17fc8c8a8b
As part of the installation guide improvement project, I performed the following operations on the Networking chapter: 1) Moved Neutron ML2 sections before OVS sections and updated associated notes to steer users toward ML2. 2) Removed database population steps because Neutron populates the database at first run. 3) Moved 'enable_security_group' key to [securitygroup] section. 4) Removed extraneous colons from procedure titles. 5) Added command output to Neutron initial networks section. 6) Added command output to Nova initial networks section. Change-Id: Ie677d199d2c64ef2a564eaa551295e1a321db02c Partial-Bug: #1291071 Implements: blueprint networking-install-guide-improvements
262 lines
15 KiB
XML
262 lines
15 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<section xml:id="neutron-initial-networks"
|
|
xmlns="http://docbook.org/ns/docbook"
|
|
xmlns:xi="http://www.w3.org/2001/XInclude"
|
|
xmlns:xlink="http://www.w3.org/1999/xlink"
|
|
xmlns:svg="http://www.w3.org/2000/svg"
|
|
xmlns:html="http://www.w3.org/1999/xhtml" version="5.0">
|
|
<title>Create initial networks</title>
|
|
<para>Before launching your first instance, you must create the
|
|
necessary virtual network infrastructure to which the instance will
|
|
connect, including the
|
|
<link linkend="neutron_initial-external-network">external network</link>
|
|
and
|
|
<link linkend="neutron_initial-tenant-network">tenant network</link>.
|
|
See <xref linkend="neutron_figure-neutron-initial-networks"/>. After
|
|
creating this infrastructure, we recommend that you
|
|
<link linkend="neutron_initial-networks-verify">verify
|
|
connectivity</link> and resolve any issues before proceeding further.
|
|
</para>
|
|
<figure xml:id="neutron_figure-neutron-initial-networks">
|
|
<title>Initial networks</title>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata contentwidth="6in"
|
|
fileref="figures/installguide_neutron-initial-networks.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</figure>
|
|
<section xml:id="neutron_initial-external-network">
|
|
<title>External network</title>
|
|
<para>The external network typically provides internet access for
|
|
your instances. By default, this network only allows internet
|
|
access <emphasis>from</emphasis> instances using
|
|
<glossterm>Network Address Translation (NAT)</glossterm>. You can
|
|
enable internet access <emphasis>to</emphasis> individual instances
|
|
using a <glossterm>floating IP address</glossterm> and suitable
|
|
<glossterm>security group</glossterm> rules. The <literal>admin</literal>
|
|
tenant owns this network because it provides external network
|
|
access for multiple tenants. You must also enable sharing to allow
|
|
access by those tenants.</para>
|
|
<note>
|
|
<para>Perform these commands on the controller node.</para>
|
|
</note>
|
|
<procedure>
|
|
<title>To create the external network</title>
|
|
<step>
|
|
<para>Source the <literal>admin</literal> tenant credentials:</para>
|
|
<screen><prompt>$</prompt> <userinput>source admin-openrc.sh</userinput></screen>
|
|
</step>
|
|
<step>
|
|
<para>Create the network:</para>
|
|
<screen><prompt>$</prompt> <userinput>neutron net-create ext-net --shared --router:external=True</userinput>
|
|
<computeroutput>Created a new network:
|
|
+---------------------------+--------------------------------------+
|
|
| Field | Value |
|
|
+---------------------------+--------------------------------------+
|
|
| admin_state_up | True |
|
|
| id | 893aebb9-1c1e-48be-8908-6b947f3237b3 |
|
|
| name | ext-net |
|
|
| provider:network_type | gre |
|
|
| provider:physical_network | |
|
|
| provider:segmentation_id | 1 |
|
|
| router:external | True |
|
|
| shared | True |
|
|
| status | ACTIVE |
|
|
| subnets | |
|
|
| tenant_id | 54cd044c64d5408b83f843d63624e0d8 |
|
|
+---------------------------+--------------------------------------+</computeroutput></screen>
|
|
</step>
|
|
</procedure>
|
|
<para>Like a physical network, a virtual network requires a
|
|
<glossterm>subnet</glossterm> assigned to it. The external network
|
|
shares the same subnet and <glossterm>gateway</glossterm> associated
|
|
with the physical network connected to the external interface on the
|
|
network node. You should specify an exclusive slice of this subnet
|
|
for <glossterm>router</glossterm> and floating IP addresses to prevent
|
|
interference with other devices on the external network.</para>
|
|
<para>Replace <replaceable>FLOATING_IP_START</replaceable> and
|
|
<replaceable>FLOATING_IP_END</replaceable> with the first and last
|
|
IP addresses of the range that you want to allocate for floating IP
|
|
addresses. Replace <replaceable>EXTERNAL_NETWORK_CIDR</replaceable>
|
|
with the subnet associated with the physical network. Replace
|
|
<replaceable>EXTERNAL_NETWORK_GATEWAY</replaceable> with the gateway
|
|
associated with the physical network, typically the ".1" IP address.
