[Crowbar] nova_fixed & nova_floating

Paul Pettigrew Paul.Pettigrew at mach.com.au
Sat Jan 14 01:17:54 CST 2012


Thanks Kevin

Certainly did help. I was not intimately familiar with the Dashboard (Horizon) and found the way to edit the security/firewall rules from there (as opposed to old euca2ools commands), thanks.

Cheers

Paul


-----Original Message-----
From: crowbar-bounces at dell.com [mailto:crowbar-bounces at dell.com] On Behalf Of Kevin Bringard
Sent: Saturday, 14 January 2012 1:38 AM
To: crowbar at lists.us.dell.com
Subject: Re: [Crowbar] nova_fixed & nova_floating

So, there are a few things going on here. The first is that euca2ools isn't installed by default. You can install the euca2ools, which gives you the euca-* commands. "apt-get install euca2ools" should do it. You should be able to add this to your default installs pretty easily in crowbar.

However, the big tricky bit is that in diablo with keystone, the novadb is no longer authoritative for user authentication and keystone doesn't check it at all. Keystone also doesn't create EC2 credentials by default, so you have to get them into keystone "manually" with keystone-manage (it doesn't generate them either, so you have to create them by hand). I wrote a little script to add users/tenants/ec2 creds, etc. You can find it here:

http://paste.openstack.org/show/3911/

If you just want to get a rule into place quickly, I'd suggest using the dashboard; once you've done that you can experiment with getting EC2 creds into keystone.

Finally, it should be noted that I believe OpenStack is going to be deprecating the ec2 API, so unless you have a compelling reason to keep using it, it may be worth your time to learn the OpenStack (nova) API commands.

Hope that helps!

-- Kevin


From: Paul Pettigrew <Paul.Pettigrew at mach.com.au>
Date: Fri, 13 Jan 2012 07:30:22 -0800
To: "crowbar at lists.us.dell.com" <crowbar at lists.us.dell.com>
Subject: Re: [Crowbar] nova_fixed & nova_floating

Hi all

Trying to view/manipulate firewall/security settings as suggested by Greg, but commands expected not present....

I have previously used commands (on a manually built OpenStack Diablo rig) like:
euca-authorize default -P tcp -p 22 -s 0.0.0.0/0
euca-authorize default -P icmp -t -1:-1

or

nova secgroup-add-rule default tcp 22 22 0.0.0.0/0
nova secgroup-add-rule default icmp -1 -1 0.0.0.0/0

To add rules, and to see:

nova secgroup-list-rules default
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port |  IP Range | Source Group |
+-------------+-----------+---------+-----------+--------------+
| icmp        | -1        | -1      | 0.0.0.0/0 |              |
| tcp         | 22        | 22      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+

However, Crowbar does not install euca2ools, and the "nova" program does not include the secgroup-* subcommands (run "nova help" to see limited subset available):

    secgroup-add-group-rule
                        Add a source group rule to a security group.
    secgroup-add-rule   Add a rule to a security group.
    secgroup-create     Create a new security group.
    secgroup-delete     Delete a security group.
    secgroup-delete-group-rule
                        Delete a source group rule from a security group.
    secgroup-delete-rule
                        Delete a rule from a security group.
    secgroup-list       List security groups for the curent tenant.
    secgroup-list-rules List rules for a security group.

Is there a reason the full Diablo commandset is not available under the "nova" command?

Do I need to manually install "apt-get install euca2ools" on a node and then manually get all the keys and environment variables set up to be able to manipulate the firewall/security rules on a Crowbar-built Nova compute node?

Thanks - I can find no doco on this topic in the wiki.

Cheers

Paul

PS: I have posted the network Visio as promised to the wiki at:
https://github.com/dellcloudedge/crowbar/wiki/Crowbar-Openstack-Networking-Visio
I hope it helps others to more quickly understand the networking design also
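
Added example, not part of the original message and not Crowbar or nova code: a small Python audit that parses the table printed by "nova secgroup-list-rules" (layout as quoted in the message above) and lists the rules that admit any source address, such as the 0.0.0.0/0 SSH and ICMP rules shown there. The function names and the third sample row are constructed for illustration.

```python
import ipaddress

# Constructed sample: same layout as the `nova secgroup-list-rules default`
# output quoted above, with a third, narrower rule added for contrast.
SAMPLE = """\
+-------------+-----------+---------+------------------+--------------+
| IP Protocol | From Port | To Port |     IP Range     | Source Group |
+-------------+-----------+---------+------------------+--------------+
| icmp        | -1        | -1      | 0.0.0.0/0        |              |
| tcp         | 22        | 22      | 0.0.0.0/0        |              |
| tcp         | 3306      | 3306    | 192.168.124.0/24 |              |
+-------------+-----------+---------+------------------+--------------+
"""

def parse_rules(text):
    """Turn the ASCII table into a list of dicts keyed by column header."""
    rows = [[c.strip() for c in line.strip()[1:-1].split("|")]
            for line in text.splitlines() if line.strip().startswith("|")]
    if not rows:
        return []
    header, body = rows[0], rows[1:]
    return [dict(zip(header, cells)) for cells in body]

def is_world_open(rule):
    """True when the rule's CIDR has prefix length 0 (any source address)."""
    cidr = rule.get("IP Range", "")
    if not cidr:                       # source-group rule: no CIDR to check
        return False
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def describe(rule):
    proto, lo, hi = rule["IP Protocol"], rule["From Port"], rule["To Port"]
    if proto == "icmp":                # for ICMP the two columns are type and code
        what = "all ICMP types" if (lo, hi) == ("-1", "-1") else f"ICMP type {lo} code {hi}"
    else:
        what = f"{proto}/{lo}" if lo == hi else f"{proto}/{lo}-{hi}"
    return f"{what} from {rule['IP Range']}"

def audit(text):
    """Return a description of every rule reachable from any source address."""
    return [describe(r) for r in parse_rules(text) if is_world_open(r)]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("world-open:", finding)
```
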

------------------------------------------------------------------------------------
From: Haselwanter Edmund [mailto:edmund at haselwanter.com]
Sent: Friday, 13 January 2012 9:05 PM
To: Paul Pettigrew
Cc: Gregory_Althaus at Dell.com; crowbar at lists.us.dell.com
Subject: Re: [Crowbar] nova_fixed & nova_floating


On Jan 13, 2012, at 6:17 AM, Paul Pettigrew wrote:


Thanks Greg
(we met at OpenStack, Santa Clara April last year).

I will double check all the security group/firewall aspects - and as you said "Oh,  I like the picture." I will upload it to the wiki as my first contribution to your great project :-)

I like it too :-)



From: crowbar-bounces at dell.com [mailto:crowbar-bounces at dell.com] On Behalf Of Paul Pettigrew
Sent: Friday, 13 January 2012 3:17 PM
To: Gregory_Althaus at Dell.com; crowbar at lists.us.dell.com
Subject: Re: [Crowbar] nova_fixed & nova_floating

Thanks Greg
(we met at OpenStack, Santa Clara April last year).

I will double check all the security group/firewall aspects - and as you said "Oh,  I like the picture." I will upload it to the wiki as my first contribution to your great project :-)

Cheers,

Paul


From: Gregory_Althaus at Dell.com [mailto:Gregory_Althaus at Dell.com]
Sent: Friday, 13 January 2012 3:09 PM
To: Paul Pettigrew; crowbar at lists.us.dell.com
Subject: RE: nova_fixed & nova_floating

Before I turn into a pumpkin, we have some issues with default routes messing things up. The release notes have some comments on it. We are working on something to help with it.

Also, remember your security groups can get in the way.  The default is no-access.

Thanks,
Greg

From: crowbar-bounces On Behalf Of Paul Pettigrew
Sent: Thursday, January 12, 2012 10:33 PM
To: crowbar
Subject: [Crowbar] nova_fixed & nova_floating

Hi all

Have successfully built Crowbar 1.2 and OpenStack via Barclamps, but am having issues with router settings and accessibility of some networking.

On p24 of "crowbar_deployment_guide.pdf" it states:

nova_fixed | Public network for nova Virtual Machines | The nova-network node acts as a router. This must be completely owned by the nova system.
nova_floating | Broken | deprecated - most likely to be replaced by nova config.


Is this really broken, or is it working and doco is not quite in sync?

I am correctly getting IPs handed out to a Node, but cannot access either of the IPs handed out on the above two networks.

I have an externally provided router/gateway at 192.168.122.1 (for "public" and "nova_floating") and also one at 192.168.124.1 (for "admin" and "bmc").

See image I have created of the network at: https://mach.com.au/files/CrowbarOpenStackNetworking.png
(PS: if people like the image, I will upload it to the Crowbar wiki)

Are there any gateway/default route issues that may be complicating this I should be mindful of? I have not made any nova firewalling changes, still running via default install.

Many thanks for any ideas provided.

(I have found the doco and Rob's videos using a virtualised rig all on a laptop outstanding (and was able to successfully emulate all) - but moving up to more complex networking across real metal and real switches has not been as smooth)

Cheers

Paul

_______________________________________________
Crowbar mailing list
Crowbar at dell.com
https://lists.us.dell.com/mailman/listinfo/crowbar
For more information: https://github.com/dellcloudedge/crowbar/wiki





