八、OpenStack服务-Neutron（控制节点）

本章目录

1、概述
2、架构
3、安装配置控制节点

一、概述

OpenStack Networking（neutron），允许创建、插入接口设备，这些设备由其他的OpenStack服务管理。插件式的实现可以容纳不同的网络设备和软件，为OpenStack架构与部署提供了灵活性。

它包含下列组件：

• neutron-server 端口（9696） api：接受和响应外部的网络管理请求

  接收和路由API请求到合适的OpenStack网络插件，以达到预想的目的。

• OpenStack网络插件和代理

  插拔端口，创建网络和子网，以及提供IP地址，这些插件和代理依赖于供应商和技术而不同，OpenStack网络基于插件和代理为Cisco 虚拟和物理交换机、NEC OpenFlow产品，Open vSwitch,Linux bridging以及VMware NSX 产品穿线搭桥。 常见的代理L3(3层)，DHCP(动态主机IP地址)，以及插件代理。

• 消息队列

  大多数的OpenStack Networking安装都会用到，用于在neutron-server和各种各样的代理进程间路由信息。也为某些特定的插件扮演数据库的角色，以存储网络状态

• neutron-linuxbridge-agent： 负责创建桥接网卡

• neutron-dhcp-agent： 负责分配IP

• neutron-metadata-agent： 配合nova-metadata-api实现虚拟机的定制化操作

• L3-agent 实现三层网络vxlan（网络层）

• LBaaS load balance 及服务（阿里云SLB）

OpenStack网络主要和OpenStack计算交互，以提供网络连接到它的实例。

二、架构

Neutron.jpg

三、安装配置Neutron

1、创建数据库并授权

1、创建数据库
# mysql
MariaDB [(none)]> CREATE DATABASE neutron;

2、授权
MariaDB [(none)]> GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'localhost' \
  IDENTIFIED BY 'neutron';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'%' \
  IDENTIFIED BY 'neutron';

[root@controller ~]# mysql -uneutron -pneutron -e "show databases;"
+--------------------+
| Database           |
+--------------------+
| information_schema |
| neutron            |
+--------------------+

2、创建用户neutron、关联角色

1、创建neutron用户
[root@controller ~]# . admin-openrc 
[root@controller ~]# openstack user create --domain default --password-prompt neutron
User Password:neutron
Repeat User Password:neutron
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | default                          |
| enabled             | True                             |
| id                  | a5781b4f2eea4f4087d3bd2a1cef6414 |
| name                | neutron                          |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+
[root@controller ~]# openstack user list
+----------------------------------+-----------+
| ID                               | Name      |
+----------------------------------+-----------+
| 0221fe3a18ea4ea9b64895e797bc1bde | nova      |
| 08c32e88c1d646858e1100c670c2e572 | placement |
| 5ef623f55b92487da237bd9e7643244c | glance    |
| 6db0c82dd4634dbbbc3262604f31994f | admin     |
| aa7e9c8d70314df78b6d893dc5627bca | cinder    |
| bb498f4063da46b3be938754dedaa8d3 | myuser    |
| e9b2c5558d4d4a038f6cd929d4e48fcb | neutron   |
+----------------------------------+-----------+
2、添加``admin`` 角色到``neutron`` 用户：
[root@controller ~]# openstack role add --project service --user neutron admin

3、创建neutron服务项目

 [root@controller ~]# openstack service create --name neutron \
   --description "OpenStack Networking" network
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | OpenStack Networking             |
| enabled     | True                             |
| id          | 60dafde0841847c3a21542cc55f1f0e8 |
| name        | neutron                          |
| type        | network                          |
+-------------+----------------------------------+

4、创建网络服务api端点endpoint

[root@controller ~]# openstack endpoint create --region RegionOne \
  network public http://controller:9696
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 85d80a6d02fc4b7683f611d7fc1493a3 |
| interface    | public                           |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | f71529314dab4a4d8eca427e701d209e |
| service_name | neutron                          |
| service_type | network                          |
| url          | http://controller:9696           |
+--------------+----------------------------------+

[root@controller ~]# openstack endpoint create --region RegionOne \
  network internal http://controller:9696
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 09753b537ac74422a68d2d791cf3714f |
| interface    | internal                         |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | f71529314dab4a4d8eca427e701d209e |
| service_name | neutron                          |
| service_type | network                          |
| url          | http://controller:9696           |
+--------------+----------------------------------+

