===============
Neutron Formula
===============

Neutron is an OpenStack project to provide "networking as a service" between
interface devices (e.g., vNICs) managed by other OpenStack services (e.g.,
nova).

Starting in the Folsom release, Neutron is a core and supported part of the
OpenStack platform (for Essex, we were an "incubated" project, which means use
is suggested only for those who really know what they're doing with Neutron).

Sample Pillars
==============

Neutron Server on the controller node

.. code-block:: yaml

    neutron:
      server:
        enabled: true
        version: mitaka
        allow_pagination: true
        pagination_max_limit: 100
        bind:
          address: 172.20.0.1
          port: 9696
        database:
          engine: mysql
          host: 127.0.0.1
          port: 3306
          name: neutron
          user: neutron
          password: pwd
        identity:
          engine: keystone
          host: 127.0.0.1
          port: 35357
          user: neutron
          password: pwd
          tenant: service
          endpoint_type: internal
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        metadata:
          host: 127.0.0.1
          port: 8775
          password: pass
        audit:
          enabled: false

Note: Pagination is useful when retrieving a large number of resources,
because a single request may fail (timeout). It is enabled with both
parameters *allow_pagination* and *pagination_max_limit*, as shown above.


Configuration of policy.json file

.. code-block:: yaml

    neutron:
      server:
        ....
        policy:
          create_subnet: 'rule:admin_or_network_owner'
          'get_network:queue_id': 'rule:admin_only'
          # Add key without value to remove line from policy.json
          'create_network:shared':

Neutron LBaaSv2 enablement
--------------------------

.. code-block:: yaml

    neutron:
      server:
        lbaas:
          enabled: true
          providers:
            octavia:
              engine: octavia
              driver_path: 'neutron_lbaas.drivers.octavia.driver.OctaviaDriver'
              base_url: 'http://127.0.0.1:9876'
            avi_adc:
              engine: avinetworks
              driver_path: 'avi_lbaasv2.avi_driver.AviDriver'
              controller_address: 10.182.129.239
              controller_user: admin
              controller_password: Cloudlab2016
              controller_cloud_name: Default-Cloud
            avi_adc2:
              engine: avinetworks
              ...

Note: If the Contrail backend is set, the OpenContrail load balancer is enabled
automatically. In this case LBaaS should be disabled in the pillar:

.. code-block:: yaml

    neutron:
      server:
        lbaas:
          enabled: false


Neutron FWaaSv1 enablement
--------------------------

.. code-block:: yaml

    neutron:
      fwaas:
        enabled: true
        version: ocata
        api_version: v1


Enable CORS parameters
----------------------

.. code-block:: yaml

    neutron:
      server:
        cors:
          allowed_origin: https:localhost.local,http:localhost.local
          expose_headers: X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token
          allow_methods: GET,PUT,POST,DELETE,PATCH
          allow_headers: X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token
          allow_credentials: True
          max_age: 86400


Neutron VXLAN tenant networks with Network nodes
------------------------------------------------

With DVR for East-West and Network node for North-South.

This use case describes a model utilising VxLAN overlay with DVR. The DVR
routers will only be utilized for traffic that is routed within the cloud
infrastructure and that remains encapsulated. External traffic will be
routed via the network nodes.

The intention is that each tenant will require at least two (2) vrouters
one to be utilised

Neutron Server

.. code-block:: yaml

    neutron:
      server:
        version: mitaka
        bind:
          address: 172.20.0.1
          port: 9696
        database:
          engine: mysql
          host: 127.0.0.1
          port: 3306
          name: neutron
          user: neutron
          password: pwd
        identity:
          engine: keystone
          host: 127.0.0.1
          port: 35357
          user: neutron
          password: pwd
          tenant: service
          endpoint_type: internal
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        global_physnet_mtu: 9000
        l3_ha: False # Which type of router will be created by default
        dvr: True # disabled for non DVR use case
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          external_mtu: 9000
          mechanism:
            ovs:
              driver: openvswitch

Network Node

.. code-block:: yaml

    neutron:
      gateway:
        enabled: True
        version: mitaka
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        local_ip: 192.168.20.20 # br-mesh ip address
        dvr: True # disabled for non DVR use case
        agent_mode: dvr_snat
        metadata:
          host: 127.0.0.1
          password: pass
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          mechanism:
            ovs:
              driver: openvswitch

Compute Node

.. code-block:: yaml

    neutron:
      compute:
        enabled: True
        version: mitaka
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        local_ip: 192.168.20.20 # br-mesh ip address
        dvr: True # disabled for non DVR use case
        agent_mode: dvr
        external_access: false # Compute node with DVR for east-west only, Network Node has True as default
        metadata:
          host: 127.0.0.1
          password: pass
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          mechanism:
            ovs:
              driver: openvswitch
        audit:
          enabled: false


Neutron VXLAN tenant networks with Network Nodes (non DVR)
----------------------------------------------------------

This section describes a network solution that utilises VxLAN overlay
networks without DVR, with all routers being managed on the network nodes.

