First, a few concepts need to be clear:
External network: floating IPs can be allocated from it and bound to a VM, after which the VM is reachable from outside.
Virtual network (internal network, private network): the private network that a VM's virtual NIC sits on.
Subnet: every network a user creates must have at least one subnet (it may also have several).
Router: every network a user creates needs at least one router, and that router must have an interface attached to the network.
fixed ip: the IP of the VM's NIC on the virtual network.
floating ip: the IP on the external network that corresponds to the virtual network.
interface: a network interface.
Port: a subnet has several ports (each normally carries a MAC address and an IP address). In GRE mode a subnet typically has a qdhcp port, a qrouter port and the ports allocated to VM instances; their IP addresses all belong to this subnet.
1. Check the nova and neutron services; make sure every entry shows a smiley
# nova-manage service list

root@controller:~# nova-manage service list
Binary Host Zone Status State Updated_At
nova-cert controller internal enabled :-) 2015-01-12 00:39:05
nova-consoleauth controller internal enabled :-) 2015-01-12 00:38:59
nova-scheduler controller internal enabled :-) 2015-01-12 00:39:00
nova-conductor controller internal enabled :-) 2015-01-12 00:39:03
nova-compute compute1 nova enabled :-) 2015-01-12 00:39:03

# neutron agent-list

root@controller:~# neutron agent-list
+--------------------------------------+--------------------+----------+-------+----------------+
| id | agent_type | host | alive | admin_state_up |
+--------------------------------------+--------------------+----------+-------+----------------+
| 7a1f9910-62d8-4461-b31d-1a562bd0b76e | DHCP agent | network | :-) | True |
| 86d1c916-8b05-4840-965c-e9152388e0c2 | Open vSwitch agent | compute1 | :-) | True |
| 8809b0e3-010d-4d2f-b552-10be24002684 | Open vSwitch agent | network | :-) | True |
| aca01734-7522-427a-b3f2-45400d22121c | Metadata agent | network | :-) | True |
| e964a21a-4b8d-403b-9c81-2a95f387285e | L3 agent | network | :-) | True |
+--------------------------------------+--------------------+----------+-------+----------------+
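Checking the two tables by eye does not scale; the script below, an added example that is not part of the original post, parses the `nova-manage service list` and `neutron agent-list` output shown above and exits non-zero naming any service or agent that is not `:-)`. The two sample tables embedded in it are constructed (one entry marked down) so it runs offline.

```shell
#!/bin/sh
# Added example (not from the original post): fail if any nova service or
# neutron agent in the tables of section 1 is not alive. nova-manage marks a
# dead service "XXX" in the State column; neutron agent-list marks a dead
# agent "xxx" in the alive column.

# nova-manage service list: whitespace-separated, header on line 1,
# column 1 = Binary, 2 = Host, 5 = State. Prints "binary@host" for each dead
# service; exit 1 if any was found.
check_nova_services() {
    awk 'NR > 1 && $5 != ":-)" { print $1 "@" $2; bad = 1 } END { if (bad) exit 1 }'
}

# neutron agent-list: pipe-separated table, so split on "|" (field 1 is the
# empty text before the leading "|"). Field 3 = agent_type (contains spaces),
# 4 = host, 5 = alive. Prints "agent_type@host" for each dead agent.
check_neutron_agents() {
    awk -F'|' '
        /^\|/ && $2 !~ /^ *id *$/ {
            for (i = 3; i <= 5; i++) gsub(/^ +| +$/, "", $i)
            if ($5 != ":-)") { print $3 "@" $4; bad = 1 }
        }
        END { if (bad) exit 1 }'
}

# Constructed samples shaped like the output above, each with one dead entry.
NOVA_SAMPLE_DOWN='Binary Host Zone Status State Updated_At
nova-cert controller internal enabled :-) 2015-01-12 00:39:05
nova-compute compute1 nova enabled XXX 2015-01-12 00:29:03'
NEUTRON_SAMPLE_DOWN='| id | agent_type | host | alive | admin_state_up |
| 7a1f9910-62d8-4461-b31d-1a562bd0b76e | DHCP agent | network | :-) | True |
| e964a21a-4b8d-403b-9c81-2a95f387285e | L3 agent | network | xxx | True |'

# Usage on a live controller:
#   nova-manage service list | check_nova_services && neutron agent-list | check_neutron_agents
```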
2. Create a tenant and a user
Create the tenant
# keystone tenant-create --name TenantA

root@controller:~# keystone tenant-create --name TenantA
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
+-------------+----------------------------------+
| Property | Value |
+-------------+----------------------------------+
| description | |
| enabled | True |
| id | 60a10cd7a61b493d910eabd353c07567 |
| name | TenantA |
+-------------+----------------------------------+

Create the user
# keystone user-create --name=UserA --pass=password --tenant-id TenantA --email=usera@test.com

root@controller:~# keystone user-create --name=UserA --pass=password --tenant-id TenantA --email=usera@test.com
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
+----------+----------------------------------+
| Property | Value |
+----------+----------------------------------+
| email | usera@test.com |
| enabled | True |
| id | be1db0d2fd134025accd2654cfc66056 |
| name | UserA |
| tenantId | 60a10cd7a61b493d910eabd353c07567 |
| username | UserA |
+----------+----------------------------------+

Add the user to the tenant
# keystone user-role-add --tenant TenantA --user UserA --role Member

root@controller:~# keystone user-role-add --tenant TenantA --user UserA --role Member
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
3. Prepare the neutron networks
Create the external network
# neutron net-create Ext-Net --provider:network_type gre --provider:segmentation_id 1 --router:external true

root@controller:~# neutron net-create Ext-Net --provider:network_type gre --provider:segmentation_id 1 --router:external true
Created a new network:
+---------------------------+--------------------------------------+
| Field | Value |
+---------------------------+--------------------------------------+
| admin_state_up | True |
| id | c8699820-7c6d-4441-9602-3425f2c630ec |
| name | Ext-Net |
| provider:network_type | gre |
| provider:physical_network | |
| provider:segmentation_id | 1 |
| router:external | True |
| shared | False |
| status | ACTIVE |
| subnets | |
| tenant_id | c91d0723aaea4985a77801a15ef66438 |
+---------------------------+--------------------------------------+

Create the external network's subnet
# neutron subnet-create --allocation-pool start=10.1.101.80,end=10.1.101.100 --gateway 10.1.101.254 Ext-Net 10.1.101.0/24 --enable_dhcp=False

root@controller:~# neutron subnet-create --allocation-pool start=10.1.101.80,end=10.1.101.100 --gateway 10.1.101.254 Ext-Net 10.1.101.0/24 --enable_dhcp=False
Created a new subnet:
+------------------+-------------------------------------------------+
| Field | Value |
+------------------+-------------------------------------------------+
| allocation_pools | {"start": "10.1.101.80", "end": "10.1.101.100"} |
| cidr | 10.1.101.0/24 |
| dns_nameservers | |
| enable_dhcp | False |
| gateway_ip | 10.1.101.254 |
| host_routes | |
| id | 2c4155c9-5a2e-471c-a4d8-40a86b45ab0a |
| ip_version | 4 |
| name | |
| network_id | c8699820-7c6d-4441-9602-3425f2c630ec |
| tenant_id | c91d0723aaea4985a77801a15ef66438 |
+------------------+-------------------------------------------------+

Next, create the tenant's subnet and virtual router.
Create the tenant network
# neutron --os-tenant-name TenantA --os-username UserA --os-password password --os-auth-url=http://localhost:5000/v2.0 net-create tenantA-Net

root@controller:~# neutron --os-tenant-name TenantA --os-username UserA --os-password password --os-auth-url=http://localhost:5000/v2.0 net-create tenantA-Net
Created a new network:
+----------------+--------------------------------------+
| Field | Value |
+----------------+--------------------------------------+
| admin_state_up | True |
| id | 7c22bbd9-166c-4610-9a3d-3b8b92c77518 |
| name | tenantA-Net |
| shared | False |
| status | ACTIVE |
| subnets | |
| tenant_id | 60a10cd7a61b493d910eabd353c07567 |
+----------------+--------------------------------------+

Create the tenant subnet
# neutron --os-tenant-name TenantA --os-username UserA --os-password password --os-auth-url=http://localhost:5000/v2.0 subnet-create tenantA-Net 10.0.0.0/24

root@controller:~# neutron --os-tenant-name TenantA --os-username UserA --os-password password --os-auth-url=http://localhost:5000/v2.0 subnet-create tenantA-Net 10.0.0.0/24
Created a new subnet:
+------------------+--------------------------------------------+
| Field | Value |
+------------------+--------------------------------------------+
| allocation_pools | {"start": "10.0.0.2", "end": "10.0.0.254"} |
| cidr | 10.0.0.0/24 |
| dns_nameservers | |
| enable_dhcp | True |
| gateway_ip | 10.0.0.1 |
| host_routes | |
| id | c37d8ed0-372e-4b24-9ba2-897c38c6ddbf |
| ip_version | 4 |
| name | |
| network_id | 7c22bbd9-166c-4610-9a3d-3b8b92c77518 |
| tenant_id | 60a10cd7a61b493d910eabd353c07567 |
+------------------+--------------------------------------------+

Create the tenant's virtual router
# neutron --os-tenant-name TenantA --os-username UserA --os-password password --os-auth-url=http://localhost:5000/v2.0 router-create tenant-R1

root@controller:~# neutron --os-tenant-name TenantA --os-username UserA --os-password password --os-auth-url=http://localhost:5000/v2.0 router-create tenant-R1
Created a new router:
+-----------------------+--------------------------------------+
| Field | Value |
+-----------------------+--------------------------------------+
| admin_state_up | True |
| external_gateway_info | |
| id | 680944ad-679c-4fe8-ae4b-258cd8ac337f |
| name | tenant-R1 |
| status | ACTIVE |
| tenant_id | 60a10cd7a61b493d910eabd353c07567 |
+-----------------------+--------------------------------------+

Add a router interface
(replace ${subnet_id} with the subnet ID)
# neutron --os-tenant-name TenantA --os-username UserA --os-password password --os-auth-url=http://localhost:5000/v2.0 router-interface-add tenant-R1 ${subnet_id}

root@controller:~# neutron --os-tenant-name TenantA --os-username UserA --os-password password --os-auth-url=http://localhost:5000/v2.0 router-interface-add tenant-R1 c37d8ed0-372e-4b24-9ba2-897c38c6ddbf
Added interface 81388454-30e0-45e4-b3dd-b7b2e8dbf067 to router tenant-R1.

Set the router's gateway
# neutron router-gateway-set tenant-R1 Ext-Net

root@controller:~# neutron router-gateway-set tenant-R1 Ext-Net
Set gateway for router tenant-R1

At this point the network topology as seen by UserA is as follows:
4. Security group rules
Security group rules determine whether the VM can be pinged from outside and logged into over ssh, so configure the ICMP and TCP rules for OpenStack on the controller node.
Get TenantA's default security group
# neutron --os-tenant-name TenantA --os-username UserA --os-password password --os-auth-url=http://localhost:5000/v2.0 security-group-list

root@controller:~# neutron --os-tenant-name TenantA --os-username UserA --os-password password --os-auth-url=http://localhost:5000/v2.0 security-group-list
+--------------------------------------+---------+-------------+
| id | name | description |
+--------------------------------------+---------+-------------+
| 8bd8fb6b-7141-4900-8321-390cc1a5d999 | default | default |
+--------------------------------------+---------+-------------+

The rules of the default security group:
Set the ICMP/TCP/UDP security group rules for default in nova
# nova --os-tenant-name TenantA --os-username UserA --os-password password --os-auth-url=http://localhost:5000/v2.0 secgroup-add-rule default tcp 1 65535 0.0.0.0/0

root@controller:~# nova --os-tenant-name TenantA --os-username UserA --os-password password --os-auth-url=http://localhost:5000/v2.0 secgroup-add-rule default tcp 1 65535 0.0.0.0/0
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range | Source Group |
+-------------+-----------+---------+-----------+--------------+
| tcp | 1 | 65535 | 0.0.0.0/0 | |
+-------------+-----------+---------+-----------+--------------+

# nova --os-tenant-name TenantA --os-username UserA --os-password password --os-auth-url=http://localhost:5000/v2.0 secgroup-add-rule default udp 1 65535 0.0.0.0/0

root@controller:~# nova --os-tenant-name TenantA --os-username UserA --os-password password --os-auth-url=http://localhost:5000/v2.0 secgroup-add-rule default udp 1 65535 0.0.0.0/0
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range | Source Group |
+-------------+-----------+---------+-----------+--------------+
| udp | 1 | 65535 | 0.0.0.0/0 | |
+-------------+-----------+---------+-----------+--------------+

# nova --os-tenant-name TenantA --os-username UserA --os-password password --os-auth-url=http://localhost:5000/v2.0 secgroup-add-rule default icmp -1 -1 0.0.0.0/0

root@controller:~# nova --os-tenant-name TenantA --os-username UserA --os-password password --os-auth-url=http://localhost:5000/v2.0 secgroup-add-rule default icmp -1 -1 0.0.0.0/0
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range | Source Group |
+-------------+-----------+---------+-----------+--------------+
| icmp | -1 | -1 | 0.0.0.0/0 | |
+-------------+-----------+---------+-----------+--------------+
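The tcp and udp rules above open every port from 0.0.0.0/0, which is more than the ping and ssh the section needs. The script below, an added example that is not part of the original post, reads a `nova secgroup-list-rules default` table, flags such any-port-from-anywhere rules, and prints the nova commands that replace them with ssh from a management network only; the sample table is constructed from the three rules above, and `ADMIN_CIDR` is an assumed management range.

```shell
#!/bin/sh
# Added example (not from the original post): audit the default security
# group for tcp/udp rules that allow the whole port range from anywhere, and
# print the tighter replacement commands. ADMIN_CIDR is an assumption; set it
# to the network your operators actually ssh from.

ADMIN_CIDR="${ADMIN_CIDR:-10.1.101.0/24}"
OS_OPTS="--os-tenant-name TenantA --os-username UserA --os-password password --os-auth-url=http://localhost:5000/v2.0"

# Constructed sample in the format of `nova secgroup-list-rules default`,
# mirroring the three rules added in section 4.
RULES_SAMPLE='+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| tcp         | 1         | 65535   | 0.0.0.0/0 |              |
| udp         | 1         | 65535   | 0.0.0.0/0 |              |
| icmp        | -1        | -1      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+'

# Read the rules table on stdin; print "<proto> <from>-<to> <cidr>" for every
# tcp/udp rule covering ports 1-65535 from 0.0.0.0/0 or ::/0. Exit 1 if any
# such rule exists, 0 otherwise. ICMP from anywhere is left alone (ping).
find_wide_open_rules() {
    awk -F'|' '
        /^\|/ && $2 !~ /IP Protocol/ {
            for (i = 2; i <= 5; i++) gsub(/^ +| +$/, "", $i)
            if (($2 == "tcp" || $2 == "udp") &&
                ($5 == "0.0.0.0/0" || $5 == "::/0") &&
                $3 == "1" && $4 == "65535") {
                print $2 " " $3 "-" $4 " " $5; bad = 1
            }
        }
        END { if (bad) exit 1 }'
}

# Print (do not run) the commands that drop the wide-open rules and allow
# ssh only from $1, the management CIDR. The icmp rule is kept as is.
least_privilege_rule_cmds() {
    echo "nova $OS_OPTS secgroup-delete-rule default tcp 1 65535 0.0.0.0/0"
    echo "nova $OS_OPTS secgroup-delete-rule default udp 1 65535 0.0.0.0/0"
    echo "nova $OS_OPTS secgroup-add-rule default tcp 22 22 $1"
}

# Usage on a live controller:
#   nova $OS_OPTS secgroup-list-rules default | find_wide_open_rules || least_privilege_rule_cmds "$ADMIN_CIDR"
```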
5. Launch a VM
List the images:
# glance index

root@controller:~# glance index
ID Name Disk Format Container Format Size
------------------------------------ ------------------------------ -------------------- -------------------- --------------
a1de861a-be9c-4223-9a7a-cf5917489ce9 cirros-0.3.2-x86_64 qcow2 bare 13167616

Launch the VM; replace {the cirros ID from Glance} with the image ID
# nova --os-tenant-name TenantA --os-username UserA --os-password password --os-auth-url=http://localhost:5000/v2.0 boot --flavor 1 --image {the cirros ID from Glance} vm001

root@controller:~# nova --os-tenant-name TenantA --os-username UserA --os-password password --os-auth-url=http://localhost:5000/v2.0 boot --flavor 1 --image a1de861a-be9c-4223-9a7a-cf5917489ce9 vm001
+--------------------------------------+------------------------------------------------------------+
| Property | Value |
+--------------------------------------+------------------------------------------------------------+
| OS-DCF:diskConfig | MANUAL |
| OS-EXT-AZ:availability_zone | nova |
| OS-EXT-STS:power_state | 0 |
| OS-EXT-STS:task_state | scheduling |
| OS-EXT-STS:vm_state | building |
| OS-SRV-USG:launched_at | - |
| OS-SRV-USG:terminated_at | - |
| accessIPv4 | |
| accessIPv6 | |
| adminPass | sCekd6U9PcvU |
| config_drive | |
| created | 2015-01-12T01:18:27Z |
| flavor | m1.tiny (1) |
| hostId | |
| id | d4a05267-b610-4c61-86e0-542ae9a7d93f |
| image | cirros-0.3.2-x86_64 (a1de861a-be9c-4223-9a7a-cf5917489ce9) |
| key_name | - |
| metadata | {} |
| name | vm001 |
| os-extended-volumes:volumes_attached | [] |
| progress | 0 |
| security_groups | default |
| status | BUILD |
| tenant_id | 60a10cd7a61b493d910eabd353c07567 |
| updated | 2015-01-12T01:18:28Z |
| user_id | be1db0d2fd134025accd2654cfc66056 |
+--------------------------------------+------------------------------------------------------------+

Check that the VM status is ACTIVE
# nova --os-tenant-name TenantA --os-username UserA --os-password password --os-auth-url=http://localhost:5000/v2.0 list

root@controller:~# nova --os-tenant-name TenantA --os-username UserA --os-password password --os-auth-url=http://localhost:5000/v2.0 list
+--------------------------------------+-------+--------+------------+-------------+----------------------+
| ID | Name | Status | Task State | Power State | Networks |
+--------------------------------------+-------+--------+------------+-------------+----------------------+
| d4a05267-b610-4c61-86e0-542ae9a7d93f | vm001 | ACTIVE | - | Running | tenantA-Net=10.0.0.2 |
+--------------------------------------+-------+--------+------------+-------------+----------------------+
6. Assign a floating IP to the VM
Create a floating IP
# neutron --os-tenant-name TenantA --os-username UserA --os-password password --os-auth-url=http://localhost:5000/v2.0 floatingip-create Ext-Net

root@controller:~# neutron --os-tenant-name TenantA --os-username UserA --os-password password --os-auth-url=http://localhost:5000/v2.0 floatingip-create Ext-Net
Created a new floatingip:
+---------------------+--------------------------------------+
| Field | Value |
+---------------------+--------------------------------------+
| fixed_ip_address | |
| floating_ip_address | 10.1.101.81 |
| floating_network_id | c8699820-7c6d-4441-9602-3425f2c630ec |
| id | 0482a808-e92b-4ae0-a830-6f149d310c30 |
| port_id | |
| router_id | |
| status | DOWN |
| tenant_id | 60a10cd7a61b493d910eabd353c07567 |
+---------------------+--------------------------------------+

List the floating IPs
# nova --os-tenant-name TenantA --os-username UserA --os-password password --os-auth-url=http://localhost:5000/v2.0 floating-ip-list

root@controller:~# nova --os-tenant-name TenantA --os-username UserA --os-password password --os-auth-url=http://localhost:5000/v2.0 floating-ip-list
+-------------+-----------+----------+---------+
| Ip | Server Id | Fixed Ip | Pool |
+-------------+-----------+----------+---------+
| 10.1.101.81 | | - | Ext-Net |
+-------------+-----------+----------+---------+

I created a new floating IP, 10.1.101.82; the one assigned is 10.1.101.82.
Assign the floating IP to the VM; replace {the vm id} with the VM ID
# nova --os-tenant-name TenantA --os-username UserA --os-password password --os-auth-url=http://localhost:5000/v2.0 floating-ip-associate {the vm id} 10.1.101.82

root@controller:~# nova --os-tenant-name TenantA --os-username UserA --os-password password --os-auth-url=http://localhost:5000/v2.0 floating-ip-associate d4a05267-b610-4c61-86e0-542ae9a7d93f 10.1.101.82

Check the VM status; the floating IP is now visible.
# nova --os-tenant-name TenantA --os-username UserA --os-password password --os-auth-url=http://localhost:5000/v2.0 list

root@controller:~# nova --os-tenant-name TenantA --os-username UserA --os-password password --os-auth-url=http://localhost:5000/v2.0 list
+--------------------------------------+-------+--------+------------+-------------+-----------------------------------+
| ID | Name | Status | Task State | Power State | Networks |
+--------------------------------------+-------+--------+------------+-------------+-----------------------------------+
| d4a05267-b610-4c61-86e0-542ae9a7d93f | vm001 | ACTIVE | - | Running | tenantA-Net=10.0.0.2, 10.1.101.82 |
+--------------------------------------+-------+--------+------------+-------------+-----------------------------------+
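Sections 5 and 6 check by eye that `nova list` reports ACTIVE before the floating IP is associated; the script below, an added example that is not part of the original post, automates that step by polling the `nova list` table until the VM is ACTIVE (or gives up on ERROR or a poll budget). The command that produces the table is passed as a parameter, and `fake_nova_list` is a constructed stub used in place of the real `nova ... list` so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original post): wait for the VM to be ACTIVE
# before running floating-ip-associate. The lister is a parameter so a stub
# can be used offline; on a controller pass a wrapper around `nova ... list`.

OS_OPTS="--os-tenant-name TenantA --os-username UserA --os-password password --os-auth-url=http://localhost:5000/v2.0"
POLL_INTERVAL="${POLL_INTERVAL:-5}"

# Read a `nova list` table on stdin and print the Status column of VM $1.
# Fields after splitting on "|": 2 = ID, 3 = Name, 4 = Status.
vm_status() {
    awk -F'|' -v name="$1" '
        /^\|/ { gsub(/^ +| +$/, "", $3); gsub(/^ +| +$/, "", $4)
                if ($3 == name) print $4 }'
}

# $1 = VM name, $2 = command printing the nova list table, $3 = max polls.
# Returns 0 once the VM is ACTIVE, 1 on ERROR or when the poll budget runs out.
wait_for_active() {
    n=0
    while [ "$n" -lt "$3" ]; do
        st=$("$2" | vm_status "$1")
        case "$st" in
            ACTIVE) return 0 ;;
            ERROR)  echo "$1 entered ERROR" >&2; return 1 ;;
        esac
        n=$((n + 1))
        [ "$n" -lt "$3" ] && sleep "$POLL_INTERVAL"
    done
    echo "$1 still '$st' after $3 polls" >&2
    return 1
}

# Constructed stub standing in for `nova $OS_OPTS list`: BUILD on the first
# two calls, ACTIVE afterwards. The call count lives in a temp file because
# each call runs inside a command substitution (a subshell).
STUB_COUNT=$(mktemp)
fake_nova_list() {
    c=$(cat "$STUB_COUNT"); c=${c:-0}; echo $((c + 1)) > "$STUB_COUNT"
    if [ "$c" -lt 2 ]; then s=BUILD; else s=ACTIVE; fi
    printf '| ID | Name | Status | Task State | Power State | Networks |\n'
    printf '| d4a05267-b610-4c61-86e0-542ae9a7d93f | vm001 | %s | - | Running | tenantA-Net=10.0.0.2 |\n' "$s"
}

# Real run (replace fake_nova_list with a function that runs `nova $OS_OPTS list`):
#   wait_for_active vm001 fake_nova_list 60 && nova $OS_OPTS floating-ip-associate d4a05267-b610-4c61-86e0-542ae9a7d93f 10.1.101.82
```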
7. SSH into the VM (the VM status is ACTIVE; the password is cubswin:))
Replace {put_floating_ip_here} with the VM's floating IP

ssh cirros@{put_floating_ip_here}

root@controller:~# ssh cirros@10.1.101.82
The authenticity of host '10.1.101.82 (10.1.101.82)' can't be established.
RSA key fingerprint is da:a3:1a:60:f1:e9:3a:e2:a7:6c:35:cb:f8:9b:b7:65.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.1.101.82' (RSA) to the list of known hosts.
cirros@10.1.101.82's password:
$
$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: seq=3 ttl=35 time=295.980 ms
64 bytes from 8.8.8.8: seq=7 ttl=35 time=299.047 ms