|
|
楼主 |
发表于 2019-10-8 08:08:13
|
显示全部楼层
用OpenStack计算来托管和管理云计算系统。OpenStack计算是基础设施即服务(IaaS)系统的重要组成部分。主要模块是用Python实现的。
; h n. h, u# a9 l4 S OpenStack计算与OpenStack标识进行交互,用于身份验证,用于资源目录跟踪和选择的OpenStack放置,用于磁盘和服务器映像的OpenStack映像服务,以及用于用户和管理界面的OpenStack仪表板。图像访问受到项目和用户的限制;每个项目的配额是有限的(例如,实例的数量)。OpenStack计算可以在标准硬件上水平伸缩,并下载映像来启动实例。
5 s- q0 w _, }( x7 P5 e# m OpenStack计算包括以下组件:
! f4 T2 B* F4 _1 M2 t C( v; L1 q5 w4 @" w9 C) |
nova-api service
; q) |6 |+ L4 W7 w2 k接受并响应最终用户compute API调用。该服务支持OpenStack计算API。它执行一些策略并启动大多数编排活动,例如运行一个实例。
: A5 ^3 h0 V- @; Knova-api-metadata service L6 E8 D! ~$ J: z0 c
接受来自实例的元数据请求。在使用nova-network安装以多主机模式运行时,通常使用nova-api-metadata服务。
! [ x: k% ]- q& r6 l# inova-compute service
: z, I# K/ f: M- ~4 W一个工作守护进程,它通过管理程序api创建和终止虚拟机实例。例如:2 ?) a: f) h2 W" T6 {
XenAPI for XenServer/XCP. j: Y7 \; w9 x, l3 U1 \% |
libvirt for KVM or QEMU2 y' S! N2 b* R' l% Q- Y8 K
VMwareAPI for VMware ; S8 Y" r5 A7 {$ I0 J0 P: z
处理相当复杂。基本上,守护进程接受队列中的操作并执行一系列系统命令,比如启动一个KVM实例并更新它在数据库中的状态.
- f" c Z- e% Q; i( b. ]- |& Knova-scheduler service 9 F4 S6 Y- b4 R& L8 i
从队列中获取一个虚拟机实例请求,并确定它运行在哪个计算服务器主机上。
: |$ S& y* p" E! ]2 c% M7 Wnova-conductor module
/ i. ]" i6 [7 R. B6 ?协调nova-compute服务和数据库之间的交互。它消除了nova-compute服务对云数据库的直接访问。nova-conductor模块水平伸缩。但是,不要在运行nova-compute服务的节点上部署它。: D8 m6 X2 f5 H- p7 ^" F/ F
nova-consoleauth daemon 8 i: m+ ^7 t) N& y
为控制台代理提供的用户授权令牌。参见nova-novncproxy和nova-xvpvncproxy。要使控制台代理工作,必须运行此服务。您可以对集群配置中的单个nova-consoleauth服务运行这两种类型的代理。
# s% `' h9 o: l4 Rnova-novncproxy daemon 8 s% A# ]2 O! J9 U
提供一个代理,用于通过VNC连接访问正在运行的实例。支持基于浏览器的novnc客户端。+ T- y, D# `: U) ~1 r: a
nova-spicehtml5proxy daemon
" S+ [5 ]9 d3 K提供一个代理,用于通过SPICE连接访问正在运行的实例。支持基于浏览器的HTML5客户端。
4 z' l% F' c8 a- f- J" rnova-xvpvncproxy daemon
+ r9 n6 q7 `2 N; e# W4 O' B提供一个代理,用于通过VNC连接访问正在运行的实例。支持特定于openstack的Java客户机。& L- ~+ _+ \/ R* t. s
The queue
5 N3 z, X0 W2 ?- c+ @5 { F用于在守护进程之间传递消息的中心集线器。通常用RabbitMQ实现,也可以用另一个AMQP消息队列实现
3 X @, \9 n9 }4 r' mSQL database " G( h( q n5 i+ n- k+ H/ I& m# ^
存储云基础设施的大多数构建时和运行时状态,包括:
2 w6 L' i! l6 z: O& F. _% EAvailable instance types
3 |- p7 j% [0 X+ b, B! _. ~7 \Instances in use
& X2 A/ z/ `4 E. R& Y8 wAvailable networks) m0 `' j: C$ ~* N$ S. s
Projects- c" _" T, Z( s/ v, q9 Q; T* r
理论上,OpenStack计算可以支持SQLAlchemy支持的任何数据库。用于测试和开发工作的公共数据库是SQLite3、MySQL、MariaDB和PostgreSQL。% q4 @' w7 V, Y! E
3 j0 b# |, U' P* c准备工作% `' x [6 v- @" n7 }
安装之前我们需要先建库,帐号和api endpoint.- D( D- A* S4 i' q8 w. e9 E
. ?, b# R* h& m: d& \; L% L% Q在数据库服务器上执行如下步骤:6 K9 C/ o! t+ K
○ 使用root连接数据库服务器:7 v: F" M. H+ x, o4 F9 i% g0 C
$ mysql -u root -p root123
0 P! J$ D3 e0 i, k V7 {5 _○ 建立nova_api、nova和nova_cell0数据库:+ q Y8 E; X& `
MariaDB [(none)]> CREATE DATABASE nova_api;
# t! g s- w; s* P, q: y g MariaDB [(none)]> CREATE DATABASE nova;8 L4 `; ~' T- K' r! W8 ?! J; d2 w
MariaDB [(none)]> CREATE DATABASE nova_cell0;
1 |: l9 V- Y7 Q○ 赋予帐号nova对库的操作权限:/ {+ ~7 r. x% B2 F& l% y; T: ^6 ?
MariaDB [(none)]> GRANT ALL PRIVILEGES ON nova_api.* TO 'nova'@'%' IDENTIFIED BY 'nova123';: h P1 x) T( v" n
MariaDB [(none)]> GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'%' IDENTIFIED BY 'nova123';
8 l* Y$ k" r$ i( o3 L8 F/ t# p MariaDB [(none)]> GRANT ALL PRIVILEGES ON nova_cell0.* TO 'nova'@'%' IDENTIFIED BY 'nova123'
% `5 c2 n$ B8 s. W: F- N加载admin的访问凭据,执行管理员命令:& \( g0 l* n/ Q, c/ f
$ . admin-openrc
1 \4 t/ P" a6 m( ` h. G% n建立计算服务的凭据:$ a: J8 V( D1 N
4 Z; Z; y4 A9 F7 y% I% F! w○ 建立nova用户:
+ W. ]5 |- u a v+ d $ openstack user create --domain default --password-prompt nova
. V, {5 m1 u3 N3 r. f: L% w2 L* b' G% V- m
User Password:nova123% `7 @3 {( s" H; e- t: t
Repeat User Password:nova123
0 _7 |" f+ o1 M' `4 C6 `3 ?! n +---------------------+----------------------------------+0 ^; j% v9 p8 @7 w G, O0 ~. k
| Field | Value |9 t: x, S+ d' u$ L7 l& s
+---------------------+----------------------------------+/ g8 P% m* q l' Z/ o
| domain_id | default |
* u0 G3 H8 ?, L | enabled | True |
8 ]7 G" b" ~$ O- X0 ~; U | id | 8a7dbf5279404537b1c7b86c033620fe | N/ S# @9 ` r7 M( q# @3 V3 I$ y* l
| name | nova |3 C y! q1 O; ?4 S' A
| options | {} |$ d! [; F% A3 G5 |7 _) ~
| password_expires_at | None |/ n, X% M' e- j" u9 Z$ b* p
+---------------------+----------------------------------+% l% f0 _7 F' ?" A* |
○ 给用户nova添加admin角色:
) b4 J" m5 E3 s5 r9 M/ j $ openstack role add --project service --user nova admin8 |; O2 H. |! `: {2 ]* I, T
+ w5 K0 ?. l- ^2 [# r! w3 O/ ] 注意:这个命令没有输出
) P; n0 E1 ~7 E* k" x○ 建立nova服务实体:- `1 Y/ v/ ~! H) u- h- }. _
$ openstack service create --name nova --description "OpenStack Compute" compute
/ L7 ^8 ~+ x' c: h5 U% F* l+ l+ n1 o0 r1 d+ ?; o% A8 u
+-------------+----------------------------------+
3 ^# |; A6 L+ O# r | Field | Value |6 g0 p5 B. V# |$ ^% e2 t! }
+-------------+----------------------------------+
" `) e5 {7 N/ O) ~ | description | OpenStack Compute |
% n. p! x) x, O | enabled | True |
# c; ~; C, `; L* g6 E | id | 060d59eac51b4594815603d75a00aba2 |
5 J% Y# @1 y+ \" m9 s/ I( q | name | nova |
) h0 Y/ u$ G' i6 g0 \/ ^- ` | type | compute |$ u! A1 D7 U3 k, p8 g7 P% G
+-------------+----------------------------------+$ }5 a4 E- Y+ W- Y4 L( t
Create the Compute API service endpoints:& Y0 Q2 h/ O* t
d; d1 E A) `. G1 F: g' v' t* T$ openstack endpoint create --region RegionOne compute public http://stack.flex.net:8774/v2.1: j G1 T- l# C6 i7 R
: Z" ?) K% H; h6 s
+--------------+-------------------------------------------+2 Z) ?% s5 g- Y4 R7 ^2 v
| Field | Value |
& p8 v/ s% f1 u/ Y5 C( ]+--------------+-------------------------------------------+) G7 w! ^# n6 m
| enabled | True |0 M* D- Z7 A$ b( A/ z
| id | 3c1caa473bfe4390a11e7177894bcc7b | [* L% k% C5 [& ?* \
| interface | public |' n4 ]7 c/ O4 q! p! R
| region | RegionOne |
3 P( `+ G. t! W4 s* X| region_id | RegionOne |: z3 X1 w$ m y/ z' a7 @* \" c t6 f
| service_id | 060d59eac51b4594815603d75a00aba2 |
: B; {) a5 x+ || service_name | nova |9 [( c2 O3 A8 y7 G
| service_type | compute |
4 }1 a: I+ i; t9 k! s$ ~; m; n$ D2 u| url | http://stack.flex.net:8774/v2.1 |
$ J+ U4 M8 q& f3 a+--------------+-------------------------------------------+ I: k; `1 P( e! h8 k
' n& O# D# M7 J" c4 D# L0 L- D
$openstack endpoint create --region RegionOne compute internal http://stack.flex.net:8774/v2.1
! v& S: @ V% o$ |( |) V: T& d) c* B! }6 m& V
+--------------+-------------------------------------------+ t! I6 e0 w& @" z, z2 E8 Y
| Field | Value |
/ b8 h' }5 @* A; |+--------------+-------------------------------------------+
U) h) A$ ^7 T( N| enabled | True |
$ ~2 j# U8 ?/ Z6 Y C| id | e3c918de680746a586eac1f2d9bc10ab |) K, e1 Y' C* M
| interface | internal |
) B: e- d t! a| region | RegionOne |( h6 {5 a1 ?( L. W
| region_id | RegionOne |! _7 T5 Q8 r8 I" i% x
| service_id | 060d59eac51b4594815603d75a00aba2 |* i g/ k) @) f3 n9 O1 C2 S
| service_name | nova |) \4 p" r3 g) w) j5 d' R0 k
| service_type | compute |% T, P* H6 {- p L
| url | http://stack.flex.net:8774/v2.1 |
. W: Q$ g! t+ L5 M; v9 S: I+--------------+-------------------------------------------+( ]8 \( v4 C, q& r6 ?) c
. z4 L S a H! I$ openstack endpoint create --region RegionOne compute admin http://stack.flex.net:8774/v2.1
6 X4 ]" H8 r& h, y @ D' K9 C) Y# E+ l, @& i
+--------------+-------------------------------------------+$ E( ? U3 Y \. `
| Field | Value |" a- ]5 z# L8 ^9 J. _- D* c1 m
+--------------+-------------------------------------------+( [8 {2 m$ g+ {: h# C- \
| enabled | True |; I* q& [" ~8 u) C/ ]
| id | 38f7af91666a47cfb97b4dc790b94424 |. `+ Y5 l: Y- h P
| interface | admin |6 V) S9 `0 I, G
| region | RegionOne |- H2 w w0 ^* m0 ?# L
| region_id | RegionOne |. J+ a! e$ W4 T
| service_id | 060d59eac51b4594815603d75a00aba2 |2 G8 M: i4 m+ u+ n, X% B
| service_name | nova |
% Y- [' n" l% E- v. g0 ~; E& l, V| service_type | compute |
8 k( y& H: ?& E& q! R- E9 [4 e| url | http://stack.flex.net:8774/v2.1 |- b9 Q8 h ~2 k; O% ]/ \& N# u, l
+--------------+-------------------------------------------+
; ?0 C( v1 l; b安装配置组件2 F5 Q2 m& z* w( U1 c3 O
安装包:9 l% p- `4 {8 W- B& X$ j; k
# yum install openstack-nova-api openstack-nova-conductor \
2 K' [7 r: v9 X# V openstack-nova-console openstack-nova-novncproxy openstack-nova-scheduler& X' M. e& F. _2 ~
编辑/etc/nova/nova.conf文件完成下列需求:
( H$ g& [" @2 v) {3 }0 J: Q4 Z+ I9 m y
○ 在[DEFAULT]区域, 充计compute和元数据API:
. h) @ N# r3 p3 N [DEFAULT]: y+ m6 T9 t1 y$ ?
