Configure network node Before you install and configure OpenStack Networking, you must enable certain kernel networking functions. To enable kernel networking functions Edit /etc/sysctl.conf to contain the following: net.ipv4.ip_forward=1 net.ipv4.conf.all.rp_filter=0 net.ipv4.conf.default.rp_filter=0 Implement the changes: # sysctl -p To install the Networking components # apt-get install neutron-plugin-ml2 \ neutron-plugin-openvswitch-agent openvswitch-datapath-dkms \ neutron-l3-agent neutron-dhcp-agent # yum install openstack-neutron openstack-neutron-ml2 \ openstack-neutron-openvswitch # zypper install openstack-neutron-openvswitch-agent openstack-neutron-l3-agent \ openstack-neutron-dhcp-agent openstack-neutron-metadata-agent Ubuntu installations using Linux kernel version 3.11 or newer do not require the openvswitch-datapath-dkms package. SUSE does not use a separate ML2 plug-in package. To configure the Networking common components The Networking common component configuration includes the authentication mechanism, message broker, and plug-in. Respond to prompts for database management, Identity service credentials, service endpoint registration, and message broker credentials. Configure Networking to use the Identity service for authentication: Replace NEUTRON_PASS with the password you chose for the neutron user in the Identity service. # openstack-config --set /etc/neutron/neutron.conf DEFAULT \ auth_strategy keystone # openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \ auth_uri http://controller:5000 # openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \ auth_host controller # openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \ auth_protocol http # openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \ auth_port 35357 # openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \ admin_tenant_name service # openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \ admin_user neutron # openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \ admin_password NEUTRON_PASS Configure Networking to use the Identity service for authentication: Edit the /etc/neutron/neutron.conf file and add the following key to the [DEFAULT] section: [DEFAULT] ... auth_strategy = keystone Add the following keys to the [keystone_authtoken] section: Replace NEUTRON_PASS with the password you chose for the neutron user in the Identity service. [keystone_authtoken] ... auth_uri = http://controller:5000 auth_host = controller auth_protocol = http auth_port = 35357 admin_tenant_name = service admin_user = neutron admin_password = NEUTRON_PASS Configure Networking to use the message broker: Replace RABBIT_PASS with the password you chose for the guest account in RabbitMQ. # openstack-config --set /etc/neutron/neutron.conf DEFAULT \ rpc_backend neutron.openstack.common.rpc.impl_kombu # openstack-config --set /etc/neutron/neutron.conf DEFAULT \ rabbit_host controller # openstack-config --set /etc/neutron/neutron.conf DEFAULT \ rabbit_userid guest # openstack-config --set /etc/neutron/neutron.conf DEFAULT \ rabbit_password RABBIT_PASS Configure Networking to use the message broker: Edit the /etc/neutron/neutron.conf file and add the following keys to the [DEFAULT] section: Replace RABBIT_PASS with the password you chose for the guest account in RabbitMQ. [DEFAULT] ... rpc_backend = neutron.openstack.common.rpc.impl_kombu rabbit_host = controller rabbit_password = RABBIT_PASS Configure Networking to use the Modular Layer 2 (ML2) plug-in and associated services: # openstack-config --set /etc/neutron/neutron.conf DEFAULT \ core_plugin ml2 # openstack-config --set /etc/neutron/neutron.conf DEFAULT \ service_plugins router To assist with troubleshooting, add verbose = True to the [DEFAULT] section in the /etc/neutron/neutron.conf file. Configure Networking to use the Modular Layer 2 (ML2) plug-in and associated services: Edit the /etc/neutron/neutron.conf file and add the following keys to the [DEFAULT] section: [DEFAULT] ... core_plugin = ml2 service_plugins = router allow_overlapping_ips = True To assist with troubleshooting, add verbose = True to the [DEFAULT] section in the /etc/neutron/neutron.conf file. To configure the Layer-3 (L3) agent The Layer-3 (L3) agent provides routing services for instance virtual networks. Run the following commands: # openstack-config --set /etc/neutron/l3_agent.ini DEFAULT \ interface_driver neutron.agent.linux.interface.OVSInterfaceDriver # openstack-config --set /etc/neutron/l3_agent.ini DEFAULT \ use_namespaces True To assist with troubleshooting, add verbose = True to the [DEFAULT] section in the /etc/neutron/l3_agent.ini file. Edit the /etc/neutron/l3_agent.ini file and add the following keys to the [DEFAULT] section: [DEFAULT] ... interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver use_namespaces = True To assist with troubleshooting, add verbose = True to the [DEFAULT] section in the /etc/neutron/l3_agent.ini file. To configure the DHCP agent The DHCP agent provides DHCP services for instance virtual networks. Run the following commands: # openstack-config --set /etc/neutron/dhcp_agent.ini DEFAULT \ interface_driver neutron.agent.linux.interface.OVSInterfaceDriver # openstack-config --set /etc/neutron/dhcp_agent.ini DEFAULT \ dhcp_driver neutron.agent.linux.dhcp.Dnsmasq # openstack-config --set /etc/neutron/dhcp_agent.ini