Neutron的概述
Openstack的網絡(Neutron),可以創建和附加其它的Openstack服務,網絡管理接口設備。插件可以被實現,以適應不同的網絡設備和軟件,提供靈活性,以開棧架構和部署。
Openstack的網絡(Neutron)管理虛擬網絡基礎架構(VNI),並在您的Openstack的環境中的物理網絡基礎架構(PNI)的接入層方面的所有網絡方面。開棧網絡允許租戶創建高級的虛擬網絡拓撲可包括服務,例如防火牆,負載均衡器,和虛擬專用網(***)。
Neutron基本概念
網絡
在普通人的眼裏,網絡就是網線和供網線插入的端口,一個盒子會提供這些端口。對於網絡工程師來說,網絡的盒子指的是交換機和路由器。所以在物理世界中,網絡可以簡單地被認爲包括網線,交換機和路由器。當然,除了物理設備,我們還有軟的物件:IP地址,交換機和路由器的配置和管理軟件以及各種網絡協議。Neutron網絡目的是劃分物理網絡,在多租戶環境下提供給每個租戶獨立的網絡環境。另外,Neutron提供API來實現這種目標。Neutron中“網絡”是一個可以被用戶創建的對象,如果要和物理環境下的概念映射的話,這個對象相當於一個巨大的交換機,可以擁有無限多個動態可創建和銷燬的虛擬端口。
子網
簡單地說,子網是由一組IP地址組成的地址池。不同子網間的通信需要路由器的支持,這個Neutron和物理網絡下是一致的。Neutron中子網隸屬於網絡。
端口
在物理網絡環境中,端口是用於連接設備進入網絡的地方。Neutron中的端口起着類似的功能,它是路由器和虛擬機掛接網絡的着附點。
路由
和物理環境下的路由器類似,Neutron中的路由器也是一個路由選擇和轉發部件。只不過在Neutron中,它是可以創建和銷燬的軟部件。
Neutron的組件
- Neutron Server
可以理解爲一個專門用來接收Neutron REST API調用的服務器,然後負責將不同的REST API分發到不同的Neutron-Plugin上。
- Neutron-Plugin
可以理解爲不同網絡功能實現的入口,各個廠商可以開發自己的plugin。Neutron-Plugin接收Neutron-Server分發過來的REST API,向neutron database完成一些信息的註冊,然後將具體要執行的業務操作和參數通知給自身對應的neutron agent。
- Neutron-Agent
可以理解爲Neutron-Plugin在設備上的代理,接收相應的Neutron-Plugin通知的業務操作和參數,並轉換爲具體的設備級操作,以指導設備的動作。當設備本地發生問題時,Neutron-Agent會將情況通知給Neutron-Plugin。
- Neutron Database
Neutron的數據庫,存放網絡狀態信息,包括Network,Subnet, Port,Router等。
- Network Provider
實際執行功能的網絡設備,一般爲虛擬交換機(OVS或者Linux Bridge)
安裝配置控制節點
Neutron的安裝
- 創建數據庫,服務憑證和API端點
MariaDB [(none)]> create database neutron;
Query OK, 1 row affected (0.00 sec)
MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| glance |
| information_schema |
| keystone |
| mysql |
| neutron |
| nova |
| nova_api |
| performance_schema |
+--------------------+
8 rows in set (0.00 sec)
MariaDB [(none)]> grant all on neutron.* to 'neutron'@'localhost' identified by 'neutron';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> grant all on neutron.* to 'neutron'@'%' identified by 'neutron';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> exit
Bye- 獲得admin憑證來獲取只有管理員能執行的命令的訪問權限
[root@linux-node1 ~]# source admin-openrc- 要創建服務證書,完成這些步驟
創建neutron用戶
[root@linux-node1 ~]# openstack user create --domain default --password-prompt neutron
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | default |
| enabled | True |
| id | cb35cc907b04428c8425cdba65819dad |
| name | neutron |
| password_expires_at | None |
+---------------------+----------------------------------+添加admin角色到neutron用戶
[root@linux-node1 ~]# openstack role add --project service --user neutron admin創建neutron服務實體
[root@linux-node1 ~]# openstack service create --name neutron \
--description "OpenStack Networking" network
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | OpenStack Networking |
| enabled | True |
| id | c96abf0d2fe6402ebb55d8b3fdb95626 |
| name | neutron |
| type | network |
+-------------+----------------------------------+創建網絡服務API端點
[root@linux-node1 ~]# openstack endpoint create --region RegionOne \
network public http://192.168.56.11:9696
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 3723a017a5b84a0e85eb9e41329025f5 |
| interface | public |
| region | RegionOne |
| region_id | RegionOne |
| service_id | c96abf0d2fe6402ebb55d8b3fdb95626 |
| service_name | neutron |
| service_type | network |
