Gitiles
Code Review Sign In
gerrit.mcp.mirantis.com / salt-formulas / neutron / bfd769dd0100efd5770914e76d7aa5dc7429f017 / . / README.rst
blob: c8ff89076e373fee5383d28cf0af03da315ccc03 [file] [log] [blame]
Aleš Komárek41e82312017-04-11 13:37:44 +0200[diff] [blame]1===============
2Neutron Formula
3===============
Filip Pytlouncd028e42015-10-06 16:28:32 +0200[diff] [blame]4
Jakub Pavlik9ecf0262016-05-20 11:20:58 +0200[diff] [blame]5Neutron is an OpenStack project to provide "networking as a service" between
6interface devices (e.g., vNICs) managed by other Openstack services (e.g.,
7nova).
Filip Pytlouncd028e42015-10-06 16:28:32 +0200[diff] [blame]8
Jakub Pavlik9ecf0262016-05-20 11:20:58 +0200[diff] [blame]9Starting in the Folsom release, Neutron is a core and supported part of the
10OpenStack platform (for Essex, we were an "incubated" project, which means use
Vasyl Saienko2fffc842017-06-14 10:35:26 +0300[diff] [blame]11is suggested only for those who really know what they're doing with Neutron).
Filip Pytlouncd028e42015-10-06 16:28:32 +0200[diff] [blame]12
Aleš Komárek41e82312017-04-11 13:37:44 +0200[diff] [blame]13Sample Pillars
Filip Pytlouncd028e42015-10-06 16:28:32 +0200[diff] [blame]14==============
15
16Neutron Server on the controller node
17
18.. code-block:: yaml
19
20 neutron:
21 server:
22 enabled: true
Jiri Broulik74f61112016-11-21 20:23:47 +0100[diff] [blame]23 version: mitaka
Swann Croiset9407daf2017-02-02 15:27:56 +0100[diff] [blame]24 allow_pagination: true
25 pagination_max_limit: 100
Filip Pytlouncd028e42015-10-06 16:28:32 +0200[diff] [blame]26 bind:
27 address: 172.20.0.1
28 port: 9696
Filip Pytlouncd028e42015-10-06 16:28:32 +0200[diff] [blame]29 database:
30 engine: mysql
31 host: 127.0.0.1
32 port: 3306
33 name: neutron
34 user: neutron
35 password: pwd
36 identity:
37 engine: keystone
38 host: 127.0.0.1
39 port: 35357
40 user: neutron
41 password: pwd
42 tenant: service
Dennis Dmitriev37114722017-03-06 16:52:26 +0200[diff] [blame]43 endpoint_type: internal
Filip Pytlouncd028e42015-10-06 16:28:32 +0200[diff] [blame]44 message_queue:
45 engine: rabbitmq
46 host: 127.0.0.1
47 port: 5672
48 user: openstack
49 password: pwd
50 virtual_host: '/openstack'
51 metadata:
52 host: 127.0.0.1
53 port: 8775
54 password: pass
Petr Michalec61f7ab22016-11-29 16:29:09 +0100[diff] [blame]55 audit:
56 enabled: false
Filip Pytlouncd028e42015-10-06 16:28:32 +0200[diff] [blame]57
Swann Croiset9407daf2017-02-02 15:27:56 +0100[diff] [blame]58Note: The pagination is useful to retrieve a large bunch of resources,
59because a single request may fail (timeout). This is enabled with both
60parameters *allow_pagination* and *pagination_max_limit* as shown above.
61
Dmitry Ukov596ddcf2017-05-04 18:16:16 +0400[diff] [blame]62
63Configuration of policy.json file
64
65.. code-block:: yaml
66
67 neutron:
68 server:
69 ....
70 policy:
71 create_subnet: 'rule:admin_or_network_owner'
72 'get_network:queue_id': 'rule:admin_only'
73 # Add key without value to remove line from policy.json
74 'create_network:shared':
75
Elena Ezhovacd67cfe2017-06-16 23:35:07 +0400[diff] [blame]76Neutron LBaaSv2 enablement
77--------------------------
Ondrej Smola314eee22017-03-08 21:21:16 +0100[diff] [blame]78
79.. code-block:: yaml
80
81 neutron:
82 server:
83 lbaas:
84 enabled: true
85 providers:
Elena Ezhovacd67cfe2017-06-16 23:35:07 +0400[diff] [blame]86 octavia:
87 engine: octavia
88 driver_path: 'neutron_lbaas.drivers.octavia.driver.OctaviaDriver'
89 base_url: 'http://127.0.0.1:9876'
Ondrej Smola314eee22017-03-08 21:21:16 +0100[diff] [blame]90 avi_adc:
Ondrej Smola314eee22017-03-08 21:21:16 +0100[diff] [blame]91 engine: avinetworks
Elena Ezhovacd67cfe2017-06-16 23:35:07 +0400[diff] [blame]92 driver_path: 'avi_lbaasv2.avi_driver.AviDriver'
Ondrej Smola314eee22017-03-08 21:21:16 +0100[diff] [blame]93 controller_address: 10.182.129.239
94 controller_user: admin
95 controller_password: Cloudlab2016
96 controller_cloud_name: Default-Cloud
97 avi_adc2:
98 engine: avinetworks
99 ...
