[1] Change settings on Control Node.
[root@dlp ~(keystone)]# vi /etc/neutron/plugins/ml2/ml2_conf.ini
# add a value to [tenant_network_types]
[ml2]
type_drivers = flat,vlan,gre,vxlan
tenant_network_types = vxlan
# add to the end
[ml2_type_flat]
flat_networks = physnet1
[ml2_type_vxlan]
vni_ranges = 1:1000
[root@dlp ~(keystone)]# systemctl restart neutron-server
[2] Change settings on Network Node.
# add bridge
[root@network ~]# ovs-vsctl add-br br-eth1
# add [eth1] as a port of the bridge above
# replace the interface name [eth1] with the one in your own environment
[root@network ~]# ovs-vsctl add-port br-eth1 eth1
[root@network ~]# vi /etc/neutron/plugins/ml2/ml2_conf.ini
# add a value to [tenant_network_types]
[ml2]
type_drivers = flat,vlan,gre,vxlan
tenant_network_types = vxlan
# add to the end
[ml2_type_flat]
flat_networks = physnet1
[ml2_type_vxlan]
vni_ranges = 1:1000
[root@network ~]# vi /etc/neutron/plugins/ml2/openvswitch_agent.ini
# add to the end
[agent]
tunnel_types = vxlan
prevent_arp_spoofing = True
[ovs]
# specify IP address of this host for [local_ip]
local_ip = 10.0.0.50
bridge_mappings = physnet1:br-eth1
[root@network ~]# systemctl restart neutron-dhcp-agent neutron-l3-agent neutron-metadata-agent neutron-openvswitch-agent
# if Firewalld is running, allow the VXLAN port (UDP 4789)
[root@network ~]# firewall-cmd --add-port=4789/udp
[root@network ~]# firewall-cmd --runtime-to-permanent
[3] Change settings on Compute Node.
[root@node01 ~]# vi /etc/neutron/plugins/ml2/ml2_conf.ini
# add a value to [tenant_network_types]
[ml2]
type_drivers = flat,vlan,gre,vxlan
tenant_network_types = vxlan
# add to the end
[ml2_type_flat]
flat_networks = physnet1
[ml2_type_vxlan]
vni_ranges = 1:1000
[root@node01 ~]# vi /etc/neutron/plugins/ml2/openvswitch_agent.ini
# add to the end
[agent]
tunnel_types = vxlan
prevent_arp_spoofing = True
[ovs]
# specify IP address of this host for [local_ip]
local_ip = 10.0.0.51
[root@node01 ~]# systemctl restart neutron-openvswitch-agent
# if Firewalld is running, allow the VXLAN port (UDP 4789)
[root@node01 ~]# firewall-cmd --add-port=4789/udp
[root@node01 ~]# firewall-cmd --runtime-to-permanent
[4] Create a virtual router. This can be done on any node. (This example is on the Control Node)
[root@dlp ~(keystone)]# openstack router create router01
+-------------------------+--------------------------------------+
| Field | Value |
+-------------------------+--------------------------------------+
| admin_state_up | UP |
| availability_zone_hints | |
| availability_zones | |
| created_at | 2022-05-31T09:59:08Z |
| description | |
| distributed | False |
| external_gateway_info | null |
| flavor_id | None |
| ha | False |
| id | 0ed5c019-30e0-4e45-8ed5-f5df12dedeb0 |
| name | router01 |
| project_id | 0609d3b3b398456187fb705ec9224c4a |
| revision_number | 1 |
| routes | |
| status | ACTIVE |
| tags | |
| updated_at | 2022-05-31T09:59:08Z |
+-------------------------+--------------------------------------+
[5] Create an internal network and associate it with the router above.
