Juno Neutron with GRE tunnels: qrouter cannot ping the VM and the VM gets no IP from DHCP

Time: 2015-09-02 05:50:24

Tags: openstack openstack-nova openstack-neutron

I have a 3-node architecture for my OpenStack Juno setup.

Everything works fine on the controller and the compute node. VMs get created and all that.

But it seems my network node and compute node have some problem on the data network, because the VMs do not get an IP from DHCP. Also, when I checked and assigned an IP to the VM manually, it pings the gateway, but the qrouter does not ping the VM instance.

The qrouter is configured correctly and the tenant network is attached. The qrouter also pings the tenant network's default gateway, since that is just one of its own interfaces.

Please help, I am stuck here and don't know what to do. Here is some command output for details:

[root@network ~]# ip netns show
qdhcp-ade4d591-6016-4a11-8e07-6718340d673e
qrouter-99ed72a2-b69c-41f8-854e-4c6c8448f50d

[root@network ~]# ovs-vsctl show
c6e9b29e-9dac-4e74-a31a-c8cba6a8c977
Bridge br-tun
    fail_mode: secure
    Port patch-int
        Interface patch-int
            type: patch
            options: {peer=patch-tun}
    Port "gre-0a00011f"
        Interface "gre-0a00011f"
            type: gre
            options: {df_default="true", in_key=flow, local_ip="10.0.1.21", out_key=flow, remote_ip="10.0.1.31"}
    Port br-tun
        Interface br-tun
            type: internal
Bridge br-int
    fail_mode: secure
    Port int-br-ex
        Interface int-br-ex
            type: patch
            options: {peer=phy-br-ex}
    Port "tap1c21fba3-49"
        tag: 1
        Interface "tap1c21fba3-49"
            type: internal
    Port "qr-d8ce18d8-96"
        tag: 1
        Interface "qr-d8ce18d8-96"
            type: internal
    Port patch-tun
        Interface patch-tun
            type: patch
            options: {peer=patch-int}
    Port br-int
        Interface br-int
            type: internal
Bridge br-ex
    Port br-ex
        Interface br-ex
            type: internal
    Port phy-br-ex
        Interface phy-br-ex
            type: patch
            options: {peer=int-br-ex}
    Port "eth1"
        Interface "eth1"
    Port "qg-3a032814-ae"
        Interface "qg-3a032814-ae"
            type: internal
ovs_version: "2.3.1"

[root@network ~]# ip netns exec qrouter-99ed72a2-b69c-41f8-854e-4c6c8448f50d iptables-save
# Generated by iptables-save v1.4.21 on Wed Sep  2 11:16:12 2015
*filter
:INPUT ACCEPT [9733:4197036]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [34:2617]
:neutron-filter-top - [0:0]
:neutron-l3-agent-FORWARD - [0:0]
:neutron-l3-agent-INPUT - [0:0]
:neutron-l3-agent-OUTPUT - [0:0]
:neutron-l3-agent-local - [0:0]
-A INPUT -j neutron-l3-agent-INPUT
-A FORWARD -j neutron-filter-top
-A FORWARD -j neutron-l3-agent-FORWARD
-A OUTPUT -j neutron-filter-top
-A OUTPUT -j neutron-l3-agent-OUTPUT
-A neutron-filter-top -j neutron-l3-agent-local
-A neutron-l3-agent-INPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 9697 -j ACCEPT
COMMIT
# Completed on Wed Sep  2 11:16:12 2015
# Generated by iptables-save v1.4.21 on Wed Sep  2 11:16:12 2015
*nat
:PREROUTING ACCEPT [7984:630587]
:INPUT ACCEPT [173:20642]
:OUTPUT ACCEPT [16:1201]
:POSTROUTING ACCEPT [12:865]
:neutron-l3-agent-OUTPUT - [0:0]
:neutron-l3-agent-POSTROUTING - [0:0]
:neutron-l3-agent-PREROUTING - [0:0]
:neutron-l3-agent-float-snat - [0:0]
:neutron-l3-agent-snat - [0:0]
:neutron-postrouting-bottom - [0:0]
-A PREROUTING -j neutron-l3-agent-PREROUTING
-A OUTPUT -j neutron-l3-agent-OUTPUT
-A POSTROUTING -j neutron-l3-agent-POSTROUTING
-A POSTROUTING -j neutron-postrouting-bottom
-A neutron-l3-agent-POSTROUTING ! -i qg-3a032814-ae ! -o qg-3a032814-ae -m conntrack ! --ctstate DNAT -j ACCEPT
-A neutron-l3-agent-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697
-A neutron-l3-agent-snat -j neutron-l3-agent-float-snat
-A neutron-l3-agent-snat -s 192.168.10.0/24 -j SNAT --to-source 135.249.88.101
-A neutron-postrouting-bottom -j neutron-l3-agent-snat
COMMIT
# Completed on Wed Sep  2 11:16:12 2015
# Generated by iptables-save v1.4.21 on Wed Sep  2 11:16:12 2015
*raw
:PREROUTING ACCEPT [17544:4806981]
:OUTPUT ACCEPT [34:2617]
:neutron-l3-agent-OUTPUT - [0:0]
:neutron-l3-agent-PREROUTING - [0:0]
-A PREROUTING -j neutron-l3-agent-PREROUTING
-A OUTPUT -j neutron-l3-agent-OUTPUT
COMMIT
# Completed on Wed Sep  2 11:16:12 2015

On the compute node:

[root@compute1 ~]# ovs-vsctl show
491cdefe-00ef-46ad-b4a8-5b57ac630968
Bridge br-int
    fail_mode: secure
    Port "qvoc4e1f1c6-dd"
        tag: 1
        Interface "qvoc4e1f1c6-dd"
    Port br-int
        Interface br-int
            type: internal
    Port patch-tun
        Interface patch-tun
            type: patch
            options: {peer=patch-int}
Bridge br-tun
    fail_mode: secure
    Port br-tun
        Interface br-tun
            type: internal
    Port "gre-0a000115"
        Interface "gre-0a000115"
            type: gre
            options: {df_default="true", in_key=flow, local_ip="10.0.1.31", out_key=flow, remote_ip="10.0.1.21"}
    Port patch-int
        Interface patch-int
            type: patch
            options: {peer=patch-tun}
ovs_version: "2.3.1"

Let me know if any other details are needed.

1 answer:

Answer 0 (score: 0)

I found the answer: there was no problem in the configuration, everything was fine. The only problem was the rules on the security group: default.

The default security group rules do not allow you to ping a VM from the qrouter or the qdhcp namespace.

So the solution is that you have to add another security group with the appropriate rules to the project, or add the rules to the default security group.

I added the two rules below for reachability:

Ingress IPv4    ICMP    -   0.0.0.0/0 (CIDR)
Egress  IPv4    ICMP    -   0.0.0.0/0 (CIDR)

That solved my problem, and now I can reach the VM from the qrouter.
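As an added example that is not part of the original question or answer, the following Python script does two things with the data in this thread. First it parses the GRE port options from the two ovs-vsctl outputs in the question and confirms that the tunnel endpoints mirror each other (10.0.1.21 on the network node, 10.0.1.31 on the compute node), which is the quick way to rule out the data-network suspicion. Then it models Neutron's security-group matching to show why the default group's rules drop an echo request from the qrouter while still allowing VM-to-VM pings, and how the 0.0.0.0/0 ICMP ingress rule from the answer (and a tighter alternative limited to the tenant subnet) change that. The router interface address 192.168.10.1, the VM address and the external address are assumed for illustration; the tenant subnet 192.168.10.0/24 is taken from the SNAT rule in the qrouter namespace above.

```python
"""Added example (not from the original post): check GRE tunnel symmetry from
the posted ovs-vsctl output, then model Neutron security-group semantics to
show why the default group drops ICMP from the qrouter and what the fix changes."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# --- 1. GRE tunnel symmetry -------------------------------------------------
# The GRE port stanzas copied from the ovs-vsctl output posted for each node.
NETWORK_OVS = '''
    Port "gre-0a00011f"
        Interface "gre-0a00011f"
            type: gre
            options: {df_default="true", in_key=flow, local_ip="10.0.1.21", out_key=flow, remote_ip="10.0.1.31"}
'''
COMPUTE_OVS = '''
    Port "gre-0a000115"
        Interface "gre-0a000115"
            type: gre
            options: {df_default="true", in_key=flow, local_ip="10.0.1.31", out_key=flow, remote_ip="10.0.1.21"}
'''
GRE_OPTS = re.compile(r'local_ip="([\d.]+)".*?remote_ip="([\d.]+)"')


def gre_endpoints(ovs_show: str) -> set:
    """Set of (local_ip, remote_ip) pairs for the GRE ports in `ovs-vsctl show` text."""
    return {m.groups() for m in GRE_OPTS.finditer(ovs_show)}


def tunnels_symmetric(side_a: str, side_b: str) -> bool:
    """True when every tunnel on A has its mirror image (remote, local) on B and vice versa."""
    return {(r, l) for l, r in gre_endpoints(side_a)} == gre_endpoints(side_b)


# --- 2. Security-group evaluation ------------------------------------------
@dataclass(frozen=True)
class Rule:
    direction: str                          # "ingress" or "egress", seen from the VM port
    protocol: Optional[str] = None          # None = any protocol
    remote_ip_prefix: Optional[str] = None  # CIDR the peer address must fall in
    remote_group: Optional[str] = None      # or: the peer port must belong to this group


@dataclass(frozen=True)
class Packet:
    direction: str
    protocol: str
    peer_ip: str
    peer_group: Optional[str]  # security group of the peer port, None if it has none


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction != pkt.direction:
        return False
    if rule.protocol is not None and rule.protocol != pkt.protocol:
        return False
    if rule.remote_ip_prefix is not None and \
            ipaddress.ip_address(pkt.peer_ip) not in ipaddress.ip_network(rule.remote_ip_prefix):
        return False
    if rule.remote_group is not None and rule.remote_group != pkt.peer_group:
        return False
    return True


def allowed(rules: Tuple[Rule, ...], pkt: Packet) -> bool:
    """Security groups are allow-lists: any matching rule permits, otherwise the packet is dropped."""
    return any(rule_matches(r, pkt) for r in rules)


# IPv4 rules Neutron creates in a project's "default" group: all egress, and
# ingress only from ports that are themselves members of "default".
DEFAULT_RULES = (Rule("egress"), Rule("ingress", remote_group="default"))
# The two rules the answer added.
ANSWER_RULES = DEFAULT_RULES + (Rule("ingress", "icmp", "0.0.0.0/0"),
                                Rule("egress", "icmp", "0.0.0.0/0"))
# Tighter alternative: only the tenant subnet (192.168.10.0/24, from the SNAT
# rule in the qrouter namespace) may ping the VMs.
TIGHT_RULES = DEFAULT_RULES + (Rule("ingress", "icmp", "192.168.10.0/24"),)

# Router-interface and DHCP ports carry no security group, so an echo request
# from the qrouter arrives with peer_group=None. 192.168.10.1 is an assumed
# gateway address; the post does not show it. The other addresses are assumed too.
ROUTER_PING = Packet("ingress", "icmp", "192.168.10.1", None)
VM_PING = Packet("ingress", "icmp", "192.168.10.7", "default")   # another VM in "default"
OUTSIDE_PING = Packet("ingress", "icmp", "203.0.113.9", None)    # external host via floating IP

if __name__ == "__main__":
    print("tunnels symmetric:", tunnels_symmetric(NETWORK_OVS, COMPUTE_OVS))
    for name, rules in (("default", DEFAULT_RULES), ("answer", ANSWER_RULES), ("tight", TIGHT_RULES)):
        print(f"{name:8s} router={allowed(rules, ROUTER_PING)} "
              f"vm={allowed(rules, VM_PING)} outside={allowed(rules, OUTSIDE_PING)}")
```

With the default rules the qrouter's echo request is dropped because the qr- port is not a member of the group, while a ping from another VM in the same group is allowed. The answer's 0.0.0.0/0 ingress rule fixes the qrouter case but also lets any host that can reach a VM's floating IP ping it; the tenant-subnet variant above keeps the qrouter and qdhcp reachable without opening ICMP to the outside. The egress ICMP rule in the answer is redundant, since the default group already allows all egress.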