算节点上只能ping通该实例内部IP，ping不通浮动IP

我现在怀疑和NAT转换有关系.可能是数据包回流的问题造成的.收起

在做一个实验.
把那个虚拟机的floating ip去掉,然后ping一台物理主机(最好不要用控制和计算节点,找个其他的机器),ping之前在那个机器上写好路由,把去往虚拟机地址的包都转发给控制节点.是在虚拟机内部ping物理主机.收起

回复 22# zhanghao001122
会不会是iptables有问题，计算节点需要配置iptables吗？
控制节点iptables：
root@hwnode1:/home/ubuntu# iptables-save -t nat
# Generated by iptables-save v1.4.21 on Wed May 20 16:19:33 2015
*nat
:PREROUTING ACCEPT [133143:41811752]
:INPUT ACCEPT [130199:41418480]
:OUTPUT ACCEPT [63379:3994496]
:POSTROUTING ACCEPT [67196:4405430]
:nova-api-OUTPUT - [0:0]
:nova-api-POSTROUTING - [0:0]
:nova-api-PREROUTING - [0:0]
:nova-api-float-snat - [0:0]
:nova-api-snat - [0:0]
:nova-compute-OUTPUT - [0:0]
:nova-compute-POSTROUTING - [0:0]
:nova-compute-PREROUTING - [0:0]
:nova-compute-float-snat - [0:0]
:nova-compute-snat - [0:0]
:nova-network-OUTPUT - [0:0]
:nova-network-POSTROUTING - [0:0]
:nova-network-PREROUTING - [0:0]
:nova-network-float-snat - [0:0]
:nova-network-snat - [0:0]
:nova-postrouting-bottom - [0:0]
-A PREROUTING -j nova-network-PREROUTING
-A PREROUTING -j nova-compute-PREROUTING
-A PREROUTING -j nova-api-PREROUTING
-A OUTPUT -j nova-network-OUTPUT
-A OUTPUT -j nova-compute-OUTPUT
-A OUTPUT -j nova-api-OUTPUT
-A POSTROUTING -j nova-network-POSTROUTING
-A POSTROUTING -j nova-compute-POSTROUTING
-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING -j nova-api-POSTROUTING
-A POSTROUTING -j nova-postrouting-bottom
-A nova-api-snat -j nova-api-float-snat
-A nova-compute-snat -j nova-compute-float-snat
-A nova-network-OUTPUT -d 110.1.20.41/32 -j DNAT --to-destination 192.168.200.3
-A nova-network-OUTPUT -d 110.1.20.47/32 -j DNAT --to-destination 192.168.200.7
-A nova-network-OUTPUT -d 110.1.20.70/32 -j DNAT --to-destination 192.168.200.4
-A nova-network-OUTPUT -d 110.1.20.69/32 -j DNAT --to-destination 192.168.200.6
-A nova-network-POSTROUTING -s 192.168.200.0/24 -d 127.0.0.1/32 -j ACCEPT
-A nova-network-POSTROUTING -s 192.168.200.0/24 -d 192.168.200.0/24 -m conntrack ! --ctstate DNAT -j ACCEPT
-A nova-network-POSTROUTING -s 192.168.200.3/32 -m conntrack --ctstate DNAT -j SNAT --to-source 110.1.20.41
-A nova-network-POSTROUTING -s 192.168.200.7/32 -m conntrack --ctstate DNAT -j SNAT --to-source 110.1.20.47
-A nova-network-POSTROUTING -s 192.168.200.4/32 -m conntrack --ctstate DNAT -j SNAT --to-source 110.1.20.70
-A nova-network-POSTROUTING -s 192.168.200.6/32 -m conntrack --ctstate DNAT -j SNAT --to-source 110.1.20.69
-A nova-network-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8775
-A nova-network-PREROUTING -d 110.1.20.41/32 -j DNAT --to-destination 192.168.200.3
-A nova-network-PREROUTING -d 110.1.20.47/32 -j DNAT --to-destination 192.168.200.7
-A nova-network-PREROUTING -d 110.1.20.70/32 -j DNAT --to-destination 192.168.200.4
-A nova-network-PREROUTING -d 110.1.20.69/32 -j DNAT --to-destination 192.168.200.6
-A nova-network-float-snat -s 192.168.200.3/32 -d 192.168.200.3/32 -j SNAT --to-source 110.1.20.41
-A nova-network-float-snat -s 192.168.200.3/32 -o br100 -j SNAT --to-source 110.1.20.41
-A nova-network-float-snat -s 192.168.200.7/32 -d 192.168.200.7/32 -j SNAT --to-source 110.1.20.47
-A nova-network-float-snat -s 192.168.200.7/32 -o br100 -j SNAT --to-source 110.1.20.47
-A nova-network-float-snat -s 192.168.200.4/32 -d 192.168.200.4/32 -j SNAT --to-source 110.1.20.70
-A nova-network-float-snat -s 192.168.200.4/32 -o br100 -j SNAT --to-source 110.1.20.70
-A nova-network-float-snat -s 192.168.200.6/32 -d 192.168.200.6/32 -j SNAT --to-source 110.1.20.69
-A nova-network-float-snat -s 192.168.200.6/32 -o br100 -j SNAT --to-source 110.1.20.69
-A nova-network-snat -j nova-network-float-snat
-A nova-network-snat -s 192.168.200.0/24 -o br100 -j SNAT --to-source 110.1.20.21
-A nova-postrouting-bottom -j nova-network-snat
-A nova-postrouting-bottom -j nova-compute-snat
-A nova-postrouting-bottom -j nova-api-snat
COMMIT
# Completed on Wed May 20 16:19:33 2015

