feisky

Notes on cloud computing, virtualization and Linux

Deploying OpenStack with RDO (3)

Posted on 2014-07-15 11:07  feisky

The network services currently supported by the OpenStack Neutron framework are: Load Balancing as a Service, VPN as a Service, and Firewall as a Service.

1. Install and configure the network services (on the network node)

(1) Install the packages

yum install openstack-neutron-vpn-agent openstack-neutron openswan haproxy

/etc/sysctl.conf:
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.default.send_redirects=0

(2) Special requirements for VPNaaS

Check the status of the IPsec service, which VPNaaS requires.
chkconfig ipsec on
service ipsec start
ipsec verify

ln -s /dev/urandom /dev/random

(3) Configure the services (I configured all three services together here; as you can see, the configuration options are all similar)

/usr/share/neutron/neutron-dist.conf
service_provider = LOADBALANCER:Haproxy:neutron.services.loadbalancer.drivers.haproxy.plugin_driver.HaproxyOnHostPluginDriver:default
service_provider = VPN:openswan:neutron.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default
service_provider = FIREWALL:Iptables:neutron.services.firewall.drivers.linux.iptables_fwaas.IptablesFwaasDriver

/etc/neutron/neutron.conf
service_plugins = neutron.services.l3_router.l3_router_plugin.L3RouterPlugin,neutron.services.loadbalancer.plugin.LoadBalancerPlugin, neutron.services.firewall.fwaas_plugin.FirewallPlugin,neutron.services.vpn.plugin.VPNDriverPlugin

 

/etc/neutron/fwaas_driver.ini
[fwaas]
#driver =neutron.services.firewall.drivers.linux.iptables_fwaas.IptablesFwaasDriver
enabled = True

 

/etc/neutron/vpn_agent.ini
[DEFAULT]
# VPN-Agent configuration file
# Note vpn-agent inherits l3-agent, so you can use configs on l3-agent also

[vpnagent]
#vpn device drivers which vpn agent will use
#If we want to use multiple drivers, we need to define this option multiple times.
vpn_device_driver=neutron.services.vpn.device_drivers.ipsec.OpenSwanDriver
#vpn_device_driver=another_driver

[ipsec]
#Status check interval
#ipsec_status_check_interval=60

 

/etc/neutron/lbaas_agent.ini
[DEFAULT]
# Show debugging output in log (sets DEBUG log level output).
# debug = False
debug = False

# The LBaaS agent will resync its state with Neutron to recover from any
# transient notification or rpc errors. The interval is number of
# seconds between attempts.
# periodic_interval = 10

# LBaas requires an interface driver be set. Choose the one that best
# matches your plugin.
# interface_driver =
interface_driver =neutron.agent.linux.interface.OVSInterfaceDriver

# Example of interface_driver option for OVS based plugins (OVS, Ryu, NEC, NVP,
# BigSwitch/Floodlight)
# interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver

# Use veth for an OVS interface or not.
# Support kernels with limited namespace support
# (e.g. RHEL 6.5) so long as ovs_use_veth is set to True.
# ovs_use_veth = False

# Example of interface_driver option for LinuxBridge
#interface_driver = neutron.agent.linux.interface.BridgeInterfaceDriver

# The agent requires a driver to manage the loadbalancer. HAProxy is the
# opensource version.
# device_driver = neutron.services.loadbalancer.drivers.haproxy.namespace_driver.HaproxyNSDriver
device_driver = neutron.services.loadbalancer.drivers.haproxy.namespace_driver.HaproxyNSDriver

# The user group
# user_group = nogroup
user_group = haproxy
use_namespaces=True

 
 
Neutron security group configuration requires care.

The following must be configured on all compute nodes:

/etc/nova/nova.conf:

# This option is sometimes omitted, which prevents the iptables rules from taking effect
libvirt_vif_driver = nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver

linuxnet_interface_driver =nova.network.linux_net.LinuxOVSInterfaceDriver

# Have Nova hand security group API calls directly to neutron

security_group_api = neutron

# Configure Nova to disable its own firewall driver
firewall_driver = nova.virt.firewall.NoopFirewallDriver

 

/etc/neutron/ovs_neutron_plugin.ini:
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver 

 
/etc/init.d/neutron-vpn-agent start
/etc/init.d/neutron-lbaas-agent start
/etc/init.d/neutron-l3-agent restart
/etc/init.d/neutron-server restart
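
An added example, not part of the original post: a small Python check that reads the text of nova.conf or ovs_neutron_plugin.ini and reports which of the security-group options listed above are missing, commented out, or set to a different value. Section headers are ignored because the post does not name them; the function names and the sample file contents are constructed for illustration.

```python
# Added example: audit the security-group options this page sets.
# Expected values are copied from the page.
NOVA_EXPECTED = {
    "libvirt_vif_driver": "nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver",
    "linuxnet_interface_driver": "nova.network.linux_net.LinuxOVSInterfaceDriver",
    "security_group_api": "neutron",
    "firewall_driver": "nova.virt.firewall.NoopFirewallDriver",
}
OVS_EXPECTED = {
    "firewall_driver": "neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver",
}


def active_options(text):
    """Return {key: value} for uncommented key=value lines (last one wins)."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blanks, comments and [section] headers (assumption: sections ignored).
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        opts[key.strip()] = value.strip()
    return opts


def audit(text, expected):
    """Return findings sorted by option name; an empty list means all match."""
    opts = active_options(text)
    findings = []
    for key, want in sorted(expected.items()):
        got = opts.get(key)
        if got is None:
            findings.append(f"{key}: missing or commented out (expected {want})")
        elif got != want:
            findings.append(f"{key}: is {got} (expected {want})")
    return findings


# Constructed sample: libvirt_vif_driver left commented out (the omission the
# page warns about) and Nova's own firewall driver still enabled.
SAMPLE_NOVA = """\
[DEFAULT]
#libvirt_vif_driver = nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver
linuxnet_interface_driver =nova.network.linux_net.LinuxOVSInterfaceDriver
security_group_api = neutron
firewall_driver = nova.virt.firewall.IptablesFirewallDriver
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_NOVA, NOVA_EXPECTED):
        print("nova.conf:", finding)
```

To check a real node, pass the contents of /etc/nova/nova.conf with NOVA_EXPECTED and of /etc/neutron/ovs_neutron_plugin.ini with OVS_EXPECTED.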

 

 
