Neutron (formerly called Quantum) is the networking stack of OpenStack. It is the SDN (Software Defined Networking) implementation of the open source IaaS project.
Its role is to talk to the various network building blocks, assemble them and make them controllable from software. For more details, see the project itself on openstack.org.
Context of the example
As part of a POC, we will essentially be using x86 virtual machines. We will not be using the features that drive Cisco, Juniper or other hardware.
```
+-------------------------+          +--------------------------+
|                         |          |                          |
|      controller01       |          |        compute01         |
|                         |          |                          |
|  eth0    eth2    eth3   |          |  eth3    eth2    eth0    |
+-------------------------+          +--------------------------+
    |       |       |                    |       |       |
    |       |       |  "private" network |       |       |
    |       |       +--------------------+       |       |
    |       |          "public" network          |       |
    |       +------------------------------------+       |
    |                  "admin" network                   |
    +----------------------------------------------------+
```
The example we are going to look at is very simple: it consists of booting a VM on a private network, letting it reach the outside, and also letting the outside reach the VM.
```
+-+                          +-+
| |                          | |
|V|                          |V|
|L|                          |L|
|A|                          |A|
|N|                          |N|
| |      +-------+           | |      +------------+
|P|------|router1|-----------|P|------| instance1  |
|U|      |       |           |R|      |            |
|B|      +-------+           |I|      +------------+
|L|                          |V|
|I|                          |E|
|C|                          | |
| |                          | |
+-+                          +-+
```
To keep things simple, the operations will be carried out with the admin account, even though some of them could be done as a plain user of the "admin" tenant.
Prerequisites
Since OpenStack deployment methods vary a lot, we will not detail here how to set the service up. We assume the service is up and running. We therefore have a working deployment with the following stacks: keystone, glance, nova, horizon and of course neutron.
We also have the service's administration credentials loaded into the command-line environment.
```
[root@hostnamedab ~(keystone_admin)]# keystone service-list
+----------------------------------+------------+----------------+----------------------------+
| id                               | name       | type           | description                |
+----------------------------------+------------+----------------+----------------------------+
| b0bee0b0e9f34f8bafd4ba7d54ba3d6e | ceilometer | metering       | Openstack Metering Service |
| 2a06e498c2b84cb48ebd578f6fa48297 | cinder     | volume         | Cinder Service             |
| 14fa9ec07e34443bba5daac33266671f | cinder_v2  | volumev2       | Cinder Service v2          |
| 1f4e441ee6d5489281d3aa8d64e2a746 | glance     | image          | Openstack Image Service    |
| d189a66300e04e9b8ac8cacad3eca3a1 | heat       | orchestration  | Heat API                   |
| f96774576d8846d7bdd04ec9ccefabb5 | heat-cfn   | cloudformation | Heat CloudFormation API    |
| 9365681a0e3945e2806e83d85b8319bf | keystone   | identity       | OpenStack Identity Service |
| f13396b4b11c45baa59f9de685f25020 | neutron    | network        | Neutron Networking Service |
| 6cf6626654b04b89a988483fb566508d | nova       | compute        | Openstack Compute Service  |
| f783eff435804e449d529ef6d03745bf | nova_ec2   | ec2            | EC2 Service                |
+----------------------------------+------------+----------------+----------------------------+
[root@hostnamedab ~(keystone_admin)]# nova service-list
+------------------+-------------+----------+---------+-------+----------------------------+-----------------+
| Binary           | Host        | Zone     | Status  | State | Updated_at                 | Disabled Reason |
+------------------+-------------+----------+---------+-------+----------------------------+-----------------+
| nova-consoleauth | hostnamedab | internal | enabled | up    | 2014-02-26T14:29:25.000000 | None            |
| nova-scheduler   | hostnamedab | internal | enabled | up    | 2014-02-26T14:29:25.000000 | None            |
| nova-conductor   | hostnamedab | internal | enabled | up    | 2014-02-26T14:29:24.000000 | None            |
| nova-cert        | hostnamedab | internal | enabled | up    | 2014-02-26T14:29:25.000000 | None            |
| nova-compute     | hostnamedbj | nova     | enabled | up    | 2014-02-26T14:29:28.000000 | None            |
| nova-console     | hostnamedab | internal | enabled | down  | 2014-02-26T09:30:20.000000 | None            |
+------------------+-------------+----------+---------+-------+----------------------------+-----------------+
```
Composition of the Neutron stack
Neutron has a modular architecture based on agents, each of which is delegated one part of the service.
- neutron-server : overall management of the service
- neutron-metadata-agent : lets instances talk to the other OpenStack components (metadata service)
- neutron-rootwrap : handles privilege escalation for the agents
- neutron-openvswitch-agent : drives everything related to Open vSwitch
- neutron-lbaas-agent : manages the load balancers
- neutron-dhcp-agent : manages the DHCP servers
- neutron-l3-agent : drives the whole layer 3 (OSI) side, in particular the implementation of routers through network namespaces
Depending on the role of each node, some of these parts will or will not need to be present.
Configuration
This is not the place to discuss configuration, but here is an extract of the most important settings anyway, so that the context can be reconstructed.
```
[root@hostnamedab ~(keystone_admin)]# cat /etc/neutron/neutron.conf | grep -v "^#" |grep -v "^$"
[DEFAULT]
debug = False
verbose = True
use_syslog = False
log_dir =/var/log/neutron
bind_host = 0.0.0.0
bind_port = 9696
core_plugin =neutron.plugins.openvswitch.ovs_neutron_plugin.OVSNeutronPluginV2
service_plugins =neutron.services.loadbalancer.plugin.LoadBalancerPlugin
auth_strategy = keystone
base_mac = fa:16:3e:00:00:00
mac_generation_retries = 16
dhcp_lease_duration = 120
allow_bulk = True
allow_overlapping_ips = True
rpc_backend = neutron.openstack.common.rpc.impl_qpid
control_exchange = neutron
qpid_hostname = 192.168.41.129
qpid_port = 5672
qpid_username = guest
qpid_password = guest
qpid_heartbeat = 60
qpid_protocol = tcp
qpid_tcp_nodelay = True
dhcp_agents_per_network = 1
api_workers = 0
qpid_reconnect_limit=0
qpid_reconnect_interval_max=0
qpid_reconnect_timeout=0
qpid_reconnect=True
qpid_reconnect_interval_min=0
qpid_reconnect_interval=0
[quotas]
[agent]
[keystone_authtoken]
auth_host = 192.168.41.129
auth_port = 35357
auth_protocol = http
admin_tenant_name = services
admin_user = neutron
admin_password = patapouf
auth_uri=http://192.168.41.129:5000/
[database]
connection = mysql://neutron:patapouf@192.168.41.129/ovs_neutron
max_retries = 10
retry_interval = 10
idle_timeout = 3600
[service_providers]
[AGENT]
root_helper=sudo neutron-rootwrap /etc/neutron/rootwrap.conf
[root@hostnamedab neutron(keystone_admin)]# cat /etc/neutron/l3_agent.ini | grep -v "^#" |grep -v "^$"
[DEFAULT]
debug = False
interface_driver =neutron.agent.linux.interface.OVSInterfaceDriver
use_namespaces = True
handle_internal_only_routers = True
external_network_bridge = br-ex
metadata_port = 9697
send_arp_for_ha = 3
periodic_interval = 40
periodic_fuzzy_delay = 5
enable_metadata_proxy = True
[root@hostnamedab neutron(keystone_admin)]# cat /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini | grep -v "^#" |grep -v "^$"
[ovs]
[agent]
[securitygroup]
[OVS]
tunnel_id_ranges=1:1000
tenant_network_type=gre
local_ip=192.168.44.129
enable_tunneling=True
integration_bridge=br-int
tunnel_bridge=br-tun
[AGENT]
polling_interval=2
[SECURITYGROUP]
firewall_driver=neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
[root@hostnamedab neutron(keystone_admin)]# cat /etc/nova/nova.conf | grep -v "^#" |grep -v "^$" | grep neutron
service_neutron_metadata_proxy=True
neutron_metadata_proxy_shared_secret=patapouf
neutron_default_tenant_id=default
network_api_class=nova.network.neutronv2.api.API
neutron_url=http://192.168.41.129:9696
neutron_url_timeout=30
neutron_admin_username=neutron
neutron_admin_password=patapouf
neutron_admin_tenant_name=services
neutron_region_name=RegionOne
neutron_admin_auth_url=http://192.168.41.129:35357/v2.0
neutron_auth_strategy=keystone
neutron_ovs_bridge=br-int
neutron_extension_sync_interval=600
security_group_api=neutron
```
Creating a tenant network and attaching an instance
Retrieve the tenant-id of the admin tenant.
```
[root@hostnamedab ~(keystone_admin)]# keystone tenant-list | grep admin | awk '{print $2;}'
5f8ffb039ce844bc94ba031be85e0936
```
Create the mytenantnet network and its subnet.
```
[root@hostnamedab ~(keystone_admin)]# neutron net-create --tenant-id 5f8ffb039ce844bc94ba031be85e0936 mytenantnet
Created a new network:
+---------------------------+--------------------------------------+
| Field                     | Value                                |
+---------------------------+--------------------------------------+
| admin_state_up            | True                                 |
| id                        | 00bcfcc4-236e-40bd-ba54-74c85ae0d05e |
| name                      | mytenantnet                          |
| provider:network_type     | gre                                  |
| provider:physical_network |                                      |
| provider:segmentation_id  | 1                                    |
| shared                    | False                                |
| status                    | ACTIVE                               |
| subnets                   |                                      |
| tenant_id                 | 5f8ffb039ce844bc94ba031be85e0936     |
+---------------------------+--------------------------------------+
[root@hostnamedab ~(keystone_admin)]# neutron subnet-create --tenant-id 5f8ffb039ce844bc94ba031be85e0936 mytenantnet 192.168.165.0/24 --gateway 192.168.165.1
Created a new subnet:
+------------------+------------------------------------------------------+
| Field            | Value                                                |
+------------------+------------------------------------------------------+
| allocation_pools | {"start": "192.168.165.2", "end": "192.168.165.254"} |
| cidr             | 192.168.165.0/24                                     |
| dns_nameservers  |                                                      |
| enable_dhcp      | True                                                 |
| gateway_ip       | 192.168.165.1                                        |
| host_routes      |                                                      |
| id               | efab7729-96ca-4b04-9ab7-3fd6d7c1d22b                 |
| ip_version       | 4                                                    |
| name             |                                                      |
| network_id       | 00bcfcc4-236e-40bd-ba54-74c85ae0d05e                 |
| tenant_id        | 5f8ffb039ce844bc94ba031be85e0936                     |
+------------------+------------------------------------------------------+
```
Boot an instance with a network attachment on mytenantnet.
```
[root@hostnamedab ~(keystone_admin)]# nova boot --flavor m1.small --image cirros --security-groups allowall --nic net-id=00bcfcc4-236e-40bd-ba54-74c85ae0d05e instance1
+--------------------------------------+--------------------------------------+
| Property                             | Value                                |
+--------------------------------------+--------------------------------------+
| OS-EXT-STS:task_state                | scheduling                           |
| image                                | cirros                               |
| OS-EXT-STS:vm_state                  | building                             |
| OS-EXT-SRV-ATTR:instance_name        | instance-00000003                    |
| OS-SRV-USG:launched_at               | None                                 |
| flavor                               | m1.small                             |
| id                                   | efcb16e5-b815-4b6d-af4f-930e3830036e |
| security_groups                      | [{u'name': u'allowall'}]             |
| user_id                              | ab1435cbeb5d46829299525fc4b37c7d     |
| OS-DCF:diskConfig                    | MANUAL                               |
| accessIPv4                           |                                      |
| accessIPv6                           |                                      |
| progress                             | 0                                    |
| OS-EXT-STS:power_state               | 0                                    |
| OS-EXT-AZ:availability_zone          | nova                                 |
| config_drive                         |                                      |
| status                               | BUILD                                |
| updated                              | 2014-02-26T16:10:38Z                 |
| hostId                               |                                      |
| OS-EXT-SRV-ATTR:host                 | None                                 |
| OS-SRV-USG:terminated_at             | None                                 |
| key_name                             | None                                 |
| OS-EXT-SRV-ATTR:hypervisor_hostname  | None                                 |
| name                                 | instance1                            |
| adminPass                            | rKkadB45VXRV                         |
| tenant_id                            | 5f8ffb039ce844bc94ba031be85e0936     |
| created                              | 2014-02-26T16:10:37Z                 |
| os-extended-volumes:volumes_attached | []                                   |
| metadata                             | {}                                   |
+--------------------------------------+--------------------------------------+
[root@hostnamedab ~(keystone_admin)]# nova show instance1
+--------------------------------------+----------------------------------------------------------+
| Property                             | Value                                                    |
+--------------------------------------+----------------------------------------------------------+
| status                               | ACTIVE                                                   |
| updated                              | 2014-02-26T16:11:17Z                                     |
| OS-EXT-STS:task_state                | None                                                     |
| OS-EXT-SRV-ATTR:host                 | hostnamedbj                                              |
| key_name                             | None                                                     |
| image                                | cirros (3257ad97-ac1e-4059-afb1-ad0de2aa01b1)            |
| hostId                               | 67a93b4953c7cf7ac992a4c27f8551f70aa7e113df364523a225460f |
| OS-EXT-STS:vm_state                  | active                                                   |
| OS-EXT-SRV-ATTR:instance_name        | instance-00000003                                        |
| OS-SRV-USG:launched_at               | 2014-02-26T16:11:17.000000                               |
| OS-EXT-SRV-ATTR:hypervisor_hostname  | hostnamedbj.dsit.sncf.fr                                 |
| flavor                               | m1.small (2)                                             |
| id                                   | efcb16e5-b815-4b6d-af4f-930e3830036e                     |
| security_groups                      | [{u'name': u'allowall'}]                                 |
| OS-SRV-USG:terminated_at             | None                                                     |
| user_id                              | ab1435cbeb5d46829299525fc4b37c7d                         |
| name                                 | instance1                                                |
| created                              | 2014-02-26T16:10:37Z                                     |
| mytenantnet network                  | 192.168.165.2                                            |
| tenant_id                            | 5f8ffb039ce844bc94ba031be85e0936                         |
| OS-DCF:diskConfig                    | MANUAL                                                   |
| metadata                             | {}                                                       |
| os-extended-volumes:volumes_attached | []                                                       |
| accessIPv4                           |                                                          |
| accessIPv6                           |                                                          |
| progress                             | 0                                                        |
| OS-EXT-STS:power_state               | 1                                                        |
| OS-EXT-AZ:availability_zone          | nova                                                     |
| config_drive                         |                                                          |
+--------------------------------------+----------------------------------------------------------+
```
Creating the public network and the router, and wiring them up
Declare the public network.
```
[root@hostnamedab ~(keystone_admin)]# neutron net-create public -- --router:external=True
Created a new network:
+---------------------------+--------------------------------------+
| Field                     | Value                                |
+---------------------------+--------------------------------------+
| admin_state_up            | True                                 |
| id                        | 8cce6638-d41f-4b58-8549-2a10f3bf7b06 |
| name                      | public                               |
| provider:network_type     | gre                                  |
| provider:physical_network |                                      |
| provider:segmentation_id  | 2                                    |
| router:external           | True                                 |
| shared                    | False                                |
| status                    | ACTIVE                               |
| subnets                   |                                      |
| tenant_id                 | 5f8ffb039ce844bc94ba031be85e0936     |
+---------------------------+--------------------------------------+
[root@hostnamedab ~(keystone_admin)]# neutron subnet-create public --allocation-pool start=10.6.27.150,end=10.6.27.249 --gateway 10.6.27.1 --enable_dhcp=False 10.6.27.0/24
Created a new subnet:
+------------------+------------------------------------------------+
| Field            | Value                                          |
+------------------+------------------------------------------------+
| allocation_pools | {"start": "10.6.27.150", "end": "10.6.27.249"} |
| cidr             | 10.6.27.0/24                                   |
| dns_nameservers  |                                                |
| enable_dhcp      | False                                          |
| gateway_ip       | 10.6.27.1                                      |
| host_routes      |                                                |
| id               | 67ddd6df-b592-4d9e-9906-34e93563eb2c           |
| ip_version       | 4                                              |
| name             |                                                |
| network_id       | 8cce6638-d41f-4b58-8549-2a10f3bf7b06           |
| tenant_id        | 5f8ffb039ce844bc94ba031be85e0936               |
+------------------+------------------------------------------------+
```
Create the router, set the public network as its gateway, and attach the tenant subnet to it.
```
[root@hostnamedab ~(keystone_admin)]# neutron router-create router1 --tenant-id 5f8ffb039ce844bc94ba031be85e0936
Created a new router:
+-----------------------+--------------------------------------+
| Field                 | Value                                |
+-----------------------+--------------------------------------+
| admin_state_up        | True                                 |
| external_gateway_info |                                      |
| id                    | 7c93ac79-fa36-490d-a57e-bd1768b1550f |
| name                  | router1                              |
| status                | ACTIVE                               |
| tenant_id             | 5f8ffb039ce844bc94ba031be85e0936     |
+-----------------------+--------------------------------------+
[root@hostnamedab ~(keystone_admin)]# neutron router-gateway-set router1 public
Set gateway for router router1
[root@hostnamedab ~(keystone_admin)]# neutron router-interface-add router1 efab7729-96ca-4b04-9ab7-3fd6d7c1d22b
Added interface 7c158f46-923c-44cd-841b-06b9009c32e4 to router router1.
```
Enabling the instance's public IP
Create a floating IP and associate it with the instance's port (the port whose fixed IP is the instance's address, 192.168.165.2, in the port-list below).
```
[root@hostnamedab ~(keystone_admin)]# neutron floatingip-create public
Created a new floatingip:
+---------------------+--------------------------------------+
| Field               | Value                                |
+---------------------+--------------------------------------+
| fixed_ip_address    |                                      |
| floating_ip_address | 10.6.27.151                          |
| floating_network_id | 8cce6638-d41f-4b58-8549-2a10f3bf7b06 |
| id                  | b649f35e-866f-4333-a048-b981be798c35 |
| port_id             |                                      |
| router_id           |                                      |
| tenant_id           | 5f8ffb039ce844bc94ba031be85e0936     |
+---------------------+--------------------------------------+
[root@hostnamedab ~(keystone_admin)]# neutron port-list
+--------------------------------------+------+-------------------+--------------------------------------------------------------------------------------+
| id                                   | name | mac_address       | fixed_ips                                                                            |
+--------------------------------------+------+-------------------+--------------------------------------------------------------------------------------+
| 0170ce1a-aa3a-4ef3-981d-e9fb8b3c4924 |      | fa:16:3e:7f:71:b5 | {"subnet_id": "efab7729-96ca-4b04-9ab7-3fd6d7c1d22b", "ip_address": "192.168.165.2"} |
| 2d96e1f5-e03c-4f96-98cb-79f386602859 |      | fa:16:3e:16:21:59 | {"subnet_id": "efab7729-96ca-4b04-9ab7-3fd6d7c1d22b", "ip_address": "192.168.165.3"} |
| 49c50a0f-f3c2-43ae-89a7-53b9acc82cf5 |      | fa:16:3e:6c:a7:22 | {"subnet_id": "67ddd6df-b592-4d9e-9906-34e93563eb2c", "ip_address": "10.6.27.150"}   |
| 5d4eb754-b3da-4df0-9c96-dd2e529ce839 |      | fa:16:3e:71:56:e1 | {"subnet_id": "67ddd6df-b592-4d9e-9906-34e93563eb2c", "ip_address": "10.6.27.151"}   |
| 7c158f46-923c-44cd-841b-06b9009c32e4 |      | fa:16:3e:51:d3:45 | {"subnet_id": "efab7729-96ca-4b04-9ab7-3fd6d7c1d22b", "ip_address": "192.168.165.1"} |
+--------------------------------------+------+-------------------+--------------------------------------------------------------------------------------+
[root@hostnamedab ~(keystone_admin)]# neutron floatingip-associate b649f35e-866f-4333-a048-b981be798c35 0170ce1a-aa3a-4ef3-981d-e9fb8b3c4924
Associated floatingip b649f35e-866f-4333-a048-b981be798c35
```
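The step above that is easiest to get wrong is picking the right port id out of `neutron port-list` by eye, since the router and DHCP ports live on the same subnet as the instance. As an added example (not code from the original post), here is a small Python script that parses that table output, resolves the instance's fixed IP to exactly one port id, checks that the floating IP actually falls inside the public subnet's allocation pool and is not the gateway, and builds the `floatingip-associate` command. The table below is a constructed, abridged copy of the one shown above; the function names are my own.

```python
import ipaddress
import json

# Constructed sample: abridged `neutron port-list` output (instance port and router port).
PORT_LIST = """\
+--------------------------------------+------+-------------------+--------------------------------------------------------------------------------------+
| id                                   | name | mac_address       | fixed_ips                                                                            |
+--------------------------------------+------+-------------------+--------------------------------------------------------------------------------------+
| 0170ce1a-aa3a-4ef3-981d-e9fb8b3c4924 |      | fa:16:3e:7f:71:b5 | {"subnet_id": "efab7729-96ca-4b04-9ab7-3fd6d7c1d22b", "ip_address": "192.168.165.2"} |
| 7c158f46-923c-44cd-841b-06b9009c32e4 |      | fa:16:3e:51:d3:45 | {"subnet_id": "efab7729-96ca-4b04-9ab7-3fd6d7c1d22b", "ip_address": "192.168.165.1"} |
+--------------------------------------+------+-------------------+--------------------------------------------------------------------------------------+
"""


def parse_port_list(table):
    """Turn the CLI table into dicts. fixed_ips is a JSON object (one address per row here)."""
    ports = []
    for line in table.splitlines():
        if not line.startswith("|") or line.startswith("| id"):
            continue  # skip borders and the header row
        cells = [c.strip() for c in line.strip("|").split("|")]
        port_id, _name, mac, fixed = cells
        ip_info = json.loads(fixed)
        ports.append({"id": port_id, "mac": mac,
                      "subnet_id": ip_info["subnet_id"], "ip": ip_info["ip_address"]})
    return ports


def port_for_fixed_ip(ports, fixed_ip):
    """Return the single port id that owns fixed_ip; refuse to guess on 0 or 2+ hits."""
    hits = [p["id"] for p in ports if p["ip"] == fixed_ip]
    if len(hits) != 1:
        raise ValueError("expected exactly one port for %s, got %d" % (fixed_ip, len(hits)))
    return hits[0]


def floating_ip_is_valid(fip, cidr, gateway, pool_start, pool_end):
    """A floating IP must be inside the public CIDR and its allocation pool, and never the gateway."""
    ip = ipaddress.ip_address(fip)
    return (ip in ipaddress.ip_network(cidr)
            and ip != ipaddress.ip_address(gateway)
            and ipaddress.ip_address(pool_start) <= ip <= ipaddress.ip_address(pool_end))


def associate_command(floatingip_id, ports, fixed_ip):
    """Build the exact CLI line used above, with the port id resolved from the fixed IP."""
    return "neutron floatingip-associate %s %s" % (floatingip_id, port_for_fixed_ip(ports, fixed_ip))


if __name__ == "__main__":
    ports = parse_port_list(PORT_LIST)
    print(associate_command("b649f35e-866f-4333-a048-b981be798c35", ports, "192.168.165.2"))
```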
Test
We simply open an SSH connection to the instance through its floating IP to check that it is reachable; inside the guest, the interface still carries only the private address, since the floating IP is NAT-ed by the router.
```
pjbt05841@hostnamedug:~$ ssh cirros@10.6.27.151
Warning: Permanently added '10.6.27.151' (RSA) to the list of known hosts.
cirros@10.6.27.151's password:
$ ip a s
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether fa:16:3e:7f:71:b5 brd ff:ff:ff:ff:ff:ff
    inet 192.168.165.2/24 brd 192.168.165.255 scope global eth0
    inet6 fe80::f816:3eff:fe7f:71b5/64 scope link
       valid_lft forever preferred_lft forever
```