
OpenStack Bobcat : Configure Neutron #2 (2023/10/24)

 
Configure OpenStack Network Service (Neutron).
This example is based on the environment shown below.
If you would like to install the Neutron services on a separate host, refer to the linked page.
Configure Neutron services with Open Virtual Network (OVN).
        eth0|10.0.0.30 
+-----------+-----------+
|   [ dlp.srv.world ]   |
|     (Control Node)    |
|                       |
|  MariaDB    RabbitMQ  |
|  Memcached  Nginx     |
|  Keystone   httpd     |
|  Glance     Nova API  |
|  Nova Compute         |
|    Neutron Server     |
|    Open vSwitch       |
|  OVN Metadata Agent   |
|    OVN-Controller     |
+-----------------------+

[1] Install Neutron services.
# install from the Bobcat, EPEL and CRB repositories

[root@dlp ~(keystone)]#
dnf --enablerepo=centos-openstack-bobcat,epel,crb -y install openstack-neutron openstack-neutron-ml2 ovn23.06-central openstack-neutron-ovn-metadata-agent ovn23.06-host.x86_64
[2] Configure Neutron services.
[root@dlp ~(keystone)]#
mv /etc/neutron/neutron.conf /etc/neutron/neutron.conf.org

[root@dlp ~(keystone)]#
vi /etc/neutron/neutron.conf
# create new

[DEFAULT]
# bind the API to loopback only; clients reach it through the TLS-terminating
# Nginx stream listener on 10.0.0.30:9696 configured later on this page
bind_host = 127.0.0.1
bind_port = 9696
core_plugin = ml2
# L3 routing is provided by OVN instead of the classic L3 agent
service_plugins = ovn-router
auth_strategy = keystone
state_path = /var/lib/neutron
allow_overlapping_ips = True
# send port status/data events to Nova; nova.conf below sets
# vif_plugging_is_fatal / vif_plugging_timeout, which rely on these events
notify_nova_on_port_status_changes = True
notify_nova_on_port_data_changes = True
# RabbitMQ connection info
# the broker password is stored here in clear text: this file is set to mode 640
# with group neutron in the chmod/chgrp steps that follow - keep it that way
transport_url = rabbit://openstack:password@dlp.srv.world

# Keystone auth info
[keystone_authtoken]
www_authenticate_uri = https://dlp.srv.world:5000
auth_url = https://dlp.srv.world:5000
memcached_servers = dlp.srv.world:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = neutron
password = servicepassword
# set to true only if Keystone on httpd uses a self-signed certificate;
# it disables TLS certificate verification, so leave it false in production
insecure = false

# MariaDB connection info
# the database password is also in clear text here (same 640 / neutron-group rule applies)
[database]
connection = mysql+pymysql://neutron:password@dlp.srv.world/neutron_ml2

# Nova connection info
[nova]
auth_url = https://dlp.srv.world:5000
auth_type = password
project_domain_name = default
user_domain_name = default
region_name = RegionOne
project_name = service
username = nova
password = servicepassword
# set to true only if Keystone on httpd uses a self-signed certificate;
# it disables TLS certificate verification, so leave it false in production
insecure = false

[oslo_concurrency]
# $state_path is substituted from the [DEFAULT] value above
lock_path = $state_path/tmp

[oslo_policy]
# opt in to the new role-based policy defaults; the other OpenStack services
# on this node should use the same setting so that role checks stay consistent
enforce_new_defaults = true

[root@dlp ~(keystone)]#
chmod 640 /etc/neutron/neutron.conf

[root@dlp ~(keystone)]#
chgrp neutron /etc/neutron/neutron.conf
[root@dlp ~(keystone)]#
mv /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugins/ml2/ml2_conf.ini.org

[root@dlp ~(keystone)]#
vi /etc/neutron/plugins/ml2/ml2_conf.ini
# create new

[DEFAULT]
debug = false

[ml2]
# flat for provider networks, geneve for tenant overlays (the encapsulation
# ovs-vsctl sets as ovn-encap-type later on this page)
type_drivers = flat,geneve
tenant_network_types = geneve
mechanism_drivers = ovn
extension_drivers = port_security,qos
overlay_ip_version = 4

