Note | ||
---|---|---|
| ||
Before you issue commands with Nova, ensure that your environment contains the necessary credentials. You can do this by sourcing the keystonerc_admin file that is created during the OpenStack installation. For more information, refer to the section Getting Credentials for a CLI in the OpenStack CLI Guide. |
Sections covered in this topic are:
Table of Contents |
---|
To install vNIOS for KVM in OpenStack complete the following steps:
- In OpenStack, run
source keystonerc_admin
to set up the OpenStack environment. - Upload the qcow2 file for the specified vNIOS for KVM model to OpenStack. For more information, see Requirements.
- Set up the OpenStack flavors, as described in the Setting Up vNIOS the OpenStack Flavors for vNIOS section.
- Import the vNIOS instance into OpenStack, as described in the Importing vNIOS Instance into OpenStack section.
- Set up security groups, as described in the Setting Up Security Groups section.
- Start Deploy an instance, as described in the Starting Deploying a vNIOS Instance in an OpenStack Environment section.
Setting
...
up the OpenStack Flavors for vNIOS
After you upload the qcow2 file, set up the OpenStack flavors for your vNIOS models. Each flavor corresponds to different vCPU, RAM, disk size, and functionality.
Infoblox enables you to choose the size of the virtual disk that you use for reporting. To do so, you must create a vNIOS instance and associate an additional disk with it. You can add an ephemeral disk in the flavor that is used to create an instance. Note that the value for the ephemeral disk must be a non-zero.
To set up the vNIOS OpenStack flavors, run the following command:
...
Use the following command to create the a vNIOS instance in OpenStack:
...
glance image-create --name vnios-820 --visibility public --container-format bare
--disk-format qcow2 --file
/tmp/nios-7.3.3-318825-2016-03-04-23-16-19-55G-820-disk1.qcow2
Setting
...
up Security Groups
When you set up your OpenStack environment, you can create an additional security group "vnios-sec-group" or add certain protocol rules to the existing or default security groups to allow specific network traffic. You can configure basic settings as described in the Basic Configuration section, or configure optional settings as described in the Advanced Configuration section. These sections contain sample scripts for Grid communication and for other protocols such as DNS and DHCP. For more information, refer to the Infoblox NIOS Documentation.
This section contains sample scripts that you can use to establish specific protocol rules.
Basic Configuration
...
- Create a security group. The following example is for creating a security group
...
- by name
vnios-sec-group
...
- :
#vNIOS security group
neutron security-group-rule-create vnios-sec-group
...
- Add rules to the security group to allow specific network traffic on required ports. The following example creates a rule that allows only HTTPS traffic on port 443:
# https
neutron security-group-rule-create --protocol tcp --port-range-min 443 --port-range-max
443 --ethertype IPv4 vnios-sec-group
...
Advanced Configuration
Grid communications:
#tunnels
neutron security-group-rule-create --protocol udp --port-range-min 1023
--port-range-max 1023 --ethertype IPv4 vnios-sec-group
neutron security-group-rule-create --protocol udp --port-range-min 1023
--port-range-max 1023 --ethertype IPv6 vnios-sec-group
neutron security-group-rule-create --protocol udp --port-range-min 1194
--port-range-max 1195 --ethertype IPv4 vnios-sec-group
neutron security-group-rule-create --protocol udp --port-range-min 1194
--port-range-max 1195 --ethertype IPv6 vnios-sec-group
neutron security-group-rule-create --protocol udp --port-range-min 2114
--port-range-max 2114 --ethertype IPv4 vnios-sec-group
neutron security-group-rule-create --protocol udp --port-range-min 2114
--port-range-max 2114 --ethertype IPv6 vnios-sec-group
neutron security-group-rule-create --protocol udp --port-range-min 802 --port-range-max 802 --ethertype IPv4 vnios-sec-group
neutron security-group-rule-create --protocol udp --port-range-min 802 --port-range-max 802 --ethertype IPv6 vnios-sec-group
Optional for other protocols:
# dhcp
neutron security-group-rule-create --protocol udp --port-range-min 67 --port-range-max
69 --ethertype IPv4 vnios-sec-group
neutron security-group-rule-create --protocol udp --port-range-min 67 --port-range-max
