马上注册,结交更多好友,享用更多功能,让你轻松玩转社区。
您需要 登录 才可以下载或查看,没有账号?开始注册
x
一个具有网络管理接口的控制器节点。 U/ C3 \) R$ x e
两个网络节点有四个网络接口:管理、项目隧道网络、项目VLAN网络和外部(通常是Internet)。Open vSwitch网桥br-vlan必须包含VLAN接口上的一个端口,而Open vSwitch桥的br- ex必须在外部接口上包含一个端口。6 n C9 f: }7 w0 s
, T9 O" e% H0 n" P* u: h5 L9 H8 w! L) d
至少有一个具有三个网络接口的计算节点:管理、项目隧道网络和项目VLAN网络。Open vSwitch网桥br-vlan必须在VLAN接口上包含一个端口。 为了提高对网络流量的理解,网络和计算节点包含一个独立的网络接口,用于项目VLAN网络。在生产环境中,项目VLAN网络可以使用任何Open vSwitch网桥来访问网络接口。例如br-tun网桥
5 i% S+ }. o. Q( n. J在示例配置中,管理网络使用10.0.0 / 24,隧道网络使用10.0.1.0 / 24,VRRP网络使用169.254.192.0 / 18,外部网络使用203.0.113.0 / 24。VLAN网络不需要IP地址范围,因为它只处理二级连接。 2 L5 o& t% S7 o3 ~3 \+ M
硬件要求6 E/ E6 B; V5 K4 `) A3 Z
/ M- p' a2 t7 @. ^* [- }" \
网络布局0 `4 e9 S- l, x% d( Y2 [3 ?- p
5 E% r g) a+ y2 w
; [# V. t# l, g ]' f' P" l5 N; i+ i- r
服务布局5 y! \# g0 W8 ]8 l
, A6 `) G/ l# d, w& h; D
注意:对于VLAN外部和项目网络,网络基础设施必须支持VLAN标记。为了获得VXLAN和GRE项目网络的最佳性能,网络基础设施应该支持巨型帧。 7 q4 M, P' Z* V( G' x
控制节点的openstack服务" I9 a# ?! ~' h9 g( j
在neutron.conf文件中具有数据库服务器的合适配置在neutron.conf文件中具有消息队列服务的合适配置。" }5 ?. A. i1 g' O1 a( a
在neutron.conf文件中具有openstack keystone服务的合适配置
' O+ N( c2 k4 _4 M* D在nova.conf文件中具有openstack计算 控制/管理服务的合适配置去使用Openstack 网络- \* j8 f s [& w1 O( K. Y
neutron服务器服务、ML2插件和任何依赖关系。/ H$ E! c4 X; y: z4 ?( M
$ q3 L$ ], K% z [6 U" J3 Z
网络节点的Openstack服务在neutron.conf文件中具有openstack keystone服务的合适配置2 r' ~2 A% {$ T# f9 x
Open vSwitch服务、ML2插件、Open vSwitch代理、L3代理、DHCP代理、元数据代理和任何依赖关系。' U# B7 _* e$ l2 R. b3 b1 t" r
( c/ x( c' ?6 D2 H }
计算节点的Openstack服务( }6 ]" Q9 E$ U1 S
在neutron.conf文件中具有openstack keystone服务的合适配置
! l7 y# Y3 t. |5 G. S3 D
. }9 {2 g- G4 V$ o" D在nova.conf文件中具有openstack计算 控制/管理服务的合适配置去使用Openstack网络Open vSwitch服务,ML2插件,OpenvSwitch代理,以及任何依赖项。
2 M. T1 z3 J3 f! i( P2 j6 N0 T' E8 S+ |$ f. x* K; E( K
体系结构1 |" N5 w* h' r9 G! S( ]
一般的体系架构
% U, |+ J3 B5 g! [+ I6 Y 网络节点包含以下组件:
# D7 R9 |( n% b; _4 _, I1 P- G
) }5 `& v0 M' o3 V; LOpen vSwitch代理管理虚拟交换机之间的连接,以及通过虚拟端口与其他网络组件(如名称空间、Linux网桥和底层接口)进行交互。
9 W/ [8 `- s/ G/ W' G: `3 x9 }; H- ?7 Q) y
管理qdhcp名称空间的DHCP代理。qdhcp名称空间为使用项目网络的实例提供DHCP服务。
/ a2 W- T- d/ U) Y4 d6 w E' V3 m
& K0 P) e* D% ?9 d' \ N7 Y. XL3代理使用keepalived管理qrouter名称空间和VRRP。qrouter名称空间提供了项目和外部网络之间以及项目网络之间的路由。它们还在实例和元数据代理之间路由元数据通信。- z7 J$ R& C: c9 K7 K
- i' a5 ~; L* J- i9 c0 K- @) g
元数据代理处理实例的元数据操作。
! q& o: O" S5 n, L4 n( u; A
1 c3 @' `% c8 @: q. y/ ]- `( R% {. F) L网络节点组件回顾5 F/ d& Z# D' N( e+ a w% |& Q- o
+ `8 K5 \( d* Q7 `
6 E& J3 A- ?. b# K 网络节点组件连接' l. K- O+ I% t# o) C" m/ N1 U
' x% g$ M: K) M+ ~5 I5 H: ^$ w 计算节点包含以下组件:
8 d, X B8 c4 S+ r7 I2 t) U% E8 g( I B( j( Q+ w r
1.Open vSwitch代理管理虚拟交换机之间的连接,以及通过虚拟端口与其他网络组件(如名称空间、Linux网桥和底层接口)进行交互。
2 W0 k9 x9 n8 p" z, }4 o! ` d1 \; I1 F* \8 i
2.Linux网桥处理安全组。 9 s8 {* ~! Z) m4 A& k9 y1 |! c
注意:由于Open vSwitch和iptables的限制,网络服务使用Linux桥来管理实例的安全组。
% g7 T" h6 h3 e( M, C+ [+ [6 N5 y. N计算节点组件回顾
* _- ^4 C, _! r( E# P3 H4 V, d% Z' A4 h& p" z: z. S; e
计算节点组件连接
1 T( y3 I' `9 G( c
8 b) O2 [- J% E5 R" L3 W数据包流 L3HA机制简单地增加了场景:如果主路由器失败,则使用Open vSwitch提供给另一个路由器的快速故障转移到另一个路由器。
9 o2 }6 }0 d, O0 m" ?1 j6 X9 j3 f" r* F- }: d O! l4 b: \3 A
在正常的操作过程中,主路由器定期地通过一个隐藏的项目网络来传输心跳数据包,该网络连接所有的HA路由器以完成特定的项目。 在默认情况下,这个网络使用的类型是在/etc/neutron/plugins/ml2_conf.ini的tenant_network_types选项中第一个值的类型。
' c/ S1 _3 `) M, k
& L. |$ R' \4 P/ x. A, X如果备份路由器停止接收这些数据包,它就假定主路由器失效,并通过在qrouter名称空间中配置IP地址来提升自己到主路由器。在具有多个备份路由器的环境中,具有下一个最高优先级的路由器成为主路由器 3 `) n& b% J4 b9 J& J( z
注意:L3HA机制对所有路由器使用相同的优先级。因此,VRRP会将IP地址最高的备份路由器提升到主路由器。
9 F$ U7 b8 K: i+ [; l示例配置. H1 g" W1 F6 g5 n; h) t: G
使用下面的示例配置作为在您的环境中部署该场景的模板。 1 m& I6 ^1 T9 a- D1 W' d
控制节点1.配置常见的选项。编辑/etc/neutron/neutron.配置文件: [backcolor=rgb(245, 245, 245) !important][url=][/url]
