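Installing the OpenStack Networking service (neutron)
I. Introduction to the Networking service (neutron)
1. Networking service overview
OpenStack Networking (neutron) allows you to create interface devices managed by other OpenStack services and attach them to networks. Plug-ins can be implemented to accommodate different networking equipment and software, which gives OpenStack architecture and deployment flexibility.
2. The Networking service includes the following components
1) neutron-server: accepts API requests and routes them to the appropriate OpenStack Networking plug-in for action. It receives and responds to external network management requests.
2) neutron-linuxbridge-agent: creates the bridge interfaces
3) neutron-dhcp-agent: allocates IP addresses
4) neutron-metadata-agent: works with nova-metadata-api to customize virtual machines
5) L3-agent: implements layer-3 networking, VXLAN (network layer)
6) Message queue
Used by most OpenStack Networking installations to route information between neutron-server and the various agents. It also acts as a database that stores networking state for particular plug-ins.
OpenStack Networking mainly interacts with OpenStack Compute to provide network connectivity for its instances.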
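3. Networking service concepts
OpenStack Networking (neutron) manages all of the Virtual Networking Infrastructure (VNI) and the access layer of the Physical Networking Infrastructure (PNI) in an OpenStack environment.
The Networking service provides networks, subnets, and routers as object abstractions. Each abstraction has functionality that mimics its physical counterpart: networks contain subnets, and routers route traffic between different subnets and networks.
Any given Networking setup has at least one external network. Unlike the other networks, the external network is not merely a virtually defined network. Instead, it represents a view into a slice of the physical, external network that is accessible outside the OpenStack installation. IP addresses on the external network are accessible by any physical device on the external network.
In addition to external networks, any Networking setup has one or more internal networks. These software-defined networks connect directly to the virtual machines. Only the virtual machines on a given network, or those on subnets connected through interfaces to a similar router, can directly access virtual machines connected to that network.
For the external network to access instances, or for instances to access the external network, routers between the networks are required. Each router has one gateway connected to an external network and one or more interfaces connected to internal networks. Like a physical router, subnets can access machines on other subnets connected to the same router, and machines can reach the external network through the router's gateway.
You can also allocate IP addresses on external networks to ports on the internal network. Whenever something is connected to a subnet, that connection is called a port. You can associate external network IP addresses with the ports of instances. This way, entities on the external network can access instances.
The Networking service also supports security groups. Security groups let administrators define firewall rules in groups. An instance can belong to one or more security groups, and Networking applies the rules in those security groups to that instance to block or unblock ports, port ranges, or traffic types.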
II. Configuring the Networking service on the controller node
1. Prerequisites
Before you configure the OpenStack Networking (neutron) service, you must create a database, service credentials, and API endpoints for it
1) Create the database
a. Use the database client to connect to the database server as the root user
b. Create the ``neutron`` database
c. Grant proper access to the ``neutron`` database
d. Exit the database client
[root@controller ~]# mysql -u root -p
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 54
Server version: 10.1.20-MariaDB MariaDB Server

Copyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> CREATE DATABASE neutron;
Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| glance             |
| information_schema |
| keystone           |
| mysql              |
| neutron            |
| nova               |
| nova_api           |
| performance_schema |
| test               |
+--------------------+
9 rows in set (0.00 sec)

MariaDB [(none)]> GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'localhost' IDENTIFIED BY '123456';
Query OK, 0 rows affected (0.02 sec)

MariaDB [(none)]> GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'%' IDENTIFIED BY '123456';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> exit
Bye
2) Source the admin credentials to gain access to admin-only commands
[root@controller ~]# source admin-openrc
3) Create the service credentials by completing these steps
a. Create the ``neutron`` user
[root@controller ~]# openstack user create --domain default --password-prompt neutron
User Password:
Repeat User Password:
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | d9ffe8683c84401cbad69ac5a73482a8 |
| enabled   | True                             |
| id        | b231afeaa194433db9333adf1b1e2135 |
| name      | neutron                          |
+-----------+----------------------------------+
b. Add the ``admin`` role to the ``neutron`` user
[root@controller ~]# openstack role add --project service --user neutron admin
c. Create the ``neutron`` service entity
[root@controller ~]# openstack service create --name neutron --description "OpenStack Networking" network
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | OpenStack Networking             |
| enabled     | True                             |
| id          | 33e0ad8072e44fe4994a1a22c4c66f9c |
| name        | neutron                          |
| type        | network                          |
+-------------+----------------------------------+
d. Create the Networking service API endpoints
[root@controller ~]# openstack endpoint create --region RegionOne network public http://controller:9696
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 137a4929d06e49ce8891adf8c793a7a7 |
| interface    | public                           |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 33e0ad8072e44fe4994a1a22c4c66f9c |
| service_name | neutron                          |
| service_type | network                          |
| url          | http://controller:9696           |
+--------------+----------------------------------+
[root@controller ~]# openstack endpoint create --region RegionOne network internal http://controller:9696
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 9c2e7590812c489f9e8a634e2e971560 |
| interface    | internal                         |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 33e0ad8072e44fe4994a1a22c4c66f9c |
| service_name | neutron                          |
| service_type | network                          |
| url          | http://controller:9696           |
+--------------+----------------------------------+
[root@controller ~]# openstack endpoint create --region RegionOne network admin http://controller:9696
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 452d2b72d0da461b8e4fd4cb55e1673e |
| interface    | admin                            |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 33e0ad8072e44fe4994a1a22c4c66f9c |
| service_name | neutron                          |
| service_type | network                          |
| url          | http://controller:9696           |
+--------------+----------------------------------+
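2. Configure networking options
The Networking service can be deployed using the public network architecture. This option only supports attaching instances to the public (external) network. There are no private networks, routers, or floating IP addresses. Only the ``admin`` or other privileged users can manage public networks.
Install and configure the Networking components on the controller node.
1) Install the components
[root@controller ~]# yum install openstack-neutron openstack-neutron-ml2 openstack-neutron-linuxbridge ebtables -y
2) Configure the server component
The Networking server component configuration includes the database, authentication mechanism, message queue, topology change notifications, and plug-in
Edit the ``/etc/neutron/neutron.conf`` file and complete the following actions
[root@controller ~]# cp /etc/neutron/neutron.conf{,.bak}
[root@controller ~]# grep -Ev "^$|#" /etc/neutron/neutron.conf.bak >/etc/neutron/neutron.conf
[root@controller ~]# cat /etc/neutron/neutron.conf
[DEFAULT]
[agent]
[cors]
[cors.subdomain]
[database]
[keystone_authtoken]
[matchmaker_redis]
[nova]
[oslo_concurrency]
[oslo_messaging_amqp]
[oslo_messaging_notifications]
[oslo_messaging_rabbit]
[oslo_policy]
[qos]
[quotas]
[ssl]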
a. In the ``[database]`` section, configure database access
b. In the ``[DEFAULT]`` section, enable the ML2 plug-in and disable additional plug-ins
c. In the ``[DEFAULT]`` and ``[oslo_messaging_rabbit]`` sections, configure the RabbitMQ message queue connection
d. In the ``[DEFAULT]`` and ``[keystone_authtoken]`` sections, configure Identity service access
e. In the ``[DEFAULT]`` and ``[nova]`` sections, configure Networking to notify Compute of network topology changes
f. In the ``[oslo_concurrency]`` section, configure the lock path
[root@controller ~]# openstack-config --set /etc/neutron/neutron.conf database connection mysql+pymysql://neutron:123456@controller/neutron
[root@controller ~]# openstack-config --set /etc/neutron/neutron.conf DEFAULT core_plugin ml2
[root@controller ~]# openstack-config --set /etc/neutron/neutron.conf DEFAULT service_plugins
[root@controller ~]# openstack-config --set /etc/neutron/neutron.conf DEFAULT rpc_backend rabbit
[root@controller ~]# openstack-config --set /etc/neutron/neutron.conf oslo_messaging_rabbit rabbit_host controller
[root@controller ~]# openstack-config --set /etc/neutron/neutron.conf oslo_messaging_rabbit rabbit_userid openstack
[root@controller ~]# openstack-config --set /etc/neutron/neutron.conf oslo_messaging_rabbit rabbit_password 123456
[root@controller ~]# openstack-config --set /etc/neutron/neutron.conf DEFAULT auth_strategy keystone
[root@controller ~]# openstack-config --set /etc/neutron/neutron.conf keystone_authtoken auth_uri http://controller:5000
[root@controller ~]# openstack-config --set /etc/neutron/neutron.conf keystone_authtoken auth_url http://controller:35357
[root@controller ~]# openstack-config --set /etc/neutron/neutron.conf keystone_authtoken memcached_servers controller:11211
[root@controller ~]# openstack-config --set /etc/neutron/neutron.conf keystone_authtoken auth_type password
[root@controller ~]# openstack-config --set /etc/neutron/neutron.conf keystone_authtoken project_domain_name default
[root@controller ~]# openstack-config --set /etc/neutron/neutron.conf keystone_authtoken user_domain_name default
[root@controller ~]# openstack-config --set /etc/neutron/neutron.conf keystone_authtoken project_name service
[root@controller ~]# openstack-config --set /etc/neutron/neutron.conf keystone_authtoken username neutron
[root@controller ~]# openstack-config --set /etc/neutron/neutron.conf keystone_authtoken password 123456
[root@controller ~]# openstack-config --set /etc/neutron/neutron.conf DEFAULT notify_nova_on_port_status_changes True
[root@controller ~]# openstack-config --set /etc/neutron/neutron.conf DEFAULT notify_nova_on_port_data_changes True
[root@controller ~]# openstack-config --set /etc/neutron/neutron.conf nova auth_url http://controller:35357
[root@controller ~]# openstack-config --set /etc/neutron/neutron.conf nova auth_type password
[root@controller ~]# openstack-config --set /etc/neutron/neutron.conf nova project_domain_name default
[root@controller ~]# openstack-config --set /etc/neutron/neutron.conf nova user_domain_name default
[root@controller ~]# openstack-config --set /etc/neutron/neutron.conf nova region_name RegionOne
[root@controller ~]# openstack-config --set /etc/neutron/neutron.conf nova project_name service
[root@controller ~]# openstack-config --set /etc/neutron/neutron.conf nova username nova
[root@controller ~]# openstack-config --set /etc/neutron/neutron.conf nova password 123456
[root@controller ~]# openstack-config --set /etc/neutron/neutron.conf oslo_concurrency lock_path /var/lib/neutron/tmp
[root@controller ~]# cat /etc/neutron/neutron.conf
[DEFAULT]
# Enable the ML2 plug-in and disable additional plug-ins
core_plugin = ml2
service_plugins =
# Configure the RabbitMQ message queue connection
rpc_backend = rabbit
# Configure the Identity service
auth_strategy = keystone
# Configure Networking to notify Compute of network topology changes
notify_nova_on_port_status_changes = True
notify_nova_on_port_data_changes = True
[agent]
[cors]
[cors.subdomain]
[database]
# Configure database access
connection = mysql+pymysql://neutron:123456@controller/neutron
# Configure Identity service access
[keystone_authtoken]
auth_uri = http://controller:5000
auth_url = http://controller:35357
memcached_servers = controller:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = neutron
password = 123456
[matchmaker_redis]
[nova]
# Configure Networking to notify Compute of network topology changes
auth_url = http://controller:35357
auth_type = password
project_domain_name = default
user_domain_name = default
region_name = RegionOne
project_name = service
username = nova
password = 123456
[oslo_concurrency]
# Configure the lock path
lock_path = /var/lib/neutron/tmp
[oslo_messaging_amqp]
# Configure the RabbitMQ message queue connection
[oslo_messaging_notifications]
[oslo_messaging_rabbit]
rabbit_host = controller
rabbit_userid = openstack
rabbit_password = 123456
[oslo_policy]
[qos]
[quotas]
[ssl]
3) Configure the Modular Layer 2 (ML2) plug-in
The ML2 plug-in uses the Linuxbridge mechanism to build the layer-2 virtual networking infrastructure for instances
Edit the ``/etc/neutron/plugins/ml2/ml2_conf.ini`` file and complete the following actions
[root@controller ~]# cp /etc/neutron/plugins/ml2/ml2_conf.ini{,.bak}
[root@controller ~]# grep -Ev "^$|#" /etc/neutron/plugins/ml2/ml2_conf.ini.bak >/etc/neutron/plugins/ml2/ml2_conf.ini
[root@controller ~]# cat /etc/neutron/plugins/ml2/ml2_conf.ini
[DEFAULT]
[ml2]
[ml2_type_flat]
[ml2_type_geneve]
[ml2_type_gre]
[ml2_type_vlan]
[ml2_type_vxlan]
[securitygroup]
In the ``[ml2]`` section, enable flat and VLAN networks
In the ``[ml2]`` section, disable private networks
In the ``[ml2]`` section, enable the Linuxbridge mechanism
In the ``[ml2]`` section, enable the port security extension driver
In the ``[ml2_type_flat]`` section, configure the public virtual network as a flat network
In the ``[securitygroup]`` section, enable ipset to increase the efficiency of security group rules
[root@controller ~]# openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini ml2 type_drivers flat,vlan
[root@controller ~]# openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini ml2 tenant_network_types
[root@controller ~]# openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini ml2 mechanism_drivers linuxbridge
[root@controller ~]# openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini ml2 extension_drivers port_security
[root@controller ~]# openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini ml2_type_flat flat_networks provider
[root@controller ~]# openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini securitygroup enable_ipset True
[root@controller ~]# cat /etc/neutron/plugins/ml2/ml2_conf.ini
[DEFAULT]
[ml2]
type_drivers = flat,vlan  # Enable flat and VLAN networks
tenant_network_types =  # Disable private networks
mechanism_drivers = linuxbridge  # Enable the Linuxbridge mechanism
extension_drivers = port_security  # Enable the port security extension driver
[ml2_type_flat]
flat_networks = provider  # Configure the public virtual network as a flat network
[ml2_type_geneve]
[ml2_type_gre]
[ml2_type_vlan]
[ml2_type_vxlan]
[securitygroup]
enable_ipset = True  # Enable ipset to increase the efficiency of security group rules
[root@controller ~]# md5sum /etc/neutron/plugins/ml2/ml2_conf.ini
2640b5de519fafcd675b30e1bcd3c7d5 /etc/neutron/plugins/ml2/ml2_conf.ini
4) Configure the Linuxbridge agent
The Linuxbridge agent builds the layer-2 virtual network for instances and handles security group rules
Edit the ``/etc/neutron/plugins/ml2/linuxbridge_agent.ini`` file and complete the following actions
[root@controller ~]# cp /etc/neutron/plugins/ml2/linuxbridge_agent.ini{,.bak}
[root@controller ~]# grep -Ev "^$|#" /etc/neutron/plugins/ml2/linuxbridge_agent.ini.bak >/etc/neutron/plugins/ml2/linuxbridge_agent.ini
[root@controller ~]# cat /etc/neutron/plugins/ml2/linuxbridge_agent.ini
[DEFAULT]
[agent]
[linux_bridge]
[securitygroup]
[vxlan]
a. In the ``[linux_bridge]`` section, map the public virtual network to the public physical network interface
Replace ``PUBLIC_INTERFACE_NAME`` with the name of the underlying physical public network interface
b. In the ``[vxlan]`` section, disable VXLAN overlay networks
c. In the ``[securitygroup]`` section, enable security groups and configure the Linuxbridge iptables firewall driver
[root@controller ~]# openstack-config --set /etc/neutron/plugins/ml2/linuxbridge_agent.ini linux_bridge physical_interface_mappings provider:eth0
[root@controller ~]# openstack-config --set /etc/neutron/plugins/ml2/linuxbridge_agent.ini vxlan enable_vxlan False
[root@controller ~]# openstack-config --set /etc/neutron/plugins/ml2/linuxbridge_agent.ini securitygroup enable_security_group True
[root@controller ~]# openstack-config --set /etc/neutron/plugins/ml2/linuxbridge_agent.ini securitygroup firewall_driver neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
[root@controller ~]# cat /etc/neutron/plugins/ml2/linuxbridge_agent.ini
[DEFAULT]
[agent]
[linux_bridge]
physical_interface_mappings = provider:eth0  # Map the public virtual network to the public physical network interface
[securitygroup]
enable_security_group = True  # Enable security groups and configure the Linuxbridge iptables firewall driver
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
[vxlan]
enable_vxlan = False  # Disable VXLAN overlay networks
[root@controller ~]# md5sum /etc/neutron/plugins/ml2/linuxbridge_agent.ini
3f474907a7f438b34563e4d3f3c29538 /etc/neutron/plugins/ml2/linuxbridge_agent.ini
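A check for the settings made in this step, added here as an example (it is not part of the original walkthrough): the function confirms that the agent enables security groups with the iptables driver configured above, that ML2 loads ``port_security``, and that the ``net.bridge.bridge-nf-call-*`` sysctls are 1. The function names, the fixture builder and the optional sysctl-directory argument are assumptions made for the example.

```bash
#!/usr/bin/env bash
# Added example, not part of the original walkthrough.
# Checks that security groups are really enforced by the Linux bridge agent.

# conf_value FILE SECTION KEY: print the first value of KEY inside [SECTION].
conf_value() {
    sed -n "/^\[$2\]/,/^\[/{/^$3[[:space:]]*=/{s/^[^=]*=[[:space:]]*//;s/[[:space:]]*\$//;p;};}" "$1" | head -n 1
}

# check_sg_enforcement AGENT_INI ML2_INI [SYSCTL_DIR]
# Prints one FAIL line per problem and returns 1 if any was found.
# SYSCTL_DIR (assumed parameter) defaults to /proc/sys/net/bridge.
check_sg_enforcement() {
    local agent=$1 ml2=$2 sysdir=${3:-/proc/sys/net/bridge} bad=0 v k
    v=$(conf_value "$agent" securitygroup enable_security_group)
    case "$v" in
        [Tt]rue) ;;
        *) echo "FAIL enable_security_group=${v:-unset}"; bad=1 ;;
    esac
    # Only the driver this page configures is accepted; a no-op driver
    # filters nothing.
    v=$(conf_value "$agent" securitygroup firewall_driver)
    case "$v" in
        *.IptablesFirewallDriver) ;;
        *) echo "FAIL firewall_driver=${v:-unset}"; bad=1 ;;
    esac
    v=$(conf_value "$ml2" ml2 extension_drivers)
    case ",$v," in
        *,port_security,*) ;;
        *) echo "FAIL extension_drivers lacks port_security"; bad=1 ;;
    esac
    # Bridged frames skip iptables/ip6tables/arptables unless these are 1.
    for k in bridge-nf-call-iptables bridge-nf-call-ip6tables bridge-nf-call-arptables; do
        v=$(cat "$sysdir/$k" 2>/dev/null || true)
        if [ "$v" != "1" ]; then
            echo "FAIL net.bridge.$k=${v:-unreadable}"; bad=1
        fi
    done
    return "$bad"
}

# make_fixture DIR: constructed sample files mirroring the values on this page.
make_fixture() {
    local k
    mkdir -p "$1/bridge"
    printf '%s\n' '[linux_bridge]' 'physical_interface_mappings = provider:eth0' \
        '[securitygroup]' 'enable_security_group = True' \
        'firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver' \
        '[vxlan]' 'enable_vxlan = False' > "$1/linuxbridge_agent.ini"
    printf '%s\n' '[ml2]' 'type_drivers = flat,vlan' 'mechanism_drivers = linuxbridge' \
        'extension_drivers = port_security' \
        '[securitygroup]' 'enable_ipset = True' > "$1/ml2_conf.ini"
    for k in bridge-nf-call-iptables bridge-nf-call-ip6tables bridge-nf-call-arptables; do
        echo 1 > "$1/bridge/$k"
    done
}

# Demo on the constructed fixture: passes, then fails once a sysctl is off.
demo=$(mktemp -d)
make_fixture "$demo"
check_sg_enforcement "$demo/linuxbridge_agent.ini" "$demo/ml2_conf.ini" "$demo/bridge" && echo "PASS"
echo 0 > "$demo/bridge/bridge-nf-call-iptables"
check_sg_enforcement "$demo/linuxbridge_agent.ini" "$demo/ml2_conf.ini" "$demo/bridge" || true
rm -rf "$demo"
```

On the controller, call ``check_sg_enforcement`` with the two real files under ``/etc/neutron/plugins/ml2/`` and no third argument.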
5) Configure the DHCP agent
The DHCP agent provides DHCP services for virtual networks.
Edit the ``/etc/neutron/dhcp_agent.ini`` file and complete the following actions
[root@controller ~]# cp /etc/neutron/dhcp_agent.ini{,.bak}
[root@controller ~]# grep -Ev "^$|#" /etc/neutron/dhcp_agent.ini.bak >/etc/neutron/dhcp_agent.ini
[root@controller ~]# cat /etc/neutron/dhcp_agent.ini
[DEFAULT]
[AGENT]
In the ``[DEFAULT]`` section, configure the Linuxbridge interface driver and the DHCP driver, and enable isolated metadata so that instances on the public network can access metadata over the network
[root@controller ~]# openstack-config --set /etc/neutron/dhcp_agent.ini DEFAULT interface_driver neutron.agent.linux.interface.BridgeInterfaceDriver
[root@controller ~]# openstack-config --set /etc/neutron/dhcp_agent.ini DEFAULT dhcp_driver neutron.agent.linux.dhcp.Dnsmasq
[root@controller ~]# openstack-config --set /etc/neutron/dhcp_agent.ini DEFAULT enable_isolated_metadata True
[root@controller ~]# cat /etc/neutron/dhcp_agent.ini
[DEFAULT]
interface_driver = neutron.agent.linux.interface.BridgeInterfaceDriver  # Configure the Linuxbridge interface driver
dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq
enable_isolated_metadata = True
[AGENT]
[root@controller ~]# md5sum /etc/neutron/dhcp_agent.ini
d39579607b2f7d92e88f8910f9213520 /etc/neutron/dhcp_agent.ini
3. Configure the metadata agent
The metadata agent provides configuration information to instances
Edit the ``/etc/neutron/metadata_agent.ini`` file and complete the following actions
[root@controller ~]# cp /etc/neutron/metadata_agent.ini{,.bak}
[root@controller ~]# grep -Ev "^$|#" /etc/neutron/metadata_agent.ini.bak >/etc/neutron/metadata_agent.ini
[root@controller ~]# cat /etc/neutron/metadata_agent.ini
[DEFAULT]
[AGENT]
In the ``[DEFAULT]`` section, configure the metadata host and the shared secret
[root@controller ~]# openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT nova_metadata_ip controller
[root@controller ~]# openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT metadata_proxy_shared_secret 123456
[root@controller ~]# cat /etc/neutron/metadata_agent.ini
[DEFAULT]
nova_metadata_ip = controller
metadata_proxy_shared_secret = 123456
[AGENT]
4. Configure Compute to use the Networking service
Edit the ``/etc/nova/nova.conf`` file and complete the following actions
In the ``[neutron]`` section, configure the access parameters, enable the metadata proxy, and set the secret
Note: use the password chosen for the neutron user and the secret set for the metadata agent
[root@controller ~]# openstack-config --set /etc/nova/nova.conf neutron url http://controller:9696
[root@controller ~]# openstack-config --set /etc/nova/nova.conf neutron auth_url http://controller:35357
[root@controller ~]# openstack-config --set /etc/nova/nova.conf neutron auth_type password
[root@controller ~]# openstack-config --set /etc/nova/nova.conf neutron project_domain_name default
[root@controller ~]# openstack-config --set /etc/nova/nova.conf neutron user_domain_name default
[root@controller ~]# openstack-config --set /etc/nova/nova.conf neutron region_name RegionOne
[root@controller ~]# openstack-config --set /etc/nova/nova.conf neutron project_name service
[root@controller ~]# openstack-config --set /etc/nova/nova.conf neutron username neutron
[root@controller ~]# openstack-config --set /etc/nova/nova.conf neutron password 123456
[root@controller ~]# openstack-config --set /etc/nova/nova.conf neutron service_metadata_proxy True
[root@controller ~]# openstack-config --set /etc/nova/nova.conf neutron metadata_proxy_shared_secret 123456
[root@controller ~]# cat /etc/nova/nova.conf
[DEFAULT]
enabled_apis = osapi_compute,metadata
rpc_backend = rabbit
auth_strategy = keystone
my_ip = 10.0.0.11
use_neutron = True
firewall_driver = nova.virt.firewall.NoopFirewallDriver
[api_database]
connection = mysql+pymysql://nova:123456@controller/nova_api
[barbican]
[cache]
[cells]
[cinder]
[conductor]
[cors]
[cors.subdomain]
[database]
connection = mysql+pymysql://nova:123456@controller/nova
[ephemeral_storage_encryption]
[glance]
api_servers = http://controller:9292
[guestfs]
[hyperv]
[image_file_url]
[ironic]
[keymgr]
[keystone_authtoken]
auth_uri = http://controller:5000
auth_url = http://controller:35357
memcached_servers = controller:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = nova
password = 123456
[libvirt]
[matchmaker_redis]
[metrics]
[neutron]
url = http://controller:9696
auth_url = http://controller:35357
auth_type = password
project_domain_name = default
user_domain_name = default
region_name = RegionOne
project_name = service
username = neutron
password = 123456
service_metadata_proxy = True
metadata_proxy_shared_secret = 123456
[osapi_v21]
[oslo_concurrency]
lock_path = /var/lib/nova/tmp
[oslo_messaging_amqp]
[oslo_messaging_notifications]
[oslo_messaging_rabbit]
rabbit_host = controller
rabbit_userid = openstack
rabbit_password = 123456
[oslo_middleware]
[oslo_policy]
[rdp]
[serial_console]
[spice]
[ssl]
[trusted_computing]
[upgrade_levels]
[vmware]
[vnc]
vncserver_listen = $my_ip
vncserver_proxyclient_address = $my_ip
[workarounds]
[xenserver]
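An audit of the secrets written in the steps above, added as an example and not part of the original walkthrough: it flags short or digits-only values, values reused across credentials, secrets that differ between ``nova.conf`` and the Networking files, and world-readable files. The function names and the 16-character minimum are assumptions; the sample files are constructed from the lab values on this page.

```bash
#!/usr/bin/env bash
# Added example, not part of the original walkthrough.
# Audits the secrets written to neutron.conf, metadata_agent.ini and nova.conf.
MIN_LEN=16   # assumed local policy value, not an OpenStack setting

# ini_get FILE SECTION KEY: print the value of KEY in [SECTION], if present.
ini_get() {
    awk -v sect="[$2]" -v want="$3" '
        { gsub(/^[ \t]+|[ \t]+$/, "") }
        /^\[.*\]$/ { in_sect = ($0 == sect); next }
        in_sect && (pos = index($0, "=")) {
            key = substr($0, 1, pos - 1); val = substr($0, pos + 1)
            gsub(/[ \t]+$/, "", key); gsub(/^[ \t]+/, "", val)
            if (key == want) { print val; exit }
        }' "$1"
}

# url_password URL: password part of scheme://user:password@host/db.
url_password() {
    printf '%s\n' "$1" | sed -n 's#^[^:]*://[^:/@]*:\([^@]*\)@.*#\1#p'
}

# is_weak SECRET: true when shorter than MIN_LEN or made of digits only.
is_weak() {
    [ "${#1}" -lt "$MIN_LEN" ] && return 0
    case "$1" in *[!0-9]*) return 1 ;; *) return 0 ;; esac
}

# audit_secrets NEUTRON_CONF METADATA_INI NOVA_CONF
# Prints one finding per line (never the secret itself); returns 1 on findings.
audit_secrets() {
    local nconf=$1 mconf=$2 vconf=$3 n=0 seen="" pair name value f
    local db kn ks rb ms vn vs
    db=$(url_password "$(ini_get "$nconf" database connection)")
    kn=$(ini_get "$nconf" keystone_authtoken password)
    ks=$(ini_get "$nconf" nova password)
    rb=$(ini_get "$nconf" oslo_messaging_rabbit rabbit_password)
    ms=$(ini_get "$mconf" DEFAULT metadata_proxy_shared_secret)
    vn=$(ini_get "$vconf" neutron password)
    vs=$(ini_get "$vconf" neutron metadata_proxy_shared_secret)

    # Each pair must match: nova logs in as the neutron user, and both
    # sides of the metadata proxy use the same shared secret.
    if [ "$kn" != "$vn" ]; then echo "MISMATCH neutron_user_password"; n=$((n + 1)); fi
    if [ "$ms" != "$vs" ]; then echo "MISMATCH metadata_proxy_shared_secret"; n=$((n + 1)); fi

    # Every credential should be present, strong, and used for one purpose.
    for pair in "db_password=$db" "neutron_user_password=$kn" "nova_user_password=$ks" \
                "rabbit_password=$rb" "metadata_proxy_shared_secret=$ms"; do
        name=${pair%%=*}; value=${pair#*=}
        if [ -z "$value" ]; then echo "MISSING $name"; n=$((n + 1)); continue; fi
        if is_weak "$value"; then echo "WEAK $name"; n=$((n + 1)); fi
        case "$seen" in *"|$value|"*) echo "REUSED $name"; n=$((n + 1)) ;; esac
        seen="$seen|$value|"
    done

    # The files hold plaintext secrets, so "other" must not be able to read them.
    for f in "$nconf" "$mconf" "$vconf"; do
        if [ -n "$(find "$f" -prune -perm -004)" ]; then
            echo "WORLD_READABLE $f"; n=$((n + 1))
        fi
    done
    [ "$n" -eq 0 ]
}

# write_sample DIR MODE DB NEUTRON NOVA RABBIT META: constructed fixtures.
write_sample() {
    cat > "$1/neutron.conf" <<EOF
[database]
connection = mysql+pymysql://neutron:$3@controller/neutron
[keystone_authtoken]
username = neutron
password = $4
[nova]
username = nova
password = $5
[oslo_messaging_rabbit]
rabbit_password = $6
EOF
    cat > "$1/metadata_agent.ini" <<EOF
[DEFAULT]
nova_metadata_ip = controller
metadata_proxy_shared_secret = $7
EOF
    cat > "$1/nova.conf" <<EOF
[neutron]
username = neutron
password = $4
metadata_proxy_shared_secret = $7
EOF
    chmod "$2" "$1/neutron.conf" "$1/metadata_agent.ini" "$1/nova.conf"
}

# Demo: constructed files that reuse this page's lab value everywhere.
demo_dir=$(mktemp -d)
write_sample "$demo_dir" 644 123456 123456 123456 123456 123456
audit_secrets "$demo_dir/neutron.conf" "$demo_dir/metadata_agent.ini" "$demo_dir/nova.conf" || true
rm -rf "$demo_dir"
```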
5. Finalize the installation
1) Create the symbolic link
The Networking service initialization scripts expect a symbolic link ``/etc/neutron/plugin.ini`` pointing to the ML2 plug-in configuration file ``/etc/neutron/plugins/ml2/ml2_conf.ini``. If this symbolic link does not exist, create it with the following command
[root@controller ~]# ln -s /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini
[root@controller ~]# ll /etc/neutron/plugins/ml2/ml2_conf.ini
-rw-r----- 1 root neutron 274 Nov 15 14:57 /etc/neutron/plugins/ml2/ml2_conf.ini
[root@controller ~]# ll /etc/neutron/plugin.ini
lrwxrwxrwx 1 root root 37 Nov 15 15:26 /etc/neutron/plugin.ini -> /etc/neutron/plugins/ml2/ml2_conf.ini
2) Populate the database
[root@controller ~]# su -s /bin/sh -c "neutron-db-manage --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugins/ml2/ml2_conf.ini upgrade head" neutron
[root@controller ~]# mysql -uroot -p neutron -e "show tables"
Enter password:
Note: the database is populated at this later point for Networking because the script requires complete server and plug-in configuration files
3) Restart the Compute API service
[root@controller ~]# systemctl restart openstack-nova-api.service
[root@controller ~]# systemctl status openstack-nova-api.service
● openstack-nova-api.service - OpenStack Nova API Server
   Loaded: loaded (/usr/lib/systemd/system/openstack-nova-api.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2020-11-15 15:30:07 CST; 9s ago
 Main PID: 95223 (nova-api)
   CGroup: /system.slice/openstack-nova-api.service
           ├─95223 /usr/bin/python2 /usr/bin/nova-api
           ├─95235 /usr/bin/python2 /usr/bin/nova-api
           └─95245 /usr/bin/python2 /usr/bin/nova-api

Nov 15 15:30:03 controller systemd[1]: Stopped OpenStack Nova API Server.
Nov 15 15:30:03 controller systemd[1]: Starting OpenStack Nova API Server...
Nov 15 15:30:07 controller sudo[95236]: nova : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/nova-rootwrap /etc/nova/root...save -c
Nov 15 15:30:07 controller sudo[95241]: nova : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/nova-rootwrap /etc/nova/root...tore -c
Nov 15 15:30:07 controller systemd[1]: Started OpenStack Nova API Server.
Hint: Some lines were ellipsized, use -l to show in full.
4) Start the Networking services and configure them to start when the system boots
[root@controller ~]# systemctl enable neutron-server.service neutron-linuxbridge-agent.service neutron-dhcp-agent.service neutron-metadata-agent.service
Created symlink from /etc/systemd/system/multi-user.target.wants/neutron-server.service to /usr/lib/systemd/system/neutron-server.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/neutron-linuxbridge-agent.service to /usr/lib/systemd/system/neutron-linuxbridge-agent.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/neutron-dhcp-agent.service to /usr/lib/systemd/system/neutron-dhcp-agent.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/neutron-metadata-agent.service to /usr/lib/systemd/system/neutron-metadata-agent.service.
[root@controller ~]# systemctl start neutron-server.service neutron-linuxbridge-agent.service neutron-dhcp-agent.service neutron-metadata-agent.service
[root@controller ~]# systemctl status neutron-server.service neutron-linuxbridge-agent.service neutron-dhcp-agent.service neutron-metadata-agent.service
● neutron-server.service - OpenStack Neutron Server
   Loaded: loaded (/usr/lib/systemd/system/neutron-server.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2020-11-15 15:31:35 CST; 2min 0s ago
 Main PID: 95281 (neutron-server)
   CGroup: /system.slice/neutron-server.service
           ├─95281 /usr/bin/python2 /usr/bin/neutron-server --config-file /usr/share/neutron/neutron-dist.conf --config-dir /usr/shar...
           ├─95343 /usr/bin/python2 /usr/bin/neutron-server --config-file /usr/share/neutron/neutron-dist.conf --config-dir /usr/shar...
           ├─95344 /usr/bin/python2 /usr/bin/neutron-server --config-file /usr/share/neutron/neutron-dist.conf --config-dir /usr/shar...
           └─95348 /usr/bin/python2 /usr/bin/neutron-server --config-file /usr/share/neutron/neutron-dist.conf --config-dir /usr/shar...

Nov 15 15:30:57 controller systemd[1]: Starting OpenStack Neutron Server...
Nov 15 15:30:58 controller neutron-server[95281]: Guru mediation now registers SIGUSR1 and SIGUSR2 by default for backward comp...ports.
Nov 15 15:31:14 controller neutron-server[95281]: Option "verbose" from group "DEFAULT" is deprecated for removal. Its value m...uture.
Nov 15 15:31:15 controller neutron-server[95281]: Option "notification_driver" from group "DEFAULT" is deprecated. Use option "...ions".
Nov 15 15:31:35 controller systemd[1]: Started OpenStack Neutron Server.

● neutron-linuxbridge-agent.service - OpenStack Neutron Linux Bridge Agent
   Loaded: loaded (/usr/lib/systemd/system/neutron-linuxbridge-agent.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2020-11-15 15:30:58 CST; 2min 37s ago
  Process: 95282 ExecStartPre=/usr/bin/neutron-enable-bridge-firewall.sh (code=exited, status=0/SUCCESS)
 Main PID: 95302 (neutron-linuxbr)
   CGroup: /system.slice/neutron-linuxbridge-agent.service
           └─95302 /usr/bin/python2 /usr/bin/neutron-linuxbridge-agent --config-file /usr/share/neutron/neutron-dist.conf --config-fi...

Nov 15 15:30:58 controller neutron-enable-bridge-firewall.sh[95282]: net.bridge.bridge-nf-call-arptables = 1
Nov 15 15:30:58 controller neutron-enable-bridge-firewall.sh[95282]: net.bridge.bridge-nf-call-iptables = 1
Nov 15 15:30:58 controller neutron-enable-bridge-firewall.sh[95282]: net.bridge.bridge-nf-call-ip6tables = 1
Nov 15 15:30:58 controller systemd[1]: Started OpenStack Neutron Linux Bridge Agent.
Nov 15 15:31:00 controller neutron-linuxbridge-agent[95302]: Guru mediation now registers SIGUSR1 and SIGUSR2 by default for bac...orts.
Nov 15 15:31:22 controller neutron-linuxbridge-agent[95302]: Option "verbose" from group "DEFAULT" is deprecated for removal. I...ture.
Nov 15 15:31:27 controller neutron-linuxbridge-agent[95302]: Option "notification_driver" from group "DEFAULT" is deprecated. Us...ons".
Nov 15 15:31:28 controller sudo[95341]: neutron : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/neutron-rootwrap-daemon /etc...ap.conf
Nov 15 15:31:37 controller neutron-linuxbridge-agent[95302]: /usr/lib/python2.7/site-packages/pkg_resources/__init__.py:187: RuntimeW...
Nov 15 15:31:37 controller neutron-linuxbridge-agent[95302]: stacklevel=1,

● neutron-dhcp-agent.service - OpenStack Neutron DHCP Agent
   Loaded: loaded (/usr/lib/systemd/system/neutron-dhcp-agent.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2020-11-15 15:30:57 CST; 2min 38s ago
 Main PID: 95283 (neutron-dhcp-ag)
   CGroup: /system.slice/neutron-dhcp-agent.service
           └─95283 /usr/bin/python2 /usr/bin/neutron-dhcp-agent --config-file /usr/share/neutron/neutron-dist.conf --config-file /etc...

Nov 15 15:30:57 controller systemd[1]: Started OpenStack Neutron DHCP Agent.
Nov 15 15:30:58 controller neutron-dhcp-agent[95283]: Guru mediation now registers SIGUSR1 and SIGUSR2 by default for backward ...ports.
Nov 15 15:31:04 controller neutron-dhcp-agent[95283]: Option "verbose" from group "DEFAULT" is deprecated for removal. Its val...uture.
Nov 15 15:31:13 controller neutron-dhcp-agent[95283]: Option "notification_driver" from group "DEFAULT" is deprecated. Use opti...ions".
Nov 15 15:31:14 controller neutron-dhcp-agent[95283]: /usr/lib/python2.7/site-packages/pkg_resources/__init__.py:187: RuntimeWarning:...
Nov 15 15:31:14 controller neutron-dhcp-agent[95283]: stacklevel=1,

● neutron-metadata-agent.service - OpenStack Neutron Metadata Agent
   Loaded: loaded (/usr/lib/systemd/system/neutron-metadata-agent.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2020-11-15 15:30:57 CST; 2min 38s ago
 Main PID: 95284 (neutron-metadat)
   CGroup: /system.slice/neutron-metadata-agent.service
           └─95284 /usr/bin/python2 /usr/bin/neutron-metadata-agent --config-file /usr/share/neutron/neutron-dist.conf --config-file ...

Nov 15 15:30:57 controller systemd[1]: Started OpenStack Neutron Metadata Agent.
Nov 15 15:30:59 controller neutron-metadata-agent[95284]: Guru mediation now registers SIGUSR1 and SIGUSR2 by default for backwa...orts.
Nov 15 15:31:10 controller neutron-metadata-agent[95284]: Option "verbose" from group "DEFAULT" is deprecated for removal. Its ...ture.
Nov 15 15:31:13 controller neutron-metadata-agent[95284]: Option "notification_driver" from group "DEFAULT" is deprecated. Use o...ons".
Nov 15 15:31:14 controller neutron-metadata-agent[95284]: /usr/lib/python2.7/site-packages/pkg_resources/__init__.py:187: RuntimeWarn...
Nov 15 15:31:14 controller neutron-metadata-agent[95284]: stacklevel=1,
Hint: Some lines were ellipsized, use -l to show in full.
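III. Configure the Networking service on the compute node
The compute node handles connectivity and security groups for instances.
1. Install the components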
[root@computer1 ~]# yum install openstack-neutron-linuxbridge ebtables ipset -y
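2. Configure the common components
The Networking common component configuration includes the authentication mechanism, message queue, and plug-in.
Edit the /etc/neutron/neutron.conf file and complete the following actions: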
[root@computer1 ~]# cp /etc/neutron/neutron.conf{,.bak}
[root@computer1 ~]# grep -Ev "^$|#" /etc/neutron/neutron.conf.bak >/etc/neutron/neutron.conf
[root@computer1 ~]# cat /etc/neutron/neutron.conf
[DEFAULT]
[agent]
[cors]
[cors.subdomain]
[database]
[keystone_authtoken]
[matchmaker_redis]
[nova]
[oslo_concurrency]
[oslo_messaging_amqp]
[oslo_messaging_notifications]
[oslo_messaging_rabbit]
[oslo_policy]
[qos]
[quotas]
[ssl]
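In the [database] section, comment out all connection options, because compute nodes do not access the database directly.
In the [DEFAULT] and [oslo_messaging_rabbit] sections, configure the RabbitMQ message queue connection.
In the [DEFAULT] and [keystone_authtoken] sections, configure Identity service access.
In the [oslo_concurrency] section, configure the lock path.
Use the openstack-config command to apply these changes to the configuration file automatically: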
[root@computer1 ~]# openstack-config --set /etc/neutron/neutron.conf DEFAULT rpc_backend rabbit
[root@computer1 ~]# openstack-config --set /etc/neutron/neutron.conf oslo_messaging_rabbit rabbit_host 10.0.0.11
[root@computer1 ~]# openstack-config --set /etc/neutron/neutron.conf oslo_messaging_rabbit rabbit_userid openstack
[root@computer1 ~]# openstack-config --set /etc/neutron/neutron.conf oslo_messaging_rabbit rabbit_password 123456
[root@computer1 ~]# openstack-config --set /etc/neutron/neutron.conf DEFAULT auth_strategy keystone
[root@computer1 ~]# openstack-config --set /etc/neutron/neutron.conf keystone_authtoken auth_uri http://controller:5000
[root@computer1 ~]# openstack-config --set /etc/neutron/neutron.conf keystone_authtoken auth_url http://controller:35357
[root@computer1 ~]# openstack-config --set /etc/neutron/neutron.conf keystone_authtoken memcached_servers controller:11211
[root@computer1 ~]# openstack-config --set /etc/neutron/neutron.conf keystone_authtoken auth_type password
[root@computer1 ~]# openstack-config --set /etc/neutron/neutron.conf keystone_authtoken project_domain_name default
[root@computer1 ~]# openstack-config --set /etc/neutron/neutron.conf keystone_authtoken user_domain_name default
[root@computer1 ~]# openstack-config --set /etc/neutron/neutron.conf keystone_authtoken project_name service
[root@computer1 ~]# openstack-config --set /etc/neutron/neutron.conf keystone_authtoken username neutron
[root@computer1 ~]# openstack-config --set /etc/neutron/neutron.conf keystone_authtoken password 123456
[root@computer1 ~]# openstack-config --set /etc/neutron/neutron.conf oslo_concurrency lock_path /var/lib/neutron/tmp
[root@computer1 ~]# cat /etc/neutron/neutron.conf
[DEFAULT]
rpc_backend = rabbit
auth_strategy = keystone
[agent]
[cors]
[cors.subdomain]
[database]
[keystone_authtoken]
auth_uri = http://controller:5000
auth_url = http://controller:35357
memcached_servers = controller:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = neutron
password = 123456
[matchmaker_redis]
[nova]
[oslo_concurrency]
lock_path = /var/lib/neutron/tmp
[oslo_messaging_amqp]
[oslo_messaging_notifications]
[oslo_messaging_rabbit]
rabbit_host = 10.0.0.11
rabbit_userid = openstack
rabbit_password = 123456
[oslo_policy]
[qos]
[quotas]
[ssl]
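3. Configure the networking options
Choose the same networking option that you chose on the controller node: public network. Then configure the networking components on the compute node.
Configure the Linuxbridge agent
The Linuxbridge agent builds layer-2 virtual networks for instances and handles security group rules.
Edit the /etc/neutron/plugins/ml2/linuxbridge_agent.ini file and complete the following actions: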
[root@computer1 ~]# cp /etc/neutron/plugins/ml2/linuxbridge_agent.ini{,.bak}
[root@computer1 ~]# grep -Ev "^$|#" /etc/neutron/plugins/ml2/linuxbridge_agent.ini.bak >/etc/neutron/plugins/ml2/linuxbridge_agent.ini
[root@computer1 ~]# cat /etc/neutron/plugins/ml2/linuxbridge_agent.ini
[DEFAULT]
[agent]
[linux_bridge]
[securitygroup]
[vxlan]
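a. In the [linux_bridge] section, map the public virtual network to the public physical network interface.
Replace PUBLIC_INTERFACE_NAME with the name of the underlying physical public network interface.
b. In the [vxlan] section, disable VXLAN overlay networks.
c. In the [securitygroup] section, enable security groups and configure the Linuxbridge iptables firewall driver.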
[root@computer1 ~]# openstack-config --set /etc/neutron/plugins/ml2/linuxbridge_agent.ini linux_bridge physical_interface_mappings provider:eth0
[root@computer1 ~]# openstack-config --set /etc/neutron/plugins/ml2/linuxbridge_agent.ini vxlan enable_vxlan False
[root@computer1 ~]# openstack-config --set /etc/neutron/plugins/ml2/linuxbridge_agent.ini securitygroup enable_security_group True
[root@computer1 ~]# openstack-config --set /etc/neutron/plugins/ml2/linuxbridge_agent.ini securitygroup firewall_driver neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
[root@computer1 ~]# cat /etc/neutron/plugins/ml2/linuxbridge_agent.ini
[DEFAULT]
[agent]
[linux_bridge]
# Map the public virtual network to the public physical network interface
physical_interface_mappings = provider:eth0
[securitygroup]
# Enable security groups
enable_security_group = True
# Enable security groups and configure the Linuxbridge iptables firewall driver
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
[vxlan]
# Disable VXLAN overlay networks
enable_vxlan = False
[root@computer1 ~]# md5sum /etc/neutron/plugins/ml2/linuxbridge_agent.ini
3f474907a7f438b34563e4d3f3c29538 /etc/neutron/plugins/ml2/linuxbridge_agent.ini
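4. Configure the Compute service to use the Networking service
Edit the /etc/nova/nova.conf file and complete the following actions:
In the [neutron] section, configure the access parameters.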
[root@computer1 ~]# openstack-config --set /etc/nova/nova.conf neutron url http://controller:9696
[root@computer1 ~]# openstack-config --set /etc/nova/nova.conf neutron auth_url http://controller:35357
[root@computer1 ~]# openstack-config --set /etc/nova/nova.conf neutron auth_type password
[root@computer1 ~]# openstack-config --set /etc/nova/nova.conf neutron project_domain_name default
[root@computer1 ~]# openstack-config --set /etc/nova/nova.conf neutron user_domain_name default
[root@computer1 ~]# openstack-config --set /etc/nova/nova.conf neutron region_name RegionOne
[root@computer1 ~]# openstack-config --set /etc/nova/nova.conf neutron project_name service
[root@computer1 ~]# openstack-config --set /etc/nova/nova.conf neutron username neutron
[root@computer1 ~]# openstack-config --set /etc/nova/nova.conf neutron password 123456
[root@computer1 ~]# cat /etc/nova/nova.conf
[DEFAULT]
enabled_apis = osapi_compute,metadata
rpc_backend = rabbit
auth_strategy = keystone
my_ip = 10.0.0.12
use_neutron = True
firewall_driver = nova.virt.firewall.NoopFirewallDriver
[api_database]
[barbican]
[cache]
[cells]
[cinder]
[conductor]
[cors]
[cors.subdomain]
[database]
[ephemeral_storage_encryption]
[glance]
api_servers = http://controller:9292
[guestfs]
[hyperv]
[image_file_url]
[ironic]
[keymgr]
[keystone_authtoken]
auth_uri = http://controller:5000
auth_url = http://controller:35357
memcached_servers = controller:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = nova
password = 123456
[libvirt]
[matchmaker_redis]
[metrics]
[neutron]
url = http://controller:9696
auth_url = http://controller:35357
auth_type = password
project_domain_name = default
user_domain_name = default
region_name = RegionOne
project_name = service
username = neutron
password = 123456
[osapi_v21]
[oslo_concurrency]
lock_path = /var/lib/nova/tmp
[oslo_messaging_amqp]
[oslo_messaging_notifications]
[oslo_messaging_rabbit]
rabbit_host = 10.0.0.11
rabbit_userid = openstack
rabbit_password = 123456
[oslo_middleware]
[oslo_policy]
[rdp]
[serial_console]
[spice]
[ssl]
[trusted_computing]
[upgrade_levels]
[vmware]
[vnc]
enabled = True
vncserver_listen = 0.0.0.0
vncserver_proxyclient_address = $my_ip
novncproxy_base_url = http://controller:6080/vnc_auto.html
[workarounds]
[xenserver]
5. Finalize the installation
1) Restart the Compute service
[root@computer1 ~]# systemctl restart openstack-nova-compute.service
[root@computer1 ~]# systemctl status openstack-nova-compute.service
● openstack-nova-compute.service - OpenStack Nova Compute Server
   Loaded: loaded (/usr/lib/systemd/system/openstack-nova-compute.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2020-11-15 17:40:30 CST; 2min 7s ago
 Main PID: 84089 (nova-compute)
    Tasks: 22
   CGroup: /system.slice/openstack-nova-compute.service
           └─84089 /usr/bin/python2 /usr/bin/nova-compute

Nov 15 17:40:14 computer1 systemd[1]: Starting OpenStack Nova Compute Server...
Nov 15 17:40:30 computer1 nova-compute[84089]: /usr/lib/python2.7/site-packages/pkg_resources/__init__.py:187: RuntimeWarning: You ha...
Nov 15 17:40:30 computer1 nova-compute[84089]: stacklevel=1,
Nov 15 17:40:30 computer1 systemd[1]: Started OpenStack Nova Compute Server.
Hint: Some lines were ellipsized, use -l to show in full.
2) Start the Linuxbridge agent and configure it to start when the system boots
[root@computer1 ~]# systemctl enable neutron-linuxbridge-agent.service
Created symlink from /etc/systemd/system/multi-user.target.wants/neutron-linuxbridge-agent.service to /usr/lib/systemd/system/neutron-linuxbridge-agent.service.
[root@computer1 ~]# systemctl start neutron-linuxbridge-agent.service
[root@computer1 ~]# systemctl status neutron-linuxbridge-agent.service
● neutron-linuxbridge-agent.service - OpenStack Neutron Linux Bridge Agent
   Loaded: loaded (/usr/lib/systemd/system/neutron-linuxbridge-agent.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2020-11-18 22:19:20 CST; 6s ago
  Process: 2092 ExecStartPre=/usr/bin/neutron-enable-bridge-firewall.sh (code=exited, status=0/SUCCESS)
 Main PID: 2108 (neutron-linuxbr)
   CGroup: /system.slice/neutron-linuxbridge-agent.service
           ├─2108 /usr/bin/python2 /usr/bin/neutron-linuxbridge-agent --config-file /usr/share/neutron/neutron-dist.conf --config-fi...
           ├─2119 sudo neutron-rootwrap-daemon /etc/neutron/rootwrap.conf
           └─2120 /usr/bin/python2 /usr/bin/neutron-rootwrap-daemon /etc/neutron/rootwrap.conf

Nov 18 22:19:20 computer1 neutron-enable-bridge-firewall.sh[2092]: net.bridge.bridge-nf-call-arptables = 1
Nov 18 22:19:20 computer1 neutron-enable-bridge-firewall.sh[2092]: net.bridge.bridge-nf-call-iptables = 1
Nov 18 22:19:20 computer1 neutron-enable-bridge-firewall.sh[2092]: net.bridge.bridge-nf-call-ip6tables = 1
Nov 18 22:19:20 computer1 systemd[1]: Started OpenStack Neutron Linux Bridge Agent.
Nov 18 22:19:20 computer1 neutron-linuxbridge-agent[2108]: Guru mediation now registers SIGUSR1 and SIGUSR2 by default for back...orts.
Nov 18 22:19:21 computer1 neutron-linuxbridge-agent[2108]: Option "verbose" from group "DEFAULT" is deprecated for removal. It...ture.
Nov 18 22:19:21 computer1 neutron-linuxbridge-agent[2108]: Option "notification_driver" from group "DEFAULT" is deprecated. Use...ons".
Nov 18 22:19:21 computer1 sudo[2119]: neutron : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/neutron-rootwrap-daemon /etc/...ap.conf
Nov 18 22:19:21 computer1 neutron-linuxbridge-agent[2108]: /usr/lib/python2.7/site-packages/pkg_resources/__init__.py:187: RuntimeWa...
Nov 18 22:19:21 computer1 neutron-linuxbridge-agent[2108]: stacklevel=1,
Hint: Some lines were ellipsized, use -l to show in full.
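An added example, not part of the original page or of OpenStack: a small Python audit of the compute-node files written in steps 2 to 4. It flags placeholder-grade service passwords, Identity/API endpoints reached over plaintext http:// (password authentication then crosses the network unencrypted), and a disabled security-group firewall on the Linuxbridge agent. The sample input is constructed from the values shown above; the WEAK list, the MIN_LEN threshold and the issue labels are assumptions.

```python
import configparser

# Constructed sample: the compute-node values this page writes with openstack-config.
SAMPLE = {
    "/etc/neutron/neutron.conf": """
[keystone_authtoken]
auth_uri = http://controller:5000
auth_url = http://controller:35357
password = 123456
[oslo_messaging_rabbit]
rabbit_password = 123456
""",
    "/etc/neutron/plugins/ml2/linuxbridge_agent.ini": """
[securitygroup]
enable_security_group = True
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
""",
}
WEAK = {"123456", "password", "admin", "openstack", "changeme"}  # assumed deny-list
MIN_LEN = 16  # assumed local policy, not an OpenStack requirement
TRUE_VALUES = ("true", "1", "on", "yes")


def parse(text):
    # oslo-style INI: no interpolation, [DEFAULT] handled as an ordinary section.
    cp = configparser.ConfigParser(interpolation=None, default_section="__unused__")
    cp.read_string(text)
    return cp


def audit(files):
    """Return (path, section, option, issue) tuples; secret values are never echoed."""
    findings = []
    for path, text in files.items():
        cp = parse(text)
        for section in cp.sections():
            for opt, val in cp.items(section):
                if opt == "password" or opt.endswith("_password"):
                    if val in WEAK or len(val) < MIN_LEN:
                        findings.append((path, section, opt, "weak-secret"))
                elif opt in ("auth_uri", "auth_url", "url") and val.startswith("http://"):
                    findings.append((path, section, opt, "plaintext-http"))
        if path.endswith("linuxbridge_agent.ini"):
            sg = dict(cp["securitygroup"]) if cp.has_section("securitygroup") else {}
            if sg.get("enable_security_group", "").strip().lower() not in TRUE_VALUES:
                findings.append((path, "securitygroup", "enable_security_group", "sg-disabled"))
            driver = sg.get("firewall_driver", "").lower()
            if not driver or "noop" in driver:
                findings.append((path, "securitygroup", "firewall_driver", "noop-firewall"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```

To audit a real node, build the dictionary from the files on disk (path mapped to file contents) and pass it to audit() in place of SAMPLE.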
IV. Verification
Run these commands on the controller node.
1. Source the admin credentials to gain access to admin-only commands
[root@controller ~]# source admin-openrc
2. List the loaded extensions to verify that the neutron-server process started successfully
[root@controller ~]# neutron ext-list
+---------------------------+-----------------------------------------------+
| alias                     | name                                          |
+---------------------------+-----------------------------------------------+
| default-subnetpools       | Default Subnetpools                           |
| availability_zone         | Availability Zone                             |
| network_availability_zone | Network Availability Zone                     |
| auto-allocated-topology   | Auto Allocated Topology Services              |
| binding                   | Port Binding                                  |
| agent                     | agent                                         |
| subnet_allocation         | Subnet Allocation                             |
| dhcp_agent_scheduler      | DHCP Agent Scheduler                          |
| tag                       | Tag support                                   |
| external-net              | Neutron external network                      |
| net-mtu                   | Network MTU                                   |
| network-ip-availability   | Network IP Availability                       |
| quotas                    | Quota management support                      |
| provider                  | Provider Network                              |
| multi-provider            | Multi Provider Network                        |
| address-scope             | Address scope                                 |
| timestamp_core            | Time Stamp Fields addition for core resources |
| extra_dhcp_opt            | Neutron Extra DHCP opts                       |
| security-group            | security-group                                |
| rbac-policies             | RBAC Policies                                 |
| standard-attr-description | standard-attr-description                     |
| port-security             | Port Security                                 |
| allowed-address-pairs     | Allowed Address Pairs                         |
+---------------------------+-----------------------------------------------+
3. List the agents to verify that the neutron agents started successfully
[root@controller ~]# neutron agent-list
+-----------------------+--------------------+------------+-------------------+-------+----------------+-----------------------+
| id                    | agent_type         | host       | availability_zone | alive | admin_state_up | binary                |
+-----------------------+--------------------+------------+-------------------+-------+----------------+-----------------------+
| 097037d9-fb3d-4576    | Linux bridge agent | controller |                   | :-)   | True           | neutron-linuxbridge-  |
| -a7ac-9908c16d9212    |                    |            |                   |       |                | agent                 |
| 888b4a72-3946-475e-   | Linux bridge agent | computer1  |                   | :-)   | True           | neutron-linuxbridge-  |
| 9b40-fbe1d873b98b     |                    |            |                   |       |                | agent                 |
| ad827fd0-6163-49f5    | DHCP agent         | controller | nova              | :-)   | True           | neutron-dhcp-agent    |
| -9d7c-32c43ab02842    |                    |            |                   |       |                |                       |
| bbd32153-b3a0-4f34    | Metadata agent     | controller |                   | :-)   | True           | neutron-metadata-     |
| -bb4e-eb392aac4921    |                    |            |                   |       |                | agent                 |
+-----------------------+--------------------+------------+-------------------+-------+----------------+-----------------------+
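If the Linux bridge agent for the compute node is missing from the list, it is because the compute node's time is not synchronized with the controller node. Synchronize the time on the compute node.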