[1] Change settings on Control Node.
[root@dlp ~(keystone)]# vi /etc/neutron/plugins/ml2/ml2_conf.ini
# add a value to [tenant_network_types]
[ml2]
type_drivers = flat,vlan,gre,vxlan
tenant_network_types = vxlan
# add to the end
[ml2_type_flat]
flat_networks = physnet1
[ml2_type_vxlan]
vni_ranges = 1:1000
[root@dlp ~(keystone)]# systemctl restart neutron-server
[2] Change settings on Network Node.
# add bridge
[root@network ~]# ovs-vsctl add-br br-eth1
# add [eth1] as a port of the bridge above
# replace the interface name [eth1] with the one in your own environment
[root@network ~]# ovs-vsctl add-port br-eth1 eth1
[root@network ~]# vi /etc/neutron/plugins/ml2/ml2_conf.ini
# add a value to [tenant_network_types]
[ml2]
type_drivers = flat,vlan,gre,vxlan
tenant_network_types = vxlan
# add to the end
[ml2_type_flat]
flat_networks = physnet1
[ml2_type_vxlan]
vni_ranges = 1:1000
[root@network ~]# vi /etc/neutron/plugins/ml2/openvswitch_agent.ini
# add to the end
[agent]
tunnel_types = vxlan
prevent_arp_spoofing = True
[ovs]
# specify the IP address of this host for [local_ip]
local_ip = 10.0.0.50
bridge_mappings = physnet1:br-eth1
[root@network ~]# systemctl restart neutron-dhcp-agent neutron-l3-agent neutron-metadata-agent neutron-openvswitch-agent
# if Firewalld is running, allow the VXLAN port
[root@network ~]# firewall-cmd --add-port=4789/udp
[root@network ~]# firewall-cmd --runtime-to-permanent
[3] Change settings on Compute Node.
[root@node01 ~]# vi /etc/neutron/plugins/ml2/ml2_conf.ini
# add a value to [tenant_network_types]
[ml2]
type_drivers = flat,vlan,gre,vxlan
tenant_network_types = vxlan
# add to the end
[ml2_type_flat]
flat_networks = physnet1
[ml2_type_vxlan]
vni_ranges = 1:1000
[root@node01 ~]# vi /etc/neutron/plugins/ml2/openvswitch_agent.ini
# add to the end
[agent]
tunnel_types = vxlan
prevent_arp_spoofing = True
[ovs]
# specify the IP address of this host for [local_ip]
local_ip = 10.0.0.51
[root@node01 ~]# systemctl restart neutron-openvswitch-agent
# if Firewalld is running, allow the VXLAN port
[root@node01 ~]# firewall-cmd --add-port=4789/udp
[root@node01 ~]# firewall-cmd --runtime-to-permanent
[4] Create a virtual router. This can be done on any node (this example uses the Control Node).
[root@dlp ~(keystone)]# openstack router create router01
+-------------------------+--------------------------------------+
| Field | Value |
+-------------------------+--------------------------------------+
| admin_state_up | UP |
| availability_zone_hints | |
| availability_zones | |
| created_at | 2022-05-31T09:59:08Z |
| description | |
| distributed | False |
| external_gateway_info | null |
| flavor_id | None |
| ha | False |
| id | 0ed5c019-30e0-4e45-8ed5-f5df12dedeb0 |
| name | router01 |
| project_id | 0609d3b3b398456187fb705ec9224c4a |
| revision_number | 1 |
| routes | |
| status | ACTIVE |
| tags | |
| updated_at | 2022-05-31T09:59:08Z |
+-------------------------+--------------------------------------+
[5] Create an internal network and associate it with the router above.
