|
一个具有网络管理接口的控制器节点。1 O; I: c- G1 w6 Z9 c+ l% I' C
两个网络节点有四个网络接口:管理、项目隧道网络、项目VLAN网络和外部(通常是Internet)。Open vSwitch网桥br-vlan必须包含VLAN接口上的一个端口,而Open vSwitch桥的br- ex必须在外部接口上包含一个端口。
% {& v7 i! r6 V `* w
( H! B. r- W T& k$ g至少有一个具有三个网络接口的计算节点:管理、项目隧道网络和项目VLAN网络。Open vSwitch网桥br-vlan必须在VLAN接口上包含一个端口。 为了提高对网络流量的理解,网络和计算节点包含一个独立的网络接口,用于项目VLAN网络。在生产环境中,项目VLAN网络可以使用任何Open vSwitch网桥来访问网络接口。例如br-tun网桥
8 O3 t6 k7 ^, a! U在示例配置中,管理网络使用10.0.0 / 24,隧道网络使用10.0.1.0 / 24,VRRP网络使用169.254.192.0 / 18,外部网络使用203.0.113.0 / 24。VLAN网络不需要IP地址范围,因为它只处理二级连接。
9 y# S0 S: D8 M' u+ w硬件要求
@1 E& z) X8 M& J/ Q2 S) K6 n6 A
$ `; _' H% D& i7 d+ A& j 网络布局
. k* d# x* E7 m2 D3 P5 O% i& e0 N1 }+ o N7 Y
8 w$ `& ?% A' i X2 ]" Z 服务布局
$ c+ ^" }/ V5 W) \8 }" R7 W! ]1 b* o7 Q- A+ O3 ]! A0 ^% e; M
注意:对于VLAN外部和项目网络,网络基础设施必须支持VLAN标记。为了获得VXLAN和GRE项目网络的最佳性能,网络基础设施应该支持巨型帧。 * x( \! S4 r y$ D1 W
控制节点的OpenStack服务
+ |: }2 p6 H+ b0 N" t1 Z/ j在neutron.conf文件中具有数据库服务器的合适配置在neutron.conf文件中具有消息队列服务的合适配置。
2 }0 ?0 i, b1 j; a, Y/ Z在neutron.conf文件中具有openstack keystone服务的合适配置4 I! ]. {4 Q4 B, v' f. f
在nova.conf文件中具有openstack计算 控制/管理服务的合适配置去使用Openstack 网络
; I' R. ~; m0 a: D4 S+ Eneutron服务器服务、ML2插件和任何依赖关系。
% m# Y) |0 y& j* ]" R @9 F! a4 {+ `, {3 K* V! u
网络节点的Openstack服务在neutron.conf文件中具有openstack keystone服务的合适配置: s) I L# k s! P( \- Z
Open vSwitch服务、ML2插件、Open vSwitch代理、L3代理、DHCP代理、元数据代理和任何依赖关系。
^. U9 a# T- n0 a! O. M9 A) C- `- T% T2 S: O& C4 x
计算节点的Openstack服务
/ b5 A+ L4 d1 n& Z) D& M& c在neutron.conf文件中具有openstack keystone服务的合适配置5 v& |4 M$ i% |; H+ o4 k8 E
r. ^; f+ n, w& N" n+ ]
在nova.conf文件中具有openstack计算 控制/管理服务的合适配置去使用Openstack网络Open vSwitch服务,ML2插件,OpenvSwitch代理,以及任何依赖项。
' c W% A* I p% f3 b$ l- A- i" A8 U9 ]( d$ `* j# {8 G6 C9 A. Z4 c
体系结构% z. g7 ^& E( N4 R! M N2 R- m
一般的体系架构
7 v, a+ V5 C, V4 \% T) x 网络节点包含以下组件:
" d# L% A6 w" ~0 g- `, A
( K0 ^. L* d- W% oOpen vSwitch代理管理虚拟交换机之间的连接,以及通过虚拟端口与其他网络组件(如名称空间、Linux网桥和底层接口)进行交互。
z5 X6 F. r) ], G) t( b- J. T
* s5 r7 X" x: W. l管理qdhcp名称空间的DHCP代理。qdhcp名称空间为使用项目网络的实例提供DHCP服务。
' r9 S% s, A6 q' O& \2 L, C3 `
; i# H2 J9 _# _8 ~6 K, l4 v. sL3代理使用keepalived管理qrouter名称空间和VRRP。qrouter名称空间提供了项目和外部网络之间以及项目网络之间的路由。它们还在实例和元数据代理之间路由元数据通信。" N) ^9 d2 n% }$ L
9 U4 m& E; F, b! ~" ~7 f
元数据代理处理实例的元数据操作。
7 J A1 _. k! @7 ]- T/ S5 D8 }& H% C+ S! ]$ X2 M( S+ g
网络节点组件回顾. i/ P& P2 h { Y3 |7 j1 Q
. L: l* Y+ c( j C& U
2 K# F7 t: p# h0 a 网络节点组件连接
$ O2 Z0 K% Q; n- G/ L' O: W" F( X ]
计算节点包含以下组件:
7 I" j& z$ D5 f+ f/ W& Y h. k
. K* x( D% |+ Z1.Open vSwitch代理管理虚拟交换机之间的连接,以及通过虚拟端口与其他网络组件(如名称空间、Linux网桥和底层接口)进行交互。+ i- Y/ h8 l1 Q9 v6 @
; c* Q9 E: ?7 E# j4 @' n" E
2.Linux网桥处理安全组。 9 R, z) S7 ^6 x0 s
注意:由于Open vSwitch和iptables的限制,网络服务使用Linux桥来管理实例的安全组。 # {( C% s |7 o N4 n r
计算节点组件回顾# N& b* x) ?' P+ h! }
2 v3 ^* U, N2 W% J7 |2 d1 \
计算节点组件连接 w. l6 I% r1 t4 S8 Y; e
6 h0 \2 b3 |: [7 u
数据包流 L3HA机制简单地增加了场景:如果主路由器失败,则使用Open vSwitch提供给另一个路由器的快速故障转移到另一个路由器。
* l/ V( r' [3 n9 J6 A- P9 W7 s4 N* U; ?6 X2 f# D4 I" E: N
在正常的操作过程中,主路由器定期地通过一个隐藏的项目网络来传输心跳数据包,该网络连接所有的HA路由器以完成特定的项目。 在默认情况下,这个网络使用的类型是在/etc/neutron/plugins/ml2_conf.ini的tenant_network_types选项中第一个值的类型。& G) O* t6 A5 {! F) x) B
2 y; E* T& i# ?, ]2 I. Y9 _如果备份路由器停止接收这些数据包,它就假定主路由器失效,并通过在qrouter名称空间中配置IP地址来提升自己到主路由器。在具有多个备份路由器的环境中,具有下一个最高优先级的路由器成为主路由器
7 {3 z3 d# r- t" a9 O 注意:L3HA机制对所有路由器使用相同的优先级。因此,VRRP会将IP地址最高的备份路由器提升到主路由器。 5 r( a) I, v3 ~5 ^
示例配置$ v8 V+ p. a1 a# S
使用下面的示例配置作为在您的环境中部署该场景的模板。 Z+ G8 L: O$ B( F
控制节点1.配置常见的选项。编辑/etc/neutron/neutron.配置文件: [backcolor=rgb(245, 245, 245) !important][url=] [/url]0 }, R# j. g6 }6 w# a0 H- ]
[DEFAULT]verbose = Truecore_plugin = ml2service_plugins = routerallow_overlapping_ips = Truerouter_distributed = Falsel3_ha = Truel3_ha_net_cidr = 169.254.192.0/18max_l3_agents_per_router = 3min_l3_agents_per_router = 2dhcp_agents_per_network = 2[backcolor=rgb(245, 245, 245) !important][url=][/url]5 d- g. Q( Y/ v5 H& ]
2 z( n5 U/ o4 D$ J) M5 T
! n/ v# w. S: C; b; ]. A! m [ 2.配置ML2插件。编辑/etc/neutron/plugins/ml2/ml2_conf.ini文件:
% f' a( M5 a3 p3 c! l1 K9 a' G[backcolor=rgb(245, 245, 245) !important][url=][/url]
