OpenStack Series, Part 3: Deploying an OpenStack (Train) Cluster on CentOS 7, III: Nova and Neutron Service Deployment
Table of contents
- Preface
- 1. Nova: compute service
- Deployment steps (Controller node)
- Deployment steps (Compute node)
- Verification (Controller node)
- 2. Neutron: networking service
- Deployment steps (Controller node)
- More on **promiscuous mode (promisc)**:
- Deployment steps (Compute node)
- Verification (Controller node)
- Closing remarks
Preface
With the base environment in place from the previous parts, this article covers the deployment of two core OpenStack services:
1. Nova: compute service
2. Neutron: networking service
For each service the article explains what it does, how it works, the deployment procedure, and the key configuration options.
1. Nova: compute service
What is Nova?
Nova is the OpenStack compute service. It manages the life cycle of virtual machine instances (create, start, stop, delete) and schedules them onto the available compute resources. It supports several hypervisors, including KVM, Xen and VMware.
How it works:
Nova's core components are:
- nova-api: handles external API requests.
- nova-scheduler: picks a suitable compute node for each new instance.
- nova-conductor: proxies database access so that nova-compute never talks to the database directly (a compromised compute node therefore holds no database credentials).
- nova-compute: manages the instance life cycle on the compute node through the hypervisor.
- nova-novncproxy: provides browser-based VNC console access to instances.
The components communicate through the message queue (RabbitMQ) and share state through the database.
A simple analogy:
Think of creating a VM as placing a factory order, with Nova as the "plant manager":
- Nova's role: it "produces" virtual machines.
- What it does: when you tell OpenStack "create an Ubuntu VM", Nova schedules the resources on a compute node (CPU, memory, disk) and actually brings the instance up.
Deployment steps (Controller node)
- Install the Nova packages:
yum install -y openstack-nova-api openstack-nova-conductor openstack-nova-scheduler openstack-nova-novncproxy
- Check that the packages created the nova service account and group:
grep nova /etc/passwd /etc/group
- Create the databases:
mysql -uroot -plian
> create database nova_api;
> create database nova_cell0;
> create database nova;
> grant all privileges on nova_api.* to 'nova'@'localhost' identified by 'lian';
> grant all privileges on nova_api.* to 'nova'@'%' identified by 'lian';
> grant all privileges on nova_cell0.* to 'nova'@'localhost' identified by 'lian';
> grant all privileges on nova_cell0.* to 'nova'@'%' identified by 'lian';
> grant all privileges on nova.* to 'nova'@'localhost' identified by 'lian';
> grant all privileges on nova.* to 'nova'@'%' identified by 'lian';
> quit
The 'nova'@'%' grants let the nova account connect from any host. Outside a lab, restrict them to the controller (the only node that needs the database, since nova-compute goes through nova-conductor), and do not reuse one password ("lian") for every service and database user.
- Edit the configuration file:
Back up and edit nova.conf:
cp /etc/nova/nova.conf /etc/nova/nova.conf.bak
vim /etc/nova/nova.conf
The key settings are:
[DEFAULT]
enabled_apis = osapi_compute,metadata
transport_url = rabbit://rabbitmq:lian@controller:5672
my_ip = 192.168.61.10
use_neutron = true
firewall_driver = nova.virt.firewall.NoopFirewallDriver
[api]
auth_strategy = keystone
[api_database]
connection = mysql+pymysql://nova:lian@controller/nova_api
[cinder]
os_region_name = RegionOne
[database]
connection = mysql+pymysql://nova:lian@controller/nova
[devices]
[ephemeral_storage_encryption]
[filter_scheduler]
[glance]
api_servers = http://controller:9292
[guestfs]
[healthcheck]
[hyperv]
[ironic]
[key_manager]
[keystone]
[keystone_authtoken]
auth_url = http://controller:5000
memcached_servers = controller:11211
auth_type = password
project_domain_name = Default
user_domain_name = Default
project_name = project
username = nova
password = lian
[libvirt]
[metrics]
[mks]
[neutron]
auth_url = http://controller:5000
auth_type = password
project_domain_name = default
user_domain_name = default
region_name = RegionOne
project_name = project
username = neutron
password = lian
service_metadata_proxy = true
metadata_proxy_shared_secret = METADATA_SECRET
[notifications]
[osapi_v21]
[oslo_concurrency]
lock_path = /var/lib/nova/tmp
[oslo_messaging_amqp]
[oslo_messaging_kafka]
[oslo_messaging_notifications]
[oslo_messaging_rabbit]
[oslo_middleware]
[oslo_policy]
[pci]
[placement]
auth_url = http://controller:5000
auth_type = password
project_domain_name = Default
user_domain_name = Default
project_name = project
username = placement
password = lian
region_name = RegionOne
[scheduler]
discover_hosts_in_cells_interval = 60
[vnc]
enabled = true
server_listen = $my_ip
server_proxyclient_address = $my_ip
Note: I have also included the nova.conf settings that later services (such as Neutron) require, so this file does not need to be edited again.
Two settings to change before this file leaves the lab: metadata_proxy_shared_secret = METADATA_SECRET is the placeholder from the install guide. Replace it with a long random value and use the identical value in /etc/neutron/metadata_agent.ini, because anyone who knows this secret and can reach the metadata API on port 8775 can sign a request for any instance's metadata and user-data. The file also contains the Keystone, Neutron and Placement service passwords in clear text, so it must stay readable only by root and the nova group (owner root:nova, mode 0640; check with ls -l /etc/nova/nova.conf).
- Initialize the Nova databases (the API database, cell0, and the cell1 database):
su nova -s /bin/sh -c "nova-manage api_db sync"
su nova -s /bin/sh -c "nova-manage cell_v2 map_cell0"
su nova -s /bin/sh -c "nova-manage cell_v2 create_cell --name=cell1"
su nova -s /bin/sh -c "nova-manage db sync"
Afterwards, nova-manage cell_v2 list_cells should list both cell0 and cell1.
- Create the service user, the service, and the API endpoints:
openstack user create --domain default --password lian nova
openstack role add --project project --user nova admin
openstack service create --name nova compute
openstack endpoint create --region RegionOne nova public http://controller:8774/v2.1
openstack endpoint create --region RegionOne nova internal http://controller:8774/v2.1
openstack endpoint create --region RegionOne nova admin http://controller:8774/v2.1
- Enable and start the services:
systemctl enable openstack-nova-api openstack-nova-scheduler openstack-nova-conductor openstack-nova-novncproxy
systemctl start openstack-nova-api openstack-nova-scheduler openstack-nova-conductor openstack-nova-novncproxy
- Verify that the services are running:
netstat -nutpl | grep 877    # nova-api on 8774, the metadata API on 8775
openstack compute service list # the output should look like this
+----+----------------+------------+----------+---------+-------+----------------------------+
| ID | Binary | Host | Zone | Status | State | Updated At |
+----+----------------+------------+----------+---------+-------+----------------------------+
| 1 | nova-conductor | controller | internal | enabled | up | 2024-12-27T07:17:39.000000 |
| 2 | nova-scheduler | controller | internal | enabled | up | 2024-12-27T07:17:40.000000 |
+----+----------------+------------+----------+---------+-------+----------------------------+
Deployment steps (Compute node)
- Install the Nova package:
yum install -y openstack-nova-compute
If you hit one of the following dependency errors:
Error: Package: python2-qpid-proton-0.26.0-2.el7.x86_64 (openstack-train)
Requires: qpid-proton-c(x86-64) = 0.26.0-2.el7
# or
Error: Package: 1:openstack-nova-compute-20.6.0-1.el7.noarch (openstack-train)
Requires: qemu-kvm-rhev >= 2.10.0
Workaround:
yum -y install python2-qpid-proton-0.26.0-2.el7.x86_64
# or
yum -y install openstack-nova-compute-20.6.0-1.el7.noarch
# then run again
yum install -y openstack-nova-compute
If yum reports that a package cannot be found, add the CentOS Virtualization SIG repository that carries the qemu-kvm-ev packages:
vim /etc/yum.repos.d/CentOS-Base.repo
# append
[Virt]
name=CentOS-$releasever - Base
baseurl=http://mirrors.aliyun.com/centos/7/virt/x86_64/kvm-common/
gpgcheck=0
gpgkey=http://mirrors.aliyun.com/centos/RPM-GPG-KEY-CentOS-7
# then
yum clean all && yum makecache
yum install -y openstack-nova-compute
A caveat on gpgcheck=0: it switches signature verification off for this repository, so the gpgkey line is never used and yum installs whatever the mirror serves, unsigned, onto the hypervisor host. The Virtualization SIG packages are signed with the SIG's own key rather than the base CentOS 7 key, so the cleaner fix is yum install centos-release-qemu-ev, which sets up the same kvm-common repository together with its signing key and gpgcheck=1.
- Check that the nova service account and group exist:
grep nova /etc/passwd /etc/group
- Edit the configuration file:
cp /etc/nova/nova.conf /etc/nova/nova.conf.bak
vim /etc/nova/nova.conf
The key settings are:
[DEFAULT]
enabled_apis = osapi_compute,metadata
transport_url = rabbit://rabbitmq:lian@controller:5672
my_ip = 192.168.61.20
use_neutron = true
firewall_driver = nova.virt.firewall.NoopFirewallDriver
vif_plugging_is_fatal = false
vif_plugging_timeout = 0
[api]
auth_strategy = keystone
[database]
[devices]
[ephemeral_storage_encryption]
[filter_scheduler]
[glance]
api_servers = http://controller:9292
[guestfs]
[healthcheck]
[hyperv]
[ironic]
[key_manager]
[keystone]
[keystone_authtoken]
auth_url = http://controller:5000
memcached_servers = controller:11211
auth_type = password
project_domain_name = Default
user_domain_name = Default
project_name = project
username = nova
password = lian
[libvirt]
virt_type = qemu
[metrics]
[mks]
[neutron]
auth_url = http://controller:5000
auth_type = password
project_domain_name = default
user_domain_name = default
region_name = RegionOne
project_name = project
username = neutron
password = lian
[placement]
auth_url = http://controller:5000
auth_type = password
project_domain_name = Default
user_domain_name = Default
project_name = project
username = placement
password = lian
region_name = RegionOne
[vnc]
enabled = true
server_listen = 0.0.0.0
server_proxyclient_address = $my_ip
novncproxy_base_url = http://192.168.61.10:6080/vnc_auto.html
Note: as on the controller, I have included the nova.conf settings that later services require.
A few of these values deserve a second look:
- virt_type = qemu selects software emulation. If the node supports hardware virtualization (egrep -c '(vmx|svm)' /proc/cpuinfo returns a number greater than 0), use virt_type = kvm; qemu is only needed when the compute node is itself a VM without nested virtualization.
- server_listen = 0.0.0.0 makes libvirt's VNC servers (ports 5900 and up) listen on every interface of the compute node, and they carry no authentication of their own. Either bind them to the management address ($my_ip) or firewall those ports so that only the controller (nova-novncproxy) can reach them.
- vif_plugging_is_fatal = false together with vif_plugging_timeout = 0 tells nova-compute not to wait for Neutron to confirm that the port was wired. It avoids boot timeouts in a lab, but an instance whose port binding failed then comes up with no network and no error.
- Enable and start the services:
systemctl enable libvirtd.service openstack-nova-compute.service
systemctl start libvirtd.service openstack-nova-compute.service
Verification (Controller node)
openstack compute service list
# this output means everything is working
+----+----------------+------------+----------+---------+-------+----------------------------+
| ID | Binary | Host | Zone | Status | State | Updated At |
+----+----------------+------------+----------+---------+-------+----------------------------+
| 1 | nova-conductor | controller | internal | enabled | up | 2024-12-27T08:15:51.000000 |
| 2 | nova-scheduler | controller | internal | enabled | up | 2024-12-27T08:15:51.000000 |
| 9 | nova-compute | compute | nova | enabled | up | 2024-12-27T08:15:57.000000 |
+----+----------------+------------+----------+---------+-------+----------------------------+
openstack catalog list # show the endpoints registered for each service
nova-status upgrade check # built-in checker; every check should report Success
2. Neutron: networking service
What is Neutron?
Neutron is the OpenStack networking service. It provides network connectivity, IP address assignment and security groups for instances, and supports several network types, including flat, VLAN and VXLAN.
Put simply, Neutron is the cloud's "network administrator": it connects the instances, hands out IP addresses, makes sure each instance can reach other instances or the outside world, and enforces "firewall rules" (security groups) in front of each port.
How it works:
- Connectivity: Neutron creates and manages the virtual networks that carry traffic between instances and, through an external network, to the Internet.
- IP address assignment: Neutron runs DHCP (dnsmasq) on each network so that every instance receives its own address.
- Security groups: per-port firewall rules, implemented on the compute node with iptables in this deployment, that admit only the traffic you allow and block everything else.
A simple analogy:
Suppose you run a restaurant; Neutron is the network administrator you hired.
- Connectivity: Neutron wires every table (instance) so that each one can place orders (reach the others).
- IP address assignment: like a waiter handing out table numbers, Neutron gives every instance a unique "table number" (IP address) so that service stays orderly.
- Security groups: like the access rules for a private dining room, only the guests on the list get in, which keeps the "room" private.
Deployment steps (Controller node)
- Enable promiscuous mode on the NIC:
ifconfig ens33 promisc
Appending that same line to /etc/profile, as is often suggested, does not make the setting persistent: /etc/profile is only sourced by interactive login shells, so the mode is not restored after a reboot until someone logs in, and for non-root logins the command simply fails. Put it in /etc/rc.d/rc.local instead (on CentOS 7 the file must be made executable with chmod +x /etc/rc.d/rc.local), or use the equivalent ip link set ens33 promisc on in a NetworkManager dispatcher script.
Check:
ip a # the flags shown for ens33 should include PROMISC
More on promiscuous mode (promisc):
In promiscuous mode a NIC accepts every frame that reaches it, not only the frames addressed to it. In normal mode the NIC keeps frames whose destination MAC is its own address, a broadcast, or a multicast group it has joined, and silently discards the rest.
In this Neutron deployment ens33 is enslaved to a Linux bridge that also carries the instances' tap ports. Every instance has its own MAC address, so a frame for an instance arriving from the physical network is addressed to a MAC that is not ens33's own; the NIC must be promiscuous for such frames to reach the bridge at all. (The kernel switches promiscuous mode on by itself when an interface is added to a bridge, so the manual step mainly matters before the bridge exists; it does no harm.)
An everyday analogy:
Normally a doorman only takes the parcels addressed to his own building (frames for the NIC's own MAC). If he is asked to sort every parcel for the whole estate, he has to switch to "promiscuous mode": he accepts each parcel regardless of the addressee and passes it on. What this means in OpenStack:
- Instance traffic: all instance traffic enters and leaves through the host's NIC. Frames for the instances' MAC addresses have to be accepted by the NIC before the bridge can forward them to the right tap port.
- Bridging: the Linux bridge (or Open vSwitch) reaches the physical network through that NIC, and promiscuous mode ensures it sees every frame the bridge needs.
- Provider network only: service_plugins is left empty below and no L3 agent is deployed, so there are no Neutron routers or floating IPs in this setup; instances sit directly on the provider network and take their addresses from its subnet.
Without promiscuous mode the NIC would drop every frame that is not for its own MAC, so instances could not be reached from outside and, across hosts, could not reach each other. One more caveat for nested labs: if the controller and compute nodes are themselves virtual machines, the outer hypervisor's virtual switch must also allow promiscuous mode on that port group; enabling it inside the guest is not enough on its own.
- Configure the bridge netfilter sysctls (so that the iptables rules behind security groups see bridged traffic):
Append the following to /etc/sysctl.conf:
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
Load the module and apply the settings:
modprobe br_netfilter
sysctl -p
The br_netfilter module must be loaded before sysctl -p runs, otherwise the two keys are reported as unknown. To have it loaded at boot, add a line containing br_netfilter to /etc/modules-load.d/br_netfilter.conf.
- Install the required packages (ebtables is needed by the Linux bridge agent's anti-spoofing rules):
yum -y install openstack-neutron openstack-neutron-ml2 openstack-neutron-linuxbridge ebtables
- Create the database:
mysql -uroot -plian
> create database neutron;
> grant all privileges on neutron.* to 'neutron'@'localhost' identified by 'lian';
> grant all privileges on neutron.* to 'neutron'@'%' identified by 'lian';
> quit
- Configure the Neutron server
Back up and edit /etc/neutron/neutron.conf:
cp /etc/neutron/neutron.conf /etc/neutron/neutron.conf.bak
vim /etc/neutron/neutron.conf
The key settings are:
[DEFAULT]
# controller_ip is not a Neutron option; oslo.config ignores unknown keys, so this line can be dropped
controller_ip = 192.168.61.10
core_plugin = ml2
service_plugins =
transport_url = rabbit://rabbitmq:lian@controller
auth_strategy = keystone
notify_nova_on_port_status_changes = true
notify_nova_on_port_data_changes = true
[cors]
[database]
connection = mysql+pymysql://neutron:lian@192.168.61.10/neutron
[keystone_authtoken]
auth_url = http://controller:5000
memcached_servers = controller:11211
auth_type = password
project_domain_name = Default
user_domain_name = Default
project_name = project
username = neutron
password = lian
[oslo_concurrency]
lock_path = /var/lib/neutron/tmp
[nova]
auth_url = http://controller:5000
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = project
username = nova
password = lian
region_name = RegionOne
# server_proxyclient_address is a nova.conf [vnc] option, not a neutron.conf [nova] option; Neutron ignores it here
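The page symlinks /etc/neutron/plugins/ml2/ml2_conf.ini to /etc/neutron/plugin.ini and passes it to neutron-db-manage, but never shows what goes into it. The following is an added example, not code from the article or from the Neutron project: a small POSIX shell script that writes the ML2 settings for exactly this layout (flat provider network on ens33, Linux bridge agent, VXLAN off), following the OpenStack Train install guide's provider-network option, and then checks the three settings that decide whether ports get bound and whether per-port anti-spoofing rules are installed. The target path is a parameter; the demo writes to a temporary file rather than to /etc/neutron.

```shell
#!/bin/sh
# Added example, not code from the original article: write the ML2 plugin
# configuration for the flat provider-network layout used on this page
# (Linux bridge agent, enable_vxlan = false, provider:ens33) and verify the
# settings that matter for binding and tenant isolation. Values follow the
# Train install guide's "provider networks" option.

# write_ml2_conf FILE: write the complete ml2_conf.ini to FILE
write_ml2_conf() {
  cat > "$1" <<'EOF'
[ml2]
# flat for the provider network; vlan left available for later segments
type_drivers = flat,vlan
# empty: tenants cannot create their own (overlay) networks
tenant_network_types =
mechanism_drivers = linuxbridge
# port_security makes the agent install per-port MAC/IP anti-spoofing rules
extension_drivers = port_security

[ml2_type_flat]
# must match the label used in physical_interface_mappings (provider:ens33)
flat_networks = provider

[securitygroup]
# ipset keeps the generated iptables rule set small
enable_ipset = true
EOF
}

# has_setting FILE KEY VALUE: true when an uncommented "KEY = ..." line contains VALUE
# (section-agnostic, which is fine here because these ML2 keys are unique)
has_setting() {
  grep -Eq "^[[:space:]]*$2[[:space:]]*=.*$3" "$1"
}

# check_ml2_conf FILE: report each missing item on stdout, return 1 if any is missing
check_ml2_conf() {
  rc=0
  has_setting "$1" mechanism_drivers linuxbridge ||
    { echo "mechanism_drivers does not include linuxbridge: the agent will not bind ports"; rc=1; }
  has_setting "$1" extension_drivers port_security ||
    { echo "extension_drivers lacks port_security: MAC/IP anti-spoofing is off"; rc=1; }
  has_setting "$1" flat_networks provider ||
    { echo "flat_networks does not list provider: the mapping provider:ens33 is unusable"; rc=1; }
  return $rc
}

# Stand-alone demo on a scratch file (a real run targets
# /etc/neutron/plugins/ml2/ml2_conf.ini on the controller).
demo_file=$(mktemp)
write_ml2_conf "$demo_file"
check_ml2_conf "$demo_file" && echo "ml2_conf.ini: all checks passed"
rm -f "$demo_file"
```

On the controller, run write_ml2_conf /etc/neutron/plugins/ml2/ml2_conf.ini before neutron-db-manage and before starting neutron-server; the check can be rerun at any time. Dropping port_security from extension_drivers is the usual way to silently lose the per-port anti-spoofing rules, which is why the check treats it as a failure rather than a warning.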
Back up and edit /etc/neutron/plugins/ml2/linuxbridge_agent.ini:
cp /etc/neutron/plugins/ml2/linuxbridge_agent.ini /etc/neutron/plugins/ml2/linuxbridge_agent.ini.bak
vim /etc/neutron/plugins/ml2/linuxbridge_agent.ini
The key settings are:
[DEFAULT]
[linux_bridge]
physical_interface_mappings = provider:ens33
[vxlan]
enable_vxlan = false
[securitygroup]
enable_security_group = true
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
Back up and edit /etc/neutron/dhcp_agent.ini:
cp /etc/neutron/dhcp_agent.ini /etc/neutron/dhcp_agent.ini.bak
vim /etc/neutron/dhcp_agent.ini
The key settings are:
[DEFAULT]
interface_driver = linuxbridge
dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq
enable_isolated_metadata = true
Back up and edit /etc/neutron/metadata_agent.ini:
cp /etc/neutron/metadata_agent.ini /etc/neutron/metadata_agent.ini.bak
vim /etc/neutron/metadata_agent.ini
Set:
[DEFAULT]
nova_metadata_host = controller
metadata_proxy_shared_secret = METADATA_SECRET
The shared secret must be identical to metadata_proxy_shared_secret in the [neutron] section of the controller's nova.conf, and METADATA_SECRET itself is only the install guide's placeholder: generate a random value (for example with openssl rand -hex 32) and put it in both files. The agent uses this secret to sign the instance ID it forwards, and nova-api trusts that signature when deciding whose metadata and user-data to return.
Create the plugin symlink that neutron-server expects:
ln -s /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini
- Initialize the Neutron database:
su neutron -s /bin/sh -c "neutron-db-manage --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugins/ml2/ml2_conf.ini upgrade head"
Then log in to MariaDB and confirm that the neutron database now contains tables.
- Create the service user, the service, and the API endpoints (the user must exist before a role can be assigned to it):
openstack user create --domain default --password lian neutron
openstack role add --project project --user neutron admin
openstack service create --name neutron network
openstack endpoint create --region RegionOne neutron public http://controller:9696
openstack endpoint create --region RegionOne neutron internal http://controller:9696
openstack endpoint create --region RegionOne neutron admin http://controller:9696
- Start the services (nova-api is restarted so that it picks up the [neutron] section added to nova.conf):
systemctl restart openstack-nova-api
systemctl enable neutron-server neutron-linuxbridge-agent neutron-dhcp-agent neutron-metadata-agent
systemctl start neutron-server neutron-linuxbridge-agent neutron-dhcp-agent neutron-metadata-agent
- Check:
systemctl status neutron-server.service
curl http://controller:9696 # should return a small JSON document listing the v2.0 API version
Deployment steps (Compute node)
- Enable promiscuous mode on the NIC:
ifconfig ens33 promisc
Make it persistent with /etc/rc.d/rc.local (chmod +x /etc/rc.d/rc.local) or a NetworkManager dispatcher script, not /etc/profile, which only runs for interactive logins.
Check:
ip a # the flags shown for ens33 should include PROMISC
- Configure the bridge netfilter sysctls:
Append the following to /etc/sysctl.conf:
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
Load the module and apply the settings:
modprobe br_netfilter
sysctl -p
Add br_netfilter to a file under /etc/modules-load.d/ as well, so that the module is loaded at boot.
- Install the required packages:
yum -y install openstack-neutron-linuxbridge ebtables
- Configure the Neutron agent
Back up and edit /etc/neutron/neutron.conf:
cp /etc/neutron/neutron.conf /etc/neutron/neutron.conf.bak
vim /etc/neutron/neutron.conf
The key settings are (the compute node runs only the agent, so [database] stays empty and the node holds no database credentials):
[DEFAULT]
transport_url = rabbit://rabbitmq:lian@controller:5672
auth_strategy = keystone
[keystone_authtoken]
auth_url = http://controller:5000
memcached_servers = controller:11211
auth_type = password
project_domain_name = Default
user_domain_name = Default
project_name = project
username = neutron
password = lian
[cors]
[database]
[oslo_concurrency]
lock_path = /var/lib/neutron/tmp
[oslo_messaging_amqp]
[oslo_messaging_kafka]
[oslo_messaging_notifications]
[oslo_messaging_rabbit]
[oslo_middleware]
[oslo_policy]
[privsep]
[ssl]
Back up and edit /etc/neutron/plugins/ml2/linuxbridge_agent.ini:
cp /etc/neutron/plugins/ml2/linuxbridge_agent.ini /etc/neutron/plugins/ml2/linuxbridge_agent.ini.bak
vim /etc/neutron/plugins/ml2/linuxbridge_agent.ini
The key settings are (identical to the controller's):
[DEFAULT]
[linux_bridge]
physical_interface_mappings = provider:ens33
[vxlan]
enable_vxlan = false
[securitygroup]
enable_security_group = true
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
- Start the services (nova-compute is restarted so that it picks up the [neutron] section in nova.conf):
systemctl restart openstack-nova-compute && systemctl enable neutron-linuxbridge-agent && systemctl start neutron-linuxbridge-agent
Verification (Controller node)
- Check the network agents from the controller:
openstack network agent list
Output like the following means every agent is alive (Alive shows :-); an agent that has stopped reporting shows XXX):
+--------------------------------------+--------------------+------------+-------------------+-------+-------+---------------------------+
| ID | Agent Type | Host | Availability Zone | Alive | State | Binary |
+--------------------------------------+--------------------+------------+-------------------+-------+-------+---------------------------+
| 0637523e-667e-4f70-8262-53137e55e7a6 | DHCP agent | controller | nova | :-) | UP | neutron-dhcp-agent |
| 7a66b1fe-3e9d-46a7-ab0b-7029e179f7b0 | Linux bridge agent | compute | None | :-) | UP | neutron-linuxbridge-agent |
| 8ade812c-498a-4db5-8704-bb25f1747cbd | Metadata agent | controller | None | :-) | UP | neutron-metadata-agent |
| e909004c-ab3a-457b-ade3-e45e60d0722a | Linux bridge agent | controller | None | :-) | UP | neutron-linuxbridge-agent |
+--------------------------------------+--------------------+------------+-------------------+-------+-------+---------------------------+
Other checks:
neutron-status upgrade check
curl http://controller:9696
Closing remarks
That completes the deployment of Nova and Neutron. Later posts will continue with the rest of the OpenStack deployment and go into the pitfalls met along the way, including details that neither the official documentation nor the textbooks mention. I hope this tutorial helps you get a deployment right the first time.
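The two checks above (openstack compute service list and openstack network agent list) are read by eye. As an added example that is not part of the article, the following POSIX shell script parses the saved output of either command and fails when any row is not healthy, so the same check can run from cron or a deployment pipeline. The sample tables are constructed from the output shown on this page, with the compute node's service and agent marked down.

```shell
#!/bin/sh
# Added example, not code from the original article: turn the page's two
# eyeball checks (openstack compute service list, openstack network agent
# list) into a pass/fail test. The functions read the saved table output of
# those commands; the sample tables below are constructed from the page's
# own output with one row broken in each.

# unhealthy_rows FILE COLUMN OK: print "Binary@Host" for each data row whose
# COLUMN differs from OK; exits 2 when the header has no such column.
unhealthy_rows() {
  awk -F'|' -v col="$2" -v ok="$3" '
    /^\+/   { next }                  # +----+ border lines
    NF < 3  { next }                  # blank lines and non-table text
    { for (i = 1; i <= NF; i++) gsub(/^[ \t]+|[ \t]+$/, "", $i) }
    !seen_header { for (i = 1; i <= NF; i++) idx[$i] = i; seen_header = 1; next }
    (col in idx) && $(idx[col]) != ok { print $(idx["Binary"]) "@" $(idx["Host"]) }
    END { if (!(col in idx)) exit 2 }' "$1"
}

# check_health FILE COLUMN OK: 0 when every row is healthy, 1 otherwise,
# 2 when COLUMN does not exist (a typo must not produce a false pass)
check_health() {
  bad=$(unhealthy_rows "$1" "$2" "$3"); rc=$?
  if [ "$rc" -eq 2 ]; then echo "column '$2' not found in $1"; return 2; fi
  if [ -n "$bad" ]; then printf 'unhealthy:\n%s\n' "$bad"; return 1; fi
  echo "all rows healthy ($2 = $3)"
}

# Constructed sample: the page's compute service table with nova-compute down
sample_compute_services() {
  cat <<'EOF'
+----+----------------+------------+----------+---------+-------+----------------------------+
| ID | Binary         | Host       | Zone     | Status  | State | Updated At                 |
+----+----------------+------------+----------+---------+-------+----------------------------+
| 1  | nova-conductor | controller | internal | enabled | up    | 2024-12-27T08:15:51.000000 |
| 2  | nova-scheduler | controller | internal | enabled | up    | 2024-12-27T08:15:51.000000 |
| 9  | nova-compute   | compute    | nova     | enabled | down  | 2024-12-27T07:40:12.000000 |
+----+----------------+------------+----------+---------+-------+----------------------------+
EOF
}

# Constructed sample: the page's agent table with the compute node's agent dead (XXX)
sample_network_agents() {
  cat <<'EOF'
+--------------------------------------+--------------------+------------+-------------------+-------+-------+---------------------------+
| ID                                   | Agent Type         | Host       | Availability Zone | Alive | State | Binary                    |
+--------------------------------------+--------------------+------------+-------------------+-------+-------+---------------------------+
| 0637523e-667e-4f70-8262-53137e55e7a6 | DHCP agent         | controller | nova              | :-)   | UP    | neutron-dhcp-agent        |
| 7a66b1fe-3e9d-46a7-ab0b-7029e179f7b0 | Linux bridge agent | compute    | None              | XXX   | UP    | neutron-linuxbridge-agent |
| 8ade812c-498a-4db5-8704-bb25f1747cbd | Metadata agent     | controller | None              | :-)   | UP    | neutron-metadata-agent    |
| e909004c-ab3a-457b-ade3-e45e60d0722a | Linux bridge agent | controller | None              | :-)   | UP    | neutron-linuxbridge-agent |
+--------------------------------------+--------------------+------------+-------------------+-------+-------+---------------------------+
EOF
}

# Stand-alone demo on the constructed samples
demo=$(mktemp)
sample_compute_services > "$demo"; check_health "$demo" State up || :
sample_network_agents > "$demo";   check_health "$demo" Alive ':-)' || :
rm -f "$demo"
```

Usage on the controller: openstack compute service list > /tmp/svc.txt && check_health /tmp/svc.txt State up, and likewise openstack network agent list > /tmp/agents.txt && check_health /tmp/agents.txt Alive ':-)'. The header is parsed by name rather than by position, so the same function handles both tables, and a return code of 2 is kept separate from 1 so that a mistyped column name is never mistaken for a healthy cluster.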