Neutron Networking Service in Depth: From Principles to Production Practice
I. Neutron Overview
1.1 What is Neutron?
Neutron provides OpenStack with complete network virtualization: flexible network topologies, security groups, load balancing, VPN and other advanced networking functions. Neutron uses a plugin architecture and supports several network back ends.
Neutron's core functions:
- Network, subnet and port management
- Routers and floating IPs
- Security groups and network ACLs
- Load Balancing as a Service (LBaaS)
- VPN as a Service (VPNaaS)
- Firewall as a Service (FWaaS)
1.2 Neutron architecture
Neutron is designed in layers:
| Layer | Component | Function |
|---|---|---|
| API layer | neutron-api | REST API entry point |
| Plugin layer | ML2 Plugin | Framework that supports multiple drivers |
| Agent layer | L2 Agent | Layer-2 switching |
| Agent layer | L3 Agent | Layer-3 routing |
| Agent layer | DHCP Agent | IP address assignment |
| Agent layer | Metadata Agent | Instance metadata service |
II. Neutron Core Concepts
2.1 Network
A Network is an isolated layer-2 broadcast domain; every Network is its own broadcast domain.
Network types:
| Type | Characteristics | Use case |
|---|---|---|
| Local | Traffic stays on one node | Single-node testing |
| Flat | No VLAN tag | Simple networks |
| VLAN | 802.1Q tagging | Multi-tenant isolation |
| VXLAN | VXLAN tunnels | Large-scale deployments |
| Geneve | Geneve tunnels | Next-generation virtual networks |
```bash
# List networks
openstack network list
# Create networks
openstack network create --share --external public
openstack network create --internal private
# Create a VLAN provider network (segment = VLAN ID)
openstack network create --provider-network-type vlan \
  --provider-physical-network physnet1 \
  --provider-segment 100 \
  vlan100
# Create a VXLAN provider network (segment = VNI; there is no --vxlan-vni option)
openstack network create --provider-network-type vxlan \
  --provider-segment 1001 \
  vxlan100
# Show network details
openstack network show private
# Update a network
openstack network set --description "Private Network" private
# Delete a network
openstack network delete private
```
2.2 Subnet
A Subnet is an IP address pool: it defines the address range and the gateway.
```bash
# Create a subnet
openstack subnet create --network private \
  --subnet-range 192.168.1.0/24 \
  --gateway 192.168.1.1 \
  --allocation-pool start=192.168.1.100,end=192.168.1.200 \
  --dns-nameserver 8.8.8.8 \
  private-subnet
# List subnets
openstack subnet list
# Show subnet details
openstack subnet show private-subnet
# Update a subnet
openstack subnet set --dns-nameserver 8.8.4.4 private-subnet
# Delete a subnet
openstack subnet delete private-subnet
# Create an IPv6 subnet (the range is a prefix, not a host address)
openstack subnet create --network private \
  --ip-version 6 \
  --subnet-range fd00::/64 \
  --ipv6-address-mode slaac \
  --ipv6-ra-mode slaac \
  private-ipv6
```
2.3 Port
A Port is a network attachment point; it is associated with a MAC address and one or more IP addresses.
```bash
# List ports
openstack port list
# Show port details
openstack port show my-port
# Create a port with a fixed IP
openstack port create --network private \
  --fixed-ip subnet=private-subnet,ip-address=192.168.1.50 \
  my-port
# Update a port
openstack port set --name new-port-name my-port
# Attach a security group (the group web-sg is created in 2.6)
openstack port set --security-group web-sg my-port
# Disable a port
openstack port set --disable my-port
# Delete a port
openstack port delete my-port
```
2.4 Router
A Router provides layer-3 routing between networks.
```bash
# Create a router
openstack router create my-router
# Set the external gateway
openstack router set --external-gateway public my-router
# Add an internal interface
openstack router add subnet my-router private-subnet
# Show router details
openstack router show my-router
# Show the static route table
openstack router show my-router -f json | jq '.routes'
# Add a static route
openstack router add route \
  --route destination=10.0.0.0/24,gateway=192.168.1.254 \
  my-router
# Remove a static route
openstack router remove route \
  --route destination=10.0.0.0/24,gateway=192.168.1.254 \
  my-router
# Remove the internal interface
openstack router remove subnet my-router private-subnet
# Delete the router
openstack router delete my-router
```
2.5 Floating IP
A floating IP lets an instance be reached from the external network.
```bash
# Allocate a floating IP from the external network
openstack floating ip create public
# List floating IPs
openstack floating ip list
# Associate with an instance
openstack server add floating ip my-instance 192.168.100.100
# Disassociate
openstack server remove floating ip my-instance 192.168.100.100
# Release the floating IP
openstack floating ip delete 192.168.100.100
```
2.6 Security Group
Security groups provide instance-level firewall rules.
```bash
# Create a security group
openstack security group create web-sg
# List its rules
openstack security group rule list web-sg
# Add rules
# Allow SSH (in production, narrow --remote-ip to your management/bastion range)
openstack security group rule create --protocol tcp \
  --dst-port 22 \
  --remote-ip 0.0.0.0/0 \
  web-sg
# Allow HTTP
openstack security group rule create --protocol tcp \
  --dst-port 80 \
  --remote-ip 0.0.0.0/0 \
  web-sg
# Allow ping
openstack security group rule create --protocol icmp \
  --remote-ip 0.0.0.0/0 \
  web-sg
# Allow all outbound TCP (note: a new group already carries default
# allow-all egress rules, so this is only needed if they were removed)
openstack security group rule create --protocol tcp \
  --dst-port 1:65535 \
  --remote-ip 0.0.0.0/0 \
  --egress \
  web-sg
```
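Rules that open a port to 0.0.0.0/0 are easy to create and easy to forget. The audit below is an added example, not code from the article or from Neutron: it reads rule records shaped like the JSON that `openstack security group rule list <group> -f json` prints (the column names are taken from that output; the sample records themselves are constructed, not captured) and flags ingress rules that expose administrative ports or all traffic to the whole internet.

```python
"""Audit Neutron security-group rules for over-permissive ingress.

Record shape follows `openstack security group rule list <sg> -f json`;
the sample below is constructed to mirror the rules created in section 2.6.
"""
import ipaddress
import json

# Constructed sample output (not captured from a real cloud).
SAMPLE_RULES_JSON = json.dumps([
    {"ID": "r1", "IP Protocol": "tcp", "Ethertype": "IPv4", "IP Range": "0.0.0.0/0",
     "Port Range": "22:22", "Direction": "ingress", "Remote Security Group": None},
    {"ID": "r2", "IP Protocol": "tcp", "Ethertype": "IPv4", "IP Range": "0.0.0.0/0",
     "Port Range": "80:80", "Direction": "ingress", "Remote Security Group": None},
    {"ID": "r3", "IP Protocol": "icmp", "Ethertype": "IPv4", "IP Range": "0.0.0.0/0",
     "Port Range": "", "Direction": "ingress", "Remote Security Group": None},
    {"ID": "r4", "IP Protocol": None, "Ethertype": "IPv4", "IP Range": None,
     "Port Range": "", "Direction": "egress", "Remote Security Group": None},
    {"ID": "r5", "IP Protocol": "tcp", "Ethertype": "IPv4", "IP Range": "10.0.0.0/24",
     "Port Range": "22:22", "Direction": "ingress", "Remote Security Group": None},
    {"ID": "r6", "IP Protocol": None, "Ethertype": "IPv4", "IP Range": "0.0.0.0/0",
     "Port Range": "", "Direction": "ingress", "Remote Security Group": None},
])

# Ports that should never be reachable from the whole internet (policy choice).
ADMIN_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres"}


def is_world_open(ip_range):
    """True when the remote prefix matches every source address.

    An ingress rule with no remote prefix and no remote group matches any
    source, so an empty range counts as world-open too.
    """
    if not ip_range:
        return True
    return ipaddress.ip_network(ip_range, strict=False).prefixlen == 0


def parse_port_range(port_range):
    """'22:22' -> (22, 22); empty -> (1, 65535), i.e. all ports."""
    if not port_range:
        return (1, 65535)
    lo, hi = port_range.split(":")
    return (int(lo), int(hi))


def audit_rules(rules_json):
    """Return (rule id, severity, reason) for each risky ingress rule."""
    findings = []
    for rule in json.loads(rules_json):
        if rule["Direction"] != "ingress":
            continue
        if rule.get("Remote Security Group"):
            continue  # scoped to members of another group, not to the internet
        if not is_world_open(rule.get("IP Range")):
            continue
        proto = rule.get("IP Protocol")
        lo, hi = parse_port_range(rule.get("Port Range"))
        if proto is None:
            findings.append((rule["ID"], "critical", "any protocol, any port, from anywhere"))
        elif proto in ("tcp", "udp"):
            exposed = [f"{p}/{name}" for p, name in ADMIN_PORTS.items() if lo <= p <= hi]
            if exposed:
                findings.append((rule["ID"], "high",
                                 f"{proto} {lo}:{hi} from anywhere exposes {', '.join(exposed)}"))
            elif (lo, hi) == (1, 65535):
                findings.append((rule["ID"], "high", f"{proto} all ports from anywhere"))
    return findings


if __name__ == "__main__":
    for rule_id, severity, reason in audit_rules(SAMPLE_RULES_JSON):
        print(f"{severity:8s} {rule_id}: {reason}")
```

With the sample, rule r1 (SSH from anywhere) is reported as high and r6 (all protocols from anywhere) as critical; the HTTP, ICMP, egress and 10.0.0.0/24-scoped rules pass. To run it against a live group, pipe the CLI's JSON into `audit_rules`.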
III. Neutron Configuration Files
3.1 Main Neutron configuration file
```ini
# /etc/neutron/neutron.conf
[DEFAULT]
# Logging
log_dir = /var/log/neutron
logging_context_format_string = %(asctime)s.%(msecs)03d %(levelname)s %(name)s [%(request_id)s] %(instance)s%(message)s
# Plugins
core_plugin = ml2
service_plugins = router,firewall,lbaas,vpnaas
# API server
api_workers = 4
rpc_workers = 4
# Authentication
auth_strategy = keystone
# Nova notifications
notify_nova_on_port_status_changes = True
notify_nova_on_port_data_changes = True
# Message queue
transport_url = rabbit://openstack:rabbit_pass@controller
[database]
connection = mysql+pymysql://neutron:neutron_db_pass@controller/neutron
[keystone_authtoken]
www_authenticate_uri = http://controller:5000
auth_url = http://controller:5000
memcached_servers = controller:11211
auth_type = password
project_domain_name = Default
user_domain_name = Default
project_name = service
username = neutron
password = neutron_pass
[nova]
auth_url = http://controller:5000
auth_type = password
project_domain_name = Default
user_domain_name = Default
project_name = service
username = nova
password = nova_pass
[oslo_concurrency]
lock_path = /var/lib/neutron/tmp
```
3.2 ML2 configuration file
```ini
# /etc/neutron/plugins/ml2/ml2_conf.ini
[ml2]
# Type drivers
type_drivers = flat,vlan,vxlan,geneve
# Tenant network types (tried in order)
tenant_network_types = vxlan,vlan
# Mechanism drivers
mechanism_drivers = openvswitch,linuxbridge,l2population
# Extension drivers (port_security provides MAC/IP anti-spoofing)
extension_drivers = port_security,qos
# Per-type configuration
[ml2_type_flat]
flat_networks = external,public
[ml2_type_vlan]
network_vlan_ranges = physnet1:100:200
[ml2_type_vxlan]
vxlan_group = 239.1.1.1
vni_ranges = 1001:2000
[ml2_type_geneve]
vni_ranges = 1:65535
[securitygroup]
enable_security_group = True
enable_ipset = True
firewall_driver = iptables_hybrid
[qos]
available_qos_rule_types = bandwidth_limit
```
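Several of the options above interact: a type listed in `tenant_network_types` must also be loaded by `type_drivers`, a VLAN provider network on `physnet1` only draws tenant segments from `network_vlan_ranges`, and dropping `port_security` from `extension_drivers` silently removes anti-spoofing from every port. The checker below is an added example (not code from the article or from Neutron) that parses an `ml2_conf.ini` with Python's `configparser` and reports such inconsistencies; the sample configuration is constructed after section 3.2, and `in_tenant_pool` only answers whether a segment is inside the tenant-allocatable pool (an admin can still assign a provider segment outside it).

```python
"""Sanity-check an ML2 configuration (constructed example, not Neutron code)."""
import configparser

# Constructed sample, modelled on the ml2_conf.ini shown in section 3.2.
SAMPLE_ML2_CONF = """
[ml2]
type_drivers = flat,vlan,vxlan,geneve
tenant_network_types = vxlan,vlan
mechanism_drivers = openvswitch,l2population
extension_drivers = port_security,qos

[ml2_type_flat]
flat_networks = external,public

[ml2_type_vlan]
network_vlan_ranges = physnet1:100:200

[ml2_type_vxlan]
vxlan_group = 239.1.1.1
vni_ranges = 1001:2000

[securitygroup]
enable_security_group = True
firewall_driver = iptables_hybrid
"""


def _csv(value):
    """Split a comma-separated option value into stripped, non-empty items."""
    return [v.strip() for v in value.split(",") if v.strip()]


def load_ml2(text):
    """Parse ml2_conf.ini text; interpolation is off because values may contain '%'."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg


def parse_vlan_ranges(spec):
    """'physnet1:100:200,physnet2' -> {'physnet1': [(100, 200)], 'physnet2': []}."""
    ranges = {}
    for item in _csv(spec):
        parts = item.split(":")
        ranges.setdefault(parts[0], [])
        if len(parts) == 3:
            ranges[parts[0]].append((int(parts[1]), int(parts[2])))
    return ranges


def parse_id_ranges(spec):
    """'1001:2000,3000:3100' -> [(1001, 2000), (3000, 3100)]."""
    return [(int(lo), int(hi)) for lo, hi in (item.split(":") for item in _csv(spec))]


def in_tenant_pool(cfg, net_type, segment, physnet=None):
    """Is `segment` inside the pool Neutron hands out to tenant networks of this type?"""
    if net_type == "vlan":
        ranges = parse_vlan_ranges(cfg.get("ml2_type_vlan", "network_vlan_ranges", fallback=""))
        return any(lo <= segment <= hi for lo, hi in ranges.get(physnet, []))
    if net_type in ("vxlan", "geneve"):
        ranges = parse_id_ranges(cfg.get(f"ml2_type_{net_type}", "vni_ranges", fallback=""))
        return any(lo <= segment <= hi for lo, hi in ranges)
    return False  # flat and local networks carry no segment id


def check_ml2(cfg):
    """Return a list of human-readable problems; empty means the config is consistent."""
    problems = []
    ml2 = cfg["ml2"]
    type_drivers = set(_csv(ml2.get("type_drivers", "")))
    for t in _csv(ml2.get("tenant_network_types", "")):
        if t not in type_drivers:
            problems.append(f"tenant_network_types lists {t!r} but type_drivers does not load it")
    if "port_security" not in _csv(ml2.get("extension_drivers", "")):
        problems.append("extension_drivers lacks port_security: ports get no MAC/IP anti-spoofing")
    if not cfg.getboolean("securitygroup", "enable_security_group", fallback=True):
        problems.append("securitygroup.enable_security_group is False: security groups are ignored")
    vlan_spec = cfg.get("ml2_type_vlan", "network_vlan_ranges", fallback="")
    for physnet, ranges in parse_vlan_ranges(vlan_spec).items():
        for lo, hi in ranges:
            if not 1 <= lo <= hi <= 4094:
                problems.append(f"invalid VLAN range {lo}:{hi} on {physnet}")
    for t in ("vxlan", "geneve"):
        for lo, hi in parse_id_ranges(cfg.get(f"ml2_type_{t}", "vni_ranges", fallback="")):
            if not 1 <= lo <= hi <= 2**24 - 1:
                problems.append(f"invalid {t} VNI range {lo}:{hi}")
    return problems


if __name__ == "__main__":
    conf = load_ml2(SAMPLE_ML2_CONF)
    print("problems:", check_ml2(conf) or "none")
    print("vlan 100 on physnet1 in tenant pool:", in_tenant_pool(conf, "vlan", 100, "physnet1"))
```

Run it against `/etc/neutron/plugins/ml2/ml2_conf.ini` by passing the file's contents to `load_ml2`; the VLAN 100 and VNI 1001 segments used in section 2.1 both fall inside the sample's tenant pools.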
3.3 Open vSwitch agent configuration
```ini
# /etc/neutron/plugins/ml2/openvswitch_agent.ini
[ovs]
# Physical network to bridge mapping (each physical network needs its own bridge)
bridge_mappings = physnet1:br-vlan,external:br-ex
# VXLAN tunnel endpoint address of this node; tunnelling is turned on by tunnel_types
local_ip = 10.0.0.11
tunnel_types = vxlan
[agent]
# L2 population (cuts broadcast traffic over tunnels)
l2_population = True
# ARP spoofing protection is provided by the port_security extension driver
# configured in ml2_conf.ini; there is no separate agent option for it
# Set the checksum on the outer VXLAN header
tunnel_csum = True
# Agent loop settings
polling_interval = 2
quitting_rpc_timeout = 120
[securitygroup]
firewall_driver = iptables_hybrid
```
3.4 Linux Bridge agent configuration
```ini
# /etc/neutron/plugins/ml2/linuxbridge_agent.ini
[linux_bridge]
# Physical network to interface mapping
physical_interface_mappings = physnet1:ens4
# VXLAN settings live in their own section
[vxlan]
enable_vxlan = True
local_ip = 10.0.0.11
l2_population = True
[securitygroup]
# The Linux Bridge agent uses the plain iptables driver (iptables_hybrid is for OVS)
firewall_driver = iptables
```
IV. Advanced Networking Features
4.1 Load Balancing as a Service (Octavia)
```bash
# Create a load balancer
openstack loadbalancer create --name my-lb --vip-subnet-id public-subnet
# Create a listener
openstack loadbalancer listener create --name http-listener \
  --protocol HTTP --protocol-port 80 \
  my-lb
# Create a pool
openstack loadbalancer pool create --name web-pool \
  --lb-algorithm ROUND_ROBIN \
  --listener http-listener \
  --protocol HTTP
# Add a member
openstack loadbalancer member create --address 192.168.1.100 \
  --subnet-id private-subnet --protocol-port 80 \
  web-pool
# Create a health monitor
openstack loadbalancer healthmonitor create \
  --type HTTP --delay 5 --timeout 2 --max-retries 3 \
  --url-path /health \
  web-pool
```
4.2 VPN as a Service
```bash
# Create the VPN service (the name is a positional argument)
openstack vpn service create --router my-router my-vpn
# Create an IKE policy
openstack vpn ike policy create \
  --encryption-algorithm aes-256 \
  --auth-algorithm sha256 \
  --ike-version v2 \
  ike-policy
# Create an IPsec policy
openstack vpn ipsec policy create \
  --encryption-algorithm aes-256 \
  --auth-algorithm sha256 \
  --pfs group14 \
  ipsec-policy
# Create the site-to-site connection
openstack vpn ipsec site connection create \
  --vpnservice my-vpn \
  --ikepolicy ike-policy \
  --ipsecpolicy ipsec-policy \
  --peer-address 203.0.113.100 \
  --peer-id 203.0.113.100 \
  --peer-cidr 10.1.0.0/24 \
  --psk secret123 \
  site-connection
```
4.3 QoS policies
```bash
# Create a QoS policy
openstack network qos policy create --shared bandwidth-limit
# Create a bandwidth-limit rule
openstack network qos rule create --type bandwidth-limit \
  --max-kbps 10000 \
  --max-burst-kbits 1000 \
  bandwidth-limit
# Apply the policy to a port
openstack port set --qos-policy bandwidth-limit my-port
# Apply the policy to a network
openstack network set --qos-policy bandwidth-limit private
```
V. Common Problems and Solutions
5.1 An instance does not get an IP address
```bash
# Check the DHCP agents
openstack network agent list | grep dhcp
# Check the network namespaces (one qdhcp-<network-id> per served network)
ip netns list
# Check the DHCP agent log
sudo tail -f /var/log/neutron/neutron-dhcp-agent.log
# Check the instance port's status
openstack port show <port-id>
# Restart the DHCP agent
sudo systemctl restart neutron-dhcp-agent
```
5.2 An instance cannot reach the internet
```bash
# Check the L3 agents
openstack network agent list | grep l3
# Check the router's external gateway
openstack router show my-router
# Check floating IPs
openstack floating ip list
# Check NAT rules
sudo iptables -t nat -L -n
# Check the routing table
ip route
```
5.3 VXLAN tunnel is down
```bash
# Check the VXLAN interface
ip -d link show vxlan100
# Check multicast group membership
bridge mdb show
# Check the VTEP IP
ip addr show | grep 10.0.0
# Check the firewall (VXLAN uses UDP port 4789)
sudo iptables -L -n | grep 4789
# Probe VXLAN reachability (UDP has no handshake, so a "succeeded" here only
# means no ICMP unreachable came back; confirm with a packet capture on 4789)
nc -u -z 10.0.0.21 4789
```
5.4 Security group rules have no effect
```bash
# Check the iptables rules generated for security groups
sudo iptables -L -n -v | grep neutron-
# Check the OVS topology
sudo ovs-vsctl show
# Check the security group
openstack security group show web-sg
# Restart the L2 agent that enforces security groups
# (neutron-openvswitch-agent on OVS deployments)
sudo systemctl restart neutron-linuxbridge-agent
```
VI. Production Best Practices
6.1 Network planning
```bash
# Recommended network segmentation
# Management: 10.0.0.0/24
# Tunnel: 10.0.1.0/24
# Storage: 10.0.2.0/24
# Tenant: 10.1.0.0/16
# External: 203.0.113.0/24
```
6.2 High availability
```ini
# L3 agent high availability (VRRP routers)
# Enable HA routers on the server side
# /etc/neutron/neutron.conf
[DEFAULT]
l3_ha = True
# Agent side
# /etc/neutron/l3_agent.ini
[DEFAULT]
ha_vrrp_auth_password = your_vrrp_password
ha_confs_path = /var/lib/neutron/ha_confs
# dvr_snat for DVR deployments, or legacy
agent_mode = dvr_snat
```
6.3 Performance tuning
```ini
# More API/RPC workers
# /etc/neutron/neutron.conf
[DEFAULT]
api_workers = 8
rpc_workers = 8
# VXLAN tuning
# /etc/neutron/plugins/ml2/openvswitch_agent.ini
[agent]
tunnel_csum = False
l2_population = True
# iptables tuning
[securitygroup]
firewall_driver = iptables_hybrid
```
6.4 Monitoring and alerting
```bash
# Key metrics to monitor
# - Neutron agent status
# - Number of DHCP leases
# - Router connection counts
# - Floating IP utilisation
# - Number of security group rules
# Alerts to configure
# - Agent offline
# - Port count
# - Bandwidth usage
```
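The first step in 5.1 and 5.2 (is the DHCP or L3 agent alive?) and the "agent offline" alert in 6.4 are the same check. The script below is an added example, not code from the article or from Neutron: it consumes agent records shaped like `openstack network agent list -f json` (column names from that output; the assumption that `Alive` and `State` arrive as JSON booleans is mine), raises a critical alert for dead agents and hosts that lack an expected agent, and a warning for agents that are alive but administratively down. The host-role table and the agent records are constructed.

```python
"""Alert on missing, dead or admin-down Neutron agents (constructed example)."""
import json

# Constructed sample of `openstack network agent list -f json` output.
SAMPLE_AGENTS_JSON = json.dumps([
    {"ID": "a1", "Agent Type": "Open vSwitch agent", "Host": "compute1",
     "Alive": True, "State": True, "Binary": "neutron-openvswitch-agent"},
    {"ID": "a2", "Agent Type": "Open vSwitch agent", "Host": "compute2",
     "Alive": False, "State": True, "Binary": "neutron-openvswitch-agent"},
    {"ID": "a3", "Agent Type": "DHCP agent", "Host": "network1",
     "Alive": True, "State": True, "Binary": "neutron-dhcp-agent"},
    {"ID": "a4", "Agent Type": "L3 agent", "Host": "network1",
     "Alive": True, "State": False, "Binary": "neutron-l3-agent"},
    {"ID": "a5", "Agent Type": "Metadata agent", "Host": "network1",
     "Alive": True, "State": True, "Binary": "neutron-metadata-agent"},
    {"ID": "a6", "Agent Type": "Open vSwitch agent", "Host": "network1",
     "Alive": True, "State": True, "Binary": "neutron-openvswitch-agent"},
])

# Which agent types every host of a given role must run (site policy, constructed).
EXPECTED_AGENTS = {
    "compute": {"Open vSwitch agent"},
    "network": {"Open vSwitch agent", "DHCP agent", "L3 agent", "Metadata agent"},
}
# Host inventory (constructed); compute3 exists but has registered no agent at all.
HOST_ROLES = {"compute1": "compute", "compute2": "compute",
              "compute3": "compute", "network1": "network"}


def check_agents(agents_json, host_roles=HOST_ROLES, expected=EXPECTED_AGENTS):
    """Return (severity, message) alerts; empty list means all agents are healthy."""
    alerts = []
    seen = {}  # host -> set of agent types that are registered there
    for agent in json.loads(agents_json):
        seen.setdefault(agent["Host"], set()).add(agent["Agent Type"])
        if not agent["Alive"]:
            # No heartbeat within agent_down_time: the host's networking is stale.
            alerts.append(("critical", f"{agent['Agent Type']} on {agent['Host']} "
                                       f"is not alive ({agent['Binary']})"))
        elif not agent["State"]:
            # Alive but disabled by an operator: it will not be scheduled new work.
            alerts.append(("warning", f"{agent['Agent Type']} on {agent['Host']} is admin-down"))
    for host, role in host_roles.items():
        for agent_type in sorted(expected[role] - seen.get(host, set())):
            alerts.append(("critical", f"{host} ({role}) has no {agent_type} registered"))
    return alerts


if __name__ == "__main__":
    for severity, message in check_agents(SAMPLE_AGENTS_JSON):
        print(f"{severity:8s} {message}")
```

On the sample this reports the dead OVS agent on compute2, the admin-down L3 agent on network1 and the missing OVS agent on compute3. Feeding it the live CLI output on a schedule, and paging on any critical line, covers the "agent offline" alert from the list above.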
VII. Summary
This article covered the core concepts of the Neutron networking service, how to configure it, and production best practices.
Key points:
Next in the series: "Cinder Block Storage Service in Depth"