openstack-manuals/doc/install-guide/section_neutron-per-tenant-routers-with-private-networks.xml
Andreas Jaeger bbab391aeb Fix usage of $/# prompts
Use # prompt for root and $ for user actions.

Change-Id: Ia241921d4f3d072cf4d7459557a5d78d31d7049c
2014-03-14 08:30:08 +01:00

869 lines
48 KiB
XML

<?xml version="1.0" encoding="UTF-8"?>
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
xml:id="section_networking-routers-with-private-networks">
<title>Per-tenant routers with private networks</title>
<para>This section describes how to install the OpenStack Networking
service and its components for a use case that has per-tenant
routers with private networks.</para>
<informalfigure>
<mediaobject>
<imageobject>
<imagedata contentwidth="6in"
fileref="../common/figures/UseCase-MultiRouter.png"
/>
</imageobject>
</mediaobject>
</informalfigure>
<para>The following figure shows the setup:</para>
<informalfigure>
<mediaobject>
<imageobject>
<imagedata contentwidth="6in"
fileref="../common/figures/demo_routers_with_private_networks.png"
/>
</imageobject>
</mediaobject>
</informalfigure>
<para>As shown in the figure, the setup includes:</para>
<itemizedlist>
<listitem>
<para>An interface for management traffic on each
node.</para>
</listitem>
<listitem>
<para>Use of the Open vSwitch plug-in.</para>
</listitem>
<listitem>
<para>GRE tunnels for data transport on all agents.</para>
</listitem>
<listitem>
<para>Floating IPs and router gateway ports that are
configured in an external network, and a physical
router that connects the floating IPs and router
gateway ports to the outside world.</para>
</listitem>
</itemizedlist>
<note>
<para>Because this example runs a DHCP agent and L3 agent on
one node, you must set the
<literal>use_namespace</literal> option to
<literal>True</literal> in the configuration file for
each agent. The default is <literal>True</literal>.</para>
</note>
<para>This table describes the nodes:</para>
<informaltable rules="all" width="100%">
<col width="20%"/>
<col width="80%"/>
<thead>
<tr>
<th>Node</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>Controller Node</td>
<td><para>Runs Networking, Identity Service, and all
Compute services that are required to deploy
VMs (<systemitem class="service"
>nova-api</systemitem>, <systemitem
class="service"
>nova-scheduler</systemitem>, for
example). The node must have at least one
network interface, which connects to the
Management Network. The host name is
<literal>controlnode</literal>, which
other nodes resolve to the IP of the
controller node.</para><note>
<para>The <systemitem class="service"
>nova-network</systemitem> service
should not be running. This is replaced by
Networking.</para>
</note></td>
</tr>
<tr>
<td>Compute Node</td>
<td>Runs the Networking L2 agent and the Compute
services that run VMs (<systemitem class="service"
>nova-compute</systemitem> specifically, and
optionally other <systemitem class="service"
>nova-*</systemitem> services depending on
configuration). The node must have at least two
network interfaces. One interface communicates
with the controller node through the management
network. The other node is used for the VM traffic
on the data network. The VM receives its IP
address from the DHCP agent on this network.</td>
</tr>
<tr>
<td>Network Node</td>
<td>Runs Networking L2 agent, DHCP agent and L3 agent.
