openstack-manuals/doc/install-guide/section_neutron-provider-router-with-private_networks.xml
sukhdev 280ae5b74e Add neutron ML2 plugin info to instalation guid
fixes bug: 1230276

Change-Id: I57bb01d491a847fbe2de96c43053d5bf11065954
2013-11-04 08:48:28 -06:00

585 lines
32 KiB
XML

<?xml version="1.0" encoding="UTF-8"?>
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
xml:id="section_networking-provider-router_with-provate-networks">
<title>Provider router with private networks</title>
<para>This section describes how to install the OpenStack Networking service and its components
for a single router use case: a provider router with private networks.</para>
<para>The following figure shows the setup:</para>
<note>
<para>Because you run the DHCP agent and L3 agent on one node, you must set
<literal>use_namespaces</literal> to <literal>True</literal> (which is the default)
in both agents' configuration files.</para>
</note>
<informalfigure>
<mediaobject>
<imageobject>
<imagedata
fileref="../common/figures/Neutron-PhysNet-Diagram.png"
contentwidth="6in"/>
</imageobject>
</mediaobject>
</informalfigure>
<para>The following nodes are in the setup:<table rules="all">
<caption>Nodes for use case</caption>
<thead>
<tr>
<th>Node</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><para>Controller</para></td>
<td><para>Runs the OpenStack Networking service,
OpenStack Identity and all of the
OpenStack Compute services that are
required to deploy a VM.</para>
<para>The service must have at least two
network interfaces. The first should be
connected to the "Management Network" to
communicate with the compute and network
nodes. The second interface should be
connected to the API/public
network.</para></td>
</tr>
<tr>
<td><para>Compute</para></td>
<td><para>Runs OpenStack Compute and the OpenStack
Networking L2 agent.</para>
<para>This node will not have access the
public network.</para>
<para>The node must have at least two network
interfaces. The first is used to
communicate with the controller node,
through the management network. The VM
will receive its IP address from the DHCP
agent on this network.</para></td>
</tr>
<tr>
<td><para>Network</para></td>
<td><para>Runs OpenStack Networking L2 agent, DHCP
agent, and L3 agent.</para>
<para>This node will have access to the public
network. The DHCP agent will allocate IP
addresses to the VMs on the network. The
L3 agent will perform NAT and enable the
VMs to access the public network.</para>
<para>The node must have at least three
network interfaces. The first communicates
with the controller node through the
management network. The second interface
is used for the VM traffic and is on the
data network. The third interface connects
to the external gateway on the network.
</para></td>
</tr>
</tbody>
</table></para>
<section xml:id="demo_installions">
<title>Install</title>
<section xml:id="controller-install-neutron-server">
<title>Controller</title>
<procedure>
<title>To install and configure the controller
node</title>
<step>
<para>Run the following command:</para>
<screen os="ubuntu;debian"><prompt>#</prompt> <userinput>apt-get install neutron-server</userinput></screen>
<screen os="rhel;centos;fedora"><prompt>#</prompt> <userinput>yum install openstack-neutron</userinput></screen>
<screen os="opensuse"><prompt>#</prompt> <userinput>zypper install openstack-neutron</userinput></screen>
</step>
<step>
<para>Configure Neutron services:</para>
<itemizedlist>
<listitem>
<para>Edit file <filename>/etc/neutron/neutron.conf</filename>
and modify:
<programlisting language="ini">core_plugin = neutron.plugins.ml2.plugin.Ml2Plugin
auth_strategy = keystone
fake_rabbit = False
rabbit_password = guest</programlisting>
</para>
</listitem>
<listitem>
<para>Edit file <filename>
/etc/neutron/plugins/ml2/ml2_conf.ini</filename>
and modify:</para>
<programlisting language="ini">[database]
connection = mysql://neutron:<replaceable>NEUTRON_DBPASS</replaceable>@localhost:3306/neutron
[ml2]
tenant_network_type = vlan
[ml2_type_vlan]
network_vlan_ranges = physnet1:100:2999</programlisting>
</listitem>
<listitem>
<para>Edit file <filename>
/etc/neutron/api-paste.ini</filename>
and modify:</para>
<programlisting language="ini">admin_tenant_name = service
admin_user = neutron
admin_password = <replaceable>NEUTRON_PASS</replaceable></programlisting>
</listitem>
</itemizedlist>
</step>
<step>
<para>Start the services:</para>
<screen><prompt>#</prompt> <userinput>service neutron-server restart</userinput></screen>
</step>
</procedure>
</section>
<section
xml:id="network-node-install-plugin-openvswitch-agent">
<title>Network node</title>
<procedure>
<title>To install and configure the network
node</title>
<step>
<para>Install the packages:</para>
<!-- FIXME openSUSE instructions -->
<screen os="debian;ubuntu"><prompt>#</prompt> <userinput>apt-get install neutron-plugin-openvswitch-agent \
neutron-dhcp-agent neutron-l3-agent</userinput></screen>
<screen os="rhel;centos;fedora"><prompt>#</prompt> <userinput>yum install openstack-neutron-openvswitch \
openstack-neutron</userinput></screen>
</step>
<step>
<para>Start Open vSwitch:</para>
<screen os="debian;ubuntu"><prompt>#</prompt> <userinput>service openvswitch-switch start</userinput></screen>
<screen os="rhel;centos;fedora"><prompt>#</prompt> <userinput>service openvswitch start</userinput>
<prompt>#</prompt> <userinput>chkconfig openvswitch on</userinput></screen>
</step>
<step>
<para>Add the integration bridge to the Open
vSwitch:</para>
<screen><prompt>#</prompt> <userinput>ovs-vsctl add-br br-int</userinput></screen>
</step>
<step>
<para>Update the OpenStack Networking
configuration file, <filename>
/etc/neutron/neutron.conf</filename>:</para>
<programlisting language="ini" os="debian;ubuntu">rabbit_password = guest
rabbit_host = controller</programlisting>
<screen os="rhel;centos;fedora"><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf \</userinput>
<userinput>DEFAULT qpid_hostname controller</userinput></screen>
</step>
<step>
<para>Update the plug-in configuration file,
<filename>
/etc/neutron/plugins/ml2/ml2_conf.ini
</filename>:</para>
<programlisting language="ini">[database]
connection = mysql://neutron:<replaceable>NEUTRON_DBPASS</replaceable>@controller:3306/neutron
[ml2]
tenant_network_type=vlan
[ml2_type_vlan]
network_vlan_ranges = physnet1:1:4094
[ovs]
bridge_mappings = physnet1:br-eth1</programlisting>
</step>
<step>
<para>Create the network bridge <emphasis
role="bold">br-eth1</emphasis> (All VM
communication between the nodes occurs through
eth1):</para>
<screen><prompt>#</prompt> <userinput>ovs-vsctl add-br br-eth1</userinput>
<prompt>#</prompt> <userinput>ovs-vsctl add-port br-eth1 eth1</userinput></screen>
</step>
<step>
<para>Create the external network bridge to the
Open vSwitch:</para>
<screen><prompt>#</prompt> <userinput>ovs-vsctl add-br br-ex</userinput>
<prompt>#</prompt> <userinput>ovs-vsctl add-port br-ex eth2</userinput></screen>
</step>
<step>
<para>Edit the file <filename>
/etc/neutron/l3_agent.ini</filename>
and modify:</para>
<programlisting language="ini">[DEFAULT]
auth_url = http://controller:35357/v2.0
admin_tenant_name = service
admin_user = neutron
admin_password = <replaceable>NEUTRON_PASS</replaceable>
metadata_ip = controller
use_namespaces = True</programlisting>
</step>
<step>
<para>Edit the file <filename>
/etc/neutron/api-paste.ini</filename>
and modify:</para>
<programlisting language="ini">[DEFAULT]
auth_host = controller
admin_tenant_name = service
admin_user = neutron
admin_password = <replaceable>NEUTRON_PASS</replaceable></programlisting>
</step>
<step>
<para>Edit the file <filename>
/etc/neutron/dhcp_agent.ini</filename>
and modify:</para>
<programlisting language="ini">use_namespaces = True</programlisting>
</step>
<step os="debian;ubuntu">
<para>Restart networking services:</para>
<screen><prompt>#</prompt> <userinput>service neutron-plugin-openvswitch-agent start</userinput>
<prompt>#</prompt> <userinput>service neutron-dhcp-agent restart</userinput>
<prompt>#</prompt> <userinput>service neutron-l3-agent restart</userinput></screen>
</step>
<step os="rhel;centos;fedora">
<para>Start and permanently enable networking services:</para>
<screen><prompt>#</prompt> <userinput>service neutron-openvswitch-agent start</userinput>
<prompt>#</prompt> <userinput>service neutron-dhcp-agent start</userinput>
<prompt>#</prompt> <userinput>service neutron-l3-agent start</userinput>
<prompt>#</prompt> <userinput>chkconfig neutron-openvswitch-agent on</userinput>
<prompt>#</prompt> <userinput>chkconfig neutron-dhcp-agent on</userinput>
<prompt>#</prompt> <userinput>chkconfig neutron-l3-agent on</userinput></screen>
</step>
<step os="rhel;centos;fedora">
<!-- FIXME: Required on Debian/Ubuntu/openSUSE? -->
<para>
Enable the <systemitem class="service">neutron-ovs-cleanup</systemitem>
service. This service starts on boot and ensures that
Neutron has full control over the creation and management
of <literal>tap</literal> devices.
</para>
<screen><prompt>#</prompt> <userinput>chkconfig neutron-ovs-cleanup on</userinput></screen>
</step>
</procedure>
</section>
<section xml:id="compute-node-install-openvswitch">
<title>Compute Node</title>
<procedure>
<title>To install and configure the compute node</title>
<step>
<!-- FIXME openSUSE, Fedora instructions -->
<para>Install the
packages:<screen><prompt>#</prompt> <userinput>apt-get install openvswitch-switch neutron-plugin-openvswitch-agent</userinput></screen></para>
</step>
<step>
<para>Start the OpenvSwitch
service:<screen><prompt>#</prompt> <userinput>service openvswitch-switch start</userinput></screen></para>
</step>
<step>
<para>Create the integration
bridge:<screen><prompt>#</prompt> <userinput>ovs-vsctl add-br br-int</userinput></screen></para>
</step>
<step>
<para>Create the network bridge <emphasis
role="bold">br-eth1</emphasis> (All VM
communication between the nodes occurs through
eth1):</para>
<screen><prompt>#</prompt> <userinput>ovs-vsctl add-br br-eth1</userinput>
<prompt>#</prompt> <userinput>ovs-vsctl add-port br-eth1 eth1</userinput></screen>
</step>
<step>
<para>Update the OpenStack Networking
configuration file <filename>
/etc/neutron/neutron.conf</filename>:</para>
<programlisting language="ini">rabbit_password = guest
rabbit_host = controller</programlisting>
</step>
<step>
<para>Update the file <filename>
/etc/neutron/plugins/ml2/ml2_conf.ini</filename>:</para>
<programlisting language="ini">[database]
connection = mysql://neutron:<replaceable>NEUTRON_DBPASS</replaceable>@controller:3306/neutron
[ml2]
tenant_network_type = vlan
[ml2_type_vlan]
network_vlan_ranges = physnet1:1:4094
[ovs]
bridge_mappings = physnet1:br-eth1</programlisting>
</step>
<step>
<para>Restart the OpenvSwitch Neutron plug-in agent:</para>
<screen><prompt>#</prompt> <userinput>service neutron-plugin-openvswitch-agent restart</userinput></screen>
</step>
</procedure>
</section>
</section>
<section xml:id="demo_logical_network_config">
<title>Logical Network Configuration</title>
<para>You can run the commands in the following procedures on
the network node.</para>
<note>
<para>Ensure that the following environment variables are
set. Various clients use these variables to access
OpenStack Identity.</para>
</note>
<para><itemizedlist>
<listitem>
<para>Create a <filename>novarc</filename> file:
<programlisting language="bash">export OS_TENANT_NAME=provider_tenant
export OS_USERNAME=admin
export OS_PASSWORD=password
export OS_AUTH_URL="http://controller:5000/v2.0/"
export SERVICE_ENDPOINT="http://controller:35357/v2.0"
export SERVICE_TOKEN=password</programlisting></para>
</listitem>
</itemizedlist>
</para>
<itemizedlist>
<listitem>
<para>Export the
variables:<screen><prompt>#</prompt> <userinput>source novarc echo "source novarc">>.bashrc</userinput></screen>
</para>
</listitem>
</itemizedlist>
<para>The admin user creates a network and subnet on behalf of
tenant_A. A user from tenant_A can also complete these
steps. <procedure>
<title>To configure internal networking</title>
<step>
<para>Get the tenant ID (Used as $TENANT_ID
later).</para>
<screen><prompt>#</prompt> <userinput>keystone tenant-list</userinput>
<computeroutput>+----------------------------------+--------------------+---------+
| id | name | enabled |
+----------------------------------+--------------------+---------+
| 48fb81ab2f6b409bafac8961a594980f | provider_tenant | True |
| cbb574ac1e654a0a992bfc0554237abf | service | True |
| e371436fe2854ed89cca6c33ae7a83cd | invisible_to_admin | True |
| e40fa60181524f9f9ee7aa1038748f08 | tenant_A | True |
+----------------------------------+--------------------+---------+</computeroutput></screen>
</step>
<step>
<para>Create an internal network named <emphasis
role="bold">net1</emphasis> for tenant_A
($TENANT_ID will be
e40fa60181524f9f9ee7aa1038748f08):</para>
<screen><prompt>#</prompt> <userinput>neutron net-create --tenant-id $TENANT_ID net1</userinput>
<computeroutput>+---------------------------+--------------------------------------+
| Field | Value |
+---------------------------+--------------------------------------+
| admin_state_up | True |
| id | e99a361c-0af8-4163-9feb-8554d4c37e4f |
| name | net1 |
| provider:network_type | vlan |
| provider:physical_network | physnet1 |
| provider:segmentation_id | 1024 |
| router:external | False |
| shared | False |
| status | ACTIVE |
| subnets | |
| tenant_id | e40fa60181524f9f9ee7aa1038748f08 |
+---------------------------+--------------------------------------+</computeroutput></screen>
</step>
<step>
<para>Create a subnet on the network <emphasis
role="bold">net1</emphasis> (ID field
below is used as $SUBNET_ID later):</para>
<screen><prompt>#</prompt> <userinput>neutron subnet-create --tenant-id $TENANT_ID net1 10.5.5.0/24</userinput>
<computeroutput>+------------------+--------------------------------------------+
| Field | Value |
+------------------+--------------------------------------------+
| allocation_pools | {"start": "10.5.5.2", "end": "10.5.5.254"} |
| cidr | 10.5.5.0/24 |
| dns_nameservers | |
| enable_dhcp | True |
| gateway_ip | 10.5.5.1 |
| host_routes | |
| id | c395cb5d-ba03-41ee-8a12-7e792d51a167 |
| ip_version | 4 |
| name | |
| network_id | e99a361c-0af8-4163-9feb-8554d4c37e4f |
| tenant_id | e40fa60181524f9f9ee7aa1038748f08 |
+------------------+--------------------------------------------+</computeroutput></screen>
</step>
</procedure></para>
<para>A user with the admin role must complete the following
steps. In this procedure, the user is admin from provider_tenant.<procedure>
<title>To configure the router and external
networking</title>
<step>
<para>Create a router named <emphasis role="bold"
>router1</emphasis> (ID is used as
$ROUTER_ID later):</para>
<screen><prompt>#</prompt> <userinput>neutron router-create router1</userinput>
<computeroutput>+-----------------------+--------------------------------------+
| Field | Value |
+-----------------------+--------------------------------------+
| admin_state_up | True |
| external_gateway_info | |
| id | 685f64e7-a020-4fdf-a8ad-e41194ae124b |
| name | router1 |
| status | ACTIVE |
| tenant_id | 48fb81ab2f6b409bafac8961a594980f |
+-----------------------+--------------------------------------+</computeroutput></screen>
<note>
<para>The <parameter>--tenant-id</parameter>
parameter is not specified, so this router
is assigned to the provider_tenant
tenant.</para>
</note>
</step>
<step>
<para>Add an interface to <emphasis role="bold"
>router1</emphasis> and attach it to the
subnet from <emphasis role="bold"
>net1</emphasis>:</para>
<screen><prompt>#</prompt> <userinput>neutron router-interface-add $ROUTER_ID $SUBNET_ID</userinput>
<computeroutput>Added interface to router 685f64e7-a020-4fdf-a8ad-e41194ae124b</computeroutput></screen>
<note>
<para>You can repeat this step to add more
interfaces for other networks that belong
to other tenants.</para>
</note>
</step>
<step>
<para>Create the external network named <emphasis
role="bold">ext_net</emphasis>:</para>
<screen><prompt>#</prompt> <userinput>neutron net-create ext_net --router:external=True</userinput>
<computeroutput>+---------------------------+--------------------------------------+
| Field | Value |
+---------------------------+--------------------------------------+
| admin_state_up | True |
| id | 8858732b-0400-41f6-8e5c-25590e67ffeb |
| name | ext_net |
| provider:network_type | vlan |
| provider:physical_network | physnet1 |
| provider:segmentation_id | 1 |
| router:external | True |
| shared | False |
| status | ACTIVE |
| subnets | |
| tenant_id | 48fb81ab2f6b409bafac8961a594980f |
+---------------------------+--------------------------------------+</computeroutput></screen>
</step>
<step>
<para>Create the subnet for floating IPs.</para>
<note>
<para>The DHCP service is disabled for this
subnet.</para>
</note>
<screen><prompt>#</prompt> <userinput>neutron subnet-create ext_net \
--allocation-pool start=7.7.7.130,end=7.7.7.150 \
--gateway 7.7.7.1 7.7.7.0/24 --disable-dhcp</userinput>
<computeroutput>+------------------+--------------------------------------------------+
| Field | Value |
+------------------+--------------------------------------------------+
| allocation_pools | {"start": "7.7.7.130", "end": "7.7.7.150"} |
| cidr | 7.7.7.0/24 |
| dns_nameservers | |
| enable_dhcp | False |
| gateway_ip | 7.7.7.1 |
| host_routes | |
| id | aef60b55-cbff-405d-a81d-406283ac6cff |
| ip_version | 4 |
| name | |
| network_id | 8858732b-0400-41f6-8e5c-25590e67ffeb |
| tenant_id | 48fb81ab2f6b409bafac8961a594980f |
+------------------+--------------------------------------------------+</computeroutput></screen>
</step>
<step>
<para>Set the router's gateway to be the external
network:</para>
<screen><prompt>#</prompt> <userinput>neutron router-gateway-set $ROUTER_ID $EXTERNAL_NETWORK_ID</userinput>
<computeroutput>Set gateway for router 685f64e7-a020-4fdf-a8ad-e41194ae124b</computeroutput></screen>
</step>
</procedure></para>
<para>A user from tenant_A completes the following steps, so
the credentials in the environment variables are different
than those in the previous procedure. <procedure>
<title>To allocate floating IP addresses</title>
<step>
<para>A floating IP address can be associated with
a VM after it starts. The ID of the port
($PORT_ID) that was allocated for the VM is
required and can be found as follows:</para>
<screen><prompt>#</prompt> <userinput>nova list</userinput>
<computeroutput>+--------------------------------------+--------+--------+---------------+
| ID | Name | Status | Networks |
+--------------------------------------+--------+--------+---------------+
| 1cdc671d-a296-4476-9a75-f9ca1d92fd26 | testvm | ACTIVE | net1=10.5.5.3 |
+--------------------------------------+--------+--------+---------------+
</computeroutput>
<userinput>neutron port-list -- --device_id 1cdc671d-a296-4476-9a75-f9ca1d92fd26</userinput>
<computeroutput>+--------------------------------------+------+-------------------+---------------------------------------------------------------------------------+
| id | name | mac_address | fixed_ips |
+--------------------------------------+------+-------------------+---------------------------------------------------------------------------------+
| 9aa47099-b87b-488c-8c1d-32f993626a30 | | fa:16:3e:b4:d6:6c | {"subnet_id": "c395cb5d-ba03-41ee-8a12-7e792d51a167", "ip_address": "10.5.5.3"} |
+--------------------------------------+------+-------------------+---------------------------------------------------------------------------------+</computeroutput></screen>
