OlgaGusarenko838c9fd2018-07-31 00:22:44 +03001=====
2Usage
3=====
Filip Pytlouncd028e42015-10-06 16:28:32 +02004
Neutron is an OpenStack project to provide *networking as a service* between
interface devices (e.g., vNICs) managed by other OpenStack services (e.g.,
nova).
Filip Pytlouncd028e42015-10-06 16:28:32 +02008
OlgaGusarenko838c9fd2018-07-31 00:22:44 +03009Starting with the Folsom release, Neutron is a core and supported part of the
10OpenStack platform (for Essex, we were an *incubated* project, which means use
Vasyl Saienko2fffc842017-06-14 10:35:26 +030011is suggested only for those who really know what they're doing with Neutron).
Filip Pytlouncd028e42015-10-06 16:28:32 +020012
Aleš Komárek41e82312017-04-11 13:37:44 +020013Sample Pillars
Filip Pytlouncd028e42015-10-06 16:28:32 +020014==============
15
Neutron Server on the controller node (note that ``metadata.insecure: true``
in the sample disables TLS certificate verification towards the ``https``
metadata backend; keep it ``false`` wherever the certificate can be validated):
17
18.. code-block:: yaml
19
20 neutron:
21 server:
22 enabled: true
Jiri Broulik74f61112016-11-21 20:23:47 +010023 version: mitaka
Swann Croiset9407daf2017-02-02 15:27:56 +010024 allow_pagination: true
25 pagination_max_limit: 100
Mykyta Karpin253406d2017-12-08 17:01:37 +020026 api_workers: 2
27 rpc_workers: 2
28 rpc_state_report_workers: 2
Michael Polenchuk1ff88652018-03-06 16:15:57 +040029 root_helper_daemon: false
Michael Polenchuk2151b272018-06-19 18:32:31 +040030 dhcp_lease_duration: 600
Michael Polenchukcece76d2018-06-21 14:56:17 +040031 firewall_driver: iptables_hybrid
Oleg Bondarevbc2dfee2018-10-17 18:41:51 +040032 agent_boot_time: 180
William Konitzer81a89982019-01-07 12:49:15 -060033 agent_down_time: 30
34 dhcp_agents_per_network: 2
35 allow_automatic_dhcp_failover: true
Filip Pytlouncd028e42015-10-06 16:28:32 +020036 bind:
37 address: 172.20.0.1
38 port: 9696
Filip Pytlouncd028e42015-10-06 16:28:32 +020039 database:
40 engine: mysql
41 host: 127.0.0.1
42 port: 3306
43 name: neutron
44 user: neutron
45 password: pwd
46 identity:
47 engine: keystone
48 host: 127.0.0.1
49 port: 35357
50 user: neutron
51 password: pwd
52 tenant: service
Dennis Dmitriev37114722017-03-06 16:52:26 +020053 endpoint_type: internal
Filip Pytlouncd028e42015-10-06 16:28:32 +020054 message_queue:
55 engine: rabbitmq
56 host: 127.0.0.1
57 port: 5672
58 user: openstack
59 password: pwd
60 virtual_host: '/openstack'
William Konitzer81a89982019-01-07 12:49:15 -060061 rpc_conn_pool_size: 30
62 rpc_thread_pool_size: 100
63 rpc_response_timeout: 120
Filip Pytlouncd028e42015-10-06 16:28:32 +020064 metadata:
65 host: 127.0.0.1
66 port: 8775
Dzmitry Stremkouskiea470182018-10-24 15:33:35 +020067 insecure: true
68 proto: https
Filip Pytlouncd028e42015-10-06 16:28:32 +020069 password: pass
Mykyta Karpin253406d2017-12-08 17:01:37 +020070 workers: 2
Petr Michalec61f7ab22016-11-29 16:29:09 +010071 audit:
72 enabled: false
Filip Pytlouncd028e42015-10-06 16:28:32 +020073
.. note:: Pagination is useful for retrieving a large number of resources,
   because a single request may fail (timeout). It is enabled with both
   parameters *allow_pagination* and *pagination_max_limit*, as shown above.
Swann Croiset9407daf2017-02-02 15:27:56 +010077
Configuration of the policy.json file:
Dmitry Ukov596ddcf2017-05-04 18:16:16 +040079
80.. code-block:: yaml
81
82 neutron:
83 server:
84 ....
85 policy:
86 create_subnet: 'rule:admin_or_network_owner'
87 'get_network:queue_id': 'rule:admin_only'
88 # Add key without value to remove line from policy.json
89 'create_network:shared':
90
Elena Ezhovacd67cfe2017-06-16 23:35:07 +040091Neutron LBaaSv2 enablement
92--------------------------
Ondrej Smola314eee22017-03-08 21:21:16 +010093
94.. code-block:: yaml
95
96 neutron:
97 server:
98 lbaas:
99 enabled: true
100 providers:
Elena Ezhovacd67cfe2017-06-16 23:35:07 +0400101 octavia:
102 engine: octavia
103 driver_path: 'neutron_lbaas.drivers.octavia.driver.OctaviaDriver'
104 base_url: 'http://127.0.0.1:9876'
Ondrej Smola314eee22017-03-08 21:21:16 +0100105 avi_adc:
Ondrej Smola314eee22017-03-08 21:21:16 +0100106 engine: avinetworks
Elena Ezhovacd67cfe2017-06-16 23:35:07 +0400107 driver_path: 'avi_lbaasv2.avi_driver.AviDriver'
Ondrej Smola314eee22017-03-08 21:21:16 +0100108 controller_address: 10.182.129.239
109 controller_user: admin
110 controller_password: Cloudlab2016
111 controller_cloud_name: Default-Cloud
112 avi_adc2:
113 engine: avinetworks
114 ...
115
.. note:: If the Contrail backend is set, the OpenContrail load balancer
   is enabled automatically. In this case LBaaS should be disabled
   in the pillar:
Ondrej Smola314eee22017-03-08 21:21:16 +0100119
OlgaGusarenko838c9fd2018-07-31 00:22:44 +0300120 .. code-block:: yaml
Ondrej Smola314eee22017-03-08 21:21:16 +0100121
OlgaGusarenko838c9fd2018-07-31 00:22:44 +0300122 neutron:
123 server:
124 lbaas:
125 enabled: false
Elena Ezhova166d4012017-08-17 12:53:52 +0400126
127Neutron FWaaSv1 enablement
128--------------------------
129
130.. code-block:: yaml
131
132 neutron:
133 fwaas:
134 enabled: true
135 version: ocata
136 api_version: v1
137
138
Ondrej Smola12ff8192017-04-28 12:39:11 +0200139Enable CORS parameters
Elena Ezhova166d4012017-08-17 12:53:52 +0400140----------------------
Ondrej Smola12ff8192017-04-28 12:39:11 +0200141
142.. code-block:: yaml
143
144 neutron:
145 server:
146 cors:
 allowed_origin: https://localhost.local,http://localhost.local
148 expose_headers: X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token
149 allow_methods: GET,PUT,POST,DELETE,PATCH
150 allow_headers: X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token
151 allow_credentials: True
152 max_age: 86400
153
Aleš Komárek41e82312017-04-11 13:37:44 +0200154Neutron VXLAN tenant networks with Network nodes
155------------------------------------------------
Swann Croiset9407daf2017-02-02 15:27:56 +0100156
Aleš Komárek41e82312017-04-11 13:37:44 +0200157With DVR for East-West and Network node for North-South.
Jiri Broulik74f61112016-11-21 20:23:47 +0100158
This use case describes a model utilising VxLAN overlay with DVR. The DVR
routers will only be utilised for traffic that is routed within the cloud
infrastructure and that remains encapsulated. External traffic will be
routed via the network nodes.
Jiri Broulik74f61112016-11-21 20:23:47 +0100163
The intention is that each tenant will require at least two (2) vrouters:
one to be utilised for East-West traffic (DVR) and one for North-South
traffic via the network node (see above).
