Provider router with private networks This section describes how to install the OpenStack Networking service and its components for a single router use case: a provider router with private networks. This figure shows the set up: Because you run the DHCP agent and L3 agent on one node, you must set use_namespaces to True (which is the default) in the configuration files for both agents. The configuration includes these nodes:
Nodes for use case
Node Description
Controller Runs the Networking service, Identity Service, and all Compute services that are required to deploy a VM. The service must have at least two network interfaces. The first should be connected to the Management Network to communicate with the compute and network nodes. The second interface should be connected to the API/public network.
Compute Runs Compute and the Networking L2 agent. This node does not have access the public network. The node must have a network interface that communicates with the controller node through the management network. The VM receives its IP address from the DHCP agent on this network.
Network Runs Networking L2 agent, DHCP agent, and L3 agent. This node has access to the public network. The DHCP agent allocates IP addresses to the VMs on the network. The L3 agent performs NAT and enables the VMs to access the public network. The node must have: A network interface that communicates with the controller node through the management network A network interface on the data network that manages VM traffic A network interface that connects to the external gateway on the network
Install
Controller To install and configure the controller node Run this command: # apt-get install neutron-server # yum install openstack-neutron # zypper install openstack-neutron Configure Networking services: Edit the /etc/neutron/neutron.conf file and add these lines: core_plugin = neutron.plugins.openvswitch.ovs_neutron_plugin.OVSNeutronPluginV2 auth_strategy = keystone fake_rabbit = False rabbit_password = RABBIT_PASS [database] connection = mysql://neutron:NEUTRON_DBPASS@controller/neutron Edit the /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini file and add these lines: [ovs] tenant_network_type = vlan network_vlan_ranges = physnet1:100:2999 Edit the /etc/neutron/api-paste.ini file and add these lines: admin_tenant_name = service admin_user = neutron admin_password = NEUTRON_PASS Start the services: # service neutron-server restart
Network node Install and configure the network node Install the packages: # apt-get install neutron-plugin-openvswitch-agent \ neutron-dhcp-agent neutron-l3-agent # yum install openstack-neutron-openvswitch \ openstack-neutron # zypper install openstack-neutron-openvswitch-agent \ openstack-neutron openstack-neutron-dhcp-agent openstack-neutron-l3-agent Start Open vSwitch and configure it to start when the system boots: # service openvswitch-switch start # service openvswitch start # chkconfig openvswitch on # service openvswitch-switch start # chkconfig openvswitch-switch on Add the integration bridge to the Open vSwitch: # ovs-vsctl add-br br-int Update the OpenStack Networking /etc/neutron/neutron.conf configuration file: rabbit_password = guest rabbit_host = controller rabbit_password = RABBIT_PASS [database] connection = mysql://neutron:NEUTRON_DBPASS@controller:3306/neutron # openstack-config --set /etc/neutron/neutron.conf \ DEFAULT qpid_hostname controller # openstack-config --set /etc/neutron/neutron.conf \ database connection mysql://neutron:NEUTRON_DBPASS@controller:3306/neutron # openstack-config --set /etc/neutron/neutron.conf \ DEFAULT rabbit_host controller # openstack-config --set /etc/neutron/neutron.conf \ DEFAULT rabbit_password RABBIT_PASS # openstack-config --set /etc/neutron/neutron.conf \ database connection mysql://neutron:NEUTRON_DBPASS@controller:3306/neutron Update the plug-in /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini configuration file: [ovs] tenant_network_type=vlan network_vlan_ranges = physnet1:1:4094 bridge_mappings = physnet1:br-eth1 All VM communication between the nodes occurs through the br-eth1 bridge. Create the br-eth1 network bridge: # ovs-vsctl add-br br-eth1 # ovs-vsctl add-port br-eth1 eth1 Create the external network bridge to the Open vSwitch: # ovs-vsctl add-br br-ex # ovs-vsctl add-port br-ex eth2 Edit