Blame - README.rst - salt-formulas/neutron

blob: 7ee2ea3ba56f613e6ae141b5e996664b954c9f81 [file] [log] [blame]

OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1	=====
				2	Usage
				3	=====
Filip Pytloun	cd028e4	2015-10-06 16:28:32 +0200	[diff] [blame]	4
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	5	Neutron is an OpenStack project to provide networking as a service between
Jakub Pavlik	9ecf026	2016-05-20 11:20:58 +0200	[diff] [blame]	6	interface devices (e.g., vNICs) managed by other Openstack services (e.g.,
				7	nova).
Filip Pytloun	cd028e4	2015-10-06 16:28:32 +0200	[diff] [blame]	8
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	9	Starting with the Folsom release, Neutron is a core and supported part of the
				10	OpenStack platform (for Essex, we were an incubated project, which means use
Vasyl Saienko	2fffc84	2017-06-14 10:35:26 +0300	[diff] [blame]	11	is suggested only for those who really know what they're doing with Neutron).
Filip Pytloun	cd028e4	2015-10-06 16:28:32 +0200	[diff] [blame]	12
Aleš Komárek	41e8231	2017-04-11 13:37:44 +0200	[diff] [blame]	13	Sample Pillars
Filip Pytloun	cd028e4	2015-10-06 16:28:32 +0200	[diff] [blame]	14	==============
				15
				16	Neutron Server on the controller node
				17
				18	.. code-block:: yaml
				19
				20	neutron:
				21	server:
				22	enabled: true
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	23	version: mitaka
Swann Croiset	9407daf	2017-02-02 15:27:56 +0100	[diff] [blame]	24	allow_pagination: true
				25	pagination_max_limit: 100
Mykyta Karpin	253406d	2017-12-08 17:01:37 +0200	[diff] [blame]	26	api_workers: 2
				27	rpc_workers: 2
				28	rpc_state_report_workers: 2
Michael Polenchuk	1ff8865	2018-03-06 16:15:57 +0400	[diff] [blame]	29	root_helper_daemon: false
Michael Polenchuk	2151b27	2018-06-19 18:32:31 +0400	[diff] [blame]	30	dhcp_lease_duration: 600
Michael Polenchuk	cece76d	2018-06-21 14:56:17 +0400	[diff] [blame]	31	firewall_driver: iptables_hybrid
Oleg Bondarev	bc2dfee	2018-10-17 18:41:51 +0400	[diff] [blame]	32	agent_boot_time: 180
William Konitzer	81a8998	2019-01-07 12:49:15 -0600	[diff] [blame]	33	agent_down_time: 30
				34	dhcp_agents_per_network: 2
				35	allow_automatic_dhcp_failover: true
Filip Pytloun	cd028e4	2015-10-06 16:28:32 +0200	[diff] [blame]	36	bind:
				37	address: 172.20.0.1
				38	port: 9696
Filip Pytloun	cd028e4	2015-10-06 16:28:32 +0200	[diff] [blame]	39	database:
				40	engine: mysql
				41	host: 127.0.0.1
				42	port: 3306
				43	name: neutron
				44	user: neutron
				45	password: pwd
				46	identity:
				47	engine: keystone
				48	host: 127.0.0.1
				49	port: 35357
				50	user: neutron
				51	password: pwd
				52	tenant: service
Dennis Dmitriev	3711472	2017-03-06 16:52:26 +0200	[diff] [blame]	53	endpoint_type: internal
Filip Pytloun	cd028e4	2015-10-06 16:28:32 +0200	[diff] [blame]	54	message_queue:
				55	engine: rabbitmq
				56	host: 127.0.0.1
				57	port: 5672
				58	user: openstack
				59	password: pwd
				60	virtual_host: '/openstack'
William Konitzer	81a8998	2019-01-07 12:49:15 -0600	[diff] [blame]	61	rpc_conn_pool_size: 30
				62	rpc_thread_pool_size: 100
				63	rpc_response_timeout: 120
Filip Pytloun	cd028e4	2015-10-06 16:28:32 +0200	[diff] [blame]	64	metadata:
				65	host: 127.0.0.1
				66	port: 8775
Dzmitry Stremkouski	ea47018	2018-10-24 15:33:35 +0200	[diff] [blame]	67	insecure: true
				68	proto: https
Filip Pytloun	cd028e4	2015-10-06 16:28:32 +0200	[diff] [blame]	69	password: pass
Mykyta Karpin	253406d	2017-12-08 17:01:37 +0200	[diff] [blame]	70	workers: 2
Petr Michalec	61f7ab2	2016-11-29 16:29:09 +0100	[diff] [blame]	71	audit:
				72	enabled: false
Filip Pytloun	cd028e4	2015-10-06 16:28:32 +0200	[diff] [blame]	73
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	74	.. note:: The pagination is useful to retrieve a large bunch of resources,
				75	because a single request may fail (timeout). This is enabled with both
				76	parameters allow_pagination and pagination_max_limit as shown above.
Swann Croiset	9407daf	2017-02-02 15:27:56 +0100	[diff] [blame]	77
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	78	Configuration of policy.json file:
Dmitry Ukov	596ddcf	2017-05-04 18:16:16 +0400	[diff] [blame]	79
				80	.. code-block:: yaml
				81
				82	neutron:
				83	server:
				84	....
				85	policy:
				86	create_subnet: 'rule:admin_or_network_owner'
				87	'get_network:queue_id': 'rule:admin_only'
				88	# Add key without value to remove line from policy.json
				89	'create_network:shared':
				90
Elena Ezhova	cd67cfe	2017-06-16 23:35:07 +0400	[diff] [blame]	91	Neutron LBaaSv2 enablement
				92	--------------------------
Ondrej Smola	314eee2	2017-03-08 21:21:16 +0100	[diff] [blame]	93
				94	.. code-block:: yaml
				95
				96	neutron:
				97	server:
				98	lbaas:
				99	enabled: true
				100	providers:
Elena Ezhova	cd67cfe	2017-06-16 23:35:07 +0400	[diff] [blame]	101	octavia:
				102	engine: octavia
				103	driver_path: 'neutron_lbaas.drivers.octavia.driver.OctaviaDriver'
				104	base_url: 'http://127.0.0.1:9876'
Ondrej Smola	314eee2	2017-03-08 21:21:16 +0100	[diff] [blame]	105	avi_adc:
Ondrej Smola	314eee2	2017-03-08 21:21:16 +0100	[diff] [blame]	106	engine: avinetworks
Elena Ezhova	cd67cfe	2017-06-16 23:35:07 +0400	[diff] [blame]	107	driver_path: 'avi_lbaasv2.avi_driver.AviDriver'
Ondrej Smola	314eee2	2017-03-08 21:21:16 +0100	[diff] [blame]	108	controller_address: 10.182.129.239
				109	controller_user: admin
				110	controller_password: Cloudlab2016
				111	controller_cloud_name: Default-Cloud
				112	avi_adc2:
				113	engine: avinetworks
				114	...
				115
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	116	.. note:: If the Contrail backend is set, Opencontrail loadbalancer
				117	would be enabled automatically. In this case lbaas should disabled
				118	in pillar:
Ondrej Smola	314eee2	2017-03-08 21:21:16 +0100	[diff] [blame]	119
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	120	.. code-block:: yaml
Ondrej Smola	314eee2	2017-03-08 21:21:16 +0100	[diff] [blame]	121
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	122	neutron:
				123	server:
				124	lbaas:
				125	enabled: false
Elena Ezhova	166d401	2017-08-17 12:53:52 +0400	[diff] [blame]	126
				127	Neutron FWaaSv1 enablement
				128	--------------------------
				129
				130	.. code-block:: yaml
				131
				132	neutron:
				133	fwaas:
				134	enabled: true
				135	version: ocata
				136	api_version: v1
				137
				138
Ondrej Smola	12ff819	2017-04-28 12:39:11 +0200	[diff] [blame]	139	Enable CORS parameters
Elena Ezhova	166d401	2017-08-17 12:53:52 +0400	[diff] [blame]	140	----------------------
Ondrej Smola	12ff819	2017-04-28 12:39:11 +0200	[diff] [blame]	141
				142	.. code-block:: yaml
				143
				144	neutron:
				145	server:
				146	cors:
				147	allowed_origin: https:localhost.local,http:localhost.local
				148	expose_headers: X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token
				149	allow_methods: GET,PUT,POST,DELETE,PATCH
				150	allow_headers: X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token
				151	allow_credentials: True
				152	max_age: 86400
				153
Aleš Komárek	41e8231	2017-04-11 13:37:44 +0200	[diff] [blame]	154	Neutron VXLAN tenant networks with Network nodes
				155	------------------------------------------------
Swann Croiset	9407daf	2017-02-02 15:27:56 +0100	[diff] [blame]	156
Aleš Komárek	41e8231	2017-04-11 13:37:44 +0200	[diff] [blame]	157	With DVR for East-West and Network node for North-South.