69 --ethertype IPv6 vnios-sec-group
neutron security-group-rule-create --protocol tcp --port-range-min 647 --port-range-max 647 --ethertype IPv4 vnios-sec-group
neutron security-group-rule-create --protocol tcp --port-range-min 647 --port-range-max 647 --ethertype IPv6 vnios-sec-group
neutron security-group-rule-create --protocol tcp --port-range-min 546 --port-range-max
547 --ethertype IPv4 vnios-sec-group
neutron security-group-rule-create --protocol tcp --port-range-min 546 --port-range-max
547 --ethertype IPv6 vnios-sec-group
neutron security-group-rule-create --protocol udp --port-range-min 546 --port-range-max
547 --ethertype IPv4 vnios-sec-group
neutron security-group-rule-create --protocol udp --port-range-min 546 --port-range-max
547 --ethertype IPv6 vnios-sec-group
#
ntp
neutron security-group-rule-create --protocol tcp --port-range-min 123 --port-range-max 123 --ethertype IPv4 vnios-sec-group
neutron security-group-rule-create --protocol tcp --port-range-min 123 --port-range-max
123 --ethertype IPv6 vnios-sec-group
neutron security-group-rule-create --protocol udp --port-range-min 123 --port-range-max
123 --ethertype IPv4 vnios-sec-group
neutron security-group-rule-create --protocol udp --port-range-min 123 --port-range-max
123 --ethertype IPv6 vnios-sec-group
#
dns neutron security-group-rule-create --protocol tcp --port-range-min 53 --port-range-max
53 --ethertype IPv4 vnios-sec-group
neutron security-group-rule-create --protocol tcp --port-range-min 53 --port-range-max
53 --ethertype IPv6 vnios-sec-group
neutron security-group-rule-create --protocol udp --port-range-min 53 --port-range-max
53 --ethertype IPv4 vnios-sec-group
neutron security-group-rule-create --protocol udp --port-range-min 53 --port-range-max
53 --ethertype IPv6 vnios-sec-group
ftp#
neutron security-group-rule-create --protocol tcp --port-range-min 20 --port-range-max
21 --ethertype IPv4 vnios-sec-group
neutron security-group-rule-create --protocol tcp --port-range-min 20 --port-range-max
21 --ethertype IPv6 vnios-sec-group
syslog#
neutron security-group-rule-create --protocol udp --port-range-min 514 --port-range-max
514 --ethertype IPv4 vnios-sec-group
neutron security-group-rule-create --protocol udp --port-range-min 514 --port-range-max
514 --ethertype IPv6 vnios-sec-group
reporting#
neutron security-group-rule-create --protocol tcp --port-range-min 9997
--port-range-max 9997 --ethertype IPv4 vnios-sec-group
neutron security-group-rule-create --protocol tcp --port-range-min 9997
--port-range-max 9997 --ethertype IPv6 vnios-sec-group
ICMP#
neutron security-group-rule-create --protocol icmp --ethertype IPv4 vnios-sec-group neutron security-group-rule-create --protocol icmp --ethertype IPv6 vnios-sec-group
The following screen shot illustrates how to set up the security group rules.
Starting a vNIOS Instance in OpenStack Environment
To start a vNIOS instance:
...
Ensure that you have already specified the vNIOS flavors and provided a unique name for the instance you want to spin up. For the list of available flavors, see vNIOS for KVM Virtual Appliance Models.
Execute the neutron port-create command to create port IDs for the network interfaces (MGMT and LAN1/HA). You can use the security-group option to associate the vNIOS instance with the security group(s) you have created. For information, see the Setting Up Security Groups section. (Optionally, you can associate the vNIOS instance with a security group when you execute the nova boot command.)
Note:
Do not reuse the OpenStack neutron port of the deleted instances. When you reuse the neutron port of a deleted instance, a mismatch in the MAC address between the VM interface and the host VF might happen during NIC bonding. Also, the neutron port does not function properly when you reuse it repeatedly.
Following is a neutron example:
$ neutron port-create --security-group <name of the security group>
For an HA pair, you must also execute the allowed-address-pairs option to define the VIP port for the HA configuration, using the VRRP MAC address and the Virtual Router ID you use. Following is an example:$ neutron port-create VIP –-allowed-address-pairs list=true mac_address= 00:00:5e:00:01:c8 ip_address=10.0.0.22
...
Deploying the vNIOS Instances in an OpenStack Environment
As prerequisites, ensure that you have specified the vNIOS flavors and provided unique names for the instances you want to deploy.