[root@controller ~]# openstack endpoint create --region RegionOne \
  network admin http://controller:9696
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 1ee14289c9374dffb5db92a5c112fc4e |
| interface    | admin                            |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | f71529314dab4a4d8eca427e701d209e |
| service_name | neutron                          |
| service_type | network                          |
| url          | http://controller:9696           |
+--------------+----------------------------------+

检查
[root@controller ~]# openstack user list
+----------------------------------+-----------+
| ID                               | Name      |
+----------------------------------+-----------+
| 0221fe3a18ea4ea9b64895e797bc1bde | nova      |
| 08c32e88c1d646858e1100c670c2e572 | placement |
| 5ef623f55b92487da237bd9e7643244c | glance    |
| 6db0c82dd4634dbbbc3262604f31994f | admin     |
| bb498f4063da46b3be938754dedaa8d3 | myuser    |
| e9b2c5558d4d4a038f6cd929d4e48fcb | neutron   |
+----------------------------------+-----------+

[root@host157_node1 ~]# openstack service list
+----------------------------------+-----------+-----------+
| ID                               | Name      | Type      |
+----------------------------------+-----------+-----------+
| 60dafde0841847c3a21542cc55f1f0e8 | neutron   | network   |
| 654777c6bd1547bb839df4d2459eaf26 | nova      | compute   |
| a62cb64d8e3f44f5b4665c18f87dae88 | placement | placement |
| b9548ac6836c423e98ad347ce2fe22bf | keystone  | identity  |
| c287094b556c44b5b72438eccebd9726 | glance    | image     |
+----------------------------------+-----------+-----------+
[root@host157_node1 ~]# openstack endpoint list

5、安装服务及相关软件

• 选择公共网络

安装服务：
[root@controller ~]# yum install openstack-neutron openstack-neutron-ml2 \
   openstack-neutron-linuxbridge ebtables
   
#注释
#eatables类似于iptables

6、修改配置文件

总修改六个配置文件：

• /etc/neutron/neutron.conf
• /etc/neutron/plugins/ml2/ml2_conf.ini
• /etc/neutron/plugins/ml2/linuxbridge_agent.ini
• /etc/neutron/dhcp_agent.ini
• /etc/neutron/metadata_agent.ini
• 修改nova配置文件/etc/nova/nova.conf

6.1、修改配置文件/etc/neutron/neutron.conf

1）连接数据库
[database]
# ...
connection = mysql+pymysql://neutron:neutron@controller/neutron


2）配置核心插件和服务插件，rabbit配置
[DEFAULT]
# ...
core_plugin = ml2   #选择ml2后边就要配置ml2
service_plugins =   #2层网络不需要配置服务插件，3层网路需要

transport_url = rabbit://openstack:openstack@controller
3）使用keystone认证
[DEFAULT]
# ...
auth_strategy = keystone

4）配置keystone
[keystone_authtoken]
# ...
www_authenticate_uri = http://controller:5000
auth_url = http://controller:5000
memcached_servers = controller:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = neutron
password = neutron

5）端口状态或者数据发生改变要通知nova，并且配置nova
[DEFAULT]
# ...
notify_nova_on_port_status_changes = true
notify_nova_on_port_data_changes = true

[nova]
# ...
auth_url = http://controller:5000
auth_type = password
project_domain_name = default
user_domain_name = default
region_name = RegionOne
project_name = service
username = nova
password = nova

6) 锁路径
[oslo_concurrency]
# ...
lock_path = /var/lib/neutron/tmp

支持自动化配置的软件：
# yum -y install openstack-utils.noarch
a:/etc/neutron/neutron.conf

cp -a /etc/neutron/neutron.conf{,.bak}
grep '^[a-z\[]' /etc/neutron/neutron.conf.bak >/etc/neutron/neutron.conf

