openstack/openstack-manuals
Code Issues Proposed changes

Update neutron content for Juno

Browse Source 
I updated neutron content in the installation guide for Juno
as follows:

1) Renamed files and IDs since the guide no longer needs to
   differentiate between the ML2 and OVS plug-ins.
2) Removed prompts specific to MySQL because most distributions
   will use MariaDB.
3) Explicitly created endpoint with 'regionOne' region to avoid
   inconsistent defaults.
4) Replaced 'auth_*' options with 'identity_uri' option.
5) Moved neutron configuration options to [neutron] section in
   nova.conf.
6) Recommended enabling verbose logging.
7) Removed workarounds for Ubuntu 12.04.
8) Removed note about CirrOS lacking support for the DHCP MTU
   option.
9) Explicitly defined flat external network type.
10) Added example command output and updated existing command
    output.
11) Added and updated glossary terms.
12) Implemented changes from the improvements blueprint including
    structure and phrasing.

Change-Id: I13baa94585bb6e8b22d8d79043fc84cbc2514954
Implements: blueprint installation-guide-improvements
This commit is contained in:
Matthew Kassawara
2014-09-19 18:06:56 -05:00
parent e3c33fe185
commit 4744c8f987
6 changed files with 666 additions and 546 deletions
Download Patch File Download Diff File Expand all files Collapse all files

51
doc/glossary/glossary-terms.xml
View File

@@ -2642,8 +2642,8 @@
</indexterm>
<glossdef>
<para>Daemon that provides DNS, DHCP, BOOTP, and TFTP services, used
by the Compute VLAN manager and FlatDHCP manager.</para>
<para>Daemon that provides DNS, DHCP, BOOTP, and TFTP services for
virtual networks.</para>
</glossdef>
</glossentry>
@@ -3369,12 +3369,11 @@
</indexterm>
<glossdef>
<para>The Network Controller provides virtual networks to enable
compute servers to interact with each other and with the public
network. All machines must have a public and private network
interface. A flat network is a private network interface, which is
controlled by the <literal>flat_interface</literal> option with flat
managers.</para>
<para>Virtual network type that uses neither VLANs nor tunnels to
segregate tenant traffic. Each flat network typically requires
a separate underlying physical interface defined by bridge
mappings. However, a flat network can contain multiple
subnets.</para>
</glossdef>
</glossentry>
@@ -3495,9 +3494,9 @@
</glossentry>
<glossentry>
<glossterm>Generic Receive Offload (GRO)</glossterm>
<glossterm>generic receive offload (GRO)</glossterm>
<indexterm class="singular">
<primary>Generic Receive Offload (GRO)</primary>
<primary>generic receive offload (GRO)</primary>
</indexterm>
<glossdef>
<para>Feature of certain network interface drivers that
@@ -4414,9 +4413,9 @@
</glossentry>
<glossentry>
<glossterm>internet protocol (IP)</glossterm>
<glossterm>Internet protocol (IP)</glossterm>
<indexterm class="singular">
<primary>internet protocol (IP)</primary>
<primary>Internet protocol (IP)</primary>
</indexterm>
<glossdef>
@@ -5272,6 +5271,20 @@
<glossdiv>
<title>N</title>
<glossentry>
<glossterm>network namespace</glossterm>
<indexterm class="singular">
<primary>network namespace</primary>
</indexterm>
<glossdef>
<para>Linux kernel feature that provides independent virtual
networking instances on a single host with separate routing
tables and interfaces. Similar to virtual routing and forwarding
(VRF) services on physical network equipment.</para>
</glossdef>
</glossentry>
<glossentry>
<glossterm>Nebula</glossterm>
<indexterm class="singular">
@@ -5886,6 +5899,20 @@
</glossdef>
</glossentry>
<glossentry>
<glossterm>Open vSwitch (OVS) agent</glossterm>
<indexterm class="singular">
<primary>Open vSwitch (OVS) agent</primary>
</indexterm>
<glossdef>
<para>
Provides an interface to the underlying Open vSwitch service for
the Networking plug-in.
</para>
</glossdef>
</glossentry>
<glossentry>
<glossterm>Open vSwitch neutron plug-in</glossterm>
<indexterm class="singular">

13
doc/install-guide/ch_networking.xml
View File

@@ -14,7 +14,7 @@
enables you to deploy multiple network types per instance and
includes <glossterm baseform="plug-in">plug-ins</glossterm> for a
variety of products that support <glossterm>virtual
networking</glossterm>.</para>
networking</glossterm>.</para>
<para>For more information, see the <link
xlink:href="http://docs.openstack.org/admin-guide-cloud/content/ch_networking.html"
>Networking</link> chapter of the <citetitle>OpenStack Cloud
@@ -22,13 +22,10 @@
<section xml:id="section_neutron-networking">
<title>OpenStack Networking (neutron)</title>
<xi:include href="section_neutron-concepts.xml"/>
<section xml:id="section_neutron-networking-ml2">
<title>Modular Layer 2 (ML2) plug-in</title>
<xi:include href="section_neutron-ml2-controller-node.xml"/>
<xi:include href="section_neutron-ml2-network-node.xml"/>
<xi:include href="section_neutron-ml2-compute-node.xml"/>
<xi:include href="section_neutron-initial-networks.xml"/>
</section>
<xi:include href="section_neutron-controller-node.xml"/>
<xi:include href="section_neutron-network-node.xml"/>
<xi:include href="section_neutron-compute-node.xml"/>
<xi:include href="section_neutron-initial-networks.xml"/>
</section>
<section xml:id="section_nova-networking">
<title>Legacy networking (nova-network)</title>

247
doc/install-guide/section_neutron-ml2-compute-node.xml → doc/install-guide/section_neutron-compute-node.xml
View File

