Why can't Openstack VM reach itself via it's Floating IP?

virtual-machines openstack

Solution 1:

Tilo,

This is captured pretty well in https://bugs.launchpad.net/nova/+bug/1096259, and patches are currently in progress for nova (https://review.openstack.org/#/c/19139/) as of today (Jan 7th, 2013).

The full fix also goes with bug 1096987 (https://bugs.launchpad.net/nova/+bug/1096987) and 1096985 (https://bugs.launchpad.net/nova/+bug/1096987) to cover the more common deployment scenarios where you are using either a predefined external gateway or taking advantage of the nova-network linux/iptables networking public bridge setup.

Solution 2:

Okay, I have found the problem:

All packets to Floating IPs (10.1.100.0/24 in my case) are DNATed to private network destination (10.0.0.0/24 in my case). The ssh packets go round via the controller and come right back to the VM. The ssh server answers but sends the packet with it's private address as source (of course - it has no other). So the ssh client gets a packet from 10.0.0.13 as answer to a request to 10.1.100.4 which it ignores.

Well, so when sending packets from Private to Floating IPs not only the destination has to be NATed but the source, too. But that's not straight forward because the DNAT is in PREROUTE while the SNAT is in POSTROUTE. It can be done using the connection tracking module:

iptables -t nat -A nova-network-2.7-float-snat -s 10.0.0.13/32 -d 10.0.0.0/24 -j SNAT --to-source 10.1.100.4 -m conntrack --ctstate DNAT

This did the trick for me (for every single Floating IP of course). It mangles every packet from private to private which was already DNATed (then it should go to Floating IP), to make it seem to come from a Floating IP.

In my ssh scenario now happens the following:

  • client sends from 10.0.0.13 to 10.1.100.4
  • packet is DNATed to 10.0.0.13
  • packet is SNATed to 10.1.100.4
  • server answers packet to 10.1.100.4
  • packet is DNATed to 10.0.0.13
  • packet is SNATed to 10.1.100.4
  • client gets answer from 10.1.100.4 and is happy

This works as well for ping and also for traffic between different VMs.

Looks like I have to patch the nova-network code and submit it to the openstack project :-/.

Related

Can I set up nginx to implement SSI-like functionality?
A complicated nginx/php-fpm chroot setup
How can I give a running process priority for bandwidth usage on Windows?
Elastic Beanstalk Rails - Modify passenger config passenger_max_pool_size
How can Mac users change their Windows Active Directory passwords over a VPN connection?
Windows Update for numerous powered-down Virtual Machines [closed]
How do I not show_diff when I do puppet agent -t?
Apache is not responding and nothing is logged after short, strong "traffic wave"
Is it possible to access the ZFS checksums to compare files
32-bit SQL eating up RAM on 64-bit OS until SQL is brought to its knees
Re configure TFS 2012 reporting services
Is using a NAS with hot swap disks an effective way of cycling backups?