bb6b30c2cb
As reported by Boon Lee, various parts of the documentation were referring to 'security_group' instead of 'securitygroup'. Additionally, the section was left out of one command to configure the firewall_driver. http://docs.openstack.org/trunk/config-reference/content/networking-options-securitygroups.html Change-Id: I148f6a96064bd6fd31f9f6abaf6985881c337aa9 Closes-Bug: 1302945
401 lines
20 KiB
XML
401 lines
20 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<section xml:id="neutron-ml2-compute-node"
|
|
xmlns="http://docbook.org/ns/docbook"
|
|
xmlns:xi="http://www.w3.org/2001/XInclude"
|
|
xmlns:xlink="http://www.w3.org/1999/xlink"
|
|
xmlns:svg="http://www.w3.org/2000/svg"
|
|
xmlns:html="http://www.w3.org/1999/xhtml" version="5.0">
|
|
<title>Configure compute node</title>
|
|
<procedure>
|
|
<title>Prerequisites</title>
|
|
<para>Before you configure Networking, you must enable certain kernel
|
|
networking functions.</para>
|
|
<step>
|
|
<para>Edit <filename>/etc/sysctl.conf</filename> to contain the
|
|
following:</para>
|
|
<programlisting>net.ipv4.conf.all.rp_filter=0
|
|
net.ipv4.conf.default.rp_filter=0</programlisting>
|
|
</step>
|
|
<step>
|
|
<para>Implement the changes:</para>
|
|
<screen><prompt>#</prompt> <userinput>sysctl -p</userinput></screen>
|
|
</step>
|
|
</procedure>
|
|
<procedure>
|
|
<title>To install the Networking components:</title>
|
|
<step>
|
|
<screen os="ubuntu;debian"><prompt>#</prompt> <userinput>apt-get install neutron-common neutron-plugin-ml2 neutron-plugin-openvswitch-agent \
|
|
openvswitch-datapath-dkms</userinput></screen>
|
|
<screen os="rhel;centos;fedora"><prompt>#</prompt> <userinput>yum install openstack-neutron-ml2 openstack-neutron-openvswitch</userinput></screen>
|
|
<screen os="sles;opensuse"><prompt>#</prompt> <userinput>zypper install openstack-neutron-openvswitch-agent</userinput></screen>
|
|
<note os="ubuntu">
|
|
<para>Ubuntu installations using Linux kernel version 3.11 or newer
|
|
do not require the <emphasis>openvswitch-datapath-dkms</emphasis>
|
|
package.</para>
|
|
</note>
|
|
<note os="sles;opensuse">
|
|
<para>SUSE does not use a separate ML2 plug-in package.</para>
|
|
</note>
|
|
</step>
|
|
</procedure>
|
|
<procedure>
|
|
<title>To configure the Networking common components:</title>
|
|
<para>The Networking common component configuration includes the
|
|
authentication mechanism, messaging service, and plug-in.</para>
|
|
<step os="debian">
|
|
<para>Respond to prompts for
|
|
<link linkend="debconf-dbconfig-common">database management</link>,
|
|
<link linkend="debconf-keystone_authtoken">Identity service
|
|
credentials</link>,
|
|
<link linkend="debconf-api-endpoints">service endpoint
|
|
registration</link>, and
|
|
<link linkend="debconf-rabbitqm">messaging service
|
|
credentials</link>.</para>
|
|
</step>
|
|
<step os="rhel;centos;fedora;sles;opensuse">
|
|
<para>Configure Networking to use the Identity service for
|
|
authentication:</para>
|
|
<para>Replace <replaceable>NEUTRON_PASS</replaceable> with the
|
|
password you chose for the <literal>neutron</literal> user
|
|
in the Identity service.</para>
|
|
<screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
|
|
auth_strategy keystone</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
|
|
auth_uri http://<replaceable>controller</replaceable>:5000</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
|
|
auth_host <replaceable>controller</replaceable></userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
|
|
auth_protocol http</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
|
|
auth_port 35357</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
|
|
admin_tenant_name service</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
|
|
admin_user neutron</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
|
|
admin_password <replaceable>NEUTRON_PASS</replaceable></userinput></screen>
|
|
</step>
|
|
<step os="ubuntu">
|
|
<para>Configure Networking to use the Identity service for
|
|
authentication:</para>
|
|
<substeps>
|
|
<step>
|
|
<para>Edit the <filename>/etc/neutron/neutron.conf</filename>
|
|
file and add the following key to the
|
|
<literal>[DEFAULT]</literal> section:</para>
|
|
<programlisting language="ini">[DEFAULT]
|
|
...
