Evaluating OpenStack: Simple Networking in Red Hat OpenStack Platform 10
Overview
Note: Packstack deployments are intended only for testing environments, and are not suitable for production. For more information, see https://access.redhat.com/articles/2477851.
Note: For the Red Hat OpenStack Platform 5 version of this guide, see https://access.redhat.com/articles/1146173.
To help you understand the basics of how networking works in OpenStack, this article explains how to configure a simple networking configuration in a basic Packstack all-in-one deployment. This article demonstrates OpenStack's networking by explaining everything you need to do to make an instance available for incoming SSH connections, including the following steps:
- Creating a new project.
- A private network, subnet, and router are created in the project.
- Creating a SSH keypair.
- Configuring security groups (firewall settings) to allow incoming ICMP and SSH connections for the instance.
- Creating the instance.
- Testing the SSH connection to the instance.
As a result of these steps, all ingress/egress network traffic is bridged to the physical network infrastructure. In addition, this particular all-in-one configuration is intended for a single node deployment; as a result, the networking type is set to local
, and does not make use of VXLAN or VLAN networking.
The resulting configuration will resemble the Packstack topology below. This diagram shows how the network traffic flows from your desktop through to the instance:
1. You open a SSH connection to the instance's floating IP address: 192.168.123.56
.
2. The SSH connection travels over your physical infrasctucture, and reaches the br-ex
bridge, which is mapped to the physical ens33
NIC.
3. The SSH connection reaches the public network connection that hosts the 192.168.123.56
IP address. From here, NAT is used to map this IP address through to the actual IP address configured on the instance (172.16.200.59
).
4. The SSH connection passes through the virtual router1
and arrives at SSH port 22 on testInstance
.
Assumptions
This guide assumes the following:
- Your lab is running on a self-contained subnet (
192.168.123.0/24
), and you are permitted to enable a DHCP service for it. - Your lab has internet access.
- Your server has a single NIC, named
ens33
, with the following IP details:
Table 1. ens33
Setting | Value |
---|---|
IP address | 192.168.123.153 |
Subnet mask | 255.255.255.0 |
Default gateway | 192.168.123.2 |
DNS server | 192.168.123.2 |
Install Packstack
1) Review the network configuration on your node. In this example, the UUID
value will be different for your server:
cat /etc/sysconfig/network-scripts/ifcfg-ens33
UUID="e13af689-3d5b-4503-9838-f1113c099f70"
TYPE="Ethernet"
BOOTPROTO="static"
DEFROUTE="yes"
PEERDNS="yes"
PEERROUTES="yes"
NAME="ens33"
DEVICE="ens33"
ONBOOT="yes"
BOOTPROTO="static"
IPADDR=192.168.123.153
NETMASK=255.255.255.0
GATEWAY=192.168.123.2
DNS1=192.168.123.2
2) Install Packstack according to the instructions here, however, you will need to use a different packstack
command for deployment: These parameters create a bridge named br-ex
, assigning to it the IP settings previously allocated to ens33
, and configures flat
networking. Run this command from the server console, and not through SSH, as the network reconfiguration might drop your connection and disrupt the installation process:
packstack --allinone --provision-demo=n --os-neutron-ovs-bridge-mappings=extnet:br-ex --os-neutron-ovs-bridge-interfaces=br-ex:ens33 --os-neutron-ml2-type-drivers=vxlan,vlan,flat,local
3) Download and install the cirros image:
source keystonerc_admin
cd ~
curl -O http://download.cirros-cloud.net/0.3.5/cirros-0.3.5-x86_64-disk.img
openstack image create "cirros" --file cirros-0.3.5-x86_64-disk.img --disk-format qcow2 --container-format bare --public
4) Install crudini for easier review of configuration settings:
yum install crudini
Review the network configuration
1) Confirm that ML2 is using the local
type driver (among others):
crudini --get /etc/neutron/plugins/ml2/ml2_conf.ini ml2 type_drivers
vxlan,vlan,flat,local
2) Confirm that Packstack successfully mapped the physical NIC to the Open vSwitch bridge. The virtual bridge acts as the intermediary connection between the physical network and any virtual networks:
cat /etc/sysconfig/network-scripts/ifcfg-ens33
DEVICE=ens33
NAME=ens33
DEVICETYPE=ovs
TYPE=OVSPort
OVS_BRIDGE=br-ex
ONBOOT=yes
BOOTPROTO=none
3) Confirm that the virtual bridge is using the IP address details that were previously allocated to ens33. In this example, the UUID
value will be different for your server:
cat /etc/sysconfig/network-scripts/ifcfg-br-ex
UUID="e13af689-3d5b-4503-9838-f1113c099f70"
DEFROUTE="yes"
PEERDNS="yes"
PEERROUTES="yes"
ONBOOT="yes"
IPADDR=192.168.123.153
NETMASK=255.255.255.0
GATEWAY=192.168.123.2
DEVICE=br-ex
NAME=br-ex
DEVICETYPE=ovs
OVSBOOTPROTO="static"
TYPE=OVSBridge
Create the test project
- Create the
network-demo
project, and grant access to the admin account:
source keystonerc_admin
openstack project create network-demo
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | None |
| enabled | True |
| id | 017d201f07c84bb086480e381251f62b |
| name | network-demo |
+-------------+----------------------------------+
openstack role add --project network-demo --user admin admin
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | None |
| id | 6b1024ab2a5745fbb9b8bd35fa2314cc |
| name | admin |
+-----------+----------------------------------+
Create the network topology
Note: You can open the Network Topology tab in horizon to observe the results of the following commands. Make sure you have selected the network-demo
project in the dropdown list.