2 f0 e# p% d/ D[DEFAULT]verbose = Truecore_plugin = ml2service_plugins = routerallow_overlapping_ips = Truerouter_distributed = Falsel3_ha = Truel3_ha_net_cidr = 169.254.192.0/18max_l3_agents_per_router = 3min_l3_agents_per_router = 2dhcp_agents_per_network = 2[backcolor=rgb(245, 245, 245) !important][url=][/url]: ^; W. R9 P' i
/ e1 g3 G D4 d6 y0 M" ?
7 U5 w. y8 `7 ?1 D* G+ \4 w2 c 2.配置ML2插件。编辑/etc/neutron/plugins/ml2/ml2_conf.ini文件:
9 J3 k- Z+ u: z2 u8 _$ ^6 e; x9 ]8 i[backcolor=rgb(245, 245, 245) !important][url=][/url]2 O) ~& X- p8 R* D! b! |
[ml2]type_drivers = flat,vlan,gre,vxlantenant_network_types = vlan,gre,vxlanmechanism_drivers = openvswitch[ml2_type_flat]flat_networks = external[ml2_type_vlan]network_vlan_ranges = external,vlan:MIN_VLAN_ID:MAX_VLAN_ID[ml2_type_gre]tunnel_id_ranges = MIN_GRE_ID:MAX_GRE_ID[ml2_type_vxlan]vni_ranges = MIN_VXLAN_ID:MAX_VXLAN_IDvxlan_group = 239.1.1.1[securitygroup]firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriverenable_security_group = Trueenable_ipset = True[backcolor=rgb(245, 245, 245) !important][url=][/url]8 _% H0 ~0 L: _+ B0 ?/ K$ S
$ ?4 t0 |( [' ^+ n
: P* P* i' P% o, ?, w' n' o替换MIN_VLAN_ID、MAX_VLAN_ID、MIN_GRE_ID、MAX_GRE_ID、MIN_VXLAN_ID和MAX_VXLAN_ID和VLAN、GRE和VXLAN ID最小值,以及适合您的环境的最大值。
- Y% k( D% J% w请注意: tenant_network_types选项中的第一个值在常规用户创建网络时成为默认项目网络类型。network_vlan_range选项中的外部值缺少VLAN ID范围,以支持管理用户使用任意VLAN ID。
6 ^0 C# r4 D) V& q5 z2 }" ?! v* D/ }8 V. ^# r& V
3.启动服务 8 U K& H) \' t' a# e
5 k/ e! G& h2 u0 \
! ?* H0 R d1 @: q' @2 B2 ^
网络节点1.配置内核以启用包转发和禁用反向路径过滤。编辑/etc/sysctl.配置文件: net.ipv4.ip_forward=1net.ipv4.conf.default.rp_filter=0net.ipv4.conf.all.rp_filter=09 u6 u/ \/ _6 X5 P) o/ L2 \
2.加载新内核配置: $ sysctl -p
( z! W( G. ^6 g2 a7 F- Q# T6 z0 ^$ W+ f5 { s% a
3.配置常见的选项。编辑/etc/neutron/neutron.配置文件: [DEFAULT]verbose = True/ C8 a, f4 C% w, [, v# e( J5 X4 e
+ ~# Q }: n0 t/ M. ^
4.配置Open vSwitch代理。编辑/etc/neutron/plugins/ml2/ml2_conf.ini文件: [backcolor=rgb(245, 245, 245) !important][url=][/url]3 L: Y! Q1 {1 q
[ovs]local_ip = TUNNEL_INTERFACE_IP_ADDRESSbridge_mappings = vlan:br-vlan,external:br-ex[agent]tunnel_types = gre,vxlanl2_population = False[securitygroup]firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriverenable_security_group = Trueenable_ipset = True[backcolor=rgb(245, 245, 245) !important][url=][/url]
+ x5 o# f/ [( i9 |
0 L; A, ]: k) z6 g* |7 D
8 ]: Z2 v% c: [使用处理GRE / VXLAN项目网络的接口的IP地址替换TUNNEL_INTERFACE_IP_ADDRESS。 2 K2 g1 c0 W U$ U$ Y9 Z# \' Y/ q. ^; K
5.配置L3代理。编辑/etc/neutron/l3_agent.ini文件:
) @2 |4 O Y% }1 E[backcolor=rgb(245, 245, 245) !important][url=][/url]6 y j$ B2 g, x. T
[DEFAULT]verbose = Trueinterface_driver = neutron.agent.linux.interface.OVSInterfaceDriveruse_namespaces = Trueexternal_network_bridge =router_delete_namespaces = Trueagent_mode = legacy[backcolor=rgb(245, 245, 245) !important][url=][/url]" E% |, ^4 t; b* @$ |4 n8 O
. t$ c# \& g: c' |- s9 K注意:external_network_bridge选项故意不包含任何值。 6 t0 O: w# k2 |) g! I- i
6.配置DHCP代理。编辑/etc/neutron/dhcp_agent.ini文件: 6 Z4 B% ^! a7 h
[backcolor=rgb(245, 245, 245) !important][url=][/url]/ ? l; T+ [, z3 k' g' ^7 p ]
[DEFAULT]verbose = Trueinterface_driver = neutron.agent.linux.interface.OVSInterfaceDriverdhcp_driver = neutron.agent.linux.dhcp.Dnsmasquse_namespaces = Truedhcp_delete_namespaces = True[backcolor=rgb(245, 245, 245) !important][url=][/url]2 O' ]# R# G( W: o
5 ^6 d" z6 k0 b" R4 n5 Z( P
4 O; s# Z& M# `7 b: n+ V( |" p7.(可选)为VXLAN项目网络减少MTU。 [backcolor=rgb(245, 245, 245) !important][url=][/url]
. J; T# W4 o x- ]$ w
! ]. M+ U" H! y# p e. a
/ B( ^" q$ {9 [# X$ m* {4 |1.编辑/etc/neutron/dhcp_agent。ini文件:[DEFAULT]dnsmasq_config_file = /etc/neutron/dnsmasq-neutron.conf2.编辑/etc/neutron/dnsmasq-neutron.conf文件:dhcp-option-force=26,1450
7 e: P; |% i$ |) v9 \8 e- g1 c0 j7 O; d2 ^
[backcolor=rgb(245, 245, 245) !important][url=][/url]+ v- X4 A/ S2 s6 D4 q% x0 u( R' y
' A8 T! P: G1 H& I2 y4 k0 z
