openstack添加vrrp安全组规则入口配置

admin

       valid_lft forever preferred_lft forever
& M5 m3 f: \# J[root@keepalievd-1 ~]# tcpdump -i eth1 vrrp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
' U3 L" x1 S% Y1 e15:01:31.166318 IP keepalievd-1.novalocal > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
" f( c) ]; F! ?. [8 x  |15:01:32.166682 IP keepalievd-1.novalocal > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
15:01:33.167075 IP keepalievd-1.novalocal > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
8 k7 S2 y1 S) `+ f4 U1 K^C

! O0 I+ B7 X& @. m# n7 z. t9 a[root@keepalived-2 ~]# tcpdump -i eth1  vrrp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
. {( {* D$ {4 Ulistening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
% W* ]/ d. s- i) Y8 j15:01:22.170651 IP keepalived-2.novalocal > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 99, authtype simple, intvl 1s, length 20
$ I% U5 A4 I9 C$ o4 p; ^. S3 k15:01:23.171685 IP keepalived-2.novalocal > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 99, authtype simple, intvl 1s, length 20
- L6 V5 O9 h( x, p& i% [15:01:24.172739 IP keepalived-2.novalocal > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 99, authtype simple, intvl 1s, length 20
15:01:25.173771 IP keepalived-2.novalocal > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 99, authtype simple, intvl 1s, length 20
15:01:26.174855 IP keepalived-2.novalocal > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 99, authtype simple, intvl 1s, length 20
1 M; b* F/ d+ M/ N1 Y^C
3 H8 A9 ?& _  K! B
2 p1 N6 J2 N! F: x
7 R, t2 H* K: c: F5 ~7 n3 H在openstack平台上创建的keepalived虚机因安全组不通而导致vrrp不通，openstack上需要调整vrrp安全组规则入口配置：
2 r/ V! K- G3 O, f- {
7 }; }3 V+ o, X

2 k6 p$ i+ I0 V, I4 Q+ \7 }  Y( N入口

IPv4

112

任何

192.168.0.0/24

) h9 h7 u) z5 A7 e0 y

入口

IPv4

112

任何

0.0.0.0/0

admin

[root@keepalievd-1 ~]# tcpdump -i eth1 vrrp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
15:03:08.894788 IP keepalievd-1.novalocal > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
6 ?( O9 T8 F" \" ?  a& ^15:03:09.132334 IP 192.168.0.62 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 52, prio 2, authtype simple, intvl 1s, length 20
2 j$ l1 D  @7 ^8 L9 C% Z15:03:09.895798 IP keepalievd-1.novalocal > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
% f& I" c4 W1 |) r$ L, N15:03:10.133082 IP 192.168.0.62 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 52, prio 2, authtype simple, intvl 1s, length 20
! |; X- c! k. s! [: n* C, \2 f" u, p! L7 M15:03:10.896827 IP keepalievd-1.novalocal > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
' \3 h9 [7 U* J9 l/ v0 _3 a, t15:03:11.133514 IP 192.168.0.62 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 52, prio 2, authtype simple, intvl 1s, length 20
15:03:11.897792 IP keepalievd-1.novalocal > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
15:03:12.134724 IP 192.168.0.62 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 52, prio 2, authtype simple, intvl 1s, length 20

/ Z4 y$ h2 g# V5 \6 ?0 I' K$ _第二台设备：

[root@keepalived-2 ~]# tcpdump -i eth1  vrrp
; x: p  ^2 X7 {  x3 Btcpdump: verbose output suppressed, use -v or -vv for full protocol decode
) ?7 E1 T2 \7 ^listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
15:03:03.277349 IP 192.168.0.186 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
, j+ D* l( I$ ~- i  g! r* d6 J15:03:03.516783 IP 192.168.0.62 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 52, prio 2, authtype simple, intvl 1s, length 20
15:03:04.278375 IP 192.168.0.186 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
" U8 f! b/ c* ~, G7 I8 X7 K1 A8 D15:03:04.517146 IP 192.168.0.62 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 52, prio 2, authtype simple, intvl 1s, length 20
15:03:05.279264 IP 192.168.0.186 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
15:03:05.517812 IP 192.168.0.62 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 52, prio 2, authtype simple, intvl 1s, length 20
' N0 n) F" l' |* M15:03:06.280214 IP 192.168.0.186 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
$ C+ v! s- s0 `+ u^C
. Z% X2 X: V  P) i
地址通了。
( c( S& K% N  e' i- S, n

admin

安全组允许VRRP协议
' c7 |; O5 A+ T' `$ B直接在控制台导航：项目-访问&安全，搜索虚机所在的安全组, 然后点击后面的管理规则按钮进入规则列表；点击添加规则按钮，弹出框里，在规则的下拉选里选择 其他协议, 然后再 端口 文本框输入 112, 最后点击添加按钮即可 # VRRP协议的端口号是112

admin

对于负载均衡，G版本已经集成了haproxy插件，对haproxy的配置做了一层封装，可以很方便的通过quantum去创建一个负载均衡池，为相同或者不同宿主机上的虚拟机提供负载均衡的能力。

