Neutron组件详情
一、Neutron概述
如何快速响应业务的需求对网络管理提出了更高的要求。传统的网络管理方式已经很难胜任这项工作,而“软件定义网络(software-defined networking, SDN)”所具有的灵活性和自动化优势使其成为云时代网络管理的主流。
Neutron 的设计目标是实现“网络即服务(Networking as a Service)”。为了达到这一目标,在设计上遵循了基于 SDN 实现网络虚拟化的原则,在实现上充分利用了 Linux 系统上的各种网络相关的技术。
SDN 模式服务— NeutronSDN( 软件定义网络 ), 通过使用它,网络管理员和云计算操作员可以通过程序来动态定义虚拟网络设备。Openstack 网络中的 SDN 组件就是 Quantum.但因为版权问题而改名为Neutron 。
https://www.cnblogs.com/mh20131118/p/12954641.html
1、概念
(1)网桥/Bridge
Bridge类似于交换机,用于连接不同的网络设备。
Neutron 将网桥分为内部网桥(bridge-internal,bri-int)和外部网桥(bridge-external,ex-int)两种。
- 内部网桥:实现内部网络功能
- 外部网桥:负责与外部网络通信
(1)网络/Network
Network是一个隔离的二层广播域。neutron支持多种类型的Network:
Local:与其他网络和节点隔离,Local网络中的instance只能与位于同一节点同一网络的Instance通信,主要是用于单机测试。Flat:不支持VLAN,不支持二层隔离,所有虚拟机都在一个广播域中。用虚拟网桥建立了云主机网卡和物理网卡之间的联系,云主机和物理机可直接联系。容易产生广播风暴、能容纳的云主机数量不太多。VLAN:具有802.1q tagging的网络,可以将若干云主机按逻辑划分属于不同的VLAN。同一VLAN的云主机可以通信,不同VLAN的云主机只能通过router通信。最多只能标识4094个网络,无法满足超大规模用户需求。Vxlan:基于隧道技术的overlay网络,Vxlan是UDP隧道,可穿越IP网络,使得虚拟VLAN实现二层联通,能克服VLAN和物理网络基础设置限制,可提供多达1600万的虚拟网络容量。GRE:基于‘GRE Tunnel’隧道技术的overlay网络,主要区别是使用IP包而非UDP进行封装。
(2)子网/Subnet
Subnet 是挂载在网络中的一个IP 地址段(IPv4 或 IPv6)。它的主要功能是当网络中创建新的端口时为其分配IP地址。
- Network与Subnet是一对多的关系
- 同一网络的子网可以是不同的IP段,但CIDR不能重叠;
- 一个子网必须属于一个网络,一个网络可以有多个子网;
- 不同Network的Subnet的CIDR和IP都可以重叠。因为 Neutron 的 router 是通过 linux network namespace 实现的。
Network Namespace是一种网络隔离机制,通过网络命令空间的每个router都有自己独立的路由表。- 若两个subnet是通过同一个router路由,根据router配置,只有指定的一个subnet可被路由;
- 若两个subnet是通过不同的router路由,因为router的路由表独立,因此两个subnet都可以被路由。
(3)端口/Port
Port 是挂载在子网中的用于连接云主机虚拟网卡的接口。也是虚拟交换机的一个端口,定义了MAC地址和IP地址。
当实例的虚拟网卡(VIF,Virtual interface)绑定到 Port 时,Port 就会将 MAC 地址和IP地址分配给虚拟网卡。
子网和端口是一对多关系,一个端口必须属于某个子网,一个子网可以有多个端口。
2、功能
Neutron 为整个 OpenStack 环境提供网络支持,包括二层交换,三层路由,负载均衡,防火墙和 VPN 等。
(1)二层交换Switching
Neutron支持多种虚拟交换机,一般使用Linux Bridge和Open vSwitch创建传统的VLAN网络,以及基于隧道技术的Overlay网络,如VxLAN和GRE(Linux Bridge 目前只支持 VxLAN)。
(2)三层路由Routing
Neutron从Juno版开始正式加入的DVR(Distributed Virtual Router)服务,它将原本集中在网络节点的部分服务分散到了计算节点上。可以通过namespace中使用ip route或者iptables实现路由或NAT,也可以通过openflow给OpenvSwitch下发流表来实现。
(3)负载均衡Load Balancing
LBaaS 支持多种负载均衡产品和方案,不同的实现以 Plugin 的形式集成到 Neutron,通过HAProxy来实现。
(4)防火墙Firewalling
Neutron有两种方式来保障instance和网络的安全性,分别是安全组以及防火墙功能,均可以通过iptables来实现,前者是限制进出instance的网络包,后者是进出虚拟路由器的网络包。
3、架构
Neutron有以下组件构成:
- Neutron Server:对外提供OpenStack网络API,接收请求,并调用Plugin处理请求。
- Plugin:处理Neutron Server发来的请求,维护OpenStack逻辑网络的状态,并调用Agent处理请求。
- Agent:处理Plugin的请求,负责在Network Provider上真正实现各种网络功能。
- Network Provider:提供网络服务的虚拟或者物理网络设备,比如Linux Bridge,OpenVSwitch或者其他支持Neutron的物理交换机。
- Queue:Neutron Server,Plugin和Agent之间通过Messaging Queue通信和调用。
- Database:存放OpenStack的网络状态信息,包括Network,Subnet,Port,Router等。
4、Open vSwitch
Open vSwitch,简称OVS,是一个虚拟交换软件,主要用于虚拟机VM环境,作为一个虚拟交换机,支持Xen/XenServer, KVM, and VirtualBox多种虚拟化技术
作用:让大规模网络自动化可以通过编程扩展,支持跨越多个物理服务器的分布式环境,同时仍然支持标准的管理接口和协议(例如NetFlow, sFlow, SPAN, RSPAN, CLI, LACP, 802.1ag)。
二、常用操作
1、网络管理
Openstack 的网络是一个虚拟设备构成的OSI二层网络。
(1)openstack命令行格式案例
openstack
network create Create new network # 创建网络
network delete Delete network(s) # 删除网络
network list List networks # 列出网络
network set Set network properties # 设置网络参数
network unset Unset network properties # 取消网络参数——标签tag
network show Show network details # 显示网络详情
# 创建flat类型共享外部网络
[root@controller ~]# openstack network create --share --external \
--provider-physical-network provider \
--provider-network-type flat \
vm-network
+---------------------------+--------------------------------------------------+
| Field | Value |
+---------------------------+-------------------------------------------------+
| admin_state_up | UP |
| availability_zone_hints | |
| availability_zones | |
| created_at | 2022-11-25T10:53:34Z |
| description | |
| dns_domain | None |
| id | 10f3ff17-a6aa-48de-977d-0b11740e9bd1 |
| ipv4_address_scope | None |
| ipv6_address_scope | None |
| is_default | None |
| is_vlan_transparent | None |
| location | cloud='', project.domain_id=, project.domain_name='Default', project.id='4188570a34464b938ed3fa7e08681df8', project.name='admin', region_name='', zone= |
| mtu | 1500 |
| name | vm-network |
| port_security_enabled | True |
| project_id | 4188570a34464b938ed3fa7e08681df8 |
| provider:network_type | flat |
| provider:physical_network | provider |
| provider:segmentation_id | None |
| qos_policy_id | None |
| revision_number | 1 |
| router:external | External |
| segments | None |
| shared | True |
| status | ACTIVE |
| subnets | |
| tags | |
| updated_at | 2022-11-25T10:53:34Z |
+---------------------------+---------------------------+
# 查看当前网络列表
[root@controller ~]# openstack network list
+--------------------------------------+------------+--------------------------------------+
| ID | Name | Subnets |
+--------------------------------------+------------+--------------------------------------+
| 10f3ff17-a6aa-48de-977d-0b11740e9bd1 | vm-network | |
| 23adff00-a120-45ea-8c1b-0c1e6362e2f7 | asd | 21a98fd0-f156-45e0-822a-05a74e023770 |