: u. o" i8 \8 |. S[ml2]type_drivers = flat,vlan,gre,vxlantenant_network_types = vlan,gre,vxlanmechanism_drivers = openvswitch[ml2_type_flat]flat_networks = external[ml2_type_vlan]network_vlan_ranges = external,vlan:MIN_VLAN_ID:MAX_VLAN_ID[ml2_type_gre]tunnel_id_ranges = MIN_GRE_ID:MAX_GRE_ID[ml2_type_vxlan]vni_ranges = MIN_VXLAN_ID:MAX_VXLAN_IDvxlan_group = 239.1.1.1[securitygroup]firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriverenable_security_group = Trueenable_ipset = True[backcolor=rgb(245, 245, 245) !important][url=][/url]
! R8 |+ H( N$ \0 O
; K; E" {: @6 Q2 i8 P2 P) t4 I' I4 P5 z; ^+ x$ \
替换MIN_VLAN_ID、MAX_VLAN_ID、MIN_GRE_ID、MAX_GRE_ID、MIN_VXLAN_ID和MAX_VXLAN_ID和VLAN、GRE和VXLAN ID最小值,以及适合您的环境的最大值。 + q3 E8 t" a+ N' G) }8 M
请注意: tenant_network_types选项中的第一个值在常规用户创建网络时成为默认项目网络类型。network_vlan_range选项中的外部值缺少VLAN ID范围,以支持管理用户使用任意VLAN ID。$ h6 u% y2 K" r d# K( b# B3 y4 Z7 `; a
6 {! D% p: Q9 z3.启动服务
. k! I( N# e/ [& n5 W. D6 ^8 x7 o3 m3 h5 U* ]
. V# P7 B+ C0 Y3 U# V5 n9 P
网络节点1.配置内核以启用包转发和禁用反向路径过滤。编辑/etc/sysctl.配置文件: net.ipv4.ip_forward=1net.ipv4.conf.default.rp_filter=0net.ipv4.conf.all.rp_filter=0
! d8 n( i! @) J& ^$ h' W2.加载新内核配置: $ sysctl -p4 w: t# c- I [& Z0 _$ P/ i
# h7 n1 j2 e) u9 o2 L# O
3.配置常见的选项。编辑/etc/neutron/neutron.配置文件: [DEFAULT]verbose = True
4 [% ^: x! I/ O1 |8 r! }# v. E5 L
* j, q) E( Z" [' G4.配置Open vSwitch代理。编辑/etc/neutron/plugins/ml2/ml2_conf.ini文件: [backcolor=rgb(245, 245, 245) !important][url=][/url], ]$ o. P. o. ?4 o# L( d4 P
[ovs]local_ip = TUNNEL_INTERFACE_IP_ADDRESSbridge_mappings = vlan:br-vlan,external:br-ex[agent]tunnel_types = gre,vxlanl2_population = False[securitygroup]firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriverenable_security_group = Trueenable_ipset = True[backcolor=rgb(245, 245, 245) !important][url=][/url]
b4 E q$ K% D/ ^8 R$ l/ n8 x7 Y9 L" {, A4 t1 L
- |0 ?# \3 e1 G- W, I( Z0 R
使用处理GRE / VXLAN项目网络的接口的IP地址替换TUNNEL_INTERFACE_IP_ADDRESS。
4 Y |! |7 Z. h# ]. i, Z2 @) s5.配置L3代理。编辑/etc/neutron/l3_agent.ini文件: 1 p0 E, X. C. d X8 y
[backcolor=rgb(245, 245, 245) !important][url=][/url]# X0 g' ` c! b
[DEFAULT]verbose = Trueinterface_driver = neutron.agent.linux.interface.OVSInterfaceDriveruse_namespaces = Trueexternal_network_bridge =router_delete_namespaces = Trueagent_mode = legacy[backcolor=rgb(245, 245, 245) !important][url=][/url]& u$ _3 I/ ?3 t I+ }# T* {
4 G: m2 @: ?: u/ W! e1 m& _注意:external_network_bridge选项故意不包含任何值。
3 y# j+ b, n% i6.配置DHCP代理。编辑/etc/neutron/dhcp_agent.ini文件: 1 Q; P U% ]( N( ?! `# k* r; @% a5 g
[backcolor=rgb(245, 245, 245) !important][url=][/url]
9 s2 e F1 v: X9 ?( c[DEFAULT]verbose = Trueinterface_driver = neutron.agent.linux.interface.OVSInterfaceDriverdhcp_driver = neutron.agent.linux.dhcp.Dnsmasquse_namespaces = Truedhcp_delete_namespaces = True[backcolor=rgb(245, 245, 245) !important][url=][/url]
! Y8 X# m( ^# z! G# t
8 ?, B. T* ]# c
# u2 w3 A. d. _4 J I: c) Z7.(可选)为VXLAN项目网络减少MTU。 [backcolor=rgb(245, 245, 245) !important][url=][/url]
8 v4 D. s U. }9 Y$ A" Q3 n; j) \4 e2 g! x
8 J" K m8 r/ G: e
1.编辑/etc/neutron/dhcp_agent。ini文件:[DEFAULT]dnsmasq_config_file = /etc/neutron/dnsmasq-neutron.conf2.编辑/etc/neutron/dnsmasq-neutron.conf文件:dhcp-option-force=26,1450- }8 }1 z% {9 J& s. B) f
+ T& O+ q! {$ O! ~1 ?* b+ Y+ x1 i" d[backcolor=rgb(245, 245, 245) !important][url=][/url]
1 G! |1 A" j% B6 y& u0 Z' E9 ]1 M1 p) v$ m+ @
5 _" V% y5 P( G/ Q: `( l: c5 \8.配置元数据代理。编辑/etc/neutron/metadata_agent.ini文件: [DEFAULT]verbose = Truenova_metadata_ip = controllermetadata_proxy_shared_secret = METADATA_SECRET. X0 w& ~+ Y4 r
$ P' a8 H& a; Q3 G# t; I
用合适的环境值替换METADATA_SECRET。 9 c! {, h. r- u3 V' h# Y; }- W
9.开始以下服务: Open vSwitch Open vSwitch agent L3 agent DHCP agent Metadata agent
2 |: V4 \1 \8 p: k6 s
- e" z/ n/ Z1 Y4 S3 }计算节点
- ?" X# T; V& d2 t, q" @1.配置内核以启用网桥上的iptables并禁用反向路径过滤。编辑/etc/sysctl.配置文件: net.ipv4.conf.default.rp_filter=0net.ipv4.conf.all.rp_filter=0net.bridge.bridge-nf-call-iptables=1net.bridge.bridge-nf-call-ip6tables=1
% _8 ]8 h0 D6 `( C+ O2.加载新内核配置: $ sysctl -p
3 Z! Y* |$ j) F/ s7 n7 ^
- q7 \2 l# w$ E& `! g* }3.配置常见的选项。编辑/etc/neutron/neutron.配置文件: [DEFAULT]verbose = True
. a* n+ {9 R" N. ^2 _$ K# M3 F" ]; \
4.配置Open vSwitch代理。编辑/etc/neutron/plugins/ml2/ml2_conf.ini文件: [backcolor=rgb(245, 245, 245) !important][url=][/url]
