|
一个具有网络管理接口的控制器节点。
8 w( V; a( E: c两个网络节点有四个网络接口:管理、项目隧道网络、项目VLAN网络和外部(通常是Internet)。Open vSwitch网桥br-vlan必须包含VLAN接口上的一个端口,而Open vSwitch桥的br- ex必须在外部接口上包含一个端口。3 j* q! D$ `9 s9 K( H: N P! U) ^
: n' h5 ~$ S i' P& p+ Q) n/ s至少有一个具有三个网络接口的计算节点:管理、项目隧道网络和项目VLAN网络。Open vSwitch网桥br-vlan必须在VLAN接口上包含一个端口。 为了提高对网络流量的理解,网络和计算节点包含一个独立的网络接口,用于项目VLAN网络。在生产环境中,项目VLAN网络可以使用任何Open vSwitch网桥来访问网络接口。例如br-tun网桥 # t! N/ e/ X0 ?5 \: [9 R O
在示例配置中,管理网络使用10.0.0 / 24,隧道网络使用10.0.1.0 / 24,VRRP网络使用169.254.192.0 / 18,外部网络使用203.0.113.0 / 24。VLAN网络不需要IP地址范围,因为它只处理二级连接。 # M/ \: @: ^4 R. b
硬件要求: I% `4 t f, S3 b- ~
) ]% w! z$ \3 Q, o+ i& W
网络布局 ]/ e# Q6 k% C; O8 R2 I/ B6 I
6 X& J; ~9 I q6 P/ [0 C
: I( @, a7 w& O! r9 T) _6 |1 | 服务布局4 I3 k$ C" [; C" t ?( }
. s: J9 [3 a5 D 注意:对于VLAN外部和项目网络,网络基础设施必须支持VLAN标记。为了获得VXLAN和GRE项目网络的最佳性能,网络基础设施应该支持巨型帧。 7 E. z' K& g" T+ {8 m. l
控制节点的OpenStack服务
: f& u; \6 t& H7 _/ s5 \, T在neutron.conf文件中具有数据库服务器的合适配置在neutron.conf文件中具有消息队列服务的合适配置。; {$ x5 }9 h2 H9 q, i$ P
在neutron.conf文件中具有openstack keystone服务的合适配置
& B4 W" _: \" |) J$ `6 f在nova.conf文件中具有openstack计算 控制/管理服务的合适配置去使用Openstack 网络
$ A/ V8 }6 R* O. p1 [: mneutron服务器服务、ML2插件和任何依赖关系。
; P, e6 B7 ]/ ]+ A: i% H& k V
: h' g$ K( J" X8 _; e5 _网络节点的Openstack服务在neutron.conf文件中具有openstack keystone服务的合适配置
8 J0 W. E5 h9 \" S; W0 @% MOpen vSwitch服务、ML2插件、Open vSwitch代理、L3代理、DHCP代理、元数据代理和任何依赖关系。
7 {/ J' }5 b: U9 Z
. _/ q7 D) I0 S h4 z计算节点的Openstack服务6 b- |, E6 N8 W) S, E
在neutron.conf文件中具有openstack keystone服务的合适配置, f( i. V6 V- E( A e) X
. E3 ` p" z5 o1 A+ ?' B* y6 _
在nova.conf文件中具有openstack计算 控制/管理服务的合适配置去使用Openstack网络Open vSwitch服务,ML2插件,OpenvSwitch代理,以及任何依赖项。
* u! R* |% w! R, _! V% x
6 f3 O: E8 k7 r3 z# G: Q7 O" k体系结构
4 W! K5 k9 o8 j$ d9 v5 |一般的体系架构
( x" R( O y6 n& H* S 网络节点包含以下组件:& \4 |3 `7 V0 \3 ~& C8 n: E+ L
+ c5 E% W! W" x( Y! D8 AOpen vSwitch代理管理虚拟交换机之间的连接,以及通过虚拟端口与其他网络组件(如名称空间、Linux网桥和底层接口)进行交互。
[0 v2 c4 O L. a4 u6 Q- z+ ?
/ u) j5 `! c7 u; ]管理qdhcp名称空间的DHCP代理。qdhcp名称空间为使用项目网络的实例提供DHCP服务。
7 L- q/ s7 ~% X0 Q( c% d; x) u- ~) ?) Q2 P1 W
L3代理使用keepalived管理qrouter名称空间和VRRP。qrouter名称空间提供了项目和外部网络之间以及项目网络之间的路由。它们还在实例和元数据代理之间路由元数据通信。. `# Q& s# \$ c
- }. s9 `' C$ k& P8 }( Q
元数据代理处理实例的元数据操作。 ( t4 ~8 S7 ~ [ m6 n' t( J+ b
9 S! S4 I! m. D网络节点组件回顾1 h8 s" B9 E! T
! C9 u* u0 o6 i: g8 b6 h1 w6 l
网络节点组件连接3 f2 v6 N: L( r I6 r2 U) t0 j
p) L% y3 I7 s- U2 `/ I 计算节点包含以下组件:5 r6 |( _' j1 a) R
( }1 j3 z' i' D2 p( h! k1.Open vSwitch代理管理虚拟交换机之间的连接,以及通过虚拟端口与其他网络组件(如名称空间、Linux网桥和底层接口)进行交互。( o: F6 v* l' ^8 V
% b, x/ s/ U. c- @; U! p* j4 r2.Linux网桥处理安全组。
: w& r) j5 C! }1 C" c注意:由于Open vSwitch和iptables的限制,网络服务使用Linux桥来管理实例的安全组。 % W* G& G/ L% H
计算节点组件回顾
2 D2 C) S. A, @' l' ^ D9 t' j9 X8 T0 T2 j# d( X0 a) [" b: h
计算节点组件连接
L4 K2 L9 s8 f& s
# D( K/ s$ ]7 c4 C6 F" E, G6 Z数据包流 L3HA机制简单地增加了场景:如果主路由器失败,则使用Open vSwitch提供给另一个路由器的快速故障转移到另一个路由器。5 }, O& g9 _8 A
- E' h" d+ J+ E1 y; Z在正常的操作过程中,主路由器定期地通过一个隐藏的项目网络来传输心跳数据包,该网络连接所有的HA路由器以完成特定的项目。 在默认情况下,这个网络使用的类型是在/etc/neutron/plugins/ml2_conf.ini的tenant_network_types选项中第一个值的类型。
9 U9 I5 ?4 b- t$ d# B: i
2 \, {8 [% g# s# Z: e" }- k; b: {如果备份路由器停止接收这些数据包,它就假定主路由器失效,并通过在qrouter名称空间中配置IP地址来提升自己到主路由器。在具有多个备份路由器的环境中,具有下一个最高优先级的路由器成为主路由器
: |# g, b5 C7 K/ r- L 注意:L3HA机制对所有路由器使用相同的优先级。因此,VRRP会将IP地址最高的备份路由器提升到主路由器。 & O; `! k0 a7 V1 G+ x4 C$ n
示例配置1 U# v$ v& F+ Q! n8 U2 Z
使用下面的示例配置作为在您的环境中部署该场景的模板。 $ V; l+ d' X; C# s- f
控制节点1.配置常见的选项。编辑/etc/neutron/neutron.配置文件: [backcolor=rgb(245, 245, 245) !important][url=] [/url]/ f. o8 u+ ^$ [( }: P
[DEFAULT]verbose = Truecore_plugin = ml2service_plugins = routerallow_overlapping_ips = Truerouter_distributed = Falsel3_ha = Truel3_ha_net_cidr = 169.254.192.0/18max_l3_agents_per_router = 3min_l3_agents_per_router = 2dhcp_agents_per_network = 2[backcolor=rgb(245, 245, 245) !important][url=][/url]8 `6 F1 v7 c6 I# S! Y: L
) K5 [3 |6 V8 D( `3 z3 J/ k+ p
/ K6 ~. |8 U) q6 M: J 2.配置ML2插件。编辑/etc/neutron/plugins/ml2/ml2_conf.ini文件:
% D3 r2 y' o' X$ y6 u: V! x# g[backcolor=rgb(245, 245, 245) !important][url=][/url]( J( H5 x0 s) e$ c- M; _
