openstack-8: Implementing an internal/external network structure
Dual network: internal and external
Controller node
Modify the configuration files
vim /etc/neutron/plugins/ml2/linuxbridge_agent.ini
[linux_bridge]
physical_interface_mappings = external:eth0,internal:eth1
vim /etc/neutron/plugins/ml2/ml2_conf.ini
[ml2_type_flat]
flat_networks = external,internal
Restart the services
systemctl restart neutron-linuxbridge-agent neutron-server
Compute node
Modify the configuration file
vim /etc/neutron/plugins/ml2/linuxbridge_agent.ini
[linux_bridge]
physical_interface_mappings = external:eth0,internal:eth1
Restart the service
systemctl restart neutron-linuxbridge-agent
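An added consistency check, not part of the original post: it compares `flat_networks` with `physical_interface_mappings` on one node and reports labels without a mapping, interfaces that do not exist, and two networks bridged onto the same NIC (which would remove the internal/external separation). The sample strings are the settings shown above; the function names and the `host_ifaces` parameter are hypothetical.

```python
import configparser

# Constructed sample input: the two settings exactly as shown on this page.
ML2_INI = "[ml2_type_flat]\nflat_networks = external,internal\n"
AGENT_INI = "[linux_bridge]\nphysical_interface_mappings = external:eth0,internal:eth1\n"


def _csv_option(ini_text, section, key):
    """Read a comma-separated option and return its items as a list."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(ini_text)
    raw = cp.get(section, key, fallback="")
    return [item.strip() for item in raw.split(",") if item.strip()]


def check_mappings(ml2_ini, agent_ini, host_ifaces):
    """Return a list of problems found on one node (empty list = consistent)."""
    flat = _csv_option(ml2_ini, "ml2_type_flat", "flat_networks")
    problems, mapping = [], {}
    for pair in _csv_option(agent_ini, "linux_bridge", "physical_interface_mappings"):
        physnet, sep, iface = pair.partition(":")
        if not sep or not physnet or not iface:
            problems.append(f"malformed mapping {pair!r}")
        elif physnet in mapping:
            problems.append(f"{physnet} is mapped more than once")
        else:
            mapping[physnet] = iface
    for net in flat:
        if net != "*" and net not in mapping:
            problems.append(f"flat network {net} has no interface mapping")
    by_iface = {}
    for physnet, iface in mapping.items():
        if "*" not in flat and physnet not in flat:
            problems.append(f"{physnet} is mapped but not in flat_networks")
        if iface not in host_ifaces:
            problems.append(f"{iface} (for {physnet}) does not exist on this host")
        by_iface.setdefault(iface, []).append(physnet)
    for iface, nets in by_iface.items():
        if len(nets) > 1:
            problems.append(f"{', '.join(nets)} share {iface}: networks are not separated")
    return problems


if __name__ == "__main__":
    # On a real node, pass os.listdir("/sys/class/net") as host_ifaces.
    print(check_mappings(ML2_INI, AGENT_INI, ["lo", "eth0", "eth1"]) or "consistent")
```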
Create the networks on the controller
neutron net-create --shared --provider:physical_network external --provider:network_type flat external-net
neutron net-create --shared --provider:physical_network internal --provider:network_type flat internal-net
[root@controller1 ~]# neutron net-list
neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.
+--------------------------------------+--------------+----------------------------------+---------+
| id | name | tenant_id | subnets |
+--------------------------------------+--------------+----------------------------------+---------+
| 037aabee-0ac5-4b42-8b7c-88ad612a90a7 | external-net | 8b265ee23ae24aaabae6fd984af19b41 | |
| 9b041b34-530b-4177-92be-809a7cabdb2d | internal-net | 8b265ee23ae24aaabae6fd984af19b41 | |
+--------------------------------------+--------------+----------------------------------+---------+
Create the subnets
neutron subnet-create --name external-subnet --allocation-pool start=192.168.10.50,end=192.168.10.100 --dns-nameserver 8.8.8.8 external-net 192.168.10.0/24
neutron subnet-create --name external-subnet --allocation-pool start=192.168.20.50,end=192.168.20.100 --dns-nameserver 8.8.8.8 internal-net 192.168.20.0/24
List the created subnets
[root@controller1 ~]# neutron subnet-list
neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.
+--------------------------------------+-----------------+----------------------------------+-----------------+-----------------------------------------------------+
| id | name | tenant_id | cidr | allocation_pools |
+--------------------------------------+-----------------+----------------------------------+-----------------+-----------------------------------------------------+
| 38be1447-015d-4298-8955-90dac5635f9b | external-subnet | 8b265ee23ae24aaabae6fd984af19b41 | 192.168.10.0/24 | {"start": "192.168.10.50", "end": "192.168.10.100"} |
| dcd75bf8-a59b-481f-bdae-574f3d4812dd | external-subnet | 8b265ee23ae24aaabae6fd984af19b41 | 192.168.20.0/24 | {"start": "192.168.20.50", "end": "192.168.20.100"} |
+--------------------------------------+-----------------+----------------------------------+-----------------+-----------------------------------------------------+
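Create the m1.nano flavor (using admin credentials)
The smallest default flavor requires 512 MB of memory. For environments whose compute nodes have less than 4 GB of memory, we recommend creating an m1.nano flavor that needs only 64 MB. For testing purposes only, use the m1.nano flavor to boot the CirrOS image.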
[root@controller1 ~]# openstack flavor create --id 0 --vcpus 1 --ram 64 --disk 1 m1.nano
+----------------------------+---------+
| Field | Value |
+----------------------------+---------+
| OS-FLV-DISABLED:disabled | False |
| OS-FLV-EXT-DATA:ephemeral | 0 |
| disk | 1 |
| id | 0 |
| name | m1.nano |
| os-flavor-access:is_public | True |
| properties | |
| ram | 64 |
| rxtx_factor | 1.0 |
| swap | |
| vcpus | 1 |
+----------------------------+---------+
Preparation before launching an instance
Create the demo project
- Create the demo project:
openstack project create --domain default --description "Demo Project" demo
- Create the demo user and set its password to demo
openstack user create --domain default --password-prompt demo
- Create a user role
openstack role create user
- Add the demo user to the demo project
openstack role add --project demo --user demo user
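Generate a key pair (passwordless login)
Most cloud images support public key authentication rather than traditional password login. Before launching an instance, you must add a public key to the Compute service.
Source the demo project credentials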
[root@controller1 ~]# source demo-ocata.sh
Generate a key pair and add a public key:
[root@controller1 ~]# ssh-keygen -q -N ""
Enter file in which to save the key (/root/.ssh/id_rsa):
[root@controller1 ~]#
[root@controller1 ~]# openstack keypair create --public-key ~/.ssh/id_rsa.pub mykey
+-------------+-------------------------------------------------+
| Field | Value |
+-------------+-------------------------------------------------+
| fingerprint | df:7d:85:2e:d3:ee:6c:a0:77:f5:50:0b:4f:a5:4b:a1 |
| name | mykey |
| user_id | 7776247dcc724b0686415797a1bc72dd |
+-------------+-------------------------------------------------+
Verify that the public key was added
[root@controller1 ~]# openstack keypair list
+-------+-------------------------------------------------+
| Name | Fingerprint |
+-------+-------------------------------------------------+
| mykey | df:7d:85:2e:d3:ee:6c:a0:77:f5:50:0b:4f:a5:4b:a1 |
+-------+-------------------------------------------------+
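Add security group rules
By default, the default security group applies to all instances and includes firewall rules that deny remote access to instances. For Linux images such as CirrOS, we recommend allowing at least ICMP (ping) and secure shell (SSH).
Add rules to the default security group.
Permit ICMP (ping): (allow ping packets)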
openstack security group rule create --proto icmp default
Permit secure shell (SSH) access: (open SSH)
openstack security group rule create --proto tcp --dst-port 22 default
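An added audit example, not part of the original post: a rule created without `--remote-ip` accepts any IPv4 source (0.0.0.0/0), so the SSH rule above admits every host that can reach an instance on the flat external-net. The script lists ingress rules that allow a port from outside a set of trusted CIDRs; the sample JSON is constructed, and its field names (assumed to follow the column headers of `openstack security group rule list --long -f json default`), rule IDs, and function names are assumptions.

```python
import ipaddress
import json

# Constructed sample (placeholder IDs; field names assumed from the CLI columns).
SAMPLE = json.dumps([
    {"ID": "rule-1", "IP Protocol": "icmp", "IP Range": "0.0.0.0/0",
     "Port Range": "", "Direction": "ingress", "Remote Security Group": None},
    {"ID": "rule-2", "IP Protocol": "tcp", "IP Range": "0.0.0.0/0",
     "Port Range": "22:22", "Direction": "ingress", "Remote Security Group": None},
    {"ID": "rule-3", "IP Protocol": "tcp", "IP Range": "192.168.10.0/24",
     "Port Range": "22:22", "Direction": "ingress", "Remote Security Group": None},
    {"ID": "rule-4", "IP Protocol": None, "IP Range": None,
     "Port Range": "", "Direction": "ingress", "Remote Security Group": "group-id"},
    {"ID": "rule-5", "IP Protocol": None, "IP Range": None,
     "Port Range": "", "Direction": "egress", "Remote Security Group": None},
])


def covers_port(port_range, port):
    """True if a 'min:max' range includes port; an empty range means all ports."""
    if not port_range:
        return True
    low, _, high = port_range.partition(":")
    return int(low) <= port <= int(high or low)


def exposed_rules(rules_json, trusted_cidrs, port=22):
    """Return IDs of ingress rules that admit TCP `port` from outside trusted_cidrs."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for rule in json.loads(rules_json):
        if rule.get("Direction") != "ingress":
            continue
        if rule.get("Remote Security Group"):
            continue  # source is limited to members of another security group
        if rule.get("IP Protocol") not in ("tcp", "any", "", None):
            continue  # e.g. the ICMP rule cannot carry SSH
        if not covers_port(rule.get("Port Range") or "", port):
            continue
        # A missing range is treated as "any IPv4 source".
        source = ipaddress.ip_network(rule.get("IP Range") or "0.0.0.0/0")
        if not any(source.version == t.version and source.subnet_of(t) for t in trusted):
            findings.append(rule["ID"])
    return findings


if __name__ == "__main__":
    print(exposed_rules(SAMPLE, ["192.168.10.0/24"]))
```

A narrower rule can be created by passing `--remote-ip` with the management CIDR to `openstack security group rule create`.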
Create an instance
On the controller node, source the admin credentials to gain access to admin-only commands
[root@controller1 ~]# source demo-ocata.sh
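An instance flavor specifies a rough allocation of virtual machine resources, including processor, memory, and storage.
List the available flavors: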
[root@controller1 ~]# openstack flavor list
+----+---------+-----+------+-----------+-------+-----------+
| ID | Name | RAM | Disk | Ephemeral | VCPUs | Is Public |
+----+---------+-----+------+-----------+-------+-----------+
| 0 | m1.nano | 64 | 1 | 0 | 1 | True |
+----+---------+-----+------+-----------+-------+-----------+
List the available images
[root@controller1 ~]# openstack image list
+--------------------------------------+--------+--------+
| ID | Name | Status |
+--------------------------------------+--------+--------+
| 4c871eda-5086-45d3-a194-f9bcdd8b509c | cirros | active |
+--------------------------------------+--------+--------+
List the available networks
[root@controller1 ~]# openstack network list
+--------------------------------------+--------------+--------------------------------------+
| ID | Name | Subnets |
+--------------------------------------+--------------+--------------------------------------+
| 037aabee-0ac5-4b42-8b7c-88ad612a90a7 | external-net | 38be1447-015d-4298-8955-90dac5635f9b |
| 9b041b34-530b-4177-92be-809a7cabdb2d | internal-net | dcd75bf8-a59b-481f-bdae-574f3d4812dd |
+--------------------------------------+--------------+--------------------------------------+
List the available security groups
[root@controller1 ~]# openstack security group list
+--------------------------------------+---------+------------------------+----------------------------------+------+
| ID | Name | Description | Project | Tags |
+--------------------------------------+---------+------------------------+----------------------------------+------+
| 67c31f24-06b9-44af-8131-d1137e9766f9 | default | Default security group | e9012ed0859f41fc9e0b48ab8c4a2c8b | [] |
+--------------------------------------+---------+------------------------+----------------------------------+------+
Launch the instance
- openstack server create --flavor m1.nano --image <image name (see openstack image list)>
--nic net-id=<network ID (from openstack network list)> --security-group default
--key-name mykey <your VM name>
openstack server create --flavor m1.nano --image cirros \
--nic net-id=037aabee-0ac5-4b42-8b7c-88ad612a90a7 --security-group default \
--key-name mykey cirros-vm1
Check the status of the instance:
[root@controller1 ~]# openstack server list
+--------------------------------------+------+--------+----------------------------+--------+---------+
| ID | Name | Status | Networks | Image | Flavor |
+--------------------------------------+------+--------+----------------------------+--------+---------+
| 314fc0ae-f7d8-419a-902d-47f008e40626 | vm1 | ACTIVE | external-net=192.168.10.97 | cirros | m1.nano |
+--------------------------------------+------+--------+----------------------------+--------+---------+
Access the instance using the virtual console
[root@controller1 ~]# openstack console url show vm1
+-------+-----------------------------------------------------------------------------------------------+
| Field | Value |
+-------+-----------------------------------------------------------------------------------------------+
| type | novnc |
| url | http://192.168.10.233:6080/vnc_auto.html?path=%3Ftoken%3D70051afe-f81e-42f6-a984-21b30d6078b3 |
+-------+-----------------------------------------------------------------------------------------------+
Log in to OpenStack
![openstack openstack](./images/1569297600578.png)
![openstack openstack](./images/1569297629794.png)
Log in with SSH (use the cirros user)
[root@controller1 ~]# ssh 192.168.10.97
Please login as 'cirros' user, not as root
^CConnection to 192.168.10.97 closed.
[root@controller1 ~]# ssh cirros@192.168.10.97
$ cat /etc/issue
login as 'cirros' user. default password: 'cubswin:)'. use 'sudo' for root.
$ sudo su -
# ifconfig eth0
eth0 Link encap:Ethernet HWaddr FA:16:3E:C1:A4:32
inet addr:192.168.10.97 Bcast:192.168.10.255 Mask:255.255.255.0
inet6 addr: fe80::f816:3eff:fec1:a432/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:322 errors:0 dropped:0 overruns:0 frame:0
TX packets:241 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:72155 (70.4 KiB) TX bytes:28716 (28.0 KiB)
Launch a dual-network instance
# First import a CentOS 7.2 image; how to build an image will be covered later
openstack image create "centos7.2" --file CentOS-7-x86_64-GenericCloud-1511.qcow2 --disk-format qcow2 --container-format bare --public
![openstack openstack](./images/1569308237597.png)
![openstack openstack](./images/1569308349183.png)
![openstack openstack](./images/1569308375411.png)
![openstack openstack](./images/1569308390866.png)
The order in which NICs are added matters: 1 corresponds to eth0 and 2 to eth1.
![openstack openstack](./images/1569308472362.png)
Wait a moment
![openstack openstack](./images/1569308489668.png)
View the security group (the ping and SSH rules are the ones added earlier)