Re: [Openstack] How to troubleshoot Security Group rules

2017-01-21 Thread Vimal Kumar
I am facing a mysterious situation. I am using LinuxBridge (ML2) on
OpenStack Newton all-in-one. I set up tcpdump on the tap device used by the
instance and then attach a floating ip from web UI. I see traffic flowing
for a few seconds after which there is no further traffic in/out of this
tap device. During the first few seconds, I am able to ssh into the
instance using the public ip. After 5-7 seconds, no connection could be
established from the Internet. However I am still able to ssh into the
instance if I execute ssh w.r.t the corresponding network namespace, like:

# ip netns exec  ssh cirros@

Why is this happening? I do not see any specific errors in neutron logs
even with debug on.

Attaching the relevant configs below.



# grep -Ev '^#|^$' /etc/nova/nova.conf
[DEFAULT]
auth_strategy = keystone
disk_allocation_ratio=10.0
my_ip = 
use_neutron = True
enabled_apis = osapi_compute,metadata
firewall_driver = nova.virt.firewall.NoopFirewallDriver
transport_url = rabbit://openstack:55de10077d1f953e8...@openstack.mycloud.com
[api_database]
connection = mysql+pymysql://nova:9a55c0c04085248aa...@openstack.mycloud.com/nova_api
[barbican]
[cache]
[cells]
[cinder]
os_region_name = RegionOne
[cloudpipe]
[conductor]
[cors]
[cors.subdomain]
[crypto]
[database]
connection = mysql+pymysql://nova:9a55c0c04085248aa...@openstack.mycloud.com/nova
[ephemeral_storage_encryption]
[glance]
api_servers = http://openstack.mycloud.com:9292
[guestfs]
[hyperv]
[image_file_url]
[ironic]
[key_manager]
[keystone_authtoken]
auth_uri = http://openstack.mycloud.com:5000
auth_url = http://openstack.mycloud.com:35357
memcached_servers = openstack.mycloud.com:11211
auth_type = password
project_domain_name = Default
user_domain_name = Default
project_name = service
username = nova
password = 57227b66ed883b739e0b
[libvirt]
virt_type=kvm
[matchmaker_redis]
[metrics]
[mks]
[neutron]
url = http://openstack.mycloud.com:9696
auth_url = http://openstack.mycloud.com:35357
auth_type = password
project_domain_name = Default
user_domain_name = Default
region_name = RegionOne
project_name = service
username = neutron
password = 8b229c60d8faf31da416
service_metadata_proxy = True
metadata_proxy_shared_secret = d37bee945996e7ed5100
[osapi_v21]
[oslo_concurrency]
lock_path=/var/lib/nova/tmp
[oslo_messaging_amqp]
[oslo_messaging_notifications]
[oslo_messaging_rabbit]
[oslo_messaging_zmq]
[oslo_middleware]
[oslo_policy]
[placement]
[placement_database]
[rdp]
[remote_debug]
[serial_console]
[spice]
[ssl]
[trusted_computing]
[upgrade_levels]
[vmware]
[vnc]
enabled=true
vncserver_listen = $my_ip
vncserver_proxyclient_address = $my_ip
novncproxy_base_url = http://openstack.mycloud.com:6080/vnc_auto.html
[workarounds]
[wsgi]
[xenserver]
[xvp]




# grep -Ev '^#|^$' /etc/neutron/l3_agent.ini
[DEFAULT]
interface_driver = neutron.agent.linux.interface.BridgeInterfaceDriver
debug = true
[AGENT]




# grep -Ev '^#|^$' /etc/neutron/dhcp_agent.ini
[DEFAULT]
interface_driver = neutron.agent.linux.interface.BridgeInterfaceDriver
dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq
enable_isolated_metadata = True
[AGENT]




# grep -Ev '^#|^$' /etc/neutron/metadata_agent.ini
[DEFAULT]
nova_metadata_ip = openstack.mycloud.com
metadata_proxy_shared_secret = d37bee945996e7ed5100
[AGENT]
[cache]




# grep -Ev '^#|^$' /etc/neutron/neutron.conf
[DEFAULT]
auth_strategy = keystone
core_plugin = ml2
service_plugins = router
allow_overlapping_ips = True
notify_nova_on_port_status_changes = true
notify_nova_on_port_data_changes = true
debug = true
transport_url = rabbit://openstack:55de10077d1f953e8...@openstack.mycloud.com
[agent]
[cors]
[cors.subdomain]
[database]
connection = mysql+pymysql://neutron:60f65e693265e4499...@openstack.mycloud.com/neutron
[keystone_authtoken]
auth_uri = http://openstack.mycloud.com:5000
auth_url = http://openstack.mycloud.com:35357
memcached_servers = openstack.mycloud.com:11211
auth_type = password
project_domain_name = Default
user_domain_name = Default
project_name = service
username = neutron
password = 8b229c60d8faf31da416
[matchmaker_redis]
[nova]
auth_url = http://openstack.mycloud.com:35357
auth_type = password
project_domain_name = Default
user_domain_name = Default
region_name = RegionOne
project_name = service
username = nova
password = 57227b66ed883b739e0b
[oslo_concurrency]
lock_path = /var/lib/neutron/tmp
[oslo_messaging_amqp]
[oslo_messaging_notifications]
[oslo_messaging_rabbit]
[oslo_messaging_zmq]
[oslo_middleware]
[oslo_policy]
[qos]
[quotas]
[ssl]





# grep -Ev '^#|^$' /etc/neutron/plugin.ini
[DEFAULT]
debug = true
[ml2]
type_drivers = flat,vlan,vxlan
tenant_network_types = vxlan
mechanism_drivers = linuxbridge,l2population
extension_drivers = port_security
[ml2_type_flat]
flat_networks = provider
[ml2_type_geneve]
[ml2_type_gre]
[ml2_type_vlan]
[ml2_type_vxlan]
vni_ranges = 1:1000
[securitygroup]
enable_ipset = True




On Fri, Jan 20, 2017 at 2:49 PM, Vikash Kumar <vikash.ku...@oneconvergence.com> wrote:

> Checkout on the 

Re: [Openstack] How to troubleshoot Security Group rules

2017-01-20 Thread Vikash Kumar
Check out the bridge connected to the tap ports.

On Thu, Jan 19, 2017 at 7:02 PM, Vimal Kumar  wrote:

> Hi,
>
> Are the rules implemented in the iptables of the node (I am running
> all-in-one, LinuxBridge setup), or are they implemented in the iptables of a
> separate network namespace?
>
> On Thu, Jan 19, 2017 at 1:27 PM, Melvin Hillsman 
> wrote:
>
>> If you are running an all-in-one/single node deployment, your security
>> groups are implemented via iptables on that node. If you had a multi-node
>> setup, security group rules would show up on the compute hosts.
>>
>> On Thu, Jan 19, 2017 at 12:47 AM, Vimal Kumar 
>> wrote:
>>
>>> Hi!
>>>
>>> How can I troubleshoot issues related to security groups? It is probably
>>> getting implemented via iptables but where? In the host iptables, or inside
>>> network namespace, or inside instance itself? I am running a single-node
>>> Newton.
>>>
>>> I am looking for a way to check whether the rules in my security group
>>> are actually being implemented or not.
>>>
>>> Thank you!
>>>
>>> Regards,
>>>
>>> Vimal
>>>
>>> ___
>>> Mailing list: http://lists.openstack.org/cgi
>>> -bin/mailman/listinfo/openstack
>>> Post to : openstack@lists.openstack.org
>>> Unsubscribe : http://lists.openstack.org/cgi
>>> -bin/mailman/listinfo/openstack
>>>
>>>
>>
>>
>> --
>> Kind regards,
>>
>> Melvin Hillsman
>> Ops Technical Lead
>> OpenStack Innovation Center
>>
>> mrhills...@gmail.com
>> phone: (210) 312-1267
>> mobile: (210) 413-1659
>> http://osic.org
>>
>> Learner | Ideation | Belief | Responsibility | Command
>>
>
>


-- 
Regards,
Vikash
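Following Melvin's point that on a single-node LinuxBridge deployment the security groups live in the host iptables, and Vikash's pointer to the bridge holding the tap ports, the check below traces which iptables chains the packets of one tap device actually pass through. This is an added example, not code from the thread or from neutron; the `iptables-save` dump is a constructed sample with placeholder port-id fragments laid out the way neutron's linuxbridge firewall driver does it (chains prefixed `neutron-linuxbri-`, selected with `-m physdev` on the tap name).

```python
import re
from collections import defaultdict

# Constructed sample of `iptables-save` output from a LinuxBridge (ML2) node, cut down to
# the neutron chains. The port-id fragment 0123456789 is a placeholder: neutron names the tap
# "tap<prefix>" and the per-port chains "neutron-linuxbri-i<prefix>" (to VM) / "-o<prefix>" (from VM).
SAMPLE_IPTABLES_SAVE = """\
-A neutron-linuxbri-FORWARD -m physdev --physdev-out tap0123456789a --physdev-is-bridged -j neutron-linuxbri-sg-chain
-A neutron-linuxbri-FORWARD -m physdev --physdev-in tap0123456789a --physdev-is-bridged -j neutron-linuxbri-sg-chain
-A neutron-linuxbri-sg-chain -m physdev --physdev-out tap0123456789a --physdev-is-bridged -j neutron-linuxbri-i0123456789
-A neutron-linuxbri-sg-chain -m physdev --physdev-in tap0123456789a --physdev-is-bridged -j neutron-linuxbri-o0123456789
-A neutron-linuxbri-i0123456789 -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-linuxbri-i0123456789 -p tcp -m tcp --dport 22 -j RETURN
-A neutron-linuxbri-i0123456789 -p icmp -j RETURN
-A neutron-linuxbri-i0123456789 -j neutron-linuxbri-sg-fallback
-A neutron-linuxbri-o0123456789 -j RETURN
-A neutron-linuxbri-sg-fallback -j DROP
"""
JUMP = re.compile(r"-j (\S+)")

def parse_rules(dump):
    """Map chain name -> list of rule bodies (text after '-A <chain> ')."""
    chains = defaultdict(list)
    for line in dump.splitlines():
        if line.startswith("-A "):
            chain, _, body = line[3:].partition(" ")
            chains[chain].append(body)
    return chains

def rules_for_tap(dump, tap):
    """Return {chain: rules} for every user chain packets of `tap` can reach:
    seed with rules matching the tap via physdev, then follow -j targets,
    skipping rules whose physdev match names a different tap."""
    chains = parse_rules(dump)
    tap_match = re.compile(r"--physdev-(?:in|out) " + re.escape(tap) + r"\b")
    queue = [JUMP.search(r).group(1) for rules in chains.values()
             for r in rules if tap_match.search(r) and JUMP.search(r)]
    reached = {}
    while queue:
        name = queue.pop(0)
        if name in reached or name not in chains:  # RETURN, DROP, ACCEPT are not chains
            continue
        reached[name] = chains[name]
        for r in chains[name]:
            if "--physdev" in r and not tap_match.search(r):
                continue
            if JUMP.search(r):
                queue.append(JUMP.search(r).group(1))
    return reached
```

On a real node, feed the output of `iptables-save` and the instance's tap name to `rules_for_tap`; an empty result means no neutron chain references that tap at all, while a populated one shows exactly which security group rules (here the ingress `-i` chain and the `sg-fallback` DROP) apply.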


Re: [Openstack] How to troubleshoot Security Group rules

2017-01-19 Thread Vimal Kumar
Hi,

Are the rules implemented in the iptables of the node (I am running
all-in-one, LinuxBridge setup), or are they implemented in the iptables of a
separate network namespace?

On Thu, Jan 19, 2017 at 1:27 PM, Melvin Hillsman 
wrote:

> If you are running an all-in-one/single node deployment, your security
> groups are implemented via iptables on that node. If you had a multi-node
> setup, security group rules would show up on the compute hosts.
>
> On Thu, Jan 19, 2017 at 12:47 AM, Vimal Kumar  wrote:
>
>> Hi!
>>
>> How can I troubleshoot issues related to security groups? It is probably
>> getting implemented via iptables but where? In the host iptables, or inside
>> network namespace, or inside instance itself? I am running a single-node
>> Newton.
>>
>> I am looking for a way to check whether the rules in my security group are
>> actually being implemented or not.
>>
>> Thank you!
>>
>> Regards,
>>
>> Vimal
>>
>
>


[Openstack] How to troubleshoot Security Group rules

2017-01-18 Thread Vimal Kumar
Hi!

How can I troubleshoot issues related to security groups? It is probably
getting implemented via iptables but where? In the host iptables, or inside
network namespace, or inside instance itself? I am running a single-node
Newton.

I am looking for a way to check whether the rules in my security group are
actually being implemented or not.

Thank you!

Regards,

Vimal