The setup is as follows: workstation <-> MAAS server <-> 3 VMs (instances)
The MAAS server and the VMs are deployed in vSphere.
eth1 on the MAAS server has 10.4.xx and acts as the DHCP manager for the VMs. My workstation's IP is 10.xxx, and I am able to ssh to the MAAS server and the VMs. I have a dedicated compute node; the network node has two interfaces. eth0 (br0) has an IP address from the MAAS server, and eth1 (br-ex) gets a publicly reachable IP address from the 192.168.xx range (the external network).
The problem is that I cannot connect to the instances directly from my workstation or from any other terminal on our network. I have determined that the problem is in the router namespace. I cannot ping 8.8.8.8 from the neutron router namespace. It can ping br-ex, but when I ping 192.168.x.1 it shows "Destination unreachable". Please see the output of the following commands:
ip netns
qrouter-1ff7cd3f-7d73-4c7a-a9aa-0f8efb14a718
ip netns exec qrouter-1ff7cd3f-7d73-4c7a-a9aa-0f8efb14a718 ifconfig
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:16 errors:0 dropped:0 overruns:0 frame:0
TX packets:16 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1776 (1.7 KB) TX bytes:1776 (1.7 KB)
qg-80014d1d-df Link encap:Ethernet HWaddr fa:16:3e:b8:62:2e
inet addr:192.168.xx Bcast:192.168.x.255 Mask:255.255.255.0
inet6 addr: fe80::f816:3eff:feb8:622e/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:21036 errors:0 dropped:0 overruns:0 frame:0
TX packets:3095 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:4857288 (4.8 MB) TX bytes:1047570 (1.0 MB)
ip netns exec qrouter-1ff7cd3f-7d73-4c7a-a9aa-0f8efb14a718 ip route list
default via 192.168.x.1 dev qg-80014d1d-df
192.168.x.0/24 dev qg-80014d1d-df proto kernel scope link src 192.168.xx
I have seen neutron setups where the router interface (qg-80014d1d-df) is included in the bridge br-ex. Also, the neutron troubleshooting guide on openstack.org shows that br-ex should contain the "qg" interface.
But on my node it looks different:
ovs-vsctl show
f50f0af5-a5ab-4ab8-935a-9eaf71b40eea
Bridge br-int
fail_mode: secure
Port br-int
Interface br-int
type: internal
Port patch-tun
Interface patch-tun
type: patch
options: {peer=patch-int}
Bridge br-ex
Port "tap80014d1d-df"
Interface "tap80014d1d-df"
Port br-ex
Interface br-ex
type: internal
Port "eth1"
Interface "eth1"
Bridge br-tun
Port br-tun
Interface br-tun
type: internal
Port patch-int
Interface patch-int
type: patch
options: {peer=patch-tun}
Port "gre-0a04546a"
Interface "gre-0a04546a"
type: gre
options: {in_key=flow, local_ip="10.4.x.x", out_key=flow, remote_ip="10.4.x.x"}
ovs_version: "2.0.2"
Here br-ex does get an extra interface, but it is a "tap". However, the numeric part of this "tap" and of the "qg" interface is the same. I checked the log files on the compute node and the controller but did not find anything significant. I can spawn instances and assign floating IPs to them. I can also ping br-ex, but not the router interface in it. I am not sure whether the problem is caused by the "tap" interface, but there is no traffic between the router namespace and the outside world. It also occurred to me to wonder whether the problem is caused by VMware vSphere!!!
It should be noted that when this output was posted, only the external network and the router were used to check connectivity. There were no instances or internal networks.
I have been stuck on this problem. Any suggestions would be greatly appreciated.
Answer 1
My setup is very similar, so I will show you my configuration; maybe it will help you.
All nodes are deployed with MAAS and Juju, and each node has two interfaces:
- eth0 - wake on LAN, LAN boot, maas network - 10.5.0.0/16, gw 10.5.0.1
- eth1 - external corporate network - 172.16.62.0/24 gw 172.16.62.254
I installed OpenStack following this guide:
http://linux.dell.com/files/whitepapers/Deploying_Workloads_With_Juju_And_MAAS-14.04LTS-Edition.pdf
h20564.www2.hp.com/hpsc/doc/public/display?docId=c04330703 (I cannot paste it as a link because my askubuntu reputation is low)
My network settings on a normal node:
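The question hinges on three pieces of evidence: which ports br-ex actually carries, the name of the router namespace's gateway port, and whether the namespace's default gateway is reachable from that port's subnet. The following script, which is an added example and not part of the original post, cross-checks those three from flattened `ovs-vsctl show`, `ip a` and `ip r` text and reports each condition a working external path needs: the physical uplink attached to br-ex, an OVS port whose id suffix matches the namespace's qg- port (the port is listed as tap<id> in OVS on this page, with the same id as qg-<id>), and a default gateway inside the qg- interface's subnet. The sample text is constructed from the working configuration posted in the answer on this page; the function names are my own.

```python
import ipaddress
import re

# Constructed sample input: the working network node's outputs as posted in the
# answer on this page, flattened the way the page shows them (indentation lost).
OVS_SHOW = """b4a92be0-56d3-4cd5-b113-9657c21daf8a
Bridge br-ex
Port br-ex
Interface br-ex
type: internal
Port "tapf199827f-4f"
Interface "tapf199827f-4f"
Port "eth1"
Interface "eth1"
Bridge br-int
fail_mode: secure
Port "tap08438cff-fc"
tag: 1
Port br-int
type: internal
"""

ROUTER_IP_A = """1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
inet 127.0.0.1/8 scope host lo
2: qr-08438cff-fc: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
inet 192.168.0.1/24 brd 192.168.0.255 scope global qr-08438cff-fc
3: qg-f199827f-4f: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
inet 172.16.62.193/26 brd 172.16.62.255 scope global qg-f199827f-4f
inet 172.16.62.194/32 brd 172.16.62.194 scope global qg-f199827f-4f
"""

ROUTER_IP_R = """default via 172.16.62.254 dev qg-f199827f-4f
172.16.62.192/26 dev qg-f199827f-4f proto kernel scope link src 172.16.62.193
192.168.0.0/24 dev qr-08438cff-fc proto kernel scope link src 192.168.0.1
"""


def parse_ovs_show(text):
    """Map each OVS bridge name to the set of port names attached to it."""
    bridges, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Bridge "):
            current = line.split(None, 1)[1].strip('"')
            bridges[current] = set()
        elif line.startswith("Port ") and current is not None:
            bridges[current].add(line.split(None, 1)[1].strip('"'))
    return bridges


def parse_ip_addr(text):
    """Map each interface in the namespace to its IPv4 addresses (with prefix length)."""
    ifaces, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\d+:\s+([^:\s]+):", line)
        if m:
            current = m.group(1)
            ifaces[current] = []
            continue
        m = re.match(r"\s*inet\s+(\S+)", line)
        if m and current is not None:
            ifaces[current].append(ipaddress.ip_interface(m.group(1)))
    return ifaces


def parse_default_route(text):
    """Return (gateway address, device) from 'ip r' output, or (None, None)."""
    for line in text.splitlines():
        m = re.match(r"default via (\S+) dev (\S+)", line.strip())
        if m:
            return ipaddress.ip_address(m.group(1)), m.group(2)
    return None, None


def check_external_path(ovs_text, ip_a_text, ip_r_text, ext_bridge="br-ex", uplink="eth1"):
    """Return a list of findings; an empty list means the external path looks consistent."""
    findings = []
    ext_ports = parse_ovs_show(ovs_text).get(ext_bridge, set())
    if uplink not in ext_ports:
        findings.append(f"{ext_bridge} has no uplink port {uplink}")
    gw, gw_dev = parse_default_route(ip_r_text)
    if gw_dev is None:
        findings.append("router namespace has no default route")
        return findings
    # Neutron names the router's external port qg-<id>; in OVS the same port may be
    # listed as tap<id> (as on this page) or as qg-<id>, so accept either spelling.
    suffix = gw_dev.split("-", 1)[1] if gw_dev.startswith("qg-") else gw_dev
    if not ({gw_dev, "tap" + suffix} & ext_ports):
        findings.append(f"gateway port {gw_dev} has no matching port on {ext_bridge}")
    # Floating IPs are /32 aliases on the same qg- port; only subnet addresses count here.
    subnets = [a.network for a in parse_ip_addr(ip_a_text).get(gw_dev, []) if a.network.prefixlen < 32]
    if not subnets:
        findings.append(f"{gw_dev} carries no subnet address")
    elif not any(gw in n for n in subnets):
        findings.append(f"default gateway {gw} is outside the subnet(s) of {gw_dev}")
    return findings


if __name__ == "__main__":
    for finding in check_external_path(OVS_SHOW, ROUTER_IP_A, ROUTER_IP_R) or ["external path looks consistent"]:
        print(finding)
```

On a real node, feed it the output of `sudo ovs-vsctl show` and of `sudo ip netns exec qrouter-<id> ip a` / `ip r`. A gateway that is inside the qg- subnet but still unreachable, as in the question, points past this layer to the uplink itself (the eth1 port on br-ex and whatever the hypervisor does with traffic from that port), which is exactly where the vSphere question comes in.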
#/etc/network/interfaces
auto lo
auto eth0
iface eth0 inet manual
auto juju-br0
iface juju-br0 inet dhcp
bridge_ports eth0
auto eth1
iface eth1 inet static
address 172.16.62.10
netmask 255.255.255.0
#gateway commented
#gateway 172.16.62.254
$ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.5.0.1 0.0.0.0 UG 0 0 0 juju-br0
10.5.0.0 0.0.0.0 255.255.0.0 U 0 0 0 juju-br0
172.16.62.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
On the network (neutron/quantum) node:
#/etc/network/interfaces
auto lo
auto eth0
iface eth0 inet manual
auto juju-br0
iface juju-br0 inet dhcp
bridge_ports eth0
auto eth1
iface eth1 inet manual
up ip link set dev $IFACE up
down ip link set dev $IFACE down
$ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.5.0.1 0.0.0.0 UG 0 0 0 juju-br0
10.5.0.0 0.0.0.0 255.255.0.0 U 0 0 0 juju-br0
On the network node I also edited /etc/sysctl.conf and uncommented these lines:
net.ipv4.ip_forward=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
Then reloaded them:
# sysctl -p
After enlisting the nodes in MAAS, I started deploying the Juju OpenStack charms.
OpenStack configuration via Horizon after installation:
As admin I did:
- uploaded the cirros image,
- created a new tenant and user
- created a new external network in my corporate range 172.16.62.192/26, not overlapping with the normal DHCP address pool (i.e. 172.16.62.10 - 172.16.62.100)
- created a router and set its gateway to the external network
As the user I did:
- created a new private network 192.168.0.1
- added a new interface (created in the previous step) to the router
- launched a new instance
- changed the default security group to allow ICMP (ping) and ssh connections
After deployment the network configuration looks like this:
#list of ovs ports
ubuntu@fair-stone:~$ sudo ovs-vsctl show
b4a92be0-56d3-4cd5-b113-9657c21daf8a
Bridge br-ex
Port br-ex
Interface br-ex
type: internal
Port "tapf199827f-4f" #interface appears after creation new
Interface "tapf199827f-4f"
Port "eth1"
Interface "eth1"
Bridge br-tun
Port br-tun
Interface br-tun
type: internal
Port "gre-0a050104"
Interface "gre-0a050104"
type: gre
options: {in_key=flow, local_ip="10.5.1.1", out_key=flow, remote_ip="10.5.1.4"}
Port patch-int
Interface patch-int
type: patch
options: {peer=patch-tun}
Bridge br-int
fail_mode: secure
Port patch-tun
Interface patch-tun
type: patch
options: {peer=patch-int}
Port "tap08438cff-fc"
tag: 1
Interface "tap08438cff-fc"
Port "tap592b1f29-da"
tag: 1
Interface "tap592b1f29-da"
Port br-int
Interface br-int
type: internal
ovs_version: "2.0.2"
Network namespaces
ubuntu@fair-stone:~$ ip netns list
qdhcp-9d699ab8-940b-478e-ac98-ba3fd38e5d9d
qrouter-a2e0f664-e969-4df1-a2df-16adfbe82cf3
List of interfaces in the qrouter-xxx namespace
ubuntu@fair-stone:~$ sudo ip netns exec qrouter-a2e0f664-e969-4df1-a2df-16adfbe82cf3 ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: qr-08438cff-fc: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether fa:16:3e:61:dd:b7 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.1/24 brd 192.168.0.255 scope global qr-08438cff-fc
valid_lft forever preferred_lft forever
inet6 fe80::f816:3eff:fe61:ddb7/64 scope link
valid_lft forever preferred_lft forever
3: qg-f199827f-4f: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether fa:16:3e:1b:c3:d7 brd ff:ff:ff:ff:ff:ff
inet 172.16.62.193/26 brd 172.16.62.255 scope global qg-f199827f-4f #router interface
valid_lft forever preferred_lft forever
inet 172.16.62.194/32 brd 172.16.62.194 scope global qg-f199827f-4f #instance floating ip address
valid_lft forever preferred_lft forever
inet6 fe80::f816:3eff:fe1b:c3d7/64 scope link
valid_lft forever preferred_lft forever
Routing table in the qrouter-xxxx namespace
ubuntu@fair-stone:~$ sudo ip netns exec qrouter-a2e0f664-e969-4df1-a2df-16adfbe82cf3 ip r
default via 172.16.62.254 dev qg-f199827f-4f
172.16.62.192/26 dev qg-f199827f-4f proto kernel scope link src 172.16.62.193
192.168.0.0/24 dev qr-08438cff-fc proto kernel scope link src 192.168.0.1
iptables in the qrouter-xxx namespace
ubuntu@fair-stone:~$ sudo ip netns exec qrouter-a2e0f664-e969-4df1-a2df-16adfbe82cf3 iptables -t nat -L -nv
Chain PREROUTING (policy ACCEPT 1721 packets, 628K bytes)
pkts bytes target prot opt in out source destination
1848 635K neutron-vpn-agen-PREROUTING all -- * * 0.0.0.0/0 0.0.0.0/0
Chain INPUT (policy ACCEPT 908 packets, 372K bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 8 packets, 542 bytes)
pkts bytes target prot opt in out source destination
8 542 neutron-vpn-agen-OUTPUT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 98 packets, 6014 bytes)
pkts bytes target prot opt in out source destination
108 6773 neutron-vpn-agen-POSTROUTING all -- * * 0.0.0.0/0 0.0.0.0/0
104 6485 neutron-postrouting-bottom all -- * * 0.0.0.0/0 0.0.0.0/0
Chain neutron-postrouting-bottom (1 references)
pkts bytes target prot opt in out source destination
104 6485 neutron-vpn-agen-snat all -- * * 0.0.0.0/0 0.0.0.0/0
Chain neutron-vpn-agen-OUTPUT (1 references)
pkts bytes target prot opt in out source destination
0 0 DNAT all -- * * 0.0.0.0/0 172.16.62.194 to:192.168.0.3
Chain neutron-vpn-agen-POSTROUTING (1 references)
pkts bytes target prot opt in out source destination
4 288 ACCEPT all -- !qg-f199827f-4f !qg-f199827f-4f 0.0.0.0/0 0.0.0.0/0 ! ctstate DNAT
Chain neutron-vpn-agen-PREROUTING (1 references)
pkts bytes target prot opt in out source destination
15 900 REDIRECT tcp -- * * 0.0.0.0/0 169.254.169.254 tcp dpt:80 redir ports 9697
97 5940 DNAT all -- * * 0.0.0.0/0 172.16.62.194 to:192.168.0.3
Chain neutron-vpn-agen-float-snat (1 references)
pkts bytes target prot opt in out source destination
6 471 SNAT all -- * * 192.168.0.3 0.0.0.0/0 to:172.16.62.194
Chain neutron-vpn-agen-snat (1 references)
pkts bytes target prot opt in out source destination
104 6485 neutron-vpn-agen-float-snat all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 SNAT all -- * * 192.168.0.0/24 0.0.0.0/0 to:172.16.62.193
iptables nat rules in the qrouter-xxx namespace
ubuntu@fair-stone:~$ sudo ip netns exec qrouter-a2e0f664-e969-4df1-a2df-16adfbe82cf3 iptables -S -t nat
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N neutron-postrouting-bottom
-N neutron-vpn-agen-OUTPUT
-N neutron-vpn-agen-POSTROUTING
-N neutron-vpn-agen-PREROUTING
-N neutron-vpn-agen-float-snat
-N neutron-vpn-agen-snat
-A PREROUTING -j neutron-vpn-agen-PREROUTING
-A OUTPUT -j neutron-vpn-agen-OUTPUT
-A POSTROUTING -j neutron-vpn-agen-POSTROUTING
-A POSTROUTING -j neutron-postrouting-bottom
-A neutron-postrouting-bottom -j neutron-vpn-agen-snat
-A neutron-vpn-agen-OUTPUT -d 172.16.62.194/32 -j DNAT --to-destination 192.168.0.3
-A neutron-vpn-agen-POSTROUTING ! -i qg-f199827f-4f ! -o qg-f199827f-4f -m conntrack ! --ctstate DNAT -j ACCEPT
-A neutron-vpn-agen-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697
-A neutron-vpn-agen-PREROUTING -d 172.16.62.194/32 -j DNAT --to-destination 192.168.0.3
-A neutron-vpn-agen-float-snat -s 192.168.0.3/32 -j SNAT --to-source 172.16.62.194
-A neutron-vpn-agen-snat -j neutron-vpn-agen-float-snat
-A neutron-vpn-agen-snat -s 192.168.0.0/24 -j SNAT --to-source 172.16.62.193
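The nat table above is what makes a floating IP work: a DNAT rule in both PREROUTING (forwarded traffic) and OUTPUT (traffic the router itself originates) maps the floating address to the instance's fixed address, a per-instance SNAT in the float-snat chain maps replies back, and a subnet-wide SNAT to the router's gateway address covers instances that have no floating IP. The script below, an added example that is not part of the answer, parses an `iptables -S -t nat` listing and reports any floating IP that is only half wired (DNAT without its SNAT, SNAT without its DNAT, or a DNAT missing from one of the two chains), which is the kind of inconsistency a stale or failed agent update leaves behind. The sample rules are the ones posted in the answer; the function names and the `private_cidr` parameter are my own.

```python
import re

# Constructed sample input: the 'iptables -S -t nat' listing from the router
# namespace as posted in the answer above (one floating IP, one private subnet).
IPTABLES_NAT = """-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N neutron-postrouting-bottom
-N neutron-vpn-agen-OUTPUT
-N neutron-vpn-agen-POSTROUTING
-N neutron-vpn-agen-PREROUTING
-N neutron-vpn-agen-float-snat
-N neutron-vpn-agen-snat
-A PREROUTING -j neutron-vpn-agen-PREROUTING
-A OUTPUT -j neutron-vpn-agen-OUTPUT
-A POSTROUTING -j neutron-vpn-agen-POSTROUTING
-A POSTROUTING -j neutron-postrouting-bottom
-A neutron-postrouting-bottom -j neutron-vpn-agen-snat
-A neutron-vpn-agen-OUTPUT -d 172.16.62.194/32 -j DNAT --to-destination 192.168.0.3
-A neutron-vpn-agen-POSTROUTING ! -i qg-f199827f-4f ! -o qg-f199827f-4f -m conntrack ! --ctstate DNAT -j ACCEPT
-A neutron-vpn-agen-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697
-A neutron-vpn-agen-PREROUTING -d 172.16.62.194/32 -j DNAT --to-destination 192.168.0.3
-A neutron-vpn-agen-float-snat -s 192.168.0.3/32 -j SNAT --to-source 172.16.62.194
-A neutron-vpn-agen-snat -j neutron-vpn-agen-float-snat
-A neutron-vpn-agen-snat -s 192.168.0.0/24 -j SNAT --to-source 172.16.62.193
"""

DNAT_RE = re.compile(r"^-A (\S+) -d (\S+)/32 -j DNAT --to-destination (\S+)$")
SNAT_RE = re.compile(r"^-A (\S+) -s (\S+)/(\d+) -j SNAT --to-source (\S+)$")


def parse_nat_rules(text):
    """Collect floating-IP DNAT rules, per-instance SNAT rules and subnet-wide SNAT rules."""
    dnat = {}          # (floating, fixed) -> set of chains carrying the DNAT
    float_snat = {}    # fixed -> floating
    subnet_snat = {}   # private cidr -> router gateway address
    for line in text.splitlines():
        m = DNAT_RE.match(line)
        if m:
            dnat.setdefault((m.group(2), m.group(3)), set()).add(m.group(1))
            continue
        m = SNAT_RE.match(line)
        if m:
            src, plen, to = m.group(2), int(m.group(3)), m.group(4)
            if plen == 32:
                float_snat[src] = to
            else:
                subnet_snat[f"{src}/{plen}"] = to
    return dnat, float_snat, subnet_snat


def floating_ip_map(text):
    """Return {floating_ip: fixed_ip} as the DNAT rules define it."""
    return {floating: fixed for (floating, fixed) in parse_nat_rules(text)[0]}


def audit_floating_nat(text, private_cidr):
    """Return findings; an empty list means every floating IP is wired in both directions."""
    dnat, float_snat, subnet_snat = parse_nat_rules(text)
    findings = []
    for (floating, fixed), chains in dnat.items():
        # Inbound translation is needed for forwarded traffic (PREROUTING) and for
        # traffic the router itself originates (OUTPUT).
        if not any(c.endswith("PREROUTING") for c in chains):
            findings.append(f"{floating}: DNAT missing from PREROUTING")
        if not any(c.endswith("OUTPUT") for c in chains):
            findings.append(f"{floating}: DNAT missing from OUTPUT")
        if float_snat.get(fixed) != floating:
            findings.append(f"{floating}->{fixed}: no matching SNAT (outbound traffic would use the router address)")
    expected = floating_ip_map(text)
    for fixed, floating in float_snat.items():
        if expected.get(floating) != fixed:
            findings.append(f"{fixed}->{floating}: SNAT without matching DNAT (stale floating IP?)")
    if private_cidr not in subnet_snat:
        findings.append(f"no subnet-wide SNAT for {private_cidr}; instances without a floating IP cannot reach outside")
    return findings


if __name__ == "__main__":
    print(floating_ip_map(IPTABLES_NAT))
    print(audit_floating_nat(IPTABLES_NAT, "192.168.0.0/24") or ["NAT rules consistent"])
```

Run it against `sudo ip netns exec qrouter-<id> iptables -S -t nat` and pass the tenant subnet as `private_cidr`. The audit deliberately ignores the metadata REDIRECT and the conntrack ACCEPT rule, which are not per-floating-IP state; it only pairs the DNAT and SNAT entries, because those are the two that have to agree for a floating IP to work in both directions.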