# Configure network node

Before you start, set up a machine as a dedicated network node. Dedicated network nodes have a MGMT_INTERFACE NIC, a DATA_INTERFACE NIC, and an EXTERNAL_INTERFACE NIC. The management network handles communication among nodes. The data network handles communication to and from VMs. The external NIC connects the network node (and optionally the controller node) to the outside world, so that your VMs can reach external networks.

By default, the system-config-firewall automated firewall configuration tool is in place on RHEL. This graphical interface (and a curses-style interface, with -tui appended to the name) enables you to configure iptables as a basic firewall. Unless you are familiar with the underlying network technologies, disable it while you work with Networking: by default it blocks various types of network traffic that Networking depends on. To disable it, launch the program and clear the Enabled check box. After you successfully set up OpenStack Networking, you can re-enable and configure the tool. During Networking setup, however, keep the tool disabled to make network issues easier to debug.

## Install agents and configure common components

Install the Networking packages and any dependencies.

Ubuntu/Debian:

```
# apt-get install neutron-dhcp-agent neutron-l3-agent
```

RHEL/CentOS/Fedora:

```
# yum install openstack-neutron
```

openSUSE/SLES:

```
# zypper install openstack-neutron openstack-neutron-l3-agent \
  openstack-neutron-dhcp-agent openstack-neutron-metadata-agent
```

If the packages prompt you during installation, respond to the prompts for database management, [keystone_authtoken] settings, RabbitMQ credentials, and API endpoint registration.

Configure the Networking agents to start at boot time. On RHEL/CentOS/Fedora:

```
# for s in neutron-{dhcp,metadata,l3}-agent; do chkconfig $s on; done
```

On openSUSE/SLES:

```
# for s in openstack-neutron-{dhcp,metadata,l3}-agent; do chkconfig $s on; done
```

Enable packet forwarding and disable reverse-path filtering (rp_filter, which would otherwise drop packets arriving on an interface the kernel would not use to reach their source) so that the network node can forward traffic for the VMs.
Edit the /etc/sysctl.conf file, as follows:

```
net.ipv4.ip_forward=1
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.default.rp_filter=0
```

Use the sysctl command to ensure that the changes made to the /etc/sysctl.conf file take effect:

```
# sysctl -p
```

It is recommended that you restart the networking service after changing values related to the networking configuration, so that all modified values take effect immediately. On Ubuntu/Debian:

```
# service networking restart
```

On RHEL/CentOS/Fedora:

```
# service network restart
```

Configure Networking to use keystone for authentication. Where the openstack-config tool is available, set the auth_strategy key to keystone in the DEFAULT section of /etc/neutron/neutron.conf and then set the keystone_authtoken keys:

```
# openstack-config --set /etc/neutron/neutron.conf DEFAULT auth_strategy keystone
# openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
  auth_uri http://controller:5000
# openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
  auth_host controller
# openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
  auth_protocol http
# openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
  auth_port 35357
# openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
  admin_tenant_name service
# openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
  admin_user neutron
# openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
  admin_password NEUTRON_PASS
```

Otherwise, edit the /etc/neutron/neutron.conf file directly. Set the auth_strategy configuration key to keystone in the [DEFAULT] section of the file:

```
[DEFAULT]
...
auth_strategy = keystone
```

Add these lines to the [keystone_authtoken] section of the file:

```
[keystone_authtoken]
...
auth_uri = http://controller:5000
auth_host = controller
auth_port = 35357
auth_protocol = http
admin_tenant_name = service
admin_user = neutron
admin_password = NEUTRON_PASS
```

Configure access to the RabbitMQ service. With openstack-config:

```
# openstack-config --set /etc/neutron/neutron.conf DEFAULT \
  rpc_backend neutron.openstack.common.rpc.impl_kombu
# openstack-config --set /etc/neutron/neutron.conf DEFAULT \
  rabbit_host controller
# openstack-config --set /etc/neutron/neutron.conf DEFAULT \
  rabbit_userid guest
# openstack-config --set /etc/neutron/neutron.conf DEFAULT \
  rabbit_password RABBIT_PASS
```

Or edit the /etc/neutron/neutron.conf file and set the following parameters in the [DEFAULT] section:

```
rabbit_host = controller
rabbit_userid = guest
rabbit_password = RABBIT_PASS
```

If you use the Qpid message queue instead of RabbitMQ, configure access to it:

```
# openstack-config --set /etc/neutron/neutron.conf DEFAULT \
  rpc_backend neutron.openstack.common.rpc.impl_qpid
# openstack-config --set /etc/neutron/neutron.conf DEFAULT \
  qpid_hostname controller
# openstack-config --set /etc/neutron/neutron.conf DEFAULT \
  qpid_port 5672
# openstack-config --set /etc/neutron/neutron.conf DEFAULT \
  qpid_username guest
# openstack-config --set /etc/neutron/neutron.conf DEFAULT \
  qpid_password guest
```

The guest/guest values are the broker's defaults; use the credentials you actually configured on the controller's message broker.

## Install and configure the Open vSwitch (OVS) plug-in

OpenStack Networking supports a variety of plug-ins. For simplicity, this guide covers the most common plug-in, Open vSwitch, and configures it to use basic GRE tunnels for tenant network traffic.
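Before moving on to the plug-in, it is worth verifying the common-component settings from the previous section. The following script is an added example, not part of the guide or of OpenStack: it parses constructed copies of /etc/sysctl.conf and /etc/neutron/neutron.conf (the file contents and the placeholder names RABBIT_PASS and NEUTRON_PASS are taken from the steps above) and reports missing keys, wrong sysctl values, and passwords still set to the guide's placeholders.

```python
import configparser
# Constructed sample of /etc/sysctl.conf; the "default" rp_filter line is missing.
SYSCTL_CONF = "net.ipv4.ip_forward=1\nnet.ipv4.conf.all.rp_filter=0\n"
# Constructed /etc/neutron/neutron.conf: auth_protocol missing, placeholders left in.
NEUTRON_CONF = """\
[DEFAULT]
auth_strategy = keystone
rabbit_userid = guest
rabbit_password = RABBIT_PASS
[keystone_authtoken]
auth_uri = http://controller:5000
auth_host = controller
auth_port = 35357
admin_tenant_name = service
admin_user = neutron
admin_password = NEUTRON_PASS
"""
REQUIRED_SYSCTL = {"net.ipv4.ip_forward": "1", "net.ipv4.conf.all.rp_filter": "0",
                   "net.ipv4.conf.default.rp_filter": "0"}
REQUIRED_AUTHTOKEN = ("auth_uri", "auth_host", "auth_port", "auth_protocol",
                      "admin_tenant_name", "admin_user", "admin_password")
PLACEHOLDERS = ("NEUTRON_PASS", "RABBIT_PASS")  # guide values that must be replaced


def parse_sysctl(text):
    """Parse 'key = value' lines of sysctl.conf; '#' starts a comment."""
    parts = (ln.split("#", 1)[0].partition("=") for ln in text.splitlines())
    return {k.strip(): v.strip() for k, sep, v in parts if sep}


def check_network_node(sysctl_text, neutron_text):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    sysctl = parse_sysctl(sysctl_text)
    for key, want in REQUIRED_SYSCTL.items():
        if sysctl.get(key) != want:
            findings.append(f"sysctl: {key} should be {want}, is {sysctl.get(key)!r}")
    # Rename the default section so [DEFAULT] parses as an ordinary section and
    # its keys are not silently copied into every other section.
    cfg = configparser.ConfigParser(default_section="__none__", interpolation=None)
    cfg.read_string(neutron_text)
    if cfg.get("DEFAULT", "auth_strategy", fallback=None) != "keystone":
        findings.append("neutron.conf: [DEFAULT] auth_strategy must be keystone")
    for key in REQUIRED_AUTHTOKEN:
        if not cfg.has_option("keystone_authtoken", key):
            findings.append(f"neutron.conf: [keystone_authtoken] {key} is missing")
    for section in cfg.sections():
        for key, value in cfg.items(section):
            if value in PLACEHOLDERS:
                findings.append(f"neutron.conf: [{section}] {key} still holds {value}")
    return findings
```

On a real node, read the two files from disk and pass their contents to check_network_node; the sample input above yields four findings.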
Install the Open vSwitch plug-in and its dependencies.

Ubuntu/Debian:

```
# apt-get install neutron-plugin-openvswitch-agent openvswitch-datapath-dkms
```

RHEL/CentOS/Fedora:

```
# yum install openstack-neutron-openvswitch
```

openSUSE/SLES:

```
# zypper install openstack-neutron-openvswitch-agent
```

Start Open vSwitch. Use the command that matches your distribution's service name (openvswitch on RHEL-based systems, openvswitch-switch elsewhere):

```
# service openvswitch start
# service openvswitch-switch start
# service openvswitch-switch restart
```

And configure it to start when the system boots (on systems that use chkconfig):

```
# chkconfig openvswitch on
# chkconfig openvswitch-switch on
```

No matter which networking technology you use, you must add the br-int integration bridge, which connects to the VMs, and the br-ex external bridge, which connects to the outside world:

```
# ovs-vsctl add-br br-int
# ovs-vsctl add-br br-ex
```

Add a port (connection) from the EXTERNAL_INTERFACE interface to the br-ex bridge:

```
# ovs-vsctl add-port br-ex EXTERNAL_INTERFACE
```

The host must have an IP address associated with an interface other than EXTERNAL_INTERFACE, and your remote terminal session must be associated with this other IP address. If you associate an IP address with EXTERNAL_INTERFACE, that IP address stops working after you issue the ovs-vsctl add-port br-ex EXTERNAL_INTERFACE command, and if your remote terminal session is associated with that IP address, you lose connectivity with the host. For more details about this behavior, see the Configuration Problems section of the Open vSwitch FAQ.

Configure EXTERNAL_INTERFACE without an IP address and in promiscuous mode. Additionally, set the newly created br-ex interface to the IP address that formerly belonged to EXTERNAL_INTERFACE. Generic Receive Offload (GRO) should not be enabled on this interface because it can cause severe performance problems; it can be disabled with the ethtool utility.

Edit the /etc/sysconfig/network-scripts/ifcfg-EXTERNAL_INTERFACE file:

```
DEVICE_INFO_HERE
ONBOOT=yes
BOOTPROTO=none
PROMISC=yes
```

Create and edit the /etc/sysconfig/network-scripts/ifcfg-br-ex file:

```
DEVICE=br-ex
TYPE=Bridge
ONBOOT=no
BOOTPROTO=none
IPADDR=EXTERNAL_INTERFACE_IP
NETMASK=EXTERNAL_INTERFACE_NETMASK
GATEWAY=EXTERNAL_INTERFACE_GATEWAY
```

You must set some common configuration options no matter which networking technology you choose to use with Open vSwitch. Configure the L3 and DHCP agents to use OVS and namespaces by editing the /etc/neutron/l3_agent.ini and /etc/neutron/dhcp_agent.ini files, respectively:

```
interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
use_namespaces = True
```

While the examples in this guide enable network namespaces by default, you can disable them if issues occur or your kernel does not support them. Edit the /etc/neutron/l3_agent.ini and /etc/neutron/dhcp_agent.ini files, respectively:

```
use_namespaces = False
```

Edit the /etc/neutron/neutron.conf file to disable overlapping IP addresses:

```
allow_overlapping_ips = False
```

Note that when network namespaces are disabled, you can have only one router for each network node and overlapping IP addresses are not supported. You must complete additional steps after you create the initial Neutron virtual networks and router.

Similarly, you must tell the Neutron core to use OVS. Edit the /etc/neutron/neutron.conf file:

```
core_plugin = neutron.plugins.openvswitch.ovs_neutron_plugin.OVSNeutronPluginV2
```

Configure a firewall plug-in. If you do not wish to enforce firewall rules, called security groups by OpenStack, you can use neutron.agent.firewall.NoopFirewall. Otherwise, choose one of the Networking firewall plug-ins. The most common choice is the Hybrid OVS-IPTables driver, but you can also use the Firewall-as-a-Service driver. Edit the /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini file:

```
[securitygroup]
# Firewall driver for realizing neutron security group function.
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
```

You must use at least the No-Op firewall. Otherwise, Horizon and other OpenStack services cannot get and set required VM boot options. Keep in mind that with NoopFirewall, security group rules are accepted by the API but not enforced on VM ports.

Configure the OVS plug-in to start on boot. On RHEL/CentOS/Fedora:

```
# chkconfig neutron-openvswitch-agent on
```

On openSUSE/SLES:

```
# chkconfig openstack-neutron-openvswitch-agent on
```

Configure the OVS plug-in to use GRE tunneling, the br-int integration bridge, the br-tun tunneling bridge, and a local IP for the DATA_INTERFACE tunnel IP. Edit the /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini file:

```
[ovs]
...
tenant_network_type = gre
tunnel_id_ranges = 1:1000
enable_tunneling = True
integration_bridge = br-int
tunnel_bridge = br-tun
local_ip = DATA_INTERFACE_IP
```

## Configure the agents

To perform DHCP on the software-defined networks, Networking supports several different plug-ins; in general, however, you use the dnsmasq plug-in. Configure the /etc/neutron/dhcp_agent.ini file:

```
dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq
```

Or, with openstack-config:

```
# openstack-config --set /etc/neutron/dhcp_agent.ini DEFAULT \
  dhcp_driver neutron.agent.linux.dhcp.Dnsmasq
```

To allow virtual machines to access the Compute metadata information, the Networking metadata agent must be enabled and configured. The agent acts as a proxy for the Compute metadata service.

On the controller, edit the /etc/nova/nova.conf file to define a secret key that is shared between the Compute service and the Networking metadata agent. Add to the [DEFAULT] section:

```
[DEFAULT]
...
neutron_metadata_proxy_shared_secret = METADATA_PASS
service_neutron_metadata_proxy = true
```

Or set the keys with openstack-config:

```
# openstack-config --set /etc/nova/nova.conf DEFAULT \
  neutron_metadata_proxy_shared_secret METADATA_PASS
# openstack-config --set /etc/nova/nova.conf DEFAULT \
  service_neutron_metadata_proxy true
```

Restart the nova-api service (named openstack-nova-api on RHEL/CentOS/Fedora and openSUSE/SLES):

```
# service nova-api restart
# service openstack-nova-api restart
```

On the network node, modify the metadata agent configuration. Edit the /etc/neutron/metadata_agent.ini file and modify the [DEFAULT] section:

```
[DEFAULT]
...
auth_url = http://controller:5000/v2.0
auth_region = regionOne
admin_tenant_name = service
admin_user = neutron
admin_password = NEUTRON_PASS
nova_metadata_ip = controller
metadata_proxy_shared_secret = METADATA_PASS
```

Or set the required keys with openstack-config:

```
# openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT \
  auth_url http://controller:5000/v2.0
# openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT \
  auth_region regionOne
# openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT \
  admin_tenant_name service
# openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT \
  admin_user neutron
# openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT \
  admin_password NEUTRON_PASS
# openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT \
  nova_metadata_ip controller
# openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT \
  metadata_proxy_shared_secret METADATA_PASS
```

The value of auth_region is case-sensitive and must match the endpoint region defined in Keystone.

If you serve the OpenStack Networking API over HTTPS with self-signed certificates, you must perform additional configuration for the metadata agent because Networking cannot validate the SSL certificates from the service catalog. Add this statement to the [DEFAULT] section:

```
neutron_insecure = True
```

Or set it with openstack-config:

```
# openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT neutron_insecure True
```

This setting disables certificate verification for the agent's calls to the Networking API, so leave it unset wherever the node can validate the certificate.

## Finalize installation

On RHEL/CentOS/Fedora, the neutron-server initialization script expects a symbolic link /etc/neutron/plugin.ini pointing to the configuration file associated with your chosen plug-in. Using Open vSwitch, for example, the symbolic link must point to /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini. If this symbolic link does not exist, create it using the following commands:

```
# cd /etc/neutron
# ln -s plugins/openvswitch/ovs_neutron_plugin.ini plugin.ini
```

On openSUSE/SLES, the openstack-neutron initialization script expects the variable NEUTRON_PLUGIN_CONF in the file /etc/sysconfig/neutron to reference the configuration file associated with your chosen plug-in. Using Open vSwitch, for example, edit the /etc/sysconfig/neutron file and add the following:

```
NEUTRON_PLUGIN_CONF="/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini"
```

Restart the Networking services.

Ubuntu/Debian:

```
# service neutron-dhcp-agent restart
# service neutron-l3-agent restart
# service neutron-metadata-agent restart
# service neutron-plugin-openvswitch-agent restart
```

RHEL/CentOS/Fedora:

```
# service neutron-dhcp-agent restart
# service neutron-l3-agent restart
# service neutron-metadata-agent restart
# service neutron-openvswitch-agent restart
```

openSUSE/SLES:

```
# service openstack-neutron-dhcp-agent restart
# service openstack-neutron-l3-agent restart
# service openstack-neutron-metadata-agent restart
# service openstack-neutron-openvswitch-agent restart
```
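The shared secret configured above (METADATA_PASS on both sides) is what lets nova-api trust the instance identity the metadata agent asserts on behalf of a VM. The following is an added example, not code from the guide or from OpenStack: it reproduces the mechanism the two services use, an HMAC-SHA256 over the instance ID keyed with the shared secret and carried in the X-Instance-ID-Signature header, with constructed secret, instance and tenant values, and shows that a mismatched secret (for example, a placeholder left unreplaced on one side) or an altered instance ID is rejected.

```python
import hashlib
import hmac

# Constructed values. On a real deployment the agent reads its secret from
# metadata_agent.ini (metadata_proxy_shared_secret) and nova-api reads its own
# copy from nova.conf (neutron_metadata_proxy_shared_secret); they must match.
METADATA_PASS = "constructed-shared-secret"
INSTANCE_ID = "11111111-2222-4333-8444-555555555555"  # constructed instance UUID


def sign_instance_id(shared_secret, instance_id):
    """HMAC-SHA256 of the instance ID keyed with the shared secret, as hex.
    This is the value the metadata agent puts in X-Instance-ID-Signature."""
    return hmac.new(shared_secret.encode(), instance_id.encode(),
                    hashlib.sha256).hexdigest()


def build_proxy_headers(agent_secret, instance_id, tenant_id, vm_ip):
    """Network node side: headers the metadata agent adds when it forwards a
    VM's request to nova-api, after resolving the VM's IP to an instance."""
    return {
        "X-Instance-ID": instance_id,
        "X-Tenant-ID": tenant_id,
        "X-Forwarded-For": vm_ip,
        "X-Instance-ID-Signature": sign_instance_id(agent_secret, instance_id),
    }


def nova_accepts(nova_secret, headers):
    """Controller side: nova-api recomputes the signature with its own copy of
    the secret and compares in constant time. False means the request is
    refused (HTTP 403), so a forged or altered X-Instance-ID cannot be used
    to read another instance's metadata."""
    expected = sign_instance_id(nova_secret, headers.get("X-Instance-ID", ""))
    return hmac.compare_digest(expected, headers.get("X-Instance-ID-Signature", ""))


if __name__ == "__main__":
    hdrs = build_proxy_headers(METADATA_PASS, INSTANCE_ID, "tenant-1", "10.0.0.5")
    print("matching secrets:", nova_accepts(METADATA_PASS, hdrs))    # True
    print("placeholder left:", nova_accepts("METADATA_PASS", hdrs))  # False
```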