OpenStack Rocky : Neutron ネットワークを構成 (VXLAN)2019/08/20 |
|
OpenStack Network Service(Neutron)による仮想ネットワークの構成です。
例として、VXLAN タイプのネットワークを構成します。
事前に以下のように Control ノード、 Network ノード、 Compute ノードの 各 Neutron サービスノードを構築済みであることが前提です。
また、当例では Network ノードが二つのネットワークインターフェースを持っているものとします。また、下例で
eth1 の方は IP なしでインターフェースを UP しています。
IP なしでのインターフェース UP の設定はこちらの [1] を参照ください。
------------+---------------------------+---------------------------+------------
| | |
eth0|10.0.0.30 eth0|10.0.0.50 eth0|10.0.0.51
+-----------+-----------+ +-----------+-----------+ +-----------+-----------+
| [ Control Node ] | | [ Network Node ] | | [ Compute Node ] |
| | | | | |
| MariaDB RabbitMQ | | L2 Agent | | Libvirt |
| Memcached httpd | | L3 Agent | | Nova Compute |
| Keystone Glance | | Metadata Agent | | L2 Agent |
| Nova API | | Open vSwitch | | Open vSwitch |
| Neutron Server | | | | |
| Metadata Agent | | | | |
+-----------------------+ +-----------+-----------+ +-----------------------+
eth1|(UP with no IP)
|
| [1] | Control ノードで以下のように設定変更します。 |
|
root@dlp ~(keystone)#
vi /etc/neutron/plugins/ml2/ml2_conf.ini # 108行目: tenant_network_types に値を追記 tenant_network_types = vxlan
# 155行目:コメント解除し変更 flat_networks = physnet1
systemctl restart neutron-api neutron-rpc-server |
| [2] | Network ノードで以下のように設定変更します。 |
|
# ブリッジを追加して、IP なしに設定したインターフェースをブリッジのポートに追加 root@network:~# ovs-vsctl add-br br-eth1 root@network:~# ovs-vsctl add-port br-eth1 eth1
root@network:~#
vi /etc/neutron/plugins/ml2/ml2_conf.ini # 108行目: tenant_network_types に値を追記 tenant_network_types = vxlan
# 155行目:変更 [ml2_type_flat] ..... ..... flat_networks = physnet1
# 204行目:設定確認 [ml2_type_vxlan] vni_ranges = 1:1000
root@network:~#
vi /etc/neutron/plugins/ml2/openvswitch_agent.ini # 97行目:追記 [agent]
prevent_arp_spoofing = True
# 109行目:コメント解除 tunnel_types = vxlan # 195行目:コメント解除し変更 bridge_mappings = physnet1:br-eth1
for service in l3-agent dhcp-agent metadata-agent openvswitch-agent; do systemctl restart neutron-$service done |
| [3] | Compute ノードで以下のように設定変更します。 |
|
root@node01:~#
vi /etc/neutron/plugins/ml2/ml2_conf.ini # 108行目: tenant_network_types に値を追記 tenant_network_types = vxlan
# 155行目:変更 [ml2_type_flat] ..... ..... flat_networks = physnet1
# 204行目:設定確認 [ml2_type_vxlan] vni_ranges = 1:1000
root@node01:~#
vi /etc/neutron/plugins/ml2/openvswitch_agent.ini # 97行目:追記 [agent]
prevent_arp_spoofing = True
# 109行目:コメント解除 tunnel_types = vxlan systemctl restart neutron-openvswitch-agent |
| [4] | 仮想ルータを作成します。作業場所はどこでもよいですが、当例では Control ノード上で作業します。 |
|
# 仮想ルーター作成 root@dlp ~(keystone)# openstack router create router01 +-------------------------+--------------------------------------+ | Field | Value | +-------------------------+--------------------------------------+ | admin_state_up | UP | | availability_zone_hints | | | availability_zones | | | created_at | 2019-08-20T04:03:33Z | | description | | | distributed | False | | external_gateway_info | None | | flavor_id | None | | ha | False | | id | 735e5f7f-8c98-46c6-86b6-a7dc94602958 | | name | router01 | | project_id | 087b251e194c4962bc916e48694db744 | | revision_number | 0 | | routes | | | status | ACTIVE | | tags | | | updated_at | 2019-08-20T04:03:33Z | +-------------------------+--------------------------------------+ |
| [5] | 内部用のネットワークを作成し、仮想ルーターに関連付けます。 |
|