# ...
) P- U0 o' r9 {9 A. Z& p- L enabled_apis = osapi_compute,metadata
% k- W! i' j; |' I1 G0 A8 N# {7 B( N1 j) t
○ 在[api_database] 和 [database] sections,配置数据库的访问:* p- ~0 _) J3 W8 Z- r$ A
[api_database]" M$ c: v# w: Y
# ...
0 C% ~# s% G1 o' ^" x connection = mysql+pymysql://nova:nova123@dbs.flex.net/nova_api
, p( T) G# G& g) }, T9 N2 j( Y; ~/ T4 e/ H% U
[database]
5 _: I- |7 g2 h$ j& A1 ]* \% L # ...4 o6 \* `7 j" U7 C3 q) _3 w
connection = mysql+pymysql://nova:nova123@dbs.flex.net/nova2 `3 P' T7 K/ `
/ e( _ X P& {# U○ 在[DEFAULT]区域, 配置RabbitMQ消息队列访问:7 u$ X6 |3 Q0 ?/ N
[DEFAULT]$ F. b$ ]* J! {" H1 v1 a
# ...
/ D9 D+ U6 ~/ y. } transport_url = rabbit://openstack:openstack123@dbs.flex.net
J9 w& l; J$ G0 G; E; |; L* }; N' ]: F) j1 J
○ 在[api]和[keystone_authtoken]区域, 配置访问认证服务:
0 a; d/ {$ T7 M4 a- c/ t: T+ A [api]
& w6 a; `$ t4 w4 U0 ~ # ...% K, O4 k+ X2 A- {1 H
auth_strategy = keystone
8 Z/ R8 j2 H& T' i4 ~
4 j% b& E* f8 N" }, U& m [keystone_authtoken]6 w, a7 c% R2 n1 S4 y L; X
# ...
! i& v" A3 V: a2 _) t( ^; ] auth_url = http://stack.flex.net:5000/v30 z# M3 ]2 N6 S6 M0 B
memcached_servers = dbs.flext.net:112117 ?& H. D; S0 [7 r3 k: d; v
auth_type = password
, b5 Y1 p$ `+ k( f# B project_domain_name = Default2 Y0 g9 _" {7 a, Z j1 w
user_domain_name = Default/ p& K9 C$ [* ~/ b( g
project_name = service7 k: y9 R( _: k- E5 r: R; M
username = nova
$ z0 A: x# a: x password = nova123, R5 F" U" V& m, m& o
& J% y4 c7 g$ \# c6 M5 k 注意: 注释或移除在掉在[keystone_authtoken]区域中的其它的选项.
4 f4 W: Y4 A) [* \$ B6 m
/ S% l/ w! g L0 p- U○ 在[DEFAULT]区域, 配置管理接口的IP:7 i( C8 k2 A* K' n1 W$ _" ?( B
[DEFAULT], U0 o) c" Z" @3 w
# ...$ c) ^5 Z" z' {' x
my_ip = 192.168.207.2 #此处为控制节点的管理IP地址" o7 Z% h. C. W y; ?
○ 在[DEFAULT]区域, 充许支持的网络:
5 _( W: _* S" c% f [DEFAULT]
- s5 W5 D( ~* u( P; D: R0 p3 A6 r6 ? # ...4 t' ?- W+ S: A. D
use_neutron = true' Q$ \& K: i: ^) Z
firewall_driver = nova.virt.firewall.NoopFirewallDriver
. B0 R$ U; Z! D* I: Q
8 ^4 ~ V1 l2 ]# o, i! | 缺省的,计算节点使用一内部的防火墙驱动,因为网络服务包含了一个防火墙驱动,你必须禁用防火墙驱动并使用nova.virt.firewall.NoopFirewallDriver firewall driver
Z' d% I" s, ]& o& a: h○ 在[vnc]区域, 使用管理接口的IP做为vnc代理使用:
6 S/ S7 ^& K6 h9 D8 @ j- m, C [vnc]" z r) u7 _* Z' m; M: \
enabled = true
O3 T, l$ U9 p" l0 e* T1 V4 Q+ c # ...
$ }; A7 u! [/ C7 k! u# h2 L server_listen = $my_ip
+ y) w9 ]/ s$ W, U7 z0 c, q server_proxyclient_address = $my_ip$ e6 {2 ?2 y3 q8 {: z+ t' K" y& }2 `
: G& A) H- x+ l$ O4 b○ 在[glance]区域, 配置镜像服务api的位置:# i; h& n. w; C- U9 Z6 y% z4 X4 i
[glance]
; j6 B' o. u' U9 Y- Q # ...; q8 Q2 [, ~9 y& [
api_servers=http://stack.flex.net:9292: I$ d" a6 \: t# l8 |( I
2 D9 _9 Y# o8 `( ]# w5 f3 L
○ 在[oslo_concurrency]区域, 配置锁定的路径:
& ^/ \' _4 {, n& M; s# a# d, R( T [oslo_concurrency]$ w: ~: _/ ?" `, N ^" g
# ..." B! |4 e8 i6 O
lock_path = /var/lib/nova/tmp
& H @9 z4 V$ u& F, D' Y% N2 O5 h1 V. ~. Y
○ 在[placement]区域, 配置访问placement服务:
8 E8 p6 p1 Z) `# v K0 A/ r3 J [placement]
/ ~* u) C! }) U9 e! u, p # ...
# ~1 p& N7 {0 J; ?! A region_name = RegionOne
- E" {2 L4 Z* _! N! {; a project_domain_name = Default
4 B. X$ ^0 } I$ L: n9 m project_name = service
/ Y. z q+ p* V. I; {1 {- z auth_type = password
( E+ z c* d/ q9 n V+ X* R user_domain_name = Default
3 s# P g2 N# L6 Q auth_url = http://stack.flex.net:5000/v3* G9 i& k# Q: G$ U' b( b' C n
username = placement+ E" O& v; }8 ^' }. |
password = placement123
/ B, J7 c4 c+ X) q; R0 s4 O' h0 H
! O+ A% ? l- ] G, U2 I 注意: 注释或移除在掉在[placement]区域中的其它的选项; L" k8 D% I9 @2 k5 V7 c
. Z! M6 h9 V! h& e1 d○ 由于一个bug, 你必须充许访问placement API, 添加下列的配置到/etc/httpd/conf.d/00-nova-placement-api.conf:
2 p9 V: u, b6 d( L b3 S' O& d <Directory /usr/bin>$ z* U1 |2 ?9 Z8 M& `9 Q4 z
<IfVersion >= 2.4>
l: L" N0 J7 A# P! e Require all granted+ x0 r# Y: ?$ k8 e' x) a
</IfVersion>, y4 `% I# U' U
<IfVersion < 2.4>
: |) Z) Z7 d+ W' Q/ s: F Order allow,deny: N' g4 j0 i* b; ~( {3 k: F; X
Allow from all
/ E1 V3 d& V6 v6 W: g. E </IfVersion>
: {8 b1 D" L9 W; ~0 [% }7 G ] </Directory>% F7 p- f, V. A3 n
3 L! }5 E, Z3 }" W+ H) t○ Restart the httpd service:
8 l9 q A/ w0 g4 C/ M8 Q/ ?; N # systemctl restart httpd: U% u6 r- M# t, s8 O1 k4 _
Populate the nova-api database:
( Z+ }% n. D& @8 l, J# su -s /bin/sh -c "nova-manage api_db sync" nova
/ @" L+ [$ @2 f, wRegister the cell0 database: Q' C2 Q( e2 U8 A, C" e @' w
# su -s /bin/sh -c "nova-manage cell_v2 map_cell0" nova
" \) B8 ^9 X; A* nCreate the cell1 cell:
; K4 t, g7 ]: B+ ~# su -s /bin/sh -c "nova-manage cell_v2 create_cell --name=cell1 --verbose" nova3 L, Q/ K8 X+ y; {8 ~
109e1d4b-536a-40d0-83c6-5f121b82b6506 n+ Z* s+ Q3 @* F9 P6 J
Populate the nova database:
4 v3 o- j8 U8 n# su -s /bin/sh -c "nova-manage db sync" nova8 q8 ^0 a$ k& c: e- t/ S* q! _
Verify nova cell0 and cell1 are registered correctly:1 q* i' t1 X1 E: c: c
# su -s /bin/sh -c "nova-manage cell_v2 list_cells" nova9 c8 D _- r& B4 h6 N7 |5 s
+-------+--------------------------------------+1 F! C% E* s7 N$ _
| Name | UUID |
6 c1 v! C% v3 K' W8 K+-------+--------------------------------------+
, ?; q5 u* J+ N6 H* y| cell1 | 109e1d4b-536a-40d0-83c6-5f121b82b650 |
! ^) E6 S& z' l3 W" W| cell0 | 00000000-0000-0000-0000-000000000000 |8 f- t9 O3 h; p( [
+-------+--------------------------------------+
# t G3 Q0 N* `2 {安成安装# u5 i u5 W; f3 P* I7 W) W
○ 允许系统引导时自动启动服务并启动服务:& ~: K* ]* d4 `8 |: _+ P5 D
# systemctl enable openstack-nova-api.service \
. Q* K, Z7 u5 v% A& Z/ q openstack-nova-scheduler.service \
1 @. j! z L! J: p openstack-nova-conductor.service \( L( D* q8 x, a* W
openstack-nova-novncproxy.service
( t# d. A+ D% O( v3 m # systemctl start openstack-nova-api.service \1 D) c- \3 }( u1 w& Q; @0 Q
openstack-nova-scheduler.service \
0 E2 _. F J* T W7 x# v C openstack-nova-conductor.service \3 _6 @- T3 u0 E$ s0 A2 [
openstack-nova-novncproxy.service
" k4 ]& i% I8 n: y' v! p! Q Q: n4 g" u+ A8 N$ R7 c
Install and configure components
( X0 L. u6 b% J$ {! nInstall the packages:
9 |4 t' e) Z8 c6 b7 T# yum install openstack-nova-compute
S# O3 t0 p+ z; r4 \2 Y1 `/ WEdit the /etc/nova/nova.conf file and complete the following actions:
- P2 c/ T/ `& k/ p7 _- K* a2 I6 G. r, K- v% p' V( S
○ In the [DEFAULT] section, enable only the compute and metadata APIs:
