4dacac92a6
This is a second patch set for migrating the manual copy and paste configuration file changes to using openstack-config. This completes the Neutron section for installing on a dedicated controller, dedicated network node and a compute host. Change-Id: I5171c7e4573b1e95c41587a81f7c6f803f8975a3
1721 lines
96 KiB
XML
1721 lines
96 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<section xml:id="neutron-install-network-node"
|
|
xmlns="http://docbook.org/ns/docbook"
|
|
xmlns:xi="http://www.w3.org/2001/XInclude"
|
|
xmlns:xlink="http://www.w3.org/1999/xlink"
|
|
xmlns:svg="http://www.w3.org/2000/svg"
|
|
xmlns:html="http://www.w3.org/1999/xhtml" version="5.0">
|
|
<title>Install Networking services</title>
|
|
<para os="debian">When you install a Networking node, you must
|
|
configure it for API endpoints, RabbitMQ,
|
|
<code>keystone_authtoken</code>, and the database. Use
|
|
<package>debconf</package> to configure these values.</para>
|
|
<para os="debian">When you install a Networking package,
|
|
<package>debconf</package> prompts you to choose configuration
|
|
options including which plug-in to use, as follows:</para>
|
|
<informalfigure os="debian">
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata scale="50"
|
|
fileref="figures/debconf-screenshots/neutron_1_plugin_selection.png"
|
|
/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</informalfigure>
|
|
<para os="debian">This parameter sets the
|
|
<parameter>core_plugin</parameter> option value in the
|
|
<filename>/etc/neutron/neutron.conf</filename> file.</para>
|
|
<note os="debian">
|
|
<para>When you install the <package>neutron-common</package>
|
|
package, all plug-ins are installed by default.</para>
|
|
</note>
|
|
<para os="debian">This table lists the values for the
|
|
<parameter>core_plugin</parameter> option. These values depend
|
|
on your response to the <package>debconf</package> prompt.</para>
|
|
<table rules="all" os="debian">
|
|
<caption>Plug-ins and the core_plugin option</caption>
|
|
<thead>
|
|
<tr>
|
|
<th>Plug-in</th>
|
|
<th>core_plugin value in
|
|
<filename>neutron.conf</filename></th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
<tr>
|
|
<td><para>BigSwitch</para></td>
|
|
<td><para>neutron.plugins.bigswitch.plugin.NeutronRestProxyV2</para></td>
|
|
</tr>
|
|
<tr>
|
|
<td><para>Brocade</para></td>
|
|
<td><para>neutron.plugins.brocade.NeutronPlugin.BrocadePluginV2</para></td>
|
|
</tr>
|
|
<tr>
|
|
<td><para>Cisco</para></td>
|
|
<td><para>neutron.plugins.cisco.network_plugin.PluginV2</para></td>
|
|
</tr>
|
|
<tr>
|
|
<td><para>Hyper-V</para></td>
|
|
<td><para>neutron.plugins.hyperv.hyperv_neutron_plugin.HyperVNeutronPlugin</para></td>
|
|
</tr>
|
|
<tr>
|
|
<td><para>LinuxBridge</para></td>
|
|
<td><para>neutron.plugins.linuxbridge.lb_neutron_plugin.LinuxBridgePluginV2</para></td>
|
|
</tr>
|
|
<tr>
|
|
<td><para>Mellanox</para></td>
|
|
<td><para>neutron.plugins.mlnx.mlnx_plugin.MellanoxEswitchPlugin</para></td>
|
|
</tr>
|
|
<tr>
|
|
<td><para>MetaPlugin</para></td>
|
|
<td><para>neutron.plugins.metaplugin.meta_neutron_plugin.MetaPluginV2</para></td>
|
|
</tr>
|
|
<tr>
|
|
<td><para>Midonet</para></td>
|
|
<td><para>neutron.plugins.midonet.plugin.MidonetPluginV2</para></td>
|
|
</tr>
|
|
<tr>
|
|
<td><para>ml2</para></td>
|
|
<td><para>neutron.plugins.ml2.plugin.Ml2Plugin</para></td>
|
|
</tr>
|
|
<tr>
|
|
<td><para>Nec</para></td>
|
|
<td><para>neutron.plugins.nec.nec_plugin.NECPluginV2</para></td>
|
|
</tr>
|
|
<tr>
|
|
<td><para>OpenVSwitch</para></td>
|
|
<td><para>neutron.plugins.openvswitch.ovs_neutron_plugin.OVSNeutronPluginV2</para></td>
|
|
</tr>
|
|
<tr>
|
|
<td><para>PLUMgrid</para></td>
|
|
<td><para>neutron.plugins.plumgrid.plumgrid_nos_plugin.plumgrid_plugin.NeutronPluginPLUMgridV2</para></td>
|
|
</tr>
|
|
<tr>
|
|
<td><para>RYU</para></td>
|
|
<td><para>neutron.plugins.ryu.ryu_neutron_plugin.RyuNeutronPluginV2</para></td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
<para os="debian">Depending on the value of
|
|
<parameter>core_plugin</parameter>, the start-up scripts start
|
|
the daemons by using the corresponding plug-in configuration file
|
|
directly. For example, if you selected the Open vSwitch plug-in,
|
|
<code>neutron-server</code> automatically launches with
|
|
<parameter>--config-file
|
|
/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini</parameter>.</para>
|
|
<para os="debian">The <package>neutron-common</package> package also
|
|
prompts you for the default network configuration:</para>
|
|
<informalfigure os="debian">
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata scale="50"
|
|
fileref="figures/debconf-screenshots/neutron_2_networking_type.png"
|
|
/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</informalfigure>
|
|
<informalfigure os="debian">
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata scale="50"
|
|
fileref="figures/debconf-screenshots/neutron_3_hypervisor_ip.png"
|
|
/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</informalfigure>
|
|
<para os="rhel;centos;fedora;opensuse;sles;ubuntu">Before you
|
|
configure individual nodes for Networking, you must create the
|
|
required OpenStack components: user, service, database, and one or
|
|
more endpoints. After you complete these steps on the controller
|
|
node, follow the instructions in this guide to set up OpenStack
|
|
Networking nodes.</para>
|
|
<procedure os="rhel;centos;fedora;opensuse;sles;ubuntu">
|
|
<step>
|
|
<!-- TODO(sross): change this to use `openstack-db` once it supports Neutron -->
|
|
<!-- TODO(sross): move this into its own section -->
|
|
<para>Use the password that you set previously to log in as root
|
|
and create a <literal>neutron</literal> database:</para>
|
|
<screen><prompt>#</prompt> <userinput>mysql -u root -p</userinput>
|
|
<prompt>mysql></prompt> <userinput>CREATE DATABASE neutron;</userinput>
|
|
<prompt>mysql></prompt> <userinput>GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'localhost' \
|
|
IDENTIFIED BY '<replaceable>NEUTRON_DBPASS</replaceable>';</userinput>
|
|
<prompt>mysql></prompt> <userinput>GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'%' \
|
|
IDENTIFIED BY '<replaceable>NEUTRON_DBPASS</replaceable>';</userinput></screen>
|
|
</step>
|
|
<step>
|
|
<para>Create the required user, service, and endpoint so that
|
|
Networking can interface with the Identity Service.</para>
|
|
<para>To list the tenant IDs:</para>
|
|
<screen><prompt>#</prompt> <userinput>keystone tenant-list</userinput></screen>
|
|
<para>To list role IDs:</para>
|
|
<screen><prompt>#</prompt> <userinput>keystone role-list</userinput></screen>
|
|
<para>Create a <literal>neutron</literal> user:</para>
|
|
<screen><prompt>#</prompt> <userinput>keystone user-create --name=neutron --pass=<replaceable>NEUTRON_PASS</replaceable> --email=<replaceable>neutron@example.com</replaceable></userinput></screen>
|
|
<para>Add the user role to the neutron user:</para>
|
|
<screen><prompt>#</prompt> <userinput>keystone user-role-add --user=neutron --tenant=service --role=admin</userinput></screen>
|
|
<para>Create the neutron service:</para>
|
|
<screen><prompt>#</prompt> <userinput>keystone service-create --name=neutron --type=network \
|
|
--description="OpenStack Networking Service"</userinput></screen>
|
|
<para>Create a Networking endpoint. Use the
|
|
<literal>id</literal> property for the service that was
|
|
returned in the previous step to create the endpoint:</para>
|
|
<screen><prompt>#</prompt> <userinput>keystone endpoint-create \
|
|
--service-id <replaceable>the_service_id_above</replaceable> \
|
|
--publicurl http://<replaceable>controller</replaceable>:9696 \
|
|
--adminurl http://<replaceable>controller</replaceable>:9696 \
|
|
--internalurl http://<replaceable>controller</replaceable>:9696</userinput></screen>
|
|
</step>
|
|
</procedure>
|
|
<section xml:id="neutron-install.dedicated-network-node">
|
|
<title>Install Networking services on a dedicated network
|
|
node</title>
|
|
<note>
|
|
<para>Before you start, set up a machine as a dedicated network
|
|
node. Dedicated network nodes have a
|
|
<replaceable>MGMT_INTERFACE</replaceable> NIC, a
|
|
<replaceable>DATA_INTERFACE</replaceable> NIC, and a
|
|
<replaceable>EXTERNAL_INTERFACE</replaceable> NIC.</para>
|
|
<para>The management network handles communication among nodes.
|
|
The data network handles communication coming to and from VMs.
|
|
The external NIC connects the network node, and optionally to
|
|
the controller node, so your VMs can connect to the outside
|
|
world.</para>
|
|
<para>All NICs must have static IPs. However, the data and
|
|
external NICs have a special set up. For details about
|
|
Networking plug-ins, see <xref
|
|
linkend="install-neutron.install-plug-in"/>.</para>
|
|
</note>
|
|
<warning os="rhel;centos">
|
|
<para>By default, the <literal>system-config-firewall</literal>
|
|
automated firewall configuration tool is in place on RHEL.
