Neutron: Creating an Independent DHCP Scope

Background

A while ago, colleagues in the test department requested some physical machines to be added to the OpenStack environment in order to deploy a fully isolated functional test environment. Their most basic requirement was network isolation. Since Neutron here uses OVS + VLAN, security-group rules alone cannot meet such complex requirements, so most of the isolation is done with access policies on the switches. I summarized the network requirements of the isolated environment; since they are not the subject of this article, only a brief description follows:

  • VMs in the internal test environment must not be able to reach the production environment;

  • Internal VMs need to communicate with the production base services (including monitoring, configuration management, automation, package mirrors and so on);

  • Two load-balancer VMs must be reachable from the office network and must also be able to reach the test VMs;

  • All test-environment network segments must be reachable through the bastion host.

If network isolation is implemented on the physical switches, then on the OpenStack side we only need to isolate the compute resources and give the tenant a dedicated network.

Compute resources are handled by creating a new Availability Zone for the test department; this part is simple and is not covered here.

The tenant's dedicated network is configured in two parts: first, the Neutron configuration on the node; second, adjusting the scope of the DHCP agent.

Procedure

1. Adjust the ML2 configuration so that virtual networks created on this node can only be OpenStack physical networks (physnet):

$ cat /etc/neutron/plugins/ml2/ml2_conf.ini
[ml2_type_vlan]
network_vlan_ranges = physnet2:vlan_id_start:vlan_id_end

$ cat /etc/neutron/plugins/ml2/openvswitch_agent.ini
[ovs]
bridge_mappings = physnet2:br-em2    # the external network is physnet2

2. The tenant creates a private network

Because the only tenant network type driver in the underlying ML2 is VLAN, the network created here is marked in Neutron as a physical network;

(Screenshot: create network)
(Screenshot: create subnet)
(Screenshot: enable DHCP here)
(Screenshot: detailed configuration options)

3. Change the DHCP scope

The neutron-dhcp-agent service provides DHCP to tenants: the agent binds a port on the OVS bridge of the network it serves and has dnsmasq listen on that port. The service therefore consists of three parts: the dhcp scheduler, which handles the scheduling of DHCP agents to networks; the dhcp agent, which provides the DHCP service itself; and the dhcp driver, which implements the actual backend, mainly dnsmasq.

  • Look up the DHCP port
$ neutron port-list --device_owner=network:dhcp
+--------------------------------------+------+-------------------+------------------------------------------------------------------------------------+
| id                                   | name | mac_address       | fixed_ips                                                                          |
+--------------------------------------+------+-------------------+------------------------------------------------------------------------------------+
| a0b3461c-a87d-41fc-8b8d-5d04956d60bc |      | fa:16:3e:d1:4f:b0 | {"subnet_id": "e0b734e8-83b4-4a00-a7ef-a5c44b8b3d74", "ip_address": "10.1.1.1"}    |
+--------------------------------------+------+-------------------+------------------------------------------------------------------------------------+
  • Look up the DHCP agents
$ neutron agent-list
+--------------------------------------+--------------------+-------------------------+-------------------+-------+----------------+---------------------------+
| id                                   | agent_type         | host                    | availability_zone | alive | admin_state_up | binary                    |
+--------------------------------------+--------------------+-------------------------+-------------------+-------+----------------+---------------------------+
| 1ffc04ce-9e3f-4549-b9fd-0033ae8f753b | DHCP agent         | l-01-mitaka.region1.com | nova              | :-)   | True           | neutron-dhcp-agent        |
| 5bbc1e7a-2a13-40fe-a533-64e69e60fad6 | Open vSwitch agent | l-01-mitaka.region1.com |                   | :-)   | True           | neutron-openvswitch-agent |
| 972a3b3e-d78e-4bb9-9a03-be5becd01c26 | Metering agent     | l-01-mitaka.region1.com |                   | :-)   | True           | neutron-metering-agent    |
| a9ee8c9a-1680-48e4-a398-0c2b0af2383f | L3 agent           | l-01-mitaka.region1.com | nova              | :-)   | True           | neutron-l3-agent          |
| cca0e384-c3e5-439a-8325-ef6ff8fdd934 | Metadata agent     | l-01-mitaka.region1.com |                   | :-)   | True           | neutron-metadata-agent    |
| fea81323-3599-4ad7-9083-601784aaba78 | Open vSwitch agent | l-02-mitaka.region1.com |                   | :-)   | True           | neutron-openvswitch-agent |
+--------------------------------------+--------------------+-------------------------+-------------------+-------+----------------+---------------------------+

Start the neutron-dhcp-agent service on node l-02-mitaka.region1.com and list the agents again:

$ neutron agent-list
+--------------------------------------+--------------------+-------------------------+-------------------+-------+----------------+---------------------------+
| id                                   | agent_type         | host                    | availability_zone | alive | admin_state_up | binary                    |
+--------------------------------------+--------------------+-------------------------+-------------------+-------+----------------+---------------------------+
| 1ffc04ce-9e3f-4549-b9fd-0033ae8f753b | DHCP agent         | l-01-mitaka.region1.com | nova              | :-)   | True           | neutron-dhcp-agent        |
| 5bbc1e7a-2a13-40fe-a533-64e69e60fad6 | Open vSwitch agent | l-01-mitaka.region1.com |                   | :-)   | True           | neutron-openvswitch-agent |
| 972a3b3e-d78e-4bb9-9a03-be5becd01c26 | Metering agent     | l-01-mitaka.region1.com |                   | :-)   | True           | neutron-metering-agent    |
| a9ee8c9a-1680-48e4-a398-0c2b0af2383f | L3 agent           | l-01-mitaka.region1.com | nova              | :-)   | True           | neutron-l3-agent          |
| cca0e384-c3e5-439a-8325-ef6ff8fdd934 | Metadata agent     | l-01-mitaka.region1.com |                   | :-)   | True           | neutron-metadata-agent    |
| fea81323-3599-4ad7-9083-601784aaba78 | Open vSwitch agent | l-02-mitaka.region1.com |                   | :-)   | True           | neutron-openvswitch-agent |
| 5ebcaef1-401c-4572-b924-75289ea4d94e | DHCP agent         | l-02-mitaka.region1.com | nova              | :-)   | True           | neutron-dhcp-agent        |
+--------------------------------------+--------------------+-------------------------+-------------------+-------+----------------+---------------------------+
  • Look up the host the network's DHCP is bound to
$ neutron  dhcp-agent-list-hosting-net <network id>
+--------------------------------------+-------------------------+----------------+-------+
| id                                   | host                    | admin_state_up | alive |
+--------------------------------------+-------------------------+----------------+-------+
| 1ffc04ce-9e3f-4549-b9fd-0033ae8f753b | l-01-mitaka.region1.com | True           | :-)   |
+--------------------------------------+-------------------------+----------------+-------+

Here we see that by default the network's DHCP agent is bound to the network node. Since the network node and the VLAN of the VM network on the test-environment physical machines are isolated from each other, VMs that the tenant creates on this network cannot obtain an IP address at this point. So the host that the DHCP binding points to has to be changed.

  • Delete the binding (the client takes the DHCP agent id first, then the network)
$ neutron dhcp-agent-network-remove 1ffc04ce-9e3f-4549-b9fd-0033ae8f753b <network id>
  • Recreate the binding on the new agent
$ neutron dhcp-agent-network-add 5ebcaef1-401c-4572-b924-75289ea4d94e <network id>

At this point we can log in to that physical machine and look at the DHCP port that is now bound on the OVS there:

$ ip netns exec qdhcp-6a96e7c1-1c2f-47a2-bbdd-e9282a58064f ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
17: tapa0b3461c-a8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether fa:16:3e:d1:4f:b0 brd ff:ff:ff:ff:ff:ff
    inet 10.1.1.1/24 brd 10.1.31.255 scope global tapa0b3461c-a8
       valid_lft forever preferred_lft forever
    inet6 fe80::f816:3eff:fed1:4fb0/64 scope link
       valid_lft forever preferred_lft forever
       
$ ip netns exec qdhcp-6a96e7c1-1c2f-47a2-bbdd-e9282a58064f ps aux |grep dns
nobody    3836  0.0  0.0  15672  1048 ?        S    1月22   3:11 dnsmasq --no-hosts --no-resolv --strict-order --except-interface=lo --pid-file=/var/lib/neutron/dhcp/6a96e7c1-1c2f-47a2-bbdd-e9282a58064f/pid --dhcp-hostsfile=/var/lib/neutron/dhcp/6a96e7c1-1c2f-47a2-bbdd-e9282a58064f/host --addn-hosts=/var/lib/neutron/dhcp/6a96e7c1-1c2f-47a2-bbdd-e9282a58064f/addn_hosts --dhcp-optsfile=/var/lib/neutron/dhcp/6a96e7c1-1c2f-47a2-bbdd-e9282a58064f/opts --dhcp-leasefile=/var/lib/neutron/dhcp/6a96e7c1-1c2f-47a2-bbdd-e9282a58064f/leases --dhcp-match=set:ipxe,175 --bind-interfaces --interface=tapa0b3461c-a8 --dhcp-range=set:tag0,10.1.1.0,static,86400s --dhcp-option-force=option:mtu,1500 --dhcp-lease-max=512 --conf-file= --domain=openstacklocal

With this done, the VMs created by the test department's colleagues can obtain IP addresses via DHCP.
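As an added example (not the original post's commands), the following POSIX shell script automates the rebinding described above: it parses the `neutron agent-list` and `dhcp-agent-list-hosting-net` tables, removes every binding that is not the DHCP agent on the wanted host, and adds that one, so that no dnsmasq port is left on the isolated network node. The sample tables and the `fake_neutron` stub are constructed so it can be exercised offline; with the real client installed, `NEUTRON=neutron rebind_network <network id> l-02-mitaka.region1.com` performs the change.

```shell
# Added example, not from the original post: move a network's DHCP binding
# from whichever agent currently hosts it to the DHCP agent on TARGET_HOST.
# NEUTRON names the CLI to call; it defaults to the Mitaka-era `neutron`
# client used in the post and can be pointed at a stub for a dry run.
NEUTRON="${NEUTRON:-neutron}"

# Constructed samples with the column layout of the post's CLI output.
SAMPLE_AGENTS='| id                                   | agent_type         | host                    |
+------+------+------+
| 1ffc04ce-9e3f-4549-b9fd-0033ae8f753b | DHCP agent         | l-01-mitaka.region1.com |
| fea81323-3599-4ad7-9083-601784aaba78 | Open vSwitch agent | l-02-mitaka.region1.com |
| 5ebcaef1-401c-4572-b924-75289ea4d94e | DHCP agent         | l-02-mitaka.region1.com |'
SAMPLE_HOSTING='| id                                   | host                    |
+------+------+
| 1ffc04ce-9e3f-4549-b9fd-0033ae8f753b | l-01-mitaka.region1.com |'

# dhcp_agent_id HOST TABLE: id of the "DHCP agent" row for HOST in `agent-list` output.
dhcp_agent_id() {
    printf '%s\n' "$2" | awk -F'|' -v host="$1" '
        NF > 3 { gsub(/ /, "", $2); gsub(/^ +| +$/, "", $3); gsub(/^ +| +$/, "", $4) }
        $3 == "DHCP agent" && $4 == host { print $2 }'
}

# hosting_agent_ids TABLE: agent ids in `dhcp-agent-list-hosting-net` output.
hosting_agent_ids() {
    printf '%s\n' "$1" | awk -F'|' 'NF > 2 && $2 !~ /id/ { gsub(/ /, "", $2); print $2 }'
}

# rebind_network NET_ID TARGET_HOST: drop stale bindings, then add the wanted one.
rebind_network() {
    net="$1"; target="$2"
    new_agent=$(dhcp_agent_id "$target" "$($NEUTRON agent-list)")
    [ -n "$new_agent" ] || { echo "no DHCP agent found on $target" >&2; return 1; }
    for old in $(hosting_agent_ids "$($NEUTRON dhcp-agent-list-hosting-net "$net")"); do
        # the client's argument order is <dhcp-agent-id> <network>
        [ "$old" = "$new_agent" ] || $NEUTRON dhcp-agent-network-remove "$old" "$net"
    done
    $NEUTRON dhcp-agent-network-add "$new_agent" "$net"
}

# Stub standing in for the real client so the script can be exercised offline.
fake_neutron() {
    case "$1" in
        agent-list) printf '%s\n' "$SAMPLE_AGENTS" ;;
        dhcp-agent-list-hosting-net) printf '%s\n' "$SAMPLE_HOSTING" ;;
        *) echo "would run: neutron $*" ;;
    esac
}
```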

Extra

  • How do you free a physical machine's swap space?

The precondition for freeing swap is that physical memory has enough free capacity. Then just run swapoff -a && swapon -a. It does take quite a long time, though: 16G took a full four and a half hours.