@@ -3,15 +3,18 @@
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink"
version="5.0"
xml:id="neutron-ml2-compute-node">
<title>Configure compute node</title>
<para>Before you install and configure OpenStack Networking, you
must configure certain kernel networking functions.</para>
xml:id="neutron-compute-node">
<title>Install and configure compute node</title>
<para>The compute node handles connectivity and
<glossterm baseform="security group">security groups</glossterm>
for instances.</para>
<procedure>
<title>To configure kernel networking functions</title>
<title>To configure prerequisites</title>
<para>Before you install and configure OpenStack Networking, you
must configure certain kernel networking parameters.</para>
<step>
<para>Edit the <filename>/etc/sysctl.conf</filename> file and
add the following lines:</para>
<para>Edit the <filename>/etc/sysctl.conf</filename> file to
contain the following parameters:</para>
<programlisting>net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.default.rp_filter=0</programlisting>
</step>
@@ -23,22 +26,14 @@ net.ipv4.conf.default.rp_filter=0</programlisting>
<procedure os="ubuntu;rhel;centos;fedora;sles;opensuse">
<title>To install the Networking components</title>
<step>
<screen os="ubuntu"><prompt>#</prompt> <userinput>apt-get install neutron-plugin-ml2 neutron-plugin-openvswitch-agent \
openvswitch-datapath-dkms</userinput></screen>
<screen os="ubuntu"><prompt>#</prompt> <userinput>apt-get install neutron-plugin-ml2 neutron-plugin-openvswitch-agent</userinput></screen>
<screen os="rhel;centos;fedora"><prompt>#</prompt> <userinput>yum install openstack-neutron-ml2 openstack-neutron-openvswitch</userinput></screen>
<screen os="sles;opensuse"><prompt>#</prompt> <userinput>zypper install openstack-neutron-openvswitch-agent</userinput></screen>
<note os="ubuntu">
<para>Ubuntu installations that use Linux kernel version 3.11
or later do not require the
<emphasis>openvswitch-datapath-dkms</emphasis>
package.</para>
</note>
<note os="sles;opensuse">
<para>SUSE does not use a separate ML2 plug-in package.</para>
</note>
</step>
</procedure>
<procedure os="debian">
<title>To install and configure the Networking components</title>
<step>
@@ -70,7 +65,7 @@ net.ipv4.conf.default.rp_filter=0</programlisting>
<note>
<para>Selecting the ML2 plug-in also populates the
<option>service_plugins</option> and
<option>allow_overlapping_ips</option> keys in the
<option>allow_overlapping_ips</option> options in the
<filename>/etc/neutron/neutron.conf</filename> file with the
appropriate values.</para>
</note>
@@ -81,62 +76,45 @@ net.ipv4.conf.default.rp_filter=0</programlisting>
<para>The Networking common component configuration includes the
authentication mechanism, message broker, and plug-in.</para>
<step>
<para>Configure Networking to use the Identity service for
authentication:</para>
<para>Edit the <filename>/etc/neutron/neutron.conf</filename> file
and complete the following actions:</para>
<substeps>
<step>
<para>Edit the
<filename>/etc/neutron/neutron.conf</filename> file and
add the following key to the <literal>[DEFAULT]</literal>
section:</para>
<para>In the <literal>[DEFAULT]</literal> section, configure
<application>RabbitMQ</application> message broker access:</para>
<programlisting language="ini">[DEFAULT]
...
auth_strategy = keystone</programlisting>
<para>Add the following keys to the
<literal>[keystone_authtoken]</literal> section:</para>
rpc_backend = rabbit
rabbit_host = <replaceable>controller</replaceable>
rabbit_password = <replaceable>RABBIT_PASS</replaceable></programlisting>
<para>Replace <replaceable>RABBIT_PASS</replaceable> with the
password you chose for the <literal>guest</literal> account in
<application>RabbitMQ</application>.</para>
</step>
<step>
<para>In the <literal>[keystone_authtoken]</literal> section,
configure Identity service access:</para>
<programlisting language="ini">[keystone_authtoken]
...
auth_uri = http://<replaceable>controller</replaceable>:5000
auth_host = <replaceable>controller</replaceable>
auth_protocol = http
auth_port = 35357
auth_uri = http://<replaceable>controller</replaceable>:5000/v2.0
identity_uri = http://<replaceable>controller</replaceable>:35357
admin_tenant_name = service
admin_user = neutron
admin_password = <replaceable>NEUTRON_PASS</replaceable></programlisting>
<para>Replace <replaceable>NEUTRON_PASS</replaceable> with
the password you chose for the <literal>neutron</literal>
user in the Identity service.</para>
<para>Replace <replaceable>NEUTRON_PASS</replaceable> with the
password you chose or the <literal>neutron</literal> user in the
Identity service.</para>
<note>
<para>Comment out any <literal>auth_host</literal>,
<literal>auth_port</literal>, and
<literal>auth_protocol</literal> options because the
<literal>identity_uri</literal> option replaces them.</para>
</note>
</step>
</substeps>
</step>
<step>
<para>Configure Networking to use the message broker:</para>
<substeps>
<step>
<para>Edit the
<filename>/etc/neutron/neutron.conf</filename> file and
add the following keys to the <literal>[DEFAULT]</literal>
section:</para>
<para>Replace <replaceable>RABBIT_PASS</replaceable> with
the password you chose for the <literal>guest</literal>
account in <application>RabbitMQ</application>.</para>
<programlisting language="ini">[DEFAULT]
...
rpc_backend = neutron.openstack.common.rpc.impl_kombu
rabbit_host = <replaceable>controller</replaceable>
rabbit_password = <replaceable>RABBIT_PASS</replaceable></programlisting>
</step>
</substeps>
</step>
<step>
<para>Configure Networking to use the Modular Layer 2 (ML2)
plug-in and associated services:</para>
<substeps>
<step>
<para>Edit the
<filename>/etc/neutron/neutron.conf</filename> file and
add the following keys to the <literal>[DEFAULT]</literal>
section:</para>
<para>In the <literal>[DEFAULT]</literal> section, enable the
Modular Layer 2 (ML2) plug-in, router service, and overlapping
IP addresses:</para>
<programlisting language="ini">[DEFAULT]
...
core_plugin = ml2
@@ -144,52 +122,67 @@ service_plugins = router
allow_overlapping_ips = True</programlisting>
</step>
<step>
<para>(Optional) To assist with troubleshooting, add<literal>verbose
= True</literal> to the <literal>[DEFAULT]</literal>
section in the
<filename>/etc/neutron/neutron.conf</filename>
file.</para>
</step>
<para>(Optional) To assist with troubleshooting,
enable verbose logging in the <literal>[DEFAULT]</literal>
section:</para>
<programlisting language="ini">[DEFAULT]
...
verbose = True</programlisting>
</step>
</substeps>
</step>
</procedure>
<procedure>
<title>To configure the Modular Layer 2 (ML2) plug-in</title>
<para>The ML2 plug-in uses the Open vSwitch (OVS) mechanism
(agent) to build the virtual networking framework for
instances.</para>
<para>The ML2 plug-in uses the Open vSwitch (OVS) mechanism (agent) to
build the virtual networking framework for instances.</para>
<step>
<para>Edit the
<filename>/etc/neutron/plugins/ml2/ml2_conf.ini</filename>
file and add the following keys to the
<literal>[ml2]</literal> section:</para>
<programlisting language="ini">[ml2]
<filename>/etc/neutron/plugins/ml2/ml2_conf.ini</filename>
file and complete the following actions:</para>
<substeps>
<step>
<para>In the <literal>[ml2]</literal> section, enable the
<glossterm baseform="flat network">flat</glossterm> and
<glossterm>generic routing encapsulation (GRE)</glossterm>
network type drivers, GRE tenant networks, and the OVS
mechanism driver:</para>
<programlisting language="ini">[ml2]
...
type_drivers = gre
type_drivers = flat,gre
tenant_network_types = gre
mechanism_drivers = openvswitch</programlisting>
<para>Add the following keys to the
<literal>[ml2_type_gre]</literal> section:</para>
<programlisting language="ini">[ml2_type_gre]
</step>
<step>
<para>In the <literal>[ml2_type_gre]</literal> section, configure
the tunnel identifier (id) range:</para>
<programlisting language="ini">[ml2_type_gre]
...
tunnel_id_ranges = 1:1000</programlisting>
<para>Add the <literal>[ovs]</literal> section and the following
keys to it:</para>
<para>Replace
<replaceable>INSTANCE_TUNNELS_INTERFACE_IP_ADDRESS</replaceable>
with the IP address of the instance tunnels network interface
on your compute node.</para>
<programlisting language="ini">[ovs]
</step>
<step>
<para>In the <literal>[securitygroup]</literal> section, enable
security groups and configure the OVS
<glossterm>iptables</glossterm> firewall driver:</para>
<programlisting language="ini">[securitygroup]
...
enable_security_group = True
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver</programlisting>
</step>
<step>
<para>In the <literal>[ovs]</literal> section, configure the
<glossterm>Open vSwitch (OVS) agent</glossterm>:</para>
<programlisting language="ini">[ovs]
...
local_ip = <replaceable>INSTANCE_TUNNELS_INTERFACE_IP_ADDRESS</replaceable>
tunnel_type = gre
enable_tunneling = True</programlisting>
<para>Add the <literal>[securitygroup]</literal> section and the
following keys to it:</para>
<programlisting language="ini">[securitygroup]
...
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
enable_security_group = True</programlisting>
<para>Replace
<replaceable>INSTANCE_TUNNELS_INTERFACE_IP_ADDRESS</replaceable>
with the IP address of the instance tunnels network interface
on your compute node.</para>
</step>
</substeps>
</step>
</procedure>
<procedure>
@@ -219,31 +212,42 @@ enable_security_group = True</programlisting>
legacy networking. You must reconfigure Compute to manage
networks through Networking.</para>
<step>
<para>Edit the <filename>/etc/nova/nova.conf</filename> and add
the following keys to the <literal>[DEFAULT]</literal>
section:</para>
<para>Replace <replaceable>NEUTRON_PASS</replaceable> with the
password you chose for the <literal>neutron</literal> user in
the Identity service.</para>
<programlisting language="ini">[DEFAULT]
<para>Edit the <filename>/etc/nova/nova.conf</filename> file and
complete the following actions:</para>
<substeps>
<step>
<para>In the <literal>[DEFAULT]</literal> section, configure
the <glossterm baseform="API">APIs</glossterm> and drivers:</para>
<programlisting language="ini">[DEFAULT]
...
network_api_class = nova.network.neutronv2.api.API
neutron_url = http://<replaceable>controller</replaceable>:9696
neutron_auth_strategy = keystone
neutron_admin_tenant_name = service
neutron_admin_username = neutron
neutron_admin_password = <replaceable>NEUTRON_PASS</replaceable>
neutron_admin_auth_url = http://<replaceable>controller</replaceable>:35357/v2.0
security_group_api = neutron
linuxnet_interface_driver = nova.network.linux_net.LinuxOVSInterfaceDriver
firewall_driver = nova.virt.firewall.NoopFirewallDriver
security_group_api = neutron</programlisting>
<note>
<para>By default, Compute uses an internal firewall service.
Since Networking includes a firewall service, you must
disable the Compute firewall service by using the
<literal>nova.virt.firewall.NoopFirewallDriver</literal>
firewall driver.</para>
</note>
firewall_driver = nova.virt.firewall.NoopFirewallDriver</programlisting>
<note>
<para>By default, Compute uses an internal firewall service.
Since Networking includes a firewall service, you must
disable the Compute firewall service by using the
<literal>nova.virt.firewall.NoopFirewallDriver</literal>
firewall driver.</para>
</note>
</step>
<step>
<para>In the <literal>[neutron]</literal> section, configure
access parameters:</para>
<programlisting language="ini">[neutron]
...
url = http://<replaceable>controller</replaceable>:9696
auth_strategy = keystone
admin_auth_url = http://<replaceable>controller</replaceable>:35357/v2.0
admin_tenant_name = service
admin_username = neutron
admin_password = <replaceable>NEUTRON_PASS</replaceable></programlisting>
<para>Replace <replaceable>NEUTRON_PASS</replaceable> with the
password you chose for the <literal>neutron</literal> user
in the Identity service.</para>
</step>
</substeps>
</step>
</procedure>
<procedure>
@@ -251,21 +255,18 @@ security_group_api = neutron</programlisting>
<step os="rhel;centos;fedora">
<para>The Networking service initialization scripts expect a
symbolic link <filename>/etc/neutron/plugin.ini</filename>
pointing to the configuration file associated with your chosen
plug-in. Using the ML2 plug-in, for example, the symbolic link
must point to
<filename>/etc/neutron/plugins/ml2/ml2_conf.ini</filename>.
pointing to the ML2 plug-in configuration file,
<filename>/etc/neutron/plugins/ml2/ml2_conf.ini</filename>.
If this symbolic link does not exist, create it using the
following commands:</para>
following command:</para>
<screen><prompt>#</prompt> <userinput>ln -s /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini</userinput></screen>
</step>
<step os="sles;opensuse">
<para>The Networking service initialization scripts expect the
variable <literal>NEUTRON_PLUGIN_CONF</literal> in the
<filename>/etc/sysconfig/neutron</filename> file to
reference the configuration file associated with your chosen
plug-in. Using ML2, for example, edit the
<filename>/etc/sysconfig/neutron</filename> file and add the
<filename>/etc/sysconfig/neutron</filename> file to
reference the ML2 plug-in configuration file. Edit the
<filename>/etc/sysconfig/neutron</filename> file and add the
following:</para>
<programlisting>NEUTRON_PLUGIN_CONF="/etc/neutron/plugins/ml2/ml2_conf.ini"</programlisting>
</step>