# 内部用ネットワーク作成 root@dlp ~(keystone)# openstack network create int_net --provider-network-type vxlan +---------------------------+--------------------------------------+ | Field | Value | +---------------------------+--------------------------------------+ | admin_state_up | UP | | availability_zone_hints | | | availability_zones | | | created_at | 2019-08-20T04:03:51Z | | description | | | dns_domain | None | | id | 0b5e9fa8-b57f-47c0-af13-debc989baa28 | | ipv4_address_scope | None | | ipv6_address_scope | None | | is_default | False | | is_vlan_transparent | None | | mtu | 1450 | | name | int_net | | port_security_enabled | True | | project_id | 087b251e194c4962bc916e48694db744 | | provider:network_type | vxlan | | provider:physical_network | None | | provider:segmentation_id | 56 | | qos_policy_id | None | | revision_number | 1 | | router:external | Internal | | segments | None | | shared | False | | status | ACTIVE | | subnets | | | tags | | | updated_at | 2019-08-20T04:03:51Z | +---------------------------+--------------------------------------+ # 内部用ネットワークにサブネット作成 root@dlp ~(keystone)# openstack subnet create subnet1 --network int_net \ --subnet-range 192.168.100.0/24 --gateway 192.168.100.1 \ --dns-nameserver 10.0.0.10 +-------------------+--------------------------------------+ | Field | Value | +-------------------+--------------------------------------+ | allocation_pools | 192.168.100.2-192.168.100.254 | | cidr | 192.168.100.0/24 | | created_at | 2019-08-20T04:04:35Z | | description | | | dns_nameservers | 10.0.0.10 | | enable_dhcp | True | | gateway_ip | 192.168.100.1 | | host_routes | | | id | c900d81a-1eda-4d90-b900-a06005f975d2 | | ip_version | 4 | | ipv6_address_mode | None | | ipv6_ra_mode | None | | name | subnet1 | | network_id | 0b5e9fa8-b57f-47c0-af13-debc989baa28 | | project_id | 087b251e194c4962bc916e48694db744 | | revision_number | 0 | | segment_id | None | | service_types | | | subnetpool_id | None | | tags | | | updated_at | 2019-08-20T04:04:35Z | +-------------------+--------------------------------------+ # 仮想ルーターに内部ネットワークを設定 root@dlp ~(keystone)# openstack router add subnet router01 subnet1
|
| [6] | 外部接続用のネットワークを作成し、仮想ルーターに関連付けます。 |
|
# 外部用ネットワーク作成 root@dlp ~(keystone)# openstack network create \ --provider-physical-network physnet1 \ --provider-network-type flat --external ext_net +---------------------------+--------------------------------------+ | Field | Value | +---------------------------+--------------------------------------+ | admin_state_up | UP | | availability_zone_hints | | | availability_zones | | | created_at | 2019-08-20T04:05:12Z | | description | | | dns_domain | None | | id | 60c664d6-d7fd-4009-9888-74801655b422 | | ipv4_address_scope | None | | ipv6_address_scope | None | | is_default | False | | is_vlan_transparent | None | | mtu | 1500 | | name | ext_net | | port_security_enabled | True | | project_id | 087b251e194c4962bc916e48694db744 | | provider:network_type | flat | | provider:physical_network | physnet1 | | provider:segmentation_id | None | | qos_policy_id | None | | revision_number | 1 | | router:external | External | | segments | None | | shared | False | | status | ACTIVE | | subnets | | | tags | | | updated_at | 2019-08-20T04:05:12Z | +---------------------------+--------------------------------------+ # 外部用ネットワークにサブネット作成 root@dlp ~(keystone)# openstack subnet create subnet2 \ --network ext_net --subnet-range 10.0.0.0/24 \ --allocation-pool start=10.0.0.200,end=10.0.0.254 \ --gateway 10.0.0.1 --dns-nameserver 10.0.0.10 --no-dhcp +-------------------+--------------------------------------+ | Field | Value | +-------------------+--------------------------------------+ | allocation_pools | 10.0.0.200-10.0.0.254 | | cidr | 10.0.0.0/24 | | created_at | 