openstack-config --set /etc/neutron/neutron.conf DEFAULT core_plugin ml2
openstack-config --set /etc/neutron/neutron.conf DEFAULT service_plugins
openstack-config --set /etc/neutron/neutron.conf DEFAULT auth_strategy  keystone
openstack-config --set /etc/neutron/neutron.conf DEFAULT notify_nova_on_port_status_changes  true
openstack-config --set /etc/neutron/neutron.conf DEFAULT notify_nova_on_port_data_changes  true
openstack-config --set /etc/neutron/neutron.conf DEFAULT transport_url  rabbit://openstack:openstack@controller
openstack-config --set /etc/neutron/neutron.conf database connection  mysql+pymysql://neutron:neutron@controller/neutron
openstack-config --set /etc/neutron/neutron.conf keystone_authtoken www_authenticate_uri  http://controller:5000
openstack-config --set /etc/neutron/neutron.conf keystone_authtoken auth_url  http://controller:5000
openstack-config --set /etc/neutron/neutron.conf keystone_authtoken memcached_servers  controller:11211
openstack-config --set /etc/neutron/neutron.conf keystone_authtoken auth_type  password
openstack-config --set /etc/neutron/neutron.conf keystone_authtoken project_domain_name  default
openstack-config --set /etc/neutron/neutron.conf keystone_authtoken user_domain_name  default
openstack-config --set /etc/neutron/neutron.conf keystone_authtoken project_name  service
openstack-config --set /etc/neutron/neutron.conf keystone_authtoken username  neutron
openstack-config --set /etc/neutron/neutron.conf keystone_authtoken password  neutron
openstack-config --set /etc/neutron/neutron.conf nova auth_url  http://controller:5000
openstack-config --set /etc/neutron/neutron.conf nova auth_type  password
openstack-config --set /etc/neutron/neutron.conf nova project_domain_name  default
openstack-config --set /etc/neutron/neutron.conf nova user_domain_name  default
openstack-config --set /etc/neutron/neutron.conf nova region_name  RegionOne
openstack-config --set /etc/neutron/neutron.conf nova project_name  service
openstack-config --set /etc/neutron/neutron.conf nova username  nova
openstack-config --set /etc/neutron/neutron.conf nova password  nova
openstack-config --set /etc/neutron/neutron.conf oslo_concurrency lock_path  /var/lib/neutron/tmp

查看一下修改了配置文件的那些内容：
[root@controller ~]# cat /etc/neutron/neutron.conf
[DEFAULT]
core_plugin = ml2
service_plugins = 
auth_strategy = keystone
notify_nova_on_port_status_changes = true
notify_nova_on_port_data_changes = true
[agent]
[cors]
[database]
connection = mysql+pymysql://neutron:neutron@controller/neutron
[keystone_authtoken]
www_authenticate_uri = http://controller:5000
memcached_servers = controller:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = neutron
password = neutron
[matchmaker_redis]
[nova]
auth_url = http://controller:5000
auth_type = password
project_domain_name = default
user_domain_name = default
region_name = RegionOne
project_name = service
username = nova
password = nova
[oslo_concurrency]
lock_path = /var/lib/neutron/tmp
[oslo_messaging_amqp]
[oslo_messaging_kafka]
[oslo_messaging_notifications]
[oslo_messaging_rabbit]
[oslo_messaging_zmq]
[oslo_middleware]
[oslo_policy]
[quotas]
[ssl]

6.2 修改ML2配置文件

etc/neutron/plugins/ml2/ml2_conf.ini
（因为前文配置文件指定了ML2网路，所以要修改ml2配置文件，ML2代表osi7层模型中的数据链路层）

vim /etc/neutron/plugins/ml2/ml2_conf.ini
1)驱动类型
[ml2]
# ...
type_drivers = flat,vlan

2）租户的网络类型（禁用私有网络）
[ml2]
# ...
tenant_network_types =

3）启用linuxbridge机制（网络虚拟化机制）
#linuxbridge：出现时间早，特别成熟，功能较少，稳定，配置简单（一般没有特别要求，选则此网络虚拟化机制）
#openvswitch：出现时间晚，功能比较多，稳定性不如linuxbridge，配置复杂
[ml2]
# ...
mechanism_drivers = linuxbridge

4）扩展驱动或者插件
[ml2]
# ...
extension_drivers = port_security

5）扁平网络，配置公共虚拟网络为flat网络
[ml2_type_flat]
# ...
flat_networks = provider

6）启用ipset增加安全组规则的高效性
[securitygroup]
# ...
enable_ipset = true

自动化实现：
b:/etc/neutron/plugins/ml2/ml2_conf.ini
cp -a /etc/neutron/plugins/ml2/ml2_conf.ini{,.bak}
grep '^[a-z\[]' /etc/neutron/plugins/ml2/ml2_conf.ini.bak >/etc/neutron/plugins/ml2/ml2_conf.ini

openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini ml2 type_drivers  flat,vlan
openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini ml2 tenant_network_types
openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini ml2 mechanism_drivers  linuxbridge
openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini ml2 extension_drivers  port_security
openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini ml2_type_flat flat_networks  provider
openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini securitygroup enable_ipset  true


查看：
[root@controller ~]# grep '^[a-Z]' /etc/neutron/plugins/ml2/ml2_conf.ini 
type_drivers = local,flat,vlan,gre,vxlan,geneve
tenant_network_types = 
mechanism_drivers = linuxbridge
extension_drivers = port_security
flat_networks = provider
enable_ipset = true