[ml2]type_drivers = flat,vlan,gre,vxlantenant_network_types = vlan,gre,vxlanmechanism_drivers = openvswitch[ml2_type_flat]flat_networks = external[ml2_type_vlan]network_vlan_ranges = external,vlan:MIN_VLAN_ID:MAX_VLAN_ID[ml2_type_gre]tunnel_id_ranges = MIN_GRE_ID:MAX_GRE_ID[ml2_type_vxlan]vni_ranges = MIN_VXLAN_ID:MAX_VXLAN_IDvxlan_group = 239.1.1.1[securitygroup]firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriverenable_security_group = Trueenable_ipset = True[backcolor=rgb(245, 245, 245) !important][url=][/url]
2 p& f6 d6 {6 [! p! @0 p/ R+ ^3 @( {+ L
3 o t5 h/ b+ f! P' y& V" N/ ?( i* U: \' S+ [; l
替换MIN_VLAN_ID、MAX_VLAN_ID、MIN_GRE_ID、MAX_GRE_ID、MIN_VXLAN_ID和MAX_VXLAN_ID和VLAN、GRE和VXLAN ID最小值,以及适合您的环境的最大值。 6 `$ { Y' {( {& n9 i
请注意: tenant_network_types选项中的第一个值在常规用户创建网络时成为默认项目网络类型。network_vlan_range选项中的外部值缺少VLAN ID范围,以支持管理用户使用任意VLAN ID。' z _5 a8 G# C6 i
6 o u/ V6 M/ d5 y3.启动服务
4 m( t' Q1 K4 f/ d7 h3 v8 v7 X8 q+ {, i, H4 R, ~
, I$ j; M1 C9 A/ L, {! m
网络节点1.配置内核以启用包转发和禁用反向路径过滤。编辑/etc/sysctl.配置文件: net.ipv4.ip_forward=1net.ipv4.conf.default.rp_filter=0net.ipv4.conf.all.rp_filter=0
* C; V0 N9 e% f9 e2.加载新内核配置: $ sysctl -p
9 {& s: C$ k- A4 N! ^, I, i5 f& S: U6 ~; l Y( t7 Q
3.配置常见的选项。编辑/etc/neutron/neutron.配置文件: [DEFAULT]verbose = True
4 ]+ p& h' Q4 f# N; z F9 P0 Y" d+ G% z. g. `; t
4.配置Open vSwitch代理。编辑/etc/neutron/plugins/ml2/ml2_conf.ini文件: [backcolor=rgb(245, 245, 245) !important][url=][/url]2 p3 b% f- l) B/ }
[ovs]local_ip = TUNNEL_INTERFACE_IP_ADDRESSbridge_mappings = vlan:br-vlan,external:br-ex[agent]tunnel_types = gre,vxlanl2_population = False[securitygroup]firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriverenable_security_group = Trueenable_ipset = True[backcolor=rgb(245, 245, 245) !important][url=][/url] t. O( M$ n" |: ?/ r" f; |
$ P" Y- E" U. U. @: s
" m+ g: P' f$ M5 o使用处理GRE / VXLAN项目网络的接口的IP地址替换TUNNEL_INTERFACE_IP_ADDRESS。
( I7 o* q% S" { ?- c s5.配置L3代理。编辑/etc/neutron/l3_agent.ini文件:
7 a8 g* I3 n9 d9 h8 `[backcolor=rgb(245, 245, 245) !important][url=][/url]$ ~! X! n$ y. t" z, L3 O
[DEFAULT]verbose = Trueinterface_driver = neutron.agent.linux.interface.OVSInterfaceDriveruse_namespaces = Trueexternal_network_bridge =router_delete_namespaces = Trueagent_mode = legacy[backcolor=rgb(245, 245, 245) !important][url=][/url]
, _: {- a |, @1 s7 ]; ]* A" T. ~+ h- T3 q5 S; s. t% h
注意:external_network_bridge选项故意不包含任何值。
, Q. @$ G# g2 z2 Y! w' x6.配置DHCP代理。编辑/etc/neutron/dhcp_agent.ini文件: % n# `/ |9 d& v: b. o/ R
[backcolor=rgb(245, 245, 245) !important][url=][/url]" x# L; ~: b! L' Y/ x6 y, u
[DEFAULT]verbose = Trueinterface_driver = neutron.agent.linux.interface.OVSInterfaceDriverdhcp_driver = neutron.agent.linux.dhcp.Dnsmasquse_namespaces = Truedhcp_delete_namespaces = True[backcolor=rgb(245, 245, 245) !important][url=][/url]; H7 G4 i; ] T8 f$ o2 B
0 B7 \: f5 d/ p7 p3 D- v* v+ a5 G) m: |+ P% K& G
7.(可选)为VXLAN项目网络减少MTU。 [backcolor=rgb(245, 245, 245) !important][url=][/url]9 g" z$ {2 b/ s
2 l# C0 [; J" U7 W5 X! Z% H3 P
: a$ s- V p9 X1 U) \6 ?! @6 I1 Y+ M
1.编辑/etc/neutron/dhcp_agent。ini文件:[DEFAULT]dnsmasq_config_file = /etc/neutron/dnsmasq-neutron.conf2.编辑/etc/neutron/dnsmasq-neutron.conf文件:dhcp-option-force=26,1450
6 ^* c# v# F) Z" n2 ^- g
7 f L$ Q$ a* h% X) U, r5 A9 L[backcolor=rgb(245, 245, 245) !important][url=][/url]
e+ Q5 Y8 M: b: T2 y, M3 x# e ^- K' o \1 ^! A Z
# ]7 w0 z D" ^2 O% J
8.配置元数据代理。编辑/etc/neutron/metadata_agent.ini文件: [DEFAULT]verbose = Truenova_metadata_ip = controllermetadata_proxy_shared_secret = METADATA_SECRET
5 U3 e5 x1 h: o4 ~4 Y9 J4 F
6 k( v. q# P/ p8 `' B1 O用合适的环境值替换METADATA_SECRET。 * V/ y7 ]' b2 U% s* O
9.开始以下服务: Open vSwitch Open vSwitch agent L3 agent DHCP agent Metadata agent, i, C; Q* k( ~. Y) x& r
: l* n" M, m D计算节点: e# d8 q% j: ]) d4 t3 s) K
1.配置内核以启用网桥上的iptables并禁用反向路径过滤。编辑/etc/sysctl.配置文件: net.ipv4.conf.default.rp_filter=0net.ipv4.conf.all.rp_filter=0net.bridge.bridge-nf-call-iptables=1net.bridge.bridge-nf-call-ip6tables=1. A2 b, z& \! J( C# H2 o
2.加载新内核配置: $ sysctl -p
. t+ F( F5 i1 v7 g* p( _1 F- c+ d1 D6 e) I+ k3 G* q
3.配置常见的选项。编辑/etc/neutron/neutron.配置文件: [DEFAULT]verbose = True* d3 x5 R X0 T
3 ] W* t+ ? k1 g
4.配置Open vSwitch代理。编辑/etc/neutron/plugins/ml2/ml2_conf.ini文件: [backcolor=rgb(245, 245, 245) !important][url=][/url]: J; z; D+ G: v, x! I