# create internal network
[root@dlp ~(keystone)]# openstack network create private --provider-network-type vxlan
+---------------------------+--------------------------------------+
| Field | Value |
+---------------------------+--------------------------------------+
| admin_state_up | UP |
| availability_zone_hints | |
| availability_zones | |
| created_at | 2022-05-31T09:59:43Z |
| description | |
| dns_domain | None |
| id | 032d3ae8-1c54-4f0c-bb64-10967d5630ff |
| ipv4_address_scope | None |
| ipv6_address_scope | None |
| is_default | False |
| is_vlan_transparent | None |
| mtu | 1450 |
| name | private |
| port_security_enabled | True |
| project_id | 0609d3b3b398456187fb705ec9224c4a |
| provider:network_type | vxlan |
| provider:physical_network | None |
| provider:segmentation_id | 423 |
| qos_policy_id | None |
| revision_number | 1 |
| router:external | Internal |
| segments | None |
| shared | False |
| status | ACTIVE |
| subnets | |
| tags | |
| updated_at | 2022-05-31T09:59:43Z |
+---------------------------+--------------------------------------+
# create a subnet in the internal network
[root@dlp ~(keystone)]# openstack subnet create private-subnet --network private \
--subnet-range 192.168.100.0/24 --gateway 192.168.100.1 \
--dns-nameserver 10.0.0.10
+----------------------+--------------------------------------+
| Field | Value |
+----------------------+--------------------------------------+
| allocation_pools | 192.168.100.2-192.168.100.254 |
| cidr | 192.168.100.0/24 |
| created_at | 2022-05-31T10:00:30Z |
| description | |
| dns_nameservers | 10.0.0.10 |
| dns_publish_fixed_ip | None |
| enable_dhcp | True |
| gateway_ip | 192.168.100.1 |
| host_routes | |
| id | 57454e98-d4c2-40b2-b0ee-d1ec340e9001 |
| ip_version | 4 |
| ipv6_address_mode | None |
| ipv6_ra_mode | None |
| name | private-subnet |
| network_id | 032d3ae8-1c54-4f0c-bb64-10967d5630ff |
| project_id | 0609d3b3b398456187fb705ec9224c4a |
| revision_number | 0 |
| segment_id | None |
| service_types | |
| subnetpool_id | None |
| tags | |
| updated_at | 2022-05-31T10:00:30Z |
+----------------------+--------------------------------------+
# attach the internal subnet to the router above
[root@dlp ~(keystone)]# openstack router add subnet router01 private-subnet
[6] Create an external network and associate it with the router above.
# create external network
[root@dlp ~(keystone)]# openstack network create \
--provider-physical-network physnet1 \
--provider-network-type flat --external public
+---------------------------+--------------------------------------+
| Field | Value |
+---------------------------+--------------------------------------+
| admin_state_up | UP |
| availability_zone_hints | |
| availability_zones | |
| created_at | 2022-05-31T10:01:17Z |
| description | |
| dns_domain | None |
| id | fb890e9b-623d-447e-bdfc-d73ecaa619e8 |
| ipv4_address_scope | None |
| ipv6_address_scope | None |
| is_default | False |
| is_vlan_transparent | None |
| mtu | 1500 |
| name | public |
| port_security_enabled | True |
| project_id | 0609d3b3b398456187fb705ec9224c4a |
| provider:network_type | flat |
| provider:physical_network | physnet1 |
| provider:segmentation_id | None |
| qos_policy_id | None |
| revision_number | 1 |
| router:external | External |
| segments | None |
| shared | False |
| status | ACTIVE |
| subnets | |
| tags | |
| updated_at | 2022-05-31T10:01:17Z |
+---------------------------+--------------------------------------+
# create a subnet in the external network
[root@dlp ~(keystone)]# openstack subnet create public-subnet \
--network public --subnet-range 10.0.0.0/24 \
--allocation-pool start=10.0.0.200,end=10.0.0.254 \
--gateway 10.0.0.1 --dns-nameserver 10.0.0.10 --no-dhcp
+----------------------+--------------------------------------+
| Field | Value |
+----------------------+--------------------------------------+
| allocation_pools | 10.0.0.200-10.0.0.254 |
| cidr | 10.0.0.0/24 |
| created_at | 2022-05-31T10:01:44Z |
| description | |
| dns_nameservers | 10.0.0.10 |
| dns_publish_fixed_ip | None |
| enable_dhcp | False |
| gateway_ip | 10.0.0.1 |
| host_routes | |
| id | ecccfdc5-2917-41d4-a957-88facca5c4d4 |
| ip_version | 4 |
| ipv6_address_mode | None |
| ipv6_ra_mode | None |
| name | public-subnet |
| network_id | fb890e9b-623d-447e-bdfc-d73ecaa619e8 |
| project_id | 0609d3b3b398456187fb705ec9224c4a |
| revision_number | 0 |
| segment_id | None |
| service_types | |
| subnetpool_id | None |
| tags | |
| updated_at | 2022-05-31T10:01:44Z |
+----------------------+--------------------------------------+
# set the external network as the gateway of the router above
[root@dlp ~(keystone)]# openstack router set router01 --external-gateway public
[7] By default, all projects can access the external network, but the internal network is accessible only to the admin project, so grant access to the internal network to the project whose users should be able to use it.
