A controller node with one network interface: management.

Two network nodes with four network interfaces: management, project tunnel networks, project VLAN networks, and external (typically the Internet). The Open vSwitch bridge br-vlan must contain a port on the VLAN interface, and the Open vSwitch bridge br-ex must contain a port on the external interface.

At least one compute node with three network interfaces: management, project tunnel networks, and project VLAN networks. The Open vSwitch bridge br-vlan must contain a port on the VLAN interface. To improve understanding of network traffic flow, the network and compute nodes contain a separate network interface for project VLAN networks. In production environments, project VLAN networks can use any Open vSwitch bridge with access to a network interface, for example the br-tun bridge.

In the example configuration, the management network uses 10.0.0.0/24, the tunnel network uses 10.0.1.0/24, the VRRP network uses 169.254.192.0/18, and the external network uses 203.0.113.0/24. The VLAN network does not need an IP address range because it only handles layer-2 connectivity.
Hardware requirements

Figure: Network layout

Figure: Service layout

Note: For VLAN external and project networks, the network infrastructure must support VLAN tagging. For best performance with VXLAN and GRE project networks, the network infrastructure should support jumbo frames.
OpenStack services on the controller node

Operational database server with appropriate configuration in the neutron.conf file.
Operational message queue service with appropriate configuration in the neutron.conf file.
Operational OpenStack Identity (keystone) service with appropriate configuration in the neutron.conf file.
Operational OpenStack Compute controller/management service with appropriate configuration in the nova.conf file to use OpenStack Networking.
Neutron server service, ML2 plug-in, and any dependencies.

OpenStack services on the network nodes

Operational OpenStack Identity (keystone) service with appropriate configuration in the neutron.conf file.
Open vSwitch service, ML2 plug-in, Open vSwitch agent, L3 agent, DHCP agent, metadata agent, and any dependencies.

OpenStack services on the compute nodes

Operational OpenStack Identity (keystone) service with appropriate configuration in the neutron.conf file.
Operational OpenStack Compute controller/management service with appropriate configuration in the nova.conf file to use OpenStack Networking.
Open vSwitch service, ML2 plug-in, Open vSwitch agent, and any dependencies.
. y6 l! _+ ^, k" d1 W! r0 I% W体系结构
7 J" [$ e: B3 ?- z w8 d# V一般的体系架构7 w% D# s+ d- ~
网络节点包含以下组件:* f1 N1 R/ g3 X2 L
# c9 P V8 r$ B3 l1 k# p3 ^0 Q2 DOpen vSwitch代理管理虚拟交换机之间的连接,以及通过虚拟端口与其他网络组件(如名称空间、Linux网桥和底层接口)进行交互。) v# y) L" s$ ]5 q: f
+ g E) X7 z* }8 J* Y
管理qdhcp名称空间的DHCP代理。qdhcp名称空间为使用项目网络的实例提供DHCP服务。5 [4 ^& Z' z6 I6 i
8 r' Y5 C+ ~$ W; w
L3代理使用keepalived管理qrouter名称空间和VRRP。qrouter名称空间提供了项目和外部网络之间以及项目网络之间的路由。它们还在实例和元数据代理之间路由元数据通信。 R. b/ w2 W1 V7 W
- s, K3 C* s+ o9 G. @2 @+ F1 i; C元数据代理处理实例的元数据操作。 ' W& Q5 h4 m* x6 y. j$ T! |
4 h' c- l* R8 q; D9 |$ K5 F9 s5 ]网络节点组件回顾) J9 T# O* j7 J
0 m) A' B o1 D4 B: \3 f
! ?& u: z6 ?5 w5 p& p 网络节点组件连接0 ?1 c9 V$ o: q
8 j+ A. Q4 [/ r 计算节点包含以下组件:9 d$ z' P n" c. b p
( e" M- h5 F3 F1.Open vSwitch代理管理虚拟交换机之间的连接,以及通过虚拟端口与其他网络组件(如名称空间、Linux网桥和底层接口)进行交互。$ \* g8 Z' B5 m9 y
" c x: i1 @5 n2.Linux网桥处理安全组。
8 \3 q! G/ Q# Q% [$ ~# c注意:由于Open vSwitch和iptables的限制,网络服务使用Linux桥来管理实例的安全组。
4 Y& Y6 Y! @) B+ W9 B计算节点组件回顾" b: f6 X7 {$ v, o3 k* B# V0 Z1 O
% _+ \3 D# n3 m, @( M0 r
计算节点组件连接& p; z) X: J9 M/ E
Packet flow

The L3HA mechanism simply augments the Open vSwitch scenario with quick failover to another router if the master router fails.

During normal operation, the master router periodically transmits heartbeat packets over a hidden project network that connects all HA routers for a particular project. By default, this network uses the type of the first value in the tenant_network_types option in the /etc/neutron/plugins/ml2/ml2_conf.ini file.

If the backup router stops receiving these packets, it assumes failure of the master router and promotes itself to master by configuring the IP addresses on the interfaces in the qrouter namespace. In environments with more than one backup router, the backup router with the next highest priority becomes the master router.

Note: The L3HA mechanism uses the same priority for all routers. Therefore, VRRP promotes the backup router with the highest IP address to master router.
Example configuration

Use the following example configuration as a template to deploy this scenario in your environment.

Controller node

1. Configure common options. Edit the /etc/neutron/neutron.conf file:

    [DEFAULT]
    verbose = True
    core_plugin = ml2
    service_plugins = router
    allow_overlapping_ips = True
    router_distributed = False
    l3_ha = True
    l3_ha_net_cidr = 169.254.192.0/18
    max_l3_agents_per_router = 3
    min_l3_agents_per_router = 2
    dhcp_agents_per_network = 2

2. Configure the ML2 plug-in. Edit the /etc/neutron/plugins/ml2/ml2_conf.ini file:

    [ml2]
    type_drivers = flat,vlan,gre,vxlan
    tenant_network_types = vlan,gre,vxlan
    mechanism_drivers = openvswitch

    [ml2_type_flat]
    flat_networks = external

    [ml2_type_vlan]
    network_vlan_ranges = external,vlan:MIN_VLAN_ID:MAX_VLAN_ID

    [ml2_type_gre]
    tunnel_id_ranges = MIN_GRE_ID:MAX_GRE_ID

    [ml2_type_vxlan]
    vni_ranges = MIN_VXLAN_ID:MAX_VXLAN_ID
    vxlan_group = 239.1.1.1

    [securitygroup]
    firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
    enable_security_group = True
    enable_ipset = True

Replace MIN_VLAN_ID, MAX_VLAN_ID, MIN_GRE_ID, MAX_GRE_ID, MIN_VXLAN_ID, and MAX_VXLAN_ID with the minimum and maximum VLAN, GRE, and VXLAN ID values suitable for your environment.

Note: The first value in the tenant_network_types option becomes the default project network type when a regular user creates a network. The external value in the network_vlan_ranges option lacks a VLAN ID range so that administrative users can use arbitrary VLAN IDs.

3. Start the services.
Network nodes

1. Configure the kernel to enable packet forwarding and disable reverse path filtering. Edit the /etc/sysctl.conf file:

    net.ipv4.ip_forward=1
    net.ipv4.conf.default.rp_filter=0
    net.ipv4.conf.all.rp_filter=0

2. Load the new kernel configuration:

    $ sysctl -p

3. Configure common options. Edit the /etc/neutron/neutron.conf file:

    [DEFAULT]
    verbose = True

4. Configure the Open vSwitch agent. Edit the /etc/neutron/plugins/ml2/ml2_conf.ini file:

    [ovs]
    local_ip = TUNNEL_INTERFACE_IP_ADDRESS
    bridge_mappings = vlan:br-vlan,external:br-ex

    [agent]
    tunnel_types = gre,vxlan
    l2_population = False

    [securitygroup]
    firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
    enable_security_group = True
    enable_ipset = True

Replace TUNNEL_INTERFACE_IP_ADDRESS with the IP address of the interface that handles GRE/VXLAN project networks.

5. Configure the L3 agent. Edit the /etc/neutron/l3_agent.ini file:

    [DEFAULT]
    verbose = True
    interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
    use_namespaces = True
    external_network_bridge =
    router_delete_namespaces = True
    agent_mode = legacy

Note: The external_network_bridge option intentionally contains no value.

6. Configure the DHCP agent. Edit the /etc/neutron/dhcp_agent.ini file:

    [DEFAULT]
    verbose = True
    interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
    dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq
    use_namespaces = True
    dhcp_delete_namespaces = True

7. (Optional) Reduce the MTU for VXLAN project networks.

    1. Edit the /etc/neutron/dhcp_agent.ini file:

        [DEFAULT]
        dnsmasq_config_file = /etc/neutron/dnsmasq-neutron.conf

    2. Edit the /etc/neutron/dnsmasq-neutron.conf file:

        dhcp-option-force=26,1450

8. Configure the metadata agent. Edit the /etc/neutron/metadata_agent.ini file:

    [DEFAULT]
    verbose = True
    nova_metadata_ip = controller
    metadata_proxy_shared_secret = METADATA_SECRET

Replace METADATA_SECRET with a value suitable for your environment.

9. Start the following services: Open vSwitch, Open vSwitch agent, L3 agent, DHCP agent, metadata agent.
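A consistency check over the controller and network node settings from the two procedures above, added here as an example (it is not part of the original page or of Neutron): it loads constructed fragments of neutron.conf, ml2_conf.ini, the Open vSwitch agent sections and l3_agent.ini and reports the mismatches that quietly break this scenario, such as a physical network with no bridge mapping or an HA CIDR that overlaps another network. The VLAN range, the sample local_ip and the list of the other example networks are assumed values.

```python
import configparser
import ipaddress

# Constructed fragments of the controller and network node files from the
# steps above; the VLAN range and local_ip are assumed sample values.
NEUTRON_CONF = """
[DEFAULT]
core_plugin = ml2
service_plugins = router
l3_ha = True
l3_ha_net_cidr = 169.254.192.0/18
max_l3_agents_per_router = 3
min_l3_agents_per_router = 2
"""
ML2_CONF = """
[ml2]
type_drivers = flat,vlan,gre,vxlan
tenant_network_types = vlan,gre,vxlan
[ml2_type_flat]
flat_networks = external
[ml2_type_vlan]
network_vlan_ranges = external,vlan:100:200
[securitygroup]
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
enable_security_group = True
"""
OVS_AGENT_CONF = """
[ovs]
local_ip = 10.0.1.21
bridge_mappings = vlan:br-vlan,external:br-ex
[agent]
tunnel_types = gre,vxlan
"""
L3_AGENT_CONF = """
[DEFAULT]
external_network_bridge =
agent_mode = legacy
"""
# The other example networks (management, tunnel, external); the HA network
# must not overlap any of them.
OTHER_CIDRS = ("10.0.0.0/24", "10.0.1.0/24", "203.0.113.0/24")


def load(text):
    # Only '=' separates keys from values; ':' appears inside bridge_mappings.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(text)
    return cp


def csv(value):
    return [v.strip() for v in value.split(",") if v.strip()]


def check_l3ha(neutron_conf, ml2_conf, ovs_conf, l3_conf, other_cidrs=OTHER_CIDRS):
    """Return a list of findings; an empty list means the fragments are consistent."""
    neutron, ml2 = load(neutron_conf), load(ml2_conf)
    ovs, l3 = load(ovs_conf), load(l3_conf)
    findings = []
    d = neutron["DEFAULT"]
    if d.get("l3_ha", "False").lower() != "true":
        findings.append("l3_ha is not enabled")
    lo, hi = d.getint("min_l3_agents_per_router"), d.getint("max_l3_agents_per_router")
    if not 2 <= lo <= hi:
        findings.append(f"min/max_l3_agents_per_router {lo}/{hi}: need 2 <= min <= max")
    ha_net = ipaddress.ip_network(d["l3_ha_net_cidr"])
    for cidr in other_cidrs:
        if ha_net.overlaps(ipaddress.ip_network(cidr)):
            findings.append(f"l3_ha_net_cidr {ha_net} overlaps {cidr}")
    # The hidden HA network takes the first tenant_network_types value, so that
    # type needs a loaded type driver and, if tunnelled, must be on the agent.
    ha_type = csv(ml2["ml2"]["tenant_network_types"])[0]
    if ha_type not in csv(ml2["ml2"]["type_drivers"]):
        findings.append(f"HA network type {ha_type} has no type driver")
    if ha_type in ("gre", "vxlan") and ha_type not in csv(ovs["agent"]["tunnel_types"]):
        findings.append(f"HA network type {ha_type} not in tunnel_types")
    # Every physical network named by the ML2 config needs a bridge mapping on
    # the network node (the compute nodes intentionally omit external).
    physnets = set(csv(ml2["ml2_type_flat"]["flat_networks"]))
    physnets |= {r.split(":")[0] for r in csv(ml2["ml2_type_vlan"]["network_vlan_ranges"])}
    mapped = {m.split(":")[0] for m in csv(ovs["ovs"]["bridge_mappings"])}
    for physnet in sorted(physnets - mapped):
        findings.append(f"physical network {physnet} has no bridge mapping")
    if l3["DEFAULT"].get("external_network_bridge", "") != "":
        findings.append("external_network_bridge must be empty in this scenario")
    if ml2["securitygroup"].get("enable_security_group", "").lower() != "true":
        findings.append("security groups are disabled")
    return findings


if __name__ == "__main__":
    for finding in check_l3ha(NEUTRON_CONF, ML2_CONF, OVS_AGENT_CONF, L3_AGENT_CONF) or ["OK"]:
        print(finding)
```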
Compute nodes

1. Configure the kernel to enable iptables on bridges and disable reverse path filtering. Edit the /etc/sysctl.conf file:

    net.ipv4.conf.default.rp_filter=0
    net.ipv4.conf.all.rp_filter=0
    net.bridge.bridge-nf-call-iptables=1
    net.bridge.bridge-nf-call-ip6tables=1

2. Load the new kernel configuration:

    $ sysctl -p

3. Configure common options. Edit the /etc/neutron/neutron.conf file:

    [DEFAULT]
    verbose = True

4. Configure the Open vSwitch agent. Edit the /etc/neutron/plugins/ml2/ml2_conf.ini file:

    [ovs]
    local_ip = TUNNEL_INTERFACE_IP_ADDRESS
    bridge_mappings = vlan:br-vlan

    [agent]
    tunnel_types = gre,vxlan
    l2_population = False

    [securitygroup]
    firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
    enable_security_group = True
    enable_ipset = True

Replace TUNNEL_INTERFACE_IP_ADDRESS with the IP address of the interface that handles GRE/VXLAN project networks.

5. Start the following services: Open vSwitch, Open vSwitch agent.
Verify service operation

1. Source the administrative project credentials.

2. Verify presence and operation of the agents:

    $ neutron agent-list
    +--------------------------------------+--------------------+----------+-------+----------------+---------------------------+
    | id                                   | agent_type         | host     | alive | admin_state_up | binary                    |
    +--------------------------------------+--------------------+----------+-------+----------------+---------------------------+
    | 0bfe5b5d-0b82-434e-b8a0-524cc18da3a4 | DHCP agent         | network1 | :-)   | True           | neutron-dhcp-agent        |
    | 25224bd5-0905-4ec9-9f2d-3b17cdaf5650 | Open vSwitch agent | compute2 | :-)   | True           | neutron-openvswitch-agent |
    | 29afe014-273d-42f3-ad71-8a226e40dea6 | L3 agent           | network1 | :-)   | True           | neutron-l3-agent          |
    | 3bed5093-e46c-4b0f-9460-3309c62254a3 | DHCP agent         | network2 | :-)   | True           | neutron-dhcp-agent        |
    | 54aefb1c-35f7-4ebf-a848-3bb4fe81dcf7 | Open vSwitch agent | network1 | :-)   | True           | neutron-openvswitch-agent |
    | 91c9cc03-1678-4d7a-b0a7-fa1ac24e5516 | Open vSwitch agent | compute1 | :-)   | True           | neutron-openvswitch-agent |
    | ac7b3f77-7e4d-47a6-9dbd-3358cfb67b61 | Open vSwitch agent | network2 | :-)   | True           | neutron-openvswitch-agent |
    | ceef5c49-3148-4c39-9e15-4985fc995113 | Metadata agent     | network1 | :-)   | True           | neutron-metadata-agent    |
    | d27ac19b-fb4d-4fec-b81d-e8c65557b6ec | L3 agent           | network2 | :-)   | True           | neutron-l3-agent          |
    | f072a1ec-f842-4223-a6b6-ec725419be85 | Metadata agent     | network2 | :-)   | True           | neutron-metadata-agent    |
    +--------------------------------------+--------------------+----------+-------+----------------+---------------------------+
Create initial networks

This example creates a flat external network and a VXLAN project network.

1. Source the administrative project credentials.

2. Create the external network:

    $ neutron net-create ext-net --router:external True \
      --provider:physical_network external --provider:network_type flat
    Created a new network:
    +---------------------------+--------------------------------------+
    | Field                     | Value                                |
    +---------------------------+--------------------------------------+
    | admin_state_up            | True                                 |
    | id                        | 5266fcbc-d429-4b21-8544-6170d1691826 |
    | name                      | ext-net                              |
    | provider:network_type     | flat                                 |
    | provider:physical_network | external                             |
    | provider:segmentation_id  |                                      |
    | router:external           | True                                 |
    | shared                    | False                                |
    | status                    | ACTIVE                               |
    | subnets                   |                                      |
    | tenant_id                 | 96393622940e47728b6dcdb2ef405f50     |
    +---------------------------+--------------------------------------+

3. Create a subnet on the external network:

    $ neutron subnet-create ext-net 203.0.113.0/24 --name ext-subnet \
      --allocation-pool start=203.0.113.101,end=203.0.113.200 \
      --disable-dhcp --gateway 203.0.113.1
    Created a new subnet:
    +-------------------+----------------------------------------------------+
    | Field             | Value                                              |
    +-------------------+----------------------------------------------------+
    | allocation_pools  | {"start": "203.0.113.101", "end": "203.0.113.200"} |
    | cidr              | 203.0.113.0/24                                     |
    | dns_nameservers   |                                                    |
    | enable_dhcp       | False                                              |
    | gateway_ip        | 203.0.113.1                                        |
    | host_routes       |                                                    |
    | id                | b32e0efc-8cc3-43ff-9899-873b94df0db1               |
    | ip_version        | 4                                                  |
    | ipv6_address_mode |                                                    |
    | ipv6_ra_mode      |                                                    |
    | name              | ext-subnet                                         |
    | network_id        | 5266fcbc-d429-4b21-8544-6170d1691826               |
    | tenant_id         | 96393622940e47728b6dcdb2ef405f50                   |
    +-------------------+----------------------------------------------------+
Note: The example configuration contains vlan as the first project network type. Only administrative users can create other types of networks such as GRE or VXLAN. The following commands use the admin project credentials to create a VXLAN project network.

1. Obtain the ID of a regular project. For example, using the demo project:

    $ openstack project show demo
    +-------------+----------------------------------+
    | Field       | Value                            |
    +-------------+----------------------------------+
    | description | Demo Tenant                      |
    | enabled     | True                             |
    | id          | 443cd1596b2e46d49965750771ebbfe1 |
    | name        | demo                             |
    +-------------+----------------------------------+

2. Create the project network:

    $ neutron net-create demo-net \
      --tenant-id 443cd1596b2e46d49965750771ebbfe1 \
      --provider:network_type vxlan
    Created a new network:
    +---------------------------+--------------------------------------+
    | Field                     | Value                                |
    +---------------------------+--------------------------------------+
    | admin_state_up            | True                                 |
    | id                        | 7ac9a268-1ddd-453f-857b-0fd9552b645f |
    | name                      | demo-net                             |
    | provider:network_type     | vxlan                                |
    | provider:physical_network |                                      |
    | provider:segmentation_id  | 1                                    |
    | router:external           | False                                |
    | shared                    | False                                |
    | status                    | ACTIVE                               |
    | subnets                   |                                      |
    | tenant_id                 | 443cd1596b2e46d49965750771ebbfe1     |
    +---------------------------+--------------------------------------+

3. Source the regular project credentials. The following steps use the demo project.

4. Create a subnet on the project network:

    $ neutron subnet-create demo-net 192.168.1.0/24 --name demo-subnet \
      --gateway 192.168.1.1
    Created a new subnet:
    +-------------------+--------------------------------------------------+
    | Field             | Value                                            |
    +-------------------+--------------------------------------------------+
    | allocation_pools  | {"start": "192.168.1.2", "end": "192.168.1.254"} |
    | cidr              | 192.168.1.0/24                                   |
    | dns_nameservers   |                                                  |
    | enable_dhcp       | True                                             |
    | gateway_ip        | 192.168.1.1                                      |
    | host_routes       |                                                  |
    | id                | 2945790c-5999-4693-b8e7-50a9fc7f46f5             |
    | ip_version        | 4                                                |
    | ipv6_address_mode |                                                  |
    | ipv6_ra_mode      |                                                  |
    | name              | demo-subnet                                      |
    | network_id        | 7ac9a268-1ddd-453f-857b-0fd9552b645f             |
    | tenant_id         | 443cd1596b2e46d49965750771ebbfe1                 |
    +-------------------+--------------------------------------------------+

5. Create a project router:

    $ neutron router-create demo-router
    Created a new router:
    +-----------------------+--------------------------------------+
    | Field                 | Value                                |
    +-----------------------+--------------------------------------+
    | admin_state_up        | True                                 |
    | distributed           | False                                |
    | external_gateway_info |                                      |
    | ha                    | True                                 |
    | id                    | 7a46dba8-8846-498c-9e10-588664558473 |
    | name                  | demo-router                          |
    | routes                |                                      |
    | status                | ACTIVE                               |
    | tenant_id             | 443cd1596b2e46d49965750771ebbfe1     |
    +-----------------------+--------------------------------------+

Note: The default policy.json file allows only administrative projects to enable or disable HA during router creation and to view the ha flag of a router.

6. Add the project subnet as an interface on the router:

    $ neutron router-interface-add demo-router demo-subnet
    Added interface 8de3e172-5317-4c87-bdc1-f69e359de92e to router demo-router.

7. Add a gateway to the external network on the router:

    $ neutron router-gateway-set demo-router ext-net
    Set gateway for router demo-router
Verify network operation

1. Source the administrative project credentials.

2. On the controller node, verify creation of the HA network:

    $ neutron net-list
    +--------------------------------------+----------------------------------------------------+-------------------------------------------------------+
    | id                                   | name                                               | subnets                                               |
    +--------------------------------------+----------------------------------------------------+-------------------------------------------------------+
    | 5266fcbc-d429-4b21-8544-6170d1691826 | ext-net                                            | b32e0efc-8cc3-43ff-9899-873b94df0db1 203.0.113.0/24   |
    | e029b568-0fd7-4d10-bb16-f9e014811d10 | HA network tenant 443cd1596b2e46d49965750771ebbfe1 | ee30083f-eb4c-41ea-8937-1bae65740af4 169.254.192.0/18 |
    | 7ac9a268-1ddd-453f-857b-0fd9552b645f | demo-net                                           | 2945790c-5999-4693-b8e7-50a9fc7f46f5 192.168.1.0/24   |
    +--------------------------------------+----------------------------------------------------+-------------------------------------------------------+

3. On the controller node, verify creation of the router on more than one network node:

    $ neutron l3-agent-list-hosting-router demo-router
    +--------------------------------------+----------+----------------+-------+----------+
    | id                                   | host     | admin_state_up | alive | ha_state |
    +--------------------------------------+----------+----------------+-------+----------+
    | 29afe014-273d-42f3-ad71-8a226e40dea6 | network1 | True           | :-)   | active   |
    | d27ac19b-fb4d-4fec-b81d-e8c65557b6ec | network2 | True           | :-)   | standby  |
    +--------------------------------------+----------+----------------+-------+----------+

Note: Older versions of python-neutronclient do not support the ha_state field.

4. On the controller node, verify creation of the HA ports on the demo-router router:

    $ neutron router-port-list demo-router
    +--------------------------------------+-------------------------------------------------+-------------------+--------------------------------------------------------------------------------------+
    | id                                   | name                                            | mac_address       | fixed_ips                                                                            |
    +--------------------------------------+-------------------------------------------------+-------------------+--------------------------------------------------------------------------------------+
    | 255d2e4b-33ba-4166-a13f-6531122641fe | HA port tenant 443cd1596b2e46d49965750771ebbfe1 | fa:16:3e:25:05:d7 | {"subnet_id": "8e8e4c7d-fa38-417d-a4e3-03ee5ab5493c", "ip_address": "169.254.192.1"} |
    | 374587d7-2acd-4156-8993-4294f788b55e |                                                 | fa:16:3e:82:a0:59 | {"subnet_id": "b32e0efc-8cc3-43ff-9899-873b94df0db1", "ip_address": "203.0.113.101"} |
    | 8de3e172-5317-4c87-bdc1-f69e359de92e |                                                 | fa:16:3e:10:9f:f6 | {"subnet_id": "2945790c-5999-4693-b8e7-50a9fc7f46f5", "ip_address": "192.168.1.1"}   |
    | 90d1a59f-b122-459d-a94a-162a104de629 | HA port tenant 443cd1596b2e46d49965750771ebbfe1 | fa:16:3e:ae:3b:22 | {"subnet_id": "8e8e4c7d-fa38-417d-a4e3-03ee5ab5493c", "ip_address": "169.254.192.2"} |
    +--------------------------------------+-------------------------------------------------+-------------------+--------------------------------------------------------------------------------------+

5. On the network nodes, verify creation of the qrouter and qdhcp namespaces:

    Network node 1:

        $ ip netns
        qrouter-7a46dba8-8846-498c-9e10-588664558473

    Network node 2:

        $ ip netns
        qrouter-7a46dba8-8846-498c-9e10-588664558473

Both qrouter namespaces should use the same UUID.

Note: The qdhcp namespaces might not exist until an instance is launched.

6. On the network nodes, verify HA operation:

    Network node 1:

        $ ip netns exec qrouter-7a46dba8-8846-498c-9e10-588664558473 ip addr show
        11: ha-255d2e4b-33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default
            link/ether fa:16:3e:25:05:d7 brd ff:ff:ff:ff:ff:ff
            inet 169.254.192.1/18 brd 169.254.255.255 scope global ha-255d2e4b-33
               valid_lft forever preferred_lft forever
            inet6 fe80::f816:3eff:fe25:5d7/64 scope link
               valid_lft forever preferred_lft forever
        12: qr-8de3e172-53: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default
            link/ether fa:16:3e:10:9f:f6 brd ff:ff:ff:ff:ff:ff
            inet 192.168.1.1/24 scope global qr-8de3e172-53
               valid_lft forever preferred_lft forever
            inet6 fe80::f816:3eff:fe10:9ff6/64 scope link
               valid_lft forever preferred_lft forever
        13: qg-374587d7-2a: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default
            link/ether fa:16:3e:82:a0:59 brd ff:ff:ff:ff:ff:ff
            inet 203.0.113.101/24 scope global qg-374587d7-2a
               valid_lft forever preferred_lft forever
            inet6 fe80::f816:3eff:fe82:a059/64 scope link
               valid_lft forever preferred_lft forever

    Network node 2:

        $ ip netns exec qrouter-7a46dba8-8846-498c-9e10-588664558473 ip addr show
        11: ha-90d1a59f-b1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default
            link/ether fa:16:3e:ae:3b:22 brd ff:ff:ff:ff:ff:ff
            inet 169.254.192.2/18 brd 169.254.255.255 scope global ha-90d1a59f-b1
               valid_lft forever preferred_lft forever
            inet6 fe80::f816:3eff:feae:3b22/64 scope link
               valid_lft forever preferred_lft forever
        12: qr-8de3e172-53: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default
            link/ether fa:16:3e:10:9f:f6 brd ff:ff:ff:ff:ff:ff
            inet6 fe80::f816:3eff:fe10:9ff6/64 scope link
               valid_lft forever preferred_lft forever
        13: qg-374587d7-2a: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default
            link/ether fa:16:3e:82:a0:59 brd ff:ff:ff:ff:ff:ff
            inet6 fe80::f816:3eff:fe82:a059/64 scope link
               valid_lft forever preferred_lft forever

On each network node, the qrouter namespace should include the ha, qr, and qg interfaces. On the master node, the qr interface contains the project network gateway IP address and the qg interface contains the project router IP address on the external network. On the backup node, the qr and qg interfaces should not contain an IP address. On both nodes, the ha interface should contain a unique IP address in the 169.254.192.0/18 range.
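An added check for the state just described (example code, not part of the original page or of Neutron): it parses the `ip addr show` output of the same qrouter namespace on each network node and confirms one master with addresses on qr and qg, one backup with none, and unique ha addresses inside 169.254.192.0/18. The embedded samples are abridged copies of the step 6 output; the node names are assumed.

```python
import ipaddress
import re

# l3_ha_net_cidr from the example configuration above.
HA_NET = ipaddress.ip_network("169.254.192.0/18")

# Constructed samples, abridged from the qrouter namespace output shown in step 6.
NODE1 = """\
11: ha-255d2e4b-33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default
    link/ether fa:16:3e:25:05:d7 brd ff:ff:ff:ff:ff:ff
    inet 169.254.192.1/18 brd 169.254.255.255 scope global ha-255d2e4b-33
12: qr-8de3e172-53: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default
    inet 192.168.1.1/24 scope global qr-8de3e172-53
13: qg-374587d7-2a: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default
    inet 203.0.113.101/24 scope global qg-374587d7-2a
"""
NODE2 = """\
11: ha-90d1a59f-b1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default
    inet 169.254.192.2/18 brd 169.254.255.255 scope global ha-90d1a59f-b1
12: qr-8de3e172-53: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default
    inet6 fe80::f816:3eff:fe10:9ff6/64 scope link
13: qg-374587d7-2a: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default
    inet6 fe80::f816:3eff:fe82:a059/64 scope link
"""

IFACE_RE = re.compile(r"^\d+: (?P<name>[^:@ ]+)")
INET_RE = re.compile(r"^\s+inet (?P<addr>\d+\.\d+\.\d+\.\d+)/\d+")


def parse_ip_addr(text):
    """Map interface name -> IPv4 addresses; link-local IPv6 is not relevant here."""
    ifaces, current = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group("name")
            ifaces[current] = []
            continue
        m = INET_RE.match(line)
        if m and current is not None:
            ifaces[current].append(ipaddress.ip_address(m.group("addr")))
    return ifaces


def classify(ifaces):
    """Return (role, ha_addrs): the master holds IPv4 on qr and qg, the backup holds none."""
    addrs = {"ha": [], "qr": [], "qg": []}
    for name, ips in ifaces.items():
        prefix = name.split("-", 1)[0]
        if prefix in addrs:
            addrs[prefix].extend(ips)
    missing = [p for p in addrs if not any(n.startswith(p + "-") for n in ifaces)]
    if missing:
        return "missing interfaces " + ",".join(missing), addrs["ha"]
    if addrs["qr"] and addrs["qg"]:
        return "master", addrs["ha"]
    if not addrs["qr"] and not addrs["qg"]:
        return "backup", addrs["ha"]
    return "inconsistent (only one of qr/qg has an address)", addrs["ha"]


def check_ha_router(outputs):
    """outputs: node name -> `ip addr show` text from the same qrouter namespace.
    Returns findings; an empty list is the state step 6 describes."""
    findings, roles, seen = [], {}, {}
    for node, text in outputs.items():
        role, ha = classify(parse_ip_addr(text))
        roles[node] = role
        if len(ha) != 1:
            findings.append(f"{node}: expected one IPv4 address on the ha interface, got {len(ha)}")
        for addr in ha:
            if addr not in HA_NET:
                findings.append(f"{node}: ha address {addr} is outside {HA_NET}")
            seen.setdefault(addr, []).append(node)
    masters = [n for n, r in roles.items() if r == "master"]
    if len(masters) != 1:
        findings.append(f"expected exactly one master, found {masters}")
    findings += [f"{n}: {r}" for n, r in roles.items() if r not in ("master", "backup")]
    findings += [f"ha address {a} duplicated on {nodes}" for a, nodes in seen.items() if len(nodes) > 1]
    return findings


if __name__ == "__main__":
    print(check_ha_router({"network1": NODE1, "network2": NODE2}) or ["OK"])
```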
7. On the network nodes, verify VRRP advertisements from the master node HA interface IP address on the appropriate network interface:

    Network node 1:

        $ tcpdump -lnpi eth1
        16:50:16.857294 IP 169.254.192.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 50, authtype none, intvl 2s, length 20
        16:50:18.858436 IP 169.254.192.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 50, authtype none, intvl 2s, length 20
        16:50:20.859677 IP 169.254.192.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 50, authtype none, intvl 2s, length 20

    Network node 2:

        $ tcpdump -lnpi eth1
        16:51:44.911640 IP 169.254.192.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 50, authtype none, intvl 2s, length 20
        16:51:46.912591 IP 169.254.192.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 50, authtype none, intvl 2s, length 20
        16:51:48.913900 IP 169.254.192.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 50, authtype none, intvl 2s, length 20

The example output uses network interface eth1.
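An added example, not from the original page, that works through the advertisement stream of step 7 together with the election rule from the Packet flow section: it parses tcpdump VRRP lines, computes the RFC 3768 master-down timer, reports a takeover after the master goes silent, and reports any advertiser outside the HA network or appearing while the master is still active, which an operator would want to investigate. The timestamps after the third line, the takeover by 169.254.192.2 and the source 10.0.1.99 are constructed.

```python
import ipaddress
import re

# l3_ha_net_cidr from the example configuration; legitimate advertisements
# come from HA port addresses inside it.
HA_NET = ipaddress.ip_network("169.254.192.0/18")

# Constructed capture in the tcpdump format of step 7: the master from the
# output above, then a gap, a takeover by the backup, and an advertiser from
# outside the HA network (timestamps after the third line and the last two
# sources are made up).
CAPTURE = """\
16:50:16.857294 IP 169.254.192.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 50, authtype none, intvl 2s, length 20
16:50:18.858436 IP 169.254.192.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 50, authtype none, intvl 2s, length 20
16:50:20.859677 IP 169.254.192.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 50, authtype none, intvl 2s, length 20
16:50:29.100000 IP 169.254.192.2 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 50, authtype none, intvl 2s, length 20
16:50:31.101000 IP 10.0.1.99 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 50, authtype none, intvl 2s, length 20
"""

ADV_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+) > 224\.0\.0\.18: VRRPv2, Advertisement, "
    r"vrid (?P<vrid>\d+), prio (?P<prio>\d+), authtype (?P<auth>\w+), intvl (?P<intvl>\d+)s"
)


def parse_adverts(text):
    """Turn tcpdump VRRP lines into dicts with a float timestamp in seconds of day."""
    adverts = []
    for line in text.splitlines():
        m = ADV_RE.match(line)
        if not m:
            continue
        h, mi, s = m.group("ts").split(":")
        adverts.append({
            "t": int(h) * 3600 + int(mi) * 60 + float(s),
            "src": ipaddress.ip_address(m.group("src")),
            "vrid": int(m.group("vrid")), "prio": int(m.group("prio")),
            "auth": m.group("auth"), "intvl": int(m.group("intvl")),
        })
    return adverts


def master_down_interval(prio, intvl):
    """RFC 3768: a backup declares the master dead after 3 * Advertisement_Interval
    + Skew_Time, where Skew_Time = (256 - Priority) / 256 seconds."""
    return 3 * intvl + (256 - prio) / 256


def elect_master(candidates):
    """Neutron gives every HA router the same priority, so the VRRP tie-break
    applies: among equal priorities the highest IP address wins."""
    return max(candidates, key=lambda c: (c["prio"], int(c["src"])))


def analyze(text, vrid=1):
    """Findings over one vrid: out-of-network sources, takeovers after a master
    timeout, and a second advertiser appearing while the master is still alive."""
    findings, last = [], None
    for adv in (a for a in parse_adverts(text) if a["vrid"] == vrid):
        if adv["src"] not in HA_NET:
            findings.append(f"{adv['src']}: advertisement from outside {HA_NET}")
        if last is not None:
            gap = adv["t"] - last["t"]
            if gap > master_down_interval(last["prio"], last["intvl"]):
                findings.append(f"master {last['src']} silent for {gap:.1f}s; {adv['src']} took over")
            elif adv["src"] != last["src"]:
                findings.append(f"{adv['src']} advertising while {last['src']} is still active")
        last = adv
    return findings


if __name__ == "__main__":
    for finding in analyze(CAPTURE) or ["OK"]:
        print(finding)
```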
8. Determine the external network gateway IP address for the project network on the router, typically the lowest IP address in the external subnet IP allocation range:

    $ neutron router-port-list demo-router
    +--------------------------------------+-------------------------------------------------+-------------------+--------------------------------------------------------------------------------------+
    | id                                   | name                                            | mac_address       | fixed_ips                                                                            |
    +--------------------------------------+-------------------------------------------------+-------------------+--------------------------------------------------------------------------------------+
    | 255d2e4b-33ba-4166-a13f-6531122641fe | HA port tenant 443cd1596b2e46d49965750771ebbfe1 | fa:16:3e:25:05:d7 | {"subnet_id": "8e8e4c7d-fa38-417d-a4e3-03ee5ab5493c", "ip_address": "169.254.192.1"} |
    | 374587d7-2acd-4156-8993-4294f788b55e |                                                 | fa:16:3e:82:a0:59 | {"subnet_id": "b32e0efc-8cc3-43ff-9899-873b94df0db1", "ip_address": "203.0.113.101"} |
    | 8de3e172-5317-4c87-bdc1-f69e359de92e |                                                 | fa:16:3e:10:9f:f6 | {"subnet_id": "2945790c-5999-4693-b8e7-50a9fc7f46f5", "ip_address": "192.168.1.1"}   |
    | 90d1a59f-b122-459d-a94a-162a104de629 | HA port tenant 443cd1596b2e46d49965750771ebbfe1 | fa:16:3e:ae:3b:22 | {"subnet_id": "8e8e4c7d-fa38-417d-a4e3-03ee5ab5493c", "ip_address": "169.254.192.2"} |
    +--------------------------------------+-------------------------------------------------+-------------------+--------------------------------------------------------------------------------------+

9. On the controller node or any host with access to the external network, ping the external network gateway IP address on the project router:

    $ ping -c 4 203.0.113.101
    PING 203.0.113.101 (203.0.113.101) 56(84) bytes of data.
    64 bytes from 203.0.113.101: icmp_req=1 ttl=64 time=0.619 ms
    64 bytes from 203.0.113.101: icmp_req=2 ttl=64 time=0.189 ms
    64 bytes from 203.0.113.101: icmp_req=3 ttl=64 time=0.165 ms
    64 bytes from 203.0.113.101: icmp_req=4 ttl=64 time=0.216 ms

    --- 203.0.113.101 ping statistics ---
    4 packets transmitted, 4 received, 0% packet loss, time 2999ms
    rtt min/avg/max/mdev = 0.165/0.297/0.619/0.187 ms

10. Source the regular project credentials. The following steps use the demo project.

11. Create the appropriate security group rules to allow ping and SSH access to the instance. For example:

    $ nova secgroup-add-rule default icmp -1 -1 0.0.0.0/0
    +-------------+-----------+---------+-----------+--------------+
    | IP Protocol | From Port | To Port | IP Range  | Source Group |
    +-------------+-----------+---------+-----------+--------------+
    | icmp        | -1        | -1      | 0.0.0.0/0 |              |
    +-------------+-----------+---------+-----------+--------------+
    $ nova secgroup-add-rule default tcp 22 22 0.0.0.0/0
    +-------------+-----------+---------+-----------+--------------+
    | IP Protocol | From Port | To Port | IP Range  | Source Group |
    +-------------+-----------+---------+-----------+--------------+
    | tcp         | 22        | 22      | 0.0.0.0/0 |              |
    +-------------+-----------+---------+-----------+--------------+

12. Launch an instance with an interface on the project network. For example, using an existing CirrOS image:

    $ nova boot --flavor m1.tiny --image cirros \
      --nic net-id=7ac9a268-1ddd-453f-857b-0fd9552b645f demo-instance1
    +--------------------------------------+-----------------------------------------------+
    | Property                             | Value                                         |
    +--------------------------------------+-----------------------------------------------+
    | OS-DCF:diskConfig                    | MANUAL                                        |
    | OS-EXT-AZ:availability_zone          | nova                                          |
    | OS-EXT-STS:power_state               | 0                                             |
    | OS-EXT-STS:task_state                | scheduling                                    |
    | OS-EXT-STS:vm_state                  | building                                      |
    | OS-SRV-USG:launched_at               | -                                             |
    | OS-SRV-USG:terminated_at             | -                                             |
    | accessIPv4                           |                                               |
    | accessIPv6                           |                                               |
    | adminPass                            | Z3uAd2utPUNu                                  |
    | config_drive                         |                                               |
    | created                              | 2015-08-10T15:06:24Z                          |
    | flavor                               | m1.tiny (1)                                   |
    | hostId                               |                                               |
    | id                                   | 77149598-c839-400f-b948-db6993f0b40b          |
    | image                                | cirros (125733d9-8d37-4d70-9a64-1c989cfa8e9c) |
    | key_name                             |                                               |
    | metadata                             | {}                                            |
    | name                                 | demo-instance1                                |
    | os-extended-volumes:volumes_attached | []                                            |
    | progress                             | 0                                             |
    | security_groups                      | default                                       |
    | status                               | BUILD                                         |
    | tenant_id                            | 443cd1596b2e46d49965750771ebbfe1              |
    | updated                              | 2015-08-10T15:06:25Z                          |
    | user_id                              | bdd4e165bdf94b258ddd4856340ed01c              |
    +--------------------------------------+-----------------------------------------------+

13. Obtain console access to the instance.

    1. Test connectivity to the project router:

        $ ping -c 4 192.168.1.1
        PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
        64 bytes from 192.168.1.1: icmp_req=1 ttl=64 time=0.357 ms
        64 bytes from 192.168.1.1: icmp_req=2 ttl=64 time=0.473 ms
        64 bytes from 192.168.1.1: icmp_req=3 ttl=64 time=0.504 ms
        64 bytes from 192.168.1.1: icmp_req=4 ttl=64 time=0.470 ms

        --- 192.168.1.1 ping statistics ---
        4 packets transmitted, 4 received, 0% packet loss, time 2998ms
        rtt min/avg/max/mdev = 0.357/0.451/0.504/0.055 ms

    2. Test connectivity to the Internet:

        $ ping -c 4 openstack.org
        PING openstack.org (174.143.194.225) 56(84) bytes of data.
        64 bytes from 174.143.194.225: icmp_req=1 ttl=53 time=17.4 ms
        64 bytes from 174.143.194.225: icmp_req=2 ttl=53 time=17.5 ms
        64 bytes from 174.143.194.225: icmp_req=3 ttl=53 time=17.7 ms
        64 bytes from 174.143.194.225: icmp_req=4 ttl=53 time=17.5 ms

        --- openstack.org ping statistics ---
        4 packets transmitted, 4 received, 0% packet loss, time 3003ms
        rtt min/avg/max/mdev = 17.431/17.575/17.734/0.143 ms

14. Create a floating IP address on the external network:

    $ neutron floatingip-create ext-net
    Created a new floatingip:
    +---------------------+--------------------------------------+
    | Field               | Value                                |
    +---------------------+--------------------------------------+
    | fixed_ip_address    |                                      |
    | floating_ip_address | 203.0.113.102                        |
    | floating_network_id | 5266fcbc-d429-4b21-8544-6170d1691826 |
    | id                  | 20a6b5dd-1c5c-460e-8a81-8b5cf1739307 |
    | port_id             |                                      |
    | router_id           |                                      |
    | status              | DOWN                                 |
    | tenant_id           | 443cd1596b2e46d49965750771ebbfe1     |
    +---------------------+--------------------------------------+

15. Associate the floating IP address with the instance:

    $ nova floating-ip-associate demo-instance1 203.0.113.102

16. Verify addition of the floating IP address to the instance:

    $ nova list
    +--------------------------------------+----------------+--------+------------+-------------+-------------------------------------+
    | ID                                   | Name           | Status | Task State | Power State | Networks                            |
    +--------------------------------------+----------------+--------+------------+-------------+-------------------------------------+
    | 77149598-c839-400f-b948-db6993f0b40b | demo-instance1 | ACTIVE | -          | Running     | demo-net=192.168.1.3, 203.0.113.102 |
    +--------------------------------------+----------------+--------+------------+-------------+-------------------------------------+

17. On the controller node or any host with access to the external network, ping the floating IP address associated with the instance:

    $ ping -c 4 203.0.113.102
    PING 203.0.113.102 (203.0.113.112) 56(84) bytes of data.
    64 bytes from 203.0.113.102: icmp_req=1 ttl=63 time=3.18 ms
    64 bytes from 203.0.113.102: icmp_req=2 ttl=63 time=0.981 ms
    64 bytes from 203.0.113.102: icmp_req=3 ttl=63 time=1.06 ms
    64 bytes from 203.0.113.102: icmp_req=4 ttl=63 time=0.929 ms

    --- 203.0.113.102 ping statistics ---
    4 packets transmitted, 4 received, 0% packet loss, time 3002ms
    rtt min/avg/max/mdev = 0.929/1.539/3.183/0.951 ms