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	158
				159	This use case describes a model utilising VxLAN overlay with DVR. The DVR
Aleš Komárek	41e8231	2017-04-11 13:37:44 +0200	[diff] [blame]	160	routers will only be utilized for traffic that is router within the cloud
Vasyl Saienko	2fffc84	2017-06-14 10:35:26 +0300	[diff] [blame]	161	infrastructure and that remains encapsulated. External traffic will be
				162	routed to via the network nodes.
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	163
Vasyl Saienko	2fffc84	2017-06-14 10:35:26 +0300	[diff] [blame]	164	The intention is that each tenant will require at least two (2) vrouters
				165	one to be utilised
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	166
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	167	Neutron Server:
marco	a4428a3	2016-06-10 11:50:16 +0200	[diff] [blame]	168
				169	.. code-block:: yaml
				170
				171	neutron:
				172	server:
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	173	version: mitaka
Dmitry Stremkouski	3c1be3e	2017-11-18 11:04:20 +0300	[diff] [blame]	174	path_mtu: 1500
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	175	bind:
				176	address: 172.20.0.1
				177	port: 9696
				178	database:
				179	engine: mysql
				180	host: 127.0.0.1
				181	port: 3306
				182	name: neutron
				183	user: neutron
				184	password: pwd
				185	identity:
				186	engine: keystone
				187	host: 127.0.0.1
				188	port: 35357
				189	user: neutron
				190	password: pwd
				191	tenant: service
Dennis Dmitriev	3711472	2017-03-06 16:52:26 +0200	[diff] [blame]	192	endpoint_type: internal
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	193	message_queue:
				194	engine: rabbitmq
				195	host: 127.0.0.1
				196	port: 5672
				197	user: openstack
				198	password: pwd
				199	virtual_host: '/openstack'
				200	global_physnet_mtu: 9000
				201	l3_ha: False # Which type of router will be created by default
				202	dvr: True # disabled for non DVR use case
				203	backend:
				204	engine: ml2
				205	tenant_network_types: "flat,vxlan"
				206	external_mtu: 9000
				207	mechanism:
Elena Ezhova	d6a080c	2017-10-09 15:25:16 +0400	[diff] [blame]	208	ovs:
				209	driver: openvswitch
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	210
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	211	Network Node:
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	212
				213	.. code-block:: yaml
				214
				215	neutron:
				216	gateway:
				217	enabled: True
				218	version: mitaka
William Konitzer	81a8998	2019-01-07 12:49:15 -0600	[diff] [blame]	219	report_interval: 10
Michael Polenchuk	2151b27	2018-06-19 18:32:31 +0400	[diff] [blame]	220	dhcp_lease_duration: 600
Michael Polenchuk	cece76d	2018-06-21 14:56:17 +0400	[diff] [blame]	221	firewall_driver: iptables_hybrid
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	222	message_queue:
				223	engine: rabbitmq
				224	host: 127.0.0.1
				225	port: 5672
				226	user: openstack
				227	password: pwd
				228	virtual_host: '/openstack'
William Konitzer	81a8998	2019-01-07 12:49:15 -0600	[diff] [blame]	229	rpc_conn_pool_size: 300
				230	rpc_thread_pool_size: 2048
				231	rpc_response_timeout: 3600
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	232	local_ip: 192.168.20.20 # br-mesh ip address
				233	dvr: True # disabled for non DVR use case
				234	agent_mode: dvr_snat
				235	metadata:
				236	host: 127.0.0.1
				237	password: pass
				238	backend:
				239	engine: ml2
				240	tenant_network_types: "flat,vxlan"
				241	mechanism:
Elena Ezhova	d6a080c	2017-10-09 15:25:16 +0400	[diff] [blame]	242	ovs:
				243	driver: openvswitch
Vasyl Saienko	4bd2d92	2018-07-27 09:56:38 +0000	[diff] [blame]	244	agents:
				245	dhcp:
				246	ovs_use_veth: False
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	247
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	248	Compute Node:
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	249
				250	.. code-block:: yaml
				251
				252	neutron:
				253	compute:
				254	enabled: True
				255	version: mitaka
				256	message_queue:
				257	engine: rabbitmq
				258	host: 127.0.0.1
				259	port: 5672
				260	user: openstack
				261	password: pwd
				262	virtual_host: '/openstack'
William Konitzer	81a8998	2019-01-07 12:49:15 -0600	[diff] [blame]	263	rpc_conn_pool_size: 300
				264	rpc_thread_pool_size: 2048
				265	rpc_response_timeout: 3600
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	266	local_ip: 192.168.20.20 # br-mesh ip address
				267	dvr: True # disabled for non DVR use case
				268	agent_mode: dvr
William Konitzer	81a8998	2019-01-07 12:49:15 -0600	[diff] [blame]	269	report_interval: 10
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	270	external_access: false # Compute node with DVR for east-west only, Network Node has True as default
				271	metadata:
				272	host: 127.0.0.1
Vasyl Saienko	2fffc84	2017-06-14 10:35:26 +0300	[diff] [blame]	273	password: pass
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	274	backend:
				275	engine: ml2
				276	tenant_network_types: "flat,vxlan"
				277	mechanism:
Elena Ezhova	d6a080c	2017-10-09 15:25:16 +0400	[diff] [blame]	278	ovs:
				279	driver: openvswitch
Petr Michalec	61f7ab2	2016-11-29 16:29:09 +0100	[diff] [blame]	280	audit:
				281	enabled: false
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	282
Aleš Komárek	41e8231	2017-04-11 13:37:44 +0200	[diff] [blame]	283
Dzmitry Stremkouski	d5e89e5	2018-09-25 10:01:54 +0200	[diff] [blame]	284	Setting mac base address
				285	------------------------
				286
				287	By default neutron uses fa:16:3f:00:00:00 basement for mac generator.
				288	One can set it's own mac base both for dvr and nondvr cases.
				289
				290	NOTE: dvr_base_mac and base_mac SHOULD differ.
				291
				292	.. code-block:: yaml
				293
				294	neutron:
				295	server:
				296	base_mac: fa:16:3f:00:00:00
				297	dvr_base_mac: fa:16:3f:a0:00:00
				298
				299	gateways:
				300
				301	.. code-block:: yaml
				302
				303	neutron:
				304	gateway:
				305	base_mac: fa:16:3f:00:00:00
				306	dvr_base_mac: fa:16:3f:a0:00:00
				307
				308	compute nodes:
				309
				310	.. code-block:: yaml
				311
				312	neutron:
				313	compute:
				314	base_mac: fa:16:3f:00:00:00
				315	dvr_base_mac: fa:16:3f:a0:00:00
				316
				317
Dmitry Stremkouski	a3a4ab4	2017-10-23 17:37:12 +0300	[diff] [blame]	318	Disable physnet1 bridge
				319	-----------------------
				320
				321	By default we have external access turned on, so among any physnets in
				322	your reclass there would be additional one: physnet1, which is mapped to
				323	br-floating
				324
				325	If you need internal nets only without this bridge, remove br-floating
				326	and configurations mappings. Disable mappings for this bridge on
				327	neutron-servers:
				328
				329	.. code-block:: yaml
				330
				331	neutron:
				332	server:
				333	external_access: false
				334
				335	gateways:
				336
				337	.. code-block:: yaml
				338
				339	neutron:
				340	gateway:
				341	external_access: false
				342
				343	compute nodes:
				344
				345	.. code-block:: yaml
				346
				347	neutron:
				348	compute:
				349	external_access: false
				350
				351
Marcin Iwinski	c50137a	2018-01-22 14:18:24 +0100	[diff] [blame]	352	Add additional bridge mappings for OVS bridges
				353	----------------------------------------------
				354
				355	By default we have external access turned on, so among any physnets in
				356	your reclass there would be additional one: physnet1, which is mapped to
				357	br-floating
				358
				359	If you need to add extra non-default bridge mappings they can be defined
				360	separately for both gateways and compute nodes:
				361
				362	gateways:
				363
				364	.. code-block:: yaml
				365
				366	neutron:
				367	gateway:
				368	bridge_mappings:
				369	physnet4: br-floating-internet
				370
				371	compute nodes:
				372
				373	.. code-block:: yaml
				374
				375	neutron:
				376	compute:
				377	bridge_mappings:
				378	physnet4: br-floating-internet
				379
				380
Dmitry Stremkouski	4b41022	2017-11-18 11:29:55 +0300	[diff] [blame]	381	Specify different mtu values for different physnets
				382	---------------------------------------------------
				383
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	384	Neutron Server:
Dmitry Stremkouski	4b41022	2017-11-18 11:29:55 +0300	[diff] [blame]	385
				386	.. code-block:: yaml
				387
				388	neutron:
				389	server:
				390	version: mitaka
				391	backend:
				392	external_mtu: 1500
				393	tenant_net_mtu: 9000
				394	ironic_net_mtu: 9000
				395
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	396	Neutron VXLAN tenant networks with Network Nodes (non DVR)
Aleš Komárek	41e8231	2017-04-11 13:37:44 +0200	[diff] [blame]	397	----------------------------------------------------------
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	398
				399	This section describes a network solution that utilises VxLAN overlay
				400	networks without DVR with all routers being managed on the network nodes.
