Blame - README.rst - salt-formulas/neutron

blob: 2812d40d811a18da8b7c70366340ada5f0293c55 [file] [log] [blame]

OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1	=====
				2	Usage
				3	=====
Filip Pytloun	cd028e4	2015-10-06 16:28:32 +0200	[diff] [blame]	4
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	5	Neutron is an OpenStack project to provide networking as a service between
Jakub Pavlik	9ecf026	2016-05-20 11:20:58 +0200	[diff] [blame]	6	interface devices (e.g., vNICs) managed by other Openstack services (e.g.,
				7	nova).
Filip Pytloun	cd028e4	2015-10-06 16:28:32 +0200	[diff] [blame]	8
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	9	Starting with the Folsom release, Neutron is a core and supported part of the
				10	OpenStack platform (for Essex, we were an incubated project, which means use
Vasyl Saienko	2fffc84	2017-06-14 10:35:26 +0300	[diff] [blame]	11	is suggested only for those who really know what they're doing with Neutron).
Filip Pytloun	cd028e4	2015-10-06 16:28:32 +0200	[diff] [blame]	12
Aleš Komárek	41e8231	2017-04-11 13:37:44 +0200	[diff] [blame]	13	Sample Pillars
Filip Pytloun	cd028e4	2015-10-06 16:28:32 +0200	[diff] [blame]	14	==============
				15
				16	Neutron Server on the controller node
				17
				18	.. code-block:: yaml
				19
				20	neutron:
				21	server:
				22	enabled: true
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	23	version: mitaka
Swann Croiset	9407daf	2017-02-02 15:27:56 +0100	[diff] [blame]	24	allow_pagination: true
				25	pagination_max_limit: 100
Mykyta Karpin	253406d	2017-12-08 17:01:37 +0200	[diff] [blame]	26	api_workers: 2
				27	rpc_workers: 2
				28	rpc_state_report_workers: 2
Michael Polenchuk	1ff8865	2018-03-06 16:15:57 +0400	[diff] [blame]	29	root_helper_daemon: false
Michael Polenchuk	2151b27	2018-06-19 18:32:31 +0400	[diff] [blame]	30	dhcp_lease_duration: 600
Michael Polenchuk	cece76d	2018-06-21 14:56:17 +0400	[diff] [blame]	31	firewall_driver: iptables_hybrid
Oleg Bondarev	bc2dfee	2018-10-17 18:41:51 +0400	[diff] [blame]	32	agent_boot_time: 180
Filip Pytloun	cd028e4	2015-10-06 16:28:32 +0200	[diff] [blame]	33	bind:
				34	address: 172.20.0.1
				35	port: 9696
Filip Pytloun	cd028e4	2015-10-06 16:28:32 +0200	[diff] [blame]	36	database:
				37	engine: mysql
				38	host: 127.0.0.1
				39	port: 3306
				40	name: neutron
				41	user: neutron
				42	password: pwd
				43	identity:
				44	engine: keystone
				45	host: 127.0.0.1
				46	port: 35357
				47	user: neutron
				48	password: pwd
				49	tenant: service
Dennis Dmitriev	3711472	2017-03-06 16:52:26 +0200	[diff] [blame]	50	endpoint_type: internal
Filip Pytloun	cd028e4	2015-10-06 16:28:32 +0200	[diff] [blame]	51	message_queue:
				52	engine: rabbitmq
				53	host: 127.0.0.1
				54	port: 5672
				55	user: openstack
				56	password: pwd
				57	virtual_host: '/openstack'
				58	metadata:
				59	host: 127.0.0.1
				60	port: 8775
Dzmitry Stremkouski	ea47018	2018-10-24 15:33:35 +0200	[diff] [blame]	61	insecure: true
				62	proto: https
Filip Pytloun	cd028e4	2015-10-06 16:28:32 +0200	[diff] [blame]	63	password: pass
Mykyta Karpin	253406d	2017-12-08 17:01:37 +0200	[diff] [blame]	64	workers: 2
Petr Michalec	61f7ab2	2016-11-29 16:29:09 +0100	[diff] [blame]	65	audit:
				66	enabled: false
Filip Pytloun	cd028e4	2015-10-06 16:28:32 +0200	[diff] [blame]	67
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	68	.. note:: The pagination is useful to retrieve a large bunch of resources,
				69	because a single request may fail (timeout). This is enabled with both
				70	parameters allow_pagination and pagination_max_limit as shown above.
Swann Croiset	9407daf	2017-02-02 15:27:56 +0100	[diff] [blame]	71
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	72	Configuration of policy.json file:
Dmitry Ukov	596ddcf	2017-05-04 18:16:16 +0400	[diff] [blame]	73
				74	.. code-block:: yaml
				75
				76	neutron:
				77	server:
				78	....
				79	policy:
				80	create_subnet: 'rule:admin_or_network_owner'
				81	'get_network:queue_id': 'rule:admin_only'
				82	# Add key without value to remove line from policy.json
				83	'create_network:shared':
				84
Elena Ezhova	cd67cfe	2017-06-16 23:35:07 +0400	[diff] [blame]	85	Neutron LBaaSv2 enablement
				86	--------------------------
Ondrej Smola	314eee2	2017-03-08 21:21:16 +0100	[diff] [blame]	87
				88	.. code-block:: yaml
				89
				90	neutron:
				91	server:
				92	lbaas:
				93	enabled: true
				94	providers:
Elena Ezhova	cd67cfe	2017-06-16 23:35:07 +0400	[diff] [blame]	95	octavia:
				96	engine: octavia
				97	driver_path: 'neutron_lbaas.drivers.octavia.driver.OctaviaDriver'
				98	base_url: 'http://127.0.0.1:9876'
Ondrej Smola	314eee2	2017-03-08 21:21:16 +0100	[diff] [blame]	99	avi_adc:
Ondrej Smola	314eee2	2017-03-08 21:21:16 +0100	[diff] [blame]	100	engine: avinetworks
Elena Ezhova	cd67cfe	2017-06-16 23:35:07 +0400	[diff] [blame]	101	driver_path: 'avi_lbaasv2.avi_driver.AviDriver'
Ondrej Smola	314eee2	2017-03-08 21:21:16 +0100	[diff] [blame]	102	controller_address: 10.182.129.239
				103	controller_user: admin
				104	controller_password: Cloudlab2016
				105	controller_cloud_name: Default-Cloud
				106	avi_adc2:
				107	engine: avinetworks
				108	...
				109
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	110	.. note:: If the Contrail backend is set, Opencontrail loadbalancer
				111	would be enabled automatically. In this case lbaas should disabled
				112	in pillar:
Ondrej Smola	314eee2	2017-03-08 21:21:16 +0100	[diff] [blame]	113
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	114	.. code-block:: yaml
Ondrej Smola	314eee2	2017-03-08 21:21:16 +0100	[diff] [blame]	115
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	116	neutron:
				117	server:
				118	lbaas:
				119	enabled: false
Elena Ezhova	166d401	2017-08-17 12:53:52 +0400	[diff] [blame]	120
				121	Neutron FWaaSv1 enablement
				122	--------------------------
				123
				124	.. code-block:: yaml
				125
				126	neutron:
				127	fwaas:
				128	enabled: true
				129	version: ocata
				130	api_version: v1
				131
				132
Ondrej Smola	12ff819	2017-04-28 12:39:11 +0200	[diff] [blame]	133	Enable CORS parameters
Elena Ezhova	166d401	2017-08-17 12:53:52 +0400	[diff] [blame]	134	----------------------
Ondrej Smola	12ff819	2017-04-28 12:39:11 +0200	[diff] [blame]	135
				136	.. code-block:: yaml
				137
				138	neutron:
				139	server:
				140	cors:
				141	allowed_origin: https:localhost.local,http:localhost.local
				142	expose_headers: X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token
				143	allow_methods: GET,PUT,POST,DELETE,PATCH
				144	allow_headers: X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token
				145	allow_credentials: True
				146	max_age: 86400
				147
Aleš Komárek	41e8231	2017-04-11 13:37:44 +0200	[diff] [blame]	148	Neutron VXLAN tenant networks with Network nodes
				149	------------------------------------------------
Swann Croiset	9407daf	2017-02-02 15:27:56 +0100	[diff] [blame]	150
Aleš Komárek	41e8231	2017-04-11 13:37:44 +0200	[diff] [blame]	151	With DVR for East-West and Network node for North-South.
