Blame - README.rst - salt-formulas/neutron

blob: 86afc25cae23ac7441fa81a90f0cc49a808494cb [file] [log] [blame]

OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1	=====
				2	Usage
				3	=====
Filip Pytloun	cd028e4	2015-10-06 16:28:32 +0200	[diff] [blame]	4
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	5	Neutron is an OpenStack project to provide networking as a service between
Jakub Pavlik	9ecf026	2016-05-20 11:20:58 +0200	[diff] [blame]	6	interface devices (e.g., vNICs) managed by other Openstack services (e.g.,
				7	nova).
Filip Pytloun	cd028e4	2015-10-06 16:28:32 +0200	[diff] [blame]	8
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	9	Starting with the Folsom release, Neutron is a core and supported part of the
				10	OpenStack platform (for Essex, we were an incubated project, which means use
Vasyl Saienko	2fffc84	2017-06-14 10:35:26 +0300	[diff] [blame]	11	is suggested only for those who really know what they're doing with Neutron).
Filip Pytloun	cd028e4	2015-10-06 16:28:32 +0200	[diff] [blame]	12
Aleš Komárek	41e8231	2017-04-11 13:37:44 +0200	[diff] [blame]	13	Sample Pillars
Filip Pytloun	cd028e4	2015-10-06 16:28:32 +0200	[diff] [blame]	14	==============
				15
				16	Neutron Server on the controller node
				17
				18	.. code-block:: yaml
				19
				20	neutron:
				21	server:
				22	enabled: true
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	23	version: mitaka
Swann Croiset	9407daf	2017-02-02 15:27:56 +0100	[diff] [blame]	24	allow_pagination: true
				25	pagination_max_limit: 100
Mykyta Karpin	253406d	2017-12-08 17:01:37 +0200	[diff] [blame]	26	api_workers: 2
				27	rpc_workers: 2
				28	rpc_state_report_workers: 2
Michael Polenchuk	1ff8865	2018-03-06 16:15:57 +0400	[diff] [blame]	29	root_helper_daemon: false
Michael Polenchuk	2151b27	2018-06-19 18:32:31 +0400	[diff] [blame]	30	dhcp_lease_duration: 600
Michael Polenchuk	cece76d	2018-06-21 14:56:17 +0400	[diff] [blame]	31	firewall_driver: iptables_hybrid
Oleg Bondarev	bc2dfee	2018-10-17 18:41:51 +0400	[diff] [blame]	32	agent_boot_time: 180
Filip Pytloun	cd028e4	2015-10-06 16:28:32 +0200	[diff] [blame]	33	bind:
				34	address: 172.20.0.1
				35	port: 9696
Filip Pytloun	cd028e4	2015-10-06 16:28:32 +0200	[diff] [blame]	36	database:
				37	engine: mysql
				38	host: 127.0.0.1
				39	port: 3306
				40	name: neutron
				41	user: neutron
				42	password: pwd
				43	identity:
				44	engine: keystone
				45	host: 127.0.0.1
				46	port: 35357
				47	user: neutron
				48	password: pwd
				49	tenant: service
Dennis Dmitriev	3711472	2017-03-06 16:52:26 +0200	[diff] [blame]	50	endpoint_type: internal
Filip Pytloun	cd028e4	2015-10-06 16:28:32 +0200	[diff] [blame]	51	message_queue:
				52	engine: rabbitmq
				53	host: 127.0.0.1
				54	port: 5672
				55	user: openstack
				56	password: pwd
				57	virtual_host: '/openstack'
				58	metadata:
				59	host: 127.0.0.1
				60	port: 8775
Dzmitry Stremkouski	ea47018	2018-10-24 15:33:35 +0200	[diff] [blame]	61	insecure: true
				62	proto: https
Filip Pytloun	cd028e4	2015-10-06 16:28:32 +0200	[diff] [blame]	63	password: pass
Mykyta Karpin	253406d	2017-12-08 17:01:37 +0200	[diff] [blame]	64	workers: 2
Petr Michalec	61f7ab2	2016-11-29 16:29:09 +0100	[diff] [blame]	65	audit:
				66	enabled: false
Filip Pytloun	cd028e4	2015-10-06 16:28:32 +0200	[diff] [blame]	67
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	68	.. note:: The pagination is useful to retrieve a large bunch of resources,
				69	because a single request may fail (timeout). This is enabled with both
				70	parameters allow_pagination and pagination_max_limit as shown above.
Swann Croiset	9407daf	2017-02-02 15:27:56 +0100	[diff] [blame]	71
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	72	Configuration of policy.json file:
Dmitry Ukov	596ddcf	2017-05-04 18:16:16 +0400	[diff] [blame]	73
				74	.. code-block:: yaml
				75
				76	neutron:
				77	server:
				78	....
				79	policy:
				80	create_subnet: 'rule:admin_or_network_owner'
				81	'get_network:queue_id': 'rule:admin_only'
				82	# Add key without value to remove line from policy.json
				83	'create_network:shared':
				84
Elena Ezhova	cd67cfe	2017-06-16 23:35:07 +0400	[diff] [blame]	85	Neutron LBaaSv2 enablement
				86	--------------------------
Ondrej Smola	314eee2	2017-03-08 21:21:16 +0100	[diff] [blame]	87
				88	.. code-block:: yaml
				89
				90	neutron:
				91	server:
				92	lbaas:
				93	enabled: true
				94	providers:
Elena Ezhova	cd67cfe	2017-06-16 23:35:07 +0400	[diff] [blame]	95	octavia:
				96	engine: octavia
				97	driver_path: 'neutron_lbaas.drivers.octavia.driver.OctaviaDriver'
				98	base_url: 'http://127.0.0.1:9876'
Ondrej Smola	314eee2	2017-03-08 21:21:16 +0100	[diff] [blame]	99	avi_adc:
Ondrej Smola	314eee2	2017-03-08 21:21:16 +0100	[diff] [blame]	100	engine: avinetworks
Elena Ezhova	cd67cfe	2017-06-16 23:35:07 +0400	[diff] [blame]	101	driver_path: 'avi_lbaasv2.avi_driver.AviDriver'
Ondrej Smola	314eee2	2017-03-08 21:21:16 +0100	[diff] [blame]	102	controller_address: 10.182.129.239
				103	controller_user: admin
				104	controller_password: Cloudlab2016
				105	controller_cloud_name: Default-Cloud
				106	avi_adc2:
				107	engine: avinetworks
				108	...
				109
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	110	.. note:: If the Contrail backend is set, Opencontrail loadbalancer
				111	would be enabled automatically. In this case lbaas should disabled
				112	in pillar:
Ondrej Smola	314eee2	2017-03-08 21:21:16 +0100	[diff] [blame]	113
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	114	.. code-block:: yaml
Ondrej Smola	314eee2	2017-03-08 21:21:16 +0100	[diff] [blame]	115
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	116	neutron:
				117	server:
				118	lbaas:
				119	enabled: false
Elena Ezhova	166d401	2017-08-17 12:53:52 +0400	[diff] [blame]	120
				121	Neutron FWaaSv1 enablement
				122	--------------------------
				123
				124	.. code-block:: yaml
				125
				126	neutron:
				127	fwaas:
				128	enabled: true
				129	version: ocata
				130	api_version: v1
				131
				132
Ondrej Smola	12ff819	2017-04-28 12:39:11 +0200	[diff] [blame]	133	Enable CORS parameters
Elena Ezhova	166d401	2017-08-17 12:53:52 +0400	[diff] [blame]	134	----------------------
Ondrej Smola	12ff819	2017-04-28 12:39:11 +0200	[diff] [blame]	135
				136	.. code-block:: yaml
				137
				138	neutron:
				139	server:
				140	cors:
				141	allowed_origin: https:localhost.local,http:localhost.local
				142	expose_headers: X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token
				143	allow_methods: GET,PUT,POST,DELETE,PATCH
				144	allow_headers: X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token
				145	allow_credentials: True
				146	max_age: 86400
				147
Aleš Komárek	41e8231	2017-04-11 13:37:44 +0200	[diff] [blame]	148	Neutron VXLAN tenant networks with Network nodes
				149	------------------------------------------------
Swann Croiset	9407daf	2017-02-02 15:27:56 +0100	[diff] [blame]	150
Aleš Komárek	41e8231	2017-04-11 13:37:44 +0200	[diff] [blame]	151	With DVR for East-West and Network node for North-South.
