17fc8c8a8b
As part of the installation guide improvement project, I performed the following operations on the Networking chapter: 1) Moved Neutron ML2 sections before OVS sections and updated associated notes to steer users toward ML2. 2) Removed database population steps because Neutron populates the database at first run. 3) Moved 'enable_security_group' key to [securitygroup] section. 4) Removed extraneous colons from procedure titles. 5) Added command output to Neutron initial networks section. 6) Added command output to Nova initial networks section. Change-Id: Ie677d199d2c64ef2a564eaa551295e1a321db02c Partial-Bug: #1291071 Implements: blueprint networking-install-guide-improvements
349 lines
20 KiB
XML
349 lines
20 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<section xml:id="neutron-controller-node"
|
|
xmlns="http://docbook.org/ns/docbook"
|
|
xmlns:xi="http://www.w3.org/2001/XInclude"
|
|
xmlns:xlink="http://www.w3.org/1999/xlink"
|
|
xmlns:svg="http://www.w3.org/2000/svg"
|
|
xmlns:html="http://www.w3.org/1999/xhtml" version="5.0">
|
|
<title>Configure controller node</title>
|
|
<warning os="rhel;centos">
|
|
<para>By default, the <literal>system-config-firewall</literal>
|
|
automated firewall configuration tool is in place on RHEL.
|
|
This graphical interface (and a curses-style interface with
|
|
<literal>-tui</literal> on the end of the name) enables you
|
|
to configure IP tables as a basic firewall. You should disable
|
|
it when you work with Neutron unless you are familiar with the
|
|
underlying network technologies, as, by default, it blocks
|
|
various types of network traffic that are important to
|
|
Neutron. To disable it, simple launch the program and clear
|
|
the <guilabel>Enabled</guilabel> check box.</para>
|
|
<para>After you successfully set up OpenStack with Neutron, you
|
|
can re-enable and configure the tool. However, during Neutron
|
|
set up, disable the tool to make it easier to debug network
|
|
issues.</para>
|
|
</warning>
|
|
<procedure os="rhel;centos;fedora;opensuse;sles;ubuntu">
|
|
<title>Prerequisites</title>
|
|
<para os="rhel;centos;fedora;opensuse;sles;ubuntu">Before you
|
|
configure individual nodes for Networking, you must create the
|
|
required OpenStack components: user, service, database, and one or
|
|
more endpoints. After you complete these steps on the controller
|
|
node, follow the instructions in this guide to set up OpenStack
|
|
Networking nodes.</para>
|
|
<step os="rhel;centos;fedora;opensuse;sles;ubuntu">
|
|
<!-- TODO(sross): change this to use `openstack-db` once it supports Neutron -->
|
|
<para>Connect to the MySQL database as the root user, create the
|
|
<literal>neutron</literal> database, and grant the proper
|
|
access to it:</para>
|
|
<screen><prompt>$</prompt> <userinput>mysql -u root -p</userinput>
|
|
<prompt>mysql></prompt> <userinput>CREATE DATABASE neutron;</userinput>
|
|
<prompt>mysql></prompt> <userinput>GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'localhost' \
|
|
IDENTIFIED BY '<replaceable>NEUTRON_DBPASS</replaceable>';</userinput>
|
|
<prompt>mysql></prompt> <userinput>GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'%' \
|
|
IDENTIFIED BY '<replaceable>NEUTRON_DBPASS</replaceable>';</userinput></screen>
|
|
</step>
|
|
<step os="rhel;centos;fedora;opensuse;sles;ubuntu">
|
|
<para>Create the required user, service, and endpoint so that
|
|
Networking can interface with the Identity Service.</para>
|
|
<para>Create a <literal>neutron</literal> user:</para>
|
|
<screen><prompt>$</prompt> <userinput>keystone user-create --name=neutron --pass=<replaceable>NEUTRON_PASS</replaceable> --email=<replaceable>neutron@example.com</replaceable></userinput></screen>
|
|
<para>Add the user role to the neutron user:</para>
|
|
<screen><prompt>$</prompt> <userinput>keystone user-role-add --user=neutron --tenant=service --role=admin</userinput></screen>
|
|