				401
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	402	Neutron Server:
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	403
				404	.. code-block:: yaml
				405
				406	neutron:
				407	server:
				408	version: mitaka
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	409	bind:
				410	address: 172.20.0.1
				411	port: 9696
				412	database:
				413	engine: mysql
				414	host: 127.0.0.1
				415	port: 3306
				416	name: neutron
				417	user: neutron
				418	password: pwd
				419	identity:
				420	engine: keystone
				421	host: 127.0.0.1
				422	port: 35357
				423	user: neutron
				424	password: pwd
				425	tenant: service
Dennis Dmitriev	3711472	2017-03-06 16:52:26 +0200	[diff] [blame]	426	endpoint_type: internal
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	427	message_queue:
				428	engine: rabbitmq
				429	host: 127.0.0.1
				430	port: 5672
				431	user: openstack
				432	password: pwd
				433	virtual_host: '/openstack'
				434	global_physnet_mtu: 9000
				435	l3_ha: True
				436	dvr: False
				437	backend:
				438	engine: ml2
				439	tenant_network_types= "flat,vxlan"
				440	external_mtu: 9000
				441	mechanism:
Elena Ezhova	d6a080c	2017-10-09 15:25:16 +0400	[diff] [blame]	442	ovs:
				443	driver: openvswitch
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	444
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	445	Network Node:
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	446
				447	.. code-block:: yaml
				448
				449	neutron:
				450	gateway:
				451	enabled: True
				452	version: mitaka
				453	message_queue:
				454	engine: rabbitmq
				455	host: 127.0.0.1
				456	port: 5672
				457	user: openstack
				458	password: pwd
				459	virtual_host: '/openstack'
				460	local_ip: 192.168.20.20 # br-mesh ip address
				461	dvr: False
				462	agent_mode: legacy
Simon Pasquier	c03af11	2017-04-10 10:35:14 +0200	[diff] [blame]	463	availability_zone: az1
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	464	metadata:
				465	host: 127.0.0.1
				466	password: pass
				467	backend:
				468	engine: ml2
				469	tenant_network_types: "flat,vxlan"
				470	mechanism:
Elena Ezhova	d6a080c	2017-10-09 15:25:16 +0400	[diff] [blame]	471	ovs:
				472	driver: openvswitch
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	473
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	474	Compute Node:
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	475
				476	.. code-block:: yaml
				477
				478	neutron:
				479	compute:
				480	enabled: True
				481	version: mitaka
				482	message_queue:
				483	engine: rabbitmq
				484	host: 127.0.0.1
				485	port: 5672
				486	user: openstack
				487	password: pwd
				488	virtual_host: '/openstack'
				489	local_ip: 192.168.20.20 # br-mesh ip address
				490	external_access: False
Vasyl Saienko	2fffc84	2017-06-14 10:35:26 +0300	[diff] [blame]	491	dvr: False
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	492	backend:
				493	engine: ml2
				494	tenant_network_types: "flat,vxlan"
				495	mechanism:
Elena Ezhova	d6a080c	2017-10-09 15:25:16 +0400	[diff] [blame]	496	ovs:
				497	driver: openvswitch
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	498
Aleš Komárek	41e8231	2017-04-11 13:37:44 +0200	[diff] [blame]	499	Neutron VXLAN tenant networks with Network Nodes with DVR
				500	---------------------------------------------------------
				501
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	502	With DVR for East-West and North-South, DVR everywhere, Network
				503	node for SNAT.
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	504
Vasyl Saienko	2fffc84	2017-06-14 10:35:26 +0300	[diff] [blame]	505	This section describes a network solution that utilises VxLAN
				506	overlay networks with DVR with North-South and East-West. Network
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	507	Node is used only for SNAT.
				508
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	509	Neutron Server:
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	510
				511	.. code-block:: yaml
				512
				513	neutron:
				514	server:
				515	version: mitaka
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	516	bind:
				517	address: 172.20.0.1
				518	port: 9696
				519	database:
				520	engine: mysql
				521	host: 127.0.0.1
				522	port: 3306
				523	name: neutron
				524	user: neutron
				525	password: pwd
				526	identity:
				527	engine: keystone
				528	host: 127.0.0.1
				529	port: 35357
				530	user: neutron
				531	password: pwd
				532	tenant: service
Dennis Dmitriev	3711472	2017-03-06 16:52:26 +0200	[diff] [blame]	533	endpoint_type: internal
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	534	message_queue:
				535	engine: rabbitmq
				536	host: 127.0.0.1
				537	port: 5672
				538	user: openstack
				539	password: pwd
				540	virtual_host: '/openstack'
				541	global_physnet_mtu: 9000
				542	l3_ha: False
				543	dvr: True
				544	backend:
				545	engine: ml2
				546	tenant_network_types= "flat,vxlan"
				547	external_mtu: 9000
				548	mechanism:
Elena Ezhova	d6a080c	2017-10-09 15:25:16 +0400	[diff] [blame]	549	ovs:
				550	driver: openvswitch
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	551
Vasyl Saienko	0b2451b	2018-12-16 19:38:38 +0000	[diff] [blame]	552	Configuring networking-generic-switch ml2 plugin used for
				553	baremetal integration:
				554
				555	.. code-block:: yaml
				556
				557	neutron:
				558	server:
				559	backend:
				560	mechanism:
				561	ngs:
				562	driver: genericswitch
				563	n_g_s:
				564	enabled: true
				565	coordination:
				566	enabled: true
				567	backend_url: "etcd3+http://1.2.3.4:2379"
				568	devices:
				569	s1brbm:
				570	options:
				571	device_type:
				572	value: netmiko_ovs_linux
				573	ip:
				574	value: 1.2.3.4
				575	username:
				576	value: ngs_ovs_manager
				577	password:
				578	value: password
				579
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	580	Network Node:
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	581
				582	.. code-block:: yaml
				583
				584	neutron:
				585	gateway:
				586	enabled: True
				587	version: mitaka
				588	message_queue:
				589	engine: rabbitmq
				590	host: 127.0.0.1
				591	port: 5672
				592	user: openstack
				593	password: pwd
				594	virtual_host: '/openstack'
				595	local_ip: 192.168.20.20 # br-mesh ip address
				596	dvr: True
				597	agent_mode: dvr_snat
Simon Pasquier	c03af11	2017-04-10 10:35:14 +0200	[diff] [blame]	598	availability_zone: az1
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	599	metadata:
				600	host: 127.0.0.1
				601	password: pass
				602	backend:
				603	engine: ml2
				604	tenant_network_types: "flat,vxlan"
				605	mechanism:
Elena Ezhova	d6a080c	2017-10-09 15:25:16 +0400	[diff] [blame]	606	ovs:
				607	driver: openvswitch
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	608
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	609	Compute Node:
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	610
				611	.. code-block:: yaml
				612
				613	neutron:
				614	compute:
				615	enabled: True
				616	version: mitaka
				617	message_queue:
				618	engine: rabbitmq
				619	host: 127.0.0.1
				620	port: 5672
				621	user: openstack
				622	password: pwd
				623	virtual_host: '/openstack'
				624	local_ip: 192.168.20.20 # br-mesh ip address
				625	dvr: True
Vasyl Saienko	2fffc84	2017-06-14 10:35:26 +0300	[diff] [blame]	626	external_access: True
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	627	agent_mode: dvr
Simon Pasquier	c03af11	2017-04-10 10:35:14 +0200	[diff] [blame]	628	availability_zone: az1
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	629	metadata:
				630	host: 127.0.0.1
				631	password: pass
				632	backend:
				633	engine: ml2
				634	tenant_network_types: "flat,vxlan"
				635	mechanism:
Elena Ezhova	d6a080c	2017-10-09 15:25:16 +0400	[diff] [blame]	636	ovs:
				637	driver: openvswitch
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	638
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	639	Sample Linux network configuration for DVR:
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	640
				641	.. code-block:: yaml
				642
				643	linux:
				644	network:
				645	bridge: openvswitch
				646	interface:
				647	eth1:
				648	enabled: true
				649	type: eth
				650	mtu: 9000
				651	proto: manual
				652	eth2:
				653	enabled: true
				654	type: eth
				655	mtu: 9000
				656	proto: manual
				657	eth3:
				658	enabled: true
				659	type: eth
				660	mtu: 9000
				661	proto: manual
				662	br-int:
				663	enabled: true
				664	mtu: 9000
				665	type: ovs_bridge
				666	br-floating:
				667	enabled: true
				668	mtu: 9000
				669	type: ovs_bridge
				670	float-to-ex:
				671	enabled: true
				672	type: ovs_port
				673	mtu: 65000
				674	bridge: br-floating
				675	br-mgmt:
				676	enabled: true
				677	type: bridge
				678	mtu: 9000
				679	address: ${_param:single_address}
				680	netmask: 255.255.255.0
				681	use_interfaces:
				682	- eth1
				683	br-mesh:
				684	enabled: true
				685	type: bridge
				686	mtu: 9000
				687	address: ${_param:tenant_address}
				688	netmask: 255.255.255.0
				689	use_interfaces:
				690	- eth2
				691	br-ex:
				692	enabled: true
				693	type: bridge
				694	mtu: 9000
				695	address: ${_param:external_address}
				696	netmask: 255.255.255.0
				697	use_interfaces:
				698	- eth3
				699	use_ovs_ports:
				700	- float-to-ex
				701
Thom Gerdes	3282d07	2017-05-30 22:06:04 +0000	[diff] [blame]	702	Additonal VXLAN tenant network settings
				703	---------------------------------------
				704
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	705	The default multicast group of ``224.0.0.1`` only multicasts
				706	to a single subnet. Allow overriding it to allow larger underlay
				707	network topologies.
