Openstack Train配置手册

05实现Neutron-3节点配置

snow chuai汇总、整理、撰写---2020/3/3


1. 拓扑
     ------------+---------------------------+---------------------------+------------
                 |                           |                           |
             eth0|192.168.10.11          eth0|192.168.10.12          eth0|192.168.10.13
     +-----------+-----------+   +-----------+-----------+   +-----------+-----------+
     |    [ Control Node ]   |   |    [ Network Node ]   |   |    [ Compute Node ]   |
     |   [node1.1000cc.net]  |   |   [node3.1000cc.net]  |   |   [node2.1000cc.net]   |
     |  MariaDB    RabbitMQ  |   |      Open vSwitch     |   |        Libvirt        |
     |  Memcached  httpd     |   |        L2 Agent       |   |     Nova Compute      |
     |  Keystone   Glance    |   |        L3 Agent       |   |      Open vSwitch     |
     |  Nova API             |   |     Metadata Agent    |   |        L2 Agent       |
     |  Neutron Server       |   |                       |   |                       |
     |  Metadata Agent       |   |                       |   |                       |
     +-----------------------+   +-----------------------+   +-----------------------+
2. 添加Neutron用户并注册至Keystone中
[root@node1 ~(keystone)]# openstack user create --domain default --project service --password servicepassword neutron
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| default_project_id  | 7972f61f4a1c4f2592d2bb6dc7711e81 |
| domain_id           | default                          |
| enabled             | True                             |
| id                  | 37f3776739a4424b9c5a6e20f44da658 |
| name                | neutron                          |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+
[root@node1 ~(keystone)]# openstack role add --project service --user neutron admin
[root@node1 ~(keystone)]# openstack service create --name neutron --description "OpenStack Networking service" network +-------------+----------------------------------+ | Field | Value | +-------------+----------------------------------+ | description | OpenStack Networking service | | enabled | True | | id | ba2106a3287947549f57bd1e436f83e4 | | name | neutron | | type | network | +-------------+----------------------------------+
# 设定endpoint信息 [root@node1 ~(keystone)]# openstack endpoint create --region RegionOne network public http://192.168.10.11:9696 +--------------+----------------------------------+ | Field | Value | +--------------+----------------------------------+ | enabled | True | | id | 15c6dfb69fc34d9ebd0980d614ebe3fb | | interface | public | | region | RegionOne | | region_id | RegionOne | | service_id | ba2106a3287947549f57bd1e436f83e4 | | service_name | neutron | | service_type | network | | url | http://192.168.10.11:9696 | +--------------+----------------------------------+
[root@node1 ~(keystone)]# openstack endpoint create --region RegionOne network internal http://192.168.10.11:9696 +--------------+----------------------------------+ | Field | Value | +--------------+----------------------------------+ | enabled | True | | id | c440663c78b944a5bc6b7351d70b7312 | | interface | internal | | region | RegionOne | | region_id | RegionOne | | service_id | ba2106a3287947549f57bd1e436f83e4 | | service_name | neutron | | service_type | network | | url | http://192.168.10.11:9696 | +--------------+----------------------------------+
[root@node1 ~(keystone)]# openstack endpoint create --region RegionOne network admin http://192.168.10.11:9696 +--------------+----------------------------------+ | Field | Value | +--------------+----------------------------------+ | enabled | True | | id | c18c06ee2cac43e190d867fa4ba5a79b | | interface | admin | | region | RegionOne | | region_id | RegionOne | | service_id | ba2106a3287947549f57bd1e436f83e4 | | service_name | neutron | | service_type | network | | url | http://192.168.10.11:9696 | +--------------+----------------------------------+
3. 添加Neutron数据库信息
[root@node1 ~(keystone)]# mysql -u root -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 55
Server version: 10.1.20-MariaDB MariaDB Server
Copyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> create database neutron_ml2; Query OK, 1 row affected (0.01 sec)
MariaDB [(none)]> grant all privileges on neutron_ml2.* to neutron@'localhost' identified by 'password'; Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> grant all privileges on neutron_ml2.* to neutron@'%' identified by 'password'; Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> flush privileges; Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> exit Bye
4. 在控制节点安装[node1]及配置Neutron
1) 安装Neutron Service到控制节点
[root@node1 ~]# yum --enablerepo=centos-openstack-train,epel install openstack-neutron openstack-neutron-ml2  -y
2) 配置Neutron主配置文件 [root@node1 ~(keystone)]# mv /etc/neutron/neutron.conf /etc/neutron/neutron.conf.bak [root@node1 ~(keystone)]# vim /etc/neutron/neutron.conf [DEFAULT] core_plugin = ml2 service_plugins = router auth_strategy = keystone state_path = /var/lib/neutron dhcp_agent_notification = True allow_overlapping_ips = True notify_nova_on_port_status_changes = True notify_nova_on_port_data_changes = True
transport_url = rabbit://openstack:password@192.168.10.11
[keystone_authtoken] www_authenticate_uri = http://192.168.10.11:5000 auth_url = http://192.168.10.11:5000 memcached_servers = 192.168.10.11:11211 auth_type = password project_domain_name = default user_domain_name = default project_name = service username = neutron password = servicepassword
[database] connection = mysql+pymysql://neutron:password@192.168.10.11/neutron_ml2
[nova] auth_url = http://192.168.10.11:5000 auth_type = password project_domain_name = default user_domain_name = default region_name = RegionOne project_name = service username = nova password = servicepassword
[oslo_concurrency] lock_path = $state_path/tmp