<para>Create the neutron service:</para>
|
|
<screen><prompt>$</prompt> <userinput>keystone service-create --name=neutron --type=network \
|
|
--description="OpenStack Networking"</userinput></screen>
|
|
<para>Create a Networking endpoint:</para>
|
|
<screen><prompt>$</prompt> <userinput>keystone endpoint-create \
|
|
--service-id $(keystone service-list | awk '/ network / {print $2}') \
|
|
--publicurl http://<replaceable>controller</replaceable>:9696 \
|
|
--adminurl http://<replaceable>controller</replaceable>:9696 \
|
|
--internalurl http://<replaceable>controller</replaceable>:9696</userinput></screen>
|
|
</step>
|
|
</procedure>
|
|
<procedure>
|
|
<title>Install and configure server component</title>
|
|
<step>
|
|
<para>Install the server component of Networking and any dependencies.</para>
|
|
<screen os="ubuntu;debian"><prompt>#</prompt> <userinput>apt-get install neutron-server</userinput></screen>
|
|
<screen os="fedora;rhel;centos"><prompt>#</prompt> <userinput>yum install openstack-neutron python-neutron python-neutronclient</userinput></screen>
|
|
<screen os="opensuse;sles"><prompt>#</prompt> <userinput>zypper install openstack-neutron python-neutron python-neutronclient</userinput></screen>
|
|
</step>
|
|
<step os="rhel;centos;fedora;opensuse;sles">
|
|
<para>Configure Networking to connect to the database:</para>
|
|
<screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf database connection \
|
|
mysql://neutron:<replaceable>NEUTRON_DBPASS</replaceable>@controller/neutron</userinput></screen>
|
|
</step>
|
|
<step os="ubuntu;debian">
|
|
<para>Configure Networking to use your MySQL database. Edit the
|
|
<filename>/etc/neutron/neutron.conf</filename> file and add the
|
|
following key under the <literal>[database]</literal> section.
|
|
Replace <replaceable>NEUTRON_DBPASS</replaceable> with the password
|
|
you chose for the Neutron database.</para>
|
|
<programlisting language="ini">[database]
|
|
...
|
|
connection = mysql://neutron:<replaceable>NEUTRON_DBPASS</replaceable>@<replaceable>controller</replaceable>/neutron</programlisting>
|
|
</step>
|
|
<step os="rhel;centos;fedora;opensuse;sles">
|
|
<para>Configure Networking to use
|
|
<systemitem class="service">keystone</systemitem> as the Identity
|
|
Service for authentication:</para>
|
|
<substeps>
|
|
<step>
|
|
<para>Set the <literal>auth_strategy</literal>
|
|
configuration key to <literal>keystone</literal> in the
|
|
<literal>DEFAULT</literal> section of the file:</para>
|
|
<screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT auth_strategy keystone</userinput></screen>
|
|
</step>
|
|
<step>
|
|
<para>Set the <systemitem class="service">neutron</systemitem> configuration for
|
|
<systemitem class="service">keystone</systemitem> authentication:</para>
|
|
<screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
|
|
auth_uri http://<replaceable>controller</replaceable>:5000</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
|
|
auth_host <replaceable>controller</replaceable></userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
|
|
auth_protocol http</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
|
|
auth_port 35357</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
|
|
admin_tenant_name service</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
|
|
admin_user neutron</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
|
|
admin_password <replaceable>NEUTRON_PASS</replaceable></userinput></screen>
|
|
</step>
|
|
</substeps>
|
|
</step>
|
|
<step os="ubuntu;debian">
|
|
<para>Configure Networking to use
|
|
<systemitem class="service">keystone</systemitem> as the Identity
|
|
Service for authentication.</para>
|
|
<substeps>
|
|
<step>
|
|
<para>Edit the <filename>/etc/neutron/neutron.conf</filename>
|
|
file and add the
|
|
file and add the following key under the
|
|
<literal>[DEFAULT]</literal> section.</para>
|
|
<programlisting language="ini">[DEFAULT]
|
|
...
