CloudStack
Unraveling the mystery of the virtual router
KVM+NFS environment

Japan CloudStack User Group
@MayumiK0
Copyright (C) 2012 Japan CloudStack User Group All Rights Reserved.
"Go ahead and accept it. That is your fate."
Example CloudStack configuration
・Typical configuration
 - Management Server
 - NFS Server (Primary/Secondary storage areas)
 - Compute Node

[Diagram: Management Server (this can also be a virtual server), NFS Server (Primary Storage, Secondary Storage), Compute Node (node04), Compute Node (node05)]
Unraveling the mystery of the virtual router
・Logging in to the virtual router
The virtual router and the Compute Node can communicate over the Link Local Network.
Log in to the Compute Node on which the virtual router is running,
then ssh from there to the virtual router's link-local address.

[Diagram: Management Server, NFS Server (Primary Storage, Secondary Storage), Compute Node (node04), Compute Node (node05) hosting an instance and the virtual router; the Compute Node and the virtual router are joined by the Link Local Network]
Unraveling the mystery of the virtual router
・Checking the link-local address

"You're not wrong, you know."
Unraveling the mystery of the virtual router
・Logging in with ssh key authentication
[root@node006 ~]# ssh -i .ssh/id_rsa.cloud 169.254.3.116 -p 3922
Linux r-5-VM 2.6.32-5-686-bigmem #1 SMP Mon Jan 16 16:42:05 UTC 2012 i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Dec  9 14:20:04 2012 from 169.254.0.1
root@r-5-VM:~# date; uptime
Mon Dec 10 15:54:59 UTC 2012
 15:54:59 up 1 day,  1:01,  1 user,  load average: 0.00, 0.00, 0.00
root@r-5-VM:~# date; ifconfig -a
Mon Dec 10 15:55:08 UTC 2012
eth0      Link encap:Ethernet  HWaddr 02:00:6b:3d:00:02
          inet addr:10.1.1.1  Bcast:10.1.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:11592 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8741 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:972709 (949.9 KiB)  TX bytes:2582211 (2.4 MiB)

eth1      Link encap:Ethernet  HWaddr 0e:00:a9:fe:03:74
          inet addr:169.254.3.116  Bcast:169.254.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:12285 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10166 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1937229 (1.8 MiB)  TX bytes:1915520 (1.8 MiB)
root@r-5-VM:~#

(sshd on the system VM listens on port 3922 and is reached over the link-local address with the host's .ssh/id_rsa.cloud key. The login lands directly in a root shell, so that host-side private key is effectively a root credential for the virtual router and should be protected as such.)
Unraveling the mystery of the virtual router
・In fact, the link-local address changes after a reboot
[root@node006 ~]# ssh -i .ssh/id_rsa.cloud 169.254.3.221 -p 3922
Last login: Mon Dec 10 16:00:04 2012 from 169.254.0.1
Linux r-5-VM 2.6.32-5-686-bigmem #1 SMP Mon Jan 16 16:42:05 UTC 2012 i686

root@r-5-VM:~# date; uptime
Mon Dec 10 16:18:29 UTC 2012
 16:18:29 up 1 min,  1 user,  load average: 0.00, 0.00, 0.00

root@r-5-VM:~# date ;ifconfig -a
Mon Dec 10 16:18:34 UTC 2012
eth0      Link encap:Ethernet  HWaddr 02:00:6b:3d:00:02
          inet addr:10.1.1.1  Bcast:10.1.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:12 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:844 (844.0 B)  TX bytes:0 (0.0 B)

eth1      Link encap:Ethernet  HWaddr 0e:00:a9:fe:03:dd
          inet addr:169.254.3.221  Bcast:169.254.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3373 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3244 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:629043 (614.2 KiB)  TX bytes:607306 (593.0 KiB)

/)( ◕ ‿‿ ◕ )(\  "If you don't know, you can just go on not knowing; it causes you no trouble at all."  ... Is that really good enough?

(Note that eth1's MAC changed together with the address: 0e:00:a9:fe:03:74 spells 169.254.3.116 in hex, and 0e:00:a9:fe:03:dd spells 169.254.3.221. The link-local address is therefore not something to hard-code in scripts or firewall rules; look it up again after every reboot.)
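The two ifconfig listings above are enough to automate the lookup the slides do by hand. The following is an added example (not code from the presentation or from CloudStack): it parses legacy net-tools ifconfig output, picks out the 169.254/16 address, and cross-checks it against the interface's MAC using the pattern visible on the slides (0e:00 followed by the address in hex). That MAC convention is an observation from these two outputs, not something documented on the page, so treat it as an assumption; the sample outputs are constructed from the slides.

```python
import re
from typing import Dict, List, Optional

# Constructed from the two ifconfig outputs shown on the slides (before and after the reboot).
IFCONFIG_BEFORE = """\
eth0      Link encap:Ethernet  HWaddr 02:00:6b:3d:00:02
          inet addr:10.1.1.1  Bcast:10.1.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth1      Link encap:Ethernet  HWaddr 0e:00:a9:fe:03:74
          inet addr:169.254.3.116  Bcast:169.254.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
"""

IFCONFIG_AFTER = """\
eth0      Link encap:Ethernet  HWaddr 02:00:6b:3d:00:02
          inet addr:10.1.1.1  Bcast:10.1.1.255  Mask:255.255.255.0

eth1      Link encap:Ethernet  HWaddr 0e:00:a9:fe:03:dd
          inet addr:169.254.3.221  Bcast:169.254.255.255  Mask:255.255.0.0
"""

IFACE_RE = re.compile(r"^(\S+)\s+Link encap:\S+\s+HWaddr\s+([0-9a-f:]{17})", re.M)
ADDR_RE = re.compile(r"inet addr:(\d+\.\d+\.\d+\.\d+)")


def parse_ifconfig(text: str) -> Dict[str, Dict[str, Optional[str]]]:
    """Return {iface: {'mac': ..., 'ip': ...}} from net-tools style `ifconfig -a` output."""
    result: Dict[str, Dict[str, Optional[str]]] = {}
    # Interfaces are separated by a blank line; each stanza starts with the name and HWaddr.
    for stanza in re.split(r"\n\s*\n", text.strip()):
        m = IFACE_RE.search(stanza)
        if not m:
            continue
        a = ADDR_RE.search(stanza)
        result[m.group(1)] = {"mac": m.group(2), "ip": a.group(1) if a else None}
    return result


def link_local_from_mac(mac: str) -> Optional[str]:
    """Decode the IPv4 address spelled by the low four MAC octets.
    Observed on the slides: 0e:00:a9:fe:03:74 <-> 169.254.3.116. ASSUMPTION: the
    0e:00 prefix + hex(address) convention holds for this system VM's link-local NIC."""
    octets = mac.lower().split(":")
    if len(octets) != 6 or octets[:2] != ["0e", "00"]:
        return None
    ip = ".".join(str(int(o, 16)) for o in octets[2:])
    return ip if ip.startswith("169.254.") else None


def find_link_local(text: str) -> Optional[str]:
    """Return the 169.254/16 address from ifconfig output, refusing it if the MAC disagrees."""
    for iface, info in parse_ifconfig(text).items():
        ip = info["ip"]
        if ip and ip.startswith("169.254."):
            decoded = link_local_from_mac(info["mac"] or "")
            if decoded is not None and decoded != ip:
                raise ValueError(f"{iface}: MAC {info['mac']} encodes {decoded} but address is {ip}")
            return ip
    return None


def ssh_command(link_local_ip: str, key: str = ".ssh/id_rsa.cloud", port: int = 3922) -> List[str]:
    """argv equivalent to the slide's login line (built, not executed, here)."""
    return ["ssh", "-i", key, "-p", str(port), f"root@{link_local_ip}"]
```

Run `find_link_local` on fresh `ifconfig -a` output after each reboot instead of reusing yesterday's address; the MAC cross-check catches the case where a stale address has been assigned to something else.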
  
Unraveling the mystery of the virtual router
・Test configuration                                   Public IP: 202.228.225.32

[Diagram: Management Server, NFS Server (Primary Storage, Secondary Storage), Compute Node (node04), Compute Node (node05) hosting the virtual router r-5-VM and two instances, test01 (10.1.1.207) and test02 (10.1.1.131)]

Let's take a peek at what the virtual router is doing behind the scenes.
Unraveling the mystery of the virtual router
・Processing performed at boot
(Boot with two virtual instances present and no firewall or load-balancing settings configured yet)
Dec 10 16:16:46 r-5-VM cloud: Starting dnsmasq
Dec 10 16:16:46 r-5-VM cloud: Starting cloud-passwd-srvr
Dec 10 16:16:46 r-5-VM cloud: Starting ssh
Dec 10 16:16:46 r-5-VM cloud: Starting haproxy
Dec 10 16:16:46 r-5-VM cloud: Starting apache2
Dec 10 16:16:46 r-5-VM cloud: Stopping cloud
Dec 10 16:16:46 r-5-VM cloud: Stopping nfs-common
Dec 10 16:16:46 r-5-VM cloud: Stopping portmap
Dec 10 16:16:48 r-5-VM cloud: ipassoc.sh:Adding first ip 202.228.225.32/26 on interface eth2
Dec 10 16:16:48 r-5-VM cloud: ipassoc.sh:Added SourceNAT 202.228.225.32/26 on interface eth2
Dec 10 16:16:48 r-5-VM cloud: ipassoc.sh:Added first ip 202.228.225.32/26 on interface eth2
Dec 10 16:16:50 r-5-VM cloud: ipassoc.sh:Add routing 202.228.225.32/26 on interface eth2
Dec 10 16:16:51 r-5-VM cloud: ipassoc.sh:Add routing 202.228.225.32/26 rules added
Dec 10 16:16:51 r-5-VM cloud: ipassoc.sh: created VPN chain for 202.228.225.32
Dec 10 16:16:51 r-5-VM cloud: ipassoc.sh: created firewall chain for 202.228.225.32
Dec 10 16:16:51 r-5-VM cloud: edithosts: update 02:00:3e:53:00:01 10.1.1.207 test01 to hosts
Dec 10 16:16:51 r-5-VM cloud: /root/edithosts.sh: setting default router for 10.1.1.207 to 10.1.1.1
Dec 10 16:16:51 r-5-VM cloud: /root/edithosts.sh: setting dns server for 10.1.1.207 to 10.1.1.1
Dec 10 16:16:53 r-5-VM cloud: edithosts: update 02:00:79:6c:00:03 10.1.1.131 test02 to hosts
Dec 10 16:16:53 r-5-VM cloud: /root/edithosts.sh: setting default router for 10.1.1.131 to 10.1.1.1
Dec 10 16:16:53 r-5-VM cloud: /root/edithosts.sh: setting dns server for 10.1.1.131 to 10.1.1.1
Unraveling the mystery of the virtual router
・dnsmasq:
       software that combines a DNS forwarder with a DHCP server
root@r-5-VM:~# ps afxwwww | grep dnsmasq
2079 ?        S      0:00 /usr/sbin/dnsmasq -x /var/run/dnsmasq/dnsmasq.pid -u dnsmasq -7 /etc/dnsmasq.d,.dpkg-dist,.dpkg-old,.dpkg-new

Dec 10 16:16:55 dnsmasq[2079]: started, version 2.55 cachesize 150
Dec 10 16:16:55 dnsmasq[2079]: compile time options: IPv6 GNU-getopt DBus I18N DHCP TFTP
Dec 10 16:16:55 dnsmasq-dhcp[2079]: DHCP, static leases only on 10.1.1.1, lease time 1h
Dec 10 16:16:55 dnsmasq[2079]: using local addresses only for domain cs2cloud.internal
Dec 10 16:16:55 dnsmasq[2079]: reading /etc/dnsmasq-resolv.conf
Dec 10 16:16:55 dnsmasq[2079]: using nameserver 8.8.8.8#53
Dec 10 16:16:55 dnsmasq[2079]: using local addresses only for domain cs2cloud.internal
Dec 10 16:16:55 dnsmasq[2079]: read /etc/hosts - 15 addresses
Dec 10 16:16:55 dnsmasq-dhcp[2079]: read /etc/dhcphosts.txt
Dec 10 16:16:55 dnsmasq-dhcp[2079]: read /etc/dhcpopts.txt

"No unexpected turn of events here."

root@r-5-VM:/etc# cat /etc/dhcpopts.txt
10_1_1_207,3,10.1.1.1
10_1_1_207,6,10.1.1.1
10_1_1_131,3,10.1.1.1
10_1_1_131,6,10.1.1.1

(Each line is tag,option,value: the tag is the guest IP with dots replaced by underscores, DHCP option 3 is the default router and option 6 the DNS server, both pointed at the router's own 10.1.1.1, matching the edithosts.sh messages above.)
Unraveling the mystery of the virtual router
・haproxy:
        L7 load balancer
root@r-5-VM:~# ps afxwwww | grep haproxy
 1501 ?        Ss     0:00 /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -D -p /var/run/haproxy.pid

root@r-5-VM:~# cat /etc/haproxy/haproxy.cfg
global
        log 127.0.0.1:3914   local0 warning
        maxconn 4096
        chroot /var/lib/haproxy
        user haproxy
        group haproxy
        daemon

defaults
        log     global
        mode    tcp
        option  dontlognull
        (snip)

listen  vmops 0.0.0.0:9
        option transparent

"Decide on your wish (your configuration). Quickly!"
Unraveling the mystery of the virtual router
・Shell scripts executed on the virtual router
root@r-5-VM:~# pwd
/root
root@r-5-VM:~# ls
-rwxr-xr-x 1 root root   824 Oct 24 05:25 bumpup_priority.sh
-rwxr-xr-x 1 root root  1462 Oct 24 05:25 clearUsageRules.sh
-rwxr-xr-x 1 root root  3545 Oct 24 05:25 edithosts.sh
-rwxr-xr-x 1 root root  6332 Oct 24 05:25 firewall_rule.sh
-rwxr-xr-x 1 root root 12404 Oct 24 05:25 firewall.sh
-rwxr-xr-x 1 root root  2429 Oct 24 05:25 func.sh
-rw-r--r-- 1 root root 13600 Feb  6  2012 ipassoc.sh
-rwxr-xr-x 1 root root  8239 Oct 24 05:25 loadbalancer.sh
-rw-r--r-- 1 root root  3464 Feb  6  2012 netusage.sh
-rwxr-xr-x 1 root root  1667 Oct 24 05:25 reconfigLB.sh
drwxr-xr-x 2 root root  4096 Nov 25 09:28 redundant_router
-rwxr-xr-x 1 root root  1441 Oct 24 05:25 savepassword.sh
-rwxr-xr-x 1 root root  2497 Oct 24 05:25 userdata.py
-rwxr-xr-x 1 root root  3235 Oct 24 05:25 userdata.sh

■ Part of firewall_rule.sh (it appears to write iptables rules directly, by brute force)
root@r-5-VM:~# cat firewall_rule.sh
#!/usr/bin/env bash

fw_chain_for_ip () {
  local pubIp=$1
  fw_remove_backup $1
  sudo iptables -t mangle -E FIREWALL_$pubIp _FIREWALL_$pubIp 2> /dev/null
  sudo iptables -t mangle -N FIREWALL_$pubIp 2> /dev/null
  # drop if no rules match (this will be the last rule in the chain)
  sudo iptables -t mangle -A FIREWALL_$pubIp -j DROP> /dev/null
  # ensure outgoing connections are maintained (first rule in chain)
  sudo iptables -t mangle -I FIREWALL_$pubIp -m state --state RELATED,ESTABLISHED -j ACCEPT> /dev/null
  #ensure that this table is after VPN chain
  sudo iptables -t mangle -I PREROUTING 2 -d $pubIp -j FIREWALL_$pubIp
  success=$?
  if [ $success -gt 0 ]
  then
    # if VPN chain is not present for various reasons, try to add in to the first slot */
    sudo iptables -t mangle -I PREROUTING -d $pubIp -j FIREWALL_$pubIp
  fi
}

(The per-IP chain is default-deny: the existing chain is renamed to _FIREWALL_<ip> as a backup, a fresh FIREWALL_<ip> is created with DROP as its last rule and RELATED,ESTABLISHED ACCEPT as its first, and it is hooked into the mangle PREROUTING chain at position 2 so that the VPN chain keeps precedence, falling back to position 1 if that insert fails.)
Unraveling the mystery of the virtual router
・Creating a new instance
root@r-5-VM:/var/log# cat dnsmasq.log

Dec 11 17:11:09 dnsmasq[8541]: started, version 2.55 cachesize 150
Dec 11 17:11:09 dnsmasq[8541]: compile time options: IPv6 GNU-getopt DBus I18N DHCP TFTP
Dec 11 17:11:09 dnsmasq-dhcp[8541]: DHCP, static leases only on 10.1.1.1, lease time 1h
Dec 11 17:11:09 dnsmasq[8541]: using local addresses only for domain cs2cloud.internal
Dec 11 17:11:09 dnsmasq[8541]: reading /etc/dnsmasq-resolv.conf
Dec 11 17:11:09 dnsmasq[8541]: using nameserver 8.8.8.8#53
Dec 11 17:11:09 dnsmasq[8541]: using local addresses only for domain cs2cloud.internal
Dec 11 17:11:09 dnsmasq[8541]: read /etc/hosts - 16 addresses
Dec 11 17:11:09 dnsmasq-dhcp[8541]: read /etc/dhcphosts.txt
Dec 11 17:11:09 dnsmasq-dhcp[8541]: read /etc/dhcpopts.txt
Dec 11 17:12:04 dnsmasq-dhcp[8541]: DHCPDISCOVER(eth0) 10.0.2.15 02:00:62:c8:00:04
Dec 11 17:12:04 dnsmasq-dhcp[8541]: DHCPOFFER(eth0) 10.1.1.100 02:00:62:c8:00:04
Dec 11 17:12:04 dnsmasq-dhcp[8541]: DHCPREQUEST(eth0) 10.1.1.100 02:00:62:c8:00:04
Dec 11 17:12:04 dnsmasq-dhcp[8541]: DHCPACK(eth0) 10.1.1.100 02:00:62:c8:00:04 test03

dnsmasq hands out the IP address to the instance. (The 10.0.2.15 in the DISCOVER is the address the client asked for; because dnsmasq runs with static leases only, the offer and ACK carry the 10.1.1.100 that CloudStack registered for that MAC.)
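The dhcpopts.txt listing on the earlier dnsmasq slide and the DHCP exchange above are two halves of the same mechanism: CloudStack pre-registers each guest, and dnsmasq only confirms what was registered. The following is an added example (not from the presentation or from CloudStack's own scripts) that parses the tag,option,value file, extracts completed DISCOVER/OFFER/REQUEST/ACK exchanges from dnsmasq's log, and joins the two so you can see which acknowledged guests have per-guest router/DNS options and which do not. Both sample inputs are constructed from the slides; the file snapshot on the slide predates test03, so the report flags that guest as having no per-guest options yet.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: /etc/dhcpopts.txt as shown on the dnsmasq slide (tag,option,value per line).
DHCPOPTS = """\
10_1_1_207,3,10.1.1.1
10_1_1_207,6,10.1.1.1
10_1_1_131,3,10.1.1.1
10_1_1_131,6,10.1.1.1
"""

# Constructed sample: the DHCP lines from the slide's dnsmasq.log.
DNSMASQ_LOG = """\
Dec 11 17:11:09 dnsmasq-dhcp[8541]: DHCP, static leases only on 10.1.1.1, lease time 1h
Dec 11 17:12:04 dnsmasq-dhcp[8541]: DHCPDISCOVER(eth0) 10.0.2.15 02:00:62:c8:00:04
Dec 11 17:12:04 dnsmasq-dhcp[8541]: DHCPOFFER(eth0) 10.1.1.100 02:00:62:c8:00:04
Dec 11 17:12:04 dnsmasq-dhcp[8541]: DHCPREQUEST(eth0) 10.1.1.100 02:00:62:c8:00:04
Dec 11 17:12:04 dnsmasq-dhcp[8541]: DHCPACK(eth0) 10.1.1.100 02:00:62:c8:00:04 test03
"""

OPTION_NAMES = {3: "router", 6: "dns"}  # the DHCP option codes the file uses


def parse_dhcpopts(text: str) -> Dict[str, Dict[str, str]]:
    """tag -> {'router': ip, 'dns': ip}; the tag is the guest IP with '.' replaced by '_'."""
    opts: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        tag, code, value = line.split(",", 2)
        opts.setdefault(tag, {})[OPTION_NAMES.get(int(code), f"opt{code}")] = value
    return opts


def options_for_ip(opts: Dict[str, Dict[str, str]], ip: str) -> Dict[str, str]:
    return opts.get(ip.replace(".", "_"), {})


DHCP_RE = re.compile(
    r"dnsmasq-dhcp\[\d+\]: DHCP(?P<kind>DISCOVER|OFFER|REQUEST|ACK)\((?P<iface>\w+)\) "
    r"(?P<ip>[\d.]+) (?P<mac>[0-9a-f:]{17})(?: (?P<name>\S+))?"
)


def acked_leases(log_text: str) -> Dict[str, Tuple[str, Optional[str]]]:
    """mac -> (ip, hostname) for exchanges where the ACKed address is the one the client REQUESTed.
    The DISCOVER's address (10.0.2.15 on the slide) is only the client's wish and is ignored."""
    requested: Dict[str, str] = {}
    leases: Dict[str, Tuple[str, Optional[str]]] = {}
    for line in log_text.splitlines():
        m = DHCP_RE.search(line)
        if not m:
            continue
        kind, ip, mac = m.group("kind"), m.group("ip"), m.group("mac")
        if kind == "REQUEST":
            requested[mac] = ip
        elif kind == "ACK" and requested.get(mac) == ip:
            leases[mac] = (ip, m.group("name"))
    return leases


def lease_report(log_text: str, opts_text: str) -> List[dict]:
    """Join acknowledged leases with the per-guest options in dhcpopts.txt.
    has_guest_opts is False when no tag exists for the guest's address yet."""
    opts = parse_dhcpopts(opts_text)
    report = []
    for mac, (ip, name) in acked_leases(log_text).items():
        o = options_for_ip(opts, ip)
        report.append({"mac": mac, "ip": ip, "name": name, "options": o, "has_guest_opts": bool(o)})
    return report
```

Point `lease_report` at the real /var/log/dnsmasq.log and /etc/dhcpopts.txt on the router to confirm, after creating an instance, that edithosts.sh has written the guest's tag; a guest with a lease but no tag is the first thing to check when it comes up with the wrong gateway or resolver.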
Unraveling the mystery of the virtual router
・Firewall settings
Configuration scripts: ipassoc.sh, firewall.sh, firewall_rule.sh

■ /var/log/messages
Dec 11 17:18:54 r-5-VM cloud: FirewallRule public interfaces =  eth2
Dec 11 17:18:54 r-5-VM cloud: firewall_rule.sh: enter apply firewall rules for public ip 202.228.225.32:tcp:10001:10003:0.0.0.0/0
Dec 11 17:18:54 r-5-VM cloud: firewall_rule.sh: exit apply firewall rules for public ip 202.228.225.32
Dec 11 17:18:54 r-5-VM cloud: firewall_rule.sh: successful in applying fw rules for ip 202.228.225.32
Dec 11 17:18:54 r-5-VM cloud: firewall_rule.sh: deleting backup for ip: 202.228.225.32

(The rule spec passed to firewall_rule.sh reads public-ip:protocol:start-port:end-port:source-cidr; here TCP 10001 to 10003 is opened from 0.0.0.0/0, and the backup chain is only deleted once the new rules applied successfully.)
Unraveling the mystery of the virtual router
・Port forwarding settings
Configuration scripts: ipassoc.sh, firewall.sh

■ /var/log/messages
Dec 11 17:29:30 r-5-VM cloud: firewall.sh: creating port fwd entry for PAT: public ip=202.228.225.32 instance ip=10.1.1.207 proto=tcp port=10001:10001 dport=22-22 op=-A
Dec 11 17:29:30 r-5-VM cloud: firewall.sh: creating port fwd entry for PAT: public ip=202.228.225.32 instance ip=10.1.1.207 proto=tcp port=10001:10001 dport=22-22 op=-D
Dec 11 17:29:30 r-5-VM cloud: firewall.sh: create HairPin entry : public ip=202.228.225.32 instance ip=10.1.1.207 proto=tcp portRange=22-22 op=-D
Dec 11 17:29:30 r-5-VM cloud: firewall.sh: done port fwd entry for PAT: public ip=202.228.225.32 op=-D result=1
Dec 11 17:29:30 r-5-VM cloud: firewall.sh: create HairPin entry : public ip=202.228.225.32 instance ip=10.1.1.207 proto=tcp portRange=22-22 op=-A
Dec 11 17:29:30 r-5-VM cloud: firewall.sh: done port fwd entry for PAT: public ip=202.228.225.32 op=-A result=0

(Public port 10001 on 202.228.225.32 is mapped to port 22 on test01 at 10.1.1.207. Note the two passes: the -D (delete) pass returns result=1 because there was no existing entry to remove, and the -A (add) pass returns result=0 and is the one that took effect. Combined with the firewall rule on the previous slide, SSH on test01 is now reachable from 0.0.0.0/0.)
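The boot-time messages, the firewall slide and the port-forwarding slide are all written by the same scripts to /var/log/messages with the `cloud:` tag, so the router's effective configuration can be rebuilt from the log alone. The following is an added example (not code from the presentation or from CloudStack) that replays those lines into a small state model: source-NAT interface, registered guests, firewall rule specs and the port forwards that actually applied (an -A whose "done" line reports result=0), and then lists which forwards sit inside a firewall rule open to 0.0.0.0/0. The log lines are constructed from the slides; the `cloud:` message formats are taken from them and nothing beyond those formats is assumed.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: lines copied from the /var/log/messages excerpts on the slides,
# in the order they appear there.
SAMPLE_LOG = """\
Dec 10 16:16:48 r-5-VM cloud: ipassoc.sh:Adding first ip 202.228.225.32/26 on interface eth2
Dec 10 16:16:48 r-5-VM cloud: ipassoc.sh:Added SourceNAT 202.228.225.32/26 on interface eth2
Dec 10 16:16:51 r-5-VM cloud: ipassoc.sh: created VPN chain for 202.228.225.32
Dec 10 16:16:51 r-5-VM cloud: ipassoc.sh: created firewall chain for 202.228.225.32
Dec 10 16:16:51 r-5-VM cloud: edithosts: update 02:00:3e:53:00:01 10.1.1.207 test01 to hosts
Dec 10 16:16:51 r-5-VM cloud: /root/edithosts.sh: setting default router for 10.1.1.207 to 10.1.1.1
Dec 10 16:16:53 r-5-VM cloud: edithosts: update 02:00:79:6c:00:03 10.1.1.131 test02 to hosts
Dec 11 17:18:54 r-5-VM cloud: firewall_rule.sh: enter apply firewall rules for public ip 202.228.225.32:tcp:10001:10003:0.0.0.0/0
Dec 11 17:18:54 r-5-VM cloud: firewall_rule.sh: exit apply firewall rules for public ip 202.228.225.32
Dec 11 17:29:30 r-5-VM cloud: firewall.sh: creating port fwd entry for PAT: public ip=202.228.225.32 instance ip=10.1.1.207 proto=tcp port=10001:10001 dport=22-22 op=-A
Dec 11 17:29:30 r-5-VM cloud: firewall.sh: creating port fwd entry for PAT: public ip=202.228.225.32 instance ip=10.1.1.207 proto=tcp port=10001:10001 dport=22-22 op=-D
Dec 11 17:29:30 r-5-VM cloud: firewall.sh: create HairPin entry : public ip=202.228.225.32 instance ip=10.1.1.207 proto=tcp portRange=22-22 op=-D
Dec 11 17:29:30 r-5-VM cloud: firewall.sh: done port fwd entry for PAT: public ip=202.228.225.32 op=-D result=1
Dec 11 17:29:30 r-5-VM cloud: firewall.sh: create HairPin entry : public ip=202.228.225.32 instance ip=10.1.1.207 proto=tcp portRange=22-22 op=-A
Dec 11 17:29:30 r-5-VM cloud: firewall.sh: done port fwd entry for PAT: public ip=202.228.225.32 op=-A result=0
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) cloud: (?P<msg>.*)$")
SNAT_RE = re.compile(r"ipassoc\.sh:Added SourceNAT (?P<cidr>[\d./]+) on interface (?P<iface>\S+)")
HOST_RE = re.compile(r"edithosts: update (?P<mac>[0-9a-f:]{17}) (?P<ip>[\d.]+) (?P<name>\S+) to hosts")
FWRULE_RE = re.compile(
    r"apply firewall rules for public ip (?P<ip>[\d.]+):(?P<proto>\w+):(?P<start>\d+):(?P<end>\d+):(?P<cidr>[\d./]+)"
)
PAT_RE = re.compile(
    r"creating port fwd entry for PAT: public ip=(?P<pub>[\d.]+)\s+instance ip=(?P<inst>[\d.]+) "
    r"proto=(?P<proto>\w+) port=(?P<pstart>\d+):(?P<pend>\d+) dport=(?P<dstart>\d+)-(?P<dend>\d+) op=(?P<op>-[AD])"
)
PATDONE_RE = re.compile(r"done port fwd entry for PAT: public ip=(?P<pub>[\d.]+) op=(?P<op>-[AD]) result=(?P<rc>\d+)")


@dataclass
class RouterState:
    source_nat: Dict[str, str] = field(default_factory=dict)   # public cidr -> interface
    hosts: Dict[str, str] = field(default_factory=dict)        # guest ip -> hostname
    firewall_rules: List[dict] = field(default_factory=list)
    port_forwards: List[dict] = field(default_factory=list)    # -A entries whose done line had result=0
    failures: List[dict] = field(default_factory=list)         # -A entries whose done line had result!=0


def replay(log_text: str) -> RouterState:
    """Rebuild what the router scripts configured by replaying cloud: messages in order.
    firewall.sh logs a 'creating' line per op and a 'done' line per op; the two are paired by op."""
    st = RouterState()
    pending: Dict[str, dict] = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group("msg")
        if (s := SNAT_RE.search(msg)):
            st.source_nat[s.group("cidr")] = s.group("iface")
        elif (h := HOST_RE.search(msg)):
            st.hosts[h.group("ip")] = h.group("name")
        elif (f := FWRULE_RE.search(msg)):
            d = f.groupdict()
            d["start"], d["end"] = int(d["start"]), int(d["end"])
            st.firewall_rules.append(d)
        elif (p := PAT_RE.search(msg)):
            pending[p.group("op")] = p.groupdict()
        elif (d := PATDONE_RE.search(msg)):
            entry = pending.pop(d.group("op"), None)
            if entry and d.group("op") == "-A":
                (st.port_forwards if d.group("rc") == "0" else st.failures).append(entry)
    return st


def open_to_world(st: RouterState) -> List[Tuple[str, int, str, int]]:
    """(public ip, public port, guest ip, guest port) for forwards inside a 0.0.0.0/0 firewall rule."""
    out = []
    for pf in st.port_forwards:
        pub_port = int(pf["pstart"])
        for fr in st.firewall_rules:
            if (fr["ip"] == pf["pub"] and fr["proto"] == pf["proto"]
                    and fr["cidr"] == "0.0.0.0/0" and fr["start"] <= pub_port <= fr["end"]):
                out.append((pf["pub"], pub_port, pf["inst"], int(pf["dstart"])))
                break
    return out
```

Because the `cloud:` lines are the only durable record of what the scripts did, `replay` over the real /var/log/messages is a cheap way to audit a router after the fact; `open_to_world` is the check a reviewer would run first, and on the slides' data it reports exactly the SSH exposure the two slides together create.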
Unraveling the mystery of the virtual router
・Load balancing settings
■ /var/log/messages
Dec 11 17:37:22 r-5-VM cloud: Loadbalancer public interfaces =  eth2
Dec 11 17:37:24 r-5-VM cloud: New haproxy instance successfully loaded, stopping previous one.
Dec 11 17:37:25 r-5-VM cloud: ipassoc.sh:Adding first ip 202.228.225.32/26 on interface eth2
Dec 11 17:37:25 r-5-VM cloud: ipassoc.sh:Added SourceNAT 202.228.225.32/26 on interface eth2
Dec 11 17:37:25 r-5-VM cloud: ipassoc.sh:Added first ip 202.228.225.32/26 on interface eth2
Dec 11 17:37:27 r-5-VM cloud: ipassoc.sh:Add routing 202.228.225.32/26 on interface eth2
Dec 11 17:37:27 r-5-VM cloud: ipassoc.sh: VPN chain for 202.228.225.32 already exists
Dec 11 17:37:27 r-5-VM cloud: ipassoc.sh: firewall chain for 202.228.225.32 already exists

The settings are written to haproxy.cfg:
root@r-5-VM:/var/log# cat /etc/haproxy/haproxy.cfg
global
        log 127.0.0.1:3914   local0 warning
        (snip)

listen 202_228_225_32-80 202.228.225.32:80
        balance roundrobin
        server 202_228_225_32-80_0 10.1.1.207:80 check
        server 202_228_225_32-80_1 10.1.1.131:80 check
        mode http
        option httpclose
Unraveling the mystery of the virtual router
・Load balancing settings
root@r-5-VM:/var/log# cat haproxy.log

Dec 10 14:44:02 localhost haproxy[1486]: Pausing proxy cloud-default.
Dec 10 14:44:04 localhost haproxy[8711]: Server 202_228_225_32-80/202_228_225_32-80_0 is DOWN, reason: Layer4 connection problem, info: "No route to host", check duration: 3ms.
Dec 10 14:44:04 localhost haproxy[8711]: proxy 202_228_225_32-80 has no server available!
Dec 10 14:44:19 localhost haproxy[8712]: Pausing proxy stats_on_public.
Dec 10 14:44:19 localhost haproxy[8712]: Pausing proxy 202_228_225_32-80.
Dec 10 14:44:21 localhost haproxy[9064]: Server 202_228_225_32-80/202_228_225_32-80_0 is DOWN, reason: Layer4 connection problem, info: "No route to host", check duration: 0ms.
Dec 10 14:44:22 localhost haproxy[9065]: Server 202_228_225_32-80/202_228_225_32-80_1 is DOWN, reason: Layer4 connection problem, info: "No route to host", check duration: 5ms.
Dec 10 14:44:22 localhost haproxy[9065]: proxy 202_228_225_32-80 has no server available!
Dec 10 15:58:10 localhost haproxy[1527]: Server 202_228_225_32-80/202_228_225_32-80_1 is DOWN, reason: Layer4 connection problem, info: "No route to host", check duration: 5ms.
Dec 10 15:58:10 localhost haproxy[1527]: proxy 202_228_225_32-80 has no server available!
Dec 10 15:58:16 localhost haproxy[1527]: Pausing proxy stats_on_public.
Dec 10 15:58:16 localhost haproxy[1527]: Pausing proxy 202_228_225_32-80.
Dec 10 15:58:18 localhost haproxy[2432]: Server 202_228_225_32-80/202_228_225_32-80_0 is DOWN, reason: Layer4 connection problem, info: "No route to host", check duration: 0ms.
Dec 10 15:58:19 localhost haproxy[2433]: Server 202_228_225_32-80/202_228_225_32-80_1 is DOWN, reason: Layer4 connection problem, info: "No route to host", check duration: 0ms.

Health-check logs also appear here: both backends of 202_228_225_32-80 are reported DOWN by the layer-4 check, so when a load-balancer rule seems to do nothing, this log is the place to look.
Unraveling the mystery of the virtual router
・iptables
root@r-5-VM:/etc/init.d# /etc/init.d/iptables-persistent status
Filter Rules:
--------------
Chain INPUT (policy DROP 2503 packets, 101K bytes)
 pkts bytes target     prot opt in     out     source               destination
64324 6276K NETWORK_STATS  all  --  any    any     anywhere             anywhere
    0     0 ACCEPT     all  --  any    any     anywhere             vrrp.mcast.net
    0     0 ACCEPT     all  --  any    any     anywhere             225.0.0.50
37401 3291K ACCEPT     all  --  eth0   any     anywhere             anywhere            state RELATED,ESTABLISHED
14833 2394K ACCEPT     all  --  eth1   any     anywhere             anywhere            state RELATED,ESTABLISHED
  390 34943 ACCEPT     all  --  eth2   any     anywhere             anywhere            state RELATED,ESTABLISHED
  453 38052 ACCEPT     icmp --  any    any     anywhere             anywhere
   13  1401 ACCEPT     all  --  lo     any     anywhere             anywhere
    2   656 ACCEPT     udp  --  eth0   any     anywhere             anywhere            udp dpt:bootps
 1961  133K ACCEPT     udp  --  eth0   any     anywhere             anywhere
(the listing is cut off here on the slide)

(The INPUT policy is DROP, so only what is listed gets in: established traffic on all three interfaces, ICMP, loopback, the VRRP multicast group that the redundant router feature uses, and DHCP (bootps) on the guest-side eth0 only. Nothing here opens a new inbound connection on the public eth2; those are handled by the per-IP chains and the port-forwarding rules shown on the earlier slides.)
 	
 	
 	
 	
 	
 	
 	
 	
 	
 	
 	
 udp	
 dpt:domain	
 	
 
  	
 	
 719	
 43140	
 ACCEPT	
 	
 	
 	
 	
 tcp	
 	
 --	
 	
 eth1	
 	
 	
 any	
 	
 	
 	
 	
 anywhere	
 	
 	
 	
 	
 	
 	
 	
 	
 	
 	
 	
 	
 anywhere	
 	
 	
 	
 	
 	
 	
 	
 	
 	
 	
 	
 state	
 NEW	
 tcp	
 dpt:3922	
 	
 
  	
 	
 	
 	
 0	
 	
 	
 	
 	
 0	
 ACCEPT	
 	
 	
 	
 	
 tcp	
 	
 --	
 	
 eth0	
 	
 	
 any	
 	
 	
 	
 	
 anywhere	
 	
 	
 	
 	
 	
 	
 	
 	
 	
 	
 	
 	
 anywhere	
 	
 	
 	
 	
 	
 	
 	
 	
 	
 	
 	
 state	
 NEW	
 tcp	
 dpt:http-alt	
 	
 
  	
 	
 	
 	
 0	
 	
 	
 	
 	
 0	
 ACCEPT	
 	
 	
 	
 	
 tcp	
 	
 --	
 	
 eth0	
 	
 	
 any	
 	
 	
 	
 	
 anywhere	
 	
 	
 	
 	
 	
 	
 	
 	
 	
 	
 	
 	
 anywhere	
 	
 	
 	
 	
 	
 	
 	
 	
 	
 	
 	
 state	
 NEW	
 tcp	
 dpt:www	
 	
 
  	
 	
 	
 	
 0	
 	
 	
 	
 	
 0	
 load_balancer_eth0	
 	
 tcp	
 	
 --	
 	
 eth0	
 	
 	
 any	
 	
 	
 	
 	
 anywhere	
 	
 	
 	
 	
 	
 	
 	
 	
 	
 	
 	
 	
 anywhere	
 	
 	
 	
 	
 	
 	
 	
 	
 	
 	
 	
 	
 
  	
 	
 	
 	
 0	
 	
 	
 	
 	
 0	
 load_balancer_eth2	
 	
 tcp	
 	
 --	
 	
 eth2	
 	
 	
 any	
 	
 	
 	
 	
 anywhere	
 	
 	
 	
 	
 	
 	
 	
 	
 	
 	
 	
 	
 anywhere	
 	
 	
 	
 	
 	
 	
 	
 	
 	
 	
 	
 	
 
  	
 	
 	
 	
 0	
 	
 	
 	
 	
 0	
 lb_stats	
 	
 	
 tcp	
 	
 --	
 	
 any	
 	
 	
 	
 any	
 	
 	
 	
 	
 anywhere	
 	
 	
 	
 	
 	
 	
 	
 	
 	
 	
 	
 	
 anywhere	
 	
 	
 	
 	
 	
 	
 	
 	
 	
 	
 	
 	
 




Unraveling the mystery of the virtual router
・iptables
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
10587 7297K NETWORK_STATS  all  --  any    any     anywhere             anywhere
    0     0 ACCEPT     all  --  eth0   eth1    anywhere             anywhere             state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth0   eth0    anywhere             anywhere             state NEW
    0     0 ACCEPT     all  --  eth0   eth0    anywhere             anywhere             state RELATED,ESTABLISHED
  528  106K ACCEPT     tcp  --  any    any     anywhere             test01               state RELATED,ESTABLISHED /* 202.228.225.32:10001:10001 */
    0     0 ACCEPT     tcp  --  any    any     anywhere             test01               tcp dpt:ssh state NEW /* 202.228.225.32:10001:10001 */
 2195 4043K ACCEPT     all  --  eth2   eth0    anywhere             anywhere             state RELATED,ESTABLISHED
 2062  142K ACCEPT     all  --  eth0   eth2    anywhere             anywhere

Chain OUTPUT (policy ACCEPT 41154 packets, 2856K bytes)
 pkts bytes target     prot opt in     out     source               destination
54494 5162K NETWORK_STATS  all  --  any    any     anywhere             anywhere

Chain NETWORK_STATS (3 references)
 pkts bytes target     prot opt in     out     source               destination
 4863  349K            all  --  eth0   eth2    anywhere             anywhere
 5724 6948K            all  --  eth2   eth0    anywhere             anywhere
    0     0            tcp  --  !eth0  eth2    anywhere             anywhere
    0     0            tcp  --  eth2   !eth0   anywhere             anywhere




Unraveling the mystery of the virtual router
・iptables
Chain lb_stats (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  any    any     anywhere             202.228.225.32       state NEW tcp dpt:tproxy

Chain load_balancer_eth0 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  any    any     anywhere             202.228.225.32       tcp dpt:www

Chain load_balancer_eth2 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  any    any     anywhere             202.228.225.32       tcp dpt:www

NAT Rules:
-------------
Chain PREROUTING (policy ACCEPT 41247 packets, 1685K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  eth2   any     anywhere             202.228.225.32       tcp dpt:10001 to:10.1.1.207:22
    0     0 DNAT       tcp  --  eth0   any     anywhere             202.228.225.32       tcp dpt:10001 to:10.1.1.207:22

Chain POSTROUTING (policy ACCEPT 37392 packets, 2244K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       tcp  --  any    eth0    10.1.1.0/24          test01               tcp dpt:10001 to:10.1.1.1
  581 35575 SNAT       all  --  any    eth2    anywhere             anywhere             to:202.228.225.32

Chain OUTPUT (policy ACCEPT 37543 packets, 2253K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  any    any     anywhere             202.228.225.32       tcp dpt:10001 to:10.1.1.207:22


Unraveling the mystery of the virtual router
Mangle Rules:
----------------
Chain PREROUTING (policy ACCEPT 84426 packets, 5631K bytes)
 pkts bytes target     prot opt in     out     source               destination
 6411 7002K VPN_202.228.225.32  all  --  any    any     anywhere             202.228.225.32
   81  4769 FIREWALL_202.228.225.32  all  --  any    any     anywhere             202.228.225.32
55712 5951K CONNMARK   all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED CONNMARK restore
    0     0 MARK       tcp  --  eth2   any     anywhere             202.228.225.32       tcp dpt:10001 MARK set 0x2
    0     0 CONNMARK   tcp  --  eth2   any     anywhere             202.228.225.32       tcp dpt:10001 state NEW CONNMARK save

Chain INPUT (policy ACCEPT 44607 packets, 3987K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 4785 packets, 4291K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 41524 packets, 2927K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 46309 packets, 7218K bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   670 CHECKSUM   udp  --  any    any     anywhere             anywhere             udp dpt:bootpc CHECKSUM fill

Chain FIREWALL_202.228.225.32 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
    0     0 RETURN     tcp  --  any    any     anywhere             anywhere             tcp dpts:10001:10003
   81  4769 DROP       all  --  any    any     anywhere             anywhere

Chain VPN_202.228.225.32 (1 references)
 pkts bytes target     prot opt in     out     source               destination
 6123 6984K ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
  288 18062 RETURN     all  --  any    any     anywhere             anywhere
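The dump above stacks three layers for one public IP: nat PREROUTING DNATs 202.228.225.32:10001 to 10.1.1.207:22, mangle PREROUTING hands the packet to FIREWALL_202.228.225.32, which RETURNs only tcp 10001:10003 and DROPs everything else (the 81 dropped packets), and the filter INPUT/FORWARD chains default to DROP. As an added example (not the deck's or CloudStack's own code), here is a small Python parser for this `iptables-persistent status` layout with the checks a defender would run over it: default-deny policies, firewall chains that end in DROP, and forwards whose public port the FIREWALL_ chain never opens. The sample input is a constructed, abridged excerpt of the dump above.

```python
"""Parse the `iptables -L -v` style dump from the slides and audit what the virtual
router exposes. Added example with a constructed, abridged sample, not the deck's code."""
import re
from collections import namedtuple

SAMPLE_DUMP = """\
Filter Rules:
--------------
Chain INPUT (policy DROP 2503 packets, 101K bytes)
 pkts bytes target     prot opt in     out     source               destination
64324 6276K NETWORK_STATS  all  --  any    any     anywhere             anywhere

Chain NETWORK_STATS (3 references)
 pkts bytes target     prot opt in     out     source               destination
 4863  349K            all  --  eth0   eth2    anywhere             anywhere

NAT Rules:
-------------
Chain PREROUTING (policy ACCEPT 41247 packets, 1685K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  eth2   any     anywhere             202.228.225.32       tcp dpt:10001 to:10.1.1.207:22

Mangle Rules:
----------------
Chain FIREWALL_202.228.225.32 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
    0     0 RETURN     tcp  --  any    any     anywhere             anywhere             tcp dpts:10001:10003
   81  4769 DROP       all  --  any    any     anywhere             anywhere
"""

Rule = namedtuple("Rule", "pkts bytes target prot opt in_if out_if source destination extra")
Chain = namedtuple("Chain", "name policy rules")  # policy is None for user-defined chains
PROTOS = {"all", "tcp", "udp", "icmp", "esp", "ah", "sctp", "udplite"}

def parse_dump(text):
    """Return {table: {chain name: Chain}} from the status output."""
    tables, table, chain = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("---") or line.startswith("pkts bytes"):
            continue
        m = re.match(r"^(\w+) Rules:$", line)
        if m:  # table header: "Filter Rules:", "NAT Rules:", "Mangle Rules:"
            table = tables.setdefault(m.group(1).lower(), {})
            continue
        m = re.match(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)", line)
        if m:  # built-in chains print a policy, user chains a reference count
            chain = Chain(m.group(1), m.group(2), [])
            table[chain.name] = chain
            continue
        tok = line.split()
        # Counter-only rules (NETWORK_STATS) print no target; re-insert an empty one to realign
        if len(tok) > 2 and tok[2] in PROTOS:
            tok.insert(2, "")
        if chain is None or len(tok) < 9:
            raise ValueError(f"unrecognised line: {raw!r}")
        chain.rules.append(Rule(*tok[:9], " ".join(tok[9:])))
    return tables

def port_in_spec(port, spec):
    """True if `port` falls inside an iptables port spec such as 22 or 10001:10003."""
    if not port.isdigit() or not spec.replace(":", "").isdigit():
        return port == spec  # service names (ssh, www) only match literally
    lo, _, hi = spec.partition(":")
    return int(lo) <= int(port) <= int(hi or lo)

def port_forwards(tables):
    """DNAT rules in nat PREROUTING as (public ip, public port, internal target)."""
    pre = tables.get("nat", {}).get("PREROUTING")
    out = []
    for r in (pre.rules if pre else []):
        dpt = re.search(r"dpt:(\S+)", r.extra)
        to = re.search(r"to:(\S+)", r.extra)
        if r.target == "DNAT" and dpt and to:
            out.append((r.destination, dpt.group(1), to.group(1)))
    return out

def allowed_ports(chain):
    """(proto, port spec) pairs a FIREWALL_<ip> chain lets through via RETURN."""
    hits = [(r.prot, re.search(r"dpts?:(\S+)", r.extra)) for r in chain.rules if r.target == "RETURN"]
    return [(prot, m.group(1)) for prot, m in hits if m]

def audit(tables):
    """Defender checks: default-deny filter policies, FIREWALL_<ip> chains that
    end in DROP, and port forwards whose public port that chain never opens."""
    findings = []
    for name, chain in tables.get("filter", {}).items():
        if name in ("INPUT", "FORWARD") and chain.policy != "DROP":
            findings.append(f"filter {name} policy is {chain.policy}, expected DROP")
    fw = {n[9:]: c for n, c in tables.get("mangle", {}).items() if n.startswith("FIREWALL_")}
    for ip, chain in fw.items():
        if not chain.rules or chain.rules[-1].target != "DROP":
            findings.append(f"FIREWALL_{ip} does not end in DROP")
    for ip, port, target in port_forwards(tables):
        opened = [spec for _, spec in allowed_ports(fw[ip])] if ip in fw else []
        if not any(port_in_spec(port, spec) for spec in opened):
            findings.append(f"{ip}:{port} -> {target} is forwarded but not opened in FIREWALL_{ip}")
    return findings
```

Feed `parse_dump` the text captured from `/etc/init.d/iptables-persistent status` on the router; on the full dump above `audit()` should report nothing, since the only forwarded port (10001) lies inside the 10001:10003 range the FIREWALL_ chain returns.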
Unraveling the mystery of the virtual router


       I can't make sense of any of this




       I had planned to get up close to the mystery
       of the virtual router, but for various reasons
       this turned out to be only a small taste
       of the processing that runs inside it.
       Sorry about that.
Unraveling the mystery of the virtual router

Thank you very much



        See You Next Time !

      Some Time Some Where





20141201_OpenStack_Advent_Calendar
 
CloudStack概要と最新動向_JulyTechFesta
CloudStack概要と最新動向_JulyTechFestaCloudStack概要と最新動向_JulyTechFesta
CloudStack概要と最新動向_JulyTechFesta
 
Developer Summit_20140214
Developer Summit_20140214Developer Summit_20140214
Developer Summit_20140214
 
20131213 OSC enterprise
20131213 OSC enterprise20131213 OSC enterprise
20131213 OSC enterprise
 
20131212 advent calender
20131212 advent calender20131212 advent calender
20131212 advent calender
 
Cloud OS「Apache CloudStack」をお手軽に使ってみる方法
Cloud OS「Apache CloudStack」をお手軽に使ってみる方法Cloud OS「Apache CloudStack」をお手軽に使ってみる方法
Cloud OS「Apache CloudStack」をお手軽に使ってみる方法
 
20131030 developer lounge
20131030 developer lounge20131030 developer lounge
20131030 developer lounge
 
20131019 OSC@Tokyo CloudStackユーザー会
20131019 OSC@Tokyo CloudStackユーザー会20131019 OSC@Tokyo CloudStackユーザー会
20131019 OSC@Tokyo CloudStackユーザー会
 
第15回cloudstackユーザー会
第15回cloudstackユーザー会第15回cloudstackユーザー会
第15回cloudstackユーザー会
 
第14回cloudstackユーザー会
第14回cloudstackユーザー会第14回cloudstackユーザー会
第14回cloudstackユーザー会
 
使ってみよう CloudStack
使ってみよう CloudStack 使ってみよう CloudStack
使ってみよう CloudStack
 
CloudStack Collaboration Conference 2013 レポート
CloudStack Collaboration Conference 2013 レポートCloudStack Collaboration Conference 2013 レポート
CloudStack Collaboration Conference 2013 レポート
 
20130803 OSC@Kyoto CloudStackユーザー会
20130803 OSC@Kyoto CloudStackユーザー会20130803 OSC@Kyoto CloudStackユーザー会
20130803 OSC@Kyoto CloudStackユーザー会
 
20130714 July Tech Festa 日本CloudStackユーザー会
20130714 July Tech Festa 日本CloudStackユーザー会20130714 July Tech Festa 日本CloudStackユーザー会
20130714 July Tech Festa 日本CloudStackユーザー会
 
OSC 2013.Cloud@Osaka
OSC 2013.Cloud@OsakaOSC 2013.Cloud@Osaka
OSC 2013.Cloud@Osaka
 

CloudStack User Group: Unraveling the Mystery of the Virtual Router

  • 1. CloudStack: Unraveling the Mystery of the Virtual Router (KVM+NFS environment)
    Japan CloudStack User Group, @MayumiK0
    Copyright (C) 2012 Japan CloudStack User Group All Rights Reserved.
  • 2. Go ahead and accept it. That is your fate.
  • 3. Example CloudStack configuration
    A typical configuration:
    - Management Server
    - NFS Server (Primary/Secondary storage areas)
    - Compute Node
    [Diagram: Management Server (this may also be a virtual server); NFS server providing Primary Storage and Secondary Storage; Compute Nodes node04 and node05]
  • 4. Unraveling the mystery of the virtual router
    Let's log in to the virtual router.
    The virtual router and the Compute Node can communicate over the Link Local Network.
    Log in to the Compute Node on which the virtual router is running, then ssh from there to the virtual router's link-local address.
    [Diagram: Management Server; NFS (Primary Storage, Secondary Storage); Compute Node node04 running an instance; Compute Node node05 running the virtual router; Link Local Network between node and router]
  • 6. Unraveling the mystery of the virtual router
    Log in with ssh key authentication:
    [root@node006 ~]# ssh -i .ssh/id_rsa.cloud 169.254.3.116 -p 3922
    Linux r-5-VM 2.6.32-5-686-bigmem #1 SMP Mon Jan 16 16:42:05 UTC 2012 i686

    The programs included with the Debian GNU/Linux system are free software;
    the exact distribution terms for each program are described in the
    individual files in /usr/share/doc/*/copyright.

    Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
    permitted by applicable law.
    Last login: Sun Dec  9 14:20:04 2012 from 169.254.0.1
    root@r-5-VM:~# date ; uptime
    Mon Dec 10 15:54:59 UTC 2012
     15:54:59 up 1 day,  1:01,  1 user,  load average: 0.00, 0.00, 0.00
    root@r-5-VM:~# date; ifconfig -a
    Mon Dec 10 15:55:08 UTC 2012
    eth0      Link encap:Ethernet  HWaddr 02:00:6b:3d:00:02
              inet addr:10.1.1.1  Bcast:10.1.1.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:11592 errors:0 dropped:0 overruns:0 frame:0
              TX packets:8741 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:972709 (949.9 KiB)  TX bytes:2582211 (2.4 MiB)

    eth1      Link encap:Ethernet  HWaddr 0e:00:a9:fe:03:74
              inet addr:169.254.3.116  Bcast:169.254.255.255  Mask:255.255.0.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:12285 errors:0 dropped:0 overruns:0 frame:0
              TX packets:10166 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:1937229 (1.8 MiB)  TX bytes:1915520 (1.8 MiB)
    root@r-5-VM:~#
  • 7. Unraveling the mystery of the virtual router
    Actually, the link-local address changes when the router is rebooted:
    [root@node006 ~]# ssh -i .ssh/id_rsa.cloud 169.254.3.221 -p 3922
    Last login: Mon Dec 10 16:00:04 2012 from 169.254.0.1
    Linux r-5-VM 2.6.32-5-686-bigmem #1 SMP Mon Jan 16 16:42:05 UTC 2012 i686
    root@r-5-VM:~# date; uptime
    Mon Dec 10 16:18:29 UTC 2012
     16:18:29 up 1 min,  1 user,  load average: 0.00, 0.00, 0.00
    root@r-5-VM:~# date ;ifconfig -a
    Mon Dec 10 16:18:34 UTC 2012
    eth0      Link encap:Ethernet  HWaddr 02:00:6b:3d:00:02
              inet addr:10.1.1.1  Bcast:10.1.1.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:12 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:844 (844.0 B)  TX bytes:0 (0.0 B)

    eth1      Link encap:Ethernet  HWaddr 0e:00:a9:fe:03:dd
              inet addr:169.254.3.221  Bcast:169.254.255.255  Mask:255.255.0.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:3373 errors:0 dropped:0 overruns:0 frame:0
              TX packets:3244 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:629043 (614.2 KiB)  TX bytes:607306 (593.0 KiB)
    /)( ◕ ‿‿ ◕ )(\  "If you don't know, you can just stay not knowing. It causes you no inconvenience at all." Is that really fine?
  • 8. Unraveling the mystery of the virtual router
    Test configuration:
    - Public IP: 202.228.225.32
    - Virtual router: r-5-VM
    - Instance test01: 10.1.1.207
    - Instance test02: 10.1.1.131
    [Diagram: Management Server; NFS (Primary Storage, Secondary Storage); Compute Node node04 running instances test01 and test02; Compute Node node05 running the virtual router r-5-VM]
    Let's take a peek at what the virtual router is doing (processing) behind the scenes.
  • 9. Unraveling the mystery of the virtual router
    Processing performed at boot. This is a boot with two virtual instances present and no firewall or load-balancing settings configured yet:
    Dec 10 16:16:46 r-5-VM cloud: Starting dnsmasq
    Dec 10 16:16:46 r-5-VM cloud: Starting cloud-passwd-srvr
    Dec 10 16:16:46 r-5-VM cloud: Starting ssh
    Dec 10 16:16:46 r-5-VM cloud: Starting haproxy
    Dec 10 16:16:46 r-5-VM cloud: Starting apache2
    Dec 10 16:16:46 r-5-VM cloud: Stopping cloud
    Dec 10 16:16:46 r-5-VM cloud: Stopping nfs-common
    Dec 10 16:16:46 r-5-VM cloud: Stopping portmap
    Dec 10 16:16:48 r-5-VM cloud: ipassoc.sh:Adding first ip 202.228.225.32/26 on interface eth2
    Dec 10 16:16:48 r-5-VM cloud: ipassoc.sh:Added SourceNAT 202.228.225.32/26 on interface eth2
    Dec 10 16:16:48 r-5-VM cloud: ipassoc.sh:Added first ip 202.228.225.32/26 on interface eth2
    Dec 10 16:16:50 r-5-VM cloud: ipassoc.sh:Add routing 202.228.225.32/26 on interface eth2
    Dec 10 16:16:51 r-5-VM cloud: ipassoc.sh:Add routing 202.228.225.32/26 rules added
    Dec 10 16:16:51 r-5-VM cloud: ipassoc.sh: created VPN chain for 202.228.225.32
    Dec 10 16:16:51 r-5-VM cloud: ipassoc.sh: created firewall chain for 202.228.225.32
    Dec 10 16:16:51 r-5-VM cloud: edithosts: update 02:00:3e:53:00:01 10.1.1.207 test01 to hosts
    Dec 10 16:16:51 r-5-VM cloud: /root/edithosts.sh: setting default router for 10.1.1.207 to 10.1.1.1
    Dec 10 16:16:51 r-5-VM cloud: /root/edithosts.sh: setting dns server for 10.1.1.207 to 10.1.1.1
    Dec 10 16:16:53 r-5-VM cloud: edithosts: update 02:00:79:6c:00:03 10.1.1.131 test02 to hosts
    Dec 10 16:16:53 r-5-VM cloud: /root/edithosts.sh: setting default router for 10.1.1.131 to 10.1.1.1
    Dec 10 16:16:53 r-5-VM cloud: /root/edithosts.sh: setting dns server for 10.1.1.131 to 10.1.1.1
  • 10. Unraveling the mystery of the virtual router
    dnsmasq: software that provides a DNS forwarder and a DHCP server. (This is not an unexpected turn of events.)
    root@r-5-VM:~# ps afxwwww | grep dnsmasq
     2079 ?        S      0:00 /usr/sbin/dnsmasq -x /var/run/dnsmasq/dnsmasq.pid -u dnsmasq -7 /etc/dnsmasq.d,.dpkg-dist,.dpkg-old,.dpkg-new
    Dec 10 16:16:55 dnsmasq[2079]: started, version 2.55 cachesize 150
    Dec 10 16:16:55 dnsmasq[2079]: compile time options: IPv6 GNU-getopt DBus I18N DHCP TFTP
    Dec 10 16:16:55 dnsmasq-dhcp[2079]: DHCP, static leases only on 10.1.1.1, lease time 1h
    Dec 10 16:16:55 dnsmasq[2079]: using local addresses only for domain cs2cloud.internal
    Dec 10 16:16:55 dnsmasq[2079]: reading /etc/dnsmasq-resolv.conf
    Dec 10 16:16:55 dnsmasq[2079]: using nameserver 8.8.8.8#53
    Dec 10 16:16:55 dnsmasq[2079]: using local addresses only for domain cs2cloud.internal
    Dec 10 16:16:55 dnsmasq[2079]: read /etc/hosts - 15 addresses
    Dec 10 16:16:55 dnsmasq-dhcp[2079]: read /etc/dhcphosts.txt
    Dec 10 16:16:55 dnsmasq-dhcp[2079]: read /etc/dhcpopts.txt
    root@r-5-VM:/etc# cat /etc/dhcpopts.txt
    10_1_1_207,3,10.1.1.1
    10_1_1_207,6,10.1.1.1
    10_1_1_131,3,10.1.1.1
    10_1_1_131,6,10.1.1.1
  • 11. Unraveling the mystery of the virtual router
    haproxy: an L7 load balancer. (Decide on your wish (configuration). Quickly!)
    root@r-5-VM:~# ps afxwwww | grep haproxy
     1501 ?        Ss     0:00 /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -D -p /var/run/haproxy.pid
    root@r-5-VM:~# cat /etc/haproxy/haproxy.cfg
    global
        log 127.0.0.1:3914   local0 warning
        maxconn 4096
        chroot /var/lib/haproxy
        user haproxy
        group haproxy
        daemon

    defaults
        log     global
        mode    tcp
        option  dontlognull
        (snip)

    listen  vmops 0.0.0.0:9
        option transparent
  • 12. Unraveling the mystery of the virtual router
    Shell scripts executed on the virtual router:
    root@r-5-VM:~# pwd
    /root
    root@r-5-VM:~# ls
    -rwxr-xr-x 1 root root   824 Oct 24 05:25 bumpup_priority.sh
    -rwxr-xr-x 1 root root  1462 Oct 24 05:25 clearUsageRules.sh
    -rwxr-xr-x 1 root root  3545 Oct 24 05:25 edithosts.sh
    -rwxr-xr-x 1 root root  6332 Oct 24 05:25 firewall_rule.sh
    -rwxr-xr-x 1 root root 12404 Oct 24 05:25 firewall.sh
    -rwxr-xr-x 1 root root  2429 Oct 24 05:25 func.sh
    -rw-r--r-- 1 root root 13600 Feb  6  2012 ipassoc.sh
    -rwxr-xr-x 1 root root  8239 Oct 24 05:25 loadbalancer.sh
    -rw-r--r-- 1 root root  3464 Feb  6  2012 netusage.sh
    -rwxr-xr-x 1 root root  1667 Oct 24 05:25 reconfigLB.sh
    drwxr-xr-x 2 root root  4096 Nov 25 09:28 redundant_router
    -rwxr-xr-x 1 root root  1441 Oct 24 05:25 savepassword.sh
    -rwxr-xr-x 1 root root  2497 Oct 24 05:25 userdata.py
    -rwxr-xr-x 1 root root  3235 Oct 24 05:25 userdata.sh
    Part of firewall_rule.sh. It appears to write the rules straight into iptables, one by one:
    root@r-5-VM:~# cat firewall_rule.sh
    #!/usr/bin/env bash
    fw_chain_for_ip () {
      local pubIp=$1
      fw_remove_backup $1
      sudo iptables -t mangle -E FIREWALL_$pubIp _FIREWALL_$pubIp 2> /dev/null
      sudo iptables -t mangle -N FIREWALL_$pubIp 2> /dev/null
      # drop if no rules match (this will be the last rule in the chain)
      sudo iptables -t mangle -A FIREWALL_$pubIp -j DROP > /dev/null
      # ensure outgoing connections are maintained (first rule in chain)
      sudo iptables -t mangle -I FIREWALL_$pubIp -m state --state RELATED,ESTABLISHED -j ACCEPT > /dev/null
      #ensure that this table is after VPN chain
      sudo iptables -t mangle -I PREROUTING 2 -d $pubIp -j FIREWALL_$pubIp
      success=$?
      if [ $success -gt 0 ]
      then
        # if VPN chain is not present for various reasons, try to add in to the first slot */
        sudo iptables -t mangle -I PREROUTING -d $pubIp -j FIREWALL_$pubIp
      fi
    }
  • 13. Unraveling the mystery of the virtual router
    Creating a new instance. dnsmasq hands out an IP address to the instance:
    root@r-5-VM:/var/log# cat dnsmasq.log
    Dec 11 17:11:09 dnsmasq[8541]: started, version 2.55 cachesize 150
    Dec 11 17:11:09 dnsmasq[8541]: compile time options: IPv6 GNU-getopt DBus I18N DHCP TFTP
    Dec 11 17:11:09 dnsmasq-dhcp[8541]: DHCP, static leases only on 10.1.1.1, lease time 1h
    Dec 11 17:11:09 dnsmasq[8541]: using local addresses only for domain cs2cloud.internal
    Dec 11 17:11:09 dnsmasq[8541]: reading /etc/dnsmasq-resolv.conf
    Dec 11 17:11:09 dnsmasq[8541]: using nameserver 8.8.8.8#53
    Dec 11 17:11:09 dnsmasq[8541]: using local addresses only for domain cs2cloud.internal
    Dec 11 17:11:09 dnsmasq[8541]: read /etc/hosts - 16 addresses
    Dec 11 17:11:09 dnsmasq-dhcp[8541]: read /etc/dhcphosts.txt
    Dec 11 17:11:09 dnsmasq-dhcp[8541]: read /etc/dhcpopts.txt
    Dec 11 17:12:04 dnsmasq-dhcp[8541]: DHCPDISCOVER(eth0) 10.0.2.15 02:00:62:c8:00:04
    Dec 11 17:12:04 dnsmasq-dhcp[8541]: DHCPOFFER(eth0) 10.1.1.100 02:00:62:c8:00:04
    Dec 11 17:12:04 dnsmasq-dhcp[8541]: DHCPREQUEST(eth0) 10.1.1.100 02:00:62:c8:00:04
    Dec 11 17:12:04 dnsmasq-dhcp[8541]: DHCPACK(eth0) 10.1.1.100 02:00:62:c8:00:04 test03
  • 14. Unraveling the mystery of the virtual router
    Firewall settings. Configuration scripts: ipassoc.sh, firewall.sh, firewall_rule.sh.
    /var/log/messages:
    Dec 11 17:18:54 r-5-VM cloud: FirewallRule public interfaces =  eth2
    Dec 11 17:18:54 r-5-VM cloud: firewall_rule.sh: enter apply firewall rules for public ip 202.228.225.32:tcp:10001:10003:0.0.0.0/0
    Dec 11 17:18:54 r-5-VM cloud: firewall_rule.sh: exit apply firewall rules for public ip 202.228.225.32
    Dec 11 17:18:54 r-5-VM cloud: firewall_rule.sh: successful in applying fw rules for ip 202.228.225.32
    Dec 11 17:18:54 r-5-VM cloud: firewall_rule.sh: deleting backup for ip: 202.228.225.32
  • 15. Unraveling the mystery of the virtual router
    Port forwarding settings. Configuration scripts: ipassoc.sh, firewall.sh.
    /var/log/messages:
    Dec 11 17:29:30 r-5-VM cloud: firewall.sh: creating port fwd entry for PAT: public ip=202.228.225.32   instance ip=10.1.1.207 proto=tcp port=10001:10001 dport=22-22 op=-A
    Dec 11 17:29:30 r-5-VM cloud: firewall.sh: creating port fwd entry for PAT: public ip=202.228.225.32   instance ip=10.1.1.207 proto=tcp port=10001:10001 dport=22-22 op=-D
    Dec 11 17:29:30 r-5-VM cloud: firewall.sh: create HairPin entry : public ip=202.228.225.32   instance ip=10.1.1.207 proto=tcp portRange=22-22 op=-D
    Dec 11 17:29:30 r-5-VM cloud: firewall.sh: done port fwd entry for PAT: public ip=202.228.225.32 op=-D result=1
    Dec 11 17:29:30 r-5-VM cloud: firewall.sh: create HairPin entry : public ip=202.228.225.32   instance ip=10.1.1.207 proto=tcp portRange=22-22 op=-A
    Dec 11 17:29:30 r-5-VM cloud: firewall.sh: done port fwd entry for PAT: public ip=202.228.225.32 op=-A result=0
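The log lines on slides 9, 10, 13, 14 and 15 are enough to rebuild what the router actually configured. As an added example (it is not part of this deck and not CloudStack's own code), the Python below parses the `cloud:` lines from /var/log/messages, the rows of /etc/dhcpopts.txt and the DHCPACK lines from dnsmasq.log, and cross-checks them: DHCP option 3 (router) and option 6 (DNS server) in dhcpopts.txt must agree with what edithosts.sh logged, a port forward only counts once firewall.sh logs `result=0` for its `-A`, and every DHCPACK must be for an IP/MAC pair that edithosts registered, since dnsmasq runs with static leases only. The sample input is taken from the slides plus one constructed edithosts line for test03 and one constructed DHCPACK for a MAC that was never registered.

```python
import re

# Constructed sample input: "cloud:" lines from /var/log/messages as shown on
# slides 9, 14 and 15, plus one edithosts line for test03 (not on the slides).
MESSAGES = """\
Dec 10 16:16:48 r-5-VM cloud: ipassoc.sh:Added SourceNAT 202.228.225.32/26 on interface eth2
Dec 10 16:16:51 r-5-VM cloud: edithosts: update 02:00:3e:53:00:01 10.1.1.207 test01 to hosts
Dec 10 16:16:51 r-5-VM cloud: /root/edithosts.sh: setting default router for 10.1.1.207 to 10.1.1.1
Dec 10 16:16:51 r-5-VM cloud: /root/edithosts.sh: setting dns server for 10.1.1.207 to 10.1.1.1
Dec 10 16:16:53 r-5-VM cloud: edithosts: update 02:00:79:6c:00:03 10.1.1.131 test02 to hosts
Dec 10 16:16:53 r-5-VM cloud: /root/edithosts.sh: setting default router for 10.1.1.131 to 10.1.1.1
Dec 10 16:16:53 r-5-VM cloud: /root/edithosts.sh: setting dns server for 10.1.1.131 to 10.1.1.1
Dec 11 17:12:00 r-5-VM cloud: edithosts: update 02:00:62:c8:00:04 10.1.1.100 test03 to hosts
Dec 11 17:18:54 r-5-VM cloud: firewall_rule.sh: enter apply firewall rules for public ip 202.228.225.32:tcp:10001:10003:0.0.0.0/0
Dec 11 17:29:30 r-5-VM cloud: firewall.sh: creating port fwd entry for PAT: public ip=202.228.225.32   instance ip=10.1.1.207 proto=tcp port=10001:10001 dport=22-22 op=-A
Dec 11 17:29:30 r-5-VM cloud: firewall.sh: creating port fwd entry for PAT: public ip=202.228.225.32   instance ip=10.1.1.207 proto=tcp port=10001:10001 dport=22-22 op=-D
Dec 11 17:29:30 r-5-VM cloud: firewall.sh: done port fwd entry for PAT: public ip=202.228.225.32 op=-D result=1
Dec 11 17:29:30 r-5-VM cloud: firewall.sh: done port fwd entry for PAT: public ip=202.228.225.32 op=-A result=0
"""
# /etc/dhcpopts.txt as shown on slide 10: <tag>,<DHCP option code>,<value>
DHCPOPTS = """\
10_1_1_207,3,10.1.1.1
10_1_1_207,6,10.1.1.1
10_1_1_131,3,10.1.1.1
10_1_1_131,6,10.1.1.1
"""
# dnsmasq DHCPACK lines: the one from slide 13 plus a constructed ACK for a
# MAC that edithosts never registered.
DNSMASQ_LOG = """\
Dec 11 17:12:04 dnsmasq-dhcp[8541]: DHCPACK(eth0) 10.1.1.100 02:00:62:c8:00:04 test03
Dec 11 17:40:00 dnsmasq-dhcp[8541]: DHCPACK(eth0) 10.1.1.250 02:00:de:ad:be:ef unregistered
"""

CLOUD = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ cloud: (?P<msg>.*)$")
HOST = re.compile(r"edithosts: update (?P<mac>\S+) (?P<ip>\S+) (?P<name>\S+) to hosts")
OPT = re.compile(r"setting (?P<what>default router|dns server) for (?P<ip>\S+) to (?P<val>\S+)")
FW = re.compile(r"enter apply firewall rules for public ip (?P<pub>[\d.]+):(?P<proto>\w+):(?P<lo>\d+):(?P<hi>\d+):(?P<cidr>\S+)")
PF = re.compile(r"creating port fwd entry for PAT: public ip=(?P<pub>\S+) +instance ip=(?P<inst>\S+) proto=(?P<proto>\w+) port=(?P<port>\d+):\d+ dport=(?P<dport>\d+)-\d+ op=(?P<op>-[AD])")
PF_DONE = re.compile(r"done port fwd entry for PAT: public ip=(?P<pub>\S+) op=(?P<op>-[AD]) result=(?P<rc>\d+)")
SNAT = re.compile(r"ipassoc\.sh:Added SourceNAT (?P<cidr>\S+) on interface (?P<dev>\S+)")
ACK = re.compile(r"DHCPACK\(\w+\) (?P<ip>\S+) (?P<mac>\S+)(?: (?P<name>\S+))?")
OPTION_CODE = {"default router": 3, "dns server": 6}  # standard DHCP option numbers


def parse_messages(text):
    """Rebuild what the router scripts configured, from their cloud: log lines."""
    state = {"source_nat": [], "hosts": {}, "dhcp_opts": {}, "firewall": [], "port_forwards": {}}
    pending = {}  # (public ip, op) -> port-forward details awaiting a "done ... result=0" line
    for line in text.splitlines():
        m = CLOUD.match(line)
        if not m:
            continue
        msg = m["msg"]
        if h := HOST.search(msg):
            state["hosts"][h["ip"]] = (h["mac"], h["name"])
        elif o := OPT.search(msg):
            state["dhcp_opts"][(o["ip"], OPTION_CODE[o["what"]])] = o["val"]
        elif f := FW.search(msg):
            state["firewall"].append((f["pub"], f["proto"], int(f["lo"]), int(f["hi"]), f["cidr"]))
        elif p := PF.search(msg):
            pending[(p["pub"], p["op"])] = p
        elif d := PF_DONE.search(msg):
            p = pending.pop((d["pub"], d["op"]), None)
            if p is None or d["rc"] != "0":
                continue  # iptables failed, e.g. -D of a rule that was not there yet (result=1)
            key = (p["pub"], p["proto"], int(p["port"]))
            if d["op"] == "-A":
                state["port_forwards"][key] = (p["inst"], int(p["dport"]))
            else:
                state["port_forwards"].pop(key, None)
        elif s := SNAT.search(msg):
            state["source_nat"].append((s["cidr"], s["dev"]))
    return state


def parse_dhcpopts(text):
    """dnsmasq dhcp-optsfile rows; the tag is the instance IP with dots written as underscores."""
    opts = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            tag, code, value = line.strip().split(",", 2)
            opts[(tag.replace("_", "."), int(code))] = value
    return opts


def dhcpopts_mismatches(state, opts):
    """Options the log says were set but that are missing or different in dhcpopts.txt."""
    return sorted(k for k, v in state["dhcp_opts"].items() if opts.get(k) != v)


def unexpected_leases(state, dnsmasq_log):
    """DHCPACKs for an (ip, mac) pair edithosts never registered; the router hands out static leases only."""
    bad = []
    for line in dnsmasq_log.splitlines():
        a = ACK.search(line)
        if a and state["hosts"].get(a["ip"], ("",))[0] != a["mac"]:
            bad.append((a["ip"], a["mac"], a["name"]))
    return bad
```

Run it against a real router by reading /var/log/messages, /etc/dhcpopts.txt and /var/log/dnsmasq.log into the three strings; an empty result from dhcpopts_mismatches and unexpected_leases means the files on disk agree with what the scripts logged.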
  • 16. Unraveling the mystery of the virtual router
    Load balancing settings.
    /var/log/messages:
    Dec 11 17:37:22 r-5-VM cloud: Loadbalancer public interfaces =  eth2
    Dec 11 17:37:24 r-5-VM cloud: New haproxy instance successfully loaded, stopping previous one.
    Dec 11 17:37:25 r-5-VM cloud: ipassoc.sh:Adding first ip 202.228.225.32/26 on interface eth2
    Dec 11 17:37:25 r-5-VM cloud: ipassoc.sh:Added SourceNAT 202.228.225.32/26 on interface eth2
    Dec 11 17:37:25 r-5-VM cloud: ipassoc.sh:Added first ip 202.228.225.32/26 on interface eth2
    Dec 11 17:37:27 r-5-VM cloud: ipassoc.sh:Add routing 202.228.225.32/26 on interface eth2
    Dec 11 17:37:27 r-5-VM cloud: ipassoc.sh: VPN chain for 202.228.225.32 already exists
    Dec 11 17:37:27 r-5-VM cloud: ipassoc.sh: firewall chain for 202.228.225.32 already exists
    The settings are written to haproxy.cfg:
    root@r-5-VM:/var/log# cat /etc/haproxy/haproxy.cfg
    global
        log 127.0.0.1:3914   local0 warning
    (snip)
    listen 202_228_225_32-80 202.228.225.32:80
        balance roundrobin
        server 202_228_225_32-80_0 10.1.1.207:80 check
        server 202_228_225_32-80_1 10.1.1.131:80 check
        mode http
        option httpclose
  • 17. Unraveling the mystery of the virtual router
    Load balancing settings. Health-check logs are also written:
    root@r-5-VM:/var/log# cat haproxy.log
    Dec 10 14:44:02 localhost haproxy[1486]: Pausing proxy cloud-default.
    Dec 10 14:44:04 localhost haproxy[8711]: Server 202_228_225_32-80/202_228_225_32-80_0 is DOWN, reason: Layer4 connection problem, info: "No route to host", check duration: 3ms.
    Dec 10 14:44:04 localhost haproxy[8711]: proxy 202_228_225_32-80 has no server available!
    Dec 10 14:44:19 localhost haproxy[8712]: Pausing proxy stats_on_public.
    Dec 10 14:44:19 localhost haproxy[8712]: Pausing proxy 202_228_225_32-80.
    Dec 10 14:44:21 localhost haproxy[9064]: Server 202_228_225_32-80/202_228_225_32-80_0 is DOWN, reason: Layer4 connection problem, info: "No route to host", check duration: 0ms.
    Dec 10 14:44:22 localhost haproxy[9065]: Server 202_228_225_32-80/202_228_225_32-80_1 is DOWN, reason: Layer4 connection problem, info: "No route to host", check duration: 5ms.
    Dec 10 14:44:22 localhost haproxy[9065]: proxy 202_228_225_32-80 has no server available!
    Dec 10 15:58:10 localhost haproxy[1527]: Server 202_228_225_32-80/202_228_225_32-80_1 is DOWN, reason: Layer4 connection problem, info: "No route to host", check duration: 5ms.
    Dec 10 15:58:10 localhost haproxy[1527]: proxy 202_228_225_32-80 has no server available!
    Dec 10 15:58:16 localhost haproxy[1527]: Pausing proxy stats_on_public.
    Dec 10 15:58:16 localhost haproxy[1527]: Pausing proxy 202_228_225_32-80.
    Dec 10 15:58:18 localhost haproxy[2432]: Server 202_228_225_32-80/202_228_225_32-80_0 is DOWN, reason: Layer4 connection problem, info: "No route to host", check duration: 0ms.
    Dec 10 15:58:19 localhost haproxy[2433]: Server 202_228_225_32-80/202_228_225_32-80_1 is DOWN, reason: Layer4 connection problem, info: "No route to host", check duration: 0ms.
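Slides 16 and 17 show the haproxy.cfg listen block the router generates and the health-check log that follows it. As an added example (not from the deck and not CloudStack's own code), the Python below parses listen blocks into their bind address and servers, replays the "Server X/Y is DOWN" events from haproxy.log onto that model, and reports proxies whose every health-checked backend is down, which is the condition the "has no server available!" line signals. Both inputs are constructed excerpts of the slides.

```python
import re

# Constructed sample: the haproxy.cfg excerpt from slide 16 and three lines
# of the haproxy.log shown on slide 17.
HAPROXY_CFG = """\
global
    log 127.0.0.1:3914   local0 warning
defaults
    log     global
    mode    tcp
listen 202_228_225_32-80 202.228.225.32:80
    balance roundrobin
    server 202_228_225_32-80_0 10.1.1.207:80 check
    server 202_228_225_32-80_1 10.1.1.131:80 check
    mode http
    option httpclose
"""
HAPROXY_LOG = """\
Dec 10 15:58:10 localhost haproxy[1527]: Server 202_228_225_32-80/202_228_225_32-80_1 is DOWN, reason: Layer4 connection problem, info: "No route to host", check duration: 5ms.
Dec 10 15:58:10 localhost haproxy[1527]: proxy 202_228_225_32-80 has no server available!
Dec 10 15:58:18 localhost haproxy[2432]: Server 202_228_225_32-80/202_228_225_32-80_0 is DOWN, reason: Layer4 connection problem, info: "No route to host", check duration: 0ms.
"""

EVENT = re.compile(r"haproxy\[\d+\]: Server (?P<proxy>\S+)/(?P<server>\S+) is (?P<state>UP|DOWN)")


def parse_listen_blocks(cfg):
    """Map each `listen` section to its bind address, its servers and which of them are health-checked."""
    proxies, cur = {}, None
    for raw in cfg.splitlines():
        toks = raw.split()
        if not toks:
            continue
        if toks[0] == "listen":
            cur = proxies[toks[1]] = {"bind": toks[2] if len(toks) > 2 else None,
                                      "servers": {}, "check": set()}
        elif toks[0] in ("global", "defaults", "frontend", "backend"):
            cur = None  # leaving a listen section
        elif cur is not None and toks[0] == "server":
            cur["servers"][toks[1]] = toks[2]
            if "check" in toks[3:]:
                cur["check"].add(toks[1])
    return proxies


def server_states(proxies, log):
    """Replay state-change events from haproxy.log; 'unknown' means no event was logged for that server."""
    states = {(p, s): "unknown" for p, cfg in proxies.items() for s in cfg["servers"]}
    for line in log.splitlines():
        m = EVENT.search(line)
        if m and (m["proxy"], m["server"]) in states:
            states[(m["proxy"], m["server"])] = m["state"]
    return states


def proxies_without_backends(proxies, states):
    """Proxies whose every health-checked server is DOWN (what 'has no server available!' reports)."""
    out = []
    for p, cfg in proxies.items():
        checked = cfg["check"] or set(cfg["servers"])
        if checked and all(states[(p, s)] == "DOWN" for s in checked):
            out.append(p)
    return out
```

On a live router, feed it /etc/haproxy/haproxy.cfg and /var/log/haproxy.log; a proxy listed by proxies_without_backends is one whose public port is answering but has nowhere to send traffic.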
  • 18. Unraveling the mystery of the virtual router
    iptables:
    root@r-5-VM:/etc/init.d# /etc/init.d/iptables-persistent status
    Filter Rules:
    --------------
    Chain INPUT (policy DROP 2503 packets, 101K bytes)
     pkts bytes target     prot opt in     out     source               destination
    64324 6276K NETWORK_STATS  all  --  any    any     anywhere             anywhere
        0     0 ACCEPT     all  --  any    any     anywhere             vrrp.mcast.net
        0     0 ACCEPT     all  --  any    any     anywhere             225.0.0.50
    37401 3291K ACCEPT     all  --  eth0   any     anywhere             anywhere             state RELATED,ESTABLISHED
    14833 2394K ACCEPT     all  --  eth1   any     anywhere             anywhere             state RELATED,ESTABLISHED
      390 34943 ACCEPT     all  --  eth2   any     anywhere             anywhere             state RELATED,ESTABLISHED
      453 38052 ACCEPT     icmp --  any    any     anywhere             anywhere
       13  1401 ACCEPT     all  --  lo     any     anywhere             anywhere
        2   656 ACCEPT     udp  --  eth0   any     anywhere             anywhere             udp dpt:bootps
     1961  133K ACCEPT     udp  --  eth0   any     anywhere             anywhere             udp dpt:domain
      719 43140 ACCEPT     tcp  --  eth1   any     anywhere             anywhere             state NEW tcp dpt:3922
        0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere             state NEW tcp dpt:http-alt
        0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere             state NEW tcp dpt:www
        0     0 load_balancer_eth0  tcp  --  eth0   any     anywhere             anywhere
        0     0 load_balancer_eth2  tcp  --  eth2   any     anywhere             anywhere
        0     0 lb_stats   tcp  --  any    any     anywhere             anywhere
  • 19. Unraveling the mystery of the virtual router
    iptables (continued):
    Chain FORWARD (policy DROP 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
    10587 7297K NETWORK_STATS  all  --  any    any     anywhere             anywhere
        0     0 ACCEPT     all  --  eth0   eth1    anywhere             anywhere             state RELATED,ESTABLISHED
        0     0 ACCEPT     all  --  eth0   eth0    anywhere             anywhere             state NEW
        0     0 ACCEPT     all  --  eth0   eth0    anywhere             anywhere             state RELATED,ESTABLISHED
      528  106K ACCEPT     tcp  --  any    any     anywhere             test01               state RELATED,ESTABLISHED /* 202.228.225.32:10001:10001 */
        0     0 ACCEPT     tcp  --  any    any     anywhere             test01               tcp dpt:ssh state NEW /* 202.228.225.32:10001:10001 */
     2195 4043K ACCEPT     all  --  eth2   eth0    anywhere             anywhere             state RELATED,ESTABLISHED
     2062  142K ACCEPT     all  --  eth0   eth2    anywhere             anywhere

    Chain OUTPUT (policy ACCEPT 41154 packets, 2856K bytes)
     pkts bytes target     prot opt in     out     source               destination
    54494 5162K NETWORK_STATS  all  --  any    any     anywhere             anywhere

    Chain NETWORK_STATS (3 references)
     pkts bytes target     prot opt in     out     source               destination
     4863  349K            all  --  eth0   eth2    anywhere             anywhere
     5724 6948K            all  --  eth2   eth0    anywhere             anywhere
        0     0            tcp  --  !eth0  eth2    anywhere             anywhere
        0     0            tcp  --  eth2   !eth0   anywhere             anywhere
  • 20. Unraveling the mystery of the virtual router
    iptables (continued):
    Chain lb_stats (1 references)
     pkts bytes target     prot opt in     out     source               destination
        0     0 ACCEPT     tcp  --  any    any     anywhere             202.228.225.32       state NEW tcp dpt:tproxy

    Chain load_balancer_eth0 (1 references)
     pkts bytes target     prot opt in     out     source               destination
        0     0 ACCEPT     tcp  --  any    any     anywhere             202.228.225.32       tcp dpt:www

    Chain load_balancer_eth2 (1 references)
     pkts bytes target     prot opt in     out     source               destination
        0     0 ACCEPT     tcp  --  any    any     anywhere             202.228.225.32       tcp dpt:www

    NAT Rules:
    -------------
    Chain PREROUTING (policy ACCEPT 41247 packets, 1685K bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 DNAT       tcp  --  eth2   any     anywhere             202.228.225.32       tcp dpt:10001 to:10.1.1.207:22
        0     0 DNAT       tcp  --  eth0   any     anywhere             202.228.225.32       tcp dpt:10001 to:10.1.1.207:22

    Chain POSTROUTING (policy ACCEPT 37392 packets, 2244K bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 SNAT       tcp  --  any    eth0    10.1.1.0/24          test01               tcp dpt:10001 to:10.1.1.1
      581 35575 SNAT       all  --  any    eth2    anywhere             anywhere             to:202.228.225.32

    Chain OUTPUT (policy ACCEPT 37543 packets, 2253K bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 DNAT       tcp  --  any    any     anywhere             202.228.225.32       tcp dpt:10001 to:10.1.1.207:22
  • 21. Unraveling the mystery of the virtual router
    iptables (continued):
    Mangle Rules:
    ----------------
    Chain PREROUTING (policy ACCEPT 84426 packets, 5631K bytes)
     pkts bytes target     prot opt in     out     source               destination
     6411 7002K VPN_202.228.225.32  all  --  any    any     anywhere             202.228.225.32
       81  4769 FIREWALL_202.228.225.32  all  --  any    any     anywhere             202.228.225.32
    55712 5951K CONNMARK   all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED CONNMARK restore
        0     0 MARK       tcp  --  eth2   any     anywhere             202.228.225.32       tcp dpt:10001 MARK set 0x2
        0     0 CONNMARK   tcp  --  eth2   any     anywhere             202.228.225.32       tcp dpt:10001 state NEW CONNMARK save

    Chain INPUT (policy ACCEPT 44607 packets, 3987K bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain FORWARD (policy ACCEPT 4785 packets, 4291K bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain OUTPUT (policy ACCEPT 41524 packets, 2927K bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain POSTROUTING (policy ACCEPT 46309 packets, 7218K bytes)
     pkts bytes target     prot opt in     out     source               destination
        2   670 CHECKSUM   udp  --  any    any     anywhere             anywhere             udp dpt:bootpc CHECKSUM fill

    Chain FIREWALL_202.228.225.32 (1 references)
     pkts bytes target     prot opt in     out     source               destination
        0     0 ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
        0     0 RETURN     tcp  --  any    any     anywhere             anywhere             tcp dpts:10001:10003
       81  4769 DROP       all  --  any    any     anywhere             anywhere

    Chain VPN_202.228.225.32 (1 references)
     pkts bytes target     prot opt in     out     source               destination
     6123 6984K ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
      288 18062 RETURN     all  --  any    any     anywhere             anywhere
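The FIREWALL_202.228.225.32 chain on slide 21 is exactly what fw_chain_for_ip on slide 12 builds: a RELATED,ESTABLISHED accept inserted first, an unconditional DROP appended last, and the per-rule RETURNs for the allowed port ranges in between. As an added example (not from the deck and not CloudStack's own code), the Python below parses `iptables -L -v` style output such as the iptables-persistent listing on slides 18 to 21 and checks those invariants, plus two things a reviewer of this router would look for: the filter INPUT policy is DROP, and the router's ssh port 3922 is accepted only on the link-local interface eth1. The embedded listing is a constructed excerpt of slides 18 and 21.

```python
import re

# Constructed sample: an excerpt of the iptables-persistent status listing on
# slides 18 and 21 (filter INPUT/NETWORK_STATS and the mangle PREROUTING,
# FIREWALL_ and VPN_ chains); the format is that of `iptables -L -v`.
LISTING = """\
Filter Rules:
--------------
Chain INPUT (policy DROP 2503 packets, 101K bytes)
 pkts bytes target     prot opt in     out     source               destination
64324 6276K NETWORK_STATS  all  --  any    any     anywhere             anywhere
37401 3291K ACCEPT     all  --  eth0   any     anywhere             anywhere             state RELATED,ESTABLISHED
  719 43140 ACCEPT     tcp  --  eth1   any     anywhere             anywhere             state NEW tcp dpt:3922
    0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere             state NEW tcp dpt:www

Chain NETWORK_STATS (3 references)
 pkts bytes target     prot opt in     out     source               destination
 4863  349K            all  --  eth0   eth2    anywhere             anywhere

Mangle Rules:
----------------
Chain PREROUTING (policy ACCEPT 84426 packets, 5631K bytes)
 pkts bytes target     prot opt in     out     source               destination
 6411 7002K VPN_202.228.225.32  all  --  any    any     anywhere             202.228.225.32
   81  4769 FIREWALL_202.228.225.32  all  --  any    any     anywhere             202.228.225.32

Chain FIREWALL_202.228.225.32 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
    0     0 RETURN     tcp  --  any    any     anywhere             anywhere             tcp dpts:10001:10003
   81  4769 DROP       all  --  any    any     anywhere             anywhere

Chain VPN_202.228.225.32 (1 references)
 pkts bytes target     prot opt in     out     source               destination
 6123 6984K ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
  288 18062 RETURN     all  --  any    any     anywhere             anywhere
"""

PROTOS = {"all", "tcp", "udp", "icmp"}
CHAIN = re.compile(r"^Chain (\S+) \((?:policy (\w+)|\d+ references)")
PORTS = re.compile(r"\bdpts?:(\d+)(?::(\d+))?")


def parse_listing(text):
    """Parse `iptables -L -v` output into {(table, chain): {"policy": ..., "rules": [...]}}."""
    chains, table, cur = {}, None, None
    for line in text.splitlines():
        if line.endswith(" Rules:"):          # iptables-persistent section header
            table = line.split()[0].lower()
            continue
        m = CHAIN.match(line)
        if m:
            cur = chains[(table, m.group(1))] = {"policy": m.group(2), "rules": []}
            continue
        toks = line.split()
        if cur is None or len(toks) < 8 or toks[0] == "pkts":
            continue                           # blank, separator or column-header line
        if toks[2] in PROTOS:                  # accounting rule with no target: protocol sits in column 3
            toks.insert(2, "")
        _pkts, _bytes, target, proto, _opt, dev_in, dev_out, src, dst = toks[:9]
        cur["rules"].append({"target": target, "proto": proto, "in": dev_in, "out": dev_out,
                             "src": src, "dst": dst, "extra": toks[9:]})
    return chains


def find_open_ports(chains, pub_ip):
    """Port ranges the FIREWALL_<ip> chain lets through via RETURN, as (proto, lo, hi)."""
    out = []
    for r in chains[("mangle", f"FIREWALL_{pub_ip}")]["rules"]:
        m = PORTS.search(" ".join(r["extra"])) if r["target"] == "RETURN" else None
        if m:
            out.append((r["proto"], int(m.group(1)), int(m.group(2) or m.group(1))))
    return out


def audit(chains, pub_ip):
    """Findings against the structure the router scripts intend; an empty list means all checks pass."""
    findings = []
    inp = chains[("filter", "INPUT")]
    if inp["policy"] != "DROP":
        findings.append("filter INPUT policy is not DROP")
    for r in inp["rules"]:
        if r["target"] == "ACCEPT" and "dpt:3922" in r["extra"] and r["in"] != "eth1":
            findings.append(f"ssh port 3922 accepted on {r['in']}, not only on the link-local eth1")
    fw = chains.get(("mangle", f"FIREWALL_{pub_ip}"))
    if fw is None or not fw["rules"]:
        return findings + [f"no FIREWALL_{pub_ip} chain"]
    first, last = fw["rules"][0], fw["rules"][-1]
    if not (first["target"] == "ACCEPT" and "RELATED,ESTABLISHED" in first["extra"]):
        findings.append("FIREWALL chain does not start with the RELATED,ESTABLISHED accept")
    if not (last["target"] == "DROP" and last["proto"] == "all" and not last["extra"]):
        findings.append("FIREWALL chain does not end with an unconditional DROP")
    return findings
```

The parser keys chains by (table, name) because PREROUTING, INPUT and OUTPUT exist in more than one table, as slides 20 and 21 show. Hostnames such as test01 or service names such as www appear in the listing because the router was listed without `-n`; the audit therefore matches on the dpt: token rather than on numeric addresses.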
  • 22. Unraveling the mystery of the virtual router
    I don't understand what's going on.
    I had planned to dig vividly into the mystery of the virtual router, but for various reasons this was only a brief glimpse of the processing that runs inside it. Sorry.
  • 23. Unraveling the mystery of the virtual router
    Thank you. See You Next Time! Some Time Some Where