Deploying a Standalone Instance
To deploy a standalone vNIOS instance in OpenStack, complete the following steps:
- Run the
neutron port-create
command to create port IDs for the MGMT, LAN1 and HA network interfaces.- To create an MGMT port, use the command:
neutron port-create <mgmt_network_name> --name <mgmt-node-1> --binding:vnic-type direct
- To create a LAN1 port, use the command:
neutron port-create <lan1_network_name> --name <lan1-node-1> --binding:vnic-type direct
- (Optional) If you need to create a LAN2 port, then you must create a HA port. To create a HA port, use the command:
neutron port-create <lan1_network_name> --name <ha-node-1> --binding:vnic-type direct
- (Optional) If you need to create a LAN2 port, use the command:
neutron port-create <lan2_network_name> --name <lan2-node-1> --binding:vnic-type direct
- To create an MGMT port, use the command:
- Run the
neutron port list
command to view the network and port IDs generated for all network interfaces. You can copy the port IDs from this output to thenova boot
command. - Deploy the instance using the
nova boot
command as shown in the following example:nova boot --config-drive True --flavor <flavor_name> --image <image_name> --nic port-id=<mgmt_port_id> --nic port-id=<lan1_port_id> --nic port-id=<ha_port_id> --nic port-id=<lan2_port_id> <instance_name>
flavor
specifies the flavors of the vNIOS for KVM instance. For information about how to define flavors, see the Setting Up vNIOS OpenStack Flavors section.image
defines the name of the software package you downloaded. For information about supported vNIOS for KVM models, see vNIOS for KVM Virtual Appliance Models.nic port-id
specifies the port ID of an interface (MGMT, LAN1, LAN2, or HA).
The vNIOS for KVM instance automatically spins up after the nova boot
command is executed.
Note | ||
---|---|---|
| ||
|
Deploying the vNIOS Instances in a HA Setup
To deploy the vNIOS instances in a HA setup in OpenStack, complete the following steps:
Note | ||
---|---|---|
| ||
In a HA configuration, you must unblock the VRRP port 112 in your security group. |
- For both active and passive nodes, run the
neutron port-create
command to create port IDs for the MGMT, LAN1 and HA network interfaces as shown in the following steps:- To create an MGMT port, use the command:
neutron port-create <mgmt_network_name> --name <mgmt-node-1> --binding:vnic-type direct
neutron port-create <mgmt_network_name> --name <mgmt-node-2> --binding:vnic-type direct
- To create a LAN1 port, use the command:
neutron port-create <lan1_network_name> --name <lan1-node-1> --binding:vnic-type direct
neutron port-create <lan1_network_name> --name <lan1-node-2> --binding:vnic-type direct
- To create a HA port, use the command:
neutron port-create <lan1_network_name> --name <ha-node-1> --binding:vnic-type direct
neutron port-create <lan1_network_name> --name <ha-node-2> --binding:vnic-type direct
- To create an MGMT port, use the command:
- Create a port for HA-VIP in the same subnet as that of LAN1 by using the command:
neutron port-create <lan1_network_name> --name <ha-vip> --binding:vnic-type direct
- Run the
neutron port list
command to view the network and port IDs generated for all network interfaces so you can copy and paste them into . You can copy the port IDs from this output to thenova boot
command.Execute thenova boot
command in OpenStack to spin up the vNIOS instance. (Note - : Use the custom name you came up with when creating flavors).
Following is an exampleDeploy active and passive nodes using the
False --imagenova boot
command:nova boot --config-drive
<nios-7.3.0-314352-2016-01-29-05-02-02-160G-1425-disk1.qcow2> --flavor <vnios1410.160>
– security-groups <name of the security group> --nic net-id=<the network ID for the MGMT interface> --nic net-id=<the network ID for the LAN1/HA interface only if you are configuring an HA pair>True --flavor <flavor_name> --image <image_name> --nic port-id=<mgmt_port_id> --nic port-id=<lan1_port_id> --nic port-id=<ha_port_id> <instance name>
flavor
specifiesnova boot --config-drive True --flavor <flavor_name> --image <image_name> --nic port-id=<mgmt_port_id> --nic port-id=<lan1_port_id> --nic port-id=<the IP address ID for the LAN1 interface>
<my-vm-name>
whereimage
defines the name of the software package you downloaded. For information about supported vNIOS for KVM models, see vNIOS for KVM Virtual Appliance Models.