|
|
auth_strategy = keystone</programlisting>
|
|
<para>Add the following keys to the
|
|
<literal>[keystone_authtoken]</literal> section:</para>
|
|
<para>Replace <replaceable>NEUTRON_PASS</replaceable> with the
|
|
password you chose for the <literal>neutron</literal> user
|
|
in the Identity service.</para>
|
|
<programlisting language="ini">[keystone_authtoken]
|
|
...
|
|
auth_uri = http://<replaceable>controller</replaceable>:5000
|
|
auth_host = <replaceable>controller</replaceable>
|
|
auth_protocol = http
|
|
auth_port = 35357
|
|
admin_tenant_name = service
|
|
admin_user = neutron
|
|
admin_password = <replaceable>NEUTRON_PASS</replaceable></programlisting>
|
|
</step>
|
|
</substeps>
|
|
</step>
|
|
<step os="opensuse;sles">
|
|
<para>Configure Networking to use the messaging service:</para>
|
|
<para>Replace <replaceable>RABBIT_PASS</replaceable> with the password
|
|
you chose for the <literal>guest</literal> account in
|
|
<application>RabbitMQ</application>.</para>
|
|
<screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
|
|
rpc_backend neutron.openstack.common.rpc.impl_kombu</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
|
|
rabbit_host <replaceable>controller</replaceable></userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
|
|
rabbit_userid guest</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
|
|
rabbit_password <replaceable>RABBIT_PASS</replaceable></userinput></screen>
|
|
</step>
|
|
<step os="rhel;centos;fedora">
|
|
<para>Configure Networking to use the messaging service:</para>
|
|
<screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
|
|
rpc_backend neutron.openstack.common.rpc.impl_qpid</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
|
|
qpid_hostname <replaceable>controller</replaceable></userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
|
|
qpid_port 5672</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
|
|
qpid_username <replaceable>guest</replaceable></userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
|
|
qpid_password <replaceable>guest</replaceable></userinput></screen>
|
|
</step>
|
|
<step os="ubuntu">
|
|
<para>Configure Networking to use the messaging service:</para>
|
|
<substeps>
|
|
<step>
|
|
<para>Edit the <filename>/etc/neutron/neutron.conf</filename> file
|
|
and add the following keys to the <literal>[DEFAULT]</literal>
|
|
section:</para>
|
|
<para>Replace <replaceable>RABBIT_PASS</replaceable> with the
|
|
password you chose for the <literal>guest</literal> account in
|
|
<application>RabbitMQ</application>.</para>
|
|
<programlisting language="ini">[DEFAULT]
|
|
...
|
|
rpc_backend = neutron.openstack.common.rpc.impl_kombu
|
|
rabbit_host = <replaceable>controller</replaceable>
|
|
rabbit_password = <replaceable>RABBIT_PASS</replaceable></programlisting>
|
|
</step>
|
|
</substeps>
|
|
</step>
|
|
<step os="rhel;centos;fedora;sles;opensuse">
|
|
<para>Configure Networking to use the Modular Layer 2 (ML2) plug-in
|
|
and associated services:</para>
|
|
<screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
|
|
core_plugin neutron.plugins.ml2.plugin.Ml2Plugin</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
|
|
service_plugins neutron.services.l3_router.l3_router_plugin.L3RouterPlugin</userinput></screen>
|
|
<warning>
|
|
<para>You must comment out any lines in the
|
|
<literal>[service_providers]</literal> section.</para>
|
|
</warning>
|
|
<note>
|
|
<para>We recommend adding <literal>verbose = True</literal> to
|
|
the <literal>[DEFAULT]</literal> section in
|
|
<filename>/etc/neutron/neutron.conf</filename> to assist with
|
|
troubleshooting.</para>
|
|
</note>
|
|
</step>
|
|
<step os="ubuntu;debian">
|
|
<para>Configure Networking to use the Modular Layer 2 (ML2) plug-in
|
|
and associated services:</para>
|
|
<substeps>
|
|
<step>
|
|
<para>Edit the <filename>/etc/neutron/neutron.conf</filename> file
|
|
and add the following keys to the <literal>[DEFAULT]</literal>
|
|
section:</para>
|
|
<programlisting os="ubuntu;debian" language="ini">[DEFAULT]
|
|
...
