656f145def
Because we enable and disable kernel networking functions we should use 'configure' instead of 'enable'. Change-Id: Ia0aa260bfa49c076ab62fd3a161b986140c7912d
451 lines
20 KiB
XML
451 lines
20 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<section xmlns="http://docbook.org/ns/docbook"
|
|
xmlns:xi="http://www.w3.org/2001/XInclude"
|
|
xmlns:xlink="http://www.w3.org/1999/xlink"
|
|
version="5.0"
|
|
xml:id="neutron-ml2-network-node">
|
|
<title>Configure network node</title>
|
|
<para>Before you install and configure OpenStack Networking, you
|
|
must configure certain kernel networking functions.</para>
|
|
<procedure>
|
|
<title>To configure kernel networking functions</title>
|
|
<step>
|
|
<para>Edit <filename>/etc/sysctl.conf</filename> to contain the
|
|
following:</para>
|
|
<programlisting>net.ipv4.ip_forward=1
|
|
net.ipv4.conf.all.rp_filter=0
|
|
net.ipv4.conf.default.rp_filter=0</programlisting>
|
|
</step>
|
|
<step>
|
|
<para>Implement the changes:</para>
|
|
<screen><prompt>#</prompt> <userinput>sysctl -p</userinput></screen>
|
|
</step>
|
|
</procedure>
|
|
<procedure os="ubuntu;rhel;centos;fedora;sles;opensuse">
|
|
<title>To install the Networking components</title>
|
|
<step>
|
|
<screen os="ubuntu"><prompt>#</prompt> <userinput>apt-get install neutron-plugin-ml2 \
|
|
neutron-plugin-openvswitch-agent openvswitch-datapath-dkms \
|
|
neutron-l3-agent neutron-dhcp-agent</userinput></screen>
|
|
<screen os="rhel;centos;fedora"><prompt>#</prompt> <userinput>yum install openstack-neutron openstack-neutron-ml2 \
|
|
openstack-neutron-openvswitch</userinput></screen>
|
|
<screen os="sles;opensuse"><prompt>#</prompt> <userinput>zypper install openstack-neutron-openvswitch-agent openstack-neutron-l3-agent \
|
|
openstack-neutron-dhcp-agent openstack-neutron-metadata-agent</userinput></screen>
|
|
<note os="ubuntu">
|
|
<para>Ubuntu installations using Linux kernel version 3.11 or
|
|
newer do not require the
|
|
<emphasis>openvswitch-datapath-dkms</emphasis>
|
|
package.</para>
|
|
</note>
|
|
<note os="sles;opensuse">
|
|
<para>SUSE does not use a separate ML2 plug-in package.</para>
|
|
</note>
|
|
</step>
|
|
</procedure>
|
|
<procedure os="debian">
|
|
<title>To install and configure the Networking components</title>
|
|
<step>
|
|
<screen><prompt>#</prompt> <userinput>apt-get install neutron-plugin-openvswitch-agent openvswitch-datapath-dkms \
|
|
neutron-l3-agent neutron-dhcp-agent</userinput></screen>
|
|
<note>
|
|
<para>Debian does not use a separate ML2 plug-in package.</para>
|
|
</note>
|
|
</step>
|
|
<step>
|
|
<para>Respond to prompts for <link
|
|
linkend="debconf-dbconfig-common">database
|
|
management</link>, <link linkend="debconf-keystone_authtoken"
|
|
>Identity service credentials</link>, <link
|
|
linkend="debconf-api-endpoints">service endpoint
|
|
registration</link>, and <link linkend="debconf-rabbitmq"
|
|
>message broker credentials</link>.</para>
|
|
</step>
|
|
<step>
|
|
<para>Select the ML2 plug-in:</para>
|
|
<informalfigure>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata scale="50"
|
|
fileref="figures/debconf-screenshots/neutron_1_plugin_selection.png"
|
|
/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</informalfigure>
|
|
<note>
|
|
<para>Selecting the ML2 plug-in also populates the
|
|
<option>service_plugins</option> and
|
|
<option>allow_overlapping_ips</option> keys in the
|
|
<filename>/etc/neutron/neutron.conf</filename> file with the
|
|
appropriate values.</para>
|
|
</note>
|
|
</step>
|
|
</procedure>
|
|
<procedure os="ubuntu;rhel;centos;fedora;sles;opensuse">
|
|
<title>To configure the Networking common components</title>
|
|
<para>The Networking common component configuration includes the
|
|
authentication mechanism, message broker, and plug-in.</para>
|
|
<step>
|
|
<para>Configure Networking to use the Identity service for
|
|
authentication:</para>
|
|
<substeps>
|
|
<step>
|
|
<para>Edit the
|
|
<filename>/etc/neutron/neutron.conf</filename> file and
|
|
add the following key to the <literal>[DEFAULT]</literal>
|
|
section:</para>
|
|
<programlisting language="ini">[DEFAULT]
|
|
...
