The OpenStack guest VM cannot be pinged from another computer in the provider network.

I have a small setup of OpenStack Zed on Ubuntu 22.04: one control host, one compute host and one "external" host in the same networks that OpenStack also uses (management and provider). The 3 hosts are VMs in Oracle VirtualBox (bridged networking, promiscuous mode allowed for all, nested VMs allowed).

----+-------------------+-----provider-net ---+--------------
    |                   |                     |
|---------------|  |----+------------|   |----+-------------|
| eth1          |  |   eth1          |   |  eth1            |
| 172.30.0.101  |  |   172.30.0.102  |   |  172.30.0.109    |
|               |  |                 |   |                  |
|               |  | |-------------| |   |                  |
|               |  | | guestVM     | |   |                  |
|               |  | | FIP         | |   |                  |
|               |  | | 172.30.0.77 | |   |                  |
|               |  | |-------------| |   |                  |
|               |  |                 |   |  EXTERNAL        |
| OS CONTROL    |  |  OS COMPUTE     |   |  no OS           |
| "zoscontrol"  |  |  "zoscompute1"  |   |  "zostmpl"       |
|               |  |                 |   |                  |
| 192.168.2.101 |  |  192.168.2.102  |   |   192.168.2.109  |
| eth0          |  |  eth0           |   |   eth0           |
|---------------|  |---+-------------|   |----+-------------|
    |                  |                     |
----+------------------+------managementnet--+--------------

I CAN reach the guest VM from the control node via its floating IP (ping/SSH). However, I CANNOT reach the guest VM from the external host.

The IP neighbour table says:

root@external:~# ip neigh
...
172.30.0.77 dev eth1  FAILED
...
root@external:~#


root@control:~# openstack security group rule list default
+-------------+-----------+-----------+------------+-----------+--------------------------------------+
| IP Protocol | Ethertype | IP Range  | Port Range | Direction | Remote Security Group                |
+-------------+-----------+-----------+------------+-----------+--------------------------------------+
| None        | IPv4      | 0.0.0.0/0 |            | ingress   | a6021c94-6638-423b-b243-514df718e07b |
| None        | IPv6      | ::/0      |            | egress    | None                                 |
| icmp        | IPv4      | 0.0.0.0/0 |            | ingress   | None                                 |
| tcp         | IPv4      | 0.0.0.0/0 | 22:22      | ingress   | None                                 |
| None        | IPv4      | 0.0.0.0/0 |            | egress    | None                                 |
| None        | IPv6      | ::/0      |            | ingress   | a6021c94-6638-423b-b243-514df718e07b |
+-------------+-----------+-----------+------------+-----------+--------------------------------------+
root@control:~#

Although I followed the standard documentation, I am apparently missing some routing or security settings? I'd be grateful for any hints!

========== Configuration on control

root@zoscontrol:/etc/neutron# cat l3_agent.ini
[DEFAULT]
interface_driver = linuxbridge
[agent]
[network_log]
[ovs]

root@zoscontrol:/etc/neutron# cat neutron.conf
[DEFAULT]
core_plugin = ml2
service_plugins = router
transport_url = rabbit://openstack:****@zoscontrol
auth_strategy = keystone
notify_nova_on_port_status_changes = true
notify_nova_on_port_data_changes = true
[agent]
root_helper = "sudo /usr/bin/neutron-rootwrap /etc/neutron/rootwrap.conf"
[cache]
[cors]
[database]
#connection = sqlite:////var/lib/neutron/neutron.sqlite
connection = mysql+pymysql://neutron:*****@zoscontrol/neutron
[experimental]
# https://stackoverflow.com/questions/74133695/feature-linuxbridge-is-experimental
# https://docs.openstack.org/neutron/latest//admin/config-experimental-framework.html
linuxbridge = true
[healthcheck]
[ironic]
[keystone_authtoken]
www_authenticate_uri = http://zoscontrol:5000
auth_url = http://zoscontrol:5000
memcached_servers = zoscontrol:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = neutron
password = *****
[nova]
auth_url = http://zoscontrol:5000
auth_type = password
project_domain_name = default
user_domain_name = default
region_name = RegionOne
project_name = service
username = nova
password = *****
[oslo_concurrency]
lock_path = /var/lib/neutron/tmp
[oslo_messaging_amqp]
...
[ssl]
root@zoscontrol:/etc/neutron#


root@zoscontrol:/etc/neutron/plugins/ml2# cat linuxbridge_agent.ini
[DEFAULT]
[agent]
[linux_bridge]
physical_interface_mappings = provider:eth1
[network_log]
[securitygroup]
enable_security_group = true
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
[vxlan]
enable_vxlan = true
local_ip = 192.168.2.101
l2_population = true

root@zoscontrol:/etc/neutron/plugins/ml2# cat ml2_conf.ini
[DEFAULT]
[ml2]
type_drivers = flat,vlan,vxlan
tenant_network_types = vxlan
mechanism_drivers = linuxbridge,l2population
extension_drivers = port_security
[ml2_type_flat]
flat_networks = provider
[ml2_type_geneve]
[ml2_type_gre]
[ml2_type_vlan]
[ml2_type_vxlan]
vni_ranges = 1:1000
[ovs_driver]
[securitygroup]
enable_ipset = true
[sriov_driver]
root@zoscontrol:/etc/neutron/plugins/ml2#

========== Configuration on compute1

root@zoscompute1:/etc/neutron# cat neutron.conf
[DEFAULT]
core_plugin = ml2
transport_url = rabbit://openstack:****@zoscontrol
auth_strategy = keystone
[agent]
root_helper = "sudo /usr/bin/neutron-rootwrap /etc/neutron/rootwrap.conf"
[cache]
[cors]
[database]
connection = sqlite:////var/lib/neutron/neutron.sqlite
[healthcheck]
[ironic]
[keystone_authtoken]
www_authenticate_uri = http://zoscontrol:5000
auth_url = http://zoscontrol:5000
memcached_servers = zoscontrol:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = neutron
password = *******
[nova]
[oslo_concurrency]
lock_path = /var/lib/neutron/tmp
[oslo_messaging_amqp]
[oslo_messaging_kafka]
[oslo_messaging_notifications]
[oslo_messaging_rabbit]
[oslo_middleware]
[oslo_policy]
[oslo_reports]
[placement]
[privsep]
[quotas]
[ssl]
root@zoscompute1:/etc/neutron#

root@zoscompute1:/etc/neutron/plugins/ml2# cat linuxbridge_agent.ini
[DEFAULT]
[agent]
[linux_bridge]
physical_interface_mappings = provider:eth1
[network_log]
[securitygroup]
enable_security_group = true
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
[vxlan]
enable_vxlan = true
local_ip = 192.168.2.102
l2_population = true

========== Configuration of the VM and the self-service network

root@zoscontrol:/etc/neutron/plugins/ml2# openstack subnet show 062b9969-8d2d-4a02-aadc-0b18c6b2f180
+----------------------+--------------------------------------+
| Field                | Value                                |
+----------------------+--------------------------------------+
| allocation_pools     | 10.10.10.2-10.10.10.99               |
| cidr                 | 10.10.10.0/24                        |
| created_at           | 2022-11-06T12:17:40Z                 |
| description          |                                      |
| dns_nameservers      |                                      |
| dns_publish_fixed_ip | None                                 |
| enable_dhcp          | True                                 |
| gateway_ip           | 10.10.10.1                           |
| host_routes          |                                      |
| id                   | 062b9969-8d2d-4a02-aadc-0b18c6b2f180 |
| ip_version           | 4                                    |
| ipv6_address_mode    | None                                 |
| ipv6_ra_mode         | None                                 |
| name                 | doznetsub                            |
| network_id           | b6b682b3-2b43-42db-90fe-9edd3722d716 |
| project_id           | 587e458aa2cf49aea5d13e4a0f0c899c     |
| revision_number      | 1                                    |
| segment_id           | None                                 |
| service_types        |                                      |
| subnetpool_id        | None                                 |
| tags                 |                                      |
| updated_at           | 2022-11-06T19:44:06Z                 |
+----------------------+--------------------------------------+

root@zoscontrol:~# openstack subnet show 0501c11f-36f2-4738-80ff-017232596de1
+----------------------+--------------------------------------+
| Field                | Value                                |
+----------------------+--------------------------------------+
| allocation_pools     | 172.30.0.1-172.30.0.99               |
| cidr                 | 172.30.0.0/24                        |
| created_at           | 2022-11-06T12:14:11Z                 |
| description          |                                      |
| dns_nameservers      | 172.30.0.254                         |
| dns_publish_fixed_ip | None                                 |
| enable_dhcp          | True                                 |
| gateway_ip           | 172.30.0.254                         |
| host_routes          |                                      |
| id                   | 0501c11f-36f2-4738-80ff-017232596de1 |
| ip_version           | 4                                    |
| ipv6_address_mode    | None                                 |
| ipv6_ra_mode         | None                                 |
| name                 | provider                             |
| network_id           | 3543a56b-a743-4bc7-b0ec-0811b1678ca0 |
| project_id           | fe07028a3944415ca0022c7082a5b4f9     |
| revision_number      | 1                                    |
| segment_id           | None                                 |
| service_types        |                                      |
| subnetpool_id        | None                                 |
| tags                 |                                      |
| updated_at           | 2022-11-06T19:52:19Z                 |
+----------------------+--------------------------------------+
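
The two outputs quoted in the question, `ip neigh` on the external host and the `openstack security group rule list` table, can be checked mechanically. The script below is an added example and not part of the original post: it parses both formats (the sample text is constructed from the values shown in the question) and separates the layer-2 symptom, an unresolved ARP entry for the floating IP, from the security-group side, where it checks whether ICMP and TCP/22 ingress from any address is actually admitted. Rules that name a remote security group only admit members of that group, so they are deliberately not counted as admitting an outside host. All function and variable names are the example's own.

```python
"""Triage the two outputs from the question: `ip neigh` and the security-group
rule table. Added example; all names here are the example's own."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the `ip neigh` line from the question plus two healthy entries.
IP_NEIGH_SAMPLE = """\
172.30.0.77 dev eth1  FAILED
172.30.0.101 dev eth1 lladdr 08:00:27:aa:bb:cc REACHABLE
192.168.2.101 dev eth0 lladdr 08:00:27:dd:ee:ff STALE
"""

# Constructed sample: the security-group table from the question, as the CLI prints it.
SG_TABLE_SAMPLE = """\
+-------------+-----------+-----------+------------+-----------+--------------------------------------+
| IP Protocol | Ethertype | IP Range  | Port Range | Direction | Remote Security Group                |
+-------------+-----------+-----------+------------+-----------+--------------------------------------+
| None        | IPv4      | 0.0.0.0/0 |            | ingress   | a6021c94-6638-423b-b243-514df718e07b |
| None        | IPv6      | ::/0      |            | egress    | None                                 |
| icmp        | IPv4      | 0.0.0.0/0 |            | ingress   | None                                 |
| tcp         | IPv4      | 0.0.0.0/0 | 22:22      | ingress   | None                                 |
| None        | IPv4      | 0.0.0.0/0 |            | egress    | None                                 |
| None        | IPv6      | ::/0      |            | ingress   | a6021c94-6638-423b-b243-514df718e07b |
+-------------+-----------+-----------+------------+-----------+--------------------------------------+
"""

# <ip> dev <ifname> [lladdr <mac>] <STATE>  (a FAILED entry has no lladdr)
NEIGH_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+(?P<dev>\S+)(?:\s+lladdr\s+(?P<mac>\S+))?\s+(?P<state>[A-Z]+)$"
)


@dataclass
class Neighbour:
    ip: str
    dev: str
    mac: Optional[str]
    state: str


def parse_ip_neigh(text: str) -> List[Neighbour]:
    """Parse `ip neigh` output; lines that do not match (such as "...") are skipped."""
    out = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            out.append(Neighbour(m["ip"], m["dev"], m["mac"], m["state"]))
    return out


def parse_cli_table(text: str) -> List[Dict[str, str]]:
    """Parse an openstack-client ASCII table into one dict per row, keyed by header."""
    header, rows = None, []
    for line in text.splitlines():
        if not line.startswith("|"):
            continue  # +----+ separators, prompts, blank lines
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if header is None:
            header = cells
        else:
            rows.append(dict(zip(header, cells)))
    return rows


def port_in_range(port_range: str, port: Optional[int]) -> bool:
    """'' means all ports; '22:22' is the inclusive range 22..22."""
    if port is None or port_range == "":
        return True
    lo, _, hi = port_range.partition(":")
    return int(lo) <= port <= int(hi or lo)


def ingress_allows(rules, protocol: str, port: Optional[int] = None, ethertype: str = "IPv4") -> bool:
    """True if an ingress rule admits `protocol` (and `port`) from any source address.
    Rules with a Remote Security Group only admit member ports, so they are skipped."""
    for r in rules:
        if r["Direction"] != "ingress" or r["Ethertype"] != ethertype:
            continue
        if r["Remote Security Group"] != "None":
            continue
        if r["IP Protocol"] not in (protocol, "None"):
            continue
        if r["IP Range"] not in ("0.0.0.0/0", ""):
            continue
        if port_in_range(r["Port Range"], port):
            return True
    return False


def triage(neigh_text: str, sg_text: str, floating_ip: str, dev: str) -> List[str]:
    """Return findings as strings; an empty list means neither check flagged anything."""
    findings = []
    entry = next((n for n in parse_ip_neigh(neigh_text) if n.ip == floating_ip and n.dev == dev), None)
    if entry is None:
        findings.append(f"no neighbour entry for {floating_ip} on {dev}")
    elif entry.mac is None or entry.state in ("FAILED", "INCOMPLETE"):
        findings.append(f"ARP for {floating_ip} on {dev} unresolved (state {entry.state}): "
                        "no ARP reply was received, which security-group rules do not control")
    rules = parse_cli_table(sg_text)
    if not ingress_allows(rules, "icmp"):
        findings.append("no ICMP ingress rule from 0.0.0.0/0 in the security group")
    if not ingress_allows(rules, "tcp", port=22):
        findings.append("no TCP/22 ingress rule from 0.0.0.0/0 in the security group")
    return findings


if __name__ == "__main__":
    for finding in triage(IP_NEIGH_SAMPLE, SG_TABLE_SAMPLE, "172.30.0.77", "eth1"):
        print("-", finding)
```

Run against the question's data, the script reports only the unresolved ARP entry: the ICMP and TCP/22 rules are present and open to 0.0.0.0/0, so the security group is not what blocks the ping from the external host.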
