openstack/openstack-manuals
Code Issues Proposed changes

Restructured and updated Neutron network node section

Browse Source 
As part of the installation guide improvement project, I performed
the following operations on the Neutron network node section:

1) Removed modularity since we will only support the ML2 plug-in
   for Icehouse.
2) Added some <procedure> tags to separate content. Future patches
   will add descriptions of each procedure.
3) Unified indentation and spacing.
4) Removed *.ini configuration steps since Icehouse doesn't require
   editing *.ini files.
5) Moved 'auth_uri' key under [keystone_authtoken] section in
   neutron.conf.
6) Removed defunct reference in Neutron use cases section.

This section should continue to work for installations using the Open
vSwitch plug-in for Neutron. Future patches will update the content
to use ML2.

Change-Id: I23e0ba8df56ef3227443b5588ccb51325ec649dd
Partial-Bug: #1291071
Implements: blueprint networking-install-guide-improvements
This commit is contained in:
Matt Kassawara
2014-03-13 08:02:18 -06:00
parent 101dc2b971
commit ba782e5be6
2 changed files with 266 additions and 424 deletions
Download Patch File Download Diff File Expand all files Collapse all files

688
doc/install-guide/section_neutron-network-node.xml
View File

@@ -9,18 +9,14 @@
<note>
<para>Before you start, set up a machine as a dedicated network
node. Dedicated network nodes have a
<replaceable>MGMT_INTERFACE</replaceable> NIC, a
<replaceable>DATA_INTERFACE</replaceable> NIC, and a
<replaceable>EXTERNAL_INTERFACE</replaceable> NIC.</para>
<replaceable>MGMT_INTERFACE</replaceable> NIC, a
<replaceable>DATA_INTERFACE</replaceable> NIC, and a
<replaceable>EXTERNAL_INTERFACE</replaceable> NIC.</para>
<para>The management network handles communication among nodes.
The data network handles communication coming to and from VMs.
The external NIC connects the network node, and optionally to
the controller node, so your VMs can connect to the outside
world.</para>
<para>All NICs must have static IPs. However, the data and
external NICs have a special set up. For details about
Networking plug-ins, see <xref
linkend="install-neutron.install-plug-in"/>.</para>
</note>
<warning os="rhel;centos">
<para>By default, the <literal>system-config-firewall</literal>
@@ -39,6 +35,7 @@
network issues.</para>
</warning>
<procedure>
<title>Install agents and configure common components</title>
<step>
<para>Install the Networking packages and any dependencies.
</para>
@@ -49,18 +46,17 @@
</step>
<step os="debian">
<para>Respond to prompts for <link
linkend="debconf-dbconfig-common">database
management</link>, <link
linkend="debconf-keystone_authtoken"
><literal>[keystone_authtoken]</literal>
linkend="debconf-dbconfig-common">database
management</link>, <link
linkend="debconf-keystone_authtoken"
><literal>[keystone_authtoken]</literal>
settings</link>, <link linkend="debconf-rabbitqm">RabbitMQ
credentials</link> and <link
linkend="debconf-api-endpoints">API endpoint</link>
credentials</link> and <link
linkend="debconf-api-endpoints">API endpoint</link>
registration.</para>
</step>
<step os="rhel;centos;fedora;opensuse;sles">
<para>Configure basic Networking-related services to start at
boot time:</para>
<para>Configure Networking agents to start at boot time:</para>
<screen os="rhel;centos;fedora"><prompt>#</prompt> <userinput>for s in neutron-{dhcp,metadata,l3}-agent; do chkconfig $s on; done</userinput></screen>
<screen os="opensuse;sles"><prompt>#</prompt> <userinput>for s in openstack-neutron-{dhcp,metadata,l3}-agent; do chkconfig $s on; done</userinput></screen>
</step>
@@ -86,32 +82,41 @@ net.ipv4.conf.default.rp_filter=0</programlisting>
</note>
</step>
<step os="rhel;centos;fedora;opensuse;sles">
<para>Configure Networking to use <systemitem class="service">keystone</systemitem> for authentication:</para>
<substeps>
<step>
<para>Set the <literal>auth_strategy</literal>
configuration key to <literal>keystone</literal> in the
<literal>DEFAULT</literal> section of the file:</para>
<screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT auth_strategy keystone</userinput></screen>
</step>
<step>
<para>Set the <systemitem class="service">neutron</systemitem> configuration for
<systemitem class="service">keystone</systemitem> authentication:</para>
<screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
auth_port 35357</userinput>
<para>Configure Networking to use <systemitem class="service">keystone</systemitem> for authentication:</para>
<substeps>
<step>
<para>Set the <literal>auth_strategy</literal>
configuration key to <literal>keystone</literal> in the
<literal>DEFAULT</literal> section of the file:</para>
<screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT auth_strategy keystone</userinput></screen>
</step>
<step>
<para>Set the
<systemitem class="service">neutron</systemitem>
configuration for
<systemitem class="service">keystone</systemitem>
authentication:</para>
<screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
auth_uri http://<replaceable>controller</replaceable>:5000</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
auth_protocol http</userinput>
auth_host <replaceable>controller</replaceable></userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
admin_tenant_name service</userinput>
auth_protocol http</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
admin_user neutron</userinput>
auth_port 35357</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
admin_password <replaceable>NEUTRON_PASS</replaceable></userinput></screen>
admin_tenant_name service</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
admin_user neutron</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
admin_password <replaceable>NEUTRON_PASS</replaceable></userinput></screen>
</step></substeps>
</step>
<step os="ubuntu">
<para>To configure <systemitem class="service">neutron</systemitem> to use <systemitem class="service">keystone</systemitem>
for authentication, edit the <filename>/etc/neutron/neutron.conf</filename>file.</para>
<para>To configure <systemitem class="service">neutron</systemitem>
to use <systemitem class="service">keystone</systemitem>
for authentication, edit the
<filename>/etc/neutron/neutron.conf</filename> file.</para>
<substeps>
<step>
<para>Set the <literal>auth_strategy</literal>
@@ -121,9 +126,12 @@ net.ipv4.conf.default.rp_filter=0</programlisting>
</step>
<step>
<para>Add these lines to the
<literal>keystone_authtoken</literal> section of the
<literal>[keystone_authtoken]</literal> section of the
file:</para>
<programlisting language="ini">auth_host = <replaceable>controller</replaceable>
<programlisting language="ini">[keystone_authtoken]
...
