openstack - neutron service - tetratutorials blog · “openstack networking (neutron) allows you...

What You Need to Know: Cloud Computing

• Network as-a-service, which is responsible for providing networkingto running instances within OpenStack

• Provides an API for defining, configuring, and using networks

• Presents a logical API and a corresponding plug-in architecturethat separates the description of network connectivity from its

implementation.

• ML2 Plugin is a framework allowing OpenStack Networking tosimultaneously utilize the variety of layer 2 networking

technologies found in complex real-world datacenters.

• ML2 was designed to ease the burden of adding new L2networking technologies into OpenStack Networking.

• ML2 will deprecate the Open vSwitch, LinuxBridge, and Hyper-V

Neutron Plugins It works with each of their existing L2 agentssimultaneously

Modular Layer 2

( ML2 )

NEUTRON

“OpenStack Networking (Neutron) allows you to create and attach interface devices

managed by other OpenStack services to networks.”

OPENSTACK -

NEUTRON SERVICE

• Neutron-server accepts API requests and then routes them to the appropriate neutron plugin for action.

• Neutron ships with plugins and agents for:

• Open vSwitch• Linux bridging


Networking

Technologies

ML2 Drivers



OPENSTACK -NEUTRON SERVICE

!The D H C P service agent is com patib le w ith a ll existing p lug-ins and is required for a ll deploym ents w here V M s should autom atically receive IP addresses through D H C P .

DHCP agent

!The O penStack N etw orking service has a w idely used A P I extension to a llow adm inistrators and tenants to create routers to interconnect L2 netw orks, and floating IP s to m ake ports on private netw orks public ly accessib le.

L3 agent

!The Linux bridge agent builds layer-2 (bridg ing and sw itching) virtual netw orking infrastructure for instances including V X LA N tunnels for private netw orks and handles security groups.

Linux bridge agent


Neutron

Networking

Options - Provider

Networks

Networking

Technologies



OPENSTACK -

NEUTRON SERVICE

Networking

Concepts

• Provider network is a public network• simplest possible architecture that only supports attaching instances

to public (provider) networks.

• Provider network includes a DHCP server that provides IP addressesto instances

• No private networks

• No routers• No floating IP addresses• Only the admin or other privileged user can manage provider networks


Self Service

Network Flow

Provider

Network Flow



OPENSTACK -

NEUTRON SERVICE

Neutron

Networking

Options - Self-

service

Networks

• Self-service networks is a private network

• Private project virtual network connects to the physical network

infrastructure via layer-3 (routing) and NAT

• Includes a DHCP server that provides IP addresses to instances

• Instance on this network can automatically access external networks

Access to an instance on this network fromexternal networks

• Support attaching instances to private and public networks

• Routers and Floating IP addresses

• Unprivileged users can manage self-service networks


Assigning

Floating IPs



OPENSTACK -

NEUTRON SERVICE

Floating IPs

• A security group acts as a virtual firewall for your compute instances

to control inbound and outbound traffic

• Security group is a named collection of network access rules

• User can select multiple security groups during VMcreation

• If no security groups specified - default is selected

• Security groups are applied on the host node

• Shared pool of public IP addresses

• Each user gets a quota of how many IPs to use

• Managed by admin

• OpenStack Admin

• Dedicate floating IPs to cluster

• OpenStack User

• Allocate public IP for tenant within given quota

• Associate public IP with VM

• Find host

• Add IP address to public network interface of the host


OPENSTACK -

NEUTRON SERVICE

NEUTRON SERVICE MANUAL INSTALLATION AND

CONFIGURATION

Before you configure the OpenStack Networking (neutron) service, you must create a database,

service credentials, and API endpoints.

mysql -u root -p

CREATE DATABASE neutron;

GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'localhost' IDENTIFIED BY 'openstack';

GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'%' IDENTIFIED BY 'openstack’;

. admin-openrc

Create the user

openstack user create --domain default --password-prompt neutron

openstack role add --project service --user neutron admin

openstack service create --name neutron --description "OpenStack Networking" network

openstack endpoint create --region RegionOne network public http://controller:9696

openstack endpoint create --region RegionOne network internal http://controller:9696

openstack endpoint create --region RegionOne network admin http://controller:9696

Configure networking options

You can deploy the Networking service using one of two architectures represented by options 1 and 2.