<ha_port_id> <instance name>
flavor
specifies the flavors of the vNIOS for KVM instance. For information about how to define flavors, see the Setting Up vNIOS OpenStack Flavors section.security-groups
defines the security group with which this vNIOS instance associatesimage
defines the name of the software package you downloaded. For information about how to create rules for security groups, see the Setting Up Security Groups section.nic net-id
specifies the network ID for the MGMT interface. Note that when provisioning an HA pair, you must also specify the network ID for the LAN1/HA interface. For more information, see Sample Commands for Provisioning an HA Pairsupported vNIOS for KVM models, see vNIOS for KVM Virtual Appliance Models.nic port-id
specifies the IP address ID for the LAN1/HA interface.
Note: For the vNIOS appliance to run in OpenStack, you must specify at least two networks, MGMT and LAN1. To remove networks, use the neutron net-delete command. If some of the networks remain, use OpenStack Horizon to manually remove them.my-vm-name
defines the unique name of the VMport ID of an interface (MGMT, LAN1, LAN2, or HA).
The vNIOS for KVM instance automatically spins up after the
...
command is
...
run. Proceed to configure the instances as explained in the following section.
Configuring the vNIOS Instance
- In OpenStack Horizon, select the launched instance.
- Assign the previously created security group to the instance.
- Click the Console tab.
- When the Infoblox login prompt appears, log in with the default user name and password.
login: admin
password: infoblox
The Infoblox prompt appears:Infoblox >
- You must have Install valid licenses before you can configure the vNIOS appliance. To obtain permanent licenses, first use the Infoblox > show version command to obtain the serial number of the vNIOS appliance, and then visit the Infoblox Support web site at https://support.infoblox.com. Log in with the user ID and password you receive when you register your product online at
http://www.infoblox.com/support/customer/evaluation-and-registration.
If the vNIOS virtual appliance does not have the Infoblox licenses required to run NIOS services and to join a Grid, you can use the set temp_license command to generate and install a temporary 60-day license. From the list of licenses, select the Grid, vNIOS, and other relevant licenses for your vNIOS virtual appliance.
Note that you must have both the Grid and vNIOS licenses for the vNIOS virtual appliance to join a Grid (2 and 8 from the list).- In OpenStack Horizon, go to InstanceOverview and copy the floating IP address of the instance.
- Go back to the console and run the
set network
command. Not required for Elastic Scaling. - Go to the Infoblox Grid Manager and enable the NAT mode for the Grid member. For an HA Grid Master, ensure that you specify these settings for both nodes.
- Click Grid -> Grid Manager -> Members -> Network.
- Select the Grid member and click Edit.
- Click Network -> Advanced.
- Click Enable NAT Compatibility and enter the floating IP address.
- Click Save & Close.
- In the console, run the
set network
command.
This step is not required in the following scenarios:- If Elastic Scaling is set up for this instance.
- If DHCP is enabled for this instance (the LAN1 IP address will be obtained automatically).
(For a HA setup only) Complete the following:
Log in to Grid Manager and change the configuration to HA pair.
To set up an IPv6 only Grid, change the configuration to IPv6 only.
Specify the IP addresses for the node 2 of the LAN1 port and that of HA-VIP port.
The instance will restart. Once it is back online, you can see the updated configuration using theshow network
command.In the console, use the
show interface
command to get the MAC address of the NIOS HA interface.Set the HA port of both active and passive nodes to form a bond with the HA interface as follows:
neutron port-update <ha1-node-1 port id> --allowed-address-pairs type=dict list=true ip_address=<Ipv4/Ipv6 HA-VIP>,mac_address=<mac address of Node-1 HA interface>
neutron port-update <ha1-node-2 port id> --allowed-address-pairs type=dict list=true ip_address=<
Ipv4/Ipv6
HA-VIP>,mac_address=<mac address of Node-1 HA interface>
Example:neutron port-update 1828291e-c109-46d1-8d13-35d40bc905a2 --allowed-address-pairs type=dict list=true ip_address=2001:1890:1959:2745::902,mac_address=fa:16:3e:07:09:72
Log in to the console of node 2.
Join the node 2 to the HA master through the HA-VIP port by using the
set membership
command.
Terminating vNIOS Instances
To terminate vNIOS instances, go to in OpenStack Horizon, select the instance and select "choose Terminate Instance" from the drop-down menu list on the right-hand side of the panel.