diff --git a/doc/install-guide/source/neutron-compute-install-option1.rst b/doc/install-guide/source/neutron-compute-install-option1.rst index 26d9f1722b..f0295b68cd 100644 --- a/doc/install-guide/source/neutron-compute-install-option1.rst +++ b/doc/install-guide/source/neutron-compute-install-option1.rst @@ -1,7 +1,7 @@ Networking Option 1: Provider networks ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -Install and configure the Networking components on a *compute* node. +Configure the Networking components on a *compute* node. Configure the Linux bridge agent -------------------------------- 
@@ -10,37 +10,46 @@ The Linux bridge agent builds layer-2 (bridging and switching) virtual networking infrastructure for instances including VXLAN tunnels for private networks and handles security groups. -Edit the ``/etc/neutron/plugins/ml2/linuxbridge_agent.conf`` file. +#. Edit the ``/etc/neutron/plugins/ml2/linuxbridge_agent.conf`` file and + complete the following actions: -#. In the ``[linux_bridge]`` section, map the public virtual network to the - public physical network interface: + * In the ``[linux_bridge]`` section, map the public virtual network to the + public physical network interface: - .. code-block:: ini + .. code-block:: ini - [linux_bridge] - physical_interface_mappings = public:PUBLIC_INTERFACE_NAME + [linux_bridge] + physical_interface_mappings = public:PUBLIC_INTERFACE_NAME - Replace ``PUBLIC_INTERFACE_NAME`` with the name of the underlying physical - public network interface. + Replace ``PUBLIC_INTERFACE_NAME`` with the name of the underlying physical + public network interface. -#. In the ``[vxlan]`` section, disable VXLAN overlay networks: + * In the ``[vxlan]`` section, disable VXLAN overlay networks: - .. code-block:: ini + .. code-block:: ini - [vxlan] - enable_vxlan = False + [vxlan] + enable_vxlan = False -#. In the ``[securitygroup]`` section, enable security groups, enable - :term:`ipset`, and configure the Linux bridge :term:`iptables` firewall - driver: + * In the ``[agent]`` section, enable ARP spoofing protection: - .. code-block:: ini + .. code-block:: ini - [securitygroup] - ... - enable_security_group = True - enable_ipset = True - firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver + [agent] + ... + prevent_arp_spoofing = True + + * In the ``[securitygroup]`` section, enable security groups, enable + :term:`ipset`, and configure the Linux bridge :term:`iptables` firewall + driver: + + .. code-block:: ini + + [securitygroup] + ... 
+ enable_security_group = True + enable_ipset = True + firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver Return to :ref:`Networking compute node configuration `. diff --git a/doc/install-guide/source/neutron-compute-install-option2.rst b/doc/install-guide/source/neutron-compute-install-option2.rst index 9c3e2d33db..2a70187833 100644 --- a/doc/install-guide/source/neutron-compute-install-option2.rst +++ b/doc/install-guide/source/neutron-compute-install-option2.rst @@ -1,7 +1,7 @@ Networking Option 2: Self-service networks ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -Install and configure the Networking components on a *compute* node. +Configure the Networking components on a *compute* node. Configure the Linux bridge agent -------------------------------- 
@@ -10,45 +10,54 @@ The Linux bridge agent builds layer-2 (bridging and switching) virtual networking infrastructure for instances including VXLAN tunnels for private networks and handles security groups. -Edit the ``/etc/neutron/plugins/ml2/linuxbridge_agent.conf`` file. +#. Edit the ``/etc/neutron/plugins/ml2/linuxbridge_agent.conf`` file and + complete the following actions: -#. In the ``[linux_bridge]`` section, map the public virtual network to the - public physical network interface: + * In the ``[linux_bridge]`` section, map the public virtual network to the + public physical network interface: - .. code-block:: ini + .. code-block:: ini - [linux_bridge] - physical_interface_mappings = public:PUBLIC_INTERFACE_NAME + [linux_bridge] + physical_interface_mappings = public:PUBLIC_INTERFACE_NAME - Replace ``PUBLIC_INTERFACE_NAME`` with the name of the underlying physical - public network interface. + Replace ``PUBLIC_INTERFACE_NAME`` with the name of the underlying physical + public network interface. -#. In the ``[vxlan]`` section, enable VXLAN overlay networks, configure the - IP address of the physical network interface that handles overlay - networks, and enable layer-2 population: + * In the ``[vxlan]`` section, enable VXLAN overlay networks, configure the + IP address of the physical network interface that handles overlay + networks, and enable layer-2 population: - .. code-block:: ini + .. code-block:: ini - [vxlan] - enable_vxlan = True - local_ip = OVERLAY_INTERFACE_IP_ADDRESS - l2_population = True + [vxlan] + enable_vxlan = True + local_ip = OVERLAY_INTERFACE_IP_ADDRESS + l2_population = True - Replace ``OVERLAY_INTERFACE_IP_ADDRESS`` with the IP address of the - underlying physical network interface that handles overlay networks. The - example architecture uses the management interface. + Replace ``OVERLAY_INTERFACE_IP_ADDRESS`` with the IP address of the + underlying physical network interface that handles overlay networks. 
The + example architecture uses the management interface. -#. In the ``[securitygroup]`` section, enable security groups, enable - :term:`ipset`, and configure the Linux bridge :term:`iptables` firewall - driver: + * In the ``[agent]`` section, enable ARP spoofing protection: - .. code-block:: ini + .. code-block:: ini - [securitygroup] - ... - enable_security_group = True - enable_ipset = True - firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver + [agent] + ... + prevent_arp_spoofing = True + + * In the ``[securitygroup]`` section, enable security groups, enable + :term:`ipset`, and configure the Linux bridge :term:`iptables` firewall + driver: + + .. code-block:: ini + + [securitygroup] + ... + enable_security_group = True + enable_ipset = True + firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver Return to :ref:`Networking compute node configuration `. diff --git a/doc/install-guide/source/neutron-compute-install.rst b/doc/install-guide/source/neutron-compute-install.rst index ef4d94b702..35f304fe9f 100644 --- a/doc/install-guide/source/neutron-compute-install.rst +++ b/doc/install-guide/source/neutron-compute-install.rst @@ -10,7 +10,7 @@ Prerequisites Before you install and configure OpenStack Networking, you must kernel networking parameters to disable reverse-path filtering: -#. Edit the :file:`/etc/sysctl.conf` file to contain the following parameters: +#. Edit the ``/etc/sysctl.conf`` file to contain the following parameters: .. code-block:: ini @@ -25,8 +25,8 @@ kernel networking parameters to disable reverse-path filtering: .. only:: ubuntu or rdo or obs -Install the Networking components ---------------------------------- +Install the components +---------------------- .. only:: ubuntu 
@@ -67,77 +67,78 @@ Install the Networking components Selecting the ML2 plug-in also populates the ``service_plugins`` and ``allow_overlapping_ips`` options in the - :file:`/etc/neutron/neutron.conf` file with the appropriate values. + ``/etc/neutron/neutron.conf`` file with the appropriate values. .. only:: ubuntu or rdo or obs -To configure the Networking common components ---------------------------------------------- +Configure the common component +------------------------------ The Networking common component configuration includes the authentication mechanism, message queue, and plug-in. .. include:: shared/note_configuration_vary_by_distribution.rst -Edit the ``/etc/neutron/neutron.conf`` file. +#. Edit the ``/etc/neutron/neutron.conf`` file and complete the following + actions: -#. In the ``[database]`` section, comment out any ``connection`` options - because compute nodes do not directly access the database. + * In the ``[database]`` section, comment out any ``connection`` options + because compute nodes do not directly access the database. -#. In the ``[DEFAULT]`` and ``[oslo_messaging_rabbit]`` sections, configure - RabbitMQ message queue access: + * In the ``[DEFAULT]`` and ``[oslo_messaging_rabbit]`` sections, configure + RabbitMQ message queue access: - .. code-block:: ini + .. code-block:: ini - [DEFAULT] - ... - rpc_backend = rabbit + [DEFAULT] + ... + rpc_backend = rabbit - [oslo_messaging_rabbit] - ... - rabbit_host = controller - rabbit_userid = openstack - rabbit_password = RABBIT_PASS + [oslo_messaging_rabbit] + ... + rabbit_host = controller + rabbit_userid = openstack + rabbit_password = RABBIT_PASS - Replace ``RABBIT_PASS`` with the password you chose for the ``openstack`` - account in RabbitMQ. + Replace ``RABBIT_PASS`` with the password you chose for the ``openstack`` + account in RabbitMQ. -#. 
In the ``[DEFAULT]`` and ``[keystone_authtoken]`` sections, configure - Identity service access: + * In the ``[DEFAULT]`` and ``[keystone_authtoken]`` sections, configure + Identity service access: - .. code-block:: ini + .. code-block:: ini - [DEFAULT] - ... - auth_strategy = keystone + [DEFAULT] + ... + auth_strategy = keystone - [keystone_authtoken] - ... - auth_uri = http://controller:5000 - auth_url = http://controller:35357 - auth_plugin = password - project_domain_id = default - user_domain_id = default - project_name = service - username = neutron - password = NEUTRON_PASS + [keystone_authtoken] + ... + auth_uri = http://controller:5000 + auth_url = http://controller:35357 + auth_plugin = password + project_domain_id = default + user_domain_id = default + project_name = service + username = neutron + password = NEUTRON_PASS - Replace ``NEUTRON_PASS`` with the password you chose for the ``neutron`` - user in the Identity service. + Replace ``NEUTRON_PASS`` with the password you chose for the ``neutron`` + user in the Identity service. - .. note:: + .. note:: - Comment out or remove any other options in the - ``[keystone_authtoken]`` section. + Comment out or remove any other options in the + ``[keystone_authtoken]`` section. -#. (Optional) To assist with troubleshooting, enable verbose logging in the - ``[DEFAULT]`` section: + * (Optional) To assist with troubleshooting, enable verbose logging in the + ``[DEFAULT]`` section: - .. code-block:: ini + .. code-block:: ini - [DEFAULT] - ... - verbose = True + [DEFAULT] + ... + verbose = True Configure networking options ---------------------------- 
@@ -162,41 +163,26 @@ configure services specific to it. Configure Compute to use Networking ----------------------------------- -Edit the ``/etc/nova/nova.conf`` file. +#. Edit the ``/etc/nova/nova.conf`` file and complete the following actions: -#. In the ``[DEFAULT]`` section, configure Compute to use the Networking - service: + * In the ``[neutron]`` section, configure access parameters: - .. code-block:: ini + .. code-block:: ini - [DEFAULT] - ... - network_api_class = nova.network.neutronv2.api.API - security_group_api = neutron - linuxnet_interface_driver = nova.network.linux_net.LinuxOVSInterfaceDriver - firewall_driver = nova.virt.firewall.NoopFirewallDriver + [neutron] + ... + url = http://controller:9696 + auth_url = http://controller:35357 + auth_plugin = password + project_domain_id = default + user_domain_id = default + region_name = RegionOne + project_name = service + username = neutron + password = NEUTRON_PASS - .. note:: - - The ``firewall_driver`` option uses the ``NoopFirewallDriver`` value - because Compute delegates security group (firewall) operation to the - Networking service. - -#. In the ``[neutron]`` section, configure access parameters: - - .. code-block:: ini - - [neutron] - ... - url = http://controller:9696 - auth_strategy = keystone - admin_auth_url = http://controller:35357/v2.0 - admin_tenant_name = service - admin_username = neutron - admin_password = NEUTRON_PASS - - Replace ``NEUTRON_PASS`` with the password you chose for the ``neutron`` - user in the Identity service. + Replace ``NEUTRON_PASS`` with the password you chose for the ``neutron`` + user in the Identity service. Finalize installation --------------------- 
@@ -204,8 +190,8 @@ Finalize installation .. only:: rdo #. The Networking service initialization scripts expect a symbolic link - :file:`/etc/neutron/plugin.ini` pointing to the ML2 plug-in configuration - file, :file:`/etc/neutron/plugins/ml2/ml2_conf.ini`. If this symbolic + ``/etc/neutron/plugin.ini`` pointing to the ML2 plug-in configuration + file, ``/etc/neutron/plugins/ml2/ml2_conf.ini``. If this symbolic link does not exist, create it using the following command: .. code-block:: console @@ -246,9 +232,9 @@ Finalize installation .. only:: obs #. The Networking service initialization scripts expect the variable - ``NEUTRON_PLUGIN_CONF`` in the :file:`/etc/sysconfig/neutron` file to + ``NEUTRON_PLUGIN_CONF`` in the ``/etc/sysconfig/neutron`` file to reference the ML2 plug-in configuration file. Edit the - :file:`/etc/sysconfig/neutron` file and add the following: + ``/etc/sysconfig/neutron`` file and add the following: .. code-block:: ini @@ -281,7 +267,7 @@ Finalize installation agent configuration file. Run the following commands to resolve this issue: - .. code:: console + .. code-block:: console # cp /etc/init/neutron-plugin-linuxbridge-agent.conf \ /etc/init/neutron-plugin-linuxbridge-agent.conf.orig diff --git a/doc/install-guide/source/neutron-controller-install-option1.rst b/doc/install-guide/source/neutron-controller-install-option1.rst index 29b8c53df0..7cef2600db 100644 --- a/doc/install-guide/source/neutron-controller-install-option1.rst +++ b/doc/install-guide/source/neutron-controller-install-option1.rst @@ -9,7 +9,7 @@ Prerequisites Before you configure networking option 1, you must configure kernel parameters to disable reverse-path filtering. -#. Edit the :file:`/etc/sysctl.conf` file to contain the following parameters: +#. Edit the ``/etc/sysctl.conf`` file to contain the following parameters: .. code-block:: ini 
@@ -22,12 +22,12 @@ parameters to disable reverse-path filtering. # sysctl -p -Install the networking components ---------------------------------- +Install the components +---------------------- .. only:: ubuntu - .. code:: console + .. code-block:: console # apt-get install neutron-server neutron-plugin-ml2 \ neutron-plugin-linuxbridge-agent neutron-dhcp-agent \ @@ -35,14 +35,14 @@ Install the networking components .. only:: rdo - .. code:: console + .. code-block:: console # yum install openstack-neutron openstack-neutron-ml2 \ openstack-neutron-linuxbridge python-neutronclient .. only:: obs - .. code:: console + .. code-block:: console # zypper install --no-recommends openstack-neutron \ openstack-neutron-server openstack-neutron-linuxbridge-agent \ @@ -54,7 +54,7 @@ Install the networking components Install and configure the networking components ----------------------------------------------- - #. .. code:: console + #. .. code-block:: console # apt-get install neutron-server neutron-plugin-linuxbridge-agent \ neutron-dhcp-agent neutron-metadata-agent @@ -75,12 +75,12 @@ Install the networking components Selecting the ML2 plug-in also populates the ``service_plugins`` and ``allow_overlapping_ips`` options in the - :file:`/etc/neutron/neutron.conf` file with the appropriate values. + ``/etc/neutron/neutron.conf`` file with the appropriate values. .. only:: ubuntu or rdo or obs - Configure the Networking server component - ----------------------------------------- + Configure the server component + ------------------------------ The Networking server component configuration includes the database, authentication mechanism, message queue, topology change notifications, 
@@ -88,108 +88,109 @@ Install the networking components .. include:: shared/note_configuration_vary_by_distribution.rst - Edit the ``/etc/neutron/neutron.conf`` file. + #. Edit the ``/etc/neutron/neutron.conf`` file and complete the following + actions: - #. In the ``[database]`` section, configure database access: + * In the ``[database]`` section, configure database access: - .. code:: ini + .. code-block:: ini - [database] - ... - connection = mysql+pymysql://neutron:NEUTRON_DBPASS@controller/neutron + [database] + ... + connection = mysql+pymysql://neutron:NEUTRON_DBPASS@controller/neutron - Replace ``NEUTRON_DBPASS`` with the password you chose for the - database. + Replace ``NEUTRON_DBPASS`` with the password you chose for the + database. - #. In the ``[DEFAULT]`` section, enable the Modular Layer 2 (ML2) - plug-in and disable additional plug-ins: + * In the ``[DEFAULT]`` section, enable the Modular Layer 2 (ML2) + plug-in and disable additional plug-ins: - .. code:: ini + .. code-block:: ini - [DEFAULT] - ... - core_plugin = ml2 - service_plugins = + [DEFAULT] + ... + core_plugin = ml2 + service_plugins = - #. In the ``[DEFAULT]`` and ``[oslo_messaging_rabbit]`` sections, - configure RabbitMQ message queue access: + * In the ``[DEFAULT]`` and ``[oslo_messaging_rabbit]`` sections, + configure RabbitMQ message queue access: - .. code-block:: ini + .. code-block:: ini - [DEFAULT] - ... - rpc_backend = rabbit + [DEFAULT] + ... + rpc_backend = rabbit - [oslo_messaging_rabbit] - ... - rabbit_host = controller - rabbit_userid = openstack - rabbit_password = RABBIT_PASS + [oslo_messaging_rabbit] + ... + rabbit_host = controller + rabbit_userid = openstack + rabbit_password = RABBIT_PASS - Replace ``RABBIT_PASS`` with the password you chose for the - ``openstack`` account in RabbitMQ. + Replace ``RABBIT_PASS`` with the password you chose for the + ``openstack`` account in RabbitMQ. - #. 
In the ``[DEFAULT]`` and ``[keystone_authtoken]`` sections, configure - Identity service access: + * In the ``[DEFAULT]`` and ``[keystone_authtoken]`` sections, configure + Identity service access: - .. code-block:: ini + .. code-block:: ini - [DEFAULT] - ... - auth_strategy = keystone + [DEFAULT] + ... + auth_strategy = keystone - [keystone_authtoken] - ... - auth_uri = http://controller:5000 - auth_url = http://controller:35357 - auth_plugin = password - project_domain_id = default - user_domain_id = default - project_name = service - username = neutron - password = NEUTRON_PASS + [keystone_authtoken] + ... + auth_uri = http://controller:5000 + auth_url = http://controller:35357 + auth_plugin = password + project_domain_id = default + user_domain_id = default + project_name = service + username = neutron + password = NEUTRON_PASS - Replace ``NEUTRON_PASS`` with the password you chose for the ``neutron`` - user in the Identity service. + Replace ``NEUTRON_PASS`` with the password you chose for the ``neutron`` + user in the Identity service. - .. note:: + .. note:: - Comment out or remove any other options in the - ``[keystone_authtoken]`` section. + Comment out or remove any other options in the + ``[keystone_authtoken]`` section. - #. In the ``[DEFAULT]`` and ``[nova]`` sections, configure Networking to - notify Compute of network topology changes: + * In the ``[DEFAULT]`` and ``[nova]`` sections, configure Networking to + notify Compute of network topology changes: - .. code-block:: ini + .. code-block:: ini - [DEFAULT] - ... - notify_nova_on_port_status_changes = True - notify_nova_on_port_data_changes = True - nova_url = http://controller:8774/v2 + [DEFAULT] + ... + notify_nova_on_port_status_changes = True + notify_nova_on_port_data_changes = True + nova_url = http://controller:8774/v2 - [nova] - ... 
- auth_url = http://controller:35357 - auth_plugin = password - project_domain_id = default - user_domain_id = default - region_name = RegionOne - project_name = service - username = nova - password = NOVA_PASS + [nova] + ... + auth_url = http://controller:35357 + auth_plugin = password + project_domain_id = default + user_domain_id = default + region_name = RegionOne + project_name = service + username = nova + password = NOVA_PASS - Replace ``NOVA_PASS`` with the password you chose for the ``nova`` - user in the Identity service. + Replace ``NOVA_PASS`` with the password you chose for the ``nova`` + user in the Identity service. - #. (Optional) To assist with troubleshooting, enable verbose logging in - the ``[DEFAULT]`` section: + * (Optional) To assist with troubleshooting, enable verbose logging in + the ``[DEFAULT]`` section: - .. code:: ini + .. code-block:: ini - [DEFAULT] - ... - verbose = True + [DEFAULT] + ... + verbose = True Configure the Modular Layer 2 (ML2) plug-in ------------------------------------------- 
@@ -197,53 +198,54 @@ Configure the Modular Layer 2 (ML2) plug-in The ML2 plug-in uses the Linux bridge mechanism to build layer-2 (bridging and switching) virtual networking infrastructure for instances. -Edit the ``/etc/neutron/plugins/ml2/ml2_conf.ini`` file. +#. Edit the ``/etc/neutron/plugins/ml2/ml2_conf.ini`` file and complete the + following actions: -#. In the ``[ml2]`` section, enable flat and VLAN networks: + * In the ``[ml2]`` section, enable flat and VLAN networks: - .. code:: ini + .. code-block:: ini - [ml2] - ... - type_drivers = flat,vlan + [ml2] + ... + type_drivers = flat,vlan -#. In the ``[ml2]`` section, disable project (private) networks: + * In the ``[ml2]`` section, disable project (private) networks: - .. code:: ini + .. code-block:: ini - [ml2] - ... - tenant_network_types = + [ml2] + ... + tenant_network_types = -#. In the ``[ml2]`` section, enable the Linux bridge mechanism: + * In the ``[ml2]`` section, enable the Linux bridge mechanism: - .. code:: ini + .. code-block:: ini - [ml2] - ... - mechanism_drivers = linuxbridge + [ml2] + ... + mechanism_drivers = linuxbridge - .. warning:: + .. warning:: - After you configure the ML2 plug-in, removing values in the - ``type_drivers`` option can lead to database inconsistency. + After you configure the ML2 plug-in, removing values in the + ``type_drivers`` option can lead to database inconsistency. -#. In the ``[ml2]`` section, enable the port security extension driver: + * In the ``[ml2]`` section, enable the port security extension driver: - .. code:: ini + .. code-block:: ini - [ml2] - ... - extension_drivers = port_security + [ml2] + ... + extension_drivers = port_security -#. In the ``[ml2_type_flat]`` section, configure the public flat provider - network: + * In the ``[ml2_type_flat]`` section, configure the public flat provider + network: - .. code-block:: ini + .. code-block:: ini - [ml2_type_flat] - ... - flat_networks = public + [ml2_type_flat] + ... 
+ flat_networks = public Configure the Linux bridge agent -------------------------------- 
@@ -252,73 +254,75 @@ The Linux bridge agent builds layer-2 (bridging and switching) virtual networking infrastructure for instances including VXLAN tunnels for private networks and handles security groups. -Edit the ``/etc/neutron/plugins/ml2/linuxbridge_agent.conf`` file. +#. Edit the ``/etc/neutron/plugins/ml2/linuxbridge_agent.conf`` file and + complete the following actions: -#. In the ``[linux_bridge]`` section, map the public virtual network to the - public physical network interface: + * In the ``[linux_bridge]`` section, map the public virtual network to the + public physical network interface: - .. code-block:: ini + .. code-block:: ini - [linux_bridge] - physical_interface_mappings = public:PUBLIC_INTERFACE_NAME + [linux_bridge] + physical_interface_mappings = public:PUBLIC_INTERFACE_NAME - Replace ``PUBLIC_INTERFACE_NAME`` with the name of the underlying physical - public network interface. + Replace ``PUBLIC_INTERFACE_NAME`` with the name of the underlying physical + public network interface. -#. In the ``[vxlan]`` section, disable VXLAN overlay networks: + * In the ``[vxlan]`` section, disable VXLAN overlay networks: - .. code-block:: ini + .. code-block:: ini - [vxlan] - enable_vxlan = False + [vxlan] + enable_vxlan = False -#. In the ``[agent]`` section, enable ARP spoofing protection: + * In the ``[agent]`` section, enable ARP spoofing protection: - .. code-block:: ini + .. code-block:: ini - [agent] - ... - prevent_arp_spoofing = True + [agent] + ... + prevent_arp_spoofing = True -#. In the ``[securitygroup]`` section, enable security groups, enable - :term:`ipset`, and configure the Linux bridge :term:`iptables` firewall - driver: + * In the ``[securitygroup]`` section, enable security groups, enable + :term:`ipset`, and configure the Linux bridge :term:`iptables` firewall + driver: - .. code-block:: ini + .. code-block:: ini - [securitygroup] - ... 
- enable_security_group = True - enable_ipset = True - firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver + [securitygroup] + ... + enable_security_group = True + enable_ipset = True + firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver Configure the DHCP agent ------------------------ The :term:`DHCP agent` provides DHCP services for virtual networks. -Edit the ``/etc/neutron/dhcp_agent.ini`` file. +#. Edit the ``/etc/neutron/dhcp_agent.ini`` file and complete the following + actions: -#. In the ``[DEFAULT]`` section, configure the Linux bridge interface driver, - Dnsmasq DHCP driver, and enable isolated metadata so instances on public - networks can access metadata over the network: + * In the ``[DEFAULT]`` section, configure the Linux bridge interface driver, + Dnsmasq DHCP driver, and enable isolated metadata so instances on public + networks can access metadata over the network: - .. code-block:: ini + .. code-block:: ini - [DEFAULT] - ... - interface_driver = neutron.agent.linux.interface.BridgeInterfaceDriver - dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq - enable_isolated_metadata = True + [DEFAULT] + ... + interface_driver = neutron.agent.linux.interface.BridgeInterfaceDriver + dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq + enable_isolated_metadata = True -#. (Optional) To assist with troubleshooting, enable verbose logging in the - ``[DEFAULT]`` section: + * (Optional) To assist with troubleshooting, enable verbose logging in the + ``[DEFAULT]`` section: - .. code-block:: ini + .. code-block:: ini - [DEFAULT] - ... - verbose = True + [DEFAULT] + ... + verbose = True Return to :ref:`Networking controller node configuration diff --git a/doc/install-guide/source/neutron-controller-install-option2.rst b/doc/install-guide/source/neutron-controller-install-option2.rst index a96320844a..955d119e8a 100644 --- a/doc/install-guide/source/neutron-controller-install-option2.rst 
+++ b/doc/install-guide/source/neutron-controller-install-option2.rst @@ -10,7 +10,7 @@ Before you configure networking option 2, you must configure kernel parameters to enable IP forwarding (routing) and disable reverse-path filtering. -#. Edit the :file:`/etc/sysctl.conf` file to contain the following parameters: +#. Edit the ``/etc/sysctl.conf`` file to contain the following parameters: .. code-block:: ini @@ -24,12 +24,12 @@ filtering. # sysctl -p -Install the Networking components ---------------------------------- +Install the components +---------------------- .. only:: ubuntu - .. code:: console + .. code-block:: console # apt-get install neutron-server neutron-plugin-ml2 \ neutron-plugin-linuxbridge-agent neutron-l3-agent neutron-dhcp-agent \ @@ -37,14 +37,14 @@ Install the Networking components .. only:: rdo - .. code:: console + .. code-block:: console # yum install openstack-neutron openstack-neutron-ml2 \ openstack-neutron-linuxbridge python-neutronclient .. only:: obs - .. code:: console + .. code-block:: console # zypper install --no-recommends openstack-neutron \ openstack-neutron-server openstack-neutron-linuxbridge-agent \ @@ -56,7 +56,7 @@ Install the Networking components Install and configure the Networking components ----------------------------------------------- - #. .. code:: console + #. .. code-block:: console # apt-get install neutron-server neutron-plugin-linuxbridge-agent \ neutron-dhcp-agent neutron-metadata-agent 
@@ -77,116 +77,117 @@ Install the Networking components Selecting the ML2 plug-in also populates the ``service_plugins`` and ``allow_overlapping_ips`` options in the - :file:`/etc/neutron/neutron.conf` file with the appropriate values. + ``/etc/neutron/neutron.conf`` file with the appropriate values. .. only:: ubuntu or rdo or obs - Configure the Networking server component - ----------------------------------------- + Configure the server component + ------------------------------ - Edit the ``/etc/neutron/neutron.conf`` file. + #. Edit the ``/etc/neutron/neutron.conf`` file and complete the following + actions: - #. In the ``[database]`` section, configure database access: + * In the ``[database]`` section, configure database access: - .. code:: ini + .. code-block:: ini - [database] - ... - connection = mysql+pymysql://neutron:NEUTRON_DBPASS@controller/neutron + [database] + ... + connection = mysql+pymysql://neutron:NEUTRON_DBPASS@controller/neutron - Replace ``NEUTRON_DBPASS`` with the password you chose for the - database. + Replace ``NEUTRON_DBPASS`` with the password you chose for the + database. - #. In the ``[DEFAULT]`` section, enable the Modular Layer 2 (ML2) - plug-in, router service, and overlapping IP addresses: + * In the ``[DEFAULT]`` section, enable the Modular Layer 2 (ML2) + plug-in, router service, and overlapping IP addresses: - .. code:: ini + .. code-block:: ini - [DEFAULT] - ... - core_plugin = ml2 - service_plugins = router - allow_overlapping_ips = True + [DEFAULT] + ... + core_plugin = ml2 + service_plugins = router + allow_overlapping_ips = True - #. In the ``[DEFAULT]`` and ``[oslo_messaging_rabbit]`` sections, - configure RabbitMQ message queue access: + * In the ``[DEFAULT]`` and ``[oslo_messaging_rabbit]`` sections, + configure RabbitMQ message queue access: - .. code-block:: ini + .. code-block:: ini - [DEFAULT] - ... - rpc_backend = rabbit + [DEFAULT] + ... + rpc_backend = rabbit - [oslo_messaging_rabbit] - ... 
- rabbit_host = controller - rabbit_userid = openstack - rabbit_password = RABBIT_PASS + [oslo_messaging_rabbit] + ... + rabbit_host = controller + rabbit_userid = openstack + rabbit_password = RABBIT_PASS - Replace ``RABBIT_PASS`` with the password you chose for the - ``openstack`` account in RabbitMQ. + Replace ``RABBIT_PASS`` with the password you chose for the + ``openstack`` account in RabbitMQ. - #. In the ``[DEFAULT]`` and ``[keystone_authtoken]`` sections, configure - Identity service access: + * In the ``[DEFAULT]`` and ``[keystone_authtoken]`` sections, configure + Identity service access: - .. code-block:: ini + .. code-block:: ini - [DEFAULT] - ... - auth_strategy = keystone + [DEFAULT] + ... + auth_strategy = keystone - [keystone_authtoken] - ... - auth_uri = http://controller:5000 - auth_url = http://controller:35357 - auth_plugin = password - project_domain_id = default - user_domain_id = default - project_name = service - username = neutron - password = NEUTRON_PASS + [keystone_authtoken] + ... + auth_uri = http://controller:5000 + auth_url = http://controller:35357 + auth_plugin = password + project_domain_id = default + user_domain_id = default + project_name = service + username = neutron + password = NEUTRON_PASS - Replace ``NEUTRON_PASS`` with the password you chose for the ``neutron`` - user in the Identity service. + Replace ``NEUTRON_PASS`` with the password you chose for the ``neutron`` + user in the Identity service. - .. note:: + .. note:: - Comment out or remove any other options in the - ``[keystone_authtoken]`` section. + Comment out or remove any other options in the + ``[keystone_authtoken]`` section. - #. In the ``[DEFAULT]`` and ``[nova]`` sections, configure Networking to - notify Compute of network topology changes: + * In the ``[DEFAULT]`` and ``[nova]`` sections, configure Networking to + notify Compute of network topology changes: - .. code-block:: ini + .. code-block:: ini - [DEFAULT] - ... 
- notify_nova_on_port_status_changes = True - notify_nova_on_port_data_changes = True - nova_url = http://controller:8774/v2 + [DEFAULT] + ... + notify_nova_on_port_status_changes = True + notify_nova_on_port_data_changes = True + nova_url = http://controller:8774/v2 - [nova] - ... - auth_url = http://controller:35357 - auth_plugin = password - project_domain_id = default - user_domain_id = default - region_name = RegionOne - project_name = service - username = nova - password = NOVA_PASS + [nova] + ... + auth_url = http://controller:35357 + auth_plugin = password + project_domain_id = default + user_domain_id = default + region_name = RegionOne + project_name = service + username = nova + password = NOVA_PASS - Replace ``NOVA_PASS`` with the password you chose for the ``nova`` - user in the Identity service. + Replace ``NOVA_PASS`` with the password you chose for the ``nova`` + user in the Identity service. - #. (Optional) To assist with troubleshooting, enable verbose logging in - the ``[DEFAULT]`` section: + * (Optional) To assist with troubleshooting, enable verbose logging in + the ``[DEFAULT]`` section: - .. code:: ini + .. code-block:: ini - [DEFAULT] - ... - verbose = True + [DEFAULT] + ... + verbose = True Configure the Modular Layer 2 (ML2) plug-in ------------------------------------------- 
@@ -194,67 +195,68 @@ Configure the Modular Layer 2 (ML2) plug-in The ML2 plug-in uses the Linux bridge mechanism to build layer-2 (bridging and switching) virtual networking infrastructure for instances. -Edit the ``/etc/neutron/plugins/ml2/ml2_conf.ini`` file. +#. Edit the ``/etc/neutron/plugins/ml2/ml2_conf.ini`` file and complete the + following actions: -#. In the ``[ml2]`` section, enable flat, VLAN, and VXLAN networks: + * In the ``[ml2]`` section, enable flat, VLAN, and VXLAN networks: - .. code:: ini + .. code-block:: ini - [ml2] - ... - type_drivers = flat,vlan,vxlan + [ml2] + ... + type_drivers = flat,vlan,vxlan -#. In the ``[ml2]`` section, enable VXLAN project (private) networks: + * In the ``[ml2]`` section, enable VXLAN project (private) networks: - .. code:: ini + .. code-block:: ini - [ml2] - ... - tenant_network_types = vxlan + [ml2] + ... + tenant_network_types = vxlan -#. In the ``[ml2]`` section, enable the Linux bridge and layer-2 population - mechanisms: + * In the ``[ml2]`` section, enable the Linux bridge and layer-2 population + mechanisms: - .. code:: ini + .. code-block:: ini - [ml2] - ... - mechanism_drivers = linuxbridge,l2population + [ml2] + ... + mechanism_drivers = linuxbridge,l2population - .. warning:: + .. warning:: - After you configure the ML2 plug-in, removing values in the - ``type_drivers`` option can lead to database inconsistency. + After you configure the ML2 plug-in, removing values in the + ``type_drivers`` option can lead to database inconsistency. - .. note:: + .. note:: - The Linux bridge agent only supports VXLAN overlay networks. + The Linux bridge agent only supports VXLAN overlay networks. -#. In the ``[ml2]`` section, enable the port security extension driver: + * In the ``[ml2]`` section, enable the port security extension driver: - .. code:: ini + .. code-block:: ini - [ml2] - ... - extension_drivers = port_security + [ml2] + ... + extension_drivers = port_security -#. 
In the ``[ml2_type_flat]`` section, configure the public flat provider - network: + * In the ``[ml2_type_flat]`` section, configure the public flat provider + network: - .. code-block:: ini + .. code-block:: ini - [ml2_type_flat] - ... - flat_networks = public + [ml2_type_flat] + ... + flat_networks = public -#. In the ``[ml2_type_vxlan]`` section, configure the VXLAN network identifier - range for private networks: + * In the ``[ml2_type_vxlan]`` section, configure the VXLAN network identifier + range for private networks: - .. code:: ini + .. code-block:: ini - [ml2_type_vxlan] - ... - vni_ranges = 1:1000 + [ml2_type_vxlan] + ... + vni_ranges = 1:1000 Configure the Linux bridge agent -------------------------------- 
@@ -263,53 +265,54 @@ The Linux bridge agent builds layer-2 (bridging and switching) virtual networking infrastructure for instances including VXLAN tunnels for private networks and handles security groups. -Edit the ``/etc/neutron/plugins/ml2/linuxbridge_agent.conf`` file. +#. Edit the ``/etc/neutron/plugins/ml2/linuxbridge_agent.conf`` file and + complete the following actions: -#. In the ``[linux_bridge]`` section, map the public virtual network to the - public physical network interface: + * In the ``[linux_bridge]`` section, map the public virtual network to the + public physical network interface: - .. code-block:: ini + .. code-block:: ini - [linux_bridge] - physical_interface_mappings = public:PUBLIC_INTERFACE_NAME + [linux_bridge] + physical_interface_mappings = public:PUBLIC_INTERFACE_NAME - Replace ``PUBLIC_INTERFACE_NAME`` with the name of the underlying physical - public network interface. + Replace ``PUBLIC_INTERFACE_NAME`` with the name of the underlying physical + public network interface. -#. In the ``[vxlan]`` section, enable VXLAN overlay networks, configure the - IP address of the physical network interface that handles overlay - networks, and enable layer-2 population: + * In the ``[vxlan]`` section, enable VXLAN overlay networks, configure the + IP address of the physical network interface that handles overlay + networks, and enable layer-2 population: - .. code-block:: ini + .. code-block:: ini - [vxlan] - enable_vxlan = True - local_ip = OVERLAY_INTERFACE_IP_ADDRESS - l2_population = True + [vxlan] + enable_vxlan = True + local_ip = OVERLAY_INTERFACE_IP_ADDRESS + l2_population = True - Replace ``OVERLAY_INTERFACE_IP_ADDRESS`` with the IP address of the - underlying physical network interface that handles overlay networks. The - example architecture uses the management interface. + Replace ``OVERLAY_INTERFACE_IP_ADDRESS`` with the IP address of the + underlying physical network interface that handles overlay networks. 
The + example architecture uses the management interface. -#. In the ``[agent]`` section, enable ARP spoofing protection: + * In the ``[agent]`` section, enable ARP spoofing protection: - .. code-block:: ini + .. code-block:: ini - [agent] - ... - prevent_arp_spoofing = True + [agent] + ... + prevent_arp_spoofing = True -#. In the ``[securitygroup]`` section, enable security groups, enable - :term:`ipset`, and configure the Linux bridge :term:`iptables` firewall - driver: + * In the ``[securitygroup]`` section, enable security groups, enable + :term:`ipset`, and configure the Linux bridge :term:`iptables` firewall + driver: - .. code-block:: ini + .. code-block:: ini - [securitygroup] - ... - enable_security_group = True - enable_ipset = True - firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver + [securitygroup] + ... + enable_security_group = True + enable_ipset = True + firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver Configure the layer-3 agent --------------------------- 
@@ -317,103 +320,105 @@ Configure the layer-3 agent The :term:`Layer-3 (L3) agent` provides routing and NAT services for virtual networks. -Edit the ``/etc/neutron/l3_agent.ini`` file: +#. Edit the ``/etc/neutron/l3_agent.ini`` file and complete the following + actions: -#. In the ``[DEFAULT]`` section, configure the Linux bridge interface driver - and external network bridge: + * In the ``[DEFAULT]`` section, configure the Linux bridge interface driver + and external network bridge: - .. code-block:: ini + .. code-block:: ini - [DEFAULT] - ... - interface_driver = neutron.agent.linux.interface.BridgeInterfaceDriver - external_network_bridge = + [DEFAULT] + ... + interface_driver = neutron.agent.linux.interface.BridgeInterfaceDriver + external_network_bridge = - .. note:: + .. note:: - The ``external_network_bridge`` option intentionally lacks a value - to enable multiple external networks on a single agent. + The ``external_network_bridge`` option intentionally lacks a value + to enable multiple external networks on a single agent. -#. (Optional) To assist with troubleshooting, enable verbose logging in the - ``[DEFAULT]`` section: + * (Optional) To assist with troubleshooting, enable verbose logging in the + ``[DEFAULT]`` section: - .. code-block:: ini + .. code-block:: ini - [DEFAULT] - ... - verbose = True + [DEFAULT] + ... + verbose = True Configure the DHCP agent ------------------------ The :term:`DHCP agent` provides DHCP services for virtual networks. -Edit the ``/etc/neutron/dhcp_agent.ini`` file. +#. Edit the ``/etc/neutron/dhcp_agent.ini`` file and complete the following + actions: -#. 
In the ``[DEFAULT]`` section, configure the Linux bridge interface driver, - Dnsmasq DHCP driver, and enable isolated metadata so instances on public - networks can access metadata over the network: + * In the ``[DEFAULT]`` section, configure the Linux bridge interface driver, + Dnsmasq DHCP driver, and enable isolated metadata so instances on public + networks can access metadata over the network: - .. code-block:: ini + .. code-block:: ini - [DEFAULT] - ... - interface_driver = neutron.agent.linux.interface.BridgeInterfaceDriver - dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq - enable_isolated_metadata = True + [DEFAULT] + ... + interface_driver = neutron.agent.linux.interface.BridgeInterfaceDriver + dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq + enable_isolated_metadata = True -Overlay networks such as VXLAN include additional packet headers that -increase overhead and decrease space available for the payload or user -data. Without knowledge of the virtual network infrastructure, instances -attempt to send packets using the default Ethernet :term:`maximum -transmission unit (MTU)` of 1500 bytes. :term:`Internet protocol (IP)` -networks contain the :term:`path MTU discovery (PMTUD)` mechanism to detect -end-to-end MTU and adjust packet size accordingly. However, some operating -systems and networks block or otherwise lack support for PMTUD causing -performance degradation or connectivity failure. + * (Optional) To assist with troubleshooting, enable verbose logging in the + ``[DEFAULT]`` section: -Ideally, you can prevent these problems by enabling :term:`jumbo frames -` on the physical network that contains your tenant virtual -networks. Jumbo frames support MTUs up to approximately 9000 bytes which -negates the impact of VXLAN overhead on virtual networks. However, many -network devices lack support for jumbo frames and OpenStack administrators -often lack control over network infrastructure. 
Given the latter -complications, you can also prevent MTU problems by reducing the -instance MTU to account for VXLAN overhead. Determining the proper MTU -value often takes experimentation, but 1450 bytes works in most -environments. You can configure the DHCP server that assigns IP -addresses to your instances to also adjust the MTU. + .. code-block:: ini -.. note:: + [DEFAULT] + ... + verbose = True - Some cloud images ignore the DHCP MTU option in which case you - should configure it using metadata, a script, or other suitable - method. + Overlay networks such as VXLAN include additional packet headers that + increase overhead and decrease space available for the payload or user + data. Without knowledge of the virtual network infrastructure, instances + attempt to send packets using the default Ethernet :term:`maximum + transmission unit (MTU)` of 1500 bytes. :term:`Internet protocol (IP)` + networks contain the :term:`path MTU discovery (PMTUD)` mechanism to detect + end-to-end MTU and adjust packet size accordingly. However, some operating + systems and networks block or otherwise lack support for PMTUD causing + performance degradation or connectivity failure. -#. In the ``[DEFAULT]`` section, enable the :term:`dnsmasq` configuration - file: + Ideally, you can prevent these problems by enabling :term:`jumbo frames + ` on the physical network that contains your tenant virtual + networks. Jumbo frames support MTUs up to approximately 9000 bytes which + negates the impact of VXLAN overhead on virtual networks. However, many + network devices lack support for jumbo frames and OpenStack administrators + often lack control over network infrastructure. Given the latter + complications, you can also prevent MTU problems by reducing the + instance MTU to account for VXLAN overhead. Determining the proper MTU + value often takes experimentation, but 1450 bytes works in most + environments. 
You can configure the DHCP server that assigns IP + addresses to your instances to also adjust the MTU. - .. code-block:: ini + .. note:: - [DEFAULT] - ... - dnsmasq_config_file = /etc/neutron/dnsmasq-neutron.conf + Some cloud images ignore the DHCP MTU option in which case you + should configure it using metadata, a script, or other suitable + method. -#. Create and edit the :file:`/etc/neutron/dnsmasq-neutron.conf` file to - enable the DHCP MTU option (26) and configure it to 1450 bytes: + * In the ``[DEFAULT]`` section, enable the :term:`dnsmasq` configuration + file: - .. code-block:: ini + .. code-block:: ini - dhcp-option-force=26,1450 + [DEFAULT] + ... + dnsmasq_config_file = /etc/neutron/dnsmasq-neutron.conf -#. (Optional) To assist with troubleshooting, enable verbose logging in the - ``[DEFAULT]`` section: + * Create and edit the ``/etc/neutron/dnsmasq-neutron.conf`` file to + enable the DHCP MTU option (26) and configure it to 1450 bytes: - .. code-block:: ini + .. code-block:: ini - [DEFAULT] - ... - verbose = True + dhcp-option-force=26,1450 Return to :ref:`Networking controller node configuration diff --git a/doc/install-guide/source/neutron-controller-install.rst b/doc/install-guide/source/neutron-controller-install.rst index b14bb211d5..d91bccfd38 100644 --- a/doc/install-guide/source/neutron-controller-install.rst +++ b/doc/install-guide/source/neutron-controller-install.rst 
@@ -9,106 +9,133 @@ must create a database, service credentials, and API endpoints. #. To create the database, complete these steps: - a. Use the database access client to connect to the database server as the + * Use the database access client to connect to the database server as the ``root`` user: - .. code:: console + .. code-block:: console - $ mysql -u root -p + $ mysql -u root -p - #. Create the ``neutron`` database: + * Create the ``neutron`` database: - .. code:: console + .. code-block:: console - CREATE DATABASE neutron; + CREATE DATABASE neutron; - #. Grant proper access to the ``neutron`` database, replacing - ``NEUTRON_DBPASS`` with a suitable password: + * Grant proper access to the ``neutron`` database, replacing + ``NEUTRON_DBPASS`` with a suitable password: - .. code:: console + .. code-block:: console - GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'localhost' \ - IDENTIFIED BY 'NEUTRON_DBPASS'; - GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'%' \ - IDENTIFIED BY 'NEUTRON_DBPASS'; + GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'localhost' \ + IDENTIFIED BY 'NEUTRON_DBPASS'; + GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'%' \ + IDENTIFIED BY 'NEUTRON_DBPASS'; - #. Exit the database access client. + * Exit the database access client. #. Source the ``admin`` credentials to gain access to admin-only CLI commands: - .. code:: console + .. code-block:: console $ source admin-openrc.sh #. To create the service credentials, complete these steps: - a. Create the ``neutron`` user: + * Create the ``neutron`` user: - .. code:: console + .. 
code-block:: console - $ openstack user create --password-prompt neutron - User Password: - Repeat User Password: - +----------+----------------------------------+ - | Field | Value | - +----------+----------------------------------+ - | email | None | - | enabled | True | - | id | ab67f043d9304017aaa73d692eeb4945 | - | name | neutron | - | username | neutron | - +----------+----------------------------------+ + $ openstack user create --domain default --password-prompt neutron + User Password: + Repeat User Password: + +-----------+----------------------------------+ + | Field | Value | + +-----------+----------------------------------+ + | domain_id | default | + | enabled | True | + | id | b20a6692f77b4258926881bf831eb683 | + | name | neutron | + +-----------+----------------------------------+ - #. Add the ``admin`` role to the ``neutron`` user: - .. code:: console + * Add the ``admin`` role to the ``neutron`` user: - $ openstack role add --project service --user neutron admin - +-------+----------------------------------+ - | Field | Value | - +-------+----------------------------------+ - | id | cd2cb9a39e874ea69e5d4b896eb16128 | - | name | admin | - +-------+----------------------------------+ + .. code-block:: console - #. Create the ``neutron`` service entity: + $ openstack role add --project service --user neutron admin - .. code:: console + .. note:: - $ openstack service create --name neutron \ - --description "OpenStack Networking" network - +-------------+----------------------------------+ - | Field | Value | - +-------------+----------------------------------+ - | description | OpenStack Networking | - | enabled | True | - | id | f71529314dab4a4d8eca427e701d209e | - | name | neutron | - | type | network | - +-------------+----------------------------------+ + This command provides no output. + + * Create the ``neutron`` service entity: + + .. 
code-block:: console + + $ openstack service create --name neutron \ + --description "OpenStack Networking" network + +-------------+----------------------------------+ + | Field | Value | + +-------------+----------------------------------+ + | description | OpenStack Networking | + | enabled | True | + | id | f71529314dab4a4d8eca427e701d209e | + | name | neutron | + | type | network | + +-------------+----------------------------------+ #. Create the Networking service API endpoints: - .. code:: console + .. code-block:: console - $ openstack endpoint create \ - --publicurl http://controller:9696 \ - --adminurl http://controller:9696 \ - --internalurl http://controller:9696 \ - --region RegionOne \ - network + $ openstack endpoint create --region RegionOne \ + network public http://controller:9696 +--------------+----------------------------------+ | Field | Value | +--------------+----------------------------------+ - | adminurl | http://controller:9696 | - | id | 04a7d3c1de784099aaba83a8a74100b3 | - | internalurl | http://controller:9696 | - | publicurl | http://controller:9696 | + | enabled | True | + | id | 85d80a6d02fc4b7683f611d7fc1493a3 | + | interface | public | | region | RegionOne | + | region_id | RegionOne | | service_id | f71529314dab4a4d8eca427e701d209e | | service_name | neutron | | service_type | network | + | url | http://controller:9696 | + +--------------+----------------------------------+ + + $ openstack endpoint create --region RegionOne \ + network internal http://controller:9696 + +--------------+----------------------------------+ + | Field | Value | + +--------------+----------------------------------+ + | enabled | True | + | id | 09753b537ac74422a68d2d791cf3714f | + | interface | internal | + | region | RegionOne | + | region_id | RegionOne | + | service_id | f71529314dab4a4d8eca427e701d209e | + | service_name | neutron | + | service_type | network | + | url | http://controller:9696 | + 
+--------------+----------------------------------+ + + $ openstack endpoint create --region RegionOne \ + network admin http://controller:9696 + +--------------+----------------------------------+ + | Field | Value | + +--------------+----------------------------------+ + | enabled | True | + | id | 1ee14289c9374dffb5db92a5c112fc4e | + | interface | admin | + | region | RegionOne | + | region_id | RegionOne | + | service_id | f71529314dab4a4d8eca427e701d209e | + | service_name | neutron | + | service_type | network | + | url | http://controller:9696 | +--------------+----------------------------------+ Configure networking options 
@@ -137,99 +164,86 @@ Configure the metadata agent The :term:`metadata agent ` provides configuration information such as credentials to instances. -Edit the ``/etc/neutron/metadata_agent.ini`` file. +#. Edit the ``/etc/neutron/metadata_agent.ini`` file and complete the following + actions: -#. In the ``[DEFAULT]`` section, configure access parameters: + * In the ``[DEFAULT]`` section, configure access parameters: - .. code-block:: ini + .. code-block:: ini - [DEFAULT] - ... - auth_uri = http://controller:5000 - auth_url = http://controller:35357 - auth_region = RegionOne - auth_plugin = password - project_domain_id = default - user_domain_id = default - project_name = service - username = neutron - password = NEUTRON_PASS + [DEFAULT] + ... + auth_uri = http://controller:5000 + auth_url = http://controller:35357 + auth_region = RegionOne + auth_plugin = password + project_domain_id = default + user_domain_id = default + project_name = service + username = neutron + password = NEUTRON_PASS - Replace ``NEUTRON_PASS`` with the password you chose for the ``neutron`` - user in the Identity service. + Replace ``NEUTRON_PASS`` with the password you chose for the ``neutron`` + user in the Identity service. -#. In the ``[DEFAULT]`` section, configure the metadata host: + * In the ``[DEFAULT]`` section, configure the metadata host: - .. code-block:: ini + .. code-block:: ini - [DEFAULT] - ... - nova_metadata_ip = controller + [DEFAULT] + ... + nova_metadata_ip = controller -#. In the ``[DEFAULT]`` section, configure the metadata proxy shared - secret: + * In the ``[DEFAULT]`` section, configure the metadata proxy shared + secret: - .. code-block:: ini + .. code-block:: ini - [DEFAULT] - ... - metadata_proxy_shared_secret = METADATA_SECRET + [DEFAULT] + ... + metadata_proxy_shared_secret = METADATA_SECRET - Replace ``METADATA_SECRET`` with a suitable secret for the metadata proxy. + Replace ``METADATA_SECRET`` with a suitable secret for the metadata proxy. -#. 
(Optional) To assist with troubleshooting, enable verbose logging in the - ``[DEFAULT]`` section: + * (Optional) To assist with troubleshooting, enable verbose logging in the + ``[DEFAULT]`` section: - .. code-block:: ini + .. code-block:: ini - [DEFAULT] - ... - verbose = True + [DEFAULT] + ... + verbose = True Configure Compute to use Networking ----------------------------------- -Edit the ``/etc/nova/nova.conf`` file: +#. Edit the ``/etc/nova/nova.conf`` file and perform the following actions: -#. In the ``[DEFAULT]`` section, configure Compute to use the Networking - service: + * In the ``[neutron]`` section, configure access parameters, enable the + metadata proxy, and configure the secret: - .. code-block:: ini + .. code-block:: ini - [DEFAULT] - network_api_class = nova.network.neutronv2.api.API - security_group_api = neutron - linuxnet_interface_driver = nova.network.linux_net.NeutronLinuxBridgeInterfaceDriver - firewall_driver = nova.virt.firewall.NoopFirewallDriver + [neutron] + ... + url = http://controller:9696 + auth_url = http://controller:35357 + auth_plugin = password + project_domain_id = default + user_domain_id = default + region_name = RegionOne + project_name = service + username = neutron + password = NEUTRON_PASS - .. note:: + service_metadata_proxy = True + metadata_proxy_shared_secret = METADATA_SECRET - The ``firewall_driver`` option uses the ``NoopFirewallDriver`` value - because Compute delegates security group (firewall) operation to the - Networking service. + Replace ``NEUTRON_PASS`` with the password you chose for the ``neutron`` + user in the Identity service. -#. In the ``[neutron]`` section, configure access parameters, enable the - metadata proxy, and configure the secret: - - .. code-block:: ini - - [neutron] - ... 
- url = http://controller:9696 - auth_strategy = keystone - admin_auth_url = http://controller:35357/v2.0 - admin_tenant_name = service - admin_username = neutron - admin_password = NEUTRON_PASS - - service_metadata_proxy = True - metadata_proxy_shared_secret = METADATA_SECRET - - Replace ``NEUTRON_PASS`` with the password you chose for the ``neutron`` - user in the Identity service. - - Replace ``METADATA_SECRET`` with the secret you chose for the metadata - proxy. + Replace ``METADATA_SECRET`` with the secret you chose for the metadata + proxy. Finalize installation --------------------- @@ -237,11 +251,11 @@ Finalize installation .. only:: rdo #. The Networking service initialization scripts expect a symbolic link - :file:`/etc/neutron/plugin.ini` pointing to the ML2 plug-in configuration - file, :file:`/etc/neutron/plugins/ml2/ml2_conf.ini`. If this symbolic + ``/etc/neutron/plugin.ini`` pointing to the ML2 plug-in configuration + file, ``/etc/neutron/plugins/ml2/ml2_conf.ini``. If this symbolic link does not exist, create it using the following command: - .. code:: console + .. code-block:: console # ln -s /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini @@ -264,7 +278,7 @@ Finalize installation #. Populate the database: - .. code:: console + .. code-block:: console # su -s /bin/sh -c "neutron-db-manage --config-file /etc/neutron/neutron.conf \ --config-file /etc/neutron/plugins/ml2/ml2_conf.ini upgrade head" neutron @@ -276,7 +290,7 @@ Finalize installation #. Restart the Compute services: - .. code:: console + .. code-block:: console # systemctl restart openstack-nova-api.service openstack-nova-scheduler.service \ openstack-nova-conductor.service @@ -286,7 +300,7 @@ Finalize installation For both networking options: - .. code:: console + .. code-block:: console # systemctl enable neutron-server.service \ neutron-linuxbridge-agent.service neutron-dhcp-agent.service \ 
@@ -297,7 +311,7 @@ Finalize installation For networking option 2, also enable and start the layer-3 service: - .. code:: console + .. code-block:: console # systemctl enable neutron-l3-agent.service # systemctl start neutron-l3-agent.service @@ -305,17 +319,17 @@ Finalize installation .. only:: obs #. The Networking service initialization scripts expect the variable - ``NEUTRON_PLUGIN_CONF`` in the :file:`/etc/sysconfig/neutron` file to + ``NEUTRON_PLUGIN_CONF`` in the ``/etc/sysconfig/neutron`` file to reference the ML2 plug-in configuration file. Edit the - :file:`/etc/sysconfig/neutron` file and add the following: + ``/etc/sysconfig/neutron`` file and add the following: - .. code:: console + .. code-block:: console NEUTRON_PLUGIN_CONF="/etc/neutron/plugins/ml2/ml2_conf.ini" #. Restart the Compute services: - .. code:: console + .. code-block:: console # systemctl restart openstack-nova-api.service openstack-nova-scheduler.service \ openstack-nova-conductor.service @@ -325,7 +339,7 @@ Finalize installation For both networking options: - .. code:: console + .. code-block:: console # systemctl enable openstack-neutron.service \ openstack-neutron-linuxbridge.service \ @@ -338,7 +352,7 @@ Finalize installation For networking option 2, also enable and start the layer-3 service: - .. code:: console + .. code-block:: console # systemctl enable openstack-neutron-l3-agent.service # systemctl start openstack-neutron-l3-agent.service @@ -350,7 +364,7 @@ Finalize installation agent configuration file. Run the following commands to resolve this issue: - .. code:: console + .. code-block:: console # cp /etc/init/neutron-plugin-linuxbridge-agent.conf \ /etc/init/neutron-plugin-linuxbridge-agent.conf.orig @@ -359,7 +373,7 @@ Finalize installation #. Populate the database: - .. code:: console + .. code-block:: console # su -s /bin/sh -c "neutron-db-manage --config-file /etc/neutron/neutron.conf \ --config-file /etc/neutron/plugins/ml2/ml2_conf.ini upgrade head" neutron 
@@ -371,7 +385,7 @@ Finalize installation #. Restart the nova-api service: - .. code:: console + .. code-block:: console # service nova-api restart @@ -379,7 +393,7 @@ Finalize installation For both networking options: - .. code:: console + .. code-block:: console # service neutron-server restart # service neutron-plugin-linuxbridge-agent restart @@ -388,6 +402,6 @@ Finalize installation For networking option 2, also restart the layer-3 service: - .. code:: console + .. code-block:: console # service neutron-l3-agent restart diff --git a/doc/install-guide/source/neutron-verify.rst b/doc/install-guide/source/neutron-verify.rst index 69e2662387..36e7959072 100644 --- a/doc/install-guide/source/neutron-verify.rst +++ b/doc/install-guide/source/neutron-verify.rst @@ -4,14 +4,14 @@ Verify operation #. Source the ``admin`` credentials to gain access to admin-only CLI commands: - .. code:: console + .. code-block:: console $ source admin-openrc.sh #. List loaded extensions to verify successful launch of the ``neutron-server`` process: - .. code:: console + .. code-block:: console $ neutron ext-list +-----------------------+-----------------------------------------------+
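Review bot: In the ``@@ -194,67 +195,68 @@`` hunk (ML2 plug-in), the ``.. warning::`` about removing values from ``type_drivers`` stays attached to the ``mechanism_drivers`` bullet, two bullets below the ``type_drivers = flat,vlan,vxlan`` example it refers to. Since the whole block is being re-indented anyway, move the warning under the ``type_drivers`` bullet so the reader sees it next to the option it protects.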
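Review bot: The rewritten first step of the ``@@ -263,53 +265,54 @@`` hunk still points the reader at ``/etc/neutron/plugins/ml2/linuxbridge_agent.conf``, while the other plug-in and agent files in this patch (``ml2_conf.ini``, ``l3_agent.ini``, ``dhcp_agent.ini``, ``metadata_agent.ini``) all end in ``.ini``; please confirm the packaged file name while this line is being touched. In the same hunk the ``[linux_bridge]`` and ``[vxlan]`` examples have no ``...`` line but ``[agent]`` and ``[securitygroup]`` do, so it is unclear whether the first two sections are meant to contain only the options shown.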
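Review bot: In the DHCP agent part of the ``@@ -317,103 +320,105 @@`` hunk, the optional ``verbose = True`` bullet moves from the end of the section to directly after ``enable_isolated_metadata = True``, so the MTU explanation ("Overlay networks such as VXLAN ...") and the note about cloud images now follow the optional logging bullet instead of leading into the ``dnsmasq_config_file`` and ``dhcp-option-force=26,1450`` bullets they explain. Keep the optional bullet last, as the layer-3 agent section of this same hunk does, and check the rendered page to make sure the MTU paragraphs are not indented into the logging bullet.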
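Review bot: In the ``@@ -9,106 +9,133 @@`` hunk of ``neutron-controller-install.rst``, the database sub-steps (connect as ``root``, ``CREATE DATABASE neutron;``, the two ``GRANT`` statements, exit the client) and the service-credential sub-steps change from an enumerated ``a.`` / ``#.`` list to ``*`` bullets, which drops the ordering for actions that have to run in sequence. Bullets suit the configuration-file edits elsewhere in the patch, where order does not matter, but these two lists should stay enumerated. The ``CREATE DATABASE`` and ``GRANT`` examples also remain in ``console`` blocks without a prompt, so they read as shell input rather than statements typed into the database client.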
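Review bot: The ``/etc/nova/nova.conf`` part of the ``@@ -137,99 +164,86 @@`` hunk deletes the whole ``[DEFAULT]`` step (``network_api_class``, ``security_group_api = neutron``, ``linuxnet_interface_driver``, ``firewall_driver = nova.virt.firewall.NoopFirewallDriver``) together with the note explaining that Compute delegates security group operation to the Networking service, and nothing in the hunk replaces it. If these options are now set in another file of the guide, say so in the commit message or add a cross-reference here; otherwise a reader following this page alone is never told which service enforces security groups. Smaller point: this step says "perform the following actions" while the other converted steps say "complete the following actions".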
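Review bot: In the ``@@ -305,17 +319,17 @@`` hunk, the ``NEUTRON_PLUGIN_CONF="/etc/neutron/plugins/ml2/ml2_conf.ini"`` line is content to add to ``/etc/sysconfig/neutron``, not a command, yet its directive is converted to ``.. code-block:: console`` like the ``systemctl`` examples around it. Use a lexer meant for file content, such as the ``ini`` used for the other configuration files in this patch, so the reader does not take the line for something to type at a prompt.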