bbab391aeb
Use # prompt for root and $ for user actions. Change-Id: Ia241921d4f3d072cf4d7459557a5d78d31d7049c
<?xml version="1.0" encoding="UTF-8"?>
<section xmlns="http://docbook.org/ns/docbook"
    xmlns:xi="http://www.w3.org/2001/XInclude"
    xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
    xml:id="section_networking-routers-with-private-networks">
    <title>Per-tenant routers with private networks</title>
    <para>This section describes how to install the OpenStack Networking
        service and its components for a use case that has per-tenant
        routers with private networks.</para>
    <informalfigure>
        <mediaobject>
            <imageobject>
                <imagedata contentwidth="6in"
                    fileref="../common/figures/UseCase-MultiRouter.png"/>
            </imageobject>
        </mediaobject>
    </informalfigure>
    <para>The following figure shows the setup:</para>
    <informalfigure>
        <mediaobject>
            <imageobject>
                <imagedata contentwidth="6in"
                    fileref="../common/figures/demo_routers_with_private_networks.png"/>
            </imageobject>
        </mediaobject>
    </informalfigure>
    <para>As shown in the figure, the setup includes:</para>
    <itemizedlist>
        <listitem>
            <para>An interface for management traffic on each node.</para>
        </listitem>
        <listitem>
            <para>Use of the Open vSwitch plug-in.</para>
        </listitem>
        <listitem>
            <para>GRE tunnels for data transport on all agents.</para>
        </listitem>
        <listitem>
            <para>Floating IPs and router gateway ports that are configured in
                an external network, and a physical router that connects the
                floating IPs and router gateway ports to the outside
                world.</para>
        </listitem>
    </itemizedlist>
    <note>
        <para>Because this example runs a DHCP agent and an L3 agent on one
            node, you must set the <literal>use_namespaces</literal> option
            to <literal>True</literal> in the configuration file for each
            agent. The default is <literal>True</literal>.</para>
    </note>
    <para>This table describes the nodes:</para>
    <informaltable rules="all" width="100%">
        <col width="20%"/>
        <col width="80%"/>
        <thead>
            <tr>
                <th>Node</th>
                <th>Description</th>
            </tr>
        </thead>
        <tbody>
            <tr>
                <td>Controller Node</td>
                <td><para>Runs Networking, Identity Service, and all Compute
                    services that are required to deploy VMs (<systemitem
                    class="service">nova-api</systemitem>, <systemitem
                    class="service">nova-scheduler</systemitem>, for
                    example). The node must have at least one network
                    interface, which connects to the Management Network. The
                    host name is <literal>controlnode</literal>, which other
                    nodes resolve to the IP of the controller node.</para>
                    <note>
                        <para>The <systemitem class="service">nova-network</systemitem>
                            service should not be running. It is replaced by
                            Networking.</para>
                    </note></td>
            </tr>
            <tr>
                <td>Compute Node</td>
                <td>Runs the Networking L2 agent and the Compute services that
                    run VMs (<systemitem class="service">nova-compute</systemitem>
                    specifically, and optionally other <systemitem
                    class="service">nova-*</systemitem> services depending on
                    configuration). The node must have at least two network
                    interfaces. One interface communicates with the controller
                    node through the management network. The other interface
                    is used for the VM traffic on the data network. The VM
                    receives its IP address from the DHCP agent on this
                    network.</td>
            </tr>
            <tr>
                <td>Network Node</td>
                <td>Runs the Networking L2 agent, DHCP agent, and L3 agent.
                    This node has access to the external network. The DHCP
                    agent allocates IP addresses to the VMs on the data
                    network. (Technically, the addresses are allocated by the
                    Networking server and distributed by the DHCP agent.) The
                    node must have at least two network interfaces. One
                    interface communicates with the controller node through
                    the management network. The other interface is used as
                    the external network. GRE tunnels are set up as data
                    networks.</td>
            </tr>
            <tr>
                <td>Router</td>
                <td>The router has IP 30.0.0.1, which is the default gateway
                    for all VMs. The router must be able to access public
                    networks.</td>
            </tr>
        </tbody>
    </informaltable>
    <para>The use case assumes the following:</para>
    <para><emphasis role="bold">Controller node</emphasis></para>
    <orderedlist>
        <listitem>
            <para>Relevant Compute services are installed, configured, and
                running.</para>
        </listitem>
        <listitem>
            <para>Glance is installed, configured, and running. In addition,
                an image named <literal>tty</literal> must be present.</para>
        </listitem>
        <listitem>
            <para>Identity is installed, configured, and running. A Networking
                user named <emphasis role="bold">neutron</emphasis> should be
                created on tenant <emphasis role="bold">service</emphasis>
                with password <replaceable>NEUTRON_PASS</replaceable>.</para>
        </listitem>
        <listitem>
            <para>Additional services: <itemizedlist>
                <listitem>
                    <para>RabbitMQ is running with the default
                        <literal>guest</literal> user and password
                        <replaceable>RABBIT_PASS</replaceable>.</para>
                </listitem>
                <listitem os="rhel;centos;fedora;opensuse;sles;ubuntu">
                    <para>MySQL server (user is <emphasis
                        role="bold">root</emphasis>).</para>
                </listitem>
            </itemizedlist></para>
        </listitem>
    </orderedlist>
    <para><emphasis role="bold">Compute node</emphasis></para>
    <para>Install and configure Compute.</para>
    <section xml:id="demo_routers_with_private_networks_installions">
        <title>Install</title>
        <itemizedlist>
            <listitem>
                <para><emphasis role="bold">Controller node - Networking
                    server</emphasis></para>
                <procedure>
                    <step>
                        <para>Install the Networking server.</para>
                    </step>
                    <step os="rhel;centos;fedora;opensuse;sles;ubuntu">
                        <para>Create database <emphasis role="bold"
                            >ovs_neutron</emphasis>.</para>
                    </step>
                    <step>
                        <para>Update the Networking configuration file,
                            <filename>/etc/neutron/neutron.conf</filename>,
                            with the plug-in choice and Identity Service user
                            as necessary:</para>
                        <programlisting language="ini" os="rhel;centos;fedora;opensuse;sles;ubuntu">[DEFAULT]
core_plugin = neutron.plugins.openvswitch.ovs_neutron_plugin.OVSNeutronPluginV2
control_exchange = neutron
rabbit_host = <replaceable>controller</replaceable>
rabbit_password = <replaceable>RABBIT_PASS</replaceable>
notification_driver = neutron.openstack.common.notifier.rabbit_notifier

[database]
connection = mysql://neutron:<replaceable>NEUTRON_DBPASS</replaceable>@<replaceable>controller</replaceable>:3306/neutron

[keystone_authtoken]
admin_tenant_name=service
admin_user=neutron
admin_password=<replaceable>NEUTRON_PASS</replaceable></programlisting>
                        <programlisting language="ini" os="debian">[DEFAULT]
control_exchange = neutron
rabbit_host = <replaceable>controller</replaceable>
rabbit_password = <replaceable>RABBIT_PASS</replaceable>
notification_driver = neutron.openstack.common.notifier.rabbit_notifier

[database]
connection = mysql://neutron:<replaceable>NEUTRON_DBPASS</replaceable>@<replaceable>controller</replaceable>:3306/neutron</programlisting>
                    </step>
                    <step os="rhel;centos;fedora;opensuse;sles;ubuntu">
                        <para>Update the plug-in configuration file,
                            <filename>/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini</filename>:</para>
                        <programlisting language="ini">[ovs]
tenant_network_type = gre
tunnel_id_ranges = 1:1000
enable_tunneling = True</programlisting>
                    </step>
                    <step os="rhel;centos;fedora;opensuse;sles;ubuntu">
                        <para>Start the Networking server.</para>
                        <para>The Networking server can be a service of the
                            operating system. The command to start the service
                            depends on your operating system. The following
                            command runs the Networking server directly:</para>
                        <screen><prompt>#</prompt> <userinput>neutron-server --config-file /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini \
--config-file /etc/neutron/neutron.conf</userinput></screen>
                    </step>
                </procedure>
            </listitem>
            <listitem>
                <para><emphasis role="bold">Compute node - Compute</emphasis></para>
                <procedure>
                    <step>
                        <para>Install Compute services.</para>
                    </step>
                    <step>
                        <para>Update the Compute
                            <filename>/etc/nova/nova.conf</filename>
                            configuration file. Make sure the following lines
                            appear at the end of this file:</para>
                        <programlisting language="ini">network_api_class=nova.network.neutronv2.api.API

neutron_admin_username=neutron
neutron_admin_password=<replaceable>NEUTRON_PASS</replaceable>
neutron_admin_auth_url=http://controlnode:35357/v2.0/
neutron_auth_strategy=keystone
neutron_admin_tenant_name=service
neutron_url=http://controlnode:9696/</programlisting>
                    </step>
                    <step>
                        <para>Restart the relevant Compute services.</para>
                    </step>
                </procedure>
            </listitem>
            <listitem>
                <para><emphasis role="bold">Compute and Networking node - L2
                    agent</emphasis></para>
                <procedure>
                    <step>
                        <para>Install and start Open vSwitch.</para>
                    </step>
                    <step>
                        <para>Install the L2 agent (Neutron Open vSwitch
                            agent).</para>
                    </step>
                    <step>
                        <para>Add the integration bridge to the Open
                            vSwitch:</para>
                        <screen><prompt>#</prompt> <userinput>ovs-vsctl add-br br-int</userinput></screen>
                    </step>
                    <step>
                        <para>Update the Networking configuration file,
                            <filename>/etc/neutron/neutron.conf</filename>:</para>
                        <programlisting language="ini">[DEFAULT]
core_plugin = neutron.plugins.openvswitch.ovs_neutron_plugin.OVSNeutronPluginV2
control_exchange = neutron
rabbit_host = <replaceable>controller</replaceable>
rabbit_password = <replaceable>RABBIT_PASS</replaceable>
notification_driver = neutron.openstack.common.notifier.rabbit_notifier

[database]
connection = mysql://neutron:<replaceable>NEUTRON_DBPASS</replaceable>@<replaceable>controller</replaceable>:3306/neutron</programlisting>
                    </step>
                    <step>
                        <para>Update the plug-in configuration file,
                            <filename>/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini</filename>.</para>
                        <para>Compute node:</para>
                        <programlisting language="ini">[ovs]
tenant_network_type = gre
tunnel_id_ranges = 1:1000
enable_tunneling = True
local_ip = 9.181.89.202</programlisting>
                        <para>Network node:</para>
                        <programlisting language="ini">[ovs]
tenant_network_type = gre
tunnel_id_ranges = 1:1000
enable_tunneling = True
local_ip = 9.181.89.203</programlisting>
                    </step>
                    <step>
                        <para>Create the integration bridge <emphasis
                            role="bold">br-int</emphasis>:</para>
                        <screen><prompt>#</prompt> <userinput>ovs-vsctl --may-exist add-br br-int</userinput></screen>
                    </step>
                    <step>
                        <para>Start the Networking L2 agent.</para>
                        <para>The Networking Open vSwitch L2 agent can be a
                            service of the operating system. The command to
                            start it depends on your operating system. The
                            following command runs the service directly:</para>
                        <screen><prompt>#</prompt> <userinput>neutron-openvswitch-agent --config-file /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini \
--config-file /etc/neutron/neutron.conf</userinput></screen>
                    </step>
                </procedure>
            </listitem>
            <listitem>
                <para><emphasis role="bold">Network node - DHCP
                    agent</emphasis></para>
                <procedure>
                    <step>
                        <para>Install the DHCP agent.</para>
                    </step>
                    <step>
                        <para>Update the Networking configuration file,
                            <filename>/etc/neutron/neutron.conf</filename>:</para>
                        <programlisting language="ini">[DEFAULT]
core_plugin = neutron.plugins.openvswitch.ovs_neutron_plugin.OVSNeutronPluginV2
control_exchange = neutron
rabbit_host = <replaceable>controller</replaceable>
rabbit_password = <replaceable>RABBIT_PASS</replaceable>
notification_driver = neutron.openstack.common.notifier.rabbit_notifier
allow_overlapping_ips = True</programlisting>
                        <para><emphasis role="bold">Set
                            <literal>allow_overlapping_ips</literal> because
                            TenantA and TenantC use overlapping
                            subnets.</emphasis></para>
                    </step>
                    <step>
                        <para>Update the DHCP
                            <filename>/etc/neutron/dhcp_agent.ini</filename>
                            configuration file:</para>
                        <programlisting language="ini">interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver</programlisting>
                    </step>
                    <step>
                        <para>Start the DHCP agent.</para>
                        <para>The Networking DHCP agent can be a service of
                            the operating system. The command to start the
                            service depends on your operating system. The
                            following command runs the service directly:</para>
                        <screen><prompt>#</prompt> <userinput>neutron-dhcp-agent --config-file /etc/neutron/neutron.conf \
--config-file /etc/neutron/dhcp_agent.ini</userinput></screen>
                    </step>
                </procedure>
            </listitem>
            <listitem>
                <para><emphasis role="bold">Network node - L3
                    agent</emphasis></para>
                <procedure>
                    <step>
                        <para>Install the L3 agent.</para>
                    </step>
                    <step>
                        <para>Add the external network bridge:</para>
                        <screen><prompt>#</prompt> <userinput>ovs-vsctl add-br br-ex</userinput></screen>
                    </step>
                    <step>
                        <para>Add the physical interface, for example eth0,
                            that is connected to the outside network to this
                            bridge:</para>
                        <screen><prompt>#</prompt> <userinput>ovs-vsctl add-port br-ex eth0</userinput></screen>
                    </step>
                    <step>
                        <para>Update the L3 configuration file
                            <filename>/etc/neutron/l3_agent.ini</filename>:</para>
                        <programlisting language="ini">[DEFAULT]
interface_driver=neutron.agent.linux.interface.OVSInterfaceDriver
use_namespaces=True</programlisting>
                        <para><emphasis role="bold">Set the
                            <literal>use_namespaces</literal> option (it is
                            True by default) because TenantA and TenantC have
                            overlapping subnets, and the routers are hosted on
                            one L3 agent network node.</emphasis></para>
                    </step>
                    <step>
                        <para>Start the L3 agent.</para>
                        <para>The Networking L3 agent can be a service of the
                            operating system. The command to start the service
                            depends on your operating system. The following
                            command starts the agent directly:</para>
                        <screen><prompt>#</prompt> <userinput>neutron-l3-agent --config-file /etc/neutron/neutron.conf \
--config-file /etc/neutron/l3_agent.ini</userinput></screen>
                    </step>
                </procedure>
            </listitem>
        </itemizedlist>
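        <para>The isolation that the steps above rely on, two tenants sharing
            10.0.0.0/24 behind routers on one network node, holds only if
            <literal>allow_overlapping_ips</literal>,
            <literal>use_namespaces</literal> and a unique GRE
            <literal>local_ip</literal> per L2 agent are all in place. The
            following Python script is an added example, not part of the
            OpenStack documentation or of Neutron: it re-types the configuration
            fragments from this section as constructed samples, takes the
            tenant subnets created in the next section as input, and reports
            any missing or conflicting setting. File contents, node roles and
            tenant names are those shown on this page; the audit functions are
            the example's own.</para>

```python
"""Tenant-isolation audit for the per-tenant-router use case (added example).

Not part of the OpenStack documentation or of Neutron. The ini fragments below
are constructed samples copied from this section; the checks are the example's own.
"""
import configparser
import ipaddress

# neutron.conf on the network node (DHCP agent step in this section).
NETWORK_NODE_NEUTRON_CONF = """
[DEFAULT]
core_plugin = neutron.plugins.openvswitch.ovs_neutron_plugin.OVSNeutronPluginV2
allow_overlapping_ips = True
"""

# l3_agent.ini on the network node (L3 agent step in this section).
NETWORK_NODE_L3_AGENT_INI = """
[DEFAULT]
interface_driver=neutron.agent.linux.interface.OVSInterfaceDriver
use_namespaces=True
"""

# ovs_neutron_plugin.ini on each node that runs the L2 agent.
OVS_PLUGIN_INI = {
    "compute": """
[ovs]
tenant_network_type = gre
tunnel_id_ranges = 1:1000
enable_tunneling = True
local_ip = 9.181.89.202
""",
    "network": """
[ovs]
tenant_network_type = gre
tunnel_id_ranges = 1:1000
enable_tunneling = True
local_ip = 9.181.89.203
""",
}

# Tenant subnets as created in the "Configure logical network" procedure.
TENANT_SUBNETS = {
    "TenantA": ["10.0.0.0/24"],
    "TenantC": ["10.0.0.0/24", "10.0.1.0/24"],
}


def parse_ini(text):
    """Parse an ini fragment with interpolation off, so '%' in values is safe."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser


def is_true(parser, section, option):
    """True only if the option is present and set to a true value."""
    return parser.has_option(section, option) and parser.getboolean(section, option)


def overlapping_tenants(subnets):
    """Return sorted pairs of distinct tenants whose CIDRs overlap."""
    pairs = set()
    names = sorted(subnets)
    for i, first in enumerate(names):
        for second in names[i + 1:]:
            for cidr_a in subnets[first]:
                for cidr_b in subnets[second]:
                    if ipaddress.ip_network(cidr_a).overlaps(ipaddress.ip_network(cidr_b)):
                        pairs.add((first, second))
    return sorted(pairs)


def audit(neutron_conf, l3_agent_ini, ovs_inis, subnets):
    """Return a list of findings; an empty list means the settings are consistent."""
    findings = []
    conf = parse_ini(neutron_conf)
    l3_conf = parse_ini(l3_agent_ini)
    # Overlapping tenant subnets need both settings: the server must accept
    # overlapping CIDRs, and the L3 agent must give each router its own
    # network namespace so the two 10.0.0.0/24 routing tables never mix.
    for first, second in overlapping_tenants(subnets):
        if not is_true(conf, "DEFAULT", "allow_overlapping_ips"):
            findings.append(f"{first}/{second} overlap but allow_overlapping_ips is not True")
        if not is_true(l3_conf, "DEFAULT", "use_namespaces"):
            findings.append(f"{first}/{second} overlap but use_namespaces is not True")
    # Every L2 agent needs GRE tunnelling enabled and a unique tunnel endpoint.
    endpoints = {}
    for node, text in ovs_inis.items():
        ovs = parse_ini(text)
        if ovs.get("ovs", "tenant_network_type", fallback="") != "gre":
            findings.append(f"{node}: tenant_network_type is not gre")
        if not is_true(ovs, "ovs", "enable_tunneling"):
            findings.append(f"{node}: enable_tunneling is not True")
        local_ip = ovs.get("ovs", "local_ip", fallback=None)
        if local_ip is None:
            findings.append(f"{node}: local_ip is missing, so the GRE endpoint is undefined")
        elif local_ip in endpoints:
            findings.append(f"{node}: local_ip {local_ip} duplicates {endpoints[local_ip]}")
        else:
            endpoints[local_ip] = node
    return findings
```

        <para>For the configuration shown on this page the findings list is
            empty; to audit a real node, read the three files from
            <filename>/etc/neutron</filename> into the same variables and pass
            the subnets reported by <command>neutron subnet-list</command>.</para>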
    </section>
    <section xml:id="demo_per_tenant_router_network_config">
        <title>Configure logical network</title>
        <para>You can run these commands on the network node.</para>
        <note>
            <para>Ensure that the following environment variables are set.
                Various clients use these to access the Identity
                Service.</para>
            <programlisting language="bash">export OS_USERNAME=admin
export OS_PASSWORD=<replaceable>ADMIN_PASS</replaceable>
export OS_TENANT_NAME=admin
export OS_AUTH_URL=http://<replaceable>controller</replaceable>:5000/v2.0/</programlisting>
        </note>
        <procedure>
            <step>
                <para>Get the tenant ID (used as $TENANT_ID later):</para>
                <screen><prompt>$</prompt> <userinput>keystone tenant-list</userinput>
<computeroutput>+----------------------------------+---------+---------+
| id | name | enabled |
+----------------------------------+---------+---------+
| 247e478c599f45b5bd297e8ddbbc9b6a | TenantA | True |
| 2b4fec24e62e4ff28a8445ad83150f9d | TenantC | True |
| 3719a4940bf24b5a8124b58c9b0a6ee6 | TenantB | True |
| 5fcfbc3283a142a5bb6978b549a511ac | demo | True |
| b7445f221cda4f4a8ac7db6b218b1339 | admin | True |
+----------------------------------+---------+---------+</computeroutput></screen>
            </step>
            <step>
                <para>Get user information:</para>
                <screen><prompt>$</prompt> <userinput>keystone user-list</userinput>
<computeroutput>+----------------------------------+-------+---------+-------------------+
| id | name | enabled | email |
+----------------------------------+-------+---------+-------------------+
| 5a9149ed991744fa85f71e4aa92eb7ec | demo | True | |
| 5b419c74980d46a1ab184e7571a8154e | admin | True | admin@example.com |
| 8e37cb8193cb4873a35802d257348431 | UserC | True | |
| c11f6b09ed3c45c09c21cbbc23e93066 | UserB | True | |
| ca567c4f6c0942bdac0e011e97bddbe3 | UserA | True | |
+----------------------------------+-------+---------+-------------------+</computeroutput></screen>
            </step>
            <step>
                <para>Create the external network and its subnet as the admin
                    user:</para>
                <screen><prompt>$</prompt> <userinput>neutron net-create Ext-Net --provider:network_type local --router:external true</userinput>
<computeroutput>Created a new network:
+---------------------------+--------------------------------------+
| Field | Value |
+---------------------------+--------------------------------------+
| admin_state_up | True |
| id | 2c757c9e-d3d6-4154-9a77-336eb99bd573 |
| name | Ext-Net |
| provider:network_type | local |
| provider:physical_network | |
| provider:segmentation_id | |
| router:external | True |
| shared | False |
| status | ACTIVE |
| subnets | |
| tenant_id | b7445f221cda4f4a8ac7db6b218b1339 |
+---------------------------+--------------------------------------+</computeroutput></screen>
                <screen><prompt>$</prompt> <userinput>neutron subnet-create Ext-Net 30.0.0.0/24 --disable-dhcp</userinput>
<computeroutput>Created a new subnet:
+------------------+--------------------------------------------+
| Field | Value |
+------------------+--------------------------------------------+
| allocation_pools | {"start": "30.0.0.2", "end": "30.0.0.254"} |
| cidr | 30.0.0.0/24 |
| dns_nameservers | |
| enable_dhcp | False |
| gateway_ip | 30.0.0.1 |
| host_routes | |
| id | ba754a55-7ce8-46bb-8d97-aa83f4ffa5f9 |
| ip_version | 4 |
| name | |
| network_id | 2c757c9e-d3d6-4154-9a77-336eb99bd573 |
| tenant_id | b7445f221cda4f4a8ac7db6b218b1339 |
+------------------+--------------------------------------------+</computeroutput></screen>
                <para><emphasis role="bold">
                    <literal>provider:network_type local</literal> means that
                    Networking does not have to realize this network through a
                    provider network. <literal>router:external true</literal>
                    means that an external network is created, on which you
                    can create the floating IPs and router gateway
                    ports.</emphasis></para>
            </step>
            <step>
                <para>Add an IP on the external network to br-ex.</para>
                <para>Because br-ex is the external network bridge, add the
                    IP 30.0.0.100/24 to br-ex so that you can ping the
                    floating IP of the VM from the network node.</para>
                <screen><prompt>#</prompt> <userinput>ip addr add 30.0.0.100/24 dev br-ex</userinput>
<prompt>#</prompt> <userinput>ip link set br-ex up</userinput></screen>
            </step>
            <step>
                <para>Serve TenantA.</para>
                <para>For TenantA, create a private network, subnet, server,
                    router, and floating IP.</para>
                <substeps>
                    <step>
                        <para>Create a network for TenantA:</para>
                        <screen><prompt>$</prompt> <userinput>neutron --os-tenant-name TenantA --os-username UserA --os-password password \
--os-auth-url=http://localhost:5000/v2.0 net-create TenantA-Net</userinput>
<computeroutput>Created a new network:
+-----------------+--------------------------------------+
| Field | Value |
+-----------------+--------------------------------------+
| admin_state_up | True |
| id | 7d0e8d5d-c63c-4f13-a117-4dc4e33e7d68 |
| name | TenantA-Net |
| router:external | False |
| shared | False |
| status | ACTIVE |
| subnets | |
| tenant_id | 247e478c599f45b5bd297e8ddbbc9b6a |
+-----------------+--------------------------------------+</computeroutput></screen>
                        <para>After that, you can use the admin user to query
                            the provider network information:</para>
                        <screen><prompt>$</prompt> <userinput>neutron net-show TenantA-Net</userinput>
<computeroutput>+---------------------------+--------------------------------------+
| Field | Value |
+---------------------------+--------------------------------------+
| admin_state_up | True |
| id | 7d0e8d5d-c63c-4f13-a117-4dc4e33e7d68 |
| name | TenantA-Net |
| provider:network_type | gre |
| provider:physical_network | |
| provider:segmentation_id | 1 |
| router:external | False |
| shared | False |
| status | ACTIVE |
| subnets | |
| tenant_id | 247e478c599f45b5bd297e8ddbbc9b6a |
+---------------------------+--------------------------------------+</computeroutput></screen>
                        <para>The network has GRE tunnel ID
                            (<literal>provider:segmentation_id</literal>)
                            1.</para>
                    </step>
                    <step>
                        <para>Create a subnet on the network
                            TenantA-Net:</para>
                        <screen><prompt>$</prompt> <userinput>neutron --os-tenant-name TenantA --os-username UserA --os-password password \
--os-auth-url=http://localhost:5000/v2.0 subnet-create TenantA-Net 10.0.0.0/24</userinput>
<computeroutput>Created a new subnet:
+------------------+--------------------------------------------+
| Field | Value |
+------------------+--------------------------------------------+
| allocation_pools | {"start": "10.0.0.2", "end": "10.0.0.254"} |
| cidr | 10.0.0.0/24 |
| dns_nameservers | |
| enable_dhcp | True |
| gateway_ip | 10.0.0.1 |
| host_routes | |
| id | 51e2c223-0492-4385-b6e9-83d4e6d10657 |
| ip_version | 4 |
| name | |
| network_id | 7d0e8d5d-c63c-4f13-a117-4dc4e33e7d68 |
| tenant_id | 247e478c599f45b5bd297e8ddbbc9b6a |
+------------------+--------------------------------------------+</computeroutput></screen>
                    </step>
                    <step>
                        <para>Create a server for TenantA:</para>
                        <screen><prompt>$</prompt> <userinput>nova --os-tenant-name TenantA --os-username UserA --os-password password \
--os-auth-url=http://localhost:5000/v2.0 boot --image tty --flavor 1 \
--nic net-id=7d0e8d5d-c63c-4f13-a117-4dc4e33e7d68 TenantA_VM1</userinput></screen>
                        <screen><prompt>$</prompt> <userinput>nova --os-tenant-name TenantA --os-username UserA --os-password password \
--os-auth-url=http://localhost:5000/v2.0 list</userinput>
<computeroutput>+--------------------------------------+-------------+--------+----------------------+
| ID | Name | Status | Networks |
+--------------------------------------+-------------+--------+----------------------+
| 7c5e6499-7ef7-4e36-8216-62c2941d21ff | TenantA_VM1 | ACTIVE | TenantA-Net=10.0.0.3 |
+--------------------------------------+-------------+--------+----------------------+</computeroutput></screen>
                        <note>
                            <para>It is important to understand that you
                                should not attach the instance to Ext-Net
                                directly. Instead, you must use a floating IP
                                to make it accessible from the external
                                network.</para>
                        </note>
                    </step>
                    <step>
                        <para>Create and configure a router for
                            TenantA:</para>
                        <screen><prompt>$</prompt> <userinput>neutron --os-tenant-name TenantA --os-username UserA --os-password password \
--os-auth-url=http://localhost:5000/v2.0 router-create TenantA-R1</userinput>
<computeroutput>Created a new router:
+-----------------------+--------------------------------------+
| Field | Value |
+-----------------------+--------------------------------------+
| admin_state_up | True |
| external_gateway_info | |
| id | 59cd02cb-6ee6-41e1-9165-d251214594fd |
| name | TenantA-R1 |
| status | ACTIVE |
| tenant_id | 247e478c599f45b5bd297e8ddbbc9b6a |
+-----------------------+--------------------------------------+</computeroutput></screen>
                        <screen><prompt>$</prompt> <userinput>neutron --os-tenant-name TenantA --os-username UserA --os-password password \
--os-auth-url=http://localhost:5000/v2.0 router-interface-add \
TenantA-R1 51e2c223-0492-4385-b6e9-83d4e6d10657</userinput>
<computeroutput>Added interface to router TenantA-R1</computeroutput></screen>
                        <screen><prompt>$</prompt> <userinput>neutron --os-tenant-name TenantA --os-username UserA --os-password password \
--os-auth-url=http://localhost:5000/v2.0 \
router-gateway-set TenantA-R1 Ext-Net</userinput></screen>
                    </step>
                </substeps>
            </step>
            <step>
                <para>Associate a floating IP with TenantA_VM1.</para>
                <substeps>
                    <step>
                        <para>Create a floating IP:</para>
                        <screen><prompt>$</prompt> <userinput>neutron --os-tenant-name TenantA --os-username UserA --os-password password \
--os-auth-url=http://localhost:5000/v2.0 floatingip-create Ext-Net</userinput>
<computeroutput>Created a new floatingip:
+---------------------+--------------------------------------+
| Field | Value |
+---------------------+--------------------------------------+
| fixed_ip_address | |
| floating_ip_address | 30.0.0.2 |
| floating_network_id | 2c757c9e-d3d6-4154-9a77-336eb99bd573 |
| id | 5a1f90ed-aa3c-4df3-82cb-116556e96bf1 |
| port_id | |
| router_id | |
| tenant_id | 247e478c599f45b5bd297e8ddbbc9b6a |
+---------------------+--------------------------------------+</computeroutput></screen>
                    </step>
                    <step>
                        <para>Get the port ID of the VM with ID
                            7c5e6499-7ef7-4e36-8216-62c2941d21ff:</para>
                        <screen><prompt>$</prompt> <userinput>neutron --os-tenant-name TenantA --os-username UserA --os-password password \
--os-auth-url=http://localhost:5000/v2.0 port-list -- \
--device_id 7c5e6499-7ef7-4e36-8216-62c2941d21ff</userinput>
<computeroutput>+--------------------------------------+------+-------------------+---------------------------------------------------------------------------------+
| id | name | mac_address | fixed_ips |
+--------------------------------------+------+-------------------+---------------------------------------------------------------------------------+
| 6071d430-c66e-4125-b972-9a937c427520 | | fa:16:3e:a0:73:0d | {"subnet_id": "51e2c223-0492-4385-b6e9-83d4e6d10657", "ip_address": "10.0.0.3"} |
+--------------------------------------+------+-------------------+---------------------------------------------------------------------------------+</computeroutput></screen>
                    </step>
                    <step>
                        <para>Associate the floating IP with the VM
                            port:</para>
                        <screen><prompt>$</prompt> <userinput>neutron --os-tenant-name TenantA --os-username UserA --os-password password \
--os-auth-url=http://localhost:5000/v2.0 floatingip-associate \
5a1f90ed-aa3c-4df3-82cb-116556e96bf1 6071d430-c66e-4125-b972-9a937c427520</userinput>
<computeroutput>Associated floatingip 5a1f90ed-aa3c-4df3-82cb-116556e96bf1</computeroutput></screen>
                        <screen><prompt>$</prompt> <userinput>neutron floatingip-list</userinput>
<computeroutput>+--------------------------------------+------------------+---------------------+--------------------------------------+
| id | fixed_ip_address | floating_ip_address | port_id |
+--------------------------------------+------------------+---------------------+--------------------------------------+
| 5a1f90ed-aa3c-4df3-82cb-116556e96bf1 | 10.0.0.3 | 30.0.0.2 | 6071d430-c66e-4125-b972-9a937c427520 |
+--------------------------------------+------------------+---------------------+--------------------------------------+</computeroutput></screen>
                    </step>
                </substeps>
            </step>
|
|
<step>
|
|
<para>Ping the public network from the server of
|
|
TenantA.</para>
|
|
<para>In my environment, 192.168.1.0/24 is my public
|
|
network connected with my physical router, which
|
|
also connects to the external network 30.0.0.0/24.
|
|
With the floating IP and virtual router, you can
|
|
ping the public network within the server of
|
|
tenant A:</para>
|
|
<screen><prompt>$</prompt> <userinput>ping 192.168.1.1</userinput>
|
|
<computeroutput>PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
|
|
64 bytes from 192.168.1.1: icmp_req=1 ttl=64 time=1.74 ms
|
|
64 bytes from 192.168.1.1: icmp_req=2 ttl=64 time=1.50 ms
|
|
64 bytes from 192.168.1.1: icmp_req=3 ttl=64 time=1.23 ms
|
|
^C
|
|
--- 192.168.1.1 ping statistics ---
|
|
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
|
|
rtt min/avg/max/mdev = 1.234/1.495/1.745/0.211 ms
|
|
</computeroutput></screen>
|
|
</step>
|
|
<step>
|
|
<para>Ping the floating IP of TenantA's server:</para>
|
|
<screen><prompt>$</prompt> <userinput>ping 30.0.0.2</userinput>
|
|
<computeroutput>PING 30.0.0.2 (30.0.0.2) 56(84) bytes of data.
|
|
64 bytes from 30.0.0.2: icmp_req=1 ttl=63 time=45.0 ms
|
|
64 bytes from 30.0.0.2: icmp_req=2 ttl=63 time=0.898 ms
|
|
64 bytes from 30.0.0.2: icmp_req=3 ttl=63 time=0.940 ms
|
|
^C
|
|
--- 30.0.0.2 ping statistics ---
|
|
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
|
|
rtt min/avg/max/mdev = 0.898/15.621/45.027/20.793 ms
|
|
</computeroutput></screen>
|
|
</step>
|
|
<step>
|
|
<para>Create other servers for TenantA.</para>
|
|
<para>You can create more servers for TenantA and add
|
|
floating IPs for them.</para>
|
|
</step>
|
|
<step>
|
|
<para>Serve TenantC.</para>
|
|
<para>For TenantC, you create two private networks
|
|
with subnet 10.0.0.0/24 and subnet 10.0.1.0/24,
|
|
some servers, one router to connect to these two
|
|
subnets and some floating IPs.</para>
|
|
<substeps>
|
|
<step>
|
|
<para>Create networks and subnets for
|
|
TenantC:</para>
|
|
<screen><prompt>$</prompt> <userinput>neutron --os-tenant-name TenantC --os-username UserC --os-password password \
|
|
--os-auth-url=http://localhost:5000/v2.0 net-create TenantC-Net1</userinput>
|
|
<prompt>$</prompt> <userinput>neutron --os-tenant-name TenantC --os-username UserC --os-password password \
|
|
--os-auth-url=http://localhost:5000/v2.0 subnet-create TenantC-Net1 \
|
|
10.0.0.0/24 --name TenantC-Subnet1</userinput>
|
|
<prompt>$</prompt> <userinput>neutron --os-tenant-name TenantC --os-username UserC --os-password password \
|
|
--os-auth-url=http://localhost:5000/v2.0 net-create TenantC-Net2</userinput>
|
|
<prompt>$</prompt> <userinput>neutron --os-tenant-name TenantC --os-username UserC --os-password password \
|
|
--os-auth-url=http://localhost:5000/v2.0 subnet-create TenantC-Net2 \
|
|
10.0.1.0/24 --name TenantC-Subnet2</userinput>
|
|
</screen>
|
|
<para>After that you can use admin user to
|
|
query the network's provider network
|
|
information:</para>
|
|
<screen><prompt>$</prompt> <userinput>neutron net-show TenantC-Net1</userinput>
<computeroutput>+---------------------------+--------------------------------------+
| Field                     | Value                                |
+---------------------------+--------------------------------------+
| admin_state_up            | True                                 |
| id                        | 91309738-c317-40a3-81bb-bed7a3917a85 |
| name                      | TenantC-Net1                         |
| provider:network_type     | gre                                  |
| provider:physical_network |                                      |
| provider:segmentation_id  | 2                                    |
| router:external           | False                                |
| shared                    | False                                |
| status                    | ACTIVE                               |
| subnets                   | cf03fd1e-164b-4527-bc87-2b2631634b83 |
| tenant_id                 | 2b4fec24e62e4ff28a8445ad83150f9d     |
+---------------------------+--------------------------------------+</computeroutput></screen>
<screen><prompt>$</prompt> <userinput>neutron net-show TenantC-Net2</userinput>
<computeroutput>+---------------------------+--------------------------------------+
| Field                     | Value                                |
+---------------------------+--------------------------------------+
| admin_state_up            | True                                 |
| id                        | 5b373ad2-7866-44f4-8087-f87148abd623 |
| name                      | TenantC-Net2                         |
| provider:network_type     | gre                                  |
| provider:physical_network |                                      |
| provider:segmentation_id  | 3                                    |
| router:external           | False                                |
| shared                    | False                                |
| status                    | ACTIVE                               |
| subnets                   | 38f0b2f0-9f98-4bf6-9520-f4abede03300 |
| tenant_id                 | 2b4fec24e62e4ff28a8445ad83150f9d     |
+---------------------------+--------------------------------------+</computeroutput></screen>
<para>You can see the GRE tunnel IDs
(<literal>provider:segmentation_id</literal>) 2 and 3.
Also note the network IDs and subnet IDs,
because you use them to create the VMs and
the router.</para>
</step>
<step>
<para>Create a server TenantC-VM1 for TenantC
on TenantC-Net1.</para>
<screen><prompt>$</prompt> <userinput>nova --os-tenant-name TenantC --os-username UserC --os-password password \
--os-auth-url=http://localhost:5000/v2.0 boot --image tty --flavor 1 \
--nic net-id=91309738-c317-40a3-81bb-bed7a3917a85 TenantC_VM1</userinput></screen>
</step>
<step>
<para>Create a server TenantC-VM3 for TenantC
on TenantC-Net2.</para>
<screen><prompt>$</prompt> <userinput>nova --os-tenant-name TenantC --os-username UserC --os-password password \
--os-auth-url=http://localhost:5000/v2.0 boot --image tty --flavor 1 \
--nic net-id=5b373ad2-7866-44f4-8087-f87148abd623 TenantC_VM3</userinput></screen>
</step>
<step>
<para>List the servers of TenantC.</para>
<screen><prompt>$</prompt> <userinput>nova --os-tenant-name TenantC --os-username UserC --os-password password \
--os-auth-url=http://localhost:5000/v2.0 list</userinput>
<computeroutput>+--------------------------------------+-------------+--------+-----------------------+
| ID                                   | Name        | Status | Networks              |
+--------------------------------------+-------------+--------+-----------------------+
| b739fa09-902f-4b37-bcb4-06e8a2506823 | TenantC_VM1 | ACTIVE | TenantC-Net1=10.0.0.3 |
| 17e255b2-b14f-48b3-ab32-5df36566d2e8 | TenantC_VM3 | ACTIVE | TenantC-Net2=10.0.1.3 |
+--------------------------------------+-------------+--------+-----------------------+</computeroutput></screen>
<para>Note the server IDs because you use them
later.</para>
</step>
<step>
<para>Make sure that the servers get their IPs.</para>
<para>You can use VNC to log on to the VMs and
check whether they got IPs. If not, make
sure that the Networking components are
running correctly and that the GRE tunnels
work.</para>
</step>
<step>
<para>Create and configure a router for
TenantC:</para>
<screen><prompt>$</prompt> <userinput>neutron --os-tenant-name TenantC --os-username UserC --os-password password \
--os-auth-url=http://localhost:5000/v2.0 router-create TenantC-R1</userinput></screen>
<screen><prompt>$</prompt> <userinput>neutron --os-tenant-name TenantC --os-username UserC --os-password password \
--os-auth-url=http://localhost:5000/v2.0 router-interface-add \
TenantC-R1 cf03fd1e-164b-4527-bc87-2b2631634b83</userinput>
<prompt>$</prompt> <userinput>neutron --os-tenant-name TenantC --os-username UserC --os-password password \
--os-auth-url=http://localhost:5000/v2.0 router-interface-add \
TenantC-R1 38f0b2f0-9f98-4bf6-9520-f4abede03300</userinput></screen>
<screen><prompt>$</prompt> <userinput>neutron --os-tenant-name TenantC --os-username UserC --os-password password \
--os-auth-url=http://localhost:5000/v2.0 \
router-gateway-set TenantC-R1 Ext-Net</userinput></screen>
</step>
<step>
<para>Checkpoint: ping from within TenantC's
servers.</para>
<para>Because the router connects to both
subnets, the VMs on these subnets can ping
each other. Because the router's gateway is
set, TenantC's servers can also ping
external network IPs, such as 192.168.1.1
and 30.0.0.1.</para>
</step>
<step>
<para>Associate floating IPs with TenantC's
servers.</para>
<para>You can use commands similar to the ones
used in the section for TenantA.</para>
</step>
</substeps>
</step>
</procedure>
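<para>The following Python script is an added example, not part of the OpenStack documentation or of the neutron client: it parses the <command>neutron net-show</command> tables shown in the TenantC steps into dictionaries (so the network, subnet and segmentation IDs the text tells you to note can be picked up by a script) and audits that no two of the inspected GRE networks share a tunnel key. The table text is copied from this section; the second table is derived from the first by substituting the four values that differ.</para>

```python
# Added example (not OpenStack documentation or neutron client code): parse
# `neutron net-show` tables and audit GRE segmentation IDs. The tables are the
# ones printed in this section; padding does not matter to the parser.
NET_SHOW_TENANTC_NET1 = """\
+---------------------------+--------------------------------------+
| Field | Value |
+---------------------------+--------------------------------------+
| admin_state_up | True |
| id | 91309738-c317-40a3-81bb-bed7a3917a85 |
| name | TenantC-Net1 |
| provider:network_type | gre |
| provider:physical_network | |
| provider:segmentation_id | 2 |
| router:external | False |
| shared | False |
| status | ACTIVE |
| subnets | cf03fd1e-164b-4527-bc87-2b2631634b83 |
| tenant_id | 2b4fec24e62e4ff28a8445ad83150f9d |
+---------------------------+--------------------------------------+
"""
# TenantC-Net2 differs only in id, name, segmentation_id and subnets.
NET_SHOW_TENANTC_NET2 = (NET_SHOW_TENANTC_NET1
    .replace("91309738-c317-40a3-81bb-bed7a3917a85", "5b373ad2-7866-44f4-8087-f87148abd623")
    .replace("TenantC-Net1", "TenantC-Net2")
    .replace("| provider:segmentation_id | 2 |", "| provider:segmentation_id | 3 |")
    .replace("cf03fd1e-164b-4527-bc87-2b2631634b83", "38f0b2f0-9f98-4bf6-9520-f4abede03300"))


def parse_show_table(text):
    """Turn a neutron/nova `show` table into a {field: value} dict."""
    fields = {}
    for line in text.splitlines():
        if not line.startswith("|") or line.startswith("| Field"):
            continue  # skip the +---+ borders and the header row
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == 2:
            fields[cells[0]] = cells[1]
    return fields


def shared_segmentation_ids(networks):
    """Return {(network_type, segmentation_id): [names]} for every tunnel key
    used by more than one network. Neutron allocates GRE keys itself, so this
    is an audit of the isolation the per-tenant design relies on: an empty
    result means each inspected network has its own key."""
    by_key = {}
    for net in networks:
        key = (net["provider:network_type"], net["provider:segmentation_id"])
        by_key.setdefault(key, []).append(net["name"])
    return {k: v for k, v in by_key.items() if len(v) > 1}


if __name__ == "__main__":
    nets = [parse_show_table(t) for t in (NET_SHOW_TENANTC_NET1, NET_SHOW_TENANTC_NET2)]
    for net in nets:  # the IDs the steps above tell you to note
        print(net["name"], net["id"], net["subnets"], net["provider:segmentation_id"])
    print("shared tunnel keys:", shared_segmentation_ids(nets))
```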
</section>
<section xml:id="section_use-cases-tenant-router">
<title>Use case: per-tenant routers with private
networks</title>
<para>This use case represents a more advanced router scenario
in which each tenant gets at least one router and
potentially has access to the Networking API to create
additional routers. The tenant can create their own
networks, potentially uplinking those networks to a
router. This model enables tenant-defined, multi-tier
applications, with each tier being a separate network
behind the router. Because there are multiple routers,
tenant subnets can overlap without conflicting: all
access to external networks happens through SNAT or
floating IPs. Each router uplink and floating IP is
allocated from the external network subnet.</para>
<mediaobject>
<imageobject>
<imagedata scale="55"
fileref="../common/figures/UseCase-MultiRouter.png"
align="left"/>
</imageobject>
</mediaobject>
<!--Image source link: https://docs.google.com/a/nicira.com/drawings/d/1mmQc8cBUoTEfEns-ehIyQSTvOrjUdl5xeGDv9suVyAY/edit -->
</section>
</section>