# create internal network
[root@dlp ~(keystone)]# openstack network create private --provider-network-type vxlan
+---------------------------+--------------------------------------+
| Field | Value |
+---------------------------+--------------------------------------+
| admin_state_up | UP |
| availability_zone_hints | |
| availability_zones | |
| created_at | 2022-05-31T09:59:43Z |
| description | |
| dns_domain | None |
| id | 032d3ae8-1c54-4f0c-bb64-10967d5630ff |
| ipv4_address_scope | None |
| ipv6_address_scope | None |
| is_default | False |
| is_vlan_transparent | None |
| mtu | 1450 |
| name | private |
| port_security_enabled | True |
| project_id | 0609d3b3b398456187fb705ec9224c4a |
| provider:network_type | vxlan |
| provider:physical_network | None |
| provider:segmentation_id | 423 |
| qos_policy_id | None |
| revision_number | 1 |
| router:external | Internal |
| segments | None |
| shared | False |
| status | ACTIVE |
| subnets | |
| tags | |
| updated_at | 2022-05-31T09:59:43Z |
+---------------------------+--------------------------------------+
# create subnet in the internal network
[root@dlp ~(keystone)]# openstack subnet create private-subnet --network private \
--subnet-range 192.168.100.0/24 --gateway 192.168.100.1 \
--dns-nameserver 10.0.0.10
+----------------------+--------------------------------------+
| Field | Value |
+----------------------+--------------------------------------+
| allocation_pools | 192.168.100.2-192.168.100.254 |
| cidr | 192.168.100.0/24 |
| created_at | 2022-05-31T10:00:30Z |
| description | |
| dns_nameservers | 10.0.0.10 |
| dns_publish_fixed_ip | None |
| enable_dhcp | True |
| gateway_ip | 192.168.100.1 |
| host_routes | |
| id | 57454e98-d4c2-40b2-b0ee-d1ec340e9001 |
| ip_version | 4 |
| ipv6_address_mode | None |
| ipv6_ra_mode | None |
| name | private-subnet |
| network_id | 032d3ae8-1c54-4f0c-bb64-10967d5630ff |
| project_id | 0609d3b3b398456187fb705ec9224c4a |
| revision_number | 0 |
| segment_id | None |
| service_types | |
| subnetpool_id | None |
| tags | |
| updated_at | 2022-05-31T10:00:30Z |
+----------------------+--------------------------------------+
# attach the internal subnet to the router above
[root@dlp ~(keystone)]# openstack router add subnet router01 private-subnet
[6] Create an external network and associate it with the router above.
# create external network
[root@dlp ~(keystone)]# openstack network create \
--provider-physical-network physnet1 \
--provider-network-type flat --external public
+---------------------------+--------------------------------------+
| Field | Value |
+---------------------------+--------------------------------------+
| admin_state_up | UP |
| availability_zone_hints | |
| availability_zones | |
| created_at | 2022-05-31T10:01:17Z |
| description | |
| dns_domain | None |
| id | fb890e9b-623d-447e-bdfc-d73ecaa619e8 |
| ipv4_address_scope | None |
| ipv6_address_scope | None |
| is_default | False |
| is_vlan_transparent | None |
| mtu | 1500 |
| name | public |
| port_security_enabled | True |
| project_id | 0609d3b3b398456187fb705ec9224c4a |
| provider:network_type | flat |
| provider:physical_network | physnet1 |
| provider:segmentation_id | None |
| qos_policy_id | None |
| revision_number | 1 |
| router:external | External |
| segments | None |
| shared | False |
| status | ACTIVE |
| subnets | |
| tags | |
| updated_at | 2022-05-31T10:01:17Z |
+---------------------------+--------------------------------------+
# create subnet in the external network
[root@dlp ~(keystone)]# openstack subnet create public-subnet \
--network public --subnet-range 10.0.0.0/24 \
--allocation-pool start=10.0.0.200,end=10.0.0.254 \
--gateway 10.0.0.1 --dns-nameserver 10.0.0.10 --no-dhcp
+----------------------+--------------------------------------+
| Field | Value |
+----------------------+--------------------------------------+
| allocation_pools | 10.0.0.200-10.0.0.254 |
| cidr | 10.0.0.0/24 |
| created_at | 2022-05-31T10:01:44Z |
| description | |
| dns_nameservers | 10.0.0.10 |
| dns_publish_fixed_ip | None |
| enable_dhcp | False |
| gateway_ip | 10.0.0.1 |
| host_routes | |
| id | ecccfdc5-2917-41d4-a957-88facca5c4d4 |
| ip_version | 4 |
| ipv6_address_mode | None |
| ipv6_ra_mode | None |
| name | public-subnet |
| network_id | fb890e9b-623d-447e-bdfc-d73ecaa619e8 |
| project_id | 0609d3b3b398456187fb705ec9224c4a |
| revision_number | 0 |
| segment_id | None |
| service_types | |
| subnetpool_id | None |
| tags | |
| updated_at | 2022-05-31T10:01:44Z |
+----------------------+--------------------------------------+
# set the external network as the gateway of the router above
[root@dlp ~(keystone)]# openstack router set router01 --external-gateway public
[7] By default, all projects can access the external network, but the internal network is accessible only to the admin project. Grant access to the internal network to the project whose users should be able to use it.
