OpenStack Study Notes (5): Network Management, Virtual Network Practice and Storage Management Experiments (Part 2)
OpenStack Management
OpenStack network management: Neutron
Differences between physical and virtual networks
Switch: physical switch
vSwitch: virtual switch
NIC: network interface card, network adapter
vNIC: virtual NIC
Switches come from many vendors: Cisco, Huawei
vSwitches come as many software implementations: linuxbridge, ovs, ovn
•Neutron's core job is abstracting and managing the layer-2 physical network. Once physical servers are virtualized, a VM's network functions are provided by virtual NICs (vNICs) and virtual switches: each vNIC is attached to a port of a vSwitch, and the vSwitches reach the external physical network through the physical server's physical NICs.
Linux network virtualization technologies
NIC virtualization:
- TAP
- TUN
- VETH PAIR
Switch virtualization:
- linux bridge
- open vswitch
Network isolation:
- network namespace
Linux NIC virtualization: TAP/TUN/VETH
TAP device: emulates a layer-2 network device; it sends and receives layer-2 frames
TUN device: emulates a layer-3 network device; it sends and receives layer-3 packets
VETH: a virtual Ethernet interface, normally created as a pair; a packet sent into one end is received at the other, so a pair can form a channel between two bridges
•TAP/TUN provide a mechanism for moving packets between the kernel and user space inside one host. They present a set of virtual network interfaces that behave exactly like physical ones: they can be given IP addresses and traffic can be routed through them; the difference is that their traffic stays inside the host.
•TAP and TUN differ slightly: TUN handles layer-3 IP packets, while TAP handles layer-2 Ethernet frames.
•A veth pair is a virtual network device that always comes in pairs: each end attaches to a protocol stack and the two ends are attached to each other, so data leaving one end enters the other. This property is commonly used to connect different virtual network components and build large virtual topologies, for example linking Linux Bridge, OVS and LXC containers. A very common case is OpenStack Neutron, which uses veth pairs to build very complex network layouts.
Linux bridge
Linux bridge: a layer-2 network device whose function resembles a physical switch
A bridge can bind other Linux network devices and present them as its ports
Binding a device to a bridge is the equivalent of plugging a cable from an end host into a physical switch port
Configure a Linux bridge with the brctl command:
brctl addbr BRIDGE
brctl addif BRIDGE DEVICE
•In the Linux Bridge structure shown in the figure above, the bridge device br0 binds the real device eth0 and the virtual devices tap0 and tap1, but the upper layers of the hypervisor's network stack see only br0 and do not care about the bridging details.
•When these devices receive a packet they hand it to br0, which decides where it goes; br0 forwards according to its mapping from MAC addresses to ports.
•Because the bridge works at layer 2, the slave devices eth0, tap0 and tap1 bound to br0 no longer need IP addresses of their own; to an upstream router they all sit in the same subnet, so only br0 needs an IP address. Since br0 has its own IP address it can be entered in the routing table and used to send data, but the actual transmission is carried out by one of the slave devices.
•Even if eth0 originally had its own IP address, that address stops working once eth0 is bound to br0, and user programs can no longer receive traffic addressed to it. Only packets whose destination is br0's IP address are accepted by Linux.
•brctl addbr BRIDGE: add a bridge named BRIDGE.
•brctl addif BRIDGE DEVICE: add an interface to the bridge.
OVS
Open vSwitch is a production-grade virtual switch
Linux bridge suits small-scale, intra-host communication
Open vSwitch suits large-scale, multi-host communication
Huawei's FusionCompute uses DVS (built on EVS, which in turn is built on OVS)
Common Open vSwitch commands (the last two are ovs-ofctl, not ovs-vsctl, subcommands):
- ovs-vsctl add-br BRIDGE
- ovs-vsctl add-port BRIDGE PORT
- ovs-vsctl show
- ovs-ofctl dump-ports-desc BRIDGE
- ovs-ofctl dump-flows BRIDGE
•Open vSwitch connects vNICs to physical NICs and bridges the vNICs within one physical server. Linux Bridge already fills that role quite well, so why do we still need Open vSwitch?
•Because introducing Open vSwitch makes it much easier to manage virtual networks in a cloud environment and to monitor their state and traffic.
•Just as on a physical switch, the VMs attached to Open vSwitch can be placed in different VLANs to isolate their networks. We can also configure QoS for a VM on its Open vSwitch port, and Open vSwitch supports many standard management interfaces and protocols such as NetFlow and sFlow, through which traffic monitoring can be done.
•Open vSwitch implements a Distributed Virtual Switch across the virtualization platforms used in clouds (such as Xen and KVM): the vSwitch on one physical server can be transparently connected to the vSwitch on another.
Neutron functional overview
Neutron overview
Traditional network management relies heavily on administrators configuring and maintaining network hardware by hand. Cloud networks, however, have become very complex; in multi-tenant scenarios in particular, users may create, modify and delete networks at any time, and connectivity and isolation can no longer realistically be guaranteed by manual configuration.
Responding quickly to business demand places higher requirements on network management. Traditional methods can hardly keep up, while the flexibility and automation of software-defined networking (SDN) have made it the mainstream approach to network management in the cloud era.
Neutron's design goal is "Networking as a Service". To reach it, the design follows the principle of SDN-based network virtualization, and the implementation makes full use of the networking technologies available on Linux.
Neutron functions
Neutron provides networking for the whole OpenStack environment, including layer-2 switching, layer-3 routing, load balancing, firewalling and VPN. Neutron offers a flexible framework in which, through configuration, either open-source or commercial software can implement these functions.
Layer-2 switching
Nova instances connect to a virtual layer-2 network through a virtual switch. Neutron supports several virtual switches, including the Linux-native Linux Bridge and Open vSwitch. Open vSwitch (OVS) is an open-source virtual switch that supports standard management interfaces and protocols.
Using Linux Bridge and OVS, Neutron can create not only traditional VLAN networks but also tunnel-based overlay networks such as VXLAN and GRE (Linux Bridge currently supports only VXLAN). Later chapters cover how to use and configure Linux Bridge and Open vSwitch.
Layer-3 routing
Instances can be given IPs in different subnets; Neutron's router (a virtual router) lets instances communicate across subnets. The router implements routing and NAT with IP forwarding, iptables and related technologies. Later chapters discuss configuring a router in Neutron for communication between instances and with external networks.
Load balancing
OpenStack first introduced Load-Balancing-as-a-Service (LBaaS) in the Grizzly release, providing the ability to distribute load across multiple instances. LBaaS supports several load-balancing products and solutions; each implementation is integrated into Neutron as a plugin, and the current default plugin is HAProxy. Later chapters cover using and configuring LBaaS.
Firewalling
Neutron secures instances and networks in the following two ways.
Security Group
Restricts the packets entering and leaving an instance, using iptables.
Firewall-as-a-Service
FWaaS restricts the packets entering and leaving a virtual router; it is also implemented with iptables.
Basic Neutron network concepts
Last time we discussed the functions Neutron provides; next we look at several important concepts in the Neutron module. The network resources Neutron manages are network, subnet and port, introduced in turn below.
network
A network is an isolated layer-2 broadcast domain. Neutron supports several network types, including local, flat, VLAN, VXLAN and GRE.
local
A local network is isolated from other networks and from other nodes. Instances on a local network can only talk to instances on the same network on the same node; local networks are mainly used for single-host testing.
flat
A flat network has no VLAN tagging. Instances on a flat network can talk to other instances on the same network, and the network can span multiple nodes.
vlan
A vlan network uses 802.1Q tagging. A VLAN is a layer-2 broadcast domain: instances in the same VLAN can communicate, while different VLANs can only communicate through a router. VLAN networks can span nodes and are the most widely used network type.
vxlan
A vxlan network is a tunnel-based overlay network. Each vxlan network is distinguished from the others by a unique segmentation ID (also called the VNI). Packets in a vxlan network are encapsulated, together with the VNI, in UDP packets for transport. Because layer-2 frames are carried inside layer-3 packets, vxlan overcomes the limits of VLANs and of the physical network infrastructure.
gre
A gre network is an overlay network similar to vxlan; the main difference is that it encapsulates in IP packets rather than UDP.
Different networks are isolated from each other at layer 2.
Taking VLAN networks as an example, network A and network B are assigned different VLAN IDs, which guarantees that broadcast packets in network A do not leak into network B. This isolation is at layer 2 only; with a router, different networks can still communicate at layer 3.
A network must belong to a Project (tenant), and a Project can create multiple networks: the relationship between Project and network is one-to-many.
subnet
A subnet is an IPv4 or IPv6 address range. Instance IPs are allocated from a subnet. Each subnet defines an IP address range and a netmask.
The relationship between network and subnet is one-to-many. A subnet belongs to exactly one network; a network can have multiple subnets, which may be different IP ranges but must not overlap. The following configuration is valid:
network A subnet A-a: 10.10.1.0/24 {"start": "10.10.1.1", "end": "10.10.1.50"}
subnet A-b: 10.10.2.0/24 {"start": "10.10.2.1", "end": "10.10.2.50"}
But the following configuration is invalid, because the subnets overlap:
network A subnet A-a: 10.10.1.0/24 {"start": "10.10.1.1", "end": "10.10.1.50"}
subnet A-b: 10.10.1.0/24 {"start": "10.10.1.51", "end": "10.10.1.100"}
What is checked here is not whether the IP pools overlap but whether the subnet CIDRs overlap (both are 10.10.1.0/24). If the subnets are in different networks, however, both the CIDR and the IPs may overlap, for example:
network A subnet A-a: 10.10.1.0/24 {"start": "10.10.1.1", "end": "10.10.1.50"}
network B subnet B-a: 10.10.1.0/24 {"start": "10.10.1.1", "end": "10.10.1.50"}
Since the IP addresses above may overlap, two instances may end up with the same IP without conflicting.
The reason: Neutron routers are implemented with Linux network namespaces, an isolation mechanism that gives each router its own independent routing table. The configuration above has two possible outcomes:
- If the two subnets are routed by the same router, only the one specified in the router's configuration can be routed.
- If the two subnets are routed by different routers, both can be routed, because each router's routing table is independent.
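Added example (not from the original notes): a Python check that implements the subnet rule described above using the standard ipaddress module. It flags overlapping CIDRs only within one network, lets identical CIDRs coexist in different networks, and additionally rejects an allocation pool that falls outside its CIDR; the network and subnet names are those of the three configurations above.

```python
import ipaddress


class SubnetError(ValueError):
    """Raised when a subnet definition breaks one of the rules described above."""


def validate_subnet(cidr, start, end):
    """Check that the allocation pool lies inside the CIDR and is ordered.

    Returns the parsed network. strict=True rejects CIDRs with host bits set.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if lo.version != net.version or hi.version != net.version:
        raise SubnetError(f"pool {start}-{end} does not match the IP version of {cidr}")
    if lo not in net or hi not in net:
        raise SubnetError(f"pool {start}-{end} is outside {cidr}")
    if lo > hi:
        raise SubnetError(f"pool start {start} is after pool end {end}")
    return net


def check_subnets(subnets):
    """Validate a list of (network, subnet, cidr, start, end) tuples.

    Returns a list of human-readable problems; an empty list means valid.
    Overlap is judged on the CIDR alone, and only between subnets of the
    same network, which is the rule the text describes.
    """
    problems = []
    per_network = {}                      # network name -> [(subnet name, net)]
    for network, name, cidr, start, end in subnets:
        try:
            net = validate_subnet(cidr, start, end)
        except ValueError as exc:         # SubnetError and ipaddress parse errors
            problems.append(f"{network}/{name}: {exc}")
            continue
        for other_name, other_net in per_network.get(network, []):
            if net.version == other_net.version and net.overlaps(other_net):
                problems.append(
                    f"{network}: subnet {name} ({net}) overlaps subnet {other_name} ({other_net})")
        per_network.setdefault(network, []).append((name, net))
    return problems


# Constructed sample data: the three configurations discussed above.
# Valid: two non-overlapping CIDRs in network A.
VALID = [
    ("network A", "A-a", "10.10.1.0/24", "10.10.1.1", "10.10.1.50"),
    ("network A", "A-b", "10.10.2.0/24", "10.10.2.1", "10.10.2.50"),
]
# Invalid: the same CIDR twice in network A, even though the pools do not overlap.
INVALID = [
    ("network A", "A-a", "10.10.1.0/24", "10.10.1.1", "10.10.1.50"),
    ("network A", "A-b", "10.10.1.0/24", "10.10.1.51", "10.10.1.100"),
]
# Valid: identical CIDR and pool, but in different networks.
CROSS_NETWORK = [
    ("network A", "A-a", "10.10.1.0/24", "10.10.1.1", "10.10.1.50"),
    ("network B", "B-a", "10.10.1.0/24", "10.10.1.1", "10.10.1.50"),
]

if __name__ == "__main__":
    for label, cfg in (("valid", VALID), ("invalid", INVALID), ("cross-network", CROSS_NETWORK)):
        print(label, check_subnets(cfg) or "ok")
```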
port
A port can be thought of as a port on a virtual switch. A port defines a MAC address and an IP address; when an instance's virtual interface (VIF) is bound to the port, the port assigns its MAC and IP to the VIF.
The relationship between subnet and port is one-to-many. A port belongs to exactly one subnet; a subnet can have multiple ports.
Neutron architecture
Neutron architecture
Like the other OpenStack services, Neutron uses a distributed architecture in which several components (sub-services) together provide the network service.
Neutron consists of the following components:
Neutron Server
Exposes the OpenStack networking API, receives requests, and calls the plugin to handle them.
Plugin
Handles requests from the Neutron Server, maintains the state of the OpenStack logical network, and calls the agents to carry them out.
Agent
Handles requests from the plugin and actually implements the network functions on the network provider.
network provider
The virtual or physical network device that delivers the network service, for example Linux Bridge, Open vSwitch, or another physical switch that supports Neutron.
Queue
Neutron Server, the plugin and the agents communicate and invoke each other through a message queue.
Database
Stores OpenStack network state, including Network, Subnet, Port, Router and so on.
Virtual networks
linux bridge
Environment preparation
Preparing the linux bridge
[root@docker ~]# vim /etc/yum.repos.d/openstack.repo
[centos-openstack-victoria]
name=CentOS 8 - OpenStack victoria
baseurl=https://mirrors.aliyun.com/centos-vault/8-stream/cloud/x86_64/openstackvictoria/
gpgcheck=0
enabled=1
[root@docker ~]# yum clean all
Repository centos-openstack-victoria is listed more than once in the configuration
25 files removed
[root@docker ~]# yum makecache
[root@docker ~]# yum -y install bridge-utils
[root@docker ~]# yum install -y net-tools
[root@docker ~]# ip link add name br0 type bridge
[root@docker ~]# ifconfig br0 1.2.3.100/24 up
[root@docker ~]# ip link show br0
6: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/ether 72:61:9b:03:37:e6 brd ff:ff:ff:ff:ff:ff
[root@docker ~]# brctl show
bridge name     bridge id           STP enabled   interfaces
br-a1c0a1408f73 8000.0242810fb347   no
br-d7044265ef51 8000.02422afaacdf   no
br0             8000.000000000000   no
docker0         8000.0242c128e743   no
[root@docker ~]# ifconfig br0
br0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 1.2.3.100  netmask 255.255.255.0  broadcast 1.2.3.255
        inet6 fe80::7061:9bff:fe03:37e6  prefixlen 64  scopeid 0x20<link>
        ether 72:61:9b:03:37:e6  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 12  bytes 984 (984.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
Preparing the veth pair
# create the network namespace netns2
[root@docker ~]# ip netns add netns2
[root@docker ~]# ip netns show
netns2
# create the veth pair and inspect it
[root@docker ~]# ip link add veth1 type veth peer name veth2
[root@docker ~]# ip link show | grep veth
7: veth2@veth1: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
8: veth1@veth2: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
# move veth2 into the network namespace netns2
[root@docker ~]# ip link set veth2 netns netns2
# give veth1 the IP 1.2.3.101 and bring it up; give veth2 the IP 1.2.3.102 and bring it up
[root@docker ~]# ifconfig veth1 1.2.3.101/24 up
[root@docker ~]# ip netns exec netns2 ifconfig veth2 1.2.3.102/24 up
# inspect veth1 and veth2
[root@docker ~]# ip link show veth1
8: veth1@if7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 62:fe:5b:8c:06:4b brd ff:ff:ff:ff:ff:ff link-netns netns2
[root@docker ~]# ip netns exec netns2 ip link show veth2
7: veth2@if8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether a2:ca:25:42:d7:b5 brd ff:ff:ff:ff:ff:ff link-netnsid 0
# check the IPs of veth1 and veth2
[root@docker ~]# ifconfig veth1
veth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 1.2.3.101  netmask 255.255.255.0  broadcast 1.2.3.255
        inet6 fe80::60fe:5bff:fe8c:64b  prefixlen 64  scopeid 0x20<link>
        ether 62:fe:5b:8c:06:4b  txqueuelen 1000  (Ethernet)
        RX packets 9  bytes 726 (726.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 9  bytes 726 (726.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
[root@docker ~]# ip netns exec netns2 ifconfig veth2
veth2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 1.2.3.102  netmask 255.255.255.0  broadcast 1.2.3.255
        inet6 fe80::a0ca:25ff:fe42:d7b5  prefixlen 64  scopeid 0x20<link>
        ether a2:ca:25:42:d7:b5  txqueuelen 1000  (Ethernet)
        RX packets 9  bytes 726 (726.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 9  bytes 726 (726.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
Connecting veth1 to br0
# attach veth1 to br0
[root@docker ~]# brctl addif br0 veth1
# inspect br0
[root@docker ~]# brctl show
bridge name     bridge id           STP enabled   interfaces
br-a1c0a1408f73 8000.0242810fb347   no
br-d7044265ef51 8000.02422afaacdf   no
br0             8000.62fe5b8c064b   no            veth1
docker0         8000.0242c128e743   no
# br0 and veth1 communicate in both directions
# the path between the protocol stack and veth1 has become one-way: the stack can still send to veth1, but data received on veth1 is no longer handed to the stack; it is passed to br0 instead
# br0's MAC address has become veth1's MAC address (if several devices are attached to br0, br0 takes the lowest MAC address among them)
ping tests
# show the routing table in the host's default network namespace
[root@docker ~]# route -n | grep 1.2.3
1.2.3.0         0.0.0.0         255.255.255.0   U     0      0        0 br0
1.2.3.0         0.0.0.0         255.255.255.0   U     0      0        0 veth1
# show the routing table in the netns2 network namespace
[root@docker ~]# ip netns exec netns2 route -n | grep 1.2.3
1.2.3.0         0.0.0.0         255.255.255.0   U     0      0        0 veth2
br0 ping veth1
[root@docker ~]# ping -c 1 -I br0 1.2.3.101
PING 1.2.3.101 (1.2.3.101) from 1.2.3.100 br0: 56(84) bytes of data.
From 1.2.3.100 icmp_seq=1 Destination Host Unreachable

--- 1.2.3.101 ping statistics ---
1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms
# capture on br0
[root@docker ~]# tcpdump -n -i br0
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br0, link-type EN10MB (Ethernet), capture size 262144 bytes
(captured packets shown in the figure below)
# capture on veth1
[root@docker ~]# tcpdump -n -i veth1
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on veth1, link-type EN10MB (Ethernet), capture size 262144 bytes
(captured packets shown in the figure below)
# capture on veth2
[root@docker ~]# ip netns exec netns2 tcpdump -n -i veth2
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on veth2, link-type EN10MB (Ethernet), capture size 262144 bytes
(captured packets shown in the figure below)
Analysis:
1. br0 initially has no MAC address for 1.2.3.101, so it builds an ARP request and broadcasts it; per the routing rules it leaves through veth1;
2. The ARP request leaves veth1 and arrives at veth2, the other end of the veth pair;
3. The network stack at veth2 finds that the target IP is not its own and does not reply;
4. The network stack at br0 receives no ARP reply; after two more retries it still gets none and declares the ping failed.
br0 ping veth2
[root@docker ~]# ping -c 1 -I br0 1.2.3.102
PING 1.2.3.102 (1.2.3.102) from 1.2.3.100 br0: 56(84) bytes of data.
64 bytes from 1.2.3.102: icmp_seq=1 ttl=64 time=0.170 ms

--- 1.2.3.102 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.170/0.170/0.170/0.000 ms
Screenshots of the captures on br0, veth1 and veth2, in that order:
Analysis:
1. br0 initially has no MAC address for 1.2.3.102, so it builds an ARP request and broadcasts it; per the routing rules it leaves through veth1;
2. The ARP request leaves veth1 and arrives at veth2, the other end of the veth pair;
3. The network stack at veth2 finds that the target IP is its own, builds an ARP reply and sends it out of veth2;
4. The ARP reply leaves veth2 and arrives at veth1, the other end of the veth pair;
5. veth1 hands the ARP reply to br0;
6. br0 now has the MAC address for 1.2.3.102, builds an ICMP echo request and sends it out through veth1;
7. The ICMP echo request leaves veth1 and arrives at veth2, the other end of the veth pair;
8. The network stack at veth2 builds an ICMP echo reply and sends it out of veth2;
9. The ICMP echo reply leaves veth2 and arrives at veth1, the other end of the veth pair;
10. veth1 hands the ICMP echo reply to br0;
11. The network stack at br0 receives the ICMP echo reply and declares the ping successful.
veth1 ping br0
[root@docker ~]# ping -c 1 -I veth1 1.2.3.100
PING 1.2.3.100 (1.2.3.100) from 1.2.3.101 veth1: 56(84) bytes of data.
From 1.2.3.101 icmp_seq=1 Destination Host Unreachable

--- 1.2.3.100 ping statistics ---
1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms
Screenshots of the captures on br0, veth1 and veth2, in that order:
Analysis:
1. veth1 initially has no MAC address for 1.2.3.100, so it builds an ARP request and sends it out;
2. The ARP request leaves veth1 and arrives at veth2, the other end of the veth pair;
3. The network stack at veth2 finds that the target IP is not its own and does not reply;
4. The network stack at veth1 receives no ARP reply; after two more retries it still gets none and declares the ping failed.
veth1 ping veth2
[root@docker ~]# ping -c 1 -I veth1 1.2.3.102
PING 1.2.3.102 (1.2.3.102) from 1.2.3.101 veth1: 56(84) bytes of data.
From 1.2.3.101 icmp_seq=1 Destination Host Unreachable

--- 1.2.3.102 ping statistics ---
1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms
Screenshots of the captures on br0, veth1 and veth2, in that order:
Analysis:
1. veth1 initially has no MAC address for 1.2.3.102, so it builds an ARP request and sends it out;
2. The ARP request leaves veth1 and arrives at veth2, the other end of the veth pair;
3. The network stack at veth2 finds that the target IP is its own, builds an ARP reply and sends it out of veth2;
4. The ARP reply leaves veth2 and arrives at veth1, the other end of the veth pair;
5. veth1 hands the ARP reply to br0;
6. The stack at br0 receives the ARP reply, but it is not a packet br0 should handle, so it is dropped;
7. The network stack at veth1 never receives the ARP reply; after two more retries it still gets none and declares the ping failed.
veth2 ping br0
[root@docker ~]# ip netns exec netns2 ping -c 1 -I veth2 1.2.3.100
PING 1.2.3.100 (1.2.3.100) from 1.2.3.102 veth2: 56(84) bytes of data.
64 bytes from 1.2.3.100: icmp_seq=1 ttl=64 time=0.156 ms

--- 1.2.3.100 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.156/0.156/0.156/0.000 ms
Screenshots of the captures on br0, veth1 and veth2, in that order:
Analysis:
1. veth2 initially has no MAC address for 1.2.3.100, so it builds an ARP request and sends it out of veth2;
2. The ARP request leaves veth2 and arrives at veth1, the other end of the veth pair;
3. veth1 hands the ARP request to br0;
4. The network stack at br0 finds that the target IP is its own, builds an ARP reply and, per the routing rules, sends it out through veth1;
5. The ARP reply leaves veth1 and arrives at veth2, the other end of the veth pair;
6. veth2 now has the MAC address for 1.2.3.100, builds an ICMP echo request and sends it out of veth2;
7. The ICMP echo request leaves veth2 and arrives at veth1, the other end of the veth pair;
8. veth1 hands the ICMP echo request to br0;
9. The network stack at br0 builds an ICMP echo reply and, per the routing rules, sends it out through veth1;
10. The ICMP echo reply leaves veth1 and arrives at veth2, the other end of the veth pair;
11. The network stack at veth2 receives the ICMP echo reply and declares the ping successful.
veth2 ping veth1
[root@docker ~]# ip netns exec netns2 ping -c 1 -I veth2 1.2.3.101
PING 1.2.3.101 (1.2.3.101) from 1.2.3.102 veth2: 56(84) bytes of data.
64 bytes from 1.2.3.101: icmp_seq=1 ttl=64 time=0.163 ms

--- 1.2.3.101 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.163/0.163/0.163/0.000 ms
Screenshots of the captures on br0, veth1 and veth2, in that order:
Analysis:
The ARP request sent from veth2 arrives at veth1, which hands it to br0; br0 answers the ARP, and veth1 passes the reply on to veth2.
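Added illustration (not part of the original notes): a small Python model of the host stack, br0, the enslaved veth1 and netns2's veth2 that reproduces the six ping results above, and shows that the two failing cases involving veth1 succeed once veth1 is no longer a bridge port. The interface names, IPs and the route order are those of the experiment; the model itself is an assumption that simplifies the kernel's behaviour (no MAC learning, no ARP retries).

```python
# Constructed model: a "host" stack owning br0 and the enslaved veth1, and a
# "netns2" stack owning veth2. The one rule that decides every case is that a
# frame received on an enslaved port is handed to the bridge, not to the IP
# stack entry of the port itself.

class Iface:
    def __init__(self, name, ip, stack):
        self.name, self.ip, self.stack = name, ip, stack
        self.peer = None       # other end of a veth pair
        self.bridge = None     # bridge this interface is enslaved to
        self.ports = []        # slave interfaces, if this interface is a bridge
        stack.ifaces.append(self)


class Stack:
    """The IP stack of one network namespace."""
    def __init__(self, name):
        self.name, self.ifaces = name, []
        self.pending = set()   # (receiving iface, target ip) of the current ping
        self.got_reply = False

    def local_ips(self):
        return {i.ip for i in self.ifaces}

    def route(self):
        # First matching route wins; on the host the first 1.2.3.0/24 route is br0
        # (compare the "route -n" output above).
        return self.ifaces[0]

    def receive(self, frame, iface):
        kind, src, dst = frame
        if kind == "arp-request" and dst in self.local_ips():
            # Linux answers ARP for any local address, out of the receiving iface
            transmit(("arp-reply", dst, src), iface)
        elif kind == "arp-reply" and (iface, src) in self.pending:
            transmit(("echo-request", dst, src), iface)   # MAC resolved, send echo
        elif kind == "echo-request" and dst in self.local_ips():
            transmit(("echo-reply", dst, src), self.route())
        elif kind == "echo-reply" and (iface, src) in self.pending:
            self.got_reply = True
        # anything else is dropped, e.g. an ARP reply arriving on br0 for a
        # request that was issued on veth1 (step 6 of "veth1 ping veth2")


def transmit(frame, iface):
    """TX path: a bridge floods to its slave ports; a veth end delivers to its peer."""
    if iface.ports:
        for port in iface.ports:
            transmit(frame, port)
    elif iface.peer is not None:
        deliver(frame, iface.peer)


def deliver(frame, iface):
    """RX path: an enslaved port gives the frame to its bridge, not to its own stack entry."""
    if iface.bridge is not None:
        for port in iface.bridge.ports:          # forward to the other slave ports
            if port is not iface:
                transmit(frame, port)
        iface.bridge.stack.receive(frame, iface.bridge)   # the stack sees it on br0
    else:
        iface.stack.receive(frame, iface)


def ping(iface, target_ip):
    """Emulate 'ping -c 1 -I <iface> <target_ip>'; True if the echo reply came back."""
    stack = iface.stack
    stack.pending, stack.got_reply = {(iface, target_ip)}, False
    transmit(("arp-request", iface.ip, target_ip), iface)
    return stack.got_reply


def build(enslave=True):
    host, ns2 = Stack("host"), Stack("netns2")
    br0 = Iface("br0", "1.2.3.100", host)        # created first: first route on the host
    veth1 = Iface("veth1", "1.2.3.101", host)
    veth2 = Iface("veth2", "1.2.3.102", ns2)
    veth1.peer, veth2.peer = veth2, veth1
    if enslave:                                  # brctl addif br0 veth1
        br0.ports.append(veth1)
        veth1.bridge = br0
    return {"br0": br0, "veth1": veth1, "veth2": veth2}


PAIRS = [("br0", "veth1"), ("br0", "veth2"), ("veth1", "br0"),
         ("veth1", "veth2"), ("veth2", "br0"), ("veth2", "veth1")]


def run_all(enslave=True):
    """Map (source iface, target iface) to ping success for the six tests above."""
    results = {}
    for src, dst in PAIRS:
        ifs = build(enslave)                     # fresh topology per test
        results[(src, dst)] = ping(ifs[src], ifs[dst].ip)
    return results


if __name__ == "__main__":
    for (src, dst), ok in run_all().items():
        print(f"{src} ping {dst}: {'success' if ok else 'fail'}")
```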
OVS principles and practice
Introduction
OVS (Open vSwitch) is a production-grade virtual switch licensed under the open-source Apache 2.0 license. It is designed to enable large-scale network automation through programmatic extension, while still supporting standard management interfaces and protocols (such as NetFlow, sFlow, IPFIX, RSPAN, CLI, LACP and 802.1ag). It is also designed to support distribution across multiple physical servers, similar to VMware's vNetwork distributed vSwitch or Cisco's Nexus 1000V. OVS is frequently seen in the SDN (software-defined networking) field.
OVS consists of three components: the datapath, vswitchd and ovsdb.
Terminology
OVS has many terms; here we explain some of the common ones.
- Bridge
A bridge is a switch (a virtual one, i.e. a vSwitch); a host can create several bridges. When a packet enters through one of the bridge's ports, the bridge forwards it to other ports according to its rules; it can also modify or drop the packet.
- Port
A switch port, of one of the following types:
1. Normal: a physical NIC added to a bridge becomes a Port of type Normal. Assigning an IP to the physical NIC is then meaningless; it has "degenerated into a cable" that only carries packets in and out. In VLAN mode, a Normal port is typically the one that links several physical hosts, with the switch side in trunk mode.
2. Internal: for a port of this type OVS automatically creates a virtual NIC interface (Interface); data received on the port is forwarded to that NIC, and data sent from the NIC goes back through the port to OVS. When OVS creates a new bridge it automatically creates an Internal port with the same name as the bridge, together with an Interface of the same name. An Internal port can also be assigned an IP address and brought up, which gives OVS layer-3 connectivity.
3. Patch: similar in function to a veth pair; commonly used to connect two bridges.
4. Tunnel: implements overlay networks; supports tunnel protocols including GRE, VXLAN, STT, Geneve and IPsec.
- Interface
A NIC, either virtual (TUN/TAP) or physical.
- Controller
OVS can be managed by one or more OpenFlow controllers, whose main job is to push flow tables that control the forwarding rules.
- FlowTable
The flow table is the core of OVS forwarding; it defines the rules for forwarding data between ports. Each flow rule has a match part and an action part: the match decides which data is handled, and the action decides what happens to it.
Installation
Environment preparation
[root@docker ~]# cat <<EOF > /etc/yum.repos.d/openstack.repo
[centos-openstack-victoria]
name=CentOS 8 - OpenStack victoria
baseurl=https://mirrors.aliyun.com/centos-vault/8-stream/cloud/x86_64/openstack-victoria/
gpgcheck=0
enabled=1
[highavailability]
name=CentOS Stream 8 - HighAvailability
baseurl=https://mirrors.aliyun.com/centos-vault/8-stream/HighAvailability/x86_64/os/
gpgcheck=0
enabled=1
[nfv]
name=CentOS Stream 8 - NFV
baseurl=https://mirrors.aliyun.com/centos-vault/8-stream/NFV/x86_64/os/
gpgcheck=0
enabled=1
[rt]
name=CentOS Stream 8 - RT
baseurl=https://mirrors.aliyun.com/centos-vault/8-stream/RT/x86_64/os/
gpgcheck=0
enabled=1
[resilientstorage]
name=CentOS Stream 8 - ResilientStorage
baseurl=https://mirrors.aliyun.com/centos-vault/8-stream/ResilientStorage/x86_64/os/
gpgcheck=0
enabled=1
[extras-common]
name=CentOS Stream 8 - Extras packages
baseurl=https://mirrors.aliyun.com/centos-vault/8-stream/extras/x86_64/extras-common/
gpgcheck=0
enabled=1
[extras]
name=CentOS Stream $releasever - Extras
baseurl=https://mirrors.aliyun.com/centos-vault/8-stream/extras/x86_64/os/
gpgcheck=0
enabled=1
[centos-ceph-pacific]
name=CentOS - Ceph Pacific
baseurl=https://mirrors.aliyun.com/centos-vault/8-stream/storage/x86_64/ceph-pacific/
gpgcheck=0
enabled=1
[centos-rabbitmq-38]
name=CentOS-8 - RabbitMQ 38
baseurl=https://mirrors.aliyun.com/centos-vault/8-stream/messaging/x86_64/rabbitmq-38/
gpgcheck=0
enabled=1
[centos-nfv-openvswitch]
name=CentOS Stream 8 - NFV OpenvSwitch
baseurl=https://mirrors.aliyun.com/centos-vault/8-stream/nfv/x86_64/openvswitch-2/
gpgcheck=0
enabled=1
[baseos]
name=CentOS Stream 8 - BaseOS
baseurl=https://mirrors.aliyun.com/centos-vault/8-stream/BaseOS/x86_64/os/
gpgcheck=0
enabled=1
[appstream]
name=CentOS Stream 8 - AppStream
baseurl=https://mirrors.aliyun.com/centos-vault/8-stream/AppStream/x86_64/os/
gpgcheck=0
enabled=1
[powertools]
name=CentOS Stream 8 - PowerTools
baseurl=https://mirrors.aliyun.com/centos-vault/8-stream/PowerTools/x86_64/os/
gpgcheck=0
enabled=1
EOF
Install
[root@docker ~]# yum install openvswitch -y
Start and verify
[root@docker ~]# systemctl enable openvswitch.service --now
Created symlink /etc/systemd/system/multi-user.target.wants/openvswitch.service → /usr/lib/systemd/system/openvswitch.service.
[root@docker ~]# systemctl status openvswitch.service
● openvswitch.service - Open vSwitch
   Loaded: loaded (/usr/lib/systemd/system/openvswitch.service; enabled; vendor preset: >
   Active: active (exited) since Fri 2025-09-19 13:50:11 CST; 4s ago
  Process: 3635 ExecStart=/bin/true (code=exited, status=0/SUCCESS)
 Main PID: 3635 (code=exited, status=0/SUCCESS)

Sep 19 13:50:11 docker systemd[1]: Starting Open vSwitch...
Sep 19 13:50:11 docker systemd[1]: Started Open vSwitch.
[root@docker ~]# ovs-vsctl --version
ovs-vsctl (Open vSwitch) 2.13.11
DB Schema 8.2.0
[root@docker ~]# ps -ef | grep openvswitch
openvsw+ 3546 1 0 13:50 ? 00:00:00 ovsdb-server /etc/openvswitch/conf.db -vconsole:emer -vsyslog:err -vfile:info --remote=punix:/var/run/openvswitch/db.sock --private-key=db:Open_vSwitch,SSL,private_key --certificate=db:Open_vSwitch,SSL,certificate --bootstrap-ca-cert=db:Open_vSwitch,SSL,ca_cert --user openvswitch:hugetlbfs --no-chdir --log-file=/var/log/openvswitch/ovsdb-server.log --pidfile=/var/run/openvswitch/ovsdb-server.pid --detach
openvsw+ 3627 1 0 13:50 ? 00:00:00 ovs-vswitchd unix:/var/run/openvswitch/db.sock -vconsole:emer -vsyslog:err -vfile:info --mlockall --user openvswitch:hugetlbfs --no-chdir --log-file=/var/log/openvswitch/ovs-vswitchd.log --pidfile=/var/run/openvswitch/ovs-vswitchd.pid --detach
root 3642 1936 0 13:50 pts/0 00:00:00 grep --color=auto openvswitch
[root@docker ~]# ovs-vsctl show
4ef7b1de-17e5-4181-b3ff-d0494dd3691c
    ovs_version: "2.13.11"
Practice: creating an OVS switch
Create an OVS switch named sw1
[root@docker ~]# ovs-vsctl add-br sw1
[root@docker ~]# ovs-vsctl list-br
sw1
[root@docker ~]# ovs-vsctl show
4ef7b1de-17e5-4181-b3ff-d0494dd3691c
    Bridge sw1
        Port sw1
            Interface sw1
                type: internal
    ovs_version: "2.13.11"
[root@docker ~]#
Access
# create two network namespaces
[root@docker ~]# ip netns add ns1
[root@docker ~]# ip netns add ns2
[root@docker ~]# ip netns show
ns2
ns1
netns2 (id: 0)
# create two veth pairs and move one end of each into the two namespaces above
# configuration for the first namespace
[root@docker ~]# ip link add veth11 type veth peer name veth12
[root@docker ~]# ip link set veth12 netns ns1   # move veth12 into the network namespace ns1
[root@docker ~]# ip link set veth11 up          # bring veth11 up in the current (default) namespace
[root@docker ~]# ip netns exec ns1 ip link set veth12 up
# type veth: the type of interface to create is veth
# peer name veth12: the other end paired with veth11 is named veth12
# configuration for the second namespace
[root@docker ~]# ip link add veth21 type veth peer name veth22
[root@docker ~]# ip link set veth22 netns ns2
[root@docker ~]# ip link set veth21 up
[root@docker ~]# ip netns exec ns2 ip link set veth22 up
# plug veth11 and veth21 into the OVS switch
[root@docker ~]# ovs-vsctl add-port sw1 veth11   # add the virtual interface veth11 to the OVS switch sw1
[root@docker ~]# ovs-vsctl add-port sw1 veth21   # add veth21 to sw1 as well
[root@docker ~]# ovs-vsctl show
4ef7b1de-17e5-4181-b3ff-d0494dd3691c
    Bridge sw1
        Port veth21
            Interface veth21
        Port sw1
            Interface sw1
                type: internal
        Port veth11
            Interface veth11
    ovs_version: "2.13.11"
# configure IPs inside the network namespaces
# ns1
[root@docker ~]# ip netns exec ns1 ip addr add 1.1.1.1/24 dev veth12
[root@docker ~]# ip netns exec ns1 ifconfig veth12
veth12: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 1.1.1.1  netmask 255.255.255.0  broadcast 0.0.0.0
        inet6 fe80::5039:e6ff:fedc:7667  prefixlen 64  scopeid 0x20<link>
        ether 52:39:e6:dc:76:67  txqueuelen 1000  (Ethernet)
        RX packets 14  bytes 1076 (1.0 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 11  bytes 866 (866.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
# ns2
[root@docker ~]# ip netns exec ns2 ip addr add 1.1.1.2/24 dev veth22
[root@docker ~]# ip netns exec ns2 ifconfig veth22
veth22: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 1.1.1.2  netmask 255.255.255.0  broadcast 0.0.0.0
        inet6 fe80::f0f1:98ff:fe10:c6d2  prefixlen 64  scopeid 0x20<link>
        ether f2:f1:98:10:c6:d2  txqueuelen 1000  (Ethernet)
        RX packets 13  bytes 1006 (1006.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 11  bytes 866 (866.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
# verify connectivity
# ns1 ping ns2
[root@docker ~]# ip netns exec ns1 ping -c 1 1.1.1.2
PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.
64 bytes from 1.1.1.2: icmp_seq=1 ttl=64 time=0.776 ms

--- 1.1.1.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.776/0.776/0.776/0.000 ms
# ns2 ping ns1
[root@docker ~]# ip netns exec ns2 ping -c 1 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
64 bytes from 1.1.1.1: icmp_seq=1 ttl=64 time=0.069 ms

--- 1.1.1.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.069/0.069/0.069/0.000 ms
VLAN isolation
Building on the environment above, give the two veth ports plugged into the OVS switch different tags (the default is 0), that is, place them in different VLANs, and verify connectivity again:
[root@docker ~]# ovs-vsctl show
4ef7b1de-17e5-4181-b3ff-d0494dd3691c
    Bridge sw1
        Port veth21
            Interface veth21
        Port sw1
            Interface sw1
                type: internal
        Port veth11
            Interface veth11
    ovs_version: "2.13.11"
# set the VLAN tag of the two ports
[root@docker ~]# ovs-vsctl set port veth11 tag=10
[root@docker ~]# ovs-vsctl set port veth21 tag=20
# verify connectivity
# ns1 ping ns2: different VLAN tags, no communication
[root@docker ~]# ip netns exec ns1 ping -c 1 1.1.1.2
PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.

--- 1.1.1.2 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
# ns2 ping ns1: different VLAN tags, no communication
[root@docker ~]# ip netns exec ns2 ping -c 1 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.

--- 1.1.1.1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
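Added illustration (not Open vSwitch code): a Python model of a learning switch with access-port tags that reproduces the result above, where the broadcast ARP request from veth11 reaches veth21 with the default tag but not with tag=10 against tag=20. It goes beyond the page by also modelling a trunk port. The MACs are the veth12/veth22 addresses shown earlier; the port name uplink and the trunk port are constructed.

```python
# Constructed model of the access-port VLAN rule behind
# "ovs-vsctl set port <port> tag=<vid>": frames entering an access port are
# tagged with the port's VLAN, MACs are learned per VLAN, and a frame only
# leaves through ports that carry that VLAN.

BROADCAST = "ff:ff:ff:ff:ff:ff"


class VlanSwitch:
    def __init__(self):
        self.ports = {}   # name -> {"tag": access vlan or None, "trunks": allowed vlans or None}
        self.fdb = {}     # (vlan, mac) -> port the MAC was learned on

    def add_port(self, name, tag=None, trunks=None):
        """tag=<vid>: access port. tag=None: trunk port; trunks=None carries all VLANs,
        and an untagged frame on such a port belongs to VLAN 0 (the default tag)."""
        self.ports[name] = {"tag": tag, "trunks": trunks}

    def _ingress_vlan(self, port, frame_vlan):
        p = self.ports[port]
        if p["tag"] is not None:             # access port: the frame gets the port tag
            return p["tag"]
        if frame_vlan is None:
            return 0
        if p["trunks"] is None or frame_vlan in p["trunks"]:
            return frame_vlan
        return None                          # tagged frame not allowed on this trunk

    def send(self, in_port, src_mac, dst_mac, frame_vlan=None):
        """Forward one frame. Returns {out_port: vlan id on the wire (None = untagged)}."""
        vid = self._ingress_vlan(in_port, frame_vlan)
        if vid is None:
            return {}
        self.fdb[(vid, src_mac)] = in_port   # learn the source MAC in this VLAN
        known = self.fdb.get((vid, dst_mac))
        if known == in_port:
            return {}                         # destination sits behind the ingress port
        outs = [known] if known else [p for p in self.ports if p != in_port]  # flood if unknown
        delivered = {}
        for out in outs:                      # egress filter: same VLAN only
            p = self.ports[out]
            if p["tag"] is not None:
                if p["tag"] == vid:
                    delivered[out] = None     # access port strips the tag
            elif p["trunks"] is None or vid in p["trunks"]:
                delivered[out] = None if vid == 0 else vid
        return delivered


# MACs of veth12 (ns1) and veth22 (ns2) from the ifconfig output above
MAC_NS1, MAC_NS2 = "52:39:e6:dc:76:67", "f2:f1:98:10:c6:d2"


def arp_from_ns1(tag11=None, tag21=None):
    """Where does the broadcast ARP request of 'ns1 ping 1.1.1.2' go on sw1?"""
    sw = VlanSwitch()
    sw.add_port("veth11", tag11)
    sw.add_port("veth21", tag21)
    return sw.send("veth11", MAC_NS1, BROADCAST)


def learned_path():
    """Both ports in VLAN 10 plus a constructed trunk uplink: the first frame floods,
    the reply is switched straight to the learned port."""
    sw = VlanSwitch()
    sw.add_port("veth11", 10)
    sw.add_port("veth21", 10)
    sw.add_port("uplink", trunks={10, 20})
    first = sw.send("veth11", MAC_NS1, BROADCAST)   # flooded; tagged 10 on the uplink
    reply = sw.send("veth21", MAC_NS2, MAC_NS1)      # MAC_NS1 already learned on veth11
    return first, reply


if __name__ == "__main__":
    print("default tags:   ", arp_from_ns1())          # reaches veth21
    print("tag 10 / tag 20:", arp_from_ns1(10, 20))    # dropped: {}
    print("learned path:   ", learned_path())
```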
OpenStack storage management experiment
OpenStack CLI operations
Volume management
Attaching and detaching a volume
Launch the compute instance "Instance_cli_01"
[root@controller ~(keystone_admin)]# openstack server create --availability-zone nova --image Img_cli --flavor Flavor_cli --network shared --key-name KeyPair_cli Instance_cli_01
+-------------------------------------+---------------------------------------------------+
| Field | Value |
+-------------------------------------+---------------------------------------------------+
| OS-DCF:diskConfig | MANUAL |
| OS-EXT-AZ:availability_zone | nova |
| OS-EXT-SRV-ATTR:host | None |
| OS-EXT-SRV-ATTR:hypervisor_hostname | None |
| OS-EXT-SRV-ATTR:instance_name | |
| OS-EXT-STS:power_state | NOSTATE |
| OS-EXT-STS:task_state | scheduling |
| OS-EXT-STS:vm_state | building |
| OS-SRV-USG:launched_at | None |
| OS-SRV-USG:terminated_at | None |
| accessIPv4 | |
| accessIPv6 | |
| addresses | |
| adminPass | 4XDpZsm7oj3X |
| config_drive | |
| created | 2025-09-19T01:38:37Z |
| flavor | Flavor_cli (2a6f1df1-ecd9-4ab8-b14c-e9b8570c6e88) |
| hostId | |
| id | 5a77aa01-9067-469e-991f-50e736cb7e57 |
| image | Img_cli (b8b4d0e8-4366-436c-9d5b-0eb6ad6ddeb0) |
| key_name | KeyPair_cli |
| name | Instance_cli_01 |
| progress | 0 |
| project_id | bbe6a457a15b48d792da334eb27a5d7b |
| properties | |
| security_groups | name='default' |
| status | BUILD |
| updated | 2025-09-19T01:38:37Z |
| user_id | af704f24dc304c09a051f19c9f4d4efe |
| volumes_attached | |
+-------------------------------------+---------------------------------------------------+
Attach the volume "Volume_cli_01" to the instance "Instance_cli_01", then check the volume's attachment status
[root@controller ~(keystone_admin)]# openstack server add volume Instance_cli_01 Volume_cli_01
[root@controller ~(keystone_admin)]# openstack volume list
+--------------------------------------+---------------+--------+------+------------------------------------------+
| ID | Name | Status | Size | Attached to |
+--------------------------------------+---------------+--------+------+------------------------------------------+
| 81cb8d61-d64a-4fc5-a385-6efb869c7925 | Volume_cli_01 | in-use | 1 | Attached to Instance_cli_01 on /dev/vdb |
| ade705e8-5a3a-4068-88df-54085fcc5019 | Volume_web | in-use | 1 | Attached to Instance_web_02 on /dev/vda |
+--------------------------------------+---------------+--------+------+------------------------------------------+
Detach the volume "Volume_cli_01" from the instance "Instance_cli_01", then check the attachment status again
[root@controller ~(keystone_admin)]# openstack server remove volume Instance_cli_01 Volume_cli_01
[root@controller ~(keystone_admin)]# openstack volume list
+--------------------------------------+---------------+-----------+------+------------------------------------------+
| ID | Name | Status | Size | Attached to |
+--------------------------------------+---------------+-----------+------+------------------------------------------+
| 81cb8d61-d64a-4fc5-a385-6efb869c7925 | Volume_cli_01 | available | 1 | |
| ade705e8-5a3a-4068-88df-54085fcc5019 | Volume_web | in-use | 1 | Attached to Instance_web_02 on /dev/vda |
+--------------------------------------+---------------+-----------+------+------------------------------------------+
Uploading a volume to an image
Upload the volume "Volume_cli_01" to the image "Volume_Img_cli" with the image format set to QCOW2, then list the newly created image
[root@controller ~(keystone_admin)]# openstack image create --volume Volume_cli_01 --disk-format qcow2 Volume_Img_cli
+---------------------+--------------------------------------+
| Field | Value |
+---------------------+--------------------------------------+
| container_format | bare |
| disk_format | qcow2 |
| display_description | None |
| id | 81cb8d61-d64a-4fc5-a385-6efb869c7925 |
| image_id | d62ab357-3c53-44b4-9ba6-25ec62ebb443 |
| image_name | Volume_Img_cli |
| protected | False |
| size | 1 |
| status | uploading |
| updated_at | 2025-09-19T01:40:06.000000 |
| visibility | shared |
| volume_type | VolumeType_cli |
+---------------------+--------------------------------------+
[root@controller ~(keystone_admin)]# openstack image list
+--------------------------------------+-------------------+--------+
| ID | Name | Status |
+--------------------------------------+-------------------+--------+
| b8b4d0e8-4366-436c-9d5b-0eb6ad6ddeb0 | Img_cli | active |
| 3bbe74b3-62db-444b-a3ff-90f0477e811b | Img_web | active |
| 4891d579-4b19-4532-bd31-c23a9401903d | Instance_Snap_cli | active |
| 437821cd-35cf-47d6-b971-a33d70eb488b | Instance_Snap_web | active |
| d62ab357-3c53-44b4-9ba6-25ec62ebb443 | Volume_Img_cli | active |
| 92ecebf0-ffbc-4a82-b848-c2e6f09a9e2f | Volume_Img_web | active |
+--------------------------------------+-------------------+--------+
Creating a volume snapshot
Create the volume snapshot "Volume_Snap_cli" of the volume "Volume_cli_01", then list the newly created snapshot
[root@controller ~(keystone_admin)]# openstack volume snapshot create --volume Volume_cli_01 Volume_Snap_cli
+-------------+--------------------------------------+
| Field | Value |
+-------------+--------------------------------------+
| created_at | 2025-09-19T01:41:20.074717 |
| description | None |
| id | a109abd9-2a07-4d2b-9d3b-3f180fdd5c8a |
| name | Volume_Snap_cli |
| properties | |
| size | 1 |
| status | creating |
| updated_at | None |
| volume_id | 81cb8d61-d64a-4fc5-a385-6efb869c7925 |
+-------------+--------------------------------------+
[root@controller ~(keystone_admin)]# openstack volume snapshot list
+--------------------------------------+-----------------+-------------+-----------+------+
| ID | Name | Description | Status | Size |
+--------------------------------------+-----------------+-------------+-----------+------+
| a109abd9-2a07-4d2b-9d3b-3f180fdd5c8a | Volume_Snap_cli | None | available | 1 |
+--------------------------------------+-----------------+-------------+-----------+------+
Extending a volume
Extend the volume "Volume_cli_01" to 2 GB, then show the extended volume
[root@controller ~(keystone_admin)]# openstack volume set --size 2 Volume_cli_01
[root@controller ~(keystone_admin)]# openstack volume show Volume_cli_01
+--------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+--------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| attachments | [] |
| availability_zone | nova |
| bootable | true |
| consistencygroup_id | None |
| created_at | 2025-09-18T11:47:27.000000 |
| description | None |
| encrypted | False |
| id | 81cb8d61-d64a-4fc5-a385-6efb869c7925 |
| migration_status | None |
| multiattach | False |
| name | Volume_cli_01 |
| os-vol-host-attr:host | controller@lvm#lvm |
| os-vol-mig-status-attr:migstat | None |
| os-vol-mig-status-attr:name_id | None |
| os-vol-tenant-attr:tenant_id | bbe6a457a15b48d792da334eb27a5d7b |
| properties | |
| replication_status | None |
| size | 2 ......
Creating a volume from a volume snapshot
Create the volume "Volume_cli_02" from the volume snapshot "Volume_Snap_cli", then list the newly created volume
[root@controller ~(keystone_admin)]# openstack volume create --snapshot Volume_Snap_cli Volume_cli_02
+---------------------+--------------------------------------+
| Field | Value |
+---------------------+--------------------------------------+
| attachments | [] |
| availability_zone | nova |
| bootable | true |
| consistencygroup_id | None |
| created_at | 2025-09-19T01:45:01.896492 |
| description | None |
| encrypted | False |
| id | 3cdec04c-04a8-4c5c-ac0e-8a426b9f00d7 |
| migration_status | None |
| multiattach | False |
| name | Volume_cli_02 |
| properties | |
| replication_status | None |
| size | 1 |
| snapshot_id | a109abd9-2a07-4d2b-9d3b-3f180fdd5c8a |
| source_volid | None |
| status | creating |
| type | VolumeType_cli |
| updated_at | None |
| user_id | af704f24dc304c09a051f19c9f4d4efe |
+---------------------+--------------------------------------+
[root@controller ~(keystone_admin)]# openstack volume list
+--------------------------------------+---------------+-----------+------+------------------------------------------+
| ID | Name | Status | Size | Attached to |
+--------------------------------------+---------------+-----------+------+------------------------------------------+
| 3cdec04c-04a8-4c5c-ac0e-8a426b9f00d7 | Volume_cli_02 | available | 1 | |
| 81cb8d61-d64a-4fc5-a385-6efb869c7925 | Volume_cli_01 | available | 2 | |
| ade705e8-5a3a-4068-88df-54085fcc5019 | Volume_web | in-use | 1 | Attached to Instance_web_02 on /dev/vda |
+--------------------------------------+---------------+-----------+------+------------------------------------------+
Launch a VM instance from a volume
Launch the VM instance "Instance_cli_02" from the volume "Volume_cli_02" with the flavor "Flavor_cli", then view the instance list
[root@controller ~(keystone_admin)]# openstack server create --volume Volume_cli_02 --flavor Flavor_cli --network shared Instance_cli_02
+-------------------------------------+---------------------------------------------------+
| Field | Value |
+-------------------------------------+---------------------------------------------------+
| OS-DCF:diskConfig | MANUAL |
| OS-EXT-AZ:availability_zone | |
| OS-EXT-SRV-ATTR:host | None |
| OS-EXT-SRV-ATTR:hypervisor_hostname | None |
| OS-EXT-SRV-ATTR:instance_name | |
| OS-EXT-STS:power_state | NOSTATE |
| OS-EXT-STS:task_state | scheduling |
| OS-EXT-STS:vm_state | building |
| OS-SRV-USG:launched_at | None |
| OS-SRV-USG:terminated_at | None |
| accessIPv4 | |
| accessIPv6 | |
| addresses | |
| adminPass | eEKWnvudhRx3 |
| config_drive | |
| created | 2025-09-19T02:09:23Z |
| flavor | Flavor_cli (2a6f1df1-ecd9-4ab8-b14c-e9b8570c6e88) |
| hostId | |
| id | adeb9eb4-95a8-4598-9cc9-6a04cc11b231 |
| image | N/A (booted from volume) |
| key_name | None |
| name | Instance_cli_02 |
| progress | 0 |
| project_id | bbe6a457a15b48d792da334eb27a5d7b |
| properties | |
| security_groups | name='default' |
| status | BUILD |
| updated | 2025-09-19T02:09:23Z |
| user_id | af704f24dc304c09a051f19c9f4d4efe |
| volumes_attached | |
+-------------------------------------+---------------------------------------------------+
[root@controller ~(keystone_admin)]# openstack server list
+--------------------------------------+-----------------+---------+------------------------+--------------------------+-----------------+
| ID | Name | Status | Networks | Image | Flavor |
+--------------------------------------+-----------------+---------+------------------------+--------------------------+-----------------+
| adeb9eb4-95a8-4598-9cc9-6a04cc11b231 | Instance_cli_02 | ACTIVE | shared=192.168.233.170 | N/A (booted from volume) | Flavor_cli |
| 5a77aa01-9067-469e-991f-50e736cb7e57 | Instance_cli_01 | ACTIVE | shared=192.168.233.51 | Img_cli | Flavor_cli |
| 5c59cdad-a327-4dfd-8e16-b861eea76d1e | Instance_web_02 | SHUTOFF | shared=192.168.233.85 | N/A (booted from volume) | Flavor_web_test |
| ad2f6590-062d-4903-b1f9-a2e8d70335b0 | Instance_web_01 | SHUTOFF | shared=192.168.233.105 | Img_web | Flavor_web_test |
+--------------------------------------+-----------------+---------+------------------------+--------------------------+-----------------+
Set the volume "Volume_cli_02" as non-bootable and try to launch an instance from it again to verify whether it succeeds
[root@controller ~(keystone_admin)]# openstack volume set --non-bootable Volume_cli_02
[root@controller ~(keystone_admin)]# openstack server create --volume Volume_cli_02 --flavor Flavor_cli Instance_cli_03
Block Device 3cdec04c-04a8-4c5c-ac0e-8a426b9f00d7 is not bootable. (HTTP 400) (Request-ID: req-6e0a309f-f233-4f13-9daf-dbe4e1efc2e3)
Conclusion:
A volume marked as non-bootable cannot be used to launch a VM instance.
Update the volume state
View the state of the volume "Volume_cli_01", then update it
[root@controller ~(keystone_admin)]# openstack volume list | grep Volume_cli_01
| 81cb8d61-d64a-4fc5-a385-6efb869c7925 | Volume_cli_01 | available | 2 | |
[root@controller ~(keystone_admin)]# openstack volume set --state error Volume_cli_01
View the state of the volume "Volume_cli_01" again
[root@controller ~(keystone_admin)]# openstack volume list | grep Volume_cli_01
| 81cb8d61-d64a-4fc5-a385-6efb869c7925 | Volume_cli_01 | error | 2 |
Delete a volume
Delete the volume "Volume_cli_01" and check whether it succeeds
[root@controller ~(keystone_admin)]# openstack volume delete Volume_cli_01
Failed to delete volume with name or ID 'Volume_cli_01': Invalid volume: Volume status must be available or error or error_restoring or error_extending or error_managing and must not be migrating, attached, belong to a group, have snapshots or be disassociated from snapshots after volume transfer. (HTTP 400) (Request-ID: req-d6161ef3-e32c-40ae-919c-1dddc3cd6bdb)
1 of 1 volumes failed to delete.
# The error message explains why the volume cannot be deleted: the volume "Volume_cli_01" still has the volume snapshot "Volume_Snap_cli", so the snapshot must be deleted before the volume can be.
Delete the volume snapshot "Volume_Snap_cli"
[root@controller ~(keystone_admin)]# openstack volume snapshot delete Volume_Snap_cli
Delete the volume again, check for errors, and view the volume list
[root@controller ~(keystone_admin)]# openstack volume delete Volume_cli_01
[root@controller ~(keystone_admin)]# openstack volume list
+--------------------------------------+---------------+--------+------+------------------------------------------+
| ID | Name | Status | Size | Attached to |
+--------------------------------------+---------------+--------+------+------------------------------------------+
| 3cdec04c-04a8-4c5c-ac0e-8a426b9f00d7 | Volume_cli_02 | in-use | 1 | Attached to Instance_cli_02 on /dev/vda |
| ade705e8-5a3a-4068-88df-54085fcc5019 | Volume_web | in-use | 1 | Attached to Instance_web_02 on /dev/vda |
+--------------------------------------+---------------+--------+------+------------------------------------------+
Delete the volume "Volume_cli_02" and check whether it succeeds
[root@controller ~(keystone_admin)]# openstack volume delete Volume_cli_02
Failed to delete volume with name or ID 'Volume_cli_02': Invalid volume: Volume status must be available or error or error_restoring or error_extending or error_managing and must not be migrating, attached, belong to a group, have snapshots or be disassociated from snapshots after volume transfer. (HTTP 400) (Request-ID: req-5f69f066-8910-4e36-82ba-efd157df4f22)
1 of 1 volumes failed to delete.
# The error message shows that the volume "Volume_cli_02" cannot be deleted while its status is "in-use": it must first be detached from the VM instance so that its status becomes "available", and only then deleted.
Detach the volume "Volume_cli_02" from the VM instance "Instance_cli_02"
[root@controller ~(keystone_admin)]# openstack server remove volume Instance_cli_02 Volume_cli_02
Cannot detach a root device volume (HTTP 400) (Request-ID: req-71266137-266d-49b3-a40b-12a62388bbdd)
# The error message shows that the volume to be deleted is the instance's root (system) volume and cannot be detached, so it cannot be deleted either unless the VM instance itself is deleted.
Delete the VM instance "Instance_cli_02", then view the state of the volume "Volume_cli_02" again
[root@controller ~(keystone_admin)]# openstack server delete Instance_cli_02
[root@controller ~(keystone_admin)]# openstack volume list | grep Volume_cli_02
| 3cdec04c-04a8-4c5c-ac0e-8a426b9f00d7 | Volume_cli_02 | available | 1 |
Delete the volume "Volume_cli_02" again and check whether it succeeds
[root@controller ~(keystone_admin)]# openstack volume delete Volume_cli_02
View the volume list again to confirm the deletion
[root@controller ~(keystone_admin)]# openstack volume list
+--------------------------------------+------------+--------+------+------------------------------------------+
| ID | Name | Status | Size | Attached to |
+--------------------------------------+------------+--------+------+------------------------------------------+
| ade705e8-5a3a-4068-88df-54085fcc5019 | Volume_web | in-use | 1 | Attached to Instance_web_02 on /dev/vda |
+--------------------------------------+------------+--------+------+------------------------------------------+
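The three refusals above (volume with a snapshot, volume in use, root volume that cannot be detached) follow fixed Cinder and Nova preconditions. The following added example, not code from the original notes or from OpenStack, models those rules over constructed volume records and derives the cleanup order the experiment arrived at by trial and error; the "Volume_cli_*" and "Instance_cli_02" names are reused only as sample data.

```python
"""Model of the Cinder and Nova preconditions hit in the volume experiments.

Added example; not code from the original notes or from OpenStack. The volume
records are constructed to mirror the transcript, and the rules are the ones
quoted in the HTTP 400 messages on the page.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Statuses from which Cinder accepts "openstack volume delete", as listed in
# the "Invalid volume" error message.
DELETABLE_STATUSES = {"available", "error", "error_restoring",
                      "error_extending", "error_managing"}


@dataclass
class Attachment:
    server: str
    device: str          # e.g. /dev/vda
    is_root: bool        # the server booted from this volume


@dataclass
class Volume:
    name: str
    status: str
    bootable: bool = True
    migration_status: Optional[str] = None
    group_id: Optional[str] = None
    attachments: List[Attachment] = field(default_factory=list)
    snapshots: List[str] = field(default_factory=list)


def check_boot(volume: Volume) -> Optional[str]:
    """None if "server create --volume" would be accepted, else the reason
    (Nova's real message names the volume ID rather than the name)."""
    if not volume.bootable:
        return f"Block Device {volume.name} is not bootable."
    if volume.status != "available":
        return f"volume status is {volume.status!r}, not 'available'"
    return None


def check_delete(volume: Volume) -> Optional[str]:
    """None if "volume delete" would succeed, else the first blocking reason.
    Cinder reports every condition in one generic message; this spells out
    which one actually failed."""
    if volume.status not in DELETABLE_STATUSES:
        return f"status {volume.status!r} is not one of {sorted(DELETABLE_STATUSES)}"
    if volume.migration_status == "migrating":
        return "volume is migrating"
    if volume.attachments:
        return "volume is attached"
    if volume.group_id is not None:
        return "volume belongs to a group"
    if volume.snapshots:
        return f"volume has snapshots: {volume.snapshots}"
    return None


def check_detach(volume: Volume, server: str) -> Optional[str]:
    """None if "server remove volume" would succeed, else the reason."""
    for att in volume.attachments:
        if att.server == server:
            return "Cannot detach a root device volume" if att.is_root else None
    return f"volume is not attached to {server}"


def teardown_plan(volume: Volume) -> List[str]:
    """Cleanup order: snapshots first; a root volume cannot be detached, so the
    server that booted from it has to be deleted; data volumes are simply
    detached; finally the volume itself."""
    plan = [f"volume snapshot delete {snap}" for snap in volume.snapshots]
    for att in volume.attachments:
        if att.is_root:
            plan.append(f"server delete {att.server}")
        else:
            plan.append(f"server remove volume {att.server} {volume.name}")
    plan.append(f"volume delete {volume.name}")
    return plan


if __name__ == "__main__":
    v01 = Volume("Volume_cli_01", "error", snapshots=["Volume_Snap_cli"])
    v02 = Volume("Volume_cli_02", "in-use",
                 attachments=[Attachment("Instance_cli_02", "/dev/vda", True)])
    print(check_delete(v01))                      # blocked by the snapshot
    print(check_detach(v02, "Instance_cli_02"))   # root device, cannot detach
    print(teardown_plan(v02))
```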
Using OpenStack
Web UI experiment
Create an instance type (flavor)
Upload an image
Create an external network
Create an internal network
Create a router
Network topology
Create an instance
VNC login
Network topology
instance1 external connectivity test
OpenStack network management
Experiment overview
This experiment shows how to create networks, subnets, routers and security groups and assign floating IPs through both the OpenStack Dashboard and the OpenStack CLI, and then tests the connectivity of VM instances.
Experiment procedure
OpenStack Dashboard operations
Check the OpenStack environment configuration
Create an image
Create an instance flavor
Create a network
Log in to the OpenStack Dashboard as the admin user. In the left navigation pane choose "Project > Network > Network Topology" to open the topology page, which shows the environment's current network topology, then click "Create Network" at the bottom
Observe the change in the network topology
View the newly created network
Create the network "Network_web_02" with subnet name "Subnet_web_02", network address "192.168.2.0/24", gateway IP "192.168.2.1" and allocation pool "192.168.2.100,192.168.2.200"
Verification: mutual access between VM instances
Launch the following 2 VM instances:
VM instance name: Instance_web_test.
Count: 2.
Boot source: Image.
Create new volume: No.
Image: Img_web.
Flavor: Flavor_web.
Network: Network_web_01.
Keep the other settings at their defaults.
IP addresses of the 2 VM instances:
192.168.1.104
192.168.1.123
In the left navigation pane choose "Project > Compute > Instances" to open the instance list, click the name of each of the 2 newly created instances to open its overview page, select the "Console" tab and click "Click here to show only console" at the top of the page
Check the IP address of each instance and ping them from each other to test connectivity
View the current network topology
Conclusion:
The result shows that VM instances on the same network can reach each other by default.
Launch the VM instance "Instance_web_test-3" on the network "Network_web_02", keeping the other parameters the same as for "Instance_web_test-1" and "Instance_web_test-2"
192.168.2.122
Check the instance's IP address and ping it from "Instance_web_test-1" (and vice versa) to test connectivity
View the current network topology
The topology shows that "Instance_web_test-1" and "Instance_web_test-3" are on different networks; networks are isolated from each other, so the two cannot communicate.
Conclusion: VM instances on different networks cannot reach each other by default.
Create a router
Open the router list and click "Create Router" at the top of the page
Add an interface
Select the subnet "Network_web_02:192.168.2.0/24(Subnet_web_02)" and add the interface
View the current network topology
Open the instance list, click the instance names "Instance_web_test-3" and "Instance_web_test-1" in turn, open the "Console" tab, click "Click here to show only console" at the top of the page, and ping the two instances from each other again to test connectivity
Conclusion:
VM instances on different networks can reach each other when both networks are connected to the same router.
The instances created so far cannot reach the external network; configure an external network so that the VMs can.
Create an external network
Manage floating IPs
On the ECS server that hosts OpenStack, verify whether the VM instance "Instance_web_test-3" can be pinged from outside
Ping fails
Conclusion:
The network "Network_web_02" of the VM instance "Instance_web_test-3" is an internal OpenStack network and is not reachable from outside. To access the instance from outside, a floating IP must be allocated from the external network; the steps are as follows:
Allocate an IP to the project
Associate the floating IP
Verify again whether "Instance_web_test-3" can be pinged from outside
Still cannot be pinged
Create another floating IP; its status shows "Down". Click "Associate" in the "Actions" column of the floating IP
Disassociate
Release the floating IP
Create a security group
View the security group currently applied to the VM instance
In the left navigation pane choose "Project > Network > Security Groups" to open the security group list, then click "Manage Rules" in the "Actions" column of the "default" security group
As the figure shows, the instance's default security group allows all egress traffic but denies all ingress traffic except that coming from inside (ports in the same security group). That is why "Instance_web_test-3" is unreachable from outside by default; the security group rules must be changed.
Create a security group and add rules
Edit the security groups of the instance
Check again
Verify again; remote login now succeeds as well
OpenStack CLI operations
Create a network
# Create an image and a flavor
[root@controller ~(keystone_admin)]# openstack image create --disk-format qcow2 --container-format bare --min-disk 1 --min-ram 128 --private --file ./cirros-0.5.2-x86_64-disk.img Img_cli
+------------------+---------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------------+---------------------------------------------------------------------------------------------------------------------------------------------+
| container_format | bare |
| created_at | 2025-09-19T12:53:59Z |
| disk_format | qcow2 |
| file | /v2/images/ddffcbde-1aae-477b-ab48-85f638fb457a/file |
| id | ddffcbde-1aae-477b-ab48-85f638fb457a |
| min_disk | 1 |
| min_ram | 128 |
| name | Img_cli |
| owner | bbe6a457a15b48d792da334eb27a5d7b |
| properties | os_hidden='False', owner_specified.openstack.md5='', owner_specified.openstack.object='images/Img_cli', owner_specified.openstack.sha256='' |
| protected | False |
| schema | /v2/schemas/image |
| status | queued |
| tags | |
| updated_at | 2025-09-19T12:53:59Z |
| visibility | private |
+------------------+---------------------------------------------------------------------------------------------------------------------------------------------+
[root@controller ~(keystone_admin)]# openstack flavor create --vcpus 1 --ram 128 --disk 1 Flavor_cli
+----------------------------+--------------------------------------+
| Field | Value |
+----------------------------+--------------------------------------+
| OS-FLV-DISABLED:disabled | False |
| OS-FLV-EXT-DATA:ephemeral | 0 |
| disk | 1 |
| id | efa15b24-43f5-472d-81cf-cadc3a6a9cc2 |
| name | Flavor_cli |
| os-flavor-access:is_public | True |
| properties | |
| ram | 128 |
| rxtx_factor | 1.0 |
| swap | |
| vcpus | 1 |
+----------------------------+--------------------------------------+
# Create the network "Network_cli_01" and set it to "Shared"
[root@controller ~(keystone_admin)]# openstack network create --share Network_cli_01
+---------------------------+--------------------------------------+
| Field | Value |
+---------------------------+--------------------------------------+
| admin_state_up | UP |
| availability_zone_hints | |
| availability_zones | |
| created_at | 2025-09-19T12:54:41Z |
| description | |
| dns_domain | None |
| id | c163bb88-fdeb-405c-bc3a-b03e049a08dd |
| ipv4_address_scope | None |
| ipv6_address_scope | None |
| is_default | False |
| is_vlan_transparent | None |
| mtu | 1442 |
| name | Network_cli_01 |
| port_security_enabled | True |
| project_id | bbe6a457a15b48d792da334eb27a5d7b |
| provider:network_type | geneve |
| provider:physical_network | None |
| provider:segmentation_id | 86 |
| qos_policy_id | None |
| revision_number | 1 |
| router:external | Internal |
| segments | None |
| shared | True |
| status | ACTIVE |
| subnets | |
| tags | |
| updated_at | 2025-09-19T12:54:41Z |
+---------------------------+--------------------------------------+
[root@controller ~(keystone_admin)]# openstack network list
+--------------------------------------+----------------+--------------------------------------+
| ID | Name | Subnets |
+--------------------------------------+----------------+--------------------------------------+
| 7fe21fee-cab6-42ef-b769-a85a03d03b7a | Network_web_01 | adf3f452-ff7f-42a4-a4c5-091472abfc9c |
| 8c716cd8-bd65-4618-b870-2dd8bf16d522 | External | 5b08ab7c-973c-4063-b415-577583a0a1ba |
| c163bb88-fdeb-405c-bc3a-b03e049a08dd | Network_cli_01 | |
| cbaf888c-a301-46de-bf41-0492b1ebfdd2 | Network_web_02 | 47a8a142-d637-447c-bc20-f9dbef5af801 |
+--------------------------------------+----------------+--------------------------------------+
Create the subnet "Subnet_cli_01" of the network "Network_cli_01" with the following configuration:
Network address: "192.168.3.0/24".
Allocation pool: "192.168.3.100~192.168.3.200".
Gateway address: "192.168.3.1".
[root@controller ~(keystone_admin)]# openstack subnet create --network Network_cli_01 --subnet-range 192.168.3.0/24 --allocation-pool start=192.168.3.100,end=192.168.3.200 --gateway 192.168.3.1 Subnet_cli_01
+----------------------+--------------------------------------+
| Field | Value |
+----------------------+--------------------------------------+
| allocation_pools | 192.168.3.100-192.168.3.200 |
| cidr | 192.168.3.0/24 |
| created_at | 2025-09-19T12:55:50Z |
| description | |
| dns_nameservers | |
| dns_publish_fixed_ip | None |
| enable_dhcp | True |
| gateway_ip | 192.168.3.1 |
| host_routes | |
| id | c3164b01-32be-4fe6-86ab-b209df19b7be |
| ip_version | 4 |
| ipv6_address_mode | None |
| ipv6_ra_mode | None |
| name | Subnet_cli_01 |
| network_id | c163bb88-fdeb-405c-bc3a-b03e049a08dd |
| prefix_length | None |
| project_id | bbe6a457a15b48d792da334eb27a5d7b |
| revision_number | 0 |
| segment_id | None |
| service_types | |
| subnetpool_id | None |
| tags | |
| updated_at | 2025-09-19T12:55:50Z |
+----------------------+--------------------------------------+
[root@controller ~(keystone_admin)]# openstack subnet list
+--------------------------------------+---------------+--------------------------------------+------------------+
| ID | Name | Network | Subnet |
+--------------------------------------+---------------+--------------------------------------+------------------+
| 47a8a142-d637-447c-bc20-f9dbef5af801 | Subnet_web_02 | cbaf888c-a301-46de-bf41-0492b1ebfdd2 | 192.168.2.0/24 |
| 5b08ab7c-973c-4063-b415-577583a0a1ba | External_sub | 8c716cd8-bd65-4618-b870-2dd8bf16d522 | 192.168.108.0/24 |
| adf3f452-ff7f-42a4-a4c5-091472abfc9c | Subnet_web_01 | 7fe21fee-cab6-42ef-b769-a85a03d03b7a | 192.168.1.0/24 |
| c3164b01-32be-4fe6-86ab-b209df19b7be | Subnet_cli_01 | c163bb88-fdeb-405c-bc3a-b03e049a08dd | 192.168.3.0/24 |
+--------------------------------------+---------------+--------------------------------------+------------------+
# View the port list of the network "Network_cli_01"
[root@controller ~(keystone_admin)]# openstack port list --network Network_cli_01 --long
+--------------------------------------+------+-------------------+------------------------------------------------------------------------------+--------+-----------------+---------------------+------+
| ID | Name | MAC Address | Fixed IP Addresses | Status | Security Groups | Device Owner | Tags |
+--------------------------------------+------+-------------------+------------------------------------------------------------------------------+--------+-----------------+---------------------+------+
| 5d4d6bfe-ed5f-4a2f-9666-cf68ecb86f61 | | fa:16:3e:75:d8:f1 | ip_address='192.168.3.100', subnet_id='c3164b01-32be-4fe6-86ab-b209df19b7be' | DOWN | | network:distributed | |
+--------------------------------------+------+-------------------+------------------------------------------------------------------------------+--------+-----------------+---------------------+------+
Create the network "Network_cli_02" and its subnet "Subnet_cli_02" with the following subnet configuration; keep everything else the same as for "Network_cli_01" and "Subnet_cli_01":
Network address: "192.168.4.0/24".
Allocation pool: "192.168.4.100~192.168.4.200".
Gateway address: "192.168.4.1".
[root@controller ~(keystone_admin)]# openstack network create --share Network_cli_02
+---------------------------+--------------------------------------+
| Field | Value |
+---------------------------+--------------------------------------+
| admin_state_up | UP |
| availability_zone_hints | |
| availability_zones | |
| created_at | 2025-09-19T12:57:06Z |
| description | |
| dns_domain | None |
| id | e90df194-c84b-490a-9610-7194ed58834a |
| ipv4_address_scope | None |
| ipv6_address_scope | None |
| is_default | False |
| is_vlan_transparent | None |
| mtu | 1442 |
| name | Network_cli_02 |
| port_security_enabled | True |
| project_id | bbe6a457a15b48d792da334eb27a5d7b |
| provider:network_type | geneve |
| provider:physical_network | None |
| provider:segmentation_id | 50 |
| qos_policy_id | None |
| revision_number | 1 |
| router:external | Internal |
| segments | None |
| shared | True |
| status | ACTIVE |
| subnets | |
| tags | |
| updated_at | 2025-09-19T12:57:07Z |
+---------------------------+--------------------------------------+
[root@controller ~(keystone_admin)]# openstack subnet create --network Network_cli_02 --subnet-range 192.168.4.0/24 --allocation-pool start=192.168.4.100,end=192.168.4.200 --gateway 192.168.4.1 Subnet_cli_02
+----------------------+--------------------------------------+
| Field | Value |
+----------------------+--------------------------------------+
| allocation_pools | 192.168.4.100-192.168.4.200 |
| cidr | 192.168.4.0/24 |
| created_at | 2025-09-19T12:57:32Z |
| description | |
| dns_nameservers | |
| dns_publish_fixed_ip | None |
| enable_dhcp | True |
| gateway_ip | 192.168.4.1 |
| host_routes | |
| id | 8293f9bc-729b-4cef-85bc-6e7135358fa7 |
| ip_version | 4 |
| ipv6_address_mode | None |
| ipv6_ra_mode | None |
| name | Subnet_cli_02 |
| network_id | e90df194-c84b-490a-9610-7194ed58834a |
| prefix_length | None |
| project_id | bbe6a457a15b48d792da334eb27a5d7b |
| revision_number | 0 |
| segment_id | None |
| service_types | |
| subnetpool_id | None |
| tags | |
| updated_at | 2025-09-19T12:57:32Z |
+----------------------+--------------------------------------+
[root@controller ~(keystone_admin)]# openstack network list
+--------------------------------------+----------------+--------------------------------------+
| ID | Name | Subnets |
+--------------------------------------+----------------+--------------------------------------+
| 7fe21fee-cab6-42ef-b769-a85a03d03b7a | Network_web_01 | adf3f452-ff7f-42a4-a4c5-091472abfc9c |
| 8c716cd8-bd65-4618-b870-2dd8bf16d522 | External | 5b08ab7c-973c-4063-b415-577583a0a1ba |
| c163bb88-fdeb-405c-bc3a-b03e049a08dd | Network_cli_01 | c3164b01-32be-4fe6-86ab-b209df19b7be |
| cbaf888c-a301-46de-bf41-0492b1ebfdd2 | Network_web_02 | 47a8a142-d637-447c-bc20-f9dbef5af801 |
| e90df194-c84b-490a-9610-7194ed58834a | Network_cli_02 | 8293f9bc-729b-4cef-85bc-6e7135358fa7 |
+--------------------------------------+----------------+--------------------------------------+
[root@controller ~(keystone_admin)]# openstack subnet list
+--------------------------------------+---------------+--------------------------------------+------------------+
| ID | Name | Network | Subnet |
+--------------------------------------+---------------+--------------------------------------+------------------+
| 47a8a142-d637-447c-bc20-f9dbef5af801 | Subnet_web_02 | cbaf888c-a301-46de-bf41-0492b1ebfdd2 | 192.168.2.0/24 |
| 5b08ab7c-973c-4063-b415-577583a0a1ba | External_sub | 8c716cd8-bd65-4618-b870-2dd8bf16d522 | 192.168.108.0/24 |
| 8293f9bc-729b-4cef-85bc-6e7135358fa7 | Subnet_cli_02 | e90df194-c84b-490a-9610-7194ed58834a | 192.168.4.0/24 |
| adf3f452-ff7f-42a4-a4c5-091472abfc9c | Subnet_web_01 | 7fe21fee-cab6-42ef-b769-a85a03d03b7a | 192.168.1.0/24 |
| c3164b01-32be-4fe6-86ab-b209df19b7be | Subnet_cli_01 | c163bb88-fdeb-405c-bc3a-b03e049a08dd | 192.168.3.0/24 |
+--------------------------------------+---------------+--------------------------------------+------------------+
Verification: mutual access between VM instances
Launch 2 VM instances named "Instance_cli_test" with the following configuration:
VM instance name: Instance_cli_test.
Count: 2.
Boot source: Image.
Image: Img_cli.
Flavor: Flavor_cli.
Network: Network_cli_01.
Keep the other settings at their defaults.
[root@controller ~(keystone_admin)]# openstack server create --image Img_cli --flavor Flavor_cli --network Network_cli_01 --min 2 --max 2 Instance_cli_test
+-------------------------------------+---------------------------------------------------+
| Field | Value |
+-------------------------------------+---------------------------------------------------+
| OS-DCF:diskConfig | MANUAL |
| OS-EXT-AZ:availability_zone | |
| OS-EXT-SRV-ATTR:host | None |
| OS-EXT-SRV-ATTR:hypervisor_hostname | None |
| OS-EXT-SRV-ATTR:instance_name | |
| OS-EXT-STS:power_state | NOSTATE |
| OS-EXT-STS:task_state | scheduling |
| OS-EXT-STS:vm_state | building |
| OS-SRV-USG:launched_at | None |
| OS-SRV-USG:terminated_at | None |
| accessIPv4 | |
| accessIPv6 | |
| addresses | |
| adminPass | FzuXuZccrp8V |
| config_drive | |
| created | 2025-09-19T12:58:41Z |
| flavor | Flavor_cli (efa15b24-43f5-472d-81cf-cadc3a6a9cc2) |
| hostId | |
| id | 52922808-a6c7-4889-8867-e494cdce5666 |
| image | Img_cli (ddffcbde-1aae-477b-ab48-85f638fb457a) |
| key_name | None |
| name | Instance_cli_test-1 |
| progress | 0 |
| project_id | bbe6a457a15b48d792da334eb27a5d7b |
| properties | |
| security_groups | name='default' |
| status | BUILD |
| updated | 2025-09-19T12:58:42Z |
| user_id | af704f24dc304c09a051f19c9f4d4efe |
| volumes_attached | |
+-------------------------------------+---------------------------------------------------+
[root@controller ~(keystone_admin)]# openstack server list
+--------------------------------------+---------------------+--------+-----------------------------------------------+---------+------------+
| ID | Name | Status | Networks | Image | Flavor |
+--------------------------------------+---------------------+--------+-----------------------------------------------+---------+------------+
| 52922808-a6c7-4889-8867-e494cdce5666 | Instance_cli_test-1 | ACTIVE | Network_cli_01=192.168.3.179 | Img_cli | Flavor_cli |
| a593313f-e707-4a8b-81ab-142c64336b62 | Instance_cli_test-2 | ACTIVE | Network_cli_01=192.168.3.160 | Img_cli | Flavor_cli |
| 431deeab-fca5-49fe-9103-bf5ffd5ac037 | Instance_web_test-3 | ACTIVE | Network_web_02=192.168.2.122, 192.168.108.118 | Img_web | Flaovr_web |
| 417e1200-9150-4305-b9c6-d68e970d1258 | Instance_web_test-1 | ACTIVE | Network_web_01=192.168.1.123 | Img_web | Flaovr_web |
| 74d5f9d3-4270-419b-ba1e-757d47aa8e9e | Instance_web_test-2 | ACTIVE | Network_web_01=192.168.1.104 | Img_web | Flaovr_web |
+--------------------------------------+---------------------+--------+-----------------------------------------------+---------+------------+
Verify whether the VM instances "Instance_cli_test-1" and "Instance_cli_test-2" can ping each other
Launch the VM instance "Instance_cli_test-3" with the following configuration:
VM instance name: Instance_cli_test-3.
Boot source: Image.
Image: Img_cli.
Flavor: Flavor_cli.
Network: Network_cli_02.
Keep the other settings at their defaults.
[root@controller ~(keystone_admin)]# openstack server create --image Img_cli --flavor Flavor_cli --network Network_cli_02 Instance_cli_test-3
+-------------------------------------+---------------------------------------------------+
| Field | Value |
+-------------------------------------+---------------------------------------------------+
| OS-DCF:diskConfig | MANUAL |
| OS-EXT-AZ:availability_zone | |
| OS-EXT-SRV-ATTR:host | None |
| OS-EXT-SRV-ATTR:hypervisor_hostname | None |
| OS-EXT-SRV-ATTR:instance_name | |
| OS-EXT-STS:power_state | NOSTATE |
| OS-EXT-STS:task_state | scheduling |
| OS-EXT-STS:vm_state | building |
| OS-SRV-USG:launched_at | None |
| OS-SRV-USG:terminated_at | None |
| accessIPv4 | |
| accessIPv6 | |
| addresses | |
| adminPass | ZNVfR9n3PNor |
| config_drive | |
| created | 2025-09-19T13:25:16Z |
| flavor | Flavor_cli (efa15b24-43f5-472d-81cf-cadc3a6a9cc2) |
| hostId | |
| id | aca4f1df-fd2e-488b-8f1f-d9c70607c71b |
| image | Img_cli (ddffcbde-1aae-477b-ab48-85f638fb457a) |
| key_name | None |
| name | Instance_cli_test-3 |
| progress | 0 |
| project_id | bbe6a457a15b48d792da334eb27a5d7b |
| properties | |
| security_groups | name='default' |
| status | BUILD |
| updated | 2025-09-19T13:25:16Z |
| user_id | af704f24dc304c09a051f19c9f4d4efe |
| volumes_attached | |
+-------------------------------------+---------------------------------------------------+
[root@controller ~(keystone_admin)]# openstack server list
+--------------------------------------+---------------------+--------+-----------------------------------------------+---------+------------+
| ID | Name | Status | Networks | Image | Flavor |
+--------------------------------------+---------------------+--------+-----------------------------------------------+---------+------------+
| aca4f1df-fd2e-488b-8f1f-d9c70607c71b | Instance_cli_test-3 | ACTIVE | Network_cli_02=192.168.4.162 | Img_cli | Flavor_cli |
| 52922808-a6c7-4889-8867-e494cdce5666 | Instance_cli_test-1 | ACTIVE | Network_cli_01=192.168.3.179 | Img_cli | Flavor_cli |
| a593313f-e707-4a8b-81ab-142c64336b62 | Instance_cli_test-2 | ACTIVE | Network_cli_01=192.168.3.160 | Img_cli | Flavor_cli |
| 431deeab-fca5-49fe-9103-bf5ffd5ac037 | Instance_web_test-3 | ACTIVE | Network_web_02=192.168.2.122, 192.168.108.118 | Img_web | Flaovr_web |
| 417e1200-9150-4305-b9c6-d68e970d1258 | Instance_web_test-1 | ACTIVE | Network_web_01=192.168.1.123 | Img_web | Flaovr_web |
| 74d5f9d3-4270-419b-ba1e-757d47aa8e9e | Instance_web_test-2 | ACTIVE | Network_web_01=192.168.1.104 | Img_web | Flaovr_web |
+--------------------------------------+---------------------+--------+-----------------------------------------------+---------+------------+
Verify whether the VM instances "Instance_cli_test-1" and "Instance_cli_test-3" can ping each other.
Create a router
Create the router "Router_cli"
[root@controller ~(keystone_admin)]# openstack router create --project admin Router_cli
+-------------------------+--------------------------------------+
| Field | Value |
+-------------------------+--------------------------------------+
| admin_state_up | UP |
| availability_zone_hints | |
| availability_zones | |
| created_at | 2025-09-19T13:27:50Z |
| description | |
| external_gateway_info | null |
| flavor_id | None |
| id | aea9f066-abff-4e3a-bf38-16908f9b2bbf |
| name | Router_cli |
| project_id | bbe6a457a15b48d792da334eb27a5d7b |
| revision_number | 1 |
| routes | |
| status | ACTIVE |
| tags | |
| updated_at | 2025-09-19T13:27:50Z |
+-------------------------+--------------------------------------+
[root@controller ~(keystone_admin)]# openstack router list
+--------------------------------------+------------+--------+-------+----------------------------------+
| ID | Name | Status | State | Project |
+--------------------------------------+------------+--------+-------+----------------------------------+
| 997ece82-c2b0-499d-b089-1adadd761c30 | Router_web | ACTIVE | UP | bbe6a457a15b48d792da334eb27a5d7b |
| aea9f066-abff-4e3a-bf38-16908f9b2bbf | Router_cli | ACTIVE | UP | bbe6a457a15b48d792da334eb27a5d7b |
+--------------------------------------+------------+--------+-------+----------------------------------+
Set the external network of the router "Router_cli" to "External"
[root@controller ~(keystone_admin)]# openstack router set --external-gateway External Router_cli
Add interfaces on the router "Router_cli" for the subnets "Subnet_cli_01" and "Subnet_cli_02".
[root@controller ~(keystone_admin)]# openstack router add subnet Router_cli Subnet_cli_01
[root@controller ~(keystone_admin)]# openstack router add subnet Router_cli Subnet_cli_02
View the interface information of the router "Router_cli"
[root@controller ~(keystone_admin)]# openstack router show Router_cli | grep interfaces_info
| interfaces_info | [{"port_id": "45888608-60c4-4118-9785-9b047781bdd7", "ip_address": "192.168.4.1", "subnet_id": "8293f9bc-729b-4cef-85bc-6e7135358fa7"}, {"port_id": "9b66e9e6-86c1-4e95-b428-a2c12b5ed6f0", "ip_address": "192.168.3.1", "subnet_id": "c3164b01-32be-4fe6-86ab-b209df19b7be"}] |
Verify again whether the VM instances "Instance_cli_test-1" and "Instance_cli_test-3" can ping each other
Manage floating IPs
Verify whether the VM instance "Instance_cli_test-3" can be pinged from outside
[root@controller ~(keystone_admin)]# ping 192.168.4.162
PING 192.168.4.162 (192.168.4.162) 56(84) bytes of data.
^C
--- 192.168.4.162 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2061ms
View the port of the VM instance "Instance_cli_test-3" to which the floating IP will be assigned
[root@controller ~(keystone_admin)]# openstack port list --server Instance_cli_test-3
+--------------------------------------+------+-------------------+------------------------------------------------------------------------------+--------+
| ID | Name | MAC Address | Fixed IP Addresses | Status |
+--------------------------------------+------+-------------------+------------------------------------------------------------------------------+--------+
| acb7292f-8537-4271-900a-a747efb086c9 | | fa:16:3e:da:df:ef | ip_address='192.168.4.162', subnet_id='8293f9bc-729b-4cef-85bc-6e7135358fa7' | ACTIVE |
+--------------------------------------+------+-------------------+------------------------------------------------------------------------------+--------+
# Port ID of the VM instance "Instance_cli_test-3" that will receive the floating IP: acb7292f-8537-4271-900a-a747efb086c9
Create a floating IP on the external network "External" and assign it to the port of the VM instance "Instance_cli_test-3"
[root@controller ~(keystone_admin)]# openstack floating ip create --port acb7292f-8537-4271-900a-a747efb086c9 External
+---------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+---------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| created_at | 2025-09-19T13:35:47Z |
| description | |
| dns_domain | None |
| dns_name | None |
| fixed_ip_address | 192.168.4.162 |
| floating_ip_address | 192.168.108.113 |
| floating_network_id | 8c716cd8-bd65-4618-b870-2dd8bf16d522 |
| id | f84ce0d0-b28d-4ea6-a53c-cd7bdc0d0124 |
| name | 192.168.108.113 |
| port_details | {'name': '', 'network_id': 'e90df194-c84b-490a-9610-7194ed58834a', 'mac_address': 'fa:16:3e:da:df:ef', 'admin_state_up': True, 'status': 'ACTIVE', 'device_id': 'aca4f1df-fd2e-488b-8f1f-d9c70607c71b', 'device_owner': 'compute:nova'} |
| port_id | acb7292f-8537-4271-900a-a747efb086c9 |
| project_id | bbe6a457a15b48d792da334eb27a5d7b |
| qos_policy_id | None |
| revision_number | 0 |
| router_id | aea9f066-abff-4e3a-bf38-16908f9b2bbf |
| status | DOWN |
| subnet_id | None |
| tags | [] |
| updated_at | 2025-09-19T13:35:47Z |
+---------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
View the floating IP list and check the port status
[root@controller ~(keystone_admin)]# openstack floating ip list --long
+--------------------------------------+---------------------+------------------+--------------------------------------+--------------------------------------+----------------------------------+--------------------------------------+--------+-------------+------+----------+------------+
| ID | Floating IP Address | Fixed IP Address | Port | Floating Network | Project | Router | Status | Description | Tags | DNS Name | DNS Domain |
+--------------------------------------+---------------------+------------------+--------------------------------------+--------------------------------------+----------------------------------+--------------------------------------+--------+-------------+------+----------+------------+
| 12e83003-4c8c-4f47-ac76-80b1517ddc00 | 192.168.108.118 | 192.168.2.122 | 6dc3c742-99e3-4af0-bcc7-f2b2e220a3c0 | 8c716cd8-bd65-4618-b870-2dd8bf16d522 | bbe6a457a15b48d792da334eb27a5d7b | 997ece82-c2b0-499d-b089-1adadd761c30 | ACTIVE | | [] | None | None |
| f84ce0d0-b28d-4ea6-a53c-cd7bdc0d0124 | 192.168.108.113 | 192.168.4.162 | acb7292f-8537-4271-900a-a747efb086c9 | 8c716cd8-bd65-4618-b870-2dd8bf16d522 | bbe6a457a15b48d792da334eb27a5d7b | aea9f066-abff-4e3a-bf38-16908f9b2bbf | ACTIVE | | [] | None | None |
+--------------------------------------+---------------------+------------------+--------------------------------------+--------------------------------------+----------------------------------+--------------------------------------+--------+-------------+------+----------+------------+
Verify whether the instance "Instance_web_test-3" can be pinged from outside
[root@controller ~(keystone_admin)]# ping 192.168.4.162
PING 192.168.4.162 (192.168.4.162) 56(84) bytes of data.
^C
--- 192.168.4.162 ping statistics ---
150 packets transmitted, 0 received, 100% packet loss, time 152573ms
Create another floating IP and check its port status
[root@controller ~(keystone_admin)]# openstack floating ip create External
+---------------------+--------------------------------------+
| Field | Value |
+---------------------+--------------------------------------+
| created_at | 2025-09-19T13:40:14Z |
| description | |
| dns_domain | None |
| dns_name | None |
| fixed_ip_address | None |
| floating_ip_address | 192.168.108.183 |
| floating_network_id | 8c716cd8-bd65-4618-b870-2dd8bf16d522 |
| id | 27a97c2a-ba1c-4691-8235-3927da796d7a |
| name | 192.168.108.183 |
| port_details | None |
| port_id | None |
| project_id | bbe6a457a15b48d792da334eb27a5d7b |
| qos_policy_id | None |
| revision_number | 0 |
| router_id | None |
| status | DOWN |
| subnet_id | None |
| tags | [] |
| updated_at | 2025-09-19T13:40:14Z |
+---------------------+--------------------------------------+
[root@controller ~(keystone_admin)]# openstack floating ip list --long
+--------------------------------------+---------------------+------------------+--------------------------------------+--------------------------------------+----------------------------------+--------------------------------------+--------+-------------+------+----------+------------+
| ID | Floating IP Address | Fixed IP Address | Port | Floating Network | Project | Router | Status | Description | Tags | DNS Name | DNS Domain |
+--------------------------------------+---------------------+------------------+--------------------------------------+--------------------------------------+----------------------------------+--------------------------------------+--------+-------------+------+----------+------------+
| 12e83003-4c8c-4f47-ac76-80b1517ddc00 | 192.168.108.118 | 192.168.2.122 | 6dc3c742-99e3-4af0-bcc7-f2b2e220a3c0 | 8c716cd8-bd65-4618-b870-2dd8bf16d522 | bbe6a457a15b48d792da334eb27a5d7b | 997ece82-c2b0-499d-b089-1adadd761c30 | ACTIVE | | [] | None | None |
| 27a97c2a-ba1c-4691-8235-3927da796d7a | 192.168.108.183 | None | None | 8c716cd8-bd65-4618-b870-2dd8bf16d522 | bbe6a457a15b48d792da334eb27a5d7b | None | DOWN | | [] | None | None |
| f84ce0d0-b28d-4ea6-a53c-cd7bdc0d0124 | 192.168.108.113 | 192.168.4.162 | acb7292f-8537-4271-900a-a747efb086c9 | 8c716cd8-bd65-4618-b870-2dd8bf16d522 | bbe6a457a15b48d792da334eb27a5d7b | aea9f066-abff-4e3a-bf38-16908f9b2bbf | ACTIVE | | [] | None | None |
+--------------------------------------+---------------------+------------------+--------------------------------------+--------------------------------------+----------------------------------+--------------------------------------+--------+-------------+------+----------+------------+
# Floating IP address: 192.168.108.183
Associate the floating IP with the instance "Instance_cli_test-1"
[root@controller ~(keystone_admin)]# openstack server add floating ip Instance_cli_test-1 192.168.108.183
Disassociate the floating IP from the instance "Instance_cli_test-1"
[root@controller ~(keystone_admin)]# openstack server remove floating ip Instance_cli_test-1 192.168.108.183
Release all floating IPs that have been disassociated
[root@controller ~(keystone_admin)]# openstack floating ip delete 192.168.108.183
View the floating IP list
[root@controller ~(keystone_admin)]# openstack floating ip list
+--------------------------------------+---------------------+------------------+--------------------------------------+--------------------------------------+----------------------------------+
| ID | Floating IP Address | Fixed IP Address | Port | Floating Network | Project |
+--------------------------------------+---------------------+------------------+--------------------------------------+--------------------------------------+----------------------------------+
| 12e83003-4c8c-4f47-ac76-80b1517ddc00 | 192.168.108.118 | 192.168.2.122 | 6dc3c742-99e3-4af0-bcc7-f2b2e220a3c0 | 8c716cd8-bd65-4618-b870-2dd8bf16d522 | bbe6a457a15b48d792da334eb27a5d7b |
| f84ce0d0-b28d-4ea6-a53c-cd7bdc0d0124 | 192.168.108.113 | 192.168.4.162 | acb7292f-8537-4271-900a-a747efb086c9 | 8c716cd8-bd65-4618-b870-2dd8bf16d522 | bbe6a457a15b48d792da334eb27a5d7b |
+--------------------------------------+---------------------+------------------+--------------------------------------+--------------------------------------+----------------------------------+
Creating a security group
View the security group currently applied to the instance "Instance_cli_test-3"
[root@controller ~(keystone_admin)]# openstack server show Instance_cli_test-3
+-------------------------------------+----------------------------------------------------------+
| Field | Value |
+-------------------------------------+----------------------------------------------------------+
| OS-DCF:diskConfig | MANUAL |
| OS-EXT-AZ:availability_zone | nova |
| OS-EXT-SRV-ATTR:host | controller |
| OS-EXT-SRV-ATTR:hypervisor_hostname | controller |
| OS-EXT-SRV-ATTR:instance_name | instance-00000006 |
| OS-EXT-STS:power_state | Running |
| OS-EXT-STS:task_state | None |
| OS-EXT-STS:vm_state | active |
| OS-SRV-USG:launched_at | 2025-09-19T13:25:22.000000 |
| OS-SRV-USG:terminated_at | None |
| accessIPv4 | |
| accessIPv6 | |
| addresses | Network_cli_02=192.168.4.162, 192.168.108.113 |
| config_drive | |
| created | 2025-09-19T13:25:16Z |
| flavor | Flavor_cli (efa15b24-43f5-472d-81cf-cadc3a6a9cc2) |
| hostId | 7d1bb9c1ad99b2930830e14ce16d550553ad3b69d66d3631f1af0d02 |
| id | aca4f1df-fd2e-488b-8f1f-d9c70607c71b |
| image | Img_cli (ddffcbde-1aae-477b-ab48-85f638fb457a) |
| key_name | None |
| name | Instance_cli_test-3 |
| progress | 0 |
| project_id | bbe6a457a15b48d792da334eb27a5d7b |
| properties | |
| security_groups | name='default' |
| status | ACTIVE |
| updated | 2025-09-19T13:25:22Z |
| user_id | af704f24dc304c09a051f19c9f4d4efe |
| volumes_attached | |
+-------------------------------------+----------------------------------------------------------+
# Security group name and project ID of "Instance_cli_test-3":
bbe6a457a15b48d792da334eb27a5d7b
name='default'
View the ID of the security group applied to the instance "Instance_cli_test-3"
[root@controller ~(keystone_admin)]# openstack security group list --project bbe6a457a15b48d792da334eb27a5d7b
+--------------------------------------+---------+------------------------+----------------------------------+------+
| ID | Name | Description | Project | Tags |
+--------------------------------------+---------+------------------------+----------------------------------+------+
| 1f67f79a-85df-4a9f-be98-4d96112c14e6 | default | Default security group | bbe6a457a15b48d792da334eb27a5d7b | [] |
| 28d5c3e9-1e25-4c8e-a8ac-afe45ae27e83 | SG_web | | bbe6a457a15b48d792da334eb27a5d7b | [] |
+--------------------------------------+---------+------------------------+----------------------------------+------+
# Security group ID of "Instance_cli_test-3": 1f67f79a-85df-4a9f-be98-4d96112c14e6
View the rule IDs of the security group applied to the instance "Instance_cli_test-3"
[root@controller ~(keystone_admin)]# openstack security group rule list | grep 1f67f79a-85df-4a9f-be98-4d96112c14e6
| 59de7cfe-b87e-44e8-b3bd-60caa0dff3ad | None | IPv4 | 0.0.0.0/0 | | 1f67f79a-85df-4a9f-be98-4d96112c14e6 | 1f67f79a-85df-4a9f-be98-4d96112c14e6 |
| 989132ae-e332-445e-b3d3-b84bf051f827 | None | IPv4 | 0.0.0.0/0 | | None | 1f67f79a-85df-4a9f-be98-4d96112c14e6 |
| afdedaaa-0db4-4024-a287-eebe6a4c7bdd | None | IPv6 | ::/0 | | 1f67f79a-85df-4a9f-be98-4d96112c14e6 | 1f67f79a-85df-4a9f-be98-4d96112c14e6 |
| f6838d75-5e90-477a-a837-6045e7a9978a | None | IPv6 | ::/0 | | None | 1f67f79a-85df-4a9f-be98-4d96112c14e6 |
# Rule IDs of the security group of "Instance_cli_test-3":
59de7cfe-b87e-44e8-b3bd-60caa0dff3ad
989132ae-e332-445e-b3d3-b84bf051f827
afdedaaa-0db4-4024-a287-eebe6a4c7bdd
f6838d75-5e90-477a-a837-6045e7a9978a
View the details of the rules in the security group applied to the instance "Instance_cli_test-3"
# Using the first rule as an example
[root@controller ~(keystone_admin)]# openstack security group rule show 59de7cfe-b87e-44e8-b3bd-60caa0dff3ad
+-------------------+--------------------------------------+
| Field | Value |
+-------------------+--------------------------------------+
| created_at | 2025-09-19T08:46:02Z |
| description | None |
| direction | ingress |
| ether_type | IPv4 |
| id | 59de7cfe-b87e-44e8-b3bd-60caa0dff3ad |
| name | None |
| port_range_max | None |
| port_range_min | None |
| project_id | bbe6a457a15b48d792da334eb27a5d7b |
| protocol | None |
| remote_group_id | 1f67f79a-85df-4a9f-be98-4d96112c14e6 |
| remote_ip_prefix | 0.0.0.0/0 |
| revision_number | 0 |
| security_group_id | 1f67f79a-85df-4a9f-be98-4d96112c14e6 |
| tags | [] |
| updated_at | 2025-09-19T08:46:02Z |
+-------------------+--------------------------------------+
Create the security group "SG_cli"
[root@controller ~(keystone_admin)]# openstack security group create SG_cli
+-----------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+-----------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+
| created_at | 2025-09-19T13:50:49Z |
| description | SG_cli |
| id | 608d13a4-4799-4382-ac0b-114f2f65de49 |
| name | SG_cli |
| project_id | bbe6a457a15b48d792da334eb27a5d7b |
| revision_number | 1 |
| rules | created_at='2025-09-19T13:50:49Z', direction='egress', ethertype='IPv4', id='113049df-a84a-447e-bbc5-914d4995162f', updated_at='2025-09-19T13:50:49Z' |
| | created_at='2025-09-19T13:50:49Z', direction='egress', ethertype='IPv6', id='931bcea7-9698-4178-b92e-89c8dc74158c', updated_at='2025-09-19T13:50:49Z' |
| stateful | True |
| tags | [] |
| updated_at | 2025-09-19T13:50:49Z |
+-----------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+
[root@controller ~(keystone_admin)]# openstack security group list
+--------------------------------------+---------+------------------------+----------------------------------+------+
| ID | Name | Description | Project | Tags |
+--------------------------------------+---------+------------------------+----------------------------------+------+
| 1f67f79a-85df-4a9f-be98-4d96112c14e6 | default | Default security group | bbe6a457a15b48d792da334eb27a5d7b | [] |
| 28d5c3e9-1e25-4c8e-a8ac-afe45ae27e83 | SG_web | | bbe6a457a15b48d792da334eb27a5d7b | [] |
| 608d13a4-4799-4382-ac0b-114f2f65de49 | SG_cli | SG_cli | bbe6a457a15b48d792da334eb27a5d7b | [] |
| 76928e85-f763-4f76-88f7-0d030b1eab0c | default | Default security group | 716c695a1f0d4183ab1e07523ea2202e | [] |
+--------------------------------------+---------+------------------------+----------------------------------+------+
# ID of "SG_cli":
608d13a4-4799-4382-ac0b-114f2f65de49 | SG_cli | SG_cli | bbe6a457a15b48d792da334eb27a5d7b
Add an ICMP rule to the security group "SG_cli" with the following configuration:
Rule: All ICMP.
Direction: Ingress.
Remote: CIDR.
CIDR: 0.0.0.0/0.
[root@controller ~(keystone_admin)]# openstack security group rule create --protocol icmp --ingress --remote-ip 0.0.0.0/0 SG_cli
+-------------------+--------------------------------------+
| Field | Value |
+-------------------+--------------------------------------+
| created_at | 2025-09-19T13:51:44Z |
| description | |
| direction | ingress |
| ether_type | IPv4 |
| id | c8bfcf7f-a437-4d06-bb6c-d1b8a7d43b10 |
| name | None |
| port_range_max | None |
| port_range_min | None |
| project_id | bbe6a457a15b48d792da334eb27a5d7b |
| protocol | icmp |
| remote_group_id | None |
| remote_ip_prefix | 0.0.0.0/0 |
| revision_number | 0 |
| security_group_id | 608d13a4-4799-4382-ac0b-114f2f65de49 |
| tags | [] |
| updated_at | 2025-09-19T13:51:44Z |
+-------------------+--------------------------------------+
Add a TCP rule to the security group "SG_cli" with the following configuration:
Rule: All TCP.
Direction: Ingress.
Remote: CIDR.
CIDR: 0.0.0.0/0.
[root@controller ~(keystone_admin)]# openstack security group rule create --protocol tcp --ingress --remote-ip 0.0.0.0/0 SG_cli
+-------------------+--------------------------------------+
| Field | Value |
+-------------------+--------------------------------------+
| created_at | 2025-09-19T13:52:05Z |
| description | |
| direction | ingress |
| ether_type | IPv4 |
| id | d74a6c15-f9c5-4ad1-acad-ab37718ff223 |
| name | None |
| port_range_max | None |
| port_range_min | None |
| project_id | bbe6a457a15b48d792da334eb27a5d7b |
| protocol | tcp |
| remote_group_id | None |
| remote_ip_prefix | 0.0.0.0/0 |
| revision_number | 0 |
| security_group_id | 608d13a4-4799-4382-ac0b-114f2f65de49 |
| tags | [] |
| updated_at | 2025-09-19T13:52:05Z |
+-------------------+--------------------------------------+
View the rule list of the security group "SG_cli"
[root@controller ~(keystone_admin)]# openstack security group rule list | grep 608d13a4-4799-4382-ac0b-114f2f65de49
| 113049df-a84a-447e-bbc5-914d4995162f | None | IPv4 | 0.0.0.0/0 | | None | 608d13a4-4799-4382-ac0b-114f2f65de49 |
| 931bcea7-9698-4178-b92e-89c8dc74158c | None | IPv6 | ::/0 | | None | 608d13a4-4799-4382-ac0b-114f2f65de49 |
| c8bfcf7f-a437-4d06-bb6c-d1b8a7d43b10 | icmp | IPv4 | 0.0.0.0/0 | | None | 608d13a4-4799-4382-ac0b-114f2f65de49 |
| d74a6c15-f9c5-4ad1-acad-ab37718ff223 | tcp | IPv4 | 0.0.0.0/0 | | None | 608d13a4-4799-4382-ac0b-114f2f65de49 |
Remove the security group "default" from the instance
[root@controller ~(keystone_admin)]# openstack server remove security group Instance_cli_test-3 default
Add the security group "SG_cli" to the instance
[root@controller ~(keystone_admin)]# openstack server add security group Instance_cli_test-3 SG_cli
View again the security group currently applied to the instance "Instance_cli_test-3"
[root@controller ~(keystone_admin)]# openstack server show Instance_cli_test-3 | grep security_groups
| security_groups | name='SG_cli' |
Verify again whether the instance "Instance_cli_test-3" can be pinged from outside
[root@controller ~(keystone_admin)]# ping 192.168.108.113
PING 192.168.108.113 (192.168.108.113) 56(84) bytes of data.
64 bytes from 192.168.108.113: icmp_seq=1 ttl=63 time=6.30 ms
64 bytes from 192.168.108.113: icmp_seq=2 ttl=63 time=1.39 ms
^C
--- 192.168.108.113 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 1.394/3.847/6.300/2.453 ms
Log in to the instance "Instance_cli_test-3" via SSH and verify that it succeeds
[root@controller ~(keystone_admin)]# ssh cirros@192.168.108.113
The authenticity of host '192.168.108.113 (192.168.108.113)' can't be established.
ECDSA key fingerprint is SHA256:GSY9VZBazkEY+JOfIbDX+OGz580hexp6U1w5BUMPcJc.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.108.113' (ECDSA) to the list of known hosts.
cirros@192.168.108.113's password:
$
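The ping and SSH above succeed because the "All TCP" ingress rule added to SG_cli admits every TCP port from any source (0.0.0.0/0), which is exactly the kind of rule to look for when reviewing security groups. The following Python is an added example and not part of the original notes: it parses the table printed by `openstack security group rule show` and rates each rule's exposure; the sample tables are constructed from the rules shown on this page.

```python
import re

# Prefixes that mean "any source address".
ANYWHERE = {"0.0.0.0/0", "::/0"}


def parse_rule_table(text):
    """Parse the '| Field | Value |' table printed by `openstack security group rule show`."""
    rule = {}
    for line in text.splitlines():
        m = re.match(r"^\|\s*(\w+)\s*\|\s*(.*?)\s*\|$", line)
        if m and m.group(1) != "Field":
            value = m.group(2)
            rule[m.group(1)] = None if value in ("None", "") else value
    return rule


def assess_rule(rule):
    """Return (severity, reason) describing how much a single rule exposes."""
    if rule.get("direction") != "ingress":
        return ("ok", "egress rule")
    if rule.get("remote_group_id"):
        return ("ok", "ingress limited to members of group " + rule["remote_group_id"])
    prefix = rule.get("remote_ip_prefix")
    if prefix not in ANYWHERE:
        return ("info", "ingress limited to %s" % prefix)
    proto, lo, hi = rule.get("protocol"), rule.get("port_range_min"), rule.get("port_range_max")
    if proto is None:
        return ("high", "all protocols from anywhere")
    if proto in ("tcp", "udp") and lo is None and hi is None:
        return ("high", "all %s ports from anywhere" % proto.upper())
    if proto in ("tcp", "udp"):
        return ("medium", "%s ports %s-%s from anywhere" % (proto.upper(), lo, hi))
    return ("low", "%s from anywhere" % proto)


def audit(tables):
    """Map each `rule show` table to (rule id, severity, reason)."""
    rows = []
    for text in tables:
        rule = parse_rule_table(text)
        rows.append((rule.get("id"),) + assess_rule(rule))
    return rows


# Constructed samples, trimmed to the fields that matter (values taken from the notes above).
TCP_RULE = """\
| direction         | ingress                              |
| id                | d74a6c15-f9c5-4ad1-acad-ab37718ff223 |
| port_range_max    | None                                 |
| port_range_min    | None                                 |
| protocol          | tcp                                  |
| remote_group_id   | None                                 |
| remote_ip_prefix  | 0.0.0.0/0                            |
"""
DEFAULT_RULE = """\
| direction         | ingress                              |
| id                | 59de7cfe-b87e-44e8-b3bd-60caa0dff3ad |
| protocol          | None                                 |
| remote_group_id   | 1f67f79a-85df-4a9f-be98-4d96112c14e6 |
| remote_ip_prefix  | 0.0.0.0/0                            |
"""
```

Against a live cloud, feed `audit()` the output of `openstack security group rule show <rule-id>` for each ID returned by `openstack security group rule list`; the default group's rule comes out "ok" (it only admits members of the same group) while the SG_cli TCP rule is rated "high".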