When deploying a keepalived active/standby cluster in an OpenStack cloud environment, you will find that the VIP cannot be pinged, even from the same network.
What I think is that the VIP created by keepalived may not be recognized by Neutron. Later, the iptables on the host where the OpenStack port is located restricts the MAC address and IP. This is to prevent ARP spoofing. I don't think the host machine's iptables can be turned off. Production environments must never allow such operations.
I finally found a good method (the source is a foreign blog, Aaron's Blog).
The method is to use a feature new in the Havana version, "Allowed-Address-Pairs". In short, you create an IP in OpenStack and associate it with each VM. This solves the problem mentioned above and is quite suitable for keepalived usage scenarios.
First, log in to OpenStack's Horizon to create a port
Here I have created
It is better to create such a state. Next, we need to perform command-line (CLI) operations. However, the author cannot directly operate the host remotely. The next step is to use our OpenStack RC file.
Please see my other blog post, "Use of OpenStack RC files".
Associate the created IP 192.168.111.44 with the allowed_address_pairs parameter
Usage of --allowed-address-pair:
neutron port-update --allowed-address-pair ip_address=[CIDR] [port_id]
Perform the operation for the two keepalived instances in our environment:
neutron port-update --allowed-address-pair ip_address=192.168.111.44 c5a456dc-94fa-4f7d-a9a7-e9933afef632
neutron port-update --allowed-address-pair ip_address=192.168.111.44 aea3e3af-5bb0-4ad7-b1a0-0463d7290bd1
Then you can check the port status
neutron port-show c5a456dc-94fa-4f7d-a9a7-e9933afef632
You can see that the allowed_address_pairs attribute has been bound, and the two MAC addresses are the same.
At this point, the VIP configured in the cloud host is ready to use.
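An added example (not from the original post): a small Python check that every keepalived port allows the VIP and that no pair is wider than the VIP itself, since a CIDR pair relaxes the anti-spoofing rules for every address in it. It assumes port records shaped like the Neutron API's port object (`id`, `mac_address`, `allowed_address_pairs`); the port ids and MAC values are constructed.

```python
import ipaddress

VIP = "192.168.111.44"  # the VIP used in the article

# Constructed port records (ids and MACs are made up for this example).
SAMPLE_PORTS = [
    {"id": "port-a", "mac_address": "fa:16:3e:00:00:01",
     "allowed_address_pairs": [
         {"ip_address": "192.168.111.44", "mac_address": "fa:16:3e:00:00:01"}]},
    {"id": "port-b", "mac_address": "fa:16:3e:00:00:02",
     "allowed_address_pairs": []},
    {"id": "port-c", "mac_address": "fa:16:3e:00:00:03",
     "allowed_address_pairs": [
         {"ip_address": "192.168.111.0/24", "mac_address": "fa:16:3e:00:00:03"}]},
]


def audit_port(port, vip):
    """Return findings for one port; an empty list means the pair is tight."""
    vip_addr = ipaddress.ip_address(vip)
    findings, covered = [], False
    for pair in port.get("allowed_address_pairs") or []:
        # ip_address may be a single address or a CIDR; both parse as a network.
        net = ipaddress.ip_network(pair["ip_address"], strict=False)
        covered = covered or vip_addr in net
        if net.num_addresses > 1:
            findings.append(f"{port['id']}: {net} lets the port source "
                            f"{net.num_addresses} addresses, not just the VIP")
        mac = pair.get("mac_address")
        if mac and mac.lower() != port["mac_address"].lower():
            findings.append(f"{port['id']}: pair MAC {mac} differs from port MAC")
    if not covered:
        findings.append(f"{port['id']}: VIP {vip} is not an allowed address")
    return findings


def audit_ports(ports, vip=VIP):
    """Map each port id to its list of findings."""
    return {p["id"]: audit_port(p, vip) for p in ports}


if __name__ == "__main__":
    for port_id, findings in audit_ports(SAMPLE_PORTS).items():
        print(port_id, "OK" if not findings else findings)
```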
Next we bind the floating IP to the VIP
Again, log in to OpenStack's Horizon to create a floating IP
Then bind the allocated floating IP and select the pre-created VIP.
This is the state after binding
It doesn't show where it is bound to, but don't worry; the VIP can now communicate with the external network.