  • 四:OVS+GRE之网络节点

    关于Neutron上的三种Agent的作用:

    • Neutron-OVS-Agent:从OVS-Plugin上接收tunnel和tunnel flow的配置,驱动OVS来建立GRE Tunnel
    • Neutron-DHCP-Agent:为每一个配置了DHCP的网络/子网配置dnsmasq,也负责把Mac地址/IP地址 信息写入dnsmasq dhcp lease 文件
    • Neutron-L3-Agent:设置iptables/routing/NAT表

    网络节点初始建立

    [root@network01 ~]# ovs-vsctl show
    aa2155ed-ec27-454f-bb5c-07325a5322a9
    Bridge br-ex
    Port phy-br-ex
    Interface phy-br-ex
    type: patch
    options: {peer=int-br-ex}
    Port br-ex
    Interface br-ex
    type: internal
    Port "eno16777728"
    Interface "eno16777728"
    Bridge br-int
    fail_mode: secure
    Port int-br-ex
    Interface int-br-ex
    type: patch
    options: {peer=phy-br-ex}
    Port patch-tun
    Interface patch-tun
    type: patch
    options: {peer=patch-int}
    Port br-int
    Interface br-int
    type: internal
    Bridge br-tun
    fail_mode: secure
    Port br-tun
    Interface br-tun
    type: internal
    Port patch-int
    Interface patch-int
    type: patch
    options: {peer=patch-tun}
    ovs_version: "2.5.0"

    [root@network01 ~]# ovs-ofctl dump-flows br-tun
    NXST_FLOW reply (xid=0x4):
    cookie=0x98a3719566989240, duration=415.236s, table=0, n_packets=0, n_bytes=0, idle_age=415, priority=1,in_port=1 actions=resubmit(,2)
    cookie=0x98a3719566989240, duration=415.236s, table=0, n_packets=0, n_bytes=0, idle_age=415, priority=0 actions=drop
    cookie=0x98a3719566989240, duration=415.236s, table=2, n_packets=0, n_bytes=0, idle_age=415, priority=0,dl_dst=00:00:00:00:00:00/01:00:00:00:00:00 actions=resubmit(,20)
    cookie=0x98a3719566989240, duration=415.235s, table=2, n_packets=0, n_bytes=0, idle_age=415, priority=0,dl_dst=01:00:00:00:00:00/01:00:00:00:00:00 actions=resubmit(,22)
    cookie=0x98a3719566989240, duration=415.235s, table=3, n_packets=0, n_bytes=0, idle_age=415, priority=0 actions=drop
    cookie=0x98a3719566989240, duration=415.235s, table=4, n_packets=0, n_bytes=0, idle_age=415, priority=0 actions=drop
    cookie=0x98a3719566989240, duration=415.234s, table=6, n_packets=0, n_bytes=0, idle_age=415, priority=0 actions=drop
    cookie=0x98a3719566989240, duration=415.234s, table=10, n_packets=0, n_bytes=0, idle_age=415, priority=1 actions=learn(table=20,hard_timeout=300,priority=1,cookie=0x98a3719566989240,NXM_OF_VLAN_TCI[0..11],NXM_OF_ETH_DST[]=NXM_OF_ETH_SRC[],load:0->NXM_OF_VLAN_TCI[],load:NXM_NX_TUN_ID[]->NXM_NX_TUN_ID[],output:NXM_OF_IN_PORT[]),output:1
    cookie=0x98a3719566989240, duration=415.234s, table=20, n_packets=0, n_bytes=0, idle_age=415, priority=0 actions=resubmit(,22)
    cookie=0x98a3719566989240, duration=415.230s, table=22, n_packets=0, n_bytes=0, idle_age=415, priority=0 actions=drop


    [root@network01 ~]# ovs-ofctl dump-flows br-int
    NXST_FLOW reply (xid=0x4):
    cookie=0x80eafad15a6e6157, duration=461.942s, table=0, n_packets=84, n_bytes=10115, idle_age=17, priority=2,in_port=1 actions=drop
    cookie=0x80eafad15a6e6157, duration=462.010s, table=0, n_packets=0, n_bytes=0, idle_age=462, priority=0 actions=NORMAL
    cookie=0x80eafad15a6e6157, duration=462.006s, table=23, n_packets=0, n_bytes=0, idle_age=462, priority=0 actions=drop
    cookie=0x80eafad15a6e6157, duration=462.002s, table=24, n_packets=0, n_bytes=0, idle_age=462, priority=0 actions=drop


    [root@network01 ~]# ovs-ofctl dump-flows br-ex
    NXST_FLOW reply (xid=0x4):
    cookie=0x9eca13790f6a3396, duration=475.914s, table=0, n_packets=0, n_bytes=0, idle_age=475, priority=2,in_port=2 actions=drop
    cookie=0x9eca13790f6a3396, duration=475.944s, table=0, n_packets=6345, n_bytes=1411407, idle_age=0, priority=0 actions=NORMAL