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	152
				153	This use case describes a model utilising VxLAN overlay with DVR. The DVR
Aleš Komárek	41e8231	2017-04-11 13:37:44 +0200	[diff] [blame]	154	routers will only be utilized for traffic that is router within the cloud
Vasyl Saienko	2fffc84	2017-06-14 10:35:26 +0300	[diff] [blame]	155	infrastructure and that remains encapsulated. External traffic will be
				156	routed to via the network nodes.
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	157
Vasyl Saienko	2fffc84	2017-06-14 10:35:26 +0300	[diff] [blame]	158	The intention is that each tenant will require at least two (2) vrouters
				159	one to be utilised
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	160
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	161	Neutron Server:
marco	a4428a3	2016-06-10 11:50:16 +0200	[diff] [blame]	162
				163	.. code-block:: yaml
				164
				165	neutron:
				166	server:
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	167	version: mitaka
Dmitry Stremkouski	3c1be3e	2017-11-18 11:04:20 +0300	[diff] [blame]	168	path_mtu: 1500
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	169	bind:
				170	address: 172.20.0.1
				171	port: 9696
				172	database:
				173	engine: mysql
				174	host: 127.0.0.1
				175	port: 3306
				176	name: neutron
				177	user: neutron
				178	password: pwd
				179	identity:
				180	engine: keystone
				181	host: 127.0.0.1
				182	port: 35357
				183	user: neutron
				184	password: pwd
				185	tenant: service
Dennis Dmitriev	3711472	2017-03-06 16:52:26 +0200	[diff] [blame]	186	endpoint_type: internal
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	187	message_queue:
				188	engine: rabbitmq
				189	host: 127.0.0.1
				190	port: 5672
				191	user: openstack
				192	password: pwd
				193	virtual_host: '/openstack'
				194	global_physnet_mtu: 9000
				195	l3_ha: False # Which type of router will be created by default
				196	dvr: True # disabled for non DVR use case
				197	backend:
				198	engine: ml2
				199	tenant_network_types: "flat,vxlan"
				200	external_mtu: 9000
				201	mechanism:
Elena Ezhova	d6a080c	2017-10-09 15:25:16 +0400	[diff] [blame]	202	ovs:
				203	driver: openvswitch
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	204
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	205	Network Node:
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	206
				207	.. code-block:: yaml
				208
				209	neutron:
				210	gateway:
				211	enabled: True
				212	version: mitaka
Michael Polenchuk	2151b27	2018-06-19 18:32:31 +0400	[diff] [blame]	213	dhcp_lease_duration: 600
Michael Polenchuk	cece76d	2018-06-21 14:56:17 +0400	[diff] [blame]	214	firewall_driver: iptables_hybrid
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	215	message_queue:
				216	engine: rabbitmq
				217	host: 127.0.0.1
				218	port: 5672
				219	user: openstack
				220	password: pwd
				221	virtual_host: '/openstack'
				222	local_ip: 192.168.20.20 # br-mesh ip address
				223	dvr: True # disabled for non DVR use case
				224	agent_mode: dvr_snat
				225	metadata:
				226	host: 127.0.0.1
				227	password: pass
				228	backend:
				229	engine: ml2
				230	tenant_network_types: "flat,vxlan"
				231	mechanism:
Elena Ezhova	d6a080c	2017-10-09 15:25:16 +0400	[diff] [blame]	232	ovs:
				233	driver: openvswitch
Vasyl Saienko	4bd2d92	2018-07-27 09:56:38 +0000	[diff] [blame]	234	agents:
				235	dhcp:
				236	ovs_use_veth: False
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	237
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	238	Compute Node:
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	239
				240	.. code-block:: yaml
				241
				242	neutron:
				243	compute:
				244	enabled: True
				245	version: mitaka
				246	message_queue:
				247	engine: rabbitmq
				248	host: 127.0.0.1
				249	port: 5672
				250	user: openstack
				251	password: pwd
				252	virtual_host: '/openstack'
				253	local_ip: 192.168.20.20 # br-mesh ip address
				254	dvr: True # disabled for non DVR use case
				255	agent_mode: dvr
				256	external_access: false # Compute node with DVR for east-west only, Network Node has True as default
				257	metadata:
				258	host: 127.0.0.1
Vasyl Saienko	2fffc84	2017-06-14 10:35:26 +0300	[diff] [blame]	259	password: pass
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	260	backend:
				261	engine: ml2
				262	tenant_network_types: "flat,vxlan"
				263	mechanism:
Elena Ezhova	d6a080c	2017-10-09 15:25:16 +0400	[diff] [blame]	264	ovs:
				265	driver: openvswitch
Petr Michalec	61f7ab2	2016-11-29 16:29:09 +0100	[diff] [blame]	266	audit:
				267	enabled: false
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	268
Aleš Komárek	41e8231	2017-04-11 13:37:44 +0200	[diff] [blame]	269
Dzmitry Stremkouski	d5e89e5	2018-09-25 10:01:54 +0200	[diff] [blame]	270	Setting mac base address
				271	------------------------
				272
				273	By default neutron uses fa:16:3f:00:00:00 basement for mac generator.
				274	One can set it's own mac base both for dvr and nondvr cases.
				275
				276	NOTE: dvr_base_mac and base_mac SHOULD differ.
				277
				278	.. code-block:: yaml
				279
				280	neutron:
				281	server:
				282	base_mac: fa:16:3f:00:00:00
				283	dvr_base_mac: fa:16:3f:a0:00:00
				284
				285	gateways:
				286
				287	.. code-block:: yaml
				288
				289	neutron:
				290	gateway:
				291	base_mac: fa:16:3f:00:00:00
				292	dvr_base_mac: fa:16:3f:a0:00:00
				293
				294	compute nodes:
				295
				296	.. code-block:: yaml
				297
				298	neutron:
				299	compute:
				300	base_mac: fa:16:3f:00:00:00
				301	dvr_base_mac: fa:16:3f:a0:00:00
				302
				303
Dmitry Stremkouski	a3a4ab4	2017-10-23 17:37:12 +0300	[diff] [blame]	304	Disable physnet1 bridge
				305	-----------------------
				306
				307	By default we have external access turned on, so among any physnets in
				308	your reclass there would be additional one: physnet1, which is mapped to
				309	br-floating
				310
				311	If you need internal nets only without this bridge, remove br-floating
				312	and configurations mappings. Disable mappings for this bridge on
				313	neutron-servers:
				314
				315	.. code-block:: yaml
				316
				317	neutron:
				318	server:
				319	external_access: false
				320
				321	gateways:
				322
				323	.. code-block:: yaml
				324
				325	neutron:
				326	gateway:
				327	external_access: false
				328
				329	compute nodes:
				330
				331	.. code-block:: yaml
				332
				333	neutron:
				334	compute:
				335	external_access: false
				336
				337
Marcin Iwinski	c50137a	2018-01-22 14:18:24 +0100	[diff] [blame]	338	Add additional bridge mappings for OVS bridges
				339	----------------------------------------------
				340
				341	By default we have external access turned on, so among any physnets in
				342	your reclass there would be additional one: physnet1, which is mapped to
				343	br-floating
				344
				345	If you need to add extra non-default bridge mappings they can be defined
				346	separately for both gateways and compute nodes:
				347
				348	gateways:
				349
				350	.. code-block:: yaml
				351
				352	neutron:
				353	gateway:
				354	bridge_mappings:
				355	physnet4: br-floating-internet
				356
				357	compute nodes:
				358
				359	.. code-block:: yaml
				360
				361	neutron:
				362	compute:
				363	bridge_mappings:
				364	physnet4: br-floating-internet
				365
				366
Dmitry Stremkouski	4b41022	2017-11-18 11:29:55 +0300	[diff] [blame]	367	Specify different mtu values for different physnets
				368	---------------------------------------------------
				369
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	370	Neutron Server:
Dmitry Stremkouski	4b41022	2017-11-18 11:29:55 +0300	[diff] [blame]	371
				372	.. code-block:: yaml
				373
				374	neutron:
				375	server:
				376	version: mitaka
				377	backend:
				378	external_mtu: 1500
				379	tenant_net_mtu: 9000
				380	ironic_net_mtu: 9000
				381
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	382	Neutron VXLAN tenant networks with Network Nodes (non DVR)
Aleš Komárek	41e8231	2017-04-11 13:37:44 +0200	[diff] [blame]	383	----------------------------------------------------------
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	384
				385	This section describes a network solution that utilises VxLAN overlay
				386	networks without DVR with all routers being managed on the network nodes.
