Configure Network nodes

Authors:

  • Paolo E. Mazzon (DEI)
  • Matteo Menguzzato (INFN Padova)
  • Gianpietro Sella (DISC)

Naming conventions and networking assumptions

In our setup both controller nodes also act as network nodes, so we assume that they have a second network interface, em2, for the data network:

  • Data network : 192.168.61.0/24

and two NICs connected to the external network:

  • em3 : two VLANs, tagged 401 and 402
  • em4 : one VLAN, tagged 303

Further pre-requisite on data network interface

In the network interface configuration script for the data network (something like /etc/sysconfig/network-scripts/ifcfg-XYZ), set the following parameter:

MTU="9000"

Considerations for High Availability

To make the Neutron agents highly available, just repeat this procedure on another network node, changing the value of the only relevant parameter, local_ip (the private IP on the data network).

Install OpenStack software (both nodes)

We assume the RDO yum repository is already installed, so:

yum -y install openstack-neutron-ml2

Configure system's networking properties (both nodes)

sed -i 's+^net\.ipv4\.ip_forward+#net\.ipv4\.ip_forward+' /etc/sysctl.conf
sed -i 's+^net\.ipv4\.conf\.default\.rp_filter+#net\.ipv4\.conf\.default\.rp_filter+' /etc/sysctl.conf
sed -i 's+^net\.ipv4\.conf\.all\.rp_filter+#net\.ipv4\.conf\.all\.rp_filter+' /etc/sysctl.conf
cat << EOF >> /etc/sysctl.conf
net.ipv4.ip_forward=1
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.default.rp_filter=0
net.bridge.bridge-nf-call-arptables=1
net.bridge.bridge-nf-call-iptables=1
net.bridge.bridge-nf-call-ip6tables=1
EOF
sysctl -p
service network restart
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p gre -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p gre -j ACCEPT
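
The GRE rule above accepts protocol 47 from any source, while the tunnels themselves run between local_ip addresses on the data network (192.168.61.0/24). The following added example, which is not part of the original guide, flags GRE ACCEPT rules that are not limited to that network. The function names are hypothetical, the sample listing is constructed in the form printed by `firewall-cmd --direct --get-all-rules`, and it assumes every tunnel endpoint sits in the data network.

```shell
#!/bin/bash
# Added example (not from the original guide): find GRE ACCEPT rules that
# are not restricted to the data network.
DATA_NET="192.168.61.0/24"   # data network as stated on this page

# unscoped_gre_rules: read a direct-rule listing on stdin and print every
# INPUT rule that accepts GRE without "-s $DATA_NET".
unscoped_gre_rules() {
    awk -v net="$DATA_NET" '
        $3 != "INPUT" { next }
        {
            gre = 0; accept = 0; scoped = 0
            for (i = 5; i <= NF; i++) {
                if (($i == "-p" || $i == "--protocol") &&
                    ($(i+1) == "gre" || $(i+1) == "47")) gre = 1
                if (($i == "-j" || $i == "--jump") && $(i+1) == "ACCEPT") accept = 1
                if (($i == "-s" || $i == "--source") && $(i+1) == net) scoped = 1
            }
            if (gre && accept && !scoped) print
        }'
}

# scoped_rule: print the direct-rule arguments of the restricted equivalent,
# ready to pass to "firewall-cmd [--permanent] --direct --add-rule".
scoped_rule() {
    echo "ipv4 filter INPUT 0 -p gre -s $DATA_NET -j ACCEPT"
}

# Constructed sample: the rule from this page, a scoped rule, an unrelated rule.
rules='ipv4 filter INPUT 0 -p gre -j ACCEPT
ipv4 filter INPUT 0 -p gre -s 192.168.61.0/24 -j ACCEPT
ipv4 filter INPUT 1 -p tcp --dport 22 -j ACCEPT'
printf '%s\n' "$rules" | unscoped_gre_rules
```

On a live node, feed it with `firewall-cmd --direct --get-all-rules | unscoped_gre_rules`.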

Configure Neutron agent services (both nodes)

In this section we customize several configuration files related to Neutron's agents.

api-paste.ini

while read i
do
   openstack-config --set /etc/neutron/api-paste.ini ${i}
done << EOF
filter:authtoken auth_host 192.168.60.180
filter:authtoken auth_uri http://192.168.60.180:5000
EOF

l3-agent.ini

openstack-config --set /etc/neutron/l3_agent.ini DEFAULT interface_driver neutron.agent.linux.interface.OVSInterfaceDriver
openstack-config --set /etc/neutron/l3_agent.ini DEFAULT use_namespaces True
openstack-config --set /etc/neutron/l3_agent.ini DEFAULT router_delete_namespaces True
openstack-config --set /etc/neutron/l3_agent.ini DEFAULT gateway_external_network_id   
openstack-config --set /etc/neutron/l3_agent.ini DEFAULT external_network_bridge   

dhcp_agent.ini

openstack-config --set /etc/neutron/dhcp_agent.ini DEFAULT interface_driver neutron.agent.linux.interface.OVSInterfaceDriver
openstack-config --set /etc/neutron/dhcp_agent.ini DEFAULT use_namespaces True
openstack-config --set /etc/neutron/dhcp_agent.ini DEFAULT dhcp_driver neutron.agent.linux.dhcp.Dnsmasq
openstack-config --set /etc/neutron/dhcp_agent.ini DEFAULT dhcp_delete_namespaces True

metadata_agent.ini

while read i
do
   openstack-config --set /etc/neutron/metadata_agent.ini ${i}
done << EOF
DEFAULT auth_url http://192.168.60.180:5000/v2.0
DEFAULT auth_region regionOne
DEFAULT admin_tenant_name services
DEFAULT admin_user neutron
DEFAULT admin_password NEUTRON_PASS
DEFAULT nova_metadata_ip 192.168.60.180
DEFAULT metadata_proxy_shared_secret METADATA_PASS
EOF

ml2_conf.ini

while read i
do
   openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini ${i}
done << EOF
ml2_type_vlan network_vlan_ranges physnet1:401:402,physnet2:303:303
ovs tenant_network_type gre
ovs tunnel_id_ranges 1:1000
ovs local_ip 192.168.61.152
ovs enable_tunneling True
ovs integration_bridge br-int
ovs tunnel_bridge br-tun
ovs bridge_mappings physnet1:br-ex,physnet2:br-ex2
ovs network_vlan_ranges physnet1:401:402,physnet2:303:303
EOF
 
ln -s /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini

Optional

When using GRE, virtual instances can show low network performance when measured with iperf. This is because a large part of the Ethernet packet is taken up by GRE overhead information. To solve this problem you can increase the MTU of the data network's switch to 9000 (a value that has worked well in our experience), or apply the following additional configuration:

openstack-config --set /etc/neutron/dhcp_agent.ini DEFAULT dnsmasq_config_file /etc/neutron/dnsmasq-neutron.conf

Create the dnsmasq config file:

cat << EOF >> /etc/neutron/dnsmasq-neutron.conf
dhcp-option-force=26,1400
EOF

Configure Open vSwitch network bridging (both nodes)

Start and enable Open vSwitch:

systemctl start openvswitch
systemctl enable openvswitch

Create the bridges:

ovs-vsctl add-br br-int
ovs-vsctl add-br br-ex
ovs-vsctl add-br br-ex2
ovs-vsctl add-port br-ex em3
ovs-vsctl add-port br-ex2 em4

Let's assume em3 and em4 are the NICs attached to the external (public) network:

cd /etc/sysconfig/network-scripts
mv ifcfg-em3 em3.orig
cat << EOF >> ifcfg-em3
TYPE=Ethernet
BOOTPROTO=none
DEVICE=em3
ONBOOT=yes
PROMISC=yes
EOF
 
mv ifcfg-em4 em4.orig
cat << EOF >> ifcfg-em4
TYPE=Ethernet
BOOTPROTO=none
DEVICE=em4
ONBOOT=yes
PROMISC=yes
EOF
 
systemctl restart network
cd -

Start and enable the Neutron agents:

sed -i 's,plugins/openvswitch/ovs_neutron_plugin.ini,plugin.ini,g' /usr/lib/systemd/system/neutron-openvswitch-agent.service
systemctl start neutron-dhcp-agent
systemctl start neutron-l3-agent
systemctl start neutron-metadata-agent
systemctl start neutron-openvswitch-agent
 
systemctl enable neutron-dhcp-agent 
systemctl enable neutron-l3-agent 
systemctl enable neutron-metadata-agent 
systemctl enable neutron-openvswitch-agent 

Check agents' redundancy

When you're done, you should be able to see all the agents running on all network nodes where you've applied this procedure. Execute the following command while logged into the controller node, or wherever you've installed the OpenStack CLI and copied the keystone_admin.sh created in the guide for the controller node:

[root@cld-blu-03 ~]# neutron agent-list
+--------------------------------------+--------------------+-----------------------------+-------+----------------+
| id                                   | agent_type         | host                        | alive | admin_state_up |
+--------------------------------------+--------------------+-----------------------------+-------+----------------+
| 188fe879-be8a-4390-b766-04e188e35c3c | L3 agent           | network-02.cloud.pd.infn.it | :-)   | True           |
| 42647a60-dbd0-4a85-942d-8fdbb0e2ae24 | Open vSwitch agent | network-01.cloud.pd.infn.it | :-)   | True           |
| cf6f7ec2-8700-498b-b62d-49d8b5616682 | DHCP agent         | network-02.cloud.pd.infn.it | :-)   | True           |
| dc249956-e81d-465c-b51f-cff0e1e04f05 | DHCP agent         | network-01.cloud.pd.infn.it | :-)   | True           |
| e196a6a2-8a3a-4bfe-b048-b50bee14761c | Open vSwitch agent | network-02.cloud.pd.infn.it | :-)   | True           |
| eb902101-8a16-43b5-87f8-b058530407f6 | L3 agent           | network-01.cloud.pd.infn.it | :-)   | True           |
+--------------------------------------+--------------------+-----------------------------+-------+----------------+

Optional: Configure Neutron's agents for SSL

Configure the files to use HTTPS and the fully qualified hostname:

openstack-config --set /etc/neutron/neutron.conf DEFAULT ssl_ca_file /etc/grid-security/chain.pem
openstack-config --set /etc/neutron/neutron.conf keystone_authtoken auth_host cloud.cedc.csia.unipd.it
openstack-config --set /etc/neutron/neutron.conf keystone_authtoken auth_protocol https
openstack-config --set /etc/neutron/neutron.conf keystone_authtoken auth_uri https://cloud.cedc.csia.unipd.it:35357/
openstack-config --set /etc/neutron/neutron.conf keystone_authtoken identity_uri https://cloud.cedc.csia.unipd.it:35357
 
openstack-config --set /etc/neutron/api-paste.ini filter:authtoken auth_host cloud.cedc.csia.unipd.it
openstack-config --set /etc/neutron/api-paste.ini filter:authtoken auth_uri https://cloud.cedc.csia.unipd.it:5000
openstack-config --set /etc/neutron/api-paste.ini filter:authtoken auth_protocol https
 
openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT auth_url https://cloud.cedc.csia.unipd.it:5000/v2.0
openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT auth_ca_cert /etc/grid-security/chain.pem

Restart Neutron's agents:

systemctl restart neutron-dhcp-agent
systemctl restart neutron-l3-agent
systemctl restart neutron-metadata-agent
systemctl restart neutron-openvswitch-agent
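
A check for the metadata_agent.ini settings written in the sections above (the NEUTRON_PASS and METADATA_PASS placeholders, the Keystone URL scheme and the CA file), as an added example that is not part of the original guide. The function names are hypothetical and the sample file is constructed from the values shown on this page.

```shell
#!/bin/bash
# Added example (not from the original guide): audit metadata_agent.ini.

# ini_get FILE KEY: print the trimmed value of KEY; the last assignment wins.
ini_get() {
    awk -v k="$2" '
        /^[ \t]*(#|;|\[)/ { next }              # comments and [section] headers
        index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1); gsub(/^[ \t]+|[ \t]+$/, "", key)
            val = substr($0, index($0, "=") + 1);    gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == k) found = val
        }
        END { print found }' "$1"
}

# audit_metadata_ini FILE: print one finding per line, return the finding count.
audit_metadata_ini() {
    local f="$1" n=0 key v
    for key in admin_password metadata_proxy_shared_secret; do
        v=$(ini_get "$f" "$key")
        case "$v" in
            ""|NEUTRON_PASS|METADATA_PASS)
                echo "FAIL $key: empty or still the guide's placeholder"; n=$((n + 1)) ;;
        esac
    done
    v=$(ini_get "$f" auth_url)
    case "$v" in
        https://*)   # TLS in use: a CA bundle must be set to validate Keystone
            [ -n "$(ini_get "$f" auth_ca_cert)" ] ||
                { echo "FAIL auth_ca_cert: not set"; n=$((n + 1)); } ;;
        *)  echo "FAIL auth_url: '$v' is not https"; n=$((n + 1)) ;;
    esac
    # Characters 8-10 of the ls mode string are the permissions for "other".
    [ "$(ls -ld "$f" | cut -c8-10)" = "---" ] ||
        { echo "FAIL permissions: file with secrets is accessible to other"; n=$((n + 1)); }
    return "$n"
}

# Constructed sample: the values as the plain-HTTP section of this page writes them.
sample=$(mktemp) && chmod 644 "$sample"
cat > "$sample" << 'EOF'
[DEFAULT]
auth_url = http://192.168.60.180:5000/v2.0
admin_password = NEUTRON_PASS
metadata_proxy_shared_secret = METADATA_PASS
EOF
audit_metadata_ini "$sample" || echo "findings: $?"
rm -f "$sample"
```

On a network node, run `audit_metadata_ini /etc/neutron/metadata_agent.ini` after the restart; a return code of 0 means no findings.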
progetti/cloud-areapd/ced-c/install_and_configure_network_nodes.txt · Last modified: 2016/03/02 10:48 by mengumat@infn.it