|
一个具有网络管理接口的控制器节点。$ N# \' W. A3 H2 C& X6 I, \
两个网络节点有四个网络接口:管理、项目隧道网络、项目VLAN网络和外部(通常是Internet)。Open vSwitch网桥br-vlan必须包含VLAN接口上的一个端口,而Open vSwitch桥的br- ex必须在外部接口上包含一个端口。
' a2 K1 D5 l) `: @
) j! |" j+ W3 b% Z0 n至少有一个具有三个网络接口的计算节点:管理、项目隧道网络和项目VLAN网络。Open vSwitch网桥br-vlan必须在VLAN接口上包含一个端口。 为了提高对网络流量的理解,网络和计算节点包含一个独立的网络接口,用于项目VLAN网络。在生产环境中,项目VLAN网络可以使用任何Open vSwitch网桥来访问网络接口。例如br-tun网桥 7 \8 t- f+ N$ N! t4 ]! Q+ A
在示例配置中,管理网络使用10.0.0 / 24,隧道网络使用10.0.1.0 / 24,VRRP网络使用169.254.192.0 / 18,外部网络使用203.0.113.0 / 24。VLAN网络不需要IP地址范围,因为它只处理二级连接。
, _$ @; L) |& l3 f: B* ]: L: V硬件要求
5 v( Y. |6 f7 o6 \& r0 d0 M; D1 v& {1 u
网络布局
' T) ^1 f( Y1 ?) }+ h
+ }. e0 n; b& [2 P9 @1 G8 l
1 B& {( g) Q. Q( |+ _ 服务布局5 Q* m, R- _! H6 n: p
( O) G! \3 v3 w2 ~! @* m: o 注意:对于VLAN外部和项目网络,网络基础设施必须支持VLAN标记。为了获得VXLAN和GRE项目网络的最佳性能,网络基础设施应该支持巨型帧。 . C7 i( C( D! W Q* G) n
控制节点的OpenStack服务- Y$ H" P9 P) l* I. h
在neutron.conf文件中具有数据库服务器的合适配置在neutron.conf文件中具有消息队列服务的合适配置。* {: D8 u( [/ x
在neutron.conf文件中具有openstack keystone服务的合适配置0 I$ r% E L- H# f4 F; Z. y7 U
在nova.conf文件中具有openstack计算 控制/管理服务的合适配置去使用Openstack 网络
- w" h! r( J0 r! a( H8 d! s. sneutron服务器服务、ML2插件和任何依赖关系。' D7 R) x: f6 z$ J/ l ]
, h! T2 L& r- c7 C5 g0 w) ^$ c网络节点的Openstack服务在neutron.conf文件中具有openstack keystone服务的合适配置
, ]! i: v% H1 F, l5 m4 I* \5 LOpen vSwitch服务、ML2插件、Open vSwitch代理、L3代理、DHCP代理、元数据代理和任何依赖关系。7 @, b6 K3 y% e4 l! c3 @3 X$ A
4 E { r) U3 |" ]# [
计算节点的Openstack服务- A9 C( l* }3 o, r
在neutron.conf文件中具有openstack keystone服务的合适配置
: ^2 R- d- N+ P; u+ V2 ]; x6 m$ F M! M3 F! t! ^: z! H
在nova.conf文件中具有openstack计算 控制/管理服务的合适配置去使用Openstack网络Open vSwitch服务,ML2插件,OpenvSwitch代理,以及任何依赖项。
3 |6 e' a% D1 \( Q1 C- H& l3 |5 i7 D6 H. x4 y6 O6 S
体系结构. z, f: S! b8 h$ o
一般的体系架构
6 G7 f1 g, X, X* Z 网络节点包含以下组件:
5 d) ~* ^5 \8 r1 B1 X, t# b6 r4 l2 N2 D8 s# C$ S: F
Open vSwitch代理管理虚拟交换机之间的连接,以及通过虚拟端口与其他网络组件(如名称空间、Linux网桥和底层接口)进行交互。
# [& l+ X6 V+ W8 @. s8 K: H, E4 Q
1 C! N6 G7 P8 d! A管理qdhcp名称空间的DHCP代理。qdhcp名称空间为使用项目网络的实例提供DHCP服务。) U; }0 h& i/ y* G
) b/ `6 Q: d/ _7 ?* W% ~; Q" R. }L3代理使用keepalived管理qrouter名称空间和VRRP。qrouter名称空间提供了项目和外部网络之间以及项目网络之间的路由。它们还在实例和元数据代理之间路由元数据通信。; Y- o' R ^# H9 l; X
. G6 W Z# h. ^$ G9 \& _& V$ w
元数据代理处理实例的元数据操作。 3 d0 V2 w; a$ f4 E; @( X- @ p2 {
* V6 Y7 D; A# @5 K/ G, R
网络节点组件回顾0 T" H9 @, c# m6 D
4 I$ U. o" r' S" R
0 y' d4 U G% u" W 网络节点组件连接5 X4 v. \* ]7 f* ~: G8 j
# p$ L0 n% ~2 K0 F/ D+ g" }: A
计算节点包含以下组件:3 |4 f8 Z; R* z5 P& K1 v
" b8 P- |4 k9 D; r0 e% N
1.Open vSwitch代理管理虚拟交换机之间的连接,以及通过虚拟端口与其他网络组件(如名称空间、Linux网桥和底层接口)进行交互。
. I% }" M) W9 E, J3 l! ~
% v H* F6 O- i; n" s- N; a2.Linux网桥处理安全组。 ( e7 R3 A0 S P# r f3 J
注意:由于Open vSwitch和iptables的限制,网络服务使用Linux桥来管理实例的安全组。
5 F! d: @1 }( Q4 P( ]/ ]计算节点组件回顾" f8 k! e1 ^( _ }3 l+ J" [
# r" \) _" t; F! M! B9 U+ P3 G* W8 Y2 c 计算节点组件连接
9 X8 [7 o- F; u/ W/ q. u, b4 Q
+ R* W; l9 P' f; c8 e$ n数据包流 L3HA机制简单地增加了场景:如果主路由器失败,则使用Open vSwitch提供给另一个路由器的快速故障转移到另一个路由器。/ Y! f5 h8 y n! L9 D( H5 L" q
2 M3 F/ K' |) }( W% _' e
在正常的操作过程中,主路由器定期地通过一个隐藏的项目网络来传输心跳数据包,该网络连接所有的HA路由器以完成特定的项目。 在默认情况下,这个网络使用的类型是在/etc/neutron/plugins/ml2_conf.ini的tenant_network_types选项中第一个值的类型。
' `! P1 f7 |6 X6 ]1 \) f) p8 E4 Y+ S' g
如果备份路由器停止接收这些数据包,它就假定主路由器失效,并通过在qrouter名称空间中配置IP地址来提升自己到主路由器。在具有多个备份路由器的环境中,具有下一个最高优先级的路由器成为主路由器 0 b( o) r% y5 _/ j& w& Z8 ^4 O
注意:L3HA机制对所有路由器使用相同的优先级。因此,VRRP会将IP地址最高的备份路由器提升到主路由器。 5 Y4 x- h; T; V, e
示例配置
/ `# D/ o) i' O# O使用下面的示例配置作为在您的环境中部署该场景的模板。
) J3 j o# `( U
控制节点1.配置常见的选项。编辑/etc/neutron/neutron.配置文件: [backcolor=rgb(245, 245, 245) !important][url=] [/url]" J; d' p* i) P+ B# o* |9 h9 H
[DEFAULT]verbose = Truecore_plugin = ml2service_plugins = routerallow_overlapping_ips = Truerouter_distributed = Falsel3_ha = Truel3_ha_net_cidr = 169.254.192.0/18max_l3_agents_per_router = 3min_l3_agents_per_router = 2dhcp_agents_per_network = 2[backcolor=rgb(245, 245, 245) !important][url=][/url], J6 a' F( G4 P9 }: M5 D2 n5 M3 F; }0 ]
+ C& l% @+ P" n: ]) t8 k
' I& A* V+ R- q8 K1 J 2.配置ML2插件。编辑/etc/neutron/plugins/ml2/ml2_conf.ini文件: ; U( z' w- w! G3 K' ~; Z7 I @
[backcolor=rgb(245, 245, 245) !important][url=][/url]