2 A x# x# i; a- U! o* u[ovs]local_ip = TUNNEL_INTERFACE_IP_ADDRESSbridge_mappings = vlan:br-vlan[agent]tunnel_types = gre,vxlanl2_population = False[securitygroup]firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriverenable_security_group = Trueenable_ipset = True[backcolor=rgb(245, 245, 245) !important][url=][/url]
) `4 w! v3 Y; T$ {$ [
) d& P z$ a, O- j! y- i# Q1 c9 K2 V1 b% {# r9 Q2 p
使用处理GRE / VXLAN项目网络的接口的IP地址替换TUNNEL_INTERFACE_IP_ADDRESS。
0 d' e6 [' e O9 p# O' w7.启动以下服务: Open vSwitch Open vSwitch agent
3 _" p" u+ b* |4 X3 E- k/ K7 K0 F. V0 h+ K
验证服务操作1.提供管理项目凭据。 2.验证代理的存在和操作: [backcolor=rgb(245, 245, 245) !important][url=][/url]( w: t6 O# s7 _# g! n
$ neutron agent-list+--------------------------------------+--------------------+----------+-------+----------------+---------------------------+| id | agent_type | host | alive | admin_state_up | binary |+--------------------------------------+--------------------+----------+-------+----------------+---------------------------+| 0bfe5b5d-0b82-434e-b8a0-524cc18da3a4 | DHCP agent | network1 | :-) | True | neutron-dhcp-agent || 25224bd5-0905-4ec9-9f2d-3b17cdaf5650 | Open vSwitch agent | compute2 | :-) | True | neutron-openvswitch-agent || 29afe014-273d-42f3-ad71-8a226e40dea6 | L3 agent | network1 | :-) | True | neutron-l3-agent || 3bed5093-e46c-4b0f-9460-3309c62254a3 | DHCP agent | network2 | :-) | True | neutron-dhcp-agent || 54aefb1c-35f7-4ebf-a848-3bb4fe81dcf7 | Open vSwitch agent | network1 | :-) | True | neutron-openvswitch-agent || 91c9cc03-1678-4d7a-b0a7-fa1ac24e5516 | Open vSwitch agent | compute1 | :-) | True | neutron-openvswitch-agent || ac7b3f77-7e4d-47a6-9dbd-3358cfb67b61 | Open vSwitch agent | network2 | :-) | True | neutron-openvswitch-agent || ceef5c49-3148-4c39-9e15-4985fc995113 | Metadata agent | network1 | :-) | True | neutron-metadata-agent || d27ac19b-fb4d-4fec-b81d-e8c65557b6ec | L3 agent | network2 | :-) | True | neutron-l3-agent || f072a1ec-f842-4223-a6b6-ec725419be85 | Metadata agent | network2 | :-) | True | neutron-metadata-agent |+--------------------------------------+--------------------+----------+-------+----------------+---------------------------+[backcolor=rgb(245, 245, 245) !important][url=][/url]
8 x; J* o# q+ _) Q) J$ q8 v. k: F# r$ Q+ E+ i! B+ Y
5 t3 E$ W3 A- p) G创建初始网络
% w8 A8 F' f8 U. j1 W' g4 E/ {这个示例创建了一个flat外部网络和一个VXLAN项目网络。) o; M; O4 n0 L1 a+ K: z
' S* @# }/ ^$ {5 s; N' r6 H1.提供管理项目凭据。: d5 b! W" R/ l1 A" ~ G |$ _
0 t# c# ]% C! i N. Y* Q+ o2.创建外部网络: 8 L: B7 _ t( B# @* @ _
[backcolor=rgb(245, 245, 245) !important][url=][/url]- K9 A2 A# V3 r0 u( A8 K
$ neutron net-create ext-net --router:external True \ --provider:physical_network external --provider:network_type flatCreated a new network:+---------------------------+--------------------------------------+| Field | Value |+---------------------------+--------------------------------------+| admin_state_up | True || id | 5266fcbc-d429-4b21-8544-6170d1691826 || name | ext-net || provider:network_type | flat || provider:physical_network | external || provider:segmentation_id | || router:external | True || shared | False || status | ACTIVE || subnets | || tenant_id | 96393622940e47728b6dcdb2ef405f50 |+---------------------------+--------------------------------------+[backcolor=rgb(245, 245, 245) !important][url=][/url]6 }8 v" g; y; h0 m# h
/ [. O' y& n8 _, t/ n
: w, W' ]7 s; ?# d& l' d( O3.在外部网络上创建子网: 3 ]2 _4 h! w0 Z2 ^7 x8 F" U
[backcolor=rgb(245, 245, 245) !important][url=][/url]/ s, O# k7 z6 D; x
$ neutron subnet-create ext-net 203.0.113.0/24 --name ext-subnet \ --allocation-pool start=203.0.113.101,end=203.0.113.200 \ --disable-dhcp --gateway 203.0.113.1Created a new subnet:+-------------------+----------------------------------------------------+| Field | Value |+-------------------+----------------------------------------------------+| allocation_pools | {"start": "203.0.113.101", "end": "203.0.113.200"} || cidr | 203.0.113.0/24 || dns_nameservers | || enable_dhcp | False || gateway_ip | 203.0.113.1 || host_routes | || id | b32e0efc-8cc3-43ff-9899-873b94df0db1 || ip_version | 4 || ipv6_address_mode | || ipv6_ra_mode | || name | ext-subnet || network_id | 5266fcbc-d429-4b21-8544-6170d1691826 || tenant_id | 96393622940e47728b6dcdb2ef405f50 |+-------------------+----------------------------------------------------+[backcolor=rgb(245, 245, 245) !important][url=][/url]
