openstack/openstack-manuals
Code Issues Proposed changes
824a25ce6d
openstack-manuals/doc/install-guide/section_neutron-ml2-compute-node.xml
Matt Kassawara 03cff88d61 Updated networking content 
I updated the networking content as follows:

1) Reordered example architectures to place the 3-node neutron
   architecture before the 2-node nova-network architecture which
   agrees with the order presented in other portions of the
   installation guide.
2) Changed network service naming to agree with conventions.
3) Permanently unlinked the Open vSwitch (OVS) plug-in sections from
   the Networking chapter. However, I will refrain from deleting
   the associated files in case we need to restore them.
4) Temporarily unlinked the Open vSwitch (OVS) portion of the Neutron
   concepts section until we can update it to reflect the Modular
   Layer 2 (ML2) plug-in.
5) Addressed other minor issues.

Change-Id: I7c285fcabaab65237477e8241f406dac28190344
Closes-Bug: #1309636
2014-04-18 17:07:39 -06:00

398 lines
20 KiB
XML
Raw Blame History

<?xml version="1.0" encoding="UTF-8"?>
<section xml:id="neutron-ml2-compute-node"
xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:svg="http://www.w3.org/2000/svg"
xmlns:html="http://www.w3.org/1999/xhtml" version="5.0">
<title>Configure compute node</title>
<procedure>
<title>Prerequisites</title>
<para>Before you configure OpenStack Networking, you must enable certain
kernel networking functions.</para>
<step>
<para>Edit <filename>/etc/sysctl.conf</filename> to contain the
following:</para>
<programlisting>net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.default.rp_filter=0</programlisting>
</step>
<step>
<para>Implement the changes:</para>
<screen><prompt>#</prompt> <userinput>sysctl -p</userinput></screen>
</step>
</procedure>
<procedure>
<title>To install the Networking components</title>
<step>
<screen os="ubuntu;debian"><prompt>#</prompt> <userinput>apt-get install neutron-common neutron-plugin-ml2 neutron-plugin-openvswitch-agent \
openvswitch-datapath-dkms</userinput></screen>
<screen os="rhel;centos;fedora"><prompt>#</prompt> <userinput>yum install openstack-neutron-ml2 openstack-neutron-openvswitch</userinput></screen>
<screen os="sles;opensuse"><prompt>#</prompt> <userinput>zypper install openstack-neutron-openvswitch-agent</userinput></screen>
<note os="ubuntu">
<para>Ubuntu installations using Linux kernel version 3.11 or newer
do not require the <emphasis>openvswitch-datapath-dkms</emphasis>
package.</para>
</note>
<note os="sles;opensuse">
<para>SUSE does not use a separate ML2 plug-in package.</para>
</note>
</step>
</procedure>
<procedure>
<title>To configure the Networking common components</title>
<para>The Networking common component configuration includes the
authentication mechanism, message broker, and plug-in.</para>
<step os="debian">
<para>Respond to prompts for
<link linkend="debconf-dbconfig-common">database management</link>,
<link linkend="debconf-keystone_authtoken">Identity service
credentials</link>,
<link linkend="debconf-api-endpoints">service endpoint
registration</link>, and
<link linkend="debconf-rabbitqm">message broker
credentials</link>.</para>
</step>
<step os="rhel;centos;fedora;sles;opensuse">
<para>Configure Networking to use the Identity service for
authentication:</para>
<para>Replace <replaceable>NEUTRON_PASS</replaceable> with the
password you chose for the <literal>neutron</literal> user
in the Identity service.</para>
<screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
auth_strategy keystone</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
auth_uri http://<replaceable>controller</replaceable>:5000</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
auth_host <replaceable>controller</replaceable></userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
auth_protocol http</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
auth_port 35357</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
admin_tenant_name service</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
admin_user neutron</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
admin_password <replaceable>NEUTRON_PASS</replaceable></userinput></screen>
</step>
<step os="ubuntu">
<para>Configure Networking to use the Identity service for
authentication:</para>
<substeps>
<step>
<para>Edit the <filename>/etc/neutron/neutron.conf</filename>
file and add the following key to the
<literal>[DEFAULT]</literal> section:</para>
<programlisting language="ini">[DEFAULT]
...
