## 8. 配置基于OVS的Neutron网络服务

### 8.1 控制节点配置

+ 创建数据库与用户供neutron使用
  + 示例中的密码(数据库、keystone、rabbitmq)仅用于演示,实际部署请替换为各自独立的强密码

```shell
# 创建数据库
CREATE DATABASE neutron;
# 创建用户
GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'%' IDENTIFIED BY 'neutronang';
```

+ 创建neutron用户

```shell
openstack user create --domain default --password neutron neutron
```

+ 向neutron用户添加管理员角色

```shell
openstack role add --project service --user neutron admin
```

+ 创建neutron实体

```shell
openstack service create --name neutron --description "OpenStack Networking" network
```

+ 创建neutron的api端点

```shell
openstack endpoint create --region RegionOne network public http://controller:9696
openstack endpoint create --region RegionOne network internal http://controller:9696
openstack endpoint create --region RegionOne network admin http://controller:9696
```

+ 配置内核转发

```shell
cat >> /etc/sysctl.conf << EOF
# 用于控制系统是否开启对数据包源地址的校验,关闭
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.default.rp_filter=0
# 开启二层转发设备
net.bridge.bridge-nf-call-iptables=1
net.bridge.bridge-nf-call-ip6tables=1
EOF
```

+ 加载模块
  + 作用:桥接流量转发到iptables链

```shell
modprobe br_netfilter
```

+ 生效内核配置

```shell
sysctl -p
```

+ 安装ovs服务

```shell
apt install -y neutron-server neutron-plugin-ml2 neutron-l3-agent neutron-dhcp-agent neutron-metadata-agent neutron-openvswitch-agent
```

+ 配置neutron.conf文件
  + 用于提供neutron主体服务

```shell
# 备份配置文件
cp /etc/neutron/neutron.conf{,.bak}
# 过滤提取配置文件
grep -Ev "^$|#" /etc/neutron/neutron.conf.bak > /etc/neutron/neutron.conf
# 完整配置
vim /etc/neutron/neutron.conf
[DEFAULT]
core_plugin = ml2
service_plugins = router
allow_overlapping_ips = true
auth_strategy = keystone
state_path = /var/lib/neutron
dhcp_agent_notification = true
notify_nova_on_port_status_changes = true
notify_nova_on_port_data_changes = true
transport_url = rabbit://openstack:000000@controller
[agent]
root_helper = "sudo /usr/bin/neutron-rootwrap /etc/neutron/rootwrap.conf"
[cache]
[cors]
[database]
connection = mysql+pymysql://neutron:neutronang@controller/neutron
[healthcheck]
[ironic]
[keystone_authtoken]
www_authenticate_uri = http://controller:5000
auth_url = http://controller:5000
memcached_servers = controller:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = neutron
password = neutron
[nova]
auth_url = http://controller:5000
auth_type = password
project_domain_name = default
user_domain_name = default
region_name = RegionOne
project_name = service
username = nova
password = nova
[oslo_concurrency]
lock_path = /var/lib/neutron/tmp
[oslo_messaging_amqp]
[oslo_messaging_kafka]
[oslo_messaging_notifications]
[oslo_messaging_rabbit]
[oslo_middleware]
[oslo_policy]
[oslo_reports]
[placement]
[privsep]
[quotas]
[ssl]
```

+ 配置ml2_conf.ini文件
  + 用于提供二层网络插件服务

```shell
# 备份配置文件
cp /etc/neutron/plugins/ml2/ml2_conf.ini{,.bak}
# 过滤覆盖文件
grep -Ev "^$|#" /etc/neutron/plugins/ml2/ml2_conf.ini.bak > /etc/neutron/plugins/ml2/ml2_conf.ini
# 完整配置
vim /etc/neutron/plugins/ml2/ml2_conf.ini
[DEFAULT]
[ml2]
type_drivers = flat,vlan,vxlan,gre
tenant_network_types = vxlan
mechanism_drivers = openvswitch,l2population
extension_drivers = port_security
[ml2_type_flat]
flat_networks = physnet1
[ml2_type_geneve]
[ml2_type_gre]
[ml2_type_vlan]
[ml2_type_vxlan]
vni_ranges = 1:1000
[ovs_driver]
[securitygroup]
enable_ipset = true
enable_security_group = true
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
[sriov_driver]
```