Thom Gerdes	3282d07	2017-05-30 22:06:04 +0000	[diff] [blame]	708
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	709	Neutron Server:
Thom Gerdes	3282d07	2017-05-30 22:06:04 +0000	[diff] [blame]	710
				711	.. code-block:: yaml
				712
				713	neutron:
				714	server:
				715	vxlan:
				716	group: 239.0.0.0/8
				717	vni_ranges: "2:65535"
				718
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	719	Neutron VLAN tenant networks with Network Nodes
Aleš Komárek	41e8231	2017-04-11 13:37:44 +0200	[diff] [blame]	720	-----------------------------------------------
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	721
				722	VLAN tenant provider
				723
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	724	Neutron Server only:
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	725
				726	.. code-block:: yaml
				727
				728	neutron:
				729	server:
				730	version: mitaka
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	731	...
				732	global_physnet_mtu: 9000
				733	l3_ha: False
				734	dvr: True
				735	backend:
				736	engine: ml2
				737	tenant_network_types: "flat,vlan" # Can be mixed flat,vlan,vxlan
				738	tenant_vlan_range: "1000:2000"
				739	external_vlan_range: "100:200" # Does not have to be defined.
				740	external_mtu: 9000
				741	mechanism:
Elena Ezhova	d6a080c	2017-10-09 15:25:16 +0400	[diff] [blame]	742	ovs:
				743	driver: openvswitch
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	744
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	745	Compute node:
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	746
				747	.. code-block:: yaml
				748
				749	neutron:
				750	compute:
				751	version: mitaka
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	752	...
				753	dvr: True
				754	agent_mode: dvr
				755	external_access: False
				756	backend:
				757	engine: ml2
				758	tenant_network_types: "flat,vlan" # Can be mixed flat,vlan,vxlan
				759	mechanism:
Elena Ezhova	d6a080c	2017-10-09 15:25:16 +0400	[diff] [blame]	760	ovs:
				761	driver: openvswitch
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	762
Oleg Bondarev	ddb9af1	2018-07-02 19:07:57 +0400	[diff] [blame]	763	Neutron with explicit physical networks
				764	---------------------------------------
Oleg Bondarev	ada324f	2018-06-04 14:55:38 +0400	[diff] [blame]	765
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	766	Neutron Server only:
Oleg Bondarev	ada324f	2018-06-04 14:55:38 +0400	[diff] [blame]	767
				768	.. code-block:: yaml
				769
				770	neutron:
				771	server:
				772	version: ocata
				773	...
				774	backend:
				775	engine: ml2
				776	tenant_network_types: "flat,vlan" # Can be mixed flat,vlan,vxlan
				777	...
Oleg Bondarev	ddb9af1	2018-07-02 19:07:57 +0400	[diff] [blame]	778	# also need to configure corresponding bridge_mappings on
Oleg Bondarev	ada324f	2018-06-04 14:55:38 +0400	[diff] [blame]	779	# compute and gateway nodes
Oleg Bondarev	47d9e2d	2018-07-03 13:22:26 +0400	[diff] [blame]	780	flat_networks_default: '' # '' to allow arbitrary names or '' to disable
Oleg Bondarev	ddb9af1	2018-07-02 19:07:57 +0400	[diff] [blame]	781	physnets: # only listed physnets will be configured (overrides physnet1/2/3)
				782	external:
				783	mtu: 1500
Oleg Bondarev	47d9e2d	2018-07-03 13:22:26 +0400	[diff] [blame]	784	types:
				785	- flat # possible values - 'flat' or 'vlan'
Oleg Bondarev	ada324f	2018-06-04 14:55:38 +0400	[diff] [blame]	786	sriov_net:
				787	mtu: 9000 # Optional, defaults to 1500
Oleg Bondarev	ab32411	2018-11-19 17:56:57 +0400	[diff] [blame]	788	vlan_range: '100:200,300:400' # Optional
Oleg Bondarev	47d9e2d	2018-07-03 13:22:26 +0400	[diff] [blame]	789	types:
				790	- vlan
Oleg Bondarev	ada324f	2018-06-04 14:55:38 +0400	[diff] [blame]	791	ext_net2:
				792	mtu: 1500
Oleg Bondarev	47d9e2d	2018-07-03 13:22:26 +0400	[diff] [blame]	793	types:
				794	- flat
				795	- vlan
Oleg Bondarev	ada324f	2018-06-04 14:55:38 +0400	[diff] [blame]	796	mechanism:
				797	ovs:
				798	driver: openvswitch
				799
Aleš Komárek	41e8231	2017-04-11 13:37:44 +0200	[diff] [blame]	800	Advanced Neutron Features (DPDK, SR-IOV)
Oleg Bondarev	0575ae4	2017-07-28 16:36:25 +0400	[diff] [blame]	801	----------------------------------------
Aleš Komárek	41e8231	2017-04-11 13:37:44 +0200	[diff] [blame]	802
Jakub Pavlik	8f83ccc	2017-02-27 11:15:39 +0100	[diff] [blame]	803	Neutron OVS DPDK
Jakub Pavlik	8f83ccc	2017-02-27 11:15:39 +0100	[diff] [blame]	804
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	805	Enable datapath netdev for neutron openvswitch agent:
Jakub Pavlik	8f83ccc	2017-02-27 11:15:39 +0100	[diff] [blame]	806
				807	.. code-block:: yaml
				808
				809	neutron:
				810	server:
				811	version: mitaka
				812	...
				813	dpdk: True
				814	...
				815
				816	neutron:
				817	compute:
				818	version: mitaka
Jakub Pavlik	8f83ccc	2017-02-27 11:15:39 +0100	[diff] [blame]	819	dpdk: True
Michael Polenchuk	5291165	2018-04-12 22:09:49 +0400	[diff] [blame]	820	vhost_mode: client # options: client\|server (default)
Oleg Bondarev	ee7e830	2017-10-16 17:20:38 +0400	[diff] [blame]	821	vhost_socket_dir: /var/run/openvswitch
Jakub Pavlik	8f83ccc	2017-02-27 11:15:39 +0100	[diff] [blame]	822	backend:
				823	engine: ml2
				824	...
				825	mechanism:
Elena Ezhova	d6a080c	2017-10-09 15:25:16 +0400	[diff] [blame]	826	ovs:
				827	driver: openvswitch
Jakub Pavlik	8f83ccc	2017-02-27 11:15:39 +0100	[diff] [blame]	828
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	829	Neutron OVS SR-IOV:
Jakub Pavlik	70555cb	2017-02-26 18:48:02 +0100	[diff] [blame]	830
				831	.. code-block:: yaml
				832
				833	neutron:
				834	server:
				835	version: mitaka
Jakub Pavlik	70555cb	2017-02-26 18:48:02 +0100	[diff] [blame]	836	backend:
				837	engine: ml2
				838	...
				839	mechanism:
Elena Ezhova	d6a080c	2017-10-09 15:25:16 +0400	[diff] [blame]	840	ovs:
				841	driver: openvswitch
				842	sriov:
				843	driver: sriovnicswitch
Michael Polenchuk	0bf59a7	2018-06-19 18:06:56 +0400	[diff] [blame]	844	# Driver w/ highest number will be placed ahead in the list (default is 0).
				845	# It's recommended for SR-IOV driver to set an order >0 to get it
				846	# before (for example) the opendaylight one.
				847	order: 9
Jakub Pavlik	70555cb	2017-02-26 18:48:02 +0100	[diff] [blame]	848
				849	neutron:
				850	compute:
				851	version: mitaka
Jakub Pavlik	70555cb	2017-02-26 18:48:02 +0100	[diff] [blame]	852	...
				853	backend:
				854	engine: ml2
				855	tenant_network_types: "flat,vlan" # Can be mixed flat,vlan,vxlan
				856	sriov:
				857	nic_one:
				858	devname: eth1
				859	physical_network: physnet3
				860	mechanism:
Elena Ezhova	d6a080c	2017-10-09 15:25:16 +0400	[diff] [blame]	861	ovs:
				862	driver: openvswitch
Jakub Pavlik	70555cb	2017-02-26 18:48:02 +0100	[diff] [blame]	863
cdodda	c35c9eb	2018-11-07 23:18:10 -0600	[diff] [blame]	864	Neutron with LinuxBridge Agents
				865	-------------------------------
				866
				867	.. code-block:: yaml
				868
				869	neutron:
				870	server:
				871	firewall_driver: iptables
				872	backend:
				873	mechanism:
				874	lb:
				875	driver: linuxbridge
				876	....