auth_uri = http://<replaceable>controller</replaceable>:5000
auth_host = <replaceable>controller</replaceable>
auth_port = 35357
auth_protocol = http
admin_tenant_name = service
@@ -132,117 +140,221 @@ admin_password = <replaceable>NEUTRON_PASS</replaceable></programlisting>
</step>
</substeps>
</step>
<step os="rhel;centos;fedora">
<para>Set the <literal>root_helper</literal> configuration in the
<literal>[agent]</literal> section of <filename>/etc/neutron/neutron.conf</filename>:</para>
<screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf AGENT \
root_helper "sudo neutron-rootwrap /etc/neutron/rootwrap.conf"</userinput></screen>
</step>
<step os="opensuse;sles">
<para>Configure access to the <application>RabbitMQ</application> service:</para>
<screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
rpc_backend neutron.openstack.common.rpc.impl_kombu</userinput>
<para>Configure access to the <application>RabbitMQ</application> service:</para>
<screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
rpc_backend neutron.openstack.common.rpc.impl_kombu</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
rabbit_host controller</userinput>
rabbit_host <replaceable>controller</replaceable></userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
rabbit_userid guest</userinput>
rabbit_userid guest</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
rabbit_password <replaceable>RABBIT_PASS</replaceable></userinput></screen>
rabbit_password <replaceable>RABBIT_PASS</replaceable></userinput></screen>
</step>
<step os="ubuntu">
<para>Configure the <application>RabbitMQ</application> access. Edit the
<filename>/etc/neutron/neutron.conf</filename> file to
modify the following parameters in the
<literal>DEFAULT</literal> section.</para>
<programlisting language="ini">rabbit_host = controller
<para>Configure the <application>RabbitMQ</application> access.
Edit the <filename>/etc/neutron/neutron.conf</filename> file
to modify the following parameters in the
<literal>DEFAULT</literal> section.</para>
<programlisting language="ini">rabbit_host = <replaceable>controller</replaceable>
rabbit_userid = guest
rabbit_password = <replaceable>RABBIT_PASS</replaceable></programlisting>
</step>
<step os="rhel;centos;fedora">
<para>Configure access to the <application>Qpid</application> message queue:</para>
<screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
rpc_backend neutron.openstack.common.rpc.impl_qpid</userinput>
<screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
rpc_backend neutron.openstack.common.rpc.impl_qpid</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
qpid_hostname <replaceable>controller</replaceable></userinput>
qpid_hostname <replaceable>controller</replaceable></userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
qpid_port 5672</userinput>
qpid_port 5672</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
qpid_username <replaceable>guest</replaceable></userinput>
qpid_username <replaceable>guest</replaceable></userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
qpid_password <replaceable>guest</replaceable></userinput></screen>
</step>
<step os="rhel;centos;fedora;opensuse;sles">
<para>Configure Networking to connect to the database:</para>
<screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf database connection \
mysql://neutron:<replaceable>NEUTRON_DBPASS</replaceable>@controller/neutron</userinput></screen>
</step>
<step os="ubuntu">
<para>Configure Networking to connect to the database. Edit
the <literal>[database]</literal> section in the same file,
as follows:</para>
<programlisting language="ini">[database]
connection = mysql://neutron:<replaceable>NEUTRON_DBPASS</replaceable>@<replaceable>controller</replaceable>/neutron</programlisting>
</step>
<step os="rhel;centos;fedora;opensuse;sles">
<para>Configure the <filename>/etc/neutron/api-paste.ini</filename> file for <systemitem class="service">keystone</systemitem>
authentication:</para>
<screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/api-paste.ini filter:authtoken \
paste.filter_factory keystoneclient.middleware.auth_token:filter_factory</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/api-paste.ini filter:authtoken \
auth_host <replaceable>controller</replaceable></userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/api-paste.ini filter:authtoken \
auth_uri http://<replaceable>controller</replaceable>:5000</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/api-paste.ini filter:authtoken \
