I. Install and configure the controller node
Prerequisites
1. Create the database:
[root@Controller-Node ~]# mysql -u root -p123456
MariaDB [(none)]> CREATE DATABASE neutron;
MariaDB [(none)]> GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'localhost' IDENTIFIED BY 'neutron';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'%' IDENTIFIED BY 'neutron';
MariaDB [(none)]> exit
2. Source the admin credentials to gain access to admin-only CLI commands:
[root@Controller-Node ~]# source admin-openrc.sh
3. Create the neutron user:
[root@Controller-Node ~]# openstack user create --domain default --password-prompt neutron
User Password: neutron
Repeat User Password:
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | default |
| enabled | True |
| id | 068cad0d03674df79d91c2ca9b948c69 |
| name | neutron |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+
[root@Controller-Node ~]#
4. Add the admin role to the neutron user (in the service project):
[root@Controller-Node ~]# openstack role add --project service --user neutron admin
5. Create the neutron service entity:
$openstack service create --name neutron \
--description "OpenStack Networking" network
[root@Controller-Node ~]# openstack service create --name neutron \
> --description "OpenStack Networking" network
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | OpenStack Networking |
| enabled | True |
| id | b840910d3acd4233a2240ad0ef48634c |
| name | neutron |
| type | network |
+-------------+----------------------------------+
[root@Controller-Node ~]#
6. Create the Networking service API endpoints:
$openstack endpoint create --region RegionOne \
network public http://10.20.9.13:9696
$openstack endpoint create --region RegionOne \
network internal http://10.20.9.13:9696
$openstack endpoint create --region RegionOne \
network admin http://10.20.9.13:9696
Executed as follows:
[root@Controller-Node ~]# openstack endpoint create --region RegionOne \
> network public http://10.20.9.13:9696
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | a5dbdb40a4de4b289baf447fe2ec34b6 |
| interface | public |
| region | RegionOne |
| region_id | RegionOne |
| service_id | b840910d3acd4233a2240ad0ef48634c |
| service_name | neutron |
| service_type | network |
| url | http://10.20.9.13:9696 |
+--------------+----------------------------------+
[root@Controller-Node ~]# openstack endpoint create --region RegionOne \
> network internal http://10.20.9.13:9696
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | cdfe81255ec8494fb6e9b012f6b48ac6 |
| interface | internal |
| region | RegionOne |
| region_id | RegionOne |
| service_id | b840910d3acd4233a2240ad0ef48634c |
| service_name | neutron |
| service_type | network |
| url | http://10.20.9.13:9696 |
+--------------+----------------------------------+
[root@Controller-Node ~]# openstack endpoint create --region RegionOne \
> network admin http://10.20.9.13:9696
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 5000d169084b4b9795717a1e7175a553 |
| interface | admin |
| region | RegionOne |
| region_id | RegionOne |
| service_id | b840910d3acd4233a2240ad0ef48634c |
| service_name | neutron |
| service_type | network |
| url | http://10.20.9.13:9696 |
+--------------+----------------------------------+
[root@Controller-Node ~]#
II. Install the Networking service (openstack-neutron)
1. Install the components:
$yum install openstack-neutron openstack-neutron-ml2 \
openstack-neutron-linuxbridge ebtables
2. Configure the server component
Edit the /etc/neutron/neutron.conf file and complete the following actions:
1.> In the [database] section, configure database access:
[database]
# ...
connection=mysql://neutron:neutron@10.20.9.13/neutron
2.> In the [DEFAULT] section, enable the Modular Layer 2 (ML2) plug-in, the router service, and overlapping IP addresses:
[DEFAULT]
...
core_plugin = ml2
service_plugins = router
allow_overlapping_ips = True
3.> In the [DEFAULT] and [oslo_messaging_rabbit] sections, configure RabbitMQ message queue access:
[DEFAULT]
...
rpc_backend = rabbit
[oslo_messaging_rabbit]
...
rabbit_host = 10.20.9.13
rabbit_userid = openstack
rabbit_password = openstack
4.> In the [DEFAULT] and [keystone_authtoken] sections, configure Identity service access:
[DEFAULT]
...
auth_strategy = keystone
[keystone_authtoken]
...
auth_uri = http://10.20.9.13:5000
auth_url = http://10.20.9.13:35357
auth_plugin = password
project_domain_id = default
user_domain_id = default
project_name = service
username = neutron
password = neutron
5.> In the [DEFAULT] and [nova] sections, configure Networking to notify Compute of network topology changes:
[DEFAULT]
...
notify_nova_on_port_status_changes = True
notify_nova_on_port_data_changes = True
nova_url = http://10.20.9.13:8774/v2
[nova]
...
auth_url = http://10.20.9.13:35357
auth_plugin = password
project_domain_id = default
user_domain_id = default
region_name = RegionOne
project_name = service
username = nova
password = nova
6.> In the [oslo_concurrency] section, configure the lock path:
[oslo_concurrency]
...
lock_path = /var/lib/neutron/tmp
7.> To assist with troubleshooting, enable verbose logging in the [DEFAULT] section:
[DEFAULT]
...
verbose = True
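The seven edits above are all "set this key in that section" operations, and they have to be repeatable, because a second pass over the file must not leave duplicate keys behind. The following is an added example, not part of the original guide, of an idempotent POSIX sh/awk INI editor that applies the guide's values; `configure_neutron_server` and its single path parameter are names chosen here, and the values are the guide's own, including its demo passwords (neutron/neutron), which a real deployment would replace with generated ones. On the nodes themselves `openstack-config --set` (the crudini wrapper from openstack-utils) does the same job; this version needs only awk.

```shell
#!/bin/sh
# Added example (not from the original guide): idempotent INI editing for
# neutron.conf-style files, plus a helper applying the guide's values.

# ini_get FILE SECTION KEY -> prints the value of the first active KEY in SECTION
ini_get() {
    awk -v sec="$2" -v key="$3" '
        /^[[:space:]]*\[/ { cur = $0; sub(/^[[:space:]]*\[/, "", cur); sub(/\].*$/, "", cur); next }
        cur == sec && $0 !~ /^[[:space:]]*[#;]/ {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); gsub(/[[:space:]]/, "", k)
            if (k == key) { v = substr($0, eq + 1); gsub(/^[[:space:]]+|[[:space:]]+$/, "", v); print v; exit }
        }' "$1"
}

# ini_set FILE SECTION KEY VALUE: replace the first active KEY in SECTION,
# append it at the end of SECTION if it is missing, or create SECTION if needed.
# Commented-out keys (# or ;) are left alone, matching how the sample configs look.
ini_set() {
    file=$1; sec=$2; key=$3; val=$4
    tmp=$(mktemp) || return 1
    awk -v sec="$sec" -v key="$key" -v val="$val" '
        function emit_if_pending() { if (insec && !done) { print key " = " val; done = 1 } }
        /^[[:space:]]*\[/ {
            emit_if_pending()
            cur = $0; sub(/^[[:space:]]*\[/, "", cur); sub(/\].*$/, "", cur)
            insec = (cur == sec); seen = seen || insec
            print; next
        }
        insec && !done && $0 !~ /^[[:space:]]*[#;]/ {
            eq = index($0, "=")
            if (eq > 0) {
                k = substr($0, 1, eq - 1); gsub(/[[:space:]]/, "", k)
                if (k == key) { print key " = " val; done = 1; next }
            }
        }
        { print }
        END {
            emit_if_pending()
            if (!seen) { print "[" sec "]"; print key " = " val }
        }' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat, not mv: keeps owner/mode
    rc=$?; rm -f "$tmp"; return $rc
}

# configure_neutron_server FILE: the controller-side neutron.conf values from the guide
configure_neutron_server() {
    f=$1
    ini_set "$f" database connection 'mysql://neutron:neutron@10.20.9.13/neutron'
    ini_set "$f" DEFAULT core_plugin ml2
    ini_set "$f" DEFAULT service_plugins router
    ini_set "$f" DEFAULT allow_overlapping_ips True
    ini_set "$f" DEFAULT rpc_backend rabbit
    ini_set "$f" DEFAULT auth_strategy keystone
    ini_set "$f" DEFAULT notify_nova_on_port_status_changes True
    ini_set "$f" DEFAULT notify_nova_on_port_data_changes True
    ini_set "$f" oslo_messaging_rabbit rabbit_host 10.20.9.13
    ini_set "$f" keystone_authtoken auth_uri 'http://10.20.9.13:5000'
    ini_set "$f" keystone_authtoken username neutron
    ini_set "$f" keystone_authtoken password neutron
    ini_set "$f" oslo_concurrency lock_path /var/lib/neutron/tmp
}

# Try it on a copy so the live file is untouched:
#   cp /etc/neutron/neutron.conf /tmp/neutron.conf && configure_neutron_server /tmp/neutron.conf
```

The file is rewritten with `cat > file` rather than `mv`, so the existing owner and mode of neutron.conf (root:neutron, 0640 as the packages ship it) survive the edit; replacing the inode with a root-owned 0600 temp file is a common way to leave the neutron-server service unable to read its own configuration, and it also keeps the service password from becoming world-readable.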
3. Configure the Modular Layer 2 (ML2) plug-in
The ML2 plug-in uses the Linux bridge mechanism to build layer-2 (bridging/switching) virtual networking infrastructure for instances.
Edit the /etc/neutron/plugins/ml2/ml2_conf.ini file and complete the following actions:
1.> In the [ml2] section, enable flat, VLAN, and VXLAN networks:
[ml2]
...
type_drivers = flat,vlan,vxlan
2.> In the [ml2] section, enable VXLAN project (private) networks:
[ml2]
...
tenant_network_types = vxlan
3.> In the [ml2] section, enable the Linux bridge and layer-2 population mechanisms:
[ml2]
...
mechanism_drivers = linuxbridge,l2population
4.> In the [ml2] section, enable the port security extension driver:
[ml2]
...
extension_drivers = port_security
5.> In the [ml2_type_flat] section, configure the public flat provider network:
[ml2_type_flat]
...
flat_networks = public
6.> In the [ml2_type_vxlan] section, configure the VXLAN network identifier range for private networks:
[ml2_type_vxlan]
...
vni_ranges = 1:1000
7.> In the [securitygroup] section, enable ipset to increase the efficiency of security group rules:
[securitygroup]
...
enable_ipset = True
4. Configure the Linux bridge agent
The Linux bridge agent builds layer-2 (bridging/switching) virtual networking infrastructure for instances, including VXLAN tunnels for private networks, and handles security groups.
Edit the /etc/neutron/plugins/ml2/linuxbridge_agent.ini file and complete the following actions:
1.> In the [linux_bridge] section, map the public virtual network to the public physical network interface, where PUBLIC_INTERFACE_NAME is the name of the underlying physical public network interface:
[linux_bridge]
physical_interface_mappings = public:PUBLIC_INTERFACE_NAME
2.> In the [vxlan] section, enable VXLAN overlay networks, configure the IP address of the physical network interface that handles overlay networks, and enable layer-2 population:
[vxlan]
enable_vxlan = True
local_ip = OVERLAY_INTERFACE_IP_ADDRESS
l2_population = True
3.> In the [agent] section, enable ARP spoofing protection:
[agent]
...
prevent_arp_spoofing = True
4.> In the [securitygroup] section, enable security groups and configure the Linux bridge iptables firewall driver:
[securitygroup]
...
enable_security_group = True
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
5. Configure the layer-3 agent
Edit the /etc/neutron/l3_agent.ini file and complete the following actions:
1.> In the [DEFAULT] section, configure the Linux bridge interface driver and external network bridge:
[DEFAULT]
...
interface_driver = neutron.agent.linux.interface.BridgeInterfaceDriver
external_network_bridge =
2.> (Optional) To assist with troubleshooting, enable verbose logging in the [DEFAULT] section:
[DEFAULT]
...
verbose = True
6. Configure the DHCP agent
Edit the /etc/neutron/dhcp_agent.ini file and complete the following actions:
1.> In the [DEFAULT] section, configure the Linux bridge interface driver and the Dnsmasq DHCP driver, and enable isolated metadata so that instances on public networks can reach the metadata service over the network:
[DEFAULT]
...
interface_driver = neutron.agent.linux.interface.BridgeInterfaceDriver
dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq
enable_isolated_metadata = True
2.> To assist with troubleshooting, enable verbose logging in the [DEFAULT] section:
[DEFAULT]
...
verbose = True
3.> In the [DEFAULT] section, enable the dnsmasq configuration file:
[DEFAULT]
...
dnsmasq_config_file = /etc/neutron/dnsmasq-neutron.conf
4.> Create and edit the /etc/neutron/dnsmasq-neutron.conf file to enable the DHCP MTU option (26) and set it to 1450 bytes:
dhcp-option-force=26,1450
7. Configure the metadata agent
Edit the /etc/neutron/metadata_agent.ini file and complete the following actions:
1.> In the [DEFAULT] section, configure access parameters:
[DEFAULT]
...
auth_uri = http://10.20.9.13:5000
auth_url = http://10.20.9.13:35357
auth_region = RegionOne
auth_plugin = password
project_domain_id = default
user_domain_id = default
project_name = service
username = neutron
password = neutron
nova_metadata_ip = 10.20.9.13
metadata_proxy_shared_secret = METADATA_SECRET
verbose = True
2.> In the [DEFAULT] section, configure the metadata host:
[DEFAULT]
...
nova_metadata_ip = 10.20.9.13
3.> In the [DEFAULT] section, configure the metadata proxy shared secret:
[DEFAULT]
...
metadata_proxy_shared_secret = METADATA_SECRET
4.> To assist with troubleshooting, enable verbose logging in the [DEFAULT] section:
[DEFAULT]
...
verbose = True
8. Configure Compute to use Networking
Edit the /etc/nova/nova.conf file and complete the following actions:
In the [neutron] section, configure access parameters, enable the metadata proxy, and configure the secret:
[neutron]
...
url = http://10.20.9.13:9696
auth_url = http://10.20.9.13:35357
auth_plugin = password
project_domain_id = default
user_domain_id = default
region_name = RegionOne
project_name = service
username = neutron
password = neutron
service_metadata_proxy = True
metadata_proxy_shared_secret = METADATA_SECRET
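Of everything configured in sections 3, 4, 7 and 8 above, a handful of keys are what actually isolate tenants from each other: the port_security extension driver, ARP spoofing protection and the security-group firewall driver in the agent, and the metadata proxy shared secret, which nova-api uses to verify the X-Instance-ID-Signature header the proxy adds before it hands out an instance's credentials and user data. A mismatched secret breaks metadata; a placeholder left in both files means any host on the management network can forge it. The following added example, not part of the original guide, audits those settings across the four files; `audit_neutron_security` and its four path parameters are names chosen here (so it can be pointed at copies), and it returns the number of findings, zero meaning clean.

```shell
#!/bin/sh
# Added example (not from the original guide): audit the security-relevant
# settings this guide configures and return the number of findings.

# ini_get FILE SECTION KEY -> value of the first active KEY in SECTION, or empty
ini_get() {
    awk -v sec="$2" -v key="$3" '
        /^[[:space:]]*\[/ { cur = $0; sub(/^[[:space:]]*\[/, "", cur); sub(/\].*$/, "", cur); next }
        cur == sec && $0 !~ /^[[:space:]]*[#;]/ && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[[:space:]]/, "", k)
            if (k == key) { v = substr($0, index($0, "=") + 1)
                            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v); print v; exit }
        }' "$1"
}

finding() { echo "FINDING: $*"; n=$((n + 1)); }

# audit_neutron_security NOVA_CONF METADATA_AGENT_INI ML2_CONF_INI LINUXBRIDGE_AGENT_INI
audit_neutron_security() {
    nova=$1; meta=$2; ml2=$3; lb=$4; n=0

    # 1. Metadata path: both sides must share a real secret, not the guide's
    #    METADATA_SECRET placeholder, and nova must know to expect the proxy.
    s_meta=$(ini_get "$meta" DEFAULT metadata_proxy_shared_secret)
    s_nova=$(ini_get "$nova" neutron metadata_proxy_shared_secret)
    case $s_meta in
        ""|METADATA_SECRET) finding "$meta: metadata_proxy_shared_secret is unset or still the placeholder" ;;
    esac
    [ "$s_meta" = "$s_nova" ] || finding "metadata_proxy_shared_secret differs between $meta and $nova"
    [ "$(ini_get "$nova" neutron service_metadata_proxy)" = "True" ] \
        || finding "$nova: [neutron] service_metadata_proxy is not True"

    # 2. Tenant isolation: without these an instance can spoof MAC/IP addresses
    #    or talk past its security group.
    case ",$(ini_get "$ml2" ml2 extension_drivers | tr -d ' ')," in
        *,port_security,*) ;;
        *) finding "$ml2: [ml2] extension_drivers does not include port_security" ;;
    esac
    [ "$(ini_get "$lb" agent prevent_arp_spoofing)" = "True" ] \
        || finding "$lb: [agent] prevent_arp_spoofing is not True"
    [ "$(ini_get "$lb" securitygroup enable_security_group)" = "True" ] \
        || finding "$lb: [securitygroup] enable_security_group is not True"
    [ -n "$(ini_get "$lb" securitygroup firewall_driver)" ] \
        || finding "$lb: [securitygroup] firewall_driver is unset"

    # 3. These files carry service passwords and the shared secret; they must
    #    not be world-readable (the packages ship them as 0640).
    for f in "$nova" "$meta" "$ml2" "$lb"; do
        [ -z "$(find "$f" -perm -004)" ] || finding "$f is world-readable"
    done
    return $n
}

# On a node, after completing the steps above:
#   audit_neutron_security /etc/nova/nova.conf /etc/neutron/metadata_agent.ini \
#       /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugins/ml2/linuxbridge_agent.ini
```

Run it on both the controller and the compute node after section IV, since the agent settings live on every node that runs neutron-linuxbridge-agent; the metadata checks only apply where metadata_agent.ini exists.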
III. Finalize installation
1. The Networking service initialization scripts expect a symbolic link /etc/neutron/plugin.ini pointing to the ML2 plug-in configuration file /etc/neutron/plugins/ml2/ml2_conf.ini. If this symbolic link does not exist, create it with the following command:
# ln -s /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini
2. Populate the database:
su -s /bin/sh -c "neutron-db-manage --config-file /etc/neutron/neutron.conf \
--config-file /etc/neutron/plugins/ml2/ml2_conf.ini upgrade head" neutron
3. Restart the Compute API service:
# systemctl restart openstack-nova-api.service
4. Start the Networking services and configure them to start when the system boots.
For both networking options:
# systemctl enable neutron-server.service \
neutron-linuxbridge-agent.service neutron-dhcp-agent.service \
neutron-metadata-agent.service
# systemctl start neutron-server.service \
neutron-linuxbridge-agent.service neutron-dhcp-agent.service \
neutron-metadata-agent.service
# systemctl restart neutron-server.service \
neutron-linuxbridge-agent.service neutron-dhcp-agent.service \
neutron-metadata-agent.service
For networking option 2, also enable and start the layer-3 service:
# systemctl enable neutron-l3-agent.service
# systemctl start neutron-l3-agent.service
# systemctl restart neutron-l3-agent.service
IV. Install and configure the compute node (performed on 10.20.9.14)
1. Install the components:
# yum install openstack-neutron openstack-neutron-linuxbridge ebtables ipset
2. Configure the common components. The Networking common component configuration includes the authentication mechanism, message queue, and plug-in.
Edit the /etc/neutron/neutron.conf file and complete the following actions:
1.> In the [database] section, comment out any connection options, because compute nodes do not directly access the database.
2.> In the [DEFAULT] and [oslo_messaging_rabbit] sections, configure RabbitMQ message queue access:
[DEFAULT]
...
rpc_backend = rabbit
[oslo_messaging_rabbit]
...
rabbit_host = 10.20.9.13
rabbit_userid = openstack
rabbit_password = openstack
3.> In the [DEFAULT] and [keystone_authtoken] sections, configure Identity service access:
[DEFAULT]
...
auth_strategy = keystone
[keystone_authtoken]
...
auth_uri = http://10.20.9.13:5000
auth_url = http://10.20.9.13:35357
auth_plugin = password
project_domain_id = default
user_domain_id = default
project_name = service
username = neutron
password = neutron
4.> In the [oslo_concurrency] section, configure the lock path:
[oslo_concurrency]
...
lock_path = /var/lib/neutron/tmp
5.> To assist with troubleshooting, enable verbose logging in the [DEFAULT] section:
[DEFAULT]
...
verbose = True
3. Configure the Linux bridge agent
The Linux bridge agent builds layer-2 (bridging/switching) virtual networking infrastructure for instances, including VXLAN tunnels for private networks, and handles security groups.
Edit the /etc/neutron/plugins/ml2/linuxbridge_agent.ini file and complete the following actions:
1.> In the [linux_bridge] section, map the public virtual network to the public physical network interface (PUBLIC_INTERFACE_NAME is the name of that interface on this node):
[linux_bridge]
physical_interface_mappings = public:PUBLIC_INTERFACE_NAME
2.> In the [vxlan] section, enable VXLAN overlay networks, configure the IP address of the physical network interface that handles overlay networks, and enable layer-2 population:
[vxlan]
enable_vxlan = True
local_ip = OVERLAY_INTERFACE_IP_ADDRESS
l2_population = True
3.> In the [agent] section, enable ARP spoofing protection:
[agent]
...
prevent_arp_spoofing = True
4.> In the [securitygroup] section, enable security groups and configure the Linux bridge iptables firewall driver:
[securitygroup]
...
enable_security_group = True
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
4. Configure Compute to use Networking
Edit the /etc/nova/nova.conf file and complete the following actions:
1.> In the [neutron] section, configure access parameters:
[neutron]
...
url = http://10.20.9.13:9696
auth_url = http://10.20.9.13:35357
auth_plugin = password
project_domain_id = default
user_domain_id = default
region_name = RegionOne
project_name = service
username = neutron
password = neutron
5. Finalize installation
1.> Restart the Compute service:
# systemctl restart openstack-nova-compute.service
2.> Start the Linux bridge agent and configure it to start when the system boots:
# systemctl enable neutron-linuxbridge-agent.service
# systemctl start neutron-linuxbridge-agent.service
# systemctl restart neutron-linuxbridge-agent.service
6. Verify operation
Perform these commands on the controller node.
1.> Source the admin credentials to gain access to admin-only CLI commands:
# source admin-openrc.sh
2.> List the loaded extensions to verify that the neutron-server process launched successfully:
[root@Controller-Node ~]# openstack extension list --network
+----------------------------------------------------------+---------------------------+-----------------------------------------------------------+
| Name | Alias | Description |
+----------------------------------------------------------+---------------------------+-----------------------------------------------------------+
| Default Subnetpools | default-subnetpools | Provides ability to mark and use a subnetpool as the |
| | | default |
| Network IP Availability | network-ip-availability | Provides IP availability data for each network and |
| | | subnet. |
| Network Availability Zone | network_availability_zone | Availability zone support for network. |
| Auto Allocated Topology Services | auto-allocated-topology | Auto Allocated Topology Services. |
| Neutron L3 Configurable external gateway mode | ext-gw-mode | Extension of the router abstraction for specifying |
| | | whether SNAT should occur on the external gateway |
| Port Binding | binding | Expose port bindings of a virtual port to external |
| | | application |
| agent | agent | The agent management extension. |
| Subnet Allocation | subnet_allocation | Enables allocation of subnets from a subnet pool |
| L3 Agent Scheduler | l3_agent_scheduler | Schedule routers among l3 agents |
| Tag support | tag | Enables to set tag on resources. |
| Neutron external network | external-net | Adds external network attribute to network resource. |
| Neutron Service Flavors | flavors | Flavor specification for Neutron advanced services |
| Network MTU | net-mtu | Provides MTU attribute for a network resource. |
| Availability Zone | availability_zone | The availability zone extension. |
| Quota management support | quotas | Expose functions for quotas management per tenant |
| HA Router extension | l3-ha | Add HA capability to routers. |
| Provider Network | provider | Expose mapping of virtual networks to physical networks |
| Multi Provider Network | multi-provider | Expose mapping of virtual networks to multiple physical |
| | | networks |
| Address scope | address-scope | Address scopes extension. |
| Neutron Extra Route | extraroute | Extra routes configuration for L3 router |
| Subnet service types | subnet-service-types | Provides ability to set the subnet service_types field |
| Resource timestamps | standard-attr-timestamp | Adds created_at and updated_at fields to all Neutron |
| | | resources that have Neutron standard attributes. |
| Neutron Service Type Management | service-type | API for retrieving service providers for Neutron advanced |
| | | services |
| Router Flavor Extension | l3-flavors | Flavor support for routers. |
| Port Security | port-security | Provides port security |
| Neutron Extra DHCP opts | extra_dhcp_opt | Extra options configuration for DHCP. For example PXE |
| | | boot options to DHCP clients can be specified (e.g. tftp- |
| | | server, server-ip-address, bootfile-name) |
| Resource revision numbers | standard-attr-revisions | This extension will display the revision number of |
| | | neutron resources. |
| Pagination support | pagination | Extension that indicates that pagination is enabled. |
| Sorting support | sorting | Extension that indicates that sorting is enabled. |
| security-group | security-group | The security groups extension. |
| DHCP Agent Scheduler | dhcp_agent_scheduler | Schedule networks among dhcp agents |
| Router Availability Zone | router_availability_zone | Availability zone support for router. |
| RBAC Policies | rbac-policies | Allows creation and modification of policies that control |
| | | tenant access to resources. |
| Tag support for resources: subnet, subnetpool, port, | tag-ext | Extends tag support to more L2 and L3 resources. |
| router | | |
| standard-attr-description | standard-attr-description | Extension to add descriptions to standard attributes |
| Neutron L3 Router | router | Router abstraction for basic L3 forwarding between L2 |
| | | Neutron networks and access to external networks via a |
| | | NAT gateway. |
| Allowed Address Pairs | allowed-address-pairs | Provides allowed address pairs |
| project_id field enabled | project-id | Extension that indicates that project_id field is |
| | | enabled. |
| Distributed Virtual Router | dvr | Enables configuration of Distributed Virtual Routers. |
+----------------------------------------------------------+---------------------------+-----------------------------------------------------------+
[root@Controller-Node ~]#
3.> List the agents to verify that the neutron agents launched successfully:
[root@Controller-Node ~]# openstack network agent list
+--------------------------------------+--------------------+-----------------+-------------------+-------+-------+---------------------------+
| ID | Agent Type | Host | Availability Zone | Alive | State | Binary |
+--------------------------------------+--------------------+-----------------+-------------------+-------+-------+---------------------------+
| 4cb8842e-f9bb-4c5b-9202-0f0de50b3308 | Linux bridge agent | Controller-Node | None | True | UP | neutron-linuxbridge-agent |
| 67c9e1bb-2e57-4984-9c53-c97f338fbeab | L3 agent | Controller-Node | nova | True | UP | neutron-l3-agent |
| b135bda1-dea3-4b04-bdac-c4977e74f0ef | Linux bridge agent | Compute-Node | None | True | UP | neutron-linuxbridge-agent |
| bfc6c4fb-8633-460e-9b1c-f6d827bf728b | Metadata agent | Controller-Node | None | True | UP | neutron-metadata-agent |
| c67e45cc-bc96-4eea-8ab6-fc4c659e75c9 | DHCP agent | Controller-Node | nova | True | UP | neutron-dhcp-agent |
+--------------------------------------+--------------------+-----------------+-------------------+-------+-------+---------------------------+
[root@Controller-Node ~]#
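Reading the agent table by eye works for five rows; what you actually want to confirm is that every agent shows Alive True and State UP and that each node runs the agents this guide installed on it (the controller: Linux bridge, L3, DHCP and metadata agents; the compute node: a Linux bridge agent). The following added example, not part of the original guide, parses the table printed by `openstack network agent list` and fails with exit status 1 if any agent is dead or down and 2 if an expected agent is missing; `check_agents` and the "type@host" list format are conventions chosen here, and the embedded table is the one from the output above so the check runs offline.

```shell
#!/bin/sh
# Added example (not from the original guide): check the output of
# `openstack network agent list` for dead agents and missing agents.

# check_agents EXPECTED: reads the table on stdin and prints one line per agent.
# EXPECTED is a ';'-separated list of "Agent Type@Host" pairs that must be present.
# Exit status: 0 all good, 1 some agent is not Alive/UP, 2 an expected agent is missing.
check_agents() {
    awk -F'|' -v EXPECTED="$1" '
        # data rows start with "| <uuid>"; the header and +---- borders do not
        /^\| [0-9a-f]+-[0-9a-f]+-/ {
            for (i = 2; i <= 8; i++) gsub(/^[ \t]+|[ \t]+$/, "", $i)
            type = $3; host = $4; alive = $6; state = $7
            printf "%-20s %-16s alive=%s state=%s\n", type, host, alive, state
            if (alive != "True" || state != "UP") bad++
            present[type "@" host] = 1
        }
        END {
            n = split(EXPECTED, want, ";")
            for (i = 1; i <= n; i++)
                if (!(want[i] in present)) { print "MISSING: " want[i]; missing++ }
            if (bad) exit 1
            if (missing) exit 2
        }'
}

# The agents this guide deploys, by node
EXPECTED_AGENTS='Linux bridge agent@Controller-Node;L3 agent@Controller-Node;DHCP agent@Controller-Node;Metadata agent@Controller-Node;Linux bridge agent@Compute-Node'

# Constructed sample: the table from the verification step above
SAMPLE_AGENT_TABLE='+--------------------------------------+--------------------+-----------------+-------------------+-------+-------+---------------------------+
| ID                                   | Agent Type         | Host            | Availability Zone | Alive | State | Binary                    |
+--------------------------------------+--------------------+-----------------+-------------------+-------+-------+---------------------------+
| 4cb8842e-f9bb-4c5b-9202-0f0de50b3308 | Linux bridge agent | Controller-Node | None              | True  | UP    | neutron-linuxbridge-agent |
| 67c9e1bb-2e57-4984-9c53-c97f338fbeab | L3 agent           | Controller-Node | nova              | True  | UP    | neutron-l3-agent          |
| b135bda1-dea3-4b04-bdac-c4977e74f0ef | Linux bridge agent | Compute-Node    | None              | True  | UP    | neutron-linuxbridge-agent |
| bfc6c4fb-8633-460e-9b1c-f6d827bf728b | Metadata agent     | Controller-Node | None              | True  | UP    | neutron-metadata-agent    |
| c67e45cc-bc96-4eea-8ab6-fc4c659e75c9 | DHCP agent         | Controller-Node | nova              | True  | UP    | neutron-dhcp-agent        |
+--------------------------------------+--------------------+-----------------+-------------------+-------+-------+---------------------------+'

# run_sample: offline demonstration on the embedded table
run_sample() { printf '%s\n' "$SAMPLE_AGENT_TABLE" | check_agents "$EXPECTED_AGENTS"; }

# On the controller (after sourcing admin-openrc.sh) you would instead run:
#   openstack network agent list | check_agents "$EXPECTED_AGENTS"
run_sample
```

An agent that stays Alive False after a restart almost always means the node cannot reach RabbitMQ with the credentials in its neutron.conf, so check the [oslo_messaging_rabbit] values on that node before anything else; an agent that is absent entirely usually has not been enabled and started (section III step 4, section IV step 5).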