Jiri Broulik74f61112016-11-21 20:23:47 +0100166
OlgaGusarenko838c9fd2018-07-31 00:22:44 +0300167Neutron Server:
marcoa4428a32016-06-10 11:50:16 +0200168
169.. code-block:: yaml
170
171 neutron:
172 server:
Jiri Broulik74f61112016-11-21 20:23:47 +0100173 version: mitaka
Dmitry Stremkouski3c1be3e2017-11-18 11:04:20 +0300174 path_mtu: 1500
Jiri Broulik74f61112016-11-21 20:23:47 +0100175 bind:
176 address: 172.20.0.1
177 port: 9696
178 database:
179 engine: mysql
180 host: 127.0.0.1
181 port: 3306
182 name: neutron
183 user: neutron
184 password: pwd
185 identity:
186 engine: keystone
187 host: 127.0.0.1
188 port: 35357
189 user: neutron
190 password: pwd
191 tenant: service
Dennis Dmitriev37114722017-03-06 16:52:26 +0200192 endpoint_type: internal
Jiri Broulik74f61112016-11-21 20:23:47 +0100193 message_queue:
194 engine: rabbitmq
195 host: 127.0.0.1
196 port: 5672
197 user: openstack
198 password: pwd
199 virtual_host: '/openstack'
200 global_physnet_mtu: 9000
201 l3_ha: False # Which type of router will be created by default
202 dvr: True # disabled for non DVR use case
203 backend:
204 engine: ml2
205 tenant_network_types: "flat,vxlan"
206 external_mtu: 9000
207 mechanism:
Elena Ezhovad6a080c2017-10-09 15:25:16 +0400208 ovs:
209 driver: openvswitch
Jiri Broulik74f61112016-11-21 20:23:47 +0100210
OlgaGusarenko838c9fd2018-07-31 00:22:44 +0300211Network Node:
Jiri Broulik74f61112016-11-21 20:23:47 +0100212
213.. code-block:: yaml
214
215 neutron:
216 gateway:
217 enabled: True
218 version: mitaka
William Konitzer81a89982019-01-07 12:49:15 -0600219 report_interval: 10
Michael Polenchuk2151b272018-06-19 18:32:31 +0400220 dhcp_lease_duration: 600
Michael Polenchukcece76d2018-06-21 14:56:17 +0400221 firewall_driver: iptables_hybrid
Jiri Broulik74f61112016-11-21 20:23:47 +0100222 message_queue:
223 engine: rabbitmq
224 host: 127.0.0.1
225 port: 5672
226 user: openstack
227 password: pwd
228 virtual_host: '/openstack'
William Konitzer81a89982019-01-07 12:49:15 -0600229 rpc_conn_pool_size: 300
230 rpc_thread_pool_size: 2048
231 rpc_response_timeout: 3600
Jiri Broulik74f61112016-11-21 20:23:47 +0100232 local_ip: 192.168.20.20 # br-mesh ip address
233 dvr: True # disabled for non DVR use case
234 agent_mode: dvr_snat
235 metadata:
236 host: 127.0.0.1
237 password: pass
238 backend:
239 engine: ml2
240 tenant_network_types: "flat,vxlan"
241 mechanism:
Elena Ezhovad6a080c2017-10-09 15:25:16 +0400242 ovs:
243 driver: openvswitch
Vasyl Saienko4bd2d922018-07-27 09:56:38 +0000244 agents:
245 dhcp:
246 ovs_use_veth: False
Jiri Broulik74f61112016-11-21 20:23:47 +0100247
OlgaGusarenko838c9fd2018-07-31 00:22:44 +0300248Compute Node:
Jiri Broulik74f61112016-11-21 20:23:47 +0100249
250.. code-block:: yaml
251
252 neutron:
253 compute:
254 enabled: True
255 version: mitaka
256 message_queue:
257 engine: rabbitmq
258 host: 127.0.0.1
259 port: 5672
260 user: openstack
261 password: pwd
262 virtual_host: '/openstack'
William Konitzer81a89982019-01-07 12:49:15 -0600263 rpc_conn_pool_size: 300
264 rpc_thread_pool_size: 2048
265 rpc_response_timeout: 3600
Jiri Broulik74f61112016-11-21 20:23:47 +0100266 local_ip: 192.168.20.20 # br-mesh ip address
267 dvr: True # disabled for non DVR use case
268 agent_mode: dvr
William Konitzer81a89982019-01-07 12:49:15 -0600269 report_interval: 10
Jiri Broulik74f61112016-11-21 20:23:47 +0100270 external_access: false # Compute node with DVR for east-west only, Network Node has True as default
271 metadata:
272 host: 127.0.0.1
Vasyl Saienko2fffc842017-06-14 10:35:26 +0300273 password: pass
Jiri Broulik74f61112016-11-21 20:23:47 +0100274 backend:
275 engine: ml2
276 tenant_network_types: "flat,vxlan"
277 mechanism:
Elena Ezhovad6a080c2017-10-09 15:25:16 +0400278 ovs:
279 driver: openvswitch
Petr Michalec61f7ab22016-11-29 16:29:09 +0100280 audit:
281 enabled: false
Jiri Broulik74f61112016-11-21 20:23:47 +0100282
Aleš Komárek41e82312017-04-11 13:37:44 +0200283
Dzmitry Stremkouskid5e89e52018-09-25 10:01:54 +0200284Setting mac base address
285------------------------
286
By default Neutron uses fa:16:3f:00:00:00 as the base for its MAC generator.
One can set its own MAC base for both DVR and non-DVR cases.
289
290NOTE: dvr_base_mac and base_mac SHOULD differ.
291
292.. code-block:: yaml
293
294 neutron:
295 server:
296 base_mac: fa:16:3f:00:00:00
297 dvr_base_mac: fa:16:3f:a0:00:00
298
299gateways:
300
301.. code-block:: yaml
302
303 neutron:
304 gateway:
305 base_mac: fa:16:3f:00:00:00
306 dvr_base_mac: fa:16:3f:a0:00:00
307
308compute nodes:
309
310.. code-block:: yaml
311
312 neutron:
313 compute:
314 base_mac: fa:16:3f:00:00:00
315 dvr_base_mac: fa:16:3f:a0:00:00
316
317
Dmitry Stremkouskia3a4ab42017-10-23 17:37:12 +0300318Disable physnet1 bridge
319-----------------------
320
By default we have external access turned on, so among any physnets in
your reclass there would be an additional one: physnet1, which is mapped to
br-floating.
324
If you need internal nets only without this bridge, remove br-floating
and its configuration mappings. Disable mappings for this bridge on
neutron-servers:
328
329.. code-block:: yaml
330
331 neutron:
332 server:
333 external_access: false
334
335gateways:
336
337.. code-block:: yaml
338
339 neutron:
340 gateway:
341 external_access: false
342
343compute nodes:
344
345.. code-block:: yaml
346
347 neutron:
348 compute:
349 external_access: false
350
351
Marcin Iwinskic50137a2018-01-22 14:18:24 +0100352Add additional bridge mappings for OVS bridges
353----------------------------------------------
354
By default we have external access turned on, so among any physnets in
your reclass there would be an additional one: physnet1, which is mapped to
br-floating.
358
359If you need to add extra non-default bridge mappings they can be defined
360separately for both gateways and compute nodes:
361
362gateways:
363
364.. code-block:: yaml
365
366 neutron:
367 gateway:
368 bridge_mappings:
369 physnet4: br-floating-internet
370
371compute nodes:
372
373.. code-block:: yaml
374
375 neutron:
376 compute:
377 bridge_mappings:
378 physnet4: br-floating-internet
379
380
Dmitry Stremkouski4b410222017-11-18 11:29:55 +0300381Specify different mtu values for different physnets
382---------------------------------------------------
383
OlgaGusarenko838c9fd2018-07-31 00:22:44 +0300384Neutron Server:
Dmitry Stremkouski4b410222017-11-18 11:29:55 +0300385
386.. code-block:: yaml
387
388 neutron:
389 server:
390 version: mitaka
391 backend:
392 external_mtu: 1500
393 tenant_net_mtu: 9000
394 ironic_net_mtu: 9000
395
Jiri Broulik74f61112016-11-21 20:23:47 +0100396Neutron VXLAN tenant networks with Network Nodes (non DVR)
Aleš Komárek41e82312017-04-11 13:37:44 +0200397----------------------------------------------------------
Jiri Broulik74f61112016-11-21 20:23:47 +0100398
This section describes a network solution that utilises VxLAN overlay
networks without DVR, with all routers being managed on the network nodes.