+--------------------------------------+------------+--------------------------------------+
# 查看网络详情————可以使用名称或ID
[root@controller ~]# openstack network show 10f3ff17-a6aa-48de-977d-0b11740e9bd1
[root@controller ~]# openstack network show vm-network
# 设置网络参数
# 1.改名、改非共享
[root@controller ~]# openstack network set --name new-vnet --no-share vm-network
# 查看更改效果
# 改之前 shared 值为 True,改之后 shared 值为 False
[root@controller ~]# openstack network show new-vnet
# 2.加标签tag
# 执行查看详情可看到:tags 的值为hqs
[root@controller ~]# openstack network set --tag hqs new-vnet
# 取消网络参数(仅限标签)
[root@controller ~]# openstack network unset -h new-vnet
usage: openstack network unset [-h] [--tag <tag> | --all-tag] <network>
Unset network properties
positional arguments:
<network> Network to modify (name or ID)
optional arguments:
-h, --help show this help message and exit
--tag <tag> Tag to be removed from the network (repeat option to remove
multiple tags)
--all-tag Clear all tags associated with the network
# 去除tags对应的值
[root@controller ~]# openstack network unset --tag hqs new-vnet
# 去除所有tags对应的值
[root@controller ~]# openstack network unset --all-tag new-vnet
# 删除网络
[root@controller ~]# openstack network delete vm-network
(2)neutron命令行格式案例。
neutron
net-create Create a network for a given tenant.
net-delete Delete a given network.
net-list List networks that belong to a given tenant.
net-list-on-dhcp-agent List the networks on a DHCP agent.
net-show Show information of a given network.
net-update Update network information.
# 查看网络列表
[root@controller ~]# neutron net-list
+--------------------------------------+--------------+------------------------------------------------------+
| id | name | subnets |
+--------------------------------------+--------------+------------------------------------------------------+
| 451fd2af-e1eb-4437-bf71-53b5f91c10b5 | int-gre | 948ee8fd-8700-4f17-a356-f2b8c5880396 172.25.2.0/24 |
| 8a87c829-f1d2-452b-9d0d-2ff7f3c628c5 | acme-int-gre | aa96a0f8-7f32-4c4f-aadc-467ebf02bcf5 192.168.30.0/24 |
| 702c5142-f227-45ad-ab02-b5773ae0a166 | net-gre | ace98613-346e-4973-9364-99ae0fb1a3ce 192.168.20.0/24 |
+--------------------------------------+--------------+------------------------------------------------------+
# 创建外部网络
[root@controller ~]# neutron net-create --shared --router:external=true --provider:network_type gre net-test-gre
Created a new network:
+---------------------------+--------------------------------------+
| Field | Value |
+---------------------------+--------------------------------------+
| admin_state_up | True |
| availability_zone_hints | |
| availability_zones | |
| created_at | 2021-11-01T22:02:46 |
| description | |
| id | 0268d645-e55f-4d0c-ba0c-a358d5b36eaa |
| ipv4_address_scope | |
| ipv6_address_scope | |
| is_default | False |
| mtu | 1458 |
| name | net-test-gre |
| port_security_enabled | True |
| provider:network_type | gre |
| provider:physical_network | |
| provider:segmentation_id | 46 |
| router:external | True |
| shared | True |
| status | ACTIVE |
| subnets | |
| tags | |
| tenant_id | 386dbfcf77e444c7872e4e23d5829fcc |
| updated_at | 2021-11-01T22:02:46 |
+---------------------------+--------------------------------------+
# 创建内部网络
[root@controller ~]# neutron net-create --shared --provider:network_type gre int-test-gre
Created a new network:
+---------------------------+--------------------------------------+
| Field | Value |
+---------------------------+--------------------------------------+
| admin_state_up | True |
| availability_zone_hints | |
| availability_zones | |
| created_at | 2021-11-01T22:03:45 |
| description | |
| id | 77f5fe53-15f4-4775-a04e-86aeb355c49e |
| ipv4_address_scope | |
| ipv6_address_scope | |
| mtu | 1458 |
| name | int-test-gre |
| port_security_enabled | True |
| provider:network_type | gre |
| provider:physical_network | |
| provider:segmentation_id | 75 |
| router:external | False |
| shared | True |
| status | ACTIVE |
| subnets | |
| tags | |
| tenant_id | 386dbfcf77e444c7872e4e23d5829fcc |
| updated_at | 2021-11-01T22:03:45 |
+---------------------------+--------------------------------------+
# 查看网络详情
[root@controller ~]# neutron net-show int-test-gre
+---------------------------+--------------------------------------+
| Field | Value |
+---------------------------+--------------------------------------+
| admin_state_up | True |
| availability_zone_hints | |
| availability_zones | |
| created_at | 2021-11-01T22:03:45 |
| description | |
| id | 77f5fe53-15f4-4775-a04e-86aeb355c49e |
| ipv4_address_scope | |
| ipv6_address_scope | |
| mtu | 1458 |
| name | int-test-gre |
| port_security_enabled | True |
| provider:network_type | gre |
| provider:physical_network | |
| provider:segmentation_id | 75 |
| router:external | False |
| shared | True |
| status | ACTIVE |
| subnets | |
| tags | |
| tenant_id | 386dbfcf77e444c7872e4e23d5829fcc |