[ml2_type_geneve]
vni_ranges = 1:65536
# NOTE(review): 38 is the value commonly recommended for OVN's Geneve options - confirm for your OVN version
max_header_size = 38

[ml2_type_flat]
# '*' allows a flat network to be created on any physical network name;
# for production list only the physical networks that are actually bridge-mapped
flat_networks = *

[securitygroup]
enable_security_group = True
# NOTE(review): with mechanism_drivers = ovn, security groups are enforced as OVN ACLs;
# this iptables hybrid driver value is presumably not consulted by the OVN driver - confirm
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver

[ovn]
# plain tcp: connections to the OVN northbound/southbound databases carry no
# authentication or encryption, and anyone who can reach these ports can change the
# virtual network. Keep 6641/6642 reachable only from the management network (the
# firewalld step below opens only 9696) or switch the listeners and these URLs to ssl:
ovn_nb_connection = tcp:10.0.0.30:6641
ovn_sb_connection = tcp:10.0.0.30:6642
ovn_l3_scheduler = leastloaded
ovn_metadata_enabled = True

[root@dlp ~(keystone)]#
chmod 640 /etc/neutron/plugins/ml2/ml2_conf.ini

[root@dlp ~(keystone)]#
chgrp neutron /etc/neutron/plugins/ml2/ml2_conf.ini
[root@dlp ~(keystone)]#
vi /etc/neutron/neutron_ovn_metadata_agent.ini
[DEFAULT]
# line 2 : add - Nova metadata API host the proxy forwards to; https matches the
# Nginx stream listener on 10.0.0.30:8775 ssl configured later on this page
nova_metadata_host = dlp.srv.world
nova_metadata_protocol = https
# shared secret Nova uses to verify that metadata requests really come from this
# proxy; replace the placeholder with a long random value and set exactly the same
# value for metadata_proxy_shared_secret in the [neutron] section of nova.conf
metadata_proxy_shared_secret = metadata_secret

# add to the end
[agent]
# privileged commands run through rootwrap with the filters in /etc/neutron/rootwrap.conf
root_helper = sudo neutron-rootwrap /etc/neutron/rootwrap.conf

[ovs]
# local ovsdb-server listener; must match --remote=ptcp:6640:127.0.0.1 in /etc/sysconfig/openvswitch
ovsdb_connection = tcp:127.0.0.1:6640

[ovn]
# plain tcp to the southbound DB: no authentication or encryption, so keep 6642
# reachable only from the management network or use an ssl: connection
ovn_sb_connection = tcp:10.0.0.30:6642

[root@dlp ~(keystone)]#
vi /etc/sysconfig/openvswitch
# line 28 : add

# expose the OVSDB management socket on loopback only (the metadata agent connects to
# tcp:127.0.0.1:6640); widening the --remote address would expose an unauthenticated listener
OPTIONS="
--ovsdb-server-options='--remote=ptcp:6640:127.0.0.1'
"
[root@dlp ~(keystone)]#
vi /etc/nova/nova.conf
# add the following lines to the [DEFAULT] section

# fail the instance boot instead of leaving it without networking when Neutron does
# not report the port as plugged within vif_plugging_timeout seconds
vif_plugging_is_fatal = True
vif_plugging_timeout = 300

# add the following to the end : Neutron auth info
# metadata_proxy_shared_secret must hold exactly the same value as in
# /etc/neutron/neutron_ovn_metadata_agent.ini (use a long random value, not the placeholder)
[neutron]
auth_url = https://dlp.srv.world:5000
auth_type = password
project_domain_name = default
user_domain_name = default
region_name = RegionOne
project_name = service
username = neutron
password = servicepassword
service_metadata_proxy = True
metadata_proxy_shared_secret = metadata_secret
# set to true only if Keystone uses a self-signed certificate (disables TLS verification)
insecure = false
[3] If SELinux is enabled, change policy.
[root@dlp ~(keystone)]#
dnf --enablerepo=centos-openstack-bobcat -y install openstack-selinux