3 v" L4 v% f8 {3 }
& H# _2 k: l$ [& @$ Y* q) D; [0 _- i" u- a$ ?4 Q* I
请注意:
* E( g$ X; Y L5 s
( B* i* c | Q+ J" o" L 示例配置包含vlan作为第一个项目网络类型。只有管理用户才能创建其他类型的网络,比如GRE或VXLAN。下面的命令使用admin项目凭证创建一个VXLAN项目网络。+ b' V7 B2 b0 Z0 i/ J
$ I, O5 h# [/ \9 E' [) u' p5 ]
1.获得常规项目的ID。例如使用demo项目:
+ J+ Z9 S8 }% _/ o! k. Y9 c X+ l[backcolor=rgb(245, 245, 245) !important][url=][/url]& m1 F; k b! l8 L# J6 Y
$ openstack project show demo+-------------+----------------------------------+| Field | Value |+-------------+----------------------------------+| description | Demo Tenant || enabled | True || id | 443cd1596b2e46d49965750771ebbfe1 || name | demo |+-------------+----------------------------------+[backcolor=rgb(245, 245, 245) !important][url=][/url]
5 y4 {3 [# t: w! R- E" p
# o- M! w5 I( G2 o4 S" A
" p# M2 K' X' x- b2.创建项目网络:
8 q( C3 V# Z# r E# t[backcolor=rgb(245, 245, 245) !important][url=][/url]
5 R- }+ W* g* k9 y1 T; u$ neutron net-create demo-net \ --tenant-id 443cd1596b2e46d49965750771ebbfe1 \ --provider:network_type vxlanCreated a new network:+---------------------------+--------------------------------------+| Field | Value |+---------------------------+--------------------------------------+| admin_state_up | True || id | 7ac9a268-1ddd-453f-857b-0fd9552b645f || name | demo-net || provider:network_type | vxlan || provider:physical_network | || provider:segmentation_id | 1 || router:external | False || shared | False || status | ACTIVE || subnets | || tenant_id | 443cd1596b2e46d49965750771ebbfe1 |+---------------------------+--------------------------------------+[backcolor=rgb(245, 245, 245) !important][url=][/url]; G5 u: S5 X& a# }( R) t/ |
/ z5 s0 U y2 ?1 l3 N
1 \6 n1 O2 P4 c) c* i& S+ g5 s" E9 p, Z S2 z
3.提供常规项目凭证。下面的步骤使用demo项目。 4.在项目网络上创建子网:
+ g+ ?, c* y5 ?) I3 m7 _[backcolor=rgb(245, 245, 245) !important][url=][/url]2 r6 U. V/ a7 l V2 o7 X
$ neutron subnet-create demo-net 192.168.1.0/24 --name demo-subnet \ --gateway 192.168.1.1Created a new subnet:+-------------------+--------------------------------------------------+| Field | Value |+-------------------+--------------------------------------------------+| allocation_pools | {"start": "192.168.1.2", "end": "192.168.1.254"} || cidr | 192.168.1.0/24 || dns_nameservers | || enable_dhcp | True || gateway_ip | 192.168.1.1 || host_routes | || id | 2945790c-5999-4693-b8e7-50a9fc7f46f5 || ip_version | 4 || ipv6_address_mode | || ipv6_ra_mode | || name | demo-subnet || network_id | 7ac9a268-1ddd-453f-857b-0fd9552b645f || tenant_id | 443cd1596b2e46d49965750771ebbfe1 |+-------------------+--------------------------------------------------+[backcolor=rgb(245, 245, 245) !important][url=][/url]
2 E, L( I7 b3 B! l$ h
1 W. Z/ ^) a: n3 m4 I, j1 k3 M* g1 s# T0 n7 b
5.创建一个项目路由器: ! v: O) b1 k7 g5 m& J
[backcolor=rgb(245, 245, 245) !important][url=][/url]
4 L$ A+ e4 s9 ?% N+ M+ F( S$ neutron router-create demo-routerCreated a new router:+-----------------------+--------------------------------------+| Field | Value |+-----------------------+--------------------------------------+| admin_state_up | True || distributed | False || external_gateway_info | || ha | True || id | 7a46dba8-8846-498c-9e10-588664558473 || name | demo-router || routes | || status | ACTIVE || tenant_id | 443cd1596b2e46d49965750771ebbfe1 |+-----------------------+--------------------------------------+[backcolor=rgb(245, 245, 245) !important][url=][/url]
# @7 w% O1 p% Z" E6 P# @8 |' z) y# |8 M6 Q; r
' k& Q2 }' g0 ?( N
注意:默认policy.json文件只允许管理项目在路由器创建期间启用/禁用HA,并查看路由器的HA标志。 / Y; N& p+ W' a* y( b! E1 g2 D+ S1 g
6.在路由器上添加项目子网作为接口: $ neutron router-interface-add demo-router demo-subnetAdded interface 8de3e172-5317-4c87-bdc1-f69e359de92e to router demo-router.! T- A# l, @& w$ L
