Openstack Train配置手册

05实现Neutron-3节点配置

snow chuai汇总、整理、撰写---2020/3/3

1. 拓扑

     ------------+---------------------------+---------------------------+------------
                 |                           |                           |
             eth0|192.168.10.11          eth0|192.168.10.12          eth0|192.168.10.13
     +-----------+-----------+   +-----------+-----------+   +-----------+-----------+
     |    [ Control Node ]   |   |    [ Network Node ]   |   |    [ Compute Node ]   |
     |   [node1.1000cc.net]  |   |   [node3.1000cc.net]  |   |   [node2.1000cc.net]   |
     |  MariaDB    RabbitMQ  |   |      Open vSwitch     |   |        Libvirt        |
     |  Memcached  httpd     |   |        L2 Agent       |   |     Nova Compute      |
     |  Keystone   Glance    |   |        L3 Agent       |   |      Open vSwitch     |
     |  Nova API             |   |     Metadata Agent    |   |        L2 Agent       |
     |  Neutron Server       |   |                       |   |                       |
     |  Metadata Agent       |   |                       |   |                       |
     +-----------------------+   +-----------------------+   +-----------------------+

2. 添加Neutron用户并注册至Keystone中

[root@node1 ~(keystone)]# openstack user create --domain default --project service --password servicepassword neutron
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| default_project_id  | 7972f61f4a1c4f2592d2bb6dc7711e81 |
| domain_id           | default                          |
| enabled             | True                             |
| id                  | 37f3776739a4424b9c5a6e20f44da658 |
| name                | neutron                          |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+

[root@node1 ~(keystone)]# openstack role add --project service --user neutron admin

[root@node1 ~(keystone)]# openstack service create --name neutron --description "OpenStack Networking service" network
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | OpenStack Networking service     |
| enabled     | True                             |
| id          | ba2106a3287947549f57bd1e436f83e4 |
| name        | neutron                          |
| type        | network                          |
+-------------+----------------------------------+

# 设定endpoint信息
[root@node1 ~(keystone)]# openstack endpoint create --region RegionOne network public http://192.168.10.11:9696
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 15c6dfb69fc34d9ebd0980d614ebe3fb |
| interface    | public                           |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | ba2106a3287947549f57bd1e436f83e4 |
| service_name | neutron                          |
| service_type | network                          |
| url          | http://192.168.10.11:9696        |
+--------------+----------------------------------+

[root@node1 ~(keystone)]# openstack endpoint create --region RegionOne network internal http://192.168.10.11:9696
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | c440663c78b944a5bc6b7351d70b7312 |
| interface    | internal                         |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | ba2106a3287947549f57bd1e436f83e4 |
| service_name | neutron                          |
| service_type | network                          |
| url          | http://192.168.10.11:9696        |
+--------------+----------------------------------+

[root@node1 ~(keystone)]# openstack endpoint create --region RegionOne network admin http://192.168.10.11:9696
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | c18c06ee2cac43e190d867fa4ba5a79b |
| interface    | admin                            |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | ba2106a3287947549f57bd1e436f83e4 |
| service_name | neutron                          |
| service_type | network                          |
| url          | http://192.168.10.11:9696        |
+--------------+----------------------------------+

3. 添加Neutron数据库信息

[root@node1 ~(keystone)]# mysql -u root -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 55
Server version: 10.1.20-MariaDB MariaDB Server

Copyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> create database neutron_ml2;
Query OK, 1 row affected (0.01 sec)

MariaDB [(none)]> grant all privileges on neutron_ml2.* to neutron@'localhost' identified by 'password';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> grant all privileges on neutron_ml2.* to neutron@'%' identified by 'password';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> exit
Bye

4. 在控制节点安装[node1]及配置Neutron

1) 安装Neutron Service到控制节点
[root@node1 ~]# yum --enablerepo=centos-openstack-train,epel install openstack-neutron openstack-neutron-ml2  -y