; w' {) l0 F+ f0 L[ml2]type_drivers = flat,vlan,gre,vxlantenant_network_types = vlan,gre,vxlanmechanism_drivers = openvswitch[ml2_type_flat]flat_networks = external[ml2_type_vlan]network_vlan_ranges = external,vlan:MIN_VLAN_ID:MAX_VLAN_ID[ml2_type_gre]tunnel_id_ranges = MIN_GRE_ID:MAX_GRE_ID[ml2_type_vxlan]vni_ranges = MIN_VXLAN_ID:MAX_VXLAN_IDvxlan_group = 239.1.1.1[securitygroup]firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriverenable_security_group = Trueenable_ipset = True[backcolor=rgb(245, 245, 245) !important][url=][/url]: h# k* F5 @7 E
) j- ? F: a! D k1 Z
7 b$ J) K3 ?+ M& m# E5 T
替换MIN_VLAN_ID、MAX_VLAN_ID、MIN_GRE_ID、MAX_GRE_ID、MIN_VXLAN_ID和MAX_VXLAN_ID和VLAN、GRE和VXLAN ID最小值,以及适合您的环境的最大值。 , X; `! h4 s/ R9 H$ N' r& r P
请注意: tenant_network_types选项中的第一个值在常规用户创建网络时成为默认项目网络类型。network_vlan_range选项中的外部值缺少VLAN ID范围,以支持管理用户使用任意VLAN ID。+ I* z; T& b9 K
! H$ ~9 u( a/ ^0 b- Y3.启动服务 + M( r0 `) | ~/ D
: m5 b0 ] Q2 q3 A0 a
2 I; H8 S n; {( F& o7 _网络节点1.配置内核以启用包转发和禁用反向路径过滤。编辑/etc/sysctl.配置文件: net.ipv4.ip_forward=1net.ipv4.conf.default.rp_filter=0net.ipv4.conf.all.rp_filter=0+ \% X1 v' @( O* m. s
2.加载新内核配置: $ sysctl -p
7 ^7 S2 U# Q/ `' I* _
# m, |+ {2 H" i' m( I4 [+ r: U 3.配置常见的选项。编辑/etc/neutron/neutron.配置文件: [DEFAULT]verbose = True* }# E6 W3 a! c4 J
* L6 W# w# ?* e1 I4.配置Open vSwitch代理。编辑/etc/neutron/plugins/ml2/ml2_conf.ini文件: [backcolor=rgb(245, 245, 245) !important][url=][/url]
* ]3 B3 H" q, J! H6 z[ovs]local_ip = TUNNEL_INTERFACE_IP_ADDRESSbridge_mappings = vlan:br-vlan,external:br-ex[agent]tunnel_types = gre,vxlanl2_population = False[securitygroup]firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriverenable_security_group = Trueenable_ipset = True[backcolor=rgb(245, 245, 245) !important][url=][/url]; H# Z% @! k5 `; D
H$ g& k/ F5 e
8 o) q( S( t3 L8 M$ u
使用处理GRE / VXLAN项目网络的接口的IP地址替换TUNNEL_INTERFACE_IP_ADDRESS。
! @! D2 g& [* }6 d5.配置L3代理。编辑/etc/neutron/l3_agent.ini文件: ! w# S8 u& m- P) W v- R0 `
[backcolor=rgb(245, 245, 245) !important][url=][/url]2 D! |5 b$ X9 e7 T4 }! h5 ^
[DEFAULT]verbose = Trueinterface_driver = neutron.agent.linux.interface.OVSInterfaceDriveruse_namespaces = Trueexternal_network_bridge =router_delete_namespaces = Trueagent_mode = legacy[backcolor=rgb(245, 245, 245) !important][url=][/url]
+ H t2 q/ P3 z+ W, L& i1 l. z0 i- h5 T
注意:external_network_bridge选项故意不包含任何值。 " O6 E- S2 L0 V' B8 t1 @
6.配置DHCP代理。编辑/etc/neutron/dhcp_agent.ini文件:
! x* b9 H3 _$ Y[backcolor=rgb(245, 245, 245) !important][url=][/url] e% c+ u Q! S; d( m* q( k
[DEFAULT]verbose = Trueinterface_driver = neutron.agent.linux.interface.OVSInterfaceDriverdhcp_driver = neutron.agent.linux.dhcp.Dnsmasquse_namespaces = Truedhcp_delete_namespaces = True[backcolor=rgb(245, 245, 245) !important][url=][/url]
' y8 a8 [" P! f' `+ ^3 |4 o9 m3 @2 k* }! X3 ~
$ R" Q' C0 m& n) B
7.(可选)为VXLAN项目网络减少MTU。 [backcolor=rgb(245, 245, 245) !important][url=][/url]
$ a! U" Q% ? q7 g7 @
9 [- Y7 T" B; Q4 |
5 R( F4 E8 w* ~+ L1.编辑/etc/neutron/dhcp_agent。ini文件:[DEFAULT]dnsmasq_config_file = /etc/neutron/dnsmasq-neutron.conf2.编辑/etc/neutron/dnsmasq-neutron.conf文件:dhcp-option-force=26,1450/ M! c4 {0 @+ n0 b3 D
& K9 J8 C- t+ f1 j[backcolor=rgb(245, 245, 245) !important][url=][/url]" u& D/ g3 c' n- `: W$ N K
\9 ~) B5 R2 ~9 ]1 \8 V
/ x. ?: M$ w2 [6 P, r2 e8.配置元数据代理。编辑/etc/neutron/metadata_agent.ini文件: [DEFAULT]verbose = Truenova_metadata_ip = controllermetadata_proxy_shared_secret = METADATA_SECRET
' S& d: U) v6 [: f( i
5 }+ y6 m) z& P2 j3 }2 Q用合适的环境值替换METADATA_SECRET。 % |- v: H8 o$ X" `! v$ f
9.开始以下服务: Open vSwitch Open vSwitch agent L3 agent DHCP agent Metadata agent+ b3 G. f1 M3 D3 J8 b2 w. P
+ Q, P' i% p8 o ^8 u7 I7 Q计算节点6 U5 i0 b( }# U9 j5 u
1.配置内核以启用网桥上的iptables并禁用反向路径过滤。编辑/etc/sysctl.配置文件: net.ipv4.conf.default.rp_filter=0net.ipv4.conf.all.rp_filter=0net.bridge.bridge-nf-call-iptables=1net.bridge.bridge-nf-call-ip6tables=1
+ \' L4 z& T2 ~2.加载新内核配置: $ sysctl -p
4 W8 z* j# t4 V9 Z9 G
3 H6 K. i2 [1 _) |) Q3.配置常见的选项。编辑/etc/neutron/neutron.配置文件: [DEFAULT]verbose = True
4 s/ Z Y4 t$ i+ D) `- Y
! f r& `. a0 R4.配置Open vSwitch代理。编辑/etc/neutron/plugins/ml2/ml2_conf.ini文件: [backcolor=rgb(245, 245, 245) !important][url=][/url]) u0 I; x1 e# @1 O3 i1 T: K