+ 配置openvswitch_agent.ini文件
  + 提供ovs代理服务
  + 注意:bridge_mappings 中的网桥名需与下文 ovs-vsctl add-br 创建的网桥名一致(本文后续在控制节点创建的是 br-ens38),请核对

```shell
# 备份文件
cp /etc/neutron/plugins/ml2/openvswitch_agent.ini{,.bak}
# 过滤覆盖文件
grep -Ev "^$|#" /etc/neutron/plugins/ml2/openvswitch_agent.ini.bak > /etc/neutron/plugins/ml2/openvswitch_agent.ini
# 完整配置
vim /etc/neutron/plugins/ml2/openvswitch_agent.ini
[DEFAULT]
[agent]
l2_population = True
tunnel_types = vxlan
prevent_arp_spoofing = True
[dhcp]
[network_log]
[ovs]
local_ip = 172.168.200.10
bridge_mappings = physnet1:br-ens34
[securitygroup]
```

+ 配置l3_agent.ini文件
  + 提供三层网络服务

```shell
# 备份文件
cp /etc/neutron/l3_agent.ini{,.bak}
# 过滤覆盖文件
grep -Ev "^$|#" /etc/neutron/l3_agent.ini.bak > /etc/neutron/l3_agent.ini
# 完整配置
vim /etc/neutron/l3_agent.ini
[DEFAULT]
interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
external_network_bridge =
[agent]
[network_log]
[ovs]
```

+ 配置dhcp_agent文件
  + 提供dhcp动态网络服务

```shell
# 备份文件
cp /etc/neutron/dhcp_agent.ini{,.bak}
# 过滤覆盖文件
grep -Ev "^$|#" /etc/neutron/dhcp_agent.ini.bak > /etc/neutron/dhcp_agent.ini
# 完整配置
vim /etc/neutron/dhcp_agent.ini
[DEFAULT]
interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq
enable_isolated_metadata = True
[agent]
[ovs]
```

+ 配置metadata_agent.ini文件
  + 提供元数据服务
  + 元数据是什么?
  + 用来支持如指示存储位置、历史数据、资源查找、文件记录等功能。元数据算是一种电子式目录,为了达到编制目录的目的,必须描述并收藏数据的内容或特色,进而达成协助数据检索的目的。
  + 示例中的 metadata_proxy_shared_secret 仅为演示值,实际部署应使用随机生成的长密钥,并与 nova.conf 中的同名配置保持一致

```shell
# 备份文件
cp /etc/neutron/metadata_agent.ini{,.bak}
# 过滤覆盖文件
grep -Ev "^$|#" /etc/neutron/metadata_agent.ini.bak > /etc/neutron/metadata_agent.ini
# 完整配置
vim /etc/neutron/metadata_agent.ini
[DEFAULT]
nova_metadata_host = controller
metadata_proxy_shared_secret = ws
[agent]
[cache]
```

+ 配置nova文件
  + 主要识别neutron配置,从而能调用网络

```shell
vim /etc/nova/nova.conf
'''
[DEFAULT]
linuxnet_interface_driver = nova.network.linux_net.LinuxOVSInterfaceDriver
[neutron]
auth_url = http://controller:5000
auth_type = password
project_domain_name = default
user_domain_name = default
region_name = RegionOne
project_name = service
username = neutron
password = neutron
service_metadata_proxy = true
metadata_proxy_shared_secret = ws
'''
```

+ 填充数据库

```shell
su -s /bin/sh -c "neutron-db-manage --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugins/ml2/ml2_conf.ini upgrade head" neutron
```

