我无法使浮动IP在我的OpenStack安装程序上正常工作。 看起来控制器节点(运行nova-network)不会将stream量转发到实例。
我使用FlatDHCP进行Folsom部署,不运行多主机,运行在Ubuntu 12.04上。
例如,下面是一个运行实例,其固定IP为10.40.0.2,浮动IP为10.20.0.3:
$ nova list +-------+---------+--------+------------------------------+ | ID | Name | Status | Networks | +-------+---------+--------+------------------------------+ | 3d292 | quantal | ACTIVE | private=10.40.0.2, 10.20.0.3 | +-------+---------+--------+------------------------------+ 如果我login到控制器,我可以ping通ssh到任一IP的VM实例。 但是,我不能ping或SSH到外部机器的实例。
如果我尝试从不同networking(192.168.3.5)上的计算机ping通,则可以看到数据包在其公共接口(eth3)上到达控制器,但这些数据包不会被转发到已连接的网桥(br100)到私人界面:
# tcpdump -i any icmp tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes 20:33:12.908188 IP 192.168.3.5 > 10.20.0.3: ICMP echo request, id 58378, seq 0, length 64 20:33:13.910759 IP 192.168.3.5 > 10.20.0.3: ICMP echo request, id 58378, seq 1, length 64 20:33:14.910591 IP 192.168.3.5 > 10.20.0.3: ICMP echo request, id 58378, seq 2, length 64
我configuration了nova-network来使用“no-op”防火墙驱动程序,所以在这里不应该有任何安全组问题:
firewall_driver=nova.virt.firewall.NoopFirewallDriver
我已经确认我启用了IP转发function:
$ cat /proc/sys/net/ipv4/ip_forward 1
我不太熟悉iptables,但是看规则(见https://gist.github.com/lorin/5209761 ),我看不出有什么明显的错误。
从控制器连接到虚拟机时,我认为这个规则是有效的:
-A nova-network-OUTPUT -d 10.20.0.3/32 -j DNAT --to-destination 10.40.0.2
而且在前进时它符合这些规则
-A nova-network-PREROUTING -d 10.20.0.3/32 -j DNAT --to-destination 10.40.0.2 -A nova-network-FORWARD -o br100 -j ACCEPT
在这一点上,我不知道为什么它没有正确地进行NAT并转发数据包。
接口是:
eth0 :(不介入) eth1 :连接到内部唯VMnetworking,br100桥接到它。 数据包最终应该出去那个界面 eth2 :(不介入) eth3 :面向公众的界面。 它具有控制器的IP地址(10.20.0.2)以及实例的浮动IP地址(10.20.0.3)。 以下是“ip a”的输出,MAC被遮蔽。
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo inet 169.254.169.254/32 scope link lo inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000 link/ether aa:bb:cc:dd:ee:ff brd ff:ff:ff:ff:ff:ff inet 10.30.0.131/24 brd 10.30.0.255 scope global eth0 inet6 ef23::2345:3aff:fe86:50c8/64 scope link valid_lft forever preferred_lft forever 3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br100 state UP qlen 1000 link/ether 11:22:33:44:55:66 brd ff:ff:ff:ff:ff:ff inet6 ef23::2345:3aff:fe86:50c9/64 scope link valid_lft forever preferred_lft forever 4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000 link/ether 77:88:99:00:11:22 brd ff:ff:ff:ff:ff:ff inet 10.10.0.131/24 brd 10.10.0.255 scope global eth2 inet6 ef23::2345:3aff:fe68:b4b6/64 scope link valid_lft forever preferred_lft forever 5: eth3: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000 link/ether 33:44:55:66:77:88 brd ff:ff:ff:ff:ff:ff inet 10.20.0.2/24 brd 10.20.0.255 scope global eth3 inet 10.20.0.3/32 scope global eth3 inet6 ef23::2345:3aff:fe68:b4b7/64 scope link valid_lft forever preferred_lft forever 6: br100: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP link/ether 54:78:1a:86:50:c9 brd ff:ff:ff:ff:ff:ff inet 10.40.0.1/16 brd 10.40.255.255 scope global br100 inet6 ef23::2345:3aff:fed1:cd55/64 scope link valid_lft forever preferred_lft forever
路由表:
~$ route -n Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 0.0.0.0 10.10.0.1 0.0.0.0 UG 100 0 0 eth2 10.10.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth2 10.20.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth3 10.30.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0 10.40.0.0 0.0.0.0 255.255.0.0 U 0 0 0 br100
桥接设置:
# brctl show bridge name bridge id STP enabled interfaces br100 8000.54781a8650c9 no eth1
以下是/etc/nova/nova.conf中的一些联网信息
network_manager=nova.network.manager.FlatDHCPManager flat_interface=eth1 flat_network_bridge=br100 public_interface=eth3 firewall_driver=nova.virt.firewall.NoopFirewallDriver
你说在“接口是”eth2是不涉及,但从路由输出它看起来像网关设置为eth2。
我想你会希望它在eth3上设置。 我会检查/ etc / network / interfaces是否设置为反映。