A06.OpenStack安装网络服务

OpenStack网络（neutron）允许您创建和链接由其他OpenStack服务管理的接口设备到网络。插件可以被实现以适应不同的网络设备和软件，为OpenStack架构和部署提供了灵活性。

它包括以下组成部分：

neutron-server

接受并将API请求路路由到适当的OpenStack.网络插件

打开堆栈网络插件和代理

插入和拔掉端口，创建网络或子网，并提供IP寻址，这些插件和代理的不同取决于特定云中的供应商技术，OpenStack网络附带了Cisco虚拟和物理交换机的插件和代理，NFC OpenFlow产品，Open vSwitch，Linux桥接，以及VMware NSX产品。

常见的代理是L3（第三层）、DHCP（动态主机IP寻址）和插件代理。

Messaging queue（消息队列）

用于大多数OpenStack网络安装，以在neutron-server和代理之间路由信息，也可以作为数据库来存储特定插件的网络状态。

OpenStack Networking主要是与OpenStack Compute交互，为它的实例提供网络和链接性。

Networking (neutron) concepts

OpenStack Network（neutron）管理Virtual Networking Infrastructure（VNI）的所有网络方面，以及在OpenStack环境中Physical Networking Infrastructure（PNI）的访问层方面，OpenStack网络使项目能够创建高级虚拟网络拓扑，其中可能包括诸如防火墙、负载均衡和虚拟专用网络（VPN）等服务。

网络提供网络、子网和路由作为对象抽象，每个抽象都有模仿其物理对应的功能：网络包含子网，路由器路由不同子网和网络之间的通信。

任何给定的网络设置都至少有一个网络，与其他网络不通，外部网络不仅仅是一个虚拟定义的网络，相反，它将视图表示为OpenStack安装之外可访问的物理、外部网络的一部分，外部网络上的IP地址可以由外部网络上的任何人访问。

除了外部网络，任何网络设置都有一个或多个内部网络。这些软件定义的网络直接连接到虚拟机。只要在任何设定的内部网络上的VMS或者通过接口连接到类似路由器的自网上的虚拟机，都可以直接访问连接到该网络的VM。

对于外部网络访问VM，反之亦然，需要网络之间的路由器。每个路由器有一个网关连接到一个外部网络和一个或多个连接到内部网络的接口，和物理路由器一样，子网可以访问到同一个路由的其他子网上的机器，机器可以通过路由器的网关访问外部网络。

此外，您可以将外部网络上的IP地址分配到内部网络上的端口，当某物连接到子网时，该链接被称为端口，您可以将外部网络IP地址与端口对VM进行关联。通过这种方式，外部网络上的试题可以访问VM。

网络也支持安全组，安全组使管理员可以对防火墙规则进行分组，VM可以属于一个或多个安全组，而网络则应用这些安全组中的规则来阻塞或取消VM的端口、端口范围或流量类型。

网络使用每个插件都有自己的概念，虽然不需要操作VNI和OpenStack环境，但是理解这些概念可以帮助您建立网络，所有的网络安装都使用一个核心插件和一个安全组插件（或者仅仅是No-Op安全组插件）。另外，Firewalls-as-a-Service（FWaas）和Load-Balancer-as-a-Service(LBaas)插件是可用的。

安装和配置控制节点：

先决条件

在配置打开堆栈网络（neutron）服务之前，必须创建数据库、服务凭据和api端点。

1、要创建数据库，请完成以下步骤

使用数据库访问客户端座位根用户连接到数据库服务器：

[[email protected] ~]# mysql -u root -p’lifulai_000’

MariaDB [(none)]> create database neutron;

MariaDB [(none)]> grant all privileges on neutron.* to ‘neutron’@‘localhost’ identified by ‘lifulai_000’;

MariaDB [(none)]> grant all privileges on neutron.* to ‘neutron’@’%’ identified by ‘lifulai_000’;

MariaDB [(none)]> flush privileges;

2、授权管理员凭据以获得只对管理CLI命令的访问：

[[email protected] ~]# . admin-openrc

3、要创建服务凭据，请完成以下步骤：

创建neutron用户

[[email protected] ~]# openstack user create --domain default --password-prompt neutron