|
|
auth_strategy = keystone</programlisting>
|
|
<para>Add the following keys to the
|
|
<literal>[keystone_authtoken]</literal> section:</para>
|
|
<para>Replace <replaceable>NEUTRON_PASS</replaceable> with
|
|
the password you chose for the <literal>neutron</literal>
|
|
user in the Identity service.</para>
|
|
<programlisting language="ini">[keystone_authtoken]
|
|
...
|
|
auth_uri = http://<replaceable>controller</replaceable>:5000
|
|
auth_host = <replaceable>controller</replaceable>
|
|
auth_protocol = http
|
|
auth_port = 35357
|
|
admin_tenant_name = service
|
|
admin_user = neutron
|
|
admin_password = <replaceable>NEUTRON_PASS</replaceable></programlisting>
|
|
</step>
|
|
</substeps>
|
|
</step>
|
|
<step>
|
|
<para>Configure Networking to use the message broker:</para>
|
|
<substeps>
|
|
<step>
|
|
<para>Edit the
|
|
<filename>/etc/neutron/neutron.conf</filename> file and
|
|
add the following keys to the <literal>[DEFAULT]</literal>
|
|
section:</para>
|
|
<para>Replace <replaceable>RABBIT_PASS</replaceable> with
|
|
the password you chose for the <literal>guest</literal>
|
|
account in <application>RabbitMQ</application>.</para>
|
|
<programlisting language="ini">[DEFAULT]
|
|
...
|
|
rpc_backend = neutron.openstack.common.rpc.impl_kombu
|
|
rabbit_host = <replaceable>controller</replaceable>
|
|
rabbit_password = <replaceable>RABBIT_PASS</replaceable></programlisting>
|
|
</step>
|
|
</substeps>
|
|
</step>
|
|
<step>
|
|
<para>Configure Networking to use the Modular Layer 2 (ML2)
|
|
plug-in and associated services:</para>
|
|
<substeps>
|
|
<step>
|
|
<para>Edit the
|
|
<filename>/etc/neutron/neutron.conf</filename> file and
|
|
add the following keys to the <literal>[DEFAULT]</literal>
|
|
section:</para>
|
|
<programlisting language="ini">[DEFAULT]
|
|
...
|
|
core_plugin = ml2
|
|
service_plugins = router
|
|
allow_overlapping_ips = True</programlisting>
|
|
<note>
|
|
<para>To assist with troubleshooting, add <literal>verbose
|
|
= True</literal> to the <literal>[DEFAULT]</literal>
|
|
section in the
|
|
<filename>/etc/neutron/neutron.conf</filename>
|
|
file.</para>
|
|
</note>
|
|
</step>
|
|
</substeps>
|
|
</step>
|
|
</procedure>
|
|
<procedure>
|
|
<title>To configure the Layer-3 (L3) agent</title>
|
|
<para>The <glossterm>Layer-3 (L3) agent</glossterm> provides
|
|
routing services for instance virtual networks.</para>
|
|
<step>
|
|
<para>Edit the <filename>/etc/neutron/l3_agent.ini</filename>
|
|
file and add the following keys to the
|
|
<literal>[DEFAULT]</literal> section:</para>
|
|
<programlisting language="ini">[DEFAULT]
|
|
...