[root@node1 ~(keystone)]# chmod 640 /etc/neutron/neutron.conf [root@node1 ~(keystone)]# chgrp neutron /etc/neutron/neutron.conf
3) 配置metadata_agent [root@node1 ~(keystone)]# vim /etc/neutron/metadata_agent.ini # 于2行,添加Nova AIP信息 nova_metadata_host = 192.168.10.11
# 并指定共享秘钥 metadata_proxy_shared_secret = qyy_openstack
# 取消212行注释,并指定Memcache Server memcache_servers = 192.168.10.11:11211
4) 配置ml2 [root@node1 ~(keystone)]# vim /etc/neutron/plugins/ml2/ml2_conf.ini ...... ...... ...... ...... ...... ......
# 于文件最底部添加如下内容 [ml2] type_drivers = flat,vlan,gre,vxlan tenant_network_types = mechanism_drivers = openvswitch extension_drivers = port_security
5) 配置nova [root@node1 ~(keystone)]# vim /etc/nova/nova.conf # 于[DEFAULT]区段下添加如下内容 [DEFAULT] ...... ...... ...... ...... ...... ......
use_neutron = True linuxnet_interface_driver = nova.network.linux_net.LinuxOVSInterfaceDriver firewall_driver = nova.virt.firewall.NoopFirewallDriver
...... ...... ...... ...... ...... ......
# 于文件最后,添加Neutron认证信息及设定认证共享密码 [neutron] auth_url = http://192.168.10.11:5000 auth_type = password project_domain_name = default user_domain_name = default region_name = RegionOne project_name = service username = neutron password = servicepassword service_metadata_proxy = True metadata_proxy_shared_secret = qyy_openstack
5) SElinux设定及防火墙设定 [root@node1 ~(keystone)]# yum --enablerepo=centos-openstack-train -y install openstack-selinux [root@node1 ~(keystone)]# setsebool -P neutron_can_network on [root@node1 ~(keystone)]# setsebool -P daemons_enable_cluster_mode on
[root@node1 ~(keystone)]# firewall-cmd --add-port=9696/tcp --permanent success [root@node1 ~(keystone)]# firewall-cmd --reload success
6) 启动Neutron服务 [root@node1 ~(keystone)]# ln -s /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini [root@node1 ~(keystone)]# su -s /bin/bash neutron -c "neutron-db-manage \ --config-file /etc/neutron/neutron.conf \ --config-file /etc/neutron/plugin.ini upgrade head"
[root@node1 ~(keystone)]# systemctl enable --now neutron-server neutron-metadata-agent [root@node1 ~(keystone)]# systemctl restart openstack-nova-api
5. 在网络节点[nod3]配置Neutron
1) 安装Neurton
[root@node3 ~]# yum install centos-release-openstack-train -y
[root@node3 ~]# sed -i -e "s/enabled=1/enabled=0/g" /etc/yum.repos.d/CentOS-OpenStack-train.repo
[root@node3 ~]# yum --enablerepo=centos-openstack-train,epel install openstack-neutron openstack-neutron-ml2 openstack-neutron-openvswitch libibverbs -y
2) 配置Neurton [root@node3 ~]# mv /etc/neutron/neutron.conf /etc/neutron/neutron.conf.bak [root@node3 ~]# vim /etc/neutron/neutron.conf [DEFAULT] core_plugin = ml2 service_plugins = router auth_strategy = keystone state_path = /var/lib/neutron allow_overlapping_ips = True
transport_url = rabbit://openstack:password@192.168.10.11
[keystone_authtoken] www_authenticate_uri = http://192.168.10.11:5000 auth_url = http://192.168.10.11:5000 memcached_servers = 192.168.10.11:11211 auth_type = password project_domain_name = default user_domain_name = default project_name = service username = neutron password = servicepassword
[oslo_concurrency] lock_path = $state_path/lock