auth_strategy = keystone</programlisting>
<para>Add the following keys to the
<literal>[keystone_authtoken]</literal> section:</para>
<para>Replace <replaceable>NEUTRON_PASS</replaceable> with the
password you chose for the <literal>neutron</literal> user
in the Identity service.</para>
<programlisting language="ini">[keystone_authtoken]
...
auth_uri = http://<replaceable>controller</replaceable>:5000
auth_host = <replaceable>controller</replaceable>
auth_protocol = http
auth_port = 35357
admin_tenant_name = service
admin_user = neutron
admin_password = <replaceable>NEUTRON_PASS</replaceable></programlisting>
</step>
</substeps>
</step>
<step os="opensuse;sles">
<para>Configure Networking to use the message broker:</para>
<para>Replace <replaceable>RABBIT_PASS</replaceable> with the password
you chose for the <literal>guest</literal> account in
<application>RabbitMQ</application>.</para>
<screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
rpc_backend neutron.openstack.common.rpc.impl_kombu</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
rabbit_host <replaceable>controller</replaceable></userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
rabbit_userid guest</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
rabbit_password <replaceable>RABBIT_PASS</replaceable></userinput></screen>
</step>
<step os="rhel;centos;fedora">
<para>Configure Networking to use the message broker:</para>
<screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
rpc_backend neutron.openstack.common.rpc.impl_qpid</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
qpid_hostname <replaceable>controller</replaceable></userinput></screen>
</step>
<step os="ubuntu">
<para>Configure Networking to use the message broker:</para>
<substeps>
<step>
<para>Edit the <filename>/etc/neutron/neutron.conf</filename> file
and add the following keys to the <literal>[DEFAULT]</literal>
section:</para>
<para>Replace <replaceable>RABBIT_PASS</replaceable> with the
password you chose for the <literal>guest</literal> account in
<application>RabbitMQ</application>.</para>
<programlisting language="ini">[DEFAULT]
...
rpc_backend = neutron.openstack.common.rpc.impl_kombu
rabbit_host = <replaceable>controller</replaceable>
rabbit_password = <replaceable>RABBIT_PASS</replaceable></programlisting>
</step>
</substeps>
</step>
<step os="rhel;centos;fedora;sles;opensuse">
<para>Configure Networking to use the Modular Layer 2 (ML2) plug-in
and associated services:</para>
<screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
core_plugin ml2</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
service_plugins router</userinput></screen>
<note>
<para>We recommend adding <literal>verbose = True</literal> to
the <literal>[DEFAULT]</literal> section in
<filename>/etc/neutron/neutron.conf</filename> to assist with
troubleshooting.</para>
</note>
</step>
<step os="ubuntu;debian">
<para>Configure Networking to use the Modular Layer 2 (ML2) plug-in
and associated services:</para>
<substeps>
<step>
<para>Edit the <filename>/etc/neutron/neutron.conf</filename> file
and add the following keys to the <literal>[DEFAULT]</literal>
section:</para>
<programlisting os="ubuntu;debian" language="ini">[DEFAULT]
...
core_plugin = ml2
service_plugins = router
allow_overlapping_ips = True</programlisting>
<note>
<para>We recommend adding <literal>verbose = True</literal> to
the <literal>[DEFAULT]</literal> section in
<filename>/etc/neutron/neutron.conf</filename> to assist with
troubleshooting.</para>
</note>
</step>
</substeps>
</step>
<step>
<para>Comment out any lines in the
<literal>[service_providers]</literal> section.</para>
</step>
</procedure>
<procedure>
<title>To configure the Modular Layer 2 (ML2) plug-in</title>
<para>The ML2 plug-in uses the Open vSwitch (OVS) mechanism (agent) to
build the virtual networking framework for instances.</para>
<step os="rhel;centos;fedora;sles;opensuse">
<para>Run the following commands:</para>
<para>Replace
<replaceable>INSTANCE_TUNNELS_INTERFACE_IP_ADDRESS</replaceable>
with the IP address of the instance tunnels network interface on
your compute node. This guide uses
<literal>10.0.1.31</literal> for the IP address of the
instance tunnels network interface on the first compute
node.</para>
<screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini ml2 \
type_drivers gre</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini ml2 \
tenant_network_types gre</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini ml2 \
mechanism_drivers openvswitch</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini ml2_type_gre \
tunnel_id_ranges 1:1000</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini ovs \
local_ip <replaceable>INSTANCE_TUNNELS_INTERFACE_IP_ADDRESS</replaceable></userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini ovs \
tunnel_type gre</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini ovs \
enable_tunneling True</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini securitygroup \
firewall_driver neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini securitygroup \
enable_security_group True</userinput></screen>
</step>
<step os="ubuntu;debian">
<para>Edit the
<filename>/etc/neutron/plugins/ml2/ml2_conf.ini</filename>
file:</para>
<para>Add the following keys to the <literal>[ml2]</literal>
section:</para>
<programlisting language="ini">[ml2]
...