401
OlgaGusarenko838c9fd2018-07-31 00:22:44 +0300402Neutron Server:
Jiri Broulik74f61112016-11-21 20:23:47 +0100403
404.. code-block:: yaml
405
406 neutron:
407 server:
408 version: mitaka
Jiri Broulik74f61112016-11-21 20:23:47 +0100409 bind:
410 address: 172.20.0.1
411 port: 9696
412 database:
413 engine: mysql
414 host: 127.0.0.1
415 port: 3306
416 name: neutron
417 user: neutron
418 password: pwd
419 identity:
420 engine: keystone
421 host: 127.0.0.1
422 port: 35357
423 user: neutron
424 password: pwd
425 tenant: service
Dennis Dmitriev37114722017-03-06 16:52:26 +0200426 endpoint_type: internal
Jiri Broulik74f61112016-11-21 20:23:47 +0100427 message_queue:
428 engine: rabbitmq
429 host: 127.0.0.1
430 port: 5672
431 user: openstack
432 password: pwd
433 virtual_host: '/openstack'
434 global_physnet_mtu: 9000
435 l3_ha: True
436 dvr: False
437 backend:
438 engine: ml2
 tenant_network_types: "flat,vxlan"
440 external_mtu: 9000
441 mechanism:
Elena Ezhovad6a080c2017-10-09 15:25:16 +0400442 ovs:
443 driver: openvswitch
Jiri Broulik74f61112016-11-21 20:23:47 +0100444
OlgaGusarenko838c9fd2018-07-31 00:22:44 +0300445Network Node:
Jiri Broulik74f61112016-11-21 20:23:47 +0100446
447.. code-block:: yaml
448
449 neutron:
450 gateway:
451 enabled: True
452 version: mitaka
453 message_queue:
454 engine: rabbitmq
455 host: 127.0.0.1
456 port: 5672
457 user: openstack
458 password: pwd
459 virtual_host: '/openstack'
460 local_ip: 192.168.20.20 # br-mesh ip address
461 dvr: False
462 agent_mode: legacy
Simon Pasquierc03af112017-04-10 10:35:14 +0200463 availability_zone: az1
Jiri Broulik74f61112016-11-21 20:23:47 +0100464 metadata:
465 host: 127.0.0.1
466 password: pass
467 backend:
468 engine: ml2
469 tenant_network_types: "flat,vxlan"
470 mechanism:
Elena Ezhovad6a080c2017-10-09 15:25:16 +0400471 ovs:
472 driver: openvswitch
Jiri Broulik74f61112016-11-21 20:23:47 +0100473
OlgaGusarenko838c9fd2018-07-31 00:22:44 +0300474Compute Node:
Jiri Broulik74f61112016-11-21 20:23:47 +0100475
476.. code-block:: yaml
477
478 neutron:
479 compute:
480 enabled: True
481 version: mitaka
482 message_queue:
483 engine: rabbitmq
484 host: 127.0.0.1
485 port: 5672
486 user: openstack
487 password: pwd
488 virtual_host: '/openstack'
489 local_ip: 192.168.20.20 # br-mesh ip address
490 external_access: False
Vasyl Saienko2fffc842017-06-14 10:35:26 +0300491 dvr: False
Jiri Broulik74f61112016-11-21 20:23:47 +0100492 backend:
493 engine: ml2
494 tenant_network_types: "flat,vxlan"
495 mechanism:
Elena Ezhovad6a080c2017-10-09 15:25:16 +0400496 ovs:
497 driver: openvswitch
Jiri Broulik74f61112016-11-21 20:23:47 +0100498
Aleš Komárek41e82312017-04-11 13:37:44 +0200499Neutron VXLAN tenant networks with Network Nodes with DVR
500---------------------------------------------------------
501
OlgaGusarenko838c9fd2018-07-31 00:22:44 +0300502With DVR for East-West and North-South, DVR everywhere, Network
503node for SNAT.
Jiri Broulik74f61112016-11-21 20:23:47 +0100504
This section describes a network solution that utilises VxLAN overlay
networks with DVR for both North-South and East-West traffic. The Network
Node is used only for SNAT.
508
OlgaGusarenko838c9fd2018-07-31 00:22:44 +0300509Neutron Server:
Jiri Broulik74f61112016-11-21 20:23:47 +0100510
511.. code-block:: yaml
512
513 neutron:
514 server:
515 version: mitaka
Jiri Broulik74f61112016-11-21 20:23:47 +0100516 bind:
517 address: 172.20.0.1
518 port: 9696
519 database:
520 engine: mysql
521 host: 127.0.0.1
522 port: 3306
523 name: neutron
524 user: neutron
525 password: pwd
526 identity:
527 engine: keystone
528 host: 127.0.0.1
529 port: 35357
530 user: neutron
531 password: pwd
532 tenant: service
Dennis Dmitriev37114722017-03-06 16:52:26 +0200533 endpoint_type: internal
Jiri Broulik74f61112016-11-21 20:23:47 +0100534 message_queue:
535 engine: rabbitmq
536 host: 127.0.0.1
537 port: 5672
538 user: openstack
539 password: pwd
540 virtual_host: '/openstack'
541 global_physnet_mtu: 9000
542 l3_ha: False
543 dvr: True
544 backend:
545 engine: ml2
 tenant_network_types: "flat,vxlan"
547 external_mtu: 9000
548 mechanism:
Elena Ezhovad6a080c2017-10-09 15:25:16 +0400549 ovs:
550 driver: openvswitch
Jiri Broulik74f61112016-11-21 20:23:47 +0100551
Configuring the networking-generic-switch ML2 plugin used for
bare-metal integration:
554
555.. code-block:: yaml
556
557 neutron:
558 server:
559 backend:
560 mechanism:
561 ngs:
562 driver: genericswitch
563 n_g_s:
564 enabled: true
565 coordination:
566 enabled: true
567 backend_url: "etcd3+http://1.2.3.4:2379"
568 devices:
569 s1brbm:
570 options:
571 device_type:
572 value: netmiko_ovs_linux
573 ip:
574 value: 1.2.3.4
575 username:
576 value: ngs_ovs_manager
577 password:
578 value: password
579
OlgaGusarenko838c9fd2018-07-31 00:22:44 +0300580Network Node:
Jiri Broulik74f61112016-11-21 20:23:47 +0100581
582.. code-block:: yaml
583
584 neutron:
585 gateway:
586 enabled: True
587 version: mitaka
588 message_queue:
589 engine: rabbitmq
590 host: 127.0.0.1
591 port: 5672
592 user: openstack
593 password: pwd
594 virtual_host: '/openstack'
595 local_ip: 192.168.20.20 # br-mesh ip address
596 dvr: True
597 agent_mode: dvr_snat
Simon Pasquierc03af112017-04-10 10:35:14 +0200598 availability_zone: az1
Jiri Broulik74f61112016-11-21 20:23:47 +0100599 metadata:
600 host: 127.0.0.1
601 password: pass
602 backend:
603 engine: ml2
604 tenant_network_types: "flat,vxlan"
605 mechanism:
Elena Ezhovad6a080c2017-10-09 15:25:16 +0400606 ovs:
607 driver: openvswitch
Jiri Broulik74f61112016-11-21 20:23:47 +0100608
OlgaGusarenko838c9fd2018-07-31 00:22:44 +0300609Compute Node:
Jiri Broulik74f61112016-11-21 20:23:47 +0100610
611.. code-block:: yaml
612
613 neutron:
614 compute:
615 enabled: True
616 version: mitaka
617 message_queue:
618 engine: rabbitmq
619 host: 127.0.0.1
620 port: 5672
621 user: openstack
622 password: pwd
623 virtual_host: '/openstack'
624 local_ip: 192.168.20.20 # br-mesh ip address
625 dvr: True
Vasyl Saienko2fffc842017-06-14 10:35:26 +0300626 external_access: True
Jiri Broulik74f61112016-11-21 20:23:47 +0100627 agent_mode: dvr
Simon Pasquierc03af112017-04-10 10:35:14 +0200628 availability_zone: az1
Jiri Broulik74f61112016-11-21 20:23:47 +0100629 metadata:
630 host: 127.0.0.1
631 password: pass
632 backend:
633 engine: ml2
634 tenant_network_types: "flat,vxlan"
635 mechanism:
Elena Ezhovad6a080c2017-10-09 15:25:16 +0400636 ovs:
637 driver: openvswitch
Jiri Broulik74f61112016-11-21 20:23:47 +0100638
OlgaGusarenko838c9fd2018-07-31 00:22:44 +0300639Sample Linux network configuration for DVR:
Jiri Broulik74f61112016-11-21 20:23:47 +0100640
641.. code-block:: yaml
642
643 linux:
644 network:
645 bridge: openvswitch
646 interface:
647 eth1:
648 enabled: true
649 type: eth
650 mtu: 9000
651 proto: manual
652 eth2:
653 enabled: true
654 type: eth
655 mtu: 9000
656 proto: manual
657 eth3:
658 enabled: true
659 type: eth
660 mtu: 9000
661 proto: manual
662 br-int:
663 enabled: true
664 mtu: 9000
665 type: ovs_bridge
666 br-floating:
667 enabled: true
668 mtu: 9000
669 type: ovs_bridge
670 float-to-ex:
671 enabled: true
672 type: ovs_port
673 mtu: 65000
674 bridge: br-floating
675 br-mgmt:
676 enabled: true
677 type: bridge
678 mtu: 9000
679 address: ${_param:single_address}
680 netmask: 255.255.255.0
681 use_interfaces:
682 - eth1
683 br-mesh:
684 enabled: true
685 type: bridge
686 mtu: 9000
687 address: ${_param:tenant_address}
688 netmask: 255.255.255.0
689 use_interfaces:
690 - eth2
691 br-ex:
692 enabled: true
693 type: bridge
694 mtu: 9000
695 address: ${_param:external_address}
696 netmask: 255.255.255.0
697 use_interfaces:
698 - eth3
699 use_ovs_ports:
700 - float-to-ex
701
Additional VXLAN tenant network settings
----------------------------------------
704
The default multicast group of ``224.0.0.1`` only multicasts
to a single subnet. It can be overridden to support larger underlay
network topologies.
