Information security at my company is strict, not as open as the "pig farm" internet company I was at before, and after leaving I basically had no test environment of my own to play with, so recently I rebuilt a single-node environment on my own machine with devstack. For an OpenStack devotee, a VM with under 4 GB of RAM is enough to stand up an OpenStack environment; it can't be distributed (anyone with enough enthusiasm could spin up several low-memory VMs and build one step by step), but it is very convenient for learning or brushing up on the relevant knowledge.
The previous post tracked down and fixed the public IP problem inside the VM, so testing is now fairly convenient: VPC, router, create VMs, test connectivity; to test layer 3, bind two subnets to the router. The overall no-brainer flow on the latest O (Ocata) release is as follows:
Create network-1
neutron net-create $network-1
Create subnet-1
neutron subnet-create --name $subnet-1-name $network-1-id $cidr-1
Create router-1. Note: on a single node do not create a distributed router, otherwise the L3 agent has nothing to bind it to
neutron router-create $router-1
router-interface-add
neutron router-interface-add $router-1-id $subnet-1-id
router-gateway-set
public-network-id is created by default; with no special requirements just use the default one. Its address range can be changed in stackrc at install time (search for 172)
neutron router-gateway-set $router-1-id $public-network-id
At this point you can check the router namespace and the l3-agent; it is a single node anyway, so everything lives right here
Network ready; create the VM
nova boot --flavor $flavor --image $image --nic net-id=$network-1-id --nic net-id=$public-network-id $vm-1-name
Note here that validating the VPC means validating the network and subnet you created yourself; the public network is what I use to log in to the VM, and you can also think of it as the floating IP
Also note that the default security group does not allow ingress, so look up the security-group-id and open it
First get the private port and the public IP
nova interface-list $vm_uuid
Get the security-group-id
neutron port-show $port_id
Everything here is bound to the default security group, so just change it directly and open everything
neutron security-group-rule-create --direction ingress --remote-ip-prefix 0.0.0.0/0 $security-group-id
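The rule above admits every protocol from every source. As an added example (my code, not the post's), the Python below audits a security group's rules for exactly that pattern and builds the narrower set the lab tests actually need: ICMP for the ping checks and TCP/22 for the SSH login from the qrouter namespace, each limited to the lab subnets. The rule dicts are constructed to mirror the Neutron API rule fields; the CIDRs 2.2.2.0/24 and 3.3.3.0/24 are the two tenant subnets that appear later in the post's router namespace, and $security-group-id is the post's own placeholder. The neutron CLI flags it renders (--direction, --ethertype, --protocol, --port-range-min/--port-range-max, --remote-ip-prefix, --remote-group-id) are the real ones from python-neutronclient.

```python
"""Audit Neutron security-group rules for wide-open ingress and build
a scoped alternative. Added example, not code from the original post.

The rule dicts mirror the Neutron API rule fields (direction, ethertype,
protocol, port_range_min, port_range_max, remote_ip_prefix,
remote_group_id). RULES is a constructed sample: the default group's
two stock rules plus the rule the post adds."""
import ipaddress

RULES = [
    # stock rule: ingress only from members of the same group
    {"direction": "ingress", "ethertype": "IPv4", "protocol": None,
     "port_range_min": None, "port_range_max": None,
     "remote_ip_prefix": None, "remote_group_id": "default"},
    # stock rule: unrestricted egress
    {"direction": "egress", "ethertype": "IPv4", "protocol": None,
     "port_range_min": None, "port_range_max": None,
     "remote_ip_prefix": None, "remote_group_id": None},
    # the post's `--direction ingress --remote-ip-prefix 0.0.0.0/0` rule
    {"direction": "ingress", "ethertype": "IPv4", "protocol": None,
     "port_range_min": None, "port_range_max": None,
     "remote_ip_prefix": "0.0.0.0/0", "remote_group_id": None},
]

# Constructed lab CIDRs: the two tenant subnets attached to the router.
LAB_CIDRS = ["2.2.2.0/24", "3.3.3.0/24"]


def from_anywhere(rule):
    """True when the rule places no restriction on the source address."""
    prefix = rule.get("remote_ip_prefix")
    if prefix is None:
        # no prefix and no remote group means "any source"
        return rule.get("remote_group_id") is None
    return ipaddress.ip_network(prefix, strict=False).prefixlen == 0


def wide_open_rules(rules):
    """Ingress rules that admit every protocol and port from any source."""
    return [r for r in rules
            if r["direction"] == "ingress"
            and r.get("protocol") is None
            and from_anywhere(r)]


def scoped_rules(lab_cidrs, ssh_port=22):
    """Only what the post's tests need: ICMP for ping and TCP/ssh_port
    for the login, each limited to a lab subnet."""
    rules = []
    for cidr in lab_cidrs:
        base = {"direction": "ingress", "ethertype": "IPv4",
                "remote_ip_prefix": cidr, "remote_group_id": None}
        rules.append(dict(base, protocol="icmp",
                          port_range_min=None, port_range_max=None))
        rules.append(dict(base, protocol="tcp",
                          port_range_min=ssh_port, port_range_max=ssh_port))
    return rules


def to_cli(rule, sg_id):
    """Render a rule as the neutron CLI call that would create it."""
    parts = ["neutron", "security-group-rule-create",
             "--direction", rule["direction"],
             "--ethertype", rule["ethertype"]]
    if rule.get("protocol"):
        parts += ["--protocol", rule["protocol"]]
    if rule.get("port_range_min") is not None:
        parts += ["--port-range-min", str(rule["port_range_min"]),
                  "--port-range-max", str(rule["port_range_max"])]
    if rule.get("remote_ip_prefix"):
        parts += ["--remote-ip-prefix", rule["remote_ip_prefix"]]
    elif rule.get("remote_group_id"):
        parts += ["--remote-group-id", rule["remote_group_id"]]
    parts.append(sg_id)
    return " ".join(parts)


def main():
    for r in wide_open_rules(RULES):
        print("wide open:", to_cli(r, "$security-group-id"))
    print("scoped replacement:")
    for r in scoped_rules(LAB_CIDRS):
        print(" ", to_cli(r, "$security-group-id"))


if __name__ == "__main__":
    main()
```

Run stand-alone it flags the post's 0.0.0.0/0 rule and prints four replacement commands (ICMP and TCP/22 for each of the two lab subnets). Because the SSH hop in the post originates from the qr- address inside the router namespace (3.3.3.1, which sits in 3.3.3.0/24), the scoped set still lets the namespace login and the VM-to-VM pings work while keeping the guest unreachable from the public network.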
At this point, because the NIC holding the public IP is not UP (see the previous post), you have to log in through the private IP from inside the namespace and bring the public NIC UP; after that you no longer need to log in from inside the namespace
sudo ip netns exec qrouter-$router-1 ssh cirros@$private-ip-1
Inside the VM, bring the public NIC UP
sudo ifconfig eth1 $public-ip/24 up
With that, $vm-1-name is completely OK
To validate the layer 2 network, run the VM creation command above once more with a different name, then verify private IP connectivity between the two VMs
To validate the layer 3 network, create another subnet on a different address range and attach it to the same router, i.e.
Create network-2
neutron net-create $network-2
Create subnet-2
neutron subnet-create --name $subnet-2-name $network-2-id $cidr-2
router-interface-add
neutron router-interface-add $router-1-id $subnet-2-id
Now you can create a VM on the different subnet
nova boot --flavor $flavor --image $image --nic net-id=$network-2-id --nic net-id=$public-network-id $vm-2-name
And with that, layer 3 communication can be verified
Below are a few points worth paying attention to
The qr interfaces in the router namespace; layer 3 traffic passes through here
[lihui@openstack ~]$ ip netns exec qrouter-e294bb21-a54d-45db-ad0f-ff85e54d49b1 ip a
setting the network namespace "qrouter-e294bb21-a54d-45db-ad0f-ff85e54d49b1" failed: Operation not permitted
[lihui@openstack ~]$ sudo ip netns exec qrouter-e294bb21-a54d-45db-ad0f-ff85e54d49b1 ip a
1: lo: mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
24: qr-8271c0d3-5a: mtu 1450 qdisc noqueue state UNKNOWN
    link/ether fa:16:3e:1a:b3:62 brd ff:ff:ff:ff:ff:ff
    inet 2.2.2.1/24 brd 2.2.2.255 scope global qr-8271c0d3-5a
       valid_lft forever preferred_lft forever
    inet6 fe80::f816:3eff:fe1a:b362/64 scope link
       valid_lft forever preferred_lft forever
25: qr-1498f31f-33: mtu 1450 qdisc noqueue state UNKNOWN
    link/ether fa:16:3e:82:a7:70 brd ff:ff:ff:ff:ff:ff
    inet 3.3.3.1/24 brd 3.3.3.255 scope global qr-1498f31f-33
       valid_lft forever preferred_lft forever
    inet6 fe80::f816:3eff:fe82:a770/64 scope link
       valid_lft forever preferred_lft forever
26: qg-5dd8990a-60: mtu 1500 qdisc noqueue state UNKNOWN
    link/ether fa:16:3e:36:d7:cf brd ff:ff:ff:ff:ff:ff
    inet 7.7.7.11/24 brd 7.7.7.255 scope global qg-5dd8990a-60
       valid_lft forever preferred_lft forever
    inet6 2001:db8::9/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::f816:3eff:fe36:d7cf/64 scope link
       valid_lft forever preferred_lft forever
Output of router-port-list
[lihui@openstack ~]$ neutron router-port-list e294bb21-a54d-45db-ad0f-ff85e54d49b1
neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.
+--------------------------------------+------+----------------------------------+-------------------+-------------------------------------------+
| id                                   | name | tenant_id                        | mac_address       | fixed_ips                                 |
+--------------------------------------+------+----------------------------------+-------------------+-------------------------------------------+
| 1498f31f-33e8-4b63-81b3-46369b94006a |      | 97f3eff9ffb94cd581d7a7d4c2957c63 | fa:16:3e:82:a7:70 | {"subnet_id": "e8e3a8e1-1a5c-45d2-94ed-   |
|                                      |      |                                  |                   | b187c07293bf", "ip_address": "3.3.3.1"}   |
| 5dd8990a-6030-43fc-a258-487697ae04f6 |      |                                  | fa:16:3e:36:d7:cf | {"subnet_id": "e031226c-449f-             |
|                                      |      |                                  |                   | 4b97-96c2-38cb3852a52a", "ip_address":    |
|                                      |      |                                  |                   | "2001:db8::9"}                            |
|                                      |      |                                  |                   | {"subnet_id": "c3fea021-65c7-418e-        |
|                                      |      |                                  |                   | aff8-f9ec8c8c866e", "ip_address":         |
|                                      |      |                                  |                   | "7.7.7.11"}                               |
| 8271c0d3-5aa6-4fb9-81ec-b601399a6750 |      | 97f3eff9ffb94cd581d7a7d4c2957c63 | fa:16:3e:1a:b3:62 | {"subnet_id": "2aa83c3e-                  |
|                                      |      |                                  |                   | 8d6c-4461-9c59-9c69c3a2f92c",             |
|                                      |      |                                  |                   | "ip_address": "2.2.2.1"}                  |
+--------------------------------------+------+----------------------------------+-------------------+-------------------------------------------+
Layer 3 communication
$ ip a
1: lo: mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: mtu 1450 qdisc pfifo_fast qlen 1000
    link/ether fa:16:3e:0f:6b:55 brd ff:ff:ff:ff:ff:ff
    inet 3.3.3.11/24 brd 3.3.3.255 scope global eth0
    inet6 fe80::f816:3eff:fe0f:6b55/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether fa:16:3e:f6:73:7e brd ff:ff:ff:ff:ff:ff
    inet 7.7.7.10/8 brd 7.255.255.255 scope global eth1
    inet6 fe80::f816:3eff:fef6:737e/64 scope link
       valid_lft forever preferred_lft forever
$
$ ping 2.2.2.9
PING 2.2.2.9 (2.2.2.9): 56 data bytes
64 bytes from 2.2.2.9: seq=0 ttl=63 time=4.342 ms
64 bytes from 2.2.2.9: seq=1 ttl=63 time=1.491 ms
64 bytes from 2.2.2.9: seq=2 ttl=63 time=1.601 ms
64 bytes from 2.2.2.9: seq=3 ttl=63 time=1.466 ms
^C
--- 2.2.2.9 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 1.466/2.225/4.342 ms
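To tie the namespace capture and the guest capture together, here is an added Python example (mine, not from the post) that parses the `ip a` output of the router namespace and of the guest, treats each qr- port's IPv4 address as the gateway of its subnet, and classifies a source/destination pair as same-subnet (L2), routed through the namespace (L3, one hop), or not reachable through this router's tenant ports at all. The embedded captures are the post's own output trimmed to the address lines (the `<FLAGS>` field is missing there too, so the parser keys on the `N: name:` prefix); the function names are mine, and the classifier deliberately ignores the qg- port and its default route, so anything outside the two tenant subnets comes back as None.

```python
"""Parse `ip a` output from the qrouter namespace and the guest and work
out which traffic is L2 and which has to cross the router.

Added example, not part of the original post. NS_IP_A and VM_IP_A are
the post's captures pasted in as sample input; helper names are mine."""
import ipaddress
import re

NS_IP_A = """\
1: lo: mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
24: qr-8271c0d3-5a: mtu 1450 qdisc noqueue state UNKNOWN
    link/ether fa:16:3e:1a:b3:62 brd ff:ff:ff:ff:ff:ff
    inet 2.2.2.1/24 brd 2.2.2.255 scope global qr-8271c0d3-5a
25: qr-1498f31f-33: mtu 1450 qdisc noqueue state UNKNOWN
    link/ether fa:16:3e:82:a7:70 brd ff:ff:ff:ff:ff:ff
    inet 3.3.3.1/24 brd 3.3.3.255 scope global qr-1498f31f-33
26: qg-5dd8990a-60: mtu 1500 qdisc noqueue state UNKNOWN
    link/ether fa:16:3e:36:d7:cf brd ff:ff:ff:ff:ff:ff
    inet 7.7.7.11/24 brd 7.7.7.255 scope global qg-5dd8990a-60
    inet6 2001:db8::9/64 scope global
"""

VM_IP_A = """\
2: eth0: mtu 1450 qdisc pfifo_fast qlen 1000
    link/ether fa:16:3e:0f:6b:55 brd ff:ff:ff:ff:ff:ff
    inet 3.3.3.11/24 brd 3.3.3.255 scope global eth0
3: eth1: mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether fa:16:3e:f6:73:7e brd ff:ff:ff:ff:ff:ff
    inet 7.7.7.10/8 brd 7.255.255.255 scope global eth1
"""

IFACE_RE = re.compile(r"^\d+: ([^:\s]+):")   # "24: qr-8271c0d3-5a: ..."
INET_RE = re.compile(r"^\s+inet (\S+)")       # IPv4 only; "inet6" won't match


def parse_ip_a(text):
    """Return {ifname: [IPv4Interface, ...]} from `ip a` output."""
    ifaces, current = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            ifaces[current] = []
            continue
        m = INET_RE.match(line)
        if m and current:
            ifaces[current].append(ipaddress.ip_interface(m.group(1)))
    return ifaces


def router_gateways(ns_ifaces):
    """{subnet: gateway}: the IPv4 address on each qr- port of the namespace."""
    return {str(a.network): str(a.ip)
            for name, addrs in ns_ifaces.items() if name.startswith("qr-")
            for a in addrs}


def classify_path(ns_ifaces, src, dst):
    """("l2", None, 0) if src and dst share a tenant subnet,
    ("l3", gateway, 1) if the router has a qr- port in both subnets,
    None if either address is outside this router's tenant subnets."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    gws = router_gateways(ns_ifaces)
    src_net = next((n for n in gws if src_ip in ipaddress.ip_network(n)), None)
    dst_net = next((n for n in gws if dst_ip in ipaddress.ip_network(n)), None)
    if src_net is None or dst_net is None:
        return None
    if src_net == dst_net:
        return ("l2", None, 0)
    return ("l3", gws[src_net], 1)


def guest_reaches(vm_ifaces, ns_ifaces, dst):
    """Pick the guest interface that sits on a tenant subnet and classify."""
    for name, addrs in vm_ifaces.items():
        for a in addrs:
            result = classify_path(ns_ifaces, str(a.ip), dst)
            if result:
                return name, result
    return None


def main():
    ns, vm = parse_ip_a(NS_IP_A), parse_ip_a(VM_IP_A)
    print("router gateways:", router_gateways(ns))
    for dst in ("2.2.2.9", "3.3.3.12", "8.8.8.8"):
        print(dst, "->", guest_reaches(vm, ns, dst))


if __name__ == "__main__":
    main()
```

Run stand-alone it reports that the guest's eth0 (3.3.3.11) reaches 2.2.2.9 via 3.3.3.1 with one router hop, which agrees with the ttl=63 in the ping replies above: the reply leaves the other guest at the Linux default of 64 and the qrouter namespace decrements it once. The same parse also makes the prefix mismatch between the guest's eth1 (7.7.7.10/8) and the router's qg- port (7.7.7.11/24) visible without reading the raw output by hand.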
Capture some packets, trace the flow, look at the flow tables; quite satisfying