This node has access to the external network. The
DHCP agent allocates IP addresses to the VMs on
data network. (Technically, the addresses are
allocated by the Networking server, and
distributed by the dhcp agent.) The node must have
at least two network interfaces. One interface
communicates with the controller node through the
management network. The other interface is used as
external network. GRE tunnels are set up as data
networks.</td>
</tr>
<tr>
<td>Router</td>
<td>Router has IP 30.0.0.1, which is the default
gateway for all VMs. The router must be able to
access public networks.</td>
</tr>
</tbody>
</informaltable>
<para>The use case assumes the following:</para>
<para><emphasis role="bold">Controller node</emphasis></para>
<orderedlist>
<listitem>
<para>Relevant Compute services are installed, configured,
and running.</para>
</listitem>
<listitem>
<para>Glance is installed, configured, and running. In
addition, an image named <literal>tty</literal> must
be present.</para>
</listitem>
<listitem>
<para>Identity is installed, configured, and running. A
Networking user named <emphasis role="bold"
>neutron</emphasis> should be created on tenant
<emphasis role="bold">service</emphasis> with
password <replaceable
>NEUTRON_PASS</replaceable>.</para>
</listitem>
<listitem>
<para>Additional services: <itemizedlist>
<listitem>
<para>RabbitMQ is running with default guest
and password <replaceable>RABBIT_PASS</replaceable>.</para>
</listitem>
<listitem
os="rhel;centos;fedora;opensuse;sles;ubuntu">
<para>MySQL server (user is <emphasis
role="bold">root</emphasis>).</para>
</listitem>
</itemizedlist></para>
</listitem>
</orderedlist>
<para><emphasis role="bold">Compute node</emphasis></para>
<para>Install and configure Compute.</para>
<section xml:id="demo_routers_with_private_networks_installions">
<title>Install</title>
<itemizedlist>
<listitem>
<para><emphasis role="bold">Controller node - Networking
server</emphasis></para>
<procedure>
<step>
<para>Install the Networking server.</para>
</step>
<step os="rhel;centos;fedora;opensuse;sles;ubuntu">
<para>Create database <emphasis role="bold"
>ovs_neutron</emphasis>.</para>
</step>
<step>
<para>Update the Networking configuration
file, <filename>
/etc/neutron/neutron.conf</filename>,
with plug-in choice and Identity Service
user as necessary:</para>
<programlisting language="ini" os="rhel;centos;fedora;opensuse;sles;ubuntu">[DEFAULT]
core_plugin = neutron.plugins.openvswitch.ovs_neutron_plugin.OVSNeutronPluginV2
control_exchange = neutron
rabbit_host = <replaceable>controller</replaceable>
rabbit_password = <replaceable>RABBIT_PASS</replaceable>
notification_driver = neutron.openstack.common.notifier.rabbit_notifier
[database]
connection = mysql://neutron:<replaceable>NEUTRON_DBPASS</replaceable>@<replaceable>controller</replaceable>:3306/neutron
[keystone_authtoken]
admin_tenant_name=service
admin_user=neutron
admin_password=<replaceable>NEUTRON_PASS</replaceable></programlisting>
<programlisting language="ini" os="debian">[DEFAULT]
control_exchange = neutron
rabbit_host = <replaceable>controller</replaceable>
rabbit_password = <replaceable>RABBIT_PASS</replaceable>
notification_driver = neutron.openstack.common.notifier.rabbit_notifier
[database]
connection = mysql://neutron:<replaceable>NEUTRON_DBPASS</replaceable>@<replaceable>controller</replaceable>:3306/neutron</programlisting>
</step>
<step os="rhel;centos;fedora;opensuse;sles;ubuntu">
<para>Update the plug-in configuration file,
<filename>/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini</filename>:</para>
<programlisting language="ini">[ovs]
tenant_network_type = gre
tunnel_id_ranges = 1:1000
enable_tunneling = True</programlisting>
</step>
<step os="rhel;centos;fedora;opensuse;sles;ubuntu">
<para>Start the Networking server.</para>
<para>The Networking server can be a service
of the operating system. The command to
start the service depends on your
operating system. The following command
runs the Networking server
directly:</para>
<screen><prompt>#</prompt> <userinput>neutron-server --config-file /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini \
--config-file /etc/neutron/neutron.conf</userinput></screen>
</step>
</procedure>
</listitem>
<listitem>
<para><emphasis role="bold">Compute node - Compute </emphasis><procedure>
<step>
<para>Install Compute services.</para>
</step>
<step>
<para>Update the Compute <filename>
/etc/nova/nova.conf</filename>
configuration file. Make sure the
following line appears at the end of
this file:</para>