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	152
				153	This use case describes a model utilising VxLAN overlay with DVR. The DVR
Aleš Komárek	41e8231	2017-04-11 13:37:44 +0200	[diff] [blame]	154	routers will only be utilized for traffic that is router within the cloud
Vasyl Saienko	2fffc84	2017-06-14 10:35:26 +0300	[diff] [blame]	155	infrastructure and that remains encapsulated. External traffic will be
				156	routed to via the network nodes.
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	157
Vasyl Saienko	2fffc84	2017-06-14 10:35:26 +0300	[diff] [blame]	158	The intention is that each tenant will require at least two (2) vrouters
				159	one to be utilised
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	160
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	161	Neutron Server:
marco	a4428a3	2016-06-10 11:50:16 +0200	[diff] [blame]	162
				163	.. code-block:: yaml
				164
				165	neutron:
				166	server:
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	167	version: mitaka
Dmitry Stremkouski	3c1be3e	2017-11-18 11:04:20 +0300	[diff] [blame]	168	path_mtu: 1500
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	169	bind:
				170	address: 172.20.0.1
				171	port: 9696
				172	database:
				173	engine: mysql
				174	host: 127.0.0.1
				175	port: 3306
				176	name: neutron
				177	user: neutron
				178	password: pwd
				179	identity:
				180	engine: keystone
				181	host: 127.0.0.1
				182	port: 35357
				183	user: neutron
				184	password: pwd
				185	tenant: service
Dennis Dmitriev	3711472	2017-03-06 16:52:26 +0200	[diff] [blame]	186	endpoint_type: internal
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	187	message_queue:
				188	engine: rabbitmq
				189	host: 127.0.0.1
				190	port: 5672
				191	user: openstack
				192	password: pwd
				193	virtual_host: '/openstack'
				194	global_physnet_mtu: 9000
				195	l3_ha: False # Which type of router will be created by default
				196	dvr: True # disabled for non DVR use case
				197	backend:
				198	engine: ml2
				199	tenant_network_types: "flat,vxlan"
				200	external_mtu: 9000
				201	mechanism:
Elena Ezhova	d6a080c	2017-10-09 15:25:16 +0400	[diff] [blame]	202	ovs:
				203	driver: openvswitch
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	204
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	205	Network Node:
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	206
				207	.. code-block:: yaml
				208
				209	neutron:
				210	gateway:
				211	enabled: True
				212	version: mitaka
Michael Polenchuk	2151b27	2018-06-19 18:32:31 +0400	[diff] [blame]	213	dhcp_lease_duration: 600
Michael Polenchuk	cece76d	2018-06-21 14:56:17 +0400	[diff] [blame]	214	firewall_driver: iptables_hybrid
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	215	message_queue:
				216	engine: rabbitmq
				217	host: 127.0.0.1
				218	port: 5672
				219	user: openstack
				220	password: pwd
				221	virtual_host: '/openstack'
				222	local_ip: 192.168.20.20 # br-mesh ip address
				223	dvr: True # disabled for non DVR use case
				224	agent_mode: dvr_snat
				225	metadata:
				226	host: 127.0.0.1
				227	password: pass
				228	backend:
				229	engine: ml2
				230	tenant_network_types: "flat,vxlan"
				231	mechanism:
Elena Ezhova	d6a080c	2017-10-09 15:25:16 +0400	[diff] [blame]	232	ovs:
				233	driver: openvswitch
Vasyl Saienko	4bd2d92	2018-07-27 09:56:38 +0000	[diff] [blame]	234	agents:
				235	dhcp:
				236	ovs_use_veth: False
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	237
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	238	Compute Node:
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	239
				240	.. code-block:: yaml
				241
				242	neutron:
				243	compute:
				244	enabled: True
				245	version: mitaka
				246	message_queue:
				247	engine: rabbitmq
				248	host: 127.0.0.1
				249	port: 5672
				250	user: openstack
				251	password: pwd
				252	virtual_host: '/openstack'
				253	local_ip: 192.168.20.20 # br-mesh ip address
				254	dvr: True # disabled for non DVR use case
				255	agent_mode: dvr
				256	external_access: false # Compute node with DVR for east-west only, Network Node has True as default
				257	metadata:
				258	host: 127.0.0.1
Vasyl Saienko	2fffc84	2017-06-14 10:35:26 +0300	[diff] [blame]	259	password: pass
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	260	backend:
				261	engine: ml2
				262	tenant_network_types: "flat,vxlan"
				263	mechanism:
Elena Ezhova	d6a080c	2017-10-09 15:25:16 +0400	[diff] [blame]	264	ovs:
				265	driver: openvswitch
Petr Michalec	61f7ab2	2016-11-29 16:29:09 +0100	[diff] [blame]	266	audit:
				267	enabled: false
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	268
Aleš Komárek	41e8231	2017-04-11 13:37:44 +0200	[diff] [blame]	269
Dzmitry Stremkouski	d5e89e5	2018-09-25 10:01:54 +0200	[diff] [blame]	270	Setting mac base address
				271	------------------------
				272
				273	By default neutron uses fa:16:3f:00:00:00 basement for mac generator.
				274	One can set it's own mac base both for dvr and nondvr cases.
				275
				276	NOTE: dvr_base_mac and base_mac SHOULD differ.
				277
				278	.. code-block:: yaml
				279
				280	neutron:
				281	server:
				282	base_mac: fa:16:3f:00:00:00
				283	dvr_base_mac: fa:16:3f:a0:00:00
				284
				285	gateways:
				286
				287	.. code-block:: yaml
				288
				289	neutron:
				290	gateway:
				291	base_mac: fa:16:3f:00:00:00
				292	dvr_base_mac: fa:16:3f:a0:00:00
				293
				294	compute nodes:
				295
				296	.. code-block:: yaml
				297
				298	neutron:
				299	compute:
				300	base_mac: fa:16:3f:00:00:00
				301	dvr_base_mac: fa:16:3f:a0:00:00
				302
				303
Dmitry Stremkouski	a3a4ab4	2017-10-23 17:37:12 +0300	[diff] [blame]	304	Disable physnet1 bridge
				305	-----------------------
				306
				307	By default we have external access turned on, so among any physnets in
				308	your reclass there would be additional one: physnet1, which is mapped to
				309	br-floating
				310
				311	If you need internal nets only without this bridge, remove br-floating
				312	and configurations mappings. Disable mappings for this bridge on
				313	neutron-servers:
				314
				315	.. code-block:: yaml
				316
				317	neutron:
				318	server:
				319	external_access: false
				320
				321	gateways:
				322
				323	.. code-block:: yaml
				324
				325	neutron:
				326	gateway:
				327	external_access: false
				328
				329	compute nodes:
				330
				331	.. code-block:: yaml
				332
				333	neutron:
				334	compute:
				335	external_access: false
				336
				337
Marcin Iwinski	c50137a	2018-01-22 14:18:24 +0100	[diff] [blame]	338	Add additional bridge mappings for OVS bridges
				339	----------------------------------------------
				340
				341	By default we have external access turned on, so among any physnets in
				342	your reclass there would be additional one: physnet1, which is mapped to
				343	br-floating
				344
				345	If you need to add extra non-default bridge mappings they can be defined
				346	separately for both gateways and compute nodes:
				347
				348	gateways:
				349
				350	.. code-block:: yaml
				351
				352	neutron:
				353	gateway:
				354	bridge_mappings:
				355	physnet4: br-floating-internet
				356
				357	compute nodes:
				358
				359	.. code-block:: yaml
				360
				361	neutron:
				362	compute:
				363	bridge_mappings:
				364	physnet4: br-floating-internet
				365
				366
Dmitry Stremkouski	4b41022	2017-11-18 11:29:55 +0300	[diff] [blame]	367	Specify different mtu values for different physnets
				368	---------------------------------------------------
				369
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	370	Neutron Server:
Dmitry Stremkouski	4b41022	2017-11-18 11:29:55 +0300	[diff] [blame]	371
				372	.. code-block:: yaml
				373
				374	neutron:
				375	server:
				376	version: mitaka
				377	backend:
				378	external_mtu: 1500
				379	tenant_net_mtu: 9000
				380	ironic_net_mtu: 9000
				381
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	382	Neutron VXLAN tenant networks with Network Nodes (non DVR)
Aleš Komárek	41e8231	2017-04-11 13:37:44 +0200	[diff] [blame]	383	----------------------------------------------------------
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	384
				385	This section describes a network solution that utilises VxLAN overlay
				386	networks without DVR with all routers being managed on the network nodes.
