Blame - README.rst - salt-formulas/neutron

blob: 961e8db83031d73ddddcc617be1251bb4f091bed [file] [log] [blame]

OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1	=====
				2	Usage
				3	=====
Filip Pytloun	cd028e4	2015-10-06 16:28:32 +0200	[diff] [blame]	4
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	5	Neutron is an OpenStack project to provide networking as a service between
Jakub Pavlik	9ecf026	2016-05-20 11:20:58 +0200	[diff] [blame]	6	interface devices (e.g., vNICs) managed by other Openstack services (e.g.,
				7	nova).
Filip Pytloun	cd028e4	2015-10-06 16:28:32 +0200	[diff] [blame]	8
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	9	Starting with the Folsom release, Neutron is a core and supported part of the
				10	OpenStack platform (for Essex, we were an incubated project, which means use
Vasyl Saienko	2fffc84	2017-06-14 10:35:26 +0300	[diff] [blame]	11	is suggested only for those who really know what they're doing with Neutron).
Filip Pytloun	cd028e4	2015-10-06 16:28:32 +0200	[diff] [blame]	12
Aleš Komárek	41e8231	2017-04-11 13:37:44 +0200	[diff] [blame]	13	Sample Pillars
Filip Pytloun	cd028e4	2015-10-06 16:28:32 +0200	[diff] [blame]	14	==============
				15
				16	Neutron Server on the controller node
				17
				18	.. code-block:: yaml
				19
				20	neutron:
				21	server:
				22	enabled: true
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	23	version: mitaka
Swann Croiset	9407daf	2017-02-02 15:27:56 +0100	[diff] [blame]	24	allow_pagination: true
				25	pagination_max_limit: 100
Mykyta Karpin	253406d	2017-12-08 17:01:37 +0200	[diff] [blame]	26	api_workers: 2
				27	rpc_workers: 2
				28	rpc_state_report_workers: 2
Michael Polenchuk	1ff8865	2018-03-06 16:15:57 +0400	[diff] [blame]	29	root_helper_daemon: false
Michael Polenchuk	2151b27	2018-06-19 18:32:31 +0400	[diff] [blame]	30	dhcp_lease_duration: 600
Michael Polenchuk	cece76d	2018-06-21 14:56:17 +0400	[diff] [blame]	31	firewall_driver: iptables_hybrid
Oleg Bondarev	bc2dfee	2018-10-17 18:41:51 +0400	[diff] [blame]	32	agent_boot_time: 180
William Konitzer	81a8998	2019-01-07 12:49:15 -0600	[diff] [blame]	33	agent_down_time: 30
				34	dhcp_agents_per_network: 2
				35	allow_automatic_dhcp_failover: true
Dzmitry Stremkouski	b6dd371	2019-10-21 20:56:55 +0200	[diff] [blame]	36	host: myhostname.example.com
Filip Pytloun	cd028e4	2015-10-06 16:28:32 +0200	[diff] [blame]	37	bind:
				38	address: 172.20.0.1
				39	port: 9696
Filip Pytloun	cd028e4	2015-10-06 16:28:32 +0200	[diff] [blame]	40	database:
				41	engine: mysql
				42	host: 127.0.0.1
				43	port: 3306
				44	name: neutron
				45	user: neutron
				46	password: pwd
				47	identity:
				48	engine: keystone
				49	host: 127.0.0.1
				50	port: 35357
				51	user: neutron
				52	password: pwd
				53	tenant: service
Dennis Dmitriev	3711472	2017-03-06 16:52:26 +0200	[diff] [blame]	54	endpoint_type: internal
Filip Pytloun	cd028e4	2015-10-06 16:28:32 +0200	[diff] [blame]	55	message_queue:
				56	engine: rabbitmq
				57	host: 127.0.0.1
				58	port: 5672
				59	user: openstack
				60	password: pwd
				61	virtual_host: '/openstack'
William Konitzer	81a8998	2019-01-07 12:49:15 -0600	[diff] [blame]	62	rpc_conn_pool_size: 30
				63	rpc_thread_pool_size: 100
				64	rpc_response_timeout: 120
Filip Pytloun	cd028e4	2015-10-06 16:28:32 +0200	[diff] [blame]	65	metadata:
				66	host: 127.0.0.1
				67	port: 8775
Dzmitry Stremkouski	ea47018	2018-10-24 15:33:35 +0200	[diff] [blame]	68	insecure: true
				69	proto: https
Filip Pytloun	cd028e4	2015-10-06 16:28:32 +0200	[diff] [blame]	70	password: pass
Mykyta Karpin	253406d	2017-12-08 17:01:37 +0200	[diff] [blame]	71	workers: 2
Petr Michalec	61f7ab2	2016-11-29 16:29:09 +0100	[diff] [blame]	72	audit:
				73	enabled: false
Filip Pytloun	cd028e4	2015-10-06 16:28:32 +0200	[diff] [blame]	74
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	75	.. note:: The pagination is useful to retrieve a large bunch of resources,
				76	because a single request may fail (timeout). This is enabled with both
				77	parameters allow_pagination and pagination_max_limit as shown above.
Swann Croiset	9407daf	2017-02-02 15:27:56 +0100	[diff] [blame]	78
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	79	Configuration of policy.json file:
Dmitry Ukov	596ddcf	2017-05-04 18:16:16 +0400	[diff] [blame]	80
				81	.. code-block:: yaml
				82
				83	neutron:
				84	server:
				85	....
				86	policy:
				87	create_subnet: 'rule:admin_or_network_owner'
				88	'get_network:queue_id': 'rule:admin_only'
				89	# Add key without value to remove line from policy.json
				90	'create_network:shared':
				91
Elena Ezhova	cd67cfe	2017-06-16 23:35:07 +0400	[diff] [blame]	92	Neutron LBaaSv2 enablement
				93	--------------------------
Ondrej Smola	314eee2	2017-03-08 21:21:16 +0100	[diff] [blame]	94
				95	.. code-block:: yaml
				96
				97	neutron:
				98	server:
				99	lbaas:
				100	enabled: true
				101	providers:
Elena Ezhova	cd67cfe	2017-06-16 23:35:07 +0400	[diff] [blame]	102	octavia:
				103	engine: octavia
				104	driver_path: 'neutron_lbaas.drivers.octavia.driver.OctaviaDriver'
				105	base_url: 'http://127.0.0.1:9876'
Ondrej Smola	314eee2	2017-03-08 21:21:16 +0100	[diff] [blame]	106	avi_adc:
Ondrej Smola	314eee2	2017-03-08 21:21:16 +0100	[diff] [blame]	107	engine: avinetworks
Elena Ezhova	cd67cfe	2017-06-16 23:35:07 +0400	[diff] [blame]	108	driver_path: 'avi_lbaasv2.avi_driver.AviDriver'
Ondrej Smola	314eee2	2017-03-08 21:21:16 +0100	[diff] [blame]	109	controller_address: 10.182.129.239
				110	controller_user: admin
				111	controller_password: Cloudlab2016
				112	controller_cloud_name: Default-Cloud
				113	avi_adc2:
				114	engine: avinetworks
				115	...
				116
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	117	.. note:: If the Contrail backend is set, Opencontrail loadbalancer
				118	would be enabled automatically. In this case lbaas should disabled
				119	in pillar:
Ondrej Smola	314eee2	2017-03-08 21:21:16 +0100	[diff] [blame]	120
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	121	.. code-block:: yaml
Ondrej Smola	314eee2	2017-03-08 21:21:16 +0100	[diff] [blame]	122
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	123	neutron:
				124	server:
				125	lbaas:
				126	enabled: false
Elena Ezhova	166d401	2017-08-17 12:53:52 +0400	[diff] [blame]	127
				128	Neutron FWaaSv1 enablement
				129	--------------------------
				130
				131	.. code-block:: yaml
				132
				133	neutron:
				134	fwaas:
				135	enabled: true
				136	version: ocata
				137	api_version: v1
				138
				139
Ondrej Smola	12ff819	2017-04-28 12:39:11 +0200	[diff] [blame]	140	Enable CORS parameters
Elena Ezhova	166d401	2017-08-17 12:53:52 +0400	[diff] [blame]	141	----------------------
Ondrej Smola	12ff819	2017-04-28 12:39:11 +0200	[diff] [blame]	142
				143	.. code-block:: yaml
				144
				145	neutron:
				146	server:
				147	cors:
				148	allowed_origin: https:localhost.local,http:localhost.local
				149	expose_headers: X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token
				150	allow_methods: GET,PUT,POST,DELETE,PATCH
				151	allow_headers: X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token
				152	allow_credentials: True
				153	max_age: 86400
				154
Aleš Komárek	41e8231	2017-04-11 13:37:44 +0200	[diff] [blame]	155	Neutron VXLAN tenant networks with Network nodes
				156	------------------------------------------------
Swann Croiset	9407daf	2017-02-02 15:27:56 +0100	[diff] [blame]	157
Aleš Komárek	41e8231	2017-04-11 13:37:44 +0200	[diff] [blame]	158	With DVR for East-West and Network node for North-South.
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	159
				160	This use case describes a model utilising VxLAN overlay with DVR. The DVR
Aleš Komárek	41e8231	2017-04-11 13:37:44 +0200	[diff] [blame]	161	routers will only be utilized for traffic that is router within the cloud
Vasyl Saienko	2fffc84	2017-06-14 10:35:26 +0300	[diff] [blame]	162	infrastructure and that remains encapsulated. External traffic will be
				163	routed to via the network nodes.
