背景####
前段时间测试部门的同事申请了一些物理机接入到OpenStack环境中,用于部署一套完全隔离的功能测试环境。其最基本的需求就是要是实现网络的隔离性。由于Neutron这边采用的OVS + Vlan的方式,单纯的安全组策略并不能满足复杂的需求,所以大部分的隔离是在交换机上做访问策略。整理了下隔离环境的网络需求,由于不涉及本文内容,就简单表述了下:
内网业务测试环境虚拟机不能访问线上环境;
内网虚拟机需要和线上基础服务(包含监控、配置管理、自动化、源等等)端通信;
要求两台负载均衡器虚拟机能够被办公网访问,同时可以访问测试虚拟机;
要求所有测试环境网段能通过堡垒机访问;
在这里,如果网络隔离放在物理机交换上实现,那么OpenStack这里就只需要做到计算资源的隔离和租户独占的网络即可。
计算资源通过创建新的Availalibity Zone来给测试部门使用,这部分很简单,按下不表。
租户独占网络分两部分配置,一是配置Neutron客户端配置;二是调整Dhcp-agent作用域。
操作####
1.调整ML2配置,使改节点上创建的虚拟网络只能是OpenStack物理网络(physnet),
$ cat /etc/neutron/plugins/ml2/ml2_conf.ini
[ml2_type_vlan]
network_vlan_ranges = physnet2:vlan_id_start:vlan_id_end
$ cat /etc/neutron/plugins/ml2/openvswitch_agent.ini
[ovs]
bridge_mappings = physnet2:br-em2 #外部网络为physent2
2.租户创建私有网络
由于在底层ML2上Tenant的网络驱动只有Vlan,所以这里创建下来的Net在Neutron中标记是物理网络;
创建网络
创建子网
在这里激活DHCP
精细配置项
3.更改DHCP作用域
neutron-dhcp-agent服务主要为租户提供dhcp服务,agent会在要作用网络的OVS上绑定一个Port,将dnsmasq服务监听在这个Port上。那么neutron-dhcp-agent服务主要是3个部件:dhcp scheduler负责DHCP agent与network的调度;dhcp agent提供DHCP服务;dhcp driver主要实现的驱动,主要是dnsmasq
- 查dhcp port
$ neutron port-list --device_owner=network:dhcp
+--------------------------------------+------+-------------------+------------------------------------------------------------------------------------+
| id | name | mac_address | fixed_ips |
+--------------------------------------+------+-------------------+------------------------------------------------------------------------------------+
| a0b3461c-a87d-41fc-8b8d-5d04956d60bc | | fa:16:3e:d1:4f:b0 | {"subnet_id": "e0b734e8-83b4-4a00-a7ef-a5c44b8b3d74", "ip_address": "10.1.1.1"} |
+--------------------------------------+------+-------------------+------------------------------------------------------------------------------------+
- 查dhcp-agent
$ neutron agent-list
+--------------------------------------+--------------------+-------------------------+-------------------+-------+----------------+---------------------------+
| id | agent_type | host | availability_zone | alive | admin_state_up | binary |
+--------------------------------------+--------------------+-------------------------+-------------------+-------+----------------+---------------------------+
| 1ffc04ce-9e3f-4549-b9fd-0033ae8f753b | DHCP agent | l-01-mitaka.region1.com | nova | :-) | True | neutron-dhcp-agent |
| 5bbc1e7a-2a13-40fe-a533-64e69e60fad6 | Open vSwitch agent | l-01-mitaka.region1.com | | :-) | True | neutron-openvswitch-agent |
| 972a3b3e-d78e-4bb9-9a03-be5becd01c26 | Metering agent | l-01-mitaka.region1.com | | :-) | True | neutron-metering-agent |
| a9ee8c9a-1680-48e4-a398-0c2b0af2383f | L3 agent | l-01-mitaka.region1.com | nova | :-) | True | neutron-l3-agent |
| cca0e384-c3e5-439a-8325-ef6ff8fdd934 | Metadata agent | l-01-mitaka.region1.com | | :-) | True | neutron-metadata-agent |
| fea81323-3599-4ad7-9083-601784aaba78 | Open vSwitch agent | l-02-mitaka.region1.com | | :-) | True | neutron-openvswitch-agent |
+--------------------------------------+--------------------+-------------------------+-------------------+-------+----------------+---------------------------+
在l-02-mitaka.region1.com节点上启动neutron-dhcp-agent服务,结果再查结果
$ neutron agent-list
+--------------------------------------+--------------------+-------------------------+-------------------+-------+----------------+---------------------------+
