CentOS 7  

 
Định cấu hình Dịch vụ mạng OpenStack (Neutron).
Ví dụ này không phải là cài đặt tất cả trên một máy (all-in-one) như ở đây mà là cấu hình môi trường gồm 3 nút như sơ đồ dưới đây. Neutron cần một plugin, có thể chọn trong số nhiều plugin hiện có. Ví dụ này chọn plugin ML2 (sử dụng Open vSwitch làm backend).
------------+---------------------------+---------------------------+------------
            |                           |                           |
        eth0|10.0.0.30              eth0|10.0.0.50              eth0|10.0.0.51
+-----------+-----------+   +-----------+-----------+   +-----------+-----------+
|  [ Nút điều khiển ]   |   |     [ Nút mạng ]      |   |   [ Nút tính toán ]   |
|                       |   |                       |   |                       |
|  MariaDB    RabbitMQ  |   |     Open vSwitch      |   |        Libvirt        |
|  Memcached  httpd     |   |       L2 Agent        |   |     Nova Compute      |
|  Keystone   Glance    |   |       L3 Agent        |   |     Open vSwitch      |
|  Nova API             |   |    Metadata Agent     |   |       L2 Agent        |
|  Neutron Server       |   |                       |   |                       |
|  Metadata Agent       |   |                       |   |                       |
+-----------------------+   +-----------------------+   +-----------------------+
[1] Cài đặt dịch vụ neutron trên Network Node.
# install from Pike, EPEL

[root@network ~]#
yum --enablerepo=centos-openstack-pike,epel -y install openstack-neutron openstack-neutron-ml2 openstack-neutron-openvswitch
[2] Định cấu hình làm nút Mạng.
[root@network ~]#
mv /etc/neutron/neutron.conf /etc/neutron/neutron.conf.org

[root@network ~]#
vi /etc/neutron/neutron.conf
# create new

[DEFAULT]
core_plugin = ml2
service_plugins = router
auth_strategy = keystone
state_path = /var/lib/neutron
allow_overlapping_ips = True
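# RabbitMQ connection info ("password" is a sample value: use the password of the RabbitMQ user "openstack" on the Control Node)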
transport_url = rabbit://openstack:password@10.0.0.30

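# Keystone auth info ("servicepassword" is a sample value; the endpoints below use plain http, so tokens and this password cross the network unencrypted -- use TLS endpoints outside an isolated lab network)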
[keystone_authtoken]
auth_uri = http://10.0.0.30:5000
auth_url = http://10.0.0.30:35357
memcached_servers = 10.0.0.30:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = neutron
password = servicepassword

[oslo_concurrency]
lock_path = $state_path/lock

[root@network ~]#
chmod 640 /etc/neutron/neutron.conf

[root@network ~]#
chgrp neutron /etc/neutron/neutron.conf

[root@network ~]#
vi /etc/neutron/l3_agent.ini
# line 17: add

interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
[root@network ~]#
vi /etc/neutron/dhcp_agent.ini
# line 17: add

interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
# line 32: uncomment

dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq
# line 41: uncomment and change

enable_isolated_metadata = True
[root@network ~]#
vi /etc/neutron/metadata_agent.ini
# line 23: uncomment and specify Nova API server

nova_metadata_host = 10.0.0.30
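# line 35: uncomment and specify a secret of your choice (use a long random value instead of this sample; the same value must be set as metadata_proxy_shared_secret on the Nova API host)

metadata_proxy_shared_secret = metadata_secret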
# line 247: uncomment and specify Memcache server

memcache_servers = 10.0.0.30:11211
[root@network ~]#
vi /etc/neutron/plugins/ml2/ml2_conf.ini
# line 114: add (it is OK to leave "tenant_network_types" empty; set it later if needed)

[ml2]
type_drivers = flat,vlan,gre,vxlan
tenant_network_types =
mechanism_drivers = openvswitch,l2population
extension_drivers = port_security
# line 247: uncomment and add

enable_security_group = True
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
# end line: uncomment

enable_ipset = True
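[3] Nếu SELinux được bật, hãy thay đổi chính sách như sau. Các boolean bên dưới nới lỏng chính sách cho toàn bộ máy (ví dụ haproxy_connect_any cho phép haproxy kết nối tới mọi cổng), nên chỉ bật chúng trên nút chạy các agent của Neutron.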
[root@network ~]#
setsebool -P neutron_can_network on

[root@network ~]#
setsebool -P haproxy_connect_any on

[root@network ~]#
setsebool -P daemons_enable_cluster_mode on

[root@network ~]#
vi neutron-net_pol.te
# create new

# Local SELinux policy module for the Network Node. It grants the neutron_t,
# openvswitch_t and haproxy_t domains only the accesses listed in the allow
# rules below; anything not listed stays denied by the base policy.
module neutron-net_pol 1.0;

# Types, object classes and permissions referenced by the allow rules.
# Everything named here must already exist in the loaded base policy,
# otherwise installing the module fails.
require {
        type sysfs_t;
        type http_port_t;
        type neutron_t;
        type neutron_tmp_t;
        type neutron_var_lib_t;
        type hostname_exec_t;
        type ovsdb_port_t;
        type openvswitch_t;
        type openflow_port_t;
        type haproxy_t;
        class file { execute execute_no_trans getattr open read create unlink write };
        class dir { add_name remove_name search write };
        class sock_file { create write unlink getattr setattr };
        class tcp_socket { name_bind name_connect };
        class filesystem getattr;
        class unix_stream_socket connectto;
}

#============= neutron_t ==============
# NOTE(review): this rule is a subset of the neutron_tmp_t:sock_file rule two
# lines below (which already includes "create"); it is redundant but harmless.
allow neutron_t neutron_tmp_t:sock_file create;
# Let neutron processes bind TCP sockets to ports labeled http_port_t.
allow neutron_t http_port_t:tcp_socket name_bind;
# Let neutron processes query attributes of the sysfs filesystem.
allow neutron_t sysfs_t:filesystem getattr;
# Let neutron processes create, write, stat, relabel-free setattr and remove
# socket files labeled neutron_tmp_t.
allow neutron_t neutron_tmp_t:sock_file { create write getattr unlink setattr };
# Let neutron processes bind TCP sockets to ports labeled openflow_port_t.
allow neutron_t openflow_port_t:tcp_socket name_bind;

#============= openvswitch_t ==============
# Read-only access to files labeled neutron_t
# (presumably /proc entries of neutron processes -- TODO confirm).
allow openvswitch_t neutron_t:file { getattr open read };
# Let Open vSwitch bind TCP sockets to ports labeled ovsdb_port_t.
allow openvswitch_t ovsdb_port_t:tcp_socket name_bind;
# Let Open vSwitch read and execute files labeled hostname_exec_t without a
# domain transition (execute_no_trans), i.e. the program runs as openvswitch_t.
allow openvswitch_t hostname_exec_t:file { execute execute_no_trans getattr open read };
# Directory lookup in directories labeled neutron_t (pairs with the file rule above).
allow openvswitch_t neutron_t:dir search;

#============= haproxy_t ==============
# Let haproxy connect to UNIX stream sockets owned by neutron_t processes.
allow haproxy_t neutron_t:unix_stream_socket connectto;
# Let haproxy add, remove and look up entries in directories labeled
# neutron_var_lib_t ...
allow haproxy_t neutron_var_lib_t:dir { add_name remove_name search write };
# ... and create, read, write and delete regular files with that label.
# NOTE(review): this gives haproxy write access to everything labeled
# neutron_var_lib_t, not only its own files -- confirm that scope is intended.
allow haproxy_t neutron_var_lib_t:file { create getattr open read unlink write };
# Let haproxy write to socket files labeled neutron_var_lib_t.
allow haproxy_t neutron_var_lib_t:sock_file write;
# Let haproxy query attributes of the sysfs filesystem.
allow haproxy_t sysfs_t:filesystem getattr;

[root@network ~]#
checkmodule -m -M -o neutron-net_pol.mod neutron-net_pol.te

checkmodule: loading policy configuration from neutron-net_pol.te
checkmodule: policy configuration loaded
checkmodule: writing binary representation (version 17) to neutron-net_pol.mod
[root@network ~]#
semodule_package --outfile neutron-net_pol.pp --module neutron-net_pol.mod

[root@network ~]#
semodule -i neutron-net_pol.pp

[4] Khởi động dịch vụ neutron.
[root@network ~]#
ln -s /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini

[root@network ~]#
systemctl start openvswitch

[root@network ~]#
systemctl enable openvswitch

[root@network ~]#
ovs-vsctl add-br br-int

[root@network ~]#
# Start every Neutron agent that runs on the Network Node and register it
# to start at boot. Each unit is named "neutron-<agent>".
for agent in dhcp-agent l3-agent metadata-agent openvswitch-agent; do
  unit="neutron-${agent}"
  systemctl start "${unit}"
  systemctl enable "${unit}"
done