				387
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	388	Neutron Server:
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	389
				390	.. code-block:: yaml
				391
				392	neutron:
				393	server:
				394	version: mitaka
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	395	bind:
				396	address: 172.20.0.1
				397	port: 9696
				398	database:
				399	engine: mysql
				400	host: 127.0.0.1
				401	port: 3306
				402	name: neutron
				403	user: neutron
				404	password: pwd
				405	identity:
				406	engine: keystone
				407	host: 127.0.0.1
				408	port: 35357
				409	user: neutron
				410	password: pwd
				411	tenant: service
Dennis Dmitriev	3711472	2017-03-06 16:52:26 +0200	[diff] [blame]	412	endpoint_type: internal
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	413	message_queue:
				414	engine: rabbitmq
				415	host: 127.0.0.1
				416	port: 5672
				417	user: openstack
				418	password: pwd
				419	virtual_host: '/openstack'
				420	global_physnet_mtu: 9000
				421	l3_ha: True
				422	dvr: False
				423	backend:
				424	engine: ml2
				425	tenant_network_types= "flat,vxlan"
				426	external_mtu: 9000
				427	mechanism:
Elena Ezhova	d6a080c	2017-10-09 15:25:16 +0400	[diff] [blame]	428	ovs:
				429	driver: openvswitch
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	430
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	431	Network Node:
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	432
				433	.. code-block:: yaml
				434
				435	neutron:
				436	gateway:
				437	enabled: True
				438	version: mitaka
				439	message_queue:
				440	engine: rabbitmq
				441	host: 127.0.0.1
				442	port: 5672
				443	user: openstack
				444	password: pwd
				445	virtual_host: '/openstack'
				446	local_ip: 192.168.20.20 # br-mesh ip address
				447	dvr: False
				448	agent_mode: legacy
Simon Pasquier	c03af11	2017-04-10 10:35:14 +0200	[diff] [blame]	449	availability_zone: az1
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	450	metadata:
				451	host: 127.0.0.1
				452	password: pass
				453	backend:
				454	engine: ml2
				455	tenant_network_types: "flat,vxlan"
				456	mechanism:
Elena Ezhova	d6a080c	2017-10-09 15:25:16 +0400	[diff] [blame]	457	ovs:
				458	driver: openvswitch
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	459
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	460	Compute Node:
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	461
				462	.. code-block:: yaml
				463
				464	neutron:
				465	compute:
				466	enabled: True
				467	version: mitaka
				468	message_queue:
				469	engine: rabbitmq
				470	host: 127.0.0.1
				471	port: 5672
				472	user: openstack
				473	password: pwd
				474	virtual_host: '/openstack'
				475	local_ip: 192.168.20.20 # br-mesh ip address
				476	external_access: False
Vasyl Saienko	2fffc84	2017-06-14 10:35:26 +0300	[diff] [blame]	477	dvr: False
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	478	backend:
				479	engine: ml2
				480	tenant_network_types: "flat,vxlan"
				481	mechanism:
Elena Ezhova	d6a080c	2017-10-09 15:25:16 +0400	[diff] [blame]	482	ovs:
				483	driver: openvswitch
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	484
Aleš Komárek	41e8231	2017-04-11 13:37:44 +0200	[diff] [blame]	485	Neutron VXLAN tenant networks with Network Nodes with DVR
				486	---------------------------------------------------------
				487
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	488	With DVR for East-West and North-South, DVR everywhere, Network
				489	node for SNAT.
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	490
Vasyl Saienko	2fffc84	2017-06-14 10:35:26 +0300	[diff] [blame]	491	This section describes a network solution that utilises VxLAN
				492	overlay networks with DVR with North-South and East-West. Network
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	493	Node is used only for SNAT.
				494
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	495	Neutron Server:
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	496
				497	.. code-block:: yaml
				498
				499	neutron:
				500	server:
				501	version: mitaka
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	502	bind:
				503	address: 172.20.0.1
				504	port: 9696
				505	database:
				506	engine: mysql
				507	host: 127.0.0.1
				508	port: 3306
				509	name: neutron
				510	user: neutron
				511	password: pwd
				512	identity:
				513	engine: keystone
				514	host: 127.0.0.1
				515	port: 35357
				516	user: neutron
				517	password: pwd
				518	tenant: service
Dennis Dmitriev	3711472	2017-03-06 16:52:26 +0200	[diff] [blame]	519	endpoint_type: internal
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	520	message_queue:
				521	engine: rabbitmq
				522	host: 127.0.0.1
				523	port: 5672
				524	user: openstack
				525	password: pwd
				526	virtual_host: '/openstack'
				527	global_physnet_mtu: 9000
				528	l3_ha: False
				529	dvr: True
				530	backend:
				531	engine: ml2
				532	tenant_network_types= "flat,vxlan"
				533	external_mtu: 9000
				534	mechanism:
Elena Ezhova	d6a080c	2017-10-09 15:25:16 +0400	[diff] [blame]	535	ovs:
				536	driver: openvswitch
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	537
Vasyl Saienko	0b2451b	2018-12-16 19:38:38 +0000	[diff] [blame^]	538	Configuring networking-generic-switch ml2 plugin used for
				539	baremetal integration:
				540
				541	.. code-block:: yaml
				542
				543	neutron:
				544	server:
				545	backend:
				546	mechanism:
				547	ngs:
				548	driver: genericswitch
				549	n_g_s:
				550	enabled: true
				551	coordination:
				552	enabled: true
				553	backend_url: "etcd3+http://1.2.3.4:2379"
				554	devices:
				555	s1brbm:
				556	options:
				557	device_type:
				558	value: netmiko_ovs_linux
				559	ip:
				560	value: 1.2.3.4
				561	username:
				562	value: ngs_ovs_manager
				563	password:
				564	value: password
				565
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	566	Network Node:
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	567
				568	.. code-block:: yaml
				569
				570	neutron:
				571	gateway:
				572	enabled: True
				573	version: mitaka
				574	message_queue:
				575	engine: rabbitmq
				576	host: 127.0.0.1
				577	port: 5672
				578	user: openstack
				579	password: pwd
				580	virtual_host: '/openstack'
				581	local_ip: 192.168.20.20 # br-mesh ip address
				582	dvr: True
				583	agent_mode: dvr_snat
Simon Pasquier	c03af11	2017-04-10 10:35:14 +0200	[diff] [blame]	584	availability_zone: az1
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	585	metadata:
				586	host: 127.0.0.1
				587	password: pass
				588	backend:
				589	engine: ml2
				590	tenant_network_types: "flat,vxlan"
				591	mechanism:
Elena Ezhova	d6a080c	2017-10-09 15:25:16 +0400	[diff] [blame]	592	ovs:
				593	driver: openvswitch
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	594
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	595	Compute Node:
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	596
				597	.. code-block:: yaml
				598
				599	neutron:
				600	compute:
				601	enabled: True
				602	version: mitaka
				603	message_queue:
				604	engine: rabbitmq
				605	host: 127.0.0.1
				606	port: 5672
				607	user: openstack
				608	password: pwd
				609	virtual_host: '/openstack'
				610	local_ip: 192.168.20.20 # br-mesh ip address
				611	dvr: True
Vasyl Saienko	2fffc84	2017-06-14 10:35:26 +0300	[diff] [blame]	612	external_access: True
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	613	agent_mode: dvr
Simon Pasquier	c03af11	2017-04-10 10:35:14 +0200	[diff] [blame]	614	availability_zone: az1
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	615	metadata:
				616	host: 127.0.0.1
				617	password: pass
				618	backend:
				619	engine: ml2
				620	tenant_network_types: "flat,vxlan"
				621	mechanism:
Elena Ezhova	d6a080c	2017-10-09 15:25:16 +0400	[diff] [blame]	622	ovs:
				623	driver: openvswitch
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	624
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	625	Sample Linux network configuration for DVR:
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	626
				627	.. code-block:: yaml
				628
				629	linux:
				630	network:
				631	bridge: openvswitch
				632	interface:
				633	eth1:
				634	enabled: true
				635	type: eth
				636	mtu: 9000
				637	proto: manual
				638	eth2:
				639	enabled: true
				640	type: eth
				641	mtu: 9000
				642	proto: manual
				643	eth3:
				644	enabled: true
				645	type: eth
				646	mtu: 9000
				647	proto: manual
				648	br-int:
				649	enabled: true
				650	mtu: 9000
				651	type: ovs_bridge
				652	br-floating:
				653	enabled: true
				654	mtu: 9000
				655	type: ovs_bridge
				656	float-to-ex:
				657	enabled: true
				658	type: ovs_port
				659	mtu: 65000
				660	bridge: br-floating
				661	br-mgmt:
				662	enabled: true
				663	type: bridge
				664	mtu: 9000
				665	address: ${_param:single_address}
				666	netmask: 255.255.255.0
				667	use_interfaces:
				668	- eth1
				669	br-mesh:
				670	enabled: true
				671	type: bridge
				672	mtu: 9000
				673	address: ${_param:tenant_address}
				674	netmask: 255.255.255.0
				675	use_interfaces:
				676	- eth2
				677	br-ex:
				678	enabled: true
				679	type: bridge
				680	mtu: 9000
				681	address: ${_param:external_address}
				682	netmask: 255.255.255.0
				683	use_interfaces:
				684	- eth3
				685	use_ovs_ports:
				686	- float-to-ex
				687
Thom Gerdes	3282d07	2017-05-30 22:06:04 +0000	[diff] [blame]	688	Additonal VXLAN tenant network settings
				689	---------------------------------------
				690
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	691	The default multicast group of ``224.0.0.1`` only multicasts
				692	to a single subnet. Allow overriding it to allow larger underlay
				693	network topologies.