				387
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	388	Neutron Server:
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	389
				390	.. code-block:: yaml
				391
				392	neutron:
				393	server:
				394	version: mitaka
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	395	bind:
				396	address: 172.20.0.1
				397	port: 9696
				398	database:
				399	engine: mysql
				400	host: 127.0.0.1
				401	port: 3306
				402	name: neutron
				403	user: neutron
				404	password: pwd
				405	identity:
				406	engine: keystone
				407	host: 127.0.0.1
				408	port: 35357
				409	user: neutron
				410	password: pwd
				411	tenant: service
Dennis Dmitriev	3711472	2017-03-06 16:52:26 +0200	[diff] [blame]	412	endpoint_type: internal
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	413	message_queue:
				414	engine: rabbitmq
				415	host: 127.0.0.1
				416	port: 5672
				417	user: openstack
				418	password: pwd
				419	virtual_host: '/openstack'
				420	global_physnet_mtu: 9000
				421	l3_ha: True
				422	dvr: False
				423	backend:
				424	engine: ml2
				425	tenant_network_types= "flat,vxlan"
				426	external_mtu: 9000
				427	mechanism:
Elena Ezhova	d6a080c	2017-10-09 15:25:16 +0400	[diff] [blame]	428	ovs:
				429	driver: openvswitch
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	430
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	431	Network Node:
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	432
				433	.. code-block:: yaml
				434
				435	neutron:
				436	gateway:
				437	enabled: True
				438	version: mitaka
				439	message_queue:
				440	engine: rabbitmq
				441	host: 127.0.0.1
				442	port: 5672
				443	user: openstack
				444	password: pwd
				445	virtual_host: '/openstack'
				446	local_ip: 192.168.20.20 # br-mesh ip address
				447	dvr: False
				448	agent_mode: legacy
Simon Pasquier	c03af11	2017-04-10 10:35:14 +0200	[diff] [blame]	449	availability_zone: az1
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	450	metadata:
				451	host: 127.0.0.1
				452	password: pass
				453	backend:
				454	engine: ml2
				455	tenant_network_types: "flat,vxlan"
				456	mechanism:
Elena Ezhova	d6a080c	2017-10-09 15:25:16 +0400	[diff] [blame]	457	ovs:
				458	driver: openvswitch
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	459
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	460	Compute Node:
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	461
				462	.. code-block:: yaml
				463
				464	neutron:
				465	compute:
				466	enabled: True
				467	version: mitaka
				468	message_queue:
				469	engine: rabbitmq
				470	host: 127.0.0.1
				471	port: 5672
				472	user: openstack
				473	password: pwd
				474	virtual_host: '/openstack'
				475	local_ip: 192.168.20.20 # br-mesh ip address
				476	external_access: False
Vasyl Saienko	2fffc84	2017-06-14 10:35:26 +0300	[diff] [blame]	477	dvr: False
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	478	backend:
				479	engine: ml2
				480	tenant_network_types: "flat,vxlan"
				481	mechanism:
Elena Ezhova	d6a080c	2017-10-09 15:25:16 +0400	[diff] [blame]	482	ovs:
				483	driver: openvswitch
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	484
Aleš Komárek	41e8231	2017-04-11 13:37:44 +0200	[diff] [blame]	485	Neutron VXLAN tenant networks with Network Nodes with DVR
				486	---------------------------------------------------------
				487
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	488	With DVR for East-West and North-South, DVR everywhere, Network
				489	node for SNAT.
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	490
Vasyl Saienko	2fffc84	2017-06-14 10:35:26 +0300	[diff] [blame]	491	This section describes a network solution that utilises VxLAN
				492	overlay networks with DVR with North-South and East-West. Network
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	493	Node is used only for SNAT.
				494
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	495	Neutron Server:
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	496
				497	.. code-block:: yaml
				498
				499	neutron:
				500	server:
				501	version: mitaka
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	502	bind:
				503	address: 172.20.0.1
				504	port: 9696
				505	database:
				506	engine: mysql
				507	host: 127.0.0.1
				508	port: 3306
				509	name: neutron
				510	user: neutron
				511	password: pwd
				512	identity:
				513	engine: keystone
				514	host: 127.0.0.1
				515	port: 35357
				516	user: neutron
				517	password: pwd
				518	tenant: service
Dennis Dmitriev	3711472	2017-03-06 16:52:26 +0200	[diff] [blame]	519	endpoint_type: internal
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	520	message_queue:
				521	engine: rabbitmq
				522	host: 127.0.0.1
				523	port: 5672
				524	user: openstack
				525	password: pwd
				526	virtual_host: '/openstack'
				527	global_physnet_mtu: 9000
				528	l3_ha: False
				529	dvr: True
				530	backend:
				531	engine: ml2
				532	tenant_network_types= "flat,vxlan"
				533	external_mtu: 9000
				534	mechanism:
Elena Ezhova	d6a080c	2017-10-09 15:25:16 +0400	[diff] [blame]	535	ovs:
				536	driver: openvswitch
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	537
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	538	Network Node:
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	539
				540	.. code-block:: yaml
				541
				542	neutron:
				543	gateway:
				544	enabled: True
				545	version: mitaka
				546	message_queue:
				547	engine: rabbitmq
				548	host: 127.0.0.1
				549	port: 5672
				550	user: openstack
				551	password: pwd
				552	virtual_host: '/openstack'
				553	local_ip: 192.168.20.20 # br-mesh ip address
				554	dvr: True
				555	agent_mode: dvr_snat
Simon Pasquier	c03af11	2017-04-10 10:35:14 +0200	[diff] [blame]	556	availability_zone: az1
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	557	metadata:
				558	host: 127.0.0.1
				559	password: pass
				560	backend:
				561	engine: ml2
				562	tenant_network_types: "flat,vxlan"
				563	mechanism:
Elena Ezhova	d6a080c	2017-10-09 15:25:16 +0400	[diff] [blame]	564	ovs:
				565	driver: openvswitch
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	566
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	567	Compute Node:
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	568
				569	.. code-block:: yaml
				570
				571	neutron:
				572	compute:
				573	enabled: True
				574	version: mitaka
				575	message_queue:
				576	engine: rabbitmq
				577	host: 127.0.0.1
				578	port: 5672
				579	user: openstack
				580	password: pwd
				581	virtual_host: '/openstack'
				582	local_ip: 192.168.20.20 # br-mesh ip address
				583	dvr: True
Vasyl Saienko	2fffc84	2017-06-14 10:35:26 +0300	[diff] [blame]	584	external_access: True
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	585	agent_mode: dvr
Simon Pasquier	c03af11	2017-04-10 10:35:14 +0200	[diff] [blame]	586	availability_zone: az1
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	587	metadata:
				588	host: 127.0.0.1
				589	password: pass
				590	backend:
				591	engine: ml2
				592	tenant_network_types: "flat,vxlan"
				593	mechanism:
Elena Ezhova	d6a080c	2017-10-09 15:25:16 +0400	[diff] [blame]	594	ovs:
				595	driver: openvswitch
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	596
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	597	Sample Linux network configuration for DVR:
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	598
				599	.. code-block:: yaml
				600
				601	linux:
				602	network:
				603	bridge: openvswitch
				604	interface:
				605	eth1:
				606	enabled: true
				607	type: eth
				608	mtu: 9000
				609	proto: manual
				610	eth2:
				611	enabled: true
				612	type: eth
				613	mtu: 9000
				614	proto: manual
				615	eth3:
				616	enabled: true
				617	type: eth
				618	mtu: 9000
				619	proto: manual
				620	br-int:
				621	enabled: true
				622	mtu: 9000
				623	type: ovs_bridge
				624	br-floating:
				625	enabled: true
				626	mtu: 9000
				627	type: ovs_bridge
				628	float-to-ex:
				629	enabled: true
				630	type: ovs_port
				631	mtu: 65000
				632	bridge: br-floating
				633	br-mgmt:
				634	enabled: true
				635	type: bridge
				636	mtu: 9000
				637	address: ${_param:single_address}
				638	netmask: 255.255.255.0
				639	use_interfaces:
				640	- eth1
				641	br-mesh:
				642	enabled: true
				643	type: bridge
				644	mtu: 9000
				645	address: ${_param:tenant_address}
				646	netmask: 255.255.255.0
				647	use_interfaces:
				648	- eth2
				649	br-ex:
				650	enabled: true
				651	type: bridge
				652	mtu: 9000
				653	address: ${_param:external_address}
				654	netmask: 255.255.255.0
				655	use_interfaces:
				656	- eth3
				657	use_ovs_ports:
				658	- float-to-ex
				659
Thom Gerdes	3282d07	2017-05-30 22:06:04 +0000	[diff] [blame]	660	Additonal VXLAN tenant network settings
				661	---------------------------------------
				662
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	663	The default multicast group of ``224.0.0.1`` only multicasts
				664	to a single subnet. Allow overriding it to allow larger underlay
				665	network topologies.
