1. Introduction to Neutron
Neutron is the name Quantum received when it was renamed. It inherits Quantum's powerful capabilities and adds several new features.
Neutron's features:
- Provides a tenant-facing API for controlling layer-2 networks and managing IP addresses
- Supports pluggable network components such as Open vSwitch, Cisco, Linux Bridge, Nicira NVP and others
- Supports overlapping IP addresses across different layer-2 networks
- Supports basic layer-3 forwarding and multiple routers
- Supports tunneling
- Supports multi-node deployment of the L3 agent and the DHCP agent, improving scalability and reliability
- Provides a load-balancing API
- Supports end-to-end IPSec VPN
- Tenant-facing firewall service
- Provides a new plugin, ML2, which acts as a framework that supports different layer-2 network technologies at the same time
OpenStack's design philosophy is to register every component as a service, and Neutron is the networking service. It abstracts networks, subnets, ports and routers, and virtual machines launched afterwards connect to this virtual network. The biggest benefit is that all of this is visualised in Horizon, so deploying or changing an SDN becomes very simple; someone without specialist knowledge can do it after a little training.
Let us first walk through a simple flow to see how an instance connects to a network:
- The tenant creates a network, say mynet
- The tenant assigns a subnet to this network, for example 192.168.122.0/24
- The tenant launches an instance and specifies a NIC attached to mynet
- Nova notifies Neutron and creates a port on mynet, say port1
- Neutron selects and assigns an IP to port1
- The instance is now connected to mynet through port1
Neutron consists mainly of the following parts.
Neutron Server: this part contains the neutron-server daemon and the various neutron-*-plugin plugins; they can be installed on either the control node or the network node. neutron-server exposes the API and hands each API call to the configured plugin for further processing. The plugin needs database access to maintain the configuration data and their relationships, such as routers, networks, subnets, ports, floating IPs, security groups and so on.
Plugin Agent: packets on the virtual network are handled by these plugin agents, named neutron-*-agent, which run on every compute node and network node. In general, the plugin you choose determines the agent you need. Agents communicate with the Neutron Server and its plugin through the message queue.
DHCP Agent: named neutron-dhcp-agent, it provides DHCP service to the tenant networks and is deployed on the network node; all plugins use this same agent.
L3 Agent: named neutron-l3-agent, it provides layer-3 forwarding so that instances can reach external networks. It is also deployed on the network node.
Below is a diagram from the official site showing how Neutron works:
2. Install and configure the control node
Database configuration
The database server itself was configured in an earlier part.
Create the ``neutron`` database:
CREATE DATABASE neutron;
Grant proper access to the ``neutron`` database, replacing ``NEUTRON_DBPASS`` with a suitable password. The password we use is: neutron
mysql> GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'localhost' \
  IDENTIFIED BY 'NEUTRON_DBPASS';
mysql> GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'%' \
  IDENTIFIED BY 'NEUTRON_DBPASS';
Load the admin credentials
[root@linux-node1 ~]# source admin-openstack
List the users
[root@linux-node1 ~]# openstack user list
+----------------------------------+---------+
| ID                               | Name    |
+----------------------------------+---------+
| 8dc6f28207b64e6d845a444a2ba18205 | glance  |
| b84c1614b79b40278e02bd6ed034cc6f | admin   |
| c0f9c52898ad4d4f88254a01c458eb27 | neutron |
| db596da4ed8f47ab9dc7fa77d3bc8c6c | nova    |
| e5dbdde24a7340edb8bd3f498f9d28b5 | cinder  |
| f0c69bad72b54e0daef92c2295425932 | demo    |
+----------------------------------+---------+
Networking option 1
Install the service components for networking option 1
[root@linux-node1 ~]# yum install openstack-neutron openstack-neutron-ml2 \
> openstack-neutron-linuxbridge ebtables
Edit the configuration file /etc/neutron/neutron.conf
In the ``[database]`` section, configure database access:
connection = mysql+pymysql://neutron:neutron@192.168.56.11/neutron
In the ``[DEFAULT]`` section, enable the ML2 plugin and disable the other plugins:
core_plugin = ml2
service_plugins =
In the ``[DEFAULT]`` section, configure ``RabbitMQ`` message queue access:
transport_url = rabbit://openstack:[email protected]
In the ``[DEFAULT]`` and ``[keystone_authtoken]`` sections, configure Identity service access:
[DEFAULT]
auth_strategy = keystone
[keystone_authtoken]
auth_uri = http://192.168.56.11:5000
auth_url = http://192.168.56.11:35357
memcached_servers = 192.168.56.11:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = neutron
password = neutron
In the ``[DEFAULT]`` and ``[nova]`` sections, configure Networking to notify Compute of network topology changes:
[DEFAULT]
notify_nova_on_port_status_changes = true
notify_nova_on_port_data_changes = true
[nova]
auth_url = http://192.168.56.11:35357
auth_type = password
project_domain_name = default
user_domain_name = default
region_name = RegionOne
project_name = service
username = nova
password = nova
In the ``[oslo_concurrency]`` section, configure the lock path:
lock_path = /var/lib/neutron/tmp
The resulting configuration:
[root@linux-node1 ~]# egrep -v '^$|#' /etc/neutron/neutron.conf
[DEFAULT]
auth_strategy = keystone
core_plugin = ml2
service_plugins =
notify_nova_on_port_status_changes = true
notify_nova_on_port_data_changes = true
transport_url = rabbit://openstack:[email protected]
[agent]
[cors]
[cors.subdomain]
[database]
connection = mysql+pymysql://neutron:neutron@192.168.56.11/neutron
[keystone_authtoken]
auth_uri = http://192.168.56.11:5000
auth_url = http://192.168.56.11:35357
memcached_servers = 192.168.56.11:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = neutron
password = neutron
[matchmaker_redis]
[nova]
auth_url = http://192.168.56.11:35357
auth_type = password
project_domain_name = default
user_domain_name = default
region_name = RegionOne
project_name = service
username = nova
password = nova
[oslo_concurrency]
lock_path = /var/lib/neutron/tmp
[oslo_messaging_amqp]
[oslo_messaging_notifications]
[oslo_messaging_rabbit]
[oslo_messaging_zmq]
[oslo_middleware]
[oslo_policy]
[qos]
[quotas]
[ssl]
Configure the Modular Layer 2 (ML2) plugin
The ML2 plugin uses the Linux bridge mechanism to build the layer-2 virtual networking infrastructure for instances.
Edit the ``/etc/neutron/plugins/ml2/ml2_conf.ini`` file and complete the following actions:
In the ``[ml2]`` section, enable flat and VLAN networks (the configuration below enables every available type driver):
type_drivers = local,flat,vlan,gre,vxlan,geneve
In the ``[ml2]`` section, disable self-service (private) networks:
tenant_network_types =
In the ``[ml2]`` section, enable the Linux bridge mechanism:
mechanism_drivers = linuxbridge
In the ``[ml2]`` section, enable the port security extension driver:
extension_drivers = port_security
In the ``[ml2_type_flat]`` section, configure the public virtual network as a flat network:
flat_networks = public
In the ``[securitygroup]`` section, enable ipset to make security group handling more convenient:
enable_ipset = true
The resulting configuration file:
[root@linux-node1 ~]# egrep -vn '^$|#' /etc/neutron/plugins/ml2/ml2_conf.ini
1:[DEFAULT]
101:[ml2]
109:type_drivers = local,flat,vlan,gre,vxlan,geneve
114:tenant_network_types =
118:mechanism_drivers = linuxbridge
123:extension_drivers = port_security
150:[ml2_type_flat]
159:flat_networks = public
162:[ml2_type_geneve]
180:[ml2_type_gre]
191:[ml2_type_vlan]
204:[ml2_type_vxlan]
220:[securitygroup]
236:enable_ipset = true
Configure the Linux bridge agent
The Linux bridge agent builds the layer-2 virtual networking infrastructure for instances and handles security group rules.
Edit the ``/etc/neutron/plugins/ml2/linuxbridge_agent.ini`` file and complete the following actions:
In the ``[linux_bridge]`` section, map the public virtual network to the public physical network interface:
physical_interface_mappings = public:eth0
In the ``[vxlan]`` section, disable VXLAN overlay networks:
enable_vxlan = false
In the ``[securitygroup]`` section, enable security groups and configure the Linux bridge iptables firewall driver:
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
enable_security_group = true
The resulting configuration:
[root@linux-node1 ml2]# egrep -vn '^$|#' /etc/neutron/plugins/ml2/linuxbridge_agent.ini
1:[DEFAULT]
101:[agent]
132:[linux_bridge]
143:physical_interface_mappings = public:eth0
149:[securitygroup]
157:firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
161:enable_security_group = true
168:[vxlan]
176:enable_vxlan = false
Configure the DHCP agent
Edit the ``/etc/neutron/dhcp_agent.ini`` file and complete the following actions:
In the ``[DEFAULT]`` section, configure the Linux bridge interface driver and the Dnsmasq DHCP driver, and enable isolated metadata so that instances on the public network can reach the metadata service over the network:
[root@linux-node1 neutron]# egrep -vn '^$|#' /etc/neutron/dhcp_agent.ini
1:[DEFAULT]
16:interface_driver = neutron.agent.linux.interface.BridgeInterfaceDriver
32:dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq
41:enable_isolated_metadata = true
195:[AGENT]
Configure the metadata agent
Edit the ``/etc/neutron/metadata_agent.ini`` file and complete the following actions:
In the ``[DEFAULT]`` section, configure the metadata host and the shared secret:
[root@linux-node1 neutron]# egrep -vn '^$|#' /etc/neutron/metadata_agent.ini
1:[DEFAULT]
22:nova_metadata_ip = 192.168.56.11
34:metadata_proxy_shared_secret = krik
173:[AGENT]
188:[cache]
Configure the Compute service to use the Networking service
Edit the ``/etc/nova/nova.conf`` file and complete the following actions:
In the ``[neutron]`` section, configure the access parameters, enable the metadata proxy and set the shared secret:
url = http://192.168.56.11:9696
auth_url = http://192.168.56.11:35357
auth_type = password
project_domain_name = default
user_domain_name = default
region_name = RegionOne
project_name = service
username = neutron
password = neutron
service_metadata_proxy = True
metadata_proxy_shared_secret = krik
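An added cross-check of the settings edited above, written for this page and not part of the original post or of Neutron: it parses constructed stand-ins for ml2_conf.ini, linuxbridge_agent.ini, metadata_agent.ini and nova.conf with Python's configparser and flags a missing port_security extension driver, disabled security groups or a non-iptables firewall driver, and a metadata_proxy_shared_secret that differs between metadata_agent.ini and nova.conf, the mismatch that makes the metadata service reject every instance request. The sample nova.conf deliberately carries the wrong secret so the check has something to find.

```python
import configparser

# Constructed stand-ins for the files the walkthrough edits. Values mirror the
# post except that nova.conf carries a deliberately mismatched shared secret.
ML2_CONF = """
[ml2]
extension_drivers = port_security
"""
LINUXBRIDGE_AGENT = """
[securitygroup]
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
enable_security_group = true
"""
METADATA_AGENT = """
[DEFAULT]
metadata_proxy_shared_secret = krik
"""
NOVA_CONF = """
[neutron]
service_metadata_proxy = True
metadata_proxy_shared_secret = KRIK
"""


def parse(text):
    # oslo.config files are plain INI; interpolation off so a '%' in a secret stays literal
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def check(ml2, lb_agent, md_agent, nova):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    ml2c, lbc, mdc, novac = (parse(t) for t in (ml2, lb_agent, md_agent, nova))
    drivers = [d.strip() for d in ml2c.get("ml2", "extension_drivers", fallback="").split(",")]
    if "port_security" not in drivers:
        findings.append("ml2_conf.ini: port_security extension driver is not enabled")
    if not lbc.getboolean("securitygroup", "enable_security_group", fallback=False):
        findings.append("linuxbridge_agent.ini: security groups are disabled")
    if not lbc.get("securitygroup", "firewall_driver", fallback="").endswith("IptablesFirewallDriver"):
        findings.append("linuxbridge_agent.ini: firewall_driver is not the iptables driver")
    # [DEFAULT] is configparser's defaults section, so it is read through defaults()
    md_secret = mdc.defaults().get("metadata_proxy_shared_secret", "")
    nova_secret = novac.get("neutron", "metadata_proxy_shared_secret", fallback="")
    if not md_secret:
        findings.append("metadata_agent.ini: metadata_proxy_shared_secret is empty")
    elif md_secret != nova_secret:
        findings.append("metadata_proxy_shared_secret differs between metadata_agent.ini and nova.conf")
    return findings


if __name__ == "__main__":
    for finding in check(ML2_CONF, LINUXBRIDGE_AGENT, METADATA_AGENT, NOVA_CONF):
        print("WARN:", finding)
```

To run it against a real node, read the four files from /etc/neutron and /etc/nova instead of the embedded strings.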
The Networking service initialization scripts expect a symbolic link ``/etc/neutron/plugin.ini`` pointing to the ML2 plugin configuration file ``/etc/neutron/plugins/ml2/ml2_conf.ini``. If the link does not exist, create it with the following command:
[root@linux-node1 neutron]# ln -s /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini
Populate the database (note that two configuration files are passed here):
[root@linux-node1 neutron]# su -s /bin/sh -c "neutron-db-manage --config-file /etc/neutron/neutron.conf \
> --config-file /etc/neutron/plugins/ml2/ml2_conf.ini upgrade head" neutron
The migration output ends with OK when the database sync succeeds; if it fails, check the related configuration files for errors.
Restart the Compute API service; nova.conf was modified, so the Nova service must be restarted:
systemctl restart openstack-nova-api.service
Start the Networking services and configure them to start when the system boots:
systemctl enable neutron-server.service neutron-linuxbridge-agent.service neutron-dhcp-agent.service neutron-metadata-agent.service
systemctl start neutron-server.service neutron-linuxbridge-agent.service neutron-dhcp-agent.service neutron-metadata-agent.service
For networking option 2, also enable the layer-3 service and configure it to start at boot:
# systemctl enable neutron-l3-agent.service
# systemctl start neutron-l3-agent.service
Create the ``neutron`` service entity:
[root@linux-node1 ~]# openstack service create --name neutron --description "Openstack Networking" network
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Openstack Networking |
| enabled | True |
| id | 18da8703415b42fb93e68e71e001b408 |
| name | neutron |
| type | network |
+-------------+----------------------------------+
Create the Networking service API endpoints:
[root@linux-node1 ~]# openstack endpoint create --region RegionOne network public http://192.168.56.11:9696
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | b7c88b5a10d845dc9c2327f307e5a130 |
| interface    | public                           |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 18da8703415b42fb93e68e71e001b408 |
| service_name | neutron                          |
| service_type | network                          |
| url          | http://192.168.56.11:9696        |
+--------------+----------------------------------+
[root@linux-node1 ~]# openstack endpoint create --region RegionOne network internal http://192.168.56.11:9696
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | b11dbe35a00444ceae5a776f09794f73 |
| interface    | internal                         |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 18da8703415b42fb93e68e71e001b408 |
| service_name | neutron                          |
| service_type | network                          |
| url          | http://192.168.56.11:9696        |
+--------------+----------------------------------+
[root@linux-node1 ~]# openstack endpoint create --region RegionOne network admin http://192.168.56.11:9696
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | aae6d242e3984cdbaccb1ad91f3ccf13 |
| interface    | admin                            |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 18da8703415b42fb93e68e71e001b408 |
| service_name | neutron                          |
| service_type | network                          |
| url          | http://192.168.56.11:9696        |
+--------------+----------------------------------+
Verify the network agents
Three smiley faces in the alive column mean success:
[root@linux-node1 ~]# neutron agent-list
+--------------------------------------+--------------------+-------------+-------------------+-------+----------------+---------------------------+
| id                                   | agent_type         | host        | availability_zone | alive | admin_state_up | binary                    |
+--------------------------------------+--------------------+-------------+-------------------+-------+----------------+---------------------------+
| 030154d2-c9ad-4af1-91db-ea1bf01bb99f | Metadata agent     | linux-node1 |                   | :-)   | True           | neutron-metadata-agent    |
| 27e1ee2f-6224-4a79-b3a5-ad0f46e59c4a | DHCP agent         | linux-node1 | nova              | :-)   | True           | neutron-dhcp-agent        |
| f0b914bc-ab5b-4304-89a6-29d36d809705 | Linux bridge agent | linux-node1 |                   | :-)   | True           | neutron-linuxbridge-agent |
+--------------------------------------+--------------------+-------------+-------------------+-------+----------------+---------------------------+
Next we continue with the Neutron configuration of the compute node.