马上注册,结交更多好友,享用更多功能,让你轻松玩转社区。
您需要 登录 才可以下载或查看,没有账号?开始注册
x
一个具有网络管理接口的控制器节点。& S! o, v% K3 N1 _6 S n
两个网络节点有四个网络接口:管理、项目隧道网络、项目VLAN网络和外部(通常是Internet)。Open vSwitch网桥br-vlan必须包含VLAN接口上的一个端口,而Open vSwitch桥的br- ex必须在外部接口上包含一个端口。
- X7 g; d/ S8 ?2 H# s; x" f0 T
4 X0 F; J Y s+ Z h" Q8 y- p至少有一个具有三个网络接口的计算节点:管理、项目隧道网络和项目VLAN网络。Open vSwitch网桥br-vlan必须在VLAN接口上包含一个端口。 为了提高对网络流量的理解,网络和计算节点包含一个独立的网络接口,用于项目VLAN网络。在生产环境中,项目VLAN网络可以使用任何Open vSwitch网桥来访问网络接口。例如br-tun网桥
$ ~/ G$ _6 g5 N在示例配置中,管理网络使用10.0.0 / 24,隧道网络使用10.0.1.0 / 24,VRRP网络使用169.254.192.0 / 18,外部网络使用203.0.113.0 / 24。VLAN网络不需要IP地址范围,因为它只处理二级连接。 * g: b+ ?& W5 Q6 Q& d6 C8 |$ n9 z
硬件要求
5 N/ |- ^6 m/ `9 t7 Q( h+ ^+ ` o3 h+ r7 Z( e% E @
网络布局
( [/ y( @6 r1 d% w
: c1 [. P; ]" g5 l; z
: z v" l6 F" A* z7 K) ?: U$ _ 服务布局0 p# D0 ?. L5 _4 ^) {( M4 L( B
7 i% f6 n7 @" p0 s0 M 注意:对于VLAN外部和项目网络,网络基础设施必须支持VLAN标记。为了获得VXLAN和GRE项目网络的最佳性能,网络基础设施应该支持巨型帧。 1 p5 B7 L$ Z& g8 [7 I
控制节点的openstack服务
0 s0 r& G/ g$ w, ~+ Y# `, j9 V在neutron.conf文件中具有数据库服务器的合适配置在neutron.conf文件中具有消息队列服务的合适配置。
! B# T3 a9 H* N/ i- r在neutron.conf文件中具有openstack keystone服务的合适配置
: E) u5 O0 o5 ^! a( q0 g在nova.conf文件中具有openstack计算 控制/管理服务的合适配置去使用Openstack 网络
" c( ~/ P! l c" x: B3 Nneutron服务器服务、ML2插件和任何依赖关系。
, r: p6 ^6 X9 q/ w) W+ l/ d' X! v+ q) X8 I7 P
网络节点的Openstack服务在neutron.conf文件中具有openstack keystone服务的合适配置 m. T& \& m( i! J
Open vSwitch服务、ML2插件、Open vSwitch代理、L3代理、DHCP代理、元数据代理和任何依赖关系。7 i: J; E- m# M) X0 Y8 y& I
3 _- O. z" b) z1 q1 a
计算节点的Openstack服务
) C% {6 _/ m0 w4 z# y+ o2 ]& f在neutron.conf文件中具有openstack keystone服务的合适配置, ~( P+ c5 _) F1 h& D& ^
$ w9 n3 K' }# f8 P2 ?# t; V- a
在nova.conf文件中具有openstack计算 控制/管理服务的合适配置去使用Openstack网络Open vSwitch服务,ML2插件,OpenvSwitch代理,以及任何依赖项。
5 M/ n0 L: o& F, T1 n- }1 v: d; W& ~5 [5 }/ B9 K8 Z* E
体系结构
5 J( A7 Z- W2 |1 n: f' W/ }一般的体系架构
/ q& C/ L" {, s1 T0 u 网络节点包含以下组件:
& ] C- K" x' o3 B8 G/ N l4 F. y$ x' e# r( Y! S% t4 `) F
Open vSwitch代理管理虚拟交换机之间的连接,以及通过虚拟端口与其他网络组件(如名称空间、Linux网桥和底层接口)进行交互。
: E, T8 x' ^9 q. A
) ^8 P- e; h* Y" ^管理qdhcp名称空间的DHCP代理。qdhcp名称空间为使用项目网络的实例提供DHCP服务。
" Y: N0 c7 z( y% S0 T2 d6 J% X1 ~9 j
L3代理使用keepalived管理qrouter名称空间和VRRP。qrouter名称空间提供了项目和外部网络之间以及项目网络之间的路由。它们还在实例和元数据代理之间路由元数据通信。- ?9 Y- ~( `2 Y/ m
* O) ^5 r+ S; N0 G元数据代理处理实例的元数据操作。 4 h* h8 [" X3 _/ n
% [; \. z8 D+ {% R3 w9 F网络节点组件回顾2 ?2 P. {! t7 m9 h
$ {- E- X* L+ n/ p+ n- p3 U1 O4 {0 w
网络节点组件连接
- u; M- P2 Q. W" T3 c8 C
1 G. d; K( U! L0 R) L$ L* ^ 计算节点包含以下组件:, k l, `& k- Y2 s9 D9 k1 a
* I" B# q Z. \7 P
1.Open vSwitch代理管理虚拟交换机之间的连接,以及通过虚拟端口与其他网络组件(如名称空间、Linux网桥和底层接口)进行交互。0 N2 m! m; i' u4 e. k& n
% y: x; z3 U3 V
2.Linux网桥处理安全组。
/ t, f; a, @- g1 f ]* m- `注意:由于Open vSwitch和iptables的限制,网络服务使用Linux桥来管理实例的安全组。 ' b; O @7 K9 U: r
计算节点组件回顾
( a. G8 B1 _7 Z+ {0 b. ]# c$ F a' Q6 n
计算节点组件连接
1 v8 \4 O/ D0 o; O2 r
7 ]9 u; O+ O3 m1 \6 l/ c数据包流 L3HA机制简单地增加了场景:如果主路由器失败,则使用Open vSwitch提供给另一个路由器的快速故障转移到另一个路由器。% V6 o' d) X) }( y, B
7 r& f2 K* ~( f- b8 G
在正常的操作过程中,主路由器定期地通过一个隐藏的项目网络来传输心跳数据包,该网络连接所有的HA路由器以完成特定的项目。 在默认情况下,这个网络使用的类型是在/etc/neutron/plugins/ml2_conf.ini的tenant_network_types选项中第一个值的类型。
# }" s! M% s: a) a# A1 @- ~5 I' i# S$ K0 @" Z- F4 }8 }, Y
如果备份路由器停止接收这些数据包,它就假定主路由器失效,并通过在qrouter名称空间中配置IP地址来提升自己到主路由器。在具有多个备份路由器的环境中,具有下一个最高优先级的路由器成为主路由器
% Y% f5 L) i* h" s3 S# N 注意:L3HA机制对所有路由器使用相同的优先级。因此,VRRP会将IP地址最高的备份路由器提升到主路由器。
/ t6 y1 t( ~3 X! B" X示例配置
' r G; L7 l: o使用下面的示例配置作为在您的环境中部署该场景的模板。
( A# @; y2 t e% ~: ]8 {/ Z
