7.2. Configure OpenStack Networking
Important
vif_plugging_is_fatal
option is commented out in the [DEFAULT]
section of the /etc/nova/nova.conf
file, and defaults to True
. This option controls whether instances should fail to boot if VIF plugging fails. Similarly, the notify_nova_on_port_status_changes
and notify_nova_on_port_data_changes
options are commented out in the [DEFAULT]
section of the /etc/neutron/neutron.conf
file, and default to False
. These options control whether notifications should be sent to nova on port status or data changes. However, this combination of values can prevent instances from booting. To allow instances to boot correctly, set all of these options to either True
or False
. To set True
, run the following commands:
#
openstack-config --set /etc/nova/nova.conf \
DEFAULT vif_plugging_is_fatal True
#
openstack-config --set /etc/neutron/neutron.conf \
DEFAULT notify_nova_on_port_status_changes True
#
openstack-config --set /etc/neutron/neutron.conf \
DEFAULT notify_nova_on_port_data_changes True
False
, run the following commands instead:
#
openstack-config --set /etc/nova/nova.conf \
DEFAULT vif_plugging_is_fatal False
#
openstack-config --set /etc/neutron/neutron.conf \
DEFAULT notify_nova_on_port_status_changes False
#
openstack-config --set /etc/neutron/neutron.conf \
DEFAULT notify_nova_on_port_data_changes False
7.2.1. Set the OpenStack Networking Plug-in
Note
neutron.conf
by their nominated short names, instead of their lengthy class names. For example:
core_plugin = neutron.plugins.ml2.plugin:Ml2Pluginwill become:
core_plugin = ml2
Short name | Class name |
---|---|
bigswitch | neutron.plugins.bigswitch.plugin:NeutronRestProxyV2 |
brocade | neutron.plugins.brocade.NeutronPlugin:BrocadePluginV2 |
cisco | neutron.plugins.cisco.network_plugin:PluginV2 |
embrane | neutron.plugins.embrane.plugins.embrane_ovs_plugin:EmbraneOvsPlugin |
hyperv | neutron.plugins.hyperv.hyperv_neutron_plugin:HyperVNeutronPlugin |
linuxbridge | neutron.plugins.linuxbridge.lb_neutron_plugin:LinuxBridgePluginV2 |
midonet | neutron.plugins.midonet.plugin:MidonetPluginV2 |
ml2 | neutron.plugins.ml2.plugin:Ml2Plugin |
mlnx | neutron.plugins.mlnx.mlnx_plugin:MellanoxEswitchPlugin |
nec | neutron.plugins.nec.nec_plugin:NECPluginV2 |
openvswitch | neutron.plugins.openvswitch.ovs_neutron_plugin:OVSNeutronPluginV2 |
plumgrid | neutron.plugins.plumgrid.plumgrid_plugin.plumgrid_plugin:NeutronPluginPLUMgridV2 |
ryu | neutron.plugins.ryu.ryu_neutron_plugin:RyuNeutronPluginV2 |
vmware | neutron.plugins.vmware.plugin:NsxPlugin |
service_plugins
option accepts a comma-delimited list of multiple service plugins.
Short name | Class name |
---|---|
dummy | neutron.tests.unit.dummy_plugin:DummyServicePlugin |
router | neutron.services.l3_router.l3_router_plugin:L3RouterPlugin |
firewall | neutron.services.firewall.fwaas_plugin:FirewallPlugin |
lbaas | neutron.services.loadbalancer.plugin:LoadBalancerPlugin |
metering | neutron.services.metering.metering_plugin:MeteringPlugin |
7.2.1.1. Enable the ML2 Plug-in
neutron-server
service.
