From 117606139c79b74658d5988a8584d3b1146e7ed2 Mon Sep 17 00:00:00 2001 From: Matthew Kassawara Date: Wed, 2 Mar 2016 12:55:37 -0700 Subject: [PATCH] Install: Neutron updates for Mitaka Update neutron content for Mitaka. 1) Change 'public' to 'provider' and 'private' to 'self-service' to improve distinction between these networks using neutronish terms. 2) Remove explicit installation of some packages due to dependency fixes. 3) Remove explicit configuration of verbosity. 4) Remove explicit configuration of ARP spoofing protection. 5) Remove extraneous configuration for the metadata agent. 6) Remove extraneous configuration for nova-neutron interaction. 7) Reduce discussion of MTU because Mitaka fixes most of the issues, but we still need to explain the most limitation of overlay networks. 8) Generally improve wording. Implements: blueprint installguide-mitaka Change-Id: I3beff125b2eb8d264048530dc3bad7d346d2828b --- .../source/environment-networking.rst | 2 + .../neutron-compute-install-option1.rst | 22 ++-- .../neutron-compute-install-option2.rst | 25 ++-- .../source/neutron-compute-install.rst | 13 +- .../neutron-controller-install-option1.rst | 59 +++------ .../neutron-controller-install-option2.rst | 119 +++--------------- .../source/neutron-controller-install.rst | 58 +++------ doc/install-guide/source/neutron-verify.rst | 4 + 8 files changed, 75 insertions(+), 227 deletions(-) diff --git a/doc/install-guide/source/environment-networking.rst b/doc/install-guide/source/environment-networking.rst index 02905aff8d..3312ed87d8 100644 --- a/doc/install-guide/source/environment-networking.rst +++ b/doc/install-guide/source/environment-networking.rst @@ -1,3 +1,5 @@ +.. _environment-networking: + Host networking ~~~~~~~~~~~~~~~ diff --git a/doc/install-guide/source/neutron-compute-install-option1.rst b/doc/install-guide/source/neutron-compute-install-option1.rst index a18e83e8a1..101dd7bdcd 100644 --- a/doc/install-guide/source/neutron-compute-install-option1.rst 
+++ b/doc/install-guide/source/neutron-compute-install-option1.rst @@ -7,22 +7,22 @@ Configure the Linux bridge agent -------------------------------- The Linux bridge agent builds layer-2 (bridging and switching) virtual -networking infrastructure for instances including VXLAN tunnels for private -networks and handles security groups. +networking infrastructure for instances and handles security groups. * Edit the ``/etc/neutron/plugins/ml2/linuxbridge_agent.ini`` file and complete the following actions: - * In the ``[linux_bridge]`` section, map the public virtual network to the - public physical network interface: + * In the ``[linux_bridge]`` section, map the provider virtual network to the + provider physical network interface: .. code-block:: ini [linux_bridge] - physical_interface_mappings = public:PUBLIC_INTERFACE_NAME + physical_interface_mappings = provider:PROVIDER_INTERFACE_NAME - Replace ``PUBLIC_INTERFACE_NAME`` with the name of the underlying physical - public network interface. + Replace ``PROVIDER_INTERFACE_NAME`` with the name of the underlying + provider physical network interface. See :ref:`environment-networking` + for more information. * In the ``[vxlan]`` section, disable VXLAN overlay networks: @@ -31,14 +31,6 @@ networks and handles security groups. [vxlan] enable_vxlan = False - * In the ``[agent]`` section, enable ARP spoofing protection: - - .. code-block:: ini - - [agent] - ... - prevent_arp_spoofing = True - * In the ``[securitygroup]`` section, enable security groups and configure the Linux bridge :term:`iptables` firewall driver: diff --git a/doc/install-guide/source/neutron-compute-install-option2.rst b/doc/install-guide/source/neutron-compute-install-option2.rst index 3d253cecc0..8bcfe44979 100644 --- a/doc/install-guide/source/neutron-compute-install-option2.rst +++ b/doc/install-guide/source/neutron-compute-install-option2.rst 
@@ -7,22 +7,22 @@ Configure the Linux bridge agent -------------------------------- The Linux bridge agent builds layer-2 (bridging and switching) virtual -networking infrastructure for instances including VXLAN tunnels for private -networks and handles security groups. +networking infrastructure for instances and handles security groups. * Edit the ``/etc/neutron/plugins/ml2/linuxbridge_agent.ini`` file and complete the following actions: - * In the ``[linux_bridge]`` section, map the public virtual network to the - public physical network interface: + * In the ``[linux_bridge]`` section, map the provider virtual network to the + provider physical network interface: .. code-block:: ini [linux_bridge] - physical_interface_mappings = public:PUBLIC_INTERFACE_NAME + physical_interface_mappings = provider:PROVIDER_INTERFACE_NAME - Replace ``PUBLIC_INTERFACE_NAME`` with the name of the underlying physical - public network interface. + Replace ``PROVIDER_INTERFACE_NAME`` with the name of the underlying + provider physical network interface. See :ref:`environment-networking` + for more information. * In the ``[vxlan]`` section, enable VXLAN overlay networks, configure the IP address of the physical network interface that handles overlay @@ -39,15 +39,8 @@ networks and handles security groups. underlying physical network interface that handles overlay networks. The example architecture uses the management interface to tunnel traffic to the other nodes. Therefore, replace ``OVERLAY_INTERFACE_IP_ADDRESS`` with - each node's own management IP address. - - * In the ``[agent]`` section, enable ARP spoofing protection: - - .. code-block:: ini - - [agent] - ... - prevent_arp_spoofing = True + the management IP address of the compute node. See + :ref:`environment-networking` for more information. * In the ``[securitygroup]`` section, enable security groups and configure the Linux bridge :term:`iptables` firewall driver: 
diff --git a/doc/install-guide/source/neutron-compute-install.rst b/doc/install-guide/source/neutron-compute-install.rst index b64e19c225..37098d5e59 100644 --- a/doc/install-guide/source/neutron-compute-install.rst +++ b/doc/install-guide/source/neutron-compute-install.rst @@ -19,13 +19,13 @@ Install the components .. code-block:: console - # yum install openstack-neutron openstack-neutron-linuxbridge ebtables ipset + # yum install openstack-neutron-linuxbridge ebtables .. only:: obs .. code-block:: console - # zypper install --no-recommends openstack-neutron-linuxbridge-agent ipset + # zypper install --no-recommends openstack-neutron-linuxbridge-agent .. only:: debian @@ -123,15 +123,6 @@ authentication mechanism, message queue, and plug-in. ... lock_path = /var/lib/neutron/tmp - * (Optional) To assist with troubleshooting, enable verbose logging in the - ``[DEFAULT]`` section: - - .. code-block:: ini - - [DEFAULT] - ... - verbose = True - Configure networking options ---------------------------- diff --git a/doc/install-guide/source/neutron-controller-install-option1.rst b/doc/install-guide/source/neutron-controller-install-option1.rst index ba398f8354..e7c2fc3168 100644 --- a/doc/install-guide/source/neutron-controller-install-option1.rst +++ b/doc/install-guide/source/neutron-controller-install-option1.rst @@ -12,7 +12,7 @@ Install the components # apt-get install neutron-server neutron-plugin-ml2 \ neutron-plugin-linuxbridge-agent neutron-dhcp-agent \ - neutron-metadata-agent python-neutronclient conntrack + neutron-metadata-agent conntrack .. only:: debian @@ -42,7 +42,7 @@ Install the components .. code-block:: console # yum install openstack-neutron openstack-neutron-ml2 \ - openstack-neutron-linuxbridge python-neutronclient ebtables ipset + openstack-neutron-linuxbridge ebtables .. only:: obs 
@@ -50,8 +50,7 @@ Install the components # zypper install --no-recommends openstack-neutron \ openstack-neutron-server openstack-neutron-linuxbridge-agent \ - openstack-neutron-dhcp-agent openstack-neutron-metadata-agent \ - ipset + openstack-neutron-dhcp-agent openstack-neutron-metadata-agent .. only:: debian @@ -78,7 +77,6 @@ Install the components ... notify_nova_on_port_status_changes = True notify_nova_on_port_data_changes = True - nova_url = http://controller:8774/v2 [nova] ... @@ -185,7 +183,6 @@ Install the components ... notify_nova_on_port_status_changes = True notify_nova_on_port_data_changes = True - nova_url = http://controller:8774/v2 [nova] ... @@ -211,15 +208,6 @@ Install the components ... lock_path = /var/lib/neutron/tmp - * (Optional) To assist with troubleshooting, enable verbose logging in - the ``[DEFAULT]`` section: - - .. code-block:: ini - - [DEFAULT] - ... - verbose = True - Configure the Modular Layer 2 (ML2) plug-in ------------------------------------------- @@ -237,7 +225,7 @@ and switching) virtual networking infrastructure for instances. ... type_drivers = flat,vlan - * In the ``[ml2]`` section, disable project (private) networks: + * In the ``[ml2]`` section, disable self-service networks: .. code-block:: ini @@ -266,14 +254,14 @@ and switching) virtual networking infrastructure for instances. ... extension_drivers = port_security - * In the ``[ml2_type_flat]`` section, configure the public flat provider - network: + * In the ``[ml2_type_flat]`` section, configure the provider virtual + network as a flat network: .. code-block:: ini [ml2_type_flat] ... - flat_networks = public + flat_networks = provider * In the ``[securitygroup]`` section, enable :term:`ipset` to increase efficiency of security group rules: 
@@ -288,22 +276,22 @@ Configure the Linux bridge agent -------------------------------- The Linux bridge agent builds layer-2 (bridging and switching) virtual -networking infrastructure for instances including VXLAN tunnels for private -networks and handles security groups. +networking infrastructure for instances and handles security groups. * Edit the ``/etc/neutron/plugins/ml2/linuxbridge_agent.ini`` file and complete the following actions: - * In the ``[linux_bridge]`` section, map the public virtual network to the - public physical network interface: + * In the ``[linux_bridge]`` section, map the provider virtual network to the + provider physical network interface: .. code-block:: ini [linux_bridge] - physical_interface_mappings = public:PUBLIC_INTERFACE_NAME + physical_interface_mappings = provider:PROVIDER_INTERFACE_NAME - Replace ``PUBLIC_INTERFACE_NAME`` with the name of the underlying physical - public network interface. + Replace ``PROVIDER_INTERFACE_NAME`` with the name of the underlying + provider physical network interface. See :ref:`environment-networking` + for more information. * In the ``[vxlan]`` section, disable VXLAN overlay networks: @@ -312,14 +300,6 @@ networks and handles security groups. [vxlan] enable_vxlan = False - * In the ``[agent]`` section, enable ARP spoofing protection: - - .. code-block:: ini - - [agent] - ... - prevent_arp_spoofing = True - * In the ``[securitygroup]`` section, enable security groups and configure the Linux bridge :term:`iptables` firewall driver: @@ -339,7 +319,7 @@ The :term:`DHCP agent` provides DHCP services for virtual networks. actions: * In the ``[DEFAULT]`` section, configure the Linux bridge interface driver, - Dnsmasq DHCP driver, and enable isolated metadata so instances on public + Dnsmasq DHCP driver, and enable isolated metadata so instances on provider networks can access metadata over the network: .. code-block:: ini 
@@ -350,15 +330,6 @@ The :term:`DHCP agent` provides DHCP services for virtual networks. dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq enable_isolated_metadata = True - * (Optional) To assist with troubleshooting, enable verbose logging in the - ``[DEFAULT]`` section: - - .. code-block:: ini - - [DEFAULT] - ... - verbose = True - Return to :ref:`Networking controller node configuration `. diff --git a/doc/install-guide/source/neutron-controller-install-option2.rst b/doc/install-guide/source/neutron-controller-install-option2.rst index 001a5972ab..6a936f134b 100644 --- a/doc/install-guide/source/neutron-controller-install-option2.rst +++ b/doc/install-guide/source/neutron-controller-install-option2.rst @@ -12,14 +12,14 @@ Install the components # apt-get install neutron-server neutron-plugin-ml2 \ neutron-plugin-linuxbridge-agent neutron-l3-agent neutron-dhcp-agent \ - neutron-metadata-agent python-neutronclient conntrack + neutron-metadata-agent conntrack .. only:: rdo .. code-block:: console # yum install openstack-neutron openstack-neutron-ml2 \ - openstack-neutron-linuxbridge python-neutronclient ebtables ipset + openstack-neutron-linuxbridge ebtables .. only:: obs @@ -28,7 +28,7 @@ Install the components # zypper install --no-recommends openstack-neutron \ openstack-neutron-server openstack-neutron-linuxbridge-agent \ openstack-neutron-l3-agent openstack-neutron-dhcp-agent \ - openstack-neutron-metadata-agent ipset + openstack-neutron-metadata-agent .. only:: debian @@ -144,7 +144,6 @@ Install the components ... notify_nova_on_port_status_changes = True notify_nova_on_port_data_changes = True - nova_url = http://controller:8774/v2 [nova] ... 
@@ -170,15 +169,6 @@ Install the components ... lock_path = /var/lib/neutron/tmp - * (Optional) To assist with troubleshooting, enable verbose logging in - the ``[DEFAULT]`` section: - - .. code-block:: ini - - [DEFAULT] - ... - verbose = True - Configure the Modular Layer 2 (ML2) plug-in ------------------------------------------- @@ -196,7 +186,7 @@ and switching) virtual networking infrastructure for instances. ... type_drivers = flat,vlan,vxlan - * In the ``[ml2]`` section, enable VXLAN project (private) networks: + * In the ``[ml2]`` section, enable VXLAN self-service networks: .. code-block:: ini @@ -230,17 +220,17 @@ and switching) virtual networking infrastructure for instances. ... extension_drivers = port_security - * In the ``[ml2_type_flat]`` section, configure the public flat provider - network: + * In the ``[ml2_type_flat]`` section, configure the provider virtual + network as a flat network: .. code-block:: ini [ml2_type_flat] ... - flat_networks = public + flat_networks = provider * In the ``[ml2_type_vxlan]`` section, configure the VXLAN network identifier - range for private networks: + range for self-service networks: .. code-block:: ini 
@@ -261,22 +251,22 @@ Configure the Linux bridge agent -------------------------------- The Linux bridge agent builds layer-2 (bridging and switching) virtual -networking infrastructure for instances including VXLAN tunnels for private -networks and handles security groups. +networking infrastructure for instances and handles security groups. * Edit the ``/etc/neutron/plugins/ml2/linuxbridge_agent.ini`` file and complete the following actions: - * In the ``[linux_bridge]`` section, map the public virtual network to the - public physical network interface: + * In the ``[linux_bridge]`` section, map the provider virtual network to the + provider physical network interface: .. code-block:: ini [linux_bridge] - physical_interface_mappings = public:PUBLIC_INTERFACE_NAME + physical_interface_mappings = provider:PROVIDER_INTERFACE_NAME - Replace ``PUBLIC_INTERFACE_NAME`` with the name of the underlying physical - public network interface. + Replace ``PROVIDER_INTERFACE_NAME`` with the name of the underlying + provider physical network interface. See :ref:`environment-networking` + for more information. * In the ``[vxlan]`` section, enable VXLAN overlay networks, configure the IP address of the physical network interface that handles overlay @@ -293,15 +283,8 @@ networks and handles security groups. underlying physical network interface that handles overlay networks. The example architecture uses the management interface to tunnel traffic to the other nodes. Therefore, replace ``OVERLAY_INTERFACE_IP_ADDRESS`` with - each node's own management IP address. - - * In the ``[agent]`` section, enable ARP spoofing protection: - - .. code-block:: ini - - [agent] - ... - prevent_arp_spoofing = True + the management IP address of the controller node. See + :ref:`environment-networking` for more information. * In the ``[securitygroup]`` section, enable security groups and configure the Linux bridge :term:`iptables` firewall driver: 
@@ -316,8 +299,8 @@ networks and handles security groups. Configure the layer-3 agent --------------------------- -The :term:`Layer-3 (L3) agent` provides routing and NAT services for virtual -networks. +The :term:`Layer-3 (L3) agent` provides routing and NAT services for +self-service virtual networks. * Edit the ``/etc/neutron/l3_agent.ini`` file and complete the following actions: @@ -337,15 +320,6 @@ networks. The ``external_network_bridge`` option intentionally lacks a value to enable multiple external networks on a single agent. - * (Optional) To assist with troubleshooting, enable verbose logging in the - ``[DEFAULT]`` section: - - .. code-block:: ini - - [DEFAULT] - ... - verbose = True - Configure the DHCP agent ------------------------ @@ -355,7 +329,7 @@ The :term:`DHCP agent` provides DHCP services for virtual networks. actions: * In the ``[DEFAULT]`` section, configure the Linux bridge interface driver, - Dnsmasq DHCP driver, and enable isolated metadata so instances on public + Dnsmasq DHCP driver, and enable isolated metadata so instances on provider networks can access metadata over the network: .. code-block:: ini 
@@ -366,59 +340,6 @@ The :term:`DHCP agent` provides DHCP services for virtual networks. dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq enable_isolated_metadata = True - * (Optional) To assist with troubleshooting, enable verbose logging in the - ``[DEFAULT]`` section: - - .. code-block:: ini - - [DEFAULT] - ... - verbose = True - - Overlay networks such as VXLAN include additional packet headers that - increase overhead and decrease space available for the payload or user - data. Without knowledge of the virtual network infrastructure, instances - attempt to send packets using the default Ethernet :term:`maximum - transmission unit (MTU)` of 1500 bytes. :term:`Internet protocol (IP)` - networks contain the :term:`path MTU discovery (PMTUD)` mechanism to detect - end-to-end MTU and adjust packet size accordingly. However, some operating - systems and networks block or otherwise lack support for PMTUD causing - performance degradation or connectivity failure. - - Ideally, you can prevent these problems by enabling :term:`jumbo frames - ` on the physical network that contains your tenant virtual - networks. Jumbo frames support MTUs up to approximately 9000 bytes which - negates the impact of VXLAN overhead on virtual networks. However, many - network devices lack support for jumbo frames and OpenStack administrators - often lack control over network infrastructure. Given the latter - complications, you can also prevent MTU problems by reducing the - instance MTU to account for VXLAN overhead. Determining the proper MTU - value often takes experimentation, but 1450 bytes works in most - environments. You can configure the DHCP server that assigns IP - addresses to your instances to also adjust the MTU. - - .. note:: - - Some cloud images ignore the DHCP MTU option in which case you - should configure it using metadata, a script, or other suitable - method. - - * In the ``[DEFAULT]`` section, enable the :term:`dnsmasq` configuration - file: - - .. 
code-block:: ini - - [DEFAULT] - ... - dnsmasq_config_file = /etc/neutron/dnsmasq-neutron.conf - - * Create and edit the ``/etc/neutron/dnsmasq-neutron.conf`` file to - enable the DHCP MTU option (26) and configure it to 1450 bytes: - - .. code-block:: ini - - dhcp-option-force=26,1450 - Return to :ref:`Networking controller node configuration `. diff --git a/doc/install-guide/source/neutron-controller-install.rst b/doc/install-guide/source/neutron-controller-install.rst index d94fb5ff0c..eabf70de67 100644 --- a/doc/install-guide/source/neutron-controller-install.rst +++ b/doc/install-guide/source/neutron-controller-install.rst 
@@ -147,20 +147,29 @@ You can deploy the Networking service using one of two architectures represented by options 1 and 2. Option 1 deploys the simplest possible architecture that only supports -attaching instances to public (provider) networks. No self-service +attaching instances to provider (external) networks. No self-service (private) networks, routers, or floating IP addresses. Only the ``admin`` or other privileged user can manage provider networks. Option 2 augments option 1 with layer-3 services that support attaching -instances to self-service (private) networks. The ``demo`` or other -unprivileged user can manage self-service networks including routers that -provide connectivity between self-service and provider networks. Additionally, +instances to self-service networks. The ``demo`` or other unprivileged +user can manage self-service networks including routers that provide +connectivity between self-service and provider networks. Additionally, floating IP addresses provide connectivity to instances using self-service networks from external networks such as the Internet. +Self-service networks typically use overlay networks. Overlay network +protocols such as VXLAN include additional headers that increase overhead +and decrease space available for the payload or user data. Without knowledge +of the virtual network infrastructure, instances attempt to send packets +using the default Ethernet :term:`maximum transmission unit (MTU)` of 1500 +bytes. The Networking service automatically provides the correct MTU value +to instances via DHCP. However, some cloud images do not use DHCP or ignore +the DHCP MTU option and require configuration using metadata or a script. + .. note:: - Option 2 also supports attaching instances to public (provider) networks. + Option 2 also supports attaching instances to provider networks. Choose one of the following networking options to configure services specific to it. Afterwards, return here and proceed to 
@@ -183,53 +192,18 @@ such as credentials to instances. * Edit the ``/etc/neutron/metadata_agent.ini`` file and complete the following actions: - * In the ``[DEFAULT]`` section, configure access parameters: - - .. code-block:: ini - - [DEFAULT] - ... - auth_uri = http://controller:5000 - auth_url = http://controller:35357 - auth_region = RegionOne - auth_type = password - project_domain_id = default - user_domain_id = default - project_name = service - username = neutron - password = NEUTRON_PASS - - Replace ``NEUTRON_PASS`` with the password you chose for the ``neutron`` - user in the Identity service. - - * In the ``[DEFAULT]`` section, configure the metadata host: - - .. code-block:: ini - - [DEFAULT] - ... - nova_metadata_ip = controller - - * In the ``[DEFAULT]`` section, configure the metadata proxy shared + * In the ``[DEFAULT]`` section, configure the metadata host and shared secret: .. code-block:: ini [DEFAULT] ... + nova_metadata_ip = controller metadata_proxy_shared_secret = METADATA_SECRET Replace ``METADATA_SECRET`` with a suitable secret for the metadata proxy. - * (Optional) To assist with troubleshooting, enable verbose logging in the - ``[DEFAULT]`` section: - - .. code-block:: ini - - [DEFAULT] - ... - verbose = True - Configure Compute to use Networking ----------------------------------- diff --git a/doc/install-guide/source/neutron-verify.rst b/doc/install-guide/source/neutron-verify.rst index b7cacbbe6f..cb841a9cba 100644 --- a/doc/install-guide/source/neutron-verify.rst +++ b/doc/install-guide/source/neutron-verify.rst @@ -45,6 +45,10 @@ Verify operation | dvr | Distributed Virtual Router | +-----------------------+-----------------------------------------------+ + .. note:: + + Actual output may differ slightly from this example. + Use the verification section for the networking option that you chose to deploy.
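
Review bot: The ``[agent]`` hunks in neutron-compute-install-option1.rst, neutron-compute-install-option2.rst, neutron-controller-install-option1.rst and neutron-controller-install-option2.rst delete ``prevent_arp_spoofing = True`` without saying what value applies once the line is gone. The commit message only states that the explicit configuration is removed. Please confirm in the commit message that the default leaves the protection enabled, and consider a short note asking operators who carry over an older linuxbridge_agent.ini to check that the option is not set to False there.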
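
Review bot: The yum and zypper lines in neutron-compute-install.rst and in both controller option files drop ``ipset``, yet the unchanged context in neutron-controller-install-option1.rst still tells the reader to enable ipset in the ``[securitygroup]`` section. The commit message attributes the removal to dependency fixes but does not say which package now pulls it in. Please confirm it arrives as a hard dependency on each distribution, in particular for the ``zypper install --no-recommends`` lines, where recommended packages are skipped.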
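
Review bot: The new MTU paragraph in neutron-controller-install.rst (hunk ``@@ -147,20 +147,29 @@``) says the Networking service "automatically provides the correct MTU value to instances via DHCP" but gives the reader no value to expect and no way to check it, while the text removed from neutron-controller-install-option2.rst named 1450 bytes and the ``dhcp-option-force=26,1450`` setting. Suggest stating the expected instance MTU for the VXLAN case or adding a check to the verification section, and pointing to a concrete method for images that ignore the DHCP MTU option. In the same hunk the unchanged line "(private) networks, routers, or floating IP addresses." keeps the old term, which conflicts with item 1 of the commit message.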
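
Review bot: The metadata agent hunk in neutron-controller-install.rst (``@@ -183,53 +192,18 @@``) removes the access parameters, including ``password = NEUTRON_PASS``, but nothing tells a reader who followed the earlier guide to delete them from an existing ``/etc/neutron/metadata_agent.ini``, so the service password would remain in that file unused. Suggest a note to remove the stale options. The remaining sentence "Replace ``METADATA_SECRET`` with a suitable secret for the metadata proxy." is also vague; it would help to say what makes a secret suitable and that it should not reuse a service password.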