Cannot ping an OpenStack guest VM from another machine on the provider network
I have a small OpenStack Zed setup on Ubuntu 22.04: a control host, a compute host, and one "external" host on the same networks that OpenStack uses (management and provider). All three hosts are VMs in Oracle VirtualBox (bridged networking, promiscuous mode allowed for all, nested VMs allowed).
----+----------------------+-----provider-net-----+--------------
    |                      |                      |
|---+---------------|    |---+---------------|    |---+---------------|
| eth1            |    | eth1            |    | eth1            |
| 172.30.0.101    |    | 172.30.0.102    |    | 172.30.0.109    |
|                 |    |                 |    |                 |
|                 |    | |-------------| |    |                 |
|                 |    | | guestVM     | |    |                 |
|                 |    | | FIP         | |    |                 |
|                 |    | | 172.30.0.77 | |    |                 |
|                 |    | |-------------| |    |                 |
|                 |    |                 |    | EXTERNAL        |
| OS CONTROL      |    | OS COMPUTE      |    | no OS           |
| "zoscontrol"    |    | "zoscompute1"   |    | "zostmpl"       |
|                 |    |                 |    |                 |
| 192.168.2.101   |    | 192.168.2.102   |    | 192.168.2.109   |
| eth0            |    | eth0            |    | eth0            |
|---+---------------|    |---+---------------|    |---+---------------|
    |                      |                      |
----+----------------------+------managementnet---+--------------
I can reach (ping/ssh) the guest VM from the control node via its floating IP, but I cannot reach the guest VM from the external host.
ip neigh on the external host shows the following:
root@external:~# ip neigh
...
172.30.0.77 dev eth1 FAILED
...
root@external:~#
root@control:~# openstack security group rule list default
+-------------+-----------+-----------+------------+-----------+--------------------------------------+
| IP Protocol | Ethertype | IP Range  | Port Range | Direction | Remote Security Group                |
+-------------+-----------+-----------+------------+-----------+--------------------------------------+
| None        | IPv4      | 0.0.0.0/0 |            | ingress   | a6021c94-6638-423b-b243-514df718e07b |
| None        | IPv6      | ::/0      |            | egress    | None                                 |
| icmp        | IPv4      | 0.0.0.0/0 |            | ingress   | None                                 |
| tcp         | IPv4      | 0.0.0.0/0 | 22:22      | ingress   | None                                 |
| None        | IPv4      | 0.0.0.0/0 |            | egress    | None                                 |
| None        | IPv6      | ::/0      |            | ingress   | a6021c94-6638-423b-b243-514df718e07b |
+-------------+-----------+-----------+------------+-----------+--------------------------------------+
root@control:~#
I followed the standard documentation, but it seems I am missing some routing or security setting. Any hints would be appreciated.
=========== Control configuration
root@zoscontrol:/etc/neutron# cat l3_agent.ini
[DEFAULT]
interface_driver = linuxbridge
[agent]
[network_log]
[ovs]
root@zoscontrol:/etc/neutron# cat neutron.conf
[DEFAULT]
core_plugin = ml2
service_plugins = router
transport_url = rabbit://openstack:****@zoscontrol
auth_strategy = keystone
notify_nova_on_port_status_changes = true
notify_nova_on_port_data_changes = true
[agent]
root_helper = "sudo /usr/bin/neutron-rootwrap /etc/neutron/rootwrap.conf"
[cache]
[cors]
[database]
#connection = sqlite:////var/lib/neutron/neutron.sqlite
connection = mysql+pymysql://neutron:*****@zoscontrol/neutron
[experimental]
# https://stackoverflow.com/questions/74133695/feature-linuxbridge-is-experimental
# https://docs.openstack.org/neutron/latest//admin/config-experimental-framework.html
linuxbridge = true
[healthcheck]
[ironic]
[keystone_authtoken]
www_authenticate_uri = http://zoscontrol:5000
auth_url = http://zoscontrol:5000
memcached_servers = zoscontrol:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = neutron
password = *****
[nova]
auth_url = http://zoscontrol:5000
auth_type = password
project_domain_name = default
user_domain_name = default
region_name = RegionOne
project_name = service
username = nova
password = *****
[oslo_concurrency]
lock_path = /var/lib/neutron/tmp
[oslo_messaging_amqp]
...
[ssl]
root@zoscontrol:/etc/neutron#
root@zoscontrol:/etc/neutron/plugins/ml2# cat linuxbridge_agent.ini
[DEFAULT]
[agent]
[linux_bridge]
physical_interface_mappings = provider:eth1
[network_log]
[securitygroup]
enable_security_group = true
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
[vxlan]
enable_vxlan = true
local_ip = 192.168.2.101
l2_population = true
root@zoscontrol:/etc/neutron/plugins/ml2# cat ml2_conf.ini
[DEFAULT]
[ml2]
type_drivers = flat,vlan,vxlan
tenant_network_types = vxlan
mechanism_drivers = linuxbridge,l2population
extension_drivers = port_security
[ml2_type_flat]
flat_networks = provider
[ml2_type_geneve]
[ml2_type_gre]
[ml2_type_vlan]
[ml2_type_vxlan]
vni_ranges = 1:1000
[ovs_driver]
[securitygroup]
enable_ipset = true
[sriov_driver]
root@zoscontrol:/etc/neutron/plugins/ml2#
========== compute1 configuration
root@zoscompute1:/etc/neutron# cat neutron.conf
[DEFAULT]
core_plugin = ml2
transport_url = rabbit://openstack:****@zoscontrol
auth_strategy = keystone
[agent]
root_helper = "sudo /usr/bin/neutron-rootwrap /etc/neutron/rootwrap.conf"
[cache]
[cors]
[database]
connection = sqlite:////var/lib/neutron/neutron.sqlite
[healthcheck]
[ironic]
[keystone_authtoken]
www_authenticate_uri = http://zoscontrol:5000
auth_url = http://zoscontrol:5000
memcached_servers = zoscontrol:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = neutron
password = *******
[nova]
[oslo_concurrency]
lock_path = /var/lib/neutron/tmp
[oslo_messaging_amqp]
[oslo_messaging_kafka]
[oslo_messaging_notifications]
[oslo_messaging_rabbit]
[oslo_middleware]
[oslo_policy]
[oslo_reports]
[placement]
[privsep]
[quotas]
[ssl]
root@zoscompute1:/etc/neutron#
root@zoscompute1:/etc/neutron/plugins/ml2# cat linuxbridge_agent.ini
[DEFAULT]
[agent]
[linux_bridge]
physical_interface_mappings = provider:eth1
[network_log]
[securitygroup]
enable_security_group = true
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
[vxlan]
enable_vxlan = true
local_ip = 192.168.2.102
l2_population = true
========== VM and self-service network configuration
root@zoscontrol:/etc/neutron/plugins/ml2# openstack subnet show 062b9969-8d2d-4a02-aadc-0b18c6b2f180
+----------------------+--------------------------------------+
| Field                | Value                                |
+----------------------+--------------------------------------+
| allocation_pools     | 10.10.10.2-10.10.10.99               |
| cidr                 | 10.10.10.0/24                        |
| created_at           | 2022-11-06T12:17:40Z                 |
| description          |                                      |
| dns_nameservers      |                                      |
| dns_publish_fixed_ip | None                                 |
| enable_dhcp          | True                                 |
| gateway_ip           | 10.10.10.1                           |
| host_routes          |                                      |
| id                   | 062b9969-8d2d-4a02-aadc-0b18c6b2f180 |
| ip_version           | 4                                    |
| ipv6_address_mode    | None                                 |
| ipv6_ra_mode         | None                                 |
| name                 | doznetsub                            |
| network_id           | b6b682b3-2b43-42db-90fe-9edd3722d716 |
| project_id           | 587e458aa2cf49aea5d13e4a0f0c899c     |
| revision_number      | 1                                    |
| segment_id           | None                                 |
| service_types        |                                      |
| subnetpool_id        | None                                 |
| tags                 |                                      |
| updated_at           | 2022-11-06T19:44:06Z                 |
+----------------------+--------------------------------------+
root@zoscontrol:~# openstack subnet show 0501c11f-36f2-4738-80ff-017232596de1
+----------------------+--------------------------------------+
| Field                | Value                                |
+----------------------+--------------------------------------+
| allocation_pools     | 172.30.0.1-172.30.0.99               |
| cidr                 | 172.30.0.0/24                        |
| created_at           | 2022-11-06T12:14:11Z                 |
| description          |                                      |
| dns_nameservers      | 172.30.0.254                         |
| dns_publish_fixed_ip | None                                 |
| enable_dhcp          | True                                 |
| gateway_ip           | 172.30.0.254                         |
| host_routes          |                                      |
| id                   | 0501c11f-36f2-4738-80ff-017232596de1 |
| ip_version           | 4                                    |
| ipv6_address_mode    | None                                 |
| ipv6_ra_mode         | None                                 |
| name                 | provider                             |
| network_id           | 3543a56b-a743-4bc7-b0ec-0811b1678ca0 |
| project_id           | fe07028a3944415ca0022c7082a5b4f9     |
| revision_number      | 1                                    |
| segment_id           | None                                 |
| service_types        |                                      |
| subnetpool_id        | None                                 |
| tags                 |                                      |
| updated_at           | 2022-11-06T19:52:19Z                 |
+----------------------+--------------------------------------+
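One way to check, from the material quoted above, the two things a reader would verify first: that the server-side ML2 settings and the compute agent's linuxbridge settings agree with each other, and which of the default security group's ingress rules are open to any source address (in the quoted table ICMP and TCP/22 are open from 0.0.0.0/0, so the security group does not block the ping). This is an added example, not code from the question or from Neutron; the inputs are constructed from the values quoted in the post, and the function names are illustrative assumptions.

```python
# Added example (not from the original question): cross-check the Neutron
# config and security-group table quoted in the post. Inputs are constructed
# from the quoted values; function names are illustrative assumptions.
import configparser

# Constructed: the relevant keys of ml2_conf.ini on zoscontrol.
ML2_CONF = """\
[ml2]
mechanism_drivers = linuxbridge,l2population
[ml2_type_flat]
flat_networks = provider
"""

# Constructed: linuxbridge_agent.ini as quoted for zoscompute1.
AGENT_CONF = """\
[linux_bridge]
physical_interface_mappings = provider:eth1
[securitygroup]
enable_security_group = true
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
[vxlan]
enable_vxlan = true
local_ip = 192.168.2.102
l2_population = true
"""

# Constructed: rows of `openstack security group rule list default` from the post.
SG_RULES = """\
| IP Protocol | Ethertype | IP Range  | Port Range | Direction | Remote Security Group                |
| None        | IPv4      | 0.0.0.0/0 |            | ingress   | a6021c94-6638-423b-b243-514df718e07b |
| None        | IPv6      | ::/0      |            | egress    | None                                 |
| icmp        | IPv4      | 0.0.0.0/0 |            | ingress   | None                                 |
| tcp         | IPv4      | 0.0.0.0/0 | 22:22      | ingress   | None                                 |
| None        | IPv4      | 0.0.0.0/0 |            | egress    | None                                 |
| None        | IPv6      | ::/0      |            | ingress   | a6021c94-6638-423b-b243-514df718e07b |
"""


def _parse_ini(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def _csv(value):
    return [v.strip() for v in value.split(",") if v.strip()]


def check_linuxbridge_config(ml2_text, agent_text):
    """Return findings where the ML2 server config and one agent disagree."""
    ml2, agent = _parse_ini(ml2_text), _parse_ini(agent_text)
    findings = []
    # Each flat network the server offers needs a NIC mapping on the agent,
    # otherwise the provider bridge on that host has no uplink to eth1.
    mapped = {m.split(":", 1)[0] for m in
              _csv(agent.get("linux_bridge", "physical_interface_mappings", fallback=""))}
    for net in _csv(ml2.get("ml2_type_flat", "flat_networks", fallback="")):
        if net not in mapped:
            findings.append(f"flat network '{net}' has no physical_interface_mappings entry")
    # l2population must be on at both ends or the agent never receives FDB updates.
    if ("l2population" in _csv(ml2.get("ml2", "mechanism_drivers", fallback=""))
            and not agent.getboolean("vxlan", "l2_population", fallback=False)):
        findings.append("l2population driver enabled on the server but l2_population is off on the agent")
    if (agent.getboolean("vxlan", "enable_vxlan", fallback=False)
            and not agent.get("vxlan", "local_ip", fallback="")):
        findings.append("enable_vxlan is true but local_ip is not set")
    if (agent.getboolean("securitygroup", "enable_security_group", fallback=True)
            and not agent.get("securitygroup", "firewall_driver", fallback="")):
        findings.append("security groups enabled but no firewall_driver configured")
    return findings


def parse_rule_table(text):
    """Turn the pipe-delimited CLI table into dicts, skipping the header row."""
    rules = []
    for line in text.splitlines():
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if cells[0] == "IP Protocol":
            continue
        proto, ethertype, ip_range, ports, direction, remote = cells
        rules.append({"protocol": proto, "ethertype": ethertype, "ip_range": ip_range,
                      "ports": ports, "direction": direction, "remote_group": remote})
    return rules


def world_open_ingress(rules):
    """Ingress rules reachable from any source address.

    Rules bound to a remote security group are excluded: the quoted output
    shows 0.0.0.0/0 for them too, but they only admit members of that group.
    """
    return [r for r in rules
            if r["direction"] == "ingress" and r["remote_group"] == "None"
            and r["ip_range"] in ("0.0.0.0/0", "::/0")]
```

A FAILED entry in ip neigh means no ARP reply ever came back for 172.30.0.77, and security group rules do not filter ARP at all, so the config cross-check (is the provider bridge on the compute host actually attached to eth1?) is the function to run first; the rule audit confirms that, once frames do arrive, ICMP and SSH are admitted from anywhere.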