[ovs]local_ip = TUNNEL_INTERFACE_IP_ADDRESSbridge_mappings = vlan:br-vlan[agent]tunnel_types = gre,vxlanl2_population = False[securitygroup]firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriverenable_security_group = Trueenable_ipset = True[backcolor=rgb(245, 245, 245) !important][url=][/url]: U' l L1 s& y7 x0 }9 G! ?5 D# G
" v1 ^2 e* z; J0 g/ l
, w! P4 k8 X. d. _使用处理GRE / VXLAN项目网络的接口的IP地址替换TUNNEL_INTERFACE_IP_ADDRESS。
' E3 ]/ O2 z" X- U7.启动以下服务: Open vSwitch Open vSwitch agent
4 a6 s3 G. m' h, s$ H) A/ U; R% e8 G6 J
验证服务操作1.提供管理项目凭据。 2.验证代理的存在和操作: [backcolor=rgb(245, 245, 245) !important][url=][/url]
; K# p8 Z& }9 t5 H. A% I6 R$ neutron agent-list+--------------------------------------+--------------------+----------+-------+----------------+---------------------------+| id | agent_type | host | alive | admin_state_up | binary |+--------------------------------------+--------------------+----------+-------+----------------+---------------------------+| 0bfe5b5d-0b82-434e-b8a0-524cc18da3a4 | DHCP agent | network1 | :-) | True | neutron-dhcp-agent || 25224bd5-0905-4ec9-9f2d-3b17cdaf5650 | Open vSwitch agent | compute2 | :-) | True | neutron-openvswitch-agent || 29afe014-273d-42f3-ad71-8a226e40dea6 | L3 agent | network1 | :-) | True | neutron-l3-agent || 3bed5093-e46c-4b0f-9460-3309c62254a3 | DHCP agent | network2 | :-) | True | neutron-dhcp-agent || 54aefb1c-35f7-4ebf-a848-3bb4fe81dcf7 | Open vSwitch agent | network1 | :-) | True | neutron-openvswitch-agent || 91c9cc03-1678-4d7a-b0a7-fa1ac24e5516 | Open vSwitch agent | compute1 | :-) | True | neutron-openvswitch-agent || ac7b3f77-7e4d-47a6-9dbd-3358cfb67b61 | Open vSwitch agent | network2 | :-) | True | neutron-openvswitch-agent || ceef5c49-3148-4c39-9e15-4985fc995113 | Metadata agent | network1 | :-) | True | neutron-metadata-agent || d27ac19b-fb4d-4fec-b81d-e8c65557b6ec | L3 agent | network2 | :-) | True | neutron-l3-agent || f072a1ec-f842-4223-a6b6-ec725419be85 | Metadata agent | network2 | :-) | True | neutron-metadata-agent |+--------------------------------------+--------------------+----------+-------+----------------+---------------------------+[backcolor=rgb(245, 245, 245) !important][url=][/url]4 F! c1 g' w- R) O6 ^
0 I9 u8 |' A" l5 S3 i" c: A( z
4 @5 r1 Y$ ?: q( s7 M) e创建初始网络% M1 }3 u. K$ \: r' B
这个示例创建了一个flat外部网络和一个VXLAN项目网络。
: |$ r( ~1 S% T, A0 D5 F+ [5 v3 Z
1.提供管理项目凭据。1 B3 L* Y5 p3 e3 {! x# l
3 z5 P' s; d J' @* }$ r
2.创建外部网络: ( z! ~, b" R1 C. k3 z
[backcolor=rgb(245, 245, 245) !important][url=][/url]
8 Y; R- ]# E; y4 N$ neutron net-create ext-net --router:external True \ --provider:physical_network external --provider:network_type flatCreated a new network:+---------------------------+--------------------------------------+| Field | Value |+---------------------------+--------------------------------------+| admin_state_up | True || id | 5266fcbc-d429-4b21-8544-6170d1691826 || name | ext-net || provider:network_type | flat || provider:physical_network | external || provider:segmentation_id | || router:external | True || shared | False || status | ACTIVE || subnets | || tenant_id | 96393622940e47728b6dcdb2ef405f50 |+---------------------------+--------------------------------------+[backcolor=rgb(245, 245, 245) !important][url=][/url]
$ {3 R6 K9 r* Y7 ?! t$ R q' {- ]5 X2 S: S2 Y
( g+ }' i. g- r4 y$ }3.在外部网络上创建子网:
4 [4 D$ }& |3 D* q. I3 v[backcolor=rgb(245, 245, 245) !important][url=][/url]
. n$ n* d! r: X7 C" Y. m9 j0 G$ neutron subnet-create ext-net 203.0.113.0/24 --name ext-subnet \ --allocation-pool start=203.0.113.101,end=203.0.113.200 \ --disable-dhcp --gateway 203.0.113.1Created a new subnet:+-------------------+----------------------------------------------------+| Field | Value |+-------------------+----------------------------------------------------+| allocation_pools | {"start": "203.0.113.101", "end": "203.0.113.200"} || cidr | 203.0.113.0/24 || dns_nameservers | || enable_dhcp | False || gateway_ip | 203.0.113.1 || host_routes | || id | b32e0efc-8cc3-43ff-9899-873b94df0db1 || ip_version | 4 || ipv6_address_mode | || ipv6_ra_mode | || name | ext-subnet || network_id | 5266fcbc-d429-4b21-8544-6170d1691826 || tenant_id | 96393622940e47728b6dcdb2ef405f50 |+-------------------+----------------------------------------------------+[backcolor=rgb(245, 245, 245) !important][url=][/url]