* B. \ u( l8 j9 I U& O8.配置元数据代理。编辑/etc/neutron/metadata_agent.ini文件: [DEFAULT]verbose = Truenova_metadata_ip = controllermetadata_proxy_shared_secret = METADATA_SECRET5 `* m4 i9 w4 J7 O
5 h( {9 I+ Z5 D6 M用合适的环境值替换METADATA_SECRET。
8 V7 W% g1 P* L* t" e$ {; W# g9.开始以下服务: Open vSwitch Open vSwitch agent L3 agent DHCP agent Metadata agent: g! M6 o5 ]0 j2 z& S
! Y, b% i) O% d计算节点5 ~3 q6 m `, i7 U0 T
1.配置内核以启用网桥上的iptables并禁用反向路径过滤。编辑/etc/sysctl.配置文件: net.ipv4.conf.default.rp_filter=0net.ipv4.conf.all.rp_filter=0net.bridge.bridge-nf-call-iptables=1net.bridge.bridge-nf-call-ip6tables=15 ~$ q5 z, i$ }7 S* o) d
2.加载新内核配置: $ sysctl -p
7 L; S2 y& {5 ^6 e8 r7 C6 W4 j) I9 f' k7 p) W
3.配置常见的选项。编辑/etc/neutron/neutron.配置文件: [DEFAULT]verbose = True9 x( ~* I/ ?' ]0 ]2 {) b& A4 j1 y
- J4 C$ [' L& z* K. d+ A% l7 d9 r4.配置Open vSwitch代理。编辑/etc/neutron/plugins/ml2/ml2_conf.ini文件: [backcolor=rgb(245, 245, 245) !important][url=][/url]
1 W7 ], j U: a$ ~/ S8 r[ovs]local_ip = TUNNEL_INTERFACE_IP_ADDRESSbridge_mappings = vlan:br-vlan[agent]tunnel_types = gre,vxlanl2_population = False[securitygroup]firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriverenable_security_group = Trueenable_ipset = True[backcolor=rgb(245, 245, 245) !important][url=][/url]3 }7 \( D3 H# [0 S( w* e
& c9 P$ ]$ a9 ]! v, L( K; L6 t
, k' N- U' T% Z& {使用处理GRE / VXLAN项目网络的接口的IP地址替换TUNNEL_INTERFACE_IP_ADDRESS。
* g5 o4 o5 L) l2 I7.启动以下服务: Open vSwitch Open vSwitch agent+ U) _; H+ y" C0 G8 ~! j
5 o0 r9 o- a/ t" d7 G1 E. X
验证服务操作1.提供管理项目凭据。 2.验证代理的存在和操作: [backcolor=rgb(245, 245, 245) !important][url=][/url]9 V, U' T" u4 \& K' x3 C
$ neutron agent-list+--------------------------------------+--------------------+----------+-------+----------------+---------------------------+| id | agent_type | host | alive | admin_state_up | binary |+--------------------------------------+--------------------+----------+-------+----------------+---------------------------+| 0bfe5b5d-0b82-434e-b8a0-524cc18da3a4 | DHCP agent | network1 | :-) | True | neutron-dhcp-agent || 25224bd5-0905-4ec9-9f2d-3b17cdaf5650 | Open vSwitch agent | compute2 | :-) | True | neutron-openvswitch-agent || 29afe014-273d-42f3-ad71-8a226e40dea6 | L3 agent | network1 | :-) | True | neutron-l3-agent || 3bed5093-e46c-4b0f-9460-3309c62254a3 | DHCP agent | network2 | :-) | True | neutron-dhcp-agent || 54aefb1c-35f7-4ebf-a848-3bb4fe81dcf7 | Open vSwitch agent | network1 | :-) | True | neutron-openvswitch-agent || 91c9cc03-1678-4d7a-b0a7-fa1ac24e5516 | Open vSwitch agent | compute1 | :-) | True | neutron-openvswitch-agent || ac7b3f77-7e4d-47a6-9dbd-3358cfb67b61 | Open vSwitch agent | network2 | :-) | True | neutron-openvswitch-agent || ceef5c49-3148-4c39-9e15-4985fc995113 | Metadata agent | network1 | :-) | True | neutron-metadata-agent || d27ac19b-fb4d-4fec-b81d-e8c65557b6ec | L3 agent | network2 | :-) | True | neutron-l3-agent || f072a1ec-f842-4223-a6b6-ec725419be85 | Metadata agent | network2 | :-) | True | neutron-metadata-agent |+--------------------------------------+--------------------+----------+-------+----------------+---------------------------+[backcolor=rgb(245, 245, 245) !important][url=][/url]1 C% K! _& Z0 H' k( }
^6 p) l" e, r
8 P- g; }0 b$ f5 \
创建初始网络
) {4 O# u1 e8 p; \/ D$ K3 l$ J% a- |这个示例创建了一个flat外部网络和一个VXLAN项目网络。
2 @- @' ?) B6 {* ^' x, i( r/ m+ { M' m. f" S) m
1.提供管理项目凭据。" e; s! C* B: Y! S5 a( g3 W. X
# j0 X" t# J) B" h2.创建外部网络:
( c' h0 P3 l/ a# V3 \[backcolor=rgb(245, 245, 245) !important][url=][/url]