Neutron Server

.. code-block:: yaml

    neutron:
      server:
        version: mitaka
        bind:
          address: 172.20.0.1
          port: 9696
        database:
          engine: mysql
          host: 127.0.0.1
          port: 3306
          name: neutron
          user: neutron
          password: pwd
        identity:
          engine: keystone
          host: 127.0.0.1
          port: 35357
          user: neutron
          password: pwd
          tenant: service
          endpoint_type: internal
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        global_physnet_mtu: 9000
        l3_ha: True
        dvr: False
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          external_mtu: 9000
          mechanism:
            ovs:
              driver: openvswitch

Network Node

.. code-block:: yaml

    neutron:
      gateway:
        enabled: True
        version: mitaka
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        local_ip: 192.168.20.20 # br-mesh ip address
        dvr: False
        agent_mode: legacy
        availability_zone: az1
        metadata:
          host: 127.0.0.1
          password: pass
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          mechanism:
            ovs:
              driver: openvswitch

Compute Node

.. code-block:: yaml

    neutron:
      compute:
        enabled: True
        version: mitaka
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        local_ip: 192.168.20.20 # br-mesh ip address
        external_access: False
        dvr: False
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          mechanism:
            ovs:
              driver: openvswitch

Neutron VXLAN tenant networks with Network Nodes with DVR
---------------------------------------------------------

With DVR for East-West and North-South, DVR everywhere, Network node for SNAT.

This section describes a network solution that utilises VxLAN
overlay networks with DVR for both North-South and East-West traffic. The
Network Node is used only for SNAT.

Neutron Server

.. code-block:: yaml

    neutron:
      server:
        version: mitaka
        bind:
          address: 172.20.0.1
          port: 9696
        database:
          engine: mysql
          host: 127.0.0.1
          port: 3306
          name: neutron
          user: neutron
          password: pwd
        identity:
          engine: keystone
          host: 127.0.0.1
          port: 35357
          user: neutron
          password: pwd
          tenant: service
          endpoint_type: internal
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        global_physnet_mtu: 9000
        l3_ha: False
        dvr: True
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          external_mtu: 9000
          mechanism:
            ovs:
              driver: openvswitch

Network Node

.. code-block:: yaml

    neutron:
      gateway:
        enabled: True
        version: mitaka
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        local_ip: 192.168.20.20 # br-mesh ip address
        dvr: True
        agent_mode: dvr_snat
        availability_zone: az1
        metadata:
          host: 127.0.0.1
          password: pass
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          mechanism:
            ovs:
              driver: openvswitch

Compute Node

.. code-block:: yaml

    neutron:
      compute:
        enabled: True
        version: mitaka
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        local_ip: 192.168.20.20 # br-mesh ip address
        dvr: True
        external_access: True
        agent_mode: dvr
        availability_zone: az1
        metadata:
          host: 127.0.0.1
          password: pass
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          mechanism:
            ovs:
              driver: openvswitch

Sample Linux network configuration for DVR

.. code-block:: yaml

    linux:
      network:
        bridge: openvswitch
        interface:
          eth1:
            enabled: true
            type: eth
            mtu: 9000
            proto: manual
          eth2:
            enabled: true
            type: eth
            mtu: 9000
            proto: manual
          eth3:
            enabled: true
            type: eth
            mtu: 9000
            proto: manual
          br-int:
            enabled: true
            mtu: 9000
            type: ovs_bridge
          br-floating:
            enabled: true
            mtu: 9000
            type: ovs_bridge
          float-to-ex:
            enabled: true
            type: ovs_port
            mtu: 65000
            bridge: br-floating
          br-mgmt:
            enabled: true
            type: bridge
            mtu: 9000
            address: ${_param:single_address}
            netmask: 255.255.255.0
            use_interfaces:
            - eth1
          br-mesh:
            enabled: true
            type: bridge
            mtu: 9000
            address: ${_param:tenant_address}
            netmask: 255.255.255.0
            use_interfaces:
            - eth2
          br-ex:
            enabled: true
            type: bridge
            mtu: 9000
            address: ${_param:external_address}
            netmask: 255.255.255.0
            use_interfaces:
            - eth3
            use_ovs_ports:
            - float-to-ex

Additional VXLAN tenant network settings
----------------------------------------

The default multicast group of 224.0.0.1 only multicasts to a single subnet.
Override it to allow larger underlay network topologies.