    计算节点初始建立

    [root@compute01 network-scripts]# ovs-vsctl show
    a621fa10-9712-4aee-9fee-b27cb993ae4d
    Bridge br-tun
    fail_mode: secure
    Port patch-int
    Interface patch-int
    type: patch
    options: {peer=patch-tun}
    Port br-tun
    Interface br-tun
    type: internal
    Bridge br-int
    fail_mode: secure
    Port br-int
    Interface br-int
    type: internal
    Port patch-tun
    Interface patch-tun
    type: patch
    options: {peer=patch-int}
    ovs_version: "2.5.0"


    [root@compute01 network-scripts]# ovs-ofctl dump-flows br-tun
    NXST_FLOW reply (xid=0x4):
    cookie=0xa05092b3bd957132, duration=85.620s, table=0, n_packets=0, n_bytes=0, idle_age=85, priority=1,in_port=1 actions=resubmit(,2)
    cookie=0xa05092b3bd957132, duration=85.619s, table=0, n_packets=0, n_bytes=0, idle_age=85, priority=0 actions=drop
    cookie=0xa05092b3bd957132, duration=85.619s, table=2, n_packets=0, n_bytes=0, idle_age=85, priority=0,dl_dst=00:00:00:00:00:00/01:00:00:00:00:00 actions=resubmit(,20)
    cookie=0xa05092b3bd957132, duration=85.619s, table=2, n_packets=0, n_bytes=0, idle_age=85, priority=0,dl_dst=01:00:00:00:00:00/01:00:00:00:00:00 actions=resubmit(,22)
    cookie=0xa05092b3bd957132, duration=85.619s, table=3, n_packets=0, n_bytes=0, idle_age=85, priority=0 actions=drop
    cookie=0xa05092b3bd957132, duration=85.619s, table=4, n_packets=0, n_bytes=0, idle_age=85, priority=0 actions=drop
    cookie=0xa05092b3bd957132, duration=85.619s, table=6, n_packets=0, n_bytes=0, idle_age=85, priority=0 actions=drop
    cookie=0xa05092b3bd957132, duration=85.618s, table=10, n_packets=0, n_bytes=0, idle_age=85, priority=1 actions=learn(table=20,hard_timeout=300,priority=1,cookie=0xa05092b3bd957132,NXM_OF_VLAN_TCI[0..11],NXM_OF_ETH_DST[]=NXM_OF_ETH_SRC[],load:0->NXM_OF_VLAN_TCI[],load:NXM_NX_TUN_ID[]->NXM_NX_TUN_ID[],output:NXM_OF_IN_PORT[]),output:1
    cookie=0xa05092b3bd957132, duration=85.618s, table=20, n_packets=0, n_bytes=0, idle_age=85, priority=0 actions=resubmit(,22)
    cookie=0xa05092b3bd957132, duration=85.612s, table=22, n_packets=0, n_bytes=0, idle_age=85, priority=0 actions=drop


    [root@compute01 network-scripts]# ovs-ofctl dump-flows br-int
    NXST_FLOW reply (xid=0x4):
    cookie=0xa7ca4aa5282a657d, duration=69.290s, table=0, n_packets=0, n_bytes=0, idle_age=69, priority=0 actions=NORMAL
    cookie=0xa7ca4aa5282a657d, duration=69.285s, table=23, n_packets=0, n_bytes=0, idle_age=69, priority=0 actions=drop
    cookie=0xa7ca4aa5282a657d, duration=69.281s, table=24, n_packets=0, n_bytes=0, idle_age=69, priority=0 actions=drop

    新增计算节点后,网络节点的变化

    [root@network01 ~]# ovs-vsctl show
    aa2155ed-ec27-454f-bb5c-07325a5322a9
    Bridge br-ex
    Port phy-br-ex
    Interface phy-br-ex
    type: patch
    options: {peer=int-br-ex}
    Port br-ex
    Interface br-ex
    type: internal
    Port "eno16777728"
    Interface "eno16777728"
    Bridge br-int
    fail_mode: secure
    Port int-br-ex
    Interface int-br-ex
    type: patch
    options: {peer=phy-br-ex}
    Port patch-tun
    Interface patch-tun
    type: patch
    options: {peer=patch-int}
    Port br-int
    Interface br-int
    type: internal
    Bridge br-tun
    fail_mode: secure
    Port "vxlan-01010175"
    Interface "vxlan-01010175"
    type: vxlan
    options: {df_default="true", in_key=flow, local_ip="1.1.1.119", out_key=flow, remote_ip="1.1.1.117"}
    Port "gre-01010175"
    Interface "gre-01010175"
    type: gre
    options: {df_default="true", in_key=flow, local_ip="1.1.1.119", out_key=flow, remote_ip="1.1.1.117"}
    Port br-tun
    Interface br-tun
    type: internal
    Port patch-int
    Interface patch-int
    type: patch
    options: {peer=patch-tun}
    ovs_version: "2.5.0"