控制节点1.配置常见的选项。编辑/etc/neutron/neutron.配置文件: [backcolor=rgb(245, 245, 245) !important][url=][/url]
- N+ ~0 ~. U! Z- _[DEFAULT]verbose = Truecore_plugin = ml2service_plugins = routerallow_overlapping_ips = Truerouter_distributed = Falsel3_ha = Truel3_ha_net_cidr = 169.254.192.0/18max_l3_agents_per_router = 3min_l3_agents_per_router = 2dhcp_agents_per_network = 2[backcolor=rgb(245, 245, 245) !important][url=][/url]
- g4 s* f3 G/ W5 B5 [2 a) S$ s9 E: ^* F
0 w7 y* g6 d2 ]' R 2.配置ML2插件。编辑/etc/neutron/plugins/ml2/ml2_conf.ini文件: 7 k4 }& ^ L1 r% T& G6 q# w
[backcolor=rgb(245, 245, 245) !important][url=][/url]7 n. K& \2 e6 B, \% h9 p* x
[ml2]type_drivers = flat,vlan,gre,vxlantenant_network_types = vlan,gre,vxlanmechanism_drivers = openvswitch[ml2_type_flat]flat_networks = external[ml2_type_vlan]network_vlan_ranges = external,vlan:MIN_VLAN_ID:MAX_VLAN_ID[ml2_type_gre]tunnel_id_ranges = MIN_GRE_ID:MAX_GRE_ID[ml2_type_vxlan]vni_ranges = MIN_VXLAN_ID:MAX_VXLAN_IDvxlan_group = 239.1.1.1[securitygroup]firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriverenable_security_group = Trueenable_ipset = True[backcolor=rgb(245, 245, 245) !important][url=][/url]
/ T: K9 N* z/ T1 @6 ]1 X
7 [ r5 @+ v* P7 c$ H
' E$ y; i$ W! A% b( w替换MIN_VLAN_ID、MAX_VLAN_ID、MIN_GRE_ID、MAX_GRE_ID、MIN_VXLAN_ID和MAX_VXLAN_ID和VLAN、GRE和VXLAN ID最小值,以及适合您的环境的最大值。 f( k! ?& h! k/ `5 l8 I
请注意: tenant_network_types选项中的第一个值在常规用户创建网络时成为默认项目网络类型。network_vlan_range选项中的外部值缺少VLAN ID范围,以支持管理用户使用任意VLAN ID。 x# u) T p6 M+ L/ }
" j3 d3 k+ A# n" d9 O3 G
3.启动服务
2 L, z8 E: u) u @7 O6 m2 G, }8 H+ c0 V
% u; G' I7 T9 g8 O- I网络节点1.配置内核以启用包转发和禁用反向路径过滤。编辑/etc/sysctl.配置文件: net.ipv4.ip_forward=1net.ipv4.conf.default.rp_filter=0net.ipv4.conf.all.rp_filter=0" _! Z' f8 P; | a
2.加载新内核配置: $ sysctl -p6 h) l7 ]3 B+ f5 Z9 N5 D+ f) d9 X
7 y) a0 W! k$ D& s* X2 X4 _2 A; M1 N
3.配置常见的选项。编辑/etc/neutron/neutron.配置文件: [DEFAULT]verbose = True4 N9 |0 v! j8 k$ n
( g5 n" W. R1 P4.配置Open vSwitch代理。编辑/etc/neutron/plugins/ml2/ml2_conf.ini文件: [backcolor=rgb(245, 245, 245) !important][url=][/url]/ j0 t! l( \0 Y9 r% Z
[ovs]local_ip = TUNNEL_INTERFACE_IP_ADDRESSbridge_mappings = vlan:br-vlan,external:br-ex[agent]tunnel_types = gre,vxlanl2_population = False[securitygroup]firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriverenable_security_group = Trueenable_ipset = True[backcolor=rgb(245, 245, 245) !important][url=][/url]
% |7 i0 K' B* U- L! k! V* K/ U& {9 y: L
0 R s X& r$ i) x: l使用处理GRE / VXLAN项目网络的接口的IP地址替换TUNNEL_INTERFACE_IP_ADDRESS。 9 C& @; B: [+ _) c% a) N
5.配置L3代理。编辑/etc/neutron/l3_agent.ini文件:
/ l2 @ r! C( c8 R8 G[backcolor=rgb(245, 245, 245) !important][url=][/url]
0 O7 u+ W. x( x+ N# @3 C[DEFAULT]verbose = Trueinterface_driver = neutron.agent.linux.interface.OVSInterfaceDriveruse_namespaces = Trueexternal_network_bridge =router_delete_namespaces = Trueagent_mode = legacy[backcolor=rgb(245, 245, 245) !important][url=][/url]
\0 S" @, Y, I; B, t; r, N; i5 O, b/ B
注意:external_network_bridge选项故意不包含任何值。 5 E( `- W b" s7 B
6.配置DHCP代理。编辑/etc/neutron/dhcp_agent.ini文件:
" s* g8 {' t* X[backcolor=rgb(245, 245, 245) !important][url=][/url]4 q1 u x: a9 w
[DEFAULT]verbose = Trueinterface_driver = neutron.agent.linux.interface.OVSInterfaceDriverdhcp_driver = neutron.agent.linux.dhcp.Dnsmasquse_namespaces = Truedhcp_delete_namespaces = True[backcolor=rgb(245, 245, 245) !important][url=][/url]
/ o! D1 L) Y, W, C3 @) P9 n( }; ?! g, w' _, o% n6 ?