100
Elena Ezhovacd67cfe2017-06-16 23:35:07 +0400[diff] [blame]101Note: If the Contrail backend is set, Opencontrail loadbalancer would be enabled
102automatically. In this case lbaas should disabled in pillar:
Ondrej Smola314eee22017-03-08 21:21:16 +0100[diff] [blame]103
104.. code-block:: yaml
105
106 neutron:
107 server:
108 lbaas:
Elena Ezhovacd67cfe2017-06-16 23:35:07 +0400[diff] [blame]109 enabled: false
Ondrej Smola314eee22017-03-08 21:21:16 +0100[diff] [blame]110
Elena Ezhova166d4012017-08-17 12:53:52 +0400[diff] [blame]111
112Neutron FWaaSv1 enablement
113--------------------------
114
115.. code-block:: yaml
116
117 neutron:
118 fwaas:
119 enabled: true
120 version: ocata
121 api_version: v1
122
123
Ondrej Smola12ff8192017-04-28 12:39:11 +0200[diff] [blame]124Enable CORS parameters
Elena Ezhova166d4012017-08-17 12:53:52 +0400[diff] [blame]125----------------------
Ondrej Smola12ff8192017-04-28 12:39:11 +0200[diff] [blame]126
127.. code-block:: yaml
128
129 neutron:
130 server:
131 cors:
132 allowed_origin: https:localhost.local,http:localhost.local
133 expose_headers: X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token
134 allow_methods: GET,PUT,POST,DELETE,PATCH
135 allow_headers: X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token
136 allow_credentials: True
137 max_age: 86400
138
139
Aleš Komárek41e82312017-04-11 13:37:44 +0200[diff] [blame]140Neutron VXLAN tenant networks with Network nodes
141------------------------------------------------
Swann Croiset9407daf2017-02-02 15:27:56 +0100[diff] [blame]142
Aleš Komárek41e82312017-04-11 13:37:44 +0200[diff] [blame]143With DVR for East-West and Network node for North-South.
Jiri Broulik74f61112016-11-21 20:23:47 +0100[diff] [blame]144
145This use case describes a model utilising VxLAN overlay with DVR. The DVR
Aleš Komárek41e82312017-04-11 13:37:44 +0200[diff] [blame]146routers will only be utilized for traffic that is router within the cloud
Vasyl Saienko2fffc842017-06-14 10:35:26 +0300[diff] [blame]147infrastructure and that remains encapsulated. External traffic will be
148routed to via the network nodes.
Jiri Broulik74f61112016-11-21 20:23:47 +0100[diff] [blame]149
Vasyl Saienko2fffc842017-06-14 10:35:26 +0300[diff] [blame]150The intention is that each tenant will require at least two (2) vrouters
151one to be utilised
Jiri Broulik74f61112016-11-21 20:23:47 +0100[diff] [blame]152
Aleš Komárek41e82312017-04-11 13:37:44 +0200[diff] [blame]153Neutron Server
marcoa4428a32016-06-10 11:50:16 +0200[diff] [blame]154
155.. code-block:: yaml
156
157 neutron:
158 server:
Jiri Broulik74f61112016-11-21 20:23:47 +0100[diff] [blame]159 version: mitaka
Dmitry Stremkouski3c1be3e2017-11-18 11:04:20 +0300[diff] [blame]160 path_mtu: 1500
Jiri Broulik74f61112016-11-21 20:23:47 +0100[diff] [blame]161 bind:
162 address: 172.20.0.1
163 port: 9696
164 database:
165 engine: mysql
166 host: 127.0.0.1
167 port: 3306
168 name: neutron
169 user: neutron
170 password: pwd
171 identity:
172 engine: keystone
173 host: 127.0.0.1
174 port: 35357
175 user: neutron
176 password: pwd
177 tenant: service
Dennis Dmitriev37114722017-03-06 16:52:26 +0200[diff] [blame]178 endpoint_type: internal
Jiri Broulik74f61112016-11-21 20:23:47 +0100[diff] [blame]179 message_queue:
180 engine: rabbitmq
181 host: 127.0.0.1
182 port: 5672
183 user: openstack
184 password: pwd
185 virtual_host: '/openstack'
186 global_physnet_mtu: 9000
187 l3_ha: False # Which type of router will be created by default
188 dvr: True # disabled for non DVR use case
189 backend:
190 engine: ml2
191 tenant_network_types: "flat,vxlan"
192 external_mtu: 9000
