Невозможно выполнить ping гостевой виртуальной машины Openstack с другой машины в сети провайдера.


У меня есть небольшая установка Openstack Zed на Ubuntu 22.04: управляющий хост, вычислительный хост и один «внешний» хост, подключённые к тем же сетям, которые использует Openstack (сеть управления и сеть провайдера). Все три хоста — виртуальные машины в Oracle VirtualBox (сетевой мост, неразборчивый режим (promiscuous mode) — «Разрешить всё», вложенная виртуализация включена).

----+-------------------+-----provider-net ---+--------------
    |                   |                     |
|---------------|  |----+------------|   |----+-------------|
| eth1          |  |   eth1          |   |  eth1            |
| 172.30.0.101  |  |   172.30.0.102  |   |  172.30.0.109    |
|               |  |                 |   |                  |
|               |  | |-------------| |   |                  |
|               |  | | guestVM     | |   |                  |
|               |  | | FIP         | |   |                  |
|               |  | | 172.30.0.77 | |   |                  |
|               |  | |-------------| |   |                  |
|               |  |                 |   |  EXTERNAL        |
| OS CONTROL    |  |  OS COMPUTE     |   |  no OS           |
| "zoscontrol"  |  |  "zoscompute1"  |   |  "zostmpl"       |
|               |  |                 |   |                  |
| 192.168.2.101 |  |  192.168.2.102  |   |   192.168.2.109  |
| eth0          |  |  eth0           |   |   eth0           |
|---------------|  |---+-------------|   |----+-------------|
    |                  |                     |
----+------------------+------managementnet--+--------------

Я МОГУ связаться (ping/ssh) с гостевой виртуальной машиной с управляющего узла, используя её плавающий IP. Однако я НЕ МОГУ связаться с гостевой виртуальной машиной с внешнего хоста.

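Вывод ip neigh на внешнем хосте (состояние FAILED означает, что разрешить адрес соседа не удалось, то есть на ARP-запросы для плавающего IP никто не ответил):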

root@external:~# ip neigh
...
172.30.0.77 dev eth1  FAILED
...
root@external:~#


root@control:~# openstack security group rule list default
+-------------+-----------+-----------+------------+-----------+--------------------------------------+
| IP Protocol | Ethertype | IP Range  | Port Range | Direction | Remote Security Group                |
+-------------+-----------+-----------+------------+-----------+--------------------------------------+
| None        | IPv4      | 0.0.0.0/0 |            | ingress   | a6021c94-6638-423b-b243-514df718e07b |
| None        | IPv6      | ::/0      |            | egress    | None                                 |
| icmp        | IPv4      | 0.0.0.0/0 |            | ingress   | None                                 |
| tcp         | IPv4      | 0.0.0.0/0 | 22:22      | ingress   | None                                 |
| None        | IPv4      | 0.0.0.0/0 |            | egress    | None                                 |
| None        | IPv6      | ::/0      |            | ingress   | a6021c94-6638-423b-b243-514df718e07b |
+-------------+-----------+-----------+------------+-----------+--------------------------------------+
root@control:~#

Хотя я следовал стандартной документации, полагаю, я упускаю некоторые настройки маршрутизации или безопасности?? Любые подсказки приветствуются!

========== конфигурация на управляющем узле (zoscontrol)

root@zoscontrol:/etc/neutron# cat l3_agent.ini
[DEFAULT]
interface_driver = linuxbridge
[agent]
[network_log]
[ovs]

root@zoscontrol:/etc/neutron# cat neutron.conf
[DEFAULT]
core_plugin = ml2
service_plugins = router
transport_url = rabbit://openstack:****@zoscontrol
auth_strategy = keystone
notify_nova_on_port_status_changes = true
notify_nova_on_port_data_changes = true
[agent]
root_helper = "sudo /usr/bin/neutron-rootwrap /etc/neutron/rootwrap.conf"
[cache]
[cors]
[database]
#connection = sqlite:////var/lib/neutron/neutron.sqlite
connection = mysql+pymysql://neutron:*****@zoscontrol/neutron
[experimental]
# https://stackoverflow.com/questions/74133695/feature-linuxbridge-is-experimental
# https://docs.openstack.org/neutron/latest//admin/config-experimental-framework.html
linuxbridge = true
[healthcheck]
[ironic]
[keystone_authtoken]
www_authenticate_uri = http://zoscontrol:5000
auth_url = http://zoscontrol:5000
memcached_servers = zoscontrol:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = neutron
password = *****
[nova]
auth_url = http://zoscontrol:5000
auth_type = password
project_domain_name = default
user_domain_name = default
region_name = RegionOne
project_name = service
username = nova
password = *****
[oslo_concurrency]
lock_path = /var/lib/neutron/tmp
[oslo_messaging_amqp]
...
[ssl]
root@zoscontrol:/etc/neutron#


root@zoscontrol:/etc/neutron/plugins/ml2# cat linuxbridge_agent.ini
[DEFAULT]
[agent]
[linux_bridge]
physical_interface_mappings = provider:eth1
[network_log]
[securitygroup]
enable_security_group = true
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
[vxlan]
enable_vxlan = true
local_ip = 192.168.2.101
l2_population = true

root@zoscontrol:/etc/neutron/plugins/ml2# cat ml2_conf.ini
[DEFAULT]
[ml2]
type_drivers = flat,vlan,vxlan
tenant_network_types = vxlan
mechanism_drivers = linuxbridge,l2population
extension_drivers = port_security
[ml2_type_flat]
flat_networks = provider
[ml2_type_geneve]
[ml2_type_gre]
[ml2_type_vlan]
[ml2_type_vxlan]
vni_ranges = 1:1000
[ovs_driver]
[securitygroup]
enable_ipset = true
[sriov_driver]
root@zoscontrol:/etc/neutron/plugins/ml2#

========== конфигурация на compute1

root@zoscompute1:/etc/neutron# cat neutron.conf
[DEFAULT]
core_plugin = ml2
transport_url = rabbit://openstack:****@zoscontrol
auth_strategy = keystone
[agent]
root_helper = "sudo /usr/bin/neutron-rootwrap /etc/neutron/rootwrap.conf"
[cache]
[cors]
[database]
connection = sqlite:////var/lib/neutron/neutron.sqlite
[healthcheck]
[ironic]
[keystone_authtoken]
www_authenticate_uri = http://zoscontrol:5000
auth_url = http://zoscontrol:5000
memcached_servers = zoscontrol:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = neutron
password = *******
[nova]
[oslo_concurrency]
lock_path = /var/lib/neutron/tmp
[oslo_messaging_amqp]
[oslo_messaging_kafka]
[oslo_messaging_notifications]
[oslo_messaging_rabbit]
[oslo_middleware]
[oslo_policy]
[oslo_reports]
[placement]
[privsep]
[quotas]
[ssl]
root@zoscompute1:/etc/neutron#

root@zoscompute1:/etc/neutron/plugins/ml2# cat linuxbridge_agent.ini
[DEFAULT]
[agent]
[linux_bridge]
physical_interface_mappings = provider:eth1
[network_log]
[securitygroup]
enable_security_group = true
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
[vxlan]
enable_vxlan = true
local_ip = 192.168.2.102
l2_population = true

========== конфигурация виртуальной машины и сети самообслуживания

root@zoscontrol:/etc/neutron/plugins/ml2# openstack subnet show 062b9969-8d2d-4a02-aadc-0b18c6b2f180
+----------------------+--------------------------------------+
| Field                | Value                                |
+----------------------+--------------------------------------+
| allocation_pools     | 10.10.10.2-10.10.10.99               |
| cidr                 | 10.10.10.0/24                        |
| created_at           | 2022-11-06T12:17:40Z                 |
| description          |                                      |
| dns_nameservers      |                                      |
| dns_publish_fixed_ip | None                                 |
| enable_dhcp          | True                                 |
| gateway_ip           | 10.10.10.1                           |
| host_routes          |                                      |
| id                   | 062b9969-8d2d-4a02-aadc-0b18c6b2f180 |
| ip_version           | 4                                    |
| ipv6_address_mode    | None                                 |
| ipv6_ra_mode         | None                                 |
| name                 | doznetsub                            |
| network_id           | b6b682b3-2b43-42db-90fe-9edd3722d716 |
| project_id           | 587e458aa2cf49aea5d13e4a0f0c899c     |
| revision_number      | 1                                    |
| segment_id           | None                                 |
| service_types        |                                      |
| subnetpool_id        | None                                 |
| tags                 |                                      |
| updated_at           | 2022-11-06T19:44:06Z                 |
+----------------------+--------------------------------------+

 root@zoscontrol:~# openstack subnet show 0501c11f-36f2-4738-80ff-017232596de1
+----------------------+--------------------------------------+
| Field                | Value                                |
+----------------------+--------------------------------------+
| allocation_pools     | 172.30.0.1-172.30.0.99               |
| cidr                 | 172.30.0.0/24                        |
| created_at           | 2022-11-06T12:14:11Z                 |
| description          |                                      |
| dns_nameservers      | 172.30.0.254                         |
| dns_publish_fixed_ip | None                                 |
| enable_dhcp          | True                                 |
| gateway_ip           | 172.30.0.254                         |
| host_routes          |                                      |
| id                   | 0501c11f-36f2-4738-80ff-017232596de1 |
| ip_version           | 4                                    |
| ipv6_address_mode    | None                                 |
| ipv6_ra_mode         | None                                 |
| name                 | provider                             |
| network_id           | 3543a56b-a743-4bc7-b0ec-0811b1678ca0 |
| project_id           | fe07028a3944415ca0022c7082a5b4f9     |
| revision_number      | 1                                    |
| segment_id           | None                                 |
| service_types        |                                      |
| subnetpool_id        | None                                 |
| tags                 |                                      |
| updated_at           | 2022-11-06T19:52:19Z                 |
+----------------------+--------------------------------------+
