OpenStack搭建之Networking(五)

文章

林里克斯

1208字数

Linux,OpenStack

在Linux下搭建OpenStack之Networking

一、实验平台：CentOS Linux release 7.3.1611 (Core)

二、openstack版本：Mitake

三、本机所有IP：内网：192.168.1.2 192.168.1.3

外网：192.168.2.4 192.168.2.5

四、openstack1:192.168.1.2 #控制节点 1 处理器, 4 GB 内存, 及20 GB 存储

五、openstack2:192.168.1.3 #计算节点 1 处理器, 2 GB 内存, 及20 GB 存储

一、网络服务概览
二、安装并配置控制节点
三、安装和配置计算节点
四、验证操作

一、网络服务概览

OpenStack Networking（neutron，允许创建、插入接口设备，这些设备由其他的OpenStack服务管理。插件式的实现可以容纳不同的网络设备和软件，为OpenStack架构与部署提供了灵活性。

它包含下列组件：

neutron-server 接收和路由API请求到合适的OpenStack网络插件，以达到预想的目的。

OpenStack网络插件和代理插拔端口，创建网络和子网，以及提供IP地址，这些插件和代理依赖于供应商和技术而不同，OpenStack网络基于插件和代理为Cisco 虚拟和物理交换机、NEC OpenFlow产品，Open vSwitch,Linux bridging以及VMware NSX产品穿线搭桥。

常见的代理L3(3层)，DHCP(动态主机IP地址)，以及插件代理。

消息队列 大多数的OpenStack Networking安装都会用到，用于在neutron-server和各种各样的代理进程间路由信息。也为某些特定的插件扮演数据库的角色，以存储网络状态

OpenStack网络主要和OpenStack计算交互，以提供网络连接到它的实例。

二、安装并配置控制节点

在配置OpenStack网络(neutron)服务之前，你必须为其创建一个数据库，服务凭证和API端点。

创建neutron数据库：

$ mysql -u root -p CREATE DATABASE neutron;

对neutron数据库授予合适的访问权限

> GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'localhost' IDENTIFIED BY 'neutron';
> GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'%' IDENTIFIED BY 'neutron';

获得admin凭证来获取只有管理员能执行的命令的访问权限：

$ . admin-openstack.sh

要创建服务证书，完成这些步骤：

创建neutron用户：

$ openstack user create --domain default --password-prompt neutron
User Password:              #设置密码，我这里设置为neutron
Repeat User Password:
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | 563963f57f154b628814c4e1bc9d2169 |
| enabled   | True                             |
| id        | eba2e17858b34672b32e7ae2a8873632 |
| name      | neutron                          |
+-----------+----------------------------------+

添加admin 角色到neutron用户： openstack role add --project service --user neutron admin 创建neutron服务实体：

$ openstack service create --name neutron --description "OpenStack Networking" network
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | OpenStack Networking             |
| enabled     | True                             |
| id          | e557b61726dc4a62bea05fe71124d662 |
| name        | neutron                          |
| type        | network                          |
+-------------+----------------------------------+

创建网络服务API端点：

$ openstack endpoint create --region RegionOne network public http://192.168.1.2:9696
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | b831f56ecfc441158d39489018326958 |
| interface    | public                           |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | e557b61726dc4a62bea05fe71124d662 |
| service_name | neutron                          |
| service_type | network                          |
| url          | http://192.168.1.2:9696          |
+--------------+----------------------------------+

openstack endpoint create --region RegionOne network internal http://192.168.1.2:9696
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 8be7f9940f6346d4a7fa7da8efde5235 |
| interface    | internal                         |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | e557b61726dc4a62bea05fe71124d662 |
| service_name | neutron                          |
| service_type | network                          |
| url          | http://192.168.1.2:9696          |
+--------------+----------------------------------+

openstack endpoint create --region RegionOne network admin http://192.168.1.2:9696
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | b5b23b5a14e44bc5a8d033c6be292545 |
| interface    | admin                            |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | e557b61726dc4a62bea05fe71124d662 |
| service_name | neutron                          |
| service_type | network                          |
| url          | http://192.168.1.2:9696          |
+--------------+----------------------------------+

