马上注册,结交更多好友,享用更多功能,让你轻松玩转社区。
您需要 登录 才可以下载或查看,没有账号?开始注册
x
一个具有网络管理接口的控制器节点。
4 H; c5 i$ t3 i1 e& _; f0 i5 I两个网络节点有四个网络接口:管理、项目隧道网络、项目VLAN网络和外部(通常是Internet)。Open vSwitch网桥br-vlan必须包含VLAN接口上的一个端口,而Open vSwitch桥的br- ex必须在外部接口上包含一个端口。
5 R' F v& M8 b% N/ {
( @+ b3 a, n" j+ z+ @至少有一个具有三个网络接口的计算节点:管理、项目隧道网络和项目VLAN网络。Open vSwitch网桥br-vlan必须在VLAN接口上包含一个端口。 为了提高对网络流量的理解,网络和计算节点包含一个独立的网络接口,用于项目VLAN网络。在生产环境中,项目VLAN网络可以使用任何Open vSwitch网桥来访问网络接口。例如br-tun网桥 $ k( f5 y8 V! z7 d- l! ^
在示例配置中,管理网络使用10.0.0 / 24,隧道网络使用10.0.1.0 / 24,VRRP网络使用169.254.192.0 / 18,外部网络使用203.0.113.0 / 24。VLAN网络不需要IP地址范围,因为它只处理二级连接。 * X8 j) U9 g: a* ~2 ~0 U' O
硬件要求9 a/ z$ N+ d# B6 X/ j( @( v% r
4 V4 j# J& Z+ M+ L% O- C 网络布局. c7 o& @. g+ x3 r: T. M0 O- u: j, j' a
' f9 }" W* X0 J7 h. y
+ Z) t4 F1 F# p
服务布局
# w: c2 I- |+ v$ n9 S* z
* e' N# H& K5 h* m. ~ 注意:对于VLAN外部和项目网络,网络基础设施必须支持VLAN标记。为了获得VXLAN和GRE项目网络的最佳性能,网络基础设施应该支持巨型帧。 8 D/ X) c5 K0 p' n; W4 k
控制节点的openstack服务
0 o" h6 i1 [% W3 I0 L ~: K4 u在neutron.conf文件中具有数据库服务器的合适配置在neutron.conf文件中具有消息队列服务的合适配置。
' J& D! H" h, E9 L6 O在neutron.conf文件中具有openstack keystone服务的合适配置
0 S& [+ J4 X l1 B! y/ x在nova.conf文件中具有openstack计算 控制/管理服务的合适配置去使用Openstack 网络
+ S4 `3 t" j e# A Y- y8 eneutron服务器服务、ML2插件和任何依赖关系。
\5 r7 }: l) |: B5 S0 u8 F- f
9 t* m" i/ G% A! |& H; s3 R# U# n8 {网络节点的Openstack服务在neutron.conf文件中具有openstack keystone服务的合适配置
6 L/ u F8 |9 l# O9 J0 jOpen vSwitch服务、ML2插件、Open vSwitch代理、L3代理、DHCP代理、元数据代理和任何依赖关系。! U, ^0 B1 f% G9 `+ d- p6 }) K
; ^# e' e' X& p, G4 F% Y. o计算节点的Openstack服务1 l9 O; `! V, h% o- k; G7 |. C
在neutron.conf文件中具有openstack keystone服务的合适配置
- d# P, s- s; e+ Z) D0 n9 c V( ~. |' ~
在nova.conf文件中具有openstack计算 控制/管理服务的合适配置去使用Openstack网络Open vSwitch服务,ML2插件,OpenvSwitch代理,以及任何依赖项。
7 i3 V, e& U0 A4 S4 z& n- L' B# t0 K w8 G5 p, h# E
体系结构
: O$ ~, W4 b% w/ g! c, F+ q一般的体系架构
6 x9 a" V5 d7 r* { ?* X! K 网络节点包含以下组件:. V+ O, ^# c% W9 k" G2 Q* \
) U q! k5 M! x
Open vSwitch代理管理虚拟交换机之间的连接,以及通过虚拟端口与其他网络组件(如名称空间、Linux网桥和底层接口)进行交互。
' K d1 z. x9 K
3 b' F( q3 d' S管理qdhcp名称空间的DHCP代理。qdhcp名称空间为使用项目网络的实例提供DHCP服务。9 n/ L' v3 S& V3 k
- @4 G& i5 j6 XL3代理使用keepalived管理qrouter名称空间和VRRP。qrouter名称空间提供了项目和外部网络之间以及项目网络之间的路由。它们还在实例和元数据代理之间路由元数据通信。
+ e# J- l0 g% u. C( P$ O9 _; }" p" |) _4 D
元数据代理处理实例的元数据操作。
4 C; v$ m0 B7 A% j4 B1 y/ [: r! l; t/ F% R, p2 X8 I% C+ L
网络节点组件回顾' p1 C" ^. A* x: `8 p( {$ H% L0 v
! Q. t3 ]2 M( z5 \
5 h: b- P5 x; p$ H: ^5 H
网络节点组件连接 n/ j/ _ l) C, W
t4 i6 g( d$ W7 J 计算节点包含以下组件:+ ^5 q+ d' L0 C8 l1 w9 n
4 P* I0 ~5 m# W" }+ S1.Open vSwitch代理管理虚拟交换机之间的连接,以及通过虚拟端口与其他网络组件(如名称空间、Linux网桥和底层接口)进行交互。, a1 [# N& i& ~
( }, m; U6 g6 K( h
2.Linux网桥处理安全组。
! |* i' G s! t. G' e2 L注意:由于Open vSwitch和iptables的限制,网络服务使用Linux桥来管理实例的安全组。
) L! r1 b3 y- f3 k, Z计算节点组件回顾
. \) I9 E: I: r# [* b
3 }+ c0 X* w2 d7 a) I+ G- O 计算节点组件连接
& W2 Q% o% }+ X! [2 ?" ]# m3 _$ L4 {$ w5 m* f
数据包流 L3HA机制简单地增加了场景:如果主路由器失败,则使用Open vSwitch提供给另一个路由器的快速故障转移到另一个路由器。) w6 m i7 L, _0 Y8 r2 X( y3 q8 p- W
' ]- ~! z% V& `2 o: P( h在正常的操作过程中,主路由器定期地通过一个隐藏的项目网络来传输心跳数据包,该网络连接所有的HA路由器以完成特定的项目。 在默认情况下,这个网络使用的类型是在/etc/neutron/plugins/ml2_conf.ini的tenant_network_types选项中第一个值的类型。, w' z7 y h5 s( M y9 M# }
d: ~& E! f' L) G" b, @9 r如果备份路由器停止接收这些数据包,它就假定主路由器失效,并通过在qrouter名称空间中配置IP地址来提升自己到主路由器。在具有多个备份路由器的环境中,具有下一个最高优先级的路由器成为主路由器 + m: v, r+ B$ e& s5 D
注意:L3HA机制对所有路由器使用相同的优先级。因此,VRRP会将IP地址最高的备份路由器提升到主路由器。
1 V E2 C5 O1 m f示例配置
9 _8 E# C/ n9 y2 P: K5 k K9 W7 p0 j使用下面的示例配置作为在您的环境中部署该场景的模板。
0 c" u+ \6 B9 }7 J3 C& f7 p+ H控制节点1.配置常见的选项。编辑/etc/neutron/neutron.配置文件: [backcolor=rgb(245, 245, 245) !important][url=][/url]
- `# l* T* p4 X6 M- P. q$ x8 ?[DEFAULT]verbose = Truecore_plugin = ml2service_plugins = routerallow_overlapping_ips = Truerouter_distributed = Falsel3_ha = Truel3_ha_net_cidr = 169.254.192.0/18max_l3_agents_per_router = 3min_l3_agents_per_router = 2dhcp_agents_per_network = 2[backcolor=rgb(245, 245, 245) !important][url=][/url]) ~& l& j/ @/ e; u# G! n
' t; q$ H. b# d/ u! Q7 v
( O' \' R" {1 p$ G6 o3 w7 ^ J 2.配置ML2插件。编辑/etc/neutron/plugins/ml2/ml2_conf.ini文件:
% b/ n1 H1 m, ~: h8 v5 E[backcolor=rgb(245, 245, 245) !important][url=][/url], U9 c8 q1 c0 Z& i