</step>
<step>
<para>Allocate a floating IP (Used as
$FLOATING_ID):</para>
<screen><prompt>#</prompt> <userinput>neutron floatingip-create ext_net</userinput>
<computeroutput>+---------------------+--------------------------------------+
| Field | Value |
+---------------------+--------------------------------------+
| fixed_ip_address | |
| floating_ip_address | 7.7.7.131 |
| floating_network_id | 8858732b-0400-41f6-8e5c-25590e67ffeb |
| id | 40952c83-2541-4d0c-b58e-812c835079a5 |
| port_id | |
| router_id | |
| tenant_id | e40fa60181524f9f9ee7aa1038748f08 |
+---------------------+--------------------------------------+</computeroutput></screen>
</step>
<step>
<para>Associate the floating IP with the VM's
port:</para>
<screen><prompt>#</prompt> <userinput>neutron floatingip-associate $FLOATING_ID $PORT_ID</userinput>
<computeroutput>Associated floatingip 40952c83-2541-4d0c-b58e-812c835079a5</computeroutput></screen>
</step>
<step>
<para>Show the floating IP:</para>
<screen><prompt>#</prompt> <userinput>neutron floatingip-show $FLOATING_ID</userinput>
<computeroutput>+---------------------+--------------------------------------+
| Field | Value |
+---------------------+--------------------------------------+
| fixed_ip_address | 10.5.5.3 |
| floating_ip_address | 7.7.7.131 |
| floating_network_id | 8858732b-0400-41f6-8e5c-25590e67ffeb |
| id | 40952c83-2541-4d0c-b58e-812c835079a5 |
| port_id | 9aa47099-b87b-488c-8c1d-32f993626a30 |
| router_id | 685f64e7-a020-4fdf-a8ad-e41194ae124b |
| tenant_id | e40fa60181524f9f9ee7aa1038748f08 |
+---------------------+--------------------------------------+</computeroutput></screen>
</step>
<step>
<para>Test the floating IP:</para>
<screen><prompt>#</prompt> <userinput>ping 7.7.7.131</userinput>
<computeroutput>PING 7.7.7.131 (7.7.7.131) 56(84) bytes of data.
64 bytes from 7.7.7.131: icmp_req=2 ttl=64 time=0.152 ms
64 bytes from 7.7.7.131: icmp_req=3 ttl=64 time=0.049 ms
</computeroutput></screen>
</step>
</procedure>
</para>
</section>
<section xml:id="section_use-cases-single-router">
<title>Use case: provider router with private networks</title>
<para>This use case provides each tenant with one or more private networks, which connect to
the outside world via an OpenStack Networking router. When each tenant gets exactly one
network, this architecture maps to the same logical topology as the VlanManager in
OpenStack Compute (although of course, OpenStack Networking doesn't require VLANs).
Using the OpenStack Networking API, the tenant can only see a network for each private
network assigned to that tenant. The router object in the API is created and owned by
the cloud administrator.</para>
<para>This model supports giving VMs public addresses using "floating IPs", in which the
router maps public addresses from the external network to fixed IPs on private networks.
Hosts without floating IPs can still create outbound connections to the external
network, because the provider router performs SNAT to the router's external IP. The IP
address of the physical router is used as the <literal>gateway_ip</literal> of the
external network subnet, so the provider has a default router for Internet traffic.</para>
<para>
The router provides L3 connectivity between private networks, meaning
that different tenants can reach each other's instances unless additional
filtering is used (for example, security groups). Because there is only a single
router, tenant networks cannot use overlapping IPs. Thus, it is likely
that the administrator would create the private networks on behalf of the tenants.
</para>
<para>
<mediaobject>
<imageobject>
<imagedata scale="55" fileref="../common/figures/UseCase-SingleRouter.png"/>
</imageobject>
</mediaobject>
<!--Image source link: https://docs.google.com/a/nicira.com/drawings/d/1DKxeZZXml_fNZHRoGPKkC7sGdkPJZCtWytYZqHIp_ZE/edit -->
</para>
</section>
</section>