admin_tenant_name service</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/api-paste.ini filter:authtoken \
admin_user neutron</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/api-paste.ini filter:authtoken \
admin_password <replaceable>NEUTRON_PASS</replaceable></userinput></screen>
</step>
<step os="ubuntu">
<para>Edit the <filename>/etc/neutron/api-paste.ini</filename>
file and add these lines to the
<literal>[filter:authtoken]</literal> section:</para>
<programlisting language="ini">[filter:authtoken]
paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
auth_host = <replaceable>controller</replaceable>
auth_uri = http://<replaceable>controller</replaceable>:5000
admin_tenant_name = service
admin_user = neutron
admin_password = <replaceable>NEUTRON_PASS</replaceable></programlisting>
<warning>
<para><literal>keystoneclient.middleware.auth_token</literal>:
You must configure <literal>auth_uri</literal> to point to
the public identity endpoint. Otherwise, clients might not
be able to authenticate against an admin endpoint.</para>
</warning>
</step>
<step os="debian">
<para>Configure your network plug-in. For instructions, see
<link linkend="install-neutron.install-plug-in"
>instructions</link>. Then, return here.</para>
</step>
<step os="rhel;centos;fedora;opensuse;sles;ubuntu">
<para>Install and configure a networking plug-in. OpenStack
Networking uses this plug-in to perform software-defined
networking. See <xref linkend="install-neutron.install-plug-in"/>
for further details. Then, return here when finished.</para>
qpid_password <replaceable>guest</replaceable></userinput></screen>
</step>
</procedure>
<para>Now that you've installed and configured a plug-in, it is time to configure
the remaining parts of OpenStack Networking.</para>
<procedure>
<title>Install and configure Open vSwitch (OVS) plug-in</title>
<para>OpenStack Networking supports a variety of plug-ins. For
simplicity, we chose to cover the most common plug-in, Open
vSwitch, and configure it to use basic GRE tunnels for tenant
network traffic.</para>
<step>
<para>Install the Open vSwitch plug-in and its
dependencies:</para>
<screen os="ubuntu;debian"><prompt>#</prompt> <userinput>apt-get install neutron-plugin-openvswitch-agent openvswitch-datapath-dkms</userinput></screen>
<screen os="rhel;fedora;centos"><prompt>#</prompt> <userinput>yum install openstack-neutron-openvswitch</userinput></screen>
<screen os="opensuse;sles"><prompt>#</prompt> <userinput>zypper install openstack-neutron-openvswitch-agent</userinput></screen>
</step>
<step>
<para>Start Open vSwitch:</para>
<screen os="debian;rhel;fedora;centos"><prompt>#</prompt> <userinput>service openvswitch start</userinput></screen>
<screen os="opensuse;sles"><prompt>#</prompt> <userinput>service openvswitch-switch start</userinput></screen>
<screen os="ubuntu"><prompt>#</prompt> <userinput>service openvswitch-switch restart</userinput></screen>
<para os="rhel;fedora;centos;opensuse;sles">And configure
it to start when the system boots:</para>
<screen os="rhel;fedora;centos"><prompt>#</prompt> <userinput>chkconfig openvswitch on</userinput></screen>
<screen os="opensuse;sles"><prompt>#</prompt> <userinput>chkconfig openvswitch-switch on</userinput></screen>
</step>
<step>
<para>No matter which networking technology you use, you
must add the <literal>br-int</literal> integration
bridge, which connects to the VMs, and the
<literal>br-ex</literal> external bridge, which
connects to the outside world.</para>
<screen><prompt>#</prompt> <userinput>ovs-vsctl add-br br-int</userinput>
<prompt>#</prompt> <userinput>ovs-vsctl add-br br-ex</userinput></screen>
</step>
<step>
<para>Add a <glossterm>port</glossterm> (connection) from
the <replaceable>EXTERNAL_INTERFACE</replaceable>
interface to <literal>br-ex</literal> interface:</para>
<screen><prompt>#</prompt> <userinput>ovs-vsctl add-port br-ex <replaceable>EXTERNAL_INTERFACE</replaceable></userinput></screen>
<warning>
<para>The host must have an IP address associated
with an interface other than
<replaceable>EXTERNAL_INTERFACE</replaceable>,
and your remote terminal session must be associated with
this other IP address.</para>
<para>If you associate an IP address with
<replaceable>EXTERNAL_INTERFACE</replaceable>,
that IP address stops working after you issue the
<command>ovs-vsctl add-port br-ex <replaceable>EXTERNAL_INTERFACE</replaceable></command>
command. If you associate a remote terminal session with that
IP address, you lose connectivity with the host.</para>
<para>For more details about this behavior, see the