检查neutron是否安装成功

$ neutron agent-list
+--------------------------------------+--------------------+------------+-------------------+-------+----------------+---------------------------+
| id                                   | agent_type         | host       | availability_zone | alive | admin_state_up | binary                    |
+--------------------------------------+--------------------+------------+-------------------+-------+----------------+---------------------------+
| 663b551a-e0c1-4228-ac9e-35ea07bd7b85 | Metadata agent     | openstack1 |                   | :-)   | True           | neutron-metadata-agent    |
| bbe1c6d3-f5ef-4f77-b8c2-dad601aa1f69 | Linux bridge agent | openstack1 |                   | :-)   | True           | neutron-linuxbridge-agent |
| dba89587-8675-4b4f-ab30-e5d94d3ea9b0 | DHCP agent         | openstack1 | nova              | :-)   | True           | neutron-dhcp-agent        |
+--------------------------------------+--------------------+------------+-------------------+-------+----------------+---------------------------+

网络选项：配置公共网络

安装组件

$ yum -y install openstack-neutron openstack-neutron-ml2 \
openstack-neutron-linuxbridge ebtables
#neutron和其他组件的小区别是配置完数据库之后不可以马上进行同步，它还依赖其他配置文件

编辑/etc/neutron/neutron.conf

$ vim /etc/neutron/neutron.conf

[database]
connection = mysql+pymysql://neutron:neutron@192.168.1.2/neutron        #配置数据库访问

[DEFAULT]
core_plugin = ml2           #动ML2插件
service_plugins =           #service_plugins等号后面什么都不写就是禁用其他插件
rpc_backend = rabbit        #配置RabbitMQ消息队列的连接
auth_strategy = keystone    #配置认证服务访问
notify_nova_on_port_status_changes = True       #配置网络服务来通知计算节点的网络拓扑变化
notify_nova_on_port_data_changes = True         #配置网络服务来通知计算节点的网络拓扑变化

[oslo_messaging_rabbit]     #配置RabbitMQ消息队列的连接
rabbit_host = 192.168.1.2
rabbit_userid = openstack
rabbit_password = openstack

[keystone_authtoken]        #配置认证服务访问
auth_uri = http://192.168.1.2:5000
auth_url = http://192.168.1.2:35357
memcached_servers = 192.168.1.2:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = neutron
password = neutron

[nova]                       #配置网络服务来通知计算节点的网络拓扑变化
auth_url = http://192.168.1.2:35357
auth_type = password
project_domain_name = default
user_domain_name = default
region_name = RegionOne
project_name = service
username = nova
password = nov

[oslo_concurrency]
lock_path = /var/lib/neutron/tmp    #配置锁路径

配置Modular Layer 2 (ML2)插件

编辑/etc/neutron/plugins/ml2/ml2\_conf.ini

$ vim /etc/neutron/plugins/ml2/ml2_conf.ini

[ml2]
type_drivers = flat,vlan            #启用flat和VLAN网络
tenant_network_types =              #禁用私有网络
mechanism_drivers = linuxbridge     #启用Linuxbridge机制
extension_drivers = port_security   #启用端口安全扩展驱动

[ml2_type_flat]
flat_networks = provider            #配置公共虚拟网络为flat网络

[securitygroup]
enable_ipset = True                 #启用ipset增加安全组规则的高效性

配置Linuxbridge代理

编辑/etc/neutron/plugins/ml2/linuxbridge\_agent.ini

$ vim /etc/neutron/plugins/ml2/linuxbridge_agent.ini

[linux_bridge]
physical_interface_mappings = public:eth0       #将公共虚拟网络和公共物理网络接口对应起来
#我这里给的是主机模式eth0网卡

[vxlan]
enable_vxlan = False        #禁止VXLAN覆盖网络

[securitygroup]             #启用安全组并配置 Linuxbridge iptables firewall driver
enable_security_group = True
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver

配置DHCP代理

编辑/etc/neutron/dhcp\_agent.ini

$ vim /etc/neutron/dhcp_agent.ini

[DEFAULT]       #配置Linuxbridge驱动接口，DHCP驱动并启用隔离元数据，这样在公共网络上的实例就可以通过网络来访问元数据
interface_driver = neutron.agent.linux.interface.BridgeInterfaceDriver  #虚拟接口驱动，使用Linuxbridge
dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq                          #dhcp驱动，默认使用Dnsmasq(是一个小的开源项目)来提供dhcp服务
enable_isolated_metadata = True                                         #刷新路由使用

