Eu tenho uma configuração muito semelhante, então mostrarei minha configuração, talvez isso ajude você.
Todos os nós são implantados com maas e juju e cada nó tem duas interfaces:
- eth0 - wake on lan, inicialização na lan, rede maas - 10.5.0.0/16, gw 10.5.0.1
- eth1 - rede externa da empresa - 172.16.62.0/24 gw 172.16.62.254
Instalei o Openstack com a ajuda dos guias de árvore
-
h20564.www2.hp.com/hpsc/doc/public/display?docId=c04330703 (Eu não posso colá-lo como um link, por causa da minha baixa reputação do askubuntu)
Minha configuração de rede em nós normais:
#/etc/network/interfaces
auto lo
auto eth0
iface eth0 inet manual
auto juju-br0
iface juju-br0 inet dhcp
bridge_ports eth0
auto eth1
iface eth1 inet static
address 172.16.62.10
netmask 255.255.255.0
#gateway commented
#gateway 172.16.62.254
$route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.5.0.1 0.0.0.0 UG 0 0 0 juju-br0
10.5.0.0 0.0.0.0 255.255.0.0 U 0 0 0 juju-br0
172.16.62.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
no nó de nêutrons de rede (quantum):
#/etc/network/interfaces
auto lo
auto eth0
iface eth0 inet manual
auto juju-br0
iface juju-br0 inet dhcp
bridge_ports eth0
auto eth1
iface eth1 inet manual
up ip link set dev $IFACE up
down ip link set dev $IFACE down
$ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.5.0.1 0.0.0.0 UG 0 0 0 juju-br0
10.5.0.0 0.0.0.0 255.255.0.0 U 0 0 0 juju-br0
na rede eu também editei /etc/sysctl.conf e descomentei estas linhas
net.ipv4.ip_forward=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
depois repita as alterações
# sysctl -p
Depois de inscrever os nós no maas, começo a implementar os encantos do juju Openstack.
Configuração de pilha aberta pós-instalação via Horizon:
Como Admin eu fiz:
- faça upload da imagem do cirros,
- crie um novo inquilino e usuário
- crie uma nova rede externa na minha empresa, 172.16.62.192/26, mas de uma maneira que não se sobreponha ao pull normal do endereço dhcp, que é 172.16.62.10 - 172.16.62.100
- crie o roteador e defina o gatway para a rede externa
Como usuário eu fiz:
- crie uma nova rede privada 192.168.0.1
- adicionar nova interface ao roteador (criada nas etapas anteriores)
- inicializar nova instância
- altere o grupo de segurança padrão e permita conexões ICMP (ping) e ssh
A configuração de rede pós-implantação é semelhante a esta:
#list of ovs ports
ubuntu@fair-stone:~$ sudo ovs-vsctl show
b4a92be0-56d3-4cd5-b113-9657c21daf8a
Bridge br-ex
Port br-ex
Interface br-ex
type: internal
Port "tapf199827f-4f" #interface appears after creation new
Interface "tapf199827f-4f"
Port "eth1"
Interface "eth1"
Bridge br-tun
Port br-tun
Interface br-tun
type: internal
Port "gre-0a050104"
Interface "gre-0a050104"
type: gre
options: {in_key=flow, local_ip="10.5.1.1", out_key=flow, remote_ip="10.5.1.4"}
Port patch-int
Interface patch-int
type: patch
options: {peer=patch-tun}
Bridge br-int
fail_mode: secure
Port patch-tun
Interface patch-tun
type: patch
options: {peer=patch-int}
Port "tap08438cff-fc"
tag: 1
Interface "tap08438cff-fc"
Port "tap592b1f29-da"
tag: 1
Interface "tap592b1f29-da"
Port br-int
Interface br-int
type: internal
ovs_version: "2.0.2"
Espaços de nomes de rede
ubuntu@fair-stone:~$ ip netns list
qdhcp-9d699ab8-940b-478e-ac98-ba3fd38e5d9d
qrouter-a2e0f664-e969-4df1-a2df-16adfbe82cf3
Lista de interfaces no namespace qrouter-xxx
ubuntu@fair-stone:~$ sudo ip netns exec qrouter-a2e0f664-e969-4df1-a2df-16adfbe82cf3 ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: qr-08438cff-fc: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether fa:16:3e:61:dd:b7 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.1/24 brd 192.168.0.255 scope global qr-08438cff-fc
valid_lft forever preferred_lft forever
inet6 fe80::f816:3eff:fe61:ddb7/64 scope link
valid_lft forever preferred_lft forever
3: qg-f199827f-4f: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether fa:16:3e:1b:c3:d7 brd ff:ff:ff:ff:ff:ff
