[Rdo-list] Neutron configuration files for a two node Neutron+GRE+OVS
Boris Derzhavets
bderzhavets at hotmail.com
Sun Feb 9 07:45:00 UTC 2014
In a previous successful attempt to reproduce your schema on real F20 boxes I was able to start neutron-server with
[root at dfw02 neutron(keystone_admin)]$ cat plugin.ini | grep -v ^# | grep -v ^$
[ovs]
tenant_network_type = gre
tunnel_id_ranges = 1:1000
enable_tunneling = True
integration_bridge = br-int
tunnel_bridge = br-tun
local_ip = 192.168.1.127
[agent]
[securitygroup]
[DATABASE]
sql_connection = mysql://root:password@dfw02.localdomain/ovs_neutron
[SECURITYGROUP]
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
and finally
[root at dfw02 ~]# ovs-vsctl show
7d78d536-3612-416e-bce6-24605088212f
Bridge br-int
Port br-int
Interface br-int
type: internal
Port patch-tun
Interface patch-tun
type: patch
options: {peer=patch-int}
Bridge br-ex
Port "p37p1"
Interface "p37p1"
Port br-ex
Interface br-ex
type: internal
Bridge br-tun
Port br-tun
Interface br-tun
type: internal
Port "gre-2"
Interface "gre-2"
type: gre
options: {in_key=flow, local_ip="192.168.1.127", out_key=flow, remote_ip="192.168.1.137"}
Port patch-int
Interface patch-int
type: patch
options: {peer=patch-tun}
ovs_version: "2.0.0"
Compute node instances were able to obtain floating and internal ip addresses
I am running this TwoNode Cluster in the meantime with all `yum updates` after
01/23/2014
In a new attempt on a fresh F20 instance, Neutron-server may be started only with
[DATABASE]
sql_connection = mysql://root:password@localhost/ovs_neutron
Block like :-
Port "gre-2"
Interface "gre-2"
type: gre
options: {in_key=flow, local_ip="192.168.1.147", out_key=flow, remote_ip="192.168.1.157"}
doesn't appear in `ovs-vsctl show` output. Nothing works on Compute; all Configs are the same as in the first attempt.
The error from mysql, which I get: "Access denied for 'root'@'new_hostname'"
new_hostname as before is in /etc/hosts
192.168.1.147 new_hostname.localdomain new_hostname
and in /etc/hostname
new_hostname.localdomain
For me it looks like a bug: neutron-server is bound to 127.0.0.1, actually, connected with the MariaDB database.
I made 2 attempts to reproduce it from scratch, building the Controller, and every time the Neutron-server start-up limitation came up.
Kashyap, my question to you :-
Am I correct in my conclusions that Neutron-Server mysql credentials affect
the network abilities of Neutron, or is the libvirtd daemon the real carrier for metadata, and the schema would work only on a non-default libvirt network for virtual machines?
Then the working real cluster is a kind of miracle. It's under testing on a daily basis.
Thanks.
Boris.
PS. All snapshots done on first Cluster (successfully working in meantime with all updates accepted from yum) may be viewed here :-
http://bderzhavets.blogspot.com/2014/01/setting-up-two-physical-node-openstack.html
> Date: Thu, 30 Jan 2014 10:45:29 +0530
> From: kchamart at redhat.com
> To: rdo-list at redhat.com
> Subject: [Rdo-list] Neutron configuration files for a two node Neutron+GRE+OVS
>
> Heya,
>
> Just in case if it's useful for someone, here are my working Neutron
> configuration files (and iptables rules) for a two node set-up based on
> IceHouse-M2 on Fedora-20,
>
> - Controller node: Nova, Keystone (token-based auth), Cinder,
> Glance, Neutron (using Open vSwitch plugin and GRE tunneling).
>
> - Compute node: Nova (nova-compute), Neutron (openvswitch-agent)
>
>
> Controller node Neutron configurations
> ======================================
>
> 1. neutron.conf
> ---------------
>
> $ cat /etc/neutron/neutron.conf | grep -v ^$ | grep -v ^#
> [DEFAULT]
> core_plugin = neutron.plugins.openvswitch.ovs_neutron_plugin.OVSNeutronPluginV2
> rpc_backend = neutron.openstack.common.rpc.impl_qpid
> control_exchange = neutron
> qpid_hostname = 192.169.142.49
> auth_strategy = keystone
> allow_overlapping_ips = True
> dhcp_lease_duration = 120
> allow_bulk = True
> qpid_port = 5672
> qpid_heartbeat = 60
> qpid_protocol = tcp
> qpid_tcp_nodelay = True
> qpid_reconnect_limit=0
> qpid_reconnect_interval_max=0
> qpid_reconnect_timeout=0
> qpid_reconnect=True
> qpid_reconnect_interval_min=0
> qpid_reconnect_interval=0
> debug = False
> verbose = False
> [quotas]
> [agent]
> [keystone_authtoken]
> admin_tenant_name = services
> admin_user = neutron
> admin_password = fedora
> auth_host = 192.169.142.49
> auth_port = 35357
> auth_protocol = http
> auth_uri=http://192.169.142.49:5000/
> [database]
> [service_providers]
> [AGENT]
> root_helper = sudo neutron-rootwrap /etc/neutron/rootwrap.conf
>
> 2. (OVS) plugin.ini
> -------------------
>
> $ cat /etc/neutron/plugin.ini | grep -v ^$ | grep -v ^#
> [ovs]
> tenant_network_type = gre
> tunnel_id_ranges = 1:1000
> enable_tunneling = True
> integration_bridge = br-int
> tunnel_bridge = br-tun
> local_ip = 192.169.142.49
> [agent]
> [securitygroup]
> [DATABASE]
> sql_connection = mysql://neutron:fedora@node1-controller/ovs_neutron
> sql_max_retries=10
> reconnect_interval=2
> sql_idle_timeout=3600
> [SECURITYGROUP]
> firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
>
> 3. dhcp_agent.ini
> -----------------
>
> $ cat /etc/neutron/dhcp_agent.ini | grep -v ^$ | grep -v ^#
> [DEFAULT]
> interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
> handle_internal_only_routers = TRUE
> external_network_bridge = br-ex
> use_namespaces = True
> dnsmasq_config_file = /etc/neutron/dnsmasq.conf
>
> 4. l3_agent.ini
> ---------------
>
> $ cat /etc/neutron/dhcp_agent.ini | grep -v ^$ | grep -v ^#
> [DEFAULT]
> interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
> handle_internal_only_routers = TRUE
> external_network_bridge = br-ex
> use_namespaces = True
> dnsmasq_config_file = /etc/neutron/dnsmasq.conf
>
> 5. dnsmasq.conf
> ---------------
>
> This logs dnsmasq output to a file, instead of journalctl:
>
> $ cat /etc/neutron/dnsmasq.conf | grep -v ^$ | grep -v ^#
> log-facility = /var/log/neutron/dnsmasq.log
> log-dhcp
>
> 6. api-paste.ini
> ----------------
>
> $ cat /etc/neutron/api-paste.ini | grep -v ^$ | grep -v ^#
> [composite:neutron]
> use = egg:Paste#urlmap
> /: neutronversions
> /v2.0: neutronapi_v2_0
> [composite:neutronapi_v2_0]
> use = call:neutron.auth:pipeline_factory
> noauth = extensions neutronapiapp_v2_0
> keystone = authtoken keystonecontext extensions neutronapiapp_v2_0
> [filter:keystonecontext]
> paste.filter_factory = neutron.auth:NeutronKeystoneContext.factory
> [filter:authtoken]
> paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
> admin_user=neutron
> auth_port=35357
> admin_password=fedora
> auth_protocol=http
> auth_uri=http://192.169.142.49:5000/
> admin_tenant_name=services
> auth_host = 192.169.142.49
> [filter:extensions]
> paste.filter_factory = neutron.api.extensions:plugin_aware_extension_middleware_factory
> [app:neutronversions]
> paste.app_factory = neutron.api.versions:Versions.factory
> [app:neutronapiapp_v2_0]
> paste.app_factory = neutron.api.v2.router:APIRouter.factory
>
> 7. metadata_agent.ini
> ---------------------
>
> $ cat /etc/neutron/metadata_agent.ini | grep -v ^$ | grep -v ^#
> [DEFAULT]
> auth_url = http://192.169.142.49:35357/v2.0/
> auth_region = regionOne
> admin_tenant_name = services
> admin_user = neutron
> admin_password = fedora
> nova_metadata_ip = 192.168.142.49
> nova_metadata_port = 8775
> metadata_proxy_shared_secret = fedora
>
>
> Compute node Neutron configurations
> ===================================
>
> 1. neutron.conf
> ---------------
>
> $ cat /etc/neutron/neutron.conf | grep -v ^$ | grep -v ^#
> [DEFAULT]
> core_plugin = neutron.plugins.openvswitch.ovs_neutron_plugin.OVSNeutronPluginV2
> rpc_backend = neutron.openstack.common.rpc.impl_qpid
> qpid_hostname = 192.169.142.49
> auth_strategy = keystone
> allow_overlapping_ips = True
> qpid_port = 5672
> debug = True
> verbose = True
> [quotas]
> [agent]
> [keystone_authtoken]
> admin_tenant_name = services
> admin_user = neutron
> admin_password = fedora
> auth_host = 192.169.142.49
> [database]
> [service_providers]
> [AGENT]
> root_helper = sudo neutron-rootwrap /etc/neutron/rootwrap.conf
>
> 2. (OVS) plugin.ini
> -------------------
>
> $ cat plugin.ini | grep -v ^$ | grep -v ^#
> [ovs]
> tenant_network_type = gre
> tunnel_id_ranges = 1:1000
> enable_tunneling = True
> integration_bridge = br-int
> tunnel_bridge = br-tun
> local_ip = 192.169.142.57
> [DATABASE]
> sql_connection = mysql://neutron:fedora@node1-controller/ovs_neutron
> [SECURITYGROUP]
> firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
> [agent]
> [securitygroup]
>
> 3. metadata_agent.ini
> ---------------------
>
> $ cat metadata_agent.ini | grep -v ^$ | grep -v ^#
> [DEFAULT]
> auth_url = http://localhost:5000/v2.0
> auth_region = RegionOne
> admin_tenant_name = %SERVICE_TENANT_NAME%
> admin_user = %SERVICE_USER%
> admin_password = %SERVICE_PASSWORD%
>
>
> iptables rules on both Controller and Compute nodes
> ===================================================
>
> iptables on Controller node
> ---------------------------
>
> $ cat /etc/sysconfig/iptables
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A INPUT -p icmp -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -p tcp -m multiport --dports 3260 -m comment --comment "001 cinder incoming" -j ACCEPT
> -A INPUT -p tcp -m multiport --dports 80 -m comment --comment "001 horizon incoming" -j ACCEPT
> -A INPUT -p tcp -m multiport --dports 9292 -m comment --comment "001 glance incoming" -j ACCEPT
> -A INPUT -p tcp -m multiport --dports 5000,35357 -m comment --comment "001 keystone incoming" -j ACCEPT
> -A INPUT -p tcp -m multiport --dports 3306 -m comment --comment "001 mariadb incoming" -j ACCEPT
> -A INPUT -p tcp -m multiport --dports 6080 -m comment --comment "001 novncproxy incoming" -j ACCEPT
> -A INPUT -p tcp -m multiport --dports 8770:8780 -m comment --comment "001 novaapi incoming" -j ACCEPT
> -A INPUT -p tcp -m multiport --dports 9696 -m comment --comment "001 neutron incoming" -j ACCEPT
> -A INPUT -p tcp -m multiport --dports 5672 -m comment --comment "001 qpid incoming" -j ACCEPT
> -A INPUT -p tcp -m multiport --dports 8700 -m comment --comment "001 metadata incoming" -j ACCEPT
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 5900:5999 -j ACCEPT
> -A INPUT -j REJECT --reject-with icmp-host-prohibited
> -A INPUT -p gre -j ACCEPT
> -A OUTPUT -p gre -j ACCEPT
> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
> COMMIT
>
> iptables on Compute node
> ------------------------
>
> $ cat /etc/sysconfig/iptables
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A INPUT -p icmp -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 5900:5999 -j ACCEPT
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
> -A INPUT -p gre -j ACCEPT
> -A INPUT -j REJECT --reject-with icmp-host-prohibited
> -A OUTPUT -p gre -j ACCEPT
> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
> COMMIT
>
>
>
> [1] Also here --
> http://kashyapc.fedorapeople.org/virt/openstack/neutron-configs-GRE-OVS-two-node.txt
>
>
> --
> /kashyap
>
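The thread's diagnostic is whether the GRE port shows up under br-tun in `ovs-vsctl show` and whether its endpoints match the [ovs] section of plugin.ini. The following checker automates that comparison; it is an added example, not code from the thread or from Neutron, and the plugin.ini and `ovs-vsctl show` samples are constructed from the working and the failing outputs quoted above.

```python
"""Checks for a two-node Neutron OVS+GRE set-up. Sample inputs below are constructed from the thread."""
import re
from configparser import ConfigParser

PLUGIN_INI = """[ovs]
tenant_network_type = gre
enable_tunneling = True
tunnel_bridge = br-tun
local_ip = 192.168.1.127
"""
# br-tun as `ovs-vsctl show` printed it on the working node (indentation restored).
OVS_OK = """    Bridge br-tun
        Port "gre-2"
            Interface "gre-2"
                type: gre
                options: {in_key=flow, local_ip="192.168.1.127", out_key=flow, remote_ip="192.168.1.137"}
"""
# br-tun on the rebuilt controller, where the GRE port never appeared.
OVS_NO_GRE = """    Bridge br-tun
        Port br-tun
            Interface br-tun
                type: internal
"""

def gre_ports(ovs_show):
    """Return local_ip/remote_ip of every GRE interface in `ovs-vsctl show` output."""
    found = []
    for m in re.finditer(r'type:\s*gre\s*\n\s*options:\s*\{([^}]*)\}', ovs_show):
        opts = dict(kv.strip().split('=', 1) for kv in m.group(1).split(','))
        found.append({k: opts.get(k, '').strip('"') for k in ('local_ip', 'remote_ip')})
    return found

def check_tunnel(plugin_ini, ovs_show, peer_ip):
    """Compare the [ovs] settings with live OVS state; return a list of problems."""
    cfg = ConfigParser(strict=False)
    cfg.read_string(plugin_ini)
    problems = []
    if cfg.get('ovs', 'enable_tunneling', fallback='False').lower() != 'true':
        problems.append('enable_tunneling is not True')
    bridge = cfg.get('ovs', 'tunnel_bridge', fallback='br-tun')
    if not re.search(r'Bridge "?%s"?' % re.escape(bridge), ovs_show):
        problems.append('tunnel bridge %s is missing' % bridge)
    ports = gre_ports(ovs_show)
    if not ports:
        problems.append('no GRE port on %s: the OVS agent never built the tunnel' % bridge)
    local_ip = cfg.get('ovs', 'local_ip', fallback='')
    for p in ports:  # each tunnel endpoint must match the config and the peer
        if p['local_ip'] != local_ip or p['remote_ip'] != peer_ip:
            problems.append('GRE endpoints %(local_ip)s->%(remote_ip)s do not match config' % p)
    return problems
```

Run it against the real files by passing `open('/etc/neutron/plugin.ini').read()` and the captured `ovs-vsctl show` text plus the other node's local_ip; an empty list means the tunnel is configured as intended.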