|
|
[1] Change settings on Control Node.
[root@dlp ~(keystone)]# vi /etc/neutron/plugins/ml2/ml2_conf.ini
# add a value to [tenant_network_types]
[ml2]
type_drivers = flat,vlan,gre,vxlan
tenant_network_types = vxlan
# add to the end
[ml2_type_flat]
flat_networks = physnet1
[ml2_type_vxlan]
vni_ranges = 1:1000
[root@dlp ~(keystone)]# systemctl restart neutron-server
[2] Change settings on Network Node.
# add bridge
[root@network ~]# ovs-vsctl add-br br-eth1
# add [eth1] as a port of the bridge above
# replace the interface name [eth1] with the one used in your own environment
[root@network ~]# ovs-vsctl add-port br-eth1 eth1
[root@network ~]# vi /etc/neutron/plugins/ml2/ml2_conf.ini
# add a value to [tenant_network_types]
[ml2]
type_drivers = flat,vlan,gre,vxlan
tenant_network_types = vxlan
# add to the end
[ml2_type_flat]
flat_networks = physnet1
[ml2_type_vxlan]
vni_ranges = 1:1000
[root@network ~]# vi /etc/neutron/plugins/ml2/openvswitch_agent.ini
# add to the end
[agent]
tunnel_types = vxlan
# ARP-spoofing protection is governed by the port_security extension in current
# Neutron releases; [prevent_arp_spoofing] is a legacy option that newer agents
# may ignore, so keep [port_security_enabled] on tenant networks (see [5])
# rather than relying on this line alone
prevent_arp_spoofing = True
[ovs]
# specify IP address of this host for [local_ip] (the VXLAN tunnel endpoint)
local_ip = 10.0.0.50
bridge_mappings = physnet1:br-eth1
[root@network ~]# systemctl restart neutron-dhcp-agent neutron-l3-agent neutron-metadata-agent neutron-openvswitch-agent
# if Firewalld is running, allow VXLAN port
# VXLAN (UDP 4789) carries tenant traffic with no authentication or encryption,
# so prefer opening it only to the tunnel-endpoint subnet used for [local_ip]
# (10.0.0.0/24 in this example) instead of to every source, e.g.
# firewall-cmd --add-rich-rule='rule family="ipv4" source address="10.0.0.0/24" port port="4789" protocol="udp" accept'
[root@network ~]# firewall-cmd --add-port=4789/udp
[root@network ~]# firewall-cmd --runtime-to-permanent
[3] Change settings on Compute Node.
[root@node01 ~]# vi /etc/neutron/plugins/ml2/ml2_conf.ini
# add a value to [tenant_network_types]
[ml2]
type_drivers = flat,vlan,gre,vxlan
tenant_network_types = vxlan
# add to the end
[ml2_type_flat]
flat_networks = physnet1
[ml2_type_vxlan]
vni_ranges = 1:1000
[root@node01 ~]# vi /etc/neutron/plugins/ml2/openvswitch_agent.ini
# add to the end
[agent]
tunnel_types = vxlan
# legacy option; ARP-spoofing protection is tied to port_security on current
# releases and newer agents may ignore this line (see the note in [2])
prevent_arp_spoofing = True
[ovs]
# specify IP address of this host for [local_ip] (the VXLAN tunnel endpoint)
local_ip = 10.0.0.51
[root@node01 ~]# systemctl restart neutron-openvswitch-agent
# if Firewalld is running, allow VXLAN port
# as on the Network Node, restrict UDP 4789 to the tunnel-endpoint subnet
# (10.0.0.0/24 here) with a rich rule rather than opening it to every source
[root@node01 ~]# firewall-cmd --add-port=4789/udp
[root@node01 ~]# firewall-cmd --runtime-to-permanent
[4] Create a virtual router. This can be done on any node (this example runs on the Control Node).
[root@dlp ~(keystone)]# openstack router create router01
+-------------------------+--------------------------------------+
| Field | Value |
+-------------------------+--------------------------------------+
| admin_state_up | UP |
| availability_zone_hints | |
| availability_zones | |
| created_at | 2022-05-31T09:59:08Z |
| description | |
| distributed | False |
| external_gateway_info | null |
| flavor_id | None |
| ha | False |
| id | 0ed5c019-30e0-4e45-8ed5-f5df12dedeb0 |
| name | router01 |
| project_id | 0609d3b3b398456187fb705ec9224c4a |
| revision_number | 1 |
| routes | |
| status | ACTIVE |
| tags | |
| updated_at | 2022-05-31T09:59:08Z |
+-------------------------+--------------------------------------+
[5] Create the internal network and attach it to the router above.