[ml2]type_drivers = flat,vlan,gre,vxlantenant_network_types = vlan,gre,vxlanmechanism_drivers = openvswitch[ml2_type_flat]flat_networks = external[ml2_type_vlan]network_vlan_ranges = external,vlan:MIN_VLAN_ID:MAX_VLAN_ID[ml2_type_gre]tunnel_id_ranges = MIN_GRE_ID:MAX_GRE_ID[ml2_type_vxlan]vni_ranges = MIN_VXLAN_ID:MAX_VXLAN_IDvxlan_group = 239.1.1.1[securitygroup]firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriverenable_security_group = Trueenable_ipset = True[backcolor=rgb(245, 245, 245) !important][url=][/url]9 i' N9 q( t, J& E* W& g9 p
: g# i. r" A& i _3 M6 p
* g$ U- {& a6 }8 w0 A4 g) Y' p) I' m" a8 u替换MIN_VLAN_ID、MAX_VLAN_ID、MIN_GRE_ID、MAX_GRE_ID、MIN_VXLAN_ID和MAX_VXLAN_ID和VLAN、GRE和VXLAN ID最小值,以及适合您的环境的最大值。 ( r2 Q; u" g+ c: `9 A
请注意: tenant_network_types选项中的第一个值在常规用户创建网络时成为默认项目网络类型。network_vlan_range选项中的外部值缺少VLAN ID范围,以支持管理用户使用任意VLAN ID。
c0 G5 s& s* V* ]" c2 ?
/ T. c7 S: o, Q+ w3.启动服务
( l7 s7 y. r% C' c- N9 |: K8 y/ @
) I7 I* @: S( W. T网络节点1.配置内核以启用包转发和禁用反向路径过滤。编辑/etc/sysctl.配置文件: net.ipv4.ip_forward=1net.ipv4.conf.default.rp_filter=0net.ipv4.conf.all.rp_filter=0
( S( q( ?8 G0 D! b+ B) _, }" x2.加载新内核配置: $ sysctl -p
, v* x# g u" {; e& b; A
2 S0 w0 Z$ e: `5 W4 P; m9 b 3.配置常见的选项。编辑/etc/neutron/neutron.配置文件: [DEFAULT]verbose = True
' C$ [. E/ U: G+ A) N1 I+ a4 d! V) m2 V
4.配置Open vSwitch代理。编辑/etc/neutron/plugins/ml2/ml2_conf.ini文件: [backcolor=rgb(245, 245, 245) !important][url=][/url]7 q+ V6 d4 ?8 `$ |
[ovs]local_ip = TUNNEL_INTERFACE_IP_ADDRESSbridge_mappings = vlan:br-vlan,external:br-ex[agent]tunnel_types = gre,vxlanl2_population = False[securitygroup]firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriverenable_security_group = Trueenable_ipset = True[backcolor=rgb(245, 245, 245) !important][url=][/url]
+ e6 j1 A, q1 I8 B" t# H8 i5 l! l0 M) Y" R. w/ K& u* P2 y* _
$ R' _; L; B9 r }5 T$ V! P
使用处理GRE / VXLAN项目网络的接口的IP地址替换TUNNEL_INTERFACE_IP_ADDRESS。 ! Q1 @: T, w+ P1 x" h. _
5.配置L3代理。编辑/etc/neutron/l3_agent.ini文件:
" f4 a! W$ z r2 `" M5 i[backcolor=rgb(245, 245, 245) !important][url=][/url]8 R( {$ Y Y( Y+ k, g$ r
[DEFAULT]verbose = Trueinterface_driver = neutron.agent.linux.interface.OVSInterfaceDriveruse_namespaces = Trueexternal_network_bridge =router_delete_namespaces = Trueagent_mode = legacy[backcolor=rgb(245, 245, 245) !important][url=][/url]
5 t0 m3 F9 }6 y6 d e9 l1 @* B- R6 w) b* m" V3 {% H$ \
注意:external_network_bridge选项故意不包含任何值。
# Q, r! d& L# \6.配置DHCP代理。编辑/etc/neutron/dhcp_agent.ini文件: 5 L7 Z' i; o3 z. z6 |9 \
[backcolor=rgb(245, 245, 245) !important][url=][/url]
# t* T p5 d! `6 A[DEFAULT]verbose = Trueinterface_driver = neutron.agent.linux.interface.OVSInterfaceDriverdhcp_driver = neutron.agent.linux.dhcp.Dnsmasquse_namespaces = Truedhcp_delete_namespaces = True[backcolor=rgb(245, 245, 245) !important][url=][/url]7 z' k! A" H" y3 x' g
- M& t& i7 y% k5 }7 V5 u. j, m" |# z$ C
3 o, ^. M7 I( c6 i w
7.(可选)为VXLAN项目网络减少MTU。 [backcolor=rgb(245, 245, 245) !important][url=][/url]! a% }' W9 v y3 e8 E5 L; N
% ]9 S* A* `. I4 h" ?# C" T* L* c+ `' v/ ]
1.编辑/etc/neutron/dhcp_agent。ini文件:[DEFAULT]dnsmasq_config_file = /etc/neutron/dnsmasq-neutron.conf2.编辑/etc/neutron/dnsmasq-neutron.conf文件:dhcp-option-force=26,1450
* H, l. c# A% w. z9 s; Q7 C" H( F- e+ y8 B
[backcolor=rgb(245, 245, 245) !important][url=][/url]3 T, R8 p$ G; j. t6 `
9 g) E5 [. l) T$ N$ C5 R
2 z( s2 v3 H/ M- R9 @8.配置元数据代理。编辑/etc/neutron/metadata_agent.ini文件: [DEFAULT]verbose = Truenova_metadata_ip = controllermetadata_proxy_shared_secret = METADATA_SECRET
6 d5 x! t, W, _7 A5 I) ~
( }( c/ R% V9 I+ A* E用合适的环境值替换METADATA_SECRET。 3 L$ j# m$ q! k
9.开始以下服务: Open vSwitch Open vSwitch agent L3 agent DHCP agent Metadata agent; W8 W; K/ i& |8 H
& C y& m- n0 T. k; C; v$ s计算节点; W, y4 q! x% T$ }& a' [* f/ |
1.配置内核以启用网桥上的iptables并禁用反向路径过滤。编辑/etc/sysctl.配置文件: net.ipv4.conf.default.rp_filter=0net.ipv4.conf.all.rp_filter=0net.bridge.bridge-nf-call-iptables=1net.bridge.bridge-nf-call-ip6tables=1( {% J. P$ N0 ]3 g* a3 ~& d
2.加载新内核配置: $ sysctl -p
- h% L# d3 m. O2 L: Y1 c4 P5 z6 p) i' N* K+ S
3.配置常见的选项。编辑/etc/neutron/neutron.配置文件: [DEFAULT]verbose = True
# k6 E0 X8 w- `5 W& ~& D! Z' ~
5 s" W/ @' X9 o1 e: O% H4.配置Open vSwitch代理。编辑/etc/neutron/plugins/ml2/ml2_conf.ini文件: [backcolor=rgb(245, 245, 245) !important][url=][/url]