Procedure 7.1. Enabling the ML2 Plug-in
- Create a symbolic link to direct OpenStack Networking to the
ml2_conf.ini
file:#
ln -s /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini
- Set the tenant network type. Supported values are
gre
,local
,vlan
, andvxlan
. The default value islocal
, but this is not recommended for enterprise deployments:#
openstack-config --set /etc/neutron/plugin.ini \
ml2 tenant_network_types TYPE
Replace TYPE with the tenant network type. - If you chose
flat
orvlan
networking, you must also map physical networks to VLAN ranges:#
openstack-config --set /etc/neutron/plugin.ini \
ml2 network_vlan_ranges NAME:START:END
Replace the following values:- Replace NAME with the name of the physical network.
- Replace START with the VLAN identifier that starts the range.
- Replace END with the VLAN identifier that ends the range.
Multiple ranges can be specified using a comma-delimited list, for example:physnet1:1000:2999,physnet2:3000:3999
- Set the driver types. Supported values are
local
,flat
,vlan
,gre
, andvxlan
:#
openstack-config --set /etc/neutron/plugin.ini \
ml2 type_drivers TYPE
Replace TYPE with the driver type. Specify multiple drivers using a comma-delimited list. - Set the mechanism drivers. Available values are
openvswitch
,linuxbridge
, andl2population
:#
openstack-config --set /etc/neutron/plugin.ini \
ml2 mechanism_drivers TYPE
Replace TYPE with the mechanism driver type. Specify multiple mechanism drivers using a comma-delimited list. - Enable L2 population:
#
openstack-config --set /etc/neutron/plugin.ini \
agent l2_population True
- Set the firewall driver in the
/etc/neutron/plugins/ml2/openvswitch_agent.ini
file or the/etc/neutron/plugins/ml2/linuxbridge_agent.ini
file, depending on which plug-in agent you are using:Open vSwitch Firewall Driver
#
openstack-config --set /etc/neutron/plugins/ml2/openvswitch_agent.ini
securitygroup firewall_driver neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
Linux Bridge Firewall Driver
#
openstack-config --set /etc/neutron/plugins/ml2/linuxbridge_agent.ini
securitygroup firewall_driver neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
- Enable the ML2 plug-in and the L3 router:
#
openstack-config --set /etc/neutron/neutron.conf \
DEFAULT core_plugin ml2
#
openstack-config --set /etc/neutron/neutron.conf \
DEFAULT service_plugins router
7.2.1.2. Enable the Open vSwitch Plug-in
neutron-server
service.
Note
Procedure 7.2. Enabling the Open vSwitch Plug-in
- Create a symbolic link to direct OpenStack Networking to the
openvswitch_agent.ini
file:#
ln -s /etc/neutron/plugins/ml2/openvswitch_agent.ini \
/etc/neutron/plugin.ini
- Set the tenant network type. Supported values are
gre
,local
,vlan
, andvxlan
. The default value islocal
, but this is not recommended for enterprise deployments:#
openstack-config --set /etc/neutron/plugin.ini \
OVS tenant_network_type TYPE
Replace TYPE with the tenant network type. - If you chose
flat
orvlan
networking, you must also map physical networks to VLAN ranges:#
openstack-config --set /etc/neutron/plugin.ini \
OVS network_vlan_ranges NAME:START:END
Replace the following values:- Replace NAME with the name of the physical network.
- Replace START with the VLAN identifier that starts the range.
- Replace END with the VLAN identifier that ends the range.
Multiple ranges can be specified using a comma-delimited list, for example:physnet1:1000:2999,physnet2:3000:3999
- Set the firewall driver:
#
openstack-config --set /etc/neutron/plugin.ini \
securitygroup firewall_driver neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
- Enable the Open vSwitch plug-in:
#
openstack-config --set /etc/neutron/neutron.conf \
DEFAULT core_plugin openvswitch
7.2.1.3. Enable the Linux Bridge Plug-in
neutron-server
service.