193 mechanism:
Elena Ezhovad6a080c2017-10-09 15:25:16 +0400[diff] [blame]194 ovs:
195 driver: openvswitch
Jiri Broulik74f61112016-11-21 20:23:47 +0100[diff] [blame]196
Aleš Komárek41e82312017-04-11 13:37:44 +0200[diff] [blame]197Network Node
Jiri Broulik74f61112016-11-21 20:23:47 +0100[diff] [blame]198
199.. code-block:: yaml
200
201 neutron:
202 gateway:
203 enabled: True
204 version: mitaka
205 message_queue:
206 engine: rabbitmq
207 host: 127.0.0.1
208 port: 5672
209 user: openstack
210 password: pwd
211 virtual_host: '/openstack'
212 local_ip: 192.168.20.20 # br-mesh ip address
213 dvr: True # disabled for non DVR use case
214 agent_mode: dvr_snat
215 metadata:
216 host: 127.0.0.1
217 password: pass
218 backend:
219 engine: ml2
220 tenant_network_types: "flat,vxlan"
221 mechanism:
Elena Ezhovad6a080c2017-10-09 15:25:16 +0400[diff] [blame]222 ovs:
223 driver: openvswitch
Jiri Broulik74f61112016-11-21 20:23:47 +0100[diff] [blame]224
225Compute Node
Jiri Broulik74f61112016-11-21 20:23:47 +0100[diff] [blame]226
227.. code-block:: yaml
228
229 neutron:
230 compute:
231 enabled: True
232 version: mitaka
233 message_queue:
234 engine: rabbitmq
235 host: 127.0.0.1
236 port: 5672
237 user: openstack
238 password: pwd
239 virtual_host: '/openstack'
240 local_ip: 192.168.20.20 # br-mesh ip address
241 dvr: True # disabled for non DVR use case
242 agent_mode: dvr
243 external_access: false # Compute node with DVR for east-west only, Network Node has True as default
244 metadata:
245 host: 127.0.0.1
Vasyl Saienko2fffc842017-06-14 10:35:26 +0300[diff] [blame]246 password: pass
Jiri Broulik74f61112016-11-21 20:23:47 +0100[diff] [blame]247 backend:
248 engine: ml2
249 tenant_network_types: "flat,vxlan"
250 mechanism:
Elena Ezhovad6a080c2017-10-09 15:25:16 +0400[diff] [blame]251 ovs:
252 driver: openvswitch
Petr Michalec61f7ab22016-11-29 16:29:09 +0100[diff] [blame]253 audit:
254 enabled: false
Jiri Broulik74f61112016-11-21 20:23:47 +0100[diff] [blame]255
Aleš Komárek41e82312017-04-11 13:37:44 +0200[diff] [blame]256
Dmitry Stremkouskia3a4ab42017-10-23 17:37:12 +0300[diff] [blame]257Disable physnet1 bridge
258-----------------------
259
260By default we have external access turned on, so among any physnets in
261your reclass there would be additional one: physnet1, which is mapped to
262br-floating
263
264If you need internal nets only without this bridge, remove br-floating
265and configurations mappings. Disable mappings for this bridge on
266neutron-servers:
267
268.. code-block:: yaml
269
270 neutron:
271 server:
272 external_access: false
273
274gateways:
275
276.. code-block:: yaml
277
278 neutron:
279 gateway:
280 external_access: false
281
282compute nodes:
283
284.. code-block:: yaml
285
286 neutron:
287 compute:
288 external_access: false
289
290
Dmitry Stremkouski4b410222017-11-18 11:29:55 +0300[diff] [blame]291Specify different mtu values for different physnets
292---------------------------------------------------
293
294Neutron Server
295
296.. code-block:: yaml
297
298 neutron:
299 server:
300 version: mitaka
301 backend:
302 external_mtu: 1500
303 tenant_net_mtu: 9000
304 ironic_net_mtu: 9000
305
Jiri Broulik74f61112016-11-21 20:23:47 +0100[diff] [blame]306Neutron VXLAN tenant networks with Network Nodes (non DVR)
Aleš Komárek41e82312017-04-11 13:37:44 +0200[diff] [blame]307----------------------------------------------------------
Jiri Broulik74f61112016-11-21 20:23:47 +0100[diff] [blame]308
309This section describes a network solution that utilises VxLAN overlay
310 networks without DVR with all routers being managed on the network nodes.
