This is for a node which runs the control components of Neutron, but does not run any of the components that provide the underlying functionality (such as the plug-in agent or the L3 agent). If you wish to have a combined controller/compute node follow these instructions, and then those for the compute node. By default, the system-config-firewall automated firewall configuration tool is in place on RHEL. This graphical interface (and a curses-style interface with -tui on the end of the name) enables you to configure IP tables as a basic firewall. You should disable it when you work with Neutron unless you are familiar with the underlying network technologies, as, by default, it blocks various types of network traffic that are important to Neutron. To disable it, simple launch the program and clear the Enabled check box. After you successfully set up OpenStack with Neutron, you can re-enable and configure the tool. However, during Neutron set up, disable the tool to make it easier to debug network issues. Before you configure individual nodes for Networking, you must create the required OpenStack components: user, service, database, and one or more endpoints. After you complete these steps on the controller node, follow the instructions in this guide to set up OpenStack Networking nodes. Use the password that you set previously to log in as root and create a neutron database: # mysql -u root -p mysql> CREATE DATABASE neutron; mysql> GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'localhost' \ IDENTIFIED BY 'NEUTRON_DBPASS'; mysql> GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'%' \ IDENTIFIED BY 'NEUTRON_DBPASS'; Create the required user, service, and endpoint so that Networking can interface with the Identity Service. Create a neutron user: # keystone user-create --name=neutron --pass=NEUTRON_PASS --email=neutron@example.com Add the user role to the neutron user: # keystone user-role-add --user=neutron --tenant=service --role=admin Create the neutron service: # keystone service-create --name=neutron --type=network \ --description="OpenStack Networking" Create a Networking endpoint: # keystone endpoint-create \ --service-id $(keystone service-list | awk '/ network / {print $2}') \ --publicurl http://controller:9696 \ --adminurl http://controller:9696 \ --internalurl http://controller:9696 Install the server component of Networking and any dependencies. # apt-get install neutron-server # yum install openstack-neutron python-neutron python-neutronclient # zypper install openstack-neutron python-neutron python-neutronclient Configure Networking to connect to the database: # openstack-config --set /etc/neutron/neutron.conf database connection \ mysql://neutron:NEUTRON_DBPASS@controller/neutron Configure Networking to use your MySQL database. Edit the /etc/neutron/neutron.conf file and add the following key under the [database] section. Replace NEUTRON_DBPASS with the password you chose for the Neutron database. [database] ... connection = mysql://neutron:NEUTRON_DBPASS@controller/neutron Configure Networking to use keystone for authentication: Set the auth_strategy configuration key to keystone in the DEFAULT section of the file: # openstack-config --set /etc/neutron/neutron.conf DEFAULT auth_strategy keystone Set the neutron configuration for keystone authentication: # openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \ auth_host controller # openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \ auth_url http://controller:35357/v2.0 # openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \ admin_tenant_name service # openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \ admin_user neutron # openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \ admin_password NEUTRON_PASS Configure Networking to use keystone as the Identity Service for authentication. Edit the /etc/neutron/neutron.conf file and add the following key under the [DEFAULT] section. [DEFAULT] ... auth_strategy = keystone Add the following keys under the [keystone_authtoken] section. Replace NEUTRON_PASS with the password you chose for the Neutron user in Keystone. [keystone_authtoken] ... auth_host = controller auth_port = 35357 auth_protocol = http admin_tenant_name = service admin_user = neutron admin_password = NEUTRON_PASS auth_uri = http://controller:5000 auth_url = http://controller:35357/v2.0 Edit the /etc/neutron/api-paste.ini file and add the following keys under the [filter:authtoken] section. Replace NEUTRON_PASS with the password you chose for the Neutron user in Keystone. [filter:authtoken] ... paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory admin_tenant_name = service admin_user = neutron admin_password = NEUTRON_PASS Configure the /etc/neutron/api-paste.ini file for keystone authentication: # openstack-config --set /etc/neutron/api-paste.ini filter:authtoken \ paste.filter_factory keystoneclient.middleware.auth_token:filter_factory # openstack-config --set /etc/neutron/api-paste.ini filter:authtoken \ auth_host controller # openstack-config --set /etc/neutron/api-paste.ini filter:authtoken \ admin_tenant_name service # openstack-config --set /etc/neutron/api-paste.ini filter:authtoken \ admin_user neutron # openstack-config --set /etc/neutron/api-paste.ini filter:authtoken \ admin_password NEUTRON_PASS Configure access to the RabbitMQ service: # openstack-config --set /etc/neutron/neutron.conf DEFAULT \ rpc_backend neutron.openstack.common.rpc.impl_kombu # openstack-config --set /etc/neutron/neutron.conf DEFAULT \ rabbit_host controller # openstack-config --set /etc/neutron/neutron.conf DEFAULT \ rabbit_userid guest # openstack-config --set /etc/neutron/neutron.conf DEFAULT \ rabbit_password RABBIT_PASS Configure access to the Qpid message queue: # openstack-config --set /etc/neutron/neutron.conf DEFAULT \ rpc_backend neutron.openstack.common.rpc.impl_qpid # openstack-config --set /etc/neutron/neutron.conf DEFAULT \ qpid_hostname controller # openstack-config --set /etc/neutron/neutron.conf DEFAULT \ qpid_port 5672 # openstack-config --set /etc/neutron/neutron.conf DEFAULT \ qpid_username guest # openstack-config --set /etc/neutron/neutron.conf DEFAULT \ qpid_password guest Configure Networking to use your message broker. Edit the /etc/neutron/neutron.conf file and add the following keys under the [DEFAULT] section. Replace RABBIT_PASS with the password you chose for RabbitMQ. [DEFAULT] ... rpc_backend = neutron.openstack.common.rpc.impl_kombu rabbit_host = controller rabbit_password = RABBIT_PASS Set the root_helper configuration in the [agent] section of /etc/neutron/neutron.conf: # openstack-config --set /etc/neutron/neutron.conf AGENT \ root_helper "sudo neutron-rootwrap /etc/neutron/rootwrap.conf" Although the controller node does not run any Networking agents, you must install and configure the same plug-in that you configured on the network node. Install and configure the Networking plug-ins on a dedicated controller node Configure OpenStack Compute to use OpenStack Networking services. Configure the /etc/nova/nova.conf file as per instructions below: # openstack-config --set /etc/nova/nova.conf DEFAULT \ network_api_class nova.network.neutronv2.api.API # openstack-config --set /etc/nova/nova.conf DEFAULT \ neutron_url http://controller:9696 # openstack-config --set /etc/nova/nova.conf DEFAULT \ neutron_auth_strategy keystone # openstack-config --set /etc/nova/nova.conf DEFAULT \ neutron_admin_tenant_name service # openstack-config --set /etc/nova/nova.conf DEFAULT \ neutron_admin_username neutron # openstack-config --set /etc/nova/nova.conf DEFAULT \ neutron_admin_password NEUTRON_PASS # openstack-config --set /etc/nova/nova.conf DEFAULT \ neutron_admin_auth_url http://controller:35357/v2.0 # openstack-config --set /etc/nova/nova.conf DEFAULT \ linuxnet_interface_driver nova.network.linux_net.LinuxOVSInterfaceDriver # openstack-config --set /etc/nova/nova.conf DEFAULT \ firewall_driver nova.virt.firewall.NoopFirewallDriver # openstack-config --set /etc/nova/nova.conf DEFAULT \ security_group_api neutron Configure OpenStack Compute to use OpenStack Networking services. Edit the /etc/nova/nova.conf file: network_api_class=nova.network.neutronv2.api.API neutron_url=http://controller:9696 neutron_auth_strategy=keystone neutron_admin_tenant_name=service neutron_admin_username=neutron neutron_admin_password=NEUTRON_PASS neutron_admin_auth_url=http://controller:35357/v2.0 linuxnet_interface_driver = nova.network.linux_net.LinuxOVSInterfaceDriver firewall_driver=nova.virt.firewall.NoopFirewallDriver security_group_api=neutron Regardless of which firewall driver you chose when you configured the network and compute nodes, set this driver as the No-Op firewall. This firewall is a nova firewall, and because neutron handles the Firewall, you must tell nova not to use one. When Networking handles the firewall, the option firewall_driver should be set according to the specified plug-in. For example with OVS, edit the /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini file: [securitygroup] # Firewall driver for realizing neutron security group function. firewall_driver=neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver # openstack-config --set \ /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini security_group \ neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver If you do not want to use a firewall in Compute or Networking, set firewall_driver=nova.virt.firewall.NoopFirewallDriver in both config files, and comment out or remove security_group_api=neutron in the /etc/nova/nova.conf file, otherwise you may encounter ERROR: The server has either erred or is incapable of performing the requested operation. (HTTP 500) when issuing nova list commands. The neutron-server initialization script expects a symbolic link /etc/neutron/plugin.ini pointing to the configuration file associated with your chosen plug-in. Using Open vSwitch, for example, the symbolic link must point to /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini. If this symbolic link does not exist, create it using the following commands: # cd /etc/neutron # ln -s plugins/openvswitch/ovs_neutron_plugin.ini plugin.ini The openstack-neutron initialization script expects the variable NEUTRON_PLUGIN_CONF in file /etc/sysconfig/neutron to reference the configuration file associated with your chosen plug-in. Using Open vSwitch, for example, edit the /etc/sysconfig/neutron file and add the following: NEUTRON_PLUGIN_CONF="/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini" Restart the Compute and Networking services: # service nova-api restart # service nova-scheduler restart # service nova-conductor restart # service neutron-server restart Restart the Compute services: # service openstack-nova-api restart # service openstack-nova-scheduler restart # service openstack-nova-conductor restart Start the Networking service and configure it to start when the system boots: # service neutron-server start # chkconfig neutron-server on # service openstack-neutron start # chkconfig openstack-neutron on

Install the Open vSwitch plug-in: # apt-get install neutron-plugin-openvswitch # yum install openstack-neutron-openvswitch # zypper install openstack-neutron-openvswitch-agent You must set some common configuration options no matter which networking technology you choose to use with Open vSwitch. You must configure Networking core to use OVS. Edit the /etc/neutron/neutron.conf file: core_plugin = neutron.plugins.openvswitch.ovs_neutron_plugin.OVSNeutronPluginV2 Configure the OVS plug-in for the networking type that you chose when you configured the network node: GRE tunneling or VLANs. The dedicated controller node does not need to run Open vSwitch or the Open vSwitch agent. Now, return to the general OVS instructions.

Tell the OVS plug-in to use GRE tunneling. Edit the /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini file: [ovs] tenant_network_type = gre tunnel_id_ranges = 1:1000 enable_tunneling = True Return to the general OVS instructions.

Tell OVS to use VLANS. Edit the /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini file, as follows: [ovs] tenant_network_type = vlan network_vlan_ranges = physnet1:1:4094 Return to the general OVS instructions.