I. Install and configure the controller node
Prerequisites
1. Create the database:
[root@Controller-Node ~]# mysql -u root -p123456
MariaDB [(none)]> CREATE DATABASE neutron;
MariaDB [(none)]> GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'localhost' IDENTIFIED BY 'neutron';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'%' IDENTIFIED BY 'neutron';
MariaDB [(none)]> exit
2. Source the admin credentials to gain access to admin-only CLI commands:
[root@Controller-Node ~]# source admin-openrc.sh
3. Create the neutron user:
[root@Controller-Node ~]# openstack user create --domain default --password-prompt neutron
User Password: neutron
Repeat User Password:
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | default                          |
| enabled             | True                             |
| id                  | 068cad0d03674df79d91c2ca9b948c69 |
| name                | neutron                          |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+
[root@Controller-Node ~]#
4. Add the admin role to the neutron user:
[root@Controller-Node ~]# openstack role add --project service --user neutron admin
5. Create the neutron service entity:
$ openstack service create --name neutron \
  --description "OpenStack Networking" network
[root@Controller-Node ~]# openstack service create --name neutron \
> --description "OpenStack Networking" network
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | OpenStack Networking             |
| enabled     | True                             |
| id          | b840910d3acd4233a2240ad0ef48634c |
| name        | neutron                          |
| type        | network                          |
+-------------+----------------------------------+
[root@Controller-Node ~]#
6. Create the Networking service API endpoints:
$ openstack endpoint create --region RegionOne \
  network public http://10.20.9.13:9696
$ openstack endpoint create --region RegionOne \
  network internal http://10.20.9.13:9696
$ openstack endpoint create --region RegionOne \
  network admin http://10.20.9.13:9696
Executed as follows:
[root@Controller-Node ~]# openstack endpoint create --region RegionOne \
> network public http://10.20.9.13:9696
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | a5dbdb40a4de4b289baf447fe2ec34b6 |
| interface    | public                           |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | b840910d3acd4233a2240ad0ef48634c |
| service_name | neutron                          |
| service_type | network                          |
| url          | http://10.20.9.13:9696           |
+--------------+----------------------------------+
[root@Controller-Node ~]# openstack endpoint create --region RegionOne \
> network internal http://10.20.9.13:9696
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | cdfe81255ec8494fb6e9b012f6b48ac6 |
| interface    | internal                         |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | b840910d3acd4233a2240ad0ef48634c |
| service_name | neutron                          |
| service_type | network                          |
| url          | http://10.20.9.13:9696           |
+--------------+----------------------------------+
[root@Controller-Node ~]# openstack endpoint create --region RegionOne \
> network admin http://10.20.9.13:9696
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 5000d169084b4b9795717a1e7175a553 |
| interface    | admin                            |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | b840910d3acd4233a2240ad0ef48634c |
| service_name | neutron                          |
| service_type | network                          |
| url          | http://10.20.9.13:9696           |
+--------------+----------------------------------+
[root@Controller-Node ~]#
II. Install the Networking service (openstack-neutron)
1. Install the components:
$ yum install openstack-neutron openstack-neutron-ml2 \
  openstack-neutron-linuxbridge ebtables
2. Configure the server component
Edit the /etc/neutron/neutron.conf file and complete the following actions:
1) In the [database] section, configure database access:
[database]
# ...
connection = mysql://neutron:neutron@10.20.9.13/neutron
2) In the [DEFAULT] section, enable the Modular Layer 2 (ML2) plug-in, the router service, and overlapping IP addresses:
[DEFAULT]
...
core_plugin = ml2
service_plugins = router
allow_overlapping_ips = True
3) In the [DEFAULT] and [oslo_messaging_rabbit] sections, configure RabbitMQ message queue access:
[DEFAULT]
...
rpc_backend = rabbit
[oslo_messaging_rabbit]
...
rabbit_host = 10.20.9.13
rabbit_userid = openstack
rabbit_password = openstack
4) In the [DEFAULT] and [keystone_authtoken] sections, configure Identity service access:
[DEFAULT]
...
auth_strategy = keystone
[keystone_authtoken]
...
auth_uri = http://10.20.9.13:5000
auth_url = http://10.20.9.13:35357
auth_plugin = password
project_domain_id = default
user_domain_id = default
project_name = service
username = neutron
password = neutron
5) In the [DEFAULT] and [nova] sections, configure Networking to notify Compute of network topology changes:
[DEFAULT]
...
notify_nova_on_port_status_changes = True
notify_nova_on_port_data_changes = True
nova_url = http://10.20.9.13:8774/v2
[nova]
...
auth_url = http://10.20.9.13:35357
auth_plugin = password
project_domain_id = default
user_domain_id = default
region_name = RegionOne
project_name = service
username = nova
password = nova
6) In the [oslo_concurrency] section, configure the lock path:
[oslo_concurrency]
...
lock_path = /var/lib/neutron/tmp
7) To assist with troubleshooting, enable verbose logging in the [DEFAULT] section:
[DEFAULT]
...
verbose = True
3. Configure the Modular Layer 2 (ML2) plug-in
The ML2 plug-in uses the Linux bridge mechanism to build layer-2 (bridging/switching) virtual networking infrastructure for instances.
Edit the /etc/neutron/plugins/ml2/ml2_conf.ini file and complete the following actions:
1) In the [ml2] section, enable flat, VLAN, and VXLAN networks:
[ml2]
...
type_drivers = flat,vlan,vxlan
2) In the [ml2] section, enable VXLAN project (private) networks:
[ml2]
...
tenant_network_types = vxlan
3) In the [ml2] section, enable the Linux bridge and layer-2 population mechanisms:
[ml2]
...
mechanism_drivers = linuxbridge,l2population
4) In the [ml2] section, enable the port security extension driver:
[ml2]
...
extension_drivers = port_security
5) In the [ml2_type_flat] section, configure the public flat provider network:
[ml2_type_flat]
...
flat_networks = public
6) In the [ml2_type_vxlan] section, configure the VXLAN network identifier range for private networks:
[ml2_type_vxlan]
...
vni_ranges = 1:1000
7) In the [securitygroup] section, enable ipset to increase the efficiency of security group rules:
[securitygroup]
...
enable_ipset = True
4. Configure the Linux bridge agent
The Linux bridge agent builds layer-2 (bridging/switching) virtual networking infrastructure for instances, including VXLAN tunnels for private networks, and handles security groups.
Edit the /etc/neutron/plugins/ml2/linuxbridge_agent.ini file and complete the following actions:
1) In the [linux_bridge] section, map the public virtual network to the public physical network interface, where PUBLIC_INTERFACE_NAME is the name of your physical network interface:
[linux_bridge]
physical_interface_mappings = public:PUBLIC_INTERFACE_NAME
2) In the [vxlan] section, enable VXLAN overlay networks, configure the IP address of the physical network interface that handles overlay networks, and enable layer-2 population:
[vxlan]
enable_vxlan = True
local_ip = OVERLAY_INTERFACE_IP_ADDRESS
l2_population = True
3) In the [agent] section, enable ARP spoofing protection:
[agent]
...
prevent_arp_spoofing = True
4) In the [securitygroup] section, enable security groups and configure the Linux bridge iptables firewall driver:
[securitygroup]
...
enable_security_group = True
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
5. Configure the layer-3 agent
Edit the /etc/neutron/l3_agent.ini file and complete the following actions:
1) In the [DEFAULT] section, configure the Linux bridge interface driver and the external network bridge:
[DEFAULT]
...
interface_driver = neutron.agent.linux.interface.BridgeInterfaceDriver
external_network_bridge =
2) (Optional) To assist with troubleshooting, enable verbose logging in the [DEFAULT] section:
[DEFAULT]
...
verbose = True
6. Configure the DHCP agent
Edit the /etc/neutron/dhcp_agent.ini file and complete the following actions:
1) In the [DEFAULT] section, configure the Linux bridge interface driver and the Dnsmasq DHCP driver, and enable isolated metadata so that instances on public networks can access metadata over the network:
[DEFAULT]
...
interface_driver = neutron.agent.linux.interface.BridgeInterfaceDriver
dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq
enable_isolated_metadata = True
2) To assist with troubleshooting, enable verbose logging in the [DEFAULT] section:
[DEFAULT]
...
verbose = True
3) In the [DEFAULT] section, enable the dnsmasq configuration file:
[DEFAULT]
...
dnsmasq_config_file = /etc/neutron/dnsmasq-neutron.conf
4) Create and edit the /etc/neutron/dnsmasq-neutron.conf file to enable the DHCP MTU option (26) and configure it to 1450 bytes:
dhcp-option-force=26,1450
7. Configure the metadata agent
Edit the /etc/neutron/metadata_agent.ini file and complete the following actions:
1) In the [DEFAULT] section, configure access parameters:
[DEFAULT]
...
auth_uri = http://10.20.9.13:5000
auth_url = http://10.20.9.13:35357
auth_region = RegionOne
auth_plugin = password
project_domain_id = default
user_domain_id = default
project_name = service
username = neutron
password = neutron
nova_metadata_ip = 10.20.9.13
metadata_proxy_shared_secret = METADATA_SECRET
verbose = True
2) In the [DEFAULT] section, configure the metadata host:
[DEFAULT]
...
nova_metadata_ip = 10.20.9.13
3) In the [DEFAULT] section, configure the metadata proxy shared secret:
[DEFAULT]
...
metadata_proxy_shared_secret = METADATA_SECRET
4) To assist with troubleshooting, enable verbose logging in the [DEFAULT] section:
[DEFAULT]
...
verbose = True
8. Configure Compute to use Networking
Edit the /etc/nova/nova.conf file and complete the following actions:
In the [neutron] section, configure access parameters, enable the metadata proxy, and configure the secret:
[neutron]
...
url = http://10.20.9.13:9696
auth_url = http://10.20.9.13:35357
auth_plugin = password
project_domain_id = default
user_domain_id = default
region_name = RegionOne
project_name = service
username = neutron
password = neutron
service_metadata_proxy = True
metadata_proxy_shared_secret = METADATA_SECRET
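As an added check (example code written for this page, not part of the original guide and not Neutron's own code), the following script parses the ini text of the files edited in steps 3, 4 and 7 above and flags the settings a reviewer would confirm before the node goes live: port_security in extension_drivers, security groups backed by a real firewall driver, ARP spoofing protection, a metadata_proxy_shared_secret that is not the METADATA_SECRET placeholder, and verbose logging left on. The sample configuration is constructed inline from the guide's values; the placeholder list and the 16-character minimum for the secret are this example's own assumptions.

```python
"""Audit the Neutron security settings this guide sets (added example, not the guide's code)."""
import configparser

# Constructed sample: the [ml2], [securitygroup], [agent] and metadata-agent [DEFAULT]
# sections from the guide, merged into one text so the demo runs without the real files.
SAMPLE_CONF = """
[ml2]
mechanism_drivers = linuxbridge,l2population
extension_drivers = port_security
[securitygroup]
enable_security_group = True
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
[agent]
prevent_arp_spoofing = True
[DEFAULT]
metadata_proxy_shared_secret = METADATA_SECRET
verbose = True
"""

# Assumed placeholder values and minimum secret length (this example's choice, not a Neutron rule).
PLACEHOLDER_SECRETS = {"", "METADATA_SECRET", "changeme", "secret"}
MIN_SECRET_LEN = 16

def _truthy(cp, section, option, default):
    # Boolean read with oslo.config-style spellings (True/true/1/yes) and a fallback default.
    return cp.get(section, option, fallback=default).strip().lower() in ("true", "1", "yes")

def _csv(cp, section, option):
    # Comma-separated list option, e.g. extension_drivers = port_security,qos
    return [v.strip() for v in cp.get(section, option, fallback="").split(",") if v.strip()]

def audit(conf_text):
    """Return the list of findings for the ini text; an empty list means every check passed."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)  # strict=False: repeated keys allowed
    cp.read_string(conf_text)
    findings = []
    if "port_security" not in _csv(cp, "ml2", "extension_drivers"):
        findings.append("ml2.extension_drivers lacks port_security: ports are not pinned to their MAC/IP")
    if not _truthy(cp, "securitygroup", "enable_security_group", "true"):
        findings.append("securitygroup.enable_security_group is False: no per-port filtering")
    driver = cp.get("securitygroup", "firewall_driver", fallback="")
    if not driver or driver.lower().endswith("noopfirewalldriver"):
        findings.append("securitygroup.firewall_driver is unset or noop: security group rules are not enforced")
    if not _truthy(cp, "agent", "prevent_arp_spoofing", "true"):
        findings.append("agent.prevent_arp_spoofing is False: an instance can answer ARP for another's IP")
    secret = cp.get("DEFAULT", "metadata_proxy_shared_secret", fallback="")
    if secret in PLACEHOLDER_SECRETS or len(secret) < MIN_SECRET_LEN:
        findings.append("DEFAULT.metadata_proxy_shared_secret is a placeholder or shorter than 16 characters")
    if _truthy(cp, "DEFAULT", "verbose", "false"):
        findings.append("DEFAULT.verbose is True: turn it off once troubleshooting is finished")
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE_CONF) or ["no findings"]:
        print(line)
```

Run it against the real files by passing the contents of ml2_conf.ini, linuxbridge_agent.ini and metadata_agent.ini to audit(); on the sample above it reports the placeholder secret and verbose logging.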
III. Finalize installation
1. The Networking service initialization scripts expect a symbolic link /etc/neutron/plugin.ini pointing to the ML2 plug-in configuration file /etc/neutron/plugins/ml2/ml2_conf.ini. If this symbolic link does not exist, create it with the following command:
# ln -s /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini
2. Populate the database:
su -s /bin/sh -c "neutron-db-manage --config-file /etc/neutron/neutron.conf \
  --config-file /etc/neutron/plugins/ml2/ml2_conf.ini upgrade head" neutron
3. Restart the Compute API service:
# systemctl restart openstack-nova-api.service
4. Start the Networking services and configure them to start when the system boots.
For both networking options:
# systemctl enable neutron-server.service \
  neutron-linuxbridge-agent.service neutron-dhcp-agent.service \
  neutron-metadata-agent.service
# systemctl start neutron-server.service \
  neutron-linuxbridge-agent.service neutron-dhcp-agent.service \
  neutron-metadata-agent.service
# systemctl restart neutron-server.service \
  neutron-linuxbridge-agent.service neutron-dhcp-agent.service \
  neutron-metadata-agent.service
For networking option 2, also enable and start the layer-3 service:
# systemctl enable neutron-l3-agent.service
# systemctl start neutron-l3-agent.service
# systemctl restart neutron-l3-agent.service
IV. Install and configure the compute node (performed on 10.20.9.14)
1. Install the components:
# yum install openstack-neutron openstack-neutron-linuxbridge ebtables ipset
2. Configure the common components. The Networking common component configuration includes the authentication mechanism, message queue, and plug-in.
Edit the /etc/neutron/neutron.conf file and complete the following actions:
1) In the [database] section, comment out any connection options, because compute nodes do not directly access the database.
2) In the [DEFAULT] and [oslo_messaging_rabbit] sections, configure RabbitMQ message queue access:
[DEFAULT]
...
rpc_backend = rabbit
[oslo_messaging_rabbit]
...
rabbit_host = 10.20.9.13
rabbit_userid = openstack
rabbit_password = openstack
3) In the [DEFAULT] and [keystone_authtoken] sections, configure Identity service access:
[DEFAULT]
...
auth_strategy = keystone
[keystone_authtoken]
...
auth_uri = http://10.20.9.13:5000
auth_url = http://10.20.9.13:35357
auth_plugin = password
project_domain_id = default
user_domain_id = default
project_name = service
username = neutron
password = neutron
4) In the [oslo_concurrency] section, configure the lock path:
[oslo_concurrency]
...
lock_path = /var/lib/neutron/tmp
5) To assist with troubleshooting, enable verbose logging in the [DEFAULT] section:
[DEFAULT]
...
verbose = True
3. Configure the Linux bridge agent
The Linux bridge agent builds layer-2 (bridging/switching) virtual networking infrastructure for instances, including VXLAN tunnels for private networks, and handles security groups.
Edit the /etc/neutron/plugins/ml2/linuxbridge_agent.ini file and complete the following actions:
1) In the [linux_bridge] section, map the public virtual network to the public physical network interface:
[linux_bridge]
physical_interface_mappings = public:PUBLIC_INTERFACE_NAME
2) In the [vxlan] section, enable VXLAN overlay networks, configure the IP address of the physical network interface that handles overlay networks, and enable layer-2 population:
[vxlan]
enable_vxlan = True
local_ip = OVERLAY_INTERFACE_IP_ADDRESS
l2_population = True
3) In the [agent] section, enable ARP spoofing protection:
[agent]
...
prevent_arp_spoofing = True
4) In the [securitygroup] section, enable security groups and configure the Linux bridge iptables firewall driver:
[securitygroup]
...
enable_security_group = True
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
4. Configure Compute to use Networking
Edit the /etc/nova/nova.conf file and complete the following actions:
1) In the [neutron] section, configure access parameters:
[neutron]
...
url = http://10.20.9.13:9696
auth_url = http://10.20.9.13:35357
auth_plugin = password
project_domain_id = default
user_domain_id = default
region_name = RegionOne
project_name = service
username = neutron
password = neutron
5. Finalize installation
1) Restart the Compute service:
# systemctl restart openstack-nova-compute.service
2) Start the Linux bridge agent and configure it to start when the system boots:
# systemctl enable neutron-linuxbridge-agent.service
# systemctl start neutron-linuxbridge-agent.service
# systemctl restart neutron-linuxbridge-agent.service
6. Verify operation
Perform these commands on the controller node.
1) Source the admin credentials to gain access to admin-only CLI commands:
# source admin-openrc.sh
2) List loaded extensions to verify that the neutron-server process launched successfully:
[root@Controller-Node ~]# openstack extension list --network
| Name | Alias | Description |
| Default Subnetpools | default-subnetpools | Provides ability to mark and use a subnetpool as the default |
| Network IP Availability | network-ip-availability | Provides IP availability data for each network and subnet. |
| Network Availability Zone | network_availability_zone | Availability zone support for network. |
| Auto Allocated Topology Services | auto-allocated-topology | Auto Allocated Topology Services. |
| Neutron L3 Configurable external gateway mode | ext-gw-mode | Extension of the router abstraction for specifying whether SNAT should occur on the external gateway |
| Port Binding | binding | Expose port bindings of a virtual port to external application |
| agent | agent | The agent management extension. |
| Subnet Allocation | subnet_allocation | Enables allocation of subnets from a subnet pool |
| L3 Agent Scheduler | l3_agent_scheduler | Schedule routers among l3 agents |
| Tag support | tag | Enables to set tag on resources. |
| Neutron external network | external-net | Adds external network attribute to network resource. |
| Neutron Service Flavors | flavors | Flavor specification for Neutron advanced services |
| Network MTU | net-mtu | Provides MTU attribute for a network resource. |
| Availability Zone | availability_zone | The availability zone extension. |
| Quota management support | quotas | Expose functions for quotas management per tenant |
| HA Router extension | l3-ha | Add HA capability to routers. |
| Provider Network | provider | Expose mapping of virtual networks to physical networks |
| Multi Provider Network | multi-provider | Expose mapping of virtual networks to multiple physical networks |
| Address scope | address-scope | Address scopes extension. |
| Neutron Extra Route | extraroute | Extra routes configuration for L3 router |
| Subnet service types | subnet-service-types | Provides ability to set the subnet service_types field |
| Resource timestamps | standard-attr-timestamp | Adds created_at and updated_at fields to all Neutron resources that have Neutron standard attributes. |
| Neutron Service Type Management | service-type | API for retrieving service providers for Neutron advanced services |
| Router Flavor Extension | l3-flavors | Flavor support for routers. |
| Port Security | port-security | Provides port security |
| Neutron Extra DHCP opts | extra_dhcp_opt | Extra options configuration for DHCP. For example PXE boot options to DHCP clients can be specified (e.g. tftp-server, server-ip-address, bootfile-name) |
| Resource revision numbers | standard-attr-revisions | This extension will display the revision number of neutron resources. |
| Pagination support | pagination | Extension that indicates that pagination is enabled. |
| Sorting support | sorting | Extension that indicates that sorting is enabled. |
| security-group | security-group | The security groups extension. |
| DHCP Agent Scheduler | dhcp_agent_scheduler | Schedule networks among dhcp agents |
| Router Availability Zone | router_availability_zone | Availability zone support for router. |
| RBAC Policies | rbac-policies | Allows creation and modification of policies that control tenant access to resources. |
| Tag support for resources: subnet, subnetpool, port, router | tag-ext | Extends tag support to more L2 and L3 resources. |
| standard-attr-description | standard-attr-description | Extension to add descriptions to standard attributes |
| Neutron L3 Router | router | Router abstraction for basic L3 forwarding between L2 Neutron networks and access to external networks via a NAT gateway. |
| Allowed Address Pairs | allowed-address-pairs | Provides allowed address pairs |
| project_id field enabled | project-id | Extension that indicates that project_id field is enabled. |
| Distributed Virtual Router | dvr | Enables configuration of Distributed Virtual Routers. |
[root@Controller-Node ~]#
3) List agents to verify that the neutron agents launched successfully:
[root@Controller-Node ~]# openstack network agent list
+--------------------------------------+--------------------+-----------------+-------------------+-------+-------+---------------------------+
| ID                                   | Agent Type         | Host            | Availability Zone | Alive | State | Binary                    |
+--------------------------------------+--------------------+-----------------+-------------------+-------+-------+---------------------------+
| 4cb8842e-f9bb-4c5b-9202-0f0de50b3308 | Linux bridge agent | Controller-Node | None              | True  | UP    | neutron-linuxbridge-agent |
| 67c9e1bb-2e57-4984-9c53-c97f338fbeab | L3 agent           | Controller-Node | nova              | True  | UP    | neutron-l3-agent          |
| b135bda1-dea3-4b04-bdac-c4977e74f0ef | Linux bridge agent | Compute-Node    | None              | True  | UP    | neutron-linuxbridge-agent |
| bfc6c4fb-8633-460e-9b1c-f6d827bf728b | Metadata agent     | Controller-Node | None              | True  | UP    | neutron-metadata-agent    |
| c67e45cc-bc96-4eea-8ab6-fc4c659e75c9 | DHCP agent         | Controller-Node | nova              | True  | UP    | neutron-dhcp-agent        |
+--------------------------------------+--------------------+-----------------+-------------------+-------+-------+---------------------------+
[root@Controller-Node ~]#