openstack on hetzner

If you want to run your own private cloud hetzner might be good pick nice machines there(not an advertisement :-D).

So how to do it?
Openstack consist of several components and it is arguably large software by todays standards.
Getting that to run can be either done manually or by automation.
If you do it manually you would have to go trough setting up individual openstack components and making everything work right.
Alternative to manual setup is using distirbutions like RDO. What is good about them is that they come from group of people that maintain it and from company like RedHat.
RDO has bunch of puppet scripts that install the thing for you.
So the meat of this post is going to be of how to get your private cloud connected to internet on hetzner.
It might be simple for experienced experts but I am not one of them :-D.

First install centos7 on your hetzner box

Then install firewall for example system-config-firewall-tui

after you complete openstack installation make sure to close ports since you do not want someone bruteforcing the password on your open server

So to install openstack go here

sudo yum update -y
sudo yum install -y
sudo yum install -y openstack-packstack
packstack --allinone

That will create two bridges br-int and br-ex.
br-int is connection between vm instances.
br-ex is connection to external network.
br-ex has different subnet and br-int is
so what one usually wants to do is to use internet from those vm’s.

So here is network setup that works.
We basicly want to route traffic from internal interface(one’s created by openstack) and use main server’s interface as a gateway.
Well that sounds simple to experienced network guy. Just set up the machine as router and set up gateway and bam. Well if you did not spend much time with networking here are the steps to do it. There are most probably plenty of ways to do it and I might have made a mess of my networking setup but I will describe the setup that works.

First use bridged networking setup as described here at the bottom.
What that will do is that the bridge created will be the main interface eth0 will be attached to it and you can plug in stuff to that bridge so it is connected to eth0.
We want to connect stuff to eth0 and that is the main reason why we do it.

Next we now want to route traffic from openstack bridges to this new bridge and this new bridge is to be used as gateway to internet it will be NAT-ed.

so here is how you setup iptables for NAT


iptables -I FORWARD -i $internal -o $external -j ACCEPT
iptables -I FORWARD -i $external -o $internal -m state –state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $external -j MASQUERADE

if you put this in a script called you can then use it like br-ex br0

FORWARD chain makes it that bridge does not try to ask which machine has this ip but instead to send it to gateway FORWARD chain contains the rules that determine what gets routed trought machine
so it is important to have those rules before those that will reject the traffic(they might be set by the firewall)
now while I was trying to do this I might created some unessesary things I am not sure since I am not going to restart my machine now.
What was done is that two veth pairs were used to connect br-int to br0 and br-ex to br0.

I’ve also set ip) on br-in
and to br-ex
to do that you use

ip address add dev br-ex

ip address add dev br-int

to add veth pairs

ip link add dev vm1 type veth peer name vm2
ip link add dev vm11 type veth peer name vm12

ovs-vsctl add-port br-int vm11

ip link set vm12 master br0

ovs-vsctl add-port br-ex vm1

ip link set vm2 master br0

I’ve changed settings back and forth I might left out something from here I did not try to see what is minimal setup.
If this does not work you can write in the comments.
Also here are some debugging tips.

1. Use tcpdump and listen on all the interfaces

2. if you see ARP requests that means your FORWARDING rules are not working you need to make sure they are before the rest.

3. Make sure you have forwarding turned on for your kernel

this should be done already in this process
now you should be able to curl from one of the interfaces in your vm’s
if it does not work comment

Leave a Comment