type_drivers = gre
tenant_network_types = gre
mechanism_drivers = openvswitch</programlisting>
<para>Add the following keys to the
<literal>[ml2_type_gre]</literal> section:</para>
<programlisting language="ini">[ml2_type_gre]
...
tunnel_id_ranges = 1:1000</programlisting>
<para>Add the <literal>[ovs]</literal> section and the following
keys to it:</para>
<para>Replace
<replaceable>INSTANCE_TUNNELS_INTERFACE_IP_ADDRESS</replaceable>
with the IP address of the instance tunnels network interface on
your compute node.</para>
<programlisting language="ini">[ovs]
...
local_ip = <replaceable>INSTANCE_TUNNELS_INTERFACE_IP_ADDRESS</replaceable>
tunnel_type = gre
enable_tunneling = True</programlisting>
<para>Add the <literal>[securitygroup]</literal> section and the
following keys to it:</para>
<programlisting language="ini">[securitygroup]
...
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
enable_security_group = True</programlisting>
</step>
</procedure>
<procedure>
<title>To configure the Open vSwitch (OVS) service</title>
<para>The OVS service provides the underlying virtual networking framework
for instances. The integration bridge <literal>br-int</literal> handles
internal instance network traffic within OVS.</para>
<step os="rhel;centos;fedora">
<para>Start the OVS service and configure it to start when the system
boots:</para>
<screen><prompt>#</prompt> <userinput>service openvswitch start</userinput>
<prompt>#</prompt> <userinput>chkconfig openvswitch on</userinput></screen>
</step>
<step os="sles;opensuse">
<para>Start the OVS service and configure it to start when the system
boots:</para>
<screen><prompt>#</prompt> <userinput>service openvswitch-switch start</userinput>
<prompt>#</prompt> <userinput>chkconfig openvswitch-switch on</userinput></screen>
</step>
<step os="ubuntu">
<para>Restart the OVS service:</para>
<screen><prompt>#</prompt> <userinput>service openvswitch-switch restart</userinput></screen>
</step>
<step os="debian">
<para>Restart the OVS service:</para>
<screen><prompt>#</prompt> <userinput>service openvswitch restart</userinput></screen>
</step>
<step>
<para>Add the integration bridge:</para>
<screen><prompt>#</prompt> <userinput>ovs-vsctl add-br br-int</userinput></screen>
</step>
</procedure>
<procedure>
<title>To configure Compute to use Networking</title>
<para>By default, most distributions configure Compute to use legacy
networking. You must reconfigure Compute to manage networks through
Networking.</para>
<step os="rhel;centos;fedora;sles;opensuse">
<para>Run the following commands:</para>
<para>Replace <replaceable>NEUTRON_PASS</replaceable> with the
password you chose for the <literal>neutron</literal> user
in the Identity service.</para>
<screen><prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
network_api_class nova.network.neutronv2.api.API</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
neutron_url http://<replaceable>controller</replaceable>:9696</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
neutron_auth_strategy keystone</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
neutron_admin_tenant_name service</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
neutron_admin_username neutron</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
neutron_admin_password <replaceable>NEUTRON_PASS</replaceable></userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
neutron_admin_auth_url http://<replaceable>controller</replaceable>:35357/v2.0</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
linuxnet_interface_driver nova.network.linux_net.LinuxOVSInterfaceDriver</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
firewall_driver nova.virt.firewall.NoopFirewallDriver</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
security_group_api neutron</userinput></screen>
<note>
<para>By default, Compute uses an internal firewall service. Since
Networking includes a firewall service, you must disable the
Compute firewall service by using the
<literal>nova.virt.firewall.NoopFirewallDriver</literal> firewall
driver.</para>
</note>
</step>
<step os="ubuntu;debian">
<para>Edit the <filename>/etc/nova/nova.conf</filename> and add the
following keys to the <literal>[DEFAULT]</literal> section:</para>
<para>Replace <replaceable>NEUTRON_PASS</replaceable> with the
password you chose for the <literal>neutron</literal> user
in the Identity service.</para>
<programlisting language="ini">[DEFAULT]
...