Thom Gerdes3282d072017-05-30 22:06:04 +0000708
OlgaGusarenko838c9fd2018-07-31 00:22:44 +0300709Neutron Server:
Thom Gerdes3282d072017-05-30 22:06:04 +0000710
711.. code-block:: yaml
712
713 neutron:
714 server:
715 vxlan:
716 group: 239.0.0.0/8
717 vni_ranges: "2:65535"
718
Jiri Broulik74f61112016-11-21 20:23:47 +0100719Neutron VLAN tenant networks with Network Nodes
Aleš Komárek41e82312017-04-11 13:37:44 +0200720-----------------------------------------------
Jiri Broulik74f61112016-11-21 20:23:47 +0100721
722VLAN tenant provider
723
OlgaGusarenko838c9fd2018-07-31 00:22:44 +0300724Neutron Server only:
Jiri Broulik74f61112016-11-21 20:23:47 +0100725
726.. code-block:: yaml
727
728 neutron:
729 server:
730 version: mitaka
Jiri Broulik74f61112016-11-21 20:23:47 +0100731 ...
732 global_physnet_mtu: 9000
733 l3_ha: False
734 dvr: True
735 backend:
736 engine: ml2
737 tenant_network_types: "flat,vlan" # Can be mixed flat,vlan,vxlan
738 tenant_vlan_range: "1000:2000"
739 external_vlan_range: "100:200" # Does not have to be defined.
740 external_mtu: 9000
741 mechanism:
Elena Ezhovad6a080c2017-10-09 15:25:16 +0400742 ovs:
743 driver: openvswitch
Jiri Broulik74f61112016-11-21 20:23:47 +0100744
OlgaGusarenko838c9fd2018-07-31 00:22:44 +0300745Compute node:
Jiri Broulik74f61112016-11-21 20:23:47 +0100746
747.. code-block:: yaml
748
749 neutron:
750 compute:
751 version: mitaka
Jiri Broulik74f61112016-11-21 20:23:47 +0100752 ...
753 dvr: True
754 agent_mode: dvr
755 external_access: False
756 backend:
757 engine: ml2
758 tenant_network_types: "flat,vlan" # Can be mixed flat,vlan,vxlan
759 mechanism:
Elena Ezhovad6a080c2017-10-09 15:25:16 +0400760 ovs:
761 driver: openvswitch
Jiri Broulik74f61112016-11-21 20:23:47 +0100762
Oleg Bondarevddb9af12018-07-02 19:07:57 +0400763Neutron with explicit physical networks
764---------------------------------------
Oleg Bondarevada324f2018-06-04 14:55:38 +0400765
OlgaGusarenko838c9fd2018-07-31 00:22:44 +0300766Neutron Server only:
Oleg Bondarevada324f2018-06-04 14:55:38 +0400767
768.. code-block:: yaml
769
770 neutron:
771 server:
772 version: ocata
773 ...
774 backend:
775 engine: ml2
776 tenant_network_types: "flat,vlan" # Can be mixed flat,vlan,vxlan
777 ...
Oleg Bondarevddb9af12018-07-02 19:07:57 +0400778 # also need to configure corresponding bridge_mappings on
Oleg Bondarevada324f2018-06-04 14:55:38 +0400779 # compute and gateway nodes
Oleg Bondarev47d9e2d2018-07-03 13:22:26 +0400780 flat_networks_default: '*' # '*' to allow arbitrary names or '' to disable
Oleg Bondarevddb9af12018-07-02 19:07:57 +0400781 physnets: # only listed physnets will be configured (overrides physnet1/2/3)
782 external:
783 mtu: 1500
Oleg Bondarev47d9e2d2018-07-03 13:22:26 +0400784 types:
785 - flat # possible values - 'flat' or 'vlan'
Oleg Bondarevada324f2018-06-04 14:55:38 +0400786 sriov_net:
787 mtu: 9000 # Optional, defaults to 1500
Oleg Bondarevab324112018-11-19 17:56:57 +0400788 vlan_range: '100:200,300:400' # Optional
Oleg Bondarev47d9e2d2018-07-03 13:22:26 +0400789 types:
790 - vlan
Oleg Bondarevada324f2018-06-04 14:55:38 +0400791 ext_net2:
792 mtu: 1500
Oleg Bondarev47d9e2d2018-07-03 13:22:26 +0400793 types:
794 - flat
795 - vlan
Oleg Bondarevada324f2018-06-04 14:55:38 +0400796 mechanism:
797 ovs:
798 driver: openvswitch
799
Aleš Komárek41e82312017-04-11 13:37:44 +0200800Advanced Neutron Features (DPDK, SR-IOV)
Oleg Bondarev0575ae42017-07-28 16:36:25 +0400801----------------------------------------
Aleš Komárek41e82312017-04-11 13:37:44 +0200802
Jakub Pavlik8f83ccc2017-02-27 11:15:39 +0100803Neutron OVS DPDK
Jakub Pavlik8f83ccc2017-02-27 11:15:39 +0100804
Enable the netdev datapath for the Neutron Open vSwitch agent:
Jakub Pavlik8f83ccc2017-02-27 11:15:39 +0100806
807.. code-block:: yaml
808
809 neutron:
810 server:
811 version: mitaka
812 ...
813 dpdk: True
814 ...
815
816 neutron:
817 compute:
818 version: mitaka
Jakub Pavlik8f83ccc2017-02-27 11:15:39 +0100819 dpdk: True
Michael Polenchuk52911652018-04-12 22:09:49 +0400820 vhost_mode: client # options: client|server (default)
Oleg Bondarevee7e8302017-10-16 17:20:38 +0400821 vhost_socket_dir: /var/run/openvswitch
Jakub Pavlik8f83ccc2017-02-27 11:15:39 +0100822 backend:
823 engine: ml2
824 ...
825 mechanism:
Elena Ezhovad6a080c2017-10-09 15:25:16 +0400826 ovs:
827 driver: openvswitch
Jakub Pavlik8f83ccc2017-02-27 11:15:39 +0100828
OlgaGusarenko838c9fd2018-07-31 00:22:44 +0300829Neutron OVS SR-IOV:
Jakub Pavlik70555cb2017-02-26 18:48:02 +0100830
831.. code-block:: yaml
832
833 neutron:
834 server:
835 version: mitaka
Jakub Pavlik70555cb2017-02-26 18:48:02 +0100836 backend:
837 engine: ml2
838 ...
839 mechanism:
Elena Ezhovad6a080c2017-10-09 15:25:16 +0400840 ovs:
841 driver: openvswitch
842 sriov:
843 driver: sriovnicswitch
Michael Polenchuk0bf59a72018-06-19 18:06:56 +0400844 # Driver w/ highest number will be placed ahead in the list (default is 0).
845 # It's recommended for SR-IOV driver to set an order >0 to get it
846 # before (for example) the opendaylight one.
847 order: 9
Jakub Pavlik70555cb2017-02-26 18:48:02 +0100848
849 neutron:
850 compute:
851 version: mitaka
Jakub Pavlik70555cb2017-02-26 18:48:02 +0100852 ...
853 backend:
854 engine: ml2
855 tenant_network_types: "flat,vlan" # Can be mixed flat,vlan,vxlan
856 sriov:
857 nic_one:
858 devname: eth1
859 physical_network: physnet3
860 mechanism:
Elena Ezhovad6a080c2017-10-09 15:25:16 +0400861 ovs:
862 driver: openvswitch
Jakub Pavlik70555cb2017-02-26 18:48:02 +0100863
cdoddac35c9eb2018-11-07 23:18:10 -0600864Neutron with LinuxBridge Agents
865-------------------------------
866
867.. code-block:: yaml
868
869 neutron:
870 server:
871 firewall_driver: iptables
872 backend:
873 mechanism:
874 lb:
875 driver: linuxbridge
876 ....
877 compute:
878 backend:
879 mechanism:
880 lb:
881 driver: linuxbridge
882 ....