|
|
This graphical interface (and a curses-style interface with
|
|
<literal>-tui</literal> on the end of the name) enables you
|
|
to configure IP tables as a basic firewall. You should disable
|
|
it when you work with Networking unless you are familiar with
|
|
the underlying network technologies, as, by default, it blocks
|
|
various types of network traffic that are important to
|
|
Networking. To disable it, simply launch the program and clear
|
|
the <guilabel>Enabled</guilabel> check box.</para>
|
|
<para>After you successfully set up OpenStack Networking, you
|
|
can re-enable and configure the tool. However, during
|
|
Networking set up, disable the tool to make it easier to debug
|
|
network issues.</para>
|
|
</warning>
|
|
<procedure>
|
|
<step>
|
|
<para>Install the OpenStack Networking service on the network
|
|
node:</para>
|
|
<screen os="ubuntu;debian"><prompt>#</prompt> <userinput>apt-get install neutron-server neutron-dhcp-agent neutron-plugin-openvswitch-agent neutron-l3-agent</userinput></screen>
|
|
<screen os="rhel;centos;fedora"><prompt>#</prompt> <userinput>yum install openstack-neutron</userinput></screen>
|
|
<screen os="opensuse;sles"><prompt>#</prompt> <userinput>zypper install openstack-neutron openstack-neutron-l3-agent \
|
|
openstack-neutron-dhcp-agent openstack-neutron-metadata-agent</userinput></screen>
|
|
</step>
|
|
<step os="debian">
|
|
<para>Respond to prompts for <link
|
|
linkend="debconf-dbconfig-common">database
|
|
management</link>, <link
|
|
linkend="debconf-keystone_authtoken"
|
|
><literal>[keystone_authtoken]</literal>
|
|
settings</link>, <link linkend="debconf-rabbitqm">RabbitMQ
|
|
credentials</link> and <link
|
|
linkend="debconf-api-endpoints">API endpoint</link>
|
|
registration.</para>
|
|
</step>
|
|
<step os="rhel;centos;fedora;opensuse;sles">
|
|
<para>Configure basic Networking-related services to start at
|
|
boot time:</para>
|
|
<screen os="rhel;centos;fedora"><prompt>#</prompt> <userinput>for s in neutron-{dhcp,metadata,l3}-agent; do chkconfig $s on; done</userinput></screen>
|
|
<screen os="opensuse;sles"><prompt>#</prompt> <userinput>for s in openstack-neutron-{dhcp,metadata,l3}-agent; do chkconfig $s on; done</userinput></screen>
|
|
</step>
|
|
<step>
|
|
<para>Enable packet forwarding and disable packet destination
|
|
filtering so that the network node can coordinate traffic
|
|
for the VMs. Edit the <filename>/etc/sysctl.conf</filename>
|
|
file, as follows:</para>
|
|
<programlisting language="ini">net.ipv4.ip_forward=1
|
|
net.ipv4.conf.all.rp_filter=0
|
|
net.ipv4.conf.default.rp_filter=0</programlisting>
|
|
<para>Use the <command>sysctl</command> command to ensure the
|
|
changes made to the <filename>/etc/sysctl.conf</filename>
|
|
file take effect:</para>
|
|
<screen><prompt>#</prompt> <userinput>sysctl -p</userinput></screen>
|
|
<note>
|
|
<para>It is recommended that the networking service is
|
|
restarted after changing values related to the networking
|
|
configuration. This ensures that all modified values take
|
|
effect immediately:</para>
|
|
<screen os="ubuntu"><prompt>#</prompt> <userinput>service networking restart</userinput></screen>
|
|
<screen os="rhel;centos;fedora;opensuse;sles"><prompt>#</prompt> <userinput>service network restart</userinput></screen>
|
|
</note>
|
|
</step>
|
|
<step os="rhel;centos;fedora;opensuse;sles">
|
|
<para>Configure Networking to use <systemitem class="service">keystone</systemitem> for authentication:</para>
|
|
<substeps>
|
|
<step>
|
|
<para>Set the <literal>auth_strategy</literal>
|
|
configuration key to <literal>keystone</literal> in the
|
|
<literal>DEFAULT</literal> section of the file:</para>
|
|
<screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT auth_strategy keystone</userinput></screen>
|
|
</step>
|
|
<step>
|
|
<para>Set the <systemitem class="service">neutron</systemitem> configuration for
|
|
<systemitem class="service">keystone</systemitem> authentication:</para>
|
|
<screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
|
|
auth_port 35357</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
|
|
auth_protocol http</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
|
|
admin_tenant_name service</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
|
|
admin_user neutron</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
|
|
admin_password <replaceable>NEUTRON_PASS</replaceable></userinput></screen>
|
|
</step></substeps>
|
|
</step>
|
|
<step os="ubuntu">
|
|
<para>To configure <systemitem class="service">neutron</systemitem> to use <systemitem class="service">keystone</systemitem>
|
|
for authentication, edit the <filename>/etc/neutron/neutron.conf</filename>file.</para>
|
|
<substeps>
|
|
<step>
|
|
<para>Set the <literal>auth_strategy</literal>
|
|
configuration key to <literal>keystone</literal> in the
|
|
<literal>DEFAULT</literal> section of the file:</para>
|
|
<programlisting language="ini">auth_strategy = keystone</programlisting>
|
|
</step>
|
|
<step>
|
|
<para>Add these lines to the
|
|
<literal>keystone_authtoken</literal> section of the
|
|
file:</para>
|
|
<programlisting language="ini">auth_host = <replaceable>controller</replaceable>
|
|
auth_port = 35357
|
|
auth_protocol = http
|
|
admin_tenant_name = service
|
|
admin_user = neutron
|
|
admin_password = <replaceable>NEUTRON_PASS</replaceable></programlisting>
|
|
</step>
|
|
</substeps>
|
|
</step>
|
|
<step os="rhel;centos;fedora">
|
|
<para>Set the <literal>root_helper</literal> configuration in the
|
|
<literal>[agent]</literal> section of <filename>/etc/neutron/neutron.conf</filename>:</para>
|
|
<screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf AGENT \
|
|
root_helper sudo neutron-rootwrap /etc/neutron/rootwrap.conf</userinput></screen>
|
|
</step>
|
|
<step os="opensuse;sles">
|
|
<para>Configure access to the <application>RabbitMQ</application> service:</para>
|
|
<screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
|
|
rpc_backend neutron.openstack.common.rpc.impl_kombu</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
|
|
rabbit_host controller</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
|
|
rabbit_userid guest</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
|
|
rabbit_password <replaceable>RABBIT_PASS</replaceable></userinput></screen>
|
|
</step>
|
|
<step os="ubuntu">
|
|
<para>Configure the <application>RabbitMQ</application> access. Edit the
|
|
<filename>/etc/neutron/neutron.conf</filename> file to
|
|
modify the following parameters in the
|
|
<literal>DEFAULT</literal> section.</para>
|
|
<programlisting language="ini">rabbit_host = controller
|
|
rabbit_userid = guest
|
|
rabbit_password = <replaceable>RABBIT_PASS</replaceable></programlisting>
|
|
</step>
|
|
<step os="rhel;centos;fedora">
|
|
<para>Configure access to the <application>Qpid</application> message queue:</para>
|
|
<screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
|
|
rpc_backend neutron.openstack.common.rpc.impl_qpid</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
|
|
qpid_hostname <replaceable>controller</replaceable></userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
|
|
qpid_port 5672</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
|
|
qpid_username <replaceable>guest</replaceable></userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
|
|
qpid_password <replaceable>guest</replaceable></userinput></screen>
|
|
</step>
|
|
<step os="rhel;centos;fedora;opensuse;sles">
|
|
<para>Configure Networking to connect to the database:</para>
|
|
<screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DATABASE sql_connection \
|
|
mysql://neutron:<replaceable>NEUTRON_DBPASS</replaceable>@controller/neutron</userinput></screen>
|
|
</step>
|
|
<step os="ubuntu">
|
|
<para>Configure Networking to connect to the database. Edit
|
|
the <literal>[database]</literal> section in the same file,
|
|
as follows:</para>
|
|
<programlisting language="ini">[database]
|
|
connection = mysql://neutron:<replaceable>NEUTRON_DBPASS</replaceable>@<replaceable>controller</replaceable>/neutron</programlisting>
|
|
</step>
|
|
<step os="rhel;centos;fedora;opensuse;sles">
|
|
<para>Configure the <filename>/etc/neutron/api-paste.ini</filename> file for <systemitem class="service">keystone</systemitem>
|
|
authentication:</para>
|
|
<screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/api-paste.ini filter:authtoken \
|
|
paste.filter_factory keystoneclient.middleware.auth_token:filter_factory</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/api-paste.ini filter:authtoken \
|
|
auth_host <replaceable>controller</replaceable></userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/api-paste.ini filter:authtoken \
|
|
auth_uri http://<replaceable>controller</replaceable>:5000</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/api-paste.ini filter:authtoken \
|
|
admin_tenant_name service</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/api-paste.ini filter:authtoken \
|
|
admin_user neutron</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/api-paste.ini filter:authtoken \
|
|
admin_password <replaceable>NEUTRON_PASS</replaceable></userinput></screen>
|
|
</step>
|
|
<step os="ubuntu">
|
|
<para>Edit the <filename>/etc/neutron/api-paste.ini</filename>
|
|
file and add these lines to the
|
|
<literal>[filter:authtoken]</literal> section:</para>
|
|
<programlisting language="ini">[filter:authtoken]
|
|
paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
|
|
auth_host = <replaceable>controller</replaceable>
|
|
auth_uri = http://<replaceable>controller</replaceable>:5000
|
|
admin_tenant_name = service
|
|
admin_user = neutron
|
|
admin_password = <replaceable>NEUTRON_PASS</replaceable></programlisting>
|
|
<warning>
|
|
<para><literal>keystoneclient.middleware.auth_token</literal>:
|
|
You must configure <literal>auth_uri</literal> to point to
|
|
the public identity endpoint. Otherwise, clients might not
|
|
be able to authenticate against an admin endpoint.</para>
|
|
</warning>
|
|
</step>
|
|
<step os="debian">
|
|
<para>Configure your network plug-in. For instructions, see
|
|
<link linkend="install-neutron.install-plug-in"
|
|
>instructions</link>. Then, return here.</para>
|
|
</step>
|
|
<step os="rhel;centos;fedora;opensuse;sles;ubuntu">
|
|
<para>Install and configure a networking plug-in. OpenStack
|
|
Networking uses this plug-in to perform software-defined
|
|
networking. See <xref linkend="install-neutron.install-plug-in"/>
|
|
for further details. Then, return here when finished.</para>
|
|
</step>
|
|
</procedure>
|
|
<para>Now that you've installed and configured a plug-in, it is time to configure
|
|
the remaining parts of OpenStack Networking.</para>
|
|
<procedure>
|
|
<step>
|
|
<para>To perform DHCP on the software-defined networks,
|
|
Networking supports several different plug-ins. However, in
|
|
general, you use the <application>dnsmasq</application> plug-in.</para>
|
|
<para>Configure the
|
|
<filename>/etc/neutron/dhcp_agent.ini</filename>
|
|
file:</para>
|
|
<programlisting language="ini" os="ubuntu;debian">dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq</programlisting>
|
|
<screen os="rhel;centos;fedora;opensuse;sles">
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/dhcp_agent.ini DEFAULT \
|
|
dhcp_driver neutron.agent.linux.dhcp.Dnsmasq</userinput></screen>
|
|
</step>
|
|
<step>
|
|
<para>To allow virtual machines to access the Compute metadata
|
|
information, the Networking metadata agent must be enabled
|
|
and configured. The agent will act as a proxy for the
|
|
Compute metadata service.</para>
|
|
<para>On the controller, edit the
|
|
<filename>/etc/nova/nova.conf</filename> file to define a
|
|
secret key that will be shared between the Compute Service
|
|
and the Networking metadata agent.</para>
|
|
<para os="debian;ubuntu">Add to the
|
|
<literal>[DEFAULT]</literal> section:</para>
|
|
<programlisting os="ubuntu;debian" language="ini">[DEFAULT]
|
|
neutron_metadata_proxy_shared_secret = <replaceable>METADATA_PASS</replaceable>
|
|
service_neutron_metadata_proxy = true</programlisting>
|
|
<para os="opensuse;sles;rhel;centos;fedora">Set the
|
|
<literal>neutron_metadata_proxy_shared_secret</literal>
|
|
key:</para>
|
|
<screen os="opensuse;sles;rhel;centos;fedora"><prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
|
|
neutron_metadata_proxy_shared_secret <replaceable>METADATA_PASS</replaceable></userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
|
|
service_neutron_metadata_proxy true</userinput></screen>
|
|
<para>Restart the <systemitem class="service"
|
|
>nova-api</systemitem> service:</para>
|
|
<screen os="debian;ubuntu"><prompt>#</prompt> <userinput>service nova-api restart</userinput></screen>
|
|
<screen os="centos;rhel;fedora;opensuse;sles"><prompt>#</prompt> <userinput>service openstack-nova-api restart</userinput></screen>
|
|
<para>On the network node, modify the metadata agent
|
|
configuration.</para>
|
|
<para os="debian;ubuntu">Edit the
|
|
<filename>/etc/neutron/metadata_agent.ini</filename> file
|
|
and modify the <literal>[DEFAULT]</literal> section:</para>
|
|
<programlisting os="debian;ubuntu" language="ini">[DEFAULT]
|
|
auth_url = http://controller:5000/v2.0
|
|
auth_region = regionOne
|
|
admin_tenant_name = service
|
|
admin_user = neutron
|
|
admin_password = <replaceable>NEUTRON_PASS</replaceable>
|
|
nova_metadata_ip = controller
|
|
metadata_proxy_shared_secret = <replaceable>METADATA_PASS</replaceable></programlisting>
|
|
<para os="opensuse;sles;rhel;centos;fedora">Set the required
|
|
keys:</para>
|
|
<screen os="opensuse;sles;rhel;centos;fedora"><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT \
|
|
auth_url http://controller:5000/v2.0</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT \
|
|
auth_region regionOne</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT \
|
|
admin_tenant_name service</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT \
|
|
admin_user neutron</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT \
|
|
admin_password <replaceable>NEUTRON_PASS</replaceable></userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT \
|
|
nova_metadata_ip controller</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT \
|
|
metadata_proxy_shared_secret <replaceable>METADATA_PASS</replaceable></userinput></screen>
|
|
<note>
|
|
<para>The value of <literal>auth_region</literal> is
|
|
case-sensitive and must match the endpoint region defined
|
|
in Keystone.</para>
|
|
</note>
|
|
</step>
|
|
<step os="rhel;centos;fedora">
|
|
<para>The <systemitem class="service">neutron-server</systemitem>
|
|
initialization script expects a symbolic link
|
|
<filename>/etc/neutron/plugin.ini</filename> pointing to the
|
|
configuration file associated with your chosen plug-in. Using
|
|
Open vSwitch, for example, the symbolic link must point to
|
|
<filename>/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini</filename>.