Option 1 deploys the simplest possible architecture that only supports attaching instances to provider

(external) networks. No self-service (private) networks, routers, or floating IP addresses. Only the admin or

other privileged user can manage provider networks.

Option 2 augments option 1 with layer-3 services that support attaching instances to self-service networks.

The demo or other unprivileged user can manage self-service networks including routers that provide

connectivity between self-service and provider networks. Additionally, floating IP addresses provide

connectivity to instances using self-service networks fromexternal networks such as the Internet.


OPENSTACK -

NEUTRON SERVICE


CONFIGURATION

In the [DEFAULT] and [oslo_messaging_rabbit] sections, configure RabbitMQ message queue access

openstack-config --set /etc/neutron/neutron.conf oslo_messaging_rabbit rabbit_host controller

openstack-config --set /etc/neutron/neutron.conf oslo_messaging_rabbit rabbit_userid openstackopenstack-config --set /etc/neutron/neutron.conf oslo_messaging_rabbit rabbit_password openstack

In the [DEFAULT] and [keystone_authtoken] sections, configure Identity service access:

openstack-config --set /etc/neutron/neutron.conf keystone_authtoken auth_uri http://controller:5000openstack-config --set /etc/neutron/neutron.conf keystone_authtoken auth_url http://controller:35357

openstack-config --set /etc/neutron/neutron.conf keystone_authtoken memcached_servers

controller:11211openstack-config --set /etc/neutron/neutron.conf keystone_authtoken auth_type password

openstack-config --set /etc/neutron/neutron.conf keystone_authtoken project_domain_name default

openstack-config --set /etc/neutron/neutron.conf keystone_authtoken user_domain_name defaultopenstack-config --set /etc/neutron/neutron.conf keystone_authtoken project_name service

openstack-config --set /etc/neutron/neutron.conf keystone_authtoken username neutron

openstack-config --set /etc/neutron/neutron.conf keystone_authtoken password openstack

Networking Option 2: Self-service networks

yuminstall openstack-neutron openstack-neutron-ml2 openstack-neutron-linuxbridge ebtables -y

Update /etc/neutron/neutron.conf file

openstack-config --set /etc/neutron/neutron.conf database connectionmysql+pymysql://neutron:openstack@controller/neutron

openstack-config --set /etc/neutron/neutron.conf DEFAULT core_plugin ml2openstack-config --set /etc/neutron/neutron.conf DEFAULT service_plugins routeropenstack-config --set /etc/neutron/neutron.conf DEFAULT allow_overlapping_ips True

openstack-config --set /etc/neutron/neutron.conf DEFAULT rpc_backend rabbit

openstack-config --set /etc/neutron/neutron.conf DEFAULT auth_strategy keystoneopenstack-config --set /etc/neutron/neutron.conf DEFAULT notify_nova_on_port_status_changes True

openstack-config --set /etc/neutron/neutron.conf DEFAULT notify_nova_on_port_data_changes True


OPENSTACK -

NEUTRON SERVICE


CONFIGURATION

Configure the lock path:

openstack-config --set /etc/neutron/neutron.conf oslo_concurrency lock_path /var/lib/neutron/tmp

The ML2 plug-in uses the Linux bridge mechanism to build layer-2 (bridging and switching) virtual

networking infrastructure for instances.

openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini ml2 type_drivers flat,vlan,vxlan

openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini ml2 tenant_network_types vxlan

openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini ml2 mechanism_drivers

linuxbridge,l2population

openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini ml2 extension_drivers port_security

openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini ml2_type_flat flat_networks provider

openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini ml2_type_vxlan vni_ranges 1:1000

Enable ipset to increase efficiency of security group rules:

openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini securitygroup enable_ipset True

