Openstack之路(五)网络服务Neutron
Neutron的概述Openstack的网络(Neutron),可以创建和附加其它的Openstack服务,网络管理接口设备。插件可以被实现,以适应不同的网络设备和软件,提供灵活性,以开栈架构和部署。
Openstack的网络(Neutron)管理虚拟网络基础架构(VNI),并在您的Openstack的环境中的物理网络基础架构(PNI)的接入层方面的所有网络方面。开栈网络允许租户创建高级的虚拟网络拓扑可包括服务,例如防火墙,负载均衡器,和虚拟专用网(VPN)。
Neutron基本概念
网络
在普通人的眼里,网络就是网线和供网线插入的端口,一个盒子会提供这些端口。对于网络工程师来说,网络的盒子指的是交换机和路由器。所以在物理世界中,网络可以简单地被认为包括网线,交换机和路由器。当然,除了物理设备,我们还有软的物件:IP地址,交换机和路由器的配置和管理软件以及各种网络协议。Neutron网络目的是划分物理网络,在多租户环境下提供给每个租户独立的网络环境。另外,Neutron提供API来实现这种目标。Neutron中“网络”是一个可以被用户创建的对象,如果要和物理环境下的概念映射的话,这个对象相当于一个巨大的交换机,可以拥有无限多个动态可创建和销毁的虚拟端口。
子网
简单地说,子网是由一组IP地址组成的地址池。不同子网间的通信需要路由器的支持,这个Neutron和物理网络下是一致的。Neutron中子网隶属于网络。
端口
在物理网络环境中,端口是用于连接设备进入网络的地方。Neutron中的端口起着类似的功能,它是路由器和虚拟机挂接网络的着附点。
路由
和物理环境下的路由器类似,Neutron中的路由器也是一个路由选择和转发部件。只不过在Neutron中,它是可以创建和销毁的软部件。
Neutron的组件
[*]Neutron Server
可以理解为一个专门用来接收Neutron REST API调用的服务器,然后负责将不同的REST API分发到不同的Neutron-Plugin上。
[*]Neutron-Plugin
可以理解为不同网络功能实现的入口,各个厂商可以开发自己的plugin。Neutron-Plugin接收Neutron-Server分发过来的REST API,向neutron database完成一些信息的注册,然后将具体要执行的业务操作和参数通知给自身对应的neutron agent。
[*]Neutron-Agent
可以理解为Neutron-Plugin在设备上的代理,接收相应的Neutron-Plugin通知的业务操作和参数,并转换为具体的设备级操作,以指导设备的动作。当设备本地发生问题时,Neutron-Agent会将情况通知给Neutron-Plugin。
[*]Neutron Database
Neutron的数据库,存放网络状态信息,包括Network,Subnet, Port,Router等。
[*]Network Provider
实际执行功能的网络设备,一般为虚拟交换机(OVS或者Linux Bridge)
安装配置控制节点
Neutron的安装
[*]创建数据库,服务凭证和API端点
MariaDB [(none)]> create database neutron;
Query OK, 1 row affected (0.00 sec)
MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| glance |
| information_schema |
| keystone |
| mysql |
| neutron |
| nova |
| nova_api |
| performance_schema |
+--------------------+
8 rows in set (0.00 sec)
MariaDB [(none)]> grant all on neutron.* to 'neutron'@'localhost' identified by 'neutron';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> grant all on neutron.* to 'neutron'@'%' identified by 'neutron';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> exit
Bye
[*]获得admin凭证来获取只有管理员能执行的命令的访问权限
# source admin-openrc
[*]要创建服务证书,完成这些步骤
创建neutron用户
# openstack user create --domain default --password-prompt neutron
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | default |
| enabled | True |
| id | cb35cc907b04428c8425cdba65819dad |
| name | neutron |
| password_expires_at | None |
+---------------------+----------------------------------+
添加admin角色到neutron用户
# openstack role add --project service --user neutron admin
创建neutron服务实体
# openstack service create --name neutron \
--description "OpenStack Networking" network
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | OpenStack Networking |
| enabled | True |
| id | c96abf0d2fe6402ebb55d8b3fdb95626 |
| name | neutron |
| type | network |
+-------------+----------------------------------+
创建网络服务API端点
# openstack endpoint create --region RegionOne \
network public http://192.168.56.11:9696
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 3723a017a5b84a0e85eb9e41329025f5 |
| interface | public |
| region | RegionOne |
| region_id | RegionOne |
| service_id | c96abf0d2fe6402ebb55d8b3fdb95626 |
| service_name | neutron |
| service_type | network |
| url | http://192.168.56.11:9696 |
+--------------+----------------------------------+
# openstack endpoint create --region RegionOne \
network internal http://192.168.56.11:9696
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 7d1b36d47ee9451e963b5d6f1b9c6337 |
| interface | internal |