				877	compute:
				878	backend:
				879	mechanism:
				880	lb:
				881	driver: linuxbridge
				882	....
				883	gateway:
				884	backend:
				885	mechanism:
				886	lb:
				887	driver: linuxbridge
				888	agents:
				889	dhcp:
				890	interface_driver: linuxbridge
				891	l3:
				892	interface_driver: linuxbridge
				893
				894
Ilya Chukhnakov	f4c2bb3	2017-06-08 02:03:15 +0300	[diff] [blame]	895	Neutron with VLAN-aware-VMs
Oleg Bondarev	0575ae4	2017-07-28 16:36:25 +0400	[diff] [blame]	896	---------------------------
Ilya Chukhnakov	f4c2bb3	2017-06-08 02:03:15 +0300	[diff] [blame]	897
				898	.. code-block:: yaml
				899
				900	neutron:
				901	server:
				902	vlan_aware_vms: true
				903	....
				904	compute:
				905	vlan_aware_vms: true
				906	....
				907	gateway:
				908	vlan_aware_vms: true
				909
Oleg Bondarev	acb2e53	2018-03-06 10:43:59 +0400	[diff] [blame]	910	Neutron with BGP VPN (BaGPipe driver)
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	911	-------------------------------------
Oleg Bondarev	b63d27f	2018-02-14 19:21:06 +0400	[diff] [blame]	912
				913	.. code-block:: yaml
				914
				915	neutron:
				916	server:
				917	version: pike
				918	bgp_vpn:
Oleg Bondarev	acb2e53	2018-03-06 10:43:59 +0400	[diff] [blame]	919	enabled: true
Michael Polenchuk	0b3c5dd	2018-06-27 12:04:32 +0400	[diff] [blame]	920	driver: bagpipe # Options: bagpipe/opencontrail/opendaylight[_v2]
Oleg Bondarev	b63d27f	2018-02-14 19:21:06 +0400	[diff] [blame]	921	....
				922	compute:
				923	version: pike
				924	bgp_vpn:
Oleg Bondarev	acb2e53	2018-03-06 10:43:59 +0400	[diff] [blame]	925	enabled: true
Michael Polenchuk	0b3c5dd	2018-06-27 12:04:32 +0400	[diff] [blame]	926	driver: bagpipe # Options: bagpipe/opencontrail/opendaylight[_v2]
Oleg Bondarev	acb2e53	2018-03-06 10:43:59 +0400	[diff] [blame]	927	bagpipe:
				928	local_address: 192.168.20.20 # IP address for mpls/gre tunnels
				929	peers: 192.168.20.30 # IP addresses of BGP peers
				930	autonomous_system: 64512 # Autonomous System number
				931	enable_rtc: True # Enable RT Constraint (RFC4684)
Oleg Bondarev	b63d27f	2018-02-14 19:21:06 +0400	[diff] [blame]	932	backend:
Oleg Bondarev	878ac46	2018-04-23 17:48:15 +0400	[diff] [blame]	933	ovs_extension: # for OVS agent only, not supported in SRIOV agent
Oleg Bondarev	b63d27f	2018-02-14 19:21:06 +0400	[diff] [blame]	934	bagpipe_bgpvpn:
				935	enabled: True
				936
Oleksii Chupryn	16cb4e0	2018-02-26 14:20:39 +0200	[diff] [blame]	937	Neutron with DHCP agent on compute node
				938	---------------------------------------
				939
				940	.. code-block:: yaml
				941
				942	neutron:
				943	....
				944	compute:
				945	dhcp_agent_enabled: true
				946	....
				947
Dzmitry Stremkouski	48df2a7	2018-10-12 16:38:11 +0200	[diff] [blame]	948	Neutron with metadata agent on compute node
				949	-------------------------------------------
				950
				951	.. code-block:: yaml
				952
				953	neutron:
				954	....
				955	compute:
				956	metadata_agent_enabled: true
				957	....
				958
Oleg Bondarev	0575ae4	2017-07-28 16:36:25 +0400	[diff] [blame]	959	Neutron with OVN
				960	----------------
				961
				962	Control node:
				963
				964	.. code-block:: yaml
				965
				966	neutron:
				967	server:
				968	backend:
				969	engine: ovn
				970	mechanism:
				971	ovn:
				972	driver: ovn
				973	tenant_network_types: "geneve,flat"
Michael Polenchuk	f59229b	2018-06-19 16:24:49 +0400	[diff] [blame]	974	ovn:
				975	ovn_l3_scheduler: leastloaded # valid options: chance, leastloaded
				976	neutron_sync_mode: repair # valid options: log, off, repair
Michael Polenchuk	58161ef	2018-05-15 18:04:09 +0400	[diff] [blame]	977	metadata_enabled: True
Michael Polenchuk	a3d492b	2017-12-27 15:49:43 +0400	[diff] [blame]	978	ovn_ctl_opts:
				979	db-nb-create-insecure-remote: 'yes'
				980	db-sb-create-insecure-remote: 'yes'
Oleg Bondarev	0575ae4	2017-07-28 16:36:25 +0400	[diff] [blame]	981
				982	Compute node:
				983
				984	.. code-block:: yaml
				985
				986	neutron:
				987	compute:
				988	local_ip: 10.2.0.105
				989	controller_vip: 10.1.0.101
				990	external_access: false
				991	backend:
				992	engine: ovn
Michael Polenchuk	58161ef	2018-05-15 18:04:09 +0400	[diff] [blame]	993	ovsdb_connection: tcp:127.0.0.1:6640
Michael Polenchuk	be3cb9a	2019-02-08 17:56:49 +0400	[diff] [blame]	994	mac_table_size: 16384
Michael Polenchuk	58161ef	2018-05-15 18:04:09 +0400	[diff] [blame]	995	metadata:
				996	enabled: true
				997	ovsdb_server_iface: ptcp:6640:127.0.0.1
				998	host: 10.1.0.101
				999	password: unsegreto
				1000
Oleg Bondarev	0575ae4	2017-07-28 16:36:25 +0400	[diff] [blame]	1001
Michael Polenchuk	cccd1a5	2018-02-02 17:41:16 +0400	[diff] [blame]	1002	Neutron L2 Gateway
				1003	----------------
				1004
				1005	Control node:
				1006
				1007	.. code-block:: yaml
				1008
				1009	neutron:
				1010	server:
				1011	version: pike
				1012	l2gw:
				1013	enabled: true
				1014	periodic_monitoring_interval: 5
				1015	quota_l2_gateway: 20
				1016	# service_provider=<service_type>:<name>:<driver>[:default]
				1017	service_provider: L2GW:OpenDaylight:networking_odl.l2gateway.driver.OpenDaylightL2gwDriver:default
				1018	backend:
				1019	engine: ml2
				1020
				1021	Network/Gateway node:
				1022
				1023	.. code-block:: yaml
				1024
				1025	neutron:
				1026	gateway:
				1027	version: pike
				1028	l2gw:
				1029	enabled: true
				1030	debug: true
				1031	socket_timeout: 20
				1032	ovsdb_hosts:
				1033	# <ovsdb_name>: <ip address>:<port>
				1034	# - ovsdb_name: a user defined symbolic identifier of physical switch
				1035	# - ip address: the address or dns name for the OVSDB server (i.e. pointer to the switch)
				1036	ovsdb1: 10.164.5.33:6632
				1037	ovsdb2: 10.164.4.33:6632
				1038
				1039
Michael Polenchuk	87d2b74	2017-06-29 12:05:25 +0400	[diff] [blame]	1040	OpenDaylight integration
				1041	------------------------
				1042
				1043	Control node:
				1044
				1045	.. code-block:: yaml
				1046
				1047	neutron:
				1048	server:
				1049	backend:
				1050	opendaylight: true
				1051	router: odl-router_v2
				1052	host: 10.20.0.77
				1053	rest_api_port: 8282
				1054	user: admin
				1055	password: admin
				1056	ovsdb_connection: tcp:127.0.0.1:6639
Oleksii Chupryn	fed7957	2018-07-20 14:11:35 +0300	[diff] [blame]	1057	ovsdb_interface: native
Michael Polenchuk	87d2b74	2017-06-29 12:05:25 +0400	[diff] [blame]	1058	enable_websocket: true
				1059	enable_dhcp_service: false
				1060	mechanism:
				1061	ovs:
				1062	driver: opendaylight_v2
Michael Polenchuk	0bf59a7	2018-06-19 18:06:56 +0400	[diff] [blame]	1063	order: 1
Michael Polenchuk	87d2b74	2017-06-29 12:05:25 +0400	[diff] [blame]	1064
				1065	Network/Gateway node:
				1066
				1067	.. code-block:: yaml
				1068
				1069	neutron:
				1070	gateway:
				1071	backend:
				1072	router: odl-router_v2
				1073	ovsdb_connection: tcp:127.0.0.1:6639
Oleksii Chupryn	fed7957	2018-07-20 14:11:35 +0300	[diff] [blame]	1074	ovsdb_interface: native
Michael Polenchuk	87d2b74	2017-06-29 12:05:25 +0400	[diff] [blame]	1075	opendaylight:
				1076	ovsdb_server_iface: ptcp:6639:127.0.0.1
				1077	ovsdb_odl_iface: tcp:10.20.0.77:6640
				1078	tunnel_ip: 10.1.0.110
				1079	provider_mappings: physnet1:br-floating
				1080
				1081	Compute node:
				1082
				1083	.. code-block:: yaml
				1084
				1085	neutron:
				1086	compute:
				1087	opendaylight:
				1088	ovsdb_server_iface: ptcp:6639:127.0.0.1
				1089	ovsdb_odl_iface: tcp:10.20.0.77:6640
				1090	tunnel_ip: 10.1.0.105
				1091	provider_mappings: physnet1:br-floating
				1092
				1093
Michael Polenchuk	9cccecc	2018-09-14 14:54:18 +0400	[diff] [blame]	1094	Service Function Chaining Extension (SFC)
				1095	----------------
				1096
				1097	.. code-block:: yaml
				1098
				1099	neutron:
				1100	server:
				1101	sfc:
				1102	enabled: true
				1103	sfc_drivers:
				1104	- ovs # valid options: ovs, odl, ovn (not implemented yet)
				1105	flow_classifier_drivers:
				1106	- ovs # valid options: see above
				1107	....