<programlisting language="ini">network_api_class=nova.network.neutronv2.api.API
neutron_admin_username=neutron
neutron_admin_password=<replaceable>NEUTRON_PASS</replaceable>
neutron_admin_auth_url=http://controlnode:35357/v2.0/
neutron_auth_strategy=keystone
neutron_admin_tenant_name=service
neutron_url=http://controlnode:9696/</programlisting>
</step>
<step>
<para>Restart relevant Compute
services.</para>
</step>
</procedure></para>
</listitem>
<listitem>
<para><emphasis role="bold">Compute and Networking
node - L2 agent</emphasis></para>
<procedure>
<step>
<para>Install and start Open vSwitch.</para>
</step>
<step>
<para>Install the L2 agent (Neutron Open
vSwitch agent).</para>
</step>
<step>
<para>Add the integration bridge to the Open
vSwitch:</para>
<screen><prompt>#</prompt> <userinput>ovs-vsctl add-br br-int</userinput></screen>
</step>
<step>
<para>Update the Networking configuration
file, <filename>
/etc/neutron/neutron.conf</filename>:</para>
<programlisting language="ini">[DEFAULT]
core_plugin = neutron.plugins.openvswitch.ovs_neutron_plugin.OVSNeutronPluginV2
control_exchange = neutron
rabbit_host = <replaceable>controller</replaceable>
rabbit_password = <replaceable>RABBIT_PASS</replaceable>
notification_driver = neutron.openstack.common.notifier.rabbit_notifier
[database]
connection = mysql://neutron:<replaceable>NEUTRON_DBPASS</replaceable>@<replaceable>controller</replaceable>:3306/neutron</programlisting>
</step>
<step>
<para>Update the plug-in configuration file,
<filename>
/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini</filename>.</para>
<para>Compute node:</para>
<programlisting language="ini">[ovs]
tenant_network_type = gre
tunnel_id_ranges = 1:1000
enable_tunneling = True
local_ip = 9.181.89.202</programlisting>
<para>Network node:</para>
<programlisting language="ini">[ovs]
tenant_network_type = gre
tunnel_id_ranges = 1:1000
enable_tunneling = True
local_ip = 9.181.89.203</programlisting>
</step>
<step>
<para>Create the integration bridge <emphasis
role="bold">br-int</emphasis>:</para>
<screen><prompt>#</prompt> <userinput>ovs-vsctl --may-exist add-br br-int</userinput></screen>
</step>
<step>
<para>Start the Networking L2 agent</para>
<para>The Networking Open vSwitch L2 agent can
be a service of the operating system. The
command to start depends on your operating
system. The following command runs the
service directly:</para>
<screen><prompt>#</prompt> <userinput>neutron-openvswitch-agent --config-file /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini \
--config-file /etc/neutron/neutron.conf</userinput></screen>
</step>
</procedure>
</listitem>
<listitem>
<para><emphasis role="bold">Network node - DHCP
agent</emphasis></para>
<procedure>
<step>
<para>Install the DHCP agent.</para>
</step>
<step>
<para>Update the Networking configuration
file, <filename>
/etc/neutron/neutron.conf</filename></para>
<programlisting language="ini">[DEFAULT]
core_plugin = neutron.plugins.openvswitch.ovs_neutron_plugin.OVSNeutronPluginV2
control_exchange = neutron
rabbit_host = <replaceable>controller</replaceable>
rabbit_password = <replaceable>RABBIT_PASS</replaceable>
notification_driver = neutron.openstack.common.notifier.rabbit_notifier
allow_overlapping_ips = True</programlisting>
<para><emphasis role="bold">Set
<literal>allow_overlapping_ips</literal>
because TenantA and TenantC use
overlapping subnets.</emphasis></para>
</step>
<step>
<para>Update the DHCP <filename>
/etc/neutron/dhcp_agent.ini</filename>
configuration file:</para>
<programlisting language="ini">interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver</programlisting>
</step>
<step>
<para>Start the DHCP agent.</para>
<para>The Networking DHCP agent can be a
service of operating system. The command
to start the service depends on your
operating system. The following command
runs the service directly:</para>
<screen><prompt>#</prompt> <userinput>neutron-dhcp-agent --config-file /etc/neutron/neutron.conf \
--config-file /etc/neutron/dhcp_agent.ini</userinput></screen>
</step>
</procedure>
</listitem>
<listitem>
<para><emphasis role="bold">Network node - L3
agent</emphasis></para>
<procedure>
<step>
<para>Install the L3 agent.</para>
</step>
<step>
<para>Add the external network bridge</para>
<screen><prompt>#</prompt> <userinput>ovs-vsctl add-br br-ex</userinput></screen>
</step>
<step>
<para>Add the physical interface, for example
eth0, that is connected to the outside
network to this bridge:</para>
<screen><prompt>#</prompt> <userinput>ovs-vsctl add-port br-ex eth0</userinput></screen>
</step>