' Y/ S! I5 D* r5 H [DEFAULT]; R! T, ], N3 Z, @6 N
# ...
$ F# I8 H; k# H, X1 F enabled_apis = osapi_compute,metadata, w* W1 y# a; ~! J C
' ]( h- ?; W7 k4 W" b* V5 n
○ In the [DEFAULT] section, configure RabbitMQ message queue access:3 B0 U- `& U( M/ J. n1 G
[DEFAULT] C1 J# w6 B7 E9 B0 k2 T: [
# …
9 ^$ O# H. a2 ~( M transport_url=rabbit://openstack:openstack123@dbs.flex.net! O5 E& V p, F$ Y; Z/ o, D' s
; c4 G- I2 b- {( n' y x( Q+ ^- K
○ In the [api] and [keystone_authtoken] sections, configure Identity service access::; i) Q+ r7 Z$ a
[api]" Q: c% T8 J* z A9 Q
# ...3 s$ t( C# n1 S- ~! C+ E
auth_strategy = keystone
+ Q3 W7 y" S: ~1 l Q& Q# x8 S" e% r) G; W e
[keystone_authtoken]2 b( z% J2 d4 |; B d& T* e
# ...
; o. ?& x( `! F9 F auth_url = http://stack.flex.net:5000/v3( G6 S9 g! l5 w( v; M+ S
memcached_servers = dbs.flex.net:11211' h0 r; a9 i1 `+ d. p. T
auth_type = password+ z8 K/ z+ ?* y0 U2 c* F! G' u" R
project_domain_name = Default
) z, |, ^& b* c, _ y3 {3 v user_domain_name = Default
2 r8 U. ]) h& a" M# B project_name = service
6 [: r$ q+ ~1 l0 q username = nova
- t5 Z; i4 Y$ @ password = nova123/ c- t- |6 [$ K; d1 S V
注意: 注释或移除在掉在[keystone_authtoken]区域中的其它的选项' I) n1 K0 ^7 {$ G6 R
' b5 Z. i5 M; c. F' L
○ In the [DEFAULT] section, configure the my_ip option:. C5 }+ z# V+ |
[DEFAULT]
/ Y! c3 w, d6 N! C+ s) k Q # ..., [& _7 t- t9 h9 Z- j9 S' L6 i
my_ip = 192.168.205.187
- _( N# Z2 ~& F注意:使用管理接口的IP在你的计算节点上.
# h3 O( p# j3 h( [5 M9 C% F/ @& A7 F: E: N# P* j. q1 `/ Q
○ In the [DEFAULT] section, enable support for the Networking service:
- }% b ?; Z$ b, L4 U; s, I [DEFAULT]6 E T1 s+ n/ N) s2 k6 Q% S) h. b4 E
# ...
7 z9 [: Q; L# t0 _ use_neutron = true
8 Q4 Y) v; S, Q; E( c: P firewall_driver = nova.virt.firewall.NoopFirewallDriver
! S. g6 w+ b$ F注意:缺省的,计算节点使用一内部的防火墙驱动,因为网络服务包含了一个防火墙驱动,你必须禁用防火墙驱动并使用nova.virt.firewall.NoopFirewallDriver firewall driver6 _! [3 q# d3 L( R
6 W4 C5 U/ N4 _" ]$ N5 O○ In the [vnc] section, enable and configure remote console access:& x2 x5 `, B$ R) `8 S& c
[vnc]
. h# _, l+ a+ I/ i6 r4 T2 m # ...$ h, y) \* a5 f3 M0 j2 U
enabled = true# K5 B* E6 O* a: ^
server_listen = 0.0.0.0
& p: c# F6 T4 | server_proxyclient_address = $my_ip2 m; C$ k# n. F; l' y
novncproxy_base_url = http://stack.flex.net:6080/vnc_auto.html
/ q2 M7 U3 K0 R* f0 g1 a2 i. K# u- G" V0 |9 |, u5 K! q% F, {
服务器组件监听所有IP地址,代理组件只监听计算节点的管理接口IP地址。基本URL指示可以使用web浏览器访问此计算节点上实例的远程控制台的位置。6 @% x9 {& m" S N2 S
注意:如果要访问远程控制台的web浏览器驻留在无法解析控制器主机名的主机上,则必须使用控制器节点的管理接口IP地址替换控制器。& `/ p+ G& o. e& _7 f; f
: K: c. @3 I! L0 ^; Z4 v
○ In the [glance] section, configure the location of the Image service API:
3 y. k3 Q! f/ F) ] [glance]+ ?- a: d; T- B
# ...
0 m1 M: o# W) `; Y% p( ^( o/ b api_servers = http://stack.flex.net:92925 m2 G- P2 M' v; n/ N0 h
$ s# K, W: n# p0 P2 V9 T. F○ In the [oslo_concurrency] section, configure the lock path:9 \# X5 |* f! [. r- R/ l) C
[oslo_concurrency]
& @$ Y" a4 V+ Z3 n0 V# G # ...1 ]7 J2 R4 Q* O: h3 R9 N
lock_path = /var/lib/nova/tmp3 Z: P) C( M) h( {* v. E# G7 |* C
- v+ w1 Y$ I; E+ `
○ In the [placement] section, configure the Placement API:: W) `" q6 ]( i3 B; Z5 p2 }* @
[placement]8 F4 d" L6 s5 v. i. H+ }0 t6 l# ~
# ...
7 _; }' [5 ^8 s4 C region_name = RegionOne. t& \/ k6 y3 Z$ G
project_domain_name = Default
) r4 ^: R+ Y {# c& B$ ~ project_name = service s1 _( ?- [6 p& D3 \4 v; @7 k2 E
auth_type = password% X1 V! b/ D4 P8 y4 H
user_domain_name = Default
+ }0 Q4 C' `3 t" ]6 {, f: x7 U6 @ auth_url = http://stack.flex.net:5000/v3. \7 H4 d& I) `( B3 f
username = placement# \: N; V7 `) m! f- F
password = placement123; W3 l( C) z7 H/ ?
Finalize installation" d. R- M( p* v/ [7 P; x/ n) v# W
Determine whether your compute node supports hardware acceleration for virtual machines:
, ^4 `+ t0 A( p3 t
/ C0 e" i+ r' c5 d$ egrep -c '(vmx|svm)' /proc/cpuinfo
8 |* W+ c8 ?6 V- J
K I. y* e/ X如果这个命令返回1或大于1的值,你的计算节点支持硬件加速,通常不需要额外的配置,通常如果你的计算节点使用的是Vmware Workstation虚拟机,你可以充许virtuallze Intel VT-x/EPT or AMD-V/RVI这样打开虚拟化设置) l* O7 B2 M b* V; N+ v* G
# k* U8 ]( ~0 K$ o% o+ w" c如果这个命令返回一个0值,你的计算节点不支持硬件加速,并且你必须配置libvirt使用QEMU取代KVM, 编辑文件/etc/nova/nova.conf文件如下:
: q. Z2 ]+ x- U. ~[libvirt]
7 o- w, _# z* a/ o$ j& J' @1 E# ...
$ @) \6 ~/ w" H' ]* h1 m8 Fvirt_type = qemu
. T. Y9 d! w1 p8 q0 a# F% n0 wStart the Compute service including its dependencies and configure them to start automatically when the system boots:8 b7 v6 x. _) `
7 T% V3 w# e" U7 }' J7 v. i$ e! ?# systemctl enable libvirtd.service openstack-nova-compute.service8 c: O1 d. Q7 U S% @& _0 V& i! u
# systemctl start libvirtd.service openstack-nova-compute.service
; d1 n+ F \4 b8 t- H) K; }
/ D8 b1 Y. |4 z+ L1 p注意:如果nova-compute服务无法启动,请检查/var/log/nova/nova- computer .log。controller:5672上的错误消息AMQP服务器不可访问,这可能表明控制器节点上的防火墙正在阻止对端口5672的访问。将防火墙配置为打开控制器节点上的端口5672并在计算节点上重新启动nova-compute服务。1 R8 G, H) C+ y* J
Add the compute node to the cell database
! H a) J1 e# f9 @+ @" MSource the admin credentials to enable admin-only CLI commands, then confirm there are compute hosts in the database:- l: q% `! D7 p' b; \; E
8 D) X" I# Y k' @$ . admin-openrc) j. z$ c/ A5 s; {7 _9 V
/ g3 A0 w# }: q* t3 j1 ^$ openstack compute service list --service nova-compute# S& b3 ^8 a6 X1 D' n0 t
+----+-------+--------------+------+-------+---------+----------------------------+( g4 a( m( ]: Y3 A
| ID | Host | Binary | Zone | State | Status | Updated At |
- [+ p7 ^- b9 o$ {0 u+----+-------+--------------+------+-------+---------+----------------------------+: z. `$ f: N5 t. X
| 1 | node1 | nova-compute | nova | up | enabled | 2017-04-14T15:30:44.000000 |
! K! o% w* I' Q; I4 ]+----+-------+--------------+------+-------+---------+----------------------------+
* z5 `# ?% x' z$ |- ]8 GDiscover compute hosts:8 ?- o" e( c9 o
% [ m3 y4 t' D/ x: n( Z3 Q+ S' P# su -s /bin/sh -c "nova-manage cell_v2 discover_hosts --verbose" nova
T+ S' }9 f) `8 H4 w" k- O# [+ v w# `( x
Found 2 cell mappings.3 Y% X4 o2 f7 d
Skipping cell0 since it does not contain hosts.. `9 \" C5 p* ^/ y/ L0 k/ X
Getting compute nodes from cell 'cell1': ad5a5985-a719-4567-98d8-8d148aaae4bc
' r) A: L. d0 PFound 1 computes in cell: ad5a5985-a719-4567-98d8-8d148aaae4bc8 B9 F0 O& S2 e- V/ E' V, n3 ]) O
Checking host mapping for compute host 'compute': fe58ddc1-1d65-4f87-9456-bc040dc106b3
3 @! e$ j# h, |( w9 m& gCreating host mapping for compute host 'compute': fe58ddc1-1d65-4f87-9456-bc040dc106b3& ?8 J! w0 T4 v- y# E, s8 i( b
注意:当你添加新的计算节点,你必须运行nova-manage cell_v2 discover_hosts在控制器上注册新的计算节点,替代方法为你可以在/etc/nova/nova.conf中设置一个适当的间间隔自动发现计算节点:* Q& E, m9 S2 ^' T, m8 C; d0 ?& d
[scheduler]
$ V6 G( S( S- ~+ y: K2 `3 Ediscover_hosts_in_cells_interval = 300$ b* F' r2 A5 c4 D& ~* v, h* r' s
Verify operation9 e( R$ Q2 J. U# u, {
Verify operation of the Compute service.* B, g% R8 I3 p# ]
Note: Perform these commands on the controller node.