[root@dlp ~(keystone)]#
setsebool -P neutron_can_network on

[root@dlp ~(keystone)]#
setsebool -P haproxy_connect_any on

[root@dlp ~(keystone)]#
setsebool -P daemons_enable_cluster_mode on

[root@dlp ~(keystone)]#
vi ovsofctl.te
# create new

# Local policy module for the Neutron / OVN control node.
# The "#============= <domain> ==============" sections look like audit2allow output
# built from AVC denials; review every rule against the audit log before loading it,
# since each allow permanently widens what the confined domain may do.
module ovsofctl 1.0;

require {
        type neutron_t;
        type neutron_exec_t;
        type pasta_exec_t;
        type tmpfs_t;
        type dnsmasq_t;
        type openvswitch_load_module_t;
        type tracefs_t;
        type var_run_t;
        type openvswitch_t;
        type ovsdb_port_t;
        type kdumpctl_exec_t;
        type devicekit_exec_t;
        type lsmd_exec_t;
        type lsmd_plugin_exec_t;
        type locate_exec_t;
        type glance_scrubber_exec_t;
        type gpg_agent_exec_t;
        type mount_exec_t;
        type rsync_exec_t;
        type journalctl_exec_t;
        type virt_qemu_ga_exec_t;
        type httpd_config_t;
        type chfn_exec_t;
        type glance_api_exec_t;
        type ssh_exec_t;
        type ssh_agent_exec_t;
        type systemd_hwdb_exec_t;
        type checkpolicy_exec_t;
        type chronyc_exec_t;
        type groupadd_exec_t;
        type loadkeys_exec_t;
        type fusermount_exec_t;
        type dmesg_exec_t;
        type rpmdb_exec_t;
        type memcached_exec_t;
        type conmon_exec_t;
        type systemd_tmpfiles_exec_t;
        type passwd_exec_t;
        type ssh_keygen_exec_t;
        type NetworkManager_exec_t;
        type su_exec_t;
        type dbusd_exec_t;
        type numad_exec_t;
        type container_runtime_exec_t;
        type ping_exec_t;
        type rpcbind_exec_t;
        type virtd_exec_t;
        type policykit_auth_exec_t;
        type systemd_systemctl_exec_t;
        type plymouth_exec_t;
        type keepalived_exec_t;
        type mandb_exec_t;
        type systemd_passwd_agent_exec_t;
        type traceroute_exec_t;
        type fsadm_exec_t;
        type thumb_exec_t;
        type mysqld_exec_t;
        type nova_exec_t;
        type crontab_exec_t;
        type swtpm_exec_t;
        type virsh_exec_t;
        type mysqld_safe_exec_t;
        type systemd_notify_exec_t;
        type vlock_exec_t;
        type gpg_exec_t;
        type login_exec_t;
        type hostname_exec_t;
        class sock_file write;
        class file { create execute_no_trans getattr link open read unlink write };
        class dir search;
        class lnk_file read;
        class tcp_socket name_bind;
        class capability { dac_override sys_rawio };
}