( I- n7 x+ _+ y! B, r6 M7 q. j) F, p+ ?" A
# l3 T0 l+ D5 T, z请注意:7 p1 Q5 ^) n6 D2 h3 @& |
- T1 g, i! }2 K
示例配置包含vlan作为第一个项目网络类型。只有管理用户才能创建其他类型的网络,比如GRE或VXLAN。下面的命令使用admin项目凭证创建一个VXLAN项目网络。% e, s. ^9 n, w3 ~. O2 S. s) E. D
0 q* ~( C, ]6 o1.获得常规项目的ID。例如使用demo项目: 9 V7 e7 U5 i R# l
[backcolor=rgb(245, 245, 245) !important][url=][/url]
, X1 {- e4 W# I, a$ openstack project show demo+-------------+----------------------------------+| Field | Value |+-------------+----------------------------------+| description | Demo Tenant || enabled | True || id | 443cd1596b2e46d49965750771ebbfe1 || name | demo |+-------------+----------------------------------+[backcolor=rgb(245, 245, 245) !important][url=][/url]' ^/ O) Q$ V( `& H$ K2 h4 R) d* Q
1 B' ?* |3 Q( X4 X
* A3 K. J( A# p- E% v5 X8 H5 w+ |5 t% {
2.创建项目网络: ) c1 S$ e& R) a2 Z, z% T
[backcolor=rgb(245, 245, 245) !important][url=][/url]
h! d9 c+ m6 D- B: c" l$ neutron net-create demo-net \ --tenant-id 443cd1596b2e46d49965750771ebbfe1 \ --provider:network_type vxlanCreated a new network:+---------------------------+--------------------------------------+| Field | Value |+---------------------------+--------------------------------------+| admin_state_up | True || id | 7ac9a268-1ddd-453f-857b-0fd9552b645f || name | demo-net || provider:network_type | vxlan || provider:physical_network | || provider:segmentation_id | 1 || router:external | False || shared | False || status | ACTIVE || subnets | || tenant_id | 443cd1596b2e46d49965750771ebbfe1 |+---------------------------+--------------------------------------+[backcolor=rgb(245, 245, 245) !important][url=][/url]; ~# | L1 \5 U* K1 c
0 N3 V* I5 C1 o+ q; h n2 X1 M* c
: b, [* K2 E: k s0 l* f3 r
3.提供常规项目凭证。下面的步骤使用demo项目。 4.在项目网络上创建子网:
4 C" v/ O x) | e[backcolor=rgb(245, 245, 245) !important][url=][/url]5 i0 I0 g) z) z, S- v. p
$ neutron subnet-create demo-net 192.168.1.0/24 --name demo-subnet \ --gateway 192.168.1.1Created a new subnet:+-------------------+--------------------------------------------------+| Field | Value |+-------------------+--------------------------------------------------+| allocation_pools | {"start": "192.168.1.2", "end": "192.168.1.254"} || cidr | 192.168.1.0/24 || dns_nameservers | || enable_dhcp | True || gateway_ip | 192.168.1.1 || host_routes | || id | 2945790c-5999-4693-b8e7-50a9fc7f46f5 || ip_version | 4 || ipv6_address_mode | || ipv6_ra_mode | || name | demo-subnet || network_id | 7ac9a268-1ddd-453f-857b-0fd9552b645f || tenant_id | 443cd1596b2e46d49965750771ebbfe1 |+-------------------+--------------------------------------------------+[backcolor=rgb(245, 245, 245) !important][url=][/url]1 q( |& @- e3 [: C9 M
# W- g; T2 A5 y" p9 D
" E6 s, B/ g* G5.创建一个项目路由器:
- ~: }1 V, \+ m[backcolor=rgb(245, 245, 245) !important][url=][/url]( c! \& W$ W6 z! u6 G# `
$ neutron router-create demo-routerCreated a new router:+-----------------------+--------------------------------------+| Field | Value |+-----------------------+--------------------------------------+| admin_state_up | True || distributed | False || external_gateway_info | || ha | True || id | 7a46dba8-8846-498c-9e10-588664558473 || name | demo-router || routes | || status | ACTIVE || tenant_id | 443cd1596b2e46d49965750771ebbfe1 |+-----------------------+--------------------------------------+[backcolor=rgb(245, 245, 245) !important][url=][/url]$ W5 b* f6 _+ z4 Y) h9 R z
/ t6 a; i7 _: Y3 p) j( T$ \
1 |" v, ]1 h: A+ i注意:默认policy.json文件只允许管理项目在路由器创建期间启用/禁用HA,并查看路由器的HA标志。
6 {: \$ n& }( V" s+ l r6.在路由器上添加项目子网作为接口: $ neutron router-interface-add demo-router demo-subnetAdded interface 8de3e172-5317-4c87-bdc1-f69e359de92e to router demo-router.0 ]: {" N- Q& H" i5 t5 V# V5 A
2 b6 [% k3 u. _* H2 x" t2 r; p7.在路由器上添加一个通向外部网络的网关:
5 F+ @" r, m3 U" U8 L$ neutron router-gateway-set demo-router ext-netSet gateway for router demo-router
) W7 E+ t ~9 ]# V! S7 ^; B8 t& i1 F Z/ m
