===============
Neutron Formula
===============

Neutron is an OpenStack project to provide "networking as a service" between
interface devices (e.g., vNICs) managed by other OpenStack services (e.g.,
nova).

Starting in the Folsom release, Neutron is a core and supported part of the
OpenStack platform (for Essex, we were an "incubated" project, which means use
is suggested only for those who really know what they're doing with Neutron).

Sample Pillars
==============

Neutron Server on the controller node

.. code-block:: yaml

    neutron:
      server:
        enabled: true
        version: mitaka
        allow_pagination: true
        pagination_max_limit: 100
        api_workers: 2
        rpc_workers: 2
        rpc_state_report_workers: 2
        bind:
          address: 172.20.0.1
          port: 9696
        database:
          engine: mysql
          host: 127.0.0.1
          port: 3306
          name: neutron
          user: neutron
          password: pwd
        identity:
          engine: keystone
          host: 127.0.0.1
          port: 35357
          user: neutron
          password: pwd
          tenant: service
          endpoint_type: internal
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        metadata:
          host: 127.0.0.1
          port: 8775
          password: pass
          workers: 2
        audit:
          enabled: false

Note: Pagination is useful when retrieving a large number of resources,
because a single request may fail (time out). It is enabled with the two
parameters *allow_pagination* and *pagination_max_limit* as shown above.

Configuration of policy.json file

.. code-block:: yaml

    neutron:
      server:
        ....
        policy:
          create_subnet: 'rule:admin_or_network_owner'
          'get_network:queue_id': 'rule:admin_only'
          # Add key without value to remove line from policy.json
          'create_network:shared':

Neutron LBaaSv2 enablement
--------------------------

.. code-block:: yaml

    neutron:
      server:
        lbaas:
          enabled: true
          providers:
            octavia:
              engine: octavia
              driver_path: 'neutron_lbaas.drivers.octavia.driver.OctaviaDriver'
              base_url: 'http://127.0.0.1:9876'
            avi_adc:
              engine: avinetworks
              driver_path: 'avi_lbaasv2.avi_driver.AviDriver'
              controller_address: 10.182.129.239
              controller_user: admin
              controller_password: Cloudlab2016
              controller_cloud_name: Default-Cloud
            avi_adc2:
              engine: avinetworks
              ...

Note: If the Contrail backend is set, the OpenContrail load balancer is enabled
automatically. In this case lbaas should be disabled in the pillar:

.. code-block:: yaml

    neutron:
      server:
        lbaas:
          enabled: false

Neutron FWaaSv1 enablement
--------------------------

.. code-block:: yaml

    neutron:
      fwaas:
        enabled: true
        version: ocata
        api_version: v1

Enable CORS parameters
----------------------

.. code-block:: yaml

    neutron:
      server:
        cors:
          allowed_origin: https:localhost.local,http:localhost.local
          expose_headers: X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token
          allow_methods: GET,PUT,POST,DELETE,PATCH
          allow_headers: X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token
          allow_credentials: True
          max_age: 86400

Neutron VXLAN tenant networks with Network nodes
------------------------------------------------

With DVR for East-West and Network node for North-South.

This use case describes a model utilising VxLAN overlay with DVR. The DVR
routers will only be utilized for traffic that is routed within the cloud
infrastructure and that remains encapsulated. External traffic will be
routed via the network nodes.

The intention is that each tenant will require at least two (2) vrouters
one to be utilised

Neutron Server

.. code-block:: yaml

    neutron:
      server:
        version: mitaka
        path_mtu: 1500
        bind:
          address: 172.20.0.1
          port: 9696
        database:
          engine: mysql
          host: 127.0.0.1
          port: 3306
          name: neutron
          user: neutron
          password: pwd
        identity:
          engine: keystone
          host: 127.0.0.1
          port: 35357
          user: neutron
          password: pwd
          tenant: service
          endpoint_type: internal
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        global_physnet_mtu: 9000
        l3_ha: False # Which type of router will be created by default
        dvr: True # disabled for non DVR use case
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          external_mtu: 9000
          mechanism:
            ovs:
              driver: openvswitch

Network Node

.. code-block:: yaml

    neutron:
      gateway:
        enabled: True
        version: mitaka
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        local_ip: 192.168.20.20 # br-mesh ip address
        dvr: True # disabled for non DVR use case
        agent_mode: dvr_snat
        metadata:
          host: 127.0.0.1
          password: pass
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          mechanism:
            ovs:
              driver: openvswitch

Compute Node

.. code-block:: yaml

    neutron:
      compute:
        enabled: True
        version: mitaka
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        local_ip: 192.168.20.20 # br-mesh ip address
        dvr: True # disabled for non DVR use case
        agent_mode: dvr
        external_access: false # Compute node with DVR for east-west only, Network Node has True as default
        metadata:
          host: 127.0.0.1
          password: pass
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          mechanism:
            ovs:
              driver: openvswitch
        audit:
          enabled: false

Disable physnet1 bridge
-----------------------

By default external access is turned on, so in addition to any physnets
defined in your reclass model there is one more: physnet1, which is mapped to
br-floating.

If you need internal networks only, without this bridge, remove br-floating
and its configuration mappings. Disable the mappings for this bridge on the
neutron servers:

.. code-block:: yaml

    neutron:
      server:
        external_access: false

gateways:

.. code-block:: yaml

    neutron:
      gateway:
        external_access: false

compute nodes:

.. code-block:: yaml

    neutron:
      compute:
        external_access: false

Specify different mtu values for different physnets
---------------------------------------------------

Neutron Server

.. code-block:: yaml

    neutron:
      server:
        version: mitaka
        backend:
          external_mtu: 1500
          tenant_net_mtu: 9000
          ironic_net_mtu: 9000

Neutron VXLAN tenant networks with Network Nodes (non DVR)
----------------------------------------------------------

This section describes a network solution that utilises VxLAN overlay
networks without DVR, with all routers being managed on the network nodes.

Neutron Server

.. code-block:: yaml

    neutron:
      server:
        version: mitaka
        bind:
          address: 172.20.0.1
          port: 9696
        database:
          engine: mysql
          host: 127.0.0.1
          port: 3306
          name: neutron
          user: neutron
          password: pwd
        identity:
          engine: keystone
          host: 127.0.0.1
          port: 35357
          user: neutron
          password: pwd
          tenant: service
          endpoint_type: internal
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        global_physnet_mtu: 9000
        l3_ha: True
        dvr: False
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          external_mtu: 9000
          mechanism:
            ovs:
              driver: openvswitch

Network Node

.. code-block:: yaml

    neutron:
      gateway:
        enabled: True
        version: mitaka
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        local_ip: 192.168.20.20 # br-mesh ip address
        dvr: False
        agent_mode: legacy
        availability_zone: az1
        metadata:
          host: 127.0.0.1
          password: pass
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          mechanism:
            ovs:
              driver: openvswitch

Compute Node

.. code-block:: yaml

    neutron:
      compute:
        enabled: True
        version: mitaka
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        local_ip: 192.168.20.20 # br-mesh ip address
        external_access: False
        dvr: False
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          mechanism:
            ovs:
              driver: openvswitch

Neutron VXLAN tenant networks with Network Nodes with DVR
---------------------------------------------------------

With DVR for East-West and North-South, DVR everywhere, Network node for SNAT.

This section describes a network solution that utilises VxLAN
overlay networks with DVR for both North-South and East-West traffic. The
Network Node is used only for SNAT.

Neutron Server

.. code-block:: yaml

    neutron:
      server:
        version: mitaka
        bind:
          address: 172.20.0.1
          port: 9696
        database:
          engine: mysql
          host: 127.0.0.1
          port: 3306
          name: neutron
          user: neutron
          password: pwd
        identity:
          engine: keystone
          host: 127.0.0.1
          port: 35357
          user: neutron
          password: pwd
          tenant: service
          endpoint_type: internal
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        global_physnet_mtu: 9000
        l3_ha: False
        dvr: True
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          external_mtu: 9000
          mechanism:
            ovs:
              driver: openvswitch

Network Node

.. code-block:: yaml

    neutron:
      gateway:
        enabled: True
        version: mitaka
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        local_ip: 192.168.20.20 # br-mesh ip address
        dvr: True
        agent_mode: dvr_snat
        availability_zone: az1
        metadata:
          host: 127.0.0.1
          password: pass
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          mechanism:
            ovs:
              driver: openvswitch

Compute Node

.. code-block:: yaml

    neutron:
      compute:
        enabled: True
        version: mitaka
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        local_ip: 192.168.20.20 # br-mesh ip address
        dvr: True
        external_access: True
        agent_mode: dvr
        availability_zone: az1
        metadata:
          host: 127.0.0.1
          password: pass
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          mechanism:
            ovs:
              driver: openvswitch

Sample Linux network configuration for DVR

.. code-block:: yaml

    linux:
      network:
        bridge: openvswitch
        interface:
          eth1:
            enabled: true
            type: eth
            mtu: 9000
            proto: manual
          eth2:
            enabled: true
            type: eth
            mtu: 9000
            proto: manual
          eth3:
            enabled: true
            type: eth
            mtu: 9000
            proto: manual
          br-int:
            enabled: true
            mtu: 9000
            type: ovs_bridge
          br-floating:
            enabled: true
            mtu: 9000
            type: ovs_bridge
          float-to-ex:
            enabled: true
            type: ovs_port
            mtu: 65000
            bridge: br-floating
          br-mgmt:
            enabled: true
            type: bridge
            mtu: 9000
            address: ${_param:single_address}
            netmask: 255.255.255.0
            use_interfaces:
            - eth1
          br-mesh:
            enabled: true
            type: bridge
            mtu: 9000
            address: ${_param:tenant_address}
            netmask: 255.255.255.0
            use_interfaces:
            - eth2
          br-ex:
            enabled: true
            type: bridge
            mtu: 9000
            address: ${_param:external_address}
            netmask: 255.255.255.0
            use_interfaces:
            - eth3
            use_ovs_ports:
            - float-to-ex

Additional VXLAN tenant network settings
----------------------------------------

The default multicast group of 224.0.0.1 only multicasts to a single subnet.
Override it to support larger underlay network topologies.

Neutron Server

.. code-block:: yaml

    neutron:
      server:
        vxlan:
          group: 239.0.0.0/8
          vni_ranges: "2:65535"

Neutron VLAN tenant networks with Network Nodes
-----------------------------------------------

VLAN tenant provider

Neutron Server only

.. code-block:: yaml

    neutron:
      server:
        version: mitaka
        ...
        global_physnet_mtu: 9000
        l3_ha: False
        dvr: True
        backend:
          engine: ml2
          tenant_network_types: "flat,vlan" # Can be mixed flat,vlan,vxlan
          tenant_vlan_range: "1000:2000"
          external_vlan_range: "100:200" # Does not have to be defined.
          external_mtu: 9000
          mechanism:
            ovs:
              driver: openvswitch

Compute node

.. code-block:: yaml

    neutron:
      compute:
        version: mitaka
        ...
        dvr: True
        agent_mode: dvr
        external_access: False
        backend:
          engine: ml2
          tenant_network_types: "flat,vlan" # Can be mixed flat,vlan,vxlan
          mechanism:
            ovs:
              driver: openvswitch

Advanced Neutron Features (DPDK, SR-IOV)
----------------------------------------

Neutron OVS DPDK

Enable datapath netdev for neutron openvswitch agent

.. code-block:: yaml

    neutron:
      server:
        version: mitaka
        ...
        dpdk: True
        ...

    neutron:
      compute:
        version: mitaka
        dpdk: True
        vhost_socket_dir: /var/run/openvswitch
        backend:
          engine: ml2
          ...
          mechanism:
            ovs:
              driver: openvswitch

Neutron OVS SR-IOV

.. code-block:: yaml

    neutron:
      server:
        version: mitaka
        backend:
          engine: ml2
          ...
          mechanism:
            ovs:
              driver: openvswitch
            sriov:
              driver: sriovnicswitch

    neutron:
      compute:
        version: mitaka
        ...
        backend:
          engine: ml2
          tenant_network_types: "flat,vlan" # Can be mixed flat,vlan,vxlan
          sriov:
            nic_one:
              devname: eth1
              physical_network: physnet3
          mechanism:
            ovs:
              driver: openvswitch

Neutron with VLAN-aware-VMs
---------------------------

.. code-block:: yaml

    neutron:
      server:
        vlan_aware_vms: true
      ....
      compute:
        vlan_aware_vms: true
      ....
      gateway:
        vlan_aware_vms: true

Neutron with OVN
----------------

Control node:

.. code-block:: yaml

    neutron:
      server:
        backend:
          engine: ovn
          mechanism:
            ovn:
              driver: ovn
          tenant_network_types: "geneve,flat"

Compute node:

.. code-block:: yaml

    neutron:
      compute:
        local_ip: 10.2.0.105
        controller_vip: 10.1.0.101
        external_access: false
        backend:
          engine: ovn

Neutron Server
--------------

Neutron Server with OpenContrail

.. code-block:: yaml

    neutron:
      server:
        backend:
          engine: contrail
          host: contrail_discovery_host
          port: 8082
          user: admin
          password: password
          tenant: admin
          token: token

Neutron Server with Midonet

.. code-block:: yaml

    neutron:
      server:
        backend:
          engine: midonet
          host: midonet_api_host
          port: 8181
          user: admin
          password: password

Neutron Keystone region

.. code-block:: yaml

    neutron:
      server:
        enabled: true
        version: kilo
        ...
        identity:
          region: RegionTwo
        ...
        compute:
          region: RegionTwo
        ...

Client-side RabbitMQ HA setup

.. code-block:: yaml

    neutron:
      server:
        ....
        message_queue:
          engine: rabbitmq
          members:
            - host: 10.0.16.1
            - host: 10.0.16.2
            - host: 10.0.16.3
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        ....

Client-side RabbitMQ TLS configuration:

|

To enable TLS for oslo.messaging you need to provide the CA certificate.

By default the system-wide CA certs are used. Nothing needs to be specified except `ssl.enabled`.

.. code-block:: yaml

    neutron:
      server, gateway, compute:
        ....
        message_queue:
          ssl:
            enabled: True

Use the `cacert_file` option to specify the CA-cert file path explicitly:

.. code-block:: yaml

    neutron:
      server, gateway, compute:
        ....
        message_queue:
          ssl:
            enabled: True
            cacert_file: /etc/ssl/rabbitmq-ca.pem

To manage the content of the `cacert_file`, use the `cacert` option:

.. code-block:: yaml

    neutron:
      server, gateway, compute:
        ....
        message_queue:
          ssl:
            enabled: True
            cacert: |
              -----BEGIN CERTIFICATE-----
              ...
              -----END CERTIFICATE-----
            cacert_file: /etc/openstack/rabbitmq-ca.pem

Notice:
 * The `message_queue.port` is set to **5671** (AMQPS) by default if `ssl.enabled=True`.
 * Use `message_queue.ssl.version` if you need to specify the protocol version. The default is TLSv1 for Python < 2.7.9 and TLSv1_2 for later versions.

Enable auditing filter, i.e. CADF

.. code-block:: yaml

    neutron:
      server:
        audit:
          enabled: true
          ....
          filter_factory: 'keystonemiddleware.audit:filter_factory'
          map_file: '/etc/pycadf/neutron_api_audit_map.conf'
        ....
      compute:
        audit:
          enabled: true
          ....
          filter_factory: 'keystonemiddleware.audit:filter_factory'
          map_file: '/etc/pycadf/neutron_api_audit_map.conf'
        ....

Neutron with security groups disabled

.. code-block:: yaml

    neutron:
      server:
        security_groups_enabled: False
      ....
      compute:
        security_groups_enabled: False
      ....
      gateway:
        security_groups_enabled: False

Neutron Client
--------------

Neutron networks

.. code-block:: yaml

    neutron:
      client:
        enabled: true
        server:
          identity:
            endpoint_type: internalURL
            network:
              inet1:
                tenant: demo
                shared: False
                admin_state_up: True
                router_external: True
                provider_physical_network: inet
                provider_network_type: flat
                provider_segmentation_id: 2
                subnet:
                  inet1-subnet1:
                    cidr: 192.168.90.0/24
                    enable_dhcp: False
              inet2:
                tenant: admin
                shared: False
                router_external: True
                provider_network_type: "vlan"
                subnet:
                  inet2-subnet1:
                    cidr: 192.168.92.0/24
                    enable_dhcp: False
                  inet2-subnet2:
                    cidr: 192.168.94.0/24
                    enable_dhcp: True
          identity1:
            network:
              ...

Neutron routers

.. code-block:: yaml

    neutron:
      client:
        enabled: true
        server:
          identity:
            endpoint_type: internalURL
            router:
              inet1-router:
                tenant: demo
                admin_state_up: True
                gateway_network: inet
                interfaces:
                  - inet1-subnet1
                  - inet1-subnet2
          identity1:
            router:
              ...

    TODO: implement adding new interfaces to a router while updating it

Neutron security groups

.. code-block:: yaml

    neutron:
      client:
        enabled: true
        server:
          identity:
            endpoint_type: internalURL
            security_group:
              security_group1:
                tenant: demo
                description: security group 1
                rules:
                  - direction: ingress
                    ethertype: IPv4
                    protocol: TCP
                    port_range_min: 1
                    port_range_max: 65535
                    remote_ip_prefix: 0.0.0.0/0
                  - direction: ingress
                    ethertype: IPv4
                    protocol: UDP
                    port_range_min: 1
                    port_range_max: 65535
                    remote_ip_prefix: 0.0.0.0/0
                  - direction: ingress
                    protocol: ICMP
                    remote_ip_prefix: 0.0.0.0/0
          identity1:
            security_group:
              ...

    TODO: implement updating existing security rules (now it adds new rule if trying to update existing one)

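A pillar review covering the security-relevant keys documented in this README (RabbitMQ TLS, `security_groups_enabled`, `audit`, and client security group rules), as an added example that is not part of the formula. It takes the pillar as an already-parsed dict; the finding codes, the `SAMPLE` pillar, and the treatment of an explicit `port: 5672` as overriding the 5671 default are assumptions.

```python
# Added example (not formula code): review a parsed pillar for the
# security-relevant keys this README documents.
ROLES = ("server", "gateway", "compute")
ANY_V4 = "0.0.0.0/0"
MESSAGES = {
    "mq-plaintext": "message_queue.ssl.enabled is not set, AMQP runs without TLS",
    "mq-tls-on-5672": "ssl.enabled with an explicit port 5672 (the plain AMQP port)",
    "mq-tlsv1": "message_queue.ssl.version pins TLSv1",
    "sg-disabled": "security_groups_enabled is False",
    "audit-off": "CADF audit filter is disabled",
    "sg-open": "ingress rule admits all ports from 0.0.0.0/0",
}


def review_message_queue(path, mq):
    """Check one role's message_queue block against the TLS notes above."""
    ssl = mq.get("ssl") or {}
    if not ssl.get("enabled"):
        return [(path, "mq-plaintext")]
    found = []
    # Assumption: an explicit port overrides the 5671 default the README
    # describes, so a leftover "port: 5672" would still be used.
    if mq.get("port") == 5672:
        found.append((path, "mq-tls-on-5672"))
    if ssl.get("version") == "TLSv1":
        found.append((path, "mq-tlsv1"))
    return found


def review_rules(path, rules):
    """Flag ingress TCP/UDP/any-protocol rules open to every port and host."""
    found = []
    for idx, rule in enumerate(rules or []):
        if rule.get("direction") != "ingress" or rule.get("remote_ip_prefix") != ANY_V4:
            continue
        proto = str(rule.get("protocol") or "any").lower()
        lo, hi = rule.get("port_range_min"), rule.get("port_range_max")
        all_ports = lo is None or (lo <= 1 and (hi or lo) >= 65535)
        if proto in ("tcp", "udp", "any") and all_ports:
            found.append(("%s:rules[%d]" % (path, idx), "sg-open"))
    return found


def review_pillar(pillar):
    """Return a list of (pillar path, finding code) tuples."""
    neutron = pillar.get("neutron") or {}
    found = []
    for role in ROLES:
        cfg = neutron.get(role)
        if not isinstance(cfg, dict):
            continue
        path = "neutron:" + role
        if "message_queue" in cfg:
            found += review_message_queue(path + ":message_queue", cfg["message_queue"])
        if cfg.get("security_groups_enabled") is False:
            found.append((path + ":security_groups_enabled", "sg-disabled"))
        if "audit" in cfg and not cfg["audit"].get("enabled"):
            found.append((path + ":audit", "audit-off"))
    identities = (neutron.get("client") or {}).get("server") or {}
    for ident, resources in identities.items():
        groups = (resources or {}).get("security_group") or {}
        for name, group in groups.items():
            path = "neutron:client:server:%s:security_group:%s" % (ident, name)
            found += review_rules(path, (group or {}).get("rules"))
    return found


# Constructed sample, modelled on the pillar snippets in this README.
SAMPLE = {"neutron": {
    "server": {"message_queue": {"host": "127.0.0.1", "port": 5672},
               "audit": {"enabled": False}},
    "gateway": {"message_queue": {"ssl": {"enabled": True}}},
    "compute": {"security_groups_enabled": False,
                "message_queue": {"port": 5672,
                                  "ssl": {"enabled": True, "version": "TLSv1"}}},
    "client": {"server": {"identity": {"security_group": {"security_group1": {
        "rules": [
            {"direction": "ingress", "protocol": "TCP", "port_range_min": 1,
             "port_range_max": 65535, "remote_ip_prefix": ANY_V4},
            {"direction": "ingress", "protocol": "TCP", "port_range_min": 22,
             "port_range_max": 22, "remote_ip_prefix": "192.168.90.0/24"},
            {"direction": "ingress", "protocol": "ICMP", "remote_ip_prefix": ANY_V4},
        ]}}}}},
}}

if __name__ == "__main__":
    for path, code in review_pillar(SAMPLE):
        print("%-72s %s" % (path, MESSAGES[code]))
```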

Floating IP addresses

.. code-block:: yaml

    neutron:
      client:
        enabled: true
        server:
          identity:
            endpoint_type: internalURL
            floating_ip:
              prx01-instance:
                server: prx01.mk22-lab-basic.local
                subnet: private-subnet1
                network: public-net1
                tenant: demo
              gtw01-instance:
                ...

.. note:: The network must have flag router:external set to True.
          Instance port in the stated subnet will be associated with the dynamically generated floating IP.

Enable Neutron extensions (QoS, DNS, etc.)
------------------------------------------

.. code-block:: yaml

    neutron:
      server:
        backend:
          extension:
            dns:
              enabled: True
              host: 127.0.0.1
              port: 9001
              protocol: http
            ....
            qos:
              enabled: True

Neutron with Designate
----------------------

.. code-block:: yaml

    neutron:
      server:
        backend:
          extension:
            dns:
              enabled: True
              host: 127.0.0.1
              port: 9001
              protocol: http

Documentation and Bugs
======================

To learn how to install and update salt-formulas, consult the documentation
available online at:

    http://salt-formulas.readthedocs.io/

In the unfortunate event that bugs are discovered, they should be reported to
the appropriate issue tracker. Use the GitHub issue tracker for the specific
salt formula:

    https://github.com/salt-formulas/salt-formula-neutron/issues

For feature requests, bug reports or blueprints affecting the entire ecosystem,
use the Launchpad salt-formulas project:

    https://launchpad.net/salt-formulas

You can also join the salt-formulas-users team and subscribe to the mailing list:

    https://launchpad.net/~salt-formulas-users

Developers wishing to work on the salt-formulas projects should always base
their work on the master branch and submit pull requests against the specific
formula.

    https://github.com/salt-formulas/salt-formula-neutron

Any questions or feedback is always welcome so feel free to join our IRC
channel:

    #salt-formulas @ irc.freenode.net