深⼊理解openstack⽹络架构(3)-----路由
原⽂地址:
译⽂转⾃:
前⽂中,我们学习了openstack⽹络使⽤的⼏个基本⽹络组件,并通过⼀些简单的use case解释⽹络如何连通的。本⽂中,我们会通过⼀个稍微复杂(其实仍然相当基本)的use case(两个⽹络间路由)探索⽹络的设置。路由使⽤的组件与连通内部⽹络相同,使⽤namespace 创建⼀个隔离的container,允许subnet间的⽹络包中转。 记住我们在第⼀篇⽂章中所说的,这只是使⽤OVS插件的例⼦。openstack还有很多插件使⽤不同的⽅式,我们提到的只是其中⼀种。Use case #4: Routing traffic between two isolated networks
现实中,我们会创建不同的⽹络⽤于不同的⽬的。我们也会需要把这些⽹络连接起来。因为两个⽹络在不同的IP段,我们需要router将他们连接起来。为了分析这种设置,我们创建另⼀个network(net2)并配置⼀个20.20.20.0/24的subnet。在创建这个network后,我们启动⼀个Oracle Linux的虚拟机,并连接到net2。下图是从OpenstackGUI上看到的⽹络拓扑图:
进⼀步探索,我们会在openstack⽹络节点上看到另⼀个namespace,这个namespace⽤于为新创建的⽹络提供服务。现在我们有两个namespace,每个network⼀个。
[plain]
1. # ip netns list
2. qdhcp-63b7fcf2-e921-4011-8da9-5fc2444b42dd
3. qdhcp-5f833617-6179-4797-b7c0-7d420d84040c
可以通过nova net-list查看network的ID信息,或者使⽤UI查看⽹络信息。 [plain]
1. # nova net-list
2. +--------------------------------------+-------+------+
3. | ID | Label | CIDR |
4. +--------------------------------------+-------+------+
5. | 5f833617-6179-4797-b7c0-7d420d84040c | net1 | None |
6. | 63b7fcf2-e921-4011-8da9-5fc2444b42dd | net2 | None |
7. +--------------------------------------+-------+------+
我们新创建的network,net2有⾃⼰的namespace,这个namespace与net1是分离的。在namespace中,我们可以看到两个⽹络接⼝,⼀个local,⼀个是⽤于DHCP服务。
[plain]
1. # ip netns exec qdhcp-63b7fcf2-e921-4011-8da9-5fc2444b42dd ip addr
2. 1: lo: mtu 65536 qdisc noqueue state UNKNOWN
3. link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
4. inet 127.0.0.1/8 scope host lo
5. inet6 ::1/128 scope host
6. valid_lft forever preferred_lft forever
7. 19: tap16630347-45: mtu 1500 qdisc noqueue state UNKNOWN
8. link/ether fa:16:3e:bd:94:42 brd ff:ff:ff:ff:ff:ff
9. inet 20.20.20.3/24 brd 20.20.20.255 scope global tap16630347-45
10. inet6 fe80::f816:3eff:febd:9442/64 scope link
11. valid_lft forever preferred_lft forever
net1和net2两个network没有被联通,我们需要创建⼀个router,通过router将两个network联通。Openstack Neutron向⽤户提供了创建router 并将两个或多个network连接的能⼒。router其实只是⼀个额外的namespace。使⽤Neutron创建router可以通过GUI或者命令⾏操作:[plain]
1. # neutron router-create my-router
2. Created a new router:
3. +-----------------------+--------------------------------------+
4. | Field | Value |
5. +-----------------------+--------------------------------------+
6. | admin_state_up | True |
7. | external_gateway_info | |
8. | id | fce64ebe-47f0-4846-b3af-9cf764f1ff11 |
9. | name | my-router |
10. | status | ACTIVE |
11. | tenant_id | 9796e5145ee546508939cd49ad59d51f |
12. +-----------------------+--------------------------------------+
现在我们将两个netwrok通过router连接:
查看subnet的ID:
[plain]
1. # neutron subnet-list
2. +--------------------------------------+------+---------------+------------------------------------------------+
金融863. | id | name | cidr | allocation_pools |
4. +--------------------------------------+------+---------------+------------------------------------------------+
5. | 2d7a0a58-0674-439a-ad23-d6471aaae9bc | | 10.10.10.0/24 | {"start": "10.10.10.2", "end": "10.10.10.254"} |
6. | 4a176b4e-a9b2-4bd8-a2e3-2dbe1aeaf890 | | 20.20.20.0/24 | {"start": "20.20.20.2", "end": "20.20.20.254"} |
7. +--------------------------------------+------+---------------+------------------------------------------------+
将subnet 10.10.10.0/24添加到router:
[plain]
1. # neutron router-interface-add fce64ebe-47f0-4846-b3af-9cf764f1ff11 subnet=2d7a0a58-0674-439