. E$ k+ C; N3 M) _/ m/ ^( D7.在路由器上添加一个通向外部网络的网关:
, E0 F, Z" N. r4 A" [$ neutron router-gateway-set demo-router ext-netSet gateway for router demo-router+ z+ l4 s; F% H$ n
" h& F. Q3 [1 G7 K1 d# W验证网络操作, Y& a' f0 F) @9 T. w* P+ q
1.提供管理项目凭据。
( Q( R6 e! R/ D1 U6 \
0 Z; K: X% ^) }/ t3 F2.在控制器节点上,验证HA网络的创建: [backcolor=rgb(245, 245, 245) !important][url=][/url]
+ g+ q2 b$ X9 K( @* B6 c$ neutron net-list+--------------------------------------+----------------------------------------------------+-------------------------------------------------------+| id | name | subnets |+--------------------------------------+----------------------------------------------------+-------------------------------------------------------+| 5266fcbc-d429-4b21-8544-6170d1691826 | ext-net | b32e0efc-8cc3-43ff-9899-873b94df0db1 203.0.113.0/24 || e029b568-0fd7-4d10-bb16-f9e014811d10 | HA network tenant 443cd1596b2e46d49965750771ebbfe1 | ee30083f-eb4c-41ea-8937-1bae65740af4 169.254.192.0/18 || 7ac9a268-1ddd-453f-857b-0fd9552b645f | demo-net | 2945790c-5999-4693-b8e7-50a9fc7f46f5 192.168.1.0/24 |+--------------------------------------+----------------------------------------------------+-------------------------------------------------------+[backcolor=rgb(245, 245, 245) !important][url=][/url]* E: F: e1 K) b% ~7 {
$ E$ I8 q3 R5 G7 Q! I
: U, V7 I4 ]5 _/ ?% P& a3.在控制器节点上,在多个网络节点上验证路由器的创建: ) n' W; f. B+ N# ^6 u
[backcolor=rgb(245, 245, 245) !important][url=][/url]' C( b* q5 u- e+ C- _% o
$ neutron l3-agent-list-hosting-router demo-router+--------------------------------------+----------+----------------+-------+----------+| id | host | admin_state_up | alive | ha_state |+--------------------------------------+----------+----------------+-------+----------+| 29afe014-273d-42f3-ad71-8a226e40dea6 | network1 | True | :-) | active || d27ac19b-fb4d-4fec-b81d-e8c65557b6ec | network2 | True | :-) | standby |+--------------------------------------+----------+----------------+-------+----------+[backcolor=rgb(245, 245, 245) !important][url=][/url]* t' j' w% K$ e' E& d1 X# {" M
2 v7 X% v, D1 L! `" r9 U
1 H; ^* C6 K9 w( f( n* T/ h- N' S. d注意:老版本的python - neutronclient不支持ha_state字段。 1 \% r+ W9 H% W* A- X2 x3 Q
4.在控制器节点上,在demo - router路由器上验证HA端口的创建: [backcolor=rgb(245, 245, 245) !important][url=][/url]
2 a1 Q: I$ b, }5 M9 h* Q9 N$ neutron router-port-list demo-router+--------------------------------------+-------------------------------------------------+-------------------+----------------------------------------------------------------------------------------+| id | name | mac_address | fixed_ips |+--------------------------------------+-------------------------------------------------+-------------------+----------------------------------------------------------------------------------------+| 255d2e4b-33ba-4166-a13f-6531122641fe | HA port tenant 443cd1596b2e46d49965750771ebbfe1 | fa:16:3e:25:05:d7 | {"subnet_id": "8e8e4c7d-fa38-417d-a4e3-03ee5ab5493c", "ip_address": "169.254.192.1"} || 374587d7-2acd-4156-8993-4294f788b55e | | fa:16:3e:82:a0:59 | {"subnet_id": "b32e0efc-8cc3-43ff-9899-873b94df0db1", "ip_address": "203.0.113.101"} || 8de3e172-5317-4c87-bdc1-f69e359de92e | | fa:16:3e:10:9f:f6 | {"subnet_id": "2945790c-5999-4693-b8e7-50a9fc7f46f5", "ip_address": "192.168.1.1"} || 90d1a59f-b122-459d-a94a-162a104de629 | HA port tenant 443cd1596b2e46d49965750771ebbfe1 | fa:16:3e:ae:3b:22 | {"subnet_id": "8e8e4c7d-fa38-417d-a4e3-03ee5ab5493c", "ip_address": "169.254.192.2"} |+--------------------------------------+-------------------------------------------------+-------------------+----------------------------------------------------------------------------------------+[backcolor=rgb(245, 245, 245) !important][url=][/url]
: v3 n, q- u3 O- {) x
3 J/ O. f: T! l' {
! X. ?* Q6 P" Y# X' e+ c6 o: V& ]4 e$ T/ {# p
5.在网络节点上,验证qrouter和qdhcp名称空间的创建:
5 O. r; X U8 w; K. U[backcolor=rgb(245, 245, 245) !important][url=][/url]9 J4 @( q3 w' u; {& B& }( B$ r
网络节点1:$ ip netnsqrouter-7a46dba8-8846-498c-9e10-588664558473网络节点2:$ ip netnsqrouter-7a46dba8-8846-498c-9e10-588664558473[backcolor=rgb(245, 245, 245) !important][url=][/url]