373
doc/install-guide/section_neutron-ml2-controller-node.xml → doc/install-guide/section_neutron-controller-node.xml
View File

@@ -3,56 +3,104 @@
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink"
version="5.0"
xml:id="neutron-ml2-controller-node">
<title>Configure controller node</title>
xml:id="neutron-controller-node">
<title>Install and configure controller node</title>
<procedure os="ubuntu;rhel;centos;fedora;sles;opensuse">
<title>Prerequisites</title>
<title>To configure prerequisites</title>
<para>Before you configure OpenStack Networking (neutron), you must create
a database and Identity service credentials including a user and
service.</para>
a database and Identity service credentials including endpoints.</para>
<step>
<para>Connect to the database as the root user, create the
<literal>neutron</literal> database, and grant the proper
access to it:</para>
<para>Replace <replaceable>NEUTRON_DBPASS</replaceable> with a suitable
password.</para>
<screen><prompt>$</prompt> <userinput>mysql -u root -p</userinput>
<prompt>mysql></prompt> <userinput>CREATE DATABASE neutron;</userinput>
<prompt>mysql></prompt> <userinput>GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'localhost' \
IDENTIFIED BY '<replaceable>NEUTRON_DBPASS</replaceable>';</userinput>
<prompt>mysql></prompt> <userinput>GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'%' \
IDENTIFIED BY '<replaceable>NEUTRON_DBPASS</replaceable>';</userinput></screen>
<para>To create the database, complete these steps:</para>
<substeps>
<step>
<para>Use the database access client to connect to the database
server as the <literal>root</literal> user:</para>
<screen><prompt>$</prompt> <userinput>mysql -u root -p</userinput></screen>
</step>
<step>
<para>Create the <literal>neutron</literal> database:</para>
<screen><userinput>CREATE DATABASE neutron;</userinput></screen>
</step>
<step>
<para>Grant proper access to the <literal>neutron</literal>
database:</para>
<screen><userinput>GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'localhost' \
IDENTIFIED BY '<replaceable>NEUTRON_DBPASS</replaceable>';</userinput>
<userinput>GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'%' \
IDENTIFIED BY '<replaceable>NEUTRON_DBPASS</replaceable>';</userinput></screen>
<para>Replace <replaceable>NEUTRON_DBPASS</replaceable> with a
suitable password.</para>
</step>
<step>
<para>Exit the database access client.</para>
</step>
</substeps>
</step>
<step>
<para>Create Identity service credentials for Networking:</para>
<para>Source the <literal>admin</literal> credentials to gain access to
admin-only CLI commands:</para>
<screen><prompt>$</prompt> <userinput>source admin-openrc.sh</userinput></screen>
</step>
<step>
<para>To create the Identity service credentials, complete these
steps:</para>
<substeps>
<step>
<para>Create the <literal>neutron</literal> user:</para>
<screen><prompt>$</prompt> <userinput>keystone user-create --name neutron --pass <replaceable>NEUTRON_PASS</replaceable></userinput>
<computeroutput>+----------+----------------------------------+
| Property | Value |
+----------+----------------------------------+
| email | |
| enabled | True |
| id | 7fd67878dcd04d0393469ef825a7e005 |
| name | neutron |
| username | neutron |
+----------+----------------------------------+</computeroutput></screen>
<para>Replace <replaceable>NEUTRON_PASS</replaceable> with a suitable
password and <replaceable>neutron@example.com</replaceable> with
a suitable e-mail address.</para>
<screen><prompt>$</prompt> <userinput>keystone user-create --name neutron --pass <replaceable>NEUTRON_PASS</replaceable> \
--email <replaceable>neutron@example.com</replaceable></userinput></screen>
password.</para>
</step>
<step>
<para>Link the <literal>neutron</literal> user to the
<literal>service</literal> tenant and <literal>admin</literal>
role:</para>
<screen><prompt>$</prompt> <userinput>keystone user-role-add --user neutron --tenant service --role admin</userinput></screen>
<note>
<para>This command provides no output.</para>
</note>
</step>
<step>
<para>Create the <literal>neutron</literal> service:</para>
<screen><prompt>$</prompt> <userinput>keystone service-create --name neutron --type network \
--description "OpenStack Networking"</userinput></screen>
--description "OpenStack Networking"</userinput>
<computeroutput>+-------------+----------------------------------+
| Property | Value |
+-------------+----------------------------------+
| description | OpenStack Networking |
| enabled | True |
| id | 6369ddaf99a447f3a0d41dac5e342161 |
| name | neutron |
| type | network |
+-------------+----------------------------------+</computeroutput></screen>
</step>
<step>
<para>Create the service endpoint:</para>
<para>Create the Identity service endpoints:</para>
<screen><prompt>$</prompt> <userinput>keystone endpoint-create \
--service-id \
$(keystone service-list | awk '/ network / {print $2}') \
--service-id $(keystone service-list | awk '/ network / {print $2}') \
--publicurl http://<replaceable>controller</replaceable>:9696 \
--adminurl http://<replaceable>controller</replaceable>:9696 \
--internalurl http://<replaceable>controller</replaceable>:9696</userinput></screen>
--internalurl http://<replaceable>controller</replaceable>:9696 \
--region regionOne</userinput>
<computeroutput>+-------------+----------------------------------+
| Property | Value |
+-------------+----------------------------------+
| adminurl | http://controller:9696 |
| id | fa18b41938a94bf6b35e2c152063ee21 |
| internalurl | http://controller:9696 |
| publicurl | http://controller:9696 |
| region | regionOne |
| service_id | 6369ddaf99a447f3a0d41dac5e342161 |
+-------------+----------------------------------+</computeroutput></screen>
</step>
</substeps>
</step>
@@ -100,7 +148,7 @@ IDENTIFIED BY '<replaceable>NEUTRON_DBPASS</replaceable>';</userinput></screen>
<note>
<para>Selecting the ML2 plug-in also populates the
<option>service_plugins</option> and
<option>allow_overlapping_ips</option> keys in the
<option>allow_overlapping_ips</option> options in the
<filename>/etc/neutron/neutron.conf</filename> file with the
appropriate values.</para>
</note>
@@ -109,101 +157,85 @@ IDENTIFIED BY '<replaceable>NEUTRON_DBPASS</replaceable>';</userinput></screen>
<procedure os="ubuntu;rhel;centos;fedora;sles;opensuse">
<title>To configure the Networking server component</title>
<para>The Networking server component configuration includes the database,
authentication mechanism, message broker, topology change notifier,
authentication mechanism, message broker, topology change notifications,
and plug-in.</para>
<warning><para>Once you configure the ML2 plug-in, be aware that disabling a
network type driver and re-enabling it later can lead to inconsistent data
stored in the neutron database. As of the Icehouse release, you can read
neutron logs for errors if this scenario occurs.</para></warning>
<step>
<para>Configure Networking to use the database:</para>
<para>Edit the <filename>/etc/neutron/neutron.conf</filename> file
and complete the following actions:</para>
<substeps>
<step>
<para>Edit the <filename>/etc/neutron/neutron.conf</filename>
file and add the following key to the
<literal>[database]</literal> section:</para>
<para>Replace <replaceable>NEUTRON_DBPASS</replaceable> with the
password you chose for the database.</para>
<para>In the <literal>[database]</literal> section, configure
database access:</para>
<programlisting language="ini">[database]
...
connection = mysql://neutron:<replaceable>NEUTRON_DBPASS</replaceable>@<replaceable>controller</replaceable>/neutron</programlisting>
<para>Replace <replaceable>NEUTRON_DBPASS</replaceable> with the
password you chose for the database.</para>
</step>
</substeps>
</step>
<step>
<para>Configure Networking to use the Identity service for
authentication:</para>
<substeps>
<step>
<para>Edit the <filename>/etc/neutron/neutron.conf</filename>
file and add the following key to the
<literal>[DEFAULT]</literal> section:</para>
<programlisting language="ini">[DEFAULT]
<para>In the <literal>[DEFAULT]</literal> section, configure
<application>RabbitMQ</application> message broker access:</para>
<programlisting language="ini">[DEFAULT]
...
auth_strategy = keystone</programlisting>
<para>Add the following keys to the
<literal>[keystone_authtoken]</literal> section:</para>
<para>Replace <replaceable>NEUTRON_PASS</replaceable> with the
password you chose for the <literal>neutron</literal> user
in the Identity service.</para>
<programlisting language="ini">[keystone_authtoken]
...
auth_uri = http://<replaceable>controller</replaceable>:5000
auth_host = <replaceable>controller</replaceable>
auth_protocol = http
auth_port = 35357
admin_tenant_name = service
admin_user = neutron
admin_password = <replaceable>NEUTRON_PASS</replaceable></programlisting>
</step>
</substeps>
</step>
<step>
<para>Configure Networking to use the message broker:</para>
<substeps>
<step>
<para>Edit the <filename>/etc/neutron/neutron.conf</filename> file
and add the following keys to the <literal>[DEFAULT]</literal>
section:</para>
rpc_backend = rabbit
rabbit_host = <replaceable>controller</replaceable>
rabbit_password = <replaceable>RABBIT_PASS</replaceable></programlisting>
<para>Replace <replaceable>RABBIT_PASS</replaceable> with the
password you chose for the <literal>guest</literal> account in
<application>RabbitMQ</application>.</para>
</step>
<step>
<para>In the <literal>[keystone_authtoken]</literal> section,
configure Identity service access:</para>
<programlisting language="ini">[keystone_authtoken]
...
auth_uri = http://<replaceable>controller</replaceable>:5000/v2.0
identity_uri = http://<replaceable>controller</replaceable>:35357
admin_tenant_name = service
admin_user = neutron
admin_password = <replaceable>NEUTRON_PASS</replaceable></programlisting>
<para>Replace <replaceable>NEUTRON_PASS</replaceable> with the
password you chose or the <literal>neutron</literal> user in the
Identity service.</para>
<note>
<para>Comment out any <literal>auth_host</literal>,
<literal>auth_port</literal>, and
<literal>auth_protocol</literal> options because the
