Comment 2 for bug 1379391

Jon Proulx (jproulx) wrote :

I still have dreams of actually fixing this, but if someone can get there before me, the missing bridge is a linux-bridge device between the eth0 in the VM (#1 in the diagram) and integration bridge (#3). The tap device (#2) is on this bridge and then connected to the integration bridge by another veth pair.

root@pulsar-2:/etc/nova# brctl show
bridge name      bridge id            STP enabled   interfaces
qbr36edc375-17   8000.e61a7141009e    no            qvb36edc375-17
                                                    tap36edc375-17

so in this case:

tap36edc375-17 is item #2 in the diagram
qbr36edc375-17 is the missing bridge
qvb36edc375-17 is the veth on the linux-bridge qbr36edc375-17
qvo36edc375-17 is the other side of the veth pair which is on br-int (#3)

I'm not 100% sure why this is necessary as all the iptables rules specify the tap device (#2) as the physical interface:
(this is 'default' security group on a system with instance fixed IP 10.0.171.132)

root@pulsar-2:~# iptables -S |grep 36edc375-1
-N neutron-openvswi-i36edc375-1
-N neutron-openvswi-o36edc375-1
-N neutron-openvswi-s36edc375-1
-A neutron-openvswi-FORWARD -m physdev --physdev-out tap36edc375-17 --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-in tap36edc375-17 --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-INPUT -m physdev --physdev-in tap36edc375-17 --physdev-is-bridged -j neutron-openvswi-o36edc375-1
-A neutron-openvswi-i36edc375-1 -m state --state INVALID -j DROP
-A neutron-openvswi-i36edc375-1 -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-i36edc375-1 -p tcp -m tcp --dport 22 -j RETURN
-A neutron-openvswi-i36edc375-1 -p icmp -j RETURN
-A neutron-openvswi-i36edc375-1 -j neutron-openvswi-sg-fallback
-A neutron-openvswi-o36edc375-1 -p udp -m udp --sport 68 --dport 67 -j RETURN
-A neutron-openvswi-o36edc375-1 -j neutron-openvswi-s36edc375-1
-A neutron-openvswi-o36edc375-1 -p udp -m udp --sport 67 --dport 68 -j DROP
-A neutron-openvswi-o36edc375-1 -m state --state INVALID -j DROP
-A neutron-openvswi-o36edc375-1 -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-o36edc375-1 -j RETURN
-A neutron-openvswi-o36edc375-1 -j neutron-openvswi-sg-fallback
-A neutron-openvswi-s36edc375-1 -s 10.0.171.132/32 -m mac --mac-source FA:16:3E:40:3A:5E -j RETURN
-A neutron-openvswi-s36edc375-1 -j DROP
-A neutron-openvswi-sg-chain -m physdev --physdev-out tap36edc375-17 --physdev-is-bridged -j neutron-openvswi-i36edc375-1
-A neutron-openvswi-sg-chain -m physdev --physdev-in tap36edc375-17 --physdev-is-bridged -j neutron-openvswi-o36edc375-1
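
Added example, not part of the original comment: a Python audit of the per-port chains in the `iptables -S` listing above, checking that only the tap device appears in physdev matches and that the anti-spoofing chain pins IP and MAC and ends in DROP. The function names are chosen for this example, the embedded rules are a subset copied from the listing, and the 10-character chain suffix is read off the listing rather than taken from Neutron's code.

```python
import shlex

# Subset of the `iptables -S` listing quoted in the comment above.
RULES = """\
-A neutron-openvswi-FORWARD -m physdev --physdev-out tap36edc375-17 --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-INPUT -m physdev --physdev-in tap36edc375-17 --physdev-is-bridged -j neutron-openvswi-o36edc375-1
-A neutron-openvswi-i36edc375-1 -m state --state INVALID -j DROP
-A neutron-openvswi-i36edc375-1 -p tcp -m tcp --dport 22 -j RETURN
-A neutron-openvswi-i36edc375-1 -j neutron-openvswi-sg-fallback
-A neutron-openvswi-s36edc375-1 -s 10.0.171.132/32 -m mac --mac-source FA:16:3E:40:3A:5E -j RETURN
-A neutron-openvswi-s36edc375-1 -j DROP
-A neutron-openvswi-sg-chain -m physdev --physdev-out tap36edc375-17 --physdev-is-bridged -j neutron-openvswi-i36edc375-1
-A neutron-openvswi-sg-chain -m physdev --physdev-in tap36edc375-17 --physdev-is-bridged -j neutron-openvswi-o36edc375-1
"""

def parse(text):
    """Return {chain: [{option: value_or_True, ...}, ...]} for every -A rule."""
    chains = {}
    for line in text.splitlines():
        tok = shlex.split(line)
        if len(tok) < 2 or tok[0] != "-A":
            continue
        rule, i = {}, 2
        while i < len(tok):  # options without an argument are stored as True
            has_val = i + 1 < len(tok) and not tok[i + 1].startswith("-")
            rule[tok[i]] = tok[i + 1] if has_val else True
            i += 2 if has_val else 1
        chains.setdefault(tok[1], []).append(rule)
    return chains

def audit_port(text, suffix):
    """Audit the per-port chains for a device suffix such as '36edc375-17'."""
    chains = parse(text)
    tap, short = "tap" + suffix, suffix[:10]  # chain names carry 10 chars
    devs = {r[k] for rs in chains.values() for r in rs
            for k in ("--physdev-in", "--physdev-out")
            if str(r.get(k, "")).endswith(suffix)}
    spoof = chains.get("neutron-openvswi-s" + short, [])
    ingress = chains.get("neutron-openvswi-i" + short, [])
    return {
        "physdev_devices": devs,
        "only_tap_matched": devs == {tap},
        "allowed_pairs": [(r["-s"], r["--mac-source"]) for r in spoof
                          if r.get("-j") == "RETURN" and "-s" in r],
        "spoof_default_drop": bool(spoof) and spoof[-1] == {"-j": "DROP"},
        "ingress_tcp_ports": [r["--dport"] for r in ingress if "--dport" in r],
        "ingress_falls_back": bool(ingress)
            and ingress[-1].get("-j") == "neutron-openvswi-sg-fallback",
    }
```

Calling `audit_port(RULES, "36edc375-17")` returns a dict of findings; a rule that matched `qvb36edc375-17` or `qbr36edc375-17` instead of the tap would flip `only_tap_matched` to False.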