DEFAULT \ use_namespaces True To assist with troubleshooting, add verbose = True to the [DEFAULT] section in the /etc/neutron/dhcp_agent.ini file. Edit the /etc/neutron/dhcp_agent.ini file and add the following keys to the [DEFAULT] section: [DEFAULT] ... interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq use_namespaces = True To assist with troubleshooting, add verbose = True to the [DEFAULT] section in the /etc/neutron/dhcp_agent.ini file. Tunneling protocols such as generic routing encapsulation (GRE) include additional packet headers that increase overhead and decrease space available for the payload or user data. Without knowledge of the virtual network infrastructure, instances attempt to send packets using the default Ethernet maximum transmission unit (MTU) of 1500 bytes. Internet protocol (IP) networks contain the path MTU discovery (PMTUD) mechanism to detect end-to-end MTU and adjust packet size accordingly. However, some operating systems and networks block or otherwise lack support for PMTUD causing performance degradation or connectivity failure. Ideally, you can prevent these problems by enabling jumbo frames on the physical network that contains your tenant virtual networks. Jumbo frames support MTUs up to approximately 9000 bytes which negates the impact of GRE overhead on virtual networks. However, many network devices lack support for jumbo frames and OpenStack administrators often lack control of network infrastructure. Given the latter complications, you can also prevent MTU problems by reducing the instance MTU to account for GRE overhead. Determining the proper MTU value often takes experimentation, but 1454 bytes works in most environments. You can configure the DHCP server that assigns IP addresses to your instances to also adjust the MTU. Some cloud images such as CirrOS ignore the DHCP MTU option. Edit the /etc/neutron/dhcp_agent.ini file and add the following keys to the [DEFAULT] section: [DEFAULT] ... dnsmasq_config_file = /etc/neutron/dnsmasq-neutron.conf Run the following command: # openstack-config --set /etc/neutron/dhcp_agent.ini DEFAULT \ dnsmasq_config_file /etc/neutron/dnsmasq-neutron.conf Create and edit the /etc/neutron/dnsmasq-neutron.conf file and add the following keys: dhcp-option-force=26,1454 Kill any existing dnsmasq processes: # killall dnsmasq To configure the metadata agent The metadata agent provides configuration information such as credentials for remote access to instances. Run the following commands: Replace NEUTRON_PASS with the password you chose for the neutron user in the Identity service. Replace METADATA_SECRET with a suitable secret for the metadata proxy. # openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT \ auth_url http://controller:5000/v2.0 # openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT \ auth_region regionOne # openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT \ admin_tenant_name service # openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT \ admin_user neutron # openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT \ admin_password NEUTRON_PASS # openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT \ nova_metadata_ip controller # openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT \ metadata_proxy_shared_secret METADATA_SECRET To assist with troubleshooting, add verbose = True to the [DEFAULT] section in the /etc/neutron/metadata_agent.ini file. Edit the /etc/neutron/metadata_agent.ini file and add the following keys to the [DEFAULT] section: Replace NEUTRON_PASS with the password you chose for the neutron user in the Identity service. Replace METADATA_SECRET with a suitable secret for the metadata proxy. [DEFAULT] ... auth_url = http://controller:5000/v2.0 auth_region = regionOne admin_tenant_name = service admin_user = neutron admin_password = NEUTRON_PASS nova_metadata_ip = controller metadata_proxy_shared_secret = METADATA_SECRET To assist with troubleshooting, add verbose = True to the [DEFAULT] section in the /etc/neutron/metadata_agent.ini file. Perform the next two steps on the controller node. On the controller node, configure Compute to use the metadata service: Replace METADATA_SECRET with the secret you chose for the metadata proxy. # openstack-config --set /etc/nova/nova.conf DEFAULT \ service_neutron_metadata_proxy true # openstack-config --set /etc/nova/nova.conf DEFAULT \ neutron_metadata_proxy_shared_secret METADATA_SECRET On the controller node, edit the /etc/nova/nova.conf file and add the following keys to the [DEFAULT] section: Replace METADATA_SECRET with the secret you chose for the metadata proxy. [DEFAULT] ... service_neutron_metadata_proxy = true neutron_metadata_proxy_shared_secret = METADATA_SECRET On the controller node, restart the Compute API service: # service openstack-nova-api restart # service nova-api restart To configure the Modular Layer 2 (ML2) plug-in The ML2 plug-in uses the Open vSwitch (OVS) mechanism (agent) to build virtual networking framework for instances. Run the following commands: Replace INSTANCE_TUNNELS_INTERFACE_IP_ADDRESS with the IP address of the instance tunnels network interface on your network node. This guide uses 10.0.1.21 for the IP address of the instance tunnels network interface on the network node. # openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini ml2 \ type_drivers gre # openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini ml2 \ tenant_network_types gre # openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini ml2 \ mechanism_drivers openvswitch # openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini ml2_type_gre \ tunnel_id_ranges 1:1000 # openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini ovs \ local_ip INSTANCE_TUNNELS_INTERFACE_IP_ADDRESS # openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini ovs \ tunnel_type gre # openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini ovs \ enable_tunneling True # openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini securitygroup \ firewall_driver neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver # openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini securitygroup \ enable_security_group True Edit the /etc/neutron/plugins/ml2/ml2_conf.ini file. Add the following keys to the [ml2] section: [ml2] ... type_drivers = gre tenant_network_types = gre mechanism_drivers = openvswitch Add the following keys to the [ml2_type_gre] section: [ml2_type_gre] ... tunnel_id_ranges = 1:1000 Add the [ovs] section and the following keys to it: Replace INSTANCE_TUNNELS_INTERFACE_IP_ADDRESS with the IP address of the instance tunnels network interface on your network node. [ovs] ... local_ip = INSTANCE_TUNNELS_INTERFACE_IP_ADDRESS tunnel_type = gre enable_tunneling = True Add the [securitygroup] section and the following keys to it: [securitygroup] ... firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver enable_security_group = True To configure the Open vSwitch (OVS) service The OVS service provides the underlying virtual networking framework for instances. The integration bridge br-int handles internal instance network traffic within OVS. The external bridge br-ex handles external instance network traffic within OVS. The external bridge requires a port on the physical external network interface to provide instances with external network access. In essence, this port bridges the virtual and physical external networks in your environment. Start the OVS service and configure it to start when the system boots: # service openvswitch start # chkconfig openvswitch on Start the OVS service and configure it to start when the system boots: # service openvswitch-switch start # chkconfig openvswitch-switch on Restart the OVS service: # service openvswitch-switch restart Restart the OVS service: # service openvswitch restart Add the external bridge: # ovs-vsctl add-br br-ex Add a port to the external bridge that connects to the physical external network interface: Replace INTERFACE_NAME with the actual interface name. For example, eth2 or ens256. # ovs-vsctl add-port br-ex INTERFACE_NAME Depending on your network interface driver, you may need to disable Generic Receive Offload (GRO) to achieve suitable throughput between your instances and the external network. To temporarily disable GRO on the external network interface while testing your environment: # ethtool -K INTERFACE_NAME gro off To finalize the installation The Networking service initialization scripts expect a symbolic link /etc/neutron/plugin.ini pointing to the configuration file associated with your chosen plug-in. Using the ML2 plug-in, for example, the symbolic link must point to /etc/neutron/plugins/ml2/ml2_conf.ini. If this symbolic link does not exist, create it using the following commands: # ln -s plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini Due to a packaging bug, the Open vSwitch agent initialization script explicitly looks for the Open vSwitch plug-in configuration file rather than a symbolic link /etc/neutron/plugin.ini pointing to the ML2 plug-in configuration file. Run the following commands to resolve this issue: # cp /etc/init.d/neutron-openvswitch-agent /etc/init.d/neutron-openvswitch-agent.orig # sed -i 's,plugins/openvswitch/ovs_neutron_plugin.ini,plugin.ini,g' /etc/init.d/neutron-openvswitch-agent The Networking service initialization scripts expect the variable NEUTRON_PLUGIN_CONF in the /etc/sysconfig/neutron file to reference the configuration file associated with your chosen plug-in. Using ML2, for example, edit the /etc/sysconfig/neutron file and add the following: NEUTRON_PLUGIN_CONF="/etc/neutron/plugins/ml2/ml2_conf.ini" Start the Networking services and configure them to start when the system boots: # service neutron-openvswitch-agent start # service neutron-l3-agent start # service neutron-dhcp-agent start # service neutron-metadata-agent start # chkconfig neutron-openvswitch-agent on # chkconfig neutron-l3-agent on # chkconfig neutron-dhcp-agent on # chkconfig neutron-metadata-agent on # chkconfig neutron-ovs-cleanup on # service openstack-neutron-openvswitch-agent start # service openstack-neutron-l3-agent start # service openstack-neutron-dhcp-agent start # service openstack-neutron-metadata-agent start # chkconfig openstack-neutron-openvswitch-agent on # chkconfig openstack-neutron-l3-agent on # chkconfig openstack-neutron-dhcp-agent on # chkconfig openstack-neutron-metadata-agent on # chkconfig openstack-neutron-ovs-cleanup on Restart the Networking services: # service neutron-plugin-openvswitch-agent restart # service neutron-l3-agent restart # service neutron-dhcp-agent restart # service neutron-metadata-agent restart