[ovs]local_ip = TUNNEL_INTERFACE_IP_ADDRESSbridge_mappings = vlan:br-vlan[agent]tunnel_types = gre,vxlanl2_population = False[securitygroup]firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriverenable_security_group = Trueenable_ipset = True[backcolor=rgb(245, 245, 245) !important][url=][/url]
1 _5 R3 j% I$ s2 \7 B
: z* P9 U8 [, u$ {+ o8 _
$ u7 L6 q! X# i) u) ]使用处理GRE / VXLAN项目网络的接口的IP地址替换TUNNEL_INTERFACE_IP_ADDRESS。 9 D- g6 K! X1 r3 c
7.启动以下服务: Open vSwitch Open vSwitch agent
% N. s5 l. ~5 | S% a F
4 d3 }$ t$ K; ^1 y" f* J# ?( d验证服务操作1.提供管理项目凭据。 2.验证代理的存在和操作: [backcolor=rgb(245, 245, 245) !important][url=][/url]5 [1 c9 F3 j: c1 P0 q, I0 N2 h# W
$ neutron agent-list+--------------------------------------+--------------------+----------+-------+----------------+---------------------------+| id | agent_type | host | alive | admin_state_up | binary |+--------------------------------------+--------------------+----------+-------+----------------+---------------------------+| 0bfe5b5d-0b82-434e-b8a0-524cc18da3a4 | DHCP agent | network1 | :-) | True | neutron-dhcp-agent || 25224bd5-0905-4ec9-9f2d-3b17cdaf5650 | Open vSwitch agent | compute2 | :-) | True | neutron-openvswitch-agent || 29afe014-273d-42f3-ad71-8a226e40dea6 | L3 agent | network1 | :-) | True | neutron-l3-agent || 3bed5093-e46c-4b0f-9460-3309c62254a3 | DHCP agent | network2 | :-) | True | neutron-dhcp-agent || 54aefb1c-35f7-4ebf-a848-3bb4fe81dcf7 | Open vSwitch agent | network1 | :-) | True | neutron-openvswitch-agent || 91c9cc03-1678-4d7a-b0a7-fa1ac24e5516 | Open vSwitch agent | compute1 | :-) | True | neutron-openvswitch-agent || ac7b3f77-7e4d-47a6-9dbd-3358cfb67b61 | Open vSwitch agent | network2 | :-) | True | neutron-openvswitch-agent || ceef5c49-3148-4c39-9e15-4985fc995113 | Metadata agent | network1 | :-) | True | neutron-metadata-agent || d27ac19b-fb4d-4fec-b81d-e8c65557b6ec | L3 agent | network2 | :-) | True | neutron-l3-agent || f072a1ec-f842-4223-a6b6-ec725419be85 | Metadata agent | network2 | :-) | True | neutron-metadata-agent |+--------------------------------------+--------------------+----------+-------+----------------+---------------------------+[backcolor=rgb(245, 245, 245) !important][url=][/url]' m' D" X3 q/ d, @* u# W+ Q
, C) ~* v. T# Z
4 S3 E( ] }! W% R, m
创建初始网络
% `$ e8 j: z) [( \: e) e, |/ t这个示例创建了一个flat外部网络和一个VXLAN项目网络。
9 e5 o+ s' |2 F* @+ ?- I- H$ l* u% u, z- D! S X0 F; e
1.提供管理项目凭据。" t O( ~: K- W7 G# N: F4 T) [9 a
@4 \4 _! P x2 I m( I2.创建外部网络:
) a3 O5 `$ }0 N/ \3 ~[backcolor=rgb(245, 245, 245) !important][url=][/url]. K3 A2 k8 p5 h/ Z
$ neutron net-create ext-net --router:external True \ --provider:physical_network external --provider:network_type flatCreated a new network:+---------------------------+--------------------------------------+| Field | Value |+---------------------------+--------------------------------------+| admin_state_up | True || id | 5266fcbc-d429-4b21-8544-6170d1691826 || name | ext-net || provider:network_type | flat || provider:physical_network | external || provider:segmentation_id | || router:external | True || shared | False || status | ACTIVE || subnets | || tenant_id | 96393622940e47728b6dcdb2ef405f50 |+---------------------------+--------------------------------------+[backcolor=rgb(245, 245, 245) !important][url=][/url]
# S* ]* h" N* k% p3 a/ \6 T3 f3 K4 I+ o: t
1 K# l2 v5 c {$ d9 N3 x( N+ ` a3.在外部网络上创建子网:
' |8 d' E1 d1 D6 D. e. c) @[backcolor=rgb(245, 245, 245) !important][url=][/url]
3 b0 V# N' y2 x: r8 M8 ]% {$ neutron subnet-create ext-net 203.0.113.0/24 --name ext-subnet \ --allocation-pool start=203.0.113.101,end=203.0.113.200 \ --disable-dhcp --gateway 203.0.113.1Created a new subnet:+-------------------+----------------------------------------------------+| Field | Value |+-------------------+----------------------------------------------------+| allocation_pools | {"start": "203.0.113.101", "end": "203.0.113.200"} || cidr | 203.0.113.0/24 || dns_nameservers | || enable_dhcp | False || gateway_ip | 203.0.113.1 || host_routes | || id | b32e0efc-8cc3-43ff-9899-873b94df0db1 || ip_version | 4 || ipv6_address_mode | || ipv6_ra_mode | || name | ext-subnet || network_id | 5266fcbc-d429-4b21-8544-6170d1691826 || tenant_id | 96393622940e47728b6dcdb2ef405f50 |+-------------------+----------------------------------------------------+[backcolor=rgb(245, 245, 245) !important][url=][/url]5 E1 q m/ B; \