|
|
core_plugin = ml2
|
|
service_plugins = router
|
|
allow_overlapping_ips = True</programlisting>
|
|
</step>
|
|
</substeps>
|
|
<warning>
|
|
<para>You must comment out any lines in the
|
|
<literal>[service_providers]</literal> section.</para>
|
|
</warning>
|
|
<note>
|
|
<para>We recommend adding <literal>verbose = True</literal> to
|
|
the <literal>[DEFAULT]</literal> section in
|
|
<filename>/etc/neutron/neutron.conf</filename> to assist with
|
|
troubleshooting.</para>
|
|
</note>
|
|
</step>
|
|
</procedure>
|
|
<procedure>
|
|
<title>To configure the Modular Layer 2 (ML2) plug-in:</title>
|
|
<para>The ML2 plug-in uses the Open vSwitch (OVS) mechanism (agent) to
|
|
build the virtual networking framework for instances.</para>
|
|
<step os="rhel;centos;fedora;sles;opensuse">
|
|
<para>Run the following commands:</para>
|
|
<para>Replace
|
|
<replaceable>INSTANCE_TUNNELS_INTERFACE_IP_ADDRESS</replaceable>
|
|
with the IP address of the instance tunnels network interface on
|
|
your compute node.</para>
|
|
<screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini ml2 \
|
|
type_drivers gre</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini ml2 \
|
|
tenant_network_types gre</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini ml2 \
|
|
mechanism_drivers openvswitch</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini ml2_type_gre \
|
|
tunnel_id_ranges 1:1000</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini ovs \
|
|
local_ip <replaceable>INSTANCE_TUNNELS_INTERFACE_IP_ADDRESS</replaceable></userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini ovs \
|
|
tunnel_type gre</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini ovs \
|
|
enable_tunneling True</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set/etc/neutron/plugins/ml2/ml2_conf.ini securitygroup \
|
|
firewall_driver neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini securitygroup \
|
|
enable_security_group True</userinput></screen>
|
|
</step>
|
|
<step os="ubuntu;debian">
|
|
<para>Edit the
|
|
<filename>/etc/neutron/plugins/ml2/ml2_conf.ini</filename>
|
|
file:</para>
|
|
<para>Add the following keys to the <literal>[ml2]</literal>
|
|
section:</para>
|
|
<programlisting language="ini">[ml2]
|
|
...
|
|
type_drivers = gre
|
|
tenant_network_types = gre
|
|
mechanism_drivers = openvswitch</programlisting>
|
|
<para>Add the following keys to the
|
|
<literal>[ml2_type_gre]</literal> section:</para>
|
|
<programlisting language="ini">[ml2_type_gre]
|
|
...
|
|
tunnel_id_ranges = 1:1000</programlisting>
|
|
<para>Add the <literal>[ovs]</literal> section and the following
|
|
keys to it:</para>
|
|
<para>Replace
|
|
<replaceable>INSTANCE_TUNNELS_INTERFACE_IP_ADDRESS</replaceable>
|
|
with the IP address of the instance tunnels network interface on
|
|
your compute node.</para>
|
|
<programlisting language="ini">[ovs]
|
|
...
|
|
local_ip = <replaceable>INSTANCE_TUNNELS_INTERFACE_IP_ADDRESS</replaceable>
|
|
tunnel_type = gre
|
|
enable_tunneling = True</programlisting>
|
|
<para>Add the <literal>[securitygroup]</literal> section and the
|
|
following keys to it:</para>
|
|
<programlisting language="ini">[securitygroup]
|
|
...
