7.2. Configure OpenStack Networking

7.2.1. Set the OpenStack Networking Plug-in

Enable the desired OpenStack Networking plug-in. Below are the procedures for enabling the ML2, Open vSwitch (OVS), and Linux Bridge plug-ins.

Note

The monolithic Open vSwitch and Linux Bridge plug-ins have been deprecated and will be removed in a future release; their functionality has instead been reimplemented as ML2 mechanisms.

OpenStack Networking plug-ins can be referenced in neutron.conf by their nominated short names, instead of their lengthy class names. For example:
    core_plugin = neutron.plugins.ml2.plugin:Ml2Plugin
will become:
    core_plugin = ml2
Take care not to introduce errant whitespace characters, as these could result in parse errors.

Table 7.1. core_plugin

Short name    Class name
bigswitch     neutron.plugins.bigswitch.plugin:NeutronRestProxyV2
brocade       neutron.plugins.brocade.NeutronPlugin:BrocadePluginV2
cisco         neutron.plugins.cisco.network_plugin:PluginV2
embrane       neutron.plugins.embrane.plugins.embrane_ovs_plugin:EmbraneOvsPlugin
hyperv        neutron.plugins.hyperv.hyperv_neutron_plugin:HyperVNeutronPlugin
linuxbridge   neutron.plugins.linuxbridge.lb_neutron_plugin:LinuxBridgePluginV2
midonet       neutron.plugins.midonet.plugin:MidonetPluginV2
ml2           neutron.plugins.ml2.plugin:Ml2Plugin
mlnx          neutron.plugins.mlnx.mlnx_plugin:MellanoxEswitchPlugin
nec           neutron.plugins.nec.nec_plugin:NECPluginV2
openvswitch   neutron.plugins.openvswitch.ovs_neutron_plugin:OVSNeutronPluginV2
plumgrid      neutron.plugins.plumgrid.plumgrid_plugin.plumgrid_plugin:NeutronPluginPLUMgridV2
ryu           neutron.plugins.ryu.ryu_neutron_plugin:RyuNeutronPluginV2
vmware        neutron.plugins.vmware.plugin:NsxPlugin

The service_plugins option accepts a comma-delimited list of multiple service plugins.

Table 7.2. service_plugins

Short name    Class name
dummy         neutron.tests.unit.dummy_plugin:DummyServicePlugin
router        neutron.services.l3_router.l3_router_plugin:L3RouterPlugin
firewall      neutron.services.firewall.fwaas_plugin:FirewallPlugin
lbaas         neutron.services.loadbalancer.plugin:LoadBalancerPlugin
metering      neutron.services.metering.metering_plugin:MeteringPlugin

7.2.1.1. Enable the ML2 Plug-in

Enable the ML2 plug-in on the node running the neutron-server service.

Procedure 7.1. Enabling the ML2 Plug-in

  1. Create a symbolic link to direct OpenStack Networking to the ml2_conf.ini file:
    # ln -s /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini
  2. Set the tenant network type. Supported values are gre, local, vlan, and vxlan. The default value is local, but this is not recommended for enterprise deployments:
    # openstack-config --set /etc/neutron/plugin.ini \
       ml2 tenant_network_type TYPE
    Replace TYPE with the tenant network type.
  3. If you chose flat or vlan networking, you must also map physical networks to VLAN ranges:
    # openstack-config --set /etc/neutron/plugin.ini \
       ml2 network_vlan_ranges NAME:START:END
    Replace the following values:
    • Replace NAME with the name of the physical network.
    • Replace START with the VLAN identifier that starts the range.
    • Replace END with the VLAN identifier that ends the range.
    Multiple ranges can be specified using a comma-delimited list, for example:
    physnet1:1000:2999,physnet2:3000:3999
  4. Set the driver types. Supported values are local, flat, vlan, gre, and vxlan:
    # openstack-config --set /etc/neutron/plugin.ini \
       ml2 type_drivers TYPE
    Replace TYPE with the driver type. Specify multiple drivers using a comma-delimited list.
  5. Set the mechanism drivers. Available values are openvswitch, linuxbridge, and l2population:
    # openstack-config --set /etc/neutron/plugin.ini \
       ml2 mechanism_drivers TYPE
    Replace TYPE with the mechanism driver type. Specify multiple mechanism drivers using a comma-delimited list.
  6. Enable L2 population:
    # openstack-config --set /etc/neutron/plugin.ini \
       agent l2_population True
  7. Set the firewall driver in the /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini file or the /etc/neutron/plugins/linuxbridge/linuxbridge_conf.ini file, depending on which plug-in agent you are using:
    1. Open vSwitch Firewall Driver
      # openstack-config --set /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini \
         securitygroup firewall_driver neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
    2. Linux Bridge Firewall Driver
      # openstack-config --set /etc/neutron/plugins/linuxbridge/linuxbridge_conf.ini \
         securitygroup firewall_driver neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
  8. Enable the ML2 plug-in and the L3 router:
    # openstack-config --set /etc/neutron/neutron.conf \
       DEFAULT core_plugin ml2
    # openstack-config --set /etc/neutron/neutron.conf \
       DEFAULT service_plugins router

7.2.1.2. Enable the Open vSwitch Plug-in

Enable the Open vSwitch plug-in on the server hosting the neutron-server service.

Note

The monolithic Open vSwitch plug-in has been deprecated and will be removed in a future release; its functionality has instead been reimplemented as an ML2 mechanism.

Procedure 7.2. Enabling the Open vSwitch Plug-in

  1. Create a symbolic link to direct OpenStack Networking to the ovs_neutron_plugin.ini file:
    # ln -s /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini \
       /etc/neutron/plugin.ini
  2. Set the tenant network type. Supported values are gre, local, vlan, and vxlan. The default value is local, but this is not recommended for enterprise deployments:
    # openstack-config --set /etc/neutron/plugin.ini \
       OVS tenant_network_type TYPE
    Replace TYPE with the tenant network type.
  3. If you chose flat or vlan networking, you must also map physical networks to VLAN ranges:
    # openstack-config --set /etc/neutron/plugin.ini \
       OVS network_vlan_ranges NAME:START:END
    Replace the following values:
    • Replace NAME with the name of the physical network.
    • Replace START with the VLAN identifier that starts the range.
    • Replace END with the VLAN identifier that ends the range.
    Multiple ranges can be specified using a comma-delimited list, for example:
    physnet1:1000:2999,physnet2:3000:3999
  4. Set the firewall driver:
    # openstack-config --set /etc/neutron/plugin.ini \
       securitygroup firewall_driver neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
  5. Enable the Open vSwitch plug-in:
    # openstack-config --set /etc/neutron/neutron.conf \
       DEFAULT core_plugin openvswitch

7.2.1.3. Enable the Linux Bridge Plug-in

Enable the Linux Bridge plug-in on the server hosting the neutron-server service.

Note

The monolithic Linux Bridge plug-in has been deprecated and will be removed in a future release; its functionality has instead been reimplemented as an ML2 mechanism.

Procedure 7.3. Enabling the Linux Bridge Plug-in

  1. Create a symbolic link to direct OpenStack Networking to the linuxbridge_conf.ini file:
    # ln -s /etc/neutron/plugins/linuxbridge/linuxbridge_conf.ini \
             /etc/neutron/plugin.ini
  2. Set the tenant network type. Supported values are flat, vlan, and local. The default is local, but this is not recommended for enterprise deployments:
    # openstack-config --set /etc/neutron/plugin.ini \
       VLAN tenant_network_type TYPE
    Replace TYPE with the chosen tenant network type.
  3. If you chose flat or vlan networking, you must also map physical networks to VLAN ranges:
    # openstack-config --set /etc/neutron/plugin.ini \
       LINUX_BRIDGE network_vlan_ranges NAME:START:END
    • Replace NAME with the name of the physical network.
    • Replace START with the VLAN identifier that starts the range.
    • Replace END with the VLAN identifier that ends the range.
    Multiple ranges can be specified using a comma-delimited list, for example:
    physnet1:1000:2999,physnet2:3000:3999
  4. Set the firewall driver:
    # openstack-config --set /etc/neutron/plugin.ini \
       securitygroup firewall_driver neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
  5. Enable the Linux Bridge plug-in:
    # openstack-config --set /etc/neutron/neutron.conf \
       DEFAULT core_plugin linuxbridge

7.2.2. Create the OpenStack Networking Database

Create the database and database user used by OpenStack Networking. All steps in this procedure must be performed on the database server, while logged in as the root user, and prior to starting the neutron-server service.

Procedure 7.4. Creating the OpenStack Networking Database

  1. Connect to the database service:
    # mysql -u root -p
  2. Create the database with one of the following names:
    • If you are using the ML2 plug-in, the recommended database name is neutron_ml2.
    • If you are using the Open vSwitch plug-in, the recommended database name is ovs_neutron.
    • If you are using the Linux Bridge plug-in, the recommended database name is neutron_linux_bridge.
    This example creates the ML2 neutron_ml2 database:
    mysql> CREATE DATABASE neutron_ml2 character set utf8;
  3. Create a neutron database user and grant the user access to the neutron_ml2 database:
    mysql> GRANT ALL ON neutron_ml2.* TO 'neutron'@'%' IDENTIFIED BY 'PASSWORD';
    mysql> GRANT ALL ON neutron_ml2.* TO 'neutron'@'localhost' IDENTIFIED BY 'PASSWORD';
    Replace PASSWORD with a secure password that will be used to authenticate with the database server as this user.
  4. Flush the database privileges to ensure that they take effect immediately:
    mysql> FLUSH PRIVILEGES;
  5. Exit the mysql client:
    mysql> quit

7.2.3. Configure the OpenStack Networking Database Connection

The database connection string used by OpenStack Networking is defined in the /etc/neutron/plugin.ini file. It must be updated to point to a valid database server before starting the service. All steps in this procedure must be performed on the server hosting OpenStack Networking, while logged in as the root user.

Procedure 7.5. Configuring the OpenStack Networking SQL Database Connection

  1. Set the value of the connection configuration key.
    # openstack-config --set /etc/neutron/plugin.ini \
       DATABASE sql_connection mysql://USER:PASS@IP/DB
    Replace the following values:
    • Replace USER with the OpenStack Networking database user name, usually neutron.
    • Replace PASS with the password of the database user.
    • Replace IP with the IP address or host name of the database server.
    • Replace DB with the name of the OpenStack Networking database.

    Important

    The IP address or host name specified in the connection configuration key must match the IP address or host name to which the OpenStack Networking database user was granted access when creating the OpenStack Networking database. Moreover, if the database is hosted locally and you granted permissions to 'localhost' when creating the database, you must enter 'localhost'.
  2. Upgrade the OpenStack Networking database schema:
    # neutron-db-manage --config-file /usr/share/neutron/neutron-dist.conf \
       --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugin.ini upgrade head
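
As an added example that is not part of the guide, this Python models the Important note above: it splits the sql_connection URL into its parts and checks them against the user, host and database granted in Procedure 7.4, so that a URL pointing at an IP address while access was granted to 'localhost' only is caught before neutron-server is started. The connection string and grant list are constructed.

```python
from urllib.parse import urlsplit

# Constructed inputs (not from the page): the sql_connection written by
# Procedure 7.5 and the (user, host, database) triples granted in Procedure 7.4.
SQL_CONNECTION = "mysql://neutron:s3cret@192.0.2.10/neutron_ml2"
GRANTS = [("neutron", "%", "neutron_ml2"), ("neutron", "localhost", "neutron_ml2")]


def parse_sql_connection(url):
    """Split mysql://USER:PASS@IP/DB into its parts.

    A password containing '@', '/' or ':' must be percent-encoded in the URL,
    otherwise the split puts part of it into the host or database field.
    """
    parts = urlsplit(url)
    if parts.scheme != "mysql" or not parts.hostname or not parts.path.strip("/"):
        raise ValueError(f"not a mysql://USER:PASS@IP/DB connection string: {url!r}")
    return {"user": parts.username, "password": parts.password,
            "host": parts.hostname, "db": parts.path.strip("/")}


def grant_host_matches(grant_host, connect_host):
    """MySQL account matching: '%' covers any host, anything else must match exactly,
    so a grant to 'localhost' alone is only satisfied by connecting to 'localhost'."""
    return grant_host == "%" or grant_host.lower() == connect_host.lower()


def check_db_connection(url, grants):
    """Return findings explaining why neutron-server could not log in; empty means OK."""
    conn = parse_sql_connection(url)
    user_grants = [(host, db) for user, host, db in grants if user == conn["user"]]
    if not user_grants:
        return [f"no GRANT exists for user {conn['user']!r}"]
    findings = []
    if not any(db == conn["db"] for _, db in user_grants):
        findings.append(f"user {conn['user']!r} has no GRANT on database {conn['db']!r}")
    if not any(grant_host_matches(host, conn["host"]) for host, _ in user_grants):
        granted = sorted({host for host, _ in user_grants})
        findings.append(f"host {conn['host']!r} matches none of the granted hosts {granted}; "
                        "if access was granted to 'localhost' only, the URL must use localhost")
    return findings
```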

7.2.4. Create the OpenStack Networking Identity Records

Create and configure Identity service records required by OpenStack Networking. These entries assist other OpenStack services attempting to locate and access the functionality provided by OpenStack Networking.
This procedure assumes that you have already created an administrative user account and a services tenant. For more information, see:
Perform this procedure on the Identity service server, or on any machine onto which you have copied the keystonerc_admin file and on which the keystone command-line utility is installed.

Procedure 7.6. Creating Identity Records for OpenStack Networking

  1. Set up the shell to access Keystone as the administrative user:
    # source ~/keystonerc_admin
  2. Create the neutron user:
    [(keystone_admin)]# keystone user-create --name neutron --pass PASSWORD
    +----------+----------------------------------+
    | Property |              Value               |
    +----------+----------------------------------+
    |  email   |                                  |
    | enabled  |               True               |
    |    id    | 1df18bcd14404fa9ad954f9d5eb163bc |
    |   name   |              neutron             |
    | username |              neutron             |
    +----------+----------------------------------+
    
    Replace PASSWORD with a secure password that will be used by OpenStack Networking when authenticating with the Identity service.
  3. Link the neutron user and the admin role together within the context of the services tenant:
    [(keystone_admin)]# keystone user-role-add --user neutron --role admin --tenant services
  4. Create the neutron OpenStack Networking service entry:
    [(keystone_admin)]# keystone service-create --name neutron \
       --type network \
       --description "OpenStack Networking"
    +-------------+----------------------------------+
    |   Property  |              Value               |
    +-------------+----------------------------------+
    | description |        OpenStack Networking      |
    |   enabled   |               True               |
    |      id     | 134e815915f442f89c39d2769e278f9b |
    |     name    |              neutron             |
    |     type    |              network             |
    +-------------+----------------------------------+
  5. Create the neutron endpoint entry:
    [(keystone_admin)]# keystone endpoint-create \
       --service neutron \
       --publicurl 'http://IP:9696' \
       --adminurl 'http://IP:9696' \
       --internalurl 'http://IP:9696' \
       --region 'RegionOne'
    Replace IP with the IP address or host name of the server that will act as the OpenStack Networking node.

7.2.5. Configure OpenStack Networking Authentication

Configure OpenStack Networking to use the Identity service for authentication. All steps in this procedure must be performed on the server hosting OpenStack Networking, while logged in as the root user.

Procedure 7.7. Configuring the OpenStack Networking Service to Authenticate through the Identity Service

  1. Set the authentication strategy to keystone:
    # openstack-config --set /etc/neutron/neutron.conf \
       DEFAULT auth_strategy keystone
  2. Set the Identity service host that OpenStack Networking must use:
    # openstack-config --set /etc/neutron/neutron.conf \
       keystone_authtoken auth_host IP
    Replace IP with the IP address or host name of the server hosting the Identity service.
  3. Set OpenStack Networking to authenticate as the correct tenant:
    # openstack-config --set /etc/neutron/neutron.conf \
       keystone_authtoken admin_tenant_name services
    Replace services with the name of the tenant created for the use of OpenStack Networking. Examples in this guide use services.
  4. Set OpenStack Networking to authenticate using the neutron administrative user account:
    # openstack-config --set /etc/neutron/neutron.conf \
       keystone_authtoken admin_user neutron
  5. Set OpenStack Networking to use the correct neutron administrative user account password:
    # openstack-config --set /etc/neutron/neutron.conf \
       keystone_authtoken admin_password PASSWORD
    Replace PASSWORD with the password set when the neutron user was created.

7.2.6. Configure the Firewall to Allow OpenStack Networking Traffic

OpenStack Networking receives connections on TCP port 9696. The firewall on the OpenStack Networking node must be configured to allow network traffic on this port. All steps in this procedure must be performed on the server hosting OpenStack Networking, while logged in as the root user.

Procedure 7.8. Configuring the Firewall to Allow OpenStack Networking Traffic

  1. Open the /etc/sysconfig/iptables file in a text editor.
  2. Add an INPUT rule allowing TCP traffic on port 9696. The new rule must appear before any INPUT rules that REJECT traffic:
    -A INPUT -p tcp -m multiport --dports 9696 -j ACCEPT
  3. Save the changes to the /etc/sysconfig/iptables file.
  4. Restart the iptables service to ensure that the change takes effect:
    # systemctl restart iptables.service
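
As an added example that is not part of the guide, the following Python parses an /etc/sysconfig/iptables file and verifies the ordering step 2 requires: the ACCEPT for TCP port 9696 must appear in the INPUT chain of the filter table before any REJECT or DROP rule, otherwise the earlier rule shadows it and neutron-server is unreachable. Both rule sets are constructed.

```python
import shlex

# Constructed /etc/sysconfig/iptables contents (not from the page): in the first
# the port 9696 ACCEPT precedes the catch-all REJECT, in the second it follows it.
GOOD_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 9696 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
BAD_RULES = """\
*filter
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m multiport --dports 9696 -j ACCEPT
COMMIT
"""


def filter_input_rules(text):
    """Return the '-A INPUT' rules of the *filter table, tokenised, in file order."""
    rules, in_filter = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif line == "COMMIT":
            in_filter = False
        elif in_filter and line.startswith("-A INPUT "):
            rules.append(shlex.split(line))
    return rules


def rule_opens_tcp_port(tokens, port):
    """True if the rule matches TCP and lists `port` in --dport or --dports
    (comma-separated lists only; port ranges such as 9696:9700 are not expanded)."""
    if "-p" not in tokens or tokens[tokens.index("-p") + 1] != "tcp":
        return False
    for flag in ("--dport", "--dports"):
        if flag in tokens and str(port) in tokens[tokens.index(flag) + 1].split(","):
            return True
    return False


def check_port_rule_order(text, port=9696):
    """Findings about the INPUT ACCEPT for TCP `port`: missing, or placed after a REJECT/DROP.
    Any REJECT/DROP ahead of the ACCEPT is reported, as the guide's wording requires,
    even when it carries match conditions that would not cover this port."""
    accept_at = first_reject_at = None
    for pos, tokens in enumerate(filter_input_rules(text)):
        target = tokens[tokens.index("-j") + 1] if "-j" in tokens else None
        if target == "ACCEPT" and rule_opens_tcp_port(tokens, port):
            accept_at = pos
            break
        if target in ("REJECT", "DROP") and first_reject_at is None:
            first_reject_at = pos
    if accept_at is None:
        return [f"no INPUT rule accepts tcp/{port}; neutron-server on this node is unreachable"]
    if first_reject_at is not None:
        return [f"INPUT rule {first_reject_at + 1} rejects or drops traffic before rule "
                f"{accept_at + 1} accepts tcp/{port}; move the ACCEPT above it"]
    return []
```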

7.2.7. Configure RabbitMQ Message Broker Settings for OpenStack Networking

RabbitMQ is the default (and recommended) message broker. The RabbitMQ messaging service is provided by the rabbitmq-server package. All steps in the following procedure must be performed on the system hosting OpenStack Networking, while logged in as the root user.

Procedure 7.9. Configuring the OpenStack Networking Service to use the RabbitMQ Message Broker

  1. Set RabbitMQ as the RPC back end:
    # openstack-config --set /etc/neutron/neutron.conf \
       DEFAULT rpc_backend neutron.openstack.common.rpc.impl_kombu
  2. Set OpenStack Networking to connect to the RabbitMQ host:
    # openstack-config --set /etc/neutron/neutron.conf \
       DEFAULT rabbit_host RABBITMQ_HOST
    Replace RABBITMQ_HOST with the IP address or host name of the message broker.
  3. Set the message broker port to 5672:
    # openstack-config --set /etc/neutron/neutron.conf \
       DEFAULT rabbit_port 5672
  4. Set the RabbitMQ user name and password created for OpenStack Networking when RabbitMQ was configured:
    # openstack-config --set /etc/neutron/neutron.conf \
       DEFAULT rabbit_userid neutron
    # openstack-config --set /etc/neutron/neutron.conf \
       DEFAULT rabbit_password NEUTRON_PASS
    Replace neutron and NEUTRON_PASS with the RabbitMQ user name and password created for OpenStack Networking.
  5. When RabbitMQ was launched, the neutron user was granted read and write permissions to all resources, specifically through the virtual host /. Configure the Networking service to connect to this virtual host:
    # openstack-config --set /etc/neutron/neutron.conf \
       DEFAULT rabbit_virtual_host /

7.2.8. Enable SSL Communication Between OpenStack Networking and the Message Broker

If you enabled SSL on the message broker, you must configure OpenStack Networking accordingly. This procedure requires the exported client certificates and key file. See Section 2.3.5, “Export an SSL Certificate for Clients” for instructions on how to export these files.

Procedure 7.10. Enabling SSL Communication Between OpenStack Networking and the RabbitMQ Message Broker

  1. Enable SSL communication with the message broker:
    # openstack-config --set /etc/neutron/neutron.conf \
       DEFAULT rabbit_use_ssl True
    # openstack-config --set /etc/neutron/neutron.conf \
       DEFAULT kombu_ssl_certfile /path/to/client.crt
    # openstack-config --set /etc/neutron/neutron.conf \
       DEFAULT kombu_ssl_keyfile /path/to/clientkeyfile.key
    Replace the following values:
    • Replace /path/to/client.crt with the absolute path to the exported client certificate.
    • Replace /path/to/clientkeyfile.key with the absolute path to the exported client key file.
  2. If your certificates were signed by a third-party Certificate Authority (CA), you must also run the following command:
    # openstack-config --set /etc/neutron/neutron.conf \
     DEFAULT kombu_ssl_ca_certs /path/to/ca.crt
    Replace /path/to/ca.crt with the absolute path to the CA file provided by the third-party CA (see Section 2.3.4, “Enable SSL on the RabbitMQ Message Broker” for more information).

7.2.9. Configure OpenStack Networking to Communicate with the Compute Service

Configure OpenStack Networking to communicate with the Compute service about network topology changes.

Procedure 7.11. Configuring OpenStack Networking to Communicate with the Compute Service

  1. Set OpenStack Networking to connect to the Compute controller node:
    # openstack-config --set /etc/neutron/neutron.conf \
       DEFAULT nova_url http://CONTROLLER_IP:8774/v2
    Replace CONTROLLER_IP with the IP address or host name of the Compute controller node.
  2. Set the user name, password, and tenant for the nova user:
    # openstack-config --set /etc/neutron/neutron.conf \
       DEFAULT nova_admin_username nova
    # openstack-config --set /etc/neutron/neutron.conf \
       DEFAULT nova_admin_tenant_id TENANT_ID
    # openstack-config --set /etc/neutron/neutron.conf \
       DEFAULT nova_admin_password PASSWORD
    Replace TENANT_ID with the unique identifier of the tenant created for the use of the Compute service. Replace PASSWORD with the password set when the nova user was created.
  3. Set OpenStack Networking to connect to the Compute controller node in an administrative context:
    # openstack-config --set /etc/neutron/neutron.conf \
       DEFAULT nova_admin_auth_url http://CONTROLLER_IP:35357/v2.0
    Replace CONTROLLER_IP with the IP address or host name of the Compute controller node.
  4. Set OpenStack Networking to use the correct region for the Compute controller node:
    # openstack-config --set /etc/neutron/neutron.conf \
       DEFAULT nova_region_name RegionOne

7.2.10. Launch OpenStack Networking

Launch the neutron-server service and configure it to start at boot time:
# systemctl start neutron-server.service
# systemctl enable neutron-server.service

Important

By default, OpenStack Networking does not enforce Classless Inter-Domain Routing (CIDR) checking of IP addresses. This is to maintain backwards compatibility with previous releases. If you require such checks, set the value of the force_gateway_on_subnet configuration key to True in the /etc/neutron/neutron.conf file.