Before you install and configure OpenStack Networking, you must enable certain kernel networking functions. Edit the /etc/sysctl.conf file and add the following lines: net.ipv4.conf.all.rp_filter=0 net.ipv4.conf.default.rp_filter=0 Implement the changes: # sysctl -p # apt-get install neutron-common neutron-plugin-ml2 neutron-plugin-openvswitch-agent \ openvswitch-datapath-dkms # yum install openstack-neutron-ml2 openstack-neutron-openvswitch # zypper install openstack-neutron-openvswitch-agent Ubuntu installations that use Linux kernel version 3.11 or later do not require the openvswitch-datapath-dkms package. SUSE does not use a separate ML2 plug-in package. The Networking common component configuration includes the authentication mechanism, message broker, and plug-in. Respond to prompts for database management, Identity service credentials, service endpoint registration, and message broker credentials. Configure Networking to use the Identity service for authentication: # openstack-config --set /etc/neutron/neutron.conf DEFAULT \ auth_strategy keystone # openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \ auth_uri http://controller:5000 # openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \ auth_host controller # openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \ auth_protocol http # openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \ auth_port 35357 # openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \ admin_tenant_name service # openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \ admin_user neutron # openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \ admin_password NEUTRON_PASS Replace NEUTRON_PASS with the password you chose for the neutron user in the Identity service. Configure Networking to use the Identity service for authentication: Edit the /etc/neutron/neutron.conf file and add the following key to the [DEFAULT] section: [DEFAULT] ... auth_strategy = keystone Add the following keys to the [keystone_authtoken] section: [keystone_authtoken] ... auth_uri = http://controller:5000 auth_host = controller auth_protocol = http auth_port = 35357 admin_tenant_name = service admin_user = neutron admin_password = NEUTRON_PASS Replace NEUTRON_PASS with the password you chose for the neutron user in the Identity service. Configure Networking to use the message broker: # openstack-config --set /etc/neutron/neutron.conf DEFAULT \ rpc_backend neutron.openstack.common.rpc.impl_kombu # openstack-config --set /etc/neutron/neutron.conf DEFAULT \ rabbit_host controller # openstack-config --set /etc/neutron/neutron.conf DEFAULT \ rabbit_userid guest # openstack-config --set /etc/neutron/neutron.conf DEFAULT \ rabbit_password RABBIT_PASS Replace RABBIT_PASS with the password you chose for the guest account in RabbitMQ. Configure Networking to use the message broker: Edit the /etc/neutron/neutron.conf file and add the following keys to the [DEFAULT] section: Replace RABBIT_PASS with the password you chose for the guest account in RabbitMQ. [DEFAULT] ... rpc_backend = neutron.openstack.common.rpc.impl_kombu rabbit_host = controller rabbit_password = RABBIT_PASS Configure Networking to use the Modular Layer 2 (ML2) plug-in and associated services: # openstack-config --set /etc/neutron/neutron.conf DEFAULT \ core_plugin ml2 # openstack-config --set /etc/neutron/neutron.conf DEFAULT \ service_plugins router To assist with troubleshooting, add verbose = True to the [DEFAULT] section in the /etc/neutron/neutron.conf file. Configure Networking to use the Modular Layer 2 (ML2) plug-in and associated services: Edit the /etc/neutron/neutron.conf file and add the following keys to the [DEFAULT] section: [DEFAULT] ... core_plugin = ml2 service_plugins = router allow_overlapping_ips = True To assist with troubleshooting, add verbose = True to the [DEFAULT] section in the /etc/neutron/neutron.conf file. The ML2 plug-in uses the Open vSwitch (OVS) mechanism (agent) to build the virtual networking framework for instances. Run the following commands: # openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini ml2 \ type_drivers gre # openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini ml2 \ tenant_network_types gre # openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini ml2 \ mechanism_drivers openvswitch # openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini ml2_type_gre \ tunnel_id_ranges 1:1000 # openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini ovs \ local_ip INSTANCE_TUNNELS_INTERFACE_IP_ADDRESS # openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini ovs \ tunnel_type gre # openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini ovs \ enable_tunneling True # openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini securitygroup \ firewall_driver neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver # openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini securitygroup \ enable_security_group True Replace INSTANCE_TUNNELS_INTERFACE_IP_ADDRESS with the IP address of the instance tunnels network interface on your compute node. This guide uses 10.0.1.31 for the IP address of the instance tunnels network interface on the first compute node. Edit the /etc/neutron/plugins/ml2/ml2_conf.ini file and add the following keys to the [ml2] section: [ml2] ... type_drivers = gre tenant_network_types = gre mechanism_drivers = openvswitch Add the following keys to the [ml2_type_gre] section: [ml2_type_gre] ... tunnel_id_ranges = 1:1000 Add the [ovs] section and the following keys to it: Replace INSTANCE_TUNNELS_INTERFACE_IP_ADDRESS with the IP address of the instance tunnels network interface on your compute node. [ovs] ... local_ip = INSTANCE_TUNNELS_INTERFACE_IP_ADDRESS tunnel_type = gre enable_tunneling = True Add the [securitygroup] section and the following keys to it: [securitygroup] ... firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver enable_security_group = True The OVS service provides the underlying virtual networking framework for instances. Start the OVS service and configure it to start when the system boots: # service openvswitch start # chkconfig openvswitch on Start the OVS service and configure it to start when the system boots: # service openvswitch-switch start # chkconfig openvswitch-switch on Restart the OVS service: # service openvswitch-switch restart Restart the OVS service: # service openvswitch restart By default, most distributions configure Compute to use legacy networking. You must reconfigure Compute to manage networks through Networking. Run the following commands: # openstack-config --set /etc/nova/nova.conf DEFAULT \ network_api_class nova.network.neutronv2.api.API # openstack-config --set /etc/nova/nova.conf DEFAULT \ neutron_url http://controller:9696 # openstack-config --set /etc/nova/nova.conf DEFAULT \ neutron_auth_strategy keystone # openstack-config --set /etc/nova/nova.conf DEFAULT \ neutron_admin_tenant_name service # openstack-config --set /etc/nova/nova.conf DEFAULT \ neutron_admin_username neutron # openstack-config --set /etc/nova/nova.conf DEFAULT \ neutron_admin_password NEUTRON_PASS # openstack-config --set /etc/nova/nova.conf DEFAULT \ neutron_admin_auth_url http://controller:35357/v2.0 # openstack-config --set /etc/nova/nova.conf DEFAULT \ linuxnet_interface_driver nova.network.linux_net.LinuxOVSInterfaceDriver # openstack-config --set /etc/nova/nova.conf DEFAULT \ firewall_driver nova.virt.firewall.NoopFirewallDriver # openstack-config --set /etc/nova/nova.conf DEFAULT \ security_group_api neutron Replace NEUTRON_PASS with the password you chose for the neutron user in the Identity service. By default, Compute uses an internal firewall service. Since Networking includes a firewall service, you must disable the Compute firewall service by using the nova.virt.firewall.NoopFirewallDriver firewall driver. Edit the /etc/nova/nova.conf and add the following keys to the [DEFAULT] section: Replace NEUTRON_PASS with the password you chose for the neutron user in the Identity service. [DEFAULT] ... network_api_class = nova.network.neutronv2.api.API neutron_url = http://controller:9696 neutron_auth_strategy = keystone neutron_admin_tenant_name = service neutron_admin_username = neutron neutron_admin_password = NEUTRON_PASS neutron_admin_auth_url = http://controller:35357/v2.0 linuxnet_interface_driver = nova.network.linux_net.LinuxOVSInterfaceDriver firewall_driver = nova.virt.firewall.NoopFirewallDriver security_group_api = neutron By default, Compute uses an internal firewall service. Since Networking includes a firewall service, you must disable the Compute firewall service by using the nova.virt.firewall.NoopFirewallDriver firewall driver. The Networking service initialization scripts expect a symbolic link /etc/neutron/plugin.ini pointing to the configuration file associated with your chosen plug-in. Using the ML2 plug-in, for example, the symbolic link must point to /etc/neutron/plugins/ml2/ml2_conf.ini. If this symbolic link does not exist, create it using the following commands: # ln -s /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini The Networking service initialization scripts expect the variable NEUTRON_PLUGIN_CONF in the /etc/sysconfig/neutron file to reference the configuration file associated with your chosen plug-in. Using ML2, for example, edit the /etc/sysconfig/neutron file and add the following: NEUTRON_PLUGIN_CONF="/etc/neutron/plugins/ml2/ml2_conf.ini" Restart the Compute service: # service openstack-nova-compute restart # service nova-compute restart Start the Open vSwitch (OVS) agent and configure it to start when the system boots: # service openstack-neutron-openvswitch-agent start # chkconfig openstack-neutron-openvswitch-agent on Restart the Open vSwitch (OVS) agent: # service neutron-plugin-openvswitch-agent restart