|
|
firewall_driver=neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver</programlisting>
|
|
<para>Add the following key to the
|
|
<literal>[securitygroup]</literal> section:</para>
|
|
<programlisting language="ini">[securitygroup]
|
|
...
|
|
enable_security_group = True</programlisting>
|
|
</step>
|
|
</procedure>
|
|
<procedure>
|
|
<title>To configure the Open vSwitch (OVS) service:</title>
|
|
<para>The OVS service provides the underlying virtual networking framework
|
|
for instances. The integration bridge <literal>br-int</literal> handles
|
|
internal instance network traffic within OVS.</para>
|
|
<step os="rhel;centos;fedora">
|
|
<para>Start the OVS service and configure it to start when the system
|
|
boots:</para>
|
|
<screen><prompt>#</prompt> <userinput>service openvswitch start</userinput>
|
|
<prompt>#</prompt> <userinput>chkconfig openvswitch on</userinput></screen>
|
|
</step>
|
|
<step os="sles;opensuse">
|
|
<para>Start the OVS service and configure it to start when the system
|
|
boots:</para>
|
|
<screen><prompt>#</prompt> <userinput>service openvswitch-switch start</userinput>
|
|
<prompt>#</prompt> <userinput>chkconfig openvswitch-switch on</userinput></screen>
|
|
</step>
|
|
<step os="ubuntu">
|
|
<para>Restart the OVS service:</para>
|
|
<screen><prompt>#</prompt> <userinput>service openvswitch-switch restart</userinput></screen>
|
|
</step>
|
|
<step os="debian">
|
|
<para>Restart the OVS service:</para>
|
|
<screen><prompt>#</prompt> <userinput>service openvswitch restart</userinput></screen>
|
|
</step>
|
|
<step>
|
|
<para>Add the integration bridge:</para>
|
|
<screen><prompt>#</prompt> <userinput>ovs-vsctl add-br br-int</userinput></screen>
|
|
</step>
|
|
</procedure>
|
|
<procedure>
|
|
<title>To configure Compute to use Networking:</title>
|
|
<para>By default, most distributions configure Compute to use legacy
|
|
networking. You must reconfigure Compute to manage networks through
|
|
OpenStack Networking.</para>
|
|
<step os="rhel;centos;fedora;sles;opensuse">
|
|
<para>Run the following commands:</para>
|
|
<para>Replace <replaceable>NEUTRON_PASS</replaceable> with the
|
|
password you chose for the <literal>neutron</literal> user
|
|
in the Identity service.</para>
|
|
<screen><prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
|
|
network_api_class nova.network.neutronv2.api.API</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
|
|
neutron_url http://<replaceable>controller</replaceable>:9696</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
|
|
neutron_auth_strategy keystone</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
|
|
neutron_admin_tenant_name service</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
|
|
neutron_admin_username neutron</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
|
|
neutron_admin_password <replaceable>NEUTRON_PASS</replaceable></userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
|
|
neutron_admin_auth_url http://<replaceable>controller</replaceable>:35357/v2.0</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
|
|
linuxnet_interface_driver nova.network.linux_net.LinuxOVSInterfaceDriver</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
|
|
firewall_driver nova.virt.firewall.NoopFirewallDriver</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
|
|
security_group_api neutron</userinput></screen>
|
|
<note>
|
|
<para>By default, Compute uses an internal firewall service. Since
|
|
Networking includes a firewall service, you must disable the
|
|
Compute firewall service by using the
|
|
<literal>nova.virt.firewall.NoopFirewallDriver</literal> firewall
|
|
driver.</para>
|
|
</note>
|
|
</step>
|
|
<step os="ubuntu;debian">
|
|
<para>Edit the <filename>/etc/nova/nova.conf</filename> and add the
|
|
following keys to the <literal>[DEFAULT]</literal> section:</para>
|
|
<para>Replace <replaceable>NEUTRON_PASS</replaceable> with the
|
|
password you chose for the <literal>neutron</literal> user
|
|
in the Identity service.</para>
|
|
<programlisting language="ini">[DEFAULT]
|
|
...
