=====
Usage
=====

Neutron is an OpenStack project to provide *networking as a service* between
interface devices (e.g., vNICs) managed by other OpenStack services (e.g.,
nova).

Starting with the Folsom release, Neutron is a core and supported part of the
OpenStack platform (for Essex, we were an *incubated* project, which means use
is suggested only for those who really know what they're doing with Neutron).

Sample Pillars
==============

Neutron Server on the controller node

.. code-block:: yaml

    neutron:
      server:
        enabled: true
        version: mitaka
        allow_pagination: true
        pagination_max_limit: 100
        api_workers: 2
        rpc_workers: 2
        rpc_state_report_workers: 2
        root_helper_daemon: false
        dhcp_lease_duration: 600
        firewall_driver: iptables_hybrid
        agent_boot_time: 180
        bind:
          address: 172.20.0.1
          port: 9696
        database:
          engine: mysql
          host: 127.0.0.1
          port: 3306
          name: neutron
          user: neutron
          password: pwd
        identity:
          engine: keystone
          host: 127.0.0.1
          port: 35357
          user: neutron
          password: pwd
          tenant: service
          endpoint_type: internal
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        metadata:
          host: 127.0.0.1
          port: 8775
          password: pass
          workers: 2
        audit:
          enabled: false

.. note:: Pagination is useful when retrieving a large number of resources,
   because a single unpaginated request may fail (timeout). It is enabled with
   both parameters *allow_pagination* and *pagination_max_limit* as shown above.

Configuration of the policy.json file:

.. code-block:: yaml

    neutron:
      server:
        ....
        policy:
          create_subnet: 'rule:admin_or_network_owner'
          'get_network:queue_id': 'rule:admin_only'
          # Add key without value to remove line from policy.json
          'create_network:shared':
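
The following is an added worked example, not code from the formula, showing what the ``policy`` pillar above does to a policy.json document: a key with a value overrides or adds a rule, and a bare key (which YAML parses as ``None``) removes the line. The stock policy dictionary is a constructed stand-in with only a handful of rules; the merge semantics are the ones the comment in the pillar describes, and the dangling-reference check is an extra sanity test a practitioner would want before shipping the file.

```python
import json
import re

# Constructed stand-in for a stock policy.json; a real file has many more rules.
DEFAULT_POLICY = {
    "context_is_admin": "role:admin",
    "admin_or_owner": "rule:context_is_admin or tenant_id:%(tenant_id)s",
    "admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s",
    "admin_only": "rule:context_is_admin",
    "default": "rule:admin_or_owner",
    "create_subnet": "rule:admin_or_network_owner",
    "get_network:queue_id": "rule:admin_only",
    "create_network:shared": "rule:admin_only",
}

# What the neutron:server:policy pillar fragment above parses to.
# The bare key 'create_network:shared': becomes None after YAML parsing.
PILLAR_POLICY = {
    "create_subnet": "rule:admin_or_network_owner",
    "get_network:queue_id": "rule:admin_only",
    "create_network:shared": None,
}

# Matches the <name> in a 'rule:<name>' reference inside a policy expression.
RULE_REF = re.compile(r"rule:([A-Za-z0-9_:-]+)")


def apply_policy_overrides(default_policy, pillar_policy):
    """Merge pillar overrides into a policy dict: a None value drops the key."""
    merged = dict(default_policy)
    for key, rule in pillar_policy.items():
        if rule is None:
            merged.pop(key, None)
        else:
            merged[key] = rule
    return merged


def unresolved_rule_references(policy):
    """Names referenced as 'rule:<name>' that no policy key defines."""
    referenced = set()
    for rule in policy.values():
        referenced.update(RULE_REF.findall(rule))
    return sorted(referenced - set(policy))


def render_policy_json(policy):
    """Serialize in the key-sorted form a config-management tool would write."""
    return json.dumps(policy, indent=4, sort_keys=True) + "\n"


if __name__ == "__main__":
    policy = apply_policy_overrides(DEFAULT_POLICY, PILLAR_POLICY)
    print(render_policy_json(policy))
    print("unresolved rule references:", unresolved_rule_references(policy))
```

Removing a line does not remove the check for that action: oslo.policy evaluates a key that is absent from the file with the ``default`` rule, so the effective rule for ``create_network:shared`` becomes whatever ``default`` says. The reference check catches the other common mistake, an override that points at a ``rule:`` name the file never defines.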

Neutron LBaaSv2 enablement
--------------------------

.. code-block:: yaml

    neutron:
      server:
        lbaas:
          enabled: true
          providers:
            octavia:
              engine: octavia
              driver_path: 'neutron_lbaas.drivers.octavia.driver.OctaviaDriver'
              base_url: 'http://127.0.0.1:9876'
            avi_adc:
              engine: avinetworks
              driver_path: 'avi_lbaasv2.avi_driver.AviDriver'
              controller_address: 10.182.129.239
              controller_user: admin
              controller_password: Cloudlab2016
              controller_cloud_name: Default-Cloud
            avi_adc2:
              engine: avinetworks
              ...

.. note:: If the Contrail backend is set, the OpenContrail load balancer
   is enabled automatically. In this case LBaaS should be disabled in the
   pillar:

   .. code-block:: yaml

      neutron:
        server:
          lbaas:
            enabled: false

Neutron FWaaSv1 enablement
--------------------------

.. code-block:: yaml

    neutron:
      fwaas:
        enabled: true
        version: ocata
        api_version: v1


Enable CORS parameters
----------------------

.. code-block:: yaml

    neutron:
      server:
        cors:
          allowed_origin: https://localhost.local,http://localhost.local
          expose_headers: X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token
          allow_methods: GET,PUT,POST,DELETE,PATCH
          allow_headers: X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token
          allow_credentials: True
          max_age: 86400

Neutron VXLAN tenant networks with Network nodes
------------------------------------------------

With DVR for East-West and Network node for North-South.

This use case describes a model utilising VxLAN overlay with DVR. The DVR
routers will only be utilized for traffic that is routed within the cloud
infrastructure and that remains encapsulated. External traffic will be
routed via the network nodes.

The intention is that each tenant will require at least two (2) vrouters,
one to be utilised

Neutron Server:

.. code-block:: yaml

    neutron:
      server:
        version: mitaka
        path_mtu: 1500
        bind:
          address: 172.20.0.1
          port: 9696
        database:
          engine: mysql
          host: 127.0.0.1
          port: 3306
          name: neutron
          user: neutron
          password: pwd
        identity:
          engine: keystone
          host: 127.0.0.1
          port: 35357
          user: neutron
          password: pwd
          tenant: service
          endpoint_type: internal
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        global_physnet_mtu: 9000
        l3_ha: False # Which type of router will be created by default
        dvr: True # disabled for non DVR use case
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          external_mtu: 9000
          mechanism:
            ovs:
              driver: openvswitch

Network Node:

.. code-block:: yaml

    neutron:
      gateway:
        enabled: True
        version: mitaka
        dhcp_lease_duration: 600
        firewall_driver: iptables_hybrid
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        local_ip: 192.168.20.20 # br-mesh ip address
        dvr: True # disabled for non DVR use case
        agent_mode: dvr_snat
        metadata:
          host: 127.0.0.1
          password: pass
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          mechanism:
            ovs:
              driver: openvswitch
        agents:
          dhcp:
            ovs_use_veth: False

Compute Node:

.. code-block:: yaml

    neutron:
      compute:
        enabled: True
        version: mitaka
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        local_ip: 192.168.20.20 # br-mesh ip address
        dvr: True # disabled for non DVR use case
        agent_mode: dvr
        external_access: false # Compute node with DVR for east-west only, Network Node has True as default
        metadata:
          host: 127.0.0.1
          password: pass
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          mechanism:
            ovs:
              driver: openvswitch
        audit:
          enabled: false


Setting mac base address
------------------------

By default Neutron uses fa:16:3f:00:00:00 as the base address for its MAC
generator. You can set your own MAC base for both the DVR and non-DVR cases.

NOTE: dvr_base_mac and base_mac SHOULD differ.

.. code-block:: yaml

    neutron:
      server:
        base_mac: fa:16:3f:00:00:00
        dvr_base_mac: fa:16:3f:a0:00:00

gateways:

.. code-block:: yaml

    neutron:
      gateway:
        base_mac: fa:16:3f:00:00:00
        dvr_base_mac: fa:16:3f:a0:00:00

compute nodes:

.. code-block:: yaml

    neutron:
      compute:
        base_mac: fa:16:3f:00:00:00
        dvr_base_mac: fa:16:3f:a0:00:00
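
As an added example (not part of the formula), the script below shows how a base MAC turns into generated addresses and what the NOTE above protects against. It relies on the rule stated in Neutron's own option help for ``base_mac``/``dvr_base_mac``: the first three octets are kept, the fourth is also kept when it is not ``00``, and the rest are generated randomly. The MAC strings are the ones from the pillar above; the check function and its report format are this example's own.

```python
import random
import re

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")


def parse_mac(mac):
    """Return the six octets of a colon-separated MAC, validating the format."""
    mac = mac.strip().lower()
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return [int(octet, 16) for octet in mac.split(":")]


def fixed_octets(base_mac):
    """Octets Neutron keeps from a base MAC: three, or four when the fourth
    octet is not 00. The remaining octets are generated at random."""
    return 4 if parse_mac(base_mac)[3] != 0 else 3


def generate_mac(base_mac, seed=None):
    """Generate one address from a base as described above (seed is only
    here so the output is reproducible in the test)."""
    rng = random.Random(seed)
    octets = parse_mac(base_mac)
    keep = fixed_octets(base_mac)
    tail = [rng.randint(0, 255) for _ in range(6 - keep)]
    return ":".join(f"{o:02x}" for o in octets[:keep] + tail)


def check_mac_bases(base_mac, dvr_base_mac):
    """Report whether the two bases differ (the NOTE above) and whether the
    address ranges generated from them can still overlap: they do whenever
    one base's fixed prefix is a prefix of the other's."""
    a, b = parse_mac(base_mac), parse_mac(dvr_base_mac)
    keep_a, keep_b = fixed_octets(base_mac), fixed_octets(dvr_base_mac)
    shared = min(keep_a, keep_b)
    return {
        "differ": a != b,
        "fixed_octets": (keep_a, keep_b),
        "ranges_overlap": a[:shared] == b[:shared],
    }


if __name__ == "__main__":
    for base in ("fa:16:3f:00:00:00", "fa:16:3f:a0:00:00"):
        print(base, "->", generate_mac(base))
    print(check_mac_bases("fa:16:3f:00:00:00", "fa:16:3f:a0:00:00"))
```

For the pair used in the pillar above the check reports ``differ: True`` but also ``ranges_overlap: True``: every DVR address ``fa:16:3f:a0:xx:xx`` is also a possible tenant-port address under ``fa:16:3f:xx:xx:xx``, so the two pools are distinct in their base values but not disjoint in the addresses they can produce. Bases that differ within the first three octets (for instance ``fa:16:3e:...`` against ``fa:16:3f:...``) give disjoint pools.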


Disable physnet1 bridge
-----------------------

By default external access is turned on, so in addition to any physnets in
your reclass model there is one more, physnet1, which is mapped to
br-floating.

If you need internal networks only, without this bridge, remove br-floating
and its configuration mappings. Disable the mappings for this bridge on the
neutron servers:

.. code-block:: yaml

    neutron:
      server:
        external_access: false

gateways:

.. code-block:: yaml

    neutron:
      gateway:
        external_access: false

compute nodes:

.. code-block:: yaml

    neutron:
      compute:
        external_access: false


Add additional bridge mappings for OVS bridges
----------------------------------------------

By default external access is turned on, so in addition to any physnets in
your reclass model there is one more, physnet1, which is mapped to
br-floating.

If you need to add extra non-default bridge mappings, they can be defined
separately for both gateways and compute nodes:

gateways:

.. code-block:: yaml

    neutron:
      gateway:
        bridge_mappings:
          physnet4: br-floating-internet

compute nodes:

.. code-block:: yaml

    neutron:
      compute:
        bridge_mappings:
          physnet4: br-floating-internet


Specify different mtu values for different physnets
---------------------------------------------------

Neutron Server:

.. code-block:: yaml

    neutron:
      server:
        version: mitaka
        backend:
          external_mtu: 1500
          tenant_net_mtu: 9000
          ironic_net_mtu: 9000

Neutron VXLAN tenant networks with Network Nodes (non DVR)
----------------------------------------------------------

This section describes a network solution that utilises VxLAN overlay
networks without DVR, with all routers being managed on the network nodes.

Neutron Server:

.. code-block:: yaml

    neutron:
      server:
        version: mitaka
        bind:
          address: 172.20.0.1
          port: 9696
        database:
          engine: mysql
          host: 127.0.0.1
          port: 3306
          name: neutron
          user: neutron
          password: pwd
        identity:
          engine: keystone
          host: 127.0.0.1
          port: 35357
          user: neutron
          password: pwd
          tenant: service
          endpoint_type: internal
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        global_physnet_mtu: 9000
        l3_ha: True
        dvr: False
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          external_mtu: 9000
          mechanism:
            ovs:
              driver: openvswitch

Network Node:

.. code-block:: yaml

    neutron:
      gateway:
        enabled: True
        version: mitaka
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        local_ip: 192.168.20.20 # br-mesh ip address
        dvr: False
        agent_mode: legacy
        availability_zone: az1
        metadata:
          host: 127.0.0.1
          password: pass
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          mechanism:
            ovs:
              driver: openvswitch

Compute Node:

.. code-block:: yaml

    neutron:
      compute:
        enabled: True
        version: mitaka
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        local_ip: 192.168.20.20 # br-mesh ip address
        external_access: False
        dvr: False
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          mechanism:
            ovs:
              driver: openvswitch

Neutron VXLAN tenant networks with Network Nodes with DVR
---------------------------------------------------------

With DVR for East-West and North-South, DVR everywhere, Network
node for SNAT.

This section describes a network solution that utilises VxLAN
overlay networks with DVR for both North-South and East-West traffic.
The Network Node is used only for SNAT.

Neutron Server:

.. code-block:: yaml

    neutron:
      server:
        version: mitaka
        bind:
          address: 172.20.0.1
          port: 9696
        database:
          engine: mysql
          host: 127.0.0.1
          port: 3306
          name: neutron
          user: neutron
          password: pwd
        identity:
          engine: keystone
          host: 127.0.0.1
          port: 35357
          user: neutron
          password: pwd
          tenant: service
          endpoint_type: internal
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        global_physnet_mtu: 9000
        l3_ha: False
        dvr: True
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          external_mtu: 9000
          mechanism:
            ovs:
              driver: openvswitch

Network Node:

.. code-block:: yaml

    neutron:
      gateway:
        enabled: True
        version: mitaka
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        local_ip: 192.168.20.20 # br-mesh ip address
        dvr: True
        agent_mode: dvr_snat
        availability_zone: az1
        metadata:
          host: 127.0.0.1
          password: pass
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          mechanism:
            ovs:
              driver: openvswitch

Compute Node:

.. code-block:: yaml

    neutron:
      compute:
        enabled: True
        version: mitaka
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        local_ip: 192.168.20.20 # br-mesh ip address
        dvr: True
        external_access: True
        agent_mode: dvr
        availability_zone: az1
        metadata:
          host: 127.0.0.1
          password: pass
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          mechanism:
            ovs:
              driver: openvswitch
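
The three VXLAN topologies above (DVR for east-west only, no DVR, DVR everywhere) differ only in a handful of keys that have to agree across the server, gateway and compute roles. The following is an added consistency check, not part of the formula: it encodes the relationships the sections show (the ``dvr`` flag set the same way on every role, ``agent_mode`` of ``dvr_snat``/``legacy`` on the network node and ``dvr`` on compute nodes, ``local_ip`` present wherever tunnels terminate, and compute-side ``external_access`` only together with DVR). The pillar dictionaries are reduced, constructed copies of the role blocks in this section; the finding messages are this example's own.

```python
# Pillar data reduced to the keys the checks read, as the role blocks in this
# section parse to (constructed from the page; unrelated keys omitted).
DVR_EVERYWHERE = {
    "server": {"dvr": True, "l3_ha": False},
    "gateway": {"dvr": True, "agent_mode": "dvr_snat", "local_ip": "192.168.20.20"},
    "compute": {"dvr": True, "agent_mode": "dvr", "external_access": True,
                "local_ip": "192.168.20.20"},
}
NON_DVR = {
    "server": {"dvr": False, "l3_ha": True},
    "gateway": {"dvr": False, "agent_mode": "legacy", "local_ip": "192.168.20.20"},
    "compute": {"dvr": False, "external_access": False, "local_ip": "192.168.20.20"},
}
# The first VXLAN section: DVR for east-west only, compute without external access.
DVR_EAST_WEST = {
    "server": {"dvr": True, "l3_ha": False},
    "gateway": {"dvr": True, "agent_mode": "dvr_snat", "local_ip": "192.168.20.20"},
    "compute": {"dvr": True, "agent_mode": "dvr", "external_access": False,
                "local_ip": "192.168.20.20"},
}


def check_dvr_topology(pillar):
    """Return a list of findings; an empty list means the roles agree."""
    findings = []
    server = pillar.get("server", {})
    gateway = pillar.get("gateway", {})
    compute = pillar.get("compute", {})
    dvr = bool(server.get("dvr", False))

    # The dvr flag must be set the same way on every role, and every agent
    # that terminates VXLAN tunnels needs its local_ip (the br-mesh address).
    for role, cfg in (("gateway", gateway), ("compute", compute)):
        if not cfg:
            continue
        if bool(cfg.get("dvr", False)) != dvr:
            findings.append(f"{role}: dvr={cfg.get('dvr')} but server has dvr={dvr}")
        if not cfg.get("local_ip"):
            findings.append(f"{role}: local_ip (br-mesh address) is not set")

    # agent_mode follows the dvr flag: dvr_snat or legacy on the network node,
    # dvr on compute nodes.
    if gateway:
        expected = "dvr_snat" if dvr else "legacy"
        actual = gateway.get("agent_mode", "legacy")
        if actual != expected:
            findings.append(f"gateway: agent_mode={actual}, expected {expected}")
    if compute:
        mode = compute.get("agent_mode")
        if dvr and mode != "dvr":
            findings.append(f"compute: agent_mode={mode}, expected dvr")
        if not dvr and mode not in (None, "legacy"):
            findings.append(f"compute: agent_mode={mode} set without DVR")
        # external_access on a compute node only makes sense with DVR, where
        # north-south traffic can leave from the compute node itself.
        if compute.get("external_access") and not dvr:
            findings.append("compute: external_access=True without DVR")
    return findings


if __name__ == "__main__":
    for name, pillar in (("dvr_everywhere", DVR_EVERYWHERE), ("non_dvr", NON_DVR),
                         ("dvr_east_west", DVR_EAST_WEST)):
        print(name, check_dvr_topology(pillar) or "ok")
```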

Sample Linux network configuration for DVR:

.. code-block:: yaml

    linux:
      network:
        bridge: openvswitch
        interface:
          eth1:
            enabled: true
            type: eth
            mtu: 9000
            proto: manual
          eth2:
            enabled: true
            type: eth
            mtu: 9000
            proto: manual
          eth3:
            enabled: true
            type: eth
            mtu: 9000
            proto: manual
          br-int:
            enabled: true
            mtu: 9000
            type: ovs_bridge
          br-floating:
            enabled: true
            mtu: 9000
            type: ovs_bridge
          float-to-ex:
            enabled: true
            type: ovs_port
            mtu: 65000
            bridge: br-floating
          br-mgmt:
            enabled: true
            type: bridge
            mtu: 9000
            address: ${_param:single_address}
            netmask: 255.255.255.0
            use_interfaces:
            - eth1
          br-mesh:
            enabled: true
            type: bridge
            mtu: 9000
            address: ${_param:tenant_address}
            netmask: 255.255.255.0
            use_interfaces:
            - eth2
          br-ex:
            enabled: true
            type: bridge
            mtu: 9000
            address: ${_param:external_address}
            netmask: 255.255.255.0
            use_interfaces:
            - eth3
            use_ovs_ports:
            - float-to-ex

Additional VXLAN tenant network settings
----------------------------------------

The default multicast group, ``224.0.0.1``, only multicasts within a single
subnet. It can be overridden to support larger underlay network topologies.

Neutron Server:

.. code-block:: yaml

    neutron:
      server:
        vxlan:
          group: 239.0.0.0/8
          vni_ranges: "2:65535"

Neutron VLAN tenant networks with Network Nodes
-----------------------------------------------

VLAN tenant provider

Neutron Server only:

.. code-block:: yaml

    neutron:
      server:
        version: mitaka
        ...
        global_physnet_mtu: 9000
        l3_ha: False
        dvr: True
        backend:
          engine: ml2
          tenant_network_types: "flat,vlan" # Can be mixed flat,vlan,vxlan
          tenant_vlan_range: "1000:2000"
          external_vlan_range: "100:200" # Does not have to be defined.
          external_mtu: 9000
          mechanism:
            ovs:
              driver: openvswitch

Compute node:

.. code-block:: yaml

    neutron:
      compute:
        version: mitaka
        ...
        dvr: True
        agent_mode: dvr
        external_access: False
        backend:
          engine: ml2
          tenant_network_types: "flat,vlan" # Can be mixed flat,vlan,vxlan
          mechanism:
            ovs:
              driver: openvswitch

Neutron with explicit physical networks
---------------------------------------

Neutron Server only:

.. code-block:: yaml

    neutron:
      server:
        version: ocata
        ...
        backend:
          engine: ml2
          tenant_network_types: "flat,vlan" # Can be mixed flat,vlan,vxlan
          ...
          # also need to configure corresponding bridge_mappings on
          # compute and gateway nodes
          flat_networks_default: '*' # '*' to allow arbitrary names or '' to disable
          physnets: # only listed physnets will be configured (overrides physnet1/2/3)
            external:
              mtu: 1500
              types:
                - flat # possible values - 'flat' or 'vlan'
            sriov_net:
              mtu: 9000 # Optional, defaults to 1500
              vlan_range: '100:200' # Optional
              types:
                - vlan
            ext_net2:
              mtu: 1500
              types:
                - flat
                - vlan
          mechanism:
            ovs:
              driver: openvswitch
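
To make concrete what the ``physnets`` pillar above and the ``bridge_mappings`` pillar in the "Add additional bridge mappings" section describe, here is an added example (my own illustration, not the formula's templates) that maps the pillar data to the ml2 options they correspond to (``physical_network_mtus`` in ``[ml2]``, ``flat_networks`` in ``[ml2_type_flat]``, ``network_vlan_ranges`` in ``[ml2_type_vlan]``, and the agent's ``[ovs] bridge_mappings``), validates each ``vlan_range``, and reports physnets the server knows about that no agent mapping provides, which is the mismatch the comment in the pillar warns about. The exact way the real formula renders ``flat_networks_default`` is an assumption here: ``'*'`` is passed through, anything else yields the listed flat physnets (an empty result disables flat networks).

```python
# Pillar data as the YAML in this section parses to (constructed from the page).
PHYSNETS = {
    "external": {"mtu": 1500, "types": ["flat"]},
    "sriov_net": {"mtu": 9000, "vlan_range": "100:200", "types": ["vlan"]},
    "ext_net2": {"mtu": 1500, "types": ["flat", "vlan"]},
}
# The bridge_mappings pillar from the earlier section, plus physnet1 which the
# formula adds by default for br-floating.
BRIDGE_MAPPINGS = {"physnet1": "br-floating", "physnet4": "br-floating-internet"}


def parse_vlan_range(value):
    """Validate a 'low:high' VLAN range; 802.1Q VIDs 1..4094 are usable."""
    try:
        low, high = (int(part) for part in str(value).split(":"))
    except ValueError:
        raise ValueError(f"vlan_range must be 'low:high', got {value!r}")
    if not 1 <= low <= high <= 4094:
        raise ValueError(f"vlan_range {value!r} is outside 1..4094 or reversed")
    return low, high


def render_ml2_physnets(physnets, flat_networks_default="*"):
    """Map the physnets pillar to the ml2 options it corresponds to."""
    flat = [name for name, p in physnets.items() if "flat" in p["types"]]
    vlan = []
    for name, p in physnets.items():
        if "vlan" not in p["types"]:
            continue
        if p.get("vlan_range"):
            low, high = parse_vlan_range(p["vlan_range"])
            vlan.append(f"{name}:{low}:{high}")
        else:
            vlan.append(name)  # provider VLAN networks only, no tenant allocation
    mtus = [f"{name}:{p.get('mtu', 1500)}" for name, p in physnets.items()]
    # Assumption: '*' allows flat networks on any physnet name; anything else
    # restricts flat networks to the physnets that list 'flat'.
    flat_value = "*" if flat_networks_default == "*" else ",".join(flat)
    return {
        "ml2": {"physical_network_mtus": ",".join(mtus)},
        "ml2_type_flat": {"flat_networks": flat_value},
        "ml2_type_vlan": {"network_vlan_ranges": ",".join(vlan)},
    }


def render_bridge_mappings(bridge_mappings):
    """[ovs] bridge_mappings value for the agent, e.g. physnet4:br-floating-internet."""
    return ",".join(f"{physnet}:{bridge}" for physnet, bridge in bridge_mappings.items())


def render_ini(sections):
    """Serialize {section: {option: value}} as an ini fragment."""
    lines = []
    for section, options in sections.items():
        lines.append(f"[{section}]")
        lines.extend(f"{key} = {value}" for key, value in options.items())
        lines.append("")
    return "\n".join(lines)


def unmapped_physnets(physnets, agent_mappings):
    """Physnets configured on the server that no agent mapping provides."""
    return sorted(set(physnets) - set(agent_mappings))


if __name__ == "__main__":
    print(render_ini(render_ml2_physnets(PHYSNETS)))
    print("bridge_mappings =", render_bridge_mappings(BRIDGE_MAPPINGS))
    print("unmapped on agents:", unmapped_physnets(PHYSNETS, BRIDGE_MAPPINGS))
```

Run against the page's own values, the unmapped list contains all three explicit physnets: the server would accept networks on ``external``, ``sriov_net`` and ``ext_net2`` while the agents only know ``physnet1`` and ``physnet4``, so port binding for those networks fails until the agent-side mappings (``bridge_mappings`` for OVS, the SR-IOV device mapping for ``sriov_net``) are added.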

Advanced Neutron Features (DPDK, SR-IOV)
----------------------------------------

Neutron OVS DPDK

Enable datapath netdev for neutron openvswitch agent:

.. code-block:: yaml

    neutron:
      server:
        version: mitaka
        ...
        dpdk: True
        ...

    neutron:
      compute:
        version: mitaka
        dpdk: True
        vhost_mode: client # options: client|server (default)
        vhost_socket_dir: /var/run/openvswitch
        backend:
          engine: ml2
          ...
          mechanism:
            ovs:
              driver: openvswitch

Neutron OVS SR-IOV:

.. code-block:: yaml

    neutron:
      server:
        version: mitaka
        backend:
          engine: ml2
          ...
          mechanism:
            ovs:
              driver: openvswitch
            sriov:
              driver: sriovnicswitch
              # Driver w/ highest number will be placed ahead in the list (default is 0).
              # It's recommended for SR-IOV driver to set an order >0 to get it
              # before (for example) the opendaylight one.
              order: 9

    neutron:
      compute:
        version: mitaka
        ...
        backend:
          engine: ml2
          tenant_network_types: "flat,vlan" # Can be mixed flat,vlan,vxlan
          sriov:
            nic_one:
              devname: eth1
              physical_network: physnet3
          mechanism:
            ovs:
              driver: openvswitch

Neutron with VLAN-aware-VMs
---------------------------

.. code-block:: yaml

    neutron:
      server:
        vlan_aware_vms: true
        ....
      compute:
        vlan_aware_vms: true
        ....
      gateway:
        vlan_aware_vms: true

Neutron with BGP VPN (BaGPipe driver)
-------------------------------------

.. code-block:: yaml

    neutron:
      server:
        version: pike
        bgp_vpn:
          enabled: true
          driver: bagpipe # Options: bagpipe/opencontrail/opendaylight[_v2]
        ....
      compute:
        version: pike
        bgp_vpn:
          enabled: true
          driver: bagpipe # Options: bagpipe/opencontrail/opendaylight[_v2]
          bagpipe:
            local_address: 192.168.20.20 # IP address for mpls/gre tunnels
            peers: 192.168.20.30 # IP addresses of BGP peers
            autonomous_system: 64512 # Autonomous System number
            enable_rtc: True # Enable RT Constraint (RFC4684)
        backend:
          ovs_extension: # for OVS agent only, not supported in SRIOV agent
            bagpipe_bgpvpn:
              enabled: True

Neutron with DHCP agent on compute node
---------------------------------------

.. code-block:: yaml

    neutron:
      ....
      compute:
        dhcp_agent_enabled: true
        ....

Neutron with metadata agent on compute node
-------------------------------------------

.. code-block:: yaml

    neutron:
      ....
      compute:
        metadata_agent_enabled: true
        ....

Neutron with OVN
----------------

Control node:

.. code-block:: yaml

    neutron:
      server:
        backend:
          engine: ovn
          mechanism:
            ovn:
              driver: ovn
          tenant_network_types: "geneve,flat"
        ovn:
          ovn_l3_scheduler: leastloaded # valid options: chance, leastloaded
          neutron_sync_mode: repair # valid options: log, off, repair
          metadata_enabled: True
          ovn_ctl_opts:
            db-nb-create-insecure-remote: 'yes'
            db-sb-create-insecure-remote: 'yes'

Compute node:

.. code-block:: yaml

    neutron:
      compute:
        local_ip: 10.2.0.105
        controller_vip: 10.1.0.101
        external_access: false
        backend:
          engine: ovn
          ovsdb_connection: tcp:127.0.0.1:6640
        metadata:
          enabled: true
          ovsdb_server_iface: ptcp:6640:127.0.0.1
          host: 10.1.0.101
          password: unsegreto


Neutron L2 Gateway
------------------

Control node:

.. code-block:: yaml

    neutron:
      server:
        version: pike
        l2gw:
          enabled: true
          periodic_monitoring_interval: 5
          quota_l2_gateway: 20
          # service_provider=<service_type>:<name>:<driver>[:default]
          service_provider: L2GW:OpenDaylight:networking_odl.l2gateway.driver.OpenDaylightL2gwDriver:default
        backend:
          engine: ml2

Network/Gateway node:

.. code-block:: yaml

    neutron:
      gateway:
        version: pike
        l2gw:
          enabled: true
          debug: true
          socket_timeout: 20
          ovsdb_hosts:
            # <ovsdb_name>: <ip address>:<port>
            # - ovsdb_name: a user defined symbolic identifier of physical switch
            # - ip address: the address or dns name for the OVSDB server (i.e. pointer to the switch)
            ovsdb1: 10.164.5.33:6632
            ovsdb2: 10.164.4.33:6632


OpenDaylight integration
------------------------

Control node:

.. code-block:: yaml

    neutron:
      server:
        backend:
          opendaylight: true
          router: odl-router_v2
          host: 10.20.0.77
          rest_api_port: 8282
          user: admin
          password: admin
          ovsdb_connection: tcp:127.0.0.1:6639
          ovsdb_interface: native
          enable_websocket: true
          enable_dhcp_service: false
          mechanism:
            ovs:
              driver: opendaylight_v2
              order: 1

Network/Gateway node:

.. code-block:: yaml

    neutron:
      gateway:
        backend:
          router: odl-router_v2
          ovsdb_connection: tcp:127.0.0.1:6639
          ovsdb_interface: native
        opendaylight:
          ovsdb_server_iface: ptcp:6639:127.0.0.1
          ovsdb_odl_iface: tcp:10.20.0.77:6640
          tunnel_ip: 10.1.0.110
          provider_mappings: physnet1:br-floating

Compute node:

.. code-block:: yaml

    neutron:
      compute:
        opendaylight:
          ovsdb_server_iface: ptcp:6639:127.0.0.1
          ovsdb_odl_iface: tcp:10.20.0.77:6640
          tunnel_ip: 10.1.0.105
          provider_mappings: physnet1:br-floating


Service Function Chaining Extension (SFC)
-----------------------------------------

.. code-block:: yaml

    neutron:
      server:
        sfc:
          enabled: true
          sfc_drivers:
            - ovs # valid options: ovs, odl, ovn (not implemented yet)
          flow_classifier_drivers:
            - ovs # valid options: see above
        ....
      compute:
        backend:
          ovs_extension:
            sfc:
              enabled: True


Neutron Server
--------------

Neutron Server with OpenContrail:

.. code-block:: yaml

    neutron:
      server:
        backend:
          engine: contrail
          host: contrail_discovery_host
          port: 8082
          user: admin
          password: password
          tenant: admin
          token: token

Neutron Server with Midonet:

.. code-block:: yaml

    neutron:
      server:
        backend:
          engine: midonet
          host: midonet_api_host
          port: 8181
          user: admin
          password: password

Neutron Server with NSX:

.. code-block:: yaml

    neutron:
      server:
        backend:
          engine: vmware
          core_plugin: vmware_nsxv3
          vmware:
            nsx:
              extension_drivers:
                - vmware_nsxv3_dns
              v3:
                api_password: nsx_password
                api_user: nsx_username
                api_managers:
                  01:
                    scheme: https
                    host: 192.168.10.120
                    port: '443'
                    insecure: true
1092
OlgaGusarenko838c9fd2018-07-31 00:22:44 +03001093Neutron Keystone region:
Jakub Pavlik6dd5c0a2016-03-09 14:18:15 +01001094
1095.. code-block:: yaml
1096
1097 neutron:
1098 server:
1099 enabled: true
1100 version: kilo
1101 ...
1102 identity:
1103 region: RegionTwo
1104 ...
1105 compute:
1106 region: RegionTwo
1107 ...
1108
OlgaGusarenko838c9fd2018-07-31 00:22:44 +03001109Client-side RabbitMQ HA setup:
Jiri Konecny93b19992016-04-12 11:15:39 +02001110
1111.. code-block:: yaml
1112
1113 neutron:
1114 server:
1115 ....
1116 message_queue:
1117 engine: rabbitmq
1118 members:
1119 - host: 10.0.16.1
1120 - host: 10.0.16.2
1121 - host: 10.0.16.3
1122 user: openstack
1123 password: pwd
1124 virtual_host: '/openstack'
1125 ....
1126
Configuring TLS communications
------------------------------

.. note:: By default, system-wide installed CA certs are used,
   so the ``cacert_file`` param is optional, as well as ``cacert``.

- **RabbitMQ TLS**

  .. code-block:: yaml

      neutron:
        server, gateway, compute:
          message_queue:
            port: 5671
            ssl:
              enabled: True
              (optional) cacert: cert body if the cacert_file does not exist
              (optional) cacert_file: /etc/openstack/rabbitmq-ca.pem
              (optional) version: TLSv1_2

- **MySQL TLS**

  .. code-block:: yaml

      neutron:
        server:
          database:
            ssl:
              enabled: True
              (optional) cacert: cert body if the cacert_file does not exist
              (optional) cacert_file: /etc/openstack/mysql-ca.pem

- **Openstack HTTPS API**

  .. code-block:: yaml

      neutron:
        server:
          identity:
            protocol: https
            (optional) cacert_file: /etc/openstack/proxy.pem

Enable the auditing filter, i.e. CADF:

.. code-block:: yaml

    neutron:
      server:
        audit:
          enabled: true
      ....
          filter_factory: 'keystonemiddleware.audit:filter_factory'
          map_file: '/etc/pycadf/neutron_api_audit_map.conf'
      ....
      compute:
        audit:
          enabled: true
      ....
          filter_factory: 'keystonemiddleware.audit:filter_factory'
          map_file: '/etc/pycadf/neutron_api_audit_map.conf'
      ....

Neutron with security groups disabled:

.. code-block:: yaml

    neutron:
      server:
        security_groups_enabled: False
      ....
      compute:
        security_groups_enabled: False
      ....
      gateway:
        security_groups_enabled: False


Neutron Client
--------------

Neutron networks:

.. code-block:: yaml

    neutron:
      client:
        enabled: true
        server:
          identity:
            endpoint_type: internalURL
            network:
              inet1:
                tenant: demo
                shared: False
                admin_state_up: True
                router_external: True
                provider_physical_network: inet
                provider_network_type: flat
                provider_segmentation_id: 2
                subnet:
                  inet1-subnet1:
                    cidr: 192.168.90.0/24
                    enable_dhcp: False
              inet2:
                tenant: admin
                shared: False
                router_external: True
                provider_network_type: "vlan"
                subnet:
                  inet2-subnet1:
                    cidr: 192.168.92.0/24
                    enable_dhcp: False
                  inet2-subnet2:
                    cidr: 192.168.94.0/24
                    enable_dhcp: True
          identity1:
            network:
              ...

Neutron routers:

.. code-block:: yaml

    neutron:
      client:
        enabled: true
        server:
          identity:
            endpoint_type: internalURL
            router:
              inet1-router:
                tenant: demo
                admin_state_up: True
                gateway_network: inet
                interfaces:
                  - inet1-subnet1
                  - inet1-subnet2
          identity1:
            router:
              ...

.. TODO implement adding new interfaces to a router while updating it

Neutron security groups:

.. code-block:: yaml

    neutron:
      client:
        enabled: true
        server:
          identity:
            endpoint_type: internalURL
            security_group:
              security_group1:
                tenant: demo
                description: security group 1
                rules:
                  - direction: ingress
                    ethertype: IPv4
                    protocol: TCP
                    port_range_min: 1
                    port_range_max: 65535
                    remote_ip_prefix: 0.0.0.0/0
                  - direction: ingress
                    ethertype: IPv4
                    protocol: UDP
                    port_range_min: 1
                    port_range_max: 65535
                    remote_ip_prefix: 0.0.0.0/0
                  - direction: ingress
                    protocol: ICMP
                    remote_ip_prefix: 0.0.0.0/0
          identity1:
            security_group:
              ...

.. TODO: implement updating existing security rules (now it adds new rule if
   trying to update existing one)
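A pillar hardening check covering the TLS settings and the ``security_groups_enabled`` switch described in the previous sections as well as the client security group rules above, added here as an example and not part of the formula. It assumes the pillar has already been parsed into a Python dict; the sample pillar, function names and thresholds are constructed for the example.

```python
"""Hardening checks for a Neutron pillar (added example, not formula code).

The pillar is modelled as an already-parsed dict; the check names and the
constructed sample pillar below are this example's own assumptions.
"""

FULL_PORT_RANGE = (1, 65535)
ANY_SOURCE = ("0.0.0.0/0", "::/0")


def permissive_rules(security_groups):
    """Return (group, rule index, protocol) for ingress rules open to any
    source that span the full port range or carry no port bounds at all."""
    findings = []
    for name, group in security_groups.items():
        for idx, rule in enumerate(group.get("rules", [])):
            if rule.get("direction") != "ingress":
                continue
            if rule.get("remote_ip_prefix") not in ANY_SOURCE:
                continue
            bounds = (rule.get("port_range_min"), rule.get("port_range_max"))
            if bounds == FULL_PORT_RANGE or bounds[0] is None:
                findings.append((name, idx, rule.get("protocol", "any")))
    return findings


def transport_findings(neutron):
    """Return (role, setting, reason) for plain-text RabbitMQ, MySQL or
    Keystone transport and for roles that switch security groups off."""
    findings = []
    for role in ("server", "gateway", "compute"):
        cfg = neutron.get(role)
        if not cfg:
            continue
        if not cfg.get("message_queue", {}).get("ssl", {}).get("enabled"):
            findings.append((role, "message_queue", "ssl.enabled is not true"))
        if role == "server":
            db = cfg.get("database", {})
            if not (db.get("ssl", {}).get("enabled") or db.get("x509", {}).get("enabled")):
                findings.append((role, "database", "neither ssl nor x509 enabled"))
            if cfg.get("identity", {}).get("protocol") != "https":
                findings.append((role, "identity", "protocol is not https"))
        if cfg.get("security_groups_enabled") is False:
            findings.append((role, "security_groups_enabled", "set to False"))
    return findings


# Constructed sample: TLS on MySQL only, plain RabbitMQ and Keystone on the
# server, security groups off on compute, the page's wide-open rules plus one
# narrowly scoped SSH rule.
SAMPLE_PILLAR = {
    "server": {"message_queue": {"engine": "rabbitmq", "port": 5672},
               "database": {"ssl": {"enabled": True}},
               "identity": {"protocol": "http"}},
    "compute": {"security_groups_enabled": False,
                "message_queue": {"port": 5671, "ssl": {"enabled": True}}},
    "client": {"security_group": {"security_group1": {"tenant": "demo", "rules": [
        {"direction": "ingress", "protocol": "TCP", "port_range_min": 1,
         "port_range_max": 65535, "remote_ip_prefix": "0.0.0.0/0"},
        {"direction": "ingress", "protocol": "TCP", "port_range_min": 22,
         "port_range_max": 22, "remote_ip_prefix": "10.0.0.0/8"},
        {"direction": "ingress", "protocol": "ICMP", "remote_ip_prefix": "0.0.0.0/0"},
    ]}}},
}
```

Run ``transport_findings(SAMPLE_PILLAR)`` and ``permissive_rules(SAMPLE_PILLAR["client"]["security_group"])`` against a pillar rendered for a real node to get the same tuples for that node's settings.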
Jiri Broulik5368cc52017-02-08 18:53:59 +01001306
OlgaGusarenko838c9fd2018-07-31 00:22:44 +03001307Floating IP addresses:
Jiri Broulikde2e2902017-02-13 15:03:47 +01001308
1309.. code-block:: yaml
1310
1311 neutron:
1312 client:
1313 enabled: true
1314 server:
1315 identity:
Richard Felklaac256a2017-03-23 15:43:49 +01001316 endpoint_type: internalURL
Jiri Broulikde2e2902017-02-13 15:03:47 +01001317 floating_ip:
1318 prx01-instance:
1319 server: prx01.mk22-lab-basic.local
1320 subnet: private-subnet1
1321 network: public-net1
1322 tenant: demo
1323 gtw01-instance:
1324 ...
1325
1326.. note:: The network must have flag router:external set to True.
OlgaGusarenko838c9fd2018-07-31 00:22:44 +03001327 Instance port in the stated subnet will be associated
1328 with the dynamically generated floating IP.

Enable Neutron extensions (QoS, DNS, etc.)
------------------------------------------

.. code-block:: yaml

    neutron:
      server:
        backend:
          extension:
            dns:
              enabled: True
              host: 127.0.0.1
              port: 9001
              protocol: http
            ....
            qos:
              enabled: True

Different Neutron extensions for different agents
-------------------------------------------------

.. code-block:: yaml

    neutron:
      server:
        backend:
          extension: # common extensions for OVS and SRIOV agents
            dns:
              enabled: True
            ...
            qos:
              enabled: True
          ovs_extension: # OVS specific extensions
            bagpipe_bgpvpn:
              enabled: True
          sriov_extension: # SRIOV specific extensions
            dummy:
              enabled: True

Neutron with Designate
----------------------

.. code-block:: yaml

    neutron:
      server:
        backend:
          extension:
            dns:
              enabled: True
              host: 127.0.0.1
              port: 9001
              protocol: http

Enable RBAC for OpenContrail engine
-----------------------------------

.. code-block:: yaml

    neutron:
      server:
        backend:
          engine: contrail
          rbac:
            enabled: True

Enhanced logging with logging.conf
----------------------------------

By default ``logging.conf`` is disabled.

It is possible to enable a per-binary logging.conf with the following variables:

* ``openstack_log_appender``
  Set to true to enable ``log_config_append`` for all OpenStack services

* ``openstack_fluentd_handler_enabled``
  Set to true to enable FluentHandler for all OpenStack services

* ``openstack_ossyslog_handler_enabled``
  Set to true to enable OSSysLogHandler for all OpenStack services.

Only ``WatchedFileHandler``, ``OSSysLogHandler``, and ``FluentHandler``
are available.

It is also possible to configure this with the pillar:

.. code-block:: yaml

    neutron:
      server:
        logging:
          log_appender: true
          log_handlers:
            watchedfile:
              enabled: true
            fluentd:
              enabled: true
            ossyslog:
              enabled: true
      ....
      compute:
        logging:
          log_appender: true
          log_handlers:
            watchedfile:
              enabled: true
            fluentd:
              enabled: true
            ossyslog:
              enabled: true
      ....
      gateway:
        logging:
          log_appender: true
          log_handlers:
            watchedfile:
              enabled: true
            fluentd:
              enabled: true
            ossyslog:
              enabled: true

Logging levels pillar example:

.. code-block:: yaml

    neutron:
      server:
        logging:
          log_appender: true
          loggers:
            root:
              level: 'DEBUG'
            neutron:
              level: 'DEBUG'
            amqplib:
              level: 'DEBUG'
            sqlalchemy:
              level: 'DEBUG'
            boto:
              level: 'DEBUG'
            suds:
              level: 'DEBUG'
            eventletwsgi:
              level: 'DEBUG'
      ......

Neutron server with memcached caching and security strategy:

.. code-block:: yaml

    neutron:
      server:
        enabled: true
        ...
        cache:
          engine: memcached
          members:
            - host: 127.0.0.1
              port: 11211
            - host: 127.0.0.1
              port: 11211
          security:
            enabled: true
            strategy: ENCRYPT
            secret_key: secret

Upgrades
========

Each OpenStack formula provides a set of phases (logical blocks) that help to
build flexible upgrade orchestration logic for particular components. The
phases and their descriptions are listed in the table below:

+-------------------------------+------------------------------------------------------+
| State                         | Description                                          |
+===============================+======================================================+
| <app>.upgrade.service_running | Ensure that all services for particular application  |
|                               | are enabled for autostart and running                |
+-------------------------------+------------------------------------------------------+
| <app>.upgrade.service_stopped | Ensure that all services for particular application  |
|                               | are disabled for autostart and dead                  |
+-------------------------------+------------------------------------------------------+
| <app>.upgrade.pkg_latest      | Ensure that packages used by particular application  |
|                               | are installed to latest available version.           |
|                               | This will not upgrade data plane packages like qemu  |
|                               | and openvswitch as usually minimal required version  |
|                               | in openstack services is really old. The data plane  |
|                               | packages should be upgraded separately by `apt-get   |
|                               | upgrade` or `apt-get dist-upgrade`                   |
|                               | Applying this state will not autostart service.      |
+-------------------------------+------------------------------------------------------+
| <app>.upgrade.render_config   | Ensure the configuration is rendered for the         |
|                               | actual version.                                      |
+-------------------------------+------------------------------------------------------+
| <app>.upgrade.pre             | We assume this state is applied on all nodes in the  |
|                               | cloud before running the upgrade.                    |
|                               | Only non-destructive actions will be applied during  |
|                               | this phase. Run the services' built-in checks        |
|                               | (e.g. keystone-manage doctor, nova-status upgrade).  |
+-------------------------------+------------------------------------------------------+
| <app>.upgrade.upgrade.pre     | Mostly applicable for data plane nodes. During this  |
|                               | phase resources will be gracefully removed from      |
|                               | the current node if it is allowed. Services for the  |
|                               | upgraded application will be set to the admin        |
|                               | disabled state to make sure the node will not        |
|                               | participate in resource scheduling. For example, on  |
|                               | gtw nodes this will set all agents to admin disabled |
|                               | state and will move all routers to other agents.     |
+-------------------------------+------------------------------------------------------+
| <app>.upgrade.upgrade         | This state will basically upgrade the application on |
|                               | the particular target: stop services, render         |
|                               | configuration, install new packages, run offline     |
|                               | dbsync (for ctl), start services. Data plane should  |
|                               | not be affected, only OpenStack python services.     |
+-------------------------------+------------------------------------------------------+
| <app>.upgrade.upgrade.post    | Add services back to scheduling.                     |
+-------------------------------+------------------------------------------------------+
| <app>.upgrade.post            | This phase should be launched only when the upgrade  |
|                               | of the cloud is completed.                           |
+-------------------------------+------------------------------------------------------+
| <app>.upgrade.verify          | Here we will do basic health checks (API CRUD        |
|                               | operations, verify there are no dead network         |
|                               | agents/compute services).                            |
+-------------------------------+------------------------------------------------------+


Enable x509 and ssl communication between Neutron and Galera cluster.
----------------------------------------------------------------------

By default communication between Neutron and Galera is not secured.

.. code-block:: yaml

    neutron:
      server:
        database:
          x509:
            enabled: True

You can set custom certificates in the pillar:

.. code-block:: yaml

    neutron:
      server:
        database:
          x509:
            cacert: (certificate content)
            cert: (certificate content)
            key: (certificate content)

You can read more about it here:
https://docs.openstack.org/security-guide/databases/database-access-control.html

Documentation and Bugs
======================

* http://salt-formulas.readthedocs.io/
  Learn how to install and update salt-formulas

* https://github.com/salt-formulas/salt-formula-neutron/issues
  In the unfortunate event that bugs are discovered, report the issue to the
  appropriate issue tracker. Use the Github issue tracker for a specific salt
  formula

* https://launchpad.net/salt-formulas
  For feature requests, bug reports, or blueprints affecting the entire
  ecosystem, use the Launchpad salt-formulas project

* https://launchpad.net/~salt-formulas-users
  Join the salt-formulas-users team and subscribe to the mailing list if required

* https://github.com/salt-formulas/salt-formula-neutron
  Develop the salt-formulas projects in the master branch and then submit pull
  requests against a specific formula

* #salt-formulas @ irc.freenode.net
  Use this IRC channel in case of any questions or feedback, which is always
  welcome