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	164
Vasyl Saienko	2fffc84	2017-06-14 10:35:26 +0300	[diff] [blame]	165	The intention is that each tenant will require at least two (2) vrouters
				166	one to be utilised
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	167
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	168	Neutron Server:
marco	a4428a3	2016-06-10 11:50:16 +0200	[diff] [blame]	169
				170	.. code-block:: yaml
				171
				172	neutron:
				173	server:
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	174	version: mitaka
Dmitry Stremkouski	3c1be3e	2017-11-18 11:04:20 +0300	[diff] [blame]	175	path_mtu: 1500
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	176	bind:
				177	address: 172.20.0.1
				178	port: 9696
				179	database:
				180	engine: mysql
				181	host: 127.0.0.1
				182	port: 3306
				183	name: neutron
				184	user: neutron
				185	password: pwd
				186	identity:
				187	engine: keystone
				188	host: 127.0.0.1
				189	port: 35357
				190	user: neutron
				191	password: pwd
				192	tenant: service
Dennis Dmitriev	3711472	2017-03-06 16:52:26 +0200	[diff] [blame]	193	endpoint_type: internal
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	194	message_queue:
				195	engine: rabbitmq
				196	host: 127.0.0.1
				197	port: 5672
				198	user: openstack
				199	password: pwd
				200	virtual_host: '/openstack'
				201	global_physnet_mtu: 9000
				202	l3_ha: False # Which type of router will be created by default
				203	dvr: True # disabled for non DVR use case
				204	backend:
				205	engine: ml2
				206	tenant_network_types: "flat,vxlan"
				207	external_mtu: 9000
				208	mechanism:
Elena Ezhova	d6a080c	2017-10-09 15:25:16 +0400	[diff] [blame]	209	ovs:
				210	driver: openvswitch
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	211
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	212	Network Node:
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	213
				214	.. code-block:: yaml
				215
				216	neutron:
				217	gateway:
				218	enabled: True
				219	version: mitaka
William Konitzer	81a8998	2019-01-07 12:49:15 -0600	[diff] [blame]	220	report_interval: 10
Michael Polenchuk	2151b27	2018-06-19 18:32:31 +0400	[diff] [blame]	221	dhcp_lease_duration: 600
Michael Polenchuk	cece76d	2018-06-21 14:56:17 +0400	[diff] [blame]	222	firewall_driver: iptables_hybrid
Dzmitry Stremkouski	b6dd371	2019-10-21 20:56:55 +0200	[diff] [blame]	223	host: gtw01.example.com
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	224	message_queue:
				225	engine: rabbitmq
				226	host: 127.0.0.1
				227	port: 5672
				228	user: openstack
				229	password: pwd
				230	virtual_host: '/openstack'
William Konitzer	81a8998	2019-01-07 12:49:15 -0600	[diff] [blame]	231	rpc_conn_pool_size: 300
				232	rpc_thread_pool_size: 2048
				233	rpc_response_timeout: 3600
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	234	local_ip: 192.168.20.20 # br-mesh ip address
				235	dvr: True # disabled for non DVR use case
				236	agent_mode: dvr_snat
				237	metadata:
				238	host: 127.0.0.1
				239	password: pass
				240	backend:
				241	engine: ml2
				242	tenant_network_types: "flat,vxlan"
				243	mechanism:
Elena Ezhova	d6a080c	2017-10-09 15:25:16 +0400	[diff] [blame]	244	ovs:
				245	driver: openvswitch
Vasyl Saienko	4bd2d92	2018-07-27 09:56:38 +0000	[diff] [blame]	246	agents:
				247	dhcp:
				248	ovs_use_veth: False
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	249
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	250	Compute Node:
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	251
				252	.. code-block:: yaml
				253
				254	neutron:
				255	compute:
				256	enabled: True
				257	version: mitaka
Dzmitry Stremkouski	b6dd371	2019-10-21 20:56:55 +0200	[diff] [blame]	258	host: cmp001.example.com
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	259	message_queue:
				260	engine: rabbitmq
				261	host: 127.0.0.1
				262	port: 5672
				263	user: openstack
				264	password: pwd
				265	virtual_host: '/openstack'
William Konitzer	81a8998	2019-01-07 12:49:15 -0600	[diff] [blame]	266	rpc_conn_pool_size: 300
				267	rpc_thread_pool_size: 2048
				268	rpc_response_timeout: 3600
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	269	local_ip: 192.168.20.20 # br-mesh ip address
				270	dvr: True # disabled for non DVR use case
				271	agent_mode: dvr
William Konitzer	81a8998	2019-01-07 12:49:15 -0600	[diff] [blame]	272	report_interval: 10
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	273	external_access: false # Compute node with DVR for east-west only, Network Node has True as default
				274	metadata:
				275	host: 127.0.0.1
Vasyl Saienko	2fffc84	2017-06-14 10:35:26 +0300	[diff] [blame]	276	password: pass
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	277	backend:
				278	engine: ml2
				279	tenant_network_types: "flat,vxlan"
				280	mechanism:
Elena Ezhova	d6a080c	2017-10-09 15:25:16 +0400	[diff] [blame]	281	ovs:
				282	driver: openvswitch
Petr Michalec	61f7ab2	2016-11-29 16:29:09 +0100	[diff] [blame]	283	audit:
				284	enabled: false
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	285
Aleš Komárek	41e8231	2017-04-11 13:37:44 +0200	[diff] [blame]	286
Dzmitry Stremkouski	d5e89e5	2018-09-25 10:01:54 +0200	[diff] [blame]	287	Setting mac base address
				288	------------------------
				289
				290	By default neutron uses fa:16:3f:00:00:00 basement for mac generator.
				291	One can set it's own mac base both for dvr and nondvr cases.
				292
				293	NOTE: dvr_base_mac and base_mac SHOULD differ.
				294
				295	.. code-block:: yaml
				296
				297	neutron:
				298	server:
				299	base_mac: fa:16:3f:00:00:00
				300	dvr_base_mac: fa:16:3f:a0:00:00
				301
				302	gateways:
				303
				304	.. code-block:: yaml
				305
				306	neutron:
				307	gateway:
				308	base_mac: fa:16:3f:00:00:00
				309	dvr_base_mac: fa:16:3f:a0:00:00
				310
				311	compute nodes:
				312
				313	.. code-block:: yaml
				314
				315	neutron:
				316	compute:
				317	base_mac: fa:16:3f:00:00:00
				318	dvr_base_mac: fa:16:3f:a0:00:00
				319
				320
Dmitry Stremkouski	a3a4ab4	2017-10-23 17:37:12 +0300	[diff] [blame]	321	Disable physnet1 bridge
				322	-----------------------
				323
				324	By default we have external access turned on, so among any physnets in
				325	your reclass there would be additional one: physnet1, which is mapped to
				326	br-floating
				327
				328	If you need internal nets only without this bridge, remove br-floating
				329	and configurations mappings. Disable mappings for this bridge on
				330	neutron-servers:
				331
				332	.. code-block:: yaml
				333
				334	neutron:
				335	server:
				336	external_access: false
				337
				338	gateways:
				339
				340	.. code-block:: yaml
				341
				342	neutron:
				343	gateway:
				344	external_access: false
				345
				346	compute nodes:
				347
				348	.. code-block:: yaml
				349
				350	neutron:
				351	compute:
				352	external_access: false
				353
				354
Marcin Iwinski	c50137a	2018-01-22 14:18:24 +0100	[diff] [blame]	355	Add additional bridge mappings for OVS bridges
				356	----------------------------------------------
				357
				358	By default we have external access turned on, so among any physnets in
				359	your reclass there would be additional one: physnet1, which is mapped to
				360	br-floating
				361
				362	If you need to add extra non-default bridge mappings they can be defined
				363	separately for both gateways and compute nodes:
				364
				365	gateways:
				366
				367	.. code-block:: yaml
				368
				369	neutron:
				370	gateway:
				371	bridge_mappings:
				372	physnet4: br-floating-internet
				373
				374	compute nodes:
				375
				376	.. code-block:: yaml
				377
				378	neutron:
				379	compute:
				380	bridge_mappings:
				381	physnet4: br-floating-internet
				382
				383
Dmitry Stremkouski	4b41022	2017-11-18 11:29:55 +0300	[diff] [blame]	384	Specify different mtu values for different physnets
				385	---------------------------------------------------
				386
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	387	Neutron Server:
Dmitry Stremkouski	4b41022	2017-11-18 11:29:55 +0300	[diff] [blame]	388
				389	.. code-block:: yaml
				390
				391	neutron:
				392	server:
				393	version: mitaka
				394	backend:
				395	external_mtu: 1500
				396	tenant_net_mtu: 9000
				397	ironic_net_mtu: 9000
				398
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	399	Neutron VXLAN tenant networks with Network Nodes (non DVR)
Aleš Komárek	41e8231	2017-04-11 13:37:44 +0200	[diff] [blame]	400	----------------------------------------------------------
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	401
				402	This section describes a network solution that utilises VxLAN overlay
				403	networks without DVR with all routers being managed on the network nodes.
				404
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	405	Neutron Server:
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	406
				407	.. code-block:: yaml
				408
				409	neutron:
				410	server:
				411	version: mitaka
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	412	bind:
				413	address: 172.20.0.1
				414	port: 9696
				415	database:
				416	engine: mysql
				417	host: 127.0.0.1
				418	port: 3306
				419	name: neutron
				420	user: neutron
				421	password: pwd
				422	identity:
				423	engine: keystone
				424	host: 127.0.0.1
				425	port: 35357
				426	user: neutron
				427	password: pwd
				428	tenant: service
Dennis Dmitriev	3711472	2017-03-06 16:52:26 +0200	[diff] [blame]	429	endpoint_type: internal
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	430	message_queue:
				431	engine: rabbitmq
				432	host: 127.0.0.1
				433	port: 5672
				434	user: openstack
				435	password: pwd
				436	virtual_host: '/openstack'
				437	global_physnet_mtu: 9000
				438	l3_ha: True
				439	dvr: False
				440	backend:
				441	engine: ml2
				442	tenant_network_types= "flat,vxlan"
				443	external_mtu: 9000
				444	mechanism:
Elena Ezhova	d6a080c	2017-10-09 15:25:16 +0400	[diff] [blame]	445	ovs:
				446	driver: openvswitch
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	447
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	448	Network Node:
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	449
				450	.. code-block:: yaml
				451
				452	neutron:
				453	gateway:
				454	enabled: True
				455	version: mitaka
				456	message_queue:
				457	engine: rabbitmq
				458	host: 127.0.0.1
				459	port: 5672
				460	user: openstack
				461	password: pwd
				462	virtual_host: '/openstack'
				463	local_ip: 192.168.20.20 # br-mesh ip address
				464	dvr: False
				465	agent_mode: legacy
Simon Pasquier	c03af11	2017-04-10 10:35:14 +0200	[diff] [blame]	466	availability_zone: az1
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	467	metadata:
				468	host: 127.0.0.1
				469	password: pass
				470	backend:
				471	engine: ml2
				472	tenant_network_types: "flat,vxlan"
				473	mechanism:
Elena Ezhova	d6a080c	2017-10-09 15:25:16 +0400	[diff] [blame]	474	ovs:
				475	driver: openvswitch
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	476
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	477	Compute Node:
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	478
				479	.. code-block:: yaml
				480
				481	neutron:
				482	compute:
				483	enabled: True
				484	version: mitaka
				485	message_queue:
				486	engine: rabbitmq
				487	host: 127.0.0.1
				488	port: 5672
				489	user: openstack
				490	password: pwd
				491	virtual_host: '/openstack'
				492	local_ip: 192.168.20.20 # br-mesh ip address
				493	external_access: False
Vasyl Saienko	2fffc84	2017-06-14 10:35:26 +0300	[diff] [blame]	494	dvr: False
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	495	backend:
				496	engine: ml2
				497	tenant_network_types: "flat,vxlan"
				498	mechanism:
Elena Ezhova	d6a080c	2017-10-09 15:25:16 +0400	[diff] [blame]	499	ovs:
				500	driver: openvswitch
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	501
Aleš Komárek	41e8231	2017-04-11 13:37:44 +0200	[diff] [blame]	502	Neutron VXLAN tenant networks with Network Nodes with DVR
				503	---------------------------------------------------------
				504
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	505	With DVR for East-West and North-South, DVR everywhere, Network
				506	node for SNAT.
