[root@controller ~]# mysql -uroot
MariaDB [(none)]> CREATE DATABASE neutron;
Query OK, 1 row affected (0.000 sec)
The login password for the neutron database is NEUTRON_DBPASS:
MariaDB [(none)]> GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'localhost' IDENTIFIED BY 'NEUTRON_DBPASS';
Query OK, 0 rows affected (0.001 sec)
MariaDB [(none)]> GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'%' IDENTIFIED BY 'NEUTRON_DBPASS';
Query OK, 0 rows affected (0.000 sec)
Create the OpenStack user neutron in the default domain with password NEUTRON_PASS; it is used for authentication against keystone
[root@controller ~]# openstack user create --domain default --password NEUTRON_PASS neutron
Its role is admin, in the service project
[root@controller ~]# openstack role add --project service --user neutron admin
Create the neutron service entity, of type network
[root@controller ~]# openstack service create --name neutron --description "OpenStack Networking" network
[root@controller ~]# openstack endpoint create --region RegionOne network public http://192.168.112.146:9696
[root@controller ~]# openstack endpoint create --region RegionOne network internal http://192.168.112.146:9696
[root@controller ~]# openstack endpoint create --region RegionOne network admin http://192.168.112.146:9696
[root@controller ~]# yum install openstack-neutron openstack-neutron-ml2 openstack-neutron-linuxbridge ebtables conntrack-tools -y
Notes:
openstack-neutron: the neutron-server package
openstack-neutron-ml2: the ML2 plugin package
openstack-neutron-linuxbridge: the packages for the Linux bridge network provider
ebtables: firewall-related package, used for iptables rules
Trim the neutron.conf configuration file (keep only non-empty, non-comment lines)
[root@controller ~]# cp -a /etc/neutron/neutron.conf{,.bak}
[root@controller ~]# grep -Ev '^$|#' /etc/neutron/neutron.conf.bak > /etc/neutron/neutron.conf
Set the MySQL connection string (user neutron, password NEUTRON_DBPASS, database neutron on the controller)
openstack-config --set /etc/neutron/neutron.conf database connection mysql+pymysql://neutron:NEUTRON_DBPASS@192.168.112.146/neutron
Set the layer-2 core plugin to ML2
openstack-config --set /etc/neutron/neutron.conf DEFAULT core_plugin ml2
Set the layer-3 service plugin to router
openstack-config --set /etc/neutron/neutron.conf DEFAULT service_plugins router
Configure the RabbitMQ connection (RABBIT_PASS is a placeholder: substitute the password of the openstack user in RabbitMQ)
openstack-config --set /etc/neutron/neutron.conf DEFAULT transport_url rabbit://openstack:RABBIT_PASS@192.168.112.146
Set the authentication strategy to keystone
openstack-config --set /etc/neutron/neutron.conf DEFAULT auth_strategy keystone
Notify the compute service when a port's status changes
openstack-config --set /etc/neutron/neutron.conf DEFAULT notify_nova_on_port_status_changes true
Notify the compute service when port data changes
openstack-config --set /etc/neutron/neutron.conf DEFAULT notify_nova_on_port_data_changes true
Configure the keystone public authentication URL (www_authenticate_uri)
openstack-config --set /etc/neutron/neutron.conf keystone_authtoken www_authenticate_uri http://192.168.112.146:5000
Configure the keystone authentication URL used by the service itself (auth_url)
openstack-config --set /etc/neutron/neutron.conf keystone_authtoken auth_url http://192.168.112.146:5000
Memcached server address
openstack-config --set /etc/neutron/neutron.conf keystone_authtoken memcached_servers 192.168.112.146:11211
Authentication type: password
openstack-config --set /etc/neutron/neutron.conf keystone_authtoken auth_type password
The project's domain is default
openstack-config --set /etc/neutron/neutron.conf keystone_authtoken project_domain_name default
The user's domain is default
openstack-config --set /etc/neutron/neutron.conf keystone_authtoken user_domain_name default
The project used for authentication is service
openstack-config --set /etc/neutron/neutron.conf keystone_authtoken project_name service
The username used for authentication is neutron
openstack-config --set /etc/neutron/neutron.conf keystone_authtoken username neutron
The authentication password: NEUTRON_PASS
openstack-config --set /etc/neutron/neutron.conf keystone_authtoken password NEUTRON_PASS
Configure the lock path
openstack-config --set /etc/neutron/neutron.conf oslo_concurrency lock_path /var/lib/neutron/tmp
neutron needs to send data back to nova, so configure the [nova] section, starting with nova's authentication URL:
openstack-config --set /etc/neutron/neutron.conf nova auth_url http://192.168.112.146:5000
Set nova's authentication type
openstack-config --set /etc/neutron/neutron.conf nova auth_type password
Set nova's project domain to default
openstack-config --set /etc/neutron/neutron.conf nova project_domain_name default
Set nova's user domain to default
openstack-config --set /etc/neutron/neutron.conf nova user_domain_name default
Set nova's region name
openstack-config --set /etc/neutron/neutron.conf nova region_name RegionOne
Set nova's project name to service
openstack-config --set /etc/neutron/neutron.conf nova project_name service
Set nova's username to nova
openstack-config --set /etc/neutron/neutron.conf nova username nova
Set nova's password to NOVA_PASS
openstack-config --set /etc/neutron/neutron.conf nova password NOVA_PASS
Trim the ml2_conf.ini configuration file:
[root@controller ~]# cp -a /etc/neutron/plugins/ml2/ml2_conf.ini{,.bak}
[root@controller ~]# grep -Ev '^$|#' /etc/neutron/plugins/ml2/ml2_conf.ini.bak > /etc/neutron/plugins/ml2/ml2_conf.ini
Configure the type drivers: flat (a single bridged network), vlan and vxlan, so that layer-2 networks support bridging and VLAN-based subnetting
openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini ml2 type_drivers flat,vlan,vxlan
Tenant (self-service) network type
openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini ml2 tenant_network_types vxlan
Enable the Linuxbridge and l2population mechanism drivers (l2population simplifies the communication topology and reduces network broadcasts):
openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini ml2 mechanism_drivers linuxbridge,l2population
Enable the port security extension driver, which enforces access control with iptables; note that the extended security groups impose port restrictions that can keep some services from starting
openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini ml2 extension_drivers port_security
Configure the public (provider) virtual network as a flat network
openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini ml2_type_flat flat_networks provider
Configure the VXLAN network identifier (VNI) range for private networks
openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini ml2_type_vxlan vni_ranges 1:1000
Enable ipset to make security group rules easier to handle
openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini securitygroup enable_ipset true
Trim the linuxbridge_agent.ini configuration file:
[root@controller ~]# cp -a /etc/neutron/plugins/ml2/linuxbridge_agent.ini{,.bak}
[root@controller ~]# grep -Ev '^$|#' /etc/neutron/plugins/ml2/linuxbridge_agent.ini.bak > /etc/neutron/plugins/ml2/linuxbridge_agent.ini
Configure the physical NIC mapping: provider is the name of the physical network available on this node (the name is arbitrary), and physical_interface_mappings ties that name to the physical NIC the network uses. The part after the colon is the physical NIC for that name.
openstack-config --set /etc/neutron/plugins/ml2/linuxbridge_agent.ini linux_bridge physical_interface_mappings provider:ens33
Allow users to create their own networks (layer-3 self-service networks)
openstack-config --set /etc/neutron/plugins/ml2/linuxbridge_agent.ini vxlan enable_vxlan true
Enable security groups and configure the Linux bridge iptables firewall driver
openstack-config --set /etc/neutron/plugins/ml2/linuxbridge_agent.ini securitygroup enable_security_group true
openstack-config --set /etc/neutron/plugins/ml2/linuxbridge_agent.ini securitygroup firewall_driver neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
Controller node IP address
openstack-config --set /etc/neutron/plugins/ml2/linuxbridge_agent.ini vxlan local_ip 192.168.112.146
openstack-config --set /etc/neutron/plugins/ml2/linuxbridge_agent.ini vxlan l2_population true
echo 'net.bridge.bridge-nf-call-iptables=1' >> /etc/sysctl.conf
echo 'net.bridge.bridge-nf-call-ip6tables=1' >> /etc/sysctl.conf
Load the br_netfilter module into the kernel, then apply the sysctl parameters
modprobe br_netfilter
sysctl -p
Trim the l3_agent.ini configuration file
cp -a /etc/neutron/l3_agent.ini{,.bak}
grep -Ev '^$|#' /etc/neutron/l3_agent.ini.bak > /etc/neutron/l3_agent.ini
Interface driver: linuxbridge
openstack-config --set /etc/neutron/l3_agent.ini DEFAULT interface_driver linuxbridge
Trim the dhcp_agent.ini configuration file:
cp -a /etc/neutron/dhcp_agent.ini{,.bak}
grep -Ev '^$|#' /etc/neutron/dhcp_agent.ini.bak > /etc/neutron/dhcp_agent.ini
Set the default interface driver to the Linux bridge
openstack-config --set /etc/neutron/dhcp_agent.ini DEFAULT interface_driver linuxbridge
Specify the DHCP driver
openstack-config --set /etc/neutron/dhcp_agent.ini DEFAULT dhcp_driver neutron.agent.linux.dhcp.Dnsmasq
Enable isolated metadata
openstack-config --set /etc/neutron/dhcp_agent.ini DEFAULT enable_isolated_metadata true
Trim the metadata_agent.ini configuration file:
[root@controller ~]# cp -a /etc/neutron/metadata_agent.ini{,.bak}
[root@controller ~]# grep -Ev '^$|#' /etc/neutron/metadata_agent.ini.bak > /etc/neutron/metadata_agent.ini
openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT nova_metadata_host controller
openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT metadata_proxy_shared_secret METADATA_SECRET
Modify the nova.conf configuration file, adding neutron's information so that nova can talk to neutron:
openstack-config --set /etc/nova/nova.conf neutron url http://192.168.112.146:9696
openstack-config --set /etc/nova/nova.conf neutron auth_url http://192.168.112.146:5000
openstack-config --set /etc/nova/nova.conf neutron auth_type password
openstack-config --set /etc/nova/nova.conf neutron project_domain_name default
openstack-config --set /etc/nova/nova.conf neutron user_domain_name default
openstack-config --set /etc/nova/nova.conf neutron region_name RegionOne
openstack-config --set /etc/nova/nova.conf neutron project_name service
openstack-config --set /etc/nova/nova.conf neutron username neutron
openstack-config --set /etc/nova/nova.conf neutron password NEUTRON_PASS
openstack-config --set /etc/nova/nova.conf neutron service_metadata_proxy true
openstack-config --set /etc/nova/nova.conf neutron metadata_proxy_shared_secret METADATA_SECRET
The networking service initialization scripts expect /etc/neutron/plugin.ini to be a symbolic link pointing to the ML2 plugin configuration file
ln -s /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini
su -s /bin/sh -c "neutron-db-manage --config-file /etc/neutron/neutron.conf \
  --config-file /etc/neutron/plugins/ml2/ml2_conf.ini upgrade head" neutron
systemctl restart openstack-nova-api.service
Enable the following four neutron sub-services at boot and start them:
[root@ct ~]# systemctl enable neutron-server.service \
neutron-linuxbridge-agent.service neutron-dhcp-agent.service \
neutron-metadata-agent.service
[root@ct ~]# systemctl start neutron-server.service \
neutron-linuxbridge-agent.service neutron-dhcp-agent.service \
neutron-metadata-agent.service
Check that the neutron services have started. Because the layer-3 (L3) network service was configured, the L3 agent has to be started as well:
[root@ct ~]# systemctl enable neutron-l3-agent.service
[root@ct ~]# systemctl restart neutron-l3-agent.service
ipset: an iptables extension that lets a rule match a set of addresses instead of a single IP
[root@compute01 ~]# yum install openstack-neutron-linuxbridge ebtables ipset conntrack-tools -y
Trim the neutron.conf configuration file
[root@compute01 ~]# cp -a /etc/neutron/neutron.conf{,.bak}
[root@compute01 ~]# grep -Ev '^$|#' /etc/neutron/neutron.conf.bak > /etc/neutron/neutron.conf
RabbitMQ connection (RABBIT_PASS is a placeholder: substitute the password of the openstack user in RabbitMQ)
openstack-config --set /etc/neutron/neutron.conf DEFAULT transport_url rabbit://openstack:RABBIT_PASS@192.168.112.146
openstack-config --set /etc/neutron/neutron.conf DEFAULT auth_strategy keystone
openstack-config --set /etc/neutron/neutron.conf keystone_authtoken www_authenticate_uri http://192.168.112.146:5000
openstack-config --set /etc/neutron/neutron.conf keystone_authtoken auth_url http://192.168.112.146:5000
openstack-config --set /etc/neutron/neutron.conf keystone_authtoken memcached_servers 192.168.112.146:11211
openstack-config --set /etc/neutron/neutron.conf keystone_authtoken auth_type password
openstack-config --set /etc/neutron/neutron.conf keystone_authtoken project_domain_name default
openstack-config --set /etc/neutron/neutron.conf keystone_authtoken user_domain_name default
openstack-config --set /etc/neutron/neutron.conf keystone_authtoken project_name service
openstack-config --set /etc/neutron/neutron.conf keystone_authtoken username neutron
openstack-config --set /etc/neutron/neutron.conf keystone_authtoken password NEUTRON_PASS
openstack-config --set /etc/neutron/neutron.conf oslo_concurrency lock_path /var/lib/neutron/tmp
Trim the linuxbridge_agent.ini configuration file:
cp -a /etc/neutron/plugins/ml2/linuxbridge_agent.ini{,.bak}
grep -Ev '^$|#' /etc/neutron/plugins/ml2/linuxbridge_agent.ini.bak > /etc/neutron/plugins/ml2/linuxbridge_agent.ini
openstack-config --set /etc/neutron/plugins/ml2/linuxbridge_agent.ini linux_bridge physical_interface_mappings provider:ens33
openstack-config --set /etc/neutron/plugins/ml2/linuxbridge_agent.ini vxlan enable_vxlan true
Compute node IP
openstack-config --set /etc/neutron/plugins/ml2/linuxbridge_agent.ini vxlan local_ip 192.168.112.145
openstack-config --set /etc/neutron/plugins/ml2/linuxbridge_agent.ini vxlan l2_population true
openstack-config --set /etc/neutron/plugins/ml2/linuxbridge_agent.ini securitygroup enable_security_group true
openstack-config --set /etc/neutron/plugins/ml2/linuxbridge_agent.ini securitygroup firewall_driver neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
Allow VM traffic to leave through the physical host (bridged traffic is passed through iptables)
echo 'net.bridge.bridge-nf-call-iptables=1' >> /etc/sysctl.conf
echo 'net.bridge.bridge-nf-call-ip6tables=1' >> /etc/sysctl.conf
modprobe: loads a module into the kernel or removes one from it; modprobe -r removes a module
modprobe br_netfilter
sysctl -p
openstack-config --set /etc/nova/nova.conf neutron auth_url http://192.168.112.146:5000
openstack-config --set /etc/nova/nova.conf neutron auth_type password
openstack-config --set /etc/nova/nova.conf neutron project_domain_name default
openstack-config --set /etc/nova/nova.conf neutron user_domain_name default
openstack-config --set /etc/nova/nova.conf neutron region_name RegionOne
openstack-config --set /etc/nova/nova.conf neutron project_name service
openstack-config --set /etc/nova/nova.conf neutron username neutron
openstack-config --set /etc/nova/nova.conf neutron password NEUTRON_PASS
systemctl restart openstack-nova-compute.service
systemctl enable neutron-linuxbridge-agent.service
systemctl start neutron-linuxbridge-agent.service
[root@controller ~]# openstack extension list --network
[root@controller ~]# openstack network agent list
As the output shows, the controller node runs 4 Neutron sub-services and the compute node runs 1, and the State of each is Up.
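Once the agents report State Up, it is worth checking in one pass that the security-relevant keys set above actually landed in the files. The following audit script is an added example, not code from the original post: ini_get, expect, check_neutron_security and make_sample are hypothetical names, and the configuration tree it builds is constructed from the values in this post rather than read from a live node.

```shell
#!/bin/sh
# Added audit script (not from the original post): re-reads the files written above and checks
# their security-relevant keys. Function names are hypothetical; make_sample's tree is constructed.
set -u
# ini_get FILE SECTION KEY: print the value of KEY inside [SECTION], or nothing.
ini_get() {
  awk -v sec="[$2]" -v key="$3" '
    /^\[/ { in_sec = ($0 == sec); next }
    in_sec && $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
      sub(/^[^=]*=[[:space:]]*/, ""); print; exit }' "$1" 2>/dev/null
}
# expect FILE SECTION KEY VALUE: report a mismatch and mark the run as failed.
expect() {
  [ "$(ini_get "$1" "$2" "$3")" = "$4" ] ||
    { echo "FAIL: [$2] $3 should be '$4' in $1"; rc=1; }
}
# check_neutron_security NEUTRON_DIR NOVA_CONF: return 0 only if every check passes.
check_neutron_security() {
  rc=0; n=$1; lb="$1/plugins/ml2/linuxbridge_agent.ini"
  expect "$n/neutron.conf" DEFAULT auth_strategy keystone
  expect "$n/plugins/ml2/ml2_conf.ini" ml2 extension_drivers port_security
  expect "$lb" securitygroup enable_security_group true
  expect "$lb" securitygroup firewall_driver \
    neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
  # Metadata proxy secret: set, identical on both sides, and not the guide's placeholder.
  s1=$(ini_get "$n/metadata_agent.ini" DEFAULT metadata_proxy_shared_secret)
  s2=$(ini_get "$2" neutron metadata_proxy_shared_secret)
  { [ -n "$s1" ] && [ "$s1" = "$s2" ]; } ||
    { echo "FAIL: metadata_proxy_shared_secret empty or differs between neutron and nova"; rc=1; }
  [ "$s1" != METADATA_SECRET ] ||
    { echo "FAIL: metadata_proxy_shared_secret is still the METADATA_SECRET placeholder"; rc=1; }
  return "$rc"
}
# make_sample DIR NEUTRON_SECRET NOVA_SECRET: constructed config tree for a dry run.
make_sample() {
  mkdir -p "$1/neutron/plugins/ml2" "$1/nova"
  printf '[DEFAULT]\nauth_strategy = keystone\ncore_plugin = ml2\n' > "$1/neutron/neutron.conf"
  printf '[ml2]\nmechanism_drivers = linuxbridge,l2population\nextension_drivers = port_security\n' \
    > "$1/neutron/plugins/ml2/ml2_conf.ini"
  printf '[securitygroup]\nenable_security_group = true\nfirewall_driver = %s\n' \
    neutron.agent.linux.iptables_firewall.IptablesFirewallDriver > "$1/neutron/plugins/ml2/linuxbridge_agent.ini"
  printf '[DEFAULT]\nnova_metadata_host = controller\nmetadata_proxy_shared_secret = %s\n' "$2" \
    > "$1/neutron/metadata_agent.ini"
  printf '[neutron]\nservice_metadata_proxy = true\nmetadata_proxy_shared_secret = %s\n' "$3" \
    > "$1/nova/nova.conf"
}
# Dry run on the constructed tree (made-up secret); on a real node call check_neutron_security /etc/neutron /etc/nova/nova.conf
T=$(mktemp -d); make_sample "$T" Kq9vR2mZ Kq9vR2mZ
check_neutron_security "$T/neutron" "$T/nova/nova.conf" && echo "sample tree: all checks pass"
```

The last two checks are the ones most often missed: the metadata proxy secret must match in metadata_agent.ini and nova.conf, and the METADATA_SECRET string from the guide is a placeholder to replace, not a value to keep.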
Configure the neutron component's user, authentication and endpoints
Set up the provider network (bridged mode here)
① Configure the layer-2 network
② Configure the bridge (plugin)
③ Tune the kernel
④ Configure the bridge interface facing the outside
⑤ Modify the DHCP configuration (configuration file and agent)
⑥ Configure the bridge's integration with the internal components (configuration file and agent)
Configure the settings that connect neutron with nova