Red Hat Training

A Red Hat training course is available for Red Hat OpenStack Platform

7.2. Configure OpenStack Networking

Important

In an unmodified Red Hat OpenStack Platform installation, the vif_plugging_is_fatal option is commented out in the [DEFAULT] section of the /etc/nova/nova.conf file, and defaults to True. This option controls whether instances should fail to boot if VIF plugging fails. Similarly, the notify_nova_on_port_status_changes and notify_nova_on_port_data_changes options are commented out in the [DEFAULT] section of the /etc/neutron/neutron.conf file, and default to False. These options control whether notifications should be sent to nova on port status or data changes. However, this combination of values can prevent instances from booting. To allow instances to boot correctly, set all of these options to either True or False. To set True, run the following commands: 
# openstack-config --set /etc/nova/nova.conf \
DEFAULT vif_plugging_is_fatal True
# openstack-config --set /etc/neutron/neutron.conf \
DEFAULT notify_nova_on_port_status_changes True
# openstack-config --set /etc/neutron/neutron.conf \
DEFAULT notify_nova_on_port_data_changes True
To set False, run the following commands instead: 
# openstack-config --set /etc/nova/nova.conf \
DEFAULT vif_plugging_is_fatal False
# openstack-config --set /etc/neutron/neutron.conf \
DEFAULT notify_nova_on_port_status_changes False
# openstack-config --set /etc/neutron/neutron.conf \
DEFAULT notify_nova_on_port_data_changes False

7.2.1. Set the OpenStack Networking Plug-in

OpenStack Networking plug-ins can be referenced in neutron.conf by their nominated short names, instead of their lengthy class names. For example: 
core_plugin = neutron.plugins.ml2.plugin:Ml2Plugin
will become: 
core_plugin = ml2
Take care not to introduce errant whitespace characters, as these could result in parse errors.
The service_plugins option accepts a comma-delimited list of multiple service plugins.

Table 7.1.  service_plugins

Short name Class name
dummy neutron.tests.unit.dummy_plugin:DummyServicePlugin
router neutron.services.l3_router.l3_router_plugin:L3RouterPlugin
firewall neutron.services.firewall.fwaas_plugin:FirewallPlugin
lbaas neutron.services.loadbalancer.plugin:LoadBalancerPlugin
metering neutron.services.metering.metering_plugin:MeteringPlugin

7.2.1.1. Enable the ML2 Plug-in

Enable the ML2 plug-in on the node running the neutron-server service.

Procedure 7.1. Enabling the ML2 Plug-in

  1. Create a symbolic link to direct OpenStack Networking to the ml2_conf.ini file: 
    # ln -s /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini
  2. Set the tenant network type. Supported values are gre, local, vlan, and vxlan. The default value is local, but this is not recommended for enterprise deployments: 
    # openstack-config --set /etc/neutron/plugin.ini \
   ml2 tenant_network_types TYPE
    Replace TYPE with the tenant network type.
  3. If you chose flat or vlan networking, you must also map physical networks to VLAN ranges: 
    # openstack-config --set /etc/neutron/plugin.ini \
   ml2 network_vlan_ranges NAME:START:END
    Replace the following values:
    • Replace NAME with the name of the physical network.
    • Replace START with the VLAN identifier that starts the range.
    • Replace END with the VLAN identifier that ends the range.
    Multiple ranges can be specified using a comma-delimited list, for example: 
    physnet1:1000:2999,physnet2:3000:3999
  4. Set the driver types. Supported values are local, flat, vlan, gre, and vxlan: 
    # openstack-config --set /etc/neutron/plugin.ini \
   ml2 type_drivers TYPE
    Replace TYPE with the driver type. Specify multiple drivers using a comma-delimited list.
  5. Set the mechanism drivers. Available values are openvswitch, linuxbridge, and l2population: 
    # openstack-config --set /etc/neutron/plugin.ini \
   ml2 mechanism_drivers TYPE
    Replace TYPE with the mechanism driver type. Specify multiple mechanism drivers using a comma-delimited list.
  6. Enable L2 population: 
    # openstack-config --set /etc/neutron/plugin.ini \
   agent l2_population True
  7. Set the firewall driver in the /etc/neutron/plugins/ml2/openvswitch_agent.ini file or the /etc/neutron/plugins/ml2/linuxbridge_agent.ini file, depending on which plug-in agent you are using:

    1. Open vSwitch Firewall Driver

      # openstack-config --set /etc/neutron/plugins/ml2/openvswitch_agent.ini
   securitygroup firewall_driver neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver

    2. Linux Bridge Firewall Driver

      # openstack-config --set /etc/neutron/plugins/ml2/linuxbridge_agent.ini					   
   securitygroup firewall_driver neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
  8. Enable the ML2 plug-in and the L3 router: 
    # openstack-config --set /etc/neutron/neutron.conf \
   DEFAULT core_plugin ml2
# openstack-config --set /etc/neutron/neutron.conf \
   DEFAULT service_plugins router

7.2.2. Create the OpenStack Networking Database

Create the database and database user used by OpenStack Networking. All steps in this procedure must be performed on the database server, while logged in as the root user, and prior to starting the neutron-server service.

Procedure 7.2. Creating the OpenStack Networking Database

  1. Connect to the database service: 
    # mysql -u root -p
  2. Create the database with one of the following names:
    • If you are using the ML2 plug-in, the recommended database name is neutron_ml2
    • If you are using the Open vSwitch plug-in, the recommended database name is ovs_neutron.
    • If you are using the Linux Bridge plug-in, the recommended database name is neutron_linux_bridge.
    This example creates the ML2 neutron_ml2 database: 
    mysql> CREATE DATABASE neutron_ml2 character set utf8;
  3. Create a neutron database user and grant the user access to the neutron_ml2 database: 
    mysql> GRANT ALL ON neutron_ml2.* TO 'neutron'@'%' IDENTIFIED BY 'PASSWORD';
mysql> GRANT ALL ON neutron_ml2.* TO 'neutron'@'localhost' IDENTIFIED BY 'PASSWORD';
    Replace PASSWORD with a secure password that will be used to authenticate with the database server as this user.
  4. Flush the database privileges to ensure that they take effect immediately: 
    mysql> FLUSH PRIVILEGES;
  5. Exit the mysql client: 
    mysql> quit

7.2.3. Configure the OpenStack Networking Database Connection

The database connection string used by OpenStack Networking is defined in the /etc/neutron/plugin.ini file. It must be updated to point to a valid database server before starting the service. All steps in this procedure must be performed on the server hosting OpenStack Networking, while logged in as the root user.

Procedure 7.3. Configuring the OpenStack Networking SQL Database Connection

  1. Set the value of the connection configuration key. 
    # openstack-config --set /etc/neutron/plugin.ini \
   DATABASE sql_connection mysql://USER:PASS@IP/DB
    Replace the following values:
    • Replace USER with the OpenStack Networking database user name, usually neutron.
    • Replace PASS with the password of the database user.
    • Replace IP with the IP address or host name of the database server.
    • Replace DB with the name of the OpenStack Networking database.

    Important

    The IP address or host name specified in the connection configuration key must match the IP address or host name to which the OpenStack Networking database user was granted access when creating the OpenStack Networking database. Moreover, if the database is hosted locally and you granted permissions to 'localhost' when creating the database, you must enter 'localhost'.
  2. Upgrade the OpenStack Networking database schema: 
    # neutron-db-manage --config-file /usr/share/neutron/neutron-dist.conf \
   --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugin.ini upgrade head

7.2.4. Create the OpenStack Networking Identity Records

Create and configure Identity service records required by OpenStack Networking. These entries assist other OpenStack services attempting to locate and access the functionality provided by OpenStack Networking.
This procedure assumes that you have already created an administrative user account and a services tenant. For more information, see:
Perform this procedure on the Identity service server, or on any machine onto which you have copied the keystonerc_admin file and on which the keystone command-line utility is installed.