# show network RBAC list
[root@dlp ~(keystone)]# openstack network rbac list
+--------------------------------------+-------------+--------------------------------------+
| ID | Object Type | Object ID |
+--------------------------------------+-------------+--------------------------------------+
| a37b34cd-e686-443f-b3ef-4a4c722b5d63 | network | fb890e9b-623d-447e-bdfc-d73ecaa619e8 |
+--------------------------------------+-------------+--------------------------------------+
# RBAC details
# all projects (target_project_id *) have only [access_as_external] on the public network
[root@dlp ~(keystone)]# openstack network rbac show a37b34cd-e686-443f-b3ef-4a4c722b5d63
+-------------------+--------------------------------------+
| Field | Value |
+-------------------+--------------------------------------+
| action | access_as_external |
| id | a37b34cd-e686-443f-b3ef-4a4c722b5d63 |
| name | None |
| object_id | fb890e9b-623d-447e-bdfc-d73ecaa619e8 |
| object_type | network |
| project_id | 0609d3b3b398456187fb705ec9224c4a |
| target_project_id | * |
+-------------------+--------------------------------------+
# show network list
[root@dlp ~(keystone)]# openstack network list
+--------------------------------------+---------+--------------------------------------+
| ID | Name | Subnets |
+--------------------------------------+---------+--------------------------------------+
| 032d3ae8-1c54-4f0c-bb64-10967d5630ff | private | 57454e98-d4c2-40b2-b0ee-d1ec340e9001 |
| fb890e9b-623d-447e-bdfc-d73ecaa619e8 | public | ecccfdc5-2917-41d4-a957-88facca5c4d4 |
+--------------------------------------+---------+--------------------------------------+
# show project list
[root@dlp ~(keystone)]# openstack project list
+----------------------------------+-----------+
| ID | Name |
+----------------------------------+-----------+
| 0609d3b3b398456187fb705ec9224c4a | admin |
| 3d85d1e79d654b3dade01eb5bfbf0679 | hiroshima |
| 8787527217494c6a87dd5a3b68dce1ef | service |
+----------------------------------+-----------+
# grant [access_as_shared] permission on [private] to the [hiroshima] project
[root@dlp ~(keystone)]# netID=$(openstack network list | grep private | awk '{ print $2 }')
[root@dlp ~(keystone)]# prjID=$(openstack project list | grep hiroshima | awk '{ print $2 }')
[root@dlp ~(keystone)]# openstack network rbac create --target-project $prjID --type network --action access_as_shared $netID
+-------------------+--------------------------------------+
| Field | Value |
+-------------------+--------------------------------------+
| action | access_as_shared |
| id | dfb0e656-0983-46a9-8345-13a03ddbc3e9 |
| name | None |
| object_id | 032d3ae8-1c54-4f0c-bb64-10967d5630ff |
| object_type | network |
| project_id | 0609d3b3b398456187fb705ec9224c4a |
| target_project_id | 3d85d1e79d654b3dade01eb5bfbf0679 |
+-------------------+--------------------------------------+
[8] Log in as a user in the project you granted access to the internal network, then create and boot an instance.
# show available [flavor] list
[cent@dlp ~(keystone)]$ openstack flavor list
+----+----------+------+------+-----------+-------+-----------+
| ID | Name | RAM | Disk | Ephemeral | VCPUs | Is Public |
+----+----------+------+------+-----------+-------+-----------+
| 0 | m1.small | 2048 | 10 | 0 | 1 | True |
+----+----------+------+------+-----------+-------+-----------+
# show available image list
[cent@dlp ~(keystone)]$ openstack image list
+--------------------------------------+-----------------+--------+
| ID | Name | Status |
+--------------------------------------+-----------------+--------+
| 7be5b7ab-36e8-43c7-95dd-34b4139a0e44 | CentOS-Stream-8 | active |
+--------------------------------------+-----------------+--------+
# show available network list
[cent@dlp ~(keystone)]$ openstack network list
+--------------------------------------+---------+--------------------------------------+
| ID | Name | Subnets |
+--------------------------------------+---------+--------------------------------------+
| 032d3ae8-1c54-4f0c-bb64-10967d5630ff | private | 57454e98-d4c2-40b2-b0ee-d1ec340e9001 |
| fb890e9b-623d-447e-bdfc-d73ecaa619e8 | public | ecccfdc5-2917-41d4-a957-88facca5c4d4 |
+--------------------------------------+---------+--------------------------------------+
# create a security group for instances
[cent@dlp ~(keystone)]$ openstack security group create secgroup01
+-----------------+----------------------------------------------------------------------------+
| Field | Value |
+-----------------+----------------------------------------------------------------------------+
| created_at | 2022-05-31T08:14:56Z |
| description | secgroup01 |
| id | 001bf895-7218-4153-b64b-5c5741697009 |
| name | secgroup01 |
| project_id | 3d85d1e79d654b3dade01eb5bfbf0679 |