<literal>identity_uri</literal> option replaces them.</para>
</note>
</step>
<step>
<para>In the <literal>[DEFAULT]</literal> section, enable the
Modular Layer 2 (ML2) plug-in, router service, and overlapping
IP addresses:</para>
<programlisting language="ini">[DEFAULT]
...
rpc_backend = neutron.openstack.common.rpc.impl_kombu
rabbit_host = <replaceable>controller</replaceable>
rabbit_password = <replaceable>RABBIT_PASS</replaceable></programlisting>
core_plugin = ml2
service_plugins = router
allow_overlapping_ips = True</programlisting>
</step>
</substeps>
</step>
<step>
<para>Configure Networking to notify Compute about network topology
changes:</para>
<para>Replace <replaceable>SERVICE_TENANT_ID</replaceable> with the
<literal>service</literal> tenant identifier (id) in the Identity
service and <replaceable>NOVA_PASS</replaceable> with the password
you chose for the <literal>nova</literal> user in the Identity
service.</para>
<substeps>
<step>
<para>Edit the <filename>/etc/neutron/neutron.conf</filename> file
and add the following keys to the <literal>[DEFAULT]</literal>
section:</para>
<para>In the <literal>[DEFAULT]</literal> section, configure
Networking to notify Compute of network topology changes:</para>
<programlisting language="ini">[DEFAULT]
...
notify_nova_on_port_status_changes = True
notify_nova_on_port_data_changes = True
nova_url = http://<replaceable>controller</replaceable>:8774/v2
nova_admin_auth_url = http://<replaceable>controller</replaceable>:35357/v2.0
nova_region_name = regionOne
nova_admin_username = nova
nova_admin_tenant_id = <replaceable>SERVICE_TENANT_ID</replaceable>
nova_admin_password = <replaceable>NOVA_PASS</replaceable>
nova_admin_auth_url = http://<replaceable>controller</replaceable>:35357/v2.0</programlisting>
</step>
</substeps>
<note>
<para>To obtain the <literal>service</literal> tenant
identifier (id):</para>
<screen><prompt>$</prompt> <userinput>source admin-openrc.sh</userinput>
nova_admin_password = <replaceable>NOVA_PASS</replaceable></programlisting>
<para>Replace <replaceable>SERVICE_TENANT_ID</replaceable> with the
<literal>service</literal> tenant identifier (id) in the Identity
service and <replaceable>NOVA_PASS</replaceable> with the password
you chose for the <literal>nova</literal> user in the Identity
service.</para>
<note>
<para>To obtain the <literal>service</literal> tenant
identifier (id):</para>
<screen><prompt>$</prompt> <userinput>source admin-openrc.sh</userinput>
<prompt>$</prompt> <userinput>keystone tenant-get service</userinput>
<computeroutput>+-------------+----------------------------------+
| Property | Value |
@@ -213,58 +245,65 @@ nova_admin_auth_url = http://<replaceable>controller</replaceable>:35357/v2.0</p
| id | f727b5ec2ceb4d71bad86dfc414449bf |
| name | service |
+-------------+----------------------------------+</computeroutput></screen>
</note>
</step>
<step>
<para>Configure Networking to use the Modular Layer 2 (ML2) plug-in
and associated services:</para>
<substeps>
</note>
</step>
<step>
<para>Edit the <filename>/etc/neutron/neutron.conf</filename> file
and add the following keys to the <literal>[DEFAULT]</literal>
<para>(Optional) To assist with troubleshooting,
enable verbose logging in the <literal>[DEFAULT]</literal>
section:</para>
<programlisting language="ini">[DEFAULT]
...
core_plugin = ml2
service_plugins = router
allow_overlapping_ips = True</programlisting>
</step>
<step>
<para>(Optional) To assist with troubleshooting, add <literal>verbose = True</literal> to
the <literal>[DEFAULT]</literal> section in
<filename>/etc/neutron/neutron.conf</filename>.</para>
verbose = True</programlisting>
</step>
</substeps>
</step>
</procedure>
<procedure>
<title>To configure the Modular Layer 2 (ML2) plug-in</title>
<para>The ML2 plug-in uses the Open vSwitch (OVS) mechanism (agent) to
build the virtual networking framework for instances. However, the
controller node does not need the OVS agent or service because it
does not handle instance network traffic.</para>
<para>The ML2 plug-in uses the
<glossterm baseform="Open vSwitch">Open vSwitch (OVS)</glossterm>
mechanism (agent) to build the virtual networking framework for
instances. However, the controller node does not need the OVS
components because it does not handle instance network traffic.</para>
<step>
<para>Edit the
<filename>/etc/neutron/plugins/ml2/ml2_conf.ini</filename>
file:</para>
<para>Add the following keys to the <literal>[ml2]</literal>
section:</para>
<programlisting language="ini">[ml2]
file and complete the following actions:</para>
<substeps>
<step>
<para>In the <literal>[ml2]</literal> section, enable the
<glossterm baseform="flat network">flat</glossterm> and
<glossterm>generic routing encapsulation (GRE)</glossterm>
network type drivers, GRE tenant networks, and the OVS
mechanism driver:</para>
<programlisting language="ini">[ml2]
...
type_drivers = gre
type_drivers = flat,gre
tenant_network_types = gre
mechanism_drivers = openvswitch</programlisting>
<para>Add the following key to the
<literal>[ml2_type_gre]</literal> section:</para>
<programlisting language="ini">[ml2_type_gre]
<warning>
<para>Once you configure the ML2 plug-in, be aware that disabling
a network type driver and re-enabling it later can lead to
database inconsistency.</para>
</warning>
</step>
<step>
<para>In the <literal>[ml2_type_gre]</literal> section, configure
the tunnel identifier (id) range:</para>
<programlisting language="ini">[ml2_type_gre]
...
tunnel_id_ranges = 1:1000</programlisting>
<para>Add the <literal>[securitygroup]</literal> section and the
following keys to it:</para>
<programlisting language="ini">[securitygroup]
</step>
<step>
<para>In the <literal>[securitygroup]</literal> section, enable
security groups and configure the OVS
<glossterm>iptables</glossterm> firewall driver:</para>
<programlisting language="ini">[securitygroup]
...
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
enable_security_group = True</programlisting>
enable_security_group = True
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver</programlisting>
</step>
</substeps>
</step>
</procedure>
<procedure>
@@ -273,50 +312,60 @@ enable_security_group = True</programlisting>
networking. You must reconfigure Compute to manage networks through
Networking.</para>
<step>
<para>Edit the <filename>/etc/nova/nova.conf</filename> and add the
following keys to the <literal>[DEFAULT]</literal> section:</para>
<para>Replace <replaceable>NEUTRON_PASS</replaceable> with the
password you chose for the <literal>neutron</literal> user
in the Identity service.</para>
<programlisting language="ini">[DEFAULT]
<para>Edit the <filename>/etc/nova/nova.conf</filename> file and
complete the following actions:</para>
<substeps>
<step>
<para>In the <literal>[DEFAULT]</literal> section, configure
the <glossterm baseform="API">APIs</glossterm> and drivers:</para>
<programlisting language="ini">[DEFAULT]
...
network_api_class = nova.network.neutronv2.api.API
neutron_url = http://<replaceable>controller</replaceable>:9696
neutron_auth_strategy = keystone
neutron_admin_tenant_name = service
neutron_admin_username = neutron
neutron_admin_password = <replaceable>NEUTRON_PASS</replaceable>
neutron_admin_auth_url = http://<replaceable>controller</replaceable>:35357/v2.0
security_group_api = neutron
linuxnet_interface_driver = nova.network.linux_net.LinuxOVSInterfaceDriver
firewall_driver = nova.virt.firewall.NoopFirewallDriver
security_group_api = neutron</programlisting>
<note>
<para>By default, Compute uses an internal firewall service. Since
Networking includes a firewall service, you must disable the
Compute firewall service by using the
<literal>nova.virt.firewall.NoopFirewallDriver</literal> firewall
driver.</para>
</note>
firewall_driver = nova.virt.firewall.NoopFirewallDriver</programlisting>
<note>
<para>By default, Compute uses an internal firewall service.
Since Networking includes a firewall service, you must
disable the Compute firewall service by using the
<literal>nova.virt.firewall.NoopFirewallDriver</literal>
firewall driver.</para>
</note>
</step>
<step>
<para>In the <literal>[neutron]</literal> section, configure
access parameters:</para>
<programlisting language="ini">[neutron]
...
url = http://<replaceable>controller</replaceable>:9696
auth_strategy = keystone
admin_auth_url = http://<replaceable>controller</replaceable>:35357/v2.0
admin_tenant_name = service
admin_username = neutron
admin_password = <replaceable>NEUTRON_PASS</replaceable></programlisting>
<para>Replace <replaceable>NEUTRON_PASS</replaceable> with the
password you chose for the <literal>neutron</literal> user
in the Identity service.</para>
</step>
</substeps>
</step>
</procedure>
<procedure>
<title>To finalize installation</title>
<step os="rhel;centos;fedora">
<para>The Networking service initialization scripts expect a symbolic
link <filename>/etc/neutron/plugin.ini</filename> pointing to the
configuration file associated with your chosen plug-in. Using
ML2, for example, the symbolic link must point to
<para>The Networking service initialization scripts expect a
symbolic link <filename>/etc/neutron/plugin.ini</filename>
pointing to the ML2 plug-in configuration file,
<filename>/etc/neutron/plugins/ml2/ml2_conf.ini</filename>.
If this symbolic link does not exist, create it using the
following commands:</para>
following command:</para>
<screen><prompt>#</prompt> <userinput>ln -s /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini</userinput></screen>
</step>
<step os="sles;opensuse">
<para>The Networking service initialization scripts expect the variable
<literal>NEUTRON_PLUGIN_CONF</literal> in file
<filename>/etc/sysconfig/neutron</filename> to reference the
configuration file associated with your chosen plug-in. Using
ML2, for example, edit the
<para>The Networking service initialization scripts expect the
variable <literal>NEUTRON_PLUGIN_CONF</literal> in the
<filename>/etc/sysconfig/neutron</filename> file to
reference the ML2 plug-in configuration file. Edit the
<filename>/etc/sysconfig/neutron</filename> file and add the
following:</para>
<programlisting>NEUTRON_PLUGIN_CONF="/etc/neutron/plugins/ml2/ml2_conf.ini"</programlisting>

