openstack/openstack-manuals
Code Issues Proposed changes
280d84e866
openstack-manuals/doc/install-guide/section_neutron-provider-router-with-private_networks.xml
nerminamiller 1fbcf5fef7 Update Neutron chapter of Install Guide 
Add content from Solly Ross
Remove plugin info
Flatten deployment use cases
Fix typos, mispellings, missing periods

Change-Id: I68334c2ea910326623474dab5e7632569d164acd
2013-10-17 08:25:22 +02:00

551 lines
30 KiB
XML
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<?xml version="1.0" encoding="UTF-8"?>
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
xml:id="section_networking-provider-router_with-provate-networks">
<title>Provider router with private networks</title>
<para>This section describes how to install the OpenStack Networking service and its components
for a single router use case—a provider router with private networks.</para>
<para>The following figure shows the setup:</para>
<note>
<para>Because you run the DHCP agent and L3 agent on one node, you must set
<literal>use_namespaces</literal> to <literal>True</literal> (which is the default)
in both agents' configuration files.</para>
</note>
<informalfigure>
<mediaobject>
<imageobject>
<imagedata
fileref="../common/figures/Neutron-PhysNet-Diagram.png"
contentwidth="6in"/>
</imageobject>
</mediaobject>
</informalfigure>
<para>The following nodes are in the setup:<table rules="all">
<caption>Nodes for use case</caption>
<thead>
<tr>
<th>Node</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><para>Controller</para></td>
<td><para>Runs the OpenStack Networking service,
OpenStack Identity and all of the
OpenStack Compute services that are
required to deploy a VM.</para>
<para>The service must have at least two
network interfaces. The first should be
connected to the "Management Network" to
communicate with the compute and network
nodes. The second interface should be
connected to the API/public
network.</para></td>
</tr>
<tr>
<td><para>Compute</para></td>
<td><para>Runs OpenStack Compute and the OpenStack
Networking L2 agent.</para>
<para>This node will not have access the
public network.</para>
<para>The node must have at least two network
interfaces. The first is used to
communicate with the controller node,
through the management network. The VM
will receive its IP address from the DHCP
agent on this network.</para></td>
</tr>
<tr>
<td><para>Network</para></td>
<td><para>Runs OpenStack Networking L2 agent, DHCP
agent, and L3 agent.</para>
<para>This node will have access to the public
network. The DHCP agent will allocate IP
addresses to the VMs on the network. The
L3 agent will perform NAT and enable the
VMs to access the public network.</para>
<para>The node must have at least three
network interfaces. The first communicates
with the controller node through the
management network. The second interface
is used for the VM traffic and is on the
data network. The third interface connects
to the external gateway on the network.
</para></td>
</tr>
</tbody>
</table></para>
<section xml:id="demo_installions">
<title>Install</title>
<section xml:id="controller-install-neutron-server">
<title>Controller</title>
<procedure>
<title>To install and configure the controller
node</title>
<step>
<para>Run the following command:</para>
<screen><prompt>#</prompt> <userinput>apt-get install neutron-server</userinput></screen>
</step>
<step>
<para>Configure Neutron services:</para>
<itemizedlist>
<listitem>
<para>Edit file <filename>/etc/neutron/neutron.conf</filename>
and modify:
<programlisting language="ini">core_plugin = neutron.plugins.openvswitch.ovs_neutron_plugin.OVSNeutronPluginV2
auth_strategy = keystone
fake_rabbit = False
rabbit_password = guest</programlisting>
</para>
</listitem>
<listitem>
<para>Edit file <filename>
/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini</filename>
and modify:</para>
<programlisting language="ini">[database]
sql_connection = mysql://neutron:password@localhost:3306/neutron
[ovs]
tenant_network_type = vlan
network_vlan_ranges = physnet1:100:2999</programlisting>
</listitem>
<listitem>
<para>Edit file <filename>
/etc/neutron/api-paste.ini</filename>
and modify:</para>
<programlisting language="ini">admin_tenant_name = service
admin_user = neutron
admin_password = password</programlisting>
</listitem>
</itemizedlist>
</step>
