|
|
[1] Change settings on Control Node.
+ j$ N: D3 \* \; g5 A- T6 C' M, [[root@dlp ~(keystone)]# vi /etc/neutron/plugins/ml2/ml2_conf.ini2 i; J& \- \/ ]9 z4 [4 S
# add a value to [tenant_network_types]! P5 ]0 j( `5 n" ^* F5 {5 Y5 n
[ml2]
5 I8 ?+ A4 u, h ptype_drivers = flat,vlan,gre,vxlan
% R2 Z' R* l5 f3 Ytenant_network_types = vxlan
% N( q5 [3 C) h# h0 I1 S7 {4 o# add to the end0 h2 U, t6 M7 x& H/ k9 k
[ml2_type_flat]& [" o) d8 P: p6 k
flat_networks = physnet1- M% ~3 q1 z. U" }( @7 @
[ml2_type_vxlan]
' g' j, a2 |: @# P* z2 y0 kvni_ranges = 1:1000
& m- H! Z! o$ Q: L% m( q$ h[root@dlp ~(keystone)]# systemctl restart neutron-server
: _& O% L% p' d1 ]$ t) [* e9 b[2] Change settings on Network Node.4 R* i1 A) ?1 e3 m7 W) }6 I
# add bridge
7 v8 R4 q1 m( h# i' ^7 U[root@network ~]# ovs-vsctl add-br br-eth1
- l6 B: q. D& I0 a# add [eth1] to the port of the bridge above
& a' V0 i a* @' ]6 L8 v# replace the interface name [eth1] to your own environment
! w! r% i8 ~+ O/ B0 }" V$ c[root@network ~]# ovs-vsctl add-port br-eth1 eth17 z/ ?2 b8 w! S3 q! s2 S$ t; q
[root@network ~]# vi /etc/neutron/plugins/ml2/ml2_conf.ini
2 [, e. l3 f- _$ I' v! I6 E# add a value to [tenant_network_types]/ H$ v0 H/ [. g, j/ \
[ml2]
' I( I* V7 h! l0 e5 v5 ?type_drivers = flat,vlan,gre,vxlan! N# @- j/ C( w U# c
tenant_network_types = vxlan4 j u* n. H7 J$ [4 M. A
# add to the end
) e( |% N1 _' W[ml2_type_flat]* n8 b1 V9 y3 t+ l/ }
flat_networks = physnet1
' n. Y2 ]! y# p1 e* n( ^3 q[ml2_type_vxlan]) i4 t) i E: v) D) ?
vni_ranges = 1:1000
/ C5 x, O6 M' Z9 s) W. X[root@network ~]# vi /etc/neutron/plugins/ml2/openvswitch_agent.ini9 D' a; b1 t) m2 X/ H. z0 {5 Y
# add to the end
/ B: Q9 k# F* {: D[agent]& m3 j N" D% A/ `" P6 `; x
tunnel_types = vxlan& W$ M9 G+ D. w+ Y# o! W
prevent_arp_spoofing = True, e9 H. A( |' V0 @0 W" V& v, q
[ovs]
" }% S$ a# r& J. S, p7 V: D# specify IP address of this host for [local_ip]
8 L+ n2 D0 T; P$ Jlocal_ip = 10.0.0.50
3 S' a6 I& @7 ` q% I' x* `3 Qbridge_mappings = physnet1:br-eth1- j d7 e. y* J4 {4 l" z* H
[root@network ~]# systemctl restart neutron-dhcp-agent neutron-l3-agent neutron-metadata-agent neutron-openvswitch-agent$ y+ n' L3 R% ^6 d
# if Firewalld is running, allow VXLAN port/ S! T7 }2 y6 h X2 W; d
[root@network ~]# firewall-cmd --add-port=4789/udp
" k, N+ M* ], x[root@network ~]# firewall-cmd --runtime-to-permanent
5 T: M1 `( I! \- e[3] Change settings on Compute Node.0 Q# Q- h0 p; @, _" ~- n1 V
[root@node01 ~]# vi /etc/neutron/plugins/ml2/ml2_conf.ini
* c5 ?8 @2 W! V- Q# s- O# add a value to [tenant_network_types]
2 A# _5 I/ |2 m( v# Y) B6 Q* p- L6 I[ml2]7 l) s, N- [; y
type_drivers = flat,vlan,gre,vxlan
. O7 C# c! D w5 b p3 `9 atenant_network_types = vxlan
$ A N* v \2 V, s; [) Y' f+ @2 p# add to the end
6 i2 a; ]0 F) h4 X+ R4 x- s. u[ml2_type_flat]3 n7 [' v/ B) y, D0 A5 ?/ r
flat_networks = physnet1
* X) y# G- [& e8 ]' C* F[ml2_type_vxlan]
: D! q" f9 W, c0 [( H: yvni_ranges = 1:10003 d, o4 Q$ h8 H* r* K2 v
[root@node01 ~]# vi /etc/neutron/plugins/ml2/openvswitch_agent.ini
6 ~/ {4 e2 v' |. w# add to the end/ V' ^$ C( C! B" I, C. W
[agent], X, ^( j8 K3 R$ l, a
tunnel_types = vxlan
5 D4 o- T- L% y1 [prevent_arp_spoofing = True
w" u9 l* N* V& Z/ F[ovs]
V2 i$ F, L* j# specify IP address of this host for [local_ip]
" r7 O" G c2 I" c) ?" l2 @local_ip = 10.0.0.51
# [; H: W+ J6 n. I3 }9 h; _1 K[root@node01 ~]# systemctl restart neutron-openvswitch-agent
- e' h( ]! U# ?8 }% k) U- t# if Firewalld is running, allow VXLAN port
& P: I; i: i$ b4 \' t9 h6 |3 c[root@node01 ~]# firewall-cmd --add-port=4789/udp. @- i. y2 R1 M% _
[root@node01 ~]# firewall-cmd --runtime-to-permanent
+ Y( g: a. ^( I# Y) S: z' X+ j[4] Create a Virtual router. It's OK to work on any node. (This example is on Control Node)0 A1 i& B( ]$ C0 t: q" h
[root@dlp ~(keystone)]# openstack router create router01. O% J! m7 Z _, M
+-------------------------+--------------------------------------+