48
doc/install-guide/section_neutron-initial-networks.xml
View File

@@ -43,12 +43,14 @@
<procedure>
<title>To create the external network</title>
<step>
<para>Source the <literal>admin</literal> tenant credentials:</para>
<para>Source the <literal>admin</literal> credentials to gain access to
admin-only CLI commands:</para>
<screen><prompt>$</prompt> <userinput>source admin-openrc.sh</userinput></screen>
</step>
<step>
<para>Create the network:</para>
<screen><prompt>$</prompt> <userinput>neutron net-create ext-net --shared --router:external True</userinput>
<screen><prompt>$</prompt> <userinput>neutron net-create ext-net --shared --router:external True \
--provider:physical_network external --provider:network_type flat</userinput>
<computeroutput>Created a new network:
+---------------------------+--------------------------------------+
| Field | Value |
@@ -56,9 +58,9 @@
| admin_state_up | True |
| id | 893aebb9-1c1e-48be-8908-6b947f3237b3 |
| name | ext-net |
| provider:network_type | gre |
| provider:physical_network | |
| provider:segmentation_id | 1 |
| provider:network_type | flat |
| provider:physical_network | external |
| provider:segmentation_id | |
| router:external | True |
| shared | True |
| status | ACTIVE |
@@ -74,16 +76,6 @@
network node. You should specify an exclusive slice of this subnet
for <glossterm>router</glossterm> and floating IP addresses to prevent
interference with other devices on the external network.</para>
<para>Replace <replaceable>FLOATING_IP_START</replaceable> and
<replaceable>FLOATING_IP_END</replaceable> with the first and last
IP addresses of the range that you want to allocate for floating IP
addresses. Replace <replaceable>EXTERNAL_NETWORK_CIDR</replaceable>
with the subnet associated with the physical network. Replace
<replaceable>EXTERNAL_NETWORK_GATEWAY</replaceable> with the gateway
associated with the physical network, typically the ".1" IP address.
You should disable <glossterm>DHCP</glossterm> on this subnet because
instances do not connect directly to the external network and floating
IP addresses require manual assignment.</para>
<procedure>
<title>To create a subnet on the external network</title>
<step>
@@ -91,6 +83,16 @@
<screen><prompt>$</prompt> <userinput>neutron subnet-create ext-net --name ext-subnet \
--allocation-pool start=<replaceable>FLOATING_IP_START</replaceable>,end=<replaceable>FLOATING_IP_END</replaceable> \
--disable-dhcp --gateway <replaceable>EXTERNAL_NETWORK_GATEWAY</replaceable> <replaceable>EXTERNAL_NETWORK_CIDR</replaceable></userinput></screen>
<para>Replace <replaceable>FLOATING_IP_START</replaceable> and
<replaceable>FLOATING_IP_END</replaceable> with the first and last
IP addresses of the range that you want to allocate for floating IP
addresses. Replace <replaceable>EXTERNAL_NETWORK_CIDR</replaceable>
with the subnet associated with the physical network. Replace
<replaceable>EXTERNAL_NETWORK_GATEWAY</replaceable> with the gateway
associated with the physical network, typically the ".1" IP address.
You should disable <glossterm>DHCP</glossterm> on this subnet because
instances do not connect directly to the external network and
floating IP addresses require manual assignment.</para>
<para>For example, using <literal>203.0.113.0/24</literal> with
floating IP address range <literal>203.0.113.101</literal> to
<literal>203.0.113.200</literal>:</para>
@@ -130,7 +132,8 @@
<procedure>
<title>To create the tenant network</title>
<step>
<para>Source the <literal>demo</literal> tenant credentials:</para>
<para>Source the <literal>demo</literal> credentials to gain access to
user-only CLI commands:</para>
<screen><prompt>$</prompt> <userinput>source demo-openrc.sh</userinput></screen>
</step>
<step>
@@ -152,19 +155,18 @@
</procedure>
<para>Like the external network, your tenant network also requires
a subnet attached to it. You can specify any valid subnet because the
architecture isolates tenant networks. Replace
<replaceable>TENANT_NETWORK_CIDR</replaceable> with the subnet
you want to associate with the tenant network. Replace
<replaceable>TENANT_NETWORK_GATEWAY</replaceable> with the gateway you
want to associate with this network, typically the ".1" IP address. By
default, this subnet will use DHCP so your instances can obtain IP
addresses.</para>
architecture isolates tenant networks. By default, this subnet will
use DHCP so your instances can obtain IP addresses.</para>
<procedure>
<title>To create a subnet on the tenant network</title>
<step>
<para>Create the subnet:</para>
<screen><prompt>$</prompt> <userinput>neutron subnet-create demo-net --name demo-subnet \
--gateway <replaceable>TENANT_NETWORK_GATEWAY</replaceable> <replaceable>TENANT_NETWORK_CIDR</replaceable></userinput></screen>
<para>Replace <replaceable>TENANT_NETWORK_CIDR</replaceable> with the
subnet you want to associate with the tenant network and
<replaceable>TENANT_NETWORK_GATEWAY</replaceable> with the gateway
you want to associate with it, typically the ".1" IP address.</para>
<para>Example using <literal>192.168.1.0/24</literal>:</para>
<screen><prompt>$</prompt> <userinput>neutron subnet-create demo-net --name demo-subnet \
--gateway 192.168.1.1 192.168.1.0/24</userinput>

