- neutron security-group related configuration
At deployment time the security-group functionality must be configured correctly, not simply stripped out of the configuration.
(py3env) [root@ccn01 kolla-ansible]# cat /etc/kolla/neutron-linuxbridge-agent/linuxbridge_agent.ini
[agent]
[linux_bridge]
physical_interface_mappings = physnet1:eno1,physnet2:eno2,physnet3:ens4f1
[securitygroup]
enable_security_group = True
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
[vxlan]
enable_vxlan = False
(py3env) [root@ccn01 kolla-ansible]# cat /etc/kolla/neutron-server/ml2_conf.ini
[ml2]
type_drivers = flat
tenant_network_types =
mechanism_drivers = linuxbridge
extension_drivers = port_security
[ml2_type_vlan]
[securitygroup]
[ml2_type_flat]
flat_networks = physnet1,physnet2,physnet3
[ml2_type_vxlan]
- When creating the networks, just disable port security (security groups) on them
Management provider network for the nodes (VMs)
openstack network create --disable-port-security --share --external --provider-physical-network physnet3 --provider-network-type flat manage
openstack subnet create --subnet-range 10.120.24.0/21 --gateway 10.120.31.254 --network manage --allocation-pool start=10.120.29.0,end=10.120.30.200 manage-subnet
Business (workload) provider network
openstack network create --disable-port-security --no-default --share --external --provider-physical-network physnet2 --provider-network-type flat pubnet
openstack subnet create --subnet-range 10.120.32.0/20 --gateway none --network pubnet --allocation-pool start=10.120.32.100,end=10.120.33.255 --dns-nameserver 10.100.1.10 --dns-nameserver 114.114.114.114 pub-subnet
Storage provider network
openstack network create --disable-port-security --no-default --share --external --provider-physical-network physnet1 --provider-network-type flat storage
openstack subnet create --subnet-range 10.120.13.0/24 --gateway none --network storage --allocation-pool start=10.120.13.128,end=10.120.13.159 storage-subnet
Confirm that the bridges and network namespaces were created properly on the network nodes
Each provider network corresponds to one bridge and one namespace
Add the DHCP agent via the Horizon UI
ansible control -i /root/pre.ha -m shell -a "brctl show"
On the first initialization the neutron bridges report errors; it is best to restart the services
ansible control -i /root/pre.ha -m shell -a "docker restart neutron_server neutron_metadata_agent neutron_dhcp_agent neutron_linuxbridge_agent"
############ Correction #############
neutron security groups: summary
- Only the security-group configuration in the ml2 config takes effect
ansible/roles/neutron/templates/ml2_conf.ini.j2
[securitygroup]
{% if neutron_plugin_agent == "linuxbridge" %}
enable_security_group = False
firewall_driver = neutron.agent.firewall.NoopFirewallDriver
{% endif %}
enable_security_group and firewall_driver must be set together and must agree
enable_security_group = True
firewall_driver = neutron.agent.firewall.NoopFirewallDriver
This configuration combination is invalid:
neutron\neutron\agent\securitygroups_rpc.py
# Excerpt from the module above; imports added here for context.
from neutron_lib.api.definitions import rbac_security_groups as rbac_sg_apidef
from neutron_lib.api.definitions import stateful_security_group as stateful_sg
from oslo_config import cfg
from oslo_log import log as logging

LOG = logging.getLogger(__name__)


def is_firewall_enabled():
    # Only [securitygroup] enable_security_group decides this, not firewall_driver.
    return cfg.CONF.SECURITYGROUP.enable_security_group


def _disable_extension(extension, aliases):
    if extension in aliases:
        aliases.remove(extension)


def disable_security_group_extension_by_config(aliases):
    if not is_firewall_enabled():
        LOG.info('Disabled security-group extension.')
        _disable_extension('security-group', aliases)
        _disable_extension(rbac_sg_apidef.ALIAS, aliases)
        _disable_extension(stateful_sg.ALIAS, aliases)
        LOG.info('Disabled allowed-address-pairs extension.')
        _disable_extension('allowed-address-pairs', aliases)  # as the code shows, allowed-address-pairs depends on security groups
        LOG.info('Disabled address-group extension.')
        _disable_extension('address-group', aliases)
As long as
enable_security_group = True
is set, a port created on a network with security groups disabled still shows the following:
(py3env) [root@ccn01 ~]# openstack port show ab26985f-f8d5-4497-bb25-e6324cdc0385
+-------------------------+-----------------------------------------------------------------------------+
| Field | Value |
+-------------------------+-----------------------------------------------------------------------------+
| admin_state_up | UP |
| allowed_address_pairs | None |
| binding_host_id | ccn03 |
| binding_profile | |
| binding_vif_details | connectivity='l2', port_filter='True' | # still True here; ports not managed by neutron networking remain unusable
...
| port_security_enabled | False
(py3env) [root@ccn01 ~]# openstack port show a06b18e8-8347-48c1-848f-cebeb9048cc4
+-------------------------+-----------------------------------------------------------------------------+
| Field | Value |
+-------------------------+-----------------------------------------------------------------------------+
| admin_state_up | UP |
| allowed_address_pairs | None |
| binding_host_id | ccn03 |
| binding_profile | |
| binding_vif_details | connectivity='l2', port_filter='False' |
...
| port_security_enabled | False
In other words, if security groups are not disabled in the ml2 config, disabling them at network creation time has no effect.
The remaining settings are ineffective, as follows
ansible/roles/neutron/templates/linuxbridge_agent.ini.j2
[securitygroup]
enable_security_group = True
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
{% if neutron_plugin_agent == "linuxbridge" %}
enable_security_group = False
firewall_driver = neutron.agent.firewall.NoopFirewallDriver
{% endif %}
ansible/roles/nova-cell/templates/nova.conf.j2
{% if neutron_plugin_agent == "linuxbridge" %}
firewall_driver = nova.virt.firewall.NoopFirewallDriver
{% endif %}
Otherwise the following problem may occur:
manually assigned IPs not managed by neutron can be pinged across VMs and across hosts,
but with OVS / kube-ovn deployed inside the VMs in underlay mode they cannot be pinged; this problem is fairly obscure.
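A small checker for the two conclusions above: the ml2 [securitygroup] keys must agree (enable_security_group=True with NoopFirewallDriver is the rejected mix), and a port whose per-network port-security disable was not honoured still shows port_filter=True in binding_vif_details. This is an added example, not code from the notes or from neutron/kolla-ansible; it assumes the port data is `openstack port show -f json` output collected into a JSON list, and the sample configs and ports are constructed.

```python
import configparser
import json

# Driver names as they appear in the notes above.
NOOP = "neutron.agent.firewall.NoopFirewallDriver"
IPTABLES = "neutron.agent.linux.iptables_firewall.IptablesFirewallDriver"

def check_securitygroup(ini_text):
    """Classify [securitygroup] in ml2_conf.ini: 'enabled', 'disabled',
    'defaults' (no keys; neutron defaults enable_security_group to True) or
    'invalid-combination' (e.g. enable_security_group=True + Noop driver)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(ini_text)
    sec = "securitygroup"
    if not (cp.has_option(sec, "enable_security_group") or cp.has_option(sec, "firewall_driver")):
        return "defaults"
    enabled = cp.getboolean(sec, "enable_security_group", fallback=True)
    driver = cp.get(sec, "firewall_driver", fallback="")
    if enabled and driver == IPTABLES:
        return "enabled"
    if not enabled and driver == NOOP:
        return "disabled"
    return "invalid-combination"

def ineffective_ports(ports_json):
    """IDs of ports with port_security_enabled=False whose binding still shows
    port_filter=True, i.e. the per-network disable was not honoured."""
    found = []
    for p in json.loads(ports_json):
        vif = p.get("binding_vif_details") or {}
        if p.get("port_security_enabled") is False and vif.get("port_filter") is True:
            found.append(p["id"])
    return found

# Constructed samples (not captured from the deployment in the notes).
ML2_INVALID = "[securitygroup]\nenable_security_group = True\nfirewall_driver = " + NOOP + "\n"
ML2_DISABLED = "[securitygroup]\nenable_security_group = False\nfirewall_driver = " + NOOP + "\n"
ML2_DEFAULT = "[ml2]\nmechanism_drivers = linuxbridge\n[securitygroup]\n"
PORTS_JSON = json.dumps([
    {"id": "port-a", "port_security_enabled": False,
     "binding_vif_details": {"connectivity": "l2", "port_filter": True}},
    {"id": "port-b", "port_security_enabled": False,
     "binding_vif_details": {"connectivity": "l2", "port_filter": False}},
])

if __name__ == "__main__":
    print({n: check_securitygroup(t) for n, t in [("invalid", ML2_INVALID), ("disabled", ML2_DISABLED), ("default", ML2_DEFAULT)]})
    print("ports whose port-security disable was not honoured:", ineffective_ports(PORTS_JSON))
```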