inet 172.16.62.193/26 brd 172.16.62.255 scope global qg-f199827f-4f #router interface
valid_lft forever preferred_lft forever
inet 172.16.62.194/32 brd 172.16.62.194 scope global qg-f199827f-4f #instance floating ip addres
valid_lft forever preferred_lft forever
inet6 fe80::f816:3eff:fe1b:c3d7/64 scope link
valid_lft forever preferred_lft forever
Tabela de roteamento no namespace qrouter-xxxx
ubuntu@fair-stone:~$ sudo ip netns exec qrouter-a2e0f664-e969-4df1-a2df-16adfbe82cf3 ip r
default via 172.16.62.254 dev qg-f199827f-4f
172.16.62.192/26 dev qg-f199827f-4f proto kernel scope link src 172.16.62.193
192.168.0.0/24 dev qr-08438cff-fc proto kernel scope link src 192.168.0.1
Iptables no namespace qrouter-xxx
ubuntu@fair-stone:~$ sudo ip netns exec qrouter-a2e0f664-e969-4df1-a2df-16adfbe82cf3 iptables -t nat -L -nv
Chain PREROUTING (policy ACCEPT 1721 packets, 628K bytes)
pkts bytes target prot opt in out source destination
1848 635K neutron-vpn-agen-PREROUTING all -- * * 0.0.0.0/0 0.0.0.0/0
Chain INPUT (policy ACCEPT 908 packets, 372K bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 8 packets, 542 bytes)
pkts bytes target prot opt in out source destination
8 542 neutron-vpn-agen-OUTPUT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 98 packets, 6014 bytes)
pkts bytes target prot opt in out source destination
108 6773 neutron-vpn-agen-POSTROUTING all -- * * 0.0.0.0/0 0.0.0.0/0
104 6485 neutron-postrouting-bottom all -- * * 0.0.0.0/0 0.0.0.0/0
Chain neutron-postrouting-bottom (1 references)
pkts bytes target prot opt in out source destination
104 6485 neutron-vpn-agen-snat all -- * * 0.0.0.0/0 0.0.0.0/0
Chain neutron-vpn-agen-OUTPUT (1 references)
pkts bytes target prot opt in out source destination
0 0 DNAT all -- * * 0.0.0.0/0 172.16.62.194 to:192.168.0.3
Chain neutron-vpn-agen-POSTROUTING (1 references)
pkts bytes target prot opt in out source destination
4 288 ACCEPT all -- !qg-f199827f-4f !qg-f199827f-4f 0.0.0.0/0 0.0.0.0/0 ! ctstate DNAT
Chain neutron-vpn-agen-PREROUTING (1 references)
pkts bytes target prot opt in out source destination
15 900 REDIRECT tcp -- * * 0.0.0.0/0 169.254.169.254 tcp dpt:80 redir ports 9697
97 5940 DNAT all -- * * 0.0.0.0/0 172.16.62.194 to:192.168.0.3
Chain neutron-vpn-agen-float-snat (1 references)
pkts bytes target prot opt in out source destination
6 471 SNAT all -- * * 192.168.0.3 0.0.0.0/0 to:172.16.62.194
Chain neutron-vpn-agen-snat (1 references)
pkts bytes target prot opt in out source destination
104 6485 neutron-vpn-agen-float-snat all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 SNAT all -- * * 192.168.0.0/24 0.0.0.0/0 to:172.16.62.193
Regras nat do IPtables no namespace qrouter-xxx
ubuntu@fair-stone:~$ sudo ip netns exec qrouter-a2e0f664-e969-4df1-a2df-16adfbe82cf3 iptables -S -t nat
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N neutron-postrouting-bottom
-N neutron-vpn-agen-OUTPUT
-N neutron-vpn-agen-POSTROUTING
-N neutron-vpn-agen-PREROUTING
-N neutron-vpn-agen-float-snat
-N neutron-vpn-agen-snat
-A PREROUTING -j neutron-vpn-agen-PREROUTING
-A OUTPUT -j neutron-vpn-agen-OUTPUT
-A POSTROUTING -j neutron-vpn-agen-POSTROUTING
-A POSTROUTING -j neutron-postrouting-bottom
-A neutron-postrouting-bottom -j neutron-vpn-agen-snat
-A neutron-vpn-agen-OUTPUT -d 172.16.62.194/32 -j DNAT --to-destination 192.168.0.3
-A neutron-vpn-agen-POSTROUTING ! -i qg-f199827f-4f ! -o qg-f199827f-4f -m conntrack ! --ctstate DNAT -j ACCEPT
-A neutron-vpn-agen-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697
-A neutron-vpn-agen-PREROUTING -d 172.16.62.194/32 -j DNAT --to-destination 192.168.0.3
-A neutron-vpn-agen-float-snat -s 192.168.0.3/32 -j SNAT --to-source 172.16.62.194
-A neutron-vpn-agen-snat -j neutron-vpn-agen-float-snat
-A neutron-vpn-agen-snat -s 192.168.0.0/24 -j SNAT --to-source 172.16.62.193