<emphasis>Configuration Problems</emphasis> section of the
<link xlink:href="http://git.openvswitch.org/cgi-bin/gitweb.cgi?p=openvswitch;a=blob_plain;f=FAQ;hb=HEAD">Open vSwitch FAQ</link>.</para>
</warning>
</step>
<step>
<para>Configure the
<replaceable>EXTERNAL_INTERFACE</replaceable> without
an IP address and in promiscuous mode. Additionally, you
must set the newly created <literal>br-ex</literal>
interface to have the IP address that formerly belonged
to <replaceable>EXTERNAL_INTERFACE</replaceable>.</para>
<warning os="ubuntu">
<para>Generic Receive Offload (GRO) should not be
enabled on this interface as it can cause severe
performance problems. It can be disabled with the
ethtool utility.</para>
</warning>
<para os="rhel;fedora;centos">Edit the
<filename>/etc/sysconfig/network-scripts/ifcfg-EXTERNAL_INTERFACE</filename>
file:</para>
<programlisting language="ini" os="rhel;fedora;centos">DEVICE_INFO_HERE
ONBOOT=yes
BOOTPROTO=none
PROMISC=yes</programlisting>
</step>
<step os="rhel;fedora;centos">
<para>Create and edit the
<filename>/etc/sysconfig/network-scripts/ifcfg-br-ex</filename>
file:</para>
<programlisting language="ini">DEVICE=br-ex
TYPE=Bridge
ONBOOT=no
BOOTPROTO=none
IPADDR=EXTERNAL_INTERFACE_IP
NETMASK=EXTERNAL_INTERFACE_NETMASK
GATEWAY=EXTERNAL_INTERFACE_GATEWAY</programlisting>
</step>
<step>
<para>You must set some common configuration options no
matter which networking technology you choose to use
with Open vSwitch. Configure the L3 and DHCP agents to
use <acronym>OVS</acronym> and namespaces. Edit the
<filename>/etc/neutron/l3_agent.ini</filename> and
<filename>/etc/neutron/dhcp_agent.ini</filename>
files, respectively:</para>
<programlisting language="ini">interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
use_namespaces = True</programlisting>
<note>
<para>While the examples in this guide enable network
namespaces by default, you can disable them if issues
occur or your kernel does not support them. Edit the
<filename>/etc/neutron/l3_agent.ini</filename> and
<filename>/etc/neutron/dhcp_agent.ini</filename>
files, respectively:</para>
<programlisting language="ini">use_namespaces = False</programlisting>
<para>Edit the <filename>/etc/neutron/neutron.conf</filename> file
to disable overlapping IP addresses:</para>
<programlisting language="ini">allow_overlapping_ips = False</programlisting>
<para>Note that when network namespaces are disabled,
you can have only one router for each network node and
overlapping IP addresses are not supported.</para>
<para>You must complete additional steps after you
create the initial Neutron virtual networks and
router.</para>
</note>
</step>
<step os="rhel;centos;fedora;opensuse;sles;ubuntu">
<para>Similarly, you must also tell Neutron core to use
<acronym>OVS</acronym>. Edit the
<filename>/etc/neutron/neutron.conf</filename>
file:</para>
<programlisting language="ini">core_plugin = neutron.plugins.openvswitch.ovs_neutron_plugin.OVSNeutronPluginV2</programlisting>
</step>
<step>
<para>Configure a firewall plug-in. If you do not wish to
enforce firewall rules, called <glossterm
baseform="security group">security groups</glossterm>
by OpenStack, you can use
<literal>neutron.agent.firewall.NoopFirewall</literal>.
Otherwise, you can choose one of the Networking firewall
plug-ins. The most common choice is the Hybrid
OVS-IPTables driver, but you can also use the
Firewall-as-a-Service driver. Edit the
<filename>/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini</filename>
file:</para>
<programlisting language="ini">[securitygroup]
# Firewall driver for realizing neutron security group function.
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver</programlisting>
<warning>
<para>You must use at least the No-Op firewall.
Otherwise, Horizon and other OpenStack services cannot
get and set required VM boot options.</para>
</warning>
</step>
<step os="rhel;centos;fedora;sles;opensuse">
<para>Configure the <acronym>OVS</acronym> plug-in to start
on boot.</para>
<screen os="fedora;centos;rhel"><prompt>#</prompt> <userinput>chkconfig neutron-openvswitch-agent on</userinput></screen>
<screen os="sles;opensuse"><prompt>#</prompt> <userinput>chkconfig openstack-neutron-openvswitch-agent on</userinput></screen>
</step>
<step>
<para>Configure the <acronym>OVS</acronym> plug-in to
use GRE tunneling, the <literal>br-int</literal>
integration bridge, the <literal>br-tun</literal>
tunneling bridge, and a local IP for the
<replaceable>DATA_INTERFACE</replaceable> tunnel IP.
