Deploying the network node is the hard part, so if I have time later I think it is well worth a separate article to explain it. But if you have followed my steps so far, you can deploy and at the same time refer to this post to get a first understanding of neutron.
The roles of the three networks:
External Network/API Network: this network connects to the outside world. Whether a user calls the OpenStack API, a created VM needs to reach the Internet, or someone outside wants to ssh into a VM, it all goes through this network.
Instance Network: the data network. Traffic between VMs goes over this network, for example one VM connecting to another, or a VM connecting to a virtual router.
Management Network: the management network. Interaction between the OpenStack modules, database connections and Message Queue connections all go over this network.
Although I plan to put the network node inside the controller node, it still uses the three networks, so however you install it, the principle is basically the same.
neutron is split into several modules spread over two nodes; the services on each node are as follows.
Controller node:
neutron-server: accepts API requests to create networks, subnets, routers and so on; what gets created, however, is only data structures in the database.
neutron-l3-agent: creates and manages virtual routers. Once neutron-server has created the router's data structure, this agent does the actual work: it really invokes the command line to create the virtual router, routing table, namespace and iptables rules.
neutron-dhcp-agent: creates and manages virtual DHCP servers. Every virtual network has a DHCP server, which hands out IPs to the VMs in that virtual network.
neutron-openvswitch-plugin-agent: creates the virtual L2 switch. On the network node, the router and the DHCP server both connect to this layer-2 switch.
Compute node:
neutron-openvswitch-plugin-agent: creates the virtual L2 switch. On the compute node, the VMs' NICs also connect to this layer-2 switch.
Note: all of the following operations are run on the controller node
Create the neutron database and the neutron user in the database, and grant the user full privileges on the neutron database
Command:
mysql -u root -p123456
CREATE DATABASE neutron;
GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'localhost' IDENTIFIED BY '123456';
GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'%' IDENTIFIED BY '123456';
exit
Output:
[root@controller ~]# mysql -u root -p123456
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 68
Server version: 10.1.12-MariaDB MariaDB Server

Copyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> CREATE DATABASE neutron;
Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'localhost' IDENTIFIED BY '123456';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'%' IDENTIFIED BY '123456';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> exit
Bye
[root@controller ~]#
Create the neutron account in OpenStack and grant it the admin role on the service project
[root@controller ~]# source ~/admin-openrc
[root@controller ~]# openstack user create --domain default --password-prompt neutron
User Password:
Repeat User Password:
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | 098b1a4d36d241ed87e979ec86d32722 |
| enabled   | True                             |
| id        | cdf1f68d3d91463daedfac4c83337fc3 |
| name      | neutron                          |
+-----------+----------------------------------+
[root@controller ~]# openstack role add --project service --user neutron admin
Create the neutron service and its endpoints
[root@controller ~]# openstack service create --name neutron \
> --description "OpenStack Networking" network
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | OpenStack Networking             |
| enabled     | True                             |
| id          | c297d9848e7144f3af54107f100a9d77 |
| name        | neutron                          |
| type        | network                          |
+-------------+----------------------------------+
[root@controller ~]# openstack endpoint create --region RegionOne \
> network public http://controller.example.com:9696
+--------------+------------------------------------+
| Field        | Value                              |
+--------------+------------------------------------+
| enabled      | True                               |
| id           | d88a0173c04248f0bc141543b0b88ca6   |
| interface    | public                             |
| region       | RegionOne                          |
| region_id    | RegionOne                          |
| service_id   | c297d9848e7144f3af54107f100a9d77   |
| service_name | neutron                            |
| service_type | network                            |
| url          | http://controller.example.com:9696 |
+--------------+------------------------------------+
[root@controller ~]# openstack endpoint create --region RegionOne \
> network internal http://controller.example.com:9696
+--------------+------------------------------------+
| Field        | Value                              |
+--------------+------------------------------------+
| enabled      | True                               |
| id           | 7bad043337a8470688c5238a6575a628   |
| interface    | internal                           |
| region       | RegionOne                          |
| region_id    | RegionOne                          |
| service_id   | c297d9848e7144f3af54107f100a9d77   |
| service_name | neutron                            |
| service_type | network                            |
| url          | http://controller.example.com:9696 |
+--------------+------------------------------------+
[root@controller ~]# openstack endpoint create --region RegionOne \
> network admin http://controller.example.com:9696
+--------------+------------------------------------+
| Field        | Value                              |
+--------------+------------------------------------+
| enabled      | True                               |
| id           | 48e397c460a04a11ad59f0ffb266d036   |
| interface    | admin                              |
| region       | RegionOne                          |
| region_id    | RegionOne                          |
| service_id   | c297d9848e7144f3af54107f100a9d77   |
| service_name | neutron                            |
| service_type | network                            |
| url          | http://controller.example.com:9696 |
+--------------+------------------------------------+
[root@controller ~]#
The official guide gives two options for configuring the network:
Option 1: Provider networks. This is the simplest architecture; it only supports attaching VM instances to the public provider network. There are no self-service networks, routers or floating IP addresses. Only the admin user or other privileged users can manage provider networks.
Option 2: Self-service networks. Option 2 includes everything in option 1 and additionally provides layer-3 network services, so VM instances can be attached to self-service (private) networks. The demo user or other unprivileged users can also manage self-service networks, including routers. Routers connect self-service networks to provider networks, and floating IP addresses let VM instances be reached from external networks such as the Internet.
Well, just because of the sentence saying that 2 includes the features of 1, I picked 2 without hesitation!
1. Install the components
yum install openstack-neutron openstack-neutron-ml2 openstack-neutron-linuxbridge ebtables -y
2. Edit the /etc/neutron/neutron.conf file
cp -p /etc/neutron/neutron.conf /etc/neutron/neutron.conf.bak
vim /etc/neutron/neutron.conf
[DEFAULT]
...
core_plugin = ml2
service_plugins = router
allow_overlapping_ips = True
rpc_backend = rabbit
auth_strategy = keystone
notify_nova_on_port_status_changes = True
notify_nova_on_port_data_changes = True
[database]
...
connection = mysql+pymysql://neutron:123456@controller.example.com/neutron
[oslo_messaging_rabbit]
...
rabbit_host = controller.example.com
rabbit_userid = openstack
rabbit_password = henry
[keystone_authtoken]
...
auth_uri = http://controller.example.com:5000
auth_url = http://controller.example.com:35357
memcached_servers = controller.example.com:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = neutron
password = 123456
[nova]
...
auth_url = http://controller.example.com:35357
auth_type = password
project_domain_name = default
user_domain_name = default
region_name = RegionOne
project_name = service
username = nova
password = 123456
[oslo_concurrency]
...
lock_path = /var/lib/neutron/tmp
Overview:
[root@controller ~]# cat /etc/neutron/neutron.conf | grep -v ^# | grep -v ^$
[DEFAULT]
core_plugin = ml2  # enable the Modular Layer 2 (ML2) plugin
service_plugins = router  # enable the router service
allow_overlapping_ips = True  # allow overlapping IP addresses
rpc_backend = rabbit  # use the RabbitMQ message queue
auth_strategy = keystone  # use keystone authentication
notify_nova_on_port_status_changes = True  # notify the Compute service when the network topology changes
notify_nova_on_port_data_changes = True
[agent]
[cors]
[cors.subdomain]
[database]
connection = mysql+pymysql://neutron:123456@controller.example.com/neutron  # database connection; 123456 is my password
[keystone_authtoken]  # keystone authentication section
auth_uri = http://controller.example.com:5000
auth_url = http://controller.example.com:35357
memcached_servers = controller.example.com:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = neutron
password = 123456  # password of the neutron user in OpenStack
[matchmaker_redis]
[nova]
auth_url = http://controller.example.com:35357
auth_type = password
project_domain_name = default
user_domain_name = default
region_name = RegionOne
project_name = service
username = nova
password = 123456  # password of the nova user in OpenStack
[oslo_concurrency]
lock_path = /var/lib/neutron/tmp  # lock path for concurrency control
[oslo_messaging_amqp]
[oslo_messaging_notifications]
[oslo_messaging_rabbit]
rabbit_host = controller.example.com  # URL of the RabbitMQ service
rabbit_userid = openstack  # RabbitMQ account
rabbit_password = henry  # RabbitMQ password
[oslo_policy]
[quotas]
[ssl]
[root@controller ~]#
3. Configure the Modular Layer 2 (ML2) plugin
cp -p /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugins/ml2/ml2_conf.ini.bak
vim /etc/neutron/plugins/ml2/ml2_conf.ini
[ml2]
...
type_drivers = flat,vlan,vxlan
tenant_network_types = vxlan
mechanism_drivers = linuxbridge,l2population
extension_drivers = port_security
[ml2_type_flat]
...
flat_networks = provider
[ml2_type_vxlan]
...
vni_ranges = 1:1000
[securitygroup]
...
enable_ipset = True
Overview:
[root@controller ~]# cat /etc/neutron/plugins/ml2/ml2_conf.ini | grep -v ^# | grep -v ^$
[DEFAULT]
[ml2]
type_drivers = flat,vlan,vxlan  # enable flat, VLAN and VXLAN networks
tenant_network_types = vxlan  # enable VXLAN project (private) networks
mechanism_drivers = linuxbridge,l2population  # enable the Linux bridge and layer-2 population mechanisms
extension_drivers = port_security  # enable the port security extension driver
[ml2_type_flat]
flat_networks = provider
[ml2_type_geneve]
[ml2_type_gre]
[ml2_type_vlan]
[ml2_type_vxlan]
vni_ranges = 1:1000  # VXLAN network identifier range
[securitygroup]
enable_ipset = True  # enable ipset to make security group rules more convenient
[root@controller ~]#
4. Configure the Linux bridge agent
cp -p /etc/neutron/plugins/ml2/linuxbridge_agent.ini /etc/neutron/plugins/ml2/linuxbridge_agent.ini.bak
vim /etc/neutron/plugins/ml2/linuxbridge_agent.ini
[linux_bridge]
physical_interface_mappings = provider:eth1
[vxlan]
enable_vxlan = True
local_ip = 172.16.0.17
l2_population = True
[securitygroup]
...
enable_security_group = True
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
Overview:
[root@controller ~]# cat /etc/neutron/plugins/ml2/linuxbridge_agent.ini | grep -v ^# | grep -v ^$
[DEFAULT]
[agent]
[linux_bridge]
physical_interface_mappings = provider:eth1  # eth1 is my instance network NIC, with the IP 172.16.0.17 given below
[securitygroup]
enable_security_group = True  # enable security groups
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver  # set the Linux bridge iptables firewall driver
[vxlan]
enable_vxlan = True
local_ip = 172.16.0.17
l2_population = True
[root@controller ~]#
5. Configure the layer-3 agent
The Layer-3 (L3) agent provides routing and NAT (network address translation) services for virtual networks.
cp -p /etc/neutron/l3_agent.ini /etc/neutron/l3_agent.ini.bak
vim /etc/neutron/l3_agent.ini
[DEFAULT]
...
interface_driver = neutron.agent.linux.interface.BridgeInterfaceDriver  # configure the Linux bridge interface driver and the external network bridge
external_network_bridge =
6. Configure the DHCP agent
Configure the Linux bridge interface driver and the Dnsmasq DHCP driver, and enable isolated metadata so that instances on the provider network can reach the metadata service over the network.
cp -p /etc/neutron/dhcp_agent.ini /etc/neutron/dhcp_agent.ini.bak
vim /etc/neutron/dhcp_agent.ini
[DEFAULT]
...
interface_driver = neutron.agent.linux.interface.BridgeInterfaceDriver
dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq
enable_isolated_metadata = True
The metadata agent provides configuration information such as credentials to instances.
cp -p /etc/neutron/metadata_agent.ini /etc/neutron/metadata_agent.ini.bak
vim /etc/neutron/metadata_agent.ini
[DEFAULT]
...
nova_metadata_ip = controller.example.com
metadata_proxy_shared_secret = 123456
vim /etc/nova/nova.conf
[neutron]
...
url = http://controller.example.com:9696
auth_url = http://controller.example.com:35357
auth_type = password
project_domain_name = default
user_domain_name = default
region_name = RegionOne
project_name = service
username = neutron
password = 123456  # password of the neutron user
service_metadata_proxy = True
metadata_proxy_shared_secret = 123456  # shared secret of the metadata proxy
The Networking service initialization scripts expect a symbolic link /etc/neutron/plugin.ini pointing to the ML2 plugin configuration file /etc/neutron/plugins/ml2/ml2_conf.ini
1. Create the symbolic link:
ln -s /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini
2. Populate the database:
su -s /bin/sh -c "neutron-db-manage --config-file /etc/neutron/neutron.conf \
  --config-file /etc/neutron/plugins/ml2/ml2_conf.ini upgrade head" neutron
3. Restart the Compute API service:
systemctl restart openstack-nova-api.service
4. Start the following services and enable them at boot:
systemctl enable neutron-server.service \
  neutron-linuxbridge-agent.service neutron-dhcp-agent.service \
  neutron-metadata-agent.service neutron-l3-agent.service
systemctl start neutron-server.service \
  neutron-linuxbridge-agent.service neutron-dhcp-agent.service \
  neutron-metadata-agent.service neutron-l3-agent.service
Note: the following operations are run on the compute node
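Before moving on to the compute node, it is worth checking that the security-relevant settings in the five controller files edited above agree with each other. The Python audit below is an added example, not part of the original post or of neutron: it parses neutron.conf, ml2_conf.ini, linuxbridge_agent.ini, metadata_agent.ini and nova.conf and verifies Keystone auth, the port_security ML2 extension, security groups with a firewall driver, and a metadata_proxy_shared_secret that matches between metadata_agent.ini and nova.conf and is not a short value like 123456. The sample file contents, the demo() helper and the 16-character threshold are this example's assumptions.

```python
import configparser
import tempfile
from pathlib import Path

FW = "neutron.agent.linux.iptables_firewall.IptablesFirewallDriver"

# Constructed sample files mirroring the controller settings above; the values
# are this example's assumptions, not taken from a real deployment.
def sample_files(secret):
    return {
        "neutron.conf": "[DEFAULT]\ncore_plugin = ml2\nauth_strategy = keystone\n",
        "ml2_conf.ini": "[ml2]\nmechanism_drivers = linuxbridge,l2population\nextension_drivers = port_security\n",
        "linuxbridge_agent.ini": f"[securitygroup]\nenable_security_group = True\nfirewall_driver = {FW}\n",
        "metadata_agent.ini": f"[DEFAULT]\nnova_metadata_ip = controller.example.com\nmetadata_proxy_shared_secret = {secret}\n",
        "nova.conf": f"[neutron]\nservice_metadata_proxy = True\nmetadata_proxy_shared_secret = {secret}\n",
    }

def load(path):
    # oslo.config-style ini; '#' starts an inline comment as in the overview listings
    cp = configparser.ConfigParser(inline_comment_prefixes=("#",), interpolation=None)
    cp.read(path)
    return cp

def audit(confdir):
    """Return the list of findings for the five files in confdir (empty list == all checks pass)."""
    d = Path(confdir)
    neutron, ml2, lb = load(d / "neutron.conf"), load(d / "ml2_conf.ini"), load(d / "linuxbridge_agent.ini")
    meta, nova = load(d / "metadata_agent.ini"), load(d / "nova.conf")
    findings = []
    if neutron.get("DEFAULT", "auth_strategy", fallback="") != "keystone":
        findings.append("neutron.conf: auth_strategy is not keystone")
    drivers = [x.strip() for x in ml2.get("ml2", "extension_drivers", fallback="").split(",")]
    if "port_security" not in drivers:
        findings.append("ml2_conf.ini: port_security extension driver not enabled")
    if lb.get("securitygroup", "enable_security_group", fallback="").lower() != "true":
        findings.append("linuxbridge_agent.ini: security groups disabled")
    if not lb.get("securitygroup", "firewall_driver", fallback=""):
        findings.append("linuxbridge_agent.ini: no firewall_driver set")
    s_meta = meta.get("DEFAULT", "metadata_proxy_shared_secret", fallback="")
    s_nova = nova.get("neutron", "metadata_proxy_shared_secret", fallback="")
    if not s_meta or s_meta != s_nova:
        findings.append("metadata_proxy_shared_secret missing or differs between metadata_agent.ini and nova.conf")
    elif len(s_meta) < 16:  # assumed threshold; the secret authenticates instance metadata requests
        findings.append("metadata_proxy_shared_secret is short; use a long random value")
    return findings

def demo(secret="123456"):
    # Write the constructed files to a temporary directory and audit them
    d = tempfile.mkdtemp()
    for name, body in sample_files(secret).items():
        (Path(d) / name).write_text(body)
    return audit(d)
```

With the post's secret of 123456 the only finding is the short shared secret; point audit() at /etc/neutron and a copy of nova.conf to run it against a real controller.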
yum install openstack-neutron-linuxbridge ebtables ipset -y
1. Edit /etc/neutron/neutron.conf
cp -p /etc/neutron/neutron.conf /etc/neutron/neutron.conf.bak
vim /etc/neutron/neutron.conf
[DEFAULT]
...
rpc_backend = rabbit
auth_strategy = keystone
[oslo_messaging_rabbit]
...
rabbit_host = controller.example.com  # URL of the RabbitMQ service
rabbit_userid = openstack  # account
rabbit_password = henry  # password
[keystone_authtoken]
...
auth_uri = http://controller.example.com:5000
auth_url = http://controller.example.com:35357
memcached_servers = controller.example.com:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = neutron
password = 123456
[oslo_concurrency]
...
lock_path = /var/lib/neutron/tmp  # lock path
vim /etc/neutron/plugins/ml2/linuxbridge_agent.ini
[linux_bridge]
physical_interface_mappings = provider:eth1  # NIC on the compute node connected to the instance network, matching the controller configuration
[vxlan]
enable_vxlan = True  # enable VXLAN overlay networks
local_ip = 172.16.0.18  # IP address of the compute node's instance network NIC
l2_population = True
[securitygroup]
...
enable_security_group = True  # enable security groups
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver  # set the Linux bridge iptables firewall driver
vim /etc/nova/nova.conf
[neutron]
...
url = http://controller.example.com:9696
auth_url = http://controller.example.com:35357
auth_type = password
project_domain_name = default
user_domain_name = default
region_name = RegionOne
project_name = service
username = neutron
password = 123456  # password of the neutron user
1. Restart the nova-compute service
systemctl restart openstack-nova-compute.service
2. Start the linuxbridge agent and enable it at boot
systemctl enable neutron-linuxbridge-agent.service
systemctl start neutron-linuxbridge-agent.service
If you see the five smiley faces below, all services have started correctly
[root@controller ~]# source ~/admin-openrc
[root@controller ~]# neutron ext-list
+---------------------------+-----------------------------------------------+
| alias                     | name                                          |
+---------------------------+-----------------------------------------------+
| default-subnetpools       | Default Subnetpools                           |
| network-ip-availability   | Network IP Availability                       |
| network_availability_zone | Network Availability Zone                     |
| auto-allocated-topology   | Auto Allocated Topology Services              |
| ext-gw-mode               | Neutron L3 Configurable external gateway mode |
| binding                   | Port Binding                                  |
| agent                     | agent                                         |
| subnet_allocation         | Subnet Allocation                             |
| l3_agent_scheduler        | L3 Agent Scheduler                            |
| tag                       | Tag support                                   |
| external-net              | Neutron external network                      |
| net-mtu                   | Network MTU                                   |
| availability_zone         | Availability Zone                             |
| quotas                    | Quota management support                      |
| l3-ha                     | HA Router extension                           |
| provider                  | Provider Network                              |
| multi-provider            | Multi Provider Network                        |
| address-scope             | Address scope                                 |
| extraroute                | Neutron Extra Route                           |
| timestamp_core            | Time Stamp Fields addition for core resources |
| router                    | Neutron L3 Router                             |
| extra_dhcp_opt            | Neutron Extra DHCP opts                       |
| dns-integration           | DNS Integration                               |
| security-group            | security-group                                |
| dhcp_agent_scheduler      | DHCP Agent Scheduler                          |
| router_availability_zone  | Router Availability Zone                      |
| rbac-policies             | RBAC Policies                                 |
| standard-attr-description | standard-attr-description                     |
| port-security             | Port Security                                 |
| allowed-address-pairs     | Allowed Address Pairs                         |
| dvr                       | Distributed Virtual Router                    |
+---------------------------+-----------------------------------------------+
[root@controller ~]# neutron agent-list
+--------------------------------------+--------------------+------------------------+-------------------+-------+----------------+---------------------------+
| id                                   | agent_type         | host                   | availability_zone | alive | admin_state_up | binary                    |
+--------------------------------------+--------------------+------------------------+-------------------+-------+----------------+---------------------------+
| 07a5880e-bfe6-463e-b262-12b48254471d | Linux bridge agent | controller.example.com |                   | :-)   | True           | neutron-linuxbridge-agent |
| 4a386cce-f445-41d1-b85b-06d33b125ce8 | L3 agent           | controller.example.com | nova              | :-)   | True           | neutron-l3-agent          |
| 6f9d16c2-5abf-47da-aa6c-52c32a645356 | Linux bridge agent | compute.example.com    |                   | :-)   | True           | neutron-linuxbridge-agent |
| c103c215-d0f6-4627-ad94-10a3468c64aa | DHCP agent         | controller.example.com | nova              | :-)   | True           | neutron-dhcp-agent        |
| e2f4dda3-9e42-4b8f-a0ed-20320a214a74 | Metadata agent     | controller.example.com |                   | :-)   | True           | neutron-metadata-agent    |
+--------------------------------------+--------------------+------------------------+-------------------+-------+----------------+---------------------------+
[root@controller ~]#