: y+ i1 ?6 l( z' D6 E7 E$ neutron net-create ext-net --router:external True \ --provider:physical_network external --provider:network_type flatCreated a new network:+---------------------------+--------------------------------------+| Field | Value |+---------------------------+--------------------------------------+| admin_state_up | True || id | 5266fcbc-d429-4b21-8544-6170d1691826 || name | ext-net || provider:network_type | flat || provider:physical_network | external || provider:segmentation_id | || router:external | True || shared | False || status | ACTIVE || subnets | || tenant_id | 96393622940e47728b6dcdb2ef405f50 |+---------------------------+--------------------------------------+[backcolor=rgb(245, 245, 245) !important][url=][/url]* h5 t, e( R; ?# b
3 {( A h4 {- i& G' r# N
( X' {. ^9 ~+ q( B3.在外部网络上创建子网: 8 e* j* ]; G4 o% Z" t$ n
[backcolor=rgb(245, 245, 245) !important][url=][/url]
3 O& q3 U9 e/ _$ neutron subnet-create ext-net 203.0.113.0/24 --name ext-subnet \ --allocation-pool start=203.0.113.101,end=203.0.113.200 \ --disable-dhcp --gateway 203.0.113.1Created a new subnet:+-------------------+----------------------------------------------------+| Field | Value |+-------------------+----------------------------------------------------+| allocation_pools | {"start": "203.0.113.101", "end": "203.0.113.200"} || cidr | 203.0.113.0/24 || dns_nameservers | || enable_dhcp | False || gateway_ip | 203.0.113.1 || host_routes | || id | b32e0efc-8cc3-43ff-9899-873b94df0db1 || ip_version | 4 || ipv6_address_mode | || ipv6_ra_mode | || name | ext-subnet || network_id | 5266fcbc-d429-4b21-8544-6170d1691826 || tenant_id | 96393622940e47728b6dcdb2ef405f50 |+-------------------+----------------------------------------------------+[backcolor=rgb(245, 245, 245) !important][url=][/url]
" N5 ^) r9 ]% J3 A* Q7 \* L; L$ W. {; B' m2 D
+ l- j1 g1 P6 V. {5 L* `! s' q请注意:
- ?6 P+ k/ C( Z' t' ^$ e
! l2 g* j( e: b! s- s% Q7 y+ q( v 示例配置包含vlan作为第一个项目网络类型。只有管理用户才能创建其他类型的网络,比如GRE或VXLAN。下面的命令使用admin项目凭证创建一个VXLAN项目网络。( l) g% J! u* o& [6 _$ @
% _' W4 W# H+ V& u" z$ K
1.获得常规项目的ID。例如使用demo项目: ) i7 j- _* w7 C; O- P z# i4 J
[backcolor=rgb(245, 245, 245) !important][url=][/url]
: ] |3 k2 _3 Q0 A" e3 t- y$ openstack project show demo+-------------+----------------------------------+| Field | Value |+-------------+----------------------------------+| description | Demo Tenant || enabled | True || id | 443cd1596b2e46d49965750771ebbfe1 || name | demo |+-------------+----------------------------------+[backcolor=rgb(245, 245, 245) !important][url=][/url]4 {; C3 N) P8 l8 Q$ ^7 F* V
& s- n5 f1 r" V! z
) R2 v- o% `! H7 a9 K2.创建项目网络:
9 u5 g! k6 Y% t[backcolor=rgb(245, 245, 245) !important][url=][/url]. ]# k; O; v4 C& M! T6 C k
$ neutron net-create demo-net \ --tenant-id 443cd1596b2e46d49965750771ebbfe1 \ --provider:network_type vxlanCreated a new network:+---------------------------+--------------------------------------+| Field | Value |+---------------------------+--------------------------------------+| admin_state_up | True || id | 7ac9a268-1ddd-453f-857b-0fd9552b645f || name | demo-net || provider:network_type | vxlan || provider:physical_network | || provider:segmentation_id | 1 || router:external | False || shared | False || status | ACTIVE || subnets | || tenant_id | 443cd1596b2e46d49965750771ebbfe1 |+---------------------------+--------------------------------------+[backcolor=rgb(245, 245, 245) !important][url=][/url]/ m7 K+ E/ z% X" \4 R
' y) l) g$ H r7 v5 p' \7 \' b! Z" E0 `$ }3 _% `) `7 F
6 M% U, O; N9 |3 q* T3.提供常规项目凭证。下面的步骤使用demo项目。 4.在项目网络上创建子网: ! j" k8 z) Y+ L: C% d0 I A3 q
[backcolor=rgb(245, 245, 245) !important][url=][/url]