883 gateway:
884 backend:
885 mechanism:
886 lb:
887 driver: linuxbridge
888 agents:
889 dhcp:
890 interface_driver: linuxbridge
891 l3:
892 interface_driver: linuxbridge
893
894
Ilya Chukhnakovf4c2bb32017-06-08 02:03:15 +0300895Neutron with VLAN-aware-VMs
Oleg Bondarev0575ae42017-07-28 16:36:25 +0400896---------------------------
Ilya Chukhnakovf4c2bb32017-06-08 02:03:15 +0300897
898.. code-block:: yaml
899
900 neutron:
901 server:
902 vlan_aware_vms: true
903 ....
904 compute:
905 vlan_aware_vms: true
906 ....
907 gateway:
908 vlan_aware_vms: true
909
Oleg Bondarevacb2e532018-03-06 10:43:59 +0400910Neutron with BGP VPN (BaGPipe driver)
OlgaGusarenko838c9fd2018-07-31 00:22:44 +0300911-------------------------------------
Oleg Bondarevb63d27f2018-02-14 19:21:06 +0400912
913.. code-block:: yaml
914
915 neutron:
916 server:
917 version: pike
918 bgp_vpn:
Oleg Bondarevacb2e532018-03-06 10:43:59 +0400919 enabled: true
Michael Polenchuk0b3c5dd2018-06-27 12:04:32 +0400920 driver: bagpipe # Options: bagpipe/opencontrail/opendaylight[_v2]
Oleg Bondarevb63d27f2018-02-14 19:21:06 +0400921 ....
922 compute:
923 version: pike
924 bgp_vpn:
Oleg Bondarevacb2e532018-03-06 10:43:59 +0400925 enabled: true
Michael Polenchuk0b3c5dd2018-06-27 12:04:32 +0400926 driver: bagpipe # Options: bagpipe/opencontrail/opendaylight[_v2]
Oleg Bondarevacb2e532018-03-06 10:43:59 +0400927 bagpipe:
928 local_address: 192.168.20.20 # IP address for mpls/gre tunnels
929 peers: 192.168.20.30 # IP addresses of BGP peers
930 autonomous_system: 64512 # Autonomous System number
931 enable_rtc: True # Enable RT Constraint (RFC4684)
Oleg Bondarevb63d27f2018-02-14 19:21:06 +0400932 backend:
Oleg Bondarev878ac462018-04-23 17:48:15 +0400933 ovs_extension: # for OVS agent only, not supported in SRIOV agent
Oleg Bondarevb63d27f2018-02-14 19:21:06 +0400934 bagpipe_bgpvpn:
935 enabled: True
936
Oleksii Chupryn16cb4e02018-02-26 14:20:39 +0200937Neutron with DHCP agent on compute node
938---------------------------------------
939
940.. code-block:: yaml
941
942 neutron:
943 ....
944 compute:
945 dhcp_agent_enabled: true
946 ....
947
Machi Hoshino0ba88052019-05-08 11:44:04 +0900948Neutron with DHCP agent disabled on gateway node
949------------------------------------------------
950
951.. code-block:: yaml
952
953 neutron:
954 ....
955 gateway:
956 dhcp_agent_enabled: false
957 ....
958
Dzmitry Stremkouski48df2a72018-10-12 16:38:11 +0200959Neutron with metadata agent on compute node
960-------------------------------------------
961
962.. code-block:: yaml
963
964 neutron:
965 ....
966 compute:
967 metadata_agent_enabled: true
968 ....
969
Oleg Bondarev0575ae42017-07-28 16:36:25 +0400970Neutron with OVN
971----------------
972
Control node (the ``db-nb-create-insecure-remote`` / ``db-sb-create-insecure-remote``
options in the sample open the OVN northbound/southbound databases on plain,
unauthenticated TCP remotes; restrict them to a trusted management network or
use SSL remotes instead):
974
975.. code-block:: yaml
976
977 neutron:
978 server:
979 backend:
980 engine: ovn
981 mechanism:
982 ovn:
983 driver: ovn
984 tenant_network_types: "geneve,flat"
Michael Polenchukf59229b2018-06-19 16:24:49 +0400985 ovn:
986 ovn_l3_scheduler: leastloaded # valid options: chance, leastloaded
987 neutron_sync_mode: repair # valid options: log, off, repair
Michael Polenchuk58161ef2018-05-15 18:04:09 +0400988 metadata_enabled: True
Michael Polenchuka3d492b2017-12-27 15:49:43 +0400989 ovn_ctl_opts:
990 db-nb-create-insecure-remote: 'yes'
991 db-sb-create-insecure-remote: 'yes'
Oleg Bondarev0575ae42017-07-28 16:36:25 +0400992
993Compute node:
994
995.. code-block:: yaml
996
997 neutron:
998 compute:
999 local_ip: 10.2.0.105
1000 controller_vip: 10.1.0.101
1001 external_access: false
1002 backend:
1003 engine: ovn
Michael Polenchuk58161ef2018-05-15 18:04:09 +04001004 ovsdb_connection: tcp:127.0.0.1:6640
Michael Polenchukbe3cb9a2019-02-08 17:56:49 +04001005 mac_table_size: 16384
Michael Polenchuk58161ef2018-05-15 18:04:09 +04001006 metadata:
1007 enabled: true
1008 ovsdb_server_iface: ptcp:6640:127.0.0.1
1009 host: 10.1.0.101
1010 password: unsegreto
1011
Oleg Bondarev0575ae42017-07-28 16:36:25 +04001012
Neutron L2 Gateway
------------------
1015
1016Control node:
1017
1018.. code-block:: yaml
1019
1020 neutron:
1021 server:
1022 version: pike
1023 l2gw:
1024 enabled: true
1025 periodic_monitoring_interval: 5
1026 quota_l2_gateway: 20
1027 # service_provider=<service_type>:<name>:<driver>[:default]
1028 service_provider: L2GW:OpenDaylight:networking_odl.l2gateway.driver.OpenDaylightL2gwDriver:default
1029 backend:
1030 engine: ml2
1031
1032Network/Gateway node:
1033
1034.. code-block:: yaml
1035
1036 neutron:
1037 gateway:
1038 version: pike
1039 l2gw:
1040 enabled: true
1041 debug: true
1042 socket_timeout: 20
1043 ovsdb_hosts:
1044 # <ovsdb_name>: <ip address>:<port>
1045 # - ovsdb_name: a user defined symbolic identifier of physical switch
1046 # - ip address: the address or dns name for the OVSDB server (i.e. pointer to the switch)
1047 ovsdb1: 10.164.5.33:6632
1048 ovsdb2: 10.164.4.33:6632
1049
1050
Michael Polenchuk87d2b742017-06-29 12:05:25 +04001051OpenDaylight integration
1052------------------------
1053
1054Control node:
1055
1056.. code-block:: yaml
1057
1058 neutron:
1059 server:
1060 backend:
1061 opendaylight: true
1062 router: odl-router_v2
1063 host: 10.20.0.77
1064 rest_api_port: 8282
1065 user: admin
1066 password: admin
1067 ovsdb_connection: tcp:127.0.0.1:6639
Oleksii Chuprynfed79572018-07-20 14:11:35 +03001068 ovsdb_interface: native
Michael Polenchuk87d2b742017-06-29 12:05:25 +04001069 enable_websocket: true
1070 enable_dhcp_service: false
1071 mechanism:
1072 ovs:
1073 driver: opendaylight_v2
Michael Polenchuk0bf59a72018-06-19 18:06:56 +04001074 order: 1
Michael Polenchuk87d2b742017-06-29 12:05:25 +04001075
1076Network/Gateway node:
1077
1078.. code-block:: yaml
1079
1080 neutron:
1081 gateway:
1082 backend:
1083 router: odl-router_v2
1084 ovsdb_connection: tcp:127.0.0.1:6639
Oleksii Chuprynfed79572018-07-20 14:11:35 +03001085 ovsdb_interface: native
Michael Polenchuk87d2b742017-06-29 12:05:25 +04001086 opendaylight:
1087 ovsdb_server_iface: ptcp:6639:127.0.0.1
1088 ovsdb_odl_iface: tcp:10.20.0.77:6640
1089 tunnel_ip: 10.1.0.110
1090 provider_mappings: physnet1:br-floating
1091
1092Compute node:
1093
1094.. code-block:: yaml
1095
1096 neutron:
1097 compute:
1098 opendaylight:
1099 ovsdb_server_iface: ptcp:6639:127.0.0.1
1100 ovsdb_odl_iface: tcp:10.20.0.77:6640
1101 tunnel_ip: 10.1.0.105
1102 provider_mappings: physnet1:br-floating
1103
1104
Michael Polenchuk9cccecc2018-09-14 14:54:18 +04001105Service Function Chaining Extension (SFC)
1106-----------------------------------------
1107
1108.. code-block:: yaml
1109
1110 neutron:
1111 server:
1112 sfc:
1113 enabled: true
1114 sfc_drivers:
1115 - ovs # valid options: ovs, odl, ovn (not implemented yet)
1116 flow_classifier_drivers:
1117 - ovs # valid options: see above
1118 ....