| url | http://192.168.56.11:9696 |
+--------------+----------------------------------+
[root@linux-node1 ~]# openstack endpoint create --region RegionOne \
network internal http://192.168.56.11:9696
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 7d1b36d47ee9451e963b5d6f1b9c6337 |
| interface | internal |
| region | RegionOne |
| region_id | RegionOne |
| service_id | c96abf0d2fe6402ebb55d8b3fdb95626 |
| service_name | neutron |
| service_type | network |
| url | http://192.168.56.11:9696 |
+--------------+----------------------------------+
[root@linux-node1 ~]# openstack endpoint create --region RegionOne \
network admin http://192.168.56.11:9696
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 8a146ce4d097417c8eeda705d6da90a2 |
| interface | admin |
| region | RegionOne |
| region_id | RegionOne |
| service_id | c96abf0d2fe6402ebb55d8b3fdb95626 |
| service_name | neutron |
| service_type | network |
| url | http://192.168.56.11:9696 |
+--------------+----------------------------------+- 安裝Neutron相關軟件包
[root@linux-node1 ~]# yum -y install openstack-neutron openstack-neutron-ml2 openstack-neutron-linuxbridge ebtables
[root@linux-node1 ~]# rpm -qa openstack-neutron openstack-neutron-ml2 openstack-neutron-linuxbridge ebtables
ebtables-2.0.10-15.el7.x86_64
openstack-neutron-9.4.1-1.el7.noarch
openstack-neutron-linuxbridge-9.4.1-1.el7.noarch
openstack-neutron-ml2-9.4.1-1.el7.noarchNeutron的配置
- 編輯/etc/neutron/neutron.conf文件並完成如下操作
[root@linux-node1 ~]# cp -a /etc/neutron/neutron.conf /etc/neutron/neutron.conf_$(date +%F)
[root@linux-node1 ~]# vim /etc/neutron/neutron.conf在[database]部分,配置數據庫訪問
[database]
......
722 connection = mysql+pymysql://neutron:[email protected]/neutron在[DEFAULT]部分,啓用ML2插件並禁用其他插件
[DEFAULT]
......
30 core_plugin = ml2
33 service_plugins =在[DEFAULT]部分,配置RabbitMQ消息隊列訪問權限
[DEFAULT]
......
530 transport_url = rabbit://openstack:[email protected]在[DEFAULT]和[keystone_authtoken]部分,配置認證服務訪問
[DEFAULT]
......
27 auth_strategy = keystone
[keystone_authtoken]
803 auth_uri = http://192.168.56.11:5000
804 auth_url = http://192.168.56.11:35357
805 memcached_servers = 192.168.56.11:11211
806 auth_type = password
807 project_domain_name = Default
808 user_domain_name = Default
809 project_name = service
810 username = neutron
811 password = neutron在[DEFAULT]和[nova]部分,配置網絡服務來通知計算節點的網絡拓撲變化
[DEFAULT]
......
118 notify_nova_on_port_status_changes = true
122 notify_nova_on_port_data_changes = true
[nova]
1002 auth_url = http://192.168.56.11:35357
1003 auth_type = password
1004 project_domain_name = Default
1005 user_domain_name = Default
1006 region_name = RegionOne
1007 project_name = service
1008 username = nova
1009 password = nova在[oslo_concurrency]部分,配置鎖路徑
[oslo_concurrency]
......
1123 lock_path = /var/lib/neutron/tmpML2插件的配置
ML2插件使用Linuxbridge機制來爲實例創建layer-2虛擬網絡基礎設施,警告:你後配置ML2插件,在type_drivers選項可能會導致數據庫不一致移除值。
- 編輯/etc/neutron/plugins/ml2/ml2_conf.ini文件並完成以下操作
[root@linux-node1 ~]# cp -a /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugins/ml2/ml2_conf.ini_$(date +%F)
[root@linux-node1 ~]# vim /etc/neutron/plugins/ml2/ml2_conf.ini在[ml2]部分,啓用flat和VLAN網絡
[ml2]
......