9 t% l( ^- O* ]6 n5 O7 u| Field | Value |. Q: D: M" h5 c" m/ Z
+-------------------------+--------------------------------------+
! F# w# H/ k- ?) Y/ M| admin_state_up | UP |
) d/ h2 F7 u0 e: G0 N: m6 ?- P% G0 c| availability_zone_hints | |! D. o' y V+ G1 T2 q7 C' C( ^
| availability_zones | |/ z! w- Z+ p) T. i( L# G0 b
| created_at | 2022-05-31T09:59:08Z |4 F9 o' J' @; \7 i( X
| description | |
( T% d8 S) k& u1 W6 M5 L) m| distributed | False |6 R8 O( H- T% n+ ?6 h5 v& b
| external_gateway_info | null |7 \ g/ M4 C7 ?+ g
| flavor_id | None |7 b; [/ w/ i5 n* E% V
| ha | False |2 j V# p$ R0 _% K3 A
| id | 0ed5c019-30e0-4e45-8ed5-f5df12dedeb0 |
$ c$ u3 u* M8 k( t) e2 \+ || name | router01 |
" X7 b( x+ p9 I9 n| project_id | 0609d3b3b398456187fb705ec9224c4a |
' j# {7 m5 s6 m" E( ~| revision_number | 1 |" Q* s S/ ]1 F4 S9 ]9 z
| routes | |& |- p! U' h2 j. s' @* S
| status | ACTIVE |2 V) ^: D$ Z( p- Q: F2 L
| tags | |
) F G8 l. z* k( t! {2 c4 O| updated_at | 2022-05-31T09:59:08Z |5 E" C$ X2 X6 n, s
+-------------------------+--------------------------------------+* B' b$ e) l1 b' ^
[5] Create internal network and associate with the router above.7 `' Q$ t: ?) Q4 F$ r
# create internal network
( X& B* e) z4 V% S, l p+ M! R[root@dlp ~(keystone)]# openstack network create private --provider-network-type vxlan
{$ N5 }6 l! X- |$ y/ {8 _+---------------------------+--------------------------------------+7 D% \& N4 f, }/ A; e
| Field | Value |
6 y# O9 T2 V4 d8 C+---------------------------+--------------------------------------+
" g# x. y# `* ]9 A! G| admin_state_up | UP |; |# e$ B% G/ I% e# [
| availability_zone_hints | |
# _9 {/ T/ A0 [) h| availability_zones | |
t% M# G; r7 e$ D; `| created_at | 2022-05-31T09:59:43Z |5 Y% v2 p& Q6 U: j; A6 {
| description | |
( j' w& w( e3 j| dns_domain | None |
' D8 r Z. g+ T6 ~$ d" m% H( z! J| id | 032d3ae8-1c54-4f0c-bb64-10967d5630ff |& }/ {4 Q1 G- i2 q# j
| ipv4_address_scope | None |
y! g, N+ o% o1 l3 }/ a| ipv6_address_scope | None |$ |, z& D$ O+ E2 T* v6 u3 X
| is_default | False |( o# Y1 X7 \' _% q1 D) ]8 r
| is_vlan_transparent | None |$ l/ r3 _& z1 T1 d3 p" Z! ?
| mtu | 1450 |# j* H9 M% G4 Y1 V5 L
| name | private |
# _9 z l) O8 ?' y( W9 y* R0 `| port_security_enabled | True |
; w- n: ~1 J9 ~4 f| project_id | 0609d3b3b398456187fb705ec9224c4a |7 i, C ?! h/ r6 U- f
| provider:network_type | vxlan |5 C8 |6 h0 k- N9 A6 X
| provider:physical_network | None |
( u. X g1 R' t| provider:segmentation_id | 423 |3 H: {$ X# ]" @4 B+ {
| qos_policy_id | None |+ I* V( H9 T+ G3 n
| revision_number | 1 |
7 `4 i3 ~: [2 Q/ i, O7 v& r+ P4 U3 Q1 _| router:external | Internal |
6 P5 L; Z' L) @. w6 f( y| segments | None |1 s* O; o! d m, F7 \2 U9 X
| shared | False |* B0 q8 `; E( a1 Z
| status | ACTIVE |5 l1 T$ l! [- S; ~
| subnets | |' ?1 E7 r y ]" D$ A# k/ M2 R
| tags | |
4 ?; H9 D" @7 r| updated_at | 2022-05-31T09:59:43Z |
e) \' Z p, Z0 ~' {( P( i( S5 F+---------------------------+--------------------------------------+
. m% o) J6 u c$ F# create subnet in the internal network
( Q8 E/ j/ r) I# h$ O' z- o9 p% M[root@dlp ~(keystone)]# openstack subnet create private-subnet --network private \
9 Z! x5 d e3 `! I- Y5 W% F--subnet-range 192.168.100.0/24 --gateway 192.168.100.1 \- d% i" B" T3 u( t/ N
--dns-nameserver 10.0.0.10
1 p9 ~# F5 W! n& {, D# v( M+ _+----------------------+--------------------------------------+2 P% G2 |6 S0 Q$ y' k n' u
| Field | Value |# @- ~+ ^% V& T" e( ~
+----------------------+--------------------------------------+
o6 x1 j1 _9 G0 A! C; I/ b" {| allocation_pools | 192.168.100.2-192.168.100.254 |
1 ]) O. ]( ~- }| cidr | 192.168.100.0/24 |# ^6 W3 J/ f) v: g: q
| created_at | 2022-05-31T10:00:30Z |
' [ E4 E' m9 ?% l$ d& R| description | |% S* G" a9 R) X
| dns_nameservers | 10.0.0.10 |
. k* f7 V0 b1 C* N| dns_publish_fixed_ip | None |
* A, ]- |6 T6 O| enable_dhcp | True |
. m: ~& C) O" _0 q| gateway_ip | 192.168.100.1 | P0 S* ~ N# k; T$ K/ ?