1119 compute:
1120 backend:
1121 ovs_extension:
1122 sfc:
1123 enabled: True
1124
1125
Aleš Komárek41e82312017-04-11 13:37:44 +02001126Neutron Server
1127--------------
1128
OlgaGusarenko838c9fd2018-07-31 00:22:44 +03001129Neutron Server with OpenContrail:
Jiri Broulik74f61112016-11-21 20:23:47 +01001130
1131.. code-block:: yaml
1132
1133 neutron:
1134 server:
marcoa4428a32016-06-10 11:50:16 +02001135 backend:
1136 engine: contrail
1137 host: contrail_discovery_host
1138 port: 8082
1139 user: admin
1140 password: password
1141 tenant: admin
1142 token: token
1143
OlgaGusarenko838c9fd2018-07-31 00:22:44 +03001144Neutron Server with Midonet:
marcoa4428a32016-06-10 11:50:16 +02001145
1146.. code-block:: yaml
1147
1148 neutron:
1149 server:
1150 backend:
1151 engine: midonet
1152 host: midonet_api_host
1153 port: 8181
1154 user: admin
1155 password: password
1156
OlgaGusarenko838c9fd2018-07-31 00:22:44 +03001157Neutron Server with NSX:
Vasyl Saienko4549efe2018-07-26 16:06:04 +00001158
1159.. code-block:: yaml
1160
1161 neutron:
1162 server:
1163 backend:
1164 engine: vmware
1165 core_plugin: vmware_nsxv3
1166 vmware:
1167 nsx:
1168 extension_drivers:
1169 - vmware_nsxv3_dns
1170 v3:
1171 api_password: nsx_password
1172 api_user: nsx_username
1173 api_managers:
1174 01:
1175 scheme: https
1176 host: 192.168.10.120
1177 port: '443'
1178 insecure: true
1179
OlgaGusarenko838c9fd2018-07-31 00:22:44 +03001180Neutron Keystone region:
Jakub Pavlik6dd5c0a2016-03-09 14:18:15 +01001181
1182.. code-block:: yaml
1183
1184 neutron:
1185 server:
1186 enabled: true
1187 version: kilo
1188 ...
1189 identity:
1190 region: RegionTwo
1191 ...
1192 compute:
1193 region: RegionTwo
1194 ...
1195
OlgaGusarenko838c9fd2018-07-31 00:22:44 +03001196Client-side RabbitMQ HA setup:
Jiri Konecny93b19992016-04-12 11:15:39 +02001197
1198.. code-block:: yaml
1199
1200 neutron:
1201 server:
1202 ....
1203 message_queue:
1204 engine: rabbitmq
1205 members:
1206 - host: 10.0.16.1
1207 - host: 10.0.16.2
1208 - host: 10.0.16.3
1209 user: openstack
1210 password: pwd
1211 virtual_host: '/openstack'
1212 ....
1213
Kirill Bespalovdd748b62017-11-21 10:42:57 +03001214Configuring TLS communications
1215------------------------------
Kirill Bespalov8fffe022017-08-03 17:55:02 +03001216
OlgaGusarenko838c9fd2018-07-31 00:22:44 +03001217.. note:: By default, the system-wide installed CA certificates are used,
1218 so the ``cacert_file`` parameter is optional, as is ``cacert``.
Kirill Bespalovdd748b62017-11-21 10:42:57 +03001219
1220- **RabbitMQ TLS**
Kirill Bespalov8fffe022017-08-03 17:55:02 +03001221
OlgaGusarenko838c9fd2018-07-31 00:22:44 +03001222 .. code-block:: yaml
Kirill Bespalov8fffe022017-08-03 17:55:02 +03001223
OlgaGusarenko838c9fd2018-07-31 00:22:44 +03001224 neutron:
1225 server, gateway, compute:
1226 message_queue:
1227 port: 5671
1228 ssl:
1229 enabled: True
1230 (optional) cacert: cert body if the cacert_file does not exist
1231 (optional) cacert_file: /etc/openstack/rabbitmq-ca.pem
1232 (optional) version: TLSv1_2
Kirill Bespalov8fffe022017-08-03 17:55:02 +03001233
Kirill Bespalovdd748b62017-11-21 10:42:57 +03001234- **MySQL TLS**
Kirill Bespalov8fffe022017-08-03 17:55:02 +03001235
OlgaGusarenko838c9fd2018-07-31 00:22:44 +03001236 .. code-block:: yaml
Kirill Bespalov8fffe022017-08-03 17:55:02 +03001237
OlgaGusarenko838c9fd2018-07-31 00:22:44 +03001238 neutron:
1239 server:
1240 database:
1241 ssl:
1242 enabled: True
1243 (optional) cacert: cert body if the cacert_file does not exist
1244 (optional) cacert_file: /etc/openstack/mysql-ca.pem
Kirill Bespalov8fffe022017-08-03 17:55:02 +03001245
Kirill Bespalovdd748b62017-11-21 10:42:57 +03001246- **Openstack HTTPS API**
1247
OlgaGusarenko838c9fd2018-07-31 00:22:44 +03001248 .. code-block:: yaml
Kirill Bespalov8fffe022017-08-03 17:55:02 +03001249
OlgaGusarenko838c9fd2018-07-31 00:22:44 +03001250 neutron:
1251 server:
1252 identity:
1253 protocol: https
1254 (optional) cacert_file: /etc/openstack/proxy.pem
Kirill Bespalov8fffe022017-08-03 17:55:02 +03001255
OlgaGusarenko838c9fd2018-07-31 00:22:44 +03001256Enable the auditing filter, i.e. CADF:
Petr Michalec61f7ab22016-11-29 16:29:09 +01001257
1258.. code-block:: yaml
1259
1260 neutron:
1261 server:
1262 audit:
1263 enabled: true
1264 ....
1265 filter_factory: 'keystonemiddleware.audit:filter_factory'
1266 map_file: '/etc/pycadf/neutron_api_audit_map.conf'
1267 ....
1268 compute:
1269 audit:
1270 enabled: true
1271 ....
1272 filter_factory: 'keystonemiddleware.audit:filter_factory'
1273 map_file: '/etc/pycadf/neutron_api_audit_map.conf'
1274 ....
Jiri Konecny93b19992016-04-12 11:15:39 +02001275
OlgaGusarenko838c9fd2018-07-31 00:22:44 +03001276Neutron with security groups disabled:
Oleg Bondarev98870a32017-05-29 16:53:19 +04001277
1278.. code-block:: yaml
1279
1280 neutron:
1281 server:
1282 security_groups_enabled: False
1283 ....
1284 compute:
1285 security_groups_enabled: False
1286 ....
1287 gateway:
1288 security_groups_enabled: False
1289
Jiri Konecny93b19992016-04-12 11:15:39 +02001290
Aleš Komárek41e82312017-04-11 13:37:44 +02001291Neutron Client
1292--------------
Jiri Broulik5368cc52017-02-08 18:53:59 +01001293
Vyacheslav Struk3f529d42019-06-13 13:37:25 +03001294Neutron networks and RBAC:
Jiri Broulik5368cc52017-02-08 18:53:59 +01001295
1296.. code-block:: yaml
1297
1298 neutron:
1299 client:
1300 enabled: true
1301 server:
1302 identity:
Vyacheslav Struk3f529d42019-06-13 13:37:25 +03001303 rbac:
1304 network:
1305 rule1:
1306 absent: True
1307 target_tenant: admin
1308 action: access_as_shared
1309 network: public
1310 rule2:
1311 absent: False
1312 target_tenant: service
1313 action: access_as_external
1314 network: public
Richard Felklaac256a2017-03-23 15:43:49 +01001315 endpoint_type: internalURL
Jiri Broulik5368cc52017-02-08 18:53:59 +01001316 network:
1317 inet1:
1318 tenant: demo
1319 shared: False
1320 admin_state_up: True
1321 router_external: True
1322 provider_physical_network: inet
1323 provider_network_type: flat
1324 provider_segmentation_id: 2
1325 subnet:
1326 inet1-subnet1:
1327 cidr: 192.168.90.0/24
1328 enable_dhcp: False
1329 inet2:
1330 tenant: admin
1331 shared: False
1332 router_external: True
1333 provider_network_type: "vlan"
1334 subnet:
1335 inet2-subnet1:
1336 cidr: 192.168.92.0/24
1337 enable_dhcp: False
1338 inet2-subnet2:
1339 cidr: 192.168.94.0/24
1340 enable_dhcp: True
1341 identity1:
1342 network:
1343 ...
