Blame - README.rst - salt-formulas/neutron

blob: 281b7100890974762b2997863bb0612707cc5249 [file] [log] [blame]

OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1	=====
				2	Usage
				3	=====
Filip Pytloun	cd028e4	2015-10-06 16:28:32 +0200	[diff] [blame]	4
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	5	Neutron is an OpenStack project to provide networking as a service between
Jakub Pavlik	9ecf026	2016-05-20 11:20:58 +0200	[diff] [blame]	6	interface devices (e.g., vNICs) managed by other Openstack services (e.g.,
				7	nova).
Filip Pytloun	cd028e4	2015-10-06 16:28:32 +0200	[diff] [blame]	8
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	9	Starting with the Folsom release, Neutron is a core and supported part of the
				10	OpenStack platform (for Essex, we were an incubated project, which means use
Vasyl Saienko	2fffc84	2017-06-14 10:35:26 +0300	[diff] [blame]	11	is suggested only for those who really know what they're doing with Neutron).
Filip Pytloun	cd028e4	2015-10-06 16:28:32 +0200	[diff] [blame]	12
Aleš Komárek	41e8231	2017-04-11 13:37:44 +0200	[diff] [blame]	13	Sample Pillars
Filip Pytloun	cd028e4	2015-10-06 16:28:32 +0200	[diff] [blame]	14	==============
				15
				16	Neutron Server on the controller node
				17
				18	.. code-block:: yaml
				19
				20	neutron:
				21	server:
				22	enabled: true
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	23	version: mitaka
Swann Croiset	9407daf	2017-02-02 15:27:56 +0100	[diff] [blame]	24	allow_pagination: true
				25	pagination_max_limit: 100
Mykyta Karpin	253406d	2017-12-08 17:01:37 +0200	[diff] [blame]	26	api_workers: 2
				27	rpc_workers: 2
				28	rpc_state_report_workers: 2
Michael Polenchuk	1ff8865	2018-03-06 16:15:57 +0400	[diff] [blame]	29	root_helper_daemon: false
Michael Polenchuk	2151b27	2018-06-19 18:32:31 +0400	[diff] [blame]	30	dhcp_lease_duration: 600
Michael Polenchuk	cece76d	2018-06-21 14:56:17 +0400	[diff] [blame]	31	firewall_driver: iptables_hybrid
Oleg Bondarev	bc2dfee	2018-10-17 18:41:51 +0400	[diff] [blame]	32	agent_boot_time: 180
William Konitzer	81a8998	2019-01-07 12:49:15 -0600	[diff] [blame]	33	agent_down_time: 30
				34	dhcp_agents_per_network: 2
				35	allow_automatic_dhcp_failover: true
Filip Pytloun	cd028e4	2015-10-06 16:28:32 +0200	[diff] [blame]	36	bind:
				37	address: 172.20.0.1
				38	port: 9696
Filip Pytloun	cd028e4	2015-10-06 16:28:32 +0200	[diff] [blame]	39	database:
				40	engine: mysql
				41	host: 127.0.0.1
				42	port: 3306
				43	name: neutron
				44	user: neutron
				45	password: pwd
				46	identity:
				47	engine: keystone
				48	host: 127.0.0.1
				49	port: 35357
				50	user: neutron
				51	password: pwd
				52	tenant: service
Dennis Dmitriev	3711472	2017-03-06 16:52:26 +0200	[diff] [blame]	53	endpoint_type: internal
Filip Pytloun	cd028e4	2015-10-06 16:28:32 +0200	[diff] [blame]	54	message_queue:
				55	engine: rabbitmq
				56	host: 127.0.0.1
				57	port: 5672
				58	user: openstack
				59	password: pwd
				60	virtual_host: '/openstack'
William Konitzer	81a8998	2019-01-07 12:49:15 -0600	[diff] [blame]	61	rpc_conn_pool_size: 30
				62	rpc_thread_pool_size: 100
				63	rpc_response_timeout: 120
Filip Pytloun	cd028e4	2015-10-06 16:28:32 +0200	[diff] [blame]	64	metadata:
				65	host: 127.0.0.1
				66	port: 8775
Dzmitry Stremkouski	ea47018	2018-10-24 15:33:35 +0200	[diff] [blame]	67	insecure: true
				68	proto: https
Filip Pytloun	cd028e4	2015-10-06 16:28:32 +0200	[diff] [blame]	69	password: pass
Mykyta Karpin	253406d	2017-12-08 17:01:37 +0200	[diff] [blame]	70	workers: 2
Petr Michalec	61f7ab2	2016-11-29 16:29:09 +0100	[diff] [blame]	71	audit:
				72	enabled: false
Filip Pytloun	cd028e4	2015-10-06 16:28:32 +0200	[diff] [blame]	73
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	74	.. note:: The pagination is useful to retrieve a large bunch of resources,
				75	because a single request may fail (timeout). This is enabled with both
				76	parameters allow_pagination and pagination_max_limit as shown above.
Swann Croiset	9407daf	2017-02-02 15:27:56 +0100	[diff] [blame]	77
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	78	Configuration of policy.json file:
Dmitry Ukov	596ddcf	2017-05-04 18:16:16 +0400	[diff] [blame]	79
				80	.. code-block:: yaml
				81
				82	neutron:
				83	server:
				84	....
				85	policy:
				86	create_subnet: 'rule:admin_or_network_owner'
				87	'get_network:queue_id': 'rule:admin_only'
				88	# Add key without value to remove line from policy.json
				89	'create_network:shared':
				90
Elena Ezhova	cd67cfe	2017-06-16 23:35:07 +0400	[diff] [blame]	91	Neutron LBaaSv2 enablement
				92	--------------------------
Ondrej Smola	314eee2	2017-03-08 21:21:16 +0100	[diff] [blame]	93
				94	.. code-block:: yaml
				95
				96	neutron:
				97	server:
				98	lbaas:
				99	enabled: true
				100	providers:
Elena Ezhova	cd67cfe	2017-06-16 23:35:07 +0400	[diff] [blame]	101	octavia:
				102	engine: octavia
				103	driver_path: 'neutron_lbaas.drivers.octavia.driver.OctaviaDriver'
				104	base_url: 'http://127.0.0.1:9876'
Ondrej Smola	314eee2	2017-03-08 21:21:16 +0100	[diff] [blame]	105	avi_adc:
Ondrej Smola	314eee2	2017-03-08 21:21:16 +0100	[diff] [blame]	106	engine: avinetworks
Elena Ezhova	cd67cfe	2017-06-16 23:35:07 +0400	[diff] [blame]	107	driver_path: 'avi_lbaasv2.avi_driver.AviDriver'
Ondrej Smola	314eee2	2017-03-08 21:21:16 +0100	[diff] [blame]	108	controller_address: 10.182.129.239
				109	controller_user: admin
				110	controller_password: Cloudlab2016
				111	controller_cloud_name: Default-Cloud
				112	avi_adc2:
				113	engine: avinetworks
				114	...
				115
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	116	.. note:: If the Contrail backend is set, Opencontrail loadbalancer
				117	would be enabled automatically. In this case lbaas should disabled
				118	in pillar:
Ondrej Smola	314eee2	2017-03-08 21:21:16 +0100	[diff] [blame]	119
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	120	.. code-block:: yaml
Ondrej Smola	314eee2	2017-03-08 21:21:16 +0100	[diff] [blame]	121
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	122	neutron:
				123	server:
				124	lbaas:
				125	enabled: false
Elena Ezhova	166d401	2017-08-17 12:53:52 +0400	[diff] [blame]	126
				127	Neutron FWaaSv1 enablement
				128	--------------------------
				129
				130	.. code-block:: yaml
				131
				132	neutron:
				133	fwaas:
				134	enabled: true
				135	version: ocata
				136	api_version: v1
				137
				138
Ondrej Smola	12ff819	2017-04-28 12:39:11 +0200	[diff] [blame]	139	Enable CORS parameters
Elena Ezhova	166d401	2017-08-17 12:53:52 +0400	[diff] [blame]	140	----------------------
Ondrej Smola	12ff819	2017-04-28 12:39:11 +0200	[diff] [blame]	141
				142	.. code-block:: yaml
				143
				144	neutron:
				145	server:
				146	cors:
				147	allowed_origin: https:localhost.local,http:localhost.local
				148	expose_headers: X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token
				149	allow_methods: GET,PUT,POST,DELETE,PATCH
				150	allow_headers: X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token
				151	allow_credentials: True
				152	max_age: 86400
				153
Aleš Komárek	41e8231	2017-04-11 13:37:44 +0200	[diff] [blame]	154	Neutron VXLAN tenant networks with Network nodes
				155	------------------------------------------------
Swann Croiset	9407daf	2017-02-02 15:27:56 +0100	[diff] [blame]	156
Aleš Komárek	41e8231	2017-04-11 13:37:44 +0200	[diff] [blame]	157	With DVR for East-West and Network node for North-South.
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	158
				159	This use case describes a model utilising VxLAN overlay with DVR. The DVR
Aleš Komárek	41e8231	2017-04-11 13:37:44 +0200	[diff] [blame]	160	routers will only be utilized for traffic that is router within the cloud
Vasyl Saienko	2fffc84	2017-06-14 10:35:26 +0300	[diff] [blame]	161	infrastructure and that remains encapsulated. External traffic will be
				162	routed to via the network nodes.
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	163
Vasyl Saienko	2fffc84	2017-06-14 10:35:26 +0300	[diff] [blame]	164	The intention is that each tenant will require at least two (2) vrouters
				165	one to be utilised
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	166
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	167	Neutron Server:
marco	a4428a3	2016-06-10 11:50:16 +0200	[diff] [blame]	168
				169	.. code-block:: yaml
				170
				171	neutron:
				172	server:
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	173	version: mitaka
Dmitry Stremkouski	3c1be3e	2017-11-18 11:04:20 +0300	[diff] [blame]	174	path_mtu: 1500
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	175	bind:
				176	address: 172.20.0.1
				177	port: 9696
				178	database:
				179	engine: mysql
				180	host: 127.0.0.1
				181	port: 3306
				182	name: neutron
				183	user: neutron
				184	password: pwd
				185	identity:
				186	engine: keystone
				187	host: 127.0.0.1
				188	port: 35357
				189	user: neutron
				190	password: pwd
				191	tenant: service
Dennis Dmitriev	3711472	2017-03-06 16:52:26 +0200	[diff] [blame]	192	endpoint_type: internal
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	193	message_queue:
				194	engine: rabbitmq
				195	host: 127.0.0.1
				196	port: 5672
				197	user: openstack
				198	password: pwd
				199	virtual_host: '/openstack'
				200	global_physnet_mtu: 9000
				201	l3_ha: False # Which type of router will be created by default
				202	dvr: True # disabled for non DVR use case
				203	backend:
				204	engine: ml2
				205	tenant_network_types: "flat,vxlan"
				206	external_mtu: 9000
				207	mechanism:
Elena Ezhova	d6a080c	2017-10-09 15:25:16 +0400	[diff] [blame]	208	ovs:
				209	driver: openvswitch
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	210
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	211	Network Node:
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	212
				213	.. code-block:: yaml
				214
				215	neutron:
				216	gateway:
				217	enabled: True
				218	version: mitaka
William Konitzer	81a8998	2019-01-07 12:49:15 -0600	[diff] [blame]	219	report_interval: 10
Michael Polenchuk	2151b27	2018-06-19 18:32:31 +0400	[diff] [blame]	220	dhcp_lease_duration: 600
Michael Polenchuk	cece76d	2018-06-21 14:56:17 +0400	[diff] [blame]	221	firewall_driver: iptables_hybrid
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	222	message_queue:
				223	engine: rabbitmq
				224	host: 127.0.0.1
				225	port: 5672
				226	user: openstack
				227	password: pwd
				228	virtual_host: '/openstack'
William Konitzer	81a8998	2019-01-07 12:49:15 -0600	[diff] [blame]	229	rpc_conn_pool_size: 300
				230	rpc_thread_pool_size: 2048
				231	rpc_response_timeout: 3600
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	232	local_ip: 192.168.20.20 # br-mesh ip address
				233	dvr: True # disabled for non DVR use case
				234	agent_mode: dvr_snat
				235	metadata:
				236	host: 127.0.0.1
				237	password: pass
				238	backend:
				239	engine: ml2
				240	tenant_network_types: "flat,vxlan"
				241	mechanism:
Elena Ezhova	d6a080c	2017-10-09 15:25:16 +0400	[diff] [blame]	242	ovs:
				243	driver: openvswitch
Vasyl Saienko	4bd2d92	2018-07-27 09:56:38 +0000	[diff] [blame]	244	agents:
				245	dhcp:
				246	ovs_use_veth: False
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	247
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	248	Compute Node:
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	249
				250	.. code-block:: yaml
				251
				252	neutron:
				253	compute:
				254	enabled: True
				255	version: mitaka
				256	message_queue:
				257	engine: rabbitmq
				258	host: 127.0.0.1
				259	port: 5672
				260	user: openstack
				261	password: pwd
				262	virtual_host: '/openstack'
William Konitzer	81a8998	2019-01-07 12:49:15 -0600	[diff] [blame]	263	rpc_conn_pool_size: 300
				264	rpc_thread_pool_size: 2048
				265	rpc_response_timeout: 3600
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	266	local_ip: 192.168.20.20 # br-mesh ip address
				267	dvr: True # disabled for non DVR use case
				268	agent_mode: dvr
William Konitzer	81a8998	2019-01-07 12:49:15 -0600	[diff] [blame]	269	report_interval: 10
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	270	external_access: false # Compute node with DVR for east-west only, Network Node has True as default
				271	metadata:
				272	host: 127.0.0.1
Vasyl Saienko	2fffc84	2017-06-14 10:35:26 +0300	[diff] [blame]	273	password: pass
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	274	backend:
				275	engine: ml2
				276	tenant_network_types: "flat,vxlan"
				277	mechanism:
Elena Ezhova	d6a080c	2017-10-09 15:25:16 +0400	[diff] [blame]	278	ovs:
				279	driver: openvswitch
Petr Michalec	61f7ab2	2016-11-29 16:29:09 +0100	[diff] [blame]	280	audit:
				281	enabled: false
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	282
Aleš Komárek	41e8231	2017-04-11 13:37:44 +0200	[diff] [blame]	283
Dzmitry Stremkouski	d5e89e5	2018-09-25 10:01:54 +0200	[diff] [blame]	284	Setting mac base address
				285	------------------------
				286
				287	By default neutron uses fa:16:3f:00:00:00 basement for mac generator.
				288	One can set it's own mac base both for dvr and nondvr cases.
				289
				290	NOTE: dvr_base_mac and base_mac SHOULD differ.
				291
				292	.. code-block:: yaml
				293
				294	neutron:
				295	server:
				296	base_mac: fa:16:3f:00:00:00
				297	dvr_base_mac: fa:16:3f:a0:00:00
				298
				299	gateways:
				300
				301	.. code-block:: yaml
				302
				303	neutron:
				304	gateway:
				305	base_mac: fa:16:3f:00:00:00
				306	dvr_base_mac: fa:16:3f:a0:00:00
				307
				308	compute nodes:
				309
				310	.. code-block:: yaml
				311
				312	neutron:
				313	compute:
				314	base_mac: fa:16:3f:00:00:00
				315	dvr_base_mac: fa:16:3f:a0:00:00
				316
				317
Dmitry Stremkouski	a3a4ab4	2017-10-23 17:37:12 +0300	[diff] [blame]	318	Disable physnet1 bridge
				319	-----------------------
				320
				321	By default we have external access turned on, so among any physnets in
				322	your reclass there would be additional one: physnet1, which is mapped to
				323	br-floating
				324
				325	If you need internal nets only without this bridge, remove br-floating
				326	and configurations mappings. Disable mappings for this bridge on
				327	neutron-servers:
				328
				329	.. code-block:: yaml
				330
				331	neutron:
				332	server:
				333	external_access: false
				334
				335	gateways:
				336
				337	.. code-block:: yaml
				338
				339	neutron:
				340	gateway:
				341	external_access: false
				342
				343	compute nodes:
				344
				345	.. code-block:: yaml
				346
				347	neutron:
				348	compute:
				349	external_access: false
				350
				351
Marcin Iwinski	c50137a	2018-01-22 14:18:24 +0100	[diff] [blame]	352	Add additional bridge mappings for OVS bridges
				353	----------------------------------------------
				354
				355	By default we have external access turned on, so among any physnets in
				356	your reclass there would be additional one: physnet1, which is mapped to
				357	br-floating
				358
				359	If you need to add extra non-default bridge mappings they can be defined
				360	separately for both gateways and compute nodes:
				361
				362	gateways:
				363
				364	.. code-block:: yaml
				365
				366	neutron:
				367	gateway:
				368	bridge_mappings:
				369	physnet4: br-floating-internet
				370
				371	compute nodes:
				372
				373	.. code-block:: yaml
				374
				375	neutron:
				376	compute:
				377	bridge_mappings:
				378	physnet4: br-floating-internet
				379
				380
Dmitry Stremkouski	4b41022	2017-11-18 11:29:55 +0300	[diff] [blame]	381	Specify different mtu values for different physnets
				382	---------------------------------------------------
				383
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	384	Neutron Server:
Dmitry Stremkouski	4b41022	2017-11-18 11:29:55 +0300	[diff] [blame]	385
				386	.. code-block:: yaml
				387
				388	neutron:
				389	server:
				390	version: mitaka
				391	backend:
				392	external_mtu: 1500
				393	tenant_net_mtu: 9000
				394	ironic_net_mtu: 9000
				395
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	396	Neutron VXLAN tenant networks with Network Nodes (non DVR)
Aleš Komárek	41e8231	2017-04-11 13:37:44 +0200	[diff] [blame]	397	----------------------------------------------------------
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	398
				399	This section describes a network solution that utilises VxLAN overlay
				400	networks without DVR with all routers being managed on the network nodes.
				401
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	402	Neutron Server:
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	403
				404	.. code-block:: yaml
				405
				406	neutron:
				407	server:
				408	version: mitaka
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	409	bind:
				410	address: 172.20.0.1
				411	port: 9696
				412	database:
				413	engine: mysql
				414	host: 127.0.0.1
				415	port: 3306
				416	name: neutron
				417	user: neutron
				418	password: pwd
				419	identity:
				420	engine: keystone
				421	host: 127.0.0.1
				422	port: 35357
				423	user: neutron
				424	password: pwd
				425	tenant: service
Dennis Dmitriev	3711472	2017-03-06 16:52:26 +0200	[diff] [blame]	426	endpoint_type: internal
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	427	message_queue:
				428	engine: rabbitmq
				429	host: 127.0.0.1
				430	port: 5672
				431	user: openstack
				432	password: pwd
				433	virtual_host: '/openstack'
				434	global_physnet_mtu: 9000
				435	l3_ha: True
				436	dvr: False
				437	backend:
				438	engine: ml2
				439	tenant_network_types= "flat,vxlan"
				440	external_mtu: 9000
				441	mechanism:
Elena Ezhova	d6a080c	2017-10-09 15:25:16 +0400	[diff] [blame]	442	ovs:
				443	driver: openvswitch
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	444
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	445	Network Node:
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	446
				447	.. code-block:: yaml
				448
				449	neutron:
				450	gateway:
				451	enabled: True
				452	version: mitaka
				453	message_queue:
				454	engine: rabbitmq
				455	host: 127.0.0.1
				456	port: 5672
				457	user: openstack
				458	password: pwd
				459	virtual_host: '/openstack'
				460	local_ip: 192.168.20.20 # br-mesh ip address
				461	dvr: False
				462	agent_mode: legacy
Simon Pasquier	c03af11	2017-04-10 10:35:14 +0200	[diff] [blame]	463	availability_zone: az1
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	464	metadata:
				465	host: 127.0.0.1
				466	password: pass
				467	backend:
				468	engine: ml2
				469	tenant_network_types: "flat,vxlan"
				470	mechanism:
Elena Ezhova	d6a080c	2017-10-09 15:25:16 +0400	[diff] [blame]	471	ovs:
				472	driver: openvswitch
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	473
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	474	Compute Node:
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	475
				476	.. code-block:: yaml
				477
				478	neutron:
				479	compute:
				480	enabled: True
				481	version: mitaka
				482	message_queue:
				483	engine: rabbitmq
				484	host: 127.0.0.1
				485	port: 5672
				486	user: openstack
				487	password: pwd
				488	virtual_host: '/openstack'
				489	local_ip: 192.168.20.20 # br-mesh ip address
				490	external_access: False
Vasyl Saienko	2fffc84	2017-06-14 10:35:26 +0300	[diff] [blame]	491	dvr: False
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	492	backend:
				493	engine: ml2
				494	tenant_network_types: "flat,vxlan"
				495	mechanism:
Elena Ezhova	d6a080c	2017-10-09 15:25:16 +0400	[diff] [blame]	496	ovs:
				497	driver: openvswitch
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	498
Aleš Komárek	41e8231	2017-04-11 13:37:44 +0200	[diff] [blame]	499	Neutron VXLAN tenant networks with Network Nodes with DVR
				500	---------------------------------------------------------
				501
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	502	With DVR for East-West and North-South, DVR everywhere, Network
				503	node for SNAT.
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	504
Vasyl Saienko	2fffc84	2017-06-14 10:35:26 +0300	[diff] [blame]	505	This section describes a network solution that utilises VxLAN
				506	overlay networks with DVR with North-South and East-West. Network
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	507	Node is used only for SNAT.
				508
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	509	Neutron Server:
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	510
				511	.. code-block:: yaml
				512
				513	neutron:
				514	server:
				515	version: mitaka
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	516	bind:
				517	address: 172.20.0.1
				518	port: 9696
				519	database:
				520	engine: mysql
				521	host: 127.0.0.1
				522	port: 3306
				523	name: neutron
				524	user: neutron
				525	password: pwd
				526	identity:
				527	engine: keystone
				528	host: 127.0.0.1
				529	port: 35357
				530	user: neutron
				531	password: pwd
				532	tenant: service
Dennis Dmitriev	3711472	2017-03-06 16:52:26 +0200	[diff] [blame]	533	endpoint_type: internal
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	534	message_queue:
				535	engine: rabbitmq
				536	host: 127.0.0.1
				537	port: 5672
				538	user: openstack
				539	password: pwd
				540	virtual_host: '/openstack'
				541	global_physnet_mtu: 9000
				542	l3_ha: False
				543	dvr: True
				544	backend:
				545	engine: ml2
				546	tenant_network_types= "flat,vxlan"
				547	external_mtu: 9000
				548	mechanism:
Elena Ezhova	d6a080c	2017-10-09 15:25:16 +0400	[diff] [blame]	549	ovs:
				550	driver: openvswitch
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	551
Vasyl Saienko	0b2451b	2018-12-16 19:38:38 +0000	[diff] [blame]	552	Configuring networking-generic-switch ml2 plugin used for
				553	baremetal integration:
				554
				555	.. code-block:: yaml
				556
				557	neutron:
				558	server:
				559	backend:
				560	mechanism:
				561	ngs:
				562	driver: genericswitch
				563	n_g_s:
				564	enabled: true
				565	coordination:
				566	enabled: true
				567	backend_url: "etcd3+http://1.2.3.4:2379"
				568	devices:
				569	s1brbm:
				570	options:
				571	device_type:
				572	value: netmiko_ovs_linux
				573	ip:
				574	value: 1.2.3.4
				575	username:
				576	value: ngs_ovs_manager
				577	password:
				578	value: password
				579
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	580	Network Node:
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	581
				582	.. code-block:: yaml
				583
				584	neutron:
				585	gateway:
				586	enabled: True
				587	version: mitaka
				588	message_queue:
				589	engine: rabbitmq
				590	host: 127.0.0.1
				591	port: 5672
				592	user: openstack
				593	password: pwd
				594	virtual_host: '/openstack'
				595	local_ip: 192.168.20.20 # br-mesh ip address
				596	dvr: True
				597	agent_mode: dvr_snat
Simon Pasquier	c03af11	2017-04-10 10:35:14 +0200	[diff] [blame]	598	availability_zone: az1
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	599	metadata:
				600	host: 127.0.0.1
				601	password: pass
				602	backend:
				603	engine: ml2
				604	tenant_network_types: "flat,vxlan"
				605	mechanism:
Elena Ezhova	d6a080c	2017-10-09 15:25:16 +0400	[diff] [blame]	606	ovs:
				607	driver: openvswitch
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	608
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	609	Compute Node:
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	610
				611	.. code-block:: yaml
				612
				613	neutron:
				614	compute:
				615	enabled: True
				616	version: mitaka
				617	message_queue:
				618	engine: rabbitmq
				619	host: 127.0.0.1
				620	port: 5672
				621	user: openstack
				622	password: pwd
				623	virtual_host: '/openstack'
				624	local_ip: 192.168.20.20 # br-mesh ip address
				625	dvr: True
Vasyl Saienko	2fffc84	2017-06-14 10:35:26 +0300	[diff] [blame]	626	external_access: True
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	627	agent_mode: dvr
Simon Pasquier	c03af11	2017-04-10 10:35:14 +0200	[diff] [blame]	628	availability_zone: az1
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	629	metadata:
				630	host: 127.0.0.1
				631	password: pass
				632	backend:
				633	engine: ml2
				634	tenant_network_types: "flat,vxlan"
				635	mechanism:
Elena Ezhova	d6a080c	2017-10-09 15:25:16 +0400	[diff] [blame]	636	ovs:
				637	driver: openvswitch
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	638
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	639	Sample Linux network configuration for DVR:
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	640
				641	.. code-block:: yaml
				642
				643	linux:
				644	network:
				645	bridge: openvswitch
				646	interface:
				647	eth1:
				648	enabled: true
				649	type: eth
				650	mtu: 9000
				651	proto: manual
				652	eth2:
				653	enabled: true
				654	type: eth
				655	mtu: 9000
				656	proto: manual
				657	eth3:
				658	enabled: true
				659	type: eth
				660	mtu: 9000
				661	proto: manual
				662	br-int:
				663	enabled: true
				664	mtu: 9000
				665	type: ovs_bridge
				666	br-floating:
				667	enabled: true
				668	mtu: 9000
				669	type: ovs_bridge
				670	float-to-ex:
				671	enabled: true
				672	type: ovs_port
				673	mtu: 65000
				674	bridge: br-floating
				675	br-mgmt:
				676	enabled: true
				677	type: bridge
				678	mtu: 9000
				679	address: ${_param:single_address}
				680	netmask: 255.255.255.0
				681	use_interfaces:
				682	- eth1
				683	br-mesh:
				684	enabled: true
				685	type: bridge
				686	mtu: 9000
				687	address: ${_param:tenant_address}
				688	netmask: 255.255.255.0
				689	use_interfaces:
				690	- eth2
				691	br-ex:
				692	enabled: true
				693	type: bridge
				694	mtu: 9000
				695	address: ${_param:external_address}
				696	netmask: 255.255.255.0
				697	use_interfaces:
				698	- eth3
				699	use_ovs_ports:
				700	- float-to-ex
				701
Thom Gerdes	3282d07	2017-05-30 22:06:04 +0000	[diff] [blame]	702	Additonal VXLAN tenant network settings
				703	---------------------------------------
				704
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	705	The default multicast group of ``224.0.0.1`` only multicasts
				706	to a single subnet. Allow overriding it to allow larger underlay
				707	network topologies.
Thom Gerdes	3282d07	2017-05-30 22:06:04 +0000	[diff] [blame]	708
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	709	Neutron Server:
Thom Gerdes	3282d07	2017-05-30 22:06:04 +0000	[diff] [blame]	710
				711	.. code-block:: yaml
				712
				713	neutron:
				714	server:
				715	vxlan:
				716	group: 239.0.0.0/8
				717	vni_ranges: "2:65535"
				718
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	719	Neutron VLAN tenant networks with Network Nodes
Aleš Komárek	41e8231	2017-04-11 13:37:44 +0200	[diff] [blame]	720	-----------------------------------------------
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	721
				722	VLAN tenant provider
				723
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	724	Neutron Server only:
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	725
				726	.. code-block:: yaml
				727
				728	neutron:
				729	server:
				730	version: mitaka
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	731	...
				732	global_physnet_mtu: 9000
				733	l3_ha: False
				734	dvr: True
				735	backend:
				736	engine: ml2
				737	tenant_network_types: "flat,vlan" # Can be mixed flat,vlan,vxlan
				738	tenant_vlan_range: "1000:2000"
				739	external_vlan_range: "100:200" # Does not have to be defined.
				740	external_mtu: 9000
				741	mechanism:
Elena Ezhova	d6a080c	2017-10-09 15:25:16 +0400	[diff] [blame]	742	ovs:
				743	driver: openvswitch
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	744
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	745	Compute node:
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	746
				747	.. code-block:: yaml
				748
				749	neutron:
				750	compute:
				751	version: mitaka
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	752	...
				753	dvr: True
				754	agent_mode: dvr
				755	external_access: False
				756	backend:
				757	engine: ml2
				758	tenant_network_types: "flat,vlan" # Can be mixed flat,vlan,vxlan
				759	mechanism:
Elena Ezhova	d6a080c	2017-10-09 15:25:16 +0400	[diff] [blame]	760	ovs:
				761	driver: openvswitch
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	762
Oleg Bondarev	ddb9af1	2018-07-02 19:07:57 +0400	[diff] [blame]	763	Neutron with explicit physical networks
				764	---------------------------------------
Oleg Bondarev	ada324f	2018-06-04 14:55:38 +0400	[diff] [blame]	765
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	766	Neutron Server only:
Oleg Bondarev	ada324f	2018-06-04 14:55:38 +0400	[diff] [blame]	767
				768	.. code-block:: yaml
				769
				770	neutron:
				771	server:
				772	version: ocata
				773	...
				774	backend:
				775	engine: ml2
				776	tenant_network_types: "flat,vlan" # Can be mixed flat,vlan,vxlan
				777	...
Oleg Bondarev	ddb9af1	2018-07-02 19:07:57 +0400	[diff] [blame]	778	# also need to configure corresponding bridge_mappings on
Oleg Bondarev	ada324f	2018-06-04 14:55:38 +0400	[diff] [blame]	779	# compute and gateway nodes
Oleg Bondarev	47d9e2d	2018-07-03 13:22:26 +0400	[diff] [blame]	780	flat_networks_default: '' # '' to allow arbitrary names or '' to disable
Oleg Bondarev	ddb9af1	2018-07-02 19:07:57 +0400	[diff] [blame]	781	physnets: # only listed physnets will be configured (overrides physnet1/2/3)
				782	external:
				783	mtu: 1500
Oleg Bondarev	47d9e2d	2018-07-03 13:22:26 +0400	[diff] [blame]	784	types:
				785	- flat # possible values - 'flat' or 'vlan'
Oleg Bondarev	ada324f	2018-06-04 14:55:38 +0400	[diff] [blame]	786	sriov_net:
				787	mtu: 9000 # Optional, defaults to 1500
Oleg Bondarev	ab32411	2018-11-19 17:56:57 +0400	[diff] [blame]	788	vlan_range: '100:200,300:400' # Optional
Oleg Bondarev	47d9e2d	2018-07-03 13:22:26 +0400	[diff] [blame]	789	types:
				790	- vlan
Oleg Bondarev	ada324f	2018-06-04 14:55:38 +0400	[diff] [blame]	791	ext_net2:
				792	mtu: 1500
Oleg Bondarev	47d9e2d	2018-07-03 13:22:26 +0400	[diff] [blame]	793	types:
				794	- flat
				795	- vlan
Oleg Bondarev	ada324f	2018-06-04 14:55:38 +0400	[diff] [blame]	796	mechanism:
				797	ovs:
				798	driver: openvswitch
				799
Aleš Komárek	41e8231	2017-04-11 13:37:44 +0200	[diff] [blame]	800	Advanced Neutron Features (DPDK, SR-IOV)
Oleg Bondarev	0575ae4	2017-07-28 16:36:25 +0400	[diff] [blame]	801	----------------------------------------
Aleš Komárek	41e8231	2017-04-11 13:37:44 +0200	[diff] [blame]	802
Jakub Pavlik	8f83ccc	2017-02-27 11:15:39 +0100	[diff] [blame]	803	Neutron OVS DPDK
Jakub Pavlik	8f83ccc	2017-02-27 11:15:39 +0100	[diff] [blame]	804
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	805	Enable datapath netdev for neutron openvswitch agent:
Jakub Pavlik	8f83ccc	2017-02-27 11:15:39 +0100	[diff] [blame]	806
				807	.. code-block:: yaml
				808
				809	neutron:
				810	server:
				811	version: mitaka
				812	...
				813	dpdk: True
				814	...
				815
				816	neutron:
				817	compute:
				818	version: mitaka
Jakub Pavlik	8f83ccc	2017-02-27 11:15:39 +0100	[diff] [blame]	819	dpdk: True
Michael Polenchuk	5291165	2018-04-12 22:09:49 +0400	[diff] [blame]	820	vhost_mode: client # options: client\|server (default)
Oleg Bondarev	ee7e830	2017-10-16 17:20:38 +0400	[diff] [blame]	821	vhost_socket_dir: /var/run/openvswitch
Jakub Pavlik	8f83ccc	2017-02-27 11:15:39 +0100	[diff] [blame]	822	backend:
				823	engine: ml2
				824	...
				825	mechanism:
Elena Ezhova	d6a080c	2017-10-09 15:25:16 +0400	[diff] [blame]	826	ovs:
				827	driver: openvswitch
Jakub Pavlik	8f83ccc	2017-02-27 11:15:39 +0100	[diff] [blame]	828
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	829	Neutron OVS SR-IOV:
Jakub Pavlik	70555cb	2017-02-26 18:48:02 +0100	[diff] [blame]	830
				831	.. code-block:: yaml
				832
				833	neutron:
				834	server:
				835	version: mitaka
Jakub Pavlik	70555cb	2017-02-26 18:48:02 +0100	[diff] [blame]	836	backend:
				837	engine: ml2
				838	...
				839	mechanism:
Elena Ezhova	d6a080c	2017-10-09 15:25:16 +0400	[diff] [blame]	840	ovs:
				841	driver: openvswitch
				842	sriov:
				843	driver: sriovnicswitch
Michael Polenchuk	0bf59a7	2018-06-19 18:06:56 +0400	[diff] [blame]	844	# Driver w/ highest number will be placed ahead in the list (default is 0).
				845	# It's recommended for SR-IOV driver to set an order >0 to get it
				846	# before (for example) the opendaylight one.
				847	order: 9
Jakub Pavlik	70555cb	2017-02-26 18:48:02 +0100	[diff] [blame]	848
				849	neutron:
				850	compute:
				851	version: mitaka
Jakub Pavlik	70555cb	2017-02-26 18:48:02 +0100	[diff] [blame]	852	...
				853	backend:
				854	engine: ml2
				855	tenant_network_types: "flat,vlan" # Can be mixed flat,vlan,vxlan
				856	sriov:
				857	nic_one:
				858	devname: eth1
				859	physical_network: physnet3
				860	mechanism:
Elena Ezhova	d6a080c	2017-10-09 15:25:16 +0400	[diff] [blame]	861	ovs:
				862	driver: openvswitch
Jakub Pavlik	70555cb	2017-02-26 18:48:02 +0100	[diff] [blame]	863
cdodda	c35c9eb	2018-11-07 23:18:10 -0600	[diff] [blame]	864	Neutron with LinuxBridge Agents
				865	-------------------------------
				866
				867	.. code-block:: yaml
				868
				869	neutron:
				870	server:
				871	firewall_driver: iptables
				872	backend:
				873	mechanism:
				874	lb:
				875	driver: linuxbridge
				876	....
				877	compute:
				878	backend:
				879	mechanism:
				880	lb:
				881	driver: linuxbridge
				882	....
				883	gateway:
				884	backend:
				885	mechanism:
				886	lb:
				887	driver: linuxbridge
				888	agents:
				889	dhcp:
				890	interface_driver: linuxbridge
				891	l3:
				892	interface_driver: linuxbridge
				893
				894
Ilya Chukhnakov	f4c2bb3	2017-06-08 02:03:15 +0300	[diff] [blame]	895	Neutron with VLAN-aware-VMs
Oleg Bondarev	0575ae4	2017-07-28 16:36:25 +0400	[diff] [blame]	896	---------------------------
Ilya Chukhnakov	f4c2bb3	2017-06-08 02:03:15 +0300	[diff] [blame]	897
				898	.. code-block:: yaml
				899
				900	neutron:
				901	server:
				902	vlan_aware_vms: true
				903	....
				904	compute:
				905	vlan_aware_vms: true
				906	....
				907	gateway:
				908	vlan_aware_vms: true
				909
Oleg Bondarev	acb2e53	2018-03-06 10:43:59 +0400	[diff] [blame]	910	Neutron with BGP VPN (BaGPipe driver)
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	911	-------------------------------------
Oleg Bondarev	b63d27f	2018-02-14 19:21:06 +0400	[diff] [blame]	912
				913	.. code-block:: yaml
				914
				915	neutron:
				916	server:
				917	version: pike
				918	bgp_vpn:
Oleg Bondarev	acb2e53	2018-03-06 10:43:59 +0400	[diff] [blame]	919	enabled: true
Michael Polenchuk	0b3c5dd	2018-06-27 12:04:32 +0400	[diff] [blame]	920	driver: bagpipe # Options: bagpipe/opencontrail/opendaylight[_v2]
Oleg Bondarev	b63d27f	2018-02-14 19:21:06 +0400	[diff] [blame]	921	....
				922	compute:
				923	version: pike
				924	bgp_vpn:
Oleg Bondarev	acb2e53	2018-03-06 10:43:59 +0400	[diff] [blame]	925	enabled: true
Michael Polenchuk	0b3c5dd	2018-06-27 12:04:32 +0400	[diff] [blame]	926	driver: bagpipe # Options: bagpipe/opencontrail/opendaylight[_v2]
Oleg Bondarev	acb2e53	2018-03-06 10:43:59 +0400	[diff] [blame]	927	bagpipe:
				928	local_address: 192.168.20.20 # IP address for mpls/gre tunnels
				929	peers: 192.168.20.30 # IP addresses of BGP peers
				930	autonomous_system: 64512 # Autonomous System number
				931	enable_rtc: True # Enable RT Constraint (RFC4684)
Oleg Bondarev	b63d27f	2018-02-14 19:21:06 +0400	[diff] [blame]	932	backend:
Oleg Bondarev	878ac46	2018-04-23 17:48:15 +0400	[diff] [blame]	933	ovs_extension: # for OVS agent only, not supported in SRIOV agent
Oleg Bondarev	b63d27f	2018-02-14 19:21:06 +0400	[diff] [blame]	934	bagpipe_bgpvpn:
				935	enabled: True
				936
Oleksii Chupryn	16cb4e0	2018-02-26 14:20:39 +0200	[diff] [blame]	937	Neutron with DHCP agent on compute node
				938	---------------------------------------
				939
				940	.. code-block:: yaml
				941
				942	neutron:
				943	....
				944	compute:
				945	dhcp_agent_enabled: true
				946	....
				947
Dzmitry Stremkouski	48df2a7	2018-10-12 16:38:11 +0200	[diff] [blame]	948	Neutron with metadata agent on compute node
				949	-------------------------------------------
				950
				951	.. code-block:: yaml
				952
				953	neutron:
				954	....
				955	compute:
				956	metadata_agent_enabled: true
				957	....
				958
Oleg Bondarev	0575ae4	2017-07-28 16:36:25 +0400	[diff] [blame]	959	Neutron with OVN
				960	----------------
				961
				962	Control node:
				963
				964	.. code-block:: yaml
				965
				966	neutron:
				967	server:
				968	backend:
				969	engine: ovn
				970	mechanism:
				971	ovn:
				972	driver: ovn
				973	tenant_network_types: "geneve,flat"
Michael Polenchuk	f59229b	2018-06-19 16:24:49 +0400	[diff] [blame]	974	ovn:
				975	ovn_l3_scheduler: leastloaded # valid options: chance, leastloaded
				976	neutron_sync_mode: repair # valid options: log, off, repair
Michael Polenchuk	58161ef	2018-05-15 18:04:09 +0400	[diff] [blame]	977	metadata_enabled: True
Michael Polenchuk	a3d492b	2017-12-27 15:49:43 +0400	[diff] [blame]	978	ovn_ctl_opts:
				979	db-nb-create-insecure-remote: 'yes'
				980	db-sb-create-insecure-remote: 'yes'
Oleg Bondarev	0575ae4	2017-07-28 16:36:25 +0400	[diff] [blame]	981
				982	Compute node:
				983
				984	.. code-block:: yaml
				985
				986	neutron:
				987	compute:
				988	local_ip: 10.2.0.105
				989	controller_vip: 10.1.0.101
				990	external_access: false
				991	backend:
				992	engine: ovn
Michael Polenchuk	58161ef	2018-05-15 18:04:09 +0400	[diff] [blame]	993	ovsdb_connection: tcp:127.0.0.1:6640
				994	metadata:
				995	enabled: true
				996	ovsdb_server_iface: ptcp:6640:127.0.0.1
				997	host: 10.1.0.101
				998	password: unsegreto
				999
Oleg Bondarev	0575ae4	2017-07-28 16:36:25 +0400	[diff] [blame]	1000
Michael Polenchuk	cccd1a5	2018-02-02 17:41:16 +0400	[diff] [blame]	1001	Neutron L2 Gateway
				1002	----------------
				1003
				1004	Control node:
				1005
				1006	.. code-block:: yaml
				1007
				1008	neutron:
				1009	server:
				1010	version: pike
				1011	l2gw:
				1012	enabled: true
				1013	periodic_monitoring_interval: 5
				1014	quota_l2_gateway: 20
				1015	# service_provider=<service_type>:<name>:<driver>[:default]
				1016	service_provider: L2GW:OpenDaylight:networking_odl.l2gateway.driver.OpenDaylightL2gwDriver:default
				1017	backend:
				1018	engine: ml2
				1019
				1020	Network/Gateway node:
				1021
				1022	.. code-block:: yaml
				1023
				1024	neutron:
				1025	gateway:
				1026	version: pike
				1027	l2gw:
				1028	enabled: true
				1029	debug: true
				1030	socket_timeout: 20
				1031	ovsdb_hosts:
				1032	# <ovsdb_name>: <ip address>:<port>
				1033	# - ovsdb_name: a user defined symbolic identifier of physical switch
				1034	# - ip address: the address or dns name for the OVSDB server (i.e. pointer to the switch)
				1035	ovsdb1: 10.164.5.33:6632
				1036	ovsdb2: 10.164.4.33:6632
				1037
				1038
Michael Polenchuk	87d2b74	2017-06-29 12:05:25 +0400	[diff] [blame]	1039	OpenDaylight integration
				1040	------------------------
				1041
				1042	Control node:
				1043
				1044	.. code-block:: yaml
				1045
				1046	neutron:
				1047	server:
				1048	backend:
				1049	opendaylight: true
				1050	router: odl-router_v2
				1051	host: 10.20.0.77
				1052	rest_api_port: 8282
				1053	user: admin
				1054	password: admin
				1055	ovsdb_connection: tcp:127.0.0.1:6639
Oleksii Chupryn	fed7957	2018-07-20 14:11:35 +0300	[diff] [blame]	1056	ovsdb_interface: native
Michael Polenchuk	87d2b74	2017-06-29 12:05:25 +0400	[diff] [blame]	1057	enable_websocket: true
				1058	enable_dhcp_service: false
				1059	mechanism:
				1060	ovs:
				1061	driver: opendaylight_v2
Michael Polenchuk	0bf59a7	2018-06-19 18:06:56 +0400	[diff] [blame]	1062	order: 1
Michael Polenchuk	87d2b74	2017-06-29 12:05:25 +0400	[diff] [blame]	1063
				1064	Network/Gateway node:
				1065
				1066	.. code-block:: yaml
				1067
				1068	neutron:
				1069	gateway:
				1070	backend:
				1071	router: odl-router_v2
				1072	ovsdb_connection: tcp:127.0.0.1:6639
Oleksii Chupryn	fed7957	2018-07-20 14:11:35 +0300	[diff] [blame]	1073	ovsdb_interface: native
Michael Polenchuk	87d2b74	2017-06-29 12:05:25 +0400	[diff] [blame]	1074	opendaylight:
				1075	ovsdb_server_iface: ptcp:6639:127.0.0.1
				1076	ovsdb_odl_iface: tcp:10.20.0.77:6640
				1077	tunnel_ip: 10.1.0.110
				1078	provider_mappings: physnet1:br-floating
				1079
				1080	Compute node:
				1081
				1082	.. code-block:: yaml
				1083
				1084	neutron:
				1085	compute:
				1086	opendaylight:
				1087	ovsdb_server_iface: ptcp:6639:127.0.0.1
				1088	ovsdb_odl_iface: tcp:10.20.0.77:6640
				1089	tunnel_ip: 10.1.0.105
				1090	provider_mappings: physnet1:br-floating
				1091
				1092
Michael Polenchuk	9cccecc	2018-09-14 14:54:18 +0400	[diff] [blame]	1093	Service Function Chaining Extension (SFC)
				1094	----------------
				1095
				1096	.. code-block:: yaml
				1097
				1098	neutron:
				1099	server:
				1100	sfc:
				1101	enabled: true
				1102	sfc_drivers:
				1103	- ovs # valid options: ovs, odl, ovn (not implemented yet)
				1104	flow_classifier_drivers:
				1105	- ovs # valid options: see above
				1106	....
				1107	compute:
				1108	backend:
				1109	ovs_extension:
				1110	sfc:
				1111	enabled: True
				1112
				1113
Aleš Komárek	41e8231	2017-04-11 13:37:44 +0200	[diff] [blame]	1114	Neutron Server
				1115	--------------
				1116
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1117	Neutron Server with OpenContrail:
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	1118
				1119	.. code-block:: yaml
				1120
				1121	neutron:
				1122	server:
marco	a4428a3	2016-06-10 11:50:16 +0200	[diff] [blame]	1123	backend:
				1124	engine: contrail
				1125	host: contrail_discovery_host
				1126	port: 8082
				1127	user: admin
				1128	password: password
				1129	tenant: admin
				1130	token: token
				1131
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1132	Neutron Server with Midonet:
marco	a4428a3	2016-06-10 11:50:16 +0200	[diff] [blame]	1133
				1134	.. code-block:: yaml
				1135
				1136	neutron:
				1137	server:
				1138	backend:
				1139	engine: midonet
				1140	host: midonet_api_host
				1141	port: 8181
				1142	user: admin
				1143	password: password
				1144
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1145	Neutron Server with NSX:
Vasyl Saienko	4549efe	2018-07-26 16:06:04 +0000	[diff] [blame]	1146
				1147	.. code-block:: yaml
				1148
				1149	neutron:
				1150	server:
				1151	backend:
				1152	engine: vmware
				1153	core_plugin: vmware_nsxv3
				1154	vmware:
				1155	nsx:
				1156	extension_drivers:
				1157	- vmware_nsxv3_dns
				1158	v3:
				1159	api_password: nsx_password
				1160	api_user: nsx_username
				1161	api_managers:
				1162	01:
				1163	scheme: https
				1164	host: 192.168.10.120
				1165	port: '443'
				1166	insecure: true
				1167
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1168	Neutron Keystone region:
Jakub Pavlik	6dd5c0a	2016-03-09 14:18:15 +0100	[diff] [blame]	1169
				1170	.. code-block:: yaml
				1171
				1172	neutron:
				1173	server:
				1174	enabled: true
				1175	version: kilo
				1176	...
				1177	identity:
				1178	region: RegionTwo
				1179	...
				1180	compute:
				1181	region: RegionTwo
				1182	...
				1183
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1184	Client-side RabbitMQ HA setup:
Jiri Konecny	93b1999	2016-04-12 11:15:39 +0200	[diff] [blame]	1185
				1186	.. code-block:: yaml
				1187
				1188	neutron:
				1189	server:
				1190	....
				1191	message_queue:
				1192	engine: rabbitmq
				1193	members:
				1194	- host: 10.0.16.1
				1195	- host: 10.0.16.2
				1196	- host: 10.0.16.3
				1197	user: openstack
				1198	password: pwd
				1199	virtual_host: '/openstack'
				1200	....
				1201
Kirill Bespalov	dd748b6	2017-11-21 10:42:57 +0300	[diff] [blame]	1202	Configuring TLS communications
				1203	------------------------------
Kirill Bespalov	8fffe02	2017-08-03 17:55:02 +0300	[diff] [blame]	1204
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1205	.. note:: By default, system-wide installed CA certs are used,
				1206	so ``cacert_file`` param is optional, as well as ``cacert``.
Kirill Bespalov	dd748b6	2017-11-21 10:42:57 +0300	[diff] [blame]	1207
				1208	- RabbitMQ TLS
Kirill Bespalov	8fffe02	2017-08-03 17:55:02 +0300	[diff] [blame]	1209
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1210	.. code-block:: yaml
Kirill Bespalov	8fffe02	2017-08-03 17:55:02 +0300	[diff] [blame]	1211
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1212	neutron:
				1213	server, gateway, compute:
				1214	message_queue:
				1215	port: 5671
				1216	ssl:
				1217	enabled: True
				1218	(optional) cacert: cert body if the cacert_file does not exists
				1219	(optional) cacert_file: /etc/openstack/rabbitmq-ca.pem
				1220	(optional) version: TLSv1_2
Kirill Bespalov	8fffe02	2017-08-03 17:55:02 +0300	[diff] [blame]	1221
Kirill Bespalov	dd748b6	2017-11-21 10:42:57 +0300	[diff] [blame]	1222	- MySQL TLS
Kirill Bespalov	8fffe02	2017-08-03 17:55:02 +0300	[diff] [blame]	1223
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1224	.. code-block:: yaml
Kirill Bespalov	8fffe02	2017-08-03 17:55:02 +0300	[diff] [blame]	1225
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1226	neutron:
				1227	server:
				1228	database:
				1229	ssl:
				1230	enabled: True
				1231	(optional) cacert: cert body if the cacert_file does not exists
				1232	(optional) cacert_file: /etc/openstack/mysql-ca.pem
Kirill Bespalov	8fffe02	2017-08-03 17:55:02 +0300	[diff] [blame]	1233
Kirill Bespalov	dd748b6	2017-11-21 10:42:57 +0300	[diff] [blame]	1234	- Openstack HTTPS API
				1235
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1236	.. code-block:: yaml
Kirill Bespalov	8fffe02	2017-08-03 17:55:02 +0300	[diff] [blame]	1237
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1238	neutron:
				1239	server:
				1240	identity:
				1241	protocol: https
				1242	(optional) cacert_file: /etc/openstack/proxy.pem
Kirill Bespalov	8fffe02	2017-08-03 17:55:02 +0300	[diff] [blame]	1243
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1244	Enable auditing filter, ie: CADF:
Petr Michalec	61f7ab2	2016-11-29 16:29:09 +0100	[diff] [blame]	1245
				1246	.. code-block:: yaml
				1247
				1248	neutron:
				1249	server:
				1250	audit:
				1251	enabled: true
				1252	....
				1253	filter_factory: 'keystonemiddleware.audit:filter_factory'
				1254	map_file: '/etc/pycadf/neutron_api_audit_map.conf'
				1255	....