$ y# f# k& O/ V" Y# f, f$ neutron subnet-create demo-net 192.168.1.0/24 --name demo-subnet \ --gateway 192.168.1.1Created a new subnet:+-------------------+--------------------------------------------------+| Field | Value |+-------------------+--------------------------------------------------+| allocation_pools | {"start": "192.168.1.2", "end": "192.168.1.254"} || cidr | 192.168.1.0/24 || dns_nameservers | || enable_dhcp | True || gateway_ip | 192.168.1.1 || host_routes | || id | 2945790c-5999-4693-b8e7-50a9fc7f46f5 || ip_version | 4 || ipv6_address_mode | || ipv6_ra_mode | || name | demo-subnet || network_id | 7ac9a268-1ddd-453f-857b-0fd9552b645f || tenant_id | 443cd1596b2e46d49965750771ebbfe1 |+-------------------+--------------------------------------------------+[backcolor=rgb(245, 245, 245) !important][url=][/url]
2 j9 R4 A: }( e& N1 k; u" Y O2 U4 \# c
, i8 t' Y( S7 L# Y$ i1 r' ^: B' z5 e' s6 {. g
5.创建一个项目路由器:
: o/ m% m4 y7 I% @6 \3 b O+ V% k[backcolor=rgb(245, 245, 245) !important][url=][/url]
$ l7 B- j. F# E$ neutron router-create demo-routerCreated a new router:+-----------------------+--------------------------------------+| Field | Value |+-----------------------+--------------------------------------+| admin_state_up | True || distributed | False || external_gateway_info | || ha | True || id | 7a46dba8-8846-498c-9e10-588664558473 || name | demo-router || routes | || status | ACTIVE || tenant_id | 443cd1596b2e46d49965750771ebbfe1 |+-----------------------+--------------------------------------+[backcolor=rgb(245, 245, 245) !important][url=][/url]
. f* `* J' {2 l2 o% A1 O6 P3 K5 F a6 G/ D
7 ~+ z: R+ E7 C+ B# A F注意:默认policy.json文件只允许管理项目在路由器创建期间启用/禁用HA,并查看路由器的HA标志。
+ x) n! _! _9 W1 r! i- ?6.在路由器上添加项目子网作为接口: $ neutron router-interface-add demo-router demo-subnetAdded interface 8de3e172-5317-4c87-bdc1-f69e359de92e to router demo-router.
3 \5 G& b9 ?- x* u; w4 B1 M1 Q; Z- } E6 t$ H. L4 M# g. y7 e2 P( k+ a
7.在路由器上添加一个通向外部网络的网关: ( Z/ w4 ^5 A$ ]0 g" g! Q
$ neutron router-gateway-set demo-router ext-netSet gateway for router demo-router7 W1 X6 c! b( X' }; Q
$ @1 }4 p; L4 W3 U0 u# M$ }9 k, ^
验证网络操作- R& P2 I: w1 L: U2 p' U
1.提供管理项目凭据。
+ P" m. y% S) g5 ], \3 i& q5 I* Y4 [* u( g3 k; s0 x
2.在控制器节点上,验证HA网络的创建: [backcolor=rgb(245, 245, 245) !important][url=][/url]3 t$ F% q0 B% g! o7 e- w3 |8 Q
$ neutron net-list+--------------------------------------+----------------------------------------------------+-------------------------------------------------------+| id | name | subnets |+--------------------------------------+----------------------------------------------------+-------------------------------------------------------+| 5266fcbc-d429-4b21-8544-6170d1691826 | ext-net | b32e0efc-8cc3-43ff-9899-873b94df0db1 203.0.113.0/24 || e029b568-0fd7-4d10-bb16-f9e014811d10 | HA network tenant 443cd1596b2e46d49965750771ebbfe1 | ee30083f-eb4c-41ea-8937-1bae65740af4 169.254.192.0/18 || 7ac9a268-1ddd-453f-857b-0fd9552b645f | demo-net | 2945790c-5999-4693-b8e7-50a9fc7f46f5 192.168.1.0/24 |+--------------------------------------+----------------------------------------------------+-------------------------------------------------------+[backcolor=rgb(245, 245, 245) !important][url=][/url], G, W, q* g7 @" S4 Q6 t
+ X/ s$ ^6 y r0 _% s, S! _: I
$ B1 r( p& G5 M8 p: h- r4 q3.在控制器节点上,在多个网络节点上验证路由器的创建:
, |0 C( \+ T: O2 W& A[backcolor=rgb(245, 245, 245) !important][url=][/url]
" X+ e, F4 |/ q( q4 c1 K6 ]7 @- O$ neutron l3-agent-list-hosting-router demo-router+--------------------------------------+----------+----------------+-------+----------+| id | host | admin_state_up | alive | ha_state |+--------------------------------------+----------+----------------+-------+----------+| 29afe014-273d-42f3-ad71-8a226e40dea6 | network1 | True | :-) | active || d27ac19b-fb4d-4fec-b81d-e8c65557b6ec | network2 | True | :-) | standby |+--------------------------------------+----------+----------------+-------+----------+[backcolor=rgb(245, 245, 245) !important][url=][/url]6 j4 I# m* o+ v0 U' d
) J* W1 @+ X( h9 G/ ?