1344
OlgaGusarenko838c9fd2018-07-31 00:22:44 +03001345Neutron routers:
Jiri Broulik5368cc52017-02-08 18:53:59 +01001346
1347.. code-block:: yaml
1348
1349 neutron:
1350 client:
1351 enabled: true
1352 server:
1353 identity:
Richard Felklaac256a2017-03-23 15:43:49 +01001354 endpoint_type: internalURL
Jiri Broulik5368cc52017-02-08 18:53:59 +01001355 router:
1356 inet1-router:
1357 tenant: demo
1358 admin_state_up: True
1359 gateway_network: inet
1360 interfaces:
1361 - inet1-subnet1
1362 - inet1-subnet2
1363 identity1:
1364 router:
1365 ...
1366
OlgaGusarenko838c9fd2018-07-31 00:22:44 +03001367.. TODO implement adding new interfaces to a router while updating it
Jiri Broulik5368cc52017-02-08 18:53:59 +01001368
OlgaGusarenko838c9fd2018-07-31 00:22:44 +03001369Neutron security groups:
Jiri Broulik5368cc52017-02-08 18:53:59 +01001370
1371.. code-block:: yaml
1372
1373 neutron:
1374 client:
1375 enabled: true
1376 server:
1377 identity:
Richard Felklaac256a2017-03-23 15:43:49 +01001378 endpoint_type: internalURL
Jiri Broulik5368cc52017-02-08 18:53:59 +01001379 security_group:
1380 security_group1:
1381 tenant: demo
1382 description: security group 1
1383 rules:
1384 - direction: ingress
1385 ethertype: IPv4
1386 protocol: TCP
1387 port_range_min: 1
1388 port_range_max: 65535
1389 remote_ip_prefix: 0.0.0.0/0
1390 - direction: ingress
1391 ethertype: IPv4
1392 protocol: UDP
1393 port_range_min: 1
1394 port_range_max: 65535
1395 remote_ip_prefix: 0.0.0.0/0
1396 - direction: ingress
1397 protocol: ICMP
1398 remote_ip_prefix: 0.0.0.0/0
1399 identity1:
1400 security_group:
1401 ...
1402
OlgaGusarenko838c9fd2018-07-31 00:22:44 +03001403.. TODO: implement updating existing security rules (currently a new rule is added when
1404 trying to update an existing one)
Jiri Broulik5368cc52017-02-08 18:53:59 +01001405
OlgaGusarenko838c9fd2018-07-31 00:22:44 +03001406Floating IP addresses:
Jiri Broulikde2e2902017-02-13 15:03:47 +01001407
1408.. code-block:: yaml
1409
1410 neutron:
1411 client:
1412 enabled: true
1413 server:
1414 identity:
Richard Felklaac256a2017-03-23 15:43:49 +01001415 endpoint_type: internalURL
Jiri Broulikde2e2902017-02-13 15:03:47 +01001416 floating_ip:
1417 prx01-instance:
1418 server: prx01.mk22-lab-basic.local
1419 subnet: private-subnet1
1420 network: public-net1
1421 tenant: demo
1422 gtw01-instance:
1423 ...
1424
1425.. note:: The network must have the ``router:external`` flag set to ``True``.
OlgaGusarenko838c9fd2018-07-31 00:22:44 +03001426 The instance port in the stated subnet will be associated
1427 with the dynamically generated floating IP.
Oleg Iurchenkode71cc22017-09-18 17:58:56 +03001428
1429Enable Neutron extensions (QoS, DNS, etc.)
1430------------------------------------------
OlgaGusarenko838c9fd2018-07-31 00:22:44 +03001431
Oleg Iurchenkode71cc22017-09-18 17:58:56 +03001432.. code-block:: yaml
1433
1434 neutron:
1435 server:
1436 backend:
1437 extension:
Oleg Iurchenkoac17f4f2017-10-06 11:24:27 +03001438 dns:
1439 enabled: True
1440 host: 127.0.0.1
1441 port: 9001
1442 protocol: http
1443 ....
1444 qos
1445 enabled: True
Oleg Iurchenkode71cc22017-09-18 17:58:56 +03001446
Oleg Bondarev878ac462018-04-23 17:48:15 +04001447Different Neutron extensions for different agents
1448-------------------------------------------------
OlgaGusarenko838c9fd2018-07-31 00:22:44 +03001449
Oleg Bondarev878ac462018-04-23 17:48:15 +04001450.. code-block:: yaml
1451
1452 neutron:
1453 server:
1454 backend:
1455 extension: # common extensions for OVS and SRIOV agents
1456 dns:
1457 enabled: True
1458 ...
1459 qos
1460 enabled: True
1461 ovs_extension: # OVS specific extensions
1462 bagpipe_bgpvpn:
1463 enabled: True
1464 sriov_extension: # SRIOV specific extensions
1465 dummy:
1466 enabled: True
Oleg Iurchenkode71cc22017-09-18 17:58:56 +03001467
Oleg Iurchenko8cf6cf52017-09-18 15:44:03 +03001468Neutron with Designate
1469-----------------------------------------
OlgaGusarenko838c9fd2018-07-31 00:22:44 +03001470
Oleg Iurchenko8cf6cf52017-09-18 15:44:03 +03001471.. code-block:: yaml
1472
1473 neutron:
1474 server:
1475 backend:
1476 extension:
1477 dns:
1478 enabled: True
1479 host: 127.0.0.1
1480 port: 9001
1481 protocol: http
1482
Marek Celoud67ce2062018-01-31 13:44:55 +01001483Enable RBAC for OpenContrail engine
1484-----------------------------------
OlgaGusarenko838c9fd2018-07-31 00:22:44 +03001485
Marek Celoud67ce2062018-01-31 13:44:55 +01001486.. code-block:: yaml
1487
1488 neutron:
1489 server:
1490 backend:
1491 engine: contrail
1492 rbac:
1493 enabled: True
Oleg Iurchenko8cf6cf52017-09-18 15:44:03 +03001494
Kostiantyn Kalynovskyi7cc59042019-03-14 16:30:14 +03001495Increase maximum number of allowed address pairs per instance
1496-------------------------------------------------------------
1497
1498Neutron Server:
1499
1500.. code-block:: yaml
1501
1502 neutron:
1503 server:
1504 max_allowed_address_pair: 20
1505
1506Neutron generic node (compute or gateway):
1507
1508.. code-block:: yaml
1509
1510 neutron:
1511 max_allowed_address_pair: 20
1512
Oleg Bondareva0940cc2019-03-27 16:24:00 +04001513Increase OVS timeouts for loaded nodes
1514--------------------------------------
1515
1516Network node:
1517
1518.. code-block:: yaml
1519
1520 neutron:
1521 gateway:
1522 of_connect_timeout: 60
1523 of_request_timeout: 30
Oleg Bondarev13a87302019-06-11 18:20:29 +04001524 of_inactivity_probe: 30
Oleg Bondareva0940cc2019-03-27 16:24:00 +04001525 ovs_vsctl_timeout: 30 # Pike
1526 ovsdb_timeout: 30 # Queens and beyond
1527 bridge_mac_table_size: 100000
1528
Oleg Bondareve26a2392019-04-11 18:27:27 +04001529Change default resource quotas
1530------------------------------
1531
1532.. code-block:: yaml
1533
1534 neutron:
1535 server:
1536 quotas:
1537 default_quota: 100
1538 quota_network: 150
1539 quota_subnet: 150
1540 quota_port: 200
1541 quota_router: 50
1542 quota_floatingip: 30
1543 quota_security_group: 20
1544 quota_security_group_rule: 50
1545
1546
Oleg Bondareva0940cc2019-03-27 16:24:00 +04001547
Dmitry Kalashnik35dd0e02017-12-07 14:16:25 +04001548Enhanced logging with logging.conf
1549----------------------------------
1550
OlgaGusarenko838c9fd2018-07-31 00:22:44 +03001551By default ``logging.conf`` is disabled.
Dmitry Kalashnik35dd0e02017-12-07 14:16:25 +04001552
1553It is possible to enable a per-binary ``logging.conf`` with the following variables:
Dmitry Kalashnik35dd0e02017-12-07 14:16:25 +04001554
OlgaGusarenko838c9fd2018-07-31 00:22:44 +03001555* ``openstack_log_appender``
1556 Set to true to enable ``log_config_append`` for all OpenStack services
1557
1558* ``openstack_fluentd_handler_enabled``
1559 Set to true to enable ``FluentHandler`` for all OpenStack services.
1560
1561* ``openstack_ossyslog_handler_enabled``
1562 Set to true to enable ``OSSysLogHandler`` for all OpenStack services.
1563
1564Only ``WatchedFileHandler``, ``OSSysLogHandler``, and ``FluentHandler``
1565are available.