| updated_at | 2021-11-01T22:03:45 |
+---------------------------+--------------------------------------+
# 删除网络
[root@controller ~]# neutron net-delete int-test-gre
Deleted network: int-test-gre
# 更新网络
[root@controller ~]# openstack network set net-test-gre --name net-test11-gre --disable --no-share
[root@controller ~]# neutron net-show net-test11-gre
+---------------------------+--------------------------------------+
| Field | Value |
+---------------------------+--------------------------------------+
| admin_state_up | False |
| availability_zone_hints | |
| availability_zones | |
| created_at | 2021-11-01T22:02:46 |
| description | |
| id | 0268d645-e55f-4d0c-ba0c-a358d5b36eaa |
| ipv4_address_scope | |
| ipv6_address_scope | |
| is_default | False |
| mtu | 1458 |
| name | net-test11-gre |
| port_security_enabled | True |
| provider:network_type | gre |
| provider:physical_network | |
| provider:segmentation_id | 46 |
| router:external | True |
| shared | False |
| status | ACTIVE |
| subnets | |
| tags | |
| tenant_id | 386dbfcf77e444c7872e4e23d5829fcc |
| updated_at | 2021-11-01T22:06:50 |
+---------------------------+--------------------------------------+
2、子网管理
子网(Subnet)是挂载在网络中的一个IP地址段,主要功能:当网络中创建新的端口时为其分配IP地址。
子网和网络是多对一的关系。
(1)openstack命令行格式案例
openstack
subnet create Create a subnet # 创建子网
subnet delete Delete subnet(s) # 删除子网
subnet list List subnets # 列出子网
subnet set Set subnet properties # 设置子网参数
subnet show Display subnet details # 显示子网详细信息
subnet unset Unset subnet properties # 取消子网参数设置
# 修改网络名称为vm-network
[root@controller ~]# openstack network set --name vm-network new-vnet
# 创建子网
[root@controller ~]# openstack subnet create --network vm-network \ # 设置子网所属的网络
> --allocation-pool start=10.10.10.101,end=10.10.10.201 \ # DHCP分配的IP地址池
> --dns-nameserver 114.114.114.114 \ # 设置DNS服务器地址
> --subnet-range 10.10.10.0/24 \ # 设置子网网段
> vm-subnetwork # 子网名称
+-------------------+------------------------------------------------------------------------------------------+
| Field | Value |
+-------------------+---------------------------------------------------------------------------+
| allocation_pools | 10.10.10.101-10.10.10.201 |
| cidr | 10.10.10.0/24 |
| created_at | 2022-11-25T11:36:57Z |
| description | |
| dns_nameservers | 114.114.114.114 |
| enable_dhcp | True |
| gateway_ip | 10.10.10.1 |
| host_routes | |
| id | 83faafb8-4660-40d6-86bb-5030b37af4eb |
| ip_version | 4 |
| ipv6_address_mode | None |
| ipv6_ra_mode | None |
| location | cloud='', project.domain_id=, project.domain_name='Default', project.id='4188570a34464b938ed3fa7e08681df8', project.name='admin', region_name='', zone= |
| name | vm-subnetwork |
| network_id | 10f3ff17-a6aa-48de-977d-0b11740e9bd1 |
| prefix_length | None |
| project_id | 4188570a34464b938ed3fa7e08681df8 |
| revision_number | 0 |
| segment_id | None |
| service_types | |
| subnetpool_id | None |
| tags | |
| updated_at | 2022-11-25T11:36:57Z |
+-------------------+---------------------------------------------+
# 查看子网列表
[root@controller ~]# openstack subnet list
+-------------------------------+---------------+-----------------------+---------------+
| ID | Name | Network | Subnet |
+--------------------------------------+---------------+--------------------------------------+---------------+
| 21a98fd0-f156-45e0-822a-05a74e023770 | asd | 23adff00-a120-45ea-8c1b-0c1e6362e2f7 | 10.10.1.0/24 |
| 83faafb8-4660-40d6-86bb-5030b37af4eb | vm-subnetwork | 10f3ff17-a6aa-48de-977d-0b11740e9bd1 | 10.10.10.0/24 |
+------------------------------+---------------+-----------------------------+---------------+
# 查看子网详情(名称或ID均可)
[root@controller ~]# openstack subnet show vm-subnetwork
[root@controller ~]# openstack subnet show 21a98fd0-f156-45e0-822a-05a74e023770
# 修改子网名称并设置网关
[root@controller ~]# openstack subnet set --name new-subvnet --gateway 10.10.10.2 vm-subnetwork
# 取消子网参数
[root@controller ~]# openstack subnet unset -h
optional arguments:
-h, --help show this help message and exit
--allocation-pool start=<ip-address>,end=<ip-address> 删除DHCP地址池
--dns-nameserver <dns-nameserver> 删除dns
--host-route destination=<subnet>,gateway=<ip-address> 删除路由网关
--service-type <service-type> 删除服务类型
--tag <tag> 删除指定的标签
--all-tag 删除所有的标签
[root@controller ~]# openstack subnet unset --allocation-pool start=172.16.1.101,end=172.16.1.240 vm-subnetwork
[root@controller ~]# openstack subnet show vm-subnetwork
+-------------------+-----------------------------------------------------+
| Field | Value |
+-------------------+-----------------------------------------------------+
# 删除子网
[root@controller ~]# openstack subnet delete new-subvnet
(2)neutron命令行格式案例
neutron
subnet-create Create a subnet for a given tenant.
subnet-delete Delete a given subnet.
subnet-list List subnets that belong to a given tenant.
subnet-show Show information of a given subnet.
subnet-update Update subnet information.