: p/ C/ G( ]; C/ _! z3 ]) Z$ r6 V
7.(可选)为VXLAN项目网络减少MTU。 [backcolor=rgb(245, 245, 245) !important][url=][/url]
7 Z1 S |, l4 r2 N/ k7 }1 t' C/ j f4 Q, J* n; n% @+ A, Z
% W. S- o4 f4 V* |/ n) t( `* @' x
1.编辑/etc/neutron/dhcp_agent。ini文件:[DEFAULT]dnsmasq_config_file = /etc/neutron/dnsmasq-neutron.conf2.编辑/etc/neutron/dnsmasq-neutron.conf文件:dhcp-option-force=26,14500 ^5 P, x* a% F$ `6 p. H1 } W
1 D. B, `; `1 V" j
[backcolor=rgb(245, 245, 245) !important][url=][/url]
. L' o, I& C X9 c! k2 M$ j6 X; p- S# Q/ G( f, v
% N6 e' r5 F5 B- l8.配置元数据代理。编辑/etc/neutron/metadata_agent.ini文件: [DEFAULT]verbose = Truenova_metadata_ip = controllermetadata_proxy_shared_secret = METADATA_SECRET% t" I' v* n. |7 z7 c% A3 N
- g& O: S# {5 E- {9 ?
用合适的环境值替换METADATA_SECRET。
" G# L p c" N. r7 \: M% {6 K9.开始以下服务: Open vSwitch Open vSwitch agent L3 agent DHCP agent Metadata agent2 G2 o3 F0 }) w
) p2 Y! @- l4 {
计算节点
/ Y3 h3 ]9 x: y1 R, \( f5 A1.配置内核以启用网桥上的iptables并禁用反向路径过滤。编辑/etc/sysctl.配置文件: net.ipv4.conf.default.rp_filter=0net.ipv4.conf.all.rp_filter=0net.bridge.bridge-nf-call-iptables=1net.bridge.bridge-nf-call-ip6tables=17 [7 W0 e- z5 M3 L; a- D' \) c+ J
2.加载新内核配置: $ sysctl -p) {2 K$ s, t# p, V, [/ r) _
. |% B6 m# d8 J6 D( B
3.配置常见的选项。编辑/etc/neutron/neutron.配置文件: [DEFAULT]verbose = True j& Z9 v% d: |. d
: o# `+ u/ }6 ]
4.配置Open vSwitch代理。编辑/etc/neutron/plugins/ml2/ml2_conf.ini文件: [backcolor=rgb(245, 245, 245) !important][url=][/url]
/ {+ {* g3 |3 R2 ~[ovs]local_ip = TUNNEL_INTERFACE_IP_ADDRESSbridge_mappings = vlan:br-vlan[agent]tunnel_types = gre,vxlanl2_population = False[securitygroup]firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriverenable_security_group = Trueenable_ipset = True[backcolor=rgb(245, 245, 245) !important][url=][/url]' \0 H" Y, I% A; E7 m) T7 o
' o) U* c% b7 u/ Q% T( f j
& ^3 k8 S9 V& C
使用处理GRE / VXLAN项目网络的接口的IP地址替换TUNNEL_INTERFACE_IP_ADDRESS。 5 n W( E4 v/ \/ z* v5 K- O
7.启动以下服务: Open vSwitch Open vSwitch agent
9 u: M+ [+ X$ H( q
/ f2 @& ^+ H# y# ^$ c# z8 ~+ u验证服务操作1.提供管理项目凭据。 2.验证代理的存在和操作: [backcolor=rgb(245, 245, 245) !important][url=][/url]
( z) a" `" m7 V6 q4 @$ neutron agent-list+--------------------------------------+--------------------+----------+-------+----------------+---------------------------+| id | agent_type | host | alive | admin_state_up | binary |+--------------------------------------+--------------------+----------+-------+----------------+---------------------------+| 0bfe5b5d-0b82-434e-b8a0-524cc18da3a4 | DHCP agent | network1 | :-) | True | neutron-dhcp-agent || 25224bd5-0905-4ec9-9f2d-3b17cdaf5650 | Open vSwitch agent | compute2 | :-) | True | neutron-openvswitch-agent || 29afe014-273d-42f3-ad71-8a226e40dea6 | L3 agent | network1 | :-) | True | neutron-l3-agent || 3bed5093-e46c-4b0f-9460-3309c62254a3 | DHCP agent | network2 | :-) | True | neutron-dhcp-agent || 54aefb1c-35f7-4ebf-a848-3bb4fe81dcf7 | Open vSwitch agent | network1 | :-) | True | neutron-openvswitch-agent || 91c9cc03-1678-4d7a-b0a7-fa1ac24e5516 | Open vSwitch agent | compute1 | :-) | True | neutron-openvswitch-agent || ac7b3f77-7e4d-47a6-9dbd-3358cfb67b61 | Open vSwitch agent | network2 | :-) | True | neutron-openvswitch-agent || ceef5c49-3148-4c39-9e15-4985fc995113 | Metadata agent | network1 | :-) | True | neutron-metadata-agent || d27ac19b-fb4d-4fec-b81d-e8c65557b6ec | L3 agent | network2 | :-) | True | neutron-l3-agent || f072a1ec-f842-4223-a6b6-ec725419be85 | Metadata agent | network2 | :-) | True | neutron-metadata-agent |+--------------------------------------+--------------------+----------+-------+----------------+---------------------------+[backcolor=rgb(245, 245, 245) !important][url=][/url]" z. m: I* I6 v. H7 k2 e) V
6 G- {8 g& V1 E v0 h+ b. T
9 p7 k* W3 f) X% |; L6 a$ A创建初始网络
! P Z1 k: G, C) H+ o- I6 S% Q这个示例创建了一个flat外部网络和一个VXLAN项目网络。
5 z7 S: ` {3 ~) G+ B! _7 Q
' z% N3 q; }9 D5 A9 j- u1.提供管理项目凭据。
7 l9 I% L1 z; f5 M% x0 E$ }
+ o; ~' e: ?6 l2 N2.创建外部网络: + q/ A p( d9 A& W! V# S. P
[backcolor=rgb(245, 245, 245) !important][url=][/url]3 T# ~( d+ X: b6 b- D