Thom Gerdes	3282d07	2017-05-30 22:06:04 +0000	[diff] [blame]	666
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	667	Neutron Server:
Thom Gerdes	3282d07	2017-05-30 22:06:04 +0000	[diff] [blame]	668
				669	.. code-block:: yaml
				670
				671	neutron:
				672	server:
				673	vxlan:
				674	group: 239.0.0.0/8
				675	vni_ranges: "2:65535"
				676
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	677	Neutron VLAN tenant networks with Network Nodes
Aleš Komárek	41e8231	2017-04-11 13:37:44 +0200	[diff] [blame]	678	-----------------------------------------------
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	679
				680	VLAN tenant provider
				681
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	682	Neutron Server only:
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	683
				684	.. code-block:: yaml
				685
				686	neutron:
				687	server:
				688	version: mitaka
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	689	...
				690	global_physnet_mtu: 9000
				691	l3_ha: False
				692	dvr: True
				693	backend:
				694	engine: ml2
				695	tenant_network_types: "flat,vlan" # Can be mixed flat,vlan,vxlan
				696	tenant_vlan_range: "1000:2000"
				697	external_vlan_range: "100:200" # Does not have to be defined.
				698	external_mtu: 9000
				699	mechanism:
Elena Ezhova	d6a080c	2017-10-09 15:25:16 +0400	[diff] [blame]	700	ovs:
				701	driver: openvswitch
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	702
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	703	Compute node:
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	704
				705	.. code-block:: yaml
				706
				707	neutron:
				708	compute:
				709	version: mitaka
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	710	...
				711	dvr: True
				712	agent_mode: dvr
				713	external_access: False
				714	backend:
				715	engine: ml2
				716	tenant_network_types: "flat,vlan" # Can be mixed flat,vlan,vxlan
				717	mechanism:
Elena Ezhova	d6a080c	2017-10-09 15:25:16 +0400	[diff] [blame]	718	ovs:
				719	driver: openvswitch
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	720
Oleg Bondarev	ddb9af1	2018-07-02 19:07:57 +0400	[diff] [blame]	721	Neutron with explicit physical networks
				722	---------------------------------------
Oleg Bondarev	ada324f	2018-06-04 14:55:38 +0400	[diff] [blame]	723
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	724	Neutron Server only:
Oleg Bondarev	ada324f	2018-06-04 14:55:38 +0400	[diff] [blame]	725
				726	.. code-block:: yaml
				727
				728	neutron:
				729	server:
				730	version: ocata
				731	...
				732	backend:
				733	engine: ml2
				734	tenant_network_types: "flat,vlan" # Can be mixed flat,vlan,vxlan
				735	...
Oleg Bondarev	ddb9af1	2018-07-02 19:07:57 +0400	[diff] [blame]	736	# also need to configure corresponding bridge_mappings on
Oleg Bondarev	ada324f	2018-06-04 14:55:38 +0400	[diff] [blame]	737	# compute and gateway nodes
Oleg Bondarev	47d9e2d	2018-07-03 13:22:26 +0400	[diff] [blame]	738	flat_networks_default: '' # '' to allow arbitrary names or '' to disable
Oleg Bondarev	ddb9af1	2018-07-02 19:07:57 +0400	[diff] [blame]	739	physnets: # only listed physnets will be configured (overrides physnet1/2/3)
				740	external:
				741	mtu: 1500
Oleg Bondarev	47d9e2d	2018-07-03 13:22:26 +0400	[diff] [blame]	742	types:
				743	- flat # possible values - 'flat' or 'vlan'
Oleg Bondarev	ada324f	2018-06-04 14:55:38 +0400	[diff] [blame]	744	sriov_net:
				745	mtu: 9000 # Optional, defaults to 1500
Oleg Bondarev	ab32411	2018-11-19 17:56:57 +0400	[diff] [blame]	746	vlan_range: '100:200,300:400' # Optional
Oleg Bondarev	47d9e2d	2018-07-03 13:22:26 +0400	[diff] [blame]	747	types:
				748	- vlan
Oleg Bondarev	ada324f	2018-06-04 14:55:38 +0400	[diff] [blame]	749	ext_net2:
				750	mtu: 1500
Oleg Bondarev	47d9e2d	2018-07-03 13:22:26 +0400	[diff] [blame]	751	types:
				752	- flat
				753	- vlan
Oleg Bondarev	ada324f	2018-06-04 14:55:38 +0400	[diff] [blame]	754	mechanism:
				755	ovs:
				756	driver: openvswitch
				757
Aleš Komárek	41e8231	2017-04-11 13:37:44 +0200	[diff] [blame]	758	Advanced Neutron Features (DPDK, SR-IOV)
Oleg Bondarev	0575ae4	2017-07-28 16:36:25 +0400	[diff] [blame]	759	----------------------------------------
Aleš Komárek	41e8231	2017-04-11 13:37:44 +0200	[diff] [blame]	760
Jakub Pavlik	8f83ccc	2017-02-27 11:15:39 +0100	[diff] [blame]	761	Neutron OVS DPDK
Jakub Pavlik	8f83ccc	2017-02-27 11:15:39 +0100	[diff] [blame]	762
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	763	Enable datapath netdev for neutron openvswitch agent:
Jakub Pavlik	8f83ccc	2017-02-27 11:15:39 +0100	[diff] [blame]	764
				765	.. code-block:: yaml
				766
				767	neutron:
				768	server:
				769	version: mitaka
				770	...
				771	dpdk: True
				772	...
				773
				774	neutron:
				775	compute:
				776	version: mitaka
Jakub Pavlik	8f83ccc	2017-02-27 11:15:39 +0100	[diff] [blame]	777	dpdk: True
Michael Polenchuk	5291165	2018-04-12 22:09:49 +0400	[diff] [blame]	778	vhost_mode: client # options: client\|server (default)
Oleg Bondarev	ee7e830	2017-10-16 17:20:38 +0400	[diff] [blame]	779	vhost_socket_dir: /var/run/openvswitch
Jakub Pavlik	8f83ccc	2017-02-27 11:15:39 +0100	[diff] [blame]	780	backend:
				781	engine: ml2
				782	...
				783	mechanism:
Elena Ezhova	d6a080c	2017-10-09 15:25:16 +0400	[diff] [blame]	784	ovs:
				785	driver: openvswitch
Jakub Pavlik	8f83ccc	2017-02-27 11:15:39 +0100	[diff] [blame]	786
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	787	Neutron OVS SR-IOV:
Jakub Pavlik	70555cb	2017-02-26 18:48:02 +0100	[diff] [blame]	788
				789	.. code-block:: yaml
				790
				791	neutron:
				792	server:
				793	version: mitaka
Jakub Pavlik	70555cb	2017-02-26 18:48:02 +0100	[diff] [blame]	794	backend:
				795	engine: ml2
				796	...
				797	mechanism:
Elena Ezhova	d6a080c	2017-10-09 15:25:16 +0400	[diff] [blame]	798	ovs:
				799	driver: openvswitch
				800	sriov:
				801	driver: sriovnicswitch
Michael Polenchuk	0bf59a7	2018-06-19 18:06:56 +0400	[diff] [blame]	802	# Driver w/ highest number will be placed ahead in the list (default is 0).
				803	# It's recommended for SR-IOV driver to set an order >0 to get it
				804	# before (for example) the opendaylight one.
				805	order: 9
Jakub Pavlik	70555cb	2017-02-26 18:48:02 +0100	[diff] [blame]	806
				807	neutron:
				808	compute:
				809	version: mitaka
Jakub Pavlik	70555cb	2017-02-26 18:48:02 +0100	[diff] [blame]	810	...
