Prerequisites
Before you configure OpenStack Networking (neutron), you must create a database and Identity service credentials including a user and service.
Connect to the database as the root user, create the
neutron
database, and grant the proper access to it:Replace
NEUTRON_DBPASS
with a suitable password.$ mysql -u root -p mysql> CREATE DATABASE neutron; mysql> GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'localhost' \ IDENTIFIED BY '
NEUTRON_DBPASS
'; mysql> GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'%' \ IDENTIFIED BY 'NEUTRON_DBPASS
';Create Identity service credentials for Networking:
Create the
neutron
user:Replace
NEUTRON_PASS
with a suitable password and[email protected]
with a suitable e-mail address.$ keystone user-create --name neutron --pass
NEUTRON_PASS
--email[email protected]
Link the
neutron
user to theservice
tenant andadmin
role:$ keystone user-role-add --user neutron --tenant service --role admin
Create the
neutron
service:$ keystone service-create --name neutron --type network --description "OpenStack Networking"
Create the service endpoint:
$ keystone endpoint-create \ --service-id $(keystone service-list | awk '/ network / {print $2}') \ --publicurl http://
controller
:9696 \ --adminurl http://controller
:9696 \ --internalurl http://controller
:9696
To configure the Networking server component
The Networking server component configuration includes the database, authentication mechanism, message broker, topology change notifier, and plug-in.
Configure Networking to use the database:
Edit the
/etc/neutron/neutron.conf
file and add the following key to the[database]
section:Replace
NEUTRON_DBPASS
with the password you chose for the database.[database] ... connection = mysql://neutron:
NEUTRON_DBPASS
@controller
/neutron
Configure Networking to use the Identity service for authentication:
Edit the
/etc/neutron/neutron.conf
file and add the following key to the[DEFAULT]
section:[DEFAULT] ... auth_strategy = keystone
Add the following keys to the
[keystone_authtoken]
section:Replace
NEUTRON_PASS
with the password you chose for theneutron
user in the Identity service.[keystone_authtoken] ... auth_uri = http://
controller
:5000 auth_host =controller
auth_protocol = http auth_port = 35357 admin_tenant_name = service admin_user = neutron admin_password =NEUTRON_PASS
Configure Networking to use the message broker:
Edit the
/etc/neutron/neutron.conf
file and add the following keys to the[DEFAULT]
section:Replace
RABBIT_PASS
with the password you chose for theguest
account in RabbitMQ.[DEFAULT] ... rpc_backend = neutron.openstack.common.rpc.impl_kombu rabbit_host =
controller
rabbit_password =RABBIT_PASS
Configure Networking to notify Compute about network topology changes:
Replace
SERVICE_TENANT_ID
with theservice
tenant identifier (id) in the Identity service andNOVA_PASS
with the password you chose for thenova
user in the Identity service.Edit the
/etc/neutron/neutron.conf
file and add the following keys to the[DEFAULT]
section:[DEFAULT] ... notify_nova_on_port_status_changes = True notify_nova_on_port_data_changes = True nova_url = http://
controller
:8774/v2 nova_admin_username = nova nova_admin_tenant_id =SERVICE_TENANT_ID
nova_admin_password =NOVA_PASS
nova_admin_auth_url = http://controller
:35357/v2.0
Note To obtain the
service
tenant identifier (id):$ source admin-openrc.sh $ keystone tenant-get service +-------------+----------------------------------+ | Property | Value | +-------------+----------------------------------+ | description | Service Tenant | | enabled | True | | id | f727b5ec2ceb4d71bad86dfc414449bf | | name | service | +-------------+----------------------------------+
Configure Networking to use the Modular Layer 2 (ML2) plug-in and associated services:
Edit the
/etc/neutron/neutron.conf
file and add the following keys to the[DEFAULT]
section:[DEFAULT] ... core_plugin = ml2 service_plugins = router allow_overlapping_ips = True
Note We recommend adding
verbose = True
to the[DEFAULT]
section in/etc/neutron/neutron.conf
to assist with troubleshooting.
Comment out any lines in the
[service_providers]
section.
To configure the Modular Layer 2 (ML2) plug-in
The ML2 plug-in uses the Open vSwitch (OVS) mechanism (agent) to build the virtual networking framework for instances. However, the controller node does not need the OVS agent or service because it does not handle instance network traffic.
Edit the
/etc/neutron/plugins/ml2/ml2_conf.ini
file:Add the following keys to the
[ml2]
section:[ml2] ... type_drivers = gre tenant_network_types = gre mechanism_drivers = openvswitch
Add the following key to the
[ml2_type_gre]
section:[ml2_type_gre] ... tunnel_id_ranges = 1:1000
Add the
[securitygroup]
section and the following keys to it:[securitygroup] ... firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver enable_security_group = True
To configure Compute to use Networking
By default, most distributions configure Compute to use legacy networking. You must reconfigure Compute to manage networks through Networking.
Edit the
/etc/nova/nova.conf
and add the following keys to the[DEFAULT]
section:Replace
NEUTRON_PASS
with the password you chose for theneutron
user in the Identity service.[DEFAULT] ... network_api_class = nova.network.neutronv2.api.API neutron_url = http://
controller
:9696 neutron_auth_strategy = keystone neutron_admin_tenant_name = service neutron_admin_username = neutron neutron_admin_password =NEUTRON_PASS
neutron_admin_auth_url = http://controller
:35357/v2.0 linuxnet_interface_driver = nova.network.linux_net.LinuxOVSInterfaceDriver firewall_driver = nova.virt.firewall.NoopFirewallDriver security_group_api = neutronNote By default, Compute uses an internal firewall service. Since Networking includes a firewall service, you must disable the Compute firewall service by using the
nova.virt.firewall.NoopFirewallDriver
firewall driver.