===============
Neutron Formula
===============

Neutron is an OpenStack project to provide "networking as a service" between
interface devices (e.g., vNICs) managed by other OpenStack services (e.g.,
nova).

Starting in the Folsom release, Neutron is a core and supported part of the
OpenStack platform (for Essex, we were an "incubated" project, which means use
is suggested only for those who really know what they're doing with Neutron).

Sample Pillars
==============

Neutron Server on the controller node

.. code-block:: yaml

    neutron:
      server:
        enabled: true
        version: mitaka
        allow_pagination: true
        pagination_max_limit: 100
        bind:
          address: 172.20.0.1
          port: 9696
        database:
          engine: mysql
          host: 127.0.0.1
          port: 3306
          name: neutron
          user: neutron
          password: pwd
        identity:
          engine: keystone
          host: 127.0.0.1
          port: 35357
          user: neutron
          password: pwd
          tenant: service
          endpoint_type: internal
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        metadata:
          host: 127.0.0.1
          port: 8775
          password: pass
        audit:
          enabled: false

Note: Pagination is useful when retrieving a large number of resources,
because a single request may fail (time out). It is enabled with both
parameters *allow_pagination* and *pagination_max_limit* as shown above.

Configuration of policy.json file

.. code-block:: yaml

    neutron:
      server:
        ....
        policy:
          create_subnet: 'rule:admin_or_network_owner'
          'get_network:queue_id': 'rule:admin_only'
          # Add key without value to remove line from policy.json
          'create_network:shared':

Neutron LBaaSv2 enablement
--------------------------

.. code-block:: yaml

    neutron:
      server:
        lbaas:
          enabled: true
          providers:
            octavia:
              engine: octavia
              driver_path: 'neutron_lbaas.drivers.octavia.driver.OctaviaDriver'
              base_url: 'http://127.0.0.1:9876'
            avi_adc:
              engine: avinetworks
              driver_path: 'avi_lbaasv2.avi_driver.AviDriver'
              controller_address: 10.182.129.239
              controller_user: admin
              controller_password: Cloudlab2016
              controller_cloud_name: Default-Cloud
            avi_adc2:
              engine: avinetworks
              ...

Note: If the Contrail backend is set, the OpenContrail load balancer is enabled
automatically. In this case lbaas should be disabled in the pillar:

.. code-block:: yaml

    neutron:
      server:
        lbaas:
          enabled: false

Neutron FWaaSv1 enablement
--------------------------

.. code-block:: yaml

    neutron:
      fwaas:
        enabled: true
        version: ocata
        api_version: v1

Enable CORS parameters
----------------------

.. code-block:: yaml

    neutron:
      server:
        cors:
          allowed_origin: https:localhost.local,http:localhost.local
          expose_headers: X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token
          allow_methods: GET,PUT,POST,DELETE,PATCH
          allow_headers: X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token
          allow_credentials: True
          max_age: 86400

Neutron VXLAN tenant networks with Network nodes
------------------------------------------------

With DVR for East-West and Network node for North-South.

This use case describes a model utilising VxLAN overlay with DVR. The DVR
routers will only be utilized for traffic that is routed within the cloud
infrastructure and that remains encapsulated. External traffic will be
routed via the network nodes.

The intention is that each tenant will require at least two (2) vrouters
one to be utilised

Neutron Server

.. code-block:: yaml

    neutron:
      server:
        version: mitaka
        bind:
          address: 172.20.0.1
          port: 9696
        database:
          engine: mysql
          host: 127.0.0.1
          port: 3306
          name: neutron
          user: neutron
          password: pwd
        identity:
          engine: keystone
          host: 127.0.0.1
          port: 35357
          user: neutron
          password: pwd
          tenant: service
          endpoint_type: internal
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        global_physnet_mtu: 9000
        l3_ha: False # Which type of router will be created by default
        dvr: True # disabled for non DVR use case
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          external_mtu: 9000
          mechanism:
            ovs:
              driver: openvswitch

Network Node

.. code-block:: yaml

    neutron:
      gateway:
        enabled: True
        version: mitaka
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        local_ip: 192.168.20.20 # br-mesh ip address
        dvr: True # disabled for non DVR use case
        agent_mode: dvr_snat
        metadata:
          host: 127.0.0.1
          password: pass
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          mechanism:
            ovs:
              driver: openvswitch

Compute Node

.. code-block:: yaml

    neutron:
      compute:
        enabled: True
        version: mitaka
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        local_ip: 192.168.20.20 # br-mesh ip address
        dvr: True # disabled for non DVR use case
        agent_mode: dvr
        external_access: false # Compute node with DVR for east-west only, Network Node has True as default
        metadata:
          host: 127.0.0.1
          password: pass
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          mechanism:
            ovs:
              driver: openvswitch
        audit:
          enabled: false

Disable physnet1 bridge
-----------------------

External access is turned on by default, so in addition to any physnets
defined in your reclass model there is one more: physnet1, which is mapped
to br-floating.

If you need internal networks only, without this bridge, remove br-floating
and its configuration mappings. Disable the mappings for this bridge on
neutron-servers:

.. code-block:: yaml

    neutron:
      server:
        external_access: false

gateways:

.. code-block:: yaml

    neutron:
      gateway:
        external_access: false

compute nodes:

.. code-block:: yaml

    neutron:
      compute:
        external_access: false

Neutron VXLAN tenant networks with Network Nodes (non DVR)
----------------------------------------------------------

This section describes a network solution that utilises VxLAN overlay
networks without DVR, with all routers being managed on the network nodes.

Neutron Server

.. code-block:: yaml

    neutron:
      server:
        version: mitaka
        bind:
          address: 172.20.0.1
          port: 9696
        database:
          engine: mysql
          host: 127.0.0.1
          port: 3306
          name: neutron
          user: neutron
          password: pwd
        identity:
          engine: keystone
          host: 127.0.0.1
          port: 35357
          user: neutron
          password: pwd
          tenant: service
          endpoint_type: internal
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        global_physnet_mtu: 9000
        l3_ha: True
        dvr: False
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          external_mtu: 9000
          mechanism:
            ovs:
              driver: openvswitch

Network Node

.. code-block:: yaml

    neutron:
      gateway:
        enabled: True
        version: mitaka
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        local_ip: 192.168.20.20 # br-mesh ip address
        dvr: False
        agent_mode: legacy
        availability_zone: az1
        metadata:
          host: 127.0.0.1
          password: pass
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          mechanism:
            ovs:
              driver: openvswitch

Compute Node

.. code-block:: yaml

    neutron:
      compute:
        enabled: True
        version: mitaka
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        local_ip: 192.168.20.20 # br-mesh ip address
        external_access: False
        dvr: False
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          mechanism:
            ovs:
              driver: openvswitch

Neutron VXLAN tenant networks with Network Nodes with DVR
---------------------------------------------------------

With DVR for East-West and North-South, DVR everywhere, Network node for SNAT.

This section describes a network solution that utilises VxLAN
overlay networks with DVR for both North-South and East-West traffic.
The Network Node is used only for SNAT.

Neutron Server

.. code-block:: yaml

    neutron:
      server:
        version: mitaka
        bind:
          address: 172.20.0.1
          port: 9696
        database:
          engine: mysql
          host: 127.0.0.1
          port: 3306
          name: neutron
          user: neutron
          password: pwd
        identity:
          engine: keystone
          host: 127.0.0.1
          port: 35357
          user: neutron
          password: pwd
          tenant: service
          endpoint_type: internal
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        global_physnet_mtu: 9000
        l3_ha: False
        dvr: True
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          external_mtu: 9000
          mechanism:
            ovs:
              driver: openvswitch

Network Node

.. code-block:: yaml

    neutron:
      gateway:
        enabled: True
        version: mitaka
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        local_ip: 192.168.20.20 # br-mesh ip address
        dvr: True
        agent_mode: dvr_snat
        availability_zone: az1
        metadata:
          host: 127.0.0.1
          password: pass
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          mechanism:
            ovs:
              driver: openvswitch

Compute Node

.. code-block:: yaml

    neutron:
      compute:
        enabled: True
        version: mitaka
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        local_ip: 192.168.20.20 # br-mesh ip address
        dvr: True
        external_access: True
        agent_mode: dvr
        availability_zone: az1
        metadata:
          host: 127.0.0.1
          password: pass
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          mechanism:
            ovs:
              driver: openvswitch

Sample Linux network configuration for DVR

.. code-block:: yaml

    linux:
      network:
        bridge: openvswitch
        interface:
          eth1:
            enabled: true
            type: eth
            mtu: 9000
            proto: manual
          eth2:
            enabled: true
            type: eth
            mtu: 9000
            proto: manual
          eth3:
            enabled: true
            type: eth
            mtu: 9000
            proto: manual
          br-int:
            enabled: true
            mtu: 9000
            type: ovs_bridge
          br-floating:
            enabled: true
            mtu: 9000
            type: ovs_bridge
          float-to-ex:
            enabled: true
            type: ovs_port
            mtu: 65000
            bridge: br-floating
          br-mgmt:
            enabled: true
            type: bridge
            mtu: 9000
            address: ${_param:single_address}
            netmask: 255.255.255.0
            use_interfaces:
            - eth1
          br-mesh:
            enabled: true
            type: bridge
            mtu: 9000
            address: ${_param:tenant_address}
            netmask: 255.255.255.0
            use_interfaces:
            - eth2
          br-ex:
            enabled: true
            type: bridge
            mtu: 9000
            address: ${_param:external_address}
            netmask: 255.255.255.0
            use_interfaces:
            - eth3
            use_ovs_ports:
            - float-to-ex

Additional VXLAN tenant network settings
----------------------------------------

The default multicast group of 224.0.0.1 only multicasts to a single subnet.
Override it to support larger underlay network topologies.

Neutron Server

.. code-block:: yaml

    neutron:
      server:
        vxlan:
          group: 239.0.0.0/8
          vni_ranges: "2:65535"

Neutron VLAN tenant networks with Network Nodes
-----------------------------------------------

VLAN tenant provider

Neutron Server only

.. code-block:: yaml

    neutron:
      server:
        version: mitaka
        ...
        global_physnet_mtu: 9000
        l3_ha: False
        dvr: True
        backend:
          engine: ml2
          tenant_network_types: "flat,vlan" # Can be mixed flat,vlan,vxlan
          tenant_vlan_range: "1000:2000"
          external_vlan_range: "100:200" # Does not have to be defined.
          external_mtu: 9000
          mechanism:
            ovs:
              driver: openvswitch

Compute node

.. code-block:: yaml

    neutron:
      compute:
        version: mitaka
        ...
        dvr: True
        agent_mode: dvr
        external_access: False
        backend:
          engine: ml2
          tenant_network_types: "flat,vlan" # Can be mixed flat,vlan,vxlan
          mechanism:
            ovs:
              driver: openvswitch

Advanced Neutron Features (DPDK, SR-IOV)
----------------------------------------

Neutron OVS DPDK

Enable datapath netdev for neutron openvswitch agent

.. code-block:: yaml

    neutron:
      server:
        version: mitaka
        ...
        dpdk: True
        ...

    neutron:
      compute:
        version: mitaka
        dpdk: True
        backend:
          engine: ml2
          ...
          mechanism:
            ovs:
              driver: openvswitch

Neutron OVS SR-IOV

.. code-block:: yaml

    neutron:
      server:
        version: mitaka
        backend:
          engine: ml2
          ...
          mechanism:
            ovs:
              driver: openvswitch
            sriov:
              driver: sriovnicswitch

    neutron:
      compute:
        version: mitaka
        ...
        backend:
          engine: ml2
          tenant_network_types: "flat,vlan" # Can be mixed flat,vlan,vxlan
          sriov:
            nic_one:
              devname: eth1
              physical_network: physnet3
          mechanism:
            ovs:
              driver: openvswitch

Neutron with VLAN-aware-VMs
---------------------------

.. code-block:: yaml

    neutron:
      server:
        vlan_aware_vms: true
      ....
      compute:
        vlan_aware_vms: true
      ....
      gateway:
        vlan_aware_vms: true

Neutron with OVN
----------------

Control node:

.. code-block:: yaml

    neutron:
      server:
        backend:
          engine: ovn
          mechanism:
            ovn:
              driver: ovn
          tenant_network_types: "geneve,flat"

Compute node:

.. code-block:: yaml

    neutron:
      compute:
        local_ip: 10.2.0.105
        controller_vip: 10.1.0.101
        external_access: false
        backend:
          engine: ovn

Neutron Server
--------------

Neutron Server with OpenContrail

.. code-block:: yaml

    neutron:
      server:
        backend:
          engine: contrail
          host: contrail_discovery_host
          port: 8082
          user: admin
          password: password
          tenant: admin
          token: token

Neutron Server with Midonet

.. code-block:: yaml

    neutron:
      server:
        backend:
          engine: midonet
          host: midonet_api_host
          port: 8181
          user: admin
          password: password

Neutron Keystone region

.. code-block:: yaml

    neutron:
      server:
        enabled: true
        version: kilo
        ...
        identity:
          region: RegionTwo
        ...
        compute:
          region: RegionTwo
        ...

Client-side RabbitMQ HA setup

.. code-block:: yaml

    neutron:
      server:
        ....
        message_queue:
          engine: rabbitmq
          members:
            - host: 10.0.16.1
            - host: 10.0.16.2
            - host: 10.0.16.3
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        ....

Client-side RabbitMQ TLS configuration:

|

To enable TLS for oslo.messaging you need to provide the CA certificate.

By default the system-wide CA certificates are used, and nothing needs to be specified except `ssl.enabled`.

.. code-block:: yaml

    neutron:
      server, gateway, compute:
        ....
        message_queue:
          ssl:
            enabled: True

Use the `cacert_file` option to specify the CA certificate file path explicitly:

.. code-block:: yaml

    neutron:
      server, gateway, compute:
        ....
        message_queue:
          ssl:
            enabled: True
            cacert_file: /etc/ssl/rabbitmq-ca.pem

To manage the content of the `cacert_file`, use the `cacert` option:

.. code-block:: yaml

    neutron:
      server, gateway, compute:
        ....
        message_queue:
          ssl:
            enabled: True
            cacert: |

              -----BEGIN CERTIFICATE-----
              ...
              -----END CERTIFICATE-----

            cacert_file: /etc/openstack/rabbitmq-ca.pem

Notice:
 * The `message_queue.port` is set to **5671** (AMQPS) by default if `ssl.enabled=True`.
 * Use `message_queue.ssl.version` if you need to specify the protocol version. The default is TLSv1 for Python < 2.7.9 and TLSv1_2 for later versions.

Enable auditing filter, i.e. CADF

.. code-block:: yaml

    neutron:
      server:
        audit:
          enabled: true
          ....
          filter_factory: 'keystonemiddleware.audit:filter_factory'
          map_file: '/etc/pycadf/neutron_api_audit_map.conf'
      ....
      compute:
        audit:
          enabled: true
          ....
          filter_factory: 'keystonemiddleware.audit:filter_factory'
          map_file: '/etc/pycadf/neutron_api_audit_map.conf'
      ....

Neutron with security groups disabled

.. code-block:: yaml

    neutron:
      server:
        security_groups_enabled: False
      ....
      compute:
        security_groups_enabled: False
      ....
      gateway:
        security_groups_enabled: False

Neutron Client
--------------

Neutron networks

.. code-block:: yaml

    neutron:
      client:
        enabled: true
        server:
          identity:
            endpoint_type: internalURL
            network:
              inet1:
                tenant: demo
                shared: False
                admin_state_up: True
                router_external: True
                provider_physical_network: inet
                provider_network_type: flat
                provider_segmentation_id: 2
                subnet:
                  inet1-subnet1:
                    cidr: 192.168.90.0/24
                    enable_dhcp: False
              inet2:
                tenant: admin
                shared: False
                router_external: True
                provider_network_type: "vlan"
                subnet:
                  inet2-subnet1:
                    cidr: 192.168.92.0/24
                    enable_dhcp: False
                  inet2-subnet2:
                    cidr: 192.168.94.0/24
                    enable_dhcp: True
          identity1:
            network:
              ...

Neutron routers

.. code-block:: yaml

    neutron:
      client:
        enabled: true
        server:
          identity:
            endpoint_type: internalURL
            router:
              inet1-router:
                tenant: demo
                admin_state_up: True
                gateway_network: inet
                interfaces:
                  - inet1-subnet1
                  - inet1-subnet2
          identity1:
            router:
              ...

    TODO: implement adding new interfaces to a router while updating it

Neutron security groups

.. code-block:: yaml

    neutron:
      client:
        enabled: true
        server:
          identity:
            endpoint_type: internalURL
            security_group:
              security_group1:
                tenant: demo
                description: security group 1
                rules:
                  - direction: ingress
                    ethertype: IPv4
                    protocol: TCP
                    port_range_min: 1
                    port_range_max: 65535
                    remote_ip_prefix: 0.0.0.0/0
                  - direction: ingress
                    ethertype: IPv4
                    protocol: UDP
                    port_range_min: 1
                    port_range_max: 65535
                    remote_ip_prefix: 0.0.0.0/0
                  - direction: ingress
                    protocol: ICMP
                    remote_ip_prefix: 0.0.0.0/0
          identity1:
            security_group:
              ...

    TODO: implement updating existing security rules (currently a new rule is added when trying to update an existing one)

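The pillar keys documented above (``message_queue.ssl``, ``audit``, ``security_groups_enabled`` and the client ``security_group`` rules) can be checked before a pillar is applied. The following is an added example, not part of the formula: the function names, the ``MAX_OPEN_PORTS`` threshold and the treatment of an explicit port 5672 under TLS are assumptions, and the sample pillar is constructed from the README's values.

```python
"""Added example: audit an already-parsed neutron pillar for weak settings."""

ROLES = ("server", "gateway", "compute")
ANY_V4 = "0.0.0.0/0"
MAX_OPEN_PORTS = 100  # hypothetical threshold for "too wide" when open to any source


def audit_roles(pillar):
    """Flag disabled security groups, plaintext AMQP and disabled CADF auditing."""
    findings = []
    neutron = pillar.get("neutron", {})
    for role in ROLES:
        cfg = neutron.get(role)
        if not cfg:
            continue
        if cfg.get("security_groups_enabled") is False:
            findings.append((role, "security groups disabled"))
        mq = cfg.get("message_queue")
        if mq is not None:
            if not mq.get("ssl", {}).get("enabled", False):
                findings.append((role, "message_queue without TLS"))
            elif mq.get("port") == 5672:
                # With ssl.enabled the README says the port defaults to 5671 (AMQPS);
                # an explicit 5672 is treated here as a likely leftover (heuristic).
                findings.append((role, "TLS enabled but port pinned to 5672"))
        audit = cfg.get("audit")
        if audit is not None and not audit.get("enabled", False):
            findings.append((role, "CADF audit filter disabled"))
    return findings


def audit_security_groups(pillar, max_ports=MAX_OPEN_PORTS):
    """Flag ingress TCP/UDP rules exposing a wide port range to any IPv4 source."""
    findings = []
    identities = pillar.get("neutron", {}).get("client", {}).get("server", {})
    for identity, resources in identities.items():
        groups = (resources or {}).get("security_group") or {}
        for name, group in groups.items():
            for rule in group.get("rules", []):
                proto = str(rule.get("protocol", "")).upper()
                if (rule.get("direction") != "ingress"
                        or rule.get("remote_ip_prefix") != ANY_V4
                        or proto not in ("TCP", "UDP")):
                    continue
                # A rule without a port range applies to every port.
                lo = rule.get("port_range_min", 1)
                hi = rule.get("port_range_max", 65535)
                if hi - lo + 1 > max_ports:
                    findings.append((f"{identity}/{name}",
                                     f"{proto} {lo}-{hi} open to {ANY_V4}"))
    return findings


# Constructed sample input, modelled on the pillar snippets in this README.
SAMPLE_PILLAR = {
    "neutron": {
        "server": {
            "message_queue": {"engine": "rabbitmq", "host": "127.0.0.1", "port": 5672},
            "audit": {"enabled": False},
        },
        "compute": {
            "security_groups_enabled": False,
            "message_queue": {"engine": "rabbitmq", "ssl": {"enabled": True}},
        },
        "client": {"server": {"identity": {
            "endpoint_type": "internalURL",
            "security_group": {"security_group1": {
                "tenant": "demo",
                "rules": [
                    {"direction": "ingress", "ethertype": "IPv4", "protocol": "TCP",
                     "port_range_min": 1, "port_range_max": 65535,
                     "remote_ip_prefix": "0.0.0.0/0"},
                    {"direction": "ingress", "protocol": "ICMP",
                     "remote_ip_prefix": "0.0.0.0/0"},
                    {"direction": "ingress", "protocol": "TCP",
                     "port_range_min": 22, "port_range_max": 22,
                     "remote_ip_prefix": "10.0.0.0/8"},
                ],
            }},
        }}},
    }
}

if __name__ == "__main__":
    for where, what in audit_roles(SAMPLE_PILLAR) + audit_security_groups(SAMPLE_PILLAR):
        print(f"{where}: {what}")
```
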

Floating IP addresses

.. code-block:: yaml

    neutron:
      client:
        enabled: true
        server:
          identity:
            endpoint_type: internalURL
            floating_ip:
              prx01-instance:
                server: prx01.mk22-lab-basic.local
                subnet: private-subnet1
                network: public-net1
                tenant: demo
              gtw01-instance:
                ...

.. note:: The network must have flag router:external set to True.
          Instance port in the stated subnet will be associated with the dynamically generated floating IP.

Enable Neutron extensions (QoS, DNS, etc.)
------------------------------------------

.. code-block:: yaml

    neutron:
      server:
        backend:
          extension:
            dns:
              enabled: True
              host: 127.0.0.1
              port: 9001
              protocol: http
            ....
            qos:
              enabled: True

Neutron with Designate
----------------------

.. code-block:: yaml

    neutron:
      server:
        backend:
          extension:
            dns:
              enabled: True
              host: 127.0.0.1
              port: 9001
              protocol: http

Documentation and Bugs
======================

To learn how to install and update salt-formulas, consult the documentation
available online at:

    http://salt-formulas.readthedocs.io/

In the unfortunate event that bugs are discovered, they should be reported to
the appropriate issue tracker. Use the GitHub issue tracker for the specific
salt formula:

    https://github.com/salt-formulas/salt-formula-neutron/issues

For feature requests, bug reports or blueprints affecting the entire ecosystem,
use the Launchpad salt-formulas project:

    https://launchpad.net/salt-formulas

You can also join the salt-formulas-users team and subscribe to the mailing list:

    https://launchpad.net/~salt-formulas-users

Developers wishing to work on the salt-formulas projects should always base
their work on the master branch and submit pull requests against the specific
formula.

    https://github.com/salt-formulas/salt-formula-neutron

Questions and feedback are always welcome, so feel free to join our IRC
channel:

    #salt-formulas @ irc.freenode.net