OpenStack: Installing Neutron
Configure the database
MariaDB [(none)]> CREATE DATABASE neutron;
Query OK, 1 row affected (0.00 sec)
MariaDB [(none)]> GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'localhost' \
-> IDENTIFIED BY 'neutron';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'%' IDENTIFIED BY 'neutron';
Query OK, 0 rows affected (0.00 sec)
Choose a networking option
- Provider networks
- Self-service networks
This guide configures provider networks.
Install the packages
[root@openstack ~]# yum install openstack-neutron openstack-neutron-ml2 \
openstack-neutron-linuxbridge ebtables
Configure neutron
In the [database] section, configure the database connection
[database]
# ...
connection = mysql+pymysql://neutron:neutron@192.168.1.140/neutron
In the [DEFAULT] section, enable the Modular Layer 2 (ML2) plug-in and disable additional plug-ins
[DEFAULT]
# ...
core_plugin = ml2
service_plugins =
In the [DEFAULT] section, configure the RabbitMQ message queue
[DEFAULT]
# ...
transport_url = rabbit://openstack:openstack@192.168.1.140
In the [DEFAULT] and [keystone_authtoken] sections, configure the connection to the Identity service
[DEFAULT]
# ...
auth_strategy = keystone
[keystone_authtoken]
# ...
www_authenticate_uri = http://192.168.1.140:5000
auth_url = http://192.168.1.140:5000
memcached_servers = 192.168.1.140:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = neutron
password = neutron
In the [oslo_concurrency] section, configure the lock path
[oslo_concurrency]
# ...
lock_path = /var/lib/neutron/tmp
Configure the Modular Layer 2 (ML2) plug-in
Edit the /etc/neutron/plugins/ml2/ml2_conf.ini file and complete the following configuration:
In the [ml2] section, enable flat and VLAN networks:
[ml2]
# ...
type_drivers = flat,vlan
In the [ml2] section, disable self-service networks:
[ml2]
# ...
tenant_network_types =
In the [ml2] section, enable the Linux bridge mechanism:
[ml2]
# ...
mechanism_drivers = linuxbridge
In the [ml2] section, enable the port security extension driver:
[ml2]
# ...
extension_drivers = port_security
In the [ml2_type_flat] section, configure the provider virtual network as a flat network
[ml2_type_flat]
# ...
flat_networks = provider
In the [securitygroup] section, enable ipset to make security group rules more efficient
[securitygroup]
# ...
enable_ipset = true
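Configure the Linux bridge
Edit the /etc/neutron/plugins/ml2/linuxbridge_agent.ini file and complete the following configuration:
In the [linux_bridge] section, map the provider virtual network to the physical network interface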
[linux_bridge]
physical_interface_mappings = provider:em1
In the [vxlan] section, disable VXLAN overlay networks
[vxlan]
enable_vxlan = false
In the [securitygroup] section, enable security groups and configure the Linux bridge firewall driver:
[securitygroup]
# ...
enable_security_group = true
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
Using the sysctl command, make sure the Linux kernel supports bridge filtering by setting the following values to 1
net.bridge.bridge-nf-call-iptables
net.bridge.bridge-nf-call-ip6tables
On CentOS 7, make the change as follows:
[root@openstack ~]# modprobe br_netfilter
Edit the /etc/sysctl.conf file and append the following settings:
net.bridge.bridge-nf-call-iptables=1
net.bridge.bridge-nf-call-ip6tables=1
Reload the configuration file
[root@openstack ~]# sysctl -p
Configure the DHCP agent
Edit the /etc/neutron/dhcp_agent.ini file and complete the following configuration:
In the [DEFAULT] section, configure the Linux bridge interface driver:
[DEFAULT]
# ...
interface_driver = linuxbridge
dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq
enable_isolated_metadata = true
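Configure the metadata agent
Edit the /etc/neutron/metadata_agent.ini file and complete the following configuration:
In the [DEFAULT] section, configure the metadata host and the shared secret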
[DEFAULT]
# ...
nova_metadata_host = controller
metadata_proxy_shared_secret = METADATA_SECRET
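- METADATA_SECRET: replace with your own secret; the configuration below uses it again
Configure the Compute service to use the Networking service
Edit the /etc/nova/nova.conf file and complete the following configuration:
In the [neutron] section, configure the connection parameters, enable the metadata proxy, and configure the secret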
[neutron]
# ...
url = http://192.168.1.140:9696
auth_url = http://192.168.1.140:5000
auth_type = password
project_domain_name = default
user_domain_name = default
region_name = RegionOne
project_name = service
username = neutron
password = neutron
service_metadata_proxy = true
metadata_proxy_shared_secret = METADATA_SECRET
- METADATA_SECRET: the secret set by metadata_proxy_shared_secret = METADATA_SECRET in /etc/neutron/metadata_agent.ini
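The two metadata_proxy_shared_secret values above must match, and the METADATA_SECRET placeholder must be replaced in both files. The check below is an added example, not part of the original post or of OpenStack itself; it uses Python's configparser as a stand-in for oslo.config parsing, and the function names and sample file contents are constructed for illustration.

```python
import configparser
import secrets

PLACEHOLDERS = {"", "METADATA_SECRET"}  # unset, or the guide's literal placeholder
KEY = "metadata_proxy_shared_secret"

def _load(text):
    # strict=False tolerates repeated sections and keys in the file
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp

def new_secret():
    """Random 256-bit value (64 hex characters) to use as the shared secret."""
    return secrets.token_hex(32)

def audit(metadata_agent_ini, nova_conf):
    """Return a list of findings; an empty list means every check passed."""
    agent, nova = _load(metadata_agent_ini), _load(nova_conf)
    a = agent.get("DEFAULT", KEY, fallback="").strip()
    n = nova.get("neutron", KEY, fallback="").strip()
    findings = []
    if a in PLACEHOLDERS:
        findings.append("metadata_agent.ini: secret unset or placeholder")
    if n in PLACEHOLDERS:
        findings.append("nova.conf: secret unset or placeholder")
    if a != n:
        findings.append("secrets differ between the two files")
    user = nova.get("neutron", "username", fallback="")
    if user and nova.get("neutron", "password", fallback="") == user:
        findings.append("nova.conf: [neutron] password equals username")
    proxy = nova.get("neutron", "service_metadata_proxy", fallback="false")
    if proxy.strip().lower() != "true":
        findings.append("nova.conf: service_metadata_proxy is not true")
    return findings

# Constructed sample input mirroring the settings shown in this guide
AGENT_SAMPLE = """[DEFAULT]
nova_metadata_host = controller
metadata_proxy_shared_secret = METADATA_SECRET
"""
NOVA_SAMPLE = """[neutron]
username = neutron
password = neutron
service_metadata_proxy = true
metadata_proxy_shared_secret = METADATA_SECRET
"""

if __name__ == "__main__":
    for finding in audit(AGENT_SAMPLE, NOVA_SAMPLE):
        print("FINDING:", finding)
```

On a real node, pass the contents of /etc/neutron/metadata_agent.ini and /etc/nova/nova.conf to audit() instead of the samples.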
Finalize the installation
[root@openstack ~]# ln -s /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini
Synchronize the database
[root@openstack ~]# su -s /bin/sh -c "neutron-db-manage --config-file /etc/neutron/neutron.conf \
--config-file /etc/neutron/plugins/ml2/ml2_conf.ini upgrade head" neutron
Restart the Compute API service
[root@openstack ~]# systemctl restart openstack-nova-api.service
Start the Networking services and enable them at boot
[root@openstack ~]# systemctl enable neutron-server.service \
neutron-linuxbridge-agent.service neutron-dhcp-agent.service \
neutron-metadata-agent.service
[root@openstack ~]# systemctl start neutron-server.service \
neutron-linuxbridge-agent.service neutron-dhcp-agent.service \
neutron-metadata-agent.service
Verify the status of each service
[root@openstack ~]# systemctl status neutron-server.service \
neutron-linuxbridge-agent.service neutron-dhcp-agent.service \
neutron-metadata-agent.service
Create the keystone credentials
Load the environment variables
[root@openstack ~]# . admin-openstack.bashrc
Create the neutron user:
[root@openstack ~]# openstack user create --domain default --password-prompt neutron
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | default |
| enabled | True |
| id | b9c2ce3935094bc99d4c58b8fbde678c |
| name | neutron |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+
Add the neutron user to the admin role
[root@openstack ~]# openstack role add --project service --user neutron admin
Create the neutron service entity:
[root@openstack ~]# openstack service create --name neutron \
> --description "OpenStack Networking" network
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | OpenStack Networking |
| enabled | True |
| id | 99c229ee69b34a87997f5054970ec685 |
| name | neutron |
| type | network |
+-------------+----------------------------------+
Create the Networking service API endpoints:
[root@openstack ~]# openstack endpoint create --region RegionOne \
> network public http://192.168.1.140:9696
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | b0ae8e5f66644c6c8ba3ca726e6f068d |
| interface | public |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 99c229ee69b34a87997f5054970ec685 |
| service_name | neutron |
| service_type | network |
| url | http://192.168.1.140:9696 |
+--------------+----------------------------------+
[root@openstack ~]# openstack endpoint create --region RegionOne network internal http://192.168.1.140:9696
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 81affa1d256c48a9b6224c14adafb9a5 |
| interface | internal |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 99c229ee69b34a87997f5054970ec685 |
| service_name | neutron |
| service_type | network |
| url | http://192.168.1.140:9696 |
+--------------+----------------------------------+
[root@openstack ~]# openstack endpoint create --region RegionOne network admin http://192.168.1.140:9696
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | d1ab17debc794a65aee25029bd00f3c7 |
| interface | admin |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 99c229ee69b34a87997f5054970ec685 |
| service_name | neutron |
| service_type | network |
| url | http://192.168.1.140:9696 |
+--------------+----------------------------------+
Verify that each agent has started correctly
[root@openstack ~]# neutron agent-list
neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.
+--------------------------------------+--------------------+-----------+-------------------+-------+----------------+---------------------------+
| id | agent_type | host | availability_zone | alive | admin_state_up | binary |
+--------------------------------------+--------------------+-----------+-------------------+-------+----------------+---------------------------+
| cbb9be9e-6f17-4069-994e-3633f1377442 | Linux bridge agent | openstack | | :-) | True | neutron-linuxbridge-agent |
| e3fba7fe-4372-447b-b9d5-aa102e2e272a | DHCP agent | openstack | nova | :-) | True | neutron-dhcp-agent |
| f5a9401c-a6d8-45d3-b118-29cc937954b8 | Metadata agent | openstack | | :-) | True | neutron-metadata-agent |
+--------------------------------------+--------------------+-----------+-------------------+-------+----------------+---------------------------+
Install and configure the compute node
yum install openstack-neutron-linuxbridge ebtables ipset
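Compute node configuration
Edit the /etc/neutron/neutron.conf file and complete the following configuration
In the [DEFAULT] section, configure the RabbitMQ message queue connection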
[DEFAULT]
# ...
transport_url = rabbit://openstack:openstack@192.168.1.140
In the [DEFAULT] and [keystone_authtoken] sections, configure the connection to the Identity service
[DEFAULT]
# ...
auth_strategy = keystone
[keystone_authtoken]
# ...
www_authenticate_uri = http://192.168.1.140:5000
auth_url = http://192.168.1.140:5000
memcached_servers = 192.168.1.140:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = neutron
password = neutron
In the [oslo_concurrency] section, configure the lock path
[oslo_concurrency]
# ...
lock_path = /var/lib/neutron/tmp
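Configure provider networking (same as above)
Configure the Compute service to use the Networking service
Edit the /etc/nova/nova.conf file and complete the following configuration
In the [neutron] section, configure the connection parameters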
[neutron]
# ...
url = http://192.168.1.140:9696
auth_url = http://192.168.1.140:5000
auth_type = password
project_domain_name = default
user_domain_name = default
region_name = RegionOne
project_name = service
username = neutron
password = neutron
Finalize the installation
Restart the Compute service
[root@openstack ~]# systemctl restart openstack-nova-compute.service
Start the Linux bridge agent and enable it at boot
[root@openstack ~]# systemctl enable neutron-linuxbridge-agent.service
[root@openstack ~]# systemctl start neutron-linuxbridge-agent.service