# create internal network
[root@dlp ~(keystone)]# openstack network create private --provider-network-type vxlan
+---------------------------+--------------------------------------+
| Field | Value |
+---------------------------+--------------------------------------+
| admin_state_up | UP |
| availability_zone_hints | |
| availability_zones | |
| created_at | 2022-05-31T09:59:43Z |
| description | |
| dns_domain | None |
| id | 032d3ae8-1c54-4f0c-bb64-10967d5630ff |
| ipv4_address_scope | None |
| ipv6_address_scope | None |
| is_default | False |
| is_vlan_transparent | None |
| mtu | 1450 |
| name | private |
| port_security_enabled | True |
| project_id | 0609d3b3b398456187fb705ec9224c4a |
| provider:network_type | vxlan |
| provider:physical_network | None |
| provider:segmentation_id | 423 |
| qos_policy_id | None |
| revision_number | 1 |
| router:external | Internal |
| segments | None |
| shared | False |
| status | ACTIVE |
| subnets | |
| tags | |
| updated_at | 2022-05-31T09:59:43Z |
+---------------------------+--------------------------------------+
# [port_security_enabled] is True above: this is what enforces per-port
# MAC/IP anti-spoofing and security groups on this network, so leave it on
# create subnet in the internal network
[root@dlp ~(keystone)]# openstack subnet create private-subnet --network private \
--subnet-range 192.168.100.0/24 --gateway 192.168.100.1 \
--dns-nameserver 10.0.0.10
+----------------------+--------------------------------------+
| Field | Value |
+----------------------+--------------------------------------+
| allocation_pools | 192.168.100.2-192.168.100.254 |
| cidr | 192.168.100.0/24 |
| created_at | 2022-05-31T10:00:30Z |
| description | |
| dns_nameservers | 10.0.0.10 |
| dns_publish_fixed_ip | None |
| enable_dhcp | True |
| gateway_ip | 192.168.100.1 |
| host_routes | |
| id | 57454e98-d4c2-40b2-b0ee-d1ec340e9001 |
| ip_version | 4 |
| ipv6_address_mode | None |
| ipv6_ra_mode | None |
| name | private-subnet |
| network_id | 032d3ae8-1c54-4f0c-bb64-10967d5630ff |
| project_id | 0609d3b3b398456187fb705ec9224c4a |
| revision_number | 0 |
| segment_id | None |
| service_types | |
| subnetpool_id | None |
| tags | |
| updated_at | 2022-05-31T10:00:30Z |
+----------------------+--------------------------------------+
# attach the internal subnet to the router above
[root@dlp ~(keystone)]# openstack router add subnet router01 private-subnet
[6] Create the external network and set it as the gateway of the router above.
