Views: 1495 | Replies: 3

Adding an ingress security group rule for VRRP on OpenStack


Posted by 管理员 (admin) on 2021-12-7 15:01:06
       valid_lft forever preferred_lft forever
[root@keepalievd-1 ~]# tcpdump -i eth1 vrrp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
15:01:31.166318 IP keepalievd-1.novalocal > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
15:01:32.166682 IP keepalievd-1.novalocal > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
15:01:33.167075 IP keepalievd-1.novalocal > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
^C

[root@keepalived-2 ~]# tcpdump -i eth1 vrrp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
15:01:22.170651 IP keepalived-2.novalocal > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 99, authtype simple, intvl 1s, length 20
15:01:23.171685 IP keepalived-2.novalocal > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 99, authtype simple, intvl 1s, length 20
15:01:24.172739 IP keepalived-2.novalocal > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 99, authtype simple, intvl 1s, length 20
15:01:25.173771 IP keepalived-2.novalocal > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 99, authtype simple, intvl 1s, length 20
15:01:26.174855 IP keepalived-2.novalocal > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 99, authtype simple, intvl 1s, length 20
^C

The keepalived VMs created on the OpenStack platform cannot exchange VRRP because the security group does not let it through; the ingress security group rules for VRRP need to be adjusted on OpenStack:

Direction   Ether Type   IP Protocol   Port Range   Remote IP Prefix
Ingress     IPv4         112           Any          192.168.0.0/24
Ingress     IPv4         112           Any          0.0.0.0/0

OP | Posted 2021-12-7 15:04:32
[root@keepalievd-1 ~]# tcpdump -i eth1 vrrp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
15:03:08.894788 IP keepalievd-1.novalocal > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
15:03:09.132334 IP 192.168.0.62 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 52, prio 2, authtype simple, intvl 1s, length 20
15:03:09.895798 IP keepalievd-1.novalocal > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
15:03:10.133082 IP 192.168.0.62 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 52, prio 2, authtype simple, intvl 1s, length 20
15:03:10.896827 IP keepalievd-1.novalocal > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
15:03:11.133514 IP 192.168.0.62 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 52, prio 2, authtype simple, intvl 1s, length 20
15:03:11.897792 IP keepalievd-1.novalocal > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
15:03:12.134724 IP 192.168.0.62 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 52, prio 2, authtype simple, intvl 1s, length 20

Second node:

[root@keepalived-2 ~]# tcpdump -i eth1 vrrp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
15:03:03.277349 IP 192.168.0.186 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
15:03:03.516783 IP 192.168.0.62 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 52, prio 2, authtype simple, intvl 1s, length 20
15:03:04.278375 IP 192.168.0.186 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
15:03:04.517146 IP 192.168.0.62 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 52, prio 2, authtype simple, intvl 1s, length 20
15:03:05.279264 IP 192.168.0.186 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
15:03:05.517812 IP 192.168.0.62 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 52, prio 2, authtype simple, intvl 1s, length 20
15:03:06.280214 IP 192.168.0.186 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
^C

The address is reachable now.
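What the two sets of captures show, as an added example that is not part of the OP's posts: before the rule change each node saw only its own advertisements and both kept advertising (keepalived-2 at prio 99 would have gone quiet had it heard prio 100), so both held MASTER for vrid 51 at once; afterwards keepalived-2 hears 192.168.0.186 and stops. The script below parses tcpdump's VRRPv2 lines and turns a pair of captures into that diagnosis. The sample captures are constructed from the thread's output; the assumption that 192.168.0.186 is keepalievd-1's eth1 address is mine (it is the only source advertising vrid 51 at prio 100 in the thread). It also lists which sources use "authtype simple", the VRRPv2 cleartext password that anyone on the segment can read straight out of the capture.

```python
"""Detect a VRRP split-brain from `tcpdump -i eth1 vrrp` output.

Added example, not code from the original post. It parses VRRPv2 advertisement
lines exactly as tcpdump prints them in the thread and compares what each
keepalived node sees on its own interface. Sample captures are constructed
from the thread's output, a few lines per node.
"""
import re

# One tcpdump VRRPv2 advertisement line, e.g.
# 15:01:31.166318 IP keepalievd-1.novalocal > vrrp.mcast.net: VRRPv2, Advertisement,
#   vrid 51, prio 100, authtype simple, intvl 1s, length 20
ADV_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+) > vrrp\.mcast\.net: "
    r"VRRPv(?P<ver>\d), Advertisement, vrid (?P<vrid>\d+), prio (?P<prio>\d+), "
    r"authtype (?P<auth>\S+), intvl (?P<intvl>\d+)s, length (?P<length>\d+)$"
)


def parse_advertisements(capture):
    """One dict per advertisement line; tcpdump's banner lines are skipped."""
    advs = []
    for line in capture.splitlines():
        m = ADV_RE.match(line.strip())
        if m:
            d = m.groupdict()
            for k in ("ver", "vrid", "prio", "intvl", "length"):
                d[k] = int(d[k])
            advs.append(d)
    return advs


def advertisers(capture, vrid):
    """Sources (hostname or IP, as tcpdump printed them) advertising `vrid`."""
    return {a["src"] for a in parse_advertisements(capture) if a["vrid"] == vrid}


def diagnose(vrid, cap_a, ids_a, cap_b, ids_b):
    """Combine the two nodes' captures for one VRID.

    ids_a / ids_b: the names tcpdump may print for node A / node B (hostname and
    IP; in the thread reverse DNS only resolves the local host).
    """
    seen_a, seen_b = advertisers(cap_a, vrid), advertisers(cap_b, vrid)
    a_talks, b_talks = bool(seen_a & ids_a), bool(seen_b & ids_b)
    a_hears_b, b_hears_a = bool(seen_a & ids_b), bool(seen_b & ids_a)
    if a_talks and b_talks:
        if not a_hears_b and not b_hears_a:
            # Both send, neither receives: the path between them is filtered,
            # so both hold MASTER and the VIP is claimed twice.
            return "split-brain"
        if a_hears_b != b_hears_a:
            return "one-way"        # e.g. the security group admits only one direction
        return "dual-master"        # both visible yet both advertising: priority/preempt conflict
    if a_talks and b_hears_a and not b_talks:
        return "ok: A master, B backup"
    if b_talks and a_hears_b and not a_talks:
        return "ok: B master, A backup"
    return "unknown"


def cleartext_auth_sources(capture):
    """Sources using 'authtype simple': the VRRP password travels in cleartext."""
    return sorted({a["src"] for a in parse_advertisements(capture) if a["auth"] == "simple"})


BANNER = ("tcpdump: verbose output suppressed, use -v or -vv for full protocol decode\n"
          "listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes\n")
LINE = ("{ts} IP {src} > vrrp.mcast.net: VRRPv2, Advertisement, vrid {vrid}, "
        "prio {prio}, authtype simple, intvl 1s, length 20\n")

# Before the security-group fix (thread's first post): each node sees only itself.
PRE_A = (BANNER + LINE.format(ts="15:01:31.166318", src="keepalievd-1.novalocal", vrid=51, prio=100)
         + LINE.format(ts="15:01:32.166682", src="keepalievd-1.novalocal", vrid=51, prio=100))
PRE_B = (BANNER + LINE.format(ts="15:01:22.170651", src="keepalived-2.novalocal", vrid=51, prio=99)
         + LINE.format(ts="15:01:23.171685", src="keepalived-2.novalocal", vrid=51, prio=99))
# After the fix (second post): node 2 hears 192.168.0.186 (prio 100) and goes quiet;
# 192.168.0.62 is an unrelated host on vrid 52.
POST_A = (BANNER + LINE.format(ts="15:03:08.894788", src="keepalievd-1.novalocal", vrid=51, prio=100)
          + LINE.format(ts="15:03:09.132334", src="192.168.0.62", vrid=52, prio=2))
POST_B = (BANNER + LINE.format(ts="15:03:03.277349", src="192.168.0.186", vrid=51, prio=100)
          + LINE.format(ts="15:03:03.516783", src="192.168.0.62", vrid=52, prio=2))
# Assumption: 192.168.0.186 is keepalievd-1's eth1 address (the only source advertising
# vrid 51 at prio 100 in the thread); keepalived-2's IP is never shown.
IDS_A = {"keepalievd-1.novalocal", "192.168.0.186"}
IDS_B = {"keepalived-2.novalocal"}

if __name__ == "__main__":
    print("before fix:", diagnose(51, PRE_A, IDS_A, PRE_B, IDS_B))
    print("after fix: ", diagnose(51, POST_A, IDS_A, POST_B, IDS_B))
    print("cleartext VRRP auth from:", cleartext_auth_sources(POST_B))
```

Run it against your own captures by feeding each node's tcpdump text to diagnose(); "one-way" is the result to expect when only one of the two security groups got the rule.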

OP | Posted 2021-12-7 15:10:16
Allowing the VRRP protocol in the security group
Navigate in the console: Project > Access & Security, search for the security group the VM belongs to, then click the Manage Rules button at the end of its row to open the rule list; click the Add Rule button, and in the dialog choose Other Protocol in the Rule drop-down, enter 112 in the Port text box, and finally click Add. # The VRRP protocol's port number is 112

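One way to check the rule without clicking through Horizon, as an added example that is not from the thread (it covers both the rule table in the first post and the Horizon steps above): VRRP is IP protocol number 112, not a TCP/UDP port, so the rule has to be an "Other Protocol" rule carrying 112 as the protocol. The script audits a security group's rule list for exactly that and flags rules that admit VRRP from 0.0.0.0/0 (the second rule in the first post), because VRRPv2 has only a cleartext "simple" password at best and any host that can reach the port could advertise a higher priority and take over the VIP. The record layout and column names are assumed from the output of `openstack security group rule list <sg> -f json` and may differ between client versions; the records themselves are constructed.

```python
"""Audit a Neutron security group for VRRP ingress from a keepalived peer.

Added example, not code from the thread. VRRP is IP protocol 112 and has no
TCP/UDP port, so only a protocol-112 (or any-protocol) ingress rule admits it.
Rule records are constructed in the shape `openstack security group rule list
<sg> -f json` prints; the column names used here ("ID", "Direction",
"Ethertype", "IP Protocol", "IP Range", "Port Range", "Remote Security Group")
are assumed from that command's output.
"""
import ipaddress

VRRP_PROTOCOL_NAMES = {"112", "vrrp"}      # Neutron accepts either spelling


def _remote_prefix(rule):
    """Remote CIDR of a rule; an empty "IP Range" means any source address."""
    return ipaddress.ip_network(rule.get("IP Range") or "0.0.0.0/0", strict=False)


def rule_admits_vrrp(rule, peer_ip, own_sg=None):
    """True if `rule` lets VRRP advertisements from `peer_ip` reach the instance."""
    if rule.get("Direction") != "ingress" or rule.get("Ethertype") != "IPv4":
        return False
    proto = (rule.get("IP Protocol") or "").lower()
    if proto and proto not in VRRP_PROTOCOL_NAMES:   # empty protocol = any protocol
        return False
    remote_sg = rule.get("Remote Security Group")
    if remote_sg:
        # "allow from members of group X" admits the peer only if it is in X
        return own_sg is not None and remote_sg == own_sg
    return ipaddress.ip_address(peer_ip) in _remote_prefix(rule)


def audit_vrrp(rules, peer_ip, peer_prefix, own_sg=None):
    """Summarise the VRRP posture towards one peer.

    peer_prefix is the subnet the keepalived pair shares; an admitting rule whose
    remote scope is wider than that is reported as over-permissive, because any
    host able to reach the port could then inject advertisements and take the VIP.
    """
    expected = ipaddress.ip_network(peer_prefix, strict=False)
    admitting = [r for r in rules if rule_admits_vrrp(r, peer_ip, own_sg)]
    too_wide = [r["ID"] for r in admitting
                if not r.get("Remote Security Group")
                and not _remote_prefix(r).subnet_of(expected)]
    return {"allowed": bool(admitting),
            "rule_ids": [r["ID"] for r in admitting],
            "over_permissive": too_wide}


def suggested_rule_command(sg, peer_prefix):
    """CLI equivalent of the Horizon steps in the thread, scoped to the peer subnet."""
    return ("openstack security group rule create --ingress --ethertype IPv4 "
            f"--protocol 112 --remote-ip {peer_prefix} {sg}")


# Constructed records: the first two mirror the two rules shown in the thread,
# the others are typical default rules.
RULES = [
    {"ID": "r-vrrp-lan", "Direction": "ingress", "Ethertype": "IPv4", "IP Protocol": "112",
     "IP Range": "192.168.0.0/24", "Port Range": "", "Remote Security Group": None},
    {"ID": "r-vrrp-any", "Direction": "ingress", "Ethertype": "IPv4", "IP Protocol": "112",
     "IP Range": "0.0.0.0/0", "Port Range": "", "Remote Security Group": None},
    {"ID": "r-ssh", "Direction": "ingress", "Ethertype": "IPv4", "IP Protocol": "tcp",
     "IP Range": "0.0.0.0/0", "Port Range": "22:22", "Remote Security Group": None},
    {"ID": "r-egress", "Direction": "egress", "Ethertype": "IPv4", "IP Protocol": None,
     "IP Range": "0.0.0.0/0", "Port Range": "", "Remote Security Group": None},
]

if __name__ == "__main__":
    # 192.168.0.186 is the peer address seen in the thread's second capture.
    print(audit_vrrp(RULES, "192.168.0.186", "192.168.0.0/24"))
    print(suggested_rule_command("keepalived-sg", "192.168.0.0/24"))
```

With the thread's two rules the audit reports VRRP as allowed and names r-vrrp-any as over-permissive; keeping only the 192.168.0.0/24 rule (or a remote-group rule pointing at the keepalived pair's own group) is what a reviewer would ask for.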
OP | Posted 2021-12-7 15:29:28
For load balancing, the G release already integrates the haproxy plugin, which wraps haproxy's configuration so that a load-balancing pool can be created conveniently through quantum, providing load balancing for VMs on the same or on different hosts.

In this mode, haproxy runs on the host.
Unfortunately, high availability for haproxy cannot yet be achieved through openstack.

To get high availability, the only option is to float a VIP inside the VMs.

But once a VM has been created, only the assigned IP can be used inside that VM instance.
This makes deploying HA by floating a VIP inside VMs infeasible.

Understandably, in a public cloud environment users cannot be allowed to configure arbitrary extra addresses inside VMs.
But ours is a private cloud, and this rule is a real nuisance in a private cloud environment.
When creating a VM in openstack, the NIC and IP address are specified with the --nic option of nova boot:
--nic net-id=${NETWORK_ID},v4-fixed-ip=${Host_IP}

Until then I had assumed the iptables rules were the cause, so I went through the iptables rules on the host:
root@node1:~# iptables -vnL
Chain INPUT (policy ACCEPT 3556K packets, 744M bytes)
 pkts bytes target                prot opt in              out             source               destination
1778K  372M nova-compute-INPUT    all  --  *               *               0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target                prot opt in              out             source               destination
  150 13488 nova-filter-top       all  --  *               *               0.0.0.0/0            0.0.0.0/0
    6  1392 nova-compute-FORWARD  all  --  *               *               0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 4208K packets, 567M bytes)
 pkts bytes target                prot opt in              out             source               destination
4202K  567M nova-filter-top       all  --  *               *               0.0.0.0/0            0.0.0.0/0
2106K  284M nova-compute-OUTPUT   all  --  *               *               0.0.0.0/0            0.0.0.0/0

Chain nova-compute-FORWARD (1 references)
 pkts bytes target                prot opt in              out             source               destination
    4  1312 ACCEPT                udp  --  *               *               0.0.0.0              255.255.255.255      udp spt:68 dpt:67
    2    80 ACCEPT                all  --  brq3eefcd79-07  *               0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT                all  --  *               brq3eefcd79-07  0.0.0.0/0            0.0.0.0/0

Chain nova-compute-INPUT (1 references)
 pkts bytes target                prot opt in              out             source               destination
    2   656 ACCEPT                udp  --  *               *               0.0.0.0              255.255.255.255      udp spt:68 dpt:67

Chain nova-compute-OUTPUT (1 references)
 pkts bytes target                prot opt in              out             source               destination

Chain nova-compute-inst-15 (1 references)
 pkts bytes target                prot opt in              out             source               destination
    0     0 DROP                  all  --  *               *               0.0.0.0/0            0.0.0.0/0            state INVALID
    0     0 ACCEPT                all  --  *               *               0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 nova-compute-provider all  --  *               *               0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT                udp  --  *               *               10.16.0.102          0.0.0.0/0            udp spt:67 dpt:68
    0     0 ACCEPT                all  --  *               *               10.16.0.0/24         0.0.0.0/0
    0     0 ACCEPT                tcp  --  *               *               0.0.0.0/0            0.0.0.0/0            multiport dports 1:65535
    0     0 ACCEPT                udp  --  *               *               0.0.0.0/0            0.0.0.0/0            multiport dports 1:65535
    0     0 ACCEPT                icmp --  *               *               0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT                icmp --  *               *               0.0.0.0/0            0.0.0.0/0            icmptype 8 code 8
    0     0 nova-compute-sg-fallback all -- *              *               0.0.0.0/0            0.0.0.0/0

Chain nova-compute-inst-17 (1 references)
 pkts bytes target                prot opt in              out             source               destination
    0     0 DROP                  all  --  *               *               0.0.0.0/0            0.0.0.0/0            state INVALID
    0     0 ACCEPT                all  --  *               *               0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 nova-compute-provider all  --  *               *               0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT                udp  --  *               *               10.16.0.102          0.0.0.0/0            udp spt:67 dpt:68
    0     0 ACCEPT                all  --  *               *               10.16.0.0/24         0.0.0.0/0
    0     0 ACCEPT                tcp  --  *               *               0.0.0.0/0            0.0.0.0/0            multiport dports 1:65535
    0     0 ACCEPT                udp  --  *               *               0.0.0.0/0            0.0.0.0/0            multiport dports 1:65535
    0     0 ACCEPT                icmp --  *               *               0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT                icmp --  *               *               0.0.0.0/0            0.0.0.0/0            icmptype 8 code 8
    0     0 nova-compute-sg-fallback all -- *              *               0.0.0.0/0            0.0.0.0/0

Chain nova-compute-local (1 references)
 pkts bytes target                prot opt in              out             source               destination
    0     0 nova-compute-inst-15  all  --  *               *               0.0.0.0/0            10.16.0.111
    0     0 nova-compute-inst-17  all  --  *               *               0.0.0.0/0            10.16.0.131

Chain nova-compute-provider (2 references)
 pkts bytes target                prot opt in              out             source               destination

Chain nova-compute-sg-fallback (2 references)
 pkts bytes target                prot opt in              out             source               destination
    0     0 DROP                  all  --  *               *               0.0.0.0/0            0.0.0.0/0

Chain nova-filter-top (2 references)
 pkts bytes target                prot opt in              out             source               destination
2106K  284M nova-compute-local    all  --  *               *               0.0.0.0/0            0.0.0.0/0

Looking at these rules that openstack generates automatically, the INPUT, FORWARD and OUTPUT chains all default to ACCEPT. Tracing how each chain jumps and filters packets, a new address configured inside a VM would not be filtered.

After a lot of digging, it finally turned out that the IP restriction comes from ebtables.
root@node1:~# ebtables -t nat -L
Bridge table: nat

Bridge chain: PREROUTING, entries: 2, policy: ACCEPT
-i tap0678bf1d-41 -j libvirt-I-tap0678bf1d-41
-i tap496fa038-9e -j libvirt-I-tap496fa038-9e

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT

Bridge chain: POSTROUTING, entries: 0, policy: ACCEPT

Bridge chain: libvirt-I-tap0678bf1d-41, entries: 4, policy: ACCEPT
-j I-tap0678bf1d-41-mac
-p IPv4 -j I-tap0678bf1d-41-ipv4-ip
-p ARP -j I-tap0678bf1d-41-arp-mac
-p ARP -j I-tap0678bf1d-41-arp-ip

Bridge chain: I-tap0678bf1d-41-mac, entries: 2, policy: ACCEPT
-s fa:16:3e:a6:5f:70 -j RETURN
-j DROP

Bridge chain: I-tap0678bf1d-41-ipv4-ip, entries: 3, policy: ACCEPT
-p IPv4 --ip-src 0.0.0.0 --ip-proto udp -j RETURN
-p IPv4 --ip-src 10.16.0.131 -j RETURN
-j DROP

Bridge chain: I-tap0678bf1d-41-arp-mac, entries: 2, policy: ACCEPT
-p ARP --arp-mac-src fa:16:3e:a6:5f:70 -j RETURN
-j DROP

Bridge chain: I-tap0678bf1d-41-arp-ip, entries: 2, policy: ACCEPT
-p ARP --arp-ip-src 10.16.0.131 -j RETURN
-j DROP

Bridge chain: libvirt-I-tap496fa038-9e, entries: 4, policy: ACCEPT
-j I-tap496fa038-9e-mac
-p IPv4 -j I-tap496fa038-9e-ipv4-ip
-p ARP -j I-tap496fa038-9e-arp-mac
-p ARP -j I-tap496fa038-9e-arp-ip

Bridge chain: I-tap496fa038-9e-mac, entries: 2, policy: ACCEPT
-s fa:16:3e:58:1:ac -j RETURN
-j DROP

Bridge chain: I-tap496fa038-9e-ipv4-ip, entries: 3, policy: ACCEPT
-p IPv4 --ip-src 0.0.0.0 --ip-proto udp -j RETURN
-p IPv4 --ip-src 10.16.0.111 -j RETURN
-j DROP

Bridge chain: I-tap496fa038-9e-arp-mac, entries: 2, policy: ACCEPT
-p ARP --arp-mac-src fa:16:3e:58:1:ac -j RETURN
-j DROP

Bridge chain: I-tap496fa038-9e-arp-ip, entries: 2, policy: ACCEPT
-p ARP --arp-ip-src 10.16.0.111 -j RETURN
-j DROP

ebtables is Linux's dedicated filter for layer 2, the data link layer.

After a VM is created through nova, a libvirt xml configuration file is generated
at the path /etc/libvirt/nwfilter/nova-base.xml
It defines the following rules, which restrict the addresses a VM may use and filter them at layer 2:
<filter name='nova-base' chain='root'>
  <uuid>12ec8693-253a-7db0-7cd3-f8cc0a1e1b02</uuid>
  <filterref filter='no-mac-spoofing'/>
  <filterref filter='no-ip-spoofing'/>
  <filterref filter='no-arp-spoofing'/>
  <filterref filter='allow-dhcp-server'/>
</filter>
. v9 h1 L. C% c* Q7 ~: r
An xml file is then created for each VM, and each VM's xml configuration includes the configuration from nova-base.xml.
Opening one VM's xml configuration, you can see that it only lets the specified IP through at layer 2, so any other manually configured address is unusable.
cat /etc/libvirt/nwfilter/nova-instance-instance-0000000f-fa163e5801ac.xml
<filter name='nova-instance-instance-0000000f-fa163e5801ac' chain='root'>
  <uuid>972d18be-2db0-4bf2-2853-a0a61beac036</uuid>
  <filterref filter='nova-base'>
    <parameter name='DHCPSERVER' value='10.16.0.102'/>
    <parameter name='IP' value='10.16.0.111'/>
    <parameter name='PROJMASK' value='255.255.255.0'/>
    <parameter name='PROJNET' value='10.16.0.0'/>
  </filterref>
</filter>
1 C$ u. R$ K8 C/ \4 I' a, M
libvirt generates ebtables rules from the rules in these xml configurations, and in the end it is ebtables that enforces the restriction.

How to get around it?
Modify the nova-base.xml file
and comment out the following three lines:
<filterref filter='no-mac-spoofing'/>
<filterref filter='no-ip-spoofing'/>
<filterref filter='no-arp-spoofing'/>
Then restart the libvirt process; libvirt re-reads the configuration in the xml and generates new ebtables rules.
After the change, whether I created new VMs, restarted the nova-compute process, or rebooted the host outright, this base file no longer changed.

Another option is to modify the nova source code (untested)
The source is at
/usr/lib/python2.7/dist-packages/nova/virt/libvirt/firewall.py
-----------------------------------
© Copyright belongs to the author: original work by 51CTO blog author lustlost; if you repost it, please credit the source, otherwise legal action may be taken
Removing the IP restriction on instances in openstack (floating a VIP inside a VM)
https://blog.51cto.com/lustlost/1324832
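To see exactly where a floated VIP is dropped before stripping the anti-spoofing filters from nova-base (every instance filter above references nova-base, so that edit removes MAC, IP and ARP spoofing protection for every instance on the host), here is an added example that is not code from the quoted post: a small evaluator that parses the `ebtables -t nat -L` listing format shown above and replays a frame through the chains the way ebtables does. The listing is the post's output trimmed to the tap496fa038-9e chains; the VIP 10.16.0.200 and the frames are made up for the demonstration.

```python
"""Replay libvirt's anti-spoofing ebtables chains for a frame leaving a VM port.

Added example, not code from the quoted blog post. It parses the text that
`ebtables -t nat -L` prints and walks a frame through PREROUTING as ebtables
does: first matching rule decides, RETURN resumes in the caller, and falling
off the end of a chain applies that chain's policy. The listing is the post's
output trimmed to one tap; the VIP and frames are constructed.
"""
import re

CHAIN_RE = re.compile(r"^Bridge chain: (\S+), entries: \d+, policy: (\S+)$")
# ebtables match option -> the frame field it is compared with
OPTIONS = {"-i": "in", "-s": "mac_src", "-p": "proto", "--ip-src": "ip_src",
           "--ip-proto": "ip_proto", "--arp-ip-src": "arp_ip_src",
           "--arp-mac-src": "arp_mac_src"}

def norm(field, value):
    """ebtables prints MACs unpadded (fa:16:3e:58:1:ac), so compare them numerically."""
    if field in ("mac_src", "arp_mac_src"):
        return tuple(int(octet, 16) for octet in value.split(":"))
    return value.lower()

def parse_listing(text):
    """-> {chain: (policy, [{"match": {field: value}, "target": name}, ...])}"""
    chains, current = {}, None
    for line in text.splitlines():
        header = CHAIN_RE.match(line.strip())
        if header:
            current = header.group(1)
            chains[current] = (header.group(2), [])
        elif line.startswith("-") and current:
            toks, match, target = line.split(), {}, None
            for opt, val in zip(toks[0::2], toks[1::2]):   # every option takes one value
                if opt == "-j":
                    target = val
                elif opt in OPTIONS:
                    match[OPTIONS[opt]] = norm(OPTIONS[opt], val)
                else:
                    raise ValueError(f"unsupported option {opt!r} in {line!r}")
            chains[current][1].append({"match": match, "target": target})
    return chains

def matches(rule, frame):
    """Every criterion on the rule must equal the corresponding frame field."""
    return all(k in frame and norm(k, frame[k]) == v for k, v in rule["match"].items())

def _walk(chains, frame, name, depth):
    if depth > 16:
        raise RuntimeError("chain jump loop")
    policy, rules = chains[name]
    for rule in rules:
        if not matches(rule, frame):
            continue
        target = rule["target"]
        if target in ("ACCEPT", "DROP"):
            return target, name
        if target == "RETURN":
            return None                      # resume in the calling chain
        verdict = _walk(chains, frame, target, depth + 1)
        if verdict is not None:
            return verdict
    return None if policy == "RETURN" else (policy, name)

def evaluate(chains, frame):
    """(verdict, chain that decided it) for a frame entering the bridge from a tap."""
    return _walk(chains, frame, "PREROUTING", 0)

LISTING = """\
Bridge table: nat
Bridge chain: PREROUTING, entries: 1, policy: ACCEPT
-i tap496fa038-9e -j libvirt-I-tap496fa038-9e
Bridge chain: libvirt-I-tap496fa038-9e, entries: 4, policy: ACCEPT
-j I-tap496fa038-9e-mac
-p IPv4 -j I-tap496fa038-9e-ipv4-ip
-p ARP -j I-tap496fa038-9e-arp-mac
-p ARP -j I-tap496fa038-9e-arp-ip
Bridge chain: I-tap496fa038-9e-mac, entries: 2, policy: ACCEPT
-s fa:16:3e:58:1:ac -j RETURN
-j DROP
Bridge chain: I-tap496fa038-9e-ipv4-ip, entries: 3, policy: ACCEPT
-p IPv4 --ip-src 0.0.0.0 --ip-proto udp -j RETURN
-p IPv4 --ip-src 10.16.0.111 -j RETURN
-j DROP
Bridge chain: I-tap496fa038-9e-arp-mac, entries: 2, policy: ACCEPT
-p ARP --arp-mac-src fa:16:3e:58:1:ac -j RETURN
-j DROP
Bridge chain: I-tap496fa038-9e-arp-ip, entries: 2, policy: ACCEPT
-p ARP --arp-ip-src 10.16.0.111 -j RETURN
-j DROP
"""

# Frames from the instance behind tap496fa038-9e (fixed IP 10.16.0.111); the VIP
# 10.16.0.200 is a made-up address a keepalived instance might try to float.
PORT = {"in": "tap496fa038-9e", "mac_src": "fa:16:3e:58:01:ac"}
FRAMES = {
    "fixed ip":      {**PORT, "proto": "IPv4", "ip_src": "10.16.0.111", "ip_proto": "tcp"},
    "floated vip":   {**PORT, "proto": "IPv4", "ip_src": "10.16.0.200", "ip_proto": "tcp"},
    "dhcp discover": {**PORT, "proto": "IPv4", "ip_src": "0.0.0.0", "ip_proto": "udp"},
    "vip garp":      {**PORT, "proto": "ARP", "arp_mac_src": "fa:16:3e:58:01:ac",
                      "arp_ip_src": "10.16.0.200"},
    "mac spoof":     {**PORT, "mac_src": "00:11:22:33:44:55", "proto": "IPv4",
                      "ip_src": "10.16.0.111", "ip_proto": "tcp"},
}

if __name__ == "__main__":
    chains = parse_listing(LISTING)
    for label, frame in FRAMES.items():
        print(f"{label:14s} -> {evaluate(chains, frame)}")
```

Both the VIP's IPv4 traffic and its gratuitous ARP are dropped, each by a different per-tap chain, which is why the post sees the VIP as unusable; the DHCP discover from 0.0.0.0 is the one exception the filter deliberately allows.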
0 N9 V! Y, n4 {5 ]6 Q
易陆发现技术论坛 (蜀ICP备2026014127号-1)