Note
Procedure 7.3. Enabling the Linux Bridge Plug-in
- Create a symbolic link to direct OpenStack Networking to the
linuxbridge_agent.ini
file:#
ln -s /etc/neutron/plugins/ml2/linuxbridge_agent.ini \
/etc/neutron/plugin.ini
- Set the tenant network type. Supported values are
flat
,vlan
, andlocal
. The default islocal
, but this is not recommended for enterprise deployments:#
openstack-config --set /etc/neutron/plugin.ini \
VLAN tenant_network_type TYPE
Replace TYPE with the chosen tenant network type. - If you chose
flat
orvlan
networking, you must also map physical networks to VLAN ranges:#
openstack-config --set /etc/neutron/plugin.ini \
LINUX_BRIDGE network_vlan_ranges NAME:START:END
- Replace NAME with the name of the physical network.
- Replace START with the VLAN identifier that starts the range.
- Replace END with the VLAN identifier that ends the range.
Multiple ranges can be specified using a comma-delimited list, for example:physnet1:1000:2999,physnet2:3000:3999
- Set the firewall driver:
#
openstack-config --set /etc/neutron/plugin.ini \
securitygroup firewall_driver neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
- Enable the Linux Bridge plug-in:
#
openstack-config --set /etc/neutron/neutron.conf \
DEFAULT core_plugin linuxbridge
7.2.2. Create the OpenStack Networking Database
root
user, and prior to starting the neutron-server
service.
Procedure 7.4. Creating the OpenStack Networking Database
- Connect to the database service:
#
mysql -u root -p
- Create the database with one of the following names:This example creates the ML2
- If you are using the ML2 plug-in, the recommended database name is
neutron_ml2
- If you are using the Open vSwitch plug-in, the recommended database name is
ovs_neutron
. - If you are using the Linux Bridge plug-in, the recommended database name is
neutron_linux_bridge
.
neutron_ml2
database:mysql>
CREATE DATABASE neutron_ml2 character set utf8; - Create a
neutron
database user and grant the user access to theneutron_ml2
database:mysql>
GRANT ALL ON neutron_ml2.* TO 'neutron'@'%' IDENTIFIED BY 'PASSWORD';mysql>
GRANT ALL ON neutron_ml2.* TO 'neutron'@'localhost' IDENTIFIED BY 'PASSWORD';Replace PASSWORD with a secure password that will be used to authenticate with the database server as this user. - Flush the database privileges to ensure that they take effect immediately:
mysql>
FLUSH PRIVILEGES; - Exit the
mysql
client:mysql>
quit
7.2.3. Configure the OpenStack Networking Database Connection
/etc/neutron/plugin.ini
file. It must be updated to point to a valid database server before starting the service. All steps in this procedure must be performed on the server hosting OpenStack Networking, while logged in as the root
user.
Procedure 7.5. Configuring the OpenStack Networking SQL Database Connection
- Set the value of the
connection
configuration key.#
openstack-config --set /etc/neutron/plugin.ini \
DATABASE sql_connection mysql://USER:PASS@IP/DB
Replace the following values:- Replace USER with the OpenStack Networking database user name, usually
neutron
. - Replace PASS with the password of the database user.
- Replace IP with the IP address or host name of the database server.
- Replace DB with the name of the OpenStack Networking database.
Important
The IP address or host name specified in the connection configuration key must match the IP address or host name to which the OpenStack Networking database user was granted access when creating the OpenStack Networking database. Moreover, if the database is hosted locally and you granted permissions to 'localhost' when creating the database, you must enter 'localhost'. - Upgrade the OpenStack Networking database schema:
#
neutron-db-manage --config-file /usr/share/neutron/neutron-dist.conf \
--config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugin.ini upgrade head
7.2.4. Create the OpenStack Networking Identity Records
services
tenant. For more information, see:
keystonerc_admin
file and on which the keystone command-line utility is installed.