| host_routes | |
7 n/ r7 Q- i" f6 o; a a% T| id | 57454e98-d4c2-40b2-b0ee-d1ec340e9001 |
2 l: ` w9 c) r| ip_version | 4 |; Q! m! s5 L* ?1 K$ h4 @3 W: J/ d/ }
| ipv6_address_mode | None |# c) z9 ]4 b8 [& o3 T
| ipv6_ra_mode | None |0 b! k0 @2 w9 ]3 m
| name | private-subnet |
' l& A. s3 X$ d| network_id | 032d3ae8-1c54-4f0c-bb64-10967d5630ff |
2 c {! e& F/ i- O* r. ]0 \| project_id | 0609d3b3b398456187fb705ec9224c4a |
* Q s2 L+ j$ q- Y( X| revision_number | 0 |, {; }' g0 r: p: x" `& [2 ~ O: Y
| segment_id | None |& T' B6 r# i( S; x7 R: u- h
| service_types | |
" T8 c& L7 h. i9 {| subnetpool_id | None |4 }5 U( Q; c7 h* l) m
| tags | |
" Z& f! s1 i) H$ w- I2 h) S| updated_at | 2022-05-31T10:00:30Z |
; N- v# x* ~$ ]7 n+----------------------+--------------------------------------+
3 f; {5 s5 }, M- \& h# set internal network to the router above
& A* q7 A& U4 U9 q5 ~- C& }* _. }2 Y6 ?[root@dlp ~(keystone)]# openstack router add subnet router01 private-subnet
% L8 A0 ~( X- H+ L2 {[6] Create external network and associate with the router above.
( U- u. Y* \9 x, [+ _& F( I# create external network7 K# E: G1 t4 A/ |8 d
[root@dlp ~(keystone)]# openstack network create \
9 @6 B+ r& o) J+ [2 A) e--provider-physical-network physnet1 \5 V0 y: G" H9 E# H
--provider-network-type flat --external public
! M; F3 E r |9 I* l0 ~" y, Q+---------------------------+--------------------------------------+- N& J( ^3 [& M1 o* C G
| Field | Value |& b: t0 q& `5 m$ r& `# T* I) O
+---------------------------+--------------------------------------+1 U' g" d, ~: O
| admin_state_up | UP |* K) S+ ?. D' ^) t" T6 t9 v
| availability_zone_hints | |. ]) f, m% H5 q' X
| availability_zones | |" ?# o& g8 }; L( c: y+ F
| created_at | 2022-05-31T10:01:17Z |7 Q8 D: y9 F3 e3 G* ^# o2 X% D
| description | |
; E( j& @3 m# || dns_domain | None |% i7 R% x2 s* ~- {
| id | fb890e9b-623d-447e-bdfc-d73ecaa619e8 |: I1 q0 z# A) t! R1 T3 `
| ipv4_address_scope | None |
3 J6 ?6 [- J6 x( s. ^) p$ z| ipv6_address_scope | None |
) M# _% a& U$ }/ X- G1 s/ h7 B, c| is_default | False |6 [* q4 M7 M8 z: t
| is_vlan_transparent | None |
- Q; `! C& V' c! i| mtu | 1500 |
, X8 m6 R& i0 Q3 P6 @| name | public |9 I5 }- j) p x7 r
| port_security_enabled | True |% n5 x6 l% H/ D. S
| project_id | 0609d3b3b398456187fb705ec9224c4a |7 q; ~* p" g! y: C; W1 c
| provider:network_type | flat |, f" |0 }7 H' }& R/ n0 c% p
| provider:physical_network | physnet1 |; a% J3 Q2 ?6 ^, |) C
| provider:segmentation_id | None |6 B2 h0 `7 J$ a4 Q3 z5 u7 q b
| qos_policy_id | None |
1 |- ~/ v) [/ \0 b2 }| revision_number | 1 |* S' P. Y. z+ I) d# @
| router:external | External |8 Y0 |, t+ E% }9 C' Z: z8 T. s, u
| segments | None |% P; F4 M: v8 r2 E) J$ Z: _( f0 x
| shared | False |
0 g7 |' N, E/ U- B) y/ \4 Y| status | ACTIVE |, J+ C( ]5 n B8 R: e% y( t, @# V
| subnets | |
y8 |. q. S7 w. m# l| tags | |
' {5 f( E6 ]/ O+ C4 _* T| updated_at | 2022-05-31T10:01:17Z |
5 ~ v$ U/ H$ y7 [+---------------------------+--------------------------------------+" c* b6 a0 B {9 j+ n
# create subnet in the external network
- k5 R: d5 P5 \% B4 M[root@dlp ~(keystone)]# openstack subnet create public-subnet \
/ L P: c5 K. ]' G% y--network public --subnet-range 10.0.0.0/24 \. u% p* p/ w3 ?7 G7 [: I$ L
--allocation-pool start=10.0.0.200,end=10.0.0.254 \
) \: j6 u2 @& R6 [--gateway 10.0.0.1 --dns-nameserver 10.0.0.10 --no-dhcp& t6 T. {+ x$ O1 Z- @8 f
+----------------------+--------------------------------------+4 ^2 x9 H. I- L `8 a0 `' f
| Field | Value |2 V9 `8 |, o/ j6 r& Q% N9 u0 o. W
+----------------------+--------------------------------------+
* V$ G" @; ^ K# @| allocation_pools | 10.0.0.200-10.0.0.254 |% m4 _/ D7 m+ T* H2 B9 F
| cidr | 10.0.0.0/24 |/ K( s, j" j: F; r/ h. _
| created_at | 2022-05-31T10:01:44Z |9 f) ]7 e' D/ O+ ^
| description | |1 U( u. d( D3 T6 m2 G: n
| dns_nameservers | 10.0.0.10 |% y- R8 u+ q; m1 [0 [# q
| dns_publish_fixed_ip | None |
, V7 G* |' J3 C6 c7 I1 t. b7 N/ v| enable_dhcp | False |
3 s9 o$ _+ a$ A6 R- t| gateway_ip | 10.0.0.1 |3 |# t. @: o' m: V$ g% J