<step>
<para>Update the L3 configuration file
<filename>
/etc/neutron/l3_agent.ini</filename>:</para>
<programlisting language="ini">[DEFAULT]
interface_driver=neutron.agent.linux.interface.OVSInterfaceDriver
use_namespaces=True</programlisting>
<para><emphasis role="bold">Set the
<literal>use_namespaces</literal>
option (it is True by default) because
TenantA and TenantC have overlapping
subnets, and the routers are hosted on
one l3 agent network
node.</emphasis></para>
</step>
<step>
<para>Start the L3 agent</para>
<para>The Networking L3 agent can be a service
of the operating system. The command to start
the service depends on your operating
system. The following command starts the
agent directly:</para>
<screen><prompt>#</prompt> <userinput>neutron-l3-agent --config-file /etc/neutron/neutron.conf \
--config-file /etc/neutron/l3_agent.ini</userinput></screen>
</step>
</procedure>
</listitem>
</itemizedlist>
</section>
<section xml:id="demo_per_tenant_router_network_config">
<title>Configure logical network</title>
<para>You can run these commands on the network node.</para>
<note>
<para>Ensure that the following environment variables are
set. Various clients use these to access the Identity
Service.</para>
<programlisting language="bash">export OS_USERNAME=admin
export OS_PASSWORD=<replaceable>ADMIN_PASS</replaceable>
export OS_TENANT_NAME=admin
export OS_AUTH_URL=http://<replaceable>controller</replaceable>:5000/v2.0/</programlisting>
</note>
<procedure>
<step>
<para>Get the tenant ID (Used as $TENANT_ID
later):</para>
<screen><prompt>$</prompt> <userinput>keystone tenant-list</userinput>
<computeroutput>+----------------------------------+---------+---------+
| id | name | enabled |
+----------------------------------+---------+---------+
| 247e478c599f45b5bd297e8ddbbc9b6a | TenantA | True |
| 2b4fec24e62e4ff28a8445ad83150f9d | TenantC | True |
| 3719a4940bf24b5a8124b58c9b0a6ee6 | TenantB | True |
| 5fcfbc3283a142a5bb6978b549a511ac | demo | True |
| b7445f221cda4f4a8ac7db6b218b1339 | admin | True |
+----------------------------------+---------+---------+</computeroutput></screen>
</step>
<step>
<para>Get user information:</para>
<screen><prompt>$</prompt> <userinput>keystone user-list</userinput>
<computeroutput>+----------------------------------+-------+---------+-------------------+
| id | name | enabled | email |
+----------------------------------+-------+---------+-------------------+
| 5a9149ed991744fa85f71e4aa92eb7ec | demo | True | |
| 5b419c74980d46a1ab184e7571a8154e | admin | True | admin@example.com |
| 8e37cb8193cb4873a35802d257348431 | UserC | True | |
| c11f6b09ed3c45c09c21cbbc23e93066 | UserB | True | |
| ca567c4f6c0942bdac0e011e97bddbe3 | UserA | True | |
+----------------------------------+-------+---------+-------------------+</computeroutput></screen>
</step>
<step>
<para>Create the external network and its subnet by
admin user:</para>
<screen><prompt>$</prompt> <userinput>neutron net-create Ext-Net --provider:network_type local --router:external true</userinput>
<computeroutput>Created a new network:
+---------------------------+--------------------------------------+
| Field | Value |
+---------------------------+--------------------------------------+
| admin_state_up | True |
| id | 2c757c9e-d3d6-4154-9a77-336eb99bd573 |
| name | Ext-Net |
| provider:network_type | local |
| provider:physical_network | |
| provider:segmentation_id | |
| router:external | True |
| shared | False |
| status | ACTIVE |
| subnets | |
| tenant_id | b7445f221cda4f4a8ac7db6b218b1339 |
+---------------------------+--------------------------------------+</computeroutput></screen>
<screen><prompt>$</prompt> <userinput>neutron subnet-create Ext-Net 30.0.0.0/24 --disable-dhcp</userinput>
<computeroutput>Created a new subnet:
+------------------+--------------------------------------------+
| Field | Value |
+------------------+--------------------------------------------+
| allocation_pools | {"start": "30.0.0.2", "end": "30.0.0.254"} |
| cidr | 30.0.0.0/24 |
| dns_nameservers | |
| enable_dhcp | False |
| gateway_ip | 30.0.0.1 |
| host_routes | |
| id | ba754a55-7ce8-46bb-8d97-aa83f4ffa5f9 |
| ip_version | 4 |
| name | |
| network_id | 2c757c9e-d3d6-4154-9a77-336eb99bd573 |
| tenant_id | b7445f221cda4f4a8ac7db6b218b1339 |
+------------------+--------------------------------------------+</computeroutput></screen>
<para><emphasis role="bold">
<literal>provider:network_type local</literal>
means that Networking does not have to realize
this network through provider network.