, r0 G2 }& H0 H& B[ovs]local_ip = TUNNEL_INTERFACE_IP_ADDRESSbridge_mappings = vlan:br-vlan[agent]tunnel_types = gre,vxlanl2_population = False[securitygroup]firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriverenable_security_group = Trueenable_ipset = True[backcolor=rgb(245, 245, 245) !important][url=][/url]
/ D2 a6 L8 e* f1 L5 d
0 p' G1 L% I" P9 m U; a W
6 O* F' W. N" {: r使用处理GRE / VXLAN项目网络的接口的IP地址替换TUNNEL_INTERFACE_IP_ADDRESS。 & s- M7 _' [& k/ P/ I [
7.启动以下服务: Open vSwitch Open vSwitch agent- h- K- D8 p+ ^0 O' H: c5 O
4 s% b) i1 c) `* C7 U7 b验证服务操作1.提供管理项目凭据。 2.验证代理的存在和操作: [backcolor=rgb(245, 245, 245) !important][url=][/url]
% C6 A. U$ o& V) n4 L B$ u$ neutron agent-list+--------------------------------------+--------------------+----------+-------+----------------+---------------------------+| id | agent_type | host | alive | admin_state_up | binary |+--------------------------------------+--------------------+----------+-------+----------------+---------------------------+| 0bfe5b5d-0b82-434e-b8a0-524cc18da3a4 | DHCP agent | network1 | :-) | True | neutron-dhcp-agent || 25224bd5-0905-4ec9-9f2d-3b17cdaf5650 | Open vSwitch agent | compute2 | :-) | True | neutron-openvswitch-agent || 29afe014-273d-42f3-ad71-8a226e40dea6 | L3 agent | network1 | :-) | True | neutron-l3-agent || 3bed5093-e46c-4b0f-9460-3309c62254a3 | DHCP agent | network2 | :-) | True | neutron-dhcp-agent || 54aefb1c-35f7-4ebf-a848-3bb4fe81dcf7 | Open vSwitch agent | network1 | :-) | True | neutron-openvswitch-agent || 91c9cc03-1678-4d7a-b0a7-fa1ac24e5516 | Open vSwitch agent | compute1 | :-) | True | neutron-openvswitch-agent || ac7b3f77-7e4d-47a6-9dbd-3358cfb67b61 | Open vSwitch agent | network2 | :-) | True | neutron-openvswitch-agent || ceef5c49-3148-4c39-9e15-4985fc995113 | Metadata agent | network1 | :-) | True | neutron-metadata-agent || d27ac19b-fb4d-4fec-b81d-e8c65557b6ec | L3 agent | network2 | :-) | True | neutron-l3-agent || f072a1ec-f842-4223-a6b6-ec725419be85 | Metadata agent | network2 | :-) | True | neutron-metadata-agent |+--------------------------------------+--------------------+----------+-------+----------------+---------------------------+[backcolor=rgb(245, 245, 245) !important][url=][/url]
2 s) Y" l$ C. z$ J* |. c3 F7 V$ j7 D0 R8 Z6 }1 N1 J! `
' n2 T' i+ r+ f p) s创建初始网络7 N% s+ C& t6 Z9 T- }
这个示例创建了一个flat外部网络和一个VXLAN项目网络。
) |8 s3 v& C+ Z) P- v+ c5 l1 b9 P1 Y& `& v
1.提供管理项目凭据。
: o5 J/ }1 g7 n$ _2 f2 c0 _* s
2 b' ]% Y9 s+ T, l* ^2.创建外部网络:
1 S, o4 E4 J; g7 n& G+ r[backcolor=rgb(245, 245, 245) !important][url=][/url]
+ B4 w. ]! Z' D$ neutron net-create ext-net --router:external True \ --provider:physical_network external --provider:network_type flatCreated a new network:+---------------------------+--------------------------------------+| Field | Value |+---------------------------+--------------------------------------+| admin_state_up | True || id | 5266fcbc-d429-4b21-8544-6170d1691826 || name | ext-net || provider:network_type | flat || provider:physical_network | external || provider:segmentation_id | || router:external | True || shared | False || status | ACTIVE || subnets | || tenant_id | 96393622940e47728b6dcdb2ef405f50 |+---------------------------+--------------------------------------+[backcolor=rgb(245, 245, 245) !important][url=][/url]9 b7 I: _/ h' j) p9 }& M* n0 F
1 f* s+ j" @) [- C f2 |
4 s( z4 x, y2 y4 k9 k3.在外部网络上创建子网:
0 B/ Y w7 o! |6 C @: b[backcolor=rgb(245, 245, 245) !important][url=][/url]
& _! Z3 \1 T, C! B- V$ z3 N- q2 t$ neutron subnet-create ext-net 203.0.113.0/24 --name ext-subnet \ --allocation-pool start=203.0.113.101,end=203.0.113.200 \ --disable-dhcp --gateway 203.0.113.1Created a new subnet:+-------------------+----------------------------------------------------+| Field | Value |+-------------------+----------------------------------------------------+| allocation_pools | {"start": "203.0.113.101", "end": "203.0.113.200"} || cidr | 203.0.113.0/24 || dns_nameservers | || enable_dhcp | False || gateway_ip | 203.0.113.1 || host_routes | || id | b32e0efc-8cc3-43ff-9899-873b94df0db1 || ip_version | 4 || ipv6_address_mode | || ipv6_ra_mode | || name | ext-subnet || network_id | 5266fcbc-d429-4b21-8544-6170d1691826 || tenant_id | 96393622940e47728b6dcdb2ef405f50 |+-------------------+----------------------------------------------------+[backcolor=rgb(245, 245, 245) !important][url=][/url]
