The "security_group_api" config option in nova was deleted in the Newton release: I921650d8730201c2f14deb7e679647a892dbe48a The use_neutron option should be used instead. This updates the docs where the security_group_api option was mentioned. Change-Id: Ie53a5498e1a2152157d5b2a56abb97ba36cbf86c
Use Networking
You can manage OpenStack Networking services by using the service command. For example:
# service neutron-server stop
# service neutron-server status
# service neutron-server start
# service neutron-server restart
Log files are in the /var/log/neutron directory.
Configuration files are in the /etc/neutron directory.
Administrators and projects can use OpenStack Networking to build rich network topologies. Administrators can create network connectivity on behalf of projects.
Core Networking API features
After installing and configuring Networking (neutron), projects and administrators can perform create-read-update-delete (CRUD) API networking operations. This is performed using the Networking API directly with either the neutron command-line interface (CLI) or the openstack CLI. The neutron CLI is a wrapper around the Networking API. Every Networking API call has a corresponding neutron command.
The openstack CLI is a common interface for all OpenStack projects; however, not every API operation has been implemented. For the list of available commands, see Command List.
The neutron CLI includes a number of options. For details, see Create and manage networks.
Basic Networking operations
To learn about advanced capabilities available through the neutron command-line interface (CLI), read the networking section Create and manage networks in the OpenStack End User Guide.
This table shows example openstack commands that enable you to complete basic network operations:
Operation | Command |
---|---|
Creates a network. | |
Creates a subnet that is associated with net1. | |
Lists ports for a specified project. | |
Lists ports for a specified project and displays the ID, Fixed IP Addresses | |
Shows information for a specified port. | |
Note
The device_owner field describes who owns the port. A port whose device_owner begins with:
- network is created by Networking.
- compute is created by Compute.
Administrative operations
The administrator can run any openstack command on behalf of projects by specifying an Identity project in the command, as follows:
$ openstack network create --project PROJECT_ID NETWORK_NAME
For example:
$ openstack network create --project 5e4bbe24b67a4410bc4d9fae29ec394e net1
Note
To view all project IDs in Identity, run the following command as an Identity service admin user:
$ openstack project list
Advanced Networking operations
This table shows example CLI commands that enable you to complete advanced network operations:
Operation | Command |
---|---|
Creates a network that all projects can use. | |
Creates a subnet with a specified gateway IP address. | |
Creates a subnet that has no gateway IP address. | |
Creates a subnet with DHCP disabled. | |
Specifies a set of host routes. | |
Creates a subnet with a specified set of DNS name servers. | |
Displays all ports and IPs allocated on a network. | $ openstack port list --network NET_ID |
Note
During port creation and update, specific extra-dhcp-options can be left blank. For example, router and classless-static-route. This causes dnsmasq to have an empty option in the opts file related to the network. For example:
tag:tag0,option:classless-static-route,
tag:tag0,option:router,
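To see which options ended up blank for a network, the check below lists every option in an opts file whose value is empty. It is an added example, not part of the original guide; it assumes the tag:<tag>,option:<name>,<value> layout of the two sample lines above, and the sample file contents are constructed.

```shell
#!/bin/sh
# Added example: report dnsmasq options that carry no value in an opts file.
# Assumed line layout (taken from the sample lines above):
#   tag:<tag>,option:<name>,<value>

# find_empty_opts FILE
# Prints "<tag> <option-name>" for each option whose value is empty.
find_empty_opts() {
    awk -F',' '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        {
            tag = ""; name = ""; value = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^tag:/) {
                    tag = substr($i, 5)          # text after "tag:"
                } else if ($i ~ /^option:/) {
                    name = substr($i, 8)         # text after "option:"
                    # every field after the option name belongs to its value
                    for (j = i + 1; j <= NF; j++) value = value $j
                    break
                }
            }
            gsub(/[ \t]/, "", value)             # whitespace alone is still empty
            if (name != "" && value == "") print tag, name
        }
    ' "$1"
}

# Constructed sample input; the addresses and the tag1 line are made up.
sample_opts() {
    cat <<'EOF'
tag:tag0,option:dns-server,192.0.2.53
tag:tag0,option:classless-static-route,
tag:tag0,option:router,
tag:tag1,option:router,198.51.100.1
EOF
}

demo_file=$(mktemp)
sample_opts > "$demo_file"
find_empty_opts "$demo_file"
rm -f "$demo_file"
```

On a network node, pass the path of the opts file that dnsmasq uses for the network in place of the temporary file.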
Use Compute with Networking
Basic Compute and Networking operations
This table shows example openstack commands that enable you to complete basic VM networking operations:
Action | Command |
---|---|
Checks available networks. | |
Boots a VM with a single NIC on a selected Networking network. | |
Searches for ports with a device_id that matches the Compute instance UUID. See Create and delete VMs. | $ openstack port list --server VM_ID |
Searches for ports, but shows only the mac_address of the port. | |
Temporarily disables a port from sending traffic. | |
Note
The device_id can also be a logical router ID.
Note
- When you boot a Compute VM, a port on the network that corresponds to the VM NIC is automatically created and associated with the default security group. You can configure security group rules to enable users to access the VM.
Advanced VM creation operations
This table shows example openstack commands that enable you to complete advanced VM creation operations:
Operation | Command |
---|---|
Boots a VM with multiple NICs. | $ openstack server create --image IMAGE --flavor FLAVOR --nic net-id=NET_ID --nic net-id=NET2-ID VM_NAME |
Boots a VM with a specific IP address. Note that you cannot use the --max or --min parameters in this case. | $ openstack server create --image IMAGE --flavor FLAVOR --nic net-id=NET_ID,v4-fixed-ip=IP-ADDR VM_NAME |
Boots a VM that connects to all networks that are accessible to the project that submits the request (without the --nic option). | $ openstack server create --image IMAGE --flavor FLAVOR VM_NAME |
Note
Cloud images that distribution vendors offer usually have only one active NIC configured. When you boot with multiple NICs, you must configure additional interfaces on the image or the NICs are not reachable.
The following Debian/Ubuntu-based example shows how to set up the interfaces within the instance in the /etc/network/interfaces file. You must apply this configuration to the image.
# The loopback network interface
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet dhcp
auto eth1
iface eth1 inet dhcp
Enable ping and SSH on VMs (security groups)
You must configure security group rules depending on the type of plug-in you are using. If you are using a plug-in that:
- Implements Networking security groups, you can configure security group rules directly by using the openstack security group rule create command. This example enables ping and ssh access to your VMs.
$ openstack security group rule create --protocol icmp \
    --ingress SECURITY_GROUP
$ openstack security group rule create --protocol tcp \
    --dst-port 22:22 --ingress --description "Sample Security Group" SECURITY_GROUP
- Does not implement Networking security groups, you can configure security group rules by using the openstack security group rule create or euca-authorize command. These openstack commands enable ping and ssh access to your VMs.
$ openstack security group rule create --protocol icmp default
$ openstack security group rule create --protocol tcp --dst-port 22:22 default
Note
If your plug-in implements Networking security groups, you can also leverage Compute security groups by setting use_neutron = True in the nova.conf file. After you set this option, all Compute security group commands are proxied to Networking.