<literal>router:external true</literal>
means that an external network is created
where you can create the floating IP and router
gateway port.</emphasis></para>
</step>
<step>
<para>Add an IP on the external network to br-ex.</para>
<para>Because br-ex is the external network bridge,
add an IP 30.0.0.100/24 to br-ex and ping the
floating IP of the VM from our network
node.</para>
<screen><prompt>#</prompt> <userinput>ip addr add 30.0.0.100/24 dev br-ex</userinput>
<prompt>#</prompt> <userinput>ip link set br-ex up</userinput></screen>
</step>
<step>
<para>Serve TenantA.</para>
<para>For TenantA, create a private network, subnet,
server, router, and floating IP.</para>
<substeps>
<step>
<para>Create a network for TenantA:</para>
<screen><prompt>$</prompt> <userinput>neutron --os-tenant-name TenantA --os-username UserA --os-password password \
--os-auth-url=http://localhost:5000/v2.0 net-create TenantA-Net</userinput>
<computeroutput>Created a new network:
+-----------------+--------------------------------------+
| Field | Value |
+-----------------+--------------------------------------+
| admin_state_up | True |
| id | 7d0e8d5d-c63c-4f13-a117-4dc4e33e7d68 |
| name | TenantA-Net |
| router:external | False |
| shared | False |
| status | ACTIVE |
| subnets | |
| tenant_id | 247e478c599f45b5bd297e8ddbbc9b6a |
+-----------------+--------------------------------------+</computeroutput></screen>
<para>After that, you can use admin user to
query the provider network
information:</para>
<screen><prompt>$</prompt> <userinput>neutron net-show TenantA-Net</userinput>
<computeroutput>+---------------------------+--------------------------------------+
| Field | Value |
+---------------------------+--------------------------------------+
| admin_state_up | True |
| id | 7d0e8d5d-c63c-4f13-a117-4dc4e33e7d68 |
| name | TenantA-Net |
| provider:network_type | gre |
| provider:physical_network | |
| provider:segmentation_id | 1 |
| router:external | False |
| shared | False |
| status | ACTIVE |
| subnets | |
| tenant_id | 247e478c599f45b5bd297e8ddbbc9b6a |
+---------------------------+--------------------------------------+</computeroutput></screen>
<para>The network has GRE tunnel ID (for
example, provider:segmentation_id)
1.</para>
</step>
<step>
<para>Create a subnet on the network
TenantA-Net:</para>
<screen><prompt>$</prompt> <userinput>neutron --os-tenant-name TenantA --os-username UserA --os-password password \
--os-auth-url=http://localhost:5000/v2.0 subnet-create TenantA-Net 10.0.0.0/24</userinput>
<computeroutput>Created a new subnet:
+------------------+--------------------------------------------+
| Field | Value |
+------------------+--------------------------------------------+
| allocation_pools | {"start": "10.0.0.2", "end": "10.0.0.254"} |
| cidr | 10.0.0.0/24 |
| dns_nameservers | |
| enable_dhcp | True |
| gateway_ip | 10.0.0.1 |
| host_routes | |
| id | 51e2c223-0492-4385-b6e9-83d4e6d10657 |
| ip_version | 4 |
| name | |
| network_id | 7d0e8d5d-c63c-4f13-a117-4dc4e33e7d68 |
| tenant_id | 247e478c599f45b5bd297e8ddbbc9b6a |
+------------------+--------------------------------------------+</computeroutput></screen>
</step>
<step>
<para>Create a server for TenantA:</para>
<screen><prompt>$</prompt> <userinput>nova --os-tenant-name TenantA --os-username UserA --os-password password \
--os-auth-url=http://localhost:5000/v2.0 boot --image tty --flavor 1 \
--nic net-id=7d0e8d5d-c63c-4f13-a117-4dc4e33e7d68 TenantA_VM1</userinput></screen>
<screen><prompt>$</prompt> <userinput>nova --os-tenant-name TenantA --os-username UserA --os-password password \
--os-auth-url=http://localhost:5000/v2.0 list</userinput>
<computeroutput>+--------------------------------------+-------------+--------+----------------------+
| ID | Name | Status | Networks |
+--------------------------------------+-------------+--------+----------------------+
| 7c5e6499-7ef7-4e36-8216-62c2941d21ff | TenantA_VM1 | ACTIVE | TenantA-Net=10.0.0.3 |
+--------------------------------------+-------------+--------+----------------------+</computeroutput></screen>
<note>
<para>It is important to understand that
you should not attach the instance to
Ext-Net directly. Instead, you must
use a floating IP to make it
accessible from the external
network.</para>
</note>
</step>
<step>
<para>Create and configure a router for
TenantA:</para>