|
|
auth_strategy = keystone</programlisting>
|
|
<para>Add the following keys under the
|
|
<literal>[keystone_authtoken]</literal> section. Replace
|
|
<replaceable>NEUTRON_PASS</replaceable> with the password you
|
|
chose for the Neutron user in Keystone.</para>
|
|
<programlisting language="ini">[keystone_authtoken]
|
|
...
|
|
auth_uri = http://<replaceable>controller</replaceable>:5000
|
|
auth_host = <replaceable>controller</replaceable>
|
|
auth_protocol = http
|
|
auth_port = 35357
|
|
admin_tenant_name = service
|
|
admin_user = neutron
|
|
admin_password = <replaceable>NEUTRON_PASS</replaceable></programlisting>
|
|
</step>
|
|
</substeps>
|
|
</step>
|
|
<step os="opensuse;sles">
|
|
<para>Configure access to the <application>RabbitMQ</application>
|
|
service:</para>
|
|
<screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
|
|
rpc_backend neutron.openstack.common.rpc.impl_kombu</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
|
|
rabbit_host controller</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
|
|
rabbit_userid guest</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
|
|
rabbit_password <replaceable>RABBIT_PASS</replaceable></userinput></screen>
|
|
</step>
|
|
<step os="rhel;centos;fedora">
|
|
<para>Configure access to the <application>Qpid</application> message
|
|
queue:</para>
|
|
<screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
|
|
rpc_backend neutron.openstack.common.rpc.impl_qpid</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
|
|
qpid_hostname <replaceable>controller</replaceable></userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
|
|
qpid_port 5672</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
|
|
qpid_username <replaceable>guest</replaceable></userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
|
|
qpid_password <replaceable>guest</replaceable></userinput></screen>
|
|
</step>
|
|
<step os="ubuntu;debian">
|
|
<para>Configure Networking to use your message broker. Edit the
|
|
<filename>/etc/neutron/neutron.conf</filename> file and add
|
|
the following keys under the <literal>[DEFAULT]</literal>
|
|
section.</para>
|
|
<para>Replace <replaceable>RABBIT_PASS</replaceable> with the
|
|
password you chose for RabbitMQ.</para>
|
|
<programlisting language="ini">[DEFAULT]
|
|
...
|
|
rpc_backend = neutron.openstack.common.rpc.impl_kombu
|
|
rabbit_host = <replaceable>controller</replaceable>
|
|
rabbit_password = <replaceable>RABBIT_PASS</replaceable></programlisting>
|
|
</step>
|
|
</procedure>
|
|
<procedure>
|
|
<title>Install and configure Open vSwitch (OVS) plug-in</title>
|
|
<para>OpenStack Networking supports a variety of plug-ins. For
|
|
simplicity, we chose to cover the most common plug-in, Open
|
|
vSwitch, and configure it to use basic GRE tunnels for tenant
|
|
network traffic.</para>
|
|
<step>
|
|
<para>Install the Open vSwitch plug-in:</para>
|
|
<screen os="ubuntu;debian"><prompt>#</prompt> <userinput>apt-get install neutron-plugin-openvswitch</userinput></screen>
|
|
<screen os="rhel;fedora;centos"><prompt>#</prompt> <userinput>yum install openstack-neutron-openvswitch</userinput></screen>
|
|
<screen os="opensuse;sles"><prompt>#</prompt> <userinput>zypper install openstack-neutron-openvswitch-agent</userinput></screen>
|
|
</step>
|
|
<step>
|
|
<para>You must set some common configuration options no
|
|
matter which networking technology you choose to use
|
|
with Open vSwitch. You must configure Networking core to
|
|
use <acronym>OVS</acronym>. Edit the
|
|
<filename>/etc/neutron/neutron.conf</filename>
|
|
file:</para>
|
|