# create external network
[root@dlp ~(keystone)]# openstack network create \
--provider-physical-network physnet1 \
--provider-network-type flat --external public
+---------------------------+--------------------------------------+
| Field | Value |
+---------------------------+--------------------------------------+
| admin_state_up | UP |
| availability_zone_hints | |
| availability_zones | |
| created_at | 2022-05-31T10:01:17Z |
| description | |
| dns_domain | None |
| id | fb890e9b-623d-447e-bdfc-d73ecaa619e8 |
| ipv4_address_scope | None |
| ipv6_address_scope | None |
| is_default | False |
| is_vlan_transparent | None |
| mtu | 1500 |
| name | public |
| port_security_enabled | True |
| project_id | 0609d3b3b398456187fb705ec9224c4a |
| provider:network_type | flat |
| provider:physical_network | physnet1 |
| provider:segmentation_id | None |
| qos_policy_id | None |
| revision_number | 1 |
| router:external | External |
| segments | None |
| shared | False |
| status | ACTIVE |
| subnets | |
| tags | |
| updated_at | 2022-05-31T10:01:17Z |
+---------------------------+--------------------------------------+
# create subnet in the external network
[root@dlp ~(keystone)]# openstack subnet create public-subnet \
--network public --subnet-range 10.0.0.0/24 \
--allocation-pool start=10.0.0.200,end=10.0.0.254 \
--gateway 10.0.0.1 --dns-nameserver 10.0.0.10 --no-dhcp
+----------------------+--------------------------------------+
| Field | Value |
+----------------------+--------------------------------------+
| allocation_pools | 10.0.0.200-10.0.0.254 |
| cidr | 10.0.0.0/24 |
| created_at | 2022-05-31T10:01:44Z |
| description | |
| dns_nameservers | 10.0.0.10 |
| dns_publish_fixed_ip | None |
| enable_dhcp | False |
| gateway_ip | 10.0.0.1 |
| host_routes | |
| id | ecccfdc5-2917-41d4-a957-88facca5c4d4 |
| ip_version | 4 |
| ipv6_address_mode | None |
| ipv6_ra_mode | None |
| name | public-subnet |
| network_id | fb890e9b-623d-447e-bdfc-d73ecaa619e8 |
| project_id | 0609d3b3b398456187fb705ec9224c4a |
| revision_number | 0 |
| segment_id | None |
| service_types | |
| subnetpool_id | None |
| tags | |
| updated_at | 2022-05-31T10:01:44Z |
+----------------------+--------------------------------------+
# note: in this example the external subnet 10.0.0.0/24 is the same range that
# the VXLAN tunnel endpoints ([local_ip] 10.0.0.50 / 10.0.0.51) and the DNS
# server 10.0.0.10 live on, so overlay, management and floating-IP traffic all
# share one segment; in a production deployment put the tunnel endpoints on a
# separate network that is not reachable from tenant instances
# set gateway of the router above
[root@dlp ~(keystone)]# openstack router set router01 --external-gateway public
[7] By default every project can use the external network (it carries an [access_as_external] RBAC entry whose target is all projects), but the internal network created above belongs to the admin project and is not visible to anyone else. Grant access to the internal network to each project whose users should be able to attach instances to it.
# show network RBAC list
[root@dlp ~(keystone)]# openstack network rbac list
+--------------------------------------+-------------+--------------------------------------+
| ID | Object Type | Object ID |
+--------------------------------------+-------------+--------------------------------------+
| a37b34cd-e686-443f-b3ef-4a4c722b5d63 | network | fb890e9b-623d-447e-bdfc-d73ecaa619e8 |
+--------------------------------------+-------------+--------------------------------------+
# RBAC details
# all projects (target_project_id = *) can use this network only as [access_as_external]
[root@dlp ~(keystone)]# openstack network rbac show a37b34cd-e686-443f-b3ef-4a4c722b5d63
+-------------------+--------------------------------------+
| Field | Value |
+-------------------+--------------------------------------+
| action | access_as_external |
| id | a37b34cd-e686-443f-b3ef-4a4c722b5d63 |
| name | None |
| object_id | fb890e9b-623d-447e-bdfc-d73ecaa619e8 |
| object_type | network |
| project_id | 0609d3b3b398456187fb705ec9224c4a |
| target_project_id | * |
+-------------------+--------------------------------------+
# show network list
[root@dlp ~(keystone)]# openstack network list
+--------------------------------------+---------+--------------------------------------+
| ID | Name | Subnets |
+--------------------------------------+---------+--------------------------------------+
| 032d3ae8-1c54-4f0c-bb64-10967d5630ff | private | 57454e98-d4c2-40b2-b0ee-d1ec340e9001 |
| fb890e9b-623d-447e-bdfc-d73ecaa619e8 | public | ecccfdc5-2917-41d4-a957-88facca5c4d4 |
+--------------------------------------+---------+--------------------------------------+
