Deploying OpenStack Ocata on Ubuntu 16.04 (Part 1)
I. Build the base environment
192.168.30.145  controller  [2 vCPU, 4 GB RAM, 40 GB disk, two NICs]
192.168.30.146  compute     [2 vCPU, 4 GB RAM, 40 GB disk, two NICs]
1. Install SSH and set the root password
    $ sudo apt install ssh
    $ sudo passwd root
    Enter new UNIX password:
    Retype new UNIX password:
    passwd: password updated successfully
The rest of this guide runs as root (via su or sudo). Ubuntu's sshd ships with PermitRootLogin prohibit-password; setting a root password is no reason to relax that and allow password logins for root over SSH.
2. Generate a temporary authentication token
    # openssl rand -hex 10
    bdb5cad50653d4e85b7d
In Ocata the keystone-manage bootstrap command (section II, step 5) replaces the admin token, so this value is not needed later in this guide. The same command is, however, the right way to generate the service passwords and the metadata shared secret instead of the username-as-password placeholders used below.
3. Switch to the Aliyun mirror
    # cp /etc/apt/sources.list /etc/apt/sources.list.bak
    # vim /etc/apt/sources.list
    deb-src http://archive.ubuntu.com/ubuntu xenial main restricted
    deb http://mirrors.aliyun.com/ubuntu/ xenial main restricted
    deb-src http://mirrors.aliyun.com/ubuntu/ xenial main restricted multiverse universe
    deb http://mirrors.aliyun.com/ubuntu/ xenial-updates main restricted
    deb-src http://mirrors.aliyun.com/ubuntu/ xenial-updates main restricted multiverse universe
    deb http://mirrors.aliyun.com/ubuntu/ xenial universe
    deb http://mirrors.aliyun.com/ubuntu/ xenial-updates universe
    deb http://mirrors.aliyun.com/ubuntu/ xenial multiverse
    deb http://mirrors.aliyun.com/ubuntu/ xenial-updates multiverse
    deb http://mirrors.aliyun.com/ubuntu/ xenial-backports main restricted universe multiverse
    deb-src http://mirrors.aliyun.com/ubuntu/ xenial-backports main restricted universe multiverse
    deb http://archive.canonical.com/ubuntu xenial partner
    deb-src http://archive.canonical.com/ubuntu xenial partner
    deb http://mirrors.aliyun.com/ubuntu/ xenial-security main restricted
    deb-src http://mirrors.aliyun.com/ubuntu/ xenial-security main restricted multiverse universe
    deb http://mirrors.aliyun.com/ubuntu/ xenial-security universe
    deb http://mirrors.aliyun.com/ubuntu/ xenial-security multiverse
4. Configure the network interfaces
    # ip addr
    # vim /etc/network/interfaces
    auto ens33
    iface ens33 inet static
    address 192.168.30.145
    netmask 255.255.255.0
    gateway 192.168.30.2
    dns-nameserver 114.114.114.114
    # The provider network interface (the second interface, ens34, is brought up without an IP address)
    auto ens34
    iface ens34 inet manual
    up ip link set dev $IFACE up
    down ip link set dev $IFACE down
5. Configure /etc/hosts
    # vim /etc/hosts
    192.168.30.145 controller
    192.168.30.146 compute
6. Configure NTP
    # dpkg-reconfigure tzdata    ## set the time zone
    Current default time zone: 'Asia/Chongqing'
    Local time is now:      Tue Mar 28 20:54:33 CST 2017.
    Universal Time is now:  Tue Mar 28 12:54:33 UTC 2017.
    # apt -y install chrony    ## install chrony for time synchronisation
Controller Node
    # vim /etc/chrony/chrony.conf
    allow 192.168.30.0/24    ## allow hosts on this subnet to synchronise from the controller
    # service chrony restart
Compute Node
    # vim /etc/chrony/chrony.conf
    # pool 2.debian.pool.ntp.org offline iburst
    server 192.168.30.145 iburst    ## synchronise from the controller
    # service chrony restart
    # chronyc sources
    210 Number of sources = 1
    MS Name/IP address         Stratum Poll Reach LastRx Last sample
    ===============================================================================
    ^* controller                    3   6   377    33   -375us[ -422us] +/-   66ms
Keystone's Fernet tokens carry expiry timestamps, so clock skew between nodes shows up later as token validation failures; confirm both nodes report a selected (^*) source before continuing.
7. Enable the OpenStack repository and install the OpenStack client on all nodes
    # apt -y install software-properties-common
    # add-apt-repository cloud-archive:ocata
    # apt -y update && apt -y dist-upgrade
    # apt -y install python-openstackclient
8. Install and configure the database (Controller Node)
    # apt -y install mariadb-server python-pymysql
    # vim /etc/mysql/mariadb.conf.d/99-openstack.cnf
    [mysqld]
    bind-address = 192.168.30.145
    default-storage-engine = innodb
    innodb_file_per_table = on
    max_connections = 4096
    collation-server = utf8_general_ci
    character-set-server = utf8
    # service mysql restart
    # mysql_secure_installation
    ## run this script to secure the database: set a strong root password, remove the anonymous
    ## users and the test database, and disallow remote root login
9. Install and configure the RabbitMQ message queue (Controller Node)
    # apt -y install rabbitmq-server
    # rabbitmqctl add_user openstack openstack    ## add the openstack user and set its password
    Creating user "openstack" ...
    ## allow the openstack user to configure, write and read
    # rabbitmqctl set_permissions openstack ".*" ".*" ".*"
    Setting permissions for user "openstack" in vhost "/" ...
    # rabbitmqctl list_users    ## list users
    Listing users ...
    guest   [administrator]
    openstack       []
    # rabbitmqctl list_user_permissions openstack    ## list this user's permissions
    Listing permissions for user "openstack" ...
    /       .*      .*      .*
    # rabbitmqctl status    ## show RabbitMQ status
    # rabbitmq-plugins list    ## list RabbitMQ plug-ins
    Configured: E = explicitly enabled; e = implicitly enabled
    | Status:   * = running on rabbit@openstack1
    |/
    ......
    # rabbitmq-plugins enable rabbitmq_management    ## enable the management plug-in
    The following plugins have been enabled:
      mochiweb
      webmachine
      rabbitmq_web_dispatch
      amqp_client
      rabbitmq_management_agent
      rabbitmq_management
    Applying plugin configuration to rabbit@openstack1... started 6 plugins.
Browse to http://localhost:15672; the default user name and password are both guest. Since RabbitMQ 3.3 the guest account can only log in from the loopback interface, which is why the URL is localhost; keep port 15672 firewalled from anything but the management network. The openstack user has no management tag and cannot log in to the UI; if you need remote UI access, create a separate tagged user rather than loosening the guest restriction.
10. Install and configure Memcached (caches Identity service token validation) (Controller Node)
    # apt -y install memcached python-memcache
    # vim /etc/memcached.conf
    #-l 127.0.0.1
    -l 192.168.30.145
    # service memcached restart
Memcached has no authentication. Binding it to the management address makes the cached token data readable by any host on 192.168.30.0/24, so restrict TCP and UDP port 11211 to the controller and compute nodes with a firewall rule.
II. Configure the Keystone identity service (Controller Node)
1. Create the keystone database
    # mysql
    MariaDB [(none)]> CREATE DATABASE keystone;    ## create the keystone database
    ## grant access to the keystone database [user@controller ... BY password]
    MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'192.168.30.145' \
      IDENTIFIED BY 'keystone';
    MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
      IDENTIFIED BY 'keystone';
    MariaDB [(none)]> flush privileges;
The same pattern is repeated for the glance and neutron databases below. Two things to tighten in a real deployment: the passwords here equal the user names for readability (generate random ones with openssl rand -hex instead), and the 'keystone'@'%' grant lets the account connect from any host, although only Keystone on the controller needs it, so the host-specific grant alone is sufficient.
2. Install and configure Keystone
    # apt -y install keystone
    # vim /etc/keystone/keystone.conf
    [database]    ## database access [user:password@controller]
    connection = mysql+pymysql://keystone:keystone@192.168.30.145/keystone
    [token]    ## use the Fernet token provider
    provider = fernet
    # grep ^[a-z] /etc/keystone/keystone.conf
    connection = mysql+pymysql://keystone:keystone@192.168.30.145/keystone
    provider = fernet
3. Populate the Identity service database
    # su -s /bin/sh -c "keystone-manage db_sync" keystone
4. Initialize the Fernet key repositories
    # keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
    # keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
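The key repositories these two commands create are the root of trust for every token Keystone issues: whoever can read /etc/keystone/fernet-keys can mint tokens for any user. The following check, added here as an example (it is not part of the original post or of Keystone), verifies the directory and file modes that fernet_setup and credential_setup are expected to leave behind. It assumes GNU stat and a fresh repository holding keys 0 and 1; the directory it runs against is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: check the Fernet and credential
# key repositories that keystone-manage fernet_setup / credential_setup create.
# Anyone who can read these keys can mint valid tokens for any user, so the
# directory must be 0700 and the key files 0600, owned by the keystone user.
# Assumption: GNU stat (-c) is available, as on Ubuntu.

# Usage: check_key_repository <dir> [owner]
# Returns 0 when <dir> is mode 700, every regular file in it is mode 600,
# at least two key files exist (fernet_setup writes key 0 and key 1) and,
# when <owner> is given, the directory and keys belong to that user.
check_key_repository() {
    dir="$1"
    owner="${2:-}"
    [ -d "$dir" ] || { echo "$dir is not a directory" >&2; return 1; }
    [ "$(stat -c '%a' "$dir")" = "700" ] || { echo "$dir must be mode 0700" >&2; return 1; }
    if [ -n "$owner" ] && [ "$(stat -c '%U' "$dir")" != "$owner" ]; then
        echo "$dir must be owned by $owner" >&2; return 1
    fi
    count=0
    for key in "$dir"/*; do
        [ -f "$key" ] || continue
        count=$((count + 1))
        [ "$(stat -c '%a' "$key")" = "600" ] || { echo "$key must be mode 0600" >&2; return 1; }
        if [ -n "$owner" ] && [ "$(stat -c '%U' "$key")" != "$owner" ]; then
            echo "$key must be owned by $owner" >&2; return 1
        fi
    done
    [ "$count" -ge 2 ] || { echo "$dir holds $count key(s); expected staged key 0 and primary key 1" >&2; return 1; }
    echo "OK: $dir ($count keys, 0700/0600)"
    return 0
}

# Constructed sample: a throw-away repository laid out like
# /etc/keystone/fernet-keys right after fernet_setup.
repo="$(mktemp -d)"
chmod 700 "$repo"
printf 'staged-key\n' > "$repo/0"
printf 'primary-key\n' > "$repo/1"
chmod 600 "$repo/0" "$repo/1"
check_key_repository "$repo"

# Real use after fernet_setup / credential_setup:
#   check_key_repository /etc/keystone/fernet-keys keystone
#   check_key_repository /etc/keystone/credential-keys keystone
```

keystone-manage fernet_rotate --keystone-user keystone --keystone-group keystone rotates the keys; schedule it from cron and re-run the check afterwards, since rotation rewrites the files.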
5. Bootstrap the Identity service
    # keystone-manage bootstrap --bootstrap-password qaz123 \
      --bootstrap-admin-url http://192.168.30.145:35357/v3/ \
      --bootstrap-internal-url http://192.168.30.145:5000/v3/ \
      --bootstrap-public-url http://192.168.30.145:5000/v3/ \
      --bootstrap-region-id RegionOne
6. Configure the HTTP server
    # vim /etc/apache2/apache2.conf
    ServerName controller
    # service apache2 restart    ## restart Apache
    # service apache2 status
    # rm -f /var/lib/keystone/keystone.db    ## remove the default SQLite database
7. Configure the administrative account
    # export OS_USERNAME=admin
    # export OS_PASSWORD=qaz123
    # export OS_PROJECT_NAME=admin
    # export OS_USER_DOMAIN_NAME=Default
    # export OS_PROJECT_DOMAIN_NAME=Default
    # export OS_AUTH_URL=http://192.168.30.145:35357/v3
    # export OS_IDENTITY_API_VERSION=3
8. Create the service project
    # openstack project create --domain default \
      --description "Service Project" service
    +-------------+----------------------------------+
    | Field       | Value                            |
    +-------------+----------------------------------+
    | description | Service Project                  |
    | domain_id   | default                          |
    | enabled     | True                             |
    | id          | 945e37831e74484f8911fb742c925926 |
    | is_domain   | False                            |
    | name        | service                          |
    | parent_id   | default                          |
    +-------------+----------------------------------+
9. Create a project, user and role for non-administrative tasks
a. Create the demo project
    # openstack project create --domain default \
      --description "Demo Project" demo
    +-------------+----------------------------------+
    | Field       | Value                            |
    +-------------+----------------------------------+
    | description | Demo Project                     |
    | domain_id   | default                          |
    | enabled     | True                             |
    | id          | 2ef20ce389eb499696f2d7497c6009b0 |
    | is_domain   | False                            |
    | name        | demo                             |
    | parent_id   | default                          |
    +-------------+----------------------------------+
b. Create the demo user
    # openstack user create --domain default \
      --password-prompt demo
    User Password:
    Repeat User Password:
    +---------------------+----------------------------------+
    | Field               | Value                            |
    +---------------------+----------------------------------+
    | domain_id           | default                          |
    | enabled             | True                             |
    | id                  | 7cfc508fd5d44b468aac218bd4029bae |
    | name                | demo                             |
    | options             | {}                               |
    | password_expires_at | None                             |
    +---------------------+----------------------------------+
c. Create the user role
    # openstack role create user
    +-----------+----------------------------------+
    | Field     | Value                            |
    +-----------+----------------------------------+
    | domain_id | None                             |
    | id        | 83b6ab2af4414ad387b2fc9daf575b3a |
    | name      | user                             |
    +-----------+----------------------------------+
d. Add the user role to the demo project and user
    # openstack role add --project demo --user demo user
10. Disable the temporary authentication token mechanism
    # vim /etc/keystone/keystone-paste.ini
    [pipeline:public_api]
    pipeline = ...    ## delete the word admin_token_auth from this list
    [pipeline:admin_api]
    pipeline = ...    ## delete the word admin_token_auth from this list
    [pipeline:api_v3]
    pipeline = ...    ## delete the word admin_token_auth from this list
Remove only the admin_token_auth filter from each pipeline value and keep the rest of the line; commenting out the whole pipeline line would disable that API pipeline entirely. The admin user created by bootstrap in step 5 replaces the admin token for all further configuration, so also make sure admin_token is not set in the [DEFAULT] section of keystone.conf.
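Because the edit is "delete one word from a long line", it is easy to get wrong by hand. The following shell, added here as an example (it is not from the original post or from Keystone), performs the removal with sed and then verifies that the filter is gone while every pipeline line is still present. The keystone-paste.ini it operates on is constructed, modelled on the Ocata layout with one pipeline = line per [pipeline:*] section.

```shell
#!/bin/sh
# Added example, not from the original post: remove the admin_token_auth
# filter from the Keystone paste pipelines the way the guide intends, and
# verify the result, instead of commenting out the whole "pipeline =" line.
# Assumption: the file follows the Ocata keystone-paste.ini layout, with one
# "pipeline = ..." line per [pipeline:*] section.

# Delete the admin_token_auth token from every "pipeline =" value, keeping
# the other filters and their order. Rewrites the file in place through a
# temp copy so ownership and mode of the original are preserved.
disable_admin_token_auth() {
    file="$1"
    tmp="$(mktemp)"
    sed -E '/^pipeline[[:space:]]*=/ s/[[:space:]]+admin_token_auth([[:space:]]+|$)/\1/' "$file" > "$tmp"
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Return 0 only if no pipeline still contains admin_token_auth AND every
# [pipeline:*] section still has a non-empty pipeline line (a commented-out
# pipeline line makes the two counts differ).
verify_no_admin_token_auth() {
    file="$1"
    if grep -Eq '^pipeline[[:space:]]*=.*admin_token_auth' "$file"; then
        echo "admin_token_auth is still enabled in $file" >&2
        return 1
    fi
    sections="$(grep -c '^\[pipeline:' "$file" || true)"
    pipelines="$(grep -Ec '^pipeline[[:space:]]*=[[:space:]]*[[:alnum:]_]+' "$file" || true)"
    [ "$sections" -gt 0 ] && [ "$sections" -eq "$pipelines" ]
}

# Constructed sample modelled on the Ocata keystone-paste.ini (only the three
# pipeline sections the guide edits; the real file also has [filter:*] sections).
sample="$(mktemp)"
cat > "$sample" <<'EOF'
[pipeline:public_api]
pipeline = healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension public_service

[pipeline:admin_api]
pipeline = healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension s3_extension admin_service

[pipeline:api_v3]
pipeline = healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3
EOF

disable_admin_token_auth "$sample"
verify_no_admin_token_auth "$sample" && echo "admin_token_auth removed; pipelines intact:" && grep '^pipeline' "$sample"

# Real use:  disable_admin_token_auth /etc/keystone/keystone-paste.ini && \
#            verify_no_admin_token_auth /etc/keystone/keystone-paste.ini && service apache2 restart
```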
11. Unset the OS_AUTH_URL and OS_PASSWORD environment variables
    # unset OS_AUTH_URL OS_PASSWORD
12. As the admin user, request an authentication token (enter the admin user's password)
    # openstack --os-auth-url http://192.168.30.145:35357/v3 \
      --os-project-domain-name default --os-user-domain-name default \
      --os-project-name admin --os-username admin token issue
    Password:
    +------------+-----------------------------------------------------------+
    | Field      | Value                                                     |
    +------------+-----------------------------------------------------------+
    | expires    | 2017-03-28T15:11:50+0000                                  |
    | id         | gAAAAABY2m8mE9pMATPuFW9YpgoBMTg9mCI6GcmFeQAudwbhGiVblXZP  |
    |            | kmSmHc5aFwTZSIdjLzPJaMd1k16UZghj59v45Gvzdh5CLhSFGWPsT8rL  |
    |            | fRJD4eE1D_eRz2Jjjk5rDmwAHm5mmffuszJLSe4B2KJyBXkdmmznXL-A  |
    | project_id | 2461396f6a344c21a2360a612d4f6abe                          |
    | user_id    | 63ca263543fb4b02bb34410e3dc8a801                          |
    +------------+-----------------------------------------------------------+
13. As the demo user, request an authentication token (enter the demo user's password)
    # openstack --os-auth-url http://192.168.30.145:5000/v3 \
      --os-project-domain-name default --os-user-domain-name default \
      --os-project-name demo --os-username demo token issue
    Password:
    +------------+-----------------------------------------------------------+
    | Field      | Value                                                     |
    +------------+-----------------------------------------------------------+
    | expires    | 2017-03-28T15:13:50+0000                                  |
    | id         | gAAAAABY2m-eSIWmQg1SyZFaiGcP2kjHf742ktr8YcVH3Q4aHKTflDJ   |
    |            | RLAfgmeoDW2z1sbdHQmKQNSb--F-1Pn_hTFHYqgyMlIxYpEQxGhJ-rg   |
    |            | b0EuxUT9opwl0m5onaA5Cv_MBX6awxeity8Gh1dc50NUeYela5Yl4uSG  |
    | project_id | 2ef20ce389eb499696f2d7497c6009b0                          |
    | user_id    | 7cfc508fd5d44b468aac218bd4029bae                          |
    +------------+-----------------------------------------------------------+
14. Create the client environment scripts
a. Create and edit the file admin-openrc with the following contents:
    # vim admin-openrc
    export OS_PROJECT_DOMAIN_NAME=Default
    export OS_USER_DOMAIN_NAME=Default
    export OS_PROJECT_NAME=admin
    export OS_USERNAME=admin
    export OS_PASSWORD=qaz123
    export OS_AUTH_URL=http://192.168.30.145:35357/v3
    export OS_IDENTITY_API_VERSION=3
    export OS_IMAGE_API_VERSION=2
b. Create and edit the file demo-openrc with the following contents:
    # vim demo-openrc
    export OS_PROJECT_DOMAIN_NAME=Default
    export OS_USER_DOMAIN_NAME=Default
    export OS_PROJECT_NAME=demo
    export OS_USERNAME=demo
    export OS_PASSWORD=demo
    export OS_AUTH_URL=http://192.168.30.145:5000/v3
    export OS_IDENTITY_API_VERSION=3
    export OS_IMAGE_API_VERSION=2
Both files hold plaintext passwords: keep them mode 600 and out of version control and shell history.
15. Use the scripts
a. Load the script
    # . admin-openrc
b. Request an authentication token
    # openstack token issue
    +------------+----------------------------------------------------------+
    | Field      | Value                                                    |
    +------------+----------------------------------------------------------+
    | expires    | 2017-03-28T15:22:55+0000                                 |
    | id         | gAAAAABY2nG_diuPBMl66vJye3mV3S7CWZKesIiSnbicq5XddujfHhc3x|
    |            | PHni3iHWPcTQAjHoIEMTvSH6yKOQ6Z74QL6hVbshqP1dJrRJ6xEa9WvIk|
    |            | F7H5j7lPmM7ncfVvr9k96gLJ6Uhz38R5qRnHBWkxrlNsgw1jdnAjxf5e |
    | project_id | 2461396f6a344c21a2360a612d4f6abe                         |
    | user_id    | 63ca263543fb4b02bb34410e3dc8a801                         |
    +------------+----------------------------------------------------------+
III. Configure the Glance image service (Controller Node)
1. Create the glance database
    # mysql
    MariaDB [(none)]> CREATE DATABASE glance;    ## create the glance database
    ## grant access to the glance database [user@controller ... BY password]
    MariaDB [(none)]> GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'192.168.30.145' \
      IDENTIFIED BY 'glance';
    MariaDB [(none)]> GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'%' \
      IDENTIFIED BY 'glance';
    MariaDB [(none)]> flush privileges;
2. Source the admin credentials
    # . admin-openrc
3. Create the service credentials
a. Create the glance user:
    # openstack user create --domain default --password-prompt glance
    User Password:
    Repeat User Password:
    +---------------------+----------------------------------+
    | Field               | Value                            |
    +---------------------+----------------------------------+
    | domain_id           | default                          |
    | enabled             | True                             |
    | id                  | 3edeaaae87e14811ac2c6767ab657d6b |
    | name                | glance                           |
    | options             | {}                               |
    | password_expires_at | None                             |
    +---------------------+----------------------------------+
b. Add the admin role to the glance user and service project:
    # openstack role add --project service --user glance admin
c. Create the glance service entity:
    # openstack service create --name glance \
      --description "OpenStack Image" image
    +-------------+----------------------------------+
    | Field       | Value                            |
    +-------------+----------------------------------+
    | description | OpenStack Image                  |
    | enabled     | True                             |
    | id          | 22a0875ba92c4512989666f116ae1585 |
    | name        | glance                           |
    | type        | image                            |
    +-------------+----------------------------------+
d. Create the Image service API endpoints:
    # openstack endpoint create --region RegionOne \
      image public http://192.168.30.145:9292
    +--------------+----------------------------------+
    | Field        | Value                            |
    +--------------+----------------------------------+
    | enabled      | True                             |
    | id           | ff6d9ed365cf4e7f8cc53d47e57cd46b |
    | interface    | public                           |
    | region       | RegionOne                        |
    | region_id    | RegionOne                        |
    | service_id   | 22a0875ba92c4512989666f116ae1585 |
    | service_name | glance                           |
    | service_type | image                            |
    | url          | http://192.168.30.145:9292       |
    +--------------+----------------------------------+
    # openstack endpoint create --region RegionOne \
      image internal http://192.168.30.145:9292
    +--------------+----------------------------------+
    | Field        | Value                            |
    +--------------+----------------------------------+
    | enabled      | True                             |
    | id           | 7408dd72bc1745758cdf23e136ef7392 |
    | interface    | internal                         |
    | region       | RegionOne                        |
    | region_id    | RegionOne                        |
    | service_id   | 22a0875ba92c4512989666f116ae1585 |
    | service_name | glance                           |
    | service_type | image                            |
    | url          | http://192.168.30.145:9292       |
    +--------------+----------------------------------+
    # openstack endpoint create --region RegionOne \
      image admin http://192.168.30.145:9292
    +--------------+----------------------------------+
    | Field        | Value                            |
    +--------------+----------------------------------+
    | enabled      | True                             |
    | id           | 8ed4e7e1a5834177b4ce1896c21e6cb9 |
    | interface    | admin                            |
    | region       | RegionOne                        |
    | region_id    | RegionOne                        |
    | service_id   | 22a0875ba92c4512989666f116ae1585 |
    | service_name | glance                           |
    | service_type | image                            |
    | url          | http://192.168.30.145:9292       |
    +--------------+----------------------------------+
4. Install and configure the Glance components
a. Configure the image API
    # apt -y install glance
    # vim /etc/glance/glance-api.conf
    [database]    ## database access [user:password@controller]
    connection = mysql+pymysql://glance:glance@192.168.30.145/glance
    [keystone_authtoken]    ## Identity service access
    auth_uri = http://192.168.30.145:5000
    auth_url = http://192.168.30.145:35357
    memcached_servers = 192.168.30.145:11211
    auth_type = password
    project_domain_name = default
    user_domain_name = default
    project_name = service
    username = glance
    password = glance
    [paste_deploy]
    flavor = keystone
    [glance_store]    ## local filesystem store and image file location
    stores = file,http
    default_store = file
    filesystem_store_datadir = /var/lib/glance/images/
    # grep ^[a-z] /etc/glance/glance-api.conf
    sqlite_db = /var/lib/glance/glance.sqlite
    backend = sqlalchemy
    connection = mysql+pymysql://glance:glance@192.168.30.145/glance
    stores = file,http
    default_store = file
    filesystem_store_datadir = /var/lib/glance/images
    disk_formats = ami,ari,aki,vhd,vhdx,vmdk,raw,qcow2,vdi,iso,ploop.root-tar
    auth_uri = http://192.168.30.145:5000
    auth_url = http://192.168.30.145:35357
    memcached_servers = 192.168.30.145:11211
    auth_type = password
    project_domain_name = default
    user_domain_name = default
    project_name = service
    username = glance
    password = glance
    flavor = keystone
b. Configure the image registry
    # vim /etc/glance/glance-registry.conf
    [database]    ## database access [user:password@controller]
    connection = mysql+pymysql://glance:glance@192.168.30.145/glance
    [keystone_authtoken]    ## Identity service access
    auth_uri = http://192.168.30.145:5000
    auth_url = http://192.168.30.145:35357
    memcached_servers = 192.168.30.145:11211
    auth_type = password
    project_domain_name = default
    user_domain_name = default
    project_name = service
    username = glance
    password = glance
    [paste_deploy]
    flavor = keystone
    # grep ^[a-z] /etc/glance/glance-registry.conf
    sqlite_db = /var/lib/glance/glance.sqlite
    backend = sqlalchemy
    connection = mysql+pymysql://glance:glance@192.168.30.145/glance
    auth_uri = http://192.168.30.145:5000
    auth_url = http://192.168.30.145:35357
    memcached_servers = 192.168.30.145:11211
    auth_type = password
    project_domain_name = default
    user_domain_name = default
    project_name = service
    username = glance
    password = glance
    flavor = keystone
5. Populate the Image service database
    # su -s /bin/sh -c "glance-manage db_sync" glance
6. Restart the services
    # service glance-registry restart
    # service glance-api restart
    # service glance-registry status
    # service glance-api status
7. Verify operation
Verify the Image service with CirrOS, a small Linux image that can be used to test an OpenStack deployment.
a. Source the admin credentials
    # . admin-openrc
b. Download the source image
    # wget http://download.cirros-cloud.net/0.3.5/cirros-0.3.5-x86_64-disk.img
c. Upload the image to the Image service using the QCOW2 disk format and bare container format, and make it public
    # openstack image create "cirros" \
      --file cirros-0.3.5-x86_64-disk.img \
      --disk-format qcow2 --container-format bare \
      --public
    +------------------+------------------------------------------------------+
    | Field            | Value                                                |
    +------------------+------------------------------------------------------+
    | checksum         | f8ab98ff5e73ebab884d80c9dc9c7290                     |
    | container_format | bare                                                 |
    | created_at       | 2017-03-29T05:57:56Z                                 |
    | disk_format      | qcow2                                                |
    | file             | /v2/images/4b6ebd57-80ab-4b79-8ecc-53a026f3e898/file |
    | id               | 4b6ebd57-80ab-4b79-8ecc-53a026f3e898                 |
    | min_disk         | 0                                                    |
    | min_ram          | 0                                                    |
    | name             | cirros                                               |
    | owner            | 2461396f6a344c21a2360a612d4f6abe                     |
    | protected        | False                                                |
    | schema           | /v2/schemas/image                                    |
    | size             | 13267968                                             |
    | status           | active                                               |
    | tags             |                                                      |
    | updated_at       | 2017-03-29T05:57:56Z                                 |
    | virtual_size     | None                                                 |
    | visibility       | public                                               |
    +------------------+------------------------------------------------------+
d. Confirm the upload and verify the image's attributes
    # openstack image list
    +--------------------------------------+--------+--------+
    | ID                                   | Name   | Status |
    +--------------------------------------+--------+--------+
    | 4b6ebd57-80ab-4b79-8ecc-53a026f3e898 | cirros | active |
    +--------------------------------------+--------+--------+
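The image was fetched over plain http://, and the checksum field Glance reports is just the MD5 of whatever bytes arrived, so it proves nothing about integrity on its own. As an added example (not part of the original post), the following shell verifies a downloaded file against a digest obtained from a trusted source before the upload, and gates openstack image create on the result. It assumes GNU coreutils; the file and digests it runs against are constructed so that it works offline.

```shell
#!/bin/sh
# Added example, not from the original post: check a downloaded image against
# a digest obtained from a trusted source before uploading it to Glance.
# Assumptions: GNU coreutils md5sum/sha256sum are installed; the expected
# digest is taken from the publisher's checksum list fetched separately
# (CirrOS publishes MD5SUMS beside each release), not from the same
# unauthenticated http:// download as the image itself.

# Usage: verify_image_checksum <file> <expected-digest> [md5|sha256]
# Returns 0 when the digest matches (hex compared case-insensitively),
# 1 on mismatch, 2 on an unsupported algorithm or unreadable file.
verify_image_checksum() {
    file="$1"
    expected="$(printf '%s' "$2" | tr 'A-F' 'a-f')"
    algo="${3:-md5}"
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    case "$algo" in
        md5)    actual="$(md5sum "$file" | cut -d' ' -f1)" ;;
        sha256) actual="$(sha256sum "$file" | cut -d' ' -f1)" ;;
        *)      echo "unsupported algorithm: $algo" >&2; return 2 ;;
    esac
    if [ "$actual" = "$expected" ]; then
        echo "$algo OK: $file"
        return 0
    fi
    echo "$algo MISMATCH for $file: expected $expected, got $actual" >&2
    return 1
}

# Constructed sample: a file with known digests stands in for the downloaded
# image so the check runs offline.
demo="$(mktemp)"
printf 'hello\n' > "$demo"
verify_image_checksum "$demo" b1946ac92492d2347c6235b4d2611184
verify_image_checksum "$demo" 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03 sha256

# Real use, gated so a tampered or truncated download never reaches Glance
# (<md5 from MD5SUMS> is the value from the publisher's checksum list):
#   verify_image_checksum cirros-0.3.5-x86_64-disk.img <md5 from MD5SUMS> \
#     && openstack image create "cirros" --file cirros-0.3.5-x86_64-disk.img \
#          --disk-format qcow2 --container-format bare --public
```

After the upload, the checksum field shown by openstack image show must equal the value you verified; a difference means Glance stored something other than the file you checked.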
V. Configure the Neutron networking service (every node needs configuration)
1. Create the neutron database
    # mysql
    MariaDB [(none)]> CREATE DATABASE neutron;    ## create the neutron database
    ## grant access to the neutron database [user@controller ... BY password]
    MariaDB [(none)]> GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'192.168.30.145' \
      IDENTIFIED BY 'neutron';
    MariaDB [(none)]> GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'%' \
      IDENTIFIED BY 'neutron';
    MariaDB [(none)]> flush privileges;
2. Source the admin credentials
    # . admin-openrc
3. Create the service credentials
a. Create the neutron user
    # openstack user create --domain default --password-prompt neutron
    User Password:
    Repeat User Password:
    +---------------------+----------------------------------+
    | Field               | Value                            |
    +---------------------+----------------------------------+
    | domain_id           | default                          |
    | enabled             | True                             |
    | id                  | 54cd9e72295c411090ea9f641cb02135 |
    | name                | neutron                          |
    | options             | {}                               |
    | password_expires_at | None                             |
    +---------------------+----------------------------------+
b. Add the admin role to the neutron user
    # openstack role add --project service --user neutron admin
c. Create the neutron service entity
    # openstack service create --name neutron \
      --description "OpenStack Networking" network
    +-------------+----------------------------------+
    | Field       | Value                            |
    +-------------+----------------------------------+
    | description | OpenStack Networking             |
    | enabled     | True                             |
    | id          | 720687745d354718862255a56d7aea46 |
    | name        | neutron                          |
    | type        | network                          |
    +-------------+----------------------------------+
d. Create the Networking service API endpoints
    # openstack endpoint create --region RegionOne \
      network public http://192.168.30.145:9696
    +--------------+----------------------------------+
    | Field        | Value                            |
    +--------------+----------------------------------+
    | enabled      | True                             |
    | id           | a9b1b5b8fbb842a8b14a9cecca7a58a8 |
    | interface    | public                           |
    | region       | RegionOne                        |
    | region_id    | RegionOne                        |
    | service_id   | 720687745d354718862255a56d7aea46 |
    | service_name | neutron                          |
    | service_type | network                          |
    | url          | http://192.168.30.145:9696       |
    +--------------+----------------------------------+
    # openstack endpoint create --region RegionOne \
      network internal http://192.168.30.145:9696
    +--------------+----------------------------------+
    | Field        | Value                            |
    +--------------+----------------------------------+
    | enabled      | True                             |
    | id           | 61e2c14b0c8f4003a7099012e9a6331f |
    | interface    | internal                         |
    | region       | RegionOne                        |
    | region_id    | RegionOne                        |
    | service_id   | 720687745d354718862255a56d7aea46 |
    | service_name | neutron                          |
    | service_type | network                          |
    | url          | http://192.168.30.145:9696       |
    +--------------+----------------------------------+
    # openstack endpoint create --region RegionOne \
      network admin http://192.168.30.145:9696
    +--------------+----------------------------------+
    | Field        | Value                            |
    +--------------+----------------------------------+
    | enabled      | True                             |
    | id           | 6719539759c34487bd519c0dffb5509d |
    | interface    | admin                            |
    | region       | RegionOne                        |
    | region_id    | RegionOne                        |
    | service_id   | 720687745d354718862255a56d7aea46 |
    | service_name | neutron                          |
    | service_type | network                          |
    | url          | http://192.168.30.145:9696       |
    +--------------+----------------------------------+
4. Networking option 2: self-service networks
a. Install the components
    # apt -y install neutron-server neutron-plugin-ml2 \
      neutron-linuxbridge-agent neutron-l3-agent neutron-dhcp-agent \
      neutron-metadata-agent
b. Configure the Neutron server component
    # vim /etc/neutron/neutron.conf
    [database]    ## database access [user:password@controller]
    #connection = sqlite:////var/lib/neutron/neutron.sqlite
    connection = mysql+pymysql://neutron:neutron@192.168.30.145/neutron
    [DEFAULT]    ## enable the ML2 plug-in, the router service and overlapping IP addresses
    core_plugin = ml2
    service_plugins = router
    allow_overlapping_ips = true
    [DEFAULT]    ## RabbitMQ message queue access [user:password@controller]
    transport_url = rabbit://openstack:openstack@192.168.30.145
    [DEFAULT]    ## Identity service access
    auth_strategy = keystone
    [keystone_authtoken]    ## Identity service access
    auth_uri = http://192.168.30.145:5000
    auth_url = http://192.168.30.145:35357
    memcached_servers = 192.168.30.145:11211
    auth_type = password
    project_domain_name = default
    user_domain_name = default
    project_name = service
    username = neutron
    password = neutron
    [DEFAULT]    ## notify Compute of network topology changes
    notify_nova_on_port_status_changes = true
    notify_nova_on_port_data_changes = true
    [nova]    ## credentials Networking uses for those notifications
    auth_url = http://192.168.30.145:35357
    auth_type = password
    project_domain_name = default
    user_domain_name = default
    region_name = RegionOne
    project_name = service
    username = nova
    password = nova
    # grep ^[a-z] /etc/neutron/neutron.conf
    auth_strategy = keystone
    core_plugin = ml2
    service_plugins = router
    allow_overlapping_ips = true
    notify_nova_on_port_status_changes = true
    notify_nova_on_port_data_changes = true
    transport_url = rabbit://openstack:openstack@192.168.30.145
    root_helper = sudo /usr/bin/neutron-rootwrap /etc/neutron/rootwrap.conf
    connection = mysql+pymysql://neutron:neutron@192.168.30.145/neutron
    auth_uri = http://192.168.30.145:5000
    auth_url = http://192.168.30.145:35357
    memcached_servers = 192.168.30.145:11211
    auth_type = password
    project_domain_name = default
    user_domain_name = default
    project_name = service
    username = neutron
    password = neutron
    region_name = RegionOne
    auth_url = http://192.168.30.145:35357
    auth_type = password
    password = nova
    project_domain_name = default
    project_name = service
    user_domain_name = default
    username = nova
The repeated [DEFAULT] headings only group the options for explanation; the file has a single [DEFAULT] section. The nova user and password in [nova] are the Compute service credentials created when Nova is set up.
c. Configure the Modular Layer 2 (ML2) plug-in
The ML2 plug-in uses the Linuxbridge mechanism to build layer-2 (bridging and switching) virtual networking infrastructure for instances.
    # vim /etc/neutron/plugins/ml2/ml2_conf.ini
    [ml2]    ## enable flat, VLAN and VXLAN networks
    type_drivers = flat,vlan,vxlan
    [ml2]    ## enable VXLAN self-service networks
    tenant_network_types = vxlan
    [ml2]    ## enable the Linuxbridge and layer-2 population mechanisms
    mechanism_drivers = linuxbridge,l2population
    [ml2]    ## enable the port security extension driver
    extension_drivers = port_security
    [ml2_type_flat]    ## configure the provider virtual network as a flat network
    flat_networks = provider
    [ml2_type_vxlan]    ## VXLAN network identifier range for self-service networks
    vni_ranges = 1:1000
    [securitygroup]    ## enable ipset to make security group rules more efficient
    enable_ipset = true
    # grep ^[a-z] /etc/neutron/plugins/ml2/ml2_conf.ini
    type_drivers = flat,vlan,vxlan
    tenant_network_types = vxlan
    mechanism_drivers = linuxbridge,l2population
    extension_drivers = port_security
    flat_networks = provider
    vni_ranges = 1:1000
    enable_ipset = true
注:Linuxbridge代理只支持VXLAN覆盖网络
d.配置Linuxbridge代理
Linuxbridge代理为实例建立layer-2虚拟网络并且处理安全组规则
1 # vim /etc/neutron/plugins/ml2/linuxbridge_agent.ini 2 [linux_bridge]----对应公共虚拟网络和公共物理网络接口 3 physical_interface_mappings = provider:ens33 4 [vxlan]----启用VXLAN覆盖网络,配置覆盖网络的物理网络接口的IP地址,并启用layer-2 population 5 enable_vxlan = true 6 local_ip = 192.168.30.145 7 l2_population = true 8 [securitygroup]----启用安全组并配置防火墙服务 9 enable_security_group = true 10 firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver 11 12 # grep ^[a-z] /etc/neutron/plugins/ml2/linuxbridge_agent.ini 13 physical_interface_mappings = provider:ens33 14 firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver 15 enable_security_group = true 16 enable_vxlan = true 17 local_ip = 192.168.30.145 18 l2_population = true
e. Configure the layer-3 agent
The layer-3 agent provides routing and NAT services for self-service virtual networks.
    # vim /etc/neutron/l3_agent.ini
    [DEFAULT]    ## configure the Linuxbridge interface driver
    interface_driver = linuxbridge
    # grep ^[a-z] /etc/neutron/l3_agent.ini
    interface_driver = linuxbridge
f. Configure the DHCP agent
The DHCP agent provides DHCP services for virtual networks.
    # vim /etc/neutron/dhcp_agent.ini
    [DEFAULT]    ## configure the Linuxbridge interface driver, the Dnsmasq DHCP driver and isolated metadata
    interface_driver = linuxbridge
    dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq
    enable_isolated_metadata = true
    # grep ^[a-z] /etc/neutron/dhcp_agent.ini
    interface_driver = linuxbridge
    dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq
    enable_isolated_metadata = true
g. Configure the metadata agent, which provides configuration information such as credentials to instances
    # vim /etc/neutron/metadata_agent.ini
    [DEFAULT]    ## metadata host and shared secret
    nova_metadata_ip = 192.168.30.145
    metadata_proxy_shared_secret = qaz123
    # grep ^[a-z] /etc/neutron/metadata_agent.ini
    nova_metadata_ip = 192.168.30.145
    metadata_proxy_shared_secret = qaz123
The shared secret is what nova-api uses to trust the instance ID the proxy forwards: anyone who knows it can request any instance's metadata, including injected keys and user data. Use a long random value (openssl rand -hex 32) rather than reusing the admin password as done here, and set the same value in nova.conf [neutron] metadata_proxy_shared_secret in step 5.
5. Configure the Compute service to use Networking (controller node)
    # vim /etc/nova/nova.conf
    [neutron]    ## access parameters, enable the metadata proxy and set the shared secret
    url = http://192.168.30.145:9696
    auth_url = http://192.168.30.145:35357
    auth_type = password
    project_domain_name = default
    user_domain_name = default
    region_name = RegionOne
    project_name = service
    username = neutron
    password = neutron
    service_metadata_proxy = true
    metadata_proxy_shared_secret = qaz123
    # grep ^[a-z] /etc/nova/nova.conf
6. Finalize the installation
a. Populate the database
    # su -s /bin/sh -c "neutron-db-manage --config-file /etc/neutron/neutron.conf \
      --config-file /etc/neutron/plugins/ml2/ml2_conf.ini upgrade head" neutron
    ......
    OK
Note: database population happens later for Networking than for the other services because the script needs the completed server and plug-in configuration files.
b. Restart the Compute API service
    # service nova-api restart
c. Restart the Networking services
For both networking options:
    # service neutron-server restart
    # service neutron-linuxbridge-agent restart
    # service neutron-dhcp-agent restart
    # service neutron-metadata-agent restart
For networking option 2, also restart the layer-3 service:
    # service neutron-l3-agent restart
d. Confirm the services are running
    # service nova-api status
    # service neutron-server status
    # service neutron-linuxbridge-agent status
    # service neutron-dhcp-agent status
    # service neutron-metadata-agent status
    # service neutron-l3-agent status
7. Configure the Neutron networking service on the Compute Node
    # apt -y install neutron-linuxbridge-agent
    # vim /etc/neutron/neutron.conf
    [database]    ## the compute node does not access the database directly
    #connection = sqlite:////var/lib/neutron/neutron.sqlite
    [DEFAULT]    ## RabbitMQ message queue access [user:password@controller]
    transport_url = rabbit://openstack:openstack@192.168.30.145
    [DEFAULT]    ## Identity service access
    auth_strategy = keystone
    [keystone_authtoken]    ## Identity service access
    auth_uri = http://192.168.30.145:5000
    auth_url = http://192.168.30.145:35357
    memcached_servers = 192.168.30.145:11211
    auth_type = password
    project_domain_name = default
    user_domain_name = default
    project_name = service
    username = neutron
    password = neutron
    # grep ^[a-z] /etc/neutron/neutron.conf
    auth_strategy = keystone
    core_plugin = ml2
    transport_url = rabbit://openstack:openstack@192.168.30.145
    root_helper = sudo /usr/bin/neutron-rootwrap /etc/neutron/rootwrap.conf
    auth_uri = http://192.168.30.145:5000
    auth_url = http://192.168.30.145:35357
    memcached_servers = 192.168.30.145:11211
    auth_type = password
    project_domain_name = default
    user_domain_name = default
    project_name = service
    username = neutron
    password = neutron
8. Configure the Compute service to use Networking (compute node)
    # vim /etc/nova/nova.conf
    [neutron]    ## access parameters
    url = http://192.168.30.145:9696
    auth_url = http://192.168.30.145:35357
    auth_type = password
    project_domain_name = default
    user_domain_name = default
    region_name = RegionOne
    project_name = service
    username = neutron
    password = neutron
    # grep ^[a-z] /etc/nova/nova.conf
9. Finalize the installation
a. Restart the Compute service:
    # service nova-compute restart
    # service nova-compute status
b. Restart the Linuxbridge agent:
    # service neutron-linuxbridge-agent restart
    # service neutron-linuxbridge-agent status
10. Configure networking option 2 on the compute node
Configure the Linuxbridge agent, which builds layer-2 virtual networking infrastructure for instances and handles security groups.
    # vim /etc/neutron/plugins/ml2/linuxbridge_agent.ini
    [linux_bridge]    ## map the provider virtual network to the provider physical interface
    physical_interface_mappings = provider:ens34
    [vxlan]    ## enable VXLAN overlay networks, set the overlay endpoint IP (the management address) and enable layer-2 population
    enable_vxlan = true
    local_ip = 192.168.30.146
    l2_population = true
    [securitygroup]    ## enable security groups and configure firewall_driver
    enable_security_group = true
    firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
    # grep ^[a-z] /etc/neutron/plugins/ml2/linuxbridge_agent.ini
    physical_interface_mappings = provider:ens34
    firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
    enable_security_group = true
    enable_vxlan = true
    local_ip = 192.168.30.146
    l2_population = true
As on the controller, the mapping names the address-less provider interface (ens34, configured the same way on this node), and local_ip is this node's management address.
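The linuxbridge_agent.ini on the controller (step 4.d above) and the one here differ only in local_ip, and both are easy to break by mapping the wrong interface. The following check, added here as an example (it is not from the original post or from Neutron), reads an agent configuration together with the host's ip -o -4 addr output and refuses a mapping that would enslave an interface that carries an IPv4 address, or a local_ip the host does not own. The configuration files and the address dump it runs against are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check a
# linuxbridge_agent.ini against the host's addresses before restarting the
# agent. The agent enslaves the provider interface into a Linux bridge, so if
# physical_interface_mappings names the management interface (the one with
# the 192.168.30.x address) the node loses management connectivity; and
# local_ip must be an address the host actually has or the VXLAN tunnels
# will not come up.
# Assumptions: the first mapping in physical_interface_mappings is the one
# checked; the second argument is a file holding "ip -o -4 addr" output
# from the same host.

# Usage: check_linuxbridge_agent_ini <linuxbridge_agent.ini> <ip-o-4-addr-output>
# Returns 0 when consistent, 1 if the provider interface carries an IPv4
# address, 2 if local_ip is not configured on the host, 3 on parse failure.
check_linuxbridge_agent_ini() {
    ini="$1"
    ipdump="$2"
    iface="$(sed -n 's/^physical_interface_mappings[[:space:]]*=[[:space:]]*[^:]*:\([^, ]*\).*/\1/p' "$ini" | head -n 1)"
    local_ip="$(sed -n 's/^local_ip[[:space:]]*=[[:space:]]*\([0-9.]*\).*/\1/p' "$ini" | head -n 1)"
    if [ -z "$iface" ] || [ -z "$local_ip" ]; then
        echo "could not find physical_interface_mappings and local_ip in $ini" >&2
        return 3
    fi
    # "ip -o -4 addr" prints one line per address: "<idx>: <dev> inet <addr>/<len> ..."
    if awk -v dev="$iface" '$2 == dev { found = 1 } END { exit !found }' "$ipdump"; then
        echo "provider interface $iface has an IPv4 address; map the address-less provider interface instead" >&2
        return 1
    fi
    if ! awk -v ip="$local_ip" '{ split($4, a, "/"); if (a[1] == ip) found = 1 } END { exit !found }' "$ipdump"; then
        echo "local_ip $local_ip is not configured on any interface of this host" >&2
        return 2
    fi
    echo "OK: provider interface $iface has no IP, local_ip $local_ip is local"
    return 0
}

# Constructed sample: the controller's addresses as "ip -o -4 addr" would
# print them (ens34 has no IPv4 address, so it does not appear at all).
ipdump="$(mktemp)"
cat > "$ipdump" <<'EOF'
1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: ens33    inet 192.168.30.145/24 brd 192.168.30.255 scope global ens33\       valid_lft forever preferred_lft forever
EOF

# Constructed configurations: the correct mapping, and the management
# interface mapped by mistake.
good_ini="$(mktemp)"
printf '[linux_bridge]\nphysical_interface_mappings = provider:ens34\n[vxlan]\nenable_vxlan = true\nlocal_ip = 192.168.30.145\n' > "$good_ini"
bad_ini="$(mktemp)"
printf '[linux_bridge]\nphysical_interface_mappings = provider:ens33\n[vxlan]\nenable_vxlan = true\nlocal_ip = 192.168.30.145\n' > "$bad_ini"

check_linuxbridge_agent_ini "$good_ini" "$ipdump"
check_linuxbridge_agent_ini "$bad_ini" "$ipdump" || echo "(rejected as expected, rc=$?)"

# Real use on a node:
#   ip -o -4 addr > /tmp/addrs && \
#   check_linuxbridge_agent_ini /etc/neutron/plugins/ml2/linuxbridge_agent.ini /tmp/addrs
```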
11. Verify operation on the controller node
a. Source the admin credentials
    # . admin-openrc
b.列出加载的扩展来验证 neutron-server 进程是否正常启动
# openstack extension list --network
+------+-------+-------------+
| Name | Alias | Description |
+------+-------+-------------+
| Default Subnetpools | default-subnetpools | Provides ability to mark and use a subnetpool as the default |
| Network IP Availability | network-ip-availability | Provides IP availability data for each network and subnet. |
| Network Availability Zone | network_availability_zone | Availability zone support for network. |
| Auto Allocated Topology Services | auto-allocated-topology | Auto Allocated Topology Services. |
| Neutron L3 Configurable external gateway mode | ext-gw-mode | Extension of the router abstraction for specifying whether SNAT should occur on the external gateway |
| Port Binding | binding | Expose port bindings of a virtual port to external application |
| agent | agent | The agent management extension. |
| Subnet Allocation | subnet_allocation | Enables allocation of subnets from a subnet pool |
| L3 Agent Scheduler | l3_agent_scheduler | Schedule routers among l3 agents |
| Tag support | tag | Enables to set tag on resources. |
| Neutron external network | external-net | Adds external network attribute to network resource. |
| Neutron Service Flavors | flavors | Flavor specification for Neutron advanced services |
| Network MTU | net-mtu | Provides MTU attribute for a network resource. |
| Availability Zone | availability_zone | The availability zone extension. |
| Quota management support | quotas | Expose functions for quotas management per tenant |
| HA Router extension | l3-ha | Add HA capability to routers. |
| Provider Network | provider | Expose mapping of virtual networks to physical networks |
| Multi Provider Network | multi-provider | Expose mapping of virtual networks to multiple physical networks |
| Address scope | address-scope | Address scopes extension. |
| Neutron Extra Route | extraroute | Extra routes configuration for L3 router |
| Subnet service types | subnet-service-types | Provides ability to set the subnet service_types field |
| Resource timestamps | standard-attr-timestamp | Adds created_at and updated_at fields to all Neutron resources that have Neutron standard attributes. |
| Neutron Service Type Management | service-type | API for retrieving service providers for Neutron advanced services |
| Router Flavor Extension | l3-flavors | Flavor support for routers. |
| Port Security | port-security | Provides port security |
| Neutron Extra DHCP opts | extra_dhcp_opt | Extra options configuration for DHCP. For example PXE boot options to DHCP clients can be specified (e.g. tftp-server, server-ip-address, bootfile-name) |
| Resource revision numbers | standard-attr-revisions | This extension will display the revision number of neutron resources. |
| Pagination support | pagination | Extension that indicates that pagination is enabled. |
| Sorting support | sorting | Extension that indicates that sorting is enabled. |
| security-group | security-group | The security groups extension. |
| DHCP Agent Scheduler | dhcp_agent_scheduler | Schedule networks among dhcp agents |
| Router Availability Zone | router_availability_zone | Availability zone support for router. |
| RBAC Policies | rbac-policies | Allows creation and modification of policies that control tenant access to resources. |
| Tag support for resources: subnet, subnetpool, port, router | tag-ext | Extends tag support to more L2 and L3 resources. |
| standard-attr-description | standard-attr-description | Extension to add descriptions to standard attributes |
| Neutron L3 Router | router | Router abstraction for basic L3 forwarding between L2 Neutron networks and access to external networks via a NAT gateway. |
| Allowed Address Pairs | allowed-address-pairs | Provides allowed address pairs |
| project_id field enabled | project-id | Extension that indicates that project_id field is enabled. |
| Distributed Virtual Router | dvr | Enables configuration of Distributed Virtual Routers. |
+------+-------+-------------+
c. Verify that the neutron agents started successfully
# neutron agent-list
+--------------------------------------+--------------------+------------+-------------------+-------+----------------+---------------------------+
| id                                   | agent_type         | host       | availability_zone | alive | admin_state_up | binary                    |
+--------------------------------------+--------------------+------------+-------------------+-------+----------------+---------------------------+
| 23601054-312a-497c-b728-4b791ce76e64 | L3 agent           | controller | nova              | :-)   | True           | neutron-l3-agent          |
| 9a7546d9-73ec-47e0-ab23-ca2a5366660f | Linux bridge agent | controller |                   | :-)   | True           | neutron-linuxbridge-agent |
| acd42d89-1af4-413f-be77-3172d38a805d | Metadata agent     | controller |                   | :-)   | True           | neutron-metadata-agent    |
| b438ae93-aaf3-41f0-a7b7-d1502a1986c9 | DHCP agent         | controller | nova              | :-)   | True           | neutron-dhcp-agent        |
| e1d32b6b-07c6-468b-965d-ce9dfd09b338 | Linux bridge agent | compute    |                   | :-)   | True           | neutron-linuxbridge-agent |
+--------------------------------------+--------------------+------------+-------------------+-------+----------------+---------------------------+
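As an added example, not part of the original post, a small Python check that parses the agent-list table above (the sample is constructed from it, re-joined into one table) and reports agents that are not alive or administratively down, plus any agent the guide expects on a node that has not registered. The EXPECTED layout is an assumption taken from this guide's two-node setup.

```python
# Constructed sample: the neutron agent-list output above, re-joined into one table.
AGENT_LIST = """
+----+----+----+----+----+----+----+
| id | agent_type | host | availability_zone | alive | admin_state_up | binary |
+----+----+----+----+----+----+----+
| 23601054-312a-497c-b728-4b791ce76e64 | L3 agent | controller | nova | :-) | True | neutron-l3-agent |
| 9a7546d9-73ec-47e0-ab23-ca2a5366660f | Linux bridge agent | controller | | :-) | True | neutron-linuxbridge-agent |
| acd42d89-1af4-413f-be77-3172d38a805d | Metadata agent | controller | | :-) | True | neutron-metadata-agent |
| b438ae93-aaf3-41f0-a7b7-d1502a1986c9 | DHCP agent | controller | nova | :-) | True | neutron-dhcp-agent |
| e1d32b6b-07c6-468b-965d-ce9dfd09b338 | Linux bridge agent | compute | | :-) | True | neutron-linuxbridge-agent |
+----+----+----+----+----+----+----+
"""

# Agents this guide's self-service layout places on each node (assumption of this example).
EXPECTED = {
    "controller": {"L3 agent", "Linux bridge agent", "Metadata agent", "DHCP agent"},
    "compute": {"Linux bridge agent"},
}


def parse_agent_table(text):
    """Turn the pipe-delimited table into a list of row dicts keyed by header name."""
    header, rows = None, []
    for line in text.splitlines():
        if not line.startswith("|"):
            continue  # skip the +---+ border lines
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if header is None:
            header = cells
        else:
            rows.append(dict(zip(header, cells)))
    return rows


def check_agents(rows, expected=EXPECTED):
    """Return findings: dead or admin-down agents, and expected agents that never registered."""
    findings, seen = [], {}
    for r in rows:
        seen.setdefault(r["host"], set()).add(r["agent_type"])
        if r["alive"] != ":-)":  # neutron prints xxx once an agent's heartbeat goes stale
            findings.append(f"{r['agent_type']} on {r['host']} is not alive ({r['alive']})")
        if r["admin_state_up"] != "True":
            findings.append(f"{r['agent_type']} on {r['host']} is administratively down")
    for host, agents in expected.items():
        for missing in sorted(agents - seen.get(host, set())):
            findings.append(f"{missing} missing on {host}")
    return findings
```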