1. Background
In OpenStack, Neutron provides the networking for instances: the networks that connect virtual machines to each other inside the cloud and the networks that connect them to the outside world. As in a physical network, OpenStack has routers, switches, networks, subnets and ports, and Neutron implements all of them. Neutron consists of the neutron-server (API plus core plugin, normally ML2) and a set of agents: the L2 agent (neutron-openvswitch-agent or neutron-linuxbridge-agent), the L3 agent (neutron-l3-agent), the DHCP agent (neutron-dhcp-agent) and the metadata agent (neutron-metadata-agent).
To keep tenants' traffic apart, Neutron supports several network types: flat, VLAN, GRE and VXLAN, implemented on the hosts by either the Linux bridge or the Open vSwitch mechanism driver. Large deployments mostly use GRE or VXLAN; Linux bridge and flat networks suit small environments; VLAN scales reasonably well and, above all, connects directly to an existing switched network. My environment uses the VLAN mode. The network modes compare as follows:
| Network mode | Description | Advantages | Disadvantages |
|---|---|---|---|
| linux-bridge | Linux bridge, the same bridging used with plain KVM | Simple to configure, implement and manage | Poor scalability |
| flat / flat+dhcp | Like bridging: one flat L2 network, optionally with DHCP | Simple to configure, implement and manage | Flat; as the deployment grows the single broadcast domain becomes a bottleneck |
| vlan | Isolates networks by VLAN tag, one broadcast domain per tag | Connects to the existing network, easy to understand, scales well | Only 4094 usable VLAN IDs (1 to 4094; 0 and 4095 are reserved), so the tag space runs out at large scale |
| gre | Tunnel encapsulation, GRE tunnels between nodes | Traffic isolation is straightforward, no practical limit on the number of segments | GRE header adds per-packet overhead |
| vxlan | Tunnelling like GRE, with a 24-bit segment ID (VNI) | No practical limit, scales well | Extra outer IP/UDP header overhead |
2. Creating a network with a specified VLAN ID
Because the OpenStack cloud I operate uses the VLAN network mode, public IP addresses run out as the business grows. We then request a new range from the ISP and, once it is assigned, extend the network in OpenStack. A tenant can also create networks for its own internal use, but it cannot pick the VLAN ID: the provider:* attributes are admin-only by default policy, and a tenant-created network receives a VLAN automatically from the pool in network_vlan_ranges. The procedure is as follows:
1. Create the network, specifying the VLAN ID and the physical network it is bridged to

a. Create the network, giving the network type, the VLAN ID and the physical network (the name that bridge_mappings on the L2 agents maps to a host bridge):

[root@controller ~]# neutron net-create --provider:network_type=vlan --provider:physical_network=physnet0 --provider:segmentation_id=101 --shared public
Created a new network:
+---------------------------+--------------------------------------+
| Field                     | Value                                |
+---------------------------+--------------------------------------+
| admin_state_up            | True                                 |
| id                        | 0d30322d-8d87-43c3-b4e2-5a2969d3c42e |  # network id
| name                      | public                               |  # network name
| provider:network_type     | vlan                                 |  # network type: vlan
| provider:physical_network | physnet0                             |  # physical network the VLAN is trunked on
| provider:segmentation_id  | 101                                  |  # VLAN id
| shared                    | True                                 |  # usable by all tenants
| status                    | ACTIVE                               |
| subnets                   |                                      |  # no subnet added yet, so empty
| tenant_id                 | 842ab3268a2c47e6a4b0d8774de805ae     |  # tenant that owns the network
+---------------------------+--------------------------------------+

The --shared flag deserves a moment's thought: it lets every project plug ports into this network, so all of them end up in one L2 broadcast domain (VLAN 101) with nothing but security groups separating their instances. Leave it off for a network that belongs to a single project. Note also that router:external stays False, so this is a provider network that instances attach to directly, not a floating-IP pool.

b. List the networks:

[root@controller ~]# neutron net-list
+--------------------------------------+---------------+-------------------------------------------------------+
| id                                   | name          | subnets                                               |
+--------------------------------------+---------------+-------------------------------------------------------+
| 0d30322d-8d87-43c3-b4e2-5a2969d3c42e | public        |                                                       |  # the network just created
| 99c68a93-336a-4605-aa78-343d41ca1206 | vmTest        | 79cb82a1-eac1-4311-8e6d-badcabd22e44 192.168.100.0/24 |
+--------------------------------------+---------------+-------------------------------------------------------+

c. Show the network's details:

[root@controller ~]# neutron net-show 0d30322d-8d87-43c3-b4e2-5a2969d3c42e
+---------------------------+--------------------------------------+
| Field                     | Value                                |
+---------------------------+--------------------------------------+
| admin_state_up            | True                                 |
| id                        | 0d30322d-8d87-43c3-b4e2-5a2969d3c42e |
| name                      | public                               |
| provider:network_type     | vlan                                 |
| provider:physical_network | physnet0                             |
| provider:segmentation_id  | 101                                  |
| router:external           | False                                |
| shared                    | True                                 |
| status                    | ACTIVE                               |
| subnets                   |                                      |
| tenant_id                 | 842ab3268a2c47e6a4b0d8774de805ae     |
+---------------------------+--------------------------------------+
2. Create a subnet and add it to the network

a. Create the subnet:

[root@controller ~]# neutron subnet-create --name public_subnet --ip-version 4 --gateway 192.168.101.1 --allocation-pool start=192.168.101.10,end=192.168.101.250 0d30322d-8d87-43c3-b4e2-5a2969d3c42e 192.168.101.0/24
Created a new subnet:
+------------------+-------------------------------------------------------+
| Field            | Value                                                 |
+------------------+-------------------------------------------------------+
| allocation_pools | {"start": "192.168.101.10", "end": "192.168.101.250"} |  # address range handed out to ports
| cidr             | 192.168.101.0/24                                      |  # network block
| dns_nameservers  |                                                       |
| enable_dhcp      | True                                                  |  # DHCP enabled
| gateway_ip       | 192.168.101.1                                         |  # subnet gateway (configured on the switch in step 3)
| host_routes      |                                                       |
| id               | 3d715769-73ce-4984-81b2-ae1ffb284a74                  |  # subnet id
| ip_version       | 4                                                     |  # IPv4
| name             | public_subnet                                         |  # subnet name
| network_id       | 0d30322d-8d87-43c3-b4e2-5a2969d3c42e                  |  # network the subnet belongs to
| tenant_id        | 842ab3268a2c47e6a4b0d8774de805ae                      |  # owning tenant
+------------------+-------------------------------------------------------+

The pool is kept clear of the gateway 192.168.101.1 (Neutron rejects an allocation pool that contains the gateway address), and .2 to .9 are left unallocated for other fixed infrastructure addresses.

b. List the subnets:

[root@controller ~]# neutron subnet-list
+--------------------------------------+----------------+------------------+-------------------------------------------------------+
| id                                   | name           | cidr             | allocation_pools                                      |
+--------------------------------------+----------------+------------------+-------------------------------------------------------+
| 3d715769-73ce-4984-81b2-ae1ffb284a74 | public_subnet  | 192.168.101.0/24 | {"start": "192.168.101.10", "end": "192.168.101.250"} |  # created successfully
| 79cb82a1-eac1-4311-8e6d-badcabd22e44 | ForTest        | 192.168.100.0/24 | {"start": "192.168.100.2", "end": "192.168.100.254"}  |
+--------------------------------------+----------------+------------------+-------------------------------------------------------+

c. Show the subnet details:

[root@controller ~]# neutron subnet-show 3d715769-73ce-4984-81b2-ae1ffb284a74
+------------------+-------------------------------------------------------+
| Field            | Value                                                 |
+------------------+-------------------------------------------------------+
| allocation_pools | {"start": "192.168.101.10", "end": "192.168.101.250"} |
| cidr             | 192.168.101.0/24                                      |
| dns_nameservers  |                                                       |
| enable_dhcp      | True                                                  |
| gateway_ip       | 192.168.101.1                                         |
| host_routes      |                                                       |
| id               | 3d715769-73ce-4984-81b2-ae1ffb284a74                  |
| ip_version       | 4                                                     |
| name             | public_subnet                                         |
| network_id       | 0d30322d-8d87-43c3-b4e2-5a2969d3c42e                  |
| tenant_id        | 842ab3268a2c47e6a4b0d8774de805ae                      |
+------------------+-------------------------------------------------------+
3. Configuring the VLAN on the switches to match the cloud
Once the network exists in the cloud in VLAN mode, the physical switches must be configured to match it. Two things are needed: the subnet's gateway address (192.168.101.1) must be configured on the switch's VLAN 101 interface (SVI), and every switch port facing a compute node, as well as the port of the network node that runs the DHCP agent for this network, must be in trunk mode and allow VLAN 101. Neutron only tags frames on the host bridge; the switches have to carry that tag end to end, otherwise instances on the new network will get neither DHCP nor a gateway. Hand these requirements to the network engineer.
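Before running the three steps above, an administrator wants to know that the VLAN ID is legal, that physnet0 is actually known to the ML2 plugin and mapped to a bridge on the L2 agents, that the chosen ID does not fall inside the pool tenants draw from, and that the gateway and allocation pool fit the CIDR. The Python below is an added example written for this article, not code from the original post or from Neutron; the ml2_conf.ini and OVS agent snippets, the bridge name br-ex and the tenant pool 1000:2000 are assumptions. It checks those points and builds the net-create and subnet-create command lines shown above.

```python
"""Pre-flight checks for an admin-specified VLAN provider network.

Added example for this article, not code from the original post or from
Neutron. Config contents, bridge name and tenant VLAN pool are assumed.
"""
import configparser
import ipaddress
import shlex

# Constructed sample of /etc/neutron/plugins/ml2/ml2_conf.ini (assumed values).
ML2_CONF = """
[ml2]
type_drivers = flat,vlan
tenant_network_types = vlan
mechanism_drivers = openvswitch

[ml2_type_vlan]
network_vlan_ranges = physnet0:1000:2000
"""

# Constructed sample of the OVS agent's [ovs] section (assumed bridge name).
OVS_AGENT_CONF = """
[ovs]
bridge_mappings = physnet0:br-ex
"""


def parse_vlan_ranges(ini_text):
    """{physnet: [(lo, hi), ...]} from network_vlan_ranges.

    A bare 'physnetX' entry with no range means admins may create VLAN
    networks on it but tenants get no automatic allocation from it."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    ranges = {}
    for entry in cp.get("ml2_type_vlan", "network_vlan_ranges").split(","):
        parts = entry.strip().split(":")
        ranges.setdefault(parts[0], [])
        if len(parts) == 3:
            ranges[parts[0]].append((int(parts[1]), int(parts[2])))
    return ranges


def parse_bridge_mappings(ini_text):
    """{physnet: bridge} from the OVS agent's bridge_mappings."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    return dict(m.strip().split(":") for m in cp.get("ovs", "bridge_mappings").split(","))


def check_vlan_network(physnet, vlan_id, ml2_conf, agent_conf):
    """Raise ValueError when the segment cannot work; return warnings otherwise."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN id must be 1..4094 (0 and 4095 are reserved)")
    ranges = parse_vlan_ranges(ml2_conf)
    if physnet not in ranges:
        raise ValueError(f"{physnet} is not listed in network_vlan_ranges")
    if physnet not in parse_bridge_mappings(agent_conf):
        raise ValueError(f"{physnet} has no bridge_mappings entry on the L2 agent")
    warnings = []
    for lo, hi in ranges[physnet]:
        if lo <= vlan_id <= hi:
            # Legal, but the id may already be held by a tenant network, and it
            # mixes hand-assigned and auto-assigned segments in one pool.
            warnings.append(f"VLAN {vlan_id} lies inside the tenant pool {lo}:{hi}")
    return warnings


def check_subnet(cidr, gateway, pool_start, pool_end):
    """Validate gateway and allocation pool against the CIDR; return pool size."""
    net = ipaddress.ip_network(cidr, strict=True)
    gw, start, end = (ipaddress.ip_address(x) for x in (gateway, pool_start, pool_end))
    for name, addr in (("gateway", gw), ("pool start", start), ("pool end", end)):
        if addr not in net:
            raise ValueError(f"{name} {addr} is outside {cidr}")
    if start > end:
        raise ValueError("allocation pool start is after its end")
    if start <= gw <= end:
        raise ValueError("gateway must not sit inside the allocation pool")
    return int(end) - int(start) + 1


def build_commands(name, physnet, vlan_id, cidr, gateway, pool_start, pool_end, shared):
    """Return the net-create and subnet-create invocations as argv lists."""
    net_cmd = ["neutron", "net-create", "--provider:network_type=vlan",
               f"--provider:physical_network={physnet}",
               f"--provider:segmentation_id={vlan_id}"]
    if shared:  # every project may attach to this L2 segment; opt in deliberately
        net_cmd.append("--shared")
    net_cmd.append(name)
    subnet_cmd = ["neutron", "subnet-create", "--name", f"{name}_subnet",
                  "--ip-version", "4", "--gateway", gateway,
                  "--allocation-pool", f"start={pool_start},end={pool_end}",
                  name, cidr]
    return net_cmd, subnet_cmd


if __name__ == "__main__":
    for w in check_vlan_network("physnet0", 101, ML2_CONF, OVS_AGENT_CONF):
        print("warning:", w)
    print("pool size:", check_subnet("192.168.101.0/24", "192.168.101.1",
                                     "192.168.101.10", "192.168.101.250"))
    for cmd in build_commands("public", "physnet0", 101, "192.168.101.0/24",
                              "192.168.101.1", "192.168.101.10", "192.168.101.250", True):
        print(" ".join(shlex.quote(a) for a in cmd))
```

With the Linux bridge agent the mapping lives in [linux_bridge] physical_interface_mappings rather than [ovs] bridge_mappings, so parse_bridge_mappings needs the other section and key there. The tenant-pool check is only a warning: Neutron accepts an admin-chosen ID inside network_vlan_ranges and marks it allocated so no tenant gets it afterwards, but the create fails if a tenant network already holds that ID. Picking admin VLANs outside the pool, as 101 is here, avoids both problems.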
4. Testing the new network

a. Look up the network and subnet IDs:

[root@controller ~]# neutron net-list
+--------------------------------------+---------------+-------------------------------------------------------+
| id                                   | name          | subnets                                               |
+--------------------------------------+---------------+-------------------------------------------------------+
| 0d30322d-8d87-43c3-b4e2-5a2969d3c42e | public        | 3d715769-73ce-4984-81b2-ae1ffb284a74 192.168.101.0/24 |
+--------------------------------------+---------------+-------------------------------------------------------+
[root@controller ~]# neutron subnet-list
+--------------------------------------+----------------+------------------+-------------------------------------------------------+
| id                                   | name           | cidr             | allocation_pools                                      |
+--------------------------------------+----------------+------------------+-------------------------------------------------------+
| 3d715769-73ce-4984-81b2-ae1ffb284a74 | public_subnet  | 192.168.101.0/24 | {"start": "192.168.101.10", "end": "192.168.101.250"} |
+--------------------------------------+----------------+------------------+-------------------------------------------------------+

b. Create a port with a fixed address in the new subnet:

[root@controller ~]# neutron port-create --name port_1 --fixed-ip subnet_id=3d715769-73ce-4984-81b2-ae1ffb284a74,ip_address=192.168.101.11 0d30322d-8d87-43c3-b4e2-5a2969d3c42e
Created a new port:
+-----------------------+---------------------------------------------------------------------------------------+
| Field                 | Value                                                                                 |
+-----------------------+---------------------------------------------------------------------------------------+
| admin_state_up        | True                                                                                  |
| allowed_address_pairs |                                                                                       |
| binding:host_id       |                                                                                       |  # not bound to any host yet
| binding:profile       | {}                                                                                    |
| binding:vif_details   | {}                                                                                    |
| binding:vif_type      | unbound                                                                               |
| binding:vnic_type     | normal                                                                                |
| device_id             |                                                                                       |
| device_owner          |                                                                                       |
| fixed_ips             | {"subnet_id": "3d715769-73ce-4984-81b2-ae1ffb284a74", "ip_address": "192.168.101.11"} |  # the port's address
| id                    | 9b860e7f-4327-4777-8f80-3a5a3c6672ad                                                  |  # port id
| mac_address           | fa:16:3e:af:73:66                                                                     |  # the port's MAC
| name                  | port_1                                                                                |  # port name
| network_id            | 0d30322d-8d87-43c3-b4e2-5a2969d3c42e                                                  |  # network the port is on
| security_groups       | 663468d9-73b1-4b04-8d4c-dac1bf21a94d                                                  |  # security group applied (the project's default group when none is given)
| status                | DOWN                                                                                  |  # DOWN until attached to a running instance
| tenant_id             | 842ab3268a2c47e6a4b0d8774de805ae                                                      |  # owning tenant
+-----------------------+---------------------------------------------------------------------------------------+

c. List the ports on the new subnet:

[root@controller ~]# neutron port-list | grep 192.168.101
| 9b860e7f-4327-4777-8f80-3a5a3c6672ad | port_1 | fa:16:3e:af:73:66 | {"subnet_id": "3d715769-73ce-4984-81b2-ae1ffb284a74", "ip_address": "192.168.101.11"} |
| fb5f8996-c025-4fdd-80dc-7d0d117a7cd6 |        | fa:16:3e:19:8f:f8 | {"subnet_id": "3d715769-73ce-4984-81b2-ae1ffb284a74", "ip_address": "192.168.101.10"} |

The unnamed second port on 192.168.101.10 was not created by hand: because the subnet has enable_dhcp=True, the DHCP agent created a port for itself and took the first free address of the pool (port-show on it reports device_owner network:dhcp). Any address accounting for the pool has to include it.

d. Show the port details:

[root@controller ~]# neutron port-show 9b860e7f-4327-4777-8f80-3a5a3c6672ad
+-----------------------+---------------------------------------------------------------------------------------+
| Field                 | Value                                                                                 |
+-----------------------+---------------------------------------------------------------------------------------+
| admin_state_up        | True                                                                                  |
| allowed_address_pairs |                                                                                       |
| binding:host_id       |                                                                                       |
| binding:profile       | {}                                                                                    |
| binding:vif_details   | {}                                                                                    |
| binding:vif_type      | unbound                                                                               |
| binding:vnic_type     | normal                                                                                |
| device_id             |                                                                                       |
| device_owner          |                                                                                       |
| extra_dhcp_opts       |                                                                                       |
| fixed_ips             | {"subnet_id": "3d715769-73ce-4984-81b2-ae1ffb284a74", "ip_address": "192.168.101.11"} |
| id                    | 9b860e7f-4327-4777-8f80-3a5a3c6672ad                                                  |
| mac_address           | fa:16:3e:af:73:66                                                                     |
| name                  | port_1                                                                                |
| network_id            | 0d30322d-8d87-43c3-b4e2-5a2969d3c42e                                                  |
| security_groups       | 663468d9-73b1-4b04-8d4c-dac1bf21a94d                                                  |
| status                | DOWN                                                                                  |
| tenant_id             | 842ab3268a2c47e6a4b0d8774de805ae                                                      |
+-----------------------+---------------------------------------------------------------------------------------+
5. Attaching the port to an instance

a. Attach the port:

[root@controller ~]# nova list | grep happy
| 3f694eaf-aa87-456a-99ce-90dd9f4e45ee | happy_test | SHUTOFF | - | Shutdown |                       | ChuangYiYuan_10_16_2_11 |
[root@controller ~]# nova interface-attach 3f694eaf-aa87-456a-99ce-90dd9f4e45ee --port-id 9b860e7f-4327-4777-8f80-3a5a3c6672ad

b. The attach succeeded and the instance is now associated with the port:

[root@controller ~]# nova list | grep happy
| 3f694eaf-aa87-456a-99ce-90dd9f4e45ee | happy_test | SHUTOFF | - | Shutdown | public=192.168.101.11 | ChuangYiYuan_10_16_2_11 |

Because the instance is SHUTOFF, the port stays DOWN until the VM boots and the L2 agent on the compute node plugs its tap interface; after that, port-show should report status ACTIVE, binding:host_id set to the compute host and device_owner compute:nova.
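After steps 4 and 5 the natural questions are: how much of the pool is already consumed (remember the DHCP agent's port), does every port sit inside the pool, and what does the network's shared flag mean for who can reach whom. The Python below is an added example written for this article, not code from the original post or from Neutron. It parses the ASCII tables that neutron *-show and *-list print, generalising a little beyond the page by folding the extra lines neutron emits for multi-valued cells back into their row. The sample tables are constructed from the output shown above; the port-list header row is assumed, since the article shows only the grep'd rows.

```python
"""Check the new network from neutron CLI output.

Added example for this article, not code from the original post or from
Neutron. Tables below are constructed from the output shown in the article.
"""
import ipaddress
import json

SUBNET_SHOW = """
+------------------+-------------------------------------------------------+
| Field            | Value                                                 |
+------------------+-------------------------------------------------------+
| allocation_pools | {"start": "192.168.101.10", "end": "192.168.101.250"} |
| cidr             | 192.168.101.0/24                                      |
| gateway_ip       | 192.168.101.1                                         |
+------------------+-------------------------------------------------------+
"""

NET_SHOW = """
+---------------------------+--------------------------------------+
| Field                     | Value                                |
+---------------------------+--------------------------------------+
| provider:segmentation_id  | 101                                  |
| router:external           | False                                |
| shared                    | True                                 |
+---------------------------+--------------------------------------+
"""

PORT_LIST = """
+--------------------------------------+--------+-------------------+---------------------------------------------------------------------------------------+
| id                                   | name   | mac_address       | fixed_ips                                                                             |
+--------------------------------------+--------+-------------------+---------------------------------------------------------------------------------------+
| 9b860e7f-4327-4777-8f80-3a5a3c6672ad | port_1 | fa:16:3e:af:73:66 | {"subnet_id": "3d715769-73ce-4984-81b2-ae1ffb284a74", "ip_address": "192.168.101.11"} |
| fb5f8996-c025-4fdd-80dc-7d0d117a7cd6 |        | fa:16:3e:19:8f:f8 | {"subnet_id": "3d715769-73ce-4984-81b2-ae1ffb284a74", "ip_address": "192.168.101.10"} |
+--------------------------------------+--------+-------------------+---------------------------------------------------------------------------------------+
"""


def _rows(text):
    """Table text -> list of cell lists. A multi-valued cell is printed on
    extra lines with an empty first column; those are folded into the row."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue  # +---+ border or blank line
        cells = [c.strip() for c in line.strip("|").split("|")]
        if rows and cells[0] == "" and any(cells[1:]):
            for i, c in enumerate(cells):
                if c:
                    rows[-1][i] = (rows[-1][i] + "\n" + c) if rows[-1][i] else c
            continue
        rows.append(cells)
    return rows


def parse_show(text):
    """Field/Value table -> dict."""
    rows = _rows(text)
    if rows[0] != ["Field", "Value"]:
        raise ValueError("not a *-show table")
    return {field: value for field, value in rows[1:]}


def parse_list(text):
    """Header row plus data rows -> list of dicts keyed by column name."""
    rows = _rows(text)
    return [dict(zip(rows[0], r)) for r in rows[1:]]


def port_addresses(port):
    """Every ip_address of a port; fixed_ips holds one JSON object per line."""
    return [json.loads(l)["ip_address"] for l in port["fixed_ips"].splitlines() if l]


def pool_report(subnet_show, port_list):
    """Used addresses, remaining pool capacity, and addresses that do not
    belong in a pool (someone hand-picked an IP outside the managed range)."""
    sub = parse_show(subnet_show)
    net = ipaddress.ip_network(sub["cidr"])
    pools = [(ipaddress.ip_address(p["start"]), ipaddress.ip_address(p["end"]))
             for p in (json.loads(l) for l in sub["allocation_pools"].splitlines() if l)]

    def in_pool(addr):
        return any(lo <= addr <= hi for lo, hi in pools)

    used, problems = set(), []
    for port in parse_list(port_list):
        for ip in port_addresses(port):
            addr = ipaddress.ip_address(ip)
            if addr in used:
                problems.append(f"{ip} is assigned to more than one port")
            used.add(addr)
            if addr not in net:
                problems.append(f"{ip} is outside {net}")
            elif not in_pool(addr):
                problems.append(f"{ip} is outside every allocation pool")
    capacity = sum(int(hi) - int(lo) + 1 for lo, hi in pools)
    return {"used": [str(a) for a in sorted(used)],
            "free": capacity - sum(1 for a in used if in_pool(a)),
            "problems": problems}


def exposure_notes(net_show):
    """What the network's flags mean for tenant isolation."""
    net = parse_show(net_show)
    notes = []
    if net.get("shared") == "True":
        notes.append(f"shared=True: every project can plug ports into VLAN "
                     f"{net['provider:segmentation_id']}; only security groups "
                     "separate their instances on this segment")
    return notes
```

In the article's state the report shows two addresses used (.10 for the DHCP agent, .11 for port_1), 239 of the 241 pool addresses free and no problems. Feeding it a port with an address outside the pool, which an administrator can create but a tenant cannot, is exactly the kind of thing that later turns into a duplicate-address incident when the pool reaches that address, so the problems list is worth a look before handing the network over.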
6. Summary
A network can be extended in two ways: a tenant creates its own network, in which case Neutron allocates the VLAN ID automatically from the configured pool, or an administrator creates it and picks the VLAN ID to match the physical network and the business requirement. OpenStack deployments and configurations vary enormously, so adapt these steps to your own environment.
7. Appendix
[root@controller ~]# neutron -h
usage: neutron [--version] [-v] [-q] [-h] [--os-auth-strategy <auth-strategy>]
               [--os-auth-url <auth-url>] [--os-tenant-name <auth-tenant-name>]
               [--os-tenant-id <auth-tenant-id>] [--os-username <auth-username>]
               [--os-password <auth-password>] [--os-region-name <auth-region-name>]
               [--os-token <token>] [--endpoint-type <endpoint-type>] [--os-url <url>]
               [--os-cacert <ca-certificate>] [--insecure]

Command-line interface to the Neutron APIs

optional arguments:
  --version             show program's version number and exit
  -v, --verbose, --debug
                        Increase verbosity of output and show tracebacks on errors. Can be repeated.
  -q, --quiet           Suppress output except warnings and errors
  -h, --help            Show this help message and exit
  --os-auth-strategy <auth-strategy>
                        Authentication strategy (Env: OS_AUTH_STRATEGY, default keystone). For now, any other value will disable the authentication
  --os-auth-url <auth-url>
                        Authentication URL (Env: OS_AUTH_URL)
  --os-tenant-name <auth-tenant-name>
                        Authentication tenant name (Env: OS_TENANT_NAME)
  --os-tenant-id <auth-tenant-id>
                        Authentication tenant name (Env: OS_TENANT_ID)
  --os-username <auth-username>
                        Authentication username (Env: OS_USERNAME)
  --os-password <auth-password>
                        Authentication password (Env: OS_PASSWORD)
  --os-region-name <auth-region-name>
                        Authentication region name (Env: OS_REGION_NAME)
  --os-token <token>    Defaults to env[OS_TOKEN]
  --endpoint-type <endpoint-type>
                        Defaults to env[OS_ENDPOINT_TYPE] or publicURL.
  --os-url <url>        Defaults to env[OS_URL]
  --os-cacert <ca-certificate>
                        Specify a CA bundle file to use in verifying a TLS (https) server certificate. Defaults to env[OS_CACERT]
  --insecure            Explicitly allow neutronclient to perform "insecure" SSL (https) requests. The server's certificate will not be verified against any certificate authorities. This option should be used with caution.

Commands for API v2.0:
  agent-delete                    Delete a given agent.                                                   # agent management
  agent-list                      List agents.
  agent-show                      Show information of a given agent.
  agent-update                    Update a given agent.
  cisco-credential-create         Creates a credential.
  cisco-credential-delete         Delete a given credential.
  cisco-credential-list           List credentials that belong to a given tenant.
  cisco-credential-show           Show information of a given credential.
  cisco-network-profile-create    Creates a network profile.
  cisco-network-profile-delete    Delete a given network profile.
  cisco-network-profile-list      List network profiles that belong to a given tenant.
  cisco-network-profile-show      Show information of a given network profile.
  cisco-network-profile-update    Update network profile's information.
  cisco-policy-profile-list       List policy profiles that belong to a given tenant.
  cisco-policy-profile-show       Show information of a given policy profile.
  cisco-policy-profile-update     Update policy profile's information.
  dhcp-agent-list-hosting-net     List DHCP agents hosting a network.
  dhcp-agent-network-add          Add a network to a DHCP agent.
  dhcp-agent-network-remove       Remove a network from a DHCP agent.
  ext-list                        List all extensions.
  ext-show                        Show information of a given resource.
  firewall-create                 Create a firewall.                                                      # firewall management
  firewall-delete                 Delete a given firewall.
  firewall-list                   List firewalls that belong to a given tenant.
  firewall-policy-create          Create a firewall policy.
  firewall-policy-delete          Delete a given firewall policy.
  firewall-policy-insert-rule     Insert a rule into a given firewall policy.
  firewall-policy-list            List firewall policies that belong to a given tenant.
  firewall-policy-remove-rule     Remove a rule from a given firewall policy.
  firewall-policy-show            Show information of a given firewall policy.
  firewall-policy-update          Update a given firewall policy.
  firewall-rule-create            Create a firewall rule.
  firewall-rule-delete            Delete a given firewall rule.
  firewall-rule-list              List firewall rules that belong to a given tenant.
  firewall-rule-show              Show information of a given firewall rule.
  firewall-rule-update            Update a given firewall rule.
  firewall-show                   Show information of a given firewall.
  firewall-update                 Update a given firewall.
  floatingip-associate            Create a mapping between a floating ip and a fixed ip.                  # floating IP management
  floatingip-create               Create a floating ip for a given tenant.
  floatingip-delete               Delete a given floating ip.
  floatingip-disassociate         Remove a mapping from a floating ip to a fixed ip.
  floatingip-list                 List floating ips that belong to a given tenant.
  floatingip-show                 Show information of a given floating ip.
  help                            print detailed help for another command
  ipsec-site-connection-create    Create an IPsecSiteConnection.                                          # VPN site connection management
  ipsec-site-connection-delete    Delete a given IPsecSiteConnection.
  ipsec-site-connection-list      List IPsecSiteConnections that belong to a given tenant.
  ipsec-site-connection-show      Show information of a given IPsecSiteConnection.
  ipsec-site-connection-update    Update a given IPsecSiteConnection.
  l3-agent-list-hosting-router    List L3 agents hosting a router.
  l3-agent-router-add             Add a router to a L3 agent.
  l3-agent-router-remove          Remove a router from a L3 agent.
  lb-agent-hosting-pool           Get loadbalancer agent hosting a pool.                                  # load balancer management
  lb-healthmonitor-associate      Create a mapping between a health monitor and a pool.
  lb-healthmonitor-create         Create a healthmonitor.
  lb-healthmonitor-delete         Delete a given healthmonitor.
  lb-healthmonitor-disassociate   Remove a mapping from a health monitor to a pool.
  lb-healthmonitor-list           List healthmonitors that belong to a given tenant.
  lb-healthmonitor-show           Show information of a given healthmonitor.
  lb-healthmonitor-update         Update a given healthmonitor.
  lb-member-create                Create a member.
  lb-member-delete                Delete a given member.
  lb-member-list                  List members that belong to a given tenant.
  lb-member-show                  Show information of a given member.
  lb-member-update                Update a given member.
  lb-pool-create                  Create a pool.
  lb-pool-delete                  Delete a given pool.
  lb-pool-list                    List pools that belong to a given tenant.
  lb-pool-list-on-agent           List the pools on a loadbalancer agent.
  lb-pool-show                    Show information of a given pool.
  lb-pool-stats                   Retrieve stats for a given pool.
  lb-pool-update                  Update a given pool.
  lb-vip-create                   Create a vip.
  lb-vip-delete                   Delete a given vip.
  lb-vip-list                     List vips that belong to a given tenant.
  lb-vip-show                     Show information of a given vip.
  lb-vip-update                   Update a given vip.
  meter-label-create              Create a metering label for a given tenant.
  meter-label-delete              Delete a given metering label.
  meter-label-list                List metering labels that belong to a given tenant.
  meter-label-rule-create         Create a metering label rule for a given label.
  meter-label-rule-delete         Delete a given metering label.
  meter-label-rule-list           List metering labels that belong to a given label.
  meter-label-rule-show           Show information of a given metering label rule.
  meter-label-show                Show information of a given metering label.
  net-create                      Create a network for a given tenant.                                    # network management
  net-delete                      Delete a given network.
  net-external-list               List external networks that belong to a given tenant.
  net-gateway-connect             Add an internal network interface to a router.
  net-gateway-create              Create a network gateway.
  net-gateway-delete              Delete a given network gateway.
  net-gateway-disconnect          Remove a network from a network gateway.
  net-gateway-list                List network gateways for a given tenant.
  net-gateway-show                Show information of a given network gateway.
  net-gateway-update              Update the name for a network gateway.
  net-list                        List networks that belong to a given tenant.
  net-list-on-dhcp-agent          List the networks on a DHCP agent.
  net-show                        Show information of a given network.
  net-update                      Update network's information.
  port-create                     Create a port for a given tenant.                                       # port management
  port-delete                     Delete a given port.
  port-list                       List ports that belong to a given tenant.
  port-show                       Show information of a given port.
  port-update                     Update port's information.
  queue-create                    Create a queue.
  queue-delete                    Delete a given queue.
  queue-list                      List queues that belong to a given tenant.
  queue-show                      Show information of a given queue.
  quota-delete                    Delete defined quotas of a given tenant.                                # quota management
  quota-list                      List quotas of all tenants who have non-default quota values.
  quota-show                      Show quotas of a given tenant
  quota-update                    Define tenant's quotas not to use defaults.
  router-create                   Create a router for a given tenant.                                     # router management
  router-delete                   Delete a given router.
  router-gateway-clear            Remove an external network gateway from a router.
  router-gateway-set              Set the external network gateway for a router.
  router-interface-add            Add an internal network interface to a router.
  router-interface-delete         Remove an internal network interface from a router.
  router-list                     List routers that belong to a given tenant.
  router-list-on-l3-agent         List the routers on a L3 agent.
  router-port-list                List ports that belong to a given tenant, with specified router.
  router-show                     Show information of a given router.
  router-update                   Update router's information.
  security-group-create           Create a security group.                                                # security group management
  security-group-delete           Delete a given security group.
  security-group-list             List security groups that belong to a given tenant.
  security-group-rule-create      Create a security group rule.
  security-group-rule-delete      Delete a given security group rule.
  security-group-rule-list        List security group rules that belong to a given tenant.
  security-group-rule-show        Show information of a given security group rule.
  security-group-show             Show information of a given security group.
  security-group-update           Update a given security group.
  service-provider-list           List service providers.
  subnet-create                   Create a subnet for a given tenant.                                     # subnet management
  subnet-delete                   Delete a given subnet.
  subnet-list                     List subnets that belong to a given tenant.
  subnet-show                     Show information of a given subnet.
  subnet-update                   Update subnet's information.
  vpn-ikepolicy-create            Create an IKEPolicy.                                                    # VPN management
  vpn-ikepolicy-delete            Delete a given IKE Policy.
  vpn-ikepolicy-list              List IKEPolicies that belong to a tenant.
  vpn-ikepolicy-show              Show information of a given IKEPolicy.
  vpn-ikepolicy-update            Update a given IKE Policy.
  vpn-ipsecpolicy-create          Create an ipsecpolicy.
  vpn-ipsecpolicy-delete          Delete a given ipsecpolicy.
  vpn-ipsecpolicy-list            List ipsecpolicies that belongs to a given tenant connection.
  vpn-ipsecpolicy-show            Show information of a given ipsecpolicy.
  vpn-ipsecpolicy-update          Update a given ipsec policy.
  vpn-service-create              Create a VPNService.
  vpn-service-delete              Delete a given VPNService.
  vpn-service-list                List VPNService configurations that belong to a given tenant.
  vpn-service-show                Show information of a given VPNService.
  vpn-service-update              Update a given VPNService.

Two of these options matter for security: --insecure disables certificate verification of the Neutron endpoint, and --os-password on the command line leaves the admin password in shell history and in the process list. Prefer the OS_* environment variables (an openrc file) or --os-token, and keep --os-cacert pointed at the real CA bundle instead of reaching for --insecure.
This article is from the "Happy实验室" blog; reproduction is not permitted.
OpenStack operations in practice, part 20: creating a Neutron network with a specified VLAN ID
Original URL: http://happylab.blog.51cto.com/1730296/1740165