===============
Neutron Formula
===============

Neutron is an OpenStack project to provide "networking as a service" between
interface devices (e.g., vNICs) managed by other OpenStack services (e.g.,
nova).

Starting in the Folsom release, Neutron is a core and supported part of the
OpenStack platform (for Essex, we were an "incubated" project, which means use
is suggested only for those who really know what they're doing with Neutron).

Sample Pillars
==============

Neutron Server on the controller node

.. code-block:: yaml

    neutron:
      server:
        enabled: true
        version: mitaka
        allow_pagination: true
        pagination_max_limit: 100
        bind:
          address: 172.20.0.1
          port: 9696
        database:
          engine: mysql
          host: 127.0.0.1
          port: 3306
          name: neutron
          user: neutron
          password: pwd
        identity:
          engine: keystone
          host: 127.0.0.1
          port: 35357
          user: neutron
          password: pwd
          tenant: service
          endpoint_type: internal
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        metadata:
          host: 127.0.0.1
          port: 8775
          password: pass
        audit:
          enabled: false

Note: Pagination is useful when retrieving a large number of resources,
because a single unpaginated request may fail (timeout). It is enabled with
both parameters *allow_pagination* and *pagination_max_limit* as shown above.


Configuration of policy.json file

.. code-block:: yaml

    neutron:
      server:
        ....
        policy:
          create_subnet: 'rule:admin_or_network_owner'
          'get_network:queue_id': 'rule:admin_only'
          # Add key without value to remove line from policy.json
          'create_network:shared':

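The following script is an added example, not code from the salt-formula-neutron project: it applies the pillar semantics just described (a key with a value sets the rule, a key without a value removes the line) to a policy.json document and reports which rule then governs each touched action. The base policy.json content and the pillar dict are constructed here; the fallback to the ``default`` rule for a removed action is oslo.policy's behaviour.

```python
"""Added example, not code from the salt-formula-neutron project: apply the
neutron:server:policy pillar semantics shown above to a policy.json document."""
import json

# Constructed base policy.json content standing in for the file shipped with Neutron.
BASE_POLICY_JSON = json.dumps({
    "default": "rule:admin_or_owner",
    "admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s",
    "create_subnet": "rule:admin_or_network_owner",
    "create_network:shared": "rule:admin_only",
    "get_network:queue_id": "rule:admin_only",
})

# The sample pillar from the section above, as Salt hands it to the state after
# rendering the YAML: a key written without a value becomes None.
PILLAR_POLICY = {
    "create_subnet": "rule:admin_or_network_owner",
    "get_network:queue_id": "rule:admin_only",
    "create_network:shared": None,
}


def apply_policy_pillar(base_policy_json, pillar_policy):
    """Return (policy dict, change log) after applying the pillar overrides.

    A key with a value sets that rule; a key with None removes the line from
    policy.json, so the action falls back to the "default" rule at runtime."""
    policy = json.loads(base_policy_json)
    changes = []
    for key, rule in pillar_policy.items():
        if rule is None:
            if policy.pop(key, None) is not None:
                changes.append(("removed", key))
        elif policy.get(key) == rule:
            changes.append(("unchanged", key))
        else:
            changes.append(("updated" if key in policy else "added", key))
            policy[key] = str(rule)
    return policy, changes


def effective_rule(policy, action):
    """Rule oslo.policy enforces for an action: its own entry, else "default"."""
    return policy.get(action, policy.get("default"))


def render_policy_json(policy):
    """Serialize in the sorted, indented form written to /etc/neutron/policy.json."""
    return json.dumps(policy, indent=2, sort_keys=True) + "\n"


if __name__ == "__main__":
    new_policy, log = apply_policy_pillar(BASE_POLICY_JSON, PILLAR_POLICY)
    for action, key in log:
        print(f"{action:9} {key} -> enforced as {effective_rule(new_policy, key)!r}")
    print(render_policy_json(new_policy))
```

Removing ``create_network:shared`` does not leave the action unprotected, but it does hand it to whatever the ``default`` rule says, which is the value to review before relying on the removal.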
Neutron LBaaSv2 enablement
--------------------------

.. code-block:: yaml

    neutron:
      server:
        lbaas:
          enabled: true
          providers:
            octavia:
              engine: octavia
              driver_path: 'neutron_lbaas.drivers.octavia.driver.OctaviaDriver'
              base_url: 'http://127.0.0.1:9876'
            avi_adc:
              engine: avinetworks
              driver_path: 'avi_lbaasv2.avi_driver.AviDriver'
              controller_address: 10.182.129.239
              controller_user: admin
              controller_password: Cloudlab2016
              controller_cloud_name: Default-Cloud
            avi_adc2:
              engine: avinetworks
              ...

Note: If the Contrail backend is set, the OpenContrail load balancer is enabled
automatically. In this case lbaas should be disabled in the pillar:

.. code-block:: yaml

    neutron:
      server:
        lbaas:
          enabled: false


Neutron FWaaSv1 enablement
--------------------------

.. code-block:: yaml

    neutron:
      fwaas:
        enabled: true
        version: ocata
        api_version: v1


Enable CORS parameters
----------------------

.. code-block:: yaml

    neutron:
      server:
        cors:
          allowed_origin: https:localhost.local,http:localhost.local
          expose_headers: X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token
          allow_methods: GET,PUT,POST,DELETE,PATCH
          allow_headers: X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token
          allow_credentials: True
          max_age: 86400


Neutron VXLAN tenant networks with Network nodes
------------------------------------------------

With DVR for East-West and Network node for North-South.

This use case describes a model utilising VxLAN overlay with DVR. The DVR
routers will only be utilized for traffic that is routed within the cloud
infrastructure and that remains encapsulated. External traffic will be
routed via the network nodes.

The intention is that each tenant will require at least two (2) vrouters
one to be utilised

Neutron Server

.. code-block:: yaml

    neutron:
      server:
        version: mitaka
        plugin: ml2
        bind:
          address: 172.20.0.1
          port: 9696
        database:
          engine: mysql
          host: 127.0.0.1
          port: 3306
          name: neutron
          user: neutron
          password: pwd
        identity:
          engine: keystone
          host: 127.0.0.1
          port: 35357
          user: neutron
          password: pwd
          tenant: service
          endpoint_type: internal
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        global_physnet_mtu: 9000
        l3_ha: False # Which type of router will be created by default
        dvr: True # disabled for non DVR use case
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          external_mtu: 9000
          mechanism:
            ovs:
              driver: openvswitch

Network Node

.. code-block:: yaml

    neutron:
      gateway:
        enabled: True
        version: mitaka
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        local_ip: 192.168.20.20 # br-mesh ip address
        dvr: True # disabled for non DVR use case
        agent_mode: dvr_snat
        metadata:
          host: 127.0.0.1
          password: pass
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          mechanism:
            ovs:
              driver: openvswitch

Compute Node

.. code-block:: yaml

    neutron:
      compute:
        enabled: True
        version: mitaka
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        local_ip: 192.168.20.20 # br-mesh ip address
        dvr: True # disabled for non DVR use case
        agent_mode: dvr
        external_access: false # Compute node with DVR for east-west only, Network Node has True as default
        metadata:
          host: 127.0.0.1
          password: pass
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          mechanism:
            ovs:
              driver: openvswitch
        audit:
          enabled: false


Neutron VXLAN tenant networks with Network Nodes (non DVR)
----------------------------------------------------------

This section describes a network solution that utilises VxLAN overlay
networks without DVR with all routers being managed on the network nodes.

Neutron Server

.. code-block:: yaml

    neutron:
      server:
        version: mitaka
        plugin: ml2
        bind:
          address: 172.20.0.1
          port: 9696
        database:
          engine: mysql
          host: 127.0.0.1
          port: 3306
          name: neutron
          user: neutron
          password: pwd
        identity:
          engine: keystone
          host: 127.0.0.1
          port: 35357
          user: neutron
          password: pwd
          tenant: service
          endpoint_type: internal
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        global_physnet_mtu: 9000
        l3_ha: True
        dvr: False
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          external_mtu: 9000
          mechanism:
            ovs:
              driver: openvswitch

Network Node

.. code-block:: yaml

    neutron:
      gateway:
        enabled: True
        version: mitaka
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        local_ip: 192.168.20.20 # br-mesh ip address
        dvr: False
        agent_mode: legacy
        availability_zone: az1
        metadata:
          host: 127.0.0.1
          password: pass
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          mechanism:
            ovs:
              driver: openvswitch

Compute Node

.. code-block:: yaml

    neutron:
      compute:
        enabled: True
        version: mitaka
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        local_ip: 192.168.20.20 # br-mesh ip address
        external_access: False
        dvr: False
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          mechanism:
            ovs:
              driver: openvswitch

Neutron VXLAN tenant networks with Network Nodes with DVR
---------------------------------------------------------

With DVR for East-West and North-South, DVR everywhere, Network node for SNAT.

This section describes a network solution that utilises VxLAN overlay
networks with DVR for both North-South and East-West traffic. The Network
Node is used only for SNAT.

Neutron Server

.. code-block:: yaml

    neutron:
      server:
        version: mitaka
        plugin: ml2
        bind:
          address: 172.20.0.1
          port: 9696
        database:
          engine: mysql
          host: 127.0.0.1
          port: 3306
          name: neutron
          user: neutron
          password: pwd
        identity:
          engine: keystone
          host: 127.0.0.1
          port: 35357
          user: neutron
          password: pwd
          tenant: service
          endpoint_type: internal
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        global_physnet_mtu: 9000
        l3_ha: False
        dvr: True
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          external_mtu: 9000
          mechanism:
            ovs:
              driver: openvswitch

Network Node

.. code-block:: yaml

    neutron:
      gateway:
        enabled: True
        version: mitaka
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        local_ip: 192.168.20.20 # br-mesh ip address
        dvr: True
        agent_mode: dvr_snat
        availability_zone: az1
        metadata:
          host: 127.0.0.1
          password: pass
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          mechanism:
            ovs:
              driver: openvswitch

Compute Node

.. code-block:: yaml

    neutron:
      compute:
        enabled: True
        version: mitaka
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        local_ip: 192.168.20.20 # br-mesh ip address
        dvr: True
        external_access: True
        agent_mode: dvr
        availability_zone: az1
        metadata:
          host: 127.0.0.1
          password: pass
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          mechanism:
            ovs:
              driver: openvswitch

Sample Linux network configuration for DVR

.. code-block:: yaml

    linux:
      network:
        bridge: openvswitch
        interface:
          eth1:
            enabled: true
            type: eth
            mtu: 9000
            proto: manual
          eth2:
            enabled: true
            type: eth
            mtu: 9000
            proto: manual
          eth3:
            enabled: true
            type: eth
            mtu: 9000
            proto: manual
          br-int:
            enabled: true
            mtu: 9000
            type: ovs_bridge
          br-floating:
            enabled: true
            mtu: 9000
            type: ovs_bridge
          float-to-ex:
            enabled: true
            type: ovs_port
            mtu: 65000
            bridge: br-floating
          br-mgmt:
            enabled: true
            type: bridge
            mtu: 9000
            address: ${_param:single_address}
            netmask: 255.255.255.0
            use_interfaces:
            - eth1
          br-mesh:
            enabled: true
            type: bridge
            mtu: 9000
            address: ${_param:tenant_address}
            netmask: 255.255.255.0
            use_interfaces:
            - eth2
          br-ex:
            enabled: true
            type: bridge
            mtu: 9000
            address: ${_param:external_address}
            netmask: 255.255.255.0
            use_interfaces:
            - eth3
            use_ovs_ports:
            - float-to-ex

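The three VXLAN layouts above differ only in a handful of keys spread over the server, gateway and compute pillars, and a node whose pillar drifts from the others (for example a compute node still carrying ``dvr: False``) ends up with an agent that does not match the routers the server creates. The following checker is an added example, not code from the salt-formula-neutron project: it classifies a set of pillars against the three documented layouts and reports inconsistencies. The pillars are the dicts Salt renders from the YAML, trimmed here to the routing-relevant keys; the rule that ``l3_ha`` and ``dvr`` are not both set is taken from the samples, not from the formula.

```python
"""Added example, not code from the salt-formula-neutron project: check that the
neutron:server, neutron:gateway and neutron:compute pillars of one deployment
describe the same routing layout, using the three VXLAN layouts documented
above.  Pillars are the dicts Salt renders from the YAML samples."""

# (server dvr, gateway agent_mode, compute agent_mode, compute external_access)
LAYOUTS = {
    (True, "dvr_snat", "dvr", False): "DVR east-west, network nodes north-south",
    (False, "legacy", None, False): "non-DVR, routers on network nodes",
    (True, "dvr_snat", "dvr", True): "DVR everywhere, network nodes for SNAT",
}


def flag(value):
    """Pillar booleans arrive as bool or as strings such as True/false."""
    return str(value).lower() == "true"


def tenant_nets(pillar):
    return pillar.get("backend", {}).get("tenant_network_types", "")


def check_layout(server, gateway, compute):
    """Return (documented layout name or None, list of findings)."""
    findings = []
    dvr = flag(server.get("dvr"))
    for role, pillar in (("gateway", gateway), ("compute", compute)):
        if flag(pillar.get("dvr")) != dvr:
            findings.append(f"{role}: dvr={pillar.get('dvr')!r} disagrees with server dvr={dvr}")
        if tenant_nets(pillar) != tenant_nets(server):
            findings.append(f"{role}: tenant_network_types differ from server")
        if "vxlan" in tenant_nets(pillar) and not pillar.get("local_ip"):
            findings.append(f"{role}: vxlan tenant networks but no local_ip (br-mesh address)")
    if dvr and flag(server.get("l3_ha")):
        findings.append("server: l3_ha and dvr both set; the samples above enable only one")
    key = (dvr, gateway.get("agent_mode"), compute.get("agent_mode"),
           flag(compute.get("external_access")))
    layout = LAYOUTS.get(key)
    if layout is None:
        findings.append(f"no documented layout matches {key}")
    return layout, findings


# Constructed pillars trimmed to the routing-relevant keys of the first layout above.
BACKEND = {"engine": "ml2", "tenant_network_types": "flat,vxlan"}
SERVER = {"dvr": True, "l3_ha": False, "backend": BACKEND}
GATEWAY = {"dvr": True, "agent_mode": "dvr_snat", "local_ip": "192.168.20.20",
           "backend": BACKEND}
COMPUTE = {"dvr": True, "agent_mode": "dvr", "external_access": False,
           "local_ip": "192.168.20.20", "backend": BACKEND}
# A compute pillar that drifted: DVR switched off locally and br-mesh address missing.
DRIFTED_COMPUTE = {"dvr": "False", "external_access": False, "backend": BACKEND}

if __name__ == "__main__":
    for compute in (COMPUTE, DRIFTED_COMPUTE):
        layout, findings = check_layout(SERVER, GATEWAY, compute)
        print("layout:", layout or "unknown")
        for finding in findings:
            print("  -", finding)
```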
Additional VXLAN tenant network settings
----------------------------------------

The default multicast group of 224.0.0.1 only multicasts to a single subnet.
The pillar allows overriding it to support larger underlay network topologies.

Neutron Server

.. code-block:: yaml

    neutron:
      server:
        vxlan:
          group: 239.0.0.0/8
          vni_ranges: "2:65535"

Neutron VLAN tenant networks with Network Nodes
-----------------------------------------------

VLAN tenant provider

Neutron Server only

.. code-block:: yaml

    neutron:
      server:
        version: mitaka
        plugin: ml2
        ...
        global_physnet_mtu: 9000
        l3_ha: False
        dvr: True
        backend:
          engine: ml2
          tenant_network_types: "flat,vlan" # Can be mixed flat,vlan,vxlan
          tenant_vlan_range: "1000:2000"
          external_vlan_range: "100:200" # Does not have to be defined.
          external_mtu: 9000
          mechanism:
            ovs:
              driver: openvswitch

Compute node

.. code-block:: yaml

    neutron:
      compute:
        version: mitaka
        plugin: ml2
        ...
        dvr: True
        agent_mode: dvr
        external_access: False
        backend:
          engine: ml2
          tenant_network_types: "flat,vlan" # Can be mixed flat,vlan,vxlan
          mechanism:
            ovs:
              driver: openvswitch

Advanced Neutron Features (DPDK, SR-IOV)

Neutron OVS DPDK

Enable datapath netdev for neutron openvswitch agent

.. code-block:: yaml

    neutron:
      server:
        version: mitaka
        ...
        dpdk: True
        ...

    neutron:
      compute:
        version: mitaka
        plugin: ml2
        dpdk: True
        backend:
          engine: ml2
          ...
          mechanism:
            ovs:
              driver: openvswitch

Neutron OVS SR-IOV

.. code-block:: yaml

    neutron:
      server:
        version: mitaka
        plugin: ml2
        backend:
          engine: ml2
          ...
          mechanism:
            ovs:
              driver: openvswitch
            sriov:
              driver: sriovnicswitch

    neutron:
      compute:
        version: mitaka
        plugin: ml2
        ...
        backend:
          engine: ml2
          tenant_network_types: "flat,vlan" # Can be mixed flat,vlan,vxlan
          sriov:
            nic_one:
              devname: eth1
              physical_network: physnet3
          mechanism:
            ovs:
              driver: openvswitch

Neutron with VLAN-aware-VMs

.. code-block:: yaml

    neutron:
      server:
        vlan_aware_vms: true
        ....
      compute:
        vlan_aware_vms: true
        ....
      gateway:
        vlan_aware_vms: true

Neutron Server
--------------

Neutron Server with OpenContrail

.. code-block:: yaml

    neutron:
      server:
        plugin: contrail
        backend:
          engine: contrail
          host: contrail_discovery_host
          port: 8082
          user: admin
          password: password
          tenant: admin
          token: token

Neutron Server with Midonet

.. code-block:: yaml

    neutron:
      server:
        backend:
          engine: midonet
          host: midonet_api_host
          port: 8181
          user: admin
          password: password


Neutron Keystone region

.. code-block:: yaml

    neutron:
      server:
        enabled: true
        version: kilo
        ...
        identity:
          region: RegionTwo
        ...
      compute:
        region: RegionTwo
        ...

Client-side RabbitMQ HA setup

.. code-block:: yaml

    neutron:
      server:
        ....
        message_queue:
          engine: rabbitmq
          members:
            - host: 10.0.16.1
            - host: 10.0.16.2
            - host: 10.0.16.3
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        ....

Client-side RabbitMQ TLS configuration:

To enable TLS for oslo.messaging you need to provide the CA certificate.

By default system-wide CA certs are used. Nothing should be specified except `ssl.enabled`.

.. code-block:: yaml

    neutron:
      server, gateway, compute:
        ....
        message_queue:
          ssl:
            enabled: True


Use the `cacert_file` option to specify the CA cert file path explicitly:

.. code-block:: yaml

    neutron:
      server, gateway, compute:
        ....
        message_queue:
          ssl:
            enabled: True
            cacert_file: /etc/ssl/rabbitmq-ca.pem

To manage the content of the `cacert_file` use the `cacert` option:

.. code-block:: yaml

    neutron:
      server, gateway, compute:
        ....
        message_queue:
          ssl:
            enabled: True
            cacert: |
              -----BEGIN CERTIFICATE-----
              ...
              -----END CERTIFICATE-----
            cacert_file: /etc/openstack/rabbitmq-ca.pem


Notice:
  * The `message_queue.port` is set to **5671** (AMQPS) by default if `ssl.enabled=True`.
  * Use `message_queue.ssl.version` if you need to specify the protocol version. By default it is TLSv1 for Python < 2.7.9 and TLSv1_2 for newer versions.


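The rules in this section and the HA section before it combine into one set of client settings per service. The script below is an added example, not code from the salt-formula-neutron project: it derives the effective port, the transport URL across all HA members, the CA file handling and the TLS version from a ``message_queue`` pillar, as the dict Salt renders from the YAML. The sample pillar and its placeholder PEM are constructed here, the rule that an explicit ``port`` overrides the 5671 default is an assumption, and the ``[oslo_messaging_rabbit]`` option names at the end are the ``ssl``/``ssl_ca_file``/``ssl_version`` spellings, also an assumption about the target release.

```python
"""Added example, not code from the salt-formula-neutron project: derive the
client-side RabbitMQ settings a neutron service would use from its
message_queue pillar, following the rules above (port 5671/AMQPS once
ssl.enabled is True, system CA bundle unless cacert_file/cacert is given, TLS
version chosen by Python release).  The [oslo_messaging_rabbit] option names
at the end are the ssl/ssl_ca_file/ssl_version spellings (an assumption)."""
import sys
from urllib.parse import quote

# Constructed pillar: the HA members from the section above plus TLS with an
# inline CA; the PEM body is a placeholder, not a real certificate.
MESSAGE_QUEUE = {
    "engine": "rabbitmq",
    "members": [{"host": "10.0.16.1"}, {"host": "10.0.16.2"}, {"host": "10.0.16.3"}],
    "user": "openstack",
    "password": "pwd",
    "virtual_host": "/openstack",
    "ssl": {
        "enabled": True,
        "cacert": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n",
        "cacert_file": "/etc/openstack/rabbitmq-ca.pem",
    },
}


def ssl_enabled(mq):
    """ssl.enabled may be a bool or the string True/true in a rendered pillar."""
    return str(mq.get("ssl", {}).get("enabled", False)).lower() == "true"


def effective_port(mq):
    """An explicit port wins (assumption); otherwise 5671 with TLS, 5672 without."""
    if mq.get("port"):
        return int(mq["port"])
    return 5671 if ssl_enabled(mq) else 5672


def transport_url(mq):
    """rabbit:// URL for oslo.messaging listing every HA member on the same port;
    the virtual host is appended verbatim after the slash."""
    port = effective_port(mq)
    hosts = [m["host"] for m in mq.get("members", [])] or [mq.get("host", "127.0.0.1")]
    creds = f"{quote(mq['user'], safe='')}:{quote(mq['password'], safe='')}"
    netloc = ",".join(f"{creds}@{host}:{port}" for host in hosts)
    return f"rabbit://{netloc}/{mq.get('virtual_host', '')}"


def default_ssl_version(python_version=tuple(sys.version_info[:3])):
    """TLSv1 below Python 2.7.9, TLSv1_2 from 2.7.9 on, as stated in the notice."""
    return "TLSv1" if tuple(python_version[:3]) < (2, 7, 9) else "TLSv1_2"


def resolve_ca(mq):
    """Return (ca_file_path, pem_to_write).

    (None, None): TLS off or system CA bundle; (path, None): the file must
    already exist; (path, pem): the formula writes that PEM to path first."""
    ssl = mq.get("ssl", {})
    if not ssl_enabled(mq):
        return None, None
    path, pem = ssl.get("cacert_file"), ssl.get("cacert")
    if pem and not path:
        raise ValueError("ssl.cacert needs ssl.cacert_file to say where to store it")
    return path, pem


def oslo_rabbit_options(mq):
    """[oslo_messaging_rabbit] settings implied by the pillar."""
    opts = {"ssl": ssl_enabled(mq)}
    if opts["ssl"]:
        path, _ = resolve_ca(mq)
        if path:
            opts["ssl_ca_file"] = path
        opts["ssl_version"] = mq["ssl"].get("version") or default_ssl_version()
    return opts
```

Note that ``ssl.enabled`` on its own only switches the port and the TLS handshake; whether the broker certificate is actually verified against the intended CA depends on the CA bundle the service ends up trusting, which is why ``resolve_ca`` makes the three cases explicit.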
793
Petr Michalec61f7ab22016-11-29 16:29:09 +0100794Enable auditing filter, ie: CADF
795
796.. code-block:: yaml
797
798 neutron:
799 server:
800 audit:
801 enabled: true
802 ....
803 filter_factory: 'keystonemiddleware.audit:filter_factory'
804 map_file: '/etc/pycadf/neutron_api_audit_map.conf'
805 ....
806 compute:
807 audit:
808 enabled: true
809 ....
810 filter_factory: 'keystonemiddleware.audit:filter_factory'
811 map_file: '/etc/pycadf/neutron_api_audit_map.conf'
812 ....
Jiri Konecny93b19992016-04-12 11:15:39 +0200813
Oleg Bondarev98870a32017-05-29 16:53:19 +0400814Neutron with security groups disabled
815
816.. code-block:: yaml
817
818 neutron:
819 server:
820 security_groups_enabled: False
821 ....
822 compute:
823 security_groups_enabled: False
824 ....
825 gateway:
826 security_groups_enabled: False
827
Jiri Konecny93b19992016-04-12 11:15:39 +0200828
Neutron Client
--------------

Neutron networks

.. code-block:: yaml

    neutron:
      client:
        enabled: true
        server:
          identity:
            endpoint_type: internalURL
            network:
              inet1:
                tenant: demo
                shared: False
                admin_state_up: True
                router_external: True
                provider_physical_network: inet
                provider_network_type: flat
                provider_segmentation_id: 2
                subnet:
                  inet1-subnet1:
                    cidr: 192.168.90.0/24
                    enable_dhcp: False
              inet2:
                tenant: admin
                shared: False
                router_external: True
                provider_network_type: "vlan"
                subnet:
                  inet2-subnet1:
                    cidr: 192.168.92.0/24
                    enable_dhcp: False
                  inet2-subnet2:
                    cidr: 192.168.94.0/24
                    enable_dhcp: True
          identity1:
            network:
              ...

Neutron routers

.. code-block:: yaml

    neutron:
      client:
        enabled: true
        server:
          identity:
            endpoint_type: internalURL
            router:
              inet1-router:
                tenant: demo
                admin_state_up: True
                gateway_network: inet
                interfaces:
                  - inet1-subnet1
                  - inet1-subnet2
          identity1:
            router:
              ...

    TODO: implement adding new interfaces to a router while updating it


Neutron security groups

.. code-block:: yaml

    neutron:
      client:
        enabled: true
        server:
          identity:
            endpoint_type: internalURL
            security_group:
              security_group1:
                tenant: demo
                description: security group 1
                rules:
                  - direction: ingress
                    ethertype: IPv4
                    protocol: TCP
                    port_range_min: 1
                    port_range_max: 65535
                    remote_ip_prefix: 0.0.0.0/0
                  - direction: ingress
                    ethertype: IPv4
                    protocol: UDP
                    port_range_min: 1
                    port_range_max: 65535
                    remote_ip_prefix: 0.0.0.0/0
                  - direction: ingress
                    protocol: ICMP
                    remote_ip_prefix: 0.0.0.0/0
          identity1:
            security_group:
              ...

    TODO: implement updating existing security rules (now it adds new rule if trying to update existing one)


Floating IP addresses

.. code-block:: yaml

    neutron:
      client:
        enabled: true
        server:
          identity:
            endpoint_type: internalURL
            floating_ip:
              prx01-instance:
                server: prx01.mk22-lab-basic.local
                subnet: private-subnet1
                network: public-net1
                tenant: demo
              gtw01-instance:
                ...

.. note:: The network must have the flag router:external set to True.
   The instance port in the stated subnet will be associated with the dynamically generated floating IP.


Documentation and Bugs
======================

To learn how to install and update salt-formulas, consult the documentation
available online at:

    http://salt-formulas.readthedocs.io/

In the unfortunate event that bugs are discovered, they should be reported to
the appropriate issue tracker. Use the GitHub issue tracker for a specific salt
formula:

    https://github.com/salt-formulas/salt-formula-neutron/issues

For feature requests, bug reports or blueprints affecting the entire ecosystem,
use the Launchpad salt-formulas project:

    https://launchpad.net/salt-formulas

You can also join the salt-formulas-users team and subscribe to the mailing list:

    https://launchpad.net/~salt-formulas-users

Developers wishing to work on the salt-formulas projects should always base
their work on the master branch and submit a pull request against the specific formula.

    https://github.com/salt-formulas/salt-formula-neutron

Any questions or feedback are always welcome, so feel free to join our IRC
channel:

    #salt-formulas @ irc.freenode.net