openstack-manuals/doc/install-guide/section_neutron-install.xml

1465 lines
76 KiB
XML

<?xml version="1.0" encoding="UTF-8"?>
<section xml:id="neutron-install-network-node"
xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:svg="http://www.w3.org/2000/svg"
xmlns:html="http://www.w3.org/1999/xhtml" version="5.0">
<title>Install Networking services</title>
<para os="debian">When you install a Networking node, you must
configure it for API endpoints, RabbitMQ,
<code>keystone_authtoken</code>, and the database. Use
<package>debconf</package> to configure these values.</para>
<para os="debian">When you install a Networking package,
<package>debconf</package> prompts you to choose configuration
options including which plug-in to use, as follows:</para>
<informalfigure os="debian">
<mediaobject>
<imageobject>
<imagedata scale="50"
fileref="figures/debconf-screenshots/neutron_1_plugin_selection.png"
/>
</imageobject>
</mediaobject>
</informalfigure>
<para os="debian">This parameter sets the
<parameter>core_plugin</parameter> option value in the
<filename>/etc/neutron/neutron.conf</filename> file.</para>
<note os="debian">
<para>When you install the <package>neutron-common</package>
package, all plug-ins are installed by default.</para>
</note>
<para os="debian">This table lists the values for the
<parameter>core_plugin</parameter> option. These values depend
on your response to the <package>debconf</package> prompt.</para>
<table rules="all" os="debian">
<caption>Plug-ins and the core_plugin option</caption>
<thead>
<tr>
<th>Plug-in</th>
<th>core_plugin value in
<filename>neutron.conf</filename></th>
</tr>
</thead>
<tbody>
<tr>
<td><para>BigSwitch</para></td>
<td><para>neutron.plugins.bigswitch.plugin.NeutronRestProxyV2</para></td>
</tr>
<tr>
<td><para>Brocade</para></td>
<td><para>neutron.plugins.brocade.NeutronPlugin.BrocadePluginV2</para></td>
</tr>
<tr>
<td><para>Cisco</para></td>
<td><para>neutron.plugins.cisco.network_plugin.PluginV2</para></td>
</tr>
<tr>
<td><para>Hyper-V</para></td>
<td><para>neutron.plugins.hyperv.hyperv_neutron_plugin.HyperVNeutronPlugin</para></td>
</tr>
<tr>
<td><para>LinuxBridge</para></td>
<td><para>neutron.plugins.linuxbridge.lb_neutron_plugin.LinuxBridgePluginV2</para></td>
</tr>
<tr>
<td><para>Mellanox</para></td>
<td><para>neutron.plugins.mlnx.mlnx_plugin.MellanoxEswitchPlugin</para></td>
</tr>
<tr>
<td><para>MetaPlugin</para></td>
<td><para>neutron.plugins.metaplugin.meta_neutron_plugin.MetaPluginV2</para></td>
</tr>
<tr>
<td><para>Midonet</para></td>
<td><para>neutron.plugins.midonet.plugin.MidonetPluginV2</para></td>
</tr>
<tr>
<td><para>ml2</para></td>
<td><para>neutron.plugins.ml2.plugin.Ml2Plugin</para></td>
</tr>
<tr>
<td><para>Nec</para></td>
<td><para>neutron.plugins.nec.nec_plugin.NECPluginV2</para></td>
</tr>
<tr>
<td><para>OpenVSwitch</para></td>
<td><para>neutron.plugins.openvswitch.ovs_neutron_plugin.OVSNeutronPluginV2</para></td>
</tr>
<tr>
<td><para>PLUMgrid</para></td>
<td><para>neutron.plugins.plumgrid.plumgrid_nos_plugin.plumgrid_plugin.NeutronPluginPLUMgridV2</para></td>
</tr>
<tr>
<td><para>RYU</para></td>
<td><para>neutron.plugins.ryu.ryu_neutron_plugin.RyuNeutronPluginV2</para></td>
</tr>
</tbody>
</table>
<para os="debian">Depending on the value of
<parameter>core_plugin</parameter>, the start-up scripts start
the daemons by using the corresponding plug-in configuration file
directly. For example, if you selected the Open vSwitch plug-in,
<code>neutron-server</code> automatically launches with
<parameter>--config-file
/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini</parameter>.</para>
<para os="debian">The <package>neutron-common</package> package also
prompts you for the default network configuration:</para>
<informalfigure os="debian">
<mediaobject>
<imageobject>
<imagedata scale="50"
fileref="figures/debconf-screenshots/neutron_2_networking_type.png"
/>
</imageobject>
</mediaobject>
</informalfigure>
<informalfigure os="debian">
<mediaobject>
<imageobject>
<imagedata scale="50"
fileref="figures/debconf-screenshots/neutron_3_hypervisor_ip.png"
/>
</imageobject>
</mediaobject>
</informalfigure>
<para os="rhel;centos;fedora;opensuse;sles;ubuntu">Before you
configure individual nodes for Networking, you must create the
required OpenStack components: user, service, database, and one or
more endpoints. After you complete these steps on the controller
node, follow the instructions in this guide to set up OpenStack
Networking nodes.</para>
<procedure os="rhel;centos;fedora;opensuse;sles;ubuntu">
<step>
<!-- TODO(sross): change this to use `openstack-db` once it supports Neutron -->
<!-- TODO(sross): move this into its own section -->
<para>Use the password that you set previously to log in as root
and create a <literal>neutron</literal> database:</para>
<screen><prompt>#</prompt> <userinput>mysql -u root -p</userinput>
<prompt>mysql></prompt> <userinput>CREATE DATABASE neutron;</userinput>
<prompt>mysql></prompt> <userinput>GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'localhost' \
IDENTIFIED BY '<replaceable>NEUTRON_DBPASS</replaceable>';</userinput>
<prompt>mysql></prompt> <userinput>GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'%' \
IDENTIFIED BY '<replaceable>NEUTRON_DBPASS</replaceable>';</userinput></screen>
</step>
<step>
<para>Create the required user, service, and endpoint so that
Networking can interface with the Identity Service.</para>
<para>To list the tenant IDs:</para>
<screen><prompt>#</prompt> <userinput>keystone tenant-list</userinput></screen>
<para>To list role IDs:</para>
<screen><prompt>#</prompt> <userinput>keystone role-list</userinput></screen>
<para>Create a <literal>neutron</literal> user:</para>
<screen><prompt>#</prompt> <userinput>keystone user-create --name=neutron --pass=<replaceable>NEUTRON_PASS</replaceable> --email=<replaceable>neutron@example.com</replaceable></userinput></screen>
<para>Add the user role to the neutron user:</para>
<screen><prompt>#</prompt> <userinput>keystone user-role-add --user=neutron --tenant=service --role=admin</userinput></screen>
<para>Create the neutron service:</para>
<screen><prompt>#</prompt> <userinput>keystone service-create --name=neutron --type=network \
--description="OpenStack Networking Service"</userinput></screen>
<para>Create a Networking endpoint. Use the
<literal>id</literal> property for the service that was
returned in the previous step to create the endpoint:</para>
<screen><prompt>#</prompt> <userinput>keystone endpoint-create \
--service-id <replaceable>the_service_id_above</replaceable> \
--publicurl http://<replaceable>controller</replaceable>:9696 \
--adminurl http://<replaceable>controller</replaceable>:9696 \
--internalurl http://<replaceable>controller</replaceable>:9696</userinput></screen>
</step>
</procedure>
<section xml:id="neutron-install.dedicated-network-node">
<title>Install Networking services on a dedicated network
node</title>
<note>
<para>Before you start, set up a machine as a dedicated network
node. Dedicated network nodes have a
<replaceable>MGMT_INTERFACE</replaceable> NIC, a
<replaceable>DATA_INTERFACE</replaceable> NIC, and a
<replaceable>EXTERNAL_INTERFACE</replaceable> NIC.</para>
<para>The management network handles communication among nodes.
The data network handles communication coming to and from VMs.
The external NIC connects the network node, and optionally to
the controller node, so your VMs can connect to the outside
world.</para>
<para>All NICs must have static IPs. However, the data and
external NICs have a special set up. For details about
Networking plug-ins, see <xref
linkend="install-neutron.install-plug-in"/>.</para>
</note>
<warning os="rhel;centos">
<para>By default, the <literal>system-config-firewall</literal>
automated firewall configuration tool is in place on RHEL.
This graphical interface (and a curses-style interface with
<literal>-tui</literal> on the end of the name) enables you
to configure IP tables as a basic firewall. You should disable
it when you work with Networking unless you are familiar with
the underlying network technologies, as, by default, it blocks
various types of network traffic that are important to
Networking. To disable it, simply launch the program and clear
the <guilabel>Enabled</guilabel> check box.</para>
<para>After you successfully set up OpenStack Networking, you
can re-enable and configure the tool. However, during
Networking set up, disable the tool to make it easier to debug
network issues.</para>
</warning>
<procedure>
<step>
<para>Install the OpenStack Networking service on the network
node:</para>
<screen os="ubuntu;debian"><prompt>#</prompt> <userinput>apt-get install neutron-server neutron-dhcp-agent neutron-plugin-openvswitch-agent neutron-l3-agent</userinput></screen>
<screen os="rhel;centos;fedora"><prompt>#</prompt> <userinput>yum install openstack-neutron</userinput></screen>
<screen os="opensuse;sles"><prompt>#</prompt> <userinput>zypper install openstack-neutron openstack-neutron-l3-agent \
openstack-neutron-dhcp-agent openstack-neutron-metadata-agent</userinput></screen>
</step>
<step os="debian">
<para>Respond to prompts for <link
linkend="debconf-dbconfig-common">database
management</link>, <link
linkend="debconf-keystone_authtoken"
><literal>[keystone_authtoken]</literal>
settings</link>, <link linkend="debconf-rabbitqm">RabbitMQ
credentials</link> and <link
linkend="debconf-api-endpoints">API endpoint</link>
registration.</para>
</step>
<step os="rhel;centos;fedora;opensuse;sles">
<para>Configure basic Networking-related services to start at
boot time:</para>
<screen os="rhel;centos;fedora"><prompt>#</prompt> <userinput>for s in neutron-{dhcp,metadata,l3}-agent; do chkconfig $s on; done</userinput></screen>
<screen os="opensuse;sles"><prompt>#</prompt> <userinput>for s in openstack-neutron-{dhcp,metadata,l3}-agent; do chkconfig $s on; done</userinput></screen>
</step>
<step>
<para>Enable packet forwarding and disable packet destination
filtering so that the network node can coordinate traffic
for the VMs. Edit the <filename>/etc/sysctl.conf</filename>
file, as follows:</para>
<programlisting language="ini">net.ipv4.ip_forward=1
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.default.rp_filter=0</programlisting>
<para>Use the <command>sysctl</command> command to ensure the
changes made to the <filename>/etc/sysctl.conf</filename>
file take effect:</para>
<screen><prompt>#</prompt> <userinput>sysctl -p</userinput></screen>
<note>
<para>It is recommended that the networking service is
restarted after changing values related to the networking
configuration. This ensures that all modified values take
effect immediately:</para>
<screen os="ubuntu"><prompt>#</prompt> <userinput>service networking restart</userinput></screen>
<screen os="rhel;centos;fedora;opensuse;sles"><prompt>#</prompt> <userinput>service network restart</userinput></screen>
</note>
</step>
<step os="rhel;centos;fedora;opensuse;sles;ubuntu">
<para>To configure Neutron to use Keystone for authentication, edit the <filename>/etc/neutron/neutron.conf</filename>
file.</para>
<substeps>
<step>
<para>Set the <literal>auth_strategy</literal>
configuration key to <literal>keystone</literal> in the
<literal>DEFAULT</literal> section of the file:</para>
<programlisting language="ini">auth_strategy = keystone</programlisting>
</step>
<step>
<para>Add these lines to the
<literal>keystone_authtoken</literal> section of the
file:</para>
<programlisting language="ini">auth_host = <replaceable>controller</replaceable>
auth_port = 35357
auth_protocol = http
admin_tenant_name = service
admin_user = neutron
admin_password = <replaceable>NEUTRON_PASS</replaceable></programlisting>
</step>
</substeps>
</step>
<step os="rhel;centos;fedora">
<para>Edit the <literal>[agent]</literal> section in the
<filename>/etc/neutron/neutron.conf</filename> file and modify
the <literal>root_helper</literal> key:</para>
<programlisting language="ini">[agent]
...
root_helper = sudo neutron-rootwrap /etc/neutron/rootwrap.conf
</programlisting>
</step>
<step os="opensuse;sles;ubuntu">
<para>Configure the RabbitMQ access. Edit the
<filename>/etc/neutron/neutron.conf</filename> file to
modify the following parameters in the
<literal>DEFAULT</literal> section.</para>
<programlisting language="ini">rabbit_host = controller
rabbit_userid = guest
rabbit_password = <replaceable>RABBIT_PASS</replaceable></programlisting>
</step>
<step os="rhel;centos;fedora">
<para>Configure access to the message queue. Edit the
<literal>DEFAULT</literal> section in
<filename>/etc/neutron/neutron.conf</filename>, assuming
you're using QPID:</para>
<programlisting language="ini">
rpc_backend = neutron.openstack.common.rpc.<replaceable>impl_qpid</replaceable>
qpid_hostname = <replaceable>controller</replaceable>
qpid_port = <replaceable>5672</replaceable>
qpid_username = <replaceable>guest</replaceable>
qpid_password = <replaceable>guest</replaceable></programlisting>
</step>
<step os="rhel;centos;fedora;opensuse;sles;ubuntu">
<para>Configure Networking to connect to the database. Edit
the <literal>[database]</literal> section in the same file,
as follows:</para>
<programlisting language="ini">[database]
connection = mysql://neutron:<replaceable>NEUTRON_DBPASS</replaceable>@<replaceable>controller</replaceable>/neutron</programlisting>
</step>
<step os="rhel;centos;fedora;opensuse;sles;ubuntu">
<para>Edit the <filename>/etc/neutron/api-paste.ini</filename>
file and add these lines to the
<literal>[filter:authtoken]</literal> section:</para>
<programlisting language="ini">[filter:authtoken]
paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
auth_host = <replaceable>controller</replaceable>
auth_uri = http://<replaceable>controller</replaceable>:5000
admin_tenant_name = service
admin_user = neutron
admin_password = <replaceable>NEUTRON_PASS</replaceable></programlisting>
<warning>
<para><literal>keystoneclient.middleware.auth_token</literal>:
You must configure <literal>auth_uri</literal> to point to
the public identity endpoint. Otherwise, clients might not
be able to authenticate against an admin endpoint.</para>
</warning>
</step>
<step os="debian">
<para>Configure your network plug-in. For instructions, see
<link linkend="install-neutron.install-plug-in"
>instructions</link>. Then, return here.</para>
</step>
<step os="rhel;centos;fedora;opensuse;sles;ubuntu">
<para>Install and configure a networking plug-in. OpenStack
Networking uses this plug-in to perform software-defined
networking. For instructions, see <link
linkend="install-neutron.install-plug-in"
>instructions</link>. Then, return here.</para>
</step>
</procedure>
<para>Now that you've installed and configured a plug-in (you did
do that, right?), it is time to configure the remaining parts of
Networking.</para>
<procedure>
<step>
<para>To perform DHCP on the software-defined networks,
Networking supports several different plug-ins. However, in
general, you use the Dnsmasq plug-in. Edit the
<filename>/etc/neutron/dhcp_agent.ini</filename>
file:</para>
<programlisting language="ini">dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq</programlisting>
</step>
<step>
<para>To allow virtual machines to access the Compute metadata
information, the Networking metadata agent must be enabled
and configured. The agent will act as a proxy for the
Compute metadata service.</para>
<para>On the controller, edit the
<filename>/etc/nova/nova.conf</filename> file to define a
secret key that will be shared between the Compute Service
and the Networking metadata agent.</para>
<para os="debian;ubuntu">Add to the
<literal>[DEFAULT]</literal> section:</para>
<programlisting os="ubuntu;debian" language="ini">[DEFAULT]
neutron_metadata_proxy_shared_secret = <replaceable>METADATA_PASS</replaceable>
service_neutron_metadata_proxy = true</programlisting>
<para os="opensuse;sles;rhel;centos;fedora">Set the
<literal>neutron_metadata_proxy_shared_secret</literal>
key:</para>
<screen os="opensuse;sles;rhel;centos;fedora"><prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
neutron_metadata_proxy_shared_secret <replaceable>METADATA_PASS</replaceable></userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
service_neutron_metadata_proxy true</userinput></screen>
<para>Restart the <systemitem class="service"
>nova-api</systemitem> service:</para>
<screen os="debian;ubuntu"><prompt>#</prompt> <userinput>service nova-api restart</userinput></screen>
<screen os="centos;rhel;fedora;opensuse;sles"><prompt>#</prompt> <userinput>service openstack-nova-api restart</userinput></screen>
<para>On the network node, modify the metadata agent
configuration.</para>
<para os="debian;ubuntu">Edit the
<filename>/etc/neutron/metadata_agent.ini</filename> file
and modify the <literal>[DEFAULT]</literal> section:</para>
<programlisting os="debian;ubuntu" language="ini">[DEFAULT]
auth_url = http://controller:5000/v2.0
auth_region = regionOne
admin_tenant_name = service
admin_user = neutron
admin_password = <replaceable>NEUTRON_PASS</replaceable>
nova_metadata_ip = controller
metadata_proxy_shared_secret = <replaceable>METADATA_PASS</replaceable></programlisting>
<para os="opensuse;sles;rhel;centos;fedora">Set the required
keys:</para>
<screen os="opensuse;sles;rhel;centos;fedora"><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT \
auth_url http://controller:5000/v2.0</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT \
auth_region regionOne</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT \
admin_tenant_name service</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT \
admin_user neutron</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT \
admin_password <replaceable>NEUTRON_PASS</replaceable></userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT \
nova_metadata_ip controller</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT \
metadata_proxy_shared_secret <replaceable>METADATA_PASS</replaceable></userinput></screen>
<note>
<para>The value of <literal>auth_region</literal> is
case-sensitive and must match the endpoint region defined
in Keystone.</para>
</note>
</step>
<step os="rhel;centos;fedora">
<para>The <systemitem class="service">neutron-server</systemitem>
initialization script expects a symbolic link
<filename>/etc/neutron/plugin.ini</filename> pointing to the
configuration file associated with your chosen plug-in. Using
Open vSwitch, for example, the symbolic link must point to
<filename>/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini</filename>.
If this symbolic link does not exist, create it using the
following commands:</para>
<screen><prompt>#</prompt> <userinput>cd /etc/neutron</userinput>
<prompt>#</prompt> <userinput>ln -s plugins/openvswitch/ovs_neutron_plugin.ini plugin.ini</userinput></screen>
</step>
<step os="sles;opensuse">
<para>The <systemitem class="service">openstack-neutron</systemitem>
initialization script expects the variable
<literal>NEUTRON_PLUGIN_CONF</literal> in file
<filename>/etc/sysconfig/neutron</filename> to reference the
configuration file associated with your chosen plug-in. Using
Open vSwitch, for example, edit the
<filename>/etc/sysconfig/neutron</filename> file and add the
following:</para>
<programlisting>NEUTRON_PLUGIN_CONF="/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini"</programlisting>
</step>
<step>
<para>Restart Networking services.</para>
<screen os="ubuntu;debian"><prompt>#</prompt> <userinput>service neutron-server restart</userinput>
<prompt>#</prompt> <userinput>service neutron-dhcp-agent restart</userinput>
<prompt>#</prompt> <userinput>service neutron-l3-agent restart</userinput>
<prompt>#</prompt> <userinput>service neutron-metadata-agent restart</userinput></screen>
<screen os="rhel;centos;fedora"><prompt>#</prompt> <userinput>service neutron-server restart</userinput>
<prompt>#</prompt> <userinput>service neutron-dhcp-agent restart</userinput>
<prompt>#</prompt> <userinput>service neutron-l3-agent restart</userinput>
<prompt>#</prompt> <userinput>service neutron-metadata-agent restart</userinput></screen>
<screen os="sles;opensuse"><prompt>#</prompt> <userinput>service openstack-neutron-server restart</userinput>
<prompt>#</prompt> <userinput>service openstack-neutron-dhcp-agent restart</userinput>
<prompt>#</prompt> <userinput>service openstack-neutron-l3-agent restart</userinput>
<prompt>#</prompt> <userinput>service openstack-neutron-metadata-agent restart</userinput></screen>
<para>Also restart your chosen Networking plug-in agent, for example, Open vSwitch.</para>
<screen os="ubuntu;debian"><prompt>#</prompt> <userinput>service neutron-plugin-openvswitch-agent restart</userinput></screen>
<screen os="rhel;centos;fedora"><prompt>#</prompt> <userinput>service neutron-openvswitch-agent restart</userinput></screen>
<screen os="sles;opensuse"><prompt>#</prompt> <userinput>service openstack-neutron-openvswitch-agent restart</userinput></screen>
</step>
<step>
<para>After you configure the <link
linkend="install-neutron.dedicated-compute-node"
>compute</link> and <link
linkend="install-neutron.dedicated-controller-node"
>controller</link> nodes, <link
linkend="install-neutron.configure-networks">configure the
base networks</link>.</para>
</step>
</procedure>
<section xml:id="install-neutron.install-plug-in">
<title>Install and configure the Networking plug-ins</title>
<section xml:id="install-neutron.install-plug-in.ovs">
<title>Install the Open vSwitch (OVS) plug-in</title>
<procedure>
<step>
<para>Install the Open vSwitch plug-in and its
dependencies:</para>
<screen os="ubuntu;debian"><prompt>#</prompt> <userinput>apt-get install neutron-plugin-openvswitch-agent openvswitch-switch</userinput></screen>
<screen os="rhel;fedora;centos"><prompt>#</prompt> <userinput>yum install openstack-neutron-openvswitch</userinput></screen>
<screen os="opensuse;sles"><prompt>#</prompt> <userinput>zypper install openstack-neutron-openvswitch-agent</userinput></screen>
<note os="ubuntu">
<para>On Ubuntu 12.04 LTS with GRE you must install
openvswitch-datapath-dkms and restart the service to
enable the GRE flow so that OVS 1.10 and higher is
used. Make sure you are running the OVS 1.10 kernel
module in addition to the OVS 1.10 user space. Both
the kernel module and user space are required for
VXLAN support. The error you see in the
<filename>/var/log/openvswitchovs-vswitchd.log</filename>
log file is "Stderr: 'ovs-ofctl: -1: negative values
not supported for in_port\n'". If you see this error,
make sure <command>modinfo openvswitch</command> shows
the right version. Also check the output from
<command>dmesg</command> for the version of the OVS
module being loaded.</para>
</note>
</step>
<step>
<para>Start Open vSwitch:</para>
<screen os="debian;rhel;fedora;centos"><prompt>#</prompt> <userinput>service openvswitch start</userinput></screen>
<screen os="opensuse;sles"><prompt>#</prompt> <userinput>service openvswitch-switch start</userinput></screen>
<screen os="ubuntu"><prompt>#</prompt> <userinput>service openvswitch-switch restart</userinput></screen>
<para os="rhel;fedora;centos;opensuse;sles">And configure
it to start when the system boots:</para>
<screen os="rhel;fedora;centos"><prompt>#</prompt> <userinput>chkconfig openvswitch on</userinput></screen>
<screen os="opensuse;sles"><prompt>#</prompt> <userinput>chkconfig openvswitch-switch on</userinput></screen>
</step>
<step>
<para>No matter which networking technology you use, you
must add the <literal>br-int</literal> integration
bridge, which connects to the VMs, and the
<literal>br-ex</literal> external bridge, which
connects to the outside world.</para>
<screen><prompt>#</prompt> <userinput>ovs-vsctl add-br br-int</userinput>
<prompt>#</prompt> <userinput>ovs-vsctl add-br br-ex</userinput></screen>
</step>
<step>
<para>Add a <firstterm>port</firstterm> (connection) from
the <replaceable>EXTERNAL_INTERFACE</replaceable>
interface to <literal>br-ex</literal> interface:</para>
<screen><prompt>#</prompt> <userinput>ovs-vsctl add-port br-ex EXTERNAL_INTERFACE</userinput></screen>
</step>
<step>
<para>Configure the
<replaceable>EXTERNAL_INTERFACE</replaceable> without
an IP address and in promiscuous mode. Additionally, you
must set the newly created <literal>br-ex</literal>
interface to have the IP address that formerly belonged
to <replaceable>EXTERNAL_INTERFACE</replaceable>.</para>
<warning os="ubuntu">
<para>Generic Receive Offload (GRO) should not be
enabled on this interface as it can cause severe
performance problems. It can be disabled with the
ethtool utility.</para>
</warning>
<para os="rhel;fedora;centos">Edit the
<filename>/etc/sysconfig/network-scripts/ifcfg-EXTERNAL_INTERFACE</filename>
file:</para>
<programlisting language="ini" os="rhel;fedora;centos">DEVICE_INFO_HERE
ONBOOT=yes
BOOTPROTO=none
PROMISC=yes</programlisting>
</step>
<step os="rhel;fedora;centos">
<para>Create and edit the
<filename>/etc/sysconfig/network-scripts/ifcfg-br-ex</filename>
file:</para>
<programlisting language="ini">DEVICE=br-ex
TYPE=Bridge
ONBOOT=no
BOOTPROTO=none
IPADDR=EXTERNAL_INTERFACE_IP
NETMASK=EXTERNAL_INTERFACE_NETMASK
GATEWAY=EXTERNAL_INTERFACE_GATEWAY</programlisting>
</step>
<!-- TODO(sross): support other distros -->
<step>
<para>You must set some common configuration options no
matter which networking technology you choose to use
with Open vSwitch. Configure the L3 and DHCP agents to
use <acronym>OVS</acronym> and namespaces. Edit the
<filename>/etc/neutron/l3_agent.ini</filename> and
<filename>/etc/neutron/dhcp_agent.ini</filename>
files, respectively:</para>
<programlisting language="ini">interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
use_namespaces = True</programlisting>
<para os="rhel;centos">You must enable veth support if you
use certain kernels. Some kernels, such as recent
versions of RHEL (not RHOS) and CentOS, only partially
support namespaces. Edit the previous files, as
follows:</para>
<programlisting language="ini" os="rhel;centos">ovs_use_veth = True</programlisting>
</step>
<step os="rhel;centos;fedora;opensuse;sles;ubuntu">
<para>Similarly, you must also tell Neutron core to use
<acronym>OVS</acronym>. Edit the
<filename>/etc/neutron/neutron.conf</filename>
file:</para>
<programlisting language="ini">core_plugin = neutron.plugins.openvswitch.ovs_neutron_plugin.OVSNeutronPluginV2</programlisting>
</step>
<step>
<para>Choose a networking technology to create the virtual
networks. Neutron supports GRE tunneling, VLANs, and
VXLANs. This guide shows how to configure GRE tunneling
and VLANs.</para>
<para>
<link linkend="install-neutron.install-plug-in.ovs.gre"
>GRE tunneling</link> is simpler to set up because it
does not require any special configuration from any
physical network hardware. However, its protocol makes
it difficult to filter traffic on the physical network.
Additionally, this configuration does not use
namespaces. You can have only one router for each
network node. However, you can enable namespacing, and
potentially veth, as described in the section detailing
how to use VLANs with <acronym>OVS</acronym>).</para>
<para>On the other hand, <link
linkend="install-neutron.install-plug-in.ovs.vlan"
>VLAN tagging</link> modifies the ethernet header of
packets. You can filter packets on the physical network
through normal methods. However, not all NICs handle the
increased packet size of VLAN-tagged packets well, and
you might need to complete additional configuration on
physical network hardware to ensure that your Neutron
VLANs do not interfere with any other VLANs on your
network and that any physical network hardware between
nodes does not strip VLAN tags.</para>
<note>
<para>While the examples in this guide enable network
namespaces by default, you can disable them if issues
occur or your kernel does not support them. Edit the
<filename>/etc/neutron/l3_agent.ini</filename> and
<filename>/etc/neutron/dhcp_agent.ini</filename>
files, respectively:</para>
<programlisting language="ini">use_namespaces = False</programlisting>
<para>Edit the
<filename>/etc/neutron/neutron.conf</filename> file
to disable overlapping IP addresses:</para>
<programlisting language="ini">allow_overlapping_ips = False</programlisting>
<para>Note that when network namespaces are disabled,
you can have only one router for each network node and
overlapping IP addresses are not supported.</para>
<para>You must complete additional steps after you
create the initial Neutron virtual networks and
router.</para>
</note>
</step>
<!-- TODO(sross): support provider networks? you need to modify things above for this to work -->
<step>
<para>Configure a firewall plug-in. If you do not wish to
enforce firewall rules, called <firstterm>security
groups</firstterm> by OpenStack, you can use
<literal>neutron.agent.firewall.NoopFirewall</literal>.
Otherwise, you can choose one of the Networking firewall
plug-ins. The most common choice is the Hybrid
OVS-IPTables driver, but you can also use the
Firewall-as-a-Service driver. Edit the
<filename>/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini</filename>
file:</para>
<programlisting language="ini">[securitygroup]
# Firewall driver for realizing neutron security group function.
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver</programlisting>
<warning>
<para>You must use at least the No-Op firewall.
Otherwise, Horizon and other OpenStack services cannot
get and set required VM boot options.</para>
</warning>
</step>
<!-- TODO(sross): document other firewall options -->
<step os="rhel;centos;fedora;sles;opensuse">
<para>Configure the <acronym>OVS</acronym> plug-in to start
on boot.</para>
<screen os="fedora;centos;rhel"><prompt>#</prompt> <userinput>chkconfig neutron-openvswitch-agent on</userinput></screen>
<screen os="sles;opensuse"><prompt>#</prompt> <userinput>chkconfig openstack-neutron-openvswitch-agent on</userinput></screen>
</step>
<step>
<para>Now, return to the general <acronym>OVS</acronym>
instructions.</para>
</step>
</procedure>
<section xml:id="install-neutron.install-plug-in.ovs.gre">
<title>Configure the Neutron <acronym>OVS</acronym> plug-in
for GRE tunneling</title>
<procedure>
<step>
<para>Configure the <acronym>OVS</acronym> plug-in to
use GRE tunneling, the <literal>br-int</literal>
integration bridge, the <literal>br-tun</literal>
tunneling bridge, and a local IP for the
<replaceable>DATA_INTERFACE</replaceable> tunnel IP.
Edit the
<filename>/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini</filename>
file:</para>
<programlisting language="ini">[ovs]
tenant_network_type = gre
tunnel_id_ranges = 1:1000
enable_tunneling = True
integration_bridge = br-int
tunnel_bridge = br-tun
local_ip = DATA_INTERFACE_IP</programlisting>
</step>
<step>
<para>Return to the general <acronym>OVS</acronym>
instructions.</para>
</step>
</procedure>
</section>
<section xml:id="install-neutron.install-plug-in.ovs.vlan">
<title>Configure the Neutron <acronym>OVS</acronym> plug-in
for VLANs</title>
<procedure>
<step>
<para>Configure <acronym>OVS</acronym> to use VLANS.
Edit the
<filename>/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini</filename>
file:</para>
<programlisting language="ini">[ovs]
tenant_network_type = vlan
network_vlan_ranges = physnet1:1:4094
bridge_mappings = physnet1:br-DATA_INTERFACE</programlisting>
</step>
<step>
<para>Create the bridge for
<replaceable>DATA_INTERFACE</replaceable> and add
<replaceable>DATA_INTERFACE</replaceable> to
it:</para>
<screen><prompt>#</prompt> <userinput>ovs-vsctl add-br br-DATA_INTERFACE</userinput>
<prompt>#</prompt> <userinput>ovs-vsctl add-port br-DATA_INTERFACE DATA_INTERFACE</userinput></screen>
</step>
<step>
<para>Transfer the IP address for
<replaceable>DATA_INTERFACE</replaceable> to the
bridge in the same way that you transferred the
<replaceable>EXTERNAL_INTERFACE</replaceable> IP
address to <literal>br-ex</literal>. However, do not
turn on promiscuous mode.</para>
</step>
<step>
<para>Return to the <acronym>OVS</acronym> general
instruction.</para>
</step>
</procedure>
</section>
</section>
</section>
</section>
<section xml:id="install-neutron.dedicated-compute-node">
<title>Install networking support on a dedicated compute
node</title>
<note>
<para>This section details set up for any node that runs the
<literal>nova-compute</literal> component but does not run
the full network stack.</para>
</note>
<warning os="rhel;centos">
<para>By default, the <literal>system-config-firewall</literal>
automated firewall configuration tool is in place on RHEL.
This graphical interface (and a curses-style interface with
<literal>-tui</literal> on the end of the name) enables you
to configure IP tables as a basic firewall. You should disable
it when you work with Neutron unless you are familiar with the
underlying network technologies, as, by default, it blocks
various types of network traffic that are important to
Neutron. To disable it, simple launch the program and clear
the <guilabel>Enabled</guilabel> check box.</para>
<para>After you successfully set up OpenStack with Neutron, you
can re-enable and configure the tool. However, during Neutron
set up, disable the tool to make it easier to debug network
issues.</para>
</warning>
<procedure>
<step>
<para>Disable packet destination filtering (route
verification) to let the networking services route traffic
to the VMs. Edit the <filename>/etc/sysctl.conf</filename>
file and run the following command to activate
changes:</para>
<programlisting language="ini">net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.default.rp_filter=0</programlisting>
<screen><prompt>#</prompt> <userinput>sysctl -p</userinput></screen>
</step>
<step>
<para>Install and configure your networking plug-in
components. To install and configure the network plug-in
that you chose when you set up your network node, see <xref
linkend="install-neutron.install-plugin-compute"/>.</para>
</step>
<step os="rhel;centos;fedora">
<para>Configure the core components of Neutron. Edit the
<filename>/etc/neutron/neutron.conf</filename>
file:</para>
<programlisting language="ini">auth_host = <replaceable>controller</replaceable>
admin_tenant_name = service
admin_user = neutron
admin_password = <replaceable>NEUTRON_PASS</replaceable>
auth_url = http://<replaceable>controller</replaceable>:35357/v2.0
auth_strategy = keystone
rpc_backend = neutron.openstack.common.rpc.impl_qpid
qpid_hostname = controller</programlisting>
</step>
<step os="opensuse;sles">
<para>Configure the core components of Neutron. Edit the
<filename>/etc/neutron/neutron.conf</filename>
file:</para>
<programlisting language="ini">auth_host = <replaceable>controller</replaceable>
admin_tenant_name = service
admin_user = neutron
admin_password = <replaceable>NEUTRON_PASS</replaceable>
auth_url = http://controller:35357/v2.0
auth_strategy = keystone
rpc_backend = neutron.openstack.common.rpc.impl_kombu
rabbit_host = controller
rabbit_port = 5672
rabbit_password = <replaceable>RABBIT_PASS</replaceable></programlisting>
</step>
<step os="ubuntu;debian">
<para>Configure the core components of Neutron. Edit the
<filename>/etc/neutron/neutron.conf</filename>
file:</para>
<programlisting language="ini">auth_host = <replaceable>controller</replaceable>
admin_tenant_name = service
admin_user = neutron
admin_password = <replaceable>NEUTRON_PASS</replaceable>
auth_url = http://controller:35357/v2.0
auth_strategy = keystone
rpc_backend = neutron.openstack.common.rpc.impl_kombu
rabbit_host = controller
rabbit_port = 5672
# Change the following settings if you're not using the default RabbitMQ configuration
#rabbit_userid = guest
rabbit_password = <replaceable>RABBIT_PASS</replaceable></programlisting>
</step>
<step os="rhel;centos;fedora">
<para>Edit the <literal>[agent]</literal> section in the
<filename>/etc/neutron/neutron.conf</filename> file and modify
the <literal>root_helper</literal> key:</para>
<programlisting language="ini">[agent]
...
root_helper = sudo neutron-rootwrap /etc/neutron/rootwrap.conf
</programlisting>
</step>
<step os="rhel;centos;fedora;opensuse;sles;ubuntu">
<para>Edit the database URL under the
<literal>[database]</literal> section in the above file,
to tell Neutron how to connect to the database:</para>
<programlisting language="ini">[database]
connection = mysql://neutron:<replaceable>NEUTRON_DBPASS</replaceable>@<replaceable>controller</replaceable>/neutron</programlisting>
</step>
<step>
<para>Edit the <filename>/etc/neutron/api-paste.ini</filename>
file and add these lines to the
<literal>[filter:authtoken]</literal> section:</para>
<programlisting language="ini">[filter:authtoken]
paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
auth_host = <replaceable>controller</replaceable>
admin_tenant_name = service
admin_user = neutron
admin_password = <replaceable>NEUTRON_PASS</replaceable></programlisting>
</step>
<step>
<para>Configure OpenStack Compute to use OpenStack Networking
services. Edit the <filename>/etc/nova/nova.conf</filename>
file:</para>
<programlisting language="ini">network_api_class=nova.network.neutronv2.api.API
neutron_url=http://<replaceable>controller</replaceable>:9696
neutron_auth_strategy=keystone
neutron_admin_tenant_name=service
neutron_admin_username=neutron
neutron_admin_password=<replaceable>NEUTRON_PASS</replaceable>
neutron_admin_auth_url=http://<replaceable>controller</replaceable>:35357/v2.0
linuxnet_interface_driver = nova.network.linux_net.LinuxOVSInterfaceDriver
firewall_driver=nova.virt.firewall.NoopFirewallDriver
security_group_api=neutron</programlisting>
<note>
<itemizedlist>
<listitem>
<para>No matter which firewall driver you chose when you
configured the network and compute nodes, you must
edit the <filename>/etc/nova/nova.conf</filename> file
to set the firewall driver to
<literal>nova.virt.firewall.NoopFirewallDriver</literal>.
Because OpenStack Networking handles the firewall,
this statement instructs Compute to not use a
firewall.</para>
</listitem>
<listitem>
<para>If you want Networking to handle the firewall,
edit the
<filename>/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini</filename>
file to set the <code>firewall_driver</code> option to
the firewall for the plug-in. For example, with
<acronym>OVS</acronym>, edit the file as
follows:</para>
<programlisting language="ini">[securitygroup]
# Firewall driver for realizing neutron security group function.
firewall_driver=neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver</programlisting>
</listitem>
<listitem>
<para>If you do not want to use a firewall in Compute or
Networking, edit both configuration files and set
<code>firewall_driver=nova.virt.firewall.NoopFirewallDriver</code>.
Also, edit the
<filename>/etc/nova/nova.conf</filename> file and
comment out or remove the
<code>security_group_api=neutron</code>
statement.</para>
<para>Otherwise, when you issue <command>nova
list</command> commands, the <errortext>ERROR: The
server has either erred or is incapable of
performing the requested operation. (HTTP
500)</errortext> error might be returned.</para>
</listitem>
</itemizedlist>
</note>
</step>
<step>
<para>Restart the Compute service.</para>
<screen os="debian;ubuntu"><prompt>#</prompt> <userinput>service nova-compute restart</userinput></screen>
<screen os="centos;rhel;fedora"><prompt>#</prompt> <userinput>service openstack-nova-compute restart</userinput></screen>
<screen os="sles;opensuse"><prompt>#</prompt> <userinput>service openstack-nova-compute restart</userinput></screen>
<para>Also restart your chosen Networking plug-in agent, for example, Open vSwitch.</para>
<screen os="ubuntu;debian"><prompt>#</prompt> <userinput>service neutron-plugin-openvswitch-agent restart</userinput></screen>
<screen os="rhel;centos;fedora"><prompt>#</prompt> <userinput>service neutron-openvswitch-agent restart</userinput></screen>
<screen os="sles;opensuse"><prompt>#</prompt> <userinput>service openstack-neutron-openvswitch-agent restart</userinput></screen>
</step>
</procedure>
<section xml:id="install-neutron.install-plugin-compute">
<title>Install and configure Neutron plug-ins on a dedicated
compute node</title>
<section xml:id="install-neutron.install-plugin-compute.ovs">
<title>Install the Open vSwitch (OVS) plug-in on a dedicated
compute node</title>
<procedure>
<step>
<para>Install the Open vSwitch plug-in and its
dependencies:</para>
<screen os="ubuntu;debian"><prompt>#</prompt> <userinput>apt-get install neutron-plugin-openvswitch-agent openvswitch-switch openvswitch-datapath-dkms</userinput></screen>
<screen os="rhel;fedora;centos"><prompt>#</prompt> <userinput>yum install openstack-neutron-openvswitch</userinput></screen>
<screen os="opensuse;sles"><prompt>#</prompt> <userinput>zypper install openstack-neutron-openvswitch-agent</userinput></screen>
</step>
<step os="ubuntu;debian">
<para>Restart Open vSwitch:</para>
<screen><prompt>#</prompt> <userinput>service openvswitch-switch restart</userinput></screen>
</step>
<step os="rhel;fedora;centos;opensuse;sles">
<para>Start Open vSwitch and configure it to start when
the system boots:</para>
<screen os="rhel;fedora;centos"><prompt>#</prompt> <userinput>service openvswitch start</userinput>
<prompt>#</prompt> <userinput>chkconfig openvswitch on</userinput></screen>
<screen os="opensuse;sles"><prompt>#</prompt> <userinput>service openvswitch-switch start</userinput>
<prompt>#</prompt> <userinput>chkconfig openvswitch-switch on</userinput></screen>
</step>
<step>
<para>You must set some common configuration options no
matter which networking technology you choose to use
with Open vSwitch. You must add the
<literal>br-int</literal> integration bridge, which
connects to the VMs.</para>
<screen><prompt>#</prompt> <userinput>ovs-vsctl add-br br-int</userinput></screen>
</step>
<step os="rhel;centos;fedora;opensuse;sles;ubuntu">
<para>You must set some common configuration options. You
must configure Networking core to use
<acronym>OVS</acronym>. Edit the
<filename>/etc/neutron/neutron.conf</filename>
file:</para>
<programlisting language="ini" os="ubuntu;opensuse;sles">core_plugin = neutron.plugins.openvswitch.ovs_neutron_plugin.OVSNeutronPluginV2</programlisting>
<programlisting language="ini">auth_uri = http://<replaceable>controller</replaceable>:5000</programlisting>
<programlisting language="ini" os="rhel;centos;fedora">core_plugin = neutron.plugins.openvswitch.ovs_neutron_plugin.OVSNeutronPluginV2
api_paste_config = /etc/neutron/api-paste.ini
rpc_backend = neutron.openstack.common.rpc.impl_qpid</programlisting>
</step>
<step>
<para>Configure the networking type that you chose when
you set up the network node: either <link
linkend="install-neutron.install-plugin-compute.ovs.gre"
>GRE tunneling</link> or <link
linkend="install-neutron.install-plugin-compute.ovs.vlan"
>VLANs</link>.</para>
</step>
<!-- TODO(sross): support provider networks? you need to modify things above for this to work -->
<step>
<para>You must configure a firewall as well. You should
use the same firewall plug-in that you chose to use when
you set up the network node. To do this, edit
<filename>/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini</filename>
file and set the <literal>firewall_driver</literal>
value under the <literal>securitygroup</literal> to the
same value used on the network node. For instance, if
you chose to use the Hybrid OVS-IPTables plug-in, your
configuration looks like this:</para>
<programlisting language="ini">[securitygroup]
# Firewall driver for realizing neutron security group function.
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver</programlisting>
<warning>
<para>You must use at least the No-Op firewall.
Otherwise, Horizon and other OpenStack services cannot
get and set required VM boot options.</para>
</warning>
</step>
<step os="rhel;centos;fedora;sles;opensuse">
<para>Configure the <acronym>OVS</acronym> plug-in to start
on boot.</para>
<screen os="rhel;centos;fedora"><prompt>#</prompt> <userinput>chkconfig neutron-openvswitch-agent on</userinput></screen>
<screen os="sles;opensuse"><prompt>#</prompt> <userinput>chkconfig openstack-neutron-openvswitch-agent on</userinput></screen>
</step>
<step>
<para>Now, return to the general <acronym>OVS</acronym>
instructions.</para>
</step>
</procedure>
<section
xml:id="install-neutron.install-plugin-compute.ovs.gre">
<title>Configure the Neutron <acronym>OVS</acronym> plug-in
for GRE tunneling on a dedicated compute node</title>
<procedure>
<step>
<para>Tell the <acronym>OVS</acronym> plug-in to use GRE
tunneling with a <literal>br-int</literal> integration
bridge, a <literal>br-tun</literal> tunneling bridge,
and a local IP for the tunnel of
<replaceable>DATA_INTERFACE</replaceable>'s IP Edit
the
<filename>/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini</filename>
file:</para>
<programlisting language="ini">[ovs]
tenant_network_type = gre
tunnel_id_ranges = 1:1000
enable_tunneling = True
integration_bridge = br-int
tunnel_bridge = br-tun
local_ip = <replaceable>DATA_INTERFACE_IP</replaceable></programlisting>
</step>
<step>
<para>Now, return to the general <acronym>OVS</acronym>
instructions.</para>
</step>
</procedure>
</section>
<section
xml:id="install-neutron.install-plugin-compute.ovs.vlan">
<title>Configure the Neutron <acronym>OVS</acronym> plug-in
for VLANs on a dedicated compute node</title>
<procedure>
<step>
<para>Tell <acronym>OVS</acronym> to use VLANs. Edit the
<filename>/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini</filename>
file:</para>
<programlisting language="ini">[ovs]
tenant_network_type = vlan
network_vlan_ranges = physnet1:1:4094
bridge_mappings = physnet1:br-<replaceable>DATA_INTERFACE</replaceable></programlisting>
</step>
<step>
<para>Create the bridge for the
<replaceable>DATA_INTERFACE</replaceable> and add
<replaceable>DATA_INTERFACE</replaceable> to it, the
same way you did on the network node:</para>
<screen><prompt>#</prompt> <userinput>ovs-vsctl add-br br-DATA_INTERFACE</userinput>
<prompt>#</prompt> <userinput>ovs-vsctl add-port br-DATA_INTERFACE DATA_INTERFACE</userinput></screen>
</step>
<step>
<para>Return to the general <acronym>OVS</acronym>
instructions.</para>
</step>
</procedure>
</section>
</section>
</section>
</section>
<section xml:id="install-neutron.dedicated-controller-node">
<title>Install networking support on a dedicated controller
node</title>
<note>
<para>This is for a node which runs the control components of
Neutron, but does not run any of the components that provide
the underlying functionality (such as the plug-in agent or the
L3 agent). If you wish to have a combined controller/compute
node follow these instructions, and then those for the compute
node.</para>
</note>
<warning os="rhel;centos">
<para>By default, the <literal>system-config-firewall</literal>
automated firewall configuration tool is in place on RHEL.
This graphical interface (and a curses-style interface with
<literal>-tui</literal> on the end of the name) enables you
to configure IP tables as a basic firewall. You should disable
it when you work with Neutron unless you are familiar with the
underlying network technologies, as, by default, it blocks
various types of network traffic that are important to
Neutron. To disable it, simple launch the program and clear
the <guilabel>Enabled</guilabel> check box.</para>
<para>After you successfully set up OpenStack with Neutron, you
can re-enable and configure the tool. However, during Neutron
set up, disable the tool to make it easier to debug network
issues.</para>
</warning>
<procedure>
<step>
<para>Install the main Neutron server, Neutron libraries for
Python, and the Neutron command-line interface (CLI):</para>
<screen os="ubuntu;debian"><prompt>#</prompt> <userinput>apt-get install neutron-server</userinput></screen>
<screen os="fedora;rhel;centos"><prompt>#</prompt> <userinput>yum install openstack-neutron python-neutron python-neutronclient</userinput></screen>
<screen os="opensuse;sles"><prompt>#</prompt> <userinput>zypper install openstack-neutron python-neutron python-neutronclient</userinput></screen>
</step>
<step>
<para>Configure the core components of Neutron. Edit the
<filename>/etc/neutron/neutron.conf</filename>
file:</para>
<programlisting language="ini">auth_host = <replaceable>controller</replaceable>
admin_tenant_name = service
admin_user = neutron
admin_password = <replaceable>NEUTRON_PASS</replaceable>
auth_uri = http://<replaceable>controller</replaceable>:5000
auth_url = http://<replaceable>controller</replaceable>:35357/v2.0
auth_strategy = keystone</programlisting>
<programlisting os="rhel;fedora;centos" language="ini">
rpc_backend = neutron.openstack.common.rpc.impl_qpid
qpid_hostname = <replaceable>controller</replaceable>
qpid_port = 5672
qpid_username = guest
qpid_password = guest</programlisting>
<programlisting os="ubuntu;debian;opensuse;sles" language="ini">
rpc_backend = neutron.openstack.common.rpc.impl_kombu
rabbit_host = <replaceable>controller</replaceable>
rabbit_port = 5672
rabbit_password = <replaceable>RABBIT_PASS</replaceable></programlisting>
<programlisting os="ubuntu;debian" language="ini">
# Change the following settings if you're not using the default RabbitMQ configuration
#rabbit_userid = guest</programlisting>
</step>
<step os="rhel;centos;fedora">
<para>Edit the <literal>[agent]</literal> section in the
<filename>/etc/neutron/neutron.conf</filename> file and modify
the <literal>root_helper</literal> key:</para>
<programlisting language="ini">[agent]
...
root_helper = sudo neutron-rootwrap /etc/neutron/rootwrap.conf
</programlisting>
</step>
<step>
<para>Edit the database URL under the
<literal>[database]</literal> section in the above file,
to tell Neutron how to connect to the database:</para>
<programlisting language="ini">[database]
connection = mysql://neutron:<replaceable>NEUTRON_DBPASS</replaceable>@<replaceable>controller</replaceable>/neutron</programlisting>
</step>
<step>
<para>Configure the Neutron copy of the
<filename>api-paste.ini</filename> at
<filename>/etc/neutron/api-paste.ini</filename>
file:</para>
<programlisting language="ini">[filter:authtoken]
paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
admin_tenant_name = service
admin_user = neutron
admin_password = <replaceable>NEUTRON_PASS</replaceable></programlisting>
</step>
<step>
<para>Configure the plug-in that is configured on the network
node on this node also.</para>
<para>Although this node does not run any agents that provide
underlying functionality, the <systemitem class="service"
>neutron-server</systemitem> service must know which
plug-in is running because it interfaces with the plug-in.</para>
</step>
<step>
<para>Tell Nova about Neutron. Specifically, you must tell
Nova that Neutron handles networking and the firewall. Edit
the <filename>/etc/nova/nova.conf</filename> file:</para>
<programlisting language="ini">network_api_class=nova.network.neutronv2.api.API
neutron_url=http://<replaceable>controller</replaceable>:9696
neutron_auth_strategy=keystone
neutron_admin_tenant_name=service
neutron_admin_username=neutron
neutron_admin_password=<replaceable>NEUTRON_PASS</replaceable>
neutron_admin_auth_url=http://<replaceable>controller</replaceable>:35357/v2.0
linuxnet_interface_driver = nova.network.linux_net.LinuxOVSInterfaceDriver
firewall_driver=nova.virt.firewall.NoopFirewallDriver
security_group_api=neutron</programlisting>
<note>
<para>Regardless of which firewall driver you chose when you
configured the network and compute nodes, set this driver
as the No-Op firewall. This firewall is a
<emphasis>Nova</emphasis> firewall, and because Neutron
handles the Firewall, you must tell Nova not to use
one.</para>
<para>When Networking handles the firewall, the option
<code>firewall_driver</code> should be set according to
the specified plug-in. For example with
<acronym>OVS</acronym>, edit the
<filename>/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini</filename>
file:</para>
<programlisting language="ini">[securitygroup]
# Firewall driver for realizing neutron security group function.
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver</programlisting>
<para>If you do not want to use a firewall in Compute or
Networking, set
<code>firewall_driver=nova.virt.firewall.NoopFirewallDriver</code>
in both config files, and comment out or remove
<code>security_group_api=neutron</code> in the
<filename>/etc/nova/nova.conf</filename> file, otherwise
you may encounter <errortext>ERROR: The server has either
erred or is incapable of performing the requested
operation. (HTTP 500)</errortext> when issuing
<command>nova list</command> commands.</para>
</note>
</step>
<step os="rhel;centos;fedora">
<para>The <systemitem class="service">neutron-server</systemitem>
initialization script expects a symbolic link
<filename>/etc/neutron/plugin.ini</filename> pointing to the
configuration file associated with your chosen plug-in. Using
Open vSwitch, for example, the symbolic link must point to
<filename>/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini</filename>.
If this symbolic link does not exist, create it using the
following commands:</para>
<screen><prompt>#</prompt> <userinput>cd /etc/neutron</userinput>
<prompt>#</prompt> <userinput>ln -s plugins/openvswitch/ovs_neutron_plugin.ini plugin.ini</userinput></screen>
</step>
<step os="sles;opensuse">
<para>The <systemitem class="service">openstack-neutron</systemitem>
initialization script expects the variable
<literal>NEUTRON_PLUGIN_CONF</literal> in file
<filename>/etc/sysconfig/neutron</filename> to reference the
configuration file associated with your chosen plug-in. Using
Open vSwitch, for example, edit the
<filename>/etc/sysconfig/neutron</filename> file and add the
following:</para>
<programlisting>NEUTRON_PLUGIN_CONF="/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini"</programlisting>
</step>
<step os="fedora;rhel;centos;opensuse;sles">
<para>Start neutron-server and set it to start at boot:</para>
<screen><prompt>#</prompt> <userinput>service neutron-server start</userinput>
<prompt>#</prompt> <userinput>chkconfig neutron-server on</userinput></screen>
</step>
<step os="ubuntu;debian">
<para>Restart neutron-server:</para>
<screen><prompt>#</prompt> <userinput>service neutron-server restart</userinput></screen>
</step>
</procedure>
<section xml:id="install-neutron.install-plug-in-controller">
<title>Install and configure the Neutron plug-ins on a dedicated
controller node</title>
<section xml:id="install-neutron.install-plug-in-controller.ovs">
<title>Install the Open vSwitch (OVS) plug-in on a dedicated
controller node</title>
<procedure>
<step>
<para>Install the Open vSwitch plug-in:</para>
<screen os="ubuntu;debian"><prompt>#</prompt> <userinput>apt-get install neutron-plugin-openvswitch-agent</userinput></screen>
<screen os="rhel;fedora;centos"><prompt>#</prompt> <userinput>yum install openstack-neutron-openvswitch</userinput></screen>
<screen os="opensuse;sles"><prompt>#</prompt> <userinput>zypper install openstack-neutron-openvswitch-agent</userinput></screen>
</step>
<step>
<para>You must set some common configuration options no
matter which networking technology you choose to use
with Open vSwitch. You must configure Networking core to
use <acronym>OVS</acronym>. Edit the
<filename>/etc/neutron/neutron.conf</filename>
file:</para>
<programlisting language="ini">core_plugin = neutron.plugins.openvswitch.ovs_neutron_plugin.OVSNeutronPluginV2</programlisting>
</step>
<step>
<para>Configure the <acronym>OVS</acronym> plug-in for the
networking type that you chose when you configured the
network node: <link
linkend="install-neutron.install-plug-in-controller.ovs.gre"
>GRE tunneling</link> or <link
linkend="install-neutron.install-plug-in-controller.ovs.vlan"
>VLANs</link>.</para>
<!-- TODO(sross): support provider networks? you need to modify things above for this to work -->
<note>
<para>The dedicated controller node does not need to run
Open vSwitch or the Open vSwitch agent.</para>
</note>
</step>
<step>
<para>Now, return to the general <acronym>OVS</acronym>
instructions.</para>
</step>
</procedure>
<section
xml:id="install-neutron.install-plug-in-controller.ovs.gre">
<title>Configure the Neutron <acronym>OVS</acronym> plug-in
for GRE tunneling on a dedicated controller node</title>
<procedure>
<step>
<para>Tell the <acronym>OVS</acronym> plug-in to use GRE
tunneling. Edit the
<filename>/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini</filename>
file:</para>
<programlisting language="ini">[ovs]
tenant_network_type = gre
tunnel_id_ranges = 1:1000
enable_tunneling = True</programlisting>
</step>
<step>
<para>Return to the general <acronym>OVS</acronym>
instructions.</para>
</step>
</procedure>
</section>
<section
xml:id="install-neutron.install-plug-in-controller.ovs.vlan">
<title>Configure the Neutron <acronym>OVS</acronym> plug-in
for VLANs on a dedicated controller node</title>
<procedure>
<step>
<para>Tell <acronym>OVS</acronym> to use VLANS. Edit the
<filename>/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini</filename>
file, as follows:</para>
<programlisting language="ini">[ovs]
tenant_network_type = vlan
network_vlan_ranges = physnet1:1:4094</programlisting>
</step>
<step>
<para>Return to the general <acronym>OVS</acronym>
instructions.</para>
</step>
</procedure>
</section>
</section>
</section>
</section>
<section xml:id="install-neutron.configure-networks">
<title>Create the base Neutron networks</title>
<note>
<para>In these sections, replace
<replaceable>SPECIAL_OPTIONS</replaceable> with any options
specific to your Networking plug-in choices. See <link
linkend="install-neutron.configure-networks.plug-in-specific"
>here</link> to check if your plug-in requires any special
options.</para>
</note>
<procedure>
<step>
<para>Create the <literal>ext-net</literal> external network.
