[Crowbar] [SPAM] RE: Changing barclamp options
csanburn at redwoodit.com
Wed Jan 25 13:42:07 CST 2012
Thanks to you both for the information. I've decided to go ahead and redeploy and choose to use tenant vlans from the first apply on the nova barclamp to see if that helps.
Just for added information I did delete all of my instances and created a new tenant. But I found that one of my nodes would experience a crash of the nova-network service when it tried to host a new instance. Errors in the nova-network.log file indicated a problem trying to perform a "sudo iptables-restore". Yet another node allowed me to start an instance.
It's probably quicker for me to start over and get right to the testing I'm wanting to perform, which is ensuring that my tenants are not able to interact with each other's instances.
One thing I liked was that I find I can now do a "reinstall" on a node (from the node dashboard) and the process completes and my node comes up to a ready state without me having to manually go in and start processes. I haven't tried that since working on release candidates for Crowbar 1.2 but it's nice to see how much better it's working!
From: crowbar-bounces at dell.com [mailto:crowbar-bounces at dell.com] On Behalf Of Kevin Bringard
Sent: Wednesday, January 25, 2012 11:58 AM
To: crowbar at lists.us.dell.com
Subject: Re: [Crowbar] [SPAM] RE: Changing barclamp options
If you didn't specify "Use Tenant Vlans", then I believe crowbar will use FlatDHCP mode (Greg or someone else feel free to correct me if I'm wrong).
This causes a flat IP space to be used for all tenants. In this situation, L2 stuff is protected by ebtables and nwfilter, but if the security groups for the tenant allow ICMP from 0/0, without the VLAN to stop the traffic at the switch/hypervisor, another internal address in the same L2 domain is allowed. So, 10.0.0.10 can ping 10.0.0.11 if the security groups applied to the VM with 10.0.0.10 allow ICMP from 0.0.0.0/0 (since 10.0.0.11 is in that netmask). Assuming you've done that, I'd say as a test try allowing just a specific IP, or subset of IPs, in the security group the 10.0.0.10 VM is in and see if it resolves the issue.
This is why security groups by source is so important... unfortunately it's been bugged in nova for awhile, so at least with the EC2 API it doesn't work right :-/
Does that make sense?
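The following is an added example, not code from the thread, from Crowbar, or from nova. It models the situation Kevin describes: in a flat (FlatDHCP-style) IP space two tenants share one L2 domain, so whether 10.0.0.10 can reach 10.0.0.11 comes down to the ingress rules of the security group on the destination VM; a rule admitting 0.0.0.0/0 lets the neighbouring tenant in, a rule scoped to the tenant's own addresses or its own security group does not, and with tenant VLANs a cross-tenant frame never reaches the destination's filter at all. The VM names, tenants, addresses and group names are constructed sample data; the rule evaluation is a deliberate simplification of how nova security groups and iptables behave, not nova's own code, and it applies rules as ingress on the destination only.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class VM:
    name: str
    tenant: str
    ip: str
    secgroup: str  # name of the security group applied to this VM


@dataclass(frozen=True)
class Rule:
    """One ingress rule of a hypothetical security group.

    Traffic of `proto` is admitted if its source falls inside `cidr`, or if
    the source VM carries the security group named by `src_group`.
    """
    proto: str
    cidr: Optional[str] = None
    src_group: Optional[str] = None


# Constructed sample layout (not from the thread): two tenants sharing the
# single flat 10.0.0.0/24 space that a non-VLAN deployment hands out.
VMS: Dict[str, VM] = {
    "a1": VM("a1", "alpha", "10.0.0.10", "alpha-default"),
    "a2": VM("a2", "alpha", "10.0.0.12", "alpha-default"),
    "b1": VM("b1", "beta", "10.0.0.11", "beta-default"),
}


def rule_matches(rule: Rule, proto: str, src: VM) -> bool:
    """True if this rule admits `proto` traffic originating from `src`."""
    if rule.proto != proto:
        return False
    if rule.cidr is not None:
        network = ipaddress.ip_network(rule.cidr, strict=False)
        if ipaddress.ip_address(src.ip) in network:
            return True
    if rule.src_group is not None and src.secgroup == rule.src_group:
        return True
    return False


def reachable(src: VM, dst: VM, dst_rules: List[Rule], proto: str,
              tenant_vlans: bool) -> bool:
    """Simplified reachability model.

    With tenant VLANs, a cross-tenant frame is dropped at the switch or
    hypervisor and the destination's security group is never consulted.
    Without them, the flat L2 domain delivers the packet and only the
    destination's ingress rules (default deny) decide.
    """
    if tenant_vlans and src.tenant != dst.tenant:
        return False
    return any(rule_matches(r, proto, src) for r in dst_rules)


def foreign_sources(dst: VM, dst_rules: List[Rule], proto: str,
                    vms: Dict[str, VM], tenant_vlans: bool = False) -> List[str]:
    """Names of VMs belonging to *other* tenants whose `proto` traffic the
    destination would accept: the check to run before trusting a group."""
    return sorted(v.name for v in vms.values()
                  if v.tenant != dst.tenant
                  and reachable(v, dst, dst_rules, proto, tenant_vlans))


if __name__ == "__main__":
    wide_open = [Rule("icmp", cidr="0.0.0.0/0")]      # the 0/0 rule from the thread
    own_hosts = [Rule("icmp", cidr="10.0.0.11/32")]   # scoped to beta's own address
    by_group = [Rule("icmp", src_group="beta-default")]  # source-group rule
    for label, rules, vlans in [("flat, 0/0", wide_open, False),
                                ("flat, own /32", own_hosts, False),
                                ("flat, by group", by_group, False),
                                ("tenant VLANs, 0/0", wide_open, True)]:
        print(f"{label}: 10.0.0.10 -> 10.0.0.11 icmp:",
              reachable(VMS["a1"], VMS["b1"], rules, "icmp", vlans),
              "foreign sources admitted:",
              foreign_sources(VMS["b1"], rules, "icmp", VMS, vlans))
```

`foreign_sources` is the test Kevin suggests, expressed as a query: given the rules on a VM, which VMs of other tenants does the flat network let through. Narrowing the CIDR, using a source-group rule, or enabling tenant VLANs each empties that list, and the model shows that only the VLAN option does so independently of what any tenant puts in its own security group.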
From: "Gregory_Althaus at Dell.com" <Gregory_Althaus at Dell.com>
Date: Wed, 25 Jan 2012 08:44:00 -0800
To: "csanburn at redwoodit.com" <csanburn at redwoodit.com>, "crowbar at lists.us.dell.com" <crowbar at lists.us.dell.com>
Subject: [Crowbar] [SPAM] RE: Changing barclamp options
I suspect that nova doesn't understand what you did. It didn't limit the iptables entries for the existing entry.
While crowbar lets you do things, I'm not sure nova can completely understand it.
From: crowbar-bounces On Behalf Of Chris Sanburn
Sent: Wednesday, January 25, 2012 10:33 AM
Subject: [Crowbar] Changing barclamp options
During my testing I found that an instance for one tenant could ping an instance for another tenant, which is something we don't want to happen. There's an option in the Nova barclamp:
"Use Tenant Vlans"
I had left it at the default of False.
I've tried to change it by deactivating the Nova barclamp, deleting it, recreating and changing the option before applying it. Left everything else in place, instances, other barclamps, etc. But I can still ping the instance in the other tenant.
Can anyone enlighten me on what I've missed? Can I not change the Nova barclamp options like I did? Do I need to delete all of my tenants, instances, etc, and start over? Do I need to start over the entire deployment of openstack?
Crowbar mailing list
Crowbar at dell.com
For more information: https://github.com/dellcloudedge/crowbar/wiki