Configure network node

Prerequisites

Before you configure OpenStack Networking, you must enable certain
kernel networking functions.

Edit /etc/sysctl.conf to contain the following:

net.ipv4.ip_forward=1
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.default.rp_filter=0

Implement the changes:

# sysctl -p

To install the Networking components

# apt-get install neutron-plugin-ml2 neutron-plugin-openvswitch-agent openvswitch-datapath-dkms \
  neutron-l3-agent neutron-dhcp-agent

# yum install openstack-neutron openstack-neutron-ml2 \
  openstack-neutron-openvswitch

# zypper install openstack-neutron-openvswitch-agent openstack-neutron-l3-agent \
  openstack-neutron-dhcp-agent openstack-neutron-metadata-agent

Ubuntu installations using Linux kernel version 3.11 or newer
do not require the openvswitch-datapath-dkms package.

SUSE does not use a separate ML2 plug-in package.

To configure the Networking common components

The Networking common component configuration includes the
authentication mechanism, message broker, and plug-in.

Respond to prompts for database management, Identity service
credentials, service endpoint registration, and message broker
credentials.

Configure Networking to use the Identity service for authentication:

Replace NEUTRON_PASS with the password you chose for the neutron user
in the Identity service.

# openstack-config --set /etc/neutron/neutron.conf DEFAULT \
  auth_strategy keystone
# openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
  auth_uri http://controller:5000
# openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
  auth_host controller
# openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
  auth_protocol http
# openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
  auth_port 35357
# openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
  admin_tenant_name service
# openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
  admin_user neutron
# openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
  admin_password NEUTRON_PASS

Configure Networking to use the Identity service for
authentication:

Edit the /etc/neutron/neutron.conf file and add the following key to the
[DEFAULT] section:

[DEFAULT]
...
auth_strategy = keystone

Add the following keys to the [keystone_authtoken] section:

Replace NEUTRON_PASS with the password you chose for the neutron user
in the Identity service.

[keystone_authtoken]
...
auth_uri = http://controller:5000
auth_host = controller
auth_protocol = http
auth_port = 35357
admin_tenant_name = service
admin_user = neutron
admin_password = NEUTRON_PASS

Configure Networking to use the message broker:

Replace RABBIT_PASS with the password
you chose for the guest account in RabbitMQ.

# openstack-config --set /etc/neutron/neutron.conf DEFAULT \
  rpc_backend neutron.openstack.common.rpc.impl_kombu
# openstack-config --set /etc/neutron/neutron.conf DEFAULT \
  rabbit_host controller
# openstack-config --set /etc/neutron/neutron.conf DEFAULT \
  rabbit_userid guest
# openstack-config --set /etc/neutron/neutron.conf DEFAULT \
  rabbit_password RABBIT_PASS

Configure Networking to use the message broker:

# openstack-config --set /etc/neutron/neutron.conf DEFAULT \
  rpc_backend neutron.openstack.common.rpc.impl_qpid
# openstack-config --set /etc/neutron/neutron.conf DEFAULT \
  qpid_hostname controller

Configure Networking to use the message broker:

Edit the /etc/neutron/neutron.conf file and add the following keys to the
[DEFAULT] section:

Replace RABBIT_PASS with the password you chose for the guest account in
RabbitMQ.

[DEFAULT]
...
rpc_backend = neutron.openstack.common.rpc.impl_kombu
rabbit_host = controller
rabbit_password = RABBIT_PASS

Configure Networking to use the Modular Layer 2 (ML2) plug-in
and associated services:

# openstack-config --set /etc/neutron/neutron.conf DEFAULT \
  core_plugin ml2
# openstack-config --set /etc/neutron/neutron.conf DEFAULT \
  service_plugins router

We recommend adding verbose = True to the [DEFAULT] section in
/etc/neutron/neutron.conf to assist with troubleshooting.

Configure Networking to use the Modular Layer 2 (ML2) plug-in
and associated services:

Edit the /etc/neutron/neutron.conf file and add the following keys to the
[DEFAULT] section:

[DEFAULT]
...
core_plugin = ml2
service_plugins = router
allow_overlapping_ips = True

We recommend adding verbose = True to the [DEFAULT] section in
/etc/neutron/neutron.conf to assist with troubleshooting.

Comment out any lines in the [service_providers] section.

To configure the Layer-3 (L3) agent

The Layer-3 (L3) agent provides routing
services for instance virtual networks.

Run the following commands:

# openstack-config --set /etc/neutron/l3_agent.ini DEFAULT \
  interface_driver neutron.agent.linux.interface.OVSInterfaceDriver
# openstack-config --set /etc/neutron/l3_agent.ini DEFAULT \
  use_namespaces True

We recommend adding verbose = True to the [DEFAULT] section in
/etc/neutron/l3_agent.ini to assist with troubleshooting.

Edit the /etc/neutron/l3_agent.ini file and add the following keys to the
[DEFAULT] section:

[DEFAULT]
...
interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
use_namespaces = True

We recommend adding verbose = True to the [DEFAULT] section in
/etc/neutron/l3_agent.ini to assist with troubleshooting.

To configure the DHCP agent

The DHCP agent provides
DHCP services for instance virtual networks.

Run the following commands:

# openstack-config --set /etc/neutron/dhcp_agent.ini DEFAULT \
  interface_driver neutron.agent.linux.interface.OVSInterfaceDriver
# openstack-config --set /etc/neutron/dhcp_agent.ini DEFAULT \
  dhcp_driver neutron.agent.linux.dhcp.Dnsmasq
# openstack-config --set /etc/neutron/dhcp_agent.ini DEFAULT \
  use_namespaces True

We recommend adding verbose = True to the [DEFAULT] section in
/etc/neutron/dhcp_agent.ini to assist with troubleshooting.

Edit the /etc/neutron/dhcp_agent.ini file and add the following keys to the
[DEFAULT] section:

[DEFAULT]
...
interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq
use_namespaces = True

We recommend adding verbose = True to the [DEFAULT] section in
/etc/neutron/dhcp_agent.ini to assist with troubleshooting.

To configure the metadata agent

The metadata agent provides configuration
information such as credentials for remote access to instances.

Run the following commands:

Replace NEUTRON_PASS with the password you chose for the neutron user
in the Identity service. Replace METADATA_SECRET with a suitable
secret for the metadata proxy.

# openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT \
  auth_url http://controller:5000/v2.0
# openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT \
  auth_region regionOne
# openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT \
  admin_tenant_name service
# openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT \
  admin_user neutron
# openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT \
  admin_password NEUTRON_PASS
# openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT \
  nova_metadata_ip controller
# openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT \
  metadata_proxy_shared_secret METADATA_SECRET

We recommend adding verbose = True to the [DEFAULT] section in
/etc/neutron/metadata_agent.ini to assist with troubleshooting.

Edit the /etc/neutron/metadata_agent.ini file and add the following keys to the
[DEFAULT] section:

Replace NEUTRON_PASS with the password you chose for the neutron user
in the Identity service. Replace METADATA_SECRET with a suitable
secret for the metadata proxy.

[DEFAULT]
...
auth_url = http://controller:5000/v2.0
auth_region = regionOne
admin_tenant_name = service
admin_user = neutron
admin_password = NEUTRON_PASS
nova_metadata_ip = controller
metadata_proxy_shared_secret = METADATA_SECRET

We recommend adding verbose = True to the [DEFAULT] section in
/etc/neutron/metadata_agent.ini to assist with troubleshooting.

Perform the next two steps on the
controller node.

On the controller node, configure Compute to use the metadata service:

Replace METADATA_SECRET with the secret you chose for the metadata proxy.

# openstack-config --set /etc/nova/nova.conf DEFAULT \
  service_neutron_metadata_proxy true
# openstack-config --set /etc/nova/nova.conf DEFAULT \
  neutron_metadata_proxy_shared_secret METADATA_SECRET

On the controller node, edit the /etc/nova/nova.conf file and add the following
keys to the [DEFAULT] section:

Replace METADATA_SECRET with the secret you chose for the metadata proxy.

[DEFAULT]
...
service_neutron_metadata_proxy = true
neutron_metadata_proxy_shared_secret = METADATA_SECRET

On the controller node, restart the Compute API service:

# service openstack-nova-api restart

# service nova-api restart

To configure the Modular Layer 2 (ML2) plug-in

The ML2 plug-in uses the Open vSwitch (OVS) mechanism (agent) to
build the virtual networking framework for instances.

Run the following commands:

Replace INSTANCE_TUNNELS_INTERFACE_IP_ADDRESS with the IP address of the
instance tunnels network interface on your network node. This guide uses
10.0.1.21 for the IP address of the instance tunnels network interface on
the network node.

# openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini ml2 \
  type_drivers gre
# openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini ml2 \
  tenant_network_types gre
# openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini ml2 \
  mechanism_drivers openvswitch
# openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini ml2_type_gre \
  tunnel_id_ranges 1:1000
# openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini ovs \
  local_ip INSTANCE_TUNNELS_INTERFACE_IP_ADDRESS
# openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini ovs \
  tunnel_type gre
# openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini ovs \
  enable_tunneling True
# openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini securitygroup \
  firewall_driver neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
# openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini securitygroup \
  enable_security_group True

Edit the /etc/neutron/plugins/ml2/ml2_conf.ini file.

Add the following keys to the [ml2] section:

[ml2]
...
type_drivers = gre
tenant_network_types = gre
mechanism_drivers = openvswitch

Add the following keys to the [ml2_type_gre] section:

[ml2_type_gre]
...
tunnel_id_ranges = 1:1000

Add the [ovs] section and the following keys to it:

Replace INSTANCE_TUNNELS_INTERFACE_IP_ADDRESS with the IP address of the
instance tunnels network interface on your network node.

[ovs]
...
local_ip = INSTANCE_TUNNELS_INTERFACE_IP_ADDRESS
tunnel_type = gre
enable_tunneling = True

Add the [securitygroup] section and the following keys to it:

[securitygroup]
...
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
enable_security_group = True

To configure the Open vSwitch (OVS) service

The OVS service provides the underlying virtual networking framework
for instances. The integration bridge br-int handles
internal instance network traffic within OVS. The external bridge
br-ex handles external instance network traffic
within OVS. The external bridge requires a port on the physical external
network interface to provide instances with external network access.
In essence, this port bridges the virtual and physical external
networks in your environment.

Start the OVS service and configure it to start when the system boots:

# service openvswitch start
# chkconfig openvswitch on

Start the OVS service and configure it to start when the system boots:

# service openvswitch-switch start
# chkconfig openvswitch-switch on

Restart the OVS service:

# service openvswitch-switch restart

Restart the OVS service:

# service openvswitch restart

Add the integration bridge:

# ovs-vsctl add-br br-int

Add the external bridge:

# ovs-vsctl add-br br-ex

Add a port to the external bridge that connects to the physical
external network interface:

Replace INTERFACE_NAME with the actual interface name. For example, eth2 or
ens256.

# ovs-vsctl add-port br-ex INTERFACE_NAME

Depending on your network interface driver, you may need to
disable Generic Receive Offload (GRO) to achieve suitable throughput
between your instances and the external network.

To temporarily disable GRO on the external network interface
while testing your environment:

# ethtool -K INTERFACE_NAME gro off

To finalize the installation

The Networking service initialization scripts expect a symbolic
link /etc/neutron/plugin.ini pointing to the
configuration file associated with your chosen plug-in. Using
the ML2 plug-in, for example, the symbolic link must point to
/etc/neutron/plugins/ml2/ml2_conf.ini.
If this symbolic link does not exist, create it using the
following command:

# ln -s plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini

Due to a packaging bug, the Open vSwitch agent initialization
script explicitly looks for the Open vSwitch plug-in configuration
file rather than a symbolic link /etc/neutron/plugin.ini pointing to the ML2
plug-in configuration file. Run the following commands to resolve this
issue:

# cp /etc/init.d/neutron-openvswitch-agent /etc/init.d/neutron-openvswitch-agent.orig
# sed -i 's,plugins/openvswitch/ovs_neutron_plugin.ini,plugin.ini,g' /etc/init.d/neutron-openvswitch-agent

The Networking service initialization scripts expect the variable
NEUTRON_PLUGIN_CONF in the /etc/sysconfig/neutron file to reference the
configuration file associated with your chosen plug-in. Using
ML2, for example, edit the /etc/sysconfig/neutron file and add the
following:

NEUTRON_PLUGIN_CONF="/etc/neutron/plugins/ml2/ml2_conf.ini"

Start the Networking services and configure them to start when
the system boots:

# service neutron-openvswitch-agent start
# service neutron-l3-agent start
# service neutron-dhcp-agent start
# service neutron-metadata-agent start
# chkconfig neutron-openvswitch-agent on
# chkconfig neutron-l3-agent on
# chkconfig neutron-dhcp-agent on
# chkconfig neutron-metadata-agent on

# service openstack-neutron-openvswitch-agent start
# service openstack-neutron-l3-agent start
# service openstack-neutron-dhcp-agent start
# service openstack-neutron-metadata-agent start
# chkconfig openstack-neutron-openvswitch-agent on
# chkconfig openstack-neutron-l3-agent on
# chkconfig openstack-neutron-dhcp-agent on
# chkconfig openstack-neutron-metadata-agent on

Restart the Networking services:

# service neutron-plugin-openvswitch-agent restart
# service neutron-l3-agent restart
# service neutron-dhcp-agent restart
# service neutron-metadata-agent restart
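
A pre-start check for the files edited in the metadata agent, Compute and ML2 steps above, added here as an example and not part of the original guide or of OpenStack. It takes the text of metadata_agent.ini, nova.conf and ml2_conf.ini and reports placeholders from this guide that were left in place, a metadata proxy shared secret that differs between the network node and the controller node, and [securitygroup] keys that are not set as shown above. The function names, the file-name keys and the sample contents are constructed for illustration.

```python
import configparser

# Tokens the guide tells you to replace before any service is started.
PLACEHOLDERS = {"NEUTRON_PASS", "RABBIT_PASS", "METADATA_SECRET",
                "INSTANCE_TUNNELS_INTERFACE_IP_ADDRESS"}

def parse(text):
    """Parse INI text, keeping [DEFAULT] as an ordinary section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   default_section="__unused__")
    cp.read_string(text)
    return cp

def audit(files):
    """files maps a file name to its text; returns a list of findings."""
    cfg = {name: parse(text) for name, text in files.items()}
    found = []
    for name, cp in cfg.items():          # 1. placeholders left in place
        for section in cp.sections():
            for key, value in cp.items(section):
                if value.strip() in PLACEHOLDERS:
                    found.append(f"{name} [{section}] {key}: placeholder not replaced")
    # 2. Both ends of the metadata proxy must hold the same secret.
    agent = cfg["metadata_agent.ini"].get("DEFAULT", "metadata_proxy_shared_secret", fallback="")
    nova = cfg["nova.conf"].get("DEFAULT", "neutron_metadata_proxy_shared_secret", fallback="")
    if not agent or agent != nova:
        found.append("metadata proxy shared secret missing or mismatched")
    if cfg["nova.conf"].get("DEFAULT", "service_neutron_metadata_proxy", fallback="").lower() != "true":
        found.append("nova.conf: service_neutron_metadata_proxy is not true")
    # 3. The guide sets both of these keys in [securitygroup].
    ml2 = cfg["ml2_conf.ini"]
    if ml2.get("securitygroup", "enable_security_group", fallback="").lower() != "true":
        found.append("ml2_conf.ini: enable_security_group is not True")
    if not ml2.get("securitygroup", "firewall_driver", fallback=""):
        found.append("ml2_conf.ini: firewall_driver is not set")
    return found

# Constructed sample contents, not taken from a real deployment.
SAMPLE = {
    "metadata_agent.ini": "[DEFAULT]\nadmin_password = NEUTRON_PASS\n"
                          "metadata_proxy_shared_secret = 5f1c0e\n",
    "nova.conf": "[DEFAULT]\nservice_neutron_metadata_proxy = true\n"
                 "neutron_metadata_proxy_shared_secret = 5f1c0f\n",
    "ml2_conf.ini": "[ovs]\nlocal_ip = 10.0.1.21\n"
                    "[securitygroup]\nenable_security_group = True\n",
}

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

The findings never include the secret values themselves, so the output can be pasted into a ticket or log.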