Instance networking diagnostics
Instance unreachable over floating IP
Check connectivity over the private IP. Get the network(s) associated with the instance, then try to ping or otherwise test that a port (like SSH) is open from within the namespace.
If connectivity works over the private IP, then the problem likely exists somewhere in Neutron's IPTables, or in OpenVSwitch.
Check IPTables rules on public network router. This router is usually called "admin-router" and is owned by the
opentstack
admin project.
You should see rules like this:
If there are no rules here for your floating IP or for your static IP assignment, it may help to restart the neutron-l3-agent via docker restart neutron_l3_agent
. This agent takes a while to restart; you will have to be patient while it re-syncs the state of all the IPTables rules in all the network namespaces maintained by Neutron.
Instance unreachable over private IP
Check the node console. It could be that the node failed to boot (this is the most likely culprit). If the node console cannot be read via the web interface, then you can try attaching via
ipmiconsole
from a control node on the provisioning network.
Try logging in to the node via the console and seeing its IP address assignments using ip addr
. If it does not have the static IP assigned, it is likely that DHCP failed when the node was booting. Check the Neutron DHCP agent for errors. It may also help to simply kill the dnsmasq process for the network in question (they typically have the network UUID as part of their ps
entry), or restart the entire DHCP agent, which should kill and restart all dnsmasq processes. To check that the node is able to network at all, you can try manually assigning an IP address using ip addr add <ip> dev <interface>
with an IP address that is unused. The IP should be in the same subnet as the one assigned to the instance by neutron. You can find the interface to use by looking at the output of ip addr
.
Check that the node's switch port has the right VLAN assigned. If the instance hasn't been deleted, any switch configurations related to the instance should still be active. You will first need to figure out which switch the instance's node is physically connected to, and on which switchport. This can be figured out via Ironic. Once you know the switch port, you can check the switch to see if the Neutron network's VLAN is assigned to that switch port. If this is not the case, it is likely that the node has no connectivity.
Once you know which switch the node is connected to, you can log in to the node and examine its configuration. You will need the credentials for the switch to do this. Run the following on the node that has Neutron running:
Note: crudini
might list a keyfile for the switch instead of a password. The path to the keyfile it shows is inside the container. You can access the keyfile outside the container at /etc/kolla/neutron-server/ssh
Dell switches
Chameleon Dell switches (S6000 model) are configured over remote SSH sessions currently. You can log in to the switch from a node that has access to the switch's out-of-band interface (such as the Neutron node.)
Interact with the prompt to show which ports are assigned to which VLAN tag.
You should see the node's switchport ID listed as 'untagged' on this VLAN. If you do not see this, adding it manually might fix things temporarily. Note: this applies immediately! There is no confirm or save flow. Be advised.
If the switch is running OS10, you may have to do this instead:
Corsa switches
Corsa switches can be queried over a remote HTTP API using an authentication token.
TODO: from this point onward, you may need to consult with a member of the team familiar with Corsa switches. In particular, looking at OpenFlow flow rules requires logging on to the switch via an interactive SSH session.
Last updated