[install] Liberty updates for neutron

More neutron configuration updates for Liberty including
some changes for RDO packages.

1) Remove explicit configuration of kernel parameters
   because neutron handles them.
2) Explicitly add DNS resolver to virtual networks
   because default value prevents name resolution within
   instances.
3) Move some configuration options to better locations.
4) RDO: Remove workaround for init scripts.
5) RDO: Explicitly configure lock_path in neutron.conf file.
6) RDO: Install openstack-neutron package on compute nodes
   because it also installs packages on which the Linux
   bridge agent depends.

Change-Id: I2c70c64e1272ee33eb364c079d8187ade7235ee2
Implements: blueprint installguide-liberty
Matthew Kassawara 2015-10-22 11:31:10 -06:00
parent 8e7059dfb8
commit 048ef85d2c
8 changed files with 83 additions and 126 deletions

@ -84,29 +84,36 @@ Create the private project network
.. code-block:: console .. code-block:: console
$ neutron subnet-create private PRIVATE_NETWORK_CIDR --name private \ $ neutron subnet-create private PRIVATE_NETWORK_CIDR --name private \
--gateway PRIVATE_NETWORK_GATEWAY --dns-nameserver DNS_RESOLVER --gateway PRIVATE_NETWORK_GATEWAY
Replace ``PRIVATE_NETWORK_CIDR`` with the subnet you want to use on the Replace ``PRIVATE_NETWORK_CIDR`` with the subnet you want to use on the
private network. You can use any arbitrary value, although we recommend private network. You can use any arbitrary value, although we recommend
a network from `RFC 1918 <https://tools.ietf.org/html/rfc1918>`_. a network from `RFC 1918 <https://tools.ietf.org/html/rfc1918>`_.
Replace ``DNS_RESOLVER`` with the IP address of a DNS resolver. In
most cases, you can use one from the ``/etc/resolv.conf`` file on
the host.
Replace ``PRIVATE_NETWORK_GATEWAY`` with the gateway you want to use on Replace ``PRIVATE_NETWORK_GATEWAY`` with the gateway you want to use on
the private network, typically the ".1" IP address. the private network, typically the ".1" IP address.
**Example** **Example**
The private network uses 172.16.1.0/24 with a gateway on 172.16.1.1: The private network uses 172.16.1.0/24 with a gateway on 172.16.1.1.
A DHCP server assigns each instance an IP address from 172.16.1.2
to 172.16.1.254. All instances use 8.8.4.4 as a DNS resolver.
.. code-block:: console .. code-block:: console
$ neutron subnet-create private 172.16.1.0/24 --name private --gateway 172.16.1.1 $ neutron subnet-create private 172.16.1.0/24 --name private
--dns-nameserver 8.8.4.4 --gateway 172.16.1.1
Created a new subnet: Created a new subnet:
+-------------------+------------------------------------------------+ +-------------------+------------------------------------------------+
| Field | Value | | Field | Value |
+-------------------+------------------------------------------------+ +-------------------+------------------------------------------------+
| allocation_pools | {"start": "172.16.1.2", "end": "172.16.1.254"} | | allocation_pools | {"start": "172.16.1.2", "end": "172.16.1.254"} |
| cidr | 172.16.1.0/24 | | cidr | 172.16.1.0/24 |
| dns_nameservers | | | dns_nameservers | 8.8.4.4 |
| enable_dhcp | True | | enable_dhcp | True |
| gateway_ip | 172.16.1.1 | | gateway_ip | 172.16.1.1 |
| host_routes | | | host_routes | |
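
Review bot: in the updated private-network example, the command line ending in `--name private` has no trailing `\`, yet its options continue on the next line (`--dns-nameserver 8.8.4.4 --gateway 172.16.1.1`); the template command at the top of the hunk does use `\`. As written, a reader who pastes the example creates the subnet without the `--dns-nameserver` and `--gateway` options and then gets a shell error for the second line. Add the continuation backslash or keep the command on one line.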

@ -89,7 +89,7 @@ Create the public network
$ neutron subnet-create public PUBLIC_NETWORK_CIDR --name public \ $ neutron subnet-create public PUBLIC_NETWORK_CIDR --name public \
--allocation-pool start=START_IP_ADDRESS,end=END_IP_ADDRESS\ --allocation-pool start=START_IP_ADDRESS,end=END_IP_ADDRESS\
--gateway PUBLIC_NETWORK_GATEWAY --dns-nameserver DNS_RESOLVER --gateway PUBLIC_NETWORK_GATEWAY
Replace ``PUBLIC_NETWORK_CIDR`` with the subnet on the public physical Replace ``PUBLIC_NETWORK_CIDR`` with the subnet on the public physical
network in CIDR notation. network in CIDR notation.
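
Review bot: the unchanged line `--allocation-pool start=START_IP_ADDRESS,end=END_IP_ADDRESS\` directly above the edited option line has no space before the continuation backslash, unlike the first line of the same command. It is safe only while the following line keeps its leading whitespace; since that following line is being edited here anyway, add the space so the template matches the example further down.
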
@ -99,26 +99,31 @@ Create the public network
for instances. This range must not include any existing active IP for instances. This range must not include any existing active IP
addresses. addresses.
Replace ``DNS_RESOLVER`` with the IP address of a DNS resolver. In
most cases, you can use one from the ``/etc/resolv.conf`` file on
the host.
Replace ``PUBLIC_NETWORK_GATEWAY`` with the gateway IP address on the Replace ``PUBLIC_NETWORK_GATEWAY`` with the gateway IP address on the
public physical network, typically the ".1" IP address. public physical network, typically the ".1" IP address.
**Example** **Example**
The public physical network uses 203.0.113.0/24 with a gateway on The public network uses 203.0.113.0/24 with a gateway on 203.0.113.1.
203.0.113.1 and instances can use 203.0.113.101 to 203.0.113.200. A DHCP server assigns each instance an IP address from 203.0.113.101
to 203.0.113.200. All instances use 8.8.4.4 as a DNS resolver.
.. code-block:: console .. code-block:: console
$ neutron subnet-create public 203.0.113.0/24 --name public \ $ neutron subnet-create public 203.0.113.0/24 --name public \
--allocation-pool start=203.0.113.101,end=203.0.113.200 \ --allocation-pool start=203.0.113.101,end=203.0.113.200 \
--gateway 203.0.113.1 --dns-nameserver 8.8.4.4 --gateway 203.0.113.1
Created a new subnet: Created a new subnet:
+-------------------+----------------------------------------------------+ +-------------------+----------------------------------------------------+
| Field | Value | | Field | Value |
+-------------------+----------------------------------------------------+ +-------------------+----------------------------------------------------+
| allocation_pools | {"start": "203.0.113.101", "end": "203.0.113.200"} | | allocation_pools | {"start": "203.0.113.101", "end": "203.0.113.200"} |
| cidr | 203.0.113.0/24 | | cidr | 203.0.113.0/24 |
| dns_nameservers | | | dns_nameservers | 8.8.4.4 |
| enable_dhcp | True | | enable_dhcp | True |
| gateway_ip | 203.0.113.1 | | gateway_ip | 203.0.113.1 |
| host_routes | | | host_routes | |
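
Review bot: the example sentence and command hard-code `8.8.4.4`, while the placeholder guidance added in this same hunk tells readers to take a resolver from the host's `/etc/resolv.conf`. Examples in an install guide get copied verbatim, which would send every instance's DNS queries to an external resolver; say in the example sentence that the address is illustrative, or use a resolver address from the documented 203.0.113.0/24 range.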

@ -39,16 +39,14 @@ networks and handles security groups.
... ...
prevent_arp_spoofing = True prevent_arp_spoofing = True
* In the ``[securitygroup]`` section, enable security groups, enable * In the ``[securitygroup]`` section, enable security groups and
:term:`ipset`, and configure the Linux bridge :term:`iptables` firewall configure the Linux bridge :term:`iptables` firewall driver:
driver:
.. code-block:: ini .. code-block:: ini
[securitygroup] [securitygroup]
... ...
enable_security_group = True enable_security_group = True
enable_ipset = True
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
Return to Return to
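
Review bot: `enable_ipset = True` is dropped from this agent `[securitygroup]` block, and the only place the visible hunks add it back is the `[securitygroup]` bullet inserted before "Configure the Linux bridge agent" in the two controller option files. Please confirm that the Linux bridge agent configured on this page still picks the option up (or that its default is the value you want), and say so in the commit message, which describes this only as moving options to better locations.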

@ -47,16 +47,14 @@ networks and handles security groups.
... ...
prevent_arp_spoofing = True prevent_arp_spoofing = True
* In the ``[securitygroup]`` section, enable security groups, enable * In the ``[securitygroup]`` section, enable security groups and
:term:`ipset`, and configure the Linux bridge :term:`iptables` firewall configure the Linux bridge :term:`iptables` firewall driver:
driver:
.. code-block:: ini .. code-block:: ini
[securitygroup] [securitygroup]
... ...
enable_security_group = True enable_security_group = True
enable_ipset = True
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
Return to Return to

@ -4,25 +4,6 @@ Install and configure compute node
The compute node handles connectivity and :term:`security groups <security The compute node handles connectivity and :term:`security groups <security
group>` for instances. group>` for instances.
Prerequisites
-------------
Before you install and configure OpenStack Networking, you must configure
kernel networking parameters to disable reverse-path filtering:
#. Edit the ``/etc/sysctl.conf`` file to contain the following parameters:
.. code-block:: ini
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.default.rp_filter=0
#. Implement the changes:
.. code-block:: console
# sysctl -p
.. only:: ubuntu or rdo or obs .. only:: ubuntu or rdo or obs
Install the components Install the components
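
Review bot: removing the Prerequisites block leaves the compute-node page silent on `rp_filter`, and the reason ("neutron handles them") lives only in the commit message. Reverse-path filtering is an anti-spoofing control, so a one-line note that no `/etc/sysctl.conf` changes are required would tell readers who applied the earlier `rp_filter=0` step whether they can drop it.
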
@ -38,7 +19,7 @@ Install the components
.. code-block:: console .. code-block:: console
# yum install openstack-neutron-linuxbridge # yum install openstack-neutron openstack-neutron-linuxbridge
.. only:: obs .. only:: obs
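
Review bot: the `yum install` line now pulls in `openstack-neutron` on compute nodes, but the reason (it installs packages the Linux bridge agent depends on) appears only in the commit message. Add a sentence next to the command saying so, and make clear which services this page expects to be started, so the extra package is not read as an instruction to run the server on the compute node.
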
@ -131,6 +112,16 @@ authentication mechanism, message queue, and plug-in.
Comment out or remove any other options in the Comment out or remove any other options in the
``[keystone_authtoken]`` section. ``[keystone_authtoken]`` section.
.. only:: rdo
* In the ``[oslo_concurrency]`` section, configure the lock path:
.. code-block:: ini
[oslo_concurrency]
...
lock_path = /var/lib/neutron/tmp
* (Optional) To assist with troubleshooting, enable verbose logging in the * (Optional) To assist with troubleshooting, enable verbose logging in the
``[DEFAULT]`` section: ``[DEFAULT]`` section:
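
Review bot: the new `lock_path = /var/lib/neutron/tmp` bullet does not say whether the RDO package creates that directory or who owns it. A lock directory should be writable only by the account the neutron services run as, so state that, or add a step that creates it with that ownership; the identical bullet is added in the two controller option files and could share the wording.
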
@ -198,23 +189,6 @@ Finalize installation
# ln -s /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini # ln -s /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini
#. Due to a packaging issue, the Linux bridge agent initialization script
explicitly looks for the Linux bridge plug-in configuration file rather
than the agent configuration file. Run the following commands to resolve
this issue:
.. code-block:: console
# cp /usr/lib/systemd/system/neutron-linuxbridge-agent.service \
/usr/lib/systemd/system/neutron-linuxbridge-agent.service.orig
# sed -i 's,openvswitch/linuxbridge_neutron_plugin.ini,ml2/linuxbridge_agent.ini,g' \
/usr/lib/systemd/system/neutron-linuxbridge-agent.service
.. note::
Future upgrades of the ``neutron-linuxbridge-agent`` package may
overwrite this modification.
#. Restart the Compute service: #. Restart the Compute service:
.. code-block:: console .. code-block:: console
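
Review bot: the removed step patched `neutron-linuxbridge-agent.service` and kept a `.orig` copy, and nothing in the visible change says from which RDO package release the workaround is unnecessary. Name that release in the commit message, since hosts installed from the earlier text still carry the edited unit file with the `.orig` copy beside it.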

@ -3,25 +3,6 @@ Networking Option 1: Provider networks
Install and configure the Networking components on the *controller* node. Install and configure the Networking components on the *controller* node.
Prerequisites
-------------
Before you configure networking option 1, you must configure kernel
parameters to disable reverse-path filtering.
#. Edit the ``/etc/sysctl.conf`` file to contain the following parameters:
.. code-block:: ini
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.default.rp_filter=0
#. Implement the changes:
.. code-block:: console
# sysctl -p
Install the components Install the components
---------------------- ----------------------
@ -183,6 +164,16 @@ Install the components
Replace ``NOVA_PASS`` with the password you chose for the ``nova`` Replace ``NOVA_PASS`` with the password you chose for the ``nova``
user in the Identity service. user in the Identity service.
.. only:: rdo
* In the ``[oslo_concurrency]`` section, configure the lock path:
.. code-block:: ini
[oslo_concurrency]
...
lock_path = /var/lib/neutron/tmp
* (Optional) To assist with troubleshooting, enable verbose logging in * (Optional) To assist with troubleshooting, enable verbose logging in
the ``[DEFAULT]`` section: the ``[DEFAULT]`` section:
@ -247,6 +238,15 @@ and switching) virtual networking infrastructure for instances.
... ...
flat_networks = public flat_networks = public
* In the ``[securitygroup]`` section, enable :term:`ipset` to increase
efficiency of security group rules:
.. code-block:: ini
[securitygroup]
...
enable_ipset = True
Configure the Linux bridge agent Configure the Linux bridge agent
-------------------------------- --------------------------------
@ -283,16 +283,14 @@ networks and handles security groups.
... ...
prevent_arp_spoofing = True prevent_arp_spoofing = True
* In the ``[securitygroup]`` section, enable security groups, enable * In the ``[securitygroup]`` section, enable security groups and
:term:`ipset`, and configure the Linux bridge :term:`iptables` firewall configure the Linux bridge :term:`iptables` firewall driver:
driver:
.. code-block:: ini .. code-block:: ini
[securitygroup] [securitygroup]
... ...
enable_security_group = True enable_security_group = True
enable_ipset = True
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
Configure the DHCP agent Configure the DHCP agent

@ -3,27 +3,6 @@ Networking Option 2: Self-service networks
Install and configure the Networking components on the *controller* node. Install and configure the Networking components on the *controller* node.
Prerequisites
-------------
Before you configure networking option 2, you must configure kernel
parameters to enable IP forwarding (routing) and disable reverse-path
filtering.
#. Edit the ``/etc/sysctl.conf`` file to contain the following parameters:
.. code-block:: ini
net.ipv4.ip_forward=1
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.default.rp_filter=0
#. Implement the changes:
.. code-block:: console
# sysctl -p
Install the components Install the components
---------------------- ----------------------
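
Review bot: unlike the option 1 and compute-node hunks, this removal also deletes `net.ipv4.ip_forward=1`, which the old text tied to routing for self-service networks. The page should say where forwarding is enabled now; otherwise operators who hit a routing problem are likely to re-add a host-wide setting together with `rp_filter=0`.
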
@ -180,6 +159,16 @@ Install the components
Replace ``NOVA_PASS`` with the password you chose for the ``nova`` Replace ``NOVA_PASS`` with the password you chose for the ``nova``
user in the Identity service. user in the Identity service.
.. only:: rdo
* In the ``[oslo_concurrency]`` section, configure the lock path:
.. code-block:: ini
[oslo_concurrency]
...
lock_path = /var/lib/neutron/tmp
* (Optional) To assist with troubleshooting, enable verbose logging in * (Optional) To assist with troubleshooting, enable verbose logging in
the ``[DEFAULT]`` section: the ``[DEFAULT]`` section:
@ -258,6 +247,15 @@ and switching) virtual networking infrastructure for instances.
... ...
vni_ranges = 1:1000 vni_ranges = 1:1000
* In the ``[securitygroup]`` section, enable :term:`ipset` to increase
efficiency of security group rules:
.. code-block:: ini
[securitygroup]
...
enable_ipset = True
Configure the Linux bridge agent Configure the Linux bridge agent
-------------------------------- --------------------------------
@ -302,16 +300,14 @@ networks and handles security groups.
... ...
prevent_arp_spoofing = True prevent_arp_spoofing = True
* In the ``[securitygroup]`` section, enable security groups, enable * In the ``[securitygroup]`` section, enable security groups and
:term:`ipset`, and configure the Linux bridge :term:`iptables` firewall configure the Linux bridge :term:`iptables` firewall driver:
driver:
.. code-block:: ini .. code-block:: ini
[securitygroup] [securitygroup]
... ...
enable_security_group = True enable_security_group = True
enable_ipset = True
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
Configure the layer-3 agent Configure the layer-3 agent

@ -259,23 +259,6 @@ Finalize installation
# ln -s /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini # ln -s /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini
#. Due to a packaging issue, the Linux bridge agent initialization script
explicitly looks for the Linux bridge plug-in configuration file rather
than the agent configuration file. Run the following commands to resolve
this issue:
.. code-block:: console
# cp /usr/lib/systemd/system/neutron-linuxbridge-agent.service \
/usr/lib/systemd/system/neutron-linuxbridge-agent.service.orig
# sed -i 's,openvswitch/linuxbridge_neutron_plugin.ini,ml2/linuxbridge_agent.ini,g' \
/usr/lib/systemd/system/neutron-linuxbridge-agent.service
.. note::
Future upgrades of the ``neutron-linuxbridge-agent`` package may
overwrite this modification.
#. Populate the database: #. Populate the database:
.. code-block:: console .. code-block:: console
@ -288,12 +271,11 @@ Finalize installation
Database population occurs later for Networking because the script Database population occurs later for Networking because the script
requires complete server and plug-in configuration files. requires complete server and plug-in configuration files.
#. Restart the Compute services: #. Restart the Compute API service:
.. code-block:: console .. code-block:: console
# systemctl restart openstack-nova-api.service openstack-nova-scheduler.service \ # systemctl restart openstack-nova-api.service
openstack-nova-conductor.service
#. Start the Networking services and configure them to start when the system #. Start the Networking services and configure them to start when the system
boots. boots.
@ -327,12 +309,11 @@ Finalize installation
NEUTRON_PLUGIN_CONF="/etc/neutron/plugins/ml2/ml2_conf.ini" NEUTRON_PLUGIN_CONF="/etc/neutron/plugins/ml2/ml2_conf.ini"
#. Restart the Compute services: #. Restart the Compute API service:
.. code-block:: console .. code-block:: console
# systemctl restart openstack-nova-api.service openstack-nova-scheduler.service \ # systemctl restart openstack-nova-api.service
openstack-nova-conductor.service
#. Start the Networking services and configure them to start when the system #. Start the Networking services and configure them to start when the system
boots. boots.
@ -371,7 +352,7 @@ Finalize installation
Database population occurs later for Networking because the script Database population occurs later for Networking because the script
requires complete server and plug-in configuration files. requires complete server and plug-in configuration files.
#. Restart the nova-api service: #. Restart the Compute API service:
.. code-block:: console .. code-block:: console