Some projects run into HA-related issues, and keepalived is a widely used module for solving them. As OpenStack has become common in cloud computing, more and more projects are migrating into KVM environments created by OpenStack.
Disclaimer: This document is only for learning and exchange; please do not use it for other commercial purposes.
Author: Chaoyang _tony
E-mail:linzhaolover@163.com
Create date:2016-2-27 14:10:01
Last change:2016-2-27 14:50:08
When reprinting, please cite the source: http://blog.csdn.net/linzhaolover
Create KVM
Use Nova to create 3 KVM instances (base image: RHEL 7.1 ppc64le) in the OpenStack environment. Each instance should have both an internal IP and a floating IP attached.
nova list
+--------------------------------------+-----------------------------------+--------+------------+-------------+--------------------------------------+
| ID                                   | Name                              | Status | Task State | Power State | Networks                             |
+--------------------------------------+-----------------------------------+--------+------------+-------------+--------------------------------------+
| ef1f1a66-1375-4d9a-b99b-580c8340b59d | linzhbj-kvm.ppc64le-keepalived-n0 | ACTIVE | -          | Running     | ent_vlan=192.168.33.14, 172.16.0.237 |
| 3eb18869-97c5-42cb-94e7-466d52d4199d | linzhbj-kvm.ppc64le-keepalived-n1 | ACTIVE | -          | Running     | ent_vlan=192.168.33.15, 172.16.0.238 |
| daf4b686-c33d-48e5-89cc-0a0f99d8fb73 | linzhbj-kvm.ppc64le-keepalived-n2 | ACTIVE | -          | Running     | ent_vlan=192.168.33.91, 172.16.0.239 |
+--------------------------------------+-----------------------------------+--------+------------+-------------+--------------------------------------+
Create internal IP and floating IP
One will be used as the overall virtual IP.
neutron port-create internal_vlan
nova floating-ip-create Floating_vlan
Neutron port listing:
| 5c09376e-bd65-4aed-9f4e-dd6ba2879a27 | linzhbj_keepalived_vip0      | fa:16:3e:4f:47:21 | {"subnet_id": "585b7e7e-e890-4b4b-90f9-e877605f5d5e", "ip_address": "192.168.33.91"} |
| 0e0c48e6-2e32-48c5-a01d-c059c4931064 | linzhbj_keepalived_vip1      | fa:16:3e:f9:4f:41 | {"subnet_id": "585b7e7e-e890-4b4b-90f9-e877605f5d5e", "ip_address": "192.168.33.14"} |
| b133aa34-a2fc-4c05-a962-18118de6db83 | linzhbj_keepalived_vip2      | fa:16:3e:aa:02:ea | {"subnet_id": "585b7e7e-e890-4b4b-90f9-e877605f5d5e", "ip_address": "192.168.33.15"} |
| 5ffd38c7-9ec3-4661-84f9-048eda70f738 | linzhbj_keepalived_vip_total | fa:16:3e:ea:81:6a | {"subnet_id": "585b7e7e-e890-4b4b-90f9-e877605f5d5e", "ip_address": "192.168.33.92"} |
nova floating-ip-list
+--------------------------------------+--------------+--------------------------------------+---------------+---------+
| Id                                   | IP           | Server Id                            | Fixed IP      | Pool    |
+--------------------------------------+--------------+--------------------------------------+---------------+---------+
| 0730073b-9758-409f-843a-0f40e8f9b300 | 172.16.0.238 | 3eb18869-97c5-42cb-94e7-466d52d4199d | 192.168.33.15 | ext_net |
| 1c9c3745-d7d4-435c-b8c5-c19d415fde71 | 172.16.0.239 | daf4b686-c33d-48e5-89cc-0a0f99d8fb73 | 192.168.33.91 | ext_net |
| 7d056ad6-b2d9-47ae-92f3-d383d2aab366 | 172.16.1.60  |                                      | 192.168.33.92 | ext_net |
| a948ef38-01b6-4922-8025-067c0c610f17 | 172.16.0.237 | ef1f1a66-1375-4d9a-b99b-580c8340b59d | 192.168.33.14 | ext_net |
+--------------------------------------+--------------+--------------------------------------+---------------+---------+
Associate the floating IP with the internal IP:
neutron floatingip-associate 7d056ad6-b2d9-47ae-92f3-d383d2aab366 5ffd38c7-9ec3-4661-84f9-048eda70f738
Configure keepalived
On each KVM instance, install keepalived and configure it to start at boot.
yum install keepalived
Edit the keepalived configuration:
vim /etc/keepalived/keepalived.conf
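global_defs {
    notification_email {
        linzhaolover@163.com
    }
    notification_email_from linzhaolover@163.com
    smtp_server 127.0.0.1
    smtp_connect_timeout <seconds>   # value missing from the original page
    router_id NodeA
}
vrrp_instance lnmp {
    state BACKUP
    interface eth0
    virtual_router_id <id>           # value missing from the original page; must be the same on all three nodes
    priority 170
    advert_int 5
    track_interface {
        eth0
    }
    authentication {
        auth_type PASS
        auth_pass 123456             # example value; PASS authentication is carried in clear text in VRRP adverts
    }
    virtual_ipaddress {
        192.168.33.92/20 dev eth0
    }
}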
service keepalived restart
ip addr
[root@host-192-168-33-15 ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1454 qdisc pfifo_fast state UP qlen 1000
    link/ether fa:16:3e:aa:02:ea brd ff:ff:ff:ff:ff:ff
    inet 192.168.33.15/20 brd 192.168.47.255 scope global dynamic eth0
       valid_lft 85999sec preferred_lft 85999sec
    inet 192.168.33.92/20 scope global secondary eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::f816:3eff:feaa:2ea/64 scope link
       valid_lft forever preferred_lft forever
View the log generated by keepalived:
tail -f /var/log/messages
With keepalived configured on all three KVM instances, the test does not pass:
ping 192.168.33.92
The ping gets no response. Something seems to be missing: the iptables rules are absent.
Key configuration: allowed address pairs
# neutron port-update <port-uuid> --allowed-address-pairs type=dict list=true mac_address=<mac_address>,ip_address=<ip_cidr>
mac_address is the MAC address of the KVM instance and ip_address is the address of the virtual IP. These must not be mixed up.
neutron port-update 5c09376e-bd65-4aed-9f4e-dd6ba2879a27 --name linzhbj_keepalived_vip0 --allowed-address-pairs type=dict list=true mac_address="fa:16:3e:4f:47:21",ip_address=192.168.33.92
neutron port-update 0e0c48e6-2e32-48c5-a01d-c059c4931064 --name linzhbj_keepalived_vip1 --allowed-address-pairs type=dict list=true mac_address="fa:16:3e:f9:4f:41",ip_address=192.168.33.92
neutron port-update b133aa34-a2fc-4c05-a962-18118de6db83 --name linzhbj_keepalived_vip2 --allowed-address-pairs type=dict list=true mac_address="fa:16:3e:aa:02:ea",ip_address=192.168.33.92
On the compute node, check the iptables rules:
iptables -S | grep 192.168.33.92
-A neutron-openvswi-s0e0c48e6-2 -s 192.168.33.92/32 -m mac --mac-source fa:16:3e:f9:4f:41 -m comment --comment "Allow traffic from defined IP/MAC pairs." -j RETURN
-A neutron-openvswi-s5c09376e-b -s 192.168.33.92/32 -m mac --mac-source fa:16:3e:4f:47:21 -m comment --comment "Allow traffic from defined IP/MAC pairs." -j RETURN
-A neutron-openvswi-sb133aa34-a -s 192.168.33.92/32 -m mac --mac-source fa:16:3e:aa:02:ea -m comment --comment "Allow traffic from defined IP/MAC pairs." -j RETURN
Each rule corresponds to the MAC address of one KVM instance.
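The compute-node check described above can be scripted. The following is an added example, not part of the original post: it reads `iptables -S` output and reports any instance MAC that lacks an anti-spoofing RETURN rule for the VIP. The function name check_vip_pairs and the sample rules are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): confirm that each instance MAC
# has a Neutron anti-spoofing RETURN rule for the VIP in `iptables -S` output.

# Constructed sample, modelled on the rules shown above: the port with MAC
# fa:16:3e:4f:47:21 has only its fixed IP allowed, and one MAC is printed in
# upper case to exercise case-insensitive matching.
SAMPLE_RULES='-A neutron-openvswi-s0e0c48e6-2 -s 192.168.33.92/32 -m mac --mac-source fa:16:3e:f9:4f:41 -m comment --comment "Allow traffic from defined IP/MAC pairs." -j RETURN
-A neutron-openvswi-s5c09376e-b -s 192.168.33.91/32 -m mac --mac-source fa:16:3e:4f:47:21 -m comment --comment "Allow traffic from defined IP/MAC pairs." -j RETURN
-A neutron-openvswi-sb133aa34-a -s 192.168.33.92/32 -m mac --mac-source FA:16:3E:AA:02:EA -m comment --comment "Allow traffic from defined IP/MAC pairs." -j RETURN'

# check_vip_pairs VIP MAC...   (reads `iptables -S` text on stdin)
# Prints "OK <mac> <chain>" or "MISSING <mac>" per MAC; returns the number missing.
check_vip_pairs() {
    vip="$1"; shift
    rules="$(cat)"
    missing=0
    for mac in "$@"; do
        chain="$(printf '%s\n' "$rules" | awk -v vip="$vip/32" -v mac="$mac" '
            BEGIN { mac = tolower(mac) }
            $1 == "-A" && $2 ~ /^neutron-openvswi-s/ {
                src = ""; m = ""; tgt = ""
                for (i = 3; i < NF; i++) {
                    if ($i == "-s") src = $(i + 1)
                    else if ($i == "--mac-source") m = tolower($(i + 1))
                    else if ($i == "-j") tgt = $(i + 1)
                }
                if (src == vip && m == mac && tgt == "RETURN") { print $2; exit }
            }')"
        if [ -n "$chain" ]; then
            echo "OK $mac $chain"
        else
            echo "MISSING $mac"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# On a compute node: iptables -S | check_vip_pairs 192.168.33.92 <mac>...
printf '%s\n' "$SAMPLE_RULES" |
    check_vip_pairs 192.168.33.92 fa:16:3e:f9:4f:41 fa:16:3e:4f:47:21 fa:16:3e:aa:02:ea ||
    echo "$? MAC(s) lack an allowed-address-pair rule for the VIP"
```

A MISSING line means the security-group anti-spoofing chain for that port will drop packets the instance sends with the VIP as source, which matches the failed ping described above.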
Summary
For the corresponding service to run properly on OpenStack KVM instances, Neutron must be configured with rules that allow its traffic. This is troublesome, but it provides very good protection. When you hit a problem, think it through. O(∩_∩)O~
Bugs
Bug encountered when running port-update:
nt-628a69c Policy doesn't allow (rule:update_port and rule:update_port:allowed_address_pairs) to be performed.
vim /etc/neutron/policy.json
Change
"update_port:allowed_address_pairs": "rule:admin_or_network_owner",
to
"update_port:allowed_address_pairs": "rule:admin_or_owner",
With this change the owner of a port, not only an admin or the owner of the network, may set allowed address pairs on it. Nova and Neutron each have their own policy file, so the rule has to be set in the right one before the command is permitted.
The system has no per-KVM iptables rules
vim /etc/sysctl.conf
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.default.rp_filter=0
Make the configuration take effect:
sysctl -p
vim /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini
[securitygroup]
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
Restart the agent:
service neutron-plugin-openvswitch-agent restart
# iptables -S | grep 192.168.33
-A neutron-openvswi-s0e0c48e6-2 -s 192.168.33.92/32 -m mac --mac-source fa:16:3e:f9:4f:41 -m comment --comment "Allow traffic from defined IP/MAC pairs." -j RETURN
-A neutron-openvswi-s0e0c48e6-2 -s 192.168.33.14/32 -m mac --mac-source fa:16:3e:f9:4f:41 -m comment --comment "Allow traffic from defined IP/MAC pairs." -j RETURN
-A neutron-openvswi-s5c09376e-b -s 192.168.33.92/32 -m mac --mac-source fa:16:3e:4f:47:21 -m comment --comment "Allow traffic from defined IP/MAC pairs." -j RETURN
-A neutron-openvswi-s5c09376e-b -s 192.168.33.91/32 -m mac --mac-source fa:16:3e:4f:47:21 -m comment --comment "Allow traffic from defined IP/MAC pairs." -j RETURN