Launch an instance
Create virtual networks
Create the self-service network
- On the controller node, source the demo credentials to gain access to user-only CLI commands (this step does not need admin rights):

  $ . demo-openrc
- Create the network:

  $ neutron net-create selfservice
  Created a new network:
  +-----------------------+--------------------------------------+
  | Field                 | Value                                |
  +-----------------------+--------------------------------------+
  | admin_state_up        | True                                 |
  | id                    | 7c6f9b37-76b4-463e-98d8-27e5686ed083 |
  | mtu                   | 0                                    |
  | name                  | selfservice                          |
  | port_security_enabled | True                                 |
  | router:external       | False                                |
  | shared                | False                                |
  | status                | ACTIVE                               |
  | subnets               |                                      |
  | tenant_id             | f5b2ccaa75ac413591f12fcaa096aa5c     |
  +-----------------------+--------------------------------------+

  Note that port_security_enabled is True: ports on this network get security-group filtering and MAC/IP anti-spoofing rules, which the security group rules added later in this guide rely on.
  Non-privileged users typically cannot supply additional parameters to this command. The service automatically chooses parameters using information from the following file:

  ml2_conf.ini:

  [ml2]
  tenant_network_types = vxlan

  [ml2_type_vxlan]
  vni_ranges = 1:1000
- Create a subnet on the network:

  $ neutron subnet-create --name selfservice \
    --dns-nameserver DNS_RESOLVER --gateway SELFSERVICE_NETWORK_GATEWAY \
    selfservice SELFSERVICE_NETWORK_CIDR

  Replace DNS_RESOLVER with the IP address of a DNS resolver. In most cases, you can use one from the /etc/resolv.conf file on the host.

  Replace SELFSERVICE_NETWORK_GATEWAY with the gateway you want to use on the self-service network, typically the ".1" IP address.

  Replace SELFSERVICE_NETWORK_CIDR with the subnet you want to use on the self-service network. You can use any arbitrary value, although we recommend a network from RFC 1918 <https://tools.ietf.org/html/rfc1918>. The range must not overlap the provider network, because the router created below NATs between the two.
  Example

  The self-service network uses 172.16.1.0/24 with a gateway on 172.16.1.1. A DHCP server assigns each instance an IP address from 172.16.1.2 to 172.16.1.254. All instances use 8.8.4.4 as a DNS resolver.

  $ neutron subnet-create --name selfservice \
    --dns-nameserver 8.8.4.4 --gateway 172.16.1.1 \
    selfservice 172.16.1.0/24
  Created a new subnet:
  +-------------------+------------------------------------------------+
  | Field             | Value                                          |
  +-------------------+------------------------------------------------+
  | allocation_pools  | {"start": "172.16.1.2", "end": "172.16.1.254"} |
  | cidr              | 172.16.1.0/24                                  |
  | dns_nameservers   | 8.8.4.4                                        |
  | enable_dhcp       | True                                           |
  | gateway_ip        | 172.16.1.1                                     |
  | host_routes       |                                                |
  | id                | 3482f524-8bff-4871-80d4-5774c2730728           |
  | ip_version        | 4                                              |
  | ipv6_address_mode |                                                |
  | ipv6_ra_mode      |                                                |
  | name              | selfservice                                    |
  | network_id        | 7c6f9b37-76b4-463e-98d8-27e5686ed083           |
  | subnetpool_id     |                                                |
  | tenant_id         | f5b2ccaa75ac413591f12fcaa096aa5c               |
  +-------------------+------------------------------------------------+
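The subnet parameters above are easy to get wrong, and a bad gateway or an overlapping range only shows up later when the router is attached. The following added example (written for this page, not code from the OpenStack project) checks the three placeholders before you run neutron subnet-create, and derives the allocation pool that Neutron assigns when no --allocation-pool is given: every usable address with the gateway excluded, split into two pools if the gateway sits in the middle. It also goes slightly beyond the guide by checking that the self-service range does not overlap the provider network; 203.0.113.0/24 is the provider range used elsewhere in this guide, and the other sample values are constructed.

```python
"""Pre-flight checks for the neutron subnet-create placeholders.

Added example for this guide, not OpenStack code. IPv4 only.
"""
import ipaddress

# RFC 1918 private ranges, listed explicitly rather than relying on
# ipaddress.is_private, which also covers loopback, link-local and 100.64/10.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _within(net, container):
    """True if every address of net lies inside container."""
    return (net.network_address in container
            and net.broadcast_address in container)


def check_subnet(cidr, gateway, dns_resolver, provider_cidr="203.0.113.0/24"):
    """Return a list of problems; an empty list means the values are usable.

    provider_cidr defaults to the provider network used in this guide;
    pass your own if it differs (assumption, not read from the cloud).
    """
    problems = []
    net = ipaddress.ip_network(cidr, strict=False)
    if str(net) != cidr:
        problems.append("CIDR %s has host bits set; Neutron would use %s" % (cidr, net))

    gw = ipaddress.ip_address(gateway)
    if gw not in net:
        problems.append("gateway %s is not inside %s" % (gateway, net))
    elif gw in (net.network_address, net.broadcast_address):
        problems.append("gateway %s is the network or broadcast address" % gateway)

    if not any(_within(net, p) for p in RFC1918):
        problems.append("%s is not an RFC 1918 range" % net)

    provider = ipaddress.ip_network(provider_cidr)
    if net.overlaps(provider):
        problems.append("%s overlaps the provider network %s; the router cannot "
                        "NAT between overlapping ranges" % (net, provider))

    try:
        ipaddress.ip_address(dns_resolver)
    except ValueError:
        problems.append("DNS resolver %r is not an IP address" % (dns_resolver,))
    return problems


def default_allocation_pools(cidr, gateway):
    """Pools Neutron creates when --allocation-pool is omitted.

    All usable host addresses, excluding the gateway; if the gateway is
    in the middle of the range the result is two pools.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    gw = ipaddress.ip_address(gateway)
    first = net.network_address + 1
    last = net.broadcast_address - 1
    if gw not in net or not (first <= gw <= last):
        return [(str(first), str(last))]
    pools = []
    if gw > first:
        pools.append((str(first), str(gw - 1)))
    if gw < last:
        pools.append((str(gw + 1), str(last)))
    return pools


if __name__ == "__main__":
    # The guide's own example values.
    print(check_subnet("172.16.1.0/24", "172.16.1.1", "8.8.4.4"))
    print(default_allocation_pools("172.16.1.0/24", "172.16.1.1"))
```

With the guide's values the check returns no problems and the pool 172.16.1.2 to 172.16.1.254, matching the allocation_pools field in the output above.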
Create the router

Self-service networks connect to provider networks using a virtual router that typically performs bidirectional NAT. Each router contains an interface on at least one self-service network and a gateway on a provider network.

The provider network must include the router:external option to enable self-service routers to use it for connectivity to external networks such as the Internet. The admin or other privileged user must include this option during network creation or add it later. In this case, we add the router:external option to the provider network.
- On the controller node, source the admin credentials to gain access to admin-only CLI commands:

  $ . admin-openrc
- Add the router:external option to the provider network:

  $ neutron net-update provider --router:external
  Updated network: provider
- Source the demo credentials to gain access to user-only CLI commands:

  $ . demo-openrc
- Create the router:

  $ neutron router-create router
  Created a new router:
  +-----------------------+--------------------------------------+
  | Field                 | Value                                |
  +-----------------------+--------------------------------------+
  | admin_state_up        | True                                 |
  | external_gateway_info |                                      |
  | id                    | 89dd2083-a160-4d75-ab3a-14239f01ea0b |
  | name                  | router                               |
  | routes                |                                      |
  | status                | ACTIVE                               |
  | tenant_id             | f5b2ccaa75ac413591f12fcaa096aa5c     |
  +-----------------------+--------------------------------------+
- Add the self-service network subnet as an interface on the router:

  $ neutron router-interface-add router selfservice
  Added interface bff6605d-824c-41f9-b744-21d128fc86e1 to router router.
- Set a gateway on the provider network on the router:

  $ neutron router-gateway-set router provider
  Set gateway for router router
Verify operation

We recommend that you verify operation and fix any issues before proceeding. The following steps use the IP address ranges from the network and subnet creation examples.
- On the controller node, source the admin credentials to gain access to admin-only CLI commands:

  $ . admin-openrc
- List network namespaces. You should see one qrouter namespace and two qdhcp namespaces (one per network with DHCP enabled, provider and selfservice):

  $ ip netns
  qrouter-89dd2083-a160-4d75-ab3a-14239f01ea0b
  qdhcp-7c6f9b37-76b4-463e-98d8-27e5686ed083
  qdhcp-0e62efcd-8cee-46c7-b163-d8df05c3c5ad
- List ports on the router to determine the gateway IP address on the provider network:

  $ neutron router-port-list router
  +--------------------------------------+------+-------------------+------------------------------------------+
  | id                                   | name | mac_address       | fixed_ips                                |
  +--------------------------------------+------+-------------------+------------------------------------------+
  | bff6605d-824c-41f9-b744-21d128fc86e1 |      | fa:16:3e:2f:34:9b | {"subnet_id":                            |
  |                                      |      |                   | "3482f524-8bff-4871-80d4-5774c2730728",  |
  |                                      |      |                   | "ip_address": "172.16.1.1"}              |
  | d6fe98db-ae01-42b0-a860-37b1661f5950 |      | fa:16:3e:e8:c1:41 | {"subnet_id":                            |
  |                                      |      |                   | "5cc70da8-4ee7-4565-be53-b9c011fca011",  |
  |                                      |      |                   | "ip_address": "203.0.113.102"}           |
  +--------------------------------------+------+-------------------+------------------------------------------+
- Ping this IP address from the controller node or any host on the provider physical network:

  $ ping -c 4 203.0.113.102
  PING 203.0.113.102 (203.0.113.102) 56(84) bytes of data.
  64 bytes from 203.0.113.102: icmp_req=1 ttl=64 time=0.619 ms
  64 bytes from 203.0.113.102: icmp_req=2 ttl=64 time=0.189 ms
  64 bytes from 203.0.113.102: icmp_req=3 ttl=64 time=0.165 ms
  64 bytes from 203.0.113.102: icmp_req=4 ttl=64 time=0.216 ms

  --- 203.0.113.102 ping statistics ---
  rtt min/avg/max/mdev = 0.165/0.297/0.619/0.187 ms
Create the m1.nano flavor

The smallest default flavor consumes 512 MB of memory per instance. For environments with compute nodes containing less than 4 GB of memory, we recommend creating the m1.nano flavor, which only requires 64 MB per instance. Only use this flavor with the CirrOS image for testing purposes. Creating flavors is an admin-only operation under the default policy, so source admin-openrc before running this command.
$ openstack flavor create --id 0 --vcpus 1 --ram 64 --disk 1 m1.nano
+----------------------------+---------+
| Field | Value |
+----------------------------+---------+
| OS-FLV-DISABLED:disabled | False |
| OS-FLV-EXT-DATA:ephemeral | 0 |
| disk | 1 |
| id | 0 |
| name | m1.nano |
| os-flavor-access:is_public | True |
| ram | 64 |
| rxtx_factor | 1.0 |
| swap | |
| vcpus | 1 |
+----------------------------+---------+
Generate a key pair

Most cloud images support public key authentication rather than conventional password authentication. Before launching an instance, you must add a public key to the Compute service.
- Source the demo project credentials:

  $ . demo-openrc
- Generate and add a key pair:

  $ ssh-keygen -q -N ""
  $ openstack keypair create --public-key ~/.ssh/id_rsa.pub mykey
  +-------------+-------------------------------------------------+
  | Field       | Value                                           |
  +-------------+-------------------------------------------------+
  | fingerprint | ee:3d:2e:97:d4:e2:6a:54:6d:0d:ce:43:39:2c:ba:4d |
  | name        | mykey                                           |
  | user_id     | 58126687cbcc4888bfa9ab73a2256f27                |
  +-------------+-------------------------------------------------+

  Alternatively, you can skip the ssh-keygen command and use an existing public key. Note that -N "" writes an unencrypted private key to ~/.ssh/id_rsa; only the public key is uploaded to the Compute service, so protect the private key on the controller (or use an existing passphrase-protected key instead), because anyone who reads it can log in to every instance launched with mykey.
- Verify addition of the key pair:

  $ openstack keypair list
  +-------+-------------------------------------------------+
  | Name  | Fingerprint                                     |
  +-------+-------------------------------------------------+
  | mykey | ee:3d:2e:97:d4:e2:6a:54:6d:0d:ce:43:39:2c:ba:4d |
  +-------+-------------------------------------------------+
Add security group rules

By default, the default security group applies to all instances and includes firewall rules that deny remote access to instances. For Linux images such as CirrOS, we recommend allowing at least ICMP (ping) and secure shell (SSH).
- Add rules to the default security group:
  - Permit ICMP (ping):

    $ openstack security group rule create --proto icmp default
    +-----------------------+--------------------------------------+
    | Field                 | Value                                |
    +-----------------------+--------------------------------------+
    | id                    | a1876c06-7f30-4a67-a324-b6b5d1309546 |
    | ip_protocol           | icmp                                 |
    | ip_range              | 0.0.0.0/0                            |
    | parent_group_id       | b0d53786-5ebb-4729-9e4a-4b675016a958 |
    | port_range            |                                      |
    | remote_security_group |                                      |
    +-----------------------+--------------------------------------+
  - Permit secure shell (SSH) access:

    $ openstack security group rule create --proto tcp --dst-port 22 default
    +-----------------------+--------------------------------------+
    | Field                 | Value                                |
    +-----------------------+--------------------------------------+
    | id                    | 3d95e59c-e98d-45f1-af04-c750af914f14 |
    | ip_protocol           | tcp                                  |
    | ip_range              | 0.0.0.0/0                            |
    | parent_group_id       | b0d53786-5ebb-4729-9e4a-4b675016a958 |
    | port_range            | 22:22                                |
    | remote_security_group |                                      |
    +-----------------------+--------------------------------------+

    Both rules show ip_range 0.0.0.0/0: once the instance has a floating IP, SSH is reachable from every host that can route to the provider network. For anything beyond this test environment, limit the source with --src-ip (for example, the CIDR of your management hosts) or scope the rule to another security group instead of any address.
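A quick way to see which rules in a security group are open to any source, as an added example for this guide (not OpenStack code). The rule records are constructed from the fields the CLI output above shows (ip_protocol, ip_range, port_range, remote_security_group); a third, source-restricted SSH rule is added to show the contrast. In a live environment you would build the same dictionaries from the client's list output, which this example does not call.

```python
"""Flag security group rules that admit any source on sensitive ports.

Added example for this guide, not OpenStack code. Input records mirror
the fields shown by `openstack security group rule create` above.
"""
import ipaddress

# Constructed sample: the two rules this guide creates, plus one SSH rule
# restricted to the provider network range (a constructed id).
SAMPLE_RULES = [
    {"id": "a1876c06-7f30-4a67-a324-b6b5d1309546", "ip_protocol": "icmp",
     "ip_range": "0.0.0.0/0", "port_range": "", "remote_security_group": ""},
    {"id": "3d95e59c-e98d-45f1-af04-c750af914f14", "ip_protocol": "tcp",
     "ip_range": "0.0.0.0/0", "port_range": "22:22", "remote_security_group": ""},
    {"id": "constructed-restricted-ssh", "ip_protocol": "tcp",
     "ip_range": "203.0.113.0/24", "port_range": "22:22", "remote_security_group": ""},
]

# Ports that should never be reachable from an unrestricted source.
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 5900: "vnc"}


def port_range(rule):
    """Parse 'lo:hi' into (lo, hi); an empty port_range means all ports."""
    pr = rule.get("port_range") or ""
    if not pr:
        return (1, 65535)
    lo, hi = pr.split(":")
    return (int(lo), int(hi))


def is_open_to_any_source(rule):
    """True if the rule is bound to no remote group and its CIDR is 0.0.0.0/0 or ::/0."""
    if rule.get("remote_security_group"):
        return False
    src = rule.get("ip_range") or "0.0.0.0/0"
    return ipaddress.ip_network(src).prefixlen == 0


def audit(rules):
    """Return (rule id, reason) for each rule open to any source on ICMP or a sensitive port."""
    findings = []
    for rule in rules:
        if not is_open_to_any_source(rule):
            continue
        proto = (rule.get("ip_protocol") or "").lower()
        if proto == "icmp":
            findings.append((rule["id"], "icmp from any source"))
            continue
        lo, hi = port_range(rule)
        hit = [name for port, name in SENSITIVE_PORTS.items() if lo <= port <= hi]
        if hit:
            findings.append((rule["id"], "%s from any source (%s %d:%d)"
                             % (",".join(hit), proto, lo, hi)))
    return findings


if __name__ == "__main__":
    for rule_id, reason in audit(SAMPLE_RULES):
        print(rule_id, reason)
```

Running it against the sample flags the guide's two rules and passes the source-restricted one; in a real cloud the same function pointed at the project's full rule set shows every group that exposes SSH, RDP or VNC to the world.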
Determine instance options

To launch an instance, you must at least specify the flavor, image name, network, security group, key, and instance name.
- On the controller node, source the demo credentials to gain access to user-only CLI commands:

  $ . demo-openrc
- A flavor specifies a virtual resource allocation profile which includes processor, memory, and storage.

  List available flavors:

  $ openstack flavor list
  +----+-----------+-------+------+-----------+-------+-----------+
  | ID | Name      |   RAM | Disk | Ephemeral | VCPUs | Is Public |
  +----+-----------+-------+------+-----------+-------+-----------+
  | 1  | m1.tiny   |   512 |    1 |         0 |     1 | True      |
  | 2  | m1.small  |  2048 |   20 |         0 |     1 | True      |
  | 3  | m1.medium |  4096 |   40 |         0 |     2 | True      |
  | 4  | m1.large  |  8192 |   80 |         0 |     4 | True      |
  | 5  | m1.xlarge | 16384 |  160 |         0 |     8 | True      |
  +----+-----------+-------+------+-----------+-------+-----------+
  This instance uses the m1.tiny flavor. If you created the m1.nano flavor, use it instead of m1.tiny.

  You can also reference a flavor by ID.
- List available images:

  $ openstack image list
  +--------------------------------------+--------+--------+
  | ID                                   | Name   | Status |
  +--------------------------------------+--------+--------+
  | 390eb5f7-8d49-41ec-95b7-68c0d5d54b34 | cirros | active |
  +--------------------------------------+--------+--------+

  This instance uses the cirros image.
- List available networks:

  $ openstack network list
  +--------------------------------------+-------------+--------------------------------------+
  | ID                                   | Name        | Subnets                              |
  +--------------------------------------+-------------+--------------------------------------+
  | 4716ddfe-6e60-40e7-b2a8-42e57bf3c31c | selfservice | 2112d5eb-f9d6-45fd-906e-7cabd38b7c7c |
  | b5b6993c-ddf9-40e7-91d0-86806a42edb8 | provider    | 310911f6-acf0-4a47-824e-3032916582ff |
  +--------------------------------------+-------------+--------------------------------------+

  This instance uses the selfservice self-service network. You must reference this network using the ID instead of the name.
- List available security groups:

  $ openstack security group list
  +--------------------------------------+---------+------------------------+
  | ID                                   | Name    | Description            |
  +--------------------------------------+---------+------------------------+
  | dd2b614c-3dad-48ed-958b-b155a3b38515 | default | Default security group |
  +--------------------------------------+---------+------------------------+

  This instance uses the default security group.
- Launch the instance:

  Replace SELFSERVICE_NET_ID with the ID of the selfservice network.

  $ openstack server create --flavor m1.tiny --image cirros \
    --nic net-id=SELFSERVICE_NET_ID --security-group default \
    --key-name mykey selfservice-instance
  +--------------------------------------+-----------------------------------------------+
  | Field                                | Value                                         |
  +--------------------------------------+-----------------------------------------------+
  | OS-DCF:diskConfig                    | MANUAL                                        |
  | OS-EXT-AZ:availability_zone          |                                               |
  | OS-EXT-STS:power_state               | 0                                             |
  | OS-EXT-STS:task_state                | scheduling                                    |
  | OS-EXT-STS:vm_state                  | building                                      |
  | OS-SRV-USG:launched_at               | None                                          |
  | OS-SRV-USG:terminated_at             | None                                          |
  | accessIPv4                           |                                               |
  | accessIPv6                           |                                               |
  | addresses                            |                                               |
  | adminPass                            | 7KTBYHSjEz7E                                  |
  | config_drive                         |                                               |
  | created                              | 2016-02-26T14:52:37Z                          |
  | flavor                               | m1.tiny (1)                                   |
  | hostId                               |                                               |
  | id                                   | 113c5892-e58e-4093-88c7-e33f502eaaa4          |
  | image                                | cirros (390eb5f7-8d49-41ec-95b7-68c0d5d54b34) |
  | key_name                             | mykey                                         |
  | name                                 | selfservice-instance                          |
  | os-extended-volumes:volumes_attached | []                                            |
  | progress                             | 0                                             |
  | project_id                           | ed0b60bf607743088218b0a533d5943f              |
  | properties                           |                                               |
  | security_groups                      | [{u'name': u'default'}]                       |
  | status                               | BUILD                                         |
  | updated                              | 2016-02-26T14:52:38Z                          |
  | user_id                              | 58126687cbcc4888bfa9ab73a2256f27              |
  +--------------------------------------+-----------------------------------------------+

  The adminPass value is the generated administrative password for the instance and is shown only in this output; treat the terminal scrollback and any log of this session as sensitive.
- Check the status of your instance:

  $ openstack server list
  +--------------------------------------+----------------------+--------+---------------------------------+
  | ID                                   | Name                 | Status | Networks                        |
  +--------------------------------------+----------------------+--------+---------------------------------+
  | 113c5892-e58e-4093-88c7-e33f502eaaa4 | selfservice-instance | ACTIVE | selfservice=172.16.1.3          |
  | 181c52ba-aebc-4c32-a97d-2e8e82e4eaaf | provider-instance    | ACTIVE | provider=203.0.113.103          |
  +--------------------------------------+----------------------+--------+---------------------------------+

  The status changes from BUILD to ACTIVE when the build process successfully completes.
Access the instance using a virtual console

- Obtain a Virtual Network Computing (VNC) session URL for your instance and access it from a web browser:

  $ openstack console url show selfservice-instance
  +-------+---------------------------------------------------------------------------------+
  | Field | Value                                                                           |
  +-------+---------------------------------------------------------------------------------+
  | type  | novnc                                                                           |
  | url   | http://controller:6080/vnc_auto.html?token=5eeccb47-525c-4918-ac2a-3ad1e9f1f493 |
  +-------+---------------------------------------------------------------------------------+

  The token in the URL is the only thing that authorizes the console session: anyone who obtains the URL before the token expires gets the same console access as you, and in this configuration it travels over plain HTTP. Do not paste it into shared channels, and put the noVNC proxy behind TLS outside of test environments.
  The CirrOS image includes conventional user name/password authentication and provides these credentials at the login prompt. After logging into CirrOS, we recommend that you verify network connectivity using ping.
- Verify access to the self-service network gateway:

  $ ping -c 4 172.16.1.1
  PING 172.16.1.1 (172.16.1.1) 56(84) bytes of data.
  64 bytes from 172.16.1.1: icmp_req=1 ttl=64 time=0.357 ms
  64 bytes from 172.16.1.1: icmp_req=2 ttl=64 time=0.473 ms
  64 bytes from 172.16.1.1: icmp_req=3 ttl=64 time=0.504 ms
  64 bytes from 172.16.1.1: icmp_req=4 ttl=64 time=0.470 ms

  --- 172.16.1.1 ping statistics ---
  4 packets transmitted, 4 received, 0% packet loss, time 2998ms
  rtt min/avg/max/mdev = 0.357/0.451/0.504/0.055 ms
- Verify access to the Internet:

  $ ping -c 4 openstack.org
  PING openstack.org (174.143.194.225) 56(84) bytes of data.
  64 bytes from 174.143.194.225: icmp_req=1 ttl=53 time=17.4 ms
  64 bytes from 174.143.194.225: icmp_req=2 ttl=53 time=17.5 ms
  64 bytes from 174.143.194.225: icmp_req=3 ttl=53 time=17.7 ms
  64 bytes from 174.143.194.225: icmp_req=4 ttl=53 time=17.5 ms

  --- openstack.org ping statistics ---
  4 packets transmitted, 4 received, 0% packet loss, time 3003ms
  rtt min/avg/max/mdev = 17.431/17.575/17.734/0.143 ms
Verify remote access

- Create a floating IP address on the provider network:

  $ openstack ip floating create provider
  +-------------+--------------------------------------+
  | Field       | Value                                |
  +-------------+--------------------------------------+
  | fixed_ip    | None                                 |
  | id          | 3d05a9b1-b1af-4884-be1c-833a69744449 |
  | instance_id | None                                 |
  | ip          | 203.0.113.104                        |
  | pool        | provider                             |
  +-------------+--------------------------------------+
- Associate the floating IP address with the instance:

  $ openstack ip floating add 203.0.113.104 selfservice-instance

  This command provides no output.
- Check the status of your floating IP address:

  $ openstack server list
  +--------------------------------------+----------------------+--------+---------------------------------------+
  | ID                                   | Name                 | Status | Networks                              |
  +--------------------------------------+----------------------+--------+---------------------------------------+
  | 113c5892-e58e-4093-88c7-e33f502eaaa4 | selfservice-instance | ACTIVE | selfservice=172.16.1.3, 203.0.113.104 |
  | 181c52ba-aebc-4c32-a97d-2e8e82e4eaaf | provider-instance    | ACTIVE | provider=203.0.113.103                |
  +--------------------------------------+----------------------+--------+---------------------------------------+
- Verify connectivity to the instance via the floating IP address from the controller node or any host on the provider physical network:

  $ ping -c 4 203.0.113.104
  PING 203.0.113.104 (203.0.113.104) 56(84) bytes of data.
  64 bytes from 203.0.113.104: icmp_req=1 ttl=63 time=3.18 ms
  64 bytes from 203.0.113.104: icmp_req=2 ttl=63 time=0.981 ms
  64 bytes from 203.0.113.104: icmp_req=3 ttl=63 time=1.06 ms
  64 bytes from 203.0.113.104: icmp_req=4 ttl=63 time=0.929 ms

  --- 203.0.113.104 ping statistics ---
  4 packets transmitted, 4 received, 0% packet loss, time 3002ms
  rtt min/avg/max/mdev = 0.929/1.539/3.183/0.951 ms
- Access your instance using SSH from the controller node or any host on the provider physical network:

  $ ssh cirros@203.0.113.104
  The authenticity of host '203.0.113.104 (203.0.113.104)' can't be established.
  RSA key fingerprint is ed:05:e9:e7:52:a0:ff:83:68:94:c7:d1:f2:f8:e2:e9.
  Are you sure you want to continue connecting (yes/no)? yes
  Warning: Permanently added '203.0.113.104' (RSA) to the list of known hosts.

  Answering yes here pins whatever key is presented; a floating IP is reused across instances, so a stale known_hosts entry or an impostor on the provider network is indistinguishable from the real instance. Before accepting, compare the fingerprint with the host key the instance printed on its own console (openstack console log show selfservice-instance), which reaches you through the Compute API rather than the network you are about to trust.
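The comparison described above, as an added example for this guide (not OpenStack or CirrOS code). CirrOS and cloud-init based images print the instance's SSH host public keys to the console during boot inside a BEGIN/END SSH HOST KEY KEYS block; the console text below is a constructed sample in that style with a dummy key blob (not a real RSA key), standing in for the output of openstack console log show, which this example does not call. The fingerprint is computed in the MD5 colon-hex form the ssh client in this guide prints; newer clients default to SHA256 base64 fingerprints, for which the hash and parsing would differ.

```python
"""Compare the host key ssh presents with the key the instance logged on its console.

Added example for this guide, not OpenStack or CirrOS code.
"""
import base64
import hashlib
import re

# Constructed console output modelled on a CirrOS boot log. The key blob
# is a dummy base64 string, not a real RSA public key.
CONSTRUCTED_CONSOLE_LOG = """\
=== network info ===
if-info: lo,up,127.0.0.1,8,::1
if-info: eth0,up,172.16.1.3,24,fe80::f816:3eff:fe5c:5f8e
-----BEGIN SSH HOST KEY KEYS-----
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC0eXAmPlEk root@selfservice-instance
-----END SSH HOST KEY KEYS-----
=== cirros: current=0.3.4 ===
"""

KEY_BLOCK = re.compile(
    r"-----BEGIN SSH HOST KEY KEYS-----\n(.*?)-----END SSH HOST KEY KEYS-----", re.S)
KEY_LINE = re.compile(r"^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp\d+) (\S+)", re.M)
PROMPT_FP = re.compile(r"key fingerprint is ((?:[0-9a-f]{2}:){15}[0-9a-f]{2})")


def md5_fingerprint(b64_key):
    """Legacy OpenSSH fingerprint: MD5 over the decoded key blob, colon-separated hex."""
    digest = hashlib.md5(base64.b64decode(b64_key)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def console_host_keys(console_text):
    """Map key type -> MD5 fingerprint for every key inside the console's host key block."""
    block = KEY_BLOCK.search(console_text)
    if not block:
        return {}
    return {ktype: md5_fingerprint(blob)
            for ktype, blob in KEY_LINE.findall(block.group(1))}


def ssh_prompt_fingerprint(prompt_text):
    """Extract the colon-hex fingerprint from ssh's 'key fingerprint is ...' line."""
    m = PROMPT_FP.search(prompt_text)
    return m.group(1) if m else None


def host_key_matches(console_text, prompt_text):
    """True only if the fingerprint ssh showed equals one the instance logged itself."""
    seen = ssh_prompt_fingerprint(prompt_text)
    return seen is not None and seen in console_host_keys(console_text).values()


if __name__ == "__main__":
    # The prompt from this guide; it will not match the dummy key above.
    prompt = "RSA key fingerprint is ed:05:e9:e7:52:a0:ff:83:68:94:c7:d1:f2:f8:e2:e9."
    print(console_host_keys(CONSTRUCTED_CONSOLE_LOG))
    print("match:", host_key_matches(CONSTRUCTED_CONSOLE_LOG, prompt))
```

Only answer yes to the ssh prompt when host_key_matches is True; a mismatch means either the console log is from a different boot or the address is not answered by the instance you think it is.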