User Password:123

Repeat User Password:123

向neutron添加管理员角色

[[email protected] ~]# openstack role add --project service --user neutron admin

创建neutron实体

[[email protected] ~]# openstack service create --name neutron --description “OpenStack Networking” network

4、创建网路服务API端点

[[email protected] ~]# openstack endpoint create --region RegionOne network public http://192.168.85.101:9696

[[email protected] ~]# openstack endpoint create --region RegionOne network internal http://192.168.85.101:9696

[[email protected] ~]# openstack endpoint create --region RegionOne network admin http://192.168.85.101:9696

[[email protected] ~]# yum -y install grep openstack-neutron openstack-neutron-ml2 openstack-neutron-linuxbridge ebtables

编辑 /etc/neutron/neutron.conf文件并完成以下操作

[[email protected] ~]# vim /etc/neutron/neutron.conf

[database]

connection = mysql+pymysql://neutron:[email protected]/neutron

[DEFAULT]

core_plugin = ml2

service_plugins = router

allow_overlapping_ips = true

transport_url = rabbit://openstack:[email protected]

auth_strategy = keystone

notify_nova_on_port_status_changes = true

notify_nova_on_port_data_changes = true

[keystone_authtoken]

auth_uri = http://192.168.85.101:5000

auth_url = http://192.168.85.101:35357

memcached_servers = 192.168.85.101:11211

auth_type = password

project_domain_name = default

user_domain_name = default

project_name = service

username = neutron

password = 123

[nova]

auth_url = http://192.168.85.101:35357

auth_type = password

project_domain_name = default

user_domain_name = default

region_name = RegionOne

project_name = service

username = nova

password = 123

[oslo_concurrency]

lock_path = /var/lib/neutron/tmp

[[email protected] ~]# vim /etc/neutron/plugins/ml2/ml2_conf.ini

[ml2]

type_drivers = flat,vlan,vxlan

tenant_network_types = vxlan

mechanism_drivers = linuxbridge,l2population

extension_drivers = port_security

[ml2_type_flat]

flat_networks = provider

[ml2_type_vxlan]

vni_ranges = 1:1000

[securitygroup]

enable_ipset = true

[[email protected] ~]# vim /etc/neutron/plugins/ml2/linuxbridge_agent.ini

[linux_bridge]

physical_interface_mappings = provider:eth1

[vxlan]

enable_vxlan = true

local_ip = 192.168.85.101

l2_population = true

[securitygroup]

enable_security_group = true

firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver

[[email protected] ~]# vim /etc/neutron/l3_agent.ini

[DEFAULT]

interface_driver = linuxbridge

[[email protected] ~]# vim /etc/neutron/dhcp_agent.ini

[DEFAULT]

interface_driver = linuxbridge

dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq

enable_isolated_metadata = true

[[email protected] ~]# vim /etc/neutron/metadata_agent.ini

[DEFAULT]

nova_metadata_ip = 192.168.85.101

metadata_proxy_shared_secret = 123

[[email protected] ~]# vim /etc/nova/nova.conf

[neutron]

url = http://192.168.85.101:9696

auth_url = http://192.168.85.101:35357

auth_type = password

project_domain_name = default

user_domain_name = default

region_name = RegionOne

project_name = service

username = neutron

password = 123

service_metadata_proxy = true

metadata_proxy_shared_secret = 123

[[email protected] ~]# ln -s /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini

[[email protected] ~]# su -s /bin/sh -c “neutron-db-manage --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugins/ml2/ml2_conf.ini upgrade head” neutron

[[email protected] ~]# systemctl restart openstack-nova-api

[[email protected] ~]# systemctl enable neutron-server neutron-linuxbridge-agent neutron-dhcp-agent neutron-metadata-agent

[[email protected] ~]# systemctl start neutron-server neutron-linuxbridge-agent neutron-dhcp-agent neutron-metadata-agent

[[email protected] ~]# systemctl status neutron-server neutron-linuxbridge-agent neutron-dhcp-agent neutron-metadata-agent