311
Aleš Komárek41e82312017-04-11 13:37:44 +0200[diff] [blame]312Neutron Server
Jiri Broulik74f61112016-11-21 20:23:47 +0100[diff] [blame]313
314.. code-block:: yaml
315
316 neutron:
317 server:
318 version: mitaka
Jiri Broulik74f61112016-11-21 20:23:47 +0100[diff] [blame]319 bind:
320 address: 172.20.0.1
321 port: 9696
322 database:
323 engine: mysql
324 host: 127.0.0.1
325 port: 3306
326 name: neutron
327 user: neutron
328 password: pwd
329 identity:
330 engine: keystone
331 host: 127.0.0.1
332 port: 35357
333 user: neutron
334 password: pwd
335 tenant: service
Dennis Dmitriev37114722017-03-06 16:52:26 +0200[diff] [blame]336 endpoint_type: internal
Jiri Broulik74f61112016-11-21 20:23:47 +0100[diff] [blame]337 message_queue:
338 engine: rabbitmq
339 host: 127.0.0.1
340 port: 5672
341 user: openstack
342 password: pwd
343 virtual_host: '/openstack'
344 global_physnet_mtu: 9000
345 l3_ha: True
346 dvr: False
347 backend:
348 engine: ml2
349 tenant_network_types= "flat,vxlan"
350 external_mtu: 9000
351 mechanism:
Elena Ezhovad6a080c2017-10-09 15:25:16 +0400[diff] [blame]352 ovs:
353 driver: openvswitch
Jiri Broulik74f61112016-11-21 20:23:47 +0100[diff] [blame]354
Aleš Komárek41e82312017-04-11 13:37:44 +0200[diff] [blame]355Network Node
Jiri Broulik74f61112016-11-21 20:23:47 +0100[diff] [blame]356
357.. code-block:: yaml
358
359 neutron:
360 gateway:
361 enabled: True
362 version: mitaka
363 message_queue:
364 engine: rabbitmq
365 host: 127.0.0.1
366 port: 5672
367 user: openstack
368 password: pwd
369 virtual_host: '/openstack'
370 local_ip: 192.168.20.20 # br-mesh ip address
371 dvr: False
372 agent_mode: legacy
Simon Pasquierc03af112017-04-10 10:35:14 +0200[diff] [blame]373 availability_zone: az1
Jiri Broulik74f61112016-11-21 20:23:47 +0100[diff] [blame]374 metadata:
375 host: 127.0.0.1
376 password: pass
377 backend:
378 engine: ml2
379 tenant_network_types: "flat,vxlan"
380 mechanism:
Elena Ezhovad6a080c2017-10-09 15:25:16 +0400[diff] [blame]381 ovs:
382 driver: openvswitch
Jiri Broulik74f61112016-11-21 20:23:47 +0100[diff] [blame]383
384Compute Node
Jiri Broulik74f61112016-11-21 20:23:47 +0100[diff] [blame]385
386.. code-block:: yaml
387
388 neutron:
389 compute:
390 enabled: True
391 version: mitaka
392 message_queue:
393 engine: rabbitmq
394 host: 127.0.0.1
395 port: 5672
396 user: openstack
397 password: pwd
398 virtual_host: '/openstack'
399 local_ip: 192.168.20.20 # br-mesh ip address
400 external_access: False
Vasyl Saienko2fffc842017-06-14 10:35:26 +0300[diff] [blame]401 dvr: False
Jiri Broulik74f61112016-11-21 20:23:47 +0100[diff] [blame]402 backend:
403 engine: ml2
404 tenant_network_types: "flat,vxlan"
405 mechanism:
Elena Ezhovad6a080c2017-10-09 15:25:16 +0400[diff] [blame]406 ovs:
407 driver: openvswitch
Jiri Broulik74f61112016-11-21 20:23:47 +0100[diff] [blame]408
Aleš Komárek41e82312017-04-11 13:37:44 +0200[diff] [blame]409Neutron VXLAN tenant networks with Network Nodes with DVR
410---------------------------------------------------------
411
412With DVR for East-West and North-South, DVR everywhere, Network node for SNAT.
Jiri Broulik74f61112016-11-21 20:23:47 +0100[diff] [blame]413
Vasyl Saienko2fffc842017-06-14 10:35:26 +0300[diff] [blame]414This section describes a network solution that utilises VxLAN
415overlay networks with DVR with North-South and East-West. Network
Jiri Broulik74f61112016-11-21 20:23:47 +0100[diff] [blame]416Node is used only for SNAT.
417
Aleš Komárek41e82312017-04-11 13:37:44 +0200[diff] [blame]418Neutron Server
Jiri Broulik74f61112016-11-21 20:23:47 +0100[diff] [blame]419
420.. code-block:: yaml
421
422 neutron:
423 server:
424 version: mitaka
Jiri Broulik74f61112016-11-21 20:23:47 +0100[diff] [blame]425 bind:
426 address: 172.20.0.1
427 port: 9696
428 database:
429 engine: mysql
430 host: 127.0.0.1
431 port: 3306
432 name: neutron
433 user: neutron
434 password: pwd
435 identity:
436 engine: keystone
437 host: 127.0.0.1
438 port: 35357
439 user: neutron
440 password: pwd
441 tenant: service
Dennis Dmitriev37114722017-03-06 16:52:26 +0200[diff] [blame]442 endpoint_type: internal
Jiri Broulik74f61112016-11-21 20:23:47 +0100[diff] [blame]443 message_queue:
444 engine: rabbitmq
445 host: 127.0.0.1
446 port: 5672
447 user: openstack
448 password: pwd
449 virtual_host: '/openstack'
450 global_physnet_mtu: 9000
451 l3_ha: False
452 dvr: True
453 backend:
454 engine: ml2
455 tenant_network_types= "flat,vxlan"