# show project list
[root@dlp ~(keystone)]# openstack project list
+----------------------------------+-----------+
| ID | Name |
+----------------------------------+-----------+
| 0609d3b3b398456187fb705ec9224c4a | admin |
| 3d85d1e79d654b3dade01eb5bfbf0679 | hiroshima |
| 8787527217494c6a87dd5a3b68dce1ef | service |
+----------------------------------+-----------+
# grant [access_as_shared] permission for [private] to [hiroshima] project
# [access_as_shared] lets the target project create ports on the admin-owned
# network; its instances then sit on the same L2 segment and subnet as every
# other port on that network, with only security groups between them. Projects
# that must be isolated from each other should get networks of their own instead.
# look the IDs up by exact name: a substring match such as "grep private" on the
# list output can select the wrong row once similarly named objects exist
[root@dlp ~(keystone)]# netID=$(openstack network show private -f value -c id)
[root@dlp ~(keystone)]# prjID=$(openstack project show hiroshima -f value -c id)
[root@dlp ~(keystone)]# openstack network rbac create --target-project "$prjID" --type network --action access_as_shared "$netID"
+-------------------+--------------------------------------+
| Field | Value |
+-------------------+--------------------------------------+
| action | access_as_shared |
| id | dfb0e656-0983-46a9-8345-13a03ddbc3e9 |
| name | None |
| object_id | 032d3ae8-1c54-4f0c-bb64-10967d5630ff |
| object_type | network |
| project_id | 0609d3b3b398456187fb705ec9224c4a |
| target_project_id | 3d85d1e79d654b3dade01eb5bfbf0679 |
+-------------------+--------------------------------------+
[8] Log in as a user who belongs to the project you granted access to the internal network, then create and boot an instance.
# show available [flavor] list
[cent@dlp ~(keystone)]$ openstack flavor list
+----+----------+------+------+-----------+-------+-----------+
| ID | Name | RAM | Disk | Ephemeral | VCPUs | Is Public |
+----+----------+------+------+-----------+-------+-----------+
| 0 | m1.small | 2048 | 10 | 0 | 1 | True |
+----+----------+------+------+-----------+-------+-----------+
# show available image list
[cent@dlp ~(keystone)]$ openstack image list
+--------------------------------------+-----------------+--------+
| ID | Name | Status |
+--------------------------------------+-----------------+--------+
| 7be5b7ab-36e8-43c7-95dd-34b4139a0e44 | CentOS-Stream-8 | active |
+--------------------------------------+-----------------+--------+
# show available network list
[cent@dlp ~(keystone)]$ openstack network list
+--------------------------------------+---------+--------------------------------------+
| ID | Name | Subnets |
+--------------------------------------+---------+--------------------------------------+
| 032d3ae8-1c54-4f0c-bb64-10967d5630ff | private | 57454e98-d4c2-40b2-b0ee-d1ec340e9001 |
| fb890e9b-623d-447e-bdfc-d73ecaa619e8 | public | ecccfdc5-2917-41d4-a957-88facca5c4d4 |
+--------------------------------------+---------+--------------------------------------+
# create a security group for instances
# a new group only carries the two default egress rules shown below; nothing
# inbound is allowed until rules are added in [10]
[cent@dlp ~(keystone)]$ openstack security group create secgroup01
+-----------------+----------------------------------------------------------------------------+
| Field | Value |
+-----------------+----------------------------------------------------------------------------+
| created_at | 2022-05-31T08:14:56Z |
| description | secgroup01 |
| id | 001bf895-7218-4153-b64b-5c5741697009 |
| name | secgroup01 |
| project_id | 3d85d1e79d654b3dade01eb5bfbf0679 |
| revision_number | 1 |
| rules | created_at='2022-05-31T08:14:56Z', direction='egress', ethertype='IPv4'... |
| | created_at='2022-05-31T08:14:56Z', direction='egress', ethertype='IPv6'... |
| stateful | True |
| tags | [] |
| updated_at | 2022-05-31T08:14:56Z |
+-----------------+----------------------------------------------------------------------------+
# create a SSH keypair for connecting to instances
# -N "" produces a private key with no passphrase: anyone who can read
# ~/.ssh/id_rsa on this host can log in to every instance booted with [mykey],
# so keep the file mode 0600 or set a passphrase and use ssh-agent instead
[cent@dlp ~(keystone)]$ ssh-keygen -q -N ""
Enter file in which to save the key (/home/cent/.ssh/id_rsa):
# register the public key
[cent@dlp ~(keystone)]$ openstack keypair create --public-key ~/.ssh/id_rsa.pub mykey
+-------------+-------------------------------------------------+
| Field | Value |
+-------------+-------------------------------------------------+
| created_at | None |
| fingerprint | 64:c1:46:5f:d4:dc:07:76:1c:5e:ee:b8:82:1e:9d:c3 |
| id | mykey |
| is_deleted | None |
| name | mykey |
| type | ssh |
| user_id | ed0bc393ae81411fa1db0828e1d5e160 |
+-------------+-------------------------------------------------+
# look the network ID up by exact name rather than a "grep private" substring match
[cent@dlp ~(keystone)]$ netID=$(openstack network show private -f value -c id)
[cent@dlp ~(keystone)]$ openstack server create --flavor m1.small --image CentOS-Stream-8 --security-group secgroup01 --nic net-id="$netID" --key-name mykey CentOS-St8
[cent@dlp ~(keystone)]$ openstack server list
+--------------------------------------+------------+--------+------------------------+-----------------+----------+
| ID | Name | Status | Networks | Image | Flavor |
+--------------------------------------+------------+--------+------------------------+-----------------+----------+
| b9422951-8141-45fe-becd-a01c72708504 | CentOS-St8 | ACTIVE | private=192.168.100.84 | CentOS-Stream-8 | m1.small |
+--------------------------------------+------------+--------+------------------------+-----------------+----------+
[9] Assign a floating IP address to the instance above.
