Configure controller node

By default, the system-config-firewall automated firewall configuration tool is in place on RHEL. This graphical interface (and a curses-style interface with -tui on the end of the name) enables you to configure iptables as a basic firewall. You should disable it when you work with Neutron unless you are familiar with the underlying network technologies, as, by default, it blocks various types of network traffic that are important to Neutron. To disable it, simply launch the program and clear the Enabled check box.

After you successfully set up OpenStack with Neutron, you can re-enable and configure the tool. However, during Neutron setup, disable the tool to make it easier to debug network issues.

Prerequisites

Before you configure individual nodes for Networking, you must create the required OpenStack components: user, service, database, and one or more endpoints. After you complete these steps on the controller node, follow the instructions in this guide to set up OpenStack Networking nodes.

Connect to the MySQL database as the root user, create the neutron database, and grant the proper access to it:

    $ mysql -u root -p
    mysql> CREATE DATABASE neutron;
    mysql> GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'localhost' \
    IDENTIFIED BY 'NEUTRON_DBPASS';
    mysql> GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'%' \
    IDENTIFIED BY 'NEUTRON_DBPASS';

Create the required user, service, and endpoint so that Networking can interface with the Identity Service.

Create a neutron user:

    $ keystone user-create --name=neutron --pass=NEUTRON_PASS --email=neutron@example.com

Add the user role to the neutron user:

    $ keystone user-role-add --user=neutron --tenant=service --role=admin

Create the neutron service:

    $ keystone service-create --name=neutron --type=network \
         --description="OpenStack Networking"

Create a Networking endpoint:

    $ keystone endpoint-create \
         --service-id $(keystone service-list | awk '/ network / {print $2}') \
         --publicurl http://controller:9696 \
         --adminurl http://controller:9696 \
         --internalurl http://controller:9696

Install and configure server component

Install the server component of Networking and any dependencies.

    # apt-get install neutron-server
    # yum install openstack-neutron python-neutron python-neutronclient
    # zypper install openstack-neutron python-neutron python-neutronclient

Configure Networking to connect to the database:

    # openstack-config --set /etc/neutron/neutron.conf database connection \
         mysql://neutron:NEUTRON_DBPASS@controller/neutron

Configure Networking to use your MySQL database. Edit the /etc/neutron/neutron.conf file and add the following key under the [database] section. Replace NEUTRON_DBPASS with the password you chose for the Neutron database.

    [database]
    ...
    connection = mysql://neutron:NEUTRON_DBPASS@controller/neutron

Configure Networking to use keystone as the Identity Service for authentication:

Set the auth_strategy configuration key to keystone in the DEFAULT section of the file:

    # openstack-config --set /etc/neutron/neutron.conf DEFAULT auth_strategy keystone

Set the neutron configuration for keystone authentication:

    # openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
         auth_uri http://controller:5000
    # openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
         auth_host controller
    # openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
         auth_protocol http
    # openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
         auth_port 35357
    # openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
         admin_tenant_name service
    # openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
         admin_user neutron
    # openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
         admin_password NEUTRON_PASS

Configure Networking to use keystone as the Identity Service for authentication. Edit the /etc/neutron/neutron.conf file and add the following key under the [DEFAULT] section.

    [DEFAULT]
    ...
    auth_strategy = keystone

Add the following keys under the [keystone_authtoken] section. Replace NEUTRON_PASS with the password you chose for the Neutron user in Keystone.

    [keystone_authtoken]
    ...
    auth_uri = http://controller:5000
    auth_host = controller
    auth_protocol = http
    auth_port = 35357
    admin_tenant_name = service
    admin_user = neutron
    admin_password = NEUTRON_PASS

Configure access to the RabbitMQ service:

    # openstack-config --set /etc/neutron/neutron.conf DEFAULT \
         rpc_backend neutron.openstack.common.rpc.impl_kombu
    # openstack-config --set /etc/neutron/neutron.conf DEFAULT \
         rabbit_host controller
    # openstack-config --set /etc/neutron/neutron.conf DEFAULT \
         rabbit_userid guest
    # openstack-config --set /etc/neutron/neutron.conf DEFAULT \
         rabbit_password RABBIT_PASS

Configure access to the Qpid message queue:

    # openstack-config --set /etc/neutron/neutron.conf DEFAULT \
         rpc_backend neutron.openstack.common.rpc.impl_qpid
    # openstack-config --set /etc/neutron/neutron.conf DEFAULT \
         qpid_hostname controller
    # openstack-config --set /etc/neutron/neutron.conf DEFAULT \
         qpid_port 5672
    # openstack-config --set /etc/neutron/neutron.conf DEFAULT \
         qpid_username guest
    # openstack-config --set /etc/neutron/neutron.conf DEFAULT \
         qpid_password guest

Configure Networking to use your message broker. Edit the /etc/neutron/neutron.conf file and add the following keys under the [DEFAULT] section. Replace RABBIT_PASS with the password you chose for RabbitMQ.

    [DEFAULT]
    ...
    rpc_backend = neutron.openstack.common.rpc.impl_kombu
    rabbit_host = controller
    rabbit_password = RABBIT_PASS

Install and configure Open vSwitch (OVS) plug-in

OpenStack Networking supports a variety of plug-ins. For simplicity, we chose to cover the most common plug-in, Open vSwitch, and configure it to use basic GRE tunnels for tenant network traffic.

Install the Open vSwitch plug-in:

    # apt-get install neutron-plugin-openvswitch
    # yum install openstack-neutron-openvswitch
    # zypper install openstack-neutron-openvswitch-agent

You must set some common configuration options no matter which networking technology you choose to use with Open vSwitch. You must configure Networking core to use OVS.
Edit the /etc/neutron/neutron.conf file:

    core_plugin = neutron.plugins.openvswitch.ovs_neutron_plugin.OVSNeutronPluginV2

The dedicated controller node does not need to run Open vSwitch or the Open vSwitch agent.

Configure the OVS plug-in to use GRE tunneling. Edit the /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini file:

    [ovs]
    tenant_network_type = gre
    tunnel_id_ranges = 1:1000
    enable_tunneling = True

Configure Compute services for Networking

Configure Compute to use OpenStack Networking services. Configure the /etc/nova/nova.conf file as per instructions below:

    # openstack-config --set /etc/nova/nova.conf DEFAULT \
         network_api_class nova.network.neutronv2.api.API
    # openstack-config --set /etc/nova/nova.conf DEFAULT \
         neutron_url http://controller:9696
    # openstack-config --set /etc/nova/nova.conf DEFAULT \
         neutron_auth_strategy keystone
    # openstack-config --set /etc/nova/nova.conf DEFAULT \
         neutron_admin_tenant_name service
    # openstack-config --set /etc/nova/nova.conf DEFAULT \
         neutron_admin_username neutron
    # openstack-config --set /etc/nova/nova.conf DEFAULT \
         neutron_admin_password NEUTRON_PASS
    # openstack-config --set /etc/nova/nova.conf DEFAULT \
         neutron_admin_auth_url http://controller:35357/v2.0
    # openstack-config --set /etc/nova/nova.conf DEFAULT \
         linuxnet_interface_driver nova.network.linux_net.LinuxOVSInterfaceDriver
    # openstack-config --set /etc/nova/nova.conf DEFAULT \
         firewall_driver nova.virt.firewall.NoopFirewallDriver
    # openstack-config --set /etc/nova/nova.conf DEFAULT \
         security_group_api neutron

Configure Compute to use OpenStack Networking services.
Edit the /etc/nova/nova.conf file:

    network_api_class=nova.network.neutronv2.api.API
    neutron_url=http://controller:9696
    neutron_auth_strategy=keystone
    neutron_admin_tenant_name=service
    neutron_admin_username=neutron
    neutron_admin_password=NEUTRON_PASS
    neutron_admin_auth_url=http://controller:35357/v2.0
    linuxnet_interface_driver = nova.network.linux_net.LinuxOVSInterfaceDriver
    firewall_driver=nova.virt.firewall.NoopFirewallDriver
    security_group_api=neutron

Regardless of which firewall driver you chose when you configured the network and compute nodes, set this driver as the No-Op firewall. This firewall is a nova firewall, and because neutron handles the firewall, you must tell nova not to use one.

When Networking handles the firewall, the option firewall_driver should be set according to the specified plug-in. For example, with OVS, edit the /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini file:

    [securitygroup]
    # Firewall driver for realizing neutron security group function.
    firewall_driver=neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver

    # openstack-config --set \
         /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini securitygroup firewall_driver \
         neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver

If you do not want to use a firewall in Compute or Networking, set firewall_driver=nova.virt.firewall.NoopFirewallDriver in both config files, and comment out or remove security_group_api=neutron in the /etc/nova/nova.conf file. Otherwise, you may encounter ERROR: The server has either erred or is incapable of performing the requested operation. (HTTP 500) when issuing nova list commands.

The neutron-server initialization script expects a symbolic link /etc/neutron/plugin.ini pointing to the configuration file associated with your chosen plug-in. Using Open vSwitch, for example, the symbolic link must point to /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini.
If this symbolic link does not exist, create it using the following commands:

    # cd /etc/neutron
    # ln -s plugins/openvswitch/ovs_neutron_plugin.ini plugin.ini

The openstack-neutron initialization script expects the variable NEUTRON_PLUGIN_CONF in file /etc/sysconfig/neutron to reference the configuration file associated with your chosen plug-in. Using Open vSwitch, for example, edit the /etc/sysconfig/neutron file and add the following:

    NEUTRON_PLUGIN_CONF="/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini"

Finalize installation

Restart the Compute and Networking services:

    # service nova-api restart
    # service nova-scheduler restart
    # service nova-conductor restart
    # service neutron-server restart

Restart the Compute services:

    # service openstack-nova-api restart
    # service openstack-nova-scheduler restart
    # service openstack-nova-conductor restart

Start the Networking service and configure it to start when the system boots:

    # service neutron-server start
    # chkconfig neutron-server on
    # service openstack-neutron start
    # chkconfig openstack-neutron on
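
A check to run over the edited files before restarting the services, as an added example that is not part of the original guide or of OpenStack: it flags placeholder passwords (NEUTRON_DBPASS, NEUTRON_PASS, RABBIT_PASS) left in place and the firewall_driver / security_group_api combinations the text above warns about. The audit function, its finding strings and the sample file contents are constructed for illustration.

```python
import configparser

# Placeholder secrets the guide tells you to replace with real values.
PLACEHOLDERS = ("NEUTRON_DBPASS", "NEUTRON_PASS", "RABBIT_PASS")
NOOP = "nova.virt.firewall.NoopFirewallDriver"


def load(text):
    # Treat [DEFAULT] as an ordinary section so its keys are not inherited by
    # other sections; disable interpolation so '%' in a password stays literal.
    cp = configparser.ConfigParser(default_section="__unused__",
                                   interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def audit(nova_text, neutron_text, ovs_text):
    """Return findings for nova.conf, neutron.conf and ovs_neutron_plugin.ini."""
    files = {"nova.conf": load(nova_text),
             "neutron.conf": load(neutron_text),
             "ovs_neutron_plugin.ini": load(ovs_text)}
    findings = []
    for name, cp in files.items():
        for section in cp.sections():
            for key, value in cp.items(section):
                if any(p in value for p in PLACEHOLDERS):
                    findings.append(f"{name} [{section}] {key}: placeholder not replaced")
    nova, ovs = files["nova.conf"], files["ovs_neutron_plugin.ini"]
    nova_fw = nova.get("DEFAULT", "firewall_driver", fallback="")
    sg_api = nova.get("DEFAULT", "security_group_api", fallback="")
    ovs_fw = ovs.get("securitygroup", "firewall_driver", fallback="")
    # Neutron handles the firewall, so nova must always use the No-Op driver.
    if nova_fw != NOOP:
        findings.append("nova.conf: firewall_driver is not the No-Op driver")
    # No firewall in Networking either: security_group_api=neutron must go,
    # otherwise the guide reports HTTP 500 errors from nova list.
    if ovs_fw == NOOP and sg_api == "neutron":
        findings.append("nova.conf: security_group_api=neutron with No-Op firewall in Networking")
    return findings


# Constructed sample file contents (not from a real deployment).
NOVA = "[DEFAULT]\nfirewall_driver=" + NOOP + "\nsecurity_group_api=neutron\n"
NEUTRON = "[database]\nconnection = mysql://neutron:NEUTRON_DBPASS@controller/neutron\n"
OVS_NOFW = "[securitygroup]\nfirewall_driver=" + NOOP + "\n"

if __name__ == "__main__":
    print("\n".join(audit(NOVA, NEUTRON, OVS_NOFW)))
```

Feed it the contents of the real files in place of the sample strings; an empty list means none of these conditions were found.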