Installing, Configuring, and Verifying Neutron

Neutron provides networking as a service for other service components, such as Nova. It also provides APIs to users. It supports equipment and technologies from different network vendors.

OpenStack supports several networking modes. This section uses provider networks as an example. Select either the Linux Bridge or the OVS deployment type.

Creating the Neutron Database

Perform the following operations on controller nodes.

  1. Connect to the MySQL database as user root.
    mysql -u root -p
    
  2. Create a database for Neutron.
    CREATE DATABASE neutron;
    
  3. Grant proper access to the database, and set the PASSWORD for accessing the database.
    GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'localhost' \
    IDENTIFIED BY '<PASSWORD>';
    GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'%' \
    IDENTIFIED BY '<PASSWORD>';
    

    Set PASSWORD to the password for accessing the Neutron database.

  4. Exit the database.
    exit
    

Creating Service Credentials

Perform the following operations on controller nodes.

  1. Log in to the OpenStack CLI as the admin user.
    source /etc/keystone/admin-openrc
    
  2. Create a neutron user.
    openstack user create --domain default --password-prompt neutron
    
  3. Add the admin role to the neutron user.
    openstack role add --project service --user neutron admin
    
  4. Create a neutron service entity.
    openstack service create --name neutron --description "OpenStack Networking" network
    
  5. Create API endpoints of the network servers.
    openstack endpoint create --region RegionOne network public http://controller:9696
    openstack endpoint create --region RegionOne network internal http://controller:9696
    openstack endpoint create --region RegionOne network admin http://controller:9696
    

Installing and Configuring Neutron (Provider-LinuxBridge-Controller Node)

Perform the following operations on Provider-LinuxBridge-controller nodes.

  1. Install components.
    yum -y install openstack-neutron openstack-neutron-ml2 openstack-neutron-linuxbridge ebtables
    
  2. Edit the /etc/neutron/neutron.conf file.
    1. Configure database access.
      [database]
      connection = mysql+pymysql://neutron:<PASSWORD>@controller/neutron
      
    2. Modify the content in the [DEFAULT] section.
      [DEFAULT]
      core_plugin = ml2
      service_plugins =
      transport_url = rabbit://openstack:<PASSWORD>@controller
      auth_strategy = keystone
      notify_nova_on_port_status_changes = true
      notify_nova_on_port_data_changes = true
      

      Leave service_plugins blank and set <PASSWORD> to the password of the openstack user in RabbitMQ.

    3. Configure Identity service access.
      [keystone_authtoken]
      www_authenticate_uri = http://controller:5000
      auth_url = http://controller:5000
      memcached_servers = controller:11211
      auth_type = password
      project_domain_name = default
      user_domain_name = default
      project_name = service
      username = neutron
      password = <PASSWORD>
      
    4. Configure parameters in the [nova] section.

      By default, the configuration file does not contain this section. You need to add it.

      [nova]
      auth_url = http://controller:5000
      auth_type = password
      project_domain_name = default
      user_domain_name = default
      region_name = RegionOne
      project_name = service
      username = nova
      password = <PASSWORD>
      
    5. Configure the lock path.
      [oslo_concurrency]
      lock_path = /var/lib/neutron/tmp
      
  3. Edit the ML2 plugin /etc/neutron/plugins/ml2/ml2_conf.ini.
    1. Enable the flat and VLAN networks.

      You need to add [ml2], [ml2_type_flat], and [securitygroup].

      [ml2]
      type_drivers = flat,vlan
      tenant_network_types =
      mechanism_drivers = linuxbridge
      extension_drivers = port_security
      

      Leave tenant_network_types unspecified.

    2. Set the flat network type to provider.
      [ml2_type_flat]
      flat_networks = provider
      
    3. Configure the VLAN network to use the provider physical network.
      [ml2_type_vlan]
      network_vlan_ranges = provider
      
    4. Enable ipset to improve security.
      [securitygroup]
      enable_ipset = true
      
  4. Configure the Linux bridge agent and edit the /etc/neutron/plugins/ml2/linuxbridge_agent.ini file.
    1. Map the provider virtual network to the physical network.
      [linux_bridge]
      physical_interface_mappings = provider:enp3s0
      

      In this example, the provider network uses the enp3s0 network port. Set the network port based on actual requirements. The physical network adapter is configured for the service network, not for the management network. For details, see Networking.

    2. Disable the VXLAN network.
      [vxlan]
      enable_vxlan = false
      
    3. Enable the security group, configure the iptables firewall driver for the Linux bridge, save the configuration, and exit.
      [securitygroup]
      enable_security_group = true
      firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
      
    4. Check that the Linux operating system kernel supports bridge filters.

      Add the following to the /etc/sysctl.conf file, save the file, and exit:

      net.bridge.bridge-nf-call-iptables = 1
      net.bridge.bridge-nf-call-ip6tables = 1
      

    5. Add the network bridge filter.
      modprobe br_netfilter
      sysctl -p
      sed -i '$amodprobe br_netfilter' /etc/rc.local
      
  5. Configure the DHCP agent.

    Add the following to the /etc/neutron/dhcp_agent.ini file, save the file, and exit:

    [DEFAULT]
    interface_driver = linuxbridge
    dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq
    enable_isolated_metadata = true
    
  6. Configure the metadata agent.
    vim /etc/neutron/metadata_agent.ini
    

    Configure the metadata host and shared key.

    [DEFAULT]
    nova_metadata_host = controller
    metadata_proxy_shared_secret = <PASSWORD>
    
  7. Configure the Compute service to use the Networking service.
    vim /etc/nova/nova.conf
    

    Set access parameters, enable the metadata agent, and set the password.

    [neutron]
    # ...
    url = http://controller:9696
    auth_url = http://controller:5000
    auth_type = password
    project_domain_name = default
    user_domain_name = default
    region_name = RegionOne
    project_name = service
    username = neutron
    password = <PASSWORD>
    service_metadata_proxy = true
    metadata_proxy_shared_secret = <PASSWORD>
    

    Before performing this operation, ensure that Nova has been installed.

  8. Perform network initialization.
    ln -s /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini
    
  9. Populate the databases.
    su -s /bin/sh -c "neutron-db-manage --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugins/ml2/ml2_conf.ini upgrade head" neutron
    
  10. Enable the network service and configure it to start as the system boots.
    systemctl enable openstack-neutron-server.service openstack-neutron-linuxbridge-agent.service openstack-neutron-dhcp-agent.service openstack-neutron-metadata-agent.service
    systemctl start openstack-neutron-server.service openstack-neutron-linuxbridge-agent.service openstack-neutron-dhcp-agent.service \
    openstack-neutron-metadata-agent.service
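
A static check of the files edited on the controller node, as an added example that is not part of the original guide: it flags any option that still holds the <PASSWORD> placeholder, a disabled security group, and a metadata_proxy_shared_secret that does not match between /etc/nova/nova.conf and /etc/neutron/metadata_agent.ini. The file contents in SAMPLE are constructed, and the function and constant names are chosen for the example.

```python
import configparser

META = "/etc/neutron/metadata_agent.ini"
NOVA = "/etc/nova/nova.conf"
AGENT = "/etc/neutron/plugins/ml2/linuxbridge_agent.ini"
SECRET = "metadata_proxy_shared_secret"

# Constructed file contents for the example (paths are the page's, values invented).
SAMPLE = {
    META: "[DEFAULT]\nnova_metadata_host = controller\n"
          "metadata_proxy_shared_secret = 4c1f0e9a7b52d6\n",
    NOVA: "[neutron]\nusername = neutron\npassword = <PASSWORD>\n"
          "service_metadata_proxy = true\n"
          "metadata_proxy_shared_secret = 9d3b77a1c0e2f4\n",
    AGENT: "[linux_bridge]\nphysical_interface_mappings = provider:enp3s0\n"
           "[securitygroup]\nenable_security_group = false\n",
}


def load(text):
    # default_section is renamed so [DEFAULT] is read as an ordinary section and
    # its keys are not copied into every other section; interpolation is off
    # because secrets may contain '%'; strict=False tolerates repeated options.
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   default_section="__unused__")
    cp.read_string(text)
    return cp


def audit(files):
    """Return sorted (path, section, finding) tuples; secret values are never echoed."""
    cfg = {path: load(text) for path, text in files.items()}
    findings = []
    for path, cp in cfg.items():
        for section in cp.sections():
            for key, value in cp.items(section):
                if "<PASSWORD>" in value:
                    findings.append((path, section,
                                     f"{key} still holds the <PASSWORD> placeholder"))
        # A missing option counts as enabled here (assumed default).
        if cp.has_section("securitygroup") and not cp.getboolean(
                "securitygroup", "enable_security_group", fallback=True):
            findings.append((path, "securitygroup", "enable_security_group is not true"))
    if META in cfg and NOVA in cfg:
        agent_secret = cfg[META].get("DEFAULT", SECRET, fallback=None)
        nova_secret = cfg[NOVA].get("neutron", SECRET, fallback=None)
        if not agent_secret or agent_secret != nova_secret:
            findings.append((NOVA, "neutron", f"{SECRET} is missing or differs from {META}"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=": ")
```

On a node, build the dictionary from the real files instead of SAMPLE, for example `{p: open(p).read() for p in (META, NOVA, AGENT)}`.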
    

Installing and Configuring Neutron (Provider-LinuxBridge-Compute Node)

Perform the following operations on Provider-LinuxBridge-compute nodes.

  1. Install components.
    yum -y install openstack-neutron-linuxbridge ebtables ipset
    
  2. Edit the /etc/neutron/neutron.conf file to configure public components.
    1. In the [database] section, comment out all connection options (commented by default), because the compute node does not directly access the database.
    2. Configure RabbitMQ message queue access.
      [DEFAULT]
      transport_url = rabbit://openstack:<PASSWORD>@controller
      
    3. Configure Identity service access.
      [DEFAULT]
      auth_strategy = keystone
      [keystone_authtoken]
      www_authenticate_uri = http://controller:5000
      auth_url = http://controller:5000
      memcached_servers = controller:11211
      auth_type = password
      project_domain_name = default
      user_domain_name = default
      project_name = service
      username = neutron
      password = <PASSWORD>
      
    4. Configure the lock path.
      [oslo_concurrency]
      lock_path = /var/lib/neutron/tmp
      
  3. Add the following to the /etc/neutron/plugins/ml2/linuxbridge_agent.ini file to configure the Linux bridge agent:
    1. Map the provider virtual network to the provider physical network port.
      [linux_bridge]
      physical_interface_mappings = provider:enp3s0
      

      In this example, the provider network uses the enp3s0 network port. Set the network port based on actual requirements. The physical network adapter is configured for the service network, not for the management network. For details, see Networking.

    2. Disable the VXLAN network.
      [vxlan]
      enable_vxlan = false
      
    3. Enable the security group and configure the iptables firewall driver for the Linux bridge.
      [securitygroup]
      enable_security_group = true
      firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
      
  4. Check that the Linux operating system kernel supports bridge filters.

    Add the following to the /etc/sysctl.conf file:

    net.bridge.bridge-nf-call-iptables = 1
    net.bridge.bridge-nf-call-ip6tables = 1
    

  5. Add the network bridge filter.
    modprobe br_netfilter
    sysctl -p
    sed -i '$amodprobe br_netfilter' /etc/rc.local
    
  6. Enable the Linux bridge agent and configure it to start as the system boots.
    systemctl enable openstack-neutron-linuxbridge-agent.service
    systemctl start openstack-neutron-linuxbridge-agent.service
    

Installing and Configuring Neutron (Provider-OVS-Controller Node)

Perform the following operations on Provider-OVS-controller nodes.

  1. Install components.
    yum -y install openstack-neutron openstack-neutron-ml2 openstack-neutron-openvswitch-agent openstack-neutron-dhcp-agent openstack-neutron-metadata-agent ebtables
    
  2. Modify the /etc/sysctl.conf file.
    1. Add the following content to the file:
      net.ipv4.ip_forward=1
      net.ipv4.conf.all.rp_filter=0
      net.ipv4.conf.default.rp_filter=0
      
    2. Make the configuration take effect.
      sysctl -p
      
  3. Edit the /etc/neutron/neutron.conf file.
    1. Configure database access.
      [database]
      connection = mysql+pymysql://neutron:<PASSWORD>@controller/neutron
      
    2. Enable the ML2 plugin and disable other plugins.
      [DEFAULT]
      core_plugin = ml2
      service_plugins =
      transport_url = rabbit://openstack:<PASSWORD>@controller
      auth_strategy = keystone
      notify_nova_on_port_status_changes = true
      notify_nova_on_port_data_changes = true
      
    3. Configure Identity service access.
      [keystone_authtoken]
      www_authenticate_uri = http://controller:5000
      auth_url = http://controller:5000
      memcached_servers = controller:11211
      auth_type = password
      project_domain_name = default
      user_domain_name = default
      project_name = service
      username = neutron
      password = <PASSWORD>
      
    4. Configure Nova parameters.

      You need to add [nova].

      [nova]
      auth_url = http://controller:5000
      auth_type = password
      project_domain_name = default
      user_domain_name = default
      region_name = RegionOne
      project_name = service
      username = nova
      password = <PASSWORD>
      
    5. Configure the lock path.
      [oslo_concurrency]
      lock_path = /var/lib/neutron/tmp
      
  4. Edit the ML2 plugin /etc/neutron/plugins/ml2/ml2_conf.ini.
    1. Enable the flat and VLAN networks.

      You need to add [ml2], [ml2_type_flat], [ml2_type_vlan], and [securitygroup].

      [ml2]
      type_drivers = flat,vlan
      tenant_network_types =
      mechanism_drivers = openvswitch
      extension_drivers = port_security
      [ml2_type_flat]
      flat_networks = provider
      [ml2_type_vlan]
      network_vlan_ranges = provider
      [securitygroup]
      enable_ipset = true
      
  5. Configure the DHCP agent.

    Edit the /etc/neutron/dhcp_agent.ini file.

    [DEFAULT]
    dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq
    enable_isolated_metadata = true
    interface_driver = openvswitch
    force_metadata = true
    
  6. Configure the metadata agent.

    Edit the /etc/neutron/metadata_agent.ini file.

    Configure the metadata host and shared key.

    [DEFAULT]
    nova_metadata_host = controller
    metadata_proxy_shared_secret = <PASSWORD>
    

    PASSWORD is the password for accessing the Neutron database.

  7. Perform network initialization.
    ln -s /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini
    
  8. Populate the databases.
    su -s /bin/sh -c "neutron-db-manage --config-file /etc/neutron/neutron.conf \
    --config-file /etc/neutron/plugins/ml2/ml2_conf.ini upgrade head" neutron
    
  9. Enable the network service and configure it to start as the system boots.
    systemctl enable openstack-neutron-server.service \
    openstack-neutron-openvswitch-agent.service openstack-neutron-dhcp-agent.service \
    openstack-neutron-metadata-agent.service
    systemctl start openstack-neutron-server.service \
    openstack-neutron-openvswitch-agent.service openstack-neutron-dhcp-agent.service \
    openstack-neutron-metadata-agent.service
    

Installing and Configuring Neutron (Provider-OVS-Compute Node)

Perform the following operations on Provider-OVS-compute nodes.

  1. Install components.
    yum -y install openstack-neutron openstack-neutron-ml2 openstack-neutron-openvswitch-agent openstack-neutron-dhcp-agent openstack-neutron-metadata-agent ebtables ipset
    
  2. Modify the /etc/sysctl.conf file.
    1. Add the following content to the file:
      net.ipv4.ip_forward=1
      net.ipv4.conf.all.rp_filter=0
      net.ipv4.conf.default.rp_filter=0
      
    2. Make the configuration take effect.
      sysctl -p
      
  3. Edit the /etc/neutron/neutron.conf file to configure public components.
    1. Configure RabbitMQ message queue access.
      [DEFAULT]
      transport_url = rabbit://openstack:<PASSWORD>@controller
      

      PASSWORD indicates the password set by the RabbitMQ service for the openstack user.

    2. Configure Identity service access.
      [DEFAULT]
      auth_strategy = keystone
      [keystone_authtoken]
      www_authenticate_uri = http://controller:5000
      auth_url = http://controller:5000
      memcached_servers = controller:11211
      auth_type = password
      project_domain_name = default
      user_domain_name = default
      project_name = service
      username = neutron
      password = <PASSWORD>
      

      PASSWORD is the password for accessing the Neutron database.

    3. Configure the lock path.
      [oslo_concurrency]
      lock_path = /var/lib/neutron/tmp
      
  4. In the /etc/neutron/plugins/ml2/openvswitch_agent.ini file, add [linux_openvswitch], [vxlan], [ovs], and [securitygroup] to configure the OpenStack agent.
    [linux_openvswitch]
    physical_interface_mappings = provider:enp3s0
    [vxlan]
    enable_vxlan = false
    [ovs]
    bridge_mappings = provider:br-provider
    [securitygroup]
    enable_security_group=true
    firewall_driver = iptables_hybrid
    
  5. Edit the /etc/neutron/dhcp_agent.ini file to configure the DHCP agent.
    [DEFAULT]
    interface_driver = openvswitch
    enable_isolated_metadata = true
    force_metadata = true
    
  6. In the /etc/neutron/metadata_agent.ini file, configure the metadata agent.
    [DEFAULT]
    nova_metadata_host = controller
    metadata_proxy_shared_secret = <PASSWORD>
    

    PASSWORD is the password for accessing the Neutron database.

  7. Enable the OVS agent and configure it to start as the system boots.
    systemctl enable openstack-neutron-openvswitch-agent.service openstack-neutron-dhcp-agent.service \
    openstack-neutron-metadata-agent.service
    systemctl start openstack-neutron-openvswitch-agent.service openstack-neutron-dhcp-agent.service \
    openstack-neutron-metadata-agent.service
    
  8. Create an OVS provider.
    ovs-vsctl add-br br-provider
    ovs-vsctl add-port br-provider enp3s0
    

    If openvswitch-agent cannot obtain root permission, the openvswitch service fails to start. In this case, upgrade the sudo software package.

    yum update sudo

Verifying Neutron

Perform the following operation on controller nodes.

  1. List the Neutron agents that are successfully started.
    openstack network agent list
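
A check over the agent list from the step above, as an added example that is not part of the original guide: it reports agents that are listed but not alive, agent types the chosen deployment type should have registered, and hosts that lack the layer-2 agent. It assumes the command is run with `-f json`; the host name compute1, the sample values and the function names are constructed for the example.

```python
import json

# Agent types each deployment type on this page should register;
# the first entry is the layer-2 agent that every node runs.
REQUIRED = {
    "linuxbridge": ("Linux bridge agent", "DHCP agent", "Metadata agent"),
    "ovs": ("Open vSwitch agent", "DHCP agent", "Metadata agent"),
}

# Constructed output of `openstack network agent list -f json`.
SAMPLE_AGENTS = json.dumps([
    {"Agent Type": "Linux bridge agent", "Host": "controller", "Alive": True, "State": True},
    {"Agent Type": "DHCP agent", "Host": "controller", "Alive": True, "State": True},
    {"Agent Type": "Metadata agent", "Host": "controller", "Alive": False, "State": True},
])


def is_up(value):
    # Assumption: JSON output carries booleans; the strings shown in the
    # table view are accepted too in case a client passes them through.
    return value is True or value in (":-)", "UP")


def check_agents(agent_json, mode, l2_hosts):
    """Return a list of problems; an empty list means every expected agent is up."""
    agents = json.loads(agent_json)
    listed = {(a["Agent Type"], a["Host"]) for a in agents}
    problems = []
    for a in agents:
        where = f"{a['Agent Type']} on {a['Host']}"
        if not is_up(a.get("Alive")):
            problems.append(f"{where}: not alive")
        elif not is_up(a.get("State")):
            problems.append(f"{where}: administratively down")
    for agent_type in REQUIRED[mode]:
        if not any(t == agent_type for t, _ in listed):
            problems.append(f"{agent_type}: not registered on any host")
    l2_type = REQUIRED[mode][0]
    for host in sorted(l2_hosts):
        if (l2_type, host) not in listed:
            problems.append(f"{l2_type} on {host}: not registered")
    return problems


if __name__ == "__main__":
    for line in check_agents(SAMPLE_AGENTS, "linuxbridge", {"controller", "compute1"}):
        print(line)
```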
    

Table 1 Common Neutron commands

  Command:
    openstack network create --share --external \
    --provider-physical-network provider \
    --provider-network-type flat enp3s0
  Description: Creates a shared virtual network.

  Command:
    openstack subnet create --network provider \
    --allocation-pool start=172.168.204.50,end=172.168.204.100 \
    --dns-nameserver 8.8.8.8 --gateway 172.168.204.1 \
    --subnet-range 172.168.204.0/24 subnet1
  Description: Creates a subnet.
  NOTE: In this command, the network name is subnet1, the DHCP range is 172.168.204.50 to 172.168.204.100, the DNS IP address is 8.8.8.8, the gateway IP address is 172.168.204.1, and the network is 172.168.204.0/24.

  Command:
    openstack network list
  Description: Checks the current network type.

  Command:
    openstack subnet list
  Description: Checks the subnet.

  Command:
    openstack port list
  Description: Checks the network ports.