456 external_mtu: 9000
457 mechanism:
Elena Ezhovad6a080c2017-10-09 15:25:16 +0400[diff] [blame]458 ovs:
459 driver: openvswitch
Jiri Broulik74f61112016-11-21 20:23:47 +0100[diff] [blame]460
Aleš Komárek41e82312017-04-11 13:37:44 +0200[diff] [blame]461Network Node
Jiri Broulik74f61112016-11-21 20:23:47 +0100[diff] [blame]462
463.. code-block:: yaml
464
465 neutron:
466 gateway:
467 enabled: True
468 version: mitaka
469 message_queue:
470 engine: rabbitmq
471 host: 127.0.0.1
472 port: 5672
473 user: openstack
474 password: pwd
475 virtual_host: '/openstack'
476 local_ip: 192.168.20.20 # br-mesh ip address
477 dvr: True
478 agent_mode: dvr_snat
Simon Pasquierc03af112017-04-10 10:35:14 +0200[diff] [blame]479 availability_zone: az1
Jiri Broulik74f61112016-11-21 20:23:47 +0100[diff] [blame]480 metadata:
481 host: 127.0.0.1
482 password: pass
483 backend:
484 engine: ml2
485 tenant_network_types: "flat,vxlan"
486 mechanism:
Elena Ezhovad6a080c2017-10-09 15:25:16 +0400[diff] [blame]487 ovs:
488 driver: openvswitch
Jiri Broulik74f61112016-11-21 20:23:47 +0100[diff] [blame]489
490Compute Node
Jiri Broulik74f61112016-11-21 20:23:47 +0100[diff] [blame]491
492.. code-block:: yaml
493
494 neutron:
495 compute:
496 enabled: True
497 version: mitaka
498 message_queue:
499 engine: rabbitmq
500 host: 127.0.0.1
501 port: 5672
502 user: openstack
503 password: pwd
504 virtual_host: '/openstack'
505 local_ip: 192.168.20.20 # br-mesh ip address
506 dvr: True
Vasyl Saienko2fffc842017-06-14 10:35:26 +0300[diff] [blame]507 external_access: True
Jiri Broulik74f61112016-11-21 20:23:47 +0100[diff] [blame]508 agent_mode: dvr
Simon Pasquierc03af112017-04-10 10:35:14 +0200[diff] [blame]509 availability_zone: az1
Jiri Broulik74f61112016-11-21 20:23:47 +0100[diff] [blame]510 metadata:
511 host: 127.0.0.1
512 password: pass
513 backend:
514 engine: ml2
515 tenant_network_types: "flat,vxlan"
516 mechanism:
Elena Ezhovad6a080c2017-10-09 15:25:16 +0400[diff] [blame]517 ovs:
518 driver: openvswitch
Jiri Broulik74f61112016-11-21 20:23:47 +0100[diff] [blame]519
520Sample Linux network configuration for DVR
Jiri Broulik74f61112016-11-21 20:23:47 +0100[diff] [blame]521
522.. code-block:: yaml
523
524 linux:
525 network:
526 bridge: openvswitch
527 interface:
528 eth1:
529 enabled: true
530 type: eth
531 mtu: 9000
532 proto: manual
533 eth2:
534 enabled: true
535 type: eth
536 mtu: 9000
537 proto: manual
538 eth3:
539 enabled: true
540 type: eth
541 mtu: 9000
542 proto: manual
543 br-int:
544 enabled: true
545 mtu: 9000
546 type: ovs_bridge
547 br-floating:
548 enabled: true
549 mtu: 9000
550 type: ovs_bridge
551 float-to-ex:
552 enabled: true
553 type: ovs_port
554 mtu: 65000
555 bridge: br-floating
556 br-mgmt:
557 enabled: true
558 type: bridge
559 mtu: 9000
560 address: ${_param:single_address}
561 netmask: 255.255.255.0
562 use_interfaces:
563 - eth1
564 br-mesh:
565 enabled: true
566 type: bridge
567 mtu: 9000
568 address: ${_param:tenant_address}
569 netmask: 255.255.255.0
570 use_interfaces:
571 - eth2
572 br-ex:
573 enabled: true
574 type: bridge
575 mtu: 9000
576 address: ${_param:external_address}
577 netmask: 255.255.255.0
578 use_interfaces:
579 - eth3
580 use_ovs_ports:
581 - float-to-ex
582
Thom Gerdes3282d072017-05-30 22:06:04 +0000[diff] [blame]583Additonal VXLAN tenant network settings
584---------------------------------------
585
586The default multicast group of 224.0.0.1 only multicasts to a single subnet.
587Allow overriding it to allow larger underlay network topologies.
588
589Neutron Server
590
591.. code-block:: yaml
592
593 neutron:
594 server:
595 vxlan:
596 group: 239.0.0.0/8
597 vni_ranges: "2:65535"
598
Jiri Broulik74f61112016-11-21 20:23:47 +0100[diff] [blame]599Neutron VLAN tenant networks with Network Nodes
Aleš Komárek41e82312017-04-11 13:37:44 +0200[diff] [blame]600-----------------------------------------------
Jiri Broulik74f61112016-11-21 20:23:47 +0100[diff] [blame]601
602VLAN tenant provider
603
604Neutron Server only
Jiri Broulik74f61112016-11-21 20:23:47 +0100[diff] [blame]605
606.. code-block:: yaml
607
608 neutron:
609 server:
610 version: mitaka
Jiri Broulik74f61112016-11-21 20:23:47 +0100[diff] [blame]611 ...
612 global_physnet_mtu: 9000
613 l3_ha: False
614 dvr: True
615 backend:
616 engine: ml2
617 tenant_network_types: "flat,vlan" # Can be mixed flat,vlan,vxlan
618 tenant_vlan_range: "1000:2000"
619 external_vlan_range: "100:200" # Does not have to be defined.