计算节点iptables
root@hwnode2:/home/ubuntu# iptables-save -t nat
# Generated by iptables-save v1.4.21 on Wed May 20 16:20:36 2015
*nat
:PREROUTING ACCEPT [111:22279]
:INPUT ACCEPT [19:5930]
:OUTPUT ACCEPT [205:13563]
:POSTROUTING ACCEPT [273:28920]
:nova-compute-OUTPUT - [0:0]
:nova-compute-POSTROUTING - [0:0]
:nova-compute-PREROUTING - [0:0]
:nova-compute-float-snat - [0:0]
:nova-compute-snat - [0:0]
:nova-postrouting-bottom - [0:0]
-A PREROUTING -j nova-compute-PREROUTING
-A OUTPUT -j nova-compute-OUTPUT
-A POSTROUTING -j nova-compute-POSTROUTING
-A POSTROUTING -j nova-postrouting-bottom
-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A nova-compute-snat -j nova-compute-float-snat
-A nova-postrouting-bottom -j nova-compute-snat
COMMIT
# Completed on Wed May 20 16:20:36 2015
root@hwnode2:/home/ubuntu#收起

回复 22# zhanghao001122
试过不行哦，只有在控制节点ping才通。收起

做这么一个实验.找一个和管理网络同一网段的机器,ping那个floating ip,别用计算节点去ping,看看能通吗收起

回复 20# zhanghao001122
试过将控制节点及计算节点路由转发都打开了，没有效果。
root@hwnode1:/home/ubuntu# sysctl -p
net.ipv4.ip_forward = 1

root@hwnode2:/home/ubuntu# sysctl -p
net.ipv4.ip_forward = 1收起

#net.ipv4.ip_forward=1
去掉注释
sysctl -p收起

回复 16# zhanghao001122
不是手动建的
在计算节点上创建虚拟机实例时自动生成的。应该是nova.conf配置文件里面指定了br100才会自动生成br100吧。收起

回复 17# zhanghao001122
是不是查看/etc/sysctl.conf
root@hwnode1:/home/ubuntu# more /etc/sysctl.conf
#
# /etc/sysctl.conf - Configuration file for setting system variables
# See /etc/sysctl.d/ for additional system variables.
# See sysctl.conf (5) for information.
#

#kernel.domainname = example.com

# Uncomment the following to stop low-level messages on console
#kernel.printk = 3 4 1 3

##############################################################3
# Functions previously found in netbase
#

# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
#net.ipv4.conf.default.rp_filter=1
#net.ipv4.conf.all.rp_filter=1

# Uncomment the next line to enable TCP/IP SYN cookies
# See http://lwn.net/Articles/277146/
# Note: This may impact IPv6 TCP sessions too
#net.ipv4.tcp_syncookies=1

# Uncomment the next line to enable packet forwarding for IPv4
#net.ipv4.ip_forward=1

# Uncomment the next line to enable packet forwarding for IPv6
#  Enabling this option disables Stateless Address Autoconfiguration
#  based on Router Advertisements for this host
#net.ipv6.conf.all.forwarding=1


###################################################################
# Additional settings - these settings can improve the network
# security of the host and prevent against some network attacks
# including spoofing attacks and man in the middle attacks through
# redirection. Some network environments, however, require that these
# settings are disabled so review and enable them as needed.
#
# Do not accept ICMP redirects (prevent MITM attacks)
#net.ipv4.conf.all.accept_redirects = 0
#net.ipv6.conf.all.accept_redirects = 0
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
# net.ipv4.conf.all.secure_redirects = 1
#
# Do not send ICMP redirects (we are not a router)
#net.ipv4.conf.all.send_redirects = 0
#
# Do not accept IP source route packets (we are not a router)
#net.ipv4.conf.all.accept_source_route = 0
#net.ipv6.conf.all.accept_source_route = 0
#
# Log Martian Packets
#net.ipv4.conf.all.log_martians = 1
#收起

看看控制节点的路由转发是否打开了收起