<screen><prompt>$</prompt> <userinput>neutron --os-tenant-name TenantA --os-username UserA --os-password password \
--os-auth-url=http://localhost:5000/v2.0 router-create TenantA-R1</userinput>
<computeroutput>Created a new router:
+-----------------------+--------------------------------------+
| Field | Value |
+-----------------------+--------------------------------------+
| admin_state_up | True |
| external_gateway_info | |
| id | 59cd02cb-6ee6-41e1-9165-d251214594fd |
| name | TenantA-R1 |
| status | ACTIVE |
| tenant_id | 247e478c599f45b5bd297e8ddbbc9b6a |
+-----------------------+--------------------------------------+</computeroutput></screen>
<screen><prompt>$</prompt> <userinput>neutron --os-tenant-name TenantA --os-username UserA --os-password password \
--os-auth-url=http://localhost:5000/v2.0 router-interface-add \
TenantA-R1 51e2c223-0492-4385-b6e9-83d4e6d10657</userinput></screen>
<para>Added interface to router
TenantA-R1</para>
<screen><prompt>$</prompt> <userinput>neutron --os-tenant-name TenantA --os-username UserA --os-password password \
--os-auth-url=http://localhost:5000/v2.0 \
router-gateway-set TenantA-R1 Ext-Net</userinput></screen>
</step>
</substeps>
</step>
<step>
<para>Associate a floating IP for TenantA_VM1.</para>
<substeps>
<step>
<para>Create a floating IP:</para>
<screen><prompt>$</prompt> <userinput>neutron --os-tenant-name TenantA --os-username UserA --os-password password \
--os-auth-url=http://localhost:5000/v2.0 floatingip-create Ext-Net</userinput>
<computeroutput>Created a new floatingip:
+---------------------+--------------------------------------+
| Field | Value |
+---------------------+--------------------------------------+
| fixed_ip_address | |
| floating_ip_address | 30.0.0.2 |
| floating_network_id | 2c757c9e-d3d6-4154-9a77-336eb99bd573 |
| id | 5a1f90ed-aa3c-4df3-82cb-116556e96bf1 |
| port_id | |
| router_id | |
| tenant_id | 247e478c599f45b5bd297e8ddbbc9b6a |
+---------------------+--------------------------------------+</computeroutput></screen>
</step>
<step>
<para>Get the port ID of the VM with ID
7c5e6499-7ef7-4e36-8216-62c2941d21ff:</para>
<screen><prompt>$</prompt> <userinput>neutron --os-tenant-name TenantA --os-username UserA --os-password password \
--os-auth-url=http://localhost:5000/v2.0 port-list -- \
--device_id 7c5e6499-7ef7-4e36-8216-62c2941d21ff</userinput>
<computeroutput>+--------------------------------------+------+-------------------+---------------------------------------------------------------------------------+
| id | name | mac_address | fixed_ips |
+--------------------------------------+------+-------------------+---------------------------------------------------------------------------------+
| 6071d430-c66e-4125-b972-9a937c427520 | | fa:16:3e:a0:73:0d | {"subnet_id": "51e2c223-0492-4385-b6e9-83d4e6d10657", "ip_address": "10.0.0.3"} |
+--------------------------------------+------+-------------------+---------------------------------------------------------------------------------+</computeroutput></screen>
</step>
<step>
<para>Associate the floating IP with the VM
port:</para>
<screen><prompt>$</prompt> <userinput>neutron --os-tenant-name TenantA --os-username UserA --os-password password \
--os-auth-url=http://localhost:5000/v2.0 floatingip-associate \
5a1f90ed-aa3c-4df3-82cb-116556e96bf1 6071d430-c66e-4125-b972-9a937c427520</userinput>
<computeroutput>Associated floatingip 5a1f90ed-aa3c-4df3-82cb-116556e96bf1
</computeroutput></screen>
<screen><prompt>$</prompt> <userinput>neutron floatingip-list</userinput>
<computeroutput>+--------------------------------------+------------------+---------------------+--------------------------------------+
| id | fixed_ip_address | floating_ip_address | port_id |
+--------------------------------------+------------------+---------------------+--------------------------------------+
| 5a1f90ed-aa3c-4df3-82cb-116556e96bf1 | 10.0.0.3 | 30.0.0.2 | 6071d430-c66e-4125-b972-9a937c427520 |
+--------------------------------------+------------------+---------------------+--------------------------------------+
</computeroutput></screen>
</step>
</substeps>
</step>
<step>
<para>Ping the public network from the server of
TenantA.</para>
<para>In my environment, 192.168.1.0/24 is my public
network connected with my physical router, which
also connects to the external network 30.0.0.0/24.