: F) N# |7 j) q# N/ [- f" @
. ^9 A' I9 A* Q" V4 U" f. U, ~6 |/ C/ I) B! k9 R. y
请注意:
7 |; f* a1 s4 Q' V" R8 y4 D1 |; s- W3 ~5 }9 S- e7 q; o) Q1 i' D
示例配置包含vlan作为第一个项目网络类型。只有管理用户才能创建其他类型的网络,比如GRE或VXLAN。下面的命令使用admin项目凭证创建一个VXLAN项目网络。6 R' }: ?! H) [0 t
3 P6 }. b7 I2 J' k: q: N1.获得常规项目的ID。例如使用demo项目:
5 f5 V/ {8 v" s4 Z: {, j[backcolor=rgb(245, 245, 245) !important][url=][/url]
* h3 N, [, s- w9 J% q5 i$ openstack project show demo+-------------+----------------------------------+| Field | Value |+-------------+----------------------------------+| description | Demo Tenant || enabled | True || id | 443cd1596b2e46d49965750771ebbfe1 || name | demo |+-------------+----------------------------------+[backcolor=rgb(245, 245, 245) !important][url=][/url]
) c3 M3 {; o* b3 r
1 w8 q5 S1 b7 q6 H4 x5 Y6 n% l7 d8 K; h& d: H
2.创建项目网络:
, p+ ~( }# s% S- C! ]3 p* ?[backcolor=rgb(245, 245, 245) !important][url=][/url]
: |7 u( b, E1 f- Y7 X. u( J' i$ neutron net-create demo-net \ --tenant-id 443cd1596b2e46d49965750771ebbfe1 \ --provider:network_type vxlanCreated a new network:+---------------------------+--------------------------------------+| Field | Value |+---------------------------+--------------------------------------+| admin_state_up | True || id | 7ac9a268-1ddd-453f-857b-0fd9552b645f || name | demo-net || provider:network_type | vxlan || provider:physical_network | || provider:segmentation_id | 1 || router:external | False || shared | False || status | ACTIVE || subnets | || tenant_id | 443cd1596b2e46d49965750771ebbfe1 |+---------------------------+--------------------------------------+[backcolor=rgb(245, 245, 245) !important][url=][/url]- ]# G* T$ Q% c/ I% l! M8 t
E8 _ A7 [. o: r! ]2 Y5 }' M/ f9 f1 d% Y) O4 O5 w
* G; s* f" ?6 m0 I1 ?# l
3.提供常规项目凭证。下面的步骤使用demo项目。 4.在项目网络上创建子网: 6 [3 `+ G' y* ]. X# }4 J
[backcolor=rgb(245, 245, 245) !important][url=][/url]
; t1 R% ?% w; X1 ]! i/ P$ neutron subnet-create demo-net 192.168.1.0/24 --name demo-subnet \ --gateway 192.168.1.1Created a new subnet:+-------------------+--------------------------------------------------+| Field | Value |+-------------------+--------------------------------------------------+| allocation_pools | {"start": "192.168.1.2", "end": "192.168.1.254"} || cidr | 192.168.1.0/24 || dns_nameservers | || enable_dhcp | True || gateway_ip | 192.168.1.1 || host_routes | || id | 2945790c-5999-4693-b8e7-50a9fc7f46f5 || ip_version | 4 || ipv6_address_mode | || ipv6_ra_mode | || name | demo-subnet || network_id | 7ac9a268-1ddd-453f-857b-0fd9552b645f || tenant_id | 443cd1596b2e46d49965750771ebbfe1 |+-------------------+--------------------------------------------------+[backcolor=rgb(245, 245, 245) !important][url=][/url]1 B6 Z/ ^4 c3 d0 X* z% W
5 ?# g! r) L2 _; r- B0 i7 f- y6 x4 {6 I0 c7 }
5.创建一个项目路由器:
1 Q/ ~3 [9 h2 y' E[backcolor=rgb(245, 245, 245) !important][url=][/url]* O- w7 c: d/ A e% r8 l8 s
$ neutron router-create demo-routerCreated a new router:+-----------------------+--------------------------------------+| Field | Value |+-----------------------+--------------------------------------+| admin_state_up | True || distributed | False || external_gateway_info | || ha | True || id | 7a46dba8-8846-498c-9e10-588664558473 || name | demo-router || routes | || status | ACTIVE || tenant_id | 443cd1596b2e46d49965750771ebbfe1 |+-----------------------+--------------------------------------+[backcolor=rgb(245, 245, 245) !important][url=][/url]
) I: v% n* t! q" P7 X5 n) ]
( e. x9 Q5 b& o" k) g/ ? V2 I' e# P- F/ \& ^
注意:默认policy.json文件只允许管理项目在路由器创建期间启用/禁用HA,并查看路由器的HA标志。
/ ^) q( v: {* C8 H: k6.在路由器上添加项目子网作为接口: $ neutron router-interface-add demo-router demo-subnetAdded interface 8de3e172-5317-4c87-bdc1-f69e359de92e to router demo-router.3 S5 L$ Y0 C$ k! l' G
9 j d8 s( p8 x, b) I7 s4 R
7.在路由器上添加一个通向外部网络的网关:
. b% J" Z. a( T; g$ neutron router-gateway-set demo-router ext-netSet gateway for router demo-router