620 external_mtu: 9000
621 mechanism:
Elena Ezhovad6a080c2017-10-09 15:25:16 +0400[diff] [blame]622 ovs:
623 driver: openvswitch
Jiri Broulik74f61112016-11-21 20:23:47 +0100[diff] [blame]624
625Compute node
Jiri Broulik74f61112016-11-21 20:23:47 +0100[diff] [blame]626
627.. code-block:: yaml
628
629 neutron:
630 compute:
631 version: mitaka
Jiri Broulik74f61112016-11-21 20:23:47 +0100[diff] [blame]632 ...
633 dvr: True
634 agent_mode: dvr
635 external_access: False
636 backend:
637 engine: ml2
638 tenant_network_types: "flat,vlan" # Can be mixed flat,vlan,vxlan
639 mechanism:
Elena Ezhovad6a080c2017-10-09 15:25:16 +0400[diff] [blame]640 ovs:
641 driver: openvswitch
Jiri Broulik74f61112016-11-21 20:23:47 +0100[diff] [blame]642
Aleš Komárek41e82312017-04-11 13:37:44 +0200[diff] [blame]643Advanced Neutron Features (DPDK, SR-IOV)
Oleg Bondarev0575ae42017-07-28 16:36:25 +0400[diff] [blame]644----------------------------------------
Aleš Komárek41e82312017-04-11 13:37:44 +0200[diff] [blame]645
Jakub Pavlik8f83ccc2017-02-27 11:15:39 +0100[diff] [blame]646Neutron OVS DPDK
Jakub Pavlik8f83ccc2017-02-27 11:15:39 +0100[diff] [blame]647
648Enable datapath netdev for neutron openvswitch agent
649
650.. code-block:: yaml
651
652 neutron:
653 server:
654 version: mitaka
655 ...
656 dpdk: True
657 ...
658
659 neutron:
660 compute:
661 version: mitaka
Jakub Pavlik8f83ccc2017-02-27 11:15:39 +0100[diff] [blame]662 dpdk: True
663 backend:
664 engine: ml2
665 ...
666 mechanism:
Elena Ezhovad6a080c2017-10-09 15:25:16 +0400[diff] [blame]667 ovs:
668 driver: openvswitch
Jakub Pavlik8f83ccc2017-02-27 11:15:39 +0100[diff] [blame]669
Jakub Pavlik70555cb2017-02-26 18:48:02 +0100[diff] [blame]670Neutron OVS SR-IOV
Jakub Pavlik70555cb2017-02-26 18:48:02 +0100[diff] [blame]671
672.. code-block:: yaml
673
674 neutron:
675 server:
676 version: mitaka
Jakub Pavlik70555cb2017-02-26 18:48:02 +0100[diff] [blame]677 backend:
678 engine: ml2
679 ...
680 mechanism:
Elena Ezhovad6a080c2017-10-09 15:25:16 +0400[diff] [blame]681 ovs:
682 driver: openvswitch
683 sriov:
684 driver: sriovnicswitch
Jakub Pavlik70555cb2017-02-26 18:48:02 +0100[diff] [blame]685
686 neutron:
687 compute:
688 version: mitaka
Jakub Pavlik70555cb2017-02-26 18:48:02 +0100[diff] [blame]689 ...
690 backend:
691 engine: ml2
692 tenant_network_types: "flat,vlan" # Can be mixed flat,vlan,vxlan
693 sriov:
694 nic_one:
695 devname: eth1
696 physical_network: physnet3
697 mechanism:
Elena Ezhovad6a080c2017-10-09 15:25:16 +0400[diff] [blame]698 ovs:
699 driver: openvswitch
Jakub Pavlik70555cb2017-02-26 18:48:02 +0100[diff] [blame]700
Ilya Chukhnakovf4c2bb32017-06-08 02:03:15 +0300[diff] [blame]701Neutron with VLAN-aware-VMs
Oleg Bondarev0575ae42017-07-28 16:36:25 +0400[diff] [blame]702---------------------------
Ilya Chukhnakovf4c2bb32017-06-08 02:03:15 +0300[diff] [blame]703
704.. code-block:: yaml
705
706 neutron:
707 server:
708 vlan_aware_vms: true
709 ....
710 compute:
711 vlan_aware_vms: true
712 ....
713 gateway:
714 vlan_aware_vms: true
715
Oleg Bondarev0575ae42017-07-28 16:36:25 +0400[diff] [blame]716Neutron with OVN
717----------------
718
719Control node:
720
721.. code-block:: yaml
722
723 neutron:
724 server:
725 backend:
726 engine: ovn
727 mechanism:
728 ovn:
729 driver: ovn
730 tenant_network_types: "geneve,flat"
731
732Compute node:
733
734.. code-block:: yaml
735
736 neutron:
737 compute:
738 local_ip: 10.2.0.105
739 controller_vip: 10.1.0.101
740 external_access: false
741 backend:
742 engine: ovn
743
Aleš Komárek41e82312017-04-11 13:37:44 +0200[diff] [blame]744Neutron Server
745--------------
746
Jiri Broulik74f61112016-11-21 20:23:47 +0100[diff] [blame]747Neutron Server with OpenContrail
Jiri Broulik74f61112016-11-21 20:23:47 +0100[diff] [blame]748
749.. code-block:: yaml
750
751 neutron:
752 server:
marcoa4428a32016-06-10 11:50:16 +0200[diff] [blame]753 backend:
754 engine: contrail
755 host: contrail_discovery_host
756 port: 8082
757 user: admin
758 password: password
759 tenant: admin
760 token: token
761
762Neutron Server with Midonet
763
764.. code-block:: yaml
765
766 neutron:
767 server:
768 backend:
769 engine: midonet
770 host: midonet_api_host
771 port: 8181
772 user: admin
773 password: password
774
Jakub Pavlik6dd5c0a2016-03-09 14:18:15 +0100[diff] [blame]775Neutron Keystone region
776
777.. code-block:: yaml
778
779 neutron:
780 server:
781 enabled: true
782 version: kilo
783 ...
