Bug 926998
| Summary: | NAT is not working on OVS when l3 agent runs on same host as compute node | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Red Hat OpenStack | Reporter: | Ofer Blaut <oblaut> | ||||
| Component: | openstack-quantum | Assignee: | RHOS Maint <rhos-maint> | ||||
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Ofer Blaut <oblaut> | ||||
| Severity: | high | Docs Contact: | |||||
| Priority: | unspecified | ||||||
| Version: | 2.1 | CC: | chrisw, jkt, jschluet, rkukura, rvaknin | ||||
| Target Milestone: | beta | Keywords: | TestOnly, Triaged | ||||
| Target Release: | 3.0 | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Unspecified | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2014-01-06 19:48:37 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | |||||||
| Bug Blocks: | 892339 | ||||||
| Attachments: |
|
||||||
The problem occurs only when the l3 agent is running on the same host as the compute node. In my testing, this problem applies to SNAT, preventing VMs from accessing IPs via the external network. I ran tcpdump on the host looking at the external network's interface, and saw that outgoing traffic originating from a local VM was not getting SNAT'ed - it had the VM's private network IP as the source address. Outgoing traffic from a remote VM was getting properly SNAT'ed. Also, DNAT (incoming connections to floating IPs) did seem to work correctly to both local and remote VMs. Gary, can you write up "known issue" doc text for this issue? garyk: Is this issue resolved with proper netns support or is this still an outstanding item for rhos-3.0? Verified on grizzly running on rhel6.4 with openstack-quantum-2013.1.1-10.el6ost.
I've installed OpenStack Networking + OVS on 2 machines environment - one machine with compute node, the second one with compute node + l3 + dhcp + all services.
I've assigned a floating ip to the instace and managed to ping from the outside world to the instance and from the instance to the outside world.
Here are my iptables rules
==========================
$ iptables -t nat -L -nv
Chain PREROUTING (policy ACCEPT 85 packets, 9419 bytes)
pkts bytes target prot opt in out source destination
85 9419 quantum-openvswi-PREROUTING all -- * * 0.0.0.0/0 0.0.0.0/0
85 9419 nova-api-PREROUTING all -- * * 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 81 packets, 6304 bytes)
pkts bytes target prot opt in out source destination
81 6304 quantum-openvswi-POSTROUTING all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 MASQUERADE tcp -- * * 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
0 0 MASQUERADE udp -- * * 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
0 0 MASQUERADE all -- * * 192.168.122.0/24 !192.168.122.0/24
81 6304 nova-api-POSTROUTING all -- * * 0.0.0.0/0 0.0.0.0/0
81 6304 quantum-postrouting-bottom all -- * * 0.0.0.0/0 0.0.0.0/0
81 6304 nova-postrouting-bottom all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 70 packets, 4200 bytes)
pkts bytes target prot opt in out source destination
70 4200 quantum-openvswi-OUTPUT all -- * * 0.0.0.0/0 0.0.0.0/0
70 4200 nova-api-OUTPUT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain nova-api-OUTPUT (1 references)
pkts bytes target prot opt in out source destination
Chain nova-api-POSTROUTING (1 references)
pkts bytes target prot opt in out source destination
Chain nova-api-PREROUTING (1 references)
pkts bytes target prot opt in out source destination
Chain nova-api-float-snat (1 references)
pkts bytes target prot opt in out source destination
Chain nova-api-snat (1 references)
pkts bytes target prot opt in out source destination
81 6304 nova-api-float-snat all -- * * 0.0.0.0/0 0.0.0.0/0
Chain nova-postrouting-bottom (1 references)
pkts bytes target prot opt in out source destination
81 6304 nova-api-snat all -- * * 0.0.0.0/0 0.0.0.0/0
Chain quantum-openvswi-OUTPUT (1 references)
pkts bytes target prot opt in out source destination
Chain quantum-openvswi-POSTROUTING (1 references)
pkts bytes target prot opt in out source destination
Chain quantum-openvswi-PREROUTING (1 references)
pkts bytes target prot opt in out source destination
Chain quantum-openvswi-float-snat (1 references)
pkts bytes target prot opt in out source destination
Chain quantum-openvswi-snat (1 references)
pkts bytes target prot opt in out source destination
81 6304 quantum-openvswi-float-snat all -- * * 0.0.0.0/0 0.0.0.0/0
Chain quantum-postrouting-bottom (1 references)
pkts bytes target prot opt in out source destination
81 6304 quantum-openvswi-snat all -- * * 0.0.0.0/0 0.0.0.0/0
|
Created attachment 715599 [details] iptables output Description of problem: My setup include OVS and two hosts host 1 : quanutm server + L3 agent + compute node host 2 : DHCP + compute node Traffic is sent from VMs via L3 agent to the External router . Traffic is sent but no NAT is performed There is connecticity to the external router router ID is configured on the l3.ini file attached iptables nat output Version-Release number of selected component (if applicable): How reproducible: Steps to Reproduce: 1.create setup above 2.ping from VMs to internet 3.pings between VMs works Actual results: Expected results: Additional info: