From 048ef85d2c517da4e71f75c19571d5fc27311175 Mon Sep 17 00:00:00 2001 From: Matthew Kassawara Date: Thu, 22 Oct 2015 11:31:10 -0600 Subject: [PATCH] [install] Liberty updates for neutron More neutron configuration updates for Liberty including some changes for RDO packages. 1) Remove explicit configuration of kernel parameters because neutron handles them. 2) Explicitly add DNS resolver to virtual networks because default value prevents name resolution within instances. 3) Move some configuration options to better locations. 4) RDO: Remove workaround for init scripts. 5) RDO: Explicitly configure lock_path in neutron.conf file. 6) RDO: Install openstack-neutron package on compute nodes because it also installs packages on which the Linux bridge agent depends. Change-Id: I2c70c64e1272ee33eb364c079d8187ade7235ee2 Implements: blueprint installguide-liberty --- .../launch-instance-networks-private.rst | 15 ++++-- .../launch-instance-networks-public.rst | 15 ++++-- .../neutron-compute-install-option1.rst | 6 +-- .../neutron-compute-install-option2.rst | 6 +-- .../source/neutron-compute-install.rst | 48 +++++-------------- .../neutron-controller-install-option1.rst | 44 ++++++++--------- .../neutron-controller-install-option2.rst | 46 ++++++++---------- .../source/neutron-controller-install.rst | 29 ++--------- 8 files changed, 83 insertions(+), 126 deletions(-) diff --git a/doc/install-guide/source/launch-instance-networks-private.rst b/doc/install-guide/source/launch-instance-networks-private.rst index 6575277408..e0353e6dcb 100644 --- a/doc/install-guide/source/launch-instance-networks-private.rst +++ b/doc/install-guide/source/launch-instance-networks-private.rst 
@@ -84,29 +84,36 @@ Create the private project network .. code-block:: console $ neutron subnet-create private PRIVATE_NETWORK_CIDR --name private \ - --gateway PRIVATE_NETWORK_GATEWAY + --dns-nameserver DNS_RESOLVER --gateway PRIVATE_NETWORK_GATEWAY Replace ``PRIVATE_NETWORK_CIDR`` with the subnet you want to use on the private network. You can use any arbitrary value, although we recommend a network from `RFC 1918 `_. + Replace ``DNS_RESOLVER`` with the IP address of a DNS resolver. In + most cases, you can use one from the ``/etc/resolv.conf`` file on + the host. + Replace ``PRIVATE_NETWORK_GATEWAY`` with the gateway you want to use on the private network, typically the ".1" IP address. **Example** - The private network uses 172.16.1.0/24 with a gateway on 172.16.1.1: + The private network uses 172.16.1.0/24 with a gateway on 172.16.1.1. + A DHCP server assigns each instance an IP address from 172.16.1.2 + to 172.16.1.254. All instances use 8.8.4.4 as a DNS resolver. .. code-block:: console - $ neutron subnet-create private 172.16.1.0/24 --name private --gateway 172.16.1.1 + $ neutron subnet-create private 172.16.1.0/24 --name private + --dns-nameserver 8.8.4.4 --gateway 172.16.1.1 Created a new subnet: +-------------------+------------------------------------------------+ | Field | Value | +-------------------+------------------------------------------------+ | allocation_pools | {"start": "172.16.1.2", "end": "172.16.1.254"} | | cidr | 172.16.1.0/24 | - | dns_nameservers | | + | dns_nameservers | 8.8.4.4 | | enable_dhcp | True | | gateway_ip | 172.16.1.1 | | host_routes | | diff --git a/doc/install-guide/source/launch-instance-networks-public.rst b/doc/install-guide/source/launch-instance-networks-public.rst index 665aa173ca..1f5d76c64c 100644 --- a/doc/install-guide/source/launch-instance-networks-public.rst +++ b/doc/install-guide/source/launch-instance-networks-public.rst 
@@ -89,7 +89,7 @@ Create the public network $ neutron subnet-create public PUBLIC_NETWORK_CIDR --name public \ --allocation-pool start=START_IP_ADDRESS,end=END_IP_ADDRESS\ - --gateway PUBLIC_NETWORK_GATEWAY + --dns-nameserver DNS_RESOLVER --gateway PUBLIC_NETWORK_GATEWAY Replace ``PUBLIC_NETWORK_CIDR`` with the subnet on the public physical network in CIDR notation. @@ -99,26 +99,31 @@ Create the public network for instances. This range must not include any existing active IP addresses. + Replace ``DNS_RESOLVER`` with the IP address of a DNS resolver. In + most cases, you can use one from the ``/etc/resolv.conf`` file on + the host. + Replace ``PUBLIC_NETWORK_GATEWAY`` with the gateway IP address on the public physical network, typically the ".1" IP address. **Example** - The public physical network uses 203.0.113.0/24 with a gateway on - 203.0.113.1 and instances can use 203.0.113.101 to 203.0.113.200. + The public network uses 203.0.113.0/24 with a gateway on 203.0.113.1. + A DHCP server assigns each instance an IP address from 203.0.113.101 + to 203.0.113.200. All instances use 8.8.4.4 as a DNS resolver. .. code-block:: console $ neutron subnet-create public 203.0.113.0/24 --name public \ --allocation-pool start=203.0.113.101,end=203.0.113.200 \ - --gateway 203.0.113.1 + --dns-nameserver 8.8.4.4 --gateway 203.0.113.1 Created a new subnet: +-------------------+----------------------------------------------------+ | Field | Value | +-------------------+----------------------------------------------------+ | allocation_pools | {"start": "203.0.113.101", "end": "203.0.113.200"} | | cidr | 203.0.113.0/24 | - | dns_nameservers | | + | dns_nameservers | 8.8.4.4 | | enable_dhcp | True | | gateway_ip | 203.0.113.1 | | host_routes | | diff --git a/doc/install-guide/source/neutron-compute-install-option1.rst b/doc/install-guide/source/neutron-compute-install-option1.rst index 20f7b80ad5..270672f362 100644 --- a/doc/install-guide/source/neutron-compute-install-option1.rst 
+++ b/doc/install-guide/source/neutron-compute-install-option1.rst @@ -39,16 +39,14 @@ networks and handles security groups. ... prevent_arp_spoofing = True - * In the ``[securitygroup]`` section, enable security groups, enable - :term:`ipset`, and configure the Linux bridge :term:`iptables` firewall - driver: + * In the ``[securitygroup]`` section, enable security groups and + configure the Linux bridge :term:`iptables` firewall driver: .. code-block:: ini [securitygroup] ... enable_security_group = True - enable_ipset = True firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver Return to diff --git a/doc/install-guide/source/neutron-compute-install-option2.rst b/doc/install-guide/source/neutron-compute-install-option2.rst index ccd0ac4a73..82e731638b 100644 --- a/doc/install-guide/source/neutron-compute-install-option2.rst +++ b/doc/install-guide/source/neutron-compute-install-option2.rst @@ -47,16 +47,14 @@ networks and handles security groups. ... prevent_arp_spoofing = True - * In the ``[securitygroup]`` section, enable security groups, enable - :term:`ipset`, and configure the Linux bridge :term:`iptables` firewall - driver: + * In the ``[securitygroup]`` section, enable security groups and + configure the Linux bridge :term:`iptables` firewall driver: .. code-block:: ini [securitygroup] ... enable_security_group = True - enable_ipset = True firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver Return to diff --git a/doc/install-guide/source/neutron-compute-install.rst b/doc/install-guide/source/neutron-compute-install.rst index b1991e8ef7..ada2de9c4b 100644 --- a/doc/install-guide/source/neutron-compute-install.rst +++ b/doc/install-guide/source/neutron-compute-install.rst 
@@ -4,25 +4,6 @@ Install and configure compute node The compute node handles connectivity and :term:`security groups ` for instances. -Prerequisites -------------- - -Before you install and configure OpenStack Networking, you must configure -kernel networking parameters to disable reverse-path filtering: - -#. Edit the ``/etc/sysctl.conf`` file to contain the following parameters: - - .. code-block:: ini - - net.ipv4.conf.all.rp_filter=0 - net.ipv4.conf.default.rp_filter=0 - -#. Implement the changes: - - .. code-block:: console - - # sysctl -p - .. only:: ubuntu or rdo or obs Install the components @@ -38,7 +19,7 @@ Install the components .. code-block:: console - # yum install openstack-neutron-linuxbridge + # yum install openstack-neutron openstack-neutron-linuxbridge .. only:: obs @@ -131,6 +112,16 @@ authentication mechanism, message queue, and plug-in. Comment out or remove any other options in the ``[keystone_authtoken]`` section. + .. only:: rdo + + * In the ``[oslo_concurrency]`` section, configure the lock path: + + .. code-block:: ini + + [oslo_concurrency] + ... + lock_path = /var/lib/neutron/tmp + * (Optional) To assist with troubleshooting, enable verbose logging in the ``[DEFAULT]`` section: 
@@ -198,23 +189,6 @@ Finalize installation # ln -s /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini - #. Due to a packaging issue, the Linux bridge agent initialization script - explicitly looks for the Linux bridge plug-in configuration file rather - than the agent configuration file. Run the following commands to resolve - this issue: - - .. code-block:: console - - # cp /usr/lib/systemd/system/neutron-linuxbridge-agent.service \ - /usr/lib/systemd/system/neutron-linuxbridge-agent.service.orig - # sed -i 's,openvswitch/linuxbridge_neutron_plugin.ini,ml2/linuxbridge_agent.ini,g' \ - /usr/lib/systemd/system/neutron-linuxbridge-agent.service - - .. note:: - - Future upgrades of the ``neutron-linuxbridge-agent`` package may - overwrite this modification. - #. Restart the Compute service: .. code-block:: console diff --git a/doc/install-guide/source/neutron-controller-install-option1.rst b/doc/install-guide/source/neutron-controller-install-option1.rst index 40cfda9528..c0225c61fe 100644 --- a/doc/install-guide/source/neutron-controller-install-option1.rst +++ b/doc/install-guide/source/neutron-controller-install-option1.rst @@ -3,25 +3,6 @@ Networking Option 1: Provider networks Install and configure the Networking components on the *controller* node. -Prerequisites -------------- - -Before you configure networking option 1, you must configure kernel -parameters to disable reverse-path filtering. - -#. Edit the ``/etc/sysctl.conf`` file to contain the following parameters: - - .. code-block:: ini - - net.ipv4.conf.all.rp_filter=0 - net.ipv4.conf.default.rp_filter=0 - -#. Implement the changes: - - .. code-block:: console - - # sysctl -p - Install the components ---------------------- 
@@ -183,6 +164,16 @@ Install the components Replace ``NOVA_PASS`` with the password you chose for the ``nova`` user in the Identity service. + .. only:: rdo + + * In the ``[oslo_concurrency]`` section, configure the lock path: + + .. code-block:: ini + + [oslo_concurrency] + ... + lock_path = /var/lib/neutron/tmp + * (Optional) To assist with troubleshooting, enable verbose logging in the ``[DEFAULT]`` section: @@ -247,6 +238,15 @@ and switching) virtual networking infrastructure for instances. ... flat_networks = public + * In the ``[securitygroup]`` section, enable :term:`ipset` to increase + efficiency of security group rules: + + .. code-block:: ini + + [securitygroup] + ... + enable_ipset = True + Configure the Linux bridge agent -------------------------------- @@ -283,16 +283,14 @@ networks and handles security groups. ... prevent_arp_spoofing = True - * In the ``[securitygroup]`` section, enable security groups, enable - :term:`ipset`, and configure the Linux bridge :term:`iptables` firewall - driver: + * In the ``[securitygroup]`` section, enable security groups and + configure the Linux bridge :term:`iptables` firewall driver: .. code-block:: ini [securitygroup] ... enable_security_group = True - enable_ipset = True firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver Configure the DHCP agent diff --git a/doc/install-guide/source/neutron-controller-install-option2.rst b/doc/install-guide/source/neutron-controller-install-option2.rst index 13dd869585..18a3e57119 100644 --- a/doc/install-guide/source/neutron-controller-install-option2.rst +++ b/doc/install-guide/source/neutron-controller-install-option2.rst 
@@ -3,27 +3,6 @@ Networking Option 2: Self-service networks Install and configure the Networking components on the *controller* node. -Prerequisites -------------- - -Before you configure networking option 2, you must configure kernel -parameters to enable IP forwarding (routing) and disable reverse-path -filtering. - -#. Edit the ``/etc/sysctl.conf`` file to contain the following parameters: - - .. code-block:: ini - - net.ipv4.ip_forward=1 - net.ipv4.conf.all.rp_filter=0 - net.ipv4.conf.default.rp_filter=0 - -#. Implement the changes: - - .. code-block:: console - - # sysctl -p - Install the components ---------------------- @@ -180,6 +159,16 @@ Install the components Replace ``NOVA_PASS`` with the password you chose for the ``nova`` user in the Identity service. + .. only:: rdo + + * In the ``[oslo_concurrency]`` section, configure the lock path: + + .. code-block:: ini + + [oslo_concurrency] + ... + lock_path = /var/lib/neutron/tmp + * (Optional) To assist with troubleshooting, enable verbose logging in the ``[DEFAULT]`` section: @@ -258,6 +247,15 @@ and switching) virtual networking infrastructure for instances. ... vni_ranges = 1:1000 + * In the ``[securitygroup]`` section, enable :term:`ipset` to increase + efficiency of security group rules: + + .. code-block:: ini + + [securitygroup] + ... + enable_ipset = True + Configure the Linux bridge agent -------------------------------- @@ -302,16 +300,14 @@ networks and handles security groups. ... prevent_arp_spoofing = True - * In the ``[securitygroup]`` section, enable security groups, enable - :term:`ipset`, and configure the Linux bridge :term:`iptables` firewall - driver: + * In the ``[securitygroup]`` section, enable security groups and + configure the Linux bridge :term:`iptables` firewall driver: .. code-block:: ini [securitygroup] ... enable_security_group = True - enable_ipset = True firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver Configure the layer-3 agent 
diff --git a/doc/install-guide/source/neutron-controller-install.rst b/doc/install-guide/source/neutron-controller-install.rst index 4eede9e70a..c4a0da290c 100644 --- a/doc/install-guide/source/neutron-controller-install.rst +++ b/doc/install-guide/source/neutron-controller-install.rst @@ -259,23 +259,6 @@ Finalize installation # ln -s /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini - #. Due to a packaging issue, the Linux bridge agent initialization script - explicitly looks for the Linux bridge plug-in configuration file rather - than the agent configuration file. Run the following commands to resolve - this issue: - - .. code-block:: console - - # cp /usr/lib/systemd/system/neutron-linuxbridge-agent.service \ - /usr/lib/systemd/system/neutron-linuxbridge-agent.service.orig - # sed -i 's,openvswitch/linuxbridge_neutron_plugin.ini,ml2/linuxbridge_agent.ini,g' \ - /usr/lib/systemd/system/neutron-linuxbridge-agent.service - - .. note:: - - Future upgrades of the ``neutron-linuxbridge-agent`` package may - overwrite this modification. - #. Populate the database: .. code-block:: console @@ -288,12 +271,11 @@ Finalize installation Database population occurs later for Networking because the script requires complete server and plug-in configuration files. - #. Restart the Compute services: + #. Restart the Compute API service: .. code-block:: console - # systemctl restart openstack-nova-api.service openstack-nova-scheduler.service \ - openstack-nova-conductor.service + # systemctl restart openstack-nova-api.service #. Start the Networking services and configure them to start when the system boots. 
@@ -327,12 +309,11 @@ Finalize installation NEUTRON_PLUGIN_CONF="/etc/neutron/plugins/ml2/ml2_conf.ini" - #. Restart the Compute services: + #. Restart the Compute API service: .. code-block:: console - # systemctl restart openstack-nova-api.service openstack-nova-scheduler.service \ - openstack-nova-conductor.service + # systemctl restart openstack-nova-api.service #. Start the Networking services and configure them to start when the system boots. @@ -371,7 +352,7 @@ Finalize installation Database population occurs later for Networking because the script requires complete server and plug-in configuration files. - #. Restart the nova-api service: + #. Restart the Compute API service: .. code-block:: console
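Review bot: The example command in the launch-instance-networks-private.rst hunk (@@ -84,29 +84,36 @@) is now split over two lines, but the first line, ending in ``--name private``, has no trailing backslash. Copied as shown, it creates the subnet without the resolver or gateway, and the shell then treats ``--dns-nameserver 8.8.4.4 --gateway 172.16.1.1`` as a separate command. Add `` \`` at the end of the first line, as the template command earlier in the same hunk and the public-network example already do.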
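Review bot: The advice to take ``DNS_RESOLVER`` from the host's ``/etc/resolv.conf``, added in launch-instance-networks-public.rst (@@ -99,26 +99,31 @@) and repeated in the private-network file, needs a qualifier. That file can list a loopback address for a local caching resolver, or a resolver on a management network that instances cannot reach, and either value breaks name resolution inside instances. Suggest stating that the address must be reachable from the instance network, and noting that the 8.8.4.4 used in the example is a public resolver, so instance DNS queries leave the deployment unless an internal resolver is substituted.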
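Review bot: Removing the Prerequisites sections from neutron-compute-install.rst (@@ -4,25 +4,6 @@), neutron-controller-install-option1.rst (@@ -3,25 +3,6 @@) and neutron-controller-install-option2.rst (@@ -3,27 +3,6 @@) leaves the guide with no statement about ``rp_filter`` or ``net.ipv4.ip_forward``; only the commit message says neutron handles them. Operators who followed the previous text still carry ``net.ipv4.conf.all.rp_filter=0`` in ``/etc/sysctl.conf``, so a short note saying whether those entries are still required or can be removed would close the gap.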
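Review bot: In neutron-compute-install.rst (@@ -38,7 +19,7 @@) the RDO command now installs ``openstack-neutron`` on compute nodes only for its dependencies, according to the commit message, but the guide text gives no reason. Add a sentence explaining why the package is present and that any services it provides other than the Linux bridge agent are not meant to be enabled on compute nodes, so readers do not start them out of habit.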
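Review bot: The ``lock_path = /var/lib/neutron/tmp`` bullet added under ``.. only:: rdo`` in neutron-compute-install.rst (@@ -131,6 +112,16 @@) and in both controller option files does not say whether the RDO package creates that directory or who owns it. Since lock files live there, state that the directory must exist and be writable only by the neutron service user, or add the step that creates it if packaging does not.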
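Review bot: ``enable_ipset = True`` is removed from the Linux bridge agent ``[securitygroup]`` block in neutron-compute-install-option1.rst (@@ -39,16 +39,14 @@) and neutron-compute-install-option2.rst (@@ -47,16 +47,14 @@), but the only hunks that add it back are in the controller option files, placed before the "Configure the Linux bridge agent" heading. Nothing in the patch sets it for the agent on compute nodes, which is where the iptables firewall driver configured in the same block runs. Please confirm the agent still picks the option up there, or keep the line in the compute-node agent file.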