我有openstack juno setup的3节点架构。
在控制器和计算上一切正常。 VM已创建并且全部。
但似乎我的网络节点和计算节点在数据网络上存在一些问题,因为虚拟机没有从DHCP获取IP。此外,当我检查并手动将IP分配给vm时,它正在ping网关,但是qrouter没有ping VM实例。
正确配置了qrouter,并且附加了租户网络。 qrouter也在ping租户网络默认网关,因为它只是其中一个接口。
帮助我们,我被困在这里不知道该怎么做。为细节输入一些命令输出:
[root@network ~]# ip netns show
qdhcp-ade4d591-6016-4a11-8e07-6718340d673e
qrouter-99ed72a2-b69c-41f8-854e-4c6c8448f50d
[root@network ~]# ovs-vsctl show
c6e9b29e-9dac-4e74-a31a-c8cba6a8c977
Bridge br-tun
fail_mode: secure
Port patch-int
Interface patch-int
type: patch
options: {peer=patch-tun}
Port "gre-0a00011f"
Interface "gre-0a00011f"
type: gre
options: {df_default="true", in_key=flow, local_ip="10.0.1.21", out_key=flow, remote_ip="10.0.1.31"}
Port br-tun
Interface br-tun
type: internal
Bridge br-int
fail_mode: secure
Port int-br-ex
Interface int-br-ex
type: patch
options: {peer=phy-br-ex}
Port "tap1c21fba3-49"
tag: 1
Interface "tap1c21fba3-49"
type: internal
Port "qr-d8ce18d8-96"
tag: 1
Interface "qr-d8ce18d8-96"
type: internal
Port patch-tun
Interface patch-tun
type: patch
options: {peer=patch-int}
Port br-int
Interface br-int
type: internal
Bridge br-ex
Port br-ex
Interface br-ex
type: internal
Port phy-br-ex
Interface phy-br-ex
type: patch
options: {peer=int-br-ex}
Port "eth1"
Interface "eth1"
Port "qg-3a032814-ae"
Interface "qg-3a032814-ae"
type: internal
ovs_version: "2.3.1"
[root@network ~]# ip netns exec qrouter-99ed72a2-b69c-41f8-854e-4c6c8448f50d iptables-save
# Generated by iptables-save v1.4.21 on Wed Sep 2 11:16:12 2015
*filter
:INPUT ACCEPT [9733:4197036]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [34:2617]
:neutron-filter-top - [0:0]
:neutron-l3-agent-FORWARD - [0:0]
:neutron-l3-agent-INPUT - [0:0]
:neutron-l3-agent-OUTPUT - [0:0]
:neutron-l3-agent-local - [0:0]
-A INPUT -j neutron-l3-agent-INPUT
-A FORWARD -j neutron-filter-top
-A FORWARD -j neutron-l3-agent-FORWARD
-A OUTPUT -j neutron-filter-top
-A OUTPUT -j neutron-l3-agent-OUTPUT
-A neutron-filter-top -j neutron-l3-agent-local
-A neutron-l3-agent-INPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 9697 -j ACCEPT
COMMIT
# Completed on Wed Sep 2 11:16:12 2015
# Generated by iptables-save v1.4.21 on Wed Sep 2 11:16:12 2015
*nat
:PREROUTING ACCEPT [7984:630587]
:INPUT ACCEPT [173:20642]
:OUTPUT ACCEPT [16:1201]
:POSTROUTING ACCEPT [12:865]
:neutron-l3-agent-OUTPUT - [0:0]
:neutron-l3-agent-POSTROUTING - [0:0]
:neutron-l3-agent-PREROUTING - [0:0]
:neutron-l3-agent-float-snat - [0:0]
:neutron-l3-agent-snat - [0:0]
:neutron-postrouting-bottom - [0:0]
-A PREROUTING -j neutron-l3-agent-PREROUTING
-A OUTPUT -j neutron-l3-agent-OUTPUT
-A POSTROUTING -j neutron-l3-agent-POSTROUTING
-A POSTROUTING -j neutron-postrouting-bottom
-A neutron-l3-agent-POSTROUTING ! -i qg-3a032814-ae ! -o qg-3a032814-ae -m conntrack ! --ctstate DNAT -j ACCEPT
-A neutron-l3-agent-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697
-A neutron-l3-agent-snat -j neutron-l3-agent-float-snat
-A neutron-l3-agent-snat -s 192.168.10.0/24 -j SNAT --to-source 135.249.88.101
-A neutron-postrouting-bottom -j neutron-l3-agent-snat
COMMIT
# Completed on Wed Sep 2 11:16:12 2015
# Generated by iptables-save v1.4.21 on Wed Sep 2 11:16:12 2015
*raw
:PREROUTING ACCEPT [17544:4806981]
:OUTPUT ACCEPT [34:2617]
:neutron-l3-agent-OUTPUT - [0:0]
:neutron-l3-agent-PREROUTING - [0:0]
-A PREROUTING -j neutron-l3-agent-PREROUTING
-A OUTPUT -j neutron-l3-agent-OUTPUT
COMMIT
# Completed on Wed Sep 2 11:16:12 2015
在计算节点上
[root@compute1 ~]# ovs-vsctl show
491cdefe-00ef-46ad-b4a8-5b57ac630968
Bridge br-int
fail_mode: secure
Port "qvoc4e1f1c6-dd"
tag: 1
Interface "qvoc4e1f1c6-dd"
Port br-int
Interface br-int
type: internal
Port patch-tun
Interface patch-tun
type: patch
options: {peer=patch-int}
Bridge br-tun
fail_mode: secure
Port br-tun
Interface br-tun
type: internal
Port "gre-0a000115"
Interface "gre-0a000115"
type: gre
options: {df_default="true", in_key=flow, local_ip="10.0.1.31", out_key=flow, remote_ip="10.0.1.21"}
Port patch-int
Interface patch-int
type: patch
options: {peer=patch-tun}
ovs_version: "2.3.1"
如果需要任何其他详细信息,请与我们联系。
答案 0 :(得分:0)
我得到了答案:配置中没有问题,一切都很好。唯一的问题是security group :- default.
默认安全组规则不允许您从qrouter或qdhcp ping vm。
因此,解决方案是您必须使用适当的规则为项目添加另一个安全组,或者将规则添加到默认安全组。
我在下面添加了两个可访问性规则:
Ingress IPv4 ICMP - 0.0.0.0/0 (CIDR)
Egress IPv4 ICMP - 0.0.0.0/0 (CIDR)
解决了我的问题,现在我可以从qrouter到达VM了。