06. OpenStack Networking Service (Neutron)

Xu Liangwei, known in the community as Biaogan Xu (标杆徐). Many years of internet operations experience; formerly responsible for automated operations and management of large-scale cluster architectures. Specializes in web cluster architecture and automated operations, and was previously responsible for operations at a major domestic e-commerce company.
His personal blog "Xu Liangwei's Road to Architect" (徐亮伟架构师之路) has benefited tens of thousands of readers.
Author's QQ: 552408925, 572891887
Architect group: 471443208

1. Neutron Networking Service Overview

OpenStack Networking (Neutron) lets you create networks and attach to them the interface devices managed by other OpenStack services. Plug-ins can be implemented to accommodate different networking equipment and software, which gives OpenStack architecture and deployment flexibility.
OpenStack Networking (Neutron) manages all networking facets of the Virtual Networking Infrastructure (VNI) and the access-layer aspects of the Physical Networking Infrastructure (PNI) in your OpenStack environment. OpenStack Networking enables tenants to create advanced virtual network topologies that may include services such as firewalls, load balancers, and virtual private networks (VPNs).

2. Installing and Configuring Neutron on the Controller Node

2.1 Networking Service Prerequisites

Before configuring the OpenStack Networking (Neutron) service, you must create a database, service credentials, and API endpoints.

1. Create the Neutron database and grant the appropriate privileges on it by running the following commands:

mysql -u root -p123456 -e "CREATE DATABASE neutron;"
mysql -u root -p123456 -e "GRANT ALL PRIVILEGES ON \
neutron.* TO 'neutron'@'localhost' IDENTIFIED BY 'neutron';"

mysql -u root -p123456 -e "GRANT ALL PRIVILEGES ON \
neutron.* TO 'neutron'@'%' IDENTIFIED BY 'neutron';"

2. Source the admin credentials to gain access to admin-only CLI commands

[root@linux-node1 ~]# source admin-openrc

3. Create the service credentials by completing the following steps:

Create the neutron user

[root@linux-node1 ~]# openstack user create --domain default \
--password=neutron neutron
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | default                          |
| enabled             | True                             |
| id                  | 608d6d530da04d51b1ae57dc388ba39c |
| name                | neutron                          |
| password_expires_at | None                             |
+---------------------+----------------------------------+

Add the admin role to the neutron user

[root@linux-node1 ~]# openstack role add --project service --user neutron admin

Create the neutron service entity

[root@linux-node1 ~]# openstack service create --name neutron \
--description "OpenStack Networking" network
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | OpenStack Networking             |
| enabled     | True                             |
| id          | 9d789ecedb994df691d96ed9583e2e4e |
| name        | neutron                          |
| type        | network                          |
+-------------+----------------------------------+

4. Create the Networking service API endpoints

[root@linux-node1 ~]# openstack endpoint create --region RegionOne \
network public http://192.168.56.11:9696
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | c54a43a46d2d424cadff09d0a3b29311 |
| interface    | public                           |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 9d789ecedb994df691d96ed9583e2e4e |
| service_name | neutron                          |
| service_type | network                          |
| url          | http://192.168.56.11:9696        |
+--------------+----------------------------------+


[root@linux-node1 ~]# openstack endpoint create --region RegionOne \
network internal http://192.168.56.11:9696
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 95b5931b54234708bb4a925746896808 |
| interface    | internal                         |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 9d789ecedb994df691d96ed9583e2e4e |
| service_name | neutron                          |
| service_type | network                          |
| url          | http://192.168.56.11:9696        |
+--------------+----------------------------------+

[root@linux-node1 ~]# openstack endpoint create --region RegionOne \
network admin http://192.168.56.11:9696
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 7651427afd0a479e9f67bd9bec29b76d |
| interface    | admin                            |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 9d789ecedb994df691d96ed9583e2e4e |
| service_name | neutron                          |
| service_type | network                          |
| url          | http://192.168.56.11:9696        |
+--------------+----------------------------------+

2.2 Configuring Neutron Networking

1. Install the Neutron networking packages

yum install openstack-neutron openstack-neutron-ml2 \
openstack-neutron-linuxbridge ebtables -y

2. Edit the /etc/neutron/neutron.conf file and complete the following actions:

In the [database] section, configure database access

[database]
...
connection = mysql://neutron:neutron@192.168.56.11:3306/neutron

In the [DEFAULT] section, enable the Modular Layer 2 (ML2) plug-in and disable additional plug-ins (service_plugins is left empty, so the router service and overlapping-IP support used by self-service networks are not loaded in this provider-network layout)

[DEFAULT]
...
core_plugin = ml2
service_plugins = 

In the [DEFAULT] and [oslo_messaging_rabbit] sections, configure RabbitMQ message queue access

[DEFAULT]
...
rpc_backend = rabbit

[oslo_messaging_rabbit]
...
rabbit_host = 192.168.56.11
rabbit_userid = openstack
rabbit_password = openstack

In the [DEFAULT] and [keystone_authtoken] sections, configure Identity service access (comment out or remove any other options in the [keystone_authtoken] section)

[DEFAULT]
...
auth_strategy = keystone


[keystone_authtoken]
...
auth_uri = http://192.168.56.11:5000
auth_url = http://192.168.56.11:35357
memcached_servers = 192.168.56.11:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = neutron
password = neutron

In the [DEFAULT] and [nova] sections, configure Networking to notify Compute of network topology changes

[DEFAULT]
...
notify_nova_on_port_status_changes = True
notify_nova_on_port_data_changes = True


[nova]
...
auth_url = http://192.168.56.11:35357
auth_type = password
project_domain_id = default
user_domain_id = default
region_name = RegionOne
project_name = service
username = nova
password = nova

In the [oslo_concurrency] section, configure the lock path

[oslo_concurrency]
...
lock_path = /var/lib/neutron/tmp

2.3 Configuring the ML2 Plug-in

The ML2 plug-in uses the Linux bridge mechanism to build layer-2 (bridging and switching) virtual networking infrastructure for instances.

  • Warning
    After you configure the ML2 plug-in, removing values from the type_drivers option can lead to database inconsistency.

  • Note
    The Linux bridge agent only supports VXLAN overlay networks.

1. Edit the /etc/neutron/plugins/ml2/ml2_conf.ini file and complete the following actions:

In the [ml2] section, enable flat and VLAN networks

[ml2]
...
type_drivers = flat,vlan

In the [ml2] section, disable self-service (tenant) networks

[ml2]
...
tenant_network_types = 

In the [ml2] section, enable the Linux bridge mechanism

[ml2]
...
mechanism_drivers = linuxbridge

In the [ml2] section, enable the port security extension driver

[ml2]
...
extension_drivers = port_security

In the [ml2_type_flat] section, configure the provider virtual network as a flat network

[ml2_type_flat]
...
flat_networks = provider

In the [securitygroup] section, enable ipset to make security group rules more efficient

[securitygroup]
...
enable_ipset = True

2.4 Configuring the Linux Bridge Agent

The Linux bridge agent builds layer-2 (bridging and switching) virtual networking infrastructure for instances and handles security groups.
1. Edit the /etc/neutron/plugins/ml2/linuxbridge_agent.ini file and complete the following actions:

In the [linux_bridge] section, map the provider virtual network to the physical network interface

[linux_bridge]
...
physical_interface_mappings = provider:eth0

In the [vxlan] section, disable VXLAN overlay networks (if you use VXLAN for layer-3 self-service networks, refer to the OpenStack installation guide)

[vxlan]
...
enable_vxlan = false

In the [securitygroup] section, enable security groups and configure the Linux bridge iptables firewall driver

[securitygroup]
...
enable_security_group = True
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver

In the [agent] section, enable ARP spoofing protection

[agent]
...
prevent_arp_spoofing = True

2.5 Configuring the DHCP Agent

Edit the /etc/neutron/dhcp_agent.ini file and complete the following actions:

In the [DEFAULT] section, configure the Linux bridge interface driver and the Dnsmasq DHCP driver, and enable isolated metadata so that instances on provider networks can reach the metadata service over the network

[DEFAULT]
...
interface_driver = neutron.agent.linux.interface.BridgeInterfaceDriver
dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq
enable_isolated_metadata = True

2.6 Configuring the Metadata Agent

The metadata agent provides configuration information, such as credentials, to instances.
1. Edit the /etc/neutron/metadata_agent.ini file and complete the following actions:

In the [DEFAULT] section, configure the metadata host and the shared secret

[DEFAULT]
...
nova_metadata_ip = 192.168.56.11
metadata_proxy_shared_secret = neutron

2.7 Configuring the Controller Node to Use Networking

1. Edit the /etc/nova/nova.conf file and complete the following actions:

In the [neutron] section, configure access parameters, enable the metadata proxy, and configure the shared secret

[neutron]
...
url = http://192.168.56.11:9696
auth_url = http://192.168.56.11:35357
auth_type = password
project_domain_name = default
user_domain_name = default
region_name = RegionOne
project_name = service
username = neutron
password = neutron


service_metadata_proxy = True
metadata_proxy_shared_secret = neutron
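Sections 2.3 through 2.7 set a handful of options that decide whether instances are actually isolated from each other: the port_security extension driver, enable_security_group together with the iptables firewall driver, prevent_arp_spoofing, and the metadata shared secret that must be identical in metadata_agent.ini and nova.conf. The Python script below is an added example, not code from this guide or from the Neutron project: it loads constructed copies of those fragments and reports every setting that deviates, and it also flags a shared secret that is short or is simply a service name, since the value neutron used above is fine for a lab but should be replaced in any real deployment. The SAMPLE_FILES contents, the audit() helper and the with_shared_secret() helper are this example's own.

```python
"""Audit the security-relevant Neutron/Nova options written in sections 2.3 to 2.7.
Added example: file contents below are constructed to mirror the guide's fragments."""
import configparser

# Constructed samples keyed by the paths the guide edits (not read from a live host).
SAMPLE_FILES = {
    "/etc/neutron/plugins/ml2/ml2_conf.ini": """
[ml2]
type_drivers = flat,vlan
mechanism_drivers = linuxbridge
extension_drivers = port_security
[securitygroup]
enable_ipset = True
""",
    "/etc/neutron/plugins/ml2/linuxbridge_agent.ini": """
[linux_bridge]
physical_interface_mappings = provider:eth0
[securitygroup]
enable_security_group = True
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
[agent]
prevent_arp_spoofing = True
""",
    "/etc/neutron/metadata_agent.ini": """
[DEFAULT]
nova_metadata_ip = 192.168.56.11
metadata_proxy_shared_secret = neutron
""",
    "/etc/nova/nova.conf": """
[neutron]
url = http://192.168.56.11:9696
service_metadata_proxy = True
metadata_proxy_shared_secret = neutron
""",
}


def load(text):
    """Parse oslo-style INI text; [DEFAULT] is kept as an ordinary section so its
    options are not silently inherited by every other section."""
    cfg = configparser.ConfigParser(default_section="__none__", interpolation=None)
    cfg.read_string(text)
    return cfg


def get(cfg, section, option):
    """Option value, or None when the section or option is absent."""
    return cfg.get(section, option, fallback=None)


def is_true(value):
    return value is not None and value.strip().lower() in ("true", "1", "yes")


def audit(files):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    ml2 = load(files["/etc/neutron/plugins/ml2/ml2_conf.ini"])
    lb = load(files["/etc/neutron/plugins/ml2/linuxbridge_agent.ini"])
    md = load(files["/etc/neutron/metadata_agent.ini"])
    nova = load(files["/etc/nova/nova.conf"])

    # The guide enables the port_security extension driver, which provides the
    # per-port port_security_enabled attribute; keep it enabled.
    drivers = (get(ml2, "ml2", "extension_drivers") or "").replace(" ", "").split(",")
    if "port_security" not in drivers:
        findings.append("ml2_conf.ini: port_security extension driver not enabled")

    # Agent-side enforcement: security groups, a real firewall driver, ARP guard.
    if not is_true(get(lb, "securitygroup", "enable_security_group")):
        findings.append("linuxbridge_agent.ini: enable_security_group is not True")
    fw = get(lb, "securitygroup", "firewall_driver") or ""
    if not fw or "noop" in fw.lower():
        findings.append("linuxbridge_agent.ini: firewall_driver is unset or noop")
    if not is_true(get(lb, "agent", "prevent_arp_spoofing")):
        findings.append("linuxbridge_agent.ini: prevent_arp_spoofing is not True")

    # Metadata proxy: nova must expect the proxy and both sides must hold one secret.
    if not is_true(get(nova, "neutron", "service_metadata_proxy")):
        findings.append("nova.conf: service_metadata_proxy is not True")
    secret_md = get(md, "DEFAULT", "metadata_proxy_shared_secret")
    secret_nova = get(nova, "neutron", "metadata_proxy_shared_secret")
    if secret_md != secret_nova:
        findings.append("metadata_proxy_shared_secret differs between metadata_agent.ini and nova.conf")
    if secret_md is not None and (len(secret_md) < 16 or secret_md.lower() in ("neutron", "nova", "secret")):
        findings.append("metadata_proxy_shared_secret is short or just a service name")
    return findings


def with_shared_secret(files, secret):
    """Copy of `files` with every metadata_proxy_shared_secret line set to `secret`."""
    return {
        path: "\n".join(
            f"metadata_proxy_shared_secret = {secret}"
            if line.startswith("metadata_proxy_shared_secret") else line
            for line in text.splitlines())
        for path, text in files.items()
    }


if __name__ == "__main__":
    for finding in audit(SAMPLE_FILES) or ["all checks passed"]:
        print(finding)
```

Run against the sample files as written the script reports only the weak shared secret; swapping in a long random value with with_shared_secret() on both files clears it. To audit a real host, replace the SAMPLE_FILES strings with the contents read from the same paths.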

2.8 Finalizing the Neutron Installation on the Controller Node

1. The Networking service initialization scripts expect the symbolic link /etc/neutron/plugin.ini to point to the ML2 plug-in configuration file
/etc/neutron/plugins/ml2/ml2_conf.ini. If this symbolic link does not exist, create it with the following command:

[root@linux-node1 ~]# ln -s /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini

2. Populate the Neutron database and verify it

[root@linux-node1 ~]# su -s /bin/sh -c "neutron-db-manage \
--config-file /etc/neutron/neutron.conf \
--config-file /etc/neutron/plugins/ml2/ml2_conf.ini \
upgrade head" neutron

[root@linux-node1 ~]# mysql -h 192.168.56.11 -uneutron -pneutron \
-e "use neutron;show tables;"|wc -l
163

3. Restart the Compute API service on the controller node

[root@linux-node1 ~]# systemctl restart openstack-nova-api.service

4. Start the Networking services and configure them to start when the system boots

[root@linux-node1 ~]# systemctl enable neutron-server.service \
neutron-linuxbridge-agent.service neutron-dhcp-agent.service \
neutron-metadata-agent.service
  
[root@linux-node1 ~]# systemctl start neutron-server.service \
neutron-linuxbridge-agent.service neutron-dhcp-agent.service \
neutron-metadata-agent.service

3. Installing and Configuring Neutron on the Compute Node

The compute node handles connectivity and security groups for instances.

3.1 Installing the Neutron Components

Install OpenStack Neutron

[root@linux-node2 ~]# yum install openstack-neutron openstack-neutron-ml2 \
openstack-neutron-linuxbridge ebtables -y

3.2 Configuring the Common Neutron Components

The Networking common component configuration covers the authentication mechanism, the message queue, and the plug-in.

Default configuration files vary by distribution. You may need to add these sections and options rather than modify existing ones. In addition, an ellipsis (...) in a configuration snippet indicates potential default options that you should retain.

1. Edit the /etc/neutron/neutron.conf file and complete the following actions:

In the [database] section, comment out any connection options, because compute nodes do not access the database directly.

In the [DEFAULT] and [oslo_messaging_rabbit] sections, configure RabbitMQ message queue access

[DEFAULT]
...
rpc_backend = rabbit

[oslo_messaging_rabbit]
...
rabbit_host = 192.168.56.11
rabbit_userid = openstack
rabbit_password = openstack

In the [DEFAULT] and [keystone_authtoken] sections, configure Identity service access (comment out or remove any other options in the [keystone_authtoken] section)

[DEFAULT]
...
auth_strategy = keystone


[keystone_authtoken]
...
auth_uri = http://192.168.56.11:5000
auth_url = http://192.168.56.11:35357
memcached_servers = 192.168.56.11:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = neutron
password = neutron

In the [oslo_concurrency] section, configure the lock path

[oslo_concurrency]
...
lock_path = /var/lib/neutron/tmp

3.3 Configuring the Linux Bridge Agent

The Linux bridge agent builds layer-2 (bridging and switching) virtual networking infrastructure for instances and handles security groups.
1. Edit the /etc/neutron/plugins/ml2/linuxbridge_agent.ini file and complete the following actions:

In the [linux_bridge] section, map the provider virtual network to the physical network interface

[linux_bridge]
...
physical_interface_mappings = provider:eth0

In the [vxlan] section, disable VXLAN overlay networks (if you use VXLAN for layer-3 self-service networks, refer to the OpenStack installation guide)

[vxlan]
...
enable_vxlan = false

In the [securitygroup] section, enable security groups and configure the Linux bridge iptables firewall driver

[securitygroup]
...
enable_security_group = True
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver

In the [agent] section, enable ARP spoofing protection

[agent]
...
prevent_arp_spoofing = True

3.4 Configuring the Compute Node to Use Networking

1. Edit the /etc/nova/nova.conf file on the compute node and complete the following actions

In the [neutron] section, configure access parameters

[neutron]
...
url = http://192.168.56.11:9696
auth_url = http://192.168.56.11:35357
auth_type = password
project_domain_id = default
user_domain_id = default
region_name = RegionOne
project_name = service
username = neutron
password = neutron

3.5 Finalizing the Neutron Installation on the Compute Node

1. Restart the nova-compute service on the compute node

[root@linux-node2 ~]# systemctl restart openstack-nova-compute

2. Start the Linux bridge agent, including its dependencies, and configure it to start when the system boots

[root@linux-node2 ~]# systemctl enable neutron-linuxbridge-agent.service
[root@linux-node2 ~]# systemctl start neutron-linuxbridge-agent.service

3. Verify Neutron operation from the controller node

[root@linux-node1 ~]# source admin-openrc
[root@linux-node1 ~]# neutron agent-list
+--------------------------------------+--------------------+----------------------------+-------------------+-------+----------------+---------------------------+
| id                                   | agent_type         | host                       | availability_zone | alive | admin_state_up | binary                    |
+--------------------------------------+--------------------+----------------------------+-------------------+-------+----------------+---------------------------+
| 9bce80d3-8baf-437a-838e-2b9313865fb2 | Metadata agent     | linux-node1.xuliangwei.com |                   | :-)   | True           | neutron-metadata-agent    |
| cb64693c-dfcb-49c7-8d16-1e09026f1567 | DHCP agent         | linux-node1.xuliangwei.com | nova              | :-)   | True           | neutron-dhcp-agent        |
| d9bf8056-8970-49a3-9811-2a77648ebc4c | Linux bridge agent | linux-node1.xuliangwei.com |                   | :-)   | True           | neutron-linuxbridge-agent |
| ef2c97dd-55d8-4c05-95a2-50e1893a8750 | Linux bridge agent | linux-node2.xuliangwei.com |                   | :-)   | True           | neutron-linuxbridge-agent |
+--------------------------------------+--------------------+----------------------------+-------------------+-------+----------------+---------------------------+


[root@linux-node1 ~]# neutron ext-list
+---------------------------+-----------------------------------------------+
| alias                     | name                                          |
+---------------------------+-----------------------------------------------+
| default-subnetpools       | Default Subnetpools                           |
| network-ip-availability   | Network IP Availability                       |
| network_availability_zone | Network Availability Zone                     |
| auto-allocated-topology   | Auto Allocated Topology Services              |
| ext-gw-mode               | Neutron L3 Configurable external gateway mode |
| binding                   | Port Binding                                  |
| agent                     | agent                                         |
| subnet_allocation         | Subnet Allocation                             |
| l3_agent_scheduler        | L3 Agent Scheduler                            |
| tag                       | Tag support                                   |
| external-net              | Neutron external network                      |
| flavors                   | Neutron Service Flavors                       |
| net-mtu                   | Network MTU                                   |
| availability_zone         | Availability Zone                             |
| quotas                    | Quota management support                      |
| l3-ha                     | HA Router extension                           |
| provider                  | Provider Network                              |
| multi-provider            | Multi Provider Network                        |
| address-scope             | Address scope                                 |
| extraroute                | Neutron Extra Route                           |
| subnet-service-types      | Subnet service types                          |
| standard-attr-timestamp   | Resource timestamps                           |
| service-type              | Neutron 服务类型管理                          |
| l3-flavors                | Router Flavor Extension                       |
| port-security             | Port Security                                 |
| extra_dhcp_opt            | Neutron Extra DHCP opts                       |
| standard-attr-revisions   | Resource revision numbers                     |
| pagination                | Pagination support                            |
| sorting                   | Sorting support                               |
| security-group            | security-group                                |
| dhcp_agent_scheduler      | DHCP Agent Scheduler                          |
| router_availability_zone  | Router Availability Zone                      |
| rbac-policies             | RBAC Policies                                 |
| standard-attr-description | standard-attr-description                     |
| router                    | Neutron L3 Router                             |
| allowed-address-pairs     | Allowed Address Pairs                         |
| project-id                | project_id field enabled                      |
| dvr                       | Distributed Virtual Router                    |
+---------------------------+-----------------------------------------------+
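The two tables above are normally checked by eye: every agent shows :-) in the alive column and True under admin_state_up, and the extension list contains the port-security and security-group extensions that the earlier configuration enabled. The script below is an added example, not part of this tutorial or of the neutron client: it parses the client's bordered table format and performs the same checks programmatically, so they can run from a cron job or a deployment pipeline and alert when an agent on a compute node drops out. The two sample tables, the shortened agent ids, the EXPECTED_AGENTS set and the REQUIRED_EXTENSIONS set are constructed for this example; the host names are the ones from the tutorial, and xxx is what the client prints in the alive column when an agent's heartbeat has expired.

```python
"""Programmatic version of the `neutron agent-list` / `neutron ext-list` check.
Added example: the tables below are constructed sample output in the client's
bordered table format (agent ids shortened); host names follow the tutorial."""

AGENT_LIST = """\
+----+--------------------+----------------------------+-------------------+-------+----------------+---------------------------+
| id | agent_type         | host                       | availability_zone | alive | admin_state_up | binary                    |
+----+--------------------+----------------------------+-------------------+-------+----------------+---------------------------+
| a1 | Metadata agent     | linux-node1.xuliangwei.com |                   | :-)   | True           | neutron-metadata-agent    |
| a2 | DHCP agent         | linux-node1.xuliangwei.com | nova              | :-)   | True           | neutron-dhcp-agent        |
| a3 | Linux bridge agent | linux-node1.xuliangwei.com |                   | :-)   | True           | neutron-linuxbridge-agent |
| a4 | Linux bridge agent | linux-node2.xuliangwei.com |                   | xxx   | True           | neutron-linuxbridge-agent |
+----+--------------------+----------------------------+-------------------+-------+----------------+---------------------------+
"""

EXT_LIST = """\
+-----------------------+---------------------------+
| alias                 | name                      |
+-----------------------+---------------------------+
| binding               | Port Binding              |
| provider              | Provider Network          |
| port-security         | Port Security             |
| security-group        | security-group            |
| allowed-address-pairs | Allowed Address Pairs     |
| rbac-policies         | RBAC Policies             |
+-----------------------+---------------------------+
"""

# Agents that must be registered and alive once both nodes are configured.
EXPECTED_AGENTS = {
    ("linux-node1.xuliangwei.com", "neutron-metadata-agent"),
    ("linux-node1.xuliangwei.com", "neutron-dhcp-agent"),
    ("linux-node1.xuliangwei.com", "neutron-linuxbridge-agent"),
    ("linux-node2.xuliangwei.com", "neutron-linuxbridge-agent"),
}

# Extensions this guide's configuration relies on (set chosen for this example).
REQUIRED_EXTENSIONS = {"port-security", "security-group", "provider", "allowed-address-pairs"}


def parse_table(text):
    """Turn a +---+ bordered CLI table into a list of dicts keyed by column header."""
    rows = [line for line in text.splitlines() if line.startswith("|")]
    header = [cell.strip() for cell in rows[0].strip("|").split("|")]
    return [
        dict(zip(header, (cell.strip() for cell in row.strip("|").split("|"))))
        for row in rows[1:]
    ]


def check_agents(agent_table, expected=EXPECTED_AGENTS):
    """Problems found: dead or admin-down agents, and expected agents that never registered."""
    problems, seen = [], set()
    for row in parse_table(agent_table):
        seen.add((row["host"], row["binary"]))
        if row["alive"] != ":-)":  # the client prints xxx once the heartbeat has expired
            problems.append(f"{row['binary']} on {row['host']} is not alive ({row['alive']})")
        if row["admin_state_up"] != "True":
            problems.append(f"{row['binary']} on {row['host']} is administratively down")
    for host, binary in sorted(expected - seen):
        problems.append(f"{binary} on {host} has not registered")
    return problems


def check_extensions(ext_table, required=REQUIRED_EXTENSIONS):
    """Required extension aliases that are missing from the ext-list output."""
    loaded = {row["alias"] for row in parse_table(ext_table)}
    return sorted(required - loaded)


if __name__ == "__main__":
    for problem in check_agents(AGENT_LIST) + check_extensions(EXT_LIST):
        print(problem)
```

On a live controller, feed the script the captured output of the two commands (for example through subprocess) instead of the constructed strings; the sample deliberately marks the compute node's Linux bridge agent as dead so the report shows what a failed agent looks like.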