How to Integrate Tungsten Fabric with OpenStack-Ansible (Part 2)



  • How to Integrate Tungsten Fabric with OpenStack-Ansible (Part 1)

    Testing and verification

    Tungsten Fabric has been configured to use Keystone authentication. To verify this, open the TF UI in a browser using the external VIP address and port 8143:
    [screenshot: Tungsten Fabric login page]
    Enter the username admin and the password defined in the openrc file; for the domain, enter default. If authentication succeeds, the dashboard should look like this:
    [screenshot: Tungsten Fabric dashboard after login]
    Back in OpenStack, we can run openstack network list to view the networks:

    root@aio1-utility-container-ee37a935:~# openstack network list
    +--------------------------------------+-------------------------+---------+
    | ID                                   | Name                    | Subnets |
    +--------------------------------------+-------------------------+---------+
    | 723e67c1-8ccd-43ba-a6f4-8b2399c1b8d2 | __link_local__          |         |
    | 5a2947ce-0030-4d2a-a06a-76b0d6934102 | ip-fabric               |         |
    | 5f4b0153-8146-4e9c-91d4-c60364ece6bc | default-virtual-network |         |
    +--------------------------------------+-------------------------+---------+
    

    These networks are created by the TF plugin/driver and should not be deleted.
    Create a test network:

    root@aio1-utility-container-ee37a935:~# openstack network create test_network_green
    +---------------------------+--------------------------------------+
    | Field                     | Value                                |
    +---------------------------+--------------------------------------+
    | admin_state_up            | UP                                   |
    | availability_zone_hints   | None                                 |
    | availability_zones        | None                                 |
    | created_at                | None                                 |
    | description               | None                                 |
    | dns_domain                | None                                 |
    | id                        | d9e0507f-5ef4-4b62-bf69-176340095053 |
    | ipv4_address_scope        | None                                 |
    | ipv6_address_scope        | None                                 |
    | is_default                | None                                 |
    | is_vlan_transparent       | None                                 |
    | mtu                       | None                                 |
    | name                      | test_network_green                   |
    | port_security_enabled     | True                                 |
    | project_id                | e565909917a5463b867c5a7594a7612f     |
    | provider:network_type     | None                                 |
    | provider:physical_network | None                                 |
    | provider:segmentation_id  | None                                 |
    | qos_policy_id             | None                                 |
    | revision_number           | None                                 |
    | router:external           | Internal                             |
    | segments                  | None                                 |
    | shared                    | False                                |
    | status                    | ACTIVE                               |
    | subnets                   |                                      |
    | tags                      |                                      |
    | updated_at                | None                                 |
    +---------------------------+--------------------------------------+
    

    Note that the provider attributes are unset, but they no longer matter to us. The TF plugin may not support the other attributes.
    Create a subnet:

    root@aio1-utility-container-ee37a935:~# openstack subnet create --subnet-range 172.23.0.0/24 --network test_network_green test_subnet_green
    +-------------------+--------------------------------------+
    | Field             | Value                                |
    +-------------------+--------------------------------------+
    | allocation_pools  | 172.23.0.2-172.23.0.254              |
    | cidr              | 172.23.0.0/24                        |
    | created_at        | None                                 |
    | description       | None                                 |
    | dns_nameservers   |                                      |
    | enable_dhcp       | True                                 |
    | gateway_ip        | 172.23.0.1                           |
    | host_routes       |                                      |
    | id                | cc2d2f56-5c87-49fb-afd5-14e32feccd6a |
    | ip_version        | 4                                    |
    | ipv6_address_mode | None                                 |
    | ipv6_ra_mode      | None                                 |
    | name              | test_subnet_green                    |
    | network_id        | d9e0507f-5ef4-4b62-bf69-176340095053 |
    | project_id        | e565909917a5463b867c5a7594a7612f     |
    | revision_number   | None                                 |
    | segment_id        | None                                 |
    | service_types     | None                                 |
    | subnetpool_id     | None                                 |
    | tags              |                                      |
    | updated_at        | None                                 |
    +-------------------+--------------------------------------+
    

    IPv6 should be supported, but I ran into problems when trying to create an IPv6 subnet. At this point our network is ready for VMs. For good measure, I created a security group that can be applied to instances to allow SSH:

    root@aio1-utility-container-ee37a935:~# openstack security group create allow_ssh
    +-----------------+--------------------------------------+
    | Field           | Value                                |
    +-----------------+--------------------------------------+
    | created_at      | None                                 |
    | description     | allow_ssh                            |
    | id              | 39a9e241-27c3-452a-b37a-80b6dcbbf783 |
    | name            | allow_ssh                            |
    | project_id      | e565909917a5463b867c5a7594a7612f     |
    | revision_number | None                                 |
    | rules           |                                      |
    | tags            | []                                   |
    | updated_at      | None                                 |
    +-----------------+--------------------------------------+
    
    root@aio1-utility-container-ee37a935:~# openstack security group rule create --dst-port 22 allow_ssh
    
    +-------------------+--------------------------------------+
    | Field             | Value                                |
    +-------------------+--------------------------------------+
    | created_at        | None                                 |
    | description       | None                                 |
    | direction         | ingress                              |
    | ether_type        | IPv4                                 |
    | id                | b8393e4d-1d9d-47e9-877e-86374f38dca1 |
    | name              | None                                 |
    | port_range_max    | 22                                   |
    | port_range_min    | 22                                   |
    | project_id        | e565909917a5463b867c5a7594a7612f     |
    | protocol          | tcp                                  |
    | remote_group_id   | None                                 |
    | remote_ip_prefix  | 0.0.0.0/0                            |
    | revision_number   | None                                 |
    | security_group_id | 39a9e241-27c3-452a-b37a-80b6dcbbf783 |
    | updated_at        | None                                 |
    +-------------------+--------------------------------------+
    

    Then I launched an instance using the tiny flavor and the CirrOS image:

    root@aio1-utility-container-ee37a935:~# openstack server create --image cirros --flavor test_flavor --nic net-id=test_network_green --security-group allow_ssh test1
    +-------------------------------------+----------------------------------------------------+
    | Field                               | Value                                              |
    +-------------------------------------+----------------------------------------------------+
    | OS-DCF:diskConfig                   | MANUAL                                             |
    | OS-EXT-AZ:availability_zone         |                                                    |
    | OS-EXT-SRV-ATTR:host                | None                                               |
    | OS-EXT-SRV-ATTR:hypervisor_hostname | None                                               |
    | OS-EXT-SRV-ATTR:instance_name       |                                                    |
    | OS-EXT-STS:power_state              | NOSTATE                                            |
    | OS-EXT-STS:task_state               | scheduling                                         |
    | OS-EXT-STS:vm_state                 | building                                           |
    | OS-SRV-USG:launched_at              | None                                               |
    | OS-SRV-USG:terminated_at            | None                                               |
    | accessIPv4                          |                                                    |
    | accessIPv6                          |                                                    |
    | addresses                           |                                                    |
    | adminPass                           | a8tghwSoTWZP                                       |
    | config_drive                        |                                                    |
    | created                             | 2018-06-18T14:34:49Z                               |
    | flavor                              | test_flavor (5c0600b7-f9fe-46f3-8af5-f8390ee5c6f3) |
    | hostId                              |                                                    |
    | id                                  | b14d1861-8855-4d17-a2d3-87eb67a3d81c               |
    | image                               | cirros (4006fd58-cdc5-4bd8-bc25-ef73be1cd429)      |
    | key_name                            | None                                               |
    | name                                | test1                                              |
    | progress                            | 0                                                  |
    | project_id                          | e565909917a5463b867c5a7594a7612f                   |
    | properties                          |                                                    |
    | security_groups                     | name='39a9e241-27c3-452a-b37a-80b6dcbbf783'        |
    | status                              | BUILD                                              |
    | updated                             | 2018-06-18T14:34:49Z                               |
    | user_id                             | f6aac1aa53294659998aa71838133a1d                   |
    | volumes_attached                    |                                                    |
    +-------------------------------------+----------------------------------------------------+
    
    root@aio1-utility-container-ee37a935:~# openstack server list
    +--------------------------------------+-------+--------+-------------------------------+--------+-------------+
    | ID                                   | Name  | Status | Networks                      | Image  | Flavor      |
    +--------------------------------------+-------+--------+-------------------------------+--------+-------------+
    | b14d1861-8855-4d17-a2d3-87eb67a3d81c | test1 | ACTIVE | test_network_green=172.23.0.3 | cirros | test_flavor |
    +--------------------------------------+-------+--------+-------------------------------+--------+-------------+
    

    Now I can connect to the instance's console and try an outbound connection:
    [screenshot: instance console, outbound connection attempt]
    In the Tungsten Fabric UI I was able to enable SNAT on the network, allowing the vRouter to SNAT outbound connections from the VM:
    [screenshot: SNAT setting in the Tungsten Fabric UI]
    A quick test shows that ping works:
    [screenshot: ping from the instance console]
    Inbound connectivity to the VM is also possible, but it requires some extra work in Tungsten Fabric to advertise the VM address. In my lab there is a Cisco ASR 1001 that has been configured to peer with the TF controller, but we'll show how that is configured next time.

    Summary

    There is still a lot of work to do in learning how Tungsten Fabric operates and in building best practices around deploying it in an OpenStack-Ansible based cloud. Some components used in the installation process are heavily wrapped in Docker containers and must be extracted before they can be deployed in LXC containers and/or on the hosts. This is not scalable, but it is sufficient for now.

    Recently I ran into an issue with the opencontrailnightly builds in which the vRouter dropped outbound or response traffic from the VM. The issue was resolved with the GA build from the Juniper repo, but not everyone has access to it.

    Another issue I encountered was that while pings to and from the VM worked fine (with the ASR in the middle), SSH connections failed. In fact, any TCP connection failed. A SYN was seen at the instance, and a SYN/ACK was observed being sent. However, the SYN/ACK never made it through the vRouter. A packet capture showed that the SYN/ACK had an invalid checksum. Disabling generic IP checksumming on the host's "physical" interface, ens160 in this case, brought everything back to normal. This article was extremely helpful:
    https://kb.juniper.net/InfoCenter/index?page=content&id=KB30500
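    The capture-side check behind the "invalid checksum" finding above, as an added example that is not part of the original post: a Python verifier that recomputes the TCP checksum of a raw IPv4/TCP packet (pseudo-header included) and flags a SYN/ACK whose stored checksum does not match. The packets are constructed rather than captured; 172.23.0.3 is the VM address from the server list above, while the client address 10.0.0.5 and the ports are assumptions.

```python
import struct

TCP_PROTO = 6

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header plus the TCP segment, with the
    segment's own checksum field (bytes 16-17) treated as zero."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, TCP_PROTO, len(segment))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return ~ones_complement_sum(pseudo + zeroed) & 0xFFFF

def check_ipv4_tcp(packet: bytes) -> dict:
    """Parse raw IPv4/TCP bytes and compare stored vs. recomputed checksum."""
    if packet[9] != TCP_PROTO:
        raise ValueError("not a TCP packet")
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    segment = packet[ihl:total_len]
    stored = struct.unpack("!H", segment[16:18])[0]
    expected = tcp_checksum(packet[12:16], packet[16:20], segment)
    flags = segment[13]
    return {"syn": bool(flags & 0x02), "ack": bool(flags & 0x10),
            "stored": stored, "expected": expected, "valid": stored == expected}

def build_syn_ack(src_ip: str, dst_ip: str, sport: int, dport: int, checksum=None) -> bytes:
    """Constructed IPv4 SYN/ACK (not a real capture). checksum=None fills in
    the correct value; passing 0 mimics a segment captured on the sending host
    before the NIC filled the field in (checksum offload)."""
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    # sport, dport, seq, ack, data offset 5 words, flags SYN|ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 2001, 5 << 4, 0x12, 65535, 0, 0)
    if checksum is None:
        checksum = tcp_checksum(src, dst, tcp)
    tcp = tcp[:16] + struct.pack("!H", checksum) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, TCP_PROTO, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", ~ones_complement_sum(ip) & 0xFFFF) + ip[12:]
    return ip + tcp

if __name__ == "__main__":
    print(check_ipv4_tcp(build_syn_ack("172.23.0.3", "10.0.0.5", 22, 50000, checksum=0)))
```

    Feed check_ipv4_tcp the IP payload of each frame from a capture taken on the vRouter host; a SYN/ACK reported with valid False while the far end never sees it is the signature described above.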

    As I get more reps, I hope to streamline the process and one day move it upstream for inclusion in OpenStack-Ansible. Until then, good luck to us all!

    Author: James Denton  Translated by: TF编译组
    Original link: https://www.jimmdenton.com/contrail-osa/