network_api_class = nova.network.neutronv2.api.API
neutron_url = http://<replaceable>controller</replaceable>:9696
neutron_auth_strategy = keystone
neutron_admin_tenant_name = service
neutron_admin_username = neutron
neutron_admin_password = <replaceable>NEUTRON_PASS</replaceable>
neutron_admin_auth_url = http://<replaceable>controller</replaceable>:35357/v2.0
linuxnet_interface_driver = nova.network.linux_net.LinuxOVSInterfaceDriver
firewall_driver = nova.virt.firewall.NoopFirewallDriver
security_group_api = neutron</programlisting>
<note>
<para>By default, Compute uses an internal firewall service. Since
Networking includes a firewall service, you must disable the
Compute firewall service by using the
<literal>nova.virt.firewall.NoopFirewallDriver</literal> firewall
driver.</para>
</note>
</step>
</procedure>
<procedure>
<title>To finalize the installation</title>
<step os="rhel;centos;fedora">
<para>The Networking service initialization scripts expect a symbolic
link <filename>/etc/neutron/plugin.ini</filename> pointing to the
configuration file associated with your chosen plug-in. Using
the ML2 plug-in, for example, the symbolic link must point to
<filename>/etc/neutron/plugins/ml2/ml2_conf.ini</filename>.
If this symbolic link does not exist, create it using the
following commands:</para>
<screen><prompt>#</prompt> <userinput>ln -s plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini</userinput></screen>
<!-- https://bugzilla.redhat.com/show_bug.cgi?id=1087647 -->
<para>Due to a packaging bug, the Open vSwitch agent initialization
script explicitly looks for the Open vSwitch plug-in configuration
file rather than a symbolic link
<filename>/etc/neutron/plugin.ini</filename> pointing to the ML2
plug-in configuration file. Run the following commands to resolve this
issue:</para>
<screen><prompt>#</prompt> <userinput>cp /etc/init.d/neutron-openvswitch-agent /etc/init.d/neutron-openvswitch-agent.orig</userinput>
<prompt>#</prompt> <userinput>sed -i 's,plugins/openvswitch/ovs_neutron_plugin.ini,plugin.ini,g' /etc/init.d/neutron-openvswitch-agent</userinput></screen>
</step>
<step os="sles;opensuse">
<para>The Networking service initialization scripts expect the variable
<literal>NEUTRON_PLUGIN_CONF</literal> in the
<filename>/etc/sysconfig/neutron</filename> file to reference the
configuration file associated with your chosen plug-in. Using
ML2, for example, edit the
<filename>/etc/sysconfig/neutron</filename> file and add the
following:</para>
<programlisting>NEUTRON_PLUGIN_CONF="/etc/neutron/plugins/ml2/ml2_conf.ini"</programlisting>
</step>
<step>
<para>Restart the Compute service:</para>
<screen os="rhel;centos;fedora;sles;opensuse"><prompt>#</prompt> <userinput>service openstack-nova-compute restart</userinput></screen>
<screen os="ubuntu;debian"><prompt>#</prompt> <userinput>service nova-compute restart</userinput></screen>
</step>
<step os="rhel;centos;fedora;sles;opensuse">
<para>Start the Open vSwitch (OVS) agent and configure it to start when
the system boots:</para>
<screen os="rhel;centos;fedora"><prompt>#</prompt> <userinput>service neutron-openvswitch-agent start</userinput>
<prompt>#</prompt> <userinput>chkconfig neutron-openvswitch-agent on</userinput></screen>
<screen os="sles;opensuse"><prompt>#</prompt> <userinput>service openstack-neutron-openvswitch-agent start</userinput>
<prompt>#</prompt> <userinput>chkconfig openstack-neutron-openvswitch-agent on</userinput></screen>
</step>
<step os="ubuntu;debian">
<para>Restart the Open vSwitch (OVS) agent:</para>
<screen><prompt>#</prompt> <userinput>service neutron-plugin-openvswitch-agent restart</userinput></screen>
</step>
</procedure>
</section>
View Git Blame Copy Permalink