I. Install and configure the controller node
Prerequisites
1. Create the database:
[root@Controller-Node ~]# mysql -u root -p123456
MariaDB [(none)]> CREATE DATABASE neutron;
MariaDB [(none)]> GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'localhost' IDENTIFIED BY 'neutron';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'%' IDENTIFIED BY 'neutron';
MariaDB [(none)]> exit
2. Source the admin credentials to gain access to admin-only CLI commands:
[root@Controller-Node ~]# source admin-openrc.sh
3. Create the neutron user:
[root@Controller-Node ~]# openstack user create --domain default --password-prompt neutron
User Password: neutron
Repeat User Password:
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | default                          |
| enabled             | True                             |
| id                  | 068cad0d03674df79d91c2ca9b948c69 |
| name                | neutron                          |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+
[root@Controller-Node ~]#
4. Add the admin role to the neutron user:
[root@Controller-Node ~]# openstack role add --project service --user neutron admin
5. Create the neutron service entity:
$ openstack service create --name neutron \
  --description "OpenStack Networking" network
[root@Controller-Node ~]# openstack service create --name neutron \
> --description "OpenStack Networking" network
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | OpenStack Networking             |
| enabled     | True                             |
| id          | b840910d3acd4233a2240ad0ef48634c |
| name        | neutron                          |
| type        | network                          |
+-------------+----------------------------------+
[root@Controller-Node ~]#
6. Create the Networking service API endpoints:
$ openstack endpoint create --region RegionOne \
  network public http://10.20.9.13:9696
$ openstack endpoint create --region RegionOne \
  network internal http://10.20.9.13:9696
$ openstack endpoint create --region RegionOne \
  network admin http://10.20.9.13:9696
Executed as follows:
[root@Controller-Node ~]# openstack endpoint create --region RegionOne \
> network public http://10.20.9.13:9696
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | a5dbdb40a4de4b289baf447fe2ec34b6 |
| interface    | public                           |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | b840910d3acd4233a2240ad0ef48634c |
| service_name | neutron                          |
| service_type | network                          |
| url          | http://10.20.9.13:9696           |
+--------------+----------------------------------+
[root@Controller-Node ~]# openstack endpoint create --region RegionOne \
> network internal http://10.20.9.13:9696
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | cdfe81255ec8494fb6e9b012f6b48ac6 |
| interface    | internal                         |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | b840910d3acd4233a2240ad0ef48634c |
| service_name | neutron                          |
| service_type | network                          |
| url          | http://10.20.9.13:9696           |
+--------------+----------------------------------+
[root@Controller-Node ~]# openstack endpoint create --region RegionOne \
> network admin http://10.20.9.13:9696
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 5000d169084b4b9795717a1e7175a553 |
| interface    | admin                            |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | b840910d3acd4233a2240ad0ef48634c |
| service_name | neutron                          |
| service_type | network                          |
| url          | http://10.20.9.13:9696           |
+--------------+----------------------------------+
[root@Controller-Node ~]#
II. Install the Networking service (openstack-neutron)
1. Install the components
$ yum install openstack-neutron openstack-neutron-ml2 \
  openstack-neutron-linuxbridge ebtables
2. Configure the server component
Edit the /etc/neutron/neutron.conf file and complete the following configuration:
1.> In the [database] section, configure database access:
[database]
# ...
connection=mysql://neutron:neutron@10.20.9.13/neutron
2.> In the [DEFAULT] section, enable the Modular Layer 2 (ML2) plug-in, the router service, and overlapping IP addresses:
[DEFAULT]
...
core_plugin = ml2
service_plugins = router
allow_overlapping_ips = True
3.> In the [DEFAULT] and [oslo_messaging_rabbit] sections, configure RabbitMQ message queue access:
[DEFAULT]
...
rpc_backend = rabbit

[oslo_messaging_rabbit]
...
rabbit_host = 10.20.9.13
rabbit_userid = openstack
rabbit_password = openstack
4.> In the [DEFAULT] and [keystone_authtoken] sections, configure Identity service access:
[DEFAULT]
...
auth_strategy = keystone

[keystone_authtoken]
...
auth_uri = http://10.20.9.13:5000
auth_url = http://10.20.9.13:35357
auth_plugin = password
project_domain_id = default
user_domain_id = default
project_name = service
username = neutron
password = neutron
5.> In the [DEFAULT] and [nova] sections, configure Networking to notify Compute of network topology changes:
[DEFAULT]
...
notify_nova_on_port_status_changes = True
notify_nova_on_port_data_changes = True
nova_url = http://10.20.9.13:8774/v2

[nova]
...
auth_url = http://10.20.9.13:35357
auth_plugin = password
project_domain_id = default
user_domain_id = default
region_name = RegionOne
project_name = service
username = nova
password = nova
6.> In the [oslo_concurrency] section, configure the lock path:
[oslo_concurrency]
...
lock_path = /var/lib/neutron/tmp
7.> To assist with troubleshooting, enable verbose logging in the [DEFAULT] section:
[DEFAULT]
...
verbose = True
3. Configure the Modular Layer 2 (ML2) plug-in
The ML2 plug-in uses the Linux bridge mechanism to build layer-2 (bridging/switching) virtual networking infrastructure for instances.
Edit the /etc/neutron/plugins/ml2/ml2_conf.ini file and complete the following actions:
1.> In the [ml2] section, enable flat, VLAN, and VXLAN networks:
[ml2]
...
type_drivers = flat,vlan,vxlan
2.> In the [ml2] section, enable VXLAN project (private) networks:
[ml2]
...
tenant_network_types = vxlan
3.> In the [ml2] section, enable the Linux bridge and layer-2 population mechanisms:
[ml2]
...
mechanism_drivers = linuxbridge,l2population
4.> In the [ml2] section, enable the port security extension driver:
[ml2]
...
extension_drivers = port_security
5.> In the [ml2_type_flat] section, configure the public flat provider network:
[ml2_type_flat]
...
flat_networks = public
6.> In the [ml2_type_vxlan] section, configure the VXLAN network identifier range for private networks:
[ml2_type_vxlan]
...
vni_ranges = 1:1000
7.> In the [securitygroup] section, enable ipset to make security group rules more efficient:
[securitygroup]
...
enable_ipset = True
4. Configure the Linux bridge agent
The Linux bridge agent builds the layer-2 (bridging/switching) virtual networking infrastructure for instances, including the VXLAN tunnels for private networks, and handles security groups.
Edit the /etc/neutron/plugins/ml2/linuxbridge_agent.ini file and complete the following actions:
1.> In the [linux_bridge] section, map the public virtual network to the public physical network interface, replacing PUBLIC_INTERFACE_NAME with the name of the physical network interface on your host:
[linux_bridge]
physical_interface_mappings = public:PUBLIC_INTERFACE_NAME
2.> In the [vxlan] section, enable VXLAN overlay networks, configure the IP address of the physical network interface that handles overlay networks, and enable layer-2 population:
[vxlan]
enable_vxlan = True
local_ip = OVERLAY_INTERFACE_IP_ADDRESS
l2_population = True
3.> In the [agent] section, enable ARP spoofing protection:
[agent]
...
prevent_arp_spoofing = True
4.> In the [securitygroup] section, enable security groups and configure the Linux bridge iptables firewall driver:
[securitygroup]
...
enable_security_group = True
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
5. Configure the layer-3 agent
Edit the /etc/neutron/l3_agent.ini file and complete the following actions:
1.> In the [DEFAULT] section, configure the Linux bridge interface driver and the external network bridge:
[DEFAULT]
...
interface_driver = neutron.agent.linux.interface.BridgeInterfaceDriver
external_network_bridge =
2.> (Optional) To assist with troubleshooting, enable verbose logging in the [DEFAULT] section:
[DEFAULT]
...
verbose = True
6. Configure the DHCP agent
Edit the /etc/neutron/dhcp_agent.ini file and complete the following actions:
1.> In the [DEFAULT] section, configure the Linux bridge interface driver and the Dnsmasq DHCP driver, and enable isolated metadata so that instances on public networks can reach the metadata service over the network:
[DEFAULT]
...
interface_driver = neutron.agent.linux.interface.BridgeInterfaceDriver
dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq
enable_isolated_metadata = True
2.> To assist with troubleshooting, enable verbose logging in the [DEFAULT] section:
[DEFAULT]
...
verbose = True
3.> In the [DEFAULT] section, enable the dnsmasq configuration file:
[DEFAULT]
...
dnsmasq_config_file = /etc/neutron/dnsmasq-neutron.conf
4.> Create and edit the /etc/neutron/dnsmasq-neutron.conf file to enable the DHCP MTU option (26) and set it to 1450 bytes:
dhcp-option-force=26,1450
7. Configure the metadata agent
Edit the /etc/neutron/metadata_agent.ini file and complete the following actions:
1.> In the [DEFAULT] section, configure access parameters:
[DEFAULT]
...
auth_uri = http://10.20.9.13:5000
auth_url = http://10.20.9.13:35357
auth_region = RegionOne
auth_plugin = password
project_domain_id = default
user_domain_id = default
project_name = service
username = neutron
password = neutron
nova_metadata_ip = 10.20.9.13
metadata_proxy_shared_secret = METADATA_SECRET
verbose = True
2.> In the [DEFAULT] section, configure the metadata host:
[DEFAULT]
...
nova_metadata_ip = 10.20.9.13
3.> In the [DEFAULT] section, configure the metadata proxy shared secret:
[DEFAULT]
...
metadata_proxy_shared_secret = METADATA_SECRET
4.> To assist with troubleshooting, enable verbose logging in the [DEFAULT] section:
[DEFAULT]
...
verbose = True
8. Configure Compute to use Networking
Edit the /etc/nova/nova.conf file and complete the following actions:
In the [neutron] section, configure access parameters, enable the metadata proxy, and configure the secret:
[neutron]
...
url = http://10.20.9.13:9696
auth_url = http://10.20.9.13:35357
auth_plugin = password
project_domain_id = default
user_domain_id = default
region_name = RegionOne
project_name = service
username = neutron
password = neutron
service_metadata_proxy = True
metadata_proxy_shared_secret = METADATA_SECRET
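The metadata_proxy_shared_secret that appears in both metadata_agent.ini and nova.conf is what lets nova-api trust the instance identity the Neutron metadata proxy forwards. The following added example (written for this page, not code from the guide, Neutron or Nova) reimplements that exchange: the proxy's HMAC-SHA256 signature over X-Instance-ID, nova's constant-time verification with its own copy of the secret, and the rejections that result when the two sides disagree or the METADATA_SECRET placeholder is left in place. The instance id, project id and secret are constructed sample values.

```python
"""Shared-secret check between the Neutron metadata proxy and nova-api.

Added example, not code from the guide, Neutron or Nova: it reimplements the
HMAC-SHA256 signing the proxy applies to X-Instance-ID and the verification
nova-api performs with the metadata_proxy_shared_secret from nova.conf.
"""
import hashlib
import hmac


def sign_instance_id(shared_secret: str, instance_id: str) -> str:
    """Proxy side: the value carried in the X-Instance-ID-Signature header."""
    return hmac.new(shared_secret.encode(), instance_id.encode(), hashlib.sha256).hexdigest()


def proxy_headers(shared_secret, instance_id, project_id, instance_ip):
    """Headers the metadata proxy adds when it forwards an instance's request
    for http://169.254.169.254/ to nova_metadata_ip (port 8775 by default)."""
    return {
        "X-Forwarded-For": instance_ip,
        "X-Instance-ID": instance_id,
        "X-Tenant-ID": project_id,
        "X-Instance-ID-Signature": sign_instance_id(shared_secret, instance_id),
    }


def nova_accepts(shared_secret, headers):
    """nova-api side: recompute the signature over X-Instance-ID and compare in
    constant time. On a mismatch nova answers 403 and serves no metadata.
    (Nova additionally checks that X-Tenant-ID matches the instance's project.)"""
    instance_id = headers.get("X-Instance-ID", "")
    expected = sign_instance_id(shared_secret, instance_id)
    return hmac.compare_digest(expected, headers.get("X-Instance-ID-Signature", ""))


# Constructed sample values, not from the guide. A real secret would come from
# something like `openssl rand -hex 10` and be set identically on both sides.
INSTANCE_ID = "9d3a5e6f-2b41-4c7e-8f10-3b2a1c0d9e8f"
PROJECT_ID = "5f1e2d3c4b5a69788796a5b4c3d2e1f0"
SECRET = "c4e1b9f07a2d6e8b3f5a"

if __name__ == "__main__":
    hdrs = proxy_headers(SECRET, INSTANCE_ID, PROJECT_ID, "10.0.0.5")
    print("same secret on both sides:", nova_accepts(SECRET, hdrs))            # True
    print("placeholder left in nova.conf:", nova_accepts("METADATA_SECRET", hdrs))  # False
    altered = dict(hdrs, **{"X-Instance-ID": "00000000-0000-0000-0000-000000000001"})
    print("instance id changed in transit:", nova_accepts(SECRET, altered))   # False
```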
III. Finalize the installation
1. The Networking service initialization scripts expect a symbolic link /etc/neutron/plugin.ini pointing to the ML2 plug-in configuration file /etc/neutron/plugins/ml2/ml2_conf.ini. If this symbolic link does not exist, create it with the following command:
# ln -s /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini
2. Populate the database:
# su -s /bin/sh -c "neutron-db-manage --config-file /etc/neutron/neutron.conf \
  --config-file /etc/neutron/plugins/ml2/ml2_conf.ini upgrade head" neutron
3. Restart the Compute API service:
# systemctl restart openstack-nova-api.service
4. Start the Networking services and configure them to start when the system boots.
For both networking options:
# systemctl enable neutron-server.service \
  neutron-linuxbridge-agent.service neutron-dhcp-agent.service \
  neutron-metadata-agent.service
# systemctl start neutron-server.service \
  neutron-linuxbridge-agent.service neutron-dhcp-agent.service \
  neutron-metadata-agent.service
# systemctl restart neutron-server.service \
  neutron-linuxbridge-agent.service neutron-dhcp-agent.service \
  neutron-metadata-agent.service
For networking option 2, also enable and start the layer-3 service:
# systemctl enable neutron-l3-agent.service
# systemctl start neutron-l3-agent.service
# systemctl restart neutron-l3-agent.service
IV. Install and configure the compute node (performed on 10.20.9.14)
1. Install the components
# yum install openstack-neutron openstack-neutron-linuxbridge ebtables ipset
2. Configure the common components. The Networking common component configuration includes the authentication mechanism, the message queue, and the plug-in.
Edit the /etc/neutron/neutron.conf file and complete the following actions:
1.> In the [database] section, comment out any connection options, because compute nodes do not directly access the database.
2.> In the [DEFAULT] and [oslo_messaging_rabbit] sections, configure RabbitMQ message queue access:
[DEFAULT]
...
rpc_backend = rabbit

[oslo_messaging_rabbit]
...
rabbit_host = 10.20.9.13
rabbit_userid = openstack
rabbit_password = openstack
3.> In the [DEFAULT] and [keystone_authtoken] sections, configure Identity service access:
[DEFAULT]
...
auth_strategy = keystone

[keystone_authtoken]
...
auth_uri = http://10.20.9.13:5000
auth_url = http://10.20.9.13:35357
auth_plugin = password
project_domain_id = default
user_domain_id = default
project_name = service
username = neutron
password = neutron
4.> In the [oslo_concurrency] section, configure the lock path:
[oslo_concurrency]
...
lock_path = /var/lib/neutron/tmp
5.> To assist with troubleshooting, enable verbose logging in the [DEFAULT] section:
[DEFAULT]
...
verbose = True
3. Configure the Linux bridge agent
The Linux bridge agent builds the layer-2 (bridging/switching) virtual networking infrastructure for instances, including the VXLAN tunnels for private networks, and handles security groups.
Edit the /etc/neutron/plugins/ml2/linuxbridge_agent.ini file and complete the following actions:
1.> In the [linux_bridge] section, map the public virtual network to the public physical network interface:
[linux_bridge]
physical_interface_mappings = public:PUBLIC_INTERFACE_NAME
2.> In the [vxlan] section, enable VXLAN overlay networks, configure the IP address of the physical network interface that handles overlay networks, and enable layer-2 population:
[vxlan]
enable_vxlan = True
local_ip = OVERLAY_INTERFACE_IP_ADDRESS
l2_population = True
3.> In the [agent] section, enable ARP spoofing protection:
[agent]
...
prevent_arp_spoofing = True
4.> In the [securitygroup] section, enable security groups and configure the Linux bridge iptables firewall driver:
[securitygroup]
...
enable_security_group = True
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
4. Configure Compute to use Networking
Edit the /etc/nova/nova.conf file and complete the following actions:
1.> In the [neutron] section, configure access parameters:
[neutron]
...
url = http://10.20.9.13:9696
auth_url = http://10.20.9.13:35357
auth_plugin = password
project_domain_id = default
user_domain_id = default
region_name = RegionOne
project_name = service
username = neutron
password = neutron
5. Finalize the installation
1.> Restart the Compute service:
# systemctl restart openstack-nova-compute.service
2.> Start the Linux bridge agent and configure it to start when the system boots:
# systemctl enable neutron-linuxbridge-agent.service
# systemctl start neutron-linuxbridge-agent.service
# systemctl restart neutron-linuxbridge-agent.service
6. Verify operation
Perform these commands on the controller node.
1.> Source the admin credentials to gain access to admin-only CLI commands:
# source admin-openrc.sh
2.> List the loaded extensions to verify successful launch of the neutron-server process:
[root@Controller-Node ~]# openstack extension list --network
+----------------------------------------------------------+---------------------------+-----------------------------------------------------------+
| Name                                                     | Alias                     | Description                                               |
+----------------------------------------------------------+---------------------------+-----------------------------------------------------------+
| Default Subnetpools                                      | default-subnetpools       | Provides ability to mark and use a subnetpool as the      |
|                                                          |                           | default                                                   |
| Network IP Availability                                  | network-ip-availability   | Provides IP availability data for each network and        |
|                                                          |                           | subnet.                                                   |
| Network Availability Zone                                | network_availability_zone | Availability zone support for network.                    |
| Auto Allocated Topology Services                         | auto-allocated-topology   | Auto Allocated Topology Services.                         |
| Neutron L3 Configurable external gateway mode            | ext-gw-mode               | Extension of the router abstraction for specifying        |
|                                                          |                           | whether SNAT should occur on the external gateway         |
| Port Binding                                             | binding                   | Expose port bindings of a virtual port to external        |
|                                                          |                           | application                                               |
| agent                                                    | agent                     | The agent management extension.                           |
| Subnet Allocation                                        | subnet_allocation         | Enables allocation of subnets from a subnet pool          |
| L3 Agent Scheduler                                       | l3_agent_scheduler        | Schedule routers among l3 agents                          |
| Tag support                                              | tag                       | Enables to set tag on resources.                          |
| Neutron external network                                 | external-net              | Adds external network attribute to network resource.      |
| Neutron Service Flavors                                  | flavors                   | Flavor specification for Neutron advanced services        |
| Network MTU                                              | net-mtu                   | Provides MTU attribute for a network resource.            |
| Availability Zone                                        | availability_zone         | The availability zone extension.                          |
| Quota management support                                 | quotas                    | Expose functions for quotas management per tenant         |
| HA Router extension                                      | l3-ha                     | Add HA capability to routers.                             |
| Provider Network                                         | provider                  | Expose mapping of virtual networks to physical networks   |
| Multi Provider Network                                   | multi-provider            | Expose mapping of virtual networks to multiple physical   |
|                                                          |                           | networks                                                  |
| Address scope                                            | address-scope             | Address scopes extension.                                 |
| Neutron Extra Route                                      | extraroute                | Extra routes configuration for L3 router                  |
| Subnet service types                                     | subnet-service-types      | Provides ability to set the subnet service_types field    |
| Resource timestamps                                      | standard-attr-timestamp   | Adds created_at and updated_at fields to all Neutron      |
|                                                          |                           | resources that have Neutron standard attributes.          |
| Neutron Service Type Management                          | service-type              | API for retrieving service providers for Neutron advanced |
|                                                          |                           | services                                                  |
| Router Flavor Extension                                  | l3-flavors                | Flavor support for routers.                               |
| Port Security                                            | port-security             | Provides port security                                    |
| Neutron Extra DHCP opts                                  | extra_dhcp_opt            | Extra options configuration for DHCP. For example PXE     |
|                                                          |                           | boot options to DHCP clients can be specified (e.g. tftp- |
|                                                          |                           | server, server-ip-address, bootfile-name)                 |
| Resource revision numbers                                | standard-attr-revisions   | This extension will display the revision number of        |
|                                                          |                           | neutron resources.                                        |
| Pagination support                                       | pagination                | Extension that indicates that pagination is enabled.      |
| Sorting support                                          | sorting                   | Extension that indicates that sorting is enabled.         |
| security-group                                           | security-group            | The security groups extension.                            |
| DHCP Agent Scheduler                                     | dhcp_agent_scheduler      | Schedule networks among dhcp agents                       |
| Router Availability Zone                                 | router_availability_zone  | Availability zone support for router.                     |
| RBAC Policies                                            | rbac-policies             | Allows creation and modification of policies that control |
|                                                          |                           | tenant access to resources.                               |
| Tag support for resources: subnet, subnetpool, port,     | tag-ext                   | Extends tag support to more L2 and L3 resources.          |
| router                                                   |                           |                                                           |
| standard-attr-description                                | standard-attr-description | Extension to add descriptions to standard attributes      |
| Neutron L3 Router                                        | router                    | Router abstraction for basic L3 forwarding between L2     |
|                                                          |                           | Neutron networks and access to external networks via a    |
|                                                          |                           | NAT gateway.                                              |
| Allowed Address Pairs                                    | allowed-address-pairs     | Provides allowed address pairs                            |
| project_id field enabled                                 | project-id                | Extension that indicates that project_id field is         |
|                                                          |                           | enabled.                                                  |
| Distributed Virtual Router                               | dvr                       | Enables configuration of Distributed Virtual Routers.     |
+----------------------------------------------------------+---------------------------+-----------------------------------------------------------+
[root@Controller-Node ~]#
3.> List the agents to verify successful launch of the neutron agents:
[root@Controller-Node ~]# openstack network agent list
+--------------------------------------+--------------------+-----------------+-------------------+-------+-------+---------------------------+
| ID                                   | Agent Type         | Host            | Availability Zone | Alive | State | Binary                    |
+--------------------------------------+--------------------+-----------------+-------------------+-------+-------+---------------------------+
| 4cb8842e-f9bb-4c5b-9202-0f0de50b3308 | Linux bridge agent | Controller-Node | None              | True  | UP    | neutron-linuxbridge-agent |
| 67c9e1bb-2e57-4984-9c53-c97f338fbeab | L3 agent           | Controller-Node | nova              | True  | UP    | neutron-l3-agent          |
| b135bda1-dea3-4b04-bdac-c4977e74f0ef | Linux bridge agent | Compute-Node    | None              | True  | UP    | neutron-linuxbridge-agent |
| bfc6c4fb-8633-460e-9b1c-f6d827bf728b | Metadata agent     | Controller-Node | None              | True  | UP    | neutron-metadata-agent    |
| c67e45cc-bc96-4eea-8ab6-fc4c659e75c9 | DHCP agent         | Controller-Node | nova              | True  | UP    | neutron-dhcp-agent        |
+--------------------------------------+--------------------+-----------------+-------------------+-------+-------+---------------------------+
[root@Controller-Node ~]#
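The agent list shows that the agents are alive, but not that the protections enabled along the way (the port_security extension driver, prevent_arp_spoofing, security groups with the iptables firewall driver, ipset, and a real metadata secret) are actually present in the files on disk. The following added audit (written for this page, not part of the guide or of Neutron) checks those settings in ml2_conf.ini, linuxbridge_agent.ini and metadata_agent.ini; the two sample configurations embedded in it are constructed, one hardened and one with the guide's placeholders left in and ARP spoofing protection switched off.

```python
"""Audit the security-relevant Neutron settings this guide enables.
Added example, not from the guide or Neutron; the configs below are constructed
samples standing in for the files under /etc/neutron on the controller."""
import configparser

# (file, section, option, required value) for the protections the guide turns on.
REQUIRED = [
    ("ml2_conf.ini", "ml2", "extension_drivers", "port_security"),
    ("ml2_conf.ini", "securitygroup", "enable_ipset", "True"),
    ("linuxbridge_agent.ini", "agent", "prevent_arp_spoofing", "True"),
    ("linuxbridge_agent.ini", "securitygroup", "enable_security_group", "True"),
    ("linuxbridge_agent.ini", "securitygroup", "firewall_driver",
     "neutron.agent.linux.iptables_firewall.IptablesFirewallDriver"),
]
# Placeholders the guide uses; each must be replaced with a real value before use.
PLACEHOLDERS = ("METADATA_SECRET", "PUBLIC_INTERFACE_NAME", "OVERLAY_INTERFACE_IP_ADDRESS")

def parse_ini(text):
    """Parse one config file; interpolation is off because values may contain '%'."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp

def audit(files):
    """files maps a file name to its text. Returns a list of findings (empty = hardened)."""
    findings = []
    parsed = {name: parse_ini(text) for name, text in files.items()}
    for fname, section, option, expected in REQUIRED:
        cp = parsed.get(fname)
        actual = cp.get(section, option, fallback=None) if cp else None
        if actual is None or actual.strip() != expected:
            findings.append(f"{fname}: [{section}] {option} = {actual!r}, expected {expected!r}")
    for fname, cp in parsed.items():
        seen = set()  # [DEFAULT] values are inherited by every section; report each once
        for section in [cp.default_section] + cp.sections():
            for option, value in cp.items(section):
                if any(p in value for p in PLACEHOLDERS) and (option, value) not in seen:
                    seen.add((option, value))
                    findings.append(f"{fname}: [{section}] {option} = {value!r} is still a placeholder")
    return findings

# Constructed sample configurations (not the guide's files); the secret is made up.
HARDENED = {
    "ml2_conf.ini": "[ml2]\nextension_drivers = port_security\n[securitygroup]\nenable_ipset = True\n",
    "linuxbridge_agent.ini": "[linux_bridge]\nphysical_interface_mappings = public:eth1\n"
    "[agent]\nprevent_arp_spoofing = True\n[securitygroup]\nenable_security_group = True\n"
    "firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver\n",
    "metadata_agent.ini": "[DEFAULT]\nmetadata_proxy_shared_secret = 6d1f0a9c3b7e2458c0de\n",
}
WEAK = dict(HARDENED)
WEAK["ml2_conf.ini"] = "[ml2]\ntype_drivers = flat,vlan,vxlan\n[securitygroup]\nenable_ipset = True\n"
WEAK["linuxbridge_agent.ini"] = HARDENED["linuxbridge_agent.ini"].replace(
    "public:eth1", "public:PUBLIC_INTERFACE_NAME").replace("prevent_arp_spoofing = True", "prevent_arp_spoofing = False")
WEAK["metadata_agent.ini"] = "[DEFAULT]\nmetadata_proxy_shared_secret = METADATA_SECRET\n"
```

Running audit(HARDENED) yields no findings, while audit(WEAK) reports the missing extension driver, the disabled ARP spoofing protection and the two placeholders; on a real node, read the three files under /etc/neutron into the dictionary instead of the samples.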