<step>
<para>Start the services:</para>
<screen><prompt>#</prompt> <userinput>service neutron-server restart</userinput></screen>
</step>
</procedure>
</section>
<section
xml:id="network-node-install-plugin-openvswitch-agent">
<title>Network node</title>
<procedure>
<title>To install and configure the network
node</title>
<step>
<para>Install the packages:</para>
<screen><prompt>#</prompt> <userinput>apt-get install neutron-plugin-openvswitch-agent \
neutron-dhcp-agent neutron-l3-agent</userinput></screen>
</step>
<step>
<para>Start Open vSwitch:</para>
<screen><prompt>#</prompt> <userinput>service openvswitch-switch start</userinput></screen>
</step>
<step>
<para>Add the integration bridge to the Open
vSwitch:</para>
<screen><prompt>#</prompt> <userinput>ovs-vsctl add-br br-int</userinput></screen>
</step>
<step>
<para>Update the OpenStack Networking
configuration file, <filename>
/etc/neutron/neutron.conf</filename>:</para>
<programlisting language="ini">rabbit_password = guest
rabbit_host = controller</programlisting>
</step>
<step>
<para>Update the plugin configuration file,
<filename>
/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini
</filename>:</para>
<programlisting language="ini">[database]
sql_connection = mysql://neutron:password@192.168.0.1:3306/neutron
[ovs]
tenant_network_type=vlan
network_vlan_ranges = physnet1:1:4094
bridge_mappings = physnet1:br-eth1</programlisting>
</step>
<step>
<para>Create the network bridge <emphasis
role="bold">br-eth1</emphasis> (All VM
communication between the nodes occurs through
eth1):</para>
<screen><prompt>#</prompt> <userinput>sudo ovs-vsctl add-br br-eth1
<prompt>#</prompt> sudo ovs-vsctl add-port br-eth1 eth1</userinput></screen>
</step>
<step>
<para>Create the external network bridge to the
Open vSwitch:</para>
<screen><prompt>#</prompt> <userinput>sudo ovs-vsctl add-br br-ex
<prompt>#</prompt> sudo ovs-vsctl add-port br-ex eth2</userinput></screen>
</step>
<step>
<para>Edit the file <filename>
/etc/neutron/l3_agent.ini</filename>
and modify:</para>
<programlisting language="ini">[DEFAULT]
auth_url = http://192.168.0.1:35357/v2.0
admin_tenant_name = service
admin_user = neutron
admin_password = password
metadata_ip = 192.168.0.1
use_namespaces = True</programlisting>
</step>
<step>
<para>Edit the file <filename>
/etc/neutron/api-paste.ini</filename>
and modify:</para>
<programlisting language="ini">[DEFAULT]
auth_host = 192.168.0.1
admin_tenant_name = service
admin_user = neutron
admin_password = password</programlisting>
</step>
<step>
<para>Edit the file <filename>
/etc/neutron/dhcp_agent.ini</filename>
and modify:</para>
<programlisting language="ini">use_namespaces = True</programlisting>
</step>
<step>
<para>Restart networking services:</para>
<screen><prompt>#</prompt> <userinput>service neutron-plugin-openvswitch-agent start
<prompt>#</prompt> service neutron-dhcp-agent restart
<prompt>#</prompt> service neutron-l3-agent restart</userinput></screen>
</step>
</procedure>
</section>
<section xml:id="compute-node-install-openvswitch">
<title>Compute Node</title>
<procedure>
<title>To install and configure the compute node</title>
<step>
<para>Install the
packages:<screen><prompt>#</prompt> <userinput>apt-get install openvswitch-switch neutron-plugin-openvswitch-agent</userinput></screen></para>
</step>
<step>
<para>Start the OpenvSwitch
service:<screen><prompt>#</prompt> <userinput>service openvswitch-switch start</userinput></screen></para>
</step>
<step>
<para>Create the integration
bridge:<screen><prompt>#</prompt> <userinput>ovs-vsctl add-br br-int</userinput></screen></para>
</step>
<step>
<para>Create the network bridge <emphasis
role="bold">br-eth1</emphasis> (All VM
communication between the nodes occurs through
eth1):</para>
<screen><prompt>#</prompt> <userinput>ovs-vsctl add-br br-eth1</userinput>
<prompt>#</prompt> <userinput>ovs-vsctl add-port br-eth1 eth1</userinput></screen>
</step>
<step>
<para>Update the OpenStack Networking
configuration file <filename>
/etc/neutron/neutron.conf</filename>:</para>
<programlisting language="ini">rabbit_password = guest
rabbit_host = controller</programlisting>
</step>
<step>
<para>Update the file <filename>
/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini</filename>:</para>
<programlisting language="ini">[database]