Edit the
<filename>/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini</filename>
file:</para>
<programlisting language="ini">[ovs]
...
tenant_network_type = gre
tunnel_id_ranges = 1:1000
enable_tunneling = True
integration_bridge = br-int
tunnel_bridge = br-tun
local_ip = DATA_INTERFACE_IP</programlisting>
</step>
</procedure>
<procedure>
<title>Configure the agents</title>
<step>
<para>To perform DHCP on the software-defined networks,
Networking supports several different plug-ins. However, in
general, you use the <application>dnsmasq</application> plug-in.</para>
<para>Configure the
<filename>/etc/neutron/dhcp_agent.ini</filename>
file:</para>
<filename>/etc/neutron/dhcp_agent.ini</filename> file:</para>
<programlisting language="ini" os="ubuntu;debian">dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq</programlisting>
<screen os="rhel;centos;fedora;opensuse;sles">
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/dhcp_agent.ini DEFAULT \
dhcp_driver neutron.agent.linux.dhcp.Dnsmasq</userinput></screen>
dhcp_driver neutron.agent.linux.dhcp.Dnsmasq</userinput></screen>
</step>
<step>
<para>To allow virtual machines to access the Compute metadata
@@ -250,54 +362,56 @@ admin_password = <replaceable>NEUTRON_PASS</replaceable></programlisting>
and configured. The agent will act as a proxy for the
Compute metadata service.</para>
<para>On the controller, edit the
<filename>/etc/nova/nova.conf</filename> file to define a
<filename>/etc/nova/nova.conf</filename> file to define a
secret key that will be shared between the Compute Service
and the Networking metadata agent.</para>
<para os="debian;ubuntu">Add to the
<literal>[DEFAULT]</literal> section:</para>
<literal>[DEFAULT]</literal> section:</para>
<programlisting os="ubuntu;debian" language="ini">[DEFAULT]
...
neutron_metadata_proxy_shared_secret = <replaceable>METADATA_PASS</replaceable>
service_neutron_metadata_proxy = true</programlisting>
<para os="opensuse;sles;rhel;centos;fedora">Set the
<literal>neutron_metadata_proxy_shared_secret</literal>
<literal>neutron_metadata_proxy_shared_secret</literal>
key:</para>
<screen os="opensuse;sles;rhel;centos;fedora"><prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
neutron_metadata_proxy_shared_secret <replaceable>METADATA_PASS</replaceable></userinput>
neutron_metadata_proxy_shared_secret <replaceable>METADATA_PASS</replaceable></userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
service_neutron_metadata_proxy true</userinput></screen>
<para>Restart the <systemitem class="service"
>nova-api</systemitem> service:</para>
service_neutron_metadata_proxy true</userinput></screen>
<para>Restart the
<systemitem class="service">nova-api</systemitem> service:</para>
<screen os="debian;ubuntu"><prompt>#</prompt> <userinput>service nova-api restart</userinput></screen>
<screen os="centos;rhel;fedora;opensuse;sles"><prompt>#</prompt> <userinput>service openstack-nova-api restart</userinput></screen>
<para>On the network node, modify the metadata agent
configuration.</para>
<para os="debian;ubuntu">Edit the
<filename>/etc/neutron/metadata_agent.ini</filename> file
<filename>/etc/neutron/metadata_agent.ini</filename> file
and modify the <literal>[DEFAULT]</literal> section:</para>
<programlisting os="debian;ubuntu" language="ini">[DEFAULT]
auth_url = http://controller:5000/v2.0
...
auth_url = http://<replaceable>controller</replaceable>:5000/v2.0
auth_region = regionOne
admin_tenant_name = service
admin_user = neutron
admin_password = <replaceable>NEUTRON_PASS</replaceable>
nova_metadata_ip = controller
nova_metadata_ip = <replaceable>controller</replaceable>
metadata_proxy_shared_secret = <replaceable>METADATA_PASS</replaceable></programlisting>
<para os="opensuse;sles;rhel;centos;fedora">Set the required
keys:</para>
<screen os="opensuse;sles;rhel;centos;fedora"><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT \
auth_url http://controller:5000/v2.0</userinput>
auth_url http://<replaceable>controller</replaceable>:5000/v2.0</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT \
auth_region regionOne</userinput>
auth_region regionOne</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT \
admin_tenant_name service</userinput>
admin_tenant_name service</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT \
admin_user neutron</userinput>
admin_user neutron</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT \
admin_password <replaceable>NEUTRON_PASS</replaceable></userinput>
admin_password <replaceable>NEUTRON_PASS</replaceable></userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT \
nova_metadata_ip controller</userinput>
nova_metadata_ip <replaceable>controller</replaceable></userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT \
metadata_proxy_shared_secret <replaceable>METADATA_PASS</replaceable></userinput></screen>
metadata_proxy_shared_secret <replaceable>METADATA_PASS</replaceable></userinput></screen>
<note>
<para>The value of <literal>auth_region</literal> is
case-sensitive and must match the endpoint region defined
@@ -308,14 +422,17 @@ metadata_proxy_shared_secret = <replaceable>METADATA_PASS</replaceable></program
self-signed certificates, you must perform additional configuration
for the metadata agent because Networking cannot validate the SSL
certificates from the service catalog.</para>
<para os="debian;ubuntu">Add this statement to the <literal>[DEFAULT]</literal> section:</para>
<para os="debian;ubuntu">Add this statement to the
<literal>[DEFAULT]</literal> section:</para>
<programlisting os="debian;ubuntu" language="ini">
neutron_insecure = True
</programlisting>
neutron_insecure = True</programlisting>
<para os="opensuse;sles;rhel;centos;fedora">Set the required keys:</para>
<screen os="opensuse;sles;rhel;centos;fedora"><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT neutron_insecure True</userinput></screen>
