OpenStack Yoga : Configure Neutron OVN (Network Node) — 2022/05/31
Configure OpenStack Network Service (Neutron).
This example is based on the environment shown below.
Configure Neutron services with Open Virtual Network (OVN).

------------+-----------------------------+-----------------------------+------------
            |                             |                             |
        eth0|10.0.0.30                eth0|10.0.0.50                eth0|10.0.0.51
+-----------+-----------+     +-----------+-----------+     +-----------+-----------+
|   [ dlp.srv.world ]   |     | [ network.srv.world ] |     |  [ node01.srv.world ] |
|    (Control Node)     |     |    (Network Node)     |     |    (Compute Node)     |
|                       |     |                       |     |                       |
|  MariaDB    RabbitMQ  |     |     Open vSwitch      |     |        Libvirt        |
|  Memcached  httpd     |     |    Neutron Server     |     |     Nova Compute      |
|  Keystone   Glance    |     |      OVN-Northd       |     |     Open vSwitch      |
|  Nova API             |     |  OVN Metadata Agent   |     |                       |
|                       |     |    OVN-Controller     |     |                       |
+-----------------------+     +-----------------------+     +-----------------------+
[1] |
Create the user, endpoints and database for Neutron on the Control Node; refer to here.
In the linked example, Neutron Server (API) is installed on the Control Node, but in this example it is installed on the Network Node, so replace the Neutron endpoints with [10.0.0.50].
[2] | Install Neutron Server on Network Node. |
[root@network ~]# dnf --enablerepo=centos-openstack-yoga,powertools,epel -y install openstack-neutron openstack-neutron-ml2 ovn-2021-central nginx nginx-mod-stream
[3] | Configure Neutron Server. |
[root@network ~]# mv /etc/neutron/neutron.conf /etc/neutron/neutron.conf.org
[root@network ~]#
vi /etc/neutron/neutron.conf
# create new
[DEFAULT]
# listen on loopback only: Nginx terminates TLS on 10.0.0.50:9696 and proxies to this port
bind_host = 127.0.0.1
bind_port = 9696
core_plugin = ml2
service_plugins = ovn-router
auth_strategy = keystone
state_path = /var/lib/neutron
allow_overlapping_ips = True
notify_nova_on_port_status_changes = True
notify_nova_on_port_data_changes = True
# RabbitMQ connection info
transport_url = rabbit://openstack:password@dlp.srv.world

# Keystone auth info
[keystone_authtoken]
www_authenticate_uri = https://dlp.srv.world:5000
auth_url = https://dlp.srv.world:5000
memcached_servers = dlp.srv.world:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = neutron
password = servicepassword
# set to [true] only if Keystone on Apache httpd uses a self-signed certificate
insecure = false

[database]
connection = mysql+pymysql://neutron:password@dlp.srv.world/neutron_ml2

[nova]
auth_url = https://dlp.srv.world:5000
auth_type = password
project_domain_name = default
user_domain_name = default
region_name = RegionOne
project_name = service
username = nova
password = servicepassword
# set to [true] only if Keystone on Apache httpd uses a self-signed certificate
insecure = false

