Differences

This shows you the differences between two versions of the page.

--- progetti:cloud-areapd:ced-c:install_and_configure_network_nodes [2015/04/01 18:10] – [Configure Open vSwitch network bridging (both nodes)] sella@infn.it
+++ progetti:cloud-areapd:ced-c:install_and_configure_network_nodes [2016/03/02 10:48] (current) – [Configure system's networking properties (both nodes)] mengumat@infn.it
@@ Line 1: / Line 1: @@
+======= Configure Network nodes =======
+Authors:
+   * Paolo E. Mazzon (DEI)
+   * Matteo Menguzzato (INFN Padova)
+   * Gianpietro Sella (DISC)
+===== Naming conventions and networking assumptions =====
+In our setup both controller nodes also act as network nodes so we assume that they have a second network interface em2 for data network:
+   * **Data network** : ''192.168.61.0/24''
+and 2 NIC connected with external network:
+   * **em3** : 2 vlan tagged with 401 and 402
+   * **em4** : 1 vlan tagged with 303
+==== Further pre-requisite on data network interface ====
+In the net-interface configuration script for data network (something like ''/etc/sysconfig/network-scripts/ifcfg-XYZ'') put the following parameter:
+<code bash>
+MTU="9000"
+</code>
+===== Considerations for High Availability =====
+To make the Neutron agents highly available, just repeat this procedure on another network node, changing the value for the only relevant parameter ''local_ip'' (the private IP on the data network)
+===== Install OpenStack software (both nodes) =====
+We assume RDO yum repository is already installed, so:
+<code bash>
+yum -y install openstack-neutron-ml2
+</code>
+===== Configure system's networking properties (both nodes) =====
+<code bash>
+sed -i 's+^net\.ipv4.ip_forward+#net\.ipv4.ip_forward+' /etc/sysctl.conf
+sed -i 's+^net\.ipv4\.conf\.default\.rp_filter+#net\.ipv4\.conf\.default\.rp_filter+' /etc/sysctl.conf
+sed -i 's+^net\.ipv4\.conf\.all\.rp_filter+#net\.ipv4\.conf\.all\.rp_filter+' /etc/sysctl.conf
+cat << EOF >> /etc/sysctl.conf
+net.ipv4.ip_forward=1
+net.ipv4.conf.all.rp_filter=0
+net.ipv4.conf.default.rp_filter=0
+net.bridge.bridge-nf-call-arptables=1
+net.bridge.bridge-nf-call-iptables=1
+net.bridge.bridge-nf-call-ip6tables=1
+EOF
+sysctl -p
+service network restart
+firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p gre -j ACCEPT
+firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p gre -j ACCEPT
+</code>
+===== Configure Neutron agent services (both nodes) =====
+In this section we customize several configuration files related to Neutron's agents.
+**api-paste.ini**
+<code bash>
+while read i
+do
+   openstack-config --set /etc/neutron/api-paste.ini ${i}
+done << EOF
+filter:authtoken auth_host 192.168.60.180
+filter:authtoken auth_uri http://192.168.60.180:5000
+EOF
+</code>
+**l3-agent.ini**
+<code bash>
+openstack-config --set /etc/neutron/l3_agent.ini DEFAULT interface_driver neutron.agent.linux.interface.OVSInterfaceDriver
+openstack-config --set /etc/neutron/l3_agent.ini DEFAULT use_namespaces True
+openstack-config --set /etc/neutron/l3_agent.ini DEFAULT router_delete_namespaces True
+openstack-config --set /etc/neutron/l3_agent.ini DEFAULT gateway_external_network_id
+openstack-config --set /etc/neutron/l3_agent.ini DEFAULT external_network_bridge
+</code>
+**dhcp_agent.ini**
+<code bash>
+openstack-config --set /etc/neutron/dhcp_agent.ini DEFAULT interface_driver neutron.agent.linux.interface.OVSInterfaceDriver
+openstack-config --set /etc/neutron/dhcp_agent.ini DEFAULT use_namespaces True
+openstack-config --set /etc/neutron/dhcp_agent.ini DEFAULT dhcp_driver neutron.agent.linux.dhcp.Dnsmasq
+openstack-config --set /etc/neutron/dhcp_agent.ini DEFAULT dhcp_delete_namespaces True
+</code>
+**metadata_agent.ini**
+<code bash>
+while read i
+do
+   openstack-config --set /etc/neutron/metadata_agent.ini ${i}
+done << EOF
+DEFAULT auth_url http://192.168.60.180:5000/v2.0
+DEFAULT auth_region regionOne
+DEFAULT admin_tenant_name services
+DEFAULT admin_user neutron
+DEFAULT admin_password NEUTRON_PASS
+DEFAULT nova_metadata_ip 192.168.60.180
+DEFAULT metadata_proxy_shared_secret METADATA_PASS
+EOF
+</code>
+**ml2_conf.ini**
+<code bash>
+while read i
+do
+   openstack-config --set /etc/neutron/plugins/ml2/ml2_conf.ini ${i}
+done << EOF
+ml2_type_vlan network_vlan_ranges physnet1:401:402,physnet2:303:303
+ovs tenant_network_type gre
+ovs tunnel_id_ranges 1:1000
+ovs local_ip 192.168.61.152
+ovs enable_tunneling True
+ovs integration_bridge br-int
+ovs tunnel_bridge br-tun
+ovs bridge_mappings physnet1:br-ex,physnet2:br-ex2
+ovs network_vlan_ranges physnet1:401:402,physnet2:303:303
+EOF
+ln -s /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini
+</code>
+=== Optional ===