+ 重启nova-api服务生效neutron配置

```shell
service nova-api restart
```

+ 新建一个外部网络桥接

```shell
ovs-vsctl add-br br-ens38
```

+ 将外部网络桥接映射到网卡
  + 这里绑定第二张网卡,属于业务网卡

```shell
ovs-vsctl add-port br-ens38 ens38
```

+ 重启neutron相关服务生效配置

```shell
# 提供neutron服务
service neutron-server restart
# 提供ovs服务
service neutron-openvswitch-agent restart
# 提供地址动态服务
service neutron-dhcp-agent restart
# 提供元数据服务
service neutron-metadata-agent restart
# 提供三层网络服务
service neutron-l3-agent restart
```

### 8.2 计算节点配置

+ ### compute01节点

+ 配置内核转发

```shell
cat >> /etc/sysctl.conf << EOF
# 用于控制系统是否开启对数据包源地址的校验,关闭
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.default.rp_filter=0
# 开启二层转发设备
net.bridge.bridge-nf-call-iptables=1
net.bridge.bridge-nf-call-ip6tables=1
EOF
```

+ 加载模块
  + 作用:桥接流量转发到iptables链

```shell
modprobe br_netfilter
```

+ 生效内核配置

```shell
sysctl -p
```

+ 安装neutron-ovs服务

```shell
apt install -y neutron-openvswitch-agent
```

+ 配置neutron文件
  + 提供neutron主体服务

```shell
# 备份文件
cp /etc/neutron/neutron.conf{,.bak}
# 过滤提取文件
grep -Ev "^$|#" /etc/neutron/neutron.conf.bak > /etc/neutron/neutron.conf
# 完整配置
vim /etc/neutron/neutron.conf
[DEFAULT]
core_plugin = ml2
service_plugins = router
auth_strategy = keystone
state_path = /var/lib/neutron
allow_overlapping_ips = true
transport_url = rabbit://openstack:000000@controller
[agent]
root_helper = "sudo /usr/bin/neutron-rootwrap /etc/neutron/rootwrap.conf"
[cache]
[cors]
[database]
[healthcheck]
[ironic]
[keystone_authtoken]
www_authenticate_uri = http://controller:5000
auth_url = http://controller:5000
memcached_servers = controller:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = neutron
password = neutron
[nova]
[oslo_concurrency]
lock_path = /var/lib/neutron/tmp
[oslo_messaging_amqp]
[oslo_messaging_kafka]
[oslo_messaging_notifications]
[oslo_messaging_rabbit]
[oslo_middleware]
[oslo_policy]
[oslo_reports]
[placement]
[privsep]
[quotas]
[ssl]
```

+ 配置openvswitch_agent.ini文件
  + 提供ovs网络服务
  + 注意:local_ip 是本节点的VXLAN隧道端点地址,需与控制节点(172.168.200.10)及其他计算节点处于可互通的隧道网络;此处的 10.0.0.11 与其他节点的网段不同,请核对

```shell
# 备份文件
cp /etc/neutron/plugins/ml2/openvswitch_agent.ini{,.bak}
# 过滤提取文件
grep -Ev "^$|#" /etc/neutron/plugins/ml2/openvswitch_agent.ini.bak > /etc/neutron/plugins/ml2/openvswitch_agent.ini
# 完整配置
vim /etc/neutron/plugins/ml2/openvswitch_agent.ini
[DEFAULT]
[agent]
l2_population = True
tunnel_types = vxlan
prevent_arp_spoofing = True
[dhcp]
[network_log]
[ovs]
local_ip = 10.0.0.11
bridge_mappings = physnet1:br-ens38
[securitygroup]
enable_security_group = True
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
```

+ 配置nova文件识别neutron配置

```shell
vim /etc/nova/nova.conf
'''
[DEFAULT]
linuxnet_interface_driver = nova.network.linux_net.LinuxOVSInterfaceDriver
vif_plugging_is_fatal = true
vif_plugging_timeout = 300
[neutron]
auth_url = http://controller:5000
auth_type = password
project_domain_name = default
user_domain_name = default
region_name = RegionOne
project_name = service
username = neutron
password = neutron
'''
```