[oslo_concurrency]
lock_path = $state_path/tmp
[root@network ~]#
chmod 640 /etc/neutron/neutron.conf
[root@network ~]# chgrp neutron /etc/neutron/neutron.conf
[root@network ~]#
vi /etc/neutron/plugins/ml2/ml2_conf.ini # add to the end
[ml2]
type_drivers = flat,geneve
tenant_network_types = geneve
mechanism_drivers = ovn
extension_drivers = port_security
overlay_ip_version = 4
[ml2_type_geneve]
vni_ranges = 1:65536
max_header_size = 38
[ml2_type_flat]
flat_networks = *
[securitygroup]
enable_security_group = True
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
[ovn]
# IP address of this Network Node (OVN northbound/southbound DB, plain TCP without authentication)
ovn_nb_connection = tcp:10.0.0.50:6641
ovn_sb_connection = tcp:10.0.0.50:6642
ovn_l3_scheduler = leastloaded
ovn_metadata_enabled = True
[root@network ~]#
vi /etc/sysconfig/openvswitch
# line 28 : add
OPTIONS=" --ovsdb-server-options='--remote=ptcp:6640:127.0.0.1' "
[4] | Obtain a valid SSL/TLS certificate, or create a self-signed certificate, for the Network Node and configure Nginx as a TLS-terminating proxy in front of the Neutron API. |
[root@network ~]# mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.org
[root@network ~]#
vi /etc/nginx/nginx.conf
# create new
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    access_log /var/log/nginx/access.log main;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    include /etc/nginx/conf.d/*.conf;
}

stream {
    # TLS is terminated here; neutron-server itself only listens on 127.0.0.1:9696
    upstream neutron-api {
        server 127.0.0.1:9696;
    }
    server {
        listen 10.0.0.50:9696 ssl;
        proxy_pass neutron-api;
    }
    ssl_certificate "/etc/letsencrypt/live/network.srv.world/fullchain.pem";
    ssl_certificate_key "/etc/letsencrypt/live/network.srv.world/privkey.pem";
}
[5] | If SELinux is enabled, change policy. |
[root@network ~]# dnf --enablerepo=centos-openstack-yoga -y install openstack-selinux
[root@network ~]# setsebool -P neutron_can_network on
[root@network ~]# setsebool -P haproxy_connect_any on
[root@network ~]# setsebool -P daemons_enable_cluster_mode on
[root@network ~]#
vi ovsofctl.te
# create new
module ovsofctl 1.0;

require {
        type neutron_t;
        type neutron_exec_t;
        type neutron_t;
        type dnsmasq_t;
        type tracefs_t;
        type openvswitch_load_module_t;
        type var_run_t;
        type openvswitch_t;
        class sock_file write;
        class file execute_no_trans;
        class dir search;
        class capability { dac_override sys_rawio };
}

#============= neutron_t ==============
# dac_override and sys_rawio are broad capabilities; confirm they match the denials
# logged on your own system before installing this module
allow neutron_t self:capability { dac_override sys_rawio };
allow neutron_t neutron_exec_t:file execute_no_trans;

#============= openvswitch_t ==============
allow openvswitch_t var_run_t:sock_file write;

#============= openvswitch_load_module_t ==============
allow openvswitch_load_module_t tracefs_t:dir search;

#============= dnsmasq_t ==============
allow dnsmasq_t self:capability dac_override;

[root@network ~]# checkmodule -m -M -o ovsofctl.mod ovsofctl.te
[root@network ~]# semodule_package --outfile ovsofctl.pp --module ovsofctl.mod
[root@network ~]# semodule -i ovsofctl.pp
[6] | If Firewalld is running, allow the service ports: 9696 for the Neutron API and 6641/6642 for the OVN northbound/southbound databases. The OVN database ports are served over plain TCP without authentication in this setup, so limit the source addresses that may reach them to the hosts that need them rather than opening them to any host. |
[root@network ~]# firewall-cmd --add-port={9696/tcp,6641/tcp,6642/tcp}
success
[root@network ~]# firewall-cmd --runtime-to-permanent
success
[7] | Start Neutron services. |
[root@network ~]#
ln -s /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini
[root@network ~]# su -s /bin/bash neutron -c "neutron-db-manage --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugin.ini upgrade head"
[root@network ~]#
[root@network ~]# systemctl enable --now ovn-northd
[root@network ~]# ovn-nbctl set-connection ptcp:6641:10.0.0.50 -- set connection . inactivity_probe=60000
[root@network ~]# ovn-sbctl set-connection ptcp:6642:10.0.0.50 -- set connection . inactivity_probe=60000
systemctl enable --now neutron-server nginx