[vbox] Enable Internet for slave nodes

Bug #1442988 reported by Mike Scherbakov on 2015-04-12
Affects: Fuel for OpenStack; Importance: Critical; Assigned to: Miroslav Anashkin
Affects: 6.0.x; Importance: Undecided; Assigned to: Serhii Ovsianikov

Bug Description

Now that we have Ubuntu being installed from external repos, we need to improve the UX for VirtualBox installations. If you try to use the current version of the scripts, your installation will fail if you use the default repos with Ubuntu packages. The reason for the failure is that slave nodes will lose network connectivity during deployment.

High level networking process is the following:
- The node is loaded with bootstrap. DNS and the default gateway point to the Fuel Master node, and since the Fuel Master has masquerading enabled, bootstrap has full access to the Internet via the Fuel Master.
- Once the slave is rebooted for OS provisioning, we still have access through the Fuel Master.
- When deployment is started, the l23network puppet module configures all the interfaces, including the routing table. As OpenStack requires the default route to go to the public network, it is configured that way via the corresponding interface.
- Once this is done using the VirtualBox scripts, the default gateway for the slave node becomes 172.16.0.1. You can access this IP, but your traffic won't go over it.

In order to fix this, and allow traffic to go, you would need to do the following:
--- in Linux ---
sudo iptables -t nat -A POSTROUTING -s 172.16.1.0/24 \! -d 172.16.1.0/24 -j MASQUERADE
# enable forwarding via sysctl: "sudo echo 1 > /proc/sys/net/ipv4/ip_forward" fails,
# because the redirect is performed by the unprivileged shell, not by sudo
sudo sysctl -w net.ipv4.ip_forward=1

--- in MacOS ---
Assuming that en0 is the external interface:
sudo /usr/sbin/natd -interface en0
sudo /sbin/ipfw -f flush
sudo /sbin/ipfw add divert natd all from any to any via en0
sudo /sbin/ipfw add pass all from any to any
sudo sysctl -w net.inet.ip.forwarding=1

In order to achieve a better UX these steps have to be automated in the VirtualBox scripts. The instructions for MacOS have to be modified in such a way that:
a) the external interface is identified automatically;
b) the configuration does not harm the already existing configuration (i.e. we should avoid ipfw -f flush);
c) we let the user know what we are doing with sudo, and why it is required.

Nathan Trueblood (ntrueblood) wrote :

Unfortunately, both natd and ipfw are deprecated in the latest Mac OS X (Yosemite):

ipfw: https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man8/ipfw.8.html
natd: https://support.apple.com/en-us/HT202553

So for Mac OS X, we are going to have instructions using Internet Connection Sharing - probably.

Changed in fuel:
status: New → Confirmed
tags: added: feature-separate-repos
Fabrizio Soppelsa (fsoppelsa) wrote :

I think the right way to achieve this for OS X is to use PF.
See the previous related commit: https://review.openstack.org/#/c/119717/

Will work on this on 04.15, on OS X Yosemite.

Changed in fuel:
assignee: nobody → Fabrizio Soppelsa (fsoppelsa)
Mike Scherbakov (mihgen) wrote :

Is bug #1288135 also a duplicate of this one, as well as bug #1288135?

Fix proposed to branch: master
Review: https://review.openstack.org/173768

Changed in fuel:
status: Confirmed → In Progress
Changed in fuel:
assignee: Fabrizio Soppelsa (fsoppelsa) → Serhiy Ovsianikov (sovsianikov)

To fix the issue manually in my VBox environment I executed the following commands on the master node:

ifconfig eth2 192.168.200.15/24 up && route add default gw 192.168.200.2
iptables -A FORWARD -s 10.20.0.0/24 -j ACCEPT
iptables -A FORWARD -d 10.20.0.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth2 -s 10.20.0.0/24 -j MASQUERADE

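The host-side NAT from the bug description and the master-node variant in the comment above both come down to the same three steps: enable IP forwarding, masquerade the slave subnet behind the interface that carries the default route, and let forwarded replies back in. The script below is an added example written for this page; it is not the bug report's commands and not fuel-main's own VirtualBox script. It implements requirements a), b) and c) from the description: the external interface is detected from the default route, nothing is flushed (iptables rules are only appended when `iptables -C` says they are absent; on OS X the NAT rule is loaded into a pf anchor instead of rewriting pf.conf), and every privileged command is printed with a reason before sudo runs it. The default subnet 172.16.1.0/24, the anchor name `com.apple/fuel-nat` (assumed to sit under the `nat-anchor "com.apple/*"` that stock OS X pf.conf declares) and the `--dry-run`/`--apply` flags are this example's assumptions, not anything from the bug.

```shell
#!/bin/sh
# Host-side NAT for VirtualBox slave nodes. Added example; not fuel-main's own
# virtualbox script. It follows the three requirements from the bug report:
#   a) the external interface is taken from the host's default route,
#   b) nothing existing is flushed: iptables rules are appended only when
#      absent (iptables -C), and on OS X the NAT rule is loaded into its own
#      pf anchor instead of rewriting pf.conf,
#   c) each privileged command is printed with a reason before sudo runs it.
# Assumptions (not from the bug): the slave subnet defaults to 172.16.1.0/24,
# and the pf anchor is named com.apple/fuel-nat, a child of the nat-anchor
# "com.apple/*" that the stock OS X /etc/pf.conf declares.

SLAVE_NET="${SLAVE_NET:-172.16.1.0/24}"
PF_ANCHOR="com.apple/fuel-nat"
DRY_RUN=1

# a) name of the interface that carries the default route (eth0, en0, ...)
detect_external_iface() {
    case "$(uname -s)" in
        Linux)  ip -4 route show default 2>/dev/null | awk '{print $5; exit}' ;;
        Darwin) route -n get default 2>/dev/null | awk '/interface:/ {print $2; exit}' ;;
    esac
}

# Linux: one privileged command per line. Forwarding is switched on with
# sysctl rather than "sudo echo 1 > /proc/sys/...", whose redirect would run
# as the unprivileged user. "iptables -C" fails when the rule is absent, so
# "-C ... || -A ..." appends each rule at most once (b).
nat_cmds_linux() {   # $1 = slave subnet, $2 = external interface
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -C POSTROUTING -s $1 ! -d $1 -o $2 -j MASQUERADE || iptables -t nat -A POSTROUTING -s $1 ! -d $1 -o $2 -j MASQUERADE
iptables -C FORWARD -s $1 -o $2 -j ACCEPT || iptables -A FORWARD -s $1 -o $2 -j ACCEPT
iptables -C FORWARD -d $1 -i $2 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT || iptables -A FORWARD -d $1 -i $2 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
EOF
}

# OS X (pf): the NAT rule goes into our own anchor, so the main ruleset and
# pf.conf stay as they are, and "pfctl -a $PF_ANCHOR -F all" later removes
# exactly what was added. pf is enabled only if it is not already.
nat_cmds_darwin() {  # $1 = slave subnet, $2 = external interface
    cat <<EOF
sysctl -w net.inet.ip.forwarding=1
echo "nat on $2 from $1 to any -> ($2)" | pfctl -a $PF_ANCHOR -f -
pfctl -s info | grep -q 'Status: Enabled' || pfctl -e
EOF
}

# c) read commands from stdin, explain why root is needed, print each one,
# and run it under "sudo sh -c" (so pipes and || inside it run as root).
apply_cmds() {
    echo "The commands below need root on the host: they enable IP forwarding and"
    echo "masquerade $SLAVE_NET behind $IFACE, so slave nodes keep Internet access"
    echo "after deployment moves their default route to the VirtualBox public network."
    while IFS= read -r cmd; do
        echo "+ sudo sh -c '$cmd'"
        [ "$DRY_RUN" = 1 ] || sudo sh -c "$cmd" || return 1
    done
}

main() {
    [ "$1" = "--apply" ] && DRY_RUN=0
    IFACE="${IFACE:-$(detect_external_iface)}"
    if [ -z "$IFACE" ]; then
        echo "no default route found; rerun with IFACE=<external interface>" >&2
        return 1
    fi
    case "$(uname -s)" in
        Linux)  nat_cmds_linux  "$SLAVE_NET" "$IFACE" | apply_cmds ;;
        Darwin) nat_cmds_darwin "$SLAVE_NET" "$IFACE" | apply_cmds ;;
        *)      echo "unsupported host OS: $(uname -s)" >&2; return 1 ;;
    esac
}

# Usage: sh enable_nat.sh --dry-run                                  (print only)
#        sh enable_nat.sh --apply                                    (run via sudo)
#        SLAVE_NET=10.20.0.0/24 IFACE=eth2 sh enable_nat.sh --apply  (master-node variant)
case "${1:-}" in --apply|--dry-run) main "$1" ;; esac
```

Running it with `--dry-run` first shows exactly which commands sudo would execute, which is the transparency point c) asks for. The same script, with `SLAVE_NET=10.20.0.0/24 IFACE=eth2`, reproduces the master-node fix from the comment above, except that it adds the rules idempotently and restricts the FORWARD accept for return traffic to established connections instead of accepting everything destined to the admin subnet.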
Dmitry Pyzhov (dpyzhov) on 2015-04-21
tags: added: feature-remote-repos
removed: feature-separate-repos
Changed in fuel:
assignee: Serhiy Ovsianikov (sovsianikov) → Miroslav Anashkin (manashkin)

Reviewed: https://review.openstack.org/173768
Committed: https://git.openstack.org/cgit/stackforge/fuel-main/commit/?id=8a1433341fd1f36b949c226d29d5656248f18928
Submitter: Jenkins
Branch: master

commit 8a1433341fd1f36b949c226d29d5656248f18928
Author: Serhiy Ovsianikov <email address hidden>
Date: Wed May 6 10:11:47 2015 +0300

    Enable Internet for slave nodes

    Adds NAT features to the slaves in the VirtualBox scripts, now
    for Linux and OS X (Yosemite) systems:
    * It requires the sudo password (giving explanations on the reasons)
    * For OS X, it backs up the original pf.conf before setting the NAT
      using pfctl, and does some cleanups
    * For Linux, inserts the masquerade rule in the nat chain

    Change-Id: Id37cb55241682f530a7e5378cadd556cccc1db90
    Closes-Bug: #1442988

Changed in fuel:
status: In Progress → Fix Committed

What does one do to provide the NAT in Windows environments... Some of us still have to use that...

Serhii Ovsianikov (sovsianikov) wrote :

Bruce,

We gave up the idea to configure NAT on the host computers. The Fuel master node is forwarding the public network through the existing NAT interface. Please look at the following review https://review.openstack.org/#/c/119717/