|
|
interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
|
|
use_namespaces = True</programlisting>
|
|
<note>
|
|
<para>To assist with troubleshooting, add <literal>verbose =
|
|
True</literal> to the <literal>[DEFAULT]</literal> section
|
|
in the <filename>/etc/neutron/l3_agent.ini</filename>
|
|
file.</para>
|
|
</note>
|
|
</step>
|
|
</procedure>
|
|
<procedure>
|
|
<title>To configure the DHCP agent</title>
|
|
<para>The <glossterm>DHCP agent</glossterm> provides
|
|
<glossterm>DHCP</glossterm> services for instance virtual
|
|
networks.</para>
|
|
<step>
|
|
<para>Edit the <filename>/etc/neutron/dhcp_agent.ini</filename>
|
|
file and add the following keys to the
|
|
<literal>[DEFAULT]</literal> section:</para>
|
|
<programlisting language="ini">[DEFAULT]
|
|
...
|
|
interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
|
|
dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq
|
|
use_namespaces = True</programlisting>
|
|
<note>
|
|
<para>To assist with troubleshooting, add <literal>verbose =
|
|
True</literal> to the <literal>[DEFAULT]</literal> section
|
|
in the <filename>/etc/neutron/dhcp_agent.ini</filename>
|
|
file.</para>
|
|
</note>
|
|
</step>
|
|
<step>
|
|
<para>Tunneling protocols such as
|
|
<glossterm>generic routing encapsulation (GRE)</glossterm>
|
|
include additional packet headers that increase overhead and
|
|
decrease space available for the payload or user data. Without
|
|
knowledge of the virtual network infrastructure, instances attempt
|
|
to send packets using the default Ethernet
|
|
<glossterm>maximum transmission unit (MTU)</glossterm> of 1500 bytes.
|
|
<glossterm>Internet protocol (IP)</glossterm> networks contain the
|
|
<glossterm>path MTU discovery (PMTUD)</glossterm> mechanism to detect
|
|
end-to-end MTU and adjust packet size accordingly. However, some
|
|
operating systems and networks block or otherwise lack support for
|
|
PMTUD causing performance degradation or connectivity failure.</para>
|
|
<para>Ideally, you can prevent these problems by enabling
|
|
<glossterm>jumbo frames</glossterm> on the physical network that
|
|
contains your tenant virtual networks. Jumbo frames support MTUs
|
|
up to approximately 9000 bytes which negates the impact of GRE
|
|
overhead on virtual networks. However, many network devices lack
|
|
support for jumbo frames and OpenStack administrators often lack
|
|
control of network infrastructure. Given the latter complications,
|
|
you can also prevent MTU problems by reducing the instance MTU to
|
|
account for GRE overhead. Determining the proper MTU value often
|
|
takes experimentation, but 1454 bytes works in most environments.
|
|
You can configure the <glossterm>DHCP</glossterm> server that assigns
|
|
IP addresses to your instances to also adjust the MTU.</para>
|
|
<note>
|
|
<para>Some cloud images such as CirrOS ignore the DHCP MTU
|
|
option.</para>
|
|
</note>
|
|
<substeps>
|
|
<step>
|
|
<para>Edit the <filename>/etc/neutron/dhcp_agent.ini</filename>
|
|
file and add the following keys to the
|
|
<literal>[DEFAULT]</literal> section:</para>
|
|
<programlisting language="ini">[DEFAULT]
|
|
...