480
doc/install-guide/section_neutron-ml2-network-node.xml → doc/install-guide/section_neutron-network-node.xml
View File

@@ -3,15 +3,17 @@
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink"
version="5.0"
xml:id="neutron-ml2-network-node">
<title>Configure network node</title>
<para>Before you install and configure OpenStack Networking, you
must configure certain kernel networking functions.</para>
xml:id="neutron-network-node">
<title>Install and configure network node</title>
<para>The network node primarily handles internal and external routing
and <glossterm>DHCP</glossterm> services for virtual networks.</para>
<procedure>
<title>To configure kernel networking functions</title>
<title>To configure prerequisites</title>
<para>Before you install and configure OpenStack Networking, you
must configure certain kernel networking parameters.</para>
<step>
<para>Edit <filename>/etc/sysctl.conf</filename> to contain the
following:</para>
<para>Edit the <filename>/etc/sysctl.conf</filename> file to
contain the following parameters:</para>
<programlisting>net.ipv4.ip_forward=1
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.default.rp_filter=0</programlisting>
@@ -24,19 +26,11 @@ net.ipv4.conf.default.rp_filter=0</programlisting>
<procedure os="ubuntu;rhel;centos;fedora;sles;opensuse">
<title>To install the Networking components</title>
<step>
<screen os="ubuntu"><prompt>#</prompt> <userinput>apt-get install neutron-plugin-ml2 \
neutron-plugin-openvswitch-agent openvswitch-datapath-dkms \
<screen os="ubuntu"><prompt>#</prompt> <userinput>apt-get install neutron-plugin-ml2 neutron-plugin-openvswitch-agent \
neutron-l3-agent neutron-dhcp-agent</userinput></screen>
<screen os="rhel;centos;fedora"><prompt>#</prompt> <userinput>yum install openstack-neutron openstack-neutron-ml2 \
openstack-neutron-openvswitch</userinput></screen>
<screen os="rhel;centos;fedora"><prompt>#</prompt> <userinput>yum install openstack-neutron openstack-neutron-ml2 openstack-neutron-openvswitch</userinput></screen>
<screen os="sles;opensuse"><prompt>#</prompt> <userinput>zypper install openstack-neutron-openvswitch-agent openstack-neutron-l3-agent \
openstack-neutron-dhcp-agent openstack-neutron-metadata-agent</userinput></screen>
<note os="ubuntu">
<para>Ubuntu installations using Linux kernel version 3.11 or
newer do not require the
<emphasis>openvswitch-datapath-dkms</emphasis>
package.</para>
</note>
<note os="sles;opensuse">
<para>SUSE does not use a separate ML2 plug-in package.</para>
</note>
@@ -52,13 +46,14 @@ net.ipv4.conf.default.rp_filter=0</programlisting>
</note>
</step>
<step>
<para>Respond to prompts for <link
linkend="debconf-dbconfig-common">database
management</link>, <link linkend="debconf-keystone_authtoken"
>Identity service credentials</link>, <link
linkend="debconf-api-endpoints">service endpoint
registration</link>, and <link linkend="debconf-rabbitmq"
>message broker credentials</link>.</para>
<para>Respond to prompts for
<link linkend="debconf-dbconfig-common">database management</link>,
<link linkend="debconf-keystone_authtoken">Identity service
credentials</link>,
<link linkend="debconf-api-endpoints">service endpoint
registration</link>, and
<link linkend="debconf-rabbitmq">message broker
credentials</link>.</para>
</step>
<step>
<para>Select the ML2 plug-in:</para>
@@ -74,7 +69,7 @@ net.ipv4.conf.default.rp_filter=0</programlisting>
<note>
<para>Selecting the ML2 plug-in also populates the
<option>service_plugins</option> and
<option>allow_overlapping_ips</option> keys in the
<option>allow_overlapping_ips</option> options in the
<filename>/etc/neutron/neutron.conf</filename> file with the
appropriate values.</para>
</note>
@@ -85,62 +80,45 @@ net.ipv4.conf.default.rp_filter=0</programlisting>
<para>The Networking common component configuration includes the
authentication mechanism, message broker, and plug-in.</para>
<step>
<para>Configure Networking to use the Identity service for
authentication:</para>
<para>Edit the <filename>/etc/neutron/neutron.conf</filename> file
and complete the following actions:</para>
<substeps>
<step>
<para>Edit the
<filename>/etc/neutron/neutron.conf</filename> file and
add the following key to the <literal>[DEFAULT]</literal>
section:</para>
<para>In the <literal>[DEFAULT]</literal> section, configure
<application>RabbitMQ</application> message broker access:</para>
<programlisting language="ini">[DEFAULT]
...
auth_strategy = keystone</programlisting>
<para>Add the following keys to the
<literal>[keystone_authtoken]</literal> section:</para>
<para>Replace <replaceable>NEUTRON_PASS</replaceable> with
the password you chose for the <literal>neutron</literal>
user in the Identity service.</para>
rpc_backend = rabbit
rabbit_host = <replaceable>controller</replaceable>
rabbit_password = <replaceable>RABBIT_PASS</replaceable></programlisting>
<para>Replace <replaceable>RABBIT_PASS</replaceable> with the
password you chose for the <literal>guest</literal> account in
<application>RabbitMQ</application>.</para>
</step>
<step>
<para>In the <literal>[keystone_authtoken]</literal> section,
configure Identity service access:</para>
<programlisting language="ini">[keystone_authtoken]
...
auth_uri = http://<replaceable>controller</replaceable>:5000
auth_host = <replaceable>controller</replaceable>
auth_protocol = http
auth_port = 35357
auth_uri = http://<replaceable>controller</replaceable>:5000/v2.0
identity_uri = http://<replaceable>controller</replaceable>:35357
admin_tenant_name = service
admin_user = neutron
admin_password = <replaceable>NEUTRON_PASS</replaceable></programlisting>
<para>Replace <replaceable>NEUTRON_PASS</replaceable> with the
password you chose or the <literal>neutron</literal> user in the
Identity service.</para>
<note>
<para>Comment out any <literal>auth_host</literal>,
<literal>auth_port</literal>, and
<literal>auth_protocol</literal> options because the
<literal>identity_uri</literal> option replaces them.</para>
</note>
</step>
</substeps>
</step>
<step>
<para>Configure Networking to use the message broker:</para>
<substeps>
<step>
<para>Edit the
<filename>/etc/neutron/neutron.conf</filename> file and
add the following keys to the <literal>[DEFAULT]</literal>
section:</para>
<para>Replace <replaceable>RABBIT_PASS</replaceable> with
the password you chose for the <literal>guest</literal>
account in <application>RabbitMQ</application>.</para>
<programlisting language="ini">[DEFAULT]
...
rpc_backend = neutron.openstack.common.rpc.impl_kombu
rabbit_host = <replaceable>controller</replaceable>
rabbit_password = <replaceable>RABBIT_PASS</replaceable></programlisting>
</step>
</substeps>
</step>
<step>
<para>Configure Networking to use the Modular Layer 2 (ML2)
plug-in and associated services:</para>
<substeps>
<step>
<para>Edit the
<filename>/etc/neutron/neutron.conf</filename> file and
add the following keys to the <literal>[DEFAULT]</literal>
section:</para>
<para>In the <literal>[DEFAULT]</literal> section, enable the
Modular Layer 2 (ML2) plug-in, router service, and overlapping
IP addresses:</para>
<programlisting language="ini">[DEFAULT]
...
core_plugin = ml2
@@ -148,156 +126,265 @@ service_plugins = router
allow_overlapping_ips = True</programlisting>
</step>
<step>
<para>(Optional) To assist with troubleshooting, add <literal>verbose
= True</literal> to the <literal>[DEFAULT]</literal>
section in the
<filename>/etc/neutron/neutron.conf</filename>
file.</para>
</step>
<para>(Optional) To assist with troubleshooting,
enable verbose logging in the <literal>[DEFAULT]</literal>
section:</para>
<programlisting language="ini">[DEFAULT]
...
verbose = True</programlisting>
</step>
</substeps>
</step>
</procedure>
<procedure>
<title>To configure the Modular Layer 2 (ML2) plug-in</title>
<para>The ML2 plug-in uses the
<glossterm baseform="Open vSwitch">Open vSwitch (OVS)</glossterm>
mechanism (agent) to build the virtual networking framework for
instances.</para>
<step>
<para>Edit the
<filename>/etc/neutron/plugins/ml2/ml2_conf.ini</filename>
file and complete the following actions:</para>
<substeps>
<step>
<para>In the <literal>[ml2]</literal> section, enable the
<glossterm baseform="flat network">flat</glossterm> and
<glossterm>generic routing encapsulation (GRE)</glossterm>
network type drivers, GRE tenant networks, and the OVS