				1256	compute:
				1257	audit:
				1258	enabled: true
				1259	....
				1260	filter_factory: 'keystonemiddleware.audit:filter_factory'
				1261	map_file: '/etc/pycadf/neutron_api_audit_map.conf'
				1262	....
Jiri Konecny	93b1999	2016-04-12 11:15:39 +0200	[diff] [blame]	1263
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1264	Neutron with security groups disabled:
Oleg Bondarev	98870a3	2017-05-29 16:53:19 +0400	[diff] [blame]	1265
				1266	.. code-block:: yaml
				1267
				1268	neutron:
				1269	server:
				1270	security_groups_enabled: False
				1271	....
				1272	compute:
				1273	security_groups_enabled: False
				1274	....
				1275	gateway:
				1276	security_groups_enabled: False
				1277
Jiri Konecny	93b1999	2016-04-12 11:15:39 +0200	[diff] [blame]	1278
Aleš Komárek	41e8231	2017-04-11 13:37:44 +0200	[diff] [blame]	1279	Neutron Client
				1280	--------------
Jiri Broulik	5368cc5	2017-02-08 18:53:59 +0100	[diff] [blame]	1281
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1282	Neutron networks:
Jiri Broulik	5368cc5	2017-02-08 18:53:59 +0100	[diff] [blame]	1283
				1284	.. code-block:: yaml
				1285
				1286	neutron:
				1287	client:
				1288	enabled: true
				1289	server:
				1290	identity:
Richard Felkl	aac256a	2017-03-23 15:43:49 +0100	[diff] [blame]	1291	endpoint_type: internalURL
Jiri Broulik	5368cc5	2017-02-08 18:53:59 +0100	[diff] [blame]	1292	network:
				1293	inet1:
				1294	tenant: demo
				1295	shared: False
				1296	admin_state_up: True
				1297	router_external: True
				1298	provider_physical_network: inet
				1299	provider_network_type: flat
				1300	provider_segmentation_id: 2
				1301	subnet:
				1302	inet1-subnet1:
				1303	cidr: 192.168.90.0/24
				1304	enable_dhcp: False
				1305	inet2:
				1306	tenant: admin
				1307	shared: False
				1308	router_external: True
				1309	provider_network_type: "vlan"
				1310	subnet:
				1311	inet2-subnet1:
				1312	cidr: 192.168.92.0/24
				1313	enable_dhcp: False
				1314	inet2-subnet2:
				1315	cidr: 192.168.94.0/24
				1316	enable_dhcp: True
				1317	identity1:
				1318	network:
				1319	...
				1320
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1321	Neutron routers:
Jiri Broulik	5368cc5	2017-02-08 18:53:59 +0100	[diff] [blame]	1322
				1323	.. code-block:: yaml
				1324
				1325	neutron:
				1326	client:
				1327	enabled: true
				1328	server:
				1329	identity:
Richard Felkl	aac256a	2017-03-23 15:43:49 +0100	[diff] [blame]	1330	endpoint_type: internalURL
Jiri Broulik	5368cc5	2017-02-08 18:53:59 +0100	[diff] [blame]	1331	router:
				1332	inet1-router:
				1333	tenant: demo
				1334	admin_state_up: True
				1335	gateway_network: inet
				1336	interfaces:
				1337	- inet1-subnet1
				1338	- inet1-subnet2
				1339	identity1:
				1340	router:
				1341	...
				1342
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1343	.. TODO implement adding new interfaces to a router while updating it
Jiri Broulik	5368cc5	2017-02-08 18:53:59 +0100	[diff] [blame]	1344
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1345	Neutron security groups:
Jiri Broulik	5368cc5	2017-02-08 18:53:59 +0100	[diff] [blame]	1346
				1347	.. code-block:: yaml
				1348
				1349	neutron:
				1350	client:
				1351	enabled: true
				1352	server:
				1353	identity:
Richard Felkl	aac256a	2017-03-23 15:43:49 +0100	[diff] [blame]	1354	endpoint_type: internalURL
Jiri Broulik	5368cc5	2017-02-08 18:53:59 +0100	[diff] [blame]	1355	security_group:
				1356	security_group1:
				1357	tenant: demo
				1358	description: security group 1
				1359	rules:
				1360	- direction: ingress
				1361	ethertype: IPv4
				1362	protocol: TCP
				1363	port_range_min: 1
				1364	port_range_max: 65535
				1365	remote_ip_prefix: 0.0.0.0/0
				1366	- direction: ingress
				1367	ethertype: IPv4
				1368	protocol: UDP
				1369	port_range_min: 1
				1370	port_range_max: 65535
				1371	remote_ip_prefix: 0.0.0.0/0
				1372	- direction: ingress
				1373	protocol: ICMP
				1374	remote_ip_prefix: 0.0.0.0/0
				1375	identity1:
				1376	security_group:
				1377	...
				1378
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1379	.. TODO: implement updating existing security rules (now it adds new rule if
				1380	trying to update existing one)
Jiri Broulik	5368cc5	2017-02-08 18:53:59 +0100	[diff] [blame]	1381
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1382	Floating IP addresses:
Jiri Broulik	de2e290	2017-02-13 15:03:47 +0100	[diff] [blame]	1383
				1384	.. code-block:: yaml
				1385
				1386	neutron:
				1387	client:
				1388	enabled: true
				1389	server:
				1390	identity:
Richard Felkl	aac256a	2017-03-23 15:43:49 +0100	[diff] [blame]	1391	endpoint_type: internalURL
Jiri Broulik	de2e290	2017-02-13 15:03:47 +0100	[diff] [blame]	1392	floating_ip:
				1393	prx01-instance:
				1394	server: prx01.mk22-lab-basic.local
				1395	subnet: private-subnet1
				1396	network: public-net1
				1397	tenant: demo
				1398	gtw01-instance:
				1399	...
				1400
				1401	.. note:: The network must have flag router:external set to True.
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1402	Instance port in the stated subnet will be associated
				1403	with the dynamically generated floating IP.
Oleg Iurchenko	de71cc2	2017-09-18 17:58:56 +0300	[diff] [blame]	1404
				1405	Enable Neutron extensions (QoS, DNS, etc.)
				1406	------------------------------------------
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1407
Oleg Iurchenko	de71cc2	2017-09-18 17:58:56 +0300	[diff] [blame]	1408	.. code-block:: yaml
				1409
				1410	neutron:
				1411	server:
				1412	backend:
				1413	extension:
Oleg Iurchenko	ac17f4f	2017-10-06 11:24:27 +0300	[diff] [blame]	1414	dns:
				1415	enabled: True
				1416	host: 127.0.0.1
				1417	port: 9001
				1418	protocol: http
				1419	....
				1420	qos
				1421	enabled: True
Oleg Iurchenko	de71cc2	2017-09-18 17:58:56 +0300	[diff] [blame]	1422
Oleg Bondarev	878ac46	2018-04-23 17:48:15 +0400	[diff] [blame]	1423	Different Neutron extensions for different agents
				1424	-------------------------------------------------
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1425
Oleg Bondarev	878ac46	2018-04-23 17:48:15 +0400	[diff] [blame]	1426	.. code-block:: yaml
				1427
				1428	neutron:
				1429	server:
				1430	backend:
				1431	extension: # common extensions for OVS and SRIOV agents
				1432	dns:
				1433	enabled: True
				1434	...
				1435	qos
				1436	enabled: True
				1437	ovs_extension: # OVS specific extensions
				1438	bagpipe_bgpvpn:
				1439	enabled: True
				1440	sriov_extension: # SRIOV specific extensions
				1441	dummy:
				1442	enabled: True
Oleg Iurchenko	de71cc2	2017-09-18 17:58:56 +0300	[diff] [blame]	1443
Oleg Iurchenko	8cf6cf5	2017-09-18 15:44:03 +0300	[diff] [blame]	1444	Neutron with Designate
				1445	-----------------------------------------
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1446
Oleg Iurchenko	8cf6cf5	2017-09-18 15:44:03 +0300	[diff] [blame]	1447	.. code-block:: yaml
				1448
				1449	neutron:
				1450	server:
				1451	backend:
				1452	extension:
				1453	dns:
				1454	enabled: True
				1455	host: 127.0.0.1
				1456	port: 9001
				1457	protocol: http
				1458
Marek Celoud	67ce206	2018-01-31 13:44:55 +0100	[diff] [blame]	1459	Enable RBAC for OpenContrail engine
				1460	-----------------------------------
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1461
Marek Celoud	67ce206	2018-01-31 13:44:55 +0100	[diff] [blame]	1462	.. code-block:: yaml
				1463
				1464	neutron:
				1465	server:
				1466	backend:
				1467	engine: contrail
				1468	rbac:
				1469	enabled: True
Oleg Iurchenko	8cf6cf5	2017-09-18 15:44:03 +0300	[diff] [blame]	1470
Dmitry Kalashnik	35dd0e0	2017-12-07 14:16:25 +0400	[diff] [blame]	1471	Enhanced logging with logging.conf
				1472	----------------------------------
				1473
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1474	By default ``logging.conf`` is disabled.