| host_routes | |
, n/ Q; r- j+ s' j# Z. A| id | ecccfdc5-2917-41d4-a957-88facca5c4d4 |! n3 _3 y0 n' F8 d
| ip_version | 4 |3 z6 s- p0 B# u( W1 X
| ipv6_address_mode | None |. I I! `; B" b, l3 X
| ipv6_ra_mode | None |% @3 X4 J6 } {9 s- \) ?8 k3 X- E
| name | public-subnet |
. N6 T( A# m. Y; q( \$ N| network_id | fb890e9b-623d-447e-bdfc-d73ecaa619e8 |( m! S3 I, f5 q+ B
| project_id | 0609d3b3b398456187fb705ec9224c4a |
8 q9 A2 A0 ^, r- m| revision_number | 0 |7 p1 T' c* j3 i; ~' N. W8 I
| segment_id | None |
3 m& b& d' b/ l: M! A7 ]# T$ M2 F| service_types | |
( c8 r3 c1 d: P* q1 X, V( p' p| subnetpool_id | None |
7 c- u( k/ X& v) c* n, T6 c. o" b| tags | |
( e) k/ I- i- `8 A9 z0 ]% l| updated_at | 2022-05-31T10:01:44Z |
. e+ y6 c3 f) W+ ^" ~9 [+----------------------+--------------------------------------+
8 E3 Z+ b" J1 t' n/ y v0 N" }' F# set gateway to the router above) |8 T( M7 u& R; a+ v* E! N
[root@dlp ~(keystone)]# openstack router set router01 --external-gateway public* H% u& A2 W: L% v+ n
[7] By default, it's possible to access for all projects to external network, however, for internal network, only admin projects can access to it, so grant access permission of internal network to a project you'd like to let users in the project use.
+ v5 C6 C- m2 m: h. S' W! z# show network RBAC list/ B( o% m% B2 S
[root@dlp ~(keystone)]# openstack network rbac list! Y1 j4 p. J0 u
+--------------------------------------+-------------+--------------------------------------+
9 c9 M ~5 z8 _% u! ]9 W2 a! q| ID | Object Type | Object ID |
, k* a6 n* K' C% V8 J/ o+--------------------------------------+-------------+--------------------------------------+
, M$ g# g& z# o| a37b34cd-e686-443f-b3ef-4a4c722b5d63 | network | fb890e9b-623d-447e-bdfc-d73ecaa619e8 |
* t1 r, L m8 r' c$ h( z4 H+--------------------------------------+-------------+--------------------------------------+
+ B$ G& s- C9 }+ ^4 B% x# RBAC details) _- T/ h9 c) l! u% Y: i& r0 x
# all projects can access only to [access_as_external]- {: f1 e0 p9 r$ X1 E
[root@dlp ~(keystone)]# openstack network rbac show a37b34cd-e686-443f-b3ef-4a4c722b5d63
A+ ]5 D" n$ u+ P4 c* ?9 d" X1 F+-------------------+--------------------------------------+
4 y0 ?/ O7 T+ T" V& q| Field | Value |8 S8 Z+ W# h* d
+-------------------+--------------------------------------+
/ Y9 ?% e2 r- p' S| action | access_as_external |
J/ l# B: F4 n l( ^| id | a37b34cd-e686-443f-b3ef-4a4c722b5d63 |6 O' F. y8 ]0 `2 s
| name | None |
, |) h4 `& c- F7 [. S| object_id | fb890e9b-623d-447e-bdfc-d73ecaa619e8 |6 K i! ~9 o; y0 [7 q; Z
| object_type | network |
8 v, N! }# d. E+ s0 \# `| project_id | 0609d3b3b398456187fb705ec9224c4a |) ]5 n+ P" M+ d- n7 U; v1 O
| target_project_id | * |3 N4 x$ T' m$ ^9 V
+-------------------+--------------------------------------+
: \: t: J1 s2 r# show network list- b# h* @( \( r# r( P
[root@dlp ~(keystone)]# openstack network list0 F9 L3 C# ^7 W$ T+ z- C2 Q9 q, H
+--------------------------------------+---------+--------------------------------------+# C" \/ @) A8 R7 p& \
| ID | Name | Subnets |
9 X7 F2 q2 M' s$ Q1 H+ b+--------------------------------------+---------+--------------------------------------+
' S2 I2 F' }6 m) C4 y2 I| 032d3ae8-1c54-4f0c-bb64-10967d5630ff | private | 57454e98-d4c2-40b2-b0ee-d1ec340e9001 |( ?' O$ Q* K) p: ~% @; g& s0 m6 f( D
| fb890e9b-623d-447e-bdfc-d73ecaa619e8 | public | ecccfdc5-2917-41d4-a957-88facca5c4d4 |- r: P2 ~; q9 y" |( {0 U4 \0 z
+--------------------------------------+---------+--------------------------------------+
) I7 V# M- Y: k8 \9 K& _5 U! D# show project list$ {. r1 ?2 S" {: `
[root@dlp ~(keystone)]# openstack project list9 @7 t9 v7 X$ u0 [
+----------------------------------+-----------+
! u& m7 E; f0 `9 p# |+ X& ~: T| ID | Name |
0 P) W) P3 u3 J+----------------------------------+-----------+3 k# P' s) w# b
| 0609d3b3b398456187fb705ec9224c4a | admin |& o/ `- P. F& X* ^
| 3d85d1e79d654b3dade01eb5bfbf0679 | hiroshima |2 D2 F6 m. b6 m7 O: S3 X. [