Procedure 7.4. Creating Identity Records for OpenStack Networking

  1. Set up the shell to access Keystone as the administrative user: 
    # source ~/keystonerc_admin
  2. Create the neutron user: 
    [(keystone_admin)]# openstack user create --password PASSWORD neutron
+----------+----------------------------------+
| Field    | Value                            |
+----------+----------------------------------+
| email    | None                             |
| enabled  | True                             |
| id       | 8f0d819a4ae54bf9b12d01d0fb095805 |
| name     | neutron                          |
| username | neutron                          |
+----------+----------------------------------+
    Replace PASSWORD with a secure password that will be used by OpenStack Networking when authenticating with the Identity service.
  3. Link the neutron user and the admin role together within the context of the services tenant: 
    [(keystone_admin)]# openstack role add --project services --user neutron admin
  4. Create the neutron OpenStack Networking service entry: 
    [(keystone_admin)]# openstack service create --name neutron \
   --description "OpenStack Networking" \
   network
  5. Create the neutron endpoint entry: 
    [(keystone_admin)]# openstack endpoint create
   --publicurl 'http://IP:9696' \
   --adminurl 'http://IP:9696' \
   --internalurl 'http://IP:9696' \
   --region RegionOne \
   neutron
    Replace IP with the IP address or host name of the server that will act as the OpenStack Networking node.

7.2.5. Configure OpenStack Networking Authentication

Configure OpenStack Networking to use the Identity service for authentication. All steps in this procedure must be performed on the server hosting OpenStack Networking, while logged in as the root user.

Procedure 7.5. Configuring the OpenStack Networking Service to Authenticate through the Identity Service

  1. Set the authentication strategy to keystone: 
    # openstack-config --set /etc/neutron/neutron.conf \
   DEFAULT auth_strategy keystone
  2. Set the Identity service host that OpenStack Networking must use: 
    # openstack-config --set /etc/neutron/neutron.conf \
   keystone_authtoken auth_host IP
    Replace IP with the IP address or host name of the server hosting the Identity service.
  3. Set OpenStack Networking to authenticate as the correct tenant: 
    # openstack-config --set /etc/neutron/neutron.conf \
   keystone_authtoken admin_tenant_name services
    Replace services with the name of the tenant created for the use of OpenStack Networking. Examples in this guide use services.
  4. Set OpenStack Networking to authenticate using the neutron administrative user account: 
    # openstack-config --set /etc/neutron/neutron.conf \
   keystone_authtoken admin_user neutron
  5. Set OpenStack Networking to use the correct neutron administrative user account password: 
    # openstack-config --set /etc/neutron/neutron.conf \
   keystone_authtoken admin_password PASSWORD
    Replace PASSWORD with the password set when the neutron user was created.

7.2.6. Configure the Firewall to Allow OpenStack Networking Traffic

OpenStack Networking receives connections on TCP port 9696. The firewall on the OpenStack Networking node must be configured to allow network traffic on this port. All steps in this procedure must be performed on the server hosting OpenStack Networking, while logged in as the root user.

Procedure 7.6. Configuring the Firewall to Allow OpenStack Networking Traffic

  1. Open the /etc/sysconfig/iptables file in a text editor.
  2. Add an INPUT rule allowing TCP traffic on port 9696. 
    -A INPUT -p tcp -m multiport --dports 9696 -j ACCEPT
  3. Add an INPUT rule for the firewall to accept VXLAN connections on port 4789. The new rules must appear before any INPUT rules that REJECT traffic: 
    -A INPUT -p udp -m udp --dport 4789 -j ACCEPT
  4. Save the changes to the /etc/sysconfig/iptables file.
  5. Restart the iptables service to ensure that the change takes effect: 
    # systemctl restart iptables.service

7.2.7. Configure RabbitMQ Message Broker Settings for OpenStack Networking

RabbitMQ is the default (and recommended) message broker. The RabbitMQ messaging service is provided by the rabbitmq-server package. All steps in the following procedure must be performed on the system hosting OpenStack Networking, while logged in as the root user.

