Install: Neutron updates for Mitaka

Update neutron content for Mitaka.

1) Change 'public' to 'provider' and 'private' to
   'self-service' to improve distinction between these
   networks using neutronish terms.
2) Remove explicit installation of some packages due to
   dependency fixes.
3) Remove explicit configuration of verbosity.
4) Remove explicit configuration of ARP spoofing protection.
5) Remove extraneous configuration for the metadata agent.
6) Remove extraneous configuration for nova-neutron
   interaction.
7) Reduce discussion of MTU because Mitaka fixes most
   of the issues, but we still need to explain the
   most limitation of overlay networks.
8) Generally improve wording.

Implements: blueprint installguide-mitaka
Change-Id: I3beff125b2eb8d264048530dc3bad7d346d2828b
Matthew Kassawara 2016-03-02 12:55:37 -07:00
parent 415af6cd59
commit 117606139c
8 changed files with 75 additions and 227 deletions


@ -1,3 +1,5 @@
.. _environment-networking:
Host networking
~~~~~~~~~~~~~~~


@ -7,22 +7,22 @@ Configure the Linux bridge agent
--------------------------------
The Linux bridge agent builds layer-2 (bridging and switching) virtual
networking infrastructure for instances including VXLAN tunnels for private
networks and handles security groups.
networking infrastructure for instances and handles security groups.
* Edit the ``/etc/neutron/plugins/ml2/linuxbridge_agent.ini`` file and
complete the following actions:
* In the ``[linux_bridge]`` section, map the public virtual network to the
public physical network interface:
* In the ``[linux_bridge]`` section, map the provider virtual network to the
provider physical network interface:
.. code-block:: ini
[linux_bridge]
physical_interface_mappings = public:PUBLIC_INTERFACE_NAME
physical_interface_mappings = provider:PROVIDER_INTERFACE_NAME
Replace ``PUBLIC_INTERFACE_NAME`` with the name of the underlying physical
public network interface.
Replace ``PROVIDER_INTERFACE_NAME`` with the name of the underlying
provider physical network interface. See :ref:`environment-networking`
for more information.
* In the ``[vxlan]`` section, disable VXLAN overlay networks:
@ -31,14 +31,6 @@ networks and handles security groups.
[vxlan]
enable_vxlan = False
* In the ``[agent]`` section, enable ARP spoofing protection:
.. code-block:: ini
[agent]
...
prevent_arp_spoofing = True
* In the ``[securitygroup]`` section, enable security groups and
configure the Linux bridge :term:`iptables` firewall driver:
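Review bot: Removing the ``[agent]`` step with ``prevent_arp_spoofing = True`` leaves this page silent on whether ARP spoofing protection is active for instances bridged onto the provider physical interface. The commit message lists the removal without a reason. If the change relies on the option's default, say so in the commit message or in a one-line note next to the ``[securitygroup]`` step, so operators know the protection is expected to be on even though the setting no longer appears in ``linuxbridge_agent.ini``. The same comment applies to the identical removals in the other Linux bridge agent sections of this change.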


@ -7,22 +7,22 @@ Configure the Linux bridge agent
--------------------------------
The Linux bridge agent builds layer-2 (bridging and switching) virtual
networking infrastructure for instances including VXLAN tunnels for private
networks and handles security groups.
networking infrastructure for instances and handles security groups.
* Edit the ``/etc/neutron/plugins/ml2/linuxbridge_agent.ini`` file and
complete the following actions:
* In the ``[linux_bridge]`` section, map the public virtual network to the
public physical network interface:
* In the ``[linux_bridge]`` section, map the provider virtual network to the
provider physical network interface:
.. code-block:: ini
[linux_bridge]
physical_interface_mappings = public:PUBLIC_INTERFACE_NAME
physical_interface_mappings = provider:PROVIDER_INTERFACE_NAME
Replace ``PUBLIC_INTERFACE_NAME`` with the name of the underlying physical
public network interface.
Replace ``PROVIDER_INTERFACE_NAME`` with the name of the underlying
provider physical network interface. See :ref:`environment-networking`
for more information.
* In the ``[vxlan]`` section, enable VXLAN overlay networks, configure the
IP address of the physical network interface that handles overlay
@ -39,15 +39,8 @@ networks and handles security groups.
underlying physical network interface that handles overlay networks. The
example architecture uses the management interface to tunnel traffic to
the other nodes. Therefore, replace ``OVERLAY_INTERFACE_IP_ADDRESS`` with
each node's own management IP address.
* In the ``[agent]`` section, enable ARP spoofing protection:
.. code-block:: ini
[agent]
...
prevent_arp_spoofing = True
the management IP address of the compute node. See
:ref:`environment-networking` for more information.
* In the ``[securitygroup]`` section, enable security groups and
configure the Linux bridge :term:`iptables` firewall driver:


@ -19,13 +19,13 @@ Install the components
.. code-block:: console
# yum install openstack-neutron openstack-neutron-linuxbridge ebtables ipset
# yum install openstack-neutron-linuxbridge ebtables
.. only:: obs
.. code-block:: console
# zypper install --no-recommends openstack-neutron-linuxbridge-agent ipset
# zypper install --no-recommends openstack-neutron-linuxbridge-agent
.. only:: debian
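Review bot: In the ``obs`` block, ``ipset`` is dropped from a ``zypper install --no-recommends`` line, so it is installed only if ``openstack-neutron-linuxbridge-agent`` declares it as a hard requirement rather than a recommendation. Please confirm that for the SUSE package, and for the ``yum`` line confirm that ``openstack-neutron-linuxbridge`` pulls in both ``openstack-neutron`` and ``ipset``. Otherwise keep the explicit names. The commit message says only "dependency fixes" and does not name the packages or distributions that were checked.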
@ -123,15 +123,6 @@ authentication mechanism, message queue, and plug-in.
...
lock_path = /var/lib/neutron/tmp
* (Optional) To assist with troubleshooting, enable verbose logging in the
``[DEFAULT]`` section:
.. code-block:: ini
[DEFAULT]
...
verbose = True
Configure networking options
----------------------------


@ -12,7 +12,7 @@ Install the components
# apt-get install neutron-server neutron-plugin-ml2 \
neutron-plugin-linuxbridge-agent neutron-dhcp-agent \
neutron-metadata-agent python-neutronclient conntrack
neutron-metadata-agent conntrack
.. only:: debian
@ -42,7 +42,7 @@ Install the components
.. code-block:: console
# yum install openstack-neutron openstack-neutron-ml2 \
openstack-neutron-linuxbridge python-neutronclient ebtables ipset
openstack-neutron-linuxbridge ebtables
.. only:: obs
@ -50,8 +50,7 @@ Install the components
# zypper install --no-recommends openstack-neutron \
openstack-neutron-server openstack-neutron-linuxbridge-agent \
openstack-neutron-dhcp-agent openstack-neutron-metadata-agent \
ipset
openstack-neutron-dhcp-agent openstack-neutron-metadata-agent
.. only:: debian
@ -78,7 +77,6 @@ Install the components
...
notify_nova_on_port_status_changes = True
notify_nova_on_port_data_changes = True
nova_url = http://controller:8774/v2
[nova]
...
@ -185,7 +183,6 @@ Install the components
...
notify_nova_on_port_status_changes = True
notify_nova_on_port_data_changes = True
nova_url = http://controller:8774/v2
[nova]
...
@ -211,15 +208,6 @@ Install the components
...
lock_path = /var/lib/neutron/tmp
* (Optional) To assist with troubleshooting, enable verbose logging in
the ``[DEFAULT]`` section:
.. code-block:: ini
[DEFAULT]
...
verbose = True
Configure the Modular Layer 2 (ML2) plug-in
-------------------------------------------
@ -237,7 +225,7 @@ and switching) virtual networking infrastructure for instances.
...
type_drivers = flat,vlan
* In the ``[ml2]`` section, disable project (private) networks:
* In the ``[ml2]`` section, disable self-service networks:
.. code-block:: ini
@ -266,14 +254,14 @@ and switching) virtual networking infrastructure for instances.
...
extension_drivers = port_security
* In the ``[ml2_type_flat]`` section, configure the public flat provider
network:
* In the ``[ml2_type_flat]`` section, configure the provider virtual
network as a flat network:
.. code-block:: ini
[ml2_type_flat]
...
flat_networks = public
flat_networks = provider
* In the ``[securitygroup]`` section, enable :term:`ipset` to increase
efficiency of security group rules:
@ -288,22 +276,22 @@ Configure the Linux bridge agent
--------------------------------
The Linux bridge agent builds layer-2 (bridging and switching) virtual
networking infrastructure for instances including VXLAN tunnels for private
networks and handles security groups.
networking infrastructure for instances and handles security groups.
* Edit the ``/etc/neutron/plugins/ml2/linuxbridge_agent.ini`` file and
complete the following actions:
* In the ``[linux_bridge]`` section, map the public virtual network to the
public physical network interface:
* In the ``[linux_bridge]`` section, map the provider virtual network to the
provider physical network interface:
.. code-block:: ini
[linux_bridge]
physical_interface_mappings = public:PUBLIC_INTERFACE_NAME
physical_interface_mappings = provider:PROVIDER_INTERFACE_NAME
Replace ``PUBLIC_INTERFACE_NAME`` with the name of the underlying physical
public network interface.
Replace ``PROVIDER_INTERFACE_NAME`` with the name of the underlying
provider physical network interface. See :ref:`environment-networking`
for more information.
* In the ``[vxlan]`` section, disable VXLAN overlay networks:
@ -312,14 +300,6 @@ networks and handles security groups.
[vxlan]
enable_vxlan = False
* In the ``[agent]`` section, enable ARP spoofing protection:
.. code-block:: ini
[agent]
...
prevent_arp_spoofing = True
* In the ``[securitygroup]`` section, enable security groups and
configure the Linux bridge :term:`iptables` firewall driver:
@ -339,7 +319,7 @@ The :term:`DHCP agent` provides DHCP services for virtual networks.
actions:
* In the ``[DEFAULT]`` section, configure the Linux bridge interface driver,
Dnsmasq DHCP driver, and enable isolated metadata so instances on public
Dnsmasq DHCP driver, and enable isolated metadata so instances on provider
networks can access metadata over the network:
.. code-block:: ini
@ -350,15 +330,6 @@ The :term:`DHCP agent` provides DHCP services for virtual networks.
dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq
enable_isolated_metadata = True
* (Optional) To assist with troubleshooting, enable verbose logging in the
``[DEFAULT]`` section:
.. code-block:: ini
[DEFAULT]
...
verbose = True
Return to
:ref:`Networking controller node configuration
<neutron-controller-metadata-agent>`.


@ -12,14 +12,14 @@ Install the components
# apt-get install neutron-server neutron-plugin-ml2 \
neutron-plugin-linuxbridge-agent neutron-l3-agent neutron-dhcp-agent \
neutron-metadata-agent python-neutronclient conntrack
neutron-metadata-agent conntrack
.. only:: rdo
.. code-block:: console
# yum install openstack-neutron openstack-neutron-ml2 \
openstack-neutron-linuxbridge python-neutronclient ebtables ipset
openstack-neutron-linuxbridge ebtables
.. only:: obs
@ -28,7 +28,7 @@ Install the components
# zypper install --no-recommends openstack-neutron \
openstack-neutron-server openstack-neutron-linuxbridge-agent \
openstack-neutron-l3-agent openstack-neutron-dhcp-agent \
openstack-neutron-metadata-agent ipset
openstack-neutron-metadata-agent
.. only:: debian
@ -144,7 +144,6 @@ Install the components
...
notify_nova_on_port_status_changes = True
notify_nova_on_port_data_changes = True
nova_url = http://controller:8774/v2
[nova]
...
@ -170,15 +169,6 @@ Install the components
...
lock_path = /var/lib/neutron/tmp
* (Optional) To assist with troubleshooting, enable verbose logging in
the ``[DEFAULT]`` section:
.. code-block:: ini
[DEFAULT]
...
verbose = True
Configure the Modular Layer 2 (ML2) plug-in
-------------------------------------------
@ -196,7 +186,7 @@ and switching) virtual networking infrastructure for instances.
...
type_drivers = flat,vlan,vxlan
* In the ``[ml2]`` section, enable VXLAN project (private) networks:
* In the ``[ml2]`` section, enable VXLAN self-service networks:
.. code-block:: ini
@ -230,17 +220,17 @@ and switching) virtual networking infrastructure for instances.
...
extension_drivers = port_security
* In the ``[ml2_type_flat]`` section, configure the public flat provider
network:
* In the ``[ml2_type_flat]`` section, configure the provider virtual
network as a flat network:
.. code-block:: ini
[ml2_type_flat]
...
flat_networks = public
flat_networks = provider
* In the ``[ml2_type_vxlan]`` section, configure the VXLAN network identifier
range for private networks:
range for self-service networks:
.. code-block:: ini
@ -261,22 +251,22 @@ Configure the Linux bridge agent
--------------------------------
The Linux bridge agent builds layer-2 (bridging and switching) virtual
networking infrastructure for instances including VXLAN tunnels for private
networks and handles security groups.
networking infrastructure for instances and handles security groups.
* Edit the ``/etc/neutron/plugins/ml2/linuxbridge_agent.ini`` file and
complete the following actions:
* In the ``[linux_bridge]`` section, map the public virtual network to the
public physical network interface:
* In the ``[linux_bridge]`` section, map the provider virtual network to the
provider physical network interface:
.. code-block:: ini
[linux_bridge]
physical_interface_mappings = public:PUBLIC_INTERFACE_NAME
physical_interface_mappings = provider:PROVIDER_INTERFACE_NAME
Replace ``PUBLIC_INTERFACE_NAME`` with the name of the underlying physical
public network interface.
Replace ``PROVIDER_INTERFACE_NAME`` with the name of the underlying
provider physical network interface. See :ref:`environment-networking`
for more information.
* In the ``[vxlan]`` section, enable VXLAN overlay networks, configure the
IP address of the physical network interface that handles overlay
@ -293,15 +283,8 @@ networks and handles security groups.
underlying physical network interface that handles overlay networks. The
example architecture uses the management interface to tunnel traffic to
the other nodes. Therefore, replace ``OVERLAY_INTERFACE_IP_ADDRESS`` with
each node's own management IP address.
* In the ``[agent]`` section, enable ARP spoofing protection:
.. code-block:: ini
[agent]
...
prevent_arp_spoofing = True
the management IP address of the controller node. See
:ref:`environment-networking` for more information.
* In the ``[securitygroup]`` section, enable security groups and
configure the Linux bridge :term:`iptables` firewall driver:
@ -316,8 +299,8 @@ networks and handles security groups.
Configure the layer-3 agent
---------------------------
The :term:`Layer-3 (L3) agent` provides routing and NAT services for virtual
networks.
The :term:`Layer-3 (L3) agent` provides routing and NAT services for
self-service virtual networks.
* Edit the ``/etc/neutron/l3_agent.ini`` file and complete the following
actions:
@ -337,15 +320,6 @@ networks.
The ``external_network_bridge`` option intentionally lacks a value
to enable multiple external networks on a single agent.
* (Optional) To assist with troubleshooting, enable verbose logging in the
``[DEFAULT]`` section:
.. code-block:: ini
[DEFAULT]
...
verbose = True
Configure the DHCP agent
------------------------
@ -355,7 +329,7 @@ The :term:`DHCP agent` provides DHCP services for virtual networks.
actions:
* In the ``[DEFAULT]`` section, configure the Linux bridge interface driver,
Dnsmasq DHCP driver, and enable isolated metadata so instances on public
Dnsmasq DHCP driver, and enable isolated metadata so instances on provider
networks can access metadata over the network:
.. code-block:: ini
@ -366,59 +340,6 @@ The :term:`DHCP agent` provides DHCP services for virtual networks.
dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq
enable_isolated_metadata = True
* (Optional) To assist with troubleshooting, enable verbose logging in the
``[DEFAULT]`` section:
.. code-block:: ini
[DEFAULT]
...
verbose = True
Overlay networks such as VXLAN include additional packet headers that
increase overhead and decrease space available for the payload or user
data. Without knowledge of the virtual network infrastructure, instances
attempt to send packets using the default Ethernet :term:`maximum
transmission unit (MTU)` of 1500 bytes. :term:`Internet protocol (IP)`
networks contain the :term:`path MTU discovery (PMTUD)` mechanism to detect
end-to-end MTU and adjust packet size accordingly. However, some operating
systems and networks block or otherwise lack support for PMTUD causing
performance degradation or connectivity failure.
Ideally, you can prevent these problems by enabling :term:`jumbo frames
<jumbo frame>` on the physical network that contains your tenant virtual
networks. Jumbo frames support MTUs up to approximately 9000 bytes which
negates the impact of VXLAN overhead on virtual networks. However, many
network devices lack support for jumbo frames and OpenStack administrators
often lack control over network infrastructure. Given the latter
complications, you can also prevent MTU problems by reducing the
instance MTU to account for VXLAN overhead. Determining the proper MTU
value often takes experimentation, but 1450 bytes works in most
environments. You can configure the DHCP server that assigns IP
addresses to your instances to also adjust the MTU.
.. note::
Some cloud images ignore the DHCP MTU option in which case you
should configure it using metadata, a script, or other suitable
method.
* In the ``[DEFAULT]`` section, enable the :term:`dnsmasq` configuration
file:
.. code-block:: ini
[DEFAULT]
...
dnsmasq_config_file = /etc/neutron/dnsmasq-neutron.conf
* Create and edit the ``/etc/neutron/dnsmasq-neutron.conf`` file to
enable the DHCP MTU option (26) and configure it to 1450 bytes:
.. code-block:: ini
dhcp-option-force=26,1450
Return to
:ref:`Networking controller node configuration
<neutron-controller-metadata-agent>`.


@ -147,20 +147,29 @@ You can deploy the Networking service using one of two architectures
represented by options 1 and 2.
Option 1 deploys the simplest possible architecture that only supports
attaching instances to public (provider) networks. No self-service
attaching instances to provider (external) networks. No self-service (private)
networks, routers, or floating IP addresses. Only the ``admin`` or other
privileged user can manage provider networks.
Option 2 augments option 1 with layer-3 services that support attaching
instances to self-service (private) networks. The ``demo`` or other
unprivileged user can manage self-service networks including routers that
provide connectivity between self-service and provider networks. Additionally,
instances to self-service networks. The ``demo`` or other unprivileged
user can manage self-service networks including routers that provide
connectivity between self-service and provider networks. Additionally,
floating IP addresses provide connectivity to instances using self-service
networks from external networks such as the Internet.
Self-service networks typically use overlay networks. Overlay network
protocols such as VXLAN include additional headers that increase overhead
and decrease space available for the payload or user data. Without knowledge
of the virtual network infrastructure, instances attempt to send packets
using the default Ethernet :term:`maximum transmission unit (MTU)` of 1500
bytes. The Networking service automatically provides the correct MTU value
to instances via DHCP. However, some cloud images do not use DHCP or ignore
the DHCP MTU option and require configuration using metadata or a script.
.. note::
Option 2 also supports attaching instances to public (provider) networks.
Option 2 also supports attaching instances to provider networks.
Choose one of the following networking options to configure services
specific to it. Afterwards, return here and proceed to
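Review bot: The new MTU paragraph ends with images that "require configuration using metadata or a script", but it no longer tells the reader how to recognize the problem or what to configure. The text removed from the self-service page named the symptom ("performance degradation or connectivity failure"). Consider keeping that clause here and adding a pointer to where the operator can find the MTU value the Networking service hands out, so someone whose image ignores the DHCP MTU option has enough to act on. The "(external)" and "(private)" glosses are also applied unevenly: Option 1 keeps both, while Option 2 and the note drop them. Define each term once at first use and then use the bare term.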
@ -183,53 +192,18 @@ such as credentials to instances.
* Edit the ``/etc/neutron/metadata_agent.ini`` file and complete the following
actions:
* In the ``[DEFAULT]`` section, configure access parameters:
.. code-block:: ini
[DEFAULT]
...
auth_uri = http://controller:5000
auth_url = http://controller:35357
auth_region = RegionOne
auth_type = password
project_domain_id = default
user_domain_id = default
project_name = service
username = neutron
password = NEUTRON_PASS
Replace ``NEUTRON_PASS`` with the password you chose for the ``neutron``
user in the Identity service.
* In the ``[DEFAULT]`` section, configure the metadata host:
.. code-block:: ini
[DEFAULT]
...
nova_metadata_ip = controller
* In the ``[DEFAULT]`` section, configure the metadata proxy shared
* In the ``[DEFAULT]`` section, configure the metadata host and shared
secret:
.. code-block:: ini
[DEFAULT]
...
nova_metadata_ip = controller
metadata_proxy_shared_secret = METADATA_SECRET
Replace ``METADATA_SECRET`` with a suitable secret for the metadata proxy.
* (Optional) To assist with troubleshooting, enable verbose logging in the
``[DEFAULT]`` section:
.. code-block:: ini
[DEFAULT]
...
verbose = True
Configure Compute to use Networking
-----------------------------------
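Review bot: The sentence "Replace ``METADATA_SECRET`` with a suitable secret for the metadata proxy" is carried over unchanged while the step around it is rewritten, and "suitable" gives no guidance for a value that acts as a shared secret. Since this hunk already merges the host and secret into one step, please state what is expected (for example, a randomly generated value handled like the other service passwords in the guide) and, if the Compute section that follows uses the same placeholder, say here that the two values must match.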


@ -45,6 +45,10 @@ Verify operation
| dvr | Distributed Virtual Router |
+-----------------------+-----------------------------------------------+
.. note::
Actual output may differ slightly from this example.
Use the verification section for the networking option that you chose to
deploy.