|
|
dnsmasq_config_file = /etc/neutron/dnsmasq-neutron.conf</programlisting>
|
|
</step>
|
|
<step>
|
|
<para>Create and edit the
|
|
<filename>/etc/neutron/dnsmasq-neutron.conf</filename> file and
|
|
add the following keys:</para>
|
|
<programlisting>dhcp-option-force=26,1454</programlisting>
|
|
</step>
|
|
<step>
|
|
<para>Kill any existing
|
|
<systemitem role="process">dnsmasq</systemitem> processes:</para>
|
|
<screen><prompt>#</prompt> <userinput>pkill dnsmasq</userinput></screen>
|
|
</step>
|
|
</substeps>
|
|
</step>
|
|
</procedure>
|
|
<procedure>
|
|
<title>To configure the metadata agent</title>
|
|
<para>The <glossterm>metadata agent</glossterm> provides
|
|
configuration information such as credentials for remote access
|
|
to instances.</para>
|
|
<step>
|
|
<para>Edit the
|
|
<filename>/etc/neutron/metadata_agent.ini</filename> file
|
|
and add the following keys to the <literal>[DEFAULT]</literal>
|
|
section:</para>
|
|
<para>Replace <replaceable>NEUTRON_PASS</replaceable> with the
|
|
password you chose for the <literal>neutron</literal> user in
|
|
the Identity service. Replace
|
|
<replaceable>METADATA_SECRET</replaceable> with a suitable
|
|
secret for the metadata proxy.</para>
|
|
<programlisting language="ini">[DEFAULT]
|
|
...
|
|
auth_url = http://<replaceable>controller</replaceable>:5000/v2.0
|
|
auth_region = regionOne
|
|
admin_tenant_name = service
|
|
admin_user = neutron
|
|
admin_password = <replaceable>NEUTRON_PASS</replaceable>
|
|
nova_metadata_ip = <replaceable>controller</replaceable>
|
|
metadata_proxy_shared_secret = <replaceable>METADATA_SECRET</replaceable></programlisting>
|
|
<note>
|
|
<para>To assist with troubleshooting, add <literal>verbose =
|
|
True</literal> to the <literal>[DEFAULT]</literal> section
|
|
in the <filename>/etc/neutron/metadata_agent.ini</filename>
|
|
file.</para>
|
|
</note>
|
|
</step>
|
|
<step>
|
|
<note>
|
|
<para>Perform the next two steps on the
|
|
<emphasis>controller</emphasis> node.</para>
|
|
</note>
|
|
</step>
|
|
<step>
|
|
<para>On the <emphasis>controller</emphasis> node, edit the
|
|
<filename>/etc/nova/nova.conf</filename> file and add the
|
|
following keys to the <literal>[DEFAULT]</literal>
|
|
section:</para>
|
|
<para>Replace <replaceable>METADATA_SECRET</replaceable> with
|
|
the secret you chose for the metadata proxy.</para>
|
|
<programlisting language="ini">[DEFAULT]
|
|
...
|
|
service_neutron_metadata_proxy = true
|
|
neutron_metadata_proxy_shared_secret = <replaceable>METADATA_SECRET</replaceable></programlisting>
|
|
</step>
|
|
<step>
|
|
<para>On the <emphasis>controller</emphasis> node, restart the
|
|
Compute <glossterm>API</glossterm> service:</para>
|
|
<screen os="rhel;centos;fedora;sles;opensuse"><prompt>#</prompt> <userinput>service openstack-nova-api restart</userinput></screen>
|
|
<screen os="ubuntu;debian"><prompt>#</prompt> <userinput>service nova-api restart</userinput></screen>
|
|
</step>
|
|
</procedure>
|
|
<procedure>
|
|
<title>To configure the Modular Layer 2 (ML2) plug-in</title>
|
|
<para>The ML2 plug-in uses the Open vSwitch (OVS) mechanism
|
|
(agent) to build virtual networking framework for
|
|
instances.</para>
|
|
<step>
|
|
<para>Edit the
|
|
<filename>/etc/neutron/plugins/ml2/ml2_conf.ini</filename>
|
|
file.</para>
|
|
<para>Add the following keys to the <literal>[ml2]</literal>
|
|
section:</para>
|
|
<programlisting language="ini">[ml2]
|
|
...
|
|
type_drivers = gre
|
|
tenant_network_types = gre
|
|
mechanism_drivers = openvswitch</programlisting>
|
|
<para>Add the following keys to the
|
|
<literal>[ml2_type_gre]</literal> section:</para>
|
|
<programlisting language="ini">[ml2_type_gre]
|
|
...
