From 8b47c31ceddfd6fa33f2eb2e966b4ac799396834 Mon Sep 17 00:00:00 2001
From: Matthew Kassawara <mkassawara@gmail.com>
Date: Tue, 7 Oct 2014 10:38:59 -0500
Subject: [PATCH] Update neutron content for Juno

I updated the neutron content in the installation guide for Juno
as follows:

1) Explicitly install ipset package on network and compute nodes
   as a workaround for potential dependency issues. See LP bug
   #1369386 and patch #111877.
2) Configure the ML2 plug-in to use ipset.

Change-Id: Ie986a3114ee778f97359b53d58ac805100575a37
---
 doc/glossary/glossary-terms.xml                    | 14 ++++++++++++++
 doc/install-guide/section_neutron-compute-node.xml | 12 +++++++-----
 .../section_neutron-controller-node.xml            |  6 ++++--
 doc/install-guide/section_neutron-network-node.xml | 12 +++++++-----
 4 files changed, 32 insertions(+), 12 deletions(-)

diff --git a/doc/glossary/glossary-terms.xml b/doc/glossary/glossary-terms.xml
index b6ffa84e5b..1cfa4b06c9 100644
--- a/doc/glossary/glossary-terms.xml
+++ b/doc/glossary/glossary-terms.xml
@@ -4548,6 +4548,20 @@
       </glossdef>
     </glossentry>
 
+    <glossentry>
+      <glossterm>ipset</glossterm>
+      <indexterm class="singular">
+          <primary>ipset</primary>
+        </indexterm>
+
+      <glossdef>
+        <para>Extension to iptables that allows creation of firewall rules
+          that match entire "sets" of IP addresses simultaneously. These
+          sets reside in indexed data structures to increase efficiency,
+          particularly on systems with a large quantity of rules.</para>
+      </glossdef>
+    </glossentry>
+
     <glossentry>
       <glossterm>iptables</glossterm>
       <indexterm class="singular">
diff --git a/doc/install-guide/section_neutron-compute-node.xml b/doc/install-guide/section_neutron-compute-node.xml
index 9ff60d18fa..ef3f936398 100644
--- a/doc/install-guide/section_neutron-compute-node.xml
+++ b/doc/install-guide/section_neutron-compute-node.xml
@@ -26,9 +26,9 @@ net.ipv4.conf.default.rp_filter=0</programlisting>
   <procedure os="ubuntu;rhel;centos;fedora;sles;opensuse">
     <title>To install the Networking components</title>
     <step>
-      <screen os="ubuntu"><prompt>#</prompt> <userinput>apt-get install neutron-plugin-ml2 neutron-plugin-openvswitch-agent</userinput></screen>
-      <screen os="rhel;centos;fedora"><prompt>#</prompt> <userinput>yum install openstack-neutron-ml2 openstack-neutron-openvswitch</userinput></screen>
-      <screen os="sles;opensuse"><prompt>#</prompt> <userinput>zypper install openstack-neutron-openvswitch-agent</userinput></screen>
+      <screen os="ubuntu"><prompt>#</prompt> <userinput>apt-get install neutron-plugin-ml2 neutron-plugin-openvswitch-agent ipset</userinput></screen>
+      <screen os="rhel;centos;fedora"><prompt>#</prompt> <userinput>yum install openstack-neutron-ml2 openstack-neutron-openvswitch ipset</userinput></screen>
+      <screen os="sles;opensuse"><prompt>#</prompt> <userinput>zypper install openstack-neutron-openvswitch-agent ipset</userinput></screen>
       <note os="sles;opensuse">
         <para>SUSE does not use a separate ML2 plug-in package.</para>
       </note>
@@ -167,11 +167,13 @@ tunnel_id_ranges = 1:1000</programlisting>
         </step>
         <step>
           <para>In the <literal>[securitygroup]</literal> section, enable
-            security groups and configure the OVS
-            <glossterm>iptables</glossterm> firewall driver:</para>
+            security groups, enable <glossterm>ipset</glossterm>, and
+            configure the OVS <glossterm>iptables</glossterm> firewall
+            driver:</para>
           <programlisting language="ini">[securitygroup]
 ...
 enable_security_group = True
+enable_ipset = True
 firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver</programlisting>
         </step>
        <step>
diff --git a/doc/install-guide/section_neutron-controller-node.xml b/doc/install-guide/section_neutron-controller-node.xml
index 46e3e0ac59..d06827ff32 100644
--- a/doc/install-guide/section_neutron-controller-node.xml
+++ b/doc/install-guide/section_neutron-controller-node.xml
@@ -301,11 +301,13 @@ tunnel_id_ranges = 1:1000</programlisting>
         </step>
         <step>
           <para>In the <literal>[securitygroup]</literal> section, enable
-            security groups and configure the OVS
-            <glossterm>iptables</glossterm> firewall driver:</para>
+            security groups, enable <glossterm>ipset</glossterm>, and
+            configure the OVS <glossterm>iptables</glossterm> firewall
+            driver:</para>
           <programlisting language="ini">[securitygroup]
 ...
 enable_security_group = True
+enable_ipset = True
 firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver</programlisting>
         </step>
       </substeps>
diff --git a/doc/install-guide/section_neutron-network-node.xml b/doc/install-guide/section_neutron-network-node.xml
index c0b5c5ffb2..6ee643434f 100644
--- a/doc/install-guide/section_neutron-network-node.xml
+++ b/doc/install-guide/section_neutron-network-node.xml
@@ -27,10 +27,10 @@ net.ipv4.conf.default.rp_filter=0</programlisting>
     <title>To install the Networking components</title>
     <step>
       <screen os="ubuntu"><prompt>#</prompt> <userinput>apt-get install neutron-plugin-ml2 neutron-plugin-openvswitch-agent \
-  neutron-l3-agent neutron-dhcp-agent</userinput></screen>
-      <screen os="rhel;centos;fedora"><prompt>#</prompt> <userinput>yum install openstack-neutron openstack-neutron-ml2 openstack-neutron-openvswitch</userinput></screen>
+  neutron-l3-agent neutron-dhcp-agent ipset</userinput></screen>
+      <screen os="rhel;centos;fedora"><prompt>#</prompt> <userinput>yum install openstack-neutron openstack-neutron-ml2 openstack-neutron-openvswitch ipset</userinput></screen>
       <screen os="sles;opensuse"><prompt>#</prompt> <userinput>zypper install openstack-neutron-openvswitch-agent openstack-neutron-l3-agent \
-  openstack-neutron-dhcp-agent openstack-neutron-metadata-agent</userinput></screen>
+  openstack-neutron-dhcp-agent openstack-neutron-metadata-agent ipset</userinput></screen>
       <note os="sles;opensuse">
         <para>SUSE does not use a separate ML2 plug-in package.</para>
       </note>
@@ -180,11 +180,13 @@ tunnel_id_ranges = 1:1000</programlisting>
         </step>
         <step>
           <para>In the <literal>[securitygroup]</literal> section, enable
-            security groups and configure the OVS
-            <glossterm>iptables</glossterm> firewall driver:</para>
+            security groups, enable <glossterm>ipset</glossterm>, and
+            configure the OVS <glossterm>iptables</glossterm> firewall
+            driver:</para>
           <programlisting language="ini">[securitygroup]
 ...
 enable_security_group = True
+enable_ipset = True
 firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver</programlisting>
         </step>
         <step>