    [root@network01 ~]# ovs-ofctl dump-flows br-tun
    NXST_FLOW reply (xid=0x4):
    cookie=0x98a3719566989240, duration=1432.934s, table=0, n_packets=0, n_bytes=0, idle_age=1432, priority=1,in_port=1 actions=resubmit(,2)
    cookie=0x98a3719566989240, duration=678.011s, table=0, n_packets=0, n_bytes=0, idle_age=678, priority=1,in_port=2 actions=resubmit(,3)
    cookie=0x98a3719566989240, duration=678.001s, table=0, n_packets=0, n_bytes=0, idle_age=678, priority=1,in_port=3 actions=resubmit(,4)
    cookie=0x98a3719566989240, duration=1432.934s, table=0, n_packets=0, n_bytes=0, idle_age=1432, priority=0 actions=drop
    cookie=0x98a3719566989240, duration=1432.934s, table=2, n_packets=0, n_bytes=0, idle_age=1432, priority=0,dl_dst=00:00:00:00:00:00/01:00:00:00:00:00 actions=resubmit(,20)
    cookie=0x98a3719566989240, duration=1432.933s, table=2, n_packets=0, n_bytes=0, idle_age=1432, priority=0,dl_dst=01:00:00:00:00:00/01:00:00:00:00:00 actions=resubmit(,22)
    cookie=0x98a3719566989240, duration=1432.933s, table=3, n_packets=0, n_bytes=0, idle_age=1432, priority=0 actions=drop
    cookie=0x98a3719566989240, duration=1432.933s, table=4, n_packets=0, n_bytes=0, idle_age=1432, priority=0 actions=drop
    cookie=0x98a3719566989240, duration=1432.932s, table=6, n_packets=0, n_bytes=0, idle_age=1432, priority=0 actions=drop
    cookie=0x98a3719566989240, duration=1432.932s, table=10, n_packets=0, n_bytes=0, idle_age=1432, priority=1 actions=learn(table=20,hard_timeout=300,priority=1,cookie=0x98a3719566989240,NXM_OF_VLAN_TCI[0..11],NXM_OF_ETH_DST[]=NXM_OF_ETH_SRC[],load:0->NXM_OF_VLAN_TCI[],load:NXM_NX_TUN_ID[]->NXM_NX_TUN_ID[],output:NXM_OF_IN_PORT[]),output:1
    cookie=0x98a3719566989240, duration=1432.932s, table=20, n_packets=0, n_bytes=0, idle_age=1432, priority=0 actions=resubmit(,22)
    cookie=0x98a3719566989240, duration=1432.928s, table=22, n_packets=0, n_bytes=0, idle_age=1432, priority=0 actions=drop
    [root@network01 ~]# ovs-ofctl dump-flows br-int
    NXST_FLOW reply (xid=0x4):
    cookie=0x80eafad15a6e6157, duration=1435.422s, table=0, n_packets=252, n_bytes=29709, idle_age=30, priority=2,in_port=1 actions=drop
    cookie=0x80eafad15a6e6157, duration=1435.490s, table=0, n_packets=0, n_bytes=0, idle_age=1435, priority=0 actions=NORMAL
    cookie=0x80eafad15a6e6157, duration=1435.486s, table=23, n_packets=0, n_bytes=0, idle_age=1435, priority=0 actions=drop
    cookie=0x80eafad15a6e6157, duration=1435.482s, table=24, n_packets=0, n_bytes=0, idle_age=1435, priority=0 actions=drop
    [root@network01 ~]# ovs-ofctl dump-flows br-ex
    NXST_FLOW reply (xid=0x4):
    cookie=0x9eca13790f6a3396, duration=1437.921s, table=0, n_packets=0, n_bytes=0, idle_age=1437, priority=2,in_port=2 actions=drop
    cookie=0x9eca13790f6a3396, duration=1437.951s, table=0, n_packets=24901, n_bytes=5525721, idle_age=0, priority=0 actions=NORMAL

    在dashboard管理员下创建不带子网的外部网络

    此时不管在dashboard查看,还是在网络节点执行ip netns show查看,都看不到任何名称空间里有设备产生

    于是我们为该网络创建子网

     

    然后先在网络节点执行

    [root@network01 ~]# ip netns show
    qdhcp-7619e0d9-e11d-4005-a691-f7abdd704b37

    然后再在dashboard里查看

    普通用户demo创建网络,子网,及路由,

     

