Configure compute node with neutron services

Configure compute node with neutron services This section details set up for any node that runs the nova-compute component but does not run the full network stack. By default, the system-config-firewall automated firewall configuration tool is in place on RHEL. This graphical interface (and a curses-style interface with -tui on the end of the name) enables you to configure IP tables as a basic firewall. You should disable it when you work with OpenStack Networking unless you are familiar with the underlying network technologies, as, by default, it blocks various types of network traffic that are important to neutron services. To disable it, launch the program and clear the Enabled check box. After you successfully set up OpenStack Networking with Neutron, you can re-enable and configure the tool. However, during OpenStack Networking setup, disable the tool to make it easier to debug network issues. Disable packet destination filtering (route verification) to let the networking services route traffic to the VMs. Edit the /etc/sysctl.conf file and run the following command to activate changes: net.ipv4.conf.all.rp_filter=0 net.ipv4.conf.default.rp_filter=0 # sysctl -p Install and configure your networking plug-in components. To install and configure the network plug-in that you chose when you set up your network node, see . Configure Networking to use keystone for authentication: Set the auth_strategy configuration key to keystone in the DEFAULT section of the file: # openstack-config --set /etc/neutron/neutron.conf DEFAULT auth_strategy keystone Set the neutron configuration for keystone authentication: # openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \ auth_host controller # openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \ auth_url http://controller:35357/v2.0 # openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \ admin_tenant_name service # openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \ admin_user neutron # openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \ admin_password NEUTRON_PASS Configure access to the RabbitMQ service: # openstack-config --set /etc/neutron/neutron.conf DEFAULT \ rpc_backend neutron.openstack.common.rpc.impl_kombu # openstack-config --set /etc/neutron/neutron.conf DEFAULT \ rabbit_host controller # openstack-config --set /etc/neutron/neutron.conf DEFAULT \ rabbit_userid guest # openstack-config --set /etc/neutron/neutron.conf DEFAULT \ rabbit_password RABBIT_PASS Configure access to the Qpid message queue: # openstack-config --set /etc/neutron/neutron.conf DEFAULT \ rpc_backend neutron.openstack.common.rpc.impl_qpid # openstack-config --set /etc/neutron/neutron.conf DEFAULT \ qpid_hostname controller # openstack-config --set /etc/neutron/neutron.conf DEFAULT \ qpid_port 5672 # openstack-config --set /etc/neutron/neutron.conf DEFAULT \ qpid_username guest # openstack-config --set /etc/neutron/neutron.conf DEFAULT \ qpid_password guest Configure the core components of Neutron. Edit the /etc/neutron/neutron.conf file: auth_host = controller admin_tenant_name = service admin_user = neutron admin_password = NEUTRON_PASS auth_url = http://controller:35357/v2.0 auth_strategy = keystone rpc_backend = neutron.openstack.common.rpc.impl_kombu rabbit_host = controller rabbit_port = 5672 # Change the following settings if you're not using the default RabbitMQ configuration #rabbit_userid = guest rabbit_password = RABBIT_PASS Set the root_helper configuration in the [agent] section of /etc/neutron/neutron.conf: # openstack-config --set /etc/neutron/neutron.conf AGENT \ root_helper "sudo neutron-rootwrap /etc/neutron/rootwrap.conf" Configure Networking to connect to the database: # openstack-config --set /etc/neutron/neutron.conf database connection \ mysql://neutron:NEUTRON_DBPASS@controller/neutron Configure Networking to connect to the database. Edit the [database] section in the same file, as follows: [database] connection = mysql://neutron:NEUTRON_DBPASS@controller/neutron Edit the /etc/neutron/api-paste.ini file and add these lines to the [filter:authtoken] section: [filter:authtoken] paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory auth_host = controller admin_tenant_name = service admin_user = neutron admin_password = NEUTRON_PASS Configure the /etc/neutron/api-paste.ini file for keystone authentication: # openstack-config --set /etc/neutron/api-paste.ini filter:authtoken \ paste.filter_factory keystoneclient.middleware.auth_token:filter_factory # openstack-config --set /etc/neutron/api-paste.ini filter:authtoken \ auth_host controller # openstack-config --set /etc/neutron/api-paste.ini filter:authtoken \ admin_tenant_name service # openstack-config --set /etc/neutron/api-paste.ini filter:authtoken \ admin_user neutron # openstack-config --set /etc/neutron/api-paste.ini filter:authtoken \ admin_password NEUTRON_PASS Configure OpenStack Compute to use OpenStack Networking services. Configure the /etc/nova/nova.conf file as per instructions below: # openstack-config --set /etc/nova/nova.conf DEFAULT \ network_api_class nova.network.neutronv2.api.API # openstack-config --set /etc/nova/nova.conf DEFAULT \ neutron_url http://controller:9696 # openstack-config --set /etc/nova/nova.conf DEFAULT \ neutron_auth_strategy keystone # openstack-config --set /etc/nova/nova.conf DEFAULT \ neutron_admin_tenant_name service # openstack-config --set /etc/nova/nova.conf DEFAULT \ neutron_admin_username neutron # openstack-config --set /etc/nova/nova.conf DEFAULT \ neutron_admin_password NEUTRON_PASS # openstack-config --set /etc/nova/nova.conf DEFAULT \ neutron_admin_auth_url http://controller:35357/v2.0 # openstack-config --set /etc/nova/nova.conf DEFAULT \ linuxnet_interface_driver nova.network.linux_net.LinuxOVSInterfaceDriver # openstack-config --set /etc/nova/nova.conf DEFAULT \ firewall_driver nova.virt.firewall.NoopFirewallDriver # openstack-config --set /etc/nova/nova.conf DEFAULT \ security_group_api neutron Configure OpenStack Compute to use OpenStack Networking services. Edit the /etc/nova/nova.conf file: network_api_class=nova.network.neutronv2.api.API neutron_url=http://controller:9696 neutron_auth_strategy=keystone neutron_admin_tenant_name=service neutron_admin_username=neutron neutron_admin_password=NEUTRON_PASS neutron_admin_auth_url=http://controller:35357/v2.0 linuxnet_interface_driver = nova.network.linux_net.LinuxOVSInterfaceDriver firewall_driver=nova.virt.firewall.NoopFirewallDriver security_group_api=neutron No matter which firewall driver you chose when you configured the network and compute nodes, you must edit the /etc/nova/nova.conf file to set the firewall driver to nova.virt.firewall.NoopFirewallDriver. Because OpenStack Networking handles the firewall, this statement instructs Compute to not use a firewall. If you want Networking to handle the firewall, edit the /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini file to set the firewall_driver option to the firewall for the plug-in. For example, with OVS, edit the file as follows: [securitygroup] # Firewall driver for realizing neutron security group function. firewall_driver=neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver # openstack-config --set \ /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini securitygroup firewall_driver \ neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver If you do not want to use a firewall in Compute or Networking, edit both configuration files and set firewall_driver=nova.virt.firewall.NoopFirewallDriver. Also, edit the /etc/nova/nova.conf file and comment out or remove the security_group_api=neutron statement. Otherwise, when you issue nova list commands, the ERROR: The server has either erred or is incapable of performing the requested operation. (HTTP 500) error might be returned. Restart the Compute service. # service nova-compute restart # service openstack-nova-compute restart # service openstack-nova-compute restart Also restart your chosen Networking plug-in agent, for example, Open vSwitch. # service neutron-plugin-openvswitch-agent restart # service neutron-openvswitch-agent restart # service openstack-neutron-openvswitch-agent restart