2) 配置Neutron主配置文件
[root@node1 ~(keystone)]# mv /etc/neutron/neutron.conf /etc/neutron/neutron.conf.bak
[root@node1 ~(keystone)]# vim /etc/neutron/neutron.conf
[DEFAULT]
core_plugin = ml2
service_plugins = router
auth_strategy = keystone
state_path = /var/lib/neutron
dhcp_agent_notification = True
allow_overlapping_ips = True
notify_nova_on_port_status_changes = True
notify_nova_on_port_data_changes = True

transport_url = rabbit://openstack:password@192.168.10.11

[keystone_authtoken]
www_authenticate_uri = http://192.168.10.11:5000
auth_url = http://192.168.10.11:5000
memcached_servers = 192.168.10.11:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = neutron
password = servicepassword

[database]
connection = mysql+pymysql://neutron:password@192.168.10.11/neutron_ml2

[nova]
auth_url = http://192.168.10.11:5000
auth_type = password
project_domain_name = default
user_domain_name = default
region_name = RegionOne
project_name = service
username = nova
password = servicepassword

[oslo_concurrency]
lock_path = $state_path/tmp

[root@node1 ~(keystone)]# chmod 640 /etc/neutron/neutron.conf
[root@node1 ~(keystone)]# chgrp neutron /etc/neutron/neutron.conf

3) 配置metadata_agent
[root@node1 ~(keystone)]# vim /etc/neutron/metadata_agent.ini
# 于2行,添加Nova AIP信息
nova_metadata_host = 192.168.10.11

# 并指定共享秘钥
metadata_proxy_shared_secret = qyy_openstack

# 取消212行注释,并指定Memcache Server
memcache_servers = 192.168.10.11:11211

4) 配置ml2
[root@node1 ~(keystone)]# vim /etc/neutron/plugins/ml2/ml2_conf.ini
......
......
......
......
......
......

# 于文件最底部添加如下内容
[ml2]
type_drivers = flat,vlan,gre,vxlan
tenant_network_types =
mechanism_drivers = openvswitch
extension_drivers = port_security

5) 配置nova
[root@node1 ~(keystone)]# vim /etc/nova/nova.conf
# 于[DEFAULT]区段下添加如下内容
[DEFAULT]
......
......
......
......
......
......

use_neutron = True
linuxnet_interface_driver = nova.network.linux_net.LinuxOVSInterfaceDriver
firewall_driver = nova.virt.firewall.NoopFirewallDriver

......
......
......
......
......
......

# 于文件最后，添加Neutron认证信息及设定认证共享密码
[neutron]
auth_url = http://192.168.10.11:5000
auth_type = password
project_domain_name = default
user_domain_name = default
region_name = RegionOne
project_name = service
username = neutron
password = servicepassword
service_metadata_proxy = True
metadata_proxy_shared_secret = qyy_openstack

5) SElinux设定及防火墙设定
[root@node1 ~(keystone)]# yum --enablerepo=centos-openstack-train -y install openstack-selinux
[root@node1 ~(keystone)]# setsebool -P neutron_can_network on
[root@node1 ~(keystone)]# setsebool -P daemons_enable_cluster_mode on

[root@node1 ~(keystone)]# firewall-cmd --add-port=9696/tcp --permanent
success
[root@node1 ~(keystone)]# firewall-cmd --reload
success

6) 启动Neutron服务
[root@node1 ~(keystone)]# ln -s /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini
[root@node1 ~(keystone)]# su -s /bin/bash neutron -c "neutron-db-manage \
--config-file /etc/neutron/neutron.conf \
--config-file /etc/neutron/plugin.ini upgrade head"

[root@node1 ~(keystone)]# systemctl enable --now neutron-server neutron-metadata-agent
[root@node1 ~(keystone)]# systemctl restart openstack-nova-api