/ @! S8 J' g4 P3 P9 h4 C
0 r% @% t: S8 h6 w验证网络操作 l! J; A" Y9 O
1.提供管理项目凭据。 _) X# N" Z9 T' d& t2 d1 v
: w" _" d" ?& z5 n: C9 B2.在控制器节点上,验证HA网络的创建: [backcolor=rgb(245, 245, 245) !important][url=][/url]7 x+ l5 `) f& J7 R0 e0 ]
$ neutron net-list+--------------------------------------+----------------------------------------------------+-------------------------------------------------------+| id | name | subnets |+--------------------------------------+----------------------------------------------------+-------------------------------------------------------+| 5266fcbc-d429-4b21-8544-6170d1691826 | ext-net | b32e0efc-8cc3-43ff-9899-873b94df0db1 203.0.113.0/24 || e029b568-0fd7-4d10-bb16-f9e014811d10 | HA network tenant 443cd1596b2e46d49965750771ebbfe1 | ee30083f-eb4c-41ea-8937-1bae65740af4 169.254.192.0/18 || 7ac9a268-1ddd-453f-857b-0fd9552b645f | demo-net | 2945790c-5999-4693-b8e7-50a9fc7f46f5 192.168.1.0/24 |+--------------------------------------+----------------------------------------------------+-------------------------------------------------------+[backcolor=rgb(245, 245, 245) !important][url=][/url]
( {4 k, O7 D* t: S2 D9 H d& X5 H4 s6 F% J# E
" \ Z/ G C& @4 q! Y7 h4 I3.在控制器节点上,在多个网络节点上验证路由器的创建: ' A: o% C1 R1 C R
[backcolor=rgb(245, 245, 245) !important][url=][/url]. _! @) S5 ~9 T! L+ ^+ Y$ H: z
$ neutron l3-agent-list-hosting-router demo-router+--------------------------------------+----------+----------------+-------+----------+| id | host | admin_state_up | alive | ha_state |+--------------------------------------+----------+----------------+-------+----------+| 29afe014-273d-42f3-ad71-8a226e40dea6 | network1 | True | :-) | active || d27ac19b-fb4d-4fec-b81d-e8c65557b6ec | network2 | True | :-) | standby |+--------------------------------------+----------+----------------+-------+----------+[backcolor=rgb(245, 245, 245) !important][url=][/url]
) u: y! j5 @0 n' R7 f5 \. @& u! a j& n+ b. v7 n
$ |3 U0 u9 F [/ e注意:老版本的python - neutronclient不支持ha_state字段。 0 p: z$ X; X0 r) i: Q4 j
4.在控制器节点上,在demo - router路由器上验证HA端口的创建: [backcolor=rgb(245, 245, 245) !important][url=][/url]% w' K( p, b% N2 [7 k7 Y
$ neutron router-port-list demo-router+--------------------------------------+-------------------------------------------------+-------------------+----------------------------------------------------------------------------------------+| id | name | mac_address | fixed_ips |+--------------------------------------+-------------------------------------------------+-------------------+----------------------------------------------------------------------------------------+| 255d2e4b-33ba-4166-a13f-6531122641fe | HA port tenant 443cd1596b2e46d49965750771ebbfe1 | fa:16:3e:25:05:d7 | {"subnet_id": "8e8e4c7d-fa38-417d-a4e3-03ee5ab5493c", "ip_address": "169.254.192.1"} || 374587d7-2acd-4156-8993-4294f788b55e | | fa:16:3e:82:a0:59 | {"subnet_id": "b32e0efc-8cc3-43ff-9899-873b94df0db1", "ip_address": "203.0.113.101"} || 8de3e172-5317-4c87-bdc1-f69e359de92e | | fa:16:3e:10:9f:f6 | {"subnet_id": "2945790c-5999-4693-b8e7-50a9fc7f46f5", "ip_address": "192.168.1.1"} || 90d1a59f-b122-459d-a94a-162a104de629 | HA port tenant 443cd1596b2e46d49965750771ebbfe1 | fa:16:3e:ae:3b:22 | {"subnet_id": "8e8e4c7d-fa38-417d-a4e3-03ee5ab5493c", "ip_address": "169.254.192.2"} |+--------------------------------------+-------------------------------------------------+-------------------+----------------------------------------------------------------------------------------+[backcolor=rgb(245, 245, 245) !important][url=][/url]
# U" t& D" A) U/ |7 b4 l# [
5 q& b, B, ~+ ~' J7 Y; P" p( `( k2 t, E- G* l4 U; r7 O
$ X. W' ]; l) D" t! C! Z
5.在网络节点上,验证qrouter和qdhcp名称空间的创建: ! d8 C, K; }; J7 e2 y( n
[backcolor=rgb(245, 245, 245) !important][url=][/url]' v4 H I% l: D6 A. @
网络节点1:$ ip netnsqrouter-7a46dba8-8846-498c-9e10-588664558473网络节点2:$ ip netnsqrouter-7a46dba8-8846-498c-9e10-588664558473[backcolor=rgb(245, 245, 245) !important][url=][/url]4 p+ o4 r% ?4 d8 @( Y @
7 o0 k% W# Q; w: ?! m2 }两个qrouter名称空间都应该使用相同的UUID。
6 g; J8 ^, y) b0 d* Y) K. `- @8 c请注意
! @/ I" \1 n9 w& s C8 P4 x
