In the previous posts we covered the OpenStack base environment and the installation and configuration of the core services (the identity service Keystone, the image service Glance, the compute service Nova and the networking service Neutron); see those posts for a recap. Today we launch a virtual machine instance on top of the services configured there.
Launching a VM instance in OpenStack usually goes through a few steps. First, a user logs in to OpenStack to create the VM. Keystone validates the user and returns a token; if validation succeeds the user can perform the corresponding operations on OpenStack, otherwise they cannot. Second, once the user has authenticated with Keystone and holds a token, they can create a VM. Before doing so they must choose which template to build the VM from, which image to install the system from, which network to attach, which security group policy to apply, and so on; all of these must be created in advance. After selecting the required components, the user sends the creation request to the OpenStack control node, the services on the control node call each other, and finally a VM instance is created. One point worth stressing: creating a VM on OpenStack is not like creating one with the KVM/QEMU tools, where you specify the virtual CPUs, memory, disk and so on directly; on OpenStack the VM's basic resources are defined through a template, called a flavor. With the overall process clear, let's run a VM instance on OpenStack using the environment configured earlier.
1. Create a flavor (template)
On the controller node, source the admin environment variables and create a flavor
[root@node01 ~]# source admin.sh
[root@node01 ~]# openstack flavor create --id 0 --vcpus 1 --ram 64 --disk 1 m1.nano
+----------------------------+---------+
| Field                      | Value   |
+----------------------------+---------+
| OS-FLV-DISABLED:disabled   | False   |
| OS-FLV-EXT-DATA:ephemeral  | 0       |
| disk                       | 1       |
| id                         | 0       |
| name                       | m1.nano |
| os-flavor-access:is_public | True    |
| properties                 |         |
| ram                        | 64      |
| rxtx_factor                | 1.0     |
| swap                       |         |
| vcpus                      | 1       |
+----------------------------+---------+
[root@node01 ~]#
Source the demo user's environment variables and create a keypair
[root@node01 ~]# source demo.sh
[root@node01 ~]# ssh-keygen -q -N ""
Enter file in which to save the key (/root/.ssh/id_rsa):
/root/.ssh/id_rsa already exists.
Overwrite (y/n)? y
[root@node01 ~]# openstack keypair create --public-key ~/.ssh/id_rsa.pub demo_key
+-------------+-------------------------------------------------+
| Field       | Value                                           |
+-------------+-------------------------------------------------+
| fingerprint | ed:28:2f:00:14:3d:f0:80:6d:0a:0c:ca:41:60:f9:e1 |
| name        | demo_key                                        |
| user_id     | 5453d68782a34429a7dab7da9c51f0d9                |
+-------------+-------------------------------------------------+
[root@node01 ~]#
List the security groups
[root@node01 ~]# openstack security group list
+--------------------------------------+---------+------------------------+----------------------------------+------+
| ID                                   | Name    | Description            | Project                          | Tags |
+--------------------------------------+---------+------------------------+----------------------------------+------+
| 06b13f55-8beb-48d4-9994-490acc5488cf | default | Default security group | 1a918887f38a42c28f9d0d3774f34b16 | []   |
+--------------------------------------+---------+------------------------+----------------------------------+------+
[root@node01 ~]#
View the rules in the default security group
[root@node01 ~]# openstack security group rule list
+--------------------------------------+-------------+----------+------------+--------------------------------------+--------------------------------------+
| ID                                   | IP Protocol | IP Range | Port Range | Remote Security Group                | Security Group                       |
+--------------------------------------+-------------+----------+------------+--------------------------------------+--------------------------------------+
| 361377d6-c836-416f-a00b-245d4f62baf2 | None        | None     |            | 06b13f55-8beb-48d4-9994-490acc5488cf | 06b13f55-8beb-48d4-9994-490acc5488cf |
| 65618465-214b-49ae-8516-888380a0475c | None        | None     |            | 06b13f55-8beb-48d4-9994-490acc5488cf | 06b13f55-8beb-48d4-9994-490acc5488cf |
| 72796899-293a-40fc-ba1a-4d67f0009af9 | None        | None     |            | None                                 | 06b13f55-8beb-48d4-9994-490acc5488cf |
| 870614db-372d-4f10-8b81-71b473f586ad | None        | None     |            | None                                 | 06b13f55-8beb-48d4-9994-490acc5488cf |
+--------------------------------------+-------------+----------+------------+--------------------------------------+--------------------------------------+
[root@node01 ~]#
Tip: a security group in OpenStack can be thought of as a virtual firewall, and its rules as iptables rules. Judging from the rules in the default group above, by default it blocks connections to the VMs from any IP over any protocol; that obviously does not meet our needs, and at the very least we should open the SSH port.
Add a rule opening the SSH port to the default security group
[root@node01 ~]# openstack security group rule create --proto tcp --dst-port 22 default
+-------------------+--------------------------------------+
| Field             | Value                                |
+-------------------+--------------------------------------+
| created_at        | 2020-10-31T09:12:25Z                 |
| description       |                                      |
| direction         | ingress                              |
| ether_type        | IPv4                                 |
| id                | 703d962b-7321-4103-be77-4f1383f6d97d |
| name              | None                                 |
| port_range_max    | 22                                   |
| port_range_min    | 22                                   |
| project_id        | 1a918887f38a42c28f9d0d3774f34b16     |
| protocol          | tcp                                  |
| remote_group_id   | None                                 |
| remote_ip_prefix  | 0.0.0.0/0                            |
| revision_number   | 0                                    |
| security_group_id | 06b13f55-8beb-48d4-9994-490acc5488cf |
| updated_at        | 2020-10-31T09:12:25Z                 |
+-------------------+--------------------------------------+
[root@node01 ~]#
Tip: the security group rule is still created with the demo user's environment variables here.
Add a rule allowing the ICMP protocol to the default security group
[root@node01 ~]# openstack security group rule create --proto icmp default
+-------------------+--------------------------------------+
| Field             | Value                                |
+-------------------+--------------------------------------+
| created_at        | 2020-10-31T09:14:29Z                 |
| description       |                                      |
| direction         | ingress                              |
| ether_type        | IPv4                                 |
| id                | f00b068c-fe94-4aa5-af81-83e6d94c6ec4 |
| name              | None                                 |
| port_range_max    | None                                 |
| port_range_min    | None                                 |
| project_id        | 1a918887f38a42c28f9d0d3774f34b16     |
| protocol          | icmp                                 |
| remote_group_id   | None                                 |
| remote_ip_prefix  | 0.0.0.0/0                            |
| revision_number   | 0                                    |
| security_group_id | 06b13f55-8beb-48d4-9994-490acc5488cf |
| updated_at        | 2020-10-31T09:14:29Z                 |
+-------------------+--------------------------------------+
[root@node01 ~]#
Tip: this step is not required; we add ICMP to the default security group to make testing easier later on.
Verification: view the rules in the default security group and check that the rules we added are present.
[root@node01 ~]# openstack security group rule list
+--------------------------------------+-------------+-----------+------------+--------------------------------------+--------------------------------------+
| ID                                   | IP Protocol | IP Range  | Port Range | Remote Security Group                | Security Group                       |
+--------------------------------------+-------------+-----------+------------+--------------------------------------+--------------------------------------+
| 361377d6-c836-416f-a00b-245d4f62baf2 | None        | None      |            | 06b13f55-8beb-48d4-9994-490acc5488cf | 06b13f55-8beb-48d4-9994-490acc5488cf |
| 65618465-214b-49ae-8516-888380a0475c | None        | None      |            | 06b13f55-8beb-48d4-9994-490acc5488cf | 06b13f55-8beb-48d4-9994-490acc5488cf |
| 703d962b-7321-4103-be77-4f1383f6d97d | tcp         | 0.0.0.0/0 | 22:22      | None                                 | 06b13f55-8beb-48d4-9994-490acc5488cf |
| 72796899-293a-40fc-ba1a-4d67f0009af9 | None        | None      |            | None                                 | 06b13f55-8beb-48d4-9994-490acc5488cf |
| 870614db-372d-4f10-8b81-71b473f586ad | None        | None      |            | None                                 | 06b13f55-8beb-48d4-9994-490acc5488cf |
| f00b068c-fe94-4aa5-af81-83e6d94c6ec4 | icmp        | 0.0.0.0/0 |            | None                                 | 06b13f55-8beb-48d4-9994-490acc5488cf |
+--------------------------------------+-------------+-----------+------------+--------------------------------------+--------------------------------------+
[root@node01 ~]#
Tip: the default security group now has two more rules.
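The rule list above can be audited mechanically rather than read by eye. The following is an added example, not code from the original post: it parses the table `openstack security group rule list` prints, confirms the tcp/22 and icmp rules exist, and reports which rules admit traffic from any IPv4 source (0.0.0.0/0). The embedded table is constructed to match the output shown above.

```python
"""Audit a security group from the table ``openstack security group rule list``
prints, to confirm the rules the post adds are present and to show which rules
admit traffic from any IPv4 source.

Added example, not part of the original post. RULE_TABLE is constructed to
match the rule list shown above after the tcp/22 and icmp rules were added;
nothing is queried from a live cloud.
"""

RULE_TABLE = """\
+--------------------------------------+-------------+-----------+------------+--------------------------------------+--------------------------------------+
| ID                                   | IP Protocol | IP Range  | Port Range | Remote Security Group                | Security Group                       |
+--------------------------------------+-------------+-----------+------------+--------------------------------------+--------------------------------------+
| 361377d6-c836-416f-a00b-245d4f62baf2 | None        | None      |            | 06b13f55-8beb-48d4-9994-490acc5488cf | 06b13f55-8beb-48d4-9994-490acc5488cf |
| 65618465-214b-49ae-8516-888380a0475c | None        | None      |            | 06b13f55-8beb-48d4-9994-490acc5488cf | 06b13f55-8beb-48d4-9994-490acc5488cf |
| 703d962b-7321-4103-be77-4f1383f6d97d | tcp         | 0.0.0.0/0 | 22:22      | None                                 | 06b13f55-8beb-48d4-9994-490acc5488cf |
| 72796899-293a-40fc-ba1a-4d67f0009af9 | None        | None      |            | None                                 | 06b13f55-8beb-48d4-9994-490acc5488cf |
| 870614db-372d-4f10-8b81-71b473f586ad | None        | None      |            | None                                 | 06b13f55-8beb-48d4-9994-490acc5488cf |
| f00b068c-fe94-4aa5-af81-83e6d94c6ec4 | icmp        | 0.0.0.0/0 |            | None                                 | 06b13f55-8beb-48d4-9994-490acc5488cf |
+--------------------------------------+-------------+-----------+------------+--------------------------------------+--------------------------------------+
"""


def _cells(line):
    return [c.strip() for c in line.strip().strip("|").split("|")]


def parse_rule_table(text):
    """Turn the CLI's ASCII table into a list of dicts keyed by column header.
    The CLI prints the string "None" for unset fields; map that and the
    empty string to Python None."""
    rows = [l for l in text.splitlines() if l.startswith("|")]
    if not rows:
        return []
    header = _cells(rows[0])
    rules = []
    for line in rows[1:]:
        rec = dict(zip(header, _cells(line)))
        rules.append({k: (None if v in ("None", "") else v) for k, v in rec.items()})
    return rules


def port_range(rule):
    """'22:22' -> (22, 22); None when the rule has no port range."""
    pr = rule.get("Port Range")
    if not pr:
        return None
    lo, hi = pr.split(":")
    return int(lo), int(hi)


def audit_rules(rules, required=(("tcp", 22), ("icmp", None))):
    """Return (missing, wide_open).

    missing:   (proto, port) pairs from ``required`` that no rule covers.
    wide_open: (proto, port range) of rules whose source is 0.0.0.0/0 rather
               than another security group, i.e. reachable from any IPv4 host.
    The four rules with no protocol and no range are the group's defaults: the
    two that name the group itself allow ingress from members of the same
    group, the two with no remote at all allow all egress (IPv4 and IPv6).
    """
    missing = []
    for proto, port in required:
        covered = False
        for r in rules:
            if r["IP Protocol"] != proto:
                continue
            pr = port_range(r)
            if port is None or pr is None or pr[0] <= port <= pr[1]:
                covered = True
        if not covered:
            missing.append((proto, port))
    wide_open = [
        (r["IP Protocol"], r["Port Range"])
        for r in rules
        if r["IP Range"] == "0.0.0.0/0" and r["Remote Security Group"] is None
    ]
    return missing, wide_open


if __name__ == "__main__":
    missing, wide_open = audit_rules(parse_rule_table(RULE_TABLE))
    print("missing:", missing)
    print("open to any IPv4 source:", wide_open)
```

Pipe the live output of `openstack security group rule list` into `parse_rule_table` to run the same check against a real group; narrowing `--remote-ip` on the tcp/22 rule to the administrators' subnet is the usual way to shrink the `wide_open` list.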
2. Launch a VM instance on a provider network
On the controller node, source the demo user's environment variables and verify that a flavor is available
[root@node01 ~]# source demo.sh
[root@node01 ~]# openstack flavor list
+----+---------+-----+------+-----------+-------+-----------+
| ID | Name    | RAM | Disk | Ephemeral | VCPUs | Is Public |
+----+---------+-----+------+-----------+-------+-----------+
| 0  | m1.nano |  64 |    1 |         0 |     1 | True      |
+----+---------+-----+------+-----------+-------+-----------+
[root@node01 ~]#
Verify that an image is available
[root@node01 ~]# openstack image list
+--------------------------------------+--------+--------+
| ID                                   | Name   | Status |
+--------------------------------------+--------+--------+
| 94dd2ba0-1736-4307-865d-7cb86b85d32e | cirros | active |
+--------------------------------------+--------+--------+
[root@node01 ~]#
Verify that a security group exists
[root@node01 ~]# openstack security group list
+--------------------------------------+---------+------------------------+----------------------------------+------+
| ID                                   | Name    | Description            | Project                          | Tags |
+--------------------------------------+---------+------------------------+----------------------------------+------+
| 06b13f55-8beb-48d4-9994-490acc5488cf | default | Default security group | 1a918887f38a42c28f9d0d3774f34b16 | []   |
+--------------------------------------+---------+------------------------+----------------------------------+------+
[root@node01 ~]#
Verify whether a network is available
[root@node01 ~]# openstack network list

[root@node01 ~]#
Tip: the list is empty, meaning no network is available yet.
Create the provider network
On the controller node, source the admin user's environment variables and create the provider network
[root@node01 ~]# source admin.sh
[root@node01 ~]# openstack network create --share --external \
> --provider-physical-network provider \
> --provider-network-type flat provider-net
+---------------------------+--------------------------------------+
| Field                     | Value                                |
+---------------------------+--------------------------------------+
| admin_state_up            | UP                                   |
| availability_zone_hints   |                                      |
| availability_zones        |                                      |
| created_at                | 2020-10-31T09:27:26Z                 |
| description               |                                      |
| dns_domain                | None                                 |
| id                        | d4732915-a968-499d-b34b-00a6fa4c401d |
| ipv4_address_scope        | None                                 |
| ipv6_address_scope        | None                                 |
| is_default                | False                                |
| is_vlan_transparent       | None                                 |
| mtu                       | 1500                                 |
| name                      | provider-net                         |
| port_security_enabled     | True                                 |
| project_id                | b4e56eeb160948c581e98d685133d19a     |
| provider:network_type     | flat                                 |
| provider:physical_network | provider                             |
| provider:segmentation_id  | None                                 |
| qos_policy_id             | None                                 |
| revision_number           | 1                                    |
| router:external           | External                             |
| segments                  | None                                 |
| shared                    | True                                 |
| status                    | ACTIVE                               |
| subnets                   |                                      |
| tags                      |                                      |
| updated_at                | 2020-10-31T09:27:26Z                 |
+---------------------------+--------------------------------------+
[root@node01 ~]#
Tip: --share creates a shared network (a bridged network); --external marks it as an external network (use --internal instead if you want an internal network); --provider-network-type flat sets the network type to flat; and the last argument is the name we give the network, provider-net. One thing to note: the value of --provider-physical-network must match the flat_networks value in the [ml2_type_flat] section of ml2_conf.ini that we set when configuring the Neutron service, as shown below
Tip: the flat_networks value in the [ml2_type_flat] section of /etc/neutron/plugins/ml2/ml2_conf.ini must match the provider name in physical_interface_mappings in the [linux_bridge] section of /etc/neutron/plugins/ml2/linuxbridge_agent.ini, as shown below
Tip: the marked parts of both configuration files above must match the value given to the --provider-physical-network option when creating the network here.
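The three-way match the tips above describe can be verified before running `openstack network create`. The following is an added example, not code from the original post: it reads the two ini fragments and checks that the physical network name passed to --provider-physical-network appears in both. The fragments are constructed to show only the relevant keys, and the interface name eth0 in the mapping is an assumption.

```python
"""Check that the three values the post says must agree do agree:
the flat_networks entry in [ml2_type_flat] of ml2_conf.ini, the physical
network name in physical_interface_mappings in [linux_bridge] of
linuxbridge_agent.ini, and the --provider-physical-network value passed to
``openstack network create``.

Added example, not part of the original post. The two ini fragments are
constructed to show only the relevant keys; the interface name eth0 is an
assumption, since the post's screenshots are not reproduced here.
"""
import configparser

ML2_CONF = """\
[ml2]
type_drivers = flat,vlan,vxlan
tenant_network_types = vxlan
mechanism_drivers = linuxbridge,l2population

[ml2_type_flat]
flat_networks = provider

[ml2_type_vxlan]
vni_ranges = 1:1000
"""

LINUXBRIDGE_AGENT = """\
[linux_bridge]
physical_interface_mappings = provider:eth0
"""


def _load(text):
    # Only '=' separates key and value here; ':' occurs inside the mapping value.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(text)
    return cp


def flat_networks(ml2_text):
    """Physical network names flat networks may be created on ('*' means any)."""
    raw = _load(ml2_text).get("ml2_type_flat", "flat_networks", fallback="")
    return [n.strip() for n in raw.split(",") if n.strip()]


def interface_mappings(agent_text):
    """{physical network name: host interface} from the linuxbridge agent."""
    raw = _load(agent_text).get("linux_bridge", "physical_interface_mappings", fallback="")
    mappings = {}
    for item in raw.split(","):
        if ":" in item:
            phys, iface = item.split(":", 1)
            mappings[phys.strip()] = iface.strip()
    return mappings


def check_provider_network(ml2_text, agent_text, provider_physical_network):
    """Return a list of problems; an empty list means the values line up.

    If the name is missing from flat_networks, Neutron rejects the network
    create (unknown physical_network for a flat provider network); if it is
    missing from the agent mapping, the network exists but no host interface
    is bridged to it, so instances get no connectivity.
    """
    problems = []
    flats = flat_networks(ml2_text)
    if "*" not in flats and provider_physical_network not in flats:
        problems.append(f"{provider_physical_network!r} not in flat_networks {flats}")
    maps = interface_mappings(agent_text)
    if provider_physical_network not in maps:
        problems.append(f"{provider_physical_network!r} has no physical_interface_mappings entry {maps}")
    return problems


if __name__ == "__main__":
    for line in check_provider_network(ML2_CONF, LINUXBRIDGE_AGENT, "provider") or ["ok"]:
        print(line)
```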
Create a subnet
[root@node01 ~]# openstack subnet create --network provider-net \
> --allocation-pool start=192.168.0.100,end=192.168.0.150 \
> --dns-nameserver 61.139.2.69 --gateway 192.168.0.1 \
> --subnet-range 192.168.0.0/24 provider-net-sub
+-------------------+--------------------------------------+
| Field             | Value                                |
+-------------------+--------------------------------------+
| allocation_pools  | 192.168.0.100-192.168.0.150          |
| cidr              | 192.168.0.0/24                       |
| created_at        | 2020-10-31T09:48:35Z                 |
| description       |                                      |
| dns_nameservers   | 61.139.2.69                          |
| enable_dhcp       | True                                 |
| gateway_ip        | 192.168.0.1                          |
| host_routes       |                                      |
| id                | 08341b97-47d0-4c81-bb04-385f36c6b609 |
| ip_version        | 4                                    |
| ipv6_address_mode | None                                 |
| ipv6_ra_mode      | None                                 |
| name              | provider-net-sub                     |
| network_id        | d4732915-a968-499d-b34b-00a6fa4c401d |
| project_id        | b4e56eeb160948c581e98d685133d19a     |
| revision_number   | 0                                    |
| segment_id        | None                                 |
| service_types     |                                      |
| subnetpool_id     | None                                 |
| tags              |                                      |
| updated_at        | 2020-10-31T09:48:35Z                 |
+-------------------+--------------------------------------+
[root@node01 ~]#
Tip: --network specifies which network the subnet is created on (in other words, which network the subnet belongs to); the name must match the one given when the network was created. Note that a provider network is bridged onto the physical NIC, so the subnet here must be carved out of your physical network's address range.
Verification: source the demo environment variables and check whether the demo user can see an available network
[root@node01 ~]# source demo.sh
[root@node01 ~]# openstack network list
+--------------------------------------+--------------+--------------------------------------+
| ID                                   | Name         | Subnets                              |
+--------------------------------------+--------------+--------------------------------------+
| d4732915-a968-499d-b34b-00a6fa4c401d | provider-net | 08341b97-47d0-4c81-bb04-385f36c6b609 |
+--------------------------------------+--------------+--------------------------------------+
[root@node01 ~]#
Create the VM
[root@node01 ~]# openstack server create --flavor m1.nano --image cirros \
> --nic net-id=d4732915-a968-499d-b34b-00a6fa4c401d --security-group default \
> --key-name demo_key demo_vm1
+-----------------------------+-----------------------------------------------+
| Field                       | Value                                         |
+-----------------------------+-----------------------------------------------+
| OS-DCF:diskConfig           | MANUAL                                        |
| OS-EXT-AZ:availability_zone |                                               |
| OS-EXT-STS:power_state      | NOSTATE                                       |
| OS-EXT-STS:task_state       | scheduling                                    |
| OS-EXT-STS:vm_state         | building                                      |
| OS-SRV-USG:launched_at      | None                                          |
| OS-SRV-USG:terminated_at    | None                                          |
| accessIPv4                  |                                               |
| accessIPv6                  |                                               |
| addresses                   |                                               |
| adminPass                   | kCjHs82pTgRp                                  |
| config_drive                |                                               |
| created                     | 2020-10-31T09:55:13Z                          |
| flavor                      | m1.nano (0)                                   |
| hostId                      |                                               |
| id                          | a9f76200-0636-48ab-9eda-69526dab0653          |
| image                       | cirros (94dd2ba0-1736-4307-865d-7cb86b85d32e) |
| key_name                    | demo_key                                      |
| name                        | demo_vm1                                      |
| progress                    | 0                                             |
| project_id                  | 1a918887f38a42c28f9d0d3774f34b16              |
| properties                  |                                               |
| security_groups             | name='06b13f55-8beb-48d4-9994-490acc5488cf'   |
| status                      | BUILD                                         |
| updated                     | 2020-10-31T09:55:13Z                          |
| user_id                     | 5453d68782a34429a7dab7da9c51f0d9              |
| volumes_attached            |                                               |
+-----------------------------+-----------------------------------------------+
[root@node01 ~]#
Check the VM status
[root@node01 ~]# openstack server list
+--------------------------------------+----------+--------+----------------------------+--------+---------+
| ID                                   | Name     | Status | Networks                   | Image  | Flavor  |
+--------------------------------------+----------+--------+----------------------------+--------+---------+
| a9f76200-0636-48ab-9eda-69526dab0653 | demo_vm1 | ACTIVE | provider-net=192.168.0.103 | cirros | m1.nano |
+--------------------------------------+----------+--------+----------------------------+--------+---------+
[root@node01 ~]#
Tip: demo_vm1 is in the ACTIVE state, on the network provider-net with IP address 192.168.0.103, built from the cirros image with the m1.nano flavor.
Verification: on the compute node, use virsh to check whether the launched VM is visible
[root@node03 ~]# virsh list
 Id    Name                           State
----------------------------------------------------
 1     instance-00000001              running

[root@node03 ~]#
Tip: virsh on the compute node uses its own naming for VMs; the output above shows one VM instance in the running state on the compute node.
Verification: ping the VM's IP address from another host
[root@node02 ~]# ping 192.168.0.103
PING 192.168.0.103 (192.168.0.103) 56(84) bytes of data.
64 bytes from 192.168.0.103: icmp_seq=1 ttl=64 time=7.14 ms
64 bytes from 192.168.0.103: icmp_seq=2 ttl=64 time=1.92 ms
64 bytes from 192.168.0.103: icmp_seq=3 ttl=64 time=0.905 ms
^C
--- 192.168.0.103 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 0.905/3.325/7.148/2.735 ms
[root@node02 ~]#
Get the VM instance's VNC URL
[root@node01 ~]# openstack console url show demo_vm1
+-------+-------------------------------------------------------------------------------------------+
| Field | Value                                                                                     |
+-------+-------------------------------------------------------------------------------------------+
| type  | novnc                                                                                     |
| url   | http://controller:6080/vnc_auto.html?path=%3Ftoken%3Dbe38cbc9-7742-41b4-aef4-2d94ea510ca8 |
+-------+-------------------------------------------------------------------------------------------+
[root@node01 ~]#
Open the URL returned by the command in a browser and check whether the VM's VNC console is reachable.
Tip: to open it from Windows, the Windows machine needs a name resolution entry for controller.
Verification: log in to the VM and check whether it can reach the external network
Tip: the VM can ping the external network, and the address it obtained is in the same subnet as our hosts; this shows that the VM instance launched on the provider network is working correctly.
Verification: SSH to the VM from the controller node and check whether login is passwordless
[root@node01 ~]# ssh cirros@192.168.0.103
The authenticity of host '192.168.0.103 (192.168.0.103)' can't be established.
ECDSA key fingerprint is SHA256:NnU0otuUa4VYObeLL4BmFMdHEvgsdvMzZadGnP/xcW4.
ECDSA key fingerprint is MD5:e3:b5:be:67:99:cb:12:f4:3f:dd:ad:af:2c:86:7d:c7.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.0.103' (ECDSA) to the list of known hosts.
$ sudo su -
# ifconfig
eth0      Link encap:Ethernet  HWaddr FA:16:3E:03:80:17
          inet addr:192.168.0.103  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::f816:3eff:fe03:8017/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:173 errors:0 dropped:0 overruns:0 frame:0
          TX packets:177 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:20633 (20.1 KiB)  TX bytes:17495 (17.0 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

# exit
$ exit
Connection to 192.168.0.103 closed.
[root@node01 ~]#
Tip: SSH from the controller node logs in without a password because the controller holds the keypair that matches the VM: when the VM was created, OpenStack injected the public key of the keypair we created into the VM. The verification above also shows that the rule we added to the default security group allowing SSH on port 22 has taken effect. This completes launching a VM instance on a provider network.
3. Launch a VM instance on a self-service network
On the controller node, source the demo user's environment variables and create the self-service network
[root@node01 ~]# source demo.sh
[root@node01 ~]# openstack network create demo_selfservice_net
+---------------------------+--------------------------------------+
| Field                     | Value                                |
+---------------------------+--------------------------------------+
| admin_state_up            | UP                                   |
| availability_zone_hints   |                                      |
| availability_zones        |                                      |
| created_at                | 2020-10-31T10:33:55Z                 |
| description               |                                      |
| dns_domain                | None                                 |
| id                        | ad433d82-6fe1-4e51-9fe2-4cfa0fa2040d |
| ipv4_address_scope        | None                                 |
| ipv6_address_scope        | None                                 |
| is_default                | False                                |
| is_vlan_transparent       | None                                 |
| mtu                       | 1450                                 |
| name                      | demo_selfservice_net                 |
| port_security_enabled     | True                                 |
| project_id                | 1a918887f38a42c28f9d0d3774f34b16     |
| provider:network_type     | None                                 |
| provider:physical_network | None                                 |
| provider:segmentation_id  | None                                 |
| qos_policy_id             | None                                 |
| revision_number           | 1                                    |
| router:external           | Internal                             |
| segments                  | None                                 |
| shared                    | False                                |
| status                    | ACTIVE                               |
| subnets                   |                                      |
| tags                      |                                      |
| updated_at                | 2020-10-31T10:33:55Z                 |
+---------------------------+--------------------------------------+
[root@node01 ~]#
Tip: to create a self-service network, make sure tenant_network_types = vxlan is set in the [ml2] section of /etc/neutron/plugins/ml2/ml2_conf.ini and that a VXLAN identifier range is configured in the [ml2_type_vxlan] section, as shown below
Create a subnet
[root@node01 ~]# openstack subnet create --network demo_selfservice_net \
> --dns-nameserver 61.139.2.69 --gateway 10.0.0.254 \
> --subnet-range 10.0.0.0/8 demo_selfservice_net_sub
+-------------------+-----------------------------------------------+
| Field             | Value                                         |
+-------------------+-----------------------------------------------+
| allocation_pools  | 10.0.0.255-10.255.255.254,10.0.0.1-10.0.0.253 |
| cidr              | 10.0.0.0/8                                    |
| created_at        | 2020-10-31T10:42:52Z                          |
| description       |                                               |
| dns_nameservers   | 61.139.2.69                                   |
| enable_dhcp       | True                                          |
| gateway_ip        | 10.0.0.254                                    |
| host_routes       |                                               |
| id                | 1f2e1eca-d827-4d30-8c33-2ed1a5420d86          |
| ip_version        | 4                                             |
| ipv6_address_mode | None                                          |
| ipv6_ra_mode      | None                                          |
| name              | demo_selfservice_net_sub                      |
| network_id        | ad433d82-6fe1-4e51-9fe2-4cfa0fa2040d          |
| project_id        | 1a918887f38a42c28f9d0d3774f34b16              |
| revision_number   | 0                                             |
| segment_id        | None                                          |
| service_types     |                                               |
| subnetpool_id     | None                                          |
| tags              |                                               |
| updated_at        | 2020-10-31T10:42:52Z                          |
+-------------------+-----------------------------------------------+
[root@node01 ~]#
Tip: the subnet here is created with the demo user's environment variables rather than admin's, because a self-service network is a tenant network, managed by the tenant itself.
Create a virtual router
[root@node01 ~]# openstack router create demo_selfservice_net_sub_router1
+-------------------------+--------------------------------------+
| Field                   | Value                                |
+-------------------------+--------------------------------------+
| admin_state_up          | UP                                   |
| availability_zone_hints |                                      |
| availability_zones      |                                      |
| created_at              | 2020-10-31T10:48:53Z                 |
| description             |                                      |
| external_gateway_info   | None                                 |
| flavor_id               | None                                 |
| id                      | 2c288a0c-c2ce-4bca-b0a8-d795844ea3e6 |
| name                    | demo_selfservice_net_sub_router1     |
| project_id              | 1a918887f38a42c28f9d0d3774f34b16     |
| revision_number         | 1                                    |
| routes                  |                                      |
| status                  | ACTIVE                               |
| tags                    |                                      |
| updated_at              | 2020-10-31T10:48:53Z                 |
+-------------------------+--------------------------------------+
[root@node01 ~]#
Add the subnet created above to the router
[root@node01 ~]# openstack router add subnet demo_selfservice_net_sub_router1 demo_selfservice_net_sub
[root@node01 ~]#
Tip: openstack router add subnet takes the virtual router's name (or ID) followed by the subnet's name (or ID).
Set the virtual router's upstream network, somewhat like configuring the WAN port of a home router
[root@node01 ~]# openstack router set demo_selfservice_net_sub_router1 --external-gateway provider-net
[root@node01 ~]#
The virtual router is now created and configured
Verification: on the controller node, source the admin user's environment variables and view the network namespaces
[root@node01 ~]# source admin.sh
[root@node01 ~]# ip netns
qrouter-2c288a0c-c2ce-4bca-b0a8-d795844ea3e6 (id: 2)
qdhcp-ad433d82-6fe1-4e51-9fe2-4cfa0fa2040d (id: 1)
qdhcp-d4732915-a968-499d-b34b-00a6fa4c401d (id: 0)
[root@node01 ~]#
Tip: one qrouter namespace and two qdhcp namespaces are visible, which indicates the virtual router we created is fine.
Verification: list the ports on the router and check whether they carry the IP addresses of the networks we configured
[root@node01 ~]# openstack port list --router demo_selfservice_net_sub_router1
+--------------------------------------+------+-------------------+------------------------------------------------------------------------------+--------+
| ID                                   | Name | MAC Address       | Fixed IP Addresses                                                           | Status |
+--------------------------------------+------+-------------------+------------------------------------------------------------------------------+--------+
| 111f53eb-4b47-4f15-8141-f2a500db1103 |      | fa:16:3e:21:af:3c | ip_address='10.0.0.254', subnet_id='1f2e1eca-d827-4d30-8c33-2ed1a5420d86'    | ACTIVE |
| ab87a282-b78b-4193-8873-c9336aaaf04e |      | fa:16:3e:ae:31:03 | ip_address='192.168.0.107', subnet_id='08341b97-47d0-4c81-bb04-385f36c6b609' | ACTIVE |
+--------------------------------------+------+-------------------+------------------------------------------------------------------------------+--------+
[root@node01 ~]#
Verification: view the router's network interfaces
[root@node01 ~]# ip netns exec qrouter-2c288a0c-c2ce-4bca-b0a8-d795844ea3e6 ifconfig
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

qg-ab87a282-b7: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.107  netmask 255.255.255.0  broadcast 192.168.0.255
        inet6 fe80::f816:3eff:feae:3103  prefixlen 64  scopeid 0x20<link>
        ether fa:16:3e:ae:31:03  txqueuelen 1000  (Ethernet)
        RX packets 215  bytes 76407 (74.6 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 22  bytes 1452 (1.4 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

qr-111f53eb-4b: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1450
        inet 10.0.0.254  netmask 255.0.0.0  broadcast 10.255.255.255
        inet6 fe80::f816:3eff:fe21:af3c  prefixlen 64  scopeid 0x20<link>
        ether fa:16:3e:21:af:3c  txqueuelen 1000  (Ethernet)
        RX packets 109  bytes 9850 (9.6 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 79  bytes 8047 (7.8 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[root@node01 ~]#
Verification: ping the virtual router's address from another host
[root@node03 ~]# ping 192.168.0.107
PING 192.168.0.107 (192.168.0.107) 56(84) bytes of data.
64 bytes from 192.168.0.107: icmp_seq=1 ttl=64 time=1.63 ms
64 bytes from 192.168.0.107: icmp_seq=2 ttl=64 time=1.16 ms
^C
--- 192.168.0.107 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 1.161/1.397/1.633/0.236 ms
[root@node03 ~]#
The self-service network is now complete.
Launch a VM instance
On the controller node, source the demo user's environment variables and verify that networks are available
[root@node01 ~]# source demo.sh
[root@node01 ~]# openstack network list
+--------------------------------------+----------------------+--------------------------------------+
| ID                                   | Name                 | Subnets                              |
+--------------------------------------+----------------------+--------------------------------------+
| ad433d82-6fe1-4e51-9fe2-4cfa0fa2040d | demo_selfservice_net | 1f2e1eca-d827-4d30-8c33-2ed1a5420d86 |
| d4732915-a968-499d-b34b-00a6fa4c401d | provider-net         | 08341b97-47d0-4c81-bb04-385f36c6b609 |
+--------------------------------------+----------------------+--------------------------------------+
[root@node01 ~]#
Tip: there is now one more network.
Create the VM
[root@node01 ~]# openstack server create --flavor m1.nano --image cirros \
> --nic net-id=ad433d82-6fe1-4e51-9fe2-4cfa0fa2040d --security-group default \
> --key-name demo_key demo_vm2
+-----------------------------+-----------------------------------------------+
| Field                       | Value                                         |
+-----------------------------+-----------------------------------------------+
| OS-DCF:diskConfig           | MANUAL                                        |
| OS-EXT-AZ:availability_zone |                                               |
| OS-EXT-STS:power_state      | NOSTATE                                       |
| OS-EXT-STS:task_state       | scheduling                                    |
| OS-EXT-STS:vm_state         | building                                      |
| OS-SRV-USG:launched_at      | None                                          |
| OS-SRV-USG:terminated_at    | None                                          |
| accessIPv4                  |                                               |
| accessIPv6                  |                                               |
| addresses                   |                                               |
| adminPass                   | BwSt52FxL4Nk                                  |
| config_drive                |                                               |
| created                     | 2020-10-31T11:10:59Z                          |
| flavor                      | m1.nano (0)                                   |
| hostId                      |                                               |
| id                          | 3f220e22-50ce-4068-9b0b-cd9c07446e6c          |
| image                       | cirros (94dd2ba0-1736-4307-865d-7cb86b85d32e) |
| key_name                    | demo_key                                      |
| name                        | demo_vm2                                      |
| progress                    | 0                                             |
| project_id                  | 1a918887f38a42c28f9d0d3774f34b16              |
| properties                  |                                               |
| security_groups             | name='06b13f55-8beb-48d4-9994-490acc5488cf'   |
| status                      | BUILD                                         |
| updated                     | 2020-10-31T11:10:59Z                          |
| user_id                     | 5453d68782a34429a7dab7da9c51f0d9              |
| volumes_attached            |                                               |
+-----------------------------+-----------------------------------------------+
[root@node01 ~]#
List the current user's VMs
[root@node01 ~]# openstack server list
+--------------------------------------+----------+--------+-------------------------------+--------+---------+
| ID                                   | Name     | Status | Networks                      | Image  | Flavor  |
+--------------------------------------+----------+--------+-------------------------------+--------+---------+
| 3f220e22-50ce-4068-9b0b-cd9c07446e6c | demo_vm2 | ACTIVE | demo_selfservice_net=10.0.1.2 | cirros | m1.nano |
| a9f76200-0636-48ab-9eda-69526dab0653 | demo_vm1 | ACTIVE | provider-net=192.168.0.103    | cirros | m1.nano |
+--------------------------------------+----------+--------+-------------------------------+--------+---------+
[root@node01 ~]#
Tip: demo_vm2 is running, with IP address 10.0.1.2.
Get the VM's VNC URL
[root@node01 ~]# openstack console url show demo_vm2
+-------+-------------------------------------------------------------------------------------------+
| Field | Value                                                                                     |
+-------+-------------------------------------------------------------------------------------------+
| type  | novnc                                                                                     |
| url   | http://controller:6080/vnc_auto.html?path=%3Ftoken%3D96aa104b-c603-41ee-aaa5-1e1bbc0e522f |
+-------+-------------------------------------------------------------------------------------------+
[root@node01 ~]#
Verification: open the URL in a browser and check whether the VM's VNC console is reachable
Tip: the returned URL reaches the demo_vm2 instance.
Verification: log in to the VM and check whether its IP address is on the network we specified
Verification: can it communicate with the external network?
Tip: the VM can communicate with the external network normally.
Check the VM's routing table and confirm the gateway is the one we specified
Verification: SSH to demo_vm2 from the controller node and check whether the connection succeeds
Tip: clearly the VM cannot be reached from the external network.
Connect to the VM through the router's network namespace
[root@node01 ~]# ip netns
qrouter-2c288a0c-c2ce-4bca-b0a8-d795844ea3e6 (id: 2)
qdhcp-ad433d82-6fe1-4e51-9fe2-4cfa0fa2040d (id: 1)
qdhcp-d4732915-a968-499d-b34b-00a6fa4c401d (id: 0)
[root@node01 ~]# ip netns exec qrouter-2c288a0c-c2ce-4bca-b0a8-d795844ea3e6 ssh cirros@10.0.1.2
The authenticity of host '10.0.1.2 (10.0.1.2)' can't be established.
ECDSA key fingerprint is SHA256:7jOPWda8qBsteCnjUOHFvwq0YLeZzSOh2Sd7qJlMCFU.
ECDSA key fingerprint is MD5:24:ec:79:49:99:62:74:e3:20:ad:ba:94:4c:b5:fb:c5.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.1.2' (ECDSA) to the list of known hosts.
$ sudo su -
# ifconfig
eth0      Link encap:Ethernet  HWaddr FA:16:3E:70:34:63
          inet addr:10.0.1.2  Bcast:10.255.255.255  Mask:255.0.0.0
          inet6 addr: fe80::f816:3eff:fe70:3463/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1450  Metric:1
          RX packets:153 errors:0 dropped:0 overruns:0 frame:0
          TX packets:165 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:20183 (19.7 KiB)  TX bytes:17629 (17.2 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

# exit
$ exit
Connection to 10.0.1.2 closed.
[root@node01 ~]#
Tip: through the virtual router's network namespace, the VM can be reached from the external network.
Set up one-to-one NAT so that the external network can reach the VM
Create a floating IP on the provider-net network, to serve as the entry address for traffic from the external network to the internal VM
[root@node01 ~]# openstack floating ip create provider-net
+---------------------+--------------------------------------+
| Field               | Value                                |
+---------------------+--------------------------------------+
| created_at          | 2020-10-31T12:29:44Z                 |
| description         |                                      |
| dns_domain          | None                                 |
| dns_name            | None                                 |
| fixed_ip_address    | None                                 |
| floating_ip_address | 192.168.0.104                        |
| floating_network_id | d4732915-a968-499d-b34b-00a6fa4c401d |
| id                  | 1bedaaf8-5bdf-492b-8e8b-d009dd62a93f |
| name                | 192.168.0.104                        |
| port_details        | None                                 |
| port_id             | None                                 |
| project_id          | 1a918887f38a42c28f9d0d3774f34b16     |
| qos_policy_id       | None                                 |
| revision_number     | 0                                    |
| router_id           | None                                 |
| status              | DOWN                                 |
| subnet_id           | None                                 |
| tags                | []                                   |
| updated_at          | 2020-10-31T12:29:44Z                 |
+---------------------+--------------------------------------+
[root@node01 ~]#
Tip: the floating IP address is 192.168.0.104.
Associate the floating IP with the VM instance
[root@node01 ~]# openstack server add floating ip demo_vm2 192.168.0.104
[root@node01 ~]#
List the current user's VM instances again
[root@node01 ~]# openstack server list
+--------------------------------------+----------+--------+----------------------------------------------+--------+---------+
| ID                                   | Name     | Status | Networks                                     | Image  | Flavor  |
+--------------------------------------+----------+--------+----------------------------------------------+--------+---------+
| 3f220e22-50ce-4068-9b0b-cd9c07446e6c | demo_vm2 | ACTIVE | demo_selfservice_net=10.0.1.2, 192.168.0.104 | cirros | m1.nano |
| a9f76200-0636-48ab-9eda-69526dab0653 | demo_vm1 | ACTIVE | provider-net=192.168.0.103                   | cirros | m1.nano |
+--------------------------------------+----------+--------+----------------------------------------------+--------+---------+
[root@node01 ~]#
Tip: the floating IP now appears on demo_vm2's interface.
Verification: ping 192.168.0.104 from another host
[root@node02 ~]# ping 192.168.0.104
PING 192.168.0.104 (192.168.0.104) 56(84) bytes of data.
64 bytes from 192.168.0.104: icmp_seq=1 ttl=63 time=5.82 ms
64 bytes from 192.168.0.104: icmp_seq=2 ttl=63 time=2.07 ms
64 bytes from 192.168.0.104: icmp_seq=3 ttl=63 time=2.62 ms
^C
--- 192.168.0.104 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2004ms
rtt min/avg/max/mdev = 2.071/3.504/5.820/1.653 ms
[root@node02 ~]#
Verification: SSH to 192.168.0.104 from an external host and check whether it reaches the VM
[root@node01 ~]# ssh cirros@192.168.0.104
The authenticity of host '192.168.0.104 (192.168.0.104)' can't be established.
ECDSA key fingerprint is SHA256:7jOPWda8qBsteCnjUOHFvwq0YLeZzSOh2Sd7qJlMCFU.
ECDSA key fingerprint is MD5:24:ec:79:49:99:62:74:e3:20:ad:ba:94:4c:b5:fb:c5.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.0.104' (ECDSA) to the list of known hosts.
$ ifconfig
eth0      Link encap:Ethernet  HWaddr FA:16:3E:70:34:63
          inet addr:10.0.1.2  Bcast:10.255.255.255  Mask:255.0.0.0
          inet6 addr: fe80::f816:3eff:fe70:3463/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1450  Metric:1
          RX packets:376 errors:0 dropped:0 overruns:0 frame:0
          TX packets:317 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:46715 (45.6 KiB)  TX bytes:38361 (37.4 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

$ exit
Connection to 192.168.0.104 closed.
[root@node01 ~]#
Tip: an external host can now talk to the VM directly by connecting to the floating IP. In fact, when we attached the floating IP to the VM, a DNAT rule was added to the virtual router's iptables, as shown below
Tip: the DNAT rule above explains why accessing the floating IP from the external network reaches the VM on the internal network.
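The translation the router applies can be read back from its nat table and compared with what Nova reports, which also shows why demo_vm2 could reach the outside before it had a floating IP (the gateway SNAT to 192.168.0.107) but could not be reached from outside (no DNAT yet). The following is an added example, not code from the original post: the iptables listing is a constructed sample in the Neutron L3 agent's chain layout (what `ip netns exec qrouter-<id> iptables -t nat -S` prints), using the interface and addresses from this post; it is not captured output.

```python
"""Reconstruct the floating-IP NAT mapping from the nat-table rules the Neutron
L3 agent keeps in the qrouter namespace, and cross-check it against the
addresses Nova shows in ``openstack server list``.

Added example, not part of the original post. QROUTER_NAT_RULES is a
constructed sample in the L3 agent's chain layout (what ``ip netns exec
qrouter-<id> iptables -t nat -S`` prints); interface and addresses are taken
from the post, but the rule text is not captured output.
"""
import re

QROUTER_NAT_RULES = """\
-A PREROUTING -j neutron-l3-agent-PREROUTING
-A OUTPUT -j neutron-l3-agent-OUTPUT
-A POSTROUTING -j neutron-l3-agent-POSTROUTING
-A POSTROUTING -j neutron-postrouting-bottom
-A neutron-l3-agent-OUTPUT -d 192.168.0.104/32 -j DNAT --to-destination 10.0.1.2
-A neutron-l3-agent-PREROUTING -d 192.168.0.104/32 -j DNAT --to-destination 10.0.1.2
-A neutron-l3-agent-float-snat -s 10.0.1.2/32 -j SNAT --to-source 192.168.0.104
-A neutron-l3-agent-snat -j neutron-l3-agent-float-snat
-A neutron-l3-agent-snat -o qg-ab87a282-b7 -j SNAT --to-source 192.168.0.107
-A neutron-postrouting-bottom -j neutron-l3-agent-snat
"""

# The Networks cells from the post's ``openstack server list`` output.
SERVER_NETWORKS = {
    "demo_vm2": "demo_selfservice_net=10.0.1.2, 192.168.0.104",
    "demo_vm1": "provider-net=192.168.0.103",
}

DNAT_RE = re.compile(r"^-A (\S+) -d (\S+)/32 -j DNAT --to-destination (\S+)$")
SNAT_RE = re.compile(r"^-A (\S+) -s (\S+)/32 -j SNAT --to-source (\S+)$")
GW_SNAT_RE = re.compile(r"^-A neutron-l3-agent-snat -o (\S+) -j SNAT --to-source (\S+)$")


def parse_nat_rules(text):
    """Return (dnat, snat, gateway).

    dnat maps floating -> fixed from the PREROUTING chain (inbound traffic),
    snat maps fixed -> floating from the float-snat chain (the VM's outbound
    traffic appears as its floating IP), and gateway is (interface, address)
    of the catch-all SNAT that VMs without a floating IP share.
    """
    dnat, snat, gateway = {}, {}, None
    for line in text.splitlines():
        m = DNAT_RE.match(line)
        if m and m.group(1) == "neutron-l3-agent-PREROUTING":
            dnat[m.group(2)] = m.group(3)
            continue
        m = SNAT_RE.match(line)
        if m and m.group(1) == "neutron-l3-agent-float-snat":
            snat[m.group(2)] = m.group(3)
            continue
        m = GW_SNAT_RE.match(line)
        if m:
            gateway = (m.group(1), m.group(2))
    return dnat, snat, gateway


def parse_networks_cell(cell):
    """'net=10.0.1.2, 192.168.0.104' -> (net, fixed_ip, floating_ip or None)."""
    net, _, addrs = cell.partition("=")
    ips = [a.strip() for a in addrs.split(",") if a.strip()]
    return net, ips[0], (ips[1] if len(ips) > 1 else None)


def check_floating_ips(servers, nat_text, tenant_net):
    """Compare what Nova reports with what the router actually translates.

    Result per server: 'ok', 'no-floating-ip' (outbound only, via the gateway
    SNAT), 'dnat-missing', 'dnat-mismatch', 'snat-missing', or
    'not-behind-router' for servers on another network.
    """
    dnat, snat, _ = parse_nat_rules(nat_text)
    result = {}
    for name, cell in servers.items():
        net, fixed, floating = parse_networks_cell(cell)
        if net != tenant_net:
            result[name] = "not-behind-router"
        elif floating is None:
            result[name] = "no-floating-ip"
        elif floating not in dnat:
            result[name] = "dnat-missing"
        elif dnat[floating] != fixed:
            result[name] = "dnat-mismatch"
        elif snat.get(fixed) != floating:
            result[name] = "snat-missing"
        else:
            result[name] = "ok"
    return result


if __name__ == "__main__":
    for server, state in check_floating_ips(
            SERVER_NETWORKS, QROUTER_NAT_RULES, "demo_selfservice_net").items():
        print(f"{server}: {state}")
```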
This completes the configuration and testing of a VM instance launched on a self-service network.