I used the same template as yesterday and it shows again the same error.
Success: Blueprint Instance CBinstance status.
Description: Create environment CBinstance
Status: ERROR
Error: The Environment CBinstance is Invalid
In the nova-api.log I see the following ERROR:
2015-06-19 10:03:25.389 5464 ERROR nova.network.security_group.neutron_driver [req-3ce97239-520f-4247-a5a5-1e2200faae55 None] Neutron Error adding rules to security group sg_00000000000000000000000000003233_CBinstance-orion-1-003233
I see that the security rule is existing for the user:
tgu@potemkin:~$ nova secgroup-list
--------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------
b37e54ac-e3dc-4dc1-aee9-695f58c4a0b9 | default | default |
05c3026f-db5a-445e-8e3e-bbf9ea4a8c4f | sg_00000000000000000000000000003233_CB-tgu-orion-1-003233 | descripcion |
20e77527-99cd-4355-8c67-2956ebd57494 | sg_00000000000000000000000000003233_CB4tgu-orion-1-003233 | descripcion |
aed8b799-a662-4e38-a36e-0edc6a31b763 | sg_00000000000000000000000000003233_CBinstance-orion-1-003233 | descripcion |
268ec2b3-90e9-4987-b302-3001b8e4c07c | sg_00000000000000000000000000003233_IoTVM-IoTBroker-1-003233 | descripcion |
ef33b23e-2376-4798-8780-a7dbe4733c4e | sg_00000000000000000000000000003233_IoTVM-IoTBroker-1-003233 | descripcion |
--------------------------------------------------------------------------------------------------------------
But it seems that because of the currently configured neutron quota, the user is not able to add security rules. Therefore I tried to force the issue through CLI.
tgu@potemkin:~$ nova secgroup-list-rules aed8b799-a662-4e38-a36e-0edc6a31b763
-------------------------------------------------
IP Protocol | From Port | To Port | IP Range | Source Group |
-------------------------------------------------
-------------------------------------------------
tgu@potemkin:~$ nova secgroup-add-rule aed8b799-a662-4e38-a36e-0edc6a31b763 tcp 22 22 0.0.0.0/0
ERROR: Quota exceeded for resources: ['security_group_rule'] (HTTP 403) (Request-ID: req-805a10d2-4afb-4935-8a3a-4c2692d98da8)
Then I verified the configured neutron quota:
tgu@potemkin:~$ neutron quota-show
--------------------------+
--------------------------+
floatingip | 10 |
network | 5 |
port | 30 |
router | 5 |
security_group | 10 |
security_group_rule | 10 |
subnet | 5 |
--------------------------+
It seems that the parameters security_group and security_group_rule don't have to have the same value.
I increased the value for security_group_rule to 20.
root@xifi-juno-ctrl:~# neutron quota-update --security_group_rule 20 --tenant-id 00000000000000000000000000003233
--------------------------+
--------------------------+
floatingip | 10 |
network | 5 |
port | 30 |
router | 5 |
security_group | 10 |
security_group_rule | 20 |
subnet | 5 |
--------------------------+
Now I was able to add a rule to the security group via CLI.
tgu@potemkin:~$ nova secgroup-add-rule aed8b799-a662-4e38-a36e-0edc6a31b763 tcp 22 22 0.0.0.0/0
--------------------------------------------------
IP Protocol | From Port | To Port | IP Range | Source Group |
--------------------------------------------------
--------------------------------------------------
Next step was to launch again a Blueprint.
There again I reached some quota limit, which I don't understand.
I currently have neutron and nova quota configured to 10 security_groups and 20 security_group_rule. There were only 7 security rules available, while running the test.
tgu@potemkin:~$ nova secgroup-list
----------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------
b37e54ac-e3dc-4dc1-aee9-695f58c4a0b9 | default | default |
05c3026f-db5a-445e-8e3e-bbf9ea4a8c4f | sg_00000000000000000000000000003233_CB-tgu-orion-1-003233 | descripcion |
20e77527-99cd-4355-8c67-2956ebd57494 | sg_00000000000000000000000000003233_CB4tgu-orion-1-003233 | descripcion |
aed8b799-a662-4e38-a36e-0edc6a31b763 | sg_00000000000000000000000000003233_CBinstance-orion-1-003233 | descripcion |
9b46679d-e582-4d07-bbd0-5215fb1293ec | sg_00000000000000000000000000003233_ContexBroker-orion-1-003233 | descripcion |
268ec2b3-90e9-4987-b302-3001b8e4c07c | sg_00000000000000000000000000003233_IoTVM-IoTBroker-1-003233 | descripcion |
ef33b23e-2376-4798-8780-a7dbe4733c4e | sg_00000000000000000000000000003233_IoTVM-IoTBroker-1-003233 | descripcion |
----------------------------------------------------------------------------------------------------------------
I would propose that security rules for Blueprint instances be deleted during termination of blueprint instances.
After I deleted the obsolete security rules the launch of the Blueprint instance seems to be successful.
Success: Blueprint Instance test-2 status.
Description: Create environment test-2
Status: RUNNING
I'm wondering why the Status still shows INSTALLING. Is this the expected behavior?
See attachment.
Thanks for pointing in the right direction.
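An added example, not part of the original report or of any project's code: a quota audit that counts every Neutron security group rule, including the egress rules Neutron creates with each new group, and lists the rules still held by groups left over from terminated Blueprint instances. The group IDs, the rule records, the set of live instances and the instance_of helper are constructed for illustration; the name pattern is inferred from the listings above.

```python
from collections import Counter

# Constructed sample data. Names follow the page's sg_<tenant>_<instance>-<tier>-1-<suffix>
# pattern (an inference from its listings); the IDs are placeholders, not the page's UUIDs.
TENANT = "00000000000000000000000000003233"
GROUPS = {
    "sg-a": "default",
    "sg-b": f"sg_{TENANT}_CB-tgu-orion-1-003233",
    "sg-c": f"sg_{TENANT}_CBinstance-orion-1-003233",
    "sg-d": f"sg_{TENANT}_IoTVM-IoTBroker-1-003233",
}

def default_rules(group_id, is_default=False):
    """Rules Neutron creates with a group: one egress rule per ethertype, plus
    one ingress-from-self rule per ethertype on the tenant's default group."""
    directions = ["egress"] + (["ingress"] if is_default else [])
    return [{"security_group_id": group_id, "direction": d, "ethertype": e}
            for d in directions for e in ("IPv4", "IPv6")]

RULES = [r for gid, name in GROUPS.items()
         for r in default_rules(gid, name == "default")]
# The rule added by hand on the page: tcp/22 ingress on the CBinstance group.
RULES.append({"security_group_id": "sg-c", "direction": "ingress", "ethertype": "IPv4"})

def instance_of(group_name):
    """Blueprint instance name embedded in a group name (hypothetical helper)."""
    return group_name.split("_", 2)[2].rsplit("-", 3)[0]

def rule_quota_report(groups, rules, rule_quota, live_instances):
    """Count every rule, egress included, against the quota and list the rules
    held by groups whose Blueprint instance is no longer running."""
    per_group = Counter(r["security_group_id"] for r in rules)
    stale = {gid: per_group[gid] for gid, name in groups.items()
             if name != "default" and instance_of(name) not in live_instances}
    used = sum(per_group.values())
    return {"used": used, "over_quota": used > rule_quota, "stale": stale,
            "used_after_cleanup": used - sum(stale.values())}

if __name__ == "__main__":
    # live_instances is an assumption: only CBinstance is still deployed.
    print(rule_quota_report(GROUPS, RULES, rule_quota=10, live_instances={"CBinstance"}))
```

With these four constructed groups and a single hand-added ingress rule, the count already passes a security_group_rule quota of 10; removing the two stale groups brings it back under.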
Hi Henar, yesterday I was able to solve the issue. I had to reduce the MTU size of eth0 on the VM that was launched through Blueprint. We already had other connectivity issues wrt MTU size and the reason seems to be that we are using GRE tunneling. Now I've configured the dhcp-option-force=26,1456 for the dnsmasq. This will set the MTU size of the interfaces from new VMs to this value and this seems to solve the connectivity issues.
Thanks again for your support.