the /etc/neutron/l3_agent.ini file and add these lines: [DEFAULT] auth_url = http://controller:35357/v2.0 admin_tenant_name = service admin_user = neutron admin_password = NEUTRON_PASS metadata_ip = controller use_namespaces = True Edit the /etc/neutron/api-paste.ini file and add these lines: [DEFAULT] auth_host = controller admin_tenant_name = service admin_user = neutron admin_password = NEUTRON_PASS Edit the /etc/neutron/dhcp_agent.ini file and add this line: use_namespaces = True Restart networking services: # service neutron-plugin-openvswitch-agent start # service neutron-dhcp-agent restart # service neutron-l3-agent restart Start and permanently enable networking services: # service neutron-openvswitch-agent start # service neutron-dhcp-agent start # service neutron-l3-agent start # chkconfig neutron-openvswitch-agent on # chkconfig neutron-dhcp-agent on # chkconfig neutron-l3-agent on # service openstack-neutron-openvswitch-agent start # service openstack-neutron-dhcp-agent start # service openstack-neutron-l3-agent start # chkconfig openstack-neutron-openvswitch-agent on # chkconfig openstack-neutron-dhcp-agent on # chkconfig openstack-neutron-l3-agent on Enable the neutron-ovs-cleanup service. This service starts on boot and ensures that Networking has full control over the creation and management of tap devices. # chkconfig neutron-ovs-cleanup on # chkconfig openstack-neutron-ovs-cleanup on
Compute Node Install and configure the compute node Install the packages: # apt-get install openvswitch-switch neutron-plugin-openvswitch-agent # zypper install openstack-neutron-openvswitch-agent # yum install openstack-neutron-openvswitch Start the OpenvSwitch service and configure it to start when the system boots: # service openvswitch-switch start # service openvswitch start # chkconfig openvswitch on # service openvswitch-switch start # chkconfig openvswitch-switch on Create the integration bridge: # ovs-vsctl add-br br-int All VM communication between the nodes occurs through the br-eth1 bridge. Create the br-eth1 network bridge: # ovs-vsctl add-br br-eth1 # ovs-vsctl add-port br-eth1 eth1 Edit the OpenStack Networking /etc/neutron/neutron.conf configuration file and add this line: rabbit_password = guest rabbit_host = controller rabbit_password = RABBIT_PASS [database] connection = mysql://neutron:NEUTRON_DBPASS@controller:3306/neutron # openstack-config --set /etc/neutron/neutron.conf \ DEFAULT qpid_hostname controller # openstack-config --set /etc/neutron/neutron.conf \ database connection mysql://neutron:NEUTRON_DBPASS@controller:3306/neutron # openstack-config --set /etc/neutron/neutron.conf \ DEFAULT rabbit_host controller # openstack-config --set /etc/neutron/neutron.conf \ DEFAULT rabbit_password RABBIT_PASS # openstack-config --set /etc/neutron/neutron.conf \ database connection mysql://neutron:NEUTRON_DBPASS@controller:3306/neutron Edit the /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini file and add these lines: [ovs] tenant_network_type = vlan network_vlan_ranges = physnet1:1:4094 bridge_mappings = physnet1:br-eth1 Restart the OpenvSwitch Neutron plug-in agent: # service neutron-plugin-openvswitch-agent restart Start and permanently enable networking services: # service neutron-openvswitch-agent start # chkconfig neutron-openvswitch-agent on # service openstack-neutron-openvswitch-agent start # chkconfig openstack-neutron-openvswitch-agent on
Logical network configuration Run these commands on the network node. Ensure that the following environment variables are set. Various clients use these variables to access the Identity Service. Create an adminrc file that contains these lines: export OS_TENANT_NAME=admin export OS_USERNAME=admin export OS_PASSWORD=ADMIN_PASS export OS_AUTH_URL="http://controller:5000/v2.0/" Export the environment variables in the adminrc file: # source adminrc The admin tenant can define resources that other tenants can use but cannot modify. These resources are a provider network and its associated router. The admin user creates a network and subnet on behalf of tenant_A. A tenant_A user can also complete these steps. Configure internal networking Get the tenant_A tenant ID: # TENANT_ID=$(keystone tenant-list | awk '/ tenant_A / { print $2 }') Create the net1 internal network for the tenant_A tenant: # neutron net-create --tenant-id $TENANT_ID net1 +---------------------------+--------------------------------------+ | Field | Value | +---------------------------+--------------------------------------+ | admin_state_up | True | | id | e99a361c-0af8-4163-9feb-8554d4c37e4f | | name | net1 | | provider:network_type | vlan | | provider:physical_network | physnet1 | | provider:segmentation_id | 1024 | | router:external | False | | shared | False | | status | ACTIVE | | subnets | | | tenant_id | e40fa60181524f9f9ee7aa1038748f08 | +---------------------------+--------------------------------------+ Create a subnet on the net1 network and store its ID in a variable: # neutron subnet-create --tenant-id $TENANT_ID net1 10.5.5.0/24 \ --dns_nameservers list=true 8.8.8.7 8.8.8.8 +------------------+--------------------------------------------+ | Field | Value | +------------------+--------------------------------------------+ | allocation_pools | {"start": "10.5.5.2", "end": "10.5.5.254"} | | cidr | 10.5.5.0/24 | | dns_nameservers | 8.8.8.7 | | | 8.8.8.8 | | enable_dhcp | True | | gateway_ip | 10.5.5.1 | | host_routes | | | id | c395cb5d-ba03-41ee-8a12-7e792d51a167 | | ip_version | 4 | | name | | | network_id | e99a361c-0af8-4163-9feb-8554d4c37e4f | | tenant_id | e40fa60181524f9f9ee7aa1038748f08 | +------------------+--------------------------------------------+ # SUBNET_ID=c395cb5d-ba03-41ee-8a12-7e792d51a167 The id value will be different on your system. A user with the admin role in the admin tenant must complete these steps. Configure the router and external networking Create a router1 router and store its ID in the ROUTER_ID variable: # neutron router-create router1 +-----------------------+--------------------------------------+ | Field | Value | +-----------------------+--------------------------------------+ | admin_state_up | True | | external_gateway_info | | | id | 685f64e7-a020-4fdf-a8ad-e41194ae124b | | name | router1 | | status | ACTIVE | | tenant_id | 48fb81ab2f6b409bafac8961a594980f | +-----------------------+--------------------------------------+ # ROUTER_ID=685f64e7-a020-4fdf-a8ad-e41194ae124b The id value will be different on your system. The --tenant-id parameter is not specified, so this router is assigned to the admin tenant. Add an interface to the router1 router and attach it to the subnet from net1: # neutron router-interface-add $ROUTER_ID $SUBNET_ID Added interface to router 685f64e7-a020-4fdf-a8ad-e41194ae124b You can repeat this step to add interfaces for networks that belong to other tenants. Create the ext_net external network and store its ID in a the EXTERNAL_NETWORK_ID variable: # neutron net-create ext_net \ --router:external=True --provider:network_type=vlan \ --provider:physical_network=physnet1 --provider:segmentation_id=1 +---------------------------+--------------------------------------+ | Field | Value | +---------------------------+--------------------------------------+ | admin_state_up | True | | id | 8858732b-0400-41f6-8e5c-25590e67ffeb | | name | ext_net | | provider:network_type | vlan | | provider:physical_network | physnet1 | | provider:segmentation_id | 1 | | router:external | True | | shared | False | | status | ACTIVE | | subnets | | | tenant_id | 48fb81ab2f6b409bafac8961a594980f | +---------------------------+--------------------------------------+ # EXTERNAL_NETWORK_ID=8858732b-0400-41f6-8e5c-25590e67ffeb Create the subnet for floating IPs. The DHCP service is disabled for this subnet. # neutron subnet-create ext_net \ --allocation-pool start=7.7.7.130,end=7.7.7.150 \ --gateway 7.7.7.1 7.7.7.0/24 --disable-dhcp +------------------+--------------------------------------------------+ | Field | Value | +------------------+--------------------------------------------------+ | allocation_pools | {"start": "7.7.7.130", "end": "7.7.7.150"} | | cidr | 7.7.7.0/24 | | dns_nameservers | | | enable_dhcp | False | | gateway_ip | 7.7.7.1 | | host_routes | | | id | aef60b55-cbff-405d-a81d-406283ac6cff | | ip_version | 4 | | name | | | network_id | 8858732b-0400-41f6-8e5c-25590e67ffeb | | tenant_id | 48fb81ab2f6b409bafac8961a594980f | +------------------+--------------------------------------------------+ Set the gateway for the router to the external network: # neutron router-gateway-set $ROUTER_ID $EXTERNAL_NETWORK_ID Set gateway for router 685f64e7-a020-4fdf-a8ad-e41194ae124b