1) Create a network for the network-demo
tenant called private_network
:
openstack network create private_network --project network-demo
+---------------------------+--------------------------------------+
| Field | Value |
+---------------------------+--------------------------------------+
| admin_state_up | UP |
| availability_zone_hints | |
| availability_zones | |
| created_at | 2017-09-28T05:43:31Z |
| description | |
| headers | |
| id | da4fb7d3-e270-4be5-9b57-7d37f2abf381 |
| ipv4_address_scope | None |
| ipv6_address_scope | None |
| mtu | 1450 |
| name | private_network |
| project_id | 017d201f07c84bb086480e381251f62b |
| project_id | 017d201f07c84bb086480e381251f62b |
| provider:network_type | vxlan |
| provider:physical_network | None |
| provider:segmentation_id | 95 |
| revision_number | 2 |
| router:external | Internal |
| shared | False |
| status | ACTIVE |
| subnets | |
| tags | [] |
| updated_at | 2017-09-28T05:43:31Z |
+---------------------------+--------------------------------------+
2) Create a subnet for private_network
called private_vmsubnet
, and define the IP address range:
openstack subnet create private_vmsubnet --subnet-range 172.16.200.0/24 --network private_network --project network-demo --allocation-pool start=172.16.200.50,end=172.16.200.120
+-------------------+--------------------------------------+
| Field | Value |
+-------------------+--------------------------------------+
| allocation_pools | 172.16.200.50-172.16.200.120 |
| cidr | 172.16.200.0/24 |
| created_at | 2017-09-28T05:43:34Z |
| description | |
| dns_nameservers | |
| enable_dhcp | True |
| gateway_ip | 172.16.200.1 |
| headers | |
| host_routes | |
| id | ce9e8847-2cc8-4d89-8f02-76d1143847de |
| ip_version | 4 |
| ipv6_address_mode | None |
| ipv6_ra_mode | None |
| name | private_vmsubnet |
| network_id | da4fb7d3-e270-4be5-9b57-7d37f2abf381 |
| project_id | 017d201f07c84bb086480e381251f62b |
| project_id | 017d201f07c84bb086480e381251f62b |
| revision_number | 2 |
| service_types | [] |
| subnetpool_id | None |
| updated_at | 2017-09-28T05:43:34Z |
+-------------------+--------------------------------------+
3) Create a router for the network-demo
tenant named router1
:
openstack router create router1 --project network-demo
+-------------------------+--------------------------------------+
| Field | Value |
+-------------------------+--------------------------------------+
| admin_state_up | UP |
| availability_zone_hints | |
| availability_zones | |
| created_at | 2017-09-28T05:45:52Z |
| description | |
| distributed | False |
| external_gateway_info | null |
| flavor_id | None |
| ha | False |
| headers | |
| id | 84cf55d1-57da-4ba4-937c-5e339431bb7f |
| name | router1 |
| project_id | 017d201f07c84bb086480e381251f62b |
| project_id | 017d201f07c84bb086480e381251f62b |
| revision_number | 3 |
| routes | |
| status | ACTIVE |
| updated_at | 2017-09-28T05:45:52Z |
+-------------------------+--------------------------------------+
4) Create the public network:
openstack network create public_network --project network-demo --external
+---------------------------+--------------------------------------+
| Field | Value |
+---------------------------+--------------------------------------+
| admin_state_up | UP |
| availability_zone_hints | |
| availability_zones | |
| created_at | 2017-09-28T05:46:01Z |
| description | |
| headers | |
| id | 7b1d2452-3bf3-4a7f-8ea1-abef7a31498a |
| ipv4_address_scope | None |
| ipv6_address_scope | None |
| is_default | False |
| mtu | 1450 |
| name | public_network |
| project_id | 017d201f07c84bb086480e381251f62b |
| project_id | 017d201f07c84bb086480e381251f62b |
| provider:network_type | vxlan |
| provider:physical_network | None |
| provider:segmentation_id | 99 |
| revision_number | 3 |
| router:external | External |
| shared | False |
| status | ACTIVE |
| subnets | |
| tags | [] |
| updated_at | 2017-09-28T05:46:01Z |
+---------------------------+--------------------------------------+
5) Create a subnet for public_network
called public_vmsubnet
, and define the IP address range:
openstack subnet create public_vmsubnet --subnet-range 192.168.123.0/24 --network public_network --project network-demo --allocation-pool start=192.168.123.50,end=192.168.123.120
+-------------------+--------------------------------------+
| Field | Value |
+-------------------+--------------------------------------+
| allocation_pools | 192.168.123.50-192.168.123.120 |
| cidr | 192.168.123.0/24 |
| created_at | 2017-09-28T05:46:18Z |
| description | |
| dns_nameservers | |
| enable_dhcp | True |
| gateway_ip | 192.168.123.1 |
| headers | |
| host_routes | |
| id | 3cdc4c1f-64d8-4e92-b18b-94f7aa912ca2 |
| ip_version | 4 |
| ipv6_address_mode | None |
| ipv6_ra_mode | None |
| name | public_vmsubnet |
| network_id | 7b1d2452-3bf3-4a7f-8ea1-abef7a31498a |
| project_id | 017d201f07c84bb086480e381251f62b |
| project_id | 017d201f07c84bb086480e381251f62b |
| revision_number | 2 |
| service_types | [] |
| subnetpool_id | None |
| updated_at | 2017-09-28T05:46:18Z |
+-------------------+--------------------------------------+
6) Set a default gateway for the router, using the id
value of the router you created previously:
neutron router-gateway-set 84cf55d1-57da-4ba4-937c-5e339431bb7f public_network
Set gateway for router 84cf55d1-57da-4ba4-937c-5e339431bb7f
7) Add an interface that connects the router to private_vmsubnet
:
openstack router add subnet 84cf55d1-57da-4ba4-937c-5e339431bb7f private_vmsubnet
Generate a Security Keypair
- The command below generates a keypair and adds it to the nova service. The resulting sshaccess.pem file contains the private key, which can be presented when attempting to SSH to the instance.
cd ~
openstack --os-project-name network-demo keypair create sshaccess-key > sshaccess-key.pem
chmod 600 sshaccess-key.pem
Allow Incoming ICMP and SSH traffic
1) Create a security group (basically a firewall rule) that will allow SSH and ICMP access:
openstack security group create accessInstances --project network-demo
2) Add security group rules. The following neutron commands create security group rules to allow incoming SSH and ICMP traffic. The rules are applied to the UUID of the applicable security group. In this example, you will need to change the UUID value to suit your deployment:
openstack security group rule create --protocol icmp --ingress 829e7e39-b903-4722-b9f6-ba182524ae43
openstack security group rule create --protocol tcp --dst-port 22 --ingress 829e7e39-b903-4722-b9f6-ba182524ae43
Create an Instance
1) Retrieve the network ID of private_network
:
openstack network list
+--------------------------------------+-----------------+--------------------------------------+
| ID | Name | Subnets |
+--------------------------------------+-----------------+--------------------------------------+
| 7b1d2452-3bf3-4a7f-8ea1-abef7a31498a | public_network | 3cdc4c1f-64d8-4e92-b18b-94f7aa912ca2 |
| da4fb7d3-e270-4be5-9b57-7d37f2abf381 | private_network | ce9e8847-2cc8-4d89-8f02-76d1143847de |
+--------------------------------------+-----------------+--------------------------------------+
2) Create an instance named testInstance
and assign it to the ID of private_network
:
openstack --os-project-name network-demo server create --flavor m1.tiny --image cirros --security-group accessInstances --key-name sshaccess-key --nic net-id=da4fb7d3-e270-4be5-9b57-7d37f2abf381 testInstance
3) Review the state of the instance. It should eventually transition from BUILD
to ACTIVE
status:
openstack server list --project network-demo
+--------------------------------------+--------------+--------+----------+------------+
| ID | Name | Status | Networks | Image Name |
+--------------------------------------+--------------+--------+----------+------------+
| 1ec26c7d-4ad7-41b1-9fce-250bd374af21 | testInstance | BUILD | | cirros |
+--------------------------------------+--------------+--------+----------+------------+
Note: If you get an ERROR
status, check /var/log/nova/nova-conductor.log
. If the log has an entry saying No valid host was found
, confirm that your system has sufficient RAM available to host the instance. You can check your available ram with free -h
. Sometimes just a reboot can help.