2019-08-20T04:05:38Z | | description | | | dns_nameservers | 10.0.0.10 | | enable_dhcp | False | | gateway_ip | 10.0.0.1 | | host_routes | | | id | 578a2608-e20f-4985-9ded-f9ecbfc1ef34 | | ip_version | 4 | | ipv6_address_mode | None | | ipv6_ra_mode | None | | name | subnet2 | | network_id | 60c664d6-d7fd-4009-9888-74801655b422 | | project_id | 087b251e194c4962bc916e48694db744 | | revision_number | 0 | | segment_id | None | | service_types | | | subnetpool_id | None | | tags | | | updated_at | 2019-08-20T04:05:38Z | +-------------------+--------------------------------------+ # 仮想ルーターにゲートウェイを設定 root@dlp ~(keystone)# openstack router set router01 --external-gateway ext_net |
| [7] | 作成したネットワークは、外部用はデフォルトで全プロジェクトがアクセス可能ですが、内部用はデフォルトでは admin プロジェクトのみがアクセス可能なため、内部ネットワークを利用させたいプロジェクトにアクセス権限を付与しておきます。 |
|
# ネットワーク RBAC リスト表示 root@dlp ~(keystone)# openstack network rbac list +--------------------------------------+-------------+--------------------------------------+ | ID | Object Type | Object ID | +--------------------------------------+-------------+--------------------------------------+ | 39496f8c-77b0-4bae-b151-a4014ef4f253 | network | 60c664d6-d7fd-4009-9888-74801655b422 | +--------------------------------------+-------------+--------------------------------------+ # RBAC の詳細 (access_as_external のみ全プロジェクトがアクセス可能) root@dlp ~(keystone)# openstack network rbac show 39496f8c-77b0-4bae-b151-a4014ef4f253 +-------------------+--------------------------------------+ | Field | Value | +-------------------+--------------------------------------+ | action | access_as_external | | id | 39496f8c-77b0-4bae-b151-a4014ef4f253 | | name | None | | object_id | 60c664d6-d7fd-4009-9888-74801655b422 | | object_type | network | | project_id | 087b251e194c4962bc916e48694db744 | | target_project_id | * | +-------------------+--------------------------------------+ # 作成済みネットワーク一覧 root@dlp ~(keystone)# openstack network list +--------------------------------------+---------+--------------------------------------+ | ID | Name | Subnets | +--------------------------------------+---------+--------------------------------------+ | 0b5e9fa8-b57f-47c0-af13-debc989baa28 | int_net | c900d81a-1eda-4d90-b900-a06005f975d2 | | 60c664d6-d7fd-4009-9888-74801655b422 | ext_net | 578a2608-e20f-4985-9ded-f9ecbfc1ef34 | +--------------------------------------+---------+--------------------------------------+ # 作成済みプロジェクト一覧 root@dlp ~(keystone)# openstack project list +----------------------------------+-----------+ | ID | Name | +----------------------------------+-----------+ | 087b251e194c4962bc916e48694db744 | admin | | 6de0ab5f5ae24824820df0ab890bd84f | hiroshima | | af821885c5934a9395aeabe996751847 | service | +----------------------------------+-----------+ # [int_net] への [access_as_shared] アクセス権を [hiroshima] プロジェクトに付与 root@dlp ~(keystone)# netID=$(openstack network list | grep int_net | awk '{ print $2 }') root@dlp ~(keystone)# prjID=$(openstack project list | grep hiroshima | awk '{ print $2 }') root@dlp ~(keystone)# openstack network rbac create --target-project $prjID --type network --action access_as_shared $netID +-------------------+--------------------------------------+ | Field | Value | +-------------------+--------------------------------------+ | action | access_as_shared | | id | 17fb895f-a3c8-4f84-a97a-12d4cb0fa245 | | name | None | | object_id | 0b5e9fa8-b57f-47c0-af13-debc989baa28 | | object_type | network | | project_id | 087b251e194c4962bc916e48694db744 | | target_project_id | 6de0ab5f5ae24824820df0ab890bd84f | +-------------------+--------------------------------------+ |
| [8] | 内部ネットワークへのアクセス権を付与したプロジェクトに所属する任意のユーザーでログインし、 作成した内部ネットワークをインスタンスに紐付けてインスタンスを作成・起動します。 |