a-ad23-d6471aaae9bc
2. Added interface 0b7b0b40-f952-41dd-ad74-2c15a063243a to router fce64ebe-47f0-4846-b3af-9cf764f1ff11.
将subnet 20.20.20.0/24添加到router:
[plain]
1. # neutron router-interface-add fce64ebe-47f0-4846-b3af-9cf764f1ff11 subnet=4a176b4e-a9b2-4bd8-a2e3-2dbe1aeaf890
2. Added interface dc290da0-0aa4-4d96-9085-1f894cf5b160 to router fce64ebe-47f0-4846-b3af-9cf764f1ff11.
此时,我们在查看⽹络拓扑会发现两个⽹络被router打通:
我们还可以发现两个⽹络接⼝连接到router,作为各⾃subnet的gateway。
我们可以看到为router创建的namespace。
中国女性人体
[plain]
1. # ip netns list
2. qrouter-fce64ebe-47f0-4846-b3af-9cf764f1ff11
3. qdhcp-63b7fcf2-e921-4011-8da9-5fc2444b42dd
静电测量4. qdhcp-5f833617-6179-4797-b7c0-7d420d84040c
我们进⼊namespace内部可以看到:
[plain]
1. # ip netns exec qrouter-fce64ebe-47f0-4846-b3af-9cf764f1ff11 ip addr
2. 1: lo: mtu 65536 qdisc noqueue state UNKNOWN
3. link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
4. inet 127.0.0.1/8 scope host lo
5. inet6 ::1/128 scope host
6. valid_lft forever preferred_lft forever
7. 20: qr-0b7b0b40-f9: mtu 1500 qdisc noqueue state UNKNOWN
8. link/ether fa:16:3e:82:47:a6 brd ff:ff:ff:ff:ff:ff
9. inet 10.10.10.1/24 brd 10.10.10.255 scope global qr-0b7b0b40-f9
10. inet6 fe80::f816:3eff:fe82:47a6/64 scope link
11. valid_lft forever preferred_lft forever
12. 21: qr-dc290da0-0a: mtu 1500 qdisc noqueue state UNKNOWN
13. link/ether fa:16:3e:c7:7c:9c brd ff:ff:ff:ff:ff:ff
14. inet 20.20.20.1/24 brd 20.20.20.255 scope global qr-dc290da0-0a
15. inet6 fe80::f816:3eff:fec7:7c9c/64 scope link
16. valid_lft forever preferred_lft forever
我们看到两个⽹络接⼝,“qr-dc290da0-0a“ 和 “qr-0b7b0b40-f9。这两个⽹络接⼝连接到OVS上,使⽤两个network/subnet的gateway IP。[plain]
1. # ovs-vsctl show
2. 8a069c7c-ea05-4375-93e2-b9fc9e4b3ca1
3. Bridge "br-eth2"
4. Port "br-eth2"
5. Interface "br-eth2"
6. type: internal
7. Port "eth2"
8. Interface "eth2"
9. Port "phy-br-eth2"
湍流耗散率
10. Interface "phy-br-eth2"
11. Bridge br-ex
12. Port br-ex
13. Interface br-ex
14. type: internal
15. Bridge br-int
16. Port "int-br-eth2"
17. Interface "int-br-eth2"
18. Port "qr-dc290da0-0a"
19. tag: 2
20. Interface "qr-dc290da0-0a"
21. type: internal
22. Port "tap26c9b807-7c"
23. tag: 1
24. Interface "tap26c9b807-7c"
25. type: internal
26. Port br-int
27. Interface br-int
28. type: internal
29. Port "tap16630347-45"
30. tag: 2
31. Interface "tap16630347-45"
32. type: internal
33. Port "qr-0b7b0b40-f9"
34. tag: 1
35. Interface "qr-0b7b0b40-f9"
36. type: internal
37. ovs_version: "1.11.0"
我们可以看到,这些接⼝连接到”br-int",并打上了所在network对应的VLAN标签。这⾥我们可以通过gateway地址(20.20.20.1)成功的ping通router namespace: 我们还可以看到IP地址为20.20.20.2可以ping通IP地址为10.10.10.2的虚拟机:
新水浒传穿帮镜头两个subnet通过namespace中的⽹络接⼝互相连通。在namespace中,Neutron将系统参数net.ipv4.ip_forward设置为1。命令查看如下:[plain]
1. # ip netns exec qrouter-fce64ebe-47f0-4846-b3af-9cf764f1ff11 sysctl net.ipv4.ip_forward
scar zone
2. net.ipv4.ip_forward = 1
我们可以看到namespace中的系统参数net.ipv4.ip_forward被设置,这种设置不会对namespace外产⽣影响。
总结
