OpenStack Yoga : Configure Neutron #22022/05/31

Configure OpenStack Network Service (Neutron).

This example is based on the environment like follows.
If you'd like to install Neutron services on another Host, refer to here.

Configure Neutron services with Open Virtual Network (OVN).

        eth0|10.0.0.30 
+-----------+-----------+
|   [ dlp.srv.world ]   |
|     (Control Node)    |
|                       |
|  MariaDB    RabbitMQ  |
|  Memcached  httpd     |
|  Keystone   Glance    |
|  Nova API/Compute     |
|    Neutron Server     |
|    Open vSwitch       |
|  OVN Metadata Agent   |
|    OVN-Controller     |
+-----------------------+

[1]	Install Neutron services.

# install from Yoga, EPEL, PowerTools

[root@dlp ~(keystone)]#

dnf --enablerepo=centos-openstack-yoga,powertools,epel -y install openstack-neutron openstack-neutron-ml2 ovn-2021-central openstack-neutron-ovn-metadata-agent ovn-2021-host

[2]	Configure Neutron services.

[root@dlp ~(keystone)]#

mv /etc/neutron/neutron.conf /etc/neutron/neutron.conf.org

[root@dlp ~(keystone)]#

vi /etc/neutron/neutron.conf

# create new

[DEFAULT]
bind_host = 127.0.0.1
bind_port = 9696
core_plugin = ml2
service_plugins = ovn-router
auth_strategy = keystone
state_path = /var/lib/neutron
allow_overlapping_ips = True
notify_nova_on_port_status_changes = True
notify_nova_on_port_data_changes = True
# RabbitMQ connection info
transport_url = rabbit://openstack:password@dlp.srv.world

# Keystone auth info
[keystone_authtoken]
www_authenticate_uri = https://dlp.srv.world:5000
auth_url = https://dlp.srv.world:5000
memcached_servers = dlp.srv.world:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = neutron
password = servicepassword
# if using self-signed certs on Apache httpd Keystone, turn to [true]
insecure = false

# MariaDB connection info
[database]
connection = mysql+pymysql://neutron:password@dlp.srv.world/neutron_ml2

# Nova connection info
[nova]
auth_url = https://dlp.srv.world:5000
auth_type = password
project_domain_name = default
user_domain_name = default
region_name = RegionOne
project_name = service
username = nova
password = servicepassword
# if using self-signed certs on Apache httpd Keystone, turn to [true]
insecure = false

[oslo_concurrency]
lock_path = $state_path/tmp

[root@dlp ~(keystone)]#

chmod 640 /etc/neutron/neutron.conf

[root@dlp ~(keystone)]#

chgrp neutron /etc/neutron/neutron.conf

[root@dlp ~(keystone)]#

mv /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugins/ml2/ml2_conf.ini.org

[root@dlp ~(keystone)]#

vi /etc/neutron/plugins/ml2/ml2_conf.ini

# create new

[DEFAULT]
debug = false

[ml2]
type_drivers = flat,geneve
tenant_network_types = geneve
mechanism_drivers = ovn
extension_drivers = port_security
overlay_ip_version = 4

[ml2_type_geneve]
vni_ranges = 1:65536
max_header_size = 38

[ml2_type_flat]
flat_networks = *

[securitygroup]
enable_security_group = True
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver

[ovn]
ovn_nb_connection = tcp:10.0.0.30:6641
ovn_sb_connection = tcp:10.0.0.30:6642
ovn_l3_scheduler = leastloaded
ovn_metadata_enabled = True

[root@dlp ~(keystone)]#

chmod 640 /etc/neutron/plugins/ml2/ml2_conf.ini

[root@dlp ~(keystone)]#

chgrp neutron /etc/neutron/plugins/ml2/ml2_conf.ini

[root@dlp ~(keystone)]#

vi /etc/neutron/neutron_ovn_metadata_agent.ini

[DEFAULT]
# line 2 : add to specify Nova API host
nova_metadata_host = dlp.srv.world
nova_metadata_protocol = https
# specify any secret key you like
metadata_proxy_shared_secret = metadata_secret

# add to the end
[agent]
root_helper = sudo neutron-rootwrap /etc/neutron/rootwrap.conf

[ovs]
ovsdb_connection = tcp:127.0.0.1:6640

[ovn]
ovn_sb_connection = tcp:10.0.0.30:6642

[root@dlp ~(keystone)]#

vi /etc/sysconfig/openvswitch

# line 28 : add

OPTIONS="

--ovsdb-server-options='--remote=ptcp:6640:127.0.0.1'

[root@dlp ~(keystone)]#

vi /etc/nova/nova.conf

# add follows into the [DEFAULT] section

vif_plugging_is_fatal = True
vif_plugging_timeout = 300

# add follows to the end : Neutron auth info
# the value of [metadata_proxy_shared_secret] is the same with the one in [metadata_agent.ini]
[neutron]
auth_url = https://dlp.srv.world:5000
auth_type = password
project_domain_name = default
user_domain_name = default
region_name = RegionOne
project_name = service
username = neutron
password = servicepassword
service_metadata_proxy = True
metadata_proxy_shared_secret = metadata_secret
insecure = false

[3]	If SELinux is enabled, change policy.