$ neutron net-create ext-net --router:external True \ --provider:physical_network external --provider:network_type flatCreated a new network:+---------------------------+--------------------------------------+| Field | Value |+---------------------------+--------------------------------------+| admin_state_up | True || id | 5266fcbc-d429-4b21-8544-6170d1691826 || name | ext-net || provider:network_type | flat || provider:physical_network | external || provider:segmentation_id | || router:external | True || shared | False || status | ACTIVE || subnets | || tenant_id | 96393622940e47728b6dcdb2ef405f50 |+---------------------------+--------------------------------------+[backcolor=rgb(245, 245, 245) !important][url=][/url]
3 L. x) L( E" Z1 b6 |, P/ q; d. T ]' m2 q
! u) y. Y* w1 j. C. e3.在外部网络上创建子网: ! z+ O9 X0 H! P3 E i( n) I& U+ C) O
[backcolor=rgb(245, 245, 245) !important][url=][/url]& d( _! Z% }# {4 g' l# j
$ neutron subnet-create ext-net 203.0.113.0/24 --name ext-subnet \ --allocation-pool start=203.0.113.101,end=203.0.113.200 \ --disable-dhcp --gateway 203.0.113.1Created a new subnet:+-------------------+----------------------------------------------------+| Field | Value |+-------------------+----------------------------------------------------+| allocation_pools | {"start": "203.0.113.101", "end": "203.0.113.200"} || cidr | 203.0.113.0/24 || dns_nameservers | || enable_dhcp | False || gateway_ip | 203.0.113.1 || host_routes | || id | b32e0efc-8cc3-43ff-9899-873b94df0db1 || ip_version | 4 || ipv6_address_mode | || ipv6_ra_mode | || name | ext-subnet || network_id | 5266fcbc-d429-4b21-8544-6170d1691826 || tenant_id | 96393622940e47728b6dcdb2ef405f50 |+-------------------+----------------------------------------------------+[backcolor=rgb(245, 245, 245) !important][url=][/url]9 a0 q {7 z. r2 r& g
$ z# t2 A+ t$ f+ {+ Y8 h
- K7 B/ Y7 i/ i/ }1 z D请注意:
. o% f! {; b: B. ]7 q, V: `) {% T& b* ^
示例配置包含vlan作为第一个项目网络类型。只有管理用户才能创建其他类型的网络,比如GRE或VXLAN。下面的命令使用admin项目凭证创建一个VXLAN项目网络。
: C7 k& i) {$ C- n$ X/ b5 c2 @
; C+ o6 i1 R! E* w1.获得常规项目的ID。例如使用demo项目: / Q3 o5 z5 {0 p) K4 _0 D- t
[backcolor=rgb(245, 245, 245) !important][url=][/url]( ]' n% S; y$ _8 Z, _
$ openstack project show demo+-------------+----------------------------------+| Field | Value |+-------------+----------------------------------+| description | Demo Tenant || enabled | True || id | 443cd1596b2e46d49965750771ebbfe1 || name | demo |+-------------+----------------------------------+[backcolor=rgb(245, 245, 245) !important][url=][/url]: O- ?7 i3 ~% E1 `3 Q: a& q
+ ]: J5 Q4 U; E- Z- V
, [9 @1 C6 m7 p: ?$ j) w& ^2.创建项目网络:
! N1 q0 Z# X K3 v+ `* ?[backcolor=rgb(245, 245, 245) !important][url=][/url]4 F' t; T5 [; [9 P/ n
$ neutron net-create demo-net \ --tenant-id 443cd1596b2e46d49965750771ebbfe1 \ --provider:network_type vxlanCreated a new network:+---------------------------+--------------------------------------+| Field | Value |+---------------------------+--------------------------------------+| admin_state_up | True || id | 7ac9a268-1ddd-453f-857b-0fd9552b645f || name | demo-net || provider:network_type | vxlan || provider:physical_network | || provider:segmentation_id | 1 || router:external | False || shared | False || status | ACTIVE || subnets | || tenant_id | 443cd1596b2e46d49965750771ebbfe1 |+---------------------------+--------------------------------------+[backcolor=rgb(245, 245, 245) !important][url=][/url]
' M* |7 p1 U/ g0 z7 G7 P; K6 d& }' n0 E9 x+ i
+ ?1 c2 q3 P7 g3 l/ e/ `: w
$ o% A" | U, f) j. u
3.提供常规项目凭证。下面的步骤使用demo项目。 4.在项目网络上创建子网:
9 d9 L8 N+ W2 }6 B Q) f; N[backcolor=rgb(245, 245, 245) !important][url=][/url]
" P: }; N5 k0 I$ neutron subnet-create demo-net 192.168.1.0/24 --name demo-subnet \ --gateway 192.168.1.1Created a new subnet:+-------------------+--------------------------------------------------+| Field | Value |+-------------------+--------------------------------------------------+| allocation_pools | {"start": "192.168.1.2", "end": "192.168.1.254"} || cidr | 192.168.1.0/24 || dns_nameservers | || enable_dhcp | True || gateway_ip | 192.168.1.1 || host_routes | || id | 2945790c-5999-4693-b8e7-50a9fc7f46f5 || ip_version | 4 || ipv6_address_mode | || ipv6_ra_mode | || name | demo-subnet || network_id | 7ac9a268-1ddd-453f-857b-0fd9552b645f || tenant_id | 443cd1596b2e46d49965750771ebbfe1 |+-------------------+--------------------------------------------------+[backcolor=rgb(245, 245, 245) !important][url=][/url]
+ B% Z8 [5 A# U+ q7 A/ E
& a' S1 V6 K# R( R) i" a4 m" @+ S% P, N
5.创建一个项目路由器: $ c# S2 f9 ]/ {2 h
[backcolor=rgb(245, 245, 245) !important][url=][/url]" t- z2 ]( a0 W0 @# i