Allocate a Floating IP Address
A floating IP address allows an instance to receive incoming network traffic from external networks. The guest OS of an instance is configured with an IP address that is accessible only to systems within that subnet; systems that are outside the subnet will contact the instance using the floating IP address that has been assigned to it. The floating IP address is not configured within the instance guest OS. Instead, the floating IP address is mapped to the instance's IP address using NAT.
In the following procedure, a floating IP address is created and associated with the instance's network port.
1) Create a floating IP address:
export OS_TENANT_NAME=network-demo
openstack floating ip create public_network
+---------------------+--------------------------------------+
| Field | Value |
+---------------------+--------------------------------------+
| created_at | 2017-09-28T05:50:32Z |
| description | |
| fixed_ip_address | None |
| floating_ip_address | 192.168.123.56 |
| floating_network_id | 7b1d2452-3bf3-4a7f-8ea1-abef7a31498a |
| headers | |
| id | 752c55f9-a0d8-40ac-a630-a238d5ce785f |
| port_id | None |
| project_id | 017d201f07c84bb086480e381251f62b |
| project_id | 017d201f07c84bb086480e381251f62b |
| revision_number | 1 |
| router_id | None |
| status | DOWN |
| updated_at | 2017-09-28T05:50:32Z |
+---------------------+--------------------------------------+
2) Retrieve the ID
of testInstance
:
openstack server list --project network-demo
+--------------------------------------+--------------+--------+-------------------------------+------------+
| ID | Name | Status | Networks | Image Name |
+--------------------------------------+--------------+--------+-------------------------------+------------+
| 1ec26c7d-4ad7-41b1-9fce-250bd374af21 | testInstance | ACTIVE | private_network=172.16.200.59 | cirros |
+--------------------------------------+--------------+--------+-------------------------------+------------+
3) Associate the floating IP address with the ID of testInstance
:
export OS_TENANT_NAME=network-demo
openstack server add floating ip 1ec26c7d-4ad7-41b1-9fce-250bd374af21 192.168.123.56
4) You can now see that the floating IP address is associated with testInstance
:
openstack server list --project network-demo
+--------------------------------------+--------------+--------+-----------------------------------------------+------------+
| ID | Name | Status | Networks | Image Name |
+--------------------------------------+--------------+--------+-----------------------------------------------+------------+
| 1ec26c7d-4ad7-41b1-9fce-250bd374af21 | testInstance | ACTIVE | private_network=172.16.200.59, 192.168.123.56 | cirros |
+--------------------------------------+--------------+--------+-----------------------------------------------+------------+
SSH to the instance
- You should now be able SSH to the instance's floating IP address, by presenting the sshaccess.pem key:
ssh -i sshaccess-key.pem cirros@192.168.123.56
The authenticity of host '192.168.123.56 (192.168.123.56)' can't be established.
RSA key fingerprint is SHA256:<redacted>
RSA key fingerprint is MD5:<redacted>
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.123.56' (RSA) to the list of known hosts.
$
Note: If not using cirros, you might need to specifically enable SSH in your instance's guest OS.
Configure the instance
You can now proceed to configure your instance's operating system for connectivity. You will need to configure the default gateway and DNS settings manually if they're not served out using DHCP:
- The default gateway IP address will need to be situated on the same subnet as your instance.
- At least one DNS server will need to be specified in the instance's interface settings for name resolution to work.
Comments