=======================
Neutron Network Service
=======================

Neutron is an OpenStack project to provide "networking as a service" between
interface devices (e.g., vNICs) managed by other OpenStack services (e.g.,
nova).

Starting in the Folsom release, Neutron is a core and supported part of the
OpenStack platform (for Essex, we were an "incubated" project, which means use
is suggested only for those who really know what they're doing with Neutron).

Sample pillars
==============

Neutron Server on the controller node

.. code-block:: yaml

    neutron:
      server:
        enabled: true
        version: mitaka
        allow_pagination: true
        pagination_max_limit: 100
        bind:
          address: 172.20.0.1
          port: 9696
        database:
          engine: mysql
          host: 127.0.0.1
          port: 3306
          name: neutron
          user: neutron
          password: pwd
        identity:
          engine: keystone
          host: 127.0.0.1
          port: 35357
          user: neutron
          password: pwd
          tenant: service
          endpoint_type: internal
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        metadata:
          host: 127.0.0.1
          port: 8775
          password: pass
        audit:
          enabled: false

Note: Pagination is useful when retrieving a large number of resources,
because a single request may fail (time out). It is enabled with both
parameters *allow_pagination* and *pagination_max_limit*, as shown above.


Neutron VXLAN tenant networks with Network Nodes (with DVR for East-West and Network node for North-South)
==============================================================================================================

This use case describes a model utilising VxLAN overlay with DVR. The DVR
routers will only be utilized for traffic that is routed within the cloud
infrastructure and that remains encapsulated. External traffic will be
routed via the network nodes.

The intention is that each tenant will require at least two (2) vrouters
one to be utilised

Neutron Server only
-------------------

.. code-block:: yaml

    neutron:
      server:
        version: mitaka
        plugin: ml2
        bind:
          address: 172.20.0.1
          port: 9696
        database:
          engine: mysql
          host: 127.0.0.1
          port: 3306
          name: neutron
          user: neutron
          password: pwd
        identity:
          engine: keystone
          host: 127.0.0.1
          port: 35357
          user: neutron
          password: pwd
          tenant: service
          endpoint_type: internal
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        global_physnet_mtu: 9000
        l3_ha: False # Which type of router will be created by default
        dvr: True # disabled for non DVR use case
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          external_mtu: 9000
          mechanism:
            ovs:
              driver: openvswitch

Network Node only
-----------------

.. code-block:: yaml

    neutron:
      gateway:
        enabled: True
        version: mitaka
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        local_ip: 192.168.20.20 # br-mesh ip address
        dvr: True # disabled for non DVR use case
        agent_mode: dvr_snat
        metadata:
          host: 127.0.0.1
          password: pass
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          mechanism:
            ovs:
              driver: openvswitch

Compute Node
-------------

.. code-block:: yaml

    neutron:
      compute:
        enabled: True
        version: mitaka
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        local_ip: 192.168.20.20 # br-mesh ip address
        dvr: True # disabled for non DVR use case
        agent_mode: dvr
        external_access: false # Compute node with DVR for east-west only, Network Node has True as default
        metadata:
          host: 127.0.0.1
          password: pass
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          mechanism:
            ovs:
              driver: openvswitch
        audit:
          enabled: false

Neutron VXLAN tenant networks with Network Nodes (non DVR)
==========================================================

This section describes a network solution that utilises VxLAN overlay
networks without DVR with all routers being managed on the network nodes.

Neutron Server only
-------------------

.. code-block:: yaml

    neutron:
      server:
        version: mitaka
        plugin: ml2
        bind:
          address: 172.20.0.1
          port: 9696
        database:
          engine: mysql
          host: 127.0.0.1
          port: 3306
          name: neutron
          user: neutron
          password: pwd
        identity:
          engine: keystone
          host: 127.0.0.1
          port: 35357
          user: neutron
          password: pwd
          tenant: service
          endpoint_type: internal
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        global_physnet_mtu: 9000
        l3_ha: True
        dvr: False
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          external_mtu: 9000
          mechanism:
            ovs:
              driver: openvswitch

Network Node only
-----------------

.. code-block:: yaml

    neutron:
      gateway:
        enabled: True
        version: mitaka
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        local_ip: 192.168.20.20 # br-mesh ip address
        dvr: False
        agent_mode: legacy
        metadata:
          host: 127.0.0.1
          password: pass
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          mechanism:
            ovs:
              driver: openvswitch

Compute Node
-------------

.. code-block:: yaml

    neutron:
      compute:
        enabled: True
        version: mitaka
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        local_ip: 192.168.20.20 # br-mesh ip address
        external_access: False
        dvr: False
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          mechanism:
            ovs:
              driver: openvswitch

Neutron VXLAN tenant networks with Network Nodes (with DVR for East-West and North-South, DVR everywhere, Network node for SNAT)
==================================================================================================================================

This section describes a network solution that utilises VxLAN
overlay networks with DVR for both North-South and East-West traffic.
The Network Node is used only for SNAT.

Neutron Server only
-------------------

.. code-block:: yaml

    neutron:
      server:
        version: mitaka
        plugin: ml2
        bind:
          address: 172.20.0.1
          port: 9696
        database:
          engine: mysql
          host: 127.0.0.1
          port: 3306
          name: neutron
          user: neutron
          password: pwd
        identity:
          engine: keystone
          host: 127.0.0.1
          port: 35357
          user: neutron
          password: pwd
          tenant: service
          endpoint_type: internal
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        global_physnet_mtu: 9000
        l3_ha: False
        dvr: True
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          external_mtu: 9000
          mechanism:
            ovs:
              driver: openvswitch

Network Node only
-----------------

.. code-block:: yaml

    neutron:
      gateway:
        enabled: True
        version: mitaka
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        local_ip: 192.168.20.20 # br-mesh ip address
        dvr: True
        agent_mode: dvr_snat
        metadata:
          host: 127.0.0.1
          password: pass
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          mechanism:
            ovs:
              driver: openvswitch

Compute Node
-------------

.. code-block:: yaml

    neutron:
      compute:
        enabled: True
        version: mitaka
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        local_ip: 192.168.20.20 # br-mesh ip address
        dvr: True
        external_access: True
        agent_mode: dvr
        metadata:
          host: 127.0.0.1
          password: pass
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          mechanism:
            ovs:
              driver: openvswitch

Sample Linux network configuration for DVR
--------------------------------------------

.. code-block:: yaml

    linux:
      network:
        bridge: openvswitch
        interface:
          eth1:
            enabled: true
            type: eth
            mtu: 9000
            proto: manual
          eth2:
            enabled: true
            type: eth
            mtu: 9000
            proto: manual
          eth3:
            enabled: true
            type: eth
            mtu: 9000
            proto: manual
          br-int:
            enabled: true
            mtu: 9000
            type: ovs_bridge
          br-floating:
            enabled: true
            mtu: 9000
            type: ovs_bridge
          float-to-ex:
            enabled: true
            type: ovs_port
            mtu: 65000
            bridge: br-floating
          br-mgmt:
            enabled: true
            type: bridge
            mtu: 9000
            address: ${_param:single_address}
            netmask: 255.255.255.0
            use_interfaces:
            - eth1
          br-mesh:
            enabled: true
            type: bridge
            mtu: 9000
            address: ${_param:tenant_address}
            netmask: 255.255.255.0
            use_interfaces:
            - eth2
          br-ex:
            enabled: true
            type: bridge
            mtu: 9000
            address: ${_param:external_address}
            netmask: 255.255.255.0
            use_interfaces:
            - eth3
            use_ovs_ports:
            - float-to-ex

Neutron VLAN tenant networks with Network Nodes
===============================================

VLAN tenant provider

Neutron Server only
-------------------

.. code-block:: yaml

    neutron:
      server:
        version: mitaka
        plugin: ml2
        ...
        global_physnet_mtu: 9000
        l3_ha: False
        dvr: True
        backend:
          engine: ml2
          tenant_network_types: "flat,vlan" # Can be mixed flat,vlan,vxlan
          tenant_vlan_range: "1000:2000"
          external_vlan_range: "100:200" # Does not have to be defined.
          external_mtu: 9000
          mechanism:
            ovs:
              driver: openvswitch

Compute node
-------------------

.. code-block:: yaml

    neutron:
      compute:
        version: mitaka
        plugin: ml2
        ...
        dvr: True
        agent_mode: dvr
        external_access: False
        backend:
          engine: ml2
          tenant_network_types: "flat,vlan" # Can be mixed flat,vlan,vxlan
          mechanism:
            ovs:
              driver: openvswitch

Neutron OVS DPDK
==================

Enable datapath netdev for neutron openvswitch agent

.. code-block:: yaml

    neutron:
      server:
        version: mitaka
        ...
        dpdk: True
        ...

    neutron:
      compute:
        version: mitaka
        plugin: ml2
        dpdk: True
        backend:
          engine: ml2
          ...
          mechanism:
            ovs:
              driver: openvswitch

Neutron OVS SR-IOV
==================

.. code-block:: yaml

    neutron:
      server:
        version: mitaka
        plugin: ml2
        backend:
          engine: ml2
          ...
          mechanism:
            ovs:
              driver: openvswitch
            sriov:
              driver: sriovnicswitch

    neutron:
      compute:
        version: mitaka
        plugin: ml2
        ...
        backend:
          engine: ml2
          tenant_network_types: "flat,vlan" # Can be mixed flat,vlan,vxlan
          sriov:
            nic_one:
              devname: eth1
              physical_network: physnet3
          mechanism:
            ovs:
              driver: openvswitch

Neutron Server with OpenContrail
==================================

.. code-block:: yaml

    neutron:
      server:
        plugin: contrail
        backend:
          engine: contrail
          host: contrail_discovery_host
          port: 8082
          user: admin
          password: password
          tenant: admin
          token: token

Neutron Server with Midonet
===========================

.. code-block:: yaml

    neutron:
      server:
        backend:
          engine: midonet
          host: midonet_api_host
          port: 8181
          user: admin
          password: password

Other
=====

Neutron Keystone region

.. code-block:: yaml

    neutron:
      server:
        enabled: true
        version: kilo
        ...
        identity:
          region: RegionTwo
        ...
        compute:
          region: RegionTwo
        ...


Client-side RabbitMQ HA setup

.. code-block:: yaml

    neutron:
      server:
        ....
        message_queue:
          engine: rabbitmq
          members:
            - host: 10.0.16.1
            - host: 10.0.16.2
            - host: 10.0.16.3
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        ....

Enable auditing filter, i.e. CADF

.. code-block:: yaml

    neutron:
      server:
        audit:
          enabled: true
      ....
          filter_factory: 'keystonemiddleware.audit:filter_factory'
          map_file: '/etc/pycadf/neutron_api_audit_map.conf'
      ....
      compute:
        audit:
          enabled: true
      ....
          filter_factory: 'keystonemiddleware.audit:filter_factory'
          map_file: '/etc/pycadf/neutron_api_audit_map.conf'
      ....


Client role
-----------

Neutron networks

.. code-block:: yaml

    neutron:
      client:
        enabled: true
        server:
          identity:
            network:
              inet1:
                tenant: demo
                shared: False
                admin_state_up: True
                router_external: True
                provider_physical_network: inet
                provider_network_type: flat
                provider_segmentation_id: 2
                subnet:
                  inet1-subnet1:
                    cidr: 192.168.90.0/24
                    enable_dhcp: False
              inet2:
                tenant: admin
                shared: False
                router_external: True
                provider_network_type: "vlan"
                subnet:
                  inet2-subnet1:
                    cidr: 192.168.92.0/24
                    enable_dhcp: False
                  inet2-subnet2:
                    cidr: 192.168.94.0/24
                    enable_dhcp: True
          identity1:
            network:
              ...


Neutron routers

.. code-block:: yaml

    neutron:
      client:
        enabled: true
        server:
          identity:
            router:
              inet1-router:
                tenant: demo
                admin_state_up: True
                gateway_network: inet
                interfaces:
                  - inet1-subnet1
                  - inet1-subnet2
          identity1:
            router:
              ...

    TODO: implement adding new interfaces to a router while updating it


Neutron security groups

.. code-block:: yaml

    neutron:
      client:
        enabled: true
        server:
          identity:
            security_group:
              security_group1:
                tenant: demo
                description: security group 1
                rules:
                  - direction: ingress
                    ethertype: IPv4
                    protocol: TCP
                    port_range_min: 1
                    port_range_max: 65535
                    remote_ip_prefix: 0.0.0.0/0
                  - direction: ingress
                    ethertype: IPv4
                    protocol: UDP
                    port_range_min: 1
                    port_range_max: 65535
                    remote_ip_prefix: 0.0.0.0/0
                  - direction: ingress
                    protocol: ICMP
                    remote_ip_prefix: 0.0.0.0/0
          identity1:
            security_group:
              ...

    TODO: implement updating existing security rules (now it adds new rule if trying to update existing one)

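The security group sample above opens every TCP and UDP port to ``0.0.0.0/0``. The following added example (not part of the formula) walks a client pillar and reports ingress rules that expose a wide port range to any source. The pillar dict is constructed, and the ``web_only`` group and the ``MAX_PUBLIC_PORTS`` threshold are assumptions.

```python
import ipaddress

# Constructed sample: security_group1 copies the rules from the pillar above;
# "web_only" is a hypothetical narrower group added for contrast.
ANY = "0.0.0.0/0"
PILLAR = {"neutron": {"client": {"enabled": True, "server": {"identity": {
    "security_group": {
        "security_group1": {"tenant": "demo", "rules": [
            {"direction": "ingress", "ethertype": "IPv4", "protocol": "TCP",
             "port_range_min": 1, "port_range_max": 65535, "remote_ip_prefix": ANY},
            {"direction": "ingress", "ethertype": "IPv4", "protocol": "UDP",
             "port_range_min": 1, "port_range_max": 65535, "remote_ip_prefix": ANY},
            {"direction": "ingress", "protocol": "ICMP", "remote_ip_prefix": ANY},
        ]},
        "web_only": {"tenant": "demo", "rules": [
            {"direction": "ingress", "ethertype": "IPv4", "protocol": "TCP",
             "port_range_min": 443, "port_range_max": 443, "remote_ip_prefix": ANY},
            {"direction": "ingress", "ethertype": "IPv4", "protocol": "TCP",
             "port_range_min": 22, "port_range_max": 22,
             "remote_ip_prefix": "10.0.16.0/24"},
        ]},
    }}}}}}

MAX_PUBLIC_PORTS = 16  # assumption: widest port span tolerated from any source


def is_any_source(prefix):
    """True when a rule has no source restriction (missing prefix or a /0)."""
    if not prefix:
        return True
    return ipaddress.ip_network(prefix, strict=False).prefixlen == 0


def port_span(rule):
    """Ports covered by a rule; a rule without a range covers all of them."""
    lo, hi = rule.get("port_range_min"), rule.get("port_range_max")
    if lo is None and hi is None:
        return 65535
    lo = hi if lo is None else lo
    hi = lo if hi is None else hi
    return int(hi) - int(lo) + 1


def audit_security_groups(pillar, max_ports=MAX_PUBLIC_PORTS):
    """List (identity, group, rule index, protocol, ports) for ingress rules
    that expose more than max_ports ports to any source address."""
    findings = []
    servers = pillar.get("neutron", {}).get("client", {}).get("server", {})
    for identity, resources in servers.items():
        groups = (resources or {}).get("security_group") or {}
        for name, group in groups.items():
            for idx, rule in enumerate((group or {}).get("rules") or []):
                proto = str(rule.get("protocol") or "any").lower()
                if rule.get("direction") != "ingress" or proto == "icmp":
                    continue  # ICMP range fields are type/code, not ports
                span = port_span(rule)
                if is_any_source(rule.get("remote_ip_prefix")) and span > max_ports:
                    findings.append((identity, name, idx, proto, span))
    return findings
```

Calling ``audit_security_groups(PILLAR)`` flags the TCP and UDP rules of ``security_group1`` and leaves ``web_only`` alone.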

Floating IP addresses

.. code-block:: yaml

    neutron:
      client:
        enabled: true
        server:
          identity:
            floating_ip:
              prx01-instance:
                server: prx01.mk22-lab-basic.local
                subnet: private-subnet1
                network: public-net1
                tenant: demo
              gtw01-instance:
                ...

.. note:: The network must have flag router:external set to True.
          Instance port in the stated subnet will be associated with the dynamically generated floating IP.


Usage
=====

Fix RDO Neutron installation

.. code-block:: bash

    neutron-db-manage --config-file /usr/share/neutron/neutron-dist.conf --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugin.ini stamp havana

Documentation and Bugs
============================

To learn how to deploy OpenStack Salt, consult the documentation available
online at:

    https://wiki.openstack.org/wiki/OpenStackSalt

In the unfortunate event that bugs are discovered, they should be reported to
the appropriate bug tracker. If you obtained the software from a 3rd party
operating system vendor, it is often wise to use their own bug tracker for
reporting problems. In all other cases use the master OpenStack bug tracker,
available at:

    http://bugs.launchpad.net/openstack-salt

Developers wishing to work on the OpenStack Salt project should always base
their work on the latest formulas code, available from the master GIT
repository at:

    https://git.openstack.org/cgit/openstack/salt-formula-neutron

Developers should also join the discussion on the IRC list, at:

    https://wiki.openstack.org/wiki/Meetings/openstack-salt

Documentation and Bugs
======================

To learn how to install and update salt-formulas, consult the documentation
available online at:

    http://salt-formulas.readthedocs.io/

In the unfortunate event that bugs are discovered, they should be reported to
the appropriate issue tracker. Use the GitHub issue tracker for the specific
salt formula:

    https://github.com/salt-formulas/salt-formula-neutron/issues

For feature requests, bug reports or blueprints affecting the entire ecosystem,
use the Launchpad salt-formulas project:

    https://launchpad.net/salt-formulas

You can also join the salt-formulas-users team and subscribe to the mailing list:

    https://launchpad.net/~salt-formulas-users

Developers wishing to work on the salt-formulas projects should always base
their work on the master branch and submit pull requests against the specific
formula.

    https://github.com/salt-formulas/salt-formula-neutron

Any questions or feedback are always welcome, so feel free to join our IRC
channel:

    #salt-formulas @ irc.freenode.net