| id | agent_type | host | availability_zone | alive | admin_state_up | binary |
+--------------------------------------+--------------------+-------------------------+-------------------+-------+----------------+---------------------------+
| 1ffc04ce-9e3f-4549-b9fd-0033ae8f753b | DHCP agent | l-01-mitaka.region1.com | nova | :-) | True | neutron-dhcp-agent |
| 5bbc1e7a-2a13-40fe-a533-64e69e60fad6 | Open vSwitch agent | l-01-mitaka.region1.com | | :-) | True | neutron-openvswitch-agent |
| 972a3b3e-d78e-4bb9-9a03-be5becd01c26 | Metering agent | l-01-mitaka.region1.com | | :-) | True | neutron-metering-agent |
| a9ee8c9a-1680-48e4-a398-0c2b0af2383f | L3 agent | l-01-mitaka.region1.com | nova | :-) | True | neutron-l3-agent |
| cca0e384-c3e5-439a-8325-ef6ff8fdd934 | Metadata agent | l-01-mitaka.region1.com | | :-) | True | neutron-metadata-agent |
| fea81323-3599-4ad7-9083-601784aaba78 | Open vSwitch agent | l-02-mitaka.region1.com | | :-) | True | neutron-openvswitch-agent |
| 5ebcaef1-401c-4572-b924-75289ea4d94e | DHCP agent | l-02-mitaka.region1.com | nova | :-) | True | neutron-dhcp-agent |
+--------------------------------------+--------------------+-------------------------+-------------------+-------+----------------+---------------------------+
- 查dhcp的绑定host
$ neutron dhcp-agent-list-hosting-net
+--------------------------------------+-------------------------+----------------+-------+
| id | host | admin_state_up | alive |
+--------------------------------------+-------------------------+----------------+-------+
| 1ffc04ce-9e3f-4549-b9fd-0033ae8f753b | l-01-mitaka.region1.com | True | :-) |
+--------------------------------------+-------------------------+----------------+-------+
这里看到默认的网络dhcp-agent是绑定到网络节点上的,由于网络节点与测试环境物理机的虚拟机网络vlan之间是隔离的,所以这个时候租户用这个网络创建虚拟机并不能获取到IP地址。这个时候就需要更改dhcp绑定的host。
- 删除绑定关系
$ neutron dhcp-agent-network-remove 1ffc04ce-9e3f-4549-b9fd-0033ae8f753b
- 重建绑定关系
$ neutron dhcp-agent-network-remove 5ebcaef1-401c-4572-b924-75289ea4d94e
这个时候,我们就以通过登录这台物理机上查看ovs上绑定的dhcp作用port
$ ip netns exec qdhcp-6a96e7c1-1c2f-47a2-bbdd-e9282a58064f ip a
1: lo: mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
17: tapa0b3461c-a8: mtu 1500 qdisc noqueue state UNKNOWN
link/ether fa:16:3e:d1:4f:b0 brd ff:ff:ff:ff:ff:ff
inet 10.1.1.1/24 brd 10.1.31.255 scope global tapa0b3461c-a8
valid_lft forever preferred_lft forever
inet6 fe80::f816:3eff:fed1:4fb0/64 scope link
valid_lft forever preferred_lft forever
$ ip netns exec qdhcp-6a96e7c1-1c2f-47a2-bbdd-e9282a58064f ps aux |grep dns
nobody 3836 0.0 0.0 15672 1048 ? S 1月22 3:11 dnsmasq --no-hosts --no-resolv --strict-order --except-interface=lo --pid-file=/var/lib/neutron/dhcp/6a96e7c1-1c2f-47a2-bbdd-e9282a58064f/pid --dhcp-hostsfile=/var/lib/neutron/dhcp/6a96e7c1-1c2f-47a2-bbdd-e9282a58064f/host --addn-hosts=/var/lib/neutron/dhcp/6a96e7c1-1c2f-47a2-bbdd-e9282a58064f/addn_hosts --dhcp-optsfile=/var/lib/neutron/dhcp/6a96e7c1-1c2f-47a2-bbdd-e9282a58064f/opts --dhcp-leasefile=/var/lib/neutron/dhcp/6a96e7c1-1c2f-47a2-bbdd-e9282a58064f/leases --dhcp-match=set:ipxe,175 --bind-interfaces --interface=tapa0b3461c-a8 --dhcp-range=set:tag0,10.1.1.0,static,86400s --dhcp-option-force=option:mtu,1500 --dhcp-lease-max=512 --conf-file= --domain=openstacklocal
做到这里,测试部门的同事创建的虚拟机就能够dchp到ip地址了。
番外
- 如何释放物理机的swap空间?
释放swap的前提需要物理内存有足够的容量。接下来执行命令swapoff -a && swapon -a就好了。不过这个释放的时间够长的,16G足足用了4个半小时。