Application of KeepAlive in OpenStack Nova KVM

Application of KeepAlive in OpenStack Nova KVM _keepalive

Last Update:2018-08-23 Source: Internet

Author: User

Tags iptables openvswitch

Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more ＞

In some projects, ha-related issues are encountered, and keepalive is a widely used functional module, and as OpenStack is common in cloud computing, more and more projects migrate into the KVM environment created by OpenStack.

Disclaimer: This document is only for learning and exchange, please do not use for other commercial purposes
Author: Chaoyang _tony
E-mail:linzhaolover@163.com
Create date:2016-2-27 14:10:01
Last change:2016-2-27 14:50:08
Reprint please specify the Source: Http://blog.csdn.net/linzhaolover Create KVM

Using Nova to create 3 Kvm,baseimage:rhel 7.1 ppc64le in the OpenStack environment, both internal IP and floating IP should be mounted

Nova list +--------------------------------------+-----------------------------------+--------+------------+---- ---------+--------------------------------------+
| ID | Name | Status | Task State | Power state |
Networks | +--------------------------------------+-----------------------------------+--------+------------+------------- +--------------------------------------+
| ef1f1a66-1375-4d9a-b99b-580c8340b59d | Linzhbj-kvm.ppc64le-keepalived-n0 | ACTIVE | -          | Running | ent_vlan=192.168.33.14, 172.16.0.237 | | 3eb18869-97c5-42cb-94e7-466d52d4199d | linzhbj-kvm.ppc64le-keepalived-n1 | ACTIVE | -          | Running | ent_vlan=192.168.33.15, 172.16.0.238 | | daf4b686-c33d-48e5-89cc-0a0f99d8fb73 | linzhbj-kvm.ppc64le-keepalived-n2 | ACTIVE | -          | Running |
ent_vlan=192.168.33.91, 172.16.0.239 | +--------------------------------------+-----------------------------------+--------+------------+-------------+--------------------------------------+ Create internal IP and floating IP One will be used as a total virtual IP neutron port-create internal_vlan nova floating-ip-create Floating_vlan Neutron | 5c09376e-bd65-4aed-9f4e-dd6ba2879a27 | Linzhbj_keepalived_vip0 | fa:16:3e:4f:47:21 | {"subnet_id": "585b7e7e-e890-4b4b-90f9-e877605f5d5e", "IP_Address": "192.168.33.91"} | | 0e0c48e6-2e32-48c5-a01d-c059c4931064 | Linzhbj_keepalived_vip1 | fa:16:3e:f9:4f:41 | {"subnet_id": "585b7e7e-e890-4b4b-90f9-e877605f5d5e", "IP_Address": "192.168.33.14"} | | b133aa34-a2fc-4c05-a962-18118de6db83 | LINZHBJ_KEEPALIVED_VIP2 | Fa:16:3e:aa:02:ea | {"subnet_id": "585b7e7e-e890-4b4b-90f9-e877605f5d5e", "IP_Address": "192.168.33.15"} | | 5ffd38c7-9ec3-4661-84f9-048eda70f738 | Linzhbj_keepalived_vip_total | fa:16:3e:ea:81:6a |
{"subnet_id": "585b7e7e-e890-4b4b-90f9-e877605f5d5e", "IP_Address": "192.168.33.92"} | Nova Floating-ip-list +--------------------------------------+--------------+--------------------------------------+---------------+---------+
| Id | IP | Server Id | Fixed IP |
Pool | +--------------------------------------+--------------+--------------------------------------+---------------+- --------+
| 0730073b-9758-409f-843a-0f40e8f9b300 | 172.16.0.238 | 3eb18869-97c5-42cb-94e7-466d52d4199d | 192.168.33.15 | ext_net | | 1c9c3745-d7d4-435c-b8c5-c19d415fde71 | 172.16.0.239 | daf4b686-c33d-48e5-89cc-0a0f99d8fb73 | 192.168.33.91 | ext_net | | 7d056ad6-b2d9-47ae-92f3-d383d2aab366 |                                      172.16.1.60 | | 192.168.33.92 | ext_net | | A948ef38-01b6-4922-8025-067c0c610f17 | 172.16.0.237 | ef1f1a66-1375-4d9a-b99b-580c8340b59d | 192.168.33.14 |
ext_net | +--------------------------------------+--------------+--------------------------------------+---------------+- --------+ to mount floating IP and internal IP, neutron floatingip-associate 7d056ad6-b2d9-47ae-92f3-d383d2aab366 5ffd38c7-9ec3-4661-84f9-048eda70f738

Configure keepalived

Go to each KVM install keepalived and configure boot

Yum Install keepalived

Edit Keepalived Configuration

vim/etc/keepalived/keepalived.conf
global_defs
{
    notification_email
    {
        linzhaolover@163.com
    }
    Notification_email_from linzhaolover@163.com
    smtp_server 127.0.0.1
    stmp_connect_timeout router_id
    NodeA
}

vrrp_instance lnmp {State
            BACKUP
    interface eth0
    virtual_router_id
    Priority 170
    Advert_int 5
    track_interface {
        eth0
    }
    Authentication {
        Auth_type Pass
        auth_pass 123456
    }
    virtual_ipaddress {
      192.168.33.92/20 dev eth0
    }
}

