Neutron为整个 Openstack环境提供网络支持,包括二层交换,三层路由,负载均衡,防火墙和VPN等。 Neutron提供了一个灵活的框架,通过配置,无论是开源还是商业软件都可以被用来实现这些功能
参考 OpenStack组件之Neutron
Neutron控制节点安装与配置
[root@openstack ~]# mysql -u root -p
-- Database and DB account for the Neutron service.
CREATE DATABASE neutron;
-- '%' lets this account log in from ANY host; restrict it to the controller's
-- address(es) if MariaDB listens on the network. 'Admin@123' is only an example
-- value -- and because it contains '@', it has to be percent-encoded (%40) when
-- it is placed in the SQLAlchemy URL in neutron.conf.
CREATE USER neutron@'%' IDENTIFIED BY 'Admin@123';
Grant all privileges on neutron.* to 'neutron'@'%';
flush privileges;
[root@node-251 openstack]# source admin-openrc
[root@node-251 openstack]# openstack user create --domain default --password-prompt neutron
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | f4e5187c3aef4288b6b2d97c292a69a2 |
| enabled | True |
| id | 66f12e64adb7413f8dc218b6a9a1492a |
| name | neutron |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+
密码:123456(示例占位值。实际部署请使用足够长的随机密码,并保证与下文 neutron.conf 的 [keystone_authtoken] password、nova.conf 的 [neutron] password 一致。)
[root@node-251 openstack]# openstack role add --project service --user neutron admin
[root@node-251 openstack]# openstack service create --name neutron --description "OpenStack Networking" network
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | OpenStack Networking |
| enabled | True |
| id | c549d4fc33f44765b062f3eaf832aece |
| name | neutron |
| type | network |
+-------------+----------------------------------+
[root@node-251 openstack]# openstack endpoint create --region RegionOne network public http://openstack.if010.com:9696
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | a0be92af6bc64337a94c30aa22523070 |
| interface | public |
| region | RegionOne |
| region_id | RegionOne |
| service_id | c549d4fc33f44765b062f3eaf832aece |
| service_name | neutron |
| service_type | network |
| url | http://openstack.if010.com:9696 |
+--------------+----------------------------------+
[root@openstack ~]# yum install -y openstack-neutron openstack-neutron-ml2 openstack-neutron-linuxbridge ebtables
配置/etc/neutron/neutron.conf文件
[root@node-251 openstack]# egrep -v '^#|^$' /etc/neutron/neutron.conf
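[DEFAULT]
# Authentication is delegated to Keystone (settings in [keystone_authtoken]).
auth_strategy = keystone
# ML2 core plugin only; no service plugins (no L3 router, LB, VPN, ...).
core_plugin = ml2
service_plugins =
# Notify Nova of port status/data changes (uses the [nova] credentials below).
notify_nova_on_port_status_changes = True
notify_nova_on_port_data_changes = True
# RabbitMQ access. The password is the one from [oslo_messaging_rabbit] below;
# the original page rendered this URL as "[email protected]" (an extraction
# artifact), so confirm the host. rpc_backend is the deprecated legacy option;
# transport_url is the supported one.
transport_url = rabbit://openstack:1735e32955b2ef18362e@openstack.if010.com
rpc_backend = rabbit
[database]
# DB account created above with 'Admin@123'. An '@' inside the password must be
# percent-encoded (%40) in a SQLAlchemy URL or the URL is ambiguous. The example
# password is weak; use a long random one outside a lab.
connection = mysql+pymysql://neutron:Admin%40123@openstack.if010.com/neutron
[keystone_authtoken]
# Plain http: Keystone tokens and the service password below cross the network
# unencrypted. Put TLS in front of Keystone and use https:// URLs in production.
auth_uri = http://openstack.if010.com:5000
auth_url = http://openstack.if010.com:35357
memcached_servers = openstack.if010.com:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = neutron
# Must equal the password given to "openstack user create ... neutron" above.
# 123456 is a placeholder; this file holds secrets, so keep it readable only by
# root and the neutron service account.
password = 123456
[nova]
# Credentials Neutron uses to call the Nova API for the notifications above.
auth_url = http://openstack.if010.com:35357
auth_type = password
project_domain_name = default
user_domain_name = default
region_name = RegionOne
project_name = service
username = nova
password = 123456
[oslo_concurrency]
lock_path = /var/lib/neutron/tmp
[oslo_messaging_rabbit]
# Legacy rabbit_* options (deprecated in favour of transport_url). Note the host
# here is 127.0.0.1 while transport_url uses openstack.if010.com -- confirm both
# point at the same broker.
rabbit_host = 127.0.0.1
rabbit_port = 5672
rabbit_userid = openstack
rabbit_password = 1735e32955b2ef18362e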
配置ml2_conf.ini文件
[root@openstack ~]# vim /etc/neutron/plugins/ml2/ml2_conf.ini
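[ml2]
# Only flat and VLAN provider networks.
type_drivers = flat,vlan
# No self-service (tenant) networks.
tenant_network_types =
# Linux bridge mechanism driver.
mechanism_drivers = linuxbridge
# Port-security extension driver: this is what allows per-port MAC/IP
# anti-spoofing (the "port-security" / "allowed-address-pairs" extensions
# listed later by `openstack extension list --network`). Keep it enabled.
extension_drivers = port_security
[ml2_type_flat]
# The "provider" physical network is a flat network.
flat_networks = provider
[securitygroup]
# Use ipset so security-group rules are applied more efficiently.
enable_ipset = true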
配置linuxbridge_agent.ini文件
[root@openstack ~]# vim /etc/neutron/plugins/ml2/linuxbridge_agent.ini
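[linux_bridge]
# Map the "provider" physical network to this host's NIC. Replace ens33 with
# the interface name shown by `ip addr` (the original text still said "eth1").
physical_interface_mappings = provider:ens33
[securitygroup]
# Enforce security groups with the Linux bridge iptables firewall driver.
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
enable_security_group = true
[vxlan]
# No VXLAN overlay networks.
enable_vxlan = false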
配置dhcp_agent.ini文件
配置Linuxbridge驱动接口,DHCP驱动并启用隔离元数据,这样在公共网络上的实例就可以通过网络来访问元数据
[root@openstack ~]# vim /etc/neutron/dhcp_agent.ini
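[DEFAULT]
# Linux bridge interface driver with dnsmasq as the DHCP backend.
interface_driver = linuxbridge
dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq
# Serve the metadata address from the DHCP namespace so instances on the
# provider network can reach metadata without a router.
enable_isolated_metadata = true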
配置metadata_agent.ini文件
[root@openstack ~]# vim /etc/neutron/metadata_agent.ini
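[DEFAULT]
# Host running the Nova metadata API.
nova_metadata_host = openstack.if010.com
# Shared secret that authenticates this proxy to Nova; it must be identical to
# metadata_proxy_shared_secret in nova.conf. "neutron" is a guessable example --
# use a long random string (e.g. `openssl rand -hex 16`) on both sides.
metadata_proxy_shared_secret = neutron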
配置nova使用neutron服务
[root@openstack ~]# vim /etc/nova/nova.conf
[neutron]
# Neutron API endpoint and the Keystone credentials Nova uses to call it.
url = http://openstack.if010.com:9696
auth_url = http://openstack.if010.com:35357
auth_type = password
region_name = RegionOne
project_domain_name = default
user_domain_name = default
project_name = service
username = neutron
# Same value as [keystone_authtoken] password in neutron.conf (placeholder).
password = 123456
# Nova answers metadata requests forwarded by Neutron's proxy; the secret must
# equal metadata_proxy_shared_secret in metadata_agent.ini.
service_metadata_proxy = true
metadata_proxy_shared_secret = neutron
网络服务初始化脚本要求 /etc/neutron/plugin.ini 是指向 ML2 插件配置文件 /etc/neutron/plugins/ml2/ml2_conf.ini 的符号链接。如果此符号链接不存在,请使用以下命令创建它:
ln -s /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini
[root@openstack ~]# su -s /bin/sh -c "neutron-db-manage --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugins/ml2/ml2_conf.ini upgrade head" neutron
这步笔者尝试多次失败,如果是虚拟机运行,建议把内存调到4G,cpu 2个。
[root@openstack ~]# systemctl restart openstack-nova-api.service
[root@openstack ~]# systemctl enable neutron-server.service neutron-linuxbridge-agent.service neutron-dhcp-agent.service neutron-metadata-agent.service
[root@openstack ~]# systemctl start neutron-server.service neutron-linuxbridge-agent.service neutron-dhcp-agent.service neutron-metadata-agent.service
如果报错 Failed to start OpenStack Neutron Server.,原因多半不是中文本身,而是上面配置示例中写在值或节名后面的行内注释(如 `auth_strategy = keystone #...`、`[ml2_type_flat] #...`):oslo.config 只识别独占一行、以 # 或 ; 开头的注释,行内注释会被当作值的一部分或使节名非法。把注释移到单独的行(或删除)后再启动,并用 journalctl -u neutron-server 或 /var/log/neutron/server.log 查看具体报错。
计算节点安装与配置(以下在计算节点 openstack-node01 上执行)
yum install openstack-neutron-linuxbridge ebtables ipset
配置/etc/neutron/neutron.conf文件
[root@openstack-node01 ~]# vim /etc/neutron/neutron.conf
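[DEFAULT]
# RabbitMQ broker on the controller; the password is the one set in the
# controller's [oslo_messaging_rabbit]. The page rendered this URL as
# "[email protected]" (an extraction artifact) -- confirm the host.
transport_url = rabbit://openstack:1735e32955b2ef18362e@openstack.if010.com
auth_strategy = keystone
[keystone_authtoken]
# Plain http: tokens and the password below are sent unencrypted.
auth_uri = http://openstack.if010.com:5000
auth_url = http://openstack.if010.com:35357
memcached_servers = openstack.if010.com:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = neutron
# Same neutron service-user password as on the controller (placeholder value).
password = 123456
[oslo_concurrency]
lock_path = /var/lib/neutron/tmp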
配置linuxbridge_agent.ini文件
[root@openstack-node01 ~]# vim /etc/neutron/plugins/ml2/linuxbridge_agent.ini
[linux_bridge]
# Compute node NIC carrying the "provider" network; adjust ens33 to this host.
physical_interface_mappings = provider:ens33
[securitygroup]
# Security groups enforced via the iptables firewall driver.
enable_security_group = true
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
[vxlan]
# VXLAN overlay disabled, as on the controller.
enable_vxlan = false
配置计算服务使用网络服务
[root@openstack-node01 ~]# vim /etc/nova/nova.conf
[neutron]
# How nova-compute reaches the Neutron API (plain http -- see the controller
# notes about TLS) and which Keystone identity it authenticates with.
url = http://openstack.if010.com:9696
auth_url = http://openstack.if010.com:35357
auth_type = password
region_name = RegionOne
project_name = service
project_domain_name = default
user_domain_name = default
username = neutron
# Placeholder; must match the neutron service-user password.
password = 123456
重新启动计算服务
systemctl restart openstack-nova-compute.service
启动Linux桥接代理并将其配置为在系统引导时启动
[root@openstack-node01 ~]# systemctl enable neutron-linuxbridge-agent.service
[root@openstack-node01 ~]# systemctl start neutron-linuxbridge-agent.service
[root@node-251 openstack]# source admin-openrc
[root@node-251 openstack]# openstack network agent list
+--------------------------------------+--------------------+----------+-------------------+-------+-------+---------------------------+
| ID | Agent Type | Host | Availability Zone | Alive | State | Binary |
+--------------------------------------+--------------------+----------+-------------------+-------+-------+---------------------------+
| 83d493b0-95c7-47ca-b765-8c4adbeb3567 | Linux bridge agent | node-252 | None | :-) | UP | neutron-linuxbridge-agent |
| 8fb3be4a-347c-421e-8332-01bf75f829f3 | DHCP agent | node-251 | nova | :-) | UP | neutron-dhcp-agent |
| a46acb90-e92e-48e7-a473-50d7b7fcac6d | Metadata agent | node-251 | None | :-) | UP | neutron-metadata-agent |
+--------------------------------------+--------------------+----------+-------------------+-------+-------+---------------------------+
[root@node-251 openstack]# openstack extension list --network
+----------------------------------------------------------------------------------------------+---------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------+
| Name | Alias | Description |
+----------------------------------------------------------------------------------------------+---------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------+
| Default Subnetpools | default-subnetpools | Provides ability to mark and use a subnetpool as the default. |
| Network IP Availability | network-ip-availability | Provides IP availability data for each network and subnet. |
| Network Availability Zone | network_availability_zone | Availability zone support for network. |
| Network MTU (writable) | net-mtu-writable | Provides a writable MTU attribute for a network resource. |
| Port Binding | binding | Expose port bindings of a virtual port to external application |
| agent | agent | The agent management extension. |
| Subnet Allocation | subnet_allocation | Enables allocation of subnets from a subnet pool |
| DHCP Agent Scheduler | dhcp_agent_scheduler | Schedule networks among dhcp agents |
| Tag support | tag | Enables to set tag on resources. |
| Neutron external network | external-net | Adds external network attribute to network resource. |
| Neutron Service Flavors | flavors | Flavor specification for Neutron advanced services. |
| Network MTU | net-mtu | Provides MTU attribute for a network resource. |
| Availability Zone | availability_zone | The availability zone extension. |
| Quota management support | quotas | Expose functions for quotas management per tenant |
| Tag support for resources with standard attribute: trunk, policy, security_group, floatingip | standard-attr-tag | Enables to set tag on resources with standard attribute. |
| If-Match constraints based on revision_number | revision-if-match | Extension indicating that If-Match based on revision_number is supported. |
| Provider Network | provider | Expose mapping of virtual networks to physical networks |
| Multi Provider Network | multi-provider | Expose mapping of virtual networks to multiple physical networks |
| Quota details management support | quota_details | Expose functions for quotas usage statistics per project |
| Address scope | address-scope | Address scopes extension. |
| Subnet service types | subnet-service-types | Provides ability to set the subnet service_types field |
| Resource timestamps | standard-attr-timestamp | Adds created_at and updated_at fields to all Neutron resources that have Neutron standard attributes. |
| Neutron Service Type Management | service-type | API for retrieving service providers for Neutron advanced services |
| Tag support for resources: subnet, subnetpool, port, router | tag-ext | Extends tag support to more L2 and L3 resources. |
| Neutron Extra DHCP options | extra_dhcp_opt | Extra options configuration for DHCP. For example PXE boot options to DHCP clients can be specified (e.g. tftp-server, server-ip-address, bootfile-name) |
| Resource revision numbers | standard-attr-revisions | This extension will display the revision number of neutron resources. |
| Pagination support | pagination | Extension that indicates that pagination is enabled. |
| Sorting support | sorting | Extension that indicates that sorting is enabled. |
| security-group | security-group | The security groups extension. |
| RBAC Policies | rbac-policies | Allows creation and modification of policies that control tenant access to resources. |
| standard-attr-description | standard-attr-description | Extension to add descriptions to standard attributes |
| IP address substring filtering | ip-substring-filtering | Provides IP address substring filtering when listing ports |
| Port Security | port-security | Provides port security |
| Allowed Address Pairs | allowed-address-pairs | Provides allowed address pairs |
| project_id field enabled | project-id | Extension that indicates that project_id field is enabled. |
+----------------------------------------------------------------------------------------------+---------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------+
报错:Missing value auth-url required for auth plugin password,说明当前 shell 里没有 OS_AUTH_URL 等环境变量;
重新登录或重启后,执行 openstack 命令前需要重新加载环境变量
source admin-openrc
前文中提到Cinder和Swift对比,Cinder更像是我们使用的本地磁盘,这样说并不准确,但可以帮助理解。
控制节点安装与配置
[root@openstack ~]# mysql -u root -p
-- Database and DB account for the Cinder service.
CREATE DATABASE cinder;
-- '%' allows login from any host; restrict it to the controller if MariaDB is
-- reachable over the network. 'Admin@123' is an example password; the '@' in
-- it must be percent-encoded (%40) in the cinder.conf SQLAlchemy URL.
CREATE USER cinder@'%' IDENTIFIED BY 'Admin@123';
Grant all privileges on cinder.* to 'cinder'@'%';
flush privileges;
[root@openstack ~]# source admin-openrc
[root@node-251 openstack]# openstack user create --domain default --password-prompt cinder
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | f4e5187c3aef4288b6b2d97c292a69a2 |
| enabled | True |
| id | df16d750fd2b459dbe1fd28e59502456 |
| name | cinder |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+
密码:123456(示例占位值。实际部署请使用足够长的随机密码,并与下文 cinder.conf 的 [keystone_authtoken] password 保持一致。)
openstack role add --project service --user cinder admin
[root@node-251 openstack]# openstack service create --name cinder --description "OpenStack Block Storage" volume
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | OpenStack Block Storage |
| enabled | True |
| id | 053d01d8dd96456f83b525be597f30c3 |
| name | cinder |
| type | volume |
+-------------+----------------------------------+
[root@node-251 openstack]# openstack service create --name cinderv2 --description "OpenStack Block Storage" volumev2
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | OpenStack Block Storage |
| enabled | True |
| id | 251670d258ad4a3f86f392aada1787b9 |
| name | cinderv2 |
| type | volumev2 |
+-------------+----------------------------------+
[root@node-251 openstack]# openstack service create --name cinderv3 --description "OpenStack Block Storage" volumev3
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | OpenStack Block Storage |
| enabled | True |
| id | 6df298f2ba09454daf68e753b321466c |
| name | cinderv3 |
| type | volumev3 |
+-------------+----------------------------------+
[root@openstack ~]# openstack endpoint create --region RegionOne volume public http://openstack.if010.com:8776/v1/%\(tenant_id\)s
+--------------+--------------------------------------------------+
| Field | Value |
+--------------+--------------------------------------------------+
| enabled | True |
| id | 03fa2c90153546c295bf30ca86b1344b |
| interface | public |
| region | RegionOne |
| region_id | RegionOne |
| service_id | ab3bbbef780845a1a283490d281e7fda |
| service_name | cinder |
| service_type | volume |
| url | http://openstack.if010.com:8776/v1/%(tenant_id)s |
+--------------+-----------------------------------------+
[root@openstack ~]# openstack endpoint create --region RegionOne volume internal http://openstack.if010.com:8776/v1/%\(tenant_id\)s
+--------------+--------------------------------------------------+
| Field | Value |
+--------------+--------------------------------------------------+
| enabled | True |
| id | 94f684395d1b41068c70e4ecb11364b2 |
| interface | internal |
| region | RegionOne |
| region_id | RegionOne |
| service_id | ab3bbbef780845a1a283490d281e7fda |
| service_name | cinder |
| service_type | volume |
| url | http://openstack.if010.com:8776/v1/%(tenant_id)s |
+--------------+---------------------------------------------------+
[root@openstack ~]# openstack endpoint create --region RegionOne volume admin http://openstack.if010.com:8776/v1/%\(tenant_id\)s
+--------------+--------------------------------------------------+
| Field | Value |
+--------------+--------------------------------------------------+
| enabled | True |
| id | 4511c28a0f9840c78bacb25f10f62c98 |
| interface | admin |
| region | RegionOne |
| region_id | RegionOne |
| service_id | ab3bbbef780845a1a283490d281e7fda |
| service_name | cinder |
| service_type | volume |
| url | http://openstack.if010.com:8776/v1/%(tenant_id)s |
+--------------+--------------------------------------------------+
[root@openstack ~]# openstack endpoint create --region RegionOne volumev2 public http://openstack.if010.com:8776/v2/%\(tenant_id\)s
+--------------+--------------------------------------------------+
| Field | Value |
+--------------+--------------------------------------------------+
| enabled | True |
| id | 513e73819e14460fb904163f41ef3759 |
| interface | public |
| region | RegionOne |
| region_id | RegionOne |
| service_id | eb9fd245bdbc414695952e93f29fe3ac |
| service_name | cinderv2 |
| service_type | volumev2 |
| url | http://openstack.if010.com:8776/v2/%(tenant_id)s |
+--------------+--------------------------------------------------+
[root@openstack ~]# openstack endpoint create --region RegionOne volumev2 internal http://openstack.if010.com:8776/v2/%\(tenant_id\)s
+--------------+--------------------------------------------------+
| Field | Value |
+--------------+--------------------------------------------------+
| enabled | True |
| id | 513e73819e14460fb904163f41ef3759 |
| interface | internal |
| region | RegionOne |
| region_id | RegionOne |
| service_id | eb9fd245bdbc414695952e93f29fe3ac |
| service_name | cinderv2 |
| service_type | volumev2 |
| url | http://openstack.if010.com:8776/v2/%(tenant_id)s |
+--------------+--------------------------------------------------+
[root@openstack ~]# openstack endpoint create --region RegionOne volumev2 admin http://openstack.if010.com:8776/v2/%\(tenant_id\)s
+--------------+--------------------------------------------------+
| Field | Value |
+--------------+--------------------------------------------------+
| enabled | True |
| id | 513e73819e14460fb904163f41ef3759 |
| interface | admin |
| region | RegionOne |
| region_id | RegionOne |
| service_id | eb9fd245bdbc414695952e93f29fe3ac |
| service_name | cinderv2 |
| service_type | volumev2 |
| url | http://openstack.if010.com:8776/v2/%(tenant_id)s |
+--------------+--------------------------------------------------+
[root@openstack ~]# openstack endpoint create --region RegionOne volumev3 public http://openstack.if010.com:8776/v3/%\(tenant_id\)s
+--------------+--------------------------------------------------+
| Field | Value |
+--------------+--------------------------------------------------+
| enabled | True |
| id | 513e73819e14460fb904163f41ef3759 |
| interface | public |
| region | RegionOne |
| region_id | RegionOne |
| service_id | eb9fd245bdbc414695952e93f29fe3ac |
| service_name | cinderv3 |
| service_type | volumev3 |
| url | http://openstack.if010.com:8776/v2/%(tenant_id)s |
+--------------+--------------------------------------------------+
[root@openstack ~]# openstack endpoint create --region RegionOne volumev3 internal http://openstack.if010.com:8776/v3/%\(tenant_id\)s
+--------------+--------------------------------------------------+
| Field | Value |
+--------------+--------------------------------------------------+
| enabled | True |
| id | 513e73819e14460fb904163f41ef3759 |
| interface | internal |
| region | RegionOne |
| region_id | RegionOne |
| service_id | eb9fd245bdbc414695952e93f29fe3ac |
| service_name | cinderv3 |
| service_type | volumev3 |
| url | http://openstack.if010.com:8776/v2/%(tenant_id)s |
+--------------+--------------------------------------------------+
[root@openstack ~]# openstack endpoint create --region RegionOne volumev3 admin http://openstack.if010.com:8776/v3/%\(tenant_id\)s
+--------------+--------------------------------------------------+
| Field | Value |
+--------------+--------------------------------------------------+
| enabled | True |
| id | 513e73819e14460fb904163f41ef3759 |
| interface | admin |
| region | RegionOne |
| region_id | RegionOne |
| service_id | eb9fd245bdbc414695952e93f29fe3ac |
| service_name | cinderv3 |
| service_type | volumev3 |
| url | http://openstack.if010.com:8776/v2/%(tenant_id)s |
+--------------+--------------------------------------------------+
安装(注:上面 volumev3 的三条 endpoint create 回显中的 id 与 url(/v2/)与命令本身不符,应为复制粘贴所致;实际回显应为 /v3/ 路径及各自不同的 id,请以 `openstack endpoint list` 的实际输出为准。)
yum install -y openstack-cinder
配置/etc/cinder/cinder.conf文件
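[DEFAULT]
# Glance API used when creating volumes from images.
glance_api_servers = http://openstack.if010.com:9292
auth_strategy = keystone
enabled_backends = lvm
# Internal tenant Cinder uses for its own operations (e.g. the image-volume
# cache below): the "service" project ID and the "cinder" user ID. NOTE: the
# `openstack user create` output above shows the cinder user id as
# df16d750fd2b459dbe1fd28e59502456, not the value below -- verify with
# `openstack user show cinder`.
cinder_internal_tenant_project_id = 926b3127ab004702a50c969fa629022b
cinder_internal_tenant_user_id = de788c0a0f77469b9e8285052e50fd60
# RabbitMQ access; password from [oslo_messaging_rabbit] below. The page
# rendered this URL as "[email protected]" (an extraction artifact) -- confirm
# the host. rpc_backend is the deprecated legacy option.
transport_url = rabbit://openstack:1735e32955b2ef18362e@openstack.if010.com
rpc_backend = rabbit
# Management-interface IP of this node.
my_ip = 192.168.71.251
[database]
# '@' inside the DB password must be percent-encoded (%40) in the URL; the
# example password is weak.
connection = mysql+pymysql://cinder:Admin%40123@openstack.if010.com/cinder
[keystone_authtoken]
# Plain http: tokens and the password below cross the network unencrypted.
auth_uri = http://openstack.if010.com:5000
auth_url = http://openstack.if010.com:35357
memcached_servers = openstack.if010.com:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = cinder
# Password of the cinder service user (placeholder value); keep this file
# readable only by root and the cinder service account.
password = 123456
[oslo_concurrency]
lock_path = /var/lib/cinder/tmp
[oslo_messaging_rabbit]
# Legacy rabbit_* options; transport_url above is the supported form.
rabbit_host = openstack.if010.com
rabbit_port = 5672
rabbit_userid = openstack
rabbit_password = 1735e32955b2ef18362e
[lvm]
# LVM backend exporting volumes over iSCSI through LIO (lioadm / targetcli).
volume_driver = cinder.volume.drivers.lvm.LVMVolumeDriver
volume_group = cinder-volumes
iscsi_protocol = iscsi
iscsi_helper = lioadm
# Image-volume cache limits: total size in GB and number of cached volumes.
image_volume_cache_max_size_gb = 200
image_volume_cache_max_count = 50
image_volume_cache_enabled = True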
配置nova使用cinder模块
[root@openstack ~]# vim /etc/nova/nova.conf
[cinder]
# Region in which Nova looks up the volume endpoints from the catalog.
os_region_name = RegionOne
su -s /bin/sh -c "cinder-manage db sync" cinder
systemctl restart openstack-nova-api.service
[root@openstack ~]# systemctl enable openstack-cinder-api.service openstack-cinder-scheduler.service
[root@openstack ~]# systemctl start openstack-cinder-api.service openstack-cinder-scheduler.service
如果虚拟机磁盘不足,添加磁盘,可参考 SECTION 10 逻辑卷管理
创建LVM物理卷
[root@openstack ~]# pvcreate /dev/sdb
创建LVM卷组cinder-volumes
[root@openstack ~]# vgcreate cinder-volumes /dev/sdb
[root@openstack ~]# vim /etc/lvm/lvm.conf
devices {
...
# Accept only /dev/sdb for LVM scanning and reject every other device (the
# usual purpose is to stop the host from scanning the volumes Cinder creates).
# If the operating system itself lives on LVM (e.g. a default CentOS root on
# /dev/sda), that disk must ALSO be accepted here ("a/sda/") or the host will
# not boot.
filter = [ "a/sdb/", "r/.*/"]
}
yum install -y openstack-cinder targetcli python-keystone
配置/etc/cinder/cinder.conf文件
[root@openstack ~]# vim /etc/cinder/cinder.conf
[DEFAULT]
# Volume node: only the LVM backend is enabled; Glance is needed for
# image-to-volume operations.
enabled_backends = lvm
glance_api_servers = http://openstack.if010.com:9292
[lvm]
# LVM driver on the cinder-volumes VG, exported over iSCSI via LIO.
volume_driver = cinder.volume.drivers.lvm.LVMVolumeDriver
volume_group = cinder-volumes
iscsi_protocol = iscsi
iscsi_helper = lioadm
[oslo_concurrency]
lock_path = /var/lib/cinder/tmp
[root@openstack ~]# systemctl enable openstack-cinder-volume.service target.service
[root@openstack ~]# systemctl start openstack-cinder-volume.service target.service
[root@node-251 openstack]# cinder service-list
+------------------+--------------+------+---------+-------+----------------------------+-----------------+
| Binary | Host | Zone | Status | State | Updated_at | Disabled Reason |
+------------------+--------------+------+---------+-------+----------------------------+-----------------+
| cinder-scheduler | node-251 | nova | enabled | up | 2023-06-07T10:15:54.000000 | - |
| cinder-volume | node-251@lvm | nova | enabled | up | 2023-06-07T10:15:46.000000 | - |
+------------------+--------------+------+---------+-------+----------------------------+-----------------+