#### Background

A while ago, colleagues in the QA department requested a few physical machines to be added to our OpenStack environment in order to deploy a fully isolated functional test environment. The most basic requirement was network isolation. Because Neutron here uses OVS + VLAN, security group rules alone could not meet such complex requirements, so most of the isolation was implemented as access policies on the switches. The network requirements of the isolated environment are summarised below; since they are not the subject of this post, they are only stated briefly:

- Test-environment VMs on the internal network must not be able to reach the production environment;
- Internal-network VMs must be able to communicate with production infrastructure services (monitoring, configuration management, automation, package repositories, etc.);
- Two load-balancer VMs must be reachable from the office network and must themselves be able to reach the test VMs;
- All test-environment subnets must be reachable through the bastion host.

If the network isolation is implemented on the physical switches, OpenStack itself only needs to provide two things: isolation of compute resources and a network dedicated to the tenant.

Compute resources are handed to the QA department by creating a new Availability Zone for them; this part is straightforward and is not covered here.

The tenant-dedicated network is configured in two parts: first, the Neutron ML2 plugin configuration; second, adjusting which host the network's DHCP agent runs on.
#### Procedure

1. Adjust the ML2 configuration so that virtual networks created on this node can only be placed on the OpenStack physical network (physnet):

```
$ cat /etc/neutron/plugins/ml2/ml2_conf.ini
[ml2_type_vlan]
network_vlan_ranges = physnet2:vlan_id_start:vlan_id_end
$ cat /etc/neutron/plugins/ml2/openvswitch_agent.ini
[ovs]
bridge_mappings = physnet2:br-em2   # the external network is physnet2
```
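Added example (not from the original post): a small Python check that parses the two settings shown above and reports a physnet listed in `network_vlan_ranges` that has no `bridge_mappings` entry on the OVS agent, or a malformed VLAN range. The file contents are constructed samples standing in for the two files above; a second physnet is included so the check has something to find.

```python
import configparser

# Constructed sample contents standing in for the two files shown above.
# physnet3 is deliberately missing from bridge_mappings.
ML2_CONF = """
[ml2_type_vlan]
network_vlan_ranges = physnet2:100:199,physnet3:200:299
"""
OVS_CONF = """
[ovs]
bridge_mappings = physnet2:br-em2
"""

def parse_vlan_ranges(text):
    """Return {physnet: (start, end) or None} from [ml2_type_vlan]."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    ranges = {}
    for entry in cp["ml2_type_vlan"]["network_vlan_ranges"].split(","):
        parts = entry.strip().split(":")
        if len(parts) == 1:      # bare physnet: provider networks only
            ranges[parts[0]] = None
        else:
            ranges[parts[0]] = (int(parts[1]), int(parts[2]))
    return ranges

def parse_bridge_mappings(text):
    """Return {physnet: ovs_bridge} from [ovs] bridge_mappings."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return dict(item.strip().split(":", 1)
                for item in cp["ovs"]["bridge_mappings"].split(","))

def check_ml2_vlan(ml2_text, ovs_text):
    """List every mismatch; an empty list means tenant VLANs can bind here."""
    problems = []
    mappings = parse_bridge_mappings(ovs_text)
    for physnet, rng in parse_vlan_ranges(ml2_text).items():
        if physnet not in mappings:
            problems.append(f"{physnet}: no bridge_mappings entry on this agent")
        if rng and not (1 <= rng[0] <= rng[1] <= 4094):
            problems.append(f"{physnet}: bad VLAN range {rng[0]}:{rng[1]}")
    return problems

if __name__ == "__main__":
    print("\n".join(check_ml2_vlan(ML2_CONF, OVS_CONF) or ["ok"]))
```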
2. The tenant creates a private network.

Because the only tenant network type available at the ML2 layer is VLAN, the network created here is recorded in Neutron as a network on the physical network; enable DHCP on it.

3. Change the DHCP scope (which agent hosts the network)

The neutron-dhcp-agent service provides DHCP to tenant networks: the agent creates a port on the OVS bridge of the network it serves and runs dnsmasq listening on that port. neutron-dhcp-agent is made up of three main parts: the dhcp scheduler, which assigns networks to DHCP agents; the dhcp agent, which provides the DHCP service itself; and the dhcp driver, the actual implementation, which is dnsmasq.
- Find the DHCP port:

```
$ neutron port-list --device_owner=network:dhcp
+--------------------------------------+------+-------------------+------------------------------------------------------------------------------------+
| id | name | mac_address | fixed_ips |
+--------------------------------------+------+-------------------+------------------------------------------------------------------------------------+
| a0b3461c-a87d-41fc-8b8d-5d04956d60bc | | fa:16:3e:d1:4f:b0 | {"subnet_id": "e0b734e8-83b4-4a00-a7ef-a5c44b8b3d74", "ip_address": "10.1.1.1"} |
+--------------------------------------+------+-------------------+------------------------------------------------------------------------------------+
```
- List the agents:

```
$ neutron agent-list
+--------------------------------------+--------------------+-------------------------+-------------------+-------+----------------+---------------------------+
| id | agent_type | host | availability_zone | alive | admin_state_up | binary |
+--------------------------------------+--------------------+-------------------------+-------------------+-------+----------------+---------------------------+
| 1ffc04ce-9e3f-4549-b9fd-0033ae8f753b | DHCP agent | l-01-mitaka.region1.com | nova | :-) | True | neutron-dhcp-agent |
| 5bbc1e7a-2a13-40fe-a533-64e69e60fad6 | Open vSwitch agent | l-01-mitaka.region1.com | | :-) | True | neutron-openvswitch-agent |
| 972a3b3e-d78e-4bb9-9a03-be5becd01c26 | Metering agent | l-01-mitaka.region1.com | | :-) | True | neutron-metering-agent |
| a9ee8c9a-1680-48e4-a398-0c2b0af2383f | L3 agent | l-01-mitaka.region1.com | nova | :-) | True | neutron-l3-agent |
| cca0e384-c3e5-439a-8325-ef6ff8fdd934 | Metadata agent | l-01-mitaka.region1.com | | :-) | True | neutron-metadata-agent |
| fea81323-3599-4ad7-9083-601784aaba78 | Open vSwitch agent | l-02-mitaka.region1.com | | :-) | True | neutron-openvswitch-agent |
+--------------------------------------+--------------------+-------------------------+-------------------+-------+----------------+---------------------------+
```
Start the neutron-dhcp-agent service on node l-02-mitaka.region1.com and list the agents again:

```
$ neutron agent-list
+--------------------------------------+--------------------+-------------------------+-------------------+-------+----------------+---------------------------+
| id | agent_type | host | availability_zone | alive | admin_state_up | binary |
+--------------------------------------+--------------------+-------------------------+-------------------+-------+----------------+---------------------------+
| 1ffc04ce-9e3f-4549-b9fd-0033ae8f753b | DHCP agent | l-01-mitaka.region1.com | nova | :-) | True | neutron-dhcp-agent |
| 5bbc1e7a-2a13-40fe-a533-64e69e60fad6 | Open vSwitch agent | l-01-mitaka.region1.com | | :-) | True | neutron-openvswitch-agent |
| 972a3b3e-d78e-4bb9-9a03-be5becd01c26 | Metering agent | l-01-mitaka.region1.com | | :-) | True | neutron-metering-agent |
| a9ee8c9a-1680-48e4-a398-0c2b0af2383f | L3 agent | l-01-mitaka.region1.com | nova | :-) | True | neutron-l3-agent |
| cca0e384-c3e5-439a-8325-ef6ff8fdd934 | Metadata agent | l-01-mitaka.region1.com | | :-) | True | neutron-metadata-agent |
| fea81323-3599-4ad7-9083-601784aaba78 | Open vSwitch agent | l-02-mitaka.region1.com | | :-) | True | neutron-openvswitch-agent |
| 5ebcaef1-401c-4572-b924-75289ea4d94e | DHCP agent | l-02-mitaka.region1.com | nova | :-) | True | neutron-dhcp-agent |
+--------------------------------------+--------------------+-------------------------+-------------------+-------+----------------+---------------------------+
```
- Check which host's DHCP agent the network is bound to:

```
$ neutron dhcp-agent-list-hosting-net <network id>
+--------------------------------------+-------------------------+----------------+-------+
| id | host | admin_state_up | alive |
+--------------------------------------+-------------------------+----------------+-------+
| 1ffc04ce-9e3f-4549-b9fd-0033ae8f753b | l-01-mitaka.region1.com | True | :-) |
+--------------------------------------+-------------------------+----------------+-------+
```
This shows that by default the network's DHCP agent is bound to the network node. Since the VLAN of the network node is isolated from the VM VLAN of the test-environment physical machines, a VM the tenant creates on this network cannot obtain an IP address at this point. The host the DHCP agent is bound to therefore has to be changed.

- Remove the existing binding (both subcommands take the DHCP agent id first, then the network id):

```
$ neutron dhcp-agent-network-remove 1ffc04ce-9e3f-4549-b9fd-0033ae8f753b <network id>
```

- Recreate the binding on the DHCP agent of the test node:

```
$ neutron dhcp-agent-network-add 5ebcaef1-401c-4572-b924-75289ea4d94e <network id>
```
At this point we can log in to that physical machine and look at the DHCP port bound on its OVS:

```
$ ip netns exec qdhcp-6a96e7c1-1c2f-47a2-bbdd-e9282a58064f ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
17: tapa0b3461c-a8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether fa:16:3e:d1:4f:b0 brd ff:ff:ff:ff:ff:ff
    inet 10.1.1.1/24 brd 10.1.31.255 scope global tapa0b3461c-a8
       valid_lft forever preferred_lft forever
    inet6 fe80::f816:3eff:fed1:4fb0/64 scope link
       valid_lft forever preferred_lft forever
$ ip netns exec qdhcp-6a96e7c1-1c2f-47a2-bbdd-e9282a58064f ps aux | grep dns
nobody 3836 0.0 0.0 15672 1048 ? S 1月22 3:11 dnsmasq --no-hosts --no-resolv --strict-order --except-interface=lo --pid-file=/var/lib/neutron/dhcp/6a96e7c1-1c2f-47a2-bbdd-e9282a58064f/pid --dhcp-hostsfile=/var/lib/neutron/dhcp/6a96e7c1-1c2f-47a2-bbdd-e9282a58064f/host --addn-hosts=/var/lib/neutron/dhcp/6a96e7c1-1c2f-47a2-bbdd-e9282a58064f/addn_hosts --dhcp-optsfile=/var/lib/neutron/dhcp/6a96e7c1-1c2f-47a2-bbdd-e9282a58064f/opts --dhcp-leasefile=/var/lib/neutron/dhcp/6a96e7c1-1c2f-47a2-bbdd-e9282a58064f/leases --dhcp-match=set:ipxe,175 --bind-interfaces --interface=tapa0b3461c-a8 --dhcp-range=set:tag0,10.1.1.0,static,86400s --dhcp-option-force=option:mtu,1500 --dhcp-lease-max=512 --conf-file= --domain=openstacklocal
```
With this done, the VMs created by the QA colleagues obtain their IP addresses over DHCP.
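Added example (not from the original post): a Python helper that reads the two tables shown above (`neutron agent-list` and `neutron dhcp-agent-list-hosting-net`) and works out the remove/add commands needed so that only the DHCP agent on the test node serves the network, failing loudly if that node has no live DHCP agent. The tables are constructed from the post's output, keeping only the columns the planner reads, and the network id is taken from the qdhcp namespace name above.

```python
# Constructed samples in the neutron CLI's table format, using the ids from the
# post; only the columns the planner reads are kept.
AGENT_LIST = """\
+--------------------------------------+------------+-------------------------+-------+
| id                                   | agent_type | host                    | alive |
+--------------------------------------+------------+-------------------------+-------+
| 1ffc04ce-9e3f-4549-b9fd-0033ae8f753b | DHCP agent | l-01-mitaka.region1.com | :-)   |
| a9ee8c9a-1680-48e4-a398-0c2b0af2383f | L3 agent   | l-01-mitaka.region1.com | :-)   |
| 5ebcaef1-401c-4572-b924-75289ea4d94e | DHCP agent | l-02-mitaka.region1.com | :-)   |
+--------------------------------------+------------+-------------------------+-------+
"""
HOSTING_LIST = """\
+--------------------------------------+-------------------------+----------------+-------+
| id                                   | host                    | admin_state_up | alive |
+--------------------------------------+-------------------------+----------------+-------+
| 1ffc04ce-9e3f-4549-b9fd-0033ae8f753b | l-01-mitaka.region1.com | True           | :-)   |
+--------------------------------------+-------------------------+----------------+-------+
"""
NETWORK_ID = "6a96e7c1-1c2f-47a2-bbdd-e9282a58064f"  # from the qdhcp netns above

def parse_table(text):
    """Turn a neutron CLI ASCII table into a list of {column: value} dicts."""
    rows = [ln for ln in text.splitlines() if ln.startswith("|")]
    cells = [[c.strip() for c in r.strip("|").split("|")] for r in rows]
    return [dict(zip(cells[0], row)) for row in cells[1:]]

def plan_dhcp_rebind(network_id, target_host, agent_table, hosting_table):
    """Return the neutron commands that leave only the live DHCP agent on
    target_host serving network_id; an empty list means nothing to do."""
    live_dhcp = [a for a in parse_table(agent_table)
                 if a["agent_type"] == "DHCP agent" and a["alive"] == ":-)"]
    target = [a["id"] for a in live_dhcp if a["host"] == target_host]
    if not target:
        raise RuntimeError(f"no live DHCP agent on {target_host}")
    hosting = {a["id"]: a["host"] for a in parse_table(hosting_table)}
    # Agent id comes first, then network id, for both subcommands.
    cmds = [f"neutron dhcp-agent-network-remove {agent_id} {network_id}"
            for agent_id, host in hosting.items() if host != target_host]
    if target[0] not in hosting:
        cmds.append(f"neutron dhcp-agent-network-add {target[0]} {network_id}")
    return cmds

if __name__ == "__main__":
    for cmd in plan_dhcp_rebind(NETWORK_ID, "l-02-mitaka.region1.com",
                                AGENT_LIST, HOSTING_LIST):
        print(cmd)
```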
#### Aside

- How do you free a physical machine's swap space?

The precondition for freeing swap is that there is enough physical memory to take back what has been swapped out. Then run `swapoff -a && swapon -a` and you are done. It does take a long time, though: 16G took a full four and a half hours.