Install the Open vSwitch (OVS) plug-in
  1. Install the Open vSwitch plug-in and its dependencies:

    # apt-get install neutron-plugin-openvswitch-agent
    Note

    On Ubuntu 12.04 LTS with GRE you must install openvswitch-datapath-dkms and restart the service to enable the GRE flow so that OVS 1.10 and higher is used. Make sure you are running the OVS 1.10 kernel module in addition to the OVS 1.10 user space. Both the kernel module and user space are required for VXLAN support. The error that appears in the /var/log/openvswitch/ovs-vswitchd.log log file when this is not the case is "Stderr: 'ovs-ofctl: -1: negative values not supported for in_port\n'". If you see this error, make sure modinfo openvswitch shows the right version. Also check the output from dmesg for the version of the OVS module being loaded.

  2. Start Open vSwitch:

    # service openvswitch-switch restart
  3. No matter which networking technology you use, you must add the br-int integration bridge, which connects to the VMs, and the br-ex external bridge, which connects to the outside world.

    # ovs-vsctl add-br br-int
    # ovs-vsctl add-br br-ex
  4. Add a port (connection) from the EXTERNAL_INTERFACE interface to the br-ex interface:

    # ovs-vsctl add-port br-ex EXTERNAL_INTERFACE
  5. Configure the EXTERNAL_INTERFACE without an IP address and in promiscuous mode. Additionally, you must set the newly created br-ex interface to have the IP address that formerly belonged to EXTERNAL_INTERFACE.

    Warning

    Generic Receive Offload (GRO) should not be enabled on this interface as it can cause severe performance problems. It can be disabled with the ethtool utility.

  6. You must set some common configuration options no matter which networking technology you choose to use with Open vSwitch. Configure the L3 and DHCP agents to use OVS and namespaces. Edit the /etc/neutron/l3_agent.ini and /etc/neutron/dhcp_agent.ini files, respectively:

    interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
    use_namespaces = True
  7. Similarly, you must also tell Neutron core to use OVS. Edit the /etc/neutron/neutron.conf file:

    core_plugin = neutron.plugins.openvswitch.ovs_neutron_plugin.OVSNeutronPluginV2
  8. Choose a networking technology to create the virtual networks. Neutron supports GRE tunneling, VLANs, and VXLANs. This guide shows how to configure GRE tunneling and VLANs.

    GRE tunneling is simpler to set up because it does not require any special configuration from any physical network hardware. However, its protocol makes it difficult to filter traffic on the physical network. Additionally, this configuration does not use namespaces, so you can have only one router for each network node. You can, however, enable namespacing, and potentially veth, as described in the section detailing how to use VLANs with OVS.

    On the other hand, VLAN tagging modifies the Ethernet header of packets. You can filter packets on the physical network through normal methods. However, not all NICs handle the increased packet size of VLAN-tagged packets well, and you might need to complete additional configuration on physical network hardware to ensure that your Neutron VLANs do not interfere with any other VLANs on your network and that any physical network hardware between nodes does not strip VLAN tags.

    Note

    While the examples in this guide enable network namespaces by default, you can disable them if issues occur or your kernel does not support them. Edit the /etc/neutron/l3_agent.ini and /etc/neutron/dhcp_agent.ini files, respectively:

    use_namespaces = False

    Edit the /etc/neutron/neutron.conf file to disable overlapping IP addresses:

    allow_overlapping_ips = False

    Note that when network namespaces are disabled, you can have only one router for each network node and overlapping IP addresses are not supported.

    You must complete additional steps after you create the initial Neutron virtual networks and router.

  9. Configure a firewall plug-in. If you do not wish to enforce firewall rules, called security groups by OpenStack, you can use neutron.agent.firewall.NoopFirewall. Otherwise, you can choose one of the Networking firewall plug-ins. The most common choice is the Hybrid OVS-IPTables driver, but you can also use the Firewall-as-a-Service driver. Edit the /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini file:

    [securitygroup]
    # Firewall driver for realizing neutron security group function.
    firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
    Warning

    You must use at least the No-Op firewall. Otherwise, Horizon and other OpenStack services cannot get and set required VM boot options.

  10. Now, return to the general OVS instructions.
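
The settings from steps 6, 7 and 9 can be checked together before you restart the agents. The following is an added example, not part of the original guide or of Neutron: the `parse` and `audit` names and the sample file contents are constructed for illustration, and each file is assumed to carry its options under a `[DEFAULT]` header (or `[securitygroup]` for the firewall driver).

```python
import configparser

# Expected values are the ones given in steps 6, 7 and 9 of this page.
OVS_DRIVER = "neutron.agent.linux.interface.OVSInterfaceDriver"
OVS_PLUGIN = "neutron.plugins.openvswitch.ovs_neutron_plugin.OVSNeutronPluginV2"
NOOP_FW = "neutron.agent.firewall.NoopFirewall"
AGENTS = ("l3_agent.ini", "dhcp_agent.ini")
PLUGIN_INI = "ovs_neutron_plugin.ini"

def parse(text):
    # RawConfigParser does no %-interpolation; strict=False tolerates repeated keys.
    cp = configparser.RawConfigParser(strict=False)
    cp.read_string(text)
    return cp

def audit(files):
    """files maps a base file name to its text; returns a list of findings."""
    cfg = {n: parse(files.get(n, "")) for n in AGENTS + ("neutron.conf", PLUGIN_INI)}
    findings, no_ns = [], False
    for name in AGENTS:
        d = cfg[name].defaults()
        if d.get("interface_driver") != OVS_DRIVER:
            findings.append(f"{name}: interface_driver is not the OVS driver")
        ns = d.get("use_namespaces", "").lower()
        if ns not in ("true", "false"):
            findings.append(f"{name}: use_namespaces is not set")
        no_ns = no_ns or ns == "false"
    core = cfg["neutron.conf"].defaults()
    if core.get("core_plugin") != OVS_PLUGIN:
        findings.append("neutron.conf: core_plugin is not the OVS plug-in")
    # The note in step 8: without namespaces, overlapping IPs must be disabled.
    if no_ns and core.get("allow_overlapping_ips", "").lower() != "false":
        findings.append("neutron.conf: namespaces disabled, set allow_overlapping_ips = False")
    fw = cfg[PLUGIN_INI].get("securitygroup", "firewall_driver", fallback=None)
    if not fw:
        findings.append(f"{PLUGIN_INI}: no firewall_driver set")
    elif fw == NOOP_FW:
        findings.append(f"{PLUGIN_INI}: NoopFirewall, security groups are not enforced")
    return findings

# Constructed sample input: namespaces off in one agent, overlapping IPs left on,
# and the No-Op firewall selected.
AGENT = "[DEFAULT]\ninterface_driver = %s\nuse_namespaces = %s\n"
SAMPLE = {
    "l3_agent.ini": AGENT % (OVS_DRIVER, "True"),
    "dhcp_agent.ini": AGENT % (OVS_DRIVER, "False"),
    "neutron.conf": "[DEFAULT]\ncore_plugin = %s\nallow_overlapping_ips = True\n" % OVS_PLUGIN,
    PLUGIN_INI: "[securitygroup]\nfirewall_driver = %s\n" % NOOP_FW,
}
```

Pass `audit` a dictionary built from the real files under /etc/neutron to get the same findings for a live node; an empty list means the four files match the values in this guide.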
