Chapter 6: OpenStack Networking Service (Neutron)
Neutron service introduction and Neutron controller node deployment
OpenStack Neutron
Networking service overview
OpenStack Networking (Neutron) lets you create and attach interface devices that are managed by other OpenStack services. Its plug-in architecture accommodates different networking equipment and software, giving OpenStack architecture and deployment flexibility.
It includes the following components:
neutron-server
Accepts API requests and routes them to the appropriate OpenStack Networking plug-in for action.
OpenStack Networking plug-ins and agents
Plug and unplug ports, create networks and subnets, and provide IP addressing. These plug-ins and agents differ depending on the vendor and technology used; OpenStack Networking ships with plug-ins and agents for Cisco virtual and physical switches, NEC OpenFlow products, Open vSwitch, Linux bridging, and VMware NSX.
The common agents are L3 (layer 3), DHCP (dynamic host IP addressing), and the plug-in agent.
Messaging queue
Used by most OpenStack Networking installations to route information between neutron-server and the various agents. It also acts as a database for some particular plug-ins to store networking state.
OpenStack Networking mainly interacts with OpenStack Compute to provide networks and connectivity for its instances.
Networking option 1: public (provider) network
Install and configure the networking components on the controller node
Install the components
[root@linux-node1 ~]# yum install openstack-neutron openstack-neutron-ml2 \
> openstack-neutron-linuxbridge ebtables
Configure the service components
The networking server component configuration includes the database, authentication mechanism, message queue, topology change notifications, and plug-in.
- Edit the /etc/neutron/neutron.conf file and complete the following actions:
In the [database] section, configure database access:
[database]
connection = mysql+pymysql://neutron:NEUTRON_DBPASS@controller/neutron
- In the [DEFAULT] section, enable the ML2 plug-in and disable other plug-ins:
[DEFAULT]
core_plugin = ml2
service_plugins =
In the [DEFAULT] and [oslo_messaging_rabbit] sections, configure RabbitMQ message queue access:
[DEFAULT]
rpc_backend = rabbit
[oslo_messaging_rabbit]
rabbit_host = 192.168.1.11
rabbit_userid = openstack
rabbit_password = openstack
- In the [DEFAULT] and [keystone_authtoken] sections, configure Identity service access:
[DEFAULT]
auth_strategy = keystone
[keystone_authtoken]
auth_uri = http://192.168.1.11:5000
auth_url = http://192.168.1.11:35357
memcached_servers = 192.168.1.11:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = neutron
password = neutron
- In the [DEFAULT] and [nova] sections, configure Networking to notify Compute of network topology changes:
[DEFAULT]
notify_nova_on_port_status_changes = True
notify_nova_on_port_data_changes = True
[nova]
auth_url = http://192.168.1.11:35357
auth_type = password
project_domain_name = default
user_domain_name = default
region_name = RegionOne
project_name = service
username = nova
password = nova
[oslo_concurrency]
lock_path = /var/lib/neutron/tmp
Check which options are now set:
[root@linux-node1 ~]# grep '^[a-z]' /etc/neutron/neutron.conf
auth_strategy = keystone
core_plugin = ml2
service_plugins =
notify_nova_on_port_status_changes = true
notify_nova_on_port_data_changes = true
rpc_backend = rabbit
connection = mysql+pymysql://neutron:neutron@192.168.1.11/neutron
auth_uri = http://192.168.1.11:5000
auth_url = http://192.168.1.11:35357
memcached_servers = 192.168.1.11:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = neutron
password = neutron
auth_url = http://192.168.1.11:35357
auth_type = password
project_domain_name = default
user_domain_name = default
region_name = RegionOne
project_name = service
username = nova
password = nova
lock_path = /var/lib/neutron/tmp
rabbit_host = 192.168.1.11
rabbit_userid = openstack
rabbit_password = openstack
Neutron controller node: ML2 and Linux bridge configuration
Configure the Modular Layer 2 (ML2) plug-in
The ML2 plug-in uses the Linux bridge mechanism to build layer-2 (bridging and switching) virtual networking infrastructure for instances.
Edit the /etc/neutron/plugins/ml2/ml2_conf.ini file and complete the following actions:
- In the [ml2] section, enable flat and VLAN networks:
[ml2]
type_drivers = flat,vlan,gre,vxlan,geneve
- In the [ml2] section, disable private (self-service) networks:
[ml2]
tenant_network_types = flat
- In the [ml2] section, enable the Linux bridge mechanism:
[ml2]
mechanism_drivers = linuxbridge,openvswitch
- In the [ml2] section, enable the port security extension driver:
[ml2]
extension_drivers = port_security
- In the [securitygroup] section, enable ipset to increase the efficiency of security group rules:
[securitygroup]
enable_ipset = True
Configure the Linux bridge agent
The Linux bridge agent builds layer-2 virtual networking infrastructure for instances and handles security group rules.
Edit the /etc/neutron/plugins/ml2/linuxbridge_agent.ini file and complete the following actions:
- In the [linux_bridge] section, map the public virtual network to the public physical network interface:
[linux_bridge]
physical_interface_mappings = public:eth0
- In the [vxlan] section, disable VXLAN overlay networks:
[vxlan]
enable_vxlan = False
- In the [securitygroup] section, enable security groups and configure the Linux bridge iptables firewall driver:
[securitygroup]
enable_security_group = True
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
Configure the DHCP agent
Edit the /etc/neutron/dhcp_agent.ini file and complete the following actions:
- In the [DEFAULT] section, configure the Linux bridge interface driver and the Dnsmasq DHCP driver, and enable isolated metadata so that instances on the public network can reach the metadata service over the network:
[DEFAULT]
interface_driver = neutron.agent.linux.interface.BridgeInterfaceDriver
dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq
enable_isolated_metadata = True
Configure the metadata agent
Edit the /etc/neutron/metadata_agent.ini file and complete the following actions:
In the [DEFAULT] section, configure the metadata host and the shared secret:
[DEFAULT]
nova_metadata_ip = 192.168.1.11
metadata_proxy_shared_secret = unixhot.com
Configure the Compute service to use the Networking service
Edit the /etc/nova/nova.conf file and complete the following actions:
- In the [neutron] section, configure access parameters, enable the metadata proxy, and configure the shared secret:
[neutron]
url = http://192.168.1.11:9696
auth_url = http://192.168.1.11:35357
auth_type = password
project_domain_name = default
user_domain_name = default
region_name = RegionOne
project_name = service
username = neutron
password = neutron
service_metadata_proxy = True
# must be identical to metadata_proxy_shared_secret in /etc/neutron/metadata_agent.ini,
# otherwise the metadata proxy rejects instance requests as having a bad signature
metadata_proxy_shared_secret = unixhot.com
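The shared secret in the nova.conf [neutron] section and the one in metadata_agent.ini [DEFAULT] must be the same value, because nova-api validates the HMAC the Neutron metadata proxy adds to each instance request. The script below is an added example, not part of the original notes: an awk-based ini_get helper that reads one key from one section of an oslo.config-style file (it can equally be used to check the neutron.conf values listed with grep earlier), and check_metadata_secret, which compares the two files. The function names, the demo() paths under a temporary directory, and the SECRET_PLACEHOLDER value are all constructed for a stand-alone run.

```shell
#!/bin/sh
# Added example (not from the original notes): read one key from one
# section of an INI-style OpenStack config file and verify that
# metadata_proxy_shared_secret agrees between metadata_agent.ini
# [DEFAULT] and nova.conf [neutron].

# ini_get FILE SECTION KEY
#   prints the value (last occurrence in the section wins) and returns 0;
#   returns 1 if the key is not set in that section.
#   Lines starting with '#' or ';' are comments, as in the sample configs.
ini_get() {
    awk -v want_sec="$2" -v want_key="$3" '
        /^[ \t]*[#;]/ { next }                       # comment line
        /^[ \t]*\[/ {                                # [section] header
            s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s)
            sec = s; next
        }
        sec == want_sec && /=/ {                     # key = value in wanted section
            k = $0; sub(/=.*$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == want_key) {
                v = $0; sub(/^[^=]*=/, "", v); gsub(/^[ \t]+|[ \t]+$/, "", v)
                val = v; found = 1
            }
        }
        END { if (!found) exit 1; print val }
    ' "$1"
}

# check_metadata_secret METADATA_AGENT_INI NOVA_CONF
#   returns 0 when both secrets are set and identical, 1 otherwise.
check_metadata_secret() {
    a=$(ini_get "$1" DEFAULT metadata_proxy_shared_secret) \
        || { echo "no metadata_proxy_shared_secret in $1 [DEFAULT]" >&2; return 1; }
    b=$(ini_get "$2" neutron metadata_proxy_shared_secret) \
        || { echo "no metadata_proxy_shared_secret in $2 [neutron]" >&2; return 1; }
    if [ "$a" = "$b" ]; then
        echo "metadata_proxy_shared_secret matches between $1 and $2"
        return 0
    fi
    echo "MISMATCH: $1 [DEFAULT] and $2 [neutron] carry different secrets" >&2
    return 1
}

# demo: constructed sample files in a temp dir (placeholder secret, not a real one).
demo() {
    d=$(mktemp -d)
    printf '[DEFAULT]\nnova_metadata_ip = 192.168.1.11\nmetadata_proxy_shared_secret = SECRET_PLACEHOLDER\n' \
        > "$d/metadata_agent.ini"
    printf '[neutron]\nurl = http://192.168.1.11:9696\nservice_metadata_proxy = True\nmetadata_proxy_shared_secret = SECRET_PLACEHOLDER\n' \
        > "$d/nova.conf"
    if check_metadata_secret "$d/metadata_agent.ini" "$d/nova.conf"; then rc=0; else rc=1; fi
    rm -rf "$d"
    return $rc
}
```

On a real controller, run `check_metadata_secret /etc/neutron/metadata_agent.ini /etc/nova/nova.conf` as root before restarting the services; the grep check shown earlier cannot catch this, because it only lists values without relating them across files.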
Finalize installation
1. The Networking service initialization scripts expect a symbolic link /etc/neutron/plugin.ini pointing to the ML2 plug-in configuration file /etc/neutron/plugins/ml2/ml2_conf.ini. If this symbolic link does not exist, create it with the following command:
[root@linux-node1 ~]# ln -s /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini
2. Populate the database:
[root@linux-node1 ~]# su -s /bin/sh -c "neutron-db-manage --config-file /etc/neutron/neutron.conf \
> --config-file /etc/neutron/plugins/ml2/ml2_conf.ini upgrade head" neutron
3. Restart the Compute API service:
[root@linux-node1 ~]# systemctl restart openstack-nova-api.service
4. Start the Networking services and configure them to start when the system boots:
[root@linux-node1 ~]# systemctl enable neutron-server.service \
> neutron-linuxbridge-agent.service neutron-dhcp-agent.service \
> neutron-metadata-agent.service
Created symlink from /etc/systemd/system/multi-user.target.wants/neutron-server.service to /usr/lib/systemd/system/neutron-server.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/neutron-linuxbridge-agent.service to /usr/lib/systemd/system/neutron-linuxbridge-agent.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/neutron-dhcp-agent.service to /usr/lib/systemd/system/neutron-dhcp-agent.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/neutron-metadata-agent.service to /usr/lib/systemd/system/neutron-metadata-agent.service.
[root@linux-node1 ~]# systemctl start neutron-server.service \
> neutron-linuxbridge-agent.service neutron-dhcp-agent.service \
> neutron-metadata-agent.service
Finally, register the service in Keystone
- Create the "neutron" service entity:
[root@linux-node1 ~]# source admin-openstack.sh
[root@linux-node1 ~]# openstack service create --name neutron \
> --description "OpenStack Networking" network
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | OpenStack Networking             |
| enabled     | True                             |
| id          | 69699f6f973949669f51d42b58a754cc |
| name        | neutron                          |
| type        | network                          |
+-------------+----------------------------------+
- Create the Networking service API endpoints:
[root@linux-node1 ~]# openstack endpoint create --region RegionOne \
> network public http://192.168.1.11:9696
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | b2a24c0e2d7f45fdacfb422032416b84 |
| interface    | public                           |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 69699f6f973949669f51d42b58a754cc |
| service_name | neutron                          |
| service_type | network                          |
| url          | http://192.168.1.11:9696         |
+--------------+----------------------------------+
[root@linux-node1 ~]# openstack endpoint create --region RegionOne \
> network internal http://192.168.1.11:9696
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 801239f0722f4be8a7cf58b268e9519d |
| interface    | internal                         |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 69699f6f973949669f51d42b58a754cc |
| service_name | neutron                          |
| service_type | network                          |
| url          | http://192.168.1.11:9696         |
+--------------+----------------------------------+
[root@linux-node1 ~]# openstack endpoint create --region RegionOne \
> network admin http://192.168.1.11:9696
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 88be851c11904faebc24c57ddf5acf6f |
| interface    | admin                            |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 69699f6f973949669f51d42b58a754cc |
| service_name | neutron                          |
| service_type | network                          |
| url          | http://192.168.1.11:9696         |
+--------------+----------------------------------+
List the OpenStack services:
[root@linux-node1 ~]# openstack service list
+----------------------------------+----------+----------+
| ID                               | Name     | Type     |
+----------------------------------+----------+----------+
| 69699f6f973949669f51d42b58a754cc | neutron  | network  |
| 78e6f8140aa344e0abbc41ca7d21d9ed | keystone | identity |
| 976981ab6bef4582b49ac0b406fb1a25 | nova     | compute  |
| c29f2863d89047b997c721cdb51e77cb | glance   | image    |
+----------------------------------+----------+----------+
List the OpenStack endpoints:
[root@linux-node1 ~]# openstack endpoint list
+----------------------------------+-----------+--------------+--------------+---------+-----------+---------------------------------------------+
| ID                               | Region    | Service Name | Service Type | Enabled | Interface | URL                                         |
+----------------------------------+-----------+--------------+--------------+---------+-----------+---------------------------------------------+
| 0306699fe1d240848babc3b41d0be4e3 | RegionOne | nova         | compute      | True    | internal  | http://192.168.1.11:8774/v2.1/%(tenant_id)s |
| 1d87e06bff044ae88c50e5487485c3f9 | RegionOne | nova         | compute      | True    | admin     | http://192.168.1.11:8774/v2.1/%(tenant_id)s |
| 353d9c2b13ec4f5d8e3d51abe7ca6ee2 | RegionOne | keystone     | identity     | True    | internal  | http://192.168.1.11:5000/v3                 |
| 801239f0722f4be8a7cf58b268e9519d | RegionOne | neutron      | network      | True    | internal  | http://192.168.1.11:9696                    |
| 84952464ca3644da82907fae74453c99 | RegionOne | keystone     | identity     | True    | public    | http://192.168.1.11:5000/v3                 |
| 88be851c11904faebc24c57ddf5acf6f | RegionOne | neutron      | network      | True    | admin     | http://192.168.1.11:9696                    |
| 9529f8eba1ce4b27bff51a13b7371d51 | RegionOne | glance       | image        | True    | public    | http://192.168.1.11:9292                    |
| b1c181db93dd461bb11f39888b3c653b | RegionOne | nova         | compute      | True    | public    | http://192.168.1.11:8774/v2.1/%(tenant_id)s |
| b2a24c0e2d7f45fdacfb422032416b84 | RegionOne | neutron      | network      | True    | public    | http://192.168.1.11:9696                    |
| bcafb0d3927f4307bfcc96f9f8882211 | RegionOne | glance       | image        | True    | admin     | http://192.168.1.11:9292                    |
| f3b9aae336cb4f478b95ad7c77431580 | RegionOne | glance       | image        | True    | internal  | http://192.168.1.11:9292                    |
| f56fc2678a13414cbe94b6fea506d13c | RegionOne | keystone     | identity     | True    | admin     | http://192.168.1.11:35357/v3                |
+----------------------------------+-----------+--------------+--------------+---------+-----------+---------------------------------------------+
Test the Neutron installation:
[root@linux-node1 ~]# neutron agent-list
+--------------------------------------+--------------------+-------------------------+-------------------+-------+----------------+---------------------------+
| id                                   | agent_type         | host                    | availability_zone | alive | admin_state_up | binary                    |
+--------------------------------------+--------------------+-------------------------+-------------------+-------+----------------+---------------------------+
| 3f1875f2-17d9-4fd0-a48d-42bd78185fcf | Linux bridge agent | linux-node1.example.com |                   | :-)   | True           | neutron-linuxbridge-agent |
| 52e2e5c7-3dce-4412-baa2-565b5d73f437 | Metadata agent     | linux-node1.example.com |                   | :-)   | True           | neutron-metadata-agent    |
| cf45beb1-e731-45fc-95ec-ca8842631a08 | DHCP agent         | linux-node1.example.com | nova              | :-)   | True           | neutron-dhcp-agent        |
+--------------------------------------+--------------------+-------------------------+-------------------+-------+----------------+---------------------------+
Install the components on the compute node
[root@linux-node2 ~]# yum install openstack-neutron-linuxbridge ebtables ipset
1. On node1, copy /etc/neutron/neutron.conf and /etc/neutron/plugins/ml2/linuxbridge_agent.ini to the /opt/ directory on node2:
[root@linux-node1 ~]# scp /etc/neutron/neutron.conf 192.168.1.12:/opt/
root@192.168.1.12's password:
neutron.conf                                  100%   52KB  51.9KB/s   00:00
[root@linux-node1 ~]# scp /etc/neutron/plugins/ml2/linuxbridge_agent.ini 192.168.1.12:/opt/
root@192.168.1.12's password:
linuxbridge_agent.ini
2. Back up the /etc/neutron/neutron.conf file:
[root@linux-node2 ~]# mv /etc/neutron/neutron.conf /etc/neutron/neutron.conf.bak
- Move neutron.conf from /opt/ to /etc/neutron/ and fix the file ownership:
[root@linux-node2 ~]# mv /opt/neutron.conf /etc/neutron/
[root@linux-node2 ~]# cd /etc/neutron/
[root@linux-node2 neutron]# ll
总用量 108
drwxr-xr-x 4 root root       67 6月  23 11:09 conf.d
-rw-r----- 1 root root    53138 6月  23 11:11 neutron.conf
-rw-r----- 1 root neutron 52645 5月  23 17:08 neutron.conf.bak
drwxr-xr-x 3 root root       17 6月  23 11:09 plugins
-rw-r--r-- 1 root root     1195 2月   1 09:51 rootwrap.conf
[root@linux-node2 neutron]# chown root:neutron neutron.conf
- Move linuxbridge_agent.ini from /opt/ to /etc/neutron/plugins/ml2/ and fix the file ownership:
[root@linux-node2 ml2]# mv /opt/linuxbridge_agent.ini .
[root@linux-node2 ml2]# ls
linuxbridge_agent.ini  linuxbridge_agent.ini.bak
[root@linux-node2 ml2]# chown root:neutron linuxbridge_agent.ini
3. Make the following change in the copied /etc/neutron/neutron.conf:
a. Remove the database connection line
Explanation: the compute node does not need a direct database connection (the diff below shows the line is gone from the copy).
Compare with the original files to see exactly what changed:
- neutron.conf:
[root@linux-node2 neutron]# diff neutron.conf neutron.conf.bak
27c27
< auth_strategy = keystone
---
> #auth_strategy = keystone
30c30
< core_plugin = ml2
---
> #core_plugin = <None>
33c33
< service_plugins =
---
> #service_plugins =
137c137
< notify_nova_on_port_status_changes = true
---
> #notify_nova_on_port_status_changes = true
141c141
< notify_nova_on_port_data_changes = true
---
> #notify_nova_on_port_data_changes = true
511c511
< rpc_backend = rabbit
---
> #rpc_backend = rabbit
683a684
> #connection = <None>
762,770d762
< auth_uri = http://192.168.1.11:5000
< auth_url = http://192.168.1.11:35357
< memcached_servers = 192.168.1.11:11211
< auth_type = password
< project_domain_name = default
< user_domain_name = default
< project_name = service
< username = neutron
< password = neutron
939,948d930
< auth_url = http://192.168.1.11:35357
< auth_type = password
< project_domain_name = default
< user_domain_name = default
< region_name = RegionOne
< project_name = service
< username = nova
< password = nova
<
<
1061c1043
< lock_path = /var/lib/neutron/tmp
---
> # lock_path = $state_path/lock
1212c1194
< rabbit_host = 192.168.1.11
---
> #rabbit_host = localhost
1230c1212
< rabbit_userid = openstack
---
> #rabbit_userid = guest
1234c1216
< rabbit_password = openstack
---
> #rabbit_password = guest
- linuxbridge_agent.ini:
[root@linux-node2 ml2]# diff linuxbridge_agent.ini linuxbridge_agent.ini.bak
141c141
< physical_interface_mappings = public:eth0
---
> #physical_interface_mappings =
151c151
< firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
---
> #firewall_driver = <None>
156c156
< enable_security_group = true
---
> #enable_security_group = true
171c171
< enable_vxlan = false
---
> #enable_vxlan = true
Configure the Compute service to use the Networking service
Edit the /etc/nova/nova.conf file and complete the following actions:
- In the [neutron] section, configure access parameters:
[neutron]
url = http://192.168.1.11:9696
auth_url = http://192.168.1.11:35357
auth_type = password
project_domain_name = default
user_domain_name = default
region_name = RegionOne
project_name = service
username = neutron
password = neutron
Finalize installation
1. Restart the Compute service:
[root@linux-node2 ml2]# systemctl restart openstack-nova-compute.service
2. Start the Linux bridge agent and configure it to start when the system boots:
[root@linux-node2 ml2]# systemctl enable neutron-linuxbridge-agent.service
Created symlink from /etc/systemd/system/multi-user.target.wants/neutron-linuxbridge-agent.service to /usr/lib/systemd/system/neutron-linuxbridge-agent.service.
[root@linux-node2 ml2]# systemctl start neutron-linuxbridge-agent.service
[root@linux-node2 ml2]# systemctl status neutron-linuxbridge-agent.service -l
● neutron-linuxbridge-agent.service - OpenStack Neutron Linux Bridge Agent
   Loaded: loaded (/usr/lib/systemd/system/neutron-linuxbridge-agent.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since 五 2017-06-23 12:15:50 EDT; 6min ago
  Process: 12524 ExecStart=/usr/bin/neutron-linuxbridge-agent --config-file /usr/share/neutron/neutron-dist.conf --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugins/ml2/linuxbridge_agent.ini --config-dir /etc/neutron/conf.d/common --config-dir /etc/neutron/conf.d/neutron-linuxbridge-agent --log-file /var/log/neutron/linuxbridge-agent.log (code=exited, status=1/FAILURE)
  Process: 12518 ExecStartPre=/usr/bin/neutron-enable-bridge-firewall.sh (code=exited, status=0/SUCCESS)
 Main PID: 12524 (code=exited, status=1/FAILURE)
================>>>> Fix applied (file ownership corrected):
[root@linux-node2 ml2]# chown root:neutron /etc/neutron/neutron.conf
[root@linux-node2 ml2]# chown root:neutron linuxbridge_agent.ini
Active: active (running) since 五 2017-06-23 12:28:40 EDT; 2s ago
6月 23 12:15:50 linux-node2.example.com neutron-linuxbridge-agent[12524]: File "/usr/lib/python2.7/site-packages/neutron/plugins/ml2/drivers/linuxbridge/agent/linuxbridge_neutron_agent.py", line 878, in main
6月 23 12:15:50 linux-node2.example.com neutron-linuxbridge-agent[12524]: common_config.init(sys.argv[1:])
6月 23 12:15:50 linux-node2.example.com neutron-linuxbridge-agent[12524]: File "/usr/lib/python2.7/site-packages/neutron/common/config.py", line 246, in init
6月 23 12:15:50 linux-node2.example.com neutron-linuxbridge-agent[12524]: **kwargs)
6月 23 12:15:50 linux-node2.example.com neutron-linuxbridge-agent[12524]: File "/usr/lib/python2.7/site-packages/oslo_config/cfg.py", line 2171, in __call__
6月 23 12:15:50 linux-node2.example.com neutron-linuxbridge-agent[12524]: self._namespace._files_permission_denied)
6月 23 12:15:50 linux-node2.example.com neutron-linuxbridge-agent[12524]: oslo_config.cfg.ConfigFilesPermissionDeniedError: Failed to open some config files: /etc/neutron/neutron.conf,/etc/neutron/plugins/ml2/linuxbridge_agent.ini
6月 23 12:15:50 linux-node2.example.com systemd[1]: neutron-linuxbridge-agent.service: main process exited, code=exited, status=1/FAILURE
6月 23 12:15:50 linux-node2.example.com systemd[1]: Unit neutron-linuxbridge-agent.service entered failed state.
6月 23 12:15:50 linux-node2.example.com systemd[1]: neutron-linuxbridge-agent.service failed.
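The ConfigFilesPermissionDeniedError in the journal above is oslo.config refusing to open the two files: the agent runs as the unprivileged neutron user, and a file copied with scp and moved into place is owned root:root with mode 0640, so the neutron group cannot read it. The script below is an added example, not part of the original notes, that checks owner, group and mode of a config file before the service is started. check_conf_perms and check_neutron_files are names chosen here; check_neutron_files applies the root:neutron 640 expectation (the ownership and mode the packaged neutron.conf.bak shows in the ll listing) to the two paths the agent loads on node2. It relies on GNU stat, as found on CentOS/RHEL.

```shell
#!/bin/sh
# Added example (not from the original notes): verify that the config
# files neutron-linuxbridge-agent reads are owned and moded so that the
# "neutron" service user can open them, which is what the
# ConfigFilesPermissionDeniedError above is complaining about.

# check_conf_perms FILE OWNER GROUP MODE
#   returns 0 if FILE exists and is exactly OWNER:GROUP with octal MODE
#   (e.g. 640), 1 otherwise with the reason on stderr.
check_conf_perms() {
    f=$1; want_owner=$2; want_group=$3; want_mode=$4
    [ -f "$f" ] || { echo "$f: missing" >&2; return 1; }
    # GNU stat: %U user name, %G group name, %a permissions in octal
    have=$(stat -c '%U:%G:%a' "$f") || return 1
    if [ "$have" = "$want_owner:$want_group:$want_mode" ]; then
        echo "$f: ok ($have)"
        return 0
    fi
    echo "$f: expected $want_owner:$want_group:$want_mode, have $have" >&2
    return 1
}

# check_neutron_files
#   applies the root:neutron 640 expectation to the two files the
#   linuxbridge agent loads on the compute node; returns 1 if any fails.
check_neutron_files() {
    rc=0
    for f in /etc/neutron/neutron.conf /etc/neutron/plugins/ml2/linuxbridge_agent.ini; do
        check_conf_perms "$f" root neutron 640 || rc=1
    done
    return $rc
}
```

Running `check_neutron_files` right after the mv step and before `systemctl start` turns the failure shown above into a one-line report naming the file and the actual ownership, instead of a traceback in the journal. A 0640 root:neutron file also keeps the RabbitMQ and Keystone passwords it contains away from other local users, which a 0644 "fix" would not.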
Check whether the service has started:
[root@linux-node2 ml2]# ps aux | grep python
root       618  0.0  0.9  553152 18468 ?        Ssl  05:09   0:01 /usr/bin/python -Es /usr/sbin/tuned -l -P
nova     12349  2.9  5.2 1209236 98896 ?        Ssl  11:39   0:03 /usr/bin/python2 /usr/bin/nova-compute
root     12429  0.0  0.0  112664   968 pts/0    R+   11:41   0:00 grep --color=auto python
Verification:
On node1, verify that the installation succeeded:
[root@linux-node1 ~]# source admin-openstack.sh
[root@linux-node1 ~]# neutron agent-list
+--------------------------------------+--------------------+-------------------------+-------------------+-------+----------------+---------------------------+
| id                                   | agent_type         | host                    | availability_zone | alive | admin_state_up | binary                    |
+--------------------------------------+--------------------+-------------------------+-------------------+-------+----------------+---------------------------+
| 3f1875f2-17d9-4fd0-a48d-42bd78185fcf | Linux bridge agent | linux-node1.example.com |                   | :-)   | True           | neutron-linuxbridge-agent |
| 52e2e5c7-3dce-4412-baa2-565b5d73f437 | Metadata agent     | linux-node1.example.com |                   | :-)   | True           | neutron-metadata-agent    |
| cf45beb1-e731-45fc-95ec-ca8842631a08 | DHCP agent         | linux-node1.example.com | nova              | :-)   | True           | neutron-dhcp-agent        |
+--------------------------------------+--------------------+-------------------------+-------------------+-------+----------------+---------------------------+