===============
Neutron Formula
===============

Neutron is an OpenStack project to provide "networking as a service" between
interface devices (e.g., vNICs) managed by other OpenStack services (e.g.,
nova).

Starting in the Folsom release, Neutron is a core and supported part of the
OpenStack platform (for Essex, we were an "incubated" project, which means use
is suggested only for those who really know what they're doing with Neutron).

Sample Pillars
==============

Neutron Server on the controller node

.. code-block:: yaml

    neutron:
      server:
        enabled: true
        version: mitaka
        allow_pagination: true
        pagination_max_limit: 100
        api_workers: 2
        rpc_workers: 2
        rpc_state_report_workers: 2
        root_helper_daemon: false
        dhcp_lease_duration: 600
        bind:
          address: 172.20.0.1
          port: 9696
        database:
          engine: mysql
          host: 127.0.0.1
          port: 3306
          name: neutron
          user: neutron
          password: pwd
        identity:
          engine: keystone
          host: 127.0.0.1
          port: 35357
          user: neutron
          password: pwd
          tenant: service
          endpoint_type: internal
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        metadata:
          host: 127.0.0.1
          port: 8775
          password: pass
          workers: 2
        audit:
          enabled: false

Note: Pagination is useful when retrieving a large number of resources,
because a single request may fail (timeout). It is enabled with both
parameters *allow_pagination* and *pagination_max_limit*, as shown above.

Configuration of policy.json file

.. code-block:: yaml

    neutron:
      server:
        ....
        policy:
          create_subnet: 'rule:admin_or_network_owner'
          'get_network:queue_id': 'rule:admin_only'
          # Add key without value to remove line from policy.json
          'create_network:shared':

Neutron LBaaSv2 enablement
--------------------------

.. code-block:: yaml

    neutron:
      server:
        lbaas:
          enabled: true
          providers:
            octavia:
              engine: octavia
              driver_path: 'neutron_lbaas.drivers.octavia.driver.OctaviaDriver'
              base_url: 'http://127.0.0.1:9876'
            avi_adc:
              engine: avinetworks
              driver_path: 'avi_lbaasv2.avi_driver.AviDriver'
              controller_address: 10.182.129.239
              controller_user: admin
              controller_password: Cloudlab2016
              controller_cloud_name: Default-Cloud
            avi_adc2:
              engine: avinetworks
              ...

Note: If the Contrail backend is set, the OpenContrail load balancer is enabled
automatically. In this case lbaas should be disabled in the pillar:

.. code-block:: yaml

    neutron:
      server:
        lbaas:
          enabled: false

Neutron FWaaSv1 enablement
--------------------------

.. code-block:: yaml

    neutron:
      fwaas:
        enabled: true
        version: ocata
        api_version: v1

Enable CORS parameters
----------------------

.. code-block:: yaml

    neutron:
      server:
        cors:
          allowed_origin: https:localhost.local,http:localhost.local
          expose_headers: X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token
          allow_methods: GET,PUT,POST,DELETE,PATCH
          allow_headers: X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token
          allow_credentials: True
          max_age: 86400

Neutron VXLAN tenant networks with Network nodes
------------------------------------------------

With DVR for East-West and Network node for North-South.

This use case describes a model utilising VxLAN overlay with DVR. The DVR
routers will only be utilized for traffic that is routed within the cloud
infrastructure and that remains encapsulated. External traffic will be
routed via the network nodes.

The intention is that each tenant will require at least two (2) vrouters
one to be utilised

Neutron Server

.. code-block:: yaml

    neutron:
      server:
        version: mitaka
        path_mtu: 1500
        bind:
          address: 172.20.0.1
          port: 9696
        database:
          engine: mysql
          host: 127.0.0.1
          port: 3306
          name: neutron
          user: neutron
          password: pwd
        identity:
          engine: keystone
          host: 127.0.0.1
          port: 35357
          user: neutron
          password: pwd
          tenant: service
          endpoint_type: internal
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        global_physnet_mtu: 9000
        l3_ha: False # Which type of router will be created by default
        dvr: True # disabled for non DVR use case
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          external_mtu: 9000
          mechanism:
            ovs:
              driver: openvswitch

Network Node

.. code-block:: yaml

    neutron:
      gateway:
        enabled: True
        version: mitaka
        dhcp_lease_duration: 600
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        local_ip: 192.168.20.20 # br-mesh ip address
        dvr: True # disabled for non DVR use case
        agent_mode: dvr_snat
        metadata:
          host: 127.0.0.1
          password: pass
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          mechanism:
            ovs:
              driver: openvswitch

Compute Node

.. code-block:: yaml

    neutron:
      compute:
        enabled: True
        version: mitaka
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        local_ip: 192.168.20.20 # br-mesh ip address
        dvr: True # disabled for non DVR use case
        agent_mode: dvr
        external_access: false # Compute node with DVR for east-west only, Network Node has True as default
        metadata:
          host: 127.0.0.1
          password: pass
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          mechanism:
            ovs:
              driver: openvswitch
        audit:
          enabled: false

Disable physnet1 bridge
-----------------------

By default external access is turned on, so in addition to any physnets
defined in your reclass model there is one more: physnet1, which is mapped
to br-floating.

If you need internal networks only, without this bridge, remove br-floating
and its configuration mappings. Disable mappings for this bridge on
neutron-servers:

.. code-block:: yaml

    neutron:
      server:
        external_access: false

gateways:

.. code-block:: yaml

    neutron:
      gateway:
        external_access: false

compute nodes:

.. code-block:: yaml

    neutron:
      compute:
        external_access: false

Add additional bridge mappings for OVS bridges
----------------------------------------------

By default external access is turned on, so in addition to any physnets
defined in your reclass model there is one more: physnet1, which is mapped
to br-floating.

If you need to add extra non-default bridge mappings, they can be defined
separately for both gateways and compute nodes:

gateways:

.. code-block:: yaml

    neutron:
      gateway:
        bridge_mappings:
          physnet4: br-floating-internet

compute nodes:

.. code-block:: yaml

    neutron:
      compute:
        bridge_mappings:
          physnet4: br-floating-internet

Specify different mtu values for different physnets
---------------------------------------------------

Neutron Server

.. code-block:: yaml

    neutron:
      server:
        version: mitaka
        backend:
          external_mtu: 1500
          tenant_net_mtu: 9000
          ironic_net_mtu: 9000

Neutron VXLAN tenant networks with Network Nodes (non DVR)
----------------------------------------------------------

This section describes a network solution that utilises VxLAN overlay
networks without DVR, with all routers being managed on the network nodes.

Neutron Server

.. code-block:: yaml

    neutron:
      server:
        version: mitaka
        bind:
          address: 172.20.0.1
          port: 9696
        database:
          engine: mysql
          host: 127.0.0.1
          port: 3306
          name: neutron
          user: neutron
          password: pwd
        identity:
          engine: keystone
          host: 127.0.0.1
          port: 35357
          user: neutron
          password: pwd
          tenant: service
          endpoint_type: internal
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        global_physnet_mtu: 9000
        l3_ha: True
        dvr: False
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          external_mtu: 9000
          mechanism:
            ovs:
              driver: openvswitch

Network Node

.. code-block:: yaml

    neutron:
      gateway:
        enabled: True
        version: mitaka
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        local_ip: 192.168.20.20 # br-mesh ip address
        dvr: False
        agent_mode: legacy
        availability_zone: az1
        metadata:
          host: 127.0.0.1
          password: pass
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          mechanism:
            ovs:
              driver: openvswitch

Compute Node

.. code-block:: yaml

    neutron:
      compute:
        enabled: True
        version: mitaka
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        local_ip: 192.168.20.20 # br-mesh ip address
        external_access: False
        dvr: False
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          mechanism:
            ovs:
              driver: openvswitch

Neutron VXLAN tenant networks with Network Nodes with DVR
---------------------------------------------------------

With DVR for East-West and North-South, DVR everywhere, Network node for SNAT.

This section describes a network solution that utilises VxLAN
overlay networks with DVR for both North-South and East-West traffic. The
Network Node is used only for SNAT.

Neutron Server

.. code-block:: yaml

    neutron:
      server:
        version: mitaka
        bind:
          address: 172.20.0.1
          port: 9696
        database:
          engine: mysql
          host: 127.0.0.1
          port: 3306
          name: neutron
          user: neutron
          password: pwd
        identity:
          engine: keystone
          host: 127.0.0.1
          port: 35357
          user: neutron
          password: pwd
          tenant: service
          endpoint_type: internal
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        global_physnet_mtu: 9000
        l3_ha: False
        dvr: True
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          external_mtu: 9000
          mechanism:
            ovs:
              driver: openvswitch

Network Node

.. code-block:: yaml

    neutron:
      gateway:
        enabled: True
        version: mitaka
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        local_ip: 192.168.20.20 # br-mesh ip address
        dvr: True
        agent_mode: dvr_snat
        availability_zone: az1
        metadata:
          host: 127.0.0.1
          password: pass
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          mechanism:
            ovs:
              driver: openvswitch

Compute Node

.. code-block:: yaml

    neutron:
      compute:
        enabled: True
        version: mitaka
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        local_ip: 192.168.20.20 # br-mesh ip address
        dvr: True
        external_access: True
        agent_mode: dvr
        availability_zone: az1
        metadata:
          host: 127.0.0.1
          password: pass
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          mechanism:
            ovs:
              driver: openvswitch

Sample Linux network configuration for DVR

.. code-block:: yaml

    linux:
      network:
        bridge: openvswitch
        interface:
          eth1:
            enabled: true
            type: eth
            mtu: 9000
            proto: manual
          eth2:
            enabled: true
            type: eth
            mtu: 9000
            proto: manual
          eth3:
            enabled: true
            type: eth
            mtu: 9000
            proto: manual
          br-int:
            enabled: true
            mtu: 9000
            type: ovs_bridge
          br-floating:
            enabled: true
            mtu: 9000
            type: ovs_bridge
          float-to-ex:
            enabled: true
            type: ovs_port
            mtu: 65000
            bridge: br-floating
          br-mgmt:
            enabled: true
            type: bridge
            mtu: 9000
            address: ${_param:single_address}
            netmask: 255.255.255.0
            use_interfaces:
            - eth1
          br-mesh:
            enabled: true
            type: bridge
            mtu: 9000
            address: ${_param:tenant_address}
            netmask: 255.255.255.0
            use_interfaces:
            - eth2
          br-ex:
            enabled: true
            type: bridge
            mtu: 9000
            address: ${_param:external_address}
            netmask: 255.255.255.0
            use_interfaces:
            - eth3
            use_ovs_ports:
            - float-to-ex

Additional VXLAN tenant network settings
----------------------------------------

The default multicast group of 224.0.0.1 only multicasts to a single subnet.
Override it to support larger underlay network topologies.

Neutron Server

.. code-block:: yaml

    neutron:
      server:
        vxlan:
          group: 239.0.0.0/8
          vni_ranges: "2:65535"

Neutron VLAN tenant networks with Network Nodes
-----------------------------------------------

VLAN tenant provider

Neutron Server only

.. code-block:: yaml

    neutron:
      server:
        version: mitaka
        ...
        global_physnet_mtu: 9000
        l3_ha: False
        dvr: True
        backend:
          engine: ml2
          tenant_network_types: "flat,vlan" # Can be mixed flat,vlan,vxlan
          tenant_vlan_range: "1000:2000"
          external_vlan_range: "100:200" # Does not have to be defined.
          external_mtu: 9000
          mechanism:
            ovs:
              driver: openvswitch

Compute node

.. code-block:: yaml

    neutron:
      compute:
        version: mitaka
        ...
        dvr: True
        agent_mode: dvr
        external_access: False
        backend:
          engine: ml2
          tenant_network_types: "flat,vlan" # Can be mixed flat,vlan,vxlan
          mechanism:
            ovs:
              driver: openvswitch

Neutron with additional physical networks
-----------------------------------------

Neutron Server only

.. code-block:: yaml

    neutron:
      server:
        version: ocata
        ...
        backend:
          engine: ml2
          tenant_network_types: "flat,vlan" # Can be mixed flat,vlan,vxlan
          ...
          # also need to configure corresponding additional bridge_mappings on
          # compute and gateway nodes
          physnets:
            sriov_net:
              mtu: 9000 # Optional, defaults to 1500
              vlan_range: '100:200' # Optional
            ext_net2:
              mtu: 1500
          mechanism:
            ovs:
              driver: openvswitch

Advanced Neutron Features (DPDK, SR-IOV)
----------------------------------------

Neutron OVS DPDK

Enable datapath netdev for neutron openvswitch agent

.. code-block:: yaml

    neutron:
      server:
        version: mitaka
        ...
        dpdk: True
        ...

    neutron:
      compute:
        version: mitaka
        dpdk: True
        vhost_mode: client # options: client|server (default)
        vhost_socket_dir: /var/run/openvswitch
        backend:
          engine: ml2
          ...
          mechanism:
            ovs:
              driver: openvswitch

Neutron OVS SR-IOV

.. code-block:: yaml

    neutron:
      server:
        version: mitaka
        backend:
          engine: ml2
          ...
          mechanism:
            ovs:
              driver: openvswitch
            sriov:
              driver: sriovnicswitch

    neutron:
      compute:
        version: mitaka
        ...
        backend:
          engine: ml2
          tenant_network_types: "flat,vlan" # Can be mixed flat,vlan,vxlan
          sriov:
            nic_one:
              devname: eth1
              physical_network: physnet3
          mechanism:
            ovs:
              driver: openvswitch

Neutron with VLAN-aware-VMs
---------------------------

.. code-block:: yaml

    neutron:
      server:
        vlan_aware_vms: true
      ....
      compute:
        vlan_aware_vms: true
      ....
      gateway:
        vlan_aware_vms: true

Neutron with BGP VPN (BaGPipe driver)
-------------------------------------

.. code-block:: yaml

    neutron:
      server:
        version: pike
        bgp_vpn:
          enabled: true
          driver: bagpipe # Options: bagpipe/opencontrail/opendaylight
      ....
      compute:
        version: pike
        bgp_vpn:
          enabled: true
          driver: bagpipe # Options: bagpipe/opencontrail/opendaylight
          bagpipe:
            local_address: 192.168.20.20 # IP address for mpls/gre tunnels
            peers: 192.168.20.30 # IP addresses of BGP peers
            autonomous_system: 64512 # Autonomous System number
            enable_rtc: True # Enable RT Constraint (RFC4684)
        backend:
          ovs_extension: # for OVS agent only, not supported in SRIOV agent
            bagpipe_bgpvpn:
              enabled: True

Neutron with DHCP agent on compute node
---------------------------------------

.. code-block:: yaml

    neutron:
      ....
      compute:
        dhcp_agent_enabled: true
      ....

Neutron with OVN
----------------

Control node:

.. code-block:: yaml

    neutron:
      server:
        backend:
          engine: ovn
          mechanism:
            ovn:
              driver: ovn
          tenant_network_types: "geneve,flat"
        ovn_ctl_opts:
          db-nb-create-insecure-remote: 'yes'
          db-sb-create-insecure-remote: 'yes'

Compute node:

.. code-block:: yaml

    neutron:
      compute:
        local_ip: 10.2.0.105
        controller_vip: 10.1.0.101
        external_access: false
        backend:
          engine: ovn

Neutron L2 Gateway
------------------

Control node:

.. code-block:: yaml

    neutron:
      server:
        version: pike
        l2gw:
          enabled: true
          periodic_monitoring_interval: 5
          quota_l2_gateway: 20
          # service_provider=<service_type>:<name>:<driver>[:default]
          service_provider: L2GW:OpenDaylight:networking_odl.l2gateway.driver.OpenDaylightL2gwDriver:default
        backend:
          engine: ml2

Network/Gateway node:

.. code-block:: yaml

    neutron:
      gateway:
        version: pike
        l2gw:
          enabled: true
          debug: true
          socket_timeout: 20
          ovsdb_hosts:
            # <ovsdb_name>: <ip address>:<port>
            # - ovsdb_name: a user defined symbolic identifier of physical switch
            # - ip address: the address or dns name for the OVSDB server (i.e. pointer to the switch)
            ovsdb1: 10.164.5.33:6632
            ovsdb2: 10.164.4.33:6632

OpenDaylight integration
------------------------

Control node:

.. code-block:: yaml

    neutron:
      server:
        backend:
          opendaylight: true
          router: odl-router_v2
          host: 10.20.0.77
          rest_api_port: 8282
          user: admin
          password: admin
          ovsdb_connection: tcp:127.0.0.1:6639
          enable_websocket: true
          enable_dhcp_service: false
          mechanism:
            ovs:
              driver: opendaylight_v2

Network/Gateway node:

.. code-block:: yaml

    neutron:
      gateway:
        backend:
          router: odl-router_v2
          ovsdb_connection: tcp:127.0.0.1:6639
        opendaylight:
          ovsdb_server_iface: ptcp:6639:127.0.0.1
          ovsdb_odl_iface: tcp:10.20.0.77:6640
          tunnel_ip: 10.1.0.110
          provider_mappings: physnet1:br-floating

Compute node:

.. code-block:: yaml

    neutron:
      compute:
        opendaylight:
          ovsdb_server_iface: ptcp:6639:127.0.0.1
          ovsdb_odl_iface: tcp:10.20.0.77:6640
          tunnel_ip: 10.1.0.105
          provider_mappings: physnet1:br-floating

Neutron Server
--------------

Neutron Server with OpenContrail

.. code-block:: yaml

    neutron:
      server:
        backend:
          engine: contrail
          host: contrail_discovery_host
          port: 8082
          user: admin
          password: password
          tenant: admin
          token: token

Neutron Server with Midonet

.. code-block:: yaml

    neutron:
      server:
        backend:
          engine: midonet
          host: midonet_api_host
          port: 8181
          user: admin
          password: password

Neutron Keystone region

.. code-block:: yaml

    neutron:
      server:
        enabled: true
        version: kilo
        ...
        identity:
          region: RegionTwo
        ...
        compute:
          region: RegionTwo
        ...

Client-side RabbitMQ HA setup

.. code-block:: yaml

    neutron:
      server:
        ....
        message_queue:
          engine: rabbitmq
          members:
            - host: 10.0.16.1
            - host: 10.0.16.2
            - host: 10.0.16.3
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        ....

Configuring TLS communications
------------------------------

**Note:** by default the system-wide installed CA certs are used, so the
``cacert_file`` param is optional, as is ``cacert``.

- **RabbitMQ TLS**

.. code-block:: yaml

    neutron:
      server, gateway, compute:  # i.e. under each of these roles
        message_queue:
          port: 5671
          ssl:
            enabled: True
            cacert: cert body if the cacert_file does not exist  # optional
            cacert_file: /etc/openstack/rabbitmq-ca.pem  # optional
            version: TLSv1_2  # optional

- **MySQL TLS**

.. code-block:: yaml

    neutron:
      server:
        database:
          ssl:
            enabled: True
            cacert: cert body if the cacert_file does not exist  # optional
            cacert_file: /etc/openstack/mysql-ca.pem  # optional

- **Openstack HTTPS API**

.. code-block:: yaml

    neutron:
      server:
        identity:
          protocol: https
          cacert_file: /etc/openstack/proxy.pem  # optional

Enable auditing filter, i.e. CADF

.. code-block:: yaml

    neutron:
      server:
        audit:
          enabled: true
          ....
          filter_factory: 'keystonemiddleware.audit:filter_factory'
          map_file: '/etc/pycadf/neutron_api_audit_map.conf'
      ....
      compute:
        audit:
          enabled: true
          ....
          filter_factory: 'keystonemiddleware.audit:filter_factory'
          map_file: '/etc/pycadf/neutron_api_audit_map.conf'
      ....

Neutron with security groups disabled

.. code-block:: yaml

    neutron:
      server:
        security_groups_enabled: False
      ....
      compute:
        security_groups_enabled: False
      ....
      gateway:
        security_groups_enabled: False

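The TLS keys from *Configuring TLS communications* and the ``security_groups_enabled`` switch above can be checked mechanically before a pillar is applied. The following is an added example, not part of the formula: it walks an already-parsed pillar and reports roles without TLS on the message queue, database or Keystone connection, roles with port filtering off, sample secrets copied from this README, and client security-group rules open to any source. The sample pillar, function names and finding texts are constructed for illustration.

```python
import ipaddress

# Placeholder secrets that appear in this README's sample pillars.
SAMPLE_SECRETS = {"pwd", "pass", "password", "admin", "token"}
ROLES = ("server", "gateway", "compute")

# Constructed sample pillar (as parsed from YAML), reusing this page's keys.
SAMPLE_PILLAR = {"neutron": {
    "server": {
        "database": {"engine": "mysql", "host": "127.0.0.1", "password": "pwd"},
        "identity": {"engine": "keystone", "host": "127.0.0.1", "password": "pwd"},
        "message_queue": {"engine": "rabbitmq", "port": 5672, "password": "pwd"},
        "security_groups_enabled": False,
    },
    "compute": {
        "message_queue": {"engine": "rabbitmq", "port": 5671,
                          "ssl": {"enabled": True, "version": "TLSv1_2"}},
    },
    "client": {"server": {"identity": {"security_group": {"security_group1": {
        "rules": [
            {"direction": "ingress", "protocol": "TCP", "port_range_min": 1,
             "port_range_max": 65535, "remote_ip_prefix": "0.0.0.0/0"},
            {"direction": "ingress", "protocol": "TCP", "port_range_min": 22,
             "port_range_max": 22, "remote_ip_prefix": "10.0.0.0/8"},
        ]}}}}},
}}


def ssl_on(section):
    """True when the section carries `ssl: {enabled: True}`."""
    ssl = section.get("ssl") or {}
    return bool(ssl.get("enabled", False))


def find_sample_secrets(node, path):
    """Yield pillar paths of password/token keys holding a README sample value."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if isinstance(value, (dict, list)):
                yield from find_sample_secrets(value, child)
            elif (str(key) == "token" or str(key).endswith("password")) \
                    and str(value) in SAMPLE_SECRETS:
                yield child
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from find_sample_secrets(item, f"{path}[{i}]")


def open_ingress(rule):
    """True for an ingress rule that admits any source on every port.

    A missing remote_ip_prefix means "any source"; missing port bounds mean
    the whole protocol (this is also how a portless ICMP rule is written).
    """
    if rule.get("direction") != "ingress":
        return False
    prefix = rule.get("remote_ip_prefix")
    if prefix is not None and ipaddress.ip_network(prefix, strict=False).prefixlen != 0:
        return False
    lo = rule.get("port_range_min")
    if lo is None:
        return True
    hi = rule.get("port_range_max")
    hi = lo if hi is None else hi
    return lo <= 1 and hi >= 65535


def audit_pillar(pillar):
    """Return a sorted list of (pillar path, finding) tuples."""
    neutron = pillar.get("neutron", {})
    findings = []
    for role in ROLES:
        cfg = neutron.get(role)
        if not isinstance(cfg, dict):
            continue
        base = f"neutron.{role}"
        for section in ("message_queue", "database"):
            if section in cfg and not ssl_on(cfg[section]):
                findings.append((f"{base}.{section}", "ssl.enabled is not set"))
        if "identity" in cfg and cfg["identity"].get("protocol") != "https":
            findings.append((f"{base}.identity", "protocol is not https"))
        if cfg.get("security_groups_enabled", True) is False:
            findings.append((f"{base}.security_groups_enabled", "port filtering is off"))
    for path in find_sample_secrets(neutron, "neutron"):
        findings.append((path, "sample secret from the README"))
    identities = neutron.get("client", {}).get("server", {})
    for ident, body in identities.items():
        if not isinstance(body, dict):
            continue
        for name, group in body.get("security_group", {}).items():
            for i, rule in enumerate(group.get("rules", [])):
                if open_ingress(rule):
                    where = f"neutron.client.server.{ident}.security_group.{name}.rules[{i}]"
                    proto = rule.get("protocol", "any")
                    findings.append((where, f"{proto} ingress open to any source on all ports"))
    return sorted(findings)


if __name__ == "__main__":
    for path, finding in audit_pillar(SAMPLE_PILLAR):
        print(f"{path}: {finding}")
```
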
Neutron Client
--------------

Neutron networks

.. code-block:: yaml

    neutron:
      client:
        enabled: true
        server:
          identity:
            endpoint_type: internalURL
            network:
              inet1:
                tenant: demo
                shared: False
                admin_state_up: True
                router_external: True
                provider_physical_network: inet
                provider_network_type: flat
                provider_segmentation_id: 2
                subnet:
                  inet1-subnet1:
                    cidr: 192.168.90.0/24
                    enable_dhcp: False
              inet2:
                tenant: admin
                shared: False
                router_external: True
                provider_network_type: "vlan"
                subnet:
                  inet2-subnet1:
                    cidr: 192.168.92.0/24
                    enable_dhcp: False
                  inet2-subnet2:
                    cidr: 192.168.94.0/24
                    enable_dhcp: True
          identity1:
            network:
              ...

Neutron routers

.. code-block:: yaml

    neutron:
      client:
        enabled: true
        server:
          identity:
            endpoint_type: internalURL
            router:
              inet1-router:
                tenant: demo
                admin_state_up: True
                gateway_network: inet
                interfaces:
                  - inet1-subnet1
                  - inet1-subnet2
          identity1:
            router:
              ...

    TODO: implement adding new interfaces to a router while updating it

Neutron security groups

.. code-block:: yaml

    neutron:
      client:
        enabled: true
        server:
          identity:
            endpoint_type: internalURL
            security_group:
              security_group1:
                tenant: demo
                description: security group 1
                rules:
                  - direction: ingress
                    ethertype: IPv4
                    protocol: TCP
                    port_range_min: 1
                    port_range_max: 65535
                    remote_ip_prefix: 0.0.0.0/0
                  - direction: ingress
                    ethertype: IPv4
                    protocol: UDP
                    port_range_min: 1
                    port_range_max: 65535
                    remote_ip_prefix: 0.0.0.0/0
                  - direction: ingress
                    protocol: ICMP
                    remote_ip_prefix: 0.0.0.0/0
          identity1:
            security_group:
              ...

    TODO: implement updating existing security rules (now it adds new rule if trying to update existing one)

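As an added example (not part of the formula or of this README), the Python check below walks a pillar laid out like the samples above and reports two things: a role with security_groups_enabled set to False, and ingress rules that open a wide TCP/UDP port range to any source, as security_group1 does. The function name audit_pillar, the max_ports threshold and the embedded sample dict are assumptions made for illustration.

```python
import ipaddress

# Constructed sample: this page's pillar layout as the dict a YAML loader returns.
SAMPLE_PILLAR = {"neutron": {
    "server": {"security_groups_enabled": False},
    "compute": {"security_groups_enabled": True},
    "client": {"server": {"identity": {"security_group": {"security_group1": {
        "tenant": "demo",
        "rules": [
            {"direction": "ingress", "ethertype": "IPv4", "protocol": "TCP",
             "port_range_min": 1, "port_range_max": 65535,
             "remote_ip_prefix": "0.0.0.0/0"},
            {"direction": "ingress", "ethertype": "IPv4", "protocol": "TCP",
             "port_range_min": 22, "port_range_max": 22,
             "remote_ip_prefix": "192.168.90.0/24"},
            {"direction": "ingress", "protocol": "ICMP",
             "remote_ip_prefix": "0.0.0.0/0"},
        ]}}}}},
}}


def audit_pillar(pillar, max_ports=16):
    """Flag disabled security groups and any-source ingress over wide port ranges."""
    findings = []
    neutron = pillar.get("neutron", {})
    for role in ("server", "compute", "gateway"):
        if neutron.get(role, {}).get("security_groups_enabled") is False:
            findings.append(f"{role}: security groups disabled")
    identities = neutron.get("client", {}).get("server", {})
    for ident, conf in identities.items():
        for name, group in (conf.get("security_group") or {}).items():
            for idx, rule in enumerate(group.get("rules") or []):
                prefix = rule.get("remote_ip_prefix")
                if rule.get("direction") != "ingress" or not prefix:
                    continue  # only rules that state a source prefix are judged
                net = ipaddress.ip_network(prefix, strict=False)
                proto = str(rule.get("protocol") or "any").upper()
                lo, hi = rule.get("port_range_min"), rule.get("port_range_max")
                # A TCP/UDP rule without a port range covers every port.
                span = 65535 if lo is None or hi is None else hi - lo + 1
                if net.prefixlen == 0 and proto in ("TCP", "UDP", "ANY") and span > max_ports:
                    findings.append(
                        f"{ident}/{name} rule {idx}: {proto} {span} ports open to {net}")
    return findings


if __name__ == "__main__":
    print("\n".join(audit_pillar(SAMPLE_PILLAR)))
```

The ICMP rule and the single-port rule from a private prefix pass; only the role-level switch and the 1-65535 rule open to 0.0.0.0/0 are reported.
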
Floating IP addresses

.. code-block:: yaml

    neutron:
      client:
        enabled: true
        server:
          identity:
            endpoint_type: internalURL
            floating_ip:
              prx01-instance:
                server: prx01.mk22-lab-basic.local
                subnet: private-subnet1
                network: public-net1
                tenant: demo
              gtw01-instance:
                ...

.. note:: The network must have the router:external flag set to True.
          The instance port in the stated subnet will be associated with the dynamically generated floating IP.

Enable Neutron extensions (QoS, DNS, etc.)
------------------------------------------

.. code-block:: yaml

    neutron:
      server:
        backend:
          extension:
            dns:
              enabled: True
              host: 127.0.0.1
              port: 9001
              protocol: http
            ....
            qos:
              enabled: True

Different Neutron extensions for different agents
-------------------------------------------------

.. code-block:: yaml

    neutron:
      server:
        backend:
          extension: # common extensions for OVS and SRIOV agents
            dns:
              enabled: True
              ...
            qos:
              enabled: True
          ovs_extension: # OVS specific extensions
            bagpipe_bgpvpn:
              enabled: True
          sriov_extension: # SRIOV specific extensions
            dummy:
              enabled: True

Neutron with Designate
-----------------------------------------

.. code-block:: yaml

    neutron:
      server:
        backend:
          extension:
            dns:
              enabled: True
              host: 127.0.0.1
              port: 9001
              protocol: http

Enable RBAC for OpenContrail engine
-----------------------------------

.. code-block:: yaml

    neutron:
      server:
        backend:
          engine: contrail
          rbac:
            enabled: True

Enhanced logging with logging.conf
----------------------------------

By default logging.conf is disabled.

It is possible to enable a per-binary logging.conf with the following variables:

  * openstack_log_appender - set it to true to enable log_config_append for all OpenStack services;
  * openstack_fluentd_handler_enabled - set to true to enable FluentHandler for all OpenStack services;
  * openstack_ossyslog_handler_enabled - set to true to enable OSSysLogHandler for all OpenStack services.

Only WatchedFileHandler, OSSysLogHandler and FluentHandler are available.

It is also possible to configure this with pillar:

.. code-block:: yaml

    neutron:
      server:
        logging:
          log_appender: true
          log_handlers:
            watchedfile:
              enabled: true
            fluentd:
              enabled: true
            ossyslog:
              enabled: true
      ....
      compute:
        logging:
          log_appender: true
          log_handlers:
            watchedfile:
              enabled: true
            fluentd:
              enabled: true
            ossyslog:
              enabled: true
      ....
      gateway:
        logging:
          log_appender: true
          log_handlers:
            watchedfile:
              enabled: true
            fluentd:
              enabled: true
            ossyslog:
              enabled: true

Logging levels pillar example:

.. code-block:: yaml

    neutron:
      server:
        logging:
          log_appender: true
          loggers:
            root:
              level: 'DEBUG'
            neutron:
              level: 'DEBUG'
            amqplib:
              level: 'DEBUG'
            sqlalchemy:
              level: 'DEBUG'
            boto:
              level: 'DEBUG'
            suds:
              level: 'DEBUG'
            eventletwsgi:
              level: 'DEBUG'
      ......

Documentation and Bugs
======================

To learn how to install and update salt-formulas, consult the documentation
available online at:

    http://salt-formulas.readthedocs.io/

In the unfortunate event that bugs are discovered, they should be reported to
the appropriate issue tracker. Use the GitHub issue tracker for the specific
salt formula:

    https://github.com/salt-formulas/salt-formula-neutron/issues

For feature requests, bug reports or blueprints affecting the entire ecosystem,
use the Launchpad salt-formulas project:

    https://launchpad.net/salt-formulas

You can also join the salt-formulas-users team and subscribe to the mailing list:

    https://launchpad.net/~salt-formulas-users

Developers wishing to work on the salt-formulas projects should always base
their work on the master branch and submit pull requests against the specific
formula:

    https://github.com/salt-formulas/salt-formula-neutron

Questions and feedback are always welcome, so feel free to join our IRC
channel:

    #salt-formulas @ irc.freenode.net