+ {# K7 ~+ w( {
1 E% D: l. Y; ? G1 S% K5 M1 l6 iSource the admin credentials to gain access to admin-only CLI commands:
2 B6 O( z( t* [7 e6 V6 I/ l" J9 |$ . admin-openrc
3 J/ @$ a2 A) f. NList service components to verify successful launch and registration of each process:; G2 a, o, ^- B! C
0 a6 a+ O& K; M5 U" A, {$ openstack compute service list
$ S6 ]; L5 P( }1 o
8 {% _6 y# l: Q( _3 G% f5 T- u+----+--------------------+------------+----------+---------+-------+----------------------------+4 }, D2 _% j S
| Id | Binary | Host | Zone | Status | State | Updated At |% t0 P$ v/ Q# y8 u& m
+----+--------------------+------------+----------+---------+-------+----------------------------+
2 N$ O1 o2 m. o| 1 | nova-scheduler | controller | internal | enabled | up | 2016-02-09T23:11:15.000000 |
( e$ `. I& H U/ Z, h* z6 W| 2 | nova-conductor | controller | internal | enabled | up | 2016-02-09T23:11:16.000000 |( A% X' o% ?2 d( B5 r* w8 Q8 ?8 T
| 3 | nova-compute | compute1 | nova | enabled | up | 2016-02-09T23:11:20.000000 |; R% Z: |9 p1 y, l
+----+--------------------+------------+----------+---------+-------+----------------------------+
( d, E% R" i3 S4 n* U8 }9 h# j1 r* X
Note: This output should indicate two service components enabled on the controller node and one service component enabled on the compute node./ b1 U" p l' q% P, N
List API endpoints in the Identity service to verify connectivity with the Identity service:
+ L% J k1 o" C0 d$ openstack catalog list J( C9 V: R E" ?
+-----------+-----------+---------------------------------------------++ W& P+ y" f; |+ J7 w% w- ~ t
| Name | Type | Endpoints |
7 s. Q% Z) \9 p# w6 K! X+-----------+-----------+---------------------------------------------+6 f1 P5 ~7 ^& H% ?8 q* }
| placement | placement | RegionOne |
; w) T! U8 D- l5 }2 R6 E& ?| | | admin: http://stack.flex.net:8778 |+ x3 H: N% o4 c% A" l' M
| | | RegionOne |2 n5 X; n$ b2 K5 u$ S
| | | internal: http://stack.flex.net:8778 |
1 ?5 o- v2 ~ c* q& H0 Y| | | RegionOne |
6 ^$ E# N* i$ Z0 z| | | public: http://stack.flex.net:8778 |$ a9 \0 _4 D- B# ?; b0 U
| | | |( {7 q1 D( ?- P7 R& G; a. z) \
| glance | image | RegionOne |
( _7 d, k2 l' S: y| | | admin: http://stack.flex.net:9292 |) ?! N+ P3 c. W( }! A7 T$ h+ [+ U
| | | RegionOne |* V, h. W. e( a& H& @8 S1 p# ^+ ?
| | | public: http://stack.flex.net:9292 |
9 `( I0 ~' u/ `$ @3 y* M) f% ^. O| | | RegionOne |1 h4 ~* [- h" x& c) n! S) v
| | | internal: http://stack.flex.net:9292 |
! n7 A# u; x+ ?, W| | | |
4 s% _$ d6 e$ s+ |' k ~) h| nova | compute | RegionOne |
8 L( T! G v' M }/ R| | | public: http://stack.flex.net:8774/v2.1 |
' {# X( s# ^1 s. C* t4 N% q6 X| | | RegionOne |
* z1 o/ ^( C* Z| | | internal: http://stack.flex.net:8774/v2.1 | n& i, P4 V! _
| | | RegionOne |
- `* {* n- D# C9 U| | | admin: http://stack.flex.net:8774/v2.1 |* A: d0 B- u/ i: r) T
| | | |7 M. x. f3 ]( w3 Y0 L6 \( v) M
| keystone | identity | RegionOne |
$ h/ W, C& i! u- Z# R3 C* E| | | public: http://stack.flex.net:5000/v3/ |
# T1 m6 n- w; @3 _; Z0 B8 p4 E| | | RegionOne |! q: v2 F5 ~ U6 w/ g
| | | admin: http://stack.flex.net:5000/v3/ |
2 Y* K& k6 l" f5 P8 ~" K| | | RegionOne |
8 V4 _2 R" Z K) S- N/ w( B+ I| | | internal: http://stack.flex.net:5000/v3/ |4 ]3 ?# e% ^0 ~9 ?) v5 C$ E
| | | |
; X8 \3 A, q" u7 s+-----------+-----------+---------------------------------------------+7 |. T: ~5 Y B
List images in the Image service to verify connectivity with the Image service:
+ B- K i1 D( W' x" h1 Y4 b" g' `2 ~" b O0 l; V1 Z3 `+ K
$ openstack image list
) w( f( g$ f0 a5 a" j
0 Q; k+ x/ u2 W) D+--------------------------------------+-------------+-------------+
' g1 I$ D- E) l; b+ d0 j E' V| ID | Name | Status |/ S' |) P3 s0 D" Z! P ]
+--------------------------------------+-------------+-------------+5 [ z2 O N% v4 H" j4 [2 T
| 9a76d9f9-9620-4f2e-8c69-6c5691fae163 | cirros | active |
7 V: b) ^) v- y1 t+--------------------------------------+-------------+-------------+/ R, w" b5 y3 a- a/ ?5 P$ U; k) t* g2 a
Check the cells and placement API are working successfully and that other necessary prerequisites are in place:7 B6 q6 h* L' Q; d0 m. s' a
) T7 R8 f8 b1 s7 p: Z) P# nova-status upgrade check
' D- z, R( N" O3 U- m; y0 t: G. c3 w" u7 W
+--------------------------------------------------------------------+' C, s1 U3 L: g5 u( z# R
| Upgrade Check Results |& F* O- H5 s5 O+ T
+--------------------------------------------------------------------+: B' `- g+ i& j5 ]
| Check: Cells v2 |
4 U2 c& o7 t5 u& Y' w& w( x I- a' ?9 _" || Result: Success |
2 J9 D' g+ B1 v: b| Details: None |
7 Z4 L/ u) g `+--------------------------------------------------------------------+2 Y8 b6 ^7 Z2 ~9 Q5 L
| Check: Placement API |
. s, n7 d$ u; ~' y, s+ ?& r5 @| Result: Success |, w) D- F; {: Y" z- l
| Details: None |
4 B/ b" C& }, w0 p* Y! |+--------------------------------------------------------------------+2 u+ v; f, X9 N" J* ^) F4 t
| Check: Ironic Flavor Migration |
" G6 y# {& @8 v& g( T" O| Result: Success |; n8 r. w: f. m; b
| Details: None |. p7 d$ t/ D! k
+--------------------------------------------------------------------+0 g; ^9 i4 |! _1 s3 v6 j2 T
| Check: Request Spec Migration | R2 r: _ C" O7 [
| Result: Success |2 V c9 G9 t* v1 { {& q
| Details: None |0 S, m. D/ k2 e1 j8 v) u8 h
+--------------------------------------------------------------------+
# W9 u1 j; ]* m| Check: Console Auths |
+ a: t& ]. f! |$ ]. n/ ~1 l! Y| Result: Success |$ K$ |# I: |& R$ y( `
| Details: None |' U' W: o" e* U! Z$ ~; @- O" D
+--------------------------------------------------------------------+
5 b+ U3 b% u3 S2 ^# X- p2 j4 s7 n, j% S6 S3 \
- j! R: x* Z# B. y& S' d% `4 [& _7 ]OpenStack网络(neutron)允许您创建并将其他OpenStack服务管理的接口设备附加到网络上。可以实现插件来适应不同的网络设备和软件,从而为OpenStack体系结构和部署提供灵活性。
+ m; ~2 o7 g. z [% h8 R 它包括以下组成部分:: q" ~" {: b- E- [* {( S) I
4 O, |3 U/ ~7 u3 aneutron-server 3 Q2 p& [- j2 \, P# g+ O4 O: @
接受API请求并将其路由到适当的OpenStack网络插件以执行操作。
7 S& l6 m) t3 MOpenStack Networking plug-ins and agents 1 E: g, j& m) `
插件式的网络端口,创建网络或子网,并提供IP地址。这些插件和代理的差异取决于特定云中使用的供应商和技术。OpenStack网络附带了用于Cisco虚拟和物理交换机、NEC OpenFlow产品、Open vSwitch、Linux桥接和VMware NSX产品的插件和代理。8 Z& f. {2 p* @0 h) {) y
常见的代理包括L3 (layer 3)、DHCP(动态主机IP寻址)和插件代理。. o7 w/ p: i( w( G ~# ^
Messaging queue 5 m% A3 o5 r; e+ J. ^0 y1 v
大多数OpenStack网络安装都使用它在neutron-server和各种代理之间路由信息。还充当数据库,存储特定插件的网络状态。
6 u( @& v% S* ?0 S7 {1 W& n4 H. a; y) V7 B, C
Prerequisites
( y- q1 B* Q& {) W8 x ?" N* eBefore you configure the OpenStack Networking (neutron) service, you must create a database, service credentials, and API endpoints.
. \! d# J5 Z+ v$ L! }0 z
" R3 S% K- s/ ~. B* b ETo create the database, complete these steps:% @9 ?- {. n% K6 J$ y! G
○ Use the database access client to connect to the database server as the root user:
8 K9 k( u' Q% m5 z$ mysql -u root -p root123
5 `& B# o' S& M7 U/ w: S1 }○ Create the neutron database:/ [/ H: h3 d" Q6 H
MariaDB [keystone]> CREATE DATABASE neutron;
- [/ Q' R% ^* R. O' e) ^○ Grant proper access to the neutron database, replacing NEUTRON_DBPASS with a suitable password:
9 T8 u" o2 y6 O0 a+ M; qMariaDB [keystone]> GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'%' IDENTIFIED BY 'neutron123';5 c/ ^. {) c% Y# C
Source the admin credentials to gain access to admin-only CLI commands:
( z2 s* O0 B+ N1 t. ^- P( R$ . admin-openrc' o+ C) z* y! d. J
To create the service credentials, complete these steps:
. P7 ]) d7 G; g; x% R
7 @. V& g0 Q& H: P2 e7 T○ Create the neutron user:
5 x( W1 J @3 r4 P$ openstack user create --domain default --password-prompt neutron8 m2 z# I' Y, g/ W- u0 q) ]( ~% A
User Password:neutron123# ^, ?; G# c u6 R3 e- t% C6 `
Repeat User Password:neutron123
+ S. W& x9 }5 [, h; N) g+---------------------+----------------------------------+' Q) G' n% O z$ }5 y$ {
| Field | Value |
- j, m) i2 j; N" K) ]+---------------------+----------------------------------+% S+ h) h( ]. l. j/ F
| domain_id | default |2 a3 _% K6 _5 {$ u% r. {3 ^8 P3 s
| enabled | True |# u; X1 I/ F$ V# e ^$ \- e
| id | fdb0f541e28141719b6a43c8944bf1fb |
6 X1 i; Y$ A/ n V1 \& j+ T& V5 N| name | neutron |8 _/ P8 [# U$ V2 q
| options | {} |3 j& g+ H5 d, {+ ]
| password_expires_at | None |1 k9 s+ g" ~. h+ j) m
+---------------------+----------------------------------+
2 Y: e) B+ \5 X! w1 @0 z○ Add the admin role to the neutron user:7 w- n" b* V. J4 i1 L* q( Y
$ openstack role add --project service --user neutron admin
5 @) [0 K$ V7 P! q4 O : }; m2 S7 i5 R
Note: This command provides no output.