<programlisting language="ini">core_plugin = neutron.plugins.openvswitch.ovs_neutron_plugin.OVSNeutronPluginV2</programlisting>
|
|
<note>
|
|
<para>The dedicated controller node does not need to run
|
|
Open vSwitch or the Open vSwitch agent.</para>
|
|
</note>
|
|
</step>
|
|
<step>
|
|
<para>Configure the <acronym>OVS</acronym> plug-in to use GRE
|
|
tunneling. Edit the
|
|
<filename>/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini</filename>
|
|
file:</para>
|
|
<programlisting language="ini">[ovs]
|
|
tenant_network_type = gre
|
|
tunnel_id_ranges = 1:1000
|
|
enable_tunneling = True</programlisting>
|
|
</step>
|
|
</procedure>
|
|
<procedure>
|
|
<title>Configure Compute services for Networking</title>
|
|
<step>
|
|
<para os="rhel;centos;fedora;opensuse;sles">Configure Compute to use
|
|
OpenStack Networking services. Configure the
|
|
<filename>/etc/nova/nova.conf</filename> file as per instructions
|
|
below:</para>
|
|
<screen os="rhel;centos;fedora;opensuse;sles"><prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
|
|
network_api_class nova.network.neutronv2.api.API</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
|
|
neutron_url http://<replaceable>controller</replaceable>:9696</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
|
|
neutron_auth_strategy keystone</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
|
|
neutron_admin_tenant_name service</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
|
|
neutron_admin_username neutron</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
|
|
neutron_admin_password <replaceable>NEUTRON_PASS</replaceable></userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
|
|
neutron_admin_auth_url http://<replaceable>controller</replaceable>:35357/v2.0</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
|
|
linuxnet_interface_driver nova.network.linux_net.LinuxOVSInterfaceDriver</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
|
|
firewall_driver nova.virt.firewall.NoopFirewallDriver</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
|
|
security_group_api neutron</userinput></screen>
|
|
<para os="ubuntu;debian">Configure Compute to use OpenStack Networking
|
|
services. Edit the <filename>/etc/nova/nova.conf</filename>
|
|
file:</para>
|
|
<programlisting language="ini" os="ubuntu;debian">network_api_class=nova.network.neutronv2.api.API
|
|
neutron_url=http://<replaceable>controller</replaceable>:9696
|
|
neutron_auth_strategy=keystone
|
|
neutron_admin_tenant_name=service
|
|
neutron_admin_username=neutron
|
|
neutron_admin_password=<replaceable>NEUTRON_PASS</replaceable>
|
|
neutron_admin_auth_url=http://<replaceable>controller</replaceable>:35357/v2.0
|
|
linuxnet_interface_driver = nova.network.linux_net.LinuxOVSInterfaceDriver
|
|
firewall_driver=nova.virt.firewall.NoopFirewallDriver
|
|
security_group_api=neutron</programlisting>
|
|
<note>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>Regardless of which firewall driver you chose when you
|
|
configured the network and compute nodes, set this driver
|
|
as the No-Op firewall. This firewall is a
|
|
<systemitem class="service">nova</systemitem> firewall,
|
|
and because <systemitem class="service">neutron</systemitem>
|
|
handles the Firewall, you must tell
|
|
<systemitem class="service">nova</systemitem> not to use one.</para>
|
|
<para>When Networking handles the firewall, the option
|
|
<code>firewall_driver</code> should be set according to
|
|
the specified plug-in. For example with
|
|
<acronym>OVS</acronym>, edit the
|
|
<filename>/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini</filename>
|
|
file:</para>
|
|
<programlisting language="ini" os="ubuntu;debian">[securitygroup]
