Sean M. Collins | 3429601 | 2014-10-27 11:57:20 -0400 | [diff] [blame] | 1 | ====================================== |
Shilla Saebi | 2ed09d8 | 2015-04-21 15:02:13 -0400 | [diff] [blame] | 2 | Using DevStack with neutron Networking |
Sean M. Collins | 3429601 | 2014-10-27 11:57:20 -0400 | [diff] [blame] | 3 | ====================================== |
| 4 | |
Shilla Saebi | 2ed09d8 | 2015-04-21 15:02:13 -0400 | [diff] [blame] | 5 | This guide will walk you through using OpenStack neutron with the ML2 |
Sean M. Collins | 3429601 | 2014-10-27 11:57:20 -0400 | [diff] [blame] | 6 | plugin and the Open vSwitch mechanism driver. |
| 7 | |
| 8 | Network Interface Configuration |
| 9 | =============================== |
| 10 | |
Shilla Saebi | 2ed09d8 | 2015-04-21 15:02:13 -0400 | [diff] [blame] | 11 | To use neutron, it is suggested that two network interfaces be present |
Sean M. Collins | 3429601 | 2014-10-27 11:57:20 -0400 | [diff] [blame] | 12 | in the host operating system. |
| 13 | |
| 14 | The first interface, eth0 is used for the OpenStack management (API, |
| 15 | message bus, etc) as well as for ssh for an administrator to access |
| 16 | the machine. |
| 17 | |
| 18 | :: |
| 19 | |
| 20 | stack@compute:~$ ifconfig eth0 |
| 21 | eth0 Link encap:Ethernet HWaddr bc:16:65:20:af:fc |
| 22 | inet addr:192.168.1.18 |
| 23 | |
| 24 | eth1 is manually configured at boot to not have an IP address. |
| 25 | Consult your operating system documentation for the appropriate |
Juan Antonio Osorio Robles | b7c1ce4 | 2014-11-28 14:19:19 +0200 | [diff] [blame] | 26 | technique. For Ubuntu, the contents of `/etc/network/interfaces` |
Sean M. Collins | 3429601 | 2014-10-27 11:57:20 -0400 | [diff] [blame] | 27 | contains: |
| 28 | |
| 29 | :: |
| 30 | |
| 31 | auto eth1 |
| 32 | iface eth1 inet manual |
| 33 | up ifconfig $IFACE 0.0.0.0 up |
| 34 | down ifconfig $IFACE 0.0.0.0 down |
| 35 | |
| 36 | The second physical interface, eth1 is added to a bridge (in this case |
| 37 | named br-ex), which is used to forward network traffic from guest VMs. |
| 38 | Network traffic from eth1 on the compute nodes is then NAT'd by the |
| 39 | controller node that runs Neutron's `neutron-l3-agent` and provides L3 |
| 40 | connectivity. |
| 41 | |
| 42 | :: |
| 43 | |
| 44 | stack@compute:~$ sudo ovs-vsctl add-br br-ex |
| 45 | stack@compute:~$ sudo ovs-vsctl add-port br-ex eth1 |
| 46 | stack@compute:~$ sudo ovs-vsctl show |
| 47 | 9a25c837-32ab-45f6-b9f2-1dd888abcf0f |
| 48 | Bridge br-ex |
| 49 | Port br-ex |
| 50 | Interface br-ex |
| 51 | type: internal |
| 52 | Port phy-br-ex |
| 53 | Interface phy-br-ex |
| 54 | type: patch |
| 55 | options: {peer=int-br-ex} |
| 56 | Port "eth1" |
| 57 | Interface "eth1" |
| 58 | |
| 59 | |
| 60 | |
| 61 | |
Steven Dake | 3a6b128 | 2014-12-31 14:27:22 -0700 | [diff] [blame] | 62 | Disabling Next Generation Firewall Tools |
| 63 | ======================================== |
| 64 | |
Shilla Saebi | 2ed09d8 | 2015-04-21 15:02:13 -0400 | [diff] [blame] | 65 | DevStack does not properly operate with modern firewall tools. Specifically |
Steven Dake | 3a6b128 | 2014-12-31 14:27:22 -0700 | [diff] [blame] | 66 | it will appear as if the guest VM can access the external network via ICMP, |
| 67 | but UDP and TCP packets will not be delivered to the guest VM. The root cause |
| 68 | of the issue is that both ufw (Uncomplicated Firewall) and firewalld (Fedora's |
| 69 | firewall manager) apply firewall rules to all interfaces in the system, rather |
| 70 | then per-device. One solution to this problem is to revert to iptables |
