[Rdo-list] RE(2): Neutron configuration files for a two node Neutron+GRE+OVS
Boris Derzhavets
bderzhavets at hotmail.com
Sun Feb 9 12:20:58 UTC 2014
To add to first RE:
On compute node 192.168.1.137 :-
[root at dfw01 neutron]# cat plugin.ini
[ovs]
tenant_network_type = gre
tunnel_id_ranges = 1:1000
enable_tunneling = True
integration_bridge = br-int
tunnel_bridge = br-tun
local_ip = 192.168.1.137
[agent]
[securitygroup]
[DATABASE]
sql_connection = mysql://root:password@192.168.1.127/ovs_neutron
[SECURITYGROUP]
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
It cannot work any longer affecting neutron-openvswitch service on compute node
I am using native F20 repos
It was never possible for me to start neutron-server with "mysql://neutron:fedora@hostname/ovs_neutron" . Starting as root causes some trouble, but it's acceptable.
Thanks.
Boris.
> Date: Thu, 30 Jan 2014 10:45:29 +0530
> From: kchamart at redhat.com
> To: rdo-list at redhat.com
> Subject: [Rdo-list] Neutron configuration files for a two node Neutron+GRE+OVS
>
> Heya,
>
> Just in case if it's useful for someone, here are my working Neutron
> configuration files (and iptables rules) for a two node set-up based on
> IceHouse-M2 on Fedora-20,
>
> - Controller node: Nova, Keystone (token-based auth), Cinder,
> Glance, Neutron (using Open vSwitch plugin and GRE tunneling).
>
> - Compute node: Nova (nova-compute), Neutron (openvswitch-agent)
>
>
> Controller node Neutron configurations
> ======================================
>
> 1. neutron.conf
> ---------------
>
> $ cat /etc/neutron/neutron.conf | grep -v ^$ | grep -v ^#
> [DEFAULT]
> core_plugin
> =neutron.plugins.openvswitch.ovs_neutron_plugin.OVSNeutronPluginV2
> rpc_backend = neutron.openstack.common.rpc.impl_qpid
> control_exchange = neutron
> qpid_hostname = 192.169.142.49
> auth_strategy = keystone
> allow_overlapping_ips = True
> dhcp_lease_duration = 120
> allow_bulk = True
> qpid_port = 5672
> qpid_heartbeat = 60
> qpid_protocol = tcp
> qpid_tcp_nodelay = True
> qpid_reconnect_limit=0
> qpid_reconnect_interval_max=0
> qpid_reconnect_timeout=0
> qpid_reconnect=True
> qpid_reconnect_interval_min=0
> qpid_reconnect_interval=0
> debug = False
> verbose = False
> [quotas]
> [agent]
> [keystone_authtoken]
> admin_tenant_name = services
> admin_user = neutron
> admin_password = fedora
> auth_host = 192.169.142.49
> auth_port = 35357
> auth_protocol = http
> auth_uri=http://192.169.142.49:5000/
> [database]
> [service_providers]
> [AGENT]
> root_helper = sudo neutron-rootwrap /etc/neutron/rootwrap.conf
>
> 2. (OVS) plugin.ini
> -------------------
>
> $ cat /etc/neutron/plugin.ini | grep -v ^$ | grep -v ^#
> [ovs]
> tenant_network_type = gre
> tunnel_id_ranges = 1:1000
> enable_tunneling = True
> integration_bridge = br-int
> tunnel_bridge = br-tun
> local_ip = 192.169.142.49
> [agent]
> [securitygroup]
> [DATABASE]
> sql_connection = mysql://neutron:fedora@node1-controller/ovs_neutron
> sql_max_retries=10
> reconnect_interval=2
> sql_idle_timeout=3600
> [SECURITYGROUP]
> firewall_driver =
> neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
>
> 3. dhcp_agent.ini
> -----------------
>
> $ cat /etc/neutron/dhcp_agent.ini | grep -v ^$ | grep -v ^#
> [DEFAULT]
> interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
> handle_internal_only_routers = TRUE
> external_network_bridge = br-ex
> use_namespaces = True
> dnsmasq_config_file = /etc/neutron/dnsmasq.conf
>
> 4. l3_agent.ini
> ---------------
>
> $ cat /etc/neutron/dhcp_agent.ini | grep -v ^$ | grep -v ^#
> [DEFAULT]
> interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
> handle_internal_only_routers = TRUE
> external_network_bridge = br-ex
> use_namespaces = True
> dnsmasq_config_file = /etc/neutron/dnsmasq.conf
>
> 5. dnsmasq.conf
> ---------------
>
> This logs dnsmasq output is to a file, instead of journalctl):
>
> $ cat /etc/neutron/dnsmasq.conf | grep -v ^$ | grep -v ^#
> log-facility = /var/log/neutron/dnsmasq.log
> log-dhcp
>
> 6. api-paste.ini
> ----------------
>
> $ cat /etc/neutron/api-paste.ini | grep -v ^$ | grep -v ^#
> [composite:neutron]
> use = egg:Paste#urlmap
> /: neutronversions
> /v2.0: neutronapi_v2_0
> [composite:neutronapi_v2_0]
> use = call:neutron.auth:pipeline_factory
> noauth = extensions neutronapiapp_v2_0
> keystone = authtoken keystonecontext extensions neutronapiapp_v2_0
> [filter:keystonecontext]
> paste.filter_factory = neutron.auth:NeutronKeystoneContext.factory
> [filter:authtoken]
> paste.filter_factory =
> keystoneclient.middleware.auth_token:filter_factory
> admin_user=neutron
> auth_port=35357
> admin_password=fedora
> auth_protocol=http
> auth_uri=http://192.169.142.49:5000/
> admin_tenant_name=services
