The network planes that an OpenStack public cloud needs to open

2025-02-24 Update From: SLTechnology News&Howtos

Shulou (Shulou.com), 06/02 report

I. Foreword

OpenStack has become the first choice of the major public cloud vendors. The author works as a contractor at one such vendor (yes, the one that makes folding-screen phones), whose network equipment defaults to a whitelist (deny any) and only lets designated traffic through; for network security reasons the production environment does not allow permit any. This article explains in detail which network planes have to be opened for that OpenStack public cloud and why each one is needed. For the explanation we assume that each server has four network cards, with management and business traffic separated: eth0/eth2 carry management traffic and eth5/eth6 carry business traffic.

II. Composition of openstack

OpenStack is a cloud operating system whose nodes can be roughly divided into control nodes, compute nodes, network nodes and storage nodes. To stop the network nodes from becoming a bottleneck, the DVR (distributed virtual router) function is enabled in production: east-west traffic no longer passes through the network nodes, and of the north-south traffic only that of VMs without a floating IP (FIP) still passes through them, because SNAT for those VMs stays centralised there. The above architecture can be simplified as shown in the following figure:

III. Creation of VM

To lay out the VLAN requirements we first need to understand how a VM is generated in OpenStack. Each VM is called an instance, and each instance is like a computer: to work properly it needs, besides computing resources, an operating system (image), a network and a hard disk. In OpenStack these functions correspond to the nova, glance, neutron and cinder components respectively. The following figure is a simplified VM creation process; for more details refer to the author's other blog posts. The simplified virtual machine creation process is:

After the client passes keystone authentication it sends a VM creation request to nova-api. nova-api hands the request to the scheduler component, which selects a host to carry the VM; nova-compute on that host provides the computing resources the VM needs and at the same time calls the APIs of glance, neutron and cinder to request the image, network and storage resources. At this point all the parts of a computer are in place, and nova-compute talks to the hypervisor on the compute node (KVM, Xen, VMware, etc.) through libvirt.

IV. VLAN Description

1. management node

The management node uses eth0/eth2 as its management interfaces. In the production scenario the operating system is installed by PXE, and the installed hosts communicate over the management plane. At the same time nova-compute needs to request resources through the API of each component, and the management node needs to manage the backend storage. The VLANs that need to be opened are therefore:

==eth0/eth2==

pvid:

pxe #Install the operating system;

vlan:

om #management plane communication between hosts, e.g. nova-compute initiating requests to the APIs of the other components;
api #the api here is the external API, used by third-party products (such as monitoring) to call the management node;
storage #the management node manages the backend storage;
vtep #this product needs two management virtual machines to manage physical hosts and virtual machines, so the vtep plane must also be opened.

port        pvid   vlan
eth0/eth2   pxe    om/api/vtep/storage

2. computing node

The compute node corresponds to the hypervisor in the figure above; it is the host that actually provides computing capacity. eth0/eth2 are used as management ports and eth5/eth6 as service ports, and the VLANs that are opened are:

==eth0/eth2==

pvid:

pxe #Install the operating system;

vlan:

om #inter-host management plane communication;
storage #VM disks actually live on the backend storage, so compute nodes must be able to reach the storage nodes.

==eth5/eth6==

vlan:

vtep #VXLAN tunnels established between compute nodes, used for communication between VMs on different hosts;
fip #provides DNAT for VMs on the compute node so that users can reach them from the Internet (the EIP is translated to the FIP). With DVR this DNAT happens on the compute node itself, which is why the fip plane must reach the compute node's service ports and not only the network nodes.

port        pvid   vlan
eth0/eth2   pxe    om/storage
eth5/eth6   -      vtep/fip

3. storage node

The storage node uses eth0/eth2 as its combined management and service ports, and the VLANs opened are:

==eth0/eth2==

pvid:

om #Install the operating system and carry management traffic. There is no separate VLAN for PXE here; PXE uses the om plane VLAN;

vlan:

storage #the business plane of the storage node.

port        pvid   vlan
eth0/eth2   om     storage

The above are the network planes that need to be opened in the OpenStack public cloud scenario. Every VLAN not listed for a port stays blocked by the switches' default deny, so any new plane (a new storage backend, a new external API consumer) has to be added to the whitelist of every role that needs it.
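The whitelist above can be checked mechanically before it is pushed to the switches. The following is an added example, not code from the original article or from OpenStack: it encodes the three role tables (management, compute, storage) with their pvid and tagged planes, derives the per-port VLAN allow-list, checks whether a given ingress frame would be accepted under default deny, verifies that the flows the article relies on (nova-compute to the component APIs over om, compute and management to the storage nodes over storage, VXLAN tunnels over vtep) are all permitted, and renders an IOS-style trunk stanza per port. The numeric VLAN IDs, the interface name `Ethernet1/5` and the `REQUIRED_FLOWS` list are assumptions for illustration; the article names the planes but gives no IDs.

```python
"""Per-role VLAN whitelist for OpenStack node ports.

Added example; not code from the original article or from OpenStack. Plane
names (pxe, om, api, storage, vtep, fip) and the role/port assignments are
taken from the text. The numeric VLAN IDs are ASSUMED for illustration only.
"""
from dataclasses import dataclass
from typing import Optional

# Assumed VLAN IDs (hypothetical; the article gives plane names only).
VLAN_ID = {"pxe": 100, "om": 101, "api": 102, "storage": 103, "vtep": 200, "fip": 201}


@dataclass(frozen=True)
class PortPolicy:
    pvid: Optional[str]          # plane carried untagged (native VLAN); None = tagged only
    tagged: tuple = ()           # planes carried as 802.1Q-tagged VLANs


# Role -> port group -> policy, as listed in sections IV.1 to IV.3.
ROLE_PORTS = {
    "management": {"eth0/eth2": PortPolicy("pxe", ("om", "api", "vtep", "storage"))},
    "compute": {
        "eth0/eth2": PortPolicy("pxe", ("om", "storage")),
        "eth5/eth6": PortPolicy(None, ("vtep", "fip")),
    },
    "storage": {"eth0/eth2": PortPolicy("om", ("storage",))},
}

# (src role, dst role, plane) flows the article says must work (assumed list).
REQUIRED_FLOWS = [
    ("management", "compute", "om"),        # nova-compute -> component APIs
    ("management", "storage", "storage"),   # management node manages backend storage
    ("compute", "storage", "storage"),      # VM disks live on backend storage
    ("compute", "compute", "vtep"),         # VXLAN tunnels between hypervisors
    ("management", "compute", "vtep"),      # management VMs reach the vtep plane
]


def allowed_vlans(role: str, port: str) -> set:
    """Whitelist of VLAN IDs the switch port facing this role/port may carry."""
    policy = ROLE_PORTS[role][port]
    planes = set(policy.tagged)
    if policy.pvid:
        planes.add(policy.pvid)
    return {VLAN_ID[p] for p in planes}


def frame_permitted(role: str, port: str, vlan_tag: Optional[int]) -> bool:
    """Default-deny check: would the switch accept this ingress frame?

    vlan_tag=None models an untagged frame, accepted only on a port with a
    PVID; a tagged frame must carry one of the port's tagged VLANs.
    """
    policy = ROLE_PORTS[role][port]
    if vlan_tag is None:
        return policy.pvid is not None
    return vlan_tag in {VLAN_ID[p] for p in policy.tagged}


def planes_on(role: str) -> set:
    """All planes reachable from any port of the role."""
    planes = set()
    for policy in ROLE_PORTS[role].values():
        planes.update(policy.tagged)
        if policy.pvid:
            planes.add(policy.pvid)
    return planes


def missing_flows(required=REQUIRED_FLOWS) -> list:
    """Required (src, dst, plane) flows that the port policy does not permit."""
    return [f for f in required
            if f[2] not in planes_on(f[0]) or f[2] not in planes_on(f[1])]


def switch_config(role: str, port: str, iface: str) -> list:
    """Render the policy as IOS-style trunk configuration lines (illustrative)."""
    policy = ROLE_PORTS[role][port]
    lines = [f"interface {iface}", " switchport mode trunk"]
    if policy.pvid:
        lines.append(f" switchport trunk native vlan {VLAN_ID[policy.pvid]}")
    allowed = ",".join(str(v) for v in sorted(allowed_vlans(role, port)))
    lines.append(f" switchport trunk allowed vlan {allowed}")
    return lines


if __name__ == "__main__":
    for role, ports in ROLE_PORTS.items():
        for port in ports:
            print(f"{role} {port}: allowed VLAN IDs {sorted(allowed_vlans(role, port))}")
    print("missing flows:", missing_flows())
    print("\n".join(switch_config("compute", "eth5/eth6", "Ethernet1/5")))
```

`missing_flows()` is the check worth wiring into change review: add the new plane to `ROLE_PORTS`, add the flow that needs it to `REQUIRED_FLOWS`, and the function reports any role that would still be cut off by the default deny before the switch port is touched.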