				811	backend:
				812	engine: ml2
				813	tenant_network_types: "flat,vlan" # Can be mixed flat,vlan,vxlan
				814	sriov:
				815	nic_one:
				816	devname: eth1
				817	physical_network: physnet3
				818	mechanism:
Elena Ezhova	d6a080c	2017-10-09 15:25:16 +0400	[diff] [blame]	819	ovs:
				820	driver: openvswitch
Jakub Pavlik	70555cb	2017-02-26 18:48:02 +0100	[diff] [blame]	821
cdodda	c35c9eb	2018-11-07 23:18:10 -0600	[diff] [blame]	822	Neutron with LinuxBridge Agents
				823	-------------------------------
				824
				825	.. code-block:: yaml
				826
				827	neutron:
				828	server:
				829	firewall_driver: iptables
				830	backend:
				831	mechanism:
				832	lb:
				833	driver: linuxbridge
				834	....
				835	compute:
				836	backend:
				837	mechanism:
				838	lb:
				839	driver: linuxbridge
				840	....
				841	gateway:
				842	backend:
				843	mechanism:
				844	lb:
				845	driver: linuxbridge
				846	agents:
				847	dhcp:
				848	interface_driver: linuxbridge
				849	l3:
				850	interface_driver: linuxbridge
				851
				852
Ilya Chukhnakov	f4c2bb3	2017-06-08 02:03:15 +0300	[diff] [blame]	853	Neutron with VLAN-aware-VMs
Oleg Bondarev	0575ae4	2017-07-28 16:36:25 +0400	[diff] [blame]	854	---------------------------
Ilya Chukhnakov	f4c2bb3	2017-06-08 02:03:15 +0300	[diff] [blame]	855
				856	.. code-block:: yaml
				857
				858	neutron:
				859	server:
				860	vlan_aware_vms: true
				861	....
				862	compute:
				863	vlan_aware_vms: true
				864	....
				865	gateway:
				866	vlan_aware_vms: true
				867
Oleg Bondarev	acb2e53	2018-03-06 10:43:59 +0400	[diff] [blame]	868	Neutron with BGP VPN (BaGPipe driver)
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	869	-------------------------------------
Oleg Bondarev	b63d27f	2018-02-14 19:21:06 +0400	[diff] [blame]	870
				871	.. code-block:: yaml
				872
				873	neutron:
				874	server:
				875	version: pike
				876	bgp_vpn:
Oleg Bondarev	acb2e53	2018-03-06 10:43:59 +0400	[diff] [blame]	877	enabled: true
Michael Polenchuk	0b3c5dd	2018-06-27 12:04:32 +0400	[diff] [blame]	878	driver: bagpipe # Options: bagpipe/opencontrail/opendaylight[_v2]
Oleg Bondarev	b63d27f	2018-02-14 19:21:06 +0400	[diff] [blame]	879	....
				880	compute:
				881	version: pike
				882	bgp_vpn:
Oleg Bondarev	acb2e53	2018-03-06 10:43:59 +0400	[diff] [blame]	883	enabled: true
Michael Polenchuk	0b3c5dd	2018-06-27 12:04:32 +0400	[diff] [blame]	884	driver: bagpipe # Options: bagpipe/opencontrail/opendaylight[_v2]
Oleg Bondarev	acb2e53	2018-03-06 10:43:59 +0400	[diff] [blame]	885	bagpipe:
				886	local_address: 192.168.20.20 # IP address for mpls/gre tunnels
				887	peers: 192.168.20.30 # IP addresses of BGP peers
				888	autonomous_system: 64512 # Autonomous System number
				889	enable_rtc: True # Enable RT Constraint (RFC4684)
Oleg Bondarev	b63d27f	2018-02-14 19:21:06 +0400	[diff] [blame]	890	backend:
Oleg Bondarev	878ac46	2018-04-23 17:48:15 +0400	[diff] [blame]	891	ovs_extension: # for OVS agent only, not supported in SRIOV agent
Oleg Bondarev	b63d27f	2018-02-14 19:21:06 +0400	[diff] [blame]	892	bagpipe_bgpvpn:
				893	enabled: True
				894
Oleksii Chupryn	16cb4e0	2018-02-26 14:20:39 +0200	[diff] [blame]	895	Neutron with DHCP agent on compute node
				896	---------------------------------------
				897
				898	.. code-block:: yaml
				899
				900	neutron:
				901	....
				902	compute:
				903	dhcp_agent_enabled: true
				904	....
				905
Dzmitry Stremkouski	48df2a7	2018-10-12 16:38:11 +0200	[diff] [blame]	906	Neutron with metadata agent on compute node
				907	-------------------------------------------
				908
				909	.. code-block:: yaml
				910
				911	neutron:
				912	....
				913	compute:
				914	metadata_agent_enabled: true
				915	....
				916
Oleg Bondarev	0575ae4	2017-07-28 16:36:25 +0400	[diff] [blame]	917	Neutron with OVN
				918	----------------
				919
				920	Control node:
				921
				922	.. code-block:: yaml
				923
				924	neutron:
				925	server:
				926	backend:
				927	engine: ovn
				928	mechanism:
				929	ovn:
				930	driver: ovn
				931	tenant_network_types: "geneve,flat"
Michael Polenchuk	f59229b	2018-06-19 16:24:49 +0400	[diff] [blame]	932	ovn:
				933	ovn_l3_scheduler: leastloaded # valid options: chance, leastloaded
				934	neutron_sync_mode: repair # valid options: log, off, repair
Michael Polenchuk	58161ef	2018-05-15 18:04:09 +0400	[diff] [blame]	935	metadata_enabled: True
Michael Polenchuk	a3d492b	2017-12-27 15:49:43 +0400	[diff] [blame]	936	ovn_ctl_opts:
				937	db-nb-create-insecure-remote: 'yes'
				938	db-sb-create-insecure-remote: 'yes'
Oleg Bondarev	0575ae4	2017-07-28 16:36:25 +0400	[diff] [blame]	939
				940	Compute node:
				941
				942	.. code-block:: yaml
				943
				944	neutron:
				945	compute:
				946	local_ip: 10.2.0.105
				947	controller_vip: 10.1.0.101
				948	external_access: false
				949	backend:
				950	engine: ovn
Michael Polenchuk	58161ef	2018-05-15 18:04:09 +0400	[diff] [blame]	951	ovsdb_connection: tcp:127.0.0.1:6640
				952	metadata:
				953	enabled: true
				954	ovsdb_server_iface: ptcp:6640:127.0.0.1
				955	host: 10.1.0.101
				956	password: unsegreto
				957
Oleg Bondarev	0575ae4	2017-07-28 16:36:25 +0400	[diff] [blame]	958
Michael Polenchuk	cccd1a5	2018-02-02 17:41:16 +0400	[diff] [blame]	959	Neutron L2 Gateway
				960	----------------
				961
				962	Control node:
				963
				964	.. code-block:: yaml
				965
				966	neutron:
				967	server:
				968	version: pike
				969	l2gw:
				970	enabled: true
				971	periodic_monitoring_interval: 5
				972	quota_l2_gateway: 20
				973	# service_provider=<service_type>:<name>:<driver>[:default]
				974	service_provider: L2GW:OpenDaylight:networking_odl.l2gateway.driver.OpenDaylightL2gwDriver:default
				975	backend:
				976	engine: ml2
				977
				978	Network/Gateway node:
				979
				980	.. code-block:: yaml
				981
				982	neutron:
				983	gateway:
				984	version: pike
				985	l2gw:
				986	enabled: true
				987	debug: true
				988	socket_timeout: 20
				989	ovsdb_hosts:
				990	# <ovsdb_name>: <ip address>:<port>
				991	# - ovsdb_name: a user defined symbolic identifier of physical switch
				992	# - ip address: the address or dns name for the OVSDB server (i.e. pointer to the switch)
				993	ovsdb1: 10.164.5.33:6632
				994	ovsdb2: 10.164.4.33:6632
				995
				996
Michael Polenchuk	87d2b74	2017-06-29 12:05:25 +0400	[diff] [blame]	997	OpenDaylight integration
				998	------------------------
				999
				1000	Control node:
				1001
				1002	.. code-block:: yaml
				1003
				1004	neutron:
				1005	server:
				1006	backend:
				1007	opendaylight: true
				1008	router: odl-router_v2
				1009	host: 10.20.0.77
				1010	rest_api_port: 8282
				1011	user: admin
				1012	password: admin
				1013	ovsdb_connection: tcp:127.0.0.1:6639
Oleksii Chupryn	fed7957	2018-07-20 14:11:35 +0300	[diff] [blame]	1014	ovsdb_interface: native
Michael Polenchuk	87d2b74	2017-06-29 12:05:25 +0400	[diff] [blame]	1015	enable_websocket: true
				1016	enable_dhcp_service: false
				1017	mechanism:
				1018	ovs:
				1019	driver: opendaylight_v2
Michael Polenchuk	0bf59a7	2018-06-19 18:06:56 +0400	[diff] [blame]	1020	order: 1
Michael Polenchuk	87d2b74	2017-06-29 12:05:25 +0400	[diff] [blame]	1021
				1022	Network/Gateway node:
				1023
				1024	.. code-block:: yaml
				1025
				1026	neutron:
				1027	gateway:
				1028	backend:
				1029	router: odl-router_v2
				1030	ovsdb_connection: tcp:127.0.0.1:6639
Oleksii Chupryn	fed7957	2018-07-20 14:11:35 +0300	[diff] [blame]	1031	ovsdb_interface: native
Michael Polenchuk	87d2b74	2017-06-29 12:05:25 +0400	[diff] [blame]	1032	opendaylight:
				1033	ovsdb_server_iface: ptcp:6639:127.0.0.1
				1034	ovsdb_odl_iface: tcp:10.20.0.77:6640
				1035	tunnel_ip: 10.1.0.110
				1036	provider_mappings: physnet1:br-floating
				1037
				1038	Compute node:
				1039
				1040	.. code-block:: yaml
				1041
				1042	neutron:
				1043	compute:
				1044	opendaylight:
				1045	ovsdb_server_iface: ptcp:6639:127.0.0.1
				1046	ovsdb_odl_iface: tcp:10.20.0.77:6640
				1047	tunnel_ip: 10.1.0.105
				1048	provider_mappings: physnet1:br-floating
				1049
				1050
Michael Polenchuk	9cccecc	2018-09-14 14:54:18 +0400	[diff] [blame]	1051	Service Function Chaining Extension (SFC)
				1052	----------------
				1053
				1054	.. code-block:: yaml
				1055
				1056	neutron:
				1057	server:
				1058	sfc:
				1059	enabled: true
				1060	sfc_drivers:
				1061	- ovs # valid options: ovs, odl, ovn (not implemented yet)
				1062	flow_classifier_drivers:
				1063	- ovs # valid options: see above
				1064	....
