Deploying VPNaaS on the community Liberty release of OpenStack

The environment is still the Liberty release of OpenStack installed with devstack inside a virtual machine; two configuration changes are made here.

First, add q-vpn to ENABLED_SERVICES

# This allows us to pass ``ENABLED_SERVICES``
if ! isset ENABLED_SERVICES ; then
    # Keystone - nothing works without keystone
    ENABLED_SERVICES=key
    # Nova - services to support libvirt based openstack clouds
    ENABLED_SERVICES+=,n-api,n-cpu,n-net,n-cond,n-sch,n-novnc,n-crt,n-cauth
    # Glance services needed for Nova
    ENABLED_SERVICES+=,g-api,g-reg
    # Cinder
    ENABLED_SERVICES+=,c-sch,c-api,c-vol
    # Neutron
    ENABLED_SERVICES+=,q-svc,q-agt,q-dhcp,q-l3,q-meta,q-vpn
    # Dashboard
    ENABLED_SERVICES+=,horizon
    # Additional services
    #ENABLED_SERVICES+=,rabbit,tempest,mysql,dstat
    ENABLED_SERVICES+=,rabbit,mysql,dstat
fi

Second, configure non-DVR (legacy) mode

# Distributed Virtual Router (DVR) configuration
# Can be:
# - ``legacy``   - No DVR functionality
# - ``dvr_snat`` - Controller or single node DVR
# - ``dvr``      - Compute node in multi-node DVR
#
Q_DVR_MODE=${Q_DVR_MODE:-legacy}
if [[ "$Q_DVR_MODE" != "legacy" ]]; then
    Q_ML2_PLUGIN_MECHANISM_DRIVERS=openvswitch,linuxbridge,l2population
fi

Drop IPv6, since it is not needed for now

# Subnet IP version
#IP_VERSION=${IP_VERSION:-"4+6"}
IP_VERSION=${IP_VERSION:-"4"}
# Validate IP_VERSION
if [[ $IP_VERSION != "4" ]] && [[ $IP_VERSION != "6" ]] && [[ $IP_VERSION != "4+6" ]]; then
    die $LINENO "IP_VERSION must be either 4, 6, or 4+6"
fi

After making these changes, run ./stack.sh inside devstack; once the installation finishes, the agents are all up

lihui@l-openstack:~/devstack$ neutron agent-list
+--------------------------------------+--------------------+-------------+-------+----------------+---------------------------+
| id                                   | agent_type         | host        | alive | admin_state_up | binary                    |
+--------------------------------------+--------------------+-------------+-------+----------------+---------------------------+
| 0a8e4851-fbf5-47c1-b294-fa1e85633168 | L3 agent           | l-openstack | :-)   | True           | neutron-vpn-agent         |
| 3e84c6bc-ff33-4a7a-9f78-4e1d6af029a9 | Metadata agent     | l-openstack | :-)   | True           | neutron-metadata-agent    |
| 555c346b-c243-4449-9346-e58dd1426304 | DHCP agent         | l-openstack | :-)   | True           | neutron-dhcp-agent        |
| 58f26842-4275-4c46-8317-ac7dab429b8e | Open vSwitch agent | l-openstack | :-)   | True           | neutron-openvswitch-agent |
+--------------------------------------+--------------------+-------------+-------+----------------+---------------------------+

Bridge layout

lihui@l-openstack:~/devstack$ sudo ovs-vsctl show
e3bbb9f8-2dc6-4f7d-85a4-7584ac8584a1
    Bridge br-int
        fail_mode: secure
        Port "tap5f8ce545-7f"
            tag: 1
            Interface "tap5f8ce545-7f"
                type: internal
        Port patch-tun
            Interface patch-tun
                type: patch
                options: {peer=patch-int}
        Port "qr-4c259d08-89"
            tag: 1
            Interface "qr-4c259d08-89"
                type: internal
        Port br-int
            Interface br-int
                type: internal
    Bridge br-tun
        fail_mode: secure
        Port patch-int
            Interface patch-int
                type: patch
                options: {peer=patch-tun}
        Port br-tun
            Interface br-tun
                type: internal
    Bridge br-ex
        Port "qg-a6615f60-65"
            Interface "qg-a6615f60-65"
                type: internal
        Port br-ex
            Interface br-ex
                type: internal
    ovs_version: "2.0.2"

br-int and br-tun are linked directly, but one thing to note: the public external network created by default here is not a flat network but a vxlan one

lihui@l-openstack:~/devstack$ neutron net-show 7ef2c15b-c1d6-4b55-bd8e-f22efbda17e4
+-----------------------+--------------------------------------+
| Field                 | Value                                |
+-----------------------+--------------------------------------+
| admin_state_up        | True                                 |
| id                    | 7ef2c15b-c1d6-4b55-bd8e-f22efbda17e4 |
| mtu                   | 1450                                 |
| name                  | public                               |
| port_security_enabled | True                                 |
| router:external       | True                                 |
| shared                | False                                |
| status                | ACTIVE                               |
| subnets               | e56b52dd-1a4b-481e-80a2-feb101d0ecd7 |
| tenant_id             | 794198dcae7641b0ab8d77a27d180aba     |
+-----------------------+--------------------------------------+

The reason is this piece of code in lib/neutron-legacy

# Create an external network, and a subnet. Configure the external network as router gw
if [ "$Q_USE_PROVIDERNET_FOR_PUBLIC" = "True" ]; then
    EXT_NET_ID=$(neutron net-create "$PUBLIC_NETWORK_NAME" -- --router:external=True --provider:network_type=flat --provider:physical_network=${PUBLIC_PHYSICAL_NETWORK} | grep ' id ' | get_field 2)
else
    EXT_NET_ID=$(neutron net-create "$PUBLIC_NETWORK_NAME" -- --router:external=True | grep ' id ' | get_field 2)
fi
die_if_not_set $LINENO EXT_NET_ID "Failure creating EXT_NET_ID for $PUBLIC_NETWORK_NAME"

if [[ "$IP_VERSION" =~ 4.* ]]; then
    # Configure router for IPv4 public access
    _neutron_configure_router_v4
fi

if [[ "$IP_VERSION" =~ .*6 ]]; then
    # Configure router for IPv6 public access
    _neutron_configure_router_v6
fi

Here $Q_USE_PROVIDERNET_FOR_PUBLIC is configured as False, so the else branch is taken and the network defaults to the vxlan type; but if it is set to True, the code below reaches _neutron_configure_router_v4

# Create an external network, and a subnet. Configure the external network as router gw
if [ "$Q_USE_PROVIDERNET_FOR_PUBLIC" = "True" ]; then
    EXT_NET_ID=$(neutron net-create "$PUBLIC_NETWORK_NAME" -- --router:external=True --provider:network_type=flat --provider:physical_network=${PUBLIC_PHYSICAL_NETWORK} | grep ' id ' | get_field 2)
else
    EXT_NET_ID=$(neutron net-create "$PUBLIC_NETWORK_NAME" -- --router:external=True | grep ' id ' | get_field 2)
fi
die_if_not_set $LINENO EXT_NET_ID "Failure creating EXT_NET_ID for $PUBLIC_NETWORK_NAME"

if [[ "$IP_VERSION" =~ 4.* ]]; then
    # Configure router for IPv4 public access
    _neutron_configure_router_v4
fi

The last step inside _neutron_configure_router_v4

if [[ "$ext_gw_interface" != "none" ]]; then
    local cidr_len=${FLOATING_RANGE#*/}
    local testcmd="ip -o link | grep -q $ext_gw_interface"
    test_with_retry "$testcmd" "$ext_gw_interface creation failed"
    if [[ $(ip addr show dev $ext_gw_interface | grep -c $ext_gw_ip) == 0 && ( $Q_USE_PROVIDERNET_FOR_PUBLIC == "False" || $Q_USE_PUBLIC_VETH == "True" ) ]]; then
        sudo ip addr add $ext_gw_ip/$cidr_len dev $ext_gw_interface
        sudo ip link set $ext_gw_interface up
    fi
    ROUTER_GW_IP=`neutron port-list -c fixed_ips -c device_owner | grep router_gateway | awk -F '"' -v subnet_id=$PUB_SUBNET_ID '$4 == subnet_id { print $8; }'`
    die_if_not_set $LINENO ROUTER_GW_IP "Failure retrieving ROUTER_GW_IP"
    sudo ip route replace  $FIXED_RANGE via $ROUTER_GW_IP
fi

The ip route replace step reports an error: it cannot set the subnet's next hop to the router gateway IP
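As an added example (not devstack's or this post's own code), the script below reproduces the ROUTER_GW_IP extraction from the snippet above on a constructed port listing and checks that the extracted next hop lies inside the floating range before it would be handed to ip route replace, since a `via` next hop has to be on-link for the gateway interface. The sample listing, the subnet ids and the FLOATING_RANGE value 172.24.4.0/24 are assumptions.

```shell
#!/bin/sh
# Added example, not devstack's own code: reproduce the ROUTER_GW_IP extraction from
# _neutron_configure_router_v4 on a constructed sample, then check the next hop first.

# Constructed sample of `neutron port-list -c fixed_ips -c device_owner` output.
SAMPLE_PORT_LIST='+-----------------------------------------------------------------------------------+--------------------------+
| fixed_ips                                                                         | device_owner             |
+-----------------------------------------------------------------------------------+--------------------------+
| {"subnet_id": "11111111-1111-1111-1111-111111111111", "ip_address": "10.0.0.1"}   | network:router_interface |
| {"subnet_id": "e56b52dd-1a4b-481e-80a2-feb101d0ecd7", "ip_address": "172.24.4.2"} | network:router_gateway   |
+-----------------------------------------------------------------------------------+--------------------------+'

# Same awk as devstack: split on double quotes, so field 4 is the subnet_id value and
# field 8 the ip_address value; keep only the router_gateway port on the public subnet.
router_gw_ip() {
    printf '%s\n' "$1" | grep router_gateway |
        awk -F '"' -v subnet_id="$2" '$4 == subnet_id { print $8 }'
}

# Dotted-quad IPv4 address to a decimal integer, using shell arithmetic only.
ip_to_int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# True when address $1 lies inside CIDR $2 (e.g. in_cidr 172.24.4.2 172.24.4.0/24).
in_cidr() {
    local net len mask
    net=${2%/*}; len=${2#*/}
    mask=$(( 4294967296 - (1 << (32 - len)) ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# Preflight for the step that fails on the page: `ip route replace ... via GW` needs GW to
# be on-link, i.e. inside the range assigned to $ext_gw_interface (FLOATING_RANGE, assumed
# here to be 172.24.4.0/24). Arguments: port listing, PUB_SUBNET_ID, FLOATING_RANGE.
check_next_hop() {
    local gw
    gw=$(router_gw_ip "$1" "$2")
    [ -n "$gw" ] || { echo "no router_gateway port found on subnet $2" >&2; return 2; }
    if in_cidr "$gw" "$3"; then
        echo "ok: next hop $gw is inside $3, ip route replace can use it"
    else
        echo "refusing: next hop $gw is outside $3, the kernel would reject the route" >&2
        return 1
    fi
}

check_next_hop "$SAMPLE_PORT_LIST" e56b52dd-1a4b-481e-80a2-feb101d0ecd7 172.24.4.0/24
```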

I'll leave that aside for now. The flow of an all-in-one OpenStack really does need a careful walkthrough; regardless, the first goal is to get all the VPN-related services running, then create the VPN services, and finally reach a point where things can be tested.
