From 70c905f6a8589837580890b7115ae32271eb2a25 Mon Sep 17 00:00:00 2001
From: Matt Kassawara
Date: Thu, 13 Mar 2014 10:21:04 -0600
Subject: [PATCH] Restructured and updated Neutron compute section

As part of the installation guide improvement project, I performed the following operations on the Neutron compute section:

1) Removed modularity since we will only support the ML2 plug-in for Icehouse.
2) Added some tags to separate content. Future patches will add descriptions of each procedure.
3) Unified indentation and spacing.
4) Removed database configuration steps since Icehouse uses AMQP on compute nodes.
5) Removed *.ini configuration steps since Icehouse doesn't require editing *.ini files.
6) Moved 'auth_uri' key under [keystone_authtoken] section in neutron.conf.
7) Removed defunct 'auth_url' key.

This section should continue to work for installations using the Open vSwitch plug-in for Neutron. Future patches will update the content to use ML2.

Change-Id: I2c6207b26a8f85078ac680110d3d3244e8affd75
Partial-Bug: #1291071
Implements: blueprint networking-install-guide-improvements
---
 .../section_neutron-compute-node.xml | 522 ++++++++----------
 .../section_neutron-initial-networks.xml | 7 -
 2 files changed, 240 insertions(+), 289 deletions(-)

diff --git a/doc/install-guide/section_neutron-compute-node.xml b/doc/install-guide/section_neutron-compute-node.xml
index 6a4fa29173..32c55c41b4 100644
--- a/doc/install-guide/section_neutron-compute-node.xml
+++ b/doc/install-guide/section_neutron-compute-node.xml
@@ -5,28 +5,29 @@ xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:svg="http://www.w3.org/2000/svg" xmlns:html="http://www.w3.org/1999/xhtml" version="5.0"> - Configure compute node with neutron services + Configure compute node This section details set up for any node that runs the - nova-compute component but does not run + nova-compute component but does not run the full network stack. - By default, the system-config-firewall automated - firewall configuration tool is in place on RHEL. This graphical interface - (and a curses-style interface with -tui on the end of - the name) enables you to configure IP tables as a basic firewall. You - should disable it when you work with OpenStack Networking unless you are - familiar with the underlying network technologies, as, by default, it - blocks various types of network traffic that are important to neutron - services. To disable it, launch the program and clear the - Enabled check box. + By default, the system-config-firewall automated + firewall configuration tool is in place on RHEL. This graphical interface + (and a curses-style interface with -tui on the end of + the name) enables you to configure IP tables as a basic firewall. You + should disable it when you work with OpenStack Networking unless you are + familiar with the underlying network technologies, as, by default, it + blocks various types of network traffic that are important to neutron + services. To disable it, launch the program and clear the + Enabled check box. After you successfully set up OpenStack Networking with Neutron, you can re-enable and configure the tool. However, during OpenStack Networking setup, disable the tool to make it easier to debug network issues. + Prerequisites Disable packet destination filtering (route verification) to let the networking services route traffic 
@@ -37,144 +38,216 @@ net.ipv4.conf.default.rp_filter=0 # sysctl -p + + + Install Open vSwitch plug-in + OpenStack Networking supports a variety of plug-ins. For + simplicity, we chose to cover the most common plug-in, Open + vSwitch, and configure it to use basic GRE tunnels for tenant + network traffic. - Install and configure your networking plug-in - components. To install and configure the network plug-in - that you chose when you set up your network node, see . - - - Configure Networking to use keystone for authentication: - - - Set the auth_strategy - configuration key to keystone in the - DEFAULT section of the file: - # openstack-config --set /etc/neutron/neutron.conf DEFAULT auth_strategy keystone - - - Set the neutron configuration for - keystone authentication: - # openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \ - auth_host controller -# openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \ - auth_url http://controller:35357/v2.0 -# openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \ - admin_tenant_name service -# openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \ - admin_user neutron -# openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \ - admin_password NEUTRON_PASS - - - - Configure access to the RabbitMQ service: - # openstack-config --set /etc/neutron/neutron.conf DEFAULT \ - rpc_backend neutron.openstack.common.rpc.impl_kombu -# openstack-config --set /etc/neutron/neutron.conf DEFAULT \ - rabbit_host controller -# openstack-config --set /etc/neutron/neutron.conf DEFAULT \ - rabbit_userid guest -# openstack-config --set /etc/neutron/neutron.conf DEFAULT \ - rabbit_password RABBIT_PASS - - - Configure access to the Qpid message queue: - # openstack-config --set /etc/neutron/neutron.conf DEFAULT \ - rpc_backend neutron.openstack.common.rpc.impl_qpid -# openstack-config --set /etc/neutron/neutron.conf DEFAULT \ - qpid_hostname controller -# openstack-config 
--set /etc/neutron/neutron.conf DEFAULT \ - qpid_port 5672 -# openstack-config --set /etc/neutron/neutron.conf DEFAULT \ - qpid_username guest -# openstack-config --set /etc/neutron/neutron.conf DEFAULT \ - qpid_password guest + Install the Open vSwitch plug-in and its + dependencies: + # apt-get install neutron-plugin-openvswitch-agent openvswitch-datapath-dkms + # yum install openstack-neutron-openvswitch + # zypper install openstack-neutron-openvswitch-agent - Configure the core components of Neutron. Edit the - /etc/neutron/neutron.conf + Restart Open vSwitch: + # service openvswitch-switch restart + + + Start Open vSwitch and configure it to start when + the system boots: + # service openvswitch start +# chkconfig openvswitch on + # service openvswitch-switch start +# chkconfig openvswitch-switch on + + + You must set some common configuration options no + matter which networking technology you choose to use + with Open vSwitch. You must add the + br-int integration bridge, which + connects to the VMs. + # ovs-vsctl add-br br-int + + + You must set some common configuration options. You + must configure Networking core to use + OVS. 
Edit the + /etc/neutron/neutron.conf file: - auth_host = controller -admin_tenant_name = service -admin_user = neutron -admin_password = NEUTRON_PASS -auth_url = http://controller:35357/v2.0 -auth_strategy = keystone -rpc_backend = neutron.openstack.common.rpc.impl_kombu -rabbit_host = controller -rabbit_port = 5672 -# Change the following settings if you're not using the default RabbitMQ configuration -#rabbit_userid = guest -rabbit_password = RABBIT_PASS + core_plugin = neutron.plugins.openvswitch.ovs_neutron_plugin.OVSNeutronPluginV2 + core_plugin = neutron.plugins.openvswitch.ovs_neutron_plugin.OVSNeutronPluginV2 - - Set the root_helper configuration in the - [agent] section of /etc/neutron/neutron.conf: - # openstack-config --set /etc/neutron/neutron.conf AGENT \ - root_helper "sudo neutron-rootwrap /etc/neutron/rootwrap.conf" + + You must configure a firewall as well. You should + use the same firewall plug-in that you chose to use when + you set up the network node. To do this, edit + /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini + file and set the firewall_driver + value under the securitygroup to the + same value used on the network node. For instance, if + you chose to use the Hybrid OVS-IPTables plug-in, your + configuration looks like this: + [securitygroup] +# Firewall driver for realizing neutron security group function. +firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver + + You must use at least the No-Op firewall. + Otherwise, Horizon and other OpenStack services cannot + get and set required VM boot options. + - - Configure Networking to connect to the database: - # openstack-config --set /etc/neutron/neutron.conf database connection \ - mysql://neutron:NEUTRON_DBPASS@controller/neutron + + Configure the OVS plug-in to start + on boot. 
+ # chkconfig neutron-openvswitch-agent on + # chkconfig openstack-neutron-openvswitch-agent on + + + Tell the OVS plug-in to use GRE + tunneling with a br-int integration + bridge, a br-tun tunneling bridge, + and a local IP for the tunnel of + DATA_INTERFACE's IP Edit + the + /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini + file: + [ovs] +... +tenant_network_type = gre +tunnel_id_ranges = 1:1000 +enable_tunneling = True +integration_bridge = br-int +tunnel_bridge = br-tun +local_ip = DATA_INTERFACE_IP + + + + Configure common components + + Configure Networking to use keystone for authentication: + + + Set the auth_strategy + configuration key to keystone in the + [DEFAULT] section of the file: + # openstack-config --set /etc/neutron/neutron.conf DEFAULT auth_strategy keystone + + + Set the neutron + configuration for + keystone + authentication: + # openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \ + auth_uri http://controller:5000 +# openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \ + auth_host controller +# openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \ + auth_protocol http +# openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \ + auth_port 35357 +# openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \ + admin_tenant_name service +# openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \ + admin_user neutron +# openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \ + admin_password NEUTRON_PASS + + - Configure Networking to connect to the database. 
Edit - the [database] section in the same file, - as follows: - [database] -connection = mysql://neutron:NEUTRON_DBPASS@controller/neutron - - - Edit the /etc/neutron/api-paste.ini - file and add these lines to the - [filter:authtoken] section: - [filter:authtoken] -paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory + To configure neutron + to use keystone + for authentication, edit the + /etc/neutron/neutron.conf file. + + + Set the auth_strategy + configuration key to keystone in the + [DEFAULT] section of the file: + [DEFAULT] +... +auth_strategy = keystone + + + Add these lines to the + [keystone_authtoken] section of the + file: + [keystone_authtoken] +... +auth_uri = http://controller:5000 auth_host = controller +auth_protocol = http +auth_port = 35357 admin_tenant_name = service admin_user = neutron admin_password = NEUTRON_PASS + + - - Configure the /etc/neutron/api-paste.ini file for keystone - authentication: - # openstack-config --set /etc/neutron/api-paste.ini filter:authtoken \ - paste.filter_factory keystoneclient.middleware.auth_token:filter_factory -# openstack-config --set /etc/neutron/api-paste.ini filter:authtoken \ - auth_host controller -# openstack-config --set /etc/neutron/api-paste.ini filter:authtoken \ - admin_tenant_name service -# openstack-config --set /etc/neutron/api-paste.ini filter:authtoken \ - admin_user neutron -# openstack-config --set /etc/neutron/api-paste.ini filter:authtoken \ - admin_password NEUTRON_PASS + + Configure access to the RabbitMQ service: + # openstack-config --set /etc/neutron/neutron.conf DEFAULT \ + rpc_backend neutron.openstack.common.rpc.impl_kombu +# openstack-config --set /etc/neutron/neutron.conf DEFAULT \ + rabbit_host controller +# openstack-config --set /etc/neutron/neutron.conf DEFAULT \ + rabbit_userid guest +# openstack-config --set /etc/neutron/neutron.conf DEFAULT \ + rabbit_password RABBIT_PASS + + Configure the RabbitMQ access. 
+ Edit the /etc/neutron/neutron.conf file + to modify the following parameters in the + [DEFAULT] section. + rabbit_host = controller +rabbit_userid = guest +rabbit_password = RABBIT_PASS + + + Configure access to the Qpid message queue: + # openstack-config --set /etc/neutron/neutron.conf DEFAULT \ + rpc_backend neutron.openstack.common.rpc.impl_qpid +# openstack-config --set /etc/neutron/neutron.conf DEFAULT \ + qpid_hostname controller +# openstack-config --set /etc/neutron/neutron.conf DEFAULT \ + qpid_port 5672 +# openstack-config --set /etc/neutron/neutron.conf DEFAULT \ + qpid_username guest +# openstack-config --set /etc/neutron/neutron.conf DEFAULT \ + qpid_password guest + + + + Configure Compute services for Networking - Configure OpenStack Compute to use OpenStack Networking + Configure OpenStack Compute to use OpenStack Networking services. Configure the /etc/nova/nova.conf file as per instructions below: - # openstack-config --set /etc/nova/nova.conf DEFAULT \ - network_api_class nova.network.neutronv2.api.API + # openstack-config --set /etc/nova/nova.conf DEFAULT \ + network_api_class nova.network.neutronv2.api.API # openstack-config --set /etc/nova/nova.conf DEFAULT \ - neutron_url http://controller:9696 + neutron_url http://controller:9696 # openstack-config --set /etc/nova/nova.conf DEFAULT \ - neutron_auth_strategy keystone + neutron_auth_strategy keystone # openstack-config --set /etc/nova/nova.conf DEFAULT \ - neutron_admin_tenant_name service + neutron_admin_tenant_name service # openstack-config --set /etc/nova/nova.conf DEFAULT \ - neutron_admin_username neutron + neutron_admin_username neutron # openstack-config --set /etc/nova/nova.conf DEFAULT \ - neutron_admin_password NEUTRON_PASS + neutron_admin_password NEUTRON_PASS # openstack-config --set /etc/nova/nova.conf DEFAULT \ - neutron_admin_auth_url http://controller:35357/v2.0 + neutron_admin_auth_url http://controller:35357/v2.0 # openstack-config --set /etc/nova/nova.conf DEFAULT \ - 
linuxnet_interface_driver nova.network.linux_net.LinuxOVSInterfaceDriver + linuxnet_interface_driver nova.network.linux_net.LinuxOVSInterfaceDriver # openstack-config --set /etc/nova/nova.conf DEFAULT \ - firewall_driver nova.virt.firewall.NoopFirewallDriver + firewall_driver nova.virt.firewall.NoopFirewallDriver # openstack-config --set /etc/nova/nova.conf DEFAULT \ - security_group_api neutron + security_group_api neutron Configure OpenStack Compute to use OpenStack Networking services. Edit the /etc/nova/nova.conf file: @@ -195,7 +268,7 @@ security_group_api=neutron configured the network and compute nodes, you must edit the /etc/nova/nova.conf file to set the firewall driver to - nova.virt.firewall.NoopFirewallDriver. + nova.virt.firewall.NoopFirewallDriver. Because OpenStack Networking handles the firewall, this statement instructs Compute to not use a firewall. 
@@ -203,188 +276,73 @@ security_group_api=neutron If you want Networking to handle the firewall, edit the - /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini + /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini file to set the firewall_driver option to the firewall for the plug-in. For example, with - OVS, edit the file as + OVS, edit the file as follows: [securitygroup] # Firewall driver for realizing neutron security group function. firewall_driver=neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver # openstack-config --set \ - /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini securitygroup firewall_driver \ - neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver + /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini securitygroup firewall_driver \ + neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver If you do not want to use a firewall in Compute or Networking, edit both configuration files and set - firewall_driver=nova.virt.firewall.NoopFirewallDriver. + firewall_driver=nova.virt.firewall.NoopFirewallDriver. Also, edit the - /etc/nova/nova.conf file and + /etc/nova/nova.conf file and comment out or remove the - security_group_api=neutron + security_group_api=neutron statement. Otherwise, when you issue nova - list commands, the ERROR: The - server has either erred or is incapable of - performing the requested operation. (HTTP - 500) error might be returned. + list commands, the ERROR: The + server has either erred or is incapable of + performing the requested operation. (HTTP + 500) error might be returned. + + + Finalize installation + + The neutron-server + initialization script expects a symbolic link + /etc/neutron/plugin.ini pointing to the + configuration file associated with your chosen plug-in. Using + Open vSwitch, for example, the symbolic link must point to + /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini. 
+ If this symbolic link does not exist, create it using the + following commands: + # cd /etc/neutron +# ln -s plugins/openvswitch/ovs_neutron_plugin.ini plugin.ini + + + The openstack-neutron + initialization script expects the variable + NEUTRON_PLUGIN_CONF in file + /etc/sysconfig/neutron to reference the + configuration file associated with your chosen plug-in. Using + Open vSwitch, for example, edit the + /etc/sysconfig/neutron file and add the + following: + NEUTRON_PLUGIN_CONF="/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini" + + + Restart Networking services. + # service neutron-plugin-openvswitch-agent restart + # service neutron-openvswitch-agent restart + # service openstack-neutron-openvswitch-agent restart + Restart the Compute service. # service nova-compute restart # service openstack-nova-compute restart # service openstack-nova-compute restart - Also restart your chosen Networking plug-in agent, for example, Open vSwitch. - # service neutron-plugin-openvswitch-agent restart - # service neutron-openvswitch-agent restart - # service openstack-neutron-openvswitch-agent restart -
- Install and configure OpenStack Networking plug-ins on a dedicated - compute node -
- Install the Open vSwitch (OVS) plug-in on a dedicated - compute node - - - Install the Open vSwitch plug-in and its - dependencies: - # apt-get install neutron-plugin-openvswitch-agent openvswitch-datapath-dkms - # yum install openstack-neutron-openvswitch - # zypper install openstack-neutron-openvswitch-agent - - - Restart Open vSwitch: - # service openvswitch-switch restart - - - Start Open vSwitch and configure it to start when - the system boots: - # service openvswitch start -# chkconfig openvswitch on - # service openvswitch-switch start -# chkconfig openvswitch-switch on - - - You must set some common configuration options no - matter which networking technology you choose to use - with Open vSwitch. You must add the - br-int integration bridge, which - connects to the VMs. - # ovs-vsctl add-br br-int - - - You must set some common configuration options. You - must configure Networking core to use - OVS. Edit the - /etc/neutron/neutron.conf - file: - core_plugin = neutron.plugins.openvswitch.ovs_neutron_plugin.OVSNeutronPluginV2 - auth_uri = http://controller:5000 - core_plugin = neutron.plugins.openvswitch.ovs_neutron_plugin.OVSNeutronPluginV2 -api_paste_config = /etc/neutron/api-paste.ini -rpc_backend = neutron.openstack.common.rpc.impl_qpid - - - Configure the networking type that you chose when - you set up the network node: either GRE tunneling or VLANs. - - - - You must configure a firewall as well. You should - use the same firewall plug-in that you chose to use when - you set up the network node. To do this, edit - /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini - file and set the firewall_driver - value under the securitygroup to the - same value used on the network node. For instance, if - you chose to use the Hybrid OVS-IPTables plug-in, your - configuration looks like this: - [securitygroup] -# Firewall driver for realizing neutron security group function. 
-firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver - - You must use at least the No-Op firewall. - Otherwise, Horizon and other OpenStack services cannot - get and set required VM boot options. - - - - Configure the OVS plug-in to start - on boot. - # chkconfig neutron-openvswitch-agent on - # chkconfig openstack-neutron-openvswitch-agent on - - - Now, return to the general OVS - instructions. - - -
- Configure the Neutron <acronym>OVS</acronym> plug-in - for GRE tunneling on a dedicated compute node - - - Tell the OVS plug-in to use GRE - tunneling with a br-int integration - bridge, a br-tun tunneling bridge, - and a local IP for the tunnel of - DATA_INTERFACE's IP Edit - the - /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini - file: - [ovs] -tenant_network_type = gre -tunnel_id_ranges = 1:1000 -enable_tunneling = True -integration_bridge = br-int -tunnel_bridge = br-tun -local_ip = DATA_INTERFACE_IP - - - Now, return to the general OVS - instructions. - - -
-
- Configure the Neutron <acronym>OVS</acronym> plug-in - for VLANs on a dedicated compute node - - - Tell OVS to use VLANs. Edit the - /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini - file: - [ovs] -tenant_network_type = vlan -network_vlan_ranges = physnet1:1:4094 -bridge_mappings = physnet1:br-DATA_INTERFACE - - - Create the bridge for the - DATA_INTERFACE and add - DATA_INTERFACE to it, the - same way you did on the network node: - # ovs-vsctl add-br br-DATA_INTERFACE -# ovs-vsctl add-port br-DATA_INTERFACE DATA_INTERFACE - - - Return to the general OVS - instructions. - - -
-
-
diff --git a/doc/install-guide/section_neutron-initial-networks.xml b/doc/install-guide/section_neutron-initial-networks.xml index 69bf9f0d9f..0975169fc2 100644 --- a/doc/install-guide/section_neutron-initial-networks.xml +++ b/doc/install-guide/section_neutron-initial-networks.xml @@ -70,11 +70,6 @@ # neutron subnet-create --tenant-id DEMO_TENANT_ID demo-net 10.5.5.0/24 --gateway 10.5.5.1 # neutron router-interface-add EXT_TO_INT_ID DEMO_NET_SUBNET_ID - - Check the special options page for your plug-in for - remaining steps. Now, return to the general - OVS instructions. -
@@ -116,8 +111,6 @@ router_id = EXT_TO_INT_ID increment the segmentation ID and copy the network type option for any additional networks. - Now, return to the general OVS - instructions.
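Review bot: In the hunk at @@ -37,144 +38,216 @@ of section_neutron-compute-node.xml, the new [keystone_authtoken] steps set `auth_uri http://controller:5000` and `auth_protocol http`, so the compute node validates tokens and presents `admin_password NEUTRON_PASS` to the identity service over unencrypted HTTP. Since these keys are being rewritten here anyway, add a sentence stating that the guide assumes a trusted management network, or point to where TLS for the identity endpoint is covered. The same hunk carries forward `rabbit_userid guest` and `qpid_username guest` / `qpid_password guest`; a short remark next to RABBIT_PASS that the default broker account should be replaced would fit. Separately, item 5 of the commit message says *.ini editing steps were removed, but the added lines still tell the reader to edit /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini for `firewall_driver` and the `[ovs]` tunnel settings; naming api-paste.ini in the message would match what the hunk actually removes.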
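Review bot: In the hunk at @@ -203,188 +276,73 @@ of section_neutron-compute-node.xml, the new "Finalize installation" step says the neutron-server initialization script expects the /etc/neutron/plugin.ini symbolic link, yet this section covers a node that "does not run the full network stack", and the restart step that follows only restarts the Open vSwitch agent. Either name the script on the compute node that actually reads plugin.ini and NEUTRON_PLUGIN_CONF, or drop the step here if it only applies where neutron-server runs. The symlink commands also run unconditionally after "If this symbolic link does not exist"; showing a check before `ln -s plugins/openvswitch/ovs_neutron_plugin.ini plugin.ini` would keep the step safe to repeat.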