Configure network node

Before you start, set up a machine as a dedicated network node. Dedicated network nodes have a MGMT_INTERFACE NIC, a DATA_INTERFACE NIC, and an EXTERNAL_INTERFACE NIC. The management network handles communication among nodes. The data network handles communication to and from VMs. The external NIC connects the network node (and optionally the controller node) to the outside world so that your VMs can reach it. All NICs must have static IPs. However, the data and external NICs have a special setup, described below. For details about Networking plug-ins, see the plug-in section later in this guide.

By default, the system-config-firewall automated firewall configuration tool is in place on RHEL. This graphical interface (and its curses-style counterpart, system-config-firewall-tui) lets you configure iptables as a basic firewall. Disable it while you work with Networking unless you are familiar with the underlying network technologies, because by default it blocks several types of network traffic that Networking depends on. To disable it, launch the program and clear the Enabled check box. After you have successfully set up OpenStack Networking, you can re-enable and configure the tool; keeping it disabled during Networking setup makes network issues easier to debug.

Install the Networking packages and any dependencies. On Ubuntu or Debian:

    # apt-get install neutron-dhcp-agent neutron-l3-agent

On RHEL, CentOS, or Fedora:

    # yum install openstack-neutron

On openSUSE or SLES:

    # zypper install openstack-neutron openstack-neutron-l3-agent \
        openstack-neutron-dhcp-agent openstack-neutron-metadata-agent

If the package installer prompts you, respond to the prompts for database management, [keystone_authtoken] settings, RabbitMQ credentials, and API endpoint registration.
Configure the basic Networking-related services to start at boot time, using whichever of the two service-name schemes your distribution installs:

    # for s in neutron-{dhcp,metadata,l3}-agent; do chkconfig $s on; done
    # for s in openstack-neutron-{dhcp,metadata,l3}-agent; do chkconfig $s on; done

Enable packet forwarding and disable reverse-path (packet destination) filtering so that the network node can forward traffic for the VMs. Edit the /etc/sysctl.conf file as follows:

    net.ipv4.ip_forward=1
    net.ipv4.conf.all.rp_filter=0
    net.ipv4.conf.default.rp_filter=0

Use the sysctl command to make the changes in /etc/sysctl.conf take effect:

    # sysctl -p

Restart the networking service after changing values related to the network configuration, so that all modified values take effect immediately. Debian and Ubuntu name the service networking; RHEL and openSUSE name it network:

    # service networking restart
    # service network restart

Configure Networking to use keystone for authentication. Set the auth_strategy configuration key to keystone in the DEFAULT section of /etc/neutron/neutron.conf:

    # openstack-config --set /etc/neutron/neutron.conf DEFAULT auth_strategy keystone

Set the neutron configuration for keystone authentication (auth_host is the same controller value used in the file-based form below):

    # openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
        auth_host controller
    # openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
        auth_port 35357
    # openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
        auth_protocol http
    # openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
        admin_tenant_name service
    # openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
        admin_user neutron
    # openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
        admin_password NEUTRON_PASS

Alternatively, to configure neutron to use keystone for authentication, edit the /etc/neutron/neutron.conf file directly.
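The forwarding and rp_filter settings above are easy to get wrong (a typo in the key, a stray space, or a later line in the file that silently overrides the value) and nothing in the procedure verifies them. The following shell script is an added example, not part of the OpenStack guide: it checks a sysctl configuration file for the three required settings and, when run on the network node itself, compares them with the live kernel values under /proc/sys. The sample file it builds is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the OpenStack guide: check that the three
# kernel settings the network node needs are set in a sysctl configuration
# file, and optionally that they are active in the running kernel.

# The key=value pairs the guide puts in /etc/sysctl.conf.
REQUIRED_SYSCTLS="net.ipv4.ip_forward=1
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.default.rp_filter=0"

# Print the effective value of KEY in FILE: comments are ignored, spaces
# around "=" are tolerated, and the last assignment wins (sysctl -p applies
# the file top to bottom). Prints nothing if the key is absent.
sysctl_file_get() {
    file=$1; key=$2
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$file" \
        | awk -F= -v k="$key" '$1 == k { v = $2 } END { print v }'
}

# Return 0 if FILE sets every required key to the required value;
# otherwise report each missing or wrong key and return 1.
check_sysctl_conf() {
    file=$1; rc=0
    for pair in $REQUIRED_SYSCTLS; do
        key=${pair%%=*}; want=${pair#*=}
        have=$(sysctl_file_get "$file" "$key")
        if [ "$have" != "$want" ]; then
            printf '%s: %s is %s, expected %s\n' "$file" "$key" "${have:-unset}" "$want"
            rc=1
        fi
    done
    return $rc
}

# Compare the required values with the running kernel via /proc/sys.
# The file and the kernel only agree after "sysctl -p" (or a reboot).
check_sysctl_live() {
    rc=0
    for pair in $REQUIRED_SYSCTLS; do
        key=${pair%%=*}; want=${pair#*=}
        path="/proc/sys/$(printf '%s' "$key" | tr . /)"
        if [ ! -r "$path" ]; then
            echo "$key: cannot read $path (not Linux, or no permission)"; rc=1; continue
        fi
        have=$(cat "$path")
        [ "$have" = "$want" ] || { echo "$key: kernel has $have, expected $want"; rc=1; }
    done
    return $rc
}

# Demonstration on a constructed file that left all.rp_filter at the
# kernel default of 1 and forgot the default.rp_filter line entirely.
sample=$(mktemp)
cat >"$sample" <<'EOF'
# constructed sample of /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 1   # still strict reverse-path filtering
EOF
check_sysctl_conf "$sample" || echo "sample file needs fixing before sysctl -p"
rm -f "$sample"
```

Run check_sysctl_conf /etc/sysctl.conf before sysctl -p and check_sysctl_live afterwards; a node where the file passes but the live check fails has simply not applied the file yet.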
Set the auth_strategy configuration key to keystone in the DEFAULT section of the file:

    auth_strategy = keystone

Add these lines to the keystone_authtoken section of the file:

    auth_host = controller
    auth_port = 35357
    auth_protocol = http
    admin_tenant_name = service
    admin_user = neutron
    admin_password = NEUTRON_PASS

Set the root_helper configuration in the [agent] section of /etc/neutron/neutron.conf:

    # openstack-config --set /etc/neutron/neutron.conf AGENT \
        root_helper "sudo neutron-rootwrap /etc/neutron/rootwrap.conf"

Configure access to the RabbitMQ service:

    # openstack-config --set /etc/neutron/neutron.conf DEFAULT \
        rpc_backend neutron.openstack.common.rpc.impl_kombu
    # openstack-config --set /etc/neutron/neutron.conf DEFAULT \
        rabbit_host controller
    # openstack-config --set /etc/neutron/neutron.conf DEFAULT \
        rabbit_userid guest
    # openstack-config --set /etc/neutron/neutron.conf DEFAULT \
        rabbit_password RABBIT_PASS

Alternatively, edit the /etc/neutron/neutron.conf file and set the following parameters in the DEFAULT section:

    rabbit_host = controller
    rabbit_userid = guest
    rabbit_password = RABBIT_PASS

If you use the Qpid message queue instead of RabbitMQ, configure access to it:

    # openstack-config --set /etc/neutron/neutron.conf DEFAULT \
        rpc_backend neutron.openstack.common.rpc.impl_qpid
    # openstack-config --set /etc/neutron/neutron.conf DEFAULT \
        qpid_hostname controller
    # openstack-config --set /etc/neutron/neutron.conf DEFAULT \
        qpid_port 5672
    # openstack-config --set /etc/neutron/neutron.conf DEFAULT \
        qpid_username guest
    # openstack-config --set /etc/neutron/neutron.conf DEFAULT \
        qpid_password guest

Configure Networking to connect to the database:

    # openstack-config --set /etc/neutron/neutron.conf database connection \
        mysql://neutron:NEUTRON_DBPASS@controller/neutron

Alternatively, configure the database connection in the file directly.
Edit the [database] section in the same file as follows:

    [database]
    connection = mysql://neutron:NEUTRON_DBPASS@controller/neutron

Configure the /etc/neutron/api-paste.ini file for keystone authentication:

    # openstack-config --set /etc/neutron/api-paste.ini filter:authtoken \
        paste.filter_factory keystoneclient.middleware.auth_token:filter_factory
    # openstack-config --set /etc/neutron/api-paste.ini filter:authtoken \
        auth_host controller
    # openstack-config --set /etc/neutron/api-paste.ini filter:authtoken \
        auth_uri http://controller:5000
    # openstack-config --set /etc/neutron/api-paste.ini filter:authtoken \
        admin_tenant_name service
    # openstack-config --set /etc/neutron/api-paste.ini filter:authtoken \
        admin_user neutron
    # openstack-config --set /etc/neutron/api-paste.ini filter:authtoken \
        admin_password NEUTRON_PASS

Alternatively, edit the /etc/neutron/api-paste.ini file and add these lines to the [filter:authtoken] section:

    [filter:authtoken]
    paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
    auth_host = controller
    auth_uri = http://controller:5000
    admin_tenant_name = service
    admin_user = neutron
    admin_password = NEUTRON_PASS

You must configure auth_uri to point to the public identity endpoint. Otherwise, clients might not be able to authenticate against an admin endpoint.

Install and configure a networking plug-in. OpenStack Networking uses this plug-in to perform software-defined networking. For instructions, see Install and configure the Networking plug-ins below, then return here when finished.

Now that you have installed and configured a plug-in, configure the remaining parts of OpenStack Networking. To perform DHCP on the software-defined networks, Networking supports several different plug-ins; in general, you use the dnsmasq plug-in.
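Every credential in the steps above is entered as a placeholder (NEUTRON_PASS, RABBIT_PASS, NEUTRON_DBPASS), and a placeholder that is copied verbatim into a production file is a common way for a deployment to end up with a guessable service password. The script below is an added example, not part of the OpenStack guide: a small INI reader plus an audit that checks neutron.conf and api-paste.ini for the keys this section sets, flags unreplaced placeholders, and catches an auth_uri that points at the admin port (35357, the guide's auth_port) instead of the public endpoint. The sample files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the OpenStack guide: audit neutron.conf and
# api-paste.ini for the settings the guide makes, and flag placeholder
# secrets (NEUTRON_PASS, RABBIT_PASS, NEUTRON_DBPASS) that were copied from
# the guide without being replaced. The sample files are constructed here.

# Print KEY from [SECTION] of INI FILE (empty if absent). Lines starting
# with # or ; are comments; whitespace around names, values and section
# headers is ignored. Usage: ini_get FILE SECTION KEY
ini_get() {
    awk -v s="[$2]" -v k="$3" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { line = $0; gsub(/[ \t]/, "", line); in_s = (line == s); next }
        in_s {
            eq = index($0, "=")
            if (eq == 0) next
            name = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", name)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (name == k) v = val
        }
        END { print v }' "$1"
}

# Return 0 if VALUE is empty or one of the guide's placeholder secrets.
is_placeholder() {
    case $1 in
        ''|NEUTRON_PASS|RABBIT_PASS|NEUTRON_DBPASS|METADATA_PASS) return 0 ;;
        *) return 1 ;;
    esac
}

# Audit NEUTRON_CONF and API_PASTE. Prints one finding per line and
# returns the number of findings (0 = clean).
audit_neutron_auth() {
    conf=$1; paste=$2; n=0
    v=$(ini_get "$conf" DEFAULT auth_strategy)
    [ "$v" = keystone ] || { echo "neutron.conf: auth_strategy is '${v:-unset}', expected keystone"; n=$((n+1)); }
    for key in auth_host admin_tenant_name admin_user; do
        [ -n "$(ini_get "$conf" keystone_authtoken "$key")" ] \
            || { echo "neutron.conf: [keystone_authtoken] $key is unset"; n=$((n+1)); }
    done
    if is_placeholder "$(ini_get "$conf" keystone_authtoken admin_password)"; then
        echo "neutron.conf: [keystone_authtoken] admin_password is unset or a placeholder"; n=$((n+1))
    fi
    if is_placeholder "$(ini_get "$conf" DEFAULT rabbit_password)"; then
        echo "neutron.conf: [DEFAULT] rabbit_password is unset or a placeholder"; n=$((n+1))
    fi
    # The database password is embedded in the URL: mysql://USER:PASSWORD@HOST/DB
    db=$(ini_get "$conf" database connection)
    dbpass=${db#*://*:}; dbpass=${dbpass%%@*}
    [ "$dbpass" != "$db" ] || dbpass=
    if is_placeholder "$dbpass"; then
        echo "neutron.conf: [database] connection has no password or a placeholder"; n=$((n+1))
    fi
    # auth_uri must be the public Identity endpoint, not the admin port 35357
    uri=$(ini_get "$paste" filter:authtoken auth_uri)
    case $uri in
        '')                echo "api-paste.ini: auth_uri is unset"; n=$((n+1)) ;;
        *:35357|*:35357/*) echo "api-paste.ini: auth_uri points at the admin endpoint ($uri)"; n=$((n+1)) ;;
    esac
    if is_placeholder "$(ini_get "$paste" filter:authtoken admin_password)"; then
        echo "api-paste.ini: [filter:authtoken] admin_password is unset or a placeholder"; n=$((n+1))
    fi
    return $n
}

# Constructed sample files: the guide's values, with NEUTRON_PASS left in
# place in neutron.conf.
dir=$(mktemp -d)
cat >"$dir/neutron.conf" <<'EOF'
[DEFAULT]
auth_strategy = keystone
rabbit_host = controller
rabbit_userid = guest
rabbit_password = s3cret-rabbit
[keystone_authtoken]
auth_host = controller
auth_port = 35357
auth_protocol = http
admin_tenant_name = service
admin_user = neutron
admin_password = NEUTRON_PASS
[database]
connection = mysql://neutron:s3cret-db@controller/neutron
EOF
cat >"$dir/api-paste.ini" <<'EOF'
[filter:authtoken]
paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
auth_host = controller
auth_uri = http://controller:5000
admin_tenant_name = service
admin_user = neutron
admin_password = s3cret-neutron
EOF
audit_neutron_auth "$dir/neutron.conf" "$dir/api-paste.ini" || echo "findings: $?"
rm -rf "$dir"
```

On a real node, point audit_neutron_auth at /etc/neutron/neutron.conf and /etc/neutron/api-paste.ini; the same ini_get helper can be reused for the other INI files this guide edits. The guide's guest/guest message-queue account is not flagged as a placeholder, but it is the broker's default account and should be replaced with a dedicated user before the deployment is exposed to anything but a lab.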
Configure the /etc/neutron/dhcp_agent.ini file:

    dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq

or, equivalently:

    # openstack-config --set /etc/neutron/dhcp_agent.ini DEFAULT \
        dhcp_driver neutron.agent.linux.dhcp.Dnsmasq

To allow virtual machines to access the Compute metadata information, the Networking metadata agent must be enabled and configured. The agent acts as a proxy for the Compute metadata service.

On the controller, edit the /etc/nova/nova.conf file to define a secret key that is shared between the Compute service and the Networking metadata agent. Add the following to the [DEFAULT] section:

    [DEFAULT]
    neutron_metadata_proxy_shared_secret = METADATA_PASS
    service_neutron_metadata_proxy = true

or set the keys with openstack-config:

    # openstack-config --set /etc/nova/nova.conf DEFAULT \
        neutron_metadata_proxy_shared_secret METADATA_PASS
    # openstack-config --set /etc/nova/nova.conf DEFAULT \
        service_neutron_metadata_proxy true

Restart the nova-api service (whichever service name your distribution uses):

    # service nova-api restart
    # service openstack-nova-api restart

On the network node, modify the metadata agent configuration.
Edit the /etc/neutron/metadata_agent.ini file and modify the [DEFAULT] section:

    [DEFAULT]
    auth_url = http://controller:5000/v2.0
    auth_region = regionOne
    admin_tenant_name = service
    admin_user = neutron
    admin_password = NEUTRON_PASS
    nova_metadata_ip = controller
    metadata_proxy_shared_secret = METADATA_PASS

or set the required keys with openstack-config:

    # openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT \
        auth_url http://controller:5000/v2.0
    # openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT \
        auth_region regionOne
    # openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT \
        admin_tenant_name service
    # openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT \
        admin_user neutron
    # openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT \
        admin_password NEUTRON_PASS
    # openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT \
        nova_metadata_ip controller
    # openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT \
        metadata_proxy_shared_secret METADATA_PASS

The value of auth_region is case-sensitive and must match the endpoint region defined in Keystone.

If you serve the OpenStack Networking API over HTTPS with self-signed certificates, you must perform additional configuration for the metadata agent because Networking cannot validate the SSL certificates from the service catalog. Add this statement to the [DEFAULT] section:

    neutron_insecure = True

or:

    # openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT neutron_insecure True

Note that this setting turns off certificate verification for the metadata agent's connections to the Networking API, so treat it as a workaround for self-signed certificates rather than a permanent setting.

The neutron-server initialization script expects a symbolic link /etc/neutron/plugin.ini pointing to the configuration file associated with your chosen plug-in. Using Open vSwitch, for example, the symbolic link must point to /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini.
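The metadata_proxy_shared_secret on the network node and the neutron_metadata_proxy_shared_secret in nova.conf are the two halves of one mechanism, and the section above never shows what happens with them. The script below is an added example, not part of the OpenStack guide: it reproduces the signing scheme the metadata agent uses when it forwards an instance's request to nova-api (an X-Instance-ID header plus an X-Instance-ID-Signature header carrying the HMAC-SHA256 of the instance ID under the shared secret) and the verification nova-api performs with its own copy of the secret. It assumes the openssl command-line tool is installed; the instance UUID and secrets are constructed values.

```shell
#!/bin/sh
# Added example, not part of the OpenStack guide: what the shared secret
# from the two configuration files above is used for. For every instance
# request it proxies, the Networking metadata agent adds an X-Instance-ID
# header and an X-Instance-ID-Signature header containing
# HMAC-SHA256(metadata_proxy_shared_secret, instance_id) as lower-case hex;
# nova-api recomputes the HMAC with neutron_metadata_proxy_shared_secret and
# rejects the request if the two differ. Requires the openssl CLI. The
# instance ID and secrets below are constructed values.

# Lower-case hex HMAC-SHA256 of INSTANCE_ID under SECRET, as the agent sends
# it. Usage: sign_instance_id SECRET INSTANCE_ID
sign_instance_id() {
    printf '%s' "$2" | openssl dgst -sha256 -hmac "$1" | awk '{ print $NF }'
}

# nova-api side: 0 if PRESENTED matches the HMAC we compute ourselves, else 1.
# (nova compares the two in constant time; plain "=" is fine for a demo.)
verify_instance_signature() {
    secret=$1; instance_id=$2; presented=$3
    [ "$(sign_instance_id "$secret" "$instance_id")" = "$presented" ]
}

# Build the two headers the agent would forward for one request.
proxy_headers() {
    secret=$1; instance_id=$2
    printf 'X-Instance-ID: %s\nX-Instance-ID-Signature: %s\n' \
        "$instance_id" "$(sign_instance_id "$secret" "$instance_id")"
}

# Demonstration: both sides hold the same secret, then the secrets differ
# (as happens when METADATA_PASS is changed in only one of the two files).
secret='constructed-shared-secret'         # use a long random string in practice
iid='11111111-2222-3333-4444-555555555555' # constructed instance UUID
proxy_headers "$secret" "$iid"
sig=$(sign_instance_id "$secret" "$iid")
if verify_instance_signature "$secret" "$iid" "$sig"; then
    echo "same secret on both sides: accepted"
fi
if ! verify_instance_signature 'other-secret' "$iid" "$sig"; then
    echo "secrets differ between nova.conf and metadata_agent.ini: rejected"
fi
```

The practical consequences follow directly from the scheme: a mismatch between the two files makes every instance's metadata request fail at nova-api, and the strength of the secret is what stops anything else that can reach nova-api's metadata port from presenting a signature for an instance ID it does not own, so METADATA_PASS should be a long random value rather than a word.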
If this symbolic link does not exist, create it with the following commands:

    # cd /etc/neutron
    # ln -s plugins/openvswitch/ovs_neutron_plugin.ini plugin.ini

The openstack-neutron initialization script expects the variable NEUTRON_PLUGIN_CONF in the file /etc/sysconfig/neutron to reference the configuration file associated with your chosen plug-in. Using Open vSwitch, for example, edit the /etc/sysconfig/neutron file and add the following:

    NEUTRON_PLUGIN_CONF="/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini"

Restart the Networking services, using whichever service names your distribution installs:

    # service neutron-dhcp-agent restart
    # service neutron-l3-agent restart
    # service neutron-metadata-agent restart

    # service openstack-neutron-dhcp-agent restart
    # service openstack-neutron-l3-agent restart
    # service openstack-neutron-metadata-agent restart

Also restart your chosen Networking plug-in agent, for example Open vSwitch (again, one of the following, depending on your distribution):

    # service neutron-plugin-openvswitch-agent restart
    # service neutron-openvswitch-agent restart
    # service openstack-neutron-openvswitch-agent restart
Install and configure the Networking plug-ins
Install the Open vSwitch (OVS) plug-in

Install the Open vSwitch plug-in and its dependencies. On Ubuntu or Debian:

    # apt-get install neutron-plugin-openvswitch-agent

On RHEL, CentOS, or Fedora:

    # yum install openstack-neutron-openvswitch

On openSUSE or SLES:

    # zypper install openstack-neutron-openvswitch-agent

On Ubuntu 12.04 LTS with GRE, you must install openvswitch-datapath-dkms and restart the service to enable the GRE flow, so that OVS 1.10 or higher is used. Make sure you are running the OVS 1.10 kernel module in addition to the OVS 1.10 user space; both the kernel module and the user space are required for VXLAN support. The symptom of a mismatch is the error "Stderr: 'ovs-ofctl: -1: negative values not supported for in_port\n'" in the /var/log/openvswitch/ovs-vswitchd.log log file. If you see this error, make sure that modinfo openvswitch shows the right version, and check the output of dmesg for the version of the OVS module being loaded.

Start Open vSwitch (one of the following, depending on your distribution's service name):

    # service openvswitch start
    # service openvswitch-switch start
    # service openvswitch-switch restart

And configure it to start when the system boots:

    # chkconfig openvswitch on
    # chkconfig openvswitch-switch on

No matter which networking technology you use, you must add the br-int integration bridge, which connects to the VMs, and the br-ex external bridge, which connects to the outside world:

    # ovs-vsctl add-br br-int
    # ovs-vsctl add-br br-ex

Add a port (connection) from the EXTERNAL_INTERFACE interface to the br-ex bridge:

    # ovs-vsctl add-port br-ex EXTERNAL_INTERFACE

The host must have an IP address associated with an interface other than EXTERNAL_INTERFACE, and your remote terminal session must be associated with this other IP address. If you associate an IP address with EXTERNAL_INTERFACE, that IP address stops working after you issue the ovs-vsctl add-port br-ex EXTERNAL_INTERFACE command, and if your remote terminal session is associated with that IP address, you lose connectivity to the host. For more details about this behavior, see the Configuration Problems section of the Open vSwitch FAQ.
Configure the EXTERNAL_INTERFACE without an IP address and in promiscuous mode. Additionally, set the newly created br-ex interface to have the IP address that formerly belonged to EXTERNAL_INTERFACE. Generic Receive Offload (GRO) should not be enabled on this interface because it can cause severe performance problems; you can disable it with the ethtool utility.

Edit the /etc/sysconfig/network-scripts/ifcfg-EXTERNAL_INTERFACE file:

    DEVICE_INFO_HERE
    ONBOOT=yes
    BOOTPROTO=none
    PROMISC=yes

Create and edit the /etc/sysconfig/network-scripts/ifcfg-br-ex file:

    DEVICE=br-ex
    TYPE=Bridge
    ONBOOT=no
    BOOTPROTO=none
    IPADDR=EXTERNAL_INTERFACE_IP
    NETMASK=EXTERNAL_INTERFACE_NETMASK
    GATEWAY=EXTERNAL_INTERFACE_GATEWAY

You must set some common configuration options no matter which networking technology you choose to use with Open vSwitch. Configure the L3 and DHCP agents to use OVS and namespaces by editing the /etc/neutron/l3_agent.ini and /etc/neutron/dhcp_agent.ini files, respectively:

    interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
    use_namespaces = True

Similarly, tell the Neutron core to use OVS. Edit the /etc/neutron/neutron.conf file:

    core_plugin = neutron.plugins.openvswitch.ovs_neutron_plugin.OVSNeutronPluginV2

Choose a networking technology to create the virtual networks. Neutron supports GRE tunneling, VLANs, and VXLANs; this guide shows how to configure GRE tunneling and VLANs.

GRE tunneling is simpler to set up because it does not require any special configuration of the physical network hardware. However, its protocol makes it difficult to filter traffic on the physical network. Additionally, this configuration does not use namespaces, so you can have only one router for each network node; you can enable namespacing as described in the section on using VLANs with OVS.

VLAN tagging, on the other hand, modifies the Ethernet header of packets, so you can filter packets on the physical network through normal methods.
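The warning above (the address on EXTERNAL_INTERFACE stops working the moment it is added to br-ex, and a remote session that arrived on it is lost) is the kind of thing that is easy to know and still easy to do by accident on the wrong host. The script below is an added example, not part of the OpenStack guide: a pre-flight check that inspects the interface's current IPv4 addresses and the SSH_CONNECTION variable that sshd sets ("client_ip client_port server_ip server_port"), and refuses the add-port step when it would cut off the session. The interface name eth2 and all addresses in it are constructed examples; the ip, ovs-vsctl and ethtool commands in the usage comment are the standard tools the guide refers to.

```shell
#!/bin/sh
# Added example, not part of the OpenStack guide: a pre-flight check for the
# "ovs-vsctl add-port br-ex EXTERNAL_INTERFACE" step. It inspects the output
# of "ip -4 -o addr show dev IFACE" and the SSH_CONNECTION variable that sshd
# sets ("client_ip client_port server_ip server_port"), and refuses when the
# interface still carries an address or the current session came in on it.
# The interface name eth2 and all addresses below are constructed examples.

# Extract the IPv4 addresses (without prefix length) from "ip -4 -o addr"
# output passed on stdin, one per line.
addrs_from_ip_output() {
    awk '$3 == "inet" { sub(/\/.*/, "", $4); print $4 }'
}

# preflight_add_port IFACE IP_OUTPUT SSH_CONN
#   returns 0: IFACE has no IPv4 address, safe to add to br-ex
#   returns 1: IFACE still has an address; it stops working after add-port
#   returns 2: this SSH session arrived on that address; you would lose the host
preflight_add_port() {
    iface=$1
    addrs=$(printf '%s\n' "$2" | addrs_from_ip_output)
    [ -n "$addrs" ] || return 0
    echo "$iface still has IPv4 address(es):" $addrs
    set -- $3
    if [ $# -eq 4 ] && printf '%s\n' "$addrs" | grep -qxF "$3"; then
        echo "this SSH session ($1 -> $3) uses $iface; add-port would drop it"
        echo "connect via MGMT_INTERFACE or the console, move the address to br-ex, then retry"
        return 2
    fi
    echo "move the address to br-ex (ifcfg-br-ex) before adding the port"
    return 1
}

# Live usage on the network node, as root (ovs-vsctl and the GRO setting
# are the guide's own steps; eth2 stands for EXTERNAL_INTERFACE):
#   ip_out=$(ip -4 -o addr show dev eth2)
#   if preflight_add_port eth2 "$ip_out" "$SSH_CONNECTION"; then
#       ovs-vsctl add-port br-ex eth2
#       ethtool -K eth2 gro off      # GRO off on the external interface
#   fi

# Demonstration on constructed "ip" output: eth2 still holds 192.0.2.10 and
# the session came in on that address, then the safe case.
ip_out='2: eth2    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth2\       valid_lft forever preferred_lft forever'
preflight_add_port eth2 "$ip_out" "198.51.100.7 51022 192.0.2.10 22" || echo "exit status $?"
preflight_add_port eth2 "" "198.51.100.7 51022 10.0.0.5 22" && echo "eth2 has no address: safe"
```

Because the check takes the ip output and the session string as arguments, it can be tested offline and then wired into whatever wrapper script performs the bridge setup; the return codes distinguish "will break the external address" from "will break this login".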
However, not all NICs handle the increased packet size of VLAN-tagged packets well, and you might need to complete additional configuration on physical network hardware to ensure that your Neutron VLANs do not interfere with any other VLANs on your network, and that any physical network hardware between nodes does not strip VLAN tags.

While the examples in this guide enable network namespaces by default, you can disable them if issues occur or your kernel does not support them. Edit the /etc/neutron/l3_agent.ini and /etc/neutron/dhcp_agent.ini files, respectively:

    use_namespaces = False

Edit the /etc/neutron/neutron.conf file to disable overlapping IP addresses:

    allow_overlapping_ips = False

Note that when network namespaces are disabled, you can have only one router for each network node, and overlapping IP addresses are not supported. You must complete additional steps after you create the initial Neutron virtual networks and router.

Configure a firewall plug-in. If you do not wish to enforce firewall rules, called security groups by OpenStack, you can use neutron.agent.firewall.NoopFirewall; with this driver, security group rules are accepted by the API but never enforced on the node. Otherwise, choose one of the Networking firewall plug-ins. The most common choice is the hybrid OVS-iptables driver, but you can also use the Firewall-as-a-Service driver. Edit the /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini file:

    [securitygroup]
    # Firewall driver for realizing neutron security group function.
    firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver

You must configure at least the No-Op firewall driver. Otherwise, Horizon and other OpenStack services cannot get and set the required VM boot options.

Configure the OVS plug-in agent to start on boot (one of the following, depending on your distribution):

    # chkconfig neutron-openvswitch-agent on
    # chkconfig openstack-neutron-openvswitch-agent on

Now, return to the general OVS instructions.
Configure the Neutron OVS plug-in for GRE tunneling

Configure the OVS plug-in to use GRE tunneling, the br-int integration bridge, the br-tun tunneling bridge, and a local IP for the DATA_INTERFACE tunnel IP. Edit the /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini file:

    [ovs]
    tenant_network_type = gre
    tunnel_id_ranges = 1:1000
    enable_tunneling = True
    integration_bridge = br-int
    tunnel_bridge = br-tun
    local_ip = DATA_INTERFACE_IP

Return to the general OVS instructions.
Configure the Neutron OVS plug-in for VLANs

Configure OVS to use VLANs. Edit the /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini file:

    [ovs]
    tenant_network_type = vlan
    network_vlan_ranges = physnet1:1:4094
    bridge_mappings = physnet1:br-DATA_INTERFACE

Create the bridge for DATA_INTERFACE and add DATA_INTERFACE to it:

    # ovs-vsctl add-br br-DATA_INTERFACE
    # ovs-vsctl add-port br-DATA_INTERFACE DATA_INTERFACE

Transfer the IP address for DATA_INTERFACE to the bridge in the same way that you transferred the EXTERNAL_INTERFACE IP address to br-ex. However, do not turn on promiscuous mode.

Return to the general OVS instructions.