|
|
If this symbolic link does not exist, create it using the
|
|
following commands:</para>
|
|
<screen><prompt>#</prompt> <userinput>cd /etc/neutron</userinput>
|
|
<prompt>#</prompt> <userinput>ln -s plugins/openvswitch/ovs_neutron_plugin.ini plugin.ini</userinput></screen>
|
|
</step>
|
|
<step os="sles;opensuse">
|
|
<para>The <systemitem class="service">openstack-neutron</systemitem>
|
|
initialization script expects the variable
|
|
<literal>NEUTRON_PLUGIN_CONF</literal> in file
|
|
<filename>/etc/sysconfig/neutron</filename> to reference the
|
|
configuration file associated with your chosen plug-in. Using
|
|
Open vSwitch, for example, edit the
|
|
<filename>/etc/sysconfig/neutron</filename> file and add the
|
|
following:</para>
|
|
<programlisting>NEUTRON_PLUGIN_CONF="/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini"</programlisting>
|
|
</step>
|
|
<step>
|
|
<para>Restart Networking services.</para>
|
|
<screen os="ubuntu;debian"><prompt>#</prompt> <userinput>service neutron-server restart</userinput>
|
|
<prompt>#</prompt> <userinput>service neutron-dhcp-agent restart</userinput>
|
|
<prompt>#</prompt> <userinput>service neutron-l3-agent restart</userinput>
|
|
<prompt>#</prompt> <userinput>service neutron-metadata-agent restart</userinput></screen>
|
|
<screen os="rhel;centos;fedora"><prompt>#</prompt> <userinput>service neutron-server restart</userinput>
|
|
<prompt>#</prompt> <userinput>service neutron-dhcp-agent restart</userinput>
|
|
<prompt>#</prompt> <userinput>service neutron-l3-agent restart</userinput>
|
|
<prompt>#</prompt> <userinput>service neutron-metadata-agent restart</userinput></screen>
|
|
<screen os="sles;opensuse"><prompt>#</prompt> <userinput>service openstack-neutron restart</userinput>
|
|
<prompt>#</prompt> <userinput>service openstack-neutron-dhcp-agent restart</userinput>
|
|
<prompt>#</prompt> <userinput>service openstack-neutron-l3-agent restart</userinput>
|
|
<prompt>#</prompt> <userinput>service openstack-neutron-metadata-agent restart</userinput></screen>
|
|
<para>Also restart your chosen Networking plug-in agent, for example, Open vSwitch.</para>
|
|
<screen os="ubuntu;debian"><prompt>#</prompt> <userinput>service neutron-plugin-openvswitch-agent restart</userinput></screen>
|
|
<screen os="rhel;centos;fedora"><prompt>#</prompt> <userinput>service neutron-openvswitch-agent restart</userinput></screen>
|
|
<screen os="sles;opensuse"><prompt>#</prompt> <userinput>service openstack-neutron-openvswitch-agent restart</userinput></screen>
|
|
</step>
|
|
<step>
|
|
<para>After you configure the <link
|
|
linkend="install-neutron.dedicated-compute-node"
|
|
>compute</link> and <link
|
|
linkend="install-neutron.dedicated-controller-node"
|
|
>controller</link> nodes, <link
|
|
linkend="install-neutron.configure-networks">configure the
|
|
base networks</link>.</para>
|
|
</step>
|
|
</procedure>
|
|
<section xml:id="install-neutron.install-plug-in">
|
|
<title>Install and configure the Networking plug-ins</title>
|
|
<section xml:id="install-neutron.install-plug-in.ovs">
|
|
<title>Install the Open vSwitch (OVS) plug-in</title>
|
|
<procedure>
|
|
<step>
|
|
<para>Install the Open vSwitch plug-in and its
|
|
dependencies:</para>
|
|
<screen os="ubuntu;debian"><prompt>#</prompt> <userinput>apt-get install neutron-plugin-openvswitch-agent openvswitch-switch</userinput></screen>
|
|
<screen os="rhel;fedora;centos"><prompt>#</prompt> <userinput>yum install openstack-neutron-openvswitch</userinput></screen>
|
|
<screen os="opensuse;sles"><prompt>#</prompt> <userinput>zypper install openstack-neutron-openvswitch-agent</userinput></screen>
|
|
<note os="ubuntu">
|
|
<para>On Ubuntu 12.04 LTS with GRE you must install
|
|
openvswitch-datapath-dkms and restart the service to
|
|
enable the GRE flow so that OVS 1.10 and higher is
|
|
used. Make sure you are running the OVS 1.10 kernel
|
|
module in addition to the OVS 1.10 user space. Both
|
|
the kernel module and user space are required for
|
|
VXLAN support. The error you see in the
|
|
<filename>/var/log/openvswitchovs-vswitchd.log</filename>
|
|
log file is "Stderr: 'ovs-ofctl: -1: negative values
|
|
not supported for in_port\n'". If you see this error,
|
|
make sure <command>modinfo openvswitch</command> shows
|
|
the right version. Also check the output from
|
|
<command>dmesg</command> for the version of the OVS
|
|
module being loaded.</para>
|
|
</note>
|
|
</step>
|
|
<step>
|
|
<para>Start Open vSwitch:</para>
|
|
<screen os="debian;rhel;fedora;centos"><prompt>#</prompt> <userinput>service openvswitch start</userinput></screen>
|
|
<screen os="opensuse;sles"><prompt>#</prompt> <userinput>service openvswitch-switch start</userinput></screen>
|
|
<screen os="ubuntu"><prompt>#</prompt> <userinput>service openvswitch-switch restart</userinput></screen>
|
|
<para os="rhel;fedora;centos;opensuse;sles">And configure
|
|
it to start when the system boots:</para>
|
|
<screen os="rhel;fedora;centos"><prompt>#</prompt> <userinput>chkconfig openvswitch on</userinput></screen>
|
|
<screen os="opensuse;sles"><prompt>#</prompt> <userinput>chkconfig openvswitch-switch on</userinput></screen>
|
|
</step>
|
|
<step>
|
|
<para>No matter which networking technology you use, you
|
|
must add the <literal>br-int</literal> integration
|
|
bridge, which connects to the VMs, and the
|
|
<literal>br-ex</literal> external bridge, which
|
|
connects to the outside world.</para>
|
|
<screen><prompt>#</prompt> <userinput>ovs-vsctl add-br br-int</userinput>
|
|
<prompt>#</prompt> <userinput>ovs-vsctl add-br br-ex</userinput></screen>
|
|
</step>
|
|
<step>
|
|
<para>Add a <firstterm>port</firstterm> (connection) from
|
|
the <replaceable>EXTERNAL_INTERFACE</replaceable>
|
|
interface to <literal>br-ex</literal> interface:</para>
|
|
<screen><prompt>#</prompt> <userinput>ovs-vsctl add-port br-ex <replaceable>EXTERNAL_INTERFACE</replaceable></userinput></screen>
|
|
<warning>
|
|
<para>The host must have an IP address associated
|
|
with an interface other than <replaceable>EXTERNAL_INTERFACE</replaceable>,
|
|
and your remote terminal session must be associated with this other
|
|
IP address.</para>
|
|
<para>If you associate an IP address with <replaceable>EXTERNAL_INTERFACE</replaceable>,
|
|
that IP address stops working after you issue the <command>ovs-vsctl add-port br-ex <replaceable>EXTERNAL_INTERFACE</replaceable></command> command.
|
|
If you associate a remote terminal session with that
|
|
IP address, you lose connectivity with the host.</para>
|
|
<para>For more details about this behavior, see the
|
|
<emphasis>Configuration Problems</emphasis> section of the
|
|
<link xlink:href="http://git.openvswitch.org/cgi-bin/gitweb.cgi?p=openvswitch;a=blob_plain;f=FAQ;hb=HEAD">Open vSwitch FAQ</link>.