/ y5 B; W9 @, q! ~注意:老版本的python - neutronclient不支持ha_state字段。
2 ^; J# r& J% B4.在控制器节点上,在demo - router路由器上验证HA端口的创建: [backcolor=rgb(245, 245, 245) !important][url=][/url]
8 Y5 K8 D: y2 G$ D4 T1 H, l" Q% B1 A$ neutron router-port-list demo-router+--------------------------------------+-------------------------------------------------+-------------------+----------------------------------------------------------------------------------------+| id | name | mac_address | fixed_ips |+--------------------------------------+-------------------------------------------------+-------------------+----------------------------------------------------------------------------------------+| 255d2e4b-33ba-4166-a13f-6531122641fe | HA port tenant 443cd1596b2e46d49965750771ebbfe1 | fa:16:3e:25:05:d7 | {"subnet_id": "8e8e4c7d-fa38-417d-a4e3-03ee5ab5493c", "ip_address": "169.254.192.1"} || 374587d7-2acd-4156-8993-4294f788b55e | | fa:16:3e:82:a0:59 | {"subnet_id": "b32e0efc-8cc3-43ff-9899-873b94df0db1", "ip_address": "203.0.113.101"} || 8de3e172-5317-4c87-bdc1-f69e359de92e | | fa:16:3e:10:9f:f6 | {"subnet_id": "2945790c-5999-4693-b8e7-50a9fc7f46f5", "ip_address": "192.168.1.1"} || 90d1a59f-b122-459d-a94a-162a104de629 | HA port tenant 443cd1596b2e46d49965750771ebbfe1 | fa:16:3e:ae:3b:22 | {"subnet_id": "8e8e4c7d-fa38-417d-a4e3-03ee5ab5493c", "ip_address": "169.254.192.2"} |+--------------------------------------+-------------------------------------------------+-------------------+----------------------------------------------------------------------------------------+[backcolor=rgb(245, 245, 245) !important][url=][/url]% W, I& ]1 Y4 h ~: d
- j5 V4 T! X0 S( i7 j g" y- R3 b# G8 @+ }
( I/ |0 {+ l0 |( K5.在网络节点上,验证qrouter和qdhcp名称空间的创建:
Q( M3 [- D# d" C, h _+ i[backcolor=rgb(245, 245, 245) !important][url=][/url]( ? Q5 j c* a& O5 f6 I* O3 {
网络节点1:$ ip netnsqrouter-7a46dba8-8846-498c-9e10-588664558473网络节点2:$ ip netnsqrouter-7a46dba8-8846-498c-9e10-588664558473[backcolor=rgb(245, 245, 245) !important][url=][/url]
& c) `- [& @. g. H0 D% \$ Z5 p2 _% n
两个qrouter名称空间都应该使用相同的UUID。
! B! @/ Z! Q$ s8 t6 v1 o请注意/ j1 P$ L) B0 [$ {6 E* h
; G U5 K" F( @5 g' Z4 g2 o" x
在启动实例之前,qdhcp名称空间可能不存在。
. l3 r( v* A" \& }- y5 W6 d5 D8 z
6.在网络节点上,验证HA操作: 网络节点1:[backcolor=rgb(245, 245, 245) !important][url=][/url]" r9 I4 P4 x* `7 }% H0 q
网络节点1:$ ip netns exec qrouter-7a46dba8-8846-498c-9e10-588664558473 ip addr show11: ha-255d2e4b-33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default link/ether fa:16:3e:25:05:d7 brd ff:ff:ff:ff:ff:ff inet 169.254.192.1/18 brd 169.254.255.255 scope global ha-255d2e4b-33 valid_lft forever preferred_lft forever inet6 fe80::f816:3eff:fe25:5d7/64 scope link valid_lft forever preferred_lft forever12: qr-8de3e172-53: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default link/ether fa:16:3e:10:9f:f6 brd ff:ff:ff:ff:ff:ff inet 192.168.1.1/24 scope global qr-8de3e172-53 valid_lft forever preferred_lft forever inet6 fe80::f816:3eff:fe10:9ff6/64 scope link valid_lft forever preferred_lft forever13: qg-374587d7-2a: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default link/ether fa:16:3e:82:a0:59 brd ff:ff:ff:ff:ff:ff inet 203.0.113.101/24 scope global qg-374587d7-2a valid_lft forever preferred_lft forever inet6 fe80::f816:3eff:fe82:a059/64 scope link valid_lft forever preferred_lft forever[backcolor=rgb(245, 245, 245) !important][url=][/url]
# H8 @6 A4 K, M: y$ m$ M% y P9 h/ |% S/ r3 O
9 n0 e! g8 A, h' ~网络节点2: x3 {( j* S/ u# G
[backcolor=rgb(245, 245, 245) !important][url=][/url]
; {1 z. O& K( y% m' k. |$ ]. a$ ip netns exec qrouter-7a46dba8-8846-498c-9e10-588664558473 ip addr show11: ha-90d1a59f-b1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default link/ether fa:16:3e:ae:3b:22 brd ff:ff:ff:ff:ff:ff inet 169.254.192.2/18 brd 169.254.255.255 scope global ha-90d1a59f-b1 valid_lft forever preferred_lft forever inet6 fe80::f816:3eff:feae:3b22/64 scope link valid_lft forever preferred_lft forever12: qr-8de3e172-53: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default link/ether fa:16:3e:10:9f:f6 brd ff:ff:ff:ff:ff:ff inet6 fe80::f816:3eff:fe10:9ff6/64 scope link valid_lft forever preferred_lft forever13: qg-374587d7-2a: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default link/ether fa:16:3e:82:a0:59 brd ff:ff:ff:ff:ff:ff inet6 fe80::f816:3eff:fe82:a059/64 scope link valid_lft forever preferred_lft forever[backcolor=rgb(245, 245, 245) !important][url=][/url], f% ?1 O0 x6 k7 {6 W/ X
8 I" u# X- y$ a5 R
在每个网络节点上,qrouter命名空间应该包括ha、qr和qg接口。在主节点上,qr接口包含项目网络网关IP地址,qg接口包含外部网络上的项目路由器IP地址。在备份节点上,qr和qg接口不应该包含IP地址。在这两个节点上,ha接口应该在169.254.192.0 / 18范围内包含唯一的IP地址。 ' w/ k* a; ~0 o+ b5 K- L
7.在网络节点上,在适当的网络接口上从主节点HA接口IP地址验证VRRP advertisements : + @- U5 S; l9 I* H" [4 w7 E( @
网络节点1: [backcolor=rgb(245, 245, 245) !important][url=][/url]. r6 E- E2 Z) n4 _% ]: k% {