|
|
tunnel_id_ranges = 1:1000</programlisting>
|
|
<para>Add the <literal>[ovs]</literal> section and the following
|
|
keys to it:</para>
|
|
<para>Replace
|
|
<replaceable>INSTANCE_TUNNELS_INTERFACE_IP_ADDRESS</replaceable>
|
|
with the IP address of the instance tunnels network interface
|
|
on your network node.</para>
|
|
<programlisting language="ini">[ovs]
|
|
...
|
|
local_ip = <replaceable>INSTANCE_TUNNELS_INTERFACE_IP_ADDRESS</replaceable>
|
|
tunnel_type = gre
|
|
enable_tunneling = True</programlisting>
|
|
<para>Add the <literal>[securitygroup]</literal> section and the
|
|
following keys to it:</para>
|
|
<programlisting language="ini">[securitygroup]
|
|
...
|
|
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
|
|
enable_security_group = True</programlisting>
|
|
</step>
|
|
</procedure>
|
|
<procedure>
|
|
<title>To configure the Open vSwitch (OVS) service</title>
|
|
<para>The OVS service provides the underlying virtual networking
|
|
framework for instances. The integration bridge
|
|
<literal>br-int</literal> handles internal instance network
|
|
traffic within OVS. The external bridge <literal>br-ex</literal>
|
|
handles external instance network traffic within OVS. The
|
|
external bridge requires a port on the physical external network
|
|
interface to provide instances with external network access. In
|
|
essence, this port bridges the virtual and physical external
|
|
networks in your environment.</para>
|
|
<step os="rhel;centos;fedora">
|
|
<para>Start the OVS service and configure it to start when the
|
|
system boots:</para>
|
|
<screen><prompt>#</prompt> <userinput>service openvswitch start</userinput>
|
|
<prompt>#</prompt> <userinput>chkconfig openvswitch on</userinput></screen>
|
|
</step>
|
|
<step os="sles;opensuse">
|
|
<para>Start the OVS service and configure it to start when the
|
|
system boots:</para>
|
|
<screen><prompt>#</prompt> <userinput>service openvswitch-switch start</userinput>
|
|
<prompt>#</prompt> <userinput>chkconfig openvswitch-switch on</userinput></screen>
|
|
</step>
|
|
<step os="debian;ubuntu">
|
|
<para>Restart the OVS service:</para>
|
|
<screen><prompt>#</prompt> <userinput>service openvswitch-switch restart</userinput></screen>
|
|
</step>
|
|
<step>
|
|
<para>Add the external bridge:</para>
|
|
<screen><prompt>#</prompt> <userinput>ovs-vsctl add-br br-ex</userinput></screen>
|
|
</step>
|
|
<step>
|
|
<para>Add a port to the external bridge that connects to the
|
|
physical external network interface:</para>
|
|
<para>Replace <replaceable>INTERFACE_NAME</replaceable> with the
|
|
actual interface name. For example, <emphasis>eth2</emphasis>
|
|
or <emphasis>ens256</emphasis>.</para>
|
|
<screen><prompt>#</prompt> <userinput>ovs-vsctl add-port br-ex <replaceable>INTERFACE_NAME</replaceable></userinput></screen>
|
|
<note>
|
|
<para>Depending on your network interface driver, you may need
|
|
to disable <glossterm>Generic Receive Offload
|
|
(GRO)</glossterm> to achieve suitable throughput between
|
|
your instances and the external network.</para>
|
|
<para>To temporarily disable GRO on the external network
|
|
interface while testing your environment:</para>
|
|
<screen><prompt>#</prompt> <userinput>ethtool -K <replaceable>INTERFACE_NAME</replaceable> gro off</userinput></screen>
|
|
</note>
|
|
</step>
|
|
</procedure>
|
|
<procedure>
|
|
<title>To finalize the installation</title>
|
|
<step os="rhel;centos;fedora">
|
|
<para>The Networking service initialization scripts expect a
|
|
symbolic link <filename>/etc/neutron/plugin.ini</filename>
|
|
pointing to the configuration file associated with your chosen
|
|
plug-in. Using the ML2 plug-in, for example, the symbolic link
|
|
must point to
|
|
<filename>/etc/neutron/plugins/ml2/ml2_conf.ini</filename>.