Install and configure OpenStack Networking plug-ins on a dedicated compute node

Install the Open vSwitch (OVS) plug-in on a dedicated compute node Install the Open vSwitch plug-in and its dependencies: # apt-get install neutron-plugin-openvswitch-agent openvswitch-datapath-dkms # yum install openstack-neutron-openvswitch # zypper install openstack-neutron-openvswitch-agent Restart Open vSwitch: # service openvswitch-switch restart Start Open vSwitch and configure it to start when the system boots: # service openvswitch start # chkconfig openvswitch on # service openvswitch-switch start # chkconfig openvswitch-switch on You must set some common configuration options no matter which networking technology you choose to use with Open vSwitch. You must add the br-int integration bridge, which connects to the VMs. # ovs-vsctl add-br br-int You must set some common configuration options. You must configure Networking core to use OVS. Edit the /etc/neutron/neutron.conf file: core_plugin = neutron.plugins.openvswitch.ovs_neutron_plugin.OVSNeutronPluginV2 auth_uri = http://controller:5000 core_plugin = neutron.plugins.openvswitch.ovs_neutron_plugin.OVSNeutronPluginV2 api_paste_config = /etc/neutron/api-paste.ini rpc_backend = neutron.openstack.common.rpc.impl_qpid Configure the networking type that you chose when you set up the network node: either GRE tunneling or VLANs. You must configure a firewall as well. You should use the same firewall plug-in that you chose to use when you set up the network node. To do this, edit /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini file and set the firewall_driver value under the securitygroup to the same value used on the network node. For instance, if you chose to use the Hybrid OVS-IPTables plug-in, your configuration looks like this: [securitygroup] # Firewall driver for realizing neutron security group function. firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver You must use at least the No-Op firewall. Otherwise, Horizon and other OpenStack services cannot get and set required VM boot options. Configure the OVS plug-in to start on boot. # chkconfig neutron-openvswitch-agent on # chkconfig openstack-neutron-openvswitch-agent on Now, return to the general OVS instructions.

Configure the Neutron <acronym>OVS</acronym> plug-in for GRE tunneling on a dedicated compute node Tell the OVS plug-in to use GRE tunneling with a br-int integration bridge, a br-tun tunneling bridge, and a local IP for the tunnel of DATA_INTERFACE's IP Edit the /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini file: [ovs] tenant_network_type = gre tunnel_id_ranges = 1:1000 enable_tunneling = True integration_bridge = br-int tunnel_bridge = br-tun local_ip = DATA_INTERFACE_IP Now, return to the general OVS instructions.

Configure the Neutron <acronym>OVS</acronym> plug-in for VLANs on a dedicated compute node Tell OVS to use VLANs. Edit the /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini file: [ovs] tenant_network_type = vlan network_vlan_ranges = physnet1:1:4094 bridge_mappings = physnet1:br-DATA_INTERFACE Create the bridge for the DATA_INTERFACE and add DATA_INTERFACE to it, the same way you did on the network node: # ovs-vsctl add-br br-DATA_INTERFACE # ovs-vsctl add-port br-DATA_INTERFACE DATA_INTERFACE Return to the general OVS instructions.