=====
Usage
=====

Neutron is an OpenStack project to provide *networking as a service* between
interface devices (e.g., vNICs) managed by other OpenStack services (e.g.,
nova).

Starting with the Folsom release, Neutron is a core and supported part of the
OpenStack platform (for Essex, we were an *incubated* project, which means use
is suggested only for those who really know what they're doing with Neutron).

Sample Pillars
==============

Neutron Server on the controller node:

.. code-block:: yaml

    neutron:
      server:
        enabled: true
        version: mitaka
        allow_pagination: true
        pagination_max_limit: 100
        api_workers: 2
        rpc_workers: 2
        rpc_state_report_workers: 2
        root_helper_daemon: false
        dhcp_lease_duration: 600
        firewall_driver: iptables_hybrid
        bind:
          address: 172.20.0.1
          port: 9696
        database:
          engine: mysql
          host: 127.0.0.1
          port: 3306
          name: neutron
          user: neutron
          password: pwd
        identity:
          engine: keystone
          host: 127.0.0.1
          port: 35357
          user: neutron
          password: pwd
          tenant: service
          endpoint_type: internal
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        metadata:
          host: 127.0.0.1
          port: 8775
          password: pass
          workers: 2
        audit:
          enabled: false

.. note:: Pagination is useful when retrieving a large number of resources,
   because a single request may fail (timeout). It is enabled with both
   parameters *allow_pagination* and *pagination_max_limit* as shown above.

Configuration of policy.json file:

.. code-block:: yaml

    neutron:
      server:
        ....
        policy:
          create_subnet: 'rule:admin_or_network_owner'
          'get_network:queue_id': 'rule:admin_only'
          # Add key without value to remove line from policy.json
          'create_network:shared':

Neutron LBaaSv2 enablement
--------------------------

.. code-block:: yaml

    neutron:
      server:
        lbaas:
          enabled: true
          providers:
            octavia:
              engine: octavia
              driver_path: 'neutron_lbaas.drivers.octavia.driver.OctaviaDriver'
              base_url: 'http://127.0.0.1:9876'
            avi_adc:
              engine: avinetworks
              driver_path: 'avi_lbaasv2.avi_driver.AviDriver'
              controller_address: 10.182.129.239
              controller_user: admin
              controller_password: Cloudlab2016
              controller_cloud_name: Default-Cloud
            avi_adc2:
              engine: avinetworks
              ...

.. note:: If the Contrail backend is set, the OpenContrail load balancer
   is enabled automatically. In this case, lbaas should be disabled
   in the pillar:

   .. code-block:: yaml

       neutron:
         server:
           lbaas:
             enabled: false

Neutron FWaaSv1 enablement
--------------------------

.. code-block:: yaml

    neutron:
      fwaas:
        enabled: true
        version: ocata
        api_version: v1

Enable CORS parameters
----------------------

.. code-block:: yaml

    neutron:
      server:
        cors:
          allowed_origin: https://localhost.local,http://localhost.local
          expose_headers: X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token
          allow_methods: GET,PUT,POST,DELETE,PATCH
          allow_headers: X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token
          allow_credentials: True
          max_age: 86400

Neutron VXLAN tenant networks with Network nodes
------------------------------------------------

With DVR for East-West and Network node for North-South.

This use case describes a model utilising VxLAN overlay with DVR. The DVR
routers will only be utilized for traffic that is routed within the cloud
infrastructure and that remains encapsulated. External traffic will be
routed via the network nodes.

The intention is that each tenant will require at least two (2) vrouters
one to be utilised

Neutron Server:

.. code-block:: yaml

    neutron:
      server:
        version: mitaka
        path_mtu: 1500
        bind:
          address: 172.20.0.1
          port: 9696
        database:
          engine: mysql
          host: 127.0.0.1
          port: 3306
          name: neutron
          user: neutron
          password: pwd
        identity:
          engine: keystone
          host: 127.0.0.1
          port: 35357
          user: neutron
          password: pwd
          tenant: service
          endpoint_type: internal
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        global_physnet_mtu: 9000
        l3_ha: False # Which type of router will be created by default
        dvr: True # disabled for non DVR use case
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          external_mtu: 9000
          mechanism:
            ovs:
              driver: openvswitch

Network Node:

.. code-block:: yaml

    neutron:
      gateway:
        enabled: True
        version: mitaka
        dhcp_lease_duration: 600
        firewall_driver: iptables_hybrid
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        local_ip: 192.168.20.20 # br-mesh ip address
        dvr: True # disabled for non DVR use case
        agent_mode: dvr_snat
        metadata:
          host: 127.0.0.1
          password: pass
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          mechanism:
            ovs:
              driver: openvswitch
        agents:
          dhcp:
            ovs_use_veth: False

Compute Node:

.. code-block:: yaml

    neutron:
      compute:
        enabled: True
        version: mitaka
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        local_ip: 192.168.20.20 # br-mesh ip address
        dvr: True # disabled for non DVR use case
        agent_mode: dvr
        external_access: false # Compute node with DVR for east-west only, Network Node has True as default
        metadata:
          host: 127.0.0.1
          password: pass
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          mechanism:
            ovs:
              driver: openvswitch
        audit:
          enabled: false

Disable physnet1 bridge
-----------------------

By default, external access is turned on, so in addition to any physnets in
your reclass there is one more: physnet1, which is mapped to
br-floating.

If you need internal networks only, without this bridge, remove br-floating
and its configuration mappings. Disable mappings for this bridge on
neutron-servers:

.. code-block:: yaml

    neutron:
      server:
        external_access: false

gateways:

.. code-block:: yaml

    neutron:
      gateway:
        external_access: false

compute nodes:

.. code-block:: yaml

    neutron:
      compute:
        external_access: false

Add additional bridge mappings for OVS bridges
----------------------------------------------

By default, external access is turned on, so in addition to any physnets in
your reclass there is one more: physnet1, which is mapped to
br-floating.

If you need to add extra non-default bridge mappings, they can be defined
separately for both gateways and compute nodes:

gateways:

.. code-block:: yaml

    neutron:
      gateway:
        bridge_mappings:
          physnet4: br-floating-internet

compute nodes:

.. code-block:: yaml

    neutron:
      compute:
        bridge_mappings:
          physnet4: br-floating-internet

Specify different mtu values for different physnets
---------------------------------------------------

Neutron Server:

.. code-block:: yaml

    neutron:
      server:
        version: mitaka
        backend:
          external_mtu: 1500
          tenant_net_mtu: 9000
          ironic_net_mtu: 9000

Neutron VXLAN tenant networks with Network Nodes (non DVR)
----------------------------------------------------------

This section describes a network solution that utilises VxLAN overlay
networks without DVR with all routers being managed on the network nodes.

Neutron Server:

.. code-block:: yaml

    neutron:
      server:
        version: mitaka
        bind:
          address: 172.20.0.1
          port: 9696
        database:
          engine: mysql
          host: 127.0.0.1
          port: 3306
          name: neutron
          user: neutron
          password: pwd
        identity:
          engine: keystone
          host: 127.0.0.1
          port: 35357
          user: neutron
          password: pwd
          tenant: service
          endpoint_type: internal
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        global_physnet_mtu: 9000
        l3_ha: True
        dvr: False
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          external_mtu: 9000
          mechanism:
            ovs:
              driver: openvswitch

Network Node:

.. code-block:: yaml

    neutron:
      gateway:
        enabled: True
        version: mitaka
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        local_ip: 192.168.20.20 # br-mesh ip address
        dvr: False
        agent_mode: legacy
        availability_zone: az1
        metadata:
          host: 127.0.0.1
          password: pass
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          mechanism:
            ovs:
              driver: openvswitch

Compute Node:

.. code-block:: yaml

    neutron:
      compute:
        enabled: True
        version: mitaka
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        local_ip: 192.168.20.20 # br-mesh ip address
        external_access: False
        dvr: False
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          mechanism:
            ovs:
              driver: openvswitch

Neutron VXLAN tenant networks with Network Nodes with DVR
---------------------------------------------------------

With DVR for East-West and North-South, DVR everywhere, Network
node for SNAT.

This section describes a network solution that utilises VxLAN
overlay networks with DVR with North-South and East-West. Network
Node is used only for SNAT.

Neutron Server:

.. code-block:: yaml

    neutron:
      server:
        version: mitaka
        bind:
          address: 172.20.0.1
          port: 9696
        database:
          engine: mysql
          host: 127.0.0.1
          port: 3306
          name: neutron
          user: neutron
          password: pwd
        identity:
          engine: keystone
          host: 127.0.0.1
          port: 35357
          user: neutron
          password: pwd
          tenant: service
          endpoint_type: internal
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        global_physnet_mtu: 9000
        l3_ha: False
        dvr: True
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          external_mtu: 9000
          mechanism:
            ovs:
              driver: openvswitch

Network Node:

.. code-block:: yaml

    neutron:
      gateway:
        enabled: True
        version: mitaka
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        local_ip: 192.168.20.20 # br-mesh ip address
        dvr: True
        agent_mode: dvr_snat
        availability_zone: az1
        metadata:
          host: 127.0.0.1
          password: pass
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          mechanism:
            ovs:
              driver: openvswitch

Compute Node:

.. code-block:: yaml

    neutron:
      compute:
        enabled: True
        version: mitaka
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        local_ip: 192.168.20.20 # br-mesh ip address
        dvr: True
        external_access: True
        agent_mode: dvr
        availability_zone: az1
        metadata:
          host: 127.0.0.1
          password: pass
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          mechanism:
            ovs:
              driver: openvswitch

Sample Linux network configuration for DVR:

.. code-block:: yaml

    linux:
      network:
        bridge: openvswitch
        interface:
          eth1:
            enabled: true
            type: eth
            mtu: 9000
            proto: manual
          eth2:
            enabled: true
            type: eth
            mtu: 9000
            proto: manual
          eth3:
            enabled: true
            type: eth
            mtu: 9000
            proto: manual
          br-int:
            enabled: true
            mtu: 9000
            type: ovs_bridge
          br-floating:
            enabled: true
            mtu: 9000
            type: ovs_bridge
          float-to-ex:
            enabled: true
            type: ovs_port
            mtu: 65000
            bridge: br-floating
          br-mgmt:
            enabled: true
            type: bridge
            mtu: 9000
            address: ${_param:single_address}
            netmask: 255.255.255.0
            use_interfaces:
            - eth1
          br-mesh:
            enabled: true
            type: bridge
            mtu: 9000
            address: ${_param:tenant_address}
            netmask: 255.255.255.0
            use_interfaces:
            - eth2
          br-ex:
            enabled: true
            type: bridge
            mtu: 9000
            address: ${_param:external_address}
            netmask: 255.255.255.0
            use_interfaces:
            - eth3
            use_ovs_ports:
            - float-to-ex

Additional VXLAN tenant network settings
----------------------------------------

The default multicast group of ``224.0.0.1`` only multicasts
to a single subnet. It can be overridden to support larger underlay
network topologies.

Neutron Server:

.. code-block:: yaml

    neutron:
      server:
        vxlan:
          group: 239.0.0.0/8
          vni_ranges: "2:65535"

Neutron VLAN tenant networks with Network Nodes
-----------------------------------------------

VLAN tenant provider

Neutron Server only:

.. code-block:: yaml

    neutron:
      server:
        version: mitaka
        ...
        global_physnet_mtu: 9000
        l3_ha: False
        dvr: True
        backend:
          engine: ml2
          tenant_network_types: "flat,vlan" # Can be mixed flat,vlan,vxlan
          tenant_vlan_range: "1000:2000"
          external_vlan_range: "100:200" # Does not have to be defined.
          external_mtu: 9000
          mechanism:
            ovs:
              driver: openvswitch

Compute node:

.. code-block:: yaml

    neutron:
      compute:
        version: mitaka
        ...
        dvr: True
        agent_mode: dvr
        external_access: False
        backend:
          engine: ml2
          tenant_network_types: "flat,vlan" # Can be mixed flat,vlan,vxlan
          mechanism:
            ovs:
              driver: openvswitch

Neutron with explicit physical networks
---------------------------------------

Neutron Server only:

.. code-block:: yaml

    neutron:
      server:
        version: ocata
        ...
        backend:
          engine: ml2
          tenant_network_types: "flat,vlan" # Can be mixed flat,vlan,vxlan
          ...
          # also need to configure corresponding bridge_mappings on
          # compute and gateway nodes
          flat_networks_default: '*' # '*' to allow arbitrary names or '' to disable
          physnets: # only listed physnets will be configured (overrides physnet1/2/3)
            external:
              mtu: 1500
              types:
                - flat # possible values - 'flat' or 'vlan'
            sriov_net:
              mtu: 9000 # Optional, defaults to 1500
              vlan_range: '100:200' # Optional
              types:
                - vlan
            ext_net2:
              mtu: 1500
              types:
                - flat
                - vlan
          mechanism:
            ovs:
              driver: openvswitch

Advanced Neutron Features (DPDK, SR-IOV)
----------------------------------------

Neutron OVS DPDK

Enable datapath netdev for neutron openvswitch agent:

.. code-block:: yaml

    neutron:
      server:
        version: mitaka
        ...
        dpdk: True
        ...

    neutron:
      compute:
        version: mitaka
        dpdk: True
        vhost_mode: client # options: client|server (default)
        vhost_socket_dir: /var/run/openvswitch
        backend:
          engine: ml2
          ...
          mechanism:
            ovs:
              driver: openvswitch

Neutron OVS SR-IOV:

.. code-block:: yaml

    neutron:
      server:
        version: mitaka
        backend:
          engine: ml2
          ...
          mechanism:
            ovs:
              driver: openvswitch
            sriov:
              driver: sriovnicswitch
              # Driver w/ highest number will be placed ahead in the list (default is 0).
              # It's recommended for SR-IOV driver to set an order >0 to get it
              # before (for example) the opendaylight one.
              order: 9

    neutron:
      compute:
        version: mitaka
        ...
        backend:
          engine: ml2
          tenant_network_types: "flat,vlan" # Can be mixed flat,vlan,vxlan
          sriov:
            nic_one:
              devname: eth1
              physical_network: physnet3
          mechanism:
            ovs:
              driver: openvswitch

Neutron with VLAN-aware-VMs
---------------------------

.. code-block:: yaml

    neutron:
      server:
        vlan_aware_vms: true
      ....
      compute:
        vlan_aware_vms: true
      ....
      gateway:
        vlan_aware_vms: true

Neutron with BGP VPN (BaGPipe driver)
-------------------------------------

.. code-block:: yaml

    neutron:
      server:
        version: pike
        bgp_vpn:
          enabled: true
          driver: bagpipe # Options: bagpipe/opencontrail/opendaylight[_v2]
      ....
      compute:
        version: pike
        bgp_vpn:
          enabled: true
          driver: bagpipe # Options: bagpipe/opencontrail/opendaylight[_v2]
          bagpipe:
            local_address: 192.168.20.20 # IP address for mpls/gre tunnels
            peers: 192.168.20.30 # IP addresses of BGP peers
            autonomous_system: 64512 # Autonomous System number
            enable_rtc: True # Enable RT Constraint (RFC4684)
        backend:
          ovs_extension: # for OVS agent only, not supported in SRIOV agent
            bagpipe_bgpvpn:
              enabled: True

Neutron with DHCP agent on compute node
---------------------------------------

.. code-block:: yaml

    neutron:
      ....
      compute:
        dhcp_agent_enabled: true
      ....

Neutron with OVN
----------------

Control node:

.. code-block:: yaml

    neutron:
      server:
        backend:
          engine: ovn
          mechanism:
            ovn:
              driver: ovn
          tenant_network_types: "geneve,flat"
          ovn:
            ovn_l3_scheduler: leastloaded # valid options: chance, leastloaded
            neutron_sync_mode: repair # valid options: log, off, repair
        ovn_ctl_opts:
          db-nb-create-insecure-remote: 'yes'
          db-sb-create-insecure-remote: 'yes'

Compute node:

.. code-block:: yaml

    neutron:
      compute:
        local_ip: 10.2.0.105
        controller_vip: 10.1.0.101
        external_access: false
        backend:
          engine: ovn

Neutron L2 Gateway
------------------

Control node:

.. code-block:: yaml

    neutron:
      server:
        version: pike
        l2gw:
          enabled: true
          periodic_monitoring_interval: 5
          quota_l2_gateway: 20
          # service_provider=<service_type>:<name>:<driver>[:default]
          service_provider: L2GW:OpenDaylight:networking_odl.l2gateway.driver.OpenDaylightL2gwDriver:default
        backend:
          engine: ml2

Network/Gateway node:

.. code-block:: yaml

    neutron:
      gateway:
        version: pike
        l2gw:
          enabled: true
          debug: true
          socket_timeout: 20
          ovsdb_hosts:
            # <ovsdb_name>: <ip address>:<port>
            # - ovsdb_name: a user defined symbolic identifier of physical switch
            # - ip address: the address or dns name for the OVSDB server (i.e. pointer to the switch)
            ovsdb1: 10.164.5.33:6632
            ovsdb2: 10.164.4.33:6632

OpenDaylight integration
------------------------

Control node:

.. code-block:: yaml

    neutron:
      server:
        backend:
          opendaylight: true
          router: odl-router_v2
          host: 10.20.0.77
          rest_api_port: 8282
          user: admin
          password: admin
          ovsdb_connection: tcp:127.0.0.1:6639
          ovsdb_interface: native
          enable_websocket: true
          enable_dhcp_service: false
          mechanism:
            ovs:
              driver: opendaylight_v2
              order: 1

Network/Gateway node:

.. code-block:: yaml

    neutron:
      gateway:
        backend:
          router: odl-router_v2
          ovsdb_connection: tcp:127.0.0.1:6639
          ovsdb_interface: native
        opendaylight:
          ovsdb_server_iface: ptcp:6639:127.0.0.1
          ovsdb_odl_iface: tcp:10.20.0.77:6640
          tunnel_ip: 10.1.0.110
          provider_mappings: physnet1:br-floating

Compute node:

.. code-block:: yaml

    neutron:
      compute:
        opendaylight:
          ovsdb_server_iface: ptcp:6639:127.0.0.1
          ovsdb_odl_iface: tcp:10.20.0.77:6640
          tunnel_ip: 10.1.0.105
          provider_mappings: physnet1:br-floating

Neutron Server
--------------

Neutron Server with OpenContrail:

.. code-block:: yaml

    neutron:
      server:
        backend:
          engine: contrail
          host: contrail_discovery_host
          port: 8082
          user: admin
          password: password
          tenant: admin
          token: token

Neutron Server with Midonet:

.. code-block:: yaml

    neutron:
      server:
        backend:
          engine: midonet
          host: midonet_api_host
          port: 8181
          user: admin
          password: password

Neutron Server with NSX:

.. code-block:: yaml

    neutron:
      server:
        backend:
          engine: vmware
        core_plugin: vmware_nsxv3
        vmware:
          nsx:
            extension_drivers:
              - vmware_nsxv3_dns
            v3:
              api_password: nsx_password
              api_user: nsx_username
              api_managers:
                01:
                  scheme: https
                  host: 192.168.10.120
                  port: '443'
              insecure: true

Neutron Keystone region:

.. code-block:: yaml

    neutron:
      server:
        enabled: true
        version: kilo
        ...
        identity:
          region: RegionTwo
        ...
        compute:
          region: RegionTwo
        ...

Client-side RabbitMQ HA setup:

.. code-block:: yaml

    neutron:
      server:
        ....
        message_queue:
          engine: rabbitmq
          members:
            - host: 10.0.16.1
            - host: 10.0.16.2
            - host: 10.0.16.3
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        ....

Configuring TLS communications
------------------------------

.. note:: By default, system-wide installed CA certs are used,
          so the ``cacert_file`` param is optional, as well as ``cacert``.

- **RabbitMQ TLS**

  .. code-block:: yaml

      neutron:
        server:  # the same keys apply under gateway and compute
          message_queue:
            port: 5671
            ssl:
              enabled: True
              cacert: (certificate content)  # optional, used if cacert_file does not exist
              cacert_file: /etc/openstack/rabbitmq-ca.pem  # optional
              version: TLSv1_2  # optional

- **MySQL TLS**

  .. code-block:: yaml

      neutron:
        server:
          database:
            ssl:
              enabled: True
              cacert: (certificate content)  # optional, used if cacert_file does not exist
              cacert_file: /etc/openstack/mysql-ca.pem  # optional

- **OpenStack HTTPS API**

  .. code-block:: yaml

      neutron:
        server:
          identity:
            protocol: https
            cacert_file: /etc/openstack/proxy.pem  # optional

Enable the auditing filter, i.e. CADF:

.. code-block:: yaml

    neutron:
      server:
        audit:
          enabled: true
          ....
          filter_factory: 'keystonemiddleware.audit:filter_factory'
          map_file: '/etc/pycadf/neutron_api_audit_map.conf'
      ....
      compute:
        audit:
          enabled: true
          ....
          filter_factory: 'keystonemiddleware.audit:filter_factory'
          map_file: '/etc/pycadf/neutron_api_audit_map.conf'
      ....

Neutron with security groups disabled:

.. code-block:: yaml

    neutron:
      server:
        security_groups_enabled: False
      ....
      compute:
        security_groups_enabled: False
      ....
      gateway:
        security_groups_enabled: False


Neutron Client
--------------

Neutron networks:

.. code-block:: yaml

    neutron:
      client:
        enabled: true
        server:
          identity:
            endpoint_type: internalURL
            network:
              inet1:
                tenant: demo
                shared: False
                admin_state_up: True
                router_external: True
                provider_physical_network: inet
                provider_network_type: flat
                provider_segmentation_id: 2
                subnet:
                  inet1-subnet1:
                    cidr: 192.168.90.0/24
                    enable_dhcp: False
              inet2:
                tenant: admin
                shared: False
                router_external: True
                provider_network_type: "vlan"
                subnet:
                  inet2-subnet1:
                    cidr: 192.168.92.0/24
                    enable_dhcp: False
                  inet2-subnet2:
                    cidr: 192.168.94.0/24
                    enable_dhcp: True
          identity1:
            network:
              ...

Neutron routers:

.. code-block:: yaml

    neutron:
      client:
        enabled: true
        server:
          identity:
            endpoint_type: internalURL
            router:
              inet1-router:
                tenant: demo
                admin_state_up: True
                gateway_network: inet
                interfaces:
                  - inet1-subnet1
                  - inet1-subnet2
          identity1:
            router:
              ...

.. TODO implement adding new interfaces to a router while updating it

Neutron security groups:

.. code-block:: yaml

    neutron:
      client:
        enabled: true
        server:
          identity:
            endpoint_type: internalURL
            security_group:
              security_group1:
                tenant: demo
                description: security group 1
                rules:
                  - direction: ingress
                    ethertype: IPv4
                    protocol: TCP
                    port_range_min: 1
                    port_range_max: 65535
                    remote_ip_prefix: 0.0.0.0/0
                  - direction: ingress
                    ethertype: IPv4
                    protocol: UDP
                    port_range_min: 1
                    port_range_max: 65535
                    remote_ip_prefix: 0.0.0.0/0
                  - direction: ingress
                    protocol: ICMP
                    remote_ip_prefix: 0.0.0.0/0
          identity1:
            security_group:
              ...

.. TODO: implement updating existing security rules (now it adds new rule if
   trying to update existing one)

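As an added example (not part of the formula), the Python check below walks ``neutron:client`` pillar data and reports TCP/UDP ingress rules that are open to any source over a wide port range, which is what ``security_group1`` above defines. The pillar is embedded as a constructed dict, the ``web`` group is hypothetical, and ``MAX_PORT_SPAN`` is an assumed threshold.

```python
import ipaddress

# Constructed pillar data as a dict: security_group1 repeats the rules from the
# sample above, "web" is a hypothetical narrower group for contrast.
ANY4 = "0.0.0.0/0"
PILLAR = {"neutron": {"client": {"enabled": True, "server": {"identity": {
    "endpoint_type": "internalURL",
    "security_group": {
        "security_group1": {"tenant": "demo", "rules": [
            {"direction": "ingress", "ethertype": "IPv4", "protocol": "TCP",
             "port_range_min": 1, "port_range_max": 65535, "remote_ip_prefix": ANY4},
            {"direction": "ingress", "ethertype": "IPv4", "protocol": "UDP",
             "port_range_min": 1, "port_range_max": 65535, "remote_ip_prefix": ANY4},
            {"direction": "ingress", "protocol": "ICMP", "remote_ip_prefix": ANY4},
        ]},
        "web": {"tenant": "demo", "rules": [
            {"direction": "ingress", "ethertype": "IPv4", "protocol": "TCP",
             "port_range_min": 443, "port_range_max": 443, "remote_ip_prefix": ANY4},
            {"direction": "ingress", "protocol": "TCP", "port_range_min": 22,
             "port_range_max": 22, "remote_ip_prefix": "10.0.16.0/24"},
        ]},
    }}}}}}

MAX_PORT_SPAN = 1024  # assumed review threshold; set it from local policy


def from_anywhere(rule):
    """True when the rule's source is unrestricted (a /0 prefix, or none at all)."""
    prefix = rule.get("remote_ip_prefix")
    if prefix is None:
        return not rule.get("remote_group_id")
    return ipaddress.ip_network(prefix, strict=False).prefixlen == 0


def port_span(rule):
    """Number of ports the rule covers; unset bounds mean the whole range."""
    low = rule.get("port_range_min") or 1
    high = rule.get("port_range_max") or 65535
    return high - low + 1


def audit_security_groups(pillar):
    """Return (profile, group, rule_index, span) for wide world-open ingress rules."""
    findings = []
    profiles = pillar.get("neutron", {}).get("client", {}).get("server", {})
    for profile, conf in profiles.items():
        for name, group in (conf.get("security_group") or {}).items():
            for index, rule in enumerate(group.get("rules") or []):
                proto = str(rule.get("protocol", "")).lower()
                if rule.get("direction") != "ingress" or proto not in ("tcp", "udp"):
                    continue
                if from_anywhere(rule) and port_span(rule) >= MAX_PORT_SPAN:
                    findings.append((profile, name, index, port_span(rule)))
    return findings


if __name__ == "__main__":
    for finding in audit_security_groups(PILLAR):
        print("open to any source: %s/%s rule %d covers %d ports" % finding)
```
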
Floating IP addresses:

.. code-block:: yaml

    neutron:
      client:
        enabled: true
        server:
          identity:
            endpoint_type: internalURL
            floating_ip:
              prx01-instance:
                server: prx01.mk22-lab-basic.local
                subnet: private-subnet1
                network: public-net1
                tenant: demo
              gtw01-instance:
                ...

.. note:: The network must have flag router:external set to True.
          Instance port in the stated subnet will be associated
          with the dynamically generated floating IP.

Enable Neutron extensions (QoS, DNS, etc.)
------------------------------------------

.. code-block:: yaml

    neutron:
      server:
        backend:
          extension:
            dns:
              enabled: True
              host: 127.0.0.1
              port: 9001
              protocol: http
            ....
            qos:
              enabled: True

Different Neutron extensions for different agents
-------------------------------------------------

.. code-block:: yaml

    neutron:
      server:
        backend:
          extension: # common extensions for OVS and SRIOV agents
            dns:
              enabled: True
              ...
            qos:
              enabled: True
          ovs_extension: # OVS specific extensions
            bagpipe_bgpvpn:
              enabled: True
          sriov_extension: # SRIOV specific extensions
            dummy:
              enabled: True

Neutron with Designate
----------------------

.. code-block:: yaml

    neutron:
      server:
        backend:
          extension:
            dns:
              enabled: True
              host: 127.0.0.1
              port: 9001
              protocol: http

Enable RBAC for OpenContrail engine
-----------------------------------

.. code-block:: yaml

    neutron:
      server:
        backend:
          engine: contrail
          rbac:
            enabled: True

Enhanced logging with logging.conf
----------------------------------

By default ``logging.conf`` is disabled.

It is possible to enable a per-binary ``logging.conf`` with the following
variables:

* ``openstack_log_appender``
   Set to true to enable ``log_config_append`` for all OpenStack services

* ``openstack_fluentd_handler_enabled``
   Set to true to enable FluentHandler for all OpenStack services

* ``openstack_ossyslog_handler_enabled``
   Set to true to enable OSSysLogHandler for all OpenStack services.

Only ``WatchedFileHandler``, ``OSSysLogHandler``, and ``FluentHandler``
are available.

It is also possible to configure this with pillar:

.. code-block:: yaml

    neutron:
      server:
        logging:
          log_appender: true
          log_handlers:
            watchedfile:
              enabled: true
            fluentd:
              enabled: true
            ossyslog:
              enabled: true
      ....
      compute:
        logging:
          log_appender: true
          log_handlers:
            watchedfile:
              enabled: true
            fluentd:
              enabled: true
            ossyslog:
              enabled: true
      ....
      gateway:
        logging:
          log_appender: true
          log_handlers:
            watchedfile:
              enabled: true
            fluentd:
              enabled: true
            ossyslog:
              enabled: true

Logging levels pillar example:

.. code-block:: yaml

    neutron:
      server:
        logging:
          log_appender: true
          loggers:
            root:
              level: 'DEBUG'
            neutron:
              level: 'DEBUG'
            amqplib:
              level: 'DEBUG'
            sqlalchemy:
              level: 'DEBUG'
            boto:
              level: 'DEBUG'
            suds:
              level: 'DEBUG'
            eventletwsgi:
              level: 'DEBUG'
      ......

Upgrades
========

Each OpenStack formula provides a set of phases (logical blocks) that help to
build flexible upgrade orchestration logic for particular components. The
phases and their descriptions are listed in the table below:

+-------------------------------+------------------------------------------------------+
| State                         | Description                                          |
+===============================+======================================================+
| <app>.upgrade.service_running | Ensure that all services for particular application  |
|                               | are enabled for autostart and running                |
+-------------------------------+------------------------------------------------------+
| <app>.upgrade.service_stopped | Ensure that all services for particular application  |
|                               | are disabled for autostart and dead                  |
+-------------------------------+------------------------------------------------------+
| <app>.upgrade.pkg_latest      | Ensure that packages used by particular application  |
|                               | are installed to latest available version.           |
|                               | This will not upgrade data plane packages like qemu  |
|                               | and openvswitch as usually minimal required version  |
|                               | in OpenStack services is really old. The data plane  |
|                               | packages should be upgraded separately by `apt-get   |
|                               | upgrade` or `apt-get dist-upgrade`                   |
|                               | Applying this state will not autostart service.      |
+-------------------------------+------------------------------------------------------+
| <app>.upgrade.render_config   | Ensure configuration is rendered actual version.     |
+-------------------------------+------------------------------------------------------+
| <app>.upgrade.pre             | We assume this state is applied on all nodes in the  |
|                               | cloud before running upgrade.                        |
|                               | Only non destructive actions will be applied during  |
|                               | this phase. Perform service built in service check   |
|                               | like (keystone-manage doctor and nova-status upgrade)|
+-------------------------------+------------------------------------------------------+
| <app>.upgrade.upgrade.pre     | Mostly applicable for data plane nodes. During this  |
|                               | phase resources will be gracefully removed from      |
|                               | current node if it is allowed. Services for upgraded |
|                               | application will be set to admin disabled state to   |
|                               | make sure node will not participate in resources     |
|                               | scheduling. For example on gtw nodes this will set   |
|                               | all agents to admin disable state and will move all  |
|                               | routers to other agents.                             |
+-------------------------------+------------------------------------------------------+
| <app>.upgrade.upgrade         | This state will basically upgrade application on     |
|                               | particular target. Stop services, render             |
|                               | configuration, install new packages, run offline     |
|                               | dbsync (for ctl), start services. Data plane should  |
|                               | not be affected, only OpenStack python services.     |
+-------------------------------+------------------------------------------------------+
| <app>.upgrade.upgrade.post    | Add services back to scheduling.                     |
+-------------------------------+------------------------------------------------------+
| <app>.upgrade.post            | This phase should be launched only when upgrade of   |
|                               | the cloud is completed.                              |
+-------------------------------+------------------------------------------------------+
| <app>.upgrade.verify          | Here we will do basic health checks (API CRUD        |
|                               | operations, verify do not have dead network          |
|                               | agents/compute services)                             |
+-------------------------------+------------------------------------------------------+


Enable x509 and SSL communication between Neutron and Galera cluster
--------------------------------------------------------------------

By default, communication between Neutron and Galera is not secured.

.. code-block:: yaml

    neutron:
      server:
        database:
          x509:
            enabled: True

You can set custom certificates in the pillar:

.. code-block:: yaml

    neutron:
      server:
        database:
          x509:
            cacert: (certificate content)
            cert: (certificate content)
            key: (certificate content)

You can read more about it here:
https://docs.openstack.org/security-guide/databases/database-access-control.html

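The TLS settings from *Configuring TLS communications* and the x509 option above can be checked before a pillar is applied. The following Python audit is an added example, not code from the formula; the sample pillar is constructed, and treating an unset ``ssl``, ``x509`` or ``protocol`` key as unprotected, as well as the list of weak versions, are assumptions.

```python
ROLES = ("server", "gateway", "compute")
WEAK_VERSIONS = {"SSLv3", "SSLv23", "TLSv1", "TLSv1_1"}  # assumed policy list

# Constructed pillar (as a dict) mixing protected and unprotected links.
PILLAR = {"neutron": {
    "server": {
        "message_queue": {"engine": "rabbitmq", "user": "openstack"},
        "database": {"engine": "mysql", "host": "127.0.0.1",
                     "x509": {"enabled": True}},
        "identity": {"engine": "keystone", "host": "127.0.0.1", "port": 35357},
    },
    "gateway": {"message_queue": {"port": 5671, "ssl": {
        "enabled": True, "cacert_file": "/etc/openstack/rabbitmq-ca.pem",
        "version": "TLSv1_2"}}},
    "compute": {"message_queue": {"port": 5671, "ssl": {
        "enabled": True, "version": "TLSv1"}}},
}}


def dig(data, path):
    """Follow a dotted path through nested dicts; None when any key is absent."""
    for key in path.split("."):
        if not isinstance(data, dict) or key not in data:
            return None
        data = data[key]
    return data


def audit_transport(pillar):
    """Return (pillar_path, problem) pairs for links that are not protected by TLS."""
    neutron = pillar.get("neutron", {})
    findings = []
    for role in ROLES:
        queue = dig(neutron, role + ".message_queue")
        if queue is None:
            continue
        path = "neutron.%s.message_queue" % role
        if dig(queue, "ssl.enabled") is not True:
            findings.append((path, "ssl not enabled"))
        elif dig(queue, "ssl.version") in WEAK_VERSIONS:
            findings.append((path, "weak ssl version " + queue["ssl"]["version"]))
    database = dig(neutron, "server.database")
    if database is not None and not any(
            dig(database, key + ".enabled") is True for key in ("ssl", "x509")):
        findings.append(("neutron.server.database", "neither ssl nor x509 enabled"))
    identity = dig(neutron, "server.identity")
    if identity is not None and identity.get("protocol") != "https":
        findings.append(("neutron.server.identity", "protocol is not https"))
    return findings


if __name__ == "__main__":
    for path, problem in audit_transport(PILLAR):
        print("%s: %s" % (path, problem))
```
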
Documentation and Bugs
======================

* http://salt-formulas.readthedocs.io/
   Learn how to install and update salt-formulas

* https://github.com/salt-formulas/salt-formula-neutron/issues
   In the unfortunate event that bugs are discovered, report the issue to the
   appropriate issue tracker. Use the Github issue tracker for a specific salt
   formula

* https://launchpad.net/salt-formulas
   For feature requests, bug reports, or blueprints affecting the entire
   ecosystem, use the Launchpad salt-formulas project

* https://launchpad.net/~salt-formulas-users
   Join the salt-formulas-users team and subscribe to mailing list if required

* https://github.com/salt-formulas/salt-formula-neutron
   Develop the salt-formulas projects in the master branch and then submit pull
   requests against a specific formula

* #salt-formulas @ irc.freenode.net
   Use this IRC channel in case of any questions or feedback which is always
   welcome