验证网络操作
1 J, l3 T5 k, B7 d% D- A4 [1.提供管理项目凭据。
% @% i9 l& D0 S% c3 F6 P7 A
0 o3 \0 F9 C: l1 M' W8 h5 z2.在控制器节点上,验证HA网络的创建:
[backcolor=rgb(245, 245, 245) !important][url=][/url]
! `5 R- _ J* \& h: `$ p$ neutron net-list+--------------------------------------+----------------------------------------------------+-------------------------------------------------------+| id | name | subnets |+--------------------------------------+----------------------------------------------------+-------------------------------------------------------+| 5266fcbc-d429-4b21-8544-6170d1691826 | ext-net | b32e0efc-8cc3-43ff-9899-873b94df0db1 203.0.113.0/24 || e029b568-0fd7-4d10-bb16-f9e014811d10 | HA network tenant 443cd1596b2e46d49965750771ebbfe1 | ee30083f-eb4c-41ea-8937-1bae65740af4 169.254.192.0/18 || 7ac9a268-1ddd-453f-857b-0fd9552b645f | demo-net | 2945790c-5999-4693-b8e7-50a9fc7f46f5 192.168.1.0/24 |+--------------------------------------+----------------------------------------------------+-------------------------------------------------------+[backcolor=rgb(245, 245, 245) !important][url=][/url]) v$ Y/ j/ t% q6 M! |; b
- a- [. y# T* |2 Y1 ?
5 S& s* H2 {5 Y; [* n- u" d2 n3.在控制器节点上,在多个网络节点上验证路由器的创建: . Q; }9 f8 X! h: w1 r7 W$ s
[backcolor=rgb(245, 245, 245) !important][url=][/url]
+ e% l: r! @. O2 d q$ neutron l3-agent-list-hosting-router demo-router+--------------------------------------+----------+----------------+-------+----------+| id | host | admin_state_up | alive | ha_state |+--------------------------------------+----------+----------------+-------+----------+| 29afe014-273d-42f3-ad71-8a226e40dea6 | network1 | True | :-) | active || d27ac19b-fb4d-4fec-b81d-e8c65557b6ec | network2 | True | :-) | standby |+--------------------------------------+----------+----------------+-------+----------+[backcolor=rgb(245, 245, 245) !important][url=][/url]- { x; p' U8 E3 ~( j$ }
% q' @ P9 w2 _% D
. r w) ~1 h, H' o% V
注意:老版本的python - neutronclient不支持ha_state字段。
0 i# ~" w9 n' h3 N/ k& d4.在控制器节点上,在demo - router路由器上验证HA端口的创建: [backcolor=rgb(245, 245, 245) !important][url=][/url]6 `! ~9 B1 ^9 T' ?. h2 o
$ neutron router-port-list demo-router+--------------------------------------+-------------------------------------------------+-------------------+----------------------------------------------------------------------------------------+| id | name | mac_address | fixed_ips |+--------------------------------------+-------------------------------------------------+-------------------+----------------------------------------------------------------------------------------+| 255d2e4b-33ba-4166-a13f-6531122641fe | HA port tenant 443cd1596b2e46d49965750771ebbfe1 | fa:16:3e:25:05:d7 | {"subnet_id": "8e8e4c7d-fa38-417d-a4e3-03ee5ab5493c", "ip_address": "169.254.192.1"} || 374587d7-2acd-4156-8993-4294f788b55e | | fa:16:3e:82:a0:59 | {"subnet_id": "b32e0efc-8cc3-43ff-9899-873b94df0db1", "ip_address": "203.0.113.101"} || 8de3e172-5317-4c87-bdc1-f69e359de92e | | fa:16:3e:10:9f:f6 | {"subnet_id": "2945790c-5999-4693-b8e7-50a9fc7f46f5", "ip_address": "192.168.1.1"} || 90d1a59f-b122-459d-a94a-162a104de629 | HA port tenant 443cd1596b2e46d49965750771ebbfe1 | fa:16:3e:ae:3b:22 | {"subnet_id": "8e8e4c7d-fa38-417d-a4e3-03ee5ab5493c", "ip_address": "169.254.192.2"} |+--------------------------------------+-------------------------------------------------+-------------------+----------------------------------------------------------------------------------------+[backcolor=rgb(245, 245, 245) !important][url=][/url]2 M( E* l7 P3 _% a# M! x D) u
9 B7 _( R3 n. J' W: h% h6 y
- Q, g) W6 m0 Z2 ?3 F) P
9 v$ W: l/ q n9 w! ~' I4 {
5.在网络节点上,验证qrouter和qdhcp名称空间的创建:
7 [5 l1 n! X: M2 a[backcolor=rgb(245, 245, 245) !important][url=][/url]! q5 |. ~6 L; `; @! Z
网络节点1:$ ip netnsqrouter-7a46dba8-8846-498c-9e10-588664558473网络节点2:$ ip netnsqrouter-7a46dba8-8846-498c-9e10-588664558473[backcolor=rgb(245, 245, 245) !important][url=][/url]
m% H) ?4 \( Y$ u. x
( B) P) N# g6 r) n% J两个qrouter名称空间都应该使用相同的UUID。 ( M% ^3 z+ S* v/ B( p5 F1 p$ f
请注意
+ ]6 E/ r; y# ], d3 Q0 ^: p2 r( ^; T+ m0 j, \- E4 Z4 ]% L