+When using GRE the virtual instances can experience low network performances measured by iperf. This is because the ethernet packet is greatly used for GRE overhead information. To solve this problem you can increase to 9000 (this is a good value we've experienced) the MTU of the data network's switch, or do the following additional configuration:
+<code bash>
+openstack-config --set /etc/neutron/dhcp_agent.ini DEFAULT dnsmasq_config_file /etc/neutron/dnsmasq-neutron.conf
+</code>
+Create the dnsmasq's config file:
+<code bash>
+cat << EOF >> /etc/neutron/dnsmasq-neutron.conf
+dhcp-option-force=26,1400
+EOF
+</code>
+===== Configure Open vSwitch network bridging (both nodes) =====
+Turn the ''openvswitch'' ON:
+<code bash>
+systemctl start openvswitch
+systemctl enable openvswitch
+</code>
+Create the bridges:
+<code bash>
+ovs-vsctl add-br br-int
+ovs-vsctl add-br br-ex
+ovs-vsctl add-br br-ex2
+ovs-vsctl add-port br-ex em3
+ovs-vsctl add-port br-ex2 em4
+</code>
+Let's assume ''em3'' and ''em4'' are the NIC attached to the external (public) network:
+<code bash>
+cd /etc/sysconfig/network-scripts
+mv ifcfg-em3 em3.orig
+cat << EOF >> ifcfg-em3
+TYPE=Ethernet
+BOOTPROTO=none
+DEVICE=em3
+ONBOOT=yes
+PROMISC=yes
+EOF
+mv ifcfg-em4 em4.orig
+cat << EOF >> ifcfg-em4
+TYPE=Ethernet
+BOOTPROTO=none
+DEVICE=em4
+ONBOOT=yes
+PROMISC=yes
+EOF
+systemctl restart network
+cd -
+</code>
+Start and enable the Neutron agents:
+<code bash>
+sed -i 's,plugins/openvswitch/ovs_neutron_plugin.ini,plugin.ini,g' /usr/lib/systemd/system/neutron-openvswitch-agent.service
+systemctl start neutron-dhcp-agent
+systemctl start neutron-l3-agent
+systemctl start neutron-metadata-agent
+systemctl start neutron-openvswitch-agent
+systemctl enable neutron-dhcp-agent
+systemctl enable neutron-l3-agent
+systemctl enable neutron-metadata-agent
+systemctl enable neutron-openvswitch-agent
+</code>
+===== Check agents' redundancy =====
+When you've done, you should be able to see all the agents running on all network nodes where you've applied this procedure. Execute the following command while logged into the controller node, or wherever you've installed the Openstack CLI and copied the ''keystone_admin.sh'' created in the guide for the [[http://wiki.infn.it/progetti/cloud-areapd/keystone-glance_high_availability/openstack_ha/controller_node|controller node]]:
+<code bash>
+[root@cld-blu-03 ~]# neutron agent-list
++--------------------------------------+--------------------+-----------------------------+-------+----------------+
+| id                                   | agent_type         | host                        | alive | admin_state_up |
++--------------------------------------+--------------------+-----------------------------+-------+----------------+
+| 188fe879-be8a-4390-b766-04e188e35c3c | L3 agent           | network-02.cloud.pd.infn.it | :-)   | True           |
+| 42647a60-dbd0-4a85-942d-8fdbb0e2ae24 | Open vSwitch agent | network-01.cloud.pd.infn.it | :-)   | True           |
+| cf6f7ec2-8700-498b-b62d-49d8b5616682 | DHCP agent         | network-02.cloud.pd.infn.it | :-)   | True           |
+| dc249956-e81d-465c-b51f-cff0e1e04f05 | DHCP agent         | network-01.cloud.pd.infn.it | :-)   | True           |
+| e196a6a2-8a3a-4bfe-b048-b50bee14761c | Open vSwitch agent | network-02.cloud.pd.infn.it | :-)   | True           |
+| eb902101-8a16-43b5-87f8-b058530407f6 | L3 agent           | network-01.cloud.pd.infn.it | :-)   | True           |
++--------------------------------------+--------------------+-----------------------------+-------+----------------+
+</code>
+===== Optional: Configure Neutron's agents for SSL =====
+Configure files to use ''https'' and fully qualified hostname:
+<code bash>
+openstack-config --set /etc/neutron/neutron.conf DEFAULT ssl_ca_file /etc/grid-security/chain.pem
+openstack-config --set /etc/neutron/neutron.conf keystone_authtoken auth_host cloud.cedc.csia.unipd.it
+openstack-config --set /etc/neutron/neutron.conf keystone_authtoken auth_protocol https
+openstack-config --set /etc/neutron/neutron.conf keystone_authtoken auth_uri https://cloud.cedc.csia.unipd.it:35357/
+openstack-config --set /etc/neutron/neutron.conf keystone_authtoken identity_uri https://cloud.cedc.csia.unipd.it:35357
+openstack-config --set /etc/neutron/api-paste.ini filter:authtoken auth_host cloud.cedc.csia.unipd.it
+openstack-config --set /etc/neutron/api-paste.ini filter:authtoken auth_uri https://cloud.cedc.csia.unipd.it:5000
+openstack-config --set /etc/neutron/api-paste.ini filter:authtoken auth_protocol https
+openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT auth_url https://cloud.cedc.csia.unipd.it:5000/v2.0
+openstack-config --set /etc/neutron/metadata_agent.ini DEFAULT auth_ca_cert /etc/grid-security/chain.pem
+</code>
+Restart Neutron's agents:
+<code bash>
+systemctl restart neutron-dhcp-agent
+systemctl restart neutron-l3-agent
+systemctl restart neutron-metadata-agent
+systemctl restart neutron-openvswitch-agent
+</code>