This network represents a slice of the outside world. VMs
are not directly linked to this network; instead, they
connect to internal networks. Outgoing traffic is routed by
Neutron to the external network. Additionally, floating IP
addresses from the subnet for <literal>ext-net</literal>
might be assigned to VMs so that the external network can
contact them. Neutron routes the traffic
appropriately.</para>
<screen><prompt>#</prompt> <userinput>neutron net-create ext-net -- --router:external=True <replaceable>SPECIAL_OPTIONS</replaceable></userinput></screen>
</step>
<step>
<para>Create the associated subnet with the same gateway and
CIDR as <replaceable>EXTERNAL_INTERFACE</replaceable>. It
does not have DHCP because it represents a slice of the
external world:</para>
<screen><prompt>#</prompt> <userinput>neutron subnet-create ext-net \
--allocation-pool start=<replaceable>FLOATING_IP_START</replaceable>,end=<replaceable>FLOATING_IP_END</replaceable> \
--gateway=<replaceable>EXTERNAL_INTERFACE_GATEWAY</replaceable> --enable_dhcp=False \
<replaceable>EXTERNAL_INTERFACE_CIDR</replaceable></userinput></screen>
</step>
<step>
<para>Create one or more initial tenants, for example:</para>
<screen><prompt>#</prompt> <userinput>keystone tenant-create --name <replaceable>DEMO_TENANT</replaceable></userinput></screen>
<para os="rhel;centos;fedora;opensuse;sles;ubuntu"> See <xref
linkend="keystone-users"/> for further details.</para>
<para os="debian"> See <xref linkend="keystone-install"/> for
further details.</para>
</step>
<step>
<para>Create the router attached to the external network. This
router routes traffic to the internal subnets as
appropriate. You can create it under a given tenant: Append
<literal>--tenant-id</literal> option with a value of
<replaceable>DEMO_TENANT_ID</replaceable> to the
command.</para>
<para>Use the following to quickly get the
<replaceable>DEMO_TENANT</replaceable> tenant-id:</para>
<screen><prompt>#</prompt> <userinput>keystone tenant-list | grep <replaceable>DEMO_TENANT</replaceable> | awk '{print $2;}'</userinput></screen>
<para>Then create the router:</para>
<screen><prompt>#</prompt> <userinput>neutron router-create ext-to-int --tenant-id <replaceable>DEMO_TENANT_ID</replaceable></userinput></screen>
</step>
<step>
<para>Connect the router to <literal>ext-net</literal> by
setting the gateway for the router as
<literal>ext-net</literal>:</para>
<screen><prompt>#</prompt> <userinput>neutron router-gateway-set <replaceable>EXT_TO_INT_ID</replaceable> <replaceable>EXT_NET_ID</replaceable></userinput></screen>
</step>
<step>
<para>Create an internal network for
<replaceable>DEMO_TENANT</replaceable> (and associated
subnet over an arbitrary internal IP range, such as,
<literal>10.5.5.0/24</literal>), and connect it to the
router by setting it as a port:</para>
<screen><prompt>#</prompt> <userinput>neutron net-create --tenant-id <replaceable>DEMO_TENANT_ID</replaceable> demo-net <replaceable>SPECIAL_OPTIONS</replaceable></userinput>
<prompt>#</prompt> <userinput>neutron subnet-create --tenant-id <replaceable>DEMO_TENANT_ID</replaceable> demo-net 10.5.5.0/24 --gateway 10.5.5.1</userinput>
<prompt>#</prompt> <userinput>neutron router-interface-add <replaceable>EXT_TO_INT_ID</replaceable> <replaceable>DEMO_NET_SUBNET_ID</replaceable></userinput></screen>
</step>
<step>
<para>Check the special options page for your plug-in for
remaining steps. Now, return to the general
<acronym>OVS</acronym> instructions.</para>
</step>
</procedure>
<section
xml:id="install-neutron.configure-networks.plug-in-specific">
<title>Plug-in-specific Neutron network options</title>
<section
xml:id="install-neutron.configure-networks.plug-in-specific.ovs">
<title>Open vSwitch Network configuration options</title>
<section
xml:id="install-neutron.configure-networks.plug-in-specific.ovs.gre">
<title>GRE tunneling network options</title>
<note>
<para>While this guide currently enables network
namespaces by default, you can disable them if you have
issues or your kernel does not support them. If you
disabled namespaces, you must perform some additional
configuration for the L3 agent.</para>
<para>After you create all the networks, tell the L3 agent
what the external network ID is, as well as the ID of
the router associated with this machine (because you are
not using namespaces, there can be only one router for
each machine). To do this, edit the
<filename>/etc/neutron/l3_agent.ini</filename>
file:</para>
<programlisting language="ini">gateway_external_network_id = <replaceable>EXT_NET_ID</replaceable>
router_id = <replaceable>EXT_TO_INT_ID</replaceable></programlisting>
<para>Then, restart the L3 agent:</para>
<screen><prompt>#</prompt> <userinput>service neutron-l3-agent restart</userinput></screen>
</note>
<para>When creating networks, you should use the
options:</para>
<screen><userinput>--provider:network_type gre --provider:segmentation_id SEG_ID</userinput></screen>
<para><replaceable>SEG_ID</replaceable> should be
<literal>2</literal> for the external network, and just
any unique number inside the tunnel range specified before
for any other network.</para>
<note>
<para>These options are not needed beyond the first
network, as Neutron automatically increments the
segmentation id and copy the network type option for any
additional networks.</para>
</note>
<para>Now, return to the general <acronym>OVS</acronym>
instructions.</para>
</section>
<section
xml:id="install-neutron.configure-networks.plug-in-specific.ovs.vlan">
<title>VLAN network options</title>
<para>When creating networks, use these options:</para>
<screen><userinput>--provider:network_type vlan --provider:physical_network physnet1 --provider:segmentation_id SEG_ID</userinput> </screen>
<para><replaceable>SEG_ID</replaceable> should be
<literal>2</literal> for the external network, and just
any unique number inside the vlan range specified above
for any other network.</para>
<note>
<para>These options are not needed beyond the first
network, as Neutron automatically increments the
segmentation ID and copies the network type and physical
network options for any additional networks. They are
only needed if you wish to modify those values in any
way.</para>
</note>
<warning>
<para>Some NICs have Linux drivers that do not handle
VLANs properly. See the
<literal>ovs-vlan-bug-workaround</literal> and
<literal>ovs-vlan-test</literal> man pages for more
information. Additionally, you might try turning off
<literal>rx-vlan-offload</literal> and
<literal>tx-vlan-offload</literal> by using
<literal>ethtool</literal> on the
<replaceable>DATA_INTERFACE</replaceable>. Another
potential caveat to VLAN functionality is that VLAN tags
add an additional 4 bytes to the packet size. If your
NICs cannot handle large packets, make sure to set the
MTU to a value that is 4 bytes less than the normal
value on the
<replaceable>DATA_INTERFACE</replaceable>.</para>
<para>If you run OpenStack inside a virtualized
environment (for testing purposes), switching to the
<literal>virtio</literal> NIC type (or a similar
technology if you are not using KVM/QEMU to run your
host VMs) might solve the issue.</para>
</warning>
</section>
</section>
</section>
</section>
</section>