Verifying VPC L2 and L3 Communication on a Single-Node Community OpenStack Environment

Information security at my company is strict, nothing like the openness of my previous internet employer, and since leaving there I have not even had a test environment of my own to play with. So I recently rebuilt a single-node environment with devstack on my own machine. For an OpenStack fan this is hard to beat: a single VM with under 4 GB of RAM is enough for a complete OpenStack environment. It cannot be distributed (anyone with the enthusiasm could build one step by step from several low-memory VMs), but for learning or brushing up on the relevant knowledge it is very convenient.

The previous post solved the problem of the public IP inside the VM, so testing is now straightforward: create a VPC and a router, boot VMs, and test connectivity. To test L3, attach two subnets to the router. The whole no-brainer flow on the latest O release (Ocata) is as follows:

Create network-1

neutron net-create $network-1

Create subnet-1

neutron subnet-create --name $subnet-1-name $network-1-id $cidr-1

Create router-1. Note: on a single node do not create a distributed router, otherwise the L3 agent cannot bind it.

neutron router-create $router-1

router-interface-add

neutron router-interface-add $router-1-id $subnet-1-id

router-gateway-set

The public network (public-network-id) is created by default; with no special requirements just use the default one. Its CIDR can be changed in stackrc at install time; search for 172.

neutron router-gateway-set $router-1-id $public-network-id

At this point you can check the router namespace and the l3-agent; on a single node everything lives on this one host anyway.

The network is ready; create a VM

nova boot --flavor $flavor --image $image --nic net-id=$network-1-id --nic net-id=$public-network-id $vm-1-name

Note that the VPC being verified is the network and subnet I created myself; the public network is only there so I can log in to the VM, and can be thought of as the floating IP.

Also note that the default security group does not allow ingress, so look up the security-group-id and open it up

First get the private port and the public IP

nova interface-list $vm_uuid

Get the security-group-id

neutron port-show $port_id

Everything here is bound to the default security group; just modify it and open everything

neutron security-group-rule-create --direction ingress --remote-ip-prefix 0.0.0.0/0 $security-group-id

At this point the NIC holding the public IP is not UP (see the previous post), so log in through the router namespace using the private IP and bring the public NIC UP; after that you no longer need to go through the namespace to log in

sudo ip netns exec qrouter-$router-1-id ssh cirros@$private-ip-1

Inside the VM, bring the public NIC UP

sudo ifconfig eth1 $public-ip/24 up

With that, $vm-1-name is completely OK

To verify the L2 network, run the VM creation command above once more with a different name and check private IP connectivity between the two VMs.

To verify the L3 network, create another subnet in a different CIDR and attach it to the same router, i.e.

Create network-2

neutron net-create $network-2

Create subnet-2

neutron subnet-create --name $subnet-2-name $network-2-id $cidr-2

router-interface-add

neutron router-interface-add $router-1-id $subnet-2-id

Now a VM can be created on the other subnet

nova boot --flavor $flavor --image $image --nic net-id=$network-2-id --nic net-id=$public-network-id $vm-2-name

And with that, L3 communication can be verified
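The steps above (network, subnet, router interface, VM) repeat once per subnet, and the security group step opens everything from everywhere. The following is an added example, not code from the original post: it plans the same topology for any number of tenant subnets behind one non-distributed router, checks the CIDRs for overlap before anything is created (Neutron refuses router-interface-add for a subnet that overlaps one already on the router), derives the gateway address that should later appear on each qr- port, and emits the security-group rules either in the post's wide-open form or scoped to what the test actually exercises (SSH and ICMP). Command strings follow the neutron/nova CLI used above; the `$...-id` placeholders, `admin_prefix`, `network-N`/`subnet-N`/`vm-N` names and the function names are assumptions of this example.

```python
"""Plan the single-node L2/L3 test topology from the post and the security-group rules
it needs. Added example; $... placeholders are the IDs you substitute after each step."""
import ipaddress


def expected_gateway(cidr):
    """Neutron's default gateway_ip is the first host of the CIDR (2.2.2.0/24 -> 2.2.2.1);
    it is the address that later shows up on the subnet's qr- port in the router namespace."""
    return str(ipaddress.ip_network(cidr)[1])


def cidr_conflicts(tenant_cidrs, public_cidr):
    """Return a list of overlap problems (empty means the plan is safe to run). Neutron
    rejects router-interface-add for a subnet overlapping one already attached, and a
    tenant CIDR overlapping the public network breaks the eth1 path used to log in."""
    nets = [ipaddress.ip_network(c) for c in tenant_cidrs]
    pub = ipaddress.ip_network(public_cidr)
    conflicts = []
    for i, a in enumerate(nets):
        if a.overlaps(pub):
            conflicts.append(f"{a} overlaps the public network {pub}")
        for b in nets[i + 1:]:
            if a.overlaps(b):
                conflicts.append(f"{a} overlaps {b}; both cannot sit behind one router")
    return conflicts


def plan_topology(router, tenant_cidrs, public_cidr, flavor="$flavor", image="$image"):
    """Ordered CLI steps: one tenant subnet gives the L2 test, two or more the L3 test."""
    conflicts = cidr_conflicts(tenant_cidrs, public_cidr)
    if conflicts:
        raise ValueError("; ".join(conflicts))
    steps = [
        f"neutron router-create {router}",  # no --distributed on a single node
        f"neutron router-gateway-set ${router}-id $public-network-id",
    ]
    for n, cidr in enumerate(tenant_cidrs, 1):
        steps += [
            f"neutron net-create network-{n}",
            f"neutron subnet-create --name subnet-{n} $network-{n}-id {cidr}",
            f"neutron router-interface-add ${router}-id $subnet-{n}-id",
            f"nova boot --flavor {flavor} --image {image} "
            f"--nic net-id=$network-{n}-id --nic net-id=$public-network-id vm-{n}",
        ]
    return steps


def sg_rules(sg_id, admin_prefix, tenant_cidrs, wide_open=False):
    """wide_open=True reproduces the post's single rule (any protocol, any source).
    Otherwise admit only what the test exercises: SSH and ICMP from the host side of the
    public network (admin_prefix, an assumed value) and from each tenant subnet, which
    covers both the qrouter namespace (it sources from the qr- gateway address) and the
    other guest for the L2/L3 ping."""
    base = "neutron security-group-rule-create --direction ingress"
    if wide_open:
        return [f"{base} --remote-ip-prefix 0.0.0.0/0 {sg_id}"]
    rules = []
    for prefix in [admin_prefix, *tenant_cidrs]:
        rules += [
            f"{base} --protocol tcp --port-range-min 22 --port-range-max 22 "
            f"--remote-ip-prefix {prefix} {sg_id}",
            f"{base} --protocol icmp --remote-ip-prefix {prefix} {sg_id}",
        ]
    return rules


if __name__ == "__main__":
    # The two-subnet L3 case from the post, with the public network from the output below.
    for step in plan_topology("router-1", ["2.2.2.0/24", "3.3.3.0/24"], "7.7.7.0/24"):
        print(step)
    for rule in sg_rules("$security-group-id", "7.7.7.0/24", ["2.2.2.0/24", "3.3.3.0/24"]):
        print(rule)
```

Run it once to print the full command list for the two-subnet case; the scoped rules replace the single `0.0.0.0/0` rule, and `expected_gateway` gives the addresses (2.2.2.1, 3.3.3.1) to look for on the qr- ports afterwards.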

Below are some points worth looking at

The qr interfaces in the router namespace: this is where L3 communication plays its small part

[lihui@openstack ~]$ ip netns exec qrouter-e294bb21-a54d-45db-ad0f-ff85e54d49b1 ip a
setting the network namespace "qrouter-e294bb21-a54d-45db-ad0f-ff85e54d49b1" failed: Operation not permitted
[lihui@openstack ~]$ sudo ip netns exec qrouter-e294bb21-a54d-45db-ad0f-ff85e54d49b1 ip a
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
24: qr-8271c0d3-5a:  mtu 1450 qdisc noqueue state UNKNOWN
    link/ether fa:16:3e:1a:b3:62 brd ff:ff:ff:ff:ff:ff
    inet 2.2.2.1/24 brd 2.2.2.255 scope global qr-8271c0d3-5a
       valid_lft forever preferred_lft forever
    inet6 fe80::f816:3eff:fe1a:b362/64 scope link
       valid_lft forever preferred_lft forever
25: qr-1498f31f-33:  mtu 1450 qdisc noqueue state UNKNOWN
    link/ether fa:16:3e:82:a7:70 brd ff:ff:ff:ff:ff:ff
    inet 3.3.3.1/24 brd 3.3.3.255 scope global qr-1498f31f-33
       valid_lft forever preferred_lft forever
    inet6 fe80::f816:3eff:fe82:a770/64 scope link
       valid_lft forever preferred_lft forever
26: qg-5dd8990a-60:  mtu 1500 qdisc noqueue state UNKNOWN
    link/ether fa:16:3e:36:d7:cf brd ff:ff:ff:ff:ff:ff
    inet 7.7.7.11/24 brd 7.7.7.255 scope global qg-5dd8990a-60
       valid_lft forever preferred_lft forever
    inet6 2001:db8::9/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::f816:3eff:fe36:d7cf/64 scope link
       valid_lft forever preferred_lft forever

Output of router-port-list

[lihui@openstack ~]$ neutron router-port-list e294bb21-a54d-45db-ad0f-ff85e54d49b1
neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.
+--------------------------------------+------+----------------------------------+-------------------+-------------------------------------------+
| id                                   | name | tenant_id                        | mac_address       | fixed_ips                                 |
+--------------------------------------+------+----------------------------------+-------------------+-------------------------------------------+
| 1498f31f-33e8-4b63-81b3-46369b94006a |      | 97f3eff9ffb94cd581d7a7d4c2957c63 | fa:16:3e:82:a7:70 | {"subnet_id": "e8e3a8e1-1a5c-45d2-94ed-   |
|                                      |      |                                  |                   | b187c07293bf", "ip_address": "3.3.3.1"}   |
| 5dd8990a-6030-43fc-a258-487697ae04f6 |      |                                  | fa:16:3e:36:d7:cf | {"subnet_id": "e031226c-449f-             |
|                                      |      |                                  |                   | 4b97-96c2-38cb3852a52a", "ip_address":    |
|                                      |      |                                  |                   | "2001:db8::9"}                            |
|                                      |      |                                  |                   | {"subnet_id": "c3fea021-65c7-418e-        |
|                                      |      |                                  |                   | aff8-f9ec8c8c866e", "ip_address":         |
|                                      |      |                                  |                   | "7.7.7.11"}                               |
| 8271c0d3-5aa6-4fb9-81ec-b601399a6750 |      | 97f3eff9ffb94cd581d7a7d4c2957c63 | fa:16:3e:1a:b3:62 | {"subnet_id": "2aa83c3e-                  |
|                                      |      |                                  |                   | 8d6c-4461-9c59-9c69c3a2f92c",             |
|                                      |      |                                  |                   | "ip_address": "2.2.2.1"}                  |
+--------------------------------------+------+----------------------------------+-------------------+-------------------------------------------+

L3 communication

$ ip a
1: lo:  mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0:  mtu 1450 qdisc pfifo_fast qlen 1000
    link/ether fa:16:3e:0f:6b:55 brd ff:ff:ff:ff:ff:ff
    inet 3.3.3.11/24 brd 3.3.3.255 scope global eth0
    inet6 fe80::f816:3eff:fe0f:6b55/64 scope link
       valid_lft forever preferred_lft forever
3: eth1:  mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether fa:16:3e:f6:73:7e brd ff:ff:ff:ff:ff:ff
    inet 7.7.7.10/8 brd 7.255.255.255 scope global eth1
    inet6 fe80::f816:3eff:fef6:737e/64 scope link
       valid_lft forever preferred_lft forever
$
$ ping 2.2.2.9
PING 2.2.2.9 (2.2.2.9): 56 data bytes
64 bytes from 2.2.2.9: seq=0 ttl=63 time=4.342 ms
64 bytes from 2.2.2.9: seq=1 ttl=63 time=1.491 ms
64 bytes from 2.2.2.9: seq=2 ttl=63 time=1.601 ms
64 bytes from 2.2.2.9: seq=3 ttl=63 time=1.466 ms
^C
--- 2.2.2.9 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 1.466/2.225/4.342 ms
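The outputs above contain everything needed to confirm the L3 path without capturing packets: each attached subnet's gateway must sit on its own qr- port, the qg- port must carry a public address, the qr- MTU of 1450 (against 1500 on qg-) is the VXLAN overhead, and ttl=63 in the ping replies means the echo crossed exactly one router. Note also that the guest's eth1 came up as 7.7.7.10/8 even though the post set it with /24. The following checker is an added example, not code from the original post; the samples are constructed, condensed from the `ip a` outputs above, and the function names, the 1450 overlay MTU default and the 7.7.7.0/24 public CIDR are assumptions of the example.

```python
"""Cross-check the qrouter namespace and the guest against the expected L3 layout.
Added example; the two samples are constructed from the `ip a` outputs in the post."""
import ipaddress
import re

ROUTER_NS_IP_A = """\
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN
    inet 127.0.0.1/8 scope host lo
24: qr-8271c0d3-5a:  mtu 1450 qdisc noqueue state UNKNOWN
    link/ether fa:16:3e:1a:b3:62 brd ff:ff:ff:ff:ff:ff
    inet 2.2.2.1/24 brd 2.2.2.255 scope global qr-8271c0d3-5a
25: qr-1498f31f-33:  mtu 1450 qdisc noqueue state UNKNOWN
    link/ether fa:16:3e:82:a7:70 brd ff:ff:ff:ff:ff:ff
    inet 3.3.3.1/24 brd 3.3.3.255 scope global qr-1498f31f-33
26: qg-5dd8990a-60:  mtu 1500 qdisc noqueue state UNKNOWN
    link/ether fa:16:3e:36:d7:cf brd ff:ff:ff:ff:ff:ff
    inet 7.7.7.11/24 brd 7.7.7.255 scope global qg-5dd8990a-60
"""

GUEST_IP_A = """\
2: eth0:  mtu 1450 qdisc pfifo_fast qlen 1000
    link/ether fa:16:3e:0f:6b:55 brd ff:ff:ff:ff:ff:ff
    inet 3.3.3.11/24 brd 3.3.3.255 scope global eth0
3: eth1:  mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether fa:16:3e:f6:73:7e brd ff:ff:ff:ff:ff:ff
    inet 7.7.7.10/8 brd 7.255.255.255 scope global eth1
"""

IFACE_RE = re.compile(r"^\d+: (?P<name>[^:\s]+):.*?\bmtu (?P<mtu>\d+)")
INET_RE = re.compile(r"^\s+inet (?P<addr>[\d.]+/\d+)")   # "inet " only, skips inet6
ETHER_RE = re.compile(r"^\s+link/ether (?P<mac>[0-9a-f:]{17})")


def parse_ip_a(text):
    """Return {ifname: {"mtu": int, "mac": str | None, "inet": [IPv4Interface, ...]}}."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            cur = {"mtu": int(m.group("mtu")), "mac": None, "inet": []}
            ifaces[m.group("name")] = cur
            continue
        if cur is None:
            continue
        m = INET_RE.match(line)
        if m:
            cur["inet"].append(ipaddress.ip_interface(m.group("addr")))
            continue
        m = ETHER_RE.match(line)
        if m:
            cur["mac"] = m.group("mac")
    return ifaces


def check_router_namespace(text, tenant_cidrs, public_cidr, overlay_mtu=1450):
    """Return a list of findings; an empty list means every L3 prerequisite is in place."""
    ifaces = parse_ip_a(text)
    qr = {n: i for n, i in ifaces.items() if n.startswith("qr-")}
    qg = {n: i for n, i in ifaces.items() if n.startswith("qg-")}
    pub = ipaddress.ip_network(public_cidr)
    findings = []
    if not any(a.ip in pub for i in qg.values() for a in i["inet"]):
        findings.append(f"no qg- port with an address in {pub}: router-gateway-set missing?")
    for cidr in tenant_cidrs:
        gw = ipaddress.ip_network(cidr)[1]  # Neutron's default gateway_ip, first host
        owners = [n for n, i in qr.items() if any(a.ip == gw for a in i["inet"])]
        if not owners:
            findings.append(f"no qr- port carries {gw} for {cidr}: router-interface-add missing?")
        elif len(owners) > 1:
            findings.append(f"{gw} appears on several qr- ports: {owners}")
    for n, i in qr.items():
        if i["mtu"] > overlay_mtu:  # tenant ports ride the VXLAN tunnel, 50 bytes of overhead
            findings.append(f"{n} mtu {i['mtu']} exceeds overlay mtu {overlay_mtu}")
    return findings


def check_guest_public_iface(text, public_cidr, ifname="eth1"):
    """The post brings eth1 up with `ifconfig eth1 $ip/24 up`; confirm the mask that
    actually landed matches the public subnet. The classful /8 seen above makes the guest
    treat all of 7.0.0.0/8 as on-link and ARP for it instead of routing through the gateway."""
    iface = parse_ip_a(text).get(ifname)
    if iface is None or not iface["inet"]:
        return f"{ifname} is absent or has no IPv4 address: still down?"
    pub = ipaddress.ip_network(public_cidr)
    for a in iface["inet"]:
        if a.ip in pub and a.network != pub:
            return f"{ifname} has {a} but the public subnet is {pub}: fix the prefix length"
    return None


def router_hops(observed_ttl, initial_ttl=64):
    """Each router decrements TTL by one and Linux guests start at 64, so the ttl=63 in the
    ping replies above means the echo crossed exactly one router: the qrouter namespace."""
    return initial_ttl - observed_ttl


if __name__ == "__main__":
    print(check_router_namespace(ROUTER_NS_IP_A, ["2.2.2.0/24", "3.3.3.0/24"], "7.7.7.0/24"))
    print(check_guest_public_iface(GUEST_IP_A, "7.7.7.0/24"))
    print("routers crossed:", router_hops(63))
```

On a live host, feed `check_router_namespace` the output of `sudo ip netns exec qrouter-<router-id> ip a` and `check_guest_public_iface` the guest's `ip a`; with the post's topology the namespace check returns no findings, while the guest check flags the /8 on eth1.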

Capturing some packets, walking through the flow and looking at the flow tables is pretty satisfying