Dmitry Kalashnik	35dd0e0	2017-12-07 14:16:25 +0400	[diff] [blame]	1475
				1476	That is possible to enable per-binary logging.conf with new variables:
Dmitry Kalashnik	35dd0e0	2017-12-07 14:16:25 +0400	[diff] [blame]	1477
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1478	* ``openstack_log_appender``
				1479	Set to true to enable ``log_config_append`` for all OpenStack services
				1480
				1481	* ``openstack_fluentd_handler_enabled``
				1482	Set to true to enable FluentHandler for all Openstack services
				1483
				1484	* ``openstack_ossyslog_handler_enabled``
				1485	Set to true to enable OSSysLogHandler for all Openstack services.
				1486
				1487	Only ``WatchedFileHandler``, ``OSSysLogHandler``, and ``FluentHandler``
				1488	are available.
Dmitry Kalashnik	35dd0e0	2017-12-07 14:16:25 +0400	[diff] [blame]	1489
				1490	Also it is possible to configure this with pillar:
				1491
				1492	.. code-block:: yaml
				1493
				1494	neutron:
				1495	server:
				1496	logging:
				1497	log_appender: true
				1498	log_handlers:
				1499	watchedfile:
				1500	enabled: true
				1501	fluentd:
				1502	enabled: true
Oleksii Chupryn	156c5f4	2018-02-07 10:06:50 +0200	[diff] [blame]	1503	ossyslog:
				1504	enabled: true
Dmitry Kalashnik	35dd0e0	2017-12-07 14:16:25 +0400	[diff] [blame]	1505	....
				1506	compute:
				1507	logging:
				1508	log_appender: true
				1509	log_handlers:
				1510	watchedfile:
				1511	enabled: true
				1512	fluentd:
				1513	enabled: true
Oleksii Chupryn	156c5f4	2018-02-07 10:06:50 +0200	[diff] [blame]	1514	ossyslog:
				1515	enabled: true
Dmitry Kalashnik	35dd0e0	2017-12-07 14:16:25 +0400	[diff] [blame]	1516	....
				1517	gateway:
				1518	logging:
				1519	log_appender: true
				1520	log_handlers:
				1521	watchedfile:
				1522	enabled: true
				1523	fluentd:
				1524	enabled: true
Oleksii Chupryn	156c5f4	2018-02-07 10:06:50 +0200	[diff] [blame]	1525	ossyslog:
				1526	enabled: true
Oleg Iurchenko	8cf6cf5	2017-09-18 15:44:03 +0300	[diff] [blame]	1527
Oleksii Grudev	fe73ee5	2018-05-14 14:08:11 +0300	[diff] [blame]	1528	Logging levels pillar example:
				1529
				1530	.. code-block:: yaml
				1531
				1532	neutron:
				1533	server:
				1534	logging:
				1535	log_appender: true
				1536	loggers:
				1537	root:
				1538	level: 'DEBUG'
				1539	neutron:
				1540	level: 'DEBUG'
				1541	amqplib:
				1542	level: 'DEBUG'
				1543	sqlalchemy:
				1544	level: 'DEBUG'
				1545	boto:
				1546	level: 'DEBUG'
				1547	suds:
				1548	level: 'DEBUG'
				1549	eventletwsgi:
				1550	level: 'DEBUG'
				1551	......
Oleksandr Bryndzii	3b0ac2c	2018-10-04 11:06:24 +0300	[diff] [blame]	1552	Neutron server with memcached caching and security strategy:
				1553
				1554	.. code-block:: yaml
				1555
				1556	neutron:
				1557	server:
				1558	enabled: true
				1559	...
				1560	cache:
				1561	engine: memcached
				1562	members:
				1563	- host: 127.0.0.1
				1564	port: 11211
				1565	- host: 127.0.0.1
				1566	port: 11211
				1567	security:
				1568	enabled: true
				1569	strategy: ENCRYPT
				1570	secret_key: secret
Oleksii Grudev	fe73ee5	2018-05-14 14:08:11 +0300	[diff] [blame]	1571
Vasyl Saienko	ba42073	2018-09-07 10:19:32 +0000	[diff] [blame]	1572	Upgrades
				1573	========
				1574
				1575	Each openstack formula provide set of phases (logical bloks) that will help to
				1576	build flexible upgrade orchestration logic for particular components. The list
				1577	of phases might and theirs descriptions are listed in table below:
				1578
				1579	+-------------------------------+------------------------------------------------------+
				1580	\| State \| Description \|
				1581	+===============================+======================================================+
				1582	\| <app>.upgrade.service_running \| Ensure that all services for particular application \|
				1583	\| \| are enabled for autostart and running \|
				1584	+-------------------------------+------------------------------------------------------+
				1585	\| <app>.upgrade.service_stopped \| Ensure that all services for particular application \|
				1586	\| \| disabled for autostart and dead \|
				1587	+-------------------------------+------------------------------------------------------+
				1588	\| <app>.upgrade.pkg_latest \| Ensure that packages used by particular application \|
				1589	\| \| are installed to latest available version. \|
				1590	\| \| This will not upgrade data plane packages like qemu \|
				1591	\| \| and openvswitch as usually minimal required version \|
				1592	\| \| in openstack services is really old. The data plane \|
				1593	\| \| packages should be upgraded separately by `apt-get \|
				1594	\| \| upgrade` or `apt-get dist-upgrade` \|
				1595	\| \| Applying this state will not autostart service. \|
				1596	+-------------------------------+------------------------------------------------------+
				1597	\| <app>.upgrade.render_config \| Ensure configuration is rendered actual version. +
				1598	+-------------------------------+------------------------------------------------------+
				1599	\| <app>.upgrade.pre \| We assume this state is applied on all nodes in the \|
				1600	\| \| cloud before running upgrade. \|
				1601	\| \| Only non destructive actions will be applied during \|
				1602	\| \| this phase. Perform service built in service check \|
				1603	\| \| like (keystone-manage doctor and nova-status upgrade)\|
				1604	+-------------------------------+------------------------------------------------------+
				1605	\| <app>.upgrade.upgrade.pre \| Mostly applicable for data plane nodes. During this \|
				1606	\| \| phase resources will be gracefully removed from \|
				1607	\| \| current node if it is allowed. Services for upgraded \|
				1608	\| \| application will be set to admin disabled state to \|
				1609	\| \| make sure node will not participate in resources \|
				1610	\| \| scheduling. For example on gtw nodes this will set \|
				1611	\| \| all agents to admin disable state and will move all \|
				1612	\| \| routers to other agents. \|
				1613	+-------------------------------+------------------------------------------------------+
				1614	\| <app>.upgrade.upgrade \| This state will basically upgrade application on \|
				1615	\| \| particular target. Stop services, render \|
				1616	\| \| configuration, install new packages, run offline \|
				1617	\| \| dbsync (for ctl), start services. Data plane should \|
				1618	\| \| not be affected, only OpenStack python services. \|
				1619	+-------------------------------+------------------------------------------------------+
				1620	\| <app>.upgrade.upgrade.post \| Add services back to scheduling. \|
				1621	+-------------------------------+------------------------------------------------------+
				1622	\| <app>.upgrade.post \| This phase should be launched only when upgrade of \|
				1623	\| \| the cloud is completed. \|
				1624	+-------------------------------+------------------------------------------------------+
				1625	\| <app>.upgrade.verify \| Here we will do basic health checks (API CRUD \|
				1626	\| \| operations, verify do not have dead network \|
				1627	\| \| agents/compute services) \|
				1628	+-------------------------------+------------------------------------------------------+
				1629
				1630
Oleksandr Shyshko	f51b94c	2018-08-31 16:05:27 +0300	[diff] [blame]	1631	Enable x509 and ssl communication between Neutron and Galera cluster.
				1632	---------------------
				1633	By default communication between Neutron and Galera is unsecure.
				1634
				1635	neutron:
				1636	server:
				1637	database:
				1638	x509:
				1639	enabled: True
				1640
				1641	You able to set custom certificates in pillar:
				1642
				1643	neutron:
				1644	server:
				1645	database:
				1646	x509:
				1647	cacert: (certificate content)
				1648	cert: (certificate content)
				1649	key: (certificate content)
				1650
				1651	You can read more about it here:
				1652	https://docs.openstack.org/security-guide/databases/database-access-control.html