[install] Liberty updates for neutron

Update neutron configuration for Liberty and address some
consistency issues.

Changes and testing specific to distribution packages
primarily involve Ubuntu. Other distributions may require
additional patches.

Change-Id: I81b1adef8b0455e4415b1dee0f3b91cbe5f600fa
Closes-Bug: 1502760
Implements: blueprint installguide-liberty
This commit is contained in:
Matthew Kassawara 2015-09-23 18:28:59 -05:00 committed by Tom Fifield
parent 0ca1bd741e
commit 88088445ab
7 changed files with 696 additions and 669 deletions

View File

@ -1,7 +1,7 @@
Networking Option 1: Provider networks Networking Option 1: Provider networks
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Install and configure the Networking components on a *compute* node. Configure the Networking components on a *compute* node.
Configure the Linux bridge agent Configure the Linux bridge agent
-------------------------------- --------------------------------
@ -10,37 +10,46 @@ The Linux bridge agent builds layer-2 (bridging and switching) virtual
networking infrastructure for instances including VXLAN tunnels for private networking infrastructure for instances including VXLAN tunnels for private
networks and handles security groups. networks and handles security groups.
Edit the ``/etc/neutron/plugins/ml2/linuxbridge_agent.conf`` file. #. Edit the ``/etc/neutron/plugins/ml2/linuxbridge_agent.conf`` file and
complete the following actions:
#. In the ``[linux_bridge]`` section, map the public virtual network to the * In the ``[linux_bridge]`` section, map the public virtual network to the
public physical network interface: public physical network interface:
.. code-block:: ini .. code-block:: ini
[linux_bridge] [linux_bridge]
physical_interface_mappings = public:PUBLIC_INTERFACE_NAME physical_interface_mappings = public:PUBLIC_INTERFACE_NAME
Replace ``PUBLIC_INTERFACE_NAME`` with the name of the underlying physical Replace ``PUBLIC_INTERFACE_NAME`` with the name of the underlying physical
public network interface. public network interface.
#. In the ``[vxlan]`` section, disable VXLAN overlay networks: * In the ``[vxlan]`` section, disable VXLAN overlay networks:
.. code-block:: ini .. code-block:: ini
[vxlan] [vxlan]
enable_vxlan = False enable_vxlan = False
#. In the ``[securitygroup]`` section, enable security groups, enable * In the ``[agent]`` section, enable ARP spoofing protection:
:term:`ipset`, and configure the Linux bridge :term:`iptables` firewall
driver:
.. code-block:: ini .. code-block:: ini
[securitygroup] [agent]
... ...
enable_security_group = True prevent_arp_spoofing = True
enable_ipset = True
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver * In the ``[securitygroup]`` section, enable security groups, enable
:term:`ipset`, and configure the Linux bridge :term:`iptables` firewall
driver:
.. code-block:: ini
[securitygroup]
...
enable_security_group = True
enable_ipset = True
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
Return to Return to
:ref:`Networking compute node configuration <neutron-compute-compute>`. :ref:`Networking compute node configuration <neutron-compute-compute>`.
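Review bot: The ``[linux_bridge]`` and ``[vxlan]`` examples in this hunk have no ``...`` line under the section header, while the ``[agent]`` and ``[securitygroup]`` examples directly below them do. Since the commit is about consistency, either add the ``...`` placeholder to all four blocks or drop it from all of them, so readers do not infer that the first two sections must contain only the option shown.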

View File

@ -1,7 +1,7 @@
Networking Option 2: Self-service networks Networking Option 2: Self-service networks
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Install and configure the Networking components on a *compute* node. Configure the Networking components on a *compute* node.
Configure the Linux bridge agent Configure the Linux bridge agent
-------------------------------- --------------------------------
@ -10,45 +10,54 @@ The Linux bridge agent builds layer-2 (bridging and switching) virtual
networking infrastructure for instances including VXLAN tunnels for private networking infrastructure for instances including VXLAN tunnels for private
networks and handles security groups. networks and handles security groups.
Edit the ``/etc/neutron/plugins/ml2/linuxbridge_agent.conf`` file. #. Edit the ``/etc/neutron/plugins/ml2/linuxbridge_agent.conf`` file and
complete the following actions:
#. In the ``[linux_bridge]`` section, map the public virtual network to the * In the ``[linux_bridge]`` section, map the public virtual network to the
public physical network interface: public physical network interface:
.. code-block:: ini .. code-block:: ini
[linux_bridge] [linux_bridge]
physical_interface_mappings = public:PUBLIC_INTERFACE_NAME physical_interface_mappings = public:PUBLIC_INTERFACE_NAME
Replace ``PUBLIC_INTERFACE_NAME`` with the name of the underlying physical Replace ``PUBLIC_INTERFACE_NAME`` with the name of the underlying physical
public network interface. public network interface.
#. In the ``[vxlan]`` section, enable VXLAN overlay networks, configure the * In the ``[vxlan]`` section, enable VXLAN overlay networks, configure the
IP address of the physical network interface that handles overlay IP address of the physical network interface that handles overlay
networks, and enable layer-2 population: networks, and enable layer-2 population:
.. code-block:: ini .. code-block:: ini
[vxlan] [vxlan]
enable_vxlan = True enable_vxlan = True
local_ip = OVERLAY_INTERFACE_IP_ADDRESS local_ip = OVERLAY_INTERFACE_IP_ADDRESS
l2_population = True l2_population = True
Replace ``OVERLAY_INTERFACE_IP_ADDRESS`` with the IP address of the Replace ``OVERLAY_INTERFACE_IP_ADDRESS`` with the IP address of the
underlying physical network interface that handles overlay networks. The underlying physical network interface that handles overlay networks. The
example architecture uses the management interface. example architecture uses the management interface.
#. In the ``[securitygroup]`` section, enable security groups, enable * In the ``[agent]`` section, enable ARP spoofing protection:
:term:`ipset`, and configure the Linux bridge :term:`iptables` firewall
driver:
.. code-block:: ini .. code-block:: ini
[securitygroup] [agent]
... ...
enable_security_group = True prevent_arp_spoofing = True
enable_ipset = True
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver * In the ``[securitygroup]`` section, enable security groups, enable
:term:`ipset`, and configure the Linux bridge :term:`iptables` firewall
driver:
.. code-block:: ini
[securitygroup]
...
enable_security_group = True
enable_ipset = True
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
Return to Return to
:ref:`Networking compute node configuration <neutron-compute-compute>`. :ref:`Networking compute node configuration <neutron-compute-compute>`.
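Review bot: The new ``[agent]`` bullet introduces ``prevent_arp_spoofing = True`` with no sentence on what the option does, unlike the ``[vxlan]`` bullet above it, which explains ``local_ip``. Suggest adding one line after the code block that states what the agent enforces when the option is enabled, so an operator who later turns it off knows what protection is being removed.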

View File

@ -10,7 +10,7 @@ Prerequisites
Before you install and configure OpenStack Networking, you must Before you install and configure OpenStack Networking, you must
kernel networking parameters to disable reverse-path filtering: kernel networking parameters to disable reverse-path filtering:
#. Edit the :file:`/etc/sysctl.conf` file to contain the following parameters: #. Edit the ``/etc/sysctl.conf`` file to contain the following parameters:
.. code-block:: ini .. code-block:: ini
@ -25,8 +25,8 @@ kernel networking parameters to disable reverse-path filtering:
.. only:: ubuntu or rdo or obs .. only:: ubuntu or rdo or obs
Install the Networking components Install the components
--------------------------------- ----------------------
.. only:: ubuntu .. only:: ubuntu
@ -67,77 +67,78 @@ Install the Networking components
Selecting the ML2 plug-in also populates the ``service_plugins`` and Selecting the ML2 plug-in also populates the ``service_plugins`` and
``allow_overlapping_ips`` options in the ``allow_overlapping_ips`` options in the
:file:`/etc/neutron/neutron.conf` file with the appropriate values. ``/etc/neutron/neutron.conf`` file with the appropriate values.
.. only:: ubuntu or rdo or obs .. only:: ubuntu or rdo or obs
To configure the Networking common components Configure the common component
--------------------------------------------- ------------------------------
The Networking common component configuration includes the The Networking common component configuration includes the
authentication mechanism, message queue, and plug-in. authentication mechanism, message queue, and plug-in.
.. include:: shared/note_configuration_vary_by_distribution.rst .. include:: shared/note_configuration_vary_by_distribution.rst
Edit the ``/etc/neutron/neutron.conf`` file. #. Edit the ``/etc/neutron/neutron.conf`` file and complete the following
actions:
#. In the ``[database]`` section, comment out any ``connection`` options * In the ``[database]`` section, comment out any ``connection`` options
because compute nodes do not directly access the database. because compute nodes do not directly access the database.
#. In the ``[DEFAULT]`` and ``[oslo_messaging_rabbit]`` sections, configure * In the ``[DEFAULT]`` and ``[oslo_messaging_rabbit]`` sections, configure
RabbitMQ message queue access: RabbitMQ message queue access:
.. code-block:: ini .. code-block:: ini
[DEFAULT] [DEFAULT]
... ...
rpc_backend = rabbit rpc_backend = rabbit
[oslo_messaging_rabbit] [oslo_messaging_rabbit]
... ...
rabbit_host = controller rabbit_host = controller
rabbit_userid = openstack rabbit_userid = openstack
rabbit_password = RABBIT_PASS rabbit_password = RABBIT_PASS
Replace ``RABBIT_PASS`` with the password you chose for the ``openstack`` Replace ``RABBIT_PASS`` with the password you chose for the ``openstack``
account in RabbitMQ. account in RabbitMQ.
#. In the ``[DEFAULT]`` and ``[keystone_authtoken]`` sections, configure * In the ``[DEFAULT]`` and ``[keystone_authtoken]`` sections, configure
Identity service access: Identity service access:
.. code-block:: ini .. code-block:: ini
[DEFAULT] [DEFAULT]
... ...
auth_strategy = keystone auth_strategy = keystone
[keystone_authtoken] [keystone_authtoken]
... ...
auth_uri = http://controller:5000 auth_uri = http://controller:5000
auth_url = http://controller:35357 auth_url = http://controller:35357
auth_plugin = password auth_plugin = password
project_domain_id = default project_domain_id = default
user_domain_id = default user_domain_id = default
project_name = service project_name = service
username = neutron username = neutron
password = NEUTRON_PASS password = NEUTRON_PASS
Replace ``NEUTRON_PASS`` with the password you chose for the ``neutron`` Replace ``NEUTRON_PASS`` with the password you chose for the ``neutron``
user in the Identity service. user in the Identity service.
.. note:: .. note::
Comment out or remove any other options in the Comment out or remove any other options in the
``[keystone_authtoken]`` section. ``[keystone_authtoken]`` section.
#. (Optional) To assist with troubleshooting, enable verbose logging in the * (Optional) To assist with troubleshooting, enable verbose logging in the
``[DEFAULT]`` section: ``[DEFAULT]`` section:
.. code-block:: ini .. code-block:: ini
[DEFAULT] [DEFAULT]
... ...
verbose = True verbose = True
Configure networking options Configure networking options
---------------------------- ----------------------------
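Review bot: The reindented ``[keystone_authtoken]`` example keeps ``auth_uri = http://controller:5000`` and ``auth_url = http://controller:35357`` together with ``auth_plugin = password``, so the ``neutron`` service password travels to the Identity service over plain HTTP. While this block is being touched, consider extending the existing ``.. note::`` to say that deployments with TLS-enabled Identity endpoints should use ``https://`` URLs for both options.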
@ -162,41 +163,26 @@ configure services specific to it.
Configure Compute to use Networking Configure Compute to use Networking
----------------------------------- -----------------------------------
Edit the ``/etc/nova/nova.conf`` file. #. Edit the ``/etc/nova/nova.conf`` file and complete the following actions:
#. In the ``[DEFAULT]`` section, configure Compute to use the Networking * In the ``[neutron]`` section, configure access parameters:
service:
.. code-block:: ini .. code-block:: ini
[DEFAULT] [neutron]
... ...
network_api_class = nova.network.neutronv2.api.API url = http://controller:9696
security_group_api = neutron auth_url = http://controller:35357
linuxnet_interface_driver = nova.network.linux_net.LinuxOVSInterfaceDriver auth_plugin = password
firewall_driver = nova.virt.firewall.NoopFirewallDriver project_domain_id = default
user_domain_id = default
region_name = RegionOne
project_name = service
username = neutron
password = NEUTRON_PASS
.. note:: Replace ``NEUTRON_PASS`` with the password you chose for the ``neutron``
user in the Identity service.
The ``firewall_driver`` option uses the ``NoopFirewallDriver`` value
because Compute delegates security group (firewall) operation to the
Networking service.
#. In the ``[neutron]`` section, configure access parameters:
.. code-block:: ini
[neutron]
...
url = http://controller:9696
auth_strategy = keystone
admin_auth_url = http://controller:35357/v2.0
admin_tenant_name = service
admin_username = neutron
admin_password = NEUTRON_PASS
Replace ``NEUTRON_PASS`` with the password you chose for the ``neutron``
user in the Identity service.
Finalize installation Finalize installation
--------------------- ---------------------
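Review bot: The old ``[DEFAULT]`` step is deleted outright, taking ``security_group_api = neutron``, ``firewall_driver = nova.virt.firewall.NoopFirewallDriver`` and the note about Compute delegating security group operation to Networking with it, and neither this hunk nor the commit message says where those options are set now. Please confirm they are configured elsewhere in the guide or are no longer needed, and record that in the commit message, because these options decide which service enforces security groups. The same message should mention that the ``[neutron]`` block moves from the ``admin_*`` options to the ``auth_plugin`` style and that ``/v2.0`` is dropped from the URL.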
@ -204,8 +190,8 @@ Finalize installation
.. only:: rdo .. only:: rdo
#. The Networking service initialization scripts expect a symbolic link #. The Networking service initialization scripts expect a symbolic link
:file:`/etc/neutron/plugin.ini` pointing to the ML2 plug-in configuration ``/etc/neutron/plugin.ini`` pointing to the ML2 plug-in configuration
file, :file:`/etc/neutron/plugins/ml2/ml2_conf.ini`. If this symbolic file, ``/etc/neutron/plugins/ml2/ml2_conf.ini``. If this symbolic
link does not exist, create it using the following command: link does not exist, create it using the following command:
.. code-block:: console .. code-block:: console
@ -246,9 +232,9 @@ Finalize installation
.. only:: obs .. only:: obs
#. The Networking service initialization scripts expect the variable #. The Networking service initialization scripts expect the variable
``NEUTRON_PLUGIN_CONF`` in the :file:`/etc/sysconfig/neutron` file to ``NEUTRON_PLUGIN_CONF`` in the ``/etc/sysconfig/neutron`` file to
reference the ML2 plug-in configuration file. Edit the reference the ML2 plug-in configuration file. Edit the
:file:`/etc/sysconfig/neutron` file and add the following: ``/etc/sysconfig/neutron`` file and add the following:
.. code-block:: ini .. code-block:: ini
@ -281,7 +267,7 @@ Finalize installation
agent configuration file. Run the following commands to resolve this agent configuration file. Run the following commands to resolve this
issue: issue:
.. code:: console .. code-block:: console
# cp /etc/init/neutron-plugin-linuxbridge-agent.conf \ # cp /etc/init/neutron-plugin-linuxbridge-agent.conf \
/etc/init/neutron-plugin-linuxbridge-agent.conf.orig /etc/init/neutron-plugin-linuxbridge-agent.conf.orig

View File

@ -9,7 +9,7 @@ Prerequisites
Before you configure networking option 1, you must configure kernel Before you configure networking option 1, you must configure kernel
parameters to disable reverse-path filtering. parameters to disable reverse-path filtering.
#. Edit the :file:`/etc/sysctl.conf` file to contain the following parameters: #. Edit the ``/etc/sysctl.conf`` file to contain the following parameters:
.. code-block:: ini .. code-block:: ini
@ -22,12 +22,12 @@ parameters to disable reverse-path filtering.
# sysctl -p # sysctl -p
Install the networking components Install the components
--------------------------------- ----------------------
.. only:: ubuntu .. only:: ubuntu
.. code:: console .. code-block:: console
# apt-get install neutron-server neutron-plugin-ml2 \ # apt-get install neutron-server neutron-plugin-ml2 \
neutron-plugin-linuxbridge-agent neutron-dhcp-agent \ neutron-plugin-linuxbridge-agent neutron-dhcp-agent \
@ -35,14 +35,14 @@ Install the networking components
.. only:: rdo .. only:: rdo
.. code:: console .. code-block:: console
# yum install openstack-neutron openstack-neutron-ml2 \ # yum install openstack-neutron openstack-neutron-ml2 \
openstack-neutron-linuxbridge python-neutronclient openstack-neutron-linuxbridge python-neutronclient
.. only:: obs .. only:: obs
.. code:: console .. code-block:: console
# zypper install --no-recommends openstack-neutron \ # zypper install --no-recommends openstack-neutron \
openstack-neutron-server openstack-neutron-linuxbridge-agent \ openstack-neutron-server openstack-neutron-linuxbridge-agent \
@ -54,7 +54,7 @@ Install the networking components
Install and configure the networking components Install and configure the networking components
----------------------------------------------- -----------------------------------------------
#. .. code:: console #. .. code-block:: console
# apt-get install neutron-server neutron-plugin-linuxbridge-agent \ # apt-get install neutron-server neutron-plugin-linuxbridge-agent \
neutron-dhcp-agent neutron-metadata-agent neutron-dhcp-agent neutron-metadata-agent
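Review bot: The context heading "Install and configure the networking components" at the top of this hunk is left untouched, while the same commit shortens its sibling headings in this file to "Install the components" and "Configure the server component". It also spells "networking" in lower case here, whereas the option 2 file uses "Networking" for the same heading. Suggest bringing this heading in line in the same change, since the commit already edits the line directly below it.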
@ -75,12 +75,12 @@ Install the networking components
Selecting the ML2 plug-in also populates the ``service_plugins`` and Selecting the ML2 plug-in also populates the ``service_plugins`` and
``allow_overlapping_ips`` options in the ``allow_overlapping_ips`` options in the
:file:`/etc/neutron/neutron.conf` file with the appropriate values. ``/etc/neutron/neutron.conf`` file with the appropriate values.
.. only:: ubuntu or rdo or obs .. only:: ubuntu or rdo or obs
Configure the Networking server component Configure the server component
----------------------------------------- ------------------------------
The Networking server component configuration includes the database, The Networking server component configuration includes the database,
authentication mechanism, message queue, topology change notifications, authentication mechanism, message queue, topology change notifications,
@ -88,108 +88,109 @@ Install the networking components
.. include:: shared/note_configuration_vary_by_distribution.rst .. include:: shared/note_configuration_vary_by_distribution.rst
Edit the ``/etc/neutron/neutron.conf`` file. #. Edit the ``/etc/neutron/neutron.conf`` file and complete the following
actions:
#. In the ``[database]`` section, configure database access: * In the ``[database]`` section, configure database access:
.. code:: ini .. code-block:: ini
[database] [database]
... ...
connection = mysql+pymysql://neutron:NEUTRON_DBPASS@controller/neutron connection = mysql+pymysql://neutron:NEUTRON_DBPASS@controller/neutron
Replace ``NEUTRON_DBPASS`` with the password you chose for the Replace ``NEUTRON_DBPASS`` with the password you chose for the
database. database.
#. In the ``[DEFAULT]`` section, enable the Modular Layer 2 (ML2) * In the ``[DEFAULT]`` section, enable the Modular Layer 2 (ML2)
plug-in and disable additional plug-ins: plug-in and disable additional plug-ins:
.. code:: ini .. code-block:: ini
[DEFAULT] [DEFAULT]
... ...
core_plugin = ml2 core_plugin = ml2
service_plugins = service_plugins =
#. In the ``[DEFAULT]`` and ``[oslo_messaging_rabbit]`` sections, * In the ``[DEFAULT]`` and ``[oslo_messaging_rabbit]`` sections,
configure RabbitMQ message queue access: configure RabbitMQ message queue access:
.. code-block:: ini .. code-block:: ini
[DEFAULT] [DEFAULT]
... ...
rpc_backend = rabbit rpc_backend = rabbit
[oslo_messaging_rabbit] [oslo_messaging_rabbit]
... ...
rabbit_host = controller rabbit_host = controller
rabbit_userid = openstack rabbit_userid = openstack
rabbit_password = RABBIT_PASS rabbit_password = RABBIT_PASS
Replace ``RABBIT_PASS`` with the password you chose for the Replace ``RABBIT_PASS`` with the password you chose for the
``openstack`` account in RabbitMQ. ``openstack`` account in RabbitMQ.
#. In the ``[DEFAULT]`` and ``[keystone_authtoken]`` sections, configure * In the ``[DEFAULT]`` and ``[keystone_authtoken]`` sections, configure
Identity service access: Identity service access:
.. code-block:: ini .. code-block:: ini
[DEFAULT] [DEFAULT]
... ...
auth_strategy = keystone auth_strategy = keystone
[keystone_authtoken] [keystone_authtoken]
... ...
auth_uri = http://controller:5000 auth_uri = http://controller:5000
auth_url = http://controller:35357 auth_url = http://controller:35357
auth_plugin = password auth_plugin = password
project_domain_id = default project_domain_id = default
user_domain_id = default user_domain_id = default
project_name = service project_name = service
username = neutron username = neutron
password = NEUTRON_PASS password = NEUTRON_PASS
Replace ``NEUTRON_PASS`` with the password you chose for the ``neutron`` Replace ``NEUTRON_PASS`` with the password you chose for the ``neutron``
user in the Identity service. user in the Identity service.
.. note:: .. note::
Comment out or remove any other options in the Comment out or remove any other options in the
``[keystone_authtoken]`` section. ``[keystone_authtoken]`` section.
#. In the ``[DEFAULT]`` and ``[nova]`` sections, configure Networking to * In the ``[DEFAULT]`` and ``[nova]`` sections, configure Networking to
notify Compute of network topology changes: notify Compute of network topology changes:
.. code-block:: ini .. code-block:: ini
[DEFAULT] [DEFAULT]
... ...
notify_nova_on_port_status_changes = True notify_nova_on_port_status_changes = True
notify_nova_on_port_data_changes = True notify_nova_on_port_data_changes = True
nova_url = http://controller:8774/v2 nova_url = http://controller:8774/v2
[nova] [nova]
... ...
auth_url = http://controller:35357 auth_url = http://controller:35357
auth_plugin = password auth_plugin = password
project_domain_id = default project_domain_id = default
user_domain_id = default user_domain_id = default
region_name = RegionOne region_name = RegionOne
project_name = service project_name = service
username = nova username = nova
password = NOVA_PASS password = NOVA_PASS
Replace ``NOVA_PASS`` with the password you chose for the ``nova`` Replace ``NOVA_PASS`` with the password you chose for the ``nova``
user in the Identity service. user in the Identity service.
#. (Optional) To assist with troubleshooting, enable verbose logging in * (Optional) To assist with troubleshooting, enable verbose logging in
the ``[DEFAULT]`` section: the ``[DEFAULT]`` section:
.. code:: ini .. code-block:: ini
[DEFAULT] [DEFAULT]
... ...
verbose = True verbose = True
Configure the Modular Layer 2 (ML2) plug-in Configure the Modular Layer 2 (ML2) plug-in
------------------------------------------- -------------------------------------------
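Review bot: After this change the section's enumerated list has a single item, the "#. Edit the ``/etc/neutron/neutron.conf`` file and complete the following actions:" step, with every former step demoted to a bullet and the next heading following immediately. A one-item numbered list renders as a lone "1." and suggests a missing step 2; consider making the "Edit the file" sentence a plain paragraph followed by the bullet list, or keep the numbering on the individual actions.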
@ -197,53 +198,54 @@ Configure the Modular Layer 2 (ML2) plug-in
The ML2 plug-in uses the Linux bridge mechanism to build layer-2 (bridging The ML2 plug-in uses the Linux bridge mechanism to build layer-2 (bridging
and switching) virtual networking infrastructure for instances. and switching) virtual networking infrastructure for instances.
Edit the ``/etc/neutron/plugins/ml2/ml2_conf.ini`` file. #. Edit the ``/etc/neutron/plugins/ml2/ml2_conf.ini`` file and complete the
following actions:
#. In the ``[ml2]`` section, enable flat and VLAN networks: * In the ``[ml2]`` section, enable flat and VLAN networks:
.. code:: ini .. code-block:: ini
[ml2] [ml2]
... ...
type_drivers = flat,vlan type_drivers = flat,vlan
#. In the ``[ml2]`` section, disable project (private) networks: * In the ``[ml2]`` section, disable project (private) networks:
.. code:: ini .. code-block:: ini
[ml2] [ml2]
... ...
tenant_network_types = tenant_network_types =
#. In the ``[ml2]`` section, enable the Linux bridge mechanism: * In the ``[ml2]`` section, enable the Linux bridge mechanism:
.. code:: ini .. code-block:: ini
[ml2] [ml2]
... ...
mechanism_drivers = linuxbridge mechanism_drivers = linuxbridge
.. warning:: .. warning::
After you configure the ML2 plug-in, removing values in the After you configure the ML2 plug-in, removing values in the
``type_drivers`` option can lead to database inconsistency. ``type_drivers`` option can lead to database inconsistency.
#. In the ``[ml2]`` section, enable the port security extension driver: * In the ``[ml2]`` section, enable the port security extension driver:
.. code:: ini .. code-block:: ini
[ml2] [ml2]
... ...
extension_drivers = port_security extension_drivers = port_security
#. In the ``[ml2_type_flat]`` section, configure the public flat provider * In the ``[ml2_type_flat]`` section, configure the public flat provider
network: network:
.. code-block:: ini .. code-block:: ini
[ml2_type_flat] [ml2_type_flat]
... ...
flat_networks = public flat_networks = public
Configure the Linux bridge agent Configure the Linux bridge agent
-------------------------------- --------------------------------
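Review bot: The ``.. warning::`` about removing values from ``type_drivers`` still sits under the ``mechanism_drivers = linuxbridge`` bullet, two bullets away from the ``type_drivers = flat,vlan`` bullet it refers to. Since the whole list is being reindented here, move the warning directly after the ``type_drivers`` code block so it is read at the point where the option is set.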
@ -252,73 +254,75 @@ The Linux bridge agent builds layer-2 (bridging and switching) virtual
networking infrastructure for instances including VXLAN tunnels for private networking infrastructure for instances including VXLAN tunnels for private
networks and handles security groups. networks and handles security groups.
Edit the ``/etc/neutron/plugins/ml2/linuxbridge_agent.conf`` file. #. Edit the ``/etc/neutron/plugins/ml2/linuxbridge_agent.conf`` file and
complete the following actions:
#. In the ``[linux_bridge]`` section, map the public virtual network to the * In the ``[linux_bridge]`` section, map the public virtual network to the
public physical network interface: public physical network interface:
.. code-block:: ini .. code-block:: ini
[linux_bridge] [linux_bridge]
physical_interface_mappings = public:PUBLIC_INTERFACE_NAME physical_interface_mappings = public:PUBLIC_INTERFACE_NAME
Replace ``PUBLIC_INTERFACE_NAME`` with the name of the underlying physical Replace ``PUBLIC_INTERFACE_NAME`` with the name of the underlying physical
public network interface. public network interface.
#. In the ``[vxlan]`` section, disable VXLAN overlay networks: * In the ``[vxlan]`` section, disable VXLAN overlay networks:
.. code-block:: ini .. code-block:: ini
[vxlan] [vxlan]
enable_vxlan = False enable_vxlan = False
#. In the ``[agent]`` section, enable ARP spoofing protection: * In the ``[agent]`` section, enable ARP spoofing protection:
.. code-block:: ini .. code-block:: ini
[agent] [agent]
... ...
prevent_arp_spoofing = True prevent_arp_spoofing = True
#. In the ``[securitygroup]`` section, enable security groups, enable * In the ``[securitygroup]`` section, enable security groups, enable
:term:`ipset`, and configure the Linux bridge :term:`iptables` firewall :term:`ipset`, and configure the Linux bridge :term:`iptables` firewall
driver: driver:
.. code-block:: ini .. code-block:: ini
[securitygroup] [securitygroup]
... ...
enable_security_group = True enable_security_group = True
enable_ipset = True enable_ipset = True
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
Configure the DHCP agent Configure the DHCP agent
------------------------ ------------------------
The :term:`DHCP agent` provides DHCP services for virtual networks. The :term:`DHCP agent` provides DHCP services for virtual networks.
Edit the ``/etc/neutron/dhcp_agent.ini`` file. #. Edit the ``/etc/neutron/dhcp_agent.ini`` file and complete the following
actions:
#. In the ``[DEFAULT]`` section, configure the Linux bridge interface driver, * In the ``[DEFAULT]`` section, configure the Linux bridge interface driver,
Dnsmasq DHCP driver, and enable isolated metadata so instances on public Dnsmasq DHCP driver, and enable isolated metadata so instances on public
networks can access metadata over the network: networks can access metadata over the network:
.. code-block:: ini .. code-block:: ini
[DEFAULT] [DEFAULT]
... ...
interface_driver = neutron.agent.linux.interface.BridgeInterfaceDriver interface_driver = neutron.agent.linux.interface.BridgeInterfaceDriver
dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq
enable_isolated_metadata = True enable_isolated_metadata = True
#. (Optional) To assist with troubleshooting, enable verbose logging in the * (Optional) To assist with troubleshooting, enable verbose logging in the
``[DEFAULT]`` section: ``[DEFAULT]`` section:
.. code-block:: ini .. code-block:: ini
[DEFAULT] [DEFAULT]
... ...
verbose = True verbose = True
Return to Return to
:ref:`Networking controller node configuration :ref:`Networking controller node configuration
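Review bot: The introductory context lines of this hunk still say the Linux bridge agent builds infrastructure "including VXLAN tunnels for private networks", but the ``[vxlan]`` bullet in the same hunk sets ``enable_vxlan = False`` for this option. As the commit aims to address consistency issues, reword the introduction for option 1 so it does not describe a feature that the following step turns off.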

View File

@ -10,7 +10,7 @@ Before you configure networking option 2, you must configure kernel
parameters to enable IP forwarding (routing) and disable reverse-path parameters to enable IP forwarding (routing) and disable reverse-path
filtering. filtering.
#. Edit the :file:`/etc/sysctl.conf` file to contain the following parameters: #. Edit the ``/etc/sysctl.conf`` file to contain the following parameters:
.. code-block:: ini .. code-block:: ini
@ -24,12 +24,12 @@ filtering.
# sysctl -p # sysctl -p
Install the Networking components Install the components
--------------------------------- ----------------------
.. only:: ubuntu .. only:: ubuntu
.. code:: console .. code-block:: console
# apt-get install neutron-server neutron-plugin-ml2 \ # apt-get install neutron-server neutron-plugin-ml2 \
neutron-plugin-linuxbridge-agent neutron-l3-agent neutron-dhcp-agent \ neutron-plugin-linuxbridge-agent neutron-l3-agent neutron-dhcp-agent \
@ -37,14 +37,14 @@ Install the Networking components
.. only:: rdo .. only:: rdo
.. code:: console .. code-block:: console
# yum install openstack-neutron openstack-neutron-ml2 \ # yum install openstack-neutron openstack-neutron-ml2 \
openstack-neutron-linuxbridge python-neutronclient openstack-neutron-linuxbridge python-neutronclient
.. only:: obs .. only:: obs
.. code:: console .. code-block:: console
# zypper install --no-recommends openstack-neutron \ # zypper install --no-recommends openstack-neutron \
openstack-neutron-server openstack-neutron-linuxbridge-agent \ openstack-neutron-server openstack-neutron-linuxbridge-agent \
@ -56,7 +56,7 @@ Install the Networking components
Install and configure the Networking components Install and configure the Networking components
----------------------------------------------- -----------------------------------------------
#. .. code:: console #. .. code-block:: console
# apt-get install neutron-server neutron-plugin-linuxbridge-agent \ # apt-get install neutron-server neutron-plugin-linuxbridge-agent \
neutron-dhcp-agent neutron-metadata-agent neutron-dhcp-agent neutron-metadata-agent
@ -77,116 +77,117 @@ Install the Networking components
Selecting the ML2 plug-in also populates the ``service_plugins`` and Selecting the ML2 plug-in also populates the ``service_plugins`` and
``allow_overlapping_ips`` options in the ``allow_overlapping_ips`` options in the
:file:`/etc/neutron/neutron.conf` file with the appropriate values. ``/etc/neutron/neutron.conf`` file with the appropriate values.
.. only:: ubuntu or rdo or obs .. only:: ubuntu or rdo or obs
Configure the Networking server component Configure the server component
----------------------------------------- ------------------------------
Edit the ``/etc/neutron/neutron.conf`` file. #. Edit the ``/etc/neutron/neutron.conf`` file and complete the following
actions:
#. In the ``[database]`` section, configure database access: * In the ``[database]`` section, configure database access:
.. code:: ini .. code-block:: ini
[database] [database]
... ...
connection = mysql+pymysql://neutron:NEUTRON_DBPASS@controller/neutron connection = mysql+pymysql://neutron:NEUTRON_DBPASS@controller/neutron
Replace ``NEUTRON_DBPASS`` with the password you chose for the Replace ``NEUTRON_DBPASS`` with the password you chose for the
database. database.
#. In the ``[DEFAULT]`` section, enable the Modular Layer 2 (ML2) * In the ``[DEFAULT]`` section, enable the Modular Layer 2 (ML2)
plug-in, router service, and overlapping IP addresses: plug-in, router service, and overlapping IP addresses:
.. code:: ini .. code-block:: ini
[DEFAULT] [DEFAULT]
... ...
core_plugin = ml2 core_plugin = ml2
service_plugins = router service_plugins = router
allow_overlapping_ips = True allow_overlapping_ips = True
#. In the ``[DEFAULT]`` and ``[oslo_messaging_rabbit]`` sections, * In the ``[DEFAULT]`` and ``[oslo_messaging_rabbit]`` sections,
configure RabbitMQ message queue access: configure RabbitMQ message queue access:
.. code-block:: ini .. code-block:: ini
[DEFAULT] [DEFAULT]
... ...
rpc_backend = rabbit rpc_backend = rabbit
[oslo_messaging_rabbit] [oslo_messaging_rabbit]
... ...
rabbit_host = controller rabbit_host = controller
rabbit_userid = openstack rabbit_userid = openstack
rabbit_password = RABBIT_PASS rabbit_password = RABBIT_PASS
Replace ``RABBIT_PASS`` with the password you chose for the Replace ``RABBIT_PASS`` with the password you chose for the
``openstack`` account in RabbitMQ. ``openstack`` account in RabbitMQ.
#. In the ``[DEFAULT]`` and ``[keystone_authtoken]`` sections, configure * In the ``[DEFAULT]`` and ``[keystone_authtoken]`` sections, configure
Identity service access: Identity service access:
.. code-block:: ini .. code-block:: ini
[DEFAULT] [DEFAULT]
... ...
auth_strategy = keystone auth_strategy = keystone
[keystone_authtoken] [keystone_authtoken]
... ...
auth_uri = http://controller:5000 auth_uri = http://controller:5000
auth_url = http://controller:35357 auth_url = http://controller:35357
auth_plugin = password auth_plugin = password
project_domain_id = default project_domain_id = default
user_domain_id = default user_domain_id = default
project_name = service project_name = service
username = neutron username = neutron
password = NEUTRON_PASS password = NEUTRON_PASS
Replace ``NEUTRON_PASS`` with the password you chose for the ``neutron`` Replace ``NEUTRON_PASS`` with the password you chose for the ``neutron``
user in the Identity service. user in the Identity service.
.. note:: .. note::
Comment out or remove any other options in the Comment out or remove any other options in the
``[keystone_authtoken]`` section. ``[keystone_authtoken]`` section.
#. In the ``[DEFAULT]`` and ``[nova]`` sections, configure Networking to * In the ``[DEFAULT]`` and ``[nova]`` sections, configure Networking to
notify Compute of network topology changes: notify Compute of network topology changes:
.. code-block:: ini .. code-block:: ini
[DEFAULT] [DEFAULT]
... ...
notify_nova_on_port_status_changes = True notify_nova_on_port_status_changes = True
notify_nova_on_port_data_changes = True notify_nova_on_port_data_changes = True
nova_url = http://controller:8774/v2 nova_url = http://controller:8774/v2
[nova] [nova]
... ...
auth_url = http://controller:35357 auth_url = http://controller:35357
auth_plugin = password auth_plugin = password
project_domain_id = default project_domain_id = default
user_domain_id = default user_domain_id = default
region_name = RegionOne region_name = RegionOne
project_name = service project_name = service
username = nova username = nova
password = NOVA_PASS password = NOVA_PASS
Replace ``NOVA_PASS`` with the password you chose for the ``nova`` Replace ``NOVA_PASS`` with the password you chose for the ``nova``
user in the Identity service. user in the Identity service.
#. (Optional) To assist with troubleshooting, enable verbose logging in * (Optional) To assist with troubleshooting, enable verbose logging in
the ``[DEFAULT]`` section: the ``[DEFAULT]`` section:
.. code:: ini .. code-block:: ini
[DEFAULT] [DEFAULT]
... ...
verbose = True verbose = True
Configure the Modular Layer 2 (ML2) plug-in Configure the Modular Layer 2 (ML2) plug-in
------------------------------------------- -------------------------------------------
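Review bot: The ``[database]``, ``[oslo_messaging_rabbit]``, ``[keystone_authtoken]`` and ``[nova]`` steps in this hunk put four credentials (``NEUTRON_DBPASS``, ``RABBIT_PASS``, ``NEUTRON_PASS``, ``NOVA_PASS``) into ``/etc/neutron/neutron.conf`` in clear text, and the restructured step never says how that file should be protected. Since the steps are being reworked anyway, consider adding a short note under the new "Edit the ``/etc/neutron/neutron.conf`` file" item about restricting read access to the file. The same note could state that ``auth_uri = http://controller:5000`` and ``auth_url = http://controller:35357`` send the service password to the Identity service over plain HTTP.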
@ -194,67 +195,68 @@ Configure the Modular Layer 2 (ML2) plug-in
The ML2 plug-in uses the Linux bridge mechanism to build layer-2 (bridging The ML2 plug-in uses the Linux bridge mechanism to build layer-2 (bridging
and switching) virtual networking infrastructure for instances. and switching) virtual networking infrastructure for instances.
Edit the ``/etc/neutron/plugins/ml2/ml2_conf.ini`` file. #. Edit the ``/etc/neutron/plugins/ml2/ml2_conf.ini`` file and complete the
following actions:
#. In the ``[ml2]`` section, enable flat, VLAN, and VXLAN networks: * In the ``[ml2]`` section, enable flat, VLAN, and VXLAN networks:
.. code:: ini .. code-block:: ini
[ml2] [ml2]
... ...
type_drivers = flat,vlan,vxlan type_drivers = flat,vlan,vxlan
#. In the ``[ml2]`` section, enable VXLAN project (private) networks: * In the ``[ml2]`` section, enable VXLAN project (private) networks:
.. code:: ini .. code-block:: ini
[ml2] [ml2]
... ...
tenant_network_types = vxlan tenant_network_types = vxlan
#. In the ``[ml2]`` section, enable the Linux bridge and layer-2 population * In the ``[ml2]`` section, enable the Linux bridge and layer-2 population
mechanisms: mechanisms:
.. code:: ini .. code-block:: ini
[ml2] [ml2]
... ...
mechanism_drivers = linuxbridge,l2population mechanism_drivers = linuxbridge,l2population
.. warning:: .. warning::
After you configure the ML2 plug-in, removing values in the After you configure the ML2 plug-in, removing values in the
``type_drivers`` option can lead to database inconsistency. ``type_drivers`` option can lead to database inconsistency.
.. note:: .. note::
The Linux bridge agent only supports VXLAN overlay networks. The Linux bridge agent only supports VXLAN overlay networks.
#. In the ``[ml2]`` section, enable the port security extension driver: * In the ``[ml2]`` section, enable the port security extension driver:
.. code:: ini .. code-block:: ini
[ml2] [ml2]
... ...
extension_drivers = port_security extension_drivers = port_security
#. In the ``[ml2_type_flat]`` section, configure the public flat provider * In the ``[ml2_type_flat]`` section, configure the public flat provider
network: network:
.. code-block:: ini .. code-block:: ini
[ml2_type_flat] [ml2_type_flat]
... ...
flat_networks = public flat_networks = public
#. In the ``[ml2_type_vxlan]`` section, configure the VXLAN network identifier * In the ``[ml2_type_vxlan]`` section, configure the VXLAN network identifier
range for private networks: range for private networks:
.. code:: ini .. code-block:: ini
[ml2_type_vxlan] [ml2_type_vxlan]
... ...
vni_ranges = 1:1000 vni_ranges = 1:1000
Configure the Linux bridge agent Configure the Linux bridge agent
-------------------------------- --------------------------------
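Review bot: The ``.. warning::`` about removing values from ``type_drivers`` still follows the ``mechanism_drivers = linuxbridge,l2population`` item rather than the ``type_drivers = flat,vlan,vxlan`` item it describes. With the list converted to bullets, a reader will attach it to the wrong option. Suggest moving the warning directly under the ``type_drivers`` code block and leaving only the "Linux bridge agent only supports VXLAN overlay networks" note with the mechanism drivers item.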
@ -263,53 +265,54 @@ The Linux bridge agent builds layer-2 (bridging and switching) virtual
networking infrastructure for instances including VXLAN tunnels for private networking infrastructure for instances including VXLAN tunnels for private
networks and handles security groups. networks and handles security groups.
Edit the ``/etc/neutron/plugins/ml2/linuxbridge_agent.conf`` file. #. Edit the ``/etc/neutron/plugins/ml2/linuxbridge_agent.conf`` file and
complete the following actions:
#. In the ``[linux_bridge]`` section, map the public virtual network to the * In the ``[linux_bridge]`` section, map the public virtual network to the
public physical network interface: public physical network interface:
.. code-block:: ini .. code-block:: ini
[linux_bridge] [linux_bridge]
physical_interface_mappings = public:PUBLIC_INTERFACE_NAME physical_interface_mappings = public:PUBLIC_INTERFACE_NAME
Replace ``PUBLIC_INTERFACE_NAME`` with the name of the underlying physical Replace ``PUBLIC_INTERFACE_NAME`` with the name of the underlying physical
public network interface. public network interface.
#. In the ``[vxlan]`` section, enable VXLAN overlay networks, configure the * In the ``[vxlan]`` section, enable VXLAN overlay networks, configure the
IP address of the physical network interface that handles overlay IP address of the physical network interface that handles overlay
networks, and enable layer-2 population: networks, and enable layer-2 population:
.. code-block:: ini .. code-block:: ini
[vxlan] [vxlan]
enable_vxlan = True enable_vxlan = True
local_ip = OVERLAY_INTERFACE_IP_ADDRESS local_ip = OVERLAY_INTERFACE_IP_ADDRESS
l2_population = True l2_population = True
Replace ``OVERLAY_INTERFACE_IP_ADDRESS`` with the IP address of the Replace ``OVERLAY_INTERFACE_IP_ADDRESS`` with the IP address of the
underlying physical network interface that handles overlay networks. The underlying physical network interface that handles overlay networks. The
example architecture uses the management interface. example architecture uses the management interface.
#. In the ``[agent]`` section, enable ARP spoofing protection: * In the ``[agent]`` section, enable ARP spoofing protection:
.. code-block:: ini .. code-block:: ini
[agent] [agent]
... ...
prevent_arp_spoofing = True prevent_arp_spoofing = True
#. In the ``[securitygroup]`` section, enable security groups, enable * In the ``[securitygroup]`` section, enable security groups, enable
:term:`ipset`, and configure the Linux bridge :term:`iptables` firewall :term:`ipset`, and configure the Linux bridge :term:`iptables` firewall
driver: driver:
.. code-block:: ini .. code-block:: ini
[securitygroup] [securitygroup]
... ...
enable_security_group = True enable_security_group = True
enable_ipset = True enable_ipset = True
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
Configure the layer-3 agent Configure the layer-3 agent
--------------------------- ---------------------------
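Review bot: The ``[linux_bridge]`` and ``[vxlan]`` code blocks omit the ``...`` placeholder line that the ``[agent]`` and ``[securitygroup]`` blocks in the same hunk carry. Because the commit message says it addresses consistency issues, either add ``...`` to the first two blocks or drop it from the last two, so readers do not infer that ``[linux_bridge]`` and ``[vxlan]`` must contain nothing else.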
@ -317,103 +320,105 @@ Configure the layer-3 agent
The :term:`Layer-3 (L3) agent` provides routing and NAT services for virtual The :term:`Layer-3 (L3) agent` provides routing and NAT services for virtual
networks. networks.
Edit the ``/etc/neutron/l3_agent.ini`` file: #. Edit the ``/etc/neutron/l3_agent.ini`` file and complete the following
actions:
#. In the ``[DEFAULT]`` section, configure the Linux bridge interface driver * In the ``[DEFAULT]`` section, configure the Linux bridge interface driver
and external network bridge: and external network bridge:
.. code-block:: ini .. code-block:: ini
[DEFAULT] [DEFAULT]
... ...
interface_driver = neutron.agent.linux.interface.BridgeInterfaceDriver interface_driver = neutron.agent.linux.interface.BridgeInterfaceDriver
external_network_bridge = external_network_bridge =
.. note:: .. note::
The ``external_network_bridge`` option intentionally lacks a value The ``external_network_bridge`` option intentionally lacks a value
to enable multiple external networks on a single agent. to enable multiple external networks on a single agent.
#. (Optional) To assist with troubleshooting, enable verbose logging in the * (Optional) To assist with troubleshooting, enable verbose logging in the
``[DEFAULT]`` section: ``[DEFAULT]`` section:
.. code-block:: ini .. code-block:: ini
[DEFAULT] [DEFAULT]
... ...
verbose = True verbose = True
Configure the DHCP agent Configure the DHCP agent
------------------------ ------------------------
The :term:`DHCP agent` provides DHCP services for virtual networks. The :term:`DHCP agent` provides DHCP services for virtual networks.
Edit the ``/etc/neutron/dhcp_agent.ini`` file. #. Edit the ``/etc/neutron/dhcp_agent.ini`` file and complete the following
actions:
#. In the ``[DEFAULT]`` section, configure the Linux bridge interface driver, * In the ``[DEFAULT]`` section, configure the Linux bridge interface driver,
Dnsmasq DHCP driver, and enable isolated metadata so instances on public Dnsmasq DHCP driver, and enable isolated metadata so instances on public
networks can access metadata over the network: networks can access metadata over the network:
.. code-block:: ini .. code-block:: ini
[DEFAULT] [DEFAULT]
... ...
interface_driver = neutron.agent.linux.interface.BridgeInterfaceDriver interface_driver = neutron.agent.linux.interface.BridgeInterfaceDriver
dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq
enable_isolated_metadata = True enable_isolated_metadata = True
Overlay networks such as VXLAN include additional packet headers that * (Optional) To assist with troubleshooting, enable verbose logging in the
increase overhead and decrease space available for the payload or user ``[DEFAULT]`` section:
data. Without knowledge of the virtual network infrastructure, instances
attempt to send packets using the default Ethernet :term:`maximum
transmission unit (MTU)` of 1500 bytes. :term:`Internet protocol (IP)`
networks contain the :term:`path MTU discovery (PMTUD)` mechanism to detect
end-to-end MTU and adjust packet size accordingly. However, some operating
systems and networks block or otherwise lack support for PMTUD causing
performance degradation or connectivity failure.
Ideally, you can prevent these problems by enabling :term:`jumbo frames .. code-block:: ini
<jumbo frame>` on the physical network that contains your tenant virtual
networks. Jumbo frames support MTUs up to approximately 9000 bytes which
negates the impact of VXLAN overhead on virtual networks. However, many
network devices lack support for jumbo frames and OpenStack administrators
often lack control over network infrastructure. Given the latter
complications, you can also prevent MTU problems by reducing the
instance MTU to account for VXLAN overhead. Determining the proper MTU
value often takes experimentation, but 1450 bytes works in most
environments. You can configure the DHCP server that assigns IP
addresses to your instances to also adjust the MTU.
.. note:: [DEFAULT]
...
verbose = True
Some cloud images ignore the DHCP MTU option in which case you Overlay networks such as VXLAN include additional packet headers that
should configure it using metadata, a script, or other suitable increase overhead and decrease space available for the payload or user
method. data. Without knowledge of the virtual network infrastructure, instances
attempt to send packets using the default Ethernet :term:`maximum
transmission unit (MTU)` of 1500 bytes. :term:`Internet protocol (IP)`
networks contain the :term:`path MTU discovery (PMTUD)` mechanism to detect
end-to-end MTU and adjust packet size accordingly. However, some operating
systems and networks block or otherwise lack support for PMTUD causing
performance degradation or connectivity failure.
#. In the ``[DEFAULT]`` section, enable the :term:`dnsmasq` configuration Ideally, you can prevent these problems by enabling :term:`jumbo frames
file: <jumbo frame>` on the physical network that contains your tenant virtual
networks. Jumbo frames support MTUs up to approximately 9000 bytes which
negates the impact of VXLAN overhead on virtual networks. However, many
network devices lack support for jumbo frames and OpenStack administrators
often lack control over network infrastructure. Given the latter
complications, you can also prevent MTU problems by reducing the
instance MTU to account for VXLAN overhead. Determining the proper MTU
value often takes experimentation, but 1450 bytes works in most
environments. You can configure the DHCP server that assigns IP
addresses to your instances to also adjust the MTU.
.. code-block:: ini .. note::
[DEFAULT] Some cloud images ignore the DHCP MTU option in which case you
... should configure it using metadata, a script, or other suitable
dnsmasq_config_file = /etc/neutron/dnsmasq-neutron.conf method.
#. Create and edit the :file:`/etc/neutron/dnsmasq-neutron.conf` file to * In the ``[DEFAULT]`` section, enable the :term:`dnsmasq` configuration
enable the DHCP MTU option (26) and configure it to 1450 bytes: file:
.. code-block:: ini .. code-block:: ini
dhcp-option-force=26,1450 [DEFAULT]
...
dnsmasq_config_file = /etc/neutron/dnsmasq-neutron.conf
#. (Optional) To assist with troubleshooting, enable verbose logging in the * Create and edit the ``/etc/neutron/dnsmasq-neutron.conf`` file to
``[DEFAULT]`` section: enable the DHCP MTU option (26) and configure it to 1450 bytes:
.. code-block:: ini .. code-block:: ini
[DEFAULT] dhcp-option-force=26,1450
...
verbose = True
Return to Return to
:ref:`Networking controller node configuration :ref:`Networking controller node configuration
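Review bot: In the DHCP agent section, the item "Create and edit the ``/etc/neutron/dnsmasq-neutron.conf`` file" is now a bullet under "Edit the ``/etc/neutron/dhcp_agent.ini`` file and complete the following actions", although it concerns a different file. It should be its own numbered step after the ``dhcp_agent.ini`` step. The optional ``verbose = True`` bullet also moved ahead of the MTU paragraphs, so that explanation now sits between an unrelated bullet and the ``dnsmasq_config_file`` item it motivates. Suggest placing the MTU text immediately before the ``dnsmasq_config_file`` bullet, or as the introduction to the new ``dnsmasq-neutron.conf`` step, and keeping the optional logging bullet last as in the other sections.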

View File

@ -9,106 +9,133 @@ must create a database, service credentials, and API endpoints.
#. To create the database, complete these steps: #. To create the database, complete these steps:
a. Use the database access client to connect to the database server as the * Use the database access client to connect to the database server as the
``root`` user: ``root`` user:
.. code:: console .. code-block:: console
$ mysql -u root -p $ mysql -u root -p
#. Create the ``neutron`` database: * Create the ``neutron`` database:
.. code:: console .. code-block:: console
CREATE DATABASE neutron; CREATE DATABASE neutron;
#. Grant proper access to the ``neutron`` database, replacing * Grant proper access to the ``neutron`` database, replacing
``NEUTRON_DBPASS`` with a suitable password: ``NEUTRON_DBPASS`` with a suitable password:
.. code:: console .. code-block:: console
GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'localhost' \ GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'localhost' \
IDENTIFIED BY 'NEUTRON_DBPASS'; IDENTIFIED BY 'NEUTRON_DBPASS';
GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'%' \ GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'%' \
IDENTIFIED BY 'NEUTRON_DBPASS'; IDENTIFIED BY 'NEUTRON_DBPASS';
#. Exit the database access client. * Exit the database access client.
#. Source the ``admin`` credentials to gain access to admin-only CLI #. Source the ``admin`` credentials to gain access to admin-only CLI
commands: commands:
.. code:: console .. code-block:: console
$ source admin-openrc.sh $ source admin-openrc.sh
#. To create the service credentials, complete these steps: #. To create the service credentials, complete these steps:
a. Create the ``neutron`` user: * Create the ``neutron`` user:
.. code:: console .. code-block:: console
$ openstack user create --password-prompt neutron $ openstack user create --domain default --password-prompt neutron
User Password: User Password:
Repeat User Password: Repeat User Password:
+----------+----------------------------------+ +-----------+----------------------------------+
| Field | Value | | Field | Value |
+----------+----------------------------------+ +-----------+----------------------------------+
| email | None | | domain_id | default |
| enabled | True | | enabled | True |
| id | ab67f043d9304017aaa73d692eeb4945 | | id | b20a6692f77b4258926881bf831eb683 |
| name | neutron | | name | neutron |
| username | neutron | +-----------+----------------------------------+
+----------+----------------------------------+
#. Add the ``admin`` role to the ``neutron`` user:
.. code:: console * Add the ``admin`` role to the ``neutron`` user:
$ openstack role add --project service --user neutron admin .. code-block:: console
+-------+----------------------------------+
| Field | Value |
+-------+----------------------------------+
| id | cd2cb9a39e874ea69e5d4b896eb16128 |
| name | admin |
+-------+----------------------------------+
#. Create the ``neutron`` service entity: $ openstack role add --project service --user neutron admin
.. code:: console .. note::
$ openstack service create --name neutron \ This command provides no output.
--description "OpenStack Networking" network
+-------------+----------------------------------+ * Create the ``neutron`` service entity:
| Field | Value |
+-------------+----------------------------------+ .. code-block:: console
| description | OpenStack Networking |
| enabled | True | $ openstack service create --name neutron \
| id | f71529314dab4a4d8eca427e701d209e | --description "OpenStack Networking" network
| name | neutron | +-------------+----------------------------------+
| type | network | | Field | Value |
+-------------+----------------------------------+ +-------------+----------------------------------+
| description | OpenStack Networking |
| enabled | True |
| id | f71529314dab4a4d8eca427e701d209e |
| name | neutron |
| type | network |
+-------------+----------------------------------+
#. Create the Networking service API endpoints: #. Create the Networking service API endpoints:
.. code:: console .. code-block:: console
$ openstack endpoint create \ $ openstack endpoint create --region RegionOne \
--publicurl http://controller:9696 \ network public http://controller:9696
--adminurl http://controller:9696 \
--internalurl http://controller:9696 \
--region RegionOne \
network
+--------------+----------------------------------+ +--------------+----------------------------------+
| Field | Value | | Field | Value |
+--------------+----------------------------------+ +--------------+----------------------------------+
| adminurl | http://controller:9696 | | enabled | True |
| id | 04a7d3c1de784099aaba83a8a74100b3 | | id | 85d80a6d02fc4b7683f611d7fc1493a3 |
| internalurl | http://controller:9696 | | interface | public |
| publicurl | http://controller:9696 |
| region | RegionOne | | region | RegionOne |
| region_id | RegionOne |
| service_id | f71529314dab4a4d8eca427e701d209e | | service_id | f71529314dab4a4d8eca427e701d209e |
| service_name | neutron | | service_name | neutron |
| service_type | network | | service_type | network |
| url | http://controller:9696 |
+--------------+----------------------------------+
$ openstack endpoint create --region RegionOne \
network internal http://controller:9696
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 09753b537ac74422a68d2d791cf3714f |
| interface | internal |
| region | RegionOne |
| region_id | RegionOne |
| service_id | f71529314dab4a4d8eca427e701d209e |
| service_name | neutron |
| service_type | network |
| url | http://controller:9696 |
+--------------+----------------------------------+
$ openstack endpoint create --region RegionOne \
network admin http://controller:9696
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 1ee14289c9374dffb5db92a5c112fc4e |
| interface | admin |
| region | RegionOne |
| region_id | RegionOne |
| service_id | f71529314dab4a4d8eca427e701d209e |
| service_name | neutron |
| service_type | network |
| url | http://controller:9696 |
+--------------+----------------------------------+ +--------------+----------------------------------+
Configure networking options Configure networking options
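Review bot: The database and service-credential sub-steps change from enumerated items (``a.``, ``#.``) to ``*`` bullets, but they are strictly ordered (connect as ``root``, create the database, grant access, exit), so an unordered list loses information the reader needs. Suggest keeping enumerated sub-steps here. The ``CREATE DATABASE`` and ``GRANT`` statements are also tagged ``.. code-block:: console`` although they are SQL typed at the database client prompt. While this block is being edited, it is also worth reconsidering ``GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'%'``, which accepts the ``neutron`` database password from any host.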
@ -137,99 +164,86 @@ Configure the metadata agent
The :term:`metadata agent <Metadata agent>` provides configuration information The :term:`metadata agent <Metadata agent>` provides configuration information
such as credentials to instances. such as credentials to instances.
Edit the ``/etc/neutron/metadata_agent.ini`` file. #. Edit the ``/etc/neutron/metadata_agent.ini`` file and complete the following
actions:
#. In the ``[DEFAULT]`` section, configure access parameters: * In the ``[DEFAULT]`` section, configure access parameters:
.. code-block:: ini .. code-block:: ini
[DEFAULT] [DEFAULT]
... ...
auth_uri = http://controller:5000 auth_uri = http://controller:5000
auth_url = http://controller:35357 auth_url = http://controller:35357
auth_region = RegionOne auth_region = RegionOne
auth_plugin = password auth_plugin = password
project_domain_id = default project_domain_id = default
user_domain_id = default user_domain_id = default
project_name = service project_name = service
username = neutron username = neutron
password = NEUTRON_PASS password = NEUTRON_PASS
Replace ``NEUTRON_PASS`` with the password you chose for the ``neutron`` Replace ``NEUTRON_PASS`` with the password you chose for the ``neutron``
user in the Identity service. user in the Identity service.
#. In the ``[DEFAULT]`` section, configure the metadata host: * In the ``[DEFAULT]`` section, configure the metadata host:
.. code-block:: ini .. code-block:: ini
[DEFAULT] [DEFAULT]
... ...
nova_metadata_ip = controller nova_metadata_ip = controller
#. In the ``[DEFAULT]`` section, configure the metadata proxy shared * In the ``[DEFAULT]`` section, configure the metadata proxy shared
secret: secret:
.. code-block:: ini .. code-block:: ini
[DEFAULT] [DEFAULT]
... ...
metadata_proxy_shared_secret = METADATA_SECRET metadata_proxy_shared_secret = METADATA_SECRET
Replace ``METADATA_SECRET`` with a suitable secret for the metadata proxy. Replace ``METADATA_SECRET`` with a suitable secret for the metadata proxy.
#. (Optional) To assist with troubleshooting, enable verbose logging in the * (Optional) To assist with troubleshooting, enable verbose logging in the
``[DEFAULT]`` section: ``[DEFAULT]`` section:
.. code-block:: ini .. code-block:: ini
[DEFAULT] [DEFAULT]
... ...
verbose = True verbose = True
Configure Compute to use Networking Configure Compute to use Networking
----------------------------------- -----------------------------------
Edit the ``/etc/nova/nova.conf`` file: #. Edit the ``/etc/nova/nova.conf`` file and perform the following actions:
#. In the ``[DEFAULT]`` section, configure Compute to use the Networking * In the ``[neutron]`` section, configure access parameters, enable the
service: metadata proxy, and configure the secret:
.. code-block:: ini .. code-block:: ini
[DEFAULT] [neutron]
network_api_class = nova.network.neutronv2.api.API ...
security_group_api = neutron url = http://controller:9696
linuxnet_interface_driver = nova.network.linux_net.NeutronLinuxBridgeInterfaceDriver auth_url = http://controller:35357
firewall_driver = nova.virt.firewall.NoopFirewallDriver auth_plugin = password
project_domain_id = default
user_domain_id = default
region_name = RegionOne
project_name = service
username = neutron
password = NEUTRON_PASS
.. note:: service_metadata_proxy = True
metadata_proxy_shared_secret = METADATA_SECRET
The ``firewall_driver`` option uses the ``NoopFirewallDriver`` value Replace ``NEUTRON_PASS`` with the password you chose for the ``neutron``
because Compute delegates security group (firewall) operation to the user in the Identity service.
Networking service.
#. In the ``[neutron]`` section, configure access parameters, enable the Replace ``METADATA_SECRET`` with the secret you chose for the metadata
metadata proxy, and configure the secret: proxy.
.. code-block:: ini
[neutron]
...
url = http://controller:9696
auth_strategy = keystone
admin_auth_url = http://controller:35357/v2.0
admin_tenant_name = service
admin_username = neutron
admin_password = NEUTRON_PASS
service_metadata_proxy = True
metadata_proxy_shared_secret = METADATA_SECRET
Replace ``NEUTRON_PASS`` with the password you chose for the ``neutron``
user in the Identity service.
Replace ``METADATA_SECRET`` with the secret you chose for the metadata
proxy.
Finalize installation Finalize installation
--------------------- ---------------------
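Review bot: In "Configure Compute to use Networking", the ``[DEFAULT]`` step is removed outright, taking ``security_group_api = neutron``, ``firewall_driver = nova.virt.firewall.NoopFirewallDriver`` and the note explaining that Compute delegates security group operation to Networking with it, and nothing in this hunk shows where those settings now live. Please confirm they are set in another file of this change or are no longer needed for Liberty, and say so in the commit message. Otherwise a reader following this page has no instruction telling Compute to hand firewalling to Networking. As a minor point, this step says "perform the following actions" while every other converted step says "complete the following actions".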
@ -237,11 +251,11 @@ Finalize installation
.. only:: rdo .. only:: rdo
#. The Networking service initialization scripts expect a symbolic link #. The Networking service initialization scripts expect a symbolic link
:file:`/etc/neutron/plugin.ini` pointing to the ML2 plug-in configuration ``/etc/neutron/plugin.ini`` pointing to the ML2 plug-in configuration
file, :file:`/etc/neutron/plugins/ml2/ml2_conf.ini`. If this symbolic file, ``/etc/neutron/plugins/ml2/ml2_conf.ini``. If this symbolic
link does not exist, create it using the following command: link does not exist, create it using the following command:
.. code:: console .. code-block:: console
# ln -s /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini # ln -s /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini
@ -264,7 +278,7 @@ Finalize installation
#. Populate the database: #. Populate the database:
.. code:: console .. code-block:: console
# su -s /bin/sh -c "neutron-db-manage --config-file /etc/neutron/neutron.conf \ # su -s /bin/sh -c "neutron-db-manage --config-file /etc/neutron/neutron.conf \
--config-file /etc/neutron/plugins/ml2/ml2_conf.ini upgrade head" neutron --config-file /etc/neutron/plugins/ml2/ml2_conf.ini upgrade head" neutron
@ -276,7 +290,7 @@ Finalize installation
#. Restart the Compute services: #. Restart the Compute services:
.. code:: console .. code-block:: console
# systemctl restart openstack-nova-api.service openstack-nova-scheduler.service \ # systemctl restart openstack-nova-api.service openstack-nova-scheduler.service \
openstack-nova-conductor.service openstack-nova-conductor.service
@ -286,7 +300,7 @@ Finalize installation
For both networking options: For both networking options:
.. code:: console .. code-block:: console
# systemctl enable neutron-server.service \ # systemctl enable neutron-server.service \
neutron-linuxbridge-agent.service neutron-dhcp-agent.service \ neutron-linuxbridge-agent.service neutron-dhcp-agent.service \
@ -297,7 +311,7 @@ Finalize installation
For networking option 2, also enable and start the layer-3 service: For networking option 2, also enable and start the layer-3 service:
.. code:: console .. code-block:: console
# systemctl enable neutron-l3-agent.service # systemctl enable neutron-l3-agent.service
# systemctl start neutron-l3-agent.service # systemctl start neutron-l3-agent.service
@ -305,17 +319,17 @@ Finalize installation
.. only:: obs .. only:: obs
#. The Networking service initialization scripts expect the variable #. The Networking service initialization scripts expect the variable
``NEUTRON_PLUGIN_CONF`` in the :file:`/etc/sysconfig/neutron` file to ``NEUTRON_PLUGIN_CONF`` in the ``/etc/sysconfig/neutron`` file to
reference the ML2 plug-in configuration file. Edit the reference the ML2 plug-in configuration file. Edit the
:file:`/etc/sysconfig/neutron` file and add the following: ``/etc/sysconfig/neutron`` file and add the following:
.. code:: console .. code-block:: console
NEUTRON_PLUGIN_CONF="/etc/neutron/plugins/ml2/ml2_conf.ini" NEUTRON_PLUGIN_CONF="/etc/neutron/plugins/ml2/ml2_conf.ini"
#. Restart the Compute services: #. Restart the Compute services:
.. code:: console .. code-block:: console
# systemctl restart openstack-nova-api.service openstack-nova-scheduler.service \ # systemctl restart openstack-nova-api.service openstack-nova-scheduler.service \
openstack-nova-conductor.service openstack-nova-conductor.service
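Review bot: The block holding ``NEUTRON_PLUGIN_CONF="/etc/neutron/plugins/ml2/ml2_conf.ini"`` is switched to ``.. code-block:: console``, but it is a line to add to ``/etc/sysconfig/neutron``, not a command with a prompt. Every real console block in this file starts with ``#`` or ``$``, so this one will read as something to run. Suggest a lexer that matches file content, such as ``ini``, which the other configuration snippets in this change already use.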
@ -325,7 +339,7 @@ Finalize installation
For both networking options: For both networking options:
.. code:: console .. code-block:: console
# systemctl enable openstack-neutron.service \ # systemctl enable openstack-neutron.service \
openstack-neutron-linuxbridge.service \ openstack-neutron-linuxbridge.service \
@ -338,7 +352,7 @@ Finalize installation
For networking option 2, also enable and start the layer-3 service: For networking option 2, also enable and start the layer-3 service:
.. code:: console .. code-block:: console
# systemctl enable openstack-neutron-l3-agent.service # systemctl enable openstack-neutron-l3-agent.service
# systemctl start openstack-neutron-l3-agent.service # systemctl start openstack-neutron-l3-agent.service
@ -350,7 +364,7 @@ Finalize installation
agent configuration file. Run the following commands to resolve this agent configuration file. Run the following commands to resolve this
issue: issue:
.. code:: console .. code-block:: console
# cp /etc/init/neutron-plugin-linuxbridge-agent.conf \ # cp /etc/init/neutron-plugin-linuxbridge-agent.conf \
/etc/init/neutron-plugin-linuxbridge-agent.conf.orig /etc/init/neutron-plugin-linuxbridge-agent.conf.orig
@ -359,7 +373,7 @@ Finalize installation
#. Populate the database: #. Populate the database:
.. code:: console .. code-block:: console
# su -s /bin/sh -c "neutron-db-manage --config-file /etc/neutron/neutron.conf \ # su -s /bin/sh -c "neutron-db-manage --config-file /etc/neutron/neutron.conf \
--config-file /etc/neutron/plugins/ml2/ml2_conf.ini upgrade head" neutron --config-file /etc/neutron/plugins/ml2/ml2_conf.ini upgrade head" neutron
@ -371,7 +385,7 @@ Finalize installation
#. Restart the nova-api service: #. Restart the nova-api service:
.. code:: console .. code-block:: console
# service nova-api restart # service nova-api restart
@ -379,7 +393,7 @@ Finalize installation
For both networking options: For both networking options:
.. code:: console .. code-block:: console
# service neutron-server restart # service neutron-server restart
# service neutron-plugin-linuxbridge-agent restart # service neutron-plugin-linuxbridge-agent restart
@ -388,6 +402,6 @@ Finalize installation
For networking option 2, also restart the layer-3 service: For networking option 2, also restart the layer-3 service:
.. code:: console .. code-block:: console
# service neutron-l3-agent restart # service neutron-l3-agent restart

View File

@ -4,14 +4,14 @@ Verify operation
#. Source the ``admin`` credentials to gain access to admin-only CLI #. Source the ``admin`` credentials to gain access to admin-only CLI
commands: commands:
.. code:: console .. code-block:: console
$ source admin-openrc.sh $ source admin-openrc.sh
#. List loaded extensions to verify successful launch of the #. List loaded extensions to verify successful launch of the
``neutron-server`` process: ``neutron-server`` process:
.. code:: console .. code-block:: console
$ neutron ext-list $ neutron ext-list
+-----------------------+-----------------------------------------------+ +-----------------------+-----------------------------------------------+