Neutron Server

.. code-block:: yaml

    neutron:
      server:
        vxlan:
          group: 239.0.0.0/8
          vni_ranges: "2:65535"

Neutron VLAN tenant networks with Network Nodes
-----------------------------------------------

VLAN tenant provider

Neutron Server only

.. code-block:: yaml

    neutron:
      server:
        version: mitaka
        ...
        global_physnet_mtu: 9000
        l3_ha: False
        dvr: True
        backend:
          engine: ml2
          tenant_network_types: "flat,vlan" # Can be mixed flat,vlan,vxlan
          tenant_vlan_range: "1000:2000"
          external_vlan_range: "100:200" # Does not have to be defined.
          external_mtu: 9000
          mechanism:
            ovs:
              driver: openvswitch

Compute node

.. code-block:: yaml

    neutron:
      compute:
        version: mitaka
        ...
        dvr: True
        agent_mode: dvr
        external_access: False
        backend:
          engine: ml2
          tenant_network_types: "flat,vlan" # Can be mixed flat,vlan,vxlan
          mechanism:
            ovs:
              driver: openvswitch

Advanced Neutron Features (DPDK, SR-IOV)
----------------------------------------

Neutron OVS DPDK

Enable datapath netdev for neutron openvswitch agent

.. code-block:: yaml

    neutron:
      server:
        version: mitaka
        ...
        dpdk: True
        ...

    neutron:
      compute:
        version: mitaka
        dpdk: True
        backend:
          engine: ml2
          ...
          mechanism:
            ovs:
              driver: openvswitch

Neutron OVS SR-IOV

.. code-block:: yaml

    neutron:
      server:
        version: mitaka
        backend:
          engine: ml2
          ...
          mechanism:
            ovs:
              driver: openvswitch
            sriov:
              driver: sriovnicswitch

    neutron:
      compute:
        version: mitaka
        ...
        backend:
          engine: ml2
          tenant_network_types: "flat,vlan" # Can be mixed flat,vlan,vxlan
          sriov:
            nic_one:
              devname: eth1
              physical_network: physnet3
          mechanism:
            ovs:
              driver: openvswitch

Neutron with VLAN-aware-VMs
---------------------------

.. code-block:: yaml

    neutron:
      server:
        vlan_aware_vms: true
      ....
      compute:
        vlan_aware_vms: true
      ....
      gateway:
        vlan_aware_vms: true

Neutron with OVN
----------------

Control node:

.. code-block:: yaml

    neutron:
      server:
        backend:
          engine: ovn
          mechanism:
            ovn:
              driver: ovn
          tenant_network_types: "geneve,flat"

Compute node:

.. code-block:: yaml

    neutron:
      compute:
        local_ip: 10.2.0.105
        controller_vip: 10.1.0.101
        external_access: false
        backend:
          engine: ovn

Neutron Server
--------------

Neutron Server with OpenContrail

.. code-block:: yaml

    neutron:
      server:
        backend:
          engine: contrail
          host: contrail_discovery_host
          port: 8082
          user: admin
          password: password
          tenant: admin
          token: token

Neutron Server with Midonet

.. code-block:: yaml

    neutron:
      server:
        backend:
          engine: midonet
          host: midonet_api_host
          port: 8181
          user: admin
          password: password

Neutron Keystone region

.. code-block:: yaml

    neutron:
      server:
        enabled: true
        version: kilo
        ...
        identity:
          region: RegionTwo
        ...
        compute:
          region: RegionTwo
        ...

Client-side RabbitMQ HA setup

.. code-block:: yaml

    neutron:
      server:
        ....
        message_queue:
          engine: rabbitmq
          members:
            - host: 10.0.16.1
            - host: 10.0.16.2
            - host: 10.0.16.3
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        ....

Client-side RabbitMQ TLS configuration:

|

To enable TLS for oslo.messaging you need to provide the CA certificate.

By default, the system-wide CA certs are used. Nothing should be specified except `ssl.enabled`.

.. code-block:: yaml

    neutron:
      server, gateway, compute:
        ....
        message_queue:
          ssl:
            enabled: True

Use the `cacert_file` option to specify the CA-cert file path explicitly:

.. code-block:: yaml

    neutron:
      server, gateway, compute:
        ....
        message_queue:
          ssl:
            enabled: True
            cacert_file: /etc/ssl/rabbitmq-ca.pem

To manage the content of the `cacert_file`, use the `cacert` option:

.. code-block:: yaml

    neutron:
      server, gateway, compute:
        ....
        message_queue:
          ssl:
            enabled: True
            cacert: |
              -----BEGIN CERTIFICATE-----
              ...
              -----END CERTIFICATE-----
            cacert_file: /etc/openstack/rabbitmq-ca.pem

Notice:
 * The `message_queue.port` is set to **5671** (AMQPS) by default if `ssl.enabled=True`.
 * Use `message_queue.ssl.version` if you need to specify the protocol version. The default is TLSv1 for Python < 2.7.9 and TLSv1_2 for versions above.