! D+ n! i3 I, r( S5 x! e5 C
4 s3 f. ]/ s; r/ t两个qrouter名称空间都应该使用相同的UUID。 % Y2 j; ?! c% z% j6 q
请注意
) T4 i! L- u: \1 B7 {# u) |
* d. ~7 m9 L4 w/ m! k 在启动实例之前,qdhcp名称空间可能不存在。
6 a2 z7 N9 k( T, u# E" y' x7 X
6.在网络节点上,验证HA操作: 网络节点1:[backcolor=rgb(245, 245, 245) !important][url=][/url]0 _% D4 N4 C- K
网络节点1:$ ip netns exec qrouter-7a46dba8-8846-498c-9e10-588664558473 ip addr show11: ha-255d2e4b-33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default link/ether fa:16:3e:25:05:d7 brd ff:ff:ff:ff:ff:ff inet 169.254.192.1/18 brd 169.254.255.255 scope global ha-255d2e4b-33 valid_lft forever preferred_lft forever inet6 fe80::f816:3eff:fe25:5d7/64 scope link valid_lft forever preferred_lft forever12: qr-8de3e172-53: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default link/ether fa:16:3e:10:9f:f6 brd ff:ff:ff:ff:ff:ff inet 192.168.1.1/24 scope global qr-8de3e172-53 valid_lft forever preferred_lft forever inet6 fe80::f816:3eff:fe10:9ff6/64 scope link valid_lft forever preferred_lft forever13: qg-374587d7-2a: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default link/ether fa:16:3e:82:a0:59 brd ff:ff:ff:ff:ff:ff inet 203.0.113.101/24 scope global qg-374587d7-2a valid_lft forever preferred_lft forever inet6 fe80::f816:3eff:fe82:a059/64 scope link valid_lft forever preferred_lft forever[backcolor=rgb(245, 245, 245) !important][url=][/url]
) H+ l& D1 u7 K& N9 [! `4 r5 _7 m4 T$ K) t; N; \9 c' M
9 V4 V- B* ~ ^网络节点2:2 r8 @) a9 O; V6 c( P/ D
[backcolor=rgb(245, 245, 245) !important][url=][/url]% Y7 H$ S) ]& i6 S
$ ip netns exec qrouter-7a46dba8-8846-498c-9e10-588664558473 ip addr show11: ha-90d1a59f-b1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default link/ether fa:16:3e:ae:3b:22 brd ff:ff:ff:ff:ff:ff inet 169.254.192.2/18 brd 169.254.255.255 scope global ha-90d1a59f-b1 valid_lft forever preferred_lft forever inet6 fe80::f816:3eff:feae:3b22/64 scope link valid_lft forever preferred_lft forever12: qr-8de3e172-53: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default link/ether fa:16:3e:10:9f:f6 brd ff:ff:ff:ff:ff:ff inet6 fe80::f816:3eff:fe10:9ff6/64 scope link valid_lft forever preferred_lft forever13: qg-374587d7-2a: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default link/ether fa:16:3e:82:a0:59 brd ff:ff:ff:ff:ff:ff inet6 fe80::f816:3eff:fe82:a059/64 scope link valid_lft forever preferred_lft forever[backcolor=rgb(245, 245, 245) !important][url=][/url]" u3 U( c) Z* W e: U# q# l
7 j- N' P' W9 ~+ M) U: i在每个网络节点上,qrouter命名空间应该包括ha、qr和qg接口。在主节点上,qr接口包含项目网络网关IP地址,qg接口包含外部网络上的项目路由器IP地址。在备份节点上,qr和qg接口不应该包含IP地址。在这两个节点上,ha接口应该在169.254.192.0 / 18范围内包含唯一的IP地址。
/ [" b9 J8 d9 Z3 `7.在网络节点上,在适当的网络接口上从主节点HA接口IP地址验证VRRP advertisements :
- L7 F1 k, g7 i v网络节点1: [backcolor=rgb(245, 245, 245) !important][url=][/url]
2 B. |9 Z9 ^( W$ tcpdump -lnpi eth116:50:16.857294 IP 169.254.192.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 50, authtype none, intvl 2s, length 2016:50:18.858436 IP 169.254.192.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 50, authtype none, intvl 2s, length 2016:50:20.859677 IP 169.254.192.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 50, authtype none, intvl 2s, length 20[backcolor=rgb(245, 245, 245) !important][url=][/url]5 H! V7 x, g# @2 M+ j. |
) |) k: |0 q5 d4 V3 t' e; F4 y9 L" Z2 I D2 T
网络节点2: [backcolor=rgb(245, 245, 245) !important][url=][/url]
8 l" O" R2 a! ^, o, g, ]3 v$ tcpdump -lnpi eth116:51:44.911640 IP 169.254.192.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 50, authtype none, intvl 2s, length 2016:51:46.912591 IP 169.254.192.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 50, authtype none, intvl 2s, length 2016:51:48.913900 IP 169.254.192.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 50, authtype none, intvl 2s, length 20[backcolor=rgb(245, 245, 245) !important][url=][/url]
, p# V! t/ k( f4 ?( ]
" H8 o& l, l% `& r, i) ^7 |& ~; C) q5 k) p
示例输出使用网络接口eth1。
& c" [. f) S. d! L1 ]4 O1 S, w- x+ }: z3 J
8.在路由器上确定项目网络的外部网络网关IP地址,通常是外部子网IP分配范围内的最低IP地址: [backcolor=rgb(245, 245, 245) !important][url=][/url]% Z m% s9 W7 Y }' C