[cent@dlp ~(keystone)]$ openstack floating ip create public
+---------------------+--------------------------------------+
| Field | Value |
+---------------------+--------------------------------------+
| created_at | 2022-05-31T10:08:01Z |
| description | |
| dns_domain | None |
| dns_name | None |
| fixed_ip_address | None |
| floating_ip_address | 10.0.0.216 |
| floating_network_id | fb890e9b-623d-447e-bdfc-d73ecaa619e8 |
| id | 5f7bc534-0959-4504-b2fb-10c9f7bcf8de |
| name | 10.0.0.216 |
| port_details | None |
| port_id | None |
| project_id | 3d85d1e79d654b3dade01eb5bfbf0679 |
| qos_policy_id | None |
| revision_number | 0 |
| router_id | None |
| status | DOWN |
| subnet_id | None |
| tags | [] |
| updated_at | 2022-05-31T10:08:01Z |
+---------------------+--------------------------------------+
[cent@dlp ~(keystone)]$ openstack server add floating ip CentOS-St8 10.0.0.216
# confirm settings
[cent@dlp ~(keystone)]$ openstack floating ip show 10.0.0.216
+---------------------+---------------------------------------------------------------------------+
| Field | Value |
+---------------------+---------------------------------------------------------------------------+
| created_at | 2022-05-31T10:08:01Z |
| description | |
| dns_domain | None |
| dns_name | None |
| fixed_ip_address | 192.168.100.84 |
| floating_ip_address | 10.0.0.216 |
| floating_network_id | fb890e9b-623d-447e-bdfc-d73ecaa619e8 |
| id | 5f7bc534-0959-4504-b2fb-10c9f7bcf8de |
| name | 10.0.0.216 |
| port_details | admin_state_up='True', device_id='b9422951-8141-45fe-becd-a01c727085..... |
| port_id | a0670c7e-2fa9-4be9-801b-d62170f33efd |
| project_id | 3d85d1e79d654b3dade01eb5bfbf0679 |
| qos_policy_id | None |
| revision_number | 2 |
| router_id | 0ed5c019-30e0-4e45-8ed5-f5df12dedeb0 |
| status | ACTIVE |
| subnet_id | None |
| tags | [] |
| updated_at | 2022-05-31T10:08:52Z |
+---------------------+---------------------------------------------------------------------------+
[cent@dlp ~(keystone)]$ openstack server list
+--------------------------------------+------------+--------+------------------------------------+-----------------+----------+
| ID | Name | Status | Networks | Image | Flavor |
+--------------------------------------+------------+--------+------------------------------------+-----------------+----------+
| b9422951-8141-45fe-becd-a01c72708504 | CentOS-St8 | ACTIVE | private=10.0.0.216, 192.168.100.84 | CentOS-Stream-8 | m1.small |
+--------------------------------------+------------+--------+------------------------------------+-----------------+----------+
[10] Add rules to the security group created above so that the instance accepts SSH and ICMP.