' S' _5 ]" }- v2 `1 ~
4 I p! j3 H* A+ \请注意:) D3 i$ P3 ^ n% t! ~: |
( e! F" L5 `- t
示例配置包含vlan作为第一个项目网络类型。只有管理用户才能创建其他类型的网络,比如GRE或VXLAN。下面的命令使用admin项目凭证创建一个VXLAN项目网络。4 D' B6 w4 f8 n! [* N/ A& E
: u$ k! G3 @% K/ M% k
1.获得常规项目的ID。例如使用demo项目: : w+ V+ P/ b* a- ^7 @$ B
[backcolor=rgb(245, 245, 245) !important][url=][/url]) t; p( m( c9 T% p
$ openstack project show demo+-------------+----------------------------------+| Field | Value |+-------------+----------------------------------+| description | Demo Tenant || enabled | True || id | 443cd1596b2e46d49965750771ebbfe1 || name | demo |+-------------+----------------------------------+[backcolor=rgb(245, 245, 245) !important][url=][/url] g' m, W9 i% }. G3 H( A
9 {/ z# _* H/ M# ~0 [# S0 n
3 G7 D2 `$ E" w5 D1 A, \; A2 g2.创建项目网络:
# T. ^3 Q c! q# U7 _[backcolor=rgb(245, 245, 245) !important][url=][/url] z1 E& L( D. G& F- M- [3 w
$ neutron net-create demo-net \ --tenant-id 443cd1596b2e46d49965750771ebbfe1 \ --provider:network_type vxlanCreated a new network:+---------------------------+--------------------------------------+| Field | Value |+---------------------------+--------------------------------------+| admin_state_up | True || id | 7ac9a268-1ddd-453f-857b-0fd9552b645f || name | demo-net || provider:network_type | vxlan || provider:physical_network | || provider:segmentation_id | 1 || router:external | False || shared | False || status | ACTIVE || subnets | || tenant_id | 443cd1596b2e46d49965750771ebbfe1 |+---------------------------+--------------------------------------+[backcolor=rgb(245, 245, 245) !important][url=][/url]5 D. C- o- s. p- `4 K2 `+ J% [
8 V1 I2 J V s& ? L8 Q/ |
( B; h2 S: [2 A
5 Q( y8 q% x; t! j" c6 E" ?3.提供常规项目凭证。下面的步骤使用demo项目。 4.在项目网络上创建子网: 9 q" Z, ?: S2 }" x+ T) n% g
[backcolor=rgb(245, 245, 245) !important][url=][/url]
: }8 |* ?' ^& G/ v) V1 S& m+ ~8 _6 X$ neutron subnet-create demo-net 192.168.1.0/24 --name demo-subnet \ --gateway 192.168.1.1Created a new subnet:+-------------------+--------------------------------------------------+| Field | Value |+-------------------+--------------------------------------------------+| allocation_pools | {"start": "192.168.1.2", "end": "192.168.1.254"} || cidr | 192.168.1.0/24 || dns_nameservers | || enable_dhcp | True || gateway_ip | 192.168.1.1 || host_routes | || id | 2945790c-5999-4693-b8e7-50a9fc7f46f5 || ip_version | 4 || ipv6_address_mode | || ipv6_ra_mode | || name | demo-subnet || network_id | 7ac9a268-1ddd-453f-857b-0fd9552b645f || tenant_id | 443cd1596b2e46d49965750771ebbfe1 |+-------------------+--------------------------------------------------+[backcolor=rgb(245, 245, 245) !important][url=][/url]
% m0 E* n% {4 O0 X* u3 ^! Z: @& C/ |$ ]/ z& J6 E/ Z+ P# r9 \
7 N. Y7 f2 U1 y8 J8 }) B$ S( A5.创建一个项目路由器:
% _6 g6 K. T( P0 |! N9 _1 t[backcolor=rgb(245, 245, 245) !important][url=][/url]3 r# q( U9 S) n8 z/ Q# l, I0 ]2 f
$ neutron router-create demo-routerCreated a new router:+-----------------------+--------------------------------------+| Field | Value |+-----------------------+--------------------------------------+| admin_state_up | True || distributed | False || external_gateway_info | || ha | True || id | 7a46dba8-8846-498c-9e10-588664558473 || name | demo-router || routes | || status | ACTIVE || tenant_id | 443cd1596b2e46d49965750771ebbfe1 |+-----------------------+--------------------------------------+[backcolor=rgb(245, 245, 245) !important][url=][/url]
2 C8 e8 n9 m, \1 k2 \' }- J- k( E6 U B7 E# t5 ~
2 _5 w1 a) q9 r) c- @注意:默认policy.json文件只允许管理项目在路由器创建期间启用/禁用HA,并查看路由器的HA标志。 ! B) `4 y! C8 f
6.在路由器上添加项目子网作为接口: $ neutron router-interface-add demo-router demo-subnetAdded interface 8de3e172-5317-4c87-bdc1-f69e359de92e to router demo-router.6 ^, G. t V }: @# ?5 p% x
2 v4 v& x3 X' y) }
7.在路由器上添加一个通向外部网络的网关: 6 y: A% t1 T2 ^: `, s/ _
