Part 1: Introduction to Neutron
Neutron is the new name of Quantum. It inherits Quantum's capabilities and adds a few of its own.
What Neutron provides:
A tenant-facing API for controlling layer-2 networks and managing IP addresses
Pluggable network back ends, such as Open vSwitch, Cisco, Linux Bridge and Nicira NVP
Overlapping IP address ranges on different layer-2 networks
Basic layer-3 forwarding and multiple routers
Tunneling
Multi-node deployment of the L3 agent and DHCP agent, for scalability and reliability
A load-balancing API
End-to-end IPsec VPN
A tenant-facing firewall service
A new plug-in, ML2, which acts as a framework that supports several layer-2 technologies at the same time
OpenStack's design philosophy is that every component registers itself as a service; Neutron is the networking service. It abstracts networks, subnets, ports and routers, and instances launched afterwards attach to these virtual networks. The biggest benefit is that all of this is exposed visually in Horizon, so deploying or changing an SDN becomes simple enough that someone without a networking background can do it after a little training.
Let us first walk through a simple flow to see how an instance gets connected to a network:
- The tenant creates a network, say mynet
- The tenant assigns a subnet to that network, for example 192.168.122.0/24
- The tenant launches an instance and specifies a NIC attached to mynet
- Nova notifies Neutron, which creates a port on mynet, say port1
- Neutron selects and assigns an IP address to port1
- Through port1, the instance is connected to mynet
Neutron consists mainly of the following parts.
Neutron Server: the neutron-server daemon plus the plug-ins (neutron-*-plugin); these can run on either the controller node or the network node. neutron-server exposes the API and hands each API call to the configured plug-in for further processing. The plug-in uses the database to keep its configuration data and relationships: routers, networks, subnets, ports, floating IPs, security groups and so on.
Plugin agents: the actual handling of packets on the virtual networks is done by the plug-in agents, named neutron-*-agent, which run on every compute node and network node. In general the plug-in you choose dictates the agent you need. Agents talk to neutron-server and its plug-in over the message queue.
DHCP agent: neutron-dhcp-agent provides DHCP service to the tenant networks. It runs on the network node, and the same agent is used regardless of which plug-in is loaded.
L3 agent: neutron-l3-agent provides layer-3 forwarding so instances can reach external networks. It also runs on the network node.
The diagram below, taken from the official documentation, shows how Neutron works:
Part 2: Install and configure the controller node
Database configuration
The database server was set up in an earlier part.
Create the neutron database:
CREATE DATABASE neutron;
Grant proper access to the neutron database. The install guide writes the password as NEUTRON_DBPASS; this deployment uses neutron, which is also what the connection string in neutron.conf below carries. Both this password and the 'neutron'@'%' grant (login from any host) are lab shortcuts; in a real deployment use a long random password and restrict the grant to the controller's address:
mysql> GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'localhost' IDENTIFIED BY 'neutron';
mysql> GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'%' IDENTIFIED BY 'neutron';
Load the admin credentials:
[root@linux-node1 ~]# source admin-openstack
Check the user list; the neutron service user already exists:
[root@linux-node1 ~]# openstack user list
+----------------------------------+---------+
| ID                               | Name    |
+----------------------------------+---------+
| 8dc6f28207b64e6d845a444a2ba18205 | glance  |
| b84c1614b79b40278e02bd6ed034cc6f | admin   |
| c0f9c52898ad4d4f88254a01c458eb27 | neutron |
| db596da4ed8f47ab9dc7fa77d3bc8c6c | nova    |
| e5dbdde24a7340edb8bd3f498f9d28b5 | cinder  |
| f0c69bad72b54e0daef92c2295425932 | demo    |
+----------------------------------+---------+
Networking option 1 (provider networks) is used here.
Install the components for networking option 1:
[root@linux-node1 ~]# yum install openstack-neutron openstack-neutron-ml2 \
> openstack-neutron-linuxbridge ebtables
Edit the configuration file /etc/neutron/neutron.conf
In the [database] section, configure database access:
connection = mysql+pymysql://neutron:neutron@192.168.56.11/neutron
In the [DEFAULT] section, enable the ML2 plug-in and disable additional plug-ins:
core_plugin = ml2
service_plugins =
In the [DEFAULT] section, configure RabbitMQ message queue access:
transport_url = rabbit://openstack:openstack@192.168.56.11
In the [DEFAULT] and [keystone_authtoken] sections, configure Identity service access:
[DEFAULT]
auth_strategy = keystone
[keystone_authtoken]
auth_uri = http://192.168.56.11:5000
auth_url = http://192.168.56.11:35357
memcached_servers = 192.168.56.11:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = neutron
password = neutron
In the [DEFAULT] and [nova] sections, configure Networking to notify Compute of network topology changes:
[DEFAULT]
notify_nova_on_port_status_changes = true
notify_nova_on_port_data_changes = true
[nova]
auth_url = http://192.168.56.11:35357
auth_type = password
project_domain_name = default
user_domain_name = default
region_name = RegionOne
project_name = service
username = nova
password = nova
In the [oslo_concurrency] section, configure the lock path:
lock_path = /var/lib/neutron/tmp
The resulting configuration:
[root@linux-node1 ~]# egrep -v '^$|#' /etc/neutron/neutron.conf
[DEFAULT]
auth_strategy = keystone
core_plugin = ml2
service_plugins =
notify_nova_on_port_status_changes = true
notify_nova_on_port_data_changes = true
transport_url = rabbit://openstack:openstack@192.168.56.11
[agent]
[cors]
[cors.subdomain]
[database]
connection = mysql+pymysql://neutron:neutron@192.168.56.11/neutron
[keystone_authtoken]
auth_uri = http://192.168.56.11:5000
auth_url = http://192.168.56.11:35357
memcached_servers = 192.168.56.11:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = neutron
password = neutron
[matchmaker_redis]
[nova]
auth_url = http://192.168.56.11:35357
auth_type = password
project_domain_name = default
user_domain_name = default
region_name = RegionOne
project_name = service
username = nova
password = nova
[oslo_concurrency]
lock_path = /var/lib/neutron/tmp
[oslo_messaging_amqp]
[oslo_messaging_notifications]
[oslo_messaging_rabbit]
[oslo_messaging_zmq]
[oslo_middleware]
[oslo_policy]
[qos]
[quotas]
[ssl]
Configure the Modular Layer 2 (ML2) plug-in
The ML2 plug-in uses the Linux bridge mechanism to build layer-2 (bridging and switching) virtual networking infrastructure for instances.
Edit /etc/neutron/plugins/ml2/ml2_conf.ini and complete the following actions:
In the [ml2] section, load the network type drivers. Provider networks (option 1) only need flat and vlan; the value used here also loads the tunnel type drivers, which is harmless but not required:
type_drivers = local,flat,vlan,gre,vxlan,geneve
In the [ml2] section, disable self-service (tenant) networks:
tenant_network_types =
In the [ml2] section, enable the Linux bridge mechanism:
mechanism_drivers = linuxbridge
In the [ml2] section, enable the port security extension driver:
extension_drivers = port_security
In the [ml2_type_flat] section, configure the provider virtual network as a flat network:
flat_networks = public
In the [securitygroup] section, enable ipset to make security group rules more efficient:
enable_ipset = true
The resulting configuration file:
[root@linux-node1 ~]# egrep -vn '^$|#' /etc/neutron/plugins/ml2/ml2_conf.ini
1:[DEFAULT]
101:[ml2]
109:type_drivers = local,flat,vlan,gre,vxlan,geneve
114:tenant_network_types =
118:mechanism_drivers = linuxbridge
123:extension_drivers = port_security
150:[ml2_type_flat]
159:flat_networks = public
162:[ml2_type_geneve]
180:[ml2_type_gre]
191:[ml2_type_vlan]
204:[ml2_type_vxlan]
220:[securitygroup]
236:enable_ipset = true
Configure the Linux bridge agent
The Linux bridge agent builds layer-2 virtual networking infrastructure for instances and handles security group rules.
Edit /etc/neutron/plugins/ml2/linuxbridge_agent.ini and complete the following actions:
In the [linux_bridge] section, map the provider virtual network to the provider physical network interface:
physical_interface_mappings = public:eth0
In the [vxlan] section, disable VXLAN overlay networks:
enable_vxlan = false
In the [securitygroup] section, enable security groups and configure the Linux bridge iptables firewall driver:
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
enable_security_group = true
The resulting configuration:
[root@linux-node1 ml2]# egrep -vn '^$|#' /etc/neutron/plugins/ml2/linuxbridge_agent.ini
1:[DEFAULT]
101:[agent]
132:[linux_bridge]
143:physical_interface_mappings = public:eth0
149:[securitygroup]
157:firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
161:enable_security_group = true
168:[vxlan]
176:enable_vxlan = false
Configure the DHCP agent
Edit /etc/neutron/dhcp_agent.ini and complete the following actions:
In the [DEFAULT] section, configure the Linux bridge interface driver and the Dnsmasq DHCP driver, and enable isolated metadata so that instances on the provider network can reach the metadata service over the network:
[root@linux-node1 neutron]# egrep -vn '^$|#' /etc/neutron/dhcp_agent.ini
1:[DEFAULT]
16:interface_driver = neutron.agent.linux.interface.BridgeInterfaceDriver
32:dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq
41:enable_isolated_metadata = true
195:[AGENT]
Configure the metadata agent
Edit /etc/neutron/metadata_agent.ini and complete the following actions:
In the [DEFAULT] section, configure the metadata host and the shared secret. The same value must be set as metadata_proxy_shared_secret in the [neutron] section of nova.conf (done below): nova-api uses it to verify the instance identity the proxy asserts, so krik is a lab value only, and a production secret should be generated with something like openssl rand -hex 32:
[root@linux-node1 neutron]# egrep -vn '^$|#' /etc/neutron/metadata_agent.ini
1:[DEFAULT]
22:nova_metadata_ip = 192.168.56.11
34:metadata_proxy_shared_secret = krik
173:[AGENT]
188:[cache]
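Why the secret must be identical on both sides and must stay secret: when an instance asks 169.254.169.254 for its metadata, the metadata agent resolves which instance sits behind the requesting address and forwards the request to nova-api with the instance ID plus an HMAC-SHA256 of that ID keyed with metadata_proxy_shared_secret. nova-api recomputes the HMAC with its own copy and answers 403 if it does not match. Whoever knows the secret can therefore forge those headers and fetch any instance's metadata and user-data. The following Python model of that exchange is an added example written for this page, not code from Neutron or Nova; the instance and project IDs are made up, and the secret is the page's own krik:

```python
import hashlib
import hmac

# Constructed demo values: the secret is the one this page configures in
# metadata_agent.ini and nova.conf, the instance and project IDs are made up.
SHARED_SECRET = "krik"
INSTANCE_ID = "4f3c1e2a-9c2d-4d8e-a1b2-3c4d5e6f7a8b"
PROJECT_ID = "7c1e9f2a3b4d4c5e8f6a7b8c9d0e1f2a"


def sign_instance_id(secret, instance_id):
    """HMAC-SHA256 of the instance UUID keyed with metadata_proxy_shared_secret,
    hex-encoded; this is what travels in the X-Instance-ID-Signature header."""
    return hmac.new(secret.encode(), instance_id.encode(), hashlib.sha256).hexdigest()


def agent_headers(secret, instance_id, project_id, instance_ip):
    """Metadata-agent side: after resolving the instance behind the requesting
    IP, the agent forwards the request to nova-api carrying these headers."""
    return {
        "X-Forwarded-For": instance_ip,
        "X-Instance-ID": instance_id,
        "X-Tenant-ID": project_id,
        "X-Instance-ID-Signature": sign_instance_id(secret, instance_id),
    }


def nova_accepts(nova_secret, headers):
    """nova-api side: recompute the signature with its own copy of the secret
    and compare in constant time. A mismatch is answered with HTTP 403, so a
    secret that differs between the two files breaks metadata for every VM."""
    expected = sign_instance_id(nova_secret, headers.get("X-Instance-ID", ""))
    return hmac.compare_digest(expected, headers.get("X-Instance-ID-Signature", ""))


if __name__ == "__main__":
    legit = agent_headers(SHARED_SECRET, INSTANCE_ID, PROJECT_ID, "192.168.56.101")
    print("legitimate proxy request accepted:", nova_accepts(SHARED_SECRET, legit))
    # Someone on the network who can reach nova-api directly but does not know
    # the secret cannot claim another instance's identity.
    forged = agent_headers("guess", INSTANCE_ID, PROJECT_ID, "192.168.56.101")
    print("forged request accepted:", nova_accepts(SHARED_SECRET, forged))
    # Misconfiguration: the two files disagree, so even real requests fail.
    print("mismatched secrets accepted:", nova_accepts("Krik", legit))
```

The constant-time comparison matters because the signature is checked on every metadata request, which is exactly the kind of repeatable oracle a timing attack needs.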
Configure the Compute service to use the Networking service
Edit /etc/nova/nova.conf and complete the following actions:
In the [neutron] section, configure access parameters, enable the metadata proxy and set the shared secret:
url = http://192.168.56.11:9696
auth_url = http://192.168.56.11:35357
auth_type = password
project_domain_name = default
user_domain_name = default
region_name = RegionOne
project_name = service
username = neutron
password = neutron
service_metadata_proxy = True
metadata_proxy_shared_secret = krik
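Before moving on it is worth confirming that the five files edited above agree with each other and that nothing security-relevant is still at a default. The following script is an added example written for this page (not part of OpenStack): it parses constructed copies of the exact values used above with configparser and reports a missing Keystone auth strategy, missing port_security or security-group enforcement, a metadata shared secret that differs between metadata_agent.ini and nova.conf or is short, and any credential whose password equals its username. The 16-character threshold is my choice. Run against this page's own values it flags the lab passwords and the short secret; to run it against real files, replace the inline strings with the file contents.

```python
import configparser
from urllib.parse import urlparse

# Constructed copies of the values this page puts in each file, trimmed to the
# keys the audit inspects and embedded so the script runs without an OpenStack host.
FILES = {
    "neutron.conf": """
[DEFAULT]
auth_strategy = keystone
transport_url = rabbit://openstack:openstack@192.168.56.11
[database]
connection = mysql+pymysql://neutron:neutron@192.168.56.11/neutron
[keystone_authtoken]
username = neutron
password = neutron
[nova]
username = nova
password = nova
""",
    "ml2_conf.ini": """
[ml2]
extension_drivers = port_security
""",
    "linuxbridge_agent.ini": """
[securitygroup]
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
enable_security_group = true
""",
    "metadata_agent.ini": """
[DEFAULT]
metadata_proxy_shared_secret = krik
""",
    "nova.conf": """
[neutron]
service_metadata_proxy = True
metadata_proxy_shared_secret = krik
""",
}
MIN_SECRET_LEN = 16  # my threshold, not an OpenStack requirement


def parse(text):
    # Treat [DEFAULT] as an ordinary section so its keys do not leak into every
    # other section; interpolation is off because oslo.config does not use it.
    cp = configparser.ConfigParser(default_section="__none__", interpolation=None)
    cp.read_string(text)
    return cp


def audit(files):
    """Return a list of findings; an empty list means every check passed."""
    cfgs = {name: parse(text) for name, text in files.items()}

    def get(fname, section, key):
        return cfgs[fname].get(section, key, fallback="").strip()

    findings = []
    # 1. Every Neutron API call must be authenticated by Keystone.
    if get("neutron.conf", "DEFAULT", "auth_strategy") != "keystone":
        findings.append("neutron.conf: auth_strategy is not keystone")
    # 2. Security groups are enforced only with an enforcing firewall driver and
    #    enable_security_group; port_security is the extension required alongside them.
    drivers = [d.strip() for d in get("ml2_conf.ini", "ml2", "extension_drivers").split(",")]
    if "port_security" not in drivers:
        findings.append("ml2_conf.ini: port_security extension driver missing")
    if get("linuxbridge_agent.ini", "securitygroup", "enable_security_group").lower() != "true":
        findings.append("linuxbridge_agent.ini: enable_security_group is not true")
    if not get("linuxbridge_agent.ini", "securitygroup", "firewall_driver"):
        findings.append("linuxbridge_agent.ini: firewall_driver unset")
    # 3. The metadata secret is an HMAC key shared with nova-api: both copies must
    #    match or every proxied request gets a 403, and it must not be guessable.
    agent_secret = get("metadata_agent.ini", "DEFAULT", "metadata_proxy_shared_secret")
    nova_secret = get("nova.conf", "neutron", "metadata_proxy_shared_secret")
    if agent_secret != nova_secret:
        findings.append("metadata_proxy_shared_secret differs between metadata_agent.ini and nova.conf")
    if len(agent_secret) < MIN_SECRET_LEN:
        findings.append("metadata_proxy_shared_secret is only %d chars; use a random value" % len(agent_secret))
    # 4. Credentials whose password equals the username are lab defaults.
    for section in ("keystone_authtoken", "nova"):
        user, pw = get("neutron.conf", section, "username"), get("neutron.conf", section, "password")
        if user and user.lower() == pw.lower():
            findings.append("neutron.conf [%s]: password equals username" % section)
    for section, key in (("DEFAULT", "transport_url"), ("database", "connection")):
        url = urlparse(get("neutron.conf", section, key))
        if url.username and url.username == url.password:
            findings.append("neutron.conf [%s] %s: password equals username" % (section, key))
    return findings


if __name__ == "__main__":
    for finding in audit(FILES) or ["no findings"]:
        print(finding)
```

The same files also carry these passwords in clear text, so keep them root:neutron with mode 0640 (the packaged default) and never world-readable.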
The Networking service initialization scripts expect a symbolic link /etc/neutron/plugin.ini pointing to the ML2 plug-in configuration file /etc/neutron/plugins/ml2/ml2_conf.ini. If the link does not exist, create it with the following command:
[root@linux-node1 neutron]# ln -s /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini
Populate the database (note that both configuration files are passed):
[root@linux-node1 neutron]# su -s /bin/sh -c "neutron-db-manage --config-file /etc/neutron/neutron.conf \
> --config-file /etc/neutron/plugins/ml2/ml2_conf.ini upgrade head" neutron
OK at the end means the database sync succeeded; if something fails, check the configuration files involved.
INFO  [alembic.runtime.migration] Context impl MySQLImpl.
INFO  [alembic.runtime.migration] Will assume non-transactional DDL.
  Running upgrade for neutron ...
INFO  [alembic.runtime.migration] Context impl MySQLImpl.
INFO  [alembic.runtime.migration] Will assume non-transactional DDL.
INFO  [alembic.runtime.migration] Running upgrade  -> kilo, kilo_initial
INFO  [alembic.runtime.migration] Running upgrade kilo -> 354db87e3225, nsxv_vdr_metadata.py
INFO  [alembic.runtime.migration] Running upgrade 354db87e3225 -> 599c6a226151, neutrodb_ipam
INFO  [alembic.runtime.migration] Running upgrade 599c6a226151 -> 52c5312f6baf, Initial operations in support of address scopes
INFO  [alembic.runtime.migration] Running upgrade 52c5312f6baf -> 313373c0ffee, Flavor framework
INFO  [alembic.runtime.migration] Running upgrade 313373c0ffee -> 8675309a5c4f, network_rbac
INFO  [alembic.runtime.migration] Running upgrade 8675309a5c4f -> 45f955889773, quota_usage
INFO  [alembic.runtime.migration] Running upgrade 45f955889773 -> 26c371498592, subnetpool hash
INFO  [alembic.runtime.migration] Running upgrade 26c371498592 -> 1c844d1677f7, add order to dnsnameservers
INFO  [alembic.runtime.migration] Running upgrade 1c844d1677f7 -> 1b4c6e320f79, address scope support in subnetpool
INFO  [alembic.runtime.migration] Running upgrade 1b4c6e320f79 -> 48153cb5f051, qos db changes
INFO  [alembic.runtime.migration] Running upgrade 48153cb5f051 -> 9859ac9c136, quota_reservations
INFO  [alembic.runtime.migration] Running upgrade 9859ac9c136 -> 34af2b5c5a59, Add dns_name to Port
INFO  [alembic.runtime.migration] Running upgrade 34af2b5c5a59 -> 59cb5b6cf4d, Add availability zone
INFO  [alembic.runtime.migration] Running upgrade 59cb5b6cf4d -> 13cfb89f881a, add is_default to subnetpool
INFO  [alembic.runtime.migration] Running upgrade 13cfb89f881a -> 32e5974ada25, Add standard attribute table
INFO  [alembic.runtime.migration] Running upgrade 32e5974ada25 -> ec7fcfbf72ee, Add network availability zone
INFO  [alembic.runtime.migration] Running upgrade ec7fcfbf72ee -> dce3ec7a25c9, Add router availability zone
INFO  [alembic.runtime.migration] Running upgrade dce3ec7a25c9 -> c3a73f615e4, Add ip_version to AddressScope
INFO  [alembic.runtime.migration] Running upgrade c3a73f615e4 -> 659bf3d90664, Add tables and attributes to support external DNS integration
INFO  [alembic.runtime.migration] Running upgrade 659bf3d90664 -> 1df244e556f5, add_unique_ha_router_agent_port_bindings
INFO  [alembic.runtime.migration] Running upgrade 1df244e556f5 -> 19f26505c74f, Auto Allocated Topology - aka Get-Me-A-Network
INFO  [alembic.runtime.migration] Running upgrade 19f26505c74f -> 15be73214821, add dynamic routing model data
INFO  [alembic.runtime.migration] Running upgrade 15be73214821 -> b4caf27aae4, add_bgp_dragent_model_data
INFO  [alembic.runtime.migration] Running upgrade b4caf27aae4 -> 15e43b934f81, rbac_qos_policy
INFO  [alembic.runtime.migration] Running upgrade 15e43b934f81 -> 31ed664953e6, Add resource_versions row to agent table
INFO  [alembic.runtime.migration] Running upgrade 31ed664953e6 -> 2f9e956e7532, tag support
INFO  [alembic.runtime.migration] Running upgrade 2f9e956e7532 -> 3894bccad37f, add_timestamp_to_base_resources
INFO  [alembic.runtime.migration] Running upgrade 3894bccad37f -> 0e66c5227a8a, Add desc to standard attr table
INFO  [alembic.runtime.migration] Running upgrade 0e66c5227a8a -> 45f8dd33480b, qos dscp db addition
INFO  [alembic.runtime.migration] Running upgrade 45f8dd33480b -> 5abc0278ca73, Add support for VLAN trunking
INFO  [alembic.runtime.migration] Running upgrade 5abc0278ca73 -> d3435b514502, Add device_id index to Port
INFO  [alembic.runtime.migration] Running upgrade d3435b514502 -> 30107ab6a3ee, provisioning_blocks.py
INFO  [alembic.runtime.migration] Running upgrade 30107ab6a3ee -> c415aab1c048, add revisions table
INFO  [alembic.runtime.migration] Running upgrade c415aab1c048 -> a963b38d82f4, add dns name to portdnses
INFO  [alembic.runtime.migration] Running upgrade kilo -> 30018084ec99, Initial no-op Liberty contract rule.
INFO  [alembic.runtime.migration] Running upgrade 30018084ec99 -> 4ffceebfada, network_rbac
INFO  [alembic.runtime.migration] Running upgrade 4ffceebfada -> 5498d17be016, Drop legacy OVS and LB plugin tables
INFO  [alembic.runtime.migration] Running upgrade 5498d17be016 -> 2a16083502f3, Metaplugin removal
INFO  [alembic.runtime.migration] Running upgrade 2a16083502f3 -> 2e5352a0ad4d, Add missing foreign keys
INFO  [alembic.runtime.migration] Running upgrade 2e5352a0ad4d -> 11926bcfe72d, add geneve ml2 type driver
INFO  [alembic.runtime.migration] Running upgrade 11926bcfe72d -> 4af11ca47297, Drop cisco monolithic tables
INFO  [alembic.runtime.migration] Running upgrade 4af11ca47297 -> 1b294093239c, Drop embrane plugin table
INFO  [alembic.runtime.migration] Running upgrade 1b294093239c -> 8a6d8bdae39, standardattributes migration
INFO  [alembic.runtime.migration] Running upgrade 8a6d8bdae39 -> 2b4c2465d44b, DVR sheduling refactoring
INFO  [alembic.runtime.migration] Running upgrade 2b4c2465d44b -> e3278ee65050, Drop NEC plugin tables
INFO  [alembic.runtime.migration] Running upgrade e3278ee65050 -> c6c112992c9, rbac_qos_policy
INFO  [alembic.runtime.migration] Running upgrade c6c112992c9 -> 5ffceebfada, network_rbac_external
INFO  [alembic.runtime.migration] Running upgrade 5ffceebfada -> 4ffceebfcdc, standard_desc
INFO  [alembic.runtime.migration] Running upgrade 4ffceebfcdc -> 7bbb25278f53, device_owner_ha_replicate_int
INFO  [alembic.runtime.migration] Running upgrade 7bbb25278f53 -> 89ab9a816d70, Rename ml2_network_segments table
INFO  [alembic.runtime.migration] Running upgrade a963b38d82f4 -> 3d0e74aa7d37, Add flavor_id to Router
INFO  [alembic.runtime.migration] Running upgrade 3d0e74aa7d37 -> 030a959ceafa, uniq_routerports0port_id
INFO  [alembic.runtime.migration] Running upgrade 030a959ceafa -> a5648cfeeadf, Add support for Subnet Service Types
INFO  [alembic.runtime.migration] Running upgrade a5648cfeeadf -> 0f5bef0f87d4, add_qos_minimum_bandwidth_rules
INFO  [alembic.runtime.migration] Running upgrade 0f5bef0f87d4 -> 67daae611b6e, add standardattr to qos policies
INFO  [alembic.runtime.migration] Running upgrade 89ab9a816d70 -> c879c5e1ee90, Add segment_id to subnet
INFO  [alembic.runtime.migration] Running upgrade c879c5e1ee90 -> 8fd3918ef6f4, Add segment_host_mapping table.
INFO  [alembic.runtime.migration] Running upgrade 8fd3918ef6f4 -> 4bcd4df1f426, Rename ml2_dvr_port_bindings
INFO  [alembic.runtime.migration] Running upgrade 4bcd4df1f426 -> b67e765a3524, Remove mtu column from networks.
INFO  [alembic.runtime.migration] Running upgrade b67e765a3524 -> a84ccf28f06a, migrate dns name from port
INFO  [alembic.runtime.migration] Running upgrade a84ccf28f06a -> 7d9d8eeec6ad, rename tenant to project
INFO  [alembic.runtime.migration] Running upgrade 7d9d8eeec6ad -> a8b517cff8ab, Add routerport bindings for L3 HA
INFO  [alembic.runtime.migration] Running upgrade a8b517cff8ab -> 3b935b28e7a0, migrate to pluggable ipam
INFO  [alembic.runtime.migration] Running upgrade 3b935b28e7a0 -> b12a3ef66e62, add standardattr to qos policies
INFO  [alembic.runtime.migration] Running upgrade b12a3ef66e62 -> 97c25b0d2353, Add Name and Description to the networksegments table
INFO  [alembic.runtime.migration] Running upgrade 97c25b0d2353 -> 2e0d7a8a1586, Add binding index to RouterL3AgentBinding
INFO  [alembic.runtime.migration] Running upgrade 2e0d7a8a1586 -> 5c85685d616d, Remove availability ranges.
INFO  [alembic.runtime.migration] Running upgrade 67daae611b6e -> 6b461a21bcfc, uniq_floatingips0floating_network_id0fixed_port_id0fixed_ip_addr
INFO  [alembic.runtime.migration] Running upgrade 6b461a21bcfc -> 5cd92597d11d, Add ip_allocation to port
  OK
Restart the Compute API service, since nova.conf was modified:
systemctl restart openstack-nova-api.service
Start the Networking services and configure them to start when the system boots:
systemctl enable neutron-server.service neutron-linuxbridge-agent.service neutron-dhcp-agent.service neutron-metadata-agent.service
systemctl start neutron-server.service neutron-linuxbridge-agent.service neutron-dhcp-agent.service neutron-metadata-agent.service
For networking option 2, also enable and start the layer-3 service:
# systemctl enable neutron-l3-agent.service
# systemctl start neutron-l3-agent.service
Create the neutron service entity:
[root@linux-node1 ~]# openstack service create --name neutron --description "Openstack Networking" network
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Openstack Networking             |
| enabled     | True                             |
| id          | 18da8703415b42fb93e68e71e001b408 |
| name        | neutron                          |
| type        | network                          |
+-------------+----------------------------------+
Create the Networking service API endpoints:
[root@linux-node1 ~]# openstack endpoint create --region RegionOne network public http://192.168.56.11:9696
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | b7c88b5a10d845dc9c2327f307e5a130 |
| interface    | public                           |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 18da8703415b42fb93e68e71e001b408 |
| service_name | neutron                          |
| service_type | network                          |
| url          | http://192.168.56.11:9696        |
+--------------+----------------------------------+
[root@linux-node1 ~]# openstack endpoint create --region RegionOne network internal http://192.168.56.11:9696
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | b11dbe35a00444ceae5a776f09794f73 |
| interface    | internal                         |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 18da8703415b42fb93e68e71e001b408 |
| service_name | neutron                          |
| service_type | network                          |
| url          | http://192.168.56.11:9696        |
+--------------+----------------------------------+
[root@linux-node1 ~]# openstack endpoint create --region RegionOne network admin http://192.168.56.11:9696
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | aae6d242e3984cdbaccb1ad91f3ccf13 |
| interface    | admin                            |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 18da8703415b42fb93e68e71e001b408 |
| service_name | neutron                          |
| service_type | network                          |
| url          | http://192.168.56.11:9696        |
+--------------+----------------------------------+
Verify the network agents
Three smiley faces in the alive column mean that all three agents on the controller have registered with neutron-server and are reporting in; the compute node's Linux bridge agent will only show up once the compute node is configured.
[root@linux-node1 ~]# neutron agent-list
+--------------------------------------+--------------------+-------------+-------------------+-------+----------------+---------------------------+
| id                                   | agent_type         | host        | availability_zone | alive | admin_state_up | binary                    |
+--------------------------------------+--------------------+-------------+-------------------+-------+----------------+---------------------------+
| 030154d2-c9ad-4af1-91db-ea1bf01bb99f | Metadata agent     | linux-node1 |                   | :-)   | True           | neutron-metadata-agent    |
| 27e1ee2f-6224-4a79-b3a5-ad0f46e59c4a | DHCP agent         | linux-node1 | nova              | :-)   | True           | neutron-dhcp-agent        |
| f0b914bc-ab5b-4304-89a6-29d36d809705 | Linux bridge agent | linux-node1 |                   | :-)   | True           | neutron-linuxbridge-agent |
+--------------------------------------+--------------------+-------------+-------------------+-------+----------------+---------------------------+
The next part continues with the Neutron configuration on the compute node.
This article is from the "Old-K" blog; reposting is not permitted.