neutron linux-bridge: disabling security groups

Author: cloudFans | Published 2021-07-31 10:38 | Read 0 times
    1. Neutron security-group configuration

    At deployment time the security-group settings must be configured correctly, not simply removed from the configuration files.

    (py3env) [root@ccn01 kolla-ansible]# cat /etc/kolla/neutron-linuxbridge-agent/linuxbridge_agent.ini
    [agent]

    [linux_bridge]
    physical_interface_mappings = physnet1:eno1,physnet2:eno2,physnet3:ens4f1

    [securitygroup]
    enable_security_group = True
    firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver

    [vxlan]
    enable_vxlan = False

    (py3env) [root@ccn01 kolla-ansible]# cat /etc/kolla/neutron-server/ml2_conf.ini
    [ml2]
    type_drivers = flat
    tenant_network_types =
    mechanism_drivers = linuxbridge
    extension_drivers = port_security

    [ml2_type_vlan]

    [securitygroup]

    [ml2_type_flat]
    flat_networks = physnet1,physnet2,physnet3

    [ml2_type_vxlan]

    2. When creating the networks, disable port security (--disable-port-security)

    Management provider network for the nodes (VMs)

    openstack network create --disable-port-security --share --external --provider-physical-network physnet3 --provider-network-type flat manage

    openstack subnet create --subnet-range 10.120.24.0/21 --gateway 10.120.31.254 --network manage --allocation-pool start=10.120.29.0,end=10.120.30.200 manage-subnet

    Service (business) provider network

    openstack network create --disable-port-security --no-default --share --external --provider-physical-network physnet2 --provider-network-type flat pubnet

    openstack subnet create --subnet-range 10.120.32.0/20 --gateway none --network pubnet --allocation-pool start=10.120.32.100,end=10.120.33.255 --dns-nameserver 10.100.1.10 --dns-nameserver 114.114.114.114 pub-subnet

    Storage provider network

    openstack network create --disable-port-security --no-default --share --external --provider-physical-network physnet1 --provider-network-type flat storage

    openstack subnet create --subnet-range 10.120.13.0/24 --gateway none --network storage --allocation-pool start=10.120.13.128,end=10.120.13.159 storage-subnet

    Confirm that the bridge and the namespace were created correctly on the network node

    Each provider network corresponds to one bridge and one namespace

    Add the DHCP agent through the Horizon UI

    ansible control -i /root/pre.ha -m shell -a "brctl show"

    The first initialization of the neutron bridges reported errors; it is best to restart the services

    ansible control -i /root/pre.ha -m shell -a "docker restart neutron_server neutron_metadata_agent neutron_dhcp_agent neutron_linuxbridge_agent"

    ############ Correction #############

    Neutron security groups: summary

    1. Only the security-group settings in ml2_conf.ini take effect

    ansible/roles/neutron/templates/ml2_conf.ini.j2

    [securitygroup]
    {% if neutron_plugin_agent == "linuxbridge" %}
    enable_security_group = False
    firewall_driver = neutron.agent.firewall.NoopFirewallDriver
    {% endif %}

    enable_security_group and firewall_driver must be set as a consistent pair

    enable_security_group = True
    firewall_driver = neutron.agent.firewall.NoopFirewallDriver

    This combination of settings is invalid, as the following neutron code shows:

    neutron\neutron\agent\securitygroups_rpc.py

    # imports as in the neutron module (trimmed to what these functions use)
    from neutron_lib.api.definitions import rbac_security_groups as rbac_sg_apidef
    from neutron_lib.api.definitions import stateful_security_group as stateful_sg
    from oslo_config import cfg
    from oslo_log import log as logging

    LOG = logging.getLogger(__name__)


    def is_firewall_enabled():
        # read from the [securitygroup] section of the config neutron-server loads
        return cfg.CONF.SECURITYGROUP.enable_security_group


    def _disable_extension(extension, aliases):
        if extension in aliases:
            aliases.remove(extension)


    def disable_security_group_extension_by_config(aliases):
        if not is_firewall_enabled():
            LOG.info('Disabled security-group extension.')
            _disable_extension('security-group', aliases)
            _disable_extension(rbac_sg_apidef.ALIAS, aliases)
            _disable_extension(stateful_sg.ALIAS, aliases)
            LOG.info('Disabled allowed-address-pairs extension.')
            _disable_extension('allowed-address-pairs', aliases)  # note: the code makes allowed-address-pairs depend on security groups
            LOG.info('Disabled address-group extension.')
            _disable_extension('address-group', aliases)

    As long as

    enable_security_group = True

    a port created on a network that has port security disabled still shows:

    (py3env) [root@ccn01 ~]# openstack port show ab26985f-f8d5-4497-bb25-e6324cdc0385
    +-------------------------+---------------------------------------------+
    | Field                   | Value                                       |
    +-------------------------+---------------------------------------------+
    | admin_state_up          | UP                                          |
    | allowed_address_pairs   | None                                        |
    | binding_host_id         | ccn03                                       |
    | binding_profile         |                                             |
    | binding_vif_details     | connectivity='l2', port_filter='True'       |  # still True here: a port using an address not managed by neutron still does not work
    ...
    | port_security_enabled   | False                                       |

    (py3env) [root@ccn01 ~]# openstack port show a06b18e8-8347-48c1-848f-cebeb9048cc4
    +-------------------------+---------------------------------------------+
    | Field                   | Value                                       |
    +-------------------------+---------------------------------------------+
    | admin_state_up          | UP                                          |
    | allowed_address_pairs   | None                                        |
    | binding_host_id         | ccn03                                       |
    | binding_profile         |                                             |
    | binding_vif_details     | connectivity='l2', port_filter='False'      |
    ...
    | port_security_enabled   | False                                       |

    In other words, unless security groups are disabled on the server side, disabling port security at network creation time has no effect.

    The remaining settings are ineffective, as in the following templates:

    ansible/roles/neutron/templates/linuxbridge_agent.ini.j2

    [securitygroup]
    enable_security_group = True
    firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
    {% if neutron_plugin_agent == "linuxbridge" %}
    enable_security_group = False
    firewall_driver = neutron.agent.firewall.NoopFirewallDriver
    {% endif %}

    ansible/roles/nova-cell/templates/nova.conf.j2
    {% if neutron_plugin_agent == "linuxbridge" %}
    firewall_driver = nova.virt.firewall.NoopFirewallDriver
    {% endif %}

    Otherwise the following problem can appear:

    an IP address assigned manually, outside neutron's management, can be pinged across VMs and across hosts,

    but OVS / kube-ovn deployed inside the VMs in underlay mode cannot ping; this problem is fairly subtle.
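    To turn the summary above into a repeatable check, here is an added example (my own code, not from the original post, neutron or kolla-ansible) that audits the [securitygroup] sections of ml2_conf.ini and linuxbridge_agent.ini for the setting combinations discussed on this page, and flags ports whose `openstack port show` record still carries port_filter=True although port_security_enabled is False. The file contents and port records inside the block are constructed samples modelled on the post's output; in a real deployment feed it the files from the /etc/kolla/neutron-server and /etc/kolla/neutron-linuxbridge-agent directories and the JSON from `openstack port show -f json <id>`.

```python
"""Audit neutron security-group settings on a linux-bridge deployment.

Added example for this post; not code from neutron, kolla-ansible or the
original article.  It checks the two points made in the summary:

  1. [securitygroup] in ml2_conf.ini (read by neutron-server) and in
     linuxbridge_agent.ini must agree; enable_security_group = True pairs
     with a real firewall driver, False pairs with the Noop driver.
     True + NoopFirewallDriver is the combination the post calls invalid.
  2. A port whose binding_vif_details still says port_filter=True is
     filtered even when port_security_enabled is False: the case in the
     post where a manually assigned, non-neutron IP inside the VM fails.

All file contents and port records below are constructed samples.
"""
import configparser
import json

NOOP_DRIVER = "neutron.agent.firewall.NoopFirewallDriver"


def parse_securitygroup(ini_text):
    """Return (enable_security_group, firewall_driver) for one ini file.

    strict=False accepts a key that appears twice in a section, which is
    what the kolla template quoted in the post renders (default line, then
    the linuxbridge override); the last assignment wins.  A missing
    enable_security_group is reported as True, neutron's default.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(ini_text)
    if not cp.has_section("securitygroup"):
        return True, None
    sec = cp["securitygroup"]
    return (sec.getboolean("enable_security_group", fallback=True),
            sec.get("firewall_driver", fallback=None))


def audit_sg_config(server_ini, agent_ini):
    """Return a list of findings; an empty list means the files are consistent."""
    findings = []
    parsed = {"ml2_conf.ini": parse_securitygroup(server_ini),
              "linuxbridge_agent.ini": parse_securitygroup(agent_ini)}
    for name, (enabled, driver) in parsed.items():
        if enabled and driver == NOOP_DRIVER:
            findings.append(f"{name}: enable_security_group=True with "
                            "NoopFirewallDriver (advertised but never enforced)")
        elif enabled and not driver:
            findings.append(f"{name}: enable_security_group=True without a firewall_driver")
        elif not enabled and driver != NOOP_DRIVER:
            findings.append(f"{name}: enable_security_group=False should pair with {NOOP_DRIVER}")
    if parsed["ml2_conf.ini"][0] != parsed["linuxbridge_agent.ini"][0]:
        findings.append("ml2_conf.ini and linuxbridge_agent.ini disagree on enable_security_group; "
                        "the post's port output shows port_filter following the server-side value")
    return findings


def vif_port_filter(port):
    """True if the bound vif reports port_filter=True (bool in JSON, 'True' in table output)."""
    value = (port.get("binding_vif_details") or {}).get("port_filter", False)
    if isinstance(value, str):
        return value.strip("'").lower() == "true"
    return bool(value)


def misleading_ports(port_records):
    """IDs of ports with port security disabled that the agent still filters.

    Each record is the JSON printed by `openstack port show -f json <id>`.
    """
    hits = []
    for rec in port_records:
        port = json.loads(rec) if isinstance(rec, str) else rec
        if not port.get("port_security_enabled", True) and vif_port_filter(port):
            hits.append(port["id"])
    return hits


# Constructed samples: the "before" server config, the agent file as the
# kolla template renders it, the corrected server config, and the two
# ports from the post (IDs reused, everything else made up).
SERVER_INI_BEFORE = """
[securitygroup]
enable_security_group = True
firewall_driver = neutron.agent.firewall.NoopFirewallDriver
"""
AGENT_INI_RENDERED = """
[securitygroup]
enable_security_group = True
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
enable_security_group = False
firewall_driver = neutron.agent.firewall.NoopFirewallDriver
"""
SERVER_INI_FIXED = """
[securitygroup]
enable_security_group = False
firewall_driver = neutron.agent.firewall.NoopFirewallDriver
"""
PORTS = [
    json.dumps({"id": "ab26985f-f8d5-4497-bb25-e6324cdc0385", "binding_host_id": "ccn03",
                "binding_vif_details": {"connectivity": "l2", "port_filter": True},
                "port_security_enabled": False}),
    json.dumps({"id": "a06b18e8-8347-48c1-848f-cebeb9048cc4", "binding_host_id": "ccn03",
                "binding_vif_details": {"connectivity": "l2", "port_filter": False},
                "port_security_enabled": False}),
]

if __name__ == "__main__":
    for label, srv in (("before", SERVER_INI_BEFORE), ("fixed", SERVER_INI_FIXED)):
        print(label, audit_sg_config(srv, AGENT_INI_RENDERED) or ["ok"])
    print("ports still filtered despite port_security_enabled=False:", misleading_ports(PORTS))
```

    Against the "before" config the audit reports the True + Noop pair in ml2_conf.ini and the server/agent mismatch; against the corrected config it reports nothing, and only the first port (port_filter='True') is listed as still filtered. On a live cloud, loop over `openstack port list -f value -c ID` and pass each `openstack port show -f json` result to misleading_ports to find ports that will silently drop traffic from addresses neutron does not manage.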


        Article URL: https://www.haomeiwen.com/subject/aobhvltx.html