|
|
If this symbolic link does not exist, create it using the
|
|
following commands:</para>
|
|
<screen><prompt>#</prompt> <userinput>ln -s /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini</userinput></screen></step>
|
|
<step os="sles;opensuse">
|
|
<para>The Networking service initialization scripts expect the
|
|
variable <literal>NEUTRON_PLUGIN_CONF</literal> in the
|
|
<filename>/etc/sysconfig/neutron</filename> file to
|
|
reference the configuration file associated with your chosen
|
|
plug-in. Using ML2, for example, edit the
|
|
<filename>/etc/sysconfig/neutron</filename> file and add the
|
|
following:</para>
|
|
<programlisting>NEUTRON_PLUGIN_CONF="/etc/neutron/plugins/ml2/ml2_conf.ini"</programlisting>
|
|
</step>
|
|
<step os="rhel;centos;fedora;sles;opensuse">
|
|
<para>Start the Networking services and configure them to start
|
|
when the system boots:</para>
|
|
<screen os="rhel;centos;fedora"><prompt>#</prompt> <userinput>service neutron-openvswitch-agent start</userinput>
|
|
<prompt>#</prompt> <userinput>service neutron-l3-agent start</userinput>
|
|
<prompt>#</prompt> <userinput>service neutron-dhcp-agent start</userinput>
|
|
<prompt>#</prompt> <userinput>service neutron-metadata-agent start</userinput>
|
|
<prompt>#</prompt> <userinput>chkconfig neutron-openvswitch-agent on</userinput>
|
|
<prompt>#</prompt> <userinput>chkconfig neutron-l3-agent on</userinput>
|
|
<prompt>#</prompt> <userinput>chkconfig neutron-dhcp-agent on</userinput>
|
|
<prompt>#</prompt> <userinput>chkconfig neutron-metadata-agent on</userinput>
|
|
<prompt>#</prompt> <userinput>chkconfig neutron-ovs-cleanup on</userinput></screen>
|
|
<screen os="sles;opensuse"><prompt>#</prompt> <userinput>service openstack-neutron-openvswitch-agent start</userinput>
|
|
<prompt>#</prompt> <userinput>service openstack-neutron-l3-agent start</userinput>
|
|
<prompt>#</prompt> <userinput>service openstack-neutron-dhcp-agent start</userinput>
|
|
<prompt>#</prompt> <userinput>service openstack-neutron-metadata-agent start</userinput>
|
|
<prompt>#</prompt> <userinput>chkconfig openstack-neutron-openvswitch-agent on</userinput>
|
|
<prompt>#</prompt> <userinput>chkconfig openstack-neutron-l3-agent on</userinput>
|
|
<prompt>#</prompt> <userinput>chkconfig openstack-neutron-dhcp-agent on</userinput>
|
|
<prompt>#</prompt> <userinput>chkconfig openstack-neutron-metadata-agent on</userinput>
|
|
<prompt>#</prompt> <userinput>chkconfig openstack-neutron-ovs-cleanup on</userinput></screen>
|
|
</step>
|
|
<step os="ubuntu;debian">
|
|
<para>Restart the Networking services:</para>
|
|
<screen><prompt>#</prompt> <userinput>service neutron-plugin-openvswitch-agent restart</userinput>
|
|
<prompt>#</prompt> <userinput>service neutron-l3-agent restart</userinput>
|
|
<prompt>#</prompt> <userinput>service neutron-dhcp-agent restart</userinput>
|
|
<prompt>#</prompt> <userinput>service neutron-metadata-agent restart</userinput></screen>
|
|
</step>
|
|
</procedure>
|
|
</section>
|