</note>
</step>
</procedure>
<procedure>
<title>Finalize installation</title>
<step os="rhel;centos;fedora">
<para>The <systemitem class="service">neutron-server</systemitem>
initialization script expects a symbolic link
@@ -343,293 +460,16 @@ neutron_insecure = True
<para>Restart Networking services.</para>
<screen os="ubuntu;debian"><prompt>#</prompt> <userinput>service neutron-dhcp-agent restart</userinput>
<prompt>#</prompt> <userinput>service neutron-l3-agent restart</userinput>
<prompt>#</prompt> <userinput>service neutron-metadata-agent restart</userinput></screen>
<prompt>#</prompt> <userinput>service neutron-metadata-agent restart</userinput>
<prompt>#</prompt> <userinput>service neutron-plugin-openvswitch-agent restart</userinput></screen>
<screen os="rhel;centos;fedora"><prompt>#</prompt> <userinput>service neutron-dhcp-agent restart</userinput>
<prompt>#</prompt> <userinput>service neutron-l3-agent restart</userinput>
<prompt>#</prompt> <userinput>service neutron-metadata-agent restart</userinput></screen>
<prompt>#</prompt> <userinput>service neutron-metadata-agent restart</userinput>
<prompt>#</prompt> <userinput>service neutron-openvswitch-agent restart</userinput></screen>
<screen os="sles;opensuse"><prompt>#</prompt> <userinput>service openstack-neutron-dhcp-agent restart</userinput>
<prompt>#</prompt> <userinput>service openstack-neutron-l3-agent restart</userinput>
<prompt>#</prompt> <userinput>service openstack-neutron-metadata-agent restart</userinput></screen>
<para>Also restart your chosen Networking plug-in agent, for example, Open vSwitch.</para>
<screen os="ubuntu;debian"><prompt>#</prompt> <userinput>service neutron-plugin-openvswitch-agent restart</userinput></screen>
<screen os="rhel;centos;fedora"><prompt>#</prompt> <userinput>service neutron-openvswitch-agent restart</userinput></screen>
<screen os="sles;opensuse"><prompt>#</prompt> <userinput>service openstack-neutron-openvswitch-agent restart</userinput></screen>
<prompt>#</prompt> <userinput>service openstack-neutron-metadata-agent restart</userinput>
<prompt>#</prompt> <userinput>service openstack-neutron-openvswitch-agent restart</userinput></screen>
</step>
<!-- FIXME
<step>
<para>After you configure the <link
linkend="install-neutron.dedicated-compute-node"
>compute</link> and <link
linkend="install-neutron.dedicated-controller-node"
>controller</link> nodes, <link
linkend="install-neutron.configure-networks">configure the
base networks</link>.</para>
</step>
-->
</procedure>
<section xml:id="install-neutron.install-plug-in">
<title>Install and configure the Networking plug-ins</title>
<section xml:id="install-neutron.install-plug-in.ovs">
<title>Install the Open vSwitch (OVS) plug-in</title>
<procedure>
<step>
<para>Install the Open vSwitch plug-in and its
dependencies:</para>
<screen os="ubuntu;debian"><prompt>#</prompt> <userinput>apt-get install neutron-plugin-openvswitch-agent</userinput></screen>
<screen os="rhel;fedora;centos"><prompt>#</prompt> <userinput>yum install openstack-neutron-openvswitch</userinput></screen>
<screen os="opensuse;sles"><prompt>#</prompt> <userinput>zypper install openstack-neutron-openvswitch-agent</userinput></screen>
<note os="ubuntu">
<para>On Ubuntu 12.04 LTS with GRE you must install
openvswitch-datapath-dkms and restart the service to
enable the GRE flow so that OVS 1.10 and higher is
used. Make sure you are running the OVS 1.10 kernel
module in addition to the OVS 1.10 user space. Both
the kernel module and user space are required for
VXLAN support. The error you see in the
<filename>/var/log/openvswitchovs-vswitchd.log</filename>
log file is "Stderr: 'ovs-ofctl: -1: negative values
not supported for in_port\n'". If you see this error,
make sure <command>modinfo openvswitch</command> shows
the right version. Also check the output from
<command>dmesg</command> for the version of the OVS
module being loaded.</para>
</note>
</step>
<step>
<para>Start Open vSwitch:</para>
<screen os="debian;rhel;fedora;centos"><prompt>#</prompt> <userinput>service openvswitch start</userinput></screen>
<screen os="opensuse;sles"><prompt>#</prompt> <userinput>service openvswitch-switch start</userinput></screen>
<screen os="ubuntu"><prompt>#</prompt> <userinput>service openvswitch-switch restart</userinput></screen>
<para os="rhel;fedora;centos;opensuse;sles">And configure
it to start when the system boots:</para>
<screen os="rhel;fedora;centos"><prompt>#</prompt> <userinput>chkconfig openvswitch on</userinput></screen>
<screen os="opensuse;sles"><prompt>#</prompt> <userinput>chkconfig openvswitch-switch on</userinput></screen>
</step>
<step>
<para>No matter which networking technology you use, you
must add the <literal>br-int</literal> integration
bridge, which connects to the VMs, and the
<literal>br-ex</literal> external bridge, which
connects to the outside world.</para>
<screen><prompt>#</prompt> <userinput>ovs-vsctl add-br br-int</userinput>
<prompt>#</prompt> <userinput>ovs-vsctl add-br br-ex</userinput></screen>
</step>
<step>
<para>Add a <glossterm>port</glossterm> (connection) from
the <replaceable>EXTERNAL_INTERFACE</replaceable>
interface to <literal>br-ex</literal> interface:</para>
<screen><prompt>#</prompt> <userinput>ovs-vsctl add-port br-ex <replaceable>EXTERNAL_INTERFACE</replaceable></userinput></screen>
<warning>
<para>The host must have an IP address associated
with an interface other than <replaceable>EXTERNAL_INTERFACE</replaceable>,
and your remote terminal session must be associated with this other
IP address.</para>
<para>If you associate an IP address with <replaceable>EXTERNAL_INTERFACE</replaceable>,
that IP address stops working after you issue the <command>ovs-vsctl add-port br-ex <replaceable>EXTERNAL_INTERFACE</replaceable></command> command.
