openstack添加vrrp安全组规则入口配置

admin

       valid_lft forever preferred_lft forever
% M- h) T, }/ S0 W[root@keepalievd-1 ~]# tcpdump -i eth1 vrrp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
. m1 }. Y0 A1 b7 k, S" K5 A$ [: X15:01:31.166318 IP keepalievd-1.novalocal > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
15:01:32.166682 IP keepalievd-1.novalocal > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
15:01:33.167075 IP keepalievd-1.novalocal > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
^C
* B7 z/ Q  x% S; _7 h( D6 u! p0 D
[root@keepalived-2 ~]# tcpdump -i eth1  vrrp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
15:01:22.170651 IP keepalived-2.novalocal > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 99, authtype simple, intvl 1s, length 20
* C  A3 a' B/ n0 u) E  G  q8 @! I% e15:01:23.171685 IP keepalived-2.novalocal > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 99, authtype simple, intvl 1s, length 20
15:01:24.172739 IP keepalived-2.novalocal > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 99, authtype simple, intvl 1s, length 20
( @1 R8 x; U" b$ P15:01:25.173771 IP keepalived-2.novalocal > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 99, authtype simple, intvl 1s, length 20
15:01:26.174855 IP keepalived-2.novalocal > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 99, authtype simple, intvl 1s, length 20
^C


9 a3 N2 a: C; P在openstack平台上创建的keepalived虚机因安全组不通而导致vrrp不通，openstack上需要调整vrrp安全组规则入口配置：
/ w- X; q" H* P0 \3 ?; _5 d$ `

入口

IPv4

112

任何

192.168.0.0/24

入口 . O3 f) k& ?  _" }+ s( ~* D3 R

IPv4

112

任何

0.0.0.0/0

admin

[root@keepalievd-1 ~]# tcpdump -i eth1 vrrp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
15:03:08.894788 IP keepalievd-1.novalocal > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
7 E% _. L- Z8 k15:03:09.132334 IP 192.168.0.62 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 52, prio 2, authtype simple, intvl 1s, length 20
! V: Y5 x2 w5 l5 k7 z15:03:09.895798 IP keepalievd-1.novalocal > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
15:03:10.133082 IP 192.168.0.62 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 52, prio 2, authtype simple, intvl 1s, length 20
8 i1 O) G9 l) O( \" k" n15:03:10.896827 IP keepalievd-1.novalocal > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
15:03:11.133514 IP 192.168.0.62 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 52, prio 2, authtype simple, intvl 1s, length 20
15:03:11.897792 IP keepalievd-1.novalocal > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
# |  J2 k4 V, _. c& z( |( k5 |15:03:12.134724 IP 192.168.0.62 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 52, prio 2, authtype simple, intvl 1s, length 20

& q1 Q/ |3 n2 S5 k8 H% C, x) e$ i, {5 y第二台设备：

( `7 @; B1 d4 Q+ A" p" N[root@keepalived-2 ~]# tcpdump -i eth1  vrrp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
* }9 h8 i! B: R6 w. g6 `15:03:03.277349 IP 192.168.0.186 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
' L6 T) Y, v1 L' Z4 X$ e, R& g2 _) k15:03:03.516783 IP 192.168.0.62 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 52, prio 2, authtype simple, intvl 1s, length 20
6 |( o! f6 A, C: ^) D15:03:04.278375 IP 192.168.0.186 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
15:03:04.517146 IP 192.168.0.62 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 52, prio 2, authtype simple, intvl 1s, length 20
15:03:05.279264 IP 192.168.0.186 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
15:03:05.517812 IP 192.168.0.62 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 52, prio 2, authtype simple, intvl 1s, length 20
$ T+ s9 l) k1 \" U+ G) m8 D15:03:06.280214 IP 192.168.0.186 > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
6 |% q/ z+ k3 f0 [8 o3 d9 z^C
( M5 k/ \/ G1 F7 ?* U
地址通了。
2 T2 e6 x5 r$ a3 v

admin

安全组允许VRRP协议
8 B1 a( @% K  t( C5 }( M直接在控制台导航：项目-访问&安全，搜索虚机所在的安全组, 然后点击后面的管理规则按钮进入规则列表；点击添加规则按钮，弹出框里，在规则的下拉选里选择 其他协议, 然后再 端口 文本框输入 112, 最后点击添加按钮即可 # VRRP协议的端口号是112

admin

对于负载均衡，G版本已经集成了haproxy插件，对haproxy的配置做了一层封装，可以很方便的通过quantum去创建一个负载均衡池，为相同或者不同宿主机上的虚拟机提供负载均衡的能力。