A user from tenant_A completes these steps, so the credentials in the environment variables are different than those in the previous procedure. Allocate floating IP addresses You can associate a floating IP address with a VM after it starts. Store the port ID that was allocated for the VM in the PORT_ID variable: # nova list +--------------------------------------+--------+--------+---------------+ | ID | Name | Status | Networks | +--------------------------------------+--------+--------+---------------+ | 1cdc671d-a296-4476-9a75-f9ca1d92fd26 | testvm | ACTIVE | net1=10.5.5.3 | +--------------------------------------+--------+--------+---------------+ # neutron port-list -- --device_id 1cdc671d-a296-4476-9a75-f9ca1d92fd26 +--------------------------------------+------+-------------------+---------------------------------------------------------------------------------+ | id | name | mac_address | fixed_ips | +--------------------------------------+------+-------------------+---------------------------------------------------------------------------------+ | 9aa47099-b87b-488c-8c1d-32f993626a30 | | fa:16:3e:b4:d6:6c | {"subnet_id": "c395cb5d-ba03-41ee-8a12-7e792d51a167", "ip_address": "10.5.5.3"} | +--------------------------------------+------+-------------------+---------------------------------------------------------------------------------+ # PORT_ID=9aa47099-b87b-488c-8c1d-32f993626a30 Allocate a floating IP and store its ID in the FLOATING_ID variable: # neutron floatingip-create ext_net +---------------------+--------------------------------------+ | Field | Value | +---------------------+--------------------------------------+ | fixed_ip_address | | | floating_ip_address | 7.7.7.131 | | floating_network_id | 8858732b-0400-41f6-8e5c-25590e67ffeb | | id | 40952c83-2541-4d0c-b58e-812c835079a5 | | port_id | | | router_id | | | tenant_id | e40fa60181524f9f9ee7aa1038748f08 | +---------------------+--------------------------------------+ # FLOATING_ID=7.7.7.131 Associate the floating IP with the port for the VM: # neutron floatingip-associate $FLOATING_ID $PORT_ID Associated floatingip 40952c83-2541-4d0c-b58e-812c835079a5 Show the floating IP: # neutron floatingip-show $FLOATING_ID +---------------------+--------------------------------------+ | Field | Value | +---------------------+--------------------------------------+ | fixed_ip_address | 10.5.5.3 | | floating_ip_address | 7.7.7.131 | | floating_network_id | 8858732b-0400-41f6-8e5c-25590e67ffeb | | id | 40952c83-2541-4d0c-b58e-812c835079a5 | | port_id | 9aa47099-b87b-488c-8c1d-32f993626a30 | | router_id | 685f64e7-a020-4fdf-a8ad-e41194ae124b | | tenant_id | e40fa60181524f9f9ee7aa1038748f08 | +---------------------+--------------------------------------+ Test the floating IP: # ping 7.7.7.131 PING 7.7.7.131 (7.7.7.131) 56(84) bytes of data. 64 bytes from 7.7.7.131: icmp_req=2 ttl=64 time=0.152 ms 64 bytes from 7.7.7.131: icmp_req=3 ttl=64 time=0.049 ms
Use case: provider router with private networks This use case provides each tenant with one or more private networks that connect to the outside world through an OpenStack Networking router. When each tenant gets exactly one network, this architecture maps to the same logical topology as the VlanManager in Compute (although of course, Networking does not require VLANs). Using the Networking API, the tenant can only see a network for each private network assigned to that tenant. The router object in the API is created and owned by the cloud administrator. This model supports assigning public addresses to VMs by using floating IPs; the router maps public addresses from the external network to fixed IPs on private networks. Hosts without floating IPs can still create outbound connections to the external network because the provider router performs SNAT to the router's external IP. The IP address of the physical router is used as the gateway_ip of the external network subnet, so the provider has a default router for Internet traffic. The router provides L3 connectivity among private networks. Tenants can reach instances for other tenants unless you use additional filtering, such as, security groups). With a single router, tenant networks cannot use overlapping IPs. To resolve this issue, the administrator can create private networks on behalf of the tenants.