mechanism driver:</para>
<programlisting language="ini">[ml2]
...
type_drivers = flat,gre
tenant_network_types = gre
mechanism_drivers = openvswitch</programlisting>
</step>
<step>
<para>In the <literal>[ml2_type_flat]</literal> section, configure
the external network:</para>
<programlisting language="ini">[ml2_type_flat]
...
flat_networks = external</programlisting>
</step>
<step>
<para>In the <literal>[ml2_type_gre]</literal> section, configure
the tunnel identifier (id) range:</para>
<programlisting language="ini">[ml2_type_gre]
...
tunnel_id_ranges = 1:1000</programlisting>
</step>
<step>
<para>In the <literal>[securitygroup]</literal> section, enable
security groups and configure the OVS
<glossterm>iptables</glossterm> firewall driver:</para>
<programlisting language="ini">[securitygroup]
...
enable_security_group = True
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver</programlisting>
</step>
<step>
<para>In the <literal>[ovs]</literal> section, configure the
<glossterm>Open vSwitch (OVS) agent</glossterm>:</para>
<programlisting language="ini">[ovs]
...
local_ip = <replaceable>INSTANCE_TUNNELS_INTERFACE_IP_ADDRESS</replaceable>
tunnel_type = gre
enable_tunneling = True
bridge_mapping = external:br-ex</programlisting>
<para>Replace
<replaceable>INSTANCE_TUNNELS_INTERFACE_IP_ADDRESS</replaceable>
with the IP address of the instance tunnels network interface
on your network node.</para>
</step>
</substeps>
</step>
</procedure>
<procedure>
<title>To configure the Layer-3 (L3) agent</title>
<para>The <glossterm>Layer-3 (L3) agent</glossterm> provides
routing services for instance virtual networks.</para>
routing services for virtual networks.</para>
<step>
<para>Edit the <filename>/etc/neutron/l3_agent.ini</filename>
file and add the following keys to the
<literal>[DEFAULT]</literal> section:</para>
<programlisting language="ini">[DEFAULT]
<para>Edit the <filename>/etc/neutron/l3_agent.ini</filename> file
and complete the following actions:</para>
<substeps>
<step>
<para>In the <literal>[DEFAULT]</literal> section, configure
the driver and enable
<glossterm baseform="network namespace">network
namespaces</glossterm>:</para>
<programlisting language="ini">[DEFAULT]
...
interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
use_namespaces = True</programlisting>
</step>
<step>
<para>(Optional) To assist with troubleshooting,
enable verbose logging in the <literal>[DEFAULT]</literal>
section:</para>
<programlisting language="ini">[DEFAULT]
...
verbose = True</programlisting>
</step>
</substeps>
</step>
<step>
<para>(Optional) To assist with troubleshooting, add <literal>verbose =
True</literal> to the <literal>[DEFAULT]</literal> section
in the <filename>/etc/neutron/l3_agent.ini</filename>
file.</para>
</step>
</procedure>
<procedure>
<title>To configure the DHCP agent</title>
<para>The <glossterm>DHCP agent</glossterm> provides
<glossterm>DHCP</glossterm> services for instance virtual
networks.</para>
<para>The <glossterm>DHCP agent</glossterm> provides DHCP
services for virtual networks.</para>
<step>
<para>Edit the <filename>/etc/neutron/dhcp_agent.ini</filename>
file and add the following keys to the
<literal>[DEFAULT]</literal> section:</para>
<programlisting language="ini">[DEFAULT]
<para>Edit the <filename>/etc/neutron/dhcp_agent.ini</filename> file
and complete the following actions:</para>
<substeps>
<step>
<para>In the <literal>[DEFAULT]</literal> section, configure
the drivers and enable namespaces:</para>
<programlisting language="ini">[DEFAULT]
...
interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq
use_namespaces = True</programlisting>
</step>
<step>
<para>(Optional) To assist with troubleshooting,
enable verbose logging in the <literal>[DEFAULT]</literal>
section:</para>
<programlisting language="ini">[DEFAULT]
...
verbose = True</programlisting>
</step>
</substeps>
</step>
<step>
<para>(Optional) To assist with troubleshooting, add <literal>verbose =
True</literal> to the <literal>[DEFAULT]</literal> section
in the <filename>/etc/neutron/dhcp_agent.ini</filename>
file.</para>
</step>
<step>
<para>Tunneling protocols such as
<glossterm>generic routing encapsulation (GRE)</glossterm>
include additional packet headers that increase overhead and
decrease space available for the payload or user data. Without
knowledge of the virtual network infrastructure, instances attempt
to send packets using the default Ethernet
<glossterm>maximum transmission unit (MTU)</glossterm> of 1500 bytes.
<glossterm>Internet protocol (IP)</glossterm> networks contain the
<glossterm>path MTU discovery (PMTUD)</glossterm> mechanism to detect
end-to-end MTU and adjust packet size accordingly. However, some
operating systems and networks block or otherwise lack support for
PMTUD causing performance degradation or connectivity failure.</para>
<para>(Optional)</para>
<para>Tunneling protocols such as GRE include additional packet
headers that increase overhead and decrease space available for the
payload or user data. Without knowledge of the virtual network
infrastructure, instances attempt to send packets using the default
Ethernet <glossterm>maximum transmission unit (MTU)</glossterm> of
1500 bytes. <glossterm>Internet protocol (IP)</glossterm> networks
contain the <glossterm>path MTU discovery (PMTUD)</glossterm>
mechanism to detect end-to-end MTU and adjust packet size
accordingly. However, some operating systems and networks block or
otherwise lack support for PMTUD causing performance degradation
or connectivity failure.</para>
<para>Ideally, you can prevent these problems by enabling
<glossterm>jumbo frames</glossterm> on the physical network that
contains your tenant virtual networks. Jumbo frames support MTUs
up to approximately 9000 bytes which negates the impact of GRE
overhead on virtual networks. However, many network devices lack
support for jumbo frames and OpenStack administrators often lack
control of network infrastructure. Given the latter complications,
you can also prevent MTU problems by reducing the instance MTU to
account for GRE overhead. Determining the proper MTU value often
takes experimentation, but 1454 bytes works in most environments.
You can configure the <glossterm>DHCP</glossterm> server that assigns
IP addresses to your instances to also adjust the MTU.</para>
<glossterm baseform="jumbo frame">jumbo frames</glossterm> on the
physical network that contains your tenant virtual networks.
Jumbo frames support MTUs up to approximately 9000 bytes which
negates the impact of GRE overhead on virtual networks. However,
many network devices lack support for jumbo frames and OpenStack
administrators often lack control over network infrastructure.
Given the latter complications, you can also prevent MTU problems
by reducing the instance MTU to account for GRE overhead.
Determining the proper MTU value often takes experimentation,
but 1454 bytes works in most environments. You can configure the
DHCP server that assigns IP addresses to your instances to also
adjust the MTU.</para>
<note>
<para>Some cloud images such as CirrOS ignore the DHCP MTU
option.</para>
<para>Some cloud images ignore the DHCP MTU option in which case
you should configure it using metadata, script, or other suitable
method.</para>
</note>
<substeps>
<step>
<para>Edit the <filename>/etc/neutron/dhcp_agent.ini</filename>
file and add the following keys to the
<literal>[DEFAULT]</literal> section:</para>
<programlisting language="ini">[DEFAULT]
file and complete the following action:</para>
<substeps>
<step>
<para>In the <literal>[DEFAULT]</literal> section, enable the
<glossterm>dnsmasq</glossterm> configuration file:</para>
<programlisting language="ini">[DEFAULT]
...
dnsmasq_config_file = /etc/neutron/dnsmasq-neutron.conf</programlisting>
</step>
</substeps>
</step>
<step>
<para>Create and edit the
<filename>/etc/neutron/dnsmasq-neutron.conf</filename> file and
add the following keys:</para>
<programlisting>dhcp-option-force=26,1454</programlisting>
complete the following action:</para>
<substeps>
<step>
<para>Enable the DHCP MTU option (26) and configure it to
1454 bytes:</para>
<programlisting language="ini">dhcp-option-force=26,1454</programlisting>
</step>
</substeps>
</step>
<step>
<para>Kill any existing
<systemitem role="process">dnsmasq</systemitem> processes:</para>