| 71 | functionality. |
| 72 | |
| 73 | To get a functional firewall configuration for Fedora do the following: |
| 74 | |
| 75 | :: |
| 76 | |
| 77 | sudo service iptables save |
| 78 | sudo systemctl disable firewalld |
| 79 | sudo systemctl enable iptables |
| 80 | sudo systemctl stop firewalld |
| 81 | sudo systemctl start iptables |
| 82 | |
| 83 | |
| 84 | To get a functional firewall configuration for distributions containing ufw, |
| 85 | disable ufw. Note ufw is generally not enabled by default in Ubuntu. To |
| 86 | disable ufw if it was enabled, do the following: |
| 87 | |
| 88 | :: |
| 89 | |
| 90 | sudo service iptables save |
| 91 | sudo ufw disable |
| 92 | |
| 93 | |
| 94 | |
| 95 | |
Sean M. Collins | 3429601 | 2014-10-27 11:57:20 -0400 | [diff] [blame] | 96 | Neutron Networking with Open vSwitch |
| 97 | ==================================== |
| 98 | |
Shilla Saebi | 2ed09d8 | 2015-04-21 15:02:13 -0400 | [diff] [blame] | 99 | Configuring neutron, OpenStack Networking in DevStack is very similar to |
Sean M. Collins | 3429601 | 2014-10-27 11:57:20 -0400 | [diff] [blame] | 100 | configuring `nova-network` - many of the same configuration variables |
| 101 | (like `FIXED_RANGE` and `FLOATING_RANGE`) used by `nova-network` are |
Shilla Saebi | 2ed09d8 | 2015-04-21 15:02:13 -0400 | [diff] [blame] | 102 | used by neutron, which is intentional. |
Sean M. Collins | 3429601 | 2014-10-27 11:57:20 -0400 | [diff] [blame] | 103 | |
| 104 | The only difference is the disabling of `nova-network` in your |
Shilla Saebi | 2ed09d8 | 2015-04-21 15:02:13 -0400 | [diff] [blame] | 105 | local.conf, and the enabling of the neutron components. |
Sean M. Collins | 3429601 | 2014-10-27 11:57:20 -0400 | [diff] [blame] | 106 | |
| 107 | |
| 108 | Configuration |
| 109 | ------------- |
| 110 | |
| 111 | :: |
| 112 | |
| 113 | FIXED_RANGE=10.0.0.0/24 |
| 114 | FLOATING_RANGE=192.168.27.0/24 |
| 115 | PUBLIC_NETWORK_GATEWAY=192.168.27.2 |
| 116 | |
| 117 | disable_service n-net |
| 118 | enable_service q-svc |
| 119 | enable_service q-agt |
| 120 | enable_service q-dhcp |
| 121 | enable_service q-meta |
| 122 | enable_service q-l3 |
| 123 | |
| 124 | Q_USE_SECGROUP=True |
| 125 | ENABLE_TENANT_VLANS=True |
| 126 | TENANT_VLAN_RANGE=1000:1999 |
| 127 | PHYSICAL_NETWORK=default |
| 128 | OVS_PHYSICAL_BRIDGE=br-ex |
| 129 | |
| 130 | In this configuration we are defining FLOATING_RANGE to be a |
| 131 | subnet that exists in the private RFC1918 address space - however in |
| 132 | in a real setup FLOATING_RANGE would be a public IP address range. |
| 133 | |
| 134 | Neutron Networking with Open vSwitch and Provider Networks |
| 135 | ========================================================== |
| 136 | |
Shilla Saebi | 2ed09d8 | 2015-04-21 15:02:13 -0400 | [diff] [blame] | 137 | In some instances, it is desirable to use neutron's provider |
Sean M. Collins | 3429601 | 2014-10-27 11:57:20 -0400 | [diff] [blame] | 138 | networking extension, so that networks that are configured on an |
Shilla Saebi | 2ed09d8 | 2015-04-21 15:02:13 -0400 | [diff] [blame] | 139 | external router can be utilized by neutron, and instances created via |
Sean M. Collins | 3429601 | 2014-10-27 11:57:20 -0400 | [diff] [blame] | 140 | Nova can attach to the network managed by the external router. |
| 141 | |
| 142 | For example, in some lab environments, a hardware router has been |
| 143 | pre-configured by another party, and an OpenStack developer has been |
| 144 | given a VLAN tag and IP address range, so that instances created via |