| 8787527217494c6a87dd5a3b68dce1ef | service |: w" d% b9 }; a8 [* j: a
+----------------------------------+-----------+
) `+ O& o& Q ?" j# grant [access_as_shared] permission for [private] to [hiroshima] project
9 Y9 V, O' c0 b# ]5 X0 c1 A$ O[root@dlp ~(keystone)]# netID=$(openstack network list | grep private | awk '{ print $2 }')6 T0 V9 E6 ?$ o3 ^% y
[root@dlp ~(keystone)]# prjID=$(openstack project list | grep hiroshima | awk '{ print $2 }')% E. [, O* Q; J
[root@dlp ~(keystone)]# openstack network rbac create --target-project $prjID --type network --action access_as_shared $netID
- V! Z; F; c e& ?( f! r i+-------------------+--------------------------------------+
* ^8 l8 J" l! Q e4 I! w d| Field | Value |
( e+ `* @0 Q4 ]: m/ N, a* i+-------------------+--------------------------------------+( _& ^9 \+ ~* B6 a7 a" S0 W
| action | access_as_shared |
& C* G* f$ w) y8 H. x| id | dfb0e656-0983-46a9-8345-13a03ddbc3e9 | |. \' ~7 I+ t
| name | None |" r! d( j9 N3 v" Q. w% z
| object_id | 032d3ae8-1c54-4f0c-bb64-10967d5630ff |- \% b* ?' V m/ a
| object_type | network |
; u4 d+ }9 S( Y; K* J| project_id | 0609d3b3b398456187fb705ec9224c4a |* U" T1 k6 V* j a; Q( F* n0 J
| target_project_id | 3d85d1e79d654b3dade01eb5bfbf0679 |
2 v3 I3 i+ F. F/ }% P8 b+-------------------+--------------------------------------+) r/ n, C0 [0 v1 L* M# U0 y6 u
[8] Login with a user who is in the project you granted access permission to internal network and Create and boot an instance.
$ ]5 _# B! a* D- L; j7 o2 a. t/ v, ]# show available [flavor] list
0 c8 N6 W1 @% p5 M[cent@dlp ~(keystone)]$ openstack flavor list
" r4 Y: g7 S4 P9 g2 `' z8 |+----+----------+------+------+-----------+-------+-----------+3 W- u0 [' x! U9 J7 K( T( k1 l
| ID | Name | RAM | Disk | Ephemeral | VCPUs | Is Public |
! W" R5 d/ X D4 L: D) N+----+----------+------+------+-----------+-------+-----------++ e. D3 I, X8 l
| 0 | m1.small | 2048 | 10 | 0 | 1 | True |6 V7 G: X$ I7 [
+----+----------+------+------+-----------+-------+-----------+
3 U3 J) }3 \& l# show available image list3 Z* w# e: O5 h5 b6 _5 o+ y
[cent@dlp ~(keystone)]$ openstack image list
: ~3 C* I0 y# D+--------------------------------------+-----------------+--------+
& `- z3 I c5 [0 j/ Q( j4 r0 n- v| ID | Name | Status |
, a9 l, i; L6 J) d4 R2 ]2 f+--------------------------------------+-----------------+--------+
) q* q' M6 y4 q9 f) u R| 7be5b7ab-36e8-43c7-95dd-34b4139a0e44 | CentOS-Stream-8 | active |
% t) U# O2 U$ l8 t! M: I' w8 ?9 g2 i+--------------------------------------+-----------------+--------+/ C$ Z' I4 R9 X; K1 q/ j
# show available network list
8 _9 I- L# w9 t( G. I) A[cent@dlp ~(keystone)]$ openstack network list1 S5 L+ l2 c R. n7 M
+--------------------------------------+---------+--------------------------------------+
$ Z3 f* L+ Z' y& X9 Z| ID | Name | Subnets |
+ \' r4 l' \: J, [! c+--------------------------------------+---------+--------------------------------------+
2 \) f3 M- g. X! H( m. y| 032d3ae8-1c54-4f0c-bb64-10967d5630ff | private | 57454e98-d4c2-40b2-b0ee-d1ec340e9001 |
; @4 V: N3 s1 b7 C3 P: Y' V| fb890e9b-623d-447e-bdfc-d73ecaa619e8 | public | ecccfdc5-2917-41d4-a957-88facca5c4d4 |* V4 l; @8 G0 n# ]# e p+ |0 |+ p
+--------------------------------------+---------+--------------------------------------+# U3 h. V9 m ~4 S
# create a security group for instances
, m7 r- d5 q9 f3 p2 ?( X5 R[cent@dlp ~(keystone)]$ openstack security group create secgroup01$ @4 J& K9 H# m1 n
+-----------------+----------------------------------------------------------------------------+- d7 v& B. \# t
| Field | Value |
2 _ w1 w2 f9 U/ k- G) r+-----------------+----------------------------------------------------------------------------+
3 f' `+ _. o8 G0 ]6 t% F| created_at | 2022-05-31T08:14:56Z |" ~) u* C" H+ O8 l5 {/ R! Y0 _
| description | secgroup01 |
$ d; a5 a% E8 U2 V4 {| id | 001bf895-7218-4153-b64b-5c5741697009 |9 P6 ]) w' m& [" C% b: Q& o! h2 m% `
| name | secgroup01 |* z( E& R' A% L6 z* d5 q0 Z6 Q
| project_id | 3d85d1e79d654b3dade01eb5bfbf0679 |
