OpenStack in Practice, Part 5: The Networking Service (Neutron)
3.8 Neutron service deployment
Register the neutron service
[root@node1 ~]# source admin-openrc.sh
[root@node1 ~]# openstack service create --name neutron --description "OpenStack Networking" network
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | OpenStack Networking             |
| enabled     | True                             |
| id          | 5ab9dbad533f409eb5ef4682f937c1b1 |
| name        | neutron                          |
| type        | network                          |
+-------------+----------------------------------+
[root@node1 ~]# openstack endpoint create --region RegionOne network public http://192.168.3.199:9696
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | b1b8f5d4d51c408cbea79f2829d99bbc |
| interface    | public                           |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 5ab9dbad533f409eb5ef4682f937c1b1 |
| service_name | neutron                          |
| service_type | network                          |
| url          | http://192.168.3.199:9696        |
+--------------+----------------------------------+
[root@node1 ~]# openstack endpoint create --region RegionOne network internal http://192.168.3.199:9696
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | d35182f4e62f49c88c25589e3ae436cb |
| interface    | internal                         |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 5ab9dbad533f409eb5ef4682f937c1b1 |
| service_name | neutron                          |
| service_type | network                          |
| url          | http://192.168.3.199:9696        |
+--------------+----------------------------------+
[root@node1 ~]# openstack endpoint create --region RegionOne network admin http://192.168.3.199:9696
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 0c1cbd066efc44c6b7e48e0d664e69d6 |
| interface    | admin                            |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 5ab9dbad533f409eb5ef4682f937c1b1 |
| service_name | neutron                          |
| service_type | network                          |
| url          | http://192.168.3.199:9696        |
+--------------+----------------------------------+
Create the neutron user, add it to the service project and grant it the admin role
[root@node1 ~]# openstack user create --domain default --password=neutron neutron
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | default                          |
| enabled   | True                             |
| id        | 5d2a9f0420c14fe9a8c1eeaaf1c70738 |
| name      | neutron                          |
+-----------+----------------------------------+
[root@node1 ~]# openstack role add --project service --user neutron admin
Edit /etc/neutron/neutron.conf and complete the following:
In the [database] section, configure database access
[database]
...
connection = mysql://neutron:neutron@192.168.3.199:3306/neutron
In the [DEFAULT] section, enable the Modular Layer 2 (ML2) plugin, the router service and overlapping IP addresses
[DEFAULT]
...
core_plugin = ml2
service_plugins = router # the service plugin is router
In the [DEFAULT] and [oslo_messaging_rabbit] sections, configure RabbitMQ message queue access
[DEFAULT]
...
rpc_backend = rabbit
state_path = /var/lib/neutron
[oslo_messaging_rabbit]
...
rabbit_host = 192.168.3.199
rabbit_port = 5672
rabbit_userid = openstack
rabbit_password = openstack
In the [DEFAULT] and [keystone_authtoken] sections, configure Identity service access (comment out or remove any other options in [keystone_authtoken])
[DEFAULT]
...
auth_strategy = keystone
[keystone_authtoken]
...
auth_uri = http://192.168.3.199:5000
auth_url = http://192.168.3.199:35357
auth_plugin = password
project_domain_id = default
user_domain_id = default
project_name = service
username = neutron
password = neutron
In the [DEFAULT] and [nova] sections, configure Networking to notify Compute of network topology changes
[DEFAULT]
...
notify_nova_on_port_status_changes = True # nova must be notified of port changes
notify_nova_on_port_data_changes = True
nova_url = http://192.168.3.199:8774/v2
[nova]
...
auth_url = http://192.168.3.199:35357
auth_plugin = password
project_domain_id = default
user_domain_id = default
region_name = RegionOne
project_name = service
username = nova
password = nova
In the [oslo_concurrency] section, configure the lock path
[oslo_concurrency]
...
lock_path = $state_path/lock
Configuration result
[root@node1 neutron]# grep -n '^[a-z]' neutron.conf
20:state_path = /var/lib/neutron
60:core_plugin = ml2
77:service_plugins = router
92:auth_strategy = keystone
360:notify_nova_on_port_status_changes = True
364:notify_nova_on_port_data_changes = True
367:nova_url = http://192.168.3.199:8774/v2
573:rpc_backend=rabbit
721:auth_uri = http://192.168.3.199:5000
722:auth_url = http://192.168.3.199:35357
723:auth_plugin = password
724:project_domain_id = default
725:user_domain_id = default
726:project_name = service
727:username = neutron
728:password = neutron
741:connection = mysql://neutron:neutron@192.168.3.199:3306/neutron
784:auth_url = http://192.168.3.199:35357
785:auth_plugin = password
786:project_domain_id = default
787:user_domain_id = default
788:region_name = RegionOne
789:project_name = service
790:username = nova
791:password = nova
826:lock_path = $state_path/lock
964:rabbit_host = 192.168.3.199
965:rabbit_port = 5672
966:rabbit_userid = openstack
967:rabbit_password = openstack
Edit /etc/neutron/plugins/ml2/ml2_conf.ini and complete the following:
In the [ml2] section, configure the VLAN, VXLAN and other network type drivers
[ml2]
...
type_drivers = flat,vlan,gre,vxlan,geneve
In the [ml2] section, enable self-service networks
tenant_network_types = vlan,gre,vxlan,geneve
In the [ml2] section, configure the mechanism drivers
mechanism_drivers = openvswitch,linuxbridge
In the [ml2] section, enable the port security extension driver
extension_drivers = port_security
In the [ml2_type_flat] section, configure the provider virtual network as a flat network
[ml2_type_flat]
...
flat_networks = physnet1 # a single flat network (the same network as the host)
In the [securitygroup] section, enable ipset for security group rules
[securitygroup]
...
enable_ipset = True
[root@node1 neutron]# grep "^[a-Z]" /etc/neutron/plugins/ml2/ml2_conf.ini
type_drivers = flat,vlan,gre,vxlan,geneve
tenant_network_types = vlan,gre,vxlan,geneve
mechanism_drivers = openvswitch,linuxbridge
extension_drivers = port_security
flat_networks = physnet1
enable_ipset = True
Configure the Linux bridge agent. The Linux bridge agent builds the layer-2 (bridging and switching) virtual networking infrastructure for instances and handles security groups.
Edit /etc/neutron/plugins/ml2/linuxbridge_agent.ini and complete the following:
In the [linux_bridge] section, map the provider virtual network to the physical network interface
[linux_bridge]
...
physical_interface_mappings = physnet1:eth0
In the [vxlan] section, disable VXLAN networks (if you use VXLAN for layer-3 networking, consult the OpenStack guide and verify)
[vxlan]
...
enable_vxlan = false
In the [securitygroup] section, enable security groups and configure the Linux bridge iptables firewall driver
[securitygroup]
...
enable_security_group = True
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
In the [agent] section, enable ARP spoofing protection
[agent]
...
prevent_arp_spoofing = True
Configuration result:
[root@node1 neutron]# grep -n "^[a-Z]" /etc/neutron/plugins/ml2/linuxbridge_agent.ini
9:physical_interface_mappings = physnet1:eth0
16:enable_vxlan = false
51:prevent_arp_spoofing = True
59:firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
64:enable_security_group = True
Modify the DHCP agent configuration file
Edit /etc/neutron/dhcp_agent.ini and complete the following:
In the [DEFAULT] section, configure the Linux bridge interface driver and the dnsmasq DHCP driver, and enable isolated metadata so that instances on provider networks can reach the metadata service over the network
[DEFAULT]
...
interface_driver = neutron.agent.linux.interface.BridgeInterfaceDriver
dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq
enable_isolated_metadata = True
[root@node1 neutron]# grep -n "^[a-Z]" /etc/neutron/dhcp_agent.ini
16:interface_driver = neutron.agent.linux.interface.BridgeInterfaceDriver
34:dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq
55:enable_isolated_metadata = True
Modify the metadata_agent.ini configuration file
The metadata agent provides configuration information such as credentials to instances. Edit /etc/neutron/metadata_agent.ini and complete the following:
In the [DEFAULT] section, configure the metadata host and the shared secret
[DEFAULT]
...
auth_uri = http://192.168.3.199:5000
auth_url = http://192.168.3.199:35357
auth_region = RegionOne
auth_plugin = password
project_domain_id = default
user_domain_id = default
project_name = service
username = neutron
password = neutron
nova_metadata_ip = 192.168.3.199
metadata_proxy_shared_secret = neutron
Configuration result
[root@node1 neutron]# grep -n '^[a-z]' /etc/neutron/metadata_agent.ini
4:auth_uri = http://192.168.3.199:5000
5:auth_url = http://192.168.3.199:35357
6:auth_region = RegionOne
7:auth_plugin = password
8:project_domain_id = default
9:user_domain_id = default
10:project_name = service
11:username = neutron
12:password = neutron
29:nova_metadata_ip = 192.168.3.199
52:metadata_proxy_shared_secret = neutron
Configure the controller node to use Networking: edit /etc/nova/nova.conf and do the following:
Add the Neutron-related configuration to nova on the controller node; adding the following to the [neutron] section is sufficient
In the [neutron] section, configure the access parameters, enable the metadata proxy and configure the shared secret
[neutron]
...
url = http://192.168.3.199:9696
auth_url = http://192.168.3.199:35357
auth_plugin = password
project_domain_id = default
user_domain_id = default
region_name = RegionOne
project_name = service
username = neutron
password = neutron
service_metadata_proxy = True
metadata_proxy_shared_secret = neutron
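As an added check that is not part of the original post, the following Python script parses constructed copies of the security-relevant settings from ml2_conf.ini, linuxbridge_agent.ini, metadata_agent.ini and nova.conf as configured above and reports any option that is missing or disabled, and whether the metadata proxy shared secret differs between the metadata agent and nova. The sample texts and the check_neutron_security function are assumptions for this example, not a Neutron API.

```python
import configparser
# Constructed sample fragments mirroring the security-relevant values the post sets.
SAMPLE_FILES = {
    "ml2_conf.ini": "[ml2]\nextension_drivers = port_security\n",
    "linuxbridge_agent.ini": (
        "[vxlan]\nenable_vxlan = false\n"
        "[securitygroup]\nenable_security_group = True\n"
        "firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver\n"
        "[agent]\nprevent_arp_spoofing = True\n"
    ),
    "metadata_agent.ini": "[DEFAULT]\nmetadata_proxy_shared_secret = neutron\n",
    "nova.conf": "[neutron]\nservice_metadata_proxy = True\n"
                 "metadata_proxy_shared_secret = neutron\n",
}

# (file, section, option, expected): bool must read "true"; str must be the value or a list member.
REQUIRED = [
    ("linuxbridge_agent.ini", "securitygroup", "enable_security_group", True),
    ("linuxbridge_agent.ini", "securitygroup", "firewall_driver",
     "neutron.agent.linux.iptables_firewall.IptablesFirewallDriver"),
    ("linuxbridge_agent.ini", "agent", "prevent_arp_spoofing", True),
    ("ml2_conf.ini", "ml2", "extension_drivers", "port_security"),
    ("nova.conf", "neutron", "service_metadata_proxy", True),
]

def check_neutron_security(files):
    """files: {filename: ini text}. Returns a list of findings; [] means all OK."""
    parsed = {}
    for name, text in files.items():
        # interpolation=None keeps values such as $state_path/lock literal.
        cp = configparser.ConfigParser(interpolation=None)
        cp.read_string(text)
        parsed[name] = cp
    findings = []
    for fname, section, option, want in REQUIRED:
        got = parsed[fname].get(section, option, fallback="").strip()
        if isinstance(want, bool):
            ok = got.lower() == "true"
        else:
            ok = want in [v.strip() for v in got.split(",")]
        if not ok:
            findings.append(f"{fname} [{section}] {option} = {got!r}, expected {want}")
    # The metadata proxy only works when both sides hold the same shared secret.
    md = parsed["metadata_agent.ini"].get("DEFAULT", "metadata_proxy_shared_secret", fallback="")
    nv = parsed["nova.conf"].get("neutron", "metadata_proxy_shared_secret", fallback="")
    if not md or md != nv:
        findings.append("metadata_proxy_shared_secret missing or differs between "
                        "metadata_agent.ini and nova.conf")
    return findings
```

To run it against a real node, replace SAMPLE_FILES with the contents of the four files read from disk; the same check applies to the compute node's copies of nova.conf and linuxbridge_agent.ini.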
Create the ml2 symlink
[root@node1 neutron]# ln -s /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini
Sync the neutron database and check the result
[root@node1 neutron]# su -s /bin/sh -c "neutron-db-manage --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugins/ml2/ml2_conf.ini upgrade head" neutron
MariaDB [(none)]> use neutron
Database changed
MariaDB [neutron]> show tables;
+-----------------------------------------+
| Tables_in_neutron                       |
+-----------------------------------------+
...
+-----------------------------------------+
155 rows in set (0.08 sec)
Restart nova-api and start the neutron services
[root@node1 ~]# systemctl restart openstack-nova-api
[root@node1 ~]# systemctl enable neutron-server.service neutron-linuxbridge-agent.service neutron-dhcp-agent.service neutron-metadata-agent.service
[root@node1 ~]# systemctl start neutron-server.service neutron-linuxbridge-agent.service neutron-dhcp-agent.service neutron-metadata-agent.service
Check the neutron agents
[root@node1 ~]# neutron agent-list
+--------------------------------------+--------------------+---------------------+-------+----------------+---------------------------+
| id                                   | agent_type         | host                | alive | admin_state_up | binary                    |
+--------------------------------------+--------------------+---------------------+-------+----------------+---------------------------+
| 065dc30e-610f-44d2-b169-29bc33a15e31 | Metadata agent     | node1.chinasoft.com | :-)   | True           | neutron-metadata-agent    |
| 46cab8fd-571b-481a-9b69-655c06ff3b26 | DHCP agent         | node1.chinasoft.com | :-)   | True           | neutron-dhcp-agent        |
| 5ae87a79-b59a-41b4-9294-7f0bca70e611 | Linux bridge agent | node1.chinasoft.com | :-)   | True           | neutron-linuxbridge-agent |
+--------------------------------------+--------------------+---------------------+-------+----------------+---------------------------+
Start deploying neutron on the compute node; here we simply scp the file over, no changes are needed
[root@node1 neutron]# scp /etc/neutron/neutron.conf 192.168.3.200:/etc/neutron/
Modify the nova configuration on the compute node; adding the following to the [neutron] section is sufficient
[neutron]
...
url = http://192.168.3.199:9696
auth_url = http://192.168.3.199:35357
auth_plugin = password
project_domain_id = default
user_domain_id = default
region_name = RegionOne
project_name = service
username = neutron
password = neutron
service_metadata_proxy = True
metadata_proxy_shared_secret = neutron
Copy linuxbridge_agent.ini and ml2_conf.ini from the controller node to the compute node; the files need no changes
If the NIC name is not eth0,
change physical_interface_mappings = physnet1:ens37 in linuxbridge_agent.ini accordingly
[root@node1 neutron]# scp /etc/neutron/plugins/ml2/linuxbridge_agent.ini 192.168.3.200:/etc/neutron/plugins/ml2/
[root@node1 neutron]# scp /etc/neutron/plugins/ml2/ml2_conf.ini 192.168.3.200:/etc/neutron/plugins/ml2/
Create the ml2 symlink on the compute node
[root@node2 nova]# ln -s /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini
[root@node2 nova]# ls -l /etc/neutron/plugin.ini
lrwxrwxrwx 1 root root 37 Apr 26 17:22 /etc/neutron/plugin.ini -> /etc/neutron/plugins/ml2/ml2_conf.ini
Restart nova-compute on the compute node
[root@node2 nova]# systemctl restart openstack-nova-compute.service
Start the linuxbridge agent service on the compute node
[root@node2 nova]# systemctl enable neutron-linuxbridge-agent.service
Created symlink from /etc/systemd/system/multi-user.target.wants/neutron-linuxbridge-agent.service to /usr/lib/systemd/system/neutron-linuxbridge-agent.service.
[root@node2 nova]# systemctl start neutron-linuxbridge-agent.service
Check the neutron result; four entries (one on the controller node, two on the compute node) means it is correct
[root@node1 ~]# neutron agent-list
+--------------------------------------+--------------------+---------------------+-------+----------------+---------------------------+
| id                                   | agent_type         | host                | alive | admin_state_up | binary                    |
+--------------------------------------+--------------------+---------------------+-------+----------------+---------------------------+
| 065dc30e-610f-44d2-b169-29bc33a15e31 | Metadata agent     | node1.chinasoft.com | :-)   | True           | neutron-metadata-agent    |
| 46cab8fd-571b-481a-9b69-655c06ff3b26 | DHCP agent         | node1.chinasoft.com | :-)   | True           | neutron-dhcp-agent        |
| 5ae87a79-b59a-41b4-9294-7f0bca70e611 | Linux bridge agent | node1.chinasoft.com | :-)   | True           | neutron-linuxbridge-agent |
| a1e8aeea-d564-45f7-bd8f-70bb8d61c64e | Linux bridge agent | node2.chinasoft.com | :-)   | True           | neutron-linuxbridge-agent |
+--------------------------------------+--------------------+---------------------+-------+----------------+---------------------------+