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	507
Vasyl Saienko	2fffc84	2017-06-14 10:35:26 +0300	[diff] [blame]	508	This section describes a network solution that utilises VxLAN
				509	overlay networks with DVR with North-South and East-West. Network
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	510	Node is used only for SNAT.
				511
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	512	Neutron Server:
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	513
				514	.. code-block:: yaml
				515
				516	neutron:
				517	server:
				518	version: mitaka
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	519	bind:
				520	address: 172.20.0.1
				521	port: 9696
Ivan Berezovskiy	53c3c08	2019-11-19 14:14:27 +0400	[diff] [blame]	522	concurrency:
				523	lock_path: '/var/lib/neutron/lock'
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	524	database:
				525	engine: mysql
				526	host: 127.0.0.1
				527	port: 3306
				528	name: neutron
				529	user: neutron
				530	password: pwd
				531	identity:
				532	engine: keystone
				533	host: 127.0.0.1
				534	port: 35357
				535	user: neutron
				536	password: pwd
				537	tenant: service
Dennis Dmitriev	3711472	2017-03-06 16:52:26 +0200	[diff] [blame]	538	endpoint_type: internal
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	539	message_queue:
				540	engine: rabbitmq
				541	host: 127.0.0.1
				542	port: 5672
				543	user: openstack
				544	password: pwd
				545	virtual_host: '/openstack'
				546	global_physnet_mtu: 9000
				547	l3_ha: False
				548	dvr: True
				549	backend:
				550	engine: ml2
				551	tenant_network_types= "flat,vxlan"
				552	external_mtu: 9000
				553	mechanism:
Elena Ezhova	d6a080c	2017-10-09 15:25:16 +0400	[diff] [blame]	554	ovs:
				555	driver: openvswitch
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	556
Vasyl Saienko	0b2451b	2018-12-16 19:38:38 +0000	[diff] [blame]	557	Configuring networking-generic-switch ml2 plugin used for
				558	baremetal integration:
				559
				560	.. code-block:: yaml
				561
				562	neutron:
				563	server:
				564	backend:
				565	mechanism:
				566	ngs:
				567	driver: genericswitch
				568	n_g_s:
				569	enabled: true
				570	coordination:
				571	enabled: true
				572	backend_url: "etcd3+http://1.2.3.4:2379"
				573	devices:
				574	s1brbm:
				575	options:
				576	device_type:
				577	value: netmiko_ovs_linux
				578	ip:
				579	value: 1.2.3.4
				580	username:
				581	value: ngs_ovs_manager
				582	password:
				583	value: password
				584
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	585	Network Node:
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	586
				587	.. code-block:: yaml
				588
				589	neutron:
				590	gateway:
				591	enabled: True
				592	version: mitaka
				593	message_queue:
				594	engine: rabbitmq
				595	host: 127.0.0.1
				596	port: 5672
				597	user: openstack
				598	password: pwd
				599	virtual_host: '/openstack'
				600	local_ip: 192.168.20.20 # br-mesh ip address
				601	dvr: True
				602	agent_mode: dvr_snat
Simon Pasquier	c03af11	2017-04-10 10:35:14 +0200	[diff] [blame]	603	availability_zone: az1
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	604	metadata:
				605	host: 127.0.0.1
				606	password: pass
				607	backend:
				608	engine: ml2
				609	tenant_network_types: "flat,vxlan"
				610	mechanism:
Elena Ezhova	d6a080c	2017-10-09 15:25:16 +0400	[diff] [blame]	611	ovs:
				612	driver: openvswitch
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	613
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	614	Compute Node:
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	615
				616	.. code-block:: yaml
				617
				618	neutron:
				619	compute:
				620	enabled: True
				621	version: mitaka
				622	message_queue:
				623	engine: rabbitmq
				624	host: 127.0.0.1
				625	port: 5672
				626	user: openstack
				627	password: pwd
				628	virtual_host: '/openstack'
				629	local_ip: 192.168.20.20 # br-mesh ip address
				630	dvr: True
Vasyl Saienko	2fffc84	2017-06-14 10:35:26 +0300	[diff] [blame]	631	external_access: True
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	632	agent_mode: dvr
Simon Pasquier	c03af11	2017-04-10 10:35:14 +0200	[diff] [blame]	633	availability_zone: az1
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	634	metadata:
				635	host: 127.0.0.1
				636	password: pass
				637	backend:
				638	engine: ml2
				639	tenant_network_types: "flat,vxlan"
				640	mechanism:
Elena Ezhova	d6a080c	2017-10-09 15:25:16 +0400	[diff] [blame]	641	ovs:
				642	driver: openvswitch
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	643
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	644	Sample Linux network configuration for DVR:
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	645
				646	.. code-block:: yaml
				647
				648	linux:
				649	network:
				650	bridge: openvswitch
				651	interface:
				652	eth1:
				653	enabled: true
				654	type: eth
				655	mtu: 9000
				656	proto: manual
				657	eth2:
				658	enabled: true
				659	type: eth
				660	mtu: 9000
				661	proto: manual
				662	eth3:
				663	enabled: true
				664	type: eth
				665	mtu: 9000
				666	proto: manual
				667	br-int:
				668	enabled: true
				669	mtu: 9000
				670	type: ovs_bridge
				671	br-floating:
				672	enabled: true
				673	mtu: 9000
				674	type: ovs_bridge
				675	float-to-ex:
				676	enabled: true
				677	type: ovs_port
				678	mtu: 65000
				679	bridge: br-floating
				680	br-mgmt:
				681	enabled: true
				682	type: bridge
				683	mtu: 9000
				684	address: ${_param:single_address}
				685	netmask: 255.255.255.0
				686	use_interfaces:
				687	- eth1
				688	br-mesh:
				689	enabled: true
				690	type: bridge
				691	mtu: 9000
				692	address: ${_param:tenant_address}
				693	netmask: 255.255.255.0
				694	use_interfaces:
				695	- eth2
				696	br-ex:
				697	enabled: true
				698	type: bridge
				699	mtu: 9000
				700	address: ${_param:external_address}
				701	netmask: 255.255.255.0
				702	use_interfaces:
				703	- eth3
				704	use_ovs_ports:
				705	- float-to-ex
				706
Thom Gerdes	3282d07	2017-05-30 22:06:04 +0000	[diff] [blame]	707	Additonal VXLAN tenant network settings
				708	---------------------------------------
				709
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	710	The default multicast group of ``224.0.0.1`` only multicasts
				711	to a single subnet. Allow overriding it to allow larger underlay
				712	network topologies.
Thom Gerdes	3282d07	2017-05-30 22:06:04 +0000	[diff] [blame]	713
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	714	Neutron Server:
Thom Gerdes	3282d07	2017-05-30 22:06:04 +0000	[diff] [blame]	715
				716	.. code-block:: yaml
				717
				718	neutron:
				719	server:
				720	vxlan:
				721	group: 239.0.0.0/8
				722	vni_ranges: "2:65535"
				723
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	724	Neutron VLAN tenant networks with Network Nodes
Aleš Komárek	41e8231	2017-04-11 13:37:44 +0200	[diff] [blame]	725	-----------------------------------------------
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	726
				727	VLAN tenant provider
				728
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	729	Neutron Server only:
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	730
				731	.. code-block:: yaml
				732
				733	neutron:
				734	server:
				735	version: mitaka
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	736	...
				737	global_physnet_mtu: 9000
				738	l3_ha: False
				739	dvr: True
				740	backend:
				741	engine: ml2
				742	tenant_network_types: "flat,vlan" # Can be mixed flat,vlan,vxlan
				743	tenant_vlan_range: "1000:2000"
Oleksii Molchanov	c1a7da1	2020-11-09 15:01:06 +0200	[diff] [blame]	744	external_vlan_range: "100:200" # Does not have to be defined. Use "0:4096" for accepting all vlans.
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	745	external_mtu: 9000
				746	mechanism:
Elena Ezhova	d6a080c	2017-10-09 15:25:16 +0400	[diff] [blame]	747	ovs:
				748	driver: openvswitch
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	749
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	750	Compute node:
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	751
				752	.. code-block:: yaml
				753
				754	neutron:
				755	compute:
				756	version: mitaka
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	757	...
				758	dvr: True
				759	agent_mode: dvr
				760	external_access: False
				761	backend:
				762	engine: ml2
				763	tenant_network_types: "flat,vlan" # Can be mixed flat,vlan,vxlan
				764	mechanism:
Elena Ezhova	d6a080c	2017-10-09 15:25:16 +0400	[diff] [blame]	765	ovs:
				766	driver: openvswitch
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	767
Oleg Bondarev	ddb9af1	2018-07-02 19:07:57 +0400	[diff] [blame]	768	Neutron with explicit physical networks
				769	---------------------------------------
Oleg Bondarev	ada324f	2018-06-04 14:55:38 +0400	[diff] [blame]	770
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	771	Neutron Server only:
Oleg Bondarev	ada324f	2018-06-04 14:55:38 +0400	[diff] [blame]	772
				773	.. code-block:: yaml
				774
				775	neutron:
				776	server:
				777	version: ocata
				778	...
