====== Configure Network nodes ======

Authors:
  * Paolo E. Mazzon (DEI)
  * Matteo Menguzzato (INFN Padova)
  * Gianpietro Sella (DISC)

===== Naming conventions and networking assumptions =====

In our setup both controller nodes also act as network nodes, so we assume that they have a second network interface ''em2'' for the data network:
  * **Data network**: ''192.168.61.0/24''

and two NICs connected to the external network:
  * **em3**: two VLANs, tagged 401 and 402
  * **em4**: one VLAN, tagged 303

==== Further pre-requisite on data network interface ====

In the interface configuration script for the data network (something like ''/etc/sysconfig/network-scripts/ifcfg-XYZ'') put the following parameter:

<code>
MTU="9000"
</code>

===== Considerations for High Availability =====

To make the Neutron agents highly available, just repeat this procedure on another network node, changing only the one node-specific parameter, ''local_ip'' (the node's private IP on the data network).

===== Install OpenStack software (both nodes) =====

We assume the RDO yum repository is already installed, so:

<code bash>
yum -y install openstack-neutron-ml2
</code>

===== Configure system's networking properties (both nodes) =====

Enable IP forwarding, disable reverse-path filtering (Neutron's router namespaces forward traffic asymmetrically, so ''rp_filter'' would drop it) and make bridged traffic traverse netfilter:

<code bash>
sed -i 's+^net\.ipv4\.ip_forward+#net\.ipv4\.ip_forward+' /etc/sysctl.conf
sed -i 's+^net\.ipv4\.conf\.default\.rp_filter+#net\.ipv4\.conf\.default\.rp_filter+' /etc/sysctl.conf
sed -i 's+^net\.ipv4\.conf\.all\.rp_filter+#net\.ipv4\.conf\.all\.rp_filter+' /etc/sysctl.conf
cat << EOF >> /etc/sysctl.conf
net.ipv4.ip_forward=1
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.default.rp_filter=0
net.bridge.bridge-nf-call-arptables=1
net.bridge.bridge-nf-call-iptables=1
net.bridge.bridge-nf-call-ip6tables=1
EOF
sysctl -p
service network restart
</code>

Allow GRE traffic (the tunnel protocol used between network and compute nodes) through firewalld, both at runtime and permanently:

<code bash>
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p gre -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p gre -j ACCEPT
</code>

===== Configure Neutron agent services (both nodes) =====

In this section we customize several configuration files related to Neutron's
agents.

**api-paste.ini**

<code bash>
while read i
do
  openstack-config --set /etc/neutron/api-paste.ini ${i}
done << EOF
filter:authtoken auth_host 192.168.60.180
filter:authtoken auth_uri http://192.168.60.180:5000
EOF
</code>

**l3_agent.ini**

The last two parameters are deliberately set to an empty value: with no fixed external bridge or external network id, one L3 agent can serve both external networks through the ''bridge_mappings'' defined below.

<code bash>
openstack-config --set /etc/neutron/l3_agent.ini DEFAULT interface_driver neutron.agent.linux.interface.OVSInterfaceDriver
openstack-config --set /etc/neutron/l3_agent.ini DEFAULT use_namespaces True
openstack-config --set /etc/neutron/l3_agent.ini DEFAULT router_delete_namespaces True
openstack-config --set /etc/neutron/l3_agent.ini DEFAULT gateway_external_network_id
openstack-config --set /etc/neutron/l3_agent.ini DEFAULT external_network_bridge
</code>

**dhcp_agent.ini**

<code bash>
openstack-config --set /etc/neutron/dhcp_agent.ini DEFAULT interface_driver neutron.agent.linux.interface.OVSInterfaceDriver
openstack-config --set /etc/neutron/dhcp_agent.ini DEFAULT use_namespaces True
openstack-config --set /etc/neutron/dhcp_agent.ini DEFAULT dhcp_driver neutron.agent.linux.dhcp.Dnsmasq
openstack-config --set /etc/neutron/dhcp_agent.ini DEFAULT dhcp_delete_namespaces True
</code>

**metadata_agent.ini**

Replace ''NEUTRON_PASS'' and ''METADATA_PASS'' with the Neutron service password and the metadata proxy shared secret chosen for the controller nodes.

<code bash>
while read i
do
  openstack-config --set /etc/neutron/metadata_agent.ini ${i}
done << EOF
DEFAULT auth_url http://192.168.60.180:5000/v2.0
DEFAULT auth_region regionOne
DEFAULT admin_tenant_name services
DEFAULT admin_user neutron
DEFAULT admin_password NEUTRON_PASS
DEFAULT nova_metadata_ip 192.168.60.180
DEFAULT metadata_proxy_shared_secret METADATA_PASS
EOF
</code>

**ml2_conf.ini**

<code bash>
while read i
do
  openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini ${i}
done << EOF
ml2_type_vlan network_vlan_ranges physnet1:401:402,physnet2:303:303
ovs tenant_network_type gre
ovs tunnel_id_ranges 1:1000
ovs local_ip 192.168.61.152
ovs enable_tunneling True
ovs integration_bridge br-int
ovs tunnel_bridge br-tun
ovs bridge_mappings physnet1:br-ex,physnet2:br-ex2
ovs network_vlan_ranges physnet1:401:402,physnet2:303:303
EOF
ln -s /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini
</code>
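Most of the settings above fail silently when they are wrong: a leftover ''rp_filter=1'', a data NIC that never got the 9000 MTU, a GRE rule that was added at runtime but not made permanent, or a ''local_ip'' copied unchanged to the second network node. The script below is an added example, not part of the original guide: it audits a node's ''sysctl -a'' output, the data NIC's ifcfg file, firewalld's permanent direct rules and the ''[ovs]'' section of ''ml2_conf.ini'' against the values this guide sets. The function names, the choice of ''ifcfg-em2'' as the data interface file and all sample inputs are assumptions constructed for the example.

```shell
#!/bin/bash
# Added example (not from the original guide): audit a network node against the
# settings this guide applies. Function names and sample inputs are constructed.

# Values the guide appends to /etc/sysctl.conf.
EXPECTED_SYSCTL='net.ipv4.ip_forward=1
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.default.rp_filter=0
net.bridge.bridge-nf-call-arptables=1
net.bridge.bridge-nf-call-iptables=1
net.bridge.bridge-nf-call-ip6tables=1'

# check_sysctl "<output of sysctl -a>": prints each mismatch, returns the number of mismatches.
check_sysctl() {
  actual="$1"
  bad=0
  while IFS='=' read -r key want; do
    [ -n "$key" ] || continue
    esc=$(printf '%s' "$key" | sed 's/\./\\./g')      # make the dots literal in the regex
    got=$(printf '%s\n' "$actual" | sed -n "s/^$esc *= *//p" | head -n 1)
    if [ "$got" != "$want" ]; then
      echo "MISMATCH $key: want $want, got ${got:-<unset>}"
      bad=$((bad + 1))
    fi
  done <<EOF
$EXPECTED_SYSCTL
EOF
  return "$bad"
}

# check_mtu "<content of the data NIC ifcfg file>": 0 if MTU=9000 (quoted or not) is set.
check_mtu() {
  printf '%s\n' "$1" | grep -Eq '^MTU="?9000"?$'
}

# check_gre_rule "<output of firewall-cmd --permanent --direct --get-all-rules>":
# 0 if the permanent GRE accept rule from the guide is present.
check_gre_rule() {
  printf '%s\n' "$1" | grep -Eq '^ipv4 +filter +INPUT +0 +-p +gre +-j +ACCEPT$'
}

# check_local_ip "<ml2_conf.ini>" "<data NIC ifcfg file>": 0 if the [ovs] local_ip is the
# address configured on this node's own data NIC (the one per-node value in the guide).
check_local_ip() {
  local_ip=$(printf '%s\n' "$1" | sed -n 's/^local_ip *= *//p' | head -n 1)
  ipaddr=$(printf '%s\n' "$2" | sed -n 's/^IPADDR=//p' | head -n 1 | tr -d '"')
  [ -n "$local_ip" ] && [ "$local_ip" = "$ipaddr" ]
}

# audit_node SYSCTL IFCFG RULES ML2: runs every check, returns the number of failed checks.
audit_node() {
  failed=0
  check_sysctl "$1"        || failed=$((failed + 1))
  check_mtu "$2"           || { echo "MTU is not 9000 on the data NIC"; failed=$((failed + 1)); }
  check_gre_rule "$3"      || { echo "permanent GRE rule missing"; failed=$((failed + 1)); }
  check_local_ip "$4" "$2" || { echo "local_ip does not match the data NIC address"; failed=$((failed + 1)); }
  return "$failed"
}

# Constructed sample inputs (not captured from a real node). One sysctl value and the
# local_ip are deliberately wrong so the failure path is exercised.
SAMPLE_SYSCTL='net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 0
net.bridge.bridge-nf-call-arptables = 1
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1'
SAMPLE_IFCFG='DEVICE=em2
BOOTPROTO=none
ONBOOT=yes
IPADDR=192.168.61.152
NETMASK=255.255.255.0
MTU="9000"'
SAMPLE_RULES='ipv4 filter INPUT 0 -p gre -j ACCEPT'
SAMPLE_ML2='[ovs]
tenant_network_type = gre
local_ip = 192.168.61.151
enable_tunneling = True'

audit_node "$SAMPLE_SYSCTL" "$SAMPLE_IFCFG" "$SAMPLE_RULES" "$SAMPLE_ML2" \
  && echo "node OK" || echo "node has $? problem(s)"
# On a real node feed it live data instead (ifcfg-em2 is an assumed file name):
#   audit_node "$(sysctl -a 2>/dev/null)" "$(cat /etc/sysconfig/network-scripts/ifcfg-em2)" \
#     "$(firewall-cmd --permanent --direct --get-all-rules)" "$(cat /etc/neutron/plugins/ml2/ml2_conf.ini)"
```

Run it on both network nodes: the sysctl, MTU and GRE checks must pass on each, while ''local_ip'' must match that node's own data NIC address, which is exactly the value that has to differ between the two.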
=== Optional ===

When using GRE, virtual instances can show poor network performance (as measured with iperf), because part of every Ethernet frame is consumed by the GRE encapsulation overhead. To solve this you can raise the MTU of the data network's switch to 9000 (a value that has worked well for us), or apply the following additional configuration:

<code bash>
openstack-config --set /etc/neutron/dhcp_agent.ini DEFAULT dnsmasq_config_file /etc/neutron/dnsmasq-neutron.conf
</code>

Create dnsmasq's config file (DHCP option 26 is the interface MTU, so instances will configure an MTU of 1400 and leave room for the GRE header):

<code bash>
cat << EOF >> /etc/neutron/dnsmasq-neutron.conf
dhcp-option-force=26,1400
EOF
</code>

===== Configure Open vSwitch network bridging (both nodes) =====

Turn ''openvswitch'' on:

<code bash>
systemctl start openvswitch
systemctl enable openvswitch
</code>

Create the bridges:

<code bash>
ovs-vsctl add-br br-int
ovs-vsctl add-br br-ex
ovs-vsctl add-br br-ex2
ovs-vsctl add-port br-ex em3
ovs-vsctl add-port br-ex2 em4
</code>

Let's assume ''em3'' and ''em4'' are the NICs attached to the external (public) network; reconfigure them so they come up without an IP address and in promiscuous mode:

<code bash>
cd /etc/sysconfig/network-scripts
mv ifcfg-em3 em3.orig
cat << EOF >> ifcfg-em3
TYPE=Ethernet
BOOTPROTO=none
DEVICE=em3
ONBOOT=yes
PROMISC=yes
EOF
mv ifcfg-em4 em4.orig
cat << EOF >> ifcfg-em4
TYPE=Ethernet
BOOTPROTO=none
DEVICE=em4
ONBOOT=yes
PROMISC=yes
EOF
systemctl restart network
cd -
</code>

Start and enable the Neutron agents (first point the Open vSwitch agent's systemd unit at ''plugin.ini'' instead of the old ''ovs_neutron_plugin.ini'' path):

<code bash>
sed -i 's,plugins/openvswitch/ovs_neutron_plugin.ini,plugin.ini,g' /usr/lib/systemd/system/neutron-openvswitch-agent.service
systemctl daemon-reload   # the unit file was edited, so systemd must re-read it
systemctl start neutron-dhcp-agent
systemctl start neutron-l3-agent
systemctl start neutron-metadata-agent
systemctl start neutron-openvswitch-agent
systemctl enable neutron-dhcp-agent
systemctl enable neutron-l3-agent
systemctl enable neutron-metadata-agent
systemctl enable neutron-openvswitch-agent
</code>

===== Check agents' redundancy =====

When you are done, you should be able to see all the agents running on every network node where you have applied this procedure.
Execute the following command while logged into the controller node, or wherever you have installed the OpenStack CLI and copied the ''keystone_admin.sh'' created in the guide for the [[http://wiki.infn.it/progetti/cloud-areapd/keystone-glance_high_availability/openstack_ha/controller_node|controller node]]:

<code>
[root@cld-blu-03 ~]# neutron agent-list
+--------------------------------------+--------------------+-----------------------------+-------+----------------+
| id                                   | agent_type         | host                        | alive | admin_state_up |
+--------------------------------------+--------------------+-----------------------------+-------+----------------+
| 188fe879-be8a-4390-b766-04e188e35c3c | L3 agent           | network-02.cloud.pd.infn.it | :-)   | True           |
| 42647a60-dbd0-4a85-942d-8fdbb0e2ae24 | Open vSwitch agent | network-01.cloud.pd.infn.it | :-)   | True           |
| cf6f7ec2-8700-498b-b62d-49d8b5616682 | DHCP agent         | network-02.cloud.pd.infn.it | :-)   | True           |
| dc249956-e81d-465c-b51f-cff0e1e04f05 | DHCP agent         | network-01.cloud.pd.infn.it | :-)   | True           |
| e196a6a2-8a3a-4bfe-b048-b50bee14761c | Open vSwitch agent | network-02.cloud.pd.infn.it | :-)   | True           |
| eb902101-8a16-43b5-87f8-b058530407f6 | L3 agent           | network-01.cloud.pd.infn.it | :-)   | True           |
+--------------------------------------+--------------------+-----------------------------+-------+----------------+
</code>

Every agent type appears once per network node and is marked alive (''%%:-)%%'').

===== Optional: Configure Neutron's agents for SSL =====

Configure the files to use ''https'' and the fully qualified hostname of the Keystone endpoint; ''/etc/grid-security/chain.pem'' is the CA chain the agents use to validate its certificate:

<code bash>
openstack-config --set /etc/neutron/neutron.conf DEFAULT ssl_ca_file /etc/grid-security/chain.pem
openstack-config --set /etc/neutron/neutron.conf keystone_authtoken auth_host cloud.cedc.csia.unipd.it
openstack-config --set /etc/neutron/neutron.conf keystone_authtoken auth_protocol https
openstack-config --set /etc/neutron/neutron.conf keystone_authtoken auth_uri https://cloud.cedc.csia.unipd.it:35357/
openstack-config --set /etc/neutron/neutron.conf keystone_authtoken identity_uri https://cloud.cedc.csia.unipd.it:35357
openstack-config --set /etc/neutron/api-paste.ini filter:authtoken auth_host cloud.cedc.csia.unipd.it
openstack-config --set /etc/neutron/api-paste.ini filter:authtoken auth_uri https://cloud.cedc.csia.unipd.it:5000
openstack-config --set /etc/neutron/api-paste.ini filter:authtoken auth_protocol https
openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT auth_url https://cloud.cedc.csia.unipd.it:5000/v2.0
openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT auth_ca_cert /etc/grid-security/chain.pem
</code>

Restart Neutron's agents:

<code bash>
systemctl restart neutron-dhcp-agent
systemctl restart neutron-l3-agent
systemctl restart neutron-metadata-agent
systemctl restart neutron-openvswitch-agent
</code>
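After the restart it is worth re-running the check from the ''Check agents' redundancy'' section, and reading the table by eye does not scale once more nodes are added. The script below is an added example, not part of the original guide: it parses the table that ''neutron agent-list'' prints and fails if any agent is down, has ''admin_state_up'' set to ''False'', or if any agent type is alive on fewer than two nodes. The function name is an assumption; ''SAMPLE_OK'' is the table shown in the redundancy section above, while ''SAMPLE_DEGRADED'' is a constructed table with one L3 agent down and no second DHCP agent.

```shell
#!/bin/bash
# Added example (not from the original guide): parse `neutron agent-list` output and
# verify that every agent type is alive on at least MIN_HOSTS network nodes.

# check_agent_redundancy "<agent-list table>" [MIN_HOSTS]
# Prints "<type>: <alive>/<total> alive" per agent type plus one line for every agent
# that is down; returns 1 if any agent is down, any type is alive on fewer than
# MIN_HOSTS (default 2) nodes, or no agent rows were parsed at all, otherwise 0.
check_agent_redundancy() {
  printf '%s\n' "$1" | awk -F'|' -v min="${2:-2}" '
    # data rows start with "| <uuid> |"; the header ("| id |") and the "+----+"
    # separator lines do not match this pattern
    /^\| [0-9a-f-]+ \|/ {
      for (i = 2; i <= 6; i++) gsub(/^ +| +$/, "", $i)   # trim the cells
      type = $3; host = $4; alive = $5; admin = $6
      rows++
      total[type]++
      if (alive == ":-)" && admin == "True") {
        up[type]++
      } else {
        down++
        print "DOWN: " type " on " host " (alive=" alive ", admin_state_up=" admin ")"
      }
    }
    END {
      rc = (down > 0) ? 1 : 0
      for (t in total) {
        printf "%s: %d/%d alive\n", t, up[t], total[t]
        if (up[t] < min) {
          print "WARNING: " t " is alive on fewer than " min " nodes"
          rc = 1
        }
      }
      if (rows == 0) { print "no agent rows parsed"; rc = 1 }
      exit rc
    }'
}

# Table copied from the redundancy-check section of this guide.
SAMPLE_OK='+--------------------------------------+--------------------+-----------------------------+-------+----------------+
| id                                   | agent_type         | host                        | alive | admin_state_up |
+--------------------------------------+--------------------+-----------------------------+-------+----------------+
| 188fe879-be8a-4390-b766-04e188e35c3c | L3 agent           | network-02.cloud.pd.infn.it | :-)   | True           |
| 42647a60-dbd0-4a85-942d-8fdbb0e2ae24 | Open vSwitch agent | network-01.cloud.pd.infn.it | :-)   | True           |
| cf6f7ec2-8700-498b-b62d-49d8b5616682 | DHCP agent         | network-02.cloud.pd.infn.it | :-)   | True           |
| dc249956-e81d-465c-b51f-cff0e1e04f05 | DHCP agent         | network-01.cloud.pd.infn.it | :-)   | True           |
| e196a6a2-8a3a-4bfe-b048-b50bee14761c | Open vSwitch agent | network-02.cloud.pd.infn.it | :-)   | True           |
| eb902101-8a16-43b5-87f8-b058530407f6 | L3 agent           | network-01.cloud.pd.infn.it | :-)   | True           |
+--------------------------------------+--------------------+-----------------------------+-------+----------------+'

# Constructed degraded table (not real output): one L3 agent is down ("xxx") and
# only one DHCP agent exists, so both types must be flagged.
SAMPLE_DEGRADED='+--------------------------------------+--------------------+-----------------------------+-------+----------------+
| id                                   | agent_type         | host                        | alive | admin_state_up |
+--------------------------------------+--------------------+-----------------------------+-------+----------------+
| 188fe879-be8a-4390-b766-04e188e35c3c | L3 agent           | network-02.cloud.pd.infn.it | xxx   | True           |
| eb902101-8a16-43b5-87f8-b058530407f6 | L3 agent           | network-01.cloud.pd.infn.it | :-)   | True           |
| dc249956-e81d-465c-b51f-cff0e1e04f05 | DHCP agent         | network-01.cloud.pd.infn.it | :-)   | True           |
+--------------------------------------+--------------------+-----------------------------+-------+----------------+'

check_agent_redundancy "$SAMPLE_OK" && echo "redundancy OK"
check_agent_redundancy "$SAMPLE_DEGRADED" || echo "redundancy NOT OK"
# On the controller, with the admin credentials loaded:
#   . ./keystone_admin.sh && check_agent_redundancy "$(neutron agent-list)"
```

The awk script keys everything on the ''agent_type'' column, so it works unchanged if a third network node is added; pass a larger second argument to require more than two alive agents per type.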