| revision_number | 1 |
| rules | created_at='2022-05-31T08:14:56Z', direction='egress', ethertype='IPv4'... |
| | created_at='2022-05-31T08:14:56Z', direction='egress', ethertype='IPv6'... |
| stateful | True |
| tags | [] |
| updated_at | 2022-05-31T08:14:56Z |
+-----------------+----------------------------------------------------------------------------+
# create an SSH keypair for connecting to instances (-N "" gives the private key an empty passphrase)
[cent@dlp ~(keystone)]$ ssh-keygen -q -N ""
Enter file in which to save the key (/home/cent/.ssh/id_rsa):
# register the public key
[cent@dlp ~(keystone)]$ openstack keypair create --public-key ~/.ssh/id_rsa.pub mykey
+-------------+-------------------------------------------------+
| Field | Value |
+-------------+-------------------------------------------------+
| created_at | None |
| fingerprint | 64:c1:46:5f:d4:dc:07:76:1c:5e:ee:b8:82:1e:9d:c3 |
| id | mykey |
| is_deleted | None |
| name | mykey |
| type | ssh |
| user_id | ed0bc393ae81411fa1db0828e1d5e160 |
+-------------+-------------------------------------------------+
[cent@dlp ~(keystone)]$ netID=$(openstack network list | grep private | awk '{ print $2 }')
[cent@dlp ~(keystone)]$ openstack server create --flavor m1.small --image CentOS-Stream-8 --security-group secgroup01 --nic net-id=$netID --key-name mykey CentOS-St8
[cent@dlp ~(keystone)]$ openstack server list
+--------------------------------------+------------+--------+------------------------+-----------------+----------+
| ID | Name | Status | Networks | Image | Flavor |
+--------------------------------------+------------+--------+------------------------+-----------------+----------+
| b9422951-8141-45fe-becd-a01c72708504 | CentOS-St8 | ACTIVE | private=192.168.100.84 | CentOS-Stream-8 | m1.small |
+--------------------------------------+------------+--------+------------------------+-----------------+----------+
[9] Assign a floating IP address to the instance above.
[cent@dlp ~(keystone)]$ openstack floating ip create public
+---------------------+--------------------------------------+
| Field | Value |
+---------------------+--------------------------------------+
| created_at | 2022-05-31T10:08:01Z |
| description | |
| dns_domain | None |
| dns_name | None |
| fixed_ip_address | None |
| floating_ip_address | 10.0.0.216 |
| floating_network_id | fb890e9b-623d-447e-bdfc-d73ecaa619e8 |
| id | 5f7bc534-0959-4504-b2fb-10c9f7bcf8de |
| name | 10.0.0.216 |
| port_details | None |
| port_id | None |
| project_id | 3d85d1e79d654b3dade01eb5bfbf0679 |
| qos_policy_id | None |
| revision_number | 0 |
| router_id | None |
| status | DOWN |
| subnet_id | None |
| tags | [] |
| updated_at | 2022-05-31T10:08:01Z |
+---------------------+--------------------------------------+
[cent@dlp ~(keystone)]$ openstack server add floating ip CentOS-St8 10.0.0.216
# confirm settings
[cent@dlp ~(keystone)]$ openstack floating ip show 10.0.0.216
+---------------------+---------------------------------------------------------------------------+
| Field | Value |
+---------------------+---------------------------------------------------------------------------+
| created_at | 2022-05-31T10:08:01Z |
| description | |
| dns_domain | None |
| dns_name | None |
| fixed_ip_address | 192.168.100.84 |
| floating_ip_address | 10.0.0.216 |
| floating_network_id | fb890e9b-623d-447e-bdfc-d73ecaa619e8 |
| id | 5f7bc534-0959-4504-b2fb-10c9f7bcf8de |
| name | 10.0.0.216 |
| port_details | admin_state_up='True', device_id='b9422951-8141-45fe-becd-a01c727085..... |
| port_id | a0670c7e-2fa9-4be9-801b-d62170f33efd |
| project_id | 3d85d1e79d654b3dade01eb5bfbf0679 |
| qos_policy_id | None |
| revision_number | 2 |
| router_id | 0ed5c019-30e0-4e45-8ed5-f5df12dedeb0 |
| status | ACTIVE |
| subnet_id | None |
| tags | [] |
| updated_at | 2022-05-31T10:08:52Z |
+---------------------+---------------------------------------------------------------------------+
[cent@dlp ~(keystone)]$ openstack server list
+--------------------------------------+------------+--------+------------------------------------+-----------------+----------+
| ID | Name | Status | Networks | Image | Flavor |
+--------------------------------------+------------+--------+------------------------------------+-----------------+----------+
| b9422951-8141-45fe-becd-a01c72708504 | CentOS-St8 | ACTIVE | private=10.0.0.216, 192.168.100.84 | CentOS-Stream-8 | m1.small |
+--------------------------------------+------------+--------+------------------------------------+-----------------+----------+
[10] Add rules to the security group created above to allow SSH and ICMP access. Neither rule below is given a --remote-ip restriction, so each matches any source address (remote_ip_prefix 0.0.0.0/0 in the output).
