===============
Neutron Formula
===============

Neutron is an OpenStack project to provide "networking as a service" between
interface devices (e.g., vNICs) managed by other OpenStack services (e.g.,
nova).

Starting in the Folsom release, Neutron is a core and supported part of the
OpenStack platform (for Essex, we were an "incubated" project, which means use
is suggested only for those who really know what they're doing with Neutron).

Sample Pillars
==============

Neutron Server on the controller node

.. code-block:: yaml

    neutron:
      server:
        enabled: true
        version: mitaka
        allow_pagination: true
        pagination_max_limit: 100
        bind:
          address: 172.20.0.1
          port: 9696
        database:
          engine: mysql
          host: 127.0.0.1
          port: 3306
          name: neutron
          user: neutron
          password: pwd
        identity:
          engine: keystone
          host: 127.0.0.1
          port: 35357
          user: neutron
          password: pwd
          tenant: service
          endpoint_type: internal
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        metadata:
          host: 127.0.0.1
          port: 8775
          password: pass
        audit:
          enabled: false

Note: Pagination is useful when retrieving a large number of resources,
because a single request may fail (timeout). It is enabled with both
parameters *allow_pagination* and *pagination_max_limit* as shown above.

Configuration of policy.json file

.. code-block:: yaml

    neutron:
      server:
        ....
        policy:
          create_subnet: 'rule:admin_or_network_owner'
          'get_network:queue_id': 'rule:admin_only'
          # Add key without value to remove line from policy.json
          'create_network:shared':

Neutron LBaaSv2 enablement
--------------------------

.. code-block:: yaml

    neutron:
      server:
        lbaas:
          enabled: true
          providers:
            octavia:
              engine: octavia
              driver_path: 'neutron_lbaas.drivers.octavia.driver.OctaviaDriver'
              base_url: 'http://127.0.0.1:9876'
            avi_adc:
              engine: avinetworks
              driver_path: 'avi_lbaasv2.avi_driver.AviDriver'
              controller_address: 10.182.129.239
              controller_user: admin
              controller_password: Cloudlab2016
              controller_cloud_name: Default-Cloud
            avi_adc2:
              engine: avinetworks
              ...

Note: If the Contrail backend is set, the OpenContrail load balancer is enabled
automatically. In this case LBaaS should be disabled in the pillar:

.. code-block:: yaml

    neutron:
      server:
        lbaas:
          enabled: false

Neutron FWaaSv1 enablement
--------------------------

.. code-block:: yaml

    neutron:
      fwaas:
        enabled: true
        version: ocata
        api_version: v1

Enable CORS parameters
----------------------

.. code-block:: yaml

    neutron:
      server:
        cors:
          allowed_origin: https:localhost.local,http:localhost.local
          expose_headers: X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token
          allow_methods: GET,PUT,POST,DELETE,PATCH
          allow_headers: X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token
          allow_credentials: True
          max_age: 86400

Neutron VXLAN tenant networks with Network nodes
------------------------------------------------

With DVR for East-West and Network node for North-South.

This use case describes a model utilising VxLAN overlay with DVR. The DVR
routers will only be utilized for traffic that is routed within the cloud
infrastructure and that remains encapsulated. External traffic will be
routed via the network nodes.

The intention is that each tenant will require at least two (2) vrouters
one to be utilised

Neutron Server

.. code-block:: yaml

    neutron:
      server:
        version: mitaka
        path_mtu: 1500
        bind:
          address: 172.20.0.1
          port: 9696
        database:
          engine: mysql
          host: 127.0.0.1
          port: 3306
          name: neutron
          user: neutron
          password: pwd
        identity:
          engine: keystone
          host: 127.0.0.1
          port: 35357
          user: neutron
          password: pwd
          tenant: service
          endpoint_type: internal
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        global_physnet_mtu: 9000
        l3_ha: False # Which type of router will be created by default
        dvr: True # disabled for non DVR use case
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          external_mtu: 9000
          mechanism:
            ovs:
              driver: openvswitch

Network Node

.. code-block:: yaml

    neutron:
      gateway:
        enabled: True
        version: mitaka
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        local_ip: 192.168.20.20 # br-mesh ip address
        dvr: True # disabled for non DVR use case
        agent_mode: dvr_snat
        metadata:
          host: 127.0.0.1
          password: pass
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          mechanism:
            ovs:
              driver: openvswitch

Compute Node

.. code-block:: yaml

    neutron:
      compute:
        enabled: True
        version: mitaka
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        local_ip: 192.168.20.20 # br-mesh ip address
        dvr: True # disabled for non DVR use case
        agent_mode: dvr
        external_access: false # Compute node with DVR for east-west only, Network Node has True as default
        metadata:
          host: 127.0.0.1
          password: pass
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          mechanism:
            ovs:
              driver: openvswitch
        audit:
          enabled: false

Disable physnet1 bridge
-----------------------

External access is turned on by default, so in addition to any physnets
defined in your reclass model there is one more: physnet1, which is mapped
to br-floating.

If you need only internal networks, without this bridge, remove br-floating
and its configuration mappings. Disable the mappings for this bridge on the
neutron servers:

.. code-block:: yaml

    neutron:
      server:
        external_access: false

gateways:

.. code-block:: yaml

    neutron:
      gateway:
        external_access: false

compute nodes:

.. code-block:: yaml

    neutron:
      compute:
        external_access: false

Specify different mtu values for different physnets
---------------------------------------------------

Neutron Server

.. code-block:: yaml

    neutron:
      server:
        version: mitaka
        backend:
          external_mtu: 1500
          tenant_net_mtu: 9000
          ironic_net_mtu: 9000

Neutron VXLAN tenant networks with Network Nodes (non DVR)
----------------------------------------------------------

This section describes a network solution that utilises VxLAN overlay
networks without DVR, with all routers being managed on the network nodes.

Neutron Server

.. code-block:: yaml

    neutron:
      server:
        version: mitaka
        bind:
          address: 172.20.0.1
          port: 9696
        database:
          engine: mysql
          host: 127.0.0.1
          port: 3306
          name: neutron
          user: neutron
          password: pwd
        identity:
          engine: keystone
          host: 127.0.0.1
          port: 35357
          user: neutron
          password: pwd
          tenant: service
          endpoint_type: internal
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        global_physnet_mtu: 9000
        l3_ha: True
        dvr: False
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          external_mtu: 9000
          mechanism:
            ovs:
              driver: openvswitch

Network Node

.. code-block:: yaml

    neutron:
      gateway:
        enabled: True
        version: mitaka
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        local_ip: 192.168.20.20 # br-mesh ip address
        dvr: False
        agent_mode: legacy
        availability_zone: az1
        metadata:
          host: 127.0.0.1
          password: pass
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          mechanism:
            ovs:
              driver: openvswitch

Compute Node

.. code-block:: yaml

    neutron:
      compute:
        enabled: True
        version: mitaka
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        local_ip: 192.168.20.20 # br-mesh ip address
        external_access: False
        dvr: False
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          mechanism:
            ovs:
              driver: openvswitch

Neutron VXLAN tenant networks with Network Nodes with DVR
---------------------------------------------------------

With DVR for East-West and North-South, DVR everywhere, Network node for SNAT.

This section describes a network solution that utilises VxLAN
overlay networks with DVR for both North-South and East-West traffic. The
Network Node is used only for SNAT.

Neutron Server

.. code-block:: yaml

    neutron:
      server:
        version: mitaka
        bind:
          address: 172.20.0.1
          port: 9696
        database:
          engine: mysql
          host: 127.0.0.1
          port: 3306
          name: neutron
          user: neutron
          password: pwd
        identity:
          engine: keystone
          host: 127.0.0.1
          port: 35357
          user: neutron
          password: pwd
          tenant: service
          endpoint_type: internal
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        global_physnet_mtu: 9000
        l3_ha: False
        dvr: True
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          external_mtu: 9000
          mechanism:
            ovs:
              driver: openvswitch

Network Node

.. code-block:: yaml

    neutron:
      gateway:
        enabled: True
        version: mitaka
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        local_ip: 192.168.20.20 # br-mesh ip address
        dvr: True
        agent_mode: dvr_snat
        availability_zone: az1
        metadata:
          host: 127.0.0.1
          password: pass
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          mechanism:
            ovs:
              driver: openvswitch

Compute Node

.. code-block:: yaml

    neutron:
      compute:
        enabled: True
        version: mitaka
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        local_ip: 192.168.20.20 # br-mesh ip address
        dvr: True
        external_access: True
        agent_mode: dvr
        availability_zone: az1
        metadata:
          host: 127.0.0.1
          password: pass
        backend:
          engine: ml2
          tenant_network_types: "flat,vxlan"
          mechanism:
            ovs:
              driver: openvswitch

Sample Linux network configuration for DVR

.. code-block:: yaml

    linux:
      network:
        bridge: openvswitch
        interface:
          eth1:
            enabled: true
            type: eth
            mtu: 9000
            proto: manual
          eth2:
            enabled: true
            type: eth
            mtu: 9000
            proto: manual
          eth3:
            enabled: true
            type: eth
            mtu: 9000
            proto: manual
          br-int:
            enabled: true
            mtu: 9000
            type: ovs_bridge
          br-floating:
            enabled: true
            mtu: 9000
            type: ovs_bridge
          float-to-ex:
            enabled: true
            type: ovs_port
            mtu: 65000
            bridge: br-floating
          br-mgmt:
            enabled: true
            type: bridge
            mtu: 9000
            address: ${_param:single_address}
            netmask: 255.255.255.0
            use_interfaces:
            - eth1
          br-mesh:
            enabled: true
            type: bridge
            mtu: 9000
            address: ${_param:tenant_address}
            netmask: 255.255.255.0
            use_interfaces:
            - eth2
          br-ex:
            enabled: true
            type: bridge
            mtu: 9000
            address: ${_param:external_address}
            netmask: 255.255.255.0
            use_interfaces:
            - eth3
            use_ovs_ports:
            - float-to-ex

Additional VXLAN tenant network settings
----------------------------------------

The default multicast group of 224.0.0.1 only multicasts to a single subnet.
Override it to support larger underlay network topologies.

Neutron Server

.. code-block:: yaml

    neutron:
      server:
        vxlan:
          group: 239.0.0.0/8
          vni_ranges: "2:65535"

Neutron VLAN tenant networks with Network Nodes
-----------------------------------------------

VLAN tenant provider

Neutron Server only

.. code-block:: yaml

    neutron:
      server:
        version: mitaka
        ...
        global_physnet_mtu: 9000
        l3_ha: False
        dvr: True
        backend:
          engine: ml2
          tenant_network_types: "flat,vlan" # Can be mixed flat,vlan,vxlan
          tenant_vlan_range: "1000:2000"
          external_vlan_range: "100:200" # Does not have to be defined.
          external_mtu: 9000
          mechanism:
            ovs:
              driver: openvswitch

Compute node

.. code-block:: yaml

    neutron:
      compute:
        version: mitaka
        ...
        dvr: True
        agent_mode: dvr
        external_access: False
        backend:
          engine: ml2
          tenant_network_types: "flat,vlan" # Can be mixed flat,vlan,vxlan
          mechanism:
            ovs:
              driver: openvswitch

Advanced Neutron Features (DPDK, SR-IOV)
----------------------------------------

Neutron OVS DPDK

Enable datapath netdev for neutron openvswitch agent

.. code-block:: yaml

    neutron:
      server:
        version: mitaka
        ...
        dpdk: True
        ...

    neutron:
      compute:
        version: mitaka
        dpdk: True
        vhost_socket_dir: /var/run/openvswitch
        backend:
          engine: ml2
          ...
          mechanism:
            ovs:
              driver: openvswitch

Neutron OVS SR-IOV

.. code-block:: yaml

    neutron:
      server:
        version: mitaka
        backend:
          engine: ml2
          ...
          mechanism:
            ovs:
              driver: openvswitch
            sriov:
              driver: sriovnicswitch

    neutron:
      compute:
        version: mitaka
        ...
        backend:
          engine: ml2
          tenant_network_types: "flat,vlan" # Can be mixed flat,vlan,vxlan
          sriov:
            nic_one:
              devname: eth1
              physical_network: physnet3
          mechanism:
            ovs:
              driver: openvswitch

Neutron with VLAN-aware-VMs
---------------------------

.. code-block:: yaml

    neutron:
      server:
        vlan_aware_vms: true
      ....
      compute:
        vlan_aware_vms: true
      ....
      gateway:
        vlan_aware_vms: true

Neutron with OVN
----------------

Control node:

.. code-block:: yaml

    neutron:
      server:
        backend:
          engine: ovn
          mechanism:
            ovn:
              driver: ovn
          tenant_network_types: "geneve,flat"

Compute node:

.. code-block:: yaml

    neutron:
      compute:
        local_ip: 10.2.0.105
        controller_vip: 10.1.0.101
        external_access: false
        backend:
          engine: ovn

Neutron Server
--------------

Neutron Server with OpenContrail

.. code-block:: yaml

    neutron:
      server:
        backend:
          engine: contrail
          host: contrail_discovery_host
          port: 8082
          user: admin
          password: password
          tenant: admin
          token: token

Neutron Server with Midonet

.. code-block:: yaml

    neutron:
      server:
        backend:
          engine: midonet
          host: midonet_api_host
          port: 8181
          user: admin
          password: password

Neutron Keystone region

.. code-block:: yaml

    neutron:
      server:
        enabled: true
        version: kilo
        ...
        identity:
          region: RegionTwo
        ...
        compute:
          region: RegionTwo
        ...

Client-side RabbitMQ HA setup

.. code-block:: yaml

    neutron:
      server:
        ....
        message_queue:
          engine: rabbitmq
          members:
            - host: 10.0.16.1
            - host: 10.0.16.2
            - host: 10.0.16.3
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        ....

Client-side RabbitMQ TLS configuration:

|

To enable TLS for oslo.messaging you need to provide the CA certificate.

By default the system-wide CA certificates are used, so nothing needs to be specified except `ssl.enabled`.

.. code-block:: yaml

    neutron:
      server, gateway, compute:
        ....
        message_queue:
          ssl:
            enabled: True

Use the `cacert_file` option to specify the CA certificate file path explicitly:

.. code-block:: yaml

    neutron:
      server, gateway, compute:
        ....
        message_queue:
          ssl:
            enabled: True
            cacert_file: /etc/ssl/rabbitmq-ca.pem

To manage the content of the `cacert_file`, use the `cacert` option:

.. code-block:: yaml

    neutron:
      server, gateway, compute:
        ....
        message_queue:
          ssl:
            enabled: True
            cacert: |
              -----BEGIN CERTIFICATE-----
              ...
              -----END CERTIFICATE-----
            cacert_file: /etc/openstack/rabbitmq-ca.pem

Notice:
 * The `message_queue.port` is set to **5671** (AMQPS) by default if `ssl.enabled=True`.
 * Use `message_queue.ssl.version` if you need to specify the protocol version. The default is TLSv1 for Python < 2.7.9 and TLSv1_2 for versions above.

Enable auditing filter, i.e. CADF

.. code-block:: yaml

    neutron:
      server:
        audit:
          enabled: true
          ....
          filter_factory: 'keystonemiddleware.audit:filter_factory'
          map_file: '/etc/pycadf/neutron_api_audit_map.conf'
        ....
      compute:
        audit:
          enabled: true
          ....
          filter_factory: 'keystonemiddleware.audit:filter_factory'
          map_file: '/etc/pycadf/neutron_api_audit_map.conf'
        ....

Neutron with security groups disabled

.. code-block:: yaml

    neutron:
      server:
        security_groups_enabled: False
      ....
      compute:
        security_groups_enabled: False
      ....
      gateway:
        security_groups_enabled: False

Neutron Client
--------------

Neutron networks

.. code-block:: yaml

    neutron:
      client:
        enabled: true
        server:
          identity:
            endpoint_type: internalURL
            network:
              inet1:
                tenant: demo
                shared: False
                admin_state_up: True
                router_external: True
                provider_physical_network: inet
                provider_network_type: flat
                provider_segmentation_id: 2
                subnet:
                  inet1-subnet1:
                    cidr: 192.168.90.0/24
                    enable_dhcp: False
              inet2:
                tenant: admin
                shared: False
                router_external: True
                provider_network_type: "vlan"
                subnet:
                  inet2-subnet1:
                    cidr: 192.168.92.0/24
                    enable_dhcp: False
                  inet2-subnet2:
                    cidr: 192.168.94.0/24
                    enable_dhcp: True
          identity1:
            network:
              ...

Neutron routers

.. code-block:: yaml

    neutron:
      client:
        enabled: true
        server:
          identity:
            endpoint_type: internalURL
            router:
              inet1-router:
                tenant: demo
                admin_state_up: True
                gateway_network: inet
                interfaces:
                  - inet1-subnet1
                  - inet1-subnet2
          identity1:
            router:
              ...

    TODO: implement adding new interfaces to a router while updating it

Neutron security groups

.. code-block:: yaml

    neutron:
      client:
        enabled: true
        server:
          identity:
            endpoint_type: internalURL
            security_group:
              security_group1:
                tenant: demo
                description: security group 1
                rules:
                  - direction: ingress
                    ethertype: IPv4
                    protocol: TCP
                    port_range_min: 1
                    port_range_max: 65535
                    remote_ip_prefix: 0.0.0.0/0
                  - direction: ingress
                    ethertype: IPv4
                    protocol: UDP
                    port_range_min: 1
                    port_range_max: 65535
                    remote_ip_prefix: 0.0.0.0/0
                  - direction: ingress
                    protocol: ICMP
                    remote_ip_prefix: 0.0.0.0/0
          identity1:
            security_group:
              ...

    TODO: implement updating existing security rules (now it adds new rule if trying to update existing one)

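A pillar check for the settings this page shows with weak sample values: a `message_queue` without `ssl.enabled`, `security_groups_enabled: False`, the placeholder passwords, and the all-ports `0.0.0.0/0` ingress rules in the security group sample above. This is an added example, not part of salt-formula-neutron; the function names, the rule set and the `SAMPLE` pillar are constructed for illustration, and only the pillar key names come from this page.

```python
import ipaddress

ROLES = ("server", "gateway", "compute")
SECRET_KEYS = {"password", "token", "controller_password"}
# Placeholder secrets that appear in this README's sample pillars.
SAMPLE_SECRETS = {"pwd", "pass", "password", "token", "Cloudlab2016"}


def walk(node, path=()):
    """Yield (path, value) for every scalar leaf of a nested dict/list."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, path + (str(key),))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, path + (str(index),))
    else:
        yield path, node


def world_open(rule):
    """True for an ingress TCP/UDP/any-protocol rule open to every source and port."""
    if rule.get("direction") != "ingress":
        return False
    # A rule without remote_ip_prefix matches any source address.
    source = ipaddress.ip_network(rule.get("remote_ip_prefix", "0.0.0.0/0"), strict=False)
    if source.prefixlen != 0:
        return False
    if str(rule.get("protocol", "")).upper() not in ("", "TCP", "UDP"):
        return False
    return rule.get("port_range_min", 1) <= 1 and rule.get("port_range_max", 65535) >= 65535


def audit(pillar):
    """Return a list of (pillar path, problem) tuples."""
    neutron = pillar.get("neutron", {})
    findings = []
    for role in ROLES:
        conf = neutron.get(role)
        if not isinstance(conf, dict):
            continue
        if conf.get("security_groups_enabled") is False:
            findings.append((f"neutron.{role}.security_groups_enabled", "security groups disabled"))
        mq = conf.get("message_queue")
        if isinstance(mq, dict) and (mq.get("ssl") or {}).get("enabled") is not True:
            findings.append((f"neutron.{role}.message_queue", "AMQP without TLS"))
    for path, value in walk(neutron):
        if path and path[-1] in SECRET_KEYS and value in SAMPLE_SECRETS:
            findings.append(("neutron." + ".".join(path), "README sample secret in use"))
    for profile, conf in (neutron.get("client", {}).get("server") or {}).items():
        if not isinstance(conf, dict):
            continue
        for name, group in (conf.get("security_group") or {}).items():
            if not isinstance(group, dict):
                continue
            for index, rule in enumerate(group.get("rules") or []):
                if world_open(rule):
                    findings.append((
                        f"neutron.client.server.{profile}.security_group.{name}.rules.{index}",
                        "ingress from any address on all ports",
                    ))
    return findings


# Constructed sample pillar, as it would look after YAML parsing.
SAMPLE = {"neutron": {
    "server": {"security_groups_enabled": False,
               "message_queue": {"engine": "rabbitmq", "port": 5672, "password": "pwd"}},
    "compute": {"message_queue": {"engine": "rabbitmq", "password": "constructed-secret",
                                  "ssl": {"enabled": True}}},
    "client": {"server": {"identity": {"security_group": {"security_group1": {"rules": [
        {"direction": "ingress", "ethertype": "IPv4", "protocol": "TCP",
         "port_range_min": 1, "port_range_max": 65535, "remote_ip_prefix": "0.0.0.0/0"},
        {"direction": "ingress", "ethertype": "IPv4", "protocol": "TCP",
         "port_range_min": 22, "port_range_max": 22, "remote_ip_prefix": "192.168.90.0/24"},
        {"direction": "ingress", "protocol": "ICMP", "remote_ip_prefix": "0.0.0.0/0"},
    ]}}}}},
}}


if __name__ == "__main__":
    for path, problem in audit(SAMPLE):
        print(f"{path}: {problem}")
```
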
Floating IP addresses

.. code-block:: yaml

    neutron:
      client:
        enabled: true
        server:
          identity:
            endpoint_type: internalURL
            floating_ip:
              prx01-instance:
                server: prx01.mk22-lab-basic.local
                subnet: private-subnet1
                network: public-net1
                tenant: demo
              gtw01-instance:
                ...

.. note:: The network must have flag router:external set to True.
          Instance port in the stated subnet will be associated with the dynamically generated floating IP.

Enable Neutron extensions (QoS, DNS, etc.)
------------------------------------------

.. code-block:: yaml

    neutron:
      server:
        backend:
          extension:
            dns:
              enabled: True
              host: 127.0.0.1
              port: 9001
              protocol: http
            ....
            qos:
              enabled: True

Neutron with Designate
----------------------

.. code-block:: yaml

    neutron:
      server:
        backend:
          extension:
            dns:
              enabled: True
              host: 127.0.0.1
              port: 9001
              protocol: http

Documentation and Bugs
======================

To learn how to install and update salt-formulas, consult the documentation
available online at:

    http://salt-formulas.readthedocs.io/

In the unfortunate event that bugs are discovered, they should be reported to
the appropriate issue tracker. Use Github issue tracker for specific salt
formula:

    https://github.com/salt-formulas/salt-formula-neutron/issues

For feature requests, bug reports or blueprints affecting entire ecosystem,
use Launchpad salt-formulas project:

    https://launchpad.net/salt-formulas

You can also join salt-formulas-users team and subscribe to mailing list:

    https://launchpad.net/~salt-formulas-users

Developers wishing to work on the salt-formulas projects should always base
their work on master branch and submit pull request against specific formula.

    https://github.com/salt-formulas/salt-formula-neutron

Any questions or feedback is always welcome so feel free to join our IRC
channel:

    #salt-formulas @ irc.freenode.net