    在网络节点

    [root@network01 ~]# ip netns show
    qrouter-f37e0927-1291-469f-bdbc-dd4011394835 #这就是demo-router
    qdhcp-125e0c45-2d45-469c-929e-493d36d92be4 #这是demo-net的dhcp
    qdhcp-7619e0d9-e11d-4005-a691-f7abdd704b37 #这是external的dhcp

    租户demo的网络拓扑已经构建完毕demo-net----->demo-router------->external

    于是我们可以新建vm连接到demo-net了

    且慢,让我们先将上述的网络拓扑画出来

    先画网络节点的,查看拓扑

    [root@network01 ~]# ovs-vsctl show
    b3d24647-b0e2-41d2-bd48-ef2c5d025601
    Bridge br-tun
    fail_mode: secure
    Port "vxlan-01010175"
    Interface "vxlan-01010175"
    type: vxlan
    options: {df_default="true", in_key=flow, local_ip="1.1.1.119", out_key=flow, remote_ip="1.1.1.117"}
    Port "gre-01010175"
    Interface "gre-01010175"
    type: gre
    options: {df_default="true", in_key=flow, local_ip="1.1.1.119", out_key=flow, remote_ip="1.1.1.117"}
    Port br-tun
    Interface br-tun
    type: internal
    Port patch-int
    Interface patch-int
    type: patch
    options: {peer=patch-tun}
    Bridge br-int
    fail_mode: secure
    Port br-int
    Interface br-int
    type: internal
    Port "qr-eab14967-a4"
    tag: 3
    Interface "qr-eab14967-a4"
    type: internal
    Port "tap8cc4ca9f-58"
    tag: 2
    Interface "tap8cc4ca9f-58"
    type: internal
    Port patch-tun
    Interface patch-tun
    type: patch
    options: {peer=patch-int}
    Port "tap8b416bf2-5f"
    tag: 3
    Interface "tap8b416bf2-5f"
    type: internal
    Port int-br-ex
    Interface int-br-ex
    type: patch
    options: {peer=phy-br-ex}
    Bridge br-ex
    Port br-ex
    Interface br-ex
    type: internal
    Port "qg-8879568d-88"
    Interface "qg-8879568d-88"
    type: internal
    Port phy-br-ex
    Interface phy-br-ex
    type: patch
    options: {peer=int-br-ex}
    Port "eno16777728"
    Interface "eno16777728"
    ovs_version: "2.5.0"

     此时的compute节点因为没有vm,所以还是跟以前一样

    [root@compute01 ~]# ovs-vsctl show
    00126cb0-fd70-482d-be60-a9769797d5c8
    Bridge br-tun
    fail_mode: secure
    Port br-tun
    Interface br-tun
    type: internal
    Port patch-int
    Interface patch-int
    type: patch
    options: {peer=patch-tun}
    Bridge br-int
    fail_mode: secure
    Port br-int
    Interface br-int
    type: internal
    Port patch-tun
    Interface patch-tun
    type: patch
    options: {peer=patch-int}
    ovs_version: "2.5.0"

    但是当我们新增一个vm后,再看compute,当然此时网络节点的网桥关系不会变化

    [root@compute01 ~]# ovs-vsctl show
    00126cb0-fd70-482d-be60-a9769797d5c8
    Bridge br-tun
    fail_mode: secure
    Port "vxlan-01010177"
    Interface "vxlan-01010177"
    type: vxlan
    options: {df_default="true", in_key=flow, local_ip="1.1.1.117", out_key=flow, remote_ip="1.1.1.119"}
    Port br-tun
    Interface br-tun
    type: internal
    Port patch-int
    Interface patch-int
    type: patch
    options: {peer=patch-tun}
    Bridge br-int
    fail_mode: secure
    Port br-int
    Interface br-int
    type: internal
    Port patch-tun
    Interface patch-tun
    type: patch
    options: {peer=patch-int}
    Port "qvo1ea1ad64-e2" #这就是刚刚建的那台vm,连接到br-int上的接口
    tag: 1
    Interface "qvo1ea1ad64-e2"
    ovs_version: "2.5.0"

     

    插播Mac地址的基础知识:

    • MAC地址是以太网二层使用的一个48bit(6字节十六进制数)的地址,用来标识设备位置。MAC地址分成两部分,前24位是组织唯一标识符(OUI, Organizationally unique identifier),后24位由厂商自行分配。48bit的MAC地址一般用6字节的十六进制来表示,如XX-XX-XX-XX-XX-XX。
    • 广播地址:FF:FF:FF:FF:FF:FF
    • 组播地址:MAC组播地址的特征是头8位的最低位是1。例如01:80:C2:00:00:00是一个组播地址,表示802.1d网桥多播组。网桥就是使用这个地址,相互之间交换配置信息,运行分布式生成树算法,消除网络拓扑结构中的环路。
    • 单播地址:单播地址的特征是头8位的最低位为0。每个网卡出厂时被分配唯一一个单播地址,头24位是设备制造厂商的编号,由IEEE(电气与电子工程师协会)分配,后24位是设备厂商为网卡指定的唯一编号。例如8C-70-5A-29-3A-48 是单播地址的例子 (8C = 10001100)。

