diff --git a/doc/glossary/glossary-terms.xml b/doc/glossary/glossary-terms.xml
index 043ed6d387..e908978dd8 100644
--- a/doc/glossary/glossary-terms.xml
+++ b/doc/glossary/glossary-terms.xml
@@ -2093,6 +2093,14 @@
passes network traffic between different networks.
+
+ Generic Routing Encapsulation (GRE)
+
+ Protocol that encapsulates a wide variety of network
+ layer protocols inside virtual point-to-point links.
+
+
+ glance
diff --git a/doc/install-guide/ch_networking.xml b/doc/install-guide/ch_networking.xml
index e9a42809aa..0c64440826 100644
--- a/doc/install-guide/ch_networking.xml
+++ b/doc/install-guide/ch_networking.xml
@@ -32,9 +32,24 @@
Networking (neutron)
-
-
-
+
+ Open vSwitch (OVS) plug-in
+
+ We recommend using the Open vSwitch (OVS) plug-in until we
+ complete documentation for the Modular Layer 2 (ML2) plug-in.
+
+
+
+
+
+
+ Modular Layer 2 (ML2) plug-in
+
+ We are adding this documentation for Icehouse. Until complete,
+ we recommend using the Open vSwitch (OVS) plug-in.
+
+
+
diff --git a/doc/install-guide/section_neutron-ml2-controller-node.xml b/doc/install-guide/section_neutron-ml2-controller-node.xml
new file mode 100644
index 0000000000..1ab21a6337
--- /dev/null
+++ b/doc/install-guide/section_neutron-ml2-controller-node.xml
@@ -0,0 +1,495 @@
+
+
+ Configure controller node
+
+ Prerequisites
+ Before you configure
+ Networking, you must create Identity service credentials including a
+ user and service.
+ Before you configure Networking, you must create a
+ database and Identity service credentials including a user and
+ service.
+
+ Connect to the database as the root user, create the
+ neutron database, and grant the proper
+ access to it:
+ Replace NEUTRON_DBPASS with a suitable
+ password.
+ $mysql -u root -p
+mysql>CREATE DATABASE neutron;
+mysql>GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'localhost' \
+IDENTIFIED BY 'NEUTRON_DBPASS';
+mysql>GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'%' \
+IDENTIFIED BY 'NEUTRON_DBPASS';
+
+
+ Create Identity service credentials for Networking:
+
+
+ Create the neutron user:
+ Replace NEUTRON_PASS with a suitable
+ password and neutron@example.com with
+ a suitable e-mail address.
+ $keystone user-create --name neutron --pass NEUTRON_PASS --email neutron@example.com
+
+
+ Link the neutron user to the
+ service tenant and admin
+ role:
+ $keystone user-role-add --user neutron --tenant service --role admin
+
+
+ Create the neutron service:
+ $keystone service-create --name neutron --type network --description "OpenStack Networking"
+
+
+ Create the service endpoint:
+ $keystone endpoint-create \
+ --service-id $(keystone service-list | awk '/ network / {print $2}') \
+ --publicurl http://controller:9696 \
+ --adminurl http://controller:9696 \
+ --internalurl http://controller:9696
+
+
+
+
+
+ To install the Networking components:
+
+ #apt-get install neutron-server neutron-plugin-ml2
+ #yum install openstack-neutron openstack-neutron-ml2
+ #zypper install openstack-neutron openstack-neutron-server
+
+ SUSE does not use a separate ML2 plug-in package.
+
+
+
+
+ To configure the Networking server component:
+ The Networking server component configuration includes the database,
+ authentication mechanism, messaging service, topology change notifier,
+ and plug-in.
+
+ Respond to prompts for
+ database management,
+ Identity service
+ credentials,
+ service endpoint
+ registration, and
+ messaging service
+ credentials.
+
+
+ Configure Networking to use the database:
+ Replace NEUTRON_DBPASS with a suitable
+ password.
+ #openstack-config --set /etc/neutron/neutron.conf database connection \
+ mysql://neutron:NEUTRON_DBPASS@controller/neutron
+
+
+ Configure Networking to use the database:
+
+
+ Edit the /etc/neutron/neutron.conf
+ file and add the following key to the
+ [database] section:
+ Replace NEUTRON_DBPASS with the
+ password you chose for the database.
+ [database]
+...
+connection = mysql://neutron:NEUTRON_DBPASS@controller/neutron
+
+
+
+
+ Configure Networking to use the Identity service for
+ authentication:
+ Replace NEUTRON_PASS with the
+ password you chose for the neutron user
+ in the Identity service.
+ #openstack-config --set /etc/neutron/neutron.conf DEFAULT \
+ auth_strategy keystone
+#openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
+ auth_uri http://controller:5000
+#openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
+ auth_host controller
+#openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
+ auth_protocol http
+#openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
+ auth_port 35357
+#openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
+ admin_tenant_name service
+#openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
+ admin_user neutron
+#openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
+ admin_password NEUTRON_PASS
+
+
+ Configure Networking to use the Identity service for
+ authentication:
+
+
+ Edit the /etc/neutron/neutron.conf
+ file and add the following key to the
+ [DEFAULT] section:
+ [DEFAULT]
+...
+auth_strategy = keystone
+ Add the following keys to the
+ [keystone_authtoken] section:
+ Replace NEUTRON_PASS with the
+ password you chose for the neutron user
+ in the Identity service.
+ [keystone_authtoken]
+...
+auth_uri = http://controller:5000
+auth_host = controller
+auth_protocol = http
+auth_port = 35357
+admin_tenant_name = service
+admin_user = neutron
+admin_password = NEUTRON_PASS
+
+
+
+
+ Configure Networking to use the messaging service:
+ Replace RABBIT_PASS with the password
+ you chose for the guest account in
+ RabbitMQ.
+ #openstack-config --set /etc/neutron/neutron.conf DEFAULT \
+ rpc_backend neutron.openstack.common.rpc.impl_kombu
+#openstack-config --set /etc/neutron/neutron.conf DEFAULT \
+ rabbit_host controller
+#openstack-config --set /etc/neutron/neutron.conf DEFAULT \
+ rabbit_userid guest
+#openstack-config --set /etc/neutron/neutron.conf DEFAULT \
+ rabbit_password RABBIT_PASS
+
+
+ Configure Networking to use the messaging service:
+ #openstack-config --set /etc/neutron/neutron.conf DEFAULT \
+ rpc_backend neutron.openstack.common.rpc.impl_qpid
+#openstack-config --set /etc/neutron/neutron.conf DEFAULT \
+ qpid_hostname controller
+#openstack-config --set /etc/neutron/neutron.conf DEFAULT \
+ qpid_port 5672
+#openstack-config --set /etc/neutron/neutron.conf DEFAULT \
+ qpid_username guest
+#openstack-config --set /etc/neutron/neutron.conf DEFAULT \
+ qpid_password guest
+
+
+ Configure Networking to use the messaging service:
+
+
+ Edit the /etc/neutron/neutron.conf file
+ and add the following keys to the [DEFAULT]
+ section:
+ Replace RABBIT_PASS with the
+ password you chose for the guest account in
+ RabbitMQ.
+ [DEFAULT]
+...
+rpc_backend = neutron.openstack.common.rpc.impl_kombu
+rabbit_host = controller
+rabbit_password = RABBIT_PASS
+
+
+
+
+ Configure Networking to notify Compute about network topology
+ changes:
+ Replace SERVICE_TENANT_ID with the
+ service tenant identifier (id) in the Identity
+ service and NOVA_PASS with the password
+ you chose for the nova user in the Identity
+ service.
+ #openstack-config --set /etc/neutron/neutron.conf DEFAULT \
+ notify_nova_on_port_status_changes True
+#openstack-config --set /etc/neutron/neutron.conf DEFAULT \
+ notify_nova_on_port_data_changes True
+#openstack-config --set /etc/neutron/neutron.conf DEFAULT \
+ nova_url http://controller:8774/v2
+#openstack-config --set /etc/neutron/neutron.conf DEFAULT \
+ nova_admin_username nova
+#openstack-config --set /etc/neutron/neutron.conf DEFAULT \
+ nova_admin_tenant_id SERVICE_TENANT_ID
+#openstack-config --set /etc/neutron/neutron.conf DEFAULT \
+ nova_admin_password NOVA_PASS
+#openstack-config --set /etc/neutron/neutron.conf DEFAULT \
+ nova_admin_auth_url http://controller:35357/v2.0
+
+ To obtain the service tenant
+ identifier (id):
+ $source admin-openrc.sh
+$keystone tenant-get service
++-------------+----------------------------------+
+| Property | Value |
++-------------+----------------------------------+
+| description | Service Tenant |
+| enabled | True |
+| id | f727b5ec2ceb4d71bad86dfc414449bf |
+| name | service |
++-------------+----------------------------------+
+
+
+
+ Configure Networking to notify Compute about network topology
+ changes:
+ Replace SERVICE_TENANT_ID with the
+ service tenant identifier (id) in the Identity
+ service and NOVA_PASS with the password
+ you chose for the nova user in the Identity
+ service.
+
+
+ Edit the /etc/neutron/neutron.conf file
+ and add the following keys to the [DEFAULT]
+ section:
+ [DEFAULT]
+...
+notify_nova_on_port_status_changes = True
+notify_nova_on_port_data_changes = True
+nova_url = http://controller:8774/v2
+nova_admin_username = nova
+nova_admin_tenant_id = SERVICE_TENANT_ID
+nova_admin_password = NOVA_PASS
+nova_admin_auth_url = http://controller:35357/v2.0
+
+
+
+ To obtain the service tenant
+ identifier (id):
+ $source admin-openrc.sh
+$keystone tenant-get service
++-------------+----------------------------------+
+| Property | Value |
++-------------+----------------------------------+
+| description | Service Tenant |
+| enabled | True |
+| id | f727b5ec2ceb4d71bad86dfc414449bf |
+| name | service |
++-------------+----------------------------------+
+
+
+
+ Configure Networking to use the Modular Layer 2 (ML2) plug-in
+ and associated services:
+ #openstack-config --set /etc/neutron/neutron.conf DEFAULT \
+ core_plugin neutron.plugins.ml2.plugin.Ml2Plugin
+#openstack-config --set /etc/neutron/neutron.conf DEFAULT \
+ service_plugins neutron.services.l3_router.l3_router_plugin.L3RouterPlugin
+
+ You must comment out any lines in the
+ [service_providers] section.
+
+
+ We recommend adding verbose = True to
+ the [DEFAULT] section in
+ /etc/neutron/neutron.conf to assist with
+ troubleshooting.
+
+
+
+ Configure Networking to use the Modular Layer 2 (ML2) plug-in
+ and associated services:
+
+
+ Edit the /etc/neutron/neutron.conf file
+ and add the following keys to the [DEFAULT]
+ section:
+ [DEFAULT]
+...
+core_plugin = ml2
+service_plugins = router
+allow_overlapping_ips = True
+
+
+
+ You must comment out any lines in the
+ [service_providers] section.
+
+
+ We recommend adding verbose = True to
+ the [DEFAULT] section in
+ /etc/neutron/neutron.conf to assist with
+ troubleshooting.
+
+
+
+
+ To configure the Modular Layer 2 (ML2) plug-in:
+ The ML2 plug-in uses the Open vSwitch (OVS) mechanism (agent) to
+ build the virtual networking framework for instances. However, the
+ controller node does not need the OVS agent or service because it
+ does not handle instance network traffic.
+
+ Run the following commands:
+ #openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini ml2 \
+ type_drivers gre
+#openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini ml2 \
+ tenant_network_types gre
+#openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini ml2 \
+ mechanism_drivers openvswitch
+#openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini ml2_type_gre \
+ tunnel_id_ranges 1:1000
+#openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini securitygroup \
+ firewall_driver neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
+#openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini security_group \
+ enable_security_group True
+
+
+ Edit the
+ /etc/neutron/plugins/ml2/ml2_conf.ini
+ file:
+ Add the following keys to the [ml2]
+ section:
+ [ml2]
+...
+type_drivers = gre
+tenant_network_types = gre
+mechanism_drivers = openvswitch
+ Add the following key to the
+ [ml2_type_gre] section:
+ [ml2_type_gre]
+...
+tunnel_id_ranges = 1:1000
+ Add the [securitygroup] section and the
+ following keys to it:
+ [securitygroup]
+...
+firewall_driver=neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
+ Add the following key to the
+ [security_group] section:
+ [security_group]
+...
+enable_security_group = True
+
+
+
+ To configure Compute to use Networking:
+ By default, most distributions configure Compute to use legacy
+ networking. You must reconfigure Compute to manage networks through
+ OpenStack Networking.
+
+ Run the following commands:
+ Replace NEUTRON_PASS with the
+ password you chose for the neutron user
+ in the Identity service.
+ #openstack-config --set /etc/nova/nova.conf DEFAULT \
+ network_api_class nova.network.neutronv2.api.API
+#openstack-config --set /etc/nova/nova.conf DEFAULT \
+ neutron_url http://controller:9696
+#openstack-config --set /etc/nova/nova.conf DEFAULT \
+ neutron_auth_strategy keystone
+#openstack-config --set /etc/nova/nova.conf DEFAULT \
+ neutron_admin_tenant_name service
+#openstack-config --set /etc/nova/nova.conf DEFAULT \
+ neutron_admin_username neutron
+#openstack-config --set /etc/nova/nova.conf DEFAULT \
+ neutron_admin_password NEUTRON_PASS
+#openstack-config --set /etc/nova/nova.conf DEFAULT \
+ neutron_admin_auth_url http://controller:35357/v2.0
+#openstack-config --set /etc/nova/nova.conf DEFAULT \
+ linuxnet_interface_driver nova.network.linux_net.LinuxOVSInterfaceDriver
+#openstack-config --set /etc/nova/nova.conf DEFAULT \
+ firewall_driver nova.virt.firewall.NoopFirewallDriver
+#openstack-config --set /etc/nova/nova.conf DEFAULT \
+ security_group_api neutron
+
+ By default, Compute uses an internal firewall service. Since
+ Networking includes a firewall service, you must disable the
+ Compute firewall service by using the
+ nova.virt.firewall.NoopFirewallDriver firewall
+ driver.
+
+
+
+ Edit the /etc/nova/nova.conf and add the
+ following keys to the [DEFAULT] section:
+ Replace NEUTRON_PASS with the
+ password you chose for the neutron user
+ in the Identity service.
+ [DEFAULT]
+...
+network_api_class = nova.network.neutronv2.api.API
+neutron_url = http://controller:9696
+neutron_auth_strategy = keystone
+neutron_admin_tenant_name = service
+neutron_admin_username = neutron
+neutron_admin_password = NEUTRON_PASS
+neutron_admin_auth_url = http://controller:35357/v2.0
+linuxnet_interface_driver = nova.network.linux_net.LinuxOVSInterfaceDriver
+firewall_driver = nova.virt.firewall.NoopFirewallDriver
+security_group_api = neutron
+
+ By default, Compute uses an internal firewall service. Since
+ Networking includes a firewall service, you must disable the
+ Compute firewall service by using the
+ nova.virt.firewall.NoopFirewallDriver firewall
+ driver.
+
+
+
+
+ To finalize installation:
+
+ The Networking service initialization scripts expect a symbolic
+ link /etc/neutron/plugin.ini pointing to the
+ configuration file associated with your chosen plug-in. Using
+ ML2, for example, the symbolic link must point to
+ /etc/neutron/plugins/ml2/ml2_conf.ini.
+ If this symbolic link does not exist, create it using the
+ following commands:
+ #cd /etc/neutron
+#ln -s plugins/ml2/ml2_conf.ini plugin.ini
+
+
+ The Networking service initialization scripts expect the variable
+ NEUTRON_PLUGIN_CONF in file
+ /etc/sysconfig/neutron to reference the
+ configuration file associated with your chosen plug-in. Using
+ ML2, for example, edit the
+ /etc/sysconfig/neutron file and add the
+ following:
+ NEUTRON_PLUGIN_CONF="/etc/neutron/plugins/ml2/ml2_conf.ini"
+
+
+ Populate the Networking database:
+ Replace NEUTRON_DBPASS with the
+ password you chose for the database.
+ #openstack-db --init --service neutron --password NEUTRON_DBPASS
+
+
+
+ Restart the Compute services:
+ #service openstack-nova-api restart
+#service openstack-nova-scheduler restart
+#service openstack-nova-conductor restart
+ #service nova-api restart
+#service nova-scheduler restart
+#service nova-conductor restart
+
+
+ Start the Networking service and configure it to start when the
+ system boots:
+ #service neutron-server start
+#chkconfig neutron-server on
+ #service openstack-neutron start
+#chkconfig openstack-neutron on
+
+
+ Restart the Networking service:
+ #service neutron-server restart
+
+
+
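Review bot: The ML2 plug-in step writes `firewall_driver` to a `securitygroup` section but `enable_security_group` to a `security_group` section, in both the `openstack-config` commands and the hand-edited `ml2_conf.ini` listing, so one of the two keys will probably land in a section the service never reads. As far as I know neutron reads both options from `[securitygroup]`; if so, the last command should be `openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini securitygroup enable_security_group True`, and the listing should put `enable_security_group = True` under `[securitygroup]` rather than adding a second section. This matters because the Compute step then sets `firewall_driver = nova.virt.firewall.NoopFirewallDriver`, which leaves Networking as the only packet filter in front of instances. Separately, the two `neutron.conf` variants disagree: one sets `core_plugin` and `service_plugins` to full class paths, the other to `ml2` and `router` plus `allow_overlapping_ips = True`. They should be aligned, or the difference explained.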