				1065	compute:
				1066	backend:
				1067	ovs_extension:
				1068	sfc:
				1069	enabled: True
				1070
				1071
Aleš Komárek	41e8231	2017-04-11 13:37:44 +0200	[diff] [blame]	1072	Neutron Server
				1073	--------------
				1074
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1075	Neutron Server with OpenContrail:
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	1076
				1077	.. code-block:: yaml
				1078
				1079	neutron:
				1080	server:
marco	a4428a3	2016-06-10 11:50:16 +0200	[diff] [blame]	1081	backend:
				1082	engine: contrail
				1083	host: contrail_discovery_host
				1084	port: 8082
				1085	user: admin
				1086	password: password
				1087	tenant: admin
				1088	token: token
				1089
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1090	Neutron Server with Midonet:
marco	a4428a3	2016-06-10 11:50:16 +0200	[diff] [blame]	1091
				1092	.. code-block:: yaml
				1093
				1094	neutron:
				1095	server:
				1096	backend:
				1097	engine: midonet
				1098	host: midonet_api_host
				1099	port: 8181
				1100	user: admin
				1101	password: password
				1102
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1103	Neutron Server with NSX:
Vasyl Saienko	4549efe	2018-07-26 16:06:04 +0000	[diff] [blame]	1104
				1105	.. code-block:: yaml
				1106
				1107	neutron:
				1108	server:
				1109	backend:
				1110	engine: vmware
				1111	core_plugin: vmware_nsxv3
				1112	vmware:
				1113	nsx:
				1114	extension_drivers:
				1115	- vmware_nsxv3_dns
				1116	v3:
				1117	api_password: nsx_password
				1118	api_user: nsx_username
				1119	api_managers:
				1120	01:
				1121	scheme: https
				1122	host: 192.168.10.120
				1123	port: '443'
				1124	insecure: true
				1125
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1126	Neutron Keystone region:
Jakub Pavlik	6dd5c0a	2016-03-09 14:18:15 +0100	[diff] [blame]	1127
				1128	.. code-block:: yaml
				1129
				1130	neutron:
				1131	server:
				1132	enabled: true
				1133	version: kilo
				1134	...
				1135	identity:
				1136	region: RegionTwo
				1137	...
				1138	compute:
				1139	region: RegionTwo
				1140	...
				1141
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1142	Client-side RabbitMQ HA setup:
Jiri Konecny	93b1999	2016-04-12 11:15:39 +0200	[diff] [blame]	1143
				1144	.. code-block:: yaml
				1145
				1146	neutron:
				1147	server:
				1148	....
				1149	message_queue:
				1150	engine: rabbitmq
				1151	members:
				1152	- host: 10.0.16.1
				1153	- host: 10.0.16.2
				1154	- host: 10.0.16.3
				1155	user: openstack
				1156	password: pwd
				1157	virtual_host: '/openstack'
				1158	....
				1159
Kirill Bespalov	dd748b6	2017-11-21 10:42:57 +0300	[diff] [blame]	1160	Configuring TLS communications
				1161	------------------------------
Kirill Bespalov	8fffe02	2017-08-03 17:55:02 +0300	[diff] [blame]	1162
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1163	.. note:: By default, system-wide installed CA certs are used,
				1164	so ``cacert_file`` param is optional, as well as ``cacert``.
Kirill Bespalov	dd748b6	2017-11-21 10:42:57 +0300	[diff] [blame]	1165
				1166	- RabbitMQ TLS
Kirill Bespalov	8fffe02	2017-08-03 17:55:02 +0300	[diff] [blame]	1167
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1168	.. code-block:: yaml
Kirill Bespalov	8fffe02	2017-08-03 17:55:02 +0300	[diff] [blame]	1169
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1170	neutron:
				1171	server, gateway, compute:
				1172	message_queue:
				1173	port: 5671
				1174	ssl:
				1175	enabled: True
				1176	(optional) cacert: cert body if the cacert_file does not exists
				1177	(optional) cacert_file: /etc/openstack/rabbitmq-ca.pem
				1178	(optional) version: TLSv1_2
Kirill Bespalov	8fffe02	2017-08-03 17:55:02 +0300	[diff] [blame]	1179
Kirill Bespalov	dd748b6	2017-11-21 10:42:57 +0300	[diff] [blame]	1180	- MySQL TLS
Kirill Bespalov	8fffe02	2017-08-03 17:55:02 +0300	[diff] [blame]	1181
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1182	.. code-block:: yaml
Kirill Bespalov	8fffe02	2017-08-03 17:55:02 +0300	[diff] [blame]	1183
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1184	neutron:
				1185	server:
				1186	database:
				1187	ssl:
				1188	enabled: True
				1189	(optional) cacert: cert body if the cacert_file does not exists
				1190	(optional) cacert_file: /etc/openstack/mysql-ca.pem
Kirill Bespalov	8fffe02	2017-08-03 17:55:02 +0300	[diff] [blame]	1191
Kirill Bespalov	dd748b6	2017-11-21 10:42:57 +0300	[diff] [blame]	1192	- Openstack HTTPS API
				1193
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1194	.. code-block:: yaml
Kirill Bespalov	8fffe02	2017-08-03 17:55:02 +0300	[diff] [blame]	1195
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1196	neutron:
				1197	server:
				1198	identity:
				1199	protocol: https
				1200	(optional) cacert_file: /etc/openstack/proxy.pem
Kirill Bespalov	8fffe02	2017-08-03 17:55:02 +0300	[diff] [blame]	1201
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1202	Enable auditing filter, ie: CADF:
Petr Michalec	61f7ab2	2016-11-29 16:29:09 +0100	[diff] [blame]	1203
				1204	.. code-block:: yaml
				1205
				1206	neutron:
				1207	server:
				1208	audit:
				1209	enabled: true
				1210	....
				1211	filter_factory: 'keystonemiddleware.audit:filter_factory'
				1212	map_file: '/etc/pycadf/neutron_api_audit_map.conf'
				1213	....
				1214	compute:
				1215	audit:
				1216	enabled: true
				1217	....
				1218	filter_factory: 'keystonemiddleware.audit:filter_factory'
				1219	map_file: '/etc/pycadf/neutron_api_audit_map.conf'
				1220	....
Jiri Konecny	93b1999	2016-04-12 11:15:39 +0200	[diff] [blame]	1221
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1222	Neutron with security groups disabled:
Oleg Bondarev	98870a3	2017-05-29 16:53:19 +0400	[diff] [blame]	1223
				1224	.. code-block:: yaml
				1225
				1226	neutron:
				1227	server:
				1228	security_groups_enabled: False
				1229	....