# permit ICMP
[cent@dlp ~(keystone)]$ openstack security group rule create --protocol icmp --ingress secgroup01
+-------------------------+--------------------------------------+
| Field | Value |
+-------------------------+--------------------------------------+
| created_at | 2022-05-31T09:42:39Z |
| description | |
| direction | ingress |
| ether_type | IPv4 |
| id | 96122e6a-c9eb-4cb6-b304-2fe0dc0b3219 |
| name | None |
| port_range_max | None |
| port_range_min | None |
| project_id | 3d85d1e79d654b3dade01eb5bfbf0679 |
| protocol | icmp |
| remote_address_group_id | None |
| remote_group_id | None |
| remote_ip_prefix | 0.0.0.0/0 |
| revision_number | 0 |
| security_group_id | 001bf895-7218-4153-b64b-5c5741697009 |
| tags | [] |
| tenant_id | 3d85d1e79d654b3dade01eb5bfbf0679 |
| updated_at | 2022-05-31T09:42:39Z |
+-------------------------+--------------------------------------+
# permit SSH
# without --remote-ip the rule accepts SSH from every address (remote_ip_prefix
# 0.0.0.0/0 below), which is the floating IP's whole upstream network; limit it
# to the hosts that should administer the instance, e.g. --remote-ip 10.0.0.0/24
[cent@dlp ~(keystone)]$ openstack security group rule create --protocol tcp --dst-port 22:22 secgroup01
+-------------------------+--------------------------------------+
| Field | Value |
+-------------------------+--------------------------------------+
| created_at | 2022-05-31T09:42:58Z |
| description | |
| direction | ingress |
| ether_type | IPv4 |
| id | 28191a33-6e5a-487d-a7b7-cdef6f4f9dd9 |
| name | None |
| port_range_max | 22 |
| port_range_min | 22 |
| project_id | 3d85d1e79d654b3dade01eb5bfbf0679 |
| protocol | tcp |
| remote_address_group_id | None |
| remote_group_id | None |
| remote_ip_prefix | 0.0.0.0/0 |
| revision_number | 0 |
| security_group_id | 001bf895-7218-4153-b64b-5c5741697009 |
| tags | [] |
| tenant_id | 3d85d1e79d654b3dade01eb5bfbf0679 |
| updated_at | 2022-05-31T09:42:58Z |
+-------------------------+--------------------------------------+
[cent@dlp ~(keystone)]$ openstack security group rule list secgroup01
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+
| ID | IP Protocol | Ethertype | IP Range | Port Range | Direction | Remote Security Group | Remote Address Group |
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+
| 28191a33-6e5a-487d-a7b7-cdef6f4f9dd9 | tcp | IPv4 | 0.0.0.0/0 | 22:22 | ingress | None | None |
| 7a5ce790-613c-433b-b817-75aa20a10fc1 | None | IPv4 | 0.0.0.0/0 | | egress | None | None |
| 96122e6a-c9eb-4cb6-b304-2fe0dc0b3219 | icmp | IPv4 | 0.0.0.0/0 | | ingress | None | None |
| cf9e12bd-90d0-4c9c-b852-12d2cd53eb91 | None | IPv6 | ::/0 | | egress | None | None |
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+
[11] You can now log in to the instance over SSH through its floating IP address, as follows.
[cent@dlp ~(keystone)]$ openstack server list
+--------------------------------------+------------+--------+------------------------------------+-----------------+----------+
| ID | Name | Status | Networks | Image | Flavor |
+--------------------------------------+------------+--------+------------------------------------+-----------------+----------+
| b9422951-8141-45fe-becd-a01c72708504 | CentOS-St8 | ACTIVE | private=10.0.0.216, 192.168.100.84 | CentOS-Stream-8 | m1.small |
+--------------------------------------+------------+--------+------------------------------------+-----------------+----------+
# the first connection asks you to trust an unknown host key; rather than
# answering yes blindly, compare the fingerprint with the one the instance
# printed at boot (cloud-init based images write it to the console log):
# openstack console log show CentOS-St8 | grep -A 5 'SSH HOST KEY FINGERPRINTS'
[cent@dlp ~(keystone)]$ ssh centos@10.0.0.216
The authenticity of host '10.0.0.216 (10.0.0.216)' can't be established.
ECDSA key fingerprint is SHA256:3ubFctH6ulVjsrc2KyvqfRJPIx3ceRuzrogRB2WY1Iw.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.0.0.216' (ECDSA) to the list of known hosts.
Activate the web console with: systemctl enable --now cockpit.socket
[centos@centos-st8 ~]$ # logged in
|
|