Procedure 7.6. Creating Identity Records for OpenStack Networking
- Set up the shell to access Keystone as the administrative user:
#
source ~/keystonerc_admin
- Create the
neutron
user:[(keystone_admin)]#
keystone user-create --name neutron --pass PASSWORD
+----------+----------------------------------+ | Property | Value | +----------+----------------------------------+ | email | | | enabled | True | | id | 1df18bcd14404fa9ad954f9d5eb163bc | | name | neutron | | username | neutron | +----------+----------------------------------+Replace PASSWORD with a secure password that will be used by OpenStack Networking when authenticating with the Identity service. - Link the
neutron
user and theadmin
role together within the context of theservices
tenant:[(keystone_admin)]#
keystone user-role-add --user neutron --role admin --tenant services
- Create the
neutron
OpenStack Networking service entry:[(keystone_admin)]#
keystone service-create --name neutron \
--type network \
--description "OpenStack Networking"
+-------------+----------------------------------+ | Property | Value | +-------------+----------------------------------+ | description | OpenStack Networking | | enabled | True | | id | 134e815915f442f89c39d2769e278f9b | | name | neutron | | type | network | +-------------+----------------------------------+ - Create the
neutron
endpoint entry:[(keystone_admin)]#
keystone endpoint-create
--service neutron \
--publicurl 'http://IP:9696' \
--adminurl 'http://IP:9696' \
--internalurl 'http://IP:9696' \
--region 'RegionOne'
Replace IP with the IP address or host name of the server that will act as the OpenStack Networking node.
7.2.5. Configure OpenStack Networking Authentication
root
user.
Procedure 7.7. Configuring the OpenStack Networking Service to Authenticate through the Identity Service
- Set the authentication strategy to
keystone
:#
openstack-config --set /etc/neutron/neutron.conf \
DEFAULT auth_strategy keystone
- Set the Identity service host that OpenStack Networking must use:
#
openstack-config --set /etc/neutron/neutron.conf \
keystone_authtoken auth_host IP
Replace IP with the IP address or host name of the server hosting the Identity service. - Set OpenStack Networking to authenticate as the correct tenant:
#
openstack-config --set /etc/neutron/neutron.conf \
keystone_authtoken admin_tenant_name services
Replace services with the name of the tenant created for the use of OpenStack Networking. Examples in this guide useservices
. - Set OpenStack Networking to authenticate using the
neutron
administrative user account:#
openstack-config --set /etc/neutron/neutron.conf \
keystone_authtoken admin_user neutron
- Set OpenStack Networking to use the correct
neutron
administrative user account password:#
openstack-config --set /etc/neutron/neutron.conf \
keystone_authtoken admin_password PASSWORD
Replace PASSWORD with the password set when theneutron
user was created.
7.2.6. Configure the Firewall to Allow OpenStack Networking Traffic
9696
. The firewall on the OpenStack Networking node must be configured to allow network traffic on this port. All steps in this procedure must be performed on the server hosting OpenStack Networking, while logged in as the root
user.
Procedure 7.8. Configuring the Firewall to Allow OpenStack Networking Traffic
- Open the
/etc/sysconfig/iptables
file in a text editor. - Add an INPUT rule allowing TCP traffic on port
9696
. The new rule must appear before any INPUT rules that REJECT traffic:-A INPUT -p tcp -m multiport --dports 9696 -j ACCEPT
- Save the changes to the
/etc/sysconfig/iptables
file. - Restart the
iptables
service to ensure that the change takes effect:#
systemctl restart iptables.service
7.2.7. Configure RabbitMQ Message Broker Settings for OpenStack Networking
root
user.