    [root@network01 ~]# ovs-ofctl dump-flows br-tun
    NXST_FLOW reply (xid=0x4):
    cookie=0xa44d2f2745487c7e, duration=6408.572s, table=0, n_packets=201, n_bytes=23932, idle_age=1514, priority=1,in_port=1 actions=resubmit(,2)
    cookie=0xa44d2f2745487c7e, duration=6398.482s, table=0, n_packets=0, n_bytes=0, idle_age=6398, priority=1,in_port=2 actions=resubmit(,3)
    cookie=0xa44d2f2745487c7e, duration=6398.370s, table=0, n_packets=201, n_bytes=19348, idle_age=1514, priority=1,in_port=3 actions=resubmit(,4)
    cookie=0xa44d2f2745487c7e, duration=6408.572s, table=0, n_packets=0, n_bytes=0, idle_age=6408, priority=0 actions=drop
    cookie=0xa44d2f2745487c7e, duration=6408.571s, table=2, n_packets=153, n_bytes=20092, idle_age=1514, priority=0,dl_dst=00:00:00:00:00:00/01:00:00:00:00:00 actions=resubmit(,20)
    cookie=0xa44d2f2745487c7e, duration=6408.571s, table=2, n_packets=48, n_bytes=3840, idle_age=1806, priority=0,dl_dst=01:00:00:00:00:00/01:00:00:00:00:00 actions=resubmit(,22)
    cookie=0xa44d2f2745487c7e, duration=6408.571s, table=3, n_packets=0, n_bytes=0, idle_age=6408, priority=0 actions=drop
    cookie=0xa44d2f2745487c7e, duration=5727.725s, table=4, n_packets=0, n_bytes=0, idle_age=5727, priority=1,tun_id=0x1 actions=mod_vlan_vid:2,resubmit(,10)
    cookie=0xa44d2f2745487c7e, duration=5495.568s, table=4, n_packets=201, n_bytes=19348, idle_age=1514, priority=1,tun_id=0x47 actions=mod_vlan_vid:3,resubmit(,10)
    cookie=0xa44d2f2745487c7e, duration=6408.571s, table=4, n_packets=0, n_bytes=0, idle_age=6408, priority=0 actions=drop
    cookie=0xa44d2f2745487c7e, duration=6408.571s, table=6, n_packets=0, n_bytes=0, idle_age=6408, priority=0 actions=drop
    cookie=0xa44d2f2745487c7e, duration=6408.571s, table=10, n_packets=201, n_bytes=19348, idle_age=1514, priority=1 actions=learn(table=20,hard_timeout=300,priority=1,cookie=0xa44d2f2745487c7e,NXM_OF_VLAN_TCI[0..11],NXM_OF_ETH_DST[]=NXM_OF_ETH_SRC[],load:0->NXM_OF_VLAN_TCI[],load:NXM_NX_TUN_ID[]->NXM_NX_TUN_ID[],output:NXM_OF_IN_PORT[]),output:1
    cookie=0xa44d2f2745487c7e, duration=6408.571s, table=20, n_packets=0, n_bytes=0, idle_age=6408, priority=0 actions=resubmit(,22)
    cookie=0xa44d2f2745487c7e, duration=5727.741s, table=22, n_packets=5, n_bytes=390, idle_age=5719, dl_vlan=2 actions=strip_vlan,set_tunnel:0x1,output:3
    cookie=0xa44d2f2745487c7e, duration=5495.573s, table=22, n_packets=19, n_bytes=1606, idle_age=1806, dl_vlan=3 actions=strip_vlan,set_tunnel:0x47,output:3
    cookie=0xa44d2f2745487c7e, duration=6408.565s, table=22, n_packets=16, n_bytes=1328, idle_age=5379, priority=0 actions=drop