Thom Gerdes	3282d07	2017-05-30 22:06:04 +0000	[diff] [blame]	694
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	695	Neutron Server:
Thom Gerdes	3282d07	2017-05-30 22:06:04 +0000	[diff] [blame]	696
				697	.. code-block:: yaml
				698
				699	neutron:
				700	server:
				701	vxlan:
				702	group: 239.0.0.0/8
				703	vni_ranges: "2:65535"
				704
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	705	Neutron VLAN tenant networks with Network Nodes
Aleš Komárek	41e8231	2017-04-11 13:37:44 +0200	[diff] [blame]	706	-----------------------------------------------
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	707
				708	VLAN tenant provider
				709
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	710	Neutron Server only:
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	711
				712	.. code-block:: yaml
				713
				714	neutron:
				715	server:
				716	version: mitaka
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	717	...
				718	global_physnet_mtu: 9000
				719	l3_ha: False
				720	dvr: True
				721	backend:
				722	engine: ml2
				723	tenant_network_types: "flat,vlan" # Can be mixed flat,vlan,vxlan
				724	tenant_vlan_range: "1000:2000"
				725	external_vlan_range: "100:200" # Does not have to be defined.
				726	external_mtu: 9000
				727	mechanism:
Elena Ezhova	d6a080c	2017-10-09 15:25:16 +0400	[diff] [blame]	728	ovs:
				729	driver: openvswitch
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	730
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	731	Compute node:
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	732
				733	.. code-block:: yaml
				734
				735	neutron:
				736	compute:
				737	version: mitaka
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	738	...
				739	dvr: True
				740	agent_mode: dvr
				741	external_access: False
				742	backend:
				743	engine: ml2
				744	tenant_network_types: "flat,vlan" # Can be mixed flat,vlan,vxlan
				745	mechanism:
Elena Ezhova	d6a080c	2017-10-09 15:25:16 +0400	[diff] [blame]	746	ovs:
				747	driver: openvswitch
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	748
Oleg Bondarev	ddb9af1	2018-07-02 19:07:57 +0400	[diff] [blame]	749	Neutron with explicit physical networks
				750	---------------------------------------
Oleg Bondarev	ada324f	2018-06-04 14:55:38 +0400	[diff] [blame]	751
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	752	Neutron Server only:
Oleg Bondarev	ada324f	2018-06-04 14:55:38 +0400	[diff] [blame]	753
				754	.. code-block:: yaml
				755
				756	neutron:
				757	server:
				758	version: ocata
				759	...
				760	backend:
				761	engine: ml2
				762	tenant_network_types: "flat,vlan" # Can be mixed flat,vlan,vxlan
				763	...
Oleg Bondarev	ddb9af1	2018-07-02 19:07:57 +0400	[diff] [blame]	764	# also need to configure corresponding bridge_mappings on
Oleg Bondarev	ada324f	2018-06-04 14:55:38 +0400	[diff] [blame]	765	# compute and gateway nodes
Oleg Bondarev	47d9e2d	2018-07-03 13:22:26 +0400	[diff] [blame]	766	flat_networks_default: '' # '' to allow arbitrary names or '' to disable
Oleg Bondarev	ddb9af1	2018-07-02 19:07:57 +0400	[diff] [blame]	767	physnets: # only listed physnets will be configured (overrides physnet1/2/3)
				768	external:
				769	mtu: 1500
Oleg Bondarev	47d9e2d	2018-07-03 13:22:26 +0400	[diff] [blame]	770	types:
				771	- flat # possible values - 'flat' or 'vlan'
Oleg Bondarev	ada324f	2018-06-04 14:55:38 +0400	[diff] [blame]	772	sriov_net:
				773	mtu: 9000 # Optional, defaults to 1500
Oleg Bondarev	ab32411	2018-11-19 17:56:57 +0400	[diff] [blame]	774	vlan_range: '100:200,300:400' # Optional
Oleg Bondarev	47d9e2d	2018-07-03 13:22:26 +0400	[diff] [blame]	775	types:
				776	- vlan
Oleg Bondarev	ada324f	2018-06-04 14:55:38 +0400	[diff] [blame]	777	ext_net2:
				778	mtu: 1500
Oleg Bondarev	47d9e2d	2018-07-03 13:22:26 +0400	[diff] [blame]	779	types:
				780	- flat
				781	- vlan
Oleg Bondarev	ada324f	2018-06-04 14:55:38 +0400	[diff] [blame]	782	mechanism:
				783	ovs:
				784	driver: openvswitch
				785
Aleš Komárek	41e8231	2017-04-11 13:37:44 +0200	[diff] [blame]	786	Advanced Neutron Features (DPDK, SR-IOV)
Oleg Bondarev	0575ae4	2017-07-28 16:36:25 +0400	[diff] [blame]	787	----------------------------------------
Aleš Komárek	41e8231	2017-04-11 13:37:44 +0200	[diff] [blame]	788
Jakub Pavlik	8f83ccc	2017-02-27 11:15:39 +0100	[diff] [blame]	789	Neutron OVS DPDK
Jakub Pavlik	8f83ccc	2017-02-27 11:15:39 +0100	[diff] [blame]	790
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	791	Enable datapath netdev for neutron openvswitch agent:
Jakub Pavlik	8f83ccc	2017-02-27 11:15:39 +0100	[diff] [blame]	792
				793	.. code-block:: yaml
				794
				795	neutron:
				796	server:
				797	version: mitaka
				798	...
				799	dpdk: True
				800	...
				801
				802	neutron:
				803	compute:
				804	version: mitaka
Jakub Pavlik	8f83ccc	2017-02-27 11:15:39 +0100	[diff] [blame]	805	dpdk: True
Michael Polenchuk	5291165	2018-04-12 22:09:49 +0400	[diff] [blame]	806	vhost_mode: client # options: client\|server (default)
Oleg Bondarev	ee7e830	2017-10-16 17:20:38 +0400	[diff] [blame]	807	vhost_socket_dir: /var/run/openvswitch
Jakub Pavlik	8f83ccc	2017-02-27 11:15:39 +0100	[diff] [blame]	808	backend:
				809	engine: ml2
				810	...
				811	mechanism:
Elena Ezhova	d6a080c	2017-10-09 15:25:16 +0400	[diff] [blame]	812	ovs:
				813	driver: openvswitch
Jakub Pavlik	8f83ccc	2017-02-27 11:15:39 +0100	[diff] [blame]	814
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	815	Neutron OVS SR-IOV:
Jakub Pavlik	70555cb	2017-02-26 18:48:02 +0100	[diff] [blame]	816
				817	.. code-block:: yaml
				818
				819	neutron:
				820	server:
				821	version: mitaka
Jakub Pavlik	70555cb	2017-02-26 18:48:02 +0100	[diff] [blame]	822	backend:
				823	engine: ml2
				824	...
				825	mechanism:
Elena Ezhova	d6a080c	2017-10-09 15:25:16 +0400	[diff] [blame]	826	ovs:
				827	driver: openvswitch
				828	sriov:
				829	driver: sriovnicswitch
Michael Polenchuk	0bf59a7	2018-06-19 18:06:56 +0400	[diff] [blame]	830	# Driver w/ highest number will be placed ahead in the list (default is 0).
				831	# It's recommended for SR-IOV driver to set an order >0 to get it
				832	# before (for example) the opendaylight one.
				833	order: 9
Jakub Pavlik	70555cb	2017-02-26 18:48:02 +0100	[diff] [blame]	834
				835	neutron:
				836	compute:
				837	version: mitaka
Jakub Pavlik	70555cb	2017-02-26 18:48:02 +0100	[diff] [blame]	838	...