Procedure 7.9. Configuring the OpenStack Networking Service to use the RabbitMQ Message Broker
- Set RabbitMQ as the RPC back end:
#
openstack-config --set /etc/neutron/neutron.conf \
DEFAULT rpc_backend neutron.openstack.common.rpc.impl_kombu
- Set OpenStack Networking to connect to the RabbitMQ host:
#
openstack-config --set /etc/neutron/neutron.conf \
DEFAULT rabbit_host RABBITMQ_HOST
Replace RABBITMQ_HOST with the IP address or host name of the message broker. - Set the message broker port to
5672
:#
openstack-config --set /etc/neutron/neutron.conf \
DEFAULT rabbit_port 5672
- Set the RabbitMQ user name and password created for OpenStack Networking when RabbitMQ was configured:
#
openstack-config --set /etc/neutron/neutron.conf \
DEFAULT rabbit_userid neutron
#
openstack-config --set /etc/neutron/neutron.conf \
DEFAULT rabbit_password NEUTRON_PASS
Replaceneutron
and NEUTRON_PASS with the RabbitMQ user name and password created for OpenStack Networking. - When RabbitMQ was launched, the
neutron
user was granted read and write permissions to all resources: specifically, through the virtual host/
. Configure the Networking service to connect to this virtual host:#
openstack-config --set /etc/neutron/neutron.conf \
DEFAULT rabbit_virtual_host /
7.2.8. Enable SSL Communication Between OpenStack Networking and the Message Broker
Procedure 7.10. Enabling SSL Communication Between OpenStack Networking and the RabbitMQ Message Broker
- Enable SSL communication with the message broker:
#
openstack-config --set /etc/neutron/neutron.conf \
DEFAULT rabbit_use_ssl True
#
openstack-config --set /etc/neutron/neutron.conf \
DEFAULT kombu_ssl_certfile /path/to/client.crt
#
openstack-config --set /etc/neutron/neutron.conf \
DEFAULT kombu_ssl_keyfile /path/to/clientkeyfile.key
Replace the following values:- Replace /path/to/client.crt with the absolute path to the exported client certificate.
- Replace /path/to/clientkeyfile.key with the absolute path to the exported client key file.
- If your certificates were signed by a third-party Certificate Authority (CA), you must also run the following command:
#
openstack-config --set /etc/neutron/neutron.conf \
DEFAULT kombu_ssl_ca_certs /path/to/ca.crt
Replace /path/to/ca.crt with the absolute path to the CA file provided by the third-party CA (see Section 2.3.4, “Enable SSL on the RabbitMQ Message Broker” for more information).
7.2.9. Configure OpenStack Networking to Communicate with the Compute Service
Procedure 7.11. Configuring OpenStack Networking to Communicate with the Compute Service
- Set OpenStack Networking to connect to the Compute controller node:
#
openstack-config --set /etc/neutron/neutron.conf \
DEFAULT nova_url http://CONTROLLER_IP:8774/v2
Replace CONTROLLER_IP with the IP address or host name of the Compute controller node. - Set the user name, password, and tenant for the
nova
user:#
openstack-config --set /etc/neutron/neutron.conf \
DEFAULT nova_admin_username nova
#
openstack-config --set /etc/neutron/neutron.conf \
DEFAULT nova_admin_tenant_id TENANT_ID
#
openstack-config --set /etc/neutron/neutron.conf \
DEFAULT nova_admin_password PASSWORD
Replace TENANT_ID with the unique identifier of the tenant created for the use of the Compute service. Replace PASSWORD with the password set when thenova
user was created. - Set OpenStack Networking to connect to the Compute controller node in an administrative context:
#
openstack-config --set /etc/neutron/neutron.conf \
DEFAULT nova_admin_auth_url http://CONTROLLER_IP:35357/v2.0
Replace CONTROLLER_IP with the IP address or host name of the Compute controller node. - Set OpenStack Networking to use the correct region for the Compute controller node:
#
openstack-config --set /etc/neutron/neutron.conf \
DEFAULT nova_region_name RegionOne
7.2.10. Launch OpenStack Networking
neutron-server
service and configure it to start at boot time:
#
systemctl start neutron-server.service
#
systemctl enable neutron-server.service
Important
force_gateway_on_subnet
configuration key to True
in the /etc/neutron/neutron.conf
file.