ocean_version: '1.6.24'

index_url: 'http://pypi.oceanstack.slancer.com:6001/simple'
trusted_host: 'pypi.oceanstack.slancer.com'
extra_args: '-i {{ index_url }} --trusted-host {{ trusted_host }}'
extra_args_no_deps: '{{ extra_args }} --no-deps'
extra_args_cloud: '{{ extra_args_no_deps }} --prefix=/usr'

interface_dir: '/etc/network/interfaces.d'
cluster_interface_dir: '/home/lancer/cluster-master/services/network/etc/network/interfaces.d'

port: '.107'

neutron:
  section: 'DEFAULT'
  dvr_option: 'router_distributed'
  value: 'true'

l3:
  section: 'DEFAULT'
  agent_mode_option: 'agent_mode'
  agent_mode_snat: 'dvr_snat'
  agent_mode_dvr: 'dvr'

ovs:
  enable_dvr_section: 'agent'
  enable_dvr_option: 'enable_distributed_routing'
  value: 'true'
  bridge_mapping_section: 'ovs'
  bridge_mapping_option: 'bridge_mappings'
  bridge_mapping_value: 'physnet1:br-floating,physnet2:br-manage'

  
ml2:
  section: 'ml2'
  drivers_option: 'mechanism_drivers'
  drivers_value: 'openvswitch,linuxbridge,l2population'
  physical_network_mtus_option: 'physical_network_mtus' 
  physical_network_mtus_value: 'physnet1:1500,physnet2:1500'

oceanstack:
  master:
    services: '/home/lancer/cluster-master/services'

dvr.yml

---
- name: compute install neutron-vpn-agent
  when: inventory_hostname in groups['compute']
  apt:
    name: neutron-vpn-agent
    state: present

- name: backup neutron.conf
  raw: 'cd /etc/neutron;tar -cvf neutron.tar /etc/neutron'

- name: update neutron.conf
  ini_file:
    dest: /etc/neutron/neutron.conf
    section: '{{ neutron.section }}'
    option: '{{ neutron.dvr_option }}'
    value: '{{ neutron.value }}'

- name: network update l3_agent.ini
  when: inventory_hostname in groups['network']
  lineinfile:
    dest: /etc/neutron/l3_agent.ini
    regexp: '^[l3]'
    state: absent

- name: network update l3_agent.ini
  when: inventory_hostname in groups['network']
  lineinfile:
    dest: /etc/neutron/l3_agent.ini
    regexp: '^agent_mode = dvr_snat'
    state: absent

- name: network update l3_agent.ini
  when: inventory_hostname in groups['network']
  ini_file:
    dest: /etc/neutron/l3_agent.ini
    section: '{{ l3.section }}'
    option: '{{ l3.agent_mode_option }}'
    value: '{{ l3.agent_mode_snat }}'
  
- name: network update openvswitch_agent.ini
  when: inventory_hostname in groups['network']
  ini_file:
    dest: /etc/neutron/plugins/ml2/openvswitch_agent.ini
    section: '{{ ovs.enable_dvr_section }}'
    option: '{{ ovs.enable_dvr_option }}'
    value: '{{ ovs.value }}'

- name: network update ml2_conf.ini
  when: inventory_hostname in groups['network']
  ini_file:
    dest: /etc/neutron/plugins/ml2/ml2_conf.ini
    section: '{{ ml2.section }}'
    option: '{{ ml2.drivers_option }}'
    value: 'openvswitch,linuxbridge,l2population'

- name: copy l3_agent.ini to compute 
  when: inventory_hostname in groups['compute']
  copy:
    src: 'l3_agent.ini'
    dest: '/etc/neutron'

- name: compute update l3_agent.ini
  when: inventory_hostname in groups['compute']
  lineinfile:
    dest: /etc/neutron/l3_agent.ini
    regexp: '^[l3]'
    state: absent

- name: compute update l3_agent.ini
  when: inventory_hostname in groups['compute']
  lineinfile:
    dest: /etc/neutron/l3_agent.ini
    regexp: '^agent_mode = dvr'
    state: absent

- name: compute update l3_agent.ini
  when: inventory_hostname in groups['compute']
  ini_file:
    dest: /etc/neutron/l3_agent.ini
    section: '{{ l3.section }}'
    option: '{{ l3.agent_mode_option }}'
    value: '{{ l3.agent_mode_dvr }}'

- name: compute update openvswitch_agent.ini
  when: inventory_hostname in groups['compute']
  ini_file:
    dest: /etc/neutron/plugins/ml2/openvswitch_agent.ini
    section: '{{ ovs.enable_dvr_section }}'
    option: '{{ ovs.enable_dvr_option }}'
    value: '{{ ovs.value }}'