# 创建外网子网
[root@controller ~]# neutron subnet-create net-gre 192.168.20.0/24 --name net-subnet01 --gateway 192.168.20.2 --allocation-pool start=192.168.20.101,end=192.168.20.240 --enable-dhcp --dns-nameserver 8.8.8.8
Created a new subnet:
+-------------------+------------------------------------------------------+
| Field | Value |
+-------------------+------------------------------------------------------+
| allocation_pools | {"start": "192.168.20.101", "end": "192.168.20.240"} |
| cidr | 192.168.20.0/24 |
| created_at | 2021-11-02T02:12:44 |
| description | |
| dns_nameservers | 8.8.8.8 |
| enable_dhcp | True |
| gateway_ip | 192.168.20.2 |
| host_routes | |
| id | 0a750744-648a-4072-8e3b-453ee4123d3d |
| ip_version | 4 |
| ipv6_address_mode | |
| ipv6_ra_mode | |
| name | net-subnet01 |
| network_id | 8c27039d-7652-4e70-ab16-3681ff8d128f |
| subnetpool_id | |
| tenant_id | 386dbfcf77e444c7872e4e23d5829fcc |
| updated_at | 2021-11-02T02:12:44 |
+-------------------+------------------------------------------------------+
# 创建内网子网
[root@controller ~]# neutron subnet-create int-gre 10.10.1.0/24 --name int-subnet01 --gateway 10.10.1.2 --allocation-pool start=10.10.1.101,end=10.10.1.240 --enable-dhcp
Created a new subnet:
+-------------------+------------------------------------------------+
| Field | Value |
+-------------------+------------------------------------------------+
| allocation_pools | {"start": "10.10.1.101", "end": "10.10.1.240"} |
| cidr | 10.10.1.0/24 |
| created_at | 2021-11-07T01:54:48 |
| description | |
| dns_nameservers | |
| enable_dhcp | True |
| gateway_ip | 10.10.1.2 |
| host_routes | |
| id | 0ca0d421-d90f-4082-943b-ad24fb620821 |
| ip_version | 4 |
| ipv6_address_mode | |
| ipv6_ra_mode | |
| name | int-subnet01 |
| network_id | 3b264885-ea04-45f4-abb9-27d6a88aa02a |
| subnetpool_id | |
| tenant_id | 386dbfcf77e444c7872e4e23d5829fcc |
| updated_at | 2021-11-07T01:54:48 |
+-------------------+------------------------------------------------+
# 查看子网列表信息
[root@controller ~]# neutron subnet-list
+--------------------------------------+--------------+-----------------+------------------------------------------------------+
| id | name | cidr | allocation_pools |
+--------------------------------------+--------------+-----------------+------------------------------------------------------+
| d6b592a6-ce17-4e52-924b-1d7c5963c4cf | int-subnet01 | 10.10.0.0/24 | {"start": "10.10.0.101", "end": "10.10.0.240"} |
| 0a750744-648a-4072-8e3b-453ee4123d3d | net-subnet01 | 192.168.20.0/24 | {"start": "192.168.20.101", "end": "192.168.20.240"} |
+--------------------------------------+--------------+-----------------+------------------------------------------------------+
# 查看子网详细信息
[root@controller ~]# neutron subnet-show net-subnet01
+-------------------+------------------------------------------------------+
| Field | Value |
+-------------------+------------------------------------------------------+
| allocation_pools | {"start": "192.168.20.101", "end": "192.168.20.198"} |
| cidr | 192.168.20.0/24 |
| created_at | 2021-11-08T23:21:38 |
| description | |
| dns_nameservers | 8.8.8.8 |
| enable_dhcp | True |
| gateway_ip | 192.168.20.2 |
| host_routes | |
| id | f2f78780-c255-4392-9a25-10b84221b004 |
| ip_version | 4 |
| ipv6_address_mode | |
| ipv6_ra_mode | |
| name | net-subnet01 |
| network_id | 74568ca5-10cb-4635-b0d9-bd8464df036b |
| subnetpool_id | |
| tenant_id | 386dbfcf77e444c7872e4e23d5829fcc |
| updated_at | 2021-11-08T23:21:38 |
+-------------------+------------------------------------------------------+
# 删除子网
[root@controller ~]# neutron subnet-delete int-subnet01
Deleted subnet: int-subnet01
[root@controller ~]# neutron subnet-delete net-subnet-test
Deleted subnet: net-subnet-test
# 修改子网
# 参数如下:
positional arguments:
SUBNET ID or name of subnet to update.
optional arguments:
-h, --help show this help message and exit
--request-format {json}
DEPRECATED! Only JSON request format is supported.
--name NAME Name of this subnet.
--gateway GATEWAY_IP Gateway IP of this subnet.
--no-gateway No distribution of gateway.
--allocation-pool start=IP_ADDR,end=IP_ADDR
Allocation pool IP addresses for this subnet (This
option can be repeated).
--host-route destination=CIDR,nexthop=IP_ADDR
Additional route (This option can be repeated).
--dns-nameserver DNS_NAMESERVER
DNS name server for this subnet (This option can be
repeated).
--disable-dhcp Disable DHCP for this subnet.
--enable-dhcp Enable DHCP for this subnet.
