1. network
network 是一个隔离的二层广播域,支持多种network
-
local
local网络与其他网络和节点隔离, local 网络中的 instance 只能与位于同一节点上同一网络的 instance 通信,local 网络主要用于单机测试。
-
flat
flat 网络是无 vlan tagging 的网络。flat 网络中的 instance 能与位于同一网络的 instance 通信,并且可以跨多个节点
-
vlan
vlan 网络是具有vlan tagging 的网络。vlan 是一个二层的广播域,同一 vlan 中的 instance 可以通信,不同 vlan 只能通过 router 通信。vlan 网络可以跨节点,是应用最广泛的网络类型
-
vxlan
vxlan 是基于隧道技术的 overlay 网络。vxlan 网络通过唯一的 segmentation ID(也叫 VNI)与其他 vxlan 网络区分。vxlan 中数据包会通过 VNI 封装成 UDP 包进行传输。因为二层的包通过封装在三层传输,能够克服 vlan 和物理网络基础设施的限制
-
gre
gre 是与 vxlan 类似的一种 overlay 网络。主要区别在于使用 IP 包而非 UDP 进行封装
openstack network 命令:
- 学会使用
-h和--help» Reference- 创建 network 依赖资源,可使用 openstack network 相关命令查看
- openstack network list – 查看network列表
openstack network list # 查看network列表
[--external | --internal]
[--long]
[--name <name>]
[--enable | --disable]
[--project <project>]
[--project-domain <project-domain>]
[--share | --no-share]
[--status <status>]
[--provider-network-type <provider-network-type>]
[--provider-physical-network <provider-physical-network>]
[--provider-segment <provider-segment>]
[--agent <agent-id>]
[--tags <tag>[,<tag>,...]]
[--any-tags <tag>[,<tag>,...]]
[--not-tags <tag>[,<tag>,...]]
[--not-any-tags <tag>[,<tag>,...]]
--long
List additional fields in output
--project <project>
List networks according to their project (name or ID)
--project-domain <project-domain>
Domain the project belongs to (name or ID). This can be used in case collisions between project names exist
--provider-network-type <provider-network-type>
List networks according to their physical mechanisms. The supported options are: flat, geneve, gre, local, vlan, vxlan
--provider-physical-network <provider-physical-network>
List networks according to name of the physical network
--provider-segment <provider-segment>
List networks according to VLAN ID for VLAN networks or Tunnel ID for GENEVE/GRE/VXLAN networks
--agent <agent-id>
List networks hosted by agent (ID only)
- openstack network create – 创建 network
openstack network create # 创建 network
[--share | --no-share]
[--enable | --disable]
[--project <project>]
[--description <description>]
[--project-domain <project-domain>]
[--availability-zone-hint <availability-zone>]
[--enable-port-security | --disable-port-security]
[--external | --internal]
[--default | --no-default]
[--qos-policy <qos-policy>]
[--transparent-vlan | --no-transparent-vlan]
[--provider-network-type <provider-network-type>]
[--provider-physical-network <provider-physical-network>]
[--provider-segment <provider-segment>]
[--tag <tag> | --no-tag]
<name>
--availability-zone-hint <availability-zone>
Availability Zone in which to create this network (Network Availability Zone extension required, repeat option to set multiple availability zones)
--enable-port-security
Enable port security by default for ports created on this network (default)
--disable-port-security
Disable port security by default for ports created on this network
--default
Specify if this network should be used as the default external network
--no-default
Do not use the network as the default external network (default)
--provider-network-type <provider-network-type>
The physical mechanism by which the virtual network is implemented. The supported options are: flat, geneve, gre, local, vlan, vxlan.