) o% C5 {0 u1 X在这个模式下，haproxy是运行在宿主机上的。
遗憾的是，目前还不能通过openstack做到haproxy的高可用。

/ r# j- G# g( b1 E3 w& F7 p想要做高可用，只能在虚拟机中去飘VIP了

# ~7 U- h, t# L2 T但是创建了虚拟机之后，在这个虚拟机实例中只能使用指定的IP。
2 v% w+ z! M5 @# |; j3 ?! G* K! U% K这就导致想在虚拟机中部署高可用去飘VIP是不可行的。
- X4 t) [# U4 f4 H+ ~+ _" ?2 @
% P- K8 p+ N3 _0 E1 _( K6 a( ]可以理解，在公有云环境下，是不可能让用户在虚拟机中随意去配置额外地址的。
但我们是私有云环境，这个规则对私有云环境下很是麻烦。
在openstack中创建虚拟机，通过nova boot的--nic选项指定网卡和IP地址：
--nic net-id=${NETWORK_ID},v4-fixed-ip=${Host_IP}
/ u+ s4 T( w8 v+ @: F
8 @' j# x$ t  o5 [& C* x之前一直以为是iptables规则导致的。于是去看了一遍宿主机中的iptables规则
- Z3 x/ C" \3 m/ V- X6 n1 Froot@node1:~# iptables -vnL
2 g, c8 L1 |8 H; N; d) _1 \Chain INPUT (policy ACCEPT 3556K packets, 744M bytes)
pkts bytes target prot opt in out source destination
1778K 372M nova-compute-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
% y* X0 {6 R5 c2 K/ U: l0 Ppkts bytes target prot opt in out source destination
9 r0 `; E; b( t! Z" U4 F150 13488 nova-filter-top all -- * * 0.0.0.0/0 0.0.0.0/0
: e0 u6 Y3 z1 y& e' I, e6 1392 nova-compute-FORWARD all -- * * 0.0.0.0/0 0.0.0.0/0
9 |& j1 `9 y6 I9 b0 d6 t- r
, U/ p7 Z3 N) M# M5 i( fChain OUTPUT (policy ACCEPT 4208K packets, 567M bytes)
pkts bytes target prot opt in out source destination
& `/ h1 z+ ~. {$ E' m4 X4202K 567M nova-filter-top all -- * * 0.0.0.0/0 0.0.0.0/0
; U/ A! H2 @0 G: m3 j2106K 284M nova-compute-OUTPUT all -- * * 0.0.0.0/0 0.0.0.0/0
# S$ y( e' C) k' t; L
Chain nova-compute-FORWARD (1 references)
pkts bytes target prot opt in out source destination
. F$ _/ E# i+ h3 C8 x3 }4 1312 ACCEPT udp -- * * 0.0.0.0 255.255.255.255 udp spt:68 dpt:67
2 a! g' j4 Z* p2 80 ACCEPT all -- brq3eefcd79-07 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * brq3eefcd79-07 0.0.0.0/0 0.0.0.0/0

Chain nova-compute-INPUT (1 references)
pkts bytes target prot opt in out source destination
2 656 ACCEPT udp -- * * 0.0.0.0 255.255.255.255 udp spt:68 dpt:67
  S- H$ w9 M4 n3 \4 g
! x5 B3 q, G1 y& LChain nova-compute-OUTPUT (1 references)
8 `  F0 s8 C: M6 E4 c9 g, F/ zpkts bytes target prot opt in out source destination
) H; o* j. G  @: U: {) |) L
Chain nova-compute-inst-15 (1 references)
; B- Z% l& G1 l+ R% opkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 nova-compute-provider all -- * * 0.0.0.0/0 0.0.0.0/0
6 l8 G; v. N: k" w# S! b7 g$ v" F0 0 ACCEPT udp -- * * 10.16.0.102 0.0.0.0/0 udp spt:67 dpt:68
" l7 g+ R3 A9 U' q0 X- S0 {0 0 ACCEPT all -- * * 10.16.0.0/24 0.0.0.0/0
: U: v. x9 \% s( X0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 1:65535
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 1:65535
% T2 ?. o  z1 o  L% e( V0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8 code 8
0 0 nova-compute-sg-fallback all -- * * 0.0.0.0/0 0.0.0.0/0
9 u) x( V1 s  o4 d+ |6 l0 Q
Chain nova-compute-inst-17 (1 references)
( T' L& j& K$ z: K- B' F% E$ jpkts bytes target prot opt in out source destination
, R1 B6 y& r1 l* G5 a/ Q  j4 z7 M0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 nova-compute-provider all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * * 10.16.0.102 0.0.0.0/0 udp spt:67 dpt:68
0 0 ACCEPT all -- * * 10.16.0.0/24 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 1:65535
; U  V+ ]( p0 U$ M0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 1:65535
  D% o" D5 r9 i# G! T2 k4 B0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 t6 ~: f6 ]7 {0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8 code 8
0 0 nova-compute-sg-fallback all -- * * 0.0.0.0/0 0.0.0.0/0

