OpenStack Neutron provider network configuration

Networking is one of the most important components of OpenStack. OpenStack mainly offers two networking options: provider networks and self-service networks. Because this deployment is for internal company use and the VMs have no need to reach the internet (if they ever do, request it from the gateway and use NAT directly), the provider network option is used. The deployment is done by hand; the OpenStack release is Queens and the operating system is CentOS 7.

Installation

Controller node

Two NICs are needed: one for the management network and one for the VM network. Usually the first NIC carries the management network and the second the VM network.

Management network configuration

# cat /etc/sysconfig/network-scripts/ifcfg-eth0
BOOTPROTO=static
NAME=eth0
DEVICE=eth0
ONBOOT=yes
IPADDR=172.*.*.*
NETMASK=255.*.*.*
GATEWAY=172.*.*.*

VM network configuration

# cat /etc/sysconfig/network-scripts/ifcfg-eth1
TYPE=Ethernet
BOOTPROTO=none
NAME=eth1
DEVICE=eth1
ONBOOT=yes

Restart the network interfaces so the changes take effect.

Configure /etc/hosts

Here the controller node's hostname is controller1 and the compute node's hostname is compute1.

...
172.*.*.* controller1
172.*.*.* compute1
...

Compute node

The compute node is configured like the controller node: one management NIC and one VM NIC. Leave a gap of 20 addresses between the controller's management IP and the compute nodes' management IPs (if the controller's management IP starts at 11, the compute nodes' management IPs can start at 31, then 32, 33, 34 ...).

Management network configuration

# cat /etc/sysconfig/network-scripts/ifcfg-eth0
BOOTPROTO=static
NAME=eth0
DEVICE=eth0
ONBOOT=yes
IPADDR=172.*.*.*
NETMASK=255.*.*.*
GATEWAY=172.*.*.*

VM network configuration

# cat /etc/sysconfig/network-scripts/ifcfg-eth1
TYPE=Ethernet
BOOTPROTO=none
NAME=eth1
DEVICE=eth1
ONBOOT=yes

Restart the network interfaces so the changes take effect.

Configure /etc/hosts

Here the controller node's hostname is controller1 and the compute node's hostname is compute1.

...
172.*.*.* controller1
172.*.*.* compute1
...

Prerequisites

Create the database

Log in to MySQL as the root user:

$ mysql -u root -p

Create the database:

MariaDB [(none)]> CREATE DATABASE neutron;

Grant privileges, replacing NEUTRON_DBPASS with the real password for the neutron database user:

MariaDB [(none)]> GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'localhost' IDENTIFIED BY 'NEUTRON_DBPASS';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'%' IDENTIFIED BY 'NEUTRON_DBPASS';

Exit the database client.

Create the service credentials

$ source admin-openrc # this file was generated when keystone was installed; see: https://docs.openstack.org/keystone/queens/install/keystone-install-rdo.html
$ openstack user create --domain default --password-prompt neutron ## create the neutron user
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | default |
| enabled | True |
| id | fdb0f541e28141719b6a43c8944bf1fb |
| name | neutron |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+
$ openstack role add --project service --user neutron admin ## add the admin role to the neutron user
$ openstack service create --name neutron --description "OpenStack Networking" network ## create the neutron service entity (the service type "network" is required)
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | OpenStack Networking |
| enabled | True |
| id | f71529314dab4a4d8eca427e701d209e |
| name | neutron |
| type | network |
+-------------+----------------------------------+
$ openstack endpoint create --region RegionOne network public http://controller1:9696 ## create the endpoints; note the hostname
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 85d80a6d02fc4b7683f611d7fc1493a3 |
| interface | public |
| region | RegionOne |
| region_id | RegionOne |
| service_id | f71529314dab4a4d8eca427e701d209e |
| service_name | neutron |
| service_type | network |
| url | http://controller:9696 |
+--------------+----------------------------------+
$ openstack endpoint create --region RegionOne network internal http://controller1:9696
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 09753b537ac74422a68d2d791cf3714f |
| interface | internal |
| region | RegionOne |
| region_id | RegionOne |
| service_id | f71529314dab4a4d8eca427e701d209e |
| service_name | neutron |
| service_type | network |
| url | http://controller:9696 |
+--------------+----------------------------------+
$ openstack endpoint create --region RegionOne network admin http://controller1:9696
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 1ee14289c9374dffb5db92a5c112fc4e |
| interface | admin |
| region | RegionOne |
| region_id | RegionOne |
| service_id | f71529314dab4a4d8eca427e701d209e |
| service_name | neutron |
| service_type | network |
| url | http://controller:9696 |
+--------------+----------------------------------+


Controller node

Install the packages

# yum install openstack-neutron openstack-neutron-ml2 openstack-neutron-openvswitch

neutron.conf

database section

NEUTRON_DBPASS is the neutron database password created earlier.

[database]
# ...
connection = mysql+pymysql://neutron:NEUTRON_DBPASS@controller1/neutron

DEFAULT section

core_plugin selects the ml2 plugin; service_plugins is left empty, which disables all service plugins.

[DEFAULT]
# ...
core_plugin = ml2
service_plugins =

DEFAULT section, RabbitMQ

openstack is the account created in RabbitMQ; RABBIT_PASS is the password that was set for it when the RabbitMQ account was created.

[DEFAULT]
# ...
transport_url = rabbit://openstack:RABBIT_PASS@controller1

DEFAULT and keystone_authtoken sections

NEUTRON_PASS is the password chosen for the neutron user created above.

[DEFAULT]
# ...
auth_strategy = keystone
[keystone_authtoken]
# ...
auth_uri = http://controller1:5000
auth_url = http://controller1:35357
memcached_servers = controller1:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = neutron
password = NEUTRON_PASS

Comment out or remove any other options in the [keystone_authtoken] section.

DEFAULT and nova sections

NOVA_PASS is the password chosen for the nova user when it was created.

[DEFAULT]
# ...
notify_nova_on_port_status_changes = true
notify_nova_on_port_data_changes = true
[nova]
# ...
auth_url = http://controller1:35357
auth_type = password
project_domain_name = default
user_domain_name = default
region_name = RegionOne
project_name = service
username = nova
password = NOVA_PASS

oslo_concurrency section

[oslo_concurrency]
# ...
lock_path = /var/lib/neutron/tmp

ml2_conf.ini

vim /etc/neutron/plugins/ml2/ml2_conf.ini

ml2 section

[ml2]
# ...
type_drivers = vlan ## or flat; the matching ml2_type_vlan or ml2_type_flat section must then be configured below
# ...
tenant_network_types = ## empty: disables self-service networks
# ...
mechanism_drivers = openvswitch ## use the openvswitch mechanism driver
# ...
extension_drivers = port_security ## enable the port security extension

ml2_type_vlan section

[ml2_type_vlan]
# ...
network_vlan_ranges = provider ## physical network label; the agent's bridge_mappings must use the same label
# flat_networks belongs to [ml2_type_flat], not here; use [ml2_type_flat] flat_networks = provider when type_drivers = flat

securitygroup section

[securitygroup]
# ...
#enable_ipset = true ## comment out this line

dhcp_agent.ini

DEFAULT section

[DEFAULT]
# ...
interface_driver = openvswitch ## must match the mechanism driver chosen in ml2_conf.ini (openvswitch above)
dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq
enable_isolated_metadata = true
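The ml2 section, the ml2_type_* section and the DHCP agent's interface_driver have to agree with each other: each type driver needs its own section with the right option name, a provider-only cloud must leave tenant_network_types empty, and the agents on a node must use the interface driver that matches the mechanism driver. The following Python script is an added example (not part of the original post and not Neutron's own code) that parses an ml2_conf.ini and a dhcp_agent.ini and reports such mismatches before the agents are started. The section and option names are the real Neutron ones; the sample file contents are constructed for the demonstration, with the first pair reproducing the mistakes this page originally contained (flat_networks under [ml2_type_vlan], linuxbridge interface driver next to an openvswitch mechanism driver).

```python
"""Consistency check for a provider-network ML2 deployment (added illustrative code)."""
import configparser
from typing import Dict, List, Tuple

# Section and option each ML2 type driver expects (real Neutron names).
TYPE_DRIVER_SECTIONS: Dict[str, Tuple[str, str]] = {
    "vlan": ("ml2_type_vlan", "network_vlan_ranges"),
    "flat": ("ml2_type_flat", "flat_networks"),
    "vxlan": ("ml2_type_vxlan", "vni_ranges"),
}

# interface_driver alias the DHCP/L3 agents must use for a given mechanism driver.
MECHANISM_TO_INTERFACE: Dict[str, str] = {
    "openvswitch": "openvswitch",
    "linuxbridge": "linuxbridge",
}


def _csv(value: str) -> List[str]:
    """Split a comma-separated option value, dropping blanks."""
    return [v.strip() for v in value.split(",") if v.strip()]


def check_ml2(ml2_text: str, dhcp_text: str) -> List[str]:
    """Return a list of findings; an empty list means the two files agree."""
    ml2 = configparser.ConfigParser()
    ml2.read_string(ml2_text)
    dhcp = configparser.ConfigParser()
    dhcp.read_string(dhcp_text)
    findings: List[str] = []

    # 1. every type driver needs its own section with the correct option
    for td in _csv(ml2.get("ml2", "type_drivers", fallback="")):
        section, option = TYPE_DRIVER_SECTIONS.get(td, (None, None))
        if section is None:
            findings.append(f"unknown type driver '{td}'")
        elif not ml2.has_option(section, option):
            findings.append(f"type driver '{td}' needs [{section}] {option}")

    # 2. provider-only deployment: no tenant network types may be offered
    if _csv(ml2.get("ml2", "tenant_network_types", fallback="")):
        findings.append("tenant_network_types is not empty; self-service networks are enabled")

    # 3. the DHCP agent must plug ports with the same technology as the mechanism driver
    mechs = _csv(ml2.get("ml2", "mechanism_drivers", fallback=""))
    iface = dhcp.get("DEFAULT", "interface_driver", fallback="")
    expected = {MECHANISM_TO_INTERFACE[m] for m in mechs if m in MECHANISM_TO_INTERFACE}
    if expected and iface not in expected:
        findings.append(f"dhcp_agent interface_driver '{iface}' does not match mechanism_drivers {mechs}")

    # 4. port security (anti-spoofing filters) should stay enabled
    if "port_security" not in _csv(ml2.get("ml2", "extension_drivers", fallback="")):
        findings.append("port_security extension driver is not enabled")

    return findings


# Constructed sample configs: the first pair mirrors the original mistakes.
ML2_AS_POSTED = """
[ml2]
type_drivers = vlan
tenant_network_types =
mechanism_drivers = openvswitch
extension_drivers = port_security

[ml2_type_vlan]
flat_networks = provider

[securitygroup]
#enable_ipset = true
"""

DHCP_AS_POSTED = """
[DEFAULT]
interface_driver = linuxbridge
dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq
enable_isolated_metadata = true
"""

ML2_FIXED = ML2_AS_POSTED.replace("flat_networks = provider", "network_vlan_ranges = provider")
DHCP_FIXED = DHCP_AS_POSTED.replace("linuxbridge", "openvswitch")

if __name__ == "__main__":
    for label, pair in (("as posted", (ML2_AS_POSTED, DHCP_AS_POSTED)),
                        ("corrected", (ML2_FIXED, DHCP_FIXED))):
        print(label, check_ml2(*pair) or ["ok"])
```

On a real controller, feed the script the contents of /etc/neutron/plugins/ml2/ml2_conf.ini and /etc/neutron/dhcp_agent.ini; the same interface_driver rule applies to any other agent (metadata, L3) that plugs ports on that node.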

metadata_agent.ini

DEFAULT section

METADATA_SECRET is the shared secret of the metadata proxy.

[DEFAULT]
# ...
nova_metadata_host = controller1
metadata_proxy_shared_secret = METADATA_SECRET

nova.conf

neutron section

NEUTRON_PASS is the password of the neutron user.
METADATA_SECRET is the shared secret of the metadata proxy; it must be identical to the value in metadata_agent.ini.

[neutron]
# ...
url = http://controller1:9696
auth_url = http://controller1:35357
auth_type = password
project_domain_name = default
user_domain_name = default
region_name = RegionOne
project_name = service
username = neutron
password = NEUTRON_PASS
service_metadata_proxy = true
metadata_proxy_shared_secret = METADATA_SECRET
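metadata_proxy_shared_secret appears in both metadata_agent.ini and nova.conf because the two services use it as an HMAC key: the neutron metadata agent signs the instance id it forwards (X-Instance-ID-Signature header, HMAC-SHA256 over the instance id, hex encoded) and nova recomputes the signature and rejects the request if it differs. The following Python is an added example, written from scratch for this page rather than taken from Neutron or Nova, that shows the two halves of that exchange and why METADATA_SECRET must be a random value set identically on both sides; header names are the real ones, the sample instance id and secrets are constructed.

```python
"""What metadata_proxy_shared_secret protects (added illustrative code, not Neutron/Nova source)."""
import hashlib
import hmac
import secrets
from typing import Dict

HEADER_ID = "X-Instance-ID"
HEADER_SIG = "X-Instance-ID-Signature"


def generate_metadata_secret(nbytes: int = 32) -> str:
    """Random hex secret suitable as METADATA_SECRET in both config files."""
    return secrets.token_hex(nbytes)


def sign_instance_id(shared_secret: str, instance_id: str) -> str:
    """Neutron side: HMAC-SHA256(secret, instance_id), hex encoded."""
    return hmac.new(shared_secret.encode("utf-8"),
                    instance_id.encode("utf-8"),
                    hashlib.sha256).hexdigest()


def proxy_headers(shared_secret: str, instance_id: str) -> Dict[str, str]:
    """Headers the metadata agent adds to the request it proxies to nova."""
    return {HEADER_ID: instance_id,
            HEADER_SIG: sign_instance_id(shared_secret, instance_id)}


def verify_headers(shared_secret: str, headers: Dict[str, str]) -> bool:
    """Nova side: recompute the HMAC and compare in constant time.

    A missing header, a different secret on either side (for example the
    METADATA_SECRET placeholder left in one file) or a changed instance id
    all make this return False, and nova answers 403.
    """
    instance_id = headers.get(HEADER_ID)
    signature = headers.get(HEADER_SIG)
    if not instance_id or not signature:
        return False
    expected = sign_instance_id(shared_secret, instance_id)
    return hmac.compare_digest(expected, signature)


if __name__ == "__main__":
    secret = generate_metadata_secret()          # same value goes into both .ini files
    headers = proxy_headers(secret, "constructed-instance-id")
    print("matching secret:", verify_headers(secret, headers))        # True
    print("placeholder left on nova side:", verify_headers("METADATA_SECRET", headers))  # False
    tampered = dict(headers, **{HEADER_ID: "another-instance"})
    print("instance id changed in transit:", verify_headers(secret, tampered))  # False
```

The shared secret is the only thing that ties the instance id in the proxied request to a metadata agent nova trusts, so it deserves the same handling as the service passwords: generate it with generate_metadata_secret (or openssl rand -hex 32), keep the two files in sync, and never leave the literal METADATA_SECRET placeholder in place.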

Create the symlink

# ln -s /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini

Sync the database

# su -s /bin/sh -c "neutron-db-manage --config-file /etc/neutron/neutron.conf \
--config-file /etc/neutron/plugins/ml2/ml2_conf.ini upgrade head" neutron

Restart nova-api

# systemctl restart openstack-nova-api.service

Enable and start the neutron services

## neutron-openvswitch-agent is provided by the openstack-neutron-openvswitch package installed above and needs openvswitch.service running
# systemctl enable neutron-server.service neutron-openvswitch-agent.service neutron-dhcp-agent.service neutron-metadata-agent.service
# systemctl start neutron-server.service neutron-openvswitch-agent.service neutron-dhcp-agent.service neutron-metadata-agent.service