[root@controller ~]# cat /etc/neutron/plugins/ml2/ml2_conf.ini
[DEFAULT]
[l2pop]
[ml2]
type_drivers = flat,vlan
tenant_network_types = 
mechanism_drivers = linuxbridge
extension_drivers = port_security
[ml2_type_flat]
flat_networks = provider
[ml2_type_geneve]
[ml2_type_gre]
[ml2_type_vlan]
[ml2_type_vxlan]
[securitygroup]
enable_ipset = true

6.3 配置linuxbridge代理：

修改/etc/neutron/plugins/ml2/linuxbridge_agent.ini

[root@controller ~]# vim /etc/neutron/plugins/ml2/linuxbridge_agent.ini 
1、将公共虚拟网络和公共物理网络接口对应起来：
[linux_bridge]
physical_interface_mappings = provider:PROVIDER_INTERFACE_NAME

2、禁用VXLAN覆盖网络
[vxlan]
enable_vxlan = false

3、启用安全组配置Linuxbridge iptables firewall driver：
[securitygroup]
# ...
enable_security_group = true
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver


自动化实现：
c:/etc/neutron/plugins/ml2/linuxbridge_agent.ini
cp -a /etc/neutron/plugins/ml2/linuxbridge_agent.ini{,.bak}
grep '^[a-z\[]' /etc/neutron/plugins/ml2/linuxbridge_agent.ini.bak >/etc/neutron/plugins/ml2/linuxbridge_agent.ini

openstack-config --set /etc/neutron/plugins/ml2/linuxbridge_agent.ini linux_bridge physical_interface_mappings  provider:eth0
openstack-config --set /etc/neutron/plugins/ml2/linuxbridge_agent.ini vxlan enable_vxlan  false
openstack-config --set /etc/neutron/plugins/ml2/linuxbridge_agent.ini securitygroup enable_security_group  true
openstack-config --set /etc/neutron/plugins/ml2/linuxbridge_agent.ini securitygroup firewall_driver  neutron.agent.linux.iptables_firewall.IptablesFirewallDriver

[root@controller ~]# cat /etc/neutron/plugins/ml2/linuxbridge_agent.ini
[DEFAULT]
[agent]
[linux_bridge]
physical_interface_mappings = provider:eth0
[network_log]
[securitygroup]
enable_security_group = true
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
[vxlan]
enable_vxlan = false

[root@controller ~]# grep '^[a-Z]' /etc/neutron/plugins/ml2/linuxbridge_agent.ini 
physical_interface_mappings = provider:ens33     #网卡映射
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver #开启防火墙驱动
enable_security_group = true
enable_vxlan = false

Ensure your Linux operating system kernel supports network bridge filters
by verifying all the following sysctl values are set to 1

net.bridge.bridge-nf-call-iptables
net.bridge.bridge-nf-call-ip6tables

执行：
[root@controller ~]# vim /etc/sysctl.conf 
[root@controller ~]# sysctl -p
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1

[root@controller ~]# lsmod|grep bridge
bridge                151336  1 br_netfilter
stp                    12976  1 bridge
llc                    14552  2 stp,bridge

To enable networking bridge support, typically the br_netfilter kernel
module needs to be loaded. Check your operating system’s documentation for
additional details on enabling this module.

6.4 DHCP的配置文件

修改 /etc/neutron/dhcp_agent.ini

[root@controller ~]# vim /etc/neutron/dhcp_agent.ini 
[DEFAULT]
# ...
interface_driver = linuxbridge
dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq    # #Dnsmasq轻量的管理dhcp和dns的小工具
enable_isolated_metadata = true

自动化：
d:/etc/neutron/dhcp_agent.ini

cp -a /etc/neutron/dhcp_agent.ini{,.bak}
grep -Ev '^$|#' /etc/neutron/dhcp_agent.ini.bak >/etc/neutron/dhcp_agent.ini
openstack-config --set /etc/neutron/dhcp_agent.ini DEFAULT interface_driver  linuxbridge
openstack-config --set /etc/neutron/dhcp_agent.ini DEFAULT dhcp_driver  neutron.agent.linux.dhcp.Dnsmasq
openstack-config --set /etc/neutron/dhcp_agent.ini DEFAULT enable_isolated_metadata  true

查看：
[root@controller ~]# grep "^[a-Z]" /etc/neutron/dhcp_agent.ini 
interface_driver = linuxbridge
dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq
enable_isolated_metadata = true

验证：
[root@controller ~]# md5sum /etc/neutron/dhcp_agent.ini
33a1e93e1853796070d5da0773496665  /etc/neutron/dhcp_agent.ini