sql_connection = mysql://neutron:password@192.168.0.1:3306/neutron
[ovs]
tenant_network_type = vlan
network_vlan_ranges = physnet1:1:4094
bridge_mappings = physnet1:br-eth1</programlisting>
</step>
<step>
<para>Restart the OpenvSwitch Neutron plugin agent:</para>
<screen><prompt>#</prompt> <userinput>service neutron-plugin-openvswitch-agent restart</userinput></screen>
</step>
</procedure>
</section>
</section>
<section xml:id="demo_logical_network_config">
<title>Logical Network Configuration</title>
<para>You can run the commands in the following procedures on
the network node.</para>
<note>
<para>Ensure that the following environment variables are
set. Various clients use these variables to access
OpenStack Identity.</para>
</note>
<para><itemizedlist>
<listitem>
<para>Create a <filename>novarc</filename> file:
<programlisting language="bash">export OS_TENANT_NAME=provider_tenant
export OS_USERNAME=admin
export OS_PASSWORD=password
export OS_AUTH_URL="http://192.168.0.1:5000/v2.0/"
export SERVICE_ENDPOINT="http://192.168.0.1:35357/v2.0"
export SERVICE_TOKEN=password</programlisting></para>
</listitem>
</itemizedlist>
</para>
<itemizedlist>
<listitem>
<para>Export the
variables:<screen><prompt>#</prompt> <userinput>source novarc echo "source novarc">>.bashrc</userinput></screen>
</para>
</listitem>
</itemizedlist>
<para>The admin user creates a network and subnet on behalf of
tenant_A. A user from tenant_A can also complete these
steps. <procedure>
<title>To configure internal networking</title>
<step>
<para>Get the tenant ID (Used as $TENANT_ID
later).</para>
<screen><prompt>#</prompt> <userinput>keystone tenant-list</userinput>
<computeroutput>+----------------------------------+--------------------+---------+
| id | name | enabled |
+----------------------------------+--------------------+---------+
| 48fb81ab2f6b409bafac8961a594980f | provider_tenant | True |
| cbb574ac1e654a0a992bfc0554237abf | service | True |
| e371436fe2854ed89cca6c33ae7a83cd | invisible_to_admin | True |
| e40fa60181524f9f9ee7aa1038748f08 | tenant_A | True |
+----------------------------------+--------------------+---------+</computeroutput></screen>
</step>
<step>
<para>Create an internal network named <emphasis
role="bold">net1</emphasis> for tenant_A
($TENANT_ID will be
e40fa60181524f9f9ee7aa1038748f08):</para>
<screen><prompt>#</prompt> <userinput>neutron net-create --tenant-id $TENANT_ID net1</userinput>
<computeroutput>+---------------------------+--------------------------------------+
| Field | Value |
+---------------------------+--------------------------------------+
| admin_state_up | True |
| id | e99a361c-0af8-4163-9feb-8554d4c37e4f |
| name | net1 |
| provider:network_type | vlan |
| provider:physical_network | physnet1 |
| provider:segmentation_id | 1024 |
| router:external | False |
| shared | False |
| status | ACTIVE |
| subnets | |
| tenant_id | e40fa60181524f9f9ee7aa1038748f08 |
+---------------------------+--------------------------------------+</computeroutput></screen>
</step>
<step>
<para>Create a subnet on the network <emphasis
role="bold">net1</emphasis> (ID field
below is used as $SUBNET_ID later):</para>
<screen><prompt>#</prompt> <userinput>neutron subnet-create --tenant-id $TENANT_ID net1 10.5.5.0/24</userinput>
<computeroutput>+------------------+--------------------------------------------+
| Field | Value |
+------------------+--------------------------------------------+
| allocation_pools | {"start": "10.5.5.2", "end": "10.5.5.254"} |
| cidr | 10.5.5.0/24 |
| dns_nameservers | |
| enable_dhcp | True |
| gateway_ip | 10.5.5.1 |
| host_routes | |
| id | c395cb5d-ba03-41ee-8a12-7e792d51a167 |
| ip_version | 4 |
| name | |
| network_id | e99a361c-0af8-4163-9feb-8554d4c37e4f |
| tenant_id | e40fa60181524f9f9ee7aa1038748f08 |
+------------------+--------------------------------------------+</computeroutput></screen>
</step>
</procedure></para>
<para>A user with the admin role must complete the following
steps. In this procedure, the user is admin from provider_tenant.<procedure>
<title>To configure the router and external
networking</title>
<step>
<para>Create a router named <emphasis role="bold"
>router1</emphasis> (ID is used as
$ROUTER_ID later):</para>
<screen><prompt>#</prompt> <userinput>neutron router-create router1</userinput>
