安全组
Security group通过Linux IPtables来实现,为此,在Compute节点上引入了qbr*这样的Linux传统bridge(iptables规则目前无法加载到直接挂在到ovs的tap设备上)。
首先在Control节点上用neutron port-list命令列出虚拟机的端口id,例如:
# neutron port-list
+--------------------------------------+------+-------------------+----------------------------------------------------------------------------------------+
| id | name | mac_address | fixed_ips |
+--------------------------------------+------+-------------------+----------------------------------------------------------------------------------------+
| 2a169bb4-4d8b-4c67-802c-a24bdafe1312 | | fa:16:3e:2f:e9:72 | {"subnet_id": "a2456a2c-5eea-416d-8757-d10bc0aa2aaa", "ip_address": "192.168.0.1"} |
| 583c7038-d341-41ec-a0d1-0cd2c33866ca | | fa:16:3e:9c:dc:3a | {"subnet_id": "a2456a2c-5eea-416d-8757-d10bc0aa2aaa", "ip_address": "192.168.0.2"} |
| 9b2db4ac-3145-401c-8dc6-486ca6e303b6 | | fa:16:3e:4e:f1:b5 | {"subnet_id": "ea4ed31b-e05a-4735-8c3f-9b430e656b64", "ip_address": "192.168.122.200"} |
| c5a7d51b-9934-40bd-befa-adff840462d2 | | fa:16:3e:21:1d:00 | {"subnet_id": "ea4ed31b-e05a-4735-8c3f-9b430e656b64", "ip_address": "192.168.122.201"} |
| db2f5a49-7c0d-45dd-acad-908931f9a654 | | fa:16:3e:17:5c:36 | {"subnet_id": "a2456a2c-5eea-416d-8757-d10bc0aa2aaa", "ip_address": "192.168.0.3"} |
+--------------------------------------+------+-------------------+----------------------------------------------------------------------------------------+
其中id的前10位数字被用作虚机对外连接的qbr(同时也是tap口)的id。i或o加上前9位数字被用作安全组chain的id。
所有的规则默认都在Compute节点上的filter表(默认表)中实现,分别来查看filter表的INPUT、OUTPUT、FORWARD三条链上的规则。
在Compute节点上,可以用 iptables --line-numbers -vnL [CHAIN]
来获得filter表(可以指定某个链上的)规则。