[root@node3 ~]# chmod 640 /etc/neutron/neutron.conf [root@node3 ~]# chgrp neutron /etc/neutron/neutron.conf
3) 配置L3 [root@node3 ~]# vim /etc/neutron/l3_agent.ini # 于第2行,添加如下内容 interface_driver = openvswitch
4) 配置dhcp_agent [root@network ~]# vim /etc/neutron/dhcp_agent.ini # 于第2行,添加如下内容 interface_driver = openvswitch dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq enable_isolated_metadata = true
5) 配置metadata_agent [root@network ~]# vim /etc/neutron/metadata_agent.ini # 于第2添加Nova AIP信息 nova_metadata_host = 192.168.10.11
# 指定共享密码 metadata_proxy_shared_secret = qyy_openstack
# 取消212行注释,并指定Memcached信息 memcache_servers = 192.168.10.11:11211
6) 配置ML2 [root@node3 ~]# vim /etc/neutron/plugins/ml2/ml2_conf.ini ...... ...... ...... ...... ...... ......
# 于文件最后添加所支持的驱动及相关信息 [ml2] type_drivers = flat,vlan,gre,vxlan tenant_network_types = mechanism_drivers = openvswitch extension_drivers = port_security
7) 配置OVS [root@network ~]# vim /etc/neutron/plugins/ml2/openvswitch_agent.ini ...... ...... ...... ...... ...... ......
# 于文件最后,添加如下内容 [securitygroup] firewall_driver = openvswitch enable_security_group = true enable_ipset = true
8) SELinux设置 [root@node3 ~]# yum --enablerepo=centos-openstack-train -y install openstack-selinux [root@node3 ~]# setsebool -P neutron_can_network on [root@node3 ~]# setsebool -P haproxy_connect_any on [root@node3 ~]# setsebool -P daemons_enable_cluster_mode on
[root@node3 ~]# vim my-ovsofctl.te module my-ovsofctl 1.0;require { type neutron_t; class capability sys_rawio; }
#============= neutron_t ============== allow neutron_t self:capability sys_rawio;

