john.t.gruber at gmail
Jul 26, 2013, 2:39 PM
Post #1 of 1
(61 views)
Permalink
|
|
Problem with nova add-fixed-ip or quantum port-update
|
|
I am using Grizzly and I have a mix of both provider external networks
(VLANs) and tenant GRE tunnels. The provider networks are obviously setup
as public, so VMs can start with interfaces on them.
I can start VMs just fine and get addresses via the dhcp_agent on both
external and tenant networks.
Everything is working well... until I need to add additional fixed_ips to
existing VM vif on external networks.
While I can get commands of the form:
nova add-fixed-ip vm-uuid net-uuid
repeat for each fixed-ip needed
and
quantum port-update port-uuid -- --fixed_ips type=dict list=true
ip_address='10.1.1.6' ip_address='10.1.1.7'
to execute correctly, and can see the fixed_ip addresses either allocate
from the network allocation pool (using nova command) or my explicitly
define addresses (using quantum command) associate with my vm just fine, I
have a problem with security groups.
I've simplified my security groups to just one 'default' where everything
is allowed. I can start ICMP ping test to my VM and show them working,
until I run the commands to provision addition fixed IPs. Once the command
takes effect on the compute node, all traffic to the vm interface hosting
the network stops.
Interestingly adjacent hosts can see the ARP entries with the correct MAC
address for the added fixed_ips, but I can not make any connections to
them. If I tcpdump on the VM, I see TCP SYN requests and the VM answer with
the SYN+ACK. On the network outside the VM (trunked to the compute node) I
see the TCP SYN request enter the compute node, and no SYN+ACK emerges. The
problem is somewhere with allowing the VM to send packets to the external
network.
Can anyone tell me how to 'HUP' the security group to allow traffic to my
new list of fixed_ips?
John
|