# show network RBAC list
[root@dlp ~(keystone)]# openstack network rbac list
+--------------------------------------+-------------+--------------------------------------+
| ID | Object Type | Object ID |
+--------------------------------------+-------------+--------------------------------------+
| a37b34cd-e686-443f-b3ef-4a4c722b5d63 | network | fb890e9b-623d-447e-bdfc-d73ecaa619e8 |
+--------------------------------------+-------------+--------------------------------------+
# RBAC details
# all projects are granted only [access_as_external]
[root@dlp ~(keystone)]# openstack network rbac show a37b34cd-e686-443f-b3ef-4a4c722b5d63
+-------------------+--------------------------------------+
| Field | Value |
+-------------------+--------------------------------------+
| action | access_as_external |
| id | a37b34cd-e686-443f-b3ef-4a4c722b5d63 |
| name | None |
| object_id | fb890e9b-623d-447e-bdfc-d73ecaa619e8 |
| object_type | network |
| project_id | 0609d3b3b398456187fb705ec9224c4a |
| target_project_id | * |
+-------------------+--------------------------------------+
# show network list
[root@dlp ~(keystone)]# openstack network list
+--------------------------------------+---------+--------------------------------------+
| ID | Name | Subnets |
+--------------------------------------+---------+--------------------------------------+
| 032d3ae8-1c54-4f0c-bb64-10967d5630ff | private | 57454e98-d4c2-40b2-b0ee-d1ec340e9001 |
| fb890e9b-623d-447e-bdfc-d73ecaa619e8 | public | ecccfdc5-2917-41d4-a957-88facca5c4d4 |
+--------------------------------------+---------+--------------------------------------+
# show project list
[root@dlp ~(keystone)]# openstack project list
+----------------------------------+-----------+
| ID | Name |
+----------------------------------+-----------+
| 0609d3b3b398456187fb705ec9224c4a | admin |
| 3d85d1e79d654b3dade01eb5bfbf0679 | hiroshima |
| 8787527217494c6a87dd5a3b68dce1ef | service |
+----------------------------------+-----------+
# grant [access_as_shared] permission on [private] to the [hiroshima] project
[root@dlp ~(keystone)]# netID=$(openstack network list | grep private | awk '{ print $2 }')
[root@dlp ~(keystone)]# prjID=$(openstack project list | grep hiroshima | awk '{ print $2 }')
[root@dlp ~(keystone)]# openstack network rbac create --target-project $prjID --type network --action access_as_shared $netID
+-------------------+--------------------------------------+
| Field | Value |
+-------------------+--------------------------------------+
| action | access_as_shared |
| id | dfb0e656-0983-46a9-8345-13a03ddbc3e9 |
| name | None |
| object_id | 032d3ae8-1c54-4f0c-bb64-10967d5630ff |
| object_type | network |
| project_id | 0609d3b3b398456187fb705ec9224c4a |
| target_project_id | 3d85d1e79d654b3dade01eb5bfbf0679 |
+-------------------+--------------------------------------+
[8] Log in as a user in the project you granted access to the internal network, then create and boot an instance.
# show available [flavor] list
[cent@dlp ~(keystone)]$ openstack flavor list
+----+----------+------+------+-----------+-------+-----------+
| ID | Name | RAM | Disk | Ephemeral | VCPUs | Is Public |
+----+----------+------+------+-----------+-------+-----------+
| 0 | m1.small | 2048 | 10 | 0 | 1 | True |
+----+----------+------+------+-----------+-------+-----------+
# show available image list
[cent@dlp ~(keystone)]$ openstack image list
+--------------------------------------+-----------------+--------+
| ID | Name | Status |
+--------------------------------------+-----------------+--------+
| 7be5b7ab-36e8-43c7-95dd-34b4139a0e44 | CentOS-Stream-8 | active |
+--------------------------------------+-----------------+--------+
# show available network list
[cent@dlp ~(keystone)]$ openstack network list
+--------------------------------------+---------+--------------------------------------+
| ID | Name | Subnets |
+--------------------------------------+---------+--------------------------------------+
| 032d3ae8-1c54-4f0c-bb64-10967d5630ff | private | 57454e98-d4c2-40b2-b0ee-d1ec340e9001 |
| fb890e9b-623d-447e-bdfc-d73ecaa619e8 | public | ecccfdc5-2917-41d4-a957-88facca5c4d4 |
+--------------------------------------+---------+--------------------------------------+
# create a security group for instances
[cent@dlp ~(keystone)]$ openstack security group create secgroup01
+-----------------+----------------------------------------------------------------------------+
| Field | Value |
+-----------------+----------------------------------------------------------------------------+
| created_at | 2022-05-31T08:14:56Z |
| description | secgroup01 |
| id | 001bf895-7218-4153-b64b-5c5741697009 |
