The Neutron core component gives users the ability to define networks in the cloud platform. It manages virtual network components, including Networks, Switches, Subnets and Routers, and also provides advanced network services such as Load Balance, Firewall and VPN. Neutron's components generally fall into the following four kinds:
1. Server: exposes the API to the outside and manages the database, etc.;
2. Plugins: manage the various agents in Neutron;
3. Agents: provide layer 2 and layer 3 network connectivity to virtual machines, handle the translation between logical and physical networks, and also offer some extension services. These include Layer 2 agents that provide layer 2 connectivity, such as Linux Bridge and OVS; Layer 3 agents that provide layer 3 IP and routing services, such as L3 and DHCP; and Miscellaneous agents that provide assorted services, such as Metadata;
4. Services: provide advanced network services, including the Routing Service for layer 3 routing; VPNaaS for VPN; LBaaS for load balancing, generally implemented on HAProxy; and FWaaS for firewalling, generally implemented on iptables.
A Neutron deployment generally uses three kinds of nodes: controller nodes, network nodes and compute nodes. The controller node usually runs Neutron Server and a Layer 2 agent, and the network node runs a Layer 2 agent and a Layer 3 agent. In most cases the controller and network roles are placed on the same node, so here we deploy both on the controller host. Compute nodes run a Layer 2 agent. The Layer 2 agent used in this deployment is Linux Bridge.
Create and configure the neutron database
mysql -u root -pwwwwww
CREATE DATABASE neutron;
GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'localhost' IDENTIFIED BY 'NEUTRON_DBPASS';
GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'%' IDENTIFIED BY 'NEUTRON_DBPASS';
Create the neutron user and add the admin role to it
openstack user create --domain default --password-prompt neutron
openstack role add --project service --user neutron admin
Create the neutron service
openstack service create --name neutron --description "OpenStack Networking" network
Create the neutron service API endpoints (CONTROLLER_HOSTNAME stands for the controller node's hostname)
openstack endpoint create --region RegionOne network public http://CONTROLLER_HOSTNAME:9696
openstack endpoint create --region RegionOne network internal http://CONTROLLER_HOSTNAME:9696
openstack endpoint create --region RegionOne network admin http://CONTROLLER_HOSTNAME:9696
The official installation guide describes the installation and configuration of two network architectures: the first is the Provider network, the second the Self-service network. The Provider network is the simplest architecture: it only allows instances to be attached to external networks and offers no private networks, routers, floating IPs and so on, and only the admin user or other privileged users can operate on networks. The Self-service network adds to the Provider network a layer 3 service that lets instances attach to private networks; the demo user and other unprivileged users can create and manage private networks that reach the external network through routers. This tutorial uses the second network configuration, set up as follows:
yum install openstack-neutron openstack-neutron-ml2 openstack-neutron-linuxbridge ebtables -y
Edit /etc/neutron/neutron.conf
cp /etc/neutron/neutron.conf /etc/neutron/neutron.conf.bak
vim /etc/neutron/neutron.conf
The content of /etc/neutron/neutron.conf is as follows (CONTROLLER_HOSTNAME stands for the controller node's hostname):
[DEFAULT]
core_plugin = ml2
service_plugins = router
allow_overlapping_ips = true
transport_url = rabbit://openstack:wwwwww@CONTROLLER_HOSTNAME
auth_strategy = keystone
notify_nova_on_port_status_changes = true
notify_nova_on_port_data_changes = true
[database]
# user and password must match the GRANT statements above; the RDO packages ship the PyMySQL driver
connection = mysql+pymysql://neutron:NEUTRON_DBPASS@CONTROLLER_HOSTNAME/neutron
[keystone_authtoken]
www_authenticate_uri = http://CONTROLLER_HOSTNAME:5000
# Keystone on Train serves only port 5000 (the compute-node section below uses the same port)
auth_url = http://CONTROLLER_HOSTNAME:5000
memcached_servers = CONTROLLER_HOSTNAME:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = neutron
password = neutron
[nova]
auth_url = http://CONTROLLER_HOSTNAME:5000
auth_type = password
project_domain_name = default
user_domain_name = default
region_name = RegionOne
project_name = service
username = nova
password = nova
[oslo_concurrency]
lock_path = /var/lib/neutron/tmp
The ML2 plug-in is a framework that allows OpenStack Networking to use, at the same time, the variety of layer 2 networking technologies found in complex real-world data centres.
Edit /etc/neutron/plugins/ml2/ml2_conf.ini, with the following content:
[ml2]
type_drivers = flat,vlan,vxlan
tenant_network_types = vxlan
mechanism_drivers = linuxbridge,l2population
extension_drivers = port_security
[ml2_type_flat]
flat_networks = provider
[ml2_type_vxlan]
vni_ranges = 1:1000
[securitygroup]
enable_ipset = true
The Linux bridge agent builds layer 2 virtual networks for instances and handles security group operations.
Edit /etc/neutron/plugins/ml2/linuxbridge_agent.ini, with the following content:
[linux_bridge]
# name of the physical NIC that carries the management IP (check with ifconfig)
physical_interface_mappings = provider:PROVIDER_INTERFACE_NAME
[vxlan]
enable_vxlan = true
local_ip = CONTROLLER_IP
l2_population = true
[securitygroup]
enable_security_group = true
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
The L3 agent provides routing and NAT services for Self-service virtual networks; its configuration file /etc/neutron/l3_agent.ini reads as follows:
[DEFAULT]
interface_driver = linuxbridge
The DHCP agent provides DHCP service to virtual networks; its configuration file /etc/neutron/dhcp_agent.ini reads as follows:
[DEFAULT]
interface_driver = linuxbridge
dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq
enable_isolated_metadata = true
The metadata agent provides configuration information to instances; its configuration file /etc/neutron/metadata_agent.ini is configured as follows:
[DEFAULT]
nova_metadata_host = CONTROLLER_HOSTNAME
metadata_proxy_shared_secret = METADATA_SECRET
Modify the following content in /etc/nova/nova.conf to use the Networking service (the shared secret must be the same value as in metadata_agent.ini above):
[neutron]
# ...
auth_url = http://CONTROLLER_HOSTNAME:5000
auth_type = password
project_domain_name = default
user_domain_name = default
region_name = RegionOne
project_name = service
username = neutron
password = neutron
service_metadata_proxy = true
metadata_proxy_shared_secret = METADATA_SECRET
The Networking service initialization scripts expect a symbolic link /etc/neutron/plugin.ini pointing to the ML2 plug-in configuration file /etc/neutron/plugins/ml2/ml2_conf.ini, so create the link as follows:
ln -s /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini
Populate the database
su -s /bin/sh -c "neutron-db-manage --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugins/ml2/ml2_conf.ini upgrade head" neutron
Restart the Compute service on the controller node
systemctl restart openstack-nova-api.service
Enable and start the Networking services on the controller node
systemctl enable neutron-server.service neutron-linuxbridge-agent.service neutron-dhcp-agent.service neutron-metadata-agent.service neutron-l3-agent.service
systemctl start neutron-server.service neutron-linuxbridge-agent.service neutron-dhcp-agent.service neutron-metadata-agent.service neutron-l3-agent.service
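As an added example (not part of the original post), the following Python check verifies that the controller-side files configured above agree with each other: the metadata shared secret in nova.conf and metadata_agent.ini, the service_metadata_proxy switch, and the Keystone auth_url in every section. The file names, hostname and secret values below are constructed placeholders, not the author's real ones.

```python
"""Added example: consistency checks for the controller config files on this page."""
import configparser

# Constructed inputs (not the author's real files): the metadata shared secret and
# one Keystone port are deliberately inconsistent so the checks report something.
CONFIGS = {
    "neutron.conf": """[keystone_authtoken]
auth_url = http://controller:5000
[nova]
auth_url = http://controller:35357
""",
    "metadata_agent.ini": """[DEFAULT]
metadata_proxy_shared_secret = METADATA_SECRET
""",
    "nova.conf": """[neutron]
auth_url = http://controller:5000
service_metadata_proxy = true
metadata_proxy_shared_secret = metadata_secret
""",
}

def load(text):
    # oslo.config files are INI-like; interpolation off so '%' in passwords stays literal
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp

def check_configs(configs):
    """Return a list of findings; an empty list means the files agree."""
    c = {name: load(text) for name, text in configs.items()}
    def get(fname, section, key):
        return c[fname].get(section, key, fallback="")
    findings = []
    # nova signs the X-Instance-ID header with this secret and the neutron metadata
    # proxy verifies the HMAC, so both files must hold exactly the same value
    if get("nova.conf", "neutron", "metadata_proxy_shared_secret") != \
            get("metadata_agent.ini", "DEFAULT", "metadata_proxy_shared_secret"):
        findings.append("metadata_proxy_shared_secret differs between nova.conf and metadata_agent.ini")
    if get("nova.conf", "neutron", "service_metadata_proxy").lower() != "true":
        findings.append("nova.conf [neutron] service_metadata_proxy is not true")
    # every auth_url should name the same Keystone endpoint (Train serves only :5000)
    urls = {get("neutron.conf", "keystone_authtoken", "auth_url"),
            get("neutron.conf", "nova", "auth_url"), get("nova.conf", "neutron", "auth_url")}
    if len(urls) != 1:
        findings.append("auth_url values disagree: %s" % sorted(urls))
    return findings

if __name__ == "__main__":
    for finding in check_configs(CONFIGS):
        print("FINDING:", finding)
```

To run it against a real deployment, replace the embedded strings with the contents read from the four files on the controller node.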
The compute node mainly handles the network connectivity and security groups of virtual machine instances; it is installed and configured as follows:
Install the components
yum install openstack-neutron-linuxbridge ebtables ipset -y
Modify the common component configuration file /etc/neutron/neutron.conf, with the following content (CONTROLLER_HOSTNAME stands for the controller node's hostname):
[DEFAULT]
transport_url = rabbit://openstack:wwwwww@CONTROLLER_HOSTNAME
auth_strategy = keystone
[keystone_authtoken]
www_authenticate_uri = http://CONTROLLER_HOSTNAME:5000
# Keystone on Train serves only port 5000 (the nova.conf section below uses the same port)
auth_url = http://CONTROLLER_HOSTNAME:5000
memcached_servers = CONTROLLER_HOSTNAME:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = neutron
password = neutron
[oslo_concurrency]
lock_path = /var/lib/neutron/tmp
The compute node's Linux bridge agent configuration file /etc/neutron/plugins/ml2/linuxbridge_agent.ini is configured as follows:
[linux_bridge]
# name of the physical NIC that carries this node's management IP
physical_interface_mappings = provider:PROVIDER_INTERFACE_NAME
[vxlan]
enable_vxlan = true
local_ip = COMPUTE_NODE_IP
l2_population = true
[securitygroup]
enable_security_group = true
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
Modify the following content in /etc/nova/nova.conf to use the Networking service (CONTROLLER_HOSTNAME stands for the controller node's hostname):
[neutron]
# ...
auth_url = http://控制节点主机名:5000
auth_type = password
project_domain_name = default
user_domain_name = default
region_name = RegionOne
project_name = service
username = neutron
password = neutron
systemctl restart openstack-nova-compute.service
systemctl enable neutron-linuxbridge-agent.service
systemctl start neutron-linuxbridge-agent.service
Official Neutron installation documentation: https://docs.openstack.org/neutron/train/install/compute-install-rdo.html