				779	backend:
				780	engine: ml2
				781	tenant_network_types: "flat,vlan" # Can be mixed flat,vlan,vxlan
				782	...
Oleg Bondarev	ddb9af1	2018-07-02 19:07:57 +0400	[diff] [blame]	783	# also need to configure corresponding bridge_mappings on
Oleg Bondarev	ada324f	2018-06-04 14:55:38 +0400	[diff] [blame]	784	# compute and gateway nodes
Oleg Bondarev	47d9e2d	2018-07-03 13:22:26 +0400	[diff] [blame]	785	flat_networks_default: '' # '' to allow arbitrary names or '' to disable
Oleg Bondarev	ddb9af1	2018-07-02 19:07:57 +0400	[diff] [blame]	786	physnets: # only listed physnets will be configured (overrides physnet1/2/3)
				787	external:
				788	mtu: 1500
Oleg Bondarev	47d9e2d	2018-07-03 13:22:26 +0400	[diff] [blame]	789	types:
				790	- flat # possible values - 'flat' or 'vlan'
Oleg Bondarev	ada324f	2018-06-04 14:55:38 +0400	[diff] [blame]	791	sriov_net:
				792	mtu: 9000 # Optional, defaults to 1500
Oleg Bondarev	ab32411	2018-11-19 17:56:57 +0400	[diff] [blame]	793	vlan_range: '100:200,300:400' # Optional
Oleg Bondarev	47d9e2d	2018-07-03 13:22:26 +0400	[diff] [blame]	794	types:
				795	- vlan
Oleg Bondarev	ada324f	2018-06-04 14:55:38 +0400	[diff] [blame]	796	ext_net2:
				797	mtu: 1500
Oleg Bondarev	47d9e2d	2018-07-03 13:22:26 +0400	[diff] [blame]	798	types:
				799	- flat
				800	- vlan
Oleg Bondarev	ada324f	2018-06-04 14:55:38 +0400	[diff] [blame]	801	mechanism:
				802	ovs:
				803	driver: openvswitch
				804
Aleš Komárek	41e8231	2017-04-11 13:37:44 +0200	[diff] [blame]	805	Advanced Neutron Features (DPDK, SR-IOV)
Oleg Bondarev	0575ae4	2017-07-28 16:36:25 +0400	[diff] [blame]	806	----------------------------------------
Aleš Komárek	41e8231	2017-04-11 13:37:44 +0200	[diff] [blame]	807
Jakub Pavlik	8f83ccc	2017-02-27 11:15:39 +0100	[diff] [blame]	808	Neutron OVS DPDK
Jakub Pavlik	8f83ccc	2017-02-27 11:15:39 +0100	[diff] [blame]	809
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	810	Enable datapath netdev for neutron openvswitch agent:
Jakub Pavlik	8f83ccc	2017-02-27 11:15:39 +0100	[diff] [blame]	811
				812	.. code-block:: yaml
				813
				814	neutron:
				815	server:
				816	version: mitaka
				817	...
				818	dpdk: True
				819	...
				820
				821	neutron:
				822	compute:
				823	version: mitaka
Jakub Pavlik	8f83ccc	2017-02-27 11:15:39 +0100	[diff] [blame]	824	dpdk: True
Michael Polenchuk	5291165	2018-04-12 22:09:49 +0400	[diff] [blame]	825	vhost_mode: client # options: client\|server (default)
Oleg Bondarev	ee7e830	2017-10-16 17:20:38 +0400	[diff] [blame]	826	vhost_socket_dir: /var/run/openvswitch
Jakub Pavlik	8f83ccc	2017-02-27 11:15:39 +0100	[diff] [blame]	827	backend:
				828	engine: ml2
				829	...
				830	mechanism:
Elena Ezhova	d6a080c	2017-10-09 15:25:16 +0400	[diff] [blame]	831	ovs:
				832	driver: openvswitch
Jakub Pavlik	8f83ccc	2017-02-27 11:15:39 +0100	[diff] [blame]	833
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	834	Neutron OVS SR-IOV:
Jakub Pavlik	70555cb	2017-02-26 18:48:02 +0100	[diff] [blame]	835
				836	.. code-block:: yaml
				837
				838	neutron:
				839	server:
				840	version: mitaka
Jakub Pavlik	70555cb	2017-02-26 18:48:02 +0100	[diff] [blame]	841	backend:
				842	engine: ml2
				843	...
				844	mechanism:
Elena Ezhova	d6a080c	2017-10-09 15:25:16 +0400	[diff] [blame]	845	ovs:
				846	driver: openvswitch
				847	sriov:
				848	driver: sriovnicswitch
Michael Polenchuk	0bf59a7	2018-06-19 18:06:56 +0400	[diff] [blame]	849	# Driver w/ highest number will be placed ahead in the list (default is 0).
				850	# It's recommended for SR-IOV driver to set an order >0 to get it
				851	# before (for example) the opendaylight one.
				852	order: 9
Jakub Pavlik	70555cb	2017-02-26 18:48:02 +0100	[diff] [blame]	853
				854	neutron:
				855	compute:
				856	version: mitaka
Jakub Pavlik	70555cb	2017-02-26 18:48:02 +0100	[diff] [blame]	857	...
				858	backend:
				859	engine: ml2
				860	tenant_network_types: "flat,vlan" # Can be mixed flat,vlan,vxlan
				861	sriov:
				862	nic_one:
				863	devname: eth1
				864	physical_network: physnet3
				865	mechanism:
Elena Ezhova	d6a080c	2017-10-09 15:25:16 +0400	[diff] [blame]	866	ovs:
				867	driver: openvswitch
Jakub Pavlik	70555cb	2017-02-26 18:48:02 +0100	[diff] [blame]	868
cdodda	c35c9eb	2018-11-07 23:18:10 -0600	[diff] [blame]	869	Neutron with LinuxBridge Agents
				870	-------------------------------
				871
				872	.. code-block:: yaml
				873
				874	neutron:
				875	server:
				876	firewall_driver: iptables
				877	backend:
				878	mechanism:
				879	lb:
				880	driver: linuxbridge
				881	....
				882	compute:
				883	backend:
				884	mechanism:
				885	lb:
				886	driver: linuxbridge
				887	....
				888	gateway:
				889	backend:
				890	mechanism:
				891	lb:
				892	driver: linuxbridge
				893	agents:
				894	dhcp:
				895	interface_driver: linuxbridge
				896	l3:
				897	interface_driver: linuxbridge
				898
				899
Ilya Chukhnakov	f4c2bb3	2017-06-08 02:03:15 +0300	[diff] [blame]	900	Neutron with VLAN-aware-VMs
Oleg Bondarev	0575ae4	2017-07-28 16:36:25 +0400	[diff] [blame]	901	---------------------------
Ilya Chukhnakov	f4c2bb3	2017-06-08 02:03:15 +0300	[diff] [blame]	902
				903	.. code-block:: yaml
				904
				905	neutron:
				906	server:
				907	vlan_aware_vms: true
				908	....
				909	compute:
				910	vlan_aware_vms: true
				911	....
				912	gateway:
				913	vlan_aware_vms: true
				914
Oleg Bondarev	acb2e53	2018-03-06 10:43:59 +0400	[diff] [blame]	915	Neutron with BGP VPN (BaGPipe driver)
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	916	-------------------------------------
Oleg Bondarev	b63d27f	2018-02-14 19:21:06 +0400	[diff] [blame]	917
				918	.. code-block:: yaml
				919
				920	neutron:
				921	server:
				922	version: pike
				923	bgp_vpn:
Oleg Bondarev	acb2e53	2018-03-06 10:43:59 +0400	[diff] [blame]	924	enabled: true
Michael Polenchuk	0b3c5dd	2018-06-27 12:04:32 +0400	[diff] [blame]	925	driver: bagpipe # Options: bagpipe/opencontrail/opendaylight[_v2]
Oleg Bondarev	b63d27f	2018-02-14 19:21:06 +0400	[diff] [blame]	926	....
				927	compute:
				928	version: pike
				929	bgp_vpn:
Oleg Bondarev	acb2e53	2018-03-06 10:43:59 +0400	[diff] [blame]	930	enabled: true
Michael Polenchuk	0b3c5dd	2018-06-27 12:04:32 +0400	[diff] [blame]	931	driver: bagpipe # Options: bagpipe/opencontrail/opendaylight[_v2]
Oleg Bondarev	acb2e53	2018-03-06 10:43:59 +0400	[diff] [blame]	932	bagpipe:
				933	local_address: 192.168.20.20 # IP address for mpls/gre tunnels
				934	peers: 192.168.20.30 # IP addresses of BGP peers
				935	autonomous_system: 64512 # Autonomous System number
				936	enable_rtc: True # Enable RT Constraint (RFC4684)
Oleg Bondarev	b63d27f	2018-02-14 19:21:06 +0400	[diff] [blame]	937	backend:
Oleg Bondarev	878ac46	2018-04-23 17:48:15 +0400	[diff] [blame]	938	ovs_extension: # for OVS agent only, not supported in SRIOV agent
Oleg Bondarev	b63d27f	2018-02-14 19:21:06 +0400	[diff] [blame]	939	bagpipe_bgpvpn:
				940	enabled: True
				941
Oleksii Chupryn	16cb4e0	2018-02-26 14:20:39 +0200	[diff] [blame]	942	Neutron with DHCP agent on compute node
				943	---------------------------------------
				944
				945	.. code-block:: yaml
				946
				947	neutron:
				948	....
				949	compute:
				950	dhcp_agent_enabled: true
				951	....
				952
Machi Hoshino	0ba8805	2019-05-08 11:44:04 +0900	[diff] [blame]	953	Neutron with DHCP agent disabled on gateway node
				954	------------------------------------------------
				955
				956	.. code-block:: yaml
				957
				958	neutron:
				959	....
				960	gateway:
				961	dhcp_agent_enabled: false
				962	....
				963
Dzmitry Stremkouski	48df2a7	2018-10-12 16:38:11 +0200	[diff] [blame]	964	Neutron with metadata agent on compute node
				965	-------------------------------------------
				966
				967	.. code-block:: yaml
				968
				969	neutron:
				970	....
				971	compute:
				972	metadata_agent_enabled: true
				973	....