|
# 利用可能な flavor 確認 debian@dlp ~(keystone)$ openstack flavor list +----+----------+------+------+-----------+-------+-----------+ | ID | Name | RAM | Disk | Ephemeral | VCPUs | Is Public | +----+----------+------+------+-----------+-------+-----------+ | 0 | m1.small | 2048 | 10 | 0 | 1 | True | +----+----------+------+------+-----------+-------+-----------+ # 利用可能なイメージ確認 debian@dlp ~(keystone)$ openstack image list +--------------------------------------+----------+--------+ | ID | Name | Status | +--------------------------------------+----------+--------+ | 2f489eea-ca80-471d-b450-31664cd284b1 | Debian10 | active | +--------------------------------------+----------+--------+ # 利用可能なネットワーク確認 debian@dlp ~(keystone)$ openstack network list +--------------------------------------+---------+--------------------------------------+ | ID | Name | Subnets | +--------------------------------------+---------+--------------------------------------+ | 0b5e9fa8-b57f-47c0-af13-debc989baa28 | int_net | c900d81a-1eda-4d90-b900-a06005f975d2 | | 60c664d6-d7fd-4009-9888-74801655b422 | ext_net | 578a2608-e20f-4985-9ded-f9ecbfc1ef34 | +--------------------------------------+---------+--------------------------------------+ # インスタンス用のセキュリティグループを作成 debian@dlp ~(keystone)$ openstack security group create secgroup01 +-----------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+ | Field | Value | +-----------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+ | created_at | 2019-08-20T04:08:39Z | | description | secgroup01 | | id | 7b89d209-e2b2-4a46-ab6e-f5333d626c75 | | name | secgroup01 | | project_id | 6de0ab5f5ae24824820df0ab890bd84f | | revision_number | 1 | | rules | created_at='2019-08-20T04:08:39Z', direction='egress', ethertype='IPv4', id='a43c625f-3a53-4cf0-87bf-af046c417fa3', updated_at='2019-08-20T04:08:39Z' | | | created_at='2019-08-20T04:08:39Z', direction='egress', ethertype='IPv6', id='d284c326-5238-4c40-89d5-e0e41302bb92', updated_at='2019-08-20T04:08:39Z' | | tags | [] | | updated_at | 2019-08-20T04:08:39Z | +-----------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+ # インスタンス接続用の SSH キーペア作成 debian@dlp ~(keystone)$ ssh-keygen -q -N "" Enter file in which to save the key (/home/debian/.ssh/id_rsa): # 公開鍵登録 debian@dlp ~(keystone)$ openstack keypair create --public-key ~/.ssh/id_rsa.pub mykey +-------------+-------------------------------------------------+ | Field | Value | +-------------+-------------------------------------------------+ | fingerprint | 83:e8:e9:da:28:a1:c9:be:b6:07:37:6a:79:94:f8:c5 | | name | mykey | | user_id | 2af053ff367b47fc9e1a9139c29340b6 | +-------------+-------------------------------------------------+debian@dlp ~(keystone)$ netID=$(openstack network list | grep int_net | awk '{ print $2 }')
debian@dlp ~(keystone)$
debian@dlp ~(keystone)$ openstack server create --flavor m1.small --image Debian10 --security-group secgroup01 --nic net-id=$netID --key-name mykey Debian_10
openstack server list +--------------------------------------+-----------+--------+------------------------+----------+----------+ | ID | Name | Status | Networks | Image | Flavor | +--------------------------------------+-----------+--------+------------------------+----------+----------+ | ca63556d-5adc-4183-a2de-476da9f71780 | Debian_10 | ACTIVE | int_net=192.168.100.10 | Debian10 | m1.small | +--------------------------------------+-----------+--------+------------------------+----------+----------+ |