<computeroutput>+-----------------------+--------------------------------------+
| Field | Value |
+-----------------------+--------------------------------------+
| admin_state_up | True |
| external_gateway_info | |
| id | 685f64e7-a020-4fdf-a8ad-e41194ae124b |
| name | router1 |
| status | ACTIVE |
| tenant_id | 48fb81ab2f6b409bafac8961a594980f |
+-----------------------+--------------------------------------+</computeroutput></screen>
<note>
<para>The <parameter>--tenant-id</parameter>
parameter is not specified, so this router
is assigned to the provider_tenant
tenant.</para>
</note>
</step>
<step>
<para>Add an interface to <emphasis role="bold"
>router1</emphasis> and attach it to the
subnet from <emphasis role="bold"
>net1</emphasis>:</para>
<screen><prompt>#</prompt> <userinput>neutron router-interface-add $ROUTER_ID $SUBNET_ID</userinput>
<computeroutput>Added interface to router 685f64e7-a020-4fdf-a8ad-e41194ae124b</computeroutput></screen>
<note>
<para>You can repeat this step to add more
interfaces for other networks that belong
to other tenants.</para>
</note>
</step>
<step>
<para>Create the external network named <emphasis
role="bold">ext_net</emphasis>:</para>
<screen><prompt>#</prompt> <userinput>neutron net-create ext_net --router:external=True</userinput>
<computeroutput>+---------------------------+--------------------------------------+
| Field | Value |
+---------------------------+--------------------------------------+
| admin_state_up | True |
| id | 8858732b-0400-41f6-8e5c-25590e67ffeb |
| name | ext_net |
| provider:network_type | vlan |
| provider:physical_network | physnet1 |
| provider:segmentation_id | 1 |
| router:external | True |
| shared | False |
| status | ACTIVE |
| subnets | |
| tenant_id | 48fb81ab2f6b409bafac8961a594980f |
+---------------------------+--------------------------------------+</computeroutput></screen>
</step>
<step>
<para>Create the subnet for floating IPs.</para>
<note>
<para>The DHCP service is disabled for this
subnet.</para>
</note>
<screen><prompt>#</prompt> <userinput>neutron subnet-create ext_net \
--allocation-pool start=7.7.7.130,end=7.7.7.150 \
--gateway 7.7.7.1 7.7.7.0/24 --disable-dhcp</userinput>
<computeroutput>+------------------+--------------------------------------------------+
| Field | Value |
+------------------+--------------------------------------------------+
| allocation_pools | {"start": "7.7.7.130", "end": "7.7.7.150"} |
| cidr | 7.7.7.0/24 |
| dns_nameservers | |
| enable_dhcp | False |
| gateway_ip | 7.7.7.1 |
| host_routes | |
| id | aef60b55-cbff-405d-a81d-406283ac6cff |
| ip_version | 4 |
| name | |
| network_id | 8858732b-0400-41f6-8e5c-25590e67ffeb |
| tenant_id | 48fb81ab2f6b409bafac8961a594980f |
+------------------+--------------------------------------------------+</computeroutput></screen>
</step>
<step>
<para>Set the router's gateway to be the external
network:</para>
<screen><prompt>#</prompt> <userinput>neutron router-gateway-set $ROUTER_ID $EXTERNAL_NETWORK_ID</userinput>
<computeroutput>Set gateway for router 685f64e7-a020-4fdf-a8ad-e41194ae124b</computeroutput></screen>
</step>
</procedure></para>
<para>A user from tenant_A completes the following steps, so
the credentials in the environment variables are different
than those in the previous procedure. <procedure>
<title>To allocate floating IP addresses</title>
<step>
<para>A floating IP address can be associated with
a VM after it starts. The ID of the port
($PORT_ID) that was allocated for the VM is
required and can be found as follows:</para>
<screen><prompt>#</prompt> <userinput>nova list</userinput>
<computeroutput>+--------------------------------------+--------+--------+---------------+
| ID | Name | Status | Networks |
+--------------------------------------+--------+--------+---------------+
| 1cdc671d-a296-4476-9a75-f9ca1d92fd26 | testvm | ACTIVE | net1=10.5.5.3 |
+--------------------------------------+--------+--------+---------------+
</computeroutput>
<userinput>neutron port-list -- --device_id 1cdc671d-a296-4476-9a75-f9ca1d92fd26</userinput>
<computeroutput>+--------------------------------------+------+-------------------+---------------------------------------------------------------------------------+
| id | name | mac_address | fixed_ips |