在启动实例之前,qdhcp名称空间可能不存在。- W# L% v- K/ X" S! z8 Z: t& c, ]
2 P& i$ t: ]" K( u; l6.在网络节点上,验证HA操作: 网络节点1:[backcolor=rgb(245, 245, 245) !important][url=][/url]( \* o8 s% d! j- k+ o5 r
网络节点1:$ ip netns exec qrouter-7a46dba8-8846-498c-9e10-588664558473 ip addr show11: ha-255d2e4b-33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default link/ether fa:16:3e:25:05:d7 brd ff:ff:ff:ff:ff:ff inet 169.254.192.1/18 brd 169.254.255.255 scope global ha-255d2e4b-33 valid_lft forever preferred_lft forever inet6 fe80::f816:3eff:fe25:5d7/64 scope link valid_lft forever preferred_lft forever12: qr-8de3e172-53: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default link/ether fa:16:3e:10:9f:f6 brd ff:ff:ff:ff:ff:ff inet 192.168.1.1/24 scope global qr-8de3e172-53 valid_lft forever preferred_lft forever inet6 fe80::f816:3eff:fe10:9ff6/64 scope link valid_lft forever preferred_lft forever13: qg-374587d7-2a: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default link/ether fa:16:3e:82:a0:59 brd ff:ff:ff:ff:ff:ff inet 203.0.113.101/24 scope global qg-374587d7-2a valid_lft forever preferred_lft forever inet6 fe80::f816:3eff:fe82:a059/64 scope link valid_lft forever preferred_lft forever[backcolor=rgb(245, 245, 245) !important][url=][/url]
% J H5 F2 t, }" J& }/ t, l5 Z6 F# U. Q6 B* d; I# a' D( u
4 h7 Q, _. R4 b, P" u
网络节点2:
2 k9 h: @! \7 }/ c4 ?+ _- `7 U5 V8 E8 x[backcolor=rgb(245, 245, 245) !important][url=][/url]8 p4 ]6 O& r5 Z. [$ T8 w6 c
$ ip netns exec qrouter-7a46dba8-8846-498c-9e10-588664558473 ip addr show11: ha-90d1a59f-b1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default link/ether fa:16:3e:ae:3b:22 brd ff:ff:ff:ff:ff:ff inet 169.254.192.2/18 brd 169.254.255.255 scope global ha-90d1a59f-b1 valid_lft forever preferred_lft forever inet6 fe80::f816:3eff:feae:3b22/64 scope link valid_lft forever preferred_lft forever12: qr-8de3e172-53: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default link/ether fa:16:3e:10:9f:f6 brd ff:ff:ff:ff:ff:ff inet6 fe80::f816:3eff:fe10:9ff6/64 scope link valid_lft forever preferred_lft forever13: qg-374587d7-2a: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default link/ether fa:16:3e:82:a0:59 brd ff:ff:ff:ff:ff:ff inet6 fe80::f816:3eff:fe82:a059/64 scope link valid_lft forever preferred_lft forever[backcolor=rgb(245, 245, 245) !important][url=][/url]: o$ C. k7 T) [/ q6 j- B
0 H, h1 w% D( d在每个网络节点上,qrouter命名空间应该包括ha、qr和qg接口。在主节点上,qr接口包含项目网络网关IP地址,qg接口包含外部网络上的项目路由器IP地址。在备份节点上,qr和qg接口不应该包含IP地址。在这两个节点上,ha接口应该在169.254.192.0 / 18范围内包含唯一的IP地址。
5 }: L* R2 e' [: S2 C' x7.在网络节点上,在适当的网络接口上从主节点HA接口IP地址验证VRRP advertisements : & r1 b8 N+ n6 Z' N! p
网络节点1: [backcolor=rgb(245, 245, 245) !important][url=][/url]( y4 h Y# r. ^- G; M! O) R
$ tcpdump -lnpi eth116:50:16.857294 IP 169.254.192.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 50, authtype none, intvl 2s, length 2016:50:18.858436 IP 169.254.192.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 50, authtype none, intvl 2s, length 2016:50:20.859677 IP 169.254.192.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 50, authtype none, intvl 2s, length 20[backcolor=rgb(245, 245, 245) !important][url=][/url]# F. r# w: a/ W$ ^
) e! v/ C( f5 U0 L G2 D4 b
0 B* v2 }' c" Q. a" K网络节点2: [backcolor=rgb(245, 245, 245) !important][url=][/url]) v# T3 T! X5 I5 T: D7 X1 G
$ tcpdump -lnpi eth116:51:44.911640 IP 169.254.192.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 50, authtype none, intvl 2s, length 2016:51:46.912591 IP 169.254.192.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 50, authtype none, intvl 2s, length 2016:51:48.913900 IP 169.254.192.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 50, authtype none, intvl 2s, length 20[backcolor=rgb(245, 245, 245) !important][url=][/url]! w; u! [) t& Y3 t
" C6 g, T' a* J* s+ x
, K8 U. b' R& e# E7 h4 Q4 `示例输出使用网络接口eth1。 9 W- M: F' `$ d3 b0 O' G6 b
6 C. I7 X; X, z6 I8.在路由器上确定项目网络的外部网络网关IP地址,通常是外部子网IP分配范围内的最低IP地址: [backcolor=rgb(245, 245, 245) !important][url=][/url]