[root@controller ~]# neutron subnet-update net-subnet01 --name net-subnet-test --no-gateway --allocation-pool start=192.168.20.99,end=192.168.20.110
[root@controller ~]# neutron subnet-show net-subnet-test
+-------------------+-----------------------------------------------------+
| Field | Value |
+-------------------+-----------------------------------------------------+
| allocation_pools | {"start": "192.168.20.99", "end": "192.168.20.110"} |
| cidr | 192.168.20.0/24 |
| created_at | 2021-11-02T02:12:44 |
| description | |
| dns_nameservers | 8.8.8.8 |
| enable_dhcp | True |
| gateway_ip | |
| host_routes | |
| id | 0a750744-648a-4072-8e3b-453ee4123d3d |
| ip_version | 4 |
| ipv6_address_mode | |
| ipv6_ra_mode | |
| name | net-subnet-test |
| network_id | 8c27039d-7652-4e70-ab16-3681ff8d128f |
| subnetpool_id | |
| tenant_id | 386dbfcf77e444c7872e4e23d5829fcc |
| updated_at | 2021-11-02T02:30:18 |
+-------------------+-----------------------------------------------------+
3、路由管理
注意:set修改路由没有完成测试完成,记得补全。
(1)openstack命令行格式案例
openstack
router add port Add a port to a router # 给路由添加端口
router add subnet Add a subnet to a router # 给路由添加子网
router create Create a new router # 创建新路由
router delete Delete router(s) # 删除路由
router list List routers # 查看路由列表
router remove port Remove a port from a router # 从路由删除端口
router remove subnet Remove a subnet from a router # 从路由删除子网
router set Set router properties # 修改路由属性
router show Display router details # 查看路由详情
router unset Unset router properties # 取消路由属性
# 创建路由
[root@controller ~]# openstack router create router
+-------------------------+---------------------------------------------------------+
| Field | Value |
+-------------------------+--------------------------------------------------------+
| admin_state_up | UP |
| availability_zone_hints | |
| availability_zones | |
| created_at | 2022-11-30T03:40:07Z |
| description | |
| distributed | False |
| external_gateway_info | null |
| flavor_id | None |
| ha | False |
| id | cbbbff98-f8ca-45ff-9ff8-81abe9972fcb |
| location | cloud='', project.domain_id=, project.domain_name='Default', project.id='4188570a34464b938ed3fa7e08681df8', project.name='admin', region_name='', zone= |
| name | router |
| project_id | 4188570a34464b938ed3fa7e08681df8 |
| revision_number | 1 |
| routes | |
| status | ACTIVE |
| tags | |
| updated_at | 2022-11-30T03:40:07Z |
+-------------------------+---------------------------------------------------------+
# 查看路由列表
[root@controller ~]# openstack router list
+-----------------------+--------+--------+-------+----------------+--------+-------+
| ID | Name | Status | State | Project | Distributed | HA |
+-----------------------+--------+--------+-------+--------------------+-----+-------+
| cbbbff98-f8ca-45ff-9ff8-81abe9972fcb | router | ACTIVE | UP | 4188570a34464b938ed3fa7e08681df8 | False | False |
+-------------------------+--------+--------+-------+-------------+--------+-------+
# 查看路由详情
[root@controller ~]# openstack router show cbbbff98-f8ca-45ff-9ff8-81abe9972fcb
# 删除路由
[root@controller ~]# openstack router delete router
# 创建内网子网
[root@controller ~]# openstack subnet create --network vm-network \
--subnet-range 10.10.1.0/24 --gateway 10.10.1.2 \
int-net
+-------------------+-----------------------------------------------------+
| Field | Value |
+-------------------+-----------------------------------------------------------+
| allocation_pools | 10.10.1.1-10.10.1.1,10.10.1.3-10.10.1.254 |
| cidr | 10.10.1.0/24 |
| created_at | 2022-11-30T06:06:19Z |
| description | |
| dns_nameservers | |
| enable_dhcp | True |
| gateway_ip | 10.10.1.2 |
| host_routes | |
| id | ba596a0a-3a91-4268-a5e7-0da8aa9041e8 |
| ip_version | 4 |
| ipv6_address_mode | None |
| ipv6_ra_mode | None |
| location | cloud='', project.domain_id=, project.domain_name='Default', project.id='4188570a34464b938ed3fa7e08681df8', project.name='admin', region_name='', zone= |
| name | int-net |
| network_id | c825a616-0e7e-41d9-8cde-a184c14d0db2 |
| prefix_length | None |
| project_id | 4188570a34464b938ed3fa7e08681df8 |
| revision_number | 0 |
| segment_id | None |
| service_types | |
| subnetpool_id | None |
| tags | |
| updated_at | 2022-11-30T06:06:19Z |
+-------------------+--------------------------------------------------------------+
# 给路由添加子网(子网连接路由)
openstack router add subnet
usage: openstack router add subnet [-h] <router> <subnet>
Add a subnet to a router
positional arguments:
<router> Router to which subnet will be added (name or ID)
<subnet> Subnet to be added (name or ID)
# 内外子网分别连接路由
[root@controller ~]# openstack subnet list
+----------------------------+---------------+------------------------+---------------+
| ID | Name | Network | Subnet |
+------------------------+---------------+-------------------+---------------+
| 85b59f1f-dc8b-4ad6-b920-a65a9abb46e7 | vm-subnetwork | c825a616-0e7e-41d9-8cde-a184c14d0db2 | 172.16.1.0/24 |
| ba596a0a-3a91-4268-a5e7-0da8aa9041e8 | int-net | c825a616-0e7e-41d9-8cde-a184c14d0db2 | 10.10.1.0/24 |
+--------------------+---------------+-------------------+---------------+
[root@controller ~]# openstack router add subnet router int-net
[root@controller ~]# openstack router add subnet router vm-subnetwork
# 删除子网和路由的关联
[root@controller ~]# openstack router remove subnet router int-net
[root@controller ~]# openstack router remove subnet router vm-subnetwork
# 修改路由
openstack router set
--external-gateway <network> External Network used as router s gateway (name or ID) # 外部网络用作路由的网关
# 添加外部网关
[root@controller ~]# openstack router set router --external-gateway vm-network
(1)neutron命令行格式案例
neutron
router-create Create a router for a given tenant.
router-delete Delete a given router.
router-gateway-clear Remove an external network gateway from a router.
router-gateway-set Set the external network gateway for a router.
router-interface-add Add an internal network interface to a router.
router-interface-delete Remove an internal network interface from a router.
router-list List routers that belong to a given tenant.
router-list-on-l3-agent List the routers on a L3 agent.
router-port-list List ports that belong to a given tenant, with specified router.
router-show Show information of a given router.
router-update Update router information.