$ neutron router-gateway-set demo-router ext-netSet gateway for router demo-router+ K( d% f$ _* _1 m+ S
6 q4 X0 W9 H& Y8 z& N6 e7 w" V# k
验证网络操作
+ T' u% t7 }- O- w. D8 V8 Q1.提供管理项目凭据。; z% d6 m: _- F* I, F2 d' r
1 _( |) b) K6 e8 U. o- z( ~" m4 N2.在控制器节点上,验证HA网络的创建:
[backcolor=rgb(245, 245, 245) !important][url=][/url]
* B" |( f$ `5 t$ neutron net-list+--------------------------------------+----------------------------------------------------+-------------------------------------------------------+| id | name | subnets |+--------------------------------------+----------------------------------------------------+-------------------------------------------------------+| 5266fcbc-d429-4b21-8544-6170d1691826 | ext-net | b32e0efc-8cc3-43ff-9899-873b94df0db1 203.0.113.0/24 || e029b568-0fd7-4d10-bb16-f9e014811d10 | HA network tenant 443cd1596b2e46d49965750771ebbfe1 | ee30083f-eb4c-41ea-8937-1bae65740af4 169.254.192.0/18 || 7ac9a268-1ddd-453f-857b-0fd9552b645f | demo-net | 2945790c-5999-4693-b8e7-50a9fc7f46f5 192.168.1.0/24 |+--------------------------------------+----------------------------------------------------+-------------------------------------------------------+[backcolor=rgb(245, 245, 245) !important][url=][/url]
1 _8 X* q( u# s( W1 R
) Y, L5 o8 Z; A' E) x7 l
: k9 h+ p: b& v3.在控制器节点上,在多个网络节点上验证路由器的创建: ! }2 k5 {- S4 \' {
[backcolor=rgb(245, 245, 245) !important][url=][/url]. c" v' g9 Y" V) U
$ neutron l3-agent-list-hosting-router demo-router+--------------------------------------+----------+----------------+-------+----------+| id | host | admin_state_up | alive | ha_state |+--------------------------------------+----------+----------------+-------+----------+| 29afe014-273d-42f3-ad71-8a226e40dea6 | network1 | True | :-) | active || d27ac19b-fb4d-4fec-b81d-e8c65557b6ec | network2 | True | :-) | standby |+--------------------------------------+----------+----------------+-------+----------+[backcolor=rgb(245, 245, 245) !important][url=][/url]
, v6 Z6 A: x6 k- `, i4 t8 y- k( g$ a6 [6 n: l% i J$ S
7 S3 r. O; N. t1 G/ O注意:老版本的python - neutronclient不支持ha_state字段。
# c) q* J7 I! Z- @! U4.在控制器节点上,在demo - router路由器上验证HA端口的创建: [backcolor=rgb(245, 245, 245) !important][url=][/url]
' u. Z9 D/ Y/ H \) t, e$ neutron router-port-list demo-router+--------------------------------------+-------------------------------------------------+-------------------+----------------------------------------------------------------------------------------+| id | name | mac_address | fixed_ips |+--------------------------------------+-------------------------------------------------+-------------------+----------------------------------------------------------------------------------------+| 255d2e4b-33ba-4166-a13f-6531122641fe | HA port tenant 443cd1596b2e46d49965750771ebbfe1 | fa:16:3e:25:05:d7 | {"subnet_id": "8e8e4c7d-fa38-417d-a4e3-03ee5ab5493c", "ip_address": "169.254.192.1"} || 374587d7-2acd-4156-8993-4294f788b55e | | fa:16:3e:82:a0:59 | {"subnet_id": "b32e0efc-8cc3-43ff-9899-873b94df0db1", "ip_address": "203.0.113.101"} || 8de3e172-5317-4c87-bdc1-f69e359de92e | | fa:16:3e:10:9f:f6 | {"subnet_id": "2945790c-5999-4693-b8e7-50a9fc7f46f5", "ip_address": "192.168.1.1"} || 90d1a59f-b122-459d-a94a-162a104de629 | HA port tenant 443cd1596b2e46d49965750771ebbfe1 | fa:16:3e:ae:3b:22 | {"subnet_id": "8e8e4c7d-fa38-417d-a4e3-03ee5ab5493c", "ip_address": "169.254.192.2"} |+--------------------------------------+-------------------------------------------------+-------------------+----------------------------------------------------------------------------------------+[backcolor=rgb(245, 245, 245) !important][url=][/url]
5 V+ B% j3 I; A! _8 ?0 B% r0 s$ D7 Y1 i% B: \ Q/ c: \% D
9 i: a6 S4 T, T( Y# S
" Z7 y; U9 J1 P3 Z0 [+ Q5.在网络节点上,验证qrouter和qdhcp名称空间的创建:
. y( ^- ~5 `) m5 M- C[backcolor=rgb(245, 245, 245) !important][url=][/url]; k0 P2 a- g P
网络节点1:$ ip netnsqrouter-7a46dba8-8846-498c-9e10-588664558473网络节点2:$ ip netnsqrouter-7a46dba8-8846-498c-9e10-588664558473[backcolor=rgb(245, 245, 245) !important][url=][/url]: s. T- i' X% Z6 E# I- W' z# H
. m: T0 |2 w4 g$ }$ L# f) S; e两个qrouter名称空间都应该使用相同的UUID。 6 y! E0 E9 C& u! O$ z