Procedure 7.7. Configuring the OpenStack Networking Service to use the RabbitMQ Message Broker

  1. Set RabbitMQ as the RPC back end: 
    # openstack-config --set /etc/neutron/neutron.conf \
   DEFAULT rpc_backend neutron.openstack.common.rpc.impl_kombu
  2. Set OpenStack Networking to connect to the RabbitMQ host: 
    # openstack-config --set /etc/neutron/neutron.conf \
   DEFAULT rabbit_host RABBITMQ_HOST
    Replace RABBITMQ_HOST with the IP address or host name of the message broker.
  3. Set the message broker port to 5672: 
    # openstack-config --set /etc/neutron/neutron.conf \
   DEFAULT rabbit_port 5672
  4. Set the RabbitMQ user name and password created for OpenStack Networking when RabbitMQ was configured: 
    # openstack-config --set /etc/neutron/neutron.conf \
   DEFAULT rabbit_userid neutron
# openstack-config --set /etc/neutron/neutron.conf \
   DEFAULT rabbit_password NEUTRON_PASS
    Replace neutron and NEUTRON_PASS with the RabbitMQ user name and password created for OpenStack Networking.
  5. When RabbitMQ was launched, the neutron user was granted read and write permissions to all resources: specifically, through the virtual host /. Configure the Networking service to connect to this virtual host: 
    # openstack-config --set /etc/neutron/neutron.conf \
   DEFAULT rabbit_virtual_host /

7.2.8. Enable SSL Communication Between OpenStack Networking and the Message Broker

If you enabled SSL on the message broker, you must configure OpenStack Networking accordingly. This procedure requires the exported client certificates and key file. See Section 2.3.5, “Export an SSL Certificate for Clients” for instructions on how to export these files.

Procedure 7.8. Enabling SSL Communication Between OpenStack Networking and the RabbitMQ Message Broker

  1. Enable SSL communication with the message broker: 
    # openstack-config --set /etc/neutron/neutron.conf \
   DEFAULT rabbit_use_ssl True
# openstack-config --set /etc/neutron/neutron.conf \
   DEFAULT kombu_ssl_certfile /path/to/client.crt
# openstack-config --set /etc/neutron/neutron.conf \
   DEFAULT kombu_ssl_keyfile /path/to/clientkeyfile.key
    Replace the following values:
    • Replace /path/to/client.crt with the absolute path to the exported client certificate.
    • Replace /path/to/clientkeyfile.key with the absolute path to the exported client key file.
  2. If your certificates were signed by a third-party Certificate Authority (CA), you must also run the following command: 
    # openstack-config --set /etc/neutron/neutron.conf \
 DEFAULT kombu_ssl_ca_certs /path/to/ca.crt
    Replace /path/to/ca.crt with the absolute path to the CA file provided by the third-party CA (see Section 2.3.4, “Enable SSL on the RabbitMQ Message Broker” for more information).

7.2.9. Configure OpenStack Networking to Communicate with the Compute Service

Configure OpenStack Networking to communicate with the Compute service about network topology changes.

Procedure 7.9. Configuring OpenStack Networking to Communicate with the Compute Service

  1. Set OpenStack Networking to connect to the Compute controller node: 
    # openstack-config --set /etc/neutron/neutron.conf \
   nova url http://CONTROLLER_IP:9696
    Replace CONTROLLER_IP with the IP address or host name of the Compute controller node.
  2. Set the user name, password, and tenant for the nova user: 
    # openstack-config --set /etc/neutron/neutron.conf \
    nova username nova
# openstack-config --set /etc/neutron/neutron.conf \
   nova auth_type password
# openstack-config --set /etc/neutron/neutron.conf \
   nova password PASSWORD
 # openstack-config --set /etc/neutron/neutron.conf \
   nova project_name SERVICES
    Replace the SERVICES with the correct name of the nova project. Replace PASSWORD with the password set when the nova user was created.
  3. Set OpenStack Networking to connect to the Compute controller node in an administrative context: 
    # openstack-config --set /etc/neutron/neutron.conf \
   DEFAULT nova auth_url http://CONTROLLER_IP:35357/v3
    Replace CONTROLLER_IP with the IP address or host name of the Compute controller node.
  4. Set OpenStack Networking to use the correct region for the Compute controller node: 
    # openstack-config --set /etc/neutron/neutron.conf \
   nova region_name RegionOne

7.2.10. Launch OpenStack Networking

Launch the neutron-server service and configure it to start at boot time: 
# systemctl start neutron-server.service
# systemctl enable neutron-server.service

Important

By default, OpenStack Networking does not enforce Classless Inter-Domain Routing (CIDR) checking of IP addresses. This is to maintain backwards compatibility with previous releases. If you require such checks set the value of the force_gateway_on_subnet configuration key to True in the /etc/neutron/neutron.conf file.