$ neutron router-create demo-routerCreated a new router:+-----------------------+--------------------------------------+| Field | Value |+-----------------------+--------------------------------------+| admin_state_up | True || distributed | False || external_gateway_info | || ha | True || id | 7a46dba8-8846-498c-9e10-588664558473 || name | demo-router || routes | || status | ACTIVE || tenant_id | 443cd1596b2e46d49965750771ebbfe1 |+-----------------------+--------------------------------------+[backcolor=rgb(245, 245, 245) !important][url=][/url]/ p& Y+ i$ }/ J1 f; h' g
0 | g9 _$ g$ ]( `5 p6 G9 N, u
n8 M. ~! L7 {6 D4 |6 q注意:默认policy.json文件只允许管理项目在路由器创建期间启用/禁用HA,并查看路由器的HA标志。 ; a* ~8 E0 f& a( r
6.在路由器上添加项目子网作为接口: $ neutron router-interface-add demo-router demo-subnetAdded interface 8de3e172-5317-4c87-bdc1-f69e359de92e to router demo-router.
- L$ {7 o0 d* P- ^+ Z* C) u+ t5 [- G7 n' l/ }- E
7.在路由器上添加一个通向外部网络的网关: ! \# B0 g9 ^& [9 Y# Q3 Y! H
$ neutron router-gateway-set demo-router ext-netSet gateway for router demo-router
5 n4 W j: A# @* ?& f# X
: E$ ^9 X( ^; x. k( Z6 {验证网络操作9 E3 Z P/ \8 u+ d
1.提供管理项目凭据。
8 W! \1 b1 Q! S- }- Q% X% W/ c" `4 h# K
2.在控制器节点上,验证HA网络的创建: [backcolor=rgb(245, 245, 245) !important][url=][/url]
+ m6 U% F3 Z* |$ neutron net-list+--------------------------------------+----------------------------------------------------+-------------------------------------------------------+| id | name | subnets |+--------------------------------------+----------------------------------------------------+-------------------------------------------------------+| 5266fcbc-d429-4b21-8544-6170d1691826 | ext-net | b32e0efc-8cc3-43ff-9899-873b94df0db1 203.0.113.0/24 || e029b568-0fd7-4d10-bb16-f9e014811d10 | HA network tenant 443cd1596b2e46d49965750771ebbfe1 | ee30083f-eb4c-41ea-8937-1bae65740af4 169.254.192.0/18 || 7ac9a268-1ddd-453f-857b-0fd9552b645f | demo-net | 2945790c-5999-4693-b8e7-50a9fc7f46f5 192.168.1.0/24 |+--------------------------------------+----------------------------------------------------+-------------------------------------------------------+[backcolor=rgb(245, 245, 245) !important][url=][/url]; g! |- A% ^; T# `- k
9 ?/ D/ y! Y7 C7 V/ f$ m
/ L+ I" N0 e4 O8 h" @
3.在控制器节点上,在多个网络节点上验证路由器的创建: $ q# w ]( G" ^: l5 ~; K4 p- [
[backcolor=rgb(245, 245, 245) !important][url=][/url]
$ t$ d- Q i! L( Y$ neutron l3-agent-list-hosting-router demo-router+--------------------------------------+----------+----------------+-------+----------+| id | host | admin_state_up | alive | ha_state |+--------------------------------------+----------+----------------+-------+----------+| 29afe014-273d-42f3-ad71-8a226e40dea6 | network1 | True | :-) | active || d27ac19b-fb4d-4fec-b81d-e8c65557b6ec | network2 | True | :-) | standby |+--------------------------------------+----------+----------------+-------+----------+[backcolor=rgb(245, 245, 245) !important][url=][/url]
# `8 ?6 `; T. g) O
0 a: T/ P" @6 @7 _. p. R: A" H9 q" S4 Q! F. q
注意:老版本的python - neutronclient不支持ha_state字段。
: N7 p% L3 G* `) _) I8 ]: H: s4.在控制器节点上,在demo - router路由器上验证HA端口的创建: [backcolor=rgb(245, 245, 245) !important][url=][/url]! _1 L& T" B" R1 m" n
$ neutron router-port-list demo-router+--------------------------------------+-------------------------------------------------+-------------------+----------------------------------------------------------------------------------------+| id | name | mac_address | fixed_ips |+--------------------------------------+-------------------------------------------------+-------------------+----------------------------------------------------------------------------------------+| 255d2e4b-33ba-4166-a13f-6531122641fe | HA port tenant 443cd1596b2e46d49965750771ebbfe1 | fa:16:3e:25:05:d7 | {"subnet_id": "8e8e4c7d-fa38-417d-a4e3-03ee5ab5493c", "ip_address": "169.254.192.1"} || 374587d7-2acd-4156-8993-4294f788b55e | | fa:16:3e:82:a0:59 | {"subnet_id": "b32e0efc-8cc3-43ff-9899-873b94df0db1", "ip_address": "203.0.113.101"} || 8de3e172-5317-4c87-bdc1-f69e359de92e | | fa:16:3e:10:9f:f6 | {"subnet_id": "2945790c-5999-4693-b8e7-50a9fc7f46f5", "ip_address": "192.168.1.1"} || 90d1a59f-b122-459d-a94a-162a104de629 | HA port tenant 443cd1596b2e46d49965750771ebbfe1 | fa:16:3e:ae:3b:22 | {"subnet_id": "8e8e4c7d-fa38-417d-a4e3-03ee5ab5493c", "ip_address": "169.254.192.2"} |+--------------------------------------+-------------------------------------------------+-------------------+----------------------------------------------------------------------------------------+[backcolor=rgb(245, 245, 245) !important][url=][/url]