- name: compute update openvswitch_agent.ini
  when: inventory_hostname in groups['compute']
  ini_file:
    dest: /etc/neutron/plugins/ml2/openvswitch_agent.ini
    section: '{{ ovs.bridge_mapping_section }}'
    option: '{{ ovs.bridge_mapping_option }}'
    value: '{{ ovs.bridge_mapping_value }}'

- name: compute update ml2_conf.ini
  when: inventory_hostname in groups['compute']
  ini_file:
    dest: /etc/neutron/plugins/ml2/ml2_conf.ini
    section: '{{ ml2.section }}'
    option: '{{ ml2.physical_network_mtus_option }}'
    value: '{{ ml2.physical_network_mtus_value }}'

- include: slancer.yml

- name: compute backup interfaces.d
  when: inventory_hostname in groups['compute']
  raw: 'cd /etc/network;tar -cvf interfaces.d.tar interfaces.d'

- name: copy ifcfg-br-floating to compute 
  when: inventory_hostname in groups['compute']
  copy:
    src: '{{ cluster_interface_dir }}/ifcfg-br-floating'
    dest: '{{ interface_dir }}'

- name: copy ifcfg-p_ff798dba-0 to compute 
  when: inventory_hostname in groups['compute']
  copy:
    src: '{{ cluster_interface_dir }}/ifcfg-p_ff798dba-0'
    dest: '{{ interface_dir }}'

- name: copy ifcfg-p_ff798dba-1 to compute 
  when: inventory_hostname in groups['compute']
  copy:
    src: '{{cluster_interface_dir}}/ifcfg-p_ff798dba-1'
    dest: '{{interface_dir}}'

- name: copy ifcfg-br-manage to compute 
  when: inventory_hostname in groups['compute']
  copy:
    src: '{{cluster_interface_dir}}/ifcfg-br-manage'
    dest: '{{interface_dir}}'

- name: create ifcfg-br-ex to compute 
  when: inventory_hostname in groups['compute']
  template:
    src: 'ifcfg-br-ex.j2'
    dest: '{{interface_dir}}/ifcfg-br-ex'

- name: create ifcfg-interface to compute 
  when: inventory_hostname in groups['compute']
  template:
    src: 'ifcfg-interface.j2'
    dest: '{{interface_dir}}/ifcfg-{{interface}}{{port}}'

- name: compute setup interface
  when: inventory_hostname in groups['compute']
  raw: 'ifup {{interface}}{{port}};ifup p_ff798dba-0; ifup br-ex; ifup br-floating; ifup br-manage'

- name: compute setup interface
  when: inventory_hostname in groups['compute']
  raw: 'ifup p_ff798dba-1'

- name: copy neutron-vpn-agent.conf to compute 
  when: inventory_hostname in groups['compute']
  copy:
   src: 'neutron-vpn-agent.conf'
   dest: '/etc/init/'

- name: compute neutron-vpn-agent restart
  when: inventory_hostname in groups['compute']
  service:
   name: neutron-vpn-agent
   state: restarted

- name: compute neutron-openvswitch-agent restart
  when: inventory_hostname in groups['compute']
  service:
   name: neutron-openvswitch-agent
   state: restarted

- name: network neutron-vpn-agent restart
  when: inventory_hostname in groups['network']
  service:
   name: neutron-vpn-agent
   state: restarted


- name: controller neutron-server restart
  when: inventory_hostname in groups['controller']
  service:
   name: neutron-server
   state: restarted

slancer.yml

---
- name: install neutron slancer plugins
  pip:
    name: neutron-slancer
    version: '{{ ocean_version }}'
    extra_args: '{{ extra_args_cloud }}'

- name: post policy
  copy:
    src: '{{oceanstack.master.services}}/neutron/etc/neutron/policy.json'
    dest: /etc/neutron/policy.json

- name: post rootwrap
  copy:
    src: '{{oceanstack.master.services}}/neutron/etc/neutron/rootwrap.d/slancer.filters'
    dest: /etc/neutron/rootwrap.d/slancer.filters

- name: post config file
  copy:
    src: '{{oceanstack.master.services}}/neutron/etc/neutron/neutron_slancer.conf'
    dest: /etc/neutron/neutron_slancer.conf

ifcfg-br-ex.j2

1
2
3

auto br-ex
iface br-ex inet manual
bridge_ports {{ interface }}{{port}} p_ff798dba-0

ifcfg-interface.j2

1
2
3

auto {{ interface }}{{port}}
iface {{ interface }}{{port}} inet manual
vlan-raw-device {{ interface }}