With the floating IP and virtual router, you can
ping the public network within the server of
tenant A:</para>
<screen><prompt>$</prompt> <userinput>ping 192.168.1.1</userinput>
<computeroutput>PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_req=1 ttl=64 time=1.74 ms
64 bytes from 192.168.1.1: icmp_req=2 ttl=64 time=1.50 ms
64 bytes from 192.168.1.1: icmp_req=3 ttl=64 time=1.23 ms
^C
--- 192.168.1.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 1.234/1.495/1.745/0.211 ms
</computeroutput></screen>
</step>
<step>
<para>Ping the floating IP of TenantA's server:</para>
<screen><prompt>$</prompt> <userinput>ping 30.0.0.2</userinput>
<computeroutput>PING 30.0.0.2 (30.0.0.2) 56(84) bytes of data.
64 bytes from 30.0.0.2: icmp_req=1 ttl=63 time=45.0 ms
64 bytes from 30.0.0.2: icmp_req=2 ttl=63 time=0.898 ms
64 bytes from 30.0.0.2: icmp_req=3 ttl=63 time=0.940 ms
^C
--- 30.0.0.2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 0.898/15.621/45.027/20.793 ms
</computeroutput></screen>
</step>
<step>
<para>Create other servers for TenantA.</para>
<para>You can create more servers for TenantA and add
floating IPs for them.</para>
</step>
<step>
<para>Serve TenantC.</para>
<para>For TenantC, you create two private networks
with subnet 10.0.0.0/24 and subnet 10.0.1.0/24,
some servers, one router to connect to these two
subnets and some floating IPs.</para>
<substeps>
<step>
<para>Create networks and subnets for
TenantC:</para>
<screen><prompt>$</prompt> <userinput>neutron --os-tenant-name TenantC --os-username UserC --os-password password \
--os-auth-url=http://localhost:5000/v2.0 net-create TenantC-Net1</userinput>
<prompt>$</prompt> <userinput>neutron --os-tenant-name TenantC --os-username UserC --os-password password \
--os-auth-url=http://localhost:5000/v2.0 subnet-create TenantC-Net1 \
10.0.0.0/24 --name TenantC-Subnet1</userinput>
<prompt>$</prompt> <userinput>neutron --os-tenant-name TenantC --os-username UserC --os-password password \
--os-auth-url=http://localhost:5000/v2.0 net-create TenantC-Net2</userinput>
<prompt>$</prompt> <userinput>neutron --os-tenant-name TenantC --os-username UserC --os-password password \
--os-auth-url=http://localhost:5000/v2.0 subnet-create TenantC-Net2 \
10.0.1.0/24 --name TenantC-Subnet2</userinput>
</screen>
<para>After that you can use admin user to
query the network's provider network
information:</para>
<screen><prompt>$</prompt> <userinput>neutron net-show TenantC-Net1</userinput>
<computeroutput>+---------------------------+--------------------------------------+
| Field | Value |
+---------------------------+--------------------------------------+
| admin_state_up | True |
| id | 91309738-c317-40a3-81bb-bed7a3917a85 |
| name | TenantC-Net1 |
| provider:network_type | gre |
| provider:physical_network | |
| provider:segmentation_id | 2 |
| router:external | False |
| shared | False |
| status | ACTIVE |
| subnets | cf03fd1e-164b-4527-bc87-2b2631634b83 |
| tenant_id | 2b4fec24e62e4ff28a8445ad83150f9d |
+---------------------------+--------------------------------------+
</computeroutput></screen>
<screen><prompt>$</prompt> <userinput>neutron net-show TenantC-Net2</userinput>
<computeroutput>+---------------------------+--------------------------------------+
| Field | Value |
+---------------------------+--------------------------------------+
| admin_state_up | True |
| id | 5b373ad2-7866-44f4-8087-f87148abd623 |
| name | TenantC-Net2 |
| provider:network_type | gre |
| provider:physical_network | |
| provider:segmentation_id | 3 |
| router:external | False |
| shared | False |
| status | ACTIVE |
| subnets | 38f0b2f0-9f98-4bf6-9520-f4abede03300 |
| tenant_id | 2b4fec24e62e4ff28a8445ad83150f9d |
+---------------------------+--------------------------------------+</computeroutput></screen>
<para>You can see GRE tunnel IDs (such as,
provider:segmentation_id) 2 and 3. And
also note the network IDs and subnet IDs
because you use them to create VMs and
the router.</para>
</step>
<step>
<para>Create a server TenantC-VM1 for TenantC
on TenantC-Net1.</para>
<screen><prompt>$</prompt> <userinput>nova --os-tenant-name TenantC --os-username UserC --os-password password \
--os-auth-url=http://localhost:5000/v2.0 boot --image tty --flavor 1 \
--nic net-id=91309738-c317-40a3-81bb-bed7a3917a85 TenantC_VM1</userinput></screen>