" W+ u' ^, b) e' [" i* B6 u% y: t○ Create the neutron service entity:) P" y% O. w. _ G4 W4 ~
$ openstack service create --name neutron --description "OpenStack Networking" network
5 b. ^' W" U$ C6 X: G5 D* B5 e1 R/ ?+ I. l& R
+-------------+----------------------------------+4 e! s5 m* `2 u- f) L
| Field | Value |8 I/ R2 N6 } d" X) t/ u9 \
+-------------+----------------------------------+/ Z8 j$ a8 M" V- W4 c
| description | OpenStack Networking |& a$ [ }" K$ ~! I
| enabled | True |4 ?& d9 d7 v" q5 j) U
| id | f71529314dab4a4d8eca427e701d209e |( k$ _$ [7 B9 F- k2 `' \7 a4 Q
| name | neutron |4 _; d9 n+ [9 O* r2 e2 B
| type | network |
4 z/ D4 o' v; f5 G5 |+-------------+----------------------------------+9 n2 D7 P) ~; `: @% @6 u
Create the Networking service API endpoints:: U: F; k, Y% X2 q
$ k* F* x* h8 e: e. W; E1 d/ e#openstack endpoint create --region RegionOne network public http://stack.flex.net:9696
& N% c( Y3 O9 ~+--------------+----------------------------------+0 i: k/ O2 Y6 G4 o) ^. f3 j0 K' ]6 P
| Field | Value |
3 Q# U X8 s; F C3 T9 I+--------------+----------------------------------+
" P7 ^% c: V! D/ z0 j| enabled | True |& t+ x; L" y: U
| id | 85d80a6d02fc4b7683f611d7fc1493a3 |# J! k0 p! `) G
| interface | public |% i6 K3 C4 |7 U+ ?! o J1 V
| region | RegionOne |7 Z3 r; w, i; x
| region_id | RegionOne |: [ c* s, _6 B y$ V
| service_id | f71529314dab4a4d8eca427e701d209e |
5 o- I. T% {% @9 Q- J| service_name | neutron |/ m2 x# Q; v% K m" n% U4 ~- w% `
| service_type | network |
9 H _ t9 P( N| url | http://stack.flex.net:9696 |
. i: X. I6 H q- E n+--------------+----------------------------------+; g- T9 ~4 D' O& E; t
#openstack endpoint create --region RegionOne network internal http://stack.flex.net:9696) t+ O% M& w4 H; s1 f9 ?, @
& [% ]- m3 P' K& _% ] H+--------------+----------------------------------+
( g0 `; V% X. d! ?| Field | Value |- Z) }" \$ ^4 I l: w& Z- I
+--------------+----------------------------------+
! t; G' D _2 n# L% F% m| enabled | True |9 F4 f* S: n. I+ K( G7 u( Q
| id | 09753b537ac74422a68d2d791cf3714f |
1 n/ A6 D3 e0 ?) T: k" f| interface | internal |
/ V3 w) Y/ v: r5 I. ~, F; L2 Z| region | RegionOne |
8 @7 k5 S9 i) K# w: R, P| region_id | RegionOne |, A6 C, G- W- q c8 P. B+ \, L
| service_id | f71529314dab4a4d8eca427e701d209e |9 K) u3 M: Q) M' o
| service_name | neutron |
+ ^0 ?/ W8 ?+ i| service_type | network |
; I; I9 u5 F2 ?| url | http://stack.flex.net:9696 |
0 R- i8 [3 s/ [/ [- p' P* e" L5 H8 [" V+--------------+----------------------------------+
5 v* R2 A |, E& K+ ?' N8 @) `$ w/ ]
2 z0 d) e% r6 s" r# x: ]#openstack endpoint create --region RegionOne network admin http://stack.flex.net:9696
7 s+ C! J& _% O2 s; E9 A. ]5 o) [, z- m( n4 g
+--------------+----------------------------------+- {7 r2 O. r5 d/ c3 s1 @1 @
| Field | Value |
, Y9 T" n" M1 l- J4 a8 ^& i+--------------+----------------------------------+
/ y$ D f5 @" g* Y| enabled | True |
/ ?) r) c9 K9 d' C/ f8 s% ^* N5 f| id | 1ee14289c9374dffb5db92a5c112fc4e |8 z5 }& u& A3 Q8 K0 f
| interface | admin |2 U. o, r; @$ U" |
| region | RegionOne |
$ h2 j) K/ K, ?, O) Y( Y9 || region_id | RegionOne |
, B; j* z4 X: H) B6 ^. z9 K7 @( L| service_id | f71529314dab4a4d8eca427e701d209e |# i/ q. R; G- q0 o# u2 @1 ^9 N
| service_name | neutron |& J; b5 @" E9 O0 V4 g, r) A3 F5 x
| service_type | network |8 b2 e2 \- D8 D1 g2 t
| url | http://stack.flex.net:9696 |' d' E4 T2 ~" F
+--------------+----------------------------------+
: n% n% t* j$ ~3 Q( l8 L) m0 ` x. h/ Z$ e
#### Configure networking options* {+ T3 y, v, u3 i, Z
可以使用选项1和选项2表示的两种体系结构中的一种部署网络服务。
4 `" A1 N0 K _
+ v1 d$ y3 [+ W" X) v; O选项1部署了最简单的体系结构,它只支持将实例附加到provider(external)网络。没有self-service(private)网络、路由器或浮动IP地址。只有管理员或其他特权用户才能管理provider网络。
( h+ _) U* S2 `+ u) @4 s+ R! s" Z. A" I8 l7 ^/ p' ~ H" Y
选项2支持将实例附加到自助服务网络的3层服务来增强选项1。demo或其他无特权用户可以管理自助服务网络,包括在自助服务网络和提供者网络之间提供连接的路由器。此外,浮动IP地址使用来自外部网络(如Internet)的自助服务网络提供到实例的连接。+ L) j8 l* o5 }, M; f' C' k
' x( L. B, e/ n+ H7 s# o
自服务网络通常使用overlay网络。overlay网络协议如vxlan包括额外的头部信息,这些头文件增加了开销,减少了有效负载或用户数据可用的空间。在不了解虚拟网络基础设施的情况下,实例尝试使用默认的1500字节以太网最大传输单元(MTU)发送数据包。网络服务通过DHCP自动向实例提供正确的MTU值。但是,有些云镜像不使用DHCP或忽略DHCP MTU选项,需要使用元数据或脚本进行配置。: O. S/ Y) d2 s( h0 j, i
' f& {6 H+ i6 E+ h: V
选择下列网络选项中的一个,或两个全选,参看下面的两个章节。并返回这里再向下继续配置
0 p4 n c: b# Y○ Networking Option 1: Provider networks" T8 B3 }5 S/ J, i- R9 Z7 P
○ Networking Option 2: Self-service networks
% m# v; @ N7 g; W3 L* ~2 K. H% M$ ^% ^7 [
Configure the metadata agent) r* u0 y* r$ r9 U4 l
The metadata agent provides configuration information such as credentials to instances. H& y. b# i6 G4 R+ I+ X$ J
Edit the /etc/neutron/metadata_agent.ini file and complete the following actions:
/ c, {; k U# Q8 o2 y5 p& t2 }$ Y9 d. G
○ In the [DEFAULT] section, configure the metadata host and shared secret:
, _) \/ p' {" g7 C+ M I; n' M) t [DEFAULT]9 l- q p" _8 D U8 i+ J: o: R
# ...
/ d" i; k2 `* ] nova_metadata_host = stack.flex.net
3 L! Y7 _4 `3 i) R metadata_proxy_shared_secret = 1234 , i7 Y; H5 x8 s8 a/ r
# I5 r- p' |) \ p Replace METADATA_SECRET with a suitable secret for the metadata proxy.. w' D& I6 w% J8 M
Configure the Compute service to use the Networking service/ P, i" ~" |6 _- e, b# Q0 g8 y8 m5 r
Note: The Nova compute service must be installed to complete this step.
, w0 K6 _$ a$ r4 \/ pEdit the /etc/nova/nova.conf file and perform the following actions:
* p( V2 {$ Y# \8 C* E, h6 K: w' ?; F; z2 B* I( Z% e8 o
○ In the [neutron] section, configure access parameters, enable the metadata proxy, and configure the secret:
! K; Q2 q7 [* V j [neutron]
8 Z4 p, M7 W9 t9 _+ _* P # ...
1 Q% R5 `6 J2 X% P url = http://stack.flex.net:9696- |0 k1 T- U( w
auth_url = http://stack.flex.net:5000, r* x4 J" V6 @( u+ `7 p. [
auth_type = password
8 @7 O5 _9 i& o2 A7 R/ C project_domain_name = default7 F% Z& n5 Q# @& h- ~/ m% t
user_domain_name = default
. {2 W. x3 r4 G5 C ` region_name = RegionOne
8 ~2 j; T" {5 h7 P1 x) ]8 j project_name = service7 }. W$ e% a5 |7 U/ \7 o
username = neutron
; P [) E# a1 f% c+ P6 i password = neutron123$ U4 |2 k5 p- `! e q
service_metadata_proxy = true
% [2 X7 h$ _( s+ R metadata_proxy_shared_secret = 1234
7 v5 |$ E+ J3 v& S# G/ RFinalize installation
2 o2 v. L3 } F8 T' nThe Networking service initialization scripts expect a symbolic link /etc/neutron/plugin.ini pointing to the ML2 plug-in configuration file, /etc/neutron/plugins/ml2/ml2_conf.ini. If this symbolic link does not exist, create it using the following command:, f# H$ k0 S* I% w2 W
# ln -s /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini4 k) o J% x6 V8 L& t+ e' B2 F
Populate the database:. a7 C% C+ A! O0 F
# su -s /bin/sh -c "neutron-db-manage --config-file /etc/neutron/neutron.conf \4 y0 y8 F7 ]" }) C2 S' t" K
--config-file /etc/neutron/plugins/ml2/ml2_conf.ini upgrade head" neutron
6 F( _& n& E5 _9 u( y) @/ u; g$ h注意:由于脚本需要完整的服务器和插件配置文件,数据库填充将在稍后用于网络。
& ]$ l. Y; S& Q& e, |. [) ZRestart the Compute API service:
/ s0 c: F, z7 C9 t1 ]7 S4 z# systemctl restart openstack-nova-api.service1 C7 | n; a4 O# p
Start the Networking services and configure them to start when the system boots.