109 type_drivers = flat,vlan在[ml2]部分,禁用私有網絡
[ml2]
......
114 tenant_network_types =在[ml2]部分,啓用Linuxbridge機制
[ml2]
......
118 mechanism_drivers = linuxbridge在[ml2]部分,啓用端口安全擴展驅動
[ml2]
......
123 extension_drivers = port_security在[ml2_type_flat]部分,配置公共虛擬網絡爲flat網絡
[ml2_type_flat]
......
159 flat_networks = provider在[securitygroup]部分,啓用ipset增加安全組的方便性
[securitygroup]
......
236 enable_ipset = trueLinuxbridge代理的配置
Linuxbridge代理爲實例建立layer-2虛擬網絡並且處理安全組規則。
- 編輯/etc/neutron/plugins/ml2/linuxbridge_agent.ini文件並且完成以下操作
[root@linux-node1 ~]# cp -a /etc/neutron/plugins/ml2/linuxbridge_agent.ini /etc/neutron/plugins/ml2/linuxbridge_agent.ini_$(date +%F)
[root@linux-node1 ~]# vim /etc/neutron/plugins/ml2/linuxbridge_agent.ini在[linux_bridge]部分,將公共虛擬網絡和公共物理網絡接口對應起來
[linux_bridge]
......
143 physical_interface_mappings = provider:eth0在[vxlan]部分,禁止VXLAN覆蓋網絡
[vxlan]
176 enable_vxlan = False在[securitygroup]部分,啓用安全組並配置Linux橋接iptables防火牆驅動
[securitygroup]
......
156 firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
161 enable_security_group = true在[agent]部分,啓用防ARP欺騙
[agent]
......
126 prevent_arp_spoofing = trueDHCP代理的配置
- 編輯/etc/neutron/dhcp_agent.ini文件並完成下面的操作
[root@linux-node1 ~]# cp -a /etc/neutron/dhcp_agent.ini /etc/neutron/dhcp_agent.ini_$(date +%F)
[root@linux-node1 ~]# vim /etc/neutron/dhcp_agent.ini在[DEFAULT]部分,配置Linuxbridge驅動接口,DHCP驅動並啓用隔離元數據,這樣在公共網絡上的實例就可以通過網絡來訪問元數據
[DEFAULT]
......
16 interface_driver = neutron.agent.linux.interface.BridgeInterfaceDriver
32 dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq
41 enable_isolated_metadata = True元數據代理的配置
- 編輯/etc/neutron/metadata_agent.ini文件並完成以下操作
[root@linux-node1 ~]# cp -a /etc/neutron/metadata_agent.ini /etc/neutron/metadata_agent.ini_$(date +%F)
[root@linux-node1 ~]# vim /etc/neutron/metadata_agent.ini在[DEFAULT]部分,配置元數據主機以及共享密碼
[DEFAULT]
......
22 nova_metadata_ip = 192.168.56.11
34 metadata_proxy_shared_secret = neutron控制節點使用網絡的配置
- 編輯/etc/nova/nova.conf文件並完成以下操作
[root@linux-node1 ~]# vim /etc/nova/nova.conf在[neutron]部分,配置訪問參數,啓用元數據代理並設置密碼
[neutron]
6472 url = http://192.168.56.11:9696
6473 auth_url = http://192.168.56.11:35357
6474 auth_type = password
6475 project_domain_name = Default
6476 user_domain_name = Default
6477 region_name = RegionOne
6478 project_name = service
6479 username = neutron
6480 password = neutron
6481 service_metadata_proxy = True
6482 metadata_proxy_shared_secret = neutronNeutron安裝完成
- 網絡服務初始化腳本需要一個超鏈接/etc/neutron/plugin.ini指向ML2插件配置文件/etc/neutron/plugins/ml2/ml2_conf.ini
[root@linux-node1 ~]# ln -s /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini
[root@linux-node1 ~]# ls -l /etc/neutron/plugin.ini
lrwxrwxrwx 1 root root 37 Jan 18 10:50 /etc/neutron/plugin.ini -> /etc/neutron/plugins/ml2/ml2_conf.ini- 同步數據庫,可以忽略警告信息
[root@linux-node1 ~]# su -s /bin/sh -c "neutron-db-manage --config-file /etc/neutron/neutron.conf \
--config-file /etc/neutron/plugins/ml2/ml2_conf.ini upgrade head" neutron
[root@linux-node1 ~]# mysql -uneutron -pneutron -e "use neutron;show tables;"|wc -l
163- 重新啓動控制節點Nova API服務