测试

路由器创建测试

在界面创建路由器，进入控制节点查看路由器的详细信息。

1	neutron router-show [router-id]

router-show

distributed的值为True，说明路由器为分布式。

检查路由器的网络命名空间

控制节点

查看当前路由器所在的控制节点。

1	neutron l3-agent-list-hosting-router [router-id]

l3-agent-list-hosting-router

active，表示路由器在当前的控制节点上。

进入相应的控制节点，并查看是否有路由器的网络命名空间。

1	ip netns \| grep [router-id]

ip-nents

snat-xxx的网络命名空间包含端口转发的详细规则。

计算节点

找到虚拟机位于的计算节点。

1	nova show [uuid]

nova-show

进入计算节点，并查看路由器的网络命名空间。

1	ip netns \| grep [router-id]

ip-nents

当且仅当计算节点有qrouter-xxx的网络命名空间时，可以判定DVR部署成功。

端口转发测试

在虚拟机内部创建一个服务，如Apache服务。

1	service httpd start

Apache服务默认的端口号为80。

可以利用curl命令访问本机的80端口。

1	curl 0.0.0.0:80

还可以利用netstat命令查看Apache服务占用的端口。

1	netstat -anp \| grep httpd

通过界面，在路由器上面添加端口转发规则。
add-rule

通过界面，在安全组开放对端口的访问。
add_safe_group

最后，利用浏览器测试端口转发。

带宽限速测试

虚拟机安装speedtest-cli，可以对公网IP和路由器带宽进行测速。

speedtest

speedtest

验证脚本

verify.yml

---
- name: verify
  include: check_interface_command.yml command='ip a show {{item}}'
  with_items:
    - br-ex
    - br-floating
    - '{{interface}}{{port}}'
    - br-manage
    - p_ff798dba-0
    - p_ff798dba-1
  when: inventory_hostname in groups['compute']

- name: compute check neutron-vpn-agent
  include: check_service_command.yml command='service neutron-vpn-agent status'
  when: inventory_hostname in groups['compute']

- name: network check neutron-vpn-agent
  include: check_service_command.yml command='service neutron-vpn-agent status'
  when: inventory_hostname in groups['network']

- name: controller check neutron-server
  include: check_service_command.yml command='service neutron-server status'
  when: inventory_hostname in groups['controller']

check_interface_command.yml

---
- name: check interface
  shell: '{{ command }}'
  register: result

- name: check result
  fail:
    msg: '{{result}}'
  when: '"DOWN" in result.stdout'

check_service_command.yml

---
- name: check service 
  shell: '{{ command }}'
  register: result

- name: check result
  fail:
    msg: '{{result}}'
  when: '"running" not in result.stdout'

回退脚本

---
- name: compute stop neutron-vpn-agent
  when: inventory_hostname in groups['compute']
  service:
   name: neutron-vpn-agent
   state: stopped

- name: update neutron.conf
  ini_file:
    dest: /etc/neutron/neutron.conf
    section: '{{ neutron.section }}'
    option: '{{ neutron.dvr_option }}'
    value: 'false'

- name: network update l3_agent.ini
  when: inventory_hostname in groups['network']
  ini_file:
    dest: /etc/neutron/l3_agent.ini
    section: '{{ l3.section }}'
    option: '{{ l3.agent_mode_option }}'
    value: 'legacy'
  
- name: network update openvswitch_agent.ini
  when: inventory_hostname in groups['network']
  ini_file:
    dest: /etc/neutron/plugins/ml2/openvswitch_agent.ini
    section: '{{ ovs.enable_dvr_section }}'
    option: '{{ ovs.enable_dvr_option }}'
    value: 'false'

- name: network update openvswitch_agent.ini
  when: inventory_hostname in groups['compute']
  ini_file:
    dest: /etc/neutron/plugins/ml2/openvswitch_agent.ini
    section: '{{ ovs.enable_dvr_section }}'
    option: '{{ ovs.enable_dvr_option }}'
    value: 'false'

- name: network restart neutron-openvswitch-agent
  when: inventory_hostname in groups['network']
  service:
    name: neutron-openvswitch-agent
    state: restarted 

- name: network restart neutron-vpn-agent 
  when: inventory_hostname in groups['network']
  service:
   name: neutron-vpn-agent
   state: restarted

- name: controller restart neutron-server
  when: inventory_hostname in groups['controller']
  service:
    name: neutron-server
    state: restarted

- name: compute restart neutron-openvswitch-agent
  when: inventory_hostname in groups['compute']
  service:
   name: neutron-openvswitch-agent
   state: restarted

DVR去哪儿了

目录

部署

部署文档

安装neutron-vpn-agent

安装neutron-slancer

修改配置文件

neutron.conf

l3_agent.ini

openvswitch_agent.ini

ml2_conf.ini

neutron-vpn-agent.conf

neutron_slancer.conf

slancer.filters

计算节点添加bridge

添加br-ex网桥

添加bond0.107子接口

添加p_ff798dba-0子接口

添加br-floating ovs网桥

添加br-manage ovs网桥

添加p_ff798dba-1子接口

启动子接口和网桥

重启服务

neutron-server

neutron-vpn-agent

neutron-openvswitch-agent

部署脚本

执行

setup_neutron_dvr.yml

dvr_common.yml