六、安装neutron服务
1、创建数据库
[root@controller ~]# mysql -uroot -p Enter password: Welcome to the MariaDB monitor. Commands end with ; or \g. Your MariaDB connection id is 75 Server version: 10.3.20-MariaDB MariaDB Server Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others. Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. MariaDB [(none)]> CREATE DATABASE neutron; Query OK, 1 row affected (0.000 sec) MariaDB [(none)]> GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'localhost' IDENTIFIED BY '000000'; Query OK, 0 rows affected (0.000 sec) MariaDB [(none)]> GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'%' IDENTIFIED BY '000000'; Query OK, 0 rows affected (0.000 sec)
2、获取admin凭证
[root@controller ~]# source admin-openrc
3、创建neutron用户
[root@controller ~]# openstack user create --domain default --password-prompt neutron User Password: Repeat User Password: +---------------------+----------------------------------+ | Field | Value | +---------------------+----------------------------------+ | domain_id | default | | enabled | True | | id | 91cded1130a545d68775be19fd8f6b56 | | name | neutron | | options | {} | | password_expires_at | None | +---------------------+----------------------------------+ # 将neutron用户添加到admin角色 [root@controller ~]# openstack role add --project service --user neutron admin # 创建neutron服务实体 [root@controller ~]# openstack service create --name neutron --description "OpenStack Networking" network +-------------+----------------------------------+ | Field | Value | +-------------+----------------------------------+ | description | OpenStack Networking | | enabled | True | | id | 009428a2aae64977ae895abc2ea10106 | | name | neutron | | type | network | +-------------+----------------------------------+
4、创建neutron服务API端点:
[root@controller ~]# openstack endpoint create --region RegionOne network public http://controller:9696 +--------------+----------------------------------+ | Field | Value | +--------------+----------------------------------+ | enabled | True | | id | 2878168bad0c484d835a00cef1ca1e7f | | interface | public | | region | RegionOne | | region_id | RegionOne | | service_id | 009428a2aae64977ae895abc2ea10106 | | service_name | neutron | | service_type | network | | url | http://controller:9696 | +--------------+----------------------------------+ [root@controller ~]# openstack endpoint create --region RegionOne network internal http://controller:9696 +--------------+----------------------------------+ | Field | Value | +--------------+----------------------------------+ | enabled | True | | id | 93ca6767de7f45ae82938b8186bf2998 | | interface | internal | | region | RegionOne | | region_id | RegionOne | | service_id | 009428a2aae64977ae895abc2ea10106 | | service_name | neutron | | service_type | network | | url | http://controller:9696 | +--------------+----------------------------------+ [root@controller ~]# openstack endpoint create --region RegionOne network admin http://controller:9696 +--------------+----------------------------------+ | Field | Value | +--------------+----------------------------------+ | enabled | True | | id | fa66b213e7f94951a8838c5350d81c13 | | interface | admin | | region | RegionOne | | region_id | RegionOne | | service_id | 009428a2aae64977ae895abc2ea10106 | | service_name | neutron | | service_type | network | | url | http://controller:9696 | +--------------+----------------------------------+
5、安装neutron服务
[root@controller ~]# yum install openstack-neutron openstack-neutron-ml2 openstack-neutron-linuxbridge ebtables -y
6、修改neutron配置文件
编辑/etc/neutron/neutron.conf文件,完成如下操作:
在[database]部分,配置数据库访问:
[database] connection = mysql+pymysql://neutron:NEUTRON_DBPASS@controller/neutron # 可使用以下命令直接修改 openstack-config --set /etc/neutron/neutron.conf database connection mysql+pymysql://neutron:000000@controller/neutron
在[DEFAULT]部分,启用模块化第2层(ML2)插件并禁用其他插件:
[DEFAULT] core_plugin = ml2 service_plugins = # 可使用以下命令直接修改 openstack-config --set /etc/neutron/neutron.conf DEFAULT core_plugin ml2 openstack-config --set /etc/neutron/neutron.conf DEFAULT service_plugins
在[DEFAULT]部分,配置RabbitMQ消息队列访问:
[DEFAULT] transport_url = rabbit://openstack:000000@controller # 可使用以下命令直接修改 openstack-config --set /etc/neutron/neutron.conf DEFAULT transport_url rabbit://openstack:000000@controller
在[DEFAULT]和[keystone_authtoken]部分中,配置身份服务访问:
[DEFAULT] auth_strategy = keystone [keystone_authtoken] www_authenticate_uri = http://controller:5000 auth_url = http://controller:5000 memcached_servers = controller:11211 auth_type = password project_domain_name = default user_domain_name = default project_name = service username = neutron password = 000000 # 可使用以下命令直接修改 openstack-config --set /etc/neutron/neutron.conf DEFAULT auth_strategy keystone openstack-config --set /etc/neutron/neutron.conf keystone_authtoken www_authenticate_uri http://controller:5000 openstack-config --set /etc/neutron/neutron.conf keystone_authtoken auth_url http://controller:5000 openstack-config --set /etc/neutron/neutron.conf keystone_authtoken memcached_servers controller:11211 openstack-config --set /etc/neutron/neutron.conf keystone_authtoken auth_type password openstack-config --set /etc/neutron/neutron.conf keystone_authtoken project_domain_name default openstack-config --set /etc/neutron/neutron.conf keystone_authtoken user_domain_name default openstack-config --set /etc/neutron/neutron.conf keystone_authtoken project_name service openstack-config --set /etc/neutron/neutron.conf keystone_authtoken username neutron openstack-config --set /etc/neutron/neutron.conf keystone_authtoken password 000000
在[DEFAULT]和[nova]部分中,配置Networking以通知Compute网络拓扑变化:
[DEFAULT] notify_nova_on_port_status_changes = true notify_nova_on_port_data_changes = true [nova] auth_url = http://controller:5000 auth_type = password project_domain_name = default user_domain_name = default region_name = RegionOne project_name = service username = nova password = 000000 # 可使用以下命令直接修改 openstack-config --set /etc/neutron/neutron.conf DEFAULT notify_nova_on_port_status_changes true openstack-config --set /etc/neutron/neutron.conf DEFAULT notify_nova_on_port_data_changes true openstack-config --set /etc/neutron/neutron.conf nova auth_url http://controller:5000 openstack-config --set /etc/neutron/neutron.conf nova auth_type password openstack-config --set /etc/neutron/neutron.conf nova project_domain_name default openstack-config --set /etc/neutron/neutron.conf nova user_domain_name default openstack-config --set /etc/neutron/neutron.conf nova region_name RegionOne openstack-config --set /etc/neutron/neutron.conf nova project_name service openstack-config --set /etc/neutron/neutron.conf nova username nova openstack-config --set /etc/neutron/neutron.conf nova password 000000
在[oslo_concurrency]部分,配置锁路径:
[oslo_concurrency] lock_path = /var/lib/neutron/tmp # 可使用以下命令直接修改 openstack-config --set /etc/neutron/neutron.conf oslo_concurrency lock_path /var/lib/neutron/tmp
7、配置模块化第2层(ML2)插件
编辑/etc/neutron/plugins/ml2/ml2_conf.ini文件,完成如下操作:
在[m12]部分,启用平面和VLAN网络:
[ml2] type_drivers = flat,vlan # 可使用以下命令直接修改 openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini ml2 type_drivers flat,vlan
在[m12]部分,禁用自助网络:
[ml2] tenant_network_types = # 可使用以下命令直接修改 openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini ml2 tenant_network_types vxlan
在[m12]部分,启用Linux桥接机制:
[ml2] mechanism_drivers = linuxbridge # 可使用以下命令直接修改 openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini ml2 mechanism_drivers linuxbridge
在[ml2]部分,启用端口安全扩展驱动程序:
[ml2] extension_drivers = port_security # 可使用以下命令直接修改 openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini ml2 extension_drivers port_security
在[ml2_type_flat]部分中,将提供商虚拟网络配置为平面网络:
[ml2_type_flat] flat_networks = provider # 可使用以下命令直接修改 openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini ml2_type_flat flat_networks provider
在[securitygroup]部分,启用ipset,提高安全组规则的效率:
[securitygroup] enable_ipset = true # 可使用以下命令直接修改 openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini securitygroup enable_ipset true
8、配置Linux网桥代理
编辑/etc/neutron/plugins/ml2/linuxbridge_agent.ini文件,完成如下操作:
在[linux_bridge]部分,将提供商虚拟网络映射到提供商物理网络接口:
[linux_bridge] physical_interface_mappings = provider:ens34 # 可使用以下命令直接修改 openstack-config --set /etc/neutron/plugins/ml2/linuxbridge_agent.ini linux_bridge physical_interface_mappings provider:ens34
在[vxlan]区域,禁用vxlan覆盖网络:
[vxlan] enable_vxlan = false # 可使用以下命令直接修改 openstack-config --set /etc/neutron/plugins/ml2/linuxbridge_agent.ini vxlan enable_vxlan false
在[securitygroup]部分,启用安全组并配置Linux bridge iptables防火墙驱动程序:
[securitygroup] enable_security_group = true firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver # 可使用以下命令直接修改 openstack-config --set /etc/neutron/plugins/ml2/linuxbridge_agent.ini securitygroup enable_security_group true openstack-config --set /etc/neutron/plugins/ml2/linuxbridge_agent.ini securitygroup firewall_driver neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
配置内核参数
vi /etc/sysctl.conf net.bridge.bridge-nf-call-iptables = 1 net.bridge.bridge-nf-call-ip6tables = 1 # 永久加载模块 cat > /etc/modules-load.d/neutron-bridge.conf <<EOF br_netfilter EOF ## 配置开机启动 systemctl restart systemd-modules-load systemctl enable systemd-modules-load sysctl -p
9、配置DHCP代理
编辑/etc/neutron/dhcp_agent.ini文件,完成如下操作:
在[DEFAULT]部分,配置Linux桥接接口驱动程序,Dnsmasq DHCP驱动程序,并启用隔离元数
据,以便提供商网络上的实例可以通过网络访问元数据
[DEFAULT] interface_driver = linuxbridge dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq enable_isolated_metadata = true # 可使用以下命令直接修改 openstack-config --set /etc/neutron/dhcp_agent.ini DEFAULT interface_driver linuxbridge openstack-config --set /etc/neutron/dhcp_agent.ini DEFAULT dhcp_driver neutron.agent.linux.dhcp.Dnsmasq openstack-config --set /etc/neutron/dhcp_agent.ini DEFAULT enable_isolated_metadata true
