
Red Hat OpenStack Platform uses multiple network namespaces to implement virtual networking infrastructure: routers, DHCP servers, firewalls, etc. Those namespaces are interconnected with OVS patches and internal interfaces. We have a problem with one particular type of OpenStack router: Distributed Virtual Router (DVR). DVR is implemented with two namespaces on compute host: qrouter-UUID and fip-UUID.

Fip-UUID is directly connected to external network, serves as a router between external network and another DVR namespace and sends proxy-ARP replies to ARP requests for floating IP address. Qrouter-UUID is directly connected to fip-UUID namespace and linux bridge that is used to emulate network connection to VM. qrouter-UUID implements a set of NAT rules that translate floating IP address to real IP address of VM.

At this moment it is impossible to use reference DVR implementation with RHOSP12, which may become a very critical issue as soon as some important customer runs into it.

The problem is described in the summary: OpenStack uses stateless firewall in FIP namespace and there is the following iptables rule in raw table:

-A PREROUTING -j neutron-l3-agent-PREROUTING
-A neutron-l3-agent-PREROUTING -j CT --notrack

I have used iptables counters and /proc/net/nf_conntrack data in qrouter-UUID namespace to troubleshoot this issue and observed the following things:

- raw and mangle PREROUTING counters increased, nat counters are not.
- connections are not shown in /proc/net/nf_conntrack
- connections in /proc/net/nf_conntrack are in UNREPLIED state

After notrack rule is removed from raw table of fip-UUID, VM gets the whole network connectivity back.

This rule was there for a very long time (at least 3 OpenStack releases, so it looks like this issue is caused by recent kernel change).

Deploy Red Hat OpenStack 12 with DVR, modify security groups, start VM, assign floating IP and try to ping external destinations (or initiate incoming connections from external network).

It is stated that RHOSP 12 uses RHEL 7.4, so I have selected 7.4 version.

Here is a list of installed kernel packages:
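The counter check the report describes, as an added example (not part of the original report and not Neutron's code): it reads `iptables-save -c` output from each namespace, lists raw-table rules that disable connection tracking, and flags a namespace where raw PREROUTING counts packets while nat PREROUTING stays at zero. The two dumps, their counters and addresses, and all function names are constructed for illustration.

```python
import re

# Constructed `iptables-save -c` output (counters and addresses are made up).
FIP_NS = """\
*raw
:PREROUTING ACCEPT [42:3528]
[42:3528] -A PREROUTING -j neutron-l3-agent-PREROUTING
[42:3528] -A neutron-l3-agent-PREROUTING -j CT --notrack
COMMIT
"""
QROUTER_NS = """\
*raw
[42:3528] -A PREROUTING -j neutron-l3-agent-PREROUTING
COMMIT
*mangle
[42:3528] -A PREROUTING -j neutron-l3-agent-PREROUTING
COMMIT
*nat
[0:0] -A PREROUTING -j neutron-l3-agent-PREROUTING
[0:0] -A neutron-l3-agent-PREROUTING -d 203.0.113.10/32 -j DNAT --to-destination 10.0.0.5
COMMIT
"""
RULE = re.compile(r"^\[(\d+):(\d+)\] (-A (\S+) .*)$")

def parse(dump):
    """Return {table: [(packets, chain, rule), ...]} from iptables-save -c text."""
    tables, current = {}, None
    for line in dump.splitlines():
        if line.startswith("*"):
            current = tables.setdefault(line[1:], [])
        elif current is not None and (m := RULE.match(line)):
            current.append((int(m.group(1)), m.group(4), m.group(3)))
    return tables

def notrack_rules(dump):
    """Raw-table rules that switch off connection tracking, with packet counts."""
    return [(p, r) for p, _, r in parse(dump).get("raw", [])
            if re.search(r"-j CT\b.*--notrack|-j NOTRACK\b", r)]

def prerouting_hits(dump):
    """Packets counted by rules attached directly to PREROUTING, per table."""
    return {t: sum(p for p, chain, _ in rules if chain == "PREROUTING")
            for t, rules in parse(dump).items()}

def nat_skipped(dump):
    """True when a nat table is present with zero PREROUTING hits while raw
    PREROUTING keeps counting: the symptom described in the report."""
    hits = prerouting_hits(dump)
    return hits.get("raw", 0) > 0 and hits.get("nat") == 0
```

On a live compute host the input would come from running `iptables-save -c` inside each namespace with `ip netns exec`.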