Configure Networking to notify Compute of network topology changes:

openstack-config --set /etc/neutron/neutron.conf nova auth_url http://controller:35357

openstack-config --set /etc/neutron/neutron.conf nova auth_type password

openstack-config --set /etc/neutron/neutron.conf nova project_domain_name default

openstack-config --set /etc/neutron/neutron.conf nova user_domain_name default

openstack-config --set /etc/neutron/neutron.conf nova region_name RegionOne

openstack-config --set /etc/neutron/neutron.conf nova project_name service

openstack-config --set /etc/neutron/neutron.conf nova username nova

openstack-config --set /etc/neutron/neutron.conf nova password openstack


OPENSTACK -NEUTRON SERVICE


CONFIGURATION

The Linux bridge agent builds layer-2 (bridging and switching) virtual networking infrastructure forinstances and handles security groups.openstack-config --set /etc/neutron/plugins/ml2/linuxbridge_agent.ini linux_bridge

physical_interface_mappings provider:eth1

openstack-config --set /etc/neutron/plugins/ml2/linuxbridge_agent.ini vxlan enable_vxlan True

openstack-config --set /etc/neutron/plugins/ml2/linuxbridge_agent.ini vxlan local_ip 10.0.2.10

openstack-config --set /etc/neutron/plugins/ml2/linuxbridge_agent.ini vxlan l2_population True

openstack-config --set /etc/neutron/plugins/ml2/linuxbridge_agent.ini securitygroup

enable_security_group True

openstack-config --set /etc/neutron/plugins/ml2/linuxbridge_agent.ini securitygroup firewall_driver

neutron.agent.linux.iptables_firewall.IptablesFirewallDriver

Configure the layer-3 agent: The Layer-3 (L3) agent provides routing and NAT services for self-servicevirtual networks.

Update /etc/neutron/l3_agent.ini file and complete the following actions:

openstack-config --set /etc/neutron/l3_agent.ini DEFAULT interface_driver

neutron.agent.linux.interface.BridgeInterfaceDriver

openstack-config --set /etc/neutron/l3_agent.ini DEFAULT external_network_bridge

The external_network_bridge option intentionally lacks a value to enable multiple external networkson a single agent.

Configure the DHCP agent¶The DHCP agent provides DHCP services for virtual networks.

Update /etc/neutron/dhcp_agent.ini

In the [DEFAULT] section, configure the Linux bridge interface driver, Dnsmasq DHCP driver, andenable isolated metadata so instances on provider networks can access metadata over the network:

openstack-config --set /etc/neutron/dhcp_agent.ini DEFAULT interface_driver

neutron.agent.linux.interface.BridgeInterfaceDriver

openstack-config --set /etc/neutron/dhcp_agent.ini DEFAULT dhcp_driver

neutron.agent.linux.dhcp.Dnsmasq

openstack-config --set /etc/neutron/dhcp_agent.ini DEFAULT enable_isolated_metadata True


OPENSTACK -

NEUTRON SERVICE


CONFIGURATION

Configure the metadata agent:

The metadata agent provides configuration information such as credentials to instances.

Update /etc/neutron/metadata_agent.ini file

openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT nova_metadata_ip controller

openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT metadata_proxy_shared_secretopenstack

Configure Compute to use Networking:Update /etc/nova/nova.conf file

openstack-config --set /etc/nova/nova.conf neutron url http://controller:9696

openstack-config --set /etc/nova/nova.conf neutron auth_url http://controller:35357

openstack-config --set /etc/nova/nova.conf neutron auth_type password

openstack-config --set /etc/nova/nova.conf neutron project_domain_name default

openstack-config --set /etc/nova/nova.conf neutron user_domain_name default

openstack-config --set /etc/nova/nova.conf neutron region_name RegionOne

openstack-config --set /etc/nova/nova.conf neutron project_name service

openstack-config --set /etc/nova/nova.conf neutron username neutron

openstack-config --set /etc/nova/nova.conf neutron password openstack

openstack-config --set /etc/nova/nova.conf neutron service_metadata_proxy True

openstack-config --set /etc/nova/nova.conf neutron metadata_proxy_shared_secret openstack

The Networking service initialization scripts expect a symbolic link /etc/neutron/plugin.ini pointing to theML2 plug-in configuration file, /etc/neutron/plugins/ml2/ml2_conf.ini. If this symbolic link does not exist,

create it using the following command:

ln -s /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini


OPENSTACK -

NEUTRON SERVICE


CONFIGURATION

Populate the database:

su -s /bin/sh -c "neutron-db-manage --config-file /etc/neutron/neutron.conf --config-file

/etc/neutron/plugins/ml2/ml2_conf.ini upgrade head" neutron

Restart the Compute API service:

systemctl restart openstack-nova-api.service

Start the Networking services and configure themto start when the systemboots.

