7.2. Configure OpenStack Networking
Important
The vif_plugging_is_fatal option is commented out in the [DEFAULT] section of the /etc/nova/nova.conf file, and defaults to True. This option controls whether instances should fail to boot if VIF plugging fails. Similarly, the notify_nova_on_port_status_changes and notify_nova_on_port_data_changes options are commented out in the [DEFAULT] section of the /etc/neutron/neutron.conf file, and default to False. These options control whether notifications should be sent to nova on port status or data changes. However, this combination of values can prevent instances from booting. To allow instances to boot correctly, set all of these options to either True or False. To set True, run the following commands:
# openstack-config --set /etc/nova/nova.conf \
  DEFAULT vif_plugging_is_fatal True
# openstack-config --set /etc/neutron/neutron.conf \
  DEFAULT notify_nova_on_port_status_changes True
# openstack-config --set /etc/neutron/neutron.conf \
  DEFAULT notify_nova_on_port_data_changes True
To set False, run the following commands instead:
# openstack-config --set /etc/nova/nova.conf \
  DEFAULT vif_plugging_is_fatal False
# openstack-config --set /etc/neutron/neutron.conf \
  DEFAULT notify_nova_on_port_status_changes False
# openstack-config --set /etc/neutron/neutron.conf \
  DEFAULT notify_nova_on_port_data_changes False
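As an added check that is not part of this guide, the following Python script reads both files as INI text and reports whether the three options agree, treating a commented-out or absent option as its compiled-in default, which is exactly the mixed state the note warns about. The file contents below are constructed samples.

```python
import configparser

# Defaults that apply when an option is commented out or absent (from the note above).
NOVA_DEFAULTS = {"vif_plugging_is_fatal": True}
NEUTRON_DEFAULTS = {
    "notify_nova_on_port_status_changes": False,
    "notify_nova_on_port_data_changes": False,
}

def _load(text: str) -> configparser.ConfigParser:
    # strict=False tolerates duplicate keys, which oslo.config files may contain.
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(text)
    return cp

def _effective(cp: configparser.ConfigParser, option: str, default: bool) -> bool:
    # A commented-out line is invisible to the parser, so a missing key means
    # the compiled-in default is in force.
    if cp.has_option("DEFAULT", option):
        return cp.getboolean("DEFAULT", option)
    return default

def vif_settings(nova_conf: str, neutron_conf: str) -> dict:
    """Return the effective value of each of the three options."""
    nova, neutron = _load(nova_conf), _load(neutron_conf)
    values = {k: _effective(nova, k, d) for k, d in NOVA_DEFAULTS.items()}
    values.update({k: _effective(neutron, k, d) for k, d in NEUTRON_DEFAULTS.items()})
    return values

def is_consistent(nova_conf: str, neutron_conf: str) -> bool:
    """True when all three options agree (all True or all False)."""
    return len(set(vif_settings(nova_conf, neutron_conf).values())) == 1

# Constructed samples: nova.conf leaves the option commented out (default True)
# while neutron.conf leaves both notify options at their default False.
SAMPLE_NOVA = "[DEFAULT]\n#vif_plugging_is_fatal = True\n"
SAMPLE_NEUTRON = ("[DEFAULT]\n"
                  "#notify_nova_on_port_status_changes = False\n"
                  "#notify_nova_on_port_data_changes = False\n")
# Constructed nova.conf after choosing the all-False variant of the commands above.
FIXED_NOVA = "[DEFAULT]\nvif_plugging_is_fatal = False\n"

if __name__ == "__main__":
    print("before:", is_consistent(SAMPLE_NOVA, SAMPLE_NEUTRON))  # False
    print("after: ", is_consistent(FIXED_NOVA, SAMPLE_NEUTRON))   # True
```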
7.2.1. Set the OpenStack Networking Plug-in
Plug-ins are referenced in the neutron.conf file by their nominated short names, instead of their lengthy class names. For example:
core_plugin = neutron.plugins.ml2.plugin:Ml2Plugin
will become:
core_plugin = ml2
The service_plugins option accepts a comma-delimited list of multiple service plugins.
Table 7.1. service_plugins
Short name | Class name |
---|---|
dummy | neutron.tests.unit.dummy_plugin:DummyServicePlugin |
router | neutron.services.l3_router.l3_router_plugin:L3RouterPlugin |
firewall | neutron.services.firewall.fwaas_plugin:FirewallPlugin |
lbaas | neutron.services.loadbalancer.plugin:LoadBalancerPlugin |
metering | neutron.services.metering.metering_plugin:MeteringPlugin |
7.2.1.1. Enable the ML2 Plug-in
Enable the ML2 plug-in before starting the neutron-server service.
Procedure 7.1. Enabling the ML2 Plug-in
- Create a symbolic link to direct OpenStack Networking to the ml2_conf.ini file:
  # ln -s /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini
- Set the tenant network type. Supported values are gre, local, vlan, and vxlan. The default value is local, but this is not recommended for enterprise deployments:
  # openstack-config --set /etc/neutron/plugin.ini \
    ml2 tenant_network_types TYPE
  Replace TYPE with the tenant network type.
- If you chose flat or vlan networking, you must also map physical networks to VLAN ranges:
  # openstack-config --set /etc/neutron/plugin.ini \
    ml2 network_vlan_ranges NAME:START:END
  Replace the following values:
  - Replace NAME with the name of the physical network.
  - Replace START with the VLAN identifier that starts the range.
  - Replace END with the VLAN identifier that ends the range.
  Multiple ranges can be specified using a comma-delimited list, for example: physnet1:1000:2999,physnet2:3000:3999
- Set the driver types. Supported values are local, flat, vlan, gre, and vxlan:
  # openstack-config --set /etc/neutron/plugin.ini \
    ml2 type_drivers TYPE
  Replace TYPE with the driver type. Specify multiple drivers using a comma-delimited list.
- Set the mechanism drivers. Available values are openvswitch, linuxbridge, and l2population:
  # openstack-config --set /etc/neutron/plugin.ini \
    ml2 mechanism_drivers TYPE
  Replace TYPE with the mechanism driver type. Specify multiple mechanism drivers using a comma-delimited list.
- Enable L2 population:
  # openstack-config --set /etc/neutron/plugin.ini \
    agent l2_population True
- Set the firewall driver in the /etc/neutron/plugins/ml2/openvswitch_agent.ini file or the /etc/neutron/plugins/ml2/linuxbridge_agent.ini file, depending on which plug-in agent you are using:
  Open vSwitch Firewall Driver
  # openstack-config --set /etc/neutron/plugins/ml2/openvswitch_agent.ini \
    securitygroup firewall_driver neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
  Linux Bridge Firewall Driver
  # openstack-config --set /etc/neutron/plugins/ml2/linuxbridge_agent.ini \
    securitygroup firewall_driver neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
- Enable the ML2 plug-in and the L3 router:
  # openstack-config --set /etc/neutron/neutron.conf \
    DEFAULT core_plugin ml2
  # openstack-config --set /etc/neutron/neutron.conf \
    DEFAULT service_plugins router
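To catch the most common mistakes from the steps above before neutron-server is started, here is an added Python validator (not from this guide) that reads a plugin.ini, checks that every tenant network type has a matching type driver, that flat/vlan networking carries a well-formed network_vlan_ranges mapping, and that l2_population in [agent] is paired with the l2population mechanism driver. The plugin.ini contents are constructed samples.

```python
import configparser

VLAN_TYPES = {"flat", "vlan"}

def parse_vlan_ranges(value: str) -> dict:
    """Parse NAME:START:END[,NAME:START:END...] into {name: (start, end)}."""
    ranges = {}
    for item in (p.strip() for p in value.split(",") if p.strip()):
        name, start, end = item.split(":")
        start, end = int(start), int(end)
        if not 1 <= start <= end <= 4094:  # valid VLAN IDs, START not above END
            raise ValueError(f"invalid VLAN range {item!r}")
        ranges[name] = (start, end)
    return ranges

def check_ml2(plugin_ini: str) -> list:
    """Return the problems found in the [ml2]/[agent] settings (empty if clean)."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(plugin_ini)
    csv = lambda s, k: [v.strip() for v in cp.get(s, k, fallback="").split(",") if v.strip()]
    problems = []
    tenant_types = csv("ml2", "tenant_network_types") or ["local"]  # local is the default
    type_drivers = csv("ml2", "type_drivers")
    mechanisms = csv("ml2", "mechanism_drivers")
    if tenant_types == ["local"]:
        problems.append("tenant_network_types is 'local', not recommended for enterprise deployments")
    for t in tenant_types:
        if t not in type_drivers:
            problems.append(f"tenant network type {t!r} is not listed in type_drivers")
    if VLAN_TYPES & set(tenant_types):
        try:
            if not parse_vlan_ranges(cp.get("ml2", "network_vlan_ranges", fallback="")):
                problems.append("flat/vlan networking requires ml2/network_vlan_ranges")
        except ValueError as exc:
            problems.append(str(exc))
    # The agent-side flag only takes effect when the l2population mechanism driver is loaded.
    if cp.getboolean("agent", "l2_population", fallback=False) and "l2population" not in mechanisms:
        problems.append("agent/l2_population is True but 'l2population' is missing from mechanism_drivers")
    return problems

# Constructed plugin.ini samples: one matching the procedure above, one that omits the
# VLAN mapping and the l2population mechanism driver.
SAMPLE_GOOD = """[ml2]
tenant_network_types = vlan
type_drivers = flat,vlan,vxlan
mechanism_drivers = openvswitch,linuxbridge,l2population
network_vlan_ranges = physnet1:1000:2999,physnet2:3000:3999
[agent]
l2_population = True
"""
SAMPLE_BAD = "[ml2]\ntenant_network_types = vlan\ntype_drivers = vlan\nmechanism_drivers = openvswitch\n[agent]\nl2_population = True\n"
```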
7.2.2. Create the OpenStack Networking Database
All steps in this procedure must be performed while logged in as the root user, and prior to starting the neutron-server service.
Procedure 7.2. Creating the OpenStack Networking Database
- Connect to the database service:
  # mysql -u root -p
- Create the database with one of the following names:
  - If you are using the ML2 plug-in, the recommended database name is neutron_ml2.
  - If you are using the Open vSwitch plug-in, the recommended database name is ovs_neutron.
  - If you are using the Linux Bridge plug-in, the recommended database name is neutron_linux_bridge.
  This example creates the neutron_ml2 database:
  mysql> CREATE DATABASE neutron_ml2 character set utf8;
- Create a neutron database user and grant the user access to the neutron_ml2 database:
  mysql> GRANT ALL ON neutron_ml2.* TO 'neutron'@'%' IDENTIFIED BY 'PASSWORD';
  mysql> GRANT ALL ON neutron_ml2.* TO 'neutron'@'localhost' IDENTIFIED BY 'PASSWORD';
  Replace PASSWORD with a secure password that will be used to authenticate with the database server as this user.
- Flush the database privileges to ensure that they take effect immediately:
  mysql> FLUSH PRIVILEGES;
- Exit the mysql client:
  mysql> quit
7.2.3. Configure the OpenStack Networking Database Connection
The database connection string used by OpenStack Networking is defined in the /etc/neutron/plugin.ini file. It must be updated to point to a valid database server before starting the service. All steps in this procedure must be performed on the server hosting OpenStack Networking, while logged in as the root user.
Procedure 7.3. Configuring the OpenStack Networking SQL Database Connection
- Set the value of the connection configuration key:
  # openstack-config --set /etc/neutron/plugin.ini \
    DATABASE sql_connection mysql://USER:PASS@IP/DB
  Replace the following values:
  - Replace USER with the OpenStack Networking database user name, usually neutron.
  - Replace PASS with the password of the database user.
  - Replace IP with the IP address or host name of the database server.
  - Replace DB with the name of the OpenStack Networking database.
  Important
  The IP address or host name specified in the connection configuration key must match the IP address or host name to which the OpenStack Networking database user was granted access when creating the OpenStack Networking database. Moreover, if the database is hosted locally and you granted permissions to 'localhost' when creating the database, you must enter 'localhost'.
- Upgrade the OpenStack Networking database schema:
  # neutron-db-manage --config-file /usr/share/neutron/neutron-dist.conf \
    --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugin.ini upgrade head
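The Important note above is easy to get wrong, so here is an added Python check (not from this guide) that parses a mysql://USER:PASS@IP/DB connection string together with the GRANT statements from Procedure 7.2 and reports whether any grant covers the user, database and host named in the string. A '%' grant is treated as matching any host; a 'localhost' grant matches only a 'localhost' connection string. The grant text and connection strings are constructed samples.

```python
import re
from urllib.parse import urlsplit

# Matches the user@host pair in statements like
#   GRANT ALL ON neutron_ml2.* TO 'neutron'@'localhost' IDENTIFIED BY '...';
GRANT_RE = re.compile(
    r"GRANT\s+.+?\s+ON\s+(?P<db>[\w*]+)\.\*\s+TO\s+'(?P<user>[^']+)'@'(?P<host>[^']+)'",
    re.IGNORECASE,
)

def parse_grants(sql: str) -> list:
    """Return (user, host, db) for every GRANT ... ON db.* TO 'user'@'host' in the text."""
    return [(m["user"], m["host"], m["db"]) for m in GRANT_RE.finditer(sql)]

def parse_connection(url: str) -> dict:
    """Split mysql://USER:PASS@IP/DB into its user, host and database parts."""
    u = urlsplit(url)
    if u.scheme != "mysql" or not u.hostname or not u.username:
        raise ValueError(f"not a mysql://USER:PASS@IP/DB connection string: {url!r}")
    return {"user": u.username, "host": u.hostname, "db": u.path.lstrip("/")}

def grant_covers(connection_url: str, grants_sql: str) -> bool:
    """True if some grant applies to the user, database and host named in the URL."""
    conn = parse_connection(connection_url)
    for user, host, db in parse_grants(grants_sql):
        if user != conn["user"] or db not in ("*", conn["db"]):
            continue
        # '%' matches any host; otherwise the grant host must equal the URL host
        # exactly, so a 'localhost' grant does not cover an IP address.
        if host == "%" or host == conn["host"]:
            return True
    return False

# Constructed grants: the two statements from Procedure 7.2, and a localhost-only variant.
GRANTS_BOTH = """
GRANT ALL ON neutron_ml2.* TO 'neutron'@'%' IDENTIFIED BY 'PASSWORD';
GRANT ALL ON neutron_ml2.* TO 'neutron'@'localhost' IDENTIFIED BY 'PASSWORD';
"""
GRANTS_LOCAL = "GRANT ALL ON neutron_ml2.* TO 'neutron'@'localhost' IDENTIFIED BY 'PASSWORD';"
```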
7.2.4. Create the OpenStack Networking Identity Records
services tenant. For more information, see:
Perform this procedure on a system that has the keystonerc_admin file and on which the keystone command-line utility is installed.
Procedure 7.4. Creating Identity Records for OpenStack Networking
- Set up the shell to access Keystone as the administrative user:
  # source ~/keystonerc_admin
- Create the neutron user:
  [(keystone_admin)]# openstack user create --password PASSWORD neutron
  +----------+----------------------------------+
  | Field    | Value                            |
  +----------+----------------------------------+
  | email    | None                             |
  | enabled  | True                             |
  | id       | 8f0d819a4ae54bf9b12d01d0fb095805 |
  | name     | neutron                          |
  | username | neutron                          |
  +----------+----------------------------------+
  Replace PASSWORD with a secure password that will be used by OpenStack Networking when authenticating with the Identity service.
- Link the neutron user and the admin role together within the context of the services tenant:
  [(keystone_admin)]# openstack role add --project services --user neutron admin
- Create the neutron OpenStack Networking service entry:
  [(keystone_admin)]# openstack service create --name neutron \
    --description "OpenStack Networking" \
    network
- Create the neutron endpoint entry:
  [(keystone_admin)]# openstack endpoint create \
    --publicurl 'http://IP:9696' \
    --adminurl 'http://IP:9696' \
    --internalurl 'http://IP:9696' \
    --region RegionOne \
    neutron
  Replace IP with the IP address or host name of the server that will act as the OpenStack Networking node.
7.2.5. Configure OpenStack Networking Authentication
All steps in this procedure must be performed on the server hosting OpenStack Networking, while logged in as the root user.
Procedure 7.5. Configuring the OpenStack Networking Service to Authenticate through the Identity Service
- Set the authentication strategy to keystone:
  # openstack-config --set /etc/neutron/neutron.conf \
    DEFAULT auth_strategy keystone
- Set the Identity service host that OpenStack Networking must use:
  # openstack-config --set /etc/neutron/neutron.conf \
    keystone_authtoken auth_host IP
  Replace IP with the IP address or host name of the server hosting the Identity service.
- Set OpenStack Networking to authenticate as the correct tenant:
  # openstack-config --set /etc/neutron/neutron.conf \
    keystone_authtoken admin_tenant_name services
  Replace services with the name of the tenant created for the use of OpenStack Networking. Examples in this guide use services.
- Set OpenStack Networking to authenticate using the neutron administrative user account:
  # openstack-config --set /etc/neutron/neutron.conf \
    keystone_authtoken admin_user neutron
- Set OpenStack Networking to use the correct neutron administrative user account password:
  # openstack-config --set /etc/neutron/neutron.conf \
    keystone_authtoken admin_password PASSWORD
  Replace PASSWORD with the password set when the neutron user was created.
7.2.6. Configure the Firewall to Allow OpenStack Networking Traffic
OpenStack Networking accepts API connections on port 9696. The firewall on the OpenStack Networking node must be configured to allow network traffic on this port. All steps in this procedure must be performed on the server hosting OpenStack Networking, while logged in as the root user.
Procedure 7.6. Configuring the Firewall to Allow OpenStack Networking Traffic
- Open the /etc/sysconfig/iptables file in a text editor.
- Add an INPUT rule allowing TCP traffic on port 9696:
  -A INPUT -p tcp -m multiport --dports 9696 -j ACCEPT
- Add an INPUT rule for the firewall to accept VXLAN connections on port 4789. The new rules must appear before any INPUT rules that REJECT traffic:
  -A INPUT -p udp -m udp --dport 4789 -j ACCEPT
- Save the changes to the /etc/sysconfig/iptables file.
- Restart the iptables service to ensure that the change takes effect:
  # systemctl restart iptables.service
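An added Python check (not from this guide) for the ordering requirement in the procedure above: it reads the INPUT chain of an /etc/sysconfig/iptables file, locates the ACCEPT rules for tcp/9696 and udp/4789, and reports any that are missing or placed after the first REJECT or DROP rule, where they would never be reached. The file contents are constructed samples.

```python
import re

REQUIRED = (("tcp", 9696), ("udp", 4789))  # neutron API and VXLAN, from the procedure above

def _ports(rule: str) -> set:
    """Destination ports named by --dport N, --dports A,B or a range A:B."""
    m = re.search(r"--dports?\s+(\S+)", rule)
    if not m:
        return set()
    ports = set()
    for part in m.group(1).split(","):
        lo, _, hi = part.partition(":")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def input_rules(iptables_text: str) -> list:
    """The INPUT-chain rules in file order (rules in other chains are irrelevant here)."""
    return [ln.strip() for ln in iptables_text.splitlines() if ln.strip().startswith("-A INPUT ")]

def first_terminating(rules: list) -> int:
    """Index of the first INPUT rule that rejects or drops; len(rules) if there is none."""
    for i, rule in enumerate(rules):
        if re.search(r"-j\s+(REJECT|DROP)\b", rule):
            return i
    return len(rules)

def check_firewall(iptables_text: str, required=REQUIRED) -> list:
    """Report required ACCEPT rules that are missing or shadowed by an earlier REJECT/DROP."""
    rules = input_rules(iptables_text)
    cutoff = first_terminating(rules)
    problems = []
    for proto, port in required:
        pos = next((i for i, r in enumerate(rules)
                    if f"-p {proto} " in r and "-j ACCEPT" in r and port in _ports(r)), None)
        if pos is None:
            problems.append(f"no INPUT ACCEPT rule for {proto}/{port}")
        elif pos > cutoff:
            problems.append(f"ACCEPT rule for {proto}/{port} sits after the REJECT rule and is never reached")
    return problems

# Constructed /etc/sysconfig/iptables contents: GOOD places the new rules before the
# catch-all REJECT, BAD appends them after it.
ACCEPT_RULES = ("-A INPUT -p tcp -m multiport --dports 9696 -j ACCEPT",
                "-A INPUT -p udp -m udp --dport 4789 -j ACCEPT")
REJECT_RULE = "-A INPUT -j REJECT --reject-with icmp-host-prohibited"
HEAD = ["*filter", ":INPUT ACCEPT [0:0]",
        "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT",
        "-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT"]
TAIL = ["-A FORWARD -j REJECT --reject-with icmp-host-prohibited", "COMMIT"]
GOOD = "\n".join(HEAD + list(ACCEPT_RULES) + [REJECT_RULE] + TAIL) + "\n"
BAD = "\n".join(HEAD + [REJECT_RULE] + list(ACCEPT_RULES) + TAIL) + "\n"
```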
7.2.7. Configure RabbitMQ Message Broker Settings for OpenStack Networking
All steps in this procedure must be performed on the server hosting OpenStack Networking, while logged in as the root user.
Procedure 7.7. Configuring the OpenStack Networking Service to use the RabbitMQ Message Broker
- Set RabbitMQ as the RPC back end:
  # openstack-config --set /etc/neutron/neutron.conf \
    DEFAULT rpc_backend neutron.openstack.common.rpc.impl_kombu
- Set OpenStack Networking to connect to the RabbitMQ host:
  # openstack-config --set /etc/neutron/neutron.conf \
    DEFAULT rabbit_host RABBITMQ_HOST
  Replace RABBITMQ_HOST with the IP address or host name of the message broker.
- Set the message broker port to 5672:
  # openstack-config --set /etc/neutron/neutron.conf \
    DEFAULT rabbit_port 5672
- Set the RabbitMQ user name and password created for OpenStack Networking when RabbitMQ was configured:
  # openstack-config --set /etc/neutron/neutron.conf \
    DEFAULT rabbit_userid neutron
  # openstack-config --set /etc/neutron/neutron.conf \
    DEFAULT rabbit_password NEUTRON_PASS
  Replace neutron and NEUTRON_PASS with the RabbitMQ user name and password created for OpenStack Networking.
- When RabbitMQ was launched, the neutron user was granted read and write permissions to all resources: specifically, through the virtual host /. Configure the Networking service to connect to this virtual host:
  # openstack-config --set /etc/neutron/neutron.conf \
    DEFAULT rabbit_virtual_host /
7.2.8. Enable SSL Communication Between OpenStack Networking and the Message Broker
Procedure 7.8. Enabling SSL Communication Between OpenStack Networking and the RabbitMQ Message Broker
- Enable SSL communication with the message broker:
  # openstack-config --set /etc/neutron/neutron.conf \
    DEFAULT rabbit_use_ssl True
  # openstack-config --set /etc/neutron/neutron.conf \
    DEFAULT kombu_ssl_certfile /path/to/client.crt
  # openstack-config --set /etc/neutron/neutron.conf \
    DEFAULT kombu_ssl_keyfile /path/to/clientkeyfile.key
  Replace the following values:
  - Replace /path/to/client.crt with the absolute path to the exported client certificate.
  - Replace /path/to/clientkeyfile.key with the absolute path to the exported client key file.
- If your certificates were signed by a third-party Certificate Authority (CA), you must also run the following command:
  # openstack-config --set /etc/neutron/neutron.conf \
    DEFAULT kombu_ssl_ca_certs /path/to/ca.crt
  Replace /path/to/ca.crt with the absolute path to the CA file provided by the third-party CA (see Section 2.3.4, “Enable SSL on the RabbitMQ Message Broker” for more information).
7.2.9. Configure OpenStack Networking to Communicate with the Compute Service
Procedure 7.9. Configuring OpenStack Networking to Communicate with the Compute Service
- Set OpenStack Networking to connect to the Compute controller node:
  # openstack-config --set /etc/neutron/neutron.conf \
    nova url http://CONTROLLER_IP:9696
  Replace CONTROLLER_IP with the IP address or host name of the Compute controller node.
- Set the user name, password, and tenant for the nova user:
  # openstack-config --set /etc/neutron/neutron.conf \
    nova username nova
  # openstack-config --set /etc/neutron/neutron.conf \
    nova auth_type password
  # openstack-config --set /etc/neutron/neutron.conf \
    nova password PASSWORD
  # openstack-config --set /etc/neutron/neutron.conf \
    nova project_name SERVICES
  Replace SERVICES with the correct name of the nova project. Replace PASSWORD with the password set when the nova user was created.
- Set OpenStack Networking to connect to the Compute controller node in an administrative context:
  # openstack-config --set /etc/neutron/neutron.conf \
    nova auth_url http://CONTROLLER_IP:35357/v3
  Replace CONTROLLER_IP with the IP address or host name of the Compute controller node.
- Set OpenStack Networking to use the correct region for the Compute controller node:
  # openstack-config --set /etc/neutron/neutron.conf \
    nova region_name RegionOne
7.2.10. Launch OpenStack Networking
Start the neutron-server service and configure it to start at boot time:
# systemctl start neutron-server.service
# systemctl enable neutron-server.service
Important
force_gateway_on_subnet configuration key to True in the /etc/neutron/neutron.conf file.