				974
Oleg Bondarev	0575ae4	2017-07-28 16:36:25 +0400	[diff] [blame]	975	Neutron with OVN
				976	----------------
				977
				978	Control node:
				979
				980	.. code-block:: yaml
				981
				982	neutron:
				983	server:
				984	backend:
				985	engine: ovn
				986	mechanism:
				987	ovn:
				988	driver: ovn
				989	tenant_network_types: "geneve,flat"
Michael Polenchuk	f59229b	2018-06-19 16:24:49 +0400	[diff] [blame]	990	ovn:
				991	ovn_l3_scheduler: leastloaded # valid options: chance, leastloaded
				992	neutron_sync_mode: repair # valid options: log, off, repair
Michael Polenchuk	58161ef	2018-05-15 18:04:09 +0400	[diff] [blame]	993	metadata_enabled: True
Michael Polenchuk	a3d492b	2017-12-27 15:49:43 +0400	[diff] [blame]	994	ovn_ctl_opts:
				995	db-nb-create-insecure-remote: 'yes'
				996	db-sb-create-insecure-remote: 'yes'
Oleg Bondarev	0575ae4	2017-07-28 16:36:25 +0400	[diff] [blame]	997
				998	Compute node:
				999
				1000	.. code-block:: yaml
				1001
				1002	neutron:
				1003	compute:
				1004	local_ip: 10.2.0.105
				1005	controller_vip: 10.1.0.101
				1006	external_access: false
				1007	backend:
				1008	engine: ovn
Michael Polenchuk	58161ef	2018-05-15 18:04:09 +0400	[diff] [blame]	1009	ovsdb_connection: tcp:127.0.0.1:6640
Michael Polenchuk	be3cb9a	2019-02-08 17:56:49 +0400	[diff] [blame]	1010	mac_table_size: 16384
Michael Polenchuk	58161ef	2018-05-15 18:04:09 +0400	[diff] [blame]	1011	metadata:
				1012	enabled: true
				1013	ovsdb_server_iface: ptcp:6640:127.0.0.1
				1014	host: 10.1.0.101
				1015	password: unsegreto
				1016
Oleg Bondarev	0575ae4	2017-07-28 16:36:25 +0400	[diff] [blame]	1017
Michael Polenchuk	cccd1a5	2018-02-02 17:41:16 +0400	[diff] [blame]	1018	Neutron L2 Gateway
				1019	----------------
				1020
				1021	Control node:
				1022
				1023	.. code-block:: yaml
				1024
				1025	neutron:
				1026	server:
				1027	version: pike
				1028	l2gw:
				1029	enabled: true
				1030	periodic_monitoring_interval: 5
				1031	quota_l2_gateway: 20
				1032	# service_provider=<service_type>:<name>:<driver>[:default]
				1033	service_provider: L2GW:OpenDaylight:networking_odl.l2gateway.driver.OpenDaylightL2gwDriver:default
				1034	backend:
				1035	engine: ml2
				1036
				1037	Network/Gateway node:
				1038
				1039	.. code-block:: yaml
				1040
				1041	neutron:
				1042	gateway:
				1043	version: pike
				1044	l2gw:
				1045	enabled: true
				1046	debug: true
				1047	socket_timeout: 20
				1048	ovsdb_hosts:
				1049	# <ovsdb_name>: <ip address>:<port>
				1050	# - ovsdb_name: a user defined symbolic identifier of physical switch
				1051	# - ip address: the address or dns name for the OVSDB server (i.e. pointer to the switch)
				1052	ovsdb1: 10.164.5.33:6632
				1053	ovsdb2: 10.164.4.33:6632
				1054
				1055
Michael Polenchuk	87d2b74	2017-06-29 12:05:25 +0400	[diff] [blame]	1056	OpenDaylight integration
				1057	------------------------
				1058
				1059	Control node:
				1060
				1061	.. code-block:: yaml
				1062
				1063	neutron:
				1064	server:
				1065	backend:
				1066	opendaylight: true
				1067	router: odl-router_v2
				1068	host: 10.20.0.77
				1069	rest_api_port: 8282
				1070	user: admin
				1071	password: admin
				1072	ovsdb_connection: tcp:127.0.0.1:6639
Oleksii Chupryn	fed7957	2018-07-20 14:11:35 +0300	[diff] [blame]	1073	ovsdb_interface: native
Michael Polenchuk	87d2b74	2017-06-29 12:05:25 +0400	[diff] [blame]	1074	enable_websocket: true
				1075	enable_dhcp_service: false
				1076	mechanism:
				1077	ovs:
				1078	driver: opendaylight_v2
Michael Polenchuk	0bf59a7	2018-06-19 18:06:56 +0400	[diff] [blame]	1079	order: 1
Michael Polenchuk	87d2b74	2017-06-29 12:05:25 +0400	[diff] [blame]	1080
				1081	Network/Gateway node:
				1082
				1083	.. code-block:: yaml
				1084
				1085	neutron:
				1086	gateway:
				1087	backend:
				1088	router: odl-router_v2
				1089	ovsdb_connection: tcp:127.0.0.1:6639
Oleksii Chupryn	fed7957	2018-07-20 14:11:35 +0300	[diff] [blame]	1090	ovsdb_interface: native
Michael Polenchuk	87d2b74	2017-06-29 12:05:25 +0400	[diff] [blame]	1091	opendaylight:
				1092	ovsdb_server_iface: ptcp:6639:127.0.0.1
				1093	ovsdb_odl_iface: tcp:10.20.0.77:6640
				1094	tunnel_ip: 10.1.0.110
				1095	provider_mappings: physnet1:br-floating
				1096
				1097	Compute node:
				1098
				1099	.. code-block:: yaml
				1100
				1101	neutron:
				1102	compute:
				1103	opendaylight:
				1104	ovsdb_server_iface: ptcp:6639:127.0.0.1
				1105	ovsdb_odl_iface: tcp:10.20.0.77:6640
				1106	tunnel_ip: 10.1.0.105
				1107	provider_mappings: physnet1:br-floating
				1108
				1109
Michael Polenchuk	9cccecc	2018-09-14 14:54:18 +0400	[diff] [blame]	1110	Service Function Chaining Extension (SFC)
				1111	----------------
				1112
				1113	.. code-block:: yaml
				1114
				1115	neutron:
				1116	server:
				1117	sfc:
				1118	enabled: true
				1119	sfc_drivers:
				1120	- ovs # valid options: ovs, odl, ovn (not implemented yet)
				1121	flow_classifier_drivers:
				1122	- ovs # valid options: see above
				1123	....
				1124	compute:
				1125	backend:
				1126	ovs_extension:
				1127	sfc:
				1128	enabled: True
				1129
				1130
Aleš Komárek	41e8231	2017-04-11 13:37:44 +0200	[diff] [blame]	1131	Neutron Server
				1132	--------------
				1133
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1134	Neutron Server with OpenContrail:
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	1135
				1136	.. code-block:: yaml
				1137
				1138	neutron:
				1139	server:
marco	a4428a3	2016-06-10 11:50:16 +0200	[diff] [blame]	1140	backend:
				1141	engine: contrail
				1142	host: contrail_discovery_host
				1143	port: 8082
				1144	user: admin
				1145	password: password
				1146	tenant: admin
				1147	token: token
				1148
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1149	Neutron Server with Midonet:
marco	a4428a3	2016-06-10 11:50:16 +0200	[diff] [blame]	1150
				1151	.. code-block:: yaml
				1152
				1153	neutron:
				1154	server:
				1155	backend:
				1156	engine: midonet
				1157	host: midonet_api_host
				1158	port: 8181
				1159	user: admin
				1160	password: password
				1161
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1162	Neutron Server with NSX:
Vasyl Saienko	4549efe	2018-07-26 16:06:04 +0000	[diff] [blame]	1163
				1164	.. code-block:: yaml
				1165
				1166	neutron:
				1167	server:
				1168	backend:
				1169	engine: vmware
				1170	core_plugin: vmware_nsxv3
				1171	vmware:
				1172	nsx:
				1173	extension_drivers:
				1174	- vmware_nsxv3_dns
				1175	v3:
				1176	api_password: nsx_password
				1177	api_user: nsx_username
				1178	api_managers:
				1179	01:
				1180	scheme: https
				1181	host: 192.168.10.120
				1182	port: '443'
				1183	insecure: true
				1184
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1185	Neutron Keystone region:
Jakub Pavlik	6dd5c0a	2016-03-09 14:18:15 +0100	[diff] [blame]	1186
				1187	.. code-block:: yaml
				1188
				1189	neutron:
				1190	server:
				1191	enabled: true
				1192	version: kilo
				1193	...
				1194	identity:
				1195	region: RegionTwo
				1196	...
				1197	compute:
				1198	region: RegionTwo
				1199	...
				1200
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1201	Client-side RabbitMQ HA setup:
Jiri Konecny	93b1999	2016-04-12 11:15:39 +0200	[diff] [blame]	1202
				1203	.. code-block:: yaml
				1204
				1205	neutron:
				1206	server:
				1207	....
				1208	message_queue:
				1209	engine: rabbitmq
				1210	members:
				1211	- host: 10.0.16.1
				1212	- host: 10.0.16.2
				1213	- host: 10.0.16.3
				1214	user: openstack
				1215	password: pwd
				1216	virtual_host: '/openstack'
				1217	....
				1218
Kirill Bespalov	dd748b6	2017-11-21 10:42:57 +0300	[diff] [blame]	1219	Configuring TLS communications
				1220	------------------------------
Kirill Bespalov	8fffe02	2017-08-03 17:55:02 +0300	[diff] [blame]	1221
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1222	.. note:: By default, system-wide installed CA certs are used,
				1223	so ``cacert_file`` param is optional, as well as ``cacert``.
