In the previous posts we covered the OpenStack base environment and the installation and configuration of the core services (the identity service Keystone, the image service Glance, the compute service Nova and the network service Neutron); see those posts for a refresher. Today we launch a virtual machine instance on the services configured so far.

Launching an instance in OpenStack usually goes through these steps. First, a user logs in to OpenStack in order to create the instance; this step is handled by Keystone, which authenticates the user and returns a token. If Keystone accepts the login, the user can perform the corresponding operations on OpenStack; otherwise not. Second, once the user has authenticated against Keystone and holds its token, they can create the instance. Before doing so they must choose which template (flavor) to build it from, which image to install the system from, which network to attach, which security group policy to apply, and so on; all of these must be created in advance. Once the necessary components are chosen, the user sends the create request to the OpenStack control node, the services on the control node call one another, and finally an instance is created. One point deserves emphasis: creating an instance in OpenStack is not like creating a VM with the kvm/qemu tools, where you specify the virtual CPUs, memory, disks and so on directly; in OpenStack the base resources of an instance are defined by a template, whose technical name is a flavor. With the overall process in mind, let's run an instance on the environment configured earlier.
1. Create a flavor
On the controller node, source the admin environment variables and create a flavor:
[root@node01 ~]# source admin.sh
[root@node01 ~]# openstack flavor create --id 0 --vcpus 1 --ram 64 --disk 1 m1.nano
+----------------------------+---------+
| Field                      | Value   |
+----------------------------+---------+
| OS-FLV-DISABLED:disabled   | False   |
| OS-FLV-EXT-DATA:ephemeral  | 0       |
| disk                       | 1       |
| id                         | 0       |
| name                       | m1.nano |
| os-flavor-access:is_public | True    |
| properties                 |         |
| ram                        | 64      |
| rxtx_factor                | 1.0     |
| swap                       |         |
| vcpus                      | 1       |
+----------------------------+---------+
[root@node01 ~]#
Source the demo user's environment variables and create a keypair:
[root@node01 ~]# source demo.sh
[root@node01 ~]# ssh-keygen -q -N ""
Enter file in which to save the key (/root/.ssh/id_rsa):
/root/.ssh/id_rsa already exists.
Overwrite (y/n)? y
[root@node01 ~]# openstack keypair create --public-key ~/.ssh/id_rsa.pub demo_key
+-------------+-------------------------------------------------+
| Field       | Value                                           |
+-------------+-------------------------------------------------+
| fingerprint | ed:28:2f:00:14:3d:f0:80:6d:0a:0c:ca:41:60:f9:e1 |
| name        | demo_key                                        |
| user_id     | 5453d68782a34429a7dab7da9c51f0d9                |
+-------------+-------------------------------------------------+
[root@node01 ~]#
List the security groups:
[root@node01 ~]# openstack security group list
+--------------------------------------+---------+------------------------+----------------------------------+------+
| ID                                   | Name    | Description            | Project                          | Tags |
+--------------------------------------+---------+------------------------+----------------------------------+------+
| 06b13f55-8beb-48d4-9994-490acc5488cf | default | Default security group | 1a918887f38a42c28f9d0d3774f34b16 | []   |
+--------------------------------------+---------+------------------------+----------------------------------+------+
[root@node01 ~]#
View the rules in the default security group:
[root@node01 ~]# openstack security group rule list
+--------------------------------------+-------------+----------+------------+--------------------------------------+--------------------------------------+
| ID                                   | IP Protocol | IP Range | Port Range | Remote Security Group                | Security Group                       |
+--------------------------------------+-------------+----------+------------+--------------------------------------+--------------------------------------+
| 361377d6-c836-416f-a00b-245d4f62baf2 | None        | None     |            | 06b13f55-8beb-48d4-9994-490acc5488cf | 06b13f55-8beb-48d4-9994-490acc5488cf |
| 65618465-214b-49ae-8516-888380a0475c | None        | None     |            | 06b13f55-8beb-48d4-9994-490acc5488cf | 06b13f55-8beb-48d4-9994-490acc5488cf |
| 72796899-293a-40fc-ba1a-4d67f0009af9 | None        | None     |            | None                                 | 06b13f55-8beb-48d4-9994-490acc5488cf |
| 870614db-372d-4f10-8b81-71b473f586ad | None        | None     |            | None                                 | 06b13f55-8beb-48d4-9994-490acc5488cf |
+--------------------------------------+-------------+----------+------------+--------------------------------------+--------------------------------------+
[root@node01 ~]#
Note: a security group in OpenStack can be thought of as a virtual firewall, and the rules inside it as iptables rules. The rule list of the default security group above shows that, by default, no external IP is allowed to connect to the instances inside it on any protocol. That obviously does not meet our needs; at the very least the SSH port should be opened.
Add a rule that opens the SSH port to the default security group:
[root@node01 ~]# openstack security group rule create --proto tcp --dst-port 22 default
+-------------------+--------------------------------------+
| Field             | Value                                |
+-------------------+--------------------------------------+
| created_at        | 2020-10-31T09:12:25Z                 |
| description       |                                      |
| direction         | ingress                              |
| ether_type        | IPv4                                 |
| id                | 703d962b-7321-4103-be77-4f1383f6d97d |
| name              | None                                 |
| port_range_max    | 22                                   |
| port_range_min    | 22                                   |
| project_id        | 1a918887f38a42c28f9d0d3774f34b16     |
| protocol          | tcp                                  |
| remote_group_id   | None                                 |
| remote_ip_prefix  | 0.0.0.0/0                            |
| revision_number   | 0                                    |
| security_group_id | 06b13f55-8beb-48d4-9994-490acc5488cf |
| updated_at        | 2020-10-31T09:12:25Z                 |
+-------------------+--------------------------------------+
[root@node01 ~]#
Note: the security group rule here is still created with the demo user's environment variables.
Add a rule that allows ICMP to the default security group:
[root@node01 ~]# openstack security group rule create --proto icmp default
+-------------------+--------------------------------------+
| Field             | Value                                |
+-------------------+--------------------------------------+
| created_at        | 2020-10-31T09:14:29Z                 |
| description       |                                      |
| direction         | ingress                              |
| ether_type        | IPv4                                 |
| id                | f00b068c-fe94-4aa5-af81-83e6d94c6ec4 |
| name              | None                                 |
| port_range_max    | None                                 |
| port_range_min    | None                                 |
| project_id        | 1a918887f38a42c28f9d0d3774f34b16     |
| protocol          | icmp                                 |
| remote_group_id   | None                                 |
| remote_ip_prefix  | 0.0.0.0/0                            |
| revision_number   | 0                                    |
| security_group_id | 06b13f55-8beb-48d4-9994-490acc5488cf |
| updated_at        | 2020-10-31T09:14:29Z                 |
+-------------------+--------------------------------------+
[root@node01 ~]#
Note: this step is not mandatory; ICMP is added to the default security group here only to make the later tests easier.
Verify: view the rules of the default security group again and confirm that the rules we added are present:
[root@node01 ~]# openstack security group rule list
+--------------------------------------+-------------+-----------+------------+--------------------------------------+--------------------------------------+
| ID                                   | IP Protocol | IP Range  | Port Range | Remote Security Group                | Security Group                       |
+--------------------------------------+-------------+-----------+------------+--------------------------------------+--------------------------------------+
| 361377d6-c836-416f-a00b-245d4f62baf2 | None        | None      |            | 06b13f55-8beb-48d4-9994-490acc5488cf | 06b13f55-8beb-48d4-9994-490acc5488cf |
| 65618465-214b-49ae-8516-888380a0475c | None        | None      |            | 06b13f55-8beb-48d4-9994-490acc5488cf | 06b13f55-8beb-48d4-9994-490acc5488cf |
| 703d962b-7321-4103-be77-4f1383f6d97d | tcp         | 0.0.0.0/0 | 22:22      | None                                 | 06b13f55-8beb-48d4-9994-490acc5488cf |
| 72796899-293a-40fc-ba1a-4d67f0009af9 | None        | None      |            | None                                 | 06b13f55-8beb-48d4-9994-490acc5488cf |
| 870614db-372d-4f10-8b81-71b473f586ad | None        | None      |            | None                                 | 06b13f55-8beb-48d4-9994-490acc5488cf |
| f00b068c-fe94-4aa5-af81-83e6d94c6ec4 | icmp        | 0.0.0.0/0 |            | None                                 | 06b13f55-8beb-48d4-9994-490acc5488cf |
+--------------------------------------+-------------+-----------+------------+--------------------------------------+--------------------------------------+
[root@node01 ~]#
Note: the default security group now has two more rules.
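Both rules just added carry remote_ip_prefix 0.0.0.0/0, so they admit SSH and ICMP from any source address. The script below is an added example and is not part of the original post: it reads the CSV that `openstack security group rule list -f csv` prints (the standard openstackclient output formatter) and lists the rules that are open to the whole Internet, so over-broad ingress can be spotted at a glance. The rows are a constructed sample mirroring the six rules of the default group shown above, with the IDs shortened.

```shell
#!/bin/sh
# Added example, not from the original post: audit security group rules for
# ingress that is open to any source (0.0.0.0/0 or ::/0).
# Input format: `openstack security group rule list -f csv`, with the same
# columns as the post's table:
#   ID, IP Protocol, IP Range, Port Range, Remote Security Group, Security Group

# Constructed sample of the default group's six rules (IDs shortened).
sample_rules() {
cat <<'EOF'
"ID","IP Protocol","IP Range","Port Range","Remote Security Group","Security Group"
"361377d6","None","None","","06b13f55","06b13f55"
"65618465","None","None","","06b13f55","06b13f55"
"703d962b","tcp","0.0.0.0/0","22:22","None","06b13f55"
"72796899","None","None","","None","06b13f55"
"870614db","None","None","","None","06b13f55"
"f00b068c","icmp","0.0.0.0/0","","None","06b13f55"
EOF
}

# open_rules: reads CSV rows on stdin (header skipped), prints "id:proto:ports"
# for every rule whose IP Range is the whole IPv4 or IPv6 address space.
open_rules() {
    tail -n +2 | tr -d '"' | awk -F, '
        $3 == "0.0.0.0/0" || $3 == "::/0" { print $1 ":" $2 ":" $4 }'
}

# count_open_rules: number of world-open rules in the sample.
count_open_rules() {
    sample_rules | open_rules | wc -l | tr -d ' '
}

# ssh_world_open: exit 0 when tcp/22 is reachable from any address.
ssh_world_open() {
    sample_rules | open_rules | grep -q ':tcp:22:22$'
}

# Stand-alone run: print the world-open rules of the sample.
sample_rules | open_rules
```

On a live controller, replace `sample_rules` with `openstack security group rule list -f csv default`. If SSH only needs to be reachable from a management range, create the rule with `--remote-ip <cidr>` (for example the 192.168.0.0/24 provider subnet used in this post) instead of accepting the 0.0.0.0/0 default, and the audit above will no longer list it.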
2. Launch an instance on a provider network
On the controller node, source the demo user's environment variables and verify that a flavor is available:
[root@node01 ~]# source demo.sh
[root@node01 ~]# openstack flavor list
+----+---------+-----+------+-----------+-------+-----------+
| ID | Name    | RAM | Disk | Ephemeral | VCPUs | Is Public |
+----+---------+-----+------+-----------+-------+-----------+
| 0  | m1.nano |  64 |    1 |         0 |     1 | True      |
+----+---------+-----+------+-----------+-------+-----------+
[root@node01 ~]#
Verify that an image is available:
[root@node01 ~]# openstack image list
+--------------------------------------+--------+--------+
| ID                                   | Name   | Status |
+--------------------------------------+--------+--------+
| 94dd2ba0-1736-4307-865d-7cb86b85d32e | cirros | active |
+--------------------------------------+--------+--------+
[root@node01 ~]#
Verify that a security group exists:
[root@node01 ~]# openstack security group list
+--------------------------------------+---------+------------------------+----------------------------------+------+
| ID                                   | Name    | Description            | Project                          | Tags |
+--------------------------------------+---------+------------------------+----------------------------------+------+
| 06b13f55-8beb-48d4-9994-490acc5488cf | default | Default security group | 1a918887f38a42c28f9d0d3774f34b16 | []   |
+--------------------------------------+---------+------------------------+----------------------------------+------+
[root@node01 ~]#
Verify whether a network is available:
[root@node01 ~]# openstack network list
[root@node01 ~]#
Note: the output is empty, meaning no network is available yet.
Create the provider network
On the controller node, source the admin user's environment variables and create the provider network:
[root@node01 ~]# source admin.sh
[root@node01 ~]# openstack network create --share --external \
> --provider-physical-network provider \
> --provider-network-type flat provider-net
+---------------------------+--------------------------------------+
| Field                     | Value                                |
+---------------------------+--------------------------------------+
| admin_state_up            | UP                                   |
| availability_zone_hints   |                                      |
| availability_zones        |                                      |
| created_at                | 2020-10-31T09:27:26Z                 |
| description               |                                      |
| dns_domain                | None                                 |
| id                        | d4732915-a968-499d-b34b-00a6fa4c401d |
| ipv4_address_scope        | None                                 |
| ipv6_address_scope        | None                                 |
| is_default                | False                                |
| is_vlan_transparent       | None                                 |
| mtu                       | 1500                                 |
| name                      | provider-net                         |
| port_security_enabled     | True                                 |
| project_id                | b4e56eeb160948c581e98d685133d19a     |
| provider:network_type     | flat                                 |
| provider:physical_network | provider                             |
| provider:segmentation_id  | None                                 |
| qos_policy_id             | None                                 |
| revision_number           | 1                                    |
| router:external           | External                             |
| segments                  | None                                 |
| shared                    | True                                 |
| status                    | ACTIVE                               |
| subnets                   |                                      |
| tags                      |                                      |
| updated_at                | 2020-10-31T09:27:26Z                 |
+---------------------------+--------------------------------------+
[root@node01 ~]#
Note: --share creates a shared network (a bridged network); --external creates an external network (to create an internal network, use --internal instead); --provider-network-type flat makes the network type a flat network; finally the network is named provider-net. One thing to watch: the value of --provider-physical-network must match the value of flat_networks in the [ml2_type_flat] section of ml2_conf.ini that we set when configuring the Neutron service, as shown below.
Note: the value of flat_networks in the [ml2_type_flat] section of /etc/neutron/plugins/ml2/ml2_conf.ini must in turn match the provider name in physical_interface_mappings in the [linux_bridge] section of /etc/neutron/plugins/ml2/linuxbridge_agent.ini, as shown below.
Note: the marked parts of both configuration files above must match the value given to the --provider-physical-network option when creating the network here.
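The three notes above describe one consistency requirement across two files and one CLI option, and a mismatch only shows up later as an instance that never gets connectivity. The script below is an added example, not part of the original post: it reads the two values out of the ini files and checks them against the physical network name you intend to pass to `openstack network create`. The two configuration files it writes are constructed samples that follow the layout the post describes; the interface name ens33 and the VNI range are made up for the sample, and on a real controller you would point the functions at /etc/neutron/plugins/ml2/ml2_conf.ini and /etc/neutron/plugins/ml2/linuxbridge_agent.ini instead.

```shell
#!/bin/sh
# Added example, not from the original post: verify that the physical-network
# label agrees in the three places the post says must match:
#   [ml2_type_flat] flat_networks              in ml2_conf.ini
#   [linux_bridge] physical_interface_mappings in linuxbridge_agent.ini
#   --provider-physical-network                passed to `openstack network create`

# ini_value FILE SECTION KEY: print the value of KEY inside [SECTION].
ini_value() {
    awk -F= -v sec="[$2]" -v key="$3" '
        /^\[/ { insec = ($0 == sec); next }
        insec && $1 ~ ("^[ \t]*" key "[ \t]*$") {
            v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }' "$1"
}

# in_list NEEDLE CSV: succeed when NEEDLE is an element of the comma list,
# or when the list is "*" (flat_networks accepts "*" to mean any physnet).
in_list() {
    [ "$2" = "*" ] && return 0
    printf '%s\n' "$2" | tr ',' '\n' | grep -qx "$1"
}

# physnet_consistent ML2_CONF AGENT_CONF PHYSNET: succeed only when PHYSNET
# is allowed by flat_networks and has a bridge mapping in the agent config.
physnet_consistent() {
    flat=$(ini_value "$1" ml2_type_flat flat_networks)
    mapping=$(ini_value "$2" linux_bridge physical_interface_mappings)
    in_list "$3" "$flat" || return 1
    # physical_interface_mappings looks like "physnet:iface[,physnet2:iface2]"
    printf '%s\n' "$mapping" | tr ',' '\n' | cut -d: -f1 | grep -qx "$3"
}

# write_samples DIR: constructed sample files (ens33 and the VNI range are
# made-up values; the keys are the ones the post refers to).
write_samples() {
cat > "$1/ml2_conf.ini" <<'EOF'
[ml2]
type_drivers = flat,vlan,vxlan
tenant_network_types = vxlan
[ml2_type_flat]
flat_networks = provider
[ml2_type_vxlan]
vni_ranges = 1:1000
EOF
cat > "$1/linuxbridge_agent.ini" <<'EOF'
[linux_bridge]
physical_interface_mappings = provider:ens33
[vxlan]
enable_vxlan = true
EOF
# A deliberately mismatched copy to show the failure mode.
cat > "$1/ml2_conf_bad.ini" <<'EOF'
[ml2_type_flat]
flat_networks = physnet1
EOF
}

# Stand-alone run: build the samples and report, as the check would before
# running `openstack network create --provider-physical-network provider`.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
if physnet_consistent "$demo_dir/ml2_conf.ini" "$demo_dir/linuxbridge_agent.ini" provider; then
    echo "physnet 'provider' is consistent across ml2_conf.ini, linuxbridge_agent.ini and the CLI"
else
    echo "MISMATCH: check flat_networks, physical_interface_mappings and --provider-physical-network"
fi
rm -rf "$demo_dir"
```

Run the check on the controller before creating the network; if it reports a mismatch, fix the ini files and restart the Neutron server and the linuxbridge agent, since a flat network whose physnet has no bridge mapping is accepted by the API but never gets traffic.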
Create a subnet
[root@node01 ~]# openstack subnet create --network provider-net \
> --allocation-pool start=192.168.0.100,end=192.168.0.150 \
> --dns-nameserver 61.139.2.69 --gateway 192.168.0.1 \
> --subnet-range 192.168.0.0/24 provider-net-sub
+-------------------+--------------------------------------+
| Field             | Value                                |
+-------------------+--------------------------------------+
| allocation_pools  | 192.168.0.100-192.168.0.150          |
| cidr              | 192.168.0.0/24                       |
| created_at        | 2020-10-31T09:48:35Z                 |
| description       |                                      |
| dns_nameservers   | 61.139.2.69                          |
| enable_dhcp       | True                                 |
| gateway_ip        | 192.168.0.1                          |
| host_routes       |                                      |
| id                | 08341b97-47d0-4c81-bb04-385f36c6b609 |
| ip_version        | 4                                    |
| ipv6_address_mode | None                                 |
| ipv6_ra_mode      | None                                 |
| name              | provider-net-sub                     |
| network_id        | d4732915-a968-499d-b34b-00a6fa4c401d |
| project_id        | b4e56eeb160948c581e98d685133d19a     |
| revision_number   | 0                                    |
| segment_id        | None                                 |
| service_types     |                                      |
| subnetpool_id     | None                                 |
| tags              |                                      |
| updated_at        | 2020-10-31T09:48:35Z                 |
+-------------------+--------------------------------------+
[root@node01 ~]#
Note: --network specifies which network the subnet is created on, and the name must match the one given when the network was created. One point to explain: a provider network is bridged onto the physical NIC, so the subnet here has to be carved out of your physical network's address range.
Verify: source the demo environment variables and check whether the demo user now has a usable network:
[root@node01 ~]# source demo.sh
[root@node01 ~]# openstack network list
+--------------------------------------+--------------+--------------------------------------+
| ID                                   | Name         | Subnets                              |
+--------------------------------------+--------------+--------------------------------------+
| d4732915-a968-499d-b34b-00a6fa4c401d | provider-net | 08341b97-47d0-4c81-bb04-385f36c6b609 |
+--------------------------------------+--------------+--------------------------------------+
[root@node01 ~]#
Create the instance
[root@node01 ~]# openstack server create --flavor m1.nano --image cirros \
> --nic net-id=d4732915-a968-499d-b34b-00a6fa4c401d --security-group default \
> --key-name demo_key demo_vm1
+-----------------------------+-----------------------------------------------+
| Field                       | Value                                         |
+-----------------------------+-----------------------------------------------+
| OS-DCF:diskConfig           | MANUAL                                        |
| OS-EXT-AZ:availability_zone |                                               |
| OS-EXT-STS:power_state      | NOSTATE                                       |
| OS-EXT-STS:task_state       | scheduling                                    |
| OS-EXT-STS:vm_state         | building                                      |
| OS-SRV-USG:launched_at      | None                                          |
| OS-SRV-USG:terminated_at    | None                                          |
| accessIPv4                  |                                               |
| accessIPv6                  |                                               |
| addresses                   |                                               |
| adminPass                   | kCjHs82pTgRp                                  |
| config_drive                |                                               |
| created                     | 2020-10-31T09:55:13Z                          |
| flavor                      | m1.nano (0)                                   |
| hostId                      |                                               |
| id                          | a9f76200-0636-48ab-9eda-69526dab0653          |
| image                       | cirros (94dd2ba0-1736-4307-865d-7cb86b85d32e) |
| key_name                    | demo_key                                      |
| name                        | demo_vm1                                      |
| progress                    | 0                                             |
| project_id                  | 1a918887f38a42c28f9d0d3774f34b16              |
| properties                  |                                               |
| security_groups             | name='06b13f55-8beb-48d4-9994-490acc5488cf'   |
| status                      | BUILD                                         |
| updated                     | 2020-10-31T09:55:13Z                          |
| user_id                     | 5453d68782a34429a7dab7da9c51f0d9              |
| volumes_attached            |                                               |
+-----------------------------+-----------------------------------------------+
[root@node01 ~]#
Check the instance status:
[root@node01 ~]# openstack server list
+--------------------------------------+----------+--------+----------------------------+--------+---------+
| ID                                   | Name     | Status | Networks                   | Image  | Flavor  |
+--------------------------------------+----------+--------+----------------------------+--------+---------+
| a9f76200-0636-48ab-9eda-69526dab0653 | demo_vm1 | ACTIVE | provider-net=192.168.0.103 | cirros | m1.nano |
+--------------------------------------+----------+--------+----------------------------+--------+---------+
[root@node01 ~]#
Note: demo_vm1 is in the ACTIVE state, is attached to the provider-net network with IP address 192.168.0.103, uses the cirros image and the m1.nano flavor.
Verify: on the compute node, use virsh to check whether the launched instance is visible:
[root@node03 ~]# virsh list
 Id    Name                           State
----------------------------------------------------
 1     instance-00000001              running

[root@node03 ~]#
Note: when viewed with virsh on the compute node, the instance appears under its own libvirt name. The output shows one instance on the compute node in the running state.
Verify: ping the instance's IP address from another host:
[root@node02 ~]# ping 192.168.0.103
PING 192.168.0.103 (192.168.0.103) 56(84) bytes of data.
64 bytes from 192.168.0.103: icmp_seq=1 ttl=64 time=7.14 ms
64 bytes from 192.168.0.103: icmp_seq=2 ttl=64 time=1.92 ms
64 bytes from 192.168.0.103: icmp_seq=3 ttl=64 time=0.905 ms
^C
--- 192.168.0.103 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 0.905/3.325/7.148/2.735 ms
[root@node02 ~]#
View the instance's VNC address:
[root@node01 ~]# openstack console url show demo_vm1
+-------+-------------------------------------------------------------------------------------------+
| Field | Value                                                                                     |
+-------+-------------------------------------------------------------------------------------------+
| type  | novnc                                                                                     |
| url   | http://controller:6080/vnc_auto.html?path=%3Ftoken%3Dbe38cbc9-7742-41b4-aef4-2d94ea510ca8 |
+-------+-------------------------------------------------------------------------------------------+
[root@node01 ~]#
Open the URL returned by the command above in a browser and check whether the instance's VNC console is reachable.
Note: when accessing it from Windows, the name controller must be resolvable on the Windows host.
Verify: log in to the instance and check whether it can reach the external network.
Note: pinging the external network from inside the instance succeeds, and the instance obtained an address in the same subnet as our hosts; this shows that the instance launched on the provider network is running normally.
Verify: SSH to the instance from the controller node and check whether the login is passwordless:
[root@node01 ~]# ssh cirros@192.168.0.103
The authenticity of host '192.168.0.103 (192.168.0.103)' can't be established.
ECDSA key fingerprint is SHA256:NnU0otuUa4VYObeLL4BmFMdHEvgsdvMzZadGnP/xcW4.
ECDSA key fingerprint is MD5:e3:b5:be:67:99:cb:12:f4:3f:dd:ad:af:2c:86:7d:c7.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.0.103' (ECDSA) to the list of known hosts.
$ sudo su -
# ifconfig
eth0      Link encap:Ethernet  HWaddr FA:16:3E:03:80:17
          inet addr:192.168.0.103  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::f816:3eff:fe03:8017/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:173 errors:0 dropped:0 overruns:0 frame:0
          TX packets:177 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:20633 (20.1 KiB)  TX bytes:17495 (17.0 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

# exit
$ exit
Connection to 192.168.0.103 closed.
[root@node01 ~]#
Note: SSH from the controller node logs in without a password because the private key of the pair registered for this instance is on the controller node; when the instance was created, OpenStack injected the public key of the key pair we created into it. The verification above also shows that the rule we added to the default security group to allow SSH on port 22 has taken effect. This completes launching an instance on a provider network.
3. Launch an instance on a self-service network
On the controller node, source the demo user's environment variables and create the self-service network:
[root@node01 ~]# source demo.sh
[root@node01 ~]# openstack network create demo_selfservice_net
+---------------------------+--------------------------------------+
| Field                     | Value                                |
+---------------------------+--------------------------------------+
| admin_state_up            | UP                                   |
| availability_zone_hints   |                                      |
| availability_zones        |                                      |
| created_at                | 2020-10-31T10:33:55Z                 |
| description               |                                      |
| dns_domain                | None                                 |
| id                        | ad433d82-6fe1-4e51-9fe2-4cfa0fa2040d |
| ipv4_address_scope        | None                                 |
| ipv6_address_scope        | None                                 |
| is_default                | False                                |
| is_vlan_transparent       | None                                 |
| mtu                       | 1450                                 |
| name                      | demo_selfservice_net                 |
| port_security_enabled     | True                                 |
| project_id                | 1a918887f38a42c28f9d0d3774f34b16     |
| provider:network_type     | None                                 |
| provider:physical_network | None                                 |
| provider:segmentation_id  | None                                 |
| qos_policy_id             | None                                 |
| revision_number           | 1                                    |
| router:external           | Internal                             |
| segments                  | None                                 |
| shared                    | False                                |
| status                    | ACTIVE                               |
| subnets                   |                                      |
| tags                      |                                      |
| updated_at                | 2020-10-31T10:33:55Z                 |
+---------------------------+--------------------------------------+
[root@node01 ~]#
Note: before creating a self-service network, make sure that tenant_network_types = vxlan is set in the [ml2] section of /etc/neutron/plugins/ml2/ml2_conf.ini and that a VXLAN VNI range is configured in the [ml2_type_vxlan] section, as shown below.
Create a subnet
[root@node01 ~]# openstack subnet create --network demo_selfservice_net \
> --dns-nameserver 61.139.2.69 --gateway 10.0.0.254 \
> --subnet-range 10.0.0.0/8 demo_selfservice_net_sub
+-------------------+-----------------------------------------------+
| Field             | Value                                         |
+-------------------+-----------------------------------------------+
| allocation_pools  | 10.0.0.255-10.255.255.254,10.0.0.1-10.0.0.253 |
| cidr              | 10.0.0.0/8                                    |
| created_at        | 2020-10-31T10:42:52Z                          |
| description       |                                               |
| dns_nameservers   | 61.139.2.69                                   |
| enable_dhcp       | True                                          |
| gateway_ip        | 10.0.0.254                                    |
| host_routes       |                                               |
| id                | 1f2e1eca-d827-4d30-8c33-2ed1a5420d86          |
| ip_version        | 4                                             |
| ipv6_address_mode | None                                          |
| ipv6_ra_mode      | None                                          |
| name              | demo_selfservice_net_sub                      |
| network_id        | ad433d82-6fe1-4e51-9fe2-4cfa0fa2040d          |
| project_id        | 1a918887f38a42c28f9d0d3774f34b16              |
| revision_number   | 0                                             |
| segment_id        | None                                          |
| service_types     |                                               |
| subnetpool_id     | None                                          |
| tags              |                                               |
| updated_at        | 2020-10-31T10:42:52Z                          |
+-------------------+-----------------------------------------------+
[root@node01 ~]#
Note: the subnet here is created with the demo user's environment variables rather than admin's, because a self-service network is a tenant network, managed by the tenant itself.
Create a virtual router
[root@node01 ~]# openstack router create demo_selfservice_net_sub_router1
+-------------------------+--------------------------------------+
| Field                   | Value                                |
+-------------------------+--------------------------------------+
| admin_state_up          | UP                                   |
| availability_zone_hints |                                      |
| availability_zones      |                                      |
| created_at              | 2020-10-31T10:48:53Z                 |
| description             |                                      |
| external_gateway_info   | None                                 |
| flavor_id               | None                                 |
| id                      | 2c288a0c-c2ce-4bca-b0a8-d795844ea3e6 |
| name                    | demo_selfservice_net_sub_router1     |
| project_id              | 1a918887f38a42c28f9d0d3774f34b16     |
| revision_number         | 1                                    |
| routes                  |                                      |
| status                  | ACTIVE                               |
| tags                    |                                      |
| updated_at              | 2020-10-31T10:48:53Z                 |
+-------------------------+--------------------------------------+
[root@node01 ~]#
Add the subnet created above to the router:
[root@node01 ~]# openstack router add subnet demo_selfservice_net_sub_router1 demo_selfservice_net_sub
[root@node01 ~]#
Note: openstack router add subnet takes the router name (or ID) followed by the subnet name (or ID).
Set the router's upstream network, much like configuring the WAN port of a home router:
[root@node01 ~]# openstack router set demo_selfservice_net_sub_router1 --external-gateway provider-net
[root@node01 ~]#
The virtual router is now created and configured.
Verify: on the controller node, source the admin user's environment variables and view the network namespaces:
[root@node01 ~]# source admin.sh
[root@node01 ~]# ip netns
qrouter-2c288a0c-c2ce-4bca-b0a8-d795844ea3e6 (id: 2)
qdhcp-ad433d82-6fe1-4e51-9fe2-4cfa0fa2040d (id: 1)
qdhcp-d4732915-a968-499d-b34b-00a6fa4c401d (id: 0)
[root@node01 ~]#
Note: one qrouter namespace and two qdhcp namespaces are visible, which indicates the virtual router was created correctly.
Verify: list the ports on the router and check whether they carry the addresses of the networks we configured:
[root@node01 ~]# openstack port list --router demo_selfservice_net_sub_router1
+--------------------------------------+------+-------------------+------------------------------------------------------------------------------+--------+
| ID                                   | Name | MAC Address       | Fixed IP Addresses                                                           | Status |
+--------------------------------------+------+-------------------+------------------------------------------------------------------------------+--------+
| 111f53eb-4b47-4f15-8141-f2a500db1103 |      | fa:16:3e:21:af:3c | ip_address='10.0.0.254', subnet_id='1f2e1eca-d827-4d30-8c33-2ed1a5420d86'    | ACTIVE |
| ab87a282-b78b-4193-8873-c9336aaaf04e |      | fa:16:3e:ae:31:03 | ip_address='192.168.0.107', subnet_id='08341b97-47d0-4c81-bb04-385f36c6b609' | ACTIVE |
+--------------------------------------+------+-------------------+------------------------------------------------------------------------------+--------+
[root@node01 ~]#
Verify: view the router's network interfaces:
[root@node01 ~]# ip netns exec qrouter-2c288a0c-c2ce-4bca-b0a8-d795844ea3e6 ifconfig
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

qg-ab87a282-b7: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.107  netmask 255.255.255.0  broadcast 192.168.0.255
        inet6 fe80::f816:3eff:feae:3103  prefixlen 64  scopeid 0x20<link>
        ether fa:16:3e:ae:31:03  txqueuelen 1000  (Ethernet)
        RX packets 215  bytes 76407 (74.6 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 22  bytes 1452 (1.4 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

qr-111f53eb-4b: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1450
        inet 10.0.0.254  netmask 255.0.0.0  broadcast 10.255.255.255
        inet6 fe80::f816:3eff:fe21:af3c  prefixlen 64  scopeid 0x20<link>
        ether fa:16:3e:21:af:3c  txqueuelen 1000  (Ethernet)
        RX packets 109  bytes 9850 (9.6 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 79  bytes 8047 (7.8 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[root@node01 ~]#
Verify: ping the virtual router's address from another host:
[root@node03 ~]# ping 192.168.0.107
PING 192.168.0.107 (192.168.0.107) 56(84) bytes of data.
64 bytes from 192.168.0.107: icmp_seq=1 ttl=64 time=1.63 ms
64 bytes from 192.168.0.107: icmp_seq=2 ttl=64 time=1.16 ms
^C
--- 192.168.0.107 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 1.161/1.397/1.633/0.236 ms
[root@node03 ~]#
The self-service network is now complete.
Launch an instance
On the controller node, source the demo user's environment variables and check which networks are available:
[root@node01 ~]# source demo.sh
[root@node01 ~]# openstack network list
+--------------------------------------+----------------------+--------------------------------------+
| ID                                   | Name                 | Subnets                              |
+--------------------------------------+----------------------+--------------------------------------+
| ad433d82-6fe1-4e51-9fe2-4cfa0fa2040d | demo_selfservice_net | 1f2e1eca-d827-4d30-8c33-2ed1a5420d86 |
| d4732915-a968-499d-b34b-00a6fa4c401d | provider-net         | 08341b97-47d0-4c81-bb04-385f36c6b609 |
+--------------------------------------+----------------------+--------------------------------------+
[root@node01 ~]#
Note: there is now one more network.
Create the instance
[root@node01 ~]# openstack server create --flavor m1.nano --image cirros \
> --nic net-id=ad433d82-6fe1-4e51-9fe2-4cfa0fa2040d --security-group default \
> --key-name demo_key demo_vm2
+-----------------------------+-----------------------------------------------+
| Field                       | Value                                         |
+-----------------------------+-----------------------------------------------+
| OS-DCF:diskConfig           | MANUAL                                        |
| OS-EXT-AZ:availability_zone |                                               |
| OS-EXT-STS:power_state      | NOSTATE                                       |
| OS-EXT-STS:task_state       | scheduling                                    |
| OS-EXT-STS:vm_state         | building                                      |
| OS-SRV-USG:launched_at      | None                                          |
| OS-SRV-USG:terminated_at    | None                                          |
| accessIPv4                  |                                               |
| accessIPv6                  |                                               |
| addresses                   |                                               |
| adminPass                   | BwSt52FxL4Nk                                  |
| config_drive                |                                               |
| created                     | 2020-10-31T11:10:59Z                          |
| flavor                      | m1.nano (0)                                   |
| hostId                      |                                               |
| id                          | 3f220e22-50ce-4068-9b0b-cd9c07446e6c          |
| image                       | cirros (94dd2ba0-1736-4307-865d-7cb86b85d32e) |
| key_name                    | demo_key                                      |
| name                        | demo_vm2                                      |
| progress                    | 0                                             |
| project_id                  | 1a918887f38a42c28f9d0d3774f34b16              |
| properties                  |                                               |
| security_groups             | name='06b13f55-8beb-48d4-9994-490acc5488cf'   |
| status                      | BUILD                                         |
| updated                     | 2020-10-31T11:10:59Z                          |
| user_id                     | 5453d68782a34429a7dab7da9c51f0d9              |
| volumes_attached            |                                               |
+-----------------------------+-----------------------------------------------+
[root@node01 ~]#
List the current user's instances:
[root@node01 ~]# openstack server list
+--------------------------------------+----------+--------+-------------------------------+--------+---------+
| ID                                   | Name     | Status | Networks                      | Image  | Flavor  |
+--------------------------------------+----------+--------+-------------------------------+--------+---------+
| 3f220e22-50ce-4068-9b0b-cd9c07446e6c | demo_vm2 | ACTIVE | demo_selfservice_net=10.0.1.2 | cirros | m1.nano |
| a9f76200-0636-48ab-9eda-69526dab0653 | demo_vm1 | ACTIVE | provider-net=192.168.0.103    | cirros | m1.nano |
+--------------------------------------+----------+--------+-------------------------------+--------+---------+
[root@node01 ~]#
Note: demo_vm2 is running and its IP address is 10.0.1.2.
View the instance's VNC address:
[root@node01 ~]# openstack console url show demo_vm2
+-------+-------------------------------------------------------------------------------------------+
| Field | Value                                                                                     |
+-------+-------------------------------------------------------------------------------------------+
| type  | novnc                                                                                     |
| url   | http://controller:6080/vnc_auto.html?path=%3Ftoken%3D96aa104b-c603-41ee-aaa5-1e1bbc0e522f |
+-------+-------------------------------------------------------------------------------------------+
[root@node01 ~]#
Verify: open the URL in a browser and check whether the instance's VNC console is reachable.
Note: demo_vm2 is reachable through the returned URL.
Verify: log in to the instance and check whether its IP address is on the network we specified.
Verify: can it communicate with the external network?
Note: the instance can communicate with the external network normally.
Check the instance's routing table to see whether the gateway is the one we specified.
Verify: SSH to demo_vm2 from the controller node and see whether the connection succeeds.
Note: clearly the instance cannot be reached directly from the external network.
Connect to the instance through the router's network namespace:
[root@node01 ~]# ip netns
qrouter-2c288a0c-c2ce-4bca-b0a8-d795844ea3e6 (id: 2)
qdhcp-ad433d82-6fe1-4e51-9fe2-4cfa0fa2040d (id: 1)
qdhcp-d4732915-a968-499d-b34b-00a6fa4c401d (id: 0)
[root@node01 ~]# ip netns exec qrouter-2c288a0c-c2ce-4bca-b0a8-d795844ea3e6 ssh cirros@10.0.1.2
The authenticity of host '10.0.1.2 (10.0.1.2)' can't be established.
ECDSA key fingerprint is SHA256:7jOPWda8qBsteCnjUOHFvwq0YLeZzSOh2Sd7qJlMCFU.
ECDSA key fingerprint is MD5:24:ec:79:49:99:62:74:e3:20:ad:ba:94:4c:b5:fb:c5.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.1.2' (ECDSA) to the list of known hosts.
$ sudo su -
# ifconfig
eth0      Link encap:Ethernet  HWaddr FA:16:3E:70:34:63
          inet addr:10.0.1.2  Bcast:10.255.255.255  Mask:255.0.0.0
          inet6 addr: fe80::f816:3eff:fe70:3463/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1450  Metric:1
          RX packets:153 errors:0 dropped:0 overruns:0 frame:0
          TX packets:165 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:20183 (19.7 KiB)  TX bytes:17629 (17.2 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

# exit
$ exit
Connection to 10.0.1.2 closed.
[root@node01 ~]#
Note: from inside the virtual router's network namespace, the instance can be reached from the external side.
Set up one-to-one NAT so that the external network can reach the instance
Create a floating IP on the provider-net network, to serve as the entry address for traffic from outside to the internal instance:
[root@node01 ~]# openstack floating ip create provider-net
+---------------------+--------------------------------------+
| Field               | Value                                |
+---------------------+--------------------------------------+
| created_at          | 2020-10-31T12:29:44Z                 |
| description         |                                      |
| dns_domain          | None                                 |
| dns_name            | None                                 |
| fixed_ip_address    | None                                 |
| floating_ip_address | 192.168.0.104                        |
| floating_network_id | d4732915-a968-499d-b34b-00a6fa4c401d |
| id                  | 1bedaaf8-5bdf-492b-8e8b-d009dd62a93f |
| name                | 192.168.0.104                        |
| port_details        | None                                 |
| port_id             | None                                 |
| project_id          | 1a918887f38a42c28f9d0d3774f34b16     |
| qos_policy_id       | None                                 |
| revision_number     | 0                                    |
| router_id           | None                                 |
| status              | DOWN                                 |
| subnet_id           | None                                 |
| tags                | []                                   |
| updated_at          | 2020-10-31T12:29:44Z                 |
+---------------------+--------------------------------------+
[root@node01 ~]#
Note: the floating IP address is 192.168.0.104.
Associate the floating IP with the instance:
[root@node01 ~]# openstack server add floating ip demo_vm2 192.168.0.104
[root@node01 ~]#
List the current user's instances again:
[root@node01 ~]# openstack server list
+--------------------------------------+----------+--------+----------------------------------------------+--------+---------+
| ID                                   | Name     | Status | Networks                                     | Image  | Flavor  |
+--------------------------------------+----------+--------+----------------------------------------------+--------+---------+
| 3f220e22-50ce-4068-9b0b-cd9c07446e6c | demo_vm2 | ACTIVE | demo_selfservice_net=10.0.1.2, 192.168.0.104 | cirros | m1.nano |
| a9f76200-0636-48ab-9eda-69526dab0653 | demo_vm1 | ACTIVE | provider-net=192.168.0.103                   | cirros | m1.nano |
+--------------------------------------+----------+--------+----------------------------------------------+--------+---------+
[root@node01 ~]#
Note: the floating IP now appears alongside demo_vm2's fixed address.
Verify: ping 192.168.0.104 from another host:
[root@node02 ~]# ping 192.168.0.104
PING 192.168.0.104 (192.168.0.104) 56(84) bytes of data.
64 bytes from 192.168.0.104: icmp_seq=1 ttl=63 time=5.82 ms
64 bytes from 192.168.0.104: icmp_seq=2 ttl=63 time=2.07 ms
64 bytes from 192.168.0.104: icmp_seq=3 ttl=63 time=2.62 ms
^C
--- 192.168.0.104 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2004ms
rtt min/avg/max/mdev = 2.071/3.504/5.820/1.653 ms
[root@node02 ~]#
Verify: SSH to 192.168.0.104 from an external host and check whether it connects to the instance:
[root@node01 ~]# ssh cirros@192.168.0.104
The authenticity of host '192.168.0.104 (192.168.0.104)' can't be established.
ECDSA key fingerprint is SHA256:7jOPWda8qBsteCnjUOHFvwq0YLeZzSOh2Sd7qJlMCFU.
ECDSA key fingerprint is MD5:24:ec:79:49:99:62:74:e3:20:ad:ba:94:4c:b5:fb:c5.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.0.104' (ECDSA) to the list of known hosts.
$ ifconfig
eth0      Link encap:Ethernet  HWaddr FA:16:3E:70:34:63
          inet addr:10.0.1.2  Bcast:10.255.255.255  Mask:255.0.0.0
          inet6 addr: fe80::f816:3eff:fe70:3463/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1450  Metric:1
          RX packets:376 errors:0 dropped:0 overruns:0 frame:0
          TX packets:317 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:46715 (45.6 KiB)  TX bytes:38361 (37.4 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

$ exit
Connection to 192.168.0.104 closed.
[root@node01 ~]#
Note: an external host can now talk to the instance directly by connecting to the floating IP. When we associated the floating IP with the instance, a DNAT rule was added to the iptables nat table inside the virtual router's namespace, as shown below.
Note: the DNAT rule above is why connecting to the floating IP from the external network reaches the internal instance.
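The script below is an added example, not from the original post, showing how to check the DNAT rule the note above refers to. On a live controller the input would be the output of `ip netns exec qrouter-<id> iptables -t nat -S`; here the lines are a constructed sample in that output format, using the neutron L3 agent's chain names as I know them (an assumption, not taken from the post) and the one association the post establishes, 192.168.0.104 to 10.0.1.2. The script extracts each floating-to-fixed mapping and compares it with the association Neutron reports, so a stale or unexpected NAT entry in the router namespace stands out instead of silently redirecting a floating IP somewhere else.

```shell
#!/bin/sh
# Added example, not from the original post: read the DNAT rules of a router
# namespace and verify the floating IP -> fixed IP mapping against what
# Neutron reports. Live input: ip netns exec qrouter-<id> iptables -t nat -S

# Constructed sample in `iptables -t nat -S` format. Chain names follow the
# neutron L3 agent's naming as assumed here; the 192.168.0.104 -> 10.0.1.2
# association is the one set up in the post.
sample_nat_rules() {
cat <<'EOF'
-P PREROUTING ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A PREROUTING -j neutron-l3-agent-PREROUTING
-A OUTPUT -j neutron-l3-agent-OUTPUT
-A neutron-l3-agent-PREROUTING -d 192.168.0.104/32 -j DNAT --to-destination 10.0.1.2
-A neutron-l3-agent-OUTPUT -d 192.168.0.104/32 -j DNAT --to-destination 10.0.1.2
-A neutron-l3-agent-float-snat -s 10.0.1.2/32 -j SNAT --to-source 192.168.0.104
EOF
}

# dnat_map: stdin = nat table rules; prints "floating fixed" once per pair
# (the PREROUTING and OUTPUT copies of the same rule collapse to one line).
dnat_map() {
    awk '$1 == "-A" && / -j DNAT / {
        for (i = 1; i <= NF; i++) {
            if ($i == "-d") { split($(i+1), d, "/"); fip = d[1] }
            if ($i == "--to-destination") fixed = $(i+1)
        }
        pair = fip " " fixed
        if (!(pair in seen)) { seen[pair] = 1; print pair }
    }'
}

# fixed_ip_for FLOATING: the fixed IP the router DNATs FLOATING to.
fixed_ip_for() {
    sample_nat_rules | dnat_map | awk -v f="$1" '$1 == f { print $2 }'
}

# verify_floating FLOATING EXPECTED_FIXED: succeed when the DNAT target is
# the fixed IP Neutron associates with the floating IP (from
# `openstack floating ip list` or the Networks column of `server list`).
verify_floating() {
    [ "$(fixed_ip_for "$1")" = "$2" ]
}

# Stand-alone run: show the mapping and check the post's association.
sample_nat_rules | dnat_map
if verify_floating 192.168.0.104 10.0.1.2; then
    echo "DNAT for 192.168.0.104 matches Neutron's association (10.0.1.2)"
else
    echo "MISMATCH: router DNAT for 192.168.0.104 does not point at 10.0.1.2"
fi
```

Feeding the real `iptables -t nat -S` output into `dnat_map` and diffing it against `openstack floating ip list -f value -c "Floating IP Address" -c "Fixed IP Address"` gives a quick consistency check between the Neutron database and what the router namespace actually does.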
This completes the configuration and testing of an instance launched on a self-service network.