4 F5 X# P$ C& c6 S: XFor both networking options:
9 g$ e4 W8 D6 y$ d/ P/ E # systemctl enable neutron-server.service \
5 _! i! ~* r3 N; |( i neutron-linuxbridge-agent.service neutron-dhcp-agent.service \
" b7 Q& u0 Q$ p- g- k neutron-metadata-agent.service
5 D$ ^2 |: r6 O. S" `8 M # systemctl start neutron-server.service \ D9 @, U C* B* _/ o" t ^
neutron-linuxbridge-agent.service neutron-dhcp-agent.service \
7 u. K, U' \6 \6 I& ^ neutron-metadata-agent.service+ U1 [+ H2 h2 Y& C' p9 {
1 I S' |+ `" a0 x- |7 N3 X' G
For networking option 2, also enable and start the layer-3 service:$ x9 ]% G! W- V& x0 B' U+ A4 l/ E
# systemctl enable neutron-l3-agent.service
1 Q$ q- x5 Y. v3 | P j # systemctl start neutron-l3-agent.service
! m! D, p; a, M( s7 r0 t! _5 I% u$ [, y, O" Q5 J: c& X
2019-09-04 16:46:13; d- @/ E0 W7 m7 A6 n
最近测试esxi6.7的vmotion功能,为了熟悉kvm决定在kvm上实现, 系统是ubuntu16.04, 启动一个kvm,发现esxi在迁移时会崩溃,无法进行迁移,查找相关次料,解决方案如下:
4 {# |. V1 w$ B
) j7 Q9 i1 `1 p8 d; h0 PKVM的安装和使用
* t; v. x0 N A* ?& i$ T首先安装kvm0 f3 s" U, @% \* x' s. ]. d+ v
# apt install qemu-system-x86 qemu-kvm qemu libvirt-bin virt-manager virtinst bridge-utils cpu-checker virt-viewer
9 K9 b4 y. v ]- u% u Z0 p校验kvm是否安装,并检测cpu的VT-x虚拟化有没有开,出现以下信息说明正常5 G$ j Q8 r3 R# {9 T6 k
# kvm-ok) Z) W4 c+ S0 v, z
INFO: /dev/kvm exists
+ ~1 L$ n! b. p7 Q; ]5 yKVM acceleration can be used5 n- s1 R% j& X, N' F
运行virt-host-validate查看你的环境对kvm的技持,如果全部为pass,说明可以
' G" l& N- n7 t' T# Q1 ~# virt-host-validate 6 i% V1 p9 Q* c' H7 Q
QEMU: Checking for hardware virtualization : PASS5 V, Z. M7 W1 A0 r; [/ r
QEMU: Checking if device /dev/kvm exists : PASS
5 V6 g0 b5 G9 F2 M如果你想使普通用户能够使用kvm,可以添加当前用户到libvirt组中
2 Y5 [0 ^9 H F a& R- u5 A7 a; m: Qcat /etc/group | grep libvirt | awk -F':' {'print $1'} | xargs -n1 sudo adduser $USER
. _8 L6 J/ g2 A2 O6 v5 ^' w: T6 H% I; N% p& t j$ p# o/ w% O
# add user to kvm group also
) [& V" ]( V$ y& G: `. U4 Asudo adduser $USER kvm
* p5 b, k# l7 d+ w) d9 T4 D9 v
" e' N- G' m+ B3 x6 a5 o# X4 X, p* x# relogin, then show group membership
) ^$ x3 p0 s% \4 ~) I) M7 G4 fexec su -l $USER
, R |, [# c% l8 m/ l& Tid | grep libvirt
% W8 C7 a- R1 `, p$ M/ A% Z缺省的,kvm会建立一个虚拟的交换机名字为virbr0, 使用192.168.122.0/24
9 [, ?; i5 Q- j* {$ K9 j& K# ip addr show virbr02 K$ Q/ ]$ a4 @9 a+ b4 T4 d
17: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000" H, i, d( k: }0 D# o
link/ether 52:54:00:d2:52:b5 brd ff:ff:ff:ff:ff:ff
2 F$ d& d. _! k& c: c: dinet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
( F+ w( G5 ~8 {6 Z! M8 c valid_lft forever preferred_lft forever
/ R+ B3 _+ |% ]( fvirbr0实际上是一个nat模式,我们可以通过iptables看到实际的情况
) d# g& {+ W: }9 B; H# iptable -t nat -vnL
4 H T4 y( m9 E9 _! c: U0 MChain POSTROUTING (policy ACCEPT 146 packets, 11359 bytes)
* ? A) V( h8 D( Jpkts bytes target prot opt in out source destination
+ a0 j9 P% D6 y: G# J0 0 RETURN all -- * * 192.168.122.0/24 224.0.0.0/24 " b/ I ?, Q d) d5 x) z( U4 M
0 0 RETURN all -- * * 192.168.122.0/24 255.255.255.255 ( ~: I( _+ V) w4 ?3 T) C2 c$ ^
0 0 MASQUERADE tcp -- * * 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
7 t3 t4 K9 }. a: K3 c0 0 MASQUERADE udp -- * * 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535( h9 i+ z; [" {
0 0 MASQUERADE all -- * * 192.168.122.0/24 !192.168.122.0/24
: B/ E9 l0 D+ q8 [+ a定义存储池,缺省的存储池是/var/lib/libvirt/images, 但你可以另外mount你想要的os磁盘
5 ~ i% o" K; h9 s! P# virsh pool-list --all
) @% E5 d9 m6 U( Q) g Name State Autostart $ a9 u" }& f. T9 @
-------------------------------------------
' p( V- d% F( `* |6 G$ O* F default active yes 2 y! L( i4 ?* I
- V5 `" a& {; P; }$ X
$ virsh pool-define-as kvmpool --type dir --target /data/kvm/pool# @5 c! Y7 V! x
Pool kvmpool defined
. F1 l" H. ]* f1 I( Q7 u4 h$ virsh pool-list --all
. v& Z& r8 M/ n4 f$ virsh pool-start kvmpool' L0 x' t' c7 ~6 [8 u4 d9 f2 D
$ virsh pool-autostart kvmpool6 I+ v9 T3 d+ U: f# X& O0 {: y ^9 ]
( [& J+ n" Z6 p. K) s4 N' M$ virsh pool-list --all- c0 Q9 w& U2 {% H* [! E1 p
Name State Autostart ( {8 e6 Q% H( |" P. i6 N
-------------------------------------------
" H7 X3 J Q" t6 O% ?6 t default active yes " n+ [6 q9 q1 i/ k* ~
kvmpool active yes$ Z1 s. R# O9 b8 o
布署一个vm在你的kvm上,建立一个1vcpu/1G RAM使用缺省的virbr0 NAT网络和缺省的pool storage
1 C' o) a4 k/ q3 v4 c" Dvirt-install --virt-type=kvm --name=ukvm1404 --ram 1024 --vcpus=1 --virt-type=kvm --hvm --cdrom ~/Downloads/mini.iso --network network=default --graphics vnc --disk pool=default,size=20,bus=virtio,format=qcow2 --noautoconsole
) T' O7 Q. Z/ ~; j: p& D Y w
+ J4 i) c7 L6 E: F; Y/ O# open console to VM' }+ q0 C# E# y# Y1 i# o/ V
virt-viewer ukvm1404
! W' t) Y' [* |" \3 _ `如果你想删除这个vm,可以使用如下命令:
/ R5 M, R/ Y6 Avirsh destroy ukvm1404% T5 E! ~0 [! S+ v8 |
virsh undefine ukvm1404; _# v9 |) ]8 @1 u& f
如你想要一个全部图形化的软件管理kvm,可以使用virt-manager,当你没安装图形介面时你可以使用x协议的ssh客户端,如xshell, 或xming+ssh客户端软件0 m( h" a# ^# a1 O" C: t
布署esxi在KVM中
% K) _* U/ R7 u2 R8 b* v5 ^1 [% g配置VT-x,你同样需要在ubuntu中配置VT1 K6 f' ~2 L: I9 X9 \( X
# vi /etc/modprobe.d/qemu-system-x86.conf 4 p c5 v& f9 g* Z V
+ W* ]4 |9 a1 Y. o# h# i0 koptions kvm_intel nested=1 enable_apicv=n3 [. X2 g- } S% \
options kvm ignore_msrs=1
9 d6 ~+ s/ A$ o; C# J- L+ s. S; \重启系统,执行下列命令,必须返回如下值' l& ?+ G) D" e! U
# want Y to be returned
2 e; B- G" p0 Q) F$ cat /sys/module/kvm/parameters/ignore_msrs
: {5 K3 C# |' ^- A. V# t
7 P! Q, i& G) b8 S# want N to be returned! C2 Y( o( g$ J
$ cat /sys/module/kvm_intel/parameters/enable_apicv+ H2 a. }3 h! ~) X, b( Z a! u
9 l; U4 X6 c9 e# want Y to be returned
9 ?+ `* w6 R5 @9 r% [; b. E" P% q$ cat /sys/module/kvm_intel/parameters/nested
. G% c" }: R1 M2 d: p3 s建立kvm虚拟机) t8 D7 S% j9 R8 ^
# virt-install --virt-type=kvm --name=esxi4 \' D. b( W: G# ?5 W
--ram 4096 --vcpus=4 \8 l9 \) s1 d" C5 u+ F
--virt-type=kvm --hvm \2 i9 K; _. `& t* E
--cdrom /data/iso/VMware-VMvisor-Installer-6.7.0.update03-14320388.x86_64.iso \
7 r. {5 b. S2 G' {--network network:default,model=e1000 \! {/ ]7 w! V. N$ C
--graphics vnc --video qxl \9 N* {) m; P- I: |$ x
--disk pool=default,size=80,sparse=true,bus=ide,format=qcow2 \
$ U& ^" ]$ M8 g$ ]& V5 M% k7 N--boot cdrom,hd --noautoconsole --force \
, m, E" c3 }8 B3 [/ t9 \--cpu host-model-only
5 Q0 W0 D2 L3 Q. H9 x2 D当然你也可以使用virt-manager来建立虚拟机。% _! A: q9 Q8 q6 x* }9 `
在kvm中部署嵌套esxi6.72 ^* i* m: k" _5 j
6 g* Q: o: R' ]% R重复建立两个虚拟机,建立两个esxi实现动态vmotion迁移,测试和建立步骤省略,经测试vmotion可以正常工作,不会出现崩溃现象。
3 G S8 M! v; F( x8 o/ F3 m* w) ?/ t. K5 K$ v' \
安装和配置网络组件在controller节点上' ]1 y% B2 o. \9 L/ Y; S8 h4 i- j \
. P$ v0 C( K& _' w( q* c安装包
) Q4 {' E3 ]' B0 }2 k# yum install openstack-neutron openstack-neutron-ml2 openstack-neutron-linuxbridge ebtables
) ?( f b+ j2 s! D/ [- h9 B) z配置服务器组件! `$ o; q2 z( G/ m0 K" t: J
网络服务组件配置包括数据,验证机制,消息队列,拓扑改变通知和插件.
" e( d* b, v5 I7 C' ?# A) x1 lEdit the /etc/neutron/neutron.conf file and complete the following actions:0 t& ^! ?: j- C }% ]4 H; ^
○ In the [database] section, configure database access:
) R3 u; o1 _* D# H [database]
) p8 v- ?( h( x # ...2 ]! |9 W. T. {
connection = mysql+pymysql://neutron:neutron123@dbs.flex.net/neutron5 M5 n3 s+ U; x1 r5 c; L) v
注意:注释或移除其它连接选项在[database]区域中: J" J& q1 |3 W( N
: O( L; ]7 {4 O4 n. P○ In the [DEFAULT] section, enable the Modular Layer 2 (ML2) plug-in and disable additional plug-ins:
- b/ O$ H/ f t c [DEFAULT], n) ^8 F& W4 x) |/ }- u' _
# ...
& J6 x$ X8 O3 d# F! ] b core_plugin = ml2( l. }3 C: ~' p# t
service_plugins =4 v9 H6 y% N( m0 A
+ v0 S: G4 r1 A3 Z0 ~2 z
○ In the [DEFAULT] section, configure RabbitMQ message queue access:
2 p% R5 J' [4 p7 K# E [DEFAULT]
$ w/ o0 Z5 P+ D0 E! j! q$ M # ...
