327 lines
18 KiB
XML
327 lines
18 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<section xmlns="http://docbook.org/ns/docbook"
|
|
xmlns:xi="http://www.w3.org/2001/XInclude"
|
|
xmlns:xlink="http://www.w3.org/1999/xlink"
|
|
version="5.0"
|
|
xml:id="neutron-compute-node">
|
|
<title>Configure compute node</title>
|
|
<note>
|
|
<para>This section details set up for any node that runs the
|
|
<literal>nova-compute</literal> component but does not run
|
|
the full network stack.</para>
|
|
</note>
|
|
<warning os="rhel;centos">
|
|
<para>By default, the <literal>system-config-firewall</literal> automated
|
|
firewall configuration tool is in place on RHEL. This graphical interface
|
|
(and a curses-style interface with <literal>-tui</literal> on the end of
|
|
the name) enables you to configure IP tables as a basic firewall. You
|
|
should disable it when you work with OpenStack Networking unless you are
|
|
familiar with the underlying network technologies, as, by default, it
|
|
blocks various types of network traffic that are important to neutron
|
|
services. To disable it, launch the program and clear the
|
|
<guilabel>Enabled</guilabel> check box.</para>
|
|
<para>After you successfully set up OpenStack Networking with Neutron, you
|
|
can re-enable and configure the tool. However, during OpenStack
|
|
Networking setup, disable the tool to make it easier to debug network
|
|
issues.</para>
|
|
</warning>
|
|
<procedure>
|
|
<title>Prerequisites</title>
|
|
<step>
|
|
<para>Disable packet destination filtering (route
|
|
verification) to let the networking services route traffic
|
|
to the VMs. Edit the <filename>/etc/sysctl.conf</filename>
|
|
file and run the following command to activate
|
|
changes:</para>
|
|
<programlisting language="ini">net.ipv4.conf.all.rp_filter=0
|
|
net.ipv4.conf.default.rp_filter=0</programlisting>
|
|
<screen><prompt>#</prompt> <userinput>sysctl -p</userinput></screen>
|
|
</step>
|
|
</procedure>
|
|
<procedure>
|
|
<title>Install Open vSwitch plug-in</title>
|
|
<para>OpenStack Networking supports a variety of plug-ins. For
|
|
simplicity, we chose to cover the most common plug-in, Open
|
|
vSwitch, and configure it to use basic GRE tunnels for tenant
|
|
network traffic.</para>
|
|
<step>
|
|
<para>Install the Open vSwitch plug-in and its
|
|
dependencies:</para>
|
|
<screen os="ubuntu;debian"><prompt>#</prompt> <userinput>apt-get install neutron-plugin-openvswitch-agent openvswitch-datapath-dkms</userinput></screen>
|
|
<screen os="rhel;fedora;centos"><prompt>#</prompt> <userinput>yum install openstack-neutron-openvswitch</userinput></screen>
|
|
<screen os="opensuse;sles"><prompt>#</prompt> <userinput>zypper install openstack-neutron-openvswitch-agent</userinput></screen>
|
|
</step>
|
|
<step os="ubuntu;debian">
|
|
<para>Restart Open vSwitch:</para>
|
|
<screen><prompt>#</prompt> <userinput>service openvswitch-switch restart</userinput></screen>
|
|
</step>
|
|
<step os="rhel;fedora;centos;opensuse;sles">
|
|
<para>Start Open vSwitch and configure it to start when
|
|
the system boots:</para>
|
|
<screen os="rhel;fedora;centos"><prompt>#</prompt> <userinput>service openvswitch start</userinput>
|
|
<prompt>#</prompt> <userinput>chkconfig openvswitch on</userinput></screen>
|
|
<screen os="opensuse;sles"><prompt>#</prompt> <userinput>service openvswitch-switch start</userinput>
|
|
<prompt>#</prompt> <userinput>chkconfig openvswitch-switch on</userinput></screen>
|
|
</step>
|
|
<step os="rhel;centos;fedora;opensuse;sles;ubuntu">
|
|
<para>You must set some common configuration options. You
|
|
must configure Networking core to use
|
|
<acronym>OVS</acronym>. Edit the
|
|
<filename>/etc/neutron/neutron.conf</filename>
|
|
file:</para>
|
|
<programlisting language="ini" os="ubuntu;opensuse;sles">core_plugin = openvswitch</programlisting>
|
|
<programlisting language="ini" os="rhel;centos;fedora">core_plugin = openvswitch</programlisting>
|
|
</step>
|
|
<step>
|
|
<para>You must configure a firewall as well. You should
|
|
use the same firewall plug-in that you chose to use when
|
|
you set up the network node. To do this, edit
|
|
<filename>/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini</filename>
|
|
file and set the <literal>firewall_driver</literal>
|
|
value under the <literal>securitygroup</literal> to the
|
|
same value used on the network node. For instance, if
|
|
you chose to use the Hybrid OVS-IPTables plug-in, your
|
|
configuration looks like this:</para>
|
|
<programlisting language="ini">[securitygroup]