				839	backend:
				840	engine: ml2
				841	tenant_network_types: "flat,vlan" # Can be mixed flat,vlan,vxlan
				842	sriov:
				843	nic_one:
				844	devname: eth1
				845	physical_network: physnet3
				846	mechanism:
Elena Ezhova	d6a080c	2017-10-09 15:25:16 +0400	[diff] [blame]	847	ovs:
				848	driver: openvswitch
Jakub Pavlik	70555cb	2017-02-26 18:48:02 +0100	[diff] [blame]	849
cdodda	c35c9eb	2018-11-07 23:18:10 -0600	[diff] [blame]	850	Neutron with LinuxBridge Agents
				851	-------------------------------
				852
				853	.. code-block:: yaml
				854
				855	neutron:
				856	server:
				857	firewall_driver: iptables
				858	backend:
				859	mechanism:
				860	lb:
				861	driver: linuxbridge
				862	....
				863	compute:
				864	backend:
				865	mechanism:
				866	lb:
				867	driver: linuxbridge
				868	....
				869	gateway:
				870	backend:
				871	mechanism:
				872	lb:
				873	driver: linuxbridge
				874	agents:
				875	dhcp:
				876	interface_driver: linuxbridge
				877	l3:
				878	interface_driver: linuxbridge
				879
				880
Ilya Chukhnakov	f4c2bb3	2017-06-08 02:03:15 +0300	[diff] [blame]	881	Neutron with VLAN-aware-VMs
Oleg Bondarev	0575ae4	2017-07-28 16:36:25 +0400	[diff] [blame]	882	---------------------------
Ilya Chukhnakov	f4c2bb3	2017-06-08 02:03:15 +0300	[diff] [blame]	883
				884	.. code-block:: yaml
				885
				886	neutron:
				887	server:
				888	vlan_aware_vms: true
				889	....
				890	compute:
				891	vlan_aware_vms: true
				892	....
				893	gateway:
				894	vlan_aware_vms: true
				895
Oleg Bondarev	acb2e53	2018-03-06 10:43:59 +0400	[diff] [blame]	896	Neutron with BGP VPN (BaGPipe driver)
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	897	-------------------------------------
Oleg Bondarev	b63d27f	2018-02-14 19:21:06 +0400	[diff] [blame]	898
				899	.. code-block:: yaml
				900
				901	neutron:
				902	server:
				903	version: pike
				904	bgp_vpn:
Oleg Bondarev	acb2e53	2018-03-06 10:43:59 +0400	[diff] [blame]	905	enabled: true
Michael Polenchuk	0b3c5dd	2018-06-27 12:04:32 +0400	[diff] [blame]	906	driver: bagpipe # Options: bagpipe/opencontrail/opendaylight[_v2]
Oleg Bondarev	b63d27f	2018-02-14 19:21:06 +0400	[diff] [blame]	907	....
				908	compute:
				909	version: pike
				910	bgp_vpn:
Oleg Bondarev	acb2e53	2018-03-06 10:43:59 +0400	[diff] [blame]	911	enabled: true
Michael Polenchuk	0b3c5dd	2018-06-27 12:04:32 +0400	[diff] [blame]	912	driver: bagpipe # Options: bagpipe/opencontrail/opendaylight[_v2]
Oleg Bondarev	acb2e53	2018-03-06 10:43:59 +0400	[diff] [blame]	913	bagpipe:
				914	local_address: 192.168.20.20 # IP address for mpls/gre tunnels
				915	peers: 192.168.20.30 # IP addresses of BGP peers
				916	autonomous_system: 64512 # Autonomous System number
				917	enable_rtc: True # Enable RT Constraint (RFC4684)
Oleg Bondarev	b63d27f	2018-02-14 19:21:06 +0400	[diff] [blame]	918	backend:
Oleg Bondarev	878ac46	2018-04-23 17:48:15 +0400	[diff] [blame]	919	ovs_extension: # for OVS agent only, not supported in SRIOV agent
Oleg Bondarev	b63d27f	2018-02-14 19:21:06 +0400	[diff] [blame]	920	bagpipe_bgpvpn:
				921	enabled: True
				922
Oleksii Chupryn	16cb4e0	2018-02-26 14:20:39 +0200	[diff] [blame]	923	Neutron with DHCP agent on compute node
				924	---------------------------------------
				925
				926	.. code-block:: yaml
				927
				928	neutron:
				929	....
				930	compute:
				931	dhcp_agent_enabled: true
				932	....
				933
Dzmitry Stremkouski	48df2a7	2018-10-12 16:38:11 +0200	[diff] [blame]	934	Neutron with metadata agent on compute node
				935	-------------------------------------------
				936
				937	.. code-block:: yaml
				938
				939	neutron:
				940	....
				941	compute:
				942	metadata_agent_enabled: true
				943	....
				944
Oleg Bondarev	0575ae4	2017-07-28 16:36:25 +0400	[diff] [blame]	945	Neutron with OVN
				946	----------------
				947
				948	Control node:
				949
				950	.. code-block:: yaml
				951
				952	neutron:
				953	server:
				954	backend:
				955	engine: ovn
				956	mechanism:
				957	ovn:
				958	driver: ovn
				959	tenant_network_types: "geneve,flat"
Michael Polenchuk	f59229b	2018-06-19 16:24:49 +0400	[diff] [blame]	960	ovn:
				961	ovn_l3_scheduler: leastloaded # valid options: chance, leastloaded
				962	neutron_sync_mode: repair # valid options: log, off, repair
Michael Polenchuk	58161ef	2018-05-15 18:04:09 +0400	[diff] [blame]	963	metadata_enabled: True
Michael Polenchuk	a3d492b	2017-12-27 15:49:43 +0400	[diff] [blame]	964	ovn_ctl_opts:
				965	db-nb-create-insecure-remote: 'yes'
				966	db-sb-create-insecure-remote: 'yes'
Oleg Bondarev	0575ae4	2017-07-28 16:36:25 +0400	[diff] [blame]	967
				968	Compute node:
				969
				970	.. code-block:: yaml
				971
				972	neutron:
				973	compute:
				974	local_ip: 10.2.0.105
				975	controller_vip: 10.1.0.101
				976	external_access: false
				977	backend:
				978	engine: ovn
Michael Polenchuk	58161ef	2018-05-15 18:04:09 +0400	[diff] [blame]	979	ovsdb_connection: tcp:127.0.0.1:6640
				980	metadata:
				981	enabled: true
				982	ovsdb_server_iface: ptcp:6640:127.0.0.1
				983	host: 10.1.0.101
				984	password: unsegreto
				985
Oleg Bondarev	0575ae4	2017-07-28 16:36:25 +0400	[diff] [blame]	986
Michael Polenchuk	cccd1a5	2018-02-02 17:41:16 +0400	[diff] [blame]	987	Neutron L2 Gateway
				988	----------------
				989
				990	Control node:
				991
				992	.. code-block:: yaml
				993
				994	neutron:
				995	server:
				996	version: pike
				997	l2gw:
				998	enabled: true
				999	periodic_monitoring_interval: 5
				1000	quota_l2_gateway: 20
				1001	# service_provider=<service_type>:<name>:<driver>[:default]
				1002	service_provider: L2GW:OpenDaylight:networking_odl.l2gateway.driver.OpenDaylightL2gwDriver:default
				1003	backend:
				1004	engine: ml2
				1005
				1006	Network/Gateway node:
				1007
				1008	.. code-block:: yaml
				1009
				1010	neutron:
				1011	gateway:
				1012	version: pike
				1013	l2gw:
				1014	enabled: true
				1015	debug: true
				1016	socket_timeout: 20
				1017	ovsdb_hosts:
				1018	# <ovsdb_name>: <ip address>:<port>
				1019	# - ovsdb_name: a user defined symbolic identifier of physical switch
				1020	# - ip address: the address or dns name for the OVSDB server (i.e. pointer to the switch)
				1021	ovsdb1: 10.164.5.33:6632
				1022	ovsdb2: 10.164.4.33:6632
				1023
				1024
Michael Polenchuk	87d2b74	2017-06-29 12:05:25 +0400	[diff] [blame]	1025	OpenDaylight integration
				1026	------------------------
				1027
				1028	Control node:
				1029
				1030	.. code-block:: yaml
				1031
				1032	neutron:
				1033	server:
				1034	backend:
				1035	opendaylight: true
				1036	router: odl-router_v2
				1037	host: 10.20.0.77
				1038	rest_api_port: 8282
				1039	user: admin
				1040	password: admin
				1041	ovsdb_connection: tcp:127.0.0.1:6639
Oleksii Chupryn	fed7957	2018-07-20 14:11:35 +0300	[diff] [blame]	1042	ovsdb_interface: native
Michael Polenchuk	87d2b74	2017-06-29 12:05:25 +0400	[diff] [blame]	1043	enable_websocket: true
				1044	enable_dhcp_service: false
				1045	mechanism:
				1046	ovs:
				1047	driver: opendaylight_v2
Michael Polenchuk	0bf59a7	2018-06-19 18:06:56 +0400	[diff] [blame]	1048	order: 1
Michael Polenchuk	87d2b74	2017-06-29 12:05:25 +0400	[diff] [blame]	1049
				1050	Network/Gateway node:
				1051
				1052	.. code-block:: yaml
				1053
				1054	neutron:
				1055	gateway:
				1056	backend:
				1057	router: odl-router_v2
				1058	ovsdb_connection: tcp:127.0.0.1:6639
Oleksii Chupryn	fed7957	2018-07-20 14:11:35 +0300	[diff] [blame]	1059	ovsdb_interface: native
Michael Polenchuk	87d2b74	2017-06-29 12:05:25 +0400	[diff] [blame]	1060	opendaylight:
				1061	ovsdb_server_iface: ptcp:6639:127.0.0.1
				1062	ovsdb_odl_iface: tcp:10.20.0.77:6640
				1063	tunnel_ip: 10.1.0.110
				1064	provider_mappings: physnet1:br-floating
				1065
				1066	Compute node:
				1067
				1068	.. code-block:: yaml
				1069
				1070	neutron:
				1071	compute:
				1072	opendaylight:
				1073	ovsdb_server_iface: ptcp:6639:127.0.0.1
				1074	ovsdb_odl_iface: tcp:10.20.0.77:6640
				1075	tunnel_ip: 10.1.0.105
				1076	provider_mappings: physnet1:br-floating
				1077
				1078
Michael Polenchuk	9cccecc	2018-09-14 14:54:18 +0400	[diff] [blame]	1079	Service Function Chaining Extension (SFC)
				1080	----------------
				1081
				1082	.. code-block:: yaml
				1083
				1084	neutron:
				1085	server:
				1086	sfc:
				1087	enabled: true
				1088	sfc_drivers:
				1089	- ovs # valid options: ovs, odl, ovn (not implemented yet)
				1090	flow_classifier_drivers:
				1091	- ovs # valid options: see above
				1092	....