Service keepalived Restart
IP addr

[root@host-192-168-33-15 ~]# IP addr
1:lo: <LOOPBACK,UP,LOWER_UP> MTU 65536 Qdisc-noqueue state UNKNOWN
    Li Nk/loopback 00:00:00:00:00:00 BRD 00:00:00:00:00:00
    inet 127.0.0.1/8 Scope host lo
       valid_lft forever Preferred_ LfT Forever
    Inet6:: 1/128 scope host
       Valid_lft forever Preferred_lft Forever
: 2:eth0, Multicast,up,lower_up> MTU 1454 Qdisc pfifo_fast State up Qlen 1000 link/ether fa:16:3e:aa:02:ea brd ff:ff:ff:ff:f
    F:ff
    inet 192.168.33.15/20 BRD 192.168.47.255 scope Global dynamic eth0
       valid_lft 85999sec preferred_lft 85999sec
    inet 192.168.33.92/20 Scope Global secondary eth0
       valid_lft
    Forever Preferred_lft Forever Inet6 fe80::f816:3eff:feaa:2ea/64 scope link
       valid_lft forever preferred_lft Forever

View Log generated by keepalive
tail-f/var/log/messages

All three KVM keepalived configuration, the test does not pass,
Ping 192.168.33.92
It doesn't make sense, seems to be missing something, is less iptable Rules key config allow pairs

# neutron port-update <port-uuid>--allowed-address-pairs type=dict list=true mac_address=<mac_address> Ip_address=<ip_cidr> Mac_address is a KVM MAC address, IP_Address is the address of virtual IP, this must not be mistaken neutron port-update 5c09376e-bd6 5-4aed-9f4e-dd6ba2879a27--name linzhbj_keepalived_vip0--allowed-address-pairs type=dict list=true mac_address= "fa : 16:3e:4f:47:21 ", ip_address=192.168.33.92 neutron port-update 0e0c48e6-2e32-48c5-a01d-c059c4931064--name linzhbj_ Keepalived_vip1--allowed-address-pairs type=dict list=true mac_address= "fa:16:3e:f9:4f:41", ip_address= 192.168.33.92 Neutron port-update b133aa34-a2fc-4c05-a962-18118de6db83--name linzhbj_keepalived_vip2-- Allowed-address-pairs type=dict list=true mac_address= "Fa:16:3e:aa:02:ea", ip_address=192.168.33.92 node in compute Middle check iptables Rule iptables-s | grep 192.168.33.92-a neutron-openvswi-s0e0c48e6-2-S 192.168.33.92/32-m mac--mac-source fa:16:3e:f9:4f:41-m Comment- Comment "Allow traffic from defined Ip/mac pairs."-j Return-a Neutron-openvswi-s5c09376e-b-S 192.168.33.92/32-m mac--mac-source fa:16:3e:4f:47:21-m comment--comment "Al Low traffic from defined Ip/mac pairs. "-j return-a neutron-openvswi-sb133aa34-a-S 192.168.33.92/32-m MAC--mac-source Fa:16:3e:aa:02:ea-m comment--comment "Allow traffic from defined Ip/mac." Pairs return this is the corresponding-j rule for each KVM MAC

Summarize

OpenStack KVM, in order to run properly, run the corresponding service, must be configured in the neutron to allow the appropriate rules to be allowed to run. Although very troublesome, but played a very good protective effect; Use your head more often than the problem, O (∩_∩) o~ bug port-update when you encounter bugs

nt-628a69c Policy doesn ' t allow (Rule:update_port and Rule:update_port:allowed_address_pairs) to be performed.

Vim/etc/neutron/policy.json
Change 
"Update_port:allowed_address_pairs": "Rule:admin_or_network_owner", 
to "update_port:allowed_address_pairs": "Rule:admin_or_owner",

whether Nova or neutron have their own policy, So you have to set it up so you can.

System does not have individual KVM iptables rules

vim/etc/sysctl.conf net.ipv4.conf.all.rp_filter=0 net.ipv4.conf.default.rp_filter=0 make configuration effective sysctl-p vim/etc/neutron/ Plugins/openvswitch/ovs_neutron_plugin.ini [Securitygroup] firewall_driver = Neutron.agent.linux.iptables_firewall . Ovshybridiptablesfirewalldriver Restart Agent service neutron-plugin-openvswitch-agent Restart # Iptables-s | grep 192.168.33-a neutron-openvswi-s0e0c48e6-2-S 192.168.33.92/32-m mac--mac-source fa:16:3e:f9:4f:41-m Comment--com ment "Allow traffic from defined Ip/mac pairs."-j return-a neutron-openvswi-s0e0c48e6-2-S 192.168.33.14/32-m MAC--mac -source fa:16:3e:f9:4f:41-m Comment--comment "Allow traffic from defined Ip/mac." Pairs-j return-a C09376e-b-S 192.168.33.92/32-m mac--mac-source fa:16:3e:4f:47:21-m comment--comment "Allow traffic from defined Ip/ma C pairs. "-j return-a neutron-openvswi-s5c09376e-b-S 192.168.33.91/32-m mac--mac-source fa:16:3e:4f:47:21-m Comment- -comment "Allow traffic from defined Ip/mac PAIRS. "-j return

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

Sales Support

1 on 1 presale consultation

Chat Contact Sales
After-Sales Support

24/7 Technical Support 6 Free Tickets per Quarter Faster Response

Open a Ticket
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

Learn More