OlgaGusarenko838c9fd2018-07-31 00:22:44 +03001=====
2Usage
3=====
Filip Pytlouncd028e42015-10-06 16:28:32 +02004
OlgaGusarenko838c9fd2018-07-31 00:22:44 +03005Neutron is an OpenStack project to provide *networking as a service* between
interface devices (e.g., vNICs) managed by other OpenStack services (e.g.,
7nova).
Filip Pytlouncd028e42015-10-06 16:28:32 +02008
OlgaGusarenko838c9fd2018-07-31 00:22:44 +03009Starting with the Folsom release, Neutron is a core and supported part of the
10OpenStack platform (for Essex, we were an *incubated* project, which means use
Vasyl Saienko2fffc842017-06-14 10:35:26 +030011is suggested only for those who really know what they're doing with Neutron).
Filip Pytlouncd028e42015-10-06 16:28:32 +020012
Aleš Komárek41e82312017-04-11 13:37:44 +020013Sample Pillars
Filip Pytlouncd028e42015-10-06 16:28:32 +020014==============
15
16Neutron Server on the controller node
17
18.. code-block:: yaml
19
# Sample pillar for neutron-server on the controller node.
# All passwords below are placeholders; real deployments should inject them
# from a secret source rather than committing them to the pillar.
neutron:
  server:
    enabled: true
    version: mitaka
    allow_pagination: true
    pagination_max_limit: 100
    api_workers: 2
    rpc_workers: 2
    rpc_state_report_workers: 2
    root_helper_daemon: false
    dhcp_lease_duration: 600
    firewall_driver: iptables_hybrid
    agent_boot_time: 180
    agent_down_time: 30
    dhcp_agents_per_network: 2
    allow_automatic_dhcp_failover: true
    host: myhostname.example.com
    bind:
      address: 172.20.0.1
      port: 9696
    database:
      engine: mysql
      host: 127.0.0.1
      port: 3306
      name: neutron
      user: neutron
      password: pwd
    identity:
      engine: keystone
      host: 127.0.0.1
      port: 35357
      user: neutron
      password: pwd
      tenant: service
      endpoint_type: internal
    message_queue:
      engine: rabbitmq
      host: 127.0.0.1
      port: 5672
      user: openstack
      password: pwd
      virtual_host: '/openstack'
      rpc_conn_pool_size: 30
      rpc_thread_pool_size: 100
      rpc_response_timeout: 120
    metadata:
      host: 127.0.0.1
      port: 8775
      # NOTE(review): 'insecure' appears to skip TLS certificate verification
      # for the https connection to the metadata endpoint — confirm against the
      # formula; keep it false outside lab setups.
      insecure: true
      proto: https
      password: pass
      workers: 2
    audit:
      enabled: false
Filip Pytlouncd028e42015-10-06 16:28:32 +020074
.. note:: Pagination is useful for retrieving a large number of resources,
   because a single request may fail (timeout). It is enabled with both
   parameters *allow_pagination* and *pagination_max_limit* as shown above.
Swann Croiset9407daf2017-02-02 15:27:56 +010078
OlgaGusarenko838c9fd2018-07-31 00:22:44 +030079Configuration of policy.json file:
Dmitry Ukov596ddcf2017-05-04 18:16:16 +040080
81.. code-block:: yaml
82
83 neutron:
84 server:
85 ....
86 policy:
87 create_subnet: 'rule:admin_or_network_owner'
88 'get_network:queue_id': 'rule:admin_only'
89 # Add key without value to remove line from policy.json
90 'create_network:shared':
91
Elena Ezhovacd67cfe2017-06-16 23:35:07 +040092Neutron LBaaSv2 enablement
93--------------------------
Ondrej Smola314eee22017-03-08 21:21:16 +010094
95.. code-block:: yaml
96
97 neutron:
98 server:
99 lbaas:
100 enabled: true
101 providers:
Elena Ezhovacd67cfe2017-06-16 23:35:07 +0400102 octavia:
103 engine: octavia
104 driver_path: 'neutron_lbaas.drivers.octavia.driver.OctaviaDriver'
105 base_url: 'http://127.0.0.1:9876'
Ondrej Smola314eee22017-03-08 21:21:16 +0100106 avi_adc:
Ondrej Smola314eee22017-03-08 21:21:16 +0100107 engine: avinetworks
Elena Ezhovacd67cfe2017-06-16 23:35:07 +0400108 driver_path: 'avi_lbaasv2.avi_driver.AviDriver'
Ondrej Smola314eee22017-03-08 21:21:16 +0100109 controller_address: 10.182.129.239
110 controller_user: admin
111 controller_password: Cloudlab2016
112 controller_cloud_name: Default-Cloud
113 avi_adc2:
114 engine: avinetworks
115 ...
116
.. note:: If the Contrail backend is set, the OpenContrail load balancer
   will be enabled automatically. In this case LBaaS should be disabled
   in the pillar:
Ondrej Smola314eee22017-03-08 21:21:16 +0100120
OlgaGusarenko838c9fd2018-07-31 00:22:44 +0300121 .. code-block:: yaml
Ondrej Smola314eee22017-03-08 21:21:16 +0100122
OlgaGusarenko838c9fd2018-07-31 00:22:44 +0300123 neutron:
124 server:
125 lbaas:
126 enabled: false
Elena Ezhova166d4012017-08-17 12:53:52 +0400127
128Neutron FWaaSv1 enablement
129--------------------------
130
131.. code-block:: yaml
132
133 neutron:
134 fwaas:
135 enabled: true
136 version: ocata
137 api_version: v1
138
139
Ondrej Smola12ff8192017-04-28 12:39:11 +0200140Enable CORS parameters
Elena Ezhova166d4012017-08-17 12:53:52 +0400141----------------------
Ondrej Smola12ff8192017-04-28 12:39:11 +0200142
143.. code-block:: yaml
144
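neutron:
  server:
    cors:
      # Comma-separated list of full origins, each as scheme://host[:port].
      allowed_origin: 'https://localhost.local,http://localhost.local'
      expose_headers: X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token
      allow_methods: GET,PUT,POST,DELETE,PATCH
      allow_headers: X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token
      # Credentialed CORS requires the explicit origin list above; browsers
      # refuse credentialed responses that carry a wildcard origin.
      allow_credentials: True
      max_age: 86400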
154
Aleš Komárek41e82312017-04-11 13:37:44 +0200155Neutron VXLAN tenant networks with Network nodes
156------------------------------------------------
Swann Croiset9407daf2017-02-02 15:27:56 +0100157
Aleš Komárek41e82312017-04-11 13:37:44 +0200158With DVR for East-West and Network node for North-South.
Jiri Broulik74f61112016-11-21 20:23:47 +0100159
This use case describes a model utilising VxLAN overlay with DVR. The DVR
routers will only be utilized for traffic that is routed within the cloud
infrastructure and that remains encapsulated. External traffic will be
routed via the network nodes.
Jiri Broulik74f61112016-11-21 20:23:47 +0100164
Vasyl Saienko2fffc842017-06-14 10:35:26 +0300165The intention is that each tenant will require at least two (2) vrouters
166one to be utilised
Jiri Broulik74f61112016-11-21 20:23:47 +0100167
OlgaGusarenko838c9fd2018-07-31 00:22:44 +0300168Neutron Server:
marcoa4428a32016-06-10 11:50:16 +0200169
170.. code-block:: yaml
171
172 neutron:
173 server:
Jiri Broulik74f61112016-11-21 20:23:47 +0100174 version: mitaka
Dmitry Stremkouski3c1be3e2017-11-18 11:04:20 +0300175 path_mtu: 1500
Jiri Broulik74f61112016-11-21 20:23:47 +0100176 bind:
177 address: 172.20.0.1
178 port: 9696
179 database:
180 engine: mysql
181 host: 127.0.0.1
182 port: 3306
183 name: neutron
184 user: neutron
185 password: pwd
186 identity:
187 engine: keystone
188 host: 127.0.0.1
189 port: 35357
190 user: neutron
191 password: pwd
192 tenant: service
Dennis Dmitriev37114722017-03-06 16:52:26 +0200193 endpoint_type: internal
Jiri Broulik74f61112016-11-21 20:23:47 +0100194 message_queue:
195 engine: rabbitmq
196 host: 127.0.0.1
197 port: 5672
198 user: openstack
199 password: pwd
200 virtual_host: '/openstack'
201 global_physnet_mtu: 9000
202 l3_ha: False # Which type of router will be created by default
203 dvr: True # disabled for non DVR use case
204 backend:
205 engine: ml2
206 tenant_network_types: "flat,vxlan"
207 external_mtu: 9000
208 mechanism:
Elena Ezhovad6a080c2017-10-09 15:25:16 +0400209 ovs:
210 driver: openvswitch
Jiri Broulik74f61112016-11-21 20:23:47 +0100211
OlgaGusarenko838c9fd2018-07-31 00:22:44 +0300212Network Node:
Jiri Broulik74f61112016-11-21 20:23:47 +0100213
214.. code-block:: yaml
215
216 neutron:
217 gateway:
218 enabled: True
219 version: mitaka
William Konitzer81a89982019-01-07 12:49:15 -0600220 report_interval: 10
Michael Polenchuk2151b272018-06-19 18:32:31 +0400221 dhcp_lease_duration: 600
Michael Polenchukcece76d2018-06-21 14:56:17 +0400222 firewall_driver: iptables_hybrid
Dzmitry Stremkouskib6dd3712019-10-21 20:56:55 +0200223 host: gtw01.example.com
Jiri Broulik74f61112016-11-21 20:23:47 +0100224 message_queue:
225 engine: rabbitmq
226 host: 127.0.0.1
227 port: 5672
228 user: openstack
229 password: pwd
230 virtual_host: '/openstack'
William Konitzer81a89982019-01-07 12:49:15 -0600231 rpc_conn_pool_size: 300
232 rpc_thread_pool_size: 2048
233 rpc_response_timeout: 3600
Jiri Broulik74f61112016-11-21 20:23:47 +0100234 local_ip: 192.168.20.20 # br-mesh ip address
235 dvr: True # disabled for non DVR use case
236 agent_mode: dvr_snat
237 metadata:
238 host: 127.0.0.1
239 password: pass
240 backend:
241 engine: ml2
242 tenant_network_types: "flat,vxlan"
243 mechanism:
Elena Ezhovad6a080c2017-10-09 15:25:16 +0400244 ovs:
245 driver: openvswitch
Vasyl Saienko4bd2d922018-07-27 09:56:38 +0000246 agents:
247 dhcp:
248 ovs_use_veth: False
Jiri Broulik74f61112016-11-21 20:23:47 +0100249
OlgaGusarenko838c9fd2018-07-31 00:22:44 +0300250Compute Node:
Jiri Broulik74f61112016-11-21 20:23:47 +0100251
252.. code-block:: yaml
253
254 neutron:
255 compute:
256 enabled: True
257 version: mitaka
Dzmitry Stremkouskib6dd3712019-10-21 20:56:55 +0200258 host: cmp001.example.com
Jiri Broulik74f61112016-11-21 20:23:47 +0100259 message_queue:
260 engine: rabbitmq
261 host: 127.0.0.1
262 port: 5672
263 user: openstack
264 password: pwd
265 virtual_host: '/openstack'
William Konitzer81a89982019-01-07 12:49:15 -0600266 rpc_conn_pool_size: 300
267 rpc_thread_pool_size: 2048
268 rpc_response_timeout: 3600
Jiri Broulik74f61112016-11-21 20:23:47 +0100269 local_ip: 192.168.20.20 # br-mesh ip address
270 dvr: True # disabled for non DVR use case
271 agent_mode: dvr
William Konitzer81a89982019-01-07 12:49:15 -0600272 report_interval: 10
Jiri Broulik74f61112016-11-21 20:23:47 +0100273 external_access: false # Compute node with DVR for east-west only, Network Node has True as default
274 metadata:
275 host: 127.0.0.1
Vasyl Saienko2fffc842017-06-14 10:35:26 +0300276 password: pass
Jiri Broulik74f61112016-11-21 20:23:47 +0100277 backend:
278 engine: ml2
279 tenant_network_types: "flat,vxlan"
280 mechanism:
Elena Ezhovad6a080c2017-10-09 15:25:16 +0400281 ovs:
282 driver: openvswitch
Petr Michalec61f7ab22016-11-29 16:29:09 +0100283 audit:
284 enabled: false
Jiri Broulik74f61112016-11-21 20:23:47 +0100285
Aleš Komárek41e82312017-04-11 13:37:44 +0200286
Dzmitry Stremkouskid5e89e52018-09-25 10:01:54 +0200287Setting mac base address
288------------------------
289
By default Neutron uses fa:16:3f:00:00:00 as the base for MAC address generation.
One can set one's own MAC base for both DVR and non-DVR cases.
292
293NOTE: dvr_base_mac and base_mac SHOULD differ.
294
295.. code-block:: yaml
296
297 neutron:
298 server:
299 base_mac: fa:16:3f:00:00:00
300 dvr_base_mac: fa:16:3f:a0:00:00
301
302gateways:
303
304.. code-block:: yaml
305
306 neutron:
307 gateway:
308 base_mac: fa:16:3f:00:00:00
309 dvr_base_mac: fa:16:3f:a0:00:00
310
311compute nodes:
312
313.. code-block:: yaml
314
315 neutron:
316 compute:
317 base_mac: fa:16:3f:00:00:00
318 dvr_base_mac: fa:16:3f:a0:00:00
319
320
Dmitry Stremkouskia3a4ab42017-10-23 17:37:12 +0300321Disable physnet1 bridge
322-----------------------
323
By default we have external access turned on, so among the physnets in
your reclass there will be an additional one, physnet1, which is mapped to
br-floating.
327
If you need internal networks only, without this bridge, remove br-floating
and its configuration mappings. Disable the mappings for this bridge on
the neutron servers:
331
332.. code-block:: yaml
333
334 neutron:
335 server:
336 external_access: false
337
338gateways:
339
340.. code-block:: yaml
341
342 neutron:
343 gateway:
344 external_access: false
345
346compute nodes:
347
348.. code-block:: yaml
349
350 neutron:
351 compute:
352 external_access: false
353
354
Marcin Iwinskic50137a2018-01-22 14:18:24 +0100355Add additional bridge mappings for OVS bridges
356----------------------------------------------
357
By default we have external access turned on, so among the physnets in
your reclass there will be an additional one, physnet1, which is mapped to
br-floating.
361
362If you need to add extra non-default bridge mappings they can be defined
363separately for both gateways and compute nodes:
364
365gateways:
366
367.. code-block:: yaml
368
369 neutron:
370 gateway:
371 bridge_mappings:
372 physnet4: br-floating-internet
373
374compute nodes:
375
376.. code-block:: yaml
377
378 neutron:
379 compute:
380 bridge_mappings:
381 physnet4: br-floating-internet
382
383
Dmitry Stremkouski4b410222017-11-18 11:29:55 +0300384Specify different mtu values for different physnets
385---------------------------------------------------
386
OlgaGusarenko838c9fd2018-07-31 00:22:44 +0300387Neutron Server:
Dmitry Stremkouski4b410222017-11-18 11:29:55 +0300388
389.. code-block:: yaml
390
391 neutron:
392 server:
393 version: mitaka
394 backend:
395 external_mtu: 1500
396 tenant_net_mtu: 9000
397 ironic_net_mtu: 9000
398
Jiri Broulik74f61112016-11-21 20:23:47 +0100399Neutron VXLAN tenant networks with Network Nodes (non DVR)
Aleš Komárek41e82312017-04-11 13:37:44 +0200400----------------------------------------------------------
Jiri Broulik74f61112016-11-21 20:23:47 +0100401
This section describes a network solution that utilises VxLAN overlay
networks without DVR, with all routers being managed on the network nodes.
404
OlgaGusarenko838c9fd2018-07-31 00:22:44 +0300405Neutron Server:
Jiri Broulik74f61112016-11-21 20:23:47 +0100406
407.. code-block:: yaml
408
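# Neutron server pillar for the non-DVR VXLAN case. Passwords are
# placeholders; inject real credentials from a secret source.
neutron:
  server:
    version: mitaka
    bind:
      address: 172.20.0.1
      port: 9696
    database:
      engine: mysql
      host: 127.0.0.1
      port: 3306
      name: neutron
      user: neutron
      password: pwd
    identity:
      engine: keystone
      host: 127.0.0.1
      port: 35357
      user: neutron
      password: pwd
      tenant: service
      endpoint_type: internal
    message_queue:
      engine: rabbitmq
      host: 127.0.0.1
      port: 5672
      user: openstack
      password: pwd
      virtual_host: '/openstack'
    global_physnet_mtu: 9000
    l3_ha: True
    dvr: False
    backend:
      engine: ml2
      # Comma-separated ML2 tenant network types; a ':' separator is required
      # for this key to be parsed as part of the mapping.
      tenant_network_types: "flat,vxlan"
      external_mtu: 9000
      mechanism:
        ovs:
          driver: openvswitch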
Jiri Broulik74f61112016-11-21 20:23:47 +0100447
OlgaGusarenko838c9fd2018-07-31 00:22:44 +0300448Network Node:
Jiri Broulik74f61112016-11-21 20:23:47 +0100449
450.. code-block:: yaml
451
452 neutron:
453 gateway:
454 enabled: True
455 version: mitaka
456 message_queue:
457 engine: rabbitmq
458 host: 127.0.0.1
459 port: 5672
460 user: openstack
461 password: pwd
462 virtual_host: '/openstack'
463 local_ip: 192.168.20.20 # br-mesh ip address
464 dvr: False
465 agent_mode: legacy
Simon Pasquierc03af112017-04-10 10:35:14 +0200466 availability_zone: az1
Jiri Broulik74f61112016-11-21 20:23:47 +0100467 metadata:
468 host: 127.0.0.1
469 password: pass
470 backend:
471 engine: ml2
472 tenant_network_types: "flat,vxlan"
473 mechanism:
Elena Ezhovad6a080c2017-10-09 15:25:16 +0400474 ovs:
475 driver: openvswitch
Jiri Broulik74f61112016-11-21 20:23:47 +0100476
OlgaGusarenko838c9fd2018-07-31 00:22:44 +0300477Compute Node:
Jiri Broulik74f61112016-11-21 20:23:47 +0100478
479.. code-block:: yaml
480
481 neutron:
482 compute:
483 enabled: True
484 version: mitaka
485 message_queue:
486 engine: rabbitmq
487 host: 127.0.0.1
488 port: 5672
489 user: openstack
490 password: pwd
491 virtual_host: '/openstack'
492 local_ip: 192.168.20.20 # br-mesh ip address
493 external_access: False
Vasyl Saienko2fffc842017-06-14 10:35:26 +0300494 dvr: False
Jiri Broulik74f61112016-11-21 20:23:47 +0100495 backend:
496 engine: ml2
497 tenant_network_types: "flat,vxlan"
498 mechanism:
Elena Ezhovad6a080c2017-10-09 15:25:16 +0400499 ovs:
500 driver: openvswitch
Jiri Broulik74f61112016-11-21 20:23:47 +0100501
Aleš Komárek41e82312017-04-11 13:37:44 +0200502Neutron VXLAN tenant networks with Network Nodes with DVR
503---------------------------------------------------------
504
OlgaGusarenko838c9fd2018-07-31 00:22:44 +0300505With DVR for East-West and North-South, DVR everywhere, Network
506node for SNAT.
Jiri Broulik74f61112016-11-21 20:23:47 +0100507
Vasyl Saienko2fffc842017-06-14 10:35:26 +0300508This section describes a network solution that utilises VxLAN
509overlay networks with DVR with North-South and East-West. Network
Jiri Broulik74f61112016-11-21 20:23:47 +0100510Node is used only for SNAT.
511
OlgaGusarenko838c9fd2018-07-31 00:22:44 +0300512Neutron Server:
Jiri Broulik74f61112016-11-21 20:23:47 +0100513
514.. code-block:: yaml
515
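# Neutron server pillar for the DVR VXLAN case. Passwords are
# placeholders; inject real credentials from a secret source.
neutron:
  server:
    version: mitaka
    bind:
      address: 172.20.0.1
      port: 9696
    concurrency:
      lock_path: '/var/lib/neutron/lock'
    database:
      engine: mysql
      host: 127.0.0.1
      port: 3306
      name: neutron
      user: neutron
      password: pwd
    identity:
      engine: keystone
      host: 127.0.0.1
      port: 35357
      user: neutron
      password: pwd
      tenant: service
      endpoint_type: internal
    message_queue:
      engine: rabbitmq
      host: 127.0.0.1
      port: 5672
      user: openstack
      password: pwd
      virtual_host: '/openstack'
    global_physnet_mtu: 9000
    l3_ha: False
    dvr: True
    backend:
      engine: ml2
      # Comma-separated ML2 tenant network types; a ':' separator is required
      # for this key to be parsed as part of the mapping.
      tenant_network_types: "flat,vxlan"
      external_mtu: 9000
      mechanism:
        ovs:
          driver: openvswitch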
Jiri Broulik74f61112016-11-21 20:23:47 +0100556
Configuring the networking-generic-switch ML2 plugin used for
bare-metal integration:
559
560.. code-block:: yaml
561
562 neutron:
563 server:
564 backend:
565 mechanism:
566 ngs:
567 driver: genericswitch
568 n_g_s:
569 enabled: true
570 coordination:
571 enabled: true
572 backend_url: "etcd3+http://1.2.3.4:2379"
573 devices:
574 s1brbm:
575 options:
576 device_type:
577 value: netmiko_ovs_linux
578 ip:
579 value: 1.2.3.4
580 username:
581 value: ngs_ovs_manager
582 password:
583 value: password
584
OlgaGusarenko838c9fd2018-07-31 00:22:44 +0300585Network Node:
Jiri Broulik74f61112016-11-21 20:23:47 +0100586
587.. code-block:: yaml
588
589 neutron:
590 gateway:
591 enabled: True
592 version: mitaka
593 message_queue:
594 engine: rabbitmq
595 host: 127.0.0.1
596 port: 5672
597 user: openstack
598 password: pwd
599 virtual_host: '/openstack'
600 local_ip: 192.168.20.20 # br-mesh ip address
601 dvr: True
602 agent_mode: dvr_snat
Simon Pasquierc03af112017-04-10 10:35:14 +0200603 availability_zone: az1
Jiri Broulik74f61112016-11-21 20:23:47 +0100604 metadata:
605 host: 127.0.0.1
606 password: pass
607 backend:
608 engine: ml2
609 tenant_network_types: "flat,vxlan"
610 mechanism:
Elena Ezhovad6a080c2017-10-09 15:25:16 +0400611 ovs:
612 driver: openvswitch
Jiri Broulik74f61112016-11-21 20:23:47 +0100613
OlgaGusarenko838c9fd2018-07-31 00:22:44 +0300614Compute Node:
Jiri Broulik74f61112016-11-21 20:23:47 +0100615
616.. code-block:: yaml
617
618 neutron:
619 compute:
620 enabled: True
621 version: mitaka
622 message_queue:
623 engine: rabbitmq
624 host: 127.0.0.1
625 port: 5672
626 user: openstack
627 password: pwd
628 virtual_host: '/openstack'
629 local_ip: 192.168.20.20 # br-mesh ip address
630 dvr: True
Vasyl Saienko2fffc842017-06-14 10:35:26 +0300631 external_access: True
Jiri Broulik74f61112016-11-21 20:23:47 +0100632 agent_mode: dvr
Simon Pasquierc03af112017-04-10 10:35:14 +0200633 availability_zone: az1
Jiri Broulik74f61112016-11-21 20:23:47 +0100634 metadata:
635 host: 127.0.0.1
636 password: pass
637 backend:
638 engine: ml2
639 tenant_network_types: "flat,vxlan"
640 mechanism:
Elena Ezhovad6a080c2017-10-09 15:25:16 +0400641 ovs:
642 driver: openvswitch
Jiri Broulik74f61112016-11-21 20:23:47 +0100643
OlgaGusarenko838c9fd2018-07-31 00:22:44 +0300644Sample Linux network configuration for DVR:
Jiri Broulik74f61112016-11-21 20:23:47 +0100645
646.. code-block:: yaml
647
648 linux:
649 network:
650 bridge: openvswitch
651 interface:
652 eth1:
653 enabled: true
654 type: eth
655 mtu: 9000
656 proto: manual
657 eth2:
658 enabled: true
659 type: eth
660 mtu: 9000
661 proto: manual
662 eth3:
663 enabled: true
664 type: eth
665 mtu: 9000
666 proto: manual
667 br-int:
668 enabled: true
669 mtu: 9000
670 type: ovs_bridge
671 br-floating:
672 enabled: true
673 mtu: 9000
674 type: ovs_bridge
675 float-to-ex:
676 enabled: true
677 type: ovs_port
678 mtu: 65000
679 bridge: br-floating
680 br-mgmt:
681 enabled: true
682 type: bridge
683 mtu: 9000
684 address: ${_param:single_address}
685 netmask: 255.255.255.0
686 use_interfaces:
687 - eth1
688 br-mesh:
689 enabled: true
690 type: bridge
691 mtu: 9000
692 address: ${_param:tenant_address}
693 netmask: 255.255.255.0
694 use_interfaces:
695 - eth2
696 br-ex:
697 enabled: true
698 type: bridge
699 mtu: 9000
700 address: ${_param:external_address}
701 netmask: 255.255.255.0
702 use_interfaces:
703 - eth3
704 use_ovs_ports:
705 - float-to-ex
706
Additional VXLAN tenant network settings
----------------------------------------
709
The default multicast group of ``224.0.0.1`` only multicasts
to a single subnet. Override it to support larger underlay
network topologies.
Thom Gerdes3282d072017-05-30 22:06:04 +0000713
OlgaGusarenko838c9fd2018-07-31 00:22:44 +0300714Neutron Server:
Thom Gerdes3282d072017-05-30 22:06:04 +0000715
716.. code-block:: yaml
717
718 neutron:
719 server:
720 vxlan:
721 group: 239.0.0.0/8
722 vni_ranges: "2:65535"
723
Jiri Broulik74f61112016-11-21 20:23:47 +0100724Neutron VLAN tenant networks with Network Nodes
Aleš Komárek41e82312017-04-11 13:37:44 +0200725-----------------------------------------------
Jiri Broulik74f61112016-11-21 20:23:47 +0100726
727VLAN tenant provider
728
OlgaGusarenko838c9fd2018-07-31 00:22:44 +0300729Neutron Server only:
Jiri Broulik74f61112016-11-21 20:23:47 +0100730
731.. code-block:: yaml
732
733 neutron:
734 server:
735 version: mitaka
Jiri Broulik74f61112016-11-21 20:23:47 +0100736 ...
737 global_physnet_mtu: 9000
738 l3_ha: False
739 dvr: True
740 backend:
741 engine: ml2
742 tenant_network_types: "flat,vlan" # Can be mixed flat,vlan,vxlan
743 tenant_vlan_range: "1000:2000"
744 external_vlan_range: "100:200" # Does not have to be defined.
745 external_mtu: 9000
746 mechanism:
Elena Ezhovad6a080c2017-10-09 15:25:16 +0400747 ovs:
748 driver: openvswitch
Jiri Broulik74f61112016-11-21 20:23:47 +0100749
OlgaGusarenko838c9fd2018-07-31 00:22:44 +0300750Compute node:
Jiri Broulik74f61112016-11-21 20:23:47 +0100751
752.. code-block:: yaml
753
754 neutron:
755 compute:
756 version: mitaka
Jiri Broulik74f61112016-11-21 20:23:47 +0100757 ...
758 dvr: True
759 agent_mode: dvr
760 external_access: False
761 backend:
762 engine: ml2
763 tenant_network_types: "flat,vlan" # Can be mixed flat,vlan,vxlan
764 mechanism:
Elena Ezhovad6a080c2017-10-09 15:25:16 +0400765 ovs:
766 driver: openvswitch
Jiri Broulik74f61112016-11-21 20:23:47 +0100767
Oleg Bondarevddb9af12018-07-02 19:07:57 +0400768Neutron with explicit physical networks
769---------------------------------------
Oleg Bondarevada324f2018-06-04 14:55:38 +0400770
OlgaGusarenko838c9fd2018-07-31 00:22:44 +0300771Neutron Server only:
Oleg Bondarevada324f2018-06-04 14:55:38 +0400772
773.. code-block:: yaml
774
775 neutron:
776 server:
777 version: ocata
778 ...
779 backend:
780 engine: ml2
781 tenant_network_types: "flat,vlan" # Can be mixed flat,vlan,vxlan
782 ...
Oleg Bondarevddb9af12018-07-02 19:07:57 +0400783 # also need to configure corresponding bridge_mappings on
Oleg Bondarevada324f2018-06-04 14:55:38 +0400784 # compute and gateway nodes
Oleg Bondarev47d9e2d2018-07-03 13:22:26 +0400785 flat_networks_default: '*' # '*' to allow arbitrary names or '' to disable
Oleg Bondarevddb9af12018-07-02 19:07:57 +0400786 physnets: # only listed physnets will be configured (overrides physnet1/2/3)
787 external:
788 mtu: 1500
Oleg Bondarev47d9e2d2018-07-03 13:22:26 +0400789 types:
790 - flat # possible values - 'flat' or 'vlan'
Oleg Bondarevada324f2018-06-04 14:55:38 +0400791 sriov_net:
792 mtu: 9000 # Optional, defaults to 1500
Oleg Bondarevab324112018-11-19 17:56:57 +0400793 vlan_range: '100:200,300:400' # Optional
Oleg Bondarev47d9e2d2018-07-03 13:22:26 +0400794 types:
795 - vlan
Oleg Bondarevada324f2018-06-04 14:55:38 +0400796 ext_net2:
797 mtu: 1500
Oleg Bondarev47d9e2d2018-07-03 13:22:26 +0400798 types:
799 - flat
800 - vlan
Oleg Bondarevada324f2018-06-04 14:55:38 +0400801 mechanism:
802 ovs:
803 driver: openvswitch
804
Aleš Komárek41e82312017-04-11 13:37:44 +0200805Advanced Neutron Features (DPDK, SR-IOV)
Oleg Bondarev0575ae42017-07-28 16:36:25 +0400806----------------------------------------
Aleš Komárek41e82312017-04-11 13:37:44 +0200807
Jakub Pavlik8f83ccc2017-02-27 11:15:39 +0100808Neutron OVS DPDK
Jakub Pavlik8f83ccc2017-02-27 11:15:39 +0100809
OlgaGusarenko838c9fd2018-07-31 00:22:44 +0300810Enable datapath netdev for neutron openvswitch agent:
Jakub Pavlik8f83ccc2017-02-27 11:15:39 +0100811
812.. code-block:: yaml
813
814 neutron:
815 server:
816 version: mitaka
817 ...
818 dpdk: True
819 ...
820
821 neutron:
822 compute:
823 version: mitaka
Jakub Pavlik8f83ccc2017-02-27 11:15:39 +0100824 dpdk: True
Michael Polenchuk52911652018-04-12 22:09:49 +0400825 vhost_mode: client # options: client|server (default)
Oleg Bondarevee7e8302017-10-16 17:20:38 +0400826 vhost_socket_dir: /var/run/openvswitch
Jakub Pavlik8f83ccc2017-02-27 11:15:39 +0100827 backend:
828 engine: ml2
829 ...
830 mechanism:
Elena Ezhovad6a080c2017-10-09 15:25:16 +0400831 ovs:
832 driver: openvswitch
Jakub Pavlik8f83ccc2017-02-27 11:15:39 +0100833
OlgaGusarenko838c9fd2018-07-31 00:22:44 +0300834Neutron OVS SR-IOV:
Jakub Pavlik70555cb2017-02-26 18:48:02 +0100835
836.. code-block:: yaml
837
838 neutron:
839 server:
840 version: mitaka
Jakub Pavlik70555cb2017-02-26 18:48:02 +0100841 backend:
842 engine: ml2
843 ...
844 mechanism:
Elena Ezhovad6a080c2017-10-09 15:25:16 +0400845 ovs:
846 driver: openvswitch
847 sriov:
848 driver: sriovnicswitch
Michael Polenchuk0bf59a72018-06-19 18:06:56 +0400849 # Driver w/ highest number will be placed ahead in the list (default is 0).
850 # It's recommended for SR-IOV driver to set an order >0 to get it
851 # before (for example) the opendaylight one.
852 order: 9
Jakub Pavlik70555cb2017-02-26 18:48:02 +0100853
854 neutron:
855 compute:
856 version: mitaka
Jakub Pavlik70555cb2017-02-26 18:48:02 +0100857 ...
858 backend:
859 engine: ml2
860 tenant_network_types: "flat,vlan" # Can be mixed flat,vlan,vxlan
861 sriov:
862 nic_one:
863 devname: eth1
864 physical_network: physnet3
865 mechanism:
Elena Ezhovad6a080c2017-10-09 15:25:16 +0400866 ovs:
867 driver: openvswitch
Jakub Pavlik70555cb2017-02-26 18:48:02 +0100868
cdoddac35c9eb2018-11-07 23:18:10 -0600869Neutron with LinuxBridge Agents
870-------------------------------
871
872.. code-block:: yaml
873
874 neutron:
875 server:
876 firewall_driver: iptables
877 backend:
878 mechanism:
879 lb:
880 driver: linuxbridge
881 ....
882 compute:
883 backend:
884 mechanism:
885 lb:
886 driver: linuxbridge
887 ....
888 gateway:
889 backend:
890 mechanism:
891 lb:
892 driver: linuxbridge
893 agents:
894 dhcp:
895 interface_driver: linuxbridge
896 l3:
897 interface_driver: linuxbridge
898
899
Ilya Chukhnakovf4c2bb32017-06-08 02:03:15 +0300900Neutron with VLAN-aware-VMs
Oleg Bondarev0575ae42017-07-28 16:36:25 +0400901---------------------------
Ilya Chukhnakovf4c2bb32017-06-08 02:03:15 +0300902
903.. code-block:: yaml
904
905 neutron:
906 server:
907 vlan_aware_vms: true
908 ....
909 compute:
910 vlan_aware_vms: true
911 ....
912 gateway:
913 vlan_aware_vms: true
914
Oleg Bondarevacb2e532018-03-06 10:43:59 +0400915Neutron with BGP VPN (BaGPipe driver)
OlgaGusarenko838c9fd2018-07-31 00:22:44 +0300916-------------------------------------
Oleg Bondarevb63d27f2018-02-14 19:21:06 +0400917
918.. code-block:: yaml
919
920 neutron:
921 server:
922 version: pike
923 bgp_vpn:
Oleg Bondarevacb2e532018-03-06 10:43:59 +0400924 enabled: true
Michael Polenchuk0b3c5dd2018-06-27 12:04:32 +0400925 driver: bagpipe # Options: bagpipe/opencontrail/opendaylight[_v2]
Oleg Bondarevb63d27f2018-02-14 19:21:06 +0400926 ....
927 compute:
928 version: pike
929 bgp_vpn:
Oleg Bondarevacb2e532018-03-06 10:43:59 +0400930 enabled: true
Michael Polenchuk0b3c5dd2018-06-27 12:04:32 +0400931 driver: bagpipe # Options: bagpipe/opencontrail/opendaylight[_v2]
Oleg Bondarevacb2e532018-03-06 10:43:59 +0400932 bagpipe:
933 local_address: 192.168.20.20 # IP address for mpls/gre tunnels
934 peers: 192.168.20.30 # IP addresses of BGP peers
935 autonomous_system: 64512 # Autonomous System number
936 enable_rtc: True # Enable RT Constraint (RFC4684)
Oleg Bondarevb63d27f2018-02-14 19:21:06 +0400937 backend:
Oleg Bondarev878ac462018-04-23 17:48:15 +0400938 ovs_extension: # for OVS agent only, not supported in SRIOV agent
Oleg Bondarevb63d27f2018-02-14 19:21:06 +0400939 bagpipe_bgpvpn:
940 enabled: True
941
Oleksii Chupryn16cb4e02018-02-26 14:20:39 +0200942Neutron with DHCP agent on compute node
943---------------------------------------
944
945.. code-block:: yaml
946
947 neutron:
948 ....
949 compute:
950 dhcp_agent_enabled: true
951 ....
952
Machi Hoshino0ba88052019-05-08 11:44:04 +0900953Neutron with DHCP agent disabled on gateway node
954------------------------------------------------
955
956.. code-block:: yaml
957
958 neutron:
959 ....
960 gateway:
961 dhcp_agent_enabled: false
962 ....
963
Dzmitry Stremkouski48df2a72018-10-12 16:38:11 +0200964Neutron with metadata agent on compute node
965-------------------------------------------
966
967.. code-block:: yaml
968
969 neutron:
970 ....
971 compute:
972 metadata_agent_enabled: true
973 ....
974
Oleg Bondarev0575ae42017-07-28 16:36:25 +0400975Neutron with OVN
976----------------
977
978Control node:
979
980.. code-block:: yaml
981
982 neutron:
983 server:
984 backend:
985 engine: ovn
986 mechanism:
987 ovn:
988 driver: ovn
989 tenant_network_types: "geneve,flat"
Michael Polenchukf59229b2018-06-19 16:24:49 +0400990 ovn:
991 ovn_l3_scheduler: leastloaded # valid options: chance, leastloaded
992 neutron_sync_mode: repair # valid options: log, off, repair
Michael Polenchuk58161ef2018-05-15 18:04:09 +0400993 metadata_enabled: True
Michael Polenchuka3d492b2017-12-27 15:49:43 +0400994 ovn_ctl_opts:
995 db-nb-create-insecure-remote: 'yes'
996 db-sb-create-insecure-remote: 'yes'
Oleg Bondarev0575ae42017-07-28 16:36:25 +0400997
998Compute node:
999
1000.. code-block:: yaml
1001
1002 neutron:
1003 compute:
1004 local_ip: 10.2.0.105
1005 controller_vip: 10.1.0.101
1006 external_access: false
1007 backend:
1008 engine: ovn
Michael Polenchuk58161ef2018-05-15 18:04:09 +04001009 ovsdb_connection: tcp:127.0.0.1:6640
Michael Polenchukbe3cb9a2019-02-08 17:56:49 +04001010 mac_table_size: 16384
Michael Polenchuk58161ef2018-05-15 18:04:09 +04001011 metadata:
1012 enabled: true
1013 ovsdb_server_iface: ptcp:6640:127.0.0.1
1014 host: 10.1.0.101
1015 password: unsegreto
1016
Oleg Bondarev0575ae42017-07-28 16:36:25 +04001017
Michael Polenchukcccd1a52018-02-02 17:41:16 +04001018Neutron L2 Gateway
1019--------------------
1020
1021Control node:
1022
1023.. code-block:: yaml
1024
1025 neutron:
1026 server:
1027 version: pike
1028 l2gw:
1029 enabled: true
1030 periodic_monitoring_interval: 5
1031 quota_l2_gateway: 20
1032 # service_provider=<service_type>:<name>:<driver>[:default]
1033 service_provider: L2GW:OpenDaylight:networking_odl.l2gateway.driver.OpenDaylightL2gwDriver:default
1034 backend:
1035 engine: ml2
1036
1037Network/Gateway node:
1038
1039.. code-block:: yaml
1040
1041 neutron:
1042 gateway:
1043 version: pike
1044 l2gw:
1045 enabled: true
1046 debug: true
1047 socket_timeout: 20
1048 ovsdb_hosts:
1049 # <ovsdb_name>: <ip address>:<port>
1050 # - ovsdb_name: a user defined symbolic identifier of physical switch
1051 # - ip address: the address or dns name for the OVSDB server (i.e. pointer to the switch)
1052 ovsdb1: 10.164.5.33:6632
1053 ovsdb2: 10.164.4.33:6632
1054
1055
Michael Polenchuk87d2b742017-06-29 12:05:25 +04001056OpenDaylight integration
1057------------------------
1058
1059Control node:
1060
1061.. code-block:: yaml
1062
1063 neutron:
1064 server:
1065 backend:
1066 opendaylight: true
1067 router: odl-router_v2
1068 host: 10.20.0.77
1069 rest_api_port: 8282
1070 user: admin
1071 password: admin
1072 ovsdb_connection: tcp:127.0.0.1:6639
Oleksii Chuprynfed79572018-07-20 14:11:35 +03001073 ovsdb_interface: native
Michael Polenchuk87d2b742017-06-29 12:05:25 +04001074 enable_websocket: true
1075 enable_dhcp_service: false
1076 mechanism:
1077 ovs:
1078 driver: opendaylight_v2
Michael Polenchuk0bf59a72018-06-19 18:06:56 +04001079 order: 1
Michael Polenchuk87d2b742017-06-29 12:05:25 +04001080
1081Network/Gateway node:
1082
1083.. code-block:: yaml
1084
1085 neutron:
1086 gateway:
1087 backend:
1088 router: odl-router_v2
1089 ovsdb_connection: tcp:127.0.0.1:6639
Oleksii Chuprynfed79572018-07-20 14:11:35 +03001090 ovsdb_interface: native
Michael Polenchuk87d2b742017-06-29 12:05:25 +04001091 opendaylight:
1092 ovsdb_server_iface: ptcp:6639:127.0.0.1
1093 ovsdb_odl_iface: tcp:10.20.0.77:6640
1094 tunnel_ip: 10.1.0.110
1095 provider_mappings: physnet1:br-floating
1096
1097Compute node:
1098
1099.. code-block:: yaml
1100
1101 neutron:
1102 compute:
1103 opendaylight:
1104 ovsdb_server_iface: ptcp:6639:127.0.0.1
1105 ovsdb_odl_iface: tcp:10.20.0.77:6640
1106 tunnel_ip: 10.1.0.105
1107 provider_mappings: physnet1:br-floating
1108
1109
Michael Polenchuk9cccecc2018-09-14 14:54:18 +04001110Service Function Chaining Extension (SFC)
1111--------------------------------------------
1112
1113.. code-block:: yaml
1114
1115 neutron:
1116 server:
1117 sfc:
1118 enabled: true
1119 sfc_drivers:
1120 - ovs # valid options: ovs, odl, ovn (not implemented yet)
1121 flow_classifier_drivers:
1122 - ovs # valid options: see above
1123 ....
1124 compute:
1125 backend:
1126 ovs_extension:
1127 sfc:
1128 enabled: True
1129
1130
Aleš Komárek41e82312017-04-11 13:37:44 +02001131Neutron Server
1132--------------
1133
OlgaGusarenko838c9fd2018-07-31 00:22:44 +03001134Neutron Server with OpenContrail:
Jiri Broulik74f61112016-11-21 20:23:47 +01001135
1136.. code-block:: yaml
1137
1138 neutron:
1139 server:
marcoa4428a32016-06-10 11:50:16 +02001140 backend:
1141 engine: contrail
1142 host: contrail_discovery_host
1143 port: 8082
1144 user: admin
1145 password: password
1146 tenant: admin
1147 token: token
1148
OlgaGusarenko838c9fd2018-07-31 00:22:44 +03001149Neutron Server with Midonet:
marcoa4428a32016-06-10 11:50:16 +02001150
1151.. code-block:: yaml
1152
1153 neutron:
1154 server:
1155 backend:
1156 engine: midonet
1157 host: midonet_api_host
1158 port: 8181
1159 user: admin
1160 password: password
1161
OlgaGusarenko838c9fd2018-07-31 00:22:44 +03001162Neutron Server with NSX:
Vasyl Saienko4549efe2018-07-26 16:06:04 +00001163
1164.. code-block:: yaml
1165
1166 neutron:
1167 server:
1168 backend:
1169 engine: vmware
1170 core_plugin: vmware_nsxv3
1171 vmware:
1172 nsx:
1173 extension_drivers:
1174 - vmware_nsxv3_dns
1175 v3:
1176 api_password: nsx_password
1177 api_user: nsx_username
1178 api_managers:
1179 01:
1180 scheme: https
1181 host: 192.168.10.120
1182 port: '443'
1183 insecure: true  # disables TLS certificate verification for the NSX manager API; keep false outside lab setups
1184
OlgaGusarenko838c9fd2018-07-31 00:22:44 +03001185Neutron Keystone region:
Jakub Pavlik6dd5c0a2016-03-09 14:18:15 +01001186
1187.. code-block:: yaml
1188
1189 neutron:
1190 server:
1191 enabled: true
1192 version: kilo
1193 ...
1194 identity:
1195 region: RegionTwo
1196 ...
1197 compute:
1198 region: RegionTwo
1199 ...
1200
OlgaGusarenko838c9fd2018-07-31 00:22:44 +03001201Client-side RabbitMQ HA setup:
Jiri Konecny93b19992016-04-12 11:15:39 +02001202
1203.. code-block:: yaml
1204
1205 neutron:
1206 server:
1207 ....
1208 message_queue:
1209 engine: rabbitmq
1210 members:
1211 - host: 10.0.16.1
1212 - host: 10.0.16.2
1213 - host: 10.0.16.3
1214 user: openstack
1215 password: pwd
1216 virtual_host: '/openstack'
1217 ....
1218
Kirill Bespalovdd748b62017-11-21 10:42:57 +03001219Configuring TLS communications
1220------------------------------
Kirill Bespalov8fffe022017-08-03 17:55:02 +03001221
OlgaGusarenko838c9fd2018-07-31 00:22:44 +03001222.. note:: By default, the system-wide installed CA certificates are used,
1223 so the ``cacert_file`` parameter is optional, as is ``cacert``.
Kirill Bespalovdd748b62017-11-21 10:42:57 +03001224
1225- **RabbitMQ TLS**
Kirill Bespalov8fffe022017-08-03 17:55:02 +03001226
OlgaGusarenko838c9fd2018-07-31 00:22:44 +03001227 .. code-block:: yaml
Kirill Bespalov8fffe022017-08-03 17:55:02 +03001228
OlgaGusarenko838c9fd2018-07-31 00:22:44 +03001229 neutron:
1230 server, gateway, compute:
1231 message_queue:
1232 port: 5671
1233 ssl:
1234 enabled: True
1235 (optional) cacert: CA certificate body, used when cacert_file does not exist
1236 (optional) cacert_file: /etc/openstack/rabbitmq-ca.pem
1237 (optional) version: TLSv1_2
Kirill Bespalov8fffe022017-08-03 17:55:02 +03001238
Kirill Bespalovdd748b62017-11-21 10:42:57 +03001239- **MySQL TLS**
Kirill Bespalov8fffe022017-08-03 17:55:02 +03001240
OlgaGusarenko838c9fd2018-07-31 00:22:44 +03001241 .. code-block:: yaml
Kirill Bespalov8fffe022017-08-03 17:55:02 +03001242
OlgaGusarenko838c9fd2018-07-31 00:22:44 +03001243 neutron:
1244 server:
1245 database:
1246 ssl:
1247 enabled: True
1248 (optional) cacert: CA certificate body, used when cacert_file does not exist
1249 (optional) cacert_file: /etc/openstack/mysql-ca.pem
Kirill Bespalov8fffe022017-08-03 17:55:02 +03001250
Kirill Bespalovdd748b62017-11-21 10:42:57 +03001251- **Openstack HTTPS API**
1252
OlgaGusarenko838c9fd2018-07-31 00:22:44 +03001253 .. code-block:: yaml
Kirill Bespalov8fffe022017-08-03 17:55:02 +03001254
OlgaGusarenko838c9fd2018-07-31 00:22:44 +03001255 neutron:
1256 server:
1257 identity:
1258 protocol: https
1259 (optional) cacert_file: /etc/openstack/proxy.pem
Kirill Bespalov8fffe022017-08-03 17:55:02 +03001260
OlgaGusarenko838c9fd2018-07-31 00:22:44 +03001261Enable the auditing filter, e.g. CADF:
Petr Michalec61f7ab22016-11-29 16:29:09 +01001262
1263.. code-block:: yaml
1264
1265 neutron:
1266 server:
1267 audit:
1268 enabled: true
1269 ....
1270 filter_factory: 'keystonemiddleware.audit:filter_factory'
1271 map_file: '/etc/pycadf/neutron_api_audit_map.conf'
1272 ....
1273 compute:
1274 audit:
1275 enabled: true
1276 ....
1277 filter_factory: 'keystonemiddleware.audit:filter_factory'
1278 map_file: '/etc/pycadf/neutron_api_audit_map.conf'
1279 ....
Jiri Konecny93b19992016-04-12 11:15:39 +02001280
OlgaGusarenko838c9fd2018-07-31 00:22:44 +03001281Neutron with security groups disabled:
Oleg Bondarev98870a32017-05-29 16:53:19 +04001282
1283.. code-block:: yaml
1284
1285 neutron:
1286 server:
1287 security_groups_enabled: False
1288 ....
1289 compute:
1290 security_groups_enabled: False
1291 ....
1292 gateway:
1293 security_groups_enabled: False
1294
Jiri Konecny93b19992016-04-12 11:15:39 +02001295
Aleš Komárek41e82312017-04-11 13:37:44 +02001296Neutron Client
1297--------------
Jiri Broulik5368cc52017-02-08 18:53:59 +01001298
Vyacheslav Struk3f529d42019-06-13 13:37:25 +03001299Neutron networks and RBAC:
Jiri Broulik5368cc52017-02-08 18:53:59 +01001300
1301.. code-block:: yaml
1302
1303 neutron:
1304 client:
1305 enabled: true
1306 server:
1307 identity:
Vyacheslav Struk3f529d42019-06-13 13:37:25 +03001308 rbac:
1309 network:
1310 rule1:
1311 absent: True
1312 target_tenant: admin
1313 action: access_as_shared
1314 network: public
1315 rule2:
1316 absent: False
1317 target_tenant: service
1318 action: access_as_external
1319 network: public
Richard Felklaac256a2017-03-23 15:43:49 +01001320 endpoint_type: internalURL
Jiri Broulik5368cc52017-02-08 18:53:59 +01001321 network:
1322 inet1:
1323 tenant: demo
1324 shared: False
1325 admin_state_up: True
1326 router_external: True
1327 provider_physical_network: inet
1328 provider_network_type: flat
1329 provider_segmentation_id: 2
1330 subnet:
1331 inet1-subnet1:
1332 cidr: 192.168.90.0/24
1333 enable_dhcp: False
1334 inet2:
1335 tenant: admin
1336 shared: False
1337 router_external: True
1338 provider_network_type: "vlan"
1339 subnet:
1340 inet2-subnet1:
1341 cidr: 192.168.92.0/24
1342 enable_dhcp: False
1343 inet2-subnet2:
1344 cidr: 192.168.94.0/24
1345 enable_dhcp: True
1346 identity1:
1347 network:
1348 ...
1349
OlgaGusarenko838c9fd2018-07-31 00:22:44 +03001350Neutron routers:
Jiri Broulik5368cc52017-02-08 18:53:59 +01001351
1352.. code-block:: yaml
1353
1354 neutron:
1355 client:
1356 enabled: true
1357 server:
1358 identity:
Richard Felklaac256a2017-03-23 15:43:49 +01001359 endpoint_type: internalURL
Jiri Broulik5368cc52017-02-08 18:53:59 +01001360 router:
1361 inet1-router:
1362 tenant: demo
1363 admin_state_up: True
1364 gateway_network: inet
1365 interfaces:
1366 - inet1-subnet1
1367 - inet1-subnet2
1368 identity1:
1369 router:
1370 ...
1371
OlgaGusarenko838c9fd2018-07-31 00:22:44 +03001372.. TODO implement adding new interfaces to a router while updating it
Jiri Broulik5368cc52017-02-08 18:53:59 +01001373
OlgaGusarenko838c9fd2018-07-31 00:22:44 +03001374Neutron security groups:
Jiri Broulik5368cc52017-02-08 18:53:59 +01001375
1376.. code-block:: yaml
1377
1378 neutron:
1379 client:
1380 enabled: true
1381 server:
1382 identity:
Richard Felklaac256a2017-03-23 15:43:49 +01001383 endpoint_type: internalURL
Jiri Broulik5368cc52017-02-08 18:53:59 +01001384 security_group:
1385 security_group1:
1386 tenant: demo
1387 description: security group 1
1388 rules:
1389 - direction: ingress
1390 ethertype: IPv4
1391 protocol: TCP
1392 port_range_min: 1
1393 port_range_max: 65535
1394 remote_ip_prefix: 0.0.0.0/0
1395 - direction: ingress
1396 ethertype: IPv4
1397 protocol: UDP
1398 port_range_min: 1
1399 port_range_max: 65535
1400 remote_ip_prefix: 0.0.0.0/0
1401 - direction: ingress
1402 protocol: ICMP
1403 remote_ip_prefix: 0.0.0.0/0
1404 identity1:
1405 security_group:
1406 ...
1407
OlgaGusarenko838c9fd2018-07-31 00:22:44 +03001408.. TODO: implement updating existing security rules (now it adds new rule if
1409 trying to update existing one)
Jiri Broulik5368cc52017-02-08 18:53:59 +01001410
OlgaGusarenko838c9fd2018-07-31 00:22:44 +03001411Floating IP addresses:
Jiri Broulikde2e2902017-02-13 15:03:47 +01001412
1413.. code-block:: yaml
1414
1415 neutron:
1416 client:
1417 enabled: true
1418 server:
1419 identity:
Richard Felklaac256a2017-03-23 15:43:49 +01001420 endpoint_type: internalURL
Jiri Broulikde2e2902017-02-13 15:03:47 +01001421 floating_ip:
1422 prx01-instance:
1423 server: prx01.mk22-lab-basic.local
1424 subnet: private-subnet1
1425 network: public-net1
1426 tenant: demo
1427 gtw01-instance:
1428 ...
1429
1430.. note:: The network must have the ``router:external`` flag set to True.
OlgaGusarenko838c9fd2018-07-31 00:22:44 +03001431 The instance port in the stated subnet will be associated
1432 with the dynamically generated floating IP.
Oleg Iurchenkode71cc22017-09-18 17:58:56 +03001433
1434Enable Neutron extensions (QoS, DNS, etc.)
1435------------------------------------------
OlgaGusarenko838c9fd2018-07-31 00:22:44 +03001436
Oleg Iurchenkode71cc22017-09-18 17:58:56 +03001437.. code-block:: yaml
1438
1439 neutron:
1440 server:
1441 backend:
1442 extension:
Oleg Iurchenkoac17f4f2017-10-06 11:24:27 +03001443 dns:
1444 enabled: True
1445 host: 127.0.0.1
1446 port: 9001
1447 protocol: http
1448 ....
1449 qos:
1450 enabled: True
Oleg Iurchenkode71cc22017-09-18 17:58:56 +03001451
Oleg Bondarev878ac462018-04-23 17:48:15 +04001452Different Neutron extensions for different agents
1453-------------------------------------------------
OlgaGusarenko838c9fd2018-07-31 00:22:44 +03001454
Oleg Bondarev878ac462018-04-23 17:48:15 +04001455.. code-block:: yaml
1456
1457 neutron:
1458 server:
1459 backend:
1460 extension: # common extensions for OVS and SRIOV agents
1461 dns:
1462 enabled: True
1463 ...
1464 qos:
1465 enabled: True
1466 ovs_extension: # OVS specific extensions
1467 bagpipe_bgpvpn:
1468 enabled: True
1469 sriov_extension: # SRIOV specific extensions
1470 dummy:
1471 enabled: True
Oleg Iurchenkode71cc22017-09-18 17:58:56 +03001472
Oleg Iurchenko8cf6cf52017-09-18 15:44:03 +03001473Neutron with Designate
1474-----------------------------------------
OlgaGusarenko838c9fd2018-07-31 00:22:44 +03001475
Oleg Iurchenko8cf6cf52017-09-18 15:44:03 +03001476.. code-block:: yaml
1477
1478 neutron:
1479 server:
1480 backend:
1481 extension:
1482 dns:
1483 enabled: True
1484 host: 127.0.0.1
1485 port: 9001
1486 protocol: http
1487
Marek Celoud67ce2062018-01-31 13:44:55 +01001488Enable RBAC for OpenContrail engine
1489-----------------------------------
OlgaGusarenko838c9fd2018-07-31 00:22:44 +03001490
Marek Celoud67ce2062018-01-31 13:44:55 +01001491.. code-block:: yaml
1492
1493 neutron:
1494 server:
1495 backend:
1496 engine: contrail
1497 rbac:
1498 enabled: True
Oleg Iurchenko8cf6cf52017-09-18 15:44:03 +03001499
Kostiantyn Kalynovskyi7cc59042019-03-14 16:30:14 +03001500Increase maximum number of allowed address pairs per instance
1501----------------------------------------------------------------
1502
1503Neutron Server:
1504
1505.. code-block:: yaml
1506
1507 neutron:
1508 server:
1509 max_allowed_address_pair: 20
1510
1511Neutron generic node (compute or gateway):
1512
1513.. code-block:: yaml
1514
1515 neutron:
1516 max_allowed_address_pair: 20
1517
Oleg Bondareva0940cc2019-03-27 16:24:00 +04001518Increase OVS timeouts for loaded nodes
1519--------------------------------------
1520
1521Network node:
1522
1523.. code-block:: yaml
1524
1525 neutron:
1526 gateway:
1527 of_connect_timeout: 60
1528 of_request_timeout: 30
Oleg Bondarev13a87302019-06-11 18:20:29 +04001529 of_inactivity_probe: 30
Oleg Bondareva0940cc2019-03-27 16:24:00 +04001530 ovs_vsctl_timeout: 30 # Pike
1531 ovsdb_timeout: 30 # Queens and beyond
1532 bridge_mac_table_size: 100000
1533
Oleg Bondareve26a2392019-04-11 18:27:27 +04001534Change default resource quotas
1535------------------------------
1536
1537.. code-block:: yaml
1538
1539 neutron:
1540 server:
1541 quotas:
1542 default_quota: 100
1543 quota_network: 150
1544 quota_subnet: 150
1545 quota_port: 200
1546 quota_router: 50
1547 quota_floatingip: 30
1548 quota_security_group: 20
1549 quota_security_group_rule: 50
1550
1551
Oleg Bondareva0940cc2019-03-27 16:24:00 +04001552
Dmitry Kalashnik35dd0e02017-12-07 14:16:25 +04001553Enhanced logging with logging.conf
1554----------------------------------
1555
OlgaGusarenko838c9fd2018-07-31 00:22:44 +03001556By default ``logging.conf`` is disabled.
Dmitry Kalashnik35dd0e02017-12-07 14:16:25 +04001557
1558It is possible to enable a per-binary ``logging.conf`` with the following variables:
Dmitry Kalashnik35dd0e02017-12-07 14:16:25 +04001559
OlgaGusarenko838c9fd2018-07-31 00:22:44 +03001560* ``openstack_log_appender``
1561 Set to true to enable ``log_config_append`` for all OpenStack services
1562
1563* ``openstack_fluentd_handler_enabled``
1564 Set to true to enable FluentHandler for all Openstack services
1565
1566* ``openstack_ossyslog_handler_enabled``
1567 Set to true to enable OSSysLogHandler for all Openstack services.
1568
1569Only ``WatchedFileHandler``, ``OSSysLogHandler``, and ``FluentHandler``
1570are available.
Dmitry Kalashnik35dd0e02017-12-07 14:16:25 +04001571
1572It is also possible to configure this via the pillar:
1573
1574.. code-block:: yaml
1575
1576 neutron:
1577 server:
1578 logging:
1579 log_appender: true
1580 log_handlers:
1581 watchedfile:
1582 enabled: true
1583 fluentd:
1584 enabled: true
Oleksii Chupryn156c5f42018-02-07 10:06:50 +02001585 ossyslog:
1586 enabled: true
Dmitry Kalashnik35dd0e02017-12-07 14:16:25 +04001587 ....
1588 compute:
1589 logging:
1590 log_appender: true
1591 log_handlers:
1592 watchedfile:
1593 enabled: true
1594 fluentd:
1595 enabled: true
Oleksii Chupryn156c5f42018-02-07 10:06:50 +02001596 ossyslog:
1597 enabled: true
Dmitry Kalashnik35dd0e02017-12-07 14:16:25 +04001598 ....
1599 gateway:
1600 logging:
1601 log_appender: true
1602 log_handlers:
1603 watchedfile:
1604 enabled: true
1605 fluentd:
1606 enabled: true
Oleksii Chupryn156c5f42018-02-07 10:06:50 +02001607 ossyslog:
1608 enabled: true
Oleg Iurchenko8cf6cf52017-09-18 15:44:03 +03001609
Oleksii Grudevfe73ee52018-05-14 14:08:11 +03001610Logging levels pillar example:
1611
1612.. code-block:: yaml
1613
1614 neutron:
1615 server:
1616 logging:
1617 log_appender: true
1618 loggers:
1619 root:
1620 level: 'DEBUG'
1621 neutron:
1622 level: 'DEBUG'
1623 amqplib:
1624 level: 'DEBUG'
1625 sqlalchemy:
1626 level: 'DEBUG'
1627 boto:
1628 level: 'DEBUG'
1629 suds:
1630 level: 'DEBUG'
1631 eventletwsgi:
1632 level: 'DEBUG'
1633 ......
Michael Polenchuk5fb5c572019-03-13 11:54:26 +04001634
1635Neutron server with memcached caching and security strategy
1636-----------------------------------------------------------
Oleksandr Bryndzii3b0ac2c2018-10-04 11:06:24 +03001637
1638.. code-block:: yaml
1639
1640 neutron:
1641 server:
1642 enabled: true
1643 ...
1644 cache:
1645 engine: memcached
1646 members:
1647 - host: 127.0.0.1
1648 port: 11211
1649 - host: 127.0.0.1
1650 port: 11211
1651 security:
1652 enabled: true
1653 strategy: ENCRYPT
1654 secret_key: secret
Oleksii Grudevfe73ee52018-05-14 14:08:11 +03001655
Michael Polenchuk5fb5c572019-03-13 11:54:26 +04001656
1657Neutron API behind uWSGI (experimental)
1658---------------------------------------
1659
1660.. code-block:: yaml
1661
1662 neutron:
1663 server:
1664 wsgi:
1665 enabled: true
1666 threads: 32
1667 workers: 64
1668 logto: /var/log/neutron/neutron-server.log
1669
Oleksandr Bryndziib9d02af2019-05-10 16:59:14 +03001670Setup hardcoded configuration values
1671------------------------------------
1672
1673.. code-block:: yaml
1674
1675 neutron:
1676 server:
1677 configmap:
1678 neutron_server:
1679 DEFAULT:
1680 max_subnet_host_routes: 30
1681 max_routes: 60
1682 debug_iptables_rules: True
1683 quotas:
1684 quota_network: 20
1685 quota_subnet: 10
1686 quota_port: 100
1687 matchmaker_redis:
1688 host: 127.0.0.1
1689 port: 6379
1690 password: pswd
1691 gateway:
1692 configmap:
1693 metadata_agent:
1694 DEFAULT:
1695 metadata_workers: 10
1696 debug: True
1697 agent:
1698 report_interval: 30
1699 l3_agent:
1700 DEFAULT:
1701 agent_mode: dvr
1702 agent:
1703 report_interval: 40
1704 dhcp_agent:
1705 DEFAULT:
1706 ovs_vsctl_timeout: 12
1707 resync_interval: 60
1708 agent:
1709 report_interval: 60
Michael Polenchuk5fb5c572019-03-13 11:54:26 +04001710
Martin Polreich7f077d42019-12-12 14:58:43 +01001711
1712Change default service policy configuration:
1713--------------------------------------------
1714
1715.. code-block:: yaml
1716
1717 neutron:
1718 server:
1719 policy:
1720 create_subnet: 'rule:admin_or_network_owner'
1721 create_subnet:segment_id: 'rule:admin_only'
1722 # Add key without value to remove line from policy.json
1723 get_subnet:
1724 bgpvpn_policy:
1725 create_bgpvpn: 'rule:admin_only'
1726 get_bgpvpn: 'rule:admin_or_owner'
1727 # Add key without value to remove line from policy.json
1728 get_bgpvpn:tenant_id:
1729
1730
Roman Lubianyia6caca92020-03-04 11:26:23 +02001731Set nova_metadata_protocol for Neutron
1732---------------------------------------
1733
1734.. code-block:: yaml
1735
1736 neutron:
1737 gateway:
1738 metadata:
1739 protocol: http
1740 compute:
1741 metadata:
1742 protocol: http
1743
1744
Vasyl Saienkoba420732018-09-07 10:19:32 +00001745Upgrades
1746========
1747
1748Each OpenStack formula provides a set of phases (logical blocks) that help to
1749build flexible upgrade orchestration logic for particular components. The
1750phases and their descriptions are listed in the table below:
1751
1752+-------------------------------+------------------------------------------------------+
1753| State | Description |
1754+===============================+======================================================+
1755| <app>.upgrade.service_running | Ensure that all services for particular application |
1756| | are enabled for autostart and running |
1757+-------------------------------+------------------------------------------------------+
1758| <app>.upgrade.service_stopped | Ensure that all services for particular application |
1759| | disabled for autostart and dead |
1760+-------------------------------+------------------------------------------------------+
1761| <app>.upgrade.pkg_latest | Ensure that packages used by particular application |
1762| | are installed to latest available version. |
1763| | This will not upgrade data plane packages like qemu |
1764| | and openvswitch as usually minimal required version |
1765| | in openstack services is really old. The data plane |
1766| | packages should be upgraded separately by `apt-get |
1767| | upgrade` or `apt-get dist-upgrade` |
1768| | Applying this state will not autostart service. |
1769+-------------------------------+------------------------------------------------------+
1770| <app>.upgrade.render_config | Ensure configuration is rendered for the actual version. |
1771+-------------------------------+------------------------------------------------------+
1772| <app>.upgrade.pre | We assume this state is applied on all nodes in the |
1773| | cloud before running upgrade. |
1774| | Only non destructive actions will be applied during |
1775| | this phase. Perform service built in service check |
1776| | like (keystone-manage doctor and nova-status upgrade)|
1777+-------------------------------+------------------------------------------------------+
1778| <app>.upgrade.upgrade.pre | Mostly applicable for data plane nodes. During this |
1779| | phase resources will be gracefully removed from |
1780| | current node if it is allowed. Services for upgraded |
1781| | application will be set to admin disabled state to |
1782| | make sure node will not participate in resources |
1783| | scheduling. For example on gtw nodes this will set |
1784| | all agents to admin disable state and will move all |
1785| | routers to other agents. |
1786+-------------------------------+------------------------------------------------------+
1787| <app>.upgrade.upgrade | This state will basically upgrade application on |
1788| | particular target. Stop services, render |
1789| | configuration, install new packages, run offline |
1790| | dbsync (for ctl), start services. Data plane should |
1791| | not be affected, only OpenStack python services. |
1792+-------------------------------+------------------------------------------------------+
1793| <app>.upgrade.upgrade.post | Add services back to scheduling. |
1794+-------------------------------+------------------------------------------------------+
1795| <app>.upgrade.post | This phase should be launched only when upgrade of |
1796| | the cloud is completed. |
1797+-------------------------------+------------------------------------------------------+
1798| <app>.upgrade.verify | Here we will do basic health checks (API CRUD |
1799| | operations, verify do not have dead network |
1800| | agents/compute services) |
1801+-------------------------------+------------------------------------------------------+
1802
1803
Oleksandr Pidrepnyif3f62a82019-06-10 12:17:50 +03001804Don't manage services scheduling while upgrade
1805----------------------------------------------
1806For some special cases, service scheduling (both enabling and disabling) is not
1807managed before and after the upgrade procedure.
1808
1809If ``manage_service_maintenance: true`` is set or the key is absent (the default
1810behavior), services are disabled before the upgrade and enabled after it.
1811If ``manage_service_maintenance: false`` is set, the scheduling of upgraded
1812services is neither disabled before nor enabled after the upgrade.
1813
1814.. code-block:: yaml
1815
1816 neutron:
1817 upgrade:
1818 manage_service_maintenance: false
1819
1820
Oleksandr Shyshkof51b94c2018-08-31 16:05:27 +03001821Enable X.509 and SSL communication between Neutron and the Galera cluster
1822------------------------------------------------------------------------------
1823By default, communication between Neutron and Galera is not secured with TLS.
1824
.. code-block:: yaml

1825    neutron:
1826      server:
1827        database:
1828          x509:
1829            enabled: True
1830
1831You can set custom certificates in the pillar:
1832
.. code-block:: yaml

1833    neutron:
1834      server:
1835        database:
1836          x509:
1837            cacert: (CA certificate content)
1838            cert: (client certificate content)
1839            key: (client private key content)
1840
1841You can read more about it here:
1842 https://docs.openstack.org/security-guide/databases/database-access-control.html