在这个模式下，haproxy是运行在宿主机上的。
遗憾的是，目前还不能通过openstack做到haproxy的高可用。

. Z0 l; f1 X4 T* m4 {9 K想要做高可用，只能在虚拟机中去飘VIP了
( e5 A8 E) R! F
但是创建了虚拟机之后，在这个虚拟机实例中只能使用指定的IP。
9 L$ e* x8 G1 H/ D! ]! G这就导致想在虚拟机中部署高可用去飘VIP是不可行的。
* P& D9 X" g: `! z6 W# P! C; v9 O
) d+ j  o& T' L6 S可以理解，在公有云环境下，是不可能让用户在虚拟机中随意去配置额外地址的。
9 i" X! h+ C3 a0 O+ i但我们是私有云环境，这个规则对私有云环境下很是麻烦。
在openstack中创建虚拟机，通过nova boot的--nic选项指定网卡和IP地址：
--nic net-id=${NETWORK_ID},v4-fixed-ip=${Host_IP}

之前一直以为是iptables规则导致的。于是去看了一遍宿主机中的iptables规则
; k+ D& V& V, N+ _0 A8 w: mroot@node1:~# iptables -vnL
Chain INPUT (policy ACCEPT 3556K packets, 744M bytes)
pkts bytes target prot opt in out source destination
1 x, y4 d8 l* a7 i/ {, \1778K 372M nova-compute-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
150 13488 nova-filter-top all -- * * 0.0.0.0/0 0.0.0.0/0
6 1392 nova-compute-FORWARD all -- * * 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 4208K packets, 567M bytes)
: G6 e) Q$ y/ q' Jpkts bytes target prot opt in out source destination
3 x2 C' ~" m% K( U( b' R2 z4202K 567M nova-filter-top all -- * * 0.0.0.0/0 0.0.0.0/0
0 T2 s# L1 S6 }4 H2106K 284M nova-compute-OUTPUT all -- * * 0.0.0.0/0 0.0.0.0/0
: Q$ X  }! a& b0 l- Y! W3 X/ _6 N
1 I4 k2 ?) ~: o0 J  |" Q8 K) AChain nova-compute-FORWARD (1 references)
pkts bytes target prot opt in out source destination
4 1312 ACCEPT udp -- * * 0.0.0.0 255.255.255.255 udp spt:68 dpt:67
2 80 ACCEPT all -- brq3eefcd79-07 * 0.0.0.0/0 0.0.0.0/0
. }, r0 d' q) _+ m- r+ ^$ @8 Z0 0 ACCEPT all -- * brq3eefcd79-07 0.0.0.0/0 0.0.0.0/0

Chain nova-compute-INPUT (1 references)
pkts bytes target prot opt in out source destination
2 _- s: k. O3 L' N* _1 p5 `7 U2 656 ACCEPT udp -- * * 0.0.0.0 255.255.255.255 udp spt:68 dpt:67

Chain nova-compute-OUTPUT (1 references)
3 f, H- r0 t0 H: V. lpkts bytes target prot opt in out source destination

6 [  K( e7 @7 Q, Z& z9 N( SChain nova-compute-inst-15 (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
( N% A: C8 m+ `0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 nova-compute-provider all -- * * 0.0.0.0/0 0.0.0.0/0
6 g9 ^5 W5 M/ Z% ^- |0 0 ACCEPT udp -- * * 10.16.0.102 0.0.0.0/0 udp spt:67 dpt:68
0 0 ACCEPT all -- * * 10.16.0.0/24 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 1:65535
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 1:65535
; m& K- Q% b- y" v# a6 N, `2 @0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8 code 8
6 s! Z  P' v5 K/ S9 V% B0 0 nova-compute-sg-fallback all -- * * 0.0.0.0/0 0.0.0.0/0

: E3 V& X3 x4 L/ iChain nova-compute-inst-17 (1 references)
pkts bytes target prot opt in out source destination
( V, M* l1 \  M3 T7 U& N8 G0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 nova-compute-provider all -- * * 0.0.0.0/0 0.0.0.0/0
  @7 z2 V! s2 a6 t1 k4 z1 d0 0 ACCEPT udp -- * * 10.16.0.102 0.0.0.0/0 udp spt:67 dpt:68
0 0 ACCEPT all -- * * 10.16.0.0/24 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 1:65535
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 1:65535
1 _9 H7 ]* X2 K. k& _0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8 code 8
/ g% y  g; Q  v  j( q# T0 0 nova-compute-sg-fallback all -- * * 0.0.0.0/0 0.0.0.0/0