|
|
# Firewall driver for realizing neutron security group function.
|
|
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver</programlisting>
|
|
<warning>
|
|
<para>You must use at least the No-Op firewall.
|
|
Otherwise, Horizon and other OpenStack services cannot
|
|
get and set required VM boot options.</para>
|
|
</warning>
|
|
</step>
|
|
<step os="rhel;centos;fedora;sles;opensuse">
|
|
<para>Configure the <acronym>OVS</acronym> plug-in to start
|
|
on boot.</para>
|
|
<screen os="rhel;centos;fedora"><prompt>#</prompt> <userinput>chkconfig neutron-openvswitch-agent on</userinput></screen>
|
|
<screen os="sles;opensuse"><prompt>#</prompt> <userinput>chkconfig openstack-neutron-openvswitch-agent on</userinput></screen>
|
|
</step>
|
|
<step>
|
|
<para>Tell the <acronym>OVS</acronym> plug-in to use GRE
|
|
tunneling with a <literal>br-int</literal> integration
|
|
bridge, a <literal>br-tun</literal> tunneling bridge,
|
|
and a local IP for the tunnel of
|
|
<replaceable>DATA_INTERFACE</replaceable>'s IP Edit
|
|
the
|
|
<filename>/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini</filename>
|
|
file:</para>
|
|
<programlisting language="ini">[ovs]
|
|
...
|
|
tenant_network_type = gre
|
|
tunnel_id_ranges = 1:1000
|
|
enable_tunneling = True
|
|
integration_bridge = br-int
|
|
tunnel_bridge = br-tun
|
|
local_ip = <replaceable>DATA_INTERFACE_IP</replaceable></programlisting>
|
|
</step>
|
|
</procedure>
|
|
<procedure os="rhel;centos;fedora;sles;opensuse;ubuntu">
|
|
<title>Configure common components</title>
|
|
<step os="rhel;centos;fedora;opensuse;sles">
|
|
<para>Configure Networking to use <systemitem class="service">keystone</systemitem> for authentication:</para>
|
|
<substeps>
|
|
<step>
|
|
<para>Set the <literal>auth_strategy</literal>
|
|
configuration key to <literal>keystone</literal> in the
|
|
<literal>[DEFAULT]</literal> section of the file:</para>
|
|
<screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT auth_strategy keystone</userinput></screen>
|
|
</step>
|
|
<step>
|
|
<para>Set the <systemitem class="service">neutron</systemitem>
|
|
configuration for
|
|
<systemitem class="service">keystone</systemitem>
|
|
authentication:</para>
|
|
<screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
|
|
auth_uri http://<replaceable>controller</replaceable>:5000</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
|
|
auth_host <replaceable>controller</replaceable></userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
|
|
auth_protocol http</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
|
|
auth_port 35357</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
|
|
admin_tenant_name service</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
|
|
admin_user neutron</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf keystone_authtoken \
|
|
admin_password <replaceable>NEUTRON_PASS</replaceable></userinput></screen>
|
|
</step>
|
|
</substeps>
|
|
</step>
|
|
<step os="ubuntu">
|
|
<para>To configure <systemitem class="service">neutron</systemitem>
|
|
to use <systemitem class="service">keystone</systemitem>
|
|
for authentication, edit the
|
|
<filename>/etc/neutron/neutron.conf</filename> file.</para>
|
|
<substeps>
|
|
<step>
|
|
<para>Set the <literal>auth_strategy</literal>
|
|
configuration key to <literal>keystone</literal> in the
|
|
<literal>[DEFAULT]</literal> section of the file:</para>
|
|
<programlisting language="ini">[DEFAULT]
|
|
...