2 L/ E4 D( r9 W5 q0 j2 C transport_url = rabbit://openstack:openstack123@dbs.flex.net2 W f6 E. Y2 @
9 U3 N, K3 f& j3 v( d○ In the [DEFAULT] and [keystone_authtoken] sections, configure Identity service access:
9 l* R5 F. p* K# t- x2 H! p [DEFAULT]
) o! O& A9 a( ? # ..., L5 c1 l* S1 r; f3 n1 `3 Y$ A
auth_strategy = keystone. r6 d E3 H6 _& \9 m6 D3 `+ z
" W9 b! x/ \3 r2 a
[keystone_authtoken]
# _) V7 y( K6 ~, Z6 o # ...4 H6 \5 O1 N% r6 `' p' p H8 B% F: C& n
www_authenticate_uri = http://stack.flex.net:5000$ O4 t# A" }' o2 h0 f7 S
auth_url = http://stack.flex.net:50002 G& z( z# E2 M
memcached_servers = dbs.flex.net:11211* k2 Q$ o! p: [) h% F9 v
auth_type = password }* }' {* [1 B- g
project_domain_name = default4 n6 m, B3 C" k! a
user_domain_name = default ^ H0 e% g3 e( T! s
project_name = service
* j8 a' f3 ~3 E, p# S M+ q, ]6 P9 ^ username = neutron4 c' {; O6 }5 J# x1 G4 O
password = neutron123
9 H6 [4 c) s8 W7 v* _8 K* N9 ~ y 注意:注释或移除其它连接选项在[keystone_authtoken]区域中
; h% S9 d' i0 u* k4 o6 H! a& J- e4 b3 `3 q* J# q6 a% P( {; o; N% E' L
○ In the [DEFAULT] and [nova] sections, configure Networking to notify Compute of network topology changes:; }9 m0 ^! c, O9 o
[DEFAULT]0 S8 r' O( y l# ]; G4 e
# ...! e/ a3 G: F7 Q0 w3 B+ _* @' O5 _4 ]
notify_nova_on_port_status_changes = true
$ v% B. x; H+ ^$ [) Q notify_nova_on_port_data_changes = true7 U' \ r8 c( w3 y
* L8 T% v6 y5 G& [' I& |
[nova]$ b. h) X: A) ]0 L+ I( z7 F
auth_url = http://stack.flex.net:50005 k1 b6 a* p2 m3 k- Y
auth_type = password0 @- J' K+ R9 x. A% Z: T6 O
project_domain_name = default
* r T$ b$ |( H. S ~2 L user_domain_name = default
4 Z& ^/ r/ G. Q5 z5 o; X region_name = RegionOne, B% h, {4 t$ Y, {0 j
project_name = service3 n2 W5 d4 y. U# }1 l
username = nova
7 E+ D- ?6 Q! e! B" a% b password = nova123
5 q* t. b. B8 F. K4 f7 e
( E. I* n+ l5 [2 w9 z, A○ In the [oslo_concurrency] section, configure the lock path:6 R7 C" V! P I4 P0 \9 I3 z
[oslo_concurrency]
8 X, e7 u$ X( C: o7 L. F; G # ...
" u3 r# O: } X4 y, }: F: C: [' W2 E lock_path = /var/lib/neutron/tmp% L) G9 g: o. C' f
配置模块Layer 2 (ML2)插件- Z7 W0 k+ k8 s" x4 A0 b4 U
实列中使用ML2插件,ML2使用Linux bridge机制建立layer-2(桥接和交换)虚拟网络架构。
% A$ D6 K; F* i7 n# n Edit the /etc/neutron/plugins/ml2/ml2_conf.ini file and complete the following actions:( Y. y" n- u) W4 l! N- h I
○ In the [ml2] section, enable flat and VLAN networks:
8 _5 T7 {+ x% |9 | [ml2]! k3 |& Q" ~+ e5 t$ y
# ...
& ?1 \! b) T. q% _- ? type_drivers = flat,vlan9 l9 P2 B5 Y! o6 b5 S
, J6 ]1 H8 {( h' v8 c" ^6 x
○ In the [ml2] section, disable self-service networks:
" R: A; ?* F; y+ W [ml2]
3 ?' C6 c" B6 r: G1 `, |" d9 v5 y% I: O # ...
3 X+ [3 f) x0 F: t tenant_network_types =
, k, p+ A# l7 P4 R. w! h r" g& s2 ^: x% T
○ In the [ml2] section, enable the Linux bridge mechanism:8 S: w( ?3 Z2 P5 u5 ?
[ml2]
4 c9 j% ~1 ?0 s2 d4 a # ...- W5 w# }; }+ B2 p; H
mechanism_drivers = linuxbridge
0 [8 E5 p9 t! _ 警告:配置ML2插件后, 从type_drivers移除这个选项会导致数据库不一致.- s* S. W' @2 ^' l, J& l% g
% U8 ]8 b% s+ I6 T/ Y2 r, X- \
○ In the [ml2] section, enable the port security extension driver:
) g v* N9 t6 H% G5 g5 v# Q [ml2]
1 r. F' z7 d& R p; s& i: Y # ...% g, G3 A7 k1 h$ @: U' P: P9 o P" l
extension_drivers = port_security
! Q) q% u2 A1 A3 l$ n9 |# P! [8 E% e/ f+ c
○ In the [ml2_type_flat] section, configure the provider virtual network as a flat network:6 m- T( K' @+ M/ g4 h. B
[ml2_type_flat]
9 s. K: |6 ]& I4 b& c. E0 ? # ...
' K9 m* [, x, q& Z! O% T5 m flat_networks = provider7 H2 Q3 Z* B2 I; A6 R. q4 C0 g
) Z+ z2 o- C5 u8 H0 R○ In the [securitygroup] section, enable ipset to increase efficiency of security group rules:, k+ F" Q' B* B! I9 K% _
[securitygroup]! S# i, y9 b& o& B
# ...
; \ w0 T8 Q+ R6 m enable_ipset = true- |: _$ E# }+ b! r2 t9 v. u
Configure the Linux bridge agent) Y2 L- Y" B' }/ x" ]4 u3 D
The Linux bridge agent builds layer-2 (bridging and switching) virtual networking infrastructure for instances and handles security groups.- u8 f' x" {. G4 t
Edit the /etc/neutron/plugins/ml2/linuxbridge_agent.ini file and complete the following actions:
7 J# f+ _& I! [ Q○ In the [linux_bridge] section, map the provider virtual network to the provider physical network interface:+ C$ Y2 z% H" U; ?# j J
[linux_bridge]
7 q" I) U) @6 X# Q+ b7 ?' I6 x0 k physical_interface_mappings = provider:eht1, U; v) x; o5 ^6 @- o* s) Z4 Z
使用eth1物理网络接口做为租户的网络连接.
) [5 w+ N8 D- K# Q0 s0 K
# K" d o! R' Y- o( ]○ In the [vxlan] section, disable VXLAN overlay networks:. D4 r5 R) T. K/ U
[vxlan]
" r" h! s m& f" H9 \' O9 A enable_vxlan = false
- ` ? P& t( X3 f$ I+ ^/ D" w7 L○ In the [securitygroup] section, enable security groups and configure the Linux bridge iptables firewall driver:
- Q0 t# o) T% [5 L7 `( @# o8 u [securitygroup]
/ T/ {2 c) w+ C2 L # ...- m! x5 ?8 g1 |5 x( }3 O
enable_security_group = true
$ v8 q- {' R' S. O8 I$ Q* U8 @ firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver; \+ `% {* C4 T1 y& V+ k% q
. ]2 h" Z. `. K6 q1 d$ N: J* @4 s○ Ensure your Linux operating system kernel supports network bridge filters by verifying all the following sysctl values are set to 1:
& u+ l8 T! x% L2 q net.bridge.bridge-nf-call-iptables. _/ G! b8 z( |' G g# r
net.bridge.bridge-nf-call-ip6tables
8 {- s& D0 S4 V8 {2 B2 q; Q4 j( s4 ~0 A' h$ f% {; k
# modprobe br_netfilter
2 a9 P5 [6 P9 J: {7 z6 |% O # vi /etc/sysctl.conf( C" k R. \" `/ U: D5 [' B) T
net.bridge.bridge-nf-call-ip6tables = 1& ~. \" o v8 \. o6 o' p
net.bridge.bridge-nf-call-iptables = 1 ( h! K4 l8 _+ d3 t& y
# sysctl -p* w% [2 _ l4 m" w; M' @
net.bridge.bridge-nf-call-ip6tables = 1
( y o0 m8 ]9 N$ E& ?% z net.bridge.bridge-nf-call-iptables = 1* U1 ^+ x4 L) @" H$ l2 d
+ m6 P0 V5 X6 R# L; q
为了网络支持桥接, 通常的需要加载br_netfilter内核模块. 但这里可以忽略错误,当你重启neutron时会自动加载.) h& w3 g5 ~% {9 W5 T$ t0 X
Configure the DHCP agent
" J# |" ], a; a: d7 [3 |
) b5 j- d! ]# ]' gThe DHCP agent provides DHCP services for virtual networks.
( v+ t& K! M$ ]+ K7 hEdit the /etc/neutron/dhcp_agent.ini file and complete the following actions:+ \1 w8 L: X ?# a/ S! D3 J
○ In the [DEFAULT] section, configure the Linux bridge interface driver, Dnsmasq DHCP driver, and enable isolated metadata so instances on provider networks can access metadata over the network:
8 b2 _8 C' k( @ Y! \' L[DEFAULT]
0 J6 w# m' y6 v# ...
9 ?0 T+ w4 G, z/ B# r& e3 ]( t; Cinterface_driver = linuxbridge' s$ z& _3 n; f& w" @7 ?
dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq0 N! X% `% A/ L6 ?6 _4 n8 ^5 E, S
enable_isolated_metadata = true
; P, S% \9 b: D6 E8 u8 x
" R- [0 ~$ ?5 S, `% K3 v5 R完成后返回网络配置或继续网络选项2/ s: [3 U3 k3 Z7 b
2 r) ]# @( `+ n) r5 W2 {! K2019-09-04 21:02:50
: h+ V- s5 p# y. @ k2 c5 M% rInstall and configure the Networking components on the controller node.% F8 g2 H$ Z7 ^; Y
2 o5 Y* Q. h' S4 O# w( oInstall the components
, a" v1 r/ z5 O4 z* C# yum install openstack-neutron openstack-neutron-ml2 \; l9 x% Y l5 S* [ p9 }3 `
openstack-neutron-linuxbridge ebtables
2 P& M/ Z8 u l& F* X/ yConfigure the server component$ ` f. M' G: N& }. |
. M; a* m; b+ p
Edit the /etc/neutron/neutron.conf file and complete the following actions:
+ T3 x- F' V1 c○ In the [database] section, configure database access:1 C% l7 R7 s$ {
[database]
" Z+ x5 A- @: d4 e# ...% x% |: N' ^- S7 d7 Z
connection = mysql+pymysql://neutron:neutron123@stack.flex.net/neutron
- A# I+ D- d# L7 ?6 p1 a$ U注意:注释或移除其它连接选项在[database]区域中
) }, G6 V( }( K. l○ In the [DEFAULT] section, enable the Modular Layer 2 (ML2) plug-in, router service, and overlapping IP addresses:
" s3 |( U' w' j[DEFAULT]
) Q9 \4 g5 i( h5 ~; s4 }" s
% \ j, l; p" R) j* z...