$ tcpdump -lnpi eth116:50:16.857294 IP 169.254.192.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 50, authtype none, intvl 2s, length 2016:50:18.858436 IP 169.254.192.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 50, authtype none, intvl 2s, length 2016:50:20.859677 IP 169.254.192.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 50, authtype none, intvl 2s, length 20[backcolor=rgb(245, 245, 245) !important][url=][/url]
7 g# |, Y& y8 G, n
6 J; J6 ~+ x: G" x
* u- D" A# x: U( L! D. G网络节点2: [backcolor=rgb(245, 245, 245) !important][url=][/url]4 \, j3 W/ u {6 S3 V
$ tcpdump -lnpi eth116:51:44.911640 IP 169.254.192.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 50, authtype none, intvl 2s, length 2016:51:46.912591 IP 169.254.192.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 50, authtype none, intvl 2s, length 2016:51:48.913900 IP 169.254.192.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 50, authtype none, intvl 2s, length 20[backcolor=rgb(245, 245, 245) !important][url=][/url]/ R& s( U0 ~2 P& t
( b' h7 o2 C5 {$ P k4 b9 m
; G$ s' f, m- R5 d+ q! J& w示例输出使用网络接口eth1。 0 K. @9 ~! N* Q2 t; y% b
% {- m1 G, H6 U ` H, b( s8.在路由器上确定项目网络的外部网络网关IP地址,通常是外部子网IP分配范围内的最低IP地址: [backcolor=rgb(245, 245, 245) !important][url=][/url]
6 ~# D) d; p( ~! J$ @$ neutron router-port-list demo-router+--------------------------------------+-------------------------------------------------+-------------------+----------------------------------------------------------------------------------------+| id | name | mac_address | fixed_ips |+--------------------------------------+-------------------------------------------------+-------------------+----------------------------------------------------------------------------------------+| 255d2e4b-33ba-4166-a13f-6531122641fe | HA port tenant 443cd1596b2e46d49965750771ebbfe1 | fa:16:3e:25:05:d7 | {"subnet_id": "8e8e4c7d-fa38-417d-a4e3-03ee5ab5493c", "ip_address": "169.254.192.1"} || 374587d7-2acd-4156-8993-4294f788b55e | | fa:16:3e:82:a0:59 | {"subnet_id": "b32e0efc-8cc3-43ff-9899-873b94df0db1", "ip_address": "203.0.113.101"} || 8de3e172-5317-4c87-bdc1-f69e359de92e | | fa:16:3e:10:9f:f6 | {"subnet_id": "2945790c-5999-4693-b8e7-50a9fc7f46f5", "ip_address": "192.168.1.1"} || 90d1a59f-b122-459d-a94a-162a104de629 | HA port tenant 443cd1596b2e46d49965750771ebbfe1 | fa:16:3e:ae:3b:22 | {"subnet_id": "8e8e4c7d-fa38-417d-a4e3-03ee5ab5493c", "ip_address": "169.254.192.2"} |+--------------------------------------+-------------------------------------------------+-------------------+----------------------------------------------------------------------------------------+[backcolor=rgb(245, 245, 245) !important][url=][/url]
; w8 J n) P. S* t6 l
' q% z$ S9 W& H3 n1 ?& H+ F7 k) @
% u, L; L7 J1 k1 R4 e- k( _
! E7 I7 ~( B) t- i9.在控制器节点或任何有访问外部网络的主机上,在项目路由器上ping外部网络网关IP地址: [backcolor=rgb(245, 245, 245) !important][url=][/url]+ j. m6 {- w& I9 ?. r
$ ping -c 4 203.0.113.101PING 203.0.113.101 (203.0.113.101) 56(84) bytes of data.64 bytes from 203.0.113.101: icmp_req=1 ttl=64 time=0.619 ms64 bytes from 203.0.113.101: icmp_req=2 ttl=64 time=0.189 ms64 bytes from 203.0.113.101: icmp_req=3 ttl=64 time=0.165 ms64 bytes from 203.0.113.101: icmp_req=4 ttl=64 time=0.216 ms--- 203.0.113.101 ping statistics ---4 packets transmitted, 4 received, 0% packet loss, time 2999msrtt min/avg/max/mdev = 0.165/0.297/0.619/0.187 ms[backcolor=rgb(245, 245, 245) !important][url=][/url]
! u8 u' ~! Q( G
/ ?2 h% A5 \; g' ~( C5 ^
7 x) X* \ ?6 x
6 \4 O9 _$ R! ^; ~/ T7 G10.提供常规项目凭证。下面的步骤使用演示项目。
$ P9 L% u: |( k7 j5 R
2 F( o- u" a0 A( x8 m11.创建适当的安全组规则,允许ping和SSH访问实例。例如: [backcolor=rgb(245, 245, 245) !important][url=][/url]
" s# t, w; Y7 j {$ nova secgroup-add-rule default icmp -1 -1 0.0.0.0/0+-------------+-----------+---------+-----------+--------------+| IP Protocol | From Port | To Port | IP Range | Source Group |+-------------+-----------+---------+-----------+--------------+| icmp | -1 | -1 | 0.0.0.0/0 | |+-------------+-----------+---------+-----------+--------------+$ nova secgroup-add-rule default tcp 22 22 0.0.0.0/0+-------------+-----------+---------+-----------+--------------+| IP Protocol | From Port | To Port | IP Range | Source Group |+-------------+-----------+---------+-----------+--------------+| tcp | 22 | 22 | 0.0.0.0/0 | |+-------------+-----------+---------+-----------+--------------+[backcolor=rgb(245, 245, 245) !important][url=][/url]$ D; p( x% p- [- _. }2 e: ?+ ~; y6 Q
9 h1 `6 }; ^ p* C; P; L
; D; U( D3 Z2 O: i' F* t; |! d6 i
12.在项目网络上启动一个具有接口的实例。例如,使用现有的CirrOS镜像: K: c2 J1 q4 m9 N. R9 ~5 C$ q
[backcolor=rgb(245, 245, 245) !important][url=][/url]3 v# ^6 V4 I: z' r# E2 @: `
