Bays spawned from devstack don't have external network access

Bug #1446372 reported by Andrew Melton
This bug affects 1 person
Affects: Magnum
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned
Milestone:

Bug Description

When using a devstack build with our plugin, instances spawned for bays don't have external network access. And thus, our examples that use public containers won't work. To get external network access, IP masquerading needs to be set up on the external bridge. This can be done manually after setting up devstack by running: "sudo /sbin/iptables -t nat -A POSTROUTING -o br-ex -j MASQUERADE". But, we may want to consider running this command by default in our devstack plugin.

description: updated
Adrian Otto (aotto) wrote :

I agree it should be added by default. I expect that most users of the devstack plugin actually intend to use public images, at least to start with, so we should set the environment up to allow that.

Steven Dake (sdake) wrote :

Disagree. The proper way to masquerade is to use local.sh. If people have neutron working in devstack they either have a public/private network that is routed or they have a masquerade rule in local.sh. If we hard code the masquerade rule in devstack, it would not allow the case of a public/private routed network to work (i.e. an actual deployment model in the field). I am not arguing people should deploy Magnum via DevStack, but I want to get my environment for example working as I just described with a real router and not a masquerade rule.

Carrying these types of rules is a use case of local.sh.

Adrian Otto (aotto) wrote :

Okay, we can add the masquerade rule to the instructions that explain what to put in local.conf for magnum to work.

Kai Qiang Wu(Kennan) (wkqwu) wrote :

I think we just follow the devstack mechanism; devstack does not do anything about the masquerade rule.

It depends on the user's usage. For example,
if he uses VirtualBox, and the br-ex which is eth0 (in VirtualBox it is the NAT way).

If the user wants instances to access the outside, he needs to add a special flow to make br-ex include eth0.

OpenStack Infra (hudson-openstack) wrote : Fix merged to magnum (master)

Reviewed: https://review.openstack.org/181255
Committed: https://git.openstack.org/cgit/openstack/magnum/commit/?id=1476aa7f199c569803d96a0fee88ac9ad16e25ce
Submitter: Jenkins
Branch: master

commit 1476aa7f199c569803d96a0fee88ac9ad16e25ce
Author: Andrew Melton <email address hidden>
Date: Thu May 7 16:45:44 2015 -0700

    Add local.sh to dev guides

    This will configure devstack to automatically set up NAT properly
    on br-ex after ./stack.sh sets up devstack. This allows instances
    spawned by Nova to access the internet.

    Change-Id: Ide25f8b5770f808fe39da329597cc8e4024fba41
    Closes-Bug: #1446372

Changed in magnum:
status: New → Fix Committed
Adrian Otto (aotto)
Changed in magnum:
milestone: none → mitaka-1
status: Fix Committed → Fix Released
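
The local.sh approach discussed in this thread, as an added example that is not taken from the bug report or from the Magnum dev guide: it applies the rule from the bug description only when it is not already present, so repeated ./stack.sh runs do not pile up duplicate NAT rules. The IPTABLES and EXT_BRIDGE variables and the ensure_masquerade function are assumed names.

```shell
#!/bin/sh
# Sketch of a devstack local.sh. devstack runs an executable local.sh from
# its top-level directory at the end of ./stack.sh.
# Assumed names (not from the bug report): IPTABLES, EXT_BRIDGE,
# ensure_masquerade.

# Command used to talk to netfilter; overridable so the logic can be
# exercised without root.
IPTABLES="${IPTABLES:-sudo /sbin/iptables}"
# External bridge named in the bug description.
EXT_BRIDGE="${EXT_BRIDGE:-br-ex}"

# Ensure the MASQUERADE rule exists on the given bridge exactly once.
# Returns 0 if the rule was already present or was added, 1 if adding failed.
ensure_masquerade() {
    bridge="$1"
    # -C tests for an exact rule match without changing the table.
    if $IPTABLES -t nat -C POSTROUTING -o "$bridge" -j MASQUERADE 2>/dev/null; then
        echo "MASQUERADE on $bridge already present"
        return 0
    fi
    # Same rule as the manual command in the bug description.
    $IPTABLES -t nat -A POSTROUTING -o "$bridge" -j MASQUERADE || return 1
    echo "MASQUERADE on $bridge added"
}

# Only touch the firewall when this file is actually run as local.sh,
# not when it is sourced or copied elsewhere for inspection.
case "${0##*/}" in
    local.sh) ensure_masquerade "$EXT_BRIDGE" ;;
esac
```

To review what is in place afterwards, `sudo /sbin/iptables -t nat -S POSTROUTING` lists the chain; the rule matches all traffic leaving the bridge, which is the behaviour the routed-network objection above is about.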
Khoi Vo (khoi-vo) wrote :

Hi,

My nova instances can successfully access the internet with the iptables command after Devstack was installed. Good.

Now, what is required for my actual containers to access the internet?