|
|
You should disable <glossterm>DHCP</glossterm> on this subnet because
|
|
instances do not connect directly to the external network and floating
|
|
IP addresses require manual assignment.</para>
|
|
<procedure>
|
|
<title>To create a subnet on the external network</title>
|
|
<step>
|
|
<para>Create the subnet:</para>
|
|
<screen><prompt>$</prompt> <userinput>neutron subnet-create ext-net --name ext-subnet \
|
|
--allocation-pool start=<replaceable>FLOATING_IP_START</replaceable>,end=<replaceable>FLOATING_IP_END</replaceable> \
|
|
--disable-dhcp --gateway <replaceable>EXTERNAL_NETWORK_GATEWAY</replaceable> <replaceable>EXTERNAL_NETWORK_CIDR</replaceable></userinput></screen>
|
|
<para>For example, using <literal>203.0.113.0/24</literal> with
|
|
floating IP address range <literal>203.0.113.101</literal> to
|
|
<literal>203.0.113.200</literal>:</para>
|
|
<screen><prompt>$</prompt> <userinput>neutron subnet-create ext-net --name ext-subnet \
|
|
--allocation-pool start=203.0.113.101,end=203.0.113.200 \
|
|
--disable-dhcp --gateway 203.0.113.1 203.0.113.0/24</userinput>
|
|
<computeroutput>Created a new subnet:
|
|
+-------------------+------------------------------------------------------+
|
|
| Field | Value |
|
|
+-------------------+------------------------------------------------------+
|
|
| allocation_pools | {"start": "203.0.113.101", "end": "203.0.113.200"} |
|
|
| cidr | 203.0.113.0/24 |
|
|
| dns_nameservers | |
|
|
| enable_dhcp | False |
|
|
| gateway_ip | 203.0.113.1 |
|
|
| host_routes | |
|
|
| id | 9159f0dc-2b63-41cf-bd7a-289309da1391 |
|
|
| ip_version | 4 |
|
|
| ipv6_address_mode | |
|
|
| ipv6_ra_mode | |
|
|
| name | ext-subnet |
|
|
| network_id | 893aebb9-1c1e-48be-8908-6b947f3237b3 |
|
|
| tenant_id | 54cd044c64d5408b83f843d63624e0d8 |
|
|
+-------------------+------------------------------------------------------+</computeroutput></screen>
|
|
</step>
|
|
</procedure>
|
|
</section>
|
|
<section xml:id="neutron_initial-tenant-network">
|
|
<title>Tenant network</title>
|
|
<para>The tenant network provides internal network access for instances.
|
|
The architecture isolates this type of network from other tenants. The
|
|
<literal>demo</literal> tenant owns this network because it only
|
|
provides network access for instances within it.</para>
|
|
<note>
|
|
<para>Perform these commands on the controller node.</para>
|
|
</note>
|
|
<procedure>
|
|
<title>To create the tenant network</title>
|
|
<step>
|
|
<para>Source the <literal>demo</literal> tenant credentials:</para>
|
|
<screen><prompt>$</prompt> <userinput>source demo-openrc.sh</userinput></screen>
|
|
</step>
|
|
<step>
|
|
<para>Create the network:</para>
|
|
<screen><prompt>$</prompt> <userinput>neutron net-create demo-net</userinput>
|
|
<computeroutput>Created a new network:
|
|
+----------------+--------------------------------------+
|
|
| Field | Value |
|
|
+----------------+--------------------------------------+
|
|
| admin_state_up | True |
|
|
| id | ac108952-6096-4243-adf4-bb6615b3de28 |
|
|
| name | demo-net |
|
|
| shared | False |
|
|
| status | ACTIVE |
|
|
| subnets | |
|
|
| tenant_id | cdef0071a0194d19ac6bb63802dc9bae |
|
|
+----------------+--------------------------------------+</computeroutput></screen>
|
|
</step>
|
|
</procedure>
|
|
<para>Like the external network, your tenant network also requires
|
|
a subnet attached to it. You can specify any valid subnet because the
|
|
architecture isolates tenant networks. Replace
|
|
<replaceable>TENANT_NETWORK_CIDR</replaceable> with the subnet
|
|
you want to associate with the tenant network. Replace
|
|
<replaceable>TENANT_NETWORK_GATEWAY</replaceable> with the gateway you
|
|
want to associate with this network, typically the ".1" IP address. By
|
|
default, this subnet will use DHCP so your instances can obtain IP
|
|
addresses.</para>
|
|
<procedure>
|
|
<title>To create a subnet on the tenant network</title>
|
|
<step>
|
|
<para>Create the subnet:</para>
|
|
<screen><prompt>$</prompt> <userinput>neutron subnet-create demo-net --name demo-subnet \
|
|
--gateway <replaceable>TENANT_NETWORK_GATEWAY</replaceable> <replaceable>TENANT_NETWORK_CIDR</replaceable></userinput></screen>
|
|
<para>Example using <literal>192.168.1.0/24</literal>:</para>
|
|
<screen><prompt>$</prompt> <userinput>neutron subnet-create demo-net --name demo-subnet \
