Configure network node

Before you install and configure OpenStack Networking, you must enable certain kernel networking functions.

To enable kernel networking functions

Edit /etc/sysctl.conf to contain the following:

net.ipv4.ip_forward=1
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.default.rp_filter=0

Implement the changes:

# sysctl -p

To install the Networking components

# apt-get install neutron-plugin-ml2 \
  neutron-plugin-openvswitch-agent openvswitch-datapath-dkms \
  neutron-l3-agent neutron-dhcp-agent

# yum install openstack-neutron openstack-neutron-ml2 \
  openstack-neutron-openvswitch

# zypper install openstack-neutron-openvswitch-agent openstack-neutron-l3-agent \
  openstack-neutron-dhcp-agent openstack-neutron-metadata-agent

Ubuntu installations using Linux kernel version 3.11 or newer do not require the openvswitch-datapath-dkms package.

SUSE does not use a separate ML2 plug-in package.

To configure the Networking common components

The Networking common component configuration includes the
authentication mechanism, message broker, and plug-in.

Respond to prompts for database management, Identity service credentials, service endpoint registration, and message broker credentials.

Configure Networking to use the Identity service for authentication:

Replace NEUTRON_PASS with the password you chose for the neutron user in the Identity service.

# openstack-config --set /etc/neutron/neutron.conf DEFAULT \
  auth_strategy keystone
# openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
  auth_uri http://controller:5000
# openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
  auth_host controller
# openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
  auth_protocol http
# openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
  auth_port 35357
# openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
  admin_tenant_name service
# openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
  admin_user neutron
# openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
  admin_password NEUTRON_PASS

Configure Networking to use the Identity service for authentication:

Edit the /etc/neutron/neutron.conf file and add the following key to the [DEFAULT] section:

[DEFAULT]
...
auth_strategy = keystone

Add the following keys to the [keystone_authtoken] section:

Replace NEUTRON_PASS with the password you chose for the neutron user in the Identity service.

[keystone_authtoken]
...
auth_uri = http://controller:5000
auth_host = controller
auth_protocol = http
auth_port = 35357
admin_tenant_name = service
admin_user = neutron
admin_password = NEUTRON_PASS

Configure Networking to use the message broker:

Replace RABBIT_PASS with the
password you chose for the guest account in RabbitMQ.

# openstack-config --set /etc/neutron/neutron.conf DEFAULT \
  rpc_backend neutron.openstack.common.rpc.impl_kombu
# openstack-config --set /etc/neutron/neutron.conf DEFAULT \
  rabbit_host controller
# openstack-config --set /etc/neutron/neutron.conf DEFAULT \
  rabbit_userid guest
# openstack-config --set /etc/neutron/neutron.conf DEFAULT \
  rabbit_password RABBIT_PASS

Configure Networking to use the message broker:

Edit the /etc/neutron/neutron.conf file and add the following keys to the [DEFAULT] section:

Replace RABBIT_PASS with the password you chose for the guest account in RabbitMQ.

[DEFAULT]
...
rpc_backend = neutron.openstack.common.rpc.impl_kombu
rabbit_host = controller
rabbit_password = RABBIT_PASS

Configure Networking to use the Modular Layer 2 (ML2)
plug-in and associated services:

# openstack-config --set /etc/neutron/neutron.conf DEFAULT \
  core_plugin ml2
# openstack-config --set /etc/neutron/neutron.conf DEFAULT \
  service_plugins router

To assist with troubleshooting, add verbose = True to the [DEFAULT] section in the /etc/neutron/neutron.conf file.

Configure Networking to use the Modular Layer 2 (ML2) plug-in and associated services:

Edit the /etc/neutron/neutron.conf file and add the following keys to the [DEFAULT] section:

[DEFAULT]
...
core_plugin = ml2
service_plugins = router
allow_overlapping_ips = True

To assist with troubleshooting, add verbose = True to the [DEFAULT] section in the /etc/neutron/neutron.conf file.

To configure the Layer-3 (L3) agent

The Layer-3 (L3) agent provides
routing services for instance virtual networks.

Run the following commands:

# openstack-config --set /etc/neutron/l3_agent.ini DEFAULT \
  interface_driver neutron.agent.linux.interface.OVSInterfaceDriver
# openstack-config --set /etc/neutron/l3_agent.ini DEFAULT \
  use_namespaces True

To assist with troubleshooting, add verbose = True to the [DEFAULT] section in the /etc/neutron/l3_agent.ini file.

Edit the /etc/neutron/l3_agent.ini file and add the following keys to the [DEFAULT] section:

[DEFAULT]
...
interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
use_namespaces = True

To assist with troubleshooting, add verbose = True to the [DEFAULT] section in the /etc/neutron/l3_agent.ini file.

To configure the DHCP agent

The DHCP agent provides
DHCP services for instance virtual networks.

Run the following commands:

# openstack-config --set /etc/neutron/dhcp_agent.ini DEFAULT \
  interface_driver neutron.agent.linux.interface.OVSInterfaceDriver
# openstack-config --set /etc/neutron/dhcp_agent.ini DEFAULT \
  dhcp_driver neutron.agent.linux.dhcp.Dnsmasq
# openstack-config --set /etc/neutron/dhcp_agent.ini DEFAULT \
  use_namespaces True

To assist with troubleshooting, add verbose = True to the [DEFAULT] section in the /etc/neutron/dhcp_agent.ini file.

Edit the /etc/neutron/dhcp_agent.ini file and add the following keys to the [DEFAULT] section:

[DEFAULT]
...
interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq
use_namespaces = True

To assist with troubleshooting, add verbose = True to the [DEFAULT] section in the /etc/neutron/dhcp_agent.ini file.

Tunneling protocols such as
generic routing encapsulation (GRE) include additional packet headers that increase overhead and decrease space available for the payload or user data. Without knowledge of the virtual network infrastructure, instances attempt to send packets using the default Ethernet maximum transmission unit (MTU) of 1500 bytes. Internet protocol (IP) networks contain the path MTU discovery (PMTUD) mechanism to detect end-to-end MTU and adjust packet size accordingly. However, some operating systems and networks block or otherwise lack support for PMTUD, causing performance degradation or connectivity failure.

Ideally, you can prevent these problems by enabling jumbo frames on the physical network that contains your tenant virtual networks. Jumbo frames support MTUs up to approximately 9000 bytes, which negates the impact of GRE overhead on virtual networks. However, many network devices lack support for jumbo frames and OpenStack administrators often lack control of network infrastructure. Given the latter complications, you can also prevent MTU problems by reducing the instance MTU to account for GRE overhead. Determining the proper MTU value often takes experimentation, but 1454 bytes works in most environments. You can configure the DHCP server that assigns IP addresses to your instances to also adjust the MTU.

Some cloud images such as CirrOS ignore the DHCP MTU option.

Edit the /etc/neutron/dhcp_agent.ini file and add the following keys to the [DEFAULT] section:

[DEFAULT]
...
dnsmasq_config_file = /etc/neutron/dnsmasq-neutron.conf

Run the following command:

# openstack-config --set /etc/neutron/dhcp_agent.ini DEFAULT \
  dnsmasq_config_file /etc/neutron/dnsmasq-neutron.conf

Create and edit the /etc/neutron/dnsmasq-neutron.conf file and add the following keys:

dhcp-option-force=26,1454

Kill any existing dnsmasq processes:

# killall dnsmasq

To configure the metadata agent

The metadata agent provides
configuration information such as credentials for remote access to instances.

Run the following commands:

Replace NEUTRON_PASS with the password you chose for the neutron user in the Identity service. Replace METADATA_SECRET with a suitable secret for the metadata proxy.

# openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT \
  auth_url http://controller:5000/v2.0
# openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT \
  auth_region regionOne
# openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT \
  admin_tenant_name service
# openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT \
  admin_user neutron
# openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT \
  admin_password NEUTRON_PASS
# openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT \
  nova_metadata_ip controller
# openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT \
  metadata_proxy_shared_secret METADATA_SECRET

To assist with troubleshooting, add verbose = True to the [DEFAULT] section in the /etc/neutron/metadata_agent.ini file.

Edit the /etc/neutron/metadata_agent.ini file and add the following keys to the [DEFAULT] section:

Replace NEUTRON_PASS with the password you chose for the neutron user in the Identity service. Replace METADATA_SECRET with a suitable secret for the metadata proxy.

[DEFAULT]
...
auth_url = http://controller:5000/v2.0
auth_region = regionOne
admin_tenant_name = service
admin_user = neutron
admin_password = NEUTRON_PASS
nova_metadata_ip = controller
metadata_proxy_shared_secret = METADATA_SECRET

To assist with troubleshooting, add verbose = True to the [DEFAULT] section in the /etc/neutron/metadata_agent.ini file.

Perform the next two steps on the controller node.

On the controller node, configure Compute to use the metadata service:

Replace METADATA_SECRET with the secret you chose for the metadata proxy.

# openstack-config --set /etc/nova/nova.conf DEFAULT \
  service_neutron_metadata_proxy true
# openstack-config --set /etc/nova/nova.conf DEFAULT \
  neutron_metadata_proxy_shared_secret METADATA_SECRET

On the controller node, edit the /etc/nova/nova.conf file and add the following keys to the [DEFAULT] section:

Replace METADATA_SECRET with the secret you chose for the metadata proxy.

[DEFAULT]
...
service_neutron_metadata_proxy = true
neutron_metadata_proxy_shared_secret = METADATA_SECRET

On the controller node, restart the Compute API service:

# service openstack-nova-api restart

# service nova-api restart

To configure the Modular Layer 2 (ML2) plug-in

The ML2 plug-in uses the Open vSwitch (OVS) mechanism
(agent) to build the virtual networking framework for instances.

Run the following commands:

Replace INSTANCE_TUNNELS_INTERFACE_IP_ADDRESS with the IP address of the instance tunnels network interface on your network node. This guide uses 10.0.1.21 for the IP address of the instance tunnels network interface on the network node.

# openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini ml2 \
  type_drivers gre
# openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini ml2 \
  tenant_network_types gre
# openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini ml2 \
  mechanism_drivers openvswitch
# openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini ml2_type_gre \
  tunnel_id_ranges 1:1000
# openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini ovs \
  local_ip INSTANCE_TUNNELS_INTERFACE_IP_ADDRESS
# openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini ovs \
  tunnel_type gre
# openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini ovs \
  enable_tunneling True
# openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini securitygroup \
  firewall_driver neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
# openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini securitygroup \
  enable_security_group True

Edit the /etc/neutron/plugins/ml2/ml2_conf.ini file.

Add the following keys to the [ml2] section:

[ml2]
...
type_drivers = gre
tenant_network_types = gre
mechanism_drivers = openvswitch

Add the following keys to the [ml2_type_gre] section:

[ml2_type_gre]
...
tunnel_id_ranges = 1:1000

Add the [ovs] section and the following keys to it:

Replace INSTANCE_TUNNELS_INTERFACE_IP_ADDRESS with the IP address of the instance tunnels network interface on your network node.

[ovs]
...
local_ip = INSTANCE_TUNNELS_INTERFACE_IP_ADDRESS
tunnel_type = gre
enable_tunneling = True

Add the [securitygroup] section and the following keys to it:

[securitygroup]
...
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
enable_security_group = True

To configure the Open vSwitch (OVS) service

The OVS service provides the underlying virtual networking
framework for instances. The integration bridge br-int handles internal instance network traffic within OVS. The external bridge br-ex handles external instance network traffic within OVS. The external bridge requires a port on the physical external network interface to provide instances with external network access. In essence, this port bridges the virtual and physical external networks in your environment.

Start the OVS service and configure it to start when the system boots:

# service openvswitch start
# chkconfig openvswitch on

Start the OVS service and configure it to start when the system boots:

# service openvswitch-switch start
# chkconfig openvswitch-switch on

Restart the OVS service:

# service openvswitch-switch restart

Restart the OVS service:

# service openvswitch restart

Add the external bridge:

# ovs-vsctl add-br br-ex

Add a port to the external bridge that connects to the physical external network interface:

Replace INTERFACE_NAME with the actual interface name. For example, eth2 or ens256.

# ovs-vsctl add-port br-ex INTERFACE_NAME

Depending on your network interface driver, you may need to disable Generic Receive Offload (GRO) to achieve suitable throughput between your instances and the external network.

To temporarily disable GRO on the external network interface while testing your environment:

# ethtool -K INTERFACE_NAME gro off

To finalize the installation

The Networking service initialization scripts expect a
symbolic link /etc/neutron/plugin.ini pointing to the configuration file associated with your chosen plug-in. Using the ML2 plug-in, for example, the symbolic link must point to /etc/neutron/plugins/ml2/ml2_conf.ini. If this symbolic link does not exist, create it using the following commands:

# ln -s plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini

Due to a packaging bug, the Open vSwitch agent initialization script explicitly looks for the Open vSwitch plug-in configuration file rather than a symbolic link /etc/neutron/plugin.ini pointing to the ML2 plug-in configuration file. Run the following commands to resolve this issue:

# cp /etc/init.d/neutron-openvswitch-agent /etc/init.d/neutron-openvswitch-agent.orig
# sed -i 's,plugins/openvswitch/ovs_neutron_plugin.ini,plugin.ini,g' /etc/init.d/neutron-openvswitch-agent

The Networking service initialization scripts expect the variable NEUTRON_PLUGIN_CONF in the /etc/sysconfig/neutron file to reference the configuration file associated with your chosen plug-in. Using ML2, for example, edit the /etc/sysconfig/neutron file and add the following:

NEUTRON_PLUGIN_CONF="/etc/neutron/plugins/ml2/ml2_conf.ini"

Start the Networking services and configure them to start when the system boots:

# service neutron-openvswitch-agent start
# service neutron-l3-agent start
# service neutron-dhcp-agent start
# service neutron-metadata-agent start
# chkconfig neutron-openvswitch-agent on
# chkconfig neutron-l3-agent on
# chkconfig neutron-dhcp-agent on
# chkconfig neutron-metadata-agent on
# chkconfig neutron-ovs-cleanup on

# service openstack-neutron-openvswitch-agent start
# service openstack-neutron-l3-agent start
# service openstack-neutron-dhcp-agent start
# service openstack-neutron-metadata-agent start
# chkconfig openstack-neutron-openvswitch-agent on
# chkconfig openstack-neutron-l3-agent on
# chkconfig openstack-neutron-dhcp-agent on
# chkconfig openstack-neutron-metadata-agent on
# chkconfig openstack-neutron-ovs-cleanup on

Restart the Networking services:

# service neutron-plugin-openvswitch-agent restart
# service neutron-l3-agent restart
# service neutron-dhcp-agent restart
# service neutron-metadata-agent restart
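
The steps above leave three credentials in configuration files (NEUTRON_PASS, RABBIT_PASS and METADATA_SECRET), and the metadata proxy secret must be identical on the network node and the controller. The following shell script is an added example, not part of the original guide: it reads the keys this guide sets and reports placeholders that were never replaced and a secret mismatch. The function names `ini_get`, `is_set` and `audit`, and the sample files and values, are constructed for illustration.

```shell
#!/bin/sh
# ini_get FILE SECTION KEY: print the last value of KEY inside [SECTION].
ini_get() {
    awk -v want="[$2]" -v key="$3" '
        /^[ \t]*\[/ { gsub(/[ \t]/, ""); insec = ($0 == want); next }
        !insec || /^[ \t]*[#;]/ { next }
        {
            i = index($0, "="); if (i == 0) next
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# is_set VALUE PLACEHOLDER: true only for a non-empty value that is not the
# placeholder text printed in the guide.
is_set() { [ -n "$1" ] && [ "$1" != "$2" ]; }

# audit NEUTRON_DIR NOVA_CONF: print one line per finding, return 1 if any.
audit() {
    bad=0
    np=$(ini_get "$1/neutron.conf" keystone_authtoken admin_password)
    rp=$(ini_get "$1/neutron.conf" DEFAULT rabbit_password)
    ms=$(ini_get "$1/metadata_agent.ini" DEFAULT metadata_proxy_shared_secret)
    ns=$(ini_get "$2" DEFAULT neutron_metadata_proxy_shared_secret)
    px=$(ini_get "$2" DEFAULT service_neutron_metadata_proxy)
    is_set "$np" NEUTRON_PASS || { echo "FAIL neutron.conf admin_password"; bad=1; }
    is_set "$rp" RABBIT_PASS || { echo "FAIL neutron.conf rabbit_password"; bad=1; }
    is_set "$ms" METADATA_SECRET || { echo "FAIL metadata_proxy_shared_secret"; bad=1; }
    # The agent and Compute must hold the same secret for the metadata proxy.
    [ "$ms" = "$ns" ] || { echo "FAIL metadata secret differs from nova.conf"; bad=1; }
    case "$px" in [Tt]rue) ;; *) echo "FAIL service_neutron_metadata_proxy not true"; bad=1 ;; esac
    return "$bad"
}

# Constructed sample files (not from a real deployment).
demo=$(mktemp -d)
printf '%s\n' '[DEFAULT]' 'rabbit_password = s3cr3t-rabbit' \
    '[keystone_authtoken]' 'admin_password = s3cr3t-neutron' > "$demo/neutron.conf"
printf '%s\n' '[DEFAULT]' 'metadata_proxy_shared_secret = 5f2c9a71e0' \
    > "$demo/metadata_agent.ini"
# nova.conf still carries the guide's placeholder, so the audit must fail.
printf '%s\n' '[DEFAULT]' 'service_neutron_metadata_proxy = true' \
    'neutron_metadata_proxy_shared_secret = METADATA_SECRET' > "$demo/nova.conf"
audit "$demo" "$demo/nova.conf" || echo "audit found problems"
```

On a real deployment, copy the controller's /etc/nova/nova.conf next to the network node's files, or run the two lookups on each host and compare the values.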