--provider-physical-network <provider-physical-network>
Name of the physical network over which the virtual network is implemented
--provider-segment <provider-segment>
VLAN ID for VLAN networks or Tunnel ID for GENEVE/GRE/VXLAN networks
--qos-policy <qos-policy>
QoS policy to attach to this network (name or ID)
--transparent-vlan
Make the network VLAN transparent
--no-transparent-vlan
Do not make the network VLAN transparent
- opensatck network set – 更新network属性
opensatck network set <network> # 更新network属性
- openstack network unset
openstack network unset
- openstack network delete – 删除指定network
openstack network delete <network> # 删除指定network
2. Subnet
subnet 是一个IPv4或者IPv6地址段,地址段可以在 subnet pool 中获取,subnet 中的 vm 的 ip 是从 subnet 地址段中取,每个subnet需要定义 ip 地址范围和掩码。
network 和 subnet 的关系是一对多的关系,一个subnet只能属于一个network,但是一个network可以有多个subnet,但是每个subnet的网段必须不同。
openstack subnet 命令:
- 学会使用
-h和--help» Reference
- openstack subnet create – 创建subnet
openstack subnet create # 创建subnet
[--project <project>]
[--project-domain <project-domain>]
[--subnet-pool <subnet-pool> | --use-default-subnet-pool]
[--prefix-length <prefix-length>]
[--subnet-range <subnet-range>]
[--dhcp | --no-dhcp]
[--gateway <gateway>]
[--ip-version {4,6}]
[--ipv6-ra-mode {dhcpv6-stateful,dhcpv6-stateless,slaac}]
[--ipv6-address-mode {dhcpv6-stateful,dhcpv6-stateless,slaac}]
[--network-segment <network-segment>]
--network <network>
[--description <description>]
[--allocation-pool start=<ip-address>,end=<ip-address>]
[--dns-nameserver <dns-nameserver>]
[--host-route destination=<subnet>,gateway=<ip-address>]
[--service-type <service-type>]
[--tag <tag> | --no-tag]
name
--dns-nameserver <dns-nameserver>
DNS server for this subnet (repeat option to set multiple DNS servers)
--host-route destination=<subnet>,gateway=<ip-address>
Additional route for this subnet e.g.: destination=10.10.0.0/16,gateway=192.168.71.254 destination: destination subnet (in CIDR notation) gateway: nexthop IP address (repeat option to add multiple routes)
- openstack subnet list – 查询subnet列表
openstack subnet list # 查询subnet列表
[--long]
[--ip-version <ip-version>]
[--dhcp | --no-dhcp]
[--service-type <service-type>]
[--project <project>]
[--project-domain <project-domain>]
[--network <network>]
[--gateway <gateway>]
[--name <name>]
[--subnet-range <subnet-range>]
[--tags <tag>[,<tag>,...]]
[--any-tags <tag>[,<tag>,...]]
[--not-tags <tag>[,<tag>,...]]
[--not-any-tags <tag>[,<tag>,...]]
- openstack subnet show – 查询subnet详情
openstack subnet show <subnet> # 查询subnet详情
- openstack subnet delete – 删除subnet
openstack subnet delete <subnet> # 删除subnet详情
- openstack subnet set – 更新 subnet
openstack subnet set <subnet> # 更新subnet
[--name <name>]
[--dhcp | --no-dhcp]
[--gateway <gateway>]
[--description <description>]
[--tag <tag>]
[--no-tag]
[--allocation-pool start=<ip-address>,end=<ip-address>]
[--no-allocation-pool]
[--dns-nameserver <dns-nameserver>]
[--no-dns-nameservers]
[--host-route destination=<subnet>,gateway=<ip-address>]
[--no-host-route]
[--service-type <service-type>]
<subnet>
- openstack subnet unset – 更新 subnet
openstack subnet unset # 更新 subnet
[--allocation-pool start=<ip-address>,end=<ip-address>]
[--dns-nameserver <dns-nameserver>]
[--host-route destination=<subnet>,gateway=<ip-address>]
[--service-type <service-type>]
[--tag <tag> | --all-tag]
<subnet>
3. Port
port 相当于虚拟交换机上的一个端口,port上定义了 MAC 地址和 IP 地址,当 instance 的虚拟网卡 VIF(Virtual Interface) 绑定到 port 时,port 会将 MAC 和 IP 分配给 VIF,port 只有分配给具体设施才有意义
一个subnet可以有多个port,一个port唯一对应一个subnet,一个port对应一个VIF
openstack port 命令:
学会使用
-h和--helpReference
- openstack port create – 创建port
openstack port create # 创建port
--network <network>
[--description <description>]
[--device <device-id>]
[--mac-address <mac-address>]
[--device-owner <device-owner>]
[--vnic-type <vnic-type>]
[--host <host-id>]
[--dns-name dns-name]
[--fixed-ip subnet=<subnet>,ip-address=<ip-address>]
[--binding-profile <binding-profile>]
[--enable | --disable]
[--project <project>]
[--project-domain <project-domain>]
[--security-group <security-group> | --no-security-group]
[--qos-policy <qos-policy>]
[--enable-port-security | --disable-port-security]
[--allowed-address ip-address=<ip-address>[,mac-address=<mac-address>]]
[--tag <tag> | --no-tag]
<name>
--fixed-ip subnet=<subnet>,ip-address=<ip-address>
Desired IP and/or subnet for this port (name or ID): subnet=<subnet>,ip-address=<ip-address> (repeat option to set multiple fixed IP addresses)
--device <device-id>
Port device ID
--device-owner <device-owner>
Device owner of this port. This is the entity that uses the port (for example, network:dhcp).
