 2015 08:46
> To: openstack@lists.openstack.org
> Subject: [Openstack] openstack and vlans
> 
> Hello all,
> 
> is it possible to combine tunnel and management networks on one interface?
> i.e. with vlans and trunk mode configuration?
> 
> Thanks
> Yngvi
> 


Re: [Openstack] Documentation for Neutron L3 / VXLAN with LinuxBridge...

2015-05-26 Thread James Denton
For more up-to-date configuration examples, including ML2/LinuxBridge/VXLAN, 
try taking a look at the new networking guides on docs.openstack.org:

LinuxBridge: http://docs.openstack.org/networking-guide/deploy_scenario1b.html

All: http://docs.openstack.org/networking-guide/

James

> On May 26, 2015, at 11:22 AM, Remo Mattei  wrote:
> 
> Hi all,
> I did a project with a TELCO, and used both Linux Bridge and OVS, with ML2 
> you can use multiple plugins and I do not recall to have done anything 
> special for the config.
> 
> If you get stuck send an email, I can always check notes but Arindam sent 
> detailed steps so hopefully that will address your question.
> 
> Remo
>> On May 26, 2015, at 08:40, Bhattacharjee, Arindam (Arindam) 
>> <arindam.bhattachar...@alcatel-lucent.com> wrote:
>> 
>> These are a few notes I had for Linux bridge config on neutron in initial 
>> Havana release. Hope this helps!
>> Arindam
>> 
>> From: BYEONG-GI KIM [mailto:kimbyeon...@gmail.com]
>> Sent: Tuesday, May 26, 2015 12:09 AM
>> To: Martinx - ジェームズ; openstack@lists.openstack.org
>> Subject: Re: [Openstack] Documentation for Neutron L3 / VXLAN with 
>> LinuxBridge...
>> 
>> Hello.
>> 
>> I'm looking for the way of LinuxBridge setup for openstack neutron 
>> networking instead of ML2 VLAN/VXLAN/GRE like your reason, and you seems 
>> successfully deployed the environment.
>> 
>> Could you give me any advice for the deployment?
>> 
>> I'm now deploying openstack 3 nodes (actually, I attached another compute, 
>> so my current deployment setup is 4 nodes, i.e., 1 controller, 1 network, and 
>> 2 computes) by following the openstack installation guide, 
>> http://docs.openstack.org/kilo/install-guide/install/yum/content/neutron-controller-node.html.
>> I think several options in /etc/nova/nova.conf, 
>> /etc/neutron/plugins/ml2/ml2_conf.ini and /etc/neutron/neutron.conf should 
>> be modified properly in order to use LinuxBridge instead of OVS.
>> 
>> Here are the lists what I know to modify:
>> 
>> 1. /etc/neutron/neutron.conf on controller
>> core_plugin = ml2 (I think this should be modified but I don't know what 
>> parameter indicates Linux Bridge Agent Plugin)
>> 
>> 2. /etc/neutron/plugins/ml2/ml2_conf.ini on controller
>> Do I still need to modify this file? I'm confused, because the file name is 
>> 'ml2', which is for ml2 plugin not for 'linux bridge'... And, I wonder the 
>> lists should be modified.
>> 
>> Thank you in advance!
>> 
>> Regards
>> 
>> Byeong-Gi KIM
>> 
>> 
>> 
>> 
>> 2015-04-21 7:19 GMT+09:00 Martinx - ジェームズ <thiagocmarti...@gmail.com>:
>> Hi James!
>> 
>> On 20 April 2015 at 18:16, James Denton <james.den...@rackspace.com> wrote:
>> Hi Thiago,
>> 
>> VXLAN requires an IP address on each host from which to build the overlay 
>> mesh between hosts. Some choose to use a dedicated interface/IP/VLAN for 
>> this, but it's not required.
>> 
>> Sure, I'm aware of that.
>> 
>> What is new for me, is that when using "VXLAN + OpenvSwitch", plain VLANs 
>> are not required but, when using "VXLAN + LinuxBridges", then, you'll need 
>> plain VLANs as well (and this is new for me).
>> 
>> 
>> As for ‘vconfig’ missing - It appears that the 'ip link’ command (iproute2) 
>> is being used instead to create vlan interfaces.
>> 
>> Okay, cool! I'll take a look on that.
>> 
>> Thank you!
>> 
>> 
>> James
>> 
>> Thiago
>> 
>> 
>> On Apr 17, 2015, at 10:26 PM, Martinx - ジェームズ <thiagocmarti...@gmail.com> wrote:
>> 
>> Perfect! I followed the Juno documentation here:
>> 
>> http://docs.openstack.org/juno/install-guide/install/apt/content/ch_preface.html
>> 
>> But I have "VXLAN + LinuxBridges", instead of "GRE + OVS", pretty cool!
>> 
>> I was doing it wrong (of course), I did not realize

Re: [Openstack] HA for Icehouse Neutron

2015-05-26 Thread James Denton
Hi Janki,

The IP address should be from a common network between the hosts. It can be the 
primary host address (ie. the one you use for management) or it can be an IP 
from a dedicated network/vlan reserved for tunneled traffic. It’s not routed 
traffic, so there’s no need to have a gateway if you do use a new dedicated 
network/interface.

Every node (controller/network and compute) will need its own address in that 
field.

James

> On May 26, 2015, at 12:45 PM, Janki Chhatbar  wrote:
> 
> Ya sure
> 
> I have 2 Ubuntu 14.04 machines acting as controller nodes (Keystone, Galera 
> cluster, RabbitMq, Horizon, Glance, Nova on them with High availability for 
> OpenStack Icehouse.
> 
> The connection is shown in attachment.
> 
> I want to add Neutron to these nodes.
> 
> My question is:
> In ml2_plugin.ini file:
> [ovs]
> local_ip = ip_for_GRE_tunnel
> 
> What IP to give to variable local_ip? Would it be the virtual IP or machine's 
> IP or some other thing?
> 
> This GRE tunnel is for data network (i.e between compute and neutron).
> 
> I have followed high availability guide available at site and set the 
> variables as described.
> 
> Janki Chhatbar
> M.Tech (Embedded Systems)
> Nirma University
> (+91) 9409239106
> 
> On Tue, May 26, 2015 at 9:50 PM, Remo Mattei wrote:
> HI Janki,
> you may want to elaborate a little your question, and explain what you are 
> trying to achieve, then people can see the overall and make suggestions 
> appropriately.
> 
> Remo
>> On May 26, 2015, at 08:36, Janki Chhatbar wrote:
>> 
>> I have set up 2 controller nodes in HA. I want to install Neutron in the 
>> same two nodes. What IP should I give for creation of GRE tunnels?
>> 
>> Janki Chhatbar
>> M.Tech (Embedded Systems)
>> Nirma University
>> (+91) 9409239106


Re: [Openstack] LBaaS on Juno

2015-05-03 Thread James Denton
Hi Christina,

Is 131.154.96.28 configured as a floating IP and associated with the LB VIP 
port? The NAT is configured on the router connected to the VIP network, in this 
case private_net. Can the router access the VIP 10.0.1.22? I’d start there.

James



> On May 1, 2015, at 4:21 PM, Cristina Aiftimiei  wrote:
> 
> Dear all,
> 
> I have a problem when configuring LBaaS in Juno.
> Our setup is an OpenStack Juno with 2 controller and 2 network nodes in HA, 
> using HAproxy & Keepalived.
> 
> After playing with the Havana version, where services were not in HA (just 1 
> controller and 1 network-node) and where everything was working as explained 
> in all posts and blogs that I found around (mainly based on 
> https://wiki.openstack.org/wiki/Neutron/LBaaS/HowToRun) I went on 
> configuring in a similar way the Juno version.
> 
> Everything went fine until the last check "curl" that says 
> "curl: (7) couldn't connect to host" (Connection timed out)
> 
> Some details:
> 
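> $ neutron router-list
> +--------------------------------------+----------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
> | id                                   | name     | external_gateway_info                                                                                                                                                                     |
> +--------------------------------------+----------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
> | 0af31338-5aba-4dd3-9af5-6ba0050bea93 | myrouter | {"network_id": "17d5949b-5694-4eab-abe0-c8039f0bd498", "enable_snat": true, "external_fixed_ips": [{"subnet_id": "825bc708-c4f9-4684-8c20-8bddf7e5aa7b", "ip_address": "131.154.96.19"}]} |
> +--------------------------------------+----------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
> 
> $ neutron lb-pool-list
> +--------------------------------------+--------+----------+-------------+----------+----------------+--------+
> | id                                   | name   | provider | lb_method   | protocol | admin_state_up | status |
> +--------------------------------------+--------+----------+-------------+----------+----------------+--------+
> | 3ed76c5b-681b-46dc-80ac-83c6686adc18 | mypool | haproxy  | ROUND_ROBIN | HTTP     | True           | ACTIVE |
> +--------------------------------------+--------+----------+-------------+----------+----------------+--------+
> 
> $ neutron lb-vip-list
> +--------------------------------------+-------+-----------+----------+----------------+--------+
> | id                                   | name  | address   | protocol | admin_state_up | status |
> +--------------------------------------+-------+-----------+----------+----------------+--------+
> | 824c9ee7-c9bd-40fd-91ff-1f2b88372f95 | myvip | 10.0.1.22 | HTTP     | True           | ACTIVE |
> +--------------------------------------+-------+-----------+----------+----------------+--------+
> 
> $ nova list
> +--------------------------------------+------------+--------+------------+-------------+--------------------------------------+
> | ID                                   | Name       | Status | Task State | Power State | Networks                             |
> +--------------------------------------+------------+--------+------------+-------------+--------------------------------------+
> | 959f0059-f5a8-4085-b093-a1d30d22170c | jumphost   | ACTIVE | -          | Running     | private_net=10.0.1.10, 131.154.96.20 |
> | 0ecbe8de-8219-4c05-9198-ce0b8cca8bc5 | webserver1 | ACTIVE | -          | Running     | private_net=10.0.1.11                |
> | ac62c3f3-5b2d-40f3-afb7-c83291541bf5 | webserver2 | ACTIVE | -          | Running     | private_net=10.0.1.12                |
> +--------------------------------------+------------+--------+------------+-------------+--------------------------------------+
> 
> # ip netns exec qlbaas-3ed76c5b-681b-46dc-80ac-83c6686adc18 curl http://10.0.1.22
> Welcome to webserver1
> # ip netns exec qlbaas-3ed76c5b-681b-46dc-80ac-83c6686adc18 curl http://10.0.1.22
> Welcome to webserver2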
> 
> $ curl -vvv 131.154.96.28
> * About to connect() to 131.154.96.28 port 80 (#0)
> *   Trying 131.154.96.28... Connection timed out
> * couldn't connect to host
> * Closing connection #0
> curl: (7) couldn't connect to host
> 
> Am I missing something? Where can I look for errors or misconfigurations?
> 
> Thank you very much,
> Cristina
> 
> 

Re: [Openstack] Documentation for Neutron L3 / VXLAN with LinuxBridge...

2015-04-20 Thread James Denton
Hi Thiago,

VXLAN requires an IP address on each host from which to build the overlay mesh 
between hosts. Some choose to use a dedicated interface/IP/VLAN for this, but 
it's not required.

As for ‘vconfig’ missing - It appears that the ‘ip link’ command (iproute2) is 
being used instead to create vlan interfaces.

James

> On Apr 17, 2015, at 10:26 PM, Martinx - ジェームズ  
> wrote:
> 
> Perfect! I followed the Juno documentation here:
> 
> http://docs.openstack.org/juno/install-guide/install/apt/content/ch_preface.html
>  
> 
> 
> But I have "VXLAN + LinuxBridges", instead of "GRE + OVS", pretty cool!
> 
> I was doing it wrong (of course), I did not realize that VXLAN with 
> LinuxBridges required plain VLANs to work (Is that right?)...
> 
> Nevertheless, I still do not fully understand this setup, since the "vlan" 
> package and its "vconfig" binary, is not even installed at my Network Node, 
> also, there is nothing at my "/proc/net/vlan...".
> 
> So, how it is working?  lol
> 
> Good challenge for the weekend to figure this out!   ^_^
> 
> Cheers!
> Thiago
> 
> On 17 April 2015 at 23:30, Martinx - ジェームズ wrote:
> BTW, I just found this:
> 
> https://github.com/madorn/vagrant-juno-linuxbridge-vxlan-vlan 
> 
> 
> The problem is that it is for VirtualBox or VMWare, and I'm using exclusively 
> KVM these days...   :-/
> 
> But, I believe it will help me anyway...   =P
> 
> On 17 April 2015 at 22:01, Martinx - ジェームズ wrote:
> Hey guys,
> 
>  Where can I find a complete documentation to make use of LinuxBridges, 
> instead of OpenvSwitch, when using it with VXLAN?
> 
>  I faced too many problems with OVS in the past (also these days) and now, 
> even Rackspace deploys their RPC v9 and v10 with LinuxBridges but, where are 
> the documents?
> 
>  I'm reading now, the following  Ansible files, to try to figure this out:
> 
>  https://github.com/stackforge/os-ansible-deployment 
> 
> 
>  But, this isn't a documentation...   :-P
> 
>  The current Juno documents only explain GRE + OVS but, this setup is 
> unstable and slow.
> 
> Cheers!
> Thiago
> 
> 


Re: [Openstack] Neutron vxlan-setup: new instance does not get the correct network config

2015-04-08 Thread James Denton
Hi Geert,


Assuming you're using an Ubuntu instance, what do you see in the 
/var/lib/dhcp/dhclient.leases file? It may be named dhclient.ethX.leases. In 
there would be lease information provided by dnsmasq. Is the 'option routers' 
line there? It may also be helpful to see what dnsmasq is configured to send on 
the network node. You may want to restart neutron-dhcp-agent on the network 
node and see if that resolves it.


James




From: Geert Willems 
Sent: Wednesday, April 8, 2015 5:55 AM
To: openstack@lists.openstack.org
Subject: [Openstack] Neutron vxlan-setup: new instance does not get the correct 
network config

Hi,

I just got a manual install/configuration of openstack Juno up and running 
under Ubuntu 14.04 as a POC.

POC-details:

  *   1 controller node
  *   1 network node
  *   1 compute node
  *   ceph-storage
  *   neutron vxlan-config

Here extra detailed info of what we have configured in neutron and nova:

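root@controller:~# neutron net-list
+--------------------------------------+------------+-------------------------------------------------------+
| id                                   | name       | subnets                                               |
+--------------------------------------+------------+-------------------------------------------------------+
| f3091d1f-db16-4294-96ac-3ed1dd8d15f9 | ext-net    | 95c8476b-167d-4e23-9fe1-3b0511775597 10.17.0.0/16     |
| e4c2d1a5-886b-47f0-9f40-c9bf4fce3d04 | goob-net   | 2033252f-b19c-40ec-8845-81a48f99665d 10.19.0.0/16     |
| 91e11a9a-2b89-4ccc-ba77-ca8a2a2e4493 | test-net-1 | 84d3757d-a1df-4af1-87d3-10d4834e80a2 192.168.100.0/24 |
+--------------------------------------+------------+-------------------------------------------------------+
root@controller:~# neutron net-show 91e11a9a-2b89-4ccc-ba77-ca8a2a2e4493
+---------------------------+--------------------------------------+
| Field                     | Value                                |
+---------------------------+--------------------------------------+
| admin_state_up            | True                                 |
| id                        | 91e11a9a-2b89-4ccc-ba77-ca8a2a2e4493 |
| name                      | test-net-1                           |
| provider:network_type     | vxlan                                |
| provider:physical_network |                                      |
| provider:segmentation_id  | 8201                                 |
| router:external           | False                                |
| shared                    | False                                |
| status                    | ACTIVE                               |
| subnets                   | 84d3757d-a1df-4af1-87d3-10d4834e80a2 |
| tenant_id                 | a9fd57125a50463e866490caf820efdc     |
+---------------------------+--------------------------------------+
root@controller:~# neutron net-show f3091d1f-db16-4294-96ac-3ed1dd8d15f9
+---------------------------+--------------------------------------+
| Field                     | Value                                |
+---------------------------+--------------------------------------+
| admin_state_up            | True                                 |
| id                        | f3091d1f-db16-4294-96ac-3ed1dd8d15f9 |
| name                      | ext-net                              |
| provider:network_type     | flat                                 |
| provider:physical_network | external                             |
| provider:segmentation_id  |                                      |
| router:external           | True                                 |
| shared                    | True                                 |
| status                    | ACTIVE                               |
| subnets                   | 95c8476b-167d-4e23-9fe1-3b0511775597 |
| tenant_id                 | a9fd57125a50463e866490caf820efdc     |
+---------------------------+--------------------------------------+
root@controller:~# neutron subnet-list
+--------------------------------------+---------------+------------------+--------------------------------------------------------+
| id                                   | name          | cidr             | allocation_pools                                       |
+--------------------------------------+---------------+------------------+--------------------------------------------------------+
| 95c8476b-167d-4e23-9fe1-3b0511775597 | ext-subnet    | 10.17.0.0/16     | {"start": "10.17.1.1", "end": "10.17.255.254"}         |
| 2033252f-b19c-40ec-8845-81a48f99665d | goob-subnet   | 10.19.0.0/16     | {"start": "10.19.1.1", "end": "10.19.255.254"}         |
| 84d3757d-a1df-4af1-87d3-10d4834e80a2 | test-subnet-1 | 192.168.100.0/24 | {"start": "192.168.100.100", "end": "192.168.100.150"} |
+--------------------------------------+---------------+------------------+--------------------------------------------------------+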
root@controller:~# neutr

Re: [Openstack] [neutron] how to use multiple external networks?

2015-04-08 Thread James Denton
Hi Mike,


With those requirements, I think dual-homing the instances may be the best 
approach.


In my mind, you would have 5 networks:


A - External Network 1

B - External Network 2

C - Tenant Network 1

D - Tenant Network 2

E - Shared Tenant Network (No gateway)


Because routers can only connect to one external network at a time, and a 
tenant network can only be connected to one router at a time, you would need 
two routers:


Router 1

Router 2


You would connect them as follows:


External Network 1 <-> Router 1 <-> Tenant Network 1

External Network 2 <-> Router 2 <-> Tenant Network 2


The VMs would then connect as follows:


Tenant Network 1 <-> VM1 <-> Shared Network

Tenant Network 2 <-> VM2 <-> Shared Network


With no gateway set on the shared network, you won't have to worry about 
multiple default routes, nor do you need to worry about terminating that 
network off a router. It's simply isolated.


Hope that helps,

James


From: Mike Spreitzer 
Sent: Wednesday, April 8, 2015 12:28 PM
To: openstack
Subject: [Openstack] [neutron] how to use multiple external networks?

Supposing there are two external provider networks, and a tenant wants (a) some 
of his Compute Instances to have floating IP addresses on one of those external 
networks, (b) some other of his Compute Instances to have floating IP addresses 
on the other external network, and (c) all of his Compute Instances to be able 
to talk to each other using only tenant private networking, what arrangement of 
tenant networks and routers would accomplish this?  In Juno, if it matters.

Thanks,
Mike



Re: [Openstack] iptables chain and instance id

2015-03-18 Thread James Denton
I’m not sure, but the X may be arbitrary. You should be able to correlate the 
nova-compute-inst-X chain to the instance by looking at the 
'nova-compute-local' chain and looking for the fixed IP:

-A nova-compute-local -d 10.239.0.11/32 -j nova-compute-inst-25
-A nova-compute-local -d 10.239.0.18/32 -j nova-compute-inst-65
-A nova-compute-local -d 10.239.0.26/32 -j nova-compute-inst-95
-A nova-compute-local -d 10.239.0.20/32 -j nova-compute-inst-69

In the DB, the correlation exists:

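root@controller01:~# nova list --all-ten | grep 10.239.0.11
| 1bbb6888-b74f-4fc3-8c22-4c5231823567 | myInstance | ACTIVE | public=10.239.0.11, 10.242.0.232 |

mysql> use nova; select * from security_group_instance_association where instance_uuid='1bbb6888-b74f-4fc3-8c22-4c5231823567';
Database changed
+---------------------+------------+------------+---------+----+-------------------+--------------------------------------+
| created_at          | updated_at | deleted_at | deleted | id | security_group_id | instance_uuid                        |
+---------------------+------------+------------+---------+----+-------------------+--------------------------------------+
| 2013-07-03 14:40:47 | NULL       | NULL       |       0 | 25 |                 3 | 1bbb6888-b74f-4fc3-8c22-4c5231823567 |
+---------------------+------------+------------+---------+----+-------------------+--------------------------------------+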
The ID (25) corresponds to the chain name seen here:

-A nova-compute-local -d 10.239.0.11/32 -j nova-compute-inst-25

James

> On Mar 18, 2015, at 1:37 PM, mad Engineer  wrote:
> 
> I am having an issue troubleshooting iptables rules.
> 
> How can I identify which chain belongs to which instance?
> 
> I can see nova-compute-inst-X but I am not able to relate X to nova list or 
> to virsh list. Can someone please help in identifying the proper iptables chains?
> 
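Added example (not part of the original thread): the correlation described in the reply above, done in Python by parsing the 'nova-compute-local' rules and matching each fixed IP against `nova list` rows. The function names are hypothetical, the rule and instance rows are the ones quoted in the reply, and the extra INPUT rule and the table header are constructed.

```python
import ipaddress
import re
import shlex

LOCAL_CHAIN = "nova-compute-local"
INST_CHAIN = re.compile(r"^nova-compute-inst-\d+$")
UUID = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# The four rules quoted in the reply, plus one constructed rule from another
# chain that the parser must ignore.
SAMPLE_RULES = """\
-A INPUT -i lo -j ACCEPT
-A nova-compute-local -d 10.239.0.11/32 -j nova-compute-inst-25
-A nova-compute-local -d 10.239.0.18/32 -j nova-compute-inst-65
-A nova-compute-local -d 10.239.0.26/32 -j nova-compute-inst-95
-A nova-compute-local -d 10.239.0.20/32 -j nova-compute-inst-69
"""

# The `nova list` row quoted in the reply; the header row is constructed.
SAMPLE_NOVA_LIST = """\
| ID | Name | Status | Networks |
| 1bbb6888-b74f-4fc3-8c22-4c5231823567 | myInstance | ACTIVE | public=10.239.0.11, 10.242.0.232 |
"""


def parse_local_chain(rules_text):
    """Map fixed IP -> per-instance chain from `iptables -S` style lines."""
    by_ip = {}
    for line in rules_text.splitlines():
        tokens = shlex.split(line)
        if tokens[:2] != ["-A", LOCAL_CHAIN]:
            continue
        try:
            dest = ipaddress.ip_network(tokens[tokens.index("-d") + 1])
            target = tokens[tokens.index("-j") + 1]
        except (ValueError, IndexError):
            continue  # no -d/-j pair, or a destination that is not an address
        # Only host (/32) rules that jump to a per-instance chain are relevant.
        if dest.prefixlen == dest.max_prefixlen and INST_CHAIN.match(target):
            by_ip[str(dest.network_address)] = target
    return by_ip


def parse_nova_list(table_text):
    """Map every IPv4 address in the last column -> (instance uuid, name)."""
    by_ip = {}
    for line in table_text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 3 or not UUID.match(cells[0]):
            continue  # border, header or unrelated line
        for ip in IPV4.findall(cells[-1]):
            by_ip[ip] = (cells[0], cells[1])
    return by_ip


def correlate(rules_text, nova_text):
    """One row per per-instance chain; uuid/name are None when nothing matches."""
    instances = parse_nova_list(nova_text)
    rows = []
    for ip, chain in sorted(parse_local_chain(rules_text).items()):
        uuid, name = instances.get(ip, (None, None))
        rows.append({"chain": chain, "fixed_ip": ip, "uuid": uuid, "name": name})
    return rows


def unmatched(rows):
    """Chains whose fixed IP belongs to no listed instance (possible leftovers)."""
    return [r["chain"] for r in rows if r["uuid"] is None]


if __name__ == "__main__":
    for row in correlate(SAMPLE_RULES, SAMPLE_NOVA_LIST):
        print(row)
```

Chains reported by unmatched() only mean the instance was not in the listing that was supplied; feed it the full `nova list --all-tenants` output before treating a chain as stale.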


Re: [Openstack] [neutron]Multiple l3 agents

2015-03-05 Thread James Denton
There used to be a limitation of one external network per agent, which meant 
some folks ran more than one on the same node. Not needed anymore as agents can 
now support multiple networks.

If you still need to go down that route, have you ensured that each agent is 
started with its respective config file argument set? This would need to be 
changed in the upstart script of the respective agent. There may be other 
arguments that need to change as well. I don't have a setup in front of me.

James


On Mar 4, 2015, at 11:23 PM, Akilesh K <akilesh1...@gmail.com> wrote:

Anyone has done this configuration yet and got it right?

On Wed, Mar 4, 2015 at 3:21 PM, Akilesh K <akilesh1...@gmail.com> wrote:
Hi,
What are the exact steps and configuration to run multiple l3 agents.


I have set separate config files with params
gateway_external_network_id, router_id, external_network_bridge for each of 
them.

handle_internal_only_routers is false for one and true for another.

After I start the agents on the network node I see only one l3-agent when I run 
'neutron agent-list'


And when I set gateway for a router from horizon I get 'No eligible l3 agent 
associated with external network 808e4532-122b-4211-a67f-42ca071c248d found'.

Please help me.

Thank you,
Ageeleshwar K



Re: [Openstack] Can not ping the tenant router gateway from host

2015-03-04 Thread James Denton
Mitchell,


Let's start with the br-ex bridge. That's the bridge connected to the external 
interface of the router and the physical network:


>     Bridge br-ex
>         Port "qg-6849da02-da"
>             Interface "qg-6849da02-da"
>                 type: internal
>         Port br-ex
>             Interface br-ex
>                 type: internal
>         Port "eth2"
>             Interface "eth2"
>     ovs_version: "2.0.2"


I can't tell from the output you've provided what provider attributes, if any, 
you set for the network 'ext-net'. Can you provide the output of 'neutron 
net-show ext-net'?


As it stands, any traffic leaving the qg interface will be untagged:


> root@ control:~# ovs-ofctl dump-flows br-ex
> NXST_FLOW reply (xid=0x4):
> cookie=0x0, duration=558.95s, table=0, n_packets=479, n_bytes=102435, idle_age=10, priority=0 actions=NORMAL


So depending on the switch port configuration, traffic out the qg interface 
(from the Neutron router) may not reach the gateway at 172.29.105.254. Like 
say, if ext-net is configured as a VLAN network, there is nothing currently in 
place to tag the traffic accordingly, be it OVS or a eth2.x interface in br-ex. 
The 'external_network_bridge' option in l3_agent.ini plays a part in this as 
well. The 'net-show' output would help me deduce what your intentions were and 
go from there.


James


From: Mitchell Chen 
Sent: Wednesday, March 4, 2015 8:12 PM
To: Kevin Benton
Cc: James Denton; openstack@lists.openstack.org
Subject: RE: [Openstack] Can not ping the tenant router gateway from host

The openvswitch agent seems to be all up with my neutron and three compute 
nodes.

root@control: # neutron agent-list
+--------------------------------------+--------------------+------------+-------+----------------+
| id                                   | agent_type         | host       | alive | admin_state_up |
+--------------------------------------+--------------------+------------+-------+----------------+
| 68eba267-b885-4aad-96a4-e8d19ac9db4a | L3 agent           | mussdhux20 | :-)   | True           |
| c0726b66-a1f4-4b00-9120-7bf0ee91a3d0 | DHCP agent         | mussdhux20 | :-)   | True           |
| d8808f97-90f8-424d-a786-45b4541af755 | Open vSwitch agent | mussdhux04 | :-)   | True           |
| e8d85451-3f6f-4b2a-94a1-6dd3e9a93cff | Metadata agent     | mussdhux20 | :-)   | True           |
| f4e51873-7e18-49a4-ab6b-94c24500e25f | Open vSwitch agent | mussdhux13 | :-)   | True           |
| f8cab47d-a0db-4de2-b457-23c4e87ccb32 | Open vSwitch agent | mussdhux10 | :-)   | True           |
| fd9ab1c9-ce62-4504-8d68-215584a70a17 | Open vSwitch agent | mussdhux20 | :-)   | True           |
+--------------------------------------+--------------------+------------+-------+----------------+

But, there is an error related to db.sock and exception happened, how is this 
happen? I really appreciate the light. Can this issue be fixed?

2015-03-04 12:05:40.146 1907 ERROR neutron.agent.linux.ovsdb_monitor [-] Error received from ovsdb monitor: ovsdb-client: unix:/var/run/openvswitch/db.sock: receive failed (End of file)
2015-03-04 12:05:40.148 1907 DEBUG neutron.agent.linux.async_process [-] Halting async process [['ovsdb-client', 'monitor', 'Interface', 'name,ofport', '--format=json']] in response to an error. _handle_process_error /usr/lib/python2.7/dist-packages/neutron/agent/linux/async_process.py:173
2015-03-04 12:05:40.148 1907 DEBUG neutron.agent.linux.utils [-] Running command: ['ps', '--ppid', '2452', '-o', 'pid='] create_process /usr/lib/python2.7/dist-packages/neutron/agent/linux/utils.py:48
2015-03-04 12:05:40.186 1907 DEBUG neutron.agent.linux.utils [-]
Command: ['ps', '--ppid', '2452', '-o', 'pid=']
Exit code: 1
Stdout: ''
Stderr: '' execute /usr/lib/python2.7/dist-packages/neutron/agent/linux/utils.py:75
2015-03-04 12:05:40.876 1907 DEBUG neutron.plugins.openvswitch.agent.ovs_neutron_agent [-] Agent rpc_loop - iteration:633 started rpc_loop /usr/lib/python2.7/dist-packages/neutron/plugins/openvswitch/agent/ovs_neutron_agent.py:1287
2015-03-04 12:05:40.877 1907 DEBUG neutron.agent.linux.utils [-] Running command: ['sudo', '/usr/bin/neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ovs-ofctl', 'dump-flows', 'br-int', 'table=22'] create_process /usr/lib/python2.7/dist-packages/neutron/agent/linux/utils.py:48
2015-03-04 12:05:40.975 1907 DEBUG neutron.agent.linux.utils [-]
Command: ['sudo', '/usr/bin/neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ovs-ofctl', 'dump-fl

Re: [Openstack] Can not ping the tenant router gateway from host

2015-03-04 Thread James Denton
Hi Mitchell,

>> I am able to ping from router to the router gateway (172.29.105.101) and 
>> router to internal tenant gateway (192.168.2.1)

You are pinging these IPs within the router namespace, which I would expect to 
work, as those are the IPs configured on the router’s interfaces.

>> … but still can not ping from control node to the router gateway

The default route of your Neutron host appears to be 172.29.106.254. Is that 
also the case for the control host?

>> default via 172.29.106.254 dev eth0

Is there a route on that device (static/local) that would allow you to reach 
the 172.29.105.0/24 subnet? Are you able to ping the ext-net gateway 
(172.29.105.254) from within the router namespace?

>> I saw there is a tag 4095 in the tap port of the br-int bridge. Is this OK?

It means that tap is stale. You can see if there is still a corresponding 
Neutron port with “neutron port-list | grep 27dd1b25-62”.

James

> On Mar 4, 2015, at 3:03 PM, Mitchell Chen  wrote:
> 
> Hi All,
> 
> I am struggling with not being able to ping the router gateway. I am able to 
> ping from router to the router gateway (172.29.105.101) and router to 
> internal tenant gateway (192.168.2.1), but still can not ping from control 
> node to the router gateway. I am using GRE tunneling. I saw there is a tag 
> 4095 in the tap port of the br-int bridge. Is this OK? Please advise. From 
> the following data, is there a way to debug the issue?
> 
> Thanks,
> Mitchell
> 
> 
> root@control:~# ovs-vsctl show
> f22d3ba4-d785-4fe7-a283-16ffbc75c434
>     Bridge br-int
>         fail_mode: secure
>         Port "qr-784a2f1c-e6"
>             tag: 1
>             Interface "qr-784a2f1c-e6"
>                 type: internal
>         Port "tap27dd1b25-62"
>             tag: 4095
>             Interface "tap27dd1b25-62"
>                 type: internal
>         Port br-int
>             Interface br-int
>                 type: internal
>         Port patch-tun
>             Interface patch-tun
>                 type: patch
>                 options: {peer=patch-int}
>     Bridge br-tun
>         Port patch-int
>             Interface patch-int
>                 type: patch
>                 options: {peer=patch-tun}
>         Port "gre-c0a801cc"
>             Interface "gre-c0a801cc"
>                 type: gre
>                 options: {in_key=flow, local_ip="192.168.1.220", out_key=flow, remote_ip="192.168.1.204"}
>         Port "gre-c0a801d5"
>             Interface "gre-c0a801d5"
>                 type: gre
>                 options: {in_key=flow, local_ip="192.168.1.220", out_key=flow, remote_ip="192.168.1.213"}
>         Port br-tun
>             Interface br-tun
>                 type: internal
>         Port "gre-c0a801d2"
>             Interface "gre-c0a801d2"
>                 type: gre
>                 options: {in_key=flow, local_ip="192.168.1.220", out_key=flow, remote_ip="192.168.1.210"}
>     Bridge br-ex
>         Port "qg-6849da02-da"
>             Interface "qg-6849da02-da"
>                 type: internal
>         Port br-ex
>             Interface br-ex
>                 type: internal
>         Port "eth2"
>             Interface "eth2"
>     ovs_version: "2.0.2"
> 
> root@control:~# ovs-ofctl dump-flows br-int
> NXST_FLOW reply (xid=0x4):
> cookie=0x0, duration=55.846s, table=0, n_packets=2, n_bytes=214, idle_age=8, priority=1 actions=NORMAL
> cookie=0x0, duration=55.649s, table=22, n_packets=0, n_bytes=0, idle_age=55, priority=0 actions=drop
> 
> root@ control:~# ovs-ofctl dump-flows br-tun
> NXST_FLOW reply (xid=0x4):
> cookie=0x0, duration=66.836s, table=0, n_packets=0, n_bytes=0, idle_age=66, priority=1,in_port=3 actions=resubmit(,2)
> cookie=0x0, duration=68.694s, table=0, n_packets=0, n_bytes=0, idle_age=68, priority=1,in_port=1 actions=resubmit(,1)
> cookie=0x0, duration=66.545s, table=0, n_packets=0, n_bytes=0, idle_age=66, priority=1,in_port=4 actions=resubmit(,2)
> cookie=0x0, duration=67.159s, table=0, n_packets=32, n_bytes=5592, idle_age=1, priority=1,in_port=2 actions=resubmit(,2)
> cookie=0x0, duration=68.59s, table=0, n_packets=5, n_bytes=390, idle_age=59, priority=0 actions=drop
> cookie=0x0, duration=68.495s, table=1, n_packets=0, n_bytes=0, idle_age=68, priority=1,dl_dst=00:00:00:00:00:00/01:00:00:00:00:00 actions=resubmit(,20)
> cookie=0x0, duration=68.391s, table=1, n_packets=0, n_bytes=0, idle_age=68, priority=1,dl_dst=01:00:00:00:00:00/01:00:00:00:00:00 actions=resubmit(,21)
> cookie=0x0, duration=64.686s, table=2, n_packets=32, n_bytes=5592, idle_age=1, priority=1,tun_id=0x2 actions=mod_vlan_vid:1,resubmit(,10)
> cookie=0x0, duration=68.293s, table=2, n_packets=0, n_bytes=0, idle_age=68, priority=0 actions=drop
> cookie=0x0, duration=68.193s, table=3, n_packets=0, n_bytes=0, idle_age=68, priority=0 actions=drop
> cookie=0x0, duration=68.082s, table=10, n_packets=32, n_bytes=5592, idle_age=1, priority=1 actions=learn(table=20,hard_timeout=3
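Added example (not part of the original thread): a check for the condition the reply above describes, a port on br-int carrying tag 4095, followed by the suggested lookup of a matching Neutron port. The parser is keyword-based so it accepts both raw and mail-quoted `ovs-vsctl show` text; the function names and the Neutron port IDs are constructed, and it assumes a device name is a 3-character prefix plus the first characters of the port UUID, which is what the grep in the reply relies on.

```python
import re

DEAD_VLAN = 4095  # the tag the reply above reads as "that tap is stale"

# br-int and br-ex sections of the `ovs-vsctl show` output quoted in the thread.
SAMPLE_SHOW = """\
f22d3ba4-d785-4fe7-a283-16ffbc75c434
    Bridge br-int
        fail_mode: secure
        Port "qr-784a2f1c-e6"
            tag: 1
            Interface "qr-784a2f1c-e6"
                type: internal
        Port "tap27dd1b25-62"
            tag: 4095
            Interface "tap27dd1b25-62"
                type: internal
        Port br-int
            Interface br-int
                type: internal
        Port patch-tun
            Interface patch-tun
                type: patch
                options: {peer=patch-int}
    Bridge br-ex
        Port "qg-6849da02-da"
            Interface "qg-6849da02-da"
                type: internal
    ovs_version: "2.0.2"
"""

# Constructed IDs standing in for the first column of `neutron port-list`.
CONSTRUCTED_PORT_IDS = [
    "27dd1b25-6200-4000-8000-000000000001",
    "784a2f1c-e600-4000-8000-000000000002",
]

SECTION = re.compile(r'^(Bridge|Port|Interface)\s+"?([^"]+?)"?$')
ATTR = re.compile(r'^(tag|type):\s*"?([^"]*?)"?$')


def parse_ports(show_text):
    """Return one dict per Port: bridge, port name, VLAN tag and interface type."""
    ports, bridge, port = [], None, None
    for raw in show_text.splitlines():
        # Drop indentation and any "> " mail-quote prefix before matching.
        line = raw.lstrip("> \t").rstrip()
        section = SECTION.match(line)
        attr = ATTR.match(line)
        if section:
            kind, name = section.groups()
            if kind == "Bridge":
                bridge, port = name, None
            elif kind == "Port":
                port = {"bridge": bridge, "port": name, "tag": None, "type": None}
                ports.append(port)
        elif attr and port is not None:
            key, value = attr.groups()
            port[key] = int(value) if key == "tag" and value.isdigit() else value
    return ports


def stale_ports(ports, neutron_port_ids):
    """Map each port tagged 4095 to the Neutron port ID it matches, or None."""
    result = {}
    for p in ports:
        if p["tag"] != DEAD_VLAN:
            continue
        fragment = p["port"][3:]  # assumption: "tap"/"qr-"/"qg-" + start of UUID
        result[p["port"]] = next(
            (pid for pid in neutron_port_ids if pid.startswith(fragment)), None
        )
    return result


if __name__ == "__main__":
    for name, port_id in stale_ports(parse_ports(SAMPLE_SHOW),
                                     CONSTRUCTED_PORT_IDS).items():
        state = "Neutron port %s still exists" % port_id if port_id else "no Neutron port"
        print("%s: tag %d, %s" % (name, DEAD_VLAN, state))
```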

Re: [Openstack] [Icehouse][neutron][manto-to-one NAT]

2015-01-21 Thread James Denton
Hi Subbareddy,

SNAT, or source NAT, is the ‘many-to-one’ NAT mode you are referring to. 
Instances that do not have a floating IP will be NAT’d to the IP address of the 
qg interface of the router. This is akin to a PAT on other firewalls.

A floating IP is akin to a static 1-to-1 NAT, and takes precedence over the 
default SNAT behavior.

By setting enable_snat to false, your traffic is being forwarded out of the 
router as the fixed IP of the instance.

James

On Jan 21, 2015, at 8:15 AM, Chinasubbareddy M <chinasubbaredd...@persistent.com> wrote:

HI all,

I would like to understand many to one NAT feature  by neutron , so I have 
created a gateway for router with "enable_snat” on disable mode, now I am 
confused how to use many to one NAT, can you please guide me ?

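root@vpnaas1:~# neutron router-show 1dc4a054-1a93-4962-abaa-01f118a3
+-----------------------+------------------------------------------------------------------------------+
| Field                 | Value                                                                        |
+-----------------------+------------------------------------------------------------------------------+
| admin_state_up        | True                                                                         |
| external_gateway_info | {"network_id": "bc9172f9-25e7-454b-a387-d81ee79be74d", "enable_snat": false} |
| id                    | 1dc4a054-1a93-4962-abaa-01f118a3                                             |
| name                  | router1                                                                      |
| routes                |                                                                              |
| status                | ACTIVE                                                                       |
| tenant_id             | 4123b6cff1124795959f4dc73e82531a                                             |
+-----------------------+------------------------------------------------------------------------------+
root@vpnaas1:~#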


Regards,
Subbareddy,
Persistent systems ltd.



Re: [Openstack] How to reset neutron (to clear leftovers from incorrect configuration)

2015-01-15 Thread James Denton
Hi Uwe,

What leads you to believe it’s defective? I think with the right output and 
config files we can figure out what’s missing. 

James

> On Jan 15, 2015, at 3:14 PM, Uwe Sauter  wrote:
> 
> Bump
> 
> No one to comment on this approach? Am I missing something or is this the
> proper way to reset Neutron?
> 
> 
> Regards,
> 
>Uwe
> 
> 
> -------- Forwarded Message --------
> Subject: How to reset neutron (to clear leftovers from incorrect
> configuration)
> Date: Tue, 13 Jan 2015 15:00:01 +0100
> From: Uwe Sauter 
> Reply-To: uwe.sauter...@gmail.com
> To: openstack@lists.openstack.org
> 
> Hi all,
> 
> I'd like to get your comments on how to correctly clean a defective
> neutron configuration so I can start over with a new config.
> 
> I'm currently running on CentOS 7 but try to keep it as generic as
> possible (but the distro affects the service and package names…)
> 
> 
>  Compute hosts 
> 1) stop service:
>   # systemctl stop neutron-openvswitch-agent.service
> 2) remove Openvswitch bridges:
>   # ovs-vsctl del-br br-tun
>   # ovs-vsctl del-br br-int
> 3) stop services:
>   # systemctl stop openvswitch.service
>   # systemctl stop openvswitch-nonetwork.service
> 4) remove Openvswitch persistent configuration
>   # rm -rf /etc/openvswitch/* /etc/openvswitch/.*
> 5) remove Openvswitch Kernel module
>   # rmmod openvswitch
> 6) optionally: reset configuration files:
>   # rm -rf /etc/neutron/*
>   # yum reinstall openstack-neutron openstack-neutron-ml2
> openstack-neutron-openvswitch (or whatever plugins were installed
> additionally)
> #
> 
> 
>  Network host 
> 1) stop services:
>   # systemctl stop neutron-l3-agent.service
>   # systemctl stop neutron-dhcp-agent.service
>   # systemctl stop neutron-metadata-agent.service
>   # systemctl stop neutron-openvswitch-agent.service
>   # systemctl stop neutron-ovs-cleanup.service
>   # systemctl stop neutron-openvswitch-agent.service
> 2) remove Openvswitch bridges:
>   # ovs-vsctl del-br br-tun
>   # ovs-vsctl del-br br-int
>   # ovs-vsctl del-br br-ex
> 3) stop services:
>   # systemctl stop openvswitch.service
>   # systemctl stop openvswitch-nonetwork.service
> 4) remove Openvswitch persistent configuration
>   # rm -rf /etc/openvswitch/* /etc/openvswitch/.*
> 5) remove Openvswitch Kernel module
>   # rmmod openvswitch
> 6) optionally: reset configuration files:
>   # rm -rf /etc/neutron/*
>   # yum reinstall openstack-neutron openstack-neutron-ml2
> openstack-neutron-openvswitch (or whatever plugins were installed
> additionally)
> #
> 
> 
>  Neutron controller host 
> 1) stop service:
>   # systemctl stop neutron-server.service
> 2) clear neutron database (on database host):
>   # mysql -u  -p
>   mysql> drop database neutron;
>   mysql> create database neutron;
> 3) optionally: reset configuration files:
>   # rm -rf /etc/neutron/*
>   # yum reinstall openstack-neutron openstack-neutron-ml2 (or whatever
> plugins were installed additionally)
> #
> 
> 
> When come to that point, one can begin configuring Neutron again from a
> clean point. Don't forget to:
> 
> 1) create a symlink on each host
>   /etc/neutron/plugin.ini -> /etc/neutron/plugins/ml2/ml2_conf.ini
> 2) sync the database on the controller host
> 3) configure Neutron
> 4) restart services on all hosts
> 
> 
> Do I forget any step? Is there an easier way to get back the vanilla state?
> 
> 
> Best regards,
> 
>   Uwe
> 
> 
> 


Re: [Openstack] Juno (Ubuntu) Flat Network

2015-01-15 Thread James Denton
Hi Ross,

> *  can I share the br-ex interface or do I need to use a separate physical 
> interface on the network node? Neutron complains loudly when I try to do 
> this, so I suspect the answer is an emphatic NO.

If you already have a flat network associated with a provider bridge, you will 
be unable to associate another to that bridge. You would need a separate bridge 
configured on the host, along with a corresponding label in the Neutron config, 
before you could create this second flat network. 

> *  is a GRE tunnel still used for a simple flat network between the compute 
> nodes and the network node?

You can still leverage GRE for tenant networks, connect them to a router, and 
have the external router interface connected to the new flat network (as long 
as external=true). This works in Icehouse and beyond.

> when I bring up a separate external interface (call this br-ex2) and try to 
> create the simple flat network using this physical interface, then when I try 
> to boot an instance it fails with a “No available host” found”, with errors 
> also in the nova-conductor log regarding vif interface mapping problems.

If you are attempting to connect instances directly to this flat network, 
rather than a GRE network, you would need to create the bridge on every compute 
node. The bridge label must be consistent among the hosts, but the bridge 
interface mapped to the label can vary.

You can get creative with how these flat bridges are created. Typically, one 
might expect a bridge to contain a physical interface (ie. eth2) and allow 
Neutron to tag traffic (vlan) or not tag traffic (flat). The latter requires 
the use of a native vlan on the trunk. I have seen folks create multiple 
bridges and add host-level vlan interfaces to them so that they could create 
multiple “flat” networks in Neutron. To me, this defeats the purpose of having 
Neutron manage tagging and I don’t recommend it.

Let me know if this didn’t address your questions.

James

> On Jan 13, 2015, at 8:14 PM, Ross Lillie  
> wrote:
> 
> All,
> 
> I’ve just upgraded our cloud from Havana to Juno.
> 
> I’ve succeeded in configuring Neutron with a flat, external network and 
> individual tenants can attach to it via a virtual router and floating 
> address, using GRE tunnels.  However, I also need to configure a simple flat 
> network for a given tenant that maps directly to our campus network (i.e. 
> WAN).
> 
> I’m having problems getting this configured correctly.  Neutron is configured 
> entirely on its own node, with multiple interfaces: eth0 is attached to our 
> campus network and serves as the management interface, br-ex (eth2) is 
> attached to our campus backbone and is used to create the “external" flat 
> network, br-data (eth1) is attached to the cloud’s data network. Compute 
> nodes are configured with a single interface br-data (eth0).
> 
> Now to create a simple flat network:
> 
> *  can I share the br-ex interface or do I need to use a separate physical 
> interface on the network node? Neutron complains loudly when I try to do 
> this, so I suspect the answer is an emphatic NO.
> *  when I bring up a separate external interface (call this br-ex2) and try 
> to create the simple flat network using this physical interface, then when I 
> try to boot an instance it fails with a “No available host” found”, with 
> errors also in the nova-conductor log regarding vif interface mapping 
> problems.
> 
> I had this working in Havana using VLAN networks, but can’t seem to get 
> things working with GRE tunnels. 
> 
> Any tips/pointers would be appreciated
> —
> Ross Lillie, Motorola Solutions
> CTO, SST, Applications & Services Research
> 
> 
> 


Re: [Openstack] [juno][DVR]

2015-01-02 Thread James Denton
Hi Subbareddy,

Can you run that command again and then take a look at 
/var/log/neutron/server.log? It should give some indication as to what went 
wrong.

If you'd like, I wouldn't mind seeing your l3_agent.ini, neutron.conf, and 
ml2_conf.ini from the controller/compute nodes if you want to post them 
somewhere.

James

From: Chinasubbareddy M [chinasubbaredd...@persistent.com]
Sent: Thursday, January 01, 2015 6:26 PM
To: James Denton; openstack@lists.openstack.org
Subject: RE: [Openstack] [juno][DVR]

Hi James,

If I try with out –-name, this is the output,

root@junoos:~# neutron router-create another_router --distributed True
Not Implemented (HTTP 501) (Request-ID: 
req-ed06ba44-48db-46ff-810d-1b323e03d651)
root@junoos:~#

From: James Denton [mailto:james.den...@rackspace.com]
Sent: Thursday, January 01, 2015 9:56 PM
To: Chinasubbareddy M; openstack@lists.openstack.org
Subject: RE: [Openstack] [juno][DVR]

Hi Subbareddy,

Have you tried without --name?

[root@controller ~]# neutron router-create another_router --distributed True
Created a new router:
+-----------------------+--------------------------------------+
| Field                 | Value                                |
+-----------------------+--------------------------------------+
| admin_state_up        | True                                 |
| distributed           | True                                 |
| external_gateway_info |                                      |
| ha                    | False                                |
| id                    | 58f8b03d-f230-4dcb-be7b-71c73a167e41 |
| name                  | another_router                       |
| routes                |                                      |
| status                | ACTIVE                               |
| tenant_id             | 00b1617b007d41b7aa777e0c97afdccc     |
+-----------------------+--------------------------------------+

James

From: Chinasubbareddy M [chinasubbaredd...@persistent.com]
Sent: Wednesday, December 31, 2014 5:06 AM
To: James Denton; openstack@lists.openstack.org
Subject: RE: [Openstack] [juno][DVR]
Hi James,

Yes, I have the setup up and running with router and I manually installed the 
services.
I followed the link that I sent,  if I try to create the router with 
distributed option , it is getting failed .

Here is the output of the command:

root@junoos:~# neutron router-create --name another_router --distributed True
Invalid input for name. Reason: 'True' is not a valid string. (HTTP 400) 
(Request-ID: req-96e0bcab-a9ec-43b8-af68-de55c3ed4a43)

My other doubt is about the link, which asks to make changes in ml2_conf.ini and 
ovs_neutron_plugin.ini,
but I am using only the ml2 plugin. Please suggest.


Regards,
Subbareddy.


From: James Denton [mailto:james.den...@rackspace.com]
Sent: Tuesday, December 30, 2014 9:42 PM
To: Chinasubbareddy M; openstack@lists.openstack.org
Subject: RE: [Openstack] [juno][DVR]

Subbareddy,

I have been working on this over the last day or so, and have been using the 
link you sent as reference. It is lacking in a few details, however, I got it 
to work.

A couple of questions:

1. Did you have a working legacy router configuration prior to messing with DVR?
2. Did you have a working GRE/VXLAN tenant network that used the legacy router?

I recommend setting up a legacy router first, testing it, and then making the 
few modifications to get DVR working once you have a concrete network setup. 
I'm happy to provide you with those steps once I polish them up a little bit.

James

From: Chinasubbareddy M [chinasubbaredd...@persistent.com]
Sent: Saturday, December 27, 2014 2:52 PM
To: openstack@lists.openstack.org
Subject: [Openstack] [juno][DVR]

Hi,

Can you please guide me in configuring DVR in Juno?
I referred to the following link but was not able to do it, as router create with 
distributed true failed to create the distributed router.

http://docs.openstack.org/networking-guide/content/ha-dvr.html

Regards,
Subbareddy.

DISCLAIMER == This e-mail may contain privileged and confidential 
information which is the property of Persistent Systems Ltd. It is intended 
only for the use of the individual or entity to which it is addressed. If you 
are not the intended recipient, you are not authorized to read, retain, copy, 
print, distribute or use this message. If you have received this communication 
in error, please notify the sender and delete all copies of this message. 
Persistent Systems Ltd. does not accept any liability for virus infected mails.


Re: [Openstack] [juno][DVR]

2015-01-01 Thread James Denton
Hi Subbareddy,

Have you tried without --name?

[root@controller ~]# neutron router-create another_router --distributed True
Created a new router:
+-----------------------+--------------------------------------+
| Field                 | Value                                |
+-----------------------+--------------------------------------+
| admin_state_up        | True                                 |
| distributed           | True                                 |
| external_gateway_info |                                      |
| ha                    | False                                |
| id                    | 58f8b03d-f230-4dcb-be7b-71c73a167e41 |
| name                  | another_router                       |
| routes                |                                      |
| status                | ACTIVE                               |
| tenant_id             | 00b1617b007d41b7aa777e0c97afdccc     |
+-----------------------+--------------------------------------+

James

From: Chinasubbareddy M [chinasubbaredd...@persistent.com]
Sent: Wednesday, December 31, 2014 5:06 AM
To: James Denton; openstack@lists.openstack.org
Subject: RE: [Openstack] [juno][DVR]

Hi James,

Yes, I have the setup up and running with a router, and I manually installed the 
services.
I followed the link that I sent; if I try to create the router with the 
distributed option, it fails.

Here is the output of the command:

root@junoos:~# neutron router-create --name another_router --distributed True
Invalid input for name. Reason: 'True' is not a valid string. (HTTP 400) 
(Request-ID: req-96e0bcab-a9ec-43b8-af68-de55c3ed4a43)

My other doubt is about the link, which asks to make changes in ml2_conf.ini and 
ovs_neutron_plugin.ini,
but I am using only the ml2 plugin. Please suggest.


Regards,
Subbareddy.


From: James Denton [mailto:james.den...@rackspace.com]
Sent: Tuesday, December 30, 2014 9:42 PM
To: Chinasubbareddy M; openstack@lists.openstack.org
Subject: RE: [Openstack] [juno][DVR]

Subbareddy,

I have been working on this over the last day or so, and have been using the 
link you sent as reference. It is lacking in a few details, however, I got it 
to work.

A couple of questions:

1. Did you have a working legacy router configuration prior to messing with DVR?
2. Did you have a working GRE/VXLAN tenant network that used the legacy router?

I recommend setting up a legacy router first, testing it, and then making the 
few modifications to get DVR working once you have a concrete network setup. 
I'm happy to provide you with those steps once I polish them up a little bit.

James

From: Chinasubbareddy M [chinasubbaredd...@persistent.com]
Sent: Saturday, December 27, 2014 2:52 PM
To: openstack@lists.openstack.org
Subject: [Openstack] [juno][DVR]

Hi,

Can you please guide me in configuring DVR in Juno?
I referred to the following link but was not able to do it, as router create with 
distributed true failed to create the distributed router.

http://docs.openstack.org/networking-guide/content/ha-dvr.html

Regards,
Subbareddy.

___
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack


Re: [Openstack] [juno][DVR]

2014-12-30 Thread James Denton
Subbareddy,

I have been working on this over the last day or so, and have been using the 
link you sent as reference. It is lacking in a few details, however, I got it 
to work.

A couple of questions:

1. Did you have a working legacy router configuration prior to messing with DVR?
2. Did you have a working GRE/VXLAN tenant network that used the legacy router?

I recommend setting up a legacy router first, testing it, and then making the 
few modifications to get DVR working once you have a concrete network setup. 
I'm happy to provide you with those steps once I polish them up a little bit.

James


From: Chinasubbareddy M [chinasubbaredd...@persistent.com]
Sent: Saturday, December 27, 2014 2:52 PM
To: openstack@lists.openstack.org
Subject: [Openstack] [juno][DVR]

Hi,

Can you please guide me in configuring DVR in Juno?
I referred to the following link but was not able to do it, as router create with 
distributed true failed to create the distributed router.

http://docs.openstack.org/networking-guide/content/ha-dvr.html

Regards,
Subbareddy.

___
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack


Re: [Openstack] floating ip list shows whole subnet for non-admin user

2014-11-10 Thread James Denton
Try nova floating-ip-list, rather than the nova-manage commands.

http://docs.openstack.org/user-guide/content/floating_ips_proc.html

My experience is to avoid nova-manage when possible. Much better results using 
the python-novaclient equivalents.

James

On Nov 10, 2014, at 8:54 AM, mad Engineer <themadengin...@gmail.com> wrote:

Hi,
I am using nova-network and using this command to try to list the available 
floating IPs in my tenant:

nova-manage floating list

but this shows a whole subnet and not just the floating IPs available in my tenant.

Other commands like nova list show output as expected.

How can I restrict users to see only the resources allocated to their tenant, i.e. it is 
restricted to use only 12 floating IPs?

Thanks


___
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack


Re: [Openstack] [openstack][icehouse][neutron][floatingip][br-ex]

2014-10-17 Thread James Denton
Subbareddy,

Added one of my nic which has connected to trunk port of switch to br-ex , I 
would like create multiple external networks and use each one for them for 
different  tenants or if different tenants wants to create their own floating 
ip networks ,what is the solution?

Tenants are not able to create their own floating IP networks. That is handled 
by the administrator. A provider network needs the router:external attribute 
set to TRUE to be eligible as a floating pool.

Issues I am facing here are:

I . if I add multiple subnets to external network , how to create floating ip 
from specific subnet?

As far as I know, you can’t. Not sure about Juno, but in Havana there was no 
way to specify an address from the pool with the floatingip-create command. The 
address used would be the next available address. It will consume all addrs 
from the allocation range in subnet1, then move on to subnet2.

Ii . can I create multiple external networks with single L3 agent?

Yes, starting with Icehouse. There is no special configuration as far as I 
know. You can have multiple provider networks with router:external set to true.

iii.  should I create virtual interfaces like eth2.23(23 is vlan)  and add them 
to br-ex for each vlan?

You will not want to add multiple interfaces to the br-ex bridge if that’s what 
you’re using, as you would then bridge all of the vlans. Rather than using a 
hard-defined bridge in the l3_agent.ini, set external_network_bridge to 
‘br-int’ or just leave it blank. For every floating pool you want to create, 
use the net-create/subnet-create commands to create the networks and set 
router:external to true. Neutron will place both the qg and qr ports in the 
integration bridge, and leverage the corresponding provider bridge you 
specified in net-create.

When tenants create their router and use router-gateway-set to attach to one of 
the networks you created, Neutron will connect the router ports to br-int, set 
the internal vlan accordingly on each port, and build the corresponding flows 
on the integration and provider bridges.

The idea is to leverage OVS to do the VLAN tagging for you, so don’t put 
eth2.23 in the bridge - put eth2 in the provider bridge and specify VLAN 23 as 
the segmentation Id in the net-create command. You can leverage the same 
provider bridge for multiple VLANs when OVS does the tagging.

Hope that helps.

James



Correct me if  I am wrong in understanding  floating ip networks in neutron.


On Oct 16, 2014, at 8:05 PM, Chinasubbareddy M <chinasubbaredd...@persistent.co.in> wrote:

Thank you so much for your clarification, James.
Can you please guide me on the second question that I asked in the mail?
If each tenant wants to create their own floating IP networks, what is the 
best design?

From: James Denton [mailto:james.den...@rackspace.com]
Sent: Thursday, October 16, 2014 11:12 PM
To: Chinasubbareddy M; openstack@lists.openstack.org
Subject: Re: [Openstack] [openstack][icehouse][neutron][floatingip][br-ex]

Subbareddy,

The external bridge (br-ex), when set, is used only for the external (qg) port 
of the router AFAIK and does not need to connect to br-int. The internal 
interface of the router (qr) is connected to the integration bridge. If 
floating IPs are working ok, and your router is properly routing traffic to 
instances, then your configuration is working properly as-is. A provider 
bridge, like br-eth1, would connect to the integration bridge via a patch port 
as you’ve described.

James

From: Chinasubbareddy M <chinasubbaredd...@persistent.co.in>
Date: Thursday, October 16, 2014 at 11:58 AM
To: "openstack@lists.openstack.org" <openstack@lists.openstack.org>
Subject: [Openstack] [openstack][icehouse][neutron][floatingip][br-ex]

Hi,

1. I have successfully configured floating IPs in Neutron and everything is 
working fine, but as per the docs an int-br-ex and phy-br-int 
veth pair should be created between br-int and br-ex. That is not 
created in my setup, yet floating IPs are working fine. Please suggest.
2. I added one of my NICs, which is connected to a trunk port of the switch, to 
br-ex. I would like to create multiple external networks and use each one of 
them for different tenants. Or, if different tenants want to create their own 
floating IP networks, what is the solution?

Issues I am facing here are:

i. If I add multiple subnets to an external network, how do I create a floating IP 
from a specific subnet?
ii. Can I create multiple external networks with a single L3 agent?
iii. Should I create virtual interfaces like eth2.23 (23 is the VLAN) and add them 
to br-ex for each VLAN?

Correct me if I am wrong in my understanding of floating IP networks in Neutron.


Here is my ovs-vsctl output:

ovs-vsctl show
f85c99e8-7423-42da-879e-8d4e3f79c7f2
Bridge br-ex
Por

Re: [Openstack] [openstack][icehouse][neutron][floatingip][br-ex]

2014-10-16 Thread James Denton
Subbareddy,

The external bridge (br-ex), when set, is used only for the external (qg) port 
of the router AFAIK and does not need to connect to br-int. The internal 
interface of the router (qr) is connected to the integration bridge. If 
floating IPs are working ok, and your router is properly routing traffic to 
instances, then your configuration is working properly as-is. A provider 
bridge, like br-eth1, would connect to the integration bridge via a patch port 
as you’ve described.

James

From: Chinasubbareddy M <chinasubbaredd...@persistent.co.in>
Date: Thursday, October 16, 2014 at 11:58 AM
To: "openstack@lists.openstack.org" <openstack@lists.openstack.org>
Subject: [Openstack] [openstack][icehouse][neutron][floatingip][br-ex]

Hi,

1. I have successfully configured floating IPs in Neutron and everything is 
working fine, but as per the docs an int-br-ex and phy-br-int 
veth pair should be created between br-int and br-ex. That is not 
created in my setup, yet floating IPs are working fine. Please suggest.
2. I added one of my NICs, which is connected to a trunk port of the switch, to 
br-ex. I would like to create multiple external networks and use each one of 
them for different tenants. Or, if different tenants want to create their own 
floating IP networks, what is the solution?

Issues I am facing here are:

i. If I add multiple subnets to an external network, how do I create a floating IP 
from a specific subnet?
ii. Can I create multiple external networks with a single L3 agent?
iii. Should I create virtual interfaces like eth2.23 (23 is the VLAN) and add them 
to br-ex for each VLAN?

Correct me if I am wrong in my understanding of floating IP networks in Neutron.


Here is my ovs-vsctl output:

ovs-vsctl show
f85c99e8-7423-42da-879e-8d4e3f79c7f2
    Bridge br-ex
        Port "em3.29"
            Interface "em3.29"
        Port "qg-01b3854d-fa"
            Interface "qg-01b3854d-fa"
                type: internal
        Port br-ex
            Interface br-ex
                type: internal
    Bridge "br-eth1"
        Port "phy-br-eth1"
            Interface "phy-br-eth1"
        Port "br-eth1"
            Interface "br-eth1"
                type: internal
        Port "em2"
            Interface "em2"
    Bridge br-int
        Port "qr-b70d92cb-cd"
            tag: 2
            Interface "qr-b70d92cb-cd"
                type: internal
        Port "qvoa239a290-cf"
            tag: 2
            Interface "qvoa239a290-cf"
        Port br-int
            Interface br-int
                type: internal
        Port "tapfaa69064-de"
            tag: 5
            Interface "tapfaa69064-de"
                type: internal
        Port "int-br-eth1"
            Interface "int-br-eth1"
        Port "qvo9bce9829-2a"
            tag: 5
            Interface "qvo9bce9829-2a"
        Port "tapd3e11080-82"
            tag: 2
            Interface "tapd3e11080-82"
                type: internal

regards,
subbareddy,
persistent systems ltd.

___
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
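One way to read the `ovs-vsctl show` output quoted in this thread, as an added example that is not part of the original messages: a Python parser that maps ports to bridges and reports, per bridge, whether it is linked to br-int, whether it holds a router gateway (qg-) port, and whether VLAN subinterfaces were added to it. The function names are hypothetical, the sample is the thread's output (abbreviated), and the `phy-<bridge>` / `int-<bridge>` naming is taken from that output.

```python
import re

# Output quoted in the thread above (abbreviated; three br-int ports omitted).
SAMPLE = """\
f85c99e8-7423-42da-879e-8d4e3f79c7f2
    Bridge br-ex
        Port "em3.29"
            Interface "em3.29"
        Port "qg-01b3854d-fa"
            Interface "qg-01b3854d-fa"
                type: internal
        Port br-ex
            Interface br-ex
                type: internal
    Bridge "br-eth1"
        Port "phy-br-eth1"
            Interface "phy-br-eth1"
        Port "br-eth1"
            Interface "br-eth1"
                type: internal
        Port "em2"
            Interface "em2"
    Bridge br-int
        Port "qr-b70d92cb-cd"
            tag: 2
            Interface "qr-b70d92cb-cd"
                type: internal
        Port br-int
            Interface br-int
                type: internal
        Port "int-br-eth1"
            Interface "int-br-eth1"
        Port "qvo9bce9829-2a"
            tag: 5
            Interface "qvo9bce9829-2a"
"""

NAMED = re.compile(r'^(Bridge|Port|Interface)\s+"?([^"]+)"?$')
ATTR = re.compile(r'^(tag|type):\s*(\S+)$')
# Names such as em3.29 or eth2.23: a kernel VLAN subinterface, already tagged.
VLAN_SUBIF = re.compile(r'^[A-Za-z][\w-]*\.\d{1,4}$')


def parse_ovs_show(text):
    """Return {bridge: {port: {"tag": int or None, "type": str or None}}}.

    Lines are matched by keyword, not indentation, so the flattened copy in
    the mail archive parses the same as real `ovs-vsctl show` output.
    The interface "type" is recorded on the port that owns the interface.
    """
    bridges, bridge, port = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        named = NAMED.match(line)
        if named:
            kind, name = named.groups()
            if kind == "Bridge":
                bridge, port = bridges.setdefault(name, {}), None
            elif kind == "Port" and bridge is not None:
                port = bridge.setdefault(name, {"tag": None, "type": None})
            continue
        attr = ATTR.match(line)
        if attr and port is not None:
            key, value = attr.groups()
            port[key] = int(value) if key == "tag" else value
    return bridges


def summarize(bridges, integration="br-int"):
    """Per non-integration bridge: is it linked to br-int, does it hold a
    router gateway (qg-) port, and were VLAN subinterfaces added to it?"""
    integ = bridges.get(integration, {})
    report = {}
    for name, ports in bridges.items():
        if name == integration:
            continue
        report[name] = {
            "linked_to_br_int": f"phy-{name}" in ports and f"int-{name}" in integ,
            "router_gateway_ports": sorted(p for p in ports if p.startswith("qg-")),
            "vlan_subinterfaces": sorted(p for p in ports if VLAN_SUBIF.match(p)),
        }
    return report


if __name__ == "__main__":
    for bridge_name, facts in summarize(parse_ovs_show(SAMPLE)).items():
        print(bridge_name, facts)
```

On the thread's output this reports br-ex as holding the qg- port and the em3.29 subinterface with no link to br-int, and br-eth1 as a provider bridge linked to br-int.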


Re: [Openstack] Name Resolution problem (ICEHOUSE)

2014-10-14 Thread James Denton
Hi Amit,

Have you tried specifying a name server with dig? I.e. dig domain.com @8.8.8.8 
<-- Google DNS

Have you confirmed your instances have a resolver configured in 
/etc/resolv.conf? This usually occurs via DHCP.

James

From: Amit Anand <mr_amitan...@yahoo.com>
Reply-To: Amit Anand <mr_amitan...@yahoo.com>
Date: Tuesday, October 14, 2014 at 11:59 AM
To: "openstack@lists.openstack.org" <openstack@lists.openstack.org>
Subject: [Openstack] Name Resolution problem (ICEHOUSE)

Hi all,

So I have a DNS (or at least it seems to be only DNS) problem with the VMs I 
have created. I cannot resolve anything from within the VMs. I can ping 
outside by IP (i.e., I can ping Google, etc., but only by IP) but cannot do a dig, 
curl, nslookup, etc. by name. I have no clue why this is happening and I've tried 
some of the solutions others have recommended at Ask OpenStack, but to no avail. 
I was hoping someone here may be able to point me in the right direction. I have 
also posted the question at Ask; all the node stack details are here:

No internet access from VM - Ask OpenStack: Q&A Site for OpenStack Users and 
Developers

Thanks in advance for any help!

Amit

___
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack


Re: [Openstack] [qa] How to troubleshoot why a VM at Compute node won't response to ARP request from Neutron router

2014-10-13 Thread James Denton
Hi Danny,

Did your instance get its IP from DHCP? This may be seen in the console log 
using ‘nova console-log ’. The output will vary depending on the 
instance's OS. To troubleshoot DHCP issues, use tcpdump across the different 
interfaces (taps, bridges, physical interfaces) to verify DHCP is working 
properly using ‘tcpdump -i  port 67 or port 68’.

James

From: "Danny Choi (dannchoi)" <dannc...@cisco.com>
Date: Sunday, October 12, 2014 at 11:25 AM
To: "openstack@lists.openstack.org" <openstack@lists.openstack.org>, 
"openstack-...@lists.openstack.org" <openstack-...@lists.openstack.org>
Subject: [Openstack] [qa] How to troubleshoot why a VM at Compute node won't 
response to ARP request from Neutron router

Hi,

Using devstack to deploy OpenStack, I have Controller + Network running at one 
physical node and Compute at a separate node.

I launched a VM at the Compute node with a private address 10.0.0.2 (Neutron 
router interface is 10.0.0.1).

At the Controller node, in the qrouter namespace, I could not ping the VM 
private address 10.0.0.2.

At the Compute node, tcpdump of the tap interface indicated ARP requests were 
received.

However, it did not show any ARP response.

My understanding is that the VM’s virtual interface is directly connected to 
this tap interface.  Since the VM is unreachable, I cannot
launch its console to see if the ARP requests are received at the virtual 
interface.

Any suggestions on how to troubleshoot this?


localadmin@qa4:~/devstack$ nova show vm1
+--------------------------------------+----------------------------------------------------------------+
| Property                             | Value                                                          |
+--------------------------------------+----------------------------------------------------------------+
| OS-DCF:diskConfig                    | MANUAL                                                         |
| OS-EXT-AZ:availability_zone          | nova                                                           |
| OS-EXT-STS:power_state               | 1                                                              |
| OS-EXT-STS:task_state                | -                                                              |
| OS-EXT-STS:vm_state                  | active                                                         |
| OS-SRV-USG:launched_at               | 2014-10-12T14:25:15.00                                         |
| OS-SRV-USG:terminated_at             | -                                                              |
| accessIPv4                           |                                                                |
| accessIPv6                           |                                                                |
| config_drive                         |                                                                |
| created                              | 2014-10-12T14:23:30Z                                           |
| flavor                               | m1.tiny (1)                                                    |
| hostId                               | 00ac69883737ebd290ad4f38cae979a6e268902333261ba6bfbade44       |
| id                                   | 04b5a345-cadf-4dee-9209-5bcf589b6a3c                           |
| image                                | cirros-0.3.2-x86_64-uec (14a55982-a093-4850-80c8-7b2ae3a7eaba) |
| key_name                             | -                                                              |
| metadata                             | {}                                                             |
| name                                 | vm1                                                            |
| os-extended-volumes:volumes_attached | []                                                             |
| private network                      | 10.0.0.2, 172.29.173.5                                         |
| progress                             | 0                                                              |
| security_groups                      | default                                                        |
| status                               | ACTIVE                                                         |
| tenant_id                            | 90058797dddc49efae4d1f45aa5ab982                               |
| updated                              | 2014-10-12T14:23:39Z                                           |
| user_id                              | 5ab6344540974a1fbda5b539778ebe35                               |
+--------------------------------------+----------------------------------------------------------------+
localadmin@qa4:~/devstack$
localadmin@qa4:~/devstack$ ip netns
qdhcp-f55f0683-830f-4523-82cb-46d638f91d47
qrouter-62aecbdd-d58d-4b33-a743-b16c

Re: [Openstack] NFV in OpenStack

2014-10-08 Thread James Denton
Hi Vijay,

For those components to work you need a functional L3 agent and then specific 
configuration for each service. Do you mind elaborating on what it is you're 
looking to do or configure?

James Denton
Network Engineer
Rackspace Private Cloud
james.den...@rackspace.com

Sent from my iPhone

> On Oct 7, 2014, at 11:05 PM, Vijay Kakkar  wrote:
> 
> Hi Everyone,
> 
> Can you help/guide me to set up/design NFV (FWaaS, LBaaS), etc.? I have read 
> some docs, however I could not get what I was looking for. Any suggestions in 
> this regard will be appreciated.
> 
> 
> Thanks,
> Vijay
> ___
> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to : openstack@lists.openstack.org
> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack

___
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack


Re: [Openstack] Ping from Neutron router to VM at Compute Node

2014-10-07 Thread James Denton
The DHCP namespace connects to the VM network in that model, along with the 
instances. The router namespace connects to both the external and VM networks 
in that model. The router can ping the DHCP namespace along with instances, and 
vice versa. The router namespace provides external connectivity to instances 
via floating IPs (ie NATs) sourced from the external network.

The management network is used for OpenStack service traffic. You can get 
creative and collapse some of those networks in some cases.

James Denton
Network Engineer
Rackspace Private Cloud
james.den...@rackspace.com

Sent from my iPhone

On Oct 7, 2014, at 7:05 PM, Danny Choi (dannchoi) <dannc...@cisco.com> wrote:

Hi,

In a multinode setup, there are 3 networks.


  *   Management Network: Controller, Compute and Network
  *   VM traffic Network: Compute and Network
  *   External Network: Controller and Network

When pinging the VM at the Compute node from the Neutron router (via ip netns 
exec qrouter namespace),
which network is used?

Thanks,
Danny
___
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack


Re: [Openstack] Additional port is created when launch the 1st VM

2014-10-07 Thread James Denton
Hi Danny,

If the subnet had DHCP enabled, then that 'extra' port likely belongs to the 
DHCP namespace. It gets created upon the first boot of an instance in that 
network. The port will then hang around until the network is deleted. A 
port-show should show you the owner of the port.

James Denton
Network Engineer
Rackspace Private Cloud
james.den...@rackspace.com

Sent from my iPhone

On Oct 7, 2014, at 12:15 PM, Danny Choi (dannchoi) <dannc...@cisco.com> wrote:

Hi,

I used devstack to deploy Juno OpenStack.

By default, devstack created 2 users: admin (with role “admin”) and demo;
and 2 networks: public (tenant = admin) and private (tenant = demo)

In CLI as user demo, there is one port created (attached to the Neutron router):


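localadmin@qa4:~/devstack$ source openrc demo demo
localadmin@qa4:~/devstack$
localadmin@qa4:~/devstack$ neutron port-list
+--------------------------------------+------+-------------------+---------------------------------------------------------------------------------+
| id                                   | name | mac_address       | fixed_ips                                                                       |
+--------------------------------------+------+-------------------+---------------------------------------------------------------------------------+
| 8b747b8d-eb66-4cb9-92ef-c150078c50c7 |      | fa:16:3e:77:21:79 | {"subnet_id": "d05e862a-6fd1-4586-89ae-03dfa52cbf44", "ip_address": "10.0.0.1"} |
+--------------------------------------+------+-------------------+---------------------------------------------------------------------------------+

Launch a VM and attach the private network.

localadmin@qa4:~/devstack$ nova net-list
+--------------------------------------+---------+------+
| ID                                   | Label   | CIDR |
+--------------------------------------+---------+------+
| 0afb2bd6-38c7-401d-966e-857dd02ba322 | private | None |
| bc6e1c7d-6eca-419a-af93-47bb894e8789 | public  | None |
+--------------------------------------+---------+------+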

localadmin@qa4:~/devstack$ nova boot --image cirros-0.3.2-x86_64-uec --flavor 1 --nic net-id=0afb2bd6-38c7-401d-966e-857dd02ba322 vm1
+--------------------------------------+----------------------------------------------------------------+
| Property                             | Value                                                          |
+--------------------------------------+----------------------------------------------------------------+
| OS-DCF:diskConfig                    | MANUAL                                                         |
| OS-EXT-AZ:availability_zone          | nova                                                           |
| OS-EXT-STS:power_state               | 0                                                              |
| OS-EXT-STS:task_state                | -                                                              |
| OS-EXT-STS:vm_state                  | building                                                       |
| OS-SRV-USG:launched_at               | -                                                              |
| OS-SRV-USG:terminated_at             | -                                                              |
| accessIPv4                           |                                                                |
| accessIPv6                           |                                                                |
| adminPass                            | BDLgcrfCLV9h                                                   |
| config_drive                         |                                                                |
| created                              | 2014-10-07T16:35:07Z                                           |
| flavor                               | m1.tiny (1)                                                    |
| hostId                               |                                                                |
| id                                   | 38ed7d4c-26f9-4d27-8f50-8f85c680771b                           |
| image                                | cirros-0.3.2-x86_64-uec (0c56933c-1d35-41cc-8771-3c0aa4d7562f) |
| key_name                             | -                                                              |
| metadata                             | {}                                                             |
| name                                 | vm1                                                            |
| os-extended-volumes:volumes_attached | []                                                             |
| progress                             | 0                                                              |
| security_groups                      | default                                                        |

Re: [Openstack] Per tenant provider networks

2014-10-07 Thread James Denton
Hi Chris,

If you’re looking to provide a network to a tenant that is a flat/VLAN network 
using an external gateway, you should be able to create the network as a admin 
and use --tenant-id in the net-create and subnet-create commands to specify the 
ID of the tenant.

James

From: Martinx - ジェームズ <thiagocmarti...@gmail.com>
Date: Tuesday, October 7, 2014 at 8:09 AM
To: "c237...@gmail.com" <c237...@gmail.com>
Cc: "openstack@lists.openstack.org" <openstack@lists.openstack.org>
Subject: Re: [Openstack] Per tenant provider networks

I'm using the following topology:

VLAN Provider Networks:

https://developer.rackspace.com/blog/neutron-networking-vlan-provider-networks/

Where each Tenant has its own VLAN tag ID, isolated from the others.

No Neutron acting as a L3 Router, no GRE, no VXLAN.

Cheers!
Thiago

On 7 October 2014 03:42, c237...@gmail.com <c237...@gmail.com> wrote:
Hi All

I want to have all users in a tenant being capable of connecting their VM to a 
provider network, but I want this provider network to be visible only by that 
tenant. I have several tenants and I need one such dedicated provider network 
for each of my tenants.

How can I do this?


You could tell me to use a private/tenant network, but as far as I know, the 
only way of accessing a VM connected to a tenant/private network is through a 
floating IP and external network, and this is not wanted.

Thanks
Chris


___
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack


Re: [Openstack] why neutron router interfaces are done ?

2014-10-03 Thread James Denton
Good deal! Glad you were able to find it.

James

From: b t [905...@gmail.com]
Sent: Friday, October 03, 2014 11:25 PM
To: James Denton
Cc: openstack@lists.openstack.org
Subject: Re: [Openstack] why neutron router interfaces are done ?

Just figured out the problem!

I was following the Icehouse installation guide for Ubuntu, page 55.
The guide has:
interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
use_namespaces = True

What I put in was:
interface_driver = neutron.agent.linux.interface.OVSInterfaceDriveruse_namespaces = True

After modifying this part, all is working, and the VM can traceroute to the internet.

Thanks!

On Sat, Oct 4, 2014 at 12:15 AM, James Denton <james.den...@rackspace.com> wrote:
Which version of OpenStack? If the router is plugged into br-ex and not br-int 
you may see this condition. Often, an external bridge like br-ex is not 
properly configured, leading to issues. You might try creating a provider 
bridge using the ovs-vsctl tool, defining the mapping in the plugin 
configuration file, and using router-gateway-set to associate the router with 
that network.

It would help to see your 'ovs-vsctl show' output along with the plugin 
configuration file and a 'neutron net-show ' of the external network.

James

From: b t [905...@gmail.com]
Sent: Friday, October 03, 2014 8:52 PM
To: openstack@lists.openstack.org
Subject: [Openstack] why neutron router interfaces are done ?

Hi,
VMs work fine and can ping each other within the same project.
But a VM cannot ping the gateway, and I am not able to ping the router's external interface from 
external.

Here is the port-show output; I noticed the ports are down.
Any idea? Thanks!



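root@network:/etc# neutron port-show 7d2e7645-5a05-4eb6-ae9a-50ac627aac67
+-----------------------+------------------------------------------------------------------------------------+
| Field                 | Value                                                                              |
+-----------------------+------------------------------------------------------------------------------------+
| admin_state_up        | True                                                                               |
| allowed_address_pairs |                                                                                    |
| binding:host_id       |                                                                                    |
| binding:profile       | {}                                                                                 |
| binding:vif_details   | {}                                                                                 |
| binding:vif_type      | unbound                                                                            |
| binding:vnic_type     | normal                                                                             |
| device_id             | 84fa4241-4c94-4260-880c-b6092c73c4c0                                               |
| device_owner          | network:router_interface                                                           |
| extra_dhcp_opts       |                                                                                    |
| fixed_ips             | {"subnet_id": "b3ccfebb-7e08-46b3-9836-0af30242e139", "ip_address": "192.168.4.1"} |
| id                    | 7d2e7645-5a05-4eb6-ae9a-50ac627aac67                                               |
| mac_address           | fa:16:3e:d5:41:d9                                                                  |
| name                  |                                                                                    |
| network_id            | cc3ef6ae-7015-49cb-8b0d-49d7acd60601                                               |
| security_groups       |                                                                                    |
| status                | DOWN                                                                               |
| tenant_id             | e550fba3fa3743b0930c35d9b90f02e4                                                   |
+-----------------------+------------------------------------------------------------------------------------+
root@network:/etc# neutron port-show 22495eeb-0856-4cd0-b8f5-55d9500b61f5
+-----------------------+------------------------------------------------------------------------------------+
| Field                 | Value                                                                              |
+-----------------------+------------------------------------------------------------------------------------+
| admin_state_up        | True                                                                               |
| allowed_address_pairs |                                                                                    |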

Re: [Openstack] why neutron router interfaces are done ?

2014-10-03 Thread James Denton
Which version of OpenStack? If the router is plugged into br-ex and not br-int 
you may see this condition. Often, an external bridge like br-ex is not 
properly configured, leading to issues. You might try creating a provider 
bridge using the ovs-vsctl tool, defining the mapping in the plugin 
configuration file, and using router-gateway-set to associate the router with 
that network.

It would help to see your 'ovs-vsctl show' output along with the plugin 
configuration file and a 'neutron net-show ' of the external network.

James

From: b t [905...@gmail.com]
Sent: Friday, October 03, 2014 8:52 PM
To: openstack@lists.openstack.org
Subject: [Openstack] why neutron router interfaces are done ?

hi,
VM works fine and can ping each other within the same project .
But VM can not ping gateway , not able to ping router external interface from 
external .

here is the port-show and noticed ports are down .
any idea ?   thanks !



root@network:/etc# neutron port-show 7d2e7645-5a05-4eb6-ae9a-50ac627aac67
+-----------------------+------------------------------------------------------------------------------------+
| Field                 | Value                                                                              |
+-----------------------+------------------------------------------------------------------------------------+
| admin_state_up        | True                                                                               |
| allowed_address_pairs |                                                                                    |
| binding:host_id       |                                                                                    |
| binding:profile       | {}                                                                                 |
| binding:vif_details   | {}                                                                                 |
| binding:vif_type      | unbound                                                                            |
| binding:vnic_type     | normal                                                                             |
| device_id             | 84fa4241-4c94-4260-880c-b6092c73c4c0                                               |
| device_owner          | network:router_interface                                                           |
| extra_dhcp_opts       |                                                                                    |
| fixed_ips             | {"subnet_id": "b3ccfebb-7e08-46b3-9836-0af30242e139", "ip_address": "192.168.4.1"} |
| id                    | 7d2e7645-5a05-4eb6-ae9a-50ac627aac67                                               |
| mac_address           | fa:16:3e:d5:41:d9                                                                  |
| name                  |                                                                                    |
| network_id            | cc3ef6ae-7015-49cb-8b0d-49d7acd60601                                               |
| security_groups       |                                                                                    |
| status                | DOWN                                                                               |
| tenant_id             | e550fba3fa3743b0930c35d9b90f02e4                                                   |
+-----------------------+------------------------------------------------------------------------------------+
root@network:/etc# neutron port-show 22495eeb-0856-4cd0-b8f5-55d9500b61f5
+-----------------------+------------------------------------------------------------------------------------+
| Field                 | Value                                                                              |
+-----------------------+------------------------------------------------------------------------------------+
| admin_state_up        | True                                                                               |
| allowed_address_pairs |                                                                                    |
| binding:host_id       | compute1                                                                           |
| binding:profile       | {}                                                                                 |
| binding:vif_details   | {"port_filter": true, "ovs_hybrid_plug": true}                                     |
| binding:vif_type      | ovs                                                                                |
| binding:vnic_type     | normal                                                                             |
| device_id             | c66f0ddf-3209-46c0-b21c-55cfee02d115                                               |
| device_owner          | compute:None                                                                       |
| extra_dhcp_opts       |

Re: [Openstack] What is the difference between provider network and tenant network?

2014-10-03 Thread James Denton
Hi Danny,

I can’t really say. It may be that the help doesn’t differentiate between a 
user with admin rights or a regular user. Also, if you *don’t* specify those 
attributes as an admin user, then the network that’s created is bound to the 
same “limitations” as a non-admin user (i.e. whatever is defined in 
tenant_network_type).

James

From: "Danny Choi (dannchoi)" <dannc...@cisco.com>
Date: Friday, October 3, 2014 at 8:16 AM
To: James Denton <james.den...@rackspace.com>, 
"openstack@lists.openstack.org" <openstack@lists.openstack.org>
Cc: "bxb-openstack-dev(mailer list)" <bxb-openstack-...@cisco.com>
Subject: Re: [Openstack] What is the difference between provider network and 
tenant network?

Hi James,

Thanks for the explanation.

Another question.  As user admin, I do not see these attributes shown in the 
help text of “neutron net-create”.  Why?

  *   provider:network_type
  *   provider:physical_network
  *   provider:segmentation_id
  *   router:external

ubuntu@trusty1:~/devstack$ source openrc admin admin
ubuntu@trusty1:~/devstack$ neutron help net-create
usage: neutron net-create [-h] [-f {shell,table,value}] [-c COLUMN]
                          [--max-width ] [--prefix PREFIX]
                          [--request-format {json,xml}]
                          [--tenant-id TENANT_ID] [--admin-state-down]
                          [--shared]
                          NAME

Create a network for a given tenant.

positional arguments:
  NAME                  Name of network to create.

optional arguments:
  -h, --help            show this help message and exit
  --request-format {json,xml}
                        The XML or JSON request format.
  --tenant-id TENANT_ID
                        The owner tenant ID.
  --admin-state-down    Set admin state up to false.
  --shared              Set the network as shared.

output formatters:
  output formatter options

  -f {shell,table,value}, --format {shell,table,value}
                        the output format, defaults to table
  -c COLUMN, --column COLUMN
                        specify the column(s) to include, can be repeated

table formatter:
  --max-width 
                        Maximum display width, 0 to disable

shell formatter:
  a format a UNIX shell can parse (variable="value")

  --prefix PREFIX       add a prefix to all variable names

Thanks,
Danny

From: James Denton <james.den...@rackspace.com>
Date: Thursday, October 2, 2014 at 11:06 PM
To: Danny Choi <dannc...@cisco.com>, 
"openstack@lists.openstack.org" <openstack@lists.openstack.org>
Cc: "bxb-openstack-dev(mailer list)" <bxb-openstack-...@cisco.com>
Subject: RE: [Openstack] What is the difference between provider network and 
tenant network?

Hi Danny,

When 'admin' creates a network they are able to specify the following 
attributes:

- provider:network_type (ie. vxlan, gre, vlan, flat, local)
- provider:segmentation_id (ie. 802.1q tag, gre key, vxlan vni)
- provider:physical_network (ie. provider label of the physical interface - 
physnet1, ph-eth1, etc)

The following attribute that allows the network to be used as an external 
network of a router:
- router:external (ie. true/false)

The following attribute that allows the network to be shared amongst tenants:
- shared (ie. true/false)

A tenant does not have the ability to specify any of those attributes. If they 
try, they will be rejected. Tenants should have no visibility into the 'type' 
of networks they create, and are in fact limited to particular network types 
and IDs that are specified in the plugin configuration file or ml2_conf.ini.  I 
believe the configuration options are 'tenant_network_type' and 
'network_vlan_ranges'. That is why you do not see the provider attributes as 
the tenant, even though they technically exist for ALL networks, regardless of 
who created them.

Admin users are not restricted by the options in the config file, and can 
create a network using any network type or segmentation ID that they choose.

In Horizon, you will likely only see networks owned by the tenant when you go 
to the 'Project' tab. In the 'Admin' tab, you would see all networks.

Hope that helps,
James


From: Danny Choi (dannchoi) [dannc...@cisco.com]
Sent: Thursday, October 02, 2014 8:14 PM
To: openstack@lists.openstack.org
Cc: bxb-openstack-dev(mailer list)
Subject: [Openstack] What is the difference between provider network and tenant 
network?

Hi,

I used devstack to de

Re: [Openstack] What is the difference between provider network and tenant network?

2014-10-02 Thread James Denton
Hi Danny,

When 'admin' creates a network they are able to specify the following 
attributes:

- provider:network_type (ie. vxlan, gre, vlan, flat, local)
- provider:segmentation_id (ie. 802.1q tag, gre key, vxlan vni)
- provider:physical_network (ie. provider label of the physical interface - 
physnet1, ph-eth1, etc)

The following attribute that allows the network to be used as an external 
network of a router:
- router:external (ie. true/false)

The following attribute that allows the network to be shared amongst tenants:
- shared (ie. true/false)

A tenant does not have the ability to specify any of those attributes. If they 
try, they will be rejected. Tenants should have no visibility into the 'type' 
of networks they create, and are in fact limited to particular network types 
and IDs that are specified in the plugin configuration file or ml2_conf.ini.  I 
believe the configuration options are 'tenant_network_type' and 
'network_vlan_ranges'. That is why you do not see the provider attributes as 
the tenant, even though they technically exist for ALL networks, regardless of 
who created them.

Admin users are not restricted by the options in the config file, and can 
create a network using any network type or segmentation ID that they choose.

In Horizon, you will likely only see networks owned by the tenant when you go 
to the 'Project' tab. In the 'Admin' tab, you would see all networks.

Hope that helps,
James


From: Danny Choi (dannchoi) [dannc...@cisco.com]
Sent: Thursday, October 02, 2014 8:14 PM
To: openstack@lists.openstack.org
Cc: bxb-openstack-dev(mailer list)
Subject: [Openstack] What is the difference between provider network and tenant 
network?

Hi,

I used devstack to deploy Juno OpenStack.

By default, devstack created 2 users: admin (with role “admin”) and demo.


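ubuntu@trusty1:~/devstack$ source openrc admin admin
ubuntu@trusty1:~/devstack$ keystone user-list
+----------------------------------+---------+---------+------------------+
|                id                |   name  | enabled |      email       |
+----------------------------------+---------+---------+------------------+
| 3f09f4a2e2e5476681f7726d1bd7a238 |  admin  |   True  |                  |   <
| f9b63fc02a2c41c4a99508215d34698e |  cinder |   True  |                  |
| b31235476f904c968a48a6ed13a4423d |   demo  |   True  | d...@example.com |   <
| 1379192fe5f7427db0b9550f31ae3c8d |  glance |   True  |                  |
| 349ef723ec7e40c6bd4b8d8284696a04 |   heat  |   True  |                  |
| db2c4d82c9154d4eb58b3308041e8280 | neutron |   True  |                  |
| 87becace86e2459493a5e692b47374a8 |   nova  |   True  |                  |
+----------------------------------+---------+---------+------------------+

ubuntu@trusty1:~/devstack$ keystone user-role-list --user admin --tenant admin
+----------------------------------+------------------+----------------------------------+----------------------------------+
|                id                |       name       |             user_id              |            tenant_id             |
+----------------------------------+------------------+----------------------------------+----------------------------------+
| 9fe2ff9ee4384b1894a90878d3e92bab |     _member_     | 3f09f4a2e2e5476681f7726d1bd7a238 | db81f81239f54d5d89293dacc7a284d2 |
| 2c9362c08a224154bdcaeee35d740ddc |      admin       | 3f09f4a2e2e5476681f7726d1bd7a238 | db81f81239f54d5d89293dacc7a284d2 |   <
| b2419a321cae46ab9d11d2e126502271 | heat_stack_owner | 3f09f4a2e2e5476681f7726d1bd7a238 | db81f81239f54d5d89293dacc7a284d2 |
+----------------------------------+------------------+----------------------------------+----------------------------------+

ubuntu@trusty1:~/devstack$ keystone user-role-list --user demo --tenant demo
+----------------------------------+------------------+----------------------------------+----------------------------------+
|                id                |       name       |             user_id              |            tenant_id             |
+----------------------------------+------------------+----------------------------------+----------------------------------+
| 12ff05c09c5d4d1a8cf15d35f84f7a75 |      Member      | b31235476f904c968a48a6ed13a4423d | 181003e05ad44b688925372d97b985c0 |
| 9fe2ff9ee4384b1894a90878d3e92bab |     _member_     | b31235476f904c968a48a6ed13a4423d | 181003e05ad44b688925372d97b985c0 |
| 21fcd6d7847f44e6a3b9ad777a27f811 |   anotherrole    | b31235476f904c968a48a6ed13a4423d | 181003e05ad44b688925372d97b985c0 |
| b2419a321cae46ab9d11d2e126502271 | heat_stack_owner | b31235476f904c968a48a6ed13a4423d | 181003e05ad44b688925372d97b985c0 |
+----------------------------------+------------------+----------------------------------+----------------------------------+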

There are 2 networks created, public (tenant = admin) and private (tenant = 
demo).


ubuntu@trusty1:~/devstac
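
An added illustration of the admin-only attributes described in the reply above (not code from the thread or from Neutron): given an ML2 config and the admin view of each network, it lists the networks a regular tenant could not have created. The config fragment and network records are constructed; the option names used are the ML2 spellings tenant_network_types and network_vlan_ranges, and only the VLAN range check is modelled.

```python
import configparser

# Constructed ml2_conf.ini fragment (sample values, not from the thread).
ML2_CONF = """
[ml2]
tenant_network_types = vlan
[ml2_type_vlan]
network_vlan_ranges = physnet1:100:199,physnet2
"""
# Constructed records shaped like the admin view of 'neutron net-show'.
def _net(name, ntype, physnet, seg, external=False, shared=False):
    return {"name": name, "provider:network_type": ntype,
            "provider:physical_network": physnet,
            "provider:segmentation_id": seg,
            "router:external": external, "shared": shared}

NETWORKS = [
    _net("private", "vlan", "physnet1", 101),
    _net("public", "flat", "physnet2", None, external=True),
    _net("mgmt", "vlan", "physnet1", 250),
    _net("storage", "vlan", "physnet2", 300),
    _net("shared-net", "vlan", "physnet1", 150, shared=True),
]

def parse_vlan_ranges(value):
    """Map physnet -> [(low, high)]; a bare physnet has no tenant VLAN range."""
    ranges = {}
    for entry in filter(None, (e.strip() for e in value.split(","))):
        physnet, *bounds = entry.split(":")
        ranges.setdefault(physnet, [])
        if len(bounds) == 2:
            ranges[physnet].append((int(bounds[0]), int(bounds[1])))
    return ranges

def tenant_allocatable(net, tenant_types, vlan_ranges):
    """True if a non-admin create could have produced this segment."""
    if net["provider:network_type"] not in tenant_types:
        return False
    if net["provider:network_type"] != "vlan":
        return True  # assumption: only the VLAN range check is modelled
    pools = vlan_ranges.get(net["provider:physical_network"], [])
    return any(lo <= net["provider:segmentation_id"] <= hi for lo, hi in pools)

def admin_only_networks(networks, conf_text):
    cfg = configparser.ConfigParser()
    cfg.read_string(conf_text)
    types = [t.strip() for t in cfg.get("ml2", "tenant_network_types").split(",")]
    ranges = parse_vlan_ranges(cfg.get("ml2_type_vlan", "network_vlan_ranges", fallback=""))
    return [n["name"] for n in networks
            if n["router:external"] or n["shared"]
            or not tenant_allocatable(n, types, ranges)]
```

Run against real data, the flagged names are the ones worth reviewing: each was created with admin rights and sits outside the segment pool tenants are confined to.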

Re: [Openstack] ssh cirros@ not working - what can be the possible reason

2014-09-29 Thread James Denton
Hi Masoom,

I assume your instance is connected to a tenant network that is attached to a 
router, and the router is attached to a publicly-accessible network? Are you 
able to hop into the router via ‘ip netns exec qrouter-x’ and initiate 
successful pings to the outside world? If that doesn’t work, your instance will 
not be able to get out, either. You may also want to ensure the floating IP is 
setup correctly within the qrouter namespace. You should see the IP configured 
as a secondary address on the ‘qg’ interface, and iptables rules are setup to 
handle the NAT.

I would look to resolve connectivity to your instance via the router before 
working on the VPN. Good luck!

James

From: masoom alam <masoom.a...@gmail.com>
Date: Monday, September 29, 2014 at 4:52 AM
To: "openstack@lists.openstack.org" <openstack@lists.openstack.org>
Subject: [Openstack] ssh cirros@ not working - what can be the 
possible reason

Hi every one,

Context:
We are trying to set up a VPN site-to-site connection, but every time it shows 
us down in the status. We have then decided to backtrack and find the problem.


  1.  We cannot ssh cirros@, however by using sudo ip netns 
command, we can ssh to the private ip of the instance. Any clue why?
  2.  From within host which is running all-in-one Openstack setup, we can ping 
any public address such as google.com, but from within 
CirrOS, we cannot do so. Any clue for this?
  3.  Please note that Neutron firewall is disabled and proper security group 
rules are in place such as the following:

# create security profile for jump host
neutron security-group-create jumphost

# Add rule to allow icmp in
neutron security-group-rule-create --protocol icmp jumphost

# Add rule to allow ssh in
neutron security-group-rule-create --protocol tcp --port-range-min 22 --port-range-max 22 jumphost

  4.  traceroute commands from within Cirros to our public interface work well, but 
to google.com is not working.

I am wondering, host system firewall is disabled via "sudo ufw disable", 
neutron firewall is also disabled 
firewall_driver=nova.virt.firewall.NoopFirewallDriver what else?

Another point, whenever we reboot neutron node, it destroys all the settings, 
nothing is there - you can say VM is no more usable - that is, corrupted. Any 
pointers to this problem? Also adding a default gw by using the "sudo route add 
default gw  eth0" will corrupt the VM :)

Last but not the least, every example in the context of the VPNaaS takes a 
local network as an example, if we are having devstack nodes on two different 
nodes with two different public ip addresses, do we need to have a GRE tunnel 
in between them before going to site-to-site connection? I know it was 
mandatory for Racoon based ipsec tunnels.

Please guide.





___
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack