neutron keepalived vip

When keepalived is used for load balancing between OpenStack instances, the backends share a VIP. By default, however, Neutron's port security only lets traffic leave a port when its source IP and MAC match the address assigned to that port (enforced by the security-group firewall driver with iptables and ebtables, as shown below), so packets and ARP replies sourced from the VIP are silently dropped. The fix is to add the VIP to the port's allowed_address_pairs.

How it works

Inspect the port

root ~ # neutron port-show 32316d3b-6e2e-47c6-bc14-13d0aafb6b31 -c fixed_ips -c mac_address -c allowed_address_pairs -c binding:host_id
+-----------------------+-----------------------------------------------------------------------------------+
| Field | Value |
+-----------------------+-----------------------------------------------------------------------------------+
| allowed_address_pairs | |
| binding:host_id | compute2 |
| fixed_ips | {"subnet_id": "1e9bcfc1-cac5-4952-ba96-8f3fc2ea6336", "ip_address": "172.16.1.4"} |
| mac_address | fa:16:3e:6f:13:82 |
+-----------------------+-----------------------------------------------------------------------------------+

Inspect the iptables and ebtables rules Neutron generated for the port on its compute host

[root@compute2 ~]# iptables-save | grep s32316d3b-6
:neutron-linuxbri-s32316d3b-6 - [0:0]
-A neutron-linuxbri-o32316d3b-6 -j neutron-linuxbri-s32316d3b-6
-A neutron-linuxbri-s32316d3b-6 -s 172.16.1.4/32 -m mac --mac-source FA:16:3E:6F:13:82 -m comment --comment "Allow traffic from defined IP/MAC pairs." -j RETURN
-A neutron-linuxbri-s32316d3b-6 -m comment --comment "Drop traffic without an IP/MAC allow rule." -j DROP

[root@compute2 ~]# ebtables-save | grep 32316d3b-6
:neutronMAC-tap32316d3b-6e DROP
:neutronARP-tap32316d3b-6e DROP
-A FORWARD -i tap32316d3b-6e -j neutronMAC-tap32316d3b-6e
-A FORWARD -p ARP -i tap32316d3b-6e -j neutronARP-tap32316d3b-6e
-A neutronMAC-tap32316d3b-6e -i tap32316d3b-6e --among-src fa:16:3e:6f:13:82, -j RETURN
-A neutronARP-tap32316d3b-6e -p ARP --arp-ip-src 172.16.1.4 -j ACCEPT

These chains are the anti-spoofing check. In iptables, the port's "s" chain RETURNs only packets whose source IP and source MAC match the fixed pair and DROPs everything else. In ebtables, the MAC chain drops frames whose source MAC is not in --among-src, and the ARP chain drops ARP whose sender IP is not the fixed IP. A VIP that keepalived brings up inside the VM can therefore neither send packets nor answer ARP until it is added to the port.

Update the port, adding the following allowed pairs on top of the original IP/MAC. A pair with no MAC defaults to the port's own MAC. Note that a CIDR pair lets the VM source any address in that range, so for a keepalived VIP add the single address rather than a subnet:

ip_address       mac_address
10.10.10.10      fa:16:3e:6f:13:82   (port's own MAC, used when none is given)
10.10.20.0/24    fa:16:3e:6f:13:82   (port's own MAC, used when none is given)
10.10.30.11      fa:16:3e:6f:13:83
10.10.40.0/24    fa:16:3e:6f:13:84
neutron port-update 32316d3b-6e2e-47c6-bc14-13d0aafb6b31 \
--allowed_address_pairs type=dict list=true \
ip_address=10.10.10.10 \
ip_address=10.10.20.0/24 \
ip_address=10.10.30.11,mac_address=fa:16:3e:6f:13:83 \
ip_address=10.10.40.0/24,mac_address=fa:16:3e:6f:13:84

Check the iptables and ebtables rules again: each pair now has its own RETURN rule ahead of the DROP, the extra MACs appear in --among-src, and each address gets an --arp-ip-src ACCEPT

[root@compute2 ~]# iptables-save | grep s32316d3b-6
:neutron-linuxbri-s32316d3b-6 - [0:0]
-A neutron-linuxbri-o32316d3b-6 -j neutron-linuxbri-s32316d3b-6
-A neutron-linuxbri-s32316d3b-6 -s 10.10.10.10/32 -m mac --mac-source FA:16:3E:6F:13:82 -m comment --comment "Allow traffic from defined IP/MAC pairs." -j RETURN
-A neutron-linuxbri-s32316d3b-6 -s 10.10.20.0/24 -m mac --mac-source FA:16:3E:6F:13:82 -m comment --comment "Allow traffic from defined IP/MAC pairs." -j RETURN
-A neutron-linuxbri-s32316d3b-6 -s 10.10.30.11/32 -m mac --mac-source FA:16:3E:6F:13:83 -m comment --comment "Allow traffic from defined IP/MAC pairs." -j RETURN
-A neutron-linuxbri-s32316d3b-6 -s 10.10.40.0/24 -m mac --mac-source FA:16:3E:6F:13:84 -m comment --comment "Allow traffic from defined IP/MAC pairs." -j RETURN
-A neutron-linuxbri-s32316d3b-6 -s 172.16.1.4/32 -m mac --mac-source FA:16:3E:6F:13:82 -m comment --comment "Allow traffic from defined IP/MAC pairs." -j RETURN
-A neutron-linuxbri-s32316d3b-6 -m comment --comment "Drop traffic without an IP/MAC allow rule." -j DROP

[root@compute2 ~]# ebtables-save | grep 32316d3b-6
:neutronMAC-tap32316d3b-6e DROP
:neutronARP-tap32316d3b-6e DROP
-A FORWARD -i tap32316d3b-6e -j neutronMAC-tap32316d3b-6e
-A FORWARD -p ARP -i tap32316d3b-6e -j neutronARP-tap32316d3b-6e
-A neutronMAC-tap32316d3b-6e -i tap32316d3b-6e --among-src fa:16:3e:6f:13:82,fa:16:3e:6f:13:83,fa:16:3e:6f:13:84, -j RETURN
-A neutronARP-tap32316d3b-6e -p ARP --arp-ip-src 10.10.40.0/24 -j ACCEPT
-A neutronARP-tap32316d3b-6e -p ARP --arp-ip-src 172.16.1.4 -j ACCEPT
-A neutronARP-tap32316d3b-6e -p ARP --arp-ip-src 10.10.30.11 -j ACCEPT
-A neutronARP-tap32316d3b-6e -p ARP --arp-ip-src 10.10.20.0/24 -j ACCEPT
-A neutronARP-tap32316d3b-6e -p ARP --arp-ip-src 10.10.10.10 -j ACCEPT

Clear all allowed address pairs on the port

neutron port-update 32316d3b-6e2e-47c6-bc14-13d0aafb6b31 --allowed_address_pairs action=clear

Use case

List all ports on the ext-net network

neutron port-list --network_id=`neutron net-list | grep ext-net | awk '{print $2}'`

Create a port holding the keepalived VIP on ext-net, so that Neutron reserves the address and cannot hand it to another instance

neutron port-create --fixed-ip ip_address=<VIP> --security-group default ext-net

Allow the VIP on web1's port

neutron port-update <PORT_ID> --allowed_address_pairs list=true type=dict ip_address=<VIP>

Allow the VIP on web2's port

neutron port-update <PORT_ID> --allowed_address_pairs list=true type=dict ip_address=<VIP>
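The three steps above scripted end to end, plus the check a practitioner wants afterwards: confirming on the compute host that the anti-spoofing rules were actually rewritten for the VIP. This is an added example, not code from the original post. It assumes the neutron CLI is on PATH and authenticated, that the network is named ext-net, and that chain and tap names follow the linuxbridge driver layout visible in the iptables-save and ebtables-save output above (chain suffix = first 10 characters of the port ID, tap = "tap" + first 11). The rule dumps handed to the check functions are captured separately on the compute host; the sample dumps used for testing were constructed from the output shown above.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Assumes the neutron CLI is
# authenticated, the network is called ext-net, and chain/tap naming follows
# the linuxbridge layout seen in the iptables-save/ebtables-save output above.
set -eu

# Chain suffix and tap device name Neutron derives from a port ID
# (first 10 and first 11 characters respectively, as in the dumps above).
chain_suffix() { printf '%s' "$1" | cut -c1-10; }
tap_name()     { printf 'tap%s' "$(printf '%s' "$1" | cut -c1-11)"; }

# Compose the port-update command. port-update replaces the whole
# allowed_address_pairs list, so every pair that must stay has to be passed
# again; the port's own fixed IP/MAC remains allowed regardless.
# Each argument is "IP" or "IP,mac_address=MAC".
build_update_cmd() {
  port_id=$1
  shift
  cmd="neutron port-update $port_id --allowed_address_pairs type=dict list=true"
  for pair in "$@"; do
    cmd="$cmd ip_address=$pair"
  done
  printf '%s\n' "$cmd"
}

# Normalise an address to the form iptables-save prints (/32 for a host).
as_cidr() {
  case $1 in
    */*) printf '%s' "$1" ;;
    *)   printf '%s/32' "$1" ;;
  esac
}

# 0 if the port's iptables "s" chain has a RETURN rule for VIP/MAC, i.e.
# egress from the VIP no longer hits the trailing DROP.
# $1: iptables-save output, $2: chain suffix, $3: VIP or CIDR, $4: MAC.
vip_allowed_ip() {
  upper_mac=$(printf '%s' "$4" | tr '[:lower:]' '[:upper:]')
  printf '%s\n' "$1" |
    grep -Fq -- "-A neutron-linuxbri-s$2 -s $(as_cidr "$3") -m mac --mac-source $upper_mac "
}

# 0 if ebtables lets the VM answer ARP for the VIP from that MAC: the MAC
# must be listed in --among-src and the VIP must have an --arp-ip-src ACCEPT.
# $1: ebtables-save output, $2: tap name, $3: VIP or CIDR, $4: MAC.
vip_allowed_arp() {
  printf '%s\n' "$1" | grep -F -- "-A neutronMAC-$2 " | grep -Fq -- "$4," &&
  printf '%s\n' "$1" | grep -Fq -- "-A neutronARP-$2 -p ARP --arp-ip-src $3 -j ACCEPT"
}

# End to end: reserve the VIP on ext-net, then allow it on each backend port.
# Usage: apply_vip <VIP> <web1-port-id> <web2-port-id> [...]
apply_vip() {
  vip=$1
  shift
  neutron port-create --fixed-ip ip_address="$vip" --security-group default ext-net
  for port in "$@"; do
    eval "$(build_update_cmd "$port" "$vip")"
  done
}

# Only touch a real cloud when asked explicitly, e.g.
#   APPLY_VIP=1 ./vip.sh 10.10.10.10 <web1-port-id> <web2-port-id>
# Afterwards, on the compute host of each backend:
#   vip_allowed_ip  "$(iptables-save)" "$(chain_suffix "$PORT")" "$VIP" "$MAC"
#   vip_allowed_arp "$(ebtables-save)" "$(tap_name "$PORT")"     "$VIP" "$MAC"
if [ "${APPLY_VIP:-0}" = 1 ]; then
  apply_vip "$@"
fi
```

Two caveats when using this with keepalived. First, because port-update replaces the list, re-run build_update_cmd with every pair each time a VIP is added or removed, or a previously allowed address silently loses its rules. Second, the allowed pairs only cover the VIP itself; the VRRP advertisements keepalived exchanges between web1 and web2 (IP protocol 112) are sourced from each VM's fixed IP and pass the anti-spoofing check, but they must still be permitted by the instances' security group ingress rules or the nodes will both believe they are master.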