[root@dlp ~(keystone)]#

dnf --enablerepo=centos-openstack-yoga -y install openstack-selinux

[root@dlp ~(keystone)]#

setsebool -P neutron_can_network on

[root@dlp ~(keystone)]#

setsebool -P haproxy_connect_any on

[root@dlp ~(keystone)]#

setsebool -P daemons_enable_cluster_mode on

[root@dlp ~(keystone)]#

vi ovsofctl.te

# create new

module ovsofctl 1.0;

require {
        type neutron_t;
        type neutron_exec_t;
        type neutron_t;
        type dnsmasq_t;
        type openvswitch_load_module_t;
        type tracefs_t;
        type var_run_t;
        type openvswitch_t;
        class sock_file write;
        class file execute_no_trans;
        class dir search;
        class capability { dac_override sys_rawio };
}

#============= neutron_t ==============
allow neutron_t self:capability { dac_override sys_rawio };
allow neutron_t neutron_exec_t:file execute_no_trans;

#============= openvswitch_t ==============
allow openvswitch_t var_run_t:sock_file write;

#============= openvswitch_load_module_t ==============
allow openvswitch_load_module_t tracefs_t:dir search;

#============= dnsmasq_t ==============
allow dnsmasq_t self:capability dac_override;

[root@dlp ~(keystone)]#

checkmodule -m -M -o ovsofctl.mod ovsofctl.te

[root@dlp ~(keystone)]#

semodule_package --outfile ovsofctl.pp --module ovsofctl.mod

[root@dlp ~(keystone)]#

semodule -i ovsofctl.pp

[4]	If Firewalld is enabled, allow service ports.

[root@dlp ~(keystone)]#

firewall-cmd --add-port=9696/tcp

success
[root@dlp ~(keystone)]#

firewall-cmd --runtime-to-permanent

success

[5]	Configure Nginx for proxy settings.

[root@dlp ~(keystone)]#

vi /etc/nginx/nginx.conf

# add into the [stream] section

stream {
    upstream glance-api {
        server 127.0.0.1:9292;
    }
    server {
        listen 10.0.0.30:9292 ssl;
        proxy_pass glance-api;
    }
    upstream nova-api {
        server 127.0.0.1:8774;
    }
    server {
        listen 10.0.0.30:8774 ssl;
        proxy_pass nova-api;
    }
    upstream nova-metadata-api {
        server 127.0.0.1:8775;
    }
    server {
        listen 10.0.0.30:8775 ssl;
        proxy_pass nova-metadata-api;
    }
    upstream placement-api {
        server 127.0.0.1:8778;
    }
    server {
        listen 10.0.0.30:8778 ssl;
        proxy_pass placement-api;
    }
    upstream novncproxy {
        server 127.0.0.1:6080;
    }
    server {
        listen 10.0.0.30:6080 ssl;
        proxy_pass novncproxy;
    }
    upstream neutron-api {
        server 127.0.0.1:9696;
    }
    server {
        listen 10.0.0.30:9696 ssl;
        proxy_pass neutron-api;
    }
    ssl_certificate "/etc/letsencrypt/live/dlp.srv.world/fullchain.pem";
    ssl_certificate_key "/etc/letsencrypt/live/dlp.srv.world/privkey.pem";
}

[6]	Start Neutron services.

[root@dlp ~(keystone)]#

systemctl enable --now openvswitch

[root@dlp ~(keystone)]#

ovs-vsctl add-br br-int

[root@dlp ~(keystone)]#

ln -s /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini

[root@dlp ~(keystone)]#

su -s /bin/bash neutron -c "neutron-db-manage --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugin.ini upgrade head"

[root@dlp ~(keystone)]#

systemctl enable --now ovn-northd ovn-controller

[root@dlp ~(keystone)]#

ovn-nbctl set-connection ptcp:6641:10.0.0.30 -- set connection . inactivity_probe=60000

[root@dlp ~(keystone)]#

ovn-sbctl set-connection ptcp:6642:10.0.0.30 -- set connection . inactivity_probe=60000

[root@dlp ~(keystone)]#

ovs-vsctl set open . external-ids:ovn-remote=tcp:10.0.0.30:6642

[root@dlp ~(keystone)]#

ovs-vsctl set open . external-ids:ovn-encap-type=geneve

[root@dlp ~(keystone)]#

ovs-vsctl set open . external-ids:ovn-encap-ip=10.0.0.30

[root@dlp ~(keystone)]#

systemctl enable --now neutron-server neutron-ovn-metadata-agent

[root@dlp ~(keystone)]#

systemctl restart openstack-nova-api openstack-nova-compute nginx

# show status

[root@dlp ~(keystone)]#

openstack network agent list

+--------------------------------------+----------------------+---------------+-------------------+-------+-------+----------------------------+
| ID                                   | Agent Type           | Host          | Availability Zone | Alive | State | Binary                     |
+--------------------------------------+----------------------+---------------+-------------------+-------+-------+----------------------------+
| ca9995b2-d1c0-43fe-83ab-df8d4a407ccb | OVN Controller agent | dlp.srv.world |                   | :-)   | UP    | ovn-controller             |
| 4395710d-01ad-5900-86a9-7fff266a3389 | OVN Metadata agent   | dlp.srv.world |                   | :-)   | UP    | neutron-ovn-metadata-agent |
+--------------------------------------+----------------------+---------------+-------------------+-------+-------+----------------------------+

Matched Content