| region | RegionOne |
| region_id | RegionOne |
| service_id | c96abf0d2fe6402ebb55d8b3fdb95626 |
| service_name | neutron |
| service_type | network |
| url | http://192.168.56.11:9696 |
+--------------+----------------------------------+
# openstack endpoint create --region RegionOne \
network admin http://192.168.56.11:9696
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 8a146ce4d097417c8eeda705d6da90a2 |
| interface | admin |
| region | RegionOne |
| region_id | RegionOne |
| service_id | c96abf0d2fe6402ebb55d8b3fdb95626 |
| service_name | neutron |
| service_type | network |
| url | http://192.168.56.11:9696 |
+--------------+----------------------------------+
[*]安装Neutron相关软件包
# yum -y install openstack-neutron openstack-neutron-ml2 openstack-neutron-linuxbridge ebtables
# rpm -qa openstack-neutron openstack-neutron-ml2 openstack-neutron-linuxbridge ebtables
ebtables-2.0.10-15.el7.x86_64
openstack-neutron-9.4.1-1.el7.noarch
openstack-neutron-linuxbridge-9.4.1-1.el7.noarch
openstack-neutron-ml2-9.4.1-1.el7.noarch
Neutron的配置
[*]编辑/etc/neutron/neutron.conf文件并完成如下操作
# cp -a /etc/neutron/neutron.conf /etc/neutron/neutron.conf_$(date +%F)
# vim /etc/neutron/neutron.conf
在部分,配置数据库访问
......
722 connection = mysql+pymysql://neutron:neutron@192.168.56.11/neutron
在部分,启用ML2插件并禁用其他插件
......
30 core_plugin = ml2
33 service_plugins =
在部分,配置RabbitMQ消息队列访问权限
......
530 transport_url = rabbit://openstack:openstack@192.168.56.11
在和部分,配置认证服务访问
......
27 auth_strategy = keystone
803 auth_uri = http://192.168.56.11:5000
804 auth_url = http://192.168.56.11:35357
805 memcached_servers = 192.168.56.11:11211
806 auth_type = password
807 project_domain_name = Default
808 user_domain_name = Default
809 project_name = service
810 username = neutron
811 password = neutron
在和部分,配置网络服务来通知计算节点的网络拓扑变化
......
118 notify_nova_on_port_status_changes = true
122 notify_nova_on_port_data_changes = true
1002 auth_url = http://192.168.56.11:35357
1003 auth_type = password
1004 project_domain_name = Default
1005 user_domain_name = Default
1006 region_name = RegionOne
1007 project_name = service
1008 username = nova
1009 password = nova
在部分,配置锁路径
......
1123 lock_path = /var/lib/neutron/tmp
ML2插件的配置
ML2插件使用Linuxbridge机制来为实例创建layer-2虚拟网络基础设施,警告:你后配置ML2插件,在type_drivers选项可能会导致数据库不一致移除值。
[*]编辑/etc/neutron/plugins/ml2/ml2_conf.ini文件并完成以下操作
# cp -a /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugins/ml2/ml2_conf.ini_$(date +%F)
# vim /etc/neutron/plugins/ml2/ml2_conf.ini
在部分,启用flat和VLAN网络
......
109 type_drivers = flat,vlan
在部分,禁用私有网络
......
114 tenant_network_types =
在部分,启用Linuxbridge机制
......
118 mechanism_drivers = linuxbridge
在部分,启用端口安全扩展驱动
......
123 extension_drivers = port_security
在部分,配置公共虚拟网络为flat网络
......
159 flat_networks = provider
在部分,启用ipset增加安全组的方便性
......
236 enable_ipset = true
Linuxbridge代理的配置
Linuxbridge代理为实例建立layer-2虚拟网络并且处理安全组规则。
[*]编辑/etc/neutron/plugins/ml2/linuxbridge_agent.ini文件并且完成以下操作
# cp -a /etc/neutron/plugins/ml2/linuxbridge_agent.ini /etc/neutron/plugins/ml2/linuxbridge_agent.ini_$(date +%F)
# vim /etc/neutron/plugins/ml2/linuxbridge_agent.ini
在部分,将公共虚拟网络和公共物理网络接口对应起来
......
143 physical_interface_mappings = provider:eth0
在部分,禁止VXLAN覆盖网络
176 enable_vxlan = False
在部分,启用安全组并配置Linux桥接iptables防火墙驱动
......
156 firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
161 enable_security_group = true
在部分,启用防ARP欺骗
......