Enable auditing filter, i.e. CADF

.. code-block:: yaml

    neutron:
      server:
        audit:
          enabled: true
          ....
          filter_factory: 'keystonemiddleware.audit:filter_factory'
          map_file: '/etc/pycadf/neutron_api_audit_map.conf'
      ....
      compute:
        audit:
          enabled: true
          ....
          filter_factory: 'keystonemiddleware.audit:filter_factory'
          map_file: '/etc/pycadf/neutron_api_audit_map.conf'
      ....

Neutron with security groups disabled

.. code-block:: yaml

    neutron:
      server:
        security_groups_enabled: False
      ....
      compute:
        security_groups_enabled: False
      ....
      gateway:
        security_groups_enabled: False


Neutron Client
--------------

Neutron networks

.. code-block:: yaml

    neutron:
      client:
        enabled: true
        server:
          identity:
            endpoint_type: internalURL
            network:
              inet1:
                tenant: demo
                shared: False
                admin_state_up: True
                router_external: True
                provider_physical_network: inet
                provider_network_type: flat
                provider_segmentation_id: 2
                subnet:
                  inet1-subnet1:
                    cidr: 192.168.90.0/24
                    enable_dhcp: False
              inet2:
                tenant: admin
                shared: False
                router_external: True
                provider_network_type: "vlan"
                subnet:
                  inet2-subnet1:
                    cidr: 192.168.92.0/24
                    enable_dhcp: False
                  inet2-subnet2:
                    cidr: 192.168.94.0/24
                    enable_dhcp: True
          identity1:
            network:
              ...

Neutron routers

.. code-block:: yaml

    neutron:
      client:
        enabled: true
        server:
          identity:
            endpoint_type: internalURL
            router:
              inet1-router:
                tenant: demo
                admin_state_up: True
                gateway_network: inet
                interfaces:
                  - inet1-subnet1
                  - inet1-subnet2
          identity1:
            router:
              ...

    TODO: implement adding new interfaces to a router while updating it


Neutron security groups

.. code-block:: yaml

    neutron:
      client:
        enabled: true
        server:
          identity:
            endpoint_type: internalURL
            security_group:
              security_group1:
                tenant: demo
                description: security group 1
                rules:
                  - direction: ingress
                    ethertype: IPv4
                    protocol: TCP
                    port_range_min: 1
                    port_range_max: 65535
                    remote_ip_prefix: 0.0.0.0/0
                  - direction: ingress
                    ethertype: IPv4
                    protocol: UDP
                    port_range_min: 1
                    port_range_max: 65535
                    remote_ip_prefix: 0.0.0.0/0
                  - direction: ingress
                    protocol: ICMP
                    remote_ip_prefix: 0.0.0.0/0
          identity1:
            security_group:
              ...

    TODO: implement updating existing security rules (now it adds new rule if trying to update existing one)

Jiri Broulikde2e2902017-02-13 15:03:47 +0100952
953Floating IP addresses
954
955.. code-block:: yaml
956
957 neutron:
958 client:
959 enabled: true
960 server:
961 identity:
Richard Felklaac256a2017-03-23 15:43:49 +0100962 endpoint_type: internalURL
Jiri Broulikde2e2902017-02-13 15:03:47 +0100963 floating_ip:
964 prx01-instance:
965 server: prx01.mk22-lab-basic.local
966 subnet: private-subnet1
967 network: public-net1
968 tenant: demo
969 gtw01-instance:
970 ...
971
972.. note:: The network must have flag router:external set to True.
973 Instance port in the stated subnet will be associated with the dynamically generated floating IP.
974
975
Oleg Iurchenkode71cc22017-09-18 17:58:56 +0300976
Enable Neutron extensions (QoS, DNS, etc.)
------------------------------------------

.. code-block:: yaml

    neutron:
      server:
        backend:
          extension:
            dns:
              enabled: True
              host: 127.0.0.1
              port: 9001
              protocol: http
              ....
            qos:
              enabled: True


Documentation and Bugs
======================

To learn how to install and update salt-formulas, consult the documentation
available online at:

    http://salt-formulas.readthedocs.io/

In the unfortunate event that bugs are discovered, they should be reported to
the appropriate issue tracker. Use the GitHub issue tracker for the specific
salt formula:

    https://github.com/salt-formulas/salt-formula-neutron/issues

For feature requests, bug reports or blueprints affecting the entire ecosystem,
use the Launchpad salt-formulas project:

    https://launchpad.net/salt-formulas

You can also join the salt-formulas-users team and subscribe to the mailing list:

    https://launchpad.net/~salt-formulas-users

Developers wishing to work on the salt-formulas projects should always base
their work on the master branch and submit pull requests against the specific
formula.

    https://github.com/salt-formulas/salt-formula-neutron

Any questions or feedback are always welcome, so feel free to join our IRC
channel:

    #salt-formulas @ irc.freenode.net