9 F0 i: O* ]: d8 y/ \) x @
/ F9 b) L3 u$ @% C/ c, s2 s h# R- b8 r
4 A3 ~' P, [. U! H5 T0 @1 u5.在网络节点上,验证qrouter和qdhcp名称空间的创建:
5 L2 [) }% o# B: ]9 M% ^" ^2 z[backcolor=rgb(245, 245, 245) !important][url=][/url]
6 R6 @4 M; d( j' G3 G网络节点1:$ ip netnsqrouter-7a46dba8-8846-498c-9e10-588664558473网络节点2:$ ip netnsqrouter-7a46dba8-8846-498c-9e10-588664558473[backcolor=rgb(245, 245, 245) !important][url=][/url]9 Y6 j& s6 a- E5 ?' L
. e: {- J* z4 A0 p
两个qrouter名称空间都应该使用相同的UUID。 - g8 D% S9 I5 T1 ^, ]
请注意8 K8 |9 i" @+ x2 J0 x, L) p
5 b/ w! x. t/ _# E 在启动实例之前,qdhcp名称空间可能不存在。
* }8 g1 m# t( a& L2 e" R$ u7 G9 |) V: T# K r, f
6.在网络节点上,验证HA操作: 网络节点1:[backcolor=rgb(245, 245, 245) !important][url=][/url]
! y# g% l. e( I网络节点1:$ ip netns exec qrouter-7a46dba8-8846-498c-9e10-588664558473 ip addr show11: ha-255d2e4b-33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default link/ether fa:16:3e:25:05:d7 brd ff:ff:ff:ff:ff:ff inet 169.254.192.1/18 brd 169.254.255.255 scope global ha-255d2e4b-33 valid_lft forever preferred_lft forever inet6 fe80::f816:3eff:fe25:5d7/64 scope link valid_lft forever preferred_lft forever12: qr-8de3e172-53: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default link/ether fa:16:3e:10:9f:f6 brd ff:ff:ff:ff:ff:ff inet 192.168.1.1/24 scope global qr-8de3e172-53 valid_lft forever preferred_lft forever inet6 fe80::f816:3eff:fe10:9ff6/64 scope link valid_lft forever preferred_lft forever13: qg-374587d7-2a: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default link/ether fa:16:3e:82:a0:59 brd ff:ff:ff:ff:ff:ff inet 203.0.113.101/24 scope global qg-374587d7-2a valid_lft forever preferred_lft forever inet6 fe80::f816:3eff:fe82:a059/64 scope link valid_lft forever preferred_lft forever[backcolor=rgb(245, 245, 245) !important][url=][/url]
0 X* C+ R7 X6 a% o' w0 K$ R$ A4 |( @4 a `( l: o j; [
" l1 M8 K- V: _. t0 L' }
网络节点2:) V% _! K# O+ m$ q& K6 R# s5 U: d: R7 [
[backcolor=rgb(245, 245, 245) !important][url=][/url]7 d: ~1 l. R N% ?
$ ip netns exec qrouter-7a46dba8-8846-498c-9e10-588664558473 ip addr show11: ha-90d1a59f-b1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default link/ether fa:16:3e:ae:3b:22 brd ff:ff:ff:ff:ff:ff inet 169.254.192.2/18 brd 169.254.255.255 scope global ha-90d1a59f-b1 valid_lft forever preferred_lft forever inet6 fe80::f816:3eff:feae:3b22/64 scope link valid_lft forever preferred_lft forever12: qr-8de3e172-53: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default link/ether fa:16:3e:10:9f:f6 brd ff:ff:ff:ff:ff:ff inet6 fe80::f816:3eff:fe10:9ff6/64 scope link valid_lft forever preferred_lft forever13: qg-374587d7-2a: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default link/ether fa:16:3e:82:a0:59 brd ff:ff:ff:ff:ff:ff inet6 fe80::f816:3eff:fe82:a059/64 scope link valid_lft forever preferred_lft forever[backcolor=rgb(245, 245, 245) !important][url=][/url]4 b* ?" l6 v" ^5 M9 i
; L+ l0 w" A; c& m4 D
在每个网络节点上,qrouter命名空间应该包括ha、qr和qg接口。在主节点上,qr接口包含项目网络网关IP地址,qg接口包含外部网络上的项目路由器IP地址。在备份节点上,qr和qg接口不应该包含IP地址。在这两个节点上,ha接口应该在169.254.192.0 / 18范围内包含唯一的IP地址。 0 H) B; D9 P9 D$ a- s# V L
7.在网络节点上,在适当的网络接口上从主节点HA接口IP地址验证VRRP advertisements :
* D; C' r4 I: A. l* d5 W网络节点1: [backcolor=rgb(245, 245, 245) !important][url=][/url]
t( {9 }- \% q$ tcpdump -lnpi eth116:50:16.857294 IP 169.254.192.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 50, authtype none, intvl 2s, length 2016:50:18.858436 IP 169.254.192.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 50, authtype none, intvl 2s, length 2016:50:20.859677 IP 169.254.192.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 50, authtype none, intvl 2s, length 20[backcolor=rgb(245, 245, 245) !important][url=][/url]
, n$ K5 P, e8 y" H, R4 Q# _
1 u) l- L- m" r2 b6 f2 P6 F& g& \. p6 o& g- T, B. e, ^, _
网络节点2: [backcolor=rgb(245, 245, 245) !important][url=][/url]9 U: F8 {: V6 V; S! f
$ tcpdump -lnpi eth116:51:44.911640 IP 169.254.192.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 50, authtype none, intvl 2s, length 2016:51:46.912591 IP 169.254.192.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 50, authtype none, intvl 2s, length 2016:51:48.913900 IP 169.254.192.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 50, authtype none, intvl 2s, length 20[backcolor=rgb(245, 245, 245) !important][url=][/url]9 V, N! i. A4 r- j- }$ J
