Description of problem:
=======================
Vendors implementing Neutron L3 API in their devices may not be able to provide metadata server access via the Neutron router. In such cases it is useful for the deployer to force metadata server access using host route injection as done for isolated network segments.

The upstream patch:
===================
https://review.openstack.org/#/c/211963
Verification Steps:
===================
1. Create isolated network and subnet:
$ neutron net-create isolated
$ neutron subnet-create isolated 30.3.3.0/24 --no-gateway --name isolated_subnet

2. Create key and boot an instance:
$ nova keypair-add test > test
$ nova boot cirros_test --flavor 42 --image 958a122e-2954-45fa-9f90-b7a0d60b4d91 --key-name test --nic net-id=1124cb9f-eb9c-48d7-98e2-7652c8abc22c

3. Allow SSH in your security group rules.

4. SSH to your instance via qdhcp namespace using your key:
$ sudo ip netns exec qdhcp-1124cb9f-eb9c-48d7-98e2-7652c8abc22c ssh -i test cirros.3.3

5. From within the VM, verify that the route is there and you can reach the metadata service:
$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
30.3.3.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
169.254.169.254 30.3.3.1        255.255.255.255 UGH   0      0        0 eth0
$ curl http://169.254.169.254:/openstack
2012-08-10
2013-04-04
2013-10-17
Some additions:
* In Step 2, don't use --no-gateway.
* You may or may not attach a router to your network:

VM routing table should look like:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         55.5.5.1        0.0.0.0         UG    0      0        0 eth0
55.5.5.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
169.254.169.254 55.5.5.2        255.255.255.255 UGH   0      0        0 eth0

55.5.5.2 --> DHCP port.

dnsmasq config:
$ cat /opt/openstack/data/neutron/dhcp/96b93669-9147-45ac-a5d5-26f2a68f4f45/opts
tag:tag0,option:classless-static-route,169.254.169.254/32,55.5.5.2,0.0.0.0/0,55.5.5.1
tag:tag0,249,169.254.169.254/32,55.5.5.2,0.0.0.0/0,55.5.5.1
tag:tag0,option:router,55.5.5.1
tag:tag0,option:dns-server,55.5.5.2
The verification is FailedQA.
Tested with AIO on rhel7.1
openstack-neutron-2015.1.1-5.el7ost.noarc

Steps to reproduce:
1. Create a network with attached router
2. Set within /etc/neutron/dhcp-agent.ini "force_metadata = True" and restart the agent
3. Create a VM with ssh key, it should transfer to a VM via metadata

Result:
VM didn't get an IP address

The log is attached
Created attachment 1076534
dhcp log
This is a bug that originated from the upstream patch. Working on a fix:
https://review.openstack.org/#/c/227358/
The fix for the issue raised in comment #9 got merged [1] both to upstream master and Liberty. This is also handled in bug 1267669.

[1] https://review.openstack.org/#/q/I4e1d918e3a24dd483ee134021f587ae4520bf431,n,z
Thanks Nir, we will retest it.
Verified on openstack-neutron-2015.1.2-2.el7ost.noarch
Rhel7.2 AIO

cat /var/lib/neutron/dhcp/8092a357-6bd4-46db-b272-2632a57c8dd7/opts
tag:tag0,option:classless-static-route,169.254.169.254/32,10.10.10.2,0.0.0.0/0,10.10.10.1
tag:tag0,249,169.254.169.254/32,10.10.10.2,0.0.0.0/0,10.10.10.1
tag:tag0,option:router,10.10.10.1
tag:tag0,option:dns-server,10.10.10.2

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.10.10.1      0.0.0.0         UG    0      0        0 eth0
10.10.10.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0
169.254.169.254 10.10.10.2      255.255.255.255 UGH   0      0        0 eth
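Added example, not part of the bug report or of the Neutron code: a Python check over a dnsmasq opts file like the ones quoted in the comments above. It confirms that the 169.254.169.254 host route is present in both option 121 and option 249, and that the default route is repeated in the route list. The function names and the embedded sample are constructed for illustration.

```python
import ipaddress

METADATA = ipaddress.ip_network("169.254.169.254/32")
DEFAULT = ipaddress.ip_network("0.0.0.0/0")
# Option 121 (RFC 3442) and 249 (the Microsoft variant) carry the same route list.
ROUTE_OPTS = ("option:classless-static-route", "249")

# Constructed sample: the opts lines quoted earlier in this report.
SAMPLE_OPTS = """\
tag:tag0,option:classless-static-route,169.254.169.254/32,55.5.5.2,0.0.0.0/0,55.5.5.1
tag:tag0,249,169.254.169.254/32,55.5.5.2,0.0.0.0/0,55.5.5.1
tag:tag0,option:router,55.5.5.1
tag:tag0,option:dns-server,55.5.5.2
"""

def parse_opts(text):
    """Return {tag: {option: [values]}} from dnsmasq opts-file lines."""
    opts = {}
    for line in text.splitlines():
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 2 or not fields[0].startswith("tag:"):
            continue  # blank or untagged line: out of scope for this check
        opts.setdefault(fields[0][4:], {})[fields[1]] = fields[2:]
    return opts

def routes(values):
    """Pair up 'dest/prefix,gateway' values into {network: gateway}."""
    if len(values) % 2:
        raise ValueError("odd number of route fields: %r" % (values,))
    return {ipaddress.ip_network(d): ipaddress.ip_address(g)
            for d, g in zip(values[0::2], values[1::2])}

def check_metadata_route(text):
    """Return {tag: [problems]}; an empty list means the tag looks right."""
    report = {}
    for tag, options in parse_opts(text).items():
        problems = []
        tables = [routes(options.get(name, [])) for name in ROUTE_OPTS]
        if tables[0] != tables[1]:
            problems.append("options 121 and 249 differ")
        if METADATA not in tables[0]:
            problems.append("no host route to 169.254.169.254")
        router = options.get("option:router")
        # RFC 3442: a client that receives option 121 ignores the router
        # option, so the default route has to be repeated in the route list.
        if router and str(tables[0].get(DEFAULT)) != router[0]:
            problems.append("default route missing from option 121")
        report[tag] = problems
    return report
```

Running `check_metadata_route()` on the contents of the network's `opts` file after restarting the DHCP agent gives a per-tag list of problems, which is empty for the files shown in this report.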
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2015:2652