|
|
</para>
|
|
</warning>
|
|
</step>
|
|
<step>
|
|
<para>Configure the
|
|
<replaceable>EXTERNAL_INTERFACE</replaceable> without
|
|
an IP address and in promiscuous mode. Additionally, you
|
|
must set the newly created <literal>br-ex</literal>
|
|
interface to have the IP address that formerly belonged
|
|
to <replaceable>EXTERNAL_INTERFACE</replaceable>.</para>
|
|
<warning os="ubuntu">
|
|
<para>Generic Receive Offload (GRO) should not be
|
|
enabled on this interface as it can cause severe
|
|
performance problems. It can be disabled with the
|
|
ethtool utility.</para>
|
|
</warning>
|
|
<para os="rhel;fedora;centos">Edit the
|
|
<filename>/etc/sysconfig/network-scripts/ifcfg-EXTERNAL_INTERFACE</filename>
|
|
file:</para>
|
|
<programlisting language="ini" os="rhel;fedora;centos">DEVICE_INFO_HERE
|
|
ONBOOT=yes
|
|
BOOTPROTO=none
|
|
PROMISC=yes</programlisting>
|
|
</step>
|
|
<step os="rhel;fedora;centos">
|
|
<para>Create and edit the
|
|
<filename>/etc/sysconfig/network-scripts/ifcfg-br-ex</filename>
|
|
file:</para>
|
|
<programlisting language="ini">DEVICE=br-ex
|
|
TYPE=Bridge
|
|
ONBOOT=no
|
|
BOOTPROTO=none
|
|
IPADDR=EXTERNAL_INTERFACE_IP
|
|
NETMASK=EXTERNAL_INTERFACE_NETMASK
|
|
GATEWAY=EXTERNAL_INTERFACE_GATEWAY</programlisting>
|
|
</step>
|
|
<!-- TODO(sross): support other distros -->
|
|
<step>
|
|
<para>You must set some common configuration options no
|
|
matter which networking technology you choose to use
|
|
with Open vSwitch. Configure the L3 and DHCP agents to
|
|
use <acronym>OVS</acronym> and namespaces. Edit the
|
|
<filename>/etc/neutron/l3_agent.ini</filename> and
|
|
<filename>/etc/neutron/dhcp_agent.ini</filename>
|
|
files, respectively:</para>
|
|
<programlisting language="ini">interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
|
|
use_namespaces = True</programlisting>
|
|
<para os="rhel;centos">You must enable veth support if you
|
|
use certain kernels. Some kernels, such as recent
|
|
versions of RHEL (not RHOS) and CentOS, only partially
|
|
support namespaces. Edit the previous files, as
|
|
follows:</para>
|
|
<programlisting language="ini" os="rhel;centos">ovs_use_veth = True</programlisting>
|
|
</step>
|
|
<step os="rhel;centos;fedora;opensuse;sles;ubuntu">
|
|
<para>Similarly, you must also tell Neutron core to use
|
|
<acronym>OVS</acronym>. Edit the
|
|
<filename>/etc/neutron/neutron.conf</filename>
|
|
file:</para>
|
|
<programlisting language="ini">core_plugin = neutron.plugins.openvswitch.ovs_neutron_plugin.OVSNeutronPluginV2</programlisting>
|
|
</step>
|
|
<step>
|
|
<para>Choose a networking technology to create the virtual
|
|
networks. Neutron supports GRE tunneling, VLANs, and
|
|
VXLANs. This guide shows how to configure GRE tunneling
|
|
and VLANs.</para>
|
|
<para>
|
|
<link linkend="install-neutron.install-plug-in.ovs.gre"
|
|
>GRE tunneling</link> is simpler to set up because it
|
|
does not require any special configuration from any
|
|
physical network hardware. However, its protocol makes
|
|
it difficult to filter traffic on the physical network.
|
|
Additionally, this configuration does not use
|
|
namespaces. You can have only one router for each
|
|
network node. However, you can enable namespacing, and
|
|
potentially veth, as described in the section detailing
|
|
how to use VLANs with <acronym>OVS</acronym>).</para>
|
|
<para>On the other hand, <link
|
|
linkend="install-neutron.install-plug-in.ovs.vlan"
|
|
>VLAN tagging</link> modifies the ethernet header of
|
|
packets. You can filter packets on the physical network
|
|
through normal methods. However, not all NICs handle the
|
|
increased packet size of VLAN-tagged packets well, and
|
|
you might need to complete additional configuration on
|
|
physical network hardware to ensure that your Neutron
|
|
VLANs do not interfere with any other VLANs on your
|
|
network and that any physical network hardware between
|
|
nodes does not strip VLAN tags.</para>
|
|
<note>
|
|
<para>While the examples in this guide enable network
|
|
namespaces by default, you can disable them if issues
|
|
occur or your kernel does not support them. Edit the
|
|
<filename>/etc/neutron/l3_agent.ini</filename> and
|
|
<filename>/etc/neutron/dhcp_agent.ini</filename>
|
|
files, respectively:</para>
|
|
<programlisting language="ini">use_namespaces = False</programlisting>
|
|
<para>Edit the
|
|
<filename>/etc/neutron/neutron.conf</filename> file
|
|
to disable overlapping IP addresses:</para>
|
|
<programlisting language="ini">allow_overlapping_ips = False</programlisting>
|
|
<para>Note that when network namespaces are disabled,
|
|
you can have only one router for each network node and
|
|
overlapping IP addresses are not supported.</para>
|
|
<para>You must complete additional steps after you
|
|
create the initial Neutron virtual networks and
|
|
router.</para>
|
|
</note>
|
|
</step>
|
|
<!-- TODO(sross): support provider networks? you need to modify things above for this to work -->
|
|
<step>
|
|
<para>Configure a firewall plug-in. If you do not wish to
|
|
enforce firewall rules, called <firstterm>security
|
|
groups</firstterm> by OpenStack, you can use
|
|
<literal>neutron.agent.firewall.NoopFirewall</literal>.
|
|
Otherwise, you can choose one of the Networking firewall
|
|
plug-ins. The most common choice is the Hybrid
|
|
OVS-IPTables driver, but you can also use the
|
|
Firewall-as-a-Service driver. Edit the
|
|
<filename>/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini</filename>
|
|
file:</para>
|
|
<programlisting language="ini">[securitygroup]
|
|
# Firewall driver for realizing neutron security group function.
|
|
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver</programlisting>
|
|
<warning>
|
|
<para>You must use at least the No-Op firewall.
|
|
Otherwise, Horizon and other OpenStack services cannot
|
|
get and set required VM boot options.</para>
|
|
</warning>
|
|
</step>
|
|
<!-- TODO(sross): document other firewall options -->
|
|
<step os="rhel;centos;fedora;sles;opensuse">
|
|
<para>Configure the <acronym>OVS</acronym> plug-in to start
|
|
on boot.</para>
|
|
<screen os="fedora;centos;rhel"><prompt>#</prompt> <userinput>chkconfig neutron-openvswitch-agent on</userinput></screen>
|
|
<screen os="sles;opensuse"><prompt>#</prompt> <userinput>chkconfig openstack-neutron-openvswitch-agent on</userinput></screen>
|
|
</step>
|
|
<step>
|
|
<para>Now, return to the general <acronym>OVS</acronym>
|
|
instructions.</para>
|
|
</step>
|
|
</procedure>
|
|
<section xml:id="install-neutron.install-plug-in.ovs.gre">
|
|
<title>Configure the Neutron <acronym>OVS</acronym> plug-in
|
|
for GRE tunneling</title>
|
|
<procedure>
|
|
<step>
|
|
<para>Configure the <acronym>OVS</acronym> plug-in to
|
|
use GRE tunneling, the <literal>br-int</literal>
|
|
integration bridge, the <literal>br-tun</literal>
|
|
tunneling bridge, and a local IP for the
|
|
<replaceable>DATA_INTERFACE</replaceable> tunnel IP.
|
|
Edit the
|
|
<filename>/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini</filename>
|
|
file:</para>
|
|
<programlisting language="ini">[ovs]
|
|
tenant_network_type = gre
|
|
tunnel_id_ranges = 1:1000
|
|
enable_tunneling = True
|
|
integration_bridge = br-int
|
|
tunnel_bridge = br-tun
|
|
local_ip = DATA_INTERFACE_IP</programlisting>
|
|
</step>
|
|
<step>
|
|
<para>Return to the general <acronym>OVS</acronym>
|
|
instructions.</para>
|
|
</step>
|
|
</procedure>
|
|
</section>
|
|
<section xml:id="install-neutron.install-plug-in.ovs.vlan">
|
|
<title>Configure the Neutron <acronym>OVS</acronym> plug-in
|
|
for VLANs</title>
|
|
<procedure>
|
|
<step>
|
|
<para>Configure <acronym>OVS</acronym> to use VLANS.
|
|
Edit the
|
|
<filename>/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini</filename>
|
|
file:</para>
|
|
<programlisting language="ini">[ovs]
|
|
tenant_network_type = vlan
|
|
network_vlan_ranges = physnet1:1:4094
|
|
bridge_mappings = physnet1:br-DATA_INTERFACE</programlisting>
|
|
</step>
|
|
<step>
|
|
<para>Create the bridge for
|
|
<replaceable>DATA_INTERFACE</replaceable> and add
|
|
<replaceable>DATA_INTERFACE</replaceable> to
|
|
it:</para>
|
|
<screen><prompt>#</prompt> <userinput>ovs-vsctl add-br br-DATA_INTERFACE</userinput>
|
|
<prompt>#</prompt> <userinput>ovs-vsctl add-port br-DATA_INTERFACE DATA_INTERFACE</userinput></screen>
|
|
</step>
|
|
<step>
|
|
<para>Transfer the IP address for
|
|
<replaceable>DATA_INTERFACE</replaceable> to the
|
|
bridge in the same way that you transferred the
|
|
<replaceable>EXTERNAL_INTERFACE</replaceable> IP
|
|
address to <literal>br-ex</literal>. However, do not
|
|
turn on promiscuous mode.</para>
|
|
</step>
|
|
<step>
|
|
<para>Return to the <acronym>OVS</acronym> general
|
|
instruction.</para>
|
|
</step>
|
|
</procedure>
|
|
</section>
|
|
</section>
|
|
</section>
|
|
</section>
|
|
<section xml:id="install-neutron.dedicated-compute-node">
|
|
<title>Install networking support on a dedicated compute
|
|
node</title>
|
|
<note>
|
|
<para>This section details set up for any node that runs the
|
|
<literal>nova-compute</literal> component but does not run
|
|
the full network stack.</para>
|
|
</note>
|
|
<warning os="rhel;centos">
|
|
<para>By default, the <literal>system-config-firewall</literal>
|
|
automated firewall configuration tool is in place on RHEL.