#============= neutron_t ==============
# dac_override bypasses file permission checks and sys_rawio permits raw device I/O;
# both are broad capabilities - confirm from the audit log that each is really needed
allow neutron_t self:capability { dac_override sys_rawio };
# run neutron's own binaries in neutron_t without a domain transition
allow neutron_t neutron_exec_t:file execute_no_trans;
# NOTE(review): getattr on this many unrelated *_exec_t types looks like a PATH scan
# for a helper binary; if only the denial noise matters, a dontaudit rule is safer
# than granting the access
allow neutron_t NetworkManager_exec_t:file getattr;
allow neutron_t checkpolicy_exec_t:file getattr;
allow neutron_t chfn_exec_t:file getattr;
allow neutron_t chronyc_exec_t:file getattr;
allow neutron_t conmon_exec_t:file getattr;
allow neutron_t container_runtime_exec_t:file getattr;
allow neutron_t crontab_exec_t:file getattr;
allow neutron_t dbusd_exec_t:file getattr;
allow neutron_t devicekit_exec_t:file getattr;
allow neutron_t dmesg_exec_t:file getattr;
allow neutron_t fsadm_exec_t:file getattr;
allow neutron_t fusermount_exec_t:file getattr;
allow neutron_t glance_api_exec_t:file getattr;
allow neutron_t glance_scrubber_exec_t:file getattr;
allow neutron_t gpg_agent_exec_t:file getattr;
allow neutron_t gpg_exec_t:file getattr;
allow neutron_t groupadd_exec_t:file getattr;
allow neutron_t hostname_exec_t:file getattr;
allow neutron_t httpd_config_t:dir search;
allow neutron_t journalctl_exec_t:file getattr;
allow neutron_t kdumpctl_exec_t:file getattr;
allow neutron_t keepalived_exec_t:file getattr;
allow neutron_t loadkeys_exec_t:file getattr;
allow neutron_t locate_exec_t:file getattr;
allow neutron_t login_exec_t:file getattr;
allow neutron_t lsmd_exec_t:file getattr;
allow neutron_t lsmd_plugin_exec_t:file getattr;
allow neutron_t mandb_exec_t:file getattr;
allow neutron_t memcached_exec_t:file getattr;
allow neutron_t mount_exec_t:file getattr;
allow neutron_t mysqld_exec_t:file getattr;
allow neutron_t mysqld_safe_exec_t:file getattr;
allow neutron_t nova_exec_t:file getattr;
allow neutron_t numad_exec_t:file getattr;
allow neutron_t passwd_exec_t:file getattr;
allow neutron_t ping_exec_t:file getattr;
allow neutron_t plymouth_exec_t:file getattr;
allow neutron_t policykit_auth_exec_t:file getattr;
allow neutron_t rpcbind_exec_t:file getattr;
allow neutron_t rpmdb_exec_t:file getattr;
allow neutron_t rsync_exec_t:file getattr;
allow neutron_t ssh_agent_exec_t:file getattr;
allow neutron_t ssh_exec_t:file getattr;
allow neutron_t ssh_keygen_exec_t:file getattr;
allow neutron_t su_exec_t:file getattr;
allow neutron_t swtpm_exec_t:file getattr;
allow neutron_t systemd_hwdb_exec_t:file getattr;
allow neutron_t systemd_notify_exec_t:file getattr;
allow neutron_t systemd_passwd_agent_exec_t:file getattr;
allow neutron_t systemd_systemctl_exec_t:file getattr;
allow neutron_t systemd_tmpfiles_exec_t:file getattr;
allow neutron_t thumb_exec_t:file getattr;
allow neutron_t traceroute_exec_t:file getattr;
allow neutron_t virsh_exec_t:file getattr;
allow neutron_t virt_qemu_ga_exec_t:file getattr;
allow neutron_t virtd_exec_t:file getattr;
allow neutron_t vlock_exec_t:file getattr;
allow neutron_t pasta_exec_t:lnk_file read;
# full create/read/write/unlink on tmpfs files (used by the agent for its runtime state - presumably; verify)
allow neutron_t tmpfs_t:file { create getattr link open read unlink write };

#============= openvswitch_t ==============
# write to a socket under /run and bind the OVSDB TCP port, i.e. the
# --remote=ptcp:6640:127.0.0.1 listener set in /etc/sysconfig/openvswitch
allow openvswitch_t var_run_t:sock_file write;
allow openvswitch_t ovsdb_port_t:tcp_socket name_bind;

#============= openvswitch_load_module_t ==============
allow openvswitch_load_module_t tracefs_t:dir search;

#============= dnsmasq_t ==============
# lets dnsmasq bypass DAC permission checks; confirm the denial is real before keeping this
allow dnsmasq_t self:capability dac_override;

[root@dlp ~(keystone)]#
checkmodule -m -M -o ovsofctl.mod ovsofctl.te

[root@dlp ~(keystone)]#
semodule_package --outfile ovsofctl.pp --module ovsofctl.mod