2 ?. C; F- v* V [5 V| revision_number | 1 |
: n; u2 \7 }6 w9 h4 o0 X| rules | created_at='2022-05-31T08:14:56Z', direction='egress', ethertype='IPv4'... |! L6 ]: r# i6 ~; H& U- p- \
| | created_at='2022-05-31T08:14:56Z', direction='egress', ethertype='IPv6'... |4 R# ^, K5 t; B/ u1 G3 u
| stateful | True |
/ H* d$ J3 o0 l# C0 i5 }, e$ a| tags | [] |
$ g) G6 h) r# X9 h- r/ n| updated_at | 2022-05-31T08:14:56Z |2 g' T, d* J4 q2 w6 s6 f9 G
+-----------------+----------------------------------------------------------------------------+! \8 t' Y9 g; f4 ?# g( _6 S
# create a SSH keypair for connecting to instances
- \2 A$ h4 u& \( X: G6 s( m[cent@dlp ~(keystone)]$ ssh-keygen -q -N ""
5 t* w# l$ r8 g* M( _4 zEnter file in which to save the key (/home/cent/.ssh/id_rsa):
6 y; h2 }6 E- D5 G$ z# add public-key
& x6 h8 M( y9 w# r o" G) @[cent@dlp ~(keystone)]$ openstack keypair create --public-key ~/.ssh/id_rsa.pub mykey) X& y0 h) K- ]7 G
+-------------+-------------------------------------------------+
0 K. J6 f* W( _/ _6 C1 h" e! M| Field | Value |
k# u$ A% t; x- @3 a! j O F3 C8 ~: n+-------------+-------------------------------------------------+
6 S* y, H6 g% D% e/ b| created_at | None |/ z8 h+ {6 o! Y' @6 Q8 X- k
| fingerprint | 64:c1:46:5f:d4:dc:07:76:1c:5e:ee:b8:82:1e:9d:c3 |' R5 r# W5 ?1 }( c) |! N* ]
| id | mykey |
* }( _* V4 y( [/ V3 x8 }| is_deleted | None |
3 N" }0 b P& V| name | mykey |
! c: m# b: B8 O1 K| type | ssh |* x/ Y3 B9 o% {3 j
| user_id | ed0bc393ae81411fa1db0828e1d5e160 |
' J5 h& m( Q) j) @+-------------+-------------------------------------------------+
5 t% K f# ^# T' r; Z[cent@dlp ~(keystone)]$ netID=$(openstack network list | grep private | awk '{ print $2 }')
6 q8 N2 j7 {) u1 g& Q4 S# a& e! @[cent@dlp ~(keystone)]$ openstack server create --flavor m1.small --image CentOS-Stream-8 --security-group secgroup01 --nic net-id=$netID --key-name mykey CentOS-St8* N' d j" o' V2 d
[cent@dlp ~(keystone)]$ openstack server list
. g n' G; l0 }4 Q4 r( \5 w- E+--------------------------------------+------------+--------+------------------------+-----------------+----------+2 f$ l0 O: e1 b! ^
| ID | Name | Status | Networks | Image | Flavor |
1 O2 r4 ]. H/ V' ~; ?% J3 ~0 v+--------------------------------------+------------+--------+------------------------+-----------------+----------+" S5 l* e$ G; S: m7 ^2 U8 f
| b9422951-8141-45fe-becd-a01c72708504 | CentOS-St8 | ACTIVE | private=192.168.100.84 | CentOS-Stream-8 | m1.small |
! T) i9 d" v4 o+--------------------------------------+------------+--------+------------------------+-----------------+----------+
! ?' B4 _+ i( p# J1 q[9] Assign floating IP address to the Instance above.
3 _( ^1 Q3 W s[cent@dlp ~(keystone)]$ openstack floating ip create public
& W O5 T; [* B! B+---------------------+--------------------------------------+
* d4 [ a# L+ B8 Z' i9 f2 m' l| Field | Value |& V& v( m4 e9 Q8 C- u* v
+---------------------+--------------------------------------+
* t. c/ V e: l4 W0 f| created_at | 2022-05-31T10:08:01Z |/ y& z& d& W. ]0 Z [7 M4 a
| description | |/ P8 r ?; T1 r0 l- q9 e0 M1 W
| dns_domain | None |5 V. Z2 d: E x
| dns_name | None |, L8 O. v! z1 Z& Q, o4 k1 K
| fixed_ip_address | None |
- T2 {2 ~6 n% a+ }' \| floating_ip_address | 10.0.0.216 |
7 o! ~& X2 T, q! a" w& x| floating_network_id | fb890e9b-623d-447e-bdfc-d73ecaa619e8 |' H! a3 q" z% g1 l: A/ ^" T$ B
| id | 5f7bc534-0959-4504-b2fb-10c9f7bcf8de |
; E) Z" j, `+ U) }/ }, c) O| name | 10.0.0.216 |; v0 n( {* s7 g. `) q
| port_details | None |- V, t7 b- ?6 H2 l' n
| port_id | None |8 P+ Q8 s3 r' [# L
| project_id | 3d85d1e79d654b3dade01eb5bfbf0679 |
6 c# a6 p; G! Y| qos_policy_id | None |' ]8 x/ _6 V3 n# I2 M
| revision_number | 0 |
: D5 o$ m+ p5 t7 f8 L" ~$ {| router_id | None |' D8 Q; Y+ c+ D
| status | DOWN |3 g( L; k6 ?" Y* b
| subnet_id | None |( K2 N; E1 b# d t0 Z
| tags | [] |: p' S5 c6 @- d5 b) o9 m: V3 a7 v3 L
| updated_at | 2022-05-31T10:08:01Z |4 `5 W7 @2 O/ q$ Q
+---------------------+--------------------------------------+