|
|
auth_strategy = keystone</programlisting>
|
|
</step>
|
|
<step>
|
|
<para>Add these lines to the
|
|
<literal>[keystone_authtoken]</literal> section of the
|
|
file:</para>
|
|
<programlisting language="ini">[keystone_authtoken]
|
|
...
|
|
auth_uri = http://<replaceable>controller</replaceable>:5000
|
|
auth_host = <replaceable>controller</replaceable>
|
|
auth_protocol = http
|
|
auth_port = 35357
|
|
admin_tenant_name = service
|
|
admin_user = neutron
|
|
admin_password = <replaceable>NEUTRON_PASS</replaceable></programlisting>
|
|
</step>
|
|
</substeps>
|
|
</step>
|
|
<step os="opensuse;sles;rhel;centos;fedora">
|
|
<para>Configure access to the <application>RabbitMQ</application> service:</para>
|
|
<screen><prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
|
|
rpc_backend neutron.openstack.common.rpc.impl_kombu</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
|
|
rabbit_host <replaceable>controller</replaceable></userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
|
|
rabbit_userid guest</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/neutron/neutron.conf DEFAULT \
|
|
rabbit_password <replaceable>RABBIT_PASS</replaceable></userinput></screen>
|
|
</step>
|
|
<step os="ubuntu">
|
|
<para>Configure the <application>RabbitMQ</application> access.
|
|
Edit the <filename>/etc/neutron/neutron.conf</filename> file
|
|
to modify the following parameters in the
|
|
<literal>[DEFAULT]</literal> section.</para>
|
|
<programlisting language="ini">rabbit_host = <replaceable>controller</replaceable>
|
|
rabbit_userid = guest
|
|
rabbit_password = <replaceable>RABBIT_PASS</replaceable></programlisting>
|
|
</step>
|
|
</procedure>
|
|
<procedure>
|
|
<title>Configure Compute services for Networking</title>
|
|
<step>
|
|
<para os="rhel;centos;fedora;opensuse;sles">Configure OpenStack Compute to use OpenStack Networking
|
|
services. Configure the <filename>/etc/nova/nova.conf</filename>
|
|
file as per instructions below:</para>
|
|
<screen os="rhel;centos;fedora;opensuse;sles"><prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
|
|
network_api_class nova.network.neutronv2.api.API</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
|
|
neutron_url http://<replaceable>controller</replaceable>:9696</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
|
|
neutron_auth_strategy keystone</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
|
|
neutron_admin_tenant_name service</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
|
|
neutron_admin_username neutron</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
|
|
neutron_admin_password <replaceable>NEUTRON_PASS</replaceable></userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
|
|
neutron_admin_auth_url http://<replaceable>controller</replaceable>:35357/v2.0</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
|
|
linuxnet_interface_driver nova.network.linux_net.LinuxOVSInterfaceDriver</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
|
|
firewall_driver nova.virt.firewall.NoopFirewallDriver</userinput>
|
|
<prompt>#</prompt> <userinput>openstack-config --set /etc/nova/nova.conf DEFAULT \
|
|
security_group_api neutron</userinput></screen>
|
|
<para os="ubuntu;debian">Configure OpenStack Compute to use OpenStack Networking
|
|
services. Edit the <filename>/etc/nova/nova.conf</filename>
|
|
file:</para>
|
|
<programlisting language="ini" os="ubuntu;debian">network_api_class=nova.network.neutronv2.api.API
|
|
neutron_url=http://<replaceable>controller</replaceable>:9696
|
|
neutron_auth_strategy=keystone
|
|
neutron_admin_tenant_name=service
|
|
neutron_admin_username=neutron
|
|
neutron_admin_password=<replaceable>NEUTRON_PASS</replaceable>
|
|
neutron_admin_auth_url=http://<replaceable>controller</replaceable>:35357/v2.0
|
|
linuxnet_interface_driver = nova.network.linux_net.LinuxOVSInterfaceDriver
|
|
firewall_driver=nova.virt.firewall.NoopFirewallDriver
|
|
security_group_api=neutron</programlisting>
|
|
<note>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>No matter which firewall driver you chose when you
|
|
configured the network and compute nodes, you must
|
|
edit the <filename>/etc/nova/nova.conf</filename> file
|
|
to set the firewall driver to
|
|
<literal>nova.virt.firewall.NoopFirewallDriver</literal>.
