Re: [Openstack] How to troubleshoot Security Group rules
I am facing a mysterious situation. I am using LinuxBridge (ML2) on OpenStack Newton all-in-one. I set up tcpdump on the tap device used by the instance and then attach a floating IP from the web UI. I see traffic flowing for a few seconds, after which there is no further traffic in/out of this tap device. During the first few seconds, I am able to ssh into the instance using the public IP. After 5-7 seconds, no connection can be established from the Internet. However, I am still able to ssh into the instance if I execute ssh w.r.t. the corresponding network namespace, like:

# ip netns exec  ssh cirros@

Why is this happening? I do not see any specific errors in the neutron logs even with debug on. Attaching the relevant configs below.

# grep -Ev '^#|^$' /etc/nova/nova.conf
[DEFAULT]
auth_strategy = keystone
disk_allocation_ratio=10.0
my_ip = 
use_neutron = True
enabled_apis = osapi_compute,metadata
firewall_driver = nova.virt.firewall.NoopFirewallDriver
transport_url = rabbit://openstack:55de10077d1f953e8...@openstack.mycloud.com
[api_database]
connection = mysql+pymysql://nova:9a55c0c04085248aa...@openstack.mycloud.com/nova_api
[barbican]
[cache]
[cells]
[cinder]
os_region_name = RegionOne
[cloudpipe]
[conductor]
[cors]
[cors.subdomain]
[crypto]
[database]
connection = mysql+pymysql://nova:9a55c0c04085248aa...@openstack.mycloud.com/nova
[ephemeral_storage_encryption]
[glance]
api_servers = http://openstack.mycloud.com:9292
[guestfs]
[hyperv]
[image_file_url]
[ironic]
[key_manager]
[keystone_authtoken]
auth_uri = http://openstack.mycloud.com:5000
auth_url = http://openstack.mycloud.com:35357
memcached_servers = openstack.mycloud.com:11211
auth_type = password
project_domain_name = Default
user_domain_name = Default
project_name = service
username = nova
password = 57227b66ed883b739e0b
[libvirt]
virt_type=kvm
[matchmaker_redis]
[metrics]
[mks]
[neutron]
url = http://openstack.mycloud.com:9696
auth_url = http://openstack.mycloud.com:35357
auth_type = password
project_domain_name = Default
user_domain_name = Default
region_name = RegionOne
project_name = service
username = neutron
password = 8b229c60d8faf31da416
service_metadata_proxy = True
metadata_proxy_shared_secret = d37bee945996e7ed5100
[osapi_v21]
[oslo_concurrency]
lock_path=/var/lib/nova/tmp
[oslo_messaging_amqp]
[oslo_messaging_notifications]
[oslo_messaging_rabbit]
[oslo_messaging_zmq]
[oslo_middleware]
[oslo_policy]
[placement]
[placement_database]
[rdp]
[remote_debug]
[serial_console]
[spice]
[ssl]
[trusted_computing]
[upgrade_levels]
[vmware]
[vnc]
enabled=true
vncserver_listen = $my_ip
vncserver_proxyclient_address = $my_ip
novncproxy_base_url = http://openstack.mycloud.com:6080/vnc_auto.html
[workarounds]
[wsgi]
[xenserver]
[xvp]

# grep -Ev '^#|^$' /etc/neutron/l3_agent.ini
[DEFAULT]
interface_driver = neutron.agent.linux.interface.BridgeInterfaceDriver
debug = true
[AGENT]

# grep -Ev '^#|^$' /etc/neutron/dhcp_agent.ini
[DEFAULT]
interface_driver = neutron.agent.linux.interface.BridgeInterfaceDriver
dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq
enable_isolated_metadata = True
[AGENT]

# grep -Ev '^#|^$' /etc/neutron/metadata_agent.ini
[DEFAULT]
nova_metadata_ip = openstack.mycloud.com
metadata_proxy_shared_secret = d37bee945996e7ed5100
[AGENT]
[cache]

# grep -Ev '^#|^$' /etc/neutron/neutron.conf
[DEFAULT]
auth_strategy = keystone
core_plugin = ml2
service_plugins = router
allow_overlapping_ips = True
notify_nova_on_port_status_changes = true
notify_nova_on_port_data_changes = true
debug = true
transport_url = rabbit://openstack:55de10077d1f953e8...@openstack.mycloud.com
[agent]
[cors]
[cors.subdomain]
[database]
connection = mysql+pymysql://neutron:60f65e693265e4499...@openstack.mycloud.com/neutron
[keystone_authtoken]
auth_uri = http://openstack.mycloud.com:5000
auth_url = http://openstack.mycloud.com:35357
memcached_servers = openstack.mycloud.com:11211
auth_type = password
project_domain_name = Default
user_domain_name = Default
project_name = service
username = neutron
password = 8b229c60d8faf31da416
[matchmaker_redis]
[nova]
auth_url = http://openstack.mycloud.com:35357
auth_type = password
project_domain_name = Default
user_domain_name = Default
region_name = RegionOne
project_name = service
username = nova
password = 57227b66ed883b739e0b
[oslo_concurrency]
lock_path = /var/lib/neutron/tmp
[oslo_messaging_amqp]
[oslo_messaging_notifications]
[oslo_messaging_rabbit]
[oslo_messaging_zmq]
[oslo_middleware]
[oslo_policy]
[qos]
[quotas]
[ssl]

# grep -Ev '^#|^$' /etc/neutron/plugin.ini
[DEFAULT]
debug = true
[ml2]
type_drivers = flat,vlan,vxlan
tenant_network_types = vxlan
mechanism_drivers = linuxbridge,l2population
extension_drivers = port_security
[ml2_type_flat]
flat_networks = provider
[ml2_type_geneve]
[ml2_type_gre]
[ml2_type_vlan]
[ml2_type_vxlan]
vni_ranges = 1:1000
[securitygroup]
enable_ipset = True

On Fri, Jan 20, 2017 at 2:49 PM, Vikash Kumar <vikash.ku...@oneconvergence.com> wrote:
> Checkout on the
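Added example, not code from anyone in this thread: a script that cross-checks a floating IP against the NAT rules the Neutron L3 agent keeps inside the router namespace, which is the first thing to verify when ssh works from within the namespace (as reported above) but not from the Internet. It assumes the Newton L3 agent's chain layout (neutron-l3-agent-PREROUTING for the DNAT from floating to fixed IP, neutron-l3-agent-float-snat for the reverse SNAT) and uses a constructed `iptables -t nat -S` dump; the router id, interface names and all addresses in it are made up. On the node itself, pipe the live output of `ip netns exec qrouter-<router-id> iptables -t nat -S` into `fip_check`.

```shell
#!/bin/sh
# Added example, not from the thread. Verifies that a floating IP has both
# halves of its NAT mapping in a qrouter namespace.
# Live use on the node (router id is whatever `ip netns list` shows):
#   ip netns exec qrouter-<router-id> iptables -t nat -S | fip_check 203.0.113.10
# Chain names assumed from the Newton L3 agent: neutron-l3-agent-PREROUTING
# (floating -> fixed DNAT) and neutron-l3-agent-float-snat (fixed -> floating SNAT).

# Constructed sample of `iptables -t nat -S` from a router namespace. Addresses,
# interface names and the second floating IP (DNAT without SNAT) are made up
# to exercise the checks below.
SAMPLE_NAT_RULES='-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N neutron-l3-agent-OUTPUT
-N neutron-l3-agent-POSTROUTING
-N neutron-l3-agent-PREROUTING
-N neutron-l3-agent-float-snat
-N neutron-l3-agent-snat
-N neutron-postrouting-bottom
-A PREROUTING -j neutron-l3-agent-PREROUTING
-A OUTPUT -j neutron-l3-agent-OUTPUT
-A POSTROUTING -j neutron-l3-agent-POSTROUTING
-A POSTROUTING -j neutron-postrouting-bottom
-A neutron-l3-agent-OUTPUT -d 203.0.113.10/32 -j DNAT --to-destination 10.0.0.5
-A neutron-l3-agent-POSTROUTING ! -i qg-1f2e3d4c-5b ! -o qg-1f2e3d4c-5b -m conntrack ! --ctstate DNAT -j ACCEPT
-A neutron-l3-agent-PREROUTING -d 169.254.169.254/32 -i qr-+ -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697
-A neutron-l3-agent-PREROUTING -d 203.0.113.10/32 -j DNAT --to-destination 10.0.0.5
-A neutron-l3-agent-PREROUTING -d 203.0.113.11/32 -j DNAT --to-destination 10.0.0.6
-A neutron-l3-agent-float-snat -s 10.0.0.5/32 -j SNAT --to-source 203.0.113.10
-A neutron-l3-agent-snat -j neutron-l3-agent-float-snat
-A neutron-l3-agent-snat -o qg-1f2e3d4c-5b -j SNAT --to-source 203.0.113.2
-A neutron-l3-agent-snat -m mark ! --mark 0x2/0xffff -m conntrack --ctstate DNAT -j SNAT --to-source 203.0.113.2
-A neutron-postrouting-bottom -m comment --comment "Perform source NAT on outgoing traffic." -j neutron-l3-agent-snat'

# Fixed IP that the PREROUTING DNAT maps the floating IP to; empty if none.
# Fields of "-A <chain> -d <fip>/32 -j DNAT --to-destination <fixed>":
#   $2 chain, $3 "-d", $4 floating/32, $6 "DNAT", $8 fixed IP.
fip_fixed_ip() {
    awk -v fip="$1/32" \
        '$2 == "neutron-l3-agent-PREROUTING" && $3 == "-d" && $4 == fip && $6 == "DNAT" { print $8; exit }'
}

# Floating IP that the float-snat chain rewrites the fixed IP to; empty if none.
fip_snat_source() {
    awk -v fixed="$1/32" \
        '$2 == "neutron-l3-agent-float-snat" && $3 == "-s" && $4 == fixed && $6 == "SNAT" { print $8; exit }'
}

# Reads the nat table dump on stdin. Succeeds only when the DNAT and the SNAT
# for the floating IP both exist and point at each other.
fip_check() {
    rules=$(cat)
    fixed=$(printf '%s\n' "$rules" | fip_fixed_ip "$1")
    if [ -z "$fixed" ]; then
        echo "$1: no DNAT rule in neutron-l3-agent-PREROUTING" >&2
        return 1
    fi
    back=$(printf '%s\n' "$rules" | fip_snat_source "$fixed")
    if [ "$back" != "$1" ]; then
        echo "$1 -> $fixed, but SNAT for $fixed is '${back:-missing}'" >&2
        return 1
    fi
    echo "$1 <-> $fixed: DNAT and SNAT present"
}
```

If this check passes for the floating IP and ssh from inside the qrouter namespace works, the per-port security-group chains and the instance are not where the traffic is being lost; the next capture points are the router's qg- interface (`ip netns exec qrouter-<router-id> tcpdump -ni qg-<port>`) and the provider bridge in the root namespace, to see on which side of the external network the packets stop.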
Re: [Openstack] How to troubleshoot Security Group rules
Check out on the bridge connected to the tap ports.

On Thu, Jan 19, 2017 at 7:02 PM, Vimal Kumar wrote:
> Hi,
>
> Are the rules implemented in the iptables of the node (I am running
> all-in-one, LinuxBridge setup), or are they implemented in the iptables of a
> separate network namespace?
>
> On Thu, Jan 19, 2017 at 1:27 PM, Melvin Hillsman wrote:
>> If you are running an all-in-one/single node deployment, your security
>> groups are implemented via iptables on that node. If you had a multi-node
>> setup, security group rules would show up on the compute hosts.
>>
>> On Thu, Jan 19, 2017 at 12:47 AM, Vimal Kumar wrote:
>>> Hi!
>>>
>>> How can I troubleshoot issues related to security groups? It is probably
>>> getting implemented via iptables but where? In the host iptables, or inside
>>> network namespace, or inside instance itself? I am running a single-node
>>> Newton.
>>>
>>> I am looking for a way to check whether the rules in my security group
>>> are actually being implemented or not.
>>>
>>> Thank you!
>>>
>>> Regards,
>>>
>>> Vimal

-- 
Regards,
Vikash

___
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Re: [Openstack] How to troubleshoot Security Group rules
Hi,

Are the rules implemented in the iptables of the node (I am running all-in-one, LinuxBridge setup), or are they implemented in the iptables of a separate network namespace?

On Thu, Jan 19, 2017 at 1:27 PM, Melvin Hillsman wrote:
> If you are running an all-in-one/single node deployment, your security
> groups are implemented via iptables on that node. If you had a multi-node
> setup, security group rules would show up on the compute hosts.
>
> On Thu, Jan 19, 2017 at 12:47 AM, Vimal Kumar wrote:
>> Hi!
>>
>> How can I troubleshoot issues related to security groups? It is probably
>> getting implemented via iptables but where? In the host iptables, or inside
>> network namespace, or inside instance itself? I am running a single-node
>> Newton.
>>
>> I am looking for a way to check whether the rules in my security group
>> are actually being implemented or not.
>>
>> Thank you!
>>
>> Regards,
>>
>> Vimal
>
> -- 
> Kind regards,
>
> Melvin Hillsman
> Ops Technical Lead
> OpenStack Innovation Center
>
> mrhills...@gmail.com
> phone: (210) 312-1267
> mobile: (210) 413-1659
> http://osic.org
>
> Learner | Ideation | Belief | Responsibility | Command
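Added example, not code from anyone in this thread, to make Melvin's answer checkable on a LinuxBridge node. With Neutron handling security groups (the nova.conf above correctly leaves nova's own filtering off with NoopFirewallDriver), the rules are installed by neutron-linuxbridge-agent in the iptables of the host's root network namespace, not inside any qrouter-/qdhcp- namespace and not in the guest. The iptables firewall driver hooks each tap into neutron-linuxbri-FORWARD with a physdev match and jumps to per-port chains named neutron-linuxbri-i/o/s followed by the ten characters of the tap name after "tap". The script assumes that Newton chain naming and runs against a constructed `iptables-save` dump; the port id, MAC and addresses in it are made up. On the node, run `iptables-save | sg_report tap<port-id-prefix>` as root.

```shell
#!/bin/sh
# Added example, not from the thread. Locates the per-port security-group
# chains that the Neutron LinuxBridge iptables firewall driver installs for
# one tap device, from an `iptables-save` dump taken in the root namespace.
# Assumed chain naming (Newton): neutron-linuxbri-i<sfx> ingress (to the VM),
# neutron-linuxbri-o<sfx> egress (from the VM), neutron-linuxbri-s<sfx>
# anti-spoofing, with <sfx> = the 10 characters of the tap name after "tap".
# Live use:   iptables-save | sg_report tap7a4b3c2d-1e
# Offline:    printf '%s\n' "$SAMPLE_IPTABLES_SAVE" | sg_report tap7a4b3c2d-1e

# Constructed sample dump: one port whose security group allows tcp/22 in.
# Port id, MAC and addresses are made up for this example.
SAMPLE_IPTABLES_SAVE='*filter
:FORWARD ACCEPT [0:0]
:neutron-linuxbri-FORWARD - [0:0]
:neutron-linuxbri-sg-chain - [0:0]
:neutron-linuxbri-sg-fallback - [0:0]
:neutron-linuxbri-i7a4b3c2d-1 - [0:0]
:neutron-linuxbri-o7a4b3c2d-1 - [0:0]
:neutron-linuxbri-s7a4b3c2d-1 - [0:0]
-A FORWARD -j neutron-linuxbri-FORWARD
-A neutron-linuxbri-FORWARD -m physdev --physdev-out tap7a4b3c2d-1e --physdev-is-bridged -m comment --comment "Direct traffic from the VM interface to the security group chain." -j neutron-linuxbri-sg-chain
-A neutron-linuxbri-FORWARD -m physdev --physdev-in tap7a4b3c2d-1e --physdev-is-bridged -m comment --comment "Direct traffic from the VM interface to the security group chain." -j neutron-linuxbri-sg-chain
-A neutron-linuxbri-sg-chain -m physdev --physdev-out tap7a4b3c2d-1e --physdev-is-bridged -j neutron-linuxbri-i7a4b3c2d-1
-A neutron-linuxbri-sg-chain -m physdev --physdev-in tap7a4b3c2d-1e --physdev-is-bridged -j neutron-linuxbri-o7a4b3c2d-1
-A neutron-linuxbri-sg-chain -j ACCEPT
-A neutron-linuxbri-i7a4b3c2d-1 -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-linuxbri-i7a4b3c2d-1 -p tcp -m tcp --dport 22 -j RETURN
-A neutron-linuxbri-i7a4b3c2d-1 -m state --state INVALID -j DROP
-A neutron-linuxbri-i7a4b3c2d-1 -j neutron-linuxbri-sg-fallback
-A neutron-linuxbri-o7a4b3c2d-1 -p udp -m udp --sport 68 --dport 67 -j RETURN
-A neutron-linuxbri-o7a4b3c2d-1 -j neutron-linuxbri-s7a4b3c2d-1
-A neutron-linuxbri-o7a4b3c2d-1 -j RETURN
-A neutron-linuxbri-s7a4b3c2d-1 -s 10.0.0.5/32 -m mac --mac-source FA:16:3E:11:22:33 -j RETURN
-A neutron-linuxbri-s7a4b3c2d-1 -j DROP
-A neutron-linuxbri-sg-fallback -j DROP
COMMIT'

# 10-character chain suffix derived from the tap name (chars 4..13).
sg_suffix() {
    printf '%s' "$1" | cut -c4-13
}

# Names of the ingress, egress and anti-spoof chains for a tap.
sg_chain_names() {
    sfx=$(sg_suffix "$1")
    printf 'neutron-linuxbri-i%s\nneutron-linuxbri-o%s\nneutron-linuxbri-s%s\n' "$sfx" "$sfx" "$sfx"
}

# From an iptables-save dump on stdin, print every rule in the tap's chains.
sg_rules_for_tap() {
    sfx=$(sg_suffix "$1")
    grep -E -- "^-A neutron-linuxbri-[ios]$sfx " || true
}

# Number of rules in the tap's chains; 0 means the agent never built them.
sg_rule_count() {
    sfx=$(sg_suffix "$1")
    grep -c -E -- "^-A neutron-linuxbri-[ios]$sfx " || true
}

# Succeeds only if the tap is wired into the FORWARD path by a physdev match.
# Without that hook the per-port chains are never reached and no SG rule
# applies to the port, whatever the chains contain.
sg_tap_is_hooked() {
    grep -q -E -- "^-A neutron-linuxbri-(FORWARD|sg-chain) .*--physdev-(in|out) $1 "
}

# Human-readable summary for one tap; returns 1 if the tap is not hooked in.
sg_report() {
    dump=$(cat)
    if ! printf '%s\n' "$dump" | sg_tap_is_hooked "$1"; then
        echo "$1: not hooked into neutron-linuxbri-FORWARD; no SG rules apply" >&2
        return 1
    fi
    echo "$1: $(printf '%s\n' "$dump" | sg_rule_count "$1") rule(s) in $(sg_chain_names "$1" | tr '\n' ' ')"
    printf '%s\n' "$dump" | sg_rules_for_tap "$1"
}
```

Two things to read off the output: the ingress chain should contain one RETURN rule per security-group rule you expect (here tcp/22), and the tap must appear in a physdev match; a tap with no such hook is a port the agent is not filtering at all, which is the case to investigate in the linuxbridge agent's [securitygroup] settings rather than in the rules themselves.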
[Openstack] How to troubleshoot Security Group rules
Hi!

How can I troubleshoot issues related to security groups? It is probably getting implemented via iptables but where? In the host iptables, or inside network namespace, or inside instance itself? I am running a single-node Newton.

I am looking for a way to check whether the rules in my security group are actually being implemented or not.

Thank you!

Regards,

Vimal