Verifying HOS DVR North-South Floating IP Traffic Flow (3 of 4)
2015-11-25
Machine-translated — the English original is authoritative.
Neutron DVR North-South Floating IP Address Traffic Flow
Check whether there are any free floating IP addresses
nova floating-ip-list
root@overcloud-ce-controller-controller0-dlmy4f5tbc5d:~# nova floating-ip-list
+----+-----------+----------+------+
| Ip | Server Id | Fixed Ip | Pool |
+----+-----------+----------+------+
+----+-----------+----------+------+
[Note: if no floating IPs are available, create some]
nova floating-ip-create
nova floating-ip-create ext-net
root@overcloud-ce-controller-controller0-dlmy4f5tbc5d:~# nova floating-ip-create ext-net
+--------------+-----------+----------+---------+
| Ip | Server Id | Fixed Ip | Pool|
+--------------+-----------+----------+---------+
| 10.254.27.48 | - | - | ext-net |
+--------------+-----------+----------+---------+
nova floating-ip-associate
nova floating-ip-associate 374b3e1c-0e89-4481-b9dd-a9a420a498e1 10.254.27.48
root@overcloud-ce-controller-controller0-dlmy4f5tbc5d:~# nova floating-ip-associate 374b3e1c-0e89-4481-b9dd-a9a420a498e1 10.254.27.48
root@overcloud-ce-controller-controller0-dlmy4f5tbc5d:~#
nova show
root@overcloud-ce-controller-controller0-dlmy4f5tbc5d:~# nova show 374b3e1c-0e89-4481-b9dd-a9a420a498e1
+--------------------------------------+--------------------------------------------------------------------------+
| Property | Value|
+--------------------------------------+--------------------------------------------------------------------------+
| HPinternal network | 10.0.0.5, 10.254.27.48 |
| OS-EXT-AZ:availability_zone | nova |
| OS-EXT-SRV-ATTR:host | overcloud-ce-novacompute1-novacompute1-tpodwp2ljbhw |
| OS-EXT-SRV-ATTR:hypervisor_hostname | overcloud-ce-novacompute1-novacompute1-tpodwp2ljbhw.novalocal|
| OS-EXT-SRV-ATTR:instance_name | instance-00000084|
| OS-EXT-STS:power_state | 1|
| OS-EXT-STS:task_state | -|
| OS-EXT-STS:vm_state | active |
| OS-SRV-USG:launched_at | 2015-11-23T10:06:14.000000 |
| OS-SRV-USG:terminated_at | -|
| accessIPv4 | |
| accessIPv6 | |
| config_drive | |
| created | 2015-11-23T10:05:35Z |
| flavor | m1.tiny (1) |
| hostId | 528ae3e885715e8a63ee541508e197b78e24fd194b4f0da6af44edb6 |
| id | 374b3e1c-0e89-4481-b9dd-a9a420a498e1 |
| image | debian-wheezy-amd64-20140929-disk (1cb50c3f-4606-4e94-b85f-1d323f6a70fd) |
| key_name | pilot-key|
| metadata | {} |
| name | HPdemo-instance1 |
| os-extended-volumes:volumes_attached | [] |
| progress | 0|
| security_groups | default |
| status | ACTIVE |
| tenant_id | 3935f5d20d2848b69324bb8bd75a0389 |
| updated | 2015-11-23T10:06:14Z |
| user_id | 86fe8295656d495db6b06c57274adbf2 |
+--------------------------------------+--------------------------------------------------------------------------+
Verify Network Namespaces
ip netns
root@overcloud-ce-novacompute1-novacompute1-tpodwp2ljbhw:~# ip netns
fip-35510045-decf-491e-9990-87a3f77f0284
qrouter-8c8a0159-2b37-4fae-93e9-b302a9d59573
qrouter-6903d563-80f4-40b0-ba77-8774a915a323
qrouter-8497d1cb-c2fa-46a5-9e42-1bfceb810204
qrouter-64b856f2-00a7-4e2f-8abd-aa34ab454c34
ip netns exec
ip netns exec qrouter-8c8a0159-2b37-4fae-93e9-b302a9d59573 ip a | grep "inet "
root@overcloud-ce-novacompute1-novacompute1-tpodwp2ljbhw:~# ip netns exec qrouter-8c8a0159-2b37-4fae-93e9-b302a9d59573 ip a | grep "inet "
inet 127.0.0.1/8 scope host lo
inet 169.254.31.28/31 scope global rfp-8c8a0159-2
inet 10.254.27.48/32 brd 10.254.27.48 scope global rfp-8c8a0159-2
inet 10.0.0.1/24 brd 10.0.0.255 scope global qr-2202c460-bb
ip netns exec
ip netns exec qrouter-8c8a0159-2b37-4fae-93e9-b302a9d59573 iptables-save -t nat | grep "^-A" | grep l3-agent
root@overcloud-ce-novacompute1-novacompute1-tpodwp2ljbhw:~# ip netns exec qrouter-8c8a0159-2b37-4fae-93e9-b302a9d59573 iptables-save -t nat | grep "^-A"|grep l3-agent
-A PREROUTING -j neutron-l3-agent-PREROUTING
-A OUTPUT -j neutron-l3-agent-OUTPUT
-A POSTROUTING -j neutron-l3-agent-POSTROUTING
-A neutron-l3-agent-OUTPUT -d 10.254.27.48/32 -j DNAT --to-destination 10.0.0.5
-A neutron-l3-agent-POSTROUTING ! -i rfp-8c8a0159-2 ! -o rfp-8c8a0159-2 -m conntrack ! --ctstate DNAT -j ACCEPT
-A neutron-l3-agent-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697
-A neutron-l3-agent-PREROUTING -d 10.254.27.48/32 -j DNAT --to-destination 10.0.0.5
-A neutron-l3-agent-float-snat -s 10.0.0.5/32 -j SNAT --to-source 10.254.27.48
-A neutron-l3-agent-snat -j neutron-l3-agent-float-snat
-A neutron-postrouting-bottom -j neutron-l3-agent-snat
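The NAT output above holds a matched set for the floating IP: a DNAT to the fixed IP in both the PREROUTING and OUTPUT chains, and an SNAT from that fixed IP back to the floating IP. The following is an added example, not part of the original post, that checks this pairing over saved rules and flags any floating IP whose mapping is one-sided. The function names and the 192.0.2.10 rule are constructed for illustration.

```shell
# Added example (not from the original post): audit floating-IP NAT rules taken
# from `ip netns exec qrouter-<id> iptables-save -t nat`, read on stdin.

fip_nat_audit() {
  awk '
    # Value that follows option `opt` on the current rule line, or "".
    function arg(opt,   i) {
      for (i = 1; i < NF; i++) if ($i == opt) return $(i + 1)
      return ""
    }
    function show(x) { return x == "" ? "-" : x }
    function bare(x) { sub(/\/32$/, "", x); return x }

    # Inbound translation: floating IP -> fixed IP (PREROUTING and OUTPUT).
    $1 == "-A" && arg("-j") == "DNAT" {
      fip = bare(arg("-d")); seen[fip] = 1
      if ($2 == "neutron-l3-agent-PREROUTING") pre[fip] = arg("--to-destination")
      if ($2 == "neutron-l3-agent-OUTPUT")     out[fip] = arg("--to-destination")
    }
    # Outbound translation: fixed IP -> floating IP.
    $1 == "-A" && $2 == "neutron-l3-agent-float-snat" && arg("-j") == "SNAT" {
      fip = arg("--to-source"); seen[fip] = 1
      snat[fip] = bare(arg("-s"))
    }
    END {
      for (fip in seen) {
        if (pre[fip] != "" && pre[fip] == out[fip] && pre[fip] == snat[fip])
          printf "OK %s <-> %s\n", fip, pre[fip]
        else
          printf "MISMATCH %s prerouting=%s output=%s snat=%s\n", fip, show(pre[fip]), show(out[fip]), show(snat[fip])
      }
    }
  ' | LC_ALL=C sort
}

# Sample input: the first four rules are from the output above; the last rule
# is constructed (documentation address) to model a leftover one-sided mapping.
sample_rules() {
  cat <<'EOF'
-A neutron-l3-agent-OUTPUT -d 10.254.27.48/32 -j DNAT --to-destination 10.0.0.5
-A neutron-l3-agent-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697
-A neutron-l3-agent-PREROUTING -d 10.254.27.48/32 -j DNAT --to-destination 10.0.0.5
-A neutron-l3-agent-float-snat -s 10.0.0.5/32 -j SNAT --to-source 10.254.27.48
-A neutron-l3-agent-PREROUTING -d 192.0.2.10/32 -j DNAT --to-destination 10.0.0.9
EOF
}

sample_rules | fip_nat_audit
```

On a compute node the same function can be fed live rules by piping the `iptables-save -t nat` command shown above into `fip_nat_audit`.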
ip netns exec
ip netns exec fip-35510045-decf-491e-9990-87a3f77f0284 ip a | grep "inet "
root@overcloud-ce-novacompute1-novacompute1-tpodwp2ljbhw:~# ip netns exec fip-35510045-decf-491e-9990-87a3f77f0284 ip a | grep "inet "
inet 127.0.0.1/8 scope host lo
inet 169.254.31.29/31 scope global fpr-8c8a0159-2
inet 10.254.27.49/24 brd 10.254.27.255 scope global fg-9da149e3-be
ip netns exec
ip netns exec qrouter-8c8a0159-2b37-4fae-93e9-b302a9d59573 ip rule ls
root@overcloud-ce-novacompute1-novacompute1-tpodwp2ljbhw:~# ip netns exec qrouter-8c8a0159-2b37-4fae-93e9-b302a9d59573 ip rule ls
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
32768: from 10.0.0.5 lookup 16
167772161: from 10.0.0.1/24 lookup 167772161
167772161: from 10.0.0.1/24 lookup 167772161
ip netns exec
ip netns exec qrouter-8c8a0159-2b37-4fae-93e9-b302a9d59573 ip route show table 167772161
root@overcloud-ce-novacompute1-novacompute1-tpodwp2ljbhw:~# ip netns exec qrouter-8c8a0159-2b37-4fae-93e9-b302a9d59573 ip route show table 167772161
default via 10.0.0.4 dev qr-2202c460-bb
ip netns exec
ip netns exec fip-35510045-decf-491e-9990-87a3f77f0284 ip route
root@overcloud-ce-novacompute1-novacompute1-tpodwp2ljbhw:~# ip netns exec fip-35510045-decf-491e-9990-87a3f77f0284 ip route
default via 10.254.27.1 dev fg-9da149e3-be
10.254.27.0/24 dev fg-9da149e3-be proto kernel scope link src 10.254.27.49
10.254.27.48 via 169.254.31.28 dev fpr-8c8a0159-2
169.254.31.28/31 dev fpr-8c8a0159-2 proto kernel scope link src 169.254.31.29
Both ping and SSH will fail because of the default OpenStack security group configuration.
Adding the appropriate rules for ICMP and SSH allows the traffic to flow through the firewall.
Ping the gateway from the instance
debian@hpdemo-instance1:~$ ping 10.254.27.49
PING 10.254.27.49 (10.254.27.49) 56(84) bytes of data.
64 bytes from 10.254.27.49: icmp_req=1 ttl=63 time=0.252 ms
64 bytes from 10.254.27.49: icmp_req=2 ttl=63 time=0.295 ms
64 bytes from 10.254.27.49: icmp_req=3 ttl=63 time=0.280 ms
64 bytes from 10.254.27.49: icmp_req=4 ttl=63 time=0.271 ms
64 bytes from 10.254.27.49: icmp_req=5 ttl=63 time=0.278 ms
^C
--- 10.254.27.49 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 3998ms
rtt min/avg/max/mdev = 0.252/0.275/0.295/0.017 ms
Originally published on allthingscloud.eu (2015-11-25).