    [root@compute01 ~]# ovs-ofctl dump-flows br-tun

    NXST_FLOW reply (xid=0x4):
    cookie=0xaec5db959d6a6f09, duration=6700.403s, table=0, n_packets=206, n_bytes=19730, idle_age=1815, priority=1,in_port=1 actions=resubmit(,2)
    cookie=0xaec5db959d6a6f09, duration=2113.576s, table=0, n_packets=154, n_bytes=20134, idle_age=1815, priority=1,in_port=2 actions=resubmit(,4)
    cookie=0xaec5db959d6a6f09, duration=6700.403s, table=0, n_packets=0, n_bytes=0, idle_age=6700, priority=0 actions=drop
    cookie=0xaec5db959d6a6f09, duration=6700.403s, table=2, n_packets=1, n_bytes=42, idle_age=2107, priority=1,arp,dl_dst=ff:ff:ff:ff:ff:ff actions=resubmit(,21)
    cookie=0xaec5db959d6a6f09, duration=6700.403s, table=2, n_packets=193, n_bytes=18204, idle_age=1815, priority=0,dl_dst=00:00:00:00:00:00/01:00:00:00:00:00 actions=resubmit(,20)
    cookie=0xaec5db959d6a6f09, duration=6700.402s, table=2, n_packets=12, n_bytes=1484, idle_age=2097, priority=0,dl_dst=01:00:00:00:00:00/01:00:00:00:00:00 actions=resubmit(,22)
    cookie=0xaec5db959d6a6f09, duration=6700.402s, table=3, n_packets=0, n_bytes=0, idle_age=6700, priority=0 actions=drop
    cookie=0xaec5db959d6a6f09, duration=2114.249s, table=4, n_packets=154, n_bytes=20134, idle_age=1815, priority=1,tun_id=0x47 actions=mod_vlan_vid:1,resubmit(,10)
    cookie=0xaec5db959d6a6f09, duration=6700.402s, table=4, n_packets=0, n_bytes=0, idle_age=6700, priority=0 actions=drop
    cookie=0xaec5db959d6a6f09, duration=6700.402s, table=6, n_packets=0, n_bytes=0, idle_age=6700, priority=0 actions=drop
    cookie=0xaec5db959d6a6f09, duration=6700.402s, table=10, n_packets=154, n_bytes=20134, idle_age=1815, priority=1 actions=learn(table=20,hard_timeout=300,priority=1,cookie=0xaec5db959d6a6f09,NXM_OF_VLAN_TCI[0..11],NXM_OF_ETH_DST[]=NXM_OF_ETH_SRC[],load:0->NXM_OF_VLAN_TCI[],load:NXM_NX_TUN_ID[]->NXM_NX_TUN_ID[],output:NXM_OF_IN_PORT[]),output:1
    cookie=0xaec5db959d6a6f09, duration=2113.575s, table=20, n_packets=1, n_bytes=42, idle_age=2102, priority=2,dl_vlan=1,dl_dst=fa:16:3e:1d:79:ea actions=strip_vlan,set_tunnel:0x47,output:2
    cookie=0xaec5db959d6a6f09, duration=2113.575s, table=20, n_packets=192, n_bytes=18162, idle_age=1815, priority=2,dl_vlan=1,dl_dst=fa:16:3e:b3:b4:f7 actions=strip_vlan,set_tunnel:0x47,output:2
    cookie=0xaec5db959d6a6f09, duration=6700.402s, table=20, n_packets=0, n_bytes=0, idle_age=6700, priority=0 actions=resubmit(,22)
    cookie=0xaec5db959d6a6f09, duration=2113.575s, table=21, n_packets=0, n_bytes=0, idle_age=2113, priority=1,arp,dl_vlan=1,arp_tpa=172.16.45.2 actions=move:NXM_OF_ETH_SRC[]->NXM_OF_ETH_DST[],mod_dl_src:fa:16:3e:1d:79:ea,load:0x2->NXM_OF_ARP_OP[],move:NXM_NX_ARP_SHA[]->NXM_NX_ARP_THA[],move:NXM_OF_ARP_SPA[]->NXM_OF_ARP_TPA[],load:0xfa163e1d79ea->NXM_NX_ARP_SHA[],load:0xac102d02->NXM_OF_ARP_SPA[],IN_PORT
    cookie=0xaec5db959d6a6f09, duration=2113.575s, table=21, n_packets=1, n_bytes=42, idle_age=2107, priority=1,arp,dl_vlan=1,arp_tpa=172.16.45.1 actions=move:NXM_OF_ETH_SRC[]->NXM_OF_ETH_DST[],mod_dl_src:fa:16:3e:b3:b4:f7,load:0x2->NXM_OF_ARP_OP[],move:NXM_NX_ARP_SHA[]->NXM_NX_ARP_THA[],move:NXM_OF_ARP_SPA[]->NXM_OF_ARP_TPA[],load:0xfa163eb3b4f7->NXM_NX_ARP_SHA[],load:0xac102d01->NXM_OF_ARP_SPA[],IN_PORT
    cookie=0xaec5db959d6a6f09, duration=6700.402s, table=21, n_packets=0, n_bytes=0, idle_age=6700, priority=0 actions=resubmit(,22)
    cookie=0xaec5db959d6a6f09, duration=2113.570s, table=22, n_packets=8, n_bytes=1144, idle_age=2097, dl_vlan=1 actions=strip_vlan,set_tunnel:0x47,output:2
    cookie=0xaec5db959d6a6f09, duration=6700.396s, table=22, n_packets=4, n_bytes=340, idle_age=2114, priority=0 actions=drop