# F6 P8 K/ m5 e( w7 G5 d; x 在启动实例之前,qdhcp名称空间可能不存在。
4 D) G) u: a8 i, M9 w- p+ s' w1 C1 h5 d% K- Y
6.在网络节点上,验证HA操作: 网络节点1:[backcolor=rgb(245, 245, 245) !important][url=][/url]
* V( `2 w' n6 a& {+ Q0 Q网络节点1:$ ip netns exec qrouter-7a46dba8-8846-498c-9e10-588664558473 ip addr show11: ha-255d2e4b-33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default link/ether fa:16:3e:25:05:d7 brd ff:ff:ff:ff:ff:ff inet 169.254.192.1/18 brd 169.254.255.255 scope global ha-255d2e4b-33 valid_lft forever preferred_lft forever inet6 fe80::f816:3eff:fe25:5d7/64 scope link valid_lft forever preferred_lft forever12: qr-8de3e172-53: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default link/ether fa:16:3e:10:9f:f6 brd ff:ff:ff:ff:ff:ff inet 192.168.1.1/24 scope global qr-8de3e172-53 valid_lft forever preferred_lft forever inet6 fe80::f816:3eff:fe10:9ff6/64 scope link valid_lft forever preferred_lft forever13: qg-374587d7-2a: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default link/ether fa:16:3e:82:a0:59 brd ff:ff:ff:ff:ff:ff inet 203.0.113.101/24 scope global qg-374587d7-2a valid_lft forever preferred_lft forever inet6 fe80::f816:3eff:fe82:a059/64 scope link valid_lft forever preferred_lft forever[backcolor=rgb(245, 245, 245) !important][url=][/url]
+ V1 N0 Q' [1 b$ f4 m/ A% n. A6 r Y) }# o( i& w( D0 i& u
% w( N5 c2 g* m" N! v5 k* c网络节点2:
# Y' B U3 P, D' q[backcolor=rgb(245, 245, 245) !important][url=][/url]0 ~9 \) f5 `; z) P
$ ip netns exec qrouter-7a46dba8-8846-498c-9e10-588664558473 ip addr show11: ha-90d1a59f-b1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default link/ether fa:16:3e:ae:3b:22 brd ff:ff:ff:ff:ff:ff inet 169.254.192.2/18 brd 169.254.255.255 scope global ha-90d1a59f-b1 valid_lft forever preferred_lft forever inet6 fe80::f816:3eff:feae:3b22/64 scope link valid_lft forever preferred_lft forever12: qr-8de3e172-53: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default link/ether fa:16:3e:10:9f:f6 brd ff:ff:ff:ff:ff:ff inet6 fe80::f816:3eff:fe10:9ff6/64 scope link valid_lft forever preferred_lft forever13: qg-374587d7-2a: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default link/ether fa:16:3e:82:a0:59 brd ff:ff:ff:ff:ff:ff inet6 fe80::f816:3eff:fe82:a059/64 scope link valid_lft forever preferred_lft forever[backcolor=rgb(245, 245, 245) !important][url=][/url]
5 u1 [/ ?& u T. f* v& i$ m% T0 x2 S x
在每个网络节点上,qrouter命名空间应该包括ha、qr和qg接口。在主节点上,qr接口包含项目网络网关IP地址,qg接口包含外部网络上的项目路由器IP地址。在备份节点上,qr和qg接口不应该包含IP地址。在这两个节点上,ha接口应该在169.254.192.0 / 18范围内包含唯一的IP地址。 " E; @: x* t2 z. R& j
7.在网络节点上,在适当的网络接口上从主节点HA接口IP地址验证VRRP advertisements :
8 J( a% K8 M* [0 Z4 D0 ?网络节点1: [backcolor=rgb(245, 245, 245) !important][url=][/url]
' Y& |# u/ I- i9 j! N5 q0 x: D! ~' m- M8 M$ tcpdump -lnpi eth116:50:16.857294 IP 169.254.192.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 50, authtype none, intvl 2s, length 2016:50:18.858436 IP 169.254.192.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 50, authtype none, intvl 2s, length 2016:50:20.859677 IP 169.254.192.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 50, authtype none, intvl 2s, length 20[backcolor=rgb(245, 245, 245) !important][url=][/url]
4 E4 r/ B) K" ^4 U0 B7 n# d* `1 G, T& ?8 l- J" R4 n1 Q. h
5 Y/ x: t3 ^. r/ ?' J0 f网络节点2: [backcolor=rgb(245, 245, 245) !important][url=][/url]0 [% Y# ^# c2 \& {7 E d1 z
$ tcpdump -lnpi eth116:51:44.911640 IP 169.254.192.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 50, authtype none, intvl 2s, length 2016:51:46.912591 IP 169.254.192.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 50, authtype none, intvl 2s, length 2016:51:48.913900 IP 169.254.192.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 50, authtype none, intvl 2s, length 20[backcolor=rgb(245, 245, 245) !important][url=][/url]* r2 g$ d$ o( ?6 N% W2 i
, I x2 q! B/ g
+ a5 H: Q0 T& I
示例输出使用网络接口eth1。 ( \4 n2 U# X1 W6 \
& u1 g9 Z+ E+ v3 r8.在路由器上确定项目网络的外部网络网关IP地址,通常是外部子网IP分配范围内的最低IP地址: [backcolor=rgb(245, 245, 245) !important][url=][/url]