2 J: P: m8 v0 R/ g+ _# t0 Zcore_plugin = ml28 M1 g# i0 u$ E* U( z
service_plugins = router# \/ r9 k& d7 t
allow_overlapping_ips = true
' p0 w) F0 t0 O7 C- B/ v○ In the [DEFAULT] section, configure RabbitMQ message queue access:
- _" }% ]7 F7 i" t[DEFAULT]: K+ m) v2 M! Q& t8 M: d
& u) |3 d5 @; j/ g- d7 y5 v. T, s
...# J; b! y; {) v/ D5 g: A
transport_url = rabbit://openstack:openstack123@dbs.flex.net
' ?% v- O* f# |) Q W○ In the [DEFAULT] and [keystone_authtoken] sections, configure Identity service access:+ h% n' c* z, B1 R: b# r+ c
[DEFAULT]( t5 x3 c Z# `) _0 F
+ _5 R9 d- F3 ?) S( ?: i4 Z...* @/ ]3 `5 g0 b) Z
auth_strategy = keystone) ], J5 R0 ? f4 X5 e
+ \! ]% e* [2 ^1 y/ m5 i
[keystone_authtoken]
5 Y. V6 W1 k7 u# o" L# ...: P% J0 k7 d& b. E- u; P% h
www_authenticate_uri = http://stack.flex.net:5000
6 [+ z. i; u2 Q% V; }auth_url = http://stack.flex.net:5000" a; W2 {8 m* g+ O& ^% B
memcached_servers = controller:11211 h7 _0 ~6 i- b9 x* e. `: A( |
auth_type = password4 ^" B: Y" d' u0 s. p5 p, R
project_domain_name = default- C/ \0 t2 e; u5 j2 B$ U
user_domain_name = default
' ~% s- R4 @7 N' @, vproject_name = service
, M% G' ~' y( Z( }7 L5 ?0 Husername = neutron
1 \% K% h r" V0 b3 ~9 apassword = neutron123
7 y# G8 O: |! q9 |2 Z/ p注意:注释或移除在[keystone_authtoken]区域中其它选项.7 ~+ n0 F4 ]7 u! `% B# K7 i% K# Z
○ In the [DEFAULT] and [nova] sections, configure Networking to notify Compute of network topology changes:
: z; T& o! [3 @[DEFAULT]
; _0 p! [- T/ X0 \# y
6 ]4 }0 y* W1 F3 M, c% p0 {: S# L...$ F/ E* ?1 S4 d8 w6 n8 P4 p0 H
notify_nova_on_port_status_changes = true
- e. h2 W% ^8 c9 V( Ynotify_nova_on_port_data_changes = true* S2 N( \; s: ]
; N! J/ q; n5 {! `$ m2 X+ r
[nova]; B6 `( L+ Y8 }/ C, x' X6 q
# ...7 ^- s! G# e: H8 r) k# K/ y
auth_url = http://stack.flex.net:50005 m- G h, V/ r0 w4 e/ u6 c
auth_type = password. f0 k' k3 Q) L* \ m
project_domain_name = default
6 q# y; I! K6 \4 Huser_domain_name = default$ M; N* d$ ^2 @) J! e8 ]
region_name = RegionOne# m! E# l% b& T! T1 q4 @$ I
project_name = service
9 U1 h9 J* |( O7 l m& ^6 dusername = nova
% m; T% I+ M2 s* g7 c }password = nova123
7 T% r% u; R" D- _1 G" X○ In the [oslo_concurrency] section, configure the lock path:
, Y9 J ^: @4 z. F/ @6 k2 E[oslo_concurrency]
& U' B, H. i3 V* r* B/ M: p) S& W
* b1 a3 |+ m- c9 u.../ O# N3 c! h. _; u
lock_path = /var/lib/neutron/tmp/ P" f) a, b) q
3. Configure the Modular Layer 2 (ML2) plug-in3 C0 A; R ~/ Q) `; n- r7 }% ^& C; y
The ML2 plug-in uses the Linux bridge mechanism to build layer-2 (bridging and switching) virtual networking infrastructure for instances.
: N# b3 `) T, H5 H0 qEdit the /etc/neutron/plugins/ml2/ml2_conf.ini file and complete the following actions:$ @2 p( p# N, n
○ In the [ml2] section, enable flat, VLAN, and VXLAN networks:
2 `* v; N' X0 X! G[ml2]3 |+ B0 w% E( X9 C% l! d$ K! v
) E' V; S# {' y* \% u/ a...% D! s p+ h( B1 t, s
type_drivers = flat,vlan,vxlan
0 I: g/ K' t% p# l7 I9 F' |$ I+ ^○ In the [ml2] section, enable VXLAN self-service networks:* ?( }" r+ p. }8 ~) A3 T+ L" i+ e
[ml2]
- p$ ~! X9 u7 E) y7 Q
3 K% \& P$ p0 |+ A...
" b2 {- G4 T# y) otenant_network_types = vxlan
`: K; i" G) x5 Q○ In the [ml2] section, enable the Linux bridge and layer-2 population mechanisms:/ M7 Q5 Z0 ~; P& K- o- l1 U
[ml2]4 D4 t& M- C& j# S# C: ?
+ m8 G# q" q5 x: ]...
" q/ J p$ [# ^/ o& y: q/ ^ Kmechanism_drivers = linuxbridge,l2population
; \: L! a8 Y/ H2 Z0 X0 X4 o9 N/ \注意:配置ML2插件后, 从type_drivers移除这个选项会导致数据库不一致并且Linux bridge只支持VXLAN overlay network.
" x% \/ O7 k$ B. ^' X$ G○ In the [ml2] section, enable the port security extension driver:
5 i1 _8 e; G: c9 \2 U; O' T[ml2]
3 }* n" l4 P& b( D4 u
1 M: |& U; j$ Z... s }. r, h0 b
extension_drivers = port_security( S0 a' g2 R/ w# i' ]3 z9 r
○ In the [ml2_type_flat] section, configure the provider virtual network as a flat network:
2 h' l( Y! M% s6 c1 S7 q, ~6 z/ O[ml2_type_flat]* C$ ?+ ?& r* e2 }3 J( \0 O
# r, y+ i" {: Y& P1 D0 N5 ~...
! l0 p3 T' W) h/ ?2 F+ Q! d8 ^4 ]' Pflat_networks = provider
" f% e k, J! R. B: o& D; a○ In the [ml2_type_vxlan] section, configure the VXLAN network identifier range for self-service networks:( q# Y" C/ \% w' }
[ml2_type_vxlan]
; n, d& ]: i! i, Q6 N. d, f- k
+ m: }5 h/ r, F6 {( U$ X...
- s# w- }$ c) h' yvni_ranges = 1:1000
# a- ~/ @( h n4 d9 n# F4 o6 w○ In the [securitygroup] section, enable ipset to increase efficiency of security group rules:
" S6 a# e) r& K+ f8 y[securitygroup]6 G& v# k3 ^2 ` u
+ m- t0 z. O. h6 ^ n* P...
: J2 {. K( A! k2 U# o2 n. d7 H! oenable_ipset = true
; Z5 F% z8 j# g: y' Y) A$ w& g4. Configure the Linux bridge agent
* Z0 ]- ?1 L/ r! T+ t( d' EThe Linux bridge agent builds layer-2 (bridging and switching) virtual networking infrastructure for instances and handles security groups. K& N0 h5 Y8 p% l( q7 s5 a; Q
Edit the /etc/neutron/plugins/ml2/linuxbridge_agent.ini file and complete the following actions:* @ Q2 b1 N: B
○ In the [linux_bridge] section, map the provider virtual network to the provider physical network interface:
; C# k' p9 @. ~[linux_bridge]- K9 i$ H- ]& O( E# ~3 `2 l
physical_interface_mappings = provider:external:eth1
s9 y; Z; i: B& C
6 w* j" j0 n- A+ |8 _) y! `' T3 hReplace PROVIDER_INTERFACE_NAME with the name of the underlying provider physical network interface." A7 J' A. z; ^3 B! n0 X h, f
○ In the [vxlan] section, enable VXLAN overlay networks, configure the IP address of the physical network interface that handles overlay networks, and enable layer-2 population:3 R% A, N6 A6 f; u% {
[vxlan]
, P% ?) u" ^" \) penable_vxlan = true6 d: } Q4 e7 I
local_ip = OVERLAY_INTERFACE_IP_ADDRESS/ o7 F5 e! d9 p# W9 f1 v
l2_population = true
* _& s: J0 A2 ]2 E$ V$ t! x3 n. J
8 t: y+ N: u$ S1 z# CReplace OVERLAY_INTERFACE_IP_ADDRESS with the IP address of the underlying physical network interface that handles overlay networks. The example architecture uses the management interface to tunnel traffic to the other nodes. Therefore, replace OVERLAY_INTERFACE_IP_ADDRESS with the management IP address of the controller node. See Host networking for more information.
9 N* r$ A' U6 U* p5 J○ In the [securitygroup] section, enable security groups and configure the Linux bridge iptables firewall driver:2 t8 T$ \! q$ l
[securitygroup], }% f B% ?' J; Y# d+ f
o# n$ x' [ R% ^
...
7 R3 R% r# x% T1 m1 S" O. K! Uenable_security_group = true, u9 x; H% Z1 e7 Q
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
( y" p( w* p0 l, ?○ Ensure your Linux operating system kernel supports network bridge filters by verifying all the following sysctl values are set to 1:* F+ | s( P2 q$ `3 U; P. Z9 e
net.bridge.bridge-nf-call-iptables. I) ^4 c# ~9 J5 D
net.bridge.bridge-nf-call-ip6tables
( q0 ~$ F0 z$ a% v, C
7 e( M3 Z7 I9 `/ F8 c" b+ d% o4 P. ^To enable networking bridge support, typically the br_netfilter kernel module needs to be loaded. Check your operating system’s documentation for additional details on enabling this module.
/ o T2 T& a4 G. ~* {+ V5. Configure the layer-3 agent
* K( ]( _+ E: K9 P9 MThe Layer-3 (L3) agent provides routing and NAT services for self-service virtual networks.
6 v* J7 Y+ m9 H | r6 M! YEdit the /etc/neutron/l3_agent.ini file and complete the following actions:2 D& O' ~, t& d y$ q
○ In the [DEFAULT] section, configure the Linux bridge interface driver and external network bridge:
. _6 D5 W' k9 t$ F. s! ~1 d[DEFAULT]
0 w- {+ m& l& ]5 F9 k* A) B/ J+ e" A2 J/ \9 I
... G8 d' Z' C& [/ S8 m; h
interface_driver = linuxbridge- o9 v4 C+ Q! u: S4 c. T
6. Configure the DHCP agent- a% W- m, L/ V9 q! P6 n6 v1 I5 L* b
The DHCP agent provides DHCP services for virtual networks.+ p% w4 G" z! p* r
Edit the /etc/neutron/dhcp_agent.ini file and complete the following actions:* \7 Q% S1 N, B8 a1 X
○ In the [DEFAULT] section, configure the Linux bridge interface driver, Dnsmasq DHCP driver, and enable isolated metadata so instances on provider networks can access metadata over the network:8 b% x( k: T* A. A$ n( m
[DEFAULT]
0 \; m' z& q! y2 ?7 r$ i8 c3 u2 `" l4 P* L. ]& M5 k$ ~
...- \. |8 D. _$ Q) o4 D3 h5 \1 z9 f
interface_driver = linuxbridge
! n* s: K+ j4 l' V) ?9 kdhcp_driver = neutron.agent.linux.dhcp.Dnsmasq
7 |) w) `- z9 I& ~% i# ]# S& |4 eenable_isolated_metadata = true
- s# E% S8 S" L) [完成后返回网络配置
7 C$ j9 W7 ~9 h2 x. Y7 B6 M! n9 P/ H& X& J! I+ D# {$ P; W- q
5 m; d! j' t0 f9 |9 I9 Z! F: ^: I2 R
|
|
发表于 2019-10-8 08:02:12