DHCP reply packets don't make it into KVM instance in OpenStack

3

I'm running a KVM instance inside OpenStack, and it isn't getting an IP address from the DHCP server.

Using tcpdump, I can see the request and reply packets on vnet0 of the compute host:

# tcpdump -i vnet0 -n port 67 or port 68
tcpdump: WARNING: vnet0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vnet0, link-type EN10MB (Ethernet), capture size 65535 bytes
19:44:56.176727 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from fa:16:3e:46:f6:11, length 300
19:44:56.176785 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from fa:16:3e:46:f6:11, length 300
19:44:56.177315 IP 10.40.0.1.67 > 10.40.0.3.68: BOOTP/DHCP, Reply, length 319
19:45:02.179834 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from fa:16:3e:46:f6:11, length 300
19:45:02.179904 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from fa:16:3e:46:f6:11, length 300
19:45:02.180375 IP 10.40.0.1.67 > 10.40.0.3.68: BOOTP/DHCP, Reply, length 319

However, if I do the same thing on eth0 inside the KVM instance, I only see the request packets, not the reply packets. What would prevent the packets from making it from the host's vnet0 to the guest's eth0?

My host is running Ubuntu 12.04 and my guest is running CentOS 6.3.

Note that I added this rule to my iptables, but it doesn't solve the problem:

-A POSTROUTING -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill

The instance corresponds to vnet0 and is connected via br100:

# brctl show
bridge name     bridge id               STP enabled     interfaces
br100           8000.54781a8605f2       no              eth1
                                                        vnet0
                                                        vnet1
virbr0          8000.000000000000       yes

Here is the complete iptables-save:

# Generated by iptables-save v1.4.12 on Tue Apr  2 19:47:27 2013
*nat
:PREROUTING ACCEPT [8323:2553683]
:INPUT ACCEPT [7993:2494942]
:OUTPUT ACCEPT [6158:461050]
:POSTROUTING ACCEPT [6455:511595]
:nova-compute-OUTPUT - [0:0]
:nova-compute-POSTROUTING - [0:0]
:nova-compute-PREROUTING - [0:0]
:nova-compute-float-snat - [0:0]
:nova-compute-snat - [0:0]
:nova-postrouting-bottom - [0:0]
-A PREROUTING -j nova-compute-PREROUTING
-A OUTPUT -j nova-compute-OUTPUT
-A POSTROUTING -j nova-compute-POSTROUTING
-A POSTROUTING -j nova-postrouting-bottom
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A nova-compute-snat -j nova-compute-float-snat
-A nova-postrouting-bottom -j nova-compute-snat
COMMIT
# Completed on Tue Apr  2 19:47:27 2013
# Generated by iptables-save v1.4.12 on Tue Apr  2 19:47:27 2013
*mangle
:PREROUTING ACCEPT [7969:5385812]
:INPUT ACCEPT [7905:5363718]
:FORWARD ACCEPT [158:48190]
:OUTPUT ACCEPT [6877:8647975]
:POSTROUTING ACCEPT [7035:8696165]
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Tue Apr  2 19:47:27 2013
# Generated by iptables-save v1.4.12 on Tue Apr  2 19:47:27 2013
*filter
:INPUT ACCEPT [2196774:15856921923]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2447201:1170227646]
:nova-compute-FORWARD - [0:0]
:nova-compute-INPUT - [0:0]
:nova-compute-OUTPUT - [0:0]
:nova-compute-inst-19 - [0:0]
:nova-compute-inst-20 - [0:0]
:nova-compute-local - [0:0]
:nova-compute-provider - [0:0]
:nova-compute-sg-fallback - [0:0]
:nova-filter-top - [0:0]
-A INPUT -j nova-compute-INPUT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A FORWARD -j nova-filter-top
-A FORWARD -j nova-compute-FORWARD
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -j nova-filter-top
-A OUTPUT -j nova-compute-OUTPUT
-A nova-compute-FORWARD -i br100 -j ACCEPT
-A nova-compute-FORWARD -o br100 -j ACCEPT
-A nova-compute-inst-19 -m state --state INVALID -j DROP
-A nova-compute-inst-19 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A nova-compute-inst-19 -j nova-compute-provider
-A nova-compute-inst-19 -s 10.40.0.1/32 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A nova-compute-inst-19 -s 10.40.0.0/16 -j ACCEPT
-A nova-compute-inst-19 -p tcp -m tcp --dport 22 -j ACCEPT
-A nova-compute-inst-19 -p icmp -j ACCEPT
-A nova-compute-inst-19 -j nova-compute-sg-fallback
-A nova-compute-inst-20 -m state --state INVALID -j DROP
-A nova-compute-inst-20 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A nova-compute-inst-20 -j nova-compute-provider
-A nova-compute-inst-20 -s 10.40.0.1/32 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A nova-compute-inst-20 -s 10.40.0.0/16 -j ACCEPT
-A nova-compute-inst-20 -p tcp -m tcp --dport 22 -j ACCEPT
-A nova-compute-inst-20 -p icmp -j ACCEPT
-A nova-compute-inst-20 -j nova-compute-sg-fallback
-A nova-compute-local -d 10.40.0.3/32 -j nova-compute-inst-19
-A nova-compute-local -d 10.40.0.4/32 -j nova-compute-inst-20
-A nova-compute-sg-fallback -j DROP
-A nova-filter-top -j nova-compute-local
COMMIT
# Completed on Tue Apr  2 19:47:27 2013
    
by Lorin Hochstein 03.04.2013 / 01:48

1 answer

1

I had a similar problem; this solved it for me:

echo 0 > /proc/sys/net/bridge/bridge-nf-call-iptables #To disable Iptables in the bridge.

See here for more details: link

    
by 30.04.2013 / 08:57
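
While bridge-nf-call-iptables is 1, frames bridged across br100 traverse the iptables FORWARD chain, so the filter table in the question decides whether the DHCP reply is delivered. The following added example (not part of the original question or answer) walks the relevant rules from that dump for a constructed copy of the reply; the conntrack state is an input assumption, the helper names are hypothetical, and the evaluator handles only the options these rules use.

```python
import ipaddress

# Subset of the filter table from the dump above (tcp/22 and icmp accepts omitted)
RULES = """\
-A FORWARD -j nova-filter-top
-A FORWARD -j nova-compute-FORWARD
-A nova-compute-FORWARD -i br100 -j ACCEPT
-A nova-compute-inst-19 -m state --state INVALID -j DROP
-A nova-compute-inst-19 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A nova-compute-inst-19 -j nova-compute-provider
-A nova-compute-inst-19 -s 10.40.0.1/32 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A nova-compute-inst-19 -s 10.40.0.0/16 -j ACCEPT
-A nova-compute-inst-19 -j nova-compute-sg-fallback
-A nova-compute-local -d 10.40.0.3/32 -j nova-compute-inst-19
-A nova-compute-sg-fallback -j DROP
-A nova-filter-top -j nova-compute-local
"""
# Constructed packet: the DHCP reply seen on vnet0 (10.40.0.1.67 > 10.40.0.3.68)
DHCP_REPLY = {"-s": "10.40.0.1", "-d": "10.40.0.3", "-p": "udp",
              "--sport": "67", "--dport": "68", "-i": "br100"}

def parse(text):
    chains = {}
    for tok in map(str.split, text.splitlines()):
        opts = {k: v for k, v in zip(tok[2::2], tok[3::2]) if k != "-m"}  # skip "-m <module>"
        chains.setdefault(tok[1], []).append(opts)
    return chains

def matches(opts, pkt):
    def ok(opt, want):
        if opt in ("-s", "-d"):
            return ipaddress.ip_address(pkt[opt]) in ipaddress.ip_network(want)
        return pkt.get(opt) in want.split(",")  # exact value, or one of a state list
    return all(ok(o, w) for o, w in opts.items() if o != "-j")

def walk(chains, chain, pkt):
    """(verdict, chain) of the first terminal rule hit; None if the chain falls through."""
    for opts in chains.get(chain, []):
        if matches(opts, pkt):
            target = opts["-j"]
            hit = (target, chain) if target in ("ACCEPT", "DROP") else walk(chains, target, pkt)
            if hit:
                return hit

def forward_verdict(state, pkt=DHCP_REPLY):
    # FORWARD policy in the dump is ACCEPT; it applies when no rule terminates.
    return walk(parse(RULES), "FORWARD", {**pkt, "--state": state}) or ("ACCEPT", "policy")

if __name__ == "__main__":
    print({s: forward_verdict(s) for s in ("NEW", "INVALID")})
```

With the sysctl from the answer set to 0, bridged frames skip this FORWARD traversal entirely, so the per-instance nova-compute-inst-* rules no longer filter them.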