+--------------------------------------+------+-------------------+---------------------------------------------------------------------------------+
| 9aa47099-b87b-488c-8c1d-32f993626a30 | | fa:16:3e:b4:d6:6c | {"subnet_id": "c395cb5d-ba03-41ee-8a12-7e792d51a167", "ip_address": "10.5.5.3"} |
+--------------------------------------+------+-------------------+---------------------------------------------------------------------------------+</computeroutput></screen>
</step>
<step>
<para>Allocate a floating IP (Used as
$FLOATING_ID):</para>
<screen><prompt>#</prompt> <userinput>neutron floatingip-create ext_net</userinput>
<computeroutput>+---------------------+--------------------------------------+
| Field | Value |
+---------------------+--------------------------------------+
| fixed_ip_address | |
| floating_ip_address | 7.7.7.131 |
| floating_network_id | 8858732b-0400-41f6-8e5c-25590e67ffeb |
| id | 40952c83-2541-4d0c-b58e-812c835079a5 |
| port_id | |
| router_id | |
| tenant_id | e40fa60181524f9f9ee7aa1038748f08 |
+---------------------+--------------------------------------+</computeroutput></screen>
</step>
<step>
<para>Associate the floating IP with the VM's
port:</para>
<screen><prompt>#</prompt> <userinput>neutron floatingip-associate $FLOATING_ID $PORT_ID</userinput>
<computeroutput>Associated floatingip 40952c83-2541-4d0c-b58e-812c835079a5</computeroutput></screen>
</step>
<step>
<para>Show the floating IP:</para>
<screen><prompt>#</prompt> <userinput>neutron floatingip-show $FLOATING_ID</userinput>
<computeroutput>+---------------------+--------------------------------------+
| Field | Value |
+---------------------+--------------------------------------+
| fixed_ip_address | 10.5.5.3 |
| floating_ip_address | 7.7.7.131 |
| floating_network_id | 8858732b-0400-41f6-8e5c-25590e67ffeb |
| id | 40952c83-2541-4d0c-b58e-812c835079a5 |
| port_id | 9aa47099-b87b-488c-8c1d-32f993626a30 |
| router_id | 685f64e7-a020-4fdf-a8ad-e41194ae124b |
| tenant_id | e40fa60181524f9f9ee7aa1038748f08 |
+---------------------+--------------------------------------+</computeroutput></screen>
</step>
<step>
<para>Test the floating IP:</para>
<screen><prompt>#</prompt> <userinput>ping 7.7.7.131</userinput>
<computeroutput>PING 7.7.7.131 (7.7.7.131) 56(84) bytes of data.
64 bytes from 7.7.7.131: icmp_req=2 ttl=64 time=0.152 ms
64 bytes from 7.7.7.131: icmp_req=3 ttl=64 time=0.049 ms
</computeroutput></screen>
</step>
</procedure>
</para>
</section>
<section xml:id="section_use-cases-single-router">
<title>Use case: provider router with private networks</title>
<para>This use case provides each tenant with one or more private networks, which connect to
the outside world via an OpenStack Networking router. When each tenant gets exactly one
network, this architecture maps to the same logical topology as the VlanManager in
OpenStack Compute (although of course, OpenStack Networking doesn't require VLANs).
Using the OpenStack Networking API, the tenant can only see a network for each private
network assigned to that tenant. The router object in the API is created and owned by
the cloud administrator.</para>
<para>This model supports giving VMs public addresses using "floating IPs", in which the
router maps public addresses from the external network to fixed IPs on private networks.
Hosts without floating IPs can still create outbound connections to the external
network, because the provider router performs SNAT to the router's external IP. The IP
address of the physical router is used as the <literal>gateway_ip</literal> of the
external network subnet, so the provider has a default router for Internet traffic.</para>
<para>
The router provides L3 connectivity between private networks, meaning
that different tenants can reach each other's instances unless additional
filtering is used (for example, security groups). Because there is only a single
router, tenant networks cannot use overlapping IPs. Thus, it is likely
that the administrator would create the private networks on behalf of the tenants.
</para>
<para>
<mediaobject>
<imageobject>
<imagedata scale="55" fileref="../common/figures/UseCase-SingleRouter.png"/>
</imageobject>
</mediaobject>
<!--Image source link: https://docs.google.com/a/nicira.com/drawings/d/1DKxeZZXml_fNZHRoGPKkC7sGdkPJZCtWytYZqHIp_ZE/edit -->
</para>
</section>
</section>
View Git Blame Copy Permalink