|
|
# Firewall driver for realizing neutron security group function.
|
|
firewall_driver=neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver</programlisting>
|
|
<screen os="rhel;centos;fedora;opensuse;sles"><prompt>#</prompt> <userinput>openstack-config --set \
|
|
/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini securitygroup firewall_driver \
|
|
neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver</userinput></screen>
|
|
</listitem>
|
|
<listitem>
|
|
<para>If you do not want to use a firewall in Compute or
|
|
Networking, set
|
|
<code>firewall_driver=nova.virt.firewall.NoopFirewallDriver</code>
|
|
in both config files, and comment out or remove
|
|
<code>security_group_api=neutron</code> in the
|
|
<filename>/etc/nova/nova.conf</filename> file, otherwise
|
|
you may encounter <errortext>ERROR: The server has either
|
|
erred or is incapable of performing the requested
|
|
operation. (HTTP 500)</errortext> when issuing
|
|
<command>nova list</command> commands.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</note>
|
|
</step>
|
|
<step os="rhel;centos;fedora">
|
|
<para>The <systemitem class="service">neutron-server</systemitem>
|
|
initialization script expects a symbolic link
|
|
<filename>/etc/neutron/plugin.ini</filename> pointing to the
|
|
configuration file associated with your chosen plug-in. Using
|
|
Open vSwitch, for example, the symbolic link must point to
|
|
<filename>/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini</filename>.
|
|
If this symbolic link does not exist, create it using the
|
|
following commands:</para>
|
|
<screen><prompt>#</prompt> <userinput>cd /etc/neutron</userinput>
|
|
<prompt>#</prompt> <userinput>ln -s plugins/openvswitch/ovs_neutron_plugin.ini plugin.ini</userinput></screen>
|
|
</step>
|
|
<step os="sles;opensuse">
|
|
<para>The <systemitem class="service">openstack-neutron</systemitem>
|
|
initialization script expects the variable
|
|
<literal>NEUTRON_PLUGIN_CONF</literal> in file
|
|
<filename>/etc/sysconfig/neutron</filename> to reference the
|
|
configuration file associated with your chosen plug-in. Using
|
|
Open vSwitch, for example, edit the
|
|
<filename>/etc/sysconfig/neutron</filename> file and add the
|
|
following:</para>
|
|
<programlisting>NEUTRON_PLUGIN_CONF="/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini"</programlisting>
|
|
</step>
|
|
</procedure>
|
|
<procedure>
|
|
<title>Finalize installation</title>
|
|
<step os="ubuntu;debian">
|
|
<para>Restart the Compute and Networking services:</para>
|
|
<screen><prompt>#</prompt> <userinput>service nova-api restart</userinput>
|
|
<prompt>#</prompt> <userinput>service nova-scheduler restart</userinput>
|
|
<prompt>#</prompt> <userinput>service nova-conductor restart</userinput>
|
|
<prompt>#</prompt> <userinput>service neutron-server restart</userinput></screen>
|
|
</step>
|
|
<step os="fedora;rhel;centos;opensuse;sles">
|
|
<para>Restart the Compute services:</para>
|
|
<screen><prompt>#</prompt> <userinput>service openstack-nova-api restart</userinput>
|
|
<prompt>#</prompt> <userinput>service openstack-nova-scheduler restart</userinput>
|
|
<prompt>#</prompt> <userinput>service openstack-nova-conductor restart</userinput></screen>
|
|
</step>
|
|
<step os="fedora;rhel;centos;opensuse;sles">
|
|
<para>Start the Networking service and configure it to start when the
|
|
system boots:</para>
|
|
<screen os="fedora;rhel;centos"><prompt>#</prompt> <userinput>service neutron-server start</userinput>
|
|
<prompt>#</prompt> <userinput>chkconfig neutron-server on</userinput></screen>
|
|
<screen os="opensuse;sles"><prompt>#</prompt> <userinput>service openstack-neutron start</userinput>
|
|
<prompt>#</prompt> <userinput>chkconfig openstack-neutron on</userinput></screen>
|
|
</step>
|
|
</procedure>
|
|
</section>
|