In the previous posts we covered the OpenStack base environment and the installation and configuration of the core services (the identity service Keystone, the image service Glance, the compute service Nova and the network service Neutron); see those posts for a recap. Today we use the services configured there to launch a virtual machine instance.
Launching an instance in OpenStack goes through roughly the following steps. First, a user has to log in to OpenStack in order to create an instance; Keystone authenticates the user and hands back a token. If authentication succeeds the user can perform the operations that their role in the project allows; if it fails, nothing further is possible. Second, holding the Keystone token, the user creates the instance. Before doing so the user has to choose which template the instance is built from, which image the system is installed from, which network it attaches to, which security group policy applies, and so on; all of these must exist beforehand. Once those pieces are chosen the user sends the create request to the control node, the services there call each other (Nova validates the token with Keystone, fetches the image from Glance, picks a compute node and asks Neutron for a port), and an instance comes out at the end. One point worth stressing: creating an instance on OpenStack is not like creating one with the kvm/qemu tools, where you state the virtual CPUs, memory, disk and so on directly; on OpenStack the instance's base resources are defined by a template, which in OpenStack terminology is called a flavor. With the overall flow understood, let's run an instance on the environment configured in the earlier posts.
1. Create a flavor
On the control node, source the admin environment variables and create the flavor. Openrc-style files such as admin.sh and demo.sh normally carry OS_PASSWORD in clear text, so keep them readable only by root (mode 600).
```
[root@node01 ~]# source admin.sh
[root@node01 ~]# openstack flavor create --id 0 --vcpus 1 --ram 64 --disk 1 m1.nano
+----------------------------+---------+
| Field                      | Value   |
+----------------------------+---------+
| OS-FLV-DISABLED:disabled   | False   |
| OS-FLV-EXT-DATA:ephemeral  | 0       |
| disk                       | 1       |
| id                         | 0       |
| name                       | m1.nano |
| os-flavor-access:is_public | True    |
| properties                 |         |
| ram                        | 64      |
| rxtx_factor                | 1.0     |
| swap                       |         |
| vcpus                      | 1       |
+----------------------------+---------+
[root@node01 ~]#
```
Source the demo user's environment variables and create a keypair. Only the public key is uploaded to Nova; the private key stays in /root/.ssh/id_rsa on the control node, so whoever has root there holds the login key for every instance launched with demo_key. Note also that `ssh-keygen -N ""` produces a key without a passphrase, and that answering y here overwrote the key that already existed.
```
[root@node01 ~]# source demo.sh
[root@node01 ~]# ssh-keygen -q -N ""
Enter file in which to save the key (/root/.ssh/id_rsa):
/root/.ssh/id_rsa already exists.
Overwrite (y/n)? y
[root@node01 ~]# openstack keypair create --public-key ~/.ssh/id_rsa.pub demo_key
+-------------+-------------------------------------------------+
| Field       | Value                                           |
+-------------+-------------------------------------------------+
| fingerprint | ed:28:2f:00:14:3d:f0:80:6d:0a:0c:ca:41:60:f9:e1 |
| name        | demo_key                                        |
| user_id     | 5453d68782a34429a7dab7da9c51f0d9                |
+-------------+-------------------------------------------------+
[root@node01 ~]#
```
List the security groups
```
[root@node01 ~]# openstack security group list
+--------------------------------------+---------+------------------------+----------------------------------+------+
| ID                                   | Name    | Description            | Project                          | Tags |
+--------------------------------------+---------+------------------------+----------------------------------+------+
| 06b13f55-8beb-48d4-9994-490acc5488cf | default | Default security group | 1a918887f38a42c28f9d0d3774f34b16 | []   |
+--------------------------------------+---------+------------------------+----------------------------------+------+
[root@node01 ~]#
```
View the rules in the default security group
```
[root@node01 ~]# openstack security group rule list
+--------------------------------------+-------------+----------+------------+--------------------------------------+--------------------------------------+
| ID                                   | IP Protocol | IP Range | Port Range | Remote Security Group                | Security Group                       |
+--------------------------------------+-------------+----------+------------+--------------------------------------+--------------------------------------+
| 361377d6-c836-416f-a00b-245d4f62baf2 | None        | None     |            | 06b13f55-8beb-48d4-9994-490acc5488cf | 06b13f55-8beb-48d4-9994-490acc5488cf |
| 65618465-214b-49ae-8516-888380a0475c | None        | None     |            | 06b13f55-8beb-48d4-9994-490acc5488cf | 06b13f55-8beb-48d4-9994-490acc5488cf |
| 72796899-293a-40fc-ba1a-4d67f0009af9 | None        | None     |            | None                                 | 06b13f55-8beb-48d4-9994-490acc5488cf |
| 870614db-372d-4f10-8b81-71b473f586ad | None        | None     |            | None                                 | 06b13f55-8beb-48d4-9994-490acc5488cf |
+--------------------------------------+-------------+----------+------------+--------------------------------------+--------------------------------------+
[root@node01 ~]#
```
Note: a security group in OpenStack can be thought of as a virtual firewall attached to each instance port, and its rules as iptables rules (with the Linux bridge agent they really are rendered as iptables rules on the compute node). The four rules above are the ones Neutron creates for every project's default group: two egress rules (IPv4 and IPv6, the rows with no remote group) that allow all outbound traffic, and two ingress rules whose remote security group is the default group itself, which admit traffic only from other ports in the same group. Everything else inbound is dropped, so from outside nothing can reach the instance on any protocol or port. That clearly does not meet our needs; at the very least SSH has to be opened.
Add a rule opening the SSH port to the default security group
```
[root@node01 ~]# openstack security group rule create --proto tcp --dst-port 22 default
+-------------------+--------------------------------------+
| Field             | Value                                |
+-------------------+--------------------------------------+
| created_at        | 2020-10-31T09:12:25Z                 |
| description       |                                      |
| direction         | ingress                              |
| ether_type        | IPv4                                 |
| id                | 703d962b-7321-4103-be77-4f1383f6d97d |
| name              | None                                 |
| port_range_max    | 22                                   |
| port_range_min    | 22                                   |
| project_id        | 1a918887f38a42c28f9d0d3774f34b16     |
| protocol          | tcp                                  |
| remote_group_id   | None                                 |
| remote_ip_prefix  | 0.0.0.0/0                            |
| revision_number   | 0                                    |
| security_group_id | 06b13f55-8beb-48d4-9994-490acc5488cf |
| updated_at        | 2020-10-31T09:12:25Z                 |
+-------------------+--------------------------------------+
[root@node01 ~]#
```
Note: this rule is created while still using the demo user's environment variables, so it lands in the demo project's default group (security groups are per project; the admin project has a default group of its own). Look at remote_ip_prefix: with no --remote-ip given it defaults to 0.0.0.0/0, and since an instance on a provider network gets an address on the physical LAN, this admits SSH from anything that can route to that LAN. For anything beyond a lab, scope it with --remote-ip to the networks your administrators actually come from.
Add a rule allowing ICMP to the default security group
```
[root@node01 ~]# openstack security group rule create --proto icmp default
+-------------------+--------------------------------------+
| Field             | Value                                |
+-------------------+--------------------------------------+
| created_at        | 2020-10-31T09:14:29Z                 |
| description       |                                      |
| direction         | ingress                              |
| ether_type        | IPv4                                 |
| id                | f00b068c-fe94-4aa5-af81-83e6d94c6ec4 |
| name              | None                                 |
| port_range_max    | None                                 |
| port_range_min    | None                                 |
| project_id        | 1a918887f38a42c28f9d0d3774f34b16     |
| protocol          | icmp                                 |
| remote_group_id   | None                                 |
| remote_ip_prefix  | 0.0.0.0/0                            |
| revision_number   | 0                                    |
| security_group_id | 06b13f55-8beb-48d4-9994-490acc5488cf |
| updated_at        | 2020-10-31T09:14:29Z                 |
+-------------------+--------------------------------------+
[root@node01 ~]#
```
Note: this step is not required; we add ICMP to the default group only to make the tests later on easier. As written it admits every ICMP type from every source; if you keep it outside a lab, narrow it with --icmp-type (8 for echo request) and --remote-ip.
Check: list the rules in the default security group again and confirm that both rules were added.
```
[root@node01 ~]# openstack security group rule list
+--------------------------------------+-------------+-----------+------------+--------------------------------------+--------------------------------------+
| ID                                   | IP Protocol | IP Range  | Port Range | Remote Security Group                | Security Group                       |
+--------------------------------------+-------------+-----------+------------+--------------------------------------+--------------------------------------+
| 361377d6-c836-416f-a00b-245d4f62baf2 | None        | None      |            | 06b13f55-8beb-48d4-9994-490acc5488cf | 06b13f55-8beb-48d4-9994-490acc5488cf |
| 65618465-214b-49ae-8516-888380a0475c | None        | None      |            | 06b13f55-8beb-48d4-9994-490acc5488cf | 06b13f55-8beb-48d4-9994-490acc5488cf |
| 703d962b-7321-4103-be77-4f1383f6d97d | tcp         | 0.0.0.0/0 | 22:22      | None                                 | 06b13f55-8beb-48d4-9994-490acc5488cf |
| 72796899-293a-40fc-ba1a-4d67f0009af9 | None        | None      |            | None                                 | 06b13f55-8beb-48d4-9994-490acc5488cf |
| 870614db-372d-4f10-8b81-71b473f586ad | None        | None      |            | None                                 | 06b13f55-8beb-48d4-9994-490acc5488cf |
| f00b068c-fe94-4aa5-af81-83e6d94c6ec4 | icmp        | 0.0.0.0/0 |            | None                                 | 06b13f55-8beb-48d4-9994-490acc5488cf |
+--------------------------------------+-------------+-----------+------------+--------------------------------------+--------------------------------------+
[root@node01 ~]#
```
Note: the default group now carries two extra rules, tcp/22 and icmp, both from 0.0.0.0/0.
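Before moving on, here is a small audit of the listing above, as an added example (not code from the original post): it takes the JSON form of `openstack security group rule list --long -f json` and reports every ingress rule that admits any source address, together with the command that recreates it scoped to an administrative range. The key names follow the CLI's column headers; that `--long` adds the Direction and Ethertype columns is an assumption of the example, as is the 192.168.0.0/24 admin range, and the sample data is constructed to mirror the six rules shown above.

```python
"""Audit a project's security-group rules for world-reachable ingress.

Added example, not code from the original post. It consumes the JSON
form of the listing above (`openstack security group rule list --long
-f json`); key names follow the CLI's column headers, and the
Direction/Ethertype columns are assumed to come from --long. The sample
data is constructed to mirror the six rules of the demo project's
default group after the tcp/22 and icmp rules were added.
"""
import json

GROUP_ID = "06b13f55-8beb-48d4-9994-490acc5488cf"


def _rule(rid, proto, ip_range, ports, direction, remote_group, ethertype="IPv4"):
    return {"ID": rid, "IP Protocol": proto, "Ethertype": ethertype,
            "IP Range": ip_range, "Port Range": ports, "Direction": direction,
            "Remote Security Group": remote_group, "Security Group": GROUP_ID}


# Constructed sample: two default ingress-from-same-group rules, two
# default allow-all egress rules, then the two rules added above.
SAMPLE_RULES_JSON = json.dumps([
    _rule("361377d6-c836-416f-a00b-245d4f62baf2", None, None, "", "ingress", GROUP_ID),
    _rule("65618465-214b-49ae-8516-888380a0475c", None, None, "", "ingress", GROUP_ID, "IPv6"),
    _rule("72796899-293a-40fc-ba1a-4d67f0009af9", None, None, "", "egress", None),
    _rule("870614db-372d-4f10-8b81-71b473f586ad", None, None, "", "egress", None, "IPv6"),
    _rule("703d962b-7321-4103-be77-4f1383f6d97d", "tcp", "0.0.0.0/0", "22:22", "ingress", None),
    _rule("f00b068c-fe94-4aa5-af81-83e6d94c6ec4", "icmp", "0.0.0.0/0", "", "ingress", None),
])

# An unset or zero-length prefix means "from any source".
ANY_SOURCE = {None, "", "0.0.0.0/0", "::/0"}


def world_open_ingress(rules):
    """Return the ingress rules that accept traffic from any source address.

    Egress rules are skipped (the two None/None rules of a default group
    are its allow-all egress rules), as are rules scoped to a remote
    security group, which only admit members of that group.
    """
    return [r for r in rules
            if r.get("Direction") == "ingress"
            and not r.get("Remote Security Group")
            and r.get("IP Range") in ANY_SOURCE]


def describe(rule):
    proto = rule.get("IP Protocol") or "any protocol"
    ports = rule.get("Port Range") or "all ports"
    return f"{rule['ID']}: {proto} {ports} from {rule.get('IP Range') or 'anywhere'}"


def restricted_equivalent(rule, group, remote_cidr):
    """Build the CLI command that recreates `rule` limited to `remote_cidr`.

    --remote-ip is python-openstackclient's flag for remote_ip_prefix;
    --dst-port takes a single port or a low:high range.
    """
    parts = ["openstack security group rule create"]
    if rule.get("IP Protocol"):
        parts.append(f"--proto {rule['IP Protocol']}")
    if rule.get("Port Range"):
        low, high = rule["Port Range"].split(":")
        parts.append(f"--dst-port {low}" if low == high else f"--dst-port {low}:{high}")
    parts.append(f"--remote-ip {remote_cidr}")
    parts.append(group)
    return " ".join(parts)


def audit(rules_json, group="default", admin_cidr="192.168.0.0/24"):
    """Return (finding, replacement command) pairs for each world-open ingress rule."""
    rules = json.loads(rules_json)
    return [(describe(r), restricted_equivalent(r, group, admin_cidr))
            for r in world_open_ingress(rules)]


if __name__ == "__main__":
    for finding, fix in audit(SAMPLE_RULES_JSON):
        print("world-open ingress:", finding)
        print("   recreate as:    ", fix)
```

Against a live cloud, save `openstack security group rule list --long -f json` to a file and pass its contents to `audit()`; a default group that still has only its four built-in rules yields no findings, and after deleting a flagged rule with `openstack security group rule delete <ID>` the printed replacement recreates it scoped to the admin range.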
2. Launch an instance on a provider network
On the control node, source the demo user's environment variables and check that a flavor is available.
```
[root@node01 ~]# source demo.sh
[root@node01 ~]# openstack flavor list
+----+---------+-----+------+-----------+-------+-----------+
| ID | Name    | RAM | Disk | Ephemeral | VCPUs | Is Public |
+----+---------+-----+------+-----------+-------+-----------+
|  0 | m1.nano |  64 |    1 |         0 |     1 | True      |
+----+---------+-----+------+-----------+-------+-----------+
[root@node01 ~]#
```
Check that an image is available.
```
[root@node01 ~]# openstack image list
+--------------------------------------+--------+--------+
| ID                                   | Name   | Status |
+--------------------------------------+--------+--------+
| 94dd2ba0-1736-4307-865d-7cb86b85d32e | cirros | active |
+--------------------------------------+--------+--------+
[root@node01 ~]#
```
Check that a security group exists.
```
[root@node01 ~]# openstack security group list
+--------------------------------------+---------+------------------------+----------------------------------+------+
| ID                                   | Name    | Description            | Project                          | Tags |
+--------------------------------------+---------+------------------------+----------------------------------+------+
| 06b13f55-8beb-48d4-9994-490acc5488cf | default | Default security group | 1a918887f38a42c28f9d0d3774f34b16 | []   |
+--------------------------------------+---------+------------------------+----------------------------------+------+
[root@node01 ~]#
```
Check whether a network is available.
```
[root@node01 ~]# openstack network list

[root@node01 ~]#
```
Note: the empty result means there is no network the demo project can use yet.
Create the provider network
On the control node, source the admin user's environment variables and create the provider network. Admin is needed here because the provider:* attributes describe physical infrastructure and ordinary project users are not allowed to set them.
```
[root@node01 ~]# source admin.sh
[root@node01 ~]# openstack network create --share --external \
> --provider-physical-network provider \
> --provider-network-type flat provider-net
+---------------------------+--------------------------------------+
| Field                     | Value                                |
+---------------------------+--------------------------------------+
| admin_state_up            | UP                                   |
| availability_zone_hints   |                                      |
| availability_zones        |                                      |
| created_at                | 2020-10-31T09:27:26Z                 |
| description               |                                      |
| dns_domain                | None                                 |
| id                        | d4732915-a968-499d-b34b-00a6fa4c401d |
| ipv4_address_scope        | None                                 |
| ipv6_address_scope        | None                                 |
| is_default                | False                                |
| is_vlan_transparent       | None                                 |
| mtu                       | 1500                                 |
| name                      | provider-net                         |
| port_security_enabled     | True                                 |
| project_id                | b4e56eeb160948c581e98d685133d19a     |
| provider:network_type     | flat                                 |
| provider:physical_network | provider                             |
| provider:segmentation_id  | None                                 |
| qos_policy_id             | None                                 |
| revision_number           | 1                                    |
| router:external           | External                             |
| segments                  | None                                 |
| shared                    | True                                 |
| status                    | ACTIVE                               |
| subnets                   |                                      |
| tags                      |                                      |
| updated_at                | 2020-10-31T09:27:26Z                 |
+---------------------------+--------------------------------------+
[root@node01 ~]#
```
Note: --share makes the network visible to and usable by every project (it is not what bridges the network; the flat type does that). --external marks it as an external network, which lets routers use it as their gateway and lets floating IPs be allocated from it; --internal, the default, creates an internal network instead. --provider-network-type flat creates a flat (untagged) network, and the last argument names it provider-net. One thing to be aware of: because the network is both shared and external, any project can also attach instances to it directly, which places them on the physical LAN with no router in between (demo_vm1 below does exactly that); decide whether that is acceptable before sharing an external network in a real deployment. The value of --provider-physical-network must match the flat_networks setting in the [ml2_type_flat] section of the ml2_conf.ini written when Neutron was configured.
Note: flat_networks in the [ml2_type_flat] section of /etc/neutron/plugins/ml2/ml2_conf.ini must name the same physnet as the part before the colon in physical_interface_mappings under [linux_bridge] in /etc/neutron/plugins/ml2/linuxbridge_agent.ini, which maps that physnet name to the physical interface the bridge is built on.
Note: the physnet name in both files must also be the value given to --provider-physical-network when the network is created. If the three disagree the network is still created, but no agent can bind ports on it and instance creation fails at port binding.
Create the subnet
```
[root@node01 ~]# openstack subnet create --network provider-net \
> --allocation-pool start=192.168.0.100,end=192.168.0.150 \
> --dns-nameserver 61.139.2.69 --gateway 192.168.0.1 \
> --subnet-range 192.168.0.0/24 provider-net-sub
+-------------------+--------------------------------------+
| Field             | Value                                |
+-------------------+--------------------------------------+
| allocation_pools  | 192.168.0.100-192.168.0.150          |
| cidr              | 192.168.0.0/24                       |
| created_at        | 2020-10-31T09:48:35Z                 |
| description       |                                      |
| dns_nameservers   | 61.139.2.69                          |
| enable_dhcp       | True                                 |
| gateway_ip        | 192.168.0.1                          |
| host_routes       |                                      |
| id                | 08341b97-47d0-4c81-bb04-385f36c6b609 |
| ip_version        | 4                                    |
| ipv6_address_mode | None                                 |
| ipv6_ra_mode      | None                                 |
| name              | provider-net-sub                     |
| network_id        | d4732915-a968-499d-b34b-00a6fa4c401d |
| project_id        | b4e56eeb160948c581e98d685133d19a     |
| revision_number   | 0                                    |
| segment_id        | None                                 |
| service_types     |                                      |
| subnetpool_id     | None                                 |
| tags              |                                      |
| updated_at        | 2020-10-31T09:48:35Z                 |
+-------------------+--------------------------------------+
[root@node01 ~]#
```
Note: --network says which network the subnet belongs to, and the name must be the one given when the network was created. Because a provider network is bridged onto a physical NIC, the subnet has to be carved out of the physical network's addressing: the CIDR, gateway and DNS server are those of the real LAN, and the allocation pool should be a range that any DHCP server already on that LAN does not hand out, otherwise Neutron's DHCP and the physical one will issue conflicting leases.
Check: source the demo environment variables and see whether the demo user can now see a network.
```
[root@node01 ~]# source demo.sh
[root@node01 ~]# openstack network list
+--------------------------------------+--------------+--------------------------------------+
| ID                                   | Name         | Subnets                              |
+--------------------------------------+--------------+--------------------------------------+
| d4732915-a968-499d-b34b-00a6fa4c401d | provider-net | 08341b97-47d0-4c81-bb04-385f36c6b609 |
+--------------------------------------+--------------+--------------------------------------+
[root@node01 ~]#
```
Create the instance
```
[root@node01 ~]# openstack server create --flavor m1.nano --image cirros \
> --nic net-id=d4732915-a968-499d-b34b-00a6fa4c401d --security-group default \
> --key-name demo_key demo_vm1
+-----------------------------+-----------------------------------------------+
| Field                       | Value                                         |
+-----------------------------+-----------------------------------------------+
| OS-DCF:diskConfig           | MANUAL                                        |
| OS-EXT-AZ:availability_zone |                                               |
| OS-EXT-STS:power_state      | NOSTATE                                       |
| OS-EXT-STS:task_state       | scheduling                                    |
| OS-EXT-STS:vm_state         | building                                      |
| OS-SRV-USG:launched_at      | None                                          |
| OS-SRV-USG:terminated_at    | None                                          |
| accessIPv4                  |                                               |
| accessIPv6                  |                                               |
| addresses                   |                                               |
| adminPass                   | kCjHs82pTgRp                                  |
| config_drive                |                                               |
| created                     | 2020-10-31T09:55:13Z                          |
| flavor                      | m1.nano (0)                                   |
| hostId                      |                                               |
| id                          | a9f76200-0636-48ab-9eda-69526dab0653          |
| image                       | cirros (94dd2ba0-1736-4307-865d-7cb86b85d32e) |
| key_name                    | demo_key                                      |
| name                        | demo_vm1                                      |
| progress                    | 0                                             |
| project_id                  | 1a918887f38a42c28f9d0d3774f34b16              |
| properties                  |                                               |
| security_groups             | name='06b13f55-8beb-48d4-9994-490acc5488cf'   |
| status                      | BUILD                                         |
| updated                     | 2020-10-31T09:55:13Z                          |
| user_id                     | 5453d68782a34429a7dab7da9c51f0d9              |
| volumes_attached            |                                               |
+-----------------------------+-----------------------------------------------+
[root@node01 ~]#
```
Check the instance status
```
[root@node01 ~]# openstack server list
+--------------------------------------+----------+--------+----------------------------+--------+---------+
| ID                                   | Name     | Status | Networks                   | Image  | Flavor  |
+--------------------------------------+----------+--------+----------------------------+--------+---------+
| a9f76200-0636-48ab-9eda-69526dab0653 | demo_vm1 | ACTIVE | provider-net=192.168.0.103 | cirros | m1.nano |
+--------------------------------------+----------+--------+----------------------------+--------+---------+
[root@node01 ~]#
```
Note: demo_vm1 is ACTIVE, attached to provider-net with the address 192.168.0.103, built from the cirros image with the m1.nano flavor. Also note the adminPass value in the create output: it is the instance's initial administrative password, shown exactly once, and it ends up in the terminal scrollback and in anything that logs this output. Treat it as a secret even though CirrOS does not apply it (CirrOS is logged into with the key pair); other images may.
Check: on the compute node, use virsh to see whether the instance is visible.
```
[root@node03 ~]# virsh list
 Id    Name                           State
----------------------------------------------------
 1     instance-00000001              running

[root@node03 ~]#
```
Note: on the compute node libvirt uses its own naming for the domain (instance-<8 hex digits>, unrelated to the name given in OpenStack); the output shows one instance in the running state.
Check: ping the instance's address from another host.
```
[root@node02 ~]# ping 192.168.0.103
PING 192.168.0.103 (192.168.0.103) 56(84) bytes of data.
64 bytes from 192.168.0.103: icmp_seq=1 ttl=64 time=7.14 ms
64 bytes from 192.168.0.103: icmp_seq=2 ttl=64 time=1.92 ms
64 bytes from 192.168.0.103: icmp_seq=3 ttl=64 time=0.905 ms
^C
--- 192.168.0.103 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 0.905/3.325/7.148/2.735 ms
[root@node02 ~]#
```
Show the instance's VNC console URL
```
[root@node01 ~]# openstack console url show demo_vm1
+-------+-------------------------------------------------------------------------------------------+
| Field | Value                                                                                     |
+-------+-------------------------------------------------------------------------------------------+
| type  | novnc                                                                                     |
| url   | http://controller:6080/vnc_auto.html?path=%3Ftoken%3Dbe38cbc9-7742-41b4-aef4-2d94ea510ca8 |
+-------+-------------------------------------------------------------------------------------------+
[root@node01 ~]#
```
Open the URL in a browser and check whether it reaches the instance's VNC console. The token in the URL is the only thing the noVNC proxy checks: whoever holds it has console access until the token expires (10 minutes by default), and the console of a CirrOS instance gives a shell that can sudo to root without a password. The URL is also served over plain HTTP here, so do not paste these URLs into tickets or chat, and put TLS in front of the proxy outside a lab.
Note: to open it from Windows, add a hosts entry on the Windows machine that resolves the name controller.
Check: log in to the instance from the console and see whether it can reach external networks.
Note: the instance pings external addresses normally, and the address it obtained is in the same subnet as the hosts; the instance launched on the provider network is working.
Check: ssh to the instance from the control node and see whether the key-based login works.
```
[root@node01 ~]# ssh cirros@192.168.0.103
The authenticity of host '192.168.0.103 (192.168.0.103)' can't be established.
ECDSA key fingerprint is SHA256:NnU0otuUa4VYObeLL4BmFMdHEvgsdvMzZadGnP/xcW4.
ECDSA key fingerprint is MD5:e3:b5:be:67:99:cb:12:f4:3f:dd:ad:af:2c:86:7d:c7.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.0.103' (ECDSA) to the list of known hosts.
$ sudo su -
# ifconfig
eth0      Link encap:Ethernet  HWaddr FA:16:3E:03:80:17
          inet addr:192.168.0.103  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::f816:3eff:fe03:8017/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:173 errors:0 dropped:0 overruns:0 frame:0
          TX packets:177 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:20633 (20.1 KiB)  TX bytes:17495 (17.0 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

# exit
$ exit
Connection to 192.168.0.103 closed.
[root@node01 ~]#
```
Note: the passwordless login from the control node works because the private key matching demo_key lives there, and because at boot the instance fetched the public key through the metadata service (CirrOS, like cloud-init, queries 169.254.169.254, or reads a config drive if one is attached) and wrote it to the cirros user's authorized_keys; Nova does not write the key into the disk image. The successful connection also proves the tcp/22 rule added to the default group is effective. Two things to notice in the session: we answered the host-key prompt with yes without checking the fingerprint, which is precisely the gap a man-in-the-middle on the LAN exploits, and `sudo su -` gives root without a password, which is how the CirrOS test image ships. That completes launching an instance on a provider network.
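Whether the fingerprint in that prompt really belongs to the instance is something you can check, because CirrOS (like cloud-init) prints the host public keys on the serial console at boot and `openstack console log show demo_vm1` returns that console output. The script below is an added example, not from the original post: it pulls the keys from between the BEGIN/END SSH HOST KEY KEYS markers, computes the SHA256 and MD5 fingerprints the way OpenSSH displays them, and compares them with what the prompt showed. The console text and the ed25519 key in it are constructed, not demo_vm1's real key, and the marker lines are assumed from the CirrOS/cloud-init format.

```python
"""Verify an SSH host-key fingerprint against the keys a guest printed
on its console before answering "yes" to the ssh prompt.

Added example, not code from the original post. It assumes the guest
prints its host keys between "-----BEGIN SSH HOST KEY KEYS-----" and
"-----END SSH HOST KEY KEYS-----" (the CirrOS/cloud-init convention),
which `openstack console log show <server>` returns. The console log
and the key in it are constructed, not a real instance's key.
"""
import base64
import hashlib
import re
import struct


def _ssh_string(b):
    """SSH wire encoding: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


# Constructed ed25519 host key blob: type string + 32 fixed key bytes.
# Real keys have the same layout, only the 32 bytes are random.
_FAKE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
FAKE_KEY_B64 = base64.b64encode(_FAKE_BLOB).decode()

# Constructed console output in the shape cirros prints at boot.
SAMPLE_CONSOLE_LOG = f"""=== network info ===
if-info: eth0,up,192.168.0.103,24,fe80::f816:3eff:fe03:8017/64,
-----BEGIN SSH HOST KEY KEYS-----
ssh-ed25519 {FAKE_KEY_B64} root@cirros
-----END SSH HOST KEY KEYS-----
=== system information ===
"""

KEY_BLOCK = re.compile(
    r"-----BEGIN SSH HOST KEY KEYS-----(.*?)-----END SSH HOST KEY KEYS-----", re.S)
KEY_LINE = re.compile(r"^(ssh-[\w-]+|ecdsa-sha2-[\w-]+)\s+([A-Za-z0-9+/=]+)", re.M)
PROMPT_FP = re.compile(r"key fingerprint is (SHA256:[A-Za-z0-9+/]+|MD5:[0-9a-f:]+)")


def parse_host_keys(console_log):
    """Return [(key_type, base64_blob), ...] found in the console output."""
    m = KEY_BLOCK.search(console_log)
    return KEY_LINE.findall(m.group(1)) if m else []


def fingerprint_sha256(b64_blob):
    """OpenSSH style: SHA256 of the raw blob, base64 without '=' padding."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(b64_blob):
    """Legacy OpenSSH style: colon-separated hex of the MD5 of the blob."""
    hexd = hashlib.md5(base64.b64decode(b64_blob)).hexdigest()
    return "MD5:" + ":".join(hexd[i:i + 2] for i in range(0, 32, 2))


def fingerprint_from_prompt(prompt_text):
    """Extract the SHA256: or MD5: fingerprint from an ssh host-key prompt."""
    m = PROMPT_FP.search(prompt_text)
    return m.group(1) if m else None


def prompt_matches_console(prompt_text, console_log):
    """True only if the prompt's fingerprint belongs to a key the guest printed."""
    wanted = fingerprint_from_prompt(prompt_text)
    if wanted is None:
        return False
    for _key_type, b64 in parse_host_keys(console_log):
        if wanted in (fingerprint_sha256(b64), fingerprint_md5(b64)):
            return True
    return False


if __name__ == "__main__":
    for key_type, b64 in parse_host_keys(SAMPLE_CONSOLE_LOG):
        print(key_type, fingerprint_sha256(b64), fingerprint_md5(b64))
```

On a real instance, capture the prompt text from your ssh session and the console with `openstack console log show demo_vm1`, then only answer yes when `prompt_matches_console()` returns True; a mismatch means you are not talking to the instance's own sshd.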
3. Launch an instance on a self-service network
On the control node, source the demo user's environment variables and create the self-service network.
```
[root@node01 ~]# source demo.sh
[root@node01 ~]# openstack network create demo_selfservice_net
+---------------------------+--------------------------------------+
| Field                     | Value                                |
+---------------------------+--------------------------------------+
| admin_state_up            | UP                                   |
| availability_zone_hints   |                                      |
| availability_zones        |                                      |
| created_at                | 2020-10-31T10:33:55Z                 |
| description               |                                      |
| dns_domain                | None                                 |
| id                        | ad433d82-6fe1-4e51-9fe2-4cfa0fa2040d |
| ipv4_address_scope        | None                                 |
| ipv6_address_scope        | None                                 |
| is_default                | False                                |
| is_vlan_transparent       | None                                 |
| mtu                       | 1450                                 |
| name                      | demo_selfservice_net                 |
| port_security_enabled     | True                                 |
| project_id                | 1a918887f38a42c28f9d0d3774f34b16     |
| provider:network_type     | None                                 |
| provider:physical_network | None                                 |
| provider:segmentation_id  | None                                 |
| qos_policy_id             | None                                 |
| revision_number           | 1                                    |
| router:external           | Internal                             |
| segments                  | None                                 |
| shared                    | False                                |
| status                    | ACTIVE                               |
| subnets                   |                                      |
| tags                      |                                      |
| updated_at                | 2020-10-31T10:33:55Z                 |
+---------------------------+--------------------------------------+
[root@node01 ~]#
```
Note: before creating a self-service network make sure that tenant_network_types = vxlan is set in the [ml2] section of /etc/neutron/plugins/ml2/ml2_conf.ini and that a VNI range is configured under [ml2_type_vxlan] (vni_ranges). Two details in the output confirm the VXLAN type driver was used even though the demo user cannot see it: the provider:* attributes show None because they are admin-only (the admin user would see vxlan and a segmentation ID), and the MTU of 1450 is 1500 minus the 50-byte VXLAN encapsulation overhead.
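As an added example (not from the original post), the following script checks both prerequisites this post describes in one place: the flat physnet consistency required earlier for provider-net (flat_networks in ml2_conf.ini, physical_interface_mappings in linuxbridge_agent.ini and the --provider-physical-network value all have to name the same physnet) and the VXLAN settings required here. The file contents are constructed samples; the interface name ens33, the local_ip and the VNI range 1:1000 are assumptions, and the file paths are the ones the post names.

```python
"""Consistency checks for the Neutron ML2 / Linux bridge settings that
the two network types in this post depend on.

Added example, not code from the original post. It parses the two ini
files with configparser. The sample contents are constructed; ens33,
local_ip and the VNI range are assumptions, the paths are the ones the
post names.
"""
import configparser

ML2_CONF = "/etc/neutron/plugins/ml2/ml2_conf.ini"
LB_AGENT_CONF = "/etc/neutron/plugins/ml2/linuxbridge_agent.ini"

# Constructed sample of the relevant sections of ml2_conf.ini.
SAMPLE_ML2 = """
[ml2]
type_drivers = flat,vlan,vxlan
tenant_network_types = vxlan
mechanism_drivers = linuxbridge,l2population

[ml2_type_flat]
flat_networks = provider

[ml2_type_vxlan]
vni_ranges = 1:1000
"""

# Constructed sample of linuxbridge_agent.ini; ens33 and local_ip are assumed.
SAMPLE_LB = """
[linux_bridge]
physical_interface_mappings = provider:ens33

[vxlan]
enable_vxlan = true
local_ip = 192.168.0.41
l2_population = true
"""


def load(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def csv(cp, section, option):
    """Split a comma-separated oslo.config value into a list of tokens."""
    return [v.strip() for v in cp.get(section, option, fallback="").split(",") if v.strip()]


def check_flat_physnet(ml2_text, lb_text, physnet):
    """Return the interface backing `physnet`, or raise ValueError.

    The name passed to --provider-physical-network must be listed in
    [ml2_type_flat] flat_networks ("*" means any) and must have an entry
    in [linux_bridge] physical_interface_mappings; otherwise the network
    is created but port binding on it fails.
    """
    ml2, lb = load(ml2_text), load(lb_text)
    if "flat" not in csv(ml2, "ml2", "type_drivers"):
        raise ValueError("flat type driver not enabled in [ml2] type_drivers")
    flat = csv(ml2, "ml2_type_flat", "flat_networks")
    if "*" not in flat and physnet not in flat:
        raise ValueError(f"{physnet!r} not in flat_networks={flat}")
    mappings = dict(m.split(":", 1) for m in csv(lb, "linux_bridge", "physical_interface_mappings"))
    if physnet not in mappings:
        raise ValueError(f"{physnet!r} has no physical_interface_mappings entry")
    return mappings[physnet]


def check_vxlan_ready(ml2_text, lb_text):
    """Return the configured VNI ranges if self-service VXLAN networks can be created.

    Requires vxlan in both type_drivers and tenant_network_types, a valid
    non-empty vni_ranges, and the agent side enabled with a local_ip.
    """
    ml2, lb = load(ml2_text), load(lb_text)
    if "vxlan" not in csv(ml2, "ml2", "type_drivers"):
        raise ValueError("vxlan type driver not enabled in [ml2] type_drivers")
    if "vxlan" not in csv(ml2, "ml2", "tenant_network_types"):
        raise ValueError("tenant_network_types does not include vxlan")
    ranges = []
    for r in csv(ml2, "ml2_type_vxlan", "vni_ranges"):
        lo, hi = (int(x) for x in r.split(":"))
        if not 1 <= lo <= hi <= 2 ** 24 - 1:  # VNI is a 24-bit field
            raise ValueError(f"bad vni range {r}")
        ranges.append((lo, hi))
    if not ranges:
        raise ValueError("[ml2_type_vxlan] vni_ranges is empty")
    if not lb.getboolean("vxlan", "enable_vxlan", fallback=False):
        raise ValueError("[vxlan] enable_vxlan is not true in the agent config")
    if not lb.get("vxlan", "local_ip", fallback=""):
        raise ValueError("[vxlan] local_ip is not set in the agent config")
    return ranges


if __name__ == "__main__":
    print("provider physnet ->", check_flat_physnet(SAMPLE_ML2, SAMPLE_LB, "provider"))
    print("vxlan VNI ranges  ->", check_vxlan_ready(SAMPLE_ML2, SAMPLE_LB))
```

On a node, pass the real files instead of the samples: `check_flat_physnet(open(ML2_CONF).read(), open(LB_AGENT_CONF).read(), "provider")` on the control node and on every compute node, since each agent reads its own linuxbridge_agent.ini and a mismatch on one compute node only shows up when the scheduler happens to pick it.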
Create the subnet
```
[root@node01 ~]# openstack subnet create --network demo_selfservice_net \
> --dns-nameserver 61.139.2.69 --gateway 10.0.0.254 \
> --subnet-range 10.0.0.0/8 demo_selfservice_net_sub
+-------------------+-----------------------------------------------+
| Field             | Value                                         |
+-------------------+-----------------------------------------------+
| allocation_pools  | 10.0.0.255-10.255.255.254,10.0.0.1-10.0.0.253 |
| cidr              | 10.0.0.0/8                                    |
| created_at        | 2020-10-31T10:42:52Z                          |
| description       |                                               |
| dns_nameservers   | 61.139.2.69                                   |
| enable_dhcp       | True                                          |
| gateway_ip        | 10.0.0.254                                    |
| host_routes       |                                               |
| id                | 1f2e1eca-d827-4d30-8c33-2ed1a5420d86          |
| ip_version        | 4                                             |
| ipv6_address_mode | None                                          |
| ipv6_ra_mode      | None                                          |
| name              | demo_selfservice_net_sub                      |
| network_id        | ad433d82-6fe1-4e51-9fe2-4cfa0fa2040d          |
| project_id        | 1a918887f38a42c28f9d0d3774f34b16              |
| revision_number   | 0                                             |
| segment_id        | None                                          |
| service_types     |                                               |
| subnetpool_id     | None                                          |
| tags              |                                               |
| updated_at        | 2020-10-31T10:42:52Z                          |
+-------------------+-----------------------------------------------+
[root@node01 ~]#
```
Note: here we do not need the admin environment variables; the demo user's suffice, because a self-service network is a tenant network managed by the tenant itself. The 10.0.0.0/8 range used here is far larger than needed; the two allocation pools in the output are simply the /8 with the gateway 10.0.0.254 cut out of it. A /24 is the usual choice and keeps the broadcast domain and the DHCP range small.
Create a virtual router
```
[root@node01 ~]# openstack router create demo_selfservice_net_sub_router1
+-------------------------+--------------------------------------+
| Field                   | Value                                |
+-------------------------+--------------------------------------+
| admin_state_up          | UP                                   |
| availability_zone_hints |                                      |
| availability_zones      |                                      |
| created_at              | 2020-10-31T10:48:53Z                 |
| description             |                                      |
| external_gateway_info   | None                                 |
| flavor_id               | None                                 |
| id                      | 2c288a0c-c2ce-4bca-b0a8-d795844ea3e6 |
| name                    | demo_selfservice_net_sub_router1     |
| project_id              | 1a918887f38a42c28f9d0d3774f34b16     |
| revision_number         | 1                                    |
| routes                  |                                      |
| status                  | ACTIVE                               |
| tags                    |                                      |
| updated_at              | 2020-10-31T10:48:53Z                 |
+-------------------------+--------------------------------------+
[root@node01 ~]#
```
Add the subnet created above to the router
```
[root@node01 ~]# openstack router add subnet demo_selfservice_net_sub_router1 demo_selfservice_net_sub
[root@node01 ~]#
```
Note: openstack router add subnet takes the router's name (or ID) followed by the subnet's name (or ID); it creates the router's internal interface on that subnet, which takes the subnet's gateway address, 10.0.0.254.
Set the router's upstream network, much like configuring the WAN port of a home router
```
[root@node01 ~]# openstack router set demo_selfservice_net_sub_router1 --external-gateway provider-net
[root@node01 ~]#
```
The virtual router is now created and configured. --external-gateway attaches the router to provider-net: it receives a port with an address from provider-net-sub, and SNAT is enabled by default, so instances on the tenant subnet reach the outside through that address while nothing outside can initiate connections to them.
Check: on the control node, source the admin user's environment variables and look at the network namespaces.
```
[root@node01 ~]# source admin.sh
[root@node01 ~]# ip netns
qrouter-2c288a0c-c2ce-4bca-b0a8-d795844ea3e6 (id: 2)
qdhcp-ad433d82-6fe1-4e51-9fe2-4cfa0fa2040d (id: 1)
qdhcp-d4732915-a968-499d-b34b-00a6fa4c401d (id: 0)
[root@node01 ~]#
```
Note: one qrouter namespace (the router we created, named after its ID) plus two qdhcp namespaces (one DHCP server per network with a DHCP-enabled subnet) means the virtual router was set up correctly. The namespaces exist on the node that runs the L3 and DHCP agents, here the control node; `ip netns` itself does not need the admin credentials, only root on that node.
Check: list the router's ports and see whether they carry the addresses we configured.
```
[root@node01 ~]# openstack port list --router demo_selfservice_net_sub_router1
+--------------------------------------+------+-------------------+------------------------------------------------------------------------------+--------+
| ID                                   | Name | MAC Address       | Fixed IP Addresses                                                           | Status |
+--------------------------------------+------+-------------------+------------------------------------------------------------------------------+--------+
| 111f53eb-4b47-4f15-8141-f2a500db1103 |      | fa:16:3e:21:af:3c | ip_address='10.0.0.254', subnet_id='1f2e1eca-d827-4d30-8c33-2ed1a5420d86'    | ACTIVE |
| ab87a282-b78b-4193-8873-c9336aaaf04e |      | fa:16:3e:ae:31:03 | ip_address='192.168.0.107', subnet_id='08341b97-47d0-4c81-bb04-385f36c6b609' | ACTIVE |
+--------------------------------------+------+-------------------+------------------------------------------------------------------------------+--------+
[root@node01 ~]#
```
Check: view the router's network interfaces
```
[root@node01 ~]# ip netns exec qrouter-2c288a0c-c2ce-4bca-b0a8-d795844ea3e6 ifconfig
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

qg-ab87a282-b7: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.107  netmask 255.255.255.0  broadcast 192.168.0.255
        inet6 fe80::f816:3eff:feae:3103  prefixlen 64  scopeid 0x20<link>
        ether fa:16:3e:ae:31:03  txqueuelen 1000  (Ethernet)
        RX packets 215  bytes 76407 (74.6 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 22  bytes 1452 (1.4 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

qr-111f53eb-4b: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1450
        inet 10.0.0.254  netmask 255.0.0.0  broadcast 10.255.255.255
        inet6 fe80::f816:3eff:fe21:af3c  prefixlen 64  scopeid 0x20<link>
        ether fa:16:3e:21:af:3c  txqueuelen 1000  (Ethernet)
        RX packets 109  bytes 9850 (9.6 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 79  bytes 8047 (7.8 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[root@node01 ~]#
```
The qg- interface (gateway side, on provider-net) has the MTU 1500 of the physical network, while the qr- interface (router side, on the VXLAN tenant network) has 1450; the interface names are the first 11 characters of the port IDs listed above.
Check: ping the router's external address from another host.
```
[root@node03 ~]# ping 192.168.0.107
PING 192.168.0.107 (192.168.0.107) 56(84) bytes of data.
64 bytes from 192.168.0.107: icmp_seq=1 ttl=64 time=1.63 ms
64 bytes from 192.168.0.107: icmp_seq=2 ttl=64 time=1.16 ms
^C
--- 192.168.0.107 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 1.161/1.397/1.633/0.236 ms
[root@node03 ~]#
```
The self-service network is now complete.
Launch an instance
On the control node, source the demo user's environment variables and check the networks available.
```
[root@node01 ~]# source demo.sh
[root@node01 ~]# openstack network list
+--------------------------------------+----------------------+--------------------------------------+
| ID                                   | Name                 | Subnets                              |
+--------------------------------------+----------------------+--------------------------------------+
| ad433d82-6fe1-4e51-9fe2-4cfa0fa2040d | demo_selfservice_net | 1f2e1eca-d827-4d30-8c33-2ed1a5420d86 |
| d4732915-a968-499d-b34b-00a6fa4c401d | provider-net         | 08341b97-47d0-4c81-bb04-385f36c6b609 |
+--------------------------------------+----------------------+--------------------------------------+
[root@node01 ~]#
```
Note: there is now one more network to choose from.
Create the instance
```
[root@node01 ~]# openstack server create --flavor m1.nano --image cirros \
> --nic net-id=ad433d82-6fe1-4e51-9fe2-4cfa0fa2040d --security-group default \
> --key-name demo_key demo_vm2
+-----------------------------+-----------------------------------------------+
| Field                       | Value                                         |
+-----------------------------+-----------------------------------------------+
| OS-DCF:diskConfig           | MANUAL                                        |
| OS-EXT-AZ:availability_zone |                                               |
| OS-EXT-STS:power_state      | NOSTATE                                       |
| OS-EXT-STS:task_state       | scheduling                                    |
| OS-EXT-STS:vm_state         | building                                      |
| OS-SRV-USG:launched_at      | None                                          |
| OS-SRV-USG:terminated_at    | None                                          |
| accessIPv4                  |                                               |
| accessIPv6                  |                                               |
| addresses                   |                                               |
| adminPass                   | BwSt52FxL4Nk                                  |
| config_drive                |                                               |
| created                     | 2020-10-31T11:10:59Z                          |
| flavor                      | m1.nano (0)                                   |
| hostId                      |                                               |
| id                          | 3f220e22-50ce-4068-9b0b-cd9c07446e6c          |
| image                       | cirros (94dd2ba0-1736-4307-865d-7cb86b85d32e) |
| key_name                    | demo_key                                      |
| name                        | demo_vm2                                      |
| progress                    | 0                                             |
| project_id                  | 1a918887f38a42c28f9d0d3774f34b16              |
| properties                  |                                               |
| security_groups             | name='06b13f55-8beb-48d4-9994-490acc5488cf'   |
| status                      | BUILD                                         |
| updated                     | 2020-10-31T11:10:59Z                          |
| user_id                     | 5453d68782a34429a7dab7da9c51f0d9              |
| volumes_attached            |                                               |
+-----------------------------+-----------------------------------------------+
[root@node01 ~]#
```
List the current user's instances
```
[root@node01 ~]# openstack server list
+--------------------------------------+----------+--------+-------------------------------+--------+---------+
| ID                                   | Name     | Status | Networks                      | Image  | Flavor  |
+--------------------------------------+----------+--------+-------------------------------+--------+---------+
| 3f220e22-50ce-4068-9b0b-cd9c07446e6c | demo_vm2 | ACTIVE | demo_selfservice_net=10.0.1.2 | cirros | m1.nano |
| a9f76200-0636-48ab-9eda-69526dab0653 | demo_vm1 | ACTIVE | provider-net=192.168.0.103    | cirros | m1.nano |
+--------------------------------------+----------+--------+-------------------------------+--------+---------+
[root@node01 ~]#
```
Note: demo_vm2 is running and was given the address 10.0.1.2 from the tenant subnet.
Show the instance's VNC console URL
```
[root@node01 ~]# openstack console url show demo_vm2
+-------+-------------------------------------------------------------------------------------------+
| Field | Value                                                                                     |
+-------+-------------------------------------------------------------------------------------------+
| type  | novnc                                                                                     |
| url   | http://controller:6080/vnc_auto.html?path=%3Ftoken%3D96aa104b-c603-41ee-aaa5-1e1bbc0e522f |
+-------+-------------------------------------------------------------------------------------------+
[root@node01 ~]#
```
Check: open the URL in a browser and see whether it reaches the instance's VNC console. The same caution as for demo_vm1 applies: the token in the URL is a bearer credential for the console.
Note: the returned URL reaches the console of demo_vm2.
Check: log in to the instance from the console and confirm its address is on the network we chose.
Check: can it communicate with external networks?
Note: the instance communicates with external networks normally, which means its traffic is leaving through the router's SNAT.
Check the instance's routing table to confirm the default gateway is the one we configured for the subnet, 10.0.0.254.
Check: ssh to demo_vm2 from the control node and see whether it connects.
Note: clearly the instance cannot be reached from the external network. 10.0.1.2 sits on the VXLAN tenant network behind the router, which only translates outbound connections; nothing outside has a route to it. That is exactly the isolation a self-service network gives you.
Use the router's network namespace to connect to the instance
```
[root@node01 ~]# ip netns
qrouter-2c288a0c-c2ce-4bca-b0a8-d795844ea3e6 (id: 2)
qdhcp-ad433d82-6fe1-4e51-9fe2-4cfa0fa2040d (id: 1)
qdhcp-d4732915-a968-499d-b34b-00a6fa4c401d (id: 0)
[root@node01 ~]# ip netns exec qrouter-2c288a0c-c2ce-4bca-b0a8-d795844ea3e6 ssh cirros@10.0.1.2
The authenticity of host '10.0.1.2 (10.0.1.2)' can't be established.
ECDSA key fingerprint is SHA256:7jOPWda8qBsteCnjUOHFvwq0YLeZzSOh2Sd7qJlMCFU.
ECDSA key fingerprint is MD5:24:ec:79:49:99:62:74:e3:20:ad:ba:94:4c:b5:fb:c5.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.1.2' (ECDSA) to the list of known hosts.
$ sudo su -
# ifconfig
eth0      Link encap:Ethernet  HWaddr FA:16:3E:70:34:63
          inet addr:10.0.1.2  Bcast:10.255.255.255  Mask:255.0.0.0
          inet6 addr: fe80::f816:3eff:fe70:3463/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1450  Metric:1
          RX packets:153 errors:0 dropped:0 overruns:0 frame:0
          TX packets:165 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:20183 (19.7 KiB)  TX bytes:17629 (17.2 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

# exit
$ ex
Connection to 10.0.1.2 closed.
[root@node01 ~]#
```
Note: from inside the virtual router's namespace the instance is reachable. Be clear about what this shows: anyone with root on the node hosting the qrouter namespace can reach every instance on every tenant network behind that router (security groups still apply, but the router's own address is a legitimate source inside the tenant subnet). Tenant network isolation protects tenants from each other; it does not protect them from the operator of the network node.
Set up a one-to-one NAT so that the external network can reach the instance
Create a floating IP on provider-net; it is the address external traffic will use to reach the internal instance.
```
[root@node01 ~]# openstack floating ip create provider-net
+---------------------+--------------------------------------+
| Field               | Value                                |
+---------------------+--------------------------------------+
| created_at          | 2020-10-31T12:29:44Z                 |
| description         |                                      |
| dns_domain          | None                                 |
| dns_name            | None                                 |
| fixed_ip_address    | None                                 |
| floating_ip_address | 192.168.0.104                        |
| floating_network_id | d4732915-a968-499d-b34b-00a6fa4c401d |
| id                  | 1bedaaf8-5bdf-492b-8e8b-d009dd62a93f |
| name                | 192.168.0.104                        |
| port_details        | None                                 |
| port_id             | None                                 |
| project_id          | 1a918887f38a42c28f9d0d3774f34b16     |
| qos_policy_id       | None                                 |
| revision_number     | 0                                    |
| router_id           | None                                 |
| status              | DOWN                                 |
| subnet_id           | None                                 |
| tags                | []                                   |
| updated_at          | 2020-10-31T12:29:44Z                 |
+---------------------+--------------------------------------+
[root@node01 ~]#
```
Note: the floating IP allocated is 192.168.0.104, taken from provider-net-sub's allocation pool; it stays DOWN until it is associated with a port.
Associate the floating IP with the instance
```
[root@node01 ~]# openstack server add floating ip demo_vm2 192.168.0.104
[root@node01 ~]#
```
List the current user's instances again
```
[root@node01 ~]# openstack server list
+--------------------------------------+----------+--------+----------------------------------------------+--------+---------+
| ID                                   | Name     | Status | Networks                                     | Image  | Flavor  |
+--------------------------------------+----------+--------+----------------------------------------------+--------+---------+
| 3f220e22-50ce-4068-9b0b-cd9c07446e6c | demo_vm2 | ACTIVE | demo_selfservice_net=10.0.1.2, 192.168.0.104 | cirros | m1.nano |
| a9f76200-0636-48ab-9eda-69526dab0653 | demo_vm1 | ACTIVE | provider-net=192.168.0.103                   | cirros | m1.nano |
+--------------------------------------+----------+--------+----------------------------------------------+--------+---------+
[root@node01 ~]#
```
Note: the floating IP is now listed next to demo_vm2's port. It is not configured inside the guest, which still only knows 10.0.1.2; the router translates between the two addresses.
Check: ping 192.168.0.104 from another host.
```
[root@node02 ~]# ping 192.168.0.104
PING 192.168.0.104 (192.168.0.104) 56(84) bytes of data.
64 bytes from 192.168.0.104: icmp_seq=1 ttl=63 time=5.82 ms
64 bytes from 192.168.0.104: icmp_seq=2 ttl=63 time=2.07 ms
64 bytes from 192.168.0.104: icmp_seq=3 ttl=63 time=2.62 ms
^C
--- 192.168.0.104 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2004ms
rtt min/avg/max/mdev = 2.071/3.504/5.820/1.653 ms
[root@node02 ~]#
```
Check: ssh to 192.168.0.104 from a host outside the tenant network and see whether it lands on the instance.
```
[root@node01 ~]# ssh cirros@192.168.0.104
The authenticity of host '192.168.0.104 (192.168.0.104)' can't be established.
ECDSA key fingerprint is SHA256:7jOPWda8qBsteCnjUOHFvwq0YLeZzSOh2Sd7qJlMCFU.
ECDSA key fingerprint is MD5:24:ec:79:49:99:62:74:e3:20:ad:ba:94:4c:b5:fb:c5.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.0.104' (ECDSA) to the list of known hosts.
$ ifconfig
eth0      Link encap:Ethernet  HWaddr FA:16:3E:70:34:63
          inet addr:10.0.1.2  Bcast:10.255.255.255  Mask:255.0.0.0
          inet6 addr: fe80::f816:3eff:fe70:3463/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1450  Metric:1
          RX packets:376 errors:0 dropped:0 overruns:0 frame:0
          TX packets:317 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:46715 (45.6 KiB)  TX bytes:38361 (37.4 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

$ exit
Connection to 192.168.0.104 closed.
[root@node01 ~]#
```
Note: a host outside the tenant network can now talk to the instance directly through the floating IP. Two details in the output confirm what is happening: the ping replies arrive with ttl=63 rather than the 64 seen for demo_vm1, one hop lower because they pass through the router namespace, and the ECDSA fingerprint presented on 192.168.0.104 (SHA256:7jOPW...) is identical to the one seen on 10.0.1.2 from inside the router namespace, so the floating address really terminates at demo_vm2 and not at something else on the LAN. When the floating IP was associated, the L3 agent added a DNAT rule to the nat table of the router namespace translating 192.168.0.104 to the fixed address 10.0.1.2, together with a matching SNAT rule so that the instance's own outbound traffic leaves with the floating address rather than the router's gateway address 192.168.0.107.
Note: that DNAT rule is why connecting to the floating IP from the external network reaches the instance on the tenant network. Keep in mind that the floating IP is reachable by anything on the physical LAN, so the rules we added to the default group (tcp/22 and icmp from 0.0.0.0/0) now apply to demo_vm2 just as they do to demo_vm1; the security group, not the router, is what limits who may reach the floating address.
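To see the translation the L3 agent installed, run `ip netns exec qrouter-<id> iptables-save -t nat` in the router namespace. The script below is an added example, not from the original post: it parses that output into a floating-to-fixed (DNAT) map and a fixed-to-floating (SNAT) map and checks that the two agree, which is the one-to-one property this section relies on. The sample table is constructed in the form neutron's L3 agent writes its chains, using the addresses from this post; treat the chain names and the metadata REDIRECT line as assumptions about your Neutron version.

```python
"""Extract the floating-IP NAT mappings from a router namespace's nat
table and check that they are one-to-one.

Added example, not code from the original post. Input is the output of
`ip netns exec qrouter-<id> iptables-save -t nat`. The sample is
constructed in the form neutron's L3 agent writes its chains, with the
addresses used in the post; chain names are an assumption.
"""
import re

# Constructed sample after demo_vm2 was given the floating IP 192.168.0.104.
SAMPLE_NAT = """
*nat
:PREROUTING ACCEPT [0:0]
:neutron-l3-agent-PREROUTING - [0:0]
:neutron-l3-agent-float-snat - [0:0]
:neutron-l3-agent-snat - [0:0]
-A PREROUTING -j neutron-l3-agent-PREROUTING
-A neutron-l3-agent-PREROUTING -d 169.254.169.254/32 -i qr-+ -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697
-A neutron-l3-agent-PREROUTING -d 192.168.0.104/32 -j DNAT --to-destination 10.0.1.2
-A neutron-l3-agent-OUTPUT -d 192.168.0.104/32 -j DNAT --to-destination 10.0.1.2
-A neutron-l3-agent-float-snat -s 10.0.1.2/32 -j SNAT --to-source 192.168.0.104
-A neutron-l3-agent-snat -o qg-ab87a282-b7 -j SNAT --to-source 192.168.0.107
COMMIT
"""

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"
# Only /32 destination or source matches are floating-IP rules; the
# router's interface-wide SNAT (-o qg-...) and the metadata REDIRECT
# do not match these patterns.
DNAT = re.compile(r"^-A \S+ -d " + IPV4 + r"/32.*? -j DNAT --to-destination " + IPV4, re.M)
SNAT = re.compile(r"^-A \S+ -s " + IPV4 + r"/32.*? -j SNAT --to-source " + IPV4, re.M)


def parse_floating_nat(nat_save):
    """Return (dnat, snat): {floating: {fixed,...}} and {fixed: {floating,...}}."""
    dnat, snat = {}, {}
    for floating, fixed in DNAT.findall(nat_save):
        dnat.setdefault(floating, set()).add(fixed)
    for fixed, floating in SNAT.findall(nat_save):
        snat.setdefault(fixed, set()).add(floating)
    return dnat, snat


def check_one_to_one(dnat, snat):
    """List inconsistencies: each floating IP must DNAT to exactly one fixed
    IP, and that fixed IP must SNAT back to the same floating IP."""
    problems = []
    for floating, fixeds in dnat.items():
        if len(fixeds) != 1:
            problems.append(f"{floating} DNATs to several fixed IPs: {sorted(fixeds)}")
            continue
        fixed = next(iter(fixeds))
        if snat.get(fixed) != {floating}:
            problems.append(f"{floating} -> {fixed} has no matching SNAT back")
    for fixed, floatings in snat.items():
        for floating in floatings:
            if floating not in dnat:
                problems.append(f"SNAT {fixed} -> {floating} without DNAT")
    return problems


def floating_map(nat_save):
    """Return {floating: fixed} for a consistent table, else raise ValueError."""
    dnat, snat = parse_floating_nat(nat_save)
    problems = check_one_to_one(dnat, snat)
    if problems:
        raise ValueError("; ".join(problems))
    return {floating: next(iter(fixeds)) for floating, fixeds in dnat.items()}


if __name__ == "__main__":
    for floating, fixed in floating_map(SAMPLE_NAT).items():
        print(f"{floating} <-> {fixed}")
```

Compare the result with `openstack floating ip list` for the project: every row there with a fixed IP should appear in the map, and any extra DNAT entry in the namespace is something to investigate.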
That completes configuring and testing an instance launched on a self-service network.