</step>
<step>
<para>Create a server TenantC-VM3 for TenantC
on TenantC-Net2.</para>
<screen><prompt>$</prompt> <userinput>nova --os-tenant-name TenantC --os-username UserC --os-password password \
--os-auth-url=http://localhost:5000/v2.0 boot --image tty --flavor 1 \
--nic net-id=5b373ad2-7866-44f4-8087-f87148abd623 TenantC_VM3</userinput></screen>
</step>
<step>
<para>List servers of TenantC.</para>
<screen><prompt>$</prompt> <userinput>nova --os-tenant-name TenantC --os-username UserC --os-password password \
--os-auth-url=http://localhost:5000/v2.0 list</userinput>
<computeroutput>+--------------------------------------+-------------+--------+-----------------------+
| ID | Name | Status | Networks |
+--------------------------------------+-------------+--------+-----------------------+
| b739fa09-902f-4b37-bcb4-06e8a2506823 | TenantC_VM1 | ACTIVE | TenantC-Net1=10.0.0.3 |
| 17e255b2-b14f-48b3-ab32-5df36566d2e8 | TenantC_VM3 | ACTIVE | TenantC-Net2=10.0.1.3 |
+--------------------------------------+-------------+--------+-----------------------+</computeroutput></screen>
<para>Note the server IDs because you use them
later.</para>
</step>
<step>
<para>Make sure servers get their IPs.</para>
<para>You can use VNC to log on the VMs to
check if they get IPs. If not, you must
make sure that the Networking components
are running correctly and the GRE tunnels
work.</para>
</step>
<step>
<para>Create and configure a router for
TenantC:</para>
<screen><prompt>$</prompt> <userinput>neutron --os-tenant-name TenantC --os-username UserC --os-password password \
--os-auth-url=http://localhost:5000/v2.0 router-create TenantC-R1</userinput></screen>
<screen><prompt>$</prompt> <userinput>neutron --os-tenant-name TenantC --os-username UserC --os-password password \
--os-auth-url=http://localhost:5000/v2.0 router-interface-add \
TenantC-R1 cf03fd1e-164b-4527-bc87-2b2631634b83</userinput>
<prompt>$</prompt> <userinput>neutron --os-tenant-name TenantC --os-username UserC --os-password password \
--os-auth-url=http://localhost:5000/v2.0 router-interface-add \
TenantC-R1 38f0b2f0-9f98-4bf6-9520-f4abede03300</userinput></screen>
<screen><prompt>$</prompt> <userinput>neutron --os-tenant-name TenantC --os-username UserC --os-password password \
--os-auth-url=http://localhost:5000/v2.0 \
router-gateway-set TenantC-R1 Ext-Net</userinput></screen>
</step>
<step>
<para>Checkpoint: ping from within TenantC's
servers.</para>
<para>Because a router connects to two
subnets, the VMs on these subnets can ping
each other. And because the gateway for
the router is set, TenantC's servers can
ping external network IPs, such as
192.168.1.1, 30.0.0.1, and so on.</para>
</step>
<step>
<para>Associate floating IPs for TenantC's
servers.</para>
<para>Because a router connects to two
subnets, the VMs on these subnets can ping
each other. And because the gateway
interface for the router is set, TenantC's
servers can ping external network IPs,
such as 192.168.1.1, 30.0.0.1, and so
on.</para>
</step>
<step>
<para>Associate floating IPs for TenantC's
servers.</para>
<para>You can use similar commands to the ones
used in the section for TenantA.</para>
</step>
</substeps>
</step>
</procedure>
</section>
<section xml:id="section_use-cases-tenant-router">
<title>Use case: per-tenant routers with private
networks</title>
<para>This use case represents a more advanced router scenario
in which each tenant gets at least one router, and
potentially has access to the Networking API to create
additional routers. The tenant can create their own
networks, potentially uplinking those networks to a
router. This model enables tenant-defined, multi-tier
applications, with each tier being a separate network
behind the router. Because there are multiple routers,
tenant subnets can overlap without conflicting, because
access to external networks all happens through SNAT or
floating IPs. Each router uplink and floating IP is
allocated from the external network subnet.</para>
<mediaobject>
<imageobject>
<imagedata scale="55"
fileref="../common/figures/UseCase-MultiRouter.png"
align="left"/>
</imageobject>
</mediaobject>
<!--Image source link: https://docs.google.com/a/nicira.com/drawings/d/1mmQc8cBUoTEfEns-ehIyQSTvOrjUdl5xeGDv9suVyAY/edit -->
</section>
</section>