				1093	compute:
				1094	backend:
				1095	ovs_extension:
				1096	sfc:
				1097	enabled: True
				1098
				1099
Aleš Komárek	41e8231	2017-04-11 13:37:44 +0200	[diff] [blame]	1100	Neutron Server
				1101	--------------
				1102
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1103	Neutron Server with OpenContrail:
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	1104
				1105	.. code-block:: yaml
				1106
				1107	neutron:
				1108	server:
marco	a4428a3	2016-06-10 11:50:16 +0200	[diff] [blame]	1109	backend:
				1110	engine: contrail
				1111	host: contrail_discovery_host
				1112	port: 8082
				1113	user: admin
				1114	password: password
				1115	tenant: admin
				1116	token: token
				1117
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1118	Neutron Server with Midonet:
marco	a4428a3	2016-06-10 11:50:16 +0200	[diff] [blame]	1119
				1120	.. code-block:: yaml
				1121
				1122	neutron:
				1123	server:
				1124	backend:
				1125	engine: midonet
				1126	host: midonet_api_host
				1127	port: 8181
				1128	user: admin
				1129	password: password
				1130
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1131	Neutron Server with NSX:
Vasyl Saienko	4549efe	2018-07-26 16:06:04 +0000	[diff] [blame]	1132
				1133	.. code-block:: yaml
				1134
				1135	neutron:
				1136	server:
				1137	backend:
				1138	engine: vmware
				1139	core_plugin: vmware_nsxv3
				1140	vmware:
				1141	nsx:
				1142	extension_drivers:
				1143	- vmware_nsxv3_dns
				1144	v3:
				1145	api_password: nsx_password
				1146	api_user: nsx_username
				1147	api_managers:
				1148	01:
				1149	scheme: https
				1150	host: 192.168.10.120
				1151	port: '443'
				1152	insecure: true
				1153
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1154	Neutron Keystone region:
Jakub Pavlik	6dd5c0a	2016-03-09 14:18:15 +0100	[diff] [blame]	1155
				1156	.. code-block:: yaml
				1157
				1158	neutron:
				1159	server:
				1160	enabled: true
				1161	version: kilo
				1162	...
				1163	identity:
				1164	region: RegionTwo
				1165	...
				1166	compute:
				1167	region: RegionTwo
				1168	...
				1169
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1170	Client-side RabbitMQ HA setup:
Jiri Konecny	93b1999	2016-04-12 11:15:39 +0200	[diff] [blame]	1171
				1172	.. code-block:: yaml
				1173
				1174	neutron:
				1175	server:
				1176	....
				1177	message_queue:
				1178	engine: rabbitmq
				1179	members:
				1180	- host: 10.0.16.1
				1181	- host: 10.0.16.2
				1182	- host: 10.0.16.3
				1183	user: openstack
				1184	password: pwd
				1185	virtual_host: '/openstack'
				1186	....
				1187
Kirill Bespalov	dd748b6	2017-11-21 10:42:57 +0300	[diff] [blame]	1188	Configuring TLS communications
				1189	------------------------------
Kirill Bespalov	8fffe02	2017-08-03 17:55:02 +0300	[diff] [blame]	1190
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1191	.. note:: By default, system-wide installed CA certs are used,
				1192	so ``cacert_file`` param is optional, as well as ``cacert``.
Kirill Bespalov	dd748b6	2017-11-21 10:42:57 +0300	[diff] [blame]	1193
				1194	- RabbitMQ TLS
Kirill Bespalov	8fffe02	2017-08-03 17:55:02 +0300	[diff] [blame]	1195
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1196	.. code-block:: yaml
Kirill Bespalov	8fffe02	2017-08-03 17:55:02 +0300	[diff] [blame]	1197
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1198	neutron:
				1199	server, gateway, compute:
				1200	message_queue:
				1201	port: 5671
				1202	ssl:
				1203	enabled: True
				1204	(optional) cacert: cert body if the cacert_file does not exists
				1205	(optional) cacert_file: /etc/openstack/rabbitmq-ca.pem
				1206	(optional) version: TLSv1_2
Kirill Bespalov	8fffe02	2017-08-03 17:55:02 +0300	[diff] [blame]	1207
Kirill Bespalov	dd748b6	2017-11-21 10:42:57 +0300	[diff] [blame]	1208	- MySQL TLS
Kirill Bespalov	8fffe02	2017-08-03 17:55:02 +0300	[diff] [blame]	1209
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1210	.. code-block:: yaml
Kirill Bespalov	8fffe02	2017-08-03 17:55:02 +0300	[diff] [blame]	1211
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1212	neutron:
				1213	server:
				1214	database:
				1215	ssl:
				1216	enabled: True
				1217	(optional) cacert: cert body if the cacert_file does not exists
				1218	(optional) cacert_file: /etc/openstack/mysql-ca.pem
Kirill Bespalov	8fffe02	2017-08-03 17:55:02 +0300	[diff] [blame]	1219
Kirill Bespalov	dd748b6	2017-11-21 10:42:57 +0300	[diff] [blame]	1220	- Openstack HTTPS API
				1221
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1222	.. code-block:: yaml
Kirill Bespalov	8fffe02	2017-08-03 17:55:02 +0300	[diff] [blame]	1223
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1224	neutron:
				1225	server:
				1226	identity:
				1227	protocol: https
				1228	(optional) cacert_file: /etc/openstack/proxy.pem
Kirill Bespalov	8fffe02	2017-08-03 17:55:02 +0300	[diff] [blame]	1229
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1230	Enable auditing filter, ie: CADF:
Petr Michalec	61f7ab2	2016-11-29 16:29:09 +0100	[diff] [blame]	1231
				1232	.. code-block:: yaml
				1233
				1234	neutron:
				1235	server:
				1236	audit:
				1237	enabled: true
				1238	....
				1239	filter_factory: 'keystonemiddleware.audit:filter_factory'
				1240	map_file: '/etc/pycadf/neutron_api_audit_map.conf'
				1241	....
				1242	compute:
				1243	audit:
				1244	enabled: true
				1245	....
				1246	filter_factory: 'keystonemiddleware.audit:filter_factory'
				1247	map_file: '/etc/pycadf/neutron_api_audit_map.conf'
				1248	....