				1108	compute:
				1109	backend:
				1110	ovs_extension:
				1111	sfc:
				1112	enabled: True
				1113
				1114
Aleš Komárek	41e8231	2017-04-11 13:37:44 +0200	[diff] [blame]	1115	Neutron Server
				1116	--------------
				1117
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1118	Neutron Server with OpenContrail:
Jiri Broulik	74f6111	2016-11-21 20:23:47 +0100	[diff] [blame]	1119
				1120	.. code-block:: yaml
				1121
				1122	neutron:
				1123	server:
marco	a4428a3	2016-06-10 11:50:16 +0200	[diff] [blame]	1124	backend:
				1125	engine: contrail
				1126	host: contrail_discovery_host
				1127	port: 8082
				1128	user: admin
				1129	password: password
				1130	tenant: admin
				1131	token: token
				1132
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1133	Neutron Server with Midonet:
marco	a4428a3	2016-06-10 11:50:16 +0200	[diff] [blame]	1134
				1135	.. code-block:: yaml
				1136
				1137	neutron:
				1138	server:
				1139	backend:
				1140	engine: midonet
				1141	host: midonet_api_host
				1142	port: 8181
				1143	user: admin
				1144	password: password
				1145
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1146	Neutron Server with NSX:
Vasyl Saienko	4549efe	2018-07-26 16:06:04 +0000	[diff] [blame]	1147
				1148	.. code-block:: yaml
				1149
				1150	neutron:
				1151	server:
				1152	backend:
				1153	engine: vmware
				1154	core_plugin: vmware_nsxv3
				1155	vmware:
				1156	nsx:
				1157	extension_drivers:
				1158	- vmware_nsxv3_dns
				1159	v3:
				1160	api_password: nsx_password
				1161	api_user: nsx_username
				1162	api_managers:
				1163	01:
				1164	scheme: https
				1165	host: 192.168.10.120
				1166	port: '443'
				1167	insecure: true
				1168
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1169	Neutron Keystone region:
Jakub Pavlik	6dd5c0a	2016-03-09 14:18:15 +0100	[diff] [blame]	1170
				1171	.. code-block:: yaml
				1172
				1173	neutron:
				1174	server:
				1175	enabled: true
				1176	version: kilo
				1177	...
				1178	identity:
				1179	region: RegionTwo
				1180	...
				1181	compute:
				1182	region: RegionTwo
				1183	...
				1184
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1185	Client-side RabbitMQ HA setup:
Jiri Konecny	93b1999	2016-04-12 11:15:39 +0200	[diff] [blame]	1186
				1187	.. code-block:: yaml
				1188
				1189	neutron:
				1190	server:
				1191	....
				1192	message_queue:
				1193	engine: rabbitmq
				1194	members:
				1195	- host: 10.0.16.1
				1196	- host: 10.0.16.2
				1197	- host: 10.0.16.3
				1198	user: openstack
				1199	password: pwd
				1200	virtual_host: '/openstack'
				1201	....
				1202
Kirill Bespalov	dd748b6	2017-11-21 10:42:57 +0300	[diff] [blame]	1203	Configuring TLS communications
				1204	------------------------------
Kirill Bespalov	8fffe02	2017-08-03 17:55:02 +0300	[diff] [blame]	1205
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1206	.. note:: By default, system-wide installed CA certs are used,
				1207	so ``cacert_file`` param is optional, as well as ``cacert``.
Kirill Bespalov	dd748b6	2017-11-21 10:42:57 +0300	[diff] [blame]	1208
				1209	- RabbitMQ TLS
Kirill Bespalov	8fffe02	2017-08-03 17:55:02 +0300	[diff] [blame]	1210
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1211	.. code-block:: yaml
Kirill Bespalov	8fffe02	2017-08-03 17:55:02 +0300	[diff] [blame]	1212
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1213	neutron:
				1214	server, gateway, compute:
				1215	message_queue:
				1216	port: 5671
				1217	ssl:
				1218	enabled: True
				1219	(optional) cacert: cert body if the cacert_file does not exists
				1220	(optional) cacert_file: /etc/openstack/rabbitmq-ca.pem
				1221	(optional) version: TLSv1_2
Kirill Bespalov	8fffe02	2017-08-03 17:55:02 +0300	[diff] [blame]	1222
Kirill Bespalov	dd748b6	2017-11-21 10:42:57 +0300	[diff] [blame]	1223	- MySQL TLS
Kirill Bespalov	8fffe02	2017-08-03 17:55:02 +0300	[diff] [blame]	1224
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1225	.. code-block:: yaml
Kirill Bespalov	8fffe02	2017-08-03 17:55:02 +0300	[diff] [blame]	1226
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1227	neutron:
				1228	server:
				1229	database:
				1230	ssl:
				1231	enabled: True
				1232	(optional) cacert: cert body if the cacert_file does not exists
				1233	(optional) cacert_file: /etc/openstack/mysql-ca.pem
Kirill Bespalov	8fffe02	2017-08-03 17:55:02 +0300	[diff] [blame]	1234
Kirill Bespalov	dd748b6	2017-11-21 10:42:57 +0300	[diff] [blame]	1235	- Openstack HTTPS API
				1236
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1237	.. code-block:: yaml
Kirill Bespalov	8fffe02	2017-08-03 17:55:02 +0300	[diff] [blame]	1238
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1239	neutron:
				1240	server:
				1241	identity:
				1242	protocol: https
				1243	(optional) cacert_file: /etc/openstack/proxy.pem
Kirill Bespalov	8fffe02	2017-08-03 17:55:02 +0300	[diff] [blame]	1244
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1245	Enable auditing filter, ie: CADF:
Petr Michalec	61f7ab2	2016-11-29 16:29:09 +0100	[diff] [blame]	1246
				1247	.. code-block:: yaml
				1248
				1249	neutron:
				1250	server:
				1251	audit:
				1252	enabled: true
				1253	....
				1254	filter_factory: 'keystonemiddleware.audit:filter_factory'
				1255	map_file: '/etc/pycadf/neutron_api_audit_map.conf'
				1256	....
				1257	compute:
				1258	audit:
				1259	enabled: true
				1260	....
				1261	filter_factory: 'keystonemiddleware.audit:filter_factory'
				1262	map_file: '/etc/pycadf/neutron_api_audit_map.conf'
				1263	....
Jiri Konecny	93b1999	2016-04-12 11:15:39 +0200	[diff] [blame]	1264
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1265	Neutron with security groups disabled:
Oleg Bondarev	98870a3	2017-05-29 16:53:19 +0400	[diff] [blame]	1266
				1267	.. code-block:: yaml
				1268
				1269	neutron:
				1270	server:
				1271	security_groups_enabled: False
				1272	....
				1273	compute:
				1274	security_groups_enabled: False
				1275	....