    命名空间查看

    查看路由

    [root@network01 ~]# ip netns exec qrouter-f37e0927-1291-469f-bdbc-dd4011394835 bash

    [root@network01 ~]# ifconfig
    lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
    inet 127.0.0.1 netmask 255.0.0.0
    inet6 ::1 prefixlen 128 scopeid 0x10<host>
    loop txqueuelen 0 (Local Loopback)
    RX packets 0 bytes 0 (0.0 B)
    RX errors 0 dropped 0 overruns 0 frame 0
    TX packets 0 bytes 0 (0.0 B)
    TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

    qg-8879568d-88: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1450
    inet 192.168.31.3 netmask 255.255.255.0 broadcast 192.168.31.255
    inet6 fe80::f816:3eff:fe64:f3d8 prefixlen 64 scopeid 0x20<link>
    ether fa:16:3e:64:f3:d8 txqueuelen 0 (Ethernet)
    RX packets 2774 bytes 245126 (239.3 KiB)
    RX errors 0 dropped 0 overruns 0 frame 0
    TX packets 89 bytes 7908 (7.7 KiB)
    TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

    qr-eab14967-a4: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1450
    inet 172.16.45.1 netmask 255.255.255.0 broadcast 172.16.45.255
    inet6 fe80::f816:3eff:feb3:b4f7 prefixlen 64 scopeid 0x20<link>
    ether fa:16:3e:b3:b4:f7 txqueuelen 0 (Ethernet)
    RX packets 200 bytes 19306 (18.8 KiB)
    RX errors 0 dropped 0 overruns 0 frame 0
    TX packets 161 bytes 20190 (19.7 KiB)
    TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0


    [root@network01 ~]# route -n
    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    0.0.0.0 192.168.31.1 0.0.0.0 UG 0 0 0 qg-8879568d-88
    172.16.45.0 0.0.0.0 255.255.255.0 U 0 0 0 qr-eab14967-a4
    192.168.31.0 0.0.0.0 255.255.255.0 U 0 0 0 qg-8879568d-88

    浮动ip

    安全组

    查看浮动ip,在网络节点(仍在上面通过ip netns exec进入的qrouter名称空间的bash中执行,neutron-l3-agent的NAT规则位于该名称空间内)

    [root@network01 ~]# iptables -t nat -nL
    Chain PREROUTING (policy ACCEPT)
    target prot opt source destination
    neutron-l3-agent-PREROUTING all -- 0.0.0.0/0 0.0.0.0/0

    Chain INPUT (policy ACCEPT)
    target prot opt source destination

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination
    neutron-l3-agent-OUTPUT all -- 0.0.0.0/0 0.0.0.0/0

    Chain POSTROUTING (policy ACCEPT)
    target prot opt source destination
    neutron-l3-agent-POSTROUTING all -- 0.0.0.0/0 0.0.0.0/0
    neutron-postrouting-bottom all -- 0.0.0.0/0 0.0.0.0/0

    Chain neutron-l3-agent-OUTPUT (1 references)
    target prot opt source destination
    DNAT all -- 0.0.0.0/0 192.168.31.4 to:172.16.45.3 #=============================》外访问内

    Chain neutron-l3-agent-POSTROUTING (1 references)
    target prot opt source destination
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ! ctstate DNAT

    Chain neutron-l3-agent-PREROUTING (1 references)
    target prot opt source destination
    REDIRECT tcp -- 0.0.0.0/0 169.254.169.254 tcp dpt:80 redir ports 9697
    DNAT all -- 0.0.0.0/0 192.168.31.4 to:172.16.45.3

    Chain neutron-l3-agent-float-snat (1 references)
    target prot opt source destination
    SNAT all -- 172.16.45.3 0.0.0.0/0 to:192.168.31.4#===========================》内访问外

    Chain neutron-l3-agent-snat (1 references)
    target prot opt source destination
    neutron-l3-agent-float-snat all -- 0.0.0.0/0 0.0.0.0/0
    SNAT all -- 0.0.0.0/0 0.0.0.0/0 to:192.168.31.3
    SNAT all -- 0.0.0.0/0 0.0.0.0/0 mark match ! 0x2/0xffff ctstate DNAT to:192.168.31.3

    Chain neutron-postrouting-bottom (1 references)
    target prot opt source destination
    neutron-l3-agent-snat all -- 0.0.0.0/0 0.0.0.0/0 /* Perform source NAT on outgoing traffic. */

    DHCP server

    每一个有DHCP的网络都在Neutron节点上有一个DHCP服务,每个DHCP Server都是一个运行在一个network namespace中的dnsmasq进程。 dnsmasq是一个用在Linux上的轻型DNS和DHCP服务,具体见 http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html.

