Install and configure controller node

Install and configure controller node To configure prerequisites Before you configure the OpenStack Networking (neutron) service, you must create a database, service credentials, and API endpoints. To create the database, complete these steps: Use the database access client to connect to the database server as the root user: $ mysql -u root -p Create the neutron database: CREATE DATABASE neutron; Grant proper access to the neutron database: GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'localhost' \ IDENTIFIED BY 'NEUTRON_DBPASS'; GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'%' \ IDENTIFIED BY 'NEUTRON_DBPASS'; Replace NEUTRON_DBPASS with a suitable password. Exit the database access client. Source the admin credentials to gain access to admin-only CLI commands: $ source admin-openrc.sh To create the service credentials, complete these steps: Create the neutron user: $ keystone user-create --name neutron --pass NEUTRON_PASS +----------+----------------------------------+ | Property | Value | +----------+----------------------------------+ | email | | | enabled | True | | id | 7fd67878dcd04d0393469ef825a7e005 | | name | neutron | | username | neutron | +----------+----------------------------------+ Replace NEUTRON_PASS with a suitable password. Add the admin role to the neutron user: $ keystone user-role-add --user neutron --tenant service --role admin This command provides no output. Create the neutron service entity: $ keystone service-create --name neutron --type network \ --description "OpenStack Networking" +-------------+----------------------------------+ | Property | Value | +-------------+----------------------------------+ | description | OpenStack Networking | | enabled | True | | id | 6369ddaf99a447f3a0d41dac5e342161 | | name | neutron | | type | network | +-------------+----------------------------------+ Create the Networking service API endpoints: $ keystone endpoint-create \ --service-id $(keystone service-list | awk '/ network / {print $2}') \ --publicurl http://controller:9696 \ --adminurl http://controller:9696 \ --internalurl http://controller:9696 \ --region regionOne +-------------+----------------------------------+ | Property | Value | +-------------+----------------------------------+ | adminurl | http://controller:9696 | | id | fa18b41938a94bf6b35e2c152063ee21 | | internalurl | http://controller:9696 | | publicurl | http://controller:9696 | | region | regionOne | | service_id | 6369ddaf99a447f3a0d41dac5e342161 | +-------------+----------------------------------+ To install the Networking components # apt-get install neutron-server neutron-plugin-ml2 python-neutronclient # yum install openstack-neutron openstack-neutron-ml2 python-neutronclient which # zypper install openstack-neutron openstack-neutron-server SUSE does not use a separate ML2 plug-in package. To install and configure the Networking components # apt-get install neutron-server Debian does not use a separate ML2 plug-in package. Respond to prompts for database management, Identity service credentials, service endpoint registration, and message broker credentials. Select the ML2 plug-in: Selecting the ML2 plug-in also populates the and options in the /etc/neutron/neutron.conf file with the appropriate values. To configure the Networking server component The Networking server component configuration includes the database, authentication mechanism, message broker, topology change notifications, and plug-in. Edit the /etc/neutron/neutron.conf file and complete the following actions: In the [database] section, configure database access: [database] ... connection = mysql://neutron:NEUTRON_DBPASS@controller/neutron Replace NEUTRON_DBPASS with the password you chose for the database. In the [DEFAULT] section, configure RabbitMQ message broker access: [DEFAULT] ... rpc_backend = rabbit rabbit_host = controller rabbit_password = RABBIT_PASS Replace RABBIT_PASS with the password you chose for the guest account in RabbitMQ. In the [DEFAULT] and [keystone_authtoken] sections, configure Identity service access: [DEFAULT] ... auth_strategy = keystone [keystone_authtoken] ... auth_uri = http://controller:5000/v2.0 identity_uri = http://controller:35357 admin_tenant_name = service admin_user = neutron admin_password = NEUTRON_PASS Replace NEUTRON_PASS with the password you chose or the neutron user in the Identity service. Comment out any auth_host, auth_port, and auth_protocol options because the identity_uri option replaces them. In the [DEFAULT] section, enable the Modular Layer 2 (ML2) plug-in, router service, and overlapping IP addresses: [DEFAULT] ... core_plugin = ml2 service_plugins = router allow_overlapping_ips = True In the [DEFAULT] section, configure Networking to notify Compute of network topology changes: [DEFAULT] ... notify_nova_on_port_status_changes = True notify_nova_on_port_data_changes = True nova_url = http://controller:8774/v2 nova_admin_auth_url = http://controller:35357/v2.0 nova_region_name = regionOne nova_admin_username = nova nova_admin_tenant_id = SERVICE_TENANT_ID nova_admin_password = NOVA_PASS Replace SERVICE_TENANT_ID with the service tenant identifier (id) in the Identity service and NOVA_PASS with the password you chose for the nova user in the Identity service. To obtain the service tenant identifier (id): $ source admin-openrc.sh $ keystone tenant-get service +-------------+----------------------------------+ | Property | Value | +-------------+----------------------------------+ | description | Service Tenant | | enabled | True | | id | f727b5ec2ceb4d71bad86dfc414449bf | | name | service | +-------------+----------------------------------+ (Optional) To assist with troubleshooting, enable verbose logging in the [DEFAULT] section: [DEFAULT] ... verbose = True To configure the Modular Layer 2 (ML2) plug-in The ML2 plug-in uses the Open vSwitch (OVS) mechanism (agent) to build the virtual networking framework for instances. However, the controller node does not need the OVS components because it does not handle instance network traffic. Edit the /etc/neutron/plugins/ml2/ml2_conf.ini file and complete the following actions: In the [ml2] section, enable the flat and generic routing encapsulation (GRE) network type drivers, GRE tenant networks, and the OVS mechanism driver: [ml2] ... type_drivers = flat,gre tenant_network_types = gre mechanism_drivers = openvswitch Once you configure the ML2 plug-in, be aware that disabling a network type driver and re-enabling it later can lead to database inconsistency. In the [ml2_type_gre] section, configure the tunnel identifier (id) range: [ml2_type_gre] ... tunnel_id_ranges = 1:1000 In the [securitygroup] section, enable security groups, enable ipset, and configure the OVS iptables firewall driver: [securitygroup] ... enable_security_group = True enable_ipset = True firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver To configure Compute to use Networking By default, distribution packages configure Compute to use legacy networking. You must reconfigure Compute to manage networks through Networking. Edit the /etc/nova/nova.conf file and complete the following actions: In the [DEFAULT] section, configure the APIs and drivers: [DEFAULT] ... network_api_class = nova.network.neutronv2.api.API security_group_api = neutron linuxnet_interface_driver = nova.network.linux_net.LinuxOVSInterfaceDriver firewall_driver = nova.virt.firewall.NoopFirewallDriver By default, Compute uses an internal firewall service. Since Networking includes a firewall service, you must disable the Compute firewall service by using the nova.virt.firewall.NoopFirewallDriver firewall driver. In the [neutron] section, configure access parameters: [neutron] ... url = http://controller:9696 auth_strategy = keystone admin_auth_url = http://controller:35357/v2.0 admin_tenant_name = service admin_username = neutron admin_password = NEUTRON_PASS Replace NEUTRON_PASS with the password you chose for the neutron user in the Identity service. To finalize installation The Networking service initialization scripts expect a symbolic link /etc/neutron/plugin.ini pointing to the ML2 plug-in configuration file, /etc/neutron/plugins/ml2/ml2_conf.ini. If this symbolic link does not exist, create it using the following command: # ln -s /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini The Networking service initialization scripts expect the variable NEUTRON_PLUGIN_CONF in the /etc/sysconfig/neutron file to reference the ML2 plug-in configuration file. Edit the /etc/sysconfig/neutron file and add the following: NEUTRON_PLUGIN_CONF="/etc/neutron/plugins/ml2/ml2_conf.ini" Populate the database: # su -s /bin/sh -c "neutron-db-manage --config-file /etc/neutron/neutron.conf \ --config-file /etc/neutron/plugins/ml2/ml2_conf.ini upgrade juno" neutron Database population occurs later for Networking because the script requires complete server and plug-in configuration files. Restart the Compute services: # systemctl restart openstack-nova-api.service openstack-nova-scheduler.service \ openstack-nova-conductor.service On SLES: # service openstack-nova-api restart # service openstack-nova-scheduler restart # service openstack-nova-conductor restart On openSUSE: # systemctl restart openstack-nova-api.service openstack-nova-scheduler.service \ openstack-nova-conductor.service # service nova-api restart # service nova-scheduler restart # service nova-conductor restart Start the Networking service and configure it to start when the system boots: # systemctl enable neutron-server.service # systemctl start neutron-server.service On SLES: # service openstack-neutron start # chkconfig openstack-neutron on On openSUSE: # systemctl enable openstack-neutron.service # systemctl start openstack-neutron.service Restart the Networking service: # service neutron-server restart Verify operation Perform these commands on the controller node. Source the admin credentials to gain access to admin-only CLI commands: $ source admin-openrc.sh List loaded extensions to verify successful launch of the neutron-server process: $ neutron ext-list +-----------------------+-----------------------------------------------+ | alias | name | +-----------------------+-----------------------------------------------+ | security-group | security-group | | l3_agent_scheduler | L3 Agent Scheduler | | ext-gw-mode | Neutron L3 Configurable external gateway mode | | binding | Port Binding | | provider | Provider Network | | agent | agent | | quotas | Quota management support | | dhcp_agent_scheduler | DHCP Agent Scheduler | | l3-ha | HA Router extension | | multi-provider | Multi Provider Network | | external-net | Neutron external network | | router | Neutron L3 Router | | allowed-address-pairs | Allowed Address Pairs | | extraroute | Neutron Extra Route | | extra_dhcp_opt | Neutron Extra DHCP opts | | dvr | Distributed Virtual Router | +-----------------------+-----------------------------------------------+