2025-03-28 Update From: SLTechnology News&Howtos > Servers
Shulou (Shulou.com) 06/03 Report
I. The concept of the Keystone service
Service
Keystone is organized as a set of internal services exposed on one or more endpoints. Many of these services are used in combination by the front end. For example, an authentication call uses the Identity service to validate the user and project credentials and, on success, creates and returns a token with the Token service.
identity
The Identity service validates authentication credentials and provides data about users and groups. In the basic case, this data is managed by the Identity service itself, which therefore also handles all CRUD operations on it. In more complex cases, the data is managed by an authoritative back-end service; for example, the Identity service may act as a front end to LDAP. In that case the LDAP server is the authoritative source, and the role of the Identity service is to relay that information accurately.
User
A user represents a single API consumer. A user must be owned by a specific domain, so user names are not globally unique, only unique within their domain.
Group
A group is a container representing a collection of users. A group must be owned by a specific domain, so group names are not globally unique, only unique within their domain.
Resources
The Resource service provides data about projects and domains.
Project
A project represents the basic unit of ownership in OpenStack, because every resource in OpenStack must be owned by a specific project. A project must itself be owned by a specific domain, so project names are not globally unique, only unique within their domain. If no domain is specified when a project is created, it is added to the default domain.
Domain
A domain is a high-level container for projects, users, and groups; each of these belongs to a domain. Each domain defines a namespace in which API-visible name attributes exist. Keystone provides a default domain named default.
In the Identity v3 API, the uniqueness of attributes is as follows:
- Domain name: globally unique across all domains.
- Role name: unique within the owning domain.
- User name: unique within the owning domain.
- Project name: unique within the owning domain.
- Group name: unique within the owning domain.
Because of this container architecture, domains can be used as a way to delegate OpenStack resource management. If the appropriate role assignment is granted, a user in one domain can still access resources in another domain.
Assignment
The Assignment service provides data about roles and role assignments.
Role
A role specifies the level of authorization available to end users. Roles can be granted at the domain or project level, and can be assigned to individual users or to groups. Role names are unique within the owning domain.
Role assignment
A role assignment is a triple of a role, a resource, and an identity.
Token
Once a user's credentials have been verified, the Token service validates and manages the tokens that are used to authenticate subsequent requests.
II. Log in and change the password of the OpenStack administrator
After the OpenStack build is complete, log in at http://serverip/dashboard/. The login page asks for the password of the admin administrator account; the default password is saved in the keystonerc_admin file:
cat keystonerc_admin
The default password is the value after export OS_PASSWORD. Use it to log in to the dashboard.
After logging in, you can change the administrator password under Settings.
After that, change the value after export OS_PASSWORD in the keystonerc_admin file to the new password, then reload the file with the following command so the change takes effect:
source keystonerc_admin # reload
Note that the admin user is an administrator with permissions over all resources and is assigned to the admin project by default, so the password in the keystonerc_admin file must be changed after the administrator password is changed in the management interface; otherwise the authentication of the other component services will fail.
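The rotation step above, as an added example that is not part of the original article: a small POSIX shell script that rewrites the OS_PASSWORD line of a keystonerc_admin file (packstack-style "export OS_PASSWORD=..." format assumed), keeps the other lines, tightens the file mode, and reads the value back by sourcing the file in a subshell. The file path and password are parameters; the demo works on a constructed copy.

```shell
#!/bin/sh
# Added example, not from the original article: rotate OS_PASSWORD in a
# keystonerc_admin file after the admin password was changed in the dashboard.
# Assumes the packstack-style file format with a line "export OS_PASSWORD=...".
set -e

# rotate_keystonerc_password FILE NEWPASS
# Rewrites the OS_PASSWORD line, keeps every other line, writes through a temp
# file so a crash never leaves a half-written rc file, and sets mode 600 because
# the file holds the cloud admin credential in plaintext. Fails if there is no
# OS_PASSWORD line. The new value is passed via the environment rather than
# awk -v so that backslashes in the password are not interpreted.
rotate_keystonerc_password() {
    file=$1
    grep -q '^export OS_PASSWORD=' "$file" || {
        echo "no OS_PASSWORD line in $file" >&2; return 1; }
    tmp="$file.tmp.$$"
    NEW_OS_PASSWORD="$2" awk '
        /^export OS_PASSWORD=/ { print "export OS_PASSWORD=" ENVIRON["NEW_OS_PASSWORD"]; next }
        { print }' "$file" > "$tmp"
    chmod 600 "$tmp"
    mv "$tmp" "$file"
}

# password_from_keystonerc FILE
# Sources FILE in a subshell and prints the OS_PASSWORD it exports, so the
# result can be checked without changing the caller's environment.
password_from_keystonerc() {
    ( . "$1" && printf '%s\n' "$OS_PASSWORD" )
}

# Demo on a constructed copy of keystonerc_admin (keep a backup before touching
# the real file). The password is written unquoted, as packstack does, so avoid
# shell-special characters or quote the value yourself.
demo=$(mktemp -d)
printf 'unset OS_SERVICE_TOKEN\nexport OS_USERNAME=admin\nexport OS_PASSWORD=oldpass123\nexport OS_PROJECT_NAME=admin\nexport OS_AUTH_URL=http://172.31.208.100:5000/v3\n' > "$demo/keystonerc_admin"
rotate_keystonerc_password "$demo/keystonerc_admin" 'NewPass-456'
echo "OS_PASSWORD now: $(password_from_keystonerc "$demo/keystonerc_admin")"
rm -rf "$demo"
```

Run it as root against the real file only after the dashboard change has succeeded, then source the file before using any openstack or neutron command.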
III. Create projects and users
3.1 Create a project
First create a project by clicking Project under Identity management.
Create the project named test-cloud; the domain information and domain ID stay at their defaults because this is a test environment.
Project members are the tenants who log in to the cloud service; they can be added later, so leave the default for now. Quotas limit the project's resource usage and can also be left at their defaults in a test environment.
Click Finish to create the project test_cloud, which can be provided to tenants as a VDC (virtual data center).
3.2 Create a user
Create an administrator for test_cloud who is responsible for allocating its resources, named vdc_admin. It is created under Identity > Users, as follows:
Description:
1. Select the project test_cloud, which this user is allowed to use.
2. Select the role _member_.
Then log in to OpenStack as vdc_admin; the difference in the available resources is obvious.
IV. Create an external network
4.1 Network concepts in OpenStack
In OpenStack, all network services are implemented by Neutron. The official OpenStack description of Neutron is as follows:
OpenStack Networking (neutron) manages the access layer of all virtual network infrastructure (VNI) and physical network infrastructure (PNI) in the OpenStack environment. OpenStack Networking allows tenants to create advanced virtual network topologies such as firewalls, load balancers and virtual private networks (VPNs).
The Networking service provides the abstractions of network, subnet, and router. Each abstraction has its own function to simulate the corresponding physical device: a network contains subnets, and routers route and forward traffic between different subnets and networks.
Any given Networking setup must include at least one external network. Unlike the other networks, an external network is not merely a virtually defined network. Instead, it represents a view into a slice of the physical, external network accessible outside the OpenStack installation. IP addresses on the external network are accessible by any physical device on the outside network.
In addition to the external network, any Networking setup has one or more internal networks. These software-defined networks connect directly to the virtual machines. Only the virtual machines on a given internal network, or those on subnets connected through interfaces to a similar router, can access virtual machines connected to that network directly.
For the outside network to access instances, and vice versa, routers between the networks are needed. Each router has one gateway connected to an external network and one or more interfaces connected to internal networks. Like a physical router, subnets can access machines on other subnets connected to the same router, and machines can access the outside network through the router's gateway.
Additionally, you can allocate IP addresses on the external network to ports on the internal network. Whenever something is connected to a subnet, that connection is called a port. You can associate external network IP addresses with the ports of instances. In this way, entities on the outside network can access the instances.
Neutron makes use of important Linux networking technologies; the related concepts are as follows:
- Bridge: a virtual device in Linux that connects different network devices. A traditionally implemented Linux bridge behaves like a hub, while an OVS-managed bridge generally behaves like a switch.
- br-int (bridge-integration): the integration bridge, usually the bridge that implements the main internal network functions.
- br-ex (bridge-external): the external bridge, usually the bridge responsible for communicating with the external network.
- GRE (Generic Routing Encapsulation): a tunnelling method based on encapsulation. In OpenStack it is generally L3 GRE, that is, original packet/GRE/IP/Ethernet.
- VETH: virtual Ethernet interface, which usually appears as a pair. A packet sent into one end is received at the other end, so a pair can form a channel between two bridges.
- qvb: the Linux Bridge side of a Neutron veth pair.
- qvo: the OVS side of a Neutron veth pair.
- TAP device: simulates a layer 2 network device that can receive and send layer 2 packets.
- TUN device: simulates a layer 3 network device that can receive and send layer 3 packets.
- iptables: firewall software commonly used on Linux to implement security policies.
- VLAN (virtual LAN): isolation by tags within the same physical LAN. Available tags are 1-4094.
- VXLAN: an overlay implementation that uses UDP as the underlying transport protocol. It is generally regarded as an extension of or replacement for VLAN technology.
- Namespace: a set of mechanisms for achieving isolation; resources in different namespaces are invisible to each other.
Neutron manages the following entities:
- Network: an isolated L2 domain, which can be virtual, logical, or switched.
- Subnet: an isolated L3 domain, an IP address block. Each machine in it has an IP address, and hosts on the same subnet are visible to each other at L3.
- Port: a virtual, logical, or switched port on a network.
All of these entities are virtual, have an automatically generated unique ID, support CRUD operations, and have their state tracked in the database.
Network: an isolated L2 broadcast domain, generally owned by the user who created it. A user can have multiple networks. The network is the most basic object; subnets and ports must be associated with a network, and a network can have multiple subnets. Hosts on the same network can generally reach each other through a switch or router.
Subnet: an isolated L3 domain; a subnet represents a group of virtual machines to which IP addresses are assigned. Each subnet must have a CIDR and be associated with a network. IP addresses can be chosen from the CIDR or from a user-specified pool. A subnet may have a gateway, a set of DNS servers, and host routes. Different subnets are invisible to each other at L3 and must communicate through a layer 3 gateway (that is, a router).
Port: an interface through which traffic enters and exits, usually bound to a number of MAC and IP addresses for addressing. It is generally a virtual interface on a virtual switch. A virtual machine attaches its network card to a port and accesses the network through that port. When a port has an IP address, it means the port has an owner.
The logical concept is shown in the following figure:
The general structure is as follows: (VLAN mode)
Because this is an all-in-one deployment, the control node and the network node are merged, and the test environment has only one network card.
4.2 Connect Neutron to an external network
Neutron mainly communicates with external networks through br-ex.
First, copy /etc/sysconfig/network-scripts/ifcfg-ens192 (the actual physical NIC name may differ, for example eth0 under KVM) to /etc/sysconfig/network-scripts/ifcfg-br-ex.
Edit /etc/sysconfig/network-scripts/ifcfg-br-ex, paying attention to the following:
DEVICE=br-ex
DEVICETYPE=ovs
TYPE=OVSBridge
BOOTPROTO=static
IPADDR=172.31.208.100 # the IP address of the physical NIC
NETMASK=255.255.255.0
GATEWAY=192.168.122.1
DNS1=192.168.122.1
ONBOOT=yes
Then modify /etc/sysconfig/network-scripts/ifcfg-ens192:
DEVICE=ens192
TYPE=OVSPort
DEVICETYPE=ovs
OVS_BRIDGE=br-ex
ONBOOT=yes
After saving the changes, restart the network service:
systemctl restart network
Now use Neutron to create the external network:
. keystonerc_admin
neutron net-create external_network --provider:network_type flat --provider:physical_network extnet --router:external
Then we can see the created external network in the OpenStack dashboard.
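The two ifcfg edits above, as an added example that is not part of the original article: a POSIX shell script that generates ifcfg-br-ex from an existing static ifcfg-<nic> and rewrites that ifcfg-<nic> as an OVS port, refusing to proceed when the source file has no static address, because on a single-NIC all-in-one host a bridge that ends up without an address cuts off remote access. The directory and NIC name are parameters (the assumed network-scripts format is the one shown on the page); the demo runs on a constructed copy, not on /etc.

```shell
#!/bin/sh
# Added example, not from the original article: generate the ifcfg files that
# section 4.2 edits by hand. Assumes RHEL/CentOS network-scripts syntax.
set -e

# ifcfg_get FILE KEY  -> prints the value of KEY=value (quotes stripped), if any
ifcfg_get() { sed -n "s/^$2=[\"']\{0,1\}\([^\"']*\)[\"']\{0,1\}$/\1/p" "$1" | head -n 1; }

# make_br_ex DIR NIC
# Reads DIR/ifcfg-NIC, writes DIR/ifcfg-br-ex carrying the NIC's static address
# and replaces DIR/ifcfg-NIC with an OVS port definition enslaved to br-ex.
# A backup of the original NIC file is kept for rollback from the console.
make_br_ex() {
    dir=$1; nic=$2; src="$dir/ifcfg-$nic"
    [ -f "$src" ] || { echo "missing $src" >&2; return 1; }
    ip=$(ifcfg_get "$src" IPADDR); mask=$(ifcfg_get "$src" NETMASK)
    gw=$(ifcfg_get "$src" GATEWAY); dns=$(ifcfg_get "$src" DNS1)
    # Refuse a DHCP or addressless NIC: the bridge would come up without an
    # address and the only NIC of the host would no longer answer SSH.
    [ -n "$ip" ] && [ -n "$mask" ] || {
        echo "$src has no static IPADDR/NETMASK, not converting" >&2; return 1; }
    cp -p "$src" "$src.bak"
    {
        echo "DEVICE=br-ex"; echo "DEVICETYPE=ovs"; echo "TYPE=OVSBridge"
        echo "BOOTPROTO=static"; echo "IPADDR=$ip"; echo "NETMASK=$mask"
        [ -n "$gw" ] && echo "GATEWAY=$gw"
        [ -n "$dns" ] && echo "DNS1=$dns"
        echo "ONBOOT=yes"
    } > "$dir/ifcfg-br-ex"
    printf 'DEVICE=%s\nTYPE=OVSPort\nDEVICETYPE=ovs\nOVS_BRIDGE=br-ex\nONBOOT=yes\n' \
        "$nic" > "$src"
}

# Demo on a constructed copy of the page's ifcfg-ens192 in a temp directory.
demo=$(mktemp -d)
printf 'DEVICE=ens192\nTYPE=Ethernet\nBOOTPROTO=static\nIPADDR=172.31.208.100\nNETMASK=255.255.255.0\nGATEWAY=192.168.122.1\nDNS1=192.168.122.1\nONBOOT=yes\n' > "$demo/ifcfg-ens192"
make_br_ex "$demo" ens192
cat "$demo/ifcfg-br-ex" "$demo/ifcfg-ens192"
rm -rf "$demo"
```

Point it at /etc/sysconfig/network-scripts only from the console or with the .bak file and a reboot plan ready, then run systemctl restart network as the page describes.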
4.3 Configure a subnet
Log in as the vdc_admin user created earlier and start creating a network, named public.
Then define the subnet private_network with the assigned private address range, 192.168.1.0/24.
Next, define the subnet's DHCP address range and DNS information. No host routes need to be added.
After configuring the private network, you also need to configure a router. Once a virtual machine instance is assigned a private network address, the router SNATs its traffic to external_network and on to the external physical network.
Then click the newly created router to add an interface.
This completes the addition of the router.
Now view the network topology, as follows:
As you can see, the virtual network public has been connected to the external network through the virtual router.
After the configuration is complete, you can verify the created network on the command line.