请注意 h5 E* T$ Q) l% n* {: f
5 B8 a. E7 N6 [9 a v; b9 j
在启动实例之前,qdhcp名称空间可能不存在。
. H2 d! Y" n$ b2 U1 u1 a
/ j- v2 Z4 |) K! x6.在网络节点上,验证HA操作: 网络节点1:[backcolor=rgb(245, 245, 245) !important][url=][/url]2 n+ T) e& w$ J# t! {1 j
网络节点1:$ ip netns exec qrouter-7a46dba8-8846-498c-9e10-588664558473 ip addr show11: ha-255d2e4b-33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default link/ether fa:16:3e:25:05:d7 brd ff:ff:ff:ff:ff:ff inet 169.254.192.1/18 brd 169.254.255.255 scope global ha-255d2e4b-33 valid_lft forever preferred_lft forever inet6 fe80::f816:3eff:fe25:5d7/64 scope link valid_lft forever preferred_lft forever12: qr-8de3e172-53: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default link/ether fa:16:3e:10:9f:f6 brd ff:ff:ff:ff:ff:ff inet 192.168.1.1/24 scope global qr-8de3e172-53 valid_lft forever preferred_lft forever inet6 fe80::f816:3eff:fe10:9ff6/64 scope link valid_lft forever preferred_lft forever13: qg-374587d7-2a: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default link/ether fa:16:3e:82:a0:59 brd ff:ff:ff:ff:ff:ff inet 203.0.113.101/24 scope global qg-374587d7-2a valid_lft forever preferred_lft forever inet6 fe80::f816:3eff:fe82:a059/64 scope link valid_lft forever preferred_lft forever[backcolor=rgb(245, 245, 245) !important][url=][/url]
# T, s- I* h; z, @' J5 N# }0 s% C$ b, E6 ]$ A
8 u: C) j! \# B# k! {2 K
网络节点2:
5 }- W, G( Q. ~/ b; C" n+ s[backcolor=rgb(245, 245, 245) !important][url=][/url]: y3 T4 R) i2 W/ T5 { k
$ ip netns exec qrouter-7a46dba8-8846-498c-9e10-588664558473 ip addr show11: ha-90d1a59f-b1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default link/ether fa:16:3e:ae:3b:22 brd ff:ff:ff:ff:ff:ff inet 169.254.192.2/18 brd 169.254.255.255 scope global ha-90d1a59f-b1 valid_lft forever preferred_lft forever inet6 fe80::f816:3eff:feae:3b22/64 scope link valid_lft forever preferred_lft forever12: qr-8de3e172-53: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default link/ether fa:16:3e:10:9f:f6 brd ff:ff:ff:ff:ff:ff inet6 fe80::f816:3eff:fe10:9ff6/64 scope link valid_lft forever preferred_lft forever13: qg-374587d7-2a: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default link/ether fa:16:3e:82:a0:59 brd ff:ff:ff:ff:ff:ff inet6 fe80::f816:3eff:fe82:a059/64 scope link valid_lft forever preferred_lft forever[backcolor=rgb(245, 245, 245) !important][url=][/url]
' c' i" p3 p2 s% T- }1 F
: Q3 l! I8 Z! q/ l在每个网络节点上,qrouter命名空间应该包括ha、qr和qg接口。在主节点上,qr接口包含项目网络网关IP地址,qg接口包含外部网络上的项目路由器IP地址。在备份节点上,qr和qg接口不应该包含IP地址。在这两个节点上,ha接口应该在169.254.192.0 / 18范围内包含唯一的IP地址。
. i8 d; ~2 q1 S5 B: t+ p+ ~2 D( G7.在网络节点上,在适当的网络接口上从主节点HA接口IP地址验证VRRP advertisements : $ ~; ^! H6 @# m; Q
网络节点1: [backcolor=rgb(245, 245, 245) !important][url=][/url]
" j. W& f3 R9 O# r2 B0 j5 D1 J$ tcpdump -lnpi eth116:50:16.857294 IP 169.254.192.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 50, authtype none, intvl 2s, length 2016:50:18.858436 IP 169.254.192.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 50, authtype none, intvl 2s, length 2016:50:20.859677 IP 169.254.192.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 50, authtype none, intvl 2s, length 20[backcolor=rgb(245, 245, 245) !important][url=][/url]& a2 {: C. \+ n/ Z. y+ w8 @9 M2 \
6 X1 m. `7 Z. g8 s. y b$ v8 T! e7 D c" H# Y9 G, v" E
网络节点2: [backcolor=rgb(245, 245, 245) !important][url=][/url]+ j. }. ^! B* r/ A/ E: d
$ tcpdump -lnpi eth116:51:44.911640 IP 169.254.192.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 50, authtype none, intvl 2s, length 2016:51:46.912591 IP 169.254.192.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 50, authtype none, intvl 2s, length 2016:51:48.913900 IP 169.254.192.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 50, authtype none, intvl 2s, length 20[backcolor=rgb(245, 245, 245) !important][url=][/url]3 G! f( r2 ]: g% U: u+ n
4 L, L0 o$ }2 i. F# k# l! O
6 a1 x' I" ?" x, w3 }9 n5 K示例输出使用网络接口eth1。
& {8 Z0 n" ^) ^: I, Y) c* d5 ?- e
8.在路由器上确定项目网络的外部网络网关IP地址,通常是外部子网IP分配范围内的最低IP地址: [backcolor=rgb(245, 245, 245) !important][url=][/url]( c0 l) u$ g) e/ N9 u
