openstack集群部署—Neutron集群

Neutron概述

​ Neutron是 OpenStack项目中负责提供网络服务的组件,它基于软件定义网络的思想,实现了网络虚拟化下的资源管理。Neutron 的设计目标是实现“网络即服务(Networking as a Service)”,在设计上遵循了基于 SDN 实现网络虚拟化的原则,在实现上充分利用了 Linux 系统上的各种网络相关的技术。

Neutron功能

二层交换

​ Neutron支持多种虚拟交换机,一般使用Linux Bridge和Open vSwitch创建传统的VLAN网络,以及基于隧道技术的Overlay网络,如VxLAN和GRE(Linux Bridge 目前只支持 VxLAN)。

三层路由

​ Neutron从Juno版开始正式加入的DVR(Distributed Virtual Router)服务,它将原本集中在网络节点的部分服务分散到了计算节点上。可以通过namespace中使用ip route或者iptables实现路由或NAT,也可以通过openflow给OpenvSwitch下发流表来实现。

负载均衡

​ LBaaS 支持多种负载均衡产品和方案,不同的实现以 Plugin 的形式集成到 Neutron,参考实现基于 HAProxy。(注:neutron-lbaas 在较新的 OpenStack 版本中已退役,负载均衡服务改由独立的 Octavia 项目提供。)

防火墙

​ Neutron有两种方式来保障instance和网络的安全性,分别是安全组(Security Group)以及防火墙(FWaaS)功能,均可以通过iptables来实现:前者作用于instance的端口,过滤进出instance的网络包(默认安全组放行全部出向流量,入向只放行来自同一安全组的流量);后者作用于虚拟路由器,过滤进出路由器的网络包。

部署

创建neutron数据库

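# Create the neutron database on any one controller node (the cluster database
# replicates it to the others); controller01 is used as the example.
# Do not pass the root password on the command line (-p123456): it lands in the
# shell history and is visible to every local user via `ps`. Let mysql prompt.
[root@controller01 ~]# mysql -u root -p
Enter password:

# '123456' is a lab placeholder: choose a strong, unique password for the
# neutron account and use the same value in the [database] connection string
# of /etc/neutron/neutron.conf, otherwise neutron-server cannot reach the DB.
MariaDB [(none)]> CREATE DATABASE neutron;
MariaDB [(none)]> GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'localhost' IDENTIFIED BY '123456';
# The original line lacked the closing quote after the password and would fail.
# '%' accepts logins from any host; narrow it to the management network
# (e.g. '10.21.0.%', the subnet bind_host uses) if MariaDB is reachable elsewhere.
MariaDB [(none)]> GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'%' IDENTIFIED BY '123456';

MariaDB [(none)]> flush privileges;
MariaDB [(none)]> exit;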

加载admin认证环境变量

# Run on any single controller node (controller01 shown).
# The openstack CLI needs Keystone credentials: source the admin credential
# file, which exports the OS_* variables into the current shell.
[root@controller01 ~]# source admin-openrc

创建neutron用户

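# The "service" project was created in the glance chapter.
# The neutron user lives in the "default" domain.
# --password-prompt reads the password interactively instead of putting it on
# the command line, where it would be stored in ~/.bash_history and exposed
# via `ps`. Choose a strong password; the same value goes into the
# [keystone_authtoken] password of neutron.conf and the [neutron] password of
# nova.conf.
[root@controller01 ~]# openstack user create --domain default --password-prompt neutron
User Password:
Repeat User Password: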
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | default |
| enabled | True |
| id | 5434a7475b234a5f8c26bfe411640316 |
| name | neutron |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+

neutron赋权

# Give the neutron service user the admin role on the "service" project; the
# networking service authenticates to Keystone with this identity.
[root@controller01 ~]# openstack role add --user neutron --project service admin

创建neutron服务实体

# Register the service entity; the type must be "network" so clients can
# discover the networking endpoints from the catalog.
[root@controller01 ~]# openstack service create --description "OpenStack Networking" --name neutron network

创建neutron-api

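# --region must be the region used when the admin user and Keystone endpoints
# were initialised, and must match region_name in the [nova] section of
# neutron.conf and the [neutron] section of nova.conf. All three network
# endpoints must be registered in that same region (the original page mixed
# RegionOne here with RegionTest for internal/admin).
# Use the VIP for every endpoint; pointing the public endpoint at a single
# node (controller01) bypasses the HA setup. If public/internal/admin use
# different VIPs, keep them distinct.
# Plain http means Keystone tokens cross the wire unencrypted; terminate TLS
# on the VIP outside a lab.
# Service type is "network".
# public api
[root@controller01 ~]# openstack endpoint create --region RegionTest network public http://controller:9696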
# internal api (same region and VIP as the other two network endpoints)
[root@controller01 ~]# openstack endpoint create network internal http://controller:9696 --region RegionTest
# admin api (same region and VIP as the other two network endpoints)
[root@controller01 ~]# openstack endpoint create network admin http://controller:9696 --region RegionTest

安装neutron

# Provider-network (Linux bridge) layout.
# Install the Neutron packages on every controller node; controller01 shown.
[root@controller01 ~]# yum install openstack-neutron openstack-neutron-ml2 openstack-neutron-linuxbridge ebtables

配置neutron.conf

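# Run on every controller node (controller01 shown).
# bind_host is node-specific: set it to this node's own management address.
# neutron.conf holds the database, RabbitMQ and Keystone passwords, so keep it
# root:neutron and not world-readable (e.g. mode 0640). The .bak copy made
# below carries the same secrets: give it the same permissions or delete it.
[root@controller01 ~]# cp /etc/neutron/neutron.conf /etc/neutron/neutron.conf.bak
[root@controller01 ~]# egrep -v "^$|^#" /etc/neutron/neutron.conf
[DEFAULT]
bind_host = 10.21.0.36
auth_strategy = keystone
core_plugin = ml2
# Empty on purpose: provider networks only, no router/L3 service plugin.
service_plugins =
notify_nova_on_port_status_changes = true
notify_nova_on_port_data_changes = true
# Credentials of the "openstack" RabbitMQ user. RABBIT_PASS is a placeholder
# for the real password; the original page printed the real value in clear,
# which is a credential leak - rotate any password that has been published.
# Percent-encode characters such as @, :, / or % in the password so the
# transport URL parses unambiguously.
transport_url = rabbit://openstack:RABBIT_PASS@bjxg-controller01:5672,bjxg-controller02:5672
[agent]
[cors]
[database]
# NEUTRON_DBPASS must be the password given in the GRANT statements when the
# neutron database user was created; the original page used a different value
# here than in the GRANT, so neutron-db-manage would fail to connect.
connection = mysql+pymysql://neutron:NEUTRON_DBPASS@bjxg-controller/neutron
[keystone_authtoken]
# Plain http: Keystone tokens travel unencrypted; terminate TLS on the VIP for
# anything beyond a lab deployment.
www_authenticate_uri = http://bjxg-controller:5000
auth_url = http://bjxg-controller:5000
# List the memcached instance of each controller node rather than the VIP; the
# original first entry "bjxg-controller" looks like a typo for the node name
# used in transport_url. memcached holds validated tokens in clear text, so
# restrict port 11211 to the management network.
memcached_servers = bjxg-controller01:11211,bjxg-controller02:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = neutron
# Password of the neutron Keystone user created earlier; "neutron" is a
# lab-grade value, use a strong one in production.
password = neutron
[matchmaker_redis]
[nova]
# Credentials Neutron uses to notify Nova of port changes: the nova service
# user from the nova chapter. region_name must be the region the network and
# compute endpoints are registered in.
auth_url = http://bjxg-controller:5000
auth_type = password
project_domain_name = default
user_domain_name = default
region_name = RegionBjxg
project_name = service
username = nova
password = nova
[oslo_concurrency]
lock_path = /var/lib/neutron/tmp
[oslo_messaging_amqp]
[oslo_messaging_kafka]
[oslo_messaging_notifications]
[oslo_messaging_rabbit]
[oslo_messaging_zmq]
[oslo_middleware]
[oslo_policy]
[quotas]
[ssl]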

配置ml2_conf.ini

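# Run on every controller node (controller01 shown).
# ml2_conf.ini permissions: root:neutron, not world-readable.
[root@controller01 ~]# cp /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugins/ml2/ml2_conf.ini.bak
[root@controller01 ~]# egrep -v "^$|^#" /etc/neutron/plugins/ml2/ml2_conf.ini
[DEFAULT]
[l2pop]
[ml2]
# Provider networks only: flat and VLAN types, no self-service tenant networks.
type_drivers = flat,vlan
tenant_network_types =
mechanism_drivers = linuxbridge
# port_security provides the per-port port_security_enabled attribute that
# governs MAC/IP anti-spoofing and security-group enforcement; keep it loaded.
extension_drivers = port_security
[ml2_type_flat]
flat_networks = provider
[ml2_type_geneve]
[ml2_type_gre]
[ml2_type_vlan]
# VLAN IDs Neutron may allocate on the "provider" physical network.
network_vlan_ranges = provider:2000:2999
[ml2_type_vxlan]
[securitygroup]
enable_ipset = true

# neutron-server reads /etc/neutron/plugin.ini at start-up; make it point at
# the ML2 config (the original comment misspelled the path as "olugin.ini").
# -f lets the step be re-run on another node or a second pass without failing
# because the link already exists.
[root@controller01 ~]# ln -sf /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini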

配置linuxbridge_agent.ini

# Run on every controller node (controller01 shown).
# linuxbridge_agent.ini permissions: root:neutron, not world-readable.
[root@controller01 ~]# cp /etc/neutron/plugins/ml2/linuxbridge_agent.ini /etc/neutron/plugins/ml2/linuxbridge_agent.ini.bak
[root@controller01 ~]# egrep -v "^$|^#" /etc/neutron/plugins/ml2/linuxbridge_agent.ini
[DEFAULT]
[agent]
[linux_bridge]
# Map the "provider" physical network (named in ml2_conf.ini) to this node's
# NIC; em1 must be the interface carrying the flat/VLAN provider network.
physical_interface_mappings = provider:em1
[network_log]
[securitygroup]
# Security groups are enforced by the iptables driver on the bridge ports; this
# only takes effect when net.bridge.bridge-nf-call-iptables is enabled (set in
# the sysctl step that follows).
enable_security_group = true
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
[vxlan]
# Provider networks only; no VXLAN overlay.
enable_vxlan = false
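# Enable netfilter on bridged traffic. With these sysctls off, frames that cross
# a Linux bridge bypass iptables and the security groups configured in
# linuxbridge_agent.ini are not enforced on the instances' bridge ports.
# The br_netfilter module must be loaded before the sysctls exist, otherwise
# "sysctl -p" fails with "No such file or directory" ("modinfo br_netfilter"
# shows the module details). modprobe alone is not persistent: register the
# module in /etc/modules-load.d so it is loaded at boot, and keep the sysctls
# in /etc/sysctl.d so re-running this step does not append duplicate lines to
# /etc/sysctl.conf.
[root@controller01 ~]# echo "br_netfilter" > /etc/modules-load.d/br_netfilter.conf
[root@controller01 ~]# cat > /etc/sysctl.d/90-neutron-bridge.conf <<'EOF'
# bridge
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
EOF
[root@controller01 ~]# modprobe br_netfilter && sysctl --system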

配置dhcp_agent.ini

# Run on every controller node (controller01 shown).
# DHCP is served by dnsmasq (the original text misspelled it "dnsmasp").
# dhcp_agent.ini permissions: root:neutron.
[root@controller01 ~]# cp /etc/neutron/dhcp_agent.ini /etc/neutron/dhcp_agent.ini.bak
[root@controller01 ~]# egrep -v "^$|^#" /etc/neutron/dhcp_agent.ini
[DEFAULT]
interface_driver = linuxbridge
dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq
# No Neutron router exists on provider networks, so the DHCP namespace has to
# hand instances the route to the metadata service (169.254.169.254) itself.
enable_isolated_metadata = true
[agent]
[ovs]

配置metadata_agent.ini

# Run on every controller node (controller01 shown).
# metadata_proxy_shared_secret must be identical on every node and equal to the
# value in the [neutron] section of /etc/nova/nova.conf, otherwise Nova rejects
# the proxied metadata requests.
# METADATA_SECRET is a placeholder: generate a random value (for example
# "openssl rand -hex 32") and do not reuse a password from elsewhere. Nova uses
# this secret to verify the instance identity the proxy forwards, so a
# guessable value would let a client that reaches nova-api impersonate other
# instances when reading metadata.
# metadata_agent.ini permissions: root:neutron (the file now holds a secret).
[root@controller01 ~]# cp /etc/neutron/metadata_agent.ini /etc/neutron/metadata_agent.ini.bak
[root@controller01 ~]# egrep -v "^$|^#" /etc/neutron/metadata_agent.ini
[DEFAULT]
# VIP of the controllers where the nova metadata API listens.
nova_metadata_host = bjxg-controller
metadata_proxy_shared_secret = METADATA_SECRET
[agent]
[cache]

配置nova.conf

# Run on every controller node (controller01 shown).
# Only the [neutron] section of nova.conf is touched here.
# metadata_proxy_shared_secret must equal the value in
# /etc/neutron/metadata_agent.ini (METADATA_SECRET is a placeholder; use one
# random value, identical on all nodes).
# region_name must be the region the network endpoints were registered in.
# password is the neutron Keystone user's password chosen at user creation;
# nova.conf now holds it, so keep the file owned by root:nova (as the package
# ships it) and not world-readable.
[root@controller01 ~]# vim /etc/nova/nova.conf
[neutron]
url = http://bjxg-controller:9696
auth_url = http://bjxg-controller:5000
auth_type = password
project_domain_name = default
user_domain_name = default
region_name = RegionBjxg
project_name = service
username = neutron
password = neutron
# Let Nova accept metadata requests proxied by neutron-metadata-agent.
service_metadata_proxy = true
metadata_proxy_shared_secret = METADATA_SECRET

同步neutron数据库

# Run once, on any single controller node: populate/upgrade the neutron schema
# as the neutron user so the database credentials come from neutron.conf.
[root@controller01 ~]# su neutron -s /bin/sh -c "neutron-db-manage --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugins/ml2/ml2_conf.ini upgrade head"

启动服务

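# Run on every controller node.
# nova.conf changed ([neutron] section), so restart nova-api first.
[root@controller01 ~]# systemctl restart openstack-nova-api.service


# Enable at boot
[root@controller01 ~]# systemctl enable neutron-server.service \
neutron-linuxbridge-agent.service neutron-dhcp-agent.service \
neutron-metadata-agent.service

# Start. neutron-l3-agent is deliberately not restarted: this deployment uses
# provider networks only (service_plugins is empty in neutron.conf and no
# l3_agent.ini was configured) and the unit was not enabled above, so the
# original restart only started an unconfigured agent that would not survive
# a reboot.
[root@controller01 ~]# systemctl restart neutron-server.service
[root@controller01 ~]# systemctl restart neutron-linuxbridge-agent.service
[root@controller01 ~]# systemctl restart neutron-dhcp-agent.service
[root@controller01 ~]# systemctl restart neutron-metadata-agent.service
# Confirm every unit is up before moving on; a failed unit is easy to miss
# after a batch of restarts.
[root@controller01 ~]# systemctl is-active neutron-server neutron-linuxbridge-agent neutron-dhcp-agent neutron-metadata-agent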

验证

# Load admin credentials before querying the API.
[root@controller01 ~]# source admin-openrc

# Loaded API extensions (the list should include the security-group and
# port-security extensions enabled in ml2_conf.ini).
[root@controller01 ~]# openstack extension list --network

# Registered agents: expect the linuxbridge, DHCP and metadata agents of each
# controller node to be listed with alive status.
[root@controller01 ~]# openstack network agent list