				1230	compute:
				1231	security_groups_enabled: False
				1232	....
				1233	gateway:
				1234	security_groups_enabled: False
				1235
Jiri Konecny	93b1999	2016-04-12 11:15:39 +0200	[diff] [blame]	1236
Aleš Komárek	41e8231	2017-04-11 13:37:44 +0200	[diff] [blame]	1237	Neutron Client
				1238	--------------
Jiri Broulik	5368cc5	2017-02-08 18:53:59 +0100	[diff] [blame]	1239
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1240	Neutron networks:
Jiri Broulik	5368cc5	2017-02-08 18:53:59 +0100	[diff] [blame]	1241
				1242	.. code-block:: yaml
				1243
				1244	neutron:
				1245	client:
				1246	enabled: true
				1247	server:
				1248	identity:
Richard Felkl	aac256a	2017-03-23 15:43:49 +0100	[diff] [blame]	1249	endpoint_type: internalURL
Jiri Broulik	5368cc5	2017-02-08 18:53:59 +0100	[diff] [blame]	1250	network:
				1251	inet1:
				1252	tenant: demo
				1253	shared: False
				1254	admin_state_up: True
				1255	router_external: True
				1256	provider_physical_network: inet
				1257	provider_network_type: flat
				1258	provider_segmentation_id: 2
				1259	subnet:
				1260	inet1-subnet1:
				1261	cidr: 192.168.90.0/24
				1262	enable_dhcp: False
				1263	inet2:
				1264	tenant: admin
				1265	shared: False
				1266	router_external: True
				1267	provider_network_type: "vlan"
				1268	subnet:
				1269	inet2-subnet1:
				1270	cidr: 192.168.92.0/24
				1271	enable_dhcp: False
				1272	inet2-subnet2:
				1273	cidr: 192.168.94.0/24
				1274	enable_dhcp: True
				1275	identity1:
				1276	network:
				1277	...
				1278
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1279	Neutron routers:
Jiri Broulik	5368cc5	2017-02-08 18:53:59 +0100	[diff] [blame]	1280
				1281	.. code-block:: yaml
				1282
				1283	neutron:
				1284	client:
				1285	enabled: true
				1286	server:
				1287	identity:
Richard Felkl	aac256a	2017-03-23 15:43:49 +0100	[diff] [blame]	1288	endpoint_type: internalURL
Jiri Broulik	5368cc5	2017-02-08 18:53:59 +0100	[diff] [blame]	1289	router:
				1290	inet1-router:
				1291	tenant: demo
				1292	admin_state_up: True
				1293	gateway_network: inet
				1294	interfaces:
				1295	- inet1-subnet1
				1296	- inet1-subnet2
				1297	identity1:
				1298	router:
				1299	...
				1300
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1301	.. TODO implement adding new interfaces to a router while updating it
Jiri Broulik	5368cc5	2017-02-08 18:53:59 +0100	[diff] [blame]	1302
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1303	Neutron security groups:
Jiri Broulik	5368cc5	2017-02-08 18:53:59 +0100	[diff] [blame]	1304
				1305	.. code-block:: yaml
				1306
				1307	neutron:
				1308	client:
				1309	enabled: true
				1310	server:
				1311	identity:
Richard Felkl	aac256a	2017-03-23 15:43:49 +0100	[diff] [blame]	1312	endpoint_type: internalURL
Jiri Broulik	5368cc5	2017-02-08 18:53:59 +0100	[diff] [blame]	1313	security_group:
				1314	security_group1:
				1315	tenant: demo
				1316	description: security group 1
				1317	rules:
				1318	- direction: ingress
				1319	ethertype: IPv4
				1320	protocol: TCP
				1321	port_range_min: 1
				1322	port_range_max: 65535
				1323	remote_ip_prefix: 0.0.0.0/0
				1324	- direction: ingress
				1325	ethertype: IPv4
				1326	protocol: UDP
				1327	port_range_min: 1
				1328	port_range_max: 65535
				1329	remote_ip_prefix: 0.0.0.0/0
				1330	- direction: ingress
				1331	protocol: ICMP
				1332	remote_ip_prefix: 0.0.0.0/0
				1333	identity1:
				1334	security_group:
				1335	...
				1336
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1337	.. TODO: implement updating existing security rules (now it adds new rule if
				1338	trying to update existing one)
Jiri Broulik	5368cc5	2017-02-08 18:53:59 +0100	[diff] [blame]	1339
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1340	Floating IP addresses:
Jiri Broulik	de2e290	2017-02-13 15:03:47 +0100	[diff] [blame]	1341
				1342	.. code-block:: yaml
				1343
				1344	neutron:
				1345	client:
				1346	enabled: true
				1347	server:
				1348	identity:
Richard Felkl	aac256a	2017-03-23 15:43:49 +0100	[diff] [blame]	1349	endpoint_type: internalURL
Jiri Broulik	de2e290	2017-02-13 15:03:47 +0100	[diff] [blame]	1350	floating_ip:
				1351	prx01-instance:
				1352	server: prx01.mk22-lab-basic.local
				1353	subnet: private-subnet1
				1354	network: public-net1
				1355	tenant: demo
				1356	gtw01-instance:
				1357	...
				1358
				1359	.. note:: The network must have flag router:external set to True.
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1360	Instance port in the stated subnet will be associated
				1361	with the dynamically generated floating IP.
Oleg Iurchenko	de71cc2	2017-09-18 17:58:56 +0300	[diff] [blame]	1362
				1363	Enable Neutron extensions (QoS, DNS, etc.)
				1364	------------------------------------------
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1365
Oleg Iurchenko	de71cc2	2017-09-18 17:58:56 +0300	[diff] [blame]	1366	.. code-block:: yaml
				1367
				1368	neutron:
				1369	server:
				1370	backend:
				1371	extension:
Oleg Iurchenko	ac17f4f	2017-10-06 11:24:27 +0300	[diff] [blame]	1372	dns:
				1373	enabled: True
				1374	host: 127.0.0.1
				1375	port: 9001
				1376	protocol: http
				1377	....
				1378	qos
				1379	enabled: True
Oleg Iurchenko	de71cc2	2017-09-18 17:58:56 +0300	[diff] [blame]	1380
Oleg Bondarev	878ac46	2018-04-23 17:48:15 +0400	[diff] [blame]	1381	Different Neutron extensions for different agents
				1382	-------------------------------------------------
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1383
Oleg Bondarev	878ac46	2018-04-23 17:48:15 +0400	[diff] [blame]	1384	.. code-block:: yaml
				1385
				1386	neutron:
				1387	server:
				1388	backend:
				1389	extension: # common extensions for OVS and SRIOV agents
				1390	dns:
				1391	enabled: True
				1392	...
				1393	qos
				1394	enabled: True
				1395	ovs_extension: # OVS specific extensions
				1396	bagpipe_bgpvpn:
				1397	enabled: True
				1398	sriov_extension: # SRIOV specific extensions
				1399	dummy:
				1400	enabled: True
Oleg Iurchenko	de71cc2	2017-09-18 17:58:56 +0300	[diff] [blame]	1401
Oleg Iurchenko	8cf6cf5	2017-09-18 15:44:03 +0300	[diff] [blame]	1402	Neutron with Designate
				1403	-----------------------------------------
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1404
Oleg Iurchenko	8cf6cf5	2017-09-18 15:44:03 +0300	[diff] [blame]	1405	.. code-block:: yaml
				1406
				1407	neutron:
				1408	server:
				1409	backend:
				1410	extension:
				1411	dns:
				1412	enabled: True
				1413	host: 127.0.0.1
				1414	port: 9001
				1415	protocol: http
				1416
Marek Celoud	67ce206	2018-01-31 13:44:55 +0100	[diff] [blame]	1417	Enable RBAC for OpenContrail engine
				1418	-----------------------------------
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1419
Marek Celoud	67ce206	2018-01-31 13:44:55 +0100	[diff] [blame]	1420	.. code-block:: yaml
				1421
				1422	neutron:
				1423	server:
				1424	backend:
				1425	engine: contrail
				1426	rbac:
				1427	enabled: True
Oleg Iurchenko	8cf6cf5	2017-09-18 15:44:03 +0300	[diff] [blame]	1428
Dmitry Kalashnik	35dd0e0	2017-12-07 14:16:25 +0400	[diff] [blame]	1429	Enhanced logging with logging.conf
				1430	----------------------------------
				1431
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1432	By default ``logging.conf`` is disabled.