Kirill Bespalov	dd748b6	2017-11-21 10:42:57 +0300	[diff] [blame]	1224
				1225	- RabbitMQ TLS
Kirill Bespalov	8fffe02	2017-08-03 17:55:02 +0300	[diff] [blame]	1226
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1227	.. code-block:: yaml
Kirill Bespalov	8fffe02	2017-08-03 17:55:02 +0300	[diff] [blame]	1228
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1229	neutron:
				1230	server, gateway, compute:
				1231	message_queue:
				1232	port: 5671
				1233	ssl:
				1234	enabled: True
				1235	(optional) cacert: cert body if the cacert_file does not exists
				1236	(optional) cacert_file: /etc/openstack/rabbitmq-ca.pem
				1237	(optional) version: TLSv1_2
Kirill Bespalov	8fffe02	2017-08-03 17:55:02 +0300	[diff] [blame]	1238
Kirill Bespalov	dd748b6	2017-11-21 10:42:57 +0300	[diff] [blame]	1239	- MySQL TLS
Kirill Bespalov	8fffe02	2017-08-03 17:55:02 +0300	[diff] [blame]	1240
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1241	.. code-block:: yaml
Kirill Bespalov	8fffe02	2017-08-03 17:55:02 +0300	[diff] [blame]	1242
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1243	neutron:
				1244	server:
				1245	database:
				1246	ssl:
				1247	enabled: True
				1248	(optional) cacert: cert body if the cacert_file does not exists
				1249	(optional) cacert_file: /etc/openstack/mysql-ca.pem
Kirill Bespalov	8fffe02	2017-08-03 17:55:02 +0300	[diff] [blame]	1250
Kirill Bespalov	dd748b6	2017-11-21 10:42:57 +0300	[diff] [blame]	1251	- Openstack HTTPS API
				1252
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1253	.. code-block:: yaml
Kirill Bespalov	8fffe02	2017-08-03 17:55:02 +0300	[diff] [blame]	1254
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1255	neutron:
				1256	server:
				1257	identity:
				1258	protocol: https
				1259	(optional) cacert_file: /etc/openstack/proxy.pem
Kirill Bespalov	8fffe02	2017-08-03 17:55:02 +0300	[diff] [blame]	1260
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1261	Enable auditing filter, ie: CADF:
Petr Michalec	61f7ab2	2016-11-29 16:29:09 +0100	[diff] [blame]	1262
				1263	.. code-block:: yaml
				1264
				1265	neutron:
				1266	server:
				1267	audit:
				1268	enabled: true
				1269	....
				1270	filter_factory: 'keystonemiddleware.audit:filter_factory'
				1271	map_file: '/etc/pycadf/neutron_api_audit_map.conf'
				1272	....
				1273	compute:
				1274	audit:
				1275	enabled: true
				1276	....
				1277	filter_factory: 'keystonemiddleware.audit:filter_factory'
				1278	map_file: '/etc/pycadf/neutron_api_audit_map.conf'
				1279	....
Jiri Konecny	93b1999	2016-04-12 11:15:39 +0200	[diff] [blame]	1280
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1281	Neutron with security groups disabled:
Oleg Bondarev	98870a3	2017-05-29 16:53:19 +0400	[diff] [blame]	1282
				1283	.. code-block:: yaml
				1284
				1285	neutron:
				1286	server:
				1287	security_groups_enabled: False
				1288	....
				1289	compute:
				1290	security_groups_enabled: False
				1291	....
				1292	gateway:
				1293	security_groups_enabled: False
				1294
Jiri Konecny	93b1999	2016-04-12 11:15:39 +0200	[diff] [blame]	1295
Dzmitry Stremkouski	daea5f4	2020-09-11 11:01:48 +0200	[diff] [blame]	1296	Neutron Client Resources
				1297	------------------------
				1298
				1299	Neutron network:
				1300
				1301	.. code-block:: yaml
				1302
				1303	parameters:
				1304	neutron:
				1305	client:
				1306	enabled: true
				1307	resources:
				1308	v2:
				1309	admin_identity:
				1310	network:
				1311	corporate:
				1312	shared: False
				1313	router_external: True
				1314	subnet:
				1315	corporate:
				1316	cidr: ${_param:fip_corporate_subnet_cidr}
				1317	enable_dhcp: False
				1318	ip_version: 4
				1319	allocation_pools:
				1320	- start: ${_param:fip_corporate_allocation_start}
				1321	end: ${_param:fip_corporate_allocation_end}
				1322
				1323	Neutron Client (deprecated)
				1324	---------------------------
				1325
				1326	Neutron client is deprecated. Please use neutron client resources definitions
				1327	instead.
Jiri Broulik	5368cc5	2017-02-08 18:53:59 +0100	[diff] [blame]	1328
Vyacheslav Struk	3f529d4	2019-06-13 13:37:25 +0300	[diff] [blame]	1329	Neutron networks and RBAC:
Jiri Broulik	5368cc5	2017-02-08 18:53:59 +0100	[diff] [blame]	1330
				1331	.. code-block:: yaml
				1332
				1333	neutron:
				1334	client:
				1335	enabled: true
				1336	server:
				1337	identity:
Vyacheslav Struk	3f529d4	2019-06-13 13:37:25 +0300	[diff] [blame]	1338	rbac:
				1339	network:
				1340	rule1:
				1341	absent: True
				1342	target_tenant: admin
				1343	action: access_as_shared
				1344	network: public
				1345	rule2:
				1346	absent: False
				1347	target_tenant: service
				1348	action: access_as_external
				1349	network: public
Richard Felkl	aac256a	2017-03-23 15:43:49 +0100	[diff] [blame]	1350	endpoint_type: internalURL
Jiri Broulik	5368cc5	2017-02-08 18:53:59 +0100	[diff] [blame]	1351	network:
				1352	inet1:
				1353	tenant: demo
				1354	shared: False
				1355	admin_state_up: True
				1356	router_external: True
				1357	provider_physical_network: inet
				1358	provider_network_type: flat
				1359	provider_segmentation_id: 2
				1360	subnet:
				1361	inet1-subnet1:
				1362	cidr: 192.168.90.0/24
				1363	enable_dhcp: False
				1364	inet2:
				1365	tenant: admin
				1366	shared: False
				1367	router_external: True
				1368	provider_network_type: "vlan"
				1369	subnet:
				1370	inet2-subnet1:
				1371	cidr: 192.168.92.0/24
				1372	enable_dhcp: False
				1373	inet2-subnet2:
				1374	cidr: 192.168.94.0/24
				1375	enable_dhcp: True
				1376	identity1:
				1377	network:
				1378	...
				1379
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1380	Neutron routers:
Jiri Broulik	5368cc5	2017-02-08 18:53:59 +0100	[diff] [blame]	1381
				1382	.. code-block:: yaml
				1383
				1384	neutron:
				1385	client:
				1386	enabled: true
				1387	server:
				1388	identity:
Richard Felkl	aac256a	2017-03-23 15:43:49 +0100	[diff] [blame]	1389	endpoint_type: internalURL
Jiri Broulik	5368cc5	2017-02-08 18:53:59 +0100	[diff] [blame]	1390	router:
				1391	inet1-router:
				1392	tenant: demo
				1393	admin_state_up: True
				1394	gateway_network: inet
				1395	interfaces:
				1396	- inet1-subnet1
				1397	- inet1-subnet2
				1398	identity1:
				1399	router:
				1400	...
				1401
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1402	.. TODO implement adding new interfaces to a router while updating it
Jiri Broulik	5368cc5	2017-02-08 18:53:59 +0100	[diff] [blame]	1403
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1404	Neutron security groups:
Jiri Broulik	5368cc5	2017-02-08 18:53:59 +0100	[diff] [blame]	1405
				1406	.. code-block:: yaml
				1407
				1408	neutron:
				1409	client:
				1410	enabled: true
				1411	server:
				1412	identity:
Richard Felkl	aac256a	2017-03-23 15:43:49 +0100	[diff] [blame]	1413	endpoint_type: internalURL
Jiri Broulik	5368cc5	2017-02-08 18:53:59 +0100	[diff] [blame]	1414	security_group:
				1415	security_group1:
				1416	tenant: demo
				1417	description: security group 1
				1418	rules:
				1419	- direction: ingress
				1420	ethertype: IPv4
				1421	protocol: TCP
				1422	port_range_min: 1
				1423	port_range_max: 65535
				1424	remote_ip_prefix: 0.0.0.0/0
				1425	- direction: ingress
				1426	ethertype: IPv4
				1427	protocol: UDP
				1428	port_range_min: 1
				1429	port_range_max: 65535
				1430	remote_ip_prefix: 0.0.0.0/0
				1431	- direction: ingress
				1432	protocol: ICMP
				1433	remote_ip_prefix: 0.0.0.0/0
				1434	identity1:
				1435	security_group:
				1436	...
				1437
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1438	.. TODO: implement updating existing security rules (now it adds new rule if
				1439	trying to update existing one)
Jiri Broulik	5368cc5	2017-02-08 18:53:59 +0100	[diff] [blame]	1440
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1441	Floating IP addresses:
Jiri Broulik	de2e290	2017-02-13 15:03:47 +0100	[diff] [blame]	1442
				1443	.. code-block:: yaml
				1444
				1445	neutron:
				1446	client:
				1447	enabled: true
				1448	server:
				1449	identity:
Richard Felkl	aac256a	2017-03-23 15:43:49 +0100	[diff] [blame]	1450	endpoint_type: internalURL
Jiri Broulik	de2e290	2017-02-13 15:03:47 +0100	[diff] [blame]	1451	floating_ip:
				1452	prx01-instance:
				1453	server: prx01.mk22-lab-basic.local
				1454	subnet: private-subnet1
				1455	network: public-net1
				1456	tenant: demo
				1457	gtw01-instance:
				1458	...
				1459
				1460	.. note:: The network must have flag router:external set to True.
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1461	Instance port in the stated subnet will be associated
				1462	with the dynamically generated floating IP.
Oleg Iurchenko	de71cc2	2017-09-18 17:58:56 +0300	[diff] [blame]	1463
				1464	Enable Neutron extensions (QoS, DNS, etc.)
				1465	------------------------------------------
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1466
Oleg Iurchenko	de71cc2	2017-09-18 17:58:56 +0300	[diff] [blame]	1467	.. code-block:: yaml
				1468
				1469	neutron:
				1470	server:
				1471	backend:
				1472	extension:
Oleg Iurchenko	ac17f4f	2017-10-06 11:24:27 +0300	[diff] [blame]	1473	dns:
				1474	enabled: True
				1475	host: 127.0.0.1
				1476	port: 9001
				1477	protocol: http
				1478	....
				1479	qos
				1480	enabled: True
Oleg Iurchenko	de71cc2	2017-09-18 17:58:56 +0300	[diff] [blame]	1481
Oleg Bondarev	878ac46	2018-04-23 17:48:15 +0400	[diff] [blame]	1482	Different Neutron extensions for different agents
				1483	-------------------------------------------------
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1484
Oleg Bondarev	878ac46	2018-04-23 17:48:15 +0400	[diff] [blame]	1485	.. code-block:: yaml
				1486
				1487	neutron:
				1488	server:
				1489	backend:
				1490	extension: # common extensions for OVS and SRIOV agents
				1491	dns:
				1492	enabled: True
				1493	...
