This method solves the problem of a Salt master that cannot connect to a Salt minion.
http://www.cnblogs.com/sammyliu/p/4981194.html
Network error troubleshooting case: ICMP host * * * unreachable - admin prohibited
1. Environment
A physical server, 9.115.251.86, hosts two virtual machines, each with two network cards:
    vm1: eth0 - 9.*.*.232, eth1 - 10.0.0.14
    vm2: eth0 - 9.8.*.219, eth1 - 10.0.0.10, running the DHCP Agent, which manages DNSMASQ and provides the DHCP service
The two eth1 interfaces are connected to a bridge on the physical machine:
    bridge name     bridge id               STP enabled     interfaces
    mgtbr0          8000.fa8013216b56       no              tap0
                                                            vnet1
                                                            vnet12
                                                            vnet13
                                                            vnet14
                                                            vnet16
                                                            vnet18
                                                            vnet2
                                                            vnet5
2. Error
A virtual machine, vmchild1, is created on VM1. At startup it sends a BOOTP request to obtain an IP address from the DHCP Agent. The DNSMASQ instance managed by the DHCP Agent receives the BOOTP requests normally and sends back replies, but VM1 never receives them.
tcpdump on VM2:
    15:30:14.135874 IP (Tos 0x0, TTL, id 46594, offset 0, flags [None], Proto UDP (), length 401)
        10.0.0.10.40589 > 10.0.0.14.8472: OTV, Flags [I] (0x08), overlay 0, instance 1027
    IP (Tos 0xc0, TTL, id 57625, offset 0, flags [None], Proto UDP (), length 351)
        50-0-0-10.static.sonic.net.bootps > 50-0-0-15.static.sonic.net.bootpc: bootp/dhcp, Reply, Length 323, XID 0x11f7631f, secs, Flags [None]
          Your-ip 50-0-0-15.static.sonic.net
          Server-ip 50-0-0-10.static.sonic.net
          client-ethernet-address fa:16:3e:ba:43:4c (oui Unknown)
          vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            dhcp-message option, length 1: offer
            server-id option 54, Length 4: 50-0-0-10.static.sonic.net
            lease-time option, length 4: 86400
            RN option, length 4: 43200
            RB option, length 4: 75600
            subnet-mask Option 1, length 4: 255.255.255.0
            BR Option, Length 4: 50-0-0-255.static.sonic.net
            domain-name option, Length: "Openstacklocal"
            Domain-name-server Option 6, Length 4: 50-0-0-10.static.sonic.net
            default-gateway Option 3, Length 4: 50-0-0-1.static.sonic.net
            Classless-static-route Option 121, Length: (60.0.0.0/24:0.0.0.0), (default:50-0-0-1.static.sonic.net)
    15:30:14.136118 IP (Tos 0xc0, TTL, id 10816, offset 0, flags [None], Proto ICMP (1), length 429)
        10.0.0.100 > 10.0.0.10: ICMP host 10.0.0.14 unreachable - admin prohibited, Length 409
        IP (Tos 0x0, TTL, id 46594, offset 0, flags [None], Proto UDP (a), length 401)
        10.0.0.10.40589 > 10.0.0.14.8472: otv, Flags [I] (0x08), overlay 0, instance 1027
Another problem also showed up:
    root@controller:~/s1# ping 10.0.0.13
    PING 10.0.0.13 (10.0.0.13) bytes of data.
    bytes from 10.0.0.13: icmp_seq=1 ttl=64 time=0.630 ms
    From 10.0.0.13: icmp_seq=2 Redirect Host (New nexthop:10.0.0.
    bytes from 10.0.0.13: icmp_seq=2 ttl=64 time=0.628 ms
    From 10.0.0.13: icmp_seq=3 Redirect Host (New nexthop: 10.0.0.13)
3. Locating the problem
The initial guess was that a firewall was blocking the BOOTP packets, so the firewalls on vm1 and vm2 were both turned off, which had no effect. Finally, the iptables rules on the physical machine were checked:
    [root@rh65 ~]# iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
    ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:bootps
    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
    ACCEPT     icmp --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT          --  anywhere             anywhere
    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:domain
    ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:domain
    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp
    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:16509
    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:16514
    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpts:vnc-server:cvsup
    REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             192.168.122.0/24    state RELATED,ESTABLISHED
    ACCEPT     all  --  192.168.122.0/24     anywhere
    ACCEPT     all  --  anywhere             anywhere
    REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
    REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
    ACCEPT     icmp --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere
    REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
It turned out that the FORWARD chain was blocking the ICMP-related packets.
4. Solution
Running service iptables stop on the physical machine shuts iptables down, which resolved the problem.
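An added example, not part of the original post: the source address of an ICMP unreachable is the device that generated it, and tcpdump's wording corresponds to a specific iptables `--reject-with` value, so the capture itself shows which machine's rules to inspect and which REJECT rule to look for. The sketch assumes numeric addresses (tcpdump -n); the function and field names are hypothetical, and the sample lines are tidied from the capture above plus one constructed line.

```python
import re

# tcpdump wording for ICMP type 3 -> (code, iptables --reject-with value).
# The more specific "prohibited filter" pattern must be tried first.
REJECT_TEXT = [
    (r"ICMP host (\S+) unreachable - admin prohibited filter", 13, "icmp-admin-prohibited"),
    (r"ICMP host (\S+) unreachable - admin prohibited", 10, "icmp-host-prohibited"),
    (r"ICMP net (\S+) unreachable - admin prohibited", 9, "icmp-net-prohibited"),
    # Code 3 is also sent by a host with no listener on the port, not only by REJECT.
    (r"ICMP (\S+) (?:udp|tcp) port \S+ unreachable", 3, "icmp-port-unreachable"),
]
# "<sender> > <receiver>: ICMP ..." with numeric addresses (tcpdump -n)
ICMP_LINE = re.compile(r"(\d+(?:\.\d+){3}) > (\d+(?:\.\d+){3}): (ICMP .*)")

# First two lines tidied from the capture on this page; the last is constructed.
SAMPLE = """\
10.0.0.10.40589 > 10.0.0.14.8472: OTV, flags [I] (0x08), overlay 0, instance 1027
10.0.0.100 > 10.0.0.10: ICMP host 10.0.0.14 unreachable - admin prohibited, length 409
192.0.2.1 > 192.0.2.50: ICMP 192.0.2.7 udp port 67 unreachable, length 36
"""

def find_rejects(capture):
    """Return one record per ICMP unreachable that looks like a firewall REJECT."""
    findings = []
    for line in capture.splitlines():
        m = ICMP_LINE.search(line)
        if not m:
            continue  # not an ICMP line (e.g. the VXLAN/UDP packet itself)
        sender, receiver, body = m.groups()
        for pattern, code, reject_with in REJECT_TEXT:
            hit = re.match(pattern, body)
            if hit:
                findings.append({
                    "rejecting_host": sender,      # device that generated the error
                    "original_sender": receiver,   # host being told "no"
                    "blocked_dst": hit.group(1),   # where the packet was headed
                    "icmp_code": code,
                    "reject_with": reject_with,
                })
                break
    return findings

if __name__ == "__main__":
    for f in find_rejects(SAMPLE):
        print("{rejecting_host} rejected traffic from {original_sender} to "
              "{blocked_dst}: look for '--reject-with {reject_with}'".format(**f))
```

Knowing the rejecting host and the `reject-with` value narrows the search to one rule on one machine, which can then be adjusted on its own instead of stopping the whole firewall.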