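One controller node with a management network interface.

Two network nodes with four network interfaces: management, project tunnel networks, project VLAN networks, and external (typically the Internet). The Open vSwitch bridge br-vlan must contain a port on the VLAN interface, and the Open vSwitch bridge br-ex must contain a port on the external interface.

At least one compute node with three network interfaces: management, project tunnel networks, and project VLAN networks. The Open vSwitch bridge br-vlan must contain a port on the VLAN interface.

To improve understanding of network traffic flow, the network and compute nodes contain a separate network interface for project VLAN networks. In a production environment, project VLAN networks can use any Open vSwitch bridge with access to a network interface, for example the br-tun bridge.

In the example configuration, the management network uses 10.0.0.0/24, the tunnel network uses 10.0.1.0/24, the VRRP network uses 169.254.192.0/18, and the external network uses 203.0.113.0/24. The VLAN network does not require an IP address range because it only handles layer-2 connectivity.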
Hardware requirements

Network layout

Service layout

Note: For VLAN external and project networks, the network infrastructure must support VLAN tagging. For best performance with VXLAN and GRE project networks, the network infrastructure should support jumbo frames.

OpenStack services on the controller node

Appropriate configuration for the database server in the neutron.conf file.
Appropriate configuration for the message queue service in the neutron.conf file.
Appropriate configuration for the OpenStack Identity (keystone) service in the neutron.conf file.
Appropriate configuration in the nova.conf file for the OpenStack Compute controller/management service to use OpenStack Networking.
Neutron server service, ML2 plug-in, and any dependencies.

OpenStack services on the network nodes

Appropriate configuration for the OpenStack Identity (keystone) service in the neutron.conf file.
Open vSwitch service, ML2 plug-in, Open vSwitch agent, L3 agent, DHCP agent, metadata agent, and any dependencies.

OpenStack services on the compute nodes

Appropriate configuration for the OpenStack Identity (keystone) service in the neutron.conf file.
Appropriate configuration in the nova.conf file for the OpenStack Compute controller/management service to use OpenStack Networking.
Open vSwitch service, ML2 plug-in, Open vSwitch agent, and any dependencies.

Architecture

General architecture

The network nodes contain the following components:

Open vSwitch agent, which manages connectivity among virtual switches and interacts, via virtual ports, with other network components such as namespaces, Linux bridges, and underlying interfaces.

DHCP agent, which manages the qdhcp namespaces. The qdhcp namespaces provide DHCP services for instances using project networks.

L3 agent, which uses keepalived to manage the qrouter namespaces and VRRP. The qrouter namespaces provide routing between project and external networks and among project networks. They also route metadata traffic between instances and the metadata agent.

Metadata agent, which handles metadata operations for instances.

Network node components: overview

Network node components: connectivity

The compute nodes contain the following components:

1. Open vSwitch agent, which manages connectivity among virtual switches and interacts, via virtual ports, with other network components such as namespaces, Linux bridges, and underlying interfaces.

2. Linux bridges, which handle security groups.

Note: Due to limitations with Open vSwitch and iptables, the Networking service uses a Linux bridge to manage security groups for instances.

Compute node components: overview

Compute node components: connectivity

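Packet flow

The L3HA mechanism simply augments the Open vSwitch scenario with quick failover to another router if the master router fails.

During normal operation, the master router periodically transmits heartbeat packets over a hidden project network that connects all HA routers for a particular project. By default, this network uses the type indicated by the first value in the tenant_network_types option in /etc/neutron/plugins/ml2_conf.ini.

If a backup router stops receiving these packets, it assumes that the master router has failed and promotes itself to master by configuring IP addresses in the qrouter namespace. In environments with more than one backup router, the router with the next highest priority becomes the master router.

Note: The L3HA mechanism uses the same priority for all routers. Therefore, VRRP promotes the backup router with the highest IP address to master.
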
Example configuration

Use the following example configuration as a template to deploy this scenario in your environment.

Controller node

1. Configure common options. Edit the /etc/neutron/neutron.conf file:

    [DEFAULT]
    verbose = True
    core_plugin = ml2
    service_plugins = router
    allow_overlapping_ips = True
    router_distributed = False
    l3_ha = True
    l3_ha_net_cidr = 169.254.192.0/18
    max_l3_agents_per_router = 3
    min_l3_agents_per_router = 2
    dhcp_agents_per_network = 2

2. Configure the ML2 plug-in. Edit the /etc/neutron/plugins/ml2/ml2_conf.ini file:

    [ml2]
    type_drivers = flat,vlan,gre,vxlan
    tenant_network_types = vlan,gre,vxlan
    mechanism_drivers = openvswitch

    [ml2_type_flat]
    flat_networks = external

    [ml2_type_vlan]
    network_vlan_ranges = external,vlan:MIN_VLAN_ID:MAX_VLAN_ID

    [ml2_type_gre]
    tunnel_id_ranges = MIN_GRE_ID:MAX_GRE_ID

    [ml2_type_vxlan]
    vni_ranges = MIN_VXLAN_ID:MAX_VXLAN_ID
    vxlan_group = 239.1.1.1

    [securitygroup]
    firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
    enable_security_group = True
    enable_ipset = True

Replace MIN_VLAN_ID, MAX_VLAN_ID, MIN_GRE_ID, MAX_GRE_ID, MIN_VXLAN_ID, and MAX_VXLAN_ID with the VLAN, GRE, and VXLAN ID minimum and maximum values suitable for your environment.

Note: The first value in the tenant_network_types option becomes the default project network type when a regular user creates a network. The external value in the network_vlan_ranges option lacks a VLAN ID range so that administrative users can use arbitrary VLAN IDs.

3. Start the services.

Network node

1. Configure the kernel to enable packet forwarding and disable reverse path filtering. Edit the /etc/sysctl.conf file:

    net.ipv4.ip_forward=1
    net.ipv4.conf.default.rp_filter=0
    net.ipv4.conf.all.rp_filter=0

2. Load the new kernel configuration:

    $ sysctl -p

3. Configure common options. Edit the /etc/neutron/neutron.conf file:

    [DEFAULT]
    verbose = True

4. Configure the Open vSwitch agent. Edit the /etc/neutron/plugins/ml2/ml2_conf.ini file:

    [ovs]
    local_ip = TUNNEL_INTERFACE_IP_ADDRESS
    bridge_mappings = vlan:br-vlan,external:br-ex

    [agent]
    tunnel_types = gre,vxlan
    l2_population = False

    [securitygroup]
    firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
    enable_security_group = True
    enable_ipset = True

Replace TUNNEL_INTERFACE_IP_ADDRESS with the IP address of the interface that handles GRE/VXLAN project networks.

5. Configure the L3 agent. Edit the /etc/neutron/l3_agent.ini file:

    [DEFAULT]
    verbose = True
    interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
    use_namespaces = True
    external_network_bridge =
    router_delete_namespaces = True
    agent_mode = legacy

Note: The external_network_bridge option intentionally contains no value.

6. Configure the DHCP agent. Edit the /etc/neutron/dhcp_agent.ini file:

    [DEFAULT]
    verbose = True
    interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
    dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq
    use_namespaces = True
    dhcp_delete_namespaces = True

7. (Optional) Reduce the MTU for VXLAN project networks.

    1. Edit the /etc/neutron/dhcp_agent.ini file:

        [DEFAULT]
        dnsmasq_config_file = /etc/neutron/dnsmasq-neutron.conf

    2. Edit the /etc/neutron/dnsmasq-neutron.conf file:

        dhcp-option-force=26,1450

8. Configure the metadata agent. Edit the /etc/neutron/metadata_agent.ini file:

    [DEFAULT]
    verbose = True
    nova_metadata_ip = controller
    metadata_proxy_shared_secret = METADATA_SECRET

Replace METADATA_SECRET with a suitable value for your environment.

9. Start the following services:

    Open vSwitch
    Open vSwitch agent
    L3 agent
    DHCP agent
    Metadata agent

Compute node

1. Configure the kernel to enable iptables on bridges and disable reverse path filtering. Edit the /etc/sysctl.conf file:

    net.ipv4.conf.default.rp_filter=0
    net.ipv4.conf.all.rp_filter=0
    net.bridge.bridge-nf-call-iptables=1
    net.bridge.bridge-nf-call-ip6tables=1

2. Load the new kernel configuration:

    $ sysctl -p

3. Configure common options. Edit the /etc/neutron/neutron.conf file:

    [DEFAULT]
    verbose = True

4. Configure the Open vSwitch agent. Edit the /etc/neutron/plugins/ml2/ml2_conf.ini file:

    [ovs]
    local_ip = TUNNEL_INTERFACE_IP_ADDRESS
    bridge_mappings = vlan:br-vlan

    [agent]
    tunnel_types = gre,vxlan
    l2_population = False

    [securitygroup]
    firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
    enable_security_group = True
    enable_ipset = True

Replace TUNNEL_INTERFACE_IP_ADDRESS with the IP address of the interface that handles GRE/VXLAN project networks.

5. Start the following services:

    Open vSwitch
    Open vSwitch agent

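A pre-start check for the configuration files above, as an added Python example (not part of the original post or of OpenStack): it flags placeholders that were never replaced, such as METADATA_SECRET, and ID ranges that fall outside the VLAN, GRE and VXLAN ID spaces. The sample text is constructed and merges options from several of the page's files; audit() and the other names are illustrative.

```python
import configparser
import ipaddress

# Placeholder tokens that the page's sample files expect you to replace.
PLACEHOLDERS = ("MIN_VLAN_ID", "MAX_VLAN_ID", "MIN_GRE_ID", "MAX_GRE_ID",
                "MIN_VXLAN_ID", "MAX_VXLAN_ID", "TUNNEL_INTERFACE_IP_ADDRESS",
                "METADATA_SECRET")
# Highest usable ID per option: 802.1Q VLAN ID, 32-bit GRE key, 24-bit VXLAN VNI.
ID_LIMITS = {"network_vlan_ranges": 4094, "tunnel_id_ranges": 2**32 - 1,
             "vni_ranges": 2**24 - 1}

# Constructed sample: options from the page's ml2_conf.ini and
# metadata_agent.ini merged into one text, with three deliberate mistakes.
SAMPLE = """\
[ml2_type_vlan]
network_vlan_ranges = external,vlan:100:5000
[ml2_type_gre]
tunnel_id_ranges = MIN_GRE_ID:MAX_GRE_ID
[ml2_type_vxlan]
vni_ranges = 1:1000
[ovs]
local_ip = 10.0.1.21
bridge_mappings = vlan:br-vlan,external:br-ex
[securitygroup]
enable_security_group = True
[DEFAULT]
metadata_proxy_shared_secret = METADATA_SECRET
"""


def range_problems(option, value):
    """Validate comma-separated MIN:MAX entries of one range option."""
    problems, limit = [], ID_LIMITS[option]
    for entry in filter(None, (e.strip() for e in value.split(","))):
        parts = entry.split(":")
        if option == "network_vlan_ranges":
            if len(parts) == 1:      # bare physical network, no VLAN ID range
                continue
            parts = parts[1:]        # drop the physical network name
        if len(parts) != 2 or not all(p.isdigit() for p in parts):
            problems.append(f"malformed range {entry!r}")
            continue
        low, high = int(parts[0]), int(parts[1])
        if not 1 <= low <= high <= limit:
            problems.append(f"{entry!r} is outside 1..{limit}")
    return problems


def audit(text):
    """Return a list of findings for one neutron INI text."""
    # Use an unused default section so [DEFAULT] is read like any other section.
    cp = configparser.ConfigParser(default_section="__unused__", interpolation=None)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        for option, value in cp[section].items():
            where = f"[{section}] {option}"
            left = [p for p in PLACEHOLDERS if p in value]
            if left:
                findings.append(f"{where}: placeholder {', '.join(left)} not replaced")
            elif option in ID_LIMITS:
                findings += [f"{where}: {p}" for p in range_problems(option, value)]
            elif option == "local_ip":
                try:
                    ipaddress.ip_address(value.strip())
                except ValueError:
                    findings.append(f"{where}: {value!r} is not an IP address")
            elif option == "enable_security_group" and value.strip().lower() != "true":
                findings.append(f"{where}: security groups are disabled")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FINDING:", finding)
```
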
Verify service operation

1. Source the administrative project credentials.

2. Verify presence and operation of the agents:

    $ neutron agent-list
    +--------------------------------------+--------------------+----------+-------+----------------+---------------------------+
    | id                                   | agent_type         | host     | alive | admin_state_up | binary                    |
    +--------------------------------------+--------------------+----------+-------+----------------+---------------------------+
    | 0bfe5b5d-0b82-434e-b8a0-524cc18da3a4 | DHCP agent         | network1 | :-)   | True           | neutron-dhcp-agent        |
    | 25224bd5-0905-4ec9-9f2d-3b17cdaf5650 | Open vSwitch agent | compute2 | :-)   | True           | neutron-openvswitch-agent |
    | 29afe014-273d-42f3-ad71-8a226e40dea6 | L3 agent           | network1 | :-)   | True           | neutron-l3-agent          |
    | 3bed5093-e46c-4b0f-9460-3309c62254a3 | DHCP agent         | network2 | :-)   | True           | neutron-dhcp-agent        |
    | 54aefb1c-35f7-4ebf-a848-3bb4fe81dcf7 | Open vSwitch agent | network1 | :-)   | True           | neutron-openvswitch-agent |
    | 91c9cc03-1678-4d7a-b0a7-fa1ac24e5516 | Open vSwitch agent | compute1 | :-)   | True           | neutron-openvswitch-agent |
    | ac7b3f77-7e4d-47a6-9dbd-3358cfb67b61 | Open vSwitch agent | network2 | :-)   | True           | neutron-openvswitch-agent |
    | ceef5c49-3148-4c39-9e15-4985fc995113 | Metadata agent     | network1 | :-)   | True           | neutron-metadata-agent    |
    | d27ac19b-fb4d-4fec-b81d-e8c65557b6ec | L3 agent           | network2 | :-)   | True           | neutron-l3-agent          |
    | f072a1ec-f842-4223-a6b6-ec725419be85 | Metadata agent     | network2 | :-)   | True           | neutron-metadata-agent    |
    +--------------------------------------+--------------------+----------+-------+----------------+---------------------------+

Create initial networks

This example creates a flat external network and a VXLAN project network.

1. Source the administrative project credentials.

2. Create the external network:

    $ neutron net-create ext-net --router:external True \
      --provider:physical_network external --provider:network_type flat
    Created a new network:
    +---------------------------+--------------------------------------+
    | Field                     | Value                                |
    +---------------------------+--------------------------------------+
    | admin_state_up            | True                                 |
    | id                        | 5266fcbc-d429-4b21-8544-6170d1691826 |
    | name                      | ext-net                              |
    | provider:network_type     | flat                                 |
    | provider:physical_network | external                             |
    | provider:segmentation_id  |                                      |
    | router:external           | True                                 |
    | shared                    | False                                |
    | status                    | ACTIVE                               |
    | subnets                   |                                      |
    | tenant_id                 | 96393622940e47728b6dcdb2ef405f50     |
    +---------------------------+--------------------------------------+

3. Create a subnet on the external network:

    $ neutron subnet-create ext-net 203.0.113.0/24 --name ext-subnet \
      --allocation-pool start=203.0.113.101,end=203.0.113.200 \
      --disable-dhcp --gateway 203.0.113.1
    Created a new subnet:
    +-------------------+----------------------------------------------------+
    | Field             | Value                                              |
    +-------------------+----------------------------------------------------+
    | allocation_pools  | {"start": "203.0.113.101", "end": "203.0.113.200"} |
    | cidr              | 203.0.113.0/24                                     |
    | dns_nameservers   |                                                    |
    | enable_dhcp       | False                                              |
    | gateway_ip        | 203.0.113.1                                        |
    | host_routes       |                                                    |
    | id                | b32e0efc-8cc3-43ff-9899-873b94df0db1               |
    | ip_version        | 4                                                  |
    | ipv6_address_mode |                                                    |
    | ipv6_ra_mode      |                                                    |
    | name              | ext-subnet                                         |
    | network_id        | 5266fcbc-d429-4b21-8544-6170d1691826               |
    | tenant_id         | 96393622940e47728b6dcdb2ef405f50                   |
    +-------------------+----------------------------------------------------+

Note: The example configuration contains vlan as the first project network type. Only administrative users can create other types of networks, such as GRE or VXLAN. The following commands use the admin project credentials to create a VXLAN project network.

1. Obtain the ID of a regular project. For example, using the demo project:

    $ openstack project show demo
    +-------------+----------------------------------+
    | Field       | Value                            |
    +-------------+----------------------------------+
    | description | Demo Tenant                      |
    | enabled     | True                             |
    | id          | 443cd1596b2e46d49965750771ebbfe1 |
    | name        | demo                             |
    +-------------+----------------------------------+

2. Create the project network:

    $ neutron net-create demo-net \
      --tenant-id 443cd1596b2e46d49965750771ebbfe1 \
      --provider:network_type vxlan
    Created a new network:
    +---------------------------+--------------------------------------+
    | Field                     | Value                                |
    +---------------------------+--------------------------------------+
    | admin_state_up            | True                                 |
    | id                        | 7ac9a268-1ddd-453f-857b-0fd9552b645f |
    | name                      | demo-net                             |
    | provider:network_type     | vxlan                                |
    | provider:physical_network |                                      |
    | provider:segmentation_id  | 1                                    |
    | router:external           | False                                |
    | shared                    | False                                |
    | status                    | ACTIVE                               |
    | subnets                   |                                      |
    | tenant_id                 | 443cd1596b2e46d49965750771ebbfe1     |
    +---------------------------+--------------------------------------+

3. Source the regular project credentials. The following steps use the demo project.

4. Create a subnet on the project network:

    $ neutron subnet-create demo-net 192.168.1.0/24 --name demo-subnet \
      --gateway 192.168.1.1
    Created a new subnet:
    +-------------------+--------------------------------------------------+
    | Field             | Value                                            |
    +-------------------+--------------------------------------------------+
    | allocation_pools  | {"start": "192.168.1.2", "end": "192.168.1.254"} |
    | cidr              | 192.168.1.0/24                                   |
    | dns_nameservers   |                                                  |
    | enable_dhcp       | True                                             |
    | gateway_ip        | 192.168.1.1                                      |
    | host_routes       |                                                  |
    | id                | 2945790c-5999-4693-b8e7-50a9fc7f46f5             |
    | ip_version        | 4                                                |
    | ipv6_address_mode |                                                  |
    | ipv6_ra_mode      |                                                  |
    | name              | demo-subnet                                      |
    | network_id        | 7ac9a268-1ddd-453f-857b-0fd9552b645f             |
    | tenant_id         | 443cd1596b2e46d49965750771ebbfe1                 |
    +-------------------+--------------------------------------------------+

5. Create a project router:

    $ neutron router-create demo-router
    Created a new router:
    +-----------------------+--------------------------------------+
    | Field                 | Value                                |
    +-----------------------+--------------------------------------+
    | admin_state_up        | True                                 |
    | distributed           | False                                |
    | external_gateway_info |                                      |
    | ha                    | True                                 |
    | id                    | 7a46dba8-8846-498c-9e10-588664558473 |
    | name                  | demo-router                          |
    | routes                |                                      |
    | status                | ACTIVE                               |
    | tenant_id             | 443cd1596b2e46d49965750771ebbfe1     |
    +-----------------------+--------------------------------------+

Note: The default policy.json file allows only administrative projects to enable or disable HA during router creation and to view the HA flag of a router.

6. Add the project subnet as an interface on the router:

    $ neutron router-interface-add demo-router demo-subnet
    Added interface 8de3e172-5317-4c87-bdc1-f69e359de92e to router demo-router.

7. Add a gateway to the external network on the router:

    $ neutron router-gateway-set demo-router ext-net
    Set gateway for router demo-router

Verify network operation

1. Source the administrative project credentials.

2. On the controller node, verify creation of the HA network:

    $ neutron net-list
    +--------------------------------------+----------------------------------------------------+-------------------------------------------------------+
    | id                                   | name                                               | subnets                                               |
    +--------------------------------------+----------------------------------------------------+-------------------------------------------------------+
    | 5266fcbc-d429-4b21-8544-6170d1691826 | ext-net                                            | b32e0efc-8cc3-43ff-9899-873b94df0db1 203.0.113.0/24   |
    | e029b568-0fd7-4d10-bb16-f9e014811d10 | HA network tenant 443cd1596b2e46d49965750771ebbfe1 | ee30083f-eb4c-41ea-8937-1bae65740af4 169.254.192.0/18 |
    | 7ac9a268-1ddd-453f-857b-0fd9552b645f | demo-net                                           | 2945790c-5999-4693-b8e7-50a9fc7f46f5 192.168.1.0/24   |
    +--------------------------------------+----------------------------------------------------+-------------------------------------------------------+

3. On the controller node, verify creation of the router on more than one network node:

    $ neutron l3-agent-list-hosting-router demo-router
    +--------------------------------------+----------+----------------+-------+----------+
    | id                                   | host     | admin_state_up | alive | ha_state |
    +--------------------------------------+----------+----------------+-------+----------+
    | 29afe014-273d-42f3-ad71-8a226e40dea6 | network1 | True           | :-)   | active   |
    | d27ac19b-fb4d-4fec-b81d-e8c65557b6ec | network2 | True           | :-)   | standby  |
    +--------------------------------------+----------+----------------+-------+----------+

Note: Older versions of python-neutronclient do not support the ha_state field.

4. On the controller node, verify creation of the HA ports on the demo-router router:

    $ neutron router-port-list demo-router
    +--------------------------------------+-------------------------------------------------+-------------------+----------------------------------------------------------------------------------------+
    | id                                   | name                                            | mac_address       | fixed_ips                                                                              |
    +--------------------------------------+-------------------------------------------------+-------------------+----------------------------------------------------------------------------------------+
    | 255d2e4b-33ba-4166-a13f-6531122641fe | HA port tenant 443cd1596b2e46d49965750771ebbfe1 | fa:16:3e:25:05:d7 | {"subnet_id": "8e8e4c7d-fa38-417d-a4e3-03ee5ab5493c", "ip_address": "169.254.192.1"}   |
    | 374587d7-2acd-4156-8993-4294f788b55e |                                                 | fa:16:3e:82:a0:59 | {"subnet_id": "b32e0efc-8cc3-43ff-9899-873b94df0db1", "ip_address": "203.0.113.101"}   |
    | 8de3e172-5317-4c87-bdc1-f69e359de92e |                                                 | fa:16:3e:10:9f:f6 | {"subnet_id": "2945790c-5999-4693-b8e7-50a9fc7f46f5", "ip_address": "192.168.1.1"}     |
    | 90d1a59f-b122-459d-a94a-162a104de629 | HA port tenant 443cd1596b2e46d49965750771ebbfe1 | fa:16:3e:ae:3b:22 | {"subnet_id": "8e8e4c7d-fa38-417d-a4e3-03ee5ab5493c", "ip_address": "169.254.192.2"}   |
    +--------------------------------------+-------------------------------------------------+-------------------+----------------------------------------------------------------------------------------+

5. On the network nodes, verify creation of the qrouter and qdhcp namespaces:

    Network node 1:

    $ ip netns
    qrouter-7a46dba8-8846-498c-9e10-588664558473

    Network node 2:

    $ ip netns
    qrouter-7a46dba8-8846-498c-9e10-588664558473

Both qrouter namespaces should use the same UUID.

Note: The qdhcp namespaces might not exist until an instance is launched.

6. On the network nodes, verify HA operation:

    Network node 1:

    $ ip netns exec qrouter-7a46dba8-8846-498c-9e10-588664558473 ip addr show
    11: ha-255d2e4b-33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default
        link/ether fa:16:3e:25:05:d7 brd ff:ff:ff:ff:ff:ff
        inet 169.254.192.1/18 brd 169.254.255.255 scope global ha-255d2e4b-33
           valid_lft forever preferred_lft forever
        inet6 fe80::f816:3eff:fe25:5d7/64 scope link
           valid_lft forever preferred_lft forever
    12: qr-8de3e172-53: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default
        link/ether fa:16:3e:10:9f:f6 brd ff:ff:ff:ff:ff:ff
        inet 192.168.1.1/24 scope global qr-8de3e172-53
           valid_lft forever preferred_lft forever
        inet6 fe80::f816:3eff:fe10:9ff6/64 scope link
           valid_lft forever preferred_lft forever
    13: qg-374587d7-2a: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default
        link/ether fa:16:3e:82:a0:59 brd ff:ff:ff:ff:ff:ff
        inet 203.0.113.101/24 scope global qg-374587d7-2a
           valid_lft forever preferred_lft forever
        inet6 fe80::f816:3eff:fe82:a059/64 scope link
           valid_lft forever preferred_lft forever

    Network node 2:

    $ ip netns exec qrouter-7a46dba8-8846-498c-9e10-588664558473 ip addr show
    11: ha-90d1a59f-b1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default
        link/ether fa:16:3e:ae:3b:22 brd ff:ff:ff:ff:ff:ff
        inet 169.254.192.2/18 brd 169.254.255.255 scope global ha-90d1a59f-b1
           valid_lft forever preferred_lft forever
        inet6 fe80::f816:3eff:feae:3b22/64 scope link
           valid_lft forever preferred_lft forever
    12: qr-8de3e172-53: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default
        link/ether fa:16:3e:10:9f:f6 brd ff:ff:ff:ff:ff:ff
        inet6 fe80::f816:3eff:fe10:9ff6/64 scope link
           valid_lft forever preferred_lft forever
    13: qg-374587d7-2a: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default
        link/ether fa:16:3e:82:a0:59 brd ff:ff:ff:ff:ff:ff
        inet6 fe80::f816:3eff:fe82:a059/64 scope link
           valid_lft forever preferred_lft forever

On each network node, the qrouter namespace should include the ha, qr, and qg interfaces. On the master node, the qr interface contains the project network gateway IP address and the qg interface contains the project router IP address on the external network. On the backup node, the qr and qg interfaces should not contain an IP address. On both nodes, the ha interface should contain a unique IP address in the 169.254.192.0/18 range.

7. On the network nodes, verify VRRP advertisements from the master node HA interface IP address on the appropriate network interface:

    Network node 1:

    $ tcpdump -lnpi eth1
    16:50:16.857294 IP 169.254.192.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 50, authtype none, intvl 2s, length 20
    16:50:18.858436 IP 169.254.192.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 50, authtype none, intvl 2s, length 20
    16:50:20.859677 IP 169.254.192.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 50, authtype none, intvl 2s, length 20

    Network node 2:

    $ tcpdump -lnpi eth1
    16:51:44.911640 IP 169.254.192.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 50, authtype none, intvl 2s, length 20
    16:51:46.912591 IP 169.254.192.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 50, authtype none, intvl 2s, length 20
    16:51:48.913900 IP 169.254.192.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 50, authtype none, intvl 2s, length 20

The example output uses network interface eth1.

8. Determine the external network gateway IP address for the project network on the router, typically the lowest IP address in the external subnet IP allocation range:

    $ neutron router-port-list demo-router
    +--------------------------------------+-------------------------------------------------+-------------------+----------------------------------------------------------------------------------------+
    | id                                   | name                                            | mac_address       | fixed_ips                                                                              |
    +--------------------------------------+-------------------------------------------------+-------------------+----------------------------------------------------------------------------------------+
    | 255d2e4b-33ba-4166-a13f-6531122641fe | HA port tenant 443cd1596b2e46d49965750771ebbfe1 | fa:16:3e:25:05:d7 | {"subnet_id": "8e8e4c7d-fa38-417d-a4e3-03ee5ab5493c", "ip_address": "169.254.192.1"}   |
    | 374587d7-2acd-4156-8993-4294f788b55e |                                                 | fa:16:3e:82:a0:59 | {"subnet_id": "b32e0efc-8cc3-43ff-9899-873b94df0db1", "ip_address": "203.0.113.101"}   |
    | 8de3e172-5317-4c87-bdc1-f69e359de92e |                                                 | fa:16:3e:10:9f:f6 | {"subnet_id": "2945790c-5999-4693-b8e7-50a9fc7f46f5", "ip_address": "192.168.1.1"}     |
    | 90d1a59f-b122-459d-a94a-162a104de629 | HA port tenant 443cd1596b2e46d49965750771ebbfe1 | fa:16:3e:ae:3b:22 | {"subnet_id": "8e8e4c7d-fa38-417d-a4e3-03ee5ab5493c", "ip_address": "169.254.192.2"}   |
    +--------------------------------------+-------------------------------------------------+-------------------+----------------------------------------------------------------------------------------+

9. On the controller node or any host with access to the external network, ping the external network gateway IP address on the project router:

    $ ping -c 4 203.0.113.101
    PING 203.0.113.101 (203.0.113.101) 56(84) bytes of data.
    64 bytes from 203.0.113.101: icmp_req=1 ttl=64 time=0.619 ms
    64 bytes from 203.0.113.101: icmp_req=2 ttl=64 time=0.189 ms
    64 bytes from 203.0.113.101: icmp_req=3 ttl=64 time=0.165 ms
    64 bytes from 203.0.113.101: icmp_req=4 ttl=64 time=0.216 ms

    --- 203.0.113.101 ping statistics ---
    4 packets transmitted, 4 received, 0% packet loss, time 2999ms
    rtt min/avg/max/mdev = 0.165/0.297/0.619/0.187 ms

10. Source the regular project credentials. The following steps use the demo project.

11. Create the appropriate security group rules to allow ping and SSH access to the instance. For example:

    $ nova secgroup-add-rule default icmp -1 -1 0.0.0.0/0
    +-------------+-----------+---------+-----------+--------------+
    | IP Protocol | From Port | To Port | IP Range  | Source Group |
    +-------------+-----------+---------+-----------+--------------+
    | icmp        | -1        | -1      | 0.0.0.0/0 |              |
    +-------------+-----------+---------+-----------+--------------+

    $ nova secgroup-add-rule default tcp 22 22 0.0.0.0/0
    +-------------+-----------+---------+-----------+--------------+
    | IP Protocol | From Port | To Port | IP Range  | Source Group |
    +-------------+-----------+---------+-----------+--------------+
    | tcp         | 22        | 22      | 0.0.0.0/0 |              |
    +-------------+-----------+---------+-----------+--------------+

12. Launch an instance with an interface on the project network. For example, using an existing CirrOS image:

    $ nova boot --flavor m1.tiny --image cirros \
      --nic net-id=7ac9a268-1ddd-453f-857b-0fd9552b645f demo-instance1
    +--------------------------------------+-----------------------------------------------+
    | Property                             | Value                                         |
    +--------------------------------------+-----------------------------------------------+
    | OS-DCF:diskConfig                    | MANUAL                                        |
    | OS-EXT-AZ:availability_zone          | nova                                          |
    | OS-EXT-STS:power_state               | 0                                             |
    | OS-EXT-STS:task_state                | scheduling                                    |
    | OS-EXT-STS:vm_state                  | building                                      |
    | OS-SRV-USG:launched_at               | -                                             |
    | OS-SRV-USG:terminated_at             | -                                             |
    | accessIPv4                           |                                               |
    | accessIPv6                           |                                               |
    | adminPass                            | Z3uAd2utPUNu                                  |
    | config_drive                         |                                               |
    | created                              | 2015-08-10T15:06:24Z                          |
    | flavor                               | m1.tiny (1)                                   |
    | hostId                               |                                               |
    | id                                   | 77149598-c839-400f-b948-db6993f0b40b          |
    | image                                | cirros (125733d9-8d37-4d70-9a64-1c989cfa8e9c) |
    | key_name                             |                                               |
    | metadata                             | {}                                            |
    | name                                 | demo-instance1                                |
    | os-extended-volumes:volumes_attached | []                                            |
    | progress                             | 0                                             |
    | security_groups                      | default                                       |
    | status                               | BUILD                                         |
    | tenant_id                            | 443cd1596b2e46d49965750771ebbfe1              |
    | updated                              | 2015-08-10T15:06:25Z                          |
    | user_id                              | bdd4e165bdf94b258ddd4856340ed01c              |
    +--------------------------------------+-----------------------------------------------+

13. Obtain console access to the instance.

    1. Test connectivity to the project router:

        $ ping -c 4 192.168.1.1
        PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
        64 bytes from 192.168.1.1: icmp_req=1 ttl=64 time=0.357 ms
        64 bytes from 192.168.1.1: icmp_req=2 ttl=64 time=0.473 ms
        64 bytes from 192.168.1.1: icmp_req=3 ttl=64 time=0.504 ms
        64 bytes from 192.168.1.1: icmp_req=4 ttl=64 time=0.470 ms

        --- 192.168.1.1 ping statistics ---
        4 packets transmitted, 4 received, 0% packet loss, time 2998ms
        rtt min/avg/max/mdev = 0.357/0.451/0.504/0.055 ms

    2. Test connectivity to the Internet:

        $ ping -c 4 openstack.org
        PING openstack.org (174.143.194.225) 56(84) bytes of data.
        64 bytes from 174.143.194.225: icmp_req=1 ttl=53 time=17.4 ms
        64 bytes from 174.143.194.225: icmp_req=2 ttl=53 time=17.5 ms
        64 bytes from 174.143.194.225: icmp_req=3 ttl=53 time=17.7 ms
        64 bytes from 174.143.194.225: icmp_req=4 ttl=53 time=17.5 ms

        --- openstack.org ping statistics ---
        4 packets transmitted, 4 received, 0% packet loss, time 3003ms
        rtt min/avg/max/mdev = 17.431/17.575/17.734/0.143 ms

14. Create a floating IP address on the external network:

    $ neutron floatingip-create ext-net
    Created a new floatingip:
    +---------------------+--------------------------------------+
    | Field               | Value                                |
    +---------------------+--------------------------------------+
    | fixed_ip_address    |                                      |
    | floating_ip_address | 203.0.113.102                        |
    | floating_network_id | 5266fcbc-d429-4b21-8544-6170d1691826 |
    | id                  | 20a6b5dd-1c5c-460e-8a81-8b5cf1739307 |
    | port_id             |                                      |
    | router_id           |                                      |
    | status              | DOWN                                 |
    | tenant_id           | 443cd1596b2e46d49965750771ebbfe1     |
    +---------------------+--------------------------------------+

15. Associate the floating IP address with the instance:

    $ nova floating-ip-associate demo-instance1 203.0.113.102

16. Verify addition of the floating IP address to the instance:

    $ nova list
    +--------------------------------------+----------------+--------+------------+-------------+-----------------------------------------+
    | ID                                   | Name           | Status | Task State | Power State | Networks                                |
    +--------------------------------------+----------------+--------+------------+-------------+-----------------------------------------+
    | 77149598-c839-400f-b948-db6993f0b40b | demo-instance1 | ACTIVE | -          | Running     | demo-net=192.168.1.3, 203.0.113.102     |
    +--------------------------------------+----------------+--------+------------+-------------+-----------------------------------------+

17. On the controller node or any host with access to the external network, ping the floating IP address associated with the instance:

    $ ping -c 4 203.0.113.102
    PING 203.0.113.102 (203.0.113.112) 56(84) bytes of data.
    64 bytes from 203.0.113.102: icmp_req=1 ttl=63 time=3.18 ms
    64 bytes from 203.0.113.102: icmp_req=2 ttl=63 time=0.981 ms
    64 bytes from 203.0.113.102: icmp_req=3 ttl=63 time=1.06 ms
    64 bytes from 203.0.113.102: icmp_req=4 ttl=63 time=0.929 ms

    --- 203.0.113.102 ping statistics ---
    4 packets transmitted, 4 received, 0% packet loss, time 3002ms
    rtt min/avg/max/mdev = 0.929/1.539/3.183/0.951 ms
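
The expectations from step 6 (exactly one master holding the qr and qg addresses, and a unique HA address per node inside 169.254.192.0/18) written as a check, as an added Python example that is not part of the original post. The function names are illustrative, and the two inputs are constructed by trimming the `ip addr show` output from step 6.

```python
import ipaddress
import re

HA_CIDR = ipaddress.ip_network("169.254.192.0/18")  # l3_ha_net_cidr used on this page

# Constructed samples: the `ip addr show` output from step 6, trimmed to the
# lines the check reads (interface headers and inet/inet6 addresses).
NETWORK1 = """\
11: ha-255d2e4b-33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    inet 169.254.192.1/18 brd 169.254.255.255 scope global ha-255d2e4b-33
    inet6 fe80::f816:3eff:fe25:5d7/64 scope link
12: qr-8de3e172-53: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    inet 192.168.1.1/24 scope global qr-8de3e172-53
    inet6 fe80::f816:3eff:fe10:9ff6/64 scope link
13: qg-374587d7-2a: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    inet 203.0.113.101/24 scope global qg-374587d7-2a
    inet6 fe80::f816:3eff:fe82:a059/64 scope link
"""
NETWORK2 = """\
11: ha-90d1a59f-b1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    inet 169.254.192.2/18 brd 169.254.255.255 scope global ha-90d1a59f-b1
    inet6 fe80::f816:3eff:feae:3b22/64 scope link
12: qr-8de3e172-53: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    inet6 fe80::f816:3eff:fe10:9ff6/64 scope link
13: qg-374587d7-2a: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    inet6 fe80::f816:3eff:fe82:a059/64 scope link
"""

IFACE_RE = re.compile(r"^\d+:\s+([^:@\s]+)(?:@\S+)?:\s")  # "11: ha-255d2e4b-33: <...>"
INET_RE = re.compile(r"^\s+inet\s+(\S+)")                 # IPv4 only, "inet6" does not match


def parse_ip_addr(text):
    """Map interface name -> list of IPv4 interfaces from `ip addr show` text."""
    ifaces, current = {}, None
    for line in text.splitlines():
        match = IFACE_RE.match(line)
        if match:
            current = match.group(1)
            ifaces[current] = []
            continue
        match = INET_RE.match(line)
        if match and current is not None:
            ifaces[current].append(ipaddress.ip_interface(match.group(1)))
    return ifaces


def check_l3ha(nodes, ha_cidr=HA_CIDR):
    """Check the step 6 expectations; nodes maps node name -> `ip addr show` text.

    Returns (master node name or None, list of findings).
    """
    findings, masters, ha_owner = [], [], {}
    for node, text in nodes.items():
        ifaces = parse_ip_addr(text)
        for prefix in ("ha-", "qr-", "qg-"):
            if not any(name.startswith(prefix) for name in ifaces):
                findings.append(f"{node}: namespace has no {prefix} interface")
        # One address per node inside the HA network, unique across nodes.
        ha_addrs = [a.ip for name, addrs in ifaces.items() if name.startswith("ha-")
                    for a in addrs if a.ip in ha_cidr]
        if len(ha_addrs) != 1:
            findings.append(f"{node}: expected 1 address in {ha_cidr} on ha-, "
                            f"found {len(ha_addrs)}")
        for ip in ha_addrs:
            if ip in ha_owner:
                findings.append(f"{node}: HA address {ip} is also configured on {ha_owner[ip]}")
            ha_owner.setdefault(ip, node)
        # Only the master carries IPv4 addresses on the qr-/qg- interfaces.
        routed = {n: a for n, a in ifaces.items() if n.startswith(("qr-", "qg-"))}
        if any(routed.values()):
            masters.append(node)
            for name, addrs in routed.items():
                if not addrs:
                    findings.append(f"{node}: holds router addresses but {name} has none")
    if not masters:
        findings.append("no node holds the router addresses: no master")
    elif len(masters) > 1:
        findings.append("split brain: router addresses configured on " + ", ".join(masters))
    return (masters[0] if len(masters) == 1 else None), findings


if __name__ == "__main__":
    master, findings = check_l3ha({"network1": NETWORK1, "network2": NETWORK2})
    print("master:", master)
    for finding in findings:
        print("FINDING:", finding)
```

Feed it the output of `ip netns exec qrouter-<router UUID> ip addr show` collected from each network node; a "split brain" finding means both nodes have configured the router addresses at once.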