How to expose Devstack floating IPs to the outside world?

Problem description:

For this project, my hardware configuration is a host ESXi 6.7 (OS boot USB 8GB), i7, 8 vCPU, 16GB RAM, 128GB SSD and 500GB HDD.
I created a single VM (7 vCPU, 15GB RAM, 100GB SSD, 1 NIC) and installed Ubuntu 18.04 (LVM filesystems).
I installed Devstack with "stack.sh".
My Devstack "local.conf" includes these lines about the network:

[[local|localrc]]
...
IP_VERSION=4
HOST_IP=192.168.1.104
FLOATING_RANGE="192.168.1.224/27"
Q_FLOATING_ALLOCATION_POOL=start=192.168.1.226,end=192.168.1.254

The Devstack script added virbr0 and br-ex:

ens160: 192.168.1.104
virbr0: 192.168.122.1
br-ex:  192.168.1.225

stack@devstack:~$ ip -4 a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    inet 192.168.1.104/24 brd 192.168.1.255 scope global ens160
       valid_lft forever preferred_lft forever
4: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
       valid_lft forever preferred_lft forever
8: br-ex: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 192.168.1.225/27 scope global br-ex
       valid_lft forever preferred_lft forever

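Installation done. Using the Horizon dashboard and the demo project:

  1. In "Security Groups", I added ingress rules for ICMP, SSH, HTTP and HTTPS;
  2. In the private network, I edited the private subnet to add DNS name servers (8.8.8.8, 1.1.1.1, etc.);
  3. I allocated some floating IPs;
  4. I launched some Cirros instances;
  5. I associated a floating IP with each instance.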

Tip 1: It is a good idea to create a key pair and save the private key.
Tip 2: With Ubuntu 16, to set a user/password on the cloud image, in "Launch instance" you can put these lines in Configuration:

#!/bin/bash
echo "root:secret" | chpasswd

Now, I can:

  • reach my local network and the Internet from my Cirros VMs (ping google.com);
  • ping another Cirros VM from a Cirros VM (ping 10.0.0.x or 192.168.1.x);
  • from my Devstack VM, ping a Cirros VM by IP (ping 192.168.1.236).

I can even, in the Devstack host, create iptables NAT rules to expose specific VM ports. For example:

sudo iptables -t nat -A PREROUTING -p tcp --dport 60080 -j DNAT --to 192.168.1.236:80

BUT, and this is my problem:
I cannot directly reach my Cirros VM floating IP from outside the Devstack host machine.
I don't know how to expose a floating IP to the world!

More notes:

  • Since I can ping 192.168.1.225 from outside the Devstack host, I tested creating a static route in my router, but that did not solve my problem (or I made some mistake!).
  • I set the VMware vSwitch to promiscuous mode, but it had no effect.

Well, after 5 days of research, lecture and harassment from * reviewers, I found these lines, which solve my problem:

echo 1 > /proc/sys/net/ipv4/conf/ens160/proxy_arp
iptables -t nat -A POSTROUTING -o ens160 -j MASQUERADE

Unable to access Openstack VM from the LAN

Good luck.
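
Why the router static route had no effect while proxy ARP on ens160 did, as an added example that is not part of the original post: it reads the local.conf values and the `ip -4 a` output shown above and checks whether the floating range sits inside the LAN subnet. It assumes LAN peers use the same /24 mask as ens160; the function names are hypothetical.

```python
import ipaddress
import re

# Values copied from the local.conf and `ip -4 a` output on this page.
LOCAL_CONF = """\
HOST_IP=192.168.1.104
FLOATING_RANGE="192.168.1.224/27"
Q_FLOATING_ALLOCATION_POOL=start=192.168.1.226,end=192.168.1.254
"""
IP_ADDR = """\
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP
    inet 192.168.1.104/24 brd 192.168.1.255 scope global ens160
8: br-ex: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    inet 192.168.1.225/27 scope global br-ex
"""

def parse_conf(text):
    """Return KEY -> value for simple KEY=value lines, quotes stripped."""
    conf = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith(("#", "[")):
            conf[key] = value.strip('"')
    return conf

def parse_interfaces(text):
    """Return interface name -> IPv4 network from `ip -4 a` output."""
    nets = {}
    for m in re.finditer(r"inet (\S+) .*scope global (\S+)", text):
        nets[m.group(2)] = ipaddress.ip_interface(m.group(1)).network
    return nets

def analyse(conf_text, ip_text, lan_if="ens160"):
    """Describe how LAN peers will try to reach the floating range."""
    conf = parse_conf(conf_text)
    floating = ipaddress.ip_network(conf["FLOATING_RANGE"])
    lan = parse_interfaces(ip_text)[lan_if]
    pool = dict(p.split("=") for p in conf["Q_FLOATING_ALLOCATION_POOL"].split(","))
    first, last = (ipaddress.ip_address(pool[k]) for k in ("start", "end"))
    return {
        "floating": str(floating), "lan": str(lan),
        # On-link: peers ARP for each floating IP and never consult a router,
        # so a static route cannot help; something on lan_if must answer ARP.
        "peers_arp_directly": floating.subnet_of(lan),
        "pool_size": int(last) - int(first) + 1,
        "pool_inside_range": first in floating and last in floating,
    }

if __name__ == "__main__":
    for key, value in analyse(LOCAL_CONF, IP_ADDR).items():
        print(f"{key}: {value}")
```

With proxy_arp enabled, the host answers ARP on ens160 for every one of the pool addresses reported here, so the security group rules are the only filter between the LAN and those instances.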