[[email protected] ~]# systemctl enable neutron-l3-agent

[[email protected] ~]# systemctl start neutron-l3-agent

在计算节点创建网络配置compute1

[[email protected] ~]# yum -y install openstack-neutron-linuxbridge ebtables ipset

配置公共组件

网络公共组件配置包括身份验证机制、消息队列和插件。

注意：默认配置文件因分布而不同。您可能需要添加这些

部分和选项要比修改现有部分和选项更简单。还有，一个设定片段中的椭圆(…)表示可能的预设设定你应该保留的选择。

[[email protected] ~]# vim /etc/neutron/neutron.conf

[DEFAULT]

transport_url = rabbit://openstack:[email protected]

auth_strategy = keystone

[keystone_authtoken]

auth_uri = http://192.168.85.101:5000

auth_url = http://192.168.85.101:35357

memcached_servers = 192.168.85.101:11211

auth_type = password

project_domain_name = default

user_domain_name = default

project_name = service

username = neutron

password = 123

[oslo_concurrency]

lock_path = /var/lib/neutron/tmp

linux桥接代理 layer-2 （连接和交换）虚拟网络用于实例和处理安全组的基础设施

[root@compute1 ~]# vim /etc/neutron/plugins/ml2/linuxbridge_agent.ini

[linux_bridge]

physical_interface_mappings = provider:eth1

[vxlan]

enable_vxlan = false

[securitygroup]

enable_security_group = true

firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver

[[email protected] ~]# vim /etc/nova/nova.conf

[neutron]

url = http://192.168.85.101:9696

auth_url = http://192.168.85.101:35357

auth_type = password

project_domain_name = default

user_domain_name = default

region_name = RegionOne

project_name = service

username = neutron

password = 123

[[email protected] ~]# systemctl restart openstack-nova-compute

[[email protected] ~]# systemctl enable neutron-linuxbridge-agent

[[email protected] ~]# systemctl start neutron-linuxbridge-agent

在计算节点创建网络配置compute2

[[email protected] ~]# yum -y install openstack-neutron-linuxbridge ebtables ipset

配置公共组件

网络公共组件配置包括身份验证机制、消息队列和插件。

注意：默认配置文件因分布而不同。您可能需要添加这些

部分和选项要比修改现有部分和选项更简单。还有，一个设定片段中的椭圆(…)表示可能的预设设定你应该保留的选择。

[[email protected] ~]# vim /etc/neutron/neutron.conf

[DEFAULT]

transport_url = rabbit://openstack:[email protected]

auth_strategy = keystone

[keystone_authtoken]

auth_uri = http://192.168.85.101:5000

auth_url = http://192.168.85.101:35357

memcached_servers = 192.168.85.101:11211

auth_type = password

project_domain_name = default

user_domain_name = default

project_name = service

username = neutron

password = 123

[oslo_concurrency]

lock_path = /var/lib/neutron/tmp

linux桥接代理 layer-2 （连接和交换）虚拟网络用于实例和处理安全组的基础设施

[root@compute2 ~]# vim /etc/neutron/plugins/ml2/linuxbridge_agent.ini

[linux_bridge]

physical_interface_mappings = provider:eth1

[vxlan]

enable_vxlan = false

[securitygroup]

enable_security_group = true

firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver

[[email protected] ~]# vim /etc/nova/nova.conf

[neutron]

url = http://192.168.85.101:9696

auth_url = http://192.168.85.101:35357

auth_type = password

project_domain_name = default

user_domain_name = default

region_name = RegionOne

project_name = service

username = neutron

password = 123

[[email protected] ~]# systemctl restart openstack-nova-compute

[[email protected] ~]# systemctl enable neutron-linuxbridge-agent

[[email protected] ~]# systemctl start neutron-linuxbridge-agent

注意：在控制器节点上执行这些命令。

授权管理员凭据以获得对只管理cli命令的访问:

[[email protected] ~]# . admin-openrc

[[email protected] ~]# openstack extension list --network

±---------------------------------------------------------------------------------------------±--------------------------±---------------------------------------------------------------------------------------------------------------------------------------------------------+

| Name | Alias | Description |

±---------------------------------------------------------------------------------------------±--------------------------±---------------------------------------------------------------------------------------------------------------------------------------------------------+

| Default Subnetpools | default-subnetpools | Provides ability to mark and use a subnetpool as the default |

| Network IP Availability | network-ip-availability | Provides IP availability data for each network and subnet. |

| Network Availability Zone | network_availability_zone | Availability zone support for network. |

| Auto Allocated Topology Services | auto-allocated-topology | Auto Allocated Topology Services. |

| Neutron L3 Configurable external gateway mode | ext-gw-mode | Extension of the router abstraction for specifying whether SNAT should occur on the external gateway |

| Port Binding | binding | Expose port bindings of a virtual port to external application |

| agent | agent | The agent management extension. |

| Subnet Allocation | subnet_allocation | Enables allocation of subnets from a subnet pool |

| L3 Agent Scheduler | l3_agent_scheduler | Schedule routers among l3 agents |

| Tag support | tag | Enables to set tag on resources. |

| Neutron external network | external-net | Adds external network attribute to network resource. |

| Tag support for resources with standard attribute: trunk, policy, security_group, floatingip | standard-attr-tag | Enables to set tag on resources with standard attribute. |

| Neutron Service Flavors | flavors | Flavor specification for Neutron advanced services |

| Network MTU | net-mtu | Provides MTU attribute for a network resource. |

| Availability Zone | availability_zone | The availability zone extension. |

| Quota management support | quotas | Expose functions for quotas management per tenant |

| If-Match constraints based on revision_number | revision-if-match | Extension indicating that If-Match based on revision_number is supported. |

| HA Router extension | l3-ha | Add HA capability to routers. |

| Provider Network | provider | Expose mapping of virtual networks to physical networks |

| Multi Provider Network | multi-provider | Expose mapping of virtual networks to multiple physical networks |

| Quota details management support | quota_details | Expose functions for quotas usage statistics per project |

| Address scope | address-scope | Address scopes extension. |

| Neutron Extra Route | extraroute | Extra routes configuration for L3 router |

| Network MTU (writable) | net-mtu-writable | Provides a writable MTU attribute for a network resource. |

| Subnet service types | subnet-service-types | Provides ability to set the subnet service_types field |

| Resource timestamps | standard-attr-timestamp | Adds created_at and updated_at fields to all Neutron resources that have Neutron standard attributes. |

| Neutron Service Type Management | service-type | API for retrieving service providers for Neutron advanced services |

| Router Flavor Extension | l3-flavors | Flavor support for routers. |

| Port Security | port-security | Provides port security |

| Neutron Extra DHCP options | extra_dhcp_opt | Extra options configuration for DHCP. For example PXE boot options to DHCP clients can be specified (e.g. tftp-server, server-ip-address, bootfile-name) |

| Resource revision numbers | standard-attr-revisions | This extension will display the revision number of neutron resources. |

| Pagination support | pagination | Extension that indicates that pagination is enabled. |

| Sorting support | sorting | Extension that indicates that sorting is enabled. |

| security-group | security-group | The security groups extension. |

| DHCP Agent Scheduler | dhcp_agent_scheduler | Schedule networks among dhcp agents |

| Router Availability Zone | router_availability_zone | Availability zone support for router. |

| RBAC Policies | rbac-policies | Allows creation and modification of policies that control tenant access to resources. |

| Tag support for resources: subnet, subnetpool, port, router | tag-ext | Extends tag support to more L2 and L3 resources. |

| standard-attr-description | standard-attr-description | Extension to add descriptions to standard attributes |

| Neutron L3 Router | router | Router abstraction for basic L3 forwarding between L2 Neutron networks and access to external networks via a NAT gateway. |

| Allowed Address Pairs | allowed-address-pairs | Provides allowed address pairs |

| project_id field enabled | project-id | Extension that indicates that project_id field is enabled. |

| Distributed Virtual Router | dvr | Enables configuration of Distributed Virtual Routers. |

±---------------------------------------------------------------------------------------------±--------------------------±---------------------------------------------------------------------------------------------------------------------------------------------------------+

为您选择部署的网络选项使用验证部分。

联网备选方案1：提供商网络

[[email protected] ~]# openstack network agent list