[root@node3 ~]# checkmodule -m -M -o my-ovsofctl.mod my-ovsofctl.te checkmodule: loading policy configuration from my-ovsofctl.te checkmodule: policy configuration loaded checkmodule: writing binary representation (version 17) to my-ovsofctl.mod [root@node3 ~]# semodule_package --outfile my-ovsofctl.pp --module my-ovsofctl.mod [root@node3 ~]# semodule -i my-ovsofctl.pp
9) 启动Neutron服务 [root@node3 ~]# ln -s /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini [root@node3 ~]# systemctl enable --now openvswitch [root@node3 ~]# ovs-vsctl add-br br-int [root@node3 ~]# systemctl enable --now neutron-dhcp-agent neutron-l3-agent neutron-metadata-agent neutron-openvswitch-agent
6. 于计算节点配置Neutron
1) 安装Neutron组件
[root@node2 ~]# yum --enablerepo=centos-openstack-train,epel install openstack-neutron openstack-neutron-ml2 openstack-neutron-openvswitch -y
2) 配置Neutron [root@node2 ~]# mv /etc/neutron/neutron.conf /etc/neutron/neutron.conf.bak [root@node2 ~]# vim /etc/neutron/neutron.conf [DEFAULT] core_plugin = ml2 service_plugins = router auth_strategy = keystone state_path = /var/lib/neutron allow_overlapping_ips = True
transport_url = rabbit://openstack:password@192.168.10.11
[keystone_authtoken] www_authenticate_uri = http://192.168.10.11:5000 auth_url = http://192.168.10.11:5000 memcached_servers = 192.168.10.11:11211 auth_type = password project_domain_name = default user_domain_name = default project_name = service username = neutron password = servicepassword
[oslo_concurrency] lock_path = $state_path/lock

[root@node2 ~]# chmod 640 /etc/neutron/neutron.conf [root@node2 ~]# chgrp neutron /etc/neutron/neutron.conf
3) 配置ML2 [root@node2 ~]# vim /etc/neutron/plugins/ml2/ml2_conf.ini ...... ...... ...... ...... ...... ......
# 于文件最底部,添加如下内容 [ml2] type_drivers = flat,vlan,gre,vxlan tenant_network_types = mechanism_drivers = openvswitch,l2population extension_drivers = port_security
4) 配置ovs [root@node2 ~]# vim /etc/neutron/plugins/ml2/openvswitch_agent.ini ...... ...... ...... ...... ...... ......
# 于文件最底部,添加如下内容 [securitygroup] firewall_driver = openvswitch enable_security_group = true enable_ipset = true
5) 配置nova [root@node01 ~]# vim /etc/nova/nova.conf # 于[DEFAULT]区段添加如下内容 [DEFAULT] ...... ...... ...... ...... ...... ......
use_neutron = True linuxnet_interface_driver = nova.network.linux_net.LinuxOVSInterfaceDriver firewall_driver = nova.virt.firewall.NoopFirewallDriver vif_plugging_is_fatal = True vif_plugging_timeout = 300
...... ...... ...... ...... ...... ......
# 于文件尾部,添加如下内容 [neutron] auth_url = http://192.168.10.11:5000 auth_type = password project_domain_name = default user_domain_name = default region_name = RegionOne project_name = service username = neutron password = servicepassword service_metadata_proxy = True metadata_proxy_shared_secret = qyy_openstack
7) SELinux配置 [root@node2 ~]# yum --enablerepo=centos-openstack-train -y install openstack-selinux [root@node2 ~]# setsebool -P neutron_can_network on [root@node2 ~]# setsebool -P daemons_enable_cluster_mode on
[root@node2 ~]# vim my-ovsofctl.te module my-ovsofctl 1.0;
require { type neutron_t; class capability sys_rawio; }
#============= neutron_t ============== allow neutron_t self:capability sys_rawio;

[root@node2 ~]# checkmodule -m -M -o my-ovsofctl.mod my-ovsofctl.te checkmodule: loading policy configuration from my-ovsofctl.te checkmodule: policy configuration loaded checkmodule: writing binary representation (version 17) to my-ovsofctl.mod
[root@node2 ~]# semodule_package --outfile my-ovsofctl.pp --module my-ovsofctl.mod [root@node2 ~]# semodule -i my-ovsofctl.pp
8) 启动Neutron服务 [root@node2 ~]# ln -s /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini [root@node2 ~]# systemctl enable --now openvswitch [root@node2 ~]# ovs-vsctl add-br br-int [root@node2 ~]# systemctl restart openstack-nova-compute [root@node2 ~]# systemctl enable --now neutron-openvswitch-agent

 

如对您有帮助,请随缘打个赏。^-^

gold