$ nova boot --flavor m1.tiny --image cirros \ --nic net-id=7ac9a268-1ddd-453f-857b-0fd9552b645f demo-instance1+--------------------------------------+-----------------------------------------------+| Property | Value |+--------------------------------------+-----------------------------------------------+| OS-DCF:diskConfig | MANUAL || OS-EXT-AZ:availability_zone | nova || OS-EXT-STS:power_state | 0 || OS-EXT-STS:task_state | scheduling || OS-EXT-STS:vm_state | building || OS-SRV-USG:launched_at | - || OS-SRV-USG:terminated_at | - || accessIPv4 | || accessIPv6 | || adminPass | Z3uAd2utPUNu || config_drive | || created | 2015-08-10T15:06:24Z || flavor | m1.tiny (1) || hostId | || id | 77149598-c839-400f-b948-db6993f0b40b || image | cirros (125733d9-8d37-4d70-9a64-1c989cfa8e9c) || key_name | || metadata | {} || name | demo-instance1 || os-extended-volumes:volumes_attached | [] || progress | 0 || security_groups | default || status | BUILD || tenant_id | 443cd1596b2e46d49965750771ebbfe1 || updated | 2015-08-10T15:06:25Z || user_id | bdd4e165bdf94b258ddd4856340ed01c |+--------------------------------------+-----------------------------------------------+[backcolor=rgb(245, 245, 245) !important][url=][/url]6 _9 ^) |8 l) r y2 M. s
z" ]9 r# g0 K# a- H2 B1 Q8 R
! l2 K1 U+ {8 L2 O6 j: h13.获得对实例的控制台访问。 [backcolor=rgb(245, 245, 245) !important][url=][/url]
8 [: }5 d2 p, n- A0 ?4 \% F4 [5 V; l3 [, |9 K
1.测试连接到项目路由器:$ ping -c 4 192.168.1.1PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.64 bytes from 192.168.1.1: icmp_req=1 ttl=64 time=0.357 ms64 bytes from 192.168.1.1: icmp_req=2 ttl=64 time=0.473 ms64 bytes from 192.168.1.1: icmp_req=3 ttl=64 time=0.504 ms64 bytes from 192.168.1.1: icmp_req=4 ttl=64 time=0.470 ms--- 192.168.1.1 ping statistics ---4 packets transmitted, 4 received, 0% packet loss, time 2998msrtt min/avg/max/mdev = 0.357/0.451/0.504/0.055 ms2.测试连接到互联网:$ ping -c 4 openstack.orgPING openstack.org (174.143.194.225) 56(84) bytes of data.64 bytes from 174.143.194.225: icmp_req=1 ttl=53 time=17.4 ms64 bytes from 174.143.194.225: icmp_req=2 ttl=53 time=17.5 ms64 bytes from 174.143.194.225: icmp_req=3 ttl=53 time=17.7 ms64 bytes from 174.143.194.225: icmp_req=4 ttl=53 time=17.5 ms--- openstack.org ping statistics ---4 packets transmitted, 4 received, 0% packet loss, time 3003msrtt min/avg/max/mdev = 17.431/17.575/17.734/0.143 ms
1 J! v% [/ `8 y) V1 R( J/ ~6 ?. y[backcolor=rgb(245, 245, 245) !important][url=][/url]' V5 |" i, ]( g [
3 C; e- D" O$ z) F/ f3 j# ]
& }+ h: s! X9 ~ p9 J Y$ r
14.在外部网络上创建浮动IP地址: [backcolor=rgb(245, 245, 245) !important][url=][/url]. {, `3 O7 I+ T
$ neutron floatingip-create ext-netCreated a new floatingip:+---------------------+--------------------------------------+| Field | Value |+---------------------+--------------------------------------+| fixed_ip_address | || floating_ip_address | 203.0.113.102 || floating_network_id | 5266fcbc-d429-4b21-8544-6170d1691826 || id | 20a6b5dd-1c5c-460e-8a81-8b5cf1739307 || port_id | || router_id | || status | DOWN || tenant_id | 443cd1596b2e46d49965750771ebbfe1 |+---------------------+--------------------------------------+[backcolor=rgb(245, 245, 245) !important][url=][/url]
) j3 o: \1 S8 V+ k
/ P% m9 V; L# V' k1 X& x; D- T" c& [) s5 q$ {; q7 s
15.将浮动IP地址与实例关联: $ nova floating-ip-associate demo-instance1 203.0.113.102
P; z4 M- e' r3 T5 x, r4 A9 A0 ] B2 E) i
16.验证添加到实例的浮动IP地址: [backcolor=rgb(245, 245, 245) !important][url=][/url]
/ C4 A2 B6 o; G: m8 b1 s7 x$ S$ nova list+--------------------------------------+----------------+--------+------------+-------------+-----------------------------------------+| ID | Name | Status | Task State | Power State | Networks |+--------------------------------------+----------------+--------+------------+-------------+-----------------------------------------+| 77149598-c839-400f-b948-db6993f0b40b | demo-instance1 | ACTIVE | - | Running | demo-net=192.168.1.3, 203.0.113.102 |+--------------------------------------+----------------+--------+------------+-------------+-----------------------------------------+[backcolor=rgb(245, 245, 245) !important][url=][/url]* G" l# D7 M2 y: j
; U" N1 W8 ~3 x7 d0 b
% v- U3 [) ]$ ]17.在控制器节点或任何访问外部网络的主机上,ping与实例关联的浮动IP地址: ( E ]; f2 r2 n! ~& A2 E3 O
[backcolor=rgb(245, 245, 245) !important][url=][/url]2 {& B$ R/ k9 c6 _' F
$ ping -c 4 203.0.113.102PING 203.0.113.102 (203.0.113.112) 56(84) bytes of data.64 bytes from 203.0.113.102: icmp_req=1 ttl=63 time=3.18 ms64 bytes from 203.0.113.102: icmp_req=2 ttl=63 time=0.981 ms64 bytes from 203.0.113.102: icmp_req=3 ttl=63 time=1.06 ms64 bytes from 203.0.113.102: icmp_req=4 ttl=63 time=0.929 ms--- 203.0.113.102 ping statistics ---4 packets transmitted, 4 received, 0% packet loss, time 3002msrtt min/avg/max/mdev = 0.929/1.539/3.183/0.951 ms
1 {, g# b6 U A' |% P3 Y8 K |
/4 
|返回首页|Archiver|小黑屋|易陆发现技术论坛
( 蜀ICP备2026014127号-1 )
窥视卡
雷达卡
发表于 2021-6-25 11:21:40
$ q, E' a# T0 W6 k: B/ L
) \, U. H1 U* [& F% P
1 {1 q7 Y- H. i% u% p1 E
8 E- q% c! N1 H0 z6 |: [8 \
1 r) y; [8 V8 W9 L& C+ {6 z; |
: m5 s) ~$ o j. p4 m% e4 t2 w
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
照妖镜
楼主