Hi *,

I'm helping out with network setups for a fresh SUSE OpenStack Cloud 5 setup.

An instance is trying to reach the nova-api metadata service by contacting 169.254.169.254 port 80, but no response is received. We can reproduce this with, e.g., "wget http://169.254.169.254:80" from within the instance.

The VM receives a fixed address via DHCP (192.168.123.x), and is communicating successfully via (in our case) VLAN 115 ("linuxbridge" setup, no OVS). I can see the instance's connection request to the metadata service via tcpdump on the network node, by listening on bond0.115.

From what I could gather by looking at the OpenStack documentation, I expect to see some DNAT rule which would translate the request for 169.254.169.254 port 80 into a request to the actual metadata service listening on the control node (192.168.124.81, port 8775). There is no such rule in iptables, neither on the control node, nor on the compute node, nor inside the instance.

Once I add a corresponding DNAT rule on the control node ("iptables -t nat -I nova-api-PREROUTING -d 169.254.169.254 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.124.81:8775"), I see the corresponding replies to the instance (again tcpdump'ing on the control node). But as there is no route on the control node that directs traffic for 192.168.123.0/24 to the corresponding VLAN, all those replies are sent to the external default router (on its own VLAN, *not* VLAN 115). These are the routing tables set by OpenStack Cloud on the control node:
Code:
root@d0c-c4-7a-06-72-96:~ # ip route list table local 
broadcast 127.0.0.0 dev lo  proto kernel  scope link  src 127.0.0.1  
local 127.0.0.0/8 dev lo  proto kernel  scope host  src 127.0.0.1  
local 127.0.0.1 dev lo  proto kernel  scope host  src 127.0.0.1  
local 127.0.0.2 dev lo  proto kernel  scope host  src 127.0.0.1  
broadcast 127.255.255.255 dev lo  proto kernel  scope link  src 127.0.0.1  
broadcast 192.168.124.0 dev bond0  proto kernel  scope link  src 192.168.124.81  
local 192.168.124.81 dev bond0  proto kernel  scope host  src 192.168.124.81  
broadcast 192.168.124.255 dev bond0  proto kernel  scope link  src 192.168.124.81  
broadcast 192.168.126.0 dev brqc0d4b1ba-e6  proto kernel  scope link  src 192.168.126.2  
local 192.168.126.2 dev brqc0d4b1ba-e6  proto kernel  scope host  src 192.168.126.2  
broadcast 192.168.126.255 dev brqc0d4b1ba-e6  proto kernel  scope link  src 192.168.126.2  
root@d0c-c4-7a-06-72-96:~ # ip route list table main 
default via 192.168.126.1 dev brqc0d4b1ba-e6  metric 100  
127.0.0.0/8 dev lo  scope link  
192.168.124.0/24 dev bond0  proto kernel  scope link  src 192.168.124.81  
192.168.126.0/24 dev brqc0d4b1ba-e6  proto kernel  scope link  src 192.168.126.2  
root@d0c-c4-7a-06-72-96:~ # ip route list table default 
root@d0c-c4-7a-06-72-96:~ #
Is using the metadata service supposed to work at all, and would we need to add some specific setup in order to make this work? Or should this work "out of the box"? The SUSE Cloud documentation is rather unspecific on this.

Any feedback (even "works for me out of the box") would be appreciated.

Regards,
Jens
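An added example, not part of Jens' post: a small route and NAT-table check that reproduces the reply-path problem described above. The routing table is the control node's "main" table quoted in the post; the NAT rule line is a constructed rendering of the quoted DNAT rule in "iptables -t nat -S" syntax, assumed here as sample input.

```python
import ipaddress
import re

# Constructed sample: the "main" routing table of the control node as shown
# in the post, and the quoted metadata DNAT rule in "iptables -t nat -S" form.
ROUTE_TABLE = """\
default via 192.168.126.1 dev brqc0d4b1ba-e6  metric 100
127.0.0.0/8 dev lo  scope link
192.168.124.0/24 dev bond0  proto kernel  scope link  src 192.168.124.81
192.168.126.0/24 dev brqc0d4b1ba-e6  proto kernel  scope link  src 192.168.126.2
"""

NAT_RULES = """\
-P PREROUTING ACCEPT
-A PREROUTING -j nova-api-PREROUTING
-A nova-api-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.124.81:8775
"""


def parse_routes(text):
    """Turn 'ip route list' lines into (network, via, dev) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        prefix = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(prefix, strict=False)
        via = fields[fields.index("via") + 1] if "via" in fields else None
        dev = fields[fields.index("dev") + 1]
        routes.append((net, via, dev))
    return routes


def lookup(routes, dst):
    """Longest-prefix match, i.e. the route the kernel picks for a reply to dst."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r[0]]
    return max(candidates, key=lambda r: r[0].prefixlen, default=None)


def metadata_dnat_target(nat_rules):
    """Return the DNAT destination for 169.254.169.254:80, or None if no rule exists."""
    pat = re.compile(
        r"-d 169\.254\.169\.254(?:/32)? .*--dport 80 .*-j DNAT --to-destination (\S+)"
    )
    for line in nat_rules.splitlines():
        m = pat.search(line)
        if m:
            return m.group(1)
    return None
```

Running lookup() on an instance address such as 192.168.123.7 against this table matches only the default route via 192.168.126.1, which is exactly why the DNAT'ed replies leave toward the external router instead of VLAN 115.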