+ 重启nova服务识别网络配置

```shell
service nova-compute restart
```

+ 新建一个外部网络桥接

```shell
ovs-vsctl add-br br-ens38
```

+ 将外部网络桥接映射到网卡
  + 这里绑定第二张网卡,属于业务网卡

```shell
ovs-vsctl add-port br-ens38 ens38
```

+ 重启服务加载ovs配置

```shell
service neutron-openvswitch-agent restart
```

+ ### compute02节点

+ 配置内核转发

```shell
cat >> /etc/sysctl.conf << EOF
# 用于控制系统是否开启对数据包源地址的校验,关闭
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.default.rp_filter=0
# 开启二层转发设备
net.bridge.bridge-nf-call-iptables=1
net.bridge.bridge-nf-call-ip6tables=1
EOF
```

+ 加载模块
  + 作用:桥接流量转发到iptables链

```shell
modprobe br_netfilter
```

+ 生效内核配置

```shell
sysctl -p
```

+ 安装neutron-ovs服务

```shell
apt install -y neutron-openvswitch-agent
```

+ 配置neutron文件
  + 提供neutron主体服务

```shell
# 备份文件
cp /etc/neutron/neutron.conf{,.bak}
# 过滤提取文件
grep -Ev "^$|#" /etc/neutron/neutron.conf.bak > /etc/neutron/neutron.conf
# 完整配置
vim /etc/neutron/neutron.conf
[DEFAULT]
core_plugin = ml2
service_plugins = router
auth_strategy = keystone
state_path = /var/lib/neutron
allow_overlapping_ips = true
transport_url = rabbit://openstack:000000@controller
[agent]
root_helper = "sudo /usr/bin/neutron-rootwrap /etc/neutron/rootwrap.conf"
[cache]
[cors]
[database]
[healthcheck]
[ironic]
[keystone_authtoken]
www_authenticate_uri = http://controller:5000
auth_url = http://controller:5000
memcached_servers = controller:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = neutron
password = neutron
[nova]
[oslo_concurrency]
lock_path = /var/lib/neutron/tmp
[oslo_messaging_amqp]
[oslo_messaging_kafka]
[oslo_messaging_notifications]
[oslo_messaging_rabbit]
[oslo_middleware]
[oslo_policy]
[oslo_reports]
[placement]
[privsep]
[quotas]
[ssl]
```

+ 配置openvswitch_agent.ini文件
  + 提供ovs网络服务

```shell
# 备份文件
cp /etc/neutron/plugins/ml2/openvswitch_agent.ini{,.bak}
# 过滤提取文件
grep -Ev "^$|#" /etc/neutron/plugins/ml2/openvswitch_agent.ini.bak > /etc/neutron/plugins/ml2/openvswitch_agent.ini
# 完整配置
vim /etc/neutron/plugins/ml2/openvswitch_agent.ini
[DEFAULT]
[agent]
l2_population = True
tunnel_types = vxlan
prevent_arp_spoofing = True
[dhcp]
[network_log]
[ovs]
local_ip = 172.168.200.12
bridge_mappings = physnet1:br-ens38
[securitygroup]
enable_security_group = True
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
```

+ 配置nova文件识别neutron配置

```shell
vim /etc/nova/nova.conf
'''
[DEFAULT]
linuxnet_interface_driver = nova.network.linux_net.LinuxOVSInterfaceDriver
vif_plugging_is_fatal = true
vif_plugging_timeout = 300
[neutron]
auth_url = http://controller:5000
auth_type = password
project_domain_name = default
user_domain_name = default
region_name = RegionOne
project_name = service
username = neutron
password = neutron
'''
```

+ 重启nova服务识别网络配置

```shell
service nova-compute restart
```

+ 新建一个外部网络桥接

```shell
ovs-vsctl add-br br-ens38
```

+ 将外部网络桥接映射到网卡
  + 这里绑定第二张网卡,属于业务网卡

```shell
ovs-vsctl add-port br-ens38 ens38
```

+ 重启服务加载ovs配置

```shell
service neutron-openvswitch-agent restart
```