[root@linux-node1 ~]# systemctl restart openstack-nova-api.service
[root@linux-node1 ~]# systemctl status openstack-nova-api.service- 啓動網絡服務並將其配置爲系統啓動時啓動
[root@linux-node1 ~]# systemctl enable neutron-server.service \
neutron-linuxbridge-agent.service neutron-dhcp-agent.service \
neutron-metadata-agent.service
[root@linux-node1 ~]# systemctl start neutron-server.service \
neutron-linuxbridge-agent.service neutron-dhcp-agent.service \
neutron-metadata-agent.service
[root@linux-node1 ~]# systemctl status neutron-server.service \
neutron-linuxbridge-agent.service neutron-dhcp-agent.service \
neutron-metadata-agent.serviceNeutron驗證操作
[root@linux-node1 ~]# source admin-openrc
[root@linux-node1 ~]# neutron agent-list
+--------------------+--------------------+-------------+-------------------+-------+----------------+---------------------+
| id | agent_type | host | availability_zone | alive | admin_state_up | binary |
+--------------------+--------------------+-------------+-------------------+-------+----------------+---------------------+
| 1bd2e7bb-a74f-4613 | DHCP agent | linux-node1 | nova | :-) | True | neutron-dhcp-agent |
| -87dc-13696f5a2350 | | | | | | |
| a3a0b766-e3ba- | Metadata agent | linux-node1 | | :-) | True | neutron-metadata- |
| 4e5a- | | | | | | agent |
| 84d3-bda27afaaa9d | | | | | | |
| eb6e6a13-42e5-4dae | Linux bridge agent | linux-node1 | | :-) | True | neutron- |
| -8755-f66167321293 | | | | | | linuxbridge-agent |
+--------------------+--------------------+-------------+-------------------+-------+----------------+---------------------+安裝配置計算節點
Neutron的安裝
- 安裝Neutron相關軟件包
[root@linux-node2 ~]# yum -y install openstack-neutron-linuxbridge ebtables ipset
[root@linux-node2 ~]# rpm -qa openstack-neutron-linuxbridge ebtables ipset
ebtables-2.0.10-15.el7.x86_64
ipset-6.29-1.el7.x86_64
openstack-neutron-linuxbridge-9.4.1-1.el7.noarchNeutron的配置
- 編輯/etc/neutron/neutron.conf文件並完成如下操作
[root@linux-node2 ~]# cp -a /etc/neutron/neutron.conf /etc/neutron/neutron.conf_$(date +%F)
[root@linux-node2 ~]# vim /etc/neutron/neutron.conf在[database]部分,註釋所有connection項,因爲計算節點不直接訪問數據庫
在[DEFAULT]部分,配置RabbitMQ消息隊列訪問權限
[DEFAULT]
......
530 transport_url = rabbit://openstack:[email protected]在[DEFAULT]和[keystone_authtoken]部分,配置認證服務訪問
[DEFAULT]
......
27 auth_strategy = keystone
[keystone_authtoken]
803 auth_uri = http://192.168.56.11:5000
804 auth_url = http://192.168.56.11:35357
805 memcached_servers = 192.168.56.11:11211
806 auth_type = password
807 project_domain_name = Default
808 user_domain_name = Default
809 project_name = service
810 username = neutron
811 password = neutron在[oslo_concurrency]部分,配置鎖路徑
[oslo_concurrency]
......
1115 lock_path = /var/lib/neutron/tmpLinuxbridge代理的配置
Linuxbridge代理爲實例建立layer-2虛擬網絡並且處理安全組規則。
- 編輯/etc/neutron/plugins/ml2/linuxbridge_agent.ini文件並且完成以下操作
[root@linux-node2 ~]# cp -a /etc/neutron/plugins/ml2/linuxbridge_agent.ini /etc/neutron/plugins/ml2/linuxbridge_agent.ini_$(date +%F)
[root@linux-node2 ~]# vim /etc/neutron/plugins/ml2/linuxbridge_agent.ini在[linux_bridge]部分,將公共虛擬網絡和公共物理網絡接口對應起來
[linux_bridge]
......