# `$ A8 {3 h0 F7 }, S
( _6 G, l8 r7 N8 E) `4 y示例输出使用网络接口eth1。 ; U2 _! D& t+ ]% X7 Y A
; Y+ a% Y! L1 e% M& B2 _: W8.在路由器上确定项目网络的外部网络网关IP地址,通常是外部子网IP分配范围内的最低IP地址: [backcolor=rgb(245, 245, 245) !important][url=][/url]
/ h3 v7 l* C7 U! C; t$ neutron router-port-list demo-router+--------------------------------------+-------------------------------------------------+-------------------+----------------------------------------------------------------------------------------+| id | name | mac_address | fixed_ips |+--------------------------------------+-------------------------------------------------+-------------------+----------------------------------------------------------------------------------------+| 255d2e4b-33ba-4166-a13f-6531122641fe | HA port tenant 443cd1596b2e46d49965750771ebbfe1 | fa:16:3e:25:05:d7 | {"subnet_id": "8e8e4c7d-fa38-417d-a4e3-03ee5ab5493c", "ip_address": "169.254.192.1"} || 374587d7-2acd-4156-8993-4294f788b55e | | fa:16:3e:82:a0:59 | {"subnet_id": "b32e0efc-8cc3-43ff-9899-873b94df0db1", "ip_address": "203.0.113.101"} || 8de3e172-5317-4c87-bdc1-f69e359de92e | | fa:16:3e:10:9f:f6 | {"subnet_id": "2945790c-5999-4693-b8e7-50a9fc7f46f5", "ip_address": "192.168.1.1"} || 90d1a59f-b122-459d-a94a-162a104de629 | HA port tenant 443cd1596b2e46d49965750771ebbfe1 | fa:16:3e:ae:3b:22 | {"subnet_id": "8e8e4c7d-fa38-417d-a4e3-03ee5ab5493c", "ip_address": "169.254.192.2"} |+--------------------------------------+-------------------------------------------------+-------------------+----------------------------------------------------------------------------------------+[backcolor=rgb(245, 245, 245) !important][url=][/url]
, y; U4 H% ^; E S( X7 G; m0 W+ @' g. P& x4 U. Y% a3 a
% |! E; s( C% F
; T4 F' o% ^$ d2 e
9.在控制器节点或任何有访问外部网络的主机上,在项目路由器上ping外部网络网关IP地址: [backcolor=rgb(245, 245, 245) !important][url=][/url]
G5 B! e" |9 d( M# S; K$ ping -c 4 203.0.113.101PING 203.0.113.101 (203.0.113.101) 56(84) bytes of data.64 bytes from 203.0.113.101: icmp_req=1 ttl=64 time=0.619 ms64 bytes from 203.0.113.101: icmp_req=2 ttl=64 time=0.189 ms64 bytes from 203.0.113.101: icmp_req=3 ttl=64 time=0.165 ms64 bytes from 203.0.113.101: icmp_req=4 ttl=64 time=0.216 ms--- 203.0.113.101 ping statistics ---4 packets transmitted, 4 received, 0% packet loss, time 2999msrtt min/avg/max/mdev = 0.165/0.297/0.619/0.187 ms[backcolor=rgb(245, 245, 245) !important][url=][/url]8 k9 @& w7 o" U
* \3 r' T% h$ W# l, j/ A0 x
1 H/ o# o" @1 n3 }) j6 F2 K0 m9 S4 k
9 x' c; x7 w v
10.提供常规项目凭证。下面的步骤使用演示项目。
) {% u+ ]% S& q3 U8 T9 ?4 I: h2 z5 L5 H: P5 D
11.创建适当的安全组规则,允许ping和SSH访问实例。例如: [backcolor=rgb(245, 245, 245) !important][url=][/url]
- q& h5 O) H2 b$ C* H6 h$ nova secgroup-add-rule default icmp -1 -1 0.0.0.0/0+-------------+-----------+---------+-----------+--------------+| IP Protocol | From Port | To Port | IP Range | Source Group |+-------------+-----------+---------+-----------+--------------+| icmp | -1 | -1 | 0.0.0.0/0 | |+-------------+-----------+---------+-----------+--------------+$ nova secgroup-add-rule default tcp 22 22 0.0.0.0/0+-------------+-----------+---------+-----------+--------------+| IP Protocol | From Port | To Port | IP Range | Source Group |+-------------+-----------+---------+-----------+--------------+| tcp | 22 | 22 | 0.0.0.0/0 | |+-------------+-----------+---------+-----------+--------------+[backcolor=rgb(245, 245, 245) !important][url=][/url]
6 a' Q! F2 }' Z- W: b o; u* D
; `) W. C9 ^, u
6 s3 g2 b7 F3 \& X4 d12.在项目网络上启动一个具有接口的实例。例如,使用现有的CirrOS镜像: ) _' k6 g/ S; {% u6 N! g8 r
[backcolor=rgb(245, 245, 245) !important][url=][/url]
" l6 ?" m3 n& e! {$ nova boot --flavor m1.tiny --image cirros \ --nic net-id=7ac9a268-1ddd-453f-857b-0fd9552b645f demo-instance1+--------------------------------------+-----------------------------------------------+| Property | Value |+--------------------------------------+-----------------------------------------------+| OS-DCF:diskConfig | MANUAL || OS-EXT-AZ:availability_zone | nova || OS-EXT-STS:power_state | 0 || OS-EXT-STS:task_state | scheduling || OS-EXT-STS:vm_state | building || OS-SRV-USG:launched_at | - || OS-SRV-USG:terminated_at | - || accessIPv4 | || accessIPv6 | || adminPass | Z3uAd2utPUNu || config_drive | || created | 2015-08-10T15:06:24Z || flavor | m1.tiny (1) || hostId | || id | 77149598-c839-400f-b948-db6993f0b40b || image | cirros (125733d9-8d37-4d70-9a64-1c989cfa8e9c) || key_name | || metadata | {} || name | demo-instance1 || os-extended-volumes:volumes_attached | [] || progress | 0 || security_groups | default || status | BUILD || tenant_id | 443cd1596b2e46d49965750771ebbfe1 || updated | 2015-08-10T15:06:25Z || user_id | bdd4e165bdf94b258ddd4856340ed01c |+--------------------------------------+-----------------------------------------------+[backcolor=rgb(245, 245, 245) !important][url=][/url]' b+ x* u! r. J+ E