<screen><prompt>#</prompt> <userinput>pkill dnsmasq</userinput></screen>
<screen><prompt>#</prompt> <userinput>pkill dnsmasq</userinput></screen>
</step>
</substeps>
</step>
</procedure>
<procedure>
<title>To configure the metadata agent</title>
<para>The <glossterm>metadata agent</glossterm> provides
configuration information such as credentials for remote access
to instances.</para>
<para>The <glossterm baseform="Metadata agent">metadata agent</glossterm>
provides configuration information such as credentials to
instances.</para>
<step>
<para>Edit the
<filename>/etc/neutron/metadata_agent.ini</filename> file
and add the following keys to the <literal>[DEFAULT]</literal>
section:</para>
<para>Replace <replaceable>NEUTRON_PASS</replaceable> with the
password you chose for the <literal>neutron</literal> user in
the Identity service. Replace
<replaceable>METADATA_SECRET</replaceable> with a suitable
secret for the metadata proxy.</para>
<programlisting language="ini">[DEFAULT]
<para>Edit the <filename>/etc/neutron/metadata_agent.ini</filename>
file and complete the following actions:</para>
<substeps>
<step>
<para>In the <literal>[DEFAULT]</literal> section, configure
access parameters:</para>
<programlisting language="ini">[DEFAULT]
...
auth_url = http://<replaceable>controller</replaceable>:5000/v2.0
auth_region = regionOne
admin_tenant_name = service
admin_user = neutron
admin_password = <replaceable>NEUTRON_PASS</replaceable>
nova_metadata_ip = <replaceable>controller</replaceable>
admin_password = <replaceable>NEUTRON_PASS</replaceable></programlisting>
<para>Replace <replaceable>NEUTRON_PASS</replaceable> with the
password you chose for the <literal>neutron</literal> user in
the Identity service.</para>
</step>
<step>
<para>In the <literal>[DEFAULT]</literal> section, configure the
metadata host:</para>
<programlisting language="ini">[DEFAULT]
...
nova_metadata_ip = <replaceable>controller</replaceable></programlisting>
</step>
<step>
<para>In the <literal>[DEFAULT]</literal> section, configure the
metadata proxy shared secret:</para>
<programlisting language="ini">[DEFAULT]
...
metadata_proxy_shared_secret = <replaceable>METADATA_SECRET</replaceable></programlisting>
</step>
<step>
<para>(Optional) To assist with troubleshooting, add <literal>verbose =
True</literal> to the <literal>[DEFAULT]</literal> section
in the <filename>/etc/neutron/metadata_agent.ini</filename>
file.</para>
</step>
<step>
<note>
<para>Perform the next two steps on the
<emphasis>controller</emphasis> node.</para>
</note>
<para>Replace <replaceable>METADATA_SECRET</replaceable> with a
suitable secret for the metadata proxy.</para>
</step>
<step>
<para>(Optional) To assist with troubleshooting,
enable verbose logging in the <literal>[DEFAULT]</literal>
section:</para>
<programlisting language="ini">[DEFAULT]
...
verbose = True</programlisting>
</step>
</substeps>
</step>
<step>
<para>On the <emphasis>controller</emphasis> node, edit the
<filename>/etc/nova/nova.conf</filename> file and add the
following keys to the <literal>[DEFAULT]</literal>
section:</para>
<para>Replace <replaceable>METADATA_SECRET</replaceable> with
the secret you chose for the metadata proxy.</para>
<programlisting language="ini">[DEFAULT]
<filename>/etc/nova/nova.conf</filename> file and complete the
following action:</para>
<substeps>
<step>
<para>In the <literal>[neutron]</literal> section, enable the
metadata proxy and configure the secret:</para>
<programlisting language="ini">[neutron]
...
service_neutron_metadata_proxy = true
neutron_metadata_proxy_shared_secret = <replaceable>METADATA_SECRET</replaceable></programlisting>
service_metadata_proxy = True
metadata_proxy_shared_secret = <replaceable>METADATA_SECRET</replaceable></programlisting>
<para>Replace <replaceable>METADATA_SECRET</replaceable> with
the secret you chose for the metadata proxy.</para>
</step>
</substeps>
</step>
<step>
<para>On the <emphasis>controller</emphasis> node, restart the
@@ -306,56 +393,16 @@ neutron_metadata_proxy_shared_secret = <replaceable>METADATA_SECRET</replaceable
<screen os="ubuntu;debian"><prompt>#</prompt> <userinput>service nova-api restart</userinput></screen>
</step>
</procedure>
<procedure>
<title>To configure the Modular Layer 2 (ML2) plug-in</title>
<para>The ML2 plug-in uses the Open vSwitch (OVS) mechanism
(agent) to build virtual networking framework for
instances.</para>
<step>
<para>Edit the
<filename>/etc/neutron/plugins/ml2/ml2_conf.ini</filename>
file.</para>
<para>Add the following keys to the <literal>[ml2]</literal>
section:</para>
<programlisting language="ini">[ml2]
...
type_drivers = gre
tenant_network_types = gre
mechanism_drivers = openvswitch</programlisting>
<para>Add the following keys to the
<literal>[ml2_type_gre]</literal> section:</para>
<programlisting language="ini">[ml2_type_gre]
...
tunnel_id_ranges = 1:1000</programlisting>
<para>Add the <literal>[ovs]</literal> section and the following
keys to it:</para>
<para>Replace
<replaceable>INSTANCE_TUNNELS_INTERFACE_IP_ADDRESS</replaceable>
with the IP address of the instance tunnels network interface
on your network node.</para>
<programlisting language="ini">[ovs]
...
local_ip = <replaceable>INSTANCE_TUNNELS_INTERFACE_IP_ADDRESS</replaceable>
tunnel_type = gre
enable_tunneling = True</programlisting>
<para>Add the <literal>[securitygroup]</literal> section and the
following keys to it:</para>
<programlisting language="ini">[securitygroup]
...
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
enable_security_group = True</programlisting>
</step>
</procedure>
<procedure>
<title>To configure the Open vSwitch (OVS) service</title>
<para>The OVS service provides the underlying virtual networking
framework for instances. The integration bridge
<literal>br-int</literal> handles internal instance network
<literal>br-int</literal> handles internal instance network
traffic within OVS. The external bridge <literal>br-ex</literal>
handles external instance network traffic within OVS. The
external bridge requires a port on the physical external network
interface to provide instances with external network access. In
essence, this port bridges the virtual and physical external
essence, this port connects the virtual and physical external
networks in your environment.</para>
<step os="rhel;centos;fedora">
<para>Start the OVS service and configure it to start when the
@@ -386,7 +433,7 @@ enable_security_group = True</programlisting>
<screen><prompt>#</prompt> <userinput>ovs-vsctl add-port br-ex <replaceable>INTERFACE_NAME</replaceable></userinput></screen>
<note>
<para>Depending on your network interface driver, you may need
to disable <glossterm>Generic Receive Offload
to disable <glossterm>generic receive offload
(GRO)</glossterm> to achieve suitable throughput between
your instances and the external network.</para>
<para>To temporarily disable GRO on the external network
@@ -400,20 +447,17 @@ enable_security_group = True</programlisting>
<step os="rhel;centos;fedora">
<para>The Networking service initialization scripts expect a
symbolic link <filename>/etc/neutron/plugin.ini</filename>
pointing to the configuration file associated with your chosen
plug-in. Using the ML2 plug-in, for example, the symbolic link
must point to
<filename>/etc/neutron/plugins/ml2/ml2_conf.ini</filename>.
pointing to the ML2 plug-in configuration file,
<filename>/etc/neutron/plugins/ml2/ml2_conf.ini</filename>.
If this symbolic link does not exist, create it using the
following commands:</para>
following command:</para>
<screen><prompt>#</prompt> <userinput>ln -s /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini</userinput></screen></step>
<step os="sles;opensuse">
<para>The Networking service initialization scripts expect the
variable <literal>NEUTRON_PLUGIN_CONF</literal> in the
<filename>/etc/sysconfig/neutron</filename> file to
reference the configuration file associated with your chosen
plug-in. Using ML2, for example, edit the
<filename>/etc/sysconfig/neutron</filename> file and add the
<filename>/etc/sysconfig/neutron</filename> file to
reference the ML2 plug-in configurarion file. Edit the
<filename>/etc/sysconfig/neutron</filename> file and add the
following:</para>
<programlisting>NEUTRON_PLUGIN_CONF="/etc/neutron/plugins/ml2/ml2_conf.ini"</programlisting>
</step>