$ neutron router-port-list demo-router+--------------------------------------+-------------------------------------------------+-------------------+----------------------------------------------------------------------------------------+| id | name | mac_address | fixed_ips |+--------------------------------------+-------------------------------------------------+-------------------+----------------------------------------------------------------------------------------+| 255d2e4b-33ba-4166-a13f-6531122641fe | HA port tenant 443cd1596b2e46d49965750771ebbfe1 | fa:16:3e:25:05:d7 | {"subnet_id": "8e8e4c7d-fa38-417d-a4e3-03ee5ab5493c", "ip_address": "169.254.192.1"} || 374587d7-2acd-4156-8993-4294f788b55e | | fa:16:3e:82:a0:59 | {"subnet_id": "b32e0efc-8cc3-43ff-9899-873b94df0db1", "ip_address": "203.0.113.101"} || 8de3e172-5317-4c87-bdc1-f69e359de92e | | fa:16:3e:10:9f:f6 | {"subnet_id": "2945790c-5999-4693-b8e7-50a9fc7f46f5", "ip_address": "192.168.1.1"} || 90d1a59f-b122-459d-a94a-162a104de629 | HA port tenant 443cd1596b2e46d49965750771ebbfe1 | fa:16:3e:ae:3b:22 | {"subnet_id": "8e8e4c7d-fa38-417d-a4e3-03ee5ab5493c", "ip_address": "169.254.192.2"} |+--------------------------------------+-------------------------------------------------+-------------------+----------------------------------------------------------------------------------------+[backcolor=rgb(245, 245, 245) !important][url=][/url]( A- C+ I3 R0 f1 @9 _! C
- i9 m6 k4 p* o2 {" i5 d4 q
* d5 |2 ^" {" H
6 I9 ^6 Q! |6 _9.在控制器节点或任何有访问外部网络的主机上,在项目路由器上ping外部网络网关IP地址: [backcolor=rgb(245, 245, 245) !important][url=][/url]+ Q, H7 G0 q7 ]6 [
$ ping -c 4 203.0.113.101PING 203.0.113.101 (203.0.113.101) 56(84) bytes of data.64 bytes from 203.0.113.101: icmp_req=1 ttl=64 time=0.619 ms64 bytes from 203.0.113.101: icmp_req=2 ttl=64 time=0.189 ms64 bytes from 203.0.113.101: icmp_req=3 ttl=64 time=0.165 ms64 bytes from 203.0.113.101: icmp_req=4 ttl=64 time=0.216 ms--- 203.0.113.101 ping statistics ---4 packets transmitted, 4 received, 0% packet loss, time 2999msrtt min/avg/max/mdev = 0.165/0.297/0.619/0.187 ms[backcolor=rgb(245, 245, 245) !important][url=][/url]
4 X9 j0 V2 m X8 ^; ^. w$ ?# ]1 b2 R
; _4 T2 s* D% K8 o7 ^ o; E' |) C6 t) N2 H6 q
10.提供常规项目凭证。下面的步骤使用演示项目。) h8 r; d" h5 \3 t7 N
9 p3 O5 t0 Z) M11.创建适当的安全组规则,允许ping和SSH访问实例。例如: [backcolor=rgb(245, 245, 245) !important][url=][/url]* F, t9 p" @' Z# r2 H, K9 X% r- h
$ nova secgroup-add-rule default icmp -1 -1 0.0.0.0/0+-------------+-----------+---------+-----------+--------------+| IP Protocol | From Port | To Port | IP Range | Source Group |+-------------+-----------+---------+-----------+--------------+| icmp | -1 | -1 | 0.0.0.0/0 | |+-------------+-----------+---------+-----------+--------------+$ nova secgroup-add-rule default tcp 22 22 0.0.0.0/0+-------------+-----------+---------+-----------+--------------+| IP Protocol | From Port | To Port | IP Range | Source Group |+-------------+-----------+---------+-----------+--------------+| tcp | 22 | 22 | 0.0.0.0/0 | |+-------------+-----------+---------+-----------+--------------+[backcolor=rgb(245, 245, 245) !important][url=][/url]
! ~$ A2 B7 e. v1 u- G7 t1 d4 x
* p0 j2 M/ M0 r5 p- m7 C7 S! E! k( V
12.在项目网络上启动一个具有接口的实例。例如,使用现有的CirrOS镜像:
0 q5 _* C Y5 p/ i% X$ K[backcolor=rgb(245, 245, 245) !important][url=][/url]
3 {; E/ G k& I$ nova boot --flavor m1.tiny --image cirros \ --nic net-id=7ac9a268-1ddd-453f-857b-0fd9552b645f demo-instance1+--------------------------------------+-----------------------------------------------+| Property | Value |+--------------------------------------+-----------------------------------------------+| OS-DCF:diskConfig | MANUAL || OS-EXT-AZ:availability_zone | nova || OS-EXT-STS:power_state | 0 || OS-EXT-STS:task_state | scheduling || OS-EXT-STS:vm_state | building || OS-SRV-USG:launched_at | - || OS-SRV-USG:terminated_at | - || accessIPv4 | || accessIPv6 | || adminPass | Z3uAd2utPUNu || config_drive | || created | 2015-08-10T15:06:24Z || flavor | m1.tiny (1) || hostId | || id | 77149598-c839-400f-b948-db6993f0b40b || image | cirros (125733d9-8d37-4d70-9a64-1c989cfa8e9c) || key_name | || metadata | {} || name | demo-instance1 || os-extended-volumes:volumes_attached | [] || progress | 0 || security_groups | default || status | BUILD || tenant_id | 443cd1596b2e46d49965750771ebbfe1 || updated | 2015-08-10T15:06:25Z || user_id | bdd4e165bdf94b258ddd4856340ed01c |+--------------------------------------+-----------------------------------------------+[backcolor=rgb(245, 245, 245) !important][url=][/url]
