[Rdo-list] Neutron configuration files for a two node Neutron+GRE+OVS

Kashyap Chamarthy kchamart at redhat.com
Thu Jan 30 05:15:29 UTC 2014


Heya,

Just in case if it's useful for someone, here are my working Neutron
configuration files (and iptables rules) for a two node set-up based on
IceHouse-M2 on Fedora-20,

  - Controller node: Nova, Keystone (token-based auth), Cinder,
    Glance, Neutron (using Open vSwitch plugin and GRE tunneling).

  - Compute node: Nova (nova-compute), Neutron (openvswitch-agent)


Controller node Neutron configurations
======================================

1. neutron.conf
---------------

    $ cat /etc/neutron/neutron.conf | grep -v ^$ | grep -v ^#
    [DEFAULT]
    core_plugin
=neutron.plugins.openvswitch.ovs_neutron_plugin.OVSNeutronPluginV2
    rpc_backend = neutron.openstack.common.rpc.impl_qpid
    control_exchange = neutron
    qpid_hostname = 192.169.142.49
    auth_strategy = keystone
    allow_overlapping_ips = True
    dhcp_lease_duration = 120
    allow_bulk = True
    qpid_port = 5672
    qpid_heartbeat = 60
    qpid_protocol = tcp
    qpid_tcp_nodelay = True
    qpid_reconnect_limit=0
    qpid_reconnect_interval_max=0
    qpid_reconnect_timeout=0
    qpid_reconnect=True
    qpid_reconnect_interval_min=0
    qpid_reconnect_interval=0
    debug = False
    verbose = False
    [quotas]
    [agent]
    [keystone_authtoken]
    admin_tenant_name = services
    admin_user = neutron
    admin_password = fedora
    auth_host = 192.169.142.49
    auth_port = 35357
    auth_protocol = http
    auth_uri=http://192.169.142.49:5000/
    [database]
    [service_providers]
    [AGENT]
    root_helper = sudo neutron-rootwrap /etc/neutron/rootwrap.conf

2. (OVS) plugin.ini
-------------------

    $ cat /etc/neutron/plugin.ini | grep -v ^$ | grep -v ^#
    [ovs]
    tenant_network_type = gre
    tunnel_id_ranges = 1:1000
    enable_tunneling = True
    integration_bridge = br-int
    tunnel_bridge = br-tun
    local_ip = 192.169.142.49
    [agent]
    [securitygroup]
    [DATABASE]
    sql_connection = mysql://neutron:fedora@node1-controller/ovs_neutron
    sql_max_retries=10
    reconnect_interval=2
    sql_idle_timeout=3600
    [SECURITYGROUP]
    firewall_driver =
neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver

3. dhcp_agent.ini
-----------------

    $ cat /etc/neutron/dhcp_agent.ini | grep -v ^$ | grep -v ^#
    [DEFAULT]
    interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
    handle_internal_only_routers = TRUE
    external_network_bridge = br-ex
    use_namespaces = True
    dnsmasq_config_file = /etc/neutron/dnsmasq.conf

4. l3_agent.ini
---------------

    $ cat /etc/neutron/dhcp_agent.ini | grep -v ^$ | grep -v ^#
    [DEFAULT]
    interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
    handle_internal_only_routers = TRUE
    external_network_bridge = br-ex
    use_namespaces = True
    dnsmasq_config_file = /etc/neutron/dnsmasq.conf

5. dnsmasq.conf
---------------

This logs dnsmasq output is to a file, instead of journalctl):

    $ cat /etc/neutron/dnsmasq.conf | grep -v ^$ | grep -v ^#
    log-facility = /var/log/neutron/dnsmasq.log
    log-dhcp

6. api-paste.ini
----------------

    $ cat /etc/neutron/api-paste.ini | grep -v ^$ | grep -v ^#
    [composite:neutron]
    use = egg:Paste#urlmap
    /: neutronversions
    /v2.0: neutronapi_v2_0
    [composite:neutronapi_v2_0]
    use = call:neutron.auth:pipeline_factory
    noauth = extensions neutronapiapp_v2_0
    keystone = authtoken keystonecontext extensions neutronapiapp_v2_0
    [filter:keystonecontext]
    paste.filter_factory = neutron.auth:NeutronKeystoneContext.factory
    [filter:authtoken]
    paste.filter_factory =
keystoneclient.middleware.auth_token:filter_factory
    admin_user=neutron
    auth_port=35357
    admin_password=fedora
    auth_protocol=http
    auth_uri=http://192.169.142.49:5000/
    admin_tenant_name=services
    auth_host = 192.169.142.49
    [filter:extensions]
    paste.filter_factory =
neutron.api.extensions:plugin_aware_extension_middleware_factory
    [app:neutronversions]
    paste.app_factory = neutron.api.versions:Versions.factory
    [app:neutronapiapp_v2_0]
    paste.app_factory = neutron.api.v2.router:APIRouter.factory

7. metadata_agent.ini
---------------------

    $ cat /etc/neutron/metadata_agent.ini | grep -v ^$ | grep -v ^#
    [DEFAULT]
    auth_url = http://192.169.142.49:35357/v2.0/
    auth_region = regionOne
    admin_tenant_name = services
    admin_user = neutron
    admin_password = fedora
    nova_metadata_ip = 192.168.142.49
    nova_metadata_port = 8775
    metadata_proxy_shared_secret = fedora


Compute node Neutron configurations
===================================

1. neutron.conf
---------------

    $ cat /etc/neutron/neutron.conf | grep -v ^$ | grep -v ^#
    [DEFAULT]
    core_plugin
=neutron.plugins.openvswitch.ovs_neutron_plugin.OVSNeutronPluginV2
    rpc_backend = neutron.openstack.common.rpc.impl_qpid
    qpid_hostname = 192.169.142.49
    auth_strategy = keystone
    allow_overlapping_ips = True
    qpid_port = 5672
    debug = True
    verbose = True
    [quotas]
    [agent]
    [keystone_authtoken]
    admin_tenant_name = services
    admin_user = neutron
    admin_password = fedora
    auth_host = 192.169.142.49
    [database]
    [service_providers]
    [AGENT]
    root_helper = sudo neutron-rootwrap /etc/neutron/rootwrap.conf

2. (OVS) plugin.ini
-------------------

    $ cat plugin.ini | grep -v ^$ | grep -v ^#
    [ovs]
    tenant_network_type = gre
    tunnel_id_ranges = 1:1000
    enable_tunneling = True
    integration_bridge = br-int
    tunnel_bridge = br-tun
    local_ip = 192.169.142.57
    [DATABASE]
    sql_connection = mysql://neutron:fedora@node1-controller/ovs_neutron
    [SECURITYGROUP]
    firewall_driver =
neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
    [agent]
    [securitygroