openstack-manuals/doc/install-guide/section_neutron-ml2-compute-node.xml
Tom Fifield bb6b30c2cb Fix use of securitygroup/firewall_driver
As reported by Boon Lee, various parts of the documentation were referring
to 'security_group' instead of 'securitygroup'. Additionally, the section
was left out of one command to configure the firewall_driver.

http://docs.openstack.org/trunk/config-reference/content/networking-options-securitygroups.html

Change-Id: I148f6a96064bd6fd31f9f6abaf6985881c337aa9
Closes-Bug: 1302945
2014-04-07 20:48:00 +08:00

401 lines
20 KiB
XML

<?xml version="1.0" encoding="UTF-8"?>
<section xml:id="neutron-ml2-compute-node"
xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:svg="http://www.w3.org/2000/svg"
xmlns:html="http://www.w3.org/1999/xhtml" version="5.0">
<title>Configure compute node</title>
<procedure>
<title>Prerequisites</title>
<para>Before you configure Networking, you must enable certain kernel
networking functions.</para>
<step>
<para>Edit <filename>/etc/sysctl.conf</filename> to contain the
following:</para>
<programlisting>net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.default.rp_filter=0</programlisting>
</step>
<step>
<para>Implement the changes:</para>
<screen><prompt>#</prompt> <userinput>sysctl -p</userinput></screen>
</step>
</procedure>
<procedure>
<title>To install the Networking components:</title>
<step>
<screen os="ubuntu;debian"><prompt>#</prompt> <userinput>apt-get install neutron-common neutron-plugin-ml2 neutron-plugin-openvswitch-agent \
openvswitch-datapath-dkms</userinput></screen>
<screen os="rhel;centos;fedora"><prompt>#</prompt> <userinput>yum install openstack-neutron-ml2 openstack-neutron-openvswitch</userinput></screen>
<screen os="sles;opensuse"><prompt>#</prompt> <userinput>zypper install openstack-neutron-openvswitch-agent</userinput></screen>
<note os="ubuntu">
<para>Ubuntu installations using Linux kernel version 3.11 or newer
do not require the <emphasis>openvswitch-datapath-dkms</emphasis>
package.</para>
</note>
<note os="sles;opensuse">
<para>SUSE does not use a separate ML2 plug-in package.</para>
</note>
</step>
</procedure>
<procedure>
<title>To configure the Networking common components:</title>
<para>The Networking common component configuration includes the
authentication mechanism, messaging service, and plug-in.</para>
<step os="debian">
<para>Respond to prompts for
<link linkend="debconf-dbconfig-common">database management</link>,
<link linkend="debconf-keystone_authtoken">Identity service
credentials</link>,
<link linkend="debconf-api-endpoints">service endpoint
registration</link>, and
<link linkend="debconf-rabbitqm">messaging service
credentials</link>.</para>
</step>
<step os="rhel;centos;fedora;sles;opensuse">
<para>Configure Networking to use the Identity service for
authentication:</para>
<para>Replace <replaceable>NEUTRON_PASS</replaceable> with the
password you chose for the <literal>neutron</literal> user
in the Identity service.</para>
<screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
auth_strategy keystone</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
auth_uri http://<replaceable>controller</replaceable>:5000</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
auth_host <replaceable>controller</replaceable></userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
auth_protocol http</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
auth_port 35357</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
admin_tenant_name service</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
admin_user neutron</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
admin_password <replaceable>NEUTRON_PASS</replaceable></userinput></screen>
</step>
<step os="ubuntu">
<para>Configure Networking to use the Identity service for
authentication:</para>
<substeps>
<step>
<para>Edit the <filename>/etc/neutron/neutron.conf</filename>
file and add the following key to the
<literal>[DEFAULT]</literal> section:</para>
<programlisting language="ini">[DEFAULT]
...
auth_strategy = keystone</programlisting>
<para>Add the following keys to the
<literal>[keystone_authtoken]</literal> section:</para>
<para>Replace <replaceable>NEUTRON_PASS</replaceable> with the
password you chose for the <literal>neutron</literal> user
in the Identity service.</para>
<programlisting language="ini">[keystone_authtoken]
...
auth_uri = http://<replaceable>controller</replaceable>:5000
auth_host = <replaceable>controller</replaceable>
auth_protocol = http
auth_port = 35357
admin_tenant_name = service
admin_user = neutron
admin_password = <replaceable>NEUTRON_PASS</replaceable></programlisting>
</step>
</substeps>
</step>
<step os="opensuse;sles">
<para>Configure Networking to use the messaging service:</para>
<para>Replace <replaceable>RABBIT_PASS</replaceable> with the password
you chose for the <literal>guest</literal> account in
<application>RabbitMQ</application>.</para>
<screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
rpc_backend neutron.openstack.common.rpc.impl_kombu</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
rabbit_host <replaceable>controller</replaceable></userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
rabbit_userid guest</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
rabbit_password <replaceable>RABBIT_PASS</replaceable></userinput></screen>
</step>
<step os="rhel;centos;fedora">
<para>Configure Networking to use the messaging service:</para>
<screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
rpc_backend neutron.openstack.common.rpc.impl_qpid</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
qpid_hostname <replaceable>controller</replaceable></userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
qpid_port 5672</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
qpid_username <replaceable>guest</replaceable></userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
qpid_password <replaceable>guest</replaceable></userinput></screen>
</step>
<step os="ubuntu">
<para>Configure Networking to use the messaging service:</para>
<substeps>
<step>
<para>Edit the <filename>/etc/neutron/neutron.conf</filename> file
and add the following keys to the <literal>[DEFAULT]</literal>
section:</para>
<para>Replace <replaceable>RABBIT_PASS</replaceable> with the
password you chose for the <literal>guest</literal> account in
<application>RabbitMQ</application>.</para>
<programlisting language="ini">[DEFAULT]
...
rpc_backend = neutron.openstack.common.rpc.impl_kombu
rabbit_host = <replaceable>controller</replaceable>
rabbit_password = <replaceable>RABBIT_PASS</replaceable></programlisting>
</step>
</substeps>
</step>
<step os="rhel;centos;fedora;sles;opensuse">
<para>Configure Networking to use the Modular Layer 2 (ML2) plug-in
and associated services:</para>
<screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
core_plugin neutron.plugins.ml2.plugin.Ml2Plugin</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
service_plugins neutron.services.l3_router.l3_router_plugin.L3RouterPlugin</userinput></screen>
<warning>
<para>You must comment out any lines in the
<literal>[service_providers]</literal> section.</para>
</warning>
<note>
<para>We recommend adding <literal>verbose = True</literal> to
the <literal>[DEFAULT]</literal> section in
<filename>/etc/neutron/neutron.conf</filename> to assist with
troubleshooting.</para>
</note>
</step>
<step os="ubuntu;debian">
<para>Configure Networking to use the Modular Layer 2 (ML2) plug-in
and associated services:</para>
<substeps>
<step>
<para>Edit the <filename>/etc/neutron/neutron.conf</filename> file
and add the following keys to the <literal>[DEFAULT]</literal>
section:</para>
<programlisting os="ubuntu;debian" language="ini">[DEFAULT]
...
core_plugin = ml2
service_plugins = router
allow_overlapping_ips = True</programlisting>
</step>
</substeps>
<warning>
<para>You must comment out any lines in the
<literal>[service_providers]</literal> section.</para>
</warning>
<note>
<para>We recommend adding <literal>verbose = True</literal> to
the <literal>[DEFAULT]</literal> section in
<filename>/etc/neutron/neutron.conf</filename> to assist with
troubleshooting.</para>
</note>
</step>
</procedure>
<procedure>
<title>To configure the Modular Layer 2 (ML2) plug-in:</title>
<para>The ML2 plug-in uses the Open vSwitch (OVS) mechanism (agent) to
build the virtual networking framework for instances.</para>
<step os="rhel;centos;fedora;sles;opensuse">
<para>Run the following commands:</para>
<para>Replace
<replaceable>INSTANCE_TUNNELS_INTERFACE_IP_ADDRESS</replaceable>
with the IP address of the instance tunnels network interface on
your compute node.</para>
<screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini ml2 \
type_drivers gre</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini ml2 \
tenant_network_types gre</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini ml2 \
mechanism_drivers openvswitch</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini ml2_type_gre \
tunnel_id_ranges 1:1000</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini ovs \
local_ip <replaceable>INSTANCE_TUNNELS_INTERFACE_IP_ADDRESS</replaceable></userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini ovs \
tunnel_type gre</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini ovs \
enable_tunneling True</userinput>
<prompt>#</prompt> <userinput>openstack-config --set/etc/neutron/plugins/ml2/ml2_conf.ini securitygroup \
firewall_driver neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini securitygroup \
enable_security_group True</userinput></screen>
</step>
<step os="ubuntu;debian">
<para>Edit the
<filename>/etc/neutron/plugins/ml2/ml2_conf.ini</filename>
file:</para>
<para>Add the following keys to the <literal>[ml2]</literal>
section:</para>
<programlisting language="ini">[ml2]
...
