Deploying OpenStack Networking services with high availability using VRRP and Open vSwitch
This scenario describes a high-availability architecture for the OpenStack Networking service deployed with the ML2 plug-in and Open vSwitch (OVS).
It extends the classic architecture with support for the Virtual Router Redundancy Protocol (VRRP), using keepalived to provide quick failover of layer-3 services.
As in the standard deployment, all traffic within a project network must pass through a router; regardless of how many network nodes you deploy, only one active network node actually performs routing at any time. The HA mechanism therefore optimizes for failure scenarios rather than for bandwidth limits. It does, however, allow routers to be spread across network nodes, which reduces bandwidth bottlenecks and improves scalability. Note that this scenario does not cover the case where all layer-3 agents fail while the underlying virtual networks continue to operate.
Deployment consideration: distributed virtual routing (DVR) can be used to add redundancy.
Version limitation: in Kilo, DVR and L3HA cannot be enabled at the same time.
Failover scope: the failover process only retains the network connection state of instances that have an associated floating IP address.
Supported network types: the example configuration creates a flat external network and a VXLAN project network; VLAN external networks, VLAN project networks and GRE project networks are also supported.
Known defect: due to a bug in Juno and Kilo, VXLAN and GRE project networks must use multicast rather than the layer-2 population mechanism.
Prerequisites
Infrastructure
The controller node needs a management network interface. Each network node needs four network interfaces: management, project tunnel networks, project VLAN networks, and external. The Open vSwitch bridge br-vlan must contain a port on the VLAN interface, and the Open vSwitch bridge br-ex must contain a port on the external interface. Each compute node needs at least three network interfaces, configured similarly to the network nodes.
To make network traffic easier to follow, the network nodes and compute nodes should use a separate network interface for project VLAN networks. In production, project VLAN networks can use any Open vSwitch bridge (such as br-tun) that connects to a physical network interface.
Network address plan:
- Management network: 10.0.0.0/24
- Tunnel network: 10.0.1.0/24
- VRRP network: 169.254.192.0/18
- External network: 203.0.113.0/24
- VLAN network: no IP addresses required
Hardware requirements
Refer to the hardware layout figure.
Network layout
Refer to the network layout figure.
Service layout
Refer to the service layout figure.
Note: for VLAN external and project networks, the network infrastructure must support VLAN tagging. For best performance with VXLAN and GRE project networks, the network infrastructure should support jumbo frames.
Controller node services
- Database connection parameters in the neutron.conf file
- Message queue service in the neutron.conf file
- OpenStack Identity (Keystone) authentication in the neutron.conf file
- OpenStack Compute controller/management service configured to use the Networking service in the nova.conf file
- neutron server service, ML2 plug-in, and dependencies
Network node services
- OpenStack Identity (Keystone) authentication in the neutron.conf file
- Open vSwitch service, ML2 plug-in, Open vSwitch agent, L3 agent, DHCP agent, metadata agent, and dependencies
Compute node services
- OpenStack Identity (Keystone) authentication in the neutron.conf file
- OpenStack Compute controller/management service configured to use the Networking service in the nova.conf file
- Open vSwitch service, ML2 plug-in, Open vSwitch agent, and dependencies
Architecture
General architecture
Refer to the architecture figure.
The network node contains the following components:
The Open vSwitch agent manages connectivity among virtual switches and interacts via virtual ports with other network components such as namespaces, Linux bridges, and underlying interfaces.
The DHCP agent manages the qdhcp namespaces, which provide DHCP services for instances using project networks.
The L3 agent uses keepalived to manage the qrouter namespaces and the VRRP instances. The qrouter namespaces provide routing between project networks and external networks, and among project networks. They also route metadata traffic between instances and the metadata agent.
The metadata agent handles metadata requests from instances.
Network node components
Refer to the components figure.
Network node connectivity
Refer to the connectivity figure.
The compute nodes contain the following components:
The Open vSwitch agent, which likewise manages virtual switch connectivity and interaction with other network components.
Linux bridges, which enforce security group rules.
Note: because of architectural limitations with Open vSwitch and iptables, the Networking service uses Linux bridges to manage security groups for instances.
Compute node components
Refer to the components figure.
Compute node connectivity
Refer to the connectivity figure.
Packet flow
The L3HA mechanism works as follows: if the master router fails, layer-3 services fail over quickly to a backup router, with Open vSwitch providing the connectivity.
During normal operation, the master router periodically sends VRRP heartbeat packets over a dedicated hidden project network that connects all of the HA router instances.
By default, this network uses the first network type listed in the tenant_network_types option of the neutron.conf configuration file.
When a backup router stops receiving heartbeat packets, it assumes that the master router has failed and promotes itself to master by configuring IP addresses on the interfaces in its qrouter namespace. If several backup routers exist, the one with the next highest priority becomes the master.
Note: the L3HA mechanism configures all routers with the same priority. VRRP therefore promotes the backup router with the highest IP address to master.
Example configuration
Use the following example configuration as a template for deploying this scenario in your environment.
Controller node
- Configure common options. Edit the /etc/neutron/neutron.conf file:
[DEFAULT]
verbose = True
core_plugin = ml2
service_plugins = router
allow_overlapping_ips = True
router_distributed = False
l3_ha = True
l3_ha_net_cidr = 169.254.192.0/18
max_l3_agents_per_router = 3
min_l3_agents_per_router = 2
dhcp_agents_per_network = 2
- Configure the ML2 plug-in. Edit the /etc/neutron/plugins/ml2/ml2_conf.ini file:
[ml2]
type_drivers = flat,vlan,gre,vxlan
tenant_network_types = vlan,gre,vxlan
mechanism_drivers = openvswitch
[ml2_type_flat]
flat_networks = external
[ml2_type_vlan]
network_vlan_ranges = external,vlan:100:200
[ml2_type_gre]
tunnel_id_ranges = 1001:2000
[ml2_type_vxlan]
vni_ranges = 5001:8000
vxlan_group = 239.1.1.1
[securitygroup]
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
enable_security_group = True
enable_ipset = True
Replace the VLAN, GRE and VXLAN ID ranges with values suitable for your environment.
Notes:
The first value in the tenant_network_types option becomes the default project network type when a regular user creates a network.
The external value in the network_vlan_ranges option lacks VLAN ID ranges so that administrators can use any VLAN ID.
- Start the services.
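The options above interact: l3_ha must not be combined with router_distributed on Kilo, a router needs at least two L3 agents to have a standby, the first tenant_network_types entry decides both the default project network type and the type of the hidden HA network, and l2_population must stay off for GRE/VXLAN project networks because of the Juno/Kilo bug. The following added example (not code from the OpenStack guide) checks those relationships over the fragments shown on this page; the config text is embedded as a constructed sample and the function names are the example's own.

```python
import configparser
import ipaddress

# Constructed input: the controller-node fragments shown on this page, plus the
# [ml2]/[agent] fragment from the network node so l2_population can be checked.
NEUTRON_CONF = """
[DEFAULT]
core_plugin = ml2
service_plugins = router
allow_overlapping_ips = True
router_distributed = False
l3_ha = True
l3_ha_net_cidr = 169.254.192.0/18
max_l3_agents_per_router = 3
min_l3_agents_per_router = 2
dhcp_agents_per_network = 2
"""

ML2_CONF = """
[ml2]
type_drivers = flat,vlan,gre,vxlan
tenant_network_types = vlan,gre,vxlan
mechanism_drivers = openvswitch
[agent]
tunnel_types = gre,vxlan
l2_population = False
"""

def _parse(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp

def _csv(value):
    return [v.strip() for v in value.split(",") if v.strip()]

def default_tenant_network_type(ml2_conf):
    """First tenant_network_types entry: what non-admin users get, and the
    type of the hidden HA network that carries the VRRP heartbeats."""
    return _csv(_parse(ml2_conf).get("ml2", "tenant_network_types"))[0]

def check_l3ha(neutron_conf, ml2_conf):
    """Return a list of findings; an empty list means the fragments are consistent."""
    n = _parse(neutron_conf)["DEFAULT"]
    m = _parse(ml2_conf)
    findings = []
    ha = n.getboolean("l3_ha", fallback=False)
    if not ha:
        findings.append("l3_ha is False: new routers get no VRRP standby")
    # Kilo limitation stated on the page: DVR and L3HA cannot be enabled together.
    if ha and n.getboolean("router_distributed", fallback=False):
        findings.append("l3_ha and router_distributed both True: not supported in Kilo")
    lo = n.getint("min_l3_agents_per_router", fallback=2)
    hi = n.getint("max_l3_agents_per_router", fallback=3)
    if lo < 2:
        findings.append("min_l3_agents_per_router < 2 leaves a router with no standby")
    if lo > hi:
        findings.append("min_l3_agents_per_router exceeds max_l3_agents_per_router")
    try:
        ipaddress.ip_network(n.get("l3_ha_net_cidr", "169.254.192.0/18"))
    except ValueError:
        findings.append("l3_ha_net_cidr is not a valid network")
    # Juno/Kilo bug noted on the page: GRE/VXLAN project networks need multicast,
    # so the layer-2 population mechanism must remain disabled.
    tunnels = set(_csv(m.get("agent", "tunnel_types", fallback="")))
    if tunnels & {"gre", "vxlan"} and m.getboolean("agent", "l2_population", fallback=False):
        findings.append("l2_population must be False with GRE/VXLAN project networks on Juno/Kilo")
    drivers = set(_csv(m.get("ml2", "type_drivers")))
    missing = [t for t in _csv(m.get("ml2", "tenant_network_types")) if t not in drivers]
    if missing:
        findings.append("tenant_network_types not in type_drivers: " + ",".join(missing))
    return findings

if __name__ == "__main__":
    for line in check_l3ha(NEUTRON_CONF, ML2_CONF) or ["OK: fragments are consistent"]:
        print(line)
```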
Network node
- Configure the kernel to enable packet forwarding and disable reverse path filtering. Edit the /etc/sysctl.conf file:
net.ipv4.ip_forward=1
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.all.rp_filter=0
- Load the new kernel configuration:
$ sysctl -p
- Configure common options. Edit the /etc/neutron/neutron.conf file:
[DEFAULT]
verbose = True
- Configure the Open vSwitch agent. Edit the /etc/neutron/plugins/ml2/ml2_conf.ini file:
[ovs]
local_ip = TUNNEL_INTERFACE_IP_ADDRESS
bridge_mappings = vlan:br-vlan,external:br-ex
[agent]
tunnel_types = gre,vxlan
l2_population = False
[securitygroup]
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
enable_security_group = True
enable_ipset = True
Replace TUNNEL_INTERFACE_IP_ADDRESS with the IP address of the interface that handles GRE/VXLAN project networks.
- Configure the L3 agent. Edit the /etc/neutron/l3_agent.ini file:
[DEFAULT]
verbose = True
interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
use_namespaces = True
external_network_bridge =
router_delete_namespaces = True
agent_mode = legacy
Note: the external_network_bridge option is intentionally left empty.
- Configure the DHCP agent. Edit the /etc/neutron/dhcp_agent.ini file:
[DEFAULT]
verbose = True
interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq
use_namespaces = True
dhcp_delete_namespaces = True
- (Optional) Reduce the MTU for VXLAN project networks.
Edit the /etc/neutron/dhcp_agent.ini file:
[DEFAULT]
dnsmasq_config_file = /etc/neutron/dnsmasq-neutron.conf
Edit the /etc/neutron/dnsmasq-neutron.conf file:
dhcp-option-force=26,1450
- Configure the metadata agent. Edit the /etc/neutron/metadata_agent.ini file:
[DEFAULT]
verbose = True
nova_metadata_ip = controller
metadata_proxy_shared_secret = METADATA_SECRET
Replace METADATA_SECRET with a suitable value for your environment.
- Start the following services:
Open vSwitch
Open vSwitch agent
L3 agent
DHCP agent
Metadata agent
Compute nodes
- Configure the kernel to enable iptables on bridges and disable reverse path filtering. Edit the /etc/sysctl.conf file:
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.all.rp_filter=0
net.bridge.bridge-nf-call-iptables=1
net.bridge.bridge-nf-call-ip6tables=1
- Load the new kernel configuration:
$ sysctl -p
- Configure common options. Edit the /etc/neutron/neutron.conf file:
[DEFAULT]
verbose = True
- Configure the Open vSwitch agent. Edit the /etc/neutron/plugins/ml2/ml2_conf.ini file:
[ovs]
local_ip = TUNNEL_INTERFACE_IP_ADDRESS
bridge_mappings = vlan:br-vlan
[agent]
tunnel_types = gre,vxlan
l2_population = False
[securitygroup]
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
enable_security_group = True
enable_ipset = True
Replace TUNNEL_INTERFACE_IP_ADDRESS with the IP address of the tunnel interface.
- Start the following services:
Open vSwitch
Open vSwitch agent
Verify service operation
- Source the administrative project credentials.
- Verify presence and operation of the agents:
$ neutron agent-list
+--------------------------------------+--------------------+----------+-------+----------------+---------------------------+
| id | agent_type | host | alive | admin_state_up | binary |
+--------------------------------------+--------------------+----------+-------+----------------+---------------------------+
| 0bfe5b5d-0b82-434e-b8a0-524cc18da3a4 | DHCP agent | network1 | :-) | True | neutron-dhcp-agent |
| 25224bd5-0905-4ec9-9f2d-3b17cdaf5650 | Open vSwitch agent | compute2 | :-) | True | neutron-openvswitch-agent |
| 29afe014-273d-42f3-ad71-8a226e40dea6 | L3 agent | network1 | :-) | True | neutron-l3-agent |
| 3bed5093-e46c-4b0f-9460-3309c62254a3 | DHCP agent | network2 | :-) | True | neutron-dhcp-agent |
| 54aefb1c-35f7-4ebf-a848-3bb4fe81dcf7 | Open vSwitch agent | network1 | :-) | True | neutron-openvswitch-agent |
| 91c9cc03-1678-4d7a-b0a7-fa1ac24e5516 | Open vSwitch agent | compute1 | :-) | True | neutron-openvswitch-agent |
| ac7b3f77-7e4d-47a6-9dbd-3358cfb67b61 | Open vSwitch agent | network2 | :-) | True | neutron-openvswitch-agent |
| ceef5c49-3148-4c39-9e15-4985fc995113 | Metadata agent | network1 | :-) | True | neutron-metadata-agent |
| d27ac19b-fb4d-4fec-b81d-e8c65557b6ec | L3 agent | network2 | :-) | True | neutron-l3-agent |
| f072a1ec-f842-4223-a6b6-ec725419be85 | Metadata agent | network2 | :-) | True | neutron-metadata-agent |
+--------------------------------------+--------------------+----------+-------+----------------+---------------------------+
Create initial networks
This example creates a flat external network and a VXLAN project network.
- Source the administrative project credentials.
- Create the external network:
$ neutron net-create ext-net --router:external True \
--provider:physical_network external --provider:network_type flat
Created a new network:
+---------------------------+--------------------------------------+
| Field | Value |
+---------------------------+--------------------------------------+
| admin_state_up | True |
| id | 5266fcbc-d429-4b21-8544-6170d1691826 |
| name | ext-net |
| provider:network_type | flat |
| provider:physical_network | external |
| provider:segmentation_id | |
| router:external | True |
| shared | False |
| status | ACTIVE |
| subnets | |
| tenant_id | 96393622940e47728b6dcdb2ef405f50 |
+---------------------------+--------------------------------------+
- Create a subnet on the external network:
$ neutron subnet-create ext-net 203.0.113.0/24 --name ext-subnet \
--allocation-pool start=203.0.113.101,end=203.0.113.200 \
--disable-dhcp --gateway 203.0.113.1
Created a new subnet:
+-------------------+----------------------------------------------------+
| Field | Value |
+-------------------+----------------------------------------------------+
| allocation_pools | {"start": "203.0.113.101", "end": "203.0.113.200"} |
| cidr | 203.0.113.0/24 |
| dns_nameservers | |
| enable_dhcp | False |
| gateway_ip | 203.0.113.1 |
| host_routes | |
| id | b32e0efc-8cc3-43ff-9899-873b94df0db1 |
| ip_version | 4 |
| ipv6_address_mode | |
| ipv6_ra_mode | |
| name | ext-subnet |
| network_id | 5266fcbc-d429-4b21-8544-6170d1691826 |
| tenant_id | 96393622940e47728b6dcdb2ef405f50 |
+-------------------+----------------------------------------------------+
Note: the example configuration uses vlan as the first project network type, so only administrators can create networks of other types (such as GRE or VXLAN). The following commands use the admin credentials to create a VXLAN project network.
- Obtain the ID of a regular project (the demo project in this example):
$ openstack project show demo
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Demo Tenant |
| enabled | True |
| id | 443cd1596b2e46d49965750771ebbfe1 |
| name | demo |
+-------------+----------------------------------+
- Create the project network:
$ neutron net-create demo-net \
--tenant-id 443cd1596b2e46d49965750771ebbfe1 \
--provider:network_type vxlan
Created a new network:
+---------------------------+--------------------------------------+
| Field | Value |
+---------------------------+--------------------------------------+
| admin_state_up | True |
| id | 7ac9a268-1ddd-453f-857b-0fd9552b645f |
| name | demo-net |
| provider:network_type | vxlan |
| provider:physical_network | |
| provider:segmentation_id | 1 |
| router:external | False |
| shared | False |
| status | ACTIVE |
| subnets | |
| tenant_id | 443cd1596b2e46d49965750771ebbfe1 |
+---------------------------+--------------------------------------+
- Source the regular project credentials (the demo project).
- Create a subnet on the project network:
$ neutron subnet-create demo-net 192.168.1.0/24 --name demo-subnet \
--gateway 192.168.1.1
Created a new subnet:
+-------------------+--------------------------------------------------+
| Field | Value |
+-------------------+--------------------------------------------------+
| allocation_pools | {"start": "192.168.1.2", "end": "192.168.1.254"} |
| cidr | 192.168.1.0/24 |
| dns_nameservers | |
| enable_dhcp | True |
| gateway_ip | 192.168.1.1 |
| host_routes | |
| id | 2945790c-5999-4693-b8e7-50a9fc7f46f5 |
| ip_version | 4 |
| ipv6_address_mode | |
| ipv6_ra_mode | |
| name | demo-subnet |
| network_id | 7ac9a268-1ddd-453f-857b-0fd9552b645f |
| tenant_id | 443cd1596b2e46d49965750771ebbfe1 |
+-------------------+--------------------------------------------------+
- Create the project router:
$ neutron router-create demo-router
Created a new router:
+-----------------------+--------------------------------------+
| Field | Value |
+-----------------------+--------------------------------------+
| admin_state_up | True |
| distributed | False |
| external_gateway_info | |
| ha | True |
| id | 7a46dba8-8846-498c-9e10-588664558473 |
| name | demo-router |
| routes | |
| status | ACTIVE |
| tenant_id | 443cd1596b2e46d49965750771ebbfe1 |
+-----------------------+--------------------------------------+
Note: the default policy.json file allows only administrators to enable or disable HA on a router at creation time and to view the HA state flag.
- Add the project subnet as an interface on the router:
$ neutron router-interface-add demo-router demo-subnet
Added interface 8de3e172-5317-4c87-bdc1-f69e359de92e to router demo-router.
- Set the gateway for the router on the external network:
$ neutron router-gateway-set demo-router ext-net
Set gateway for router demo-router
Verify network operation
- Source the administrative project credentials.
- On the controller node, verify creation of the HA network:
$ neutron net-list
+--------------------------------------+----------------------------------------------------+-------------------------------------------------------+
| id | name | subnets |
+--------------------------------------+----------------------------------------------------+-------------------------------------------------------+
| 5266fcbc-d429-4b21-8544-6170d1691826 | ext-net | b32e0efc-8cc3-43ff-9899-873b94df0db1 203.0.113.0/24 |
| e029b568-0fd7-4d10-bb16-f9e014811d10 | HA network tenant 443cd1596b2e46d49965750771ebbfe1 | ee30083f-eb4c-41ea-8937-1bae65740af4 169.254.192.0/18 |
| 7ac9a268-1ddd-453f-857b-0fd9552b645f | demo-net | 2945790c-5999-4693-b8e7-50a9fc7f46f5 192.168.1.0/24 |
+--------------------------------------+----------------------------------------------------+-------------------------------------------------------+
- On the controller node, verify that the router is scheduled on multiple network nodes:
$ neutron l3-agent-list-hosting-router demo-router
+--------------------------------------+----------+----------------+-------+----------+
| id | host | admin_state_up | alive | ha_state |
+--------------------------------------+----------+----------------+-------+----------+
| 29afe014-273d-42f3-ad71-8a226e40dea6 | network1 | True | :-) | active |
| d27ac19b-fb4d-4fec-b81d-e8c65557b6ec | network2 | True | :-) | standby |
+--------------------------------------+----------+----------------+-------+----------+
Note: older versions of python-neutronclient do not support the ha_state field.
- On the controller node, verify creation of the HA ports on the router:
$ neutron router-port-list demo-router
+--------------------------------------+-------------------------------------------------+-------------------+----------------------------------------------------------------------------------------+
| id | name | mac_address | fixed_ips |
+--------------------------------------+-------------------------------------------------+-------------------+----------------------------------------------------------------------------------------+
| 255d2e4b-33ba-4166-a13f-6531122641fe | HA port tenant 443cd1596b2e46d49965750771ebbfe1 | fa:16:3e:25:05:d7 | {"subnet_id": "8e8e4c7d-fa38-417d-a4e3-03ee5ab5493c", "ip_address": "169.254.192.1"} |
| 374587d7-2acd-4156-8993-4294f788b55e | | fa:16:3e:82:a0:59 | {"subnet_id": "b32e0efc-8cc3-43ff-9899-873b94df0db1", "ip_address": "203.0.113.101"} |
| 8de3e172-5317-4c87-bdc1-f69e359de92e | | fa:16:3e:10:9f:f6 | {"subnet_id": "2945790c-5999-4693-b8e7-50a9fc7f46f5", "ip_address": "192.168.1.1"} |
| 90d1a59f-b122-459d-a94a-162a104de629 | HA port tenant 443cd1596b2e46d49965750771ebbfe1 | fa:16:3e:ae:3b:22 | {"subnet_id": "8e8e4c7d-fa38-417d-a4e3-03ee5ab5493c", "ip_address": "169.254.192.2"} |
+--------------------------------------+-------------------------------------------------+-------------------+----------------------------------------------------------------------------------------+
- On the network nodes, verify creation of the qrouter and qdhcp namespaces:
Network node 1:
$ ip netns
qrouter-7a46dba8-8846-498c-9e10-588664558473
Network node 2:
$ ip netns
qrouter-7a46dba8-8846-498c-9e10-588664558473
Both qrouter namespaces should use the same UUID.
Note: the qdhcp namespaces might not exist until you launch an instance.
- On the network nodes, verify HA operation:
Network node 1:
$ ip netns exec qrouter-7a46dba8-8846-498c-9e10-588664558473 ip addr show
11: ha-255d2e4b-33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default
link/ether fa:16:3e:25:05:d7 brd ff:ff:ff:ff:ff:ff
inet 169.254.192.1/18 brd 169.254.255.255 scope global ha-255d2e4b-33
valid_lft forever preferred_lft forever
inet6 fe80::f816:3eff:fe25:5d7/64 scope link
valid_lft forever preferred_lft forever
12: qr-8de3e172-53: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default
link/ether fa:16:3e:10:9f:f6 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.1/24 scope global qr-8de3e172-53
valid_lft forever preferred_lft forever
inet6 fe80::f816:3eff:fe10:9ff6/64 scope link
valid_lft forever preferred_lft forever
13: qg-374587d7-2a: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default
link/ether fa:16:3e:82:a0:59 brd ff:ff:ff:ff:ff:ff
inet 203.0.113.101/24 scope global qg-374587d7-2a
valid_lft forever preferred_lft forever
inet6 fe80::f816:3eff:fe82:a059/64 scope link
valid_lft forever preferred_lft forever
Network node 2:
$ ip netns exec qrouter-7a46dba8-8846-498c-9e10-588664558473 ip addr show
11: ha-90d1a59f-b1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default
link/ether fa:16:3e:ae:3b:22 brd ff:ff:ff:ff:ff:ff
inet 169.254.192.2/18 brd 169.254.255.255 scope global ha-90d1a59f-b1
valid_lft forever preferred_lft forever
inet6 fe80::f816:3eff:feae:3b22/64 scope link
valid_lft forever preferred_lft forever
12: qr-8de3e172-53: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default
link/ether fa:16:3e:10:9f:f6 brd ff:ff:ff:ff:ff:ff
inet6 fe80::f816:3eff:fe10:9ff6/64 scope link
valid_lft forever preferred_lft forever
13: qg-374587d7-2a: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default
link/ether fa:16:3e:82:a0:59 brd ff:ff:ff:ff:ff:ff
inet6 fe80::f816:3eff:fe82:a059/64 scope link
valid_lft forever preferred_lft forever
Expected state: on each network node, the qrouter namespace should include the ha, qr and qg interfaces. On the master node, the qr interface carries the project network gateway IP address and the qg interface carries the project router's IP address on the external network. On the backup node, the qr and qg interfaces should have no IP addresses. On both nodes, the ha interface should have a unique IP address within the 169.254.192.0/18 range.
- On the network nodes, use tcpdump to verify VRRP advertisements from the HA interface IP address of the master node:
Network node 1:
$ tcpdump -lnpi eth1
16:50:16.857294 IP 169.254.192.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 50, authtype none, intvl 2s, length 20
16:50:18.858436 IP 169.254.192.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 50, authtype none, intvl 2s, length 20
16:50:20.859677 IP 169.254.192.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 50, authtype none, intvl 2s, length 20
Network node 2:
$ tcpdump -lnpi eth1
16:51:44.911640 IP 169.254.192.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 50, authtype none, intvl 2s, length 20
16:51:46.912591 IP 169.254.192.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 50, authtype none, intvl 2s, length 20
16:51:48.913900 IP 169.254.192.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 50, authtype none, intvl 2s, length 20
This example uses the eth1 network interface.
- Determine the external network gateway IP address of the project router (typically the lowest address in the external subnet allocation pool):
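The advertisements above are what both the election rule from the packet-flow section (equal priority, so the highest HA-interface IP address wins) and the dead-interval logic look like on the wire. The following added example (not code from the OpenStack guide) parses tcpdump lines of that format, applies the election rule, and reports a failover, a gap in advertisements, or a second advertiser for the same vrid while the master is still active, which is the split-brain or rogue-speaker condition an operator would want to catch on the HA network. The sample input is constructed from the page's three lines plus a simulated takeover by 169.254.192.2; function names are the example's own.

```python
import ipaddress
import re

# Constructed sample: the page's three advertisements from 169.254.192.1, then
# a silence longer than three intervals, after which 169.254.192.2 takes over.
SAMPLE = """\
16:50:16.857294 IP 169.254.192.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 50, authtype none, intvl 2s, length 20
16:50:18.858436 IP 169.254.192.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 50, authtype none, intvl 2s, length 20
16:50:20.859677 IP 169.254.192.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 50, authtype none, intvl 2s, length 20
16:50:28.100000 IP 169.254.192.2 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 50, authtype none, intvl 2s, length 20
16:50:30.100000 IP 169.254.192.2 > 224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 50, authtype none, intvl 2s, length 20
"""

VRRP_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+) > 224\.0\.0\.18: "
    r"VRRPv2, Advertisement, vrid (?P<vrid>\d+), prio (?P<prio>\d+), "
    r"authtype (?P<auth>\w+), intvl (?P<intvl>\d+)s"
)

def parse_adverts(lines):
    """Return one dict per VRRP advertisement line; non-VRRP lines are skipped."""
    adverts = []
    for line in lines:
        m = VRRP_RE.match(line.strip())
        if not m:
            continue
        h, mi, s = m.group("ts").split(":")
        adverts.append({
            "ts": int(h) * 3600 + int(mi) * 60 + float(s),
            "src": m.group("src"), "vrid": int(m.group("vrid")),
            "prio": int(m.group("prio")), "auth": m.group("auth"),
            "intvl": int(m.group("intvl")),
        })
    return adverts

def elect_master(candidates):
    """VRRP election: highest priority wins; on a tie (L3HA gives every router
    the same priority) the highest IP address wins. Returns the winner's IP."""
    best = max(candidates, key=lambda c: (c["prio"], ipaddress.ip_address(c["src"])))
    return best["src"]

def audit(lines, dead_after=3):
    """Return (kind, message) events: the initial master, a failover after a
    silence longer than dead_after intervals, a second advertiser while the
    master is still alive (split brain or rogue speaker), and plain gaps."""
    events, last = [], {}
    for a in parse_adverts(lines):
        prev = last.get(a["vrid"])
        if prev is None:
            events.append(("master", "vrid %d: master %s prio %d auth %s"
                           % (a["vrid"], a["src"], a["prio"], a["auth"])))
        else:
            gap = a["ts"] - prev["ts"]
            dead = gap > dead_after * prev["intvl"]
            if a["src"] != prev["src"] and dead:
                events.append(("failover", "vrid %d: %s took over from %s after %.1fs silence"
                               % (a["vrid"], a["src"], prev["src"], gap)))
            elif a["src"] != prev["src"]:
                events.append(("split-brain", "vrid %d: %s advertising while %s still active"
                               % (a["vrid"], a["src"], prev["src"])))
            elif dead:
                events.append(("gap", "vrid %d: %.1fs without advertisements from %s"
                               % (a["vrid"], gap, a["src"])))
        last[a["vrid"]] = a
    return events

if __name__ == "__main__":
    for kind, msg in audit(SAMPLE.splitlines()):
        print(kind, msg)
```

Feed it the output of `tcpdump -lnpi eth1` from the HA network interface; any split-brain event means two namespaces believe they are master for the same router.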
$ neutron router-port-list demo-router
+--------------------------------------+-------------------------------------------------+-------------------+----------------------------------------------------------------------------------------+
| id | name | mac_address | fixed_ips |
+--------------------------------------+-------------------------------------------------+-------------------+----------------------------------------------------------------------------------------+
| 255d2e4b-33ba-4166-a13f-6531122641fe | HA port tenant 443cd1596b2e46d49965750771ebbfe1 | fa:16:3e:25:05:d7 | {"subnet_id": "8e8e4c7d-fa38-417d-a4e3-03ee5ab5493c", "ip_address": "169.254.192.1"} |
| 374587d7-2acd-4156-8993-4294f788b55e | | fa:16:3e:82:a0:59 | {"subnet_id": "b32e0efc-8cc3-43ff-9899-873b94df0db1", "ip_address": "203.0.113.101"} |
| 8de3e172-5317-4c87-bdc1-f69e359de92e | | fa:16:3e:10:9f:f6 | {"subnet_id": "2945790c-5999-4693-b8e7-50a9fc7f46f5", "ip_address": "192.168.1.1"} |
| 90d1a59f-b122-459d-a94a-162a104de629 | HA port tenant 443cd1596b2e46d49965750771ebbfe1 | fa:16:3e:ae:3b:22 | {"subnet_id": "8e8e4c7d-fa38-417d-a4e3-03ee5ab5493c", "ip_address": "169.254.192.2"} |
+--------------------------------------+-------------------------------------------------+-------------------+----------------------------------------------------------------------------------------+
- On the controller node or any host with access to the external network, ping the external network gateway IP address of the project router:
$ ping -c 4 203.0.113.101
PING 203.0.113.101 (203.0.113.101) 56(84) bytes of data.
64 bytes from 203.0.113.101: icmp_req=1 ttl=64 time=0.619 ms
64 bytes from 203.0.113.101: icmp_req=2 ttl=64 time=0.189 ms
64 bytes from 203.0.113.101: icmp_req=3 ttl=64 time=0.165 ms
64 bytes from 203.0.113.101: icmp_req=4 ttl=64 time=0.216 ms
--- 203.0.113.101 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2999ms
rtt min/avg/max/mdev = 0.165/0.297/0.619/0.187 ms
- Source the regular project credentials (the demo project).
- Create the appropriate security group rules to allow ping and SSH access to the instance:
$ nova secgroup-add-rule default icmp -1 -1 0.0.0.0/0
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range | Source Group |
+-------------+-----------+---------+-----------+--------------+
| icmp | -1 | -1 | 0.0.0.0/0 | |
+-------------+-----------+---------+-----------+--------------+
$ nova secgroup-add-rule default tcp 22 22 0.0.0.0/0
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range | Source Group |
+-------------+-----------+---------+-----------+--------------+
| tcp | 22 | 22 | 0.0.0.0/0 | |
+-------------+-----------+---------+-----------+--------------+
- Launch an instance with an interface on the project network (using the CirrOS image):
$ nova boot --flavor m1.tiny --image cirros \
--nic net-id=7ac9a268-1ddd-453f-857b-0fd9552b645f demo-instance1
+--------------------------------------+-----------------------------------------------+
| Property | Value |
+--------------------------------------+-----------------------------------------------+
| OS-DCF:diskConfig | MANUAL |
| OS-EXT-AZ:availability_zone | nova |
| OS-EXT-STS:power_state | 0 |
| OS-EXT-STS:task_state | scheduling |
| OS-EXT-STS:vm_state | building |
| OS-SRV-USG:launched_at | - |
| OS-SRV-USG:terminated_at | - |
| accessIPv4 | |
| accessIPv6 | |
| adminPass | Z3uAd2utPUNu |
| config_drive | |
| created | 2015-08-10T15:06:24Z |
| flavor | m1.tiny (1) |
| hostId | |
| id | 77149598-c839-400f-b948-db6993f0b40b |
| image | cirros (125733d9-8d37-4d70-9a64-1c989cfa8e9c) |
| key_name | |
| metadata | {} |
| name | demo-instance1 |
| os-extended-volumes:volumes_attached | [] |
| progress | 0 |
| security_groups | default |
| status | BUILD |
| tenant_id | 443cd1596b2e46d49965750771ebbfe1 |
| updated | 2015-08-10T15:06:25Z |
| user_id | bdd4e165bdf94b258ddd4856340ed01c |
+--------------------------------------+-----------------------------------------------+
- Obtain console access to the instance and run the following tests:
1. Test connectivity to the project router:
$ ping -c 4 192.168.1.1
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_req=1 ttl=64 time=0.357 ms
64 bytes from 192.168.1.1: icmp_req=2 ttl=64 time=0.473 ms
64 bytes from 192.168.1.1: icmp_req=3 ttl=64 time=0.504 ms
64 bytes from 192.168.1.1: icmp_req=4 ttl=64 time=0.470 ms
--- 192.168.1.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time=2998ms
rtt min/avg/max/mdev = 0.357/0.451/0.504/0.055 ms
2. Test connectivity to the Internet:
$ ping -c 4 openstack.org
PING openstack.org (174.143.194.225) 56(84) bytes of data.
64 bytes from 174.143.194.225: icmp_req=1 ttl=53 time=17.4 ms
64 bytes from 174.143.194.225: icmp_req=2 ttl=53 time=17.5 ms
64 bytes from 174.143.194.225: icmp_req=3 ttl=53 time=17.7 ms
64 bytes from 174.143.194.225: icmp_req=4 ttl=53 time=17.5 ms
--- openstack.org ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time=3003ms
rtt min/avg/max/mdev = 17.431/17.575/17.734/0.143 ms
- Create a floating IP address on the external network:
$ neutron floatingip-create ext-net
Created a new floatingip:
+---------------------+--------------------------------------+
| Field | Value |
+---------------------+--------------------------------------+
| fixed_ip_address | |
| floating_ip_address | 203.0.113.102 |
| floating_network_id | 5266fcbc-d429-4b21-8544-6170d1691826 |
| id | 20a6b5dd-1c5c-460e-8a81-8b5cf1739307 |
| port_id | |
| router_id | |
| status | DOWN |
| tenant_id | 443cd1596b2e46d49965750771ebbfe1 |
+---------------------+--------------------------------------+
- Associate the floating IP address with the instance:
$ nova floating-ip-associate demo-instance1 203.0.113.102
- Verify that the floating IP address was added to the instance:
$ nova list
+--------------------------------------+----------------+--------+------------+-------------+-----------------------------------------+
| ID | Name | Status | Task State | Power State | Networks |
+--------------------------------------+----------------+--------+------------+-------------+-----------------------------------------+
| 77149598-c839-400f-b948-db6993f0b40b | demo-instance1 | ACTIVE | - | Running | demo-net=192.168.1.3, 203.0.113.102 |
+--------------------------------------+----------------+--------+------------+-------------+-----------------------------------------+
- On the controller node or any host with access to the external network, ping the floating IP address associated with the instance:
$ ping -c 4 203.0.113.102
PING 203.0.113.102 (203.0.113.112) 56(84) bytes of data.
64 bytes from 203.0.113.102: icmp_req=1 ttl=63 time=3.18 ms
64 bytes from 203.0.113.102: icmp_req=2 ttl=63 time=0.981 ms
64 bytes from 203.0.113.102: icmp_req=3 ttl=63 time=1.06 ms
64 bytes from 203.0.113.102: icmp_req=4 ttl=63 time=0.929 ms
--- 203.0.113.102 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time=3002ms
rtt min/avg/max/mdev = 0.929/1.539/3.183/0.951 ms