| [9] | 作成した仮想マシンインスタンスにフローティングIP を割り当てます。 |
|
debian@dlp ~(keystone)$ openstack floating ip create ext_net +---------------------+--------------------------------------+ | Field | Value | +---------------------+--------------------------------------+ | created_at | 2019-08-20T04:34:43Z | | description | | | dns_domain | None | | dns_name | None | | fixed_ip_address | None | | floating_ip_address | 10.0.0.219 | | floating_network_id | 60c664d6-d7fd-4009-9888-74801655b422 | | id | 21ae9ddc-203f-4aaf-99b1-cbdb8fe6c8d6 | | name | 10.0.0.219 | | port_details | None | | port_id | None | | project_id | 6de0ab5f5ae24824820df0ab890bd84f | | qos_policy_id | None | | revision_number | 0 | | router_id | None | | status | DOWN | | subnet_id | None | | tags | [] | | updated_at | 2019-08-20T04:34:43Z | +---------------------+--------------------------------------+debian@dlp ~(keystone)$ openstack server add floating ip Debian_10 10.0.0.219 # 設定確認 debian@dlp ~(keystone)$ openstack floating ip show 10.0.0.219 +---------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | Field | Value | +---------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | created_at | 2019-08-20T04:34:43Z | | description | | | dns_domain | None | | dns_name | None | | fixed_ip_address | 192.168.100.10 | | floating_ip_address | 10.0.0.219 | | floating_network_id | 60c664d6-d7fd-4009-9888-74801655b422 | | id | 21ae9ddc-203f-4aaf-99b1-cbdb8fe6c8d6 | | name | 10.0.0.219 | | port_details | admin_state_up='True', device_id='ca63556d-5adc-4183-a2de-476da9f71780', device_owner='compute:nova', mac_address='fa:16:3e:e0:b1:9f', name='', network_id='0b5e9fa8-b57f-47c0-af13-debc989baa28', status='ACTIVE' | | port_id | d835a1d1-2963-4d0c-be65-0e8ac14b23ca | | project_id | 6de0ab5f5ae24824820df0ab890bd84f | | qos_policy_id | None | | revision_number | 2 | | router_id | 735e5f7f-8c98-46c6-86b6-a7dc94602958 | | status | ACTIVE | | subnet_id | None | | tags | [] | | updated_at | 2019-08-20T04:36:38Z | +---------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+debian@dlp ~(keystone)$ openstack server list +--------------------------------------+-----------+--------+------------------------------------+----------+----------+ | ID | Name | Status | Networks | Image | Flavor | +--------------------------------------+-----------+--------+------------------------------------+----------+----------+ | ca63556d-5adc-4183-a2de-476da9f71780 | Debian_10 | ACTIVE | int_net=192.168.100.10, 10.0.0.219 | Debian10 | m1.small | +--------------------------------------+-----------+--------+------------------------------------+----------+----------+ |
| [10] | 起動した仮想マシンインスタンスに SSH 接続できるように、先に作成したセキュリティグループにポート許可の設定を追加します。 |
|
# ICMP 許可 debian@dlp ~(keystone)$ openstack security group rule create --protocol icmp --ingress secgroup01 +-------------------+--------------------------------------+ | Field | Value | +-------------------+--------------------------------------+ | created_at | 2019-08-20T04:37:38Z | | description | | | direction | ingress | | ether_type | IPv4 | | id | 8cec4a91-e491-4cb2-8871-09b8fcf1c436 | | name | None | | port_range_max | None | | port_range_min | None | | project_id | 6de0ab5f5ae24824820df0ab890bd84f | | protocol | icmp | | remote_group_id | None | | remote_ip_prefix | 0.0.0.0/0 | | revision_number | 0 | | security_group_id | 7b89d209-e2b2-4a46-ab6e-f5333d626c75 | | updated_at | 