openstack - neutron service - tetratutorials blog · “openstack networking (neutron) allows you...
TRANSCRIPT
What You Need to Know: Cloud Computing
• Network as-a-service, which is responsible for providing networking to running instances within OpenStack
• Provides an API for defining, configuring, and using networks
• Presents a logical API and a corresponding plug-in architecture that separates the description of network connectivity from its implementation.
• ML2 Plugin is a framework allowing OpenStack Networking to simultaneously utilize the variety of layer 2 networking technologies found in complex real-world datacenters.
• ML2 was designed to ease the burden of adding new L2 networking technologies into OpenStack Networking.
• ML2 will deprecate the Open vSwitch, LinuxBridge, and Hyper-V Neutron Plugins. It works with each of their existing L2 agents simultaneously.
Modular Layer 2 (ML2)
NEUTRON
“OpenStack Networking (Neutron) allows you to create and attach interface devices
managed by other OpenStack services to networks.”
OPENSTACK -
NEUTRON SERVICE
• Neutron-server accepts API requests and then routes them to the appropriate neutron plugin for action.
• Neutron ships with plugins and agents for:
• Open vSwitch
• Linux bridging
Networking Technologies
ML2 Drivers
DHCP agent: The DHCP service agent is compatible with all existing plug-ins and is required for all deployments where VMs should automatically receive IP addresses through DHCP.
L3 agent: The OpenStack Networking service has a widely used API extension to allow administrators and tenants to create routers to interconnect L2 networks, and floating IPs to make ports on private networks publicly accessible.
Linux bridge agent: The Linux bridge agent builds layer-2 (bridging and switching) virtual networking infrastructure for instances including VXLAN tunnels for private networks and handles security groups.
Neutron Networking Options - Provider Networks
Networking Technologies
Networking Concepts
• Provider network is a public network
• Simplest possible architecture that only supports attaching instances to public (provider) networks.
• Provider network includes a DHCP server that provides IP addresses to instances
• No private networks
• No routers
• No floating IP addresses
• Only the admin or other privileged user can manage provider networks
Self Service Network Flow
Provider Network Flow
Neutron Networking Options - Self-service Networks
• A self-service network is a private network
• Private project virtual network connects to the physical network infrastructure via layer-3 (routing) and NAT
• Includes a DHCP server that provides IP addresses to instances
• Instance on this network can automatically access external networks
• Access to an instance on this network from external networks
• Support attaching instances to private and public networks
• Routers and Floating IP addresses
• Unprivileged users can manage self-service networks
Assigning Floating IPs
Floating IPs
• A security group acts as a virtual firewall for your compute instances
to control inbound and outbound traffic
• Security group is a named collection of network access rules
• User can select multiple security groups during VM creation
• If no security groups specified - default is selected
• Security groups are applied on the host node
• Shared pool of public IP addresses
• Each user gets a quota of how many IPs to use
• Managed by admin
• OpenStack Admin
• Dedicate floating IPs to cluster
• OpenStack User
• Allocate public IP for tenant within given quota
• Associate public IP with VM
• Find host
• Add IP address to public network interface of the host
NEUTRON SERVICE MANUAL INSTALLATION AND
CONFIGURATION
Before you configure the OpenStack Networking (neutron) service, you must create a database,
service credentials, and API endpoints.
mysql -u root -p
CREATE DATABASE neutron;
GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'localhost' IDENTIFIED BY 'openstack';
GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'%' IDENTIFIED BY 'openstack';
. admin-openrc
Create the user
openstack user create --domain default --password-prompt neutron
openstack role add --project service --user neutron admin
openstack service create --name neutron --description "OpenStack Networking" network
openstack endpoint create --region RegionOne network public http://controller:9696
openstack endpoint create --region RegionOne network internal http://controller:9696
openstack endpoint create --region RegionOne network admin http://controller:9696
Configure networking options
You can deploy the Networking service using one of two architectures represented by options 1 and 2.
Option 1 deploys the simplest possible architecture that only supports attaching instances to provider
(external) networks. No self-service (private) networks, routers, or floating IP addresses. Only the admin or
other privileged user can manage provider networks.
Option 2 augments option 1 with layer-3 services that support attaching instances to self-service networks.
The demo or other unprivileged user can manage self-service networks including routers that provide
connectivity between self-service and provider networks. Additionally, floating IP addresses provide
connectivity to instances using self-service networks from external networks such as the Internet.
In the [DEFAULT] and [oslo_messaging_rabbit] sections, configure RabbitMQ message queue access:
openstack-config --set /etc/neutron/neutron.conf oslo_messaging_rabbit rabbit_host controller
openstack-config --set /etc/neutron/neutron.conf oslo_messaging_rabbit rabbit_userid openstack
openstack-config --set /etc/neutron/neutron.conf oslo_messaging_rabbit rabbit_password openstack
In the [DEFAULT] and [keystone_authtoken] sections, configure Identity service access:
openstack-config --set /etc/neutron/neutron.conf keystone_authtoken auth_uri http://controller:5000
openstack-config --set /etc/neutron/neutron.conf keystone_authtoken auth_url http://controller:35357
openstack-config --set /etc/neutron/neutron.conf keystone_authtoken memcached_servers controller:11211
openstack-config --set /etc/neutron/neutron.conf keystone_authtoken auth_type password
openstack-config --set /etc/neutron/neutron.conf keystone_authtoken project_domain_name default
openstack-config --set /etc/neutron/neutron.conf keystone_authtoken user_domain_name default
openstack-config --set /etc/neutron/neutron.conf keystone_authtoken project_name service
openstack-config --set /etc/neutron/neutron.conf keystone_authtoken username neutron
openstack-config --set /etc/neutron/neutron.conf keystone_authtoken password openstack
Networking Option 2: Self-service networks
yum install openstack-neutron openstack-neutron-ml2 openstack-neutron-linuxbridge ebtables -y
Update /etc/neutron/neutron.conf file
openstack-config --set /etc/neutron/neutron.conf database connection mysql+pymysql://neutron:openstack@controller/neutron
openstack-config --set /etc/neutron/neutron.conf DEFAULT core_plugin ml2
openstack-config --set /etc/neutron/neutron.conf DEFAULT service_plugins router
openstack-config --set /etc/neutron/neutron.conf DEFAULT allow_overlapping_ips True
openstack-config --set /etc/neutron/neutron.conf DEFAULT rpc_backend rabbit
openstack-config --set /etc/neutron/neutron.conf DEFAULT auth_strategy keystone
openstack-config --set /etc/neutron/neutron.conf DEFAULT notify_nova_on_port_status_changes True
openstack-config --set /etc/neutron/neutron.conf DEFAULT notify_nova_on_port_data_changes True
Configure the lock path:
openstack-config --set /etc/neutron/neutron.conf oslo_concurrency lock_path /var/lib/neutron/tmp
The ML2 plug-in uses the Linux bridge mechanism to build layer-2 (bridging and switching) virtual
networking infrastructure for instances.
openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini ml2 type_drivers flat,vlan,vxlan
openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini ml2 tenant_network_types vxlan
openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini ml2 mechanism_drivers linuxbridge,l2population
openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini ml2 extension_drivers port_security
openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini ml2_type_flat flat_networks provider
openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini ml2_type_vxlan vni_ranges 1:1000
Enable ipset to increase efficiency of security group rules:
openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini securitygroup enable_ipset True
Configure Networking to notify Compute of network topology changes:
openstack-config --set /etc/neutron/neutron.conf nova auth_url http://controller:35357
openstack-config --set /etc/neutron/neutron.conf nova auth_type password
openstack-config --set /etc/neutron/neutron.conf nova project_domain_name default
openstack-config --set /etc/neutron/neutron.conf nova user_domain_name default
openstack-config --set /etc/neutron/neutron.conf nova region_name RegionOne
openstack-config --set /etc/neutron/neutron.conf nova project_name service
openstack-config --set /etc/neutron/neutron.conf nova username nova
openstack-config --set /etc/neutron/neutron.conf nova password openstack
The Linux bridge agent builds layer-2 (bridging and switching) virtual networking infrastructure for instances and handles security groups.
openstack-config --set /etc/neutron/plugins/ml2/linuxbridge_agent.ini linux_bridge physical_interface_mappings provider:eth1
openstack-config --set /etc/neutron/plugins/ml2/linuxbridge_agent.ini vxlan enable_vxlan True
openstack-config --set /etc/neutron/plugins/ml2/linuxbridge_agent.ini vxlan local_ip 10.0.2.10
openstack-config --set /etc/neutron/plugins/ml2/linuxbridge_agent.ini vxlan l2_population True
openstack-config --set /etc/neutron/plugins/ml2/linuxbridge_agent.ini securitygroup enable_security_group True
openstack-config --set /etc/neutron/plugins/ml2/linuxbridge_agent.ini securitygroup firewall_driver neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
Configure the layer-3 agent:
The Layer-3 (L3) agent provides routing and NAT services for self-service virtual networks.
Update /etc/neutron/l3_agent.ini file and complete the following actions:
openstack-config --set /etc/neutron/l3_agent.ini DEFAULT interface_driver neutron.agent.linux.interface.BridgeInterfaceDriver
openstack-config --set /etc/neutron/l3_agent.ini DEFAULT external_network_bridge
The external_network_bridge option intentionally lacks a value to enable multiple external networks on a single agent.
Configure the DHCP agent:
The DHCP agent provides DHCP services for virtual networks.
Update /etc/neutron/dhcp_agent.ini
In the [DEFAULT] section, configure the Linux bridge interface driver, Dnsmasq DHCP driver, and enable isolated metadata so instances on provider networks can access metadata over the network:
openstack-config --set /etc/neutron/dhcp_agent.ini DEFAULT interface_driver neutron.agent.linux.interface.BridgeInterfaceDriver
openstack-config --set /etc/neutron/dhcp_agent.ini DEFAULT dhcp_driver neutron.agent.linux.dhcp.Dnsmasq
openstack-config --set /etc/neutron/dhcp_agent.ini DEFAULT enable_isolated_metadata True
Configure the metadata agent:
The metadata agent provides configuration information such as credentials to instances.
Update /etc/neutron/metadata_agent.ini file
openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT nova_metadata_ip controller
openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT metadata_proxy_shared_secret openstack
Configure Compute to use Networking:
Update /etc/nova/nova.conf file
openstack-config --set /etc/nova/nova.conf neutron url http://controller:9696
openstack-config --set /etc/nova/nova.conf neutron auth_url http://controller:35357
openstack-config --set /etc/nova/nova.conf neutron auth_type password
openstack-config --set /etc/nova/nova.conf neutron project_domain_name default
openstack-config --set /etc/nova/nova.conf neutron user_domain_name default
openstack-config --set /etc/nova/nova.conf neutron region_name RegionOne
openstack-config --set /etc/nova/nova.conf neutron project_name service
openstack-config --set /etc/nova/nova.conf neutron username neutron
openstack-config --set /etc/nova/nova.conf neutron password openstack
openstack-config --set /etc/nova/nova.conf neutron service_metadata_proxy True
openstack-config --set /etc/nova/nova.conf neutron metadata_proxy_shared_secret openstack
The Networking service initialization scripts expect a symbolic link /etc/neutron/plugin.ini pointing to the ML2 plug-in configuration file, /etc/neutron/plugins/ml2/ml2_conf.ini. If this symbolic link does not exist, create it using the following command:
ln -s /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini
Populate the database:
su -s /bin/sh -c "neutron-db-manage --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugins/ml2/ml2_conf.ini upgrade head" neutron
Restart the Compute API service:
systemctl restart openstack-nova-api.service
Start the Networking services and configure them to start when the system boots.
systemctl enable neutron-server.service neutron-linuxbridge-agent.service neutron-dhcp-agent.service neutron-metadata-agent.service
systemctl start neutron-server.service neutron-linuxbridge-agent.service neutron-dhcp-agent.service neutron-metadata-agent.service
systemctl status neutron-server.service neutron-linuxbridge-agent.service neutron-dhcp-agent.service neutron-metadata-agent.service
systemctl enable neutron-l3-agent.service
systemctl start neutron-l3-agent.service
Install and configure compute node
The compute node handles connectivity and security groups for instances.
yum install openstack-neutron-linuxbridge ebtables ipset -y
Configure the common component:
openstack-config --set /etc/neutron/neutron.conf DEFAULT rpc_backend rabbit
openstack-config --set /etc/neutron/neutron.conf DEFAULT auth_strategy keystone
openstack-config --set /etc/neutron/neutron.conf oslo_messaging_rabbit rabbit_host controller
openstack-config --set /etc/neutron/neutron.conf oslo_messaging_rabbit rabbit_userid openstack
openstack-config --set /etc/neutron/neutron.conf oslo_messaging_rabbit rabbit_password openstack
openstack-config --set /etc/neutron/neutron.conf keystone_authtoken auth_uri http://controller:5000
openstack-config --set /etc/neutron/neutron.conf keystone_authtoken auth_url http://controller:35357
openstack-config --set /etc/neutron/neutron.conf keystone_authtoken memcached_servers controller:11211
openstack-config --set /etc/neutron/neutron.conf keystone_authtoken auth_type password
openstack-config --set /etc/neutron/neutron.conf keystone_authtoken project_domain_name default
openstack-config --set /etc/neutron/neutron.conf keystone_authtoken user_domain_name default
openstack-config --set /etc/neutron/neutron.conf keystone_authtoken project_name service
openstack-config --set /etc/neutron/neutron.conf keystone_authtoken username neutron
openstack-config --set /etc/neutron/neutron.conf keystone_authtoken password openstack
openstack-config --set /etc/neutron/neutron.conf oslo_concurrency lock_path /var/lib/neutron/tmp
openstack-config --set /etc/neutron/plugins/ml2/linuxbridge_agent.ini linux_bridge physical_interface_mappings provider:eth1
openstack-config --set /etc/neutron/plugins/ml2/linuxbridge_agent.ini vxlan enable_vxlan True
openstack-config --set /etc/neutron/plugins/ml2/linuxbridge_agent.ini vxlan local_ip 10.0.2.11
openstack-config --set /etc/neutron/plugins/ml2/linuxbridge_agent.ini vxlan l2_population True
openstack-config --set /etc/neutron/plugins/ml2/linuxbridge_agent.ini securitygroup enable_security_group True
openstack-config --set /etc/neutron/plugins/ml2/linuxbridge_agent.ini securitygroup firewall_driver neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
openstack-config --set /etc/nova/nova.conf neutron url http://controller:9696
openstack-config --set /etc/nova/nova.conf neutron auth_url http://controller:35357
openstack-config --set /etc/nova/nova.conf neutron auth_type password
openstack-config --set /etc/nova/nova.conf neutron project_domain_name default
openstack-config --set /etc/nova/nova.conf neutron user_domain_name default
openstack-config --set /etc/nova/nova.conf neutron region_name RegionOne
openstack-config --set /etc/nova/nova.conf neutron project_name service
openstack-config --set /etc/nova/nova.conf neutron username neutron
openstack-config --set /etc/nova/nova.conf neutron password openstack
Restart the Compute service:
systemctl restart openstack-nova-compute.service
systemctl enable neutron-linuxbridge-agent.service;
systemctl start neutron-linuxbridge-agent.service;
systemctl status neutron-linuxbridge-agent.service
Source the admin credentials to gain access to admin-only CLI commands:
. admin-openrc
List loaded extensions to verify successful launch of the neutron-server process:
neutron ext-list
List agents to verify successful launch of the neutron agents:
neutron agent-list
The output should indicate four agents on the controller node and one agent on each compute node.
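Added example, not part of the original slides: the steps above set every service password and the metadata_proxy_shared_secret to the placeholder value openstack, and rely on the [securitygroup] settings in linuxbridge_agent.ini for enforcement on each node. This POSIX shell audit flags placeholder secrets left in place, a proxy-secret mismatch between metadata_agent.ini and nova.conf, and security groups that are disabled or backed by a no-op firewall driver. The function names, finding labels and sample files are constructed for illustration; the file paths, sections and keys are the ones used above.

```shell
# ini_get FILE SECTION KEY: print KEY's value from [SECTION]; nothing if absent.
ini_get() {
    [ -f "$1" ] || return 0
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*\[/ { gsub(/[ \t]/, ""); insec = ($0 == sec); next }
        insec && (p = index($0, "=")) {
            k = substr($0, 1, p - 1); v = substr($0, p + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# audit ROOT (prefix before /etc, "" on a live host): one finding per line, status 1 if any.
audit() {
    root=$1; bad=0; n=etc/neutron
    flag() { echo "$*"; bad=$((bad + 1)); }
    # Secrets still equal to the walkthrough's placeholder value "openstack".
    for spec in "$n/neutron.conf keystone_authtoken password" \
                "$n/neutron.conf nova password" \
                "$n/neutron.conf oslo_messaging_rabbit rabbit_password" \
                "$n/metadata_agent.ini DEFAULT metadata_proxy_shared_secret" \
                "etc/nova/nova.conf neutron password" \
                "etc/nova/nova.conf neutron metadata_proxy_shared_secret"; do
        set -- $spec
        if [ "$(ini_get "$root/$1" "$2" "$3")" = "openstack" ]; then
            flag "PLACEHOLDER_SECRET /$1 [$2] $3"
        fi
    done
    # The metadata agent and Compute must hold the same proxy secret.
    a=$(ini_get "$root/$n/metadata_agent.ini" DEFAULT metadata_proxy_shared_secret)
    c=$(ini_get "$root/etc/nova/nova.conf" neutron metadata_proxy_shared_secret)
    [ "$a" = "$c" ] || flag "SECRET_MISMATCH metadata_proxy_shared_secret"
    # Security groups must be switched on and backed by a real firewall driver.
    lb="$root/$n/plugins/ml2/linuxbridge_agent.ini"
    [ "$(ini_get "$lb" securitygroup enable_security_group)" = "True" ] ||
        flag "SECGROUP_DISABLED linuxbridge_agent.ini"
    case "$(ini_get "$lb" securitygroup firewall_driver)" in
        ""|*Noop*) flag "NO_FIREWALL_DRIVER linuxbridge_agent.ini" ;;
    esac
    [ "$bad" -eq 0 ]
}
# make_sample ROOT: constructed files carrying the walkthrough's values.
make_sample() {
    e="$1/etc"; mkdir -p "$e/neutron/plugins/ml2" "$e/nova"
    printf '[%s]\n%s = openstack\n' keystone_authtoken password nova password \
        oslo_messaging_rabbit rabbit_password > "$e/neutron/neutron.conf"
    printf '[DEFAULT]\nmetadata_proxy_shared_secret = openstack\n' > "$e/neutron/metadata_agent.ini"
    printf '[neutron]\npassword = openstack\nmetadata_proxy_shared_secret = openstack\n' \
        > "$e/nova/nova.conf"
    printf '[securitygroup]\nenable_security_group = True\nfirewall_driver = %s\n' \
        neutron.agent.linux.iptables_firewall.IptablesFirewallDriver \
        > "$e/neutron/plugins/ml2/linuxbridge_agent.ini"
}
demo=$(mktemp -d); make_sample "$demo"; audit "$demo" || true; rm -rf "$demo"
```

On a configured node, run audit "" as a user that can read the files; the non-zero exit status lets a provisioning script stop before the services are started with placeholder secrets.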