5. 在网络节点[nod3]配置Neutron

1) 安装Neurton
[root@node3 ~]# yum install centos-release-openstack-train -y
[root@node3 ~]# sed -i -e "s/enabled=1/enabled=0/g" /etc/yum.repos.d/CentOS-OpenStack-train.repo

[root@node3 ~]# yum --enablerepo=centos-openstack-train,epel install openstack-neutron openstack-neutron-ml2 openstack-neutron-openvswitch libibverbs -y

2) 配置Neurton
[root@node3 ~]# mv /etc/neutron/neutron.conf /etc/neutron/neutron.conf.bak
[root@node3 ~]# vim /etc/neutron/neutron.conf
[DEFAULT]
core_plugin = ml2
service_plugins = router
auth_strategy = keystone
state_path = /var/lib/neutron
allow_overlapping_ips = True

transport_url = rabbit://openstack:password@192.168.10.11

[keystone_authtoken]
www_authenticate_uri = http://192.168.10.11:5000
auth_url = http://192.168.10.11:5000
memcached_servers = 192.168.10.11:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = neutron
password = servicepassword

[oslo_concurrency]
lock_path = $state_path/lock

[root@node3 ~]# chmod 640 /etc/neutron/neutron.conf
[root@node3 ~]# chgrp neutron /etc/neutron/neutron.conf

3) 配置L3
[root@node3 ~]# vim /etc/neutron/l3_agent.ini
# 于第2行，添加如下内容
interface_driver = openvswitch

4) 配置dhcp_agent
[root@network ~]# vim /etc/neutron/dhcp_agent.ini
# 于第2行，添加如下内容
interface_driver = openvswitch
dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq
enable_isolated_metadata = true

5) 配置metadata_agent
[root@network ~]# vim /etc/neutron/metadata_agent.ini
# 于第2添加Nova AIP信息
nova_metadata_host = 192.168.10.11

# 指定共享密码
metadata_proxy_shared_secret = qyy_openstack

# 取消212行注释,并指定Memcached信息
memcache_servers = 192.168.10.11:11211

6) 配置ML2
[root@node3 ~]# vim /etc/neutron/plugins/ml2/ml2_conf.ini
......
......
......
......
......
......

# 于文件最后添加所支持的驱动及相关信息
[ml2]
type_drivers = flat,vlan,gre,vxlan
tenant_network_types =
mechanism_drivers = openvswitch
extension_drivers = port_security

7) 配置OVS
[root@network ~]# vim /etc/neutron/plugins/ml2/openvswitch_agent.ini
......
......
......
......
......
......

# 于文件最后，添加如下内容
[securitygroup]
firewall_driver = openvswitch
enable_security_group = true
enable_ipset = true

8) SELinux设置
[root@node3 ~]# yum --enablerepo=centos-openstack-train -y install openstack-selinux
[root@node3 ~]# setsebool -P neutron_can_network on
[root@node3 ~]# setsebool -P haproxy_connect_any on
[root@node3 ~]# setsebool -P daemons_enable_cluster_mode on

[root@node3 ~]# vim my-ovsofctl.te
module my-ovsofctl 1.0;require {
        type neutron_t;
        class capability sys_rawio;
}

#============= neutron_t ==============
allow neutron_t self:capability sys_rawio;

[root@node3 ~]# checkmodule -m -M -o my-ovsofctl.mod my-ovsofctl.te
checkmodule: loading policy configuration from my-ovsofctl.te
checkmodule: policy configuration loaded
checkmodule: writing binary representation (version 17) to my-ovsofctl.mod
[root@node3 ~]# semodule_package --outfile my-ovsofctl.pp --module my-ovsofctl.mod
[root@node3 ~]# semodule -i my-ovsofctl.pp

9) 启动Neutron服务
[root@node3 ~]# ln -s /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini
[root@node3 ~]# systemctl enable --now openvswitch
[root@node3 ~]# ovs-vsctl add-br br-int
[root@node3 ~]# systemctl enable --now neutron-dhcp-agent neutron-l3-agent neutron-metadata-agent neutron-openvswitch-agent