Dmitry Kalashnik35dd0e02017-12-07 14:16:25 +04001566
1567It is also possible to configure this via pillar:
1568
1569.. code-block:: yaml
1570
1571 neutron:
1572 server:
1573 logging:
1574 log_appender: true
1575 log_handlers:
1576 watchedfile:
1577 enabled: true
1578 fluentd:
1579 enabled: true
Oleksii Chupryn156c5f42018-02-07 10:06:50 +02001580 ossyslog:
1581 enabled: true
Dmitry Kalashnik35dd0e02017-12-07 14:16:25 +04001582 ....
1583 compute:
1584 logging:
1585 log_appender: true
1586 log_handlers:
1587 watchedfile:
1588 enabled: true
1589 fluentd:
1590 enabled: true
Oleksii Chupryn156c5f42018-02-07 10:06:50 +02001591 ossyslog:
1592 enabled: true
Dmitry Kalashnik35dd0e02017-12-07 14:16:25 +04001593 ....
1594 gateway:
1595 logging:
1596 log_appender: true
1597 log_handlers:
1598 watchedfile:
1599 enabled: true
1600 fluentd:
1601 enabled: true
Oleksii Chupryn156c5f42018-02-07 10:06:50 +02001602 ossyslog:
1603 enabled: true
Oleg Iurchenko8cf6cf52017-09-18 15:44:03 +03001604
Oleksii Grudevfe73ee52018-05-14 14:08:11 +03001605Logging levels pillar example:
1606
1607.. code-block:: yaml
1608
1609 neutron:
1610 server:
1611 logging:
1612 log_appender: true
1613 loggers:
1614 root:
1615 level: 'DEBUG'
1616 neutron:
1617 level: 'DEBUG'
1618 amqplib:
1619 level: 'DEBUG'
1620 sqlalchemy:
1621 level: 'DEBUG'
1622 boto:
1623 level: 'DEBUG'
1624 suds:
1625 level: 'DEBUG'
1626 eventletwsgi:
1627 level: 'DEBUG'
1628 ......
Michael Polenchuk5fb5c572019-03-13 11:54:26 +04001629
1630Neutron server with memcached caching and security strategy
1631-----------------------------------------------------------
Oleksandr Bryndzii3b0ac2c2018-10-04 11:06:24 +03001632
1633.. code-block:: yaml
1634
1635 neutron:
1636 server:
1637 enabled: true
1638 ...
1639 cache:
1640 engine: memcached
1641 members:
1642 - host: 127.0.0.1
1643 port: 11211
1644 - host: 127.0.0.1
1645 port: 11211
1646 security:
1647 enabled: true
1648 strategy: ENCRYPT
1649 secret_key: secret
Oleksii Grudevfe73ee52018-05-14 14:08:11 +03001650
Michael Polenchuk5fb5c572019-03-13 11:54:26 +04001651
1652Neutron API behind uWSGI (experimental)
1653---------------------------------------
1654
1655.. code-block:: yaml
1656
1657 neutron:
1658 server:
1659 wsgi:
1660 enabled: true
1661 threads: 32
1662 workers: 64
1663 logto: /var/log/neutron/neutron-server.log
1664
Oleksandr Bryndziib9d02af2019-05-10 16:59:14 +03001665Setup hardcoded configuration values
1666------------------------------------
1667
1668.. code-block:: yaml
1669
1670 neutron:
1671 server:
1672 configmap:
1673 neutron_server:
1674 DEFAULT:
1675 max_subnet_host_routes: 30
1676 max_routes: 60
1677 debug_iptables_rules: True
1678 quotas:
1679 quota_network: 20
1680 quota_subnet: 10
1681 quota_port: 100
1682 matchmaker_redis:
1683 host: 127.0.0.1
1684 port: 6379
1685 password: pswd
1686 gateway:
1687 configmap:
1688 metadata_agent:
1689 DEFAULT:
1690 metadata_workers: 10
1691 debug: True
1692 agent:
1693 report_interval: 30
1694 l3_agent:
1695 DEFAULT:
1696 agent_mode : dvr
1697 agent:
1698 report_interval: 40
1699 dhcp_agent:
1700 DEFAULT:
1701 ovs_vsctl_timeout: 12
1702 resync_interval: 60
1703 agent:
1704 report_interval: 60
Michael Polenchuk5fb5c572019-03-13 11:54:26 +04001705
Vasyl Saienkoba420732018-09-07 10:19:32 +00001706Upgrades
1707========
1708
1709Each OpenStack formula provides a set of phases (logical blocks) that help to
1710build flexible upgrade orchestration logic for particular components. The
1711phases and their descriptions are listed in the table below:
1712
1713+-------------------------------+------------------------------------------------------+
1714| State | Description |
1715+===============================+======================================================+
1716| <app>.upgrade.service_running | Ensure that all services for particular application |
1717| | are enabled for autostart and running |
1718+-------------------------------+------------------------------------------------------+
1719| <app>.upgrade.service_stopped | Ensure that all services for particular application |
1720| | disabled for autostart and dead |
1721+-------------------------------+------------------------------------------------------+
1722| <app>.upgrade.pkg_latest | Ensure that packages used by particular application |
1723| | are installed to latest available version. |
1724| | This will not upgrade data plane packages like qemu |
1725| | and openvswitch as usually minimal required version |
1726| | in openstack services is really old. The data plane |
1727| | packages should be upgraded separately by `apt-get |
1728| | upgrade` or `apt-get dist-upgrade` |
1729| | Applying this state will not autostart service. |
1730+-------------------------------+------------------------------------------------------+
1731| <app>.upgrade.render_config | Ensure configuration is rendered for the actual version. |
1732+-------------------------------+------------------------------------------------------+
1733| <app>.upgrade.pre | We assume this state is applied on all nodes in the |
1734| | cloud before running upgrade. |
1735| | Only non destructive actions will be applied during |
1736| | this phase. Perform service built in service check |
1737| | like (keystone-manage doctor and nova-status upgrade)|
1738+-------------------------------+------------------------------------------------------+
1739| <app>.upgrade.upgrade.pre | Mostly applicable for data plane nodes. During this |
1740| | phase resources will be gracefully removed from |
1741| | current node if it is allowed. Services for upgraded |
1742| | application will be set to admin disabled state to |
1743| | make sure node will not participate in resources |
1744| | scheduling. For example on gtw nodes this will set |
1745| | all agents to admin disable state and will move all |
1746| | routers to other agents. |
1747+-------------------------------+------------------------------------------------------+
1748| <app>.upgrade.upgrade | This state will basically upgrade application on |
1749| | particular target. Stop services, render |
1750| | configuration, install new packages, run offline |
1751| | dbsync (for ctl), start services. Data plane should |
1752| | not be affected, only OpenStack python services. |
1753+-------------------------------+------------------------------------------------------+
1754| <app>.upgrade.upgrade.post | Add services back to scheduling. |
1755+-------------------------------+------------------------------------------------------+
1756| <app>.upgrade.post | This phase should be launched only when upgrade of |
1757| | the cloud is completed. |
1758+-------------------------------+------------------------------------------------------+
1759| <app>.upgrade.verify | Here we will do basic health checks (API CRUD |
1760| | operations, verify do not have dead network |
1761| | agents/compute services) |
1762+-------------------------------+------------------------------------------------------+
1763
1764
Oleksandr Pidrepnyif3f62a82019-06-10 12:17:50 +03001765Don't manage services scheduling during upgrade
1766-----------------------------------------------
1767In some special cases, services scheduling should not be managed (neither disabled
1768nor enabled) before and after the upgrade procedure.
1769
1770If ``manage_service_maintenance: true`` is set, or the key is not present (the default
1771behavior), services are disabled before the upgrade and enabled after it.
1772If ``manage_service_maintenance: false`` is set, scheduling of the upgraded services is
1773neither disabled before nor enabled after the upgrade.
1774
1775.. code-block:: yaml
1776
1777 neutron:
1778 upgrade:
1779 manage_service_maintenance: false
1780
1781
Oleksandr Shyshkof51b94c2018-08-31 16:05:27 +03001782Enable x509 and SSL communication between Neutron and the Galera cluster.
1783-------------------------------------------------------------------------
1784By default, communication between Neutron and Galera is not secured.
1785
.. code-block:: yaml

1786    neutron:
1787      server:
1788        database:
1789          x509:
1790            enabled: True
1791
1792You can set custom certificates in the pillar:
1793
.. code-block:: yaml

1794    neutron:
1795      server:
1796        database:
1797          x509:
1798            cacert: (CA certificate content)
1799            cert: (client certificate content)
1800            key: (private key content)
1801
1802You can read more about it here:
1803 https://docs.openstack.org/security-guide/databases/database-access-control.html