Jiri Konecny	93b1999	2016-04-12 11:15:39 +0200	[diff] [blame]	1249
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1250	Neutron with security groups disabled:
Oleg Bondarev	98870a3	2017-05-29 16:53:19 +0400	[diff] [blame]	1251
				1252	.. code-block:: yaml
				1253
				1254	neutron:
				1255	server:
				1256	security_groups_enabled: False
				1257	....
				1258	compute:
				1259	security_groups_enabled: False
				1260	....
				1261	gateway:
				1262	security_groups_enabled: False
				1263
Jiri Konecny	93b1999	2016-04-12 11:15:39 +0200	[diff] [blame]	1264
Aleš Komárek	41e8231	2017-04-11 13:37:44 +0200	[diff] [blame]	1265	Neutron Client
				1266	--------------
Jiri Broulik	5368cc5	2017-02-08 18:53:59 +0100	[diff] [blame]	1267
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1268	Neutron networks:
Jiri Broulik	5368cc5	2017-02-08 18:53:59 +0100	[diff] [blame]	1269
				1270	.. code-block:: yaml
				1271
				1272	neutron:
				1273	client:
				1274	enabled: true
				1275	server:
				1276	identity:
Richard Felkl	aac256a	2017-03-23 15:43:49 +0100	[diff] [blame]	1277	endpoint_type: internalURL
Jiri Broulik	5368cc5	2017-02-08 18:53:59 +0100	[diff] [blame]	1278	network:
				1279	inet1:
				1280	tenant: demo
				1281	shared: False
				1282	admin_state_up: True
				1283	router_external: True
				1284	provider_physical_network: inet
				1285	provider_network_type: flat
				1286	provider_segmentation_id: 2
				1287	subnet:
				1288	inet1-subnet1:
				1289	cidr: 192.168.90.0/24
				1290	enable_dhcp: False
				1291	inet2:
				1292	tenant: admin
				1293	shared: False
				1294	router_external: True
				1295	provider_network_type: "vlan"
				1296	subnet:
				1297	inet2-subnet1:
				1298	cidr: 192.168.92.0/24
				1299	enable_dhcp: False
				1300	inet2-subnet2:
				1301	cidr: 192.168.94.0/24
				1302	enable_dhcp: True
				1303	identity1:
				1304	network:
				1305	...
				1306
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1307	Neutron routers:
Jiri Broulik	5368cc5	2017-02-08 18:53:59 +0100	[diff] [blame]	1308
				1309	.. code-block:: yaml
				1310
				1311	neutron:
				1312	client:
				1313	enabled: true
				1314	server:
				1315	identity:
Richard Felkl	aac256a	2017-03-23 15:43:49 +0100	[diff] [blame]	1316	endpoint_type: internalURL
Jiri Broulik	5368cc5	2017-02-08 18:53:59 +0100	[diff] [blame]	1317	router:
				1318	inet1-router:
				1319	tenant: demo
				1320	admin_state_up: True
				1321	gateway_network: inet
				1322	interfaces:
				1323	- inet1-subnet1
				1324	- inet1-subnet2
				1325	identity1:
				1326	router:
				1327	...
				1328
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1329	.. TODO implement adding new interfaces to a router while updating it
Jiri Broulik	5368cc5	2017-02-08 18:53:59 +0100	[diff] [blame]	1330
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1331	Neutron security groups:
Jiri Broulik	5368cc5	2017-02-08 18:53:59 +0100	[diff] [blame]	1332
				1333	.. code-block:: yaml
				1334
				1335	neutron:
				1336	client:
				1337	enabled: true
				1338	server:
				1339	identity:
Richard Felkl	aac256a	2017-03-23 15:43:49 +0100	[diff] [blame]	1340	endpoint_type: internalURL
Jiri Broulik	5368cc5	2017-02-08 18:53:59 +0100	[diff] [blame]	1341	security_group:
				1342	security_group1:
				1343	tenant: demo
				1344	description: security group 1
				1345	rules:
				1346	- direction: ingress
				1347	ethertype: IPv4
				1348	protocol: TCP
				1349	port_range_min: 1
				1350	port_range_max: 65535
				1351	remote_ip_prefix: 0.0.0.0/0
				1352	- direction: ingress
				1353	ethertype: IPv4
				1354	protocol: UDP
				1355	port_range_min: 1
				1356	port_range_max: 65535
				1357	remote_ip_prefix: 0.0.0.0/0
				1358	- direction: ingress
				1359	protocol: ICMP
				1360	remote_ip_prefix: 0.0.0.0/0
				1361	identity1:
				1362	security_group:
				1363	...
				1364
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1365	.. TODO: implement updating existing security rules (now it adds new rule if
				1366	trying to update existing one)
Jiri Broulik	5368cc5	2017-02-08 18:53:59 +0100	[diff] [blame]	1367
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1368	Floating IP addresses:
Jiri Broulik	de2e290	2017-02-13 15:03:47 +0100	[diff] [blame]	1369
				1370	.. code-block:: yaml
				1371
				1372	neutron:
				1373	client:
				1374	enabled: true
				1375	server:
				1376	identity:
Richard Felkl	aac256a	2017-03-23 15:43:49 +0100	[diff] [blame]	1377	endpoint_type: internalURL
Jiri Broulik	de2e290	2017-02-13 15:03:47 +0100	[diff] [blame]	1378	floating_ip:
				1379	prx01-instance:
				1380	server: prx01.mk22-lab-basic.local
				1381	subnet: private-subnet1
				1382	network: public-net1
				1383	tenant: demo
				1384	gtw01-instance:
				1385	...
				1386
				1387	.. note:: The network must have flag router:external set to True.
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1388	Instance port in the stated subnet will be associated
				1389	with the dynamically generated floating IP.
Oleg Iurchenko	de71cc2	2017-09-18 17:58:56 +0300	[diff] [blame]	1390
				1391	Enable Neutron extensions (QoS, DNS, etc.)
				1392	------------------------------------------
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1393
Oleg Iurchenko	de71cc2	2017-09-18 17:58:56 +0300	[diff] [blame]	1394	.. code-block:: yaml
				1395
				1396	neutron:
				1397	server:
				1398	backend:
				1399	extension:
Oleg Iurchenko	ac17f4f	2017-10-06 11:24:27 +0300	[diff] [blame]	1400	dns:
				1401	enabled: True
				1402	host: 127.0.0.1
				1403	port: 9001
				1404	protocol: http
				1405	....
				1406	qos
				1407	enabled: True
Oleg Iurchenko	de71cc2	2017-09-18 17:58:56 +0300	[diff] [blame]	1408
Oleg Bondarev	878ac46	2018-04-23 17:48:15 +0400	[diff] [blame]	1409	Different Neutron extensions for different agents
				1410	-------------------------------------------------
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1411
Oleg Bondarev	878ac46	2018-04-23 17:48:15 +0400	[diff] [blame]	1412	.. code-block:: yaml
				1413
				1414	neutron:
				1415	server:
				1416	backend:
				1417	extension: # common extensions for OVS and SRIOV agents
				1418	dns:
				1419	enabled: True
				1420	...
				1421	qos
				1422	enabled: True
				1423	ovs_extension: # OVS specific extensions
				1424	bagpipe_bgpvpn:
				1425	enabled: True
				1426	sriov_extension: # SRIOV specific extensions
				1427	dummy:
				1428	enabled: True
Oleg Iurchenko	de71cc2	2017-09-18 17:58:56 +0300	[diff] [blame]	1429
Oleg Iurchenko	8cf6cf5	2017-09-18 15:44:03 +0300	[diff] [blame]	1430	Neutron with Designate
				1431	-----------------------------------------
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1432
Oleg Iurchenko	8cf6cf5	2017-09-18 15:44:03 +0300	[diff] [blame]	1433	.. code-block:: yaml
				1434
				1435	neutron:
				1436	server:
				1437	backend:
				1438	extension:
				1439	dns:
				1440	enabled: True
				1441	host: 127.0.0.1
				1442	port: 9001
				1443	protocol: http
				1444
Marek Celoud	67ce206	2018-01-31 13:44:55 +0100	[diff] [blame]	1445	Enable RBAC for OpenContrail engine
				1446	-----------------------------------
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1447
Marek Celoud	67ce206	2018-01-31 13:44:55 +0100	[diff] [blame]	1448	.. code-block:: yaml
				1449
				1450	neutron:
				1451	server:
				1452	backend:
				1453	engine: contrail
				1454	rbac:
				1455	enabled: True
Oleg Iurchenko	8cf6cf5	2017-09-18 15:44:03 +0300	[diff] [blame]	1456
Dmitry Kalashnik	35dd0e0	2017-12-07 14:16:25 +0400	[diff] [blame]	1457	Enhanced logging with logging.conf
				1458	----------------------------------
				1459
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1460	By default ``logging.conf`` is disabled.