|
|
--gateway 192.168.1.1 192.168.1.0/24</userinput>
|
|
<computeroutput>Created a new subnet:
|
|
+-------------------+------------------------------------------------------+
|
|
| Field | Value |
|
|
+-------------------+------------------------------------------------------+
|
|
| allocation_pools | {"start": "192.168.1.2", "end": "192.168.1.254"} |
|
|
| cidr | 192.168.1.0/24 |
|
|
| dns_nameservers | |
|
|
| enable_dhcp | True |
|
|
| gateway_ip | 192.168.1.1 |
|
|
| host_routes | |
|
|
| id | 69d38773-794a-4e49-b887-6de6734e792d |
|
|
| ip_version | 4 |
|
|
| ipv6_address_mode | |
|
|
| ipv6_ra_mode | |
|
|
| name | demo-subnet |
|
|
| network_id | ac108952-6096-4243-adf4-bb6615b3de28 |
|
|
| tenant_id | cdef0071a0194d19ac6bb63802dc9bae |
|
|
+-------------------+------------------------------------------------------+</computeroutput></screen>
|
|
</step>
|
|
</procedure>
|
|
<para>A virtual router passes network traffic between two or more virtual
|
|
networks. Each router requires one or more
|
|
<glossterm baseform="interface">interfaces</glossterm> and/or gateways
|
|
that provide access to specific networks. In this case, you will create
|
|
a router and attach your tenant and external networks to it.</para>
|
|
<procedure>
|
|
<title>To create a router on the tenant network and attach the external
|
|
and tenant networks to it</title>
|
|
<step>
|
|
<para>Create the router:</para>
|
|
<screen><prompt>$</prompt> <userinput>neutron router-create demo-router</userinput>
|
|
<computeroutput>Created a new router:
|
|
+-----------------------+--------------------------------------+
|
|
| Field | Value |
|
|
+-----------------------+--------------------------------------+
|
|
| admin_state_up | True |
|
|
| external_gateway_info | |
|
|
| id | 635660ae-a254-4feb-8993-295aa9ec6418 |
|
|
| name | demo-router |
|
|
| status | ACTIVE |
|
|
| tenant_id | cdef0071a0194d19ac6bb63802dc9bae |
|
|
+-----------------------+--------------------------------------+</computeroutput></screen>
|
|
</step>
|
|
<step>
|
|
<para>Attach the router to the <literal>demo</literal> tenant
|
|
subnet:</para>
|
|
<screen><prompt>$</prompt> <userinput>neutron router-interface-add demo-router demo-subnet</userinput>
|
|
<computeroutput>Added interface b1a894fd-aee8-475c-9262-4342afdc1b58 to router demo-router.</computeroutput></screen>
|
|
</step>
|
|
<step>
|
|
<para>Attach the router to the external network by setting it as
|
|
the gateway:</para>
|
|
<screen><prompt>$</prompt> <userinput>neutron router-gateway-set demo-router ext-net</userinput>
|
|
<computeroutput>Set gateway for router demo-router</computeroutput></screen>
|
|
</step>
|
|
</procedure>
|
|
</section>
|
|
<section xml:id="neutron_initial-networks-verify">
|
|
<title>Verify connectivity</title>
|
|
<para>We recommend that you verify network connectivity and resolve any
|
|
issues before proceeding further. Following the external network
|
|
subnet example using <literal>203.0.113.0/24</literal>, the tenant
|
|
router gateway should occupy the lowest IP address in the floating
|
|
IP address range, <literal>203.0.113.101</literal>. If you configured
|
|
your external physical network and virtual networks correctly, you
|
|
you should be able to <command>ping</command> this IP address from any
|
|
host on your external physical network.</para>
|
|
<note>
|
|
<para>If you are building your OpenStack nodes as virtual machines,
|
|
you must configure the hypervisor to permit promiscuous mode on the
|
|
external network.</para>
|
|
</note>
|
|
<procedure>
|
|
<title>To verify network connectivity</title>
|
|
<step>
|
|
<para>Ping the tenant router gateway:</para>
|
|
<screen><prompt>$</prompt> <userinput>ping -c 4 203.0.113.101</userinput>
|
|
<computeroutput>PING 203.0.113.101 (203.0.113.101) 56(84) bytes of data.
|
|
64 bytes from 203.0.113.101: icmp_req=1 ttl=64 time=0.619 ms
|
|
64 bytes from 203.0.113.101: icmp_req=2 ttl=64 time=0.189 ms
|
|
64 bytes from 203.0.113.101: icmp_req=3 ttl=64 time=0.165 ms
|
|
64 bytes from 203.0.113.101: icmp_req=4 ttl=64 time=0.216 ms
|
|
|
|
--- 203.0.113.101 ping statistics ---
|
|
4 packets transmitted, 4 received, 0% packet loss, time 2999ms
|
|
rtt min/avg/max/mdev = 0.165/0.297/0.619/0.187 ms</computeroutput></screen>
|
|
</step>
|
|
</procedure>
|
|
</section>
|
|
</section>
|