				1276	gateway:
				1277	security_groups_enabled: False
				1278
Jiri Konecny	93b1999	2016-04-12 11:15:39 +0200	[diff] [blame]	1279
Aleš Komárek	41e8231	2017-04-11 13:37:44 +0200	[diff] [blame]	1280	Neutron Client
				1281	--------------
Jiri Broulik	5368cc5	2017-02-08 18:53:59 +0100	[diff] [blame]	1282
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1283	Neutron networks:
Jiri Broulik	5368cc5	2017-02-08 18:53:59 +0100	[diff] [blame]	1284
				1285	.. code-block:: yaml
				1286
				1287	neutron:
				1288	client:
				1289	enabled: true
				1290	server:
				1291	identity:
Richard Felkl	aac256a	2017-03-23 15:43:49 +0100	[diff] [blame]	1292	endpoint_type: internalURL
Jiri Broulik	5368cc5	2017-02-08 18:53:59 +0100	[diff] [blame]	1293	network:
				1294	inet1:
				1295	tenant: demo
				1296	shared: False
				1297	admin_state_up: True
				1298	router_external: True
				1299	provider_physical_network: inet
				1300	provider_network_type: flat
				1301	provider_segmentation_id: 2
				1302	subnet:
				1303	inet1-subnet1:
				1304	cidr: 192.168.90.0/24
				1305	enable_dhcp: False
				1306	inet2:
				1307	tenant: admin
				1308	shared: False
				1309	router_external: True
				1310	provider_network_type: "vlan"
				1311	subnet:
				1312	inet2-subnet1:
				1313	cidr: 192.168.92.0/24
				1314	enable_dhcp: False
				1315	inet2-subnet2:
				1316	cidr: 192.168.94.0/24
				1317	enable_dhcp: True
				1318	identity1:
				1319	network:
				1320	...
				1321
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1322	Neutron routers:
Jiri Broulik	5368cc5	2017-02-08 18:53:59 +0100	[diff] [blame]	1323
				1324	.. code-block:: yaml
				1325
				1326	neutron:
				1327	client:
				1328	enabled: true
				1329	server:
				1330	identity:
Richard Felkl	aac256a	2017-03-23 15:43:49 +0100	[diff] [blame]	1331	endpoint_type: internalURL
Jiri Broulik	5368cc5	2017-02-08 18:53:59 +0100	[diff] [blame]	1332	router:
				1333	inet1-router:
				1334	tenant: demo
				1335	admin_state_up: True
				1336	gateway_network: inet
				1337	interfaces:
				1338	- inet1-subnet1
				1339	- inet1-subnet2
				1340	identity1:
				1341	router:
				1342	...
				1343
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1344	.. TODO implement adding new interfaces to a router while updating it
Jiri Broulik	5368cc5	2017-02-08 18:53:59 +0100	[diff] [blame]	1345
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1346	Neutron security groups:
Jiri Broulik	5368cc5	2017-02-08 18:53:59 +0100	[diff] [blame]	1347
				1348	.. code-block:: yaml
				1349
				1350	neutron:
				1351	client:
				1352	enabled: true
				1353	server:
				1354	identity:
Richard Felkl	aac256a	2017-03-23 15:43:49 +0100	[diff] [blame]	1355	endpoint_type: internalURL
Jiri Broulik	5368cc5	2017-02-08 18:53:59 +0100	[diff] [blame]	1356	security_group:
				1357	security_group1:
				1358	tenant: demo
				1359	description: security group 1
				1360	rules:
				1361	- direction: ingress
				1362	ethertype: IPv4
				1363	protocol: TCP
				1364	port_range_min: 1
				1365	port_range_max: 65535
				1366	remote_ip_prefix: 0.0.0.0/0
				1367	- direction: ingress
				1368	ethertype: IPv4
				1369	protocol: UDP
				1370	port_range_min: 1
				1371	port_range_max: 65535
				1372	remote_ip_prefix: 0.0.0.0/0
				1373	- direction: ingress
				1374	protocol: ICMP
				1375	remote_ip_prefix: 0.0.0.0/0
				1376	identity1:
				1377	security_group:
				1378	...
				1379
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1380	.. TODO: implement updating existing security rules (now it adds new rule if
				1381	trying to update existing one)
Jiri Broulik	5368cc5	2017-02-08 18:53:59 +0100	[diff] [blame]	1382
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1383	Floating IP addresses:
Jiri Broulik	de2e290	2017-02-13 15:03:47 +0100	[diff] [blame]	1384
				1385	.. code-block:: yaml
				1386
				1387	neutron:
				1388	client:
				1389	enabled: true
				1390	server:
				1391	identity:
Richard Felkl	aac256a	2017-03-23 15:43:49 +0100	[diff] [blame]	1392	endpoint_type: internalURL
Jiri Broulik	de2e290	2017-02-13 15:03:47 +0100	[diff] [blame]	1393	floating_ip:
				1394	prx01-instance:
				1395	server: prx01.mk22-lab-basic.local
				1396	subnet: private-subnet1
				1397	network: public-net1
				1398	tenant: demo
				1399	gtw01-instance:
				1400	...
				1401
				1402	.. note:: The network must have flag router:external set to True.
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1403	Instance port in the stated subnet will be associated
				1404	with the dynamically generated floating IP.
Oleg Iurchenko	de71cc2	2017-09-18 17:58:56 +0300	[diff] [blame]	1405
				1406	Enable Neutron extensions (QoS, DNS, etc.)
				1407	------------------------------------------
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1408
Oleg Iurchenko	de71cc2	2017-09-18 17:58:56 +0300	[diff] [blame]	1409	.. code-block:: yaml
				1410
				1411	neutron:
				1412	server:
				1413	backend:
				1414	extension:
Oleg Iurchenko	ac17f4f	2017-10-06 11:24:27 +0300	[diff] [blame]	1415	dns:
				1416	enabled: True
				1417	host: 127.0.0.1
				1418	port: 9001
				1419	protocol: http
				1420	....
				1421	qos
				1422	enabled: True
Oleg Iurchenko	de71cc2	2017-09-18 17:58:56 +0300	[diff] [blame]	1423
Oleg Bondarev	878ac46	2018-04-23 17:48:15 +0400	[diff] [blame]	1424	Different Neutron extensions for different agents
				1425	-------------------------------------------------
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1426
Oleg Bondarev	878ac46	2018-04-23 17:48:15 +0400	[diff] [blame]	1427	.. code-block:: yaml
				1428
				1429	neutron:
				1430	server:
				1431	backend:
				1432	extension: # common extensions for OVS and SRIOV agents
				1433	dns:
				1434	enabled: True
				1435	...
				1436	qos
				1437	enabled: True
				1438	ovs_extension: # OVS specific extensions
				1439	bagpipe_bgpvpn:
				1440	enabled: True
				1441	sriov_extension: # SRIOV specific extensions
				1442	dummy:
				1443	enabled: True
Oleg Iurchenko	de71cc2	2017-09-18 17:58:56 +0300	[diff] [blame]	1444
Oleg Iurchenko	8cf6cf5	2017-09-18 15:44:03 +0300	[diff] [blame]	1445	Neutron with Designate
				1446	-----------------------------------------
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1447
Oleg Iurchenko	8cf6cf5	2017-09-18 15:44:03 +0300	[diff] [blame]	1448	.. code-block:: yaml
				1449
				1450	neutron:
				1451	server:
				1452	backend:
				1453	extension:
				1454	dns:
				1455	enabled: True
				1456	host: 127.0.0.1
				1457	port: 9001
				1458	protocol: http
				1459
Marek Celoud	67ce206	2018-01-31 13:44:55 +0100	[diff] [blame]	1460	Enable RBAC for OpenContrail engine
				1461	-----------------------------------
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1462
Marek Celoud	67ce206	2018-01-31 13:44:55 +0100	[diff] [blame]	1463	.. code-block:: yaml
				1464
				1465	neutron:
				1466	server:
				1467	backend:
				1468	engine: contrail
				1469	rbac:
				1470	enabled: True
Oleg Iurchenko	8cf6cf5	2017-09-18 15:44:03 +0300	[diff] [blame]	1471
Kostiantyn Kalynovskyi	7cc5904	2019-03-14 16:30:14 +0300	[diff] [blame]	1472	Increase maximum number of allowed address pairs per instance
				1473	-----------------------------------
				1474
				1475	Neutron Server:
				1476
				1477	.. code-block:: yaml
				1478
				1479	neutron:
				1480	server:
				1481	max_allowed_address_pair: 20
				1482
				1483	Neutron generic node (compute or gateway):
				1484
				1485	.. code-block:: yaml
				1486
				1487	neutron:
				1488	max_allowed_address_pair: 20
				1489
Oleg Bondarev	a0940cc	2019-03-27 16:24:00 +0400	[diff] [blame]	1490	Increase OVS timeouts for loaded nodes
				1491	--------------------------------------
				1492
				1493	Network node:
				1494
				1495	.. code-block:: yaml
				1496
				1497	neutron:
				1498	gateway:
				1499	of_connect_timeout: 60
				1500	of_request_timeout: 30
				1501	ovs_vsctl_timeout: 30 # Pike
				1502	ovsdb_timeout: 30 # Queens and beyond
				1503	bridge_mac_table_size: 100000
				1504
Oleg Bondarev	e26a239	2019-04-11 18:27:27 +0400	[diff] [blame^]	1505	Change default resource quotas
				1506	------------------------------
				1507
				1508	.. code-block:: yaml
				1509
				1510	neutron:
				1511	server:
				1512	quotas:
				1513	default_quota: 100
				1514	quota_network: 150
				1515	quota_subnet: 150
				1516	quota_port: 200
				1517	quota_router: 50
				1518	quota_floatingip: 30
				1519	quota_security_group: 20
				1520	quota_security_group_rule: 50
				1521
				1522
Oleg Bondarev	a0940cc	2019-03-27 16:24:00 +0400	[diff] [blame]	1523
Dmitry Kalashnik	35dd0e0	2017-12-07 14:16:25 +0400	[diff] [blame]	1524	Enhanced logging with logging.conf
				1525	----------------------------------
				1526
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1527	By default ``logging.conf`` is disabled.