|
|
This graphical interface (and a curses-style interface with
|
|
<literal>-tui</literal> on the end of the name) enables you
|
|
to configure IP tables as a basic firewall. You should disable
|
|
it when you work with Neutron unless you are familiar with the
|
|
underlying network technologies, as, by default, it blocks
|
|
various types of network traffic that are important to
|
|
Neutron. To disable it, simple launch the program and clear
|
|
the <guilabel>Enabled</guilabel> check box.</para>
|
|
<para>After you successfully set up OpenStack with Neutron, you
|
|
can re-enable and configure the tool. However, during Neutron
|
|
set up, disable the tool to make it easier to debug network
|
|
issues.</para>
|
|
</warning>
|
|
<procedure>
|
|
<step>
|
|
<para>Disable packet destination filtering (route
|
|
verification) to let the networking services route traffic
|
|
to the VMs. Edit the <filename>/etc/sysctl.conf</filename>
|
|
file and run the following command to activate
|
|
changes:</para>
|
|
<programlisting language="ini">net.ipv4.conf.all.rp_filter=0
|
|
net.ipv4.conf.default.rp_filter=0</programlisting>
|
|
<screen><prompt>#</prompt> <userinput>sysctl -p</userinput></screen>
|
|
</step>
|
|
<step>
|
|
<para>Install and configure your networking plug-in
|
|
components. To install and configure the network plug-in
|
|
that you chose when you set up your network node, see <xref
|
|
linkend="install-neutron.install-plugin-compute"/>.</para>
|
|
</step>
|
|
<step os="rhel;centos;fedora;opensuse;sles">
|
|
<para>Configure Networking to use <systemitem class="service">keystone</systemitem> for authentication:</para>
|
|
<substeps>
|
|
<step>
|
|
<para>Set the <literal>auth_strategy</literal>
|
|
configuration key to <literal>keystone</literal> in the
|
|
<literal>DEFAULT</literal> section of the file:</para>
|
|
<screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT auth_strategy keystone</userinput></screen>
|
|
</step>
|
|
<step>
|
|
<para>Set the <systemitem class="service">neutron</systemitem> configuration for
|
|
<systemitem class="service">keystone</systemitem> authentication:</para>
|
|
<screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
|
|
auth_host <replaceable>controller</replaceable></userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
|
|
auth_url http://<replaceable>controller</replaceable>:35357/v2.0</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
|
|
admin_tenant_name service</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
|
|
admin_user neutron</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
|
|
admin_password <replaceable>NEUTRON_PASS</replaceable></userinput></screen>
|
|
</step></substeps>
|
|
</step>
|
|
<step os="opensuse;sles">
|
|
<para>Configure access to the <application>RabbitMQ</application> service:</para>
|
|
<screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
|
|
rpc_backend neutron.openstack.common.rpc.impl_kombu</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
|
|
rabbit_host controller</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
|
|
rabbit_userid guest</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
|
|
rabbit_password <replaceable>RABBIT_PASS</replaceable></userinput></screen>
|
|
</step>
|
|
<step os="rhel;centos;fedora">
|
|
<para>Configure access to the <application>Qpid</application> message queue:</para>
|
|
<screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
|
|
rpc_backend neutron.openstack.common.rpc.impl_qpid</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
|
|
qpid_hostname <replaceable>controller</replaceable></userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
|
|
qpid_port 5672</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
|
|
qpid_username <replaceable>guest</replaceable></userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
|
|
qpid_password <replaceable>guest</replaceable></userinput></screen>
|
|
</step>
|
|
<step os="ubuntu;debian">
|
|
<para>Configure the core components of Neutron. Edit the
|
|
<filename>/etc/neutron/neutron.conf</filename>
|
|
file:</para>
|
|
<programlisting language="ini">auth_host = <replaceable>controller</replaceable>
|
|
admin_tenant_name = service
|
|
admin_user = neutron
|
|
admin_password = <replaceable>NEUTRON_PASS</replaceable>
|
|
auth_url = http://controller:35357/v2.0
|
|
auth_strategy = keystone
|
|
rpc_backend = neutron.openstack.common.rpc.impl_kombu
|
|
rabbit_host = controller
|
|
rabbit_port = 5672
|
|
# Change the following settings if you're not using the default RabbitMQ configuration
|
|
#rabbit_userid = guest
|
|
rabbit_password = <replaceable>RABBIT_PASS</replaceable></programlisting>
|
|
</step>
|
|
<step os="rhel;centos;fedora">
|
|
<para>Set the <literal>root_helper</literal> configuration in the
|
|
<literal>[agent]</literal> section of <filename>/etc/neutron/neutron.conf</filename>:</para>
|
|
<screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf AGENT \
|
|
root_helper sudo neutron-rootwrap /etc/neutron/rootwrap.conf</userinput></screen>
|
|
</step>
|
|
<step os="rhel;centos;fedora;opensuse;sles">
|
|
<para>Configure Networking to connect to the database:</para>
|
|
<screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DATABASE sql_connection \
|
|
mysql://neutron:<replaceable>NEUTRON_DBPASS</replaceable>@controller/neutron</userinput></screen>
|
|
</step>
|
|
<step os="ubuntu">
|
|
<para>Configure Networking to connect to the database. Edit
|
|
the <literal>[database]</literal> section in the same file,
|
|
as follows:</para>
|
|
<programlisting language="ini">[database]
|
|
connection = mysql://neutron:<replaceable>NEUTRON_DBPASS</replaceable>@<replaceable>controller</replaceable>/neutron</programlisting>
|
|
</step>
|
|
<step os="ubuntu;debian">
|
|
<para>Edit the <filename>/etc/neutron/api-paste.ini</filename>
|
|
file and add these lines to the
|
|
<literal>[filter:authtoken]</literal> section:</para>
|
|
<programlisting language="ini">[filter:authtoken]
|
|
paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
|
|
auth_host = <replaceable>controller</replaceable>
|
|
admin_tenant_name = service
|
|
admin_user = neutron
|
|
admin_password = <replaceable>NEUTRON_PASS</replaceable></programlisting>
|
|
</step>
|
|
<step os="rhel;centos;fedora;opensuse;sles">
|
|
<para>Configure the <filename>/etc/neutron/api-paste.ini</filename> file for <systemitem class="service">keystone</systemitem>
|
|
authentication:</para>
|
|
<screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/api-paste.ini filter:authtoken \
|
|
paste.filter_factory keystoneclient.middleware.auth_token:filter_factory</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/api-paste.ini filter:authtoken \
|
|
auth_host <replaceable>controller</replaceable></userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/api-paste.ini filter:authtoken \
|
|
admin_tenant_name service</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/api-paste.ini filter:authtoken \
|
|
admin_user neutron</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/api-paste.ini filter:authtoken \
|
|
admin_password <replaceable>NEUTRON_PASS</replaceable></userinput></screen>
|
|
</step>
|
|
<step>
|
|
<para os="rhel;centos;fedora;opensuse;sles">Configure OpenStack Compute to use OpenStack Networking
|
|
services. Configure the <filename>/etc/nova/nova.conf</filename>
|
|
file as per instructions below:</para>
|
|
<screen os="rhel;centos;fedora;opensuse;sles"><prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
|
|
network_api_class nova.network.neutronv2.api.API</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
|
|
neutron_url http://<replaceable>controller</replaceable>:9696</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
|
|
neutron_auth_strategy keystone</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
|
|
neutron_admin_tenant_name service</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
|
|
neutron_admin_username neutron</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
|
|
neutron_admin_password <replaceable>NEUTRON_PASS</replaceable></userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
|
|
neutron_admin_auth_url http://<replaceable>controller</replaceable>:35357/v2.0</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
|
|
linuxnet_interface_driver nova.network.linux_net.LinuxOVSInterfaceDriver</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
|
|
firewall_driver nova.virt.firewall.NoopFirewallDriver</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
|
|
security_group_api neutron</userinput></screen>
|
|
<para os="ubuntu;debian">Configure OpenStack Compute to use OpenStack Networking
|
|
services. Edit the <filename>/etc/nova/nova.conf</filename>
|
|
file:</para>
|
|
<programlisting language="ini" os="ubuntu;debian">network_api_class=nova.network.neutronv2.api.API
|
|
neutron_url=http://<replaceable>controller</replaceable>:9696
|
|
neutron_auth_strategy=keystone
|
|
neutron_admin_tenant_name=service
|
|
neutron_admin_username=neutron
|
|
neutron_admin_password=<replaceable>NEUTRON_PASS</replaceable>
|
|
neutron_admin_auth_url=http://<replaceable>controller</replaceable>:35357/v2.0
|
|
linuxnet_interface_driver = nova.network.linux_net.LinuxOVSInterfaceDriver
|
|
firewall_driver=nova.virt.firewall.NoopFirewallDriver
|
|
security_group_api=neutron</programlisting>
|
|
<note>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>No matter which firewall driver you chose when you
|
|
configured the network and compute nodes, you must
|
|
edit the <filename>/etc/nova/nova.conf</filename> file
|
|
to set the firewall driver to
|
|
<literal>nova.virt.firewall.NoopFirewallDriver</literal>.
|
|
Because OpenStack Networking handles the firewall,
|
|
this statement instructs Compute to not use a
|
|
firewall.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>If you want Networking to handle the firewall,
|
|
edit the
|
|
<filename>/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini</filename>
|
|
file to set the <code>firewall_driver</code> option to
|
|
the firewall for the plug-in. For example, with
|
|
<acronym>OVS</acronym>, edit the file as
|
|
follows:</para>
|
|
<programlisting language="ini" os="ubuntu;debian">[securitygroup]
|
|
# Firewall driver for realizing neutron security group function.
|
|
firewall_driver=neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver</programlisting>
|
|
<screen os="rhel;centos;fedora;opensuse;sles"><prompt>#</prompt> <userinput>openstack-config --set \
|
|
/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini security_group \
|
|
neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver</userinput></screen>
|
|
</listitem>
|
|
<listitem>
|
|
<para>If you do not want to use a firewall in Compute or
|
|
Networking, edit both configuration files and set
|
|
<code>firewall_driver=nova.virt.firewall.NoopFirewallDriver</code>.
|
|
Also, edit the
|
|
<filename>/etc/nova/nova.conf</filename> file and
|
|
comment out or remove the
|
|
<code>security_group_api=neutron</code>
|
|
statement.</para>
|
|
<para>Otherwise, when you issue <command>nova
|
|
list</command> commands, the <errortext>ERROR: The
|
|
server has either erred or is incapable of
|
|
performing the requested operation. (HTTP
|
|
500)</errortext> error might be returned.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</note>
|
|
</step>
|
|
<step>
|
|
<para>Restart the Compute service.</para>
|
|
<screen os="debian;ubuntu"><prompt>#</prompt> <userinput>service nova-compute restart</userinput></screen>
|
|
<screen os="centos;rhel;fedora"><prompt>#</prompt> <userinput>service openstack-nova-compute restart</userinput></screen>
|
|
<screen os="sles;opensuse"><prompt>#</prompt> <userinput>service openstack-nova-compute restart</userinput></screen>
|
|
<para>Also restart your chosen Networking plug-in agent, for example, Open vSwitch.</para>
|
|
<screen os="ubuntu;debian"><prompt>#</prompt> <userinput>service neutron-plugin-openvswitch-agent restart</userinput></screen>
|
|
<screen os="rhel;centos;fedora"><prompt>#</prompt> <userinput>service neutron-openvswitch-agent restart</userinput></screen>
|
|
<screen os="sles;opensuse"><prompt>#</prompt> <userinput>service openstack-neutron-openvswitch-agent restart</userinput></screen>
|
|
</step>
|
|
</procedure>
|
|
<section xml:id="install-neutron.install-plugin-compute">
|
|
<title>Install and configure Neutron plug-ins on a dedicated
|
|
compute node</title>
|
|
<section xml:id="install-neutron.install-plugin-compute.ovs">
|
|
<title>Install the Open vSwitch (OVS) plug-in on a dedicated
|
|
compute node</title>
|
|
<procedure>
|
|
<step>
|
|
<para>Install the Open vSwitch plug-in and its
|
|
dependencies:</para>
|
|
<screen os="ubuntu;debian"><prompt>#</prompt> <userinput>apt-get install neutron-plugin-openvswitch-agent openvswitch-switch openvswitch-datapath-dkms</userinput></screen>
|
|
<screen os="rhel;fedora;centos"><prompt>#</prompt> <userinput>yum install openstack-neutron-openvswitch</userinput></screen>
|
|
<screen os="opensuse;sles"><prompt>#</prompt> <userinput>zypper install openstack-neutron-openvswitch-agent</userinput></screen>
|
|
</step>
|
|
<step os="ubuntu;debian">
|
|
<para>Restart Open vSwitch:</para>
|
|
<screen><prompt>#</prompt> <userinput>service openvswitch-switch restart</userinput></screen>
|
|
</step>
|
|
<step os="rhel;fedora;centos;opensuse;sles">
|
|
<para>Start Open vSwitch and configure it to start when
|
|
the system boots:</para>
|
|
<screen os="rhel;fedora;centos"><prompt>#</prompt> <userinput>service openvswitch start</userinput>
|
|
<prompt>#</prompt> <userinput>chkconfig openvswitch on</userinput></screen>
|
|
<screen os="opensuse;sles"><prompt>#</prompt> <userinput>service openvswitch-switch start</userinput>
|
|
<prompt>#</prompt> <userinput>chkconfig openvswitch-switch on</userinput></screen>
|
|
</step>
|
|
<step>
|
|
<para>You must set some common configuration options no
|
|
matter which networking technology you choose to use
|
|
with Open vSwitch. You must add the
|
|
<literal>br-int</literal> integration bridge, which
|
|
connects to the VMs.</para>
|
|
<screen><prompt>#</prompt> <userinput>ovs-vsctl add-br br-int</userinput></screen>
|
|
</step>
|
|
<step os="rhel;centos;fedora;opensuse;sles;ubuntu">
|
|
<para>You must set some common configuration options. You
|
|
must configure Networking core to use
|
|
<acronym>OVS</acronym>. Edit the
|
|
<filename>/etc/neutron/neutron.conf</filename>
|
|
file:</para>
|
|
<programlisting language="ini" os="ubuntu;opensuse;sles">core_plugin = neutron.plugins.openvswitch.ovs_neutron_plugin.OVSNeutronPluginV2</programlisting>
|
|
<programlisting language="ini">auth_uri = http://<replaceable>controller</replaceable>:5000</programlisting>
|
|
<programlisting language="ini" os="rhel;centos;fedora">core_plugin = neutron.plugins.openvswitch.ovs_neutron_plugin.OVSNeutronPluginV2
|
|
api_paste_config = /etc/neutron/api-paste.ini
|
|
rpc_backend = neutron.openstack.common.rpc.impl_qpid</programlisting>
|
|
</step>
|
|
<step>
|
|
<para>Configure the networking type that you chose when
|
|
you set up the network node: either <link
|
|
linkend="install-neutron.install-plugin-compute.ovs.gre"
|
|
>GRE tunneling</link> or <link
|
|
linkend="install-neutron.install-plugin-compute.ovs.vlan"
|
|
>VLANs</link>.</para>
|
|
</step>
|
|
<!-- TODO(sross): support provider networks? you need to modify things above for this to work -->
|
|
<step>
|
|
<para>You must configure a firewall as well. You should
|
|
use the same firewall plug-in that you chose to use when
|
|
you set up the network node. To do this, edit
|
|
<filename>/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini</filename>
|
|
file and set the <literal>firewall_driver</literal>
|
|
value under the <literal>securitygroup</literal> to the
|
|
same value used on the network node. For instance, if
|
|
you chose to use the Hybrid OVS-IPTables plug-in, your
|
|
configuration looks like this:</para>
|
|
<programlisting language="ini">[securitygroup]
|
|
# Firewall driver for realizing neutron security group function.
|
|
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver</programlisting>
|
|
<warning>
|
|
<para>You must use at least the No-Op firewall.
|
|
Otherwise, Horizon and other OpenStack services cannot
|
|
get and set required VM boot options.</para>
|
|
</warning>
|
|
</step>
|
|
<step os="rhel;centos;fedora;sles;opensuse">
|
|
<para>Configure the <acronym>OVS</acronym> plug-in to start
|
|
on boot.</para>
|
|
<screen os="rhel;centos;fedora"><prompt>#</prompt> <userinput>chkconfig neutron-openvswitch-agent on</userinput></screen>
|
|
<screen os="sles;opensuse"><prompt>#</prompt> <userinput>chkconfig openstack-neutron-openvswitch-agent on</userinput></screen>
|
|
</step>
|
|
<step>
|
|
<para>Now, return to the general <acronym>OVS</acronym>
|
|
instructions.</para>
|
|
</step>
|
|
</procedure>
|
|
<section
|
|
xml:id="install-neutron.install-plugin-compute.ovs.gre">
|
|
<title>Configure the Neutron <acronym>OVS</acronym> plug-in
|
|
for GRE tunneling on a dedicated compute node</title>
|
|
<procedure>
|
|
<step>
|
|
<para>Tell the <acronym>OVS</acronym> plug-in to use GRE
|
|
tunneling with a <literal>br-int</literal> integration
|
|
bridge, a <literal>br-tun</literal> tunneling bridge,
|
|
and a local IP for the tunnel of
|
|
<replaceable>DATA_INTERFACE</replaceable>'s IP Edit
|
|
the
|
|
<filename>/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini</filename>
|
|
file:</para>
|
|
<programlisting language="ini">[ovs]
|
|
tenant_network_type = gre
|
|
tunnel_id_ranges = 1:1000
|
|
enable_tunneling = True
|
|
integration_bridge = br-int
|
|
tunnel_bridge = br-tun
|
|
local_ip = <replaceable>DATA_INTERFACE_IP</replaceable></programlisting>
|
|
</step>
|
|
<step>
|
|
<para>Now, return to the general <acronym>OVS</acronym>
|
|
instructions.</para>
|
|
</step>
|
|
</procedure>
|
|
</section>
|
|
<section
|
|
xml:id="install-neutron.install-plugin-compute.ovs.vlan">
|
|
<title>Configure the Neutron <acronym>OVS</acronym> plug-in
|
|
for VLANs on a dedicated compute node</title>
|
|
<procedure>
|
|
<step>
|
|
<para>Tell <acronym>OVS</acronym> to use VLANs. Edit the
|
|
<filename>/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini</filename>
|
|
file:</para>
|
|
<programlisting language="ini">[ovs]
|
|
tenant_network_type = vlan
|
|
network_vlan_ranges = physnet1:1:4094
|
|
bridge_mappings = physnet1:br-<replaceable>DATA_INTERFACE</replaceable></programlisting>
|
|
</step>
|
|
<step>
|
|
<para>Create the bridge for the
|
|
<replaceable>DATA_INTERFACE</replaceable> and add
|
|
<replaceable>DATA_INTERFACE</replaceable> to it, the
|
|
same way you did on the network node:</para>
|
|
<screen><prompt>#</prompt> <userinput>ovs-vsctl add-br br-DATA_INTERFACE</userinput>
|
|
<prompt>#</prompt> <userinput>ovs-vsctl add-port br-DATA_INTERFACE DATA_INTERFACE</userinput></screen>
|
|
</step>
|
|
<step>
|
|
<para>Return to the general <acronym>OVS</acronym>
|
|
instructions.</para>
|
|
</step>
|
|
</procedure>
|
|
</section>
|
|
</section>
|
|
</section>
|
|
</section>
|
|
<section xml:id="install-neutron.dedicated-controller-node">
|
|
<title>Install networking support on a dedicated controller
|
|
node</title>
|
|
<note>
|
|
<para>This is for a node which runs the control components of
|
|
Neutron, but does not run any of the components that provide
|
|
the underlying functionality (such as the plug-in agent or the
|
|
L3 agent). If you wish to have a combined controller/compute
|
|
node follow these instructions, and then those for the compute
|
|
node.</para>
|
|
</note>
|
|
<warning os="rhel;centos">
|
|
<para>By default, the <literal>system-config-firewall</literal>
|
|
automated firewall configuration tool is in place on RHEL.
|
|
This graphical interface (and a curses-style interface with
|
|
<literal>-tui</literal> on the end of the name) enables you
|
|
to configure IP tables as a basic firewall. You should disable
|
|
it when you work with Neutron unless you are familiar with the
|
|
underlying network technologies, as, by default, it blocks
|
|
various types of network traffic that are important to
|
|
Neutron. To disable it, simple launch the program and clear
|
|
the <guilabel>Enabled</guilabel> check box.</para>
|
|
<para>After you successfully set up OpenStack with Neutron, you
|
|
can re-enable and configure the tool. However, during Neutron
|
|
set up, disable the tool to make it easier to debug network
|
|
issues.</para>
|
|
</warning>
|
|
<procedure>
|
|
<step>
|
|
<para>Install the server component of Networking and any dependencies.</para>
|
|
<screen os="ubuntu;debian"><prompt>#</prompt> <userinput>apt-get install neutron-server</userinput></screen>
|
|
<screen os="fedora;rhel;centos"><prompt>#</prompt> <userinput>yum install openstack-neutron python-neutron python-neutronclient</userinput></screen>
|
|
<screen os="opensuse;sles"><prompt>#</prompt> <userinput>zypper install openstack-neutron python-neutron python-neutronclient</userinput></screen>
|
|
</step>
|
|
<step os="rhel;centos;fedora;opensuse;sles">
|
|
<para>Configure Networking to connect to the database:</para>
|
|
<screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DATABASE sql_connection \
|
|
mysql://neutron:<replaceable>NEUTRON_DBPASS</replaceable>@controller/neutron</userinput></screen>
|
|
</step>
|
|
<step os="ubuntu;debian">
|
|
<para>Configure Networking to use your MySQL database. Edit the
|
|
<filename>/etc/neutron/neutron.conf</filename> file and add the
|
|
following key under the <literal>[database]</literal> section. Replace
|
|
<replaceable>NEUTRON_DBPASS</replaceable> with the password you
|
|
chose for the Neutron database.</para>
|
|
<programlisting language="ini">[database]
|
|
...
|
|
connection = mysql://neutron:<replaceable>NEUTRON_DBPASS</replaceable>@<replaceable>controller</replaceable>/neutron</programlisting>
|
|
</step>
|
|
<step os="rhel;centos;fedora;opensuse;sles">
|
|
<para>Configure Networking to use <systemitem class="service">keystone</systemitem> for authentication:</para>
|
|
<substeps>
|
|
<step>
|
|
<para>Set the <literal>auth_strategy</literal>
|
|
configuration key to <literal>keystone</literal> in the
|
|
<literal>DEFAULT</literal> section of the file:</para>
|
|
<screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT auth_strategy keystone</userinput></screen>
|
|
</step>
|
|
<step>
|
|
<para>Set the <systemitem class="service">neutron</systemitem> configuration for
|
|
<systemitem class="service">keystone</systemitem> authentication:</para>
|
|
<screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
|
|
auth_host <replaceable>controller</replaceable></userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
|
|
auth_url http://<replaceable>controller</replaceable>:35357/v2.0</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
|
|
admin_tenant_name service</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
|
|
admin_user neutron</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
|
|
admin_password <replaceable>NEUTRON_PASS</replaceable></userinput></screen>
|
|
</step></substeps>
|
|
</step>
|
|
<step os="ubuntu;debian">
|
|
<para>Configure Networking to use <systemitem class="service">keystone</systemitem> as the Identity Service
|
|
for authentication.</para>
|
|
<substeps>
|
|
<step>
|
|
<para>Edit the
|
|
<filename>/etc/neutron/neutron.conf</filename> file and add the
|
|
following key under the <literal>[DEFAULT]</literal>
|
|
section.</para>
|
|
<programlisting language="ini">[DEFAULT]
|
|
...
|
|
auth_strategy = keystone</programlisting>
|
|
<para>Add the following keys under the
|
|
<literal>[keystone_authtoken]</literal> section. Replace
|
|
<replaceable>NEUTRON_PASS</replaceable> with the password you
|
|
chose for the Neutron user in Keystone.</para>
|
|
<programlisting language="ini">[keystone_authtoken]
|
|
...
|
|
auth_host = <replaceable>controller</replaceable>
|
|
auth_port = 35357
|
|
auth_protocol = http
|
|
admin_tenant_name = service
|
|
admin_user = neutron
|
|
admin_password = <replaceable>NEUTRON_PASS</replaceable>
|
|
auth_uri = http://<replaceable>controller</replaceable>:5000
|
|
auth_url = http://<replaceable>controller</replaceable>:35357/v2.0
|
|
</programlisting>
|
|
</step>
|
|
<step>
|
|
<para>Edit the <filename>/etc/neutron/api-paste.ini</filename> file
|
|
and add the following keys under the
|
|
<literal>[filter:authtoken]</literal> section. Replace
|
|
<replaceable>NEUTRON_PASS</replaceable> with the password you
|
|
chose for the Neutron user in Keystone.</para>
|
|
<programlisting language="ini">[filter:authtoken]
|
|
...