6.5 配置元数据代理

修改/etc/neutron/metadata_agent.ini

[root@controller ~]# vim /etc/neutron/metadata_agent.ini 
1）配置元数据主机已经共享秘钥
[DEFAULT]
# ...
nova_metadata_host = controller
metadata_proxy_shared_secret = METADATA_SECRET

####
e:/etc/neutron/metadata_agent.ini  
cp -a /etc/neutron/metadata_agent.ini{,.bak}
grep -Ev '^$|#' /etc/neutron/metadata_agent.ini.bak >/etc/neutron/metadata_agent.ini 
openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT nova_metadata_host  controller
openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT metadata_proxy_shared_secret  METADATA_SECRET

[root@controller ~]# grep '^[a-Z]' /etc/neutron/metadata_agent.ini 
nova_metadata_host = controller
metadata_proxy_shared_secret = METADATA_SECRET

6.6 为计算服务配置网络服务：

修改nova配置文件/etc/nova/nova.conf

• 配置访问参数，启用元数据代理并设置密码

[root@controller ~]# vim /etc/nova/nova.conf 
1）添加Neutron相关配置
[neutron]
# ...
url = http://controller:9696
auth_url = http://controller:5000
auth_type = password
project_domain_name = default
user_domain_name = default
region_name = RegionOne
project_name = service
username = neutron
password = neutron
service_metadata_proxy = true
metadata_proxy_shared_secret = METADATA_SECRET

自动化执行：
openstack-config --set /etc/nova/nova.conf neutron url  http://controller:9696
openstack-config --set /etc/nova/nova.conf neutron auth_url  http://controller:5000
openstack-config --set /etc/nova/nova.conf neutron auth_type  password
openstack-config --set /etc/nova/nova.conf neutron project_domain_name  default
openstack-config --set /etc/nova/nova.conf neutron user_domain_name  default
openstack-config --set /etc/nova/nova.conf neutron region_name  RegionOne
openstack-config --set /etc/nova/nova.conf neutron project_name  service
openstack-config --set /etc/nova/nova.conf neutron username  neutron
openstack-config --set /etc/nova/nova.conf neutron password  neutron
openstack-config --set /etc/nova/nova.conf neutron service_metadata_proxy  true
openstack-config --set /etc/nova/nova.conf neutron metadata_proxy_shared_secret  METADATA_SECRET

校验对比：
[root@controller ~]# md5sum /etc/nova/nova.conf
5703713c54df818c5c4e4489cc5ff6ff  /etc/nova/nova.conf

7、同步数据库并启动服务（在配置文件修改完成之后在进行）

1、根据不同的网络服务创建软连接，因为启动找的是/etc/neutron/plugin.ini所以要创建软连接
# ln -s /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini

2、同步数据库
# su -s /bin/sh -c "neutron-db-manage --config-file /etc/neutron/neutron.conf \
  --config-file /etc/neutron/plugins/ml2/ml2_conf.ini upgrade head" neutron
  
3、因为修改了nova配置文件，需要重启服务计算节点nova-api服务
# systemctl restart openstack-nova-api.service

4、重启neutron服务，设置开机自启
# systemctl enable neutron-server.service \
  neutron-linuxbridge-agent.service neutron-dhcp-agent.service \
  neutron-metadata-agent.service
# systemctl start neutron-server.service \
  neutron-linuxbridge-agent.service neutron-dhcp-agent.service \
  neutron-metadata-agent.service
 
5、 查看验证，多刷新几次（可以看到后边有笑脸）：
[root@controller ~]# neutron agent-list
neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.
+--------------------------------------+--------------------+------------+-------------------+-------+----------------+---------------------------+
| id                                   | agent_type         | host       | availability_zone | alive | admin_state_up | binary                    |
+--------------------------------------+--------------------+------------+-------------------+-------+----------------+---------------------------+
| 274aab6a-66bd-4da8-9353-81f62c75bb47 | DHCP agent         | controller | nova              | :-)   | True           | neutron-dhcp-agent        |
| 6cca7537-071d-4e6a-9bc8-671890d4985f | Metadata agent     | controller |                   | :-)   | True           | neutron-metadata-agent    |
| cb95211d-3102-4daf-b776-5bbef7074e35 | Linux bridge agent | controller |                   | :-)   | True           | neutron-linuxbridge-agent |
+--------------------------------------+--------------------+------------+-------------------+-------+----------------+---------------------------+

# systemctl enable neutron-l3-agent.service
# systemctl start neutron-l3-agent.service