Dmitry Kalashnik	35dd0e0	2017-12-07 14:16:25 +0400	[diff] [blame]	1528
				1529	That is possible to enable per-binary logging.conf with new variables:
Dmitry Kalashnik	35dd0e0	2017-12-07 14:16:25 +0400	[diff] [blame]	1530
OlgaGusarenko	838c9fd	2018-07-31 00:22:44 +0300	[diff] [blame]	1531	* ``openstack_log_appender``
				1532	Set to true to enable ``log_config_append`` for all OpenStack services
				1533
				1534	* ``openstack_fluentd_handler_enabled``
				1535	Set to true to enable FluentHandler for all Openstack services
				1536
				1537	* ``openstack_ossyslog_handler_enabled``
				1538	Set to true to enable OSSysLogHandler for all Openstack services.
				1539
				1540	Only ``WatchedFileHandler``, ``OSSysLogHandler``, and ``FluentHandler``
				1541	are available.
Dmitry Kalashnik	35dd0e0	2017-12-07 14:16:25 +0400	[diff] [blame]	1542
				1543	Also it is possible to configure this with pillar:
				1544
				1545	.. code-block:: yaml
				1546
				1547	neutron:
				1548	server:
				1549	logging:
				1550	log_appender: true
				1551	log_handlers:
				1552	watchedfile:
				1553	enabled: true
				1554	fluentd:
				1555	enabled: true
Oleksii Chupryn	156c5f4	2018-02-07 10:06:50 +0200	[diff] [blame]	1556	ossyslog:
				1557	enabled: true
Dmitry Kalashnik	35dd0e0	2017-12-07 14:16:25 +0400	[diff] [blame]	1558	....
				1559	compute:
				1560	logging:
				1561	log_appender: true
				1562	log_handlers:
				1563	watchedfile:
				1564	enabled: true
				1565	fluentd:
				1566	enabled: true
Oleksii Chupryn	156c5f4	2018-02-07 10:06:50 +0200	[diff] [blame]	1567	ossyslog:
				1568	enabled: true
Dmitry Kalashnik	35dd0e0	2017-12-07 14:16:25 +0400	[diff] [blame]	1569	....
				1570	gateway:
				1571	logging:
				1572	log_appender: true
				1573	log_handlers:
				1574	watchedfile:
				1575	enabled: true
				1576	fluentd:
				1577	enabled: true
Oleksii Chupryn	156c5f4	2018-02-07 10:06:50 +0200	[diff] [blame]	1578	ossyslog:
				1579	enabled: true
Oleg Iurchenko	8cf6cf5	2017-09-18 15:44:03 +0300	[diff] [blame]	1580
Oleksii Grudev	fe73ee5	2018-05-14 14:08:11 +0300	[diff] [blame]	1581	Logging levels pillar example:
				1582
				1583	.. code-block:: yaml
				1584
				1585	neutron:
				1586	server:
				1587	logging:
				1588	log_appender: true
				1589	loggers:
				1590	root:
				1591	level: 'DEBUG'
				1592	neutron:
				1593	level: 'DEBUG'
				1594	amqplib:
				1595	level: 'DEBUG'
				1596	sqlalchemy:
				1597	level: 'DEBUG'
				1598	boto:
				1599	level: 'DEBUG'
				1600	suds:
				1601	level: 'DEBUG'
				1602	eventletwsgi:
				1603	level: 'DEBUG'
				1604	......
Oleksandr Bryndzii	3b0ac2c	2018-10-04 11:06:24 +0300	[diff] [blame]	1605	Neutron server with memcached caching and security strategy:
				1606
				1607	.. code-block:: yaml
				1608
				1609	neutron:
				1610	server:
				1611	enabled: true
				1612	...
				1613	cache:
				1614	engine: memcached
				1615	members:
				1616	- host: 127.0.0.1
				1617	port: 11211
				1618	- host: 127.0.0.1
				1619	port: 11211
				1620	security:
				1621	enabled: true
				1622	strategy: ENCRYPT
				1623	secret_key: secret
Oleksii Grudev	fe73ee5	2018-05-14 14:08:11 +0300	[diff] [blame]	1624
Vasyl Saienko	ba42073	2018-09-07 10:19:32 +0000	[diff] [blame]	1625	Upgrades
				1626	========
				1627
				1628	Each openstack formula provide set of phases (logical bloks) that will help to
				1629	build flexible upgrade orchestration logic for particular components. The list
				1630	of phases might and theirs descriptions are listed in table below:
				1631
				1632	+-------------------------------+------------------------------------------------------+
				1633	\| State \| Description \|
				1634	+===============================+======================================================+
				1635	\| <app>.upgrade.service_running \| Ensure that all services for particular application \|
				1636	\| \| are enabled for autostart and running \|
				1637	+-------------------------------+------------------------------------------------------+
				1638	\| <app>.upgrade.service_stopped \| Ensure that all services for particular application \|
				1639	\| \| disabled for autostart and dead \|
				1640	+-------------------------------+------------------------------------------------------+
				1641	\| <app>.upgrade.pkg_latest \| Ensure that packages used by particular application \|
				1642	\| \| are installed to latest available version. \|
				1643	\| \| This will not upgrade data plane packages like qemu \|
				1644	\| \| and openvswitch as usually minimal required version \|
				1645	\| \| in openstack services is really old. The data plane \|
				1646	\| \| packages should be upgraded separately by `apt-get \|
				1647	\| \| upgrade` or `apt-get dist-upgrade` \|
				1648	\| \| Applying this state will not autostart service. \|
				1649	+-------------------------------+------------------------------------------------------+
				1650	\| <app>.upgrade.render_config \| Ensure configuration is rendered actual version. +
				1651	+-------------------------------+------------------------------------------------------+
				1652	\| <app>.upgrade.pre \| We assume this state is applied on all nodes in the \|
				1653	\| \| cloud before running upgrade. \|
				1654	\| \| Only non destructive actions will be applied during \|
				1655	\| \| this phase. Perform service built in service check \|
				1656	\| \| like (keystone-manage doctor and nova-status upgrade)\|
				1657	+-------------------------------+------------------------------------------------------+
				1658	\| <app>.upgrade.upgrade.pre \| Mostly applicable for data plane nodes. During this \|
				1659	\| \| phase resources will be gracefully removed from \|
				1660	\| \| current node if it is allowed. Services for upgraded \|
				1661	\| \| application will be set to admin disabled state to \|
				1662	\| \| make sure node will not participate in resources \|
				1663	\| \| scheduling. For example on gtw nodes this will set \|
				1664	\| \| all agents to admin disable state and will move all \|
				1665	\| \| routers to other agents. \|
				1666	+-------------------------------+------------------------------------------------------+
				1667	\| <app>.upgrade.upgrade \| This state will basically upgrade application on \|
				1668	\| \| particular target. Stop services, render \|
				1669	\| \| configuration, install new packages, run offline \|
				1670	\| \| dbsync (for ctl), start services. Data plane should \|
				1671	\| \| not be affected, only OpenStack python services. \|
				1672	+-------------------------------+------------------------------------------------------+
				1673	\| <app>.upgrade.upgrade.post \| Add services back to scheduling. \|
				1674	+-------------------------------+------------------------------------------------------+
				1675	\| <app>.upgrade.post \| This phase should be launched only when upgrade of \|
				1676	\| \| the cloud is completed. \|
				1677	+-------------------------------+------------------------------------------------------+
				1678	\| <app>.upgrade.verify \| Here we will do basic health checks (API CRUD \|
				1679	\| \| operations, verify do not have dead network \|
				1680	\| \| agents/compute services) \|
				1681	+-------------------------------+------------------------------------------------------+
				1682
				1683
Oleksandr Shyshko	f51b94c	2018-08-31 16:05:27 +0300	[diff] [blame]	1684	Enable x509 and ssl communication between Neutron and Galera cluster.
				1685	---------------------
				1686	By default communication between Neutron and Galera is unsecure.
				1687
				1688	neutron:
				1689	server:
				1690	database:
				1691	x509:
				1692	enabled: True
				1693
				1694	You able to set custom certificates in pillar:
				1695
				1696	neutron:
				1697	server:
				1698	database:
				1699	x509:
				1700	cacert: (certificate content)
				1701	cert: (certificate content)
				1702	key: (certificate content)
				1703
				1704	You can read more about it here:
				1705	https://docs.openstack.org/security-guide/databases/database-access-control.html