$ neutron router-port-list demo-router+--------------------------------------+-------------------------------------------------+-------------------+----------------------------------------------------------------------------------------+| id | name | mac_address | fixed_ips |+--------------------------------------+-------------------------------------------------+-------------------+----------------------------------------------------------------------------------------+| 255d2e4b-33ba-4166-a13f-6531122641fe | HA port tenant 443cd1596b2e46d49965750771ebbfe1 | fa:16:3e:25:05:d7 | {"subnet_id": "8e8e4c7d-fa38-417d-a4e3-03ee5ab5493c", "ip_address": "169.254.192.1"} || 374587d7-2acd-4156-8993-4294f788b55e | | fa:16:3e:82:a0:59 | {"subnet_id": "b32e0efc-8cc3-43ff-9899-873b94df0db1", "ip_address": "203.0.113.101"} || 8de3e172-5317-4c87-bdc1-f69e359de92e | | fa:16:3e:10:9f:f6 | {"subnet_id": "2945790c-5999-4693-b8e7-50a9fc7f46f5", "ip_address": "192.168.1.1"} || 90d1a59f-b122-459d-a94a-162a104de629 | HA port tenant 443cd1596b2e46d49965750771ebbfe1 | fa:16:3e:ae:3b:22 | {"subnet_id": "8e8e4c7d-fa38-417d-a4e3-03ee5ab5493c", "ip_address": "169.254.192.2"} |+--------------------------------------+-------------------------------------------------+-------------------+----------------------------------------------------------------------------------------+[backcolor=rgb(245, 245, 245) !important][url=][/url]
/ _, x/ z" r/ U/ j8 j
. i7 l$ X7 h' \9 f) T- @- z: w3 O3 A
6 K; h7 X3 F% @6 i& ^' D: K, s' I* F- a- N( S: |; B
9.在控制器节点或任何有访问外部网络的主机上,在项目路由器上ping外部网络网关IP地址: [backcolor=rgb(245, 245, 245) !important][url=][/url]! D& I Z, b4 l2 A1 L# V4 t' k/ D: k
$ ping -c 4 203.0.113.101PING 203.0.113.101 (203.0.113.101) 56(84) bytes of data.64 bytes from 203.0.113.101: icmp_req=1 ttl=64 time=0.619 ms64 bytes from 203.0.113.101: icmp_req=2 ttl=64 time=0.189 ms64 bytes from 203.0.113.101: icmp_req=3 ttl=64 time=0.165 ms64 bytes from 203.0.113.101: icmp_req=4 ttl=64 time=0.216 ms--- 203.0.113.101 ping statistics ---4 packets transmitted, 4 received, 0% packet loss, time 2999msrtt min/avg/max/mdev = 0.165/0.297/0.619/0.187 ms[backcolor=rgb(245, 245, 245) !important][url=][/url]
& H& A% ?: m, _
: n6 {5 X# L+ T( x7 _9 c! ]9 b, y: L
+ c* }4 h+ P( v% Y- e/ W0 X
8 Y& u9 z9 ~$ i. O4 X10.提供常规项目凭证。下面的步骤使用演示项目。
+ L* G, D1 d2 b. f% Q# a' |0 S
9 j* P' } E/ j) w2 r' \& e11.创建适当的安全组规则,允许ping和SSH访问实例。例如: [backcolor=rgb(245, 245, 245) !important][url=][/url]+ t; {4 m( i2 o l7 N) _1 K
$ nova secgroup-add-rule default icmp -1 -1 0.0.0.0/0+-------------+-----------+---------+-----------+--------------+| IP Protocol | From Port | To Port | IP Range | Source Group |+-------------+-----------+---------+-----------+--------------+| icmp | -1 | -1 | 0.0.0.0/0 | |+-------------+-----------+---------+-----------+--------------+$ nova secgroup-add-rule default tcp 22 22 0.0.0.0/0+-------------+-----------+---------+-----------+--------------+| IP Protocol | From Port | To Port | IP Range | Source Group |+-------------+-----------+---------+-----------+--------------+| tcp | 22 | 22 | 0.0.0.0/0 | |+-------------+-----------+---------+-----------+--------------+[backcolor=rgb(245, 245, 245) !important][url=][/url]) M0 n+ [+ ]0 M' l
" l& u; \/ p8 W
( o6 W! M0 C0 a' H2 G* K1 V12.在项目网络上启动一个具有接口的实例。例如,使用现有的CirrOS镜像: 5 H( u& E Y0 |/ o* n$ E
[backcolor=rgb(245, 245, 245) !important][url=][/url]% L4 S/ V" n7 I8 W* m* b* f$ I, P: h
$ nova boot --flavor m1.tiny --image cirros \ --nic net-id=7ac9a268-1ddd-453f-857b-0fd9552b645f demo-instance1+--------------------------------------+-----------------------------------------------+| Property | Value |+--------------------------------------+-----------------------------------------------+| OS-DCF:diskConfig | MANUAL || OS-EXT-AZ:availability_zone | nova || OS-EXT-STS:power_state | 0 || OS-EXT-STS:task_state | scheduling || OS-EXT-STS:vm_state | building || OS-SRV-USG:launched_at | - || OS-SRV-USG:terminated_at | - || accessIPv4 | || accessIPv6 | || adminPass | Z3uAd2utPUNu || config_drive | || created | 2015-08-10T15:06:24Z || flavor | m1.tiny (1) || hostId | || id | 77149598-c839-400f-b948-db6993f0b40b || image | cirros (125733d9-8d37-4d70-9a64-1c989cfa8e9c) || key_name | || metadata | {} || name | demo-instance1 || os-extended-volumes:volumes_attached | [] || progress | 0 || security_groups | default || status | BUILD || tenant_id | 443cd1596b2e46d49965750771ebbfe1 || updated | 2015-08-10T15:06:25Z || user_id | bdd4e165bdf94b258ddd4856340ed01c |+--------------------------------------+-----------------------------------------------+[backcolor=rgb(245, 245, 245) !important][url=][/url]