  Z' Z; R* Z5 A+ E- n" l  v; @# v, qChain nova-compute-local (1 references)
pkts bytes target prot opt in out source destination
0 0 nova-compute-inst-15 all -- * * 0.0.0.0/0 10.16.0.111
0 0 nova-compute-inst-17 all -- * * 0.0.0.0/0 10.16.0.131
  r6 o! Y; [. Z2 b# Z- P9 @
% v9 g; v7 }; a2 E' t/ Z( i+ ^Chain nova-compute-provider (2 references)
* Z; ^1 k9 B# l; d7 wpkts bytes target prot opt in out source destination

" d, O3 p, A7 a6 a/ B5 n! yChain nova-compute-sg-fallback (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain nova-filter-top (2 references)
! @8 ?# h- \* H& m" s" rpkts bytes target prot opt in out source destination
* u9 M; i) n3 Y8 c' G8 {2106K 284M nova-compute-local all -- * * 0.0.0.0/0 0.0.0.0/0

分析一下这些openstack自动生成的规则，可以看到input，forword和output链默认都是accept状态。分析每条链对数据包的跳转和过滤，如果在虚拟机中配置新的地址，是不会被过滤的。
9 ~8 f8 P7 |& {' G- C; n
经过一番折腾，最终发现限制IP的原因是ebtables在起作用
root@node1:~# ebtables -t nat -L
# A" m9 [* G5 h! K* cBridge table: nat
& U! ]0 ?" p, Q: m
Bridge chain: PREROUTING, entries: 2, policy: ACCEPT
- A+ a) S5 r4 t. D9 x* m* w' L-i tap0678bf1d-41 -j libvirt-I-tap0678bf1d-41
3 W$ w7 J5 ^& C& i+ O-i tap496fa038-9e -j libvirt-I-tap496fa038-9e

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT

Bridge chain: POSTROUTING, entries: 0, policy: ACCEPT
! D! ]( Y- x6 v, T$ J8 c, G
! j" o  L# g: a; @Bridge chain: libvirt-I-tap0678bf1d-41, entries: 4, policy: ACCEPT
-j I-tap0678bf1d-41-mac
* c8 m( k" x4 V8 Z7 i- g( N-p IPv4 -j I-tap0678bf1d-41-ipv4-ip
" |$ r3 }+ a* v& D2 y- v6 j-p ARP -j I-tap0678bf1d-41-arp-mac
( ?8 q- S! l5 k-p ARP -j I-tap0678bf1d-41-arp-ip

Bridge chain: I-tap0678bf1d-41-mac, entries: 2, policy: ACCEPT
2 c2 @$ I( P. j! k1 p, t-s fa:16:3e:a6:5f:70 -j RETURN
& N' B4 _. x+ I1 [* t-j DROP
) i3 L" I8 C! m
/ Z4 p! d* S4 O" L$ n0 L9 a: ABridge chain: I-tap0678bf1d-41-ipv4-ip, entries: 3, policy: ACCEPT
& d' y& d3 F4 |0 }5 n-p IPv4 --ip-src 0.0.0.0 --ip-proto udp -j RETURN
-p IPv4 --ip-src 10.16.0.131 -j RETURN
: Y! q9 |4 S. y: d$ y# X$ Y; }-j DROP
$ V9 h$ o" K4 U( ?. X/ e' z3 k) x: |
Bridge chain: I-tap0678bf1d-41-arp-mac, entries: 2, policy: ACCEPT
-p ARP --arp-mac-src fa:16:3e:a6:5f:70 -j RETURN
$ u( p  N7 Y) P9 O' F-j DROP
6 N9 X( [$ F% L4 S2 W7 k
* }6 A* f5 `, e+ h0 OBridge chain: I-tap0678bf1d-41-arp-ip, entries: 2, policy: ACCEPT
8 t$ |6 p+ K5 n  W5 F% ]; b-p ARP --arp-ip-src 10.16.0.131 -j RETURN
6 W4 }  W( B1 E-j DROP

Bridge chain: libvirt-I-tap496fa038-9e, entries: 4, policy: ACCEPT
-j I-tap496fa038-9e-mac
-p IPv4 -j I-tap496fa038-9e-ipv4-ip
-p ARP -j I-tap496fa038-9e-arp-mac
-p ARP -j I-tap496fa038-9e-arp-ip

