First, a few concepts need to be clear:

External network: the network that floating IPs are allocated from. Once a floating IP is bound to a VM, hosts outside the cloud can reach the VM.

Virtual network (internal network, private network): the private network that a VM's virtual NIC is attached to.

Subnet: every network a user creates needs at least one subnet (it may have several).

Router: a tenant network that has to reach the outside needs a router; the router gets an interface on that network's subnet and a gateway on the external network.

Fixed IP: the VM NIC's IP address on the virtual network.

Floating IP: an IP address on the external network that the router maps (by NAT) to the VM's fixed IP.

Interface: a network interface, here a router port attached to a subnet.

Port: a subnet has several ports (each normally carries a MAC address and an IP address). In GRE mode a subnet typically has a qdhcp port, a qrouter port and one port per VM instance; their IP addresses all belong to that subnet.

1. Check the nova and neutron services; every entry should show a smiley (:-))

# nova-manage service list

root@controller:~# nova-manage service list
Binary           Host                                 Zone             Status     State Updated_At
nova-cert        controller                           internal         enabled    :-)   2015-01-12 00:39:05
nova-consoleauth controller                           internal         enabled    :-)   2015-01-12 00:38:59
nova-scheduler   controller                           internal         enabled    :-)   2015-01-12 00:39:00
nova-conductor   controller                           internal         enabled    :-)   2015-01-12 00:39:03
nova-compute     compute1                             nova             enabled    :-)   2015-01-12 00:39:03

# neutron agent-list

root@controller:~# neutron agent-list
+--------------------------------------+--------------------+----------+-------+----------------+
| id                                   | agent_type         | host     | alive | admin_state_up |
+--------------------------------------+--------------------+----------+-------+----------------+
| 7a1f9910-62d8-4461-b31d-1a562bd0b76e | DHCP agent         | network  | :-)   | True           |
| 86d1c916-8b05-4840-965c-e9152388e0c2 | Open vSwitch agent | compute1 | :-)   | True           |
| 8809b0e3-010d-4d2f-b552-10be24002684 | Open vSwitch agent | network  | :-)   | True           |
| aca01734-7522-427a-b3f2-45400d22121c | Metadata agent     | network  | :-)   | True           |
| e964a21a-4b8d-403b-9c81-2a95f387285e | L3 agent           | network  | :-)   | True           |
+--------------------------------------+--------------------+----------+-------+----------------+

A dead service shows XXX instead of :-) in nova-manage, and a dead agent shows xxx in the alive column; an agent with admin_state_up False will not serve ports even if it is alive. All of these have to be fixed before the network setup below will work.
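The pre-flight check above is worth scripting when it has to be repeated on every node. The following is an added example, not code from the original page: it parses saved output of nova-manage service list and neutron agent-list and reports every service or agent that is not enabled and alive. The sample output is constructed for the example (the nova-compute and one Open vSwitch agent entry were edited to look dead, and the L3 agent to look admin-down); the table layouts are the ones shown above.

```python
import sys

# Constructed sample output (not copied from the page): the nova-compute entry
# and one OVS agent have been edited to look dead, and one agent is admin-down,
# so that the checker has something to report.
NOVA_SERVICE_LIST = """\
Binary           Host                                 Zone             Status     State Updated_At
nova-cert        controller                           internal         enabled    :-)   2015-01-12 00:39:05
nova-consoleauth controller                           internal         enabled    :-)   2015-01-12 00:38:59
nova-scheduler   controller                           internal         enabled    :-)   2015-01-12 00:39:00
nova-conductor   controller                           internal         enabled    :-)   2015-01-12 00:39:03
nova-compute     compute1                             nova             enabled    XXX   2015-01-12 00:29:03
"""

NEUTRON_AGENT_LIST = """\
+--------------------------------------+--------------------+----------+-------+----------------+
| id                                   | agent_type         | host     | alive | admin_state_up |
+--------------------------------------+--------------------+----------+-------+----------------+
| 7a1f9910-62d8-4461-b31d-1a562bd0b76e | DHCP agent         | network  | :-)   | True           |
| 86d1c916-8b05-4840-965c-e9152388e0c2 | Open vSwitch agent | compute1 | xxx   | True           |
| 8809b0e3-010d-4d2f-b552-10be24002684 | Open vSwitch agent | network  | :-)   | True           |
| aca01734-7522-427a-b3f2-45400d22121c | Metadata agent     | network  | :-)   | True           |
| e964a21a-4b8d-403b-9c81-2a95f387285e | L3 agent           | network  | :-)   | False          |
+--------------------------------------+--------------------+----------+-------+----------------+
"""


def parse_nova_services(text):
    """Rows of (binary, host, zone, status, state) from `nova-manage service list`."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header line
        parts = line.split()
        if len(parts) >= 5:
            rows.append(tuple(parts[:5]))
    return rows


def parse_cli_table(text):
    """Parse a +---+ / | a | b | table (neutron/nova client output) into dicts."""
    header, rows = None, []
    for line in text.splitlines():
        if not line.startswith("|"):
            continue                              # border lines
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if header is None:
            header = cells
        else:
            rows.append(dict(zip(header, cells)))
    return rows


def unhealthy(nova_text, neutron_text):
    """One human-readable line per service or agent that is not usable.

    nova-manage prints ':-)' for a live service and 'XXX' for a dead one;
    neutron agent-list prints ':-)' or 'xxx' in the alive column."""
    problems = []
    for binary, host, _zone, status, state in parse_nova_services(nova_text):
        if status != "enabled" or state != ":-)":
            problems.append("nova %s on %s: status=%s state=%s" % (binary, host, status, state))
    for agent in parse_cli_table(neutron_text):
        if agent["alive"] != ":-)" or agent["admin_state_up"] != "True":
            problems.append("neutron %s on %s: alive=%s admin_state_up=%s"
                            % (agent["agent_type"], agent["host"],
                               agent["alive"], agent["admin_state_up"]))
    return problems


if __name__ == "__main__":
    # Real use: nova-manage service list > nova.txt; neutron agent-list > agents.txt
    # and pass both files; the sample strings are used when no files are given.
    nova_text = open(sys.argv[1]).read() if len(sys.argv) > 2 else NOVA_SERVICE_LIST
    neutron_text = open(sys.argv[2]).read() if len(sys.argv) > 2 else NEUTRON_AGENT_LIST
    issues = unhealthy(nova_text, neutron_text)
    for issue in issues:
        print("NOT OK:", issue)
    sys.exit(1 if issues else 0)
```

Run with the two saved files as arguments; a non-zero exit status makes it usable as a gate in a provisioning script.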

2. Create a tenant and a user

Create the tenant

# keystone tenant-create --name TenantA

root@controller:~# keystone tenant-create --name TenantA
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
| description |                                  |
|   enabled   |               True               |
|      id     | 60a10cd7a61b493d910eabd353c07567 |
|     name    |             TenantA              |
+-------------+----------------------------------+

The WARNING means OS_SERVICE_TOKEN and OS_SERVICE_ENDPOINT are set in this shell, so keystone is being driven with the bootstrap admin token rather than a user login. That token bypasses Keystone authentication entirely; unset it once an admin user exists and use normal credentials instead.

Create the user

# keystone user-create --name=UserA --pass=password --tenant-id TenantA --email=usera@test.com

root@controller:~# keystone user-create --name=UserA --pass=password --tenant-id TenantA --email=usera@test.com
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
+----------+----------------------------------+
| Property |              Value               |
+----------+----------------------------------+
|  email   |          usera@test.com          |
| enabled  |               True               |
|    id    | be1db0d2fd134025accd2654cfc66056 |
|   name   |              UserA               |
| tenantId | 60a10cd7a61b493d910eabd353c07567 |
| username |              UserA               |
+----------+----------------------------------+

(The client resolves the tenant name given to --tenant-id, as the tenantId in the output shows.)

Add the user to the tenant with the Member role

# keystone user-role-add --tenant TenantA --user UserA --role Member

root@controller:~# keystone user-role-add --tenant TenantA --user UserA --role Member
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).

3. Prepare the neutron networks

Create the external network

# neutron net-create Ext-Net --provider:network_type gre --provider:segmentation_id 1 --router:external true

This runs as admin (the service token is still in the environment); only an admin may set the provider:* attributes and router:external.

root@controller:~# neutron net-create Ext-Net --provider:network_type gre --provider:segmentation_id 1 --router:external true
Created a new network:
+---------------------------+--------------------------------------+
| Field                     | Value                                |
+---------------------------+--------------------------------------+
| admin_state_up            | True                                 |
| id                        | c8699820-7c6d-4441-9602-3425f2c630ec |
| name                      | Ext-Net                              |
| provider:network_type     | gre                                  |
| provider:physical_network |                                      |
| provider:segmentation_id  | 1                                    |
| router:external           | True                                 |
| shared                    | False                                |
| status                    | ACTIVE                               |
| subnets                   |                                      |
| tenant_id                 | c91d0723aaea4985a77801a15ef66438     |
+---------------------------+--------------------------------------+

Create the external network's subnet

# neutron subnet-create --allocation-pool start=10.1.101.80,end=10.1.101.100 --gateway 10.1.101.254 Ext-Net 10.1.101.0/24 --enable_dhcp=False

The allocation pool 10.1.101.80-10.1.101.100 is the range that floating IPs and the router's gateway port are drawn from; the gateway 10.1.101.254 is the physical router on that segment. DHCP is disabled so that Neutron does not start a dnsmasq on the external segment.

root@controller:~# neutron subnet-create --allocation-pool start=10.1.101.80,end=10.1.101.100 --gateway 10.1.101.254 Ext-Net 10.1.101.0/24 --enable_dhcp=False
Created a new subnet:
+------------------+-------------------------------------------------+
| Field            | Value                                           |
+------------------+-------------------------------------------------+
| allocation_pools | {"start": "10.1.101.80", "end": "10.1.101.100"} |
| cidr             | 10.1.101.0/24                                   |
| dns_nameservers  |                                                 |
| enable_dhcp      | False                                           |
| gateway_ip       | 10.1.101.254                                    |
| host_routes      |                                                 |
| id               | 2c4155c9-5a2e-471c-a4d8-40a86b45ab0a            |
| ip_version       | 4                                               |
| name             |                                                 |
| network_id       | c8699820-7c6d-4441-9602-3425f2c630ec            |
| tenant_id        | c91d0723aaea4985a77801a15ef66438                |
+------------------+-------------------------------------------------+

Next, create the tenant's network, subnet and virtual router. The remaining commands run as UserA, with the credentials passed on the command line (--os-tenant-name, --os-username, --os-password, --os-auth-url). Exporting the same values as OS_TENANT_NAME, OS_USERNAME, OS_PASSWORD and OS_AUTH_URL from an openrc file works identically and keeps the password out of shell history and ps output.

Create the tenant network

# neutron --os-tenant-name TenantA --os-username UserA --os-password password --os-auth-url=http://localhost:5000/v2.0 net-create tenantA-Net

root@controller:~# neutron --os-tenant-name TenantA --os-username UserA --os-password password --os-auth-url=http://localhost:5000/v2.0 net-create tenantA-Net
Created a new network:
+----------------+--------------------------------------+
| Field          | Value                                |
+----------------+--------------------------------------+
| admin_state_up | True                                 |
| id             | 7c22bbd9-166c-4610-9a3d-3b8b92c77518 |
| name           | tenantA-Net                          |
| shared         | False                                |
| status         | ACTIVE                               |
| subnets        |                                      |
| tenant_id      | 60a10cd7a61b493d910eabd353c07567     |
+----------------+--------------------------------------+

Create the tenant subnet

# neutron --os-tenant-name TenantA --os-username UserA --os-password password --os-auth-url=http://localhost:5000/v2.0 subnet-create tenantA-Net 10.0.0.0/24

root@controller:~# neutron --os-tenant-name TenantA --os-username UserA --os-password password --os-auth-url=http://localhost:5000/v2.0 subnet-create tenantA-Net 10.0.0.0/24
Created a new subnet:
+------------------+--------------------------------------------+
| Field            | Value                                      |
+------------------+--------------------------------------------+
| allocation_pools | {"start": "10.0.0.2", "end": "10.0.0.254"} |
| cidr             | 10.0.0.0/24                                |
| dns_nameservers  |                                            |
| enable_dhcp      | True                                       |
| gateway_ip       | 10.0.0.1                                   |
| host_routes      |                                            |
| id               | c37d8ed0-372e-4b24-9ba2-897c38c6ddbf       |
| ip_version       | 4                                          |
| name             |                                            |
| network_id       | 7c22bbd9-166c-4610-9a3d-3b8b92c77518       |
| tenant_id        | 60a10cd7a61b493d910eabd353c07567           |
+------------------+--------------------------------------------+

With no options given, neutron picks the first address (10.0.0.1) as the gateway, pools the rest, and leaves DHCP enabled, which is what a tenant network wants.

Create the tenant's virtual router

# neutron --os-tenant-name TenantA --os-username UserA --os-password password --os-auth-url=http://localhost:5000/v2.0 router-create tenant-R1

root@controller:~# neutron --os-tenant-name TenantA --os-username UserA --os-password password --os-auth-url=http://localhost:5000/v2.0 router-create tenant-R1
Created a new router:
+-----------------------+--------------------------------------+
| Field                 | Value                                |
+-----------------------+--------------------------------------+
| admin_state_up        | True                                 |
| external_gateway_info |                                      |
| id                    | 680944ad-679c-4fe8-ae4b-258cd8ac337f |
| name                  | tenant-R1                            |
| status                | ACTIVE                               |
| tenant_id             | 60a10cd7a61b493d910eabd353c07567     |
+-----------------------+--------------------------------------+

Add a router interface

(Replace ${subnet_id} with the tenant subnet's ID.)

# neutron --os-tenant-name TenantA --os-username UserA --os-password password --os-auth-url=http://localhost:5000/v2.0 router-interface-add tenant-R1 ${subnet_id}

root@controller:~# neutron --os-tenant-name TenantA --os-username UserA --os-password password --os-auth-url=http://localhost:5000/v2.0 router-interface-add tenant-R1 c37d8ed0-372e-4b24-9ba2-897c38c6ddbf
Added interface 81388454-30e0-45e4-b3dd-b7b2e8dbf067 to router tenant-R1.

Set the router's gateway to the external network

# neutron router-gateway-set tenant-R1 Ext-Net

This one is run without UserA's credentials, i.e. with the admin token; the router's gateway port gets an address from Ext-Net's allocation pool.

root@controller:~# neutron router-gateway-set tenant-R1 Ext-Net
Set gateway for router tenant-R1

At this point the network topology seen by UserA is: tenantA-Net (10.0.0.0/24) connected through tenant-R1 to Ext-Net (10.1.101.0/24).
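Before wiring the router it is worth checking the address plan built above, because the mistakes that break floating IPs (a tenant CIDR overlapping the external CIDR, a gateway sitting inside the allocation pool, DHCP left on for the external subnet) produce no error from neutron. The following is an added example, not part of the original tutorial; it uses only the standard library. The subnet values are the ones from the commands above, and the checks are the addition.

```python
import ipaddress

# Subnet definitions copied from the commands above; the checks are the addition.
EXT_NET = {
    "name": "Ext-Net",
    "cidr": "10.1.101.0/24",
    "gateway_ip": "10.1.101.254",
    "allocation_pools": [("10.1.101.80", "10.1.101.100")],
    "enable_dhcp": False,
    "router_external": True,
}
TENANT_NET = {
    "name": "tenantA-Net",
    "cidr": "10.0.0.0/24",
    "gateway_ip": "10.0.0.1",
    "allocation_pools": [("10.0.0.2", "10.0.0.254")],
    "enable_dhcp": True,
    "router_external": False,
}


def check_subnet(s):
    """Problems with one subnet definition (empty list means it is sane)."""
    problems = []
    net = ipaddress.ip_network(s["cidr"], strict=True)
    gw = ipaddress.ip_address(s["gateway_ip"])
    if gw not in net:
        problems.append("%s: gateway %s is outside %s" % (s["name"], gw, net))
    elif gw in (net.network_address, net.broadcast_address):
        problems.append("%s: gateway %s is the network or broadcast address" % (s["name"], gw))
    for start, end in s["allocation_pools"]:
        lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if lo > hi:
            problems.append("%s: pool %s-%s is reversed" % (s["name"], lo, hi))
        if lo not in net or hi not in net:
            problems.append("%s: pool %s-%s is not inside %s" % (s["name"], lo, hi, net))
        if lo <= gw <= hi:
            problems.append("%s: gateway %s lies inside pool %s-%s" % (s["name"], gw, lo, hi))
    # Neutron's dnsmasq must never serve the external segment: on a flat
    # physical network it would hand out leases to machines that are not VMs.
    if s["router_external"] and s["enable_dhcp"]:
        problems.append("%s: DHCP is enabled on the external subnet" % s["name"])
    return problems


def check_plan(external, tenant_subnets):
    """Check every subnet, then make sure no tenant CIDR overlaps the external one."""
    problems = check_subnet(external)
    ext = ipaddress.ip_network(external["cidr"])
    for t in tenant_subnets:
        problems += check_subnet(t)
        if ipaddress.ip_network(t["cidr"]).overlaps(ext):
            # The router cannot tell "inside" from "outside" if both sides
            # carry the same addresses, so SNAT and floating IPs break.
            problems.append("%s: %s overlaps external %s" % (t["name"], t["cidr"], ext))
    return problems


def floating_ip_in_pool(external, ip):
    """True if `ip` falls in one of the external subnet's allocation pools,
    i.e. it could have been handed out by floatingip-create."""
    f = ipaddress.ip_address(ip)
    return any(ipaddress.ip_address(lo) <= f <= ipaddress.ip_address(hi)
               for lo, hi in external["allocation_pools"])


if __name__ == "__main__":
    for p in check_plan(EXT_NET, [TENANT_NET]) or ["address plan OK"]:
        print(p)
    print("10.1.101.82 from pool:", floating_ip_in_pool(EXT_NET, "10.1.101.82"))
```

For the plan on this page the checker reports nothing; feed it a tenant subnet carved out of 10.1.101.0/24 and it reports the overlap that would otherwise only show up as a VM that never answers on its floating IP.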

4. Security group rules

Security group rules decide whether the VM can be pinged and reached over SSH from outside, so set the ICMP and TCP rules on the controller node before testing. The rules below are what this walkthrough uses; be aware that they open every TCP and UDP port to 0.0.0.0/0 on every instance in TenantA's default group. That is acceptable on an isolated lab network, not on anything reachable from an untrusted network, where at least the SSH rule should be limited to the address range you administer from.

List TenantA's security groups; only the default group exists so far

# neutron --os-tenant-name TenantA --os-username UserA --os-password password --os-auth-url=http://localhost:5000/v2.0 security-group-list

root@controller:~# neutron --os-tenant-name TenantA --os-username UserA --os-password password --os-auth-url=http://localhost:5000/v2.0 security-group-list
+--------------------------------------+---------+-------------+
| id                                   | name    | description |
+--------------------------------------+---------+-------------+
| 8bd8fb6b-7141-4900-8321-390cc1a5d999 | default | default     |
+--------------------------------------+---------+-------------+

The default group starts out allowing only egress and traffic from other members of the same group, so add ICMP/TCP/UDP ingress rules to nova's default group:

# nova --os-tenant-name TenantA --os-username UserA --os-password password --os-auth-url=http://localhost:5000/v2.0 secgroup-add-rule default tcp 1 65535 0.0.0.0/0

root@controller:~# nova --os-tenant-name TenantA --os-username UserA --os-password password --os-auth-url=http://localhost:5000/v2.0 secgroup-add-rule default tcp 1 65535 0.0.0.0/0
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| tcp         | 1         | 65535   | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+

# nova --os-tenant-name TenantA --os-username UserA --os-password password --os-auth-url=http://localhost:5000/v2.0 secgroup-add-rule default udp 1 65535 0.0.0.0/0

root@controller:~# nova --os-tenant-name TenantA --os-username UserA --os-password password --os-auth-url=http://localhost:5000/v2.0 secgroup-add-rule default udp 1 65535 0.0.0.0/0
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| udp         | 1         | 65535   | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+

# nova --os-tenant-name TenantA --os-username UserA --os-password password --os-auth-url=http://localhost:5000/v2.0 secgroup-add-rule default icmp -1 -1 0.0.0.0/0

For icmp the two port arguments are the ICMP type and code; -1 -1 means every type and code.

root@controller:~# nova --os-tenant-name TenantA --os-username UserA --os-password password --os-auth-url=http://localhost:5000/v2.0 secgroup-add-rule default icmp -1 -1 0.0.0.0/0
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| icmp        | -1        | -1      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+
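The three rules just added are the kind of thing that gets copied from a tutorial into a production tenant. The following is an added example, not code from the original page: it parses the rule table that nova prints (the same columns as the secgroup-add-rule output above, as also printed by nova secgroup-list-rules), flags every rule that exposes the whole tcp/udp port range to any source, and prints the narrower rules to add instead: SSH from a management range and ICMP echo requests only. The sample table is constructed for the example, and the management range 10.1.101.0/24 is an assumption, not something the tutorial specifies.

```python
import ipaddress

# Constructed sample in the column layout `nova secgroup-list-rules default`
# prints (the same columns as the secgroup-add-rule output above): the three
# rules added in the tutorial plus one already-narrow SSH rule.
SECGROUP_RULES = """\
+-------------+-----------+---------+---------------+--------------+
| IP Protocol | From Port | To Port | IP Range      | Source Group |
+-------------+-----------+---------+---------------+--------------+
| tcp         | 1         | 65535   | 0.0.0.0/0     |              |
| udp         | 1         | 65535   | 0.0.0.0/0     |              |
| icmp        | -1        | -1      | 0.0.0.0/0     |              |
| tcp         | 22        | 22      | 10.1.101.0/24 |              |
+-------------+-----------+---------+---------------+--------------+
"""


def parse_rules(text):
    """Turn the nova table into dicts; a blank IP Range means a source-group rule."""
    header, rules = None, []
    for line in text.splitlines():
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if header is None:
            header = cells
            continue
        row = dict(zip(header, cells))
        rules.append({
            "proto": row["IP Protocol"],
            "from": int(row["From Port"]),
            "to": int(row["To Port"]),
            "cidr": row["IP Range"] or None,
            "group": row["Source Group"] or None,
        })
    return rules


def classify(rule):
    """'open' = every tcp/udp port from any address; 'any-source' = unrestricted
    source but a bounded service (or icmp); 'scoped' otherwise."""
    if rule["cidr"] is None:
        return "scoped"                      # limited to members of a source group
    if ipaddress.ip_network(rule["cidr"]).prefixlen != 0:
        return "scoped"
    if rule["proto"] in ("tcp", "udp") and rule["from"] <= 1 and rule["to"] >= 65535:
        return "open"
    return "any-source"


def audit(text):
    """Rules that expose the whole tcp/udp port range to the Internet."""
    return [r for r in parse_rules(text) if classify(r) == "open"]


def replacement_rules(mgmt_cidr, secgroup="default"):
    """The narrower rules to add instead of tcp/udp 1-65535 from 0.0.0.0/0:
    SSH only from the management range (mgmt_cidr is an assumed value) and
    ICMP echo requests only (for icmp, nova takes the type as From Port and
    the code as To Port; type 8 code 0 is echo request)."""
    return [
        "nova secgroup-add-rule %s tcp 22 22 %s" % (secgroup, mgmt_cidr),
        "nova secgroup-add-rule %s icmp 8 0 %s" % (secgroup, mgmt_cidr),
    ]


if __name__ == "__main__":
    for r in audit(SECGROUP_RULES):
        print("wide open: %(proto)s %(from)s-%(to)s from %(cidr)s" % r)
    print("replace with:")
    for cmd in replacement_rules("10.1.101.0/24"):
        print("  " + cmd)
```

The generated commands take the same --os-* options as the ones above; remove the two 1-65535 rules with nova secgroup-delete-rule using the same protocol, ports and CIDR once the narrow ones are in place, and remember that the rule set applies to every instance launched into the default group, not just vm001.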

5. Boot a VM

List the images:

# glance index

root@controller:~# glance index
ID                                   Name                           Disk Format          Container Format     Size          
------------------------------------ ------------------------------ -------------------- -------------------- --------------
a1de861a-be9c-4223-9a7a-cf5917489ce9 cirros-0.3.2-x86_64            qcow2                bare                 13167616

Boot the VM, replacing {the cirros ID from Glance} with the image ID

# nova --os-tenant-name TenantA --os-username UserA --os-password password --os-auth-url=http://localhost:5000/v2.0 boot --flavor 1 --image {the cirros ID from Glance} vm001

root@controller:~# nova --os-tenant-name TenantA --os-username UserA --os-password password --os-auth-url=http://localhost:5000/v2.0 boot --flavor 1 --image a1de861a-be9c-4223-9a7a-cf5917489ce9 vm001
+--------------------------------------+------------------------------------------------------------+
| Property                             | Value                                                      |
+--------------------------------------+------------------------------------------------------------+
| OS-DCF:diskConfig                    | MANUAL                                                     |
| OS-EXT-AZ:availability_zone          | nova                                                       |
| OS-EXT-STS:power_state               | 0                                                          |
| OS-EXT-STS:task_state                | scheduling                                                 |
| OS-EXT-STS:vm_state                  | building                                                   |
| OS-SRV-USG:launched_at               | -                                                          |
| OS-SRV-USG:terminated_at             | -                                                          |
| accessIPv4                           |                                                            |
| accessIPv6                           |                                                            |
| adminPass                            | sCekd6U9PcvU                                               |
| config_drive                         |                                                            |
| created                              | 2015-01-12T01:18:27Z                                       |
| flavor                               | m1.tiny (1)                                                |
| hostId                               |                                                            |
| id                                   | d4a05267-b610-4c61-86e0-542ae9a7d93f                       |
| image                                | cirros-0.3.2-x86_64 (a1de861a-be9c-4223-9a7a-cf5917489ce9) |
| key_name                             | -                                                          |
| metadata                             | {}                                                         |
| name                                 | vm001                                                      |
| os-extended-volumes:volumes_attached | []                                                         |
| progress                             | 0                                                          |
| security_groups                      | default                                                    |
| status                               | BUILD                                                      |
| tenant_id                            | 60a10cd7a61b493d910eabd353c07567                           |
| updated                              | 2015-01-12T01:18:28Z                                       |
| user_id                              | be1db0d2fd134025accd2654cfc66056                           |
+--------------------------------------+------------------------------------------------------------+

Since tenantA-Net is the tenant's only network, nova attaches the instance to it without a --nic option. The instance lands in the default security group (security_groups above), so the rules from section 4 apply to it. No key_name was given, so the adminPass printed here is the only credential nova generated; treat console output that contains it as sensitive.

Check that the VM's status is ACTIVE

# nova --os-tenant-name TenantA --os-username UserA --os-password password --os-auth-url=http://localhost:5000/v2.0 list

root@controller:~# nova --os-tenant-name TenantA --os-username UserA --os-password password --os-auth-url=http://localhost:5000/v2.0 list
+--------------------------------------+-------+--------+------------+-------------+----------------------+
| ID                                   | Name  | Status | Task State | Power State | Networks             |
+--------------------------------------+-------+--------+------------+-------------+----------------------+
| d4a05267-b610-4c61-86e0-542ae9a7d93f | vm001 | ACTIVE | -          | Running     | tenantA-Net=10.0.0.2 |
+--------------------------------------+-------+--------+------------+-------------+----------------------+

6. Assign a floating IP to the VM

Create a floating IP

# neutron --os-tenant-name TenantA --os-username UserA --os-password password --os-auth-url=http://localhost:5000/v2.0 floatingip-create Ext-Net

root@controller:~# neutron --os-tenant-name TenantA --os-username UserA --os-password password --os-auth-url=http://localhost:5000/v2.0 floatingip-create Ext-Net
Created a new floatingip:
+---------------------+--------------------------------------+
| Field               | Value                                |
+---------------------+--------------------------------------+
| fixed_ip_address    |                                      |
| floating_ip_address | 10.1.101.81                          |
| floating_network_id | c8699820-7c6d-4441-9602-3425f2c630ec |
| id                  | 0482a808-e92b-4ae0-a830-6f149d310c30 |
| port_id             |                                      |
| router_id           |                                      |
| status              | DOWN                                 |
| tenant_id           | 60a10cd7a61b493d910eabd353c07567     |
+---------------------+--------------------------------------+

The address comes from Ext-Net's allocation pool (10.1.101.80 was already taken by the router's gateway port). It stays DOWN with no port_id or router_id until it is associated with an instance port.

List the floating IPs

# nova --os-tenant-name TenantA --os-username UserA --os-password password --os-auth-url=http://localhost:5000/v2.0 floating-ip-list

root@controller:~# nova --os-tenant-name TenantA --os-username UserA --os-password password --os-auth-url=http://localhost:5000/v2.0 floating-ip-list
+-------------+-----------+----------+---------+
| Ip          | Server Id | Fixed Ip | Pool    |
+-------------+-----------+----------+---------+
| 10.1.101.81 |           | -        | Ext-Net |
+-------------+-----------+----------+---------+

A second floating IP, 10.1.101.82, was then created the same way; that is the address associated with the VM below.

Associate the floating IP with the VM, replacing {the vm id} with the VM's ID

# nova --os-tenant-name TenantA --os-username UserA --os-password password --os-auth-url=http://localhost:5000/v2.0 floating-ip-associate {the vm id} 10.1.101.82

root@controller:~# nova --os-tenant-name TenantA --os-username UserA --os-password password --os-auth-url=http://localhost:5000/v2.0 floating-ip-associate d4a05267-b610-4c61-86e0-542ae9a7d93f 10.1.101.82

Check the VM again; the floating IP now shows next to the fixed IP.

# nova --os-tenant-name TenantA --os-username UserA --os-password password --os-auth-url=http://localhost:5000/v2.0 list

root@controller:~# nova --os-tenant-name TenantA --os-username UserA --os-password password --os-auth-url=http://localhost:5000/v2.0 list
+--------------------------------------+-------+--------+------------+-------------+-----------------------------------+
| ID                                   | Name  | Status | Task State | Power State | Networks                          |
+--------------------------------------+-------+--------+------------+-------------+-----------------------------------+
| d4a05267-b610-4c61-86e0-542ae9a7d93f | vm001 | ACTIVE | -          | Running     | tenantA-Net=10.0.0.2, 10.1.101.82 |
+--------------------------------------+-------+--------+------------+-------------+-----------------------------------+

7. SSH into the VM (the VM must be ACTIVE; the cirros password is cubswin:))

Replace {put_floating_ip_here} with the VM's floating IP:

ssh cirros@{put_floating_ip_here}

root@controller:~# ssh cirros@10.1.101.82
The authenticity of host '10.1.101.82 (10.1.101.82)' can't be established.
RSA key fingerprint is da:a3:1a:60:f1:e9:3a:e2:a7:6c:35:cb:f8:9b:b7:65.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.1.101.82' (RSA) to the list of known hosts.
cirros@10.1.101.82's password:
$
$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: seq=3 ttl=35 time=295.980 ms
64 bytes from 8.8.8.8: seq=7 ttl=35 time=299.047 ms

The VM is reachable from outside through its floating IP and reaches the Internet through the router's SNAT. Two things to keep in mind: the host key was accepted on first use without being compared against anything (a fresh cirros instance has no key you could have verified beforehand), and the cirros password is public, so with the 0.0.0.0/0 rules from section 4 anyone who can reach 10.1.101.0/24 can log in the same way. Only seq=3 and seq=7 got replies, so this path is also dropping most packets.