[root@dlp ~(keystone)]#
semodule -i ovsofctl.pp

[4] If Firewalld is enabled, allow service ports.
[root@dlp ~(keystone)]#
firewall-cmd --add-port=9696/tcp

success
[root@dlp ~(keystone)]#
firewall-cmd --runtime-to-permanent

success
[5] Configure Nginx for proxy settings.
[root@dlp ~(keystone)]#
vi /etc/nginx/nginx.conf
# add the following to the [stream] section

stream {
    # Each OpenStack API listens on loopback only; Nginx terminates TLS on the
    # node address with the certificate below and forwards plain TCP to the backend,
    # so the loopback hop is the only unencrypted leg.
    upstream glance-api {
        server 127.0.0.1:9292;
    }
    server {
        listen 10.0.0.30:9292 ssl;
        proxy_pass glance-api;
    }
    upstream nova-api {
        server 127.0.0.1:8774;
    }
    server {
        listen 10.0.0.30:8774 ssl;
        proxy_pass nova-api;
    }
    # metadata API: the OVN metadata agent connects here with nova_metadata_protocol = https
    upstream nova-metadata-api {
        server 127.0.0.1:8775;
    }
    server {
        listen 10.0.0.30:8775 ssl;
        proxy_pass nova-metadata-api;
    }
    upstream placement-api {
        server 127.0.0.1:8778;
    }
    server {
        listen 10.0.0.30:8778 ssl;
        proxy_pass placement-api;
    }
    upstream novncproxy {
        server 127.0.0.1:6080;
    }
    server {
        listen 10.0.0.30:6080 ssl;
        proxy_pass novncproxy;
    }
    # Neutron API: matches bind_host = 127.0.0.1 / bind_port = 9696 in neutron.conf
    # and the 9696/tcp port opened in firewalld
    upstream neutron-api {
        server 127.0.0.1:9696;
    }
    server {
        listen 10.0.0.30:9696 ssl;
        proxy_pass neutron-api;
    }
    # no ssl_protocols / ssl_ciphers are set here, so this nginx build's defaults apply;
    # confirm they exclude legacy TLS versions if your policy requires it
    ssl_certificate "/etc/letsencrypt/live/dlp.srv.world/fullchain.pem";
    ssl_certificate_key "/etc/letsencrypt/live/dlp.srv.world/privkey.pem";
}
[6] Start Neutron services.
[root@dlp ~(keystone)]#
systemctl enable --now openvswitch

[root@dlp ~(keystone)]#
ovs-vsctl add-br br-int
[root@dlp ~(keystone)]#
ln -s /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini

[root@dlp ~(keystone)]#
su -s /bin/bash neutron -c "neutron-db-manage --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugin.ini upgrade head"
[root@dlp ~(keystone)]#
systemctl enable --now ovn-northd ovn-controller

[root@dlp ~(keystone)]#
ovn-nbctl set-connection ptcp:6641:10.0.0.30 -- set connection . inactivity_probe=60000

[root@dlp ~(keystone)]#
ovn-sbctl set-connection ptcp:6642:10.0.0.30 -- set connection . inactivity_probe=60000

[root@dlp ~(keystone)]#
ovs-vsctl set open . external-ids:ovn-remote=tcp:10.0.0.30:6642

[root@dlp ~(keystone)]#
ovs-vsctl set open . external-ids:ovn-encap-type=geneve

[root@dlp ~(keystone)]#
ovs-vsctl set open . external-ids:ovn-encap-ip=10.0.0.30

[root@dlp ~(keystone)]#
systemctl enable --now neutron-server neutron-ovn-metadata-agent

[root@dlp ~(keystone)]#
systemctl restart openstack-nova-api openstack-nova-compute nginx
# show status

[root@dlp ~(keystone)]#
openstack network agent list

+--------------------------------------+----------------------+---------------+-------------------+-------+-------+----------------------------+
| ID                                   | Agent Type           | Host          | Availability Zone | Alive | State | Binary                     |
+--------------------------------------+----------------------+---------------+-------------------+-------+-------+----------------------------+
| 939f5016-46df-566c-95b1-cd40bee73d9d | OVN Metadata agent   | dlp.srv.world |                   | :-)   | UP    | neutron-ovn-metadata-agent |
| 710cac87-fdc5-4d33-bb76-93e256532cd5 | OVN Controller agent | dlp.srv.world |                   | :-)   | UP    | ovn-controller             |
+--------------------------------------+----------------------+---------------+-------------------+-------+-------+----------------------------+