% w' r0 W; Q7 W) t0 d2 t& G% EBridge chain: I-tap496fa038-9e-mac, entries: 2, policy: ACCEPT
-s fa:16:3e:58:1:ac -j RETURN
-j DROP
' {; n9 Z' H3 \+ d
8 z% A& K( q* l5 l) \Bridge chain: I-tap496fa038-9e-ipv4-ip, entries: 3, policy: ACCEPT
+ ]1 K. ^/ I9 Y* I% l: P-p IPv4 --ip-src 0.0.0.0 --ip-proto udp -j RETURN
! a% n) q' k/ B-p IPv4 --ip-src 10.16.0.111 -j RETURN
-j DROP
" _& ?& z( _: \% A* L
Bridge chain: I-tap496fa038-9e-arp-mac, entries: 2, policy: ACCEPT
" ]. G. p& m4 x- F. W! Z* n-p ARP --arp-mac-src fa:16:3e:58:1:ac -j RETURN
-j DROP

Bridge chain: I-tap496fa038-9e-arp-ip, entries: 2, policy: ACCEPT
( V7 L9 Y7 \; j, a-p ARP --arp-ip-src 10.16.0.111 -j RETURN
-j DROP

4 c: C! ]  \5 E/ r4 y! `- [; uebtables是linux专门做二层数据链路层过滤的。

在通过nova创建虚拟机后，会生成libvirt的一个xml配置文件
路径在：/etc/libvirt/nwfilter/nova-base.xml
里面定义了以下规则，这些规则限制了在虚拟机上的地址，在二层上就做了过滤
1 g8 Q. |* q+ G! y, H: f7 e2 ]<filter name='nova-base' chain='root'>
<uuid>12ec8693-253a-7db0-7cd3-f8cc0a1e1b02</uuid>
<filterref filter='no-mac-spoofing'/>
<filterref filter='no-ip-spoofing'/>
  a& E/ o* z# u) `<filterref filter='no-arp-spoofing'/>
<filterref filter='allow-dhcp-server'/>
</filter>

% A5 n/ ]# H: z6 i然后为每个虚拟机创建一个xml文件，每个虚拟机的xml配置中包含了nova-base.xml中的配置
5 f* H+ n4 o$ i& {0 B打开其中一个虚拟机的xml配置，可以看到，这个配置文件中只放行了指定IP在二层上可以通过，所以其它手动配置的地址是不可用的。
/ U+ d& E$ t' z! qcat /etc/libvirt/nwfilter/nova-instance-instance-0000000f-fa163e5801ac.xml
<filter name='nova-instance-instance-0000000f-fa163e5801ac' chain='root'>
0 m% J, V" _9 @  \6 @+ b- o8 C6 n+ n<uuid>972d18be-2db0-4bf2-2853-a0a61beac036</uuid>
2 I4 l! B" T  e) \<filterref filter='nova-base'>
3 z9 d7 {. F: A; h" m<parameter name='DHCPSERVER' value='10.16.0.102'/>
<parameter name='IP' value='10.16.0.111'/>
: M% _& F8 A; r. w) y: _3 t. j<parameter name='PROJMASK' value='255.255.255.0'/>
4 p- u* H( G0 b( j" A" V<parameter name='PROJNET' value='10.16.0.0'/>
! @; \6 ^+ E6 m! ^9 G. h</filterref>
" W* L2 r4 \% b, ?' G, W+ |& Q8 {. K</filter>
0 f  ?1 {9 b# M( y& ?% K( P
" Y7 l; l1 v* v5 }libvirt可以通过在这些xml配置的规则，去生成ebtables规则，最终是ebtables做出限制。

  b# K  z. z* n& S0 R  _' T% r2 C如何破解？
2 h$ m* Z, z* o3 E( d. g: ?/ S* s修改nova-base.xml文件
注释掉以下三行
<filterref filter='no-mac-spoofing'/>
<filterref filter='no-ip-spoofing'/>
3 d" Z& T) x1 o! v8 X% f& T* V) y<filterref filter='no-arp-spoofing'/>
+ Q9 e% [  D+ Q$ m$ k0 v7 e然后重启libvirt进程，libvirt会重新读取xml中的配置，生成新的ebtables规则。
修改后，我通过新建虚拟机，重启nova-computer进程，或者直接重启宿主机，这个base文件都不会发生变化了。
& B2 x" |# j: h" R( R) N9 v& L' w
还有就是修改nova源码（未测试）
源码位置在
8 ?' q. w0 ]1 G* l! d+ S) F/usr/lib/python2.7/dist-packages/nova/virt/libvirt/firewall.py
1 C0 [; |3 o3 C-----------------------------------
©著作权归作者所有：来自51CTO博客作者lustlost的原创作品，如需转载，请注明出处，否则将追究法律责任
解除openstack中instance对IP的限制（在虚拟机中飘VIP）
: `, Y" c' I* s( r& `5 L3 H1 Fhttps://blog.51cto.com/lustlost/1324832
  L6 n( _3 c1 J9 O) l% ?: P  W