Chain nova-compute-local (1 references)
pkts bytes target prot opt in out source destination
0 0 nova-compute-inst-15 all -- * * 0.0.0.0/0 10.16.0.111
0 0 nova-compute-inst-17 all -- * * 0.0.0.0/0 10.16.0.131

Chain nova-compute-provider (2 references)
4 e7 V' T- Z# f1 u6 Jpkts bytes target prot opt in out source destination

) {7 Y7 x: ~5 H7 |* o" ?Chain nova-compute-sg-fallback (2 references)
pkts bytes target prot opt in out source destination
+ N; e: c3 S7 {) v0 h; O- f0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
" l/ F4 D# D4 l, z  e' t
Chain nova-filter-top (2 references)
! X6 G5 e7 V& m3 |1 v3 Vpkts bytes target prot opt in out source destination
2106K 284M nova-compute-local all -- * * 0.0.0.0/0 0.0.0.0/0

分析一下这些openstack自动生成的规则，可以看到input，forword和output链默认都是accept状态。分析每条链对数据包的跳转和过滤，如果在虚拟机中配置新的地址，是不会被过滤的。
. a- f. U7 o3 z( }; z# ~  P( v
经过一番折腾，最终发现限制IP的原因是ebtables在起作用
root@node1:~# ebtables -t nat -L
Bridge table: nat

Bridge chain: PREROUTING, entries: 2, policy: ACCEPT
2 D( C1 `+ f$ e1 f) {& o; E0 b& B" o-i tap0678bf1d-41 -j libvirt-I-tap0678bf1d-41
-i tap496fa038-9e -j libvirt-I-tap496fa038-9e
1 S& ~$ K: C/ y' R  j
8 {( q) E- i8 p: V6 H" y6 ~9 PBridge chain: OUTPUT, entries: 0, policy: ACCEPT

Bridge chain: POSTROUTING, entries: 0, policy: ACCEPT
+ W4 W5 X0 Q. l/ z
# `6 a- L. N' E9 oBridge chain: libvirt-I-tap0678bf1d-41, entries: 4, policy: ACCEPT
-j I-tap0678bf1d-41-mac
-p IPv4 -j I-tap0678bf1d-41-ipv4-ip
' ^& ]# Z7 ~: i- u-p ARP -j I-tap0678bf1d-41-arp-mac
-p ARP -j I-tap0678bf1d-41-arp-ip

Bridge chain: I-tap0678bf1d-41-mac, entries: 2, policy: ACCEPT
-s fa:16:3e:a6:5f:70 -j RETURN
-j DROP

Bridge chain: I-tap0678bf1d-41-ipv4-ip, entries: 3, policy: ACCEPT
, F3 N7 ?& f& ~- o3 a5 t, R2 e-p IPv4 --ip-src 0.0.0.0 --ip-proto udp -j RETURN
9 T- h& w/ U5 s0 V4 J-p IPv4 --ip-src 10.16.0.131 -j RETURN
6 F. w" t) T! P( ]+ {+ z3 c-j DROP

Bridge chain: I-tap0678bf1d-41-arp-mac, entries: 2, policy: ACCEPT
-p ARP --arp-mac-src fa:16:3e:a6:5f:70 -j RETURN
' d/ L% f% O9 E& W  ?-j DROP

Bridge chain: I-tap0678bf1d-41-arp-ip, entries: 2, policy: ACCEPT
6 I# r' B6 j/ E3 H, \8 F' i. Z  Z-p ARP --arp-ip-src 10.16.0.131 -j RETURN
-j DROP

Bridge chain: libvirt-I-tap496fa038-9e, entries: 4, policy: ACCEPT
& ~0 G" n( D. H; ?2 A2 D-j I-tap496fa038-9e-mac
-p IPv4 -j I-tap496fa038-9e-ipv4-ip
4 J8 W3 u% m# W- y-p ARP -j I-tap496fa038-9e-arp-mac
-p ARP -j I-tap496fa038-9e-arp-ip
% p5 E) R( ?: c
; B  B. V! N% T' V  F4 ~& I/ C. FBridge chain: I-tap496fa038-9e-mac, entries: 2, policy: ACCEPT
& M4 d6 ]- v. t+ [' K-s fa:16:3e:58:1:ac -j RETURN
+ }  {* d" S  _0 F0 ^-j DROP