+ t% Q) U- V' M0 `$ neutron router-port-list demo-router+--------------------------------------+-------------------------------------------------+-------------------+----------------------------------------------------------------------------------------+| id | name | mac_address | fixed_ips |+--------------------------------------+-------------------------------------------------+-------------------+----------------------------------------------------------------------------------------+| 255d2e4b-33ba-4166-a13f-6531122641fe | HA port tenant 443cd1596b2e46d49965750771ebbfe1 | fa:16:3e:25:05:d7 | {"subnet_id": "8e8e4c7d-fa38-417d-a4e3-03ee5ab5493c", "ip_address": "169.254.192.1"} || 374587d7-2acd-4156-8993-4294f788b55e | | fa:16:3e:82:a0:59 | {"subnet_id": "b32e0efc-8cc3-43ff-9899-873b94df0db1", "ip_address": "203.0.113.101"} || 8de3e172-5317-4c87-bdc1-f69e359de92e | | fa:16:3e:10:9f:f6 | {"subnet_id": "2945790c-5999-4693-b8e7-50a9fc7f46f5", "ip_address": "192.168.1.1"} || 90d1a59f-b122-459d-a94a-162a104de629 | HA port tenant 443cd1596b2e46d49965750771ebbfe1 | fa:16:3e:ae:3b:22 | {"subnet_id": "8e8e4c7d-fa38-417d-a4e3-03ee5ab5493c", "ip_address": "169.254.192.2"} |+--------------------------------------+-------------------------------------------------+-------------------+----------------------------------------------------------------------------------------+[backcolor=rgb(245, 245, 245) !important][url=][/url], ^ G1 f* d; y. H) N
" ]7 f3 t- o& o0 v6 S) ]7 [( m, q: ^" E" ?
: \* P" g9 w3 D( `& L! p
9.在控制器节点或任何有访问外部网络的主机上,在项目路由器上ping外部网络网关IP地址: [backcolor=rgb(245, 245, 245) !important][url=][/url], t K8 j& u' L' m2 p. Y0 y3 G9 Y) K
$ ping -c 4 203.0.113.101PING 203.0.113.101 (203.0.113.101) 56(84) bytes of data.64 bytes from 203.0.113.101: icmp_req=1 ttl=64 time=0.619 ms64 bytes from 203.0.113.101: icmp_req=2 ttl=64 time=0.189 ms64 bytes from 203.0.113.101: icmp_req=3 ttl=64 time=0.165 ms64 bytes from 203.0.113.101: icmp_req=4 ttl=64 time=0.216 ms--- 203.0.113.101 ping statistics ---4 packets transmitted, 4 received, 0% packet loss, time 2999msrtt min/avg/max/mdev = 0.165/0.297/0.619/0.187 ms[backcolor=rgb(245, 245, 245) !important][url=][/url]
7 W- j& F; _2 I
8 Z# h) X2 F. G6 [. V, I+ B
" X" U2 z4 U0 H; Y7 p( U1 N+ P' j; D- f0 z7 F
10.提供常规项目凭证。下面的步骤使用演示项目。
. p8 ^) M; Q/ r2 Z7 R+ N: u# V6 s+ P! n% ~
11.创建适当的安全组规则,允许ping和SSH访问实例。例如: [backcolor=rgb(245, 245, 245) !important][url=][/url]; M* d( J# i* Q! ] ^
$ nova secgroup-add-rule default icmp -1 -1 0.0.0.0/0+-------------+-----------+---------+-----------+--------------+| IP Protocol | From Port | To Port | IP Range | Source Group |+-------------+-----------+---------+-----------+--------------+| icmp | -1 | -1 | 0.0.0.0/0 | |+-------------+-----------+---------+-----------+--------------+$ nova secgroup-add-rule default tcp 22 22 0.0.0.0/0+-------------+-----------+---------+-----------+--------------+| IP Protocol | From Port | To Port | IP Range | Source Group |+-------------+-----------+---------+-----------+--------------+| tcp | 22 | 22 | 0.0.0.0/0 | |+-------------+-----------+---------+-----------+--------------+[backcolor=rgb(245, 245, 245) !important][url=][/url]) ^: G+ K) c" c- p5 v
& @! u( q5 D' A* g X; w5 k5 _$ r( J1 B9 d3 b
12.在项目网络上启动一个具有接口的实例。例如,使用现有的CirrOS镜像: $ l# G- Y$ l- \4 M7 w
[backcolor=rgb(245, 245, 245) !important][url=][/url]# a) r% b' i& g
$ nova boot --flavor m1.tiny --image cirros \ --nic net-id=7ac9a268-1ddd-453f-857b-0fd9552b645f demo-instance1+--------------------------------------+-----------------------------------------------+| Property | Value |+--------------------------------------+-----------------------------------------------+| OS-DCF:diskConfig | MANUAL || OS-EXT-AZ:availability_zone | nova || OS-EXT-STS:power_state | 0 || OS-EXT-STS:task_state | scheduling || OS-EXT-STS:vm_state | building || OS-SRV-USG:launched_at | - || OS-SRV-USG:terminated_at | - || accessIPv4 | || accessIPv6 | || adminPass | Z3uAd2utPUNu || config_drive | || created | 2015-08-10T15:06:24Z || flavor | m1.tiny (1) || hostId | || id | 77149598-c839-400f-b948-db6993f0b40b || image | cirros (125733d9-8d37-4d70-9a64-1c989cfa8e9c) || key_name | || metadata | {} || name | demo-instance1 || os-extended-volumes:volumes_attached | [] || progress | 0 || security_groups | default || status | BUILD || tenant_id | 443cd1596b2e46d49965750771ebbfe1 || updated | 2015-08-10T15:06:25Z || user_id | bdd4e165bdf94b258ddd4856340ed01c |+--------------------------------------+-----------------------------------------------+[backcolor=rgb(245, 245, 245) !important][url=][/url]