				1494	qos
				1495	enabled: True
				1496	ovs_extension: # OVS specific extensions
				1497	bagpipe_bgpvpn:
				1498	enabled: True
				1499	sriov_extension: # SRIOV specific extensions
				1500	dummy:
				1501	enabled: True
Oleg Iurchenko	de71cc2	2017-09-18 17:58:56 +0300	[diff] [blame]	1502
Oleg Iurchenko	8cf6cf5	2017-09-18 15:44:03 +0300	[diff] [blame]	1503	Neutron with Designate
				1504	-----------------------------------------
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1505
Oleg Iurchenko	8cf6cf5	2017-09-18 15:44:03 +0300	[diff] [blame]	1506	.. code-block:: yaml
				1507
				1508	neutron:
				1509	server:
				1510	backend:
				1511	extension:
				1512	dns:
				1513	enabled: True
				1514	host: 127.0.0.1
				1515	port: 9001
				1516	protocol: http
				1517
Marek Celoud	67ce206	2018-01-31 13:44:55 +0100	[diff] [blame]	1518	Enable RBAC for OpenContrail engine
				1519	-----------------------------------
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1520
Marek Celoud	67ce206	2018-01-31 13:44:55 +0100	[diff] [blame]	1521	.. code-block:: yaml
				1522
				1523	neutron:
				1524	server:
				1525	backend:
				1526	engine: contrail
				1527	rbac:
				1528	enabled: True
Oleg Iurchenko	8cf6cf5	2017-09-18 15:44:03 +0300	[diff] [blame]	1529
Kostiantyn Kalynovskyi	7cc5904	2019-03-14 16:30:14 +0300	[diff] [blame]	1530	Increase maximum number of allowed address pairs per instance
				1531	-----------------------------------
				1532
				1533	Neutron Server:
				1534
				1535	.. code-block:: yaml
				1536
				1537	neutron:
				1538	server:
				1539	max_allowed_address_pair: 20
				1540
				1541	Neutron generic node (compute or gateway):
				1542
				1543	.. code-block:: yaml
				1544
				1545	neutron:
				1546	max_allowed_address_pair: 20
				1547
Oleg Bondarev	a0940cc	2019-03-27 16:24:00 +0400	[diff] [blame]	1548	Increase OVS timeouts for loaded nodes
				1549	--------------------------------------
				1550
				1551	Network node:
				1552
				1553	.. code-block:: yaml
				1554
				1555	neutron:
				1556	gateway:
				1557	of_connect_timeout: 60
				1558	of_request_timeout: 30
Oleg Bondarev	13a8730	2019-06-11 18:20:29 +0400	[diff] [blame]	1559	of_inactivity_probe: 30
Oleg Bondarev	a0940cc	2019-03-27 16:24:00 +0400	[diff] [blame]	1560	ovs_vsctl_timeout: 30 # Pike
				1561	ovsdb_timeout: 30 # Queens and beyond
				1562	bridge_mac_table_size: 100000
				1563
Oleg Bondarev	e26a239	2019-04-11 18:27:27 +0400	[diff] [blame]	1564	Change default resource quotas
				1565	------------------------------
				1566
				1567	.. code-block:: yaml
				1568
				1569	neutron:
				1570	server:
				1571	quotas:
				1572	default_quota: 100
				1573	quota_network: 150
				1574	quota_subnet: 150
				1575	quota_port: 200
				1576	quota_router: 50
				1577	quota_floatingip: 30
				1578	quota_security_group: 20
				1579	quota_security_group_rule: 50
				1580
				1581
Oleg Bondarev	a0940cc	2019-03-27 16:24:00 +0400	[diff] [blame]	1582
Dmitry Kalashnik	35dd0e0	2017-12-07 14:16:25 +0400	[diff] [blame]	1583	Enhanced logging with logging.conf
				1584	----------------------------------
				1585
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1586	By default ``logging.conf`` is disabled.
Dmitry Kalashnik	35dd0e0	2017-12-07 14:16:25 +0400	[diff] [blame]	1587
				1588	That is possible to enable per-binary logging.conf with new variables:
Dmitry Kalashnik	35dd0e0	2017-12-07 14:16:25 +0400	[diff] [blame]	1589
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1590	* ``openstack_log_appender``
				1591	Set to true to enable ``log_config_append`` for all OpenStack services
				1592
				1593	* ``openstack_fluentd_handler_enabled``
				1594	Set to true to enable FluentHandler for all Openstack services
				1595
				1596	* ``openstack_ossyslog_handler_enabled``
				1597	Set to true to enable OSSysLogHandler for all Openstack services.
				1598
				1599	Only ``WatchedFileHandler``, ``OSSysLogHandler``, and ``FluentHandler``
				1600	are available.
Dmitry Kalashnik	35dd0e0	2017-12-07 14:16:25 +0400	[diff] [blame]	1601
				1602	Also it is possible to configure this with pillar:
				1603
				1604	.. code-block:: yaml
				1605
				1606	neutron:
				1607	server:
				1608	logging:
				1609	log_appender: true
				1610	log_handlers:
				1611	watchedfile:
				1612	enabled: true
				1613	fluentd:
				1614	enabled: true
Oleksii Chupryn	156c5f4	2018-02-07 10:06:50 +0200	[diff] [blame]	1615	ossyslog:
				1616	enabled: true
Dmitry Kalashnik	35dd0e0	2017-12-07 14:16:25 +0400	[diff] [blame]	1617	....
				1618	compute:
				1619	logging:
				1620	log_appender: true
				1621	log_handlers:
				1622	watchedfile:
				1623	enabled: true
				1624	fluentd:
				1625	enabled: true
Oleksii Chupryn	156c5f4	2018-02-07 10:06:50 +0200	[diff] [blame]	1626	ossyslog:
				1627	enabled: true
Dmitry Kalashnik	35dd0e0	2017-12-07 14:16:25 +0400	[diff] [blame]	1628	....
				1629	gateway:
				1630	logging:
				1631	log_appender: true
				1632	log_handlers:
				1633	watchedfile:
				1634	enabled: true
				1635	fluentd:
				1636	enabled: true
Oleksii Chupryn	156c5f4	2018-02-07 10:06:50 +0200	[diff] [blame]	1637	ossyslog:
				1638	enabled: true
Oleg Iurchenko	8cf6cf5	2017-09-18 15:44:03 +0300	[diff] [blame]	1639
Oleksii Grudev	fe73ee5	2018-05-14 14:08:11 +0300	[diff] [blame]	1640	Logging levels pillar example:
				1641
				1642	.. code-block:: yaml
				1643
				1644	neutron:
				1645	server:
				1646	logging:
				1647	log_appender: true
				1648	loggers:
				1649	root:
				1650	level: 'DEBUG'
				1651	neutron:
				1652	level: 'DEBUG'
				1653	amqplib:
				1654	level: 'DEBUG'
				1655	sqlalchemy:
				1656	level: 'DEBUG'
				1657	boto:
				1658	level: 'DEBUG'
				1659	suds:
				1660	level: 'DEBUG'
				1661	eventletwsgi:
				1662	level: 'DEBUG'
				1663	......
Michael Polenchuk	5fb5c57	2019-03-13 11:54:26 +0400	[diff] [blame]	1664
				1665	Neutron server with memcached caching and security strategy
				1666	-----------------------------------------------------------
Oleksandr Bryndzii	3b0ac2c	2018-10-04 11:06:24 +0300	[diff] [blame]	1667
				1668	.. code-block:: yaml
				1669
				1670	neutron:
				1671	server:
				1672	enabled: true
				1673	...
				1674	cache:
				1675	engine: memcached
				1676	members:
				1677	- host: 127.0.0.1
				1678	port: 11211
				1679	- host: 127.0.0.1
				1680	port: 11211
				1681	security:
				1682	enabled: true
				1683	strategy: ENCRYPT
				1684	secret_key: secret
Oleksii Grudev	fe73ee5	2018-05-14 14:08:11 +0300	[diff] [blame]	1685
Michael Polenchuk	5fb5c57	2019-03-13 11:54:26 +0400	[diff] [blame]	1686
				1687	Neutron API behind uWSGI (experimental)
				1688	---------------------------------------
				1689
				1690	.. code-block:: yaml
				1691
				1692	neutron:
				1693	server:
				1694	wsgi:
				1695	enabled: true
				1696	threads: 32
				1697	workers: 64
				1698	logto: /var/log/neutron/neutron-server.log
				1699
Oleksandr Bryndzii	b9d02af	2019-05-10 16:59:14 +0300	[diff] [blame]	1700	Setup hardcoded configuration values
				1701	------------------------------------
				1702
				1703	.. code-block:: yaml
				1704
				1705	neutron:
				1706	server:
				1707	configmap:
				1708	neutron_server:
				1709	DEFAULT:
				1710	max_subnet_host_routes: 30
				1711	max_routes: 60
				1712	debug_iptables_rules: True
				1713	quotas:
				1714	quota_network: 20
				1715	quota_subnet: 10
				1716	quota_port: 100
				1717	matchmaker_redis:
				1718	host: 127.0.0.1
				1719	port: 6379
				1720	password: pswd
				1721	gateway:
				1722	configmap:
				1723	metadata_agent:
				1724	DEFAULT:
				1725	metadata_workers: 10
				1726	debug: True
				1727	agent:
				1728	report_interval: 30
				1729	l3_agent:
				1730	DEFAULT:
				1731	agent_mode : dvr
				1732	agent:
				1733	report_interval: 40
				1734	dhcp_agent:
				1735	DEFAULT:
				1736	ovs_vsctl_timeout: 12
				1737	resync_interval: 60
				1738	agent:
				1739	report_interval: 60
Michael Polenchuk	5fb5c57	2019-03-13 11:54:26 +0400	[diff] [blame]	1740
Martin Polreich	7f077d4	2019-12-12 14:58:43 +0100	[diff] [blame]	1741
				1742	Change default service policy configuration:
				1743	--------------------------------------------
				1744
				1745	.. code-block:: yaml
				1746
				1747	neutron:
				1748	server:
				1749	policy:
				1750	create_subnet: 'rule:admin_or_network_owner'
				1751	create_subnet:segment_id: 'rule:admin_only'
				1752	# Add key without value to remove line from policy.json
				1753	get_subnet:
				1754	bgpvpn_policy:
				1755	create_bgpvpn: 'rule:admin_only'
				1756	get_bgpvpn: 'rule:admin_or_owner'
				1757	# Add key without value to remove line from policy.json
				1758	get_bgpvpn:tenant_id:
				1759
Oleksii Molchanov	05e8721	2020-03-17 18:14:38 +0200	[diff] [blame]	1760	High-available cross-az DHCP agents:
				1761	------------------------------------
				1762
				1763	Control node:
				1764
				1765	.. code-block:: yaml
				1766
				1767	neutron:
				1768	....