4 m; _* m+ S2 l# E \& r$ n: `
3 D) A- w! I5 `( `' K! J1 m& ] H& x, K. o1 e; h# N) W
13.获得对实例的控制台访问。 [backcolor=rgb(245, 245, 245) !important][url=][/url]- \) i. h4 e, r3 M {0 h* b7 H
* a8 m5 h! M2 ?" G( S( Y1.测试连接到项目路由器:$ ping -c 4 192.168.1.1PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.64 bytes from 192.168.1.1: icmp_req=1 ttl=64 time=0.357 ms64 bytes from 192.168.1.1: icmp_req=2 ttl=64 time=0.473 ms64 bytes from 192.168.1.1: icmp_req=3 ttl=64 time=0.504 ms64 bytes from 192.168.1.1: icmp_req=4 ttl=64 time=0.470 ms--- 192.168.1.1 ping statistics ---4 packets transmitted, 4 received, 0% packet loss, time 2998msrtt min/avg/max/mdev = 0.357/0.451/0.504/0.055 ms2.测试连接到互联网:$ ping -c 4 openstack.orgPING openstack.org (174.143.194.225) 56(84) bytes of data.64 bytes from 174.143.194.225: icmp_req=1 ttl=53 time=17.4 ms64 bytes from 174.143.194.225: icmp_req=2 ttl=53 time=17.5 ms64 bytes from 174.143.194.225: icmp_req=3 ttl=53 time=17.7 ms64 bytes from 174.143.194.225: icmp_req=4 ttl=53 time=17.5 ms--- openstack.org ping statistics ---4 packets transmitted, 4 received, 0% packet loss, time 3003msrtt min/avg/max/mdev = 17.431/17.575/17.734/0.143 ms# J8 ^2 n P) W2 E6 Z: p
[backcolor=rgb(245, 245, 245) !important][url=][/url]
# _! \6 r P- t2 x8 A
9 D$ P- ^3 y1 [0 i5 E" B' U/ [3 \. n, t- i. d8 ]) l6 s+ C
14.在外部网络上创建浮动IP地址: [backcolor=rgb(245, 245, 245) !important][url=][/url]
) f$ Z( r8 T2 x6 y6 i' R$ neutron floatingip-create ext-netCreated a new floatingip:+---------------------+--------------------------------------+| Field | Value |+---------------------+--------------------------------------+| fixed_ip_address | || floating_ip_address | 203.0.113.102 || floating_network_id | 5266fcbc-d429-4b21-8544-6170d1691826 || id | 20a6b5dd-1c5c-460e-8a81-8b5cf1739307 || port_id | || router_id | || status | DOWN || tenant_id | 443cd1596b2e46d49965750771ebbfe1 |+---------------------+--------------------------------------+[backcolor=rgb(245, 245, 245) !important][url=][/url]
; O$ i6 ?! E. T, o+ W7 F
' H1 z/ k& r, u+ T6 A
0 f6 T' f& t1 b15.将浮动IP地址与实例关联: $ nova floating-ip-associate demo-instance1 203.0.113.102
4 S; L& @3 u/ S+ u5 F7 x4 e, t6 D1 S, S
16.验证添加到实例的浮动IP地址: [backcolor=rgb(245, 245, 245) !important][url=][/url]5 ^" k6 j1 M% R$ R
$ nova list+--------------------------------------+----------------+--------+------------+-------------+-----------------------------------------+| ID | Name | Status | Task State | Power State | Networks |+--------------------------------------+----------------+--------+------------+-------------+-----------------------------------------+| 77149598-c839-400f-b948-db6993f0b40b | demo-instance1 | ACTIVE | - | Running | demo-net=192.168.1.3, 203.0.113.102 |+--------------------------------------+----------------+--------+------------+-------------+-----------------------------------------+[backcolor=rgb(245, 245, 245) !important][url=][/url]
) t8 `* m$ w$ w; o6 z0 X% |3 f9 W' X. F T% j" m' D6 h! P
) a; X `% _' ^ k
17.在控制器节点或任何访问外部网络的主机上,ping与实例关联的浮动IP地址: 3 u3 K# a7 k2 L6 b
[backcolor=rgb(245, 245, 245) !important][url=][/url]
* K' e/ E# j& t2 `& F E$ ping -c 4 203.0.113.102PING 203.0.113.102 (203.0.113.112) 56(84) bytes of data.64 bytes from 203.0.113.102: icmp_req=1 ttl=63 time=3.18 ms64 bytes from 203.0.113.102: icmp_req=2 ttl=63 time=0.981 ms64 bytes from 203.0.113.102: icmp_req=3 ttl=63 time=1.06 ms64 bytes from 203.0.113.102: icmp_req=4 ttl=63 time=0.929 ms--- 203.0.113.102 ping statistics ---4 packets transmitted, 4 received, 0% packet loss, time 3002msrtt min/avg/max/mdev = 0.929/1.539/3.183/0.951 ms
$ L* D4 e1 \7 T1 f4 f4 c) o |
发表于 2021-6-25 11:21:40
