diff --git a/doc/install-guide/source/environment-networking.rst b/doc/install-guide/source/environment-networking.rst index 02905aff8d..3312ed87d8 100644 --- a/doc/install-guide/source/environment-networking.rst +++ b/doc/install-guide/source/environment-networking.rst @@ -1,3 +1,5 @@ +.. _environment-networking: + Host networking ~~~~~~~~~~~~~~~ diff --git a/doc/install-guide/source/neutron-compute-install-option1.rst b/doc/install-guide/source/neutron-compute-install-option1.rst index a18e83e8a1..101dd7bdcd 100644 --- a/doc/install-guide/source/neutron-compute-install-option1.rst +++ b/doc/install-guide/source/neutron-compute-install-option1.rst @@ -7,22 +7,22 @@ Configure the Linux bridge agent -------------------------------- The Linux bridge agent builds layer-2 (bridging and switching) virtual -networking infrastructure for instances including VXLAN tunnels for private -networks and handles security groups. +networking infrastructure for instances and handles security groups. * Edit the ``/etc/neutron/plugins/ml2/linuxbridge_agent.ini`` file and complete the following actions: - * In the ``[linux_bridge]`` section, map the public virtual network to the - public physical network interface: + * In the ``[linux_bridge]`` section, map the provider virtual network to the + provider physical network interface: .. code-block:: ini [linux_bridge] - physical_interface_mappings = public:PUBLIC_INTERFACE_NAME + physical_interface_mappings = provider:PROVIDER_INTERFACE_NAME - Replace ``PUBLIC_INTERFACE_NAME`` with the name of the underlying physical - public network interface. + Replace ``PROVIDER_INTERFACE_NAME`` with the name of the underlying + provider physical network interface. See :ref:`environment-networking` + for more information. * In the ``[vxlan]`` section, disable VXLAN overlay networks: 
@@ -31,14 +31,6 @@ networks and handles security groups. [vxlan] enable_vxlan = False - * In the ``[agent]`` section, enable ARP spoofing protection: - - .. code-block:: ini - - [agent] - ... - prevent_arp_spoofing = True - * In the ``[securitygroup]`` section, enable security groups and configure the Linux bridge :term:`iptables` firewall driver: diff --git a/doc/install-guide/source/neutron-compute-install-option2.rst b/doc/install-guide/source/neutron-compute-install-option2.rst index 3d253cecc0..8bcfe44979 100644 --- a/doc/install-guide/source/neutron-compute-install-option2.rst +++ b/doc/install-guide/source/neutron-compute-install-option2.rst @@ -7,22 +7,22 @@ Configure the Linux bridge agent -------------------------------- The Linux bridge agent builds layer-2 (bridging and switching) virtual -networking infrastructure for instances including VXLAN tunnels for private -networks and handles security groups. +networking infrastructure for instances and handles security groups. * Edit the ``/etc/neutron/plugins/ml2/linuxbridge_agent.ini`` file and complete the following actions: - * In the ``[linux_bridge]`` section, map the public virtual network to the - public physical network interface: + * In the ``[linux_bridge]`` section, map the provider virtual network to the + provider physical network interface: .. code-block:: ini [linux_bridge] - physical_interface_mappings = public:PUBLIC_INTERFACE_NAME + physical_interface_mappings = provider:PROVIDER_INTERFACE_NAME - Replace ``PUBLIC_INTERFACE_NAME`` with the name of the underlying physical - public network interface. + Replace ``PROVIDER_INTERFACE_NAME`` with the name of the underlying + provider physical network interface. See :ref:`environment-networking` + for more information. * In the ``[vxlan]`` section, enable VXLAN overlay networks, configure the IP address of the physical network interface that handles overlay 
@@ -39,15 +39,8 @@ networks and handles security groups. underlying physical network interface that handles overlay networks. The example architecture uses the management interface to tunnel traffic to the other nodes. Therefore, replace ``OVERLAY_INTERFACE_IP_ADDRESS`` with - each node's own management IP address. - - * In the ``[agent]`` section, enable ARP spoofing protection: - - .. code-block:: ini - - [agent] - ... - prevent_arp_spoofing = True + the management IP address of the compute node. See + :ref:`environment-networking` for more information. * In the ``[securitygroup]`` section, enable security groups and configure the Linux bridge :term:`iptables` firewall driver: diff --git a/doc/install-guide/source/neutron-compute-install.rst b/doc/install-guide/source/neutron-compute-install.rst index b64e19c225..37098d5e59 100644 --- a/doc/install-guide/source/neutron-compute-install.rst +++ b/doc/install-guide/source/neutron-compute-install.rst @@ -19,13 +19,13 @@ Install the components .. code-block:: console - # yum install openstack-neutron openstack-neutron-linuxbridge ebtables ipset + # yum install openstack-neutron-linuxbridge ebtables .. only:: obs .. code-block:: console - # zypper install --no-recommends openstack-neutron-linuxbridge-agent ipset + # zypper install --no-recommends openstack-neutron-linuxbridge-agent .. only:: debian @@ -123,15 +123,6 @@ authentication mechanism, message queue, and plug-in. ... lock_path = /var/lib/neutron/tmp - * (Optional) To assist with troubleshooting, enable verbose logging in the - ``[DEFAULT]`` section: - - .. code-block:: ini - - [DEFAULT] - ... - verbose = True - Configure networking options ---------------------------- diff --git a/doc/install-guide/source/neutron-controller-install-option1.rst b/doc/install-guide/source/neutron-controller-install-option1.rst index ba398f8354..e7c2fc3168 100644 --- a/doc/install-guide/source/neutron-controller-install-option1.rst 
+++ b/doc/install-guide/source/neutron-controller-install-option1.rst @@ -12,7 +12,7 @@ Install the components # apt-get install neutron-server neutron-plugin-ml2 \ neutron-plugin-linuxbridge-agent neutron-dhcp-agent \ - neutron-metadata-agent python-neutronclient conntrack + neutron-metadata-agent conntrack .. only:: debian @@ -42,7 +42,7 @@ Install the components .. code-block:: console # yum install openstack-neutron openstack-neutron-ml2 \ - openstack-neutron-linuxbridge python-neutronclient ebtables ipset + openstack-neutron-linuxbridge ebtables .. only:: obs @@ -50,8 +50,7 @@ Install the components # zypper install --no-recommends openstack-neutron \ openstack-neutron-server openstack-neutron-linuxbridge-agent \ - openstack-neutron-dhcp-agent openstack-neutron-metadata-agent \ - ipset + openstack-neutron-dhcp-agent openstack-neutron-metadata-agent .. only:: debian @@ -78,7 +77,6 @@ Install the components ... notify_nova_on_port_status_changes = True notify_nova_on_port_data_changes = True - nova_url = http://controller:8774/v2 [nova] ... @@ -185,7 +183,6 @@ Install the components ... notify_nova_on_port_status_changes = True notify_nova_on_port_data_changes = True - nova_url = http://controller:8774/v2 [nova] ... @@ -211,15 +208,6 @@ Install the components ... lock_path = /var/lib/neutron/tmp - * (Optional) To assist with troubleshooting, enable verbose logging in - the ``[DEFAULT]`` section: - - .. code-block:: ini - - [DEFAULT] - ... - verbose = True - Configure the Modular Layer 2 (ML2) plug-in ------------------------------------------- @@ -237,7 +225,7 @@ and switching) virtual networking infrastructure for instances. ... type_drivers = flat,vlan - * In the ``[ml2]`` section, disable project (private) networks: + * In the ``[ml2]`` section, disable self-service networks: .. code-block:: ini 
@@ -266,14 +254,14 @@ and switching) virtual networking infrastructure for instances. ... extension_drivers = port_security - * In the ``[ml2_type_flat]`` section, configure the public flat provider - network: + * In the ``[ml2_type_flat]`` section, configure the provider virtual + network as a flat network: .. code-block:: ini [ml2_type_flat] ... - flat_networks = public + flat_networks = provider * In the ``[securitygroup]`` section, enable :term:`ipset` to increase efficiency of security group rules: @@ -288,22 +276,22 @@ Configure the Linux bridge agent -------------------------------- The Linux bridge agent builds layer-2 (bridging and switching) virtual -networking infrastructure for instances including VXLAN tunnels for private -networks and handles security groups. +networking infrastructure for instances and handles security groups. * Edit the ``/etc/neutron/plugins/ml2/linuxbridge_agent.ini`` file and complete the following actions: - * In the ``[linux_bridge]`` section, map the public virtual network to the - public physical network interface: + * In the ``[linux_bridge]`` section, map the provider virtual network to the + provider physical network interface: .. code-block:: ini [linux_bridge] - physical_interface_mappings = public:PUBLIC_INTERFACE_NAME + physical_interface_mappings = provider:PROVIDER_INTERFACE_NAME - Replace ``PUBLIC_INTERFACE_NAME`` with the name of the underlying physical - public network interface. + Replace ``PROVIDER_INTERFACE_NAME`` with the name of the underlying + provider physical network interface. See :ref:`environment-networking` + for more information. * In the ``[vxlan]`` section, disable VXLAN overlay networks: 
@@ -312,14 +300,6 @@ networks and handles security groups. [vxlan] enable_vxlan = False - * In the ``[agent]`` section, enable ARP spoofing protection: - - .. code-block:: ini - - [agent] - ... - prevent_arp_spoofing = True - * In the ``[securitygroup]`` section, enable security groups and configure the Linux bridge :term:`iptables` firewall driver: @@ -339,7 +319,7 @@ The :term:`DHCP agent` provides DHCP services for virtual networks. actions: * In the ``[DEFAULT]`` section, configure the Linux bridge interface driver, - Dnsmasq DHCP driver, and enable isolated metadata so instances on public + Dnsmasq DHCP driver, and enable isolated metadata so instances on provider networks can access metadata over the network: .. code-block:: ini @@ -350,15 +330,6 @@ The :term:`DHCP agent` provides DHCP services for virtual networks. dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq enable_isolated_metadata = True - * (Optional) To assist with troubleshooting, enable verbose logging in the - ``[DEFAULT]`` section: - - .. code-block:: ini - - [DEFAULT] - ... - verbose = True - Return to :ref:`Networking controller node configuration `. diff --git a/doc/install-guide/source/neutron-controller-install-option2.rst b/doc/install-guide/source/neutron-controller-install-option2.rst index 001a5972ab..6a936f134b 100644 --- a/doc/install-guide/source/neutron-controller-install-option2.rst +++ b/doc/install-guide/source/neutron-controller-install-option2.rst @@ -12,14 +12,14 @@ Install the components # apt-get install neutron-server neutron-plugin-ml2 \ neutron-plugin-linuxbridge-agent neutron-l3-agent neutron-dhcp-agent \ - neutron-metadata-agent python-neutronclient conntrack + neutron-metadata-agent conntrack .. only:: rdo .. code-block:: console # yum install openstack-neutron openstack-neutron-ml2 \ - openstack-neutron-linuxbridge python-neutronclient ebtables ipset + openstack-neutron-linuxbridge ebtables .. only:: obs 
@@ -28,7 +28,7 @@ Install the components # zypper install --no-recommends openstack-neutron \ openstack-neutron-server openstack-neutron-linuxbridge-agent \ openstack-neutron-l3-agent openstack-neutron-dhcp-agent \ - openstack-neutron-metadata-agent ipset + openstack-neutron-metadata-agent .. only:: debian @@ -144,7 +144,6 @@ Install the components ... notify_nova_on_port_status_changes = True notify_nova_on_port_data_changes = True - nova_url = http://controller:8774/v2 [nova] ... @@ -170,15 +169,6 @@ Install the components ... lock_path = /var/lib/neutron/tmp - * (Optional) To assist with troubleshooting, enable verbose logging in - the ``[DEFAULT]`` section: - - .. code-block:: ini - - [DEFAULT] - ... - verbose = True - Configure the Modular Layer 2 (ML2) plug-in ------------------------------------------- @@ -196,7 +186,7 @@ and switching) virtual networking infrastructure for instances. ... type_drivers = flat,vlan,vxlan - * In the ``[ml2]`` section, enable VXLAN project (private) networks: + * In the ``[ml2]`` section, enable VXLAN self-service networks: .. code-block:: ini @@ -230,17 +220,17 @@ and switching) virtual networking infrastructure for instances. ... extension_drivers = port_security - * In the ``[ml2_type_flat]`` section, configure the public flat provider - network: + * In the ``[ml2_type_flat]`` section, configure the provider virtual + network as a flat network: .. code-block:: ini [ml2_type_flat] ... - flat_networks = public + flat_networks = provider * In the ``[ml2_type_vxlan]`` section, configure the VXLAN network identifier - range for private networks: + range for self-service networks: .. code-block:: ini 
@@ -261,22 +251,22 @@ Configure the Linux bridge agent -------------------------------- The Linux bridge agent builds layer-2 (bridging and switching) virtual -networking infrastructure for instances including VXLAN tunnels for private -networks and handles security groups. +networking infrastructure for instances and handles security groups. * Edit the ``/etc/neutron/plugins/ml2/linuxbridge_agent.ini`` file and complete the following actions: - * In the ``[linux_bridge]`` section, map the public virtual network to the - public physical network interface: + * In the ``[linux_bridge]`` section, map the provider virtual network to the + provider physical network interface: .. code-block:: ini [linux_bridge] - physical_interface_mappings = public:PUBLIC_INTERFACE_NAME + physical_interface_mappings = provider:PROVIDER_INTERFACE_NAME - Replace ``PUBLIC_INTERFACE_NAME`` with the name of the underlying physical - public network interface. + Replace ``PROVIDER_INTERFACE_NAME`` with the name of the underlying + provider physical network interface. See :ref:`environment-networking` + for more information. * In the ``[vxlan]`` section, enable VXLAN overlay networks, configure the IP address of the physical network interface that handles overlay @@ -293,15 +283,8 @@ networks and handles security groups. underlying physical network interface that handles overlay networks. The example architecture uses the management interface to tunnel traffic to the other nodes. Therefore, replace ``OVERLAY_INTERFACE_IP_ADDRESS`` with - each node's own management IP address. - - * In the ``[agent]`` section, enable ARP spoofing protection: - - .. code-block:: ini - - [agent] - ... - prevent_arp_spoofing = True + the management IP address of the controller node. See + :ref:`environment-networking` for more information. * In the ``[securitygroup]`` section, enable security groups and configure the Linux bridge :term:`iptables` firewall driver: 
@@ -316,8 +299,8 @@ networks and handles security groups. Configure the layer-3 agent --------------------------- -The :term:`Layer-3 (L3) agent` provides routing and NAT services for virtual -networks. +The :term:`Layer-3 (L3) agent` provides routing and NAT services for +self-service virtual networks. * Edit the ``/etc/neutron/l3_agent.ini`` file and complete the following actions: @@ -337,15 +320,6 @@ networks. The ``external_network_bridge`` option intentionally lacks a value to enable multiple external networks on a single agent. - * (Optional) To assist with troubleshooting, enable verbose logging in the - ``[DEFAULT]`` section: - - .. code-block:: ini - - [DEFAULT] - ... - verbose = True - Configure the DHCP agent ------------------------ @@ -355,7 +329,7 @@ The :term:`DHCP agent` provides DHCP services for virtual networks. actions: * In the ``[DEFAULT]`` section, configure the Linux bridge interface driver, - Dnsmasq DHCP driver, and enable isolated metadata so instances on public + Dnsmasq DHCP driver, and enable isolated metadata so instances on provider networks can access metadata over the network: .. code-block:: ini 
@@ -366,59 +340,6 @@ The :term:`DHCP agent` provides DHCP services for virtual networks. dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq enable_isolated_metadata = True - * (Optional) To assist with troubleshooting, enable verbose logging in the - ``[DEFAULT]`` section: - - .. code-block:: ini - - [DEFAULT] - ... - verbose = True - - Overlay networks such as VXLAN include additional packet headers that - increase overhead and decrease space available for the payload or user - data. Without knowledge of the virtual network infrastructure, instances - attempt to send packets using the default Ethernet :term:`maximum - transmission unit (MTU)` of 1500 bytes. :term:`Internet protocol (IP)` - networks contain the :term:`path MTU discovery (PMTUD)` mechanism to detect - end-to-end MTU and adjust packet size accordingly. However, some operating - systems and networks block or otherwise lack support for PMTUD causing - performance degradation or connectivity failure. - - Ideally, you can prevent these problems by enabling :term:`jumbo frames - ` on the physical network that contains your tenant virtual - networks. Jumbo frames support MTUs up to approximately 9000 bytes which - negates the impact of VXLAN overhead on virtual networks. However, many - network devices lack support for jumbo frames and OpenStack administrators - often lack control over network infrastructure. Given the latter - complications, you can also prevent MTU problems by reducing the - instance MTU to account for VXLAN overhead. Determining the proper MTU - value often takes experimentation, but 1450 bytes works in most - environments. You can configure the DHCP server that assigns IP - addresses to your instances to also adjust the MTU. - - .. note:: - - Some cloud images ignore the DHCP MTU option in which case you - should configure it using metadata, a script, or other suitable - method. - - * In the ``[DEFAULT]`` section, enable the :term:`dnsmasq` configuration - file: - - .. 
code-block:: ini - - [DEFAULT] - ... - dnsmasq_config_file = /etc/neutron/dnsmasq-neutron.conf - - * Create and edit the ``/etc/neutron/dnsmasq-neutron.conf`` file to - enable the DHCP MTU option (26) and configure it to 1450 bytes: - - .. code-block:: ini - - dhcp-option-force=26,1450 - Return to :ref:`Networking controller node configuration `. diff --git a/doc/install-guide/source/neutron-controller-install.rst b/doc/install-guide/source/neutron-controller-install.rst index d94fb5ff0c..eabf70de67 100644 --- a/doc/install-guide/source/neutron-controller-install.rst +++ b/doc/install-guide/source/neutron-controller-install.rst 
@@ -147,20 +147,29 @@ You can deploy the Networking service using one of two architectures represented by options 1 and 2. Option 1 deploys the simplest possible architecture that only supports -attaching instances to public (provider) networks. No self-service +attaching instances to provider (external) networks. No self-service (private) networks, routers, or floating IP addresses. Only the ``admin`` or other privileged user can manage provider networks. Option 2 augments option 1 with layer-3 services that support attaching -instances to self-service (private) networks. The ``demo`` or other -unprivileged user can manage self-service networks including routers that -provide connectivity between self-service and provider networks. Additionally, +instances to self-service networks. The ``demo`` or other unprivileged +user can manage self-service networks including routers that provide +connectivity between self-service and provider networks. Additionally, floating IP addresses provide connectivity to instances using self-service networks from external networks such as the Internet. +Self-service networks typically use overlay networks. Overlay network +protocols such as VXLAN include additional headers that increase overhead +and decrease space available for the payload or user data. Without knowledge +of the virtual network infrastructure, instances attempt to send packets +using the default Ethernet :term:`maximum transmission unit (MTU)` of 1500 +bytes. The Networking service automatically provides the correct MTU value +to instances via DHCP. However, some cloud images do not use DHCP or ignore +the DHCP MTU option and require configuration using metadata or a script. + .. note:: - Option 2 also supports attaching instances to public (provider) networks. + Option 2 also supports attaching instances to provider networks. Choose one of the following networking options to configure services specific to it. Afterwards, return here and proceed to 
@@ -183,53 +192,18 @@ such as credentials to instances. * Edit the ``/etc/neutron/metadata_agent.ini`` file and complete the following actions: - * In the ``[DEFAULT]`` section, configure access parameters: - - .. code-block:: ini - - [DEFAULT] - ... - auth_uri = http://controller:5000 - auth_url = http://controller:35357 - auth_region = RegionOne - auth_type = password - project_domain_id = default - user_domain_id = default - project_name = service - username = neutron - password = NEUTRON_PASS - - Replace ``NEUTRON_PASS`` with the password you chose for the ``neutron`` - user in the Identity service. - - * In the ``[DEFAULT]`` section, configure the metadata host: - - .. code-block:: ini - - [DEFAULT] - ... - nova_metadata_ip = controller - - * In the ``[DEFAULT]`` section, configure the metadata proxy shared + * In the ``[DEFAULT]`` section, configure the metadata host and shared secret: .. code-block:: ini [DEFAULT] ... + nova_metadata_ip = controller metadata_proxy_shared_secret = METADATA_SECRET Replace ``METADATA_SECRET`` with a suitable secret for the metadata proxy. - * (Optional) To assist with troubleshooting, enable verbose logging in the - ``[DEFAULT]`` section: - - .. code-block:: ini - - [DEFAULT] - ... - verbose = True - Configure Compute to use Networking ----------------------------------- diff --git a/doc/install-guide/source/neutron-verify.rst b/doc/install-guide/source/neutron-verify.rst index b7cacbbe6f..cb841a9cba 100644 --- a/doc/install-guide/source/neutron-verify.rst +++ b/doc/install-guide/source/neutron-verify.rst @@ -45,6 +45,10 @@ Verify operation | dvr | Distributed Virtual Router | +-----------------------+-----------------------------------------------+ + .. note:: + + Actual output may differ slightly from this example. + Use the verification section for the networking option that you chose to deploy.
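Review bot: Dropping the ``prevent_arp_spoofing = True`` step from the ``[agent]`` section of ``linuxbridge_agent.ini`` leaves the guide silent on whether ARP spoofing protection is still in effect. This applies to the -31,14 hunks in neutron-compute-install-option1.rst and neutron-compute-install-option2.rst (-39,15 there), and to the -312,14 and -293,15 hunks in the two controller option files. Nothing in the patch says the agent enables it by default. Please confirm the default for the release this guide targets and say so in the commit message. If the option is off or gone by default, keep the step or replace it with a sentence naming what now provides the protection, since the same section still tells the reader that the agent "handles security groups".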
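Review bot: ``ipset`` is removed from the yum and zypper install lines (neutron-compute-install.rst -19,13; controller option 1 -42,7 and -50,8; controller option 2 -12,14 and -28,7), but the unchanged context in controller option 1 still instructs "In the ``[securitygroup]`` section, enable :term:`ipset` to increase efficiency of security group rules". Please confirm that ``openstack-neutron-linuxbridge`` and ``openstack-neutron-linuxbridge-agent`` pull in ipset as a dependency on both distributions, otherwise the guide enables a feature it no longer installs. In the same compute hunk the yum line also drops ``openstack-neutron`` while the controller yum lines keep it. If that is intentional, a word in the commit message would help.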
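Review bot: The ``nova_url = http://controller:8774/v2`` line is removed from ``[DEFAULT]`` (controller option 1 at -78,7 and -185,7, controller option 2 at -144,7) while ``notify_nova_on_port_status_changes`` and ``notify_nova_on_port_data_changes`` stay ``True``. Please confirm that the ``[nova]`` section that follows is sufficient for the server to locate the Compute endpoint for those notifications, and mention the reason for the removal in the commit message so readers of older guides know the option is no longer needed.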
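Review bot: The new MTU paragraph in neutron-controller-install.rst (-147,20) tells operators that some images "require configuration using metadata or a script" but no longer gives them a value to configure. The text removed from controller option 2 (-366,59) stated that 1450 bytes works in most environments and showed ``dhcp-option-force=26,1450``. Suggest keeping one sentence with the VXLAN overhead or the resulting instance MTU, or pointing to where the network's MTU can be read. The claim that the Networking service "automatically provides the correct MTU value" should also name the release or setting it depends on, since the patch shows no configuration that enables it. Minor: the first paragraph of this hunk still reads "self-service (private) networks" while the rest of the patch drops "private".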
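Review bot: In the ``metadata_agent.ini`` hunk (neutron-controller-install.rst -183,53), "Replace ``METADATA_SECRET`` with a suitable secret for the metadata proxy" gives no guidance on what suitable means, and after this change it is the only credential left in the file. The section header context notes that this agent provides information "such as credentials to instances", so a weak or reused value matters here. Suggest asking for a randomly generated value and cross-referencing the "Configure Compute to use Networking" section that follows if it expects the same secret. Also, the bullet now reads "configure the metadata host and shared secret" but only ``METADATA_SECRET`` is explained below the block. A short clause on what ``nova_metadata_ip = controller`` refers to would match the rest of the guide.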