Dmitry Kalashnik	35dd0e0	2017-12-07 14:16:25 +0400	[diff] [blame]	1461
				1462	That is possible to enable per-binary logging.conf with new variables:
Dmitry Kalashnik	35dd0e0	2017-12-07 14:16:25 +0400	[diff] [blame]	1463
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1464	* ``openstack_log_appender``
				1465	Set to true to enable ``log_config_append`` for all OpenStack services
				1466
				1467	* ``openstack_fluentd_handler_enabled``
				1468	Set to true to enable FluentHandler for all Openstack services
				1469
				1470	* ``openstack_ossyslog_handler_enabled``
				1471	Set to true to enable OSSysLogHandler for all Openstack services.
				1472
				1473	Only ``WatchedFileHandler``, ``OSSysLogHandler``, and ``FluentHandler``
				1474	are available.
Dmitry Kalashnik	35dd0e0	2017-12-07 14:16:25 +0400	[diff] [blame]	1475
				1476	Also it is possible to configure this with pillar:
				1477
				1478	.. code-block:: yaml
				1479
				1480	neutron:
				1481	server:
				1482	logging:
				1483	log_appender: true
				1484	log_handlers:
				1485	watchedfile:
				1486	enabled: true
				1487	fluentd:
				1488	enabled: true
Oleksii Chupryn	156c5f4	2018-02-07 10:06:50 +0200	[diff] [blame]	1489	ossyslog:
				1490	enabled: true
Dmitry Kalashnik	35dd0e0	2017-12-07 14:16:25 +0400	[diff] [blame]	1491	....
				1492	compute:
				1493	logging:
				1494	log_appender: true
				1495	log_handlers:
				1496	watchedfile:
				1497	enabled: true
				1498	fluentd:
				1499	enabled: true
Oleksii Chupryn	156c5f4	2018-02-07 10:06:50 +0200	[diff] [blame]	1500	ossyslog:
				1501	enabled: true
Dmitry Kalashnik	35dd0e0	2017-12-07 14:16:25 +0400	[diff] [blame]	1502	....
				1503	gateway:
				1504	logging:
				1505	log_appender: true
				1506	log_handlers:
				1507	watchedfile:
				1508	enabled: true
				1509	fluentd:
				1510	enabled: true
Oleksii Chupryn	156c5f4	2018-02-07 10:06:50 +0200	[diff] [blame]	1511	ossyslog:
				1512	enabled: true
Oleg Iurchenko	8cf6cf5	2017-09-18 15:44:03 +0300	[diff] [blame]	1513
Oleksii Grudev	fe73ee5	2018-05-14 14:08:11 +0300	[diff] [blame]	1514	Logging levels pillar example:
				1515
				1516	.. code-block:: yaml
				1517
				1518	neutron:
				1519	server:
				1520	logging:
				1521	log_appender: true
				1522	loggers:
				1523	root:
				1524	level: 'DEBUG'
				1525	neutron:
				1526	level: 'DEBUG'
				1527	amqplib:
				1528	level: 'DEBUG'
				1529	sqlalchemy:
				1530	level: 'DEBUG'
				1531	boto:
				1532	level: 'DEBUG'
				1533	suds:
				1534	level: 'DEBUG'
				1535	eventletwsgi:
				1536	level: 'DEBUG'
				1537	......
Oleksandr Bryndzii	3b0ac2c	2018-10-04 11:06:24 +0300	[diff] [blame]	1538	Neutron server with memcached caching and security strategy:
				1539
				1540	.. code-block:: yaml
				1541
				1542	neutron:
				1543	server:
				1544	enabled: true
				1545	...
				1546	cache:
				1547	engine: memcached
				1548	members:
				1549	- host: 127.0.0.1
				1550	port: 11211
				1551	- host: 127.0.0.1
				1552	port: 11211
				1553	security:
				1554	enabled: true
				1555	strategy: ENCRYPT
				1556	secret_key: secret
Oleksii Grudev	fe73ee5	2018-05-14 14:08:11 +0300	[diff] [blame]	1557
Vasyl Saienko	ba42073	2018-09-07 10:19:32 +0000	[diff] [blame]	1558	Upgrades
				1559	========
				1560
				1561	Each openstack formula provide set of phases (logical bloks) that will help to
				1562	build flexible upgrade orchestration logic for particular components. The list
				1563	of phases might and theirs descriptions are listed in table below:
				1564
				1565	+-------------------------------+------------------------------------------------------+
				1566	\| State \| Description \|
				1567	+===============================+======================================================+
				1568	\| <app>.upgrade.service_running \| Ensure that all services for particular application \|
				1569	\| \| are enabled for autostart and running \|
				1570	+-------------------------------+------------------------------------------------------+
				1571	\| <app>.upgrade.service_stopped \| Ensure that all services for particular application \|
				1572	\| \| disabled for autostart and dead \|
				1573	+-------------------------------+------------------------------------------------------+
				1574	\| <app>.upgrade.pkg_latest \| Ensure that packages used by particular application \|
				1575	\| \| are installed to latest available version. \|
				1576	\| \| This will not upgrade data plane packages like qemu \|
				1577	\| \| and openvswitch as usually minimal required version \|
				1578	\| \| in openstack services is really old. The data plane \|
				1579	\| \| packages should be upgraded separately by `apt-get \|
				1580	\| \| upgrade` or `apt-get dist-upgrade` \|
				1581	\| \| Applying this state will not autostart service. \|
				1582	+-------------------------------+------------------------------------------------------+
				1583	\| <app>.upgrade.render_config \| Ensure configuration is rendered actual version. +
				1584	+-------------------------------+------------------------------------------------------+
				1585	\| <app>.upgrade.pre \| We assume this state is applied on all nodes in the \|
				1586	\| \| cloud before running upgrade. \|
				1587	\| \| Only non destructive actions will be applied during \|
				1588	\| \| this phase. Perform service built in service check \|
				1589	\| \| like (keystone-manage doctor and nova-status upgrade)\|
				1590	+-------------------------------+------------------------------------------------------+
				1591	\| <app>.upgrade.upgrade.pre \| Mostly applicable for data plane nodes. During this \|
				1592	\| \| phase resources will be gracefully removed from \|
				1593	\| \| current node if it is allowed. Services for upgraded \|
				1594	\| \| application will be set to admin disabled state to \|
				1595	\| \| make sure node will not participate in resources \|
				1596	\| \| scheduling. For example on gtw nodes this will set \|
				1597	\| \| all agents to admin disable state and will move all \|
				1598	\| \| routers to other agents. \|
				1599	+-------------------------------+------------------------------------------------------+
				1600	\| <app>.upgrade.upgrade \| This state will basically upgrade application on \|
				1601	\| \| particular target. Stop services, render \|
				1602	\| \| configuration, install new packages, run offline \|
				1603	\| \| dbsync (for ctl), start services. Data plane should \|
				1604	\| \| not be affected, only OpenStack python services. \|
				1605	+-------------------------------+------------------------------------------------------+
				1606	\| <app>.upgrade.upgrade.post \| Add services back to scheduling. \|
				1607	+-------------------------------+------------------------------------------------------+
				1608	\| <app>.upgrade.post \| This phase should be launched only when upgrade of \|
				1609	\| \| the cloud is completed. \|
				1610	+-------------------------------+------------------------------------------------------+
				1611	\| <app>.upgrade.verify \| Here we will do basic health checks (API CRUD \|
				1612	\| \| operations, verify do not have dead network \|
				1613	\| \| agents/compute services) \|
				1614	+-------------------------------+------------------------------------------------------+
				1615
				1616
Oleksandr Shyshko	f51b94c	2018-08-31 16:05:27 +0300	[diff] [blame]	1617	Enable x509 and ssl communication between Neutron and Galera cluster.
				1618	---------------------
				1619	By default communication between Neutron and Galera is unsecure.
				1620
				1621	neutron:
				1622	server:
				1623	database:
				1624	x509:
				1625	enabled: True
				1626
				1627	You able to set custom certificates in pillar:
				1628
				1629	neutron:
				1630	server:
				1631	database:
				1632	x509:
				1633	cacert: (certificate content)
				1634	cert: (certificate content)
				1635	key: (certificate content)
				1636
				1637	You can read more about it here:
				1638	https://docs.openstack.org/security-guide/databases/database-access-control.html