- J+ D6 B0 b+ \, E8 U" U! r6 T; p: ~[cent@dlp ~(keystone)]$ openstack server add floating ip CentOS-St8 10.0.0.2168 S/ s: t# q' w5 j, D; e3 t
# confirm settings* } a% c/ i! |( J! p
[cent@dlp ~(keystone)]$ openstack floating ip show 10.0.0.216- m% G0 s5 X2 [
+---------------------+---------------------------------------------------------------------------+4 h5 o" X$ n+ T/ e) ]* A4 r
| Field | Value |7 d6 Q' @. m5 Z1 c- S7 I2 z
+---------------------+---------------------------------------------------------------------------+& y% f* V' j m1 l' V9 x7 w" Z
| created_at | 2022-05-31T10:08:01Z |2 ^% S* v8 K' L' J
| description | |
$ e }7 P( F0 ]8 p| dns_domain | None |6 ]* a- Q V1 v6 x7 x1 S) L
| dns_name | None |
& F& n) G @$ N8 A$ q, o' ?| fixed_ip_address | 192.168.100.84 |+ G' ~6 ^ ~6 B, ]/ B- V
| floating_ip_address | 10.0.0.216 | L( F: M# s0 c5 x% u9 i, L+ b
| floating_network_id | fb890e9b-623d-447e-bdfc-d73ecaa619e8 | M- n+ O* v( e: z! m
| id | 5f7bc534-0959-4504-b2fb-10c9f7bcf8de |% W& @& c R4 C2 q; r" J3 P
| name | 10.0.0.216 |
9 o& i! O) J) n, ?; |+ B6 Q' v7 m| port_details | admin_state_up='True', device_id='b9422951-8141-45fe-becd-a01c727085..... |4 V7 F& l X: S$ v
| port_id | a0670c7e-2fa9-4be9-801b-d62170f33efd |
/ `# p1 {& _2 d" s| project_id | 3d85d1e79d654b3dade01eb5bfbf0679 |. v% o# j- M- e
| qos_policy_id | None |
8 j! r! h% k$ _| revision_number | 2 |
0 l `0 c3 @& b2 X: S| router_id | 0ed5c019-30e0-4e45-8ed5-f5df12dedeb0 |
( z4 z$ r# U! X" ?$ E| status | ACTIVE |
4 n8 x+ n' Q) p+ x& u( L' q| subnet_id | None | N& k: z" b! F2 @7 S% g
| tags | [] |6 {1 c6 C. `& a- @, L* L
| updated_at | 2022-05-31T10:08:52Z |) y9 j6 V4 y8 Q: V* s4 w1 J. ?3 m
+---------------------+---------------------------------------------------------------------------+& p& y( j4 `( M1 @$ l; N& S
[cent@dlp ~(keystone)]$ openstack server list
$ l5 }$ ^7 E0 q1 G& K5 U: j+--------------------------------------+------------+--------+------------------------------------+-----------------+----------+
- k9 l+ H+ H5 j9 J" T; t| ID | Name | Status | Networks | Image | Flavor |
2 q& W! F) a7 L* C; q. L' @+--------------------------------------+------------+--------+------------------------------------+-----------------+----------+
# a6 d) R* m/ P7 D, i+ h| b9422951-8141-45fe-becd-a01c72708504 | CentOS-St8 | ACTIVE | private=10.0.0.216, 192.168.100.84 | CentOS-Stream-8 | m1.small |
9 o& M k+ m; d% w( W, j( h+--------------------------------------+------------+--------+------------------------------------+-----------------+----------+$ `+ w7 k0 o; W9 p. O8 A, L" a
[10] Configure security settings for the security group you created above to access with SSH and ICMP.& }* M0 N1 h- P5 _. ^; f
# permit ICMP }# b; w K2 I2 a7 d
[cent@dlp ~(keystone)]$ openstack security group rule create --protocol icmp --ingress secgroup015 [# T2 {2 ]. l! w+ O7 O8 G0 P
+-------------------------+--------------------------------------+6 ]3 I8 X0 [5 k+ }- w
| Field | Value |
7 g: Z4 h& [1 U; f, h# \4 Y9 }$ o+-------------------------+--------------------------------------+
6 h7 X$ p# K" U9 S/ O% [7 M. v| created_at | 2022-05-31T09:42:39Z |
" i( f! W5 i! `2 r| description | |
& J$ @9 N# y$ R" B; r; g| direction | ingress |
; U. O8 ?: O# a| ether_type | IPv4 |! }- H5 }2 s9 ~& }" h
| id | 96122e6a-c9eb-4cb6-b304-2fe0dc0b3219 |# n" z& r# p; ]9 `/ C6 N
| name | None |
8 l. ~* R# L3 c- ^, ]7 _$ y| port_range_max | None |
0 }! I# M! z [7 C7 T6 C| port_range_min | None |8 k/ ]) U; a8 K6 ~2 C( ]0 c# |
| project_id | 3d85d1e79d654b3dade01eb5bfbf0679 |7 O: k2 P2 r1 H3 x' a
| protocol | icmp |+ Q/ B( f8 E7 ^5 C4 |/ y
| remote_address_group_id | None |
& D% S' h+ i& M' ?, s9 i| remote_group_id | None |
6 j, W B! e0 \4 [ w b- o| remote_ip_prefix | 0.0.0.0/0 |9 ?6 N; M9 X( Y& y/ V
| revision_number | 0 |
2 L2 `; }! T4 Y$ T; g" ~5 a| security_group_id | 001bf895-7218-4153-b64b-5c5741697009 |
! n4 d p1 _2 u4 i| tags | [] |' |% f3 {% u0 I# t, W
| tenant_id | 3d85d1e79d654b3dade01eb5bfbf0679 |
; t3 U: a' q& G( u6 P" J9 V) Z d| updated_at | 2022-05-31T09:42:39Z |