| name | secgroup01 |
| project_id | 3d85d1e79d654b3dade01eb5bfbf0679 |
| revision_number | 1 |
| rules | created_at='2022-05-31T08:14:56Z', direction='egress', ethertype='IPv4'... |
| | created_at='2022-05-31T08:14:56Z', direction='egress', ethertype='IPv6'... |
| stateful | True |
| tags | [] |
| updated_at | 2022-05-31T08:14:56Z |
+-----------------+----------------------------------------------------------------------------+
# create an SSH keypair for connecting to instances
[cent@dlp ~(keystone)]$ ssh-keygen -q -N ""
Enter file in which to save the key (/home/cent/.ssh/id_rsa):
# register the public key
[cent@dlp ~(keystone)]$ openstack keypair create --public-key ~/.ssh/id_rsa.pub mykey
+-------------+-------------------------------------------------+
| Field | Value |
+-------------+-------------------------------------------------+
| created_at | None |
| fingerprint | 64:c1:46:5f:d4:dc:07:76:1c:5e:ee:b8:82:1e:9d:c3 |
| id | mykey |
| is_deleted | None |
| name | mykey |
| type | ssh |
| user_id | ed0bc393ae81411fa1db0828e1d5e160 |
+-------------+-------------------------------------------------+
[cent@dlp ~(keystone)]$ netID=$(openstack network list | grep private | awk '{ print $2 }')
[cent@dlp ~(keystone)]$ openstack server create --flavor m1.small --image CentOS-Stream-8 --security-group secgroup01 --nic net-id=$netID --key-name mykey CentOS-St8
[cent@dlp ~(keystone)]$ openstack server list
+--------------------------------------+------------+--------+------------------------+-----------------+----------+
| ID | Name | Status | Networks | Image | Flavor |
+--------------------------------------+------------+--------+------------------------+-----------------+----------+
| b9422951-8141-45fe-becd-a01c72708504 | CentOS-St8 | ACTIVE | private=192.168.100.84 | CentOS-Stream-8 | m1.small |
+--------------------------------------+------------+--------+------------------------+-----------------+----------+
[9] Assign a floating IP address to the instance above.
[cent@dlp ~(keystone)]$ openstack floating ip create public
+---------------------+--------------------------------------+
| Field | Value |
+---------------------+--------------------------------------+
| created_at | 2022-05-31T10:08:01Z |
| description | |
| dns_domain | None |
| dns_name | None |
| fixed_ip_address | None |
| floating_ip_address | 10.0.0.216 |
| floating_network_id | fb890e9b-623d-447e-bdfc-d73ecaa619e8 |
| id | 5f7bc534-0959-4504-b2fb-10c9f7bcf8de |
| name | 10.0.0.216 |
| port_details | None |
| port_id | None |
| project_id | 3d85d1e79d654b3dade01eb5bfbf0679 |
| qos_policy_id | None |
| revision_number | 0 |
| router_id | None |
| status | DOWN |
| subnet_id | None |
| tags | [] |
| updated_at | 2022-05-31T10:08:01Z |
+---------------------+--------------------------------------+
[cent@dlp ~(keystone)]$ openstack server add floating ip CentOS-St8 10.0.0.216
# confirm settings
[cent@dlp ~(keystone)]$ openstack floating ip show 10.0.0.216
+---------------------+---------------------------------------------------------------------------+
| Field | Value |
+---------------------+---------------------------------------------------------------------------+
| created_at | 2022-05-31T10:08:01Z |
| description | |
| dns_domain | None |
| dns_name | None |
| fixed_ip_address | 192.168.100.84 |
| floating_ip_address | 10.0.0.216 |
| floating_network_id | fb890e9b-623d-447e-bdfc-d73ecaa619e8 |
| id | 5f7bc534-0959-4504-b2fb-10c9f7bcf8de |
| name | 10.0.0.216 |
| port_details | admin_state_up='True', device_id='b9422951-8141-45fe-becd-a01c727085..... |
| port_id | a0670c7e-2fa9-4be9-801b-d62170f33efd |
| project_id | 3d85d1e79d654b3dade01eb5bfbf0679 |
| qos_policy_id | None |
| revision_number | 2 |
| router_id | 0ed5c019-30e0-4e45-8ed5-f5df12dedeb0 |
| status | ACTIVE |
| subnet_id | None |
| tags | [] |
| updated_at | 2022-05-31T10:08:52Z |
+---------------------+---------------------------------------------------------------------------+
[cent@dlp ~(keystone)]$ openstack server list
+--------------------------------------+------------+--------+------------------------------------+-----------------+----------+
| ID | Name | Status | Networks | Image | Flavor |
+--------------------------------------+------------+--------+------------------------------------+-----------------+----------+
| b9422951-8141-45fe-becd-a01c72708504 | CentOS-St8 | ACTIVE | private=10.0.0.216, 192.168.100.84 | CentOS-Stream-8 | m1.small |
+--------------------------------------+------------+--------+------------------------------------+-----------------+----------+
[10] Configure the security group you created above to allow SSH and ICMP access.