126 prevent_arp_spoofing = true
DHCP代理的配置
[*]编辑/etc/neutron/dhcp_agent.ini文件并完成下面的操作
# cp -a /etc/neutron/dhcp_agent.ini /etc/neutron/dhcp_agent.ini_$(date +%F)
# vim /etc/neutron/dhcp_agent.ini
在部分,配置Linuxbridge驱动接口,DHCP驱动并启用隔离元数据,这样在公共网络上的实例就可以通过网络来访问元数据
......
16 interface_driver = neutron.agent.linux.interface.BridgeInterfaceDriver
32 dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq
41 enable_isolated_metadata = True
元数据代理的配置
[*]编辑/etc/neutron/metadata_agent.ini文件并完成以下操作
# cp -a /etc/neutron/metadata_agent.ini /etc/neutron/metadata_agent.ini_$(date +%F)
# vim /etc/neutron/metadata_agent.ini
在部分,配置元数据主机以及共享密码
......
22 nova_metadata_ip = 192.168.56.11
34 metadata_proxy_shared_secret = neutron
控制节点使用网络的配置
[*]编辑/etc/nova/nova.conf文件并完成以下操作
# vim /etc/nova/nova.conf
在部分,配置访问参数,启用元数据代理并设置密码
6472 url = http://192.168.56.11:9696
6473 auth_url = http://192.168.56.11:35357
6474 auth_type = password
6475 project_domain_name = Default
6476 user_domain_name = Default
6477 region_name = RegionOne
6478 project_name = service
6479 username = neutron
6480 password = neutron
6481 service_metadata_proxy = True
6482 metadata_proxy_shared_secret = neutron
Neutron安装完成
[*]网络服务初始化脚本需要一个超链接/etc/neutron/plugin.ini指向ML2插件配置文件/etc/neutron/plugins/ml2/ml2_conf.ini
# ln -s /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini
# ls -l /etc/neutron/plugin.ini
lrwxrwxrwx 1 root root 37 Jan 18 10:50 /etc/neutron/plugin.ini -> /etc/neutron/plugins/ml2/ml2_conf.ini
[*]同步数据库,可以忽略警告信息
# su -s /bin/sh -c "neutron-db-manage --config-file /etc/neutron/neutron.conf \
--config-file /etc/neutron/plugins/ml2/ml2_conf.ini upgrade head" neutron
# mysql -uneutron -pneutron -e "use neutron;show tables;"|wc -l
163
[*]重新启动控制节点Nova API服务
# systemctl restart openstack-nova-api.service
# systemctl status openstack-nova-api.service
[*]启动网络服务并将其配置为系统启动时启动
# systemctl enable neutron-server.service \
neutron-linuxbridge-agent.service neutron-dhcp-agent.service \
neutron-metadata-agent.service
# systemctl start neutron-server.service \
neutron-linuxbridge-agent.service neutron-dhcp-agent.service \
neutron-metadata-agent.service
# systemctl status neutron-server.service \
neutron-linuxbridge-agent.service neutron-dhcp-agent.service \
neutron-metadata-agent.service
Neutron验证操作
# source admin-openrc
# neutron agent-list
+--------------------+--------------------+-------------+-------------------+-------+----------------+---------------------+
| id | agent_type | host | availability_zone | alive | admin_state_up | binary |
+--------------------+--------------------+-------------+-------------------+-------+----------------+---------------------+
| 1bd2e7bb-a74f-4613 | DHCP agent | linux-node1 | nova | :-) | True | neutron-dhcp-agent|
| -87dc-13696f5a2350 | | | | | | |
| a3a0b766-e3ba- | Metadata agent | linux-node1 | | :-) | True | neutron-metadata- |
| 4e5a- | | | | | | agent |
| 84d3-bda27afaaa9d| | | | | | |
| eb6e6a13-42e5-4dae | Linux bridge agent | linux-node1 | | :-) | True | neutron- |
| -8755-f66167321293 | | | | | | linuxbridge-agent |
+--------------------+--------------------+-------------+-------------------+-------+----------------+---------------------+
安装配置计算节点
Neutron的安装
[*]安装Neutron相关软件包
# yum -y install openstack-neutron-linuxbridge ebtables ipset
# rpm -qa openstack-neutron-linuxbridge ebtables ipset
ebtables-2.0.10-15.el7.x86_64
ipset-6.29-1.el7.x86_64
openstack-neutron-linuxbridge-9.4.1-1.el7.noarch
Neutron的配置
[*]编辑/etc/neutron/neutron.conf文件并完成如下操作
# cp -a /etc/neutron/neutron.conf /etc/neutron/neutron.conf_$(date +%F)
# vim /etc/neutron/neutron.conf
在部分,注释所有connection项,因为计算节点不直接访问数据库
在部分,配置RabbitMQ消息队列访问权限
......
530 transport_url = rabbit://openstack:openstack@192.168.56.11
在和部分,配置认证服务访问
......