8 J6 K$ s" z* ~2 q7 e+ w$ neutron router-port-list demo-router+--------------------------------------+-------------------------------------------------+-------------------+----------------------------------------------------------------------------------------+| id | name | mac_address | fixed_ips |+--------------------------------------+-------------------------------------------------+-------------------+----------------------------------------------------------------------------------------+| 255d2e4b-33ba-4166-a13f-6531122641fe | HA port tenant 443cd1596b2e46d49965750771ebbfe1 | fa:16:3e:25:05:d7 | {"subnet_id": "8e8e4c7d-fa38-417d-a4e3-03ee5ab5493c", "ip_address": "169.254.192.1"} || 374587d7-2acd-4156-8993-4294f788b55e | | fa:16:3e:82:a0:59 | {"subnet_id": "b32e0efc-8cc3-43ff-9899-873b94df0db1", "ip_address": "203.0.113.101"} || 8de3e172-5317-4c87-bdc1-f69e359de92e | | fa:16:3e:10:9f:f6 | {"subnet_id": "2945790c-5999-4693-b8e7-50a9fc7f46f5", "ip_address": "192.168.1.1"} || 90d1a59f-b122-459d-a94a-162a104de629 | HA port tenant 443cd1596b2e46d49965750771ebbfe1 | fa:16:3e:ae:3b:22 | {"subnet_id": "8e8e4c7d-fa38-417d-a4e3-03ee5ab5493c", "ip_address": "169.254.192.2"} |+--------------------------------------+-------------------------------------------------+-------------------+----------------------------------------------------------------------------------------+[backcolor=rgb(245, 245, 245) !important][url=][/url]) t3 O9 Z7 n! P' y3 W0 w' ]8 S
$ E0 m( E: }5 {( K; a9 B
! X0 M9 P; ], T* g3 ]
! E* R# j% m* H* n, K8 ?% Y! {; F! i
9.在控制器节点或任何有访问外部网络的主机上,在项目路由器上ping外部网络网关IP地址: [backcolor=rgb(245, 245, 245) !important][url=][/url]
# y3 y0 A- w" G* @$ ping -c 4 203.0.113.101PING 203.0.113.101 (203.0.113.101) 56(84) bytes of data.64 bytes from 203.0.113.101: icmp_req=1 ttl=64 time=0.619 ms64 bytes from 203.0.113.101: icmp_req=2 ttl=64 time=0.189 ms64 bytes from 203.0.113.101: icmp_req=3 ttl=64 time=0.165 ms64 bytes from 203.0.113.101: icmp_req=4 ttl=64 time=0.216 ms--- 203.0.113.101 ping statistics ---4 packets transmitted, 4 received, 0% packet loss, time 2999msrtt min/avg/max/mdev = 0.165/0.297/0.619/0.187 ms[backcolor=rgb(245, 245, 245) !important][url=][/url]( T" ~9 k4 H2 G: u( f; @# B
7 ^' d2 J7 n2 X1 B; |/ o: Q& M& B- q+ R9 Z1 H
g( D4 u' f: A+ t8 L/ d1 f10.提供常规项目凭证。下面的步骤使用演示项目。& k- ]5 Q. [; ~2 e
- P9 r% [* Y) g4 X# ^) U+ _
11.创建适当的安全组规则,允许ping和SSH访问实例。例如: [backcolor=rgb(245, 245, 245) !important][url=][/url]
. Y$ H9 ~9 y$ e( R, |! m& ?# q$ nova secgroup-add-rule default icmp -1 -1 0.0.0.0/0+-------------+-----------+---------+-----------+--------------+| IP Protocol | From Port | To Port | IP Range | Source Group |+-------------+-----------+---------+-----------+--------------+| icmp | -1 | -1 | 0.0.0.0/0 | |+-------------+-----------+---------+-----------+--------------+$ nova secgroup-add-rule default tcp 22 22 0.0.0.0/0+-------------+-----------+---------+-----------+--------------+| IP Protocol | From Port | To Port | IP Range | Source Group |+-------------+-----------+---------+-----------+--------------+| tcp | 22 | 22 | 0.0.0.0/0 | |+-------------+-----------+---------+-----------+--------------+[backcolor=rgb(245, 245, 245) !important][url=][/url]0 e/ l$ J8 t6 O1 t" ^
, E3 Y& q+ E% k0 I4 `6 S5 B) g
9 ^+ h4 J& ?' Q: j& o$ F12.在项目网络上启动一个具有接口的实例。例如,使用现有的CirrOS镜像: 6 o( _9 q+ Y" j t
[backcolor=rgb(245, 245, 245) !important][url=][/url]
. Z" s5 K' [' @) B( ~ {4 S* a& C$ nova boot --flavor m1.tiny --image cirros \ --nic net-id=7ac9a268-1ddd-453f-857b-0fd9552b645f demo-instance1+--------------------------------------+-----------------------------------------------+| Property | Value |+--------------------------------------+-----------------------------------------------+| OS-DCF:diskConfig | MANUAL || OS-EXT-AZ:availability_zone | nova || OS-EXT-STS:power_state | 0 || OS-EXT-STS:task_state | scheduling || OS-EXT-STS:vm_state | building || OS-SRV-USG:launched_at | - || OS-SRV-USG:terminated_at | - || accessIPv4 | || accessIPv6 | || adminPass | Z3uAd2utPUNu || config_drive | || created | 2015-08-10T15:06:24Z || flavor | m1.tiny (1) || hostId | || id | 77149598-c839-400f-b948-db6993f0b40b || image | cirros (125733d9-8d37-4d70-9a64-1c989cfa8e9c) || key_name | || metadata | {} || name | demo-instance1 || os-extended-volumes:volumes_attached | [] || progress | 0 || security_groups | default || status | BUILD || tenant_id | 443cd1596b2e46d49965750771ebbfe1 || updated | 2015-08-10T15:06:25Z || user_id | bdd4e165bdf94b258ddd4856340ed01c |+--------------------------------------+-----------------------------------------------+[backcolor=rgb(245, 245, 245) !important][url=][/url]9 q; R4 v' l8 {9 c, Y. |3 h! f5 N