784 identity:
785 region: RegionTwo
786 ...
787 compute:
788 region: RegionTwo
789 ...
790
Jiri Konecny93b19992016-04-12 11:15:39 +0200[diff] [blame]791Client-side RabbitMQ HA setup
792
793.. code-block:: yaml
794
795 neutron:
796 server:
797 ....
798 message_queue:
799 engine: rabbitmq
800 members:
801 - host: 10.0.16.1
802 - host: 10.0.16.2
803 - host: 10.0.16.3
804 user: openstack
805 password: pwd
806 virtual_host: '/openstack'
807 ....
808
Kirill Bespalov8fffe022017-08-03 17:55:02 +0300[diff] [blame]809Client-side RabbitMQ TLS configuration:
810
811|
812
813To enable TLS for oslo.messaging you need to provide the CA certificate.
814
815By default system-wide CA certs are used. Nothing should be specified except `ssl.enabled`.
816
817.. code-block:: yaml
818
819 neutron:
820 server, gateway, compute:
821 ....
822 message_queue:
823 ssl:
824 enabled: True
825
826
827
828Use `cacert_file` option to specify the CA-cert file path explicitly:
829
830.. code-block:: yaml
831
832 neutron:
833 server, gateway, compute:
834 ....
835 message_queue:
836 ssl:
837 enabled: True
838 cacert_file: /etc/ssl/rabbitmq-ca.pem
839
840To manage content of the `cacert_file` use the `cacert` option:
841
842.. code-block:: yaml
843
844 neutron:
845 server, gateway, compute:
846 ....
847 message_queue:
848 ssl:
849 enabled: True
850 cacert: |
851
852 -----BEGIN CERTIFICATE-----
853 ...
854 -----END CERTIFICATE-------
855
856 cacert_file: /etc/openstack/rabbitmq-ca.pem
857
858
859Notice:
860 * The `message_queue.port` is set to **5671** (AMQPS) by default if `ssl.enabled=True`.
861 * Use `message_queue.ssl.version` if you need to specify protocol version. By default is TLSv1 for python < 2.7.9 and TLSv1_2 for version above.
862
863
Petr Michalec61f7ab22016-11-29 16:29:09 +0100[diff] [blame]864Enable auditing filter, ie: CADF
865
866.. code-block:: yaml
867
868 neutron:
869 server:
870 audit:
871 enabled: true
872 ....
873 filter_factory: 'keystonemiddleware.audit:filter_factory'
874 map_file: '/etc/pycadf/neutron_api_audit_map.conf'
875 ....
876 compute:
877 audit:
878 enabled: true
879 ....
880 filter_factory: 'keystonemiddleware.audit:filter_factory'
881 map_file: '/etc/pycadf/neutron_api_audit_map.conf'
882 ....
Jiri Konecny93b19992016-04-12 11:15:39 +0200[diff] [blame]883
Oleg Bondarev98870a32017-05-29 16:53:19 +0400[diff] [blame]884Neutron with security groups disabled
885
886.. code-block:: yaml
887
888 neutron:
889 server:
890 security_groups_enabled: False
891 ....
892 compute:
893 security_groups_enabled: False
894 ....
895 gateway:
896 security_groups_enabled: False
897
Jiri Konecny93b19992016-04-12 11:15:39 +0200[diff] [blame]898
Aleš Komárek41e82312017-04-11 13:37:44 +0200[diff] [blame]899Neutron Client
900--------------
Jiri Broulik5368cc52017-02-08 18:53:59 +0100[diff] [blame]901
902Neutron networks
903
904.. code-block:: yaml
905
906 neutron:
907 client:
908 enabled: true
909 server:
910 identity:
Richard Felklaac256a2017-03-23 15:43:49 +0100[diff] [blame]911 endpoint_type: internalURL
Jiri Broulik5368cc52017-02-08 18:53:59 +0100[diff] [blame]912 network:
913 inet1:
914 tenant: demo
915 shared: False
916 admin_state_up: True
917 router_external: True
918 provider_physical_network: inet
919 provider_network_type: flat
920 provider_segmentation_id: 2
921 subnet:
922 inet1-subnet1:
923 cidr: 192.168.90.0/24
924 enable_dhcp: False
925 inet2:
926 tenant: admin
927 shared: False
928 router_external: True
929 provider_network_type: "vlan"
930 subnet:
931 inet2-subnet1:
932 cidr: 192.168.92.0/24
933 enable_dhcp: False
934 inet2-subnet2:
935 cidr: 192.168.94.0/24
936 enable_dhcp: True
937 identity1:
938 network:
939 ...