& ^5 @- G* W* V( r: C, R7 P+ M. z7 ^; Y9 X6 u' \- q# T5 L
1 A8 M5 G& Y& ]7 u! K- j; w13.获得对实例的控制台访问。 [backcolor=rgb(245, 245, 245) !important][url=][/url]
; E9 E% W+ t" o0 Q, K, M& i; P+ L' d0 ?$ |
1.测试连接到项目路由器:$ ping -c 4 192.168.1.1PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.64 bytes from 192.168.1.1: icmp_req=1 ttl=64 time=0.357 ms64 bytes from 192.168.1.1: icmp_req=2 ttl=64 time=0.473 ms64 bytes from 192.168.1.1: icmp_req=3 ttl=64 time=0.504 ms64 bytes from 192.168.1.1: icmp_req=4 ttl=64 time=0.470 ms--- 192.168.1.1 ping statistics ---4 packets transmitted, 4 received, 0% packet loss, time 2998msrtt min/avg/max/mdev = 0.357/0.451/0.504/0.055 ms2.测试连接到互联网:$ ping -c 4 openstack.orgPING openstack.org (174.143.194.225) 56(84) bytes of data.64 bytes from 174.143.194.225: icmp_req=1 ttl=53 time=17.4 ms64 bytes from 174.143.194.225: icmp_req=2 ttl=53 time=17.5 ms64 bytes from 174.143.194.225: icmp_req=3 ttl=53 time=17.7 ms64 bytes from 174.143.194.225: icmp_req=4 ttl=53 time=17.5 ms--- openstack.org ping statistics ---4 packets transmitted, 4 received, 0% packet loss, time 3003msrtt min/avg/max/mdev = 17.431/17.575/17.734/0.143 ms
. F, c2 _4 W% j2 x# m[backcolor=rgb(245, 245, 245) !important][url=][/url]
|; |; o l' c2 B& X& ], K9 f2 e) E" E; V6 H9 [
; ]' ]* x. v2 S, v3 F! D% M. G14.在外部网络上创建浮动IP地址: [backcolor=rgb(245, 245, 245) !important][url=][/url]
( m8 n2 t3 g9 z5 L1 }$ neutron floatingip-create ext-netCreated a new floatingip:+---------------------+--------------------------------------+| Field | Value |+---------------------+--------------------------------------+| fixed_ip_address | || floating_ip_address | 203.0.113.102 || floating_network_id | 5266fcbc-d429-4b21-8544-6170d1691826 || id | 20a6b5dd-1c5c-460e-8a81-8b5cf1739307 || port_id | || router_id | || status | DOWN || tenant_id | 443cd1596b2e46d49965750771ebbfe1 |+---------------------+--------------------------------------+[backcolor=rgb(245, 245, 245) !important][url=][/url]5 A6 L+ C+ M) I+ @
* H2 ?7 I5 F4 l* j8 j. U e
* ?( p$ c+ R: P# C- u3 w15.将浮动IP地址与实例关联: $ nova floating-ip-associate demo-instance1 203.0.113.102
# \/ D5 X1 u5 _, |0 r
8 J4 ?! B3 s% h; S# b! s# R+ e0 k% Q16.验证添加到实例的浮动IP地址: [backcolor=rgb(245, 245, 245) !important][url=][/url]" k8 m: s6 P* ]! W
$ nova list+--------------------------------------+----------------+--------+------------+-------------+-----------------------------------------+| ID | Name | Status | Task State | Power State | Networks |+--------------------------------------+----------------+--------+------------+-------------+-----------------------------------------+| 77149598-c839-400f-b948-db6993f0b40b | demo-instance1 | ACTIVE | - | Running | demo-net=192.168.1.3, 203.0.113.102 |+--------------------------------------+----------------+--------+------------+-------------+-----------------------------------------+[backcolor=rgb(245, 245, 245) !important][url=][/url]5 X7 q0 p' }) K7 z+ v& B- k
# o' K' G' H7 H/ j; n M3 e7 y
) D. R9 G: g$ m; X$ _5 ]; o6 ]17.在控制器节点或任何访问外部网络的主机上,ping与实例关联的浮动IP地址:
3 ^0 y9 S( D& u6 B7 U" D[backcolor=rgb(245, 245, 245) !important][url=][/url]
5 E( ?% |' E( R& v$ ping -c 4 203.0.113.102PING 203.0.113.102 (203.0.113.112) 56(84) bytes of data.64 bytes from 203.0.113.102: icmp_req=1 ttl=63 time=3.18 ms64 bytes from 203.0.113.102: icmp_req=2 ttl=63 time=0.981 ms64 bytes from 203.0.113.102: icmp_req=3 ttl=63 time=1.06 ms64 bytes from 203.0.113.102: icmp_req=4 ttl=63 time=0.929 ms--- 203.0.113.102 ping statistics ---4 packets transmitted, 4 received, 0% packet loss, time 3002msrtt min/avg/max/mdev = 0.929/1.539/3.183/0.951 ms
. r9 z H7 V5 y) L |
/4 
|返回首页|Archiver|小黑屋|易陆发现技术论坛
( 蜀ICP备2026014127号-1 )
窥视卡
雷达卡
发表于 2021-6-25 11:21:40
/ K3 [- I1 F' P! N# p; L' k* k; W
/ K$ U+ T# ]' s$ y% a& \- W, B/ f' M
8 B6 b- G7 \1 E/ F5 i7 [ _
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
照妖镜
楼主