6. 于计算节点配置Neutron

1) 安装Neutron组件
[root@node2 ~]# yum --enablerepo=centos-openstack-train,epel install openstack-neutron openstack-neutron-ml2 openstack-neutron-openvswitch -y

2) 配置Neutron
[root@node2 ~]# mv /etc/neutron/neutron.conf /etc/neutron/neutron.conf.bak
[root@node2 ~]# vim /etc/neutron/neutron.conf
[DEFAULT]
core_plugin = ml2
service_plugins = router
auth_strategy = keystone
state_path = /var/lib/neutron
allow_overlapping_ips = True

transport_url = rabbit://openstack:password@192.168.10.11

[keystone_authtoken]
www_authenticate_uri = http://192.168.10.11:5000
auth_url = http://192.168.10.11:5000
memcached_servers = 192.168.10.11:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = neutron
password = servicepassword

[oslo_concurrency]
lock_path = $state_path/lock

[root@node2 ~]# chmod 640 /etc/neutron/neutron.conf
[root@node2 ~]# chgrp neutron /etc/neutron/neutron.conf

3) 配置ML2
[root@node2 ~]# vim /etc/neutron/plugins/ml2/ml2_conf.ini
......
......
......
......
......
......

# 于文件最底部,添加如下内容
[ml2]
type_drivers = flat,vlan,gre,vxlan
tenant_network_types =
mechanism_drivers = openvswitch,l2population
extension_drivers = port_security

4) 配置ovs
[root@node2 ~]# vim /etc/neutron/plugins/ml2/openvswitch_agent.ini
......
......
......
......
......
......

# 于文件最底部,添加如下内容
[securitygroup]
firewall_driver = openvswitch
enable_security_group = true
enable_ipset = true

5) 配置nova
[root@node01 ~]# vim /etc/nova/nova.conf
# 于[DEFAULT]区段添加如下内容
[DEFAULT]
......
......
......
......
......
......

use_neutron = True
linuxnet_interface_driver = nova.network.linux_net.LinuxOVSInterfaceDriver
firewall_driver = nova.virt.firewall.NoopFirewallDriver
vif_plugging_is_fatal = True
vif_plugging_timeout = 300

......
......
......
......
......
......

# 于文件尾部,添加如下内容
[neutron]
auth_url = http://192.168.10.11:5000
auth_type = password
project_domain_name = default
user_domain_name = default
region_name = RegionOne
project_name = service
username = neutron
password = servicepassword
service_metadata_proxy = True
metadata_proxy_shared_secret = qyy_openstack

7) SELinux配置
[root@node2 ~]# yum --enablerepo=centos-openstack-train -y install openstack-selinux
[root@node2 ~]# setsebool -P neutron_can_network on
[root@node2 ~]# setsebool -P daemons_enable_cluster_mode on

[root@node2 ~]# vim my-ovsofctl.te
module my-ovsofctl 1.0;

require {
        type neutron_t;
        class capability sys_rawio;
}

#============= neutron_t ==============
allow neutron_t self:capability sys_rawio;

[root@node2 ~]# checkmodule -m -M -o my-ovsofctl.mod my-ovsofctl.te
checkmodule: loading policy configuration from my-ovsofctl.te
checkmodule: policy configuration loaded
checkmodule: writing binary representation (version 17) to my-ovsofctl.mod

[root@node2 ~]# semodule_package --outfile my-ovsofctl.pp --module my-ovsofctl.mod
[root@node2 ~]# semodule -i my-ovsofctl.pp

8) 启动Neutron服务
[root@node2 ~]# ln -s /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini
[root@node2 ~]# systemctl enable --now openvswitch
[root@node2 ~]# ovs-vsctl add-br br-int
[root@node2 ~]# systemctl restart openstack-nova-compute
[root@node2 ~]# systemctl enable --now neutron-openvswitch-agent

如对您有帮助，请随缘打个赏。^-^

gold