6. Adding a floating IP to a VM
Assigning a floating IP to a VM is one of the most important functions of Neutron networking. Once a VM has been created, if the network it lives on is already attached to a router that connects to the external network, the VM can reach the external network directly through SNAT, but external users cannot reach the VM. To let external users reach the VM, it must be assigned a floating IP from the external network. The concrete steps for assigning an external IP to the VM vm4 are as follows:
1) Mapping between the fixed IP and the floating IP
vm4 fixed IP: 10.0.2.84, floating IP: 10.255.253.84
2) Create the external bridge br-ex. Here the NIC eth3 on the network node is used to reach the external network on the 10.255.253.* segment.
ovs-vsctl --timeout=10 -- --if-exists del-br br-ex
ovs-vsctl --timeout=10 -- --may-exist add-br br-ex
ovs-vsctl add-port br-ex eth3
ip link set dev eth3 up
ip link set dev br-ex up
3) On the network node, create the qrouter02 namespace and the qr03 default-gateway port (10.0.2.1)
# qr03 is an internal OVS port on br-int, tagged with the VM network's local VLAN (tag 3)
ovs-vsctl -- --if-exists del-port qr03 -- add-port br-int qr03 -- set interface qr03 type=internal
ovs-vsctl --timeout=10 set Port qr03 tag=3
ip netns add qrouter02
ip netns exec qrouter02 ip link set lo up
ip link set qr03 netns qrouter02
ip netns exec qrouter02 ip link set qr03 up
ip netns exec qrouter02 ip -4 addr add 10.0.2.1/24 brd 10.0.2.255 scope global dev qr03
4) Create qg02 on the external bridge br-ex and assign it the external IP (10.255.253.11)
ovs-vsctl -- --if-exists del-port qg02 -- add-port br-ex qg02 -- set interface qg02 type=internal
ip link set qg02 netns qrouter02
ip netns exec qrouter02 ip link set qg02 up
ip netns exec qrouter02 ip -4 addr add 10.255.253.11/24 brd 10.255.253.255 scope global dev qg02
ip netns exec qrouter02 ip route replace default via 10.255.253.1 dev qg02
# the namespace must forward packets between qr03 and qg02
ip netns exec qrouter02 sysctl -w net.ipv4.ip_forward=1
5) Install the iptables firewall rules that implement the SNAT and DNAT mapping between the VM's internal IP and the external IP
# filter table: the chain skeleton the L3 agent uses
ip netns exec qrouter02 iptables -N neutron-filter-top
ip netns exec qrouter02 iptables -A FORWARD -j neutron-filter-top
ip netns exec qrouter02 iptables -A OUTPUT -j neutron-filter-top
ip netns exec qrouter02 iptables -N neutron-l3-agent-local
ip netns exec qrouter02 iptables -A neutron-filter-top -j neutron-l3-agent-local
ip netns exec qrouter02 iptables -N neutron-l3-agent-INPUT
ip netns exec qrouter02 iptables -N neutron-l3-agent-OUTPUT
ip netns exec qrouter02 iptables -N neutron-l3-agent-FORWARD
ip netns exec qrouter02 iptables -A INPUT -j neutron-l3-agent-INPUT
ip netns exec qrouter02 iptables -A OUTPUT -j neutron-l3-agent-OUTPUT
ip netns exec qrouter02 iptables -A FORWARD -j neutron-l3-agent-FORWARD
# nat table: the chain skeleton; float-snat is consulted before the router-wide SNAT
ip netns exec qrouter02 iptables -t nat -N neutron-l3-agent-PREROUTING
ip netns exec qrouter02 iptables -t nat -N neutron-l3-agent-OUTPUT
ip netns exec qrouter02 iptables -t nat -N neutron-l3-agent-POSTROUTING
ip netns exec qrouter02 iptables -t nat -A PREROUTING -j neutron-l3-agent-PREROUTING
ip netns exec qrouter02 iptables -t nat -A OUTPUT -j neutron-l3-agent-OUTPUT
ip netns exec qrouter02 iptables -t nat -A POSTROUTING -j neutron-l3-agent-POSTROUTING
ip netns exec qrouter02 iptables -t nat -N neutron-postrouting-bottom
ip netns exec qrouter02 iptables -t nat -N neutron-l3-agent-snat
ip netns exec qrouter02 iptables -t nat -N neutron-l3-agent-float-snat
ip netns exec qrouter02 iptables -t nat -A POSTROUTING -j neutron-postrouting-bottom
ip netns exec qrouter02 iptables -t nat -A neutron-postrouting-bottom -j neutron-l3-agent-snat
ip netns exec qrouter02 iptables -t nat -A neutron-l3-agent-snat -j neutron-l3-agent-float-snat
# metadata proxy: redirect 169.254.169.254:80 to the local proxy on port 9697
ip netns exec qrouter02 iptables -A neutron-l3-agent-INPUT -s 0.0.0.0/0 -d 127.0.0.1 -p tcp -m tcp --dport 9697 -j ACCEPT
ip netns exec qrouter02 iptables -t nat -A neutron-l3-agent-PREROUTING -s 0.0.0.0/0 -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-port 9697
# this jump was already added above; repeating it is harmless but redundant
ip netns exec qrouter02 iptables -t nat -A neutron-l3-agent-snat -j neutron-l3-agent-float-snat
# traffic that neither enters nor leaves through qg02 and was not DNATed is left untouched
ip netns exec qrouter02 iptables -t nat -A neutron-l3-agent-POSTROUTING ! -i qg02 ! -o qg02 -m conntrack ! --ctstate DNAT -j ACCEPT
# router-wide SNAT: the whole 10.0.2.0/24 network leaves as the gateway address 10.255.253.11
ip netns exec qrouter02 iptables -t nat -A neutron-l3-agent-snat -s 10.0.2.0/24 -j SNAT --to-source 10.255.253.11
# floating IP for vm4: add the address to qg02, then DNAT inbound and SNAT outbound for that one fixed IP
ip netns exec qrouter02 ip -4 addr add 10.255.253.84/24 brd 10.255.253.255 scope global dev qg02
ip netns exec qrouter02 iptables -t nat -A neutron-l3-agent-PREROUTING -d 10.255.253.84/32 -j DNAT --to 10.0.2.84
ip netns exec qrouter02 iptables -t nat -A neutron-l3-agent-OUTPUT -d 10.255.253.84/32 -j DNAT --to 10.0.2.84
ip netns exec qrouter02 iptables -t nat -A neutron-l3-agent-float-snat -s 10.0.2.84 -j SNAT --to 10.255.253.84
After this configuration, pinging 10.255.253.84 from the external network reaches the internal VM.
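Because the mapping in step 5 is spread over three separate rules, a floating IP can be left half-configured (inbound DNAT without the matching float-snat, or a DNAT target that no longer agrees with the SNAT source) and the VM will still answer pings while its outbound traffic leaves as the shared router address 10.255.253.11. The POSIX shell script below is an added example, not part of the original post or of Neutron itself: it audits an iptables-save -t nat dump of the router namespace for exactly the three per-floating-IP rules from step 5 and reports every floating IP whose mapping is incomplete or inconsistent. The chain names are the ones used in step 5; the dump is a constructed sample (one complete mapping for vm4 and two deliberately broken ones) so the script runs offline. On a real network node you would feed it the output of ip netns exec qrouter02 iptables-save -t nat instead.

```shell
#!/bin/sh
# Audit the nat table of a Neutron router namespace for complete floating IP mappings.
# Added example, not code from the original post or from Neutron. It assumes the rule
# shapes from step 5: per floating IP one DNAT in neutron-l3-agent-PREROUTING, one DNAT
# in neutron-l3-agent-OUTPUT and one SNAT in neutron-l3-agent-float-snat.
#
# Real use (root on the network node):
#   ip netns exec qrouter02 iptables-save -t nat | audit_fip_dump

# Constructed sample dump in iptables-save format (not captured from a real node):
#   10.255.253.84 -> 10.0.2.84  complete (vm4 from the post)
#   10.255.253.85 -> 10.0.2.85  missing the float-snat rule
#   10.255.253.86               DNAT target 10.0.2.86 but SNAT source 10.0.2.99
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:neutron-l3-agent-PREROUTING - [0:0]
:neutron-l3-agent-OUTPUT - [0:0]
:neutron-l3-agent-float-snat - [0:0]
:neutron-l3-agent-snat - [0:0]
-A PREROUTING -j neutron-l3-agent-PREROUTING
-A OUTPUT -j neutron-l3-agent-OUTPUT
-A neutron-l3-agent-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697
-A neutron-l3-agent-PREROUTING -d 10.255.253.84/32 -j DNAT --to-destination 10.0.2.84
-A neutron-l3-agent-OUTPUT -d 10.255.253.84/32 -j DNAT --to-destination 10.0.2.84
-A neutron-l3-agent-float-snat -s 10.0.2.84/32 -j SNAT --to-source 10.255.253.84
-A neutron-l3-agent-PREROUTING -d 10.255.253.85/32 -j DNAT --to-destination 10.0.2.85
-A neutron-l3-agent-OUTPUT -d 10.255.253.85/32 -j DNAT --to-destination 10.0.2.85
-A neutron-l3-agent-PREROUTING -d 10.255.253.86/32 -j DNAT --to-destination 10.0.2.86
-A neutron-l3-agent-OUTPUT -d 10.255.253.86/32 -j DNAT --to-destination 10.0.2.86
-A neutron-l3-agent-float-snat -s 10.0.2.99/32 -j SNAT --to-source 10.255.253.86
-A neutron-l3-agent-snat -s 10.0.2.0/24 -j SNAT --to-source 10.255.253.11
COMMIT'

# Reads a dump on stdin. Prints "OK <floating> -> <fixed>" or "BROKEN <floating>: <reasons>"
# per floating IP and exits 1 if any mapping is broken, 0 otherwise.
audit_fip_dump() {
  awk '
    # DNAT rules in the two agent chains: remember the fixed IP each floating IP maps to
    /-A neutron-l3-agent-PREROUTING .*-j DNAT/ || /-A neutron-l3-agent-OUTPUT .*-j DNAT/ {
      chain = $2; fip = ""; fixed = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "-d") { fip = $(i + 1); sub(/\/32$/, "", fip) }
        if ($i == "--to-destination" || $i == "--to") fixed = $(i + 1)
      }
      seen[fip] = 1
      if (chain == "neutron-l3-agent-PREROUTING") pre[fip] = fixed; else out[fip] = fixed
      next
    }
    # float-snat rules: remember which fixed IP is rewritten to each floating IP
    /-A neutron-l3-agent-float-snat .*-j SNAT/ {
      fip = ""; fixed = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "-s") { fixed = $(i + 1); sub(/\/32$/, "", fixed) }
        if ($i == "--to-source" || $i == "--to") fip = $(i + 1)
      }
      seen[fip] = 1
      snat[fip] = fixed
      next
    }
    END {
      bad = 0
      for (fip in seen) {
        msg = ""
        if (!(fip in pre))  msg = msg " no-PREROUTING-DNAT"
        if (!(fip in out))  msg = msg " no-OUTPUT-DNAT"
        if (!(fip in snat)) msg = msg " no-float-SNAT"
        if ((fip in pre) && (fip in out) && pre[fip] != out[fip])
          msg = msg " PREROUTING/OUTPUT-target-mismatch"
        if ((fip in pre) && (fip in snat) && pre[fip] != snat[fip])
          msg = msg " DNAT-target/SNAT-source-mismatch"
        if (msg == "") print "OK " fip " -> " pre[fip]
        else { print "BROKEN " fip ":" msg; bad = 1 }
      }
      exit bad
    }
  '
}

# Demo on the constructed dump; exits 1 here because two of the three mappings are broken.
printf '%s\n' "$SAMPLE_DUMP" | audit_fip_dump || echo "audit found broken floating IP mappings"
```

The ordering of the float-snat jump ahead of the router-wide SNAT rule (both in step 5) is what makes a missing float-snat entry silent: the VM's packets simply fall through to the 10.0.2.0/24 rule and leave as 10.255.253.11, so the external identity of the VM no longer matches the address external users connect to. Running the audit after every floating IP change, or from a cron job in the namespace, catches that drift before it shows up as an asymmetric-NAT problem.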
Summary
The above covered the Neutron configuration rules for assigning a floating IP to a VM. A fairly deep understanding of iptables is still needed; to fully understand the reasoning behind the iptables configuration, please read the floating IP chapter of SammyLiu's series listed in the references. Thank you.
References:
SammyLiu's 《Neutron 理解》 (Understanding Neutron) series http://www.cnblogs.com/sammyliu/p/4622563.html
《深入理解Neutron -- OpenStack 网络实现》 (Understanding Neutron in Depth: the OpenStack Network Implementation) https://www.gitbook.com/book/yeasy/openstack_understand_neutron/details
About the author: Zhao Junfeng is an OpenStack development engineer in the Cloud Computing department of 北京新云东方系统科技有限责任公司. He mainly works on software development and system architecture design for OpenStack compute, network and storage services in mixed Power and x86 environments.
Building an OpenStack environment from scratch (5): Adding a floating IP to a VM
Original: http://www.cnblogs.com/run4life/p/5240219.html