Merge "Remove deprecated neutron OVS plug-in content"

Jenkins 2014-08-29 05:20:42 +00:00 committed by Gerrit Code Review
commit 0a5fc388ab
3 changed files with 0 additions and 1115 deletions

@ -1,326 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink"
version="5.0"
xml:id="neutron-compute-node">
<title>Configure compute node</title>
<note>
<para>This section details set up for any node that runs the
<literal>nova-compute</literal> component but does not run
the full network stack.</para>
</note>
<warning os="rhel;centos">
<para>By default, the <literal>system-config-firewall</literal> automated
firewall configuration tool is in place on RHEL. This graphical interface
(and a curses-style interface with <literal>-tui</literal> on the end of
the name) enables you to configure IP tables as a basic firewall. You
should disable it when you work with OpenStack Networking unless you are
familiar with the underlying network technologies, as, by default, it
blocks various types of network traffic that are important to neutron
services. To disable it, launch the program and clear the
<guilabel>Enabled</guilabel> check box.</para>
<para>After you successfully set up OpenStack Networking with Neutron, you
can re-enable and configure the tool. However, during OpenStack
Networking setup, disable the tool to make it easier to debug network
issues.</para>
</warning>
<procedure>
<title>Prerequisites</title>
<step>
<para>Disable packet destination filtering (route
verification) to let the networking services route traffic
to the VMs. Edit the <filename>/etc/sysctl.conf</filename>
file and run the following command to activate
changes:</para>
<programlisting language="ini">net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.default.rp_filter=0</programlisting>
<screen><prompt>#</prompt> <userinput>sysctl -p</userinput></screen>
</step>
</procedure>
<procedure>
<title>Install Open vSwitch plug-in</title>
<para>OpenStack Networking supports a variety of plug-ins. For
simplicity, we chose to cover the most common plug-in, Open
vSwitch, and configure it to use basic GRE tunnels for tenant
network traffic.</para>
<step>
<para>Install the Open vSwitch plug-in and its
dependencies:</para>
<screen os="ubuntu;debian"><prompt>#</prompt> <userinput>apt-get install neutron-plugin-openvswitch-agent openvswitch-datapath-dkms</userinput></screen>
<screen os="rhel;fedora;centos"><prompt>#</prompt> <userinput>yum install openstack-neutron-openvswitch</userinput></screen>
<screen os="opensuse;sles"><prompt>#</prompt> <userinput>zypper install openstack-neutron-openvswitch-agent</userinput></screen>
</step>
<step os="ubuntu;debian">
<para>Restart Open vSwitch:</para>
<screen><prompt>#</prompt> <userinput>service openvswitch-switch restart</userinput></screen>
</step>
<step os="rhel;fedora;centos;opensuse;sles">
<para>Start Open vSwitch and configure it to start when
the system boots:</para>
<screen os="rhel;fedora;centos"><prompt>#</prompt> <userinput>service openvswitch start</userinput>
<prompt>#</prompt> <userinput>chkconfig openvswitch on</userinput></screen>
<screen os="opensuse;sles"><prompt>#</prompt> <userinput>service openvswitch-switch start</userinput>
<prompt>#</prompt> <userinput>chkconfig openvswitch-switch on</userinput></screen>
</step>
<step os="rhel;centos;fedora;opensuse;sles;ubuntu">
<para>You must set some common configuration options. You
must configure Networking core to use
<acronym>OVS</acronym>. Edit the
<filename>/etc/neutron/neutron.conf</filename>
file:</para>
<programlisting language="ini" os="ubuntu;opensuse;sles">core_plugin = openvswitch</programlisting>
<programlisting language="ini" os="rhel;centos;fedora">core_plugin = openvswitch</programlisting>
</step>
<step>
<para>You must configure a firewall as well. You should
use the same firewall plug-in that you chose to use when
you set up the network node. To do this, edit
<filename>/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini</filename>
file and set the <literal>firewall_driver</literal>
value under the <literal>securitygroup</literal> to the
same value used on the network node. For instance, if
you chose to use the Hybrid OVS-IPTables plug-in, your
configuration looks like this:</para>
<programlisting language="ini">[securitygroup]
# Firewall driver for realizing neutron security group function.
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver</programlisting>
<warning>
<para>You must use at least the No-Op firewall.
Otherwise, Horizon and other OpenStack services cannot
get and set required VM boot options.</para>
</warning>
</step>
<step os="rhel;centos;fedora;sles;opensuse">
<para>Configure the <acronym>OVS</acronym> plug-in to start
on boot.</para>
<screen os="rhel;centos;fedora"><prompt>#</prompt> <userinput>chkconfig neutron-openvswitch-agent on</userinput></screen>
<screen os="sles;opensuse"><prompt>#</prompt> <userinput>chkconfig openstack-neutron-openvswitch-agent on</userinput></screen>
</step>
<step>
<para>Tell the <acronym>OVS</acronym> plug-in to use GRE
tunneling with a <literal>br-int</literal> integration
bridge, a <literal>br-tun</literal> tunneling bridge,
and a local IP for the tunnel of
<replaceable>DATA_INTERFACE</replaceable>'s IP Edit
the
<filename>/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini</filename>
file:</para>
<programlisting language="ini">[ovs]
...
tenant_network_type = gre
tunnel_id_ranges = 1:1000
enable_tunneling = True
integration_bridge = br-int
tunnel_bridge = br-tun
local_ip = <replaceable>DATA_INTERFACE_IP</replaceable></programlisting>
</step>
</procedure>
<procedure os="rhel;centos;fedora;sles;opensuse;ubuntu">
<title>Configure common components</title>
<step os="rhel;centos;fedora;opensuse;sles">
<para>Configure Networking to use <systemitem class="service">keystone</systemitem> for authentication:</para>
<substeps>
<step>
<para>Set the <literal>auth_strategy</literal>
configuration key to <literal>keystone</literal> in the
<literal>[DEFAULT]</literal> section of the file:</para>
<screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT auth_strategy keystone</userinput></screen>
</step>
<step>
<para>Set the <systemitem class="service">neutron</systemitem>
configuration for
<systemitem class="service">keystone</systemitem>
authentication:</para>
<screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
auth_uri http://<replaceable>controller</replaceable>:5000</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
auth_host <replaceable>controller</replaceable></userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
auth_protocol http</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
auth_port 35357</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
admin_tenant_name service</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
admin_user neutron</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
admin_password <replaceable>NEUTRON_PASS</replaceable></userinput></screen>
</step>
</substeps>
</step>
<step os="ubuntu">
<para>To configure <systemitem class="service">neutron</systemitem>
to use <systemitem class="service">keystone</systemitem>
for authentication, edit the
<filename>/etc/neutron/neutron.conf</filename> file.</para>
<substeps>
<step>
<para>Set the <literal>auth_strategy</literal>
configuration key to <literal>keystone</literal> in the
<literal>[DEFAULT]</literal> section of the file:</para>
<programlisting language="ini">[DEFAULT]
...
auth_strategy = keystone</programlisting>
</step>
<step>
<para>Add these lines to the
<literal>[keystone_authtoken]</literal> section of the
file:</para>
<programlisting language="ini">[keystone_authtoken]
...
auth_uri = http://<replaceable>controller</replaceable>:5000
auth_host = <replaceable>controller</replaceable>
auth_protocol = http
auth_port = 35357
admin_tenant_name = service
admin_user = neutron
admin_password = <replaceable>NEUTRON_PASS</replaceable></programlisting>
</step>
</substeps>
</step>
<step os="opensuse;sles;rhel;centos;fedora">
<para>Configure access to the <application>RabbitMQ</application> service:</para>
<screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
rpc_backend neutron.openstack.common.rpc.impl_kombu</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
rabbit_host <replaceable>controller</replaceable></userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
rabbit_userid guest</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
rabbit_password <replaceable>RABBIT_PASS</replaceable></userinput></screen>
</step>
<step os="ubuntu">
<para>Configure the <application>RabbitMQ</application> access.
Edit the <filename>/etc/neutron/neutron.conf</filename> file
to modify the following parameters in the
<literal>[DEFAULT]</literal> section.</para>
<programlisting language="ini">rabbit_host = <replaceable>controller</replaceable>
rabbit_userid = guest
rabbit_password = <replaceable>RABBIT_PASS</replaceable></programlisting>
</step>
</procedure>
<procedure>
<title>Configure Compute services for Networking</title>
<step>
<para os="rhel;centos;fedora;opensuse;sles">Configure OpenStack Compute to use OpenStack Networking
services. Configure the <filename>/etc/nova/nova.conf</filename>
file as per instructions below:</para>
<screen os="rhel;centos;fedora;opensuse;sles"><prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
network_api_class nova.network.neutronv2.api.API</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
neutron_url http://<replaceable>controller</replaceable>:9696</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
neutron_auth_strategy keystone</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
neutron_admin_tenant_name service</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
neutron_admin_username neutron</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
neutron_admin_password <replaceable>NEUTRON_PASS</replaceable></userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
neutron_admin_auth_url http://<replaceable>controller</replaceable>:35357/v2.0</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
linuxnet_interface_driver nova.network.linux_net.LinuxOVSInterfaceDriver</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
firewall_driver nova.virt.firewall.NoopFirewallDriver</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
security_group_api neutron</userinput></screen>
<para os="ubuntu;debian">Configure OpenStack Compute to use OpenStack Networking
services. Edit the <filename>/etc/nova/nova.conf</filename>
file:</para>
<programlisting language="ini" os="ubuntu;debian">network_api_class=nova.network.neutronv2.api.API
neutron_url=http://<replaceable>controller</replaceable>:9696
neutron_auth_strategy=keystone
neutron_admin_tenant_name=service
neutron_admin_username=neutron
neutron_admin_password=<replaceable>NEUTRON_PASS</replaceable>
neutron_admin_auth_url=http://<replaceable>controller</replaceable>:35357/v2.0
linuxnet_interface_driver = nova.network.linux_net.LinuxOVSInterfaceDriver
firewall_driver=nova.virt.firewall.NoopFirewallDriver
security_group_api=neutron</programlisting>
<note>
<itemizedlist>
<listitem>
<para>No matter which firewall driver you chose when you
configured the network and compute nodes, you must
edit the <filename>/etc/nova/nova.conf</filename> file
to set the firewall driver to
<literal>nova.virt.firewall.NoopFirewallDriver</literal>.
Because OpenStack Networking handles the firewall,
this statement instructs Compute to not use a
firewall.</para>
</listitem>
<listitem>
<para>If you want Networking to handle the firewall,
edit the
<filename>/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini</filename>
file to set the <code>firewall_driver</code> option to
the firewall for the plug-in. For example, with
<acronym>OVS</acronym>, edit the file as
follows:</para>
<programlisting language="ini" os="ubuntu;debian">[securitygroup]
# Firewall driver for realizing neutron security group function.
firewall_driver=neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver</programlisting>
<screen os="rhel;centos;fedora;opensuse;sles"><prompt>#</prompt> <userinput>openstack-config --set \
/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini securitygroup firewall_driver \
neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver</userinput></screen>
</listitem>
<listitem>
<para>If you do not want to use a firewall in Compute or
Networking, edit both configuration files and set
<code>firewall_driver=nova.virt.firewall.NoopFirewallDriver</code>.
Also, edit the
<filename>/etc/nova/nova.conf</filename> file and
comment out or remove the
<code>security_group_api=neutron</code>
statement.</para>
<para>Otherwise, when you issue <command>nova
list</command> commands, the <errortext>ERROR: The
server has either erred or is incapable of
performing the requested operation. (HTTP
500)</errortext> error might be returned.</para>
</listitem>
</itemizedlist>
</note>
</step>
</procedure>
<procedure>
<title>Finalize installation</title>
<step os="rhel;centos;fedora">
<para>The <systemitem class="service">neutron-server</systemitem>
initialization script expects a symbolic link
<filename>/etc/neutron/plugin.ini</filename> pointing to the
configuration file associated with your chosen plug-in. Using
Open vSwitch, for example, the symbolic link must point to
<filename>/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini</filename>.
If this symbolic link does not exist, create it using the
following commands:</para>
<screen><prompt>#</prompt> <userinput>cd /etc/neutron</userinput>
<prompt>#</prompt> <userinput>ln -s plugins/openvswitch/ovs_neutron_plugin.ini plugin.ini</userinput></screen>
</step>
<step os="sles;opensuse">
<para>The <systemitem class="service">openstack-neutron</systemitem>
initialization script expects the variable
<literal>NEUTRON_PLUGIN_CONF</literal> in file
<filename>/etc/sysconfig/neutron</filename> to reference the
configuration file associated with your chosen plug-in. Using
Open vSwitch, for example, edit the
<filename>/etc/sysconfig/neutron</filename> file and add the
following:</para>
<programlisting>NEUTRON_PLUGIN_CONF="/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini"</programlisting>
</step>
<step>
<para>Restart Networking services.</para>
<screen os="ubuntu;debian"><prompt>#</prompt> <userinput>service neutron-plugin-openvswitch-agent restart</userinput></screen>
<screen os="rhel;centos;fedora"><prompt>#</prompt> <userinput>service neutron-openvswitch-agent restart</userinput></screen>
<screen os="sles;opensuse"><prompt>#</prompt> <userinput>service openstack-neutron-openvswitch-agent restart</userinput></screen>
</step>
<step>
<para>Restart the Compute service.</para>
<screen os="debian;ubuntu"><prompt>#</prompt> <userinput>service nova-compute restart</userinput></screen>
<screen os="centos;rhel;fedora"><prompt>#</prompt> <userinput>service openstack-nova-compute restart</userinput></screen>
<screen os="sles;opensuse"><prompt>#</prompt> <userinput>service openstack-nova-compute restart</userinput></screen>
</step>
</procedure>
</section>
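
Review bot: The root element of this hunk, the section with xml:id="neutron-compute-node", is deleted while the commit reports 3 changed files with 0 additions, so no parent document that includes this section or links to its id is touched here. Please confirm that no xi:include or xref elsewhere in the guide still targets neutron-compute-node (the same applies to the other two removed sections), or remove those references in this change.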

@ -1,332 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink"
version="5.0"
xml:id="neutron-controller-node">
<title>Configure controller node</title>
<warning os="rhel;centos">
<para>By default, the <literal>system-config-firewall</literal>
automated firewall configuration tool is in place on RHEL.
This graphical interface (and a curses-style interface with
<literal>-tui</literal> on the end of the name) enables you
to configure IP tables as a basic firewall. You should disable
it when you work with Neutron unless you are familiar with the
underlying network technologies, as, by default, it blocks
various types of network traffic that are important to
Neutron. To disable it, simple launch the program and clear
the <guilabel>Enabled</guilabel> check box.</para>
<para>After you successfully set up OpenStack with Neutron, you
can re-enable and configure the tool. However, during Neutron
set up, disable the tool to make it easier to debug network
issues.</para>
</warning>
<procedure os="rhel;centos;fedora;opensuse;sles;ubuntu">
<title>Prerequisites</title>
<para os="rhel;centos;fedora;opensuse;sles;ubuntu">Before you
configure individual nodes for Networking, you must create the
required OpenStack components: user, service, database, and one or
more endpoints. After you complete these steps on the controller
node, follow the instructions in this guide to set up OpenStack
Networking nodes.</para>
<step os="rhel;centos;fedora;opensuse;sles;ubuntu">
<para>Connect to the MySQL database as the root user, create the
<literal>neutron</literal> database, and grant the proper
access to it:</para>
<screen><prompt>$</prompt> <userinput>mysql -u root -p</userinput>
<prompt>mysql></prompt> <userinput>CREATE DATABASE neutron;</userinput>
<prompt>mysql></prompt> <userinput>GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'localhost' \
IDENTIFIED BY '<replaceable>NEUTRON_DBPASS</replaceable>';</userinput>
<prompt>mysql></prompt> <userinput>GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'%' \
IDENTIFIED BY '<replaceable>NEUTRON_DBPASS</replaceable>';</userinput></screen>
</step>
<step os="rhel;centos;fedora;opensuse;sles;ubuntu">
<para>Create the required user, service, and endpoint so that
Networking can interface with the Identity Service.</para>
<para>Create a <literal>neutron</literal> user:</para>
<screen><prompt>$</prompt> <userinput>keystone user-create --name=neutron --pass=<replaceable>NEUTRON_PASS</replaceable> --email=<replaceable>neutron@example.com</replaceable></userinput></screen>
<para>Add the user role to the neutron user:</para>
<screen><prompt>$</prompt> <userinput>keystone user-role-add --user=neutron --tenant=service --role=admin</userinput></screen>
<para>Create the neutron service:</para>
<screen><prompt>$</prompt> <userinput>keystone service-create --name=neutron --type=network \
--description="OpenStack Networking"</userinput></screen>
<para>Create a Networking endpoint:</para>
<screen><prompt>$</prompt> <userinput>keystone endpoint-create \
--service-id $(keystone service-list | awk '/ network / {print $2}') \
--publicurl http://<replaceable>controller</replaceable>:9696 \
--adminurl http://<replaceable>controller</replaceable>:9696 \
--internalurl http://<replaceable>controller</replaceable>:9696</userinput></screen>
</step>
</procedure>
<procedure>
<title>Install and configure server component</title>
<step>
<para>Install the server component of Networking and any dependencies.</para>
<screen os="ubuntu;debian"><prompt>#</prompt> <userinput>apt-get install neutron-server</userinput></screen>
<screen os="fedora;rhel;centos"><prompt>#</prompt> <userinput>yum install openstack-neutron python-neutron python-neutronclient</userinput></screen>
<screen os="opensuse;sles"><prompt>#</prompt> <userinput>zypper install openstack-neutron python-neutron python-neutronclient</userinput></screen>
</step>
<step os="rhel;centos;fedora;opensuse;sles">
<para>Configure Networking to connect to the database:</para>
<screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf database connection \
mysql://neutron:<replaceable>NEUTRON_DBPASS</replaceable>@controller/neutron</userinput></screen>
</step>
<step os="ubuntu;debian">
<para>Configure Networking to use your MySQL database. Edit the
<filename>/etc/neutron/neutron.conf</filename> file and add the
following key under the <literal>[database]</literal> section.
Replace <replaceable>NEUTRON_DBPASS</replaceable> with the password
you chose for the Neutron database.</para>
<programlisting language="ini">[database]
...
connection = mysql://neutron:<replaceable>NEUTRON_DBPASS</replaceable>@<replaceable>controller</replaceable>/neutron</programlisting>
</step>
<step os="rhel;centos;fedora;opensuse;sles">
<para>Configure Networking to use
<systemitem class="service">keystone</systemitem> as the Identity
Service for authentication:</para>
<substeps>
<step>
<para>Set the <literal>auth_strategy</literal>
configuration key to <literal>keystone</literal> in the
<literal>DEFAULT</literal> section of the file:</para>
<screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT auth_strategy keystone</userinput></screen>
</step>
<step>
<para>Set the <systemitem class="service">neutron</systemitem> configuration for
<systemitem class="service">keystone</systemitem> authentication:</para>
<screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
auth_uri http://<replaceable>controller</replaceable>:5000</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
auth_host <replaceable>controller</replaceable></userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
auth_protocol http</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
auth_port 35357</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
admin_tenant_name service</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
admin_user neutron</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
admin_password <replaceable>NEUTRON_PASS</replaceable></userinput></screen>
</step>
</substeps>
</step>
<step os="ubuntu;debian">
<para>Configure Networking to use
<systemitem class="service">keystone</systemitem> as the Identity
Service for authentication.</para>
<substeps>
<step>
<para>Edit the <filename>/etc/neutron/neutron.conf</filename>
file and add the
file and add the following key under the
<literal>[DEFAULT]</literal> section.</para>
<programlisting language="ini">[DEFAULT]
...
auth_strategy = keystone</programlisting>
<para>Add the following keys under the
<literal>[keystone_authtoken]</literal> section. Replace
<replaceable>NEUTRON_PASS</replaceable> with the password you
chose for the Neutron user in Keystone.</para>
<programlisting language="ini">[keystone_authtoken]
...
auth_uri = http://<replaceable>controller</replaceable>:5000
auth_host = <replaceable>controller</replaceable>
auth_protocol = http
auth_port = 35357
admin_tenant_name = service
admin_user = neutron
admin_password = <replaceable>NEUTRON_PASS</replaceable></programlisting>
</step>
</substeps>
</step>
<step os="opensuse;sles;rhel;centos;fedora">
<para>Configure access to the <application>RabbitMQ</application>
service:</para>
<screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
rpc_backend neutron.openstack.common.rpc.impl_kombu</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
rabbit_host controller</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
rabbit_userid guest</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
rabbit_password <replaceable>RABBIT_PASS</replaceable></userinput></screen>
</step>
<step os="ubuntu;debian">
<para>Configure Networking to use your message broker. Edit the
<filename>/etc/neutron/neutron.conf</filename> file and add
the following keys under the <literal>[DEFAULT]</literal>
section.</para>
<para>Replace <replaceable>RABBIT_PASS</replaceable> with the
password you chose for RabbitMQ.</para>
<programlisting language="ini">[DEFAULT]
...
rpc_backend = neutron.openstack.common.rpc.impl_kombu
rabbit_host = <replaceable>controller</replaceable>
rabbit_password = <replaceable>RABBIT_PASS</replaceable></programlisting>
</step>
</procedure>
<procedure>
<title>Install and configure Open vSwitch (OVS) plug-in</title>
<para>OpenStack Networking supports a variety of plug-ins. For
simplicity, we chose to cover the most common plug-in, Open
vSwitch, and configure it to use basic GRE tunnels for tenant
network traffic.</para>
<step>
<para>Install the Open vSwitch plug-in:</para>
<screen os="ubuntu;debian"><prompt>#</prompt> <userinput>apt-get install neutron-plugin-openvswitch</userinput></screen>
<screen os="rhel;fedora;centos"><prompt>#</prompt> <userinput>yum install openstack-neutron-openvswitch</userinput></screen>
<screen os="opensuse;sles"><prompt>#</prompt> <userinput>zypper install openstack-neutron-openvswitch-agent</userinput></screen>
</step>
<step>
<para>You must set some common configuration options no
matter which networking technology you choose to use
with Open vSwitch. You must configure Networking core to
use <acronym>OVS</acronym>. Edit the
<filename>/etc/neutron/neutron.conf</filename>
file:</para>
<programlisting language="ini">core_plugin = openvswitch</programlisting>
<note>
<para>The dedicated controller node does not need to run
Open vSwitch or the Open vSwitch agent.</para>
</note>
</step>
<step>
<para>Configure the <acronym>OVS</acronym> plug-in to use GRE
tunneling. Edit the
<filename>/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini</filename>
file:</para>
<programlisting language="ini">[ovs]
tenant_network_type = gre
tunnel_id_ranges = 1:1000
enable_tunneling = True</programlisting>
</step>
</procedure>
<procedure>
<title>Configure Compute services for Networking</title>
<step>
<para os="rhel;centos;fedora;opensuse;sles">Configure Compute to use
OpenStack Networking services. Configure the
<filename>/etc/nova/nova.conf</filename> file as per instructions
below:</para>
<screen os="rhel;centos;fedora;opensuse;sles"><prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
network_api_class nova.network.neutronv2.api.API</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
neutron_url http://<replaceable>controller</replaceable>:9696</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
neutron_auth_strategy keystone</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
neutron_admin_tenant_name service</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
neutron_admin_username neutron</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
neutron_admin_password <replaceable>NEUTRON_PASS</replaceable></userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
neutron_admin_auth_url http://<replaceable>controller</replaceable>:35357/v2.0</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
linuxnet_interface_driver nova.network.linux_net.LinuxOVSInterfaceDriver</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
firewall_driver nova.virt.firewall.NoopFirewallDriver</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
security_group_api neutron</userinput></screen>
<para os="ubuntu;debian">Configure Compute to use OpenStack Networking
services. Edit the <filename>/etc/nova/nova.conf</filename>
file:</para>
<programlisting language="ini" os="ubuntu;debian">network_api_class=nova.network.neutronv2.api.API
neutron_url=http://<replaceable>controller</replaceable>:9696
neutron_auth_strategy=keystone
neutron_admin_tenant_name=service
neutron_admin_username=neutron
neutron_admin_password=<replaceable>NEUTRON_PASS</replaceable>
neutron_admin_auth_url=http://<replaceable>controller</replaceable>:35357/v2.0
linuxnet_interface_driver = nova.network.linux_net.LinuxOVSInterfaceDriver
firewall_driver=nova.virt.firewall.NoopFirewallDriver
security_group_api=neutron</programlisting>
<note>
<itemizedlist>
<listitem>
<para>Regardless of which firewall driver you chose when you
configured the network and compute nodes, set this driver
as the No-Op firewall. This firewall is a
<systemitem class="service">nova</systemitem> firewall,
and because <systemitem class="service">neutron</systemitem>
handles the Firewall, you must tell
<systemitem class="service">nova</systemitem> not to use one.</para>
<para>When Networking handles the firewall, the option
<code>firewall_driver</code> should be set according to
the specified plug-in. For example with
<acronym>OVS</acronym>, edit the
<filename>/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini</filename>
file:</para>
<programlisting language="ini" os="ubuntu;debian">[securitygroup]
# Firewall driver for realizing neutron security group function.
firewall_driver=neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver</programlisting>
<screen os="rhel;centos;fedora;opensuse;sles"><prompt>#</prompt> <userinput>openstack-config --set \
/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini securitygroup firewall_driver \
neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver</userinput></screen>
</listitem>
<listitem>
<para>If you do not want to use a firewall in Compute or
Networking, set
<code>firewall_driver=nova.virt.firewall.NoopFirewallDriver</code>
in both config files, and comment out or remove
<code>security_group_api=neutron</code> in the
<filename>/etc/nova/nova.conf</filename> file, otherwise
you may encounter <errortext>ERROR: The server has either
erred or is incapable of performing the requested
operation. (HTTP 500)</errortext> when issuing
<command>nova list</command> commands.</para>
</listitem>
</itemizedlist>
</note>
</step>
<step os="rhel;centos;fedora">
<para>The <systemitem class="service">neutron-server</systemitem>
initialization script expects a symbolic link
<filename>/etc/neutron/plugin.ini</filename> pointing to the
configuration file associated with your chosen plug-in. Using
Open vSwitch, for example, the symbolic link must point to
<filename>/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini</filename>.
If this symbolic link does not exist, create it using the
following commands:</para>
<screen><prompt>#</prompt> <userinput>cd /etc/neutron</userinput>
<prompt>#</prompt> <userinput>ln -s plugins/openvswitch/ovs_neutron_plugin.ini plugin.ini</userinput></screen>
</step>
<step os="sles;opensuse">
<para>The <systemitem class="service">openstack-neutron</systemitem>
initialization script expects the variable
<literal>NEUTRON_PLUGIN_CONF</literal> in file
<filename>/etc/sysconfig/neutron</filename> to reference the
configuration file associated with your chosen plug-in. Using
Open vSwitch, for example, edit the
<filename>/etc/sysconfig/neutron</filename> file and add the
following:</para>
<programlisting>NEUTRON_PLUGIN_CONF="/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini"</programlisting>
</step>
</procedure>
<procedure>
<title>Finalize installation</title>
<step os="ubuntu;debian">
<para>Restart the Compute and Networking services:</para>
<screen><prompt>#</prompt> <userinput>service nova-api restart</userinput>
<prompt>#</prompt> <userinput>service nova-scheduler restart</userinput>
<prompt>#</prompt> <userinput>service nova-conductor restart</userinput>
<prompt>#</prompt> <userinput>service neutron-server restart</userinput></screen>
</step>
<step os="fedora;rhel;centos;opensuse;sles">
<para>Restart the Compute services:</para>
<screen><prompt>#</prompt> <userinput>service openstack-nova-api restart</userinput>
<prompt>#</prompt> <userinput>service openstack-nova-scheduler restart</userinput>
<prompt>#</prompt> <userinput>service openstack-nova-conductor restart</userinput></screen>
</step>
<step os="fedora;rhel;centos;opensuse;sles">
<para>Start the Networking service and configure it to start when the
system boots:</para>
<screen os="fedora;rhel;centos"><prompt>#</prompt> <userinput>service neutron-server start</userinput>
<prompt>#</prompt> <userinput>chkconfig neutron-server on</userinput></screen>
<screen os="opensuse;sles"><prompt>#</prompt> <userinput>service openstack-neutron start</userinput>
<prompt>#</prompt> <userinput>chkconfig openstack-neutron on</userinput></screen>
</step>
</procedure>
</section>
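Review bot: The last two steps of "Configure the Open vSwitch (OVS) plug-in" in this deleted file are not OVS-specific, so deleting them with the plug-in content may drop guidance that still applies. The <filename>/etc/neutron/plugin.ini</filename> symbolic link (rhel;centos;fedora) and <literal>NEUTRON_PLUGIN_CONF</literal> in <filename>/etc/sysconfig/neutron</filename> (sles;opensuse) are described as requirements of the init scripts for "your chosen plug-in", with Open vSwitch only as the example. The same goes for the note that selecting <code>nova.virt.firewall.NoopFirewallDriver</code> requires removing <code>security_group_api=neutron</code> from <filename>/etc/nova/nova.conf</filename> to avoid the HTTP 500 on <command>nova list</command>. Please confirm the retained install content carries equivalent steps. Since the commit has no additions, also check that no remaining file includes or links to <literal>xml:id="neutron-compute-node"</literal>.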

View File

@ -1,457 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink"
version="5.0"
xml:id="neutron-network-node">
<title>Configure network node</title>
<note>
<para>Before you start, set up a machine as a dedicated network
node. Dedicated network nodes have a
<replaceable>MGMT_INTERFACE</replaceable> NIC, a
<replaceable>DATA_INTERFACE</replaceable> NIC, and an
<replaceable>EXTERNAL_INTERFACE</replaceable> NIC.</para>
<para>The management network handles communication among nodes.
The data network handles communication coming to and from VMs.
The external NIC connects the network node, and optionally to
the controller node, so your VMs can connect to the outside
world.</para>
</note>
<warning os="rhel;centos">
<para>By default, the <literal>system-config-firewall</literal> automated
firewall configuration tool is in place on RHEL. This graphical interface
(and a curses-style interface with <literal>-tui</literal> on the end of
the name) enables you to configure IP tables as a basic firewall. You
should disable it when you work with Networking unless you are familiar
with the underlying network technologies. By default, it blocks various
types of network traffic that are important to Networking. To disable it,
simply launch the program and clear the <guilabel>Enabled</guilabel> check
box.</para>
<para>After you successfully set up OpenStack Networking, you
can re-enable and configure the tool. However, during
Networking set up, disable the tool to make it easier to debug
network issues.</para>
</warning>
<procedure>
<title>Install agents and configure common components</title>
<step>
<para>Install the Networking packages and any dependencies.
</para>
<screen os="ubuntu;debian"><prompt>#</prompt> <userinput>apt-get install neutron-dhcp-agent neutron-l3-agent</userinput></screen>
<screen os="rhel;centos;fedora"><prompt>#</prompt> <userinput>yum install openstack-neutron</userinput></screen>
<screen os="opensuse;sles"><prompt>#</prompt> <userinput>zypper install openstack-neutron openstack-neutron-l3-agent \
openstack-neutron-dhcp-agent openstack-neutron-metadata-agent</userinput></screen>
</step>
<step os="debian">
<para>Respond to prompts for <link
linkend="debconf-dbconfig-common">database
management</link>, <link
linkend="debconf-keystone_authtoken"
><literal>[keystone_authtoken]</literal>
settings</link>, <link linkend="debconf-rabbitmq">RabbitMQ
credentials</link> and <link
linkend="debconf-api-endpoints">API endpoint</link>
registration.</para>
</step>
<step os="rhel;centos;fedora;opensuse;sles">
<para>Configure Networking agents to start at boot time:</para>
<screen os="rhel;centos;fedora"><prompt>#</prompt> <userinput>for s in neutron-{dhcp,metadata,l3}-agent; do chkconfig $s on; done</userinput></screen>
<screen os="opensuse;sles"><prompt>#</prompt> <userinput>for s in openstack-neutron-{dhcp,metadata,l3}-agent; do chkconfig $s on; done</userinput></screen>
</step>
<step>
<para>Enable packet forwarding and disable packet destination
filtering so that the network node can coordinate traffic
for the VMs. Edit the <filename>/etc/sysctl.conf</filename>
file, as follows:</para>
<programlisting language="ini">net.ipv4.ip_forward=1
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.default.rp_filter=0</programlisting>
<para>Use the <command>sysctl</command> command to ensure the
changes made to the <filename>/etc/sysctl.conf</filename>
file take effect:</para>
<screen><prompt>#</prompt> <userinput>sysctl -p</userinput></screen>
<note>
<para>It is recommended that the networking service is
restarted after changing values related to the networking
configuration. This ensures that all modified values take
effect immediately:</para>
<screen os="ubuntu"><prompt>#</prompt> <userinput>service networking restart</userinput></screen>
<screen os="rhel;centos;fedora;opensuse;sles"><prompt>#</prompt> <userinput>service network restart</userinput></screen>
</note>
</step>
<step os="rhel;centos;fedora;opensuse;sles">
<para>Configure Networking to use <systemitem class="service">keystone</systemitem> for authentication:</para>
<substeps>
<step>
<para>Set the <literal>auth_strategy</literal>
configuration key to <literal>keystone</literal> in the
<literal>DEFAULT</literal> section of the file:</para>
<screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT auth_strategy keystone</userinput></screen>
</step>
<step>
<para>Set the
<systemitem class="service">neutron</systemitem>
configuration for
<systemitem class="service">keystone</systemitem>
authentication:</para>
<screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
auth_uri http://<replaceable>controller</replaceable>:5000</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
auth_host <replaceable>controller</replaceable></userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
auth_protocol http</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
auth_port 35357</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
admin_tenant_name service</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
admin_user neutron</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
admin_password <replaceable>NEUTRON_PASS</replaceable></userinput></screen>
</step></substeps>
</step>
<step os="ubuntu">
<para>To configure <systemitem class="service">neutron</systemitem>
to use <systemitem class="service">keystone</systemitem>
for authentication, edit the
<filename>/etc/neutron/neutron.conf</filename> file.</para>
<substeps>
<step>
<para>Set the <literal>auth_strategy</literal>
configuration key to <literal>keystone</literal> in the
<literal>DEFAULT</literal> section of the file:</para>
<programlisting language="ini">auth_strategy = keystone</programlisting>
</step>
<step>
<para>Add these lines to the
<literal>[keystone_authtoken]</literal> section of the
file:</para>
<programlisting language="ini">[keystone_authtoken]
...
auth_uri = http://<replaceable>controller</replaceable>:5000
auth_host = <replaceable>controller</replaceable>
auth_port = 35357
auth_protocol = http
admin_tenant_name = service
admin_user = neutron
admin_password = <replaceable>NEUTRON_PASS</replaceable></programlisting>
</step>
</substeps>
</step>
<step os="opensuse;sles;rhel;centos;fedora">
<para>Configure access to the <application>RabbitMQ</application> service:</para>
<screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
rpc_backend neutron.openstack.common.rpc.impl_kombu</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
rabbit_host <replaceable>controller</replaceable></userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
rabbit_userid guest</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
rabbit_password <replaceable>RABBIT_PASS</replaceable></userinput></screen>
</step>
<step os="ubuntu">
<para>Configure the <application>RabbitMQ</application> access.
Edit the <filename>/etc/neutron/neutron.conf</filename> file
to modify the following parameters in the
<literal>DEFAULT</literal> section.</para>
<programlisting language="ini">rabbit_host = <replaceable>controller</replaceable>
rabbit_userid = guest
rabbit_password = <replaceable>RABBIT_PASS</replaceable></programlisting>
</step>
</procedure>
<procedure>
<title>Install and configure the Open vSwitch (OVS) plug-in</title>
<para>OpenStack Networking supports a variety of plug-ins. For
simplicity, we chose to cover the most common plug-in, Open
vSwitch, and configure it to use basic GRE tunnels for tenant
network traffic.</para>
<step>
<para>Install the Open vSwitch plug-in and its
dependencies:</para>
<screen os="ubuntu;debian"><prompt>#</prompt> <userinput>apt-get install neutron-plugin-openvswitch-agent openvswitch-datapath-dkms</userinput></screen>
<screen os="rhel;fedora;centos"><prompt>#</prompt> <userinput>yum install openstack-neutron-openvswitch</userinput></screen>
<screen os="opensuse;sles"><prompt>#</prompt> <userinput>zypper install openstack-neutron-openvswitch-agent</userinput></screen>
</step>
<step>
<para>Start Open vSwitch:</para>
<screen os="debian;rhel;fedora;centos"><prompt>#</prompt> <userinput>service openvswitch start</userinput></screen>
<screen os="opensuse;sles"><prompt>#</prompt> <userinput>service openvswitch-switch start</userinput></screen>
<screen os="ubuntu"><prompt>#</prompt> <userinput>service openvswitch-switch restart</userinput></screen>
<para os="rhel;fedora;centos;opensuse;sles">And configure
it to start when the system boots:</para>
<screen os="rhel;fedora;centos"><prompt>#</prompt> <userinput>chkconfig openvswitch on</userinput></screen>
<screen os="opensuse;sles"><prompt>#</prompt> <userinput>chkconfig openvswitch-switch on</userinput></screen>
</step>
<step>
<para>No matter which networking technology you use, you must add the
<literal>br-ex</literal> external bridge, which
connects to the outside world.</para>
<screen><prompt>#</prompt> <userinput>ovs-vsctl add-br br-ex</userinput></screen>
</step>
<step>
<para>Add a <glossterm>port</glossterm> (connection) from
the <replaceable>EXTERNAL_INTERFACE</replaceable>
interface to <literal>br-ex</literal> interface:</para>
<screen><prompt>#</prompt> <userinput>ovs-vsctl add-port br-ex <replaceable>EXTERNAL_INTERFACE</replaceable></userinput></screen>
<warning>
<para>The host must have an IP address associated
with an interface other than
<replaceable>EXTERNAL_INTERFACE</replaceable>,
and your remote terminal session must be associated with
this other IP address.</para>
<para>If you associate an IP address with
<replaceable>EXTERNAL_INTERFACE</replaceable>,
that IP address stops working after you issue the
<command>ovs-vsctl add-port br-ex <replaceable>EXTERNAL_INTERFACE</replaceable></command>
command. If you associate a remote terminal session with that
IP address, you lose connectivity with the host.</para>
<para>For more details about this behavior, see the
<emphasis>Configuration Problems</emphasis> section of the
<link xlink:href="http://git.openvswitch.org/cgi-bin/gitweb.cgi?p=openvswitch;a=blob_plain;f=FAQ;hb=HEAD">Open vSwitch FAQ</link>.</para>
</warning>
</step>
<step>
<para>Configure the
<replaceable>EXTERNAL_INTERFACE</replaceable> without
an IP address and in promiscuous mode. Additionally, you
must set the newly created <literal>br-ex</literal>
interface to have the IP address that formerly belonged
to <replaceable>EXTERNAL_INTERFACE</replaceable>.</para>
<warning os="ubuntu">
<para>Generic Receive Offload (GRO) should not be
enabled on this interface as it can cause severe
performance problems. It can be disabled with the
ethtool utility.</para>
</warning>
<para os="rhel;fedora;centos">Edit the
<filename>/etc/sysconfig/network-scripts/ifcfg-EXTERNAL_INTERFACE</filename>
file:</para>
<programlisting language="ini" os="rhel;fedora;centos">DEVICE_INFO_HERE
ONBOOT=yes
BOOTPROTO=none
PROMISC=yes</programlisting>
</step>
<step os="rhel;fedora;centos">
<para>Create and edit the
<filename>/etc/sysconfig/network-scripts/ifcfg-br-ex</filename>
file:</para>
<programlisting language="ini">DEVICE=br-ex
TYPE=Bridge
ONBOOT=no
BOOTPROTO=none
IPADDR=EXTERNAL_INTERFACE_IP
NETMASK=EXTERNAL_INTERFACE_NETMASK
GATEWAY=EXTERNAL_INTERFACE_GATEWAY</programlisting>
</step>
<step>
<para>You must set some common configuration options no
matter which networking technology you choose to use
with Open vSwitch. Configure the L3 and DHCP agents to
use <acronym>OVS</acronym> and namespaces. Edit the
<filename>/etc/neutron/l3_agent.ini</filename> and
<filename>/etc/neutron/dhcp_agent.ini</filename>
files, respectively:</para>
<programlisting language="ini">interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
use_namespaces = True</programlisting>
<note>
<para>While the examples in this guide enable network
namespaces by default, you can disable them if issues
occur or your kernel does not support them. Edit the
<filename>/etc/neutron/l3_agent.ini</filename> and
<filename>/etc/neutron/dhcp_agent.ini</filename>
files, respectively:</para>
<programlisting language="ini">use_namespaces = False</programlisting>
<para>Edit the <filename>/etc/neutron/neutron.conf</filename> file
to disable overlapping IP addresses:</para>
<programlisting language="ini">allow_overlapping_ips = False</programlisting>
<para>Note that when network namespaces are disabled,
you can have only one router for each network node and
overlapping IP addresses are not supported.</para>
<para>You must complete additional steps after you
create the initial Neutron virtual networks and
router.</para>
</note>
</step>
<step os="rhel;centos;fedora;opensuse;sles;ubuntu">
<para>Similarly, you must also tell Neutron core to use
<acronym>OVS</acronym>. Edit the
<filename>/etc/neutron/neutron.conf</filename>
file:</para>
<programlisting language="ini">core_plugin = openvswitch</programlisting>
</step>
<step>
<para>Configure a firewall plug-in. If you do not wish to
enforce firewall rules, called <glossterm
baseform="security group">security groups</glossterm>
by OpenStack, you can use
<literal>neutron.agent.firewall.NoopFirewall</literal>.
Otherwise, you can choose one of the Networking firewall
plug-ins. The most common choice is the Hybrid
OVS-IPTables driver, but you can also use the
Firewall-as-a-Service driver. Edit the
<filename>/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini</filename>
file:</para>
<programlisting language="ini">[securitygroup]
# Firewall driver for realizing neutron security group function.
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver</programlisting>
<warning>
<para>You must use at least the No-Op firewall.
Otherwise, Horizon and other OpenStack services cannot
get and set required VM boot options.</para>
</warning>
</step>
<step os="rhel;centos;fedora;sles;opensuse">
<para>Configure the <acronym>OVS</acronym> plug-in to start
on boot.</para>
<screen os="fedora;centos;rhel"><prompt>#</prompt> <userinput>chkconfig neutron-openvswitch-agent on</userinput></screen>
<screen os="sles;opensuse"><prompt>#</prompt> <userinput>chkconfig openstack-neutron-openvswitch-agent on</userinput></screen>
</step>
<step>
<para>Configure the <acronym>OVS</acronym> plug-in to
use GRE tunneling, the <literal>br-int</literal>
integration bridge, the <literal>br-tun</literal>
tunneling bridge, and a local IP for the
<replaceable>DATA_INTERFACE</replaceable> tunnel IP.
Edit the
<filename>/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini</filename>
file:</para>
<programlisting language="ini">[ovs]
...
tenant_network_type = gre
tunnel_id_ranges = 1:1000
enable_tunneling = True
integration_bridge = br-int
tunnel_bridge = br-tun
local_ip = DATA_INTERFACE_IP</programlisting>
</step>
</procedure>
<procedure>
<title>Configure the agents</title>
<step>
<para>To perform DHCP on the software-defined networks,
Networking supports several different plug-ins. However, in
general, you use the <application>dnsmasq</application> plug-in.</para>
<para>Configure the
<filename>/etc/neutron/dhcp_agent.ini</filename> file:</para>
<programlisting language="ini" os="ubuntu;debian">dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq</programlisting>
<screen os="rhel;centos;fedora;opensuse;sles">
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/dhcp_agent.ini DEFAULT \
dhcp_driver neutron.agent.linux.dhcp.Dnsmasq</userinput></screen>
</step>
<step>
<para>To allow virtual machines to access the Compute metadata
information, the Networking metadata agent must be enabled
and configured. The agent will act as a proxy for the
Compute metadata service.</para>
<para>On the controller, edit the
<filename>/etc/nova/nova.conf</filename> file to define a
secret key that will be shared between the Compute service
and the Networking metadata agent.</para>
<para os="debian;ubuntu">Add to the
<literal>[DEFAULT]</literal> section:</para>
<programlisting os="ubuntu;debian" language="ini">[DEFAULT]
...
neutron_metadata_proxy_shared_secret = <replaceable>METADATA_PASS</replaceable>
service_neutron_metadata_proxy = true</programlisting>
<para os="opensuse;sles;rhel;centos;fedora">Set the
<literal>neutron_metadata_proxy_shared_secret</literal>
key:</para>
<screen os="opensuse;sles;rhel;centos;fedora"><prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
neutron_metadata_proxy_shared_secret <replaceable>METADATA_PASS</replaceable></userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
service_neutron_metadata_proxy true</userinput></screen>
<para>Restart the
<systemitem class="service">nova-api</systemitem> service:</para>
<screen os="debian;ubuntu"><prompt>#</prompt> <userinput>service nova-api restart</userinput></screen>
<screen os="centos;rhel;fedora;opensuse;sles"><prompt>#</prompt> <userinput>service openstack-nova-api restart</userinput></screen>
<para>On the network node, modify the metadata agent
configuration.</para>
<para os="debian;ubuntu">Edit the
<filename>/etc/neutron/metadata_agent.ini</filename> file
and modify the <literal>[DEFAULT]</literal> section:</para>
<programlisting os="debian;ubuntu" language="ini">[DEFAULT]
...
auth_url = http://<replaceable>controller</replaceable>:5000/v2.0
auth_region = regionOne
admin_tenant_name = service
admin_user = neutron
admin_password = <replaceable>NEUTRON_PASS</replaceable>
nova_metadata_ip = <replaceable>controller</replaceable>
metadata_proxy_shared_secret = <replaceable>METADATA_PASS</replaceable></programlisting>
<para os="opensuse;sles;rhel;centos;fedora">Set the required
keys:</para>
<screen os="opensuse;sles;rhel;centos;fedora"><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT \
auth_url http://<replaceable>controller</replaceable>:5000/v2.0</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT \
auth_region regionOne</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT \
admin_tenant_name service</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT \
admin_user neutron</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT \
admin_password <replaceable>NEUTRON_PASS</replaceable></userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT \
nova_metadata_ip <replaceable>controller</replaceable></userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT \
metadata_proxy_shared_secret <replaceable>METADATA_PASS</replaceable></userinput></screen>
<note>
<para>The value of <literal>auth_region</literal> is
case-sensitive and must match the endpoint region defined
in Keystone.</para>
</note>
<note>
<para>If you serve the OpenStack Networking API over HTTPS with
self-signed certificates, you must perform additional configuration
for the metadata agent because Networking cannot validate the SSL
certificates from the service catalog.</para>
<para os="debian;ubuntu">Add this statement to the
<literal>[DEFAULT]</literal> section:</para>
<programlisting os="debian;ubuntu" language="ini">
neutron_insecure = True</programlisting>
<para os="opensuse;sles;rhel;centos;fedora">Set the required keys:</para>
<screen os="opensuse;sles;rhel;centos;fedora"><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT neutron_insecure True</userinput></screen>
</note>
</step>
</procedure>
<procedure>
<title>Finalize installation</title>
<step os="rhel;centos;fedora">
<para>The <systemitem class="service">neutron-server</systemitem>
initialization script expects a symbolic link
<filename>/etc/neutron/plugin.ini</filename> pointing to the
configuration file associated with your chosen plug-in. Using
Open vSwitch, for example, the symbolic link must point to
<filename>/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini</filename>.
If this symbolic link does not exist, create it using the
following commands:</para>
<screen><prompt>#</prompt> <userinput>cd /etc/neutron</userinput>
<prompt>#</prompt> <userinput>ln -s plugins/openvswitch/ovs_neutron_plugin.ini plugin.ini</userinput></screen>
</step>
<step os="sles;opensuse">
<para>The <systemitem class="service">openstack-neutron</systemitem>
initialization script expects the variable
<literal>NEUTRON_PLUGIN_CONF</literal> in file
<filename>/etc/sysconfig/neutron</filename> to reference the
configuration file associated with your chosen plug-in. Using
Open vSwitch, for example, edit the
<filename>/etc/sysconfig/neutron</filename> file and add the
following:</para>
<programlisting>NEUTRON_PLUGIN_CONF="/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini"</programlisting>
</step>
<step>
<para>Restart Networking services.</para>
<screen os="ubuntu;debian"><prompt>#</prompt> <userinput>service neutron-dhcp-agent restart</userinput>
<prompt>#</prompt> <userinput>service neutron-l3-agent restart</userinput>
<prompt>#</prompt> <userinput>service neutron-metadata-agent restart</userinput>
<prompt>#</prompt> <userinput>service neutron-plugin-openvswitch-agent restart</userinput></screen>
<screen os="rhel;centos;fedora"><prompt>#</prompt> <userinput>service neutron-dhcp-agent restart</userinput>
<prompt>#</prompt> <userinput>service neutron-l3-agent restart</userinput>
<prompt>#</prompt> <userinput>service neutron-metadata-agent restart</userinput>
<prompt>#</prompt> <userinput>service neutron-openvswitch-agent restart</userinput></screen>
<screen os="sles;opensuse"><prompt>#</prompt> <userinput>service openstack-neutron-dhcp-agent restart</userinput>
<prompt>#</prompt> <userinput>service openstack-neutron-l3-agent restart</userinput>
<prompt>#</prompt> <userinput>service openstack-neutron-metadata-agent restart</userinput>
<prompt>#</prompt> <userinput>service openstack-neutron-openvswitch-agent restart</userinput></screen>
</step>
</procedure>
</section>
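Review bot: The metadata agent step under "Configure the agents" is independent of the OVS plug-in but is deleted along with it, and it holds the security-relevant settings in this file. It is where <literal>neutron_metadata_proxy_shared_secret</literal> in <filename>/etc/nova/nova.conf</filename> is paired with <literal>metadata_proxy_shared_secret</literal> in <filename>/etc/neutron/metadata_agent.ini</filename>, and where <literal>neutron_insecure = True</literal> is scoped to the self-signed certificate case. Please confirm the remaining guide still documents the shared secret on both the controller and the network node and keeps the <literal>neutron_insecure</literal> note tied to that one case. The <literal>br-ex</literal> warning about losing the remote session when <replaceable>EXTERNAL_INTERFACE</replaceable> holds the management IP is also introduced with "No matter which networking technology you use", so it should survive somewhere. As the commit has no additions, check that nothing still includes or links to <literal>xml:id="neutron-network-node"</literal>.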