If you associate a remote terminal session with that
IP address, you lose connectivity with the host.</para>
<para>For more details about this behavior, see the
<emphasis>Configuration Problems</emphasis> section of the
<link xlink:href="http://git.openvswitch.org/cgi-bin/gitweb.cgi?p=openvswitch;a=blob_plain;f=FAQ;hb=HEAD">Open vSwitch FAQ</link>.
</para>
</warning>
</step>
<step>
<para>Configure the
<replaceable>EXTERNAL_INTERFACE</replaceable> without
an IP address and in promiscuous mode. Additionally, you
must set the newly created <literal>br-ex</literal>
interface to have the IP address that formerly belonged
to <replaceable>EXTERNAL_INTERFACE</replaceable>.</para>
<warning os="ubuntu">
<para>Generic Receive Offload (GRO) should not be
enabled on this interface as it can cause severe
performance problems. It can be disabled with the
ethtool utility.</para>
</warning>
<para os="rhel;fedora;centos">Edit the
<filename>/etc/sysconfig/network-scripts/ifcfg-EXTERNAL_INTERFACE</filename>
file:</para>
<programlisting language="ini" os="rhel;fedora;centos">DEVICE_INFO_HERE
ONBOOT=yes
BOOTPROTO=none
PROMISC=yes</programlisting>
</step>
<step os="rhel;fedora;centos">
<para>Create and edit the
<filename>/etc/sysconfig/network-scripts/ifcfg-br-ex</filename>
file:</para>
<programlisting language="ini">DEVICE=br-ex
TYPE=Bridge
ONBOOT=no
BOOTPROTO=none
IPADDR=EXTERNAL_INTERFACE_IP
NETMASK=EXTERNAL_INTERFACE_NETMASK
GATEWAY=EXTERNAL_INTERFACE_GATEWAY</programlisting>
</step>
<!-- TODO(sross): support other distros -->
<step>
<para>You must set some common configuration options no
matter which networking technology you choose to use
with Open vSwitch. Configure the L3 and DHCP agents to
use <acronym>OVS</acronym> and namespaces. Edit the
<filename>/etc/neutron/l3_agent.ini</filename> and
<filename>/etc/neutron/dhcp_agent.ini</filename>
files, respectively:</para>
<programlisting language="ini">interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
use_namespaces = True</programlisting>
</step>
<step os="rhel;centos;fedora;opensuse;sles;ubuntu">
<para>Similarly, you must also tell Neutron core to use
<acronym>OVS</acronym>. Edit the
<filename>/etc/neutron/neutron.conf</filename>
file:</para>
<programlisting language="ini">core_plugin = neutron.plugins.openvswitch.ovs_neutron_plugin.OVSNeutronPluginV2</programlisting>
</step>
<step>
<para>Choose a networking technology to create the virtual
networks. Neutron supports GRE tunneling, VLANs, and
VXLANs. This guide shows how to configure GRE tunneling
and VLANs.</para>
<para>
<link linkend="install-neutron.install-plug-in.ovs.gre"
>GRE tunneling</link> is simpler to set up because it
does not require any special configuration from any
physical network hardware. However, its protocol makes
it difficult to filter traffic on the physical network.