2019-08-20T04:37:38Z | +-------------------+--------------------------------------+ # SSH 許可 debian@dlp ~(keystone)$ openstack security group rule create --protocol tcp --dst-port 22:22 secgroup01 +-------------------+--------------------------------------+ | Field | Value | +-------------------+--------------------------------------+ | created_at | 2019-08-20T04:37:53Z | | description | | | direction | ingress | | ether_type | IPv4 | | id | 5531ce0e-4725-414a-9a0c-52624bf566bf | | name | None | | port_range_max | 22 | | port_range_min | 22 | | project_id | 6de0ab5f5ae24824820df0ab890bd84f | | protocol | tcp | | remote_group_id | None | | remote_ip_prefix | 0.0.0.0/0 | | revision_number | 0 | | security_group_id | 7b89d209-e2b2-4a46-ab6e-f5333d626c75 | | updated_at | 2019-08-20T04:37:53Z | +-------------------+--------------------------------------+debian@dlp ~(keystone)$ openstack security group rule list +--------------------------------------+-------------+-----------+------------+--------------------------------------+--------------------------------------+ | ID | IP Protocol | IP Range | Port Range | Remote Security Group | Security Group | +--------------------------------------+-------------+-----------+------------+--------------------------------------+--------------------------------------+ | 0d96e5f5-f31c-4f38-87ce-3c9161c67d79 | None | None | | 3d6fa089-5901-4fe5-8bd1-e2421e2fa788 | 3d6fa089-5901-4fe5-8bd1-e2421e2fa788 | | 5531ce0e-4725-414a-9a0c-52624bf566bf | tcp | 0.0.0.0/0 | 22:22 | None | 7b89d209-e2b2-4a46-ab6e-f5333d626c75 | | 5e4efe2b-1024-4994-9153-94ee02931d5f | None | None | | None | 3d6fa089-5901-4fe5-8bd1-e2421e2fa788 | | 6ea9dd58-5e1f-438d-88b3-811aad1eaa2d | None | None | | 3d6fa089-5901-4fe5-8bd1-e2421e2fa788 | 3d6fa089-5901-4fe5-8bd1-e2421e2fa788 | | 7199a0ce-9e6b-485f-b0fe-62a6b0392671 | None | None | | None | 3d6fa089-5901-4fe5-8bd1-e2421e2fa788 | | 8cec4a91-e491-4cb2-8871-09b8fcf1c436 | icmp | 0.0.0.0/0 | | None | 7b89d209-e2b2-4a46-ab6e-f5333d626c75 | | a43c625f-3a53-4cf0-87bf-af046c417fa3 | None | None | | None | 7b89d209-e2b2-4a46-ab6e-f5333d626c75 | | d284c326-5238-4c40-89d5-e0e41302bb92 | None | None | | None | 7b89d209-e2b2-4a46-ab6e-f5333d626c75 | +--------------------------------------+-------------+-----------+------------+--------------------------------------+--------------------------------------+ |
| [11] | 仮想マシンインスタンスに割りあてられたフローティング IP 宛てに SSH 接続することで、インスタンスに SSH ログインできます。 |
|
debian@dlp ~(keystone)$ openstack server list +--------------------------------------+-----------+--------+------------------------------------+----------+----------+ | ID | Name | Status | Networks | Image | Flavor | +--------------------------------------+-----------+--------+------------------------------------+----------+----------+ | ca63556d-5adc-4183-a2de-476da9f71780 | Debian_10 | ACTIVE | int_net=192.168.100.10, 10.0.0.219 | Debian10 | m1.small | +--------------------------------------+-----------+--------+------------------------------------+----------+----------+debian@dlp ~(keystone)$ ssh debian@10.0.0.219 The authenticity of host '10.0.0.219 (10.0.0.219)' can't be established. ECDSA key fingerprint is SHA256:Xhng+j/ONxzdPTcoEnGmhJeY6aPyCL/AWUPln+5vrAw. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '10.0.0.219' (ECDSA) to the list of known hosts. Linux debian-10 4.19.0-5-amd64 #1 SMP Debian 4.19.37-5+deb10u2 (2019-08-08) x86_64 The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. debian@debian-10:~$ # ログインできた |
| Sponsored Link |