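One controller node with a management network interface.

Two network nodes with four network interfaces: management, project tunnel networks, project VLAN networks, and external (typically the Internet). The Open vSwitch bridge br-vlan must contain a port on the VLAN interface, and the Open vSwitch bridge br-ex must contain a port on the external interface.

At least one compute node with three network interfaces: management, project tunnel networks, and project VLAN networks. The Open vSwitch bridge br-vlan must contain a port on the VLAN interface.

To make the network traffic flow easier to follow, the network and compute nodes contain a separate network interface for project VLAN networks. In production environments, project VLAN networks can use any Open vSwitch bridge with access to a network interface, for example the br-tun bridge.

In the example configuration, the management network uses 10.0.0.0/24, the tunnel network uses 10.0.1.0/24, the VRRP network uses 169.254.192.0/18, and the external network uses 203.0.113.0/24. The VLAN network does not require an IP address range because it only handles layer-2 connectivity.

[Figure: Hardware requirements]

[Figure: Network layout]

[Figure: Service layout]

Note: For VLAN external and project networks, the network infrastructure must support VLAN tagging. For best performance with VXLAN and GRE project networks, the network infrastructure should support jumbo frames.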

OpenStack services on the controller node

1. Appropriate configuration for the database server in the neutron.conf file.
2. Appropriate configuration for the message queue service in the neutron.conf file.
3. Appropriate configuration for the OpenStack keystone service in the neutron.conf file.
4. Appropriate configuration in the nova.conf file for the OpenStack Compute controller/management service to use OpenStack Networking.
5. The neutron server service, the ML2 plug-in, and any dependencies.

OpenStack services on the network nodes

1. Appropriate configuration for the OpenStack keystone service in the neutron.conf file.
2. The Open vSwitch service, ML2 plug-in, Open vSwitch agent, L3 agent, DHCP agent, metadata agent, and any dependencies.

OpenStack services on the compute nodes

1. Appropriate configuration for the OpenStack keystone service in the neutron.conf file.
2. Appropriate configuration in the nova.conf file for the OpenStack Compute controller/management service to use OpenStack Networking.
3. The Open vSwitch service, ML2 plug-in, Open vSwitch agent, and any dependencies.

Architecture

[Figure: General architecture]

The network nodes contain the following components:

1. The Open vSwitch agent, which manages connectivity among virtual switches and interaction, via virtual ports, with other network components such as namespaces, Linux bridges, and underlying interfaces.
2. The DHCP agent, which manages the qdhcp namespaces. The qdhcp namespaces provide DHCP services for instances that use project networks.
3. The L3 agent, which manages the qrouter namespaces and VRRP using keepalived. The qrouter namespaces provide routing between project and external networks and among project networks. They also route metadata traffic between instances and the metadata agent.
4. The metadata agent, which handles metadata operations for instances.

[Figure: Network node components, overview]

[Figure: Network node components, connectivity]

The compute nodes contain the following components:

1. The Open vSwitch agent, which manages connectivity among virtual switches and interaction, via virtual ports, with other network components such as namespaces, Linux bridges, and underlying interfaces.
2. Linux bridges, which handle security groups.

Note: Because of limitations with Open vSwitch and iptables, the Networking service uses a Linux bridge to manage security groups for instances.

[Figure: Compute node components, overview]

[Figure: Compute node components, connectivity]
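
Packet flow

The L3HA mechanism simply augments the Open vSwitch scenario with quick failover to another router if the master router fails.

During normal operation, the master router periodically transmits heartbeat packets over a hidden project network that connects all HA routers for a particular project. By default, this network uses the type indicated by the first value in the tenant_network_types option in the /etc/neutron/plugins/ml2/ml2_conf.ini file.

If a backup router stops receiving these packets, it assumes that the master router has failed and promotes itself to master by configuring IP addresses in the qrouter namespace. In environments with more than one backup router, the router with the next highest priority becomes the master router.

Note: The L3HA mechanism uses the same priority for all routers. Therefore, VRRP promotes the backup router with the highest IP address to master.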
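
Added example (not part of the original guide or of OpenStack): a monitor for the heartbeat traffic described above, run over tcpdump text in the format shown in the verification steps of this page. It flags a silence longer than the VRRPv2 master-down interval, a change of master, and advertisements whose source lies outside l3_ha_net_cidr or whose priority differs from the single value L3HA uses. The last two sample lines and the expected_prio default of 50 are assumptions.

```python
import ipaddress
import re

# Constructed capture in the format of this page's tcpdump output. The first three
# lines are the page's own; the last two are made up to exercise the checks.
SAMPLE = """\
16:50:16.857294 IP 169.254.192.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 50, authtype none, intvl 2s, length 20
16:50:18.858436 IP 169.254.192.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 50, authtype none, intvl 2s, length 20
16:50:20.859677 IP 169.254.192.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 50, authtype none, intvl 2s, length 20
16:50:29.101200 IP 169.254.192.2 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 50, authtype none, intvl 2s, length 20
16:50:31.102310 IP 10.0.0.99 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 255, authtype none, intvl 2s, length 20
"""

ADVERT = re.compile(
    r"(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d\.\d+) IP (?P<src>[\d.]+) > 224\.0\.0\.18: "
    r"VRRPv2, Advertisement, vrid (?P<vrid>\d+), prio (?P<prio>\d+), "
    r"authtype \w+, intvl (?P<intvl>\d+)s"
)


def parse_adverts(text):
    """Return one dict per VRRPv2 advertisement line; other lines are ignored."""
    adverts = []
    for line in text.splitlines():
        line = line.strip()
        m = ADVERT.match(line)
        if m:
            adverts.append({
                "clock": line[:15],
                # Seconds since midnight; a capture that crosses midnight is not handled.
                "t": int(m["h"]) * 3600 + int(m["m"]) * 60 + float(m["s"]),
                "src": ipaddress.ip_address(m["src"]),
                "vrid": int(m["vrid"]),
                "prio": int(m["prio"]),
                "intvl": int(m["intvl"]),
            })
    return adverts


def master_down_interval(prio, intvl):
    """RFC 3768: 3 * Advertisement_Interval + Skew_Time, Skew_Time = (256 - prio) / 256."""
    return 3 * intvl + (256 - prio) / 256


def review(text, ha_cidr="169.254.192.0/18", expected_prio=50):
    """Return (kind, detail) findings; expected_prio is the value in the page's capture."""
    net = ipaddress.ip_network(ha_cidr)
    last = {}  # vrid -> most recent advertisement accepted from inside the HA network
    findings = []
    for adv in parse_adverts(text):
        where = f"{adv['clock']} vrid {adv['vrid']}"
        foreign = adv["src"] not in net
        if foreign:
            findings.append(("foreign-source", f"{where}: {adv['src']} is outside {net}"))
        if adv["prio"] != expected_prio:
            findings.append(("unexpected-priority", f"{where}: prio {adv['prio']} from {adv['src']}"))
        if foreign:
            continue  # an unexpected speaker must not update the tracked master
        prev = last.get(adv["vrid"])
        if prev is not None:
            gap = adv["t"] - prev["t"]
            if gap > master_down_interval(prev["prio"], prev["intvl"]):
                findings.append(("heartbeat-gap", f"{where}: {gap:.1f}s without an advertisement"))
            if adv["src"] != prev["src"]:
                findings.append(("failover", f"{where}: master {prev['src']} -> {adv['src']}"))
        last[adv["vrid"]] = adv
    return findings


if __name__ == "__main__":
    for kind, detail in review(SAMPLE):
        print(f"{kind:20} {detail}")
```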

Example configuration

Use the following example configuration as a template to deploy this scenario in your environment.

Controller node

1. Configure common options. Edit the /etc/neutron/neutron.conf file:

    [DEFAULT]
    verbose = True
    core_plugin = ml2
    service_plugins = router
    allow_overlapping_ips = True
    router_distributed = False
    l3_ha = True
    l3_ha_net_cidr = 169.254.192.0/18
    max_l3_agents_per_router = 3
    min_l3_agents_per_router = 2
    dhcp_agents_per_network = 2

2. Configure the ML2 plug-in. Edit the /etc/neutron/plugins/ml2/ml2_conf.ini file:

    [ml2]
    type_drivers = flat,vlan,gre,vxlan
    tenant_network_types = vlan,gre,vxlan
    mechanism_drivers = openvswitch

    [ml2_type_flat]
    flat_networks = external

    [ml2_type_vlan]
    network_vlan_ranges = external,vlan:MIN_VLAN_ID:MAX_VLAN_ID

    [ml2_type_gre]
    tunnel_id_ranges = MIN_GRE_ID:MAX_GRE_ID

    [ml2_type_vxlan]
    vni_ranges = MIN_VXLAN_ID:MAX_VXLAN_ID
    vxlan_group = 239.1.1.1

    [securitygroup]
    firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
    enable_security_group = True
    enable_ipset = True

Replace MIN_VLAN_ID, MAX_VLAN_ID, MIN_GRE_ID, MAX_GRE_ID, MIN_VXLAN_ID, and MAX_VXLAN_ID with the VLAN, GRE, and VXLAN ID minimum and maximum values suitable for your environment.

Note: The first value in the tenant_network_types option becomes the default project network type when a regular user creates a network. The external value in the network_vlan_ranges option lacks a VLAN ID range so that administrative users can use arbitrary VLAN IDs.

3. Start the services.

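
Added check, not part of the original guide or of neutron: it scans a configuration file for the template tokens this page asks you to replace (the ID ranges above, and TUNNEL_INTERFACE_IP_ADDRESS and METADATA_SECRET in the node sections), validates the ID ranges, and confirms that security groups stay enforced. The numeric sample values are constructed; the limits are the protocol field sizes.

```python
import configparser
import re

# Template tokens this page tells the reader to replace before starting services.
PLACEHOLDER = re.compile(
    r"\b(?:(?:MIN|MAX)_(?:VLAN|GRE|VXLAN)_ID|TUNNEL_INTERFACE_IP_ADDRESS|METADATA_SECRET)\b"
)
# ID space per segment type: 802.1Q VLAN IDs, 32-bit GRE keys, 24-bit VXLAN VNIs.
LIMITS = {"vlan": (1, 4094), "gre": (1, 2**32 - 1), "vxlan": (1, 2**24 - 1)}

# The ID-range and security-group sections of the page's ml2_conf.ini, unchanged.
TEMPLATE = """\
[ml2_type_vlan]
network_vlan_ranges = external,vlan:MIN_VLAN_ID:MAX_VLAN_ID
[ml2_type_gre]
tunnel_id_ranges = MIN_GRE_ID:MAX_GRE_ID
[ml2_type_vxlan]
vni_ranges = MIN_VXLAN_ID:MAX_VXLAN_ID
vxlan_group = 239.1.1.1
[securitygroup]
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
enable_security_group = True
enable_ipset = True
"""


def fill(template, values):
    """Substitute sample values for the page's placeholders."""
    for name, value in values.items():
        template = template.replace(name, str(value))
    return template


# Constructed values. GOOD is valid; BAD has a VLAN ID above 4094 and a reversed VNI range.
VALUES = {"MIN_VLAN_ID": 1000, "MAX_VLAN_ID": 1999, "MIN_GRE_ID": 1,
          "MAX_GRE_ID": 1000, "MIN_VXLAN_ID": 1, "MAX_VXLAN_ID": 1000}
GOOD = fill(TEMPLATE, VALUES)
BAD = fill(TEMPLATE, {**VALUES, "MAX_VLAN_ID": 4096, "MIN_VXLAN_ID": 2000})


def range_errors(kind, spec):
    """Validate one 'MIN:MAX' range against the ID space of its segment type."""
    if PLACEHOLDER.search(spec):
        return []  # already reported as an unreplaced placeholder
    low_limit, high_limit = LIMITS[kind]
    try:
        low, high = (int(part) for part in spec.split(":"))
    except ValueError:
        return [f"{kind} range '{spec}' is not MIN:MAX"]
    if not low_limit <= low <= high <= high_limit:
        return [f"{kind} range {low}:{high} must satisfy "
                f"{low_limit} <= MIN <= MAX <= {high_limit}"]
    return []


def audit(text):
    """Return (errors, notes) for one neutron configuration file given as text."""
    errors, notes = [], []
    # A non-matching default_section makes [DEFAULT] an ordinary section, so its
    # options are reported once instead of being merged into every other section.
    cp = configparser.ConfigParser(interpolation=None, default_section="<none>")
    cp.read_string(text)
    for section in cp.sections():
        for key, value in cp.items(section):
            for token in PLACEHOLDER.findall(value):
                errors.append(f"[{section}] {key}: placeholder {token} not replaced")
    for entry in cp.get("ml2_type_vlan", "network_vlan_ranges", fallback="").split(","):
        physnet, _, spec = entry.strip().partition(":")
        if physnet and spec:
            errors += range_errors("vlan", spec)
        elif physnet:
            notes.append(f"physical network '{physnet}' has no VLAN ID range: "
                         "administrative users can use arbitrary VLAN IDs on it")
    for kind, section, key in (("gre", "ml2_type_gre", "tunnel_id_ranges"),
                               ("vxlan", "ml2_type_vxlan", "vni_ranges")):
        for spec in cp.get(section, key, fallback="").split(","):
            if spec.strip():
                errors += range_errors(kind, spec.strip())
    if cp.has_section("securitygroup"):
        if not cp.getboolean("securitygroup", "enable_security_group", fallback=False):
            errors.append("[securitygroup] enable_security_group is not True")
        driver = cp.get("securitygroup", "firewall_driver", fallback="")
        if not driver or driver.endswith("NoopFirewallDriver"):
            errors.append("[securitygroup] firewall_driver does not enforce security groups")
    return errors, notes


if __name__ == "__main__":
    for label, text in (("template", TEMPLATE), ("good", GOOD), ("bad", BAD)):
        errors, notes = audit(text)
        print(label, errors, notes)
```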

Network node

1. Configure the kernel to enable packet forwarding and disable reverse path filtering. Edit the /etc/sysctl.conf file:

    net.ipv4.ip_forward=1
    net.ipv4.conf.default.rp_filter=0
    net.ipv4.conf.all.rp_filter=0

2. Load the new kernel configuration:

    $ sysctl -p

3. Configure common options. Edit the /etc/neutron/neutron.conf file:

    [DEFAULT]
    verbose = True

4. Configure the Open vSwitch agent. Edit the /etc/neutron/plugins/ml2/ml2_conf.ini file:

    [ovs]
    local_ip = TUNNEL_INTERFACE_IP_ADDRESS
    bridge_mappings = vlan:br-vlan,external:br-ex

    [agent]
    tunnel_types = gre,vxlan
    l2_population = False

    [securitygroup]
    firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
    enable_security_group = True
    enable_ipset = True

Replace TUNNEL_INTERFACE_IP_ADDRESS with the IP address of the interface that handles GRE/VXLAN project networks.

5. Configure the L3 agent. Edit the /etc/neutron/l3_agent.ini file:

    [DEFAULT]
    verbose = True
    interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
    use_namespaces = True
    external_network_bridge =
    router_delete_namespaces = True
    agent_mode = legacy

Note: The external_network_bridge option intentionally contains no value.

6. Configure the DHCP agent. Edit the /etc/neutron/dhcp_agent.ini file:

    [DEFAULT]
    verbose = True
    interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
    dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq
    use_namespaces = True
    dhcp_delete_namespaces = True

7. (Optional) Reduce the MTU for VXLAN project networks.

   1. Edit the /etc/neutron/dhcp_agent.ini file:

       [DEFAULT]
       dnsmasq_config_file = /etc/neutron/dnsmasq-neutron.conf

   2. Edit the /etc/neutron/dnsmasq-neutron.conf file:

       dhcp-option-force=26,1450

8. Configure the metadata agent. Edit the /etc/neutron/metadata_agent.ini file:

    [DEFAULT]
    verbose = True
    nova_metadata_ip = controller
    metadata_proxy_shared_secret = METADATA_SECRET

Replace METADATA_SECRET with a suitable value for your environment.

9. Start the following services:

    Open vSwitch
    Open vSwitch agent
    L3 agent
    DHCP agent
    Metadata agent

Compute node

1. Configure the kernel to enable iptables on bridges and disable reverse path filtering. Edit the /etc/sysctl.conf file:

    net.ipv4.conf.default.rp_filter=0
    net.ipv4.conf.all.rp_filter=0
    net.bridge.bridge-nf-call-iptables=1
    net.bridge.bridge-nf-call-ip6tables=1

2. Load the new kernel configuration:

    $ sysctl -p

3. Configure common options. Edit the /etc/neutron/neutron.conf file:

    [DEFAULT]
    verbose = True

4. Configure the Open vSwitch agent. Edit the /etc/neutron/plugins/ml2/ml2_conf.ini file:

    [ovs]
    local_ip = TUNNEL_INTERFACE_IP_ADDRESS
    bridge_mappings = vlan:br-vlan

    [agent]
    tunnel_types = gre,vxlan
    l2_population = False

    [securitygroup]
    firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
    enable_security_group = True
    enable_ipset = True

Replace TUNNEL_INTERFACE_IP_ADDRESS with the IP address of the interface that handles GRE/VXLAN project networks.

7. Start the following services:

    Open vSwitch
    Open vSwitch agent

Verify service operation

1. Source the administrative project credentials.

2. Verify the presence and operation of the agents:

    $ neutron agent-list
    +--------------------------------------+--------------------+----------+-------+----------------+---------------------------+
    | id                                   | agent_type         | host     | alive | admin_state_up | binary                    |
    +--------------------------------------+--------------------+----------+-------+----------------+---------------------------+
    | 0bfe5b5d-0b82-434e-b8a0-524cc18da3a4 | DHCP agent         | network1 | :-)   | True           | neutron-dhcp-agent        |
    | 25224bd5-0905-4ec9-9f2d-3b17cdaf5650 | Open vSwitch agent | compute2 | :-)   | True           | neutron-openvswitch-agent |
    | 29afe014-273d-42f3-ad71-8a226e40dea6 | L3 agent           | network1 | :-)   | True           | neutron-l3-agent          |
    | 3bed5093-e46c-4b0f-9460-3309c62254a3 | DHCP agent         | network2 | :-)   | True           | neutron-dhcp-agent        |
    | 54aefb1c-35f7-4ebf-a848-3bb4fe81dcf7 | Open vSwitch agent | network1 | :-)   | True           | neutron-openvswitch-agent |
    | 91c9cc03-1678-4d7a-b0a7-fa1ac24e5516 | Open vSwitch agent | compute1 | :-)   | True           | neutron-openvswitch-agent |
    | ac7b3f77-7e4d-47a6-9dbd-3358cfb67b61 | Open vSwitch agent | network2 | :-)   | True           | neutron-openvswitch-agent |
    | ceef5c49-3148-4c39-9e15-4985fc995113 | Metadata agent     | network1 | :-)   | True           | neutron-metadata-agent    |
    | d27ac19b-fb4d-4fec-b81d-e8c65557b6ec | L3 agent           | network2 | :-)   | True           | neutron-l3-agent          |
    | f072a1ec-f842-4223-a6b6-ec725419be85 | Metadata agent     | network2 | :-)   | True           | neutron-metadata-agent    |
    +--------------------------------------+--------------------+----------+-------+----------------+---------------------------+

Create initial networks

This example creates a flat external network and a VXLAN project network.

1. Source the administrative project credentials.

2. Create the external network:

    $ neutron net-create ext-net --router:external True \
      --provider:physical_network external --provider:network_type flat
    Created a new network:
    +---------------------------+--------------------------------------+
    | Field                     | Value                                |
    +---------------------------+--------------------------------------+
    | admin_state_up            | True                                 |
    | id                        | 5266fcbc-d429-4b21-8544-6170d1691826 |
    | name                      | ext-net                              |
    | provider:network_type     | flat                                 |
    | provider:physical_network | external                             |
    | provider:segmentation_id  |                                      |
    | router:external           | True                                 |
    | shared                    | False                                |
    | status                    | ACTIVE                               |
    | subnets                   |                                      |
    | tenant_id                 | 96393622940e47728b6dcdb2ef405f50     |
    +---------------------------+--------------------------------------+

3. Create a subnet on the external network:

    $ neutron subnet-create ext-net 203.0.113.0/24 --name ext-subnet \
      --allocation-pool start=203.0.113.101,end=203.0.113.200 \
      --disable-dhcp --gateway 203.0.113.1
    Created a new subnet:
    +-------------------+----------------------------------------------------+
    | Field             | Value                                              |
    +-------------------+----------------------------------------------------+
    | allocation_pools  | {"start": "203.0.113.101", "end": "203.0.113.200"} |
    | cidr              | 203.0.113.0/24                                     |
    | dns_nameservers   |                                                    |
    | enable_dhcp       | False                                              |
    | gateway_ip        | 203.0.113.1                                        |
    | host_routes       |                                                    |
    | id                | b32e0efc-8cc3-43ff-9899-873b94df0db1               |
    | ip_version        | 4                                                  |
    | ipv6_address_mode |                                                    |
    | ipv6_ra_mode      |                                                    |
    | name              | ext-subnet                                         |
    | network_id        | 5266fcbc-d429-4b21-8544-6170d1691826               |
    | tenant_id         | 96393622940e47728b6dcdb2ef405f50                   |
    +-------------------+----------------------------------------------------+

Note: The example configuration contains vlan as the first project network type. Only administrative users can create other types of networks, such as GRE or VXLAN. The following commands use the admin project credentials to create a VXLAN project network.

1. Obtain the ID of a regular project. For example, using the demo project:

    $ openstack project show demo
    +-------------+----------------------------------+
    | Field       | Value                            |
    +-------------+----------------------------------+
    | description | Demo Tenant                      |
    | enabled     | True                             |
    | id          | 443cd1596b2e46d49965750771ebbfe1 |
    | name        | demo                             |
    +-------------+----------------------------------+

2. Create the project network:

    $ neutron net-create demo-net \
      --tenant-id 443cd1596b2e46d49965750771ebbfe1 \
      --provider:network_type vxlan
    Created a new network:
    +---------------------------+--------------------------------------+
    | Field                     | Value                                |
    +---------------------------+--------------------------------------+
    | admin_state_up            | True                                 |
    | id                        | 7ac9a268-1ddd-453f-857b-0fd9552b645f |
    | name                      | demo-net                             |
    | provider:network_type     | vxlan                                |
    | provider:physical_network |                                      |
    | provider:segmentation_id  | 1                                    |
    | router:external           | False                                |
    | shared                    | False                                |
    | status                    | ACTIVE                               |
    | subnets                   |                                      |
    | tenant_id                 | 443cd1596b2e46d49965750771ebbfe1     |
    +---------------------------+--------------------------------------+

3. Source the regular project credentials. The following steps use the demo project.

4. Create a subnet on the project network:

    $ neutron subnet-create demo-net 192.168.1.0/24 --name demo-subnet \
      --gateway 192.168.1.1
    Created a new subnet:
    +-------------------+--------------------------------------------------+
    | Field             | Value                                            |
    +-------------------+--------------------------------------------------+
    | allocation_pools  | {"start": "192.168.1.2", "end": "192.168.1.254"} |
    | cidr              | 192.168.1.0/24                                   |
    | dns_nameservers   |                                                  |
    | enable_dhcp       | True                                             |
    | gateway_ip        | 192.168.1.1                                      |
    | host_routes       |                                                  |
    | id                | 2945790c-5999-4693-b8e7-50a9fc7f46f5             |
    | ip_version        | 4                                                |
    | ipv6_address_mode |                                                  |
    | ipv6_ra_mode      |                                                  |
    | name              | demo-subnet                                      |
    | network_id        | 7ac9a268-1ddd-453f-857b-0fd9552b645f             |
    | tenant_id         | 443cd1596b2e46d49965750771ebbfe1                 |
    +-------------------+--------------------------------------------------+

5. Create a project router:

    $ neutron router-create demo-router
    Created a new router:
    +-----------------------+--------------------------------------+
    | Field                 | Value                                |
    +-----------------------+--------------------------------------+
    | admin_state_up        | True                                 |
    | distributed           | False                                |
    | external_gateway_info |                                      |
    | ha                    | True                                 |
    | id                    | 7a46dba8-8846-498c-9e10-588664558473 |
    | name                  | demo-router                          |
    | routes                |                                      |
    | status                | ACTIVE                               |
    | tenant_id             | 443cd1596b2e46d49965750771ebbfe1     |
    +-----------------------+--------------------------------------+

Note: The default policy.json file allows only administrative projects to enable or disable HA during router creation and to view the HA flag of a router.

6. Add the project subnet as an interface on the router:

    $ neutron router-interface-add demo-router demo-subnet
    Added interface 8de3e172-5317-4c87-bdc1-f69e359de92e to router demo-router.

7. Add a gateway to the external network on the router:

    $ neutron router-gateway-set demo-router ext-net
    Set gateway for router demo-router

Verify network operation

1. Source the administrative project credentials.

2. On the controller node, verify creation of the HA network:

    $ neutron net-list
    +--------------------------------------+----------------------------------------------------+-------------------------------------------------------+
    | id                                   | name                                               | subnets                                               |
    +--------------------------------------+----------------------------------------------------+-------------------------------------------------------+
    | 5266fcbc-d429-4b21-8544-6170d1691826 | ext-net                                            | b32e0efc-8cc3-43ff-9899-873b94df0db1 203.0.113.0/24   |
    | e029b568-0fd7-4d10-bb16-f9e014811d10 | HA network tenant 443cd1596b2e46d49965750771ebbfe1 | ee30083f-eb4c-41ea-8937-1bae65740af4 169.254.192.0/18 |
    | 7ac9a268-1ddd-453f-857b-0fd9552b645f | demo-net                                           | 2945790c-5999-4693-b8e7-50a9fc7f46f5 192.168.1.0/24   |
    +--------------------------------------+----------------------------------------------------+-------------------------------------------------------+

3. On the controller node, verify creation of the router on more than one network node:

    $ neutron l3-agent-list-hosting-router demo-router
    +--------------------------------------+----------+----------------+-------+----------+
    | id                                   | host     | admin_state_up | alive | ha_state |
    +--------------------------------------+----------+----------------+-------+----------+
    | 29afe014-273d-42f3-ad71-8a226e40dea6 | network1 | True           | :-)   | active   |
    | d27ac19b-fb4d-4fec-b81d-e8c65557b6ec | network2 | True           | :-)   | standby  |
    +--------------------------------------+----------+----------------+-------+----------+

Note: Older versions of python-neutronclient do not support the ha_state field.

4. On the controller node, verify creation of the HA ports on the demo-router router:

    $ neutron router-port-list demo-router
    +--------------------------------------+-------------------------------------------------+-------------------+----------------------------------------------------------------------------------------+
    | id                                   | name                                            | mac_address       | fixed_ips                                                                              |
    +--------------------------------------+-------------------------------------------------+-------------------+----------------------------------------------------------------------------------------+
    | 255d2e4b-33ba-4166-a13f-6531122641fe | HA port tenant 443cd1596b2e46d49965750771ebbfe1 | fa:16:3e:25:05:d7 | {"subnet_id": "8e8e4c7d-fa38-417d-a4e3-03ee5ab5493c", "ip_address": "169.254.192.1"}   |
    | 374587d7-2acd-4156-8993-4294f788b55e |                                                 | fa:16:3e:82:a0:59 | {"subnet_id": "b32e0efc-8cc3-43ff-9899-873b94df0db1", "ip_address": "203.0.113.101"}   |
    | 8de3e172-5317-4c87-bdc1-f69e359de92e |                                                 | fa:16:3e:10:9f:f6 | {"subnet_id": "2945790c-5999-4693-b8e7-50a9fc7f46f5", "ip_address": "192.168.1.1"}     |
    | 90d1a59f-b122-459d-a94a-162a104de629 | HA port tenant 443cd1596b2e46d49965750771ebbfe1 | fa:16:3e:ae:3b:22 | {"subnet_id": "8e8e4c7d-fa38-417d-a4e3-03ee5ab5493c", "ip_address": "169.254.192.2"}   |
    +--------------------------------------+-------------------------------------------------+-------------------+----------------------------------------------------------------------------------------+

5. On the network nodes, verify creation of the qrouter and qdhcp namespaces:

    Network node 1:

    $ ip netns
    qrouter-7a46dba8-8846-498c-9e10-588664558473

    Network node 2:

    $ ip netns
    qrouter-7a46dba8-8846-498c-9e10-588664558473

Both qrouter namespaces should use the same UUID.

Note: The qdhcp namespaces might not exist until an instance is launched.

6. On the network nodes, verify HA operation:

    Network node 1:

    $ ip netns exec qrouter-7a46dba8-8846-498c-9e10-588664558473 ip addr show
    11: ha-255d2e4b-33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default
        link/ether fa:16:3e:25:05:d7 brd ff:ff:ff:ff:ff:ff
        inet 169.254.192.1/18 brd 169.254.255.255 scope global ha-255d2e4b-33
           valid_lft forever preferred_lft forever
        inet6 fe80::f816:3eff:fe25:5d7/64 scope link
           valid_lft forever preferred_lft forever
    12: qr-8de3e172-53: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default
        link/ether fa:16:3e:10:9f:f6 brd ff:ff:ff:ff:ff:ff
        inet 192.168.1.1/24 scope global qr-8de3e172-53
           valid_lft forever preferred_lft forever
        inet6 fe80::f816:3eff:fe10:9ff6/64 scope link
           valid_lft forever preferred_lft forever
    13: qg-374587d7-2a: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default
        link/ether fa:16:3e:82:a0:59 brd ff:ff:ff:ff:ff:ff
        inet 203.0.113.101/24 scope global qg-374587d7-2a
           valid_lft forever preferred_lft forever
        inet6 fe80::f816:3eff:fe82:a059/64 scope link
           valid_lft forever preferred_lft forever

    Network node 2:

    $ ip netns exec qrouter-7a46dba8-8846-498c-9e10-588664558473 ip addr show
    11: ha-90d1a59f-b1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default
        link/ether fa:16:3e:ae:3b:22 brd ff:ff:ff:ff:ff:ff
        inet 169.254.192.2/18 brd 169.254.255.255 scope global ha-90d1a59f-b1
           valid_lft forever preferred_lft forever
        inet6 fe80::f816:3eff:feae:3b22/64 scope link
           valid_lft forever preferred_lft forever
    12: qr-8de3e172-53: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default
        link/ether fa:16:3e:10:9f:f6 brd ff:ff:ff:ff:ff:ff
        inet6 fe80::f816:3eff:fe10:9ff6/64 scope link
           valid_lft forever preferred_lft forever
    13: qg-374587d7-2a: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default
        link/ether fa:16:3e:82:a0:59 brd ff:ff:ff:ff:ff:ff
        inet6 fe80::f816:3eff:fe82:a059/64 scope link
           valid_lft forever preferred_lft forever

On each network node, the qrouter namespace should include the ha, qr, and qg interfaces. On the master node, the qr interface contains the project network gateway IP address and the qg interface contains the project router IP address on the external network. On the backup node, the qr and qg interfaces should not contain an IP address. On both nodes, the ha interface should contain a unique IP address in the 169.254.192.0/18 range.

7. On the network nodes, verify VRRP advertisements from the master node HA interface IP address on the appropriate network interface:

    Network node 1:

    $ tcpdump -lnpi eth1
    16:50:16.857294 IP 169.254.192.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 50, authtype none, intvl 2s, length 20
    16:50:18.858436 IP 169.254.192.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 50, authtype none, intvl 2s, length 20
    16:50:20.859677 IP 169.254.192.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 50, authtype none, intvl 2s, length 20

    Network node 2:

    $ tcpdump -lnpi eth1
    16:51:44.911640 IP 169.254.192.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 50, authtype none, intvl 2s, length 20
    16:51:46.912591 IP 169.254.192.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 50, authtype none, intvl 2s, length 20
    16:51:48.913900 IP 169.254.192.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 50, authtype none, intvl 2s, length 20

The example output uses network interface eth1.

8. Determine the external network gateway IP address for the project network on the router, typically the lowest IP address in the external subnet IP allocation range:

    $ neutron router-port-list demo-router
    +--------------------------------------+-------------------------------------------------+-------------------+----------------------------------------------------------------------------------------+
    | id                                   | name                                            | mac_address       | fixed_ips                                                                              |
    +--------------------------------------+-------------------------------------------------+-------------------+----------------------------------------------------------------------------------------+
    | 255d2e4b-33ba-4166-a13f-6531122641fe | HA port tenant 443cd1596b2e46d49965750771ebbfe1 | fa:16:3e:25:05:d7 | {"subnet_id": "8e8e4c7d-fa38-417d-a4e3-03ee5ab5493c", "ip_address": "169.254.192.1"}   |
    | 374587d7-2acd-4156-8993-4294f788b55e |                                                 | fa:16:3e:82:a0:59 | {"subnet_id": "b32e0efc-8cc3-43ff-9899-873b94df0db1", "ip_address": "203.0.113.101"}   |
    | 8de3e172-5317-4c87-bdc1-f69e359de92e |                                                 | fa:16:3e:10:9f:f6 | {"subnet_id": "2945790c-5999-4693-b8e7-50a9fc7f46f5", "ip_address": "192.168.1.1"}     |
    | 90d1a59f-b122-459d-a94a-162a104de629 | HA port tenant 443cd1596b2e46d49965750771ebbfe1 | fa:16:3e:ae:3b:22 | {"subnet_id": "8e8e4c7d-fa38-417d-a4e3-03ee5ab5493c", "ip_address": "169.254.192.2"}   |
    +--------------------------------------+-------------------------------------------------+-------------------+----------------------------------------------------------------------------------------+

9. On the controller node or any host with access to the external network, ping the external network gateway IP address on the project router:

    $ ping -c 4 203.0.113.101
    PING 203.0.113.101 (203.0.113.101) 56(84) bytes of data.
    64 bytes from 203.0.113.101: icmp_req=1 ttl=64 time=0.619 ms
    64 bytes from 203.0.113.101: icmp_req=2 ttl=64 time=0.189 ms
    64 bytes from 203.0.113.101: icmp_req=3 ttl=64 time=0.165 ms
    64 bytes from 203.0.113.101: icmp_req=4 ttl=64 time=0.216 ms

    --- 203.0.113.101 ping statistics ---
    4 packets transmitted, 4 received, 0% packet loss, time 2999ms
    rtt min/avg/max/mdev = 0.165/0.297/0.619/0.187 ms

10. Source the regular project credentials. The following steps use the demo project.

11. Create the appropriate security group rules to allow ping and SSH access to the instance. For example, the following rules accept ICMP and TCP port 22 from any source address (0.0.0.0/0):

    $ nova secgroup-add-rule default icmp -1 -1 0.0.0.0/0
    +-------------+-----------+---------+-----------+--------------+
    | IP Protocol | From Port | To Port | IP Range  | Source Group |
    +-------------+-----------+---------+-----------+--------------+
    | icmp        | -1        | -1      | 0.0.0.0/0 |              |
    +-------------+-----------+---------+-----------+--------------+

    $ nova secgroup-add-rule default tcp 22 22 0.0.0.0/0
    +-------------+-----------+---------+-----------+--------------+
    | IP Protocol | From Port | To Port | IP Range  | Source Group |
    +-------------+-----------+---------+-----------+--------------+
    | tcp         | 22        | 22      | 0.0.0.0/0 |              |
    +-------------+-----------+---------+-----------+--------------+

12. Launch an instance with an interface on the project network. For example, using an existing CirrOS image:

    $ nova boot --flavor m1.tiny --image cirros \
      --nic net-id=7ac9a268-1ddd-453f-857b-0fd9552b645f demo-instance1
    +--------------------------------------+-----------------------------------------------+
    | Property                             | Value                                         |
    +--------------------------------------+-----------------------------------------------+
    | OS-DCF:diskConfig                    | MANUAL                                        |
    | OS-EXT-AZ:availability_zone          | nova                                          |
    | OS-EXT-STS:power_state               | 0                                             |
    | OS-EXT-STS:task_state                | scheduling                                    |
    | OS-EXT-STS:vm_state                  | building                                      |
    | OS-SRV-USG:launched_at               | -                                             |
    | OS-SRV-USG:terminated_at             | -                                             |
    | accessIPv4                           |                                               |
    | accessIPv6                           |                                               |
    | adminPass                            | Z3uAd2utPUNu                                  |
    | config_drive                         |                                               |
    | created                              | 2015-08-10T15:06:24Z                          |
    | flavor                               | m1.tiny (1)                                   |
    | hostId                               |                                               |
    | id                                   | 77149598-c839-400f-b948-db6993f0b40b          |
    | image                                | cirros (125733d9-8d37-4d70-9a64-1c989cfa8e9c) |
    | key_name                             |                                               |
    | metadata                             | {}                                            |
    | name                                 | demo-instance1                                |
    | os-extended-volumes:volumes_attached | []                                            |
    | progress                             | 0                                             |
    | security_groups                      | default                                       |
    | status                               | BUILD                                         |
    | tenant_id                            | 443cd1596b2e46d49965750771ebbfe1              |
    | updated                              | 2015-08-10T15:06:25Z                          |
    | user_id                              | bdd4e165bdf94b258ddd4856340ed01c              |
    +--------------------------------------+-----------------------------------------------+

13. Obtain console access to the instance.

   1. Test connectivity to the project router:

       $ ping -c 4 192.168.1.1
       PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
       64 bytes from 192.168.1.1: icmp_req=1 ttl=64 time=0.357 ms
       64 bytes from 192.168.1.1: icmp_req=2 ttl=64 time=0.473 ms
       64 bytes from 192.168.1.1: icmp_req=3 ttl=64 time=0.504 ms
       64 bytes from 192.168.1.1: icmp_req=4 ttl=64 time=0.470 ms

       --- 192.168.1.1 ping statistics ---
       4 packets transmitted, 4 received, 0% packet loss, time 2998ms
       rtt min/avg/max/mdev = 0.357/0.451/0.504/0.055 ms

   2. Test connectivity to the Internet:

       $ ping -c 4 openstack.org
       PING openstack.org (174.143.194.225) 56(84) bytes of data.
       64 bytes from 174.143.194.225: icmp_req=1 ttl=53 time=17.4 ms
       64 bytes from 174.143.194.225: icmp_req=2 ttl=53 time=17.5 ms
       64 bytes from 174.143.194.225: icmp_req=3 ttl=53 time=17.7 ms
       64 bytes from 174.143.194.225: icmp_req=4 ttl=53 time=17.5 ms

       --- openstack.org ping statistics ---
       4 packets transmitted, 4 received, 0% packet loss, time 3003ms
       rtt min/avg/max/mdev = 17.431/17.575/17.734/0.143 ms

14. Create a floating IP address on the external network:

    $ neutron floatingip-create ext-net
    Created a new floatingip:
    +---------------------+--------------------------------------+
    | Field               | Value                                |
    +---------------------+--------------------------------------+
    | fixed_ip_address    |                                      |
    | floating_ip_address | 203.0.113.102                        |
    | floating_network_id | 5266fcbc-d429-4b21-8544-6170d1691826 |
    | id                  | 20a6b5dd-1c5c-460e-8a81-8b5cf1739307 |
    | port_id             |                                      |
    | router_id           |                                      |
    | status              | DOWN                                 |
    | tenant_id           | 443cd1596b2e46d49965750771ebbfe1     |
    +---------------------+--------------------------------------+

15. Associate the floating IP address with the instance:

    $ nova floating-ip-associate demo-instance1 203.0.113.102

16. Verify addition of the floating IP address to the instance:

    $ nova list
    +--------------------------------------+----------------+--------+------------+-------------+-----------------------------------------+
    | ID                                   | Name           | Status | Task State | Power State | Networks                                |
    +--------------------------------------+----------------+--------+------------+-------------+-----------------------------------------+
    | 77149598-c839-400f-b948-db6993f0b40b | demo-instance1 | ACTIVE | -          | Running     | demo-net=192.168.1.3, 203.0.113.102     |
    +--------------------------------------+----------------+--------+------------+-------------+-----------------------------------------+

17. On the controller node or any host with access to the external network, ping the floating IP address associated with the instance:

    $ ping -c 4 203.0.113.102
    PING 203.0.113.102 (203.0.113.112) 56(84) bytes of data.
    64 bytes from 203.0.113.102: icmp_req=1 ttl=63 time=3.18 ms
    64 bytes from 203.0.113.102: icmp_req=2 ttl=63 time=0.981 ms
    64 bytes from 203.0.113.102: icmp_req=3 ttl=63 time=1.06 ms
    64 bytes from 203.0.113.102: icmp_req=4 ttl=63 time=0.929 ms

    --- 203.0.113.102 ping statistics ---
    4 packets transmitted, 4 received, 0% packet loss, time 3002ms
    rtt min/avg/max/mdev = 0.929/1.539/3.183/0.951 ms
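
Added example, not from the original guide: the rule stated in step 6 (one node holds the qr and qg addresses, the others hold none, and every ha interface has a unique address in 169.254.192.0/18) written as a check over the ip addr show output collected from each network node. The node names and the sample text, re-laid-out from the page's values, are assumptions.

```python
import ipaddress
import re

# Constructed from the values in step 6, in iproute2's usual one-item-per-line layout.
NODE1 = """\
11: ha-255d2e4b-33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default
    link/ether fa:16:3e:25:05:d7 brd ff:ff:ff:ff:ff:ff
    inet 169.254.192.1/18 brd 169.254.255.255 scope global ha-255d2e4b-33
12: qr-8de3e172-53: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default
    link/ether fa:16:3e:10:9f:f6 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 scope global qr-8de3e172-53
13: qg-374587d7-2a: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default
    link/ether fa:16:3e:82:a0:59 brd ff:ff:ff:ff:ff:ff
    inet 203.0.113.101/24 scope global qg-374587d7-2a
"""
NODE2 = """\
11: ha-90d1a59f-b1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default
    link/ether fa:16:3e:ae:3b:22 brd ff:ff:ff:ff:ff:ff
    inet 169.254.192.2/18 brd 169.254.255.255 scope global ha-90d1a59f-b1
12: qr-8de3e172-53: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default
    link/ether fa:16:3e:10:9f:f6 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::f816:3eff:fe10:9ff6/64 scope link
13: qg-374587d7-2a: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default
    link/ether fa:16:3e:82:a0:59 brd ff:ff:ff:ff:ff:ff
"""

IFACE = re.compile(r"^\d+: ([^:@\s]+)")   # "11: ha-255d2e4b-33: <...>"
INET = re.compile(r"^\s+inet (\S+)")      # IPv4 only; link-local inet6 lines are ignored


def parse_ifaces(text):
    """Map interface name -> list of IPv4 addresses configured on it."""
    ifaces, current = {}, None
    for line in text.splitlines():
        m = IFACE.match(line)
        if m:
            current = m.group(1)
            ifaces[current] = []
            continue
        m = INET.match(line)
        if m and current is not None:
            ifaces[current].append(ipaddress.ip_interface(m.group(1)))
    return ifaces


def role_of(ifaces):
    """master: every qr/qg interface has an address; backup: none has one."""
    routed = [addrs for name, addrs in ifaces.items() if name.startswith(("qr-", "qg-"))]
    if routed and all(routed):
        return "master"
    if not any(routed):
        return "backup"
    return "inconsistent"


def check_ha(nodes, ha_cidr="169.254.192.0/18"):
    """nodes maps node name -> 'ip addr show' text. Returns (roles, problems)."""
    net = ipaddress.ip_network(ha_cidr)
    roles, problems, seen = {}, [], {}
    for node, text in nodes.items():
        ifaces = parse_ifaces(text)
        for prefix in ("ha-", "qr-", "qg-"):
            if not any(name.startswith(prefix) for name in ifaces):
                problems.append(f"{node}: no {prefix} interface in the namespace")
        ha_ips = [a.ip for name, addrs in ifaces.items() if name.startswith("ha-") for a in addrs]
        if not ha_ips:
            problems.append(f"{node}: ha interface has no IPv4 address")
        for ip in ha_ips:
            if ip not in net:
                problems.append(f"{node}: HA address {ip} is outside {net}")
            if ip in seen:
                problems.append(f"{node}: HA address {ip} is also configured on {seen[ip]}")
            seen.setdefault(ip, node)
        roles[node] = role_of(ifaces)
        if roles[node] == "inconsistent":
            problems.append(f"{node}: only some qr/qg interfaces hold an address")
    masters = sorted(n for n, r in roles.items() if r == "master")
    if len(masters) > 1:
        problems.append("split-brain: " + ", ".join(masters) + " all hold the router addresses")
    elif not masters:
        problems.append("no master: no node holds the router addresses")
    return roles, problems


if __name__ == "__main__":
    print(check_ha({"network1": NODE1, "network2": NODE2}))
```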