				1769	server:
				1770	dhcp_load_type: networks
				1771	network_scheduler_driver: neutron.scheduler.dhcp_agent_scheduler.AZAwareWeightScheduler
				1772	....
				1773
				1774	Network/Gateway node:
				1775
				1776	.. code-block:: yaml
				1777
				1778	neutron:
				1779	....
				1780	gateway:
				1781	availability_zone: nova
				1782	....
				1783
				1784	Compute node:
				1785
				1786	.. code-block:: yaml
				1787
				1788	neutron:
				1789	....
				1790	compute:
				1791	availability_zone: nova
				1792	....
Martin Polreich	7f077d4	2019-12-12 14:58:43 +0100	[diff] [blame]	1793
Oleksii Molchanov	0156b0c	2020-03-25 17:22:47 +0200	[diff] [blame]	1794	High-available cross-az L3 routers:
				1795	-----------------------------------
				1796
				1797	Control node:
				1798
				1799	.. code-block:: yaml
				1800
				1801	neutron:
				1802	....
				1803	server:
				1804	router_scheduler_driver: neutron.scheduler.l3_agent_scheduler.AZLeastRoutersScheduler
				1805	max_l3_agents_per_router: '3'
				1806	....
				1807
				1808	Network/Gateway node:
				1809
				1810	.. code-block:: yaml
				1811
				1812	neutron:
				1813	....
				1814	gateway:
				1815	availability_zone: nova
				1816	....
				1817
				1818	Compute node:
				1819
				1820	.. code-block:: yaml
				1821
				1822	neutron:
				1823	....
				1824	compute:
				1825	availability_zone: nova
				1826	....
				1827
				1828
Oleksii Molchanov	cd33b84	2020-04-22 14:16:19 +0300	[diff] [blame]	1829	Defining default_availability_zones:
				1830	------------------------------------
				1831
				1832	Control node:
				1833
				1834	.. code-block:: yaml
				1835
				1836	neutron:
				1837	....
				1838	server:
				1839	default_availability_zones: 'custom_az1, custom_az2'
				1840	....
				1841
				1842
Roman Lubianyi	a6caca9	2020-03-04 11:26:23 +0200	[diff] [blame]	1843	Set nova_metadata_protocol for Neutron
				1844	---------------------------------------
				1845
				1846	.. code-block:: yaml
				1847
				1848	neutron:
				1849	gateway:
				1850	metadata:
				1851	protocol: http
				1852	compute:
				1853	metadata:
				1854	protocol: http
				1855
				1856
Roman Lubianyi	840aec1	2020-03-31 12:07:34 +0300	[diff] [blame]	1857	Set vxlan_group with LinuxBridge Agents
				1858	-------------------------------
				1859
				1860	.. code-block:: yaml
				1861
				1862	neutron:
				1863	gateway:
				1864	vxlan:
				1865	group: 224.0.0.1
				1866	....
				1867	compute:
				1868	vxlan:
				1869	group: 224.0.0.1
				1870
				1871
Taras Khlivnyak	38f67ef	2021-08-18 13:37:17 +0300	[diff] [blame^]	1872	Change files/directories permissions for neutron service:
				1873	=======================================
				1874	In order to change file permissions the following should be set:
				1875
				1876	'files' - block to set permissions for files.
				1877	- full path to file
				1878	- user ( default value is 'root' ) this parameter is optional.
				1879	- group ( default value is 'neutron' ) this parameter is optional
				1880	- mode ( default value is '0640' ) this parameter is optional
				1881
				1882	'directories' - block to set permissions for directories.
				1883	- full path to directory
				1884	- user ( default value is 'root' ) this parameter is optional
				1885	- group ( default value is 'neutron' ) this parameter is optional
				1886	- mode ( default value is '0750' ) this parameter is optional
				1887
				1888	.. code-block:: yaml
				1889
				1890	neutron:
				1891	files:
				1892	/etc/neutron/neutron.conf:
				1893	user: 'root'
				1894	group: 'neutron'
				1895	mode: '0750'
				1896	directories:
				1897	/etc/neutron:
				1898	user: 'root'
				1899	group: 'neutron'
				1900	mode: '0750'
				1901
				1902
Vasyl Saienko	ba42073	2018-09-07 10:19:32 +0000	[diff] [blame]	1903	Upgrades
				1904	========
				1905
				1906	Each openstack formula provide set of phases (logical bloks) that will help to
				1907	build flexible upgrade orchestration logic for particular components. The list
				1908	of phases might and theirs descriptions are listed in table below:
				1909
				1910	+-------------------------------+------------------------------------------------------+
				1911	\| State \| Description \|
				1912	+===============================+======================================================+
				1913	\| <app>.upgrade.service_running \| Ensure that all services for particular application \|
				1914	\| \| are enabled for autostart and running \|
				1915	+-------------------------------+------------------------------------------------------+
				1916	\| <app>.upgrade.service_stopped \| Ensure that all services for particular application \|
				1917	\| \| disabled for autostart and dead \|
				1918	+-------------------------------+------------------------------------------------------+
				1919	\| <app>.upgrade.pkg_latest \| Ensure that packages used by particular application \|
				1920	\| \| are installed to latest available version. \|
				1921	\| \| This will not upgrade data plane packages like qemu \|
				1922	\| \| and openvswitch as usually minimal required version \|
				1923	\| \| in openstack services is really old. The data plane \|
				1924	\| \| packages should be upgraded separately by `apt-get \|
				1925	\| \| upgrade` or `apt-get dist-upgrade` \|
				1926	\| \| Applying this state will not autostart service. \|
				1927	+-------------------------------+------------------------------------------------------+
				1928	\| <app>.upgrade.render_config \| Ensure configuration is rendered actual version. +
				1929	+-------------------------------+------------------------------------------------------+
				1930	\| <app>.upgrade.pre \| We assume this state is applied on all nodes in the \|
				1931	\| \| cloud before running upgrade. \|
				1932	\| \| Only non destructive actions will be applied during \|
				1933	\| \| this phase. Perform service built in service check \|
				1934	\| \| like (keystone-manage doctor and nova-status upgrade)\|
				1935	+-------------------------------+------------------------------------------------------+
				1936	\| <app>.upgrade.upgrade.pre \| Mostly applicable for data plane nodes. During this \|
				1937	\| \| phase resources will be gracefully removed from \|
				1938	\| \| current node if it is allowed. Services for upgraded \|
				1939	\| \| application will be set to admin disabled state to \|
				1940	\| \| make sure node will not participate in resources \|
				1941	\| \| scheduling. For example on gtw nodes this will set \|
				1942	\| \| all agents to admin disable state and will move all \|
				1943	\| \| routers to other agents. \|
				1944	+-------------------------------+------------------------------------------------------+
				1945	\| <app>.upgrade.upgrade \| This state will basically upgrade application on \|
				1946	\| \| particular target. Stop services, render \|
				1947	\| \| configuration, install new packages, run offline \|
				1948	\| \| dbsync (for ctl), start services. Data plane should \|
				1949	\| \| not be affected, only OpenStack python services. \|
				1950	+-------------------------------+------------------------------------------------------+
				1951	\| <app>.upgrade.upgrade.post \| Add services back to scheduling. \|
				1952	+-------------------------------+------------------------------------------------------+
				1953	\| <app>.upgrade.post \| This phase should be launched only when upgrade of \|
				1954	\| \| the cloud is completed. \|
				1955	+-------------------------------+------------------------------------------------------+
				1956	\| <app>.upgrade.verify \| Here we will do basic health checks (API CRUD \|
				1957	\| \| operations, verify do not have dead network \|
				1958	\| \| agents/compute services) \|
				1959	+-------------------------------+------------------------------------------------------+
				1960
				1961
Oleksandr Pidrepnyi	f3f62a8	2019-06-10 12:17:50 +0300	[diff] [blame]	1962	Don't manage services scheduling while upgrade
				1963	----------------------------------------------
				1964	For some special cases, don't manage services scheduling both enable and disable
				1965	before and after upgrade procedure.
				1966
				1967	If 'manage_service_maintenance: true' or not present - default behavior, disable services
				1968	before upgrade and enable it after upgrade.
				1969	If 'manage_service_maintenance: false' - don't disable and don't enable upgraded services
				1970	scheduling before and after upgrade.
				1971
				1972	.. code-block:: yaml
				1973
				1974	neutron:
				1975	upgrade:
				1976	manage_service_maintenance: false
				1977
				1978
Oleksandr Shyshko	f51b94c	2018-08-31 16:05:27 +0300	[diff] [blame]	1979	Enable x509 and ssl communication between Neutron and Galera cluster.
				1980	---------------------
				1981	By default communication between Neutron and Galera is unsecure.
				1982
				1983	neutron:
				1984	server:
				1985	database:
				1986	x509:
				1987	enabled: True
				1988
				1989	You able to set custom certificates in pillar:
				1990
				1991	neutron:
				1992	server:
				1993	database:
				1994	x509:
				1995	cacert: (certificate content)
				1996	cert: (certificate content)
				1997	key: (certificate content)
				1998
				1999	You can read more about it here:
				2000	https://docs.openstack.org/security-guide/databases/database-access-control.html
Vladimir Khlyunev	a898767	2021-08-05 05:05:21 +0400	[diff] [blame]	2001
				2002
				2003	Disable port security for network.
				2004	----------------------------------
				2005
				2006	.. code-block:: yaml
				2007
				2008	neutron:
				2009	client:
				2010	resources:
				2011	v2:
				2012	admin_identity:
				2013	network:
				2014	NETWORK_NAME:
				2015	port_security_enabled: false