Additionally, this configuration does not use
namespaces. You can have only one router for each
network node. However, you can enable namespacing as
described in the section detailing
how to use VLANs with <acronym>OVS</acronym>.</para>
<para>On the other hand, <link
linkend="install-neutron.install-plug-in.ovs.vlan"
>VLAN tagging</link> modifies the ethernet header of
packets. You can filter packets on the physical network
through normal methods. However, not all NICs handle the
increased packet size of VLAN-tagged packets well, and
you might need to complete additional configuration on
physical network hardware to ensure that your Neutron
VLANs do not interfere with any other VLANs on your
network and that any physical network hardware between
nodes does not strip VLAN tags.</para>
<note>
<para>While the examples in this guide enable network
namespaces by default, you can disable them if issues
occur or your kernel does not support them. Edit the
<filename>/etc/neutron/l3_agent.ini</filename> and
<filename>/etc/neutron/dhcp_agent.ini</filename>
files, respectively:</para>
<programlisting language="ini">use_namespaces = False</programlisting>
<para>Edit the
<filename>/etc/neutron/neutron.conf</filename> file
to disable overlapping IP addresses:</para>
<programlisting language="ini">allow_overlapping_ips = False</programlisting>
<para>Note that when network namespaces are disabled,
you can have only one router for each network node and
overlapping IP addresses are not supported.</para>
<para>You must complete additional steps after you
create the initial Neutron virtual networks and
router.</para>
</note>
</step>
<!-- TODO(sross): support provider networks? you need to modify things above for this to work -->
<step>
<para>Configure a firewall plug-in. If you do not wish to
enforce firewall rules, called <glossterm
baseform="security group">security groups</glossterm>
by OpenStack, you can use
<literal>neutron.agent.firewall.NoopFirewall</literal>.
Otherwise, you can choose one of the Networking firewall
plug-ins. The most common choice is the Hybrid
OVS-IPTables driver, but you can also use the
Firewall-as-a-Service driver. Edit the
<filename>/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini</filename>
file:</para>
<programlisting language="ini">[securitygroup]
# Firewall driver for realizing neutron security group function.
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver</programlisting>
<warning>
<para>You must use at least the No-Op firewall.
Otherwise, Horizon and other OpenStack services cannot
get and set required VM boot options.</para>
</warning>
</step>
<!-- TODO(sross): document other firewall options -->
<step os="rhel;centos;fedora;sles;opensuse">
<para>Configure the <acronym>OVS</acronym> plug-in to start
on boot.</para>
<screen os="fedora;centos;rhel"><prompt>#</prompt> <userinput>chkconfig neutron-openvswitch-agent on</userinput></screen>
<screen os="sles;opensuse"><prompt>#</prompt> <userinput>chkconfig openstack-neutron-openvswitch-agent on</userinput></screen>
</step>
<step>
<para>Now, return to the general <acronym>OVS</acronym>
instructions.</para>
</step>
</procedure>
<section xml:id="install-neutron.install-plug-in.ovs.gre">
<title>Configure the Neutron <acronym>OVS</acronym> plug-in
for GRE tunneling</title>
<procedure>
<step>
<para>Configure the <acronym>OVS</acronym> plug-in to
use GRE tunneling, the <literal>br-int</literal>
integration bridge, the <literal>br-tun</literal>
tunneling bridge, and a local IP for the
<replaceable>DATA_INTERFACE</replaceable> tunnel IP.
Edit the
<filename>/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini</filename>
file:</para>
<programlisting language="ini">[ovs]
tenant_network_type = gre
tunnel_id_ranges = 1:1000
enable_tunneling = True
integration_bridge = br-int
tunnel_bridge = br-tun
local_ip = DATA_INTERFACE_IP</programlisting>
</step>
<step>
<para>Return to the general <acronym>OVS</acronym>
instructions.</para>
</step>
</procedure>
</section>
<section xml:id="install-neutron.install-plug-in.ovs.vlan">
<title>Configure the Neutron <acronym>OVS</acronym> plug-in
for VLANs</title>
<procedure>
<step>
<para>Configure <acronym>OVS</acronym> to use VLANS.
Edit the
<filename>/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini</filename>
file:</para>
<programlisting language="ini">[ovs]
tenant_network_type = vlan
network_vlan_ranges = physnet1:1:4094
bridge_mappings = physnet1:br-DATA_INTERFACE</programlisting>
</step>
<step>
<para>Create the bridge for
<replaceable>DATA_INTERFACE</replaceable> and add
<replaceable>DATA_INTERFACE</replaceable> to
it:</para>
<screen><prompt>#</prompt> <userinput>ovs-vsctl add-br br-DATA_INTERFACE</userinput>
<prompt>#</prompt> <userinput>ovs-vsctl add-port br-DATA_INTERFACE DATA_INTERFACE</userinput></screen>
</step>
<step>
<para>Transfer the IP address for
<replaceable>DATA_INTERFACE</replaceable> to the
bridge in the same way that you transferred the
<replaceable>EXTERNAL_INTERFACE</replaceable> IP
address to <literal>br-ex</literal>. However, do not
turn on promiscuous mode.</para>
</step>
<step>
<para>Return to the <acronym>OVS</acronym> general
instruction.</para>
</step>
</procedure>
</section>
</section>
</section>
</section>

2
doc/install-guide/section_neutron-single-flat.xml
View File

@@ -313,9 +313,11 @@ neutron_url=http://<replaceable>controller</replaceable>:9696/</programlisting>
<listitem>
<para>Install and start Open vSwitch.
Then, configure <systemitem class="service">neutron</systemitem> accordingly.</para>
<!--
<para>
See <xref linkend="install-neutron.install-plug-in"/>
for detailed instructions.</para>
-->
</listitem>
<listitem>
<para>Add the integration bridge to Open