OpenStack instances cannot reach the external network

I am new to OpenStack. I am using an RDO packstack --allinone installation.

All OpenStack nodes reside on a single machine with only one physical Ethernet interface (eth0, 192.168.0.11).

I launched two instances (Test6 and Test7), created a public and a private network, and then assigned two floating IPs.

The network topology image is here: http://postimg.org/image/yumejw07n/

The public network is 192.168.0.192/26 and the private network is 10.0.0.0/24.

Test6's addresses are 10.0.0.15 and 192.168.0.204; Test7's addresses are 10.0.0.17 and 192.168.0.199.

A router sits between Test6, Test7 and the public network: 10.0.0.1 on the private network side and 192.168.0.203 on the public network side.

On the private network, Test6, Test7 and the router can ping and reach each other (on either their public or their private addresses).

On the public side, hosts on the public network cannot reach Test6, Test7 or the router (192.168.0.203), and the instances cannot reach those hosts either.

I think I am missing some iptables configuration for the bridge, but I have not figured out what kind of filter I should add.

Host:

    # ovs-vsctl show
    bc3a6627-8bfa-4d4a-b75a-a360b1d9ebe2
        Bridge br-int
            Port patch-tun
                Interface patch-tun
                    type: patch
                    options: {peer=patch-int}
            Port "qvoa86f386a-84"
                tag: 1
                Interface "qvoa86f386a-84"
            Port "tap816bfb16-c3"
                tag: 4095
                Interface "tap816bfb16-c3"
            Port "qvof5f02caa-df"
                tag: 1
                Interface "qvof5f02caa-df"
            Port "tapa37e0f14-18"
                tag: 1
                Interface "tapa37e0f14-18"
            Port "qr-095473ef-8f"
                tag: 1
                Interface "qr-095473ef-8f"
                    type: internal
            Port br-int
                Interface br-int
                    type: internal
            Port "qr-34feb8f5-dd"
                tag: 2
                Interface "qr-34feb8f5-dd"
                    type: internal
        Bridge br-ex
            Port "eth0"
                Interface "eth0"
            Port br-ex
                Interface br-ex
                    type: internal
        Bridge br-tun
            Port patch-int
                Interface patch-int
                    type: patch
                    options: {peer=patch-tun}
            Port br-tun
                Interface br-tun
                    type: internal
        ovs_version: "1.11.0"

    # route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 br-ex
    169.254.0.0     0.0.0.0         255.255.0.0     U     1002   0        0 eth0
    169.254.0.0     0.0.0.0         255.255.0.0     U     1044   0        0 br-ex
    0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 br-ex

    # route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    192.168.0.192   0.0.0.0         255.255.255.192 U     0      0        0 qg-92cfa1a7-94
    10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 qr-095473ef-8f

    # iptables -t nat -L -nv
    Chain PREROUTING (policy ACCEPT 49201 packets, 7639K bytes)
     pkts bytes target     prot opt in     out     source               destination
    49201 7639K neutron-openvswi-PREROUTING  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    42619 6708K nova-api-metadat-PREROUTING  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    42619 6708K nova-api-PREROUTING  all  --  *      *       0.0.0.0/0            0.0.0.0/0

    Chain POSTROUTING (policy ACCEPT 15292 packets, 934K bytes)
     pkts bytes target     prot opt in     out     source               destination
    15292  934K neutron-openvswi-POSTROUTING  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    15292  934K neutron-postrouting-bottom  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    12768  779K nova-api-metadat-POSTROUTING  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    12791  781K nova-api-POSTROUTING  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    15292  934K nova-postrouting-bottom  all  --  *      *       0.0.0.0/0            0.0.0.0/0

    Chain OUTPUT (policy ACCEPT 15266 packets, 932K bytes)
     pkts bytes target     prot opt in     out     source               destination
    15266  932K neutron-openvswi-OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    12760  779K nova-api-metadat-OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    12783  780K nova-api-OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

    Chain neutron-openvswi-OUTPUT (1 references)
     pkts bytes target     prot opt in     out     source               destination

    Chain neutron-openvswi-POSTROUTING (1 references)
     pkts bytes target     prot opt in     out     source               destination

    Chain neutron-openvswi-PREROUTING (1 references)
     pkts bytes target     prot opt in     out     source               destination

    Chain neutron-openvswi-float-snat (1 references)
     pkts bytes target     prot opt in     out     source               destination

    Chain neutron-openvswi-snat (1 references)
     pkts bytes target     prot opt in     out     source               destination
    15292  934K neutron-openvswi-float-snat  all  --  *      *       0.0.0.0/0            0.0.0.0/0

    Chain neutron-postrouting-bottom (1 references)
     pkts bytes target     prot opt in     out     source               destination
    15292  934K neutron-openvswi-snat  all  --  *      *       0.0.0.0/0            0.0.0.0/0

    Chain nova-api-OUTPUT (1 references)
     pkts bytes target     prot opt in     out     source               destination

    Chain nova-api-POSTROUTING (1 references)
     pkts bytes target     prot opt in     out     source               destination

    Chain nova-api-PREROUTING (1 references)
     pkts bytes target     prot opt in     out     source               destination

    Chain nova-api-float-snat (1 references)
     pkts bytes target     prot opt in     out     source               destination

    Chain nova-api-metadat-OUTPUT (1 references)
     pkts bytes target     prot opt in     out     source               destination

    Chain nova-api-metadat-POSTROUTING (1 references)
     pkts bytes target     prot opt in     out     source               destination

    Chain nova-api-metadat-PREROUTING (1 references)
     pkts bytes target     prot opt in     out     source               destination

    Chain nova-api-metadat-float-snat (1 references)
     pkts bytes target     prot opt in     out     source               destination

    Chain nova-api-metadat-snat (1 references)
     pkts bytes target     prot opt in     out     source               destination
    12768  779K nova-api-metadat-float-snat  all  --  *      *       0.0.0.0/0            0.0.0.0/0

    Chain nova-api-snat (1 references)
     pkts bytes target     prot opt in     out     source               destination
    12791  781K nova-api-float-snat  all  --  *      *       0.0.0.0/0            0.0.0.0/0

    Chain nova-postrouting-bottom (1 references)
     pkts bytes target     prot opt in     out     source               destination
    12768  779K nova-api-metadat-snat  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    12791  781K nova-api-snat  all  --  *      *       0.0.0.0/0            0.0.0.0/0

    # iptables -S
    -P INPUT ACCEPT
    -P FORWARD ACCEPT
    -P OUTPUT ACCEPT
    -N neutron-filter-top
    -N neutron-openvswi-FORWARD
    -N neutron-openvswi-INPUT
    -N neutron-openvswi-OUTPUT
    -N neutron-openvswi-ia86f386a-8
    -N neutron-openvswi-if5f02caa-d
    -N neutron-openvswi-local
    -N neutron-openvswi-oa86f386a-8
    -N neutron-openvswi-of5f02caa-d
    -N neutron-openvswi-sa86f386a-8
    -N neutron-openvswi-sf5f02caa-d
    -N neutron-openvswi-sg-chain
    -N neutron-openvswi-sg-fallback
    -N nova-api-FORWARD
    -N nova-api-INPUT
    -N nova-api-OUTPUT
    -N nova-api-local
    -N nova-api-metadat-FORWARD
    -N nova-api-metadat-INPUT
    -N nova-api-metadat-OUTPUT
    -N nova-api-metadat-local
    -N nova-filter-top
    -A INPUT -j neutron-openvswi-INPUT
    -A INPUT -j nova-api-metadat-INPUT
    -A INPUT -j nova-api-INPUT
    -A INPUT -s 192.168.0.11/32 -p tcp -m multiport --dports 5671,5672 -m comment --comment "001 amqp incoming amqp_192.168.0.11" -j ACCEPT
    -A INPUT -s 192.168.0.11/32 -p tcp -m multiport --dports 5671,5672 -m comment --comment "001 amqp incoming amqp_192.168.0.81" -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 8777 -m comment --comment "001 ceilometer-api incoming ceilometer_api" -j ACCEPT
    -A INPUT -s 192.168.0.11/32 -p tcp -m multiport --dports 3260,8776 -m comment --comment "001 cinder incoming cinder_192.168.0.11" -j ACCEPT
    -A INPUT -s 192.168.0.11/32 -p tcp -m multiport --dports 3260,8776 -m comment --comment "001 cinder incoming cinder_192.168.0.81" -j ACCEPT
    -A INPUT -s 192.168.0.11/32 -p tcp -m multiport --dports 9292 -m comment --comment "001 glance incoming glance_192.168.0.11" -j ACCEPT
    -A INPUT -s 192.168.0.11/32 -p tcp -m multiport --dports 9292 -m comment --comment "001 glance incoming glance_192.168.0.81" -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 80 -m comment --comment "001 horizon 80 incoming" -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 5000,35357 -m comment --comment "001 keystone incoming keystone" -j ACCEPT
    -A INPUT -s 192.168.0.11/32 -p tcp -m multiport --dports 27017 -m comment --comment "001 mongodb-server incoming swift_storage_and_rsync_192.168.0.11" -j ACCEPT
    -A INPUT -s 192.168.0.11/32 -p tcp -m multiport --dports 3306 -m comment --comment "001 mysql incoming mysql_192.168.0.11" -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 80 -m comment --comment "001 nagios incoming" -j ACCEPT
    -A INPUT -s 192.168.0.11/32 -p tcp -m multiport --dports 5666 -m comment --comment "001 nagios-nrpe incoming nagios_nrpe" -j ACCEPT
    -A INPUT -s 192.168.0.11/32 -p tcp -m multiport --dports 67 -m comment --comment "001 neutron dhcp in incoming neutron_dhcp_in_192.168.0.11_192.168.0.11" -j ACCEPT
    -A INPUT -s 192.168.0.11/32 -p tcp -m multiport --dports 67 -m comment --comment "001 neutron dhcp in incoming neutron_dhcp_in_192.168.0.81_192.168.0.81" -j ACCEPT
    -A INPUT -s 192.168.0.11/32 -p tcp -m multiport --dports 9696 -m comment --comment "001 neutron server incoming neutron_server_192.168.0.11_192.168.0.11" -j ACCEPT
    -A INPUT -s 192.168.0.11/32 -p tcp -m multiport --dports 9696 -m comment --comment "001 neutron server incoming neutron_server_192.168.0.81_192.168.0.81" -j ACCEPT
    -A INPUT -p udp -m multiport --dports 4789 -m comment --comment "001 neutron tunnel port incoming neutron_tunnel" -j ACCEPT
    -A INPUT -s 192.168.0.11/32 -p tcp -m multiport --dports 5900:5999 -m comment --comment "001 nova compute incoming nova_compute" -j ACCEPT
    -A INPUT -s 192.168.0.11/32 -p tcp -m multiport --dports 49152:49215 -m comment --comment "001 nova qemu migration incoming nova_qemu_migration_192.168.0.11_192.168.0.11" -j ACCEPT
    -A INPUT -s 192.168.0.11/32 -p tcp -m multiport --dports 49152:49215 -m comment --comment "001 nova qemu migration incoming nova_qemu_migration_192.168.0.81_192.168.0.81" -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 8773,8774,8775 -m comment --comment "001 novaapi incoming" -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 6080 -m comment --comment "001 novncproxy incoming" -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 8080 -m comment --comment "001 swift proxy incoming" -j ACCEPT
    -A INPUT -s 192.168.0.11/32 -p tcp -m multiport --dports 6000,6001,6002,873 -m comment --comment "001 swift storage and rsync incoming swift_storage_and_rsync_192.168.0.11" -j ACCEPT
    -A INPUT -s 192.168.0.11/32 -p tcp -m multiport --dports 6000,6001,6002,873 -m comment --comment "001 swift storage and rsync incoming swift_storage_and_rsync_192.168.0.81" -j ACCEPT
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A FORWARD -j neutron-filter-top
    -A FORWARD -j neutron-openvswi-FORWARD
    -A FORWARD -j nova-filter-top
    -A FORWARD -j nova-api-metadat-FORWARD
    -A FORWARD -j nova-api-FORWARD
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    -A OUTPUT -j neutron-filter-top
    -A OUTPUT -j neutron-openvswi-OUTPUT
    -A OUTPUT -j nova-filter-top
    -A OUTPUT -j nova-api-metadat-OUTPUT
    -A OUTPUT -j nova-api-OUTPUT
    -A OUTPUT -s 192.168.0.11/32 -p tcp -m multiport --dports 68 -m comment --comment "001 neutron dhcp out outgoing neutron_dhcp_out_192.168.0.11_192.168.0.11" -j ACCEPT
    -A OUTPUT -s 192.168.0.11/32 -p tcp -m multiport --dports 68 -m comment --comment "001 neutron dhcp out outgoing neutron_dhcp_out_192.168.0.81_192.168.0.81" -j ACCEPT
    -A neutron-filter-top -j neutron-openvswi-local
    -A neutron-openvswi-FORWARD -m physdev --physdev-out tapf5f02caa-df --physdev-is-bridged -j neutron-openvswi-sg-chain
    -A neutron-openvswi-FORWARD -m physdev --physdev-in tapf5f02caa-df --physdev-is-bridged -j neutron-openvswi-sg-chain
    -A neutron-openvswi-FORWARD -m physdev --physdev-out tapa86f386a-84 --physdev-is-bridged -j neutron-openvswi-sg-chain
    -A neutron-openvswi-FORWARD -m physdev --physdev-in tapa86f386a-84 --physdev-is-bridged -j neutron-openvswi-sg-chain
    -A neutron-openvswi-INPUT -m physdev --physdev-in tapf5f02caa-df --physdev-is-bridged -j neutron-openvswi-of5f02caa-d
    -A neutron-openvswi-INPUT -m physdev --physdev-in tapa86f386a-84 --physdev-is-bridged -j neutron-openvswi-oa86f386a-8
    -A neutron-openvswi-ia86f386a-8 -m state --state INVALID -j DROP
    -A neutron-openvswi-ia86f386a-8 -m state --state RELATED,ESTABLISHED -j RETURN
    -A neutron-openvswi-ia86f386a-8 -s 10.0.0.17/32 -j RETURN
    -A neutron-openvswi-ia86f386a-8 -p tcp -m tcp --dport 22 -j RETURN
    -A neutron-openvswi-ia86f386a-8 -p tcp -m tcp --dport 443 -j RETURN
    -A neutron-openvswi-ia86f386a-8 -p icmp -j RETURN
    -A neutron-openvswi-ia86f386a-8 -p tcp -m tcp --dport 80 -j RETURN
    -A neutron-openvswi-ia86f386a-8 -s 10.0.0.16/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
    -A neutron-openvswi-ia86f386a-8 -j neutron-openvswi-sg-fallback
    -A neutron-openvswi-if5f02caa-d -m state --state INVALID -j DROP
    -A neutron-openvswi-if5f02caa-d -m state --state RELATED,ESTABLISHED -j RETURN
    -A neutron-openvswi-if5f02caa-d -s 10.0.0.15/32 -j RETURN
    -A neutron-openvswi-if5f02caa-d -p tcp -m tcp --dport 22 -j RETURN
    -A neutron-openvswi-if5f02caa-d -p tcp -m tcp --dport 443 -j RETURN
    -A neutron-openvswi-if5f02caa-d -p icmp -j RETURN
    -A neutron-openvswi-if5f02caa-d -p tcp -m tcp --dport 80 -j RETURN
    -A neutron-openvswi-if5f02caa-d -s 10.0.0.16/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
    -A neutron-openvswi-if5f02caa-d -j neutron-openvswi-sg-fallback
    -A neutron-openvswi-oa86f386a-8 -p udp -m udp --sport 68 --dport 67 -j RETURN
    -A neutron-openvswi-oa86f386a-8 -j neutron-openvswi-sa86f386a-8
    -A neutron-openvswi-oa86f386a-8 -p udp -m udp --sport 67 --dport 68 -j DROP
    -A neutron-openvswi-oa86f386a-8 -m state --state INVALID -j DROP
    -A neutron-openvswi-oa86f386a-8 -m state --state RELATED,ESTABLISHED -j RETURN
    -A neutron-openvswi-oa86f386a-8 -j RETURN
    -A neutron-openvswi-oa86f386a-8 -j neutron-openvswi-sg-fallback
    -A neutron-openvswi-of5f02caa-d -p udp -m udp --sport 68 --dport 67 -j RETURN
    -A neutron-openvswi-of5f02caa-d -j neutron-openvswi-sf5f02caa-d
    -A neutron-openvswi-of5f02caa-d -p udp -m udp --sport 67 --dport 68 -j DROP
    -A neutron-openvswi-of5f02caa-d -m state --state INVALID -j DROP
    -A neutron-openvswi-of5f02caa-d -m state --state RELATED,ESTABLISHED -j RETURN
    -A neutron-openvswi-of5f02caa-d -j RETURN
    -A neutron-openvswi-of5f02caa-d -j neutron-openvswi-sg-fallback
    -A neutron-openvswi-sa86f386a-8 -s 10.0.0.15/32 -m mac --mac-source FA:16:3E:55:7F:B5 -j RETURN
    -A neutron-openvswi-sa86f386a-8 -j DROP
    -A neutron-openvswi-sf5f02caa-d -s 10.0.0.17/32 -m mac --mac-source FA:16:3E:AC:1F:2A -j RETURN
    -A neutron-openvswi-sf5f02caa-d -j DROP
    -A neutron-openvswi-sg-chain -m physdev --physdev-out tapf5f02caa-df --physdev-is-bridged -j neutron-openvswi-if5f02caa-d
    -A neutron-openvswi-sg-chain -m physdev --physdev-in tapf5f02caa-df --physdev-is-bridged -j neutron-openvswi-of5f02caa-d
    -A neutron-openvswi-sg-chain -m physdev --physdev-out tapa86f386a-84 --physdev-is-bridged -j neutron-openvswi-ia86f386a-8
    -A neutron-openvswi-sg-chain -m physdev --physdev-in tapa86f386a-84 --physdev-is-bridged -j neutron-openvswi-oa86f386a-8
    -A neutron-openvswi-sg-chain -j ACCEPT
    -A neutron-openvswi-sg-fallback -j DROP
    -A nova-api-INPUT -d 192.168.0.11/32 -p tcp -m tcp --dport 8775 -j ACCEPT
    -A nova-api-metadat-INPUT -d 192.168.0.11/32 -p tcp -m tcp --dport 8775 -j ACCEPT
    -A nova-filter-top -j nova-api-metadat-local
    -A nova-filter-top -j nova-api-local

    # ip netns exec qrouter-46f858f1-aec7-4516-b148-9110f7d9d90c iptables -L -nv -t nat
    Chain PREROUTING (policy ACCEPT 1034 packets, 177K bytes)
     pkts bytes target     prot opt in     out     source               destination
     1040  177K neutron-l3-agent-PREROUTING  all  --  *      *       0.0.0.0/0            0.0.0.0/0

    Chain POSTROUTING (policy ACCEPT 9 packets, 616 bytes)
     pkts bytes target     prot opt in     out     source               destination
       15  1120 neutron-l3-agent-POSTROUTING  all  --  *      *       0.0.0.0/0            0.0.0.0/0
       12   868 neutron-postrouting-bottom  all  --  *      *       0.0.0.0/0            0.0.0.0/0

    Chain OUTPUT (policy ACCEPT 3 packets, 252 bytes)
     pkts bytes target     prot opt in     out     source               destination
        8   576 neutron-l3-agent-OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

    Chain neutron-l3-agent-OUTPUT (1 references)
     pkts bytes target     prot opt in     out     source               destination
        5   324 DNAT       all  --  *      *       0.0.0.0/0            192.168.0.199        to:10.0.0.17
        0     0 DNAT       all  --  *      *       0.0.0.0/0            192.168.0.204        to:10.0.0.15

    Chain neutron-l3-agent-POSTROUTING (1 references)
     pkts bytes target     prot opt in     out     source               destination
        3   252 ACCEPT     all  --  !qg-92cfa1a7-94 !qg-92cfa1a7-94  0.0.0.0/0            0.0.0.0/0            ! ctstate DNAT

    Chain neutron-l3-agent-PREROUTING (1 references)
     pkts bytes target     prot opt in     out     source               destination
        0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            169.254.169.254      tcp dpt:80 redir ports 9697
        0     0 DNAT       all  --  *      *       0.0.0.0/0            192.168.0.199        to:10.0.0.17
        0     0 DNAT       all  --  *      *       0.0.0.0/0            192.168.0.204        to:10.0.0.15

    Chain neutron-l3-agent-float-snat (1 references)
     pkts bytes target     prot opt in     out     source               destination
        0     0 SNAT       all  --  *      *       10.0.0.17            0.0.0.0/0            to:192.168.0.199
        0     0 SNAT       all  --  *      *       10.0.0.15            0.0.0.0/0            to:192.168.0.204

    Chain neutron-l3-agent-snat (1 references)
     pkts bytes target     prot opt in     out     source               destination
       12   868 neutron-l3-agent-float-snat  all  --  *      *       0.0.0.0/0            0.0.0.0/0
        0     0 SNAT       all  --  *      *       10.0.0.0/24          0.0.0.0/0            to:192.168.0.203

    Chain neutron-postrouting-bottom (1 references)
     pkts bytes target     prot opt in     out     source               destination
       12   868 neutron-l3-agent-snat  all  --  *      *       0.0.0.0/0            0.0.0.0/0

    # ip netns exec qrouter-46f858f1-aec7-4516-b148-9110f7d9d90c iptables -S
    -P INPUT ACCEPT
    -P FORWARD ACCEPT
    -P OUTPUT ACCEPT
    -N neutron-filter-top
    -N neutron-l3-agent-FORWARD
    -N neutron-l3-agent-INPUT
    -N neutron-l3-agent-OUTPUT
    -N neutron-l3-agent-local
    -A INPUT -j neutron-l3-agent-INPUT
    -A FORWARD -j neutron-filter-top
    -A FORWARD -j neutron-l3-agent-FORWARD
    -A OUTPUT -j neutron-filter-top
    -A OUTPUT -j neutron-l3-agent-OUTPUT
    -A neutron-filter-top -j neutron-l3-agent-local
    -A neutron-l3-agent-INPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 9697 -j ACCEPT

I have just reinstalled the OpenStack packages and run packstack --allinone again.

Now the network works!

I think the only setting that differs is the CIDR of the public_net network: it was 192.168.0.192/26 and is now 192.168.0.0/24.

I am not good at network administration. Does the netmask affect the network routing table?
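The netmask question can be answered mechanically from the tables already in the post. The second `route -n` output (the one listing the qg- and qr- interfaces) is the Neutron router's own routing table, and it contains only the two connected routes and no default route, so from inside that router a destination is reachable only if it falls inside 192.168.0.192/26 or 10.0.0.0/24. The host itself, 192.168.0.11, lies outside the /26. The script below is an added example, not code from the post: it parses `route -n` text, performs the same longest-prefix lookup the kernel does, and runs it against the posted /26 table and against a constructed /24 table that mirrors the reinstalled layout (the interface names in the /24 variant are kept only for illustration).

```python
import ipaddress

# Router-namespace routing table, transcribed from the second `route -n`
# output in the post (public network 192.168.0.192/26, no default route).
ROUTER_NS_ROUTES_26 = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.192   0.0.0.0         255.255.255.192 U     0      0        0 qg-92cfa1a7-94
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 qr-095473ef-8f
"""

# Constructed what-if: the same router after the public network was recreated
# as 192.168.0.0/24. Interface names are reused purely for illustration.
ROUTER_NS_ROUTES_24 = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 qg-92cfa1a7-94
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 qr-095473ef-8f
"""


def parse_route_table(text):
    """Parse `route -n` output into a list of (network, gateway, iface).

    gateway is None for directly connected (on-link) routes, which `route -n`
    prints as 0.0.0.0 in the Gateway column.
    """
    routes = []
    for line in text.splitlines():
        fields = line.split()
        # Skip the banner, the column header and anything that is not a route row.
        if len(fields) < 8 or fields[0] == "Destination":
            continue
        dest, gw, mask, iface = fields[0], fields[1], fields[2], fields[7]
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        gateway = None if gw == "0.0.0.0" else ipaddress.ip_address(gw)
        routes.append((net, gateway, iface))
    return routes


def lookup(routes, dst):
    """Longest-prefix match, as the kernel does; None means no route at all."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gateway, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, iface)
    return best


def describe(routes, dst):
    """Human-readable result of a lookup, for a quick reachability report."""
    hit = lookup(routes, dst)
    if hit is None:
        return f"{dst}: no route (the kernel would answer 'Network is unreachable')"
    net, gateway, iface = hit
    via = "on-link" if gateway is None else f"via {gateway}"
    return f"{dst}: matches {net}, {via} dev {iface}"


if __name__ == "__main__":
    # Addresses taken from the post: the host, the physical gateway,
    # one floating IP and one private instance address.
    targets = ["192.168.0.11", "192.168.0.1", "192.168.0.199", "10.0.0.15"]
    tables = (("/26 public net", ROUTER_NS_ROUTES_26),
              ("/24 public net", ROUTER_NS_ROUTES_24))
    for label, table in tables:
        print(f"--- {label} ---")
        routes = parse_route_table(table)
        for dst in targets:
            print(describe(routes, dst))
```

Under the posted /26 table the lookup for 192.168.0.11 and for the physical gateway 192.168.0.1 returns no route at all, while the floating IP 192.168.0.199 and the private address 10.0.0.15 both match; under the /24 variant the host becomes on-link through the qg- interface. A public network whose subnet does not cover the hosts (or a gateway) that the router needs to reach, combined with a router that has no default route, leaves those hosts unreachable regardless of any iptables rules.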

It may be that IP forwarding and ARP proxying are not configured on your machine.

These can be set on the host like this:

    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Some more details can be found here: OpenStack in a Box
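Before applying the three commands above it is worth checking which of the two kernel switches is actually off, and noting that the router namespace's nat table in the question already SNATs 10.0.0.0/24 to 192.168.0.203 and DNATs the two floating IPs; a host-level MASQUERADE rule with no source match rewrites every forwarded packet leaving eth0, so if it is used at all it should be restricted to the address range it is meant for. The script below is an added example, not code from the answer: it reads `ip_forward` and the per-interface `proxy_arp` knob from a configurable proc root, distinguishes "off" from "file absent" (an absent per-interface file means no such interface), and includes a constructed fixture so the check runs offline; the `proc_root` parameter and the fixture layout are assumptions of this example, not part of the answer.

```python
import os
import tempfile

# Paths, relative to /proc, of the two kernel switches the answer enables.
# {iface} is the external interface (eth0 in the answer).
KNOBS = {
    "ip_forward": "sys/net/ipv4/ip_forward",
    "proxy_arp": "sys/net/ipv4/conf/{iface}/proxy_arp",
}


def read_knob(proc_root, relpath):
    """Return the knob file's contents stripped, or None if it cannot be read."""
    try:
        with open(os.path.join(proc_root, relpath)) as fh:
            return fh.read().strip()
    except OSError:
        return None


def check_forwarding(iface, proc_root="/proc"):
    """Map each knob to True (enabled), False (disabled) or None (absent).

    None for proxy_arp means there is no conf/<iface> directory, i.e. the
    interface name is wrong, which is a different problem from the knob
    being off.
    """
    result = {}
    for name, template in KNOBS.items():
        value = read_knob(proc_root, template.format(iface=iface))
        result[name] = None if value is None else value == "1"
    return result


def make_fixture(root, iface, ip_forward, proxy_arp):
    """Write a constructed /proc-like tree so the check can run offline."""
    entries = (
        (KNOBS["ip_forward"], ip_forward),
        (KNOBS["proxy_arp"].format(iface=iface), proxy_arp),
    )
    for relpath, value in entries:
        path = os.path.join(root, relpath)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(f"{value}\n")


def demo():
    """Run the check against constructed fixtures and return the three results."""
    root = tempfile.mkdtemp(prefix="proc-fixture-")
    make_fixture(root, "eth0", ip_forward=0, proxy_arp=1)
    partial = check_forwarding("eth0", proc_root=root)    # forwarding still off
    missing = check_forwarding("eth9", proc_root=root)    # no such interface
    make_fixture(root, "eth0", ip_forward=1, proxy_arp=1)
    complete = check_forwarding("eth0", proc_root=root)   # both switches on
    return {"partial": partial, "missing": missing, "complete": complete}


if __name__ == "__main__":
    for label, state in demo().items():
        print(label, state)
    # On a real host, drop proc_root to read the live values:
    # print(check_forwarding("eth0"))
```

Run it as root on the host with `check_forwarding("eth0")` to see the live values; any knob reported False is the one the corresponding `echo 1 >` line above turns on, and a None for `proxy_arp` means the interface name, not the knob, needs attention.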