Networking service, code-named: neutron
OpenStack Networking interacts mainly with OpenStack Compute, providing networks and connectivity for its instances.
OpenStack Networking (neutron) manages all networking facets of the Virtual Networking Infrastructure (VNI) and the access-layer aspects of the Physical Networking Infrastructure (PNI) in your OpenStack environment. It lets projects create advanced virtual network topologies that may include services such as firewalls, load balancers and virtual private networks (VPNs).
Networking provides networks, subnets and routers as object abstractions. Each abstraction has functionality that mimics its physical counterpart: networks contain subnets, and routers route traffic between different subnets and networks.
Installation and configuration (controller node)
Prerequisites
# su -xiao
$ mysql -u root -p
CREATE DATABASE neutron;
GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'localhost' \
IDENTIFIED BY 'NEUTRON_DBPASS';
GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'%' \
IDENTIFIED BY 'NEUTRON_DBPASS';
MariaDB [(none)]> exit
$ . /etc/openstack/admin-openrc
Create the neutron user
$ openstack user create --domain default --password-prompt neutron
Add the admin role to the neutron user in the service project
$ openstack role add --project service --user neutron admin
Create the neutron service entity, with service type network
openstack service create --name neutron \
--description "OpenStack Networking" network
Create the API endpoints for the neutron service
openstack endpoint create --region RegionOne \
network public http://controller-150:9696
openstack endpoint create --region RegionOne \
network internal http://controller-150:9696
openstack endpoint create --region RegionOne \
network admin http://controller-150:9696
Verify that the service and its endpoints were created
$ openstack service list
$ openstack endpoint list --service neutron
Configure networking options
Neutron offers two network architecture options: Provider networks and Self-service networks.
Provider networks (external networks)
The simplest architecture to deploy; it only supports attaching instances to provider (external) networks. There are no self-service (private) networks, routers or floating IP addresses. Only the admin user or another privileged user can manage provider networks.
Self-service networks (internal networks)
Augments option 1 with layer-3 services that support attaching instances to self-service networks. The demo user or another unprivileged user can manage self-service networks, including the routers that provide connectivity between self-service and provider networks. In addition, floating IP addresses give instances on self-service networks connectivity to external networks.
Overlay networks
Self-service networks typically use overlay networks. Overlay protocols such as VXLAN add extra headers that increase overhead and reduce the space available for the payload or user data; these headers belong to the virtual network infrastructure. By default, instances use a 1500-byte Ethernet MTU. The DHCP service supplies the MTU value automatically; images that do not support DHCP must be configured with a script instead.
Here we configure both options.
- Install the components
yum install openstack-neutron openstack-neutron-ml2 \
openstack-neutron-openvswitch ebtables -y
- Configure the server component
vi /etc/neutron/neutron.conf
[DEFAULT]
auth_strategy = keystone
core_plugin = ml2
service_plugins = router
dhcp_agent_notification = True
allow_overlapping_ips = true
notify_nova_on_port_status_changes = true
notify_nova_on_port_data_changes = true
transport_url = rabbit://openstack:RABBIT_PASS@controller-150
[agent]
[cors]
[database]
connection = mysql+pymysql://neutron:NEUTRON_DBPASS@controller-150/neutron
[keystone_authtoken]
www_authenticate_uri = http://controller-150:5000
auth_url = http://controller-150:5000
memcached_servers = controller-150:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = neutron
password = 你的密码
[matchmaker_redis]
[nova]
auth_url = http://controller-150:5000
auth_type = password
project_domain_name = default
user_domain_name = default
region_name = RegionOne
project_name = service
username = nova
password = 你的密码
[oslo_concurrency]
lock_path = /var/lib/neutron/tmp
- Configure the Modular Layer 2 (ML2) plug-in
vi /etc/neutron/plugins/ml2/ml2_conf.ini
[DEFAULT]
[l2pop]
[ml2]
type_drivers = flat,vlan,vxlan
tenant_network_types = vxlan
mechanism_drivers = openvswitch,l2population
extension_drivers = port_security
[ml2_type_flat]
flat_networks = provider
[ml2_type_geneve]
[ml2_type_gre]
[ml2_type_vlan]
[ml2_type_vxlan]
vni_ranges = 3001:4000
[securitygroup]
- Configure the Open vSwitch agent
vi /etc/neutron/plugins/ml2/openvswitch_agent.ini
[DEFAULT]
[agent]
tunnel_types = vxlan
l2_population = True
[network_log]
[ovs]
bridge_mappings = provider:br-provider
local_ip = 192.168.11.150
[securitygroup]
firewall_driver = openvswitch
enable_security_group = true
enable_ipset = true
[xenapi]
Create the OVS provider bridge br-provider
Start the openvswitch service first
# systemctl enable openvswitch
# systemctl start openvswitch
then run the command below; if the service is not running it fails with:
ovs-vsctl: unix:/var/run/openvswitch/db.sock: database connection failed (No such file or directory)
$ ovs-vsctl add-br br-provider
Add the provider network interface as a port of the OVS provider bridge (br-provider)
ovs-vsctl add-port br-provider ens224
- Configure the layer-3 agent
vi /etc/neutron/l3_agent.ini
[DEFAULT]
interface_driver = openvswitch
external_network_bridge =
[agent]
[ovs]
- Configure the DHCP agent
vi /etc/neutron/dhcp_agent.ini
[DEFAULT]
interface_driver = openvswitch
dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq
enable_isolated_metadata = true
[agent]
[ovs]
- Configure the metadata agent (the shared secret must match metadata_proxy_shared_secret in the [neutron] section of nova.conf)
vi /etc/neutron/metadata_agent.ini
[DEFAULT]
nova_metadata_host = controller-150
metadata_proxy_shared_secret = METADATA_SECRET
- Make sure the following parameters are set to 1
Check whether the br_netfilter kernel module is loaded
# lsmod |grep br_netfilter
If it is not, load it
# modprobe br_netfilter
After loading it, check whether the following parameters are 1
# sysctl net.bridge.bridge-nf-call-iptables
# sysctl net.bridge.bridge-nf-call-ip6tables
If they are not 1, add the following to /etc/sysctl.d/99-sysctl.conf (vi /etc/sysctl.d/99-sysctl.conf):
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
Then run sysctl -p to apply them. The module itself must also be loaded on every boot (for example via a file under /etc/modules-load.d/), because the net.bridge.* keys only exist while br_netfilter is loaded.
See for details:
https://docs.openstack.org/neutron/queens/install/controller-install-option2-rdo.html
Configure the Compute service to use the Networking service
vi /etc/nova/nova.conf
[DEFAULT]
use_neutron = True
linuxnet_interface_driver = nova.network.linux_net.LinuxOVSInterfaceDriver
firewall_driver = nova.virt.firewall.NoopFirewallDriver
In the [neutron] section (in vi, jump to it with /\[neutron): the url option is deprecated and endpoint_override gives the same effect, so we simply leave it unconfigured here.
[neutron]
# ...
#endpoint_override = http://controller-150:9696
auth_url = http://controller-150:5000
auth_type = password
project_domain_name = default
user_domain_name = default
region_name = RegionOne
project_name = service
username = neutron
password = 你的密码
service_metadata_proxy = true
metadata_proxy_shared_secret = METADATA_SECRET
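Before populating the database and starting the agents it is worth auditing what was just written to neutron.conf, ml2_conf.ini, openvswitch_agent.ini and nova.conf. The script below is an added example, not code from this page or the neutron project: it reads the effective value of each setting this page relies on (a commented-out line such as #endpoint_override is ignored), flags install-doc placeholder secrets such as NEUTRON_DBPASS, RABBIT_PASS and METADATA_SECRET that were never replaced, and flags config files that are readable by everyone (they hold database and service passwords). File paths follow this page; the ROOT prefix, the make_sample_tree helper and its contents are constructed for the demo and are not a real deployment.

```shell
#!/bin/sh
# Added example, not code from the page or the neutron project: audit the controller
# configuration before running neutron-db-manage and starting the agents. It checks the
# settings this page relies on, flags install-doc placeholder secrets that were never
# replaced, and flags config files readable by everyone (they hold database and service
# passwords). Paths follow this page's layout; ROOT is an optional prefix for a copy.

# ini_get FILE SECTION KEY: print the effective (last, uncommented) value, or nothing.
ini_get() {
    awk -v want="[$2]" -v key="$3" '
        /^[ \t]*\[/   { s = $0; gsub(/[ \t]/, "", s); insec = (s == want); next }
        /^[ \t]*[#;]/ { next }
        insec && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v); val = v
        }
        END { print val }' "$1"
}

# check_eq FILE SECTION KEY EXPECTED: 0 when the effective value matches.
check_eq() {
    got=$(ini_get "$1" "$2" "$3")
    [ "$got" = "$4" ] && return 0
    echo "FAIL $1: [$2] $3='$got', expected '$4'" >&2
    return 1
}

# Install-doc placeholders (and this page's 你的密码) must never survive in a real config.
check_no_placeholders() {
    grep -nE 'NEUTRON_DBPASS|RABBIT_PASS|METADATA_SECRET|你的密码' "$1" >&2 || return 0
    echo "FAIL $1: placeholder secret still present" >&2; return 1
}

# The files hold passwords: the permission bits for "other" must not grant read.
check_perms() {
    other=$(ls -ld "$1" | cut -c8-10)
    case "$other" in *r*) echo "FAIL $1: world-readable (other=$other), want 0640" >&2; return 1 ;; esac
}

# audit_neutron [ROOT]: run every check and print the number of failures.
audit_neutron() {
    root=${1:-}; fails=0
    nc="$root/etc/neutron/neutron.conf"
    ml2="$root/etc/neutron/plugins/ml2/ml2_conf.ini"
    ovs="$root/etc/neutron/plugins/ml2/openvswitch_agent.ini"
    nova="$root/etc/nova/nova.conf"
    check_eq "$nc"   DEFAULT       auth_strategy          keystone      || fails=$((fails+1))
    check_eq "$nc"   DEFAULT       core_plugin            ml2           || fails=$((fails+1))
    check_eq "$nc"   DEFAULT       service_plugins        router        || fails=$((fails+1))
    check_eq "$ml2"  ml2           extension_drivers      port_security || fails=$((fails+1))
    check_eq "$ovs"  securitygroup enable_security_group  true          || fails=$((fails+1))
    check_eq "$ovs"  securitygroup firewall_driver        openvswitch   || fails=$((fails+1))
    check_eq "$nova" DEFAULT       use_neutron            True          || fails=$((fails+1))
    check_eq "$nova" DEFAULT       firewall_driver nova.virt.firewall.NoopFirewallDriver || fails=$((fails+1))
    check_eq "$nova" neutron       service_metadata_proxy true          || fails=$((fails+1))
    for f in "$nc" "$ml2" "$ovs" "$nova"; do
        check_no_placeholders "$f" || fails=$((fails+1))
        check_perms "$f"           || fails=$((fails+1))
    done
    echo "$fails"
}

# make_sample_tree DIR: constructed sample tree (not a real deployment) with three
# deliberate faults: RABBIT_PASS left in neutron.conf, security groups disabled in the
# OVS agent, and a world-readable nova.conf.
make_sample_tree() {
    d=$1; mkdir -p "$d/etc/neutron/plugins/ml2" "$d/etc/nova"
    cat > "$d/etc/neutron/neutron.conf" <<'EOF'
[DEFAULT]
auth_strategy = keystone
core_plugin = ml2
service_plugins = router
transport_url = rabbit://openstack:RABBIT_PASS@controller-150
EOF
    cat > "$d/etc/neutron/plugins/ml2/ml2_conf.ini" <<'EOF'
[ml2]
extension_drivers = port_security
EOF
    cat > "$d/etc/neutron/plugins/ml2/openvswitch_agent.ini" <<'EOF'
[securitygroup]
firewall_driver = openvswitch
enable_security_group = false
EOF
    cat > "$d/etc/nova/nova.conf" <<'EOF'
[DEFAULT]
use_neutron = True
firewall_driver = nova.virt.firewall.NoopFirewallDriver
[neutron]
#endpoint_override = http://controller-150:9696
service_metadata_proxy = true
EOF
    chmod 640 "$d/etc/neutron/neutron.conf" "$d/etc/neutron/plugins/ml2/"*.ini
    chmod 644 "$d/etc/nova/nova.conf"
}

# Usage: sh neutron_audit.sh --demo (constructed tree)  |  sh neutron_audit.sh --audit (real /etc)
case "${1:-}" in
    --demo)  tmp=$(mktemp -d); make_sample_tree "$tmp"
             echo "failures: $(audit_neutron "$tmp")"; rm -rf "$tmp" ;;
    --audit) echo "failures: $(audit_neutron)" ;;
esac
```

On the constructed tree the demo reports three failures (the leftover RABBIT_PASS, enable_security_group = false, and the 0644 nova.conf); on a real controller run it with --audit only after every password has been filled in, since a leftover placeholder is a finding, not a pass. World-readable files are the usual slip when editing as root with a permissive umask.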
Finalize the installation
- Create the /etc/neutron/plugin.ini symbolic link
The Networking service initialization scripts expect a symbolic link /etc/neutron/plugin.ini pointing to the ML2 plug-in configuration file. It does not exist by default, so create it:
# ln -s /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini
- Populate the database
# su -s /bin/sh -c "neutron-db-manage --config-file /etc/neutron/neutron.conf \
--config-file /etc/neutron/plugins/ml2/ml2_conf.ini upgrade head" neutron
- Restart the Compute API service
systemctl restart openstack-nova-api.service && systemctl status openstack-nova-api.service
- Enable the Networking services to start at boot, then start them
# systemctl enable neutron-server.service \
neutron-openvswitch-agent.service neutron-dhcp-agent.service \
neutron-metadata-agent.service neutron-l3-agent.service
# systemctl start neutron-server.service \
neutron-openvswitch-agent.service neutron-dhcp-agent.service \
neutron-metadata-agent.service neutron-l3-agent.service \
&& systemctl status neutron-server.service \
neutron-openvswitch-agent.service neutron-dhcp-agent.service \
neutron-metadata-agent.service neutron-l3-agent.service
Add firewall rules
neutron-server:9696
dnsmasq:53/tcp 53/udp
# firewall-cmd --add-port 35357/tcp --add-port 9696/tcp --permanent
# firewall-cmd --add-port 53/tcp --add-port 53/udp --permanent
# firewall-cmd --reload && firewall-cmd --list-port
See for details:
https://docs.openstack.org/neutron/queens/install/controller-install-rdo.html
https://docs.openstack.org/neutron/queens/admin/deploy-ovs-provider.html
https://docs.openstack.org/neutron/queens/admin/deploy-ovs-selfservice.html
Whether you configure Provider networks or Self-service networks,
openstack-neutron depends on dnsmasq, which its DHCP service uses, so enable dnsmasq at boot.
# systemctl enable dnsmasq
# systemctl start dnsmasq && systemctl status dnsmasq