[install] Liberty updates for neutron
More neutron configuration updates for Liberty including some
changes for RDO packages.

1) Remove explicit configuration of kernel parameters because
   neutron handles them.
2) Explicitly add DNS resolver to virtual networks because
   default value prevents name resolution within instances.
3) Move some configuration options to better locations.
4) RDO: Remove workaround for init scripts.
5) RDO: Explicitly configure lock_path in neutron.conf file.
6) RDO: Install openstack-neutron package on compute nodes
   because it also installs packages on which the Linux bridge
   agent depends.

Change-Id: I2c70c64e1272ee33eb364c079d8187ade7235ee2
Implements: blueprint installguide-liberty
parent 8e7059dfb8
commit 048ef85d2c
@ -84,29 +84,36 @@ Create the private project network
|
||||
.. code-block:: console
|
||||
|
||||
$ neutron subnet-create private PRIVATE_NETWORK_CIDR --name private \
|
||||
--gateway PRIVATE_NETWORK_GATEWAY
|
||||
--dns-nameserver DNS_RESOLVER --gateway PRIVATE_NETWORK_GATEWAY
|
||||
|
||||
Replace ``PRIVATE_NETWORK_CIDR`` with the subnet you want to use on the
|
||||
private network. You can use any arbitrary value, although we recommend
|
||||
a network from `RFC 1918 <https://tools.ietf.org/html/rfc1918>`_.
|
||||
|
||||
Replace ``DNS_RESOLVER`` with the IP address of a DNS resolver. In
|
||||
most cases, you can use one from the ``/etc/resolv.conf`` file on
|
||||
the host.
|
||||
|
||||
Replace ``PRIVATE_NETWORK_GATEWAY`` with the gateway you want to use on
|
||||
the private network, typically the ".1" IP address.
|
||||
|
||||
**Example**
|
||||
|
||||
The private network uses 172.16.1.0/24 with a gateway on 172.16.1.1:
|
||||
The private network uses 172.16.1.0/24 with a gateway on 172.16.1.1.
|
||||
A DHCP server assigns each instance an IP address from 172.16.1.2
|
||||
to 172.16.1.254. All instances use 8.8.4.4 as a DNS resolver.
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
$ neutron subnet-create private 172.16.1.0/24 --name private --gateway 172.16.1.1
|
||||
$ neutron subnet-create private 172.16.1.0/24 --name private
|
||||
--dns-nameserver 8.8.4.4 --gateway 172.16.1.1
|
||||
Created a new subnet:
|
||||
+-------------------+------------------------------------------------+
|
||||
| Field | Value |
|
||||
+-------------------+------------------------------------------------+
|
||||
| allocation_pools | {"start": "172.16.1.2", "end": "172.16.1.254"} |
|
||||
| cidr | 172.16.1.0/24 |
|
||||
| dns_nameservers | |
|
||||
| dns_nameservers | 8.8.4.4 |
|
||||
| enable_dhcp | True |
|
||||
| gateway_ip | 172.16.1.1 |
|
||||
| host_routes | |
|
||||
|
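Review bot: In the **Example** console block, the new line ``$ neutron subnet-create private 172.16.1.0/24 --name private`` has no trailing backslash, so ``--dns-nameserver 8.8.4.4 --gateway 172.16.1.1`` on the following line is not part of the command when the example is pasted. The placeholder form at the top of this hunk ends its first line with ``\``; add the same continuation here so the example matches it.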
@ -89,7 +89,7 @@ Create the public network
|
||||
|
||||
$ neutron subnet-create public PUBLIC_NETWORK_CIDR --name public \
|
||||
--allocation-pool start=START_IP_ADDRESS,end=END_IP_ADDRESS\
|
||||
--gateway PUBLIC_NETWORK_GATEWAY
|
||||
--dns-nameserver DNS_RESOLVER --gateway PUBLIC_NETWORK_GATEWAY
|
||||
|
||||
Replace ``PUBLIC_NETWORK_CIDR`` with the subnet on the public physical
|
||||
network in CIDR notation.
|
||||
@ -99,26 +99,31 @@ Create the public network
|
||||
for instances. This range must not include any existing active IP
|
||||
addresses.
|
||||
|
||||
Replace ``DNS_RESOLVER`` with the IP address of a DNS resolver. In
|
||||
most cases, you can use one from the ``/etc/resolv.conf`` file on
|
||||
the host.
|
||||
|
||||
Replace ``PUBLIC_NETWORK_GATEWAY`` with the gateway IP address on the
|
||||
public physical network, typically the ".1" IP address.
|
||||
|
||||
**Example**
|
||||
|
||||
The public physical network uses 203.0.113.0/24 with a gateway on
|
||||
203.0.113.1 and instances can use 203.0.113.101 to 203.0.113.200.
|
||||
The public network uses 203.0.113.0/24 with a gateway on 203.0.113.1.
|
||||
A DHCP server assigns each instance an IP address from 203.0.113.101
|
||||
to 203.0.113.200. All instances use 8.8.4.4 as a DNS resolver.
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
$ neutron subnet-create public 203.0.113.0/24 --name public \
|
||||
--allocation-pool start=203.0.113.101,end=203.0.113.200 \
|
||||
--gateway 203.0.113.1
|
||||
--dns-nameserver 8.8.4.4 --gateway 203.0.113.1
|
||||
Created a new subnet:
|
||||
+-------------------+----------------------------------------------------+
|
||||
| Field | Value |
|
||||
+-------------------+----------------------------------------------------+
|
||||
| allocation_pools | {"start": "203.0.113.101", "end": "203.0.113.200"} |
|
||||
| cidr | 203.0.113.0/24 |
|
||||
| dns_nameservers | |
|
||||
| dns_nameservers | 8.8.4.4 |
|
||||
| enable_dhcp | True |
|
||||
| gateway_ip | 203.0.113.1 |
|
||||
| host_routes | |
|
||||
|
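Review bot: The new ``DNS_RESOLVER`` paragraph sends readers to ``/etc/resolv.conf`` on the host without saying that the address has to be reachable from the instances; a host whose ``/etc/resolv.conf`` lists a loopback address would hand instances a resolver they cannot use. Suggest adding that condition to the paragraph. The example also fixes 8.8.4.4 for all instances, which sends their DNS queries to a third-party resolver, so a short remark that this is only an example value would help.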
@ -39,16 +39,14 @@ networks and handles security groups.
|
||||
...
|
||||
prevent_arp_spoofing = True
|
||||
|
||||
* In the ``[securitygroup]`` section, enable security groups, enable
|
||||
:term:`ipset`, and configure the Linux bridge :term:`iptables` firewall
|
||||
driver:
|
||||
* In the ``[securitygroup]`` section, enable security groups and
|
||||
configure the Linux bridge :term:`iptables` firewall driver:
|
||||
|
||||
.. code-block:: ini
|
||||
|
||||
[securitygroup]
|
||||
...
|
||||
enable_security_group = True
|
||||
enable_ipset = True
|
||||
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
|
||||
|
||||
Return to
|
||||
|
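Review bot: ``enable_ipset = True`` and the words "enable ipset" are dropped from the agent's ``[securitygroup]`` block here, and nothing in this hunk says where the option now lives. The commit message only says options move "to better locations"; if the node this file describes does not receive the new ``enable_ipset`` bullet added elsewhere in this change, state whether the agent relies on the default or reads the option from another file.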
@ -47,16 +47,14 @@ networks and handles security groups.
|
||||
...
|
||||
prevent_arp_spoofing = True
|
||||
|
||||
* In the ``[securitygroup]`` section, enable security groups, enable
|
||||
:term:`ipset`, and configure the Linux bridge :term:`iptables` firewall
|
||||
driver:
|
||||
* In the ``[securitygroup]`` section, enable security groups and
|
||||
configure the Linux bridge :term:`iptables` firewall driver:
|
||||
|
||||
.. code-block:: ini
|
||||
|
||||
[securitygroup]
|
||||
...
|
||||
enable_security_group = True
|
||||
enable_ipset = True
|
||||
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
|
||||
|
||||
Return to
|
||||
|
@ -4,25 +4,6 @@ Install and configure compute node
|
||||
The compute node handles connectivity and :term:`security groups <security
|
||||
group>` for instances.
|
||||
|
||||
Prerequisites
|
||||
-------------
|
||||
|
||||
Before you install and configure OpenStack Networking, you must configure
|
||||
kernel networking parameters to disable reverse-path filtering:
|
||||
|
||||
#. Edit the ``/etc/sysctl.conf`` file to contain the following parameters:
|
||||
|
||||
.. code-block:: ini
|
||||
|
||||
net.ipv4.conf.all.rp_filter=0
|
||||
net.ipv4.conf.default.rp_filter=0
|
||||
|
||||
#. Implement the changes:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
# sysctl -p
|
||||
|
||||
.. only:: ubuntu or rdo or obs
|
||||
|
||||
Install the components
|
||||
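Review bot: The whole Prerequisites section, including ``net.ipv4.conf.all.rp_filter=0`` and ``net.ipv4.conf.default.rp_filter=0``, is removed on the strength of the commit message's "neutron handles them", with no pointer to what sets these values on a compute node. Name the component or change in the commit message so the claim can be checked. Hosts built from the earlier text keep reverse-path filtering disabled in ``/etc/sysctl.conf``, so a sentence saying whether those entries can now be reverted would also be useful.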
@ -38,7 +19,7 @@ Install the components
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
# yum install openstack-neutron-linuxbridge
|
||||
# yum install openstack-neutron openstack-neutron-linuxbridge
|
||||
|
||||
.. only:: obs
|
||||
|
||||
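Review bot: The ``yum install`` line now pulls ``openstack-neutron`` onto compute nodes, but the reason (it brings in packages on which the Linux bridge agent depends) appears only in the commit message. Add a note under the command that gives the reason and says whether any service from that package should be left disabled on this node, so readers neither treat the extra package as a mistake nor start services they do not need.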
@ -131,6 +112,16 @@ authentication mechanism, message queue, and plug-in.
|
||||
Comment out or remove any other options in the
|
||||
``[keystone_authtoken]`` section.
|
||||
|
||||
.. only:: rdo
|
||||
|
||||
* In the ``[oslo_concurrency]`` section, configure the lock path:
|
||||
|
||||
.. code-block:: ini
|
||||
|
||||
[oslo_concurrency]
|
||||
...
|
||||
lock_path = /var/lib/neutron/tmp
|
||||
|
||||
* (Optional) To assist with troubleshooting, enable verbose logging in the
|
||||
``[DEFAULT]`` section:
|
||||
|
||||
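Review bot: ``lock_path = /var/lib/neutron/tmp`` is introduced without saying whether the RDO package creates that directory or who should own it. Add a sentence covering both, so the reader can confirm the directory exists and is writable only by the account the neutron services run as.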
@ -198,23 +189,6 @@ Finalize installation
|
||||
|
||||
# ln -s /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini
|
||||
|
||||
#. Due to a packaging issue, the Linux bridge agent initialization script
|
||||
explicitly looks for the Linux bridge plug-in configuration file rather
|
||||
than the agent configuration file. Run the following commands to resolve
|
||||
this issue:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
# cp /usr/lib/systemd/system/neutron-linuxbridge-agent.service \
|
||||
/usr/lib/systemd/system/neutron-linuxbridge-agent.service.orig
|
||||
# sed -i 's,openvswitch/linuxbridge_neutron_plugin.ini,ml2/linuxbridge_agent.ini,g' \
|
||||
/usr/lib/systemd/system/neutron-linuxbridge-agent.service
|
||||
|
||||
.. note::
|
||||
|
||||
Future upgrades of the ``neutron-linuxbridge-agent`` package may
|
||||
overwrite this modification.
|
||||
|
||||
#. Restart the Compute service:
|
||||
|
||||
.. code-block:: console
|
||||
|
@ -3,25 +3,6 @@ Networking Option 1: Provider networks
|
||||
|
||||
Install and configure the Networking components on the *controller* node.
|
||||
|
||||
Prerequisites
|
||||
-------------
|
||||
|
||||
Before you configure networking option 1, you must configure kernel
|
||||
parameters to disable reverse-path filtering.
|
||||
|
||||
#. Edit the ``/etc/sysctl.conf`` file to contain the following parameters:
|
||||
|
||||
.. code-block:: ini
|
||||
|
||||
net.ipv4.conf.all.rp_filter=0
|
||||
net.ipv4.conf.default.rp_filter=0
|
||||
|
||||
#. Implement the changes:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
# sysctl -p
|
||||
|
||||
Install the components
|
||||
----------------------
|
||||
|
||||
@ -183,6 +164,16 @@ Install the components
|
||||
Replace ``NOVA_PASS`` with the password you chose for the ``nova``
|
||||
user in the Identity service.
|
||||
|
||||
.. only:: rdo
|
||||
|
||||
* In the ``[oslo_concurrency]`` section, configure the lock path:
|
||||
|
||||
.. code-block:: ini
|
||||
|
||||
[oslo_concurrency]
|
||||
...
|
||||
lock_path = /var/lib/neutron/tmp
|
||||
|
||||
* (Optional) To assist with troubleshooting, enable verbose logging in
|
||||
the ``[DEFAULT]`` section:
|
||||
|
||||
@ -247,6 +238,15 @@ and switching) virtual networking infrastructure for instances.
|
||||
...
|
||||
flat_networks = public
|
||||
|
||||
* In the ``[securitygroup]`` section, enable :term:`ipset` to increase
|
||||
efficiency of security group rules:
|
||||
|
||||
.. code-block:: ini
|
||||
|
||||
[securitygroup]
|
||||
...
|
||||
enable_ipset = True
|
||||
|
||||
Configure the Linux bridge agent
|
||||
--------------------------------
|
||||
|
||||
@ -283,16 +283,14 @@ networks and handles security groups.
|
||||
...
|
||||
prevent_arp_spoofing = True
|
||||
|
||||
* In the ``[securitygroup]`` section, enable security groups, enable
|
||||
:term:`ipset`, and configure the Linux bridge :term:`iptables` firewall
|
||||
driver:
|
||||
* In the ``[securitygroup]`` section, enable security groups and
|
||||
configure the Linux bridge :term:`iptables` firewall driver:
|
||||
|
||||
.. code-block:: ini
|
||||
|
||||
[securitygroup]
|
||||
...
|
||||
enable_security_group = True
|
||||
enable_ipset = True
|
||||
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
|
||||
|
||||
Configure the DHCP agent
|
||||
|
@ -3,27 +3,6 @@ Networking Option 2: Self-service networks
|
||||
|
||||
Install and configure the Networking components on the *controller* node.
|
||||
|
||||
Prerequisites
|
||||
-------------
|
||||
|
||||
Before you configure networking option 2, you must configure kernel
|
||||
parameters to enable IP forwarding (routing) and disable reverse-path
|
||||
filtering.
|
||||
|
||||
#. Edit the ``/etc/sysctl.conf`` file to contain the following parameters:
|
||||
|
||||
.. code-block:: ini
|
||||
|
||||
net.ipv4.ip_forward=1
|
||||
net.ipv4.conf.all.rp_filter=0
|
||||
net.ipv4.conf.default.rp_filter=0
|
||||
|
||||
#. Implement the changes:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
# sysctl -p
|
||||
|
||||
Install the components
|
||||
----------------------
|
||||
|
||||
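Review bot: Besides the two ``rp_filter`` lines, this removal also drops ``net.ipv4.ip_forward=1``, in the option that goes on to configure a layer-3 agent. The commit message covers it only with the general "neutron handles them"; add a sentence there explaining where forwarding is enabled for routed traffic, or a verification step in the guide, so the reader can confirm routing works without the manual setting.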
@ -180,6 +159,16 @@ Install the components
|
||||
Replace ``NOVA_PASS`` with the password you chose for the ``nova``
|
||||
user in the Identity service.
|
||||
|
||||
.. only:: rdo
|
||||
|
||||
* In the ``[oslo_concurrency]`` section, configure the lock path:
|
||||
|
||||
.. code-block:: ini
|
||||
|
||||
[oslo_concurrency]
|
||||
...
|
||||
lock_path = /var/lib/neutron/tmp
|
||||
|
||||
* (Optional) To assist with troubleshooting, enable verbose logging in
|
||||
the ``[DEFAULT]`` section:
|
||||
|
||||
@ -258,6 +247,15 @@ and switching) virtual networking infrastructure for instances.
|
||||
...
|
||||
vni_ranges = 1:1000
|
||||
|
||||
* In the ``[securitygroup]`` section, enable :term:`ipset` to increase
|
||||
efficiency of security group rules:
|
||||
|
||||
.. code-block:: ini
|
||||
|
||||
[securitygroup]
|
||||
...
|
||||
enable_ipset = True
|
||||
|
||||
Configure the Linux bridge agent
|
||||
--------------------------------
|
||||
|
||||
@ -302,16 +300,14 @@ networks and handles security groups.
|
||||
...
|
||||
prevent_arp_spoofing = True
|
||||
|
||||
* In the ``[securitygroup]`` section, enable security groups, enable
|
||||
:term:`ipset`, and configure the Linux bridge :term:`iptables` firewall
|
||||
driver:
|
||||
* In the ``[securitygroup]`` section, enable security groups and
|
||||
configure the Linux bridge :term:`iptables` firewall driver:
|
||||
|
||||
.. code-block:: ini
|
||||
|
||||
[securitygroup]
|
||||
...
|
||||
enable_security_group = True
|
||||
enable_ipset = True
|
||||
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
|
||||
|
||||
Configure the layer-3 agent
|
||||
|
@ -259,23 +259,6 @@ Finalize installation
|
||||
|
||||
# ln -s /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini
|
||||
|
||||
#. Due to a packaging issue, the Linux bridge agent initialization script
|
||||
explicitly looks for the Linux bridge plug-in configuration file rather
|
||||
than the agent configuration file. Run the following commands to resolve
|
||||
this issue:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
# cp /usr/lib/systemd/system/neutron-linuxbridge-agent.service \
|
||||
/usr/lib/systemd/system/neutron-linuxbridge-agent.service.orig
|
||||
# sed -i 's,openvswitch/linuxbridge_neutron_plugin.ini,ml2/linuxbridge_agent.ini,g' \
|
||||
/usr/lib/systemd/system/neutron-linuxbridge-agent.service
|
||||
|
||||
.. note::
|
||||
|
||||
Future upgrades of the ``neutron-linuxbridge-agent`` package may
|
||||
overwrite this modification.
|
||||
|
||||
#. Populate the database:
|
||||
|
||||
.. code-block:: console
|
||||
@ -288,12 +271,11 @@ Finalize installation
|
||||
Database population occurs later for Networking because the script
|
||||
requires complete server and plug-in configuration files.
|
||||
|
||||
#. Restart the Compute services:
|
||||
#. Restart the Compute API service:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
# systemctl restart openstack-nova-api.service openstack-nova-scheduler.service \
|
||||
openstack-nova-conductor.service
|
||||
# systemctl restart openstack-nova-api.service
|
||||
|
||||
#. Start the Networking services and configure them to start when the system
|
||||
boots.
|
||||
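Review bot: The restart step shrinks from ``openstack-nova-api.service openstack-nova-scheduler.service openstack-nova-conductor.service`` to ``openstack-nova-api.service`` alone, and none of the six items in the commit message mentions it. Add an item explaining why the scheduler and conductor no longer need a restart after the Networking configuration changes.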
@ -327,12 +309,11 @@ Finalize installation
|
||||
|
||||
NEUTRON_PLUGIN_CONF="/etc/neutron/plugins/ml2/ml2_conf.ini"
|
||||
|
||||
#. Restart the Compute services:
|
||||
#. Restart the Compute API service:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
# systemctl restart openstack-nova-api.service openstack-nova-scheduler.service \
|
||||
openstack-nova-conductor.service
|
||||
# systemctl restart openstack-nova-api.service
|
||||
|
||||
#. Start the Networking services and configure them to start when the system
|
||||
boots.
|
||||
@ -371,7 +352,7 @@ Finalize installation
|
||||
Database population occurs later for Networking because the script
|
||||
requires complete server and plug-in configuration files.
|
||||
|
||||
#. Restart the nova-api service:
|
||||
#. Restart the Compute API service:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
|