配置元数据代理

编辑/etc/nova/nova.conf

$ vim /etc/nova/nova.conf

[DEFAULT]                   #配置元数据主机以及共享密码
nova_metadata_ip = 192.168.1.2
metadata_proxy_shared_secret = redhat

为计算节点配置网络服务编辑/etc/nova/nova.conf

$ vim /etc/nova/nova.conf

[neutron]       #配置访问参数，启用元数据代理并设置密码
url = http://192.168.1.2:9696
auth_url = http://192.168.1.2:35357
auth_type = password
project_domain_name = default
user_domain_name = default
region_name = RegionOne
project_name = service
username = neutron
password = neutron
service_metadata_proxy = True
metadata_proxy_shared_secret = redhat   #配置元数据哪里设置的密钥

网络服务初始化脚本需要一个超链接/etc/neutron/plugin.ini指向ML2插件配置文件/etc/neutron/plugins/ml2/ml2\_conf.ini。如果超链接不存在，使用下面的命令创建它：

$ ln -s /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini

同步数据库：

$ su -s /bin/sh -c "neutron-db-manage --config-file /etc/neutron/neutron.conf \
> --config-file /etc/neutron/plugins/ml2/ml2_conf.ini upgrade head" neutron

No handlers could be found for logger "oslo_config.cfg"
INFO  [alembic.runtime.migration] Context impl MySQLImpl.
INFO  [alembic.runtime.migration] Will assume non-transactional DDL.
  Running upgrade for neutron ...
INFO  [alembic.runtime.migration] Context impl MySQLImpl.
INFO  [alembic.runtime.migration] Will assume non-transactional DDL.
INFO  [alembic.runtime.migration] Running upgrade  -> kilo, kilo_initial
INFO  [alembic.runtime.migration] Running upgrade kilo -> 354db87e3225, nsxv_vdr_metadata.py
INFO  [alembic.runtime.migration] Running upgrade 354db87e3225 -> 599c6a226151, neutrodb_ipam
INFO  [alembic.runtime.migration] Running upgrade 599c6a226151 -> 52c5312f6baf, Initial operations in support of address scopes
INFO  [alembic.runtime.migration] Running upgrade 52c5312f6baf -> 313373c0ffee, Flavor framework
INFO  [alembic.runtime.migration] Running upgrade 313373c0ffee -> 8675309a5c4f, network_rbac
INFO  [alembic.runtime.migration] Running upgrade 8675309a5c4f -> 45f955889773, quota_usage
INFO  [alembic.runtime.migration] Running upgrade 45f955889773 -> 26c371498592, subnetpool hash
INFO  [alembic.runtime.migration] Running upgrade 26c371498592 -> 1c844d1677f7, add order to dnsnameservers
INFO  [alembic.runtime.migration] Running upgrade 1c844d1677f7 -> 1b4c6e320f79, address scope support in subnetpool
INFO  [alembic.runtime.migration] Running upgrade 1b4c6e320f79 -> 48153cb5f051, qos db changes
INFO  [alembic.runtime.migration] Running upgrade 48153cb5f051 -> 9859ac9c136, quota_reservations
INFO  [alembic.runtime.migration] Running upgrade 9859ac9c136 -> 34af2b5c5a59, Add dns_name to Port
INFO  [alembic.runtime.migration] Running upgrade 34af2b5c5a59 -> 59cb5b6cf4d, Add availability zone
INFO  [alembic.runtime.migration] Running upgrade 59cb5b6cf4d -> 13cfb89f881a, add is_default to subnetpool
INFO  [alembic.runtime.migration] Running upgrade 13cfb89f881a -> 32e5974ada25, Add standard attribute table
INFO  [alembic.runtime.migration] Running upgrade 32e5974ada25 -> ec7fcfbf72ee, Add network availability zone
INFO  [alembic.runtime.migration] Running upgrade ec7fcfbf72ee -> dce3ec7a25c9, Add router availability zone
INFO  [alembic.runtime.migration] Running upgrade dce3ec7a25c9 -> c3a73f615e4, Add ip_version to AddressScope
