Previous article: Building an OpenStack cloud platform on openEuler 22.09 (Part 5)
6 Installing and configuring the Networking service (neutron)
OpenStack Networking interacts mainly with OpenStack Compute to provide network connectivity for its instances.
OpenStack Networking (neutron) manages all networking facets of the Virtual Networking Infrastructure (VNI) and the access-layer aspects of the physical networking infrastructure in an OpenStack environment.
6.1 Installing and configuring the controller node
The steps in this subsection are performed on the controller node.
6.1.1 Prerequisites
1. Create the database and grant access. Replace NEUTRON_DBPASS with a real password. The second GRANT ('neutron'@'%') lets the neutron database account connect from any host, which is what the reference layout uses; if the database only ever serves the controller, narrowing it to the controller's hostname is the safer choice.
[root@xgk-ctl ~]# mysql -u root -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 598
Server version: 10.5.16-MariaDB MariaDB Server
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> CREATE DATABASE neutron;
Query OK, 1 row affected (0.000 sec)
MariaDB [(none)]> GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'localhost' IDENTIFIED BY 'NEUTRON_DBPASS';
Query OK, 0 rows affected (0.002 sec)
MariaDB [(none)]> GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'%' IDENTIFIED BY 'NEUTRON_DBPASS';
Query OK, 0 rows affected (0.001 sec)
MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.001 sec)
MariaDB [(none)]> exit;
Bye
2. Source the admin credentials
[root@xgk-ctl ~]# source /etc/keystone/admin-openrc
3. Create the service credentials
(1) Create the neutron user
[root@xgk-ctl ~]# openstack user create --domain default --password-prompt neutron
User Password: # set the neutron user's password, e.g. NEUTRON_PASS
Repeat User Password:
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | default |
| enabled | True |
| id | 64898ac3a2d04d188a3235c06dacc0c7 |
| name | neutron |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+
(2) Add the admin role to the neutron user (the service credentials written into neutron.conf later therefore carry admin rights)
[root@xgk-ctl ~]# openstack role add --project service --user neutron admin
(3) Create the neutron service entity
[root@xgk-ctl ~]# openstack service create --name neutron --description "OpenStack Networking" network
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | OpenStack Networking |
| enabled | True |
| id | 3714752cf3aa437fbb3dd4af4436ea4b |
| name | neutron |
| type | network |
+-------------+----------------------------------+
4. Create the Networking service API endpoints
(1) Create the public endpoint
[root@xgk-ctl ~]# openstack endpoint create --region RegionOne network public http://xgk-ctl:9696
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | ce30a25059e54cc18b4f75b58124ce0d |
| interface | public |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 3714752cf3aa437fbb3dd4af4436ea4b |
| service_name | neutron |
| service_type | network |
| url | http://xgk-ctl:9696 |
+--------------+----------------------------------+
(2) Create the internal endpoint
[root@xgk-ctl ~]# openstack endpoint create --region RegionOne network internal http://xgk-ctl:9696
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | b76879e1785b4030a4d6f1a16593a85e |
| interface | internal |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 3714752cf3aa437fbb3dd4af4436ea4b |
| service_name | neutron |
| service_type | network |
| url | http://xgk-ctl:9696 |
+--------------+----------------------------------+
(3) Create the admin endpoint
[root@xgk-ctl ~]# openstack endpoint create --region RegionOne network admin http://xgk-ctl:9696
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 8b39220536d340ca91ba14b8102c4edd |
| interface | admin |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 3714752cf3aa437fbb3dd4af4436ea4b |
| service_name | neutron |
| service_type | network |
| url | http://xgk-ctl:9696 |
+--------------+----------------------------------+
6.1.2 Configure networking options
The Networking service can be deployed with one of the two architectures represented by option 1 and option 2.
Option 1 deploys the simplest possible architecture and only supports attaching instances to provider (external) networks. There are no self-service (private) networks, routers, or floating IP addresses. Only an admin or other privileged user can manage provider networks.
Option 2 augments option 1 with layer-3 services that support attaching instances to self-service networks. The demo or another unprivileged user can manage self-service networks, including routers that provide connectivity between self-service and provider networks. Additionally, floating IP addresses provide connectivity to instances on self-service networks from external networks such as the Internet.
For simplicity, this guide deploys the Networking service with the option 1 architecture.
1. Install the components
[root@xgk-ctl ~]# dnf -y install openstack-neutron openstack-neutron-ml2 openstack-neutron-linuxbridge ebtables
2. Configure the server component
The Networking server component configuration includes the database, authentication mechanism, message queue, topology change notifications, and plug-in. All of it is done in /etc/neutron/neutron.conf; add any section that is missing from the file. Two practical notes. First, the grep below drops every line that contains a '#', which is fine for the untouched packaged file (it is almost entirely comments) but would also drop real settings if run on a file you have already edited, so keep the .bak copy. Second, the lines starting with # in the listing are explanatory comments; oslo.config only recognises a comment at the start of a line and has no inline comment syntax, so never append a note after a value on the same line or it becomes part of the value. This file holds the database, RabbitMQ and Keystone service credentials (and the neutron user has the admin role), so keep it owner root, group neutron, mode 0640, and confirm that after editing.
[root@xgk-ctl ~]# cp -a /etc/neutron/neutron.conf{,.bak}
[root@xgk-ctl ~]# grep -Ev '^$|#' /etc/neutron/neutron.conf.bak > /etc/neutron/neutron.conf
[root@xgk-ctl ~]# vim /etc/neutron/neutron.conf
[DEFAULT]
# enable the Modular Layer 2 (ML2) plug-in
core_plugin = ml2
# disable additional plug-ins
service_plugins =
# RabbitMQ message queue access (RABBIT_PASS is the password of the openstack account in RabbitMQ)
transport_url = rabbit://openstack:RABBIT_PASS@xgk-ctl
# Identity service access
auth_strategy = keystone
# notify Compute of network topology changes
notify_nova_on_port_status_changes = true
notify_nova_on_port_data_changes = true
[cache]
[cors]
[database]
connection = mysql+pymysql://neutron:NEUTRON_DBPASS@xgk-ctl/neutron
[healthcheck]
# Identity service access (NEUTRON_PASS is the password chosen for the neutron user above)
[keystone_authtoken]
www_authenticate_uri = http://xgk-ctl:5000
auth_url = http://xgk-ctl:5000
memcached_servers = xgk-ctl:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = neutron
password = NEUTRON_PASS
# notify Compute of network topology changes (NOVA_PASS is the nova service user's password)
[nova]
auth_url = http://xgk-ctl:5000
auth_type = password
project_domain_name = default
user_domain_name = default
region_name = RegionOne
project_name = service
username = nova
password = NOVA_PASS
# lock path
[oslo_concurrency]
lock_path = /var/lib/neutron/tmp
…… the rest of the file's existing content is omitted here ……
3. Configure the Modular Layer 2 (ML2) plug-in
The ML2 plug-in uses the Linux bridge mechanism to build layer-2 (bridging and switching) virtual networking infrastructure for instances. It is configured in /etc/neutron/plugins/ml2/ml2_conf.ini; add any section that is missing from the file. Once the plug-in is in use, removing values from type_drivers can leave the database inconsistent, so settle on the list before creating networks.
[root@xgk-ctl ~]# cp -a /etc/neutron/plugins/ml2/ml2_conf.ini{,.bak}
[root@xgk-ctl ~]# grep -Ev '^$|#' /etc/neutron/plugins/ml2/ml2_conf.ini.bak > /etc/neutron/plugins/ml2/ml2_conf.ini
[root@xgk-ctl ~]# vim /etc/neutron/plugins/ml2/ml2_conf.ini
[DEFAULT]
[ml2]
# enable flat and VLAN networks
type_drivers = flat,vlan
# disable self-service networks
tenant_network_types =
# enable the Linux bridge mechanism
mechanism_drivers = linuxbridge
# enable the port security extension driver (anti-spoofing and security groups per port)
extension_drivers = port_security
[ml2_type_flat]
# configure the provider virtual network as a flat network
flat_networks = provider
[securitygroup]
# enable ipset to increase the efficiency of security group rules
enable_ipset = true
4. Configure the Linux bridge agent
The Linux bridge agent builds layer-2 (bridging and switching) virtual networking infrastructure for instances and handles security groups. It is configured in /etc/neutron/plugins/ml2/linuxbridge_agent.ini; add any section that is missing from the file.
[root@xgk-ctl ~]# cp -a /etc/neutron/plugins/ml2/linuxbridge_agent.ini{,.bak}
[root@xgk-ctl ~]# grep -Ev '^$|#' /etc/neutron/plugins/ml2/linuxbridge_agent.ini.bak > /etc/neutron/plugins/ml2/linuxbridge_agent.ini
[root@xgk-ctl ~]# vim /etc/neutron/plugins/ml2/linuxbridge_agent.ini
[DEFAULT]
[linux_bridge]
# map the provider virtual network to the provider physical network interface
physical_interface_mappings = provider:enp4s4
[vxlan]
# disable VXLAN overlay networks
enable_vxlan = false
# enable security groups and configure the Linux bridge iptables firewall driver
[securitygroup]
enable_security_group = true
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
Note: run ip a to see the interface names. On the controller, the interface carrying 192.168.18.200 is the management interface; the other one is the provider interface (enp4s4 here). The agent attaches the provider interface to a bridge, so it should have no IP address of its own.
To make sure the kernel supports bridge filters, the br_netfilter module must be loaded. Without it the bridge-nf sysctls below do not exist and iptables never sees bridged frames, so the IptablesFirewallDriver configured above cannot enforce security group rules on instance traffic. Check whether the module is loaded:
[root@xgk-ctl ~]# lsmod | grep br_netfilter
br_netfilter 32768 0
bridge 266240 1 br_netfilter
If it is not, create the following file and restart the systemd-modules-load service.
[root@xgk-ctl ~]# vim /etc/modules-load.d/openstack-ml2.conf
br_netfilter
[root@xgk-ctl ~]# systemctl restart systemd-modules-load.service
Then check that the bridge sysctl values are set to 1. The file below only declares them; they take effect once br_netfilter is loaded and systemd-sysctl (or sysctl --system) has applied the file, so confirm the live values with sysctl as well.
[root@xgk-ctl ~]# cat /usr/lib/sysctl.d/99-neutron-linuxbridge-agent.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
5. Configure the DHCP agent
The DHCP agent provides DHCP services for virtual networks. It is configured in /etc/neutron/dhcp_agent.ini.
In the [DEFAULT] section, configure the Linux bridge interface driver and the Dnsmasq DHCP driver, and enable isolated metadata so that instances on provider networks can reach the metadata service over the network.
[root@xgk-ctl ~]# cp -a /etc/neutron/dhcp_agent.ini{,.bak}
[root@xgk-ctl ~]# grep -Ev '^$|#' /etc/neutron/dhcp_agent.ini.bak > /etc/neutron/dhcp_agent.ini
[root@xgk-ctl ~]# vim /etc/neutron/dhcp_agent.ini
[DEFAULT]
interface_driver = linuxbridge
dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq
enable_isolated_metadata = true
6. Configure the metadata agent
The metadata agent provides configuration information such as credentials to instances. It is configured in /etc/neutron/metadata_agent.ini. Replace METADATA_SECRET with a long random secret. The same value must be set as metadata_proxy_shared_secret in the [neutron] section of /etc/nova/nova.conf on the controller (together with service_metadata_proxy = true): nova-api uses it to verify the HMAC signature that the proxy attaches to each forwarded request, so a mismatch makes every metadata request fail with 403, and anyone who can reach the nova metadata API and knows the secret can forge another instance's identity and read that instance's metadata and user data.
[root@xgk-ctl ~]# cp -a /etc/neutron/metadata_agent.ini{,.bak}
[root@xgk-ctl ~]# grep -Ev '^$|#' /etc/neutron/metadata_agent.ini.bak > /etc/neutron/metadata_agent.ini
[root@xgk-ctl ~]# vim /etc/neutron/metadata_agent.ini
[DEFAULT]
nova_metadata_host = xgk-ctl
metadata_proxy_shared_secret = METADATA_SECRET
[cache]
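The configuration files above hold service credentials and one shared secret, and the two easiest mistakes are leaving a placeholder such as RABBIT_PASS in place and appending a note after a value, which oslo.config stores as part of the value because it has no inline comment syntax. The following POSIX shell script is an added example for this guide, not code from the tutorial or from OpenStack. It checks the neutron.conf and metadata_agent.ini settings described above against constructed sample files that contain deliberate mistakes. TEST_DIR, the sample contents, the 16-character minimum for the metadata secret and the suggestion to point it at /etc/neutron and /etc/nova on a real node are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: offline sanity checks for
# the oslo.config INI files edited above. All sample files are constructed
# here with deliberate mistakes; TEST_DIR and the file names are assumptions.

TEST_DIR="${TMPDIR:-/tmp}/neutron-check.$$"
mkdir -p "$TEST_DIR"
trap 'rm -rf "$TEST_DIR"' EXIT

# Constructed neutron.conf: one placeholder left in place and one value with a
# trailing "//" annotation, which oslo.config would store as part of the value.
cat > "$TEST_DIR/neutron.conf" <<'EOF'
[DEFAULT]
core_plugin = ml2 //enable the ML2 plug-in
transport_url = rabbit://openstack:RABBIT_PASS@xgk-ctl
auth_strategy = keystone
# replace NEUTRON_PASS before use (a comment, so it must not be flagged)
[keystone_authtoken]
username = neutron
password = s3cr3t-neutron
EOF
# Constructed corrected copy of the same file.
cat > "$TEST_DIR/neutron.fixed.conf" <<'EOF'
[DEFAULT]
# enable the ML2 plug-in
core_plugin = ml2
transport_url = rabbit://openstack:r4bb1t-pw-example@xgk-ctl
[keystone_authtoken]
password = s3cr3t-neutron
EOF
# Constructed metadata_agent.ini / nova.conf pairs: mismatched, then matching.
cat > "$TEST_DIR/metadata_agent.ini" <<'EOF'
[DEFAULT]
metadata_proxy_shared_secret = abc
EOF
cat > "$TEST_DIR/nova.conf" <<'EOF'
[neutron]
service_metadata_proxy = true
metadata_proxy_shared_secret = xyz
EOF
cat > "$TEST_DIR/metadata_agent.fixed.ini" <<'EOF'
[DEFAULT]
metadata_proxy_shared_secret = m3tad4ta-sh4red-s3cret-2022
EOF
cat > "$TEST_DIR/nova.fixed.conf" <<'EOF'
[neutron]
service_metadata_proxy = True
metadata_proxy_shared_secret = m3tad4ta-sh4red-s3cret-2022
EOF

# ini_get FILE SECTION KEY: print KEY's value in SECTION the way oslo.config
# reads it: everything after the first "=", trimmed, no inline comments.
ini_get() {
    awk -v want_sec="$2" -v want_key="$3" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { sec = $0; gsub(/^[ \t]*\[/, "", sec); gsub(/[ \t]*][ \t]*$/, "", sec); next }
        sec == want_sec && index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", key)
            if (key == want_key) {
                val = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
                print val; exit
            }
        }' "$1"
}

# find_placeholders FILE: list (with line numbers) the non-comment lines that
# still carry a tutorial placeholder (RABBIT_PASS, NEUTRON_DBPASS,
# METADATA_SECRET, ...) or a "//" note after a value. Exit 0 = problems found.
find_placeholders() {
    grep -nE '(_PASS|METADATA_SECRET)([^A-Za-z0-9_]|$)|[[:space:]]//' "$1" \
        | grep -vE '^[0-9]+:[[:space:]]*[#;]'
}

# check_file_clean FILE: succeed only when find_placeholders reports nothing.
check_file_clean() {
    if find_placeholders "$1" >/dev/null; then return 1; fi
    return 0
}

# check_metadata_secret METADATA_AGENT_INI NOVA_CONF: the shared secret must be
# set, at least 16 characters (a local policy assumption), identical on both
# sides, and nova must have the metadata proxy enabled.
check_metadata_secret() {
    agent_secret=$(ini_get "$1" DEFAULT metadata_proxy_shared_secret)
    nova_secret=$(ini_get "$2" neutron metadata_proxy_shared_secret)
    proxy_on=$(ini_get "$2" neutron service_metadata_proxy | tr 'A-Z' 'a-z')
    [ -n "$agent_secret" ] && [ "${#agent_secret}" -ge 16 ] \
        && [ "$agent_secret" = "$nova_secret" ] && [ "$proxy_on" = "true" ]
}

# Report on the constructed files; on a real node point these at /etc/neutron
# and /etc/nova instead.
for f in neutron.conf neutron.fixed.conf; do
    if check_file_clean "$TEST_DIR/$f"; then echo "$f: clean"
    else echo "$f: problems:"; find_placeholders "$TEST_DIR/$f"; fi
done
```

The `//` detection deliberately requires whitespace before the slashes so that URLs such as rabbit://... and mysql+pymysql://... are not flagged, and comment lines are excluded so a reminder in a comment does not count as a leftover placeholder.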
7. Finalize installation
(1) The Networking service initialization scripts expect a symbolic link /etc/neutron/plugin.ini pointing to the ML2 plug-in configuration file /etc/neutron/plugins/ml2/ml2_conf.ini. If the link does not exist, create it with the following command
[root@xgk-ctl ~]# ln -s /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini
(2) Populate the database
[root@xgk-ctl ~]# su -s /bin/sh -c "neutron-db-manage --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugins/ml2/ml2_conf.ini upgrade head" neutron
(3) Restart the Compute API service
[root@xgk-ctl ~]# systemctl restart openstack-nova-api.service
(4) Start the Networking services and configure them to start when the system boots
[root@xgk-ctl ~]# systemctl enable neutron-server.service neutron-linuxbridge-agent.service neutron-dhcp-agent.service neutron-metadata-agent.service
[root@xgk-ctl ~]# systemctl start neutron-server.service neutron-linuxbridge-agent.service neutron-dhcp-agent.service neutron-metadata-agent.service
6.2 Installing and configuring the compute node
The steps in this subsection are performed on the compute node.
6.2.1 Install the components
[root@xgk-cpt ~]# dnf -y install openstack-neutron-linuxbridge ebtables ipset
6.2.2 Configure the common component
The Networking common component configuration includes the authentication mechanism, message queue, and plug-in. It is done in /etc/neutron/neutron.conf. As on the controller, the # lines below are comments and nothing may follow a value on the same line, and the file holds service credentials, so keep it owner root, group neutron, mode 0640.
[root@xgk-cpt ~]# cp -a /etc/neutron/neutron.conf{,.bak}
[root@xgk-cpt ~]# grep -Ev '^$|#' /etc/neutron/neutron.conf.bak > /etc/neutron/neutron.conf
[root@xgk-cpt ~]# vim /etc/neutron/neutron.conf
[DEFAULT]
# RabbitMQ message queue access
transport_url = rabbit://openstack:RABBIT_PASS@xgk-ctl
# Identity service access
auth_strategy = keystone
[cache]
[cors]
[database]
[healthcheck]
# Identity service access
[keystone_authtoken]
www_authenticate_uri = http://xgk-ctl:5000
auth_url = http://xgk-ctl:5000
memcached_servers = xgk-ctl:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = neutron
password = NEUTRON_PASS
[oslo_concurrency]
# lock path
lock_path = /var/lib/neutron/tmp
…… the rest of the file's existing content is omitted here ……
6.2.3 Configure networking options
Use the same option 1 architecture as on the controller node. The following configures the Linux bridge agent.
[root@xgk-cpt ~]# cp -a /etc/neutron/plugins/ml2/linuxbridge_agent.ini{,.bak}
[root@xgk-cpt ~]# grep -Ev '^$|#' /etc/neutron/plugins/ml2/linuxbridge_agent.ini.bak > /etc/neutron/plugins/ml2/linuxbridge_agent.ini
[root@xgk-cpt ~]# vim /etc/neutron/plugins/ml2/linuxbridge_agent.ini
[DEFAULT]
[linux_bridge]
# map the provider virtual network to the provider physical network interface
physical_interface_mappings = provider:enp4s4
[vxlan]
# disable VXLAN overlay networks
enable_vxlan = false
# enable security groups and configure the Linux bridge iptables firewall driver
[securitygroup]
enable_security_group = true
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
Note: run ip a to see the interface names. On the compute node, the interface carrying 192.168.18.201 is the management interface; the other one is the provider interface, which should have no IP address of its own.
To make sure the kernel supports bridge filters, the br_netfilter module must be loaded; without it the iptables firewall driver cannot enforce security group rules on this node's instances. Check whether the module is loaded:
[root@xgk-cpt ~]# lsmod | grep br_netfilter
br_netfilter 32768 0
bridge 266240 1 br_netfilter
If it is not, create the following file and restart the systemd-modules-load service.
[root@xgk-cpt ~]# vim /etc/modules-load.d/openstack-ml2.conf
br_netfilter
[root@xgk-cpt ~]# systemctl restart systemd-modules-load.service
Then check that the bridge sysctl values are set to 1 (the file declares them; confirm the live values with sysctl once the module is loaded).
[root@xgk-cpt ~]# cat /usr/lib/sysctl.d/99-neutron-linuxbridge-agent.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
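The br_netfilter check is performed on both the controller (section 6.1.2, step 4) and the compute node (above), and in both places the tutorial only shows that the sysctl file exists, not that the kernel is actually applying it. The POSIX shell script below is an added example for this guide, not part of the tutorial or of OpenStack. It reads the live kernel values instead of the file, because the net.bridge keys are only registered while br_netfilter is active, so their absence is a reliable sign that the module is not loaded. The sysctl directory is a parameter so the function can be exercised against a constructed directory; the default path and the suggested remedy commands are assumptions about a standard Linux host.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: check that bridged
# instance traffic is actually handed to iptables, which the Linux bridge
# agent's IptablesFirewallDriver needs in order to enforce security groups.
# The sysctl directory is a parameter so the function can be exercised against
# a constructed directory; its default is the real kernel path (assumption:
# Linux with /proc mounted).

# bridge_nf_status [SYSCTL_DIR]
# Prints "not-loaded" (exit 1) when the net.bridge keys are absent, which
# means br_netfilter is not active (the keys are registered by that module,
# so this also covers a built-in module that lsmod would not list);
# "off:<key>" (exit 2) when a key is not 1; "ok" (exit 0) otherwise.
bridge_nf_status() {
    sys_dir="${1:-/proc/sys/net/bridge}"
    for key in bridge-nf-call-iptables bridge-nf-call-ip6tables; do
        if [ ! -r "$sys_dir/$key" ]; then
            echo "not-loaded"
            return 1
        fi
    done
    for key in bridge-nf-call-iptables bridge-nf-call-ip6tables; do
        if [ "$(cat "$sys_dir/$key")" != "1" ]; then
            echo "off:$key"
            return 2
        fi
    done
    echo "ok"
}

# bridge_nf_remedy STATUS: the command that fixes a status reported above.
# modprobe loads the module now; /etc/modules-load.d/openstack-ml2.conf as
# created in the tutorial makes it persist across reboots, and "sysctl --system"
# re-applies /usr/lib/sysctl.d/99-neutron-linuxbridge-agent.conf once the keys exist.
bridge_nf_remedy() {
    case "$1" in
        ok)         echo "nothing to do" ;;
        not-loaded) echo "modprobe br_netfilter && sysctl --system" ;;
        off:*)      echo "sysctl -w net.bridge.${1#off:}=1" ;;
        *)          echo "unknown status: $1"; return 1 ;;
    esac
}

# Report for the node this script runs on.
status=$(bridge_nf_status) || true
echo "bridge netfilter: $status -> $(bridge_nf_remedy "$status")"
```

Run it on the controller and on every compute node after the Linux bridge agent is configured; a node that reports anything other than ok is running instances with security groups configured but not enforced.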
6.2.4 Configure the Compute service to use the Networking service
This is done in /etc/nova/nova.conf.
[root@xgk-cpt ~]# vim /etc/nova/nova.conf
…… the file's existing content is omitted here ……
[neutron]
auth_url = http://xgk-ctl:5000
auth_type = password
project_domain_name = default
user_domain_name = default
region_name = RegionOne
project_name = service
username = neutron
password = NEUTRON_PASS
[notifications]
…… the file's existing content is omitted here ……
6.2.5 Finalize installation
1. Restart the Compute service
[root@xgk-cpt ~]# systemctl restart openstack-nova-compute.service
2. Start the Linux bridge agent and configure it to start when the system boots
[root@xgk-cpt ~]# systemctl enable neutron-linuxbridge-agent.service
[root@xgk-cpt ~]# systemctl start neutron-linuxbridge-agent.service
6.3 Verify operation
The steps in this subsection are performed on the controller node.
1. Source the admin credentials
[root@xgk-ctl ~]# source /etc/keystone/admin-openrc
2. List the loaded extensions to verify successful launch of the neutron-server process
[root@xgk-ctl ~]# openstack extension list --network
+----------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------+
| Name | Alias | Description |
+----------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------+
| Address group | address-group | Support address group |
| Address scope | address-scope | Address scopes extension. |
| agent | agent | The agent management extension. |
| Agent's Resource View Synced to Placement | agent-resources-synced | Stores success/failure of last sync to Placement |
| Allowed Address Pairs | allowed-address-pairs | Provides allowed address pairs |
| Availability Zone | availability_zone | The availability zone extension. |
| Availability Zone Filter Extension | availability_zone_filter | Add filter parameters to AvailabilityZone resource |
| Default Subnetpools | default-subnetpools | Provides ability to mark and use a subnetpool as the default. |
| DHCP Agent Scheduler | dhcp_agent_scheduler | Schedule networks among dhcp agents |
| Empty String Filtering Extension | empty-string-filtering | Allow filtering by attributes with empty string value |
| Neutron external network | external-net | Adds external network attribute to network resource. |
| Neutron Extra DHCP options | extra_dhcp_opt | Extra options configuration for DHCP. For example PXE boot options to DHCP clients can be specified (e.g. tftp-server, server-ip-address, bootfile-name) |
| Filter parameters validation | filter-validation | Provides validation on filter parameters. |
| Neutron Service Flavors | flavors | Flavor specification for Neutron advanced services. |
| IP address substring filtering | ip-substring-filtering | Provides IP address substring filtering when listing ports |
| Multi Provider Network | multi-provider | Expose mapping of virtual networks to multiple physical networks |
| Network MTU | net-mtu | Provides MTU attribute for a network resource. |
| Network MTU (writable) | net-mtu-writable | Provides a writable MTU attribute for a network resource. |
| Network Availability Zone | network_availability_zone | Availability zone support for network. |
| Network IP Availability | network-ip-availability | Provides IP availability data for each network and subnet. |
| Pagination support | pagination | Extension that indicates that pagination is enabled. |
| Port device profile | port-device-profile | Expose the port device profile (Cyborg) |
| Neutron Port MAC address regenerate | port-mac-address-regenerate | Network port MAC address regenerate |
| Port NUMA affinity policy | port-numa-affinity-policy | Expose the port NUMA affinity policy |
| Port Binding | binding | Expose port bindings of a virtual port to external application |
| Port Bindings Extended | binding-extended | Expose port bindings of a virtual port to external application |
| Port Security | port-security | Provides port security |
| project_id field enabled | project-id | Extension that indicates that project_id field is enabled. |
| Provider Network | provider | Expose mapping of virtual networks to physical networks |
| Quota engine limit check | quota-check-limit | Support for checking the resource usage before applying a new quota limit |
| Quota management support | quotas | Expose functions for quotas management per project |
| Quota details management support | quota_details | Expose functions for quotas usage statistics per project |
| RBAC Policies | rbac-policies | Allows creation and modification of policies that control tenant access to resources. |
| Add address_group type to RBAC | rbac-address-group | Add address_group type to network RBAC |
| Add address_scope type to RBAC | rbac-address-scope | Add address_scope type to RBAC |
| Add security_group type to network RBAC | rbac-security-groups | Add security_group type to network RBAC |
| Add subnetpool type to RBAC | rbac-subnetpool | Add subnetpool type to RBAC |
| If-Match constraints based on revision_number | revision-if-match | Extension indicating that If-Match based on revision_number is supported. |
| Resource revision numbers | standard-attr-revisions | This extension will display the revision number of neutron resources. |
| Normalized CIDR field for security group rules | security-groups-normalized-cidr | Add new field with normalized remote_ip_prefix cidr in SG rule |
| Port filtering on security groups | port-security-groups-filtering | Provides security groups filtering when listing ports |
| Remote address group id field for security group rules | security-groups-remote-address-group | Add new field of remote address group id in SG rules |
| Security group filtering on the shared field | security-groups-shared-filtering | Support filtering security groups on the shared field |
| security-group | security-group | The security groups extension. |
| Neutron Service Type Management | service-type | API for retrieving service providers for Neutron advanced services |
| Sorting support | sorting | Extension that indicates that sorting is enabled. |
| standard-attr-description | standard-attr-description | Extension to add descriptions to standard attributes |
| Stateful security group | stateful-security-group | Indicates if the security group is stateful or not |
| Subnet Onboard | subnet_onboard | Provides support for onboarding subnets into subnet pools |
| Subnet service types | subnet-service-types | Provides ability to set the subnet service_types field |
| Subnet Allocation | subnet_allocation | Enables allocation of subnets from a subnet pool |
| Subnet Pool Prefix Operations | subnetpool-prefix-ops | Provides support for adjusting the prefix list of subnet pools |
| Tag support for resources with standard attribute: port, subnet, subnetpool, network, security_group, router, floatingip, policy, trunk, network_segment_range | standard-attr-tag | Enables to set tag on resources with standard attribute. |
| Resource timestamps | standard-attr-timestamp | Adds created_at and updated_at fields to all Neutron resources that have Neutron standard attributes. |
+----------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------+
3. List the agents to verify successful launch of the neutron agents. All four should show :-) in the Alive column: three on the controller and the Linux bridge agent on the compute node. An agent that is absent from the list (typically the compute node's) or shows XXX usually means its transport_url or RabbitMQ credentials are wrong or the agent is not running; check the agent's log and journalctl on that host.
[root@xgk-ctl ~]# openstack network agent list
+--------------------------------------+--------------------+---------+-------------------+-------+-------+---------------------------+
| ID | Agent Type | Host | Availability Zone | Alive | State | Binary |
+--------------------------------------+--------------------+---------+-------------------+-------+-------+---------------------------+
| 1223aab1-bf49-42d8-8505-3367e73937b5 | Linux bridge agent | xgk-ctl | None | :-) | UP | neutron-linuxbridge-agent |
| 7b4271e1-f0df-46e9-9871-488f5554785f | DHCP agent | xgk-ctl | nova | :-) | UP | neutron-dhcp-agent |
| c0dd8ad3-ff48-42e7-a670-20ffb5227006 | Metadata agent | xgk-ctl | None | :-) | UP | neutron-metadata-agent |
| f6798f07-6694-4c24-bc6a-e1e296521f69 | Linux bridge agent | xgk-cpt | None | :-) | UP | neutron-linuxbridge-agent |
+--------------------------------------+--------------------+---------+-------------------+-------+-------+---------------------------+
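The agent listing above is the one check worth repeating after every reboot or upgrade, since an agent that silently stops leaves instances without DHCP, metadata, or security group updates. The POSIX shell script below is an added example for this guide, not code from the tutorial or from OpenStack: it compares a machine-readable agent listing against the agents expected after the steps above. The expected-agent table and the sample listing are constructed here; the sample assumes the column order of `openstack network agent list -f value -c Host -c Alive -c Binary`, and because clients differ in whether value output renders Alive as True/False or as :-)/XXX, both spellings are accepted.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: turn the agent listing
# into a check that fails when an expected agent is missing or not alive.
# The expected-agent table and the sample listing are constructed for this
# example; the column order assumes
#   openstack network agent list -f value -c Host -c Alive -c Binary

# Agents that must be alive after the steps above: "host binary" per line.
EXPECTED_AGENTS='xgk-ctl neutron-linuxbridge-agent
xgk-ctl neutron-dhcp-agent
xgk-ctl neutron-metadata-agent
xgk-cpt neutron-linuxbridge-agent'

# Constructed sample output with the compute node's agent deliberately dead.
# Depending on the client version the Alive column is printed as True/False
# or as :-)/XXX in value format; both spellings are accepted below.
SAMPLE_AGENTS='xgk-ctl True neutron-linuxbridge-agent
xgk-ctl True neutron-dhcp-agent
xgk-ctl True neutron-metadata-agent
xgk-cpt False neutron-linuxbridge-agent'

# check_agents EXPECTED LISTING: print "missing HOST BINARY" or
# "dead HOST BINARY" for every expected agent that is absent or not alive.
check_agents() {
    printf '%s\n' "$1" | while read -r host binary; do
        [ -n "$host" ] || continue
        state=$(printf '%s\n' "$2" | awk -v h="$host" -v b="$binary" '
            $1 == h && $3 == b { print $2; found = 1 }
            END { if (!found) print "missing" }')
        case "$state" in
            True|':-)') ;;
            missing)    echo "missing $host $binary" ;;
            *)          echo "dead $host $binary" ;;
        esac
    done
}

# agents_ok EXPECTED LISTING: succeed only when check_agents reports nothing.
agents_ok() {
    [ -z "$(check_agents "$1" "$2")" ]
}

# Run against the constructed sample. On the controller, with admin-openrc
# sourced, replace "$SAMPLE_AGENTS" with
#   "$(openstack network agent list -f value -c Host -c Alive -c Binary)"
if agents_ok "$EXPECTED_AGENTS" "$SAMPLE_AGENTS"; then
    echo "all expected neutron agents are alive"
else
    echo "neutron agent problems:"
    check_agents "$EXPECTED_AGENTS" "$SAMPLE_AGENTS"
fi
```

A "missing" result for the compute node right after installation usually means the agent there never reached RabbitMQ (wrong transport_url or credentials in its neutron.conf); a "dead" result for an agent that was alive before points at the agent process or its host rather than at the configuration.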