--vnic-type <vnic-type>
VNIC type for this port (direct | direct-physical | macvtap | normal | baremetal | virtio-forwarder, default: normal)
--binding-profile <binding-profile>
Custom data to be passed as binding:profile. Data may be passed as <key>=<value> or JSON. (repeat option to set multiple binding:profile data)
--host <host-id>
Allocate port on host <host-id> (ID only)
--qos-policy <qos-policy>
Attach QoS policy to this port (name or ID)
--dns-name <dns-name>
Set DNS name for this port (requires DNS integration extension)
--allowed-address ip-address=<ip-address>[,mac-address=<mac-address>]
Add allowed-address pair associated with this port: ip-address=<ip-address>[,mac-address=<mac-address>] (repeat option to set multiple allowed-address pairs)
- openstack port list – 查询port列表
openstack port list # 查询port列表
[--long]
[--ip-version <ip-version>]
[--dhcp | --no-dhcp]
[--service-type <service-type>]
[--project <project>]
[--project-domain <project-domain>]
[--network <network>]
[--gateway <gateway>]
[--name <name>]
[--subnet-range <subnet-range>]
[--tags <tag>[,<tag>,...]]
[--any-tags <tag>[,<tag>,...]]
[--not-tags <tag>[,<tag>,...]]
[--not-any-tags <tag>[,<tag>,...]]
--service-type <service-type>
List only subnets of a given service type in output
e.g.: network:floatingip_agent_gateway. Must be a
valid device owner value for a network port (repeat
option to list multiple service types)
--subnet-range <subnet-range>
List only subnets of given subnet range (in CIDR
notation) in output e.g.: --subnet-range 10.10.0.0/16
- openstack port delete – 删除指定port
openstack port delete <port> # 删除指定port
- openstack port show – 查询port详情
openstack port show <port> # 查询port详情
- openstack port set – 更新指定port
openstack port set <port> # 更新指定port
- openstack port unset – 更新指定port
openstack port unset <port> # 更新指定port
4.Router
router 是一个逻辑概念,用于內部不同子网(不在一个二层域)之间的数据包转发以及将数据发送到外部网络,neutron router 是由 L3 agent 实现,传统L3 agent 只运行在网路节点
集中式路由:只在网络节点起 L3 agent 以实现 neutron router,这样导致所有的流量(节点内部,出节点)都会通过网络节点
分布式路由:在计算节点和网络都起 L3 agent 以实现 neutron router,计算节点内部的流量在计算节点内部进行转发,出节点的流量走网络节点转发
openstack router 命令:
- openstack router create – 创建router
openstack router create # 创建router
[--enable | --disable]
[--distributed | --centralized]
[--ha | --no-ha]
[--description <description>]
[--project <project>]
[--project-domain <project-domain>]
[--availability-zone-hint <availability-zone>]
[--tag <tag> | --no-tag]
<name>
--distributed
Create a distributed router # 分布式
--centralized
Create a centralized router # 集中式
--ha
Create a highly available router
--no-ha
Create a legacy router
- openstack router list – 查询 router 列表
openstack router list # 查询 router 列表
- openstack router show – 查询 router 详情
openstack router show <router> # 查询 router 详情
- openstack router set / unset – 更新指定 router
openstack router set / unset <router> # 更新指定 router
- openstack router delete – 删除指定 router
openstack router delete <router> # 删除指定 router
- openstack router add port – router 关联port
openstack router add port <router> <port>
- openstack router remove port – router 移除 port
openstack router remove port <router> <port>
- openstack router add subnet – router 关联 subnet
openstack router add subnet <router> <subnet>
- openstack router add subnet – router subnet 解除关联
openstack router remove subnet <router> <subnet>
5. firewall
firewall 是由 L3 Agent 实现,它的规则会在 router 所在的节点转换为 ip tables 规则,主要用于保护跨子网的流量保护
openstack firewall 命令:
- openstack firewall group rule create / **neutron firewall-rule-create ** —- 创建防火墙规则
openstack firewall group rule create # 创建rule
[--name <name>]
[--description <description>]
[--protocol {tcp,udp,icmp,any}]
[--action {allow,deny,reject}]
[--ip-version <ip-version>]
[--source-ip-address <source-ip-address> | --no-source-ip-address]
[--destination-ip-address <destination-ip-address> | --no-destination-ip-address]
[--source-port <source-port> | --no-source-port]
[--destination-port <destination-port> | --no-destination-port]
[--public | --private | --share | --no-share]
[--enable-rule | --disable-rule]
[--project <project>]
[--project-domain <project-domain>]
- openstack firewall group policy create / neutron firewall-policy-create – 创建防火墙策略
openstack firewall group policy create # 创建防火墙策略
[--description DESCRIPTION]
[--audited | --no-audited]
[--share | --public | --private | --no-share]
[--project <project>]
[--project-domain <project-domain>]
[--firewall-rule <firewall-rule> | --no-firewall-rule]
<name>
- openstack firewall group create / neutron firewall-create —- 创建防火墙
openstack firewall group create # 创建防火墙
[--name NAME]
[--description <description>]
[--ingress-firewall-policy <ingress-firewall-policy> | --no-ingress-firewall-policy]
[--egress-firewall-policy <egress-firewall-policy> | --no-egress-firewall-policy]
[--public | --private | --share | --no-share]
[--enable | --disable]
[--project <project>]
[--project-domain <project-domain>]
[--port <port> | --no-port]