| 145 | DevStack will use the external router for L3 connectivity, as opposed |
Shilla Saebi | 2ed09d8 | 2015-04-21 15:02:13 -0400 | [diff] [blame] | 146 | to the neutron L3 service. |
Sean M. Collins | 3429601 | 2014-10-27 11:57:20 -0400 | [diff] [blame] | 147 | |
| 148 | |
| 149 | Service Configuration |
| 150 | --------------------- |
| 151 | |
| 152 | **Control Node** |
| 153 | |
| 154 | In this example, the control node will run the majority of the |
Shilla Saebi | 2ed09d8 | 2015-04-21 15:02:13 -0400 | [diff] [blame] | 155 | OpenStack API and management services (keystone, glance, |
| 156 | nova, neutron) |
Sean M. Collins | 3429601 | 2014-10-27 11:57:20 -0400 | [diff] [blame] | 157 | |
| 158 | |
| 159 | **Compute Nodes** |
| 160 | |
| 161 | In this example, the nodes that will host guest instances will run |
| 162 | the `neutron-openvswitch-agent` for network connectivity, as well as |
| 163 | the compute service `nova-compute`. |
| 164 | |
| 165 | DevStack Configuration |
| 166 | ---------------------- |
| 167 | |
| 168 | The following is a snippet of the DevStack configuration on the |
| 169 | controller node. |
| 170 | |
| 171 | :: |
| 172 | |
| 173 | PUBLIC_INTERFACE=eth1 |
| 174 | |
| 175 | ## Neutron options |
| 176 | Q_USE_SECGROUP=True |
| 177 | ENABLE_TENANT_VLANS=True |
| 178 | TENANT_VLAN_RANGE=3001:4000 |
| 179 | PHYSICAL_NETWORK=default |
| 180 | OVS_PHYSICAL_BRIDGE=br-ex |
| 181 | |
| 182 | Q_USE_PROVIDER_NETWORKING=True |
| 183 | Q_L3_ENABLED=False |
| 184 | |
| 185 | # Do not use Nova-Network |
| 186 | disable_service n-net |
| 187 | |
| 188 | # Neutron |
| 189 | ENABLED_SERVICES+=,q-svc,q-dhcp,q-meta,q-agt |
| 190 | |
| 191 | ## Neutron Networking options used to create Neutron Subnets |
| 192 | |
| 193 | FIXED_RANGE="10.1.1.0/24" |
| 194 | PROVIDER_SUBNET_NAME="provider_net" |
| 195 | PROVIDER_NETWORK_TYPE="vlan" |
| 196 | SEGMENTATION_ID=2010 |
| 197 | |
| 198 | In this configuration we are defining FIXED_RANGE to be a |
Kennan | 3566310 | 2015-01-20 16:19:49 +0800 | [diff] [blame] | 199 | subnet that exists in the private RFC1918 address space - however |
Sean M. Collins | 3429601 | 2014-10-27 11:57:20 -0400 | [diff] [blame] | 200 | in a real setup FIXED_RANGE would be a public IP address range, so |
| 201 | that you could access your instances from the public internet. |
| 202 | |
| 203 | The following is a snippet of the DevStack configuration on the |
| 204 | compute node. |
| 205 | |
| 206 | :: |
| 207 | |
| 208 | # Services that a compute node runs |
| 209 | ENABLED_SERVICES=n-cpu,rabbit,q-agt |
| 210 | |
| 211 | ## Neutron options |
| 212 | Q_USE_SECGROUP=True |
| 213 | ENABLE_TENANT_VLANS=True |
| 214 | TENANT_VLAN_RANGE=3001:4000 |
| 215 | PHYSICAL_NETWORK=default |
| 216 | OVS_PHYSICAL_BRIDGE=br-ex |
| 217 | PUBLIC_INTERFACE=eth1 |
| 218 | Q_USE_PROVIDER_NETWORKING=True |
| 219 | Q_L3_ENABLED=False |
| 220 | |
| 221 | When DevStack is configured to use provider networking (via |
| 222 | `Q_USE_PROVIDER_NETWORKING` is True and `Q_L3_ENABLED` is False) - |
| 223 | DevStack will automatically add the network interface defined in |
| 224 | `PUBLIC_INTERFACE` to the `OVS_PHYSICAL_BRIDGE` |
| 225 | |
| 226 | For example, with the above configuration, a bridge is |
| 227 | created, named `br-ex` which is managed by Open vSwitch, and the |
| 228 | second interface on the compute node, `eth1` is attached to the |
Shilla Saebi | 2ed09d8 | 2015-04-21 15:02:13 -0400 | [diff] [blame] | 229 | bridge, to forward traffic sent by guest VMs. |