|
|
network_api_class = nova.network.neutronv2.api.API
|
|
neutron_url = http://<replaceable>controller</replaceable>:9696
|
|
neutron_auth_strategy = keystone
|
|
neutron_admin_tenant_name = service
|
|
neutron_admin_username = neutron
|
|
neutron_admin_password = <replaceable>NEUTRON_PASS</replaceable>
|
|
neutron_admin_auth_url = http://<replaceable>controller</replaceable>:35357/v2.0
|
|
linuxnet_interface_driver = nova.network.linux_net.LinuxOVSInterfaceDriver
|
|
firewall_driver = nova.virt.firewall.NoopFirewallDriver
|
|
security_group_api = neutron</programlisting>
|
|
<note>
|
|
<para>By default, Compute uses an internal firewall service. Since
|
|
Networking includes a firewall service, you must disable the
|
|
Compute firewall service by using the
|
|
<literal>nova.virt.firewall.NoopFirewallDriver</literal> firewall
|
|
driver.</para>
|
|
</note>
|
|
</step>
|
|
</procedure>
|
|
<procedure>
|
|
<title>To finalize the installation:</title>
|
|
<step os="rhel;centos;fedora">
|
|
<para>The Networking service initialization scripts expect a symbolic
|
|
link <filename>/etc/neutron/plugin.ini</filename> pointing to the
|
|
configuration file associated with your chosen plug-in. Using
|
|
ML2, for example, the symbolic link must point to
|
|
<filename>/etc/neutron/plugins/ml2/ml2_conf.ini</filename>.
|
|
If this symbolic link does not exist, create it using the
|
|
following commands:</para>
|
|
<screen><prompt>#</prompt> <userinput>cd /etc/neutron</userinput>
|
|
<prompt>#</prompt> <userinput>ln -s plugins/ml2/ml2_conf.ini plugin.ini</userinput></screen>
|
|
</step>
|
|
<step os="sles;opensuse">
|
|
<para>The Networking service initialization scripts expect the variable
|
|
<literal>NEUTRON_PLUGIN_CONF</literal> in the
|
|
<filename>/etc/sysconfig/neutron</filename> file to reference the
|
|
configuration file associated with your chosen plug-in. Using
|
|
ML2, for example, edit the
|
|
<filename>/etc/sysconfig/neutron</filename> file and add the
|
|
following:</para>
|
|
<programlisting>NEUTRON_PLUGIN_CONF="/etc/neutron/plugins/ml2/ml2_conf.ini"</programlisting>
|
|
</step>
|
|
<step>
|
|
<para>Restart the Compute service:</para>
|
|
<screen os="rhel;centos;fedora;sles;opensuse"><prompt>#</prompt> <userinput>service openstack-nova-compute restart</userinput></screen>
|
|
<screen os="ubuntu;debian"><prompt>#</prompt> <userinput>service nova-compute restart</userinput></screen>
|
|
</step>
|
|
<step os="rhel;centos;fedora;sles;opensuse">
|
|
<para>Start the Open vSwitch (OVS) agent and configure it to start when
|
|
the system boots:</para>
|
|
<screen os="rhel;centos;fedora"><prompt>#</prompt> <userinput>service neutron-openvswitch-agent start</userinput>
|
|
<prompt>#</prompt> <userinput>chkconfig neutron-openvswitch-agent on</userinput></screen>
|
|
<screen os="sles;opensuse"><prompt>#</prompt> <userinput>service openstack-neutron-openvswitch-agent start</userinput>
|
|
<prompt>#</prompt> <userinput>chkconfig openstack-neutron-openvswitch-agent on</userinput></screen>
|
|
</step>
|
|
<step os="ubuntu;debian">
|
|
<para>Restart the Open vSwitch (OVS) agent:</para>
|
|
<screen><prompt>#</prompt> <userinput>service neutron-plugin-openvswitch-agent restart</userinput></screen>
|
|
</step>
|
|
</procedure>
|
|
</section>
|