How to integrate Tungsten Fabric with OpenStack-Ansible (Part 2)
Testing and validation

Tungsten Fabric has been configured to use Keystone authentication. To verify this, open the TF UI in a browser using the external VIP address and port 8143:

Enter the username admin and the password defined in the openrc file. For the domain, enter default. If authentication succeeds, the dashboard after login should look like this:
Back in OpenStack, we can run openstack network list to view the networks:

root@aio1-utility-container-ee37a935:~# openstack network list
+--------------------------------------+-------------------------+---------+
| ID                                   | Name                    | Subnets |
+--------------------------------------+-------------------------+---------+
| 723e67c1-8ccd-43ba-a6f4-8b2399c1b8d2 | __link_local__          |         |
| 5a2947ce-0030-4d2a-a06a-76b0d6934102 | ip-fabric               |         |
| 5f4b0153-8146-4e9c-91d4-c60364ece6bc | default-virtual-network |         |
+--------------------------------------+-------------------------+---------+
These networks were all created by the TF plugin/driver and should not be deleted.
Create a test network:

root@aio1-utility-container-ee37a935:~# openstack network create test_network_green
+---------------------------+--------------------------------------+
| Field                     | Value                                |
+---------------------------+--------------------------------------+
| admin_state_up            | UP                                   |
| availability_zone_hints   | None                                 |
| availability_zones        | None                                 |
| created_at                | None                                 |
| description               | None                                 |
| dns_domain                | None                                 |
| id                        | d9e0507f-5ef4-4b62-bf69-176340095053 |
| ipv4_address_scope        | None                                 |
| ipv6_address_scope        | None                                 |
| is_default                | None                                 |
| is_vlan_transparent       | None                                 |
| mtu                       | None                                 |
| name                      | test_network_green                   |
| port_security_enabled     | True                                 |
| project_id                | e565909917a5463b867c5a7594a7612f     |
| provider:network_type     | None                                 |
| provider:physical_network | None                                 |
| provider:segmentation_id  | None                                 |
| qos_policy_id             | None                                 |
| revision_number           | None                                 |
| router:external           | Internal                             |
| segments                  | None                                 |
| shared                    | False                                |
| status                    | ACTIVE                               |
| subnets                   |                                      |
| tags                      |                                      |
| updated_at                | None                                 |
+---------------------------+--------------------------------------+
Note that the provider attributes are unspecified, but they no longer matter to us. Other attributes may not be supported by the TF plugin.
Create a subnet:

root@aio1-utility-container-ee37a935:~# openstack subnet create --subnet-range 172.23.0.0/24 --network test_network_green test_subnet_green
+-------------------+--------------------------------------+
| Field             | Value                                |
+-------------------+--------------------------------------+
| allocation_pools  | 172.23.0.2-172.23.0.254              |
| cidr              | 172.23.0.0/24                        |
| created_at        | None                                 |
| description       | None                                 |
| dns_nameservers   |                                      |
| enable_dhcp       | True                                 |
| gateway_ip        | 172.23.0.1                           |
| host_routes       |                                      |
| id                | cc2d2f56-5c87-49fb-afd5-14e32feccd6a |
| ip_version        | 4                                    |
| ipv6_address_mode | None                                 |
| ipv6_ra_mode      | None                                 |
| name              | test_subnet_green                    |
| network_id        | d9e0507f-5ef4-4b62-bf69-176340095053 |
| project_id        | e565909917a5463b867c5a7594a7612f     |
| revision_number   | None                                 |
| segment_id        | None                                 |
| service_types     | None                                 |
| subnetpool_id     | None                                 |
| tags              |                                      |
| updated_at        | None                                 |
+-------------------+--------------------------------------+
IPv6 should be supported, but I ran into problems when trying to create an IPv6 subnet. At this point our network is ready for VMs. For good measure, I created a security group that can be applied to instances to allow SSH:
root@aio1-utility-container-ee37a935:~# openstack security group create allow_ssh
+-----------------+--------------------------------------+
| Field           | Value                                |
+-----------------+--------------------------------------+
| created_at      | None                                 |
| description     | allow_ssh                            |
| id              | 39a9e241-27c3-452a-b37a-80b6dcbbf783 |
| name            | allow_ssh                            |
| project_id      | e565909917a5463b867c5a7594a7612f     |
| revision_number | None                                 |
| rules           |                                      |
| tags            | []                                   |
| updated_at      | None                                 |
+-----------------+--------------------------------------+
root@aio1-utility-container-ee37a935:~# openstack security group rule create --dst-port 22 allow_ssh
+-------------------+--------------------------------------+
| Field             | Value                                |
+-------------------+--------------------------------------+
| created_at        | None                                 |
| description       | None                                 |
| direction         | ingress                              |
| ether_type        | IPv4                                 |
| id                | b8393e4d-1d9d-47e9-877e-86374f38dca1 |
| name              | None                                 |
| port_range_max    | 22                                   |
| port_range_min    | 22                                   |
| project_id        | e565909917a5463b867c5a7594a7612f     |
| protocol          | tcp                                  |
| remote_group_id   | None                                 |
| remote_ip_prefix  | 0.0.0.0/0                            |
| revision_number   | None                                 |
| security_group_id | 39a9e241-27c3-452a-b37a-80b6dcbbf783 |
| updated_at        | None                                 |
+-------------------+--------------------------------------+
Then I launched an instance using a tiny flavor and the CirrOS image:

root@aio1-utility-container-ee37a935:~# openstack server create --image cirros --flavor test_flavor --nic net-id=test_network_green --security-group allow_ssh test1
+-------------------------------------+----------------------------------------------------+
| Field                               | Value                                              |
+-------------------------------------+----------------------------------------------------+
| OS-DCF:diskConfig                   | MANUAL                                             |
| OS-EXT-AZ:availability_zone         |                                                    |
| OS-EXT-SRV-ATTR:host                | None                                               |
| OS-EXT-SRV-ATTR:hypervisor_hostname | None                                               |
| OS-EXT-SRV-ATTR:instance_name       |                                                    |
| OS-EXT-STS:power_state              | NOSTATE                                            |
| OS-EXT-STS:task_state               | scheduling                                         |
| OS-EXT-STS:vm_state                 | building                                           |
| OS-SRV-USG:launched_at              | None                                               |
| OS-SRV-USG:terminated_at            | None                                               |
| accessIPv4                          |                                                    |
| accessIPv6                          |                                                    |
| addresses                           |                                                    |
| adminPass                           | a8tghwSoTWZP                                       |
| config_drive                        |                                                    |
| created                             | 2018-06-18T14:34:49Z                               |
| flavor                              | test_flavor (5c0600b7-f9fe-46f3-8af5-f8390ee5c6f3) |
| hostId                              |                                                    |
| id                                  | b14d1861-8855-4d17-a2d3-87eb67a3d81c               |
| image                               | cirros (4006fd58-cdc5-4bd8-bc25-ef73be1cd429)      |
| key_name                            | None                                               |
| name                                | test1                                              |
| progress                            | 0                                                  |
| project_id                          | e565909917a5463b867c5a7594a7612f                   |
| properties                          |                                                    |
| security_groups                     | name='39a9e241-27c3-452a-b37a-80b6dcbbf783'        |
| status                              | BUILD                                              |
| updated                             | 2018-06-18T14:34:49Z                               |
| user_id                             | f6aac1aa53294659998aa71838133a1d                   |
| volumes_attached                    |                                                    |
+-------------------------------------+----------------------------------------------------+
root@aio1-utility-container-ee37a935:~# openstack server list
+--------------------------------------+-------+--------+-------------------------------+--------+-------------+
| ID                                   | Name  | Status | Networks                      | Image  | Flavor      |
+--------------------------------------+-------+--------+-------------------------------+--------+-------------+
| b14d1861-8855-4d17-a2d3-87eb67a3d81c | test1 | ACTIVE | test_network_green=172.23.0.3 | cirros | test_flavor |
+--------------------------------------+-------+--------+-------------------------------+--------+-------------+
Now I can connect to the instance's console and try outbound connectivity:

In the Tungsten Fabric UI, I was able to enable SNAT on the network so that the vRouter will SNAT outbound connections from the VM:

A quick test shows that ping works:
Inbound connections to the VM are also possible, but require some additional work in Tungsten Fabric to advertise the VM address. In my lab there is a Cisco ASR 1001 configured to peer with the TF controller, but we'll show how that is configured next time.

Summary
There is still a lot of work to do to understand how Tungsten Fabric operates and to build best practices around deploying it in an OpenStack-Ansible based cloud. Some of the components used in the installation process are heavily wrapped in Docker containers and must first be extracted before they can be deployed into LXC containers and/or onto hosts. This is not scalable, but it is good enough for now.
Recently I ran into a problem with the opencontrailnightly builds where the vRouter dropped outbound or response traffic from the VM. The GA builds from the Juniper repo resolved the issue, but not everyone has access to those.
Another issue I encountered was that while ping to and from the VM worked fine (with the ASR in the middle), SSH connections failed. In fact, any TCP connection failed. The SYN was seen in the instance, and the SYN/ACK was observed being sent, but the SYN/ACK never made it through the vRouter. Packet captures showed that the checksum of the SYN/ACK was invalid. Disabling generic IP checksum offloading on the host's "physical" interface, ens160 in this case, got everything working again. This article was super helpful:

https://kb.juniper.net/InfoCenter/index?page=content&id=KB30500

As I get more reps, I hope to streamline the process and one day move it upstream for inclusion in OpenStack-Ansible. Until then, good luck to us all!
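The bad-checksum symptom described above can be confirmed offline against a capture. The following Python is an added example, not code from the original post or from Tungsten Fabric: it recomputes the TCP checksum of a raw IPv4 SYN/ACK over the pseudo-header and flags a mismatch. The VM address 172.23.0.3 comes from the test subnet; the client 10.0.0.5 and the sequence numbers are constructed.

```python
import struct

# Added example (not from the original post): verify the TCP checksum of a raw
# IPv4 packet, the field that was wrong on the SYN/ACKs the vRouter dropped.

def ones_complement_sum(data: bytes) -> int:
    """Internet checksum core: sum the 16-bit words and fold carries back in."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header plus the segment with its checksum zeroed."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(segment))  # zero, proto 6, length
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF

def verify_tcp_checksum(packet: bytes) -> dict:
    """Check the TCP checksum inside a raw IPv4 packet (no link-layer header)."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    src, dst = packet[12:16], packet[16:20]
    segment = packet[ihl:total_len]
    stored = struct.unpack("!H", segment[16:18])[0]
    expected = tcp_checksum(src, dst, segment)
    return {"syn_ack": segment[13] & 0x12 == 0x12, "stored": stored,
            "expected": expected, "valid": stored == expected}

def build_syn_ack(src_ip: str, dst_ip: str, sport: int, dport: int,
                  corrupt: bool = False) -> bytes:
    """Build a bare IPv4 SYN/ACK; corrupt=True mimics a checksum the NIC never finalized."""
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    # sport, dport, seq, ack, data offset 5 words, flags SYN|ACK, window, cksum, urg
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 2001, 5 << 4, 0x12, 65535, 0, 0)
    cksum = tcp_checksum(src, dst, tcp)
    if corrupt:
        cksum ^= 0x00FF  # guaranteed to differ from the correct value
    tcp = tcp[:16] + struct.pack("!H", cksum) + tcp[18:]
    # IPv4 header: ver/ihl, tos, total length, id, flags/frag, ttl, proto, cksum (left 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, src, dst)
    return ip + tcp

if __name__ == "__main__":
    # Constructed sample: the VM at 172.23.0.3 answering an SSH SYN from 10.0.0.5.
    for name, flag in (("good", False), ("bad", True)):
        print(name, verify_tcp_checksum(build_syn_ack("172.23.0.3", "10.0.0.5", 22, 40000, flag)))
```

When capturing on the sending host itself, tcpdump reports "cksum incorrect" for locally generated segments whenever TX checksum offload is enabled, which by itself is expected; the symptom above was different because the segments were actually dropped in transit.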
Author: James Denton  Translation: TF compilation team
Original post: https://www.jimmdenton.com/contrail-osa/