# 创建路由
neutron router-create <router-name>
[root@controller ~]# neutron router-create router
Created a new router:
+-------------------------+--------------------------------------+
| Field | Value |
+-------------------------+--------------------------------------+
| admin_state_up | True |
| availability_zone_hints | |
| availability_zones | |
| description | |
| distributed | False |
| external_gateway_info | |
| ha | False |
| id | 6936356c-878c-4470-943b-f971c14b8348 |
| name | router |
| routes | |
| status | ACTIVE |
| tenant_id | 386dbfcf77e444c7872e4e23d5829fcc |
+-------------------------+--------------------------------------+
# 查看路由列表
neutron router-list
[root@controller ~]# neutron router-list
+--------------------------------------+--------+-----------------------+-------------+-------+
| id | name | external_gateway_info | distributed | ha |
+--------------------------------------+--------+-----------------------+-------------+-------+
| 6936356c-878c-4470-943b-f971c14b8348 | router | null | False | False |
+--------------------------------------+--------+-----------------------+-------------+-------+
# 查看路由详情
neutron router-show <router>
[root@controller ~]# neutron router-show router
+-------------------------+--------------------------------------+
| Field | Value |
+-------------------------+--------------------------------------+
| admin_state_up | True |
| availability_zone_hints | |
| availability_zones | |
| description | |
| distributed | False |
| external_gateway_info | |
| ha | False |
| id | 6936356c-878c-4470-943b-f971c14b8348 |
| name | router |
| routes | |
| status | ACTIVE |
| tenant_id | 386dbfcf77e444c7872e4e23d5829fcc |
+-------------------------+--------------------------------------+
# 删除路由
neutron router-delete <router>
[root@controller ~]# neutron router-delete router
Deleted router: router
# 添加外部网关
neutron router-gateway-set <router> <external-network(用neutron net-list查看)>
[root@controller ~]# neutron router-gateway-set router01 net-gre
Set gateway for router router01
[root@controller ~]# neutron router-port-list router01
+--------------------------------------+------+-------------------+----------------------------------------------------+
| id | name | mac_address | fixed_ips |
+--------------------------------------+------+-------------------+----------------------------------------------------+
| 712873bf-5971-4047-bf85-9b983652a084 | | fa:16:3e:10:4c:5f | {"subnet_id": |
| | | | "d2e87691-4901-4606-bcb3-0c573ab56914", |
| | | | "ip_address": "192.168.20.102"} |
+--------------------------------------+------+-------------------+----------------------------------------------------+
# 删除外部网关
neutron router-gateway-clear <router>
[root@controller ~]# neutron router-gateway-clear router01
Removed gateway from router router01
[root@controller ~]# neutron router-port-list router01
[空]
# 添加内部接口
neutron router-interface-add <router> <inner-subnet>
[root@controller ~]# neutron router-interface-add router01 int-subnet
Added interface 43d0492c-2e44-448c-8e54-3a06976ccb55 to router router01.
[root@controller ~]# neutron router-port-list router01
+--------------------------------------+------+-------------------+----------------------------------------------------+
| id | name | mac_address | fixed_ips |
+--------------------------------------+------+-------------------+----------------------------------------------------+
| 43d0492c-2e44-448c-8e54-3a06976ccb55 | | fa:16:3e:9b:cd:01 | {"subnet_id": "0ca0d421-d90f-4082-943b- |
| | | | ad24fb620821", "ip_address": "10.10.1.2"} |
| b341273e-28a5-4616-baa0-1aaebe95c557 | | fa:16:3e:1d:54:0f | {"subnet_id": |
| | | | "d2e87691-4901-4606-bcb3-0c573ab56914", |
| | | | "ip_address": "192.168.20.103"} |
+--------------------------------------+------+-------------------+----------------------------------------------------+
# 删除内部接口
neutron router-interface-delete <router> subnet=<subnet>
[root@controller ~]# neutron router-interface-delete router01 subnet=int-subnet
Removed interface from router router01.
[root@controller ~]# neutron router-port-list router01
+--------------------------------------+------+-------------------+----------------------------------------------------+
| id | name | mac_address | fixed_ips |
+--------------------------------------+------+-------------------+----------------------------------------------------+
| b341273e-28a5-4616-baa0-1aaebe95c557 | | fa:16:3e:1d:54:0f | {"subnet_id": |
| | | | "d2e87691-4901-4606-bcb3-0c573ab56914", |
| | | | "ip_address": "192.168.20.103"} |
+--------------------------------------+------+-------------------+----------------------------------------------------+
# 查看路由端口信息列表(外部网关、内部接口都添加好的情况)
[root@controller ~]# neutron router-port-list router01
+--------------------------------------+------+-------------------+----------------------------------------------------+
| id | name | mac_address | fixed_ips |
+--------------------------------------+------+-------------------+----------------------------------------------------+
| b341273e-28a5-4616-baa0-1aaebe95c557 | | fa:16:3e:1d:54:0f | {"subnet_id": |
| | | | "d2e87691-4901-4606-bcb3-0c573ab56914", |
| | | | "ip_address": "192.168.20.103"} |
| c699cb6b-ce9e-41e2-ac1f-3bdad0f49ca3 | | fa:16:3e:6d:21:72 | {"subnet_id": "0ca0d421-d90f-4082-943b- |
| | | | ad24fb620821", "ip_address": "10.10.1.2"} |
+--------------------------------------+------+-------------------+----------------------------------------------------+
4、端口管理
端口(Port)是挂载在子网上用于连接云主机虚拟网卡的接口。