940
Jiri Broulik5368cc52017-02-08 18:53:59 +0100[diff] [blame]941Neutron routers
942
943.. code-block:: yaml
944
945 neutron:
946 client:
947 enabled: true
948 server:
949 identity:
Richard Felklaac256a2017-03-23 15:43:49 +0100[diff] [blame]950 endpoint_type: internalURL
Jiri Broulik5368cc52017-02-08 18:53:59 +0100[diff] [blame]951 router:
952 inet1-router:
953 tenant: demo
954 admin_state_up: True
955 gateway_network: inet
956 interfaces:
957 - inet1-subnet1
958 - inet1-subnet2
959 identity1:
960 router:
961 ...
962
963 TODO: implement adding new interfaces to a router while updating it
964
965
966Neutron security groups
967
968.. code-block:: yaml
969
970 neutron:
971 client:
972 enabled: true
973 server:
974 identity:
Richard Felklaac256a2017-03-23 15:43:49 +0100[diff] [blame]975 endpoint_type: internalURL
Jiri Broulik5368cc52017-02-08 18:53:59 +0100[diff] [blame]976 security_group:
977 security_group1:
978 tenant: demo
979 description: security group 1
980 rules:
981 - direction: ingress
982 ethertype: IPv4
983 protocol: TCP
984 port_range_min: 1
985 port_range_max: 65535
986 remote_ip_prefix: 0.0.0.0/0
987 - direction: ingress
988 ethertype: IPv4
989 protocol: UDP
990 port_range_min: 1
991 port_range_max: 65535
992 remote_ip_prefix: 0.0.0.0/0
993 - direction: ingress
994 protocol: ICMP
995 remote_ip_prefix: 0.0.0.0/0
996 identity1:
997 security_group:
998 ...
999
1000 TODO: implement updating existing security rules (now it adds new rule if trying to update existing one)
1001
Jiri Broulikde2e2902017-02-13 15:03:47 +0100[diff] [blame]1002
1003Floating IP addresses
1004
1005.. code-block:: yaml
1006
1007 neutron:
1008 client:
1009 enabled: true
1010 server:
1011 identity:
Richard Felklaac256a2017-03-23 15:43:49 +0100[diff] [blame]1012 endpoint_type: internalURL
Jiri Broulikde2e2902017-02-13 15:03:47 +0100[diff] [blame]1013 floating_ip:
1014 prx01-instance:
1015 server: prx01.mk22-lab-basic.local
1016 subnet: private-subnet1
1017 network: public-net1
1018 tenant: demo
1019 gtw01-instance:
1020 ...
1021
1022.. note:: The network must have flag router:external set to True.
1023 Instance port in the stated subnet will be associated with the dynamically generated floating IP.
1024
1025
Oleg Iurchenkode71cc22017-09-18 17:58:56 +0300[diff] [blame]1026
1027Enable Neutron extensions (QoS, DNS, etc.)
1028------------------------------------------
1029.. code-block:: yaml
1030
1031 neutron:
1032 server:
1033 backend:
1034 extension:
Oleg Iurchenkoac17f4f2017-10-06 11:24:27 +0300[diff] [blame]1035 dns:
1036 enabled: True
1037 host: 127.0.0.1
1038 port: 9001
1039 protocol: http
1040 ....
1041 qos
1042 enabled: True
Oleg Iurchenkode71cc22017-09-18 17:58:56 +0300[diff] [blame]1043
1044
Oleg Iurchenko8cf6cf52017-09-18 15:44:03 +0300[diff] [blame]1045
1046Neutron with Designate
1047-----------------------------------------
1048.. code-block:: yaml
1049
1050 neutron:
1051 server:
1052 backend:
1053 extension:
1054 dns:
1055 enabled: True
1056 host: 127.0.0.1
1057 port: 9001
1058 protocol: http
1059
1060
1061
Filip Pytloun20c0a442017-02-02 13:05:13 +0100[diff] [blame]1062Documentation and Bugs
1063======================
1064
1065To learn how to install and update salt-formulas, consult the documentation
1066available online at:
1067
1068 http://salt-formulas.readthedocs.io/
1069
1070In the unfortunate event that bugs are discovered, they should be reported to
1071the appropriate issue tracker. Use Github issue tracker for specific salt
1072formula:
1073
1074 https://github.com/salt-formulas/salt-formula-neutron/issues
1075
1076For feature requests, bug reports or blueprints affecting entire ecosystem,
1077use Launchpad salt-formulas project:
1078
1079 https://launchpad.net/salt-formulas
1080
1081You can also join salt-formulas-users team and subscribe to mailing list:
1082
1083 https://launchpad.net/~salt-formulas-users
1084
1085Developers wishing to work on the salt-formulas projects should always base
1086their work on master branch and submit pull request against specific formula.
1087
1088 https://github.com/salt-formulas/salt-formula-neutron
1089
1090Any questions or feedback is always welcome so feel free to join our IRC
1091channel:
1092
1093 #salt-formulas @ irc.freenode.net