OpenStack Pike Volet 3

This document provides instructions for configuring OpenStack Compute (Nova) and Networking (Neutron) services on a Control Node. It describes installing and configuring Nova Compute on the Control Node and a Compute Host. It also describes installing and configuring Neutron network services on the Control Node, including configuring the ML2 plugin to use Open vSwitch. SELinux policy changes are also provided to allow the services to run properly.

Uploaded by IRIE

OpenStack Pike

2017/09/03

Summary work: Taylor VOLI

Part 3

OpenStack Pike : Configure Nova#3


2017/09/03

Install OpenStack Compute Service (Nova).

This example is based on the environment shown below.
If you'd like to install Nova Compute on another computer, refer to here.
eth0|10.0.0.30
+-----------+-----------+
| [ Control Node ] |
| |
| MariaDB RabbitMQ |
| Memcached httpd |
| Keystone Glance |
| Nova API,Compute |
+-----------------------+

[1] Install the KVM hypervisor on the Compute Host, refer to here.
It's unnecessary to set up bridge networking in section [2] of the link.
[2] Install Nova Compute.
# install from Pike, EPEL

[root@dlp ~(keystone)]#
yum --enablerepo=centos-openstack-pike,epel -y install openstack-nova-compute
[3] In addition to the basic settings of Nova, add the following settings.
[root@dlp ~(keystone)]#
vi /etc/nova/nova.conf
# add follows

# enable VNC
[vnc]
enabled = True
vncserver_listen = 0.0.0.0
vncserver_proxyclient_address = 10.0.0.30
novncproxy_base_url = http://10.0.0.30:6080/vnc_auto.html
[4] If SELinux is enabled, change policy like follows.
[root@dlp ~(keystone)]#
vi nova-compute_pol.te
# create new

module nova-compute_pol 1.0;

require {
type nova_var_lib_t;
type virtlogd_t;
class capability dac_override;
class file { append getattr open };
class dir search;
}


#============= virtlogd_t ==============


allow virtlogd_t nova_var_lib_t:dir search;
allow virtlogd_t nova_var_lib_t:file { append getattr open };
allow virtlogd_t self:capability dac_override;

[root@dlp ~(keystone)]#
checkmodule -m -M -o nova-compute_pol.mod nova-compute_pol.te

checkmodule: loading policy configuration from nova_pol.te


checkmodule: policy configuration loaded
checkmodule: writing binary representation (version 17) to nova_pol.mod
[root@dlp ~(keystone)]#
semodule_package --outfile nova-compute_pol.pp --module nova-compute_pol.mod

[root@dlp ~(keystone)]#
semodule -i nova-compute_pol.pp

[5] If Firewalld is running, allow service ports.


[root@dlp ~(keystone)]#
firewall-cmd --add-port=5900-5999/tcp --permanent

success
[root@dlp ~(keystone)]#
firewall-cmd --reload

success
[6] Start Nova Compute.
[root@dlp ~(keystone)]#
systemctl start openstack-nova-compute

[root@dlp ~(keystone)]#
systemctl enable openstack-nova-compute
# discover Compute Node

[root@dlp ~(keystone)]#
su -s /bin/bash nova -c "nova-manage cell_v2 discover_hosts"
# show status

[root@dlp ~(keystone)]#
openstack compute service list

+----+------------------+---------------+----------+---------+-------+----------------------------+
| ID | Binary           | Host          | Zone     | Status  | State | Updated At                 |
+----+------------------+---------------+----------+---------+-------+----------------------------+
| 4  | nova-consoleauth | dlp.srv.world | internal | enabled | up    | 2017-09-04T06:01:36.000000 |
| 5  | nova-conductor   | dlp.srv.world | internal | enabled | up    | 2017-09-04T06:01:36.000000 |
| 6  | nova-scheduler   | dlp.srv.world | internal | enabled | up    | 2017-09-04T06:01:36.000000 |
| 7  | nova-compute     | dlp.srv.world | nova     | enabled | up    | None                       |
+----+------------------+---------------+----------+---------+-------+----------------------------+


OpenStack Pike : Configure Neutron#2


2017/09/03

Configure OpenStack Network Service (Neutron).


This example is based on the environment shown below.
If you'd like to install Neutron services on another computer, refer to here.
Neutron needs a core plugin, and several are available to choose from.
This example uses the ML2 plugin, with Open vSwitch as the backend.
eth0|10.0.0.30
+-----------+-----------+
| [ Control Node ] |
| |
| MariaDB RabbitMQ |
| Memcached httpd |
| Keystone Glance |
| Nova API,Compute |
| Neutron Server |
| L2,L3,Metadata Agent |
+-----------------------+

[1] Install Neutron services.


# install from Pike, EPEL

[root@dlp ~(keystone)]#
yum --enablerepo=centos-openstack-pike,epel -y install openstack-neutron openstack-neutron-ml2 openstack-neutron-openvswitch
[2] Configure Neutron.
[root@dlp ~(keystone)]#
mv /etc/neutron/neutron.conf /etc/neutron/neutron.conf.org

[root@dlp ~(keystone)]#
vi /etc/neutron/neutron.conf
# create new

[DEFAULT]
core_plugin = ml2
service_plugins = router
auth_strategy = keystone
state_path = /var/lib/neutron
dhcp_agent_notification = True
allow_overlapping_ips = True
notify_nova_on_port_status_changes = True
notify_nova_on_port_data_changes = True
# RabbitMQ connection info
transport_url = rabbit://openstack:[email protected]

# Keystone auth info


[keystone_authtoken]


auth_uri = http://10.0.0.30:5000
auth_url = http://10.0.0.30:35357
memcached_servers = 10.0.0.30:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = neutron
password = servicepassword

# MariaDB connection info


[database]
connection = mysql+pymysql://neutron:[email protected]/neutron_ml2

# Nova connection info


[nova]
auth_url = http://10.0.0.30:35357
auth_type = password
project_domain_name = default
user_domain_name = default
region_name = RegionOne
project_name = service
username = nova
password = servicepassword

[oslo_concurrency]
lock_path = $state_path/tmp

[root@dlp ~(keystone)]#
chmod 640 /etc/neutron/neutron.conf

[root@dlp ~(keystone)]#
chgrp neutron /etc/neutron/neutron.conf

[root@dlp ~(keystone)]#
vi /etc/neutron/l3_agent.ini
# line 17: add

interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
[root@dlp ~(keystone)]#
vi /etc/neutron/dhcp_agent.ini
# line 17: add

interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
# line 32: uncomment

dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq
# line 41: uncomment and change

enable_isolated_metadata = True


[root@dlp ~(keystone)]#
vi /etc/neutron/metadata_agent.ini
# line 23: uncomment and specify Nova API server

nova_metadata_host = 10.0.0.30
# line 35: uncomment and specify any secret key you like

metadata_proxy_shared_secret = metadata_secret
# line 247: uncomment and specify Memcache server

memcache_servers = 10.0.0.30:11211
[root@dlp ~(keystone)]#
vi /etc/neutron/plugins/ml2/ml2_conf.ini
# line 114: add (it's OK to leave "tenant_network_types" empty; set it later if needed)

[ml2]
type_drivers = flat,vlan,gre,vxlan
tenant_network_types =
mechanism_drivers = openvswitch,l2population
extension_drivers = port_security
# line 247: uncomment and add

enable_security_group = True
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
# end line: uncomment

enable_ipset = True
[root@dlp ~(keystone)]#
vi /etc/nova/nova.conf
# add follows into [DEFAULT] section

use_neutron = True
linuxnet_interface_driver = nova.network.linux_net.LinuxOVSInterfaceDriver
firewall_driver = nova.virt.firewall.NoopFirewallDriver
vif_plugging_is_fatal = True
vif_plugging_timeout = 300

# add follows to the end : Neutron auth info


# the value of metadata_proxy_shared_secret must be the same as the one in metadata_agent.ini
[neutron]
url = http://10.0.0.30:9696
auth_url = http://10.0.0.30:35357
auth_type = password
project_domain_name = default
user_domain_name = default


region_name = RegionOne
project_name = service
username = neutron
password = servicepassword
service_metadata_proxy = True
metadata_proxy_shared_secret = metadata_secret
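The comment above says the shared secret in nova.conf must match the one in metadata_agent.ini, and the metadata_agent.ini step says to uncomment it. Both are easy to get wrong, and the symptom is instances receiving 403 responses from the metadata service, because Nova verifies the HMAC signature the metadata agent computes with that secret. The following is an added example, not part of the original page: a small POSIX shell check that reads both files with an awk INI reader (commented lines ignored) and compares the values. The three config files it reads are constructed inline; the function names ini_get and check_metadata_secret are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): verify that the Neutron metadata
# proxy settings agree between nova.conf and metadata_agent.ini. Nova checks the
# X-Instance-ID-Signature HMAC that the metadata agent derives from
# metadata_proxy_shared_secret, so the two values must be identical and the
# agent-side line must actually be uncommented. All file contents below are
# constructed samples modelled on the values used on this page.

# ini_get FILE SECTION KEY -> prints the value; '#' and ';' comment lines are ignored
ini_get() {
    awk -v sec="$2" -v key="$3" '
        /^[ \t]*[#;]/ { next }                                   # comment line
        /^[ \t]*\[/   { s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*/, "", s); cur = s; next }
        cur == sec && index($0, "=") {
            k = $0; sub(/[ \t]*=.*/, "", k); sub(/^[ \t]+/, "", k)
            if (k == key) { v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v); val = v }
        }
        END { print val }' "$1"
}

# check_metadata_secret NOVA_CONF METADATA_AGENT_INI -> 0 if consistent, 1 otherwise
check_metadata_secret() {
    nova_secret=$(ini_get "$1" neutron metadata_proxy_shared_secret)
    agent_secret=$(ini_get "$2" DEFAULT metadata_proxy_shared_secret)
    proxy_on=$(ini_get "$1" neutron service_metadata_proxy)
    if [ -z "$agent_secret" ]; then
        echo "$2: metadata_proxy_shared_secret is unset (still commented out?)"; return 1
    fi
    if [ "$nova_secret" != "$agent_secret" ]; then
        echo "secret mismatch: nova.conf [neutron] has '$nova_secret', $2 has '$agent_secret'"; return 1
    fi
    case "$proxy_on" in
        [Tt]rue) ;;
        *) echo "$1: [neutron] service_metadata_proxy must be True"; return 1 ;;
    esac
    echo "metadata proxy settings consistent"
}

CFG_DIR=$(mktemp -d)
# constructed nova.conf fragment: the [neutron] section from this page
cat > "$CFG_DIR/nova.conf" <<'EOF'
[DEFAULT]
use_neutron = True
firewall_driver = nova.virt.firewall.NoopFirewallDriver

[neutron]
url = http://10.0.0.30:9696
auth_url = http://10.0.0.30:35357
service_metadata_proxy = True
metadata_proxy_shared_secret = metadata_secret
EOF
# constructed metadata_agent.ini: correct
cat > "$CFG_DIR/metadata_agent_ok.ini" <<'EOF'
[DEFAULT]
nova_metadata_host = 10.0.0.30
metadata_proxy_shared_secret = metadata_secret

[cache]
memcache_servers = 10.0.0.30:11211
EOF
# constructed failure 1: the secret line was edited but never uncommented
cat > "$CFG_DIR/metadata_agent_bad.ini" <<'EOF'
[DEFAULT]
nova_metadata_host = 10.0.0.30
#metadata_proxy_shared_secret = metadata_secret
EOF
# constructed failure 2: a different secret on the agent side
cat > "$CFG_DIR/metadata_agent_mismatch.ini" <<'EOF'
[DEFAULT]
nova_metadata_host = 10.0.0.30
metadata_proxy_shared_secret = some_other_secret
EOF

check_metadata_secret "$CFG_DIR/nova.conf" "$CFG_DIR/metadata_agent_ok.ini"
check_metadata_secret "$CFG_DIR/nova.conf" "$CFG_DIR/metadata_agent_bad.ini" || echo "bad ini rejected as expected"
check_metadata_secret "$CFG_DIR/nova.conf" "$CFG_DIR/metadata_agent_mismatch.ini" || echo "mismatch rejected as expected"
```

Run it against the real /etc/nova/nova.conf and /etc/neutron/metadata_agent.ini after editing them and before restarting the services; the ini_get reader deliberately skips commented lines so that a forgotten "uncomment" shows up as an empty value rather than a false pass.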
[3] If SELinux is enabled, change policy like follows.
[root@dlp ~(keystone)]#
setsebool -P neutron_can_network on

[root@dlp ~(keystone)]#
setsebool -P haproxy_connect_any on

[root@dlp ~(keystone)]#
setsebool -P daemons_enable_cluster_mode on

[root@dlp ~(keystone)]#
vi neutron-services_pol.te
# create new

module neutron-services_pol 1.0;

require {
type sysfs_t;
type proc_t;
type http_port_t;
type httpd_config_t;
type neutron_t;
type neutron_tmp_t;
type neutron_var_lib_t;
type ovsdb_port_t;
type openvswitch_t;
type systemd_hwdb_exec_t;
type openflow_port_t;
type crontab_exec_t;
type glance_api_exec_t;
type NetworkManager_exec_t;
type loadkeys_exec_t;
type gpg_exec_t;
type mysqld_exec_t;
type glance_registry_exec_t;
type fsadm_exec_t;
type nova_exec_t;
type virtd_exec_t;
type chfn_exec_t;
type systemd_systemctl_exec_t;
type login_exec_t;
type kdumpctl_exec_t;
type debuginfo_exec_t;
type numad_exec_t;
type policykit_auth_exec_t;


type ssh_keygen_exec_t;
type vlock_exec_t;
type ssh_exec_t;
type dmesg_exec_t;
type glance_scrubber_exec_t;
type hostname_exec_t;
type dbusd_exec_t;
type plymouth_exec_t;
type journalctl_exec_t;
type fusermount_exec_t;
type ping_exec_t;
type gpg_agent_exec_t;
type su_exec_t;
type checkpolicy_exec_t;
type sendmail_exec_t;
type systemd_tmpfiles_exec_t;
type memcached_exec_t;
type virsh_exec_t;
type groupadd_exec_t;
type systemd_passwd_agent_exec_t;
type pinentry_exec_t;
type passwd_exec_t;
type systemd_notify_exec_t;
type traceroute_exec_t;
type mysqld_safe_exec_t;
type ssh_agent_exec_t;
type mandb_exec_t;
type mount_exec_t;
type rsync_exec_t;
type haproxy_t;
class file { create getattr open read unlink write };
class dir { add_name remove_name search write };
class sock_file { create write unlink getattr setattr };
class tcp_socket { name_bind name_connect };
class filesystem { getattr unmount };
class unix_stream_socket connectto;
}

#============= neutron_t ==============


allow neutron_t httpd_config_t:dir search;
allow neutron_t http_port_t:tcp_socket name_bind;
allow neutron_t sysfs_t:filesystem getattr;
allow neutron_t neutron_tmp_t:sock_file { create write getattr unlink setattr };
allow neutron_t openflow_port_t:tcp_socket name_bind;
allow neutron_t NetworkManager_exec_t:file getattr;
allow neutron_t checkpolicy_exec_t:file getattr;
allow neutron_t chfn_exec_t:file getattr;
allow neutron_t crontab_exec_t:file getattr;
allow neutron_t dbusd_exec_t:file getattr;
allow neutron_t debuginfo_exec_t:file getattr;
allow neutron_t dmesg_exec_t:file getattr;
allow neutron_t fsadm_exec_t:file getattr;
allow neutron_t fusermount_exec_t:file getattr;
allow neutron_t glance_api_exec_t:file getattr;
allow neutron_t glance_registry_exec_t:file getattr;


allow neutron_t glance_scrubber_exec_t:file getattr;


allow neutron_t gpg_agent_exec_t:file getattr;
allow neutron_t gpg_exec_t:file getattr;
allow neutron_t groupadd_exec_t:file getattr;
allow neutron_t hostname_exec_t:file getattr;
allow neutron_t journalctl_exec_t:file getattr;
allow neutron_t kdumpctl_exec_t:file getattr;
allow neutron_t loadkeys_exec_t:file getattr;
allow neutron_t login_exec_t:file getattr;
allow neutron_t mandb_exec_t:file getattr;
allow neutron_t memcached_exec_t:file getattr;
allow neutron_t mount_exec_t:file getattr;
allow neutron_t mysqld_exec_t:file getattr;
allow neutron_t mysqld_safe_exec_t:file getattr;
allow neutron_t nova_exec_t:file getattr;
allow neutron_t numad_exec_t:file getattr;
allow neutron_t passwd_exec_t:file getattr;
allow neutron_t pinentry_exec_t:file getattr;
allow neutron_t ping_exec_t:file getattr;
allow neutron_t plymouth_exec_t:file getattr;
allow neutron_t policykit_auth_exec_t:file getattr;
allow neutron_t proc_t:filesystem unmount;
allow neutron_t rsync_exec_t:file getattr;
allow neutron_t sendmail_exec_t:file getattr;
allow neutron_t ssh_agent_exec_t:file getattr;
allow neutron_t ssh_exec_t:file getattr;
allow neutron_t ssh_keygen_exec_t:file getattr;
allow neutron_t su_exec_t:file getattr;
allow neutron_t systemd_notify_exec_t:file getattr;
allow neutron_t systemd_passwd_agent_exec_t:file getattr;
allow neutron_t systemd_systemctl_exec_t:file getattr;
allow neutron_t systemd_tmpfiles_exec_t:file getattr;
allow neutron_t systemd_hwdb_exec_t:file getattr;
allow neutron_t traceroute_exec_t:file getattr;
allow neutron_t virsh_exec_t:file getattr;
allow neutron_t virtd_exec_t:file getattr;
allow neutron_t vlock_exec_t:file getattr;

#============= openvswitch_t ==============


allow openvswitch_t neutron_t:file { getattr open read };
allow openvswitch_t neutron_t:dir search;
allow openvswitch_t ovsdb_port_t:tcp_socket name_bind;

#============= haproxy_t ==============


allow haproxy_t neutron_t:unix_stream_socket connectto;
allow haproxy_t neutron_var_lib_t:dir { add_name remove_name search write };
allow haproxy_t neutron_var_lib_t:file { create getattr open read unlink write };
allow haproxy_t neutron_var_lib_t:sock_file write;
allow haproxy_t sysfs_t:filesystem getattr;

[root@dlp ~(keystone)]#
checkmodule -m -M -o neutron-services_pol.mod neutron-services_pol.te

checkmodule: loading policy configuration from neutron-services_pol.te


checkmodule: policy configuration loaded


checkmodule: writing binary representation (version 17) to neutron-services_pol.mod
[root@dlp ~(keystone)]#
semodule_package --outfile neutron-services_pol.pp --module neutron-services_pol.mod

[root@dlp ~(keystone)]#
semodule -i neutron-services_pol.pp
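Both custom SELinux modules on this page (the nova-compute one in the Nova section and the neutron-services one just above) are typed by hand, and as printed the nova-compute module lacks the closing brace of its require block, which checkmodule rejects. The following is an added example, not part of the original page: a POSIX shell lint that checks a .te file for unbalanced braces and for types or classes used in allow rules without a matching declaration in require, so the mistake surfaces before checkmodule and semodule run. The lint_te function name and the two sample modules (one complete, one deliberately broken) are this example's own constructions.

```shell
#!/bin/sh
# Added example (not from the original page): a pre-flight lint for a
# hand-written SELinux .te module, run before "checkmodule -m -M". It catches:
#   1. an unclosed "require {" block (count of '{' and '}' differs)
#   2. a type or class used in an allow rule but never declared in require
# Usage: lint_te FILE   (prints findings; returns 0 = clean, 1 = problems)

lint_te() {
    f="$1"
    rc=0
    opens=$(( $(tr -cd '{' < "$f" | wc -c) ))
    closes=$(( $(tr -cd '}' < "$f" | wc -c) ))
    if [ "$opens" -ne "$closes" ]; then
        echo "$f: unbalanced braces ($opens '{' vs $closes '}'); is the require block closed?"
        rc=1
    fi
    # names declared in the require block: "type foo_t;" and "class bar ...;"
    declared_types=$(awk '$1 == "type"  { sub(/;$/, "", $2); print $2 }' "$f")
    declared_classes=$(awk '$1 == "class" { print $2 }' "$f")
    # names used in allow rules: "allow SRC TGT:CLASS perms;"
    used_types=$(awk '$1 == "allow" { split($3, a, ":"); print $2; print a[1] }' "$f" | sort -u)
    used_classes=$(awk '$1 == "allow" { split($3, a, ":"); print a[2] }' "$f" | sort -u)
    for t in $used_types; do
        [ "$t" = self ] && continue          # "self" is a keyword, not a type
        printf '%s\n' "$declared_types" | grep -qx -- "$t" || {
            echo "$f: type '$t' used in an allow rule but not declared in require"; rc=1; }
    done
    for c in $used_classes; do
        printf '%s\n' "$declared_classes" | grep -qx -- "$c" || {
            echo "$f: class '$c' used in an allow rule but not declared in require"; rc=1; }
    done
    [ "$rc" -eq 0 ] && echo "$f: ok"
    return "$rc"
}

TE_DIR=$(mktemp -d)
# constructed sample 1: the nova-compute module from this page, with the require block closed
cat > "$TE_DIR/ok.te" <<'EOF'
module nova_compute_pol 1.0;

require {
    type nova_var_lib_t;
    type virtlogd_t;
    class capability dac_override;
    class file { append getattr open };
    class dir search;
}

allow virtlogd_t nova_var_lib_t:dir search;
allow virtlogd_t nova_var_lib_t:file { append getattr open };
allow virtlogd_t self:capability dac_override;
EOF
# constructed sample 2: require block never closed, and virtlogd_t never declared
cat > "$TE_DIR/broken.te" <<'EOF'
module nova_compute_pol 1.0;

require {
    type nova_var_lib_t;
    class dir search;

allow virtlogd_t nova_var_lib_t:dir search;
EOF

lint_te "$TE_DIR/ok.te"
lint_te "$TE_DIR/broken.te" || echo "broken.te rejected as expected"
```

The lint is deliberately simple text matching, not a policy parser: it will not catch a wrong permission name, but it does catch the two structural mistakes that a copy-and-paste of a long require block (like the neutron-services one above, with its dozens of type lines) most often introduces.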

[4] If Firewalld is running, allow service ports.


[root@dlp ~(keystone)]#
firewall-cmd --add-port=9696/tcp --permanent

success
[root@dlp ~(keystone)]#
firewall-cmd --reload

success
[5] Start Neutron services.
[root@dlp ~(keystone)]#
systemctl start openvswitch

[root@dlp ~(keystone)]#
systemctl enable openvswitch

[root@dlp ~(keystone)]#
ovs-vsctl add-br br-int
[root@dlp ~(keystone)]#
ln -s /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini

[root@dlp ~(keystone)]#
su -s /bin/bash neutron -c "neutron-db-manage --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugin.ini upgrade head"
[root@dlp ~(keystone)]#
for service in server dhcp-agent l3-agent metadata-agent openvswitch-agent; do
systemctl start neutron-$service
systemctl enable neutron-$service
done
[root@dlp ~(keystone)]#
systemctl restart openstack-nova-api openstack-nova-compute
# show status

[root@dlp ~(keystone)]#
openstack network agent list

+--------------+--------------------+---------------+----------+-------+-------+---------------------------+
| ID           | Agent Type         | Host          | Avail... | Alive | State | Binary                    |
+--------------+--------------------+---------------+----------+-------+-------+---------------------------+
| 0cc2b782-... | DHCP agent         | dlp.srv.world | nova     | :-)   | UP    | neutron-dhcp-agent        |
| 6be80ce0-... | Open vSwitch agent | dlp.srv.world | None     | :-)   | UP    | neutron-openvswitch-agent |
| 7ce65448-... | L3 agent           | dlp.srv.world | nova     | :-)   | UP    | neutron-l3-agent          |
| 94e8ae2f-... | Metadata agent     | dlp.srv.world | None     | :-)   | UP    | neutron-metadata-agent    |
+--------------+--------------------+---------------+----------+-------+-------+---------------------------+
