
How to connect virtual machines in openstack environment to public network

2025-01-18 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 05/31 Report

In this issue, the editor explains how a virtual machine in an OpenStack environment is connected to the public network. The article is rich in content and analyzes the topic from a professional point of view; I hope you get something out of it.

We look further at the routing function to show that routing is implemented not only between internal networks, but also between an internal network and the public network.

We also analyze how Neutron assigns a floating IP to a virtual machine so that the public network can reach the virtual machine.

Use case # 5: Connecting VMs to the public network

The so-called "public network" refers to any network outside the OpenStack deployment. It can be another network in the datacenter, the Internet, or a private network that is not controlled by OpenStack.

To communicate with the public network, we need to create a network in OpenStack and mark it as external. This network carries the traffic between virtual machines and the public network. A virtual machine cannot be attached directly to this external network; all traffic must be routed from a private network to the public network through a router created by OpenStack. To create a public network in OpenStack we use the neutron net-create command and set router:external to True.

In our example, the public network is called "my-public".

# neutron net-create my-public --router:external=True
Created a new network:
+---------------------------+--------------------------------------+
| Field                     | Value                                |
+---------------------------+--------------------------------------+
| admin_state_up            | True                                 |
| id                        | 5eb99ac3-905b-4f0e-9c0f-708ce1fd2303 |
| name                      | my-public                            |
| provider:network_type     | vlan                                 |
| provider:physical_network | default                              |
| provider:segmentation_id  | 1002                                 |
| router:external           | True                                 |
| shared                    | False                                |
| status                    | ACTIVE                               |
| subnets                   |                                      |
| tenant_id                 | 9796e5145ee546508939cd49ad59d51f     |
+---------------------------+--------------------------------------+

In our environment, eth4 on the control node is a network card with no IP address assigned; we use it to reach the external public network. So we add eth4 to the OVS bridge "br-ex", and Neutron will send the packets that virtual machines address to the external network out through this bridge.

# ovs-vsctl add-port br-ex eth4
# ovs-vsctl show
8a069c7c-ea05-4375-93e2-b9fc9e4b3ca1
    Bridge br-ex
        Port br-ex
            Interface br-ex
                type: internal
        Port "eth4"
            Interface "eth4"
...

The public network reachable through eth4 uses the IP range 180.180.180.0/24. This network exists in the datacenter and reaches the rest of the datacenter network through the gateway 180.180.180.1. To connect this network to the OpenStack environment, we create a subnet with the same IP range on the "my-public" network and tell Neutron the gateway of that network.

# neutron subnet-create my-public 180.180.180.0/24 --name public_subnet --enable_dhcp=False --allocation-pool start=180.180.180.2,end=180.180.180.100 --gateway=180.180.180.1
Created a new subnet:
+------------------+------------------------------------------------------+
| Field            | Value                                                |
+------------------+------------------------------------------------------+
| allocation_pools | {"start": "180.180.180.2", "end": "180.180.180.100"} |
| cidr             | 180.180.180.0/24                                     |
| dns_nameservers  |                                                      |
| enable_dhcp      | False                                                |
| gateway_ip       | 180.180.180.1                                        |
| host_routes      |                                                      |
| id               | ecadf103-0b3b-46e8-8492-4c5f4b3ea4cd                 |
| ip_version       | 4                                                    |
| name             | public_subnet                                        |
| network_id       | 5eb99ac3-905b-4f0e-9c0f-708ce1fd2303                 |
| tenant_id        | 9796e5145ee546508939cd49ad59d51f                     |
+------------------+------------------------------------------------------+

Then we need to connect the router to the newly created public network by setting it as the router's gateway, with the following command:

# neutron router-gateway-set my-router my-public
Set gateway for router my-router

Note: we use the term "public network" in two senses. One is the real public network in the datacenter (180.180.180.0/24), which we call the "external public network" to distinguish it. The other is the "public network" object inside OpenStack, which we refer to as the "my-public" network. Likewise there are two "gateways": the gateway of the external public network (180.180.180.1), and the gateway interface of the router (180.180.180.2).

After the steps above, a third network interface (called the gateway) has been added to the router, which already had two interfaces connecting two different internal networks. A router can have several interfaces: ordinary ones attached to internal subnets, and one attached to the "my-public" network as its gateway. A common mistake is to attach the public network as an ordinary router interface; the command may succeed, but the external network will not be reachable. Before we create the public network and subnet and connect them to the router, the network topology looks like this:

When we enter the router's namespace, we see that an interface with an address in 180.180.180.0/24 has been added, and that its IP is 180.180.180.2:

# ip netns exec qrouter-fce64ebe-47f0-4846-b3af-9cf764f1ff11 ip addr
...
22: qg-c08b8179-3b: mtu 1500 qdisc noqueue state UNKNOWN
    link/ether fa:16:3e:a4:58:40 brd ff:ff:ff:ff:ff:ff
    inet 180.180.180.2/24 brd 180.180.180.255 scope global qg-c08b8179-3b
    inet6 2606:b400:400:3441:f816:3eff:fea4:5840/64 scope global dynamic
       valid_lft 2591998sec preferred_lft 604798sec
    inet6 fe80::f816:3eff:fea4:5840/64 scope link
       valid_lft forever preferred_lft forever
...

The router's gateway address 180.180.180.2 is reachable from the virtual machine, which can ping it. From the virtual machine we can also ping the gateway of the external network, 180.180.180.1, and the network behind that gateway. If we look in the router namespace, we find the following two rules in the iptables NAT table.

# ip netns exec qrouter-fce64ebe-47f0-4846-b3af-9cf764f1ff11 iptables-save
...
-A neutron-l3-agent-snat -s 20.20.20.0/24 -j SNAT --to-source 180.180.180.2
-A neutron-l3-agent-snat -s 10.10.10.0/24 -j SNAT --to-source 180.180.180.2
...

Therefore, the source IP address of a packet sent from net1 or net2 to the external network is rewritten to 180.180.180.2. We can ping a public address from the virtual machine and observe that the request packets carry this source address.

The routing table in the namespace sends all external traffic to the gateway of the external network (180.180.180.1).

# ip netns exec qrouter-fce64ebe-47f0-4846-b3af-9cf764f1ff11 route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         180.180.180.1   0.0.0.0         UG    0      0        0 qg-c08b8179-3b
10.10.10.0      0.0.0.0         255.255.255.0   U     0      0        0 qr-15ea2dd1-65
20.20.20.0      0.0.0.0         255.255.255.0   U     0      0        0 qr-dc290da0-0a
180.180.180.0   0.0.0.0         255.255.255.0   U     0      0        0 qg-c08b8179-3b

Requests from the virtual machine to the public network are NATed to the source address 180.180.180.2 and then sent to the gateway of the public network. We can also confirm that IP forwarding is enabled in the namespace.

# ip netns exec qrouter-fce64ebe-47f0-4846-b3af-9cf764f1ff11 sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1

Use case # 6: Attaching a floating IP to a VM

The virtual machine can now reach the public network. Next, we want to let external clients reach virtual machines inside the OpenStack environment, which is done with a floating IP. A floating IP is taken from the external network, and a user can associate it with a virtual machine so that external clients can connect to that machine.

To create a floating IP, the first step is to connect the virtual machine's network to the external network as explained in the previous use case. The second step is to allocate a floating IP from the command line.

# neutron floatingip-create public
Created a new floatingip:
+---------------------+--------------------------------------+
| Field               | Value                                |
+---------------------+--------------------------------------+
| fixed_ip_address    |                                      |
| floating_ip_address | 180.180.180.3                        |
| floating_network_id | 5eb99ac3-905b-4f0e-9c0f-708ce1fd2303 |
| id                  | 25facce9-c840-4607-83f5-d477eaceba61 |
| port_id             |                                      |
| router_id           |                                      |
| tenant_id           | 9796e5145ee546508939cd49ad59d51f     |
+---------------------+--------------------------------------+

Depending on the size of the "my-public" network's address pool, a user can create many such floating IPs. Associating a floating IP with a virtual machine can be done from the command line or from the GUI. The following is an example using the GUI:

In the router namespace, we can see that three iptables rules have been added:

-A neutron-l3-agent-OUTPUT -d 180.180.180.3/32 -j DNAT --to-destination 20.20.20.2
-A neutron-l3-agent-PREROUTING -d 180.180.180.3/32 -j DNAT --to-destination 20.20.20.2
-A neutron-l3-agent-float-snat -s 20.20.20.2/32 -j SNAT --to-source 180.180.180.3

These rules are the NAT operations for the floating IP. A request arriving at the router with destination address 180.180.180.3 is translated to destination 20.20.20.2, and, in the reverse direction, packets sent by 20.20.20.2 leave with source address 180.180.180.3 (the float-snat rule).
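To make the two NAT layers above concrete, here is an added example (not code from the article) that parses iptables-save output in the shape shown for the router namespace and checks it: every tenant subnet is SNATed to the router's gateway address (use case 5), and every floating IP has a consistent PREROUTING DNAT, OUTPUT DNAT and float-snat SNAT (use case 6). The sample rules are constructed from the article's addresses; the function names are my own.

```python
import re

# Constructed sample in the shape of the article's iptables-save output from the
# qrouter namespace: tenant SNAT (use case 5) plus floating-IP DNAT/SNAT (use case 6).
NAT_RULES = """\
-A neutron-l3-agent-snat -s 20.20.20.0/24 -j SNAT --to-source 180.180.180.2
-A neutron-l3-agent-snat -s 10.10.10.0/24 -j SNAT --to-source 180.180.180.2
-A neutron-l3-agent-OUTPUT -d 180.180.180.3/32 -j DNAT --to-destination 20.20.20.2
-A neutron-l3-agent-PREROUTING -d 180.180.180.3/32 -j DNAT --to-destination 20.20.20.2
-A neutron-l3-agent-float-snat -s 20.20.20.2/32 -j SNAT --to-source 180.180.180.3
"""

# Matches the neutron-l3-agent SNAT/DNAT rule form used in the output above.
RULE_RE = re.compile(r"^-A (?P<chain>\S+) -[sd] (?P<cidr>\S+) -j (?P<target>[SD]NAT)"
                     r" --to-(?:source|destination) (?P<to>\S+)$")


def parse_nat_rules(text):
    """Return (chain, cidr, target, to_ip) tuples for every neutron NAT rule in text."""
    return [m.group("chain", "cidr", "target", "to")
            for m in (RULE_RE.match(line.strip()) for line in text.splitlines()) if m]


def tenant_snat(rules, gateway_ip):
    """Tenant subnets whose outbound traffic is SNATed to the router's gateway address."""
    return sorted(cidr for chain, cidr, target, to in rules
                  if chain == "neutron-l3-agent-snat" and target == "SNAT" and to == gateway_ip)


def check_floating_ips(rules):
    """A floating IP is wired correctly only if PREROUTING and OUTPUT DNAT it to the same
    fixed IP and float-snat maps that fixed IP back. Returns ({floating: fixed}, [problems])."""
    dnat, snat = {}, {}
    for chain, cidr, target, to in rules:
        ip = cidr.split("/")[0]
        if target == "DNAT" and chain in ("neutron-l3-agent-PREROUTING", "neutron-l3-agent-OUTPUT"):
            dnat.setdefault(ip, {})[chain.rsplit("-", 1)[1]] = to
        elif target == "SNAT" and chain == "neutron-l3-agent-float-snat":
            snat[ip] = to
    ok, problems = {}, []
    for fip, by_chain in dnat.items():
        fixed = set(by_chain.values())
        if set(by_chain) != {"PREROUTING", "OUTPUT"} or len(fixed) != 1:
            problems.append(f"{fip}: DNAT incomplete or inconsistent: {by_chain}")
        elif snat.get(next(iter(fixed))) != fip:
            problems.append(f"{fip}: no matching float-snat rule for {next(iter(fixed))}")
        else:
            ok[fip] = next(iter(fixed))
    return ok, problems


if __name__ == "__main__":
    rules = parse_nat_rules(NAT_RULES)
    print("SNAT via gateway:", tenant_snat(rules, "180.180.180.2"))
    print("floating IPs:", check_floating_ips(rules))
```

On a live system, feed it the output of `ip netns exec qrouter-<id> iptables-save -t nat` instead of the constructed sample; a floating IP that appears in the problems list is one whose DNAT and SNAT halves disagree.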

After associating the floating IP, we can connect to the virtual machine. You need to confirm that the security group rules allow this connection:

# nova secgroup-add-rule default icmp -1 -1 0.0.0.0/0
# nova secgroup-add-rule default tcp 22 22 0.0.0.0/0

These two rules allow ICMP (ping) and TCP port 22 (SSH) from any source address.

iptables is a complex and powerful tool. If you want to understand the rules above in more depth, consult the iptables documentation.

This is how the editor explains connecting a virtual machine in an OpenStack environment to the public network. If you have similar questions, the analysis above should help you work through them. To learn more, you are welcome to follow the industry information channel.