|
|
paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
|
|
admin_tenant_name = service
|
|
admin_user = neutron
|
|
admin_password = <replaceable>NEUTRON_PASS</replaceable></programlisting>
|
|
</step>
|
|
</substeps>
|
|
</step>
|
|
<step os="rhel;centos;fedora;opensuse;sles">
|
|
<para>Configure the <filename>/etc/neutron/api-paste.ini</filename> file for <systemitem class="service">keystone</systemitem>
|
|
authentication:</para>
|
|
<screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/api-paste.ini filter:authtoken \
|
|
paste.filter_factory keystoneclient.middleware.auth_token:filter_factory</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/api-paste.ini filter:authtoken \
|
|
auth_host <replaceable>controller</replaceable></userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/api-paste.ini filter:authtoken \
|
|
admin_tenant_name service</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/api-paste.ini filter:authtoken \
|
|
admin_user neutron</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/api-paste.ini filter:authtoken \
|
|
admin_password <replaceable>NEUTRON_PASS</replaceable></userinput></screen>
|
|
</step>
|
|
<step os="opensuse;sles">
|
|
<para>Configure access to the <application>RabbitMQ</application> service:</para>
|
|
<screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
|
|
rpc_backend neutron.openstack.common.rpc.impl_kombu</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
|
|
rabbit_host controller</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
|
|
rabbit_userid guest</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
|
|
rabbit_password <replaceable>RABBIT_PASS</replaceable></userinput></screen>
|
|
</step>
|
|
<step os="rhel;centos;fedora">
|
|
<para>Configure access to the <application>Qpid</application> message queue:</para>
|
|
<screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
|
|
rpc_backend neutron.openstack.common.rpc.impl_qpid</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
|
|
qpid_hostname <replaceable>controller</replaceable></userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
|
|
qpid_port 5672</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
|
|
qpid_username <replaceable>guest</replaceable></userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
|
|
qpid_password <replaceable>guest</replaceable></userinput></screen>
|
|
</step>
|
|
<step os="ubuntu;debian">
|
|
<para>Configure Networking to use your message broker. Edit the
|
|
<filename>/etc/neutron/neutron.conf</filename> file and add
|
|
the following keys under the <literal>[DEFAULT]</literal>
|
|
section.</para>
|
|
<para>Replace
|
|
<replaceable>RABBIT_PASS</replaceable> with the password you chose
|
|
for RabbitMQ.</para>
|
|
<programlisting language="ini">[DEFAULT]
|
|
...
|
|
rpc_backend = neutron.openstack.common.rpc.impl_kombu
|
|
rabbit_host = <replaceable>controller</replaceable>
|
|
rabbit_password = <replaceable>RABBIT_PASS</replaceable></programlisting>
|
|
</step>
|
|
<step os="rhel;centos;fedora">
|
|
<para>Set the <literal>root_helper</literal> configuration in the
|
|
<literal>[agent]</literal> section of <filename>/etc/neutron/neutron.conf</filename>:</para>
|
|
<screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf AGENT \
|
|
root_helper sudo neutron-rootwrap /etc/neutron/rootwrap.conf</userinput></screen>
|
|
</step>
|
|
<step>
|
|
<para>Although the controller node does not run any Networking agents,
|
|
you must install and configure the same plug-in that you configured
|
|
on the network node.</para>
|
|
<para><link linkend="install-neutron.install-plug-in-controller">
|
|
Install and configure the Networking plug-ins on a dedicated
|
|
controller node</link></para>
|
|
</step>
|
|
<step>
|
|
<para os="rhel;centos;fedora;opensuse;sles">Configure OpenStack Compute to use OpenStack Networking
|
|
services. Configure the <filename>/etc/nova/nova.conf</filename>
|
|
file as per instructions below:</para>
|
|
<screen os="rhel;centos;fedora;opensuse;sles"><prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
|
|
network_api_class nova.network.neutronv2.api.API</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
|
|
neutron_url http://<replaceable>controller</replaceable>:9696</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
|
|
neutron_auth_strategy keystone</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
|
|
neutron_admin_tenant_name service</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
|
|
neutron_admin_username neutron</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
|
|
neutron_admin_password <replaceable>NEUTRON_PASS</replaceable></userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
|
|
neutron_admin_auth_url http://<replaceable>controller</replaceable>:35357/v2.0</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
|
|
linuxnet_interface_driver nova.network.linux_net.LinuxOVSInterfaceDriver</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
|
|
firewall_driver nova.virt.firewall.NoopFirewallDriver</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
|
|
security_group_api neutron</userinput></screen>
|
|
<para os="ubuntu;debian">Configure OpenStack Compute to use OpenStack Networking
|
|
services. Edit the <filename>/etc/nova/nova.conf</filename>
|
|
file:</para>
|
|
<programlisting language="ini" os="ubuntu;debian">network_api_class=nova.network.neutronv2.api.API
|
|
neutron_url=http://<replaceable>controller</replaceable>:9696
|
|
neutron_auth_strategy=keystone
|
|
neutron_admin_tenant_name=service
|
|
neutron_admin_username=neutron
|
|
neutron_admin_password=<replaceable>NEUTRON_PASS</replaceable>
|
|
neutron_admin_auth_url=http://<replaceable>controller</replaceable>:35357/v2.0
|
|
linuxnet_interface_driver = nova.network.linux_net.LinuxOVSInterfaceDriver
|
|
firewall_driver=nova.virt.firewall.NoopFirewallDriver
|
|
security_group_api=neutron</programlisting>
|
|
<note>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>Regardless of which firewall driver you chose when you
|
|
configured the network and compute nodes, set this driver
|
|
as the No-Op firewall. This firewall is a
|
|
<systemitem class="service">nova</systemitem> firewall,
|
|
and because <systemitem class="service">neutron</systemitem>
|
|
handles the Firewall, you must tell <systemitem class="service">nova</systemitem>
|
|
not to use one.</para>
|
|
<para>When Networking handles the firewall, the option
|
|
<code>firewall_driver</code> should be set according to
|
|
the specified plug-in. For example with
|
|
<acronym>OVS</acronym>, edit the
|
|
<filename>/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini</filename>
|
|
file:</para>
|
|
<programlisting language="ini" os="ubuntu;debian">[securitygroup]
|
|
# Firewall driver for realizing neutron security group function.
|
|
firewall_driver=neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver</programlisting>
|
|
<screen os="rhel;centos;fedora;opensuse;sles"><prompt>#</prompt> <userinput>openstack-config --set \
|
|
/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini security_group \
|
|
neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver</userinput></screen>
|
|
</listitem>
|
|
<listitem>
|
|
<para>If you do not want to use a firewall in Compute or
|
|
Networking, set
|
|
<code>firewall_driver=nova.virt.firewall.NoopFirewallDriver</code>
|
|
in both config files, and comment out or remove
|
|
<code>security_group_api=neutron</code> in the
|
|
<filename>/etc/nova/nova.conf</filename> file, otherwise
|
|
you may encounter <errortext>ERROR: The server has either
|
|
erred or is incapable of performing the requested
|
|
operation. (HTTP 500)</errortext> when issuing
|
|
<command>nova list</command> commands.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</note>
|
|
</step>
|
|
<step os="rhel;centos;fedora">
|
|
<para>The <systemitem class="service">neutron-server</systemitem>
|
|
initialization script expects a symbolic link
|
|
<filename>/etc/neutron/plugin.ini</filename> pointing to the
|
|
configuration file associated with your chosen plug-in. Using
|
|
Open vSwitch, for example, the symbolic link must point to
|
|
<filename>/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini</filename>.
|
|
If this symbolic link does not exist, create it using the
|
|
following commands:</para>
|
|
<screen><prompt>#</prompt> <userinput>cd /etc/neutron</userinput>
|
|
<prompt>#</prompt> <userinput>ln -s plugins/openvswitch/ovs_neutron_plugin.ini plugin.ini</userinput></screen>
|
|
</step>
|
|
<step os="sles;opensuse">
|
|
<para>The <systemitem class="service">openstack-neutron</systemitem>
|
|
initialization script expects the variable
|
|
<literal>NEUTRON_PLUGIN_CONF</literal> in file
|
|
<filename>/etc/sysconfig/neutron</filename> to reference the
|
|
configuration file associated with your chosen plug-in. Using
|
|
Open vSwitch, for example, edit the
|
|
<filename>/etc/sysconfig/neutron</filename> file and add the
|
|
following:</para>
|
|
<programlisting>NEUTRON_PLUGIN_CONF="/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini"</programlisting>
|
|
</step>
|
|
<step os="fedora;rhel;centos;opensuse;sles">
|
|
<para>Start <systemitem
|
|
class="service">neutron-server</systemitem> and set it to
|
|
start at boot:</para>
|
|
<screen os="fedora;rhel;centos"><prompt>#</prompt> <userinput>service neutron-server start</userinput>
|
|
<prompt>#</prompt> <userinput>chkconfig neutron-server on</userinput></screen>
|
|
<screen os="opensuse;sles"><prompt>#</prompt> <userinput>service openstack-neutron start</userinput>
|
|
<prompt>#</prompt> <userinput>chkconfig openstack-neutron on</userinput></screen>
|
|
</step>
|
|
<step os="ubuntu;debian">
|
|
<para>Restart
|
|
<systemitem class="service">neutron-server</systemitem>:</para>
|
|
<screen><prompt>#</prompt> <userinput>service neutron-server restart</userinput></screen>
|
|
</step>
|
|
</procedure>
|
|
<section xml:id="install-neutron.install-plug-in-controller">
|
|
<title>Install and configure the Neutron plug-ins on a dedicated
|
|
controller node</title>
|
|
<section xml:id="install-neutron.install-plug-in-controller.ovs">
|
|
<title>Install the Open vSwitch (OVS) plug-in on a dedicated
|
|
controller node</title>
|
|
<procedure>
|
|
<step>
|
|
<para>Install the Open vSwitch plug-in:</para>
|
|
<screen os="ubuntu;debian"><prompt>#</prompt> <userinput>apt-get install neutron-plugin-openvswitch-agent</userinput></screen>
|
|
<screen os="rhel;fedora;centos"><prompt>#</prompt> <userinput>yum install openstack-neutron-openvswitch</userinput></screen>
|
|
<screen os="opensuse;sles"><prompt>#</prompt> <userinput>zypper install openstack-neutron-openvswitch-agent</userinput></screen>
|
|
</step>
|
|
<step>
|
|
<para>You must set some common configuration options no
|
|
matter which networking technology you choose to use
|
|
with Open vSwitch. You must configure Networking core to
|
|
use <acronym>OVS</acronym>. Edit the
|
|
<filename>/etc/neutron/neutron.conf</filename>
|
|
file:</para>
|
|
<programlisting language="ini">core_plugin = neutron.plugins.openvswitch.ovs_neutron_plugin.OVSNeutronPluginV2</programlisting>
|
|
</step>
|
|
<step>
|
|
<para>Configure the <acronym>OVS</acronym> plug-in for the
|
|
networking type that you chose when you configured the
|
|
network node: <link
|
|
linkend="install-neutron.install-plug-in-controller.ovs.gre"
|
|
>GRE tunneling</link> or <link
|
|
linkend="install-neutron.install-plug-in-controller.ovs.vlan"
|
|
>VLANs</link>.</para>
|
|
<!-- TODO(sross): support provider networks? you need to modify things above for this to work -->
|
|
<note>
|
|
<para>The dedicated controller node does not need to run
|
|
Open vSwitch or the Open vSwitch agent.</para>
|
|
</note>
|
|
</step>
|
|
<step>
|
|
<para>Now, return to the general <acronym>OVS</acronym>
|
|
instructions.</para>
|
|
</step>
|
|
</procedure>
|
|
<section
|
|
xml:id="install-neutron.install-plug-in-controller.ovs.gre">
|
|
<title>Configure the Neutron <acronym>OVS</acronym> plug-in
|
|
for GRE tunneling on a dedicated controller node</title>
|
|
<procedure>
|
|
<step>
|
|
<para>Tell the <acronym>OVS</acronym> plug-in to use GRE
|
|
tunneling. Edit the
|
|
<filename>/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini</filename>
|
|
file:</para>
|
|
<programlisting language="ini">[ovs]
|
|
tenant_network_type = gre
|
|
tunnel_id_ranges = 1:1000
|
|
enable_tunneling = True</programlisting>
|
|
</step>
|
|
<step>
|
|
<para>Return to the general <acronym>OVS</acronym>
|
|
instructions.</para>
|
|
</step>
|
|
</procedure>
|
|
</section>
|
|
<section
|
|
xml:id="install-neutron.install-plug-in-controller.ovs.vlan">
|
|
<title>Configure the Neutron <acronym>OVS</acronym> plug-in
|
|
for VLANs on a dedicated controller node</title>
|
|
<procedure>
|
|
<step>
|
|
<para>Tell <acronym>OVS</acronym> to use VLANS. Edit the
|
|
<filename>/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini</filename>
|
|
file, as follows:</para>
|
|
<programlisting language="ini">[ovs]
|
|
tenant_network_type = vlan
|
|
network_vlan_ranges = physnet1:1:4094</programlisting>
|
|
</step>
|
|
<step>
|
|
<para>Return to the general <acronym>OVS</acronym>
|
|
instructions.</para>
|
|
</step>
|
|
</procedure>
|
|
</section>
|
|
</section>
|
|
</section>
|
|
</section>
|
|
<section xml:id="install-neutron.configure-networks">
|
|
<title>Create the base Neutron networks</title>
|
|
<note>
|
|
<para>In these sections, replace
|
|
<replaceable>SPECIAL_OPTIONS</replaceable> with any options
|
|
specific to your Networking plug-in choices. See <link
|
|
linkend="install-neutron.configure-networks.plug-in-specific"
|
|
>here</link> to check if your plug-in requires any special
|
|
options.</para>
|
|
</note>
|
|
<procedure>
|
|
<step>
|
|
<para>Create the <literal>ext-net</literal> external network.
