neutron linux-bridge: disabling security groups

Author: cloudFans | Published 2021-07-31 10:38

1. neutron security-group related configuration

At deployment time the security-group settings must be configured correctly, not simply removed from the configuration.

(py3env) [root@ccn01 kolla-ansible]# cat /etc/kolla/neutron-linuxbridge-agent/linuxbridge_agent.ini
[agent]

[linux_bridge]
physical_interface_mappings = physnet1:eno1,physnet2:eno2,physnet3:ens4f1

[securitygroup]
enable_security_group = True
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver

[vxlan]
enable_vxlan = False

(py3env) [root@ccn01 kolla-ansible]# cat /etc/kolla/neutron-server/ml2_conf.ini
[ml2]
type_drivers = flat
tenant_network_types =
mechanism_drivers = linuxbridge
extension_drivers = port_security

[ml2_type_vlan]

[securitygroup]

[ml2_type_flat]
flat_networks = physnet1,physnet2,physnet3

[ml2_type_vxlan]

2. When creating a network, it is enough to disable port security (security groups) on it

Node (VM) management provider network

openstack network create --disable-port-security --share --external --provider-physical-network physnet3 --provider-network-type flat manage

openstack subnet create --subnet-range 10.120.24.0/21 --gateway 10.120.31.254 --network manage --allocation-pool start=10.120.29.0,end=10.120.30.200 manage-subnet

Service (workload) provider network

openstack network create --disable-port-security --no-default --share --external --provider-physical-network physnet2 --provider-network-type flat pubnet

openstack subnet create --subnet-range 10.120.32.0/20 --gateway none --network pubnet --allocation-pool start=10.120.32.100,end=10.120.33.255 --dns-nameserver 10.100.1.10 --dns-nameserver 114.114.114.114 pub-subnet

Storage provider network

openstack network create --disable-port-security --no-default --share --external --provider-physical-network physnet1 --provider-network-type flat storage

openstack subnet create --subnet-range 10.120.13.0/24 --gateway none --network storage --allocation-pool start=10.120.13.128,end=10.120.13.159 storage-subnet

Confirm that the bridges and network namespaces on the network nodes were created properly.

Each provider network corresponds to one bridge and one namespace.

Add the DHCP agents through the horizon UI.

ansible control -i /root/pre.ha -m shell -a "brctl show"

The first initialization of the neutron bridges reported errors; it is best to restart the services:

ansible control -i /root/pre.ha -m shell -a "docker restart neutron_server neutron_metadata_agent neutron_dhcp_agent neutron_linuxbridge_agent"

############ Correction #############

neutron security groups: summary

1. Only the security-group settings in the ml2 configuration take effect

ansible/roles/neutron/templates/ml2_conf.ini.j2

[securitygroup]
{% if neutron_plugin_agent == "linuxbridge" %}
enable_security_group = False
firewall_driver = neutron.agent.firewall.NoopFirewallDriver
{% endif %}

enable_security_group and firewall_driver must be set together. The following combination

enable_security_group = True
firewall_driver = neutron.agent.firewall.NoopFirewallDriver

is ineffective, because neutron only consults enable_security_group and never the driver, as seen in neutron/neutron/agent/securitygroups_rpc.py:

from neutron_lib.api.definitions import rbac_security_groups as rbac_sg_apidef
from neutron_lib.api.definitions import stateful_security_group as stateful_sg
from oslo_config import cfg
from oslo_log import log as logging

LOG = logging.getLogger(__name__)


def is_firewall_enabled():
    # Only enable_security_group is consulted; firewall_driver plays no part here.
    return cfg.CONF.SECURITYGROUP.enable_security_group


def _disable_extension(extension, aliases):
    if extension in aliases:
        aliases.remove(extension)


def disable_security_group_extension_by_config(aliases):
    if not is_firewall_enabled():
        LOG.info('Disabled security-group extension.')
        _disable_extension('security-group', aliases)
        _disable_extension(rbac_sg_apidef.ALIAS, aliases)
        _disable_extension(stateful_sg.ALIAS, aliases)
        LOG.info('Disabled allowed-address-pairs extension.')
        # As the code shows, allowed-address-pairs (aap) depends on security groups.
        _disable_extension('allowed-address-pairs', aliases)
        LOG.info('Disabled address-group extension.')
        _disable_extension('address-group', aliases)

As long as

enable_security_group = True

the ports that get created, even on a network with port security disabled, still show:

(py3env) [root@ccn01 ~]# openstack port show ab26985f-f8d5-4497-bb25-e6324cdc0385
+-------------------------+-----------------------------------------------------------------------------+
| Field | Value |
+-------------------------+-----------------------------------------------------------------------------+
| admin_state_up | UP |
| allowed_address_pairs | None |
| binding_host_id | ccn03 |
| binding_profile | |
| binding_vif_details | connectivity='l2', port_filter='True' | # still True here; ports carrying addresses not managed by neutron remain unusable
...
| port_security_enabled | False |

(py3env) [root@ccn01 ~]# openstack port show a06b18e8-8347-48c1-848f-cebeb9048cc4
+-------------------------+-----------------------------------------------------------------------------+
| Field | Value |
+-------------------------+-----------------------------------------------------------------------------+
| admin_state_up | UP |
| allowed_address_pairs | None |
| binding_host_id | ccn03 |
| binding_profile | |
| binding_vif_details | connectivity='l2', port_filter='False' |
...
| port_security_enabled | False |

In other words, if security groups are not disabled in the ml2 configuration, disabling them when the network is created is ineffective as well.

All the remaining settings are ineffective, as follows:

ansible/roles/neutron/templates/linuxbridge_agent.ini.j2

[securitygroup]
enable_security_group = True
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
{% if neutron_plugin_agent == "linuxbridge" %}
enable_security_group = False
firewall_driver = neutron.agent.firewall.NoopFirewallDriver
{% endif %}

ansible/roles/nova-cell/templates/nova.conf.j2
{% if neutron_plugin_agent == "linuxbridge" %}
firewall_driver = nova.virt.firewall.NoopFirewallDriver
{% endif %}
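As an added example (not code from the post, neutron or kolla-ansible), the following Python script applies the decision rule shown above to parsed ini fragments: it reports which API extensions survive, what port_filter a port will carry regardless of the network's port_security_enabled flag, and flags the ineffective True + NoopFirewallDriver combination. The rbac/stateful alias strings and the sample configs are assumed values constructed for the example.

```python
import configparser

# Aliases dropped by disable_security_group_extension_by_config when
# enable_security_group is False. The rbac/stateful strings are assumed values
# of rbac_sg_apidef.ALIAS and stateful_sg.ALIAS from neutron_lib.
SG_DEPENDENT_EXTENSIONS = frozenset({
    "security-group", "rbac-security-groups", "stateful-security-group",
    "allowed-address-pairs", "address-group",
})
NOOP_DRIVER = "neutron.agent.firewall.NoopFirewallDriver"
IPTABLES_DRIVER = "neutron.agent.linux.iptables_firewall.IptablesFirewallDriver"
ALL_ALIASES = ["port-security", "provider"] + sorted(SG_DEPENDENT_EXTENSIONS)

# Constructed ml2_conf.ini fragments: the effective disabled pair, and the
# ineffective combination the post describes.
ML2_SG_DISABLED = "[securitygroup]\nenable_security_group = False\n" \
                  "firewall_driver = " + NOOP_DRIVER + "\n"
ML2_SG_NOOP_ONLY = "[securitygroup]\nenable_security_group = True\n" \
                   "firewall_driver = " + NOOP_DRIVER + "\n"


def load_ini(text):
    """Parse an ini fragment in ml2_conf.ini / linuxbridge_agent.ini style."""
    cp = configparser.ConfigParser(allow_no_value=True)
    cp.read_string(text)
    return cp


def is_firewall_enabled(cp):
    """Mirror neutron: only enable_security_group decides (default True)."""
    return cp.getboolean("securitygroup", "enable_security_group", fallback=True)


def effective_extensions(cp, aliases):
    """Extension aliases that remain loaded after neutron applies the config."""
    if is_firewall_enabled(cp):
        return list(aliases)
    return [a for a in aliases if a not in SG_DEPENDENT_EXTENSIONS]


def expected_port_binding(cp, network_port_security):
    """port_filter follows the agent firewall, not --disable-port-security."""
    return {"port_security_enabled": network_port_security,
            "port_filter": is_firewall_enabled(cp)}


def audit(cp):
    """Flag the combination the post calls ineffective, plus its inverse."""
    driver = cp.get("securitygroup", "firewall_driver", fallback=None)
    findings = []
    if is_firewall_enabled(cp) and driver == NOOP_DRIVER:
        findings.append("enable_security_group=True with NoopFirewallDriver: "
                        "SG extensions stay loaded and port_filter stays True")
    if not is_firewall_enabled(cp) and driver == IPTABLES_DRIVER:
        findings.append("enable_security_group=False with IptablesFirewallDriver: "
                        "set both values to the disabled pair")
    return findings
```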

Otherwise the following problem can occur:

With an IP manually assigned outside neutron's management, ping works across VMs and across hosts,

but OVS deployed inside the VM in kube-ovn underlay mode cannot ping at all; this problem is fairly subtle.

Article link: https://www.haomeiwen.com/subject/aobhvltx.html