27 auth_strategy = keystone
803 auth_uri = http://192.168.56.11:5000
804 auth_url = http://192.168.56.11:35357
805 memcached_servers = 192.168.56.11:11211
806 auth_type = password
807 project_domain_name = Default
808 user_domain_name = Default
809 project_name = service
810 username = neutron
811 password = neutron
在部分,配置锁路径
......
1115 lock_path = /var/lib/neutron/tmp
Linuxbridge代理的配置
Linuxbridge代理为实例建立layer-2虚拟网络并且处理安全组规则。
[*]编辑/etc/neutron/plugins/ml2/linuxbridge_agent.ini文件并且完成以下操作
# cp -a /etc/neutron/plugins/ml2/linuxbridge_agent.ini /etc/neutron/plugins/ml2/linuxbridge_agent.ini_$(date +%F)
# vim /etc/neutron/plugins/ml2/linuxbridge_agent.ini
在部分,将公共虚拟网络和公共物理网络接口对应起来
......
143 physical_interface_mappings = provider:eth0
在部分,禁止VXLAN覆盖网络
176 enable_vxlan = False
在部分,启用安全组并配置Linux桥接iptables防火墙驱动
......
156 firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
161 enable_security_group = true
在部分,启用防ARP欺骗
......
126 prevent_arp_spoofing = true
计算节点使用网络的配置
[*]编辑/etc/nova/nova.conf文件并完成以下操作
# vim /etc/nova/nova.conf
在部分,配置访问参数,启用元数据代理并设置密码
6472 url = http://192.168.56.11:9696
6473 auth_url = http://192.168.56.11:35357
6474 auth_type = password
6475 project_domain_name = Default
6476 user_domain_name = Default
6477 region_name = RegionOne
6478 project_name = service
6479 username = neutron
6480 password = neutron
Neutron安装完成
[*]重新启动计算服务
# systemctl restart openstack-nova-compute.service
# systemctl status openstack-nova-compute.service
[*]启动Linuxbridge代理并配置它开机自启动
# systemctl enable neutron-linuxbridge-agent.service
# systemctl start neutron-linuxbridge-agent.service
# systemctl status neutron-linuxbridge-agent.service
Neutron验证操作
[*]获得admin凭证来获取只有管理员能执行的命令的访问权限
# source admin-openrc
[*]列出加载的扩展来验证neutron-server进程是否正常启动
# neutron ext-list
+---------------------------+---------------------------------+
| alias | name |
+---------------------------+---------------------------------+
| default-subnetpools | Default Subnetpools |
| availability_zone | Availability Zone |
| network_availability_zone | Network Availability Zone |
| binding | Port Binding |
| agent | agent |
| subnet_allocation | Subnet Allocation |
| dhcp_agent_scheduler | DHCP Agent Scheduler |
| tag | Tag support |
| external-net | Neutron external network |
| flavors | Neutron Service Flavors |
| net-mtu | Network MTU |
| network-ip-availability | Network IP Availability |
| quotas | Quota management support |
| provider | Provider Network |
| multi-provider | Multi Provider Network |
| address-scope | Address scope |
| subnet-service-types | Subnet service types |
| standard-attr-timestamp | Resource timestamps |
| service-type | Neutron Service Type Management |
| extra_dhcp_opt | Neutron Extra DHCP opts |
| standard-attr-revisions | Resource revision numbers |
| pagination | Pagination support |
| sorting | Sorting support |
| security-group | security-group |
| rbac-policies | RBAC Policies |
| standard-attr-description | standard-attr-description |
| port-security | Port Security |
| allowed-address-pairs | Allowed Address Pairs |
| project-id | project_id field enabled |
+---------------------------+---------------------------------+
# neutron agent-list
+--------------------+--------------------+-------------+-------------------+-------+----------------+---------------------+
| id | agent_type | host | availability_zone | alive | admin_state_up | binary |
+--------------------+--------------------+-------------+-------------------+-------+----------------+---------------------+
| 1bd2e7bb-a74f-4613 | DHCP agent | linux-node1 | nova | :-) | True | neutron-dhcp-agent|
| -87dc-13696f5a2350 | | | | | | |
| 746000d6-c48d-418b | Linux bridge agent | linux-node2 | | :-) | True | neutron- |
| -9501-8c008873374d | | | | | | linuxbridge-agent |
| a3a0b766-e3ba- | Metadata agent | linux-node1 | | :-) | True | neutron-metadata- |
| 4e5a- | | | | | | agent |
| 84d3-bda27afaaa9d| | | | | | |
| eb6e6a13-42e5-4dae | Linux bridge agent | linux-node1 | | :-) | True | neutron- |
| -8755-f66167321293 | | | | | | linuxbridge-agent |
+--------------------+--------------------+-------------+-------------------+-------+----------------+---------------------+
页:
[1]