端口定义了MAC地址和独立IP地址,当云主机虚拟网卡连接端口时,端口会将MAC地址和IP地址分配给虚拟网卡。
子网和端口时一对多关系,一个端口必须属于某个子网;一个子网可拥有多个端口。(类似交换机上有多个端口)
(1)openstack命令行格式案例
openstack
port create Create a new port # 创建端口
port delete Delete port(s) # 删除端口
port list List ports # 查看端口列表
port set Set port properties # 设置端口参数
port show Display port details # 查看端口详情
port unset Unset port properties # 取消端口参数设置
# 创建端口
openstack port create
--network <network> Network this port belongs to (name or ID) # 端口属于哪个网络
--fixed-ip subnet=<subnet>,ip-address=<ip-address> # 为端口绑定IP地址
--enable Enable port (default) # 启用端口
--enable-port-security # 启用端口安全设置
[root@controller ~]# openstack port create --network vm-network \
--fixed-ip subnet=vm-subnetwork,ip-address=172.16.1.120 \
hqs-port01
+-------------------------+-----------------------------------------+
| Field | Value
+-------------------------+--------------------------------------+
| admin_state_up | UP
| binding_vif_details | |
| binding_vif_type | unbound |
| binding_vnic_type | normal |
| created_at | 2022-11-30T03:04:58Z
| extra_dhcp_opts | |
| fixed_ips | ip_address='172.16.1.120', subnet_id='85b59f1f-dc8b-4ad6-b920-a65a9abb46e7' |
| id | 156b4f48-564f-45f3-a911-c866eaa41b82 |
| location | cloud='', project.domain_id=, project.domain_name='Default', project.id='4188570a34464b938ed3fa7e08681df8', project.name='admin', region_name='', zone= |
| mac_address | fa:16:3e:aa:e0:3b |
| name | hqs-port01 |
| network_id | c825a616-0e7e-41d9-8cde-a184c14d0db2 |
| port_security_enabled | True |
| project_id | 4188570a34464b938ed3fa7e08681df8 |
| revision_number | 1 |
| security_group_ids | 28eef41f-54f8-4e99-b355-6799f2eedd2d |
| status | DOWN |
| tags | |
| trunk_details | None |
| updated_at | 2022-11-30T03:04:58Z |
+-------------------------+-------------------------------------------+
# 查看端口列表
+-------------------+------------+-------------------+----------------------------------+--------+
| ID | Name | MAC Address | Fixed IP Addresses | Status |
+-------------------+------------+-------------------+-------------------------------+--------+
| 156b4f48-564f-45f3-a911-c866eaa41b82 | hqs-port01 | fa:16:3e:aa:e0:3b | ip_address='172.16.1.120', subnet_id='85b59f1f-dc8b-4ad6-b920-a65a9abb46e7' | DOWN |
| f3d30c48-2821-4361-991f-5f162680940e | | fa:16:3e:2c:97:56 | ip_address='172.16.1.101', subnet_id='85b59f1f-dc8b-4ad6-b920-a65a9abb46e7' | ACTIVE |
+--------------------+------------+-------------------+------------------------------+--------+
# 删除端口(端口ID或端口名均可)
[root@controller ~]# openstack port delete f3d30c48-2821-4361-991f-5f162680940e
[root@controller ~]# openstack port delete hqs-port01
# 修改端口
openstack port set
--device <device-id> Port device ID
--host <host-id> Allocate port on host <host-id> (ID only)
--dns-name <dns-name> Set DNS name for this port
--enable Enable port
--disable Disable port
--name <name> Set port name
--fixed-ip subnet=<subnet>,ip-address=<ip-address>
# 新绑定一个地址并改名,且禁用端口
[root@controller ~]# openstack port set --fixed-ip subnet=vm-subnetwork,ip-address=172.16.1.105 \
> --disable --name test-port01 \
> hqs-port01
# 取消绑定一个地址
[root@controller ~]# openstack port unset --fixed-ip subnet=vm-subnetwork,ip-address=172.16.1.120 test-port01
(2)neutron命令行格式案例
neutron
port-create Create a port for a given tenant.
port-delete Delete a given port.
port-list List ports that belong to a given tenant.
port-show Show information of a given port.
port-update Update port information.
# 查看端口列表
[root@controller ~]# neutron port-list
+--------------------------------------+------+-------------------+---------------------------------------------------------------------------------------+
| id | name | mac_address | fixed_ips |
+--------------------------------------+------+-------------------+---------------------------------------------------------------------------------------+
| 1b46a0d6-0df6-4f96-b3a3-d47aae6ed589 | | fa:16:3e:23:a2:36 | {"subnet_id": "4703dd26-cab3-4daa-ac25-da186e2d7371", "ip_address": "10.10.0.81"} |
| 40e657a2-f196-4fc5-a815-c9dbd613bc05 | | fa:16:3e:e0:95:15 | {"subnet_id": "f2f78780-c255-4392-9a25-10b84221b004", "ip_address": "192.168.20.101"} |
| 7fa18ceb-04aa-4f7e-824e-4ed5dc0ee0ee | | fa:16:3e:90:05:f0 | {"subnet_id": "f2f78780-c255-4392-9a25-10b84221b004", "ip_address": "192.168.20.102"} |
| 7fd9c4fa-9ecc-4cc6-ba72-fe5d8afe1a3c | | fa:16:3e:f2:5f:0c | {"subnet_id": "4703dd26-cab3-4daa-ac25-da186e2d7371", "ip_address": "10.10.0.82"} |
| ae3c993e-c48a-4a0c-9fe3-2f7a8cd0472a | | fa:16:3e:af:6c:ab | {"subnet_id": "f2f78780-c255-4392-9a25-10b84221b004", "ip_address": "192.168.20.103"} |
| c347316f-c880-4643-8eaf-8570e34aefb4 | | fa:16:3e:dd:7e:d3 | {"subnet_id": "4703dd26-cab3-4daa-ac25-da186e2d7371", "ip_address": "10.10.0.2"} |
+--------------------------------------+------+-------------------+---------------------------------------------------------------------------------------+
# 查看端口详情
[root@controller ~]# neutron port-show 1b46a0d6-0df6-4f96-b3a3-d47aae6ed589
# 创建端口
[root@controller ~]# neutron port-create int-gre --name test-port
Created a new port:
+-----------------------+-----------------------------------------------------------------------------------+
| Field | Value |
+-----------------------+-----------------------------------------------------------------------------------+
| admin_state_up | True |
| allowed_address_pairs | |
| binding:host_id | |
| binding:profile | {} |
| binding:vif_details | {} |
| binding:vif_type | unbound |
| binding:vnic_type | normal |
