OpenStack: adding a VRRP security group ingress rule

Posted 2021-12-7 15:01:06
       valid_lft forever preferred_lft forever
[root@keepalievd-1 ~]# tcpdump -i eth1 vrrp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
15:01:31.166318 IP keepalievd-1.novalocal > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
15:01:32.166682 IP keepalievd-1.novalocal > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
15:01:33.167075 IP keepalievd-1.novalocal > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
^C

[root@keepalived-2 ~]# tcpdump -i eth1 vrrp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
15:01:22.170651 IP keepalived-2.novalocal > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 99, authtype simple, intvl 1s, length 20
15:01:23.171685 IP keepalived-2.novalocal > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 99, authtype simple, intvl 1s, length 20
15:01:24.172739 IP keepalived-2.novalocal > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 99, authtype simple, intvl 1s, length 20
15:01:25.173771 IP keepalived-2.novalocal > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 99, authtype simple, intvl 1s, length 20
15:01:26.174855 IP keepalived-2.novalocal > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 99, authtype simple, intvl 1s, length 20
^C

The keepalived VMs created on the OpenStack platform cannot exchange VRRP because the security group does not let it through; the VRRP security group ingress rule configuration on OpenStack needs to be adjusted:

Direction   Ether Type   IP Protocol   Port Range   Remote IP Prefix
Ingress     IPv4         112           Any          192.168.0.0/24
Ingress     IPv4         112           Any          0.0.0.0/0

Original poster | Posted 2021-12-7 15:04:32
[root@keepalievd-1 ~]# tcpdump -i eth1 vrrp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
15:03:08.894788 IP keepalievd-1.novalocal > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
15:03:09.132334 IP 192.168.0.62 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 52, prio 2, authtype simple, intvl 1s, length 20
15:03:09.895798 IP keepalievd-1.novalocal > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
15:03:10.133082 IP 192.168.0.62 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 52, prio 2, authtype simple, intvl 1s, length 20
15:03:10.896827 IP keepalievd-1.novalocal > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
15:03:11.133514 IP 192.168.0.62 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 52, prio 2, authtype simple, intvl 1s, length 20
15:03:11.897792 IP keepalievd-1.novalocal > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
15:03:12.134724 IP 192.168.0.62 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 52, prio 2, authtype simple, intvl 1s, length 20

Second node:

[root@keepalived-2 ~]# tcpdump -i eth1 vrrp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
15:03:03.277349 IP 192.168.0.186 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
15:03:03.516783 IP 192.168.0.62 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 52, prio 2, authtype simple, intvl 1s, length 20
15:03:04.278375 IP 192.168.0.186 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
15:03:04.517146 IP 192.168.0.62 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 52, prio 2, authtype simple, intvl 1s, length 20
15:03:05.279264 IP 192.168.0.186 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
15:03:05.517812 IP 192.168.0.62 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 52, prio 2, authtype simple, intvl 1s, length 20
15:03:06.280214 IP 192.168.0.186 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
^C

Now it gets through.

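The two captures in the thread turned into a check, as an added example that is not code from the thread: it parses tcpdump VRRP advertisement lines (the sample lines below are constructed from the values in the posts above), reports which nodes are transmitting as MASTER for a VRID, and flags nodes that never receive VRRP from any other address, which is the symptom of a security group that does not pass IP protocol 112. The node names and the assumption that tcpdump shows a node's own address by hostname are taken from those captures.

```python
import re
from collections import defaultdict

# Constructed sample captures shaped like the thread's tcpdump output (hostnames,
# VRIDs, priorities and timestamps copied from the posts above), keyed by the node
# the capture was taken on.
BEFORE = {  # security group blocks protocol 112: each node hears only itself
    "keepalievd-1": [
        "15:01:31.166318 IP keepalievd-1.novalocal > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20",
        "15:01:32.166682 IP keepalievd-1.novalocal > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20",
    ],
    "keepalived-2": [
        "15:01:22.170651 IP keepalived-2.novalocal > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 99, authtype simple, intvl 1s, length 20",
    ],
}
AFTER = {  # ingress rule added: keepalived-2 hears prio 100 and goes quiet (BACKUP)
    "keepalievd-1": [
        "15:03:08.894788 IP keepalievd-1.novalocal > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20",
        "15:03:09.132334 IP 192.168.0.62 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 52, prio 2, authtype simple, intvl 1s, length 20",
    ],
    "keepalived-2": [
        "15:03:03.277349 IP 192.168.0.186 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20",
        "15:03:03.516783 IP 192.168.0.62 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 52, prio 2, authtype simple, intvl 1s, length 20",
    ],
}

ADV_RE = re.compile(r"IP (?P<src>\S+) > vrrp\.mcast\.net: VRRPv2, Advertisement, "
                    r"vrid (?P<vrid>\d+), prio (?P<prio>\d+)")

def parse_adverts(lines):
    """{vrid: {source: priority}} for every VRRP advertisement in a capture."""
    seen = defaultdict(dict)
    for line in lines:
        m = ADV_RE.search(line)
        if m:
            seen[int(m["vrid"])][m["src"]] = int(m["prio"])
    return seen

def diagnose(captures, vrid):
    """captures: {node hostname: lines captured on that node}.
    A node whose own hostname is a source for `vrid` is transmitting as MASTER
    (in these captures tcpdump shows the local address by name); a node that
    never sees an advertisement from any other address receives no protocol 112."""
    masters, deaf = {}, []
    for node, lines in captures.items():
        adverts = parse_adverts(lines)
        own = [p for s, p in adverts.get(vrid, {}).items() if s.startswith(node + ".")]
        if own:
            masters[node] = own[0]
        if not any(not s.startswith(node + ".") for srcs in adverts.values() for s in srcs):
            deaf.append(node)
    return {"masters": masters, "no_vrrp_received": sorted(deaf),
            "split_brain": len(masters) > 1}
```

Two masters for the same VRID with no node receiving foreign VRRP is the split-brain state of the first post; after the rule only one master remains and both nodes receive multicast 112.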
Original poster | Posted 2021-12-7 15:10:16
Allowing the VRRP protocol in the security group
In the console, navigate to Project - Access & Security, search for the security group the VM belongs to, then click the Manage Rules button next to it to open the rule list; click the Add Rule button, and in the popup choose Other Protocol in the Rule dropdown, enter 112 in the Port text box, and finally click Add. # The port number of the VRRP protocol is 112

Original poster | Posted 2021-12-7 15:29:28
For load balancing, the G release already integrates an haproxy plugin that wraps the haproxy configuration, so a load-balancing pool can conveniently be created through quantum to provide load balancing for virtual machines on the same or on different hosts.

In this mode, haproxy runs on the host.
Unfortunately, high availability for haproxy cannot yet be achieved through OpenStack.

To get high availability, the only option is to float a VIP inside the virtual machines.

But once a virtual machine has been created, only the assigned IP can be used inside that instance.
So deploying high availability inside the VMs by floating a VIP is not feasible.

Understandably, in a public cloud environment users cannot be allowed to configure extra addresses inside VMs at will.
But ours is a private cloud environment, and this rule is a real nuisance there.
When creating a VM in OpenStack, the NIC and IP address are specified with the --nic option of nova boot:
--nic net-id=${NETWORK_ID},v4-fixed-ip=${Host_IP}

I had always assumed iptables rules were responsible, so I went through the iptables rules on the host:
root@node1:~# iptables -vnL
Chain INPUT (policy ACCEPT 3556K packets, 744M bytes)
pkts bytes target prot opt in out source destination
1778K 372M nova-compute-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
150 13488 nova-filter-top all -- * * 0.0.0.0/0 0.0.0.0/0
6 1392 nova-compute-FORWARD all -- * * 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 4208K packets, 567M bytes)
pkts bytes target prot opt in out source destination
4202K 567M nova-filter-top all -- * * 0.0.0.0/0 0.0.0.0/0
2106K 284M nova-compute-OUTPUT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain nova-compute-FORWARD (1 references)
pkts bytes target prot opt in out source destination
4 1312 ACCEPT udp -- * * 0.0.0.0 255.255.255.255 udp spt:68 dpt:67
2 80 ACCEPT all -- brq3eefcd79-07 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * brq3eefcd79-07 0.0.0.0/0 0.0.0.0/0

Chain nova-compute-INPUT (1 references)
pkts bytes target prot opt in out source destination
2 656 ACCEPT udp -- * * 0.0.0.0 255.255.255.255 udp spt:68 dpt:67

Chain nova-compute-OUTPUT (1 references)
pkts bytes target prot opt in out source destination

Chain nova-compute-inst-15 (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 nova-compute-provider all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * * 10.16.0.102 0.0.0.0/0 udp spt:67 dpt:68
0 0 ACCEPT all -- * * 10.16.0.0/24 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 1:65535
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 1:65535
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8 code 8
0 0 nova-compute-sg-fallback all -- * * 0.0.0.0/0 0.0.0.0/0

Chain nova-compute-inst-17 (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 nova-compute-provider all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * * 10.16.0.102 0.0.0.0/0 udp spt:67 dpt:68
0 0 ACCEPT all -- * * 10.16.0.0/24 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 1:65535
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 1:65535
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8 code 8
0 0 nova-compute-sg-fallback all -- * * 0.0.0.0/0 0.0.0.0/0

Chain nova-compute-local (1 references)
pkts bytes target prot opt in out source destination
0 0 nova-compute-inst-15 all -- * * 0.0.0.0/0 10.16.0.111
0 0 nova-compute-inst-17 all -- * * 0.0.0.0/0 10.16.0.131

Chain nova-compute-provider (2 references)
pkts bytes target prot opt in out source destination

Chain nova-compute-sg-fallback (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain nova-filter-top (2 references)
pkts bytes target prot opt in out source destination
2106K 284M nova-compute-local all -- * * 0.0.0.0/0 0.0.0.0/0

Looking at these rules that OpenStack generates automatically, the INPUT, FORWARD and OUTPUT chains all default to ACCEPT. Following how each chain jumps and filters packets, a new address configured inside the VM would not be filtered.

After a good deal of digging, it turned out that the IP restriction comes from ebtables:
root@node1:~# ebtables -t nat -L
Bridge table: nat

Bridge chain: PREROUTING, entries: 2, policy: ACCEPT
-i tap0678bf1d-41 -j libvirt-I-tap0678bf1d-41
-i tap496fa038-9e -j libvirt-I-tap496fa038-9e

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT

Bridge chain: POSTROUTING, entries: 0, policy: ACCEPT

Bridge chain: libvirt-I-tap0678bf1d-41, entries: 4, policy: ACCEPT
-j I-tap0678bf1d-41-mac
-p IPv4 -j I-tap0678bf1d-41-ipv4-ip
-p ARP -j I-tap0678bf1d-41-arp-mac
-p ARP -j I-tap0678bf1d-41-arp-ip

Bridge chain: I-tap0678bf1d-41-mac, entries: 2, policy: ACCEPT
-s fa:16:3e:a6:5f:70 -j RETURN
-j DROP

Bridge chain: I-tap0678bf1d-41-ipv4-ip, entries: 3, policy: ACCEPT
-p IPv4 --ip-src 0.0.0.0 --ip-proto udp -j RETURN
-p IPv4 --ip-src 10.16.0.131 -j RETURN
-j DROP

Bridge chain: I-tap0678bf1d-41-arp-mac, entries: 2, policy: ACCEPT
-p ARP --arp-mac-src fa:16:3e:a6:5f:70 -j RETURN
-j DROP

Bridge chain: I-tap0678bf1d-41-arp-ip, entries: 2, policy: ACCEPT
-p ARP --arp-ip-src 10.16.0.131 -j RETURN
-j DROP

Bridge chain: libvirt-I-tap496fa038-9e, entries: 4, policy: ACCEPT
-j I-tap496fa038-9e-mac
-p IPv4 -j I-tap496fa038-9e-ipv4-ip
-p ARP -j I-tap496fa038-9e-arp-mac
-p ARP -j I-tap496fa038-9e-arp-ip

Bridge chain: I-tap496fa038-9e-mac, entries: 2, policy: ACCEPT
-s fa:16:3e:58:1:ac -j RETURN
-j DROP

Bridge chain: I-tap496fa038-9e-ipv4-ip, entries: 3, policy: ACCEPT
-p IPv4 --ip-src 0.0.0.0 --ip-proto udp -j RETURN
-p IPv4 --ip-src 10.16.0.111 -j RETURN
-j DROP

Bridge chain: I-tap496fa038-9e-arp-mac, entries: 2, policy: ACCEPT
-p ARP --arp-mac-src fa:16:3e:58:1:ac -j RETURN
-j DROP

Bridge chain: I-tap496fa038-9e-arp-ip, entries: 2, policy: ACCEPT
-p ARP --arp-ip-src 10.16.0.111 -j RETURN
-j DROP

ebtables is the Linux filter dedicated to layer 2, the data link layer.

After a VM is created through nova, a libvirt XML configuration file is generated at /etc/libvirt/nwfilter/nova-base.xml.
It defines the following rules, which restrict the addresses on the VM by filtering at layer 2:
<filter name='nova-base' chain='root'>
  <uuid>12ec8693-253a-7db0-7cd3-f8cc0a1e1b02</uuid>
  <filterref filter='no-mac-spoofing'/>
  <filterref filter='no-ip-spoofing'/>
  <filterref filter='no-arp-spoofing'/>
  <filterref filter='allow-dhcp-server'/>
</filter>

An XML file is then created for each VM, and each VM's XML configuration includes the configuration from nova-base.xml.
Opening one VM's XML configuration shows that only the specified IP is allowed through at layer 2, so any other manually configured address is unusable.

cat /etc/libvirt/nwfilter/nova-instance-instance-0000000f-fa163e5801ac.xml
<filter name='nova-instance-instance-0000000f-fa163e5801ac' chain='root'>
  <uuid>972d18be-2db0-4bf2-2853-a0a61beac036</uuid>
  <filterref filter='nova-base'>
    <parameter name='DHCPSERVER' value='10.16.0.102'/>
    <parameter name='IP' value='10.16.0.111'/>
    <parameter name='PROJMASK' value='255.255.255.0'/>
    <parameter name='PROJNET' value='10.16.0.0'/>
  </filterref>
</filter>

libvirt generates ebtables rules from the rules in these XML configurations, and in the end it is ebtables that enforces the restriction.

How to get around it?
Edit the nova-base.xml file and comment out the following three lines:
<filterref filter='no-mac-spoofing'/>
<filterref filter='no-ip-spoofing'/>
<filterref filter='no-arp-spoofing'/>
Then restart the libvirt process; libvirt re-reads the configuration in the XML and generates new ebtables rules.
After the change, I created new VMs, restarted the nova-compute process, and even rebooted the host; this base file no longer changes.

Another option is to modify the nova source (untested).
The source is at
/usr/lib/python2.7/dist-packages/nova/virt/libvirt/firewall.py
-----------------------------------
© Copyright belongs to the author: original work by 51CTO blog author lustlost; when reproducing, cite the source, otherwise legal liability will be pursued
Removing the IP restriction on OpenStack instances (floating a VIP inside a VM)
https://blog.51cto.com/lustlost/1324832
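What the libvirt-generated ebtables chains in the quoted post do to a frame, as an added example that is not part of that post: a small evaluator for a subset of the `ebtables -t nat -L` listing (one tap interface, rule values copied from the listing, the arp-mac chain left out), modelling only the match options that appear there, with the assumption that ACCEPT/DROP are final, RETURN resumes the calling chain, and a chain's policy is its verdict when no rule decides. It shows that an IPv4 packet or ARP request for a VIP other than the instance's allocated address is dropped at layer 2, which is exactly the protection the no-ip-spoofing and no-arp-spoofing filters provide and that commenting them out removes.

```python
# Constructed input: subset of the quoted post's `ebtables -t nat -L` listing
# (one tap interface, arp-mac chain omitted; rule values copied from the listing).
EBTABLES_NAT = """\
Bridge chain: PREROUTING, entries: 1, policy: ACCEPT
-i tap0678bf1d-41 -j libvirt-I-tap0678bf1d-41
Bridge chain: libvirt-I-tap0678bf1d-41, entries: 3, policy: ACCEPT
-j I-tap0678bf1d-41-mac
-p IPv4 -j I-tap0678bf1d-41-ipv4-ip
-p ARP -j I-tap0678bf1d-41-arp-ip
Bridge chain: I-tap0678bf1d-41-mac, entries: 2, policy: ACCEPT
-s fa:16:3e:a6:5f:70 -j RETURN
-j DROP
Bridge chain: I-tap0678bf1d-41-ipv4-ip, entries: 3, policy: ACCEPT
-p IPv4 --ip-src 0.0.0.0 --ip-proto udp -j RETURN
-p IPv4 --ip-src 10.16.0.131 -j RETURN
-j DROP
Bridge chain: I-tap0678bf1d-41-arp-ip, entries: 2, policy: ACCEPT
-p ARP --arp-ip-src 10.16.0.131 -j RETURN
-j DROP
"""
# ebtables match option -> field of the frame dict handed to verdict()
OPTS = {"-i": "iface", "-s": "mac_src", "-p": "proto", "--ip-src": "ip_src",
        "--ip-proto": "ip_proto", "--arp-ip-src": "arp_ip_src"}

def parse_chains(text):
    """{chain: (rules as token lists, policy)} from `ebtables -L` output."""
    chains, cur = {}, None
    for line in text.splitlines():
        if line.startswith("Bridge chain:"):
            cur = line.split(":")[1].split(",")[0].strip()
            chains[cur] = ([], line.rsplit("policy:", 1)[1].strip())
        elif line.startswith("-"):
            chains[cur][0].append(line.split())
    return chains

def matches(tokens, frame):
    """A rule matches when every option/value pair other than -j equals the frame."""
    return all(opt == "-j" or frame.get(OPTS[opt]) == val
               for opt, val in zip(tokens[::2], tokens[1::2]))

def walk(chains, name, frame):
    """Simplified traversal (assumption): ACCEPT/DROP final, RETURN resumes caller."""
    rules, policy = chains[name]
    for tokens in rules:
        if not matches(tokens, frame):
            continue
        target = tokens[tokens.index("-j") + 1]
        if target in ("ACCEPT", "DROP"):
            return target
        if target == "RETURN":
            return None
        result = walk(chains, target, frame)  # jump into a user-defined chain
        if result is not None:
            return result
    return None if policy == "RETURN" else policy  # exhausted chain: its policy

def verdict(frame, listing=EBTABLES_NAT):
    """Verdict for a frame entering the nat PREROUTING hook, where libvirt hooks in."""
    return walk(parse_chains(listing), "PREROUTING", frame)
```

Frames from the instance's own MAC and allocated IP (or the DHCP discover from 0.0.0.0) pass; the same instance sourcing a VIP, or announcing it via ARP, is dropped before it ever reaches the iptables rules examined earlier in the post.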