• OpenStack Learning Series, Part 6: Installing and Deploying the Neutron Service


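    1. Neutron provides networking for the whole OpenStack environment, including layer-2 switching, layer-3 routing, load balancing, firewalling and VPN. Neutron offers a flexible framework: through configuration, either open-source or commercial software can be used to implement these functions.
    2. Layer-2 switching
        1. Nova instances connect to virtual layer-2 networks through virtual switches. Neutron supports several virtual switches, including Linux's native Linux Bridge and Open vSwitch. Open vSwitch (OVS) is an open-source virtual switch that supports standard management interfaces and protocols.
        2. With Linux Bridge and OVS, Neutron can create traditional VLAN networks as well as tunnel-based overlay networks such as VxLAN and GRE (Linux Bridge currently supports only VxLAN).
    3. Layer-3 routing
        1. Instances can be given IPs in different subnets, and Neutron's router (a virtual router) lets instances communicate across subnets. The router implements routing and NAT using IP forwarding, iptables and similar techniques.
        2. A Neutron router is a layer-3 (L3) abstraction that emulates a physical router and provides routing, NAT and other services to users. In an OpenStack network, communication between different subnets requires a router, and communication between a network and external networks requires one all the more.
        3. Neutron provides virtual routers and also supports physical routers. For example, two isolated VLAN networks that need to communicate can do so through a physical router, which supplies the IP routing table that ensures communication between the two IP subnets. The default gateways of the virtual machines in the two VLAN networks are set to the IP addresses of router interfaces A and B respectively. When a virtual machine in VLAN A communicates with a virtual machine in VLAN B, the packet travels through the physical NIC in VLAN A to the router, is forwarded by the physical router to the physical NIC in VLAN B, and then reaches the destination virtual machine.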
     

    1. Install the networking service (controller node, node1)

    ---------------------------------------------# Initialize the database; the MySQL user/password neutron connects with is neutron/neutron
    mysql -uroot -pmysql << EOF
    CREATE DATABASE neutron;
    GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'localhost' \
      IDENTIFIED BY 'neutron';
    GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'%' \
      IDENTIFIED BY 'neutron';
    EOF
    
    ---------------------------------------------# Create the user; run on node1
    [root@node1 ~]# . admin-openrc
    [root@node1 ~]# openstack user create --domain default --password-prompt neutron # enter neutron as the password for the neutron user
    User Password:
    Repeat User Password:
    +---------------------+----------------------------------+
    | Field               | Value                            |
    +---------------------+----------------------------------+
    | domain_id           | default                          |
    | enabled             | True                             |
    | id                  | bfe0e7a129244dbb80b591f864484648 |
    | name                | neutron                          |
    | options             | {}                               |
    | password_expires_at | None                             |
    +---------------------+----------------------------------+
    [root@node1 ~]# openstack role add --project service --user neutron admin
    [root@node1 ~]# openstack service create --name neutron --description "OpenStack Networking" network
    +-------------+----------------------------------+
    | Field       | Value                            |
    +-------------+----------------------------------+
    | description | OpenStack Networking             |
    | enabled     | True                             |
    | id          | c856ae5ec14f4e1986698a50acc5e2e9 |
    | name        | neutron                          |
    | type        | network                          |
    +-------------+----------------------------------+
    [root@node1 ~]# openstack endpoint create --region RegionOne network public http://node1:9696
    +--------------+----------------------------------+
    | Field        | Value                            |
    +--------------+----------------------------------+
    | enabled      | True                             |
    | id           | 8cd127afafbd4e6fb41c4f79a29c6431 |
    | interface    | public                           |
    | region       | RegionOne                        |
    | region_id    | RegionOne                        |
    | service_id   | c856ae5ec14f4e1986698a50acc5e2e9 |
    | service_name | neutron                          |
    | service_type | network                          |
    | url          | http://node1:9696                |
    +--------------+----------------------------------+
    [root@node1 ~]# openstack endpoint create --region RegionOne network internal http://node1:9696
    +--------------+----------------------------------+
    | Field        | Value                            |
    +--------------+----------------------------------+
    | enabled      | True                             |
    | id           | a3c183996c9c4da5a9f2ecbc5cfa2a48 |
    | interface    | internal                         |
    | region       | RegionOne                        |
    | region_id    | RegionOne                        |
    | service_id   | c856ae5ec14f4e1986698a50acc5e2e9 |
    | service_name | neutron                          |
    | service_type | network                          |
    | url          | http://node1:9696                |
    +--------------+----------------------------------+
    [root@node1 ~]# openstack endpoint create --region RegionOne network admin http://node1:9696
    +--------------+----------------------------------+
    | Field        | Value                            |
    +--------------+----------------------------------+
    | enabled      | True                             |
    | id           | 8021e7393fba4a6da0ed204777f19021 |
    | interface    | admin                            |
    | region       | RegionOne                        |
    | region_id    | RegionOne                        |
    | service_id   | c856ae5ec14f4e1986698a50acc5e2e9 |
    | service_name | neutron                          |
    | service_type | network                          |
    | url          | http://node1:9696                |
    +--------------+----------------------------------+
    
    ---------------------------------------------# Choose Provider networks
    yum install -y openstack-neutron openstack-neutron-ml2 openstack-neutron-linuxbridge ebtables
    crudini --set /etc/neutron/neutron.conf DEFAULT core_plugin ml2
    crudini --set /etc/neutron/neutron.conf DEFAULT service_plugins router  # L3
    crudini --set /etc/neutron/neutron.conf DEFAULT allow_overlapping_ips true # L3
    crudini --set /etc/neutron/neutron.conf DEFAULT transport_url rabbit://openstack:openstack@node1
    crudini --set /etc/neutron/neutron.conf DEFAULT auth_strategy keystone
    crudini --set /etc/neutron/neutron.conf DEFAULT notify_nova_on_port_status_changes true
    crudini --set /etc/neutron/neutron.conf DEFAULT notify_nova_on_port_data_changes true
    crudini --set /etc/neutron/neutron.conf database connection mysql+pymysql://neutron:neutron@node1/neutron
    crudini --set /etc/neutron/neutron.conf keystone_authtoken www_authenticate_uri http://node1:5000
    crudini --set /etc/neutron/neutron.conf keystone_authtoken auth_url http://node1:5000
    crudini --set /etc/neutron/neutron.conf keystone_authtoken memcached_servers node1:11211
    crudini --set /etc/neutron/neutron.conf keystone_authtoken auth_type password
    crudini --set /etc/neutron/neutron.conf keystone_authtoken project_domain_name default
    crudini --set /etc/neutron/neutron.conf keystone_authtoken user_domain_name default
    crudini --set /etc/neutron/neutron.conf keystone_authtoken project_name service
    crudini --set /etc/neutron/neutron.conf keystone_authtoken username neutron
    crudini --set /etc/neutron/neutron.conf keystone_authtoken password neutron
    crudini --set /etc/neutron/neutron.conf nova auth_url http://node1:5000
    crudini --set /etc/neutron/neutron.conf nova auth_type password
    crudini --set /etc/neutron/neutron.conf nova project_domain_name default
    crudini --set /etc/neutron/neutron.conf nova user_domain_name default
    crudini --set /etc/neutron/neutron.conf nova region_name RegionOne
    crudini --set /etc/neutron/neutron.conf nova project_name service
    crudini --set /etc/neutron/neutron.conf nova username nova
    crudini --set /etc/neutron/neutron.conf nova password nova
    crudini --set /etc/neutron/neutron.conf oslo_concurrency lock_path /var/lib/neutron/tmp
    
    ---------------------------------------------
    crudini --set /etc/neutron/plugins/ml2/ml2_conf.ini ml2 type_drivers local,flat,vlan,gre,vxlan,geneve
    crudini --set /etc/neutron/plugins/ml2/ml2_conf.ini ml2 tenant_network_types vxlan # L3; default behavior: the type used when no network type is specified or when a network is created from the project side
    crudini --set /etc/neutron/plugins/ml2/ml2_conf.ini ml2 mechanism_drivers linuxbridge,l2population  # L3
    crudini --set /etc/neutron/plugins/ml2/ml2_conf.ini ml2 extension_drivers port_security
    crudini --set /etc/neutron/plugins/ml2/ml2_conf.ini ml2_type_flat flat_networks provider,inside    # define two networks
    crudini --set /etc/neutron/plugins/ml2/ml2_conf.ini ml2_type_vxlan vni_ranges 1:1000 # L3
    crudini --set /etc/neutron/plugins/ml2/ml2_conf.ini ml2_type_vlan network_vlan_ranges provider:1001:2000 # L3
    crudini --set /etc/neutron/plugins/ml2/ml2_conf.ini securitygroup enable_ipset true
    
    ---------------------------------------------
    crudini --set /etc/neutron/plugins/ml2/linuxbridge_agent.ini linux_bridge physical_interface_mappings provider:ens19,inside:ens20 # NIC names; the network the instances are on, second NIC
    crudini --set /etc/neutron/plugins/ml2/linuxbridge_agent.ini vxlan enable_vxlan true # L3
    crudini --set /etc/neutron/plugins/ml2/linuxbridge_agent.ini vxlan local_ip 192.168.31.101 # L3
    crudini --set /etc/neutron/plugins/ml2/linuxbridge_agent.ini securitygroup enable_security_group true
    crudini --set /etc/neutron/plugins/ml2/linuxbridge_agent.ini securitygroup firewall_driver neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
    ---------------------------------------------
    crudini --set /etc/neutron/l3_agent.ini DEFAULT interface_driver linuxbridge # L3
    ---------------------------------------------
    
    modprobe br_netfilter           
    echo 'net.bridge.bridge-nf-call-iptables=1' >> /etc/sysctl.conf
    echo 'net.bridge.bridge-nf-call-ip6tables=1' >> /etc/sysctl.conf
    sysctl  -p
    
    ---------------------------------------------
    crudini --set /etc/neutron/dhcp_agent.ini DEFAULT interface_driver linuxbridge
    crudini --set /etc/neutron/dhcp_agent.ini DEFAULT dhcp_driver neutron.agent.linux.dhcp.Dnsmasq
    crudini --set /etc/neutron/dhcp_agent.ini DEFAULT enable_isolated_metadata true
    
    ---------------------------------------------
    crudini --set /etc/neutron/metadata_agent.ini DEFAULT nova_metadata_host node1 # note: this is node1
    crudini --set /etc/neutron/metadata_agent.ini DEFAULT metadata_proxy_shared_secret 12345678  # METADATA_SECRET; must match the value in nova.conf
    
    ---------------------------------------------
    crudini --set /etc/nova/nova.conf neutron auth_url http://node1:5000
    crudini --set /etc/nova/nova.conf neutron auth_type password
    crudini --set /etc/nova/nova.conf neutron project_domain_name default
    crudini --set /etc/nova/nova.conf neutron user_domain_name default
    crudini --set /etc/nova/nova.conf neutron region_name RegionOne
    crudini --set /etc/nova/nova.conf neutron project_name service
    crudini --set /etc/nova/nova.conf neutron username neutron
    crudini --set /etc/nova/nova.conf neutron password neutron
    crudini --set /etc/nova/nova.conf neutron service_metadata_proxy true
    crudini --set /etc/nova/nova.conf neutron metadata_proxy_shared_secret 12345678  # METADATA_SECRET; must match the value in metadata_agent.ini
    
    ---------------------------------------------# Initialize the data
    ln -s /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini
     su -s /bin/sh -c "neutron-db-manage --config-file /etc/neutron/neutron.conf \
      --config-file /etc/neutron/plugins/ml2/ml2_conf.ini upgrade head" neutron
      
    ---------------------------------------------# Start the services
    systemctl restart openstack-nova-api.service
    systemctl enable neutron-server.service \
      neutron-linuxbridge-agent.service neutron-dhcp-agent.service \
      neutron-metadata-agent.service
    systemctl start neutron-server.service \
      neutron-linuxbridge-agent.service neutron-dhcp-agent.service \
      neutron-metadata-agent.service
    systemctl enable neutron-l3-agent; systemctl start neutron-l3-agent # L3

    2. Install the networking service (compute nodes, node2/node3/node4/node5)

    ---------------------------------------------# Choose Provider networks
    for i in $(seq 2 5);do ssh node$i "yum --enablerepo powertools -y install openstack-neutron-linuxbridge ebtables ipset" ;done   # run the install from node1
    
    # Configure each compute node (node2/node3/node4/node5) separately; the IP parameters must be changed to that node's own IP address
    crudini --set /etc/neutron/neutron.conf DEFAULT transport_url rabbit://openstack:openstack@node1
    crudini --set /etc/neutron/neutron.conf DEFAULT auth_strategy keystone
    crudini --set /etc/neutron/neutron.conf keystone_authtoken www_authenticate_uri http://node1:5000
    crudini --set /etc/neutron/neutron.conf keystone_authtoken auth_url http://node1:5000
    crudini --set /etc/neutron/neutron.conf keystone_authtoken memcached_servers node1:11211
    crudini --set /etc/neutron/neutron.conf keystone_authtoken auth_type password
    crudini --set /etc/neutron/neutron.conf keystone_authtoken project_domain_name default
    crudini --set /etc/neutron/neutron.conf keystone_authtoken user_domain_name default
    crudini --set /etc/neutron/neutron.conf keystone_authtoken project_name service
    crudini --set /etc/neutron/neutron.conf keystone_authtoken username neutron
    crudini --set /etc/neutron/neutron.conf keystone_authtoken password neutron
    crudini --set /etc/neutron/neutron.conf oslo_concurrency lock_path /var/lib/neutron/tmp
    
    ---------------------------------------------
    crudini --set /etc/neutron/plugins/ml2/linuxbridge_agent.ini linux_bridge physical_interface_mappings provider:ens19,inside:ens20 # NIC names; the network the instances are on, second NIC
    crudini --set /etc/neutron/plugins/ml2/linuxbridge_agent.ini vxlan enable_vxlan true  # L3
    crudini --set /etc/neutron/plugins/ml2/linuxbridge_agent.ini vxlan local_ip 192.168.31.102 # compute node IP address, L3
    crudini --set /etc/neutron/plugins/ml2/linuxbridge_agent.ini vxlan l2_population true # L3
    crudini --set /etc/neutron/plugins/ml2/linuxbridge_agent.ini securitygroup enable_security_group true
    crudini --set /etc/neutron/plugins/ml2/linuxbridge_agent.ini securitygroup firewall_driver neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
    
    ---------------------------------------------
    modprobe br_netfilter          
    echo 'net.bridge.bridge-nf-call-iptables=1' >> /etc/sysctl.conf
    echo 'net.bridge.bridge-nf-call-ip6tables=1' >> /etc/sysctl.conf
    sysctl  -p
    
    ---------------------------------------------
    crudini --set /etc/nova/nova.conf neutron auth_url http://node1:5000
    crudini --set /etc/nova/nova.conf neutron auth_type password
    crudini --set /etc/nova/nova.conf neutron project_domain_name default
    crudini --set /etc/nova/nova.conf neutron user_domain_name default
    crudini --set /etc/nova/nova.conf neutron region_name RegionOne
    crudini --set /etc/nova/nova.conf neutron project_name service
    crudini --set /etc/nova/nova.conf neutron username neutron
    crudini --set /etc/nova/nova.conf neutron password neutron
    
    ---------------------------------------------# Start the services
    systemctl restart openstack-nova-compute.service
    systemctl enable neutron-linuxbridge-agent.service
    systemctl start neutron-linuxbridge-agent.service
    
    ---------------------------------------------# Verify from the controller node; run on node1
    . admin-openrc
     openstack extension list --network
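
The metadata agent and nova steps above write the same metadata_proxy_shared_secret (12345678) into /etc/neutron/metadata_agent.ini and /etc/nova/nova.conf. The shell check below is an added example, not part of the original post: it reads both files, reports a missing, mismatched or weak secret, and can generate a random replacement. The helper names (ini_get, is_weak, gen_secret, audit_metadata_secret), the 32-character threshold and the sample files are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): audit metadata_proxy_shared_secret.

# ini_get FILE SECTION KEY: print the key's value from an INI file (last wins).
ini_get() {
    awk -v sec="$2" -v key="$3" '
        { sub(/[ \t\r]+$/, "") }
        /^\[/ { insec = ($0 == "[" sec "]"); next }
        insec && !/^[ \t]*[#;]/ {
            i = index($0, "="); if (!i) next
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); sub(/^[ \t]+/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# is_weak SECRET: true if shorter than 32 characters or digits only
# (the length threshold is this example's assumption, not an OpenStack rule).
is_weak() {
    [ "${#1}" -ge 32 ] || return 0
    case $1 in *[!0-9]*) return 1 ;; *) return 0 ;; esac
}

# gen_secret: 64 hex characters read from /dev/urandom.
gen_secret() { head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'; }

# audit_metadata_secret AGENT_INI NOVA_CONF: print findings; return 1 if any.
audit_metadata_secret() {
    a=$(ini_get "$1" DEFAULT metadata_proxy_shared_secret)
    n=$(ini_get "$2" neutron metadata_proxy_shared_secret)
    p=$(ini_get "$2" neutron service_metadata_proxy)
    rc=0
    [ -n "$a" ] && [ -n "$n" ] || { echo "MISSING: secret not set in both files"; rc=1; }
    [ "$a" = "$n" ] || { echo "MISMATCH: agent and nova secrets differ"; rc=1; }
    if is_weak "$a" || is_weak "$n"; then echo "WEAK: short or digits-only secret"; rc=1; fi
    case $p in [Tt]rue) ;; *) echo "PROXY-OFF: service_metadata_proxy is not true"; rc=1 ;; esac
    return $rc
}

# Constructed sample files mirroring the values this guide writes.
demo() {
    d=$(mktemp -d)
    printf '[DEFAULT]\nnova_metadata_host = node1\nmetadata_proxy_shared_secret = 12345678\n' > "$d/metadata_agent.ini"
    printf '[neutron]\nservice_metadata_proxy = true\nmetadata_proxy_shared_secret = 12345678\n' > "$d/nova.conf"
    audit_metadata_secret "$d/metadata_agent.ini" "$d/nova.conf"; r=$?
    rm -rf "$d"; return $r
}
demo || true
```

On a real controller, run audit_metadata_secret against /etc/neutron/metadata_agent.ini and /etc/nova/nova.conf, then write the output of gen_secret into both files with the same crudini --set commands used above and restart the services.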
  • Original article: https://www.cnblogs.com/djoker/p/15955463.html