# permit ICMP
[cent@dlp ~(keystone)]$ openstack security group rule create --protocol icmp --ingress secgroup01
+-------------------------+--------------------------------------+
| Field | Value |
+-------------------------+--------------------------------------+
| created_at | 2022-05-31T09:42:39Z |
| description | |
| direction | ingress |
| ether_type | IPv4 |
| id | 96122e6a-c9eb-4cb6-b304-2fe0dc0b3219 |
| name | None |
| port_range_max | None |
| port_range_min | None |
| project_id | 3d85d1e79d654b3dade01eb5bfbf0679 |
| protocol | icmp |
| remote_address_group_id | None |
| remote_group_id | None |
| remote_ip_prefix | 0.0.0.0/0 |
| revision_number | 0 |
| security_group_id | 001bf895-7218-4153-b64b-5c5741697009 |
| tags | [] |
| tenant_id | 3d85d1e79d654b3dade01eb5bfbf0679 |
| updated_at | 2022-05-31T09:42:39Z |
+-------------------------+--------------------------------------+
# permit SSH
[cent@dlp ~(keystone)]$ openstack security group rule create --protocol tcp --dst-port 22:22 secgroup01
+-------------------------+--------------------------------------+
| Field | Value |
+-------------------------+--------------------------------------+
| created_at | 2022-05-31T09:42:58Z |
| description | |
| direction | ingress |
| ether_type | IPv4 |
| id | 28191a33-6e5a-487d-a7b7-cdef6f4f9dd9 |
| name | None |
| port_range_max | 22 |
| port_range_min | 22 |
| project_id | 3d85d1e79d654b3dade01eb5bfbf0679 |
| protocol | tcp |
| remote_address_group_id | None |
| remote_group_id | None |
| remote_ip_prefix | 0.0.0.0/0 |
| revision_number | 0 |
| security_group_id | 001bf895-7218-4153-b64b-5c5741697009 |
| tags | [] |
| tenant_id | 3d85d1e79d654b3dade01eb5bfbf0679 |
| updated_at | 2022-05-31T09:42:58Z |
+-------------------------+--------------------------------------+
[cent@dlp ~(keystone)]$ openstack security group rule list secgroup01
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+
| ID | IP Protocol | Ethertype | IP Range | Port Range | Direction | Remote Security Group | Remote Address Group |
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+
| 28191a33-6e5a-487d-a7b7-cdef6f4f9dd9 | tcp | IPv4 | 0.0.0.0/0 | 22:22 | ingress | None | None |
| 7a5ce790-613c-433b-b817-75aa20a10fc1 | None | IPv4 | 0.0.0.0/0 | | egress | None | None |
| 96122e6a-c9eb-4cb6-b304-2fe0dc0b3219 | icmp | IPv4 | 0.0.0.0/0 | | ingress | None | None |
| cf9e12bd-90d0-4c9c-b852-12d2cd53eb91 | None | IPv6 | ::/0 | | egress | None | None |
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+
[11] You can now log in to the instance over SSH via its floating IP address, as follows.
[cent@dlp ~(keystone)]$ openstack server list
+--------------------------------------+------------+--------+------------------------------------+-----------------+----------+
| ID | Name | Status | Networks | Image | Flavor |
+--------------------------------------+------------+--------+------------------------------------+-----------------+----------+
| b9422951-8141-45fe-becd-a01c72708504 | CentOS-St8 | ACTIVE | private=10.0.0.216, 192.168.100.84 | CentOS-Stream-8 | m1.small |
+--------------------------------------+------------+--------+------------------------------------+-----------------+----------+
[cent@dlp ~(keystone)]$ ssh centos@10.0.0.216
The authenticity of host '10.0.0.216 (10.0.0.216)' can't be established.
ECDSA key fingerprint is SHA256:3ubFctH6ulVjsrc2KyvqfRJPIx3ceRuzrogRB2WY1Iw.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.0.0.216' (ECDSA) to the list of known hosts.
Activate the web console with: systemctl enable --now cockpit.socket
[centos@centos-st8 ~]$ # logged in