    [root@network01 ~]# ps aux |grep dnsmasq |grep -v 'grep'
    nobody 4049 0.0 0.0 15556 900 ? S 05:58 0:00 dnsmasq --no-hosts --no-resolv --strict-order --except-interface=lo --pid-file=/var/lib/neutron/dhcp/7619e0d9-e11d-4005-a691-f7abdd704b37/pid --dhcp-hostsfile=/var/lib/neutron/dhcp/7619e0d9-e11d-4005-a691-f7abdd704b37/host --addn-hosts=/var/lib/neutron/dhcp/7619e0d9-e11d-4005-a691-f7abdd704b37/addn_hosts --dhcp-optsfile=/var/lib/neutron/dhcp/7619e0d9-e11d-4005-a691-f7abdd704b37/opts --dhcp-leasefile=/var/lib/neutron/dhcp/7619e0d9-e11d-4005-a691-f7abdd704b37/leases --dhcp-match=set:ipxe,175 --bind-interfaces --interface=tap8cc4ca9f-58 --dhcp-range=set:tag0,192.168.31.0,static,86400s --dhcp-option-force=option:mtu,1450 --dhcp-lease-max=256 --conf-file= --domain=openstacklocal

    nobody 4617 0.0 0.0 15556 948 ? S 06:02 0:00 dnsmasq --no-hosts --no-resolv --strict-order --except-interface=lo --pid-file=/var/lib/neutron/dhcp/125e0c45-2d45-469c-929e-493d36d92be4/pid --dhcp-hostsfile=/var/lib/neutron/dhcp/125e0c45-2d45-469c-929e-493d36d92be4/host --addn-hosts=/var/lib/neutron/dhcp/125e0c45-2d45-469c-929e-493d36d92be4/addn_hosts --dhcp-optsfile=/var/lib/neutron/dhcp/125e0c45-2d45-469c-929e-493d36d92be4/opts --dhcp-leasefile=/var/lib/neutron/dhcp/125e0c45-2d45-469c-929e-493d36d92be4/leases --dhcp-match=set:ipxe,175 --bind-interfaces --interface=tap8b416bf2-5f --dhcp-range=set:tag0,172.16.45.0,static,86400s --dhcp-option-force=option:mtu,1450 --dhcp-lease-max=256 --conf-file= --domain=openstacklocal

    在虚机的创建过程中,Neutron会把虚机的Mac地址、主机名和IP地址(应该是从neutron db中拿到一个可用的IP地址)写到--dhcp-hostsfile指定的文件中,这样,当虚机使用Mac地址向DHCP Server查询IP地址的时候,dnsmasq会读取该文件把IP地址返回给它。

    1.  --interface=tap8b416bf2-5f: 该process绑定/监听一个TAP设备,即上图的H1

    2.  --dhcp-hostsfile=/var/lib/neutron/dhcp/125e0c45-2d45-469c-929e-493d36d92be4/host

    [root@network01 ~]# cat /var/lib/neutron/dhcp/125e0c45-2d45-469c-929e-493d36d92be4/host
    fa:16:3e:1d:79:ea,host-172-16-45-2.openstacklocal,172.16.45.2
    fa:16:3e:b3:b4:f7,host-172-16-45-1.openstacklocal,172.16.45.1
    fa:16:3e:4b:72:ef,host-172-16-45-3.openstacklocal,172.16.45.3

     在虚机的创建过程中,Neutron会把这些信息(应该是从neutron db中拿到一个可用的IP地址)写到该文件中,这样,当虚机使用Mac地址向DHCP Server查询IP地址的时候,dnsmasq会读取该文件把IP地址返回给它。

    查看dhcp的端口

    [root@network01 ~]# ip netns exec qdhcp-125e0c45-2d45-469c-929e-493d36d92be4 bash
    [root@network01 ~]# ifconfig
    lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
    inet 127.0.0.1 netmask 255.0.0.0
    inet6 ::1 prefixlen 128 scopeid 0x10<host>
    loop txqueuelen 0 (Local Loopback)
    RX packets 1 bytes 576 (576.0 B)
    RX errors 0 dropped 0 overruns 0 frame 0
    TX packets 1 bytes 576 (576.0 B)
    TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

    tap8b416bf2-5f: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1450
    inet 172.16.45.2 netmask 255.255.255.0 broadcast 172.16.45.255
    inet6 fe80::f816:3eff:fe1d:79ea prefixlen 64 scopeid 0x20<link>
    ether fa:16:3e:1d:79:ea txqueuelen 0 (Ethernet)
    RX packets 29 bytes 3717 (3.6 KiB)
    RX errors 0 dropped 0 overruns 0 frame 0
    TX packets 11 bytes 1456 (1.4 KiB)
    TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

    可以在dhcp的名称空间里,抓包分析

  • 原文地址:https://www.cnblogs.com/linhaifeng/p/6619761.html