|
|
This network represents a slice of the outside world. VMs
|
|
are not directly linked to this network; instead, they
|
|
connect to internal networks. Outgoing traffic is routed by
|
|
Neutron to the external network. Additionally, floating IP
|
|
addresses from the subnet for <literal>ext-net</literal>
|
|
might be assigned to VMs so that the external network can
|
|
contact them. Neutron routes the traffic
|
|
appropriately.</para>
|
|
<screen><prompt>#</prompt> <userinput>neutron net-create ext-net -- --router:external=True <replaceable>SPECIAL_OPTIONS</replaceable></userinput></screen>
|
|
</step>
|
|
<step>
|
|
<para>Create the associated subnet with the same gateway and
|
|
CIDR as <replaceable>EXTERNAL_INTERFACE</replaceable>. It
|
|
does not have DHCP because it represents a slice of the
|
|
external world:</para>
|
|
<screen><prompt>#</prompt> <userinput>neutron subnet-create ext-net \
|
|
--allocation-pool start=<replaceable>FLOATING_IP_START</replaceable>,end=<replaceable>FLOATING_IP_END</replaceable> \
|
|
--gateway=<replaceable>EXTERNAL_INTERFACE_GATEWAY</replaceable> --enable_dhcp=False \
|
|
<replaceable>EXTERNAL_INTERFACE_CIDR</replaceable></userinput></screen>
|
|
</step>
|
|
<step>
|
|
<para>Create one or more initial tenants, for example:</para>
|
|
<screen><prompt>#</prompt> <userinput>keystone tenant-create --name <replaceable>DEMO_TENANT</replaceable></userinput></screen>
|
|
<para os="rhel;centos;fedora;opensuse;sles;ubuntu"> See <xref
|
|
linkend="keystone-users"/> for further details.</para>
|
|
<para os="debian"> See <xref linkend="keystone-install"/> for
|
|
further details.</para>
|
|
</step>
|
|
<step>
|
|
<para>Create the router attached to the external network. This
|
|
router routes traffic to the internal subnets as
|
|
appropriate. You can create it under a given tenant: Append
|
|
<literal>--tenant-id</literal> option with a value of
|
|
<replaceable>DEMO_TENANT_ID</replaceable> to the
|
|
command.</para>
|
|
<para>Use the following to quickly get the
|
|
<replaceable>DEMO_TENANT</replaceable> tenant-id:</para>
|
|
<screen><prompt>#</prompt> <userinput>keystone tenant-list | grep <replaceable>DEMO_TENANT</replaceable> | awk '{print $2;}'</userinput></screen>
|
|
<para>Then create the router:</para>
|
|
<screen><prompt>#</prompt> <userinput>neutron router-create ext-to-int --tenant-id <replaceable>DEMO_TENANT_ID</replaceable></userinput></screen>
|
|
</step>
|
|
<step>
|
|
<para>Connect the router to <literal>ext-net</literal> by
|
|
setting the gateway for the router as
|
|
<literal>ext-net</literal>:</para>
|
|
<screen><prompt>#</prompt> <userinput>neutron router-gateway-set <replaceable>EXT_TO_INT_ID</replaceable> <replaceable>EXT_NET_ID</replaceable></userinput></screen>
|
|
</step>
|
|
<step>
|
|
<para>Create an internal network for
|
|
<replaceable>DEMO_TENANT</replaceable> (and associated
|
|
subnet over an arbitrary internal IP range, such as,
|
|
<literal>10.5.5.0/24</literal>), and connect it to the
|
|
router by setting it as a port:</para>
|
|
<screen><prompt>#</prompt> <userinput>neutron net-create --tenant-id <replaceable>DEMO_TENANT_ID</replaceable> demo-net <replaceable>SPECIAL_OPTIONS</replaceable></userinput>
|
|
<prompt>#</prompt> <userinput>neutron subnet-create --tenant-id <replaceable>DEMO_TENANT_ID</replaceable> demo-net 10.5.5.0/24 --gateway 10.5.5.1</userinput>
|
|
<prompt>#</prompt> <userinput>neutron router-interface-add <replaceable>EXT_TO_INT_ID</replaceable> <replaceable>DEMO_NET_SUBNET_ID</replaceable></userinput></screen>
|
|
</step>
|
|
<step>
|
|
<para>Check the special options page for your plug-in for
|
|
remaining steps. Now, return to the general
|
|
<acronym>OVS</acronym> instructions.</para>
|
|
</step>
|
|
</procedure>
|
|
<section
|
|
xml:id="install-neutron.configure-networks.plug-in-specific">
|
|
<title>Plug-in-specific Neutron network options</title>
|
|
<section
|
|
xml:id="install-neutron.configure-networks.plug-in-specific.ovs">
|
|
<title>Open vSwitch Network configuration options</title>
|
|
<section
|
|
xml:id="install-neutron.configure-networks.plug-in-specific.ovs.gre">
|
|
<title>GRE tunneling network options</title>
|
|
<note>
|
|
<para>While this guide currently enables network
|
|
namespaces by default, you can disable them if you have
|
|
issues or your kernel does not support them. If you
|
|
disabled namespaces, you must perform some additional
|
|
configuration for the L3 agent.</para>
|
|
<para>After you create all the networks, tell the L3 agent
|
|
what the external network ID is, as well as the ID of
|
|
the router associated with this machine (because you are
|
|
not using namespaces, there can be only one router for
|
|
each machine). To do this, edit the
|
|
<filename>/etc/neutron/l3_agent.ini</filename>
|
|
file:</para>
|
|
<programlisting language="ini">gateway_external_network_id = <replaceable>EXT_NET_ID</replaceable>
|
|
router_id = <replaceable>EXT_TO_INT_ID</replaceable></programlisting>
|
|
<para>Then, restart the L3 agent:</para>
|
|
<screen><prompt>#</prompt> <userinput>service neutron-l3-agent restart</userinput></screen>
|
|
</note>
|
|
<para>When creating networks, you should use the
|
|
options:</para>
|
|
<screen><userinput>--provider:network_type gre --provider:segmentation_id SEG_ID</userinput></screen>
|
|
<para><replaceable>SEG_ID</replaceable> should be
|
|
<literal>2</literal> for the external network, and just
|
|
any unique number inside the tunnel range specified before
|
|
for any other network.</para>
|
|
<note>
|
|
<para>These options are not needed beyond the first
|
|
network, as Neutron automatically increments the
|
|
segmentation id and copy the network type option for any
|
|
additional networks.</para>
|
|
</note>
|
|
<para>Now, return to the general <acronym>OVS</acronym>
|
|
instructions.</para>
|
|
</section>
|
|
<section
|
|
xml:id="install-neutron.configure-networks.plug-in-specific.ovs.vlan">
|
|
<title>VLAN network options</title>
|
|
<para>When creating networks, use these options:</para>
|
|
<screen><userinput>--provider:network_type vlan --provider:physical_network physnet1 --provider:segmentation_id SEG_ID</userinput> </screen>
|
|
<para><replaceable>SEG_ID</replaceable> should be
|
|
<literal>2</literal> for the external network, and just
|
|
any unique number inside the vlan range specified above
|
|
for any other network.</para>
|
|
<note>
|
|
<para>These options are not needed beyond the first
|
|
network, as Neutron automatically increments the
|
|
segmentation ID and copies the network type and physical
|
|
network options for any additional networks. They are
|
|
only needed if you wish to modify those values in any
|
|
way.</para>
|
|
</note>
|
|
<warning>
|
|
<para>Some NICs have Linux drivers that do not handle
|
|
VLANs properly. See the
|
|
<literal>ovs-vlan-bug-workaround</literal> and
|
|
<literal>ovs-vlan-test</literal> man pages for more
|
|
information. Additionally, you might try turning off
|
|
<literal>rx-vlan-offload</literal> and
|
|
<literal>tx-vlan-offload</literal> by using
|
|
<literal>ethtool</literal> on the
|
|
<replaceable>DATA_INTERFACE</replaceable>. Another
|
|
potential caveat to VLAN functionality is that VLAN tags
|
|
add an additional 4 bytes to the packet size. If your
|
|
NICs cannot handle large packets, make sure to set the
|
|
MTU to a value that is 4 bytes less than the normal
|
|
value on the
|
|
<replaceable>DATA_INTERFACE</replaceable>.</para>
|
|
<para>If you run OpenStack inside a virtualized
|
|
environment (for testing purposes), switching to the
|
|
<literal>virtio</literal> NIC type (or a similar
|
|
technology if you are not using KVM/QEMU to run your
|
|
host VMs) might solve the issue.</para>
|
|
</warning>
|
|
</section>
|
|
</section>
|
|
</section>
|
|
</section>
|
|
</section>
|