! ~% `) e; v, [* \Bridge chain: I-tap496fa038-9e-ipv4-ip, entries: 3, policy: ACCEPT
-p IPv4 --ip-src 0.0.0.0 --ip-proto udp -j RETURN
-p IPv4 --ip-src 10.16.0.111 -j RETURN
6 K- q6 y! M) H3 d$ K- t-j DROP

Bridge chain: I-tap496fa038-9e-arp-mac, entries: 2, policy: ACCEPT
+ I3 y! F, r+ V2 c5 t-p ARP --arp-mac-src fa:16:3e:58:1:ac -j RETURN
8 C& r8 n1 K" o- Y-j DROP
. n* Q  Y" ~6 d3 `# B2 n
Bridge chain: I-tap496fa038-9e-arp-ip, entries: 2, policy: ACCEPT
-p ARP --arp-ip-src 10.16.0.111 -j RETURN
  d" z% ?9 u9 p1 A. r. M-j DROP
+ e7 \7 E; W0 x+ v& s% ~5 M8 @$ y
1 L: _$ l3 p' \9 `ebtables是linux专门做二层数据链路层过滤的。

" V9 ?/ j3 p  z* D8 f( r' }在通过nova创建虚拟机后，会生成libvirt的一个xml配置文件
路径在：/etc/libvirt/nwfilter/nova-base.xml
里面定义了以下规则，这些规则限制了在虚拟机上的地址，在二层上就做了过滤
7 {( ~4 S# P) m$ h( J<filter name='nova-base' chain='root'>
: V. c4 T& o' L- L<uuid>12ec8693-253a-7db0-7cd3-f8cc0a1e1b02</uuid>
2 ], r% X# h' I' W% u% o<filterref filter='no-mac-spoofing'/>
<filterref filter='no-ip-spoofing'/>
. A% i/ Y! y, e6 c# D# C<filterref filter='no-arp-spoofing'/>
; @; W$ ^+ h8 c% \' R<filterref filter='allow-dhcp-server'/>
, G- S- I( s* h8 M: G0 `</filter>
; L, p! @1 r+ L# c7 b* F) t  Q
然后为每个虚拟机创建一个xml文件，每个虚拟机的xml配置中包含了nova-base.xml中的配置
打开其中一个虚拟机的xml配置，可以看到，这个配置文件中只放行了指定IP在二层上可以通过，所以其它手动配置的地址是不可用的。
cat /etc/libvirt/nwfilter/nova-instance-instance-0000000f-fa163e5801ac.xml
<filter name='nova-instance-instance-0000000f-fa163e5801ac' chain='root'>
<uuid>972d18be-2db0-4bf2-2853-a0a61beac036</uuid>
<filterref filter='nova-base'>
' V9 X* i7 q5 S# Y) M& n5 |3 F<parameter name='DHCPSERVER' value='10.16.0.102'/>
" Q9 i  o; d+ Y" H" O, d" |<parameter name='IP' value='10.16.0.111'/>
+ F, g5 S( F& ~3 e<parameter name='PROJMASK' value='255.255.255.0'/>
2 u- M5 _' q( Y1 J<parameter name='PROJNET' value='10.16.0.0'/>
</filterref>
</filter>

libvirt可以通过在这些xml配置的规则，去生成ebtables规则，最终是ebtables做出限制。

# `! [2 d* {  t0 A0 M$ M: w如何破解？
修改nova-base.xml文件
7 `" b' l  p2 Q: x# p) b, }; W注释掉以下三行
<filterref filter='no-mac-spoofing'/>
<filterref filter='no-ip-spoofing'/>
<filterref filter='no-arp-spoofing'/>
3 c& [8 t' B$ w+ X9 n( A然后重启libvirt进程，libvirt会重新读取xml中的配置，生成新的ebtables规则。
& J! L  o; T7 E3 ?- P修改后，我通过新建虚拟机，重启nova-computer进程，或者直接重启宿主机，这个base文件都不会发生变化了。

2 g. h. Y2 P( |. |2 d% Y还有就是修改nova源码（未测试）
源码位置在
/usr/lib/python2.7/dist-packages/nova/virt/libvirt/firewall.py
-----------------------------------
©著作权归作者所有：来自51CTO博客作者lustlost的原创作品，如需转载，请注明出处，否则将追究法律责任
解除openstack中instance对IP的限制（在虚拟机中飘VIP）
$ n" c+ M6 L) F7 X7 T/ i. dhttps://blog.51cto.com/lustlost/1324832
# a1 L4 P2 ~; n( o4 `1 g! `/ ]