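Neutron overview
OpenStack Networking (Neutron) lets you create interface devices managed by other OpenStack services and attach them to networks. Plug-ins can be implemented to accommodate different networking equipment and software, which gives OpenStack architectures and deployments flexibility.
OpenStack Networking (Neutron) manages all networking aspects of the Virtual Networking Infrastructure (VNI) and the access-layer aspects of the Physical Networking Infrastructure (PNI) in your OpenStack environment. OpenStack Networking lets tenants create advanced virtual network topologies that can include services such as firewalls, load balancers, and virtual private networks (VPN).
Neutron basic concepts
Network
To most people, a network is cables and the ports they plug into, with some box providing those ports. To a network engineer, those boxes are switches and routers. So in the physical world a network can simply be thought of as cables, switches and routers. Besides physical devices there are also the soft parts: IP addresses, the configuration and management software for switches and routers, and the various network protocols. The purpose of a Neutron network is to partition the physical network and give each tenant its own isolated network environment in a multi-tenant setting; Neutron exposes an API to achieve this. In Neutron, a "network" is an object that users can create. Mapped onto physical concepts, it is the equivalent of one huge switch with an unlimited number of virtual ports that can be created and destroyed dynamically.
Subnet
Simply put, a subnet is an address pool made up of a group of IP addresses. Communication between different subnets requires a router, which is the same in Neutron as in a physical network. In Neutron, a subnet belongs to a network.
Port
In a physical network, a port is where a device connects to the network. A Neutron port serves a similar function: it is the attachment point through which routers and virtual machines connect to a network.
Router
Like a router in the physical world, a Neutron router is a component that selects routes and forwards traffic. The difference is that in Neutron it is a software component that can be created and destroyed.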
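Neutron components

- Neutron Server
Can be thought of as a server dedicated to receiving Neutron REST API calls; it dispatches the different REST API calls to the corresponding Neutron-Plugin.
- Neutron-Plugin
Can be thought of as the entry point for a particular network implementation; each vendor can develop its own plugin. A Neutron-Plugin receives the REST API calls dispatched by Neutron-Server, registers the relevant information in the Neutron database, and then notifies its corresponding Neutron agent of the concrete operation to perform and its parameters.
- Neutron-Agent
Can be thought of as the Neutron-Plugin's agent on the device. It receives the operations and parameters sent by the corresponding Neutron-Plugin and translates them into concrete device-level operations that drive the device. When a problem occurs locally on the device, the Neutron-Agent reports it to the Neutron-Plugin.
- Neutron Database
Neutron's database, which stores network state, including Network, Subnet, Port, Router and so on.
- Network Provider
The network device that actually performs the work, usually a virtual switch (OVS or Linux Bridge).
Install and configure the controller node
Installing Neutron
- Create the database, service credentials, and API endpoints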
MariaDB [(none)]> create database neutron;
Query OK, 1 row affected (0.00 sec)
MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| glance |
| information_schema |
| keystone |
| mysql |
| neutron |
| nova |
| nova_api |
| performance_schema |
+--------------------+
8 rows in set (0.00 sec)
MariaDB [(none)]> grant all on neutron.* to 'neutron'@'localhost' identified by 'neutron';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> grant all on neutron.* to 'neutron'@'%' identified by 'neutron';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> exit
Bye
- Source the admin credentials to gain access to admin-only CLI commands
[[email protected] ~]# source admin-openrc
- To create the service credentials, complete these steps
Create the neutron user
[[email protected] ~]# openstack user create --domain default --password-prompt neutron
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | default |
| enabled | True |
| id | cb35cc907b04428c8425cdba65819dad |
| name | neutron |
| password_expires_at | None |
+---------------------+----------------------------------+
Add the admin role to the neutron user
[[email protected] ~]# openstack role add --project service --user neutron admin
Create the neutron service entity
[[email protected] ~]# openstack service create --name neutron \
--description "OpenStack Networking" network
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | OpenStack Networking |
| enabled | True |
| id | c96abf0d2fe6402ebb55d8b3fdb95626 |
| name | neutron |
| type | network |
+-------------+----------------------------------+
Create the Networking service API endpoints
[[email protected] ~]# openstack endpoint create --region RegionOne \
network public http://192.168.56.11:9696
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 3723a017a5b84a0e85eb9e41329025f5 |
| interface | public |
| region | RegionOne |
| region_id | RegionOne |
| service_id | c96abf0d2fe6402ebb55d8b3fdb95626 |
| service_name | neutron |
| service_type | network |
| url | http://192.168.56.11:9696 |
+--------------+----------------------------------+
[[email protected] ~]# openstack endpoint create --region RegionOne \
network internal http://192.168.56.11:9696
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 7d1b36d47ee9451e963b5d6f1b9c6337 |
| interface | internal |
| region | RegionOne |
| region_id | RegionOne |
| service_id | c96abf0d2fe6402ebb55d8b3fdb95626 |
| service_name | neutron |
| service_type | network |
| url | http://192.168.56.11:9696 |
+--------------+----------------------------------+
[[email protected] ~]# openstack endpoint create --region RegionOne \
network admin http://192.168.56.11:9696
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 8a146ce4d097417c8eeda705d6da90a2 |
| interface | admin |
| region | RegionOne |
| region_id | RegionOne |
| service_id | c96abf0d2fe6402ebb55d8b3fdb95626 |
| service_name | neutron |
| service_type | network |
| url | http://192.168.56.11:9696 |
+--------------+----------------------------------+
- Install the Neutron packages
[[email protected] ~]# yum -y install openstack-neutron openstack-neutron-ml2 openstack-neutron-linuxbridge ebtables
[[email protected] ~]# rpm -qa openstack-neutron openstack-neutron-ml2 openstack-neutron-linuxbridge ebtables
ebtables-2.0.10-15.el7.x86_64
openstack-neutron-9.4.1-1.el7.noarch
openstack-neutron-linuxbridge-9.4.1-1.el7.noarch
openstack-neutron-ml2-9.4.1-1.el7.noarch
Configuring Neutron
- Edit the /etc/neutron/neutron.conf file and complete the following actions
[[email protected] ~]# cp -a /etc/neutron/neutron.conf /etc/neutron/neutron.conf_$(date +%F)
[[email protected] ~]# vim /etc/neutron/neutron.conf
In the [database] section, configure database access:
[database]
......
connection = mysql+pymysql://neutron:[email protected]/neutron
In the [DEFAULT] section, enable the ML2 plug-in and disable other plug-ins:
[DEFAULT]
......
core_plugin = ml2
service_plugins =
In the [DEFAULT] section, configure RabbitMQ message queue access:
[DEFAULT]
......
transport_url = rabbit://openstack:[email protected]
In the [DEFAULT] and [keystone_authtoken] sections, configure Identity service access:
[DEFAULT]
......
auth_strategy = keystone
[keystone_authtoken]
auth_uri = http://192.168.56.11:5000
auth_url = http://192.168.56.11:35357
memcached_servers = 192.168.56.11:11211
auth_type = password
project_domain_name = Default
user_domain_name = Default
project_name = service
username = neutron
password = neutron
In the [DEFAULT] and [nova] sections, configure Networking to notify Compute of network topology changes:
[DEFAULT]
......
notify_nova_on_port_status_changes = true
notify_nova_on_port_data_changes = true
[nova]
auth_url = http://192.168.56.11:35357
auth_type = password
project_domain_name = Default
user_domain_name = Default
region_name = RegionOne
project_name = service
username = nova
password = nova
In the [oslo_concurrency] section, configure the lock path:
[oslo_concurrency]
......
lock_path = /var/lib/neutron/tmp
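Configuring the ML2 plug-in
The ML2 plug-in uses the Linux bridge mechanism to build the layer-2 virtual networking infrastructure for instances.
Warning: after you configure the ML2 plug-in, removing values from the type_drivers option can lead to database inconsistency.
- Edit the /etc/neutron/plugins/ml2/ml2_conf.ini file and complete the following actions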
[[email protected] ~]# cp -a /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugins/ml2/ml2_conf.ini_$(date +%F)
[[email protected] ~]# vim /etc/neutron/plugins/ml2/ml2_conf.ini
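In the [ml2] section, enable flat and VLAN networks:
[ml2]
......
type_drivers = flat,vlan
In the [ml2] section, disable private networks:
[ml2]
......
tenant_network_types =
In the [ml2] section, enable the Linux bridge mechanism:
[ml2]
......
mechanism_drivers = linuxbridge
In the [ml2] section, enable the port security extension driver:
[ml2]
......
extension_drivers = port_security
In the [ml2_type_flat] section, configure the provider virtual network as a flat network:
[ml2_type_flat]
......
flat_networks = provider
In the [securitygroup] section, enable ipset to increase the efficiency of security group rules:
[securitygroup]
......
enable_ipset = true
Configuring the Linux bridge agent
The Linux bridge agent builds layer-2 virtual networks for instances and handles security group rules.
- Edit the /etc/neutron/plugins/ml2/linuxbridge_agent.ini file and complete the following actions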
[[email protected] ~]# cp -a /etc/neutron/plugins/ml2/linuxbridge_agent.ini /etc/neutron/plugins/ml2/linuxbridge_agent.ini_$(date +%F)
[[email protected] ~]# vim /etc/neutron/plugins/ml2/linuxbridge_agent.ini
In the [linux_bridge] section, map the provider virtual network to the provider physical network interface:
[linux_bridge]
......
physical_interface_mappings = provider:eth0
In the [vxlan] section, disable VXLAN overlay networks:
[vxlan]
enable_vxlan = False
In the [securitygroup] section, enable security groups and configure the Linux bridge iptables firewall driver:
[securitygroup]
......
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
enable_security_group = true
In the [agent] section, enable ARP spoofing protection:
[agent]
......
prevent_arp_spoofing = true
Configuring the DHCP agent
- Edit the /etc/neutron/dhcp_agent.ini file and complete the following actions
[[email protected] ~]# cp -a /etc/neutron/dhcp_agent.ini /etc/neutron/dhcp_agent.ini_$(date +%F)
[[email protected] ~]# vim /etc/neutron/dhcp_agent.ini
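In the [DEFAULT] section, configure the Linux bridge interface driver and the Dnsmasq DHCP driver, and enable isolated metadata so that instances on provider networks can reach metadata over the network:
[DEFAULT]
......
interface_driver = neutron.agent.linux.interface.BridgeInterfaceDriver
dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq
enable_isolated_metadata = True
Configuring the metadata agent
- Edit the /etc/neutron/metadata_agent.ini file and complete the following actions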
[[email protected] ~]# cp -a /etc/neutron/metadata_agent.ini /etc/neutron/metadata_agent.ini_$(date +%F)
[[email protected] ~]# vim /etc/neutron/metadata_agent.ini
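In the [DEFAULT] section, configure the metadata host and the shared secret:
[DEFAULT]
......
nova_metadata_ip = 192.168.56.11
metadata_proxy_shared_secret = neutron
Configuring Compute on the controller node to use Networking
- Edit the /etc/nova/nova.conf file and complete the following actions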
[[email protected] ~]# vim /etc/nova/nova.conf
In the [neutron] section, configure the access parameters, enable the metadata proxy, and set the secret:
[neutron]
url = http://192.168.56.11:9696
auth_url = http://192.168.56.11:35357
auth_type = password
project_domain_name = Default
user_domain_name = Default
region_name = RegionOne
project_name = service
username = neutron
password = neutron
service_metadata_proxy = True
metadata_proxy_shared_secret = neutron
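The configuration above reuses the account name as every password and as metadata_proxy_shared_secret, and its auth URLs use plain HTTP. The following added example (not part of the original post or of OpenStack) audits such files for that pattern and for a shared secret that differs between files; the 16-character threshold, the function names and the controller.example host in the constructed sample are assumptions.

```python
from configparser import ConfigParser
from urllib.parse import urlsplit

MIN_LEN = 16  # assumed local policy threshold, not an OpenStack default
SECRET_KEYS = {"password", "metadata_proxy_shared_secret"}
URL_KEYS = {"connection", "transport_url"}
# Constructed sample repeating the page's pattern (secret == user name); placeholder host.
SAMPLE = {
    "neutron.conf": """
[DEFAULT]
transport_url = rabbit://openstack:openstack@controller.example
[database]
connection = mysql+pymysql://neutron:neutron@controller.example/neutron
[keystone_authtoken]
auth_url = http://192.168.56.11:35357
username = neutron
password = neutron
""",
    "metadata_agent.ini": "[DEFAULT]\nmetadata_proxy_shared_secret = neutron\n",
    "nova.conf": "[neutron]\nusername = neutron\npassword = neutron\n"
                 "metadata_proxy_shared_secret = neutron\n",
}

def weak(secret, user=""):
    return len(secret) < MIN_LEN or secret.lower() == user.lower()

def audit(files):
    """Return findings for weak secrets, plain-HTTP URLs and secret mismatches."""
    findings, shared = [], {}
    for name, text in files.items():
        # default_section is renamed so [DEFAULT] is read like any other section
        cp = ConfigParser(interpolation=None, strict=False, default_section="-")
        cp.read_string(text)
        for sec in cp.sections():
            opts = dict(cp.items(sec))
            for key, val in opts.items():
                where = f"{name} [{sec}] {key}"
                if key in SECRET_KEYS and weak(val, opts.get("username", "")):
                    findings.append(f"{where}: weak or guessable secret")
                cred = urlsplit(val) if key in URL_KEYS else None
                if cred and weak(cred.password or "", cred.username or ""):
                    findings.append(f"{where}: weak credential in URL")
                if val.startswith("http://"):
                    findings.append(f"{where}: plain-HTTP endpoint")
                if key == "metadata_proxy_shared_secret":
                    shared[name] = val
    if len(set(shared.values())) > 1:
        findings.append("metadata_proxy_shared_secret differs between files")
    return findings
```

Calling audit() with a dict of file name to file contents read from /etc/neutron and /etc/nova returns one line per finding; an empty list means none of these checks fired.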
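Finalize the Neutron installation
- The Networking service initialization scripts expect a symbolic link /etc/neutron/plugin.ini pointing to the ML2 plug-in configuration file /etc/neutron/plugins/ml2/ml2_conf.ini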
[[email protected] ~]# ln -s /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini
[[email protected] ~]# ls -l /etc/neutron/plugin.ini
lrwxrwxrwx 1 root root 37 Jan 18 10:50 /etc/neutron/plugin.ini -> /etc/neutron/plugins/ml2/ml2_conf.ini
- Populate the database; warning messages can be ignored
[[email protected] ~]# su -s /bin/sh -c "neutron-db-manage --config-file /etc/neutron/neutron.conf \
--config-file /etc/neutron/plugins/ml2/ml2_conf.ini upgrade head" neutron
[[email protected] ~]# mysql -uneutron -pneutron -e "use neutron;show tables;"|wc -l
163
- Restart the Nova API service on the controller node
[[email protected] ~]# systemctl restart openstack-nova-api.service
[[email protected] ~]# systemctl status openstack-nova-api.service
- Start the Networking services and configure them to start when the system boots
[[email protected] ~]# systemctl enable neutron-server.service \
neutron-linuxbridge-agent.service neutron-dhcp-agent.service \
neutron-metadata-agent.service
[[email protected] ~]# systemctl start neutron-server.service \
neutron-linuxbridge-agent.service neutron-dhcp-agent.service \
neutron-metadata-agent.service
[[email protected] ~]# systemctl status neutron-server.service \
neutron-linuxbridge-agent.service neutron-dhcp-agent.service \
neutron-metadata-agent.service
Verifying Neutron
[[email protected] ~]# source admin-openrc
[[email protected] ~]# neutron agent-list
+--------------------+--------------------+-------------+-------------------+-------+----------------+---------------------+
| id | agent_type | host | availability_zone | alive | admin_state_up | binary |
+--------------------+--------------------+-------------+-------------------+-------+----------------+---------------------+
| 1bd2e7bb-a74f-4613 | DHCP agent | linux-node1 | nova | :-) | True | neutron-dhcp-agent |
| -87dc-13696f5a2350 | | | | | | |
| a3a0b766-e3ba- | Metadata agent | linux-node1 | | :-) | True | neutron-metadata- |
| 4e5a- | | | | | | agent |
| 84d3-bda27afaaa9d | | | | | | |
| eb6e6a13-42e5-4dae | Linux bridge agent | linux-node1 | | :-) | True | neutron- |
| -8755-f66167321293 | | | | | | linuxbridge-agent |
+--------------------+--------------------+-------------+-------------------+-------+----------------+---------------------+
Install and configure the compute node
Installing Neutron
- Install the Neutron packages
[[email protected] ~]# yum -y install openstack-neutron-linuxbridge ebtables ipset
[[email protected] ~]# rpm -qa openstack-neutron-linuxbridge ebtables ipset
ebtables-2.0.10-15.el7.x86_64
ipset-6.29-1.el7.x86_64
openstack-neutron-linuxbridge-9.4.1-1.el7.noarch
Configuring Neutron
- Edit the /etc/neutron/neutron.conf file and complete the following actions
[[email protected] ~]# cp -a /etc/neutron/neutron.conf /etc/neutron/neutron.conf_$(date +%F)
[[email protected] ~]# vim /etc/neutron/neutron.conf
In the [database] section, comment out all connection options, because compute nodes do not access the database directly.
In the [DEFAULT] section, configure RabbitMQ message queue access:
[DEFAULT]
......
transport_url = rabbit://openstack:[email protected]
In the [DEFAULT] and [keystone_authtoken] sections, configure Identity service access:
[DEFAULT]
......
auth_strategy = keystone
[keystone_authtoken]
auth_uri = http://192.168.56.11:5000
auth_url = http://192.168.56.11:35357
memcached_servers = 192.168.56.11:11211
auth_type = password
project_domain_name = Default
user_domain_name = Default
project_name = service
username = neutron
password = neutron
In the [oslo_concurrency] section, configure the lock path:
[oslo_concurrency]
......
lock_path = /var/lib/neutron/tmp
Configuring the Linux bridge agent
The Linux bridge agent builds layer-2 virtual networks for instances and handles security group rules.
- Edit the /etc/neutron/plugins/ml2/linuxbridge_agent.ini file and complete the following actions
[[email protected] ~]# cp -a /etc/neutron/plugins/ml2/linuxbridge_agent.ini /etc/neutron/plugins/ml2/linuxbridge_agent.ini_$(date +%F)
[[email protected] ~]# vim /etc/neutron/plugins/ml2/linuxbridge_agent.ini
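In the [linux_bridge] section, map the provider virtual network to the provider physical network interface:
[linux_bridge]
......
physical_interface_mappings = provider:eth0
In the [vxlan] section, disable VXLAN overlay networks:
[vxlan]
enable_vxlan = False
In the [securitygroup] section, enable security groups and configure the Linux bridge iptables firewall driver:
[securitygroup]
......
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
enable_security_group = true
In the [agent] section, enable ARP spoofing protection:
[agent]
......
prevent_arp_spoofing = true
Configuring Compute on the compute node to use Networking
- Edit the /etc/nova/nova.conf file and complete the following actions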
[[email protected] ~]# vim /etc/nova/nova.conf
In the [neutron] section, configure the access parameters (unlike on the controller node, no metadata proxy options are set here):
[neutron]
url = http://192.168.56.11:9696
auth_url = http://192.168.56.11:35357
auth_type = password
project_domain_name = Default
user_domain_name = Default
region_name = RegionOne
project_name = service
username = neutron
password = neutron
Finalize the Neutron installation
- Restart the Compute service
[[email protected] ~]# systemctl restart openstack-nova-compute.service
[[email protected] ~]# systemctl status openstack-nova-compute.service
- Start the Linux bridge agent and configure it to start at boot
[[email protected] ~]# systemctl enable neutron-linuxbridge-agent.service
[[email protected] ~]# systemctl start neutron-linuxbridge-agent.service
[[email protected] ~]# systemctl status neutron-linuxbridge-agent.service
Verifying Neutron
- Source the admin credentials to gain access to admin-only CLI commands
[[email protected] ~]# source admin-openrc
- List the loaded extensions to verify that the neutron-server process started successfully
[[email protected] ~]# neutron ext-list
+---------------------------+---------------------------------+
| alias | name |
+---------------------------+---------------------------------+
| default-subnetpools | Default Subnetpools |
| availability_zone | Availability Zone |
| network_availability_zone | Network Availability Zone |
| binding | Port Binding |
| agent | agent |
| subnet_allocation | Subnet Allocation |
| dhcp_agent_scheduler | DHCP Agent Scheduler |
| tag | Tag support |
| external-net | Neutron external network |
| flavors | Neutron Service Flavors |
| net-mtu | Network MTU |
| network-ip-availability | Network IP Availability |
| quotas | Quota management support |
| provider | Provider Network |
| multi-provider | Multi Provider Network |
| address-scope | Address scope |
| subnet-service-types | Subnet service types |
| standard-attr-timestamp | Resource timestamps |
| service-type | Neutron Service Type Management |
| extra_dhcp_opt | Neutron Extra DHCP opts |
| standard-attr-revisions | Resource revision numbers |
| pagination | Pagination support |
| sorting | Sorting support |
| security-group | security-group |
| rbac-policies | RBAC Policies |
| standard-attr-description | standard-attr-description |
| port-security | Port Security |
| allowed-address-pairs | Allowed Address Pairs |
| project-id | project_id field enabled |
+---------------------------+---------------------------------+
[[email protected] ~]# neutron agent-list
+--------------------+--------------------+-------------+-------------------+-------+----------------+---------------------+
| id | agent_type | host | availability_zone | alive | admin_state_up | binary |
+--------------------+--------------------+-------------+-------------------+-------+----------------+---------------------+
| 1bd2e7bb-a74f-4613 | DHCP agent | linux-node1 | nova | :-) | True | neutron-dhcp-agent |
| -87dc-13696f5a2350 | | | | | | |
| 746000d6-c48d-418b | Linux bridge agent | linux-node2 | | :-) | True | neutron- |
| -9501-8c008873374d | | | | | | linuxbridge-agent |
| a3a0b766-e3ba- | Metadata agent | linux-node1 | | :-) | True | neutron-metadata- |
| 4e5a- | | | | | | agent |
| 84d3-bda27afaaa9d | | | | | | |
| eb6e6a13-42e5-4dae | Linux bridge agent | linux-node1 | | :-) | True | neutron- |
| -8755-f66167321293 | | | | | | linuxbridge-agent |
+--------------------+--------------------+-------------+-------------------+-------+----------------+---------------------+
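Because the Linux bridge agent is what handles security group rules on each node, an agent that is missing or not alive in this listing matters beyond connectivity. The following added example (not from the original post) parses the agent-list table, including the wrapped cells seen above, and reports expected agents that are not up; EXPECTED and the function names are assumptions, and the sample is constructed with one agent marked dead.

```python
# Constructed sample in the layout `neutron agent-list` prints on this page,
# wrapped cells included; the linux-node2 agent is shown dead ("xxx") on purpose.
SAMPLE = """\
+--------------------+--------------------+-------------+
| id | agent_type | host | availability_zone | alive | admin_state_up | binary |
+--------------------+--------------------+-------------+
| 1bd2e7bb-a74f-4613 | DHCP agent | linux-node1 | nova | :-) | True | neutron-dhcp-agent |
| -87dc-13696f5a2350 | | | | | | |
| 746000d6-c48d-418b | Linux bridge agent | linux-node2 | | xxx | True | neutron- |
| -9501-8c008873374d | | | | | | linuxbridge-agent |
| a3a0b766-e3ba- | Metadata agent | linux-node1 | | :-) | True | neutron-metadata- |
| 4e5a- | | | | | | agent |
| 84d3-bda27afaaa9d | | | | | | |
| eb6e6a13-42e5-4dae | Linux bridge agent | linux-node1 | | :-) | True | neutron- |
| -8755-f66167321293 | | | | | | linuxbridge-agent |
+--------------------+--------------------+-------------+
"""

# Agents this page starts on each node, as (binary, host); an assumption of the example.
EXPECTED = [
    ("neutron-dhcp-agent", "linux-node1"),
    ("neutron-metadata-agent", "linux-node1"),
    ("neutron-linuxbridge-agent", "linux-node1"),
    ("neutron-linuxbridge-agent", "linux-node2"),
]

def parse_agent_list(text):
    """Parse the ASCII table, re-joining cells wrapped onto continuation rows."""
    header, rows = None, []
    for line in text.splitlines():
        if not line.startswith("|"):
            continue  # "+---+" border lines
        cells = [c.strip() for c in line.split("|")[1:-1]]
        if header is None:
            header = cells
        elif cells[header.index("alive")]:
            rows.append(dict(zip(header, cells)))  # first line of an agent row
        elif rows:
            for col, frag in zip(header, cells):
                rows[-1][col] += frag  # ids and binaries wrap without spaces
    return rows

def unhealthy(rows, expected=EXPECTED):
    """Return expected (binary, host) pairs that are missing, dead or admin-down."""
    up = {(r["binary"], r["host"]) for r in rows
          if r["alive"] == ":-)" and r["admin_state_up"] == "True"}
    return sorted(set(expected) - up)
```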
Reposted from: https://blog.51cto.com/11097612/2063618