> auth_host = 192.169.142.49
> [filter:extensions]
> paste.filter_factory =
> neutron.api.extensions:plugin_aware_extension_middleware_factory
> [app:neutronversions]
> paste.app_factory = neutron.api.versions:Versions.factory
> [app:neutronapiapp_v2_0]
> paste.app_factory = neutron.api.v2.router:APIRouter.factory
>
> 7. metadata_agent.ini
> ---------------------
>
> $ cat /etc/neutron/metadata_agent.ini | grep -v ^$ | grep -v ^#
> [DEFAULT]
> auth_url = http://192.169.142.49:35357/v2.0/
> auth_region = regionOne
> admin_tenant_name = services
> admin_user = neutron
> admin_password = fedora
> nova_metadata_ip = 192.168.142.49
> nova_metadata_port = 8775
> metadata_proxy_shared_secret = fedora
>
>
> Compute node Neutron configurations
> ===================================
>
> 1. neutron.conf
> ---------------
>
> $ cat /etc/neutron/neutron.conf | grep -v ^$ | grep -v ^#
> [DEFAULT]
> core_plugin
> =neutron.plugins.openvswitch.ovs_neutron_plugin.OVSNeutronPluginV2
> rpc_backend = neutron.openstack.common.rpc.impl_qpid
> qpid_hostname = 192.169.142.49
> auth_strategy = keystone
> allow_overlapping_ips = True
> qpid_port = 5672
> debug = True
> verbose = True
> [quotas]
> [agent]
> [keystone_authtoken]
> admin_tenant_name = services
> admin_user = neutron
> admin_password = fedora
> auth_host = 192.169.142.49
> [database]
> [service_providers]
> [AGENT]
> root_helper = sudo neutron-rootwrap /etc/neutron/rootwrap.conf
>
> 2. (OVS) plugin.ini
> -------------------
>
> $ cat plugin.ini | grep -v ^$ | grep -v ^#
> [ovs]
> tenant_network_type = gre
> tunnel_id_ranges = 1:1000
> enable_tunneling = True
> integration_bridge = br-int
> tunnel_bridge = br-tun
> local_ip = 192.169.142.57
> [DATABASE]
> sql_connection = mysql://neutron:fedora@node1-controller/ovs_neutron
> [SECURITYGROUP]
> firewall_driver =
> neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
> [agent]
> [securitygroup]
>
> 3. metadata_agent.ini
> ---------------------
>
> $ cat metadata_agent.ini | grep -v ^$ | grep -v ^#
> [DEFAULT]
> auth_url = http://localhost:5000/v2.0
> auth_region = RegionOne
> admin_tenant_name = %SERVICE_TENANT_NAME%
> admin_user = %SERVICE_USER%
> admin_password = %SERVICE_PASSWORD%
>
>
> iptables rules on both Controller and Compute nodes
> ===================================================
>
> iptables on Controller node
> ---------------------------
>
> $ cat /etc/sysconfig/iptables
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A INPUT -p icmp -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -p tcp -m multiport --dports 3260 -m comment --comment "001
> cinder incoming" -j ACCEPT
> -A INPUT -p tcp -m multiport --dports 80 -m comment --comment "001
> horizon incoming" -j ACCEPT
> -A INPUT -p tcp -m multiport --dports 9292 -m comment --comment "001
> glance incoming" -j ACCEPT
> -A INPUT -p tcp -m multiport --dports 5000,35357 -m comment
> --comment "001 keystone incoming" -j ACCEPT
> -A INPUT -p tcp -m multiport --dports 3306 -m comment --comment "001
> mariadb incoming" -j ACCEPT
> -A INPUT -p tcp -m multiport --dports 6080 -m comment --comment "001
> novncproxy incoming" -j ACCEPT
> -A INPUT -p tcp -m multiport --dports 8770:8780 -m comment --comment
> "001 novaapi incoming" -j ACCEPT
> -A INPUT -p tcp -m multiport --dports 9696 -m comment --comment "001
> neutron incoming" -j ACCEPT
> -A INPUT -p tcp -m multiport --dports 5672 -m comment --comment "001
> qpid incoming" -j ACCEPT
> -A INPUT -p tcp -m multiport --dports 8700 -m comment --comment "001
> metadata incoming" -j ACCEPT
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 5900:5999 -j ACCEPT
> -A INPUT -j REJECT --reject-with icmp-host-prohibited
> -A INPUT -p gre -j ACCEPT
> -A OUTPUT -p gre -j ACCEPT
> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
> COMMIT
>
> iptables on Compute node
> ------------------------
>
> $ cat /etc/sysconfig/iptables
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A INPUT -p icmp -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 5900:5999 -j ACCEPT
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
> -A INPUT -p gre -j ACCEPT
> -A INPUT -j REJECT --reject-with icmp-host-prohibited
> -A OUTPUT -p gre -j ACCEPT
> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
> COMMIT
>
>
>
> [1] Also here --
> http://kashyapc.fedorapeople.org/virt/openstack/neutron-configs-GRE-OVS-two-node.txt
>
>
> --
> /kashyap
>
> _______________________________________________
> Rdo-list mailing list
> Rdo-list at redhat.com
> https://www.redhat.com/mailman/listinfo/rdo-list
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.rdoproject.org/pipermail/dev/attachments/20140209/0577dde9/attachment.html>
More information about the dev
mailing list