Dmitry Kalashnik	35dd0e0	2017-12-07 14:16:25 +0400	[diff] [blame]	1433
				1434	That is possible to enable per-binary logging.conf with new variables:
Dmitry Kalashnik	35dd0e0	2017-12-07 14:16:25 +0400	[diff] [blame]	1435
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1436	* ``openstack_log_appender``
				1437	Set to true to enable ``log_config_append`` for all OpenStack services
				1438
				1439	* ``openstack_fluentd_handler_enabled``
				1440	Set to true to enable FluentHandler for all Openstack services
				1441
				1442	* ``openstack_ossyslog_handler_enabled``
				1443	Set to true to enable OSSysLogHandler for all Openstack services.
				1444
				1445	Only ``WatchedFileHandler``, ``OSSysLogHandler``, and ``FluentHandler``
				1446	are available.
Dmitry Kalashnik	35dd0e0	2017-12-07 14:16:25 +0400	[diff] [blame]	1447
				1448	Also it is possible to configure this with pillar:
				1449
				1450	.. code-block:: yaml
				1451
				1452	neutron:
				1453	server:
				1454	logging:
				1455	log_appender: true
				1456	log_handlers:
				1457	watchedfile:
				1458	enabled: true
				1459	fluentd:
				1460	enabled: true
Oleksii Chupryn	156c5f4	2018-02-07 10:06:50 +0200	[diff] [blame]	1461	ossyslog:
				1462	enabled: true
Dmitry Kalashnik	35dd0e0	2017-12-07 14:16:25 +0400	[diff] [blame]	1463	....
				1464	compute:
				1465	logging:
				1466	log_appender: true
				1467	log_handlers:
				1468	watchedfile:
				1469	enabled: true
				1470	fluentd:
				1471	enabled: true
Oleksii Chupryn	156c5f4	2018-02-07 10:06:50 +0200	[diff] [blame]	1472	ossyslog:
				1473	enabled: true
Dmitry Kalashnik	35dd0e0	2017-12-07 14:16:25 +0400	[diff] [blame]	1474	....
				1475	gateway:
				1476	logging:
				1477	log_appender: true
				1478	log_handlers:
				1479	watchedfile:
				1480	enabled: true
				1481	fluentd:
				1482	enabled: true
Oleksii Chupryn	156c5f4	2018-02-07 10:06:50 +0200	[diff] [blame]	1483	ossyslog:
				1484	enabled: true
Oleg Iurchenko	8cf6cf5	2017-09-18 15:44:03 +0300	[diff] [blame]	1485
Oleksii Grudev	fe73ee5	2018-05-14 14:08:11 +0300	[diff] [blame]	1486	Logging levels pillar example:
				1487
				1488	.. code-block:: yaml
				1489
				1490	neutron:
				1491	server:
				1492	logging:
				1493	log_appender: true
				1494	loggers:
				1495	root:
				1496	level: 'DEBUG'
				1497	neutron:
				1498	level: 'DEBUG'
				1499	amqplib:
				1500	level: 'DEBUG'
				1501	sqlalchemy:
				1502	level: 'DEBUG'
				1503	boto:
				1504	level: 'DEBUG'
				1505	suds:
				1506	level: 'DEBUG'
				1507	eventletwsgi:
				1508	level: 'DEBUG'
				1509	......
Oleksandr Bryndzii	3b0ac2c	2018-10-04 11:06:24 +0300	[diff] [blame]	1510	Neutron server with memcached caching and security strategy:
				1511
				1512	.. code-block:: yaml
				1513
				1514	neutron:
				1515	server:
				1516	enabled: true
				1517	...
				1518	cache:
				1519	engine: memcached
				1520	members:
				1521	- host: 127.0.0.1
				1522	port: 11211
				1523	- host: 127.0.0.1
				1524	port: 11211
				1525	security:
				1526	enabled: true
				1527	strategy: ENCRYPT
				1528	secret_key: secret
Oleksii Grudev	fe73ee5	2018-05-14 14:08:11 +0300	[diff] [blame]	1529
Vasyl Saienko	ba42073	2018-09-07 10:19:32 +0000	[diff] [blame]	1530	Upgrades
				1531	========
				1532
				1533	Each openstack formula provide set of phases (logical bloks) that will help to
				1534	build flexible upgrade orchestration logic for particular components. The list
				1535	of phases might and theirs descriptions are listed in table below:
				1536
				1537	+-------------------------------+------------------------------------------------------+
				1538	\| State \| Description \|
				1539	+===============================+======================================================+
				1540	\| <app>.upgrade.service_running \| Ensure that all services for particular application \|
				1541	\| \| are enabled for autostart and running \|
				1542	+-------------------------------+------------------------------------------------------+
				1543	\| <app>.upgrade.service_stopped \| Ensure that all services for particular application \|
				1544	\| \| disabled for autostart and dead \|
				1545	+-------------------------------+------------------------------------------------------+
				1546	\| <app>.upgrade.pkg_latest \| Ensure that packages used by particular application \|
				1547	\| \| are installed to latest available version. \|
				1548	\| \| This will not upgrade data plane packages like qemu \|
				1549	\| \| and openvswitch as usually minimal required version \|
				1550	\| \| in openstack services is really old. The data plane \|
				1551	\| \| packages should be upgraded separately by `apt-get \|
				1552	\| \| upgrade` or `apt-get dist-upgrade` \|
				1553	\| \| Applying this state will not autostart service. \|
				1554	+-------------------------------+------------------------------------------------------+
				1555	\| <app>.upgrade.render_config \| Ensure configuration is rendered actual version. +
				1556	+-------------------------------+------------------------------------------------------+
				1557	\| <app>.upgrade.pre \| We assume this state is applied on all nodes in the \|
				1558	\| \| cloud before running upgrade. \|
				1559	\| \| Only non destructive actions will be applied during \|
				1560	\| \| this phase. Perform service built in service check \|
				1561	\| \| like (keystone-manage doctor and nova-status upgrade)\|
				1562	+-------------------------------+------------------------------------------------------+
				1563	\| <app>.upgrade.upgrade.pre \| Mostly applicable for data plane nodes. During this \|
				1564	\| \| phase resources will be gracefully removed from \|
				1565	\| \| current node if it is allowed. Services for upgraded \|
				1566	\| \| application will be set to admin disabled state to \|
				1567	\| \| make sure node will not participate in resources \|
				1568	\| \| scheduling. For example on gtw nodes this will set \|
				1569	\| \| all agents to admin disable state and will move all \|
				1570	\| \| routers to other agents. \|
				1571	+-------------------------------+------------------------------------------------------+
				1572	\| <app>.upgrade.upgrade \| This state will basically upgrade application on \|
				1573	\| \| particular target. Stop services, render \|
				1574	\| \| configuration, install new packages, run offline \|
				1575	\| \| dbsync (for ctl), start services. Data plane should \|
				1576	\| \| not be affected, only OpenStack python services. \|
				1577	+-------------------------------+------------------------------------------------------+
				1578	\| <app>.upgrade.upgrade.post \| Add services back to scheduling. \|
				1579	+-------------------------------+------------------------------------------------------+
				1580	\| <app>.upgrade.post \| This phase should be launched only when upgrade of \|
				1581	\| \| the cloud is completed. \|
				1582	+-------------------------------+------------------------------------------------------+
				1583	\| <app>.upgrade.verify \| Here we will do basic health checks (API CRUD \|
				1584	\| \| operations, verify do not have dead network \|
				1585	\| \| agents/compute services) \|
				1586	+-------------------------------+------------------------------------------------------+
				1587
				1588
Oleksandr Shyshko	f51b94c	2018-08-31 16:05:27 +0300	[diff] [blame]	1589	Enable x509 and ssl communication between Neutron and Galera cluster.
				1590	---------------------
				1591	By default communication between Neutron and Galera is unsecure.
				1592
				1593	neutron:
				1594	server:
				1595	database:
				1596	x509:
				1597	enabled: True
				1598
				1599	You able to set custom certificates in pillar:
				1600
				1601	neutron:
				1602	server:
				1603	database:
				1604	x509:
				1605	cacert: (certificate content)
				1606	cert: (certificate content)
				1607	key: (certificate content)
				1608
				1609	You can read more about it here:
				1610	https://docs.openstack.org/security-guide/databases/database-access-control.html