# permit ICMP
[cent@dlp ~(keystone)]$ openstack security group rule create --protocol icmp --ingress secgroup01
+-------------------------+--------------------------------------+
| Field | Value |
+-------------------------+--------------------------------------+
| created_at | 2022-05-31T09:42:39Z |
| description | |
| direction | ingress |
| ether_type | IPv4 |
| id | 96122e6a-c9eb-4cb6-b304-2fe0dc0b3219 |
| name | None |
| port_range_max | None |
| port_range_min | None |
| project_id | 3d85d1e79d654b3dade01eb5bfbf0679 |
| protocol | icmp |
| remote_address_group_id | None |
| remote_group_id | None |
| remote_ip_prefix | 0.0.0.0/0 |
| revision_number | 0 |
| security_group_id | 001bf895-7218-4153-b64b-5c5741697009 |
| tags | [] |
| tenant_id | 3d85d1e79d654b3dade01eb5bfbf0679 |
| updated_at | 2022-05-31T09:42:39Z |
+-------------------------+--------------------------------------+
# permit SSH
[cent@dlp ~(keystone)]$ openstack security group rule create --protocol tcp --dst-port 22:22 secgroup01
+-------------------------+--------------------------------------+
| Field | Value |
+-------------------------+--------------------------------------+
| created_at | 2022-05-31T09:42:58Z |
| description | |
| direction | ingress |
| ether_type | IPv4 |
| id | 28191a33-6e5a-487d-a7b7-cdef6f4f9dd9 |
| name | None |
| port_range_max | 22 |
| port_range_min | 22 |
| project_id | 3d85d1e79d654b3dade01eb5bfbf0679 |
| protocol | tcp |
| remote_address_group_id | None |
| remote_group_id | None |
| remote_ip_prefix | 0.0.0.0/0 |
| revision_number | 0 |
| security_group_id | 001bf895-7218-4153-b64b-5c5741697009 |
| tags | [] |
| tenant_id | 3d85d1e79d654b3dade01eb5bfbf0679 |
| updated_at | 2022-05-31T09:42:58Z |
+-------------------------+--------------------------------------+
[cent@dlp ~(keystone)]$ openstack security group rule list secgroup01
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+
| ID | IP Protocol | Ethertype | IP Range | Port Range | Direction | Remote Security Group | Remote Address Group |
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+
| 28191a33-6e5a-487d-a7b7-cdef6f4f9dd9 | tcp | IPv4 | 0.0.0.0/0 | 22:22 | ingress | None | None |
| 7a5ce790-613c-433b-b817-75aa20a10fc1 | None | IPv4 | 0.0.0.0/0 | | egress | None | None |
| 96122e6a-c9eb-4cb6-b304-2fe0dc0b3219 | icmp | IPv4 | 0.0.0.0/0 | | ingress | None | None |
| cf9e12bd-90d0-4c9c-b852-12d2cd53eb91 | None | IPv6 | ::/0 | | egress | None | None |
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+
[11] You can now log in to the instance by connecting to its floating IP address with SSH, as follows.
[cent@dlp ~(keystone)]$ openstack server list
+--------------------------------------+------------+--------+------------------------------------+-----------------+----------+
| ID | Name | Status | Networks | Image | Flavor |
+--------------------------------------+------------+--------+------------------------------------+-----------------+----------+
| b9422951-8141-45fe-becd-a01c72708504 | CentOS-St8 | ACTIVE | private=10.0.0.216, 192.168.100.84 | CentOS-Stream-8 | m1.small |
+--------------------------------------+------------+--------+------------------------------------+-----------------+----------+
[cent@dlp ~(keystone)]$ ssh centos@10.0.0.216
The authenticity of host '10.0.0.216 (10.0.0.216)' can't be established.
ECDSA key fingerprint is SHA256:3ubFctH6ulVjsrc2KyvqfRJPIx3ceRuzrogRB2WY1Iw.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.0.0.216' (ECDSA) to the list of known hosts.
Activate the web console with: systemctl enable --now cockpit.socket
[centos@centos-st8 ~]$ # logged in