143 physical_interface_mappings = provider:eth0在[vxlan]部分,禁止VXLAN覆蓋網絡
[vxlan]
176 enable_vxlan = False在[securitygroup]部分,啓用安全組並配置Linux橋接iptables防火牆驅動
[securitygroup]
......
156 firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
161 enable_security_group = true在[agent]部分,啓用防ARP欺騙
[agent]
......
126 prevent_arp_spoofing = true計算節點使用網絡的配置
- 編輯/etc/nova/nova.conf文件並完成以下操作
[root@linux-node2 ~]# vim /etc/nova/nova.conf在[neutron]部分,配置訪問參數,啓用元數據代理並設置密碼
[neutron]
6472 url = http://192.168.56.11:9696
6473 auth_url = http://192.168.56.11:35357
6474 auth_type = password
6475 project_domain_name = Default
6476 user_domain_name = Default
6477 region_name = RegionOne
6478 project_name = service
6479 username = neutron
6480 password = neutronNeutron安裝完成
- 重新啓動計算服務
[root@linux-node2 ~]# systemctl restart openstack-nova-compute.service
[root@linux-node2 ~]# systemctl status openstack-nova-compute.service- 啓動Linuxbridge代理並配置它開機自啓動
[root@linux-node2 ~]# systemctl enable neutron-linuxbridge-agent.service
[root@linux-node2 ~]# systemctl start neutron-linuxbridge-agent.service
[root@linux-node2 ~]# systemctl status neutron-linuxbridge-agent.serviceNeutron驗證操作
- 獲得admin憑證來獲取只有管理員能執行的命令的訪問權限
[root@linux-node1 ~]# source admin-openrc- 列出加載的擴展來驗證
neutron-server進程是否正常啓動
[root@linux-node1 ~]# neutron ext-list
+---------------------------+---------------------------------+
| alias | name |
+---------------------------+---------------------------------+
| default-subnetpools | Default Subnetpools |
| availability_zone | Availability Zone |
| network_availability_zone | Network Availability Zone |
| binding | Port Binding |
| agent | agent |
| subnet_allocation | Subnet Allocation |
| dhcp_agent_scheduler | DHCP Agent Scheduler |
| tag | Tag support |
| external-net | Neutron external network |
| flavors | Neutron Service Flavors |
| net-mtu | Network MTU |
| network-ip-availability | Network IP Availability |
| quotas | Quota management support |
| provider | Provider Network |
| multi-provider | Multi Provider Network |
| address-scope | Address scope |
| subnet-service-types | Subnet service types |
| standard-attr-timestamp | Resource timestamps |
| service-type | Neutron Service Type Management |
| extra_dhcp_opt | Neutron Extra DHCP opts |
| standard-attr-revisions | Resource revision numbers |
| pagination | Pagination support |
| sorting | Sorting support |
| security-group | security-group |
| rbac-policies | RBAC Policies |
| standard-attr-description | standard-attr-description |
| port-security | Port Security |
| allowed-address-pairs | Allowed Address Pairs |
| project-id | project_id field enabled |
+---------------------------+---------------------------------+
[root@linux-node1 ~]# neutron agent-list
+--------------------+--------------------+-------------+-------------------+-------+----------------+---------------------+
| id | agent_type | host | availability_zone | alive | admin_state_up | binary |
+--------------------+--------------------+-------------+-------------------+-------+----------------+---------------------+
| 1bd2e7bb-a74f-4613 | DHCP agent | linux-node1 | nova | :-) | True | neutron-dhcp-agent |
| -87dc-13696f5a2350 | | | | | | |
| 746000d6-c48d-418b | Linux bridge agent | linux-node2 | | :-) | True | neutron- |
| -9501-8c008873374d | | | | | | linuxbridge-agent |
| a3a0b766-e3ba- | Metadata agent | linux-node1 | | :-) | True | neutron-metadata- |
| 4e5a- | | | | | | agent |
| 84d3-bda27afaaa9d | | | | | | |
| eb6e6a13-42e5-4dae | Linux bridge agent | linux-node1 | | :-) | True | neutron- |
| -8755-f66167321293 | | | | | | linuxbridge-agent |
+--------------------+--------------------+-------------+-------------------+-------+----------------+---------------------+