% y. p9 p/ E+ C/ N( y
5 x+ b U% l! i) [0 K% S13.获得对实例的控制台访问。 [backcolor=rgb(245, 245, 245) !important][url=][/url]
$ B4 y+ @( {# y# h# S O. V- \9 a- X* u7 P" T
1.测试连接到项目路由器:$ ping -c 4 192.168.1.1PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.64 bytes from 192.168.1.1: icmp_req=1 ttl=64 time=0.357 ms64 bytes from 192.168.1.1: icmp_req=2 ttl=64 time=0.473 ms64 bytes from 192.168.1.1: icmp_req=3 ttl=64 time=0.504 ms64 bytes from 192.168.1.1: icmp_req=4 ttl=64 time=0.470 ms--- 192.168.1.1 ping statistics ---4 packets transmitted, 4 received, 0% packet loss, time 2998msrtt min/avg/max/mdev = 0.357/0.451/0.504/0.055 ms2.测试连接到互联网:$ ping -c 4 openstack.orgPING openstack.org (174.143.194.225) 56(84) bytes of data.64 bytes from 174.143.194.225: icmp_req=1 ttl=53 time=17.4 ms64 bytes from 174.143.194.225: icmp_req=2 ttl=53 time=17.5 ms64 bytes from 174.143.194.225: icmp_req=3 ttl=53 time=17.7 ms64 bytes from 174.143.194.225: icmp_req=4 ttl=53 time=17.5 ms--- openstack.org ping statistics ---4 packets transmitted, 4 received, 0% packet loss, time 3003msrtt min/avg/max/mdev = 17.431/17.575/17.734/0.143 ms
3 b; b# E1 M* D' w1 t+ y: [[backcolor=rgb(245, 245, 245) !important][url=][/url]
2 P7 B( M( H0 R& T/ }7 M
: f. Q% w7 b, Z$ M& s7 }: q1 F& B9 t# z! a& `! S7 A6 k
14.在外部网络上创建浮动IP地址: [backcolor=rgb(245, 245, 245) !important][url=][/url]2 I- c. J( S; M$ H, w
$ neutron floatingip-create ext-netCreated a new floatingip:+---------------------+--------------------------------------+| Field | Value |+---------------------+--------------------------------------+| fixed_ip_address | || floating_ip_address | 203.0.113.102 || floating_network_id | 5266fcbc-d429-4b21-8544-6170d1691826 || id | 20a6b5dd-1c5c-460e-8a81-8b5cf1739307 || port_id | || router_id | || status | DOWN || tenant_id | 443cd1596b2e46d49965750771ebbfe1 |+---------------------+--------------------------------------+[backcolor=rgb(245, 245, 245) !important][url=][/url]
3 D6 F3 m5 u. n/ C! i9 @' K8 { e8 G( g C: K2 P% t
, F6 X) \0 x& T) a% ~0 ~15.将浮动IP地址与实例关联: $ nova floating-ip-associate demo-instance1 203.0.113.102
5 y% m% V* }4 U7 R* V2 U c" f( H8 @" C6 b
16.验证添加到实例的浮动IP地址: [backcolor=rgb(245, 245, 245) !important][url=][/url]% U! f3 j% a0 o6 s' k5 k
$ nova list+--------------------------------------+----------------+--------+------------+-------------+-----------------------------------------+| ID | Name | Status | Task State | Power State | Networks |+--------------------------------------+----------------+--------+------------+-------------+-----------------------------------------+| 77149598-c839-400f-b948-db6993f0b40b | demo-instance1 | ACTIVE | - | Running | demo-net=192.168.1.3, 203.0.113.102 |+--------------------------------------+----------------+--------+------------+-------------+-----------------------------------------+[backcolor=rgb(245, 245, 245) !important][url=][/url]% Y. `0 d- O4 c* I3 o& f2 w6 K
3 S" }, g. \9 x
9 Q |: k; @1 G( a/ M5 I9 s
17.在控制器节点或任何访问外部网络的主机上,ping与实例关联的浮动IP地址:
/ Q! Q: U( Z7 K1 v[backcolor=rgb(245, 245, 245) !important][url=][/url]
* M1 q, g3 [$ m; D# j, q1 z2 I" u/ l$ ping -c 4 203.0.113.102PING 203.0.113.102 (203.0.113.112) 56(84) bytes of data.64 bytes from 203.0.113.102: icmp_req=1 ttl=63 time=3.18 ms64 bytes from 203.0.113.102: icmp_req=2 ttl=63 time=0.981 ms64 bytes from 203.0.113.102: icmp_req=3 ttl=63 time=1.06 ms64 bytes from 203.0.113.102: icmp_req=4 ttl=63 time=0.929 ms--- 203.0.113.102 ping statistics ---4 packets transmitted, 4 received, 0% packet loss, time 3002msrtt min/avg/max/mdev = 0.929/1.539/3.183/0.951 ms
" V, u/ P1 C) |9 g$ s0 g% t' D |
发表于 2021-6-25 11:21:40