systemctl enable neutron-server.service neutron-linuxbridge-agent.service neutron-dhcp-agent.service

neutron-metadata-agent.service

systemctl start neutron-server.service neutron-linuxbridge-agent.service neutron-dhcp-agent.serviceneutron-metadata-agent.service

systemctl status neutron-server.service neutron-linuxbridge-agent.service neutron-dhcp-agent.service

neutron-metadata-agent.servicesystemctl enable neutron-l3-agent.service;systemctl start neutron-l3-agent.service

Install and configure compute nodeThe compute node handles connectivity and security groups for instances.

yuminstall openstack-neutron-linuxbridge ebtables ipset -y


OPENSTACK -

NEUTRON SERVICE


CONFIGURATION

Configure the common component:

openstack-config --set /etc/neutron/neutron.conf DEFAULT rpc_backend rabbit

openstack-config --set /etc/neutron/neutron.conf DEFAULT auth_strategy keystoneopenstack-config --set /etc/neutron/neutron.conf oslo_messaging_rabbit rabbit_host controller

openstack-config --set /etc/neutron/neutron.conf oslo_messaging_rabbit rabbit_userid openstack

openstack-config --set /etc/neutron/neutron.conf oslo_messaging_rabbit rabbit_password openstackopenstack-config --set /etc/neutron/neutron.conf keystone_authtoken auth_uri http://controller:5000

openstack-config --set /etc/neutron/neutron.conf keystone_authtoken auth_url

http://controller:35357openstack-config --set /etc/neutron/neutron.conf keystone_authtoken memcached_serverscontroller:11211

openstack-config --set /etc/neutron/neutron.conf keystone_authtoken auth_type passwordopenstack-config --set /etc/neutron/neutron.conf keystone_authtoken project_domain_name default

openstack-config --set /etc/neutron/neutron.conf keystone_authtoken user_domain_name default

openstack-config --set /etc/neutron/neutron.conf keystone_authtoken project_name serviceopenstack-config --set /etc/neutron/neutron.conf keystone_authtoken username neutron

openstack-config --set /etc/neutron/neutron.conf keystone_authtoken password openstack

openstack-config --set /etc/neutron/neutron.conf oslo_concurrency lock_path /var/lib/neutron/tmpopenstack-config --set /etc/neutron/plugins/ml2/linuxbridge_agent.ini linux_bridgephysical_interface_mappings provider:eth1

openstack-config --set /etc/neutron/plugins/ml2/linuxbridge_agent.ini vxlan enable_vxlan Trueopenstack-config --set /etc/neutron/plugins/ml2/linuxbridge_agent.ini vxlan local_ip 10.0.2.11

openstack-config --set /etc/neutron/plugins/ml2/linuxbridge_agent.ini vxlan l2_population True

openstack-config --set /etc/neutron/plugins/ml2/linuxbridge_agent.ini securitygroupenable_security_group True

openstack-config --set /etc/neutron/plugins/ml2/linuxbridge_agent.ini securitygroup firewall_driver

neutron.agent.linux.iptables_firewall.IptablesFirewallDriver


OPENSTACK -

NEUTRON SERVICE


CONFIGURATION

openstack-config --set /etc/nova/nova.conf neutron url http://controller:9696

openstack-config --set /etc/nova/nova.conf neutron auth_url http://controller:35357

openstack-config --set /etc/nova/nova.conf neutron auth_type password

openstack-config --set /etc/nova/nova.conf neutron project_domain_name default

openstack-config --set /etc/nova/nova.conf neutron user_domain_name default

openstack-config --set /etc/nova/nova.conf neutron region_name RegionOne

openstack-config --set /etc/nova/nova.conf neutron project_name service

openstack-config --set /etc/nova/nova.conf neutron username neutron

openstack-config --set /etc/nova/nova.conf neutron password openstack

Restart the Compute service:

systemctl restart openstack-nova-compute.service

systemctl enable neutron-linuxbridge-agent.service;

systemctl start neutron-linuxbridge-agent.service;

systemctl status neutron-linuxbridge-agent.service

Source the admin credentials to gain access to admin-only CLI commands:. admin-openrc

List loaded extensions to verify successful launch of the neutron-server process:

neutron ext-list

List agents to verify successful launch of the neutron agents:

neutron agent-listThe output should indicate four agents on the controller node and one agent on each compute node.

openstack - neutron service - tetratutorials blog · “openstack networking (neutron) allows you...

Documents