! M8 K: q5 Z4 ? W+-------------------------+--------------------------------------+* H; X2 d# O& K
# permit SSH( ?1 P( X% U5 t/ f) _$ s& {% }" b
[cent@dlp ~(keystone)]$ openstack security group rule create --protocol tcp --dst-port 22:22 secgroup01' I1 J% I" [" o$ }
+-------------------------+--------------------------------------+) r' I) C! T$ v
| Field | Value |
/ L8 ~* G$ o. S- S' N7 @7 i+-------------------------+--------------------------------------+1 a" s+ v/ ?% k. S3 _0 m& m
| created_at | 2022-05-31T09:42:58Z |
' j- n3 R1 i8 j& M| description | |
( c& l) f. P9 d6 _+ c( e| direction | ingress |9 s& C5 }& p4 K
| ether_type | IPv4 |( g, h4 n$ d# B+ ~% P
| id | 28191a33-6e5a-487d-a7b7-cdef6f4f9dd9 |
, n" D* H; a2 Y, n+ Y+ d| name | None |
# f. G9 f! H4 j3 L| port_range_max | 22 | ]4 w- ^: \ G6 h3 T+ Z5 `: ]1 t
| port_range_min | 22 | E9 e$ R: A0 b9 R' z9 b
| project_id | 3d85d1e79d654b3dade01eb5bfbf0679 |( A! B6 P- d) p6 x4 p* ?' D0 T: u) g
| protocol | tcp |- A: b+ a% r/ q5 J f
| remote_address_group_id | None |
9 M% W8 S* |$ V| remote_group_id | None |
2 q1 P' d* E. ]+ v9 A| remote_ip_prefix | 0.0.0.0/0 |7 z" z8 i; o+ @! h9 v, Q; }: f
| revision_number | 0 |
+ t$ X6 ^8 A! j, n* d" u! P: y* M| security_group_id | 001bf895-7218-4153-b64b-5c5741697009 |% P6 K5 B5 F* q7 I5 }1 h/ j
| tags | [] |2 T% P5 K/ M0 ? ?, G
| tenant_id | 3d85d1e79d654b3dade01eb5bfbf0679 |, r! f: x1 J6 j; f) ^
| updated_at | 2022-05-31T09:42:58Z |
( l0 I) d1 Z4 r7 {1 u/ C. }: @+-------------------------+--------------------------------------+
! w! e1 k0 }3 t[cent@dlp ~(keystone)]$ openstack security group rule list secgroup014 X/ w( M/ K' D' _6 \+ x1 l
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+
+ }. s+ [! X E7 I| ID | IP Protocol | Ethertype | IP Range | Port Range | Direction | Remote Security Group | Remote Address Group |
* x9 k4 v4 L! \' J4 @0 V+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+
8 `8 H3 x* G7 z" U7 Q3 b| 28191a33-6e5a-487d-a7b7-cdef6f4f9dd9 | tcp | IPv4 | 0.0.0.0/0 | 22:22 | ingress | None | None |% S+ Z& o+ B7 g/ L5 {# o
| 7a5ce790-613c-433b-b817-75aa20a10fc1 | None | IPv4 | 0.0.0.0/0 | | egress | None | None |1 g# \2 m3 f- i8 n0 y
| 96122e6a-c9eb-4cb6-b304-2fe0dc0b3219 | icmp | IPv4 | 0.0.0.0/0 | | ingress | None | None |, S* C o5 c! G0 Q
| cf9e12bd-90d0-4c9c-b852-12d2cd53eb91 | None | IPv6 | ::/0 | | egress | None | None |# q( ]6 j+ l7 W! w, X
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+
0 q; Z: l" o) \' V8 s: j[11] It's possible to login to the Instance to connect to the floating IP address with SSH like follows." V; I: Y4 H8 ]3 n
[cent@dlp ~(keystone)]$ openstack server list
7 y. N& m# v' H: K m/ U4 t# Q+--------------------------------------+------------+--------+------------------------------------+-----------------+----------+
2 G: n0 c; p2 I* o5 \/ C| ID | Name | Status | Networks | Image | Flavor |! h, x/ {5 ~2 V. D3 ]+ E1 Q
+--------------------------------------+------------+--------+------------------------------------+-----------------+----------+
/ q! X& Q+ q% h. I, r| b9422951-8141-45fe-becd-a01c72708504 | CentOS-St8 | ACTIVE | private=10.0.0.216, 192.168.100.84 | CentOS-Stream-8 | m1.small |
5 V+ Y( K N' l9 Z0 K5 {) O4 l+--------------------------------------+------------+--------+------------------------------------+-----------------+----------+
9 N- u' n% G5 v9 ?" H[cent@dlp ~(keystone)]$ ssh centos@10.0.0.216; |+ z' Q5 E7 S2 r/ m, m
The authenticity of host '10.0.0.216 (10.0.0.216)' can't be established.
- }# s6 g$ c1 i9 k6 N, m/ IECDSA key fingerprint is SHA256:3ubFctH6ulVjsrc2KyvqfRJPIx3ceRuzrogRB2WY1Iw.
2 L( H& a6 r- ^- { f8 K6 S7 cAre you sure you want to continue connecting (yes/no/[fingerprint])? yes
+ X' U: D; t4 ]2 n" j+ n( Y FWarning: Permanently added '10.0.0.216' (ECDSA) to the list of known hosts.% V3 J. \0 p: ~* @5 C- u O% H
Activate the web console with: systemctl enable --now cockpit.socket# u, S; J5 `8 ]( T6 [* e% J# L! U
[centos@centos-st8 ~]$ # logined e! z) `$ @& J( R- s! l
|
|
发表于 2022-6-15 09:00:05