|
|
Because OpenStack Networking handles the firewall,
|
|
this statement instructs Compute to not use a
|
|
firewall.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>If you want Networking to handle the firewall,
|
|
edit the
|
|
<filename>/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini</filename>
|
|
file to set the <code>firewall_driver</code> option to
|
|
the firewall for the plug-in. For example, with
|
|
<acronym>OVS</acronym>, edit the file as
|
|
follows:</para>
|
|
<programlisting language="ini" os="ubuntu;debian">[securitygroup]
|
|
# Firewall driver for realizing neutron security group function.
|
|
firewall_driver=neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver</programlisting>
|
|
<screen os="rhel;centos;fedora;opensuse;sles"><prompt>#</prompt> <userinput>openstack-config --set \
|
|
/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini securitygroup firewall_driver \
|
|
neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver</userinput></screen>
|
|
</listitem>
|
|
<listitem>
|
|
<para>If you do not want to use a firewall in Compute or
|
|
Networking, edit both configuration files and set
|
|
<code>firewall_driver=nova.virt.firewall.NoopFirewallDriver</code>.
|
|
Also, edit the
|
|
<filename>/etc/nova/nova.conf</filename> file and
|
|
comment out or remove the
|
|
<code>security_group_api=neutron</code>
|
|
statement.</para>
|
|
<para>Otherwise, when you issue <command>nova
|
|
list</command> commands, the <errortext>ERROR: The
|
|
server has either erred or is incapable of
|
|
performing the requested operation. (HTTP
|
|
500)</errortext> error might be returned.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</note>
|
|
</step>
|
|
</procedure>
|
|
<procedure>
|
|
<title>Finalize installation</title>
|
|
<step os="rhel;centos;fedora">
|
|
<para>The <systemitem class="service">neutron-server</systemitem>
|
|
initialization script expects a symbolic link
|
|
<filename>/etc/neutron/plugin.ini</filename> pointing to the
|
|
configuration file associated with your chosen plug-in. Using
|
|
Open vSwitch, for example, the symbolic link must point to
|
|
<filename>/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini</filename>.
|
|
If this symbolic link does not exist, create it using the
|
|
following commands:</para>
|
|
<screen><prompt>#</prompt> <userinput>cd /etc/neutron</userinput>
|
|
<prompt>#</prompt> <userinput>ln -s plugins/openvswitch/ovs_neutron_plugin.ini plugin.ini</userinput></screen>
|
|
</step>
|
|
<step os="sles;opensuse">
|
|
<para>The <systemitem class="service">openstack-neutron</systemitem>
|
|
initialization script expects the variable
|
|
<literal>NEUTRON_PLUGIN_CONF</literal> in file
|
|
<filename>/etc/sysconfig/neutron</filename> to reference the
|
|
configuration file associated with your chosen plug-in. Using
|
|
Open vSwitch, for example, edit the
|
|
<filename>/etc/sysconfig/neutron</filename> file and add the
|
|
following:</para>
|
|
<programlisting>NEUTRON_PLUGIN_CONF="/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini"</programlisting>
|
|
</step>
|
|
<step>
|
|
<para>Restart Networking services.</para>
|
|
<screen os="ubuntu;debian"><prompt>#</prompt> <userinput>service neutron-plugin-openvswitch-agent restart</userinput></screen>
|
|
<screen os="rhel;centos;fedora"><prompt>#</prompt> <userinput>service neutron-openvswitch-agent restart</userinput></screen>
|
|
<screen os="sles;opensuse"><prompt>#</prompt> <userinput>service openstack-neutron-openvswitch-agent restart</userinput></screen>
|
|
</step>
|
|
<step>
|
|
<para>Restart the Compute service.</para>
|
|
<screen os="debian;ubuntu"><prompt>#</prompt> <userinput>service nova-compute restart</userinput></screen>
|
|
<screen os="centos;rhel;fedora"><prompt>#</prompt> <userinput>service openstack-nova-compute restart</userinput></screen>
|
|
<screen os="sles;opensuse"><prompt>#</prompt> <userinput>service openstack-nova-compute restart</userinput></screen>
|
|
</step>
|
|
</procedure>
|
|
</section>
|