=====
Usage
=====

Neutron is an OpenStack project to provide *networking as a service* between
interface devices (e.g., vNICs) managed by other OpenStack services (e.g.,
nova).

Starting with the Folsom release, Neutron is a core and supported part of the
OpenStack platform (for Essex, we were an *incubated* project, which means use
is suggested only for those who really know what they're doing with Neutron).

Sample Pillars
==============

Neutron Server on the controller node:

.. code-block:: yaml

    neutron:
      server:
        enabled: true
        version: mitaka
        allow_pagination: true
        pagination_max_limit: 100
        api_workers: 2
        rpc_workers: 2
        rpc_state_report_workers: 2
        root_helper_daemon: false
        dhcp_lease_duration: 600
        firewall_driver: iptables_hybrid
        agent_boot_time: 180
        bind:
          address: 172.20.0.1
          port: 9696
        database:
          engine: mysql
          host: 127.0.0.1
          port: 3306
          name: neutron
          user: neutron
          password: pwd
        identity:
          engine: keystone
          host: 127.0.0.1
          port: 35357
          user: neutron
          password: pwd
          tenant: service
          endpoint_type: internal
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        metadata:
          host: 127.0.0.1
          port: 8775
          insecure: true
          proto: https
          password: pass
          workers: 2
        audit:
          enabled: false

.. note:: Pagination is useful when retrieving a large number of resources,
   because a single request for all of them may fail (time out). It is
   enabled with both parameters *allow_pagination* and *pagination_max_limit*,
   as shown above.

Configuration of the policy.json file:

.. code-block:: yaml

    neutron:
      server:
        ....
        policy:
          create_subnet: 'rule:admin_or_network_owner'
          'get_network:queue_id': 'rule:admin_only'
          # Add key without value to remove line from policy.json
          'create_network:shared':

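As an added example (not the formula's own rendering code), the following Python applies a ``policy`` pillar like the one above to a policy.json document using the two rules the README states (a key with a value sets the rule, a key with no value removes the line) and then reports overrides that weaken a rule to ``""``, which oslo.policy treats as always allowed. The base policy excerpt is constructed for the example.

```python
"""Apply the neutron:server:policy pillar to a policy.json document.

Added example, not salt-formula-neutron code. It mirrors the README's two
rules (value sets/overrides, YAML null removes the line) and flags
overrides that loosen a rule: "" means "always allowed" to oslo.policy,
and a removed target falls back to the file's "default" rule.
"""
import json

# Constructed excerpt of a neutron policy.json (not the full default file).
BASE_POLICY_JSON = json.dumps({
    "context_is_admin": "role:admin",
    "admin_only": "rule:context_is_admin",
    "admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s",
    "create_subnet": "rule:admin_or_network_owner",
    "get_network:queue_id": "rule:admin_only",
    "create_network:shared": "rule:admin_only",
    "get_network": "rule:admin_or_owner or rule:shared",
})

# The pillar fragment from the README as Python loads it from YAML:
# the bare 'create_network:shared': key becomes None.
PILLAR_POLICY = {
    "create_subnet": "rule:admin_or_network_owner",
    "get_network:queue_id": "rule:admin_only",
    "create_network:shared": None,
}


def apply_policy_pillar(policy_json, pillar_policy):
    """Return (new_policy_dict, removed_keys) after applying the pillar."""
    policy = json.loads(policy_json)
    removed = []
    for key, rule in pillar_policy.items():
        if rule is None:
            # Key without value: drop the line from policy.json entirely.
            if policy.pop(key, None) is not None:
                removed.append(key)
        else:
            policy[key] = rule
    return policy, removed


def loosened_rules(old_policy_json, new_policy):
    """List (target, old_rule, reason) for rules that became weaker.

    A rule rewritten to "" matches every request.  A removed target is no
    longer governed by its own rule and falls back to "default", so the
    removal of an admin-only rule is reported as well.
    """
    old = json.loads(old_policy_json)
    findings = []
    for target, old_rule in old.items():
        new_rule = new_policy.get(target)
        if new_rule == "" and old_rule != "":
            findings.append((target, old_rule, "match-all rule"))
        elif new_rule is None and "admin" in old_rule:
            findings.append((target, old_rule, "removed; falls back to the default rule"))
    return findings
```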
Neutron LBaaSv2 enablement
--------------------------

.. code-block:: yaml

    neutron:
      server:
        lbaas:
          enabled: true
          providers:
            octavia:
              engine: octavia
              driver_path: 'neutron_lbaas.drivers.octavia.driver.OctaviaDriver'
              base_url: 'http://127.0.0.1:9876'
            avi_adc:
              engine: avinetworks
              driver_path: 'avi_lbaasv2.avi_driver.AviDriver'
              controller_address: 10.182.129.239
              controller_user: admin
              controller_password: Cloudlab2016
              controller_cloud_name: Default-Cloud
            avi_adc2:
              engine: avinetworks
              ...

.. note:: If the Contrail backend is set, the OpenContrail load balancer
   is enabled automatically. In this case LBaaS should be disabled in the
   pillar:

   .. code-block:: yaml

      neutron:
        server:
          lbaas:
            enabled: false

Neutron FWaaSv1 enablement
--------------------------

.. code-block:: yaml

    neutron:
      fwaas:
        enabled: true
        version: ocata
        api_version: v1

Enable CORS parameters
----------------------

.. code-block:: yaml

    neutron:
      server:
        cors:
          allowed_origin: https://localhost.local,http://localhost.local
          expose_headers: X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token
          allow_methods: GET,PUT,POST,DELETE,PATCH
          allow_headers: X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token
          allow_credentials: True
          max_age: 86400

Neutron VXLAN tenant networks with Network nodes
------------------------------------------------

With DVR for East-West and Network node for North-South.

This use case describes a model utilising a VxLAN overlay with DVR. The DVR
routers will only be utilized for traffic that is routed within the cloud
infrastructure and that remains encapsulated. External traffic will be
routed via the network nodes.

The intention is that each tenant will require at least two (2) vrouters,
one to be utilised

Neutron Server:

.. code-block:: yaml

    neutron:
      server:
        version: mitaka
        path_mtu: 1500
        bind:
          address: 172.20.0.1
          port: 9696
        database:
          engine: mysql
          host: 127.0.0.1
          port: 3306
          name: neutron
          user: neutron
          password: pwd
        identity:
          engine: keystone
          host: 127.0.0.1
          port: 35357
          user: neutron
          password: pwd
          tenant: service
          endpoint_type: internal
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        global_physnet_mtu: 9000
        l3_ha: False # Which type of router will be created by default
        dvr: True # disabled for non DVR use case
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          external_mtu: 9000
          mechanism:
            ovs:
              driver: openvswitch

Network Node:

.. code-block:: yaml

    neutron:
      gateway:
        enabled: True
        version: mitaka
        dhcp_lease_duration: 600
        firewall_driver: iptables_hybrid
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        local_ip: 192.168.20.20 # br-mesh ip address
        dvr: True # disabled for non DVR use case
        agent_mode: dvr_snat
        metadata:
          host: 127.0.0.1
          password: pass
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          mechanism:
            ovs:
              driver: openvswitch
        agents:
          dhcp:
            ovs_use_veth: False

Compute Node:

.. code-block:: yaml

    neutron:
      compute:
        enabled: True
        version: mitaka
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        local_ip: 192.168.20.20 # br-mesh ip address
        dvr: True # disabled for non DVR use case
        agent_mode: dvr
        external_access: false # Compute node with DVR for east-west only, Network Node has True as default
        metadata:
          host: 127.0.0.1
          password: pass
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          mechanism:
            ovs:
              driver: openvswitch
        audit:
          enabled: false

Setting MAC base address
------------------------

By default Neutron uses fa:16:3f:00:00:00 as the base for its MAC address
generator. One can set one's own MAC base for both the DVR and non-DVR cases.

.. note:: dvr_base_mac and base_mac SHOULD differ.

.. code-block:: yaml

    neutron:
      server:
        base_mac: fa:16:3f:00:00:00
        dvr_base_mac: fa:16:3f:a0:00:00

gateways:

.. code-block:: yaml

    neutron:
      gateway:
        base_mac: fa:16:3f:00:00:00
        dvr_base_mac: fa:16:3f:a0:00:00

compute nodes:

.. code-block:: yaml

    neutron:
      compute:
        base_mac: fa:16:3f:00:00:00
        dvr_base_mac: fa:16:3f:a0:00:00

Disable physnet1 bridge
-----------------------

By default external access is turned on, so in addition to any physnets
defined in your reclass model there is one more, physnet1, which is mapped to
br-floating.

If you need internal networks only, without this bridge, remove br-floating
and its configuration mappings. Disable the mappings for this bridge on the
neutron servers:

.. code-block:: yaml

    neutron:
      server:
        external_access: false

gateways:

.. code-block:: yaml

    neutron:
      gateway:
        external_access: false

compute nodes:

.. code-block:: yaml

    neutron:
      compute:
        external_access: false

Add additional bridge mappings for OVS bridges
----------------------------------------------

By default external access is turned on, so in addition to any physnets
defined in your reclass model there is one more, physnet1, which is mapped to
br-floating.

If you need to add extra non-default bridge mappings, they can be defined
separately for both gateways and compute nodes:

gateways:

.. code-block:: yaml

    neutron:
      gateway:
        bridge_mappings:
          physnet4: br-floating-internet

compute nodes:

.. code-block:: yaml

    neutron:
      compute:
        bridge_mappings:
          physnet4: br-floating-internet

Specify different MTU values for different physnets
---------------------------------------------------

Neutron Server:

.. code-block:: yaml

    neutron:
      server:
        version: mitaka
        backend:
          external_mtu: 1500
          tenant_net_mtu: 9000
          ironic_net_mtu: 9000

Neutron VXLAN tenant networks with Network Nodes (non DVR)
----------------------------------------------------------

This section describes a network solution that utilises VxLAN overlay
networks without DVR, with all routers being managed on the network nodes.

Neutron Server:

.. code-block:: yaml

    neutron:
      server:
        version: mitaka
        bind:
          address: 172.20.0.1
          port: 9696
        database:
          engine: mysql
          host: 127.0.0.1
          port: 3306
          name: neutron
          user: neutron
          password: pwd
        identity:
          engine: keystone
          host: 127.0.0.1
          port: 35357
          user: neutron
          password: pwd
          tenant: service
          endpoint_type: internal
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        global_physnet_mtu: 9000
        l3_ha: True
        dvr: False
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          external_mtu: 9000
          mechanism:
            ovs:
              driver: openvswitch

Network Node:

.. code-block:: yaml

    neutron:
      gateway:
        enabled: True
        version: mitaka
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        local_ip: 192.168.20.20 # br-mesh ip address
        dvr: False
        agent_mode: legacy
        availability_zone: az1
        metadata:
          host: 127.0.0.1
          password: pass
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          mechanism:
            ovs:
              driver: openvswitch

Compute Node:

.. code-block:: yaml

    neutron:
      compute:
        enabled: True
        version: mitaka
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        local_ip: 192.168.20.20 # br-mesh ip address
        external_access: False
        dvr: False
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          mechanism:
            ovs:
              driver: openvswitch

Neutron VXLAN tenant networks with Network Nodes with DVR
---------------------------------------------------------

With DVR for East-West and North-South, DVR everywhere, Network
node for SNAT.

This section describes a network solution that utilises VxLAN
overlay networks with DVR for both North-South and East-West traffic.
The Network Node is used only for SNAT.

Neutron Server:

.. code-block:: yaml

    neutron:
      server:
        version: mitaka
        bind:
          address: 172.20.0.1
          port: 9696
        database:
          engine: mysql
          host: 127.0.0.1
          port: 3306
          name: neutron
          user: neutron
          password: pwd
        identity:
          engine: keystone
          host: 127.0.0.1
          port: 35357
          user: neutron
          password: pwd
          tenant: service
          endpoint_type: internal
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        global_physnet_mtu: 9000
        l3_ha: False
        dvr: True
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          external_mtu: 9000
          mechanism:
            ovs:
              driver: openvswitch

Network Node:

.. code-block:: yaml

    neutron:
      gateway:
        enabled: True
        version: mitaka
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        local_ip: 192.168.20.20 # br-mesh ip address
        dvr: True
        agent_mode: dvr_snat
        availability_zone: az1
        metadata:
          host: 127.0.0.1
          password: pass
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          mechanism:
            ovs:
              driver: openvswitch

Compute Node:

.. code-block:: yaml

    neutron:
      compute:
        enabled: True
        version: mitaka
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        local_ip: 192.168.20.20 # br-mesh ip address
        dvr: True
        external_access: True
        agent_mode: dvr
        availability_zone: az1
        metadata:
          host: 127.0.0.1
          password: pass
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          mechanism:
            ovs:
              driver: openvswitch

Sample Linux network configuration for DVR:

.. code-block:: yaml

    linux:
      network:
        bridge: openvswitch
        interface:
          eth1:
            enabled: true
            type: eth
            mtu: 9000
            proto: manual
          eth2:
            enabled: true
            type: eth
            mtu: 9000
            proto: manual
          eth3:
            enabled: true
            type: eth
            mtu: 9000
            proto: manual
          br-int:
            enabled: true
            mtu: 9000
            type: ovs_bridge
          br-floating:
            enabled: true
            mtu: 9000
            type: ovs_bridge
          float-to-ex:
            enabled: true
            type: ovs_port
            mtu: 65000
            bridge: br-floating
          br-mgmt:
            enabled: true
            type: bridge
            mtu: 9000
            address: ${_param:single_address}
            netmask: 255.255.255.0
            use_interfaces:
              - eth1
          br-mesh:
            enabled: true
            type: bridge
            mtu: 9000
            address: ${_param:tenant_address}
            netmask: 255.255.255.0
            use_interfaces:
              - eth2
          br-ex:
            enabled: true
            type: bridge
            mtu: 9000
            address: ${_param:external_address}
            netmask: 255.255.255.0
            use_interfaces:
              - eth3
            use_ovs_ports:
              - float-to-ex

Additional VXLAN tenant network settings
----------------------------------------

The default multicast group of ``224.0.0.1`` only multicasts within
a single subnet. It can be overridden to allow larger underlay
network topologies.

Neutron Server:

.. code-block:: yaml

    neutron:
      server:
        vxlan:
          group: 239.0.0.0/8
          vni_ranges: "2:65535"

Neutron VLAN tenant networks with Network Nodes
-----------------------------------------------

VLAN tenant provider

Neutron Server only:

.. code-block:: yaml

    neutron:
      server:
        version: mitaka
        ...
        global_physnet_mtu: 9000
        l3_ha: False
        dvr: True
        backend:
          engine: ml2
          tenant_network_types: "flat,vlan" # Can be mixed flat,vlan,vxlan
          tenant_vlan_range: "1000:2000"
          external_vlan_range: "100:200" # Does not have to be defined.
          external_mtu: 9000
          mechanism:
            ovs:
              driver: openvswitch

Compute node:

.. code-block:: yaml

    neutron:
      compute:
        version: mitaka
        ...
        dvr: True
        agent_mode: dvr
        external_access: False
        backend:
          engine: ml2
          tenant_network_types: "flat,vlan" # Can be mixed flat,vlan,vxlan
          mechanism:
            ovs:
              driver: openvswitch

Neutron with explicit physical networks
---------------------------------------

Neutron Server only:

.. code-block:: yaml

    neutron:
      server:
        version: ocata
        ...
        backend:
          engine: ml2
          tenant_network_types: "flat,vlan" # Can be mixed flat,vlan,vxlan
          ...
          # also need to configure corresponding bridge_mappings on
          # compute and gateway nodes
          flat_networks_default: '*' # '*' to allow arbitrary names or '' to disable
          physnets: # only listed physnets will be configured (overrides physnet1/2/3)
            external:
              mtu: 1500
              types:
                - flat # possible values - 'flat' or 'vlan'
            sriov_net:
              mtu: 9000 # Optional, defaults to 1500
              vlan_range: '100:200,300:400' # Optional
              types:
                - vlan
            ext_net2:
              mtu: 1500
              types:
                - flat
                - vlan
          mechanism:
            ovs:
              driver: openvswitch

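As an added example (not the formula's own templates, which this page does not show), the following Python renders the ``physnets`` pillar above into the three ML2 options Neutron consumes: ``flat_networks``, ``network_vlan_ranges`` and ``physical_network_mtus``. The mapping follows Neutron's documented option formats and reproduces the 1..4094 bound ML2 enforces on VLAN ranges; ``flat_networks_default`` is not modelled.

```python
"""Render the neutron:server:backend:physnets pillar into ML2 options.

Added example, not salt-formula-neutron code.  The output keys are the
real Neutron options: [ml2_type_flat] flat_networks,
[ml2_type_vlan] network_vlan_ranges and [ml2] physical_network_mtus.
"""

# Pillar fragment from the README, as loaded from YAML.
PHYSNETS = {
    "external": {"mtu": 1500, "types": ["flat"]},
    "sriov_net": {"mtu": 9000, "vlan_range": "100:200,300:400", "types": ["vlan"]},
    "ext_net2": {"mtu": 1500, "types": ["flat", "vlan"]},
}

VLAN_MIN, VLAN_MAX = 1, 4094  # bounds ML2 applies to network_vlan_ranges


def parse_vlan_ranges(spec):
    """Split '100:200,300:400' into [(100, 200), (300, 400)], validating each range."""
    ranges = []
    for part in spec.split(","):
        lo_s, hi_s = part.split(":")
        lo, hi = int(lo_s), int(hi_s)
        if not (VLAN_MIN <= lo <= hi <= VLAN_MAX):
            raise ValueError("invalid VLAN range %r (must be 1..4094, lo <= hi)" % part)
        ranges.append((lo, hi))
    return ranges


def render_ml2_options(physnets):
    """Return the three ML2 option values as Neutron expects them in ml2_conf.ini."""
    flat, vlan, mtus = [], [], []
    for name, spec in physnets.items():
        types = spec.get("types", [])
        if "flat" in types:
            flat.append(name)
        if "vlan" in types:
            if "vlan_range" in spec:
                # One physnet:lo:hi entry per range; these are tenant-allocatable.
                for lo, hi in parse_vlan_ranges(spec["vlan_range"]):
                    vlan.append("%s:%d:%d" % (name, lo, hi))
            else:
                # A bare physnet name permits provider VLAN networks with any tag
                # but reserves no range for tenant allocation.
                vlan.append(name)
        # The README states mtu is optional and defaults to 1500.
        mtus.append("%s:%d" % (name, spec.get("mtu", 1500)))
    return {
        "flat_networks": ",".join(flat),
        "network_vlan_ranges": ",".join(vlan),
        "physical_network_mtus": ",".join(mtus),
    }
```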
Advanced Neutron Features (DPDK, SR-IOV)
----------------------------------------

Neutron OVS DPDK

Enable the netdev datapath for the Neutron Open vSwitch agent:

.. code-block:: yaml

    neutron:
      server:
        version: mitaka
        ...
        dpdk: True
        ...

    neutron:
      compute:
        version: mitaka
        dpdk: True
        vhost_mode: client # options: client|server (default)
        vhost_socket_dir: /var/run/openvswitch
        backend:
          engine: ml2
          ...
          mechanism:
            ovs:
              driver: openvswitch

Neutron OVS SR-IOV:

.. code-block:: yaml

    neutron:
      server:
        version: mitaka
        backend:
          engine: ml2
          ...
          mechanism:
            ovs:
              driver: openvswitch
            sriov:
              driver: sriovnicswitch
              # Driver w/ highest number will be placed ahead in the list (default is 0).
              # It's recommended for SR-IOV driver to set an order >0 to get it
              # before (for example) the opendaylight one.
              order: 9

    neutron:
      compute:
        version: mitaka
        ...
        backend:
          engine: ml2
          tenant_network_types: "flat,vlan" # Can be mixed flat,vlan,vxlan
          sriov:
            nic_one:
              devname: eth1
              physical_network: physnet3
          mechanism:
            ovs:
              driver: openvswitch

Neutron with VLAN-aware-VMs
---------------------------

.. code-block:: yaml

    neutron:
      server:
        vlan_aware_vms: true
        ....
      compute:
        vlan_aware_vms: true
        ....
      gateway:
        vlan_aware_vms: true

Neutron with BGP VPN (BaGPipe driver)
-------------------------------------

.. code-block:: yaml

    neutron:
      server:
        version: pike
        bgp_vpn:
          enabled: true
          driver: bagpipe # Options: bagpipe/opencontrail/opendaylight[_v2]
        ....
      compute:
        version: pike
        bgp_vpn:
          enabled: true
          driver: bagpipe # Options: bagpipe/opencontrail/opendaylight[_v2]
        bagpipe:
          local_address: 192.168.20.20 # IP address for mpls/gre tunnels
          peers: 192.168.20.30 # IP addresses of BGP peers
          autonomous_system: 64512 # Autonomous System number
          enable_rtc: True # Enable RT Constraint (RFC4684)
        backend:
          ovs_extension: # for OVS agent only, not supported in SRIOV agent
            bagpipe_bgpvpn:
              enabled: True

Neutron with DHCP agent on compute node
---------------------------------------

.. code-block:: yaml

    neutron:
      ....
      compute:
        dhcp_agent_enabled: true
        ....

Neutron with metadata agent on compute node
-------------------------------------------

.. code-block:: yaml

    neutron:
      ....
      compute:
        metadata_agent_enabled: true
        ....

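The ``metadata: password:`` value that the compute, gateway and server pillars above share is the secret the metadata agent uses to sign proxied requests. As an added example (not formula code), the following Python shows that exchange: the agent computes an HMAC-SHA256 of the instance ID with the shared secret and sends it as ``X-Instance-ID-Signature``, and the nova side recomputes and compares it in constant time before trusting ``X-Instance-ID``. The instance ID and tenant ID are constructed sample values.

```python
"""Signing and verification of neutron-metadata-agent proxied requests.

Added example, not salt-formula-neutron code.  The pillar key
metadata.password becomes the shared secret used on both sides; the
header names and HMAC-SHA256 construction are those Neutron and Nova use.
"""
import hashlib
import hmac

SHARED_SECRET = "pass"  # the README's metadata.password value
INSTANCE_ID = "4d2c3b1a-0000-4000-8000-000000000001"  # constructed UUID
TENANT_ID = "7f1e0c9a0000400080000000000000aa"           # constructed tenant id


def sign_instance_id(secret, instance_id):
    """Value the metadata agent puts in X-Instance-ID-Signature."""
    return hmac.new(secret.encode("utf-8"), instance_id.encode("utf-8"),
                    hashlib.sha256).hexdigest()


def build_proxied_headers(secret, instance_id, tenant_id, remote_ip):
    """Headers the agent adds when it forwards an instance's request to nova."""
    return {
        "X-Forwarded-For": remote_ip,
        "X-Instance-ID": instance_id,
        "X-Tenant-ID": tenant_id,
        "X-Instance-ID-Signature": sign_instance_id(secret, instance_id),
    }


def verify_metadata_request(secret, headers):
    """Nova-side check: return the instance id only if the signature matches.

    compare_digest keeps the comparison constant-time, so a wrong signature
    cannot be refined byte by byte from response timing.  A missing or
    mismatched signature rejects the request (None).
    """
    instance_id = headers.get("X-Instance-ID")
    signature = headers.get("X-Instance-ID-Signature", "")
    if not instance_id:
        return None
    expected = sign_instance_id(secret, instance_id)
    if not hmac.compare_digest(expected, signature):
        return None
    return instance_id
```

Because every node that proxies metadata must hold the same secret, the pillar value should be a long random string rather than the ``pass`` placeholder used in the samples.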
Neutron with OVN
----------------

Control node:

.. code-block:: yaml

    neutron:
      server:
        backend:
          engine: ovn
          mechanism:
            ovn:
              driver: ovn
          tenant_network_types: "geneve,flat"
          ovn:
            ovn_l3_scheduler: leastloaded # valid options: chance, leastloaded
            neutron_sync_mode: repair # valid options: log, off, repair
            metadata_enabled: True
            ovn_ctl_opts:
              db-nb-create-insecure-remote: 'yes'
              db-sb-create-insecure-remote: 'yes'

Compute node:

.. code-block:: yaml

    neutron:
      compute:
        local_ip: 10.2.0.105
        controller_vip: 10.1.0.101
        external_access: false
        backend:
          engine: ovn
          ovsdb_connection: tcp:127.0.0.1:6640
        metadata:
          enabled: true
          ovsdb_server_iface: ptcp:6640:127.0.0.1
          host: 10.1.0.101
          password: unsegreto

Neutron L2 Gateway
------------------

Control node:

.. code-block:: yaml

    neutron:
      server:
        version: pike
        l2gw:
          enabled: true
          periodic_monitoring_interval: 5
          quota_l2_gateway: 20
          # service_provider=<service_type>:<name>:<driver>[:default]
          service_provider: L2GW:OpenDaylight:networking_odl.l2gateway.driver.OpenDaylightL2gwDriver:default
        backend:
          engine: ml2

Network/Gateway node:

.. code-block:: yaml

    neutron:
      gateway:
        version: pike
        l2gw:
          enabled: true
          debug: true
          socket_timeout: 20
          ovsdb_hosts:
            # <ovsdb_name>: <ip address>:<port>
            # - ovsdb_name: a user defined symbolic identifier of physical switch
            # - ip address: the address or dns name for the OVSDB server (i.e. pointer to the switch)
            ovsdb1: 10.164.5.33:6632
            ovsdb2: 10.164.4.33:6632

OpenDaylight integration
------------------------

Control node:

.. code-block:: yaml

    neutron:
      server:
        backend:
          opendaylight: true
          router: odl-router_v2
          host: 10.20.0.77
          rest_api_port: 8282
          user: admin
          password: admin
          ovsdb_connection: tcp:127.0.0.1:6639
          ovsdb_interface: native
          enable_websocket: true
          enable_dhcp_service: false
          mechanism:
            ovs:
              driver: opendaylight_v2
              order: 1

Network/Gateway node:

.. code-block:: yaml

    neutron:
      gateway:
        backend:
          router: odl-router_v2
          ovsdb_connection: tcp:127.0.0.1:6639
          ovsdb_interface: native
        opendaylight:
          ovsdb_server_iface: ptcp:6639:127.0.0.1
          ovsdb_odl_iface: tcp:10.20.0.77:6640
          tunnel_ip: 10.1.0.110
          provider_mappings: physnet1:br-floating

Compute node:

.. code-block:: yaml

    neutron:
      compute:
        opendaylight:
          ovsdb_server_iface: ptcp:6639:127.0.0.1
          ovsdb_odl_iface: tcp:10.20.0.77:6640
          tunnel_ip: 10.1.0.105
          provider_mappings: physnet1:br-floating

Service Function Chaining Extension (SFC)
-----------------------------------------

.. code-block:: yaml

    neutron:
      server:
        sfc:
          enabled: true
          sfc_drivers:
            - ovs # valid options: ovs, odl, ovn (not implemented yet)
          flow_classifier_drivers:
            - ovs # valid options: see above
        ....
      compute:
        backend:
          ovs_extension:
            sfc:
              enabled: True

Neutron Server
--------------

Neutron Server with OpenContrail:

.. code-block:: yaml

    neutron:
      server:
        backend:
          engine: contrail
          host: contrail_discovery_host
          port: 8082
          user: admin
          password: password
          tenant: admin
          token: token

Neutron Server with Midonet:

.. code-block:: yaml

    neutron:
      server:
        backend:
          engine: midonet
          host: midonet_api_host
          port: 8181
          user: admin
          password: password

Neutron Server with NSX:

.. code-block:: yaml

    neutron:
      server:
        backend:
          engine: vmware
          core_plugin: vmware_nsxv3
          vmware:
            nsx:
              extension_drivers:
                - vmware_nsxv3_dns
              v3:
                api_password: nsx_password
                api_user: nsx_username
                api_managers:
                  01:
                    scheme: https
                    host: 192.168.10.120
                    port: '443'
                    insecure: true

Neutron Keystone region:

.. code-block:: yaml

    neutron:
      server:
        enabled: true
        version: kilo
        ...
        identity:
          region: RegionTwo
        ...
      compute:
        region: RegionTwo
        ...

Client-side RabbitMQ HA setup:

.. code-block:: yaml

    neutron:
      server:
        ....
        message_queue:
          engine: rabbitmq
          members:
            - host: 10.0.16.1
            - host: 10.0.16.2
            - host: 10.0.16.3
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        ....

Configuring TLS communications
------------------------------

.. note:: By default, system-wide installed CA certs are used,
   so the ``cacert_file`` param is optional, as well as ``cacert``.

- **RabbitMQ TLS**

  .. code-block:: yaml

      neutron:
        server, gateway, compute:
          message_queue:
            port: 5671
            ssl:
              enabled: True
              (optional) cacert: cert body if the cacert_file does not exist
              (optional) cacert_file: /etc/openstack/rabbitmq-ca.pem
              (optional) version: TLSv1_2

- **MySQL TLS**

  .. code-block:: yaml

      neutron:
        server:
          database:
            ssl:
              enabled: True
              (optional) cacert: cert body if the cacert_file does not exist
              (optional) cacert_file: /etc/openstack/mysql-ca.pem

- **Openstack HTTPS API**

  .. code-block:: yaml

      neutron:
        server:
          identity:
            protocol: https
            (optional) cacert_file: /etc/openstack/proxy.pem

Enable an auditing filter, e.g. CADF:

.. code-block:: yaml

    neutron:
      server:
        audit:
          enabled: true
          ....
          filter_factory: 'keystonemiddleware.audit:filter_factory'
          map_file: '/etc/pycadf/neutron_api_audit_map.conf'
          ....
      compute:
        audit:
          enabled: true
          ....
          filter_factory: 'keystonemiddleware.audit:filter_factory'
          map_file: '/etc/pycadf/neutron_api_audit_map.conf'
          ....

Neutron with security groups disabled:

.. code-block:: yaml

    neutron:
      server:
        security_groups_enabled: False
        ....
      compute:
        security_groups_enabled: False
        ....
      gateway:
        security_groups_enabled: False


Neutron Client
--------------

Neutron networks:

.. code-block:: yaml

    neutron:
      client:
        enabled: true
        server:
          identity:
            endpoint_type: internalURL
            network:
              inet1:
                tenant: demo
                shared: False
                admin_state_up: True
                router_external: True
                provider_physical_network: inet
                provider_network_type: flat
                provider_segmentation_id: 2
                subnet:
                  inet1-subnet1:
                    cidr: 192.168.90.0/24
                    enable_dhcp: False
              inet2:
                tenant: admin
                shared: False
                router_external: True
                provider_network_type: "vlan"
                subnet:
                  inet2-subnet1:
                    cidr: 192.168.92.0/24
                    enable_dhcp: False
                  inet2-subnet2:
                    cidr: 192.168.94.0/24
                    enable_dhcp: True
          identity1:
            network:
              ...

Neutron routers:

.. code-block:: yaml

    neutron:
      client:
        enabled: true
        server:
          identity:
            endpoint_type: internalURL
            router:
              inet1-router:
                tenant: demo
                admin_state_up: True
                gateway_network: inet
                interfaces:
                  - inet1-subnet1
                  - inet1-subnet2
          identity1:
            router:
              ...

.. TODO implement adding new interfaces to a router while updating it

Neutron security groups:

.. code-block:: yaml

    neutron:
      client:
        enabled: true
        server:
          identity:
            endpoint_type: internalURL
            security_group:
              security_group1:
                tenant: demo
                description: security group 1
                rules:
                  - direction: ingress
                    ethertype: IPv4
                    protocol: TCP
                    port_range_min: 1
                    port_range_max: 65535
                    remote_ip_prefix: 0.0.0.0/0
                  - direction: ingress
                    ethertype: IPv4
                    protocol: UDP
                    port_range_min: 1
                    port_range_max: 65535
                    remote_ip_prefix: 0.0.0.0/0
                  - direction: ingress
                    protocol: ICMP
                    remote_ip_prefix: 0.0.0.0/0
          identity1:
            security_group:
              ...

.. TODO: implement updating existing security rules (now it adds a new rule if
   trying to update an existing one)

Floating IP addresses:

.. code-block:: yaml

    neutron:
      client:
        enabled: true
        server:
          identity:
            endpoint_type: internalURL
            floating_ip:
              prx01-instance:
                server: prx01.mk22-lab-basic.local
                subnet: private-subnet1
                network: public-net1
                tenant: demo
              gtw01-instance:
                ...

.. note:: The network must have the flag ``router:external`` set to True.
   The instance port in the stated subnet will be associated
   with the dynamically generated floating IP.
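
The client pillars above are applied as-is by the formula, so a wide-open
security group or a floating IP pointed at the wrong network is only noticed
after ``state.apply``. As an added example (not code from the
salt-formula-neutron README or from the formula itself), the Python check
below reads a ``neutron:client`` pillar before it is applied and reports two
things: ingress rules that admit ``0.0.0.0/0`` or ``::/0`` on every port, as the
sample ``security_group1`` does, and ``floating_ip`` entries whose ``network``
is not marked ``router_external``, the condition the note above describes. The
pillar data in the block is constructed for the example and follows the
README's key layout; the checker functions are assumptions, not part of the
formula.

```python
from typing import Dict, List

# Prefixes that mean "anywhere" in a Neutron security group rule.
ANY_PREFIXES = ("0.0.0.0/0", "::/0")

# Constructed pillar modelled on the README samples above (not a real deployment).
PILLAR = {
    "neutron": {
        "client": {
            "enabled": True,
            "server": {
                "identity": {
                    "endpoint_type": "internalURL",
                    "network": {
                        "public-net1": {
                            "tenant": "demo", "router_external": True,
                            "subnet": {"public-subnet1": {"cidr": "192.168.90.0/24"}},
                        },
                        "private-net1": {
                            "tenant": "demo", "router_external": False,
                            "subnet": {"private-subnet1": {"cidr": "10.10.10.0/24"}},
                        },
                    },
                    "security_group": {
                        "security_group1": {
                            "tenant": "demo",
                            "rules": [
                                # wide open: every TCP port from anywhere
                                {"direction": "ingress", "ethertype": "IPv4", "protocol": "TCP",
                                 "port_range_min": 1, "port_range_max": 65535,
                                 "remote_ip_prefix": "0.0.0.0/0"},
                                # scoped: SSH from one management subnet only
                                {"direction": "ingress", "ethertype": "IPv4", "protocol": "TCP",
                                 "port_range_min": 22, "port_range_max": 22,
                                 "remote_ip_prefix": "192.168.90.0/24"},
                                # egress to anywhere is the Neutron default and is not flagged
                                {"direction": "egress", "ethertype": "IPv4",
                                 "remote_ip_prefix": "0.0.0.0/0"},
                            ],
                        },
                    },
                    "floating_ip": {
                        "prx01-instance": {"server": "prx01.example.local", "tenant": "demo",
                                           "subnet": "private-subnet1", "network": "public-net1"},
                        "gtw01-instance": {"server": "gtw01.example.local", "tenant": "demo",
                                           "subnet": "private-subnet1", "network": "private-net1"},
                    },
                },
            },
        },
    },
}


def covers_all_ports(rule: Dict) -> bool:
    """Neutron treats a missing port range as "all ports" (or all ICMP types)."""
    lo, hi = rule.get("port_range_min"), rule.get("port_range_max")
    if lo is None and hi is None:
        return True
    return lo == 1 and hi == 65535


def check_security_groups(identity: Dict) -> List[str]:
    """Flag ingress rules that admit any source address on every port."""
    findings = []
    for sg_name, sg in identity.get("security_group", {}).items():
        for rule in sg.get("rules", []):
            if rule.get("direction") != "ingress":
                continue
            if rule.get("remote_ip_prefix") in ANY_PREFIXES and covers_all_ports(rule):
                findings.append(f"{sg_name}: {rule.get('protocol', 'any')} ingress from "
                                f"{rule['remote_ip_prefix']} on all ports")
    return findings


def check_floating_ips(identity: Dict) -> List[str]:
    """A floating IP can only be allocated from a router_external network."""
    findings = []
    networks = identity.get("network", {})
    for fip_name, fip in identity.get("floating_ip", {}).items():
        net = networks.get(fip.get("network"))
        if net is None:
            findings.append(f"{fip_name}: network {fip.get('network')} is not defined in this pillar")
        elif not net.get("router_external", False):
            findings.append(f"{fip_name}: network {fip['network']} is not router_external")
    return findings


def lint_client_pillar(pillar: Dict) -> List[str]:
    """Run both checks for every identity under neutron:client:server."""
    findings = []
    identities = pillar.get("neutron", {}).get("client", {}).get("server", {})
    for ident_name, identity in identities.items():
        for finding in check_security_groups(identity) + check_floating_ips(identity):
            findings.append(f"[{ident_name}] {finding}")
    return findings


if __name__ == "__main__":
    for line in lint_client_pillar(PILLAR):
        print(line)
```

Run against the constructed pillar it reports the all-ports TCP rule and the
``gtw01-instance`` entry that names a non-external network; the SSH rule scoped
to one subnet and the ``prx01-instance`` entry pass. Networks defined in another
pillar file are reported as undefined rather than silently accepted, so merge
the pillar tree first when networks and floating IPs live in different files.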

Enable Neutron extensions (QoS, DNS, etc.)
------------------------------------------

.. code-block:: yaml

    neutron:
      server:
        backend:
          extension:
            dns:
              enabled: True
              host: 127.0.0.1
              port: 9001
              protocol: http
            ....
            qos:
              enabled: True

Different Neutron extensions for different agents
-------------------------------------------------

.. code-block:: yaml

    neutron:
      server:
        backend:
          extension: # common extensions for OVS and SRIOV agents
            dns:
              enabled: True
            ...
            qos:
              enabled: True
          ovs_extension: # OVS specific extensions
            bagpipe_bgpvpn:
              enabled: True
          sriov_extension: # SRIOV specific extensions
            dummy:
              enabled: True

Neutron with Designate
----------------------

.. code-block:: yaml

    neutron:
      server:
        backend:
          extension:
            dns:
              enabled: True
              host: 127.0.0.1
              port: 9001
              protocol: http

Enable RBAC for OpenContrail engine
-----------------------------------

.. code-block:: yaml

    neutron:
      server:
        backend:
          engine: contrail
          rbac:
            enabled: True

Enhanced logging with logging.conf
----------------------------------

By default ``logging.conf`` is disabled.

It is possible to enable a per-binary ``logging.conf`` with new variables:

* ``openstack_log_appender``
  Set to true to enable ``log_config_append`` for all OpenStack services

* ``openstack_fluentd_handler_enabled``
  Set to true to enable FluentHandler for all OpenStack services

* ``openstack_ossyslog_handler_enabled``
  Set to true to enable OSSysLogHandler for all OpenStack services.

Only ``WatchedFileHandler``, ``OSSysLogHandler``, and ``FluentHandler``
are available.

It is also possible to configure this with pillar:

.. code-block:: yaml

    neutron:
      server:
        logging:
          log_appender: true
          log_handlers:
            watchedfile:
              enabled: true
            fluentd:
              enabled: true
            ossyslog:
              enabled: true
        ....
      compute:
        logging:
          log_appender: true
          log_handlers:
            watchedfile:
              enabled: true
            fluentd:
              enabled: true
            ossyslog:
              enabled: true
        ....
      gateway:
        logging:
          log_appender: true
          log_handlers:
            watchedfile:
              enabled: true
            fluentd:
              enabled: true
            ossyslog:
              enabled: true

Logging levels pillar example:

.. code-block:: yaml

    neutron:
      server:
        logging:
          log_appender: true
          loggers:
            root:
              level: 'DEBUG'
            neutron:
              level: 'DEBUG'
            amqplib:
              level: 'DEBUG'
            sqlalchemy:
              level: 'DEBUG'
            boto:
              level: 'DEBUG'
            suds:
              level: 'DEBUG'
            eventletwsgi:
              level: 'DEBUG'
            ......
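
The formula renders the ``logging`` pillar above into a ``logging.conf`` that
the service loads through ``log_config_append``; what actually gets written
depends on how ``log_handlers`` and ``loggers`` interact. As an added example
(not the formula's own template or code), the block below turns the same pillar
subtree into a ``logging.config.dictConfig`` dictionary, applies it, emits a few
records and reports which ones reached the log file. Assumptions: the standard
library ``WatchedFileHandler`` and ``SysLogHandler`` stand in for the oslo.log
handlers the README names, and ``fluentd`` is mapped to a plain stream handler
because the real FluentHandler needs an extra package; the pillar fragment is
constructed, with ``root`` kept at ``WARNING`` so the per-logger levels are
visible.

```python
import logging
import logging.config
import os
import tempfile
from typing import Dict, List, Tuple

# Constructed ``neutron:server:logging`` subtree (not a real deployment).
LOGGING_PILLAR = {
    "log_appender": True,
    "log_handlers": {
        "watchedfile": {"enabled": True},
        "fluentd": {"enabled": False},
        "ossyslog": {"enabled": True},
    },
    "loggers": {
        "root": {"level": "WARNING"},
        "neutron": {"level": "DEBUG"},
        "sqlalchemy": {"level": "INFO"},
        "boto": {"level": "WARNING"},
    },
}

# Pillar handler names mapped to standard-library stand-ins. Assumption: the
# formula itself renders oslo.log's OSSysLogHandler and FluentHandler here.
HANDLER_CLASSES = {
    "watchedfile": "logging.handlers.WatchedFileHandler",
    "ossyslog": "logging.handlers.SysLogHandler",
    "fluentd": "logging.StreamHandler",
}


def build_logging_config(pillar: Dict, log_file: str) -> Dict:
    """Turn the pillar subtree into a logging.config.dictConfig() dictionary."""
    if not pillar.get("log_appender"):
        return {}  # log_config_append is off: nothing to render
    handlers = {}
    for name, opts in pillar.get("log_handlers", {}).items():
        if not opts.get("enabled"):
            continue
        spec = {"class": HANDLER_CLASSES[name], "formatter": "default"}
        if name == "watchedfile":
            spec["filename"] = log_file
        elif name == "ossyslog":
            spec["address"] = ("127.0.0.1", 514)  # UDP; no daemon needed to create it
        handlers[name] = spec
    root = {"level": "WARNING", "handlers": list(handlers)}
    loggers = {}
    for name, opts in pillar.get("loggers", {}).items():
        if name == "root":
            root["level"] = opts["level"]
        else:
            loggers[name] = {"level": opts["level"]}
    return {
        "version": 1,
        "disable_existing_loggers": False,
        "formatters": {"default": {"format": "%(levelname)s %(name)s %(message)s"}},
        "handlers": handlers,
        "root": root,
        "loggers": loggers,
    }


def apply_and_probe(pillar: Dict) -> Tuple[Dict[str, str], List[str]]:
    """Apply the rendered config, emit a few records and report what landed."""
    probes = {
        "neutron.agent": logging.DEBUG,      # inherits DEBUG from "neutron"
        "sqlalchemy.engine": logging.INFO,   # inherits INFO from "sqlalchemy"
        "boto": logging.DEBUG,               # below boto's WARNING: dropped
    }
    fd, path = tempfile.mkstemp(suffix=".log")
    os.close(fd)
    try:
        logging.config.dictConfig(build_logging_config(pillar, path))
        for name, level in probes.items():
            logging.getLogger(name).log(level, "probe from %s", name)
        for handler in logging.getLogger().handlers:
            handler.flush()
        with open(path) as fh:
            lines = fh.read().splitlines()
    finally:
        os.unlink(path)
    levels = {name: logging.getLevelName(logging.getLogger(name).getEffectiveLevel())
              for name in probes}
    return levels, lines
```

With the constructed pillar the ``neutron.agent`` DEBUG and ``sqlalchemy.engine``
INFO records reach the file while the ``boto`` DEBUG record is dropped, which is
the effect of setting ``root`` to ``WARNING`` and raising only the loggers you
need. Setting every logger to ``DEBUG`` as in the README sample is fine for
troubleshooting but floods the file and syslog with SQL statements and AMQP
frames, so revert it once the investigation is over.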

Neutron server with memcached caching and security strategy:

.. code-block:: yaml

    neutron:
      server:
        enabled: true
        ...
        cache:
          engine: memcached
          members:
            - host: 127.0.0.1
              port: 11211
            - host: 127.0.0.1
              port: 11211
          security:
            enabled: true
            strategy: ENCRYPT
            secret_key: secret

Upgrades
========

Each OpenStack formula provides a set of phases (logical blocks) that help to
build flexible upgrade orchestration logic for a particular component. The
phases and their descriptions are listed in the table below:

+-------------------------------+------------------------------------------------------+
| State                         | Description                                          |
+===============================+======================================================+
| <app>.upgrade.service_running | Ensure that all services for particular application  |
|                               | are enabled for autostart and running                |
+-------------------------------+------------------------------------------------------+
| <app>.upgrade.service_stopped | Ensure that all services for particular application  |
|                               | are disabled for autostart and dead                  |
+-------------------------------+------------------------------------------------------+
| <app>.upgrade.pkg_latest      | Ensure that packages used by particular application  |
|                               | are installed to latest available version.           |
|                               | This will not upgrade data plane packages like qemu  |
|                               | and openvswitch as usually minimal required version  |
|                               | in openstack services is really old. The data plane  |
|                               | packages should be upgraded separately by            |
|                               | ``apt-get upgrade`` or ``apt-get dist-upgrade``.     |
|                               | Applying this state will not autostart service.      |
+-------------------------------+------------------------------------------------------+
| <app>.upgrade.render_config   | Ensure configuration is rendered for the actual      |
|                               | version.                                             |
+-------------------------------+------------------------------------------------------+
| <app>.upgrade.pre             | We assume this state is applied on all nodes in the  |
|                               | cloud before running upgrade.                        |
|                               | Only non destructive actions will be applied during  |
|                               | this phase, and run the built-in service checks      |
|                               | (keystone-manage doctor and nova-status upgrade).    |
+-------------------------------+------------------------------------------------------+
| <app>.upgrade.upgrade.pre     | Mostly applicable for data plane nodes. During this  |
|                               | phase resources will be gracefully removed from      |
|                               | current node if it is allowed. Services for upgraded |
|                               | application will be set to admin disabled state to   |
|                               | make sure node will not participate in resources     |
|                               | scheduling. For example on gtw nodes this will set   |
|                               | all agents to admin disable state and will move all  |
|                               | routers to other agents.                             |
+-------------------------------+------------------------------------------------------+
| <app>.upgrade.upgrade         | This state will basically upgrade application on     |
|                               | particular target. Stop services, render             |
|                               | configuration, install new packages, run offline     |
|                               | dbsync (for ctl), start services. Data plane should  |
|                               | not be affected, only OpenStack python services.     |
+-------------------------------+------------------------------------------------------+
| <app>.upgrade.upgrade.post    | Add services back to scheduling.                     |
+-------------------------------+------------------------------------------------------+
| <app>.upgrade.post            | This phase should be launched only when upgrade of   |
|                               | the cloud is completed.                              |
+-------------------------------+------------------------------------------------------+
| <app>.upgrade.verify          | Here we will do basic health checks (API CRUD        |
|                               | operations, verify there are no dead network         |
|                               | agents or compute services).                         |
+-------------------------------+------------------------------------------------------+


Enable x509 and ssl communication between Neutron and Galera cluster
--------------------------------------------------------------------

By default communication between Neutron and Galera is insecure.

.. code-block:: yaml

    neutron:
      server:
        database:
          x509:
            enabled: True

You can set custom certificates in pillar:

.. code-block:: yaml

    neutron:
      server:
        database:
          x509:
            cacert: (certificate content)
            cert: (certificate content)
            key: (certificate content)

You can read more about it here:
https://docs.openstack.org/security-guide/databases/database-access-control.html
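
Several of the switches documented on this page decide whether a Neutron
control plane talks over protected channels or not: ``database.ssl`` and
``database.x509`` for Galera, ``message_queue.ssl`` for RabbitMQ,
``identity.protocol`` for Keystone (all under "Configuring TLS
communications" and this section), ``insecure: true`` on an NSX
``api_managers`` entry, the memcached ``security.strategy``, and
``security_groups_enabled`` per role. As an added example (not code from the
salt-formula-neutron README or the formula), the block below walks a
``neutron`` pillar and lists every one of those settings that is left in its
weak state, so the review can happen before ``state.apply``. The pillar inside
the block is constructed to mix hardened and weak values; hosts and secrets are
placeholders, and the checker functions are assumptions that follow the
README's key names.

```python
from typing import Any, Dict, List

# Constructed pillar that mixes hardened and weak settings on purpose; the
# hosts and credentials are placeholders, not a real deployment.
PILLAR = {
    "neutron": {
        "server": {
            "enabled": True,
            "security_groups_enabled": False,
            "database": {
                "engine": "mysql", "host": "10.0.0.5",
                "ssl": {"enabled": False},
                "x509": {"enabled": False},
            },
            "message_queue": {
                "engine": "rabbitmq", "port": 5671,
                "ssl": {"enabled": True, "version": "TLSv1_2",
                        "cacert_file": "/etc/openstack/rabbitmq-ca.pem"},
            },
            "identity": {"engine": "keystone", "protocol": "http"},
            "cache": {
                "engine": "memcached",
                "members": [{"host": "10.0.0.7", "port": 11211}],
                "security": {"enabled": True, "strategy": "MAC", "secret_key": "secret"},
            },
            "backend": {
                "engine": "vmware", "core_plugin": "vmware_nsxv3",
                "vmware": {"nsx": {"v3": {"api_managers": {
                    "01": {"scheme": "https", "host": "192.168.10.120",
                           "port": "443", "insecure": True},
                }}}},
            },
        },
        "compute": {"security_groups_enabled": True},
        "gateway": {"security_groups_enabled": False},
    }
}


def _enabled(section: Dict[str, Any], key: str) -> bool:
    """True when ``section[key]['enabled']`` is set (the formula's on/off idiom)."""
    return bool(section.get(key, {}).get("enabled", False))


def check_transport(server: Dict[str, Any]) -> List[str]:
    """Database, RPC and Keystone links should all be TLS-protected."""
    findings = []
    db = server.get("database", {})
    if not (_enabled(db, "ssl") or _enabled(db, "x509")):
        findings.append("database: neither ssl nor x509 enabled; SQL traffic to Galera is cleartext")
    mq = server.get("message_queue", {})
    if not _enabled(mq, "ssl"):
        findings.append("message_queue: ssl not enabled; RPC traffic is cleartext")
    elif mq.get("port") != 5671:
        findings.append(f"message_queue: ssl enabled but port is {mq.get('port')}, not 5671")
    if server.get("identity", {}).get("protocol", "http") != "https":
        findings.append("identity: Keystone protocol is not https")
    return findings


def check_nsx(server: Dict[str, Any]) -> List[str]:
    """``insecure: true`` on an NSX manager turns off certificate verification."""
    managers = (server.get("backend", {}).get("vmware", {}).get("nsx", {})
                .get("v3", {}).get("api_managers", {}))
    return [f"nsx api_managers[{name}]: insecure=true, certificate of {m.get('host')} is not verified"
            for name, m in managers.items() if m.get("insecure")]


def check_cache(server: Dict[str, Any]) -> List[str]:
    """memcached holds validated tokens; require the ENCRYPT security strategy."""
    cache = server.get("cache")
    if not cache:
        return []
    sec = cache.get("security", {})
    if not sec.get("enabled"):
        return ["cache: memcached security is disabled"]
    if sec.get("strategy") != "ENCRYPT":
        return [f"cache: strategy {sec.get('strategy')} only authenticates entries; ENCRYPT also encrypts them"]
    return []


def check_security_groups(neutron: Dict[str, Any]) -> List[str]:
    """security_groups_enabled: False switches off port filtering for that role."""
    return [f"{role}: security_groups_enabled is False"
            for role in ("server", "compute", "gateway")
            if neutron.get(role, {}).get("security_groups_enabled", True) is False]


def lint_server_pillar(pillar: Dict[str, Any]) -> List[str]:
    """Collect every weak setting found in the neutron pillar tree."""
    neutron = pillar.get("neutron", {})
    server = neutron.get("server", {})
    return (check_transport(server) + check_nsx(server)
            + check_cache(server) + check_security_groups(neutron))


if __name__ == "__main__":
    for line in lint_server_pillar(PILLAR):
        print(line)
```

On the constructed pillar the RabbitMQ link passes (TLS on port 5671) while the
database, Keystone, NSX manager, memcached strategy and two of the three
``security_groups_enabled`` switches are reported. Keep the pillar sections the
check understands named as on this page; any other layout is simply treated as
absent and not reported.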

Documentation and Bugs
======================

* http://salt-formulas.readthedocs.io/
  Learn how to install and update salt-formulas

* https://github.com/salt-formulas/salt-formula-neutron/issues
  In the unfortunate event that bugs are discovered, report the issue to the
  appropriate issue tracker. Use the GitHub issue tracker for a specific salt
  formula

* https://launchpad.net/salt-formulas
  For feature requests, bug reports, or blueprints affecting the entire
  ecosystem, use the Launchpad salt-formulas project

* https://launchpad.net/~salt-formulas-users
  Join the salt-formulas-users team and subscribe to the mailing list if required

* https://github.com/salt-formulas/salt-formula-neutron
  Develop the salt-formulas projects in the master branch and then submit pull
  requests against a specific formula

* #salt-formulas @ irc.freenode.net
  Use this IRC channel in case of any questions or feedback, which is always
  welcome
