I am running a KVM instance inside OpenStack, and it is not getting an IP address from the DHCP server.
Using tcpdump, I can see the request and reply packets on vnet0 of the compute host:
# tcpdump -i vnet0 -n port 67 or port 68
tcpdump: WARNING: vnet0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vnet0, link-type EN10MB (Ethernet), capture size 65535 bytes
19:44:56.176727 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from fa:16:3e:46:f6:11, length 300
19:44:56.176785 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from fa:16:3e:46:f6:11, length 300
19:44:56.177315 IP 10.40.0.1.67 > 10.40.0.3.68: BOOTP/DHCP, Reply, length 319
19:45:02.179834 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from fa:16:3e:46:f6:11, length 300
19:45:02.179904 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from fa:16:3e:46:f6:11, length 300
19:45:02.180375 IP 10.40.0.1.67 > 10.40.0.3.68: BOOTP/DHCP, Reply, length 319
However, if I do the same on eth0 inside the KVM instance, I see only the request packets, not the reply packets. What could be stopping the packets from getting from the host's vnet0 to the guest's eth0?
My host is running Ubuntu 12.04 and my guest is running CentOS 6.3.
Note that I have added this rule to my iptables, but it does not solve the problem:
-A POSTROUTING -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
The instance corresponds to vnet0 and is attached via br100:
# brctl show
bridge name     bridge id               STP enabled     interfaces
br100           8000.54781a8605f2       no              eth1
                                                        vnet0
                                                        vnet1
virbr0          8000.000000000000       yes
Here is the full iptables-save output:
# Generated by iptables-save v1.4.12 on Tue Apr 2 19:47:27 2013
*nat
:PREROUTING ACCEPT [8323:2553683]
:INPUT ACCEPT [7993:2494942]
:OUTPUT ACCEPT [6158:461050]
:POSTROUTING ACCEPT [6455:511595]
:nova-compute-OUTPUT - [0:0]
:nova-compute-POSTROUTING - [0:0]
:nova-compute-PREROUTING - [0:0]
:nova-compute-float-snat - [0:0]
:nova-compute-snat - [0:0]
:nova-postrouting-bottom - [0:0]
-A PREROUTING -j nova-compute-PREROUTING
-A OUTPUT -j nova-compute-OUTPUT
-A POSTROUTING -j nova-compute-POSTROUTING
-A POSTROUTING -j nova-postrouting-bottom
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A nova-compute-snat -j nova-compute-float-snat
-A nova-postrouting-bottom -j nova-compute-snat
COMMIT
# Completed on Tue Apr 2 19:47:27 2013
# Generated by iptables-save v1.4.12 on Tue Apr 2 19:47:27 2013
*mangle
:PREROUTING ACCEPT [7969:5385812]
:INPUT ACCEPT [7905:5363718]
:FORWARD ACCEPT [158:48190]
:OUTPUT ACCEPT [6877:8647975]
:POSTROUTING ACCEPT [7035:8696165]
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Tue Apr 2 19:47:27 2013
# Generated by iptables-save v1.4.12 on Tue Apr 2 19:47:27 2013
*filter
:INPUT ACCEPT [2196774:15856921923]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2447201:1170227646]
:nova-compute-FORWARD - [0:0]
:nova-compute-INPUT - [0:0]
:nova-compute-OUTPUT - [0:0]
:nova-compute-inst-19 - [0:0]
:nova-compute-inst-20 - [0:0]
:nova-compute-local - [0:0]
:nova-compute-provider - [0:0]
:nova-compute-sg-fallback - [0:0]
:nova-filter-top - [0:0]
-A INPUT -j nova-compute-INPUT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A FORWARD -j nova-filter-top
-A FORWARD -j nova-compute-FORWARD
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -j nova-filter-top
-A OUTPUT -j nova-compute-OUTPUT
-A nova-compute-FORWARD -i br100 -j ACCEPT
-A nova-compute-FORWARD -o br100 -j ACCEPT
-A nova-compute-inst-19 -m state --state INVALID -j DROP
-A nova-compute-inst-19 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A nova-compute-inst-19 -j nova-compute-provider
-A nova-compute-inst-19 -s 10.40.0.1/32 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A nova-compute-inst-19 -s 10.40.0.0/16 -j ACCEPT
-A nova-compute-inst-19 -p tcp -m tcp --dport 22 -j ACCEPT
-A nova-compute-inst-19 -p icmp -j ACCEPT
-A nova-compute-inst-19 -j nova-compute-sg-fallback
-A nova-compute-inst-20 -m state --state INVALID -j DROP
-A nova-compute-inst-20 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A nova-compute-inst-20 -j nova-compute-provider
-A nova-compute-inst-20 -s 10.40.0.1/32 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A nova-compute-inst-20 -s 10.40.0.0/16 -j ACCEPT
-A nova-compute-inst-20 -p tcp -m tcp --dport 22 -j ACCEPT
-A nova-compute-inst-20 -p icmp -j ACCEPT
-A nova-compute-inst-20 -j nova-compute-sg-fallback
-A nova-compute-local -d 10.40.0.3/32 -j nova-compute-inst-19
-A nova-compute-local -d 10.40.0.4/32 -j nova-compute-inst-20
-A nova-compute-sg-fallback -j DROP
-A nova-filter-top -j nova-compute-local
COMMIT
# Completed on Tue Apr 2 19:47:27 2013
I had a similar problem; this fixed it for me:
echo 0 > /proc/sys/net/bridge/bridge-nf-call-iptables  # To disable iptables in the bridge.
For details see here: http://www.linuxfoundation.org/collaborate/workgroups/networking/bridge#No_traffic_gets_trough_.28except_ARP_and_STP.29
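To see what the fix above actually switches off, the following added example (written for this page; not code from the question, the answer, or OpenStack) walks packets through the nova security-group chains of the question's filter table. It is a deliberately small iptables evaluator: the embedded dump is the question's filter table abridged (a constructed sample) to the chains a packet addressed to instance 10.40.0.3 can reach, the packets are constructed, and only the match flags present in that dump are modelled. `bridge-nf-call-iptables` decides whether a frame bridged between two ports of br100 enters the FORWARD chain at all; a packet the host itself emits (a local dnsmasq, for instance) always traverses OUTPUT, which in this dump also jumps to nova-filter-top.

```python
import ipaddress

# Constructed sample: the question's filter table, abridged to the chains that
# handle traffic for instance 10.40.0.3 (nova-compute-inst-19).
IPTABLES_SAVE = """\
*filter
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:nova-compute-inst-19 - [0:0]
:nova-compute-local - [0:0]
:nova-compute-provider - [0:0]
:nova-compute-sg-fallback - [0:0]
:nova-filter-top - [0:0]
-A FORWARD -j nova-filter-top
-A OUTPUT -j nova-filter-top
-A nova-compute-inst-19 -m state --state INVALID -j DROP
-A nova-compute-inst-19 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A nova-compute-inst-19 -j nova-compute-provider
-A nova-compute-inst-19 -s 10.40.0.1/32 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A nova-compute-inst-19 -s 10.40.0.0/16 -j ACCEPT
-A nova-compute-inst-19 -p tcp -m tcp --dport 22 -j ACCEPT
-A nova-compute-inst-19 -p icmp -j ACCEPT
-A nova-compute-inst-19 -j nova-compute-sg-fallback
-A nova-compute-local -d 10.40.0.3/32 -j nova-compute-inst-19
-A nova-compute-sg-fallback -j DROP
-A nova-filter-top -j nova-compute-local
COMMIT
"""

def parse_rule(toks):
    """Tokens after '-A <chain>' -> {flag: (negated, value)} plus the jump target."""
    rule = {'matches': {}, 'target': None, 'raw': ' '.join(toks)}
    negate, i = False, 0
    while i < len(toks):
        flag = toks[i]
        if flag == '!':                        # '! -s 10.0.0.0/8' negates the next match
            negate, i = True, i + 1
            continue
        has_val = i + 1 < len(toks) and not toks[i + 1].startswith('-')
        val = toks[i + 1] if has_val else None
        if flag == '-j':
            rule['target'] = val
        elif flag != '-m':                     # '-m state' / '-m udp' only load a match module
            rule['matches'][flag] = (negate, val)
        negate, i = False, i + (2 if has_val else 1)
    return rule

def parse_filter_table(dump):
    """Chains of the *filter table: name -> {'policy': ACCEPT/DROP/None, 'rules': [...]}."""
    chains, in_filter = {}, False
    for line in dump.splitlines():
        if line.startswith('*'):
            in_filter = line == '*filter'
        elif in_filter and line.startswith(':'):
            name, policy = line[1:].split()[:2]
            chains[name] = {'policy': None if policy == '-' else policy, 'rules': []}
        elif in_filter and line.startswith('-A '):
            _, chain, *toks = line.split()
            chains[chain]['rules'].append(parse_rule(toks))
    return chains

def rule_matches(rule, pkt):
    for flag, (negated, val) in rule['matches'].items():
        if flag in ('-s', '-d'):
            addr = pkt['src'] if flag == '-s' else pkt['dst']
            hit = ipaddress.ip_address(addr) in ipaddress.ip_network(val, strict=False)
        elif flag == '-p':
            hit = pkt['proto'] == val
        elif flag in ('--sport', '--dport'):
            hit = pkt.get(flag[2:]) == int(val)
        elif flag == '--state':
            hit = pkt['state'] in val.split(',')
        else:
            continue                           # match we do not model: treat as matching
        if hit == negated:
            return False
    return True

def evaluate(chains, name, pkt, trace):
    """Walk one chain in order; return ACCEPT/DROP/REJECT, or None for 'return to caller'."""
    for rule in chains[name]['rules']:
        if not rule_matches(rule, pkt):
            continue
        trace.append(f"{name}: {rule['raw']}")
        target = rule['target']
        if target in ('ACCEPT', 'DROP', 'REJECT'):
            return target
        if target in chains:                   # jump into a user-defined chain
            verdict = evaluate(chains, target, pkt, trace)
            if verdict:
                return verdict
    return chains[name]['policy']              # None for a user chain behaves like RETURN

def verdict_for(chains, pkt, entry, bridge_nf_call_iptables):
    """entry='FORWARD' for a frame bridged between two br100 ports, 'OUTPUT' for a
    packet this host emits.  Only bridged frames depend on bridge-nf-call-iptables:
    with it set to 0 they never enter iptables, so no rule above is consulted."""
    if entry == 'FORWARD' and not bridge_nf_call_iptables:
        return 'ACCEPT', []
    trace = []
    return evaluate(chains, entry, pkt, trace), trace

CHAINS = parse_filter_table(IPTABLES_SAVE)

# Constructed packets.  The DHCP offer is NEW to conntrack (it does not match the entry
# created by the 0.0.0.0 -> 255.255.255.255 discover), which is why nova has an explicit rule.
DHCP_REPLY = dict(src='10.40.0.1', dst='10.40.0.3', proto='udp', sport=67, dport=68, state='NEW')
MYSQL_FROM_OUTSIDE = dict(src='203.0.113.5', dst='10.40.0.3', proto='tcp', sport=40000,
                          dport=3306, state='NEW')

if __name__ == '__main__':
    for label, pkt, entry in (('DHCP reply, bridged', DHCP_REPLY, 'FORWARD'),
                              ('DHCP reply, local dnsmasq', DHCP_REPLY, 'OUTPUT'),
                              ('tcp/3306 from outside', MYSQL_FROM_OUTSIDE, 'FORWARD')):
        for flag in (1, 0):
            verdict, trace = verdict_for(CHAINS, pkt, entry, flag)
            print(f'{label}, bridge-nf-call-iptables={flag}: {verdict}')
            for step in trace:
                print('    ' + step)
```

Two things fall out of the walk. The security-group chain accepts the DHCP reply on its explicit `-s 10.40.0.1/32 -p udp --sport 67 --dport 68` rule whichever way it enters, so the filter rules in the question's dump are not what drops it. And with `bridge-nf-call-iptables=0` a bridged frame from outside to 10.40.0.3 on tcp/3306 is accepted without ever reaching `nova-compute-sg-fallback`, whereas with the default of 1 it is dropped there: the `nova-compute-inst-*` chains are how nova-network enforces security groups, and bridged traffic only reaches them through bridge netfilter, so the fix above also turns those rules off for everything forwarded across br100. Check the live value with `cat /proc/sys/net/bridge/bridge-nf-call-iptables` before and after applying it.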