===============
Neutron Formula
===============

Neutron is an OpenStack project to provide "networking as a service" between
interface devices (e.g., vNICs) managed by other OpenStack services (e.g.,
nova).

Starting in the Folsom release, Neutron is a core and supported part of the
OpenStack platform (for Essex, we were an "incubated" project, which means use
is suggested only for those who really know what they're doing with Neutron).

Sample Pillars
==============

Neutron Server on the controller node

.. code-block:: yaml

    neutron:
      server:
        enabled: true
        version: mitaka
        allow_pagination: true
        pagination_max_limit: 100
        api_workers: 2
        rpc_workers: 2
        rpc_state_report_workers: 2
        bind:
          address: 172.20.0.1
          port: 9696
        database:
          engine: mysql
          host: 127.0.0.1
          port: 3306
          name: neutron
          user: neutron
          password: pwd
        identity:
          engine: keystone
          host: 127.0.0.1
          port: 35357
          user: neutron
          password: pwd
          tenant: service
          endpoint_type: internal
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        metadata:
          host: 127.0.0.1
          port: 8775
          password: pass
          workers: 2
        audit:
          enabled: false

Note: Pagination is useful when retrieving a large number of resources,
because a single request may fail (timeout). It is enabled with both
parameters *allow_pagination* and *pagination_max_limit* as shown above.


Configuration of policy.json file

.. code-block:: yaml

    neutron:
      server:
        ....
        policy:
          create_subnet: 'rule:admin_or_network_owner'
          'get_network:queue_id': 'rule:admin_only'
          # Add key without value to remove line from policy.json
          'create_network:shared':

Neutron LBaaSv2 enablement
--------------------------

.. code-block:: yaml

    neutron:
      server:
        lbaas:
          enabled: true
          providers:
            octavia:
              engine: octavia
              driver_path: 'neutron_lbaas.drivers.octavia.driver.OctaviaDriver'
              base_url: 'http://127.0.0.1:9876'
            avi_adc:
              engine: avinetworks
              driver_path: 'avi_lbaasv2.avi_driver.AviDriver'
              controller_address: 10.182.129.239
              controller_user: admin
              controller_password: Cloudlab2016
              controller_cloud_name: Default-Cloud
            avi_adc2:
              engine: avinetworks
              ...

Note: If the Contrail backend is set, the OpenContrail load balancer is enabled
automatically. In this case lbaas should be disabled in the pillar:

.. code-block:: yaml

    neutron:
      server:
        lbaas:
          enabled: false


Neutron FWaaSv1 enablement
--------------------------

.. code-block:: yaml

    neutron:
      fwaas:
        enabled: true
        version: ocata
        api_version: v1


Enable CORS parameters
----------------------

.. code-block:: yaml

    neutron:
      server:
        cors:
          allowed_origin: https://localhost.local,http://localhost.local
          expose_headers: X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token
          allow_methods: GET,PUT,POST,DELETE,PATCH
          allow_headers: X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token
          allow_credentials: True
          max_age: 86400


Neutron VXLAN tenant networks with Network nodes
------------------------------------------------

With DVR for East-West and Network node for North-South.

This use case describes a model utilising VxLAN overlay with DVR. The DVR
routers will only be utilized for traffic that is routed within the cloud
infrastructure and that remains encapsulated. External traffic will be
routed via the network nodes.

The intention is that each tenant will require at least two (2) vrouters
one to be utilised

Neutron Server

.. code-block:: yaml

    neutron:
      server:
        version: mitaka
        path_mtu: 1500
        bind:
          address: 172.20.0.1
          port: 9696
        database:
          engine: mysql
          host: 127.0.0.1
          port: 3306
          name: neutron
          user: neutron
          password: pwd
        identity:
          engine: keystone
          host: 127.0.0.1
          port: 35357
          user: neutron
          password: pwd
          tenant: service
          endpoint_type: internal
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        global_physnet_mtu: 9000
        l3_ha: False # Which type of router will be created by default
        dvr: True # disabled for non DVR use case
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          external_mtu: 9000
          mechanism:
            ovs:
              driver: openvswitch

Network Node

.. code-block:: yaml

    neutron:
      gateway:
        enabled: True
        version: mitaka
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        local_ip: 192.168.20.20 # br-mesh ip address
        dvr: True # disabled for non DVR use case
        agent_mode: dvr_snat
        metadata:
          host: 127.0.0.1
          password: pass
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          mechanism:
            ovs:
              driver: openvswitch

Compute Node

.. code-block:: yaml

    neutron:
      compute:
        enabled: True
        version: mitaka
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        local_ip: 192.168.20.20 # br-mesh ip address
        dvr: True # disabled for non DVR use case
        agent_mode: dvr
        external_access: false # Compute node with DVR for east-west only, Network Node has True as default
        metadata:
          host: 127.0.0.1
          password: pass
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          mechanism:
            ovs:
              driver: openvswitch
        audit:
          enabled: false


Disable physnet1 bridge
-----------------------

By default external access is turned on, so among the physnets in your
reclass model there is an additional one, physnet1, which is mapped to
br-floating.

If you need internal networks only, without this bridge, remove br-floating
and its configuration mappings. Disable mappings for this bridge on
neutron-servers:

.. code-block:: yaml

    neutron:
      server:
        external_access: false

gateways:

.. code-block:: yaml

    neutron:
      gateway:
        external_access: false

compute nodes:

.. code-block:: yaml

    neutron:
      compute:
        external_access: false


Add additional bridge mappings for OVS bridges
----------------------------------------------

By default external access is turned on, so among the physnets in your
reclass model there is an additional one, physnet1, which is mapped to
br-floating.

If you need to add extra non-default bridge mappings, they can be defined
separately for both gateways and compute nodes:

gateways:

.. code-block:: yaml

    neutron:
      gateway:
        bridge_mappings:
          physnet4: br-floating-internet

compute nodes:

.. code-block:: yaml

    neutron:
      compute:
        bridge_mappings:
          physnet4: br-floating-internet


Specify different mtu values for different physnets
---------------------------------------------------

Neutron Server

.. code-block:: yaml

    neutron:
      server:
        version: mitaka
        backend:
          external_mtu: 1500
          tenant_net_mtu: 9000
          ironic_net_mtu: 9000

Neutron VXLAN tenant networks with Network Nodes (non DVR)
----------------------------------------------------------

This section describes a network solution that utilises VxLAN overlay
networks without DVR, with all routers being managed on the network nodes.

Neutron Server

.. code-block:: yaml

    neutron:
      server:
        version: mitaka
        bind:
          address: 172.20.0.1
          port: 9696
        database:
          engine: mysql
          host: 127.0.0.1
          port: 3306
          name: neutron
          user: neutron
          password: pwd
        identity:
          engine: keystone
          host: 127.0.0.1
          port: 35357
          user: neutron
          password: pwd
          tenant: service
          endpoint_type: internal
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        global_physnet_mtu: 9000
        l3_ha: True
        dvr: False
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          external_mtu: 9000
          mechanism:
            ovs:
              driver: openvswitch

Network Node

.. code-block:: yaml

    neutron:
      gateway:
        enabled: True
        version: mitaka
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        local_ip: 192.168.20.20 # br-mesh ip address
        dvr: False
        agent_mode: legacy
        availability_zone: az1
        metadata:
          host: 127.0.0.1
          password: pass
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          mechanism:
            ovs:
              driver: openvswitch

Compute Node

.. code-block:: yaml

    neutron:
      compute:
        enabled: True
        version: mitaka
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        local_ip: 192.168.20.20 # br-mesh ip address
        external_access: False
        dvr: False
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          mechanism:
            ovs:
              driver: openvswitch

Neutron VXLAN tenant networks with Network Nodes with DVR
---------------------------------------------------------

With DVR for East-West and North-South, DVR everywhere, Network node for SNAT.

This section describes a network solution that utilises VxLAN
overlay networks with DVR for both North-South and East-West traffic.
The Network Node is used only for SNAT.

Neutron Server

.. code-block:: yaml

    neutron:
      server:
        version: mitaka
        bind:
          address: 172.20.0.1
          port: 9696
        database:
          engine: mysql
          host: 127.0.0.1
          port: 3306
          name: neutron
          user: neutron
          password: pwd
        identity:
          engine: keystone
          host: 127.0.0.1
          port: 35357
          user: neutron
          password: pwd
          tenant: service
          endpoint_type: internal
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        global_physnet_mtu: 9000
        l3_ha: False
        dvr: True
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          external_mtu: 9000
          mechanism:
            ovs:
              driver: openvswitch

Network Node

.. code-block:: yaml

    neutron:
      gateway:
        enabled: True
        version: mitaka
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        local_ip: 192.168.20.20 # br-mesh ip address
        dvr: True
        agent_mode: dvr_snat
        availability_zone: az1
        metadata:
          host: 127.0.0.1
          password: pass
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          mechanism:
            ovs:
              driver: openvswitch

Compute Node

.. code-block:: yaml

    neutron:
      compute:
        enabled: True
        version: mitaka
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        local_ip: 192.168.20.20 # br-mesh ip address
        dvr: True
        external_access: True
        agent_mode: dvr
        availability_zone: az1
        metadata:
          host: 127.0.0.1
          password: pass
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          mechanism:
            ovs:
              driver: openvswitch

Sample Linux network configuration for DVR

.. code-block:: yaml

    linux:
      network:
        bridge: openvswitch
        interface:
          eth1:
            enabled: true
            type: eth
            mtu: 9000
            proto: manual
          eth2:
            enabled: true
            type: eth
            mtu: 9000
            proto: manual
          eth3:
            enabled: true
            type: eth
            mtu: 9000
            proto: manual
          br-int:
            enabled: true
            mtu: 9000
            type: ovs_bridge
          br-floating:
            enabled: true
            mtu: 9000
            type: ovs_bridge
          float-to-ex:
            enabled: true
            type: ovs_port
            mtu: 65000
            bridge: br-floating
          br-mgmt:
            enabled: true
            type: bridge
            mtu: 9000
            address: ${_param:single_address}
            netmask: 255.255.255.0
            use_interfaces:
            - eth1
          br-mesh:
            enabled: true
            type: bridge
            mtu: 9000
            address: ${_param:tenant_address}
            netmask: 255.255.255.0
            use_interfaces:
            - eth2
          br-ex:
            enabled: true
            type: bridge
            mtu: 9000
            address: ${_param:external_address}
            netmask: 255.255.255.0
            use_interfaces:
            - eth3
            use_ovs_ports:
            - float-to-ex

Additional VXLAN tenant network settings
----------------------------------------

The default multicast group of 224.0.0.1 only multicasts to a single subnet.
Override it to support larger underlay network topologies.

Neutron Server

.. code-block:: yaml

    neutron:
      server:
        vxlan:
          group: 239.0.0.0/8
          vni_ranges: "2:65535"

Neutron VLAN tenant networks with Network Nodes
-----------------------------------------------

VLAN tenant provider

Neutron Server only

.. code-block:: yaml

    neutron:
      server:
        version: mitaka
        ...
        global_physnet_mtu: 9000
        l3_ha: False
        dvr: True
        backend:
          engine: ml2
          tenant_network_types: "flat,vlan" # Can be mixed flat,vlan,vxlan
          tenant_vlan_range: "1000:2000"
          external_vlan_range: "100:200" # Does not have to be defined.
          external_mtu: 9000
          mechanism:
            ovs:
              driver: openvswitch

Compute node

.. code-block:: yaml

    neutron:
      compute:
        version: mitaka
        ...
        dvr: True
        agent_mode: dvr
        external_access: False
        backend:
          engine: ml2
          tenant_network_types: "flat,vlan" # Can be mixed flat,vlan,vxlan
          mechanism:
            ovs:
              driver: openvswitch

Advanced Neutron Features (DPDK, SR-IOV)
----------------------------------------

Neutron OVS DPDK

Enable datapath netdev for neutron openvswitch agent

.. code-block:: yaml

    neutron:
      server:
        version: mitaka
        ...
        dpdk: True
        ...

    neutron:
      compute:
        version: mitaka
        dpdk: True
        vhost_socket_dir: /var/run/openvswitch
        backend:
          engine: ml2
          ...
          mechanism:
            ovs:
              driver: openvswitch

Neutron OVS SR-IOV

.. code-block:: yaml

    neutron:
      server:
        version: mitaka
        backend:
          engine: ml2
          ...
          mechanism:
            ovs:
              driver: openvswitch
            sriov:
              driver: sriovnicswitch

    neutron:
      compute:
        version: mitaka
        ...
        backend:
          engine: ml2
          tenant_network_types: "flat,vlan" # Can be mixed flat,vlan,vxlan
          sriov:
            nic_one:
              devname: eth1
              physical_network: physnet3
          mechanism:
            ovs:
              driver: openvswitch

Neutron with VLAN-aware-VMs
---------------------------

.. code-block:: yaml

    neutron:
      server:
        vlan_aware_vms: true
      ....
      compute:
        vlan_aware_vms: true
      ....
      gateway:
        vlan_aware_vms: true

Neutron with DHCP agent on compute node
---------------------------------------

.. code-block:: yaml

    neutron:
      ....
      compute:
        dhcp_agent_enabled: true
      ....

Neutron with OVN
----------------

Control node:

.. code-block:: yaml

    neutron:
      server:
        backend:
          engine: ovn
          mechanism:
            ovn:
              driver: ovn
          tenant_network_types: "geneve,flat"
        ovn_ctl_opts:
          db-nb-create-insecure-remote: 'yes'
          db-sb-create-insecure-remote: 'yes'

Compute node:

.. code-block:: yaml

    neutron:
      compute:
        local_ip: 10.2.0.105
        controller_vip: 10.1.0.101
        external_access: false
        backend:
          engine: ovn


Neutron L2 Gateway
------------------

Control node:

.. code-block:: yaml

    neutron:
      server:
        version: pike
        l2gw:
          enabled: true
          periodic_monitoring_interval: 5
          quota_l2_gateway: 20
          # service_provider=<service_type>:<name>:<driver>[:default]
          service_provider: L2GW:OpenDaylight:networking_odl.l2gateway.driver.OpenDaylightL2gwDriver:default
        backend:
          engine: ml2

Network/Gateway node:

.. code-block:: yaml

    neutron:
      gateway:
        version: pike
        l2gw:
          enabled: true
          debug: true
          socket_timeout: 20
          ovsdb_hosts:
            # <ovsdb_name>: <ip address>:<port>
            # - ovsdb_name: a user defined symbolic identifier of physical switch
            # - ip address: the address or dns name for the OVSDB server (i.e. pointer to the switch)
            ovsdb1: 10.164.5.33:6632
            ovsdb2: 10.164.4.33:6632


OpenDaylight integration
------------------------

Control node:

.. code-block:: yaml

    neutron:
      server:
        backend:
          opendaylight: true
          router: odl-router_v2
          host: 10.20.0.77
          rest_api_port: 8282
          user: admin
          password: admin
          ovsdb_connection: tcp:127.0.0.1:6639
          enable_websocket: true
          enable_dhcp_service: false
          mechanism:
            ovs:
              driver: opendaylight_v2

Network/Gateway node:

.. code-block:: yaml

    neutron:
      gateway:
        backend:
          router: odl-router_v2
          ovsdb_connection: tcp:127.0.0.1:6639
        opendaylight:
          ovsdb_server_iface: ptcp:6639:127.0.0.1
          ovsdb_odl_iface: tcp:10.20.0.77:6640
          tunnel_ip: 10.1.0.110
          provider_mappings: physnet1:br-floating

Compute node:

.. code-block:: yaml

    neutron:
      compute:
        opendaylight:
          ovsdb_server_iface: ptcp:6639:127.0.0.1
          ovsdb_odl_iface: tcp:10.20.0.77:6640
          tunnel_ip: 10.1.0.105
          provider_mappings: physnet1:br-floating


Neutron Server
--------------

Neutron Server with OpenContrail

.. code-block:: yaml

    neutron:
      server:
        backend:
          engine: contrail
          host: contrail_discovery_host
          port: 8082
          user: admin
          password: password
          tenant: admin
          token: token

Neutron Server with Midonet

.. code-block:: yaml

    neutron:
      server:
        backend:
          engine: midonet
          host: midonet_api_host
          port: 8181
          user: admin
          password: password

Neutron Keystone region

.. code-block:: yaml

    neutron:
      server:
        enabled: true
        version: kilo
        ...
        identity:
          region: RegionTwo
        ...
        compute:
          region: RegionTwo
        ...

Client-side RabbitMQ HA setup

.. code-block:: yaml

    neutron:
      server:
        ....
        message_queue:
          engine: rabbitmq
          members:
            - host: 10.0.16.1
            - host: 10.0.16.2
            - host: 10.0.16.3
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        ....


Configuring TLS communications
------------------------------


**Note:** by default the system-wide installed CA certificates are used, so the ``cacert_file`` parameter is optional, as is ``cacert``.


- **RabbitMQ TLS**

.. code-block:: yaml

    neutron:
      server:  # the same keys apply under gateway and compute
        message_queue:
          port: 5671
          ssl:
            enabled: True
            cacert: <cert body>  # optional, used if the cacert_file does not exist
            cacert_file: /etc/openstack/rabbitmq-ca.pem  # optional
            version: TLSv1_2  # optional


- **MySQL TLS**

.. code-block:: yaml

    neutron:
      server:
        database:
          ssl:
            enabled: True
            cacert: <cert body>  # optional, used if the cacert_file does not exist
            cacert_file: /etc/openstack/mysql-ca.pem  # optional

- **OpenStack HTTPS API**


.. code-block:: yaml

    neutron:
      server:
        identity:
          protocol: https
          cacert_file: /etc/openstack/proxy.pem  # optional


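The following check is an added example, not part of the formula: it walks a neutron pillar that has already been loaded into a Python dict and reports every section that lacks the TLS keys from "Configuring TLS communications". The function names and both sample pillars are constructed for illustration; the key names and the ports 5671/5672 are the ones used in this README.

```python
"""Audit a neutron pillar (as a dict) for the TLS keys shown in this README.

Added example; not code from the formula. The pillar is assumed to be
parsed already, so no YAML library is needed.
"""

ROLES = ("server", "gateway", "compute")
PLAIN_AMQP_PORT = 5672  # port used by the non-TLS samples in this README


def ssl_enabled(section):
    """True only when `section` carries ssl.enabled set to boolean true."""
    ssl = section.get("ssl")
    return isinstance(ssl, dict) and ssl.get("enabled") is True


def audit_tls(pillar):
    """Return a sorted list of (pillar_path, problem); empty means clean."""
    findings = []
    neutron = pillar.get("neutron") or {}

    # RabbitMQ TLS applies to all three roles.
    for role in ROLES:
        cfg = neutron.get(role)
        if not isinstance(cfg, dict):
            continue
        mq = cfg.get("message_queue")
        if not isinstance(mq, dict):
            continue
        path = "neutron:%s:message_queue" % role
        if not ssl_enabled(mq):
            findings.append((path, "ssl.enabled is not true"))
        elif mq.get("port") == PLAIN_AMQP_PORT:
            # Only the top-level port is checked; per-member ports in an
            # HA `members` list are out of scope for this example.
            findings.append((path, "ssl enabled but port is 5672 (plain AMQP)"))

    # MySQL TLS and the HTTPS identity endpoint are server-only keys.
    server = neutron.get("server")
    if isinstance(server, dict):
        db = server.get("database")
        if isinstance(db, dict) and not ssl_enabled(db):
            findings.append(("neutron:server:database", "ssl.enabled is not true"))
        ident = server.get("identity")
        if isinstance(ident, dict) and ident.get("protocol") != "https":
            findings.append(("neutron:server:identity", "protocol is not https"))

    return sorted(findings)


# Constructed sample: mirrors the plain-text samples earlier in this README.
WEAK_PILLAR = {
    "neutron": {
        "server": {
            "database": {"engine": "mysql", "host": "127.0.0.1", "port": 3306},
            "identity": {"engine": "keystone", "host": "127.0.0.1", "port": 35357},
            "message_queue": {"engine": "rabbitmq", "host": "127.0.0.1", "port": 5672},
        },
        "compute": {
            "message_queue": {"engine": "rabbitmq", "host": "127.0.0.1", "port": 5672},
        },
    }
}

# Constructed sample: the same pillar with the TLS keys from this section.
HARDENED_PILLAR = {
    "neutron": {
        "server": {
            "database": {"engine": "mysql", "ssl": {"enabled": True}},
            "identity": {"engine": "keystone", "protocol": "https"},
            "message_queue": {"engine": "rabbitmq", "port": 5671,
                              "ssl": {"enabled": True, "version": "TLSv1_2"}},
        },
        "compute": {
            "message_queue": {"engine": "rabbitmq", "port": 5671,
                              "ssl": {"enabled": True}},
        },
    }
}

if __name__ == "__main__":
    for name, pillar in (("weak", WEAK_PILLAR), ("hardened", HARDENED_PILLAR)):
        print(name)
        for path, problem in audit_tls(pillar) or [("-", "no findings")]:
            print("  %s: %s" % (path, problem))
```
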
Enable auditing filter, i.e. CADF

.. code-block:: yaml

    neutron:
      server:
        audit:
          enabled: true
          ....
          filter_factory: 'keystonemiddleware.audit:filter_factory'
          map_file: '/etc/pycadf/neutron_api_audit_map.conf'
        ....
      compute:
        audit:
          enabled: true
          ....
          filter_factory: 'keystonemiddleware.audit:filter_factory'
          map_file: '/etc/pycadf/neutron_api_audit_map.conf'
        ....

Neutron with security groups disabled

.. code-block:: yaml

    neutron:
      server:
        security_groups_enabled: False
      ....
      compute:
        security_groups_enabled: False
      ....
      gateway:
        security_groups_enabled: False


Neutron Client
--------------

Neutron networks

.. code-block:: yaml

    neutron:
      client:
        enabled: true
        server:
          identity:
            endpoint_type: internalURL
            network:
              inet1:
                tenant: demo
                shared: False
                admin_state_up: True
                router_external: True
                provider_physical_network: inet
                provider_network_type: flat
                provider_segmentation_id: 2
                subnet:
                  inet1-subnet1:
                    cidr: 192.168.90.0/24
                    enable_dhcp: False
              inet2:
                tenant: admin
                shared: False
                router_external: True
                provider_network_type: "vlan"
                subnet:
                  inet2-subnet1:
                    cidr: 192.168.92.0/24
                    enable_dhcp: False
                  inet2-subnet2:
                    cidr: 192.168.94.0/24
                    enable_dhcp: True
          identity1:
            network:
              ...

Neutron routers

.. code-block:: yaml

    neutron:
      client:
        enabled: true
        server:
          identity:
            endpoint_type: internalURL
            router:
              inet1-router:
                tenant: demo
                admin_state_up: True
                gateway_network: inet
                interfaces:
                  - inet1-subnet1
                  - inet1-subnet2
          identity1:
            router:
              ...

    TODO: implement adding new interfaces to a router while updating it


Neutron security groups

.. code-block:: yaml

    neutron:
      client:
        enabled: true
        server:
          identity:
            endpoint_type: internalURL
            security_group:
              security_group1:
                tenant: demo
                description: security group 1
                rules:
                  - direction: ingress
                    ethertype: IPv4
                    protocol: TCP
                    port_range_min: 1
                    port_range_max: 65535
                    remote_ip_prefix: 0.0.0.0/0
                  - direction: ingress
                    ethertype: IPv4
                    protocol: UDP
                    port_range_min: 1
                    port_range_max: 65535
                    remote_ip_prefix: 0.0.0.0/0
                  - direction: ingress
                    protocol: ICMP
                    remote_ip_prefix: 0.0.0.0/0
          identity1:
            security_group:
              ...

    TODO: implement updating existing security rules (now it adds new rule if trying to update existing one)


Floating IP addresses

.. code-block:: yaml

    neutron:
      client:
        enabled: true
        server:
          identity:
            endpoint_type: internalURL
            floating_ip:
              prx01-instance:
                server: prx01.mk22-lab-basic.local
                subnet: private-subnet1
                network: public-net1
                tenant: demo
              gtw01-instance:
                ...

.. note:: The network must have flag router:external set to True.
          Instance port in the stated subnet will be associated with the dynamically generated floating IP.



Enable Neutron extensions (QoS, DNS, etc.)
------------------------------------------
.. code-block:: yaml

    neutron:
      server:
        backend:
          extension:
            dns:
              enabled: True
              host: 127.0.0.1
              port: 9001
              protocol: http
              ....
            qos:
              enabled: True


Neutron with Designate
-----------------------------------------
.. code-block:: yaml

    neutron:
      server:
        backend:
          extension:
            dns:
              enabled: True
              host: 127.0.0.1
              port: 9001
              protocol: http

Enable RBAC for OpenContrail engine
-----------------------------------
.. code-block:: yaml

    neutron:
      server:
        backend:
          engine: contrail
          rbac:
            enabled: True

Enhanced logging with logging.conf
----------------------------------

By default logging.conf is disabled.

It is possible to enable a per-binary logging.conf with the following variables:

  * openstack_log_appender - set to true to enable log_config_append for all OpenStack services;
  * openstack_fluentd_handler_enabled - set to true to enable FluentHandler for all OpenStack services;
  * openstack_ossyslog_handler_enabled - set to true to enable OSSysLogHandler for all OpenStack services.

Only WatchedFileHandler, OSSysLogHandler and FluentHandler are available.

This can also be configured with pillar:

.. code-block:: yaml

    neutron:
      server:
        logging:
          log_appender: true
          log_handlers:
            watchedfile:
              enabled: true
            fluentd:
              enabled: true
            ossyslog:
              enabled: true
      ....
      compute:
        logging:
          log_appender: true
          log_handlers:
            watchedfile:
              enabled: true
            fluentd:
              enabled: true
            ossyslog:
              enabled: true
      ....
      gateway:
        logging:
          log_appender: true
          log_handlers:
            watchedfile:
              enabled: true
            fluentd:
              enabled: true
            ossyslog:
              enabled: true

Documentation and Bugs
======================

To learn how to install and update salt-formulas, consult the documentation
available online at:

    http://salt-formulas.readthedocs.io/

In the unfortunate event that bugs are discovered, they should be reported to
the appropriate issue tracker. Use the GitHub issue tracker for the specific
Salt formula:

    https://github.com/salt-formulas/salt-formula-neutron/issues

For feature requests, bug reports or blueprints affecting the entire ecosystem,
use the Launchpad salt-formulas project:

    https://launchpad.net/salt-formulas

You can also join the salt-formulas-users team and subscribe to the mailing list:

    https://launchpad.net/~salt-formulas-users

Developers wishing to work on the salt-formulas projects should always base
their work on the master branch and submit pull requests against the specific
formula:

    https://github.com/salt-formulas/salt-formula-neutron

Questions and feedback are always welcome, so feel free to join our IRC
channel:

    #salt-formulas @ irc.freenode.net