OpenStack instance deploy Calico network problem

in #openstack, 7 years ago (edited)

The network problem is shown in the screenshot below:
[Image: QQ截图20171219151837.png]

The same environment shows no such problem when run under VMware Workstation. I suspect the security group is the cause.

First, look at the port information for one of the instances:
[root@openstack01 ~]# neutron port-list |grep 192.168.184.18
| febc2ed8-73e8-47dc-81ac-1120906f8dda | | 570d912f61a94e83a18f1fa455815cbb | fa:16:3e:90:6e:20 | {"subnet_id": "924f1705-c49d-4e2c-8e8c-b184521d9cc6", "ip_address": "192.168.184.18"} |

Check the iptables rules that reference the tap device:
[root@openstack01 ~]# iptables --line-numbers -nvL | grep tapfebc2ed8-73
35 60849 160M neutron-openvswi-sg-chain all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-out tapfebc2ed8-73 --physdev-is-bridged /* Direct traffic from the VM interface to the security group chain. */
36 50385 35M neutron-openvswi-sg-chain all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tapfebc2ed8-73 --physdev-is-bridged /* Direct traffic from the VM interface to the security group chain. */
18 0 0 neutron-openvswi-ofebc2ed8-7 all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tapfebc2ed8-73 --physdev-is-bridged /* Direct incoming traffic from VM to the security group chain. */
35 60849 160M neutron-openvswi-ifebc2ed8-7 all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-out tapfebc2ed8-73 --physdev-is-bridged /* Jump to the VM specific chain. */
36 50385 35M neutron-openvswi-ofebc2ed8-7 all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tapfebc2ed8-73 --physdev-is-bridged /* Jump to the VM specific chain. */

Remove the security group from the port and disable port security:
[root@openstack01 ~]# openstack port set --no-security-group febc2ed8-73e8-47dc-81ac-1120906f8dda
[root@openstack01 ~]# openstack port set --disable-port-security febc2ed8-73e8-47dc-81ac-1120906f8dda

After disabling the security group:
[root@openstack01 ~]# iptables --line-numbers -nvL | grep tapfebc2ed8-73
35 1 52 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-out tapfebc2ed8-73 --physdev-is-bridged /* Accept all packets when port security is disabled. */
36 1 64 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tapfebc2ed8-73 --physdev-is-bridged /* Accept all packets when port security is disabled. */
18 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tapfebc2ed8-73 --physdev-is-bridged /* Accept all packets when port security is disabled. */

At this point, the two containers on the Calico network can communicate with each other.
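The two listings above differ only in the rule target: a jump to `neutron-openvswi-sg-chain` while the security group applies, and a blanket `ACCEPT` once port security is disabled. The following added example (not part of the original post) reads the same `iptables --line-numbers -nvL` output and reports which tap devices are in which state, so ports left unfiltered after troubleshooting can be found again. The function names and the second tap device in the sample are assumptions made for the example.

```shell
#!/bin/sh
# Added example: classify Neutron tap devices from `iptables --line-numbers -nvL`
# output read on stdin. Function names are hypothetical.

# Prints "<tap> <state>" for every tap device found, sorted by name.
classify_taps() {
    awk '
    {
        tap = ""
        for (i = 1; i < NF; i++)
            if ($i == "--physdev-in" || $i == "--physdev-out") { tap = $(i + 1); break }
        if (tap !~ /^tap/) next          # not a rule bound to a VM tap device
        target = $4                      # with --line-numbers: num pkts bytes target
        if (target == "ACCEPT")
            state[tap] = "port-security-disabled"      # unfiltered: always wins
        else if (target == "neutron-openvswi-sg-chain" && !(tap in state))
            state[tap] = "security-group-enforced"
    }
    END { for (t in state) print t, state[t] }
    ' | LC_ALL=C sort
}

# Prints only the tap devices whose traffic bypasses the security group chain.
disabled_taps() {
    classify_taps | awk '$2 == "port-security-disabled" { print $1 }'
}

# Constructed sample: the ACCEPT rules shown in the post, plus a made-up
# second port (tap0a1b2c3d-4e) that still has its security group.
sample_listing() {
    cat <<'EOF'
35 1 52 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-out tapfebc2ed8-73 --physdev-is-bridged /* Accept all packets when port security is disabled. */
36 1 64 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tapfebc2ed8-73 --physdev-is-bridged /* Accept all packets when port security is disabled. */
37 10 840 neutron-openvswi-sg-chain all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-out tap0a1b2c3d-4e --physdev-is-bridged /* Direct traffic from the VM interface to the security group chain. */
38 12 960 neutron-openvswi-sg-chain all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tap0a1b2c3d-4e --physdev-is-bridged /* Direct traffic from the VM interface to the security group chain. */
EOF
}

sample_listing | classify_taps
```

On a compute node, pipe the live listing in instead of the sample: `iptables --line-numbers -nvL | disabled_taps`.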


Hi! I am a robot. I just upvoted you! I found similar content that readers might be interested in:
https://bugzilla.redhat.com/show_bug.cgi?id=1387390