% F- @ g6 _* G) j1 f) I- C; M; N8 N6 b3 q$ F8 U
/ \ |: K* u& E- x; W8 ^) d: {3 p13.获得对实例的控制台访问。 [backcolor=rgb(245, 245, 245) !important][url=][/url]- b6 E6 Y, `" ~% c3 j( H* Q' \
Z; F/ N- F- R o, Q7 e* t. _) p
1.测试连接到项目路由器:$ ping -c 4 192.168.1.1PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.64 bytes from 192.168.1.1: icmp_req=1 ttl=64 time=0.357 ms64 bytes from 192.168.1.1: icmp_req=2 ttl=64 time=0.473 ms64 bytes from 192.168.1.1: icmp_req=3 ttl=64 time=0.504 ms64 bytes from 192.168.1.1: icmp_req=4 ttl=64 time=0.470 ms--- 192.168.1.1 ping statistics ---4 packets transmitted, 4 received, 0% packet loss, time 2998msrtt min/avg/max/mdev = 0.357/0.451/0.504/0.055 ms2.测试连接到互联网:$ ping -c 4 openstack.orgPING openstack.org (174.143.194.225) 56(84) bytes of data.64 bytes from 174.143.194.225: icmp_req=1 ttl=53 time=17.4 ms64 bytes from 174.143.194.225: icmp_req=2 ttl=53 time=17.5 ms64 bytes from 174.143.194.225: icmp_req=3 ttl=53 time=17.7 ms64 bytes from 174.143.194.225: icmp_req=4 ttl=53 time=17.5 ms--- openstack.org ping statistics ---4 packets transmitted, 4 received, 0% packet loss, time 3003msrtt min/avg/max/mdev = 17.431/17.575/17.734/0.143 ms' W9 W0 Y) o* k- A' f# }
[backcolor=rgb(245, 245, 245) !important][url=][/url]- N% W! B" m- K5 |' f
+ ]7 P( j1 J7 v; ^
6 {' H9 ]& c$ u. T( i9 G6 n5 O14.在外部网络上创建浮动IP地址: [backcolor=rgb(245, 245, 245) !important][url=][/url]$ \+ C( z/ I# ~# B# r" O
$ neutron floatingip-create ext-netCreated a new floatingip:+---------------------+--------------------------------------+| Field | Value |+---------------------+--------------------------------------+| fixed_ip_address | || floating_ip_address | 203.0.113.102 || floating_network_id | 5266fcbc-d429-4b21-8544-6170d1691826 || id | 20a6b5dd-1c5c-460e-8a81-8b5cf1739307 || port_id | || router_id | || status | DOWN || tenant_id | 443cd1596b2e46d49965750771ebbfe1 |+---------------------+--------------------------------------+[backcolor=rgb(245, 245, 245) !important][url=][/url]' g, a6 P( k6 s; O1 l9 J
' ~- {! v' g t+ L, N* ] L
9 E) T4 h6 `. Q1 Z4 v1 T. G- {15.将浮动IP地址与实例关联: $ nova floating-ip-associate demo-instance1 203.0.113.1021 _6 p0 ]1 \- P3 b9 S7 {$ E# {, Y
- l4 k& b3 @0 ~' r
16.验证添加到实例的浮动IP地址: [backcolor=rgb(245, 245, 245) !important][url=][/url]
/ m- W+ K% b3 w. v$ nova list+--------------------------------------+----------------+--------+------------+-------------+-----------------------------------------+| ID | Name | Status | Task State | Power State | Networks |+--------------------------------------+----------------+--------+------------+-------------+-----------------------------------------+| 77149598-c839-400f-b948-db6993f0b40b | demo-instance1 | ACTIVE | - | Running | demo-net=192.168.1.3, 203.0.113.102 |+--------------------------------------+----------------+--------+------------+-------------+-----------------------------------------+[backcolor=rgb(245, 245, 245) !important][url=][/url]4 N [* E2 I/ m
+ X R; l! p+ J0 g# a7 H8 h6 N6 r3 Q; U
17.在控制器节点或任何访问外部网络的主机上,ping与实例关联的浮动IP地址:
: f9 {& c; v0 X( M5 g& a[backcolor=rgb(245, 245, 245) !important][url=][/url]
9 T" S* B. V: `" ?" y, j3 {4 f$ ping -c 4 203.0.113.102PING 203.0.113.102 (203.0.113.112) 56(84) bytes of data.64 bytes from 203.0.113.102: icmp_req=1 ttl=63 time=3.18 ms64 bytes from 203.0.113.102: icmp_req=2 ttl=63 time=0.981 ms64 bytes from 203.0.113.102: icmp_req=3 ttl=63 time=1.06 ms64 bytes from 203.0.113.102: icmp_req=4 ttl=63 time=0.929 ms--- 203.0.113.102 ping statistics ---4 packets transmitted, 4 received, 0% packet loss, time 3002msrtt min/avg/max/mdev = 0.929/1.539/3.183/0.951 ms. s$ f: F- R" _0 I2 m0 [ @
|
发表于 2021-6-25 11:21:40