INFO  [alembic.runtime.migration] Running upgrade c3a73f615e4 -> 659bf3d90664, Add tables and attributes to support external DNS integration
INFO  [alembic.runtime.migration] Running upgrade 659bf3d90664 -> 1df244e556f5, add_unique_ha_router_agent_port_bindings
INFO  [alembic.runtime.migration] Running upgrade 1df244e556f5 -> 19f26505c74f, Auto Allocated Topology - aka Get-Me-A-Network
INFO  [alembic.runtime.migration] Running upgrade 19f26505c74f -> 15be73214821, add dynamic routing model data
INFO  [alembic.runtime.migration] Running upgrade 15be73214821 -> b4caf27aae4, add_bgp_dragent_model_data
INFO  [alembic.runtime.migration] Running upgrade b4caf27aae4 -> 15e43b934f81, rbac_qos_policy
INFO  [alembic.runtime.migration] Running upgrade 15e43b934f81 -> 31ed664953e6, Add resource_versions row to agent table
INFO  [alembic.runtime.migration] Running upgrade 31ed664953e6 -> 2f9e956e7532, tag support
INFO  [alembic.runtime.migration] Running upgrade 2f9e956e7532 -> 3894bccad37f, add_timestamp_to_base_resources
INFO  [alembic.runtime.migration] Running upgrade 3894bccad37f -> 0e66c5227a8a, Add desc to standard attr table
INFO  [alembic.runtime.migration] Running upgrade kilo -> 30018084ec99, Initial no-op Liberty contract rule.
INFO  [alembic.runtime.migration] Running upgrade 30018084ec99 -> 4ffceebfada, network_rbac
INFO  [alembic.runtime.migration] Running upgrade 4ffceebfada -> 5498d17be016, Drop legacy OVS and LB plugin tables
INFO  [alembic.runtime.migration] Running upgrade 5498d17be016 -> 2a16083502f3, Metaplugin removal
INFO  [alembic.runtime.migration] Running upgrade 2a16083502f3 -> 2e5352a0ad4d, Add missing foreign keys
INFO  [alembic.runtime.migration] Running upgrade 2e5352a0ad4d -> 11926bcfe72d, add geneve ml2 type driver
INFO  [alembic.runtime.migration] Running upgrade 11926bcfe72d -> 4af11ca47297, Drop cisco monolithic tables
INFO  [alembic.runtime.migration] Running upgrade 4af11ca47297 -> 1b294093239c, Drop embrane plugin table
INFO  [alembic.runtime.migration] Running upgrade 1b294093239c -> 8a6d8bdae39, standardattributes migration
INFO  [alembic.runtime.migration] Running upgrade 8a6d8bdae39 -> 2b4c2465d44b, DVR sheduling refactoring
INFO  [alembic.runtime.migration] Running upgrade 2b4c2465d44b -> e3278ee65050, Drop NEC plugin tables
INFO  [alembic.runtime.migration] Running upgrade e3278ee65050 -> c6c112992c9, rbac_qos_policy
INFO  [alembic.runtime.migration] Running upgrade c6c112992c9 -> 5ffceebfada, network_rbac_external
INFO  [alembic.runtime.migration] Running upgrade 5ffceebfada -> 4ffceebfcdc, standard_desc
  OK

重启计算API服务：

$ systemctl restart openstack-nova-api.service

当系统启动时，启动 Networking 服务并配置它启动

$ systemctl enable neutron-server.service \
neutron-linuxbridge-agent.service neutron-dhcp-agent.service \
neutron-metadata-agent.service
$ systemctl start neutron-server.service \
neutron-linuxbridge-agent.service neutron-dhcp-agent.service \
neutron-metadata-agent.service

三、安装和配置计算节点

安装包

$ yum -y install openstack-neutron-linuxbridge ebtables ipset

编辑/etc/neutron/neutron.conf

$ vim /etc/neutron/neutron.conf

[DEFAULT]
rpc_backend = rabbit        #配置RabbitMQ消息队列的连接
auth_strategy = keystone    #配置认证服务访问

[oslo_messaging_rabbit]     #配置RabbitMQ消息队列的连接
rabbit_host = 192.168.1.2
rabbit_userid = openstack
rabbit_password = openstack

