无法在devstack节点外部访问DevStack实例 [英] DevStack instances can't be reached outside devstack node
问题描述
根据官方文档,我正在尝试在Ubuntu 18.04 Server虚拟机上的操作系统. devstack节点只有一个网卡(ens160)通过以下CIDR 10.20.30.40/24连接到网络.我需要在此网络上公开访问我的实例(从10.20.30.240到10.20.30.250).因此,以下官方浮动IP 文档我设法形成了这个local.conf文件:
Following official documentation, I'm trying to deploy a Devstack on an Ubuntu 18.04 Server OS on a virtual machine. The devstack node has only one network card (ens160) connected to a network with the following CIDR 10.20.30.40/24. I need my instances accessible publicly on this network (from 10.20.30.240 to 10.20.30.250). So again the following the official floating-IP documentation I managed to form this local.conf file:
[[local|localrc]]
ADMIN_PASSWORD=secret
DATABASE_PASSWORD=$ADMIN_PASSWORD
RABBIT_PASSWORD=$ADMIN_PASSWORD
SERVICE_PASSWORD=$ADMIN_PASSWORD
PUBLIC_INTERFACE=ens160
HOST_IP=10.20.30.40
FLOATING_RANGE=10.20.30.40/24
PUBLIC_NETWORK_GATEWAY=10.20.30.1
Q_FLOATING_ALLOCATION_POOL=start=10.20.30.240,end=10.20.30.250
这将导致形成具有全局IP地址10.20.30.40和辅助IP地址10.20.30.1的br-ex(网关已存在于网络上;不是PUBLIC_NETWORK_GATEWAY参数谈论网络上的真实网关) ?)
This would lead to form a br-ex with the global IP address 10.20.30.40 and secondary IP address 10.20.30.1 (The gateway already exists on the network; isn't PUBLIC_NETWORK_GATEWAY parameter talking about real gateway on the network?)
现在,在成功部署之后,禁用ufw(根据此),创建一个具有用于ping和ssh的适当安全组的cirros实例,并附加一个浮动IP,我只能在我的devstack节点上访问我的实例,而不能在整个网络上!同样从cirros实例内部,我无法访问外部世界(即使我可以从devstack节点访问外部世界)
Now, after a successful deployment, disabling ufw (according to this), creating a cirros instance with proper security group for ping and ssh and attaching a floating-IP, I only can access my instance on my devstack node, not on the whole network! Also from within the cirros instance, I cannot access the outside world (even though I can access the outside world from the devstack node)
然后,观看此视频,我像这样修改了local.conf文件:
Afterwards, watching this video, I modified the local.conf file like this:
[[local|localrc]]
ADMIN_PASSWORD=secret
DATABASE_PASSWORD=$ADMIN_PASSWORD
RABBIT_PASSWORD=$ADMIN_PASSWORD
SERVICE_PASSWORD=$ADMIN_PASSWORD
FLAT_INTERFACE=ens160
HOST_IP=10.20.30.40
FLOATING_RANGE=10.20.30.240/28
成功完成部署和实例设置后,我仍然只能在devstack节点上访问我的实例,而不能从外部访问我的实例!但是好消息是我可以从cirros实例内部访问外界..
After a successful deployment and instance setup, I still can access my instance only on devstack node and not from the outside! But the good news is that I can access the outside world from within the cirros instance.
任何帮助将不胜感激!
更新
在第二种配置中,在ping实例浮动IP时检查tcpdump上的数据包,我观察到实例的浮动IP的who-has广播数据包从网络路由器到达devstack节点;但是不会生成is-at答复,因此ICMP数据包不会路由到devstack节点和实例.
On the second configuration, checking packets on tcpdump while pinging the instance floating-IP, I observed that the who-has broadcast packet for the floating-IP of the instance reaches the devstack node from the network router; however no is-at reply is generated and thus ICMP packets are not routed to the devstack node and the instance.
因此,通过一些技巧,我创建了响应,然后一切正常.但这当然不是解决方案,我认为devstack应该开箱即用,无需进行任何调整,这可能是因为devstack的配置错误.
So, with some tricks I created the response and everything works fine afterwards; but certainly this isn't solution and I imagine that the devstack should work out of the box without any tweaking and probably this is because of a misconfiguration of devstack.
推荐答案
After 5 days of tests, research and lecture, I found this: Openstack VM is not accessible on LAN
在devstack节点上输入以下命令:
Enter the following commands on devstack node:
echo 1 > /proc/sys/net/ipv4/conf/ens160/proxy_arp
iptables -t nat -A POSTROUTING -o ens160 -j MASQUERADE
就可以了!
干杯!
这篇关于无法在devstack节点外部访问DevStack实例的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