2 m& S |# g$ n% Q. a8 I: F7 o
/ [6 F, o$ ~9 v8 F13.获得对实例的控制台访问。 [backcolor=rgb(245, 245, 245) !important][url=][/url]
* n3 }& D% a0 X3 K5 Q* R5 G" ]- [" z% ~5 j
1.测试连接到项目路由器:$ ping -c 4 192.168.1.1PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.64 bytes from 192.168.1.1: icmp_req=1 ttl=64 time=0.357 ms64 bytes from 192.168.1.1: icmp_req=2 ttl=64 time=0.473 ms64 bytes from 192.168.1.1: icmp_req=3 ttl=64 time=0.504 ms64 bytes from 192.168.1.1: icmp_req=4 ttl=64 time=0.470 ms--- 192.168.1.1 ping statistics ---4 packets transmitted, 4 received, 0% packet loss, time 2998msrtt min/avg/max/mdev = 0.357/0.451/0.504/0.055 ms2.测试连接到互联网:$ ping -c 4 openstack.orgPING openstack.org (174.143.194.225) 56(84) bytes of data.64 bytes from 174.143.194.225: icmp_req=1 ttl=53 time=17.4 ms64 bytes from 174.143.194.225: icmp_req=2 ttl=53 time=17.5 ms64 bytes from 174.143.194.225: icmp_req=3 ttl=53 time=17.7 ms64 bytes from 174.143.194.225: icmp_req=4 ttl=53 time=17.5 ms--- openstack.org ping statistics ---4 packets transmitted, 4 received, 0% packet loss, time 3003msrtt min/avg/max/mdev = 17.431/17.575/17.734/0.143 ms+ D0 C1 ?; N, [1 s1 H
[backcolor=rgb(245, 245, 245) !important][url=][/url]# f( y: Y% l& o0 B
; x* }6 S) N& _) w' [
3 X d" y; N; P$ Q. m7 Z14.在外部网络上创建浮动IP地址: [backcolor=rgb(245, 245, 245) !important][url=][/url]/ m3 v& g r! b
$ neutron floatingip-create ext-netCreated a new floatingip:+---------------------+--------------------------------------+| Field | Value |+---------------------+--------------------------------------+| fixed_ip_address | || floating_ip_address | 203.0.113.102 || floating_network_id | 5266fcbc-d429-4b21-8544-6170d1691826 || id | 20a6b5dd-1c5c-460e-8a81-8b5cf1739307 || port_id | || router_id | || status | DOWN || tenant_id | 443cd1596b2e46d49965750771ebbfe1 |+---------------------+--------------------------------------+[backcolor=rgb(245, 245, 245) !important][url=][/url]* u) J+ g9 w& S
y2 {1 a/ C. }4 O' b0 g! s
1 K$ ]( v& f1 ^. i% r+ F' A15.将浮动IP地址与实例关联: $ nova floating-ip-associate demo-instance1 203.0.113.102
0 f& s- U) I' i/ }
3 h% y r$ V; [$ A+ s16.验证添加到实例的浮动IP地址: [backcolor=rgb(245, 245, 245) !important][url=][/url]" ^" @4 r# _( ~
$ nova list+--------------------------------------+----------------+--------+------------+-------------+-----------------------------------------+| ID | Name | Status | Task State | Power State | Networks |+--------------------------------------+----------------+--------+------------+-------------+-----------------------------------------+| 77149598-c839-400f-b948-db6993f0b40b | demo-instance1 | ACTIVE | - | Running | demo-net=192.168.1.3, 203.0.113.102 |+--------------------------------------+----------------+--------+------------+-------------+-----------------------------------------+[backcolor=rgb(245, 245, 245) !important][url=][/url]
# e3 m4 L3 U8 }( K( m0 a; \! ^' k! l3 _/ v! V" H* J
2 r* x! t) L' c2 d9 T
17.在控制器节点或任何访问外部网络的主机上,ping与实例关联的浮动IP地址:
0 m. `5 t- ~ T& g5 |[backcolor=rgb(245, 245, 245) !important][url=][/url]
6 s' k+ L: [: q7 H, ? V$ ping -c 4 203.0.113.102PING 203.0.113.102 (203.0.113.112) 56(84) bytes of data.64 bytes from 203.0.113.102: icmp_req=1 ttl=63 time=3.18 ms64 bytes from 203.0.113.102: icmp_req=2 ttl=63 time=0.981 ms64 bytes from 203.0.113.102: icmp_req=3 ttl=63 time=1.06 ms64 bytes from 203.0.113.102: icmp_req=4 ttl=63 time=0.929 ms--- 203.0.113.102 ping statistics ---4 packets transmitted, 4 received, 0% packet loss, time 3002msrtt min/avg/max/mdev = 0.929/1.539/3.183/0.951 ms
K4 w/ y, n- a |
/4 
窥视卡
雷达卡
发表于 2021-6-25 11:21:40
# }- w8 c& P( q/ {; k7 s. v
8 i p3 ?7 g4 r6 v+ R, A
" X; q7 u9 o& t7 c2 {$ ~3 b
' M8 w% }; G2 N Z- ~+ r, G
; @* J3 R' [( {: r3 T
1 \& K* W9 t; v/ O; m$ o
/ E: w7 Y# ?; F; X
7 I9 v# U+ G0 [
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
照妖镜
楼主