| created_at | 2021-11-09T02:03:23 |
| description | |
| device_id | |
| device_owner | |
| dns_name | |
| extra_dhcp_opts | |
| fixed_ips | {"subnet_id": "4703dd26-cab3-4daa-ac25-da186e2d7371", "ip_address": "10.10.0.83"} |
| id | fea92586-6f36-48d6-a67d-8dd7fb21e062 |
| mac_address | fa:16:3e:ce:c2:39 |
| name | test-port |
| network_id | b85cd3c7-a864-422c-8a11-6e034a1539bb |
| port_security_enabled | True |
| security_groups | 486eaa38-8e3d-4214-96bc-e6fee9b81be6 |
| status | DOWN |
| tenant_id | 386dbfcf77e444c7872e4e23d5829fcc |
| updated_at | 2021-11-09T02:03:23 |
+-----------------------+-----------------------------------------------------------------------------------+
# 删除端口
[root@controller ~]# neutron port-delete test-port
Deleted port: test-port
# 修改端口
[root@controller ~]# neutron port-update test-port --name test-port-8080 --security-group 54c9ccb7-7f00-4485-898f-e4bbebafa73b
Updated port: test-port
三、防火墙管理
1、规则管理
2、策略管理
3、防火墙
四、负载均衡管理
1、LBaaS v1管理
2、LBaaS v2管理
五、Open vSwitch管理
1、网桥管理
网桥属于OSI模型的二层设备,类似交换机,负责连在它上面的云主机之间的通讯。
采用网桥管理工具包 bridge-utils中的brctl命令来管理虚拟网桥。
(1)安装和语法
# 安装bridge-utils工具包
[root@controller ~]# yum install -y bridge-utils
# brctl语法
[root@controller ~]# brctl
Usage: brctl [commands]
commands:
addbr <bridge> add bridge # 添加网桥
delbr <bridge> delete bridge # 删除网桥
addif <bridge> <device> add interface to bridge # 网卡接入网桥
delif <bridge> <device> delete interface from bridge # 从网桥删除网卡
hairpin <bridge> <port> {on|off} turn hairpin on/off
setageing <bridge> <time> set ageing time # 设置老化时间(生存周期)
setbridgeprio <bridge> <prio> set bridge priority # 设置网桥优先级
setfd <bridge> <time> set bridge forward delay # 设置网桥转发延迟时间
sethello <bridge> <time> set hello time # 设置hello时间
setmaxage <bridge> <time> set max message age # 设置消息最大生命周期
setpathcost <bridge> <port> <cost> set path cost # 设置路径权值
setportprio <bridge> <port> <prio> set port priority # 设置端口优先级
show [ <bridge> ] show a list of bridges # 显示网桥信息
showmacs <bridge> show a list of mac addrs # 显示MAC信息
showstp <bridge> show bridge stp info # 启用/禁用 STP 信息
stp <bridge> {on|off} turn stp on/off # 启用/禁用 STP
(2)实验案例
# 创建一个网桥
[root@controller ~]# brctl addbr hqs-br
# 从网桥删除网卡
[root@controller ~]# brctl delif brqc825a616-0e ens34
[root@controller ~]# brctl show brqc825a616-0e
bridge name bridge id STP enabled interfaces
brqc825a616-0e 8000.000000000000 no
# 把网卡连上网桥
[root@controller ~]# brctl addif hqs-br ens34
# 查看网桥信息
[root@controller ~]# brctl show hqs-br
bridge name bridge id STP enabled interfaces
hqs-br 8000.000c29ac5c2a no ens34
# 网卡改回默认网桥
[root@controller ~]# brctl delif hqs-br ens34
[root@controller ~]# brctl addif brqc825a616-0e ens34
# 删除网桥
[root@controller ~]# brctl delbr hqs-br
[root@controller ~]# brctl show
bridge name bridge id STP enabled interfaces
brqc825a616-0e 8000.000c29ac5c2a no ens34
(3)flat网络和网桥
Flat类型的网络需要独占一块物理网卡,因此无法创建第二个Flat类型网络。
Flat network是不带tag的网络类型,要求宿主机的网卡直接与linux bridge相连。
Flat网络需要子网和外部网络处于同一个网段,因此子网应该采用和ens34网卡一致的192.168.20.0/24网段。
# 创建虚拟网络
[root@controller ~]# openstack network create --share --external \
--provider-physical-network provider \
--provider-network-type flat \
vm-network
# 创建虚拟子网
[root@controller ~]# openstack subnet create --network vm-network \
--allocation-pool start=192.168.20.100,end=192.168.20.200 \
--dns-nameserver 114.114.114.114 \
--gateway 192.168.20.2 \
--subnet-range 192.168.20.0/24 \
vm-subnetwork
# 查看子网信息
[root@controller ~]# openstack subnet list
+--------------------------------------+---------------+--------------------------------------+-----------------+
| ID | Name | Network | Subnet |
+--------------------------------------+---------------+--------------------------------------+-----------------+
| cc96053f-61f7-42d4-af8a-698133c88197 | vm-subnetwork | 9dc1a761-3bee-4a8f-8f13-2e246f9740cb | 192.168.20.0/24 |
+--------------------------------------+---------------+--------------------------------------+-----------------+
# 查看网络情况
# 此时可发现系统生成了名为`brq9dc1a761-3b`的网卡
# 另外还生成了名为 `tap734037c8-e3@if2` 的云主机虚拟接口
[root@controller ~]# ip a
1:lo 略
2:ens33 略
3: ens34 略
8: tap734037c8-e3@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master brq9dc1a761-3b state UP group default qlen 1000
link/ether 0e:14:0a:06:0e:d0 brd ff:ff:ff:ff:ff:ff link-netnsid 0
9: brq9dc1a761-3b: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 00:0c:29:ac:5c:2a brd ff:ff:ff:ff:ff:ff
inet 192.168.20.10/24 brd 192.168.20.255 scope global brq9dc1a761-3b
valid_lft forever preferred_lft forever
inet6 fe80::244e:7dff:fe1e:1568/64 scope link tentative
valid_lft forever preferred_lft forever
# 查看网桥情况
# 网桥与两个设备连接,分别是ens34物理网卡、与云主机连接的tap734037c8-e3网络端口
[root@controller ~]# brctl show
bridge name bridge id STP enabled interfaces
brq9dc1a761-3b 8000.000c29ac5c2a no ens34
tap734037c8-e3
# 然后在控制台创建云主机,在云主机创建完成后,计算节点产生网桥
# 查看计算节点网络情况
[root@compute ~]# ip a
1: lo: 略
2: ens33: 略
3: ens34: 略
4: brq9dc1a761-3b: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 00:0c:29:fc:73:4a brd ff:ff:ff:ff:ff:ff
inet 192.168.20.20/24 brd 192.168.20.255 scope global brq9dc1a761-3b
valid_lft forever preferred_lft forever
5: tapa1786edc-12: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master brq9dc1a761-3b state UNKNOWN group default qlen 1000
link/ether fe:16:3e:b3:4f:6f brd ff:ff:ff:ff:ff:ff
inet6 fe80::fc16:3eff:feb3:4f6f/64 scope link
valid_lft forever preferred_lft forever
# 连接云主机
[root@compute ~]# ssh cirros@192.168.20.134
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.20.134' (ECDSA) to the list of known hosts.
cirros@192.168.20.134 password: gocubsgo
