This page lists gotchas and frequently asked questions about networking and Neutron with Platform9 managed OpenStack.
Host Configuration & troubleshooting
Gotcha: Restarting networking on CentOS ("service network restart" or similar) will disconnect your virtual machines from the network (including Floating IPs/Elastic IPs). To fix this, follow the "service network restart" with a restart of the Platform9 OpenStack services: "service pf9-neutron-ovs-agent restart", "service pf9-neutron-l3-agent restart" and "service pf9-neutron-dhcp-agent restart". Note that in a non-DVR setup the l3-agent and dhcp-agent are present on the network node/host. In a DVR setup the l3-agent is present on all nodes/hosts.
Gotcha: Some info on network namespaces:
- Run "ip netns" to list the network namespaces on your host
- Run "ip netns exec <namespace> <command>" to run a command within the network namespace.
- Namespaces in neutron are named as "snat-<router-id>", "qrouter-<router-id>", "dhcp-<network-id>".
Gotcha: Check your external network reachability by initiating a "ping" to the IP present in your SNAT namespace. You can get the external IP assigned to your router either by looking at the router ports through the UI or by running "ifconfig -a" or "ip a" within the SNAT network namespace. Also try pinging the external gateway from within the SNAT network namespace.
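The namespace check above can be scripted. This is an added example, not Platform9 code: it lists the addresses in each SNAT namespace and pings that namespace's default gateway from inside it. The function names and the "--run" switch are assumptions of this example, and it assumes the external gateway is the namespace's default route.

```shell
#!/bin/sh
# Added example (not Platform9 code). Run as root on a host that has
# snat-* namespaces. Function names are assumptions of this example.

# Keep only SNAT namespace names from `ip netns` output on stdin.
# Newer iproute2 prints "name (id: N)", so use the first field only.
snat_namespaces() {
    awk '$1 ~ /^snat-/ { print $1 }'
}

# Print the default gateway from `ip route show` output on stdin.
default_gateway() {
    awk '$1 == "default" && $2 == "via" { print $3; exit }'
}

# Print "<interface> <address>" for each non-loopback IPv4 address in
# `ip -o -4 addr show` output on stdin.
ipv4_addresses() {
    awk '$2 != "lo" && $3 == "inet" { sub(/\/.*/, "", $4); print $2, $4 }'
}

# For every SNAT namespace: show its addresses, then ping its gateway.
# Returns non-zero if any namespace has no default route or no reply.
check_snat_reachability() {
    rc=0
    for ns in $(ip netns | snat_namespaces); do
        echo "== $ns"
        ip netns exec "$ns" ip -o -4 addr show | ipv4_addresses
        gw=$(ip netns exec "$ns" ip route show | default_gateway)
        if [ -z "$gw" ]; then
            echo "   no default route"; rc=1; continue
        fi
        if ip netns exec "$ns" ping -c 3 -W 2 "$gw" >/dev/null 2>&1; then
            echo "   external gateway $gw reachable"
        else
            echo "   external gateway $gw NOT reachable"; rc=1
        fi
    done
    return "$rc"
}

# Only touch the live host when asked to: sh snat-check.sh --run
if [ "${1:-}" = "--run" ]; then
    check_snat_reachability
fi
```

A namespace that reports "no default route" has no external gateway configured in it, which is a different fault from a gateway that does not answer.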
Gotcha: Security groups in Neutron are designed as "allow" rules. All protocols and ports are by default in "Deny" mode. Create a new security group to add inbound and outbound allow rules. Rules are fine-grained to CIDR (a specific IP can be used by specifying a mask of 32), protocols and ports.
Gotcha: The default security group is created by Neutron to ensure that there is at least some connectivity to the instances if they are spawned without explicitly defining a security group. The default security group allows "All outbound" from within the VM only.
Gotcha: Security groups are scoped to a particular tenant. So if you need to create security groups in multiple tenants, you will need to create a new one for each tenant. This also means that each tenant will get its own "default" security group too.