[keystone_authtoken]        #配置认证服务访问
auth_uri = http://192.168.1.2:5000
auth_url = http://192.168.1.2:35357
memcached_servers = 192.168.1.2:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = neutron
password = neutron

[oslo_concurrency]
lock_path = /var/lib/neutron/tmp    #配置锁路径

配置Linuxbridge代理

编辑/etc/neutron/plugins/ml2/linuxbridge\_agent.ini

$ vim /etc/neutron/plugins/ml2/linuxbridge_agent.ini

[linux_bridge]
physical_interface_mappings = public:eth0       #将公共虚拟网络和公共物理网络接口对应起来
#我这里给的是主机模式eth0网卡

[vxlan]
enable_vxlan = False        #禁止VXLAN覆盖网络

[securitygroup]             #启用安全组并配置 Linuxbridge iptables firewall driver
enable_security_group = True
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver

为计算节点配置网络服务编辑/etc/nova/nova.conf

$ vim /etc/nova/nova.conf

[neutron]
url = http://192.168.1.2:9696
auth_url = http://192.168.1.1:35357
auth_type = password
project_domain_name = default
user_domain_name = default
region_name = RegionOne
project_name = service
username = neutron
password = neutron

重启计算服务：

$ systemctl restart openstack-nova-compute.service

启动Linuxbridge代理并配置它开机自启动：

$ systemctl enable neutron-linuxbridge-agent.service
$ systemctl start neutron-linuxbridge-agent.service

四、验证操作

获得admin凭证来获取只有管理员能执行的命令的访问权限：

在控制节点上执行这些命令。

$ . admin-openstack.sh

列出加载的扩展来验证neutron-server进程是否正常启动：

$ neutron ext-list
+---------------------------+-----------------------------------------------+
| alias                     | name                                          |
+---------------------------+-----------------------------------------------+
| default-subnetpools       | Default Subnetpools                           |
| availability_zone         | Availability Zone                             |
| network_availability_zone | Network Availability Zone                     |
| auto-allocated-topology   | Auto Allocated Topology Services              |
| binding                   | Port Binding                                  |
| agent                     | agent                                         |
| subnet_allocation         | Subnet Allocation                             |
| dhcp_agent_scheduler      | DHCP Agent Scheduler                          |
| tag                       | Tag support                                   |
| external-net              | Neutron external network                      |
| net-mtu                   | Network MTU                                   |
| network-ip-availability   | Network IP Availability                       |
| quotas                    | Quota management support                      |
| provider                  | Provider Network                              |
| multi-provider            | Multi Provider Network                        |
| address-scope             | Address scope                                 |
| timestamp_core            | Time Stamp Fields addition for core resources |
| extra_dhcp_opt            | Neutron Extra DHCP opts                       |
| security-group            | security-group                                |
| rbac-policies             | RBAC Policies                                 |
| standard-attr-description | standard-attr-description                     |
| port-security             | Port Security                                 |
| allowed-address-pairs     | Allowed Address Pairs                         |
+---------------------------+-----------------------------------------------+

$ neutron agent-list
+--------------------------------------+--------------------+------------+-------------------+-------+----------------+---------------------------+
| id                                   | agent_type         | host       | availability_zone | alive | admin_state_up | binary                    |
+--------------------------------------+--------------------+------------+-------------------+-------+----------------+---------------------------+
| 558eebbe-7f5c-42b4-9e5d-5ccbc45324b3 | Linux bridge agent | openstack2 |                   |/:-)   | True           | neutron-linuxbridge-agent |
| 663b551a-e0c1-4228-ac9e-35ea07bd7b85 | Metadata agent     | openstack1 |                   |/:-)   | True           | neutron-metadata-agent    |
| bbe1c6d3-f5ef-4f77-b8c2-dad601aa1f69 | Linux bridge agent | openstack1 |                   |/:-)   | True           | neutron-linuxbridge-agent |
| dba89587-8675-4b4f-ab30-e5d94d3ea9b0 | DHCP agent         | openstack1 | nova              |/:-)   | True           | neutron-dhcp-agent        |
+--------------------------------------+--------------------+------------+-------------------+-------+----------------+---------------------------+
#确保命令列出来的都一致，如果缺了一个有问题，需要排除。
#如果网卡名字不对，也会导致缺少一个