First, create a VPC.
Create the VPC (net)
proton net-create test-vpc 10.100.0.0/16
Created a new network:
+---------------------------+--------------------------------------+
| Field | Value |
+---------------------------+--------------------------------------+
| admin_state_up | True |
| cidr | 10.100.0.0/16 |
| id | 37b9e6d4-c1a7-4e3c-bd0b-bfaf92bd0722 |
| mtu | 1450 |
| name | test-vpc |
| provider:network_type | vpc |
| provider:physical_network | |
| provider:segmentation_id | 5013 |
| status | ACTIVE |
| subnets | |
| tenant_id | 2a64834f411c47f4840e3f078acde161 |
+---------------------------+--------------------------------------+
DEBUG: protonclient.client
REQ: curl -i http://pubbeta1-iaas.service.163.org:9797/v2.0/networks.json -X POST -H "X-Auth-Token: {SHA1}6af1d5f7007092eabb7189e4e50ec6cbafff05ad" -H "Content-Type: application/json" -H "Accept: application/json" -H "User-Agent: python-protonclient" -d '{"network": {"cidr": "10.100.0.0/16", "name": "test-vpc", "admin_state_up": true}}'
DEBUG: protonclient.client RESP:{'transfer-encoding': 'chunked', 'date': 'Thu, 22 Jun 2017 03:01:49 GMT', 'status': '200', 'content-type': 'application/json;charset=UTF-8'} {"network":{"id":"37b9e6d4-c1a7-4e3c-bd0b-bfaf92bd0722","name":"test-vpc","status":"ACTIVE","cidr":"10.100.0.0/16","mtu":1450,"tenant_id":"2a64834f411c47f4840e3f078acde161","admin_state_up":true,"subnets":[],"provider:network_type":"vpc","provider:segmentation_id":5013,"provider:physical_network":""}}
Create the subnet
proton subnet-create --az dongguan1 37b9e6d4-c1a7-4e3c-bd0b-bfaf92bd0722 10.100.0.0/24
Created a new subnet:
+------------------+----------------------------------------------------------------------------------------------+
| Field | Value |
+------------------+----------------------------------------------------------------------------------------------+
| allocation_pools | {"start": "10.100.0.2", "end": "10.100.0.254", "id": "fe169c38-bb96-49cf-9c98-9905e1841fa4"} |
| az | dongguan1 |
| cidr | 10.100.0.0/24 |
| enable_dhcp | True |
| gateway_ip | 10.100.0.1 |
| id | c9f3a427-2f29-4dea-bf3e-a749bd3375c4 |
| ip_version | 4 |
| name | |
| network_id | 37b9e6d4-c1a7-4e3c-bd0b-bfaf92bd0722 |
| tenant_id | 2a64834f411c47f4840e3f078acde161 |
+------------------+----------------------------------------------------------------------------------------------+
DEBUG: protonclient.client
REQ: curl -i http://pubbeta1-iaas.service.163.org:9797/v2.0/subnets.json -X POST -H "X-Auth-Token: {SHA1}e5a5591d76490278963c776b46ed9e31fa5c7414" -H "Content-Type: application/json" -H "Accept: application/json" -H "User-Agent: python-protonclient" -d '{"subnet": {"network_id": "37b9e6d4-c1a7-4e3c-bd0b-bfaf92bd0722", "ip_version": 4, "cidr": "10.100.0.0/24", "az": "dongguan1"}}'
DEBUG: protonclient.client RESP:{'transfer-encoding': 'chunked', 'date': 'Thu, 22 Jun 2017 03:03:21 GMT', 'status': '200', 'content-type': 'application/json;charset=UTF-8'} {"subnet":{"id":"c9f3a427-2f29-4dea-bf3e-a749bd3375c4","name":"","cidr":"10.100.0.0/24","az":"dongguan1","tenant_id":"2a64834f411c47f4840e3f078acde161","network_id":"37b9e6d4-c1a7-4e3c-bd0b-bfaf92bd0722","ip_version":4,"gateway_ip":"10.100.0.1","enable_dhcp":true,"allocation_pools":[{"start":"10.100.0.2","end":"10.100.0.254","id":"fe169c38-bb96-49cf-9c98-9905e1841fa4"}]}}
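The subnet-create call above only sends network_id, ip_version, cidr and az; the server derived gateway_ip 10.100.0.1 and the allocation pool 10.100.0.2-10.100.0.254 itself. The following is an added example (not part of this note or of the proton client) that pre-checks a planned subnet against the VPC CIDR and any subnets already present, and reproduces that gateway/pool layout; the assumption that proton always takes the first usable address as gateway and the rest as the pool is ours, generalised from the single case shown.

```python
import ipaddress
from typing import Iterable

# Values taken from the net-create / subnet-create calls above.
VPC_CIDR = "10.100.0.0/16"
VPC_ID = "37b9e6d4-c1a7-4e3c-bd0b-bfaf92bd0722"


def plan_subnet(vpc_cidr: str, subnet_cidr: str,
                existing: Iterable[str] = ()) -> dict:
    """Validate a subnet against its VPC and derive gateway and pool.

    Raises ValueError when the subnet is not inside the VPC, overlaps a
    subnet that already exists, or is too small for a gateway plus a host.
    strict=True rejects CIDRs with host bits set (e.g. 10.100.0.5/24).
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    subnet = ipaddress.ip_network(subnet_cidr, strict=True)
    if subnet.version != vpc.version:
        raise ValueError("ip_version of subnet and VPC differ")
    if not subnet.subnet_of(vpc):
        raise ValueError(f"{subnet} is not inside VPC {vpc}")
    for cidr in existing:
        other = ipaddress.ip_network(cidr, strict=True)
        if subnet.overlaps(other):
            raise ValueError(f"{subnet} overlaps existing subnet {other}")
    hosts = list(subnet.hosts())
    if len(hosts) < 2:
        raise ValueError(f"{subnet} is too small for a gateway and a host")
    # Assumed layout (matches the output above): first usable address is the
    # gateway, every remaining usable address goes into one allocation pool.
    return {
        "cidr": str(subnet),
        "ip_version": subnet.version,
        "gateway_ip": str(hosts[0]),
        "allocation_pools": [{"start": str(hosts[1]), "end": str(hosts[-1])}],
    }


def subnet_create_body(network_id: str, subnet_cidr: str, az: str,
                       vpc_cidr: str = VPC_CIDR,
                       existing: Iterable[str] = ()) -> dict:
    """Build the JSON body the CLI POSTs to /v2.0/subnets.json, after the
    local checks in plan_subnet() have passed."""
    plan = plan_subnet(vpc_cidr, subnet_cidr, existing)
    return {"subnet": {"network_id": network_id,
                       "ip_version": plan["ip_version"],
                       "cidr": plan["cidr"],
                       "az": az}}


if __name__ == "__main__":
    print(plan_subnet(VPC_CIDR, "10.100.0.0/24"))
    print(subnet_create_body(VPC_ID, "10.100.1.0/24", "dongguan1",
                             existing=["10.100.0.0/24"]))
```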
Create a port
proton --debug port-create 37b9e6d4-c1a7-4e3c-bd0b-bfaf92bd0722 --fixed_ip subnet_id=c9f3a427-2f29-4dea-bf3e-a749bd3375c4
The curl request is:
DEBUG: protonclient.client
REQ: curl -i http://pubbeta1-iaas.service.163.org:9797/v2.0/ports.json -X POST -H "X-Auth-Token: {SHA1}862f7c94a0fd2870017fc93885c41076080246e2" -H "Content-Type: application/json" -H "Accept: application/json" -H "User-Agent: python-protonclient" -d '{"port": {"network_id": "37b9e6d4-c1a7-4e3c-bd0b-bfaf92bd0722", "fixed_ips": [{"subnet_id": "c9f3a427-2f29-4dea-bf3e-a749bd3375c4"}], "admin_state_up": true}}'
DEBUG: protonclient.client RESP:{'transfer-encoding': 'chunked', 'date': 'Thu, 22 Jun 2017 03:05:16 GMT', 'status': '200', 'content-type': 'application/json;charset=UTF-8'} {"port":{"id":"8bcf46f2-cc26-4bed-b57c-e93911ebf3ad","name":"","status":"DOWN","capabilities":0,"admin_state_up":true,"mac_address":"fa:16:3e:10:dc:2d","tenant_id":"2a64834f411c47f4840e3f078acde161","device_id":"","device_owner":"","network_id":"37b9e6d4-c1a7-4e3c-bd0b-bfaf92bd0722","fixed_ips":[{"id":"bcfe47c9-33c3-48f7-8df6-41141380728f","ip_address":"10.100.0.2","subnet_id":"c9f3a427-2f29-4dea-bf3e-a749bd3375c4"}],"security_groups":["b8d57570-f756-4783-9022-5736de691b3d"],"egress_prefer_rate":null,"egress_max_rate":null,"ingress_max_rate":null,"egress_max_pps":null,"egress_syn_limit":null,"services":null,"binding:host_id":"","binding:vif_type":"unbound","binding:profile":{},"support_azs":["dongguan1"]}}
Create a VPC instance (cloud host)
Create an instance using net_id and subnet_id
curl -i 'http://pubbeta1-iaas.service.163.org:8774/v2/2a64834f411c47f4840e3f078acde161/servers' -X POST -H "X-Auth-Project-Id: admin" -H "User-Agent: python-novaclient" -H "Content-Type: application/json" -H "Accept: application/json" -H "X-Auth-Token: 4994241585fb443092cbe1a389ca71e4" -d '{"server": {"name": "vpc_test_4_subnet", "imageRef": "5bc89244-140d-40ee-86de-7595b7e17554", "flavorRef": "1", "max_count": 1, "min_count": 1, "personality": [{"path": "/etc/vm_monitor", "contents": "eyJzZXJ2aWNlIjoib3BlbnN0YWNrIiwib3JpX3VzZXIiOiJjZTVlOWRhMWZmYTI0YzllYTA4MzFkZTRjM2YxOWU2MiIsInJlc291cmNlX3R5cGUiOiJvcGVuc3RhY2siLCJyZXNvdXJjZV9pZCI6Im5vdmEtZW52IiwiYWNjZXNzS2V5IjoiMTgyZTQxYzdjMjM5NGZlY2FkOTg2OTVhNmMwNTZhY2QiLCJhY2Nlc3NTZWNyZXQiOiI5ZTU2MTJhM2I3MTA0ZWY0ODY3NTNlNjI1ZDQwNzZlNyIsIm1vbml0b3JXZWJTZXJ2ZXJVcmwiOiJodHRwOi8vMTAuMTY2LjE1LjI1Mjo4MTg2In0K"}], "networks": [{"uuid": "f7b4f59d-cdfb-4b02-a398-d9922620d806","subnet":"075bcc15-d0eb-4780-a8c9-2f4da2850c32"}], "vncPass": "000000", "availability_zone": "dongguan1.pubvpc1", "key_name": "idrsa","metadata":{"use-vpc": "true"}}}'
Create a VPC instance using a port id
curl -i 'http://10.185.0.81:8774/v2/5b2d1fdcfaac407aa50aba05136add7e/servers' -X POST -H "X-Auth-Project-Id: admin" -H "User-Agent: python-novaclient" -H "Content-Type: application/json" -H "Accept: application/json" -H "X-Auth-Token: 7a1011094cf2474f95f5228f254a81db" -d '{"server": {"name": "hzx-vpc-test-port", "imageRef": "66140730-73dc-4ff3-b4ba-7f044b33b4e9", "flavorRef": "26", "max_count": 1, "min_count": 1, "personality": [{"path": "/etc/vm_monitor", "contents": "eyJzZXJ2aWNlIjoib3BlbnN0YWNrIiwib3JpX3VzZXIiOiJjZTVlOWRhMWZmYTI0YzllYTA4MzFkZTRjM2YxOWU2MiIsInJlc291cmNlX3R5cGUiOiJvcGVuc3RhY2siLCJyZXNvdXJjZV9pZCI6Im5vdmEtZW52IiwiYWNjZXNzS2V5IjoiMTgyZTQxYzdjMjM5NGZlY2FkOTg2OTVhNmMwNTZhY2QiLCJhY2Nlc3NTZWNyZXQiOiI5ZTU2MTJhM2I3MTA0ZWY0ODY3NTNlNjI1ZDQwNzZlNyIsIm1vbml0b3JXZWJTZXJ2ZXJVcmwiOiJodHRwOi8vMTAuMTY2LjE1LjI1Mjo4MTg2In0K"}], "networks": [{"port": "e0e783aa-7c3f-423a-bad4-0b73e371b079"}], "vncPass": "000000", "availability_zone": "pubt1.vpc1:pubt1-nova87.yq.163.org", "metadata":{"use-vpc": "true"}}}'
Attach and detach a port
curl examples
Attach a port (normal case):
curl -g -i -X POST http://10.185.0.87:8774/v2/5b2d1fdcfaac407aa50aba05136add7e/servers/146cdff7-1686-463d-b4a5-8cc0d868a822/os-interface -H "User-Agent: python-novaclient" -H "Content-Type: application/json" -H "Accept: application/json" -H "X-Auth-Token: 1cdc30210f83499bad90c20de9147fe2" -d '{"interfaceAttachment": {"port_id": "62af72b6-2915-4bed-8750-38f38bb26e80"}}'
Detach a port (normal case):
curl -g -i -X DELETE http://10.185.0.87:8774/v2/5b2d1fdcfaac407aa50aba05136add7e/servers/146cdff7-1686-463d-b4a5-8cc0d868a822/os-interface/dd5b2482-6061-4bce-83b6-e209fa21dcd8 -H "User-Agent: python-novaclient" -H "Content-Type: application/json" -H "Accept: application/json" -H "X-Auth-Token: 1cdc30210f83499bad90c20de9147fe2"
List an instance's ports
hzhuangzhexiao@pubbeta1-nova10:~$ nova interface-list 903dc306-48ad-424a-8944-99f48a55a002
+------------+--------------------------------------+--------------------------------------+--------------+-------------------+
| Port State | Port ID | Net ID | IP addresses | MAC Addr |
+------------+--------------------------------------+--------------------------------------+--------------+-------------------+
| DOWN | 549fdcb1-1fb9-41fe-aa6e-2d820409dbf6 | f7b4f59d-cdfb-4b02-a398-d9922620d806 | 10.100.0.12 | fa:16:3e:ee:67:a2 |
+------------+--------------------------------------+--------------------------------------+--------------+-------------------+
hzhuangzhexiao@pubbeta1-nova10:~$
REQ: curl -i 'http://pubbeta1-iaas.service.163.org:8774/v2/2a64834f411c47f4840e3f078acde161/servers/903dc306-48ad-424a-8944-99f48a55a002/os-interface' -X GET -H "X-Auth-Project-Id: Project_hzx719@163.com" -H "User-Agent: python-novaclient" -H "Accept: application/json" -H "X-Auth-Token: 4e25d547cf184a968731398dca574bcb"
DEBUG (connectionpool:375) Setting read timeout to 600.0
DEBUG (connectionpool:415) "GET /v2/2a64834f411c47f4840e3f078acde161/servers/903dc306-48ad-424a-8944-99f48a55a002/os-interface HTTP/1.1" 200 329
RESP: [200] CaseInsensitiveDict({'date': 'Thu, 22 Jun 2017 03:22:14 GMT', 'content-length': '329', 'content-type': 'application/json', 'x-compute-request-id': 'req-a14cee02-c827-49f4-8f56-71730bf8b1b2'})
RESP BODY: {"interfaceAttachments": [{"port_state": "DOWN", "fixed_ips": [{"subnet_id": "1d2d6363-9dcb-424d-9e2f-fffa4d623aab", "ip_address": "10.100.0.12", "id": "71bb2e79-5830-4674-aee6-2f14b5a05ab6"}], "port_id": "549fdcb1-1fb9-41fe-aa6e-2d820409dbf6", "net_id": "f7b4f59d-cdfb-4b02-a398-d9922620d806", "mac_addr": "fa:16:3e:ee:67:a2"}]}
IP relationships
Bind an ephemeral IP
Both ephemeral IPs and floating IPs must be bound to a fixed IP.
(hzx_env) hzhuangzhexiao@pubbeta1-nova10:~$ proton port-list --device_id 38812001-674e-4d12-85fa-76e1b4acacb7
+--------------------------------------+------+-------------------+---------------------------------------------------------------------------------------------------------------------------------+
| id | name | mac_address | fixed_ips |
+--------------------------------------+------+-------------------+---------------------------------------------------------------------------------------------------------------------------------+
| 52b6818e-255a-4b9a-99a3-3fdcde1e33df | | fa:16:3e:23:51:28 | {"subnet_id": "1d2d6363-9dcb-424d-9e2f-fffa4d623aab", "ip_address": "10.100.0.6", "id": "a794d8e8-6f75-4ed3-abba-074dcc146ead"} |
+--------------------------------------+------+-------------------+---------------------------------------------------------------------------------------------------------------------------------+
The fixed IP id obtained is a794d8e8-6f75-4ed3-abba-074dcc146ead
(hzx_env) hzhuangzhexiao@pubbeta1-nova10:~$ proton ephemeralip-create public a794d8e8-6f75-4ed3-abba-074dcc146ead 100 100
Created a new ephemeralip:
+------------------+--------------------------------------+
| Field | Value |
+------------------+--------------------------------------+
| egress_max_rate | 100 |
| fixed_ip_id | a794d8e8-6f75-4ed3-abba-074dcc146ead |
| id | 57b3b763-9f9b-4661-b2e1-d17b4c2653fb |
| ingress_max_rate | 100 |
| ips | {"ip_address": "183.136.181.225"} |
| network_id | f7b4f59d-cdfb-4b02-a398-d9922620d806 |
| tenant_id | 2a64834f411c47f4840e3f078acde161 |
| type | ephemeral-ip-public |
+------------------+--------------------------------------+
(hzx_env) hzhuangzhexiao@pubbeta1-nova10:~$ proton ephemeralip-show 57b3b763-9f9b-4661-b2e1-d17b4c2653fb
+------------------+--------------------------------------+
| Field | Value |
+------------------+--------------------------------------+
| egress_max_rate | 100 |
| fixed_ip_id | a794d8e8-6f75-4ed3-abba-074dcc146ead |
| id | 57b3b763-9f9b-4661-b2e1-d17b4c2653fb |
| ingress_max_rate | 100 |
| ips | {"ip_address": "183.136.181.225"} |
| network_id | f7b4f59d-cdfb-4b02-a398-d9922620d806 |
| tenant_id | 2a64834f411c47f4840e3f078acde161 |
| type | ephemeral-ip-public |
+------------------+--------------------------------------+
QoS update
proton ephemeralip-update --ingress-max-rate 50 --egress-max-rate 70 30ab1b99-b3f2-4fac-b3aa-0160f01067d4
DEBUG: protonclient.client
REQ: curl -i http://pubbeta1-iaas.service.163.org:9797/v2.0/ephemeralips/30ab1b99-b3f2-4fac-b3aa-0160f01067d4.json -X PUT -H "X-Auth-Token: {SHA1}92f6c40faed596ff32158a11a246fa3ee2208ae9" -H "Content-Type: application/json" -H "Accept: application/json" -H "User-Agent: python-protonclient" -d '{"ephemeralip": {"ingress_max_rate": "50", "egress_max_rate": "70"}}'
DEBUG: protonclient.client RESP:{'transfer-encoding': 'chunked', 'date': 'Thu, 22 Jun 2017 03:39:19 GMT', 'status': '200', 'content-type': 'application/json;charset=UTF-8'} {"ephemeralip":{"id":"30ab1b99-b3f2-4fac-b3aa-0160f01067d4","type":"ephemeral-ip-public","network_id":"f7b4f59d-cdfb-4b02-a398-d9922620d806","tenant_id":"2a64834f411c47f4840e3f078acde161","ingress_max_rate":50,"egress_max_rate":70,"fixed_ip_id":"4f63d23f-07cb-49d4-aed3-9ac9770be5ed"}}
Inside the instance only the private-network NIC is visible; the external NIC does not appear.
The public IP can be found in the following way:
curl ipinfo.io/ip or curl myip.ipip.net
root@vpc-test-3:/# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc pfifo_fast state UP qlen 1000
link/ether fa:16:3e:d5:38:a6 brd ff:ff:ff:ff:ff:ff
inet 10.100.0.15/24 brd 10.100.0.255 scope global eth0
inet6 fe80::f816:3eff:fed5:38a6/64 scope link
valid_lft forever preferred_lft forever
root@vpc-test-3:/# curl myip.ipip.net
当前 IP:183.136.181.249 来自于:中国 浙江 杭州 电信
root@vpc-test-3:/# ip r
default via 10.100.0.1 dev eth0
10.100.0.0/24 dev eth0 proto kernel scope link src 10.100.0.15
Bind a floating IP
Same as the ephemeral public IP.
Bind multiple fixed IPs to the same port
Pass in the subnet id
(hzx_env) hzhuangzhexiao@pubbeta1-nova10:~$ proton fixed-ip-create c9f3a427-2f29-4dea-bf3e-a749bd3375c4
Created a new fixed_ip:
+------------+--------------------------------------+
| Field | Value |
+------------+--------------------------------------+
| az | dongguan1 |
| id | 539c0b0c-b6fc-4689-9906-c9dbb2aa8154 |
| ip_address | 10.100.0.3 |
| network_id | 37b9e6d4-c1a7-4e3c-bd0b-bfaf92bd0722 |
| port_id | |
| subnet_id | c9f3a427-2f29-4dea-bf3e-a749bd3375c4 |
| tenant_id | 2a64834f411c47f4840e3f078acde161 |
+------------+--------------------------------------+
(hzx_env) hzhuangzhexiao@pubbeta1-nova10:~$
=====
Fixed IP attach
proton --debug fixed-ip-attach ace3eeb9-4842-4870-8103-0dc39efa0187 af5bb6cc-250d-41b6-8c2a-96c14849c361
DEBUG: protonclient.client
REQ: curl -i http://pubbeta1-iaas.service.163.org:9797/v2.0/fixed-ips/ace3eeb9-4842-4870-8103-0dc39efa0187.json -X PUT -H "X-Auth-Token: {SHA1}67a8654149a1cd95d98e7d54146dca3f196778fe" -H "Content-Type: application/json" -H "Accept: application/json" -H "User-Agent: python-protonclient" -d '{"fixed_ip": {"port_id": "af5bb6cc-250d-41b6-8c2a-96c14849c361"}}'
DEBUG: protonclient.client RESP:{'transfer-encoding': 'chunked', 'date': 'Thu, 22 Jun 2017 04:50:19 GMT', 'status': '200', 'content-type': 'application/json;charset=UTF-8'} {"fixed_ip":{"id":"ace3eeb9-4842-4870-8103-0dc39efa0187","az":"dongguan1","ip_address":"10.100.1.23","tenant_id":"2a64834f411c47f4840e3f078acde161","port_id":"af5bb6cc-250d-41b6-8c2a-96c14849c361","subnet_id":"075bcc15-d0eb-4780-a8c9-2f4da2850c32","network_id":"f7b4f59d-cdfb-4b02-a398-d9922620d806"}}
Create an SNAT (public)
This corresponds to the old L3: if all instances in a VPC need to reach the Internet without binding a floating IP or an ephemeral public IP, create an SNAT public.
(hzx_env) hzhuangzhexiao@pubbeta1-nova10:~$ proton net-list --tenant-id 2a64834f411c47f4840e3f078acde161
+--------------------------------------+-----------+----------------------------------------------------+
| id | name | subnets |
+--------------------------------------+-----------+----------------------------------------------------+
| f7b4f59d-cdfb-4b02-a398-d9922620d806 | hzx-vpc-2 | 1d2d6363-9dcb-424d-9e2f-fffa4d623aab 10.100.0.0/24 |
+--------------------------------------+-----------+----------------------------------------------------+
(hzx_env) hzhuangzhexiao@pubbeta1-nova10:~$ proton snat-create f7b4f59d-cdfb-4b02-a398-d9922620d806 snat-public 100 100
Created a new snat:
+------------------+--------------------------------------+
| Field | Value |
+------------------+--------------------------------------+
| egress_max_rate | 100 |
| fixed_ip_id | |
| id | a142247a-7b9b-4cc6-9e2e-6a79b9cba477 |
| ingress_max_rate | 100 |
| ips | {"ip_address": "183.136.181.201"} |
| | {"ip_address": "183.136.181.200"} |
| network_id | f7b4f59d-cdfb-4b02-a398-d9922620d806 |
| tenant_id | 2a64834f411c47f4840e3f078acde161 |
| type | snat-public |
+------------------+--------------------------------------+
curl
DEBUG: protonclient.client
REQ: curl -i http://pubbeta1-iaas.service.163.org:9797/v2.0/snats.json -X POST -H "X-Auth-Token: {SHA1}3fde3694aa4a58b6b077d2a6c620d3f85d4697b3" -H "Content-Type: application/json" -H "Accept: application/json" -H "User-Agent: python-protonclient" -d '{"snat": {"network_id": "f7b4f59d-cdfb-4b02-a398-d9922620d806", "egress_max_rate": "100", "ingress_max_rate": "100", "type": "snat-public"}}'
DEBUG: protonclient.client RESP:{'transfer-encoding': 'chunked', 'date': 'Thu, 22 Jun 2017 08:09:06 GMT', 'status': '200', 'content-type': 'application/json;charset=UTF-8'} {"snat":{"id":"e1bb480e-91d2-4067-9685-f20aeba72c62","type":"snat-public","ips":[{"ip_address":"183.136.181.215"},{"ip_address":"183.136.181.214"}],"network_id":"f7b4f59d-cdfb-4b02-a398-d9922620d806","tenant_id":"2a64834f411c47f4840e3f078acde161","ingress_max_rate":100,"egress_max_rate":100,"fixed_ip_id":null}}
Security groups
The ingress direction is a whitelist; the egress direction is a blacklist.
Create a security group
Pass in the network id
hzhuangzhexiao@pubt1-nova81:~$ proton security-group-create e3e29f61-018e-4862-beae-0a81e7c78e23 hzx-sg-test
Created a new security_group:
+-------------+--------------------------------------+
| Field | Value |
+-------------+--------------------------------------+
| description | |
| id | 782a577e-b645-4b17-bb25-471b6ff7184d |
| name | hzx-sg-test |
| network_id | e3e29f61-018e-4862-beae-0a81e7c78e23 |
| rules | |
| tenant_id | 5b2d1fdcfaac407aa50aba05136add7e |
+-------------+--------------------------------------+
hzhuangzhexiao@pubt1-nova81:~$
Show a security group
hzhuangzhexiao@pubt1-nova81:~$ proton security-group-show 782a577e-b645-4b17-bb25-471b6ff7184d
+-------------+--------------------------------------------------------------------+
| Field | Value |
+-------------+--------------------------------------------------------------------+
| description | |
| id | 782a577e-b645-4b17-bb25-471b6ff7184d |
| name | hzx-sg-test |
| network_id | e3e29f61-018e-4862-beae-0a81e7c78e23 |
| rules | { |
| | "icmp_code": null, |
| | "direction": "ingress", |
| | "icmp_type": null, |
| | "protocol": null, |
| | "ethertype": "IPv4", |
| | "port_range_max": null, |
| | "security_group_id": "782a577e-b645-4b17-bb25-471b6ff7184d", |
| | "port_range_min": null, |
| | "remote_ip_prefix": "10.200.254.254/16", |
| | "tenantId": "5b2d1fdcfaac407aa50aba05136add7e", |
| | "id": "86f842cb-54f6-42b7-b7e3-3503686241d8" |
| | } |
| | { |
| | "icmp_code": null, |
| | "direction": "ingress", |
| | "icmp_type": null, |
| | "protocol": "udp", |
| | "ethertype": "IPv4", |
| | "port_range_max": 755, |
| | "security_group_id": "782a577e-b645-4b17-bb25-471b6ff7184d", |
| | "port_range_min": 719, |
| | "remote_ip_prefix": null, |
| | "tenantId": "5b2d1fdcfaac407aa50aba05136add7e", |
| | "id": "93fa7641-ab5f-428f-a825-a6bd473224ee" |
| | } |
| tenant_id | 5b2d1fdcfaac407aa50aba05136add7e |
+-------------+--------------------------------------------------------------------+
hzhuangzhexiao@pubt1-nova81:~$
Alternatively, show a single rule
hzhuangzhexiao@pubt1-nova81:~$ proton security-group-rule-show 93fa7641-ab5f-428f-a825-a6bd473224ee
+-------------------+--------------------------------------+
| Field | Value |
+-------------------+--------------------------------------+
| direction | ingress |
| ethertype | IPv4 |
| icmp_code | |
| icmp_type | |
| id | 93fa7641-ab5f-428f-a825-a6bd473224ee |
| port_range_max | 755 |
| port_range_min | 719 |
| protocol | udp |
| remote_ip_prefix | |
| security_group_id | 782a577e-b645-4b17-bb25-471b6ff7184d |
| tenantId | 5b2d1fdcfaac407aa50aba05136add7e |
+-------------------+--------------------------------------+
hzhuangzhexiao@pubt1-nova81:~$
Bind a security group to a port
hzhuangzhexiao@pubt1-nova81:~$ proton port-update 3e172246-30cf-4def-a25d-d96de8315c80 --security_groups list=true 782a577e-b645-4b17-bb25-471b6ff7184d
Updated port: 3e172246-30cf-4def-a25d-d96de8315c80
hzhuangzhexiao@pubt1-nova81:~$
hzhuangzhexiao@pubt1-nova81:~$ proton port-show 3e172246-30cf-4def-a25d-d96de8315c80
+--------------------+----------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+--------------------+----------------------------------------------------------------------------------------------------------------------------------+
| admin_state_up | True |
| binding:host_id | |
| binding:profile | {} |
| binding:vif_type | unbound |
| capabilities | 0 |
| device_id | |
| device_owner | compute:pubt1.vpc1 |
| egress_max_pps | |
| egress_max_rate | |
| egress_prefer_rate | |
| egress_syn_limit | |
| fixed_ips | {"subnet_id": "032fe390-f6c4-4036-8944-16669d657320", "ip_address": "10.200.0.10", "id": "8566c421-11d0-420c-bcf4-ac8245d1e783"} |
| id | 3e172246-30cf-4def-a25d-d96de8315c80 |
| ingress_max_rate | |
| mac_address | fa:16:3e:25:11:82 |
| name | |
| network_id | e3e29f61-018e-4862-beae-0a81e7c78e23 |
| security_groups | 782a577e-b645-4b17-bb25-471b6ff7184d |
| status | DOWN |
| support_azs | pubt1 |
| tenant_id | 5b2d1fdcfaac407aa50aba05136add7e |
+--------------------+----------------------------------------------------------------------------------------------------------------------------------+
hzhuangzhexiao@pubt1-nova81:~$
Create security group rules
The default security group only allows ICMP on ingress, so only ping gets through and everything else is blocked; ingress whitelist rules must be added manually.
proton security-group-rule-create 9b283ee5-4719-4d09-a4c4-e93dfdf5d5f3 --direction ingress --ethertype IPv4 --remote-ip-prefix 223.252.223.0/24
hzhuangzhexiao@pubt1-nova81:~$ proton security-group-rule-create 782a577e-b645-4b17-bb25-471b6ff7184d --direction egress --ethertype IPv4 --remote-ip-prefix 223.252.223.0/24
The curl example is:
DEBUG: protonclient.client
REQ: curl -i http://pubbeta1-iaas.service.163.org:9797/v2.0/security-group-rules.json -X POST -H "X-Auth-Token: {SHA1}2fdb6469e4cf8db60ea52f1c97963eabdf8ba091" -H "Content-Type: application/json" -H "Accept: application/json" -H "User-Agent: python-protonclient" -d '{"security_group_rule": {"ethertype": "IPv4", "direction": "ingress", "remote_ip_prefix": "223.252.221.0/24", "security_group_id": "9b283ee5-4719-4d09-a4c4-e93dfdf5d5f3"}}'
DEBUG: protonclient.client RESP:{'transfer-encoding': 'chunked', 'date': 'Thu, 22 Jun 2017 02:43:39 GMT', 'status': '200', 'content-type': 'application/json;charset=UTF-8'} {"security_group_rule":{"tenantId":"2a64834f411c47f4840e3f078acde161","id":"6f0f28df-456a-42c3-9220-30a208406423","direction":"ingress","ethertype":"IPv4","protocol":null,"security_group_id":"9b283ee5-4719-4d09-a4c4-e93dfdf5d5f3","port_range_min":null,"port_range_max":null,"icmp_type":null,"icmp_code":null,"remote_ip_prefix":"223.252.221.0/24","remote_group_id":null}}
Created a new security_group_rule:
+-------------------+--------------------------------------+
| Field | Value |
+-------------------+--------------------------------------+
| direction | egress |
| ethertype | IPv4 |
| icmp_code | |
| icmp_type | |
| id | b8cd7c4c-f6cd-4f68-82e5-e12a475a7080 |
| port_range_max | |
| port_range_min | |
| protocol | |
| remote_ip_prefix | 223.252.223.0/24 |
| security_group_id | 782a577e-b645-4b17-bb25-471b6ff7184d |
| tenantId | 5b2d1fdcfaac407aa50aba05136add7e |
+-------------------+--------------------------------------+
hzhuangzhexiao@pubt1-nova81:~$ proton port-list --device-id e1f1942b-f922-4dd6-be84-66788e537fb7
+--------------------------------------+------+-------------------+---------------------------------------------------------------------------------------------------------------------------------+
| id | name | mac_address | fixed_ips |
+--------------------------------------+------+-------------------+---------------------------------------------------------------------------------------------------------------------------------+
| a5205ce2-f0db-4571-bd5d-f63f4a1c108b | | fa:16:3e:f0:58:66 | {"subnet_id": "6dc3fd56-1d94-4cf5-9330-540798486137", "ip_address": "10.100.1.2", "id": "66c44aff-cd98-424f-b0d2-36a776ff2f62"} |
+--------------------------------------+------+-------------------+---------------------------------------------------------------------------------------------------------------------------------+
hzhuangzhexiao@pubt1-nova81:~$ proton port-update a5205ce2-f0db-4571-bd5d-f63f4a1c108b --security_groups list=true 782a577e-b645-4b17-bb25-471b6ff7184d proton port-show 2
hzhuangzhexiao@pubt1-nova81:~$ proton port-show a5205ce2-f0db-4571-bd5d-f63f4a1c108b
+--------------------+---------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+--------------------+---------------------------------------------------------------------------------------------------------------------------------+
| admin_state_up | True |
| binding:host_id | pubt1-nova87.yq.163.org |
| binding:profile | {} |
| binding:vif_type | ovs |
| capabilities | 1 |
| device_id | e1f1942b-f922-4dd6-be84-66788e537fb7 |
| device_owner | compute:pubt1.vpc1 |
| egress_max_pps | |
| egress_max_rate | |
| egress_prefer_rate | |
| egress_syn_limit | |
| fixed_ips | {"subnet_id": "6dc3fd56-1d94-4cf5-9330-540798486137", "ip_address": "10.100.1.2", "id": "66c44aff-cd98-424f-b0d2-36a776ff2f62"} |
| id | a5205ce2-f0db-4571-bd5d-f63f4a1c108b |
| ingress_max_rate | |
| mac_address | fa:16:3e:f0:58:66 |
| name | |
| network_id | 7d19bd0d-e530-4cc8-b072-9ba543d24bfa |
| security_groups | 782a577e-b645-4b17-bb25-471b6ff7184d |
| status | DOWN |
| support_azs | pubt1 |
| tenant_id | 5b2d1fdcfaac407aa50aba05136add7e |
+--------------------+---------------------------------------------------------------------------------------------------------------------------------+
hzhuangzhexiao@pubt1-nova81:~$
hzhuangzhexiao@pubt1-nova81:~$ proton security-group-list --tenant-id 5b2d1fdcfaac407aa50aba05136add7e
+--------------------------------------+-------------+
| id | name |
+--------------------------------------+-------------+
| 01bd5b8d-5b11-4a72-8c20-11682cf11a85 | default |
| 03f5fee2-b9bc-4c21-9a43-42555bce4dad | default |
| 782a577e-b645-4b17-bb25-471b6ff7184d | hzx-sg-test |
+--------------------------------------+-------------+
hzhuangzhexiao@pubt1-nova81:~$
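The security-group section states that ingress is a whitelist and egress a blacklist, and the rule-creation step shows how to open ingress manually. The following added example (not part of this note or of the proton client) models those semantics over the rule JSON format printed by security-group-show, using the two ingress rules of hzx-sg-test and the egress rule created above, and also flags ingress rules that have no remote_ip_prefix restriction. How the real datapath treats icmp_type/icmp_code and remote_group_id is not shown on the page; this model ignores remote_group_id and checks ports only.

```python
import ipaddress
import json

# Constructed from the rules shown by security-group-show and the
# security-group-rule-create call above; ids and tenant fields omitted.
RULES_JSON = """
[
 {"direction": "ingress", "ethertype": "IPv4", "protocol": null,
  "port_range_min": null, "port_range_max": null,
  "remote_ip_prefix": "10.200.254.254/16"},
 {"direction": "ingress", "ethertype": "IPv4", "protocol": "udp",
  "port_range_min": 719, "port_range_max": 755, "remote_ip_prefix": null},
 {"direction": "egress", "ethertype": "IPv4", "protocol": null,
  "port_range_min": null, "port_range_max": null,
  "remote_ip_prefix": "223.252.223.0/24"}
]
"""
RULES = json.loads(RULES_JSON)


def rule_matches(rule, protocol, port, remote_ip):
    """True when a single rule covers this protocol/port/remote address.
    A null field in the rule matches anything, as in the API output."""
    ip = ipaddress.ip_address(remote_ip)
    if rule["ethertype"] != ("IPv4" if ip.version == 4 else "IPv6"):
        return False
    if rule["protocol"] is not None and rule["protocol"] != protocol:
        return False
    lo, hi = rule["port_range_min"], rule["port_range_max"]
    if lo is not None and (port is None or port < lo):
        return False
    if hi is not None and (port is None or port > hi):
        return False
    prefix = rule["remote_ip_prefix"]
    if prefix is not None:
        # strict=False: the rule on the page carries host bits
        # (10.200.254.254/16), which we read as the /16 it belongs to.
        if ip not in ipaddress.ip_network(prefix, strict=False):
            return False
    return True


def is_allowed(rules, direction, protocol, port, remote_ip):
    """Ingress (whitelist): allowed only if some ingress rule matches.
    Egress (blacklist): allowed unless some egress rule matches."""
    hits = [r for r in rules
            if r["direction"] == direction
            and rule_matches(r, protocol, port, remote_ip)]
    return bool(hits) if direction == "ingress" else not hits


def wide_open_rules(rules):
    """Ingress rules reachable from any source address, i.e. with no
    remote_ip_prefix (or 0.0.0.0/0 / ::/0). Worth reviewing before use."""
    open_prefixes = (None, "0.0.0.0/0", "::/0")
    return [r for r in rules
            if r["direction"] == "ingress"
            and r["remote_ip_prefix"] in open_prefixes]


if __name__ == "__main__":
    checks = [("ingress", "udp", 720, "1.2.3.4"),
              ("ingress", "tcp", 22, "1.2.3.4"),
              ("ingress", "tcp", 22, "10.200.1.1"),
              ("egress", "tcp", 443, "223.252.223.10")]
    for c in checks:
        print(c, "ALLOW" if is_allowed(RULES, *c) else "DENY")
    print("open to any source:", wide_open_rules(RULES))
```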
Routes
Custom routes can be added for the following needs.
VPC internal routing
For example, you have created two instances in a VPC, ECS01 and ECS02. ECS01 is bound to an elastic public IP and has an SNAT entry configured that gives it proxied access to the Internet. When you want all of ECS02's requests to be routed through ECS01 to reach the public network, add a custom route.
Create a custom route
hzhuangzhexiao@pubt1-nova81:~$ proton route-create --route_table_id 95539a7e-910d-48ff-a8ab-eecad13ad167 --destination 223.252.223.0/24 --nexthop_port_id a11f6784-a66c-4d06-b4ef-77165f1adbe5
Created a new route:
+-------------------+--------------------------------------+
| Field | Value |
+-------------------+--------------------------------------+
| destination | 223.252.223.0/24 |
| id | c4765ccb-748a-4f7d-91cf-91ad6a41abb7 |
| nexthop_device_id | a11f6784-a66c-4d06-b4ef-77165f1adbe5 |
| nexthop_ports | a11f6784-a66c-4d06-b4ef-77165f1adbe5 |
| nexthop_type | port |
| route_table_id | 95539a7e-910d-48ff-a8ab-eecad13ad167 |
| route_type | user |
| tenant_id | 5b2d1fdcfaac407aa50aba05136add7e |
+-------------------+--------------------------------------+
hzhuangzhexiao@pubt1-nova81:~$ proton route-table-list --tenant-id 5b2d1fdcfaac407aa50aba05136add7e
+--------------------------------------+-------------------------------------------------------+--------------------------------------+
| id | name | network_id |
+--------------------------------------+-------------------------------------------------------+--------------------------------------+
| 95539a7e-910d-48ff-a8ab-eecad13ad167 | hzx-route-table | 7d19bd0d-e530-4cc8-b072-9ba543d24bfa |
| b59cac5e-bc9d-4658-8986-789bf4af5f0e | main_route_table_7d19bd0d-e530-4cc8-b072-9ba543d24bfa | 7d19bd0d-e530-4cc8-b072-9ba543d24bfa |
| c844ffb4-9a25-4404-84e4-c70a0efb97a1 | main_route_table_4197f303-53cf-4c5a-b9d0-bec515edff9a | 4197f303-53cf-4c5a-b9d0-bec515edff9a |
+--------------------------------------+-------------------------------------------------------+--------------------------------------+