type_drivers = gre
tenant_network_types = gre
mechanism_drivers = openvswitch</programlisting>
<para>Add the following keys to the
<literal>[ml2_type_gre]</literal> section:</para>
<programlisting language="ini">[ml2_type_gre]
...
tunnel_id_ranges = 1:1000</programlisting>
<para>Add the <literal>[ovs]</literal> section and the following
keys to it:</para>
<para>Replace
<replaceable>INSTANCE_TUNNELS_INTERFACE_IP_ADDRESS</replaceable>
with the IP address of the instance tunnels network interface on
your compute node.</para>
<programlisting language="ini">[ovs]
...
local_ip = <replaceable>INSTANCE_TUNNELS_INTERFACE_IP_ADDRESS</replaceable>
tunnel_type = gre
enable_tunneling = True</programlisting>
<para>Add the <literal>[securitygroup]</literal> section and the
following keys to it:</para>
<programlisting language="ini">[securitygroup]
...
firewall_driver=neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver</programlisting>
<para>Add the following key to the
<literal>[securitygroup]</literal> section:</para>
<programlisting language="ini">[securitygroup]
...
enable_security_group = True</programlisting>
</step>
</procedure>
<procedure>
<title>To configure the Open vSwitch (OVS) service:</title>
<para>The OVS service provides the underlying virtual networking framework
for instances. The integration bridge <literal>br-int</literal> handles
internal instance network traffic within OVS.</para>
<step os="rhel;centos;fedora">
<para>Start the OVS service and configure it to start when the system
boots:</para>
<screen><prompt>#</prompt> <userinput>service openvswitch start</userinput>
<prompt>#</prompt> <userinput>chkconfig openvswitch on</userinput></screen>
</step>
<step os="sles;opensuse">
<para>Start the OVS service and configure it to start when the system
boots:</para>
<screen><prompt>#</prompt> <userinput>service openvswitch-switch start</userinput>
<prompt>#</prompt> <userinput>chkconfig openvswitch-switch on</userinput></screen>
</step>
<step os="ubuntu">
<para>Restart the OVS service:</para>
<screen><prompt>#</prompt> <userinput>service openvswitch-switch restart</userinput></screen>
</step>
<step os="debian">
<para>Restart the OVS service:</para>
<screen><prompt>#</prompt> <userinput>service openvswitch restart</userinput></screen>
</step>
<step>
<para>Add the integration bridge:</para>
<screen><prompt>#</prompt> <userinput>ovs-vsctl add-br br-int</userinput></screen>
</step>
</procedure>
<procedure>
<title>To configure Compute to use Networking:</title>
<para>By default, most distributions configure Compute to use legacy
networking. You must reconfigure Compute to manage networks through
OpenStack Networking.</para>
<step os="rhel;centos;fedora;sles;opensuse">
<para>Run the following commands:</para>
<para>Replace <replaceable>NEUTRON_PASS</replaceable> with the
password you chose for the <literal>neutron</literal> user
in the Identity service.</para>
<screen><prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
network_api_class nova.network.neutronv2.api.API</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
neutron_url http://<replaceable>controller</replaceable>:9696</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
neutron_auth_strategy keystone</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
neutron_admin_tenant_name service</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
neutron_admin_username neutron</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
neutron_admin_password <replaceable>NEUTRON_PASS</replaceable></userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
neutron_admin_auth_url http://<replaceable>controller</replaceable>:35357/v2.0</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
linuxnet_interface_driver nova.network.linux_net.LinuxOVSInterfaceDriver</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
firewall_driver nova.virt.firewall.NoopFirewallDriver</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
security_group_api neutron</userinput></screen>
<note>
<para>By default, Compute uses an internal firewall service. Since
Networking includes a firewall service, you must disable the
Compute firewall service by using the
<literal>nova.virt.firewall.NoopFirewallDriver</literal> firewall
driver.</para>
</note>
</step>
<step os="ubuntu;debian">
<para>Edit the <filename>/etc/nova/nova.conf</filename> and add the
following keys to the <literal>[DEFAULT]</literal> section:</para>
<para>Replace <replaceable>NEUTRON_PASS</replaceable> with the
password you chose for the <literal>neutron</literal> user
in the Identity service.</para>
<programlisting language="ini">[DEFAULT]
...
network_api_class = nova.network.neutronv2.api.API
neutron_url = http://<replaceable>controller</replaceable>:9696
neutron_auth_strategy = keystone
neutron_admin_tenant_name = service
neutron_admin_username = neutron
neutron_admin_password = <replaceable>NEUTRON_PASS</replaceable>
neutron_admin_auth_url = http://<replaceable>controller</replaceable>:35357/v2.0
linuxnet_interface_driver = nova.network.linux_net.LinuxOVSInterfaceDriver
firewall_driver = nova.virt.firewall.NoopFirewallDriver
security_group_api = neutron</programlisting>
<note>
<para>By default, Compute uses an internal firewall service. Since
Networking includes a firewall service, you must disable the
Compute firewall service by using the
<literal>nova.virt.firewall.NoopFirewallDriver</literal> firewall
driver.</para>
</note>
</step>
</procedure>
<procedure>
<title>To finalize the installation:</title>
<step os="rhel;centos;fedora">
<para>The Networking service initialization scripts expect a symbolic
link <filename>/etc/neutron/plugin.ini</filename> pointing to the
configuration file associated with your chosen plug-in. Using
ML2, for example, the symbolic link must point to
<filename>/etc/neutron/plugins/ml2/ml2_conf.ini</filename>.
If this symbolic link does not exist, create it using the
following commands:</para>
<screen><prompt>#</prompt> <userinput>cd /etc/neutron</userinput>
<prompt>#</prompt> <userinput>ln -s plugins/ml2/ml2_conf.ini plugin.ini</userinput></screen>
</step>
<step os="sles;opensuse">
<para>The Networking service initialization scripts expect the variable
<literal>NEUTRON_PLUGIN_CONF</literal> in the
<filename>/etc/sysconfig/neutron</filename> file to reference the
configuration file associated with your chosen plug-in. Using
ML2, for example, edit the
<filename>/etc/sysconfig/neutron</filename> file and add the
following:</para>
<programlisting>NEUTRON_PLUGIN_CONF="/etc/neutron/plugins/ml2/ml2_conf.ini"</programlisting>
</step>
<step>
<para>Restart the Compute service:</para>
<screen os="rhel;centos;fedora;sles;opensuse"><prompt>#</prompt> <userinput>service openstack-nova-compute restart</userinput></screen>
<screen os="ubuntu;debian"><prompt>#</prompt> <userinput>service nova-compute restart</userinput></screen>
</step>
<step os="rhel;centos;fedora;sles;opensuse">
<para>Start the Open vSwitch (OVS) agent and configure it to start when
the system boots:</para>
<screen os="rhel;centos;fedora"><prompt>#</prompt> <userinput>service neutron-openvswitch-agent start</userinput>
<prompt>#</prompt> <userinput>chkconfig neutron-openvswitch-agent on</userinput></screen>
<screen os="sles;opensuse"><prompt>#</prompt> <userinput>service openstack-neutron-openvswitch-agent start</userinput>
<prompt>#</prompt> <userinput>chkconfig openstack-neutron-openvswitch-agent on</userinput></screen>
</step>
<step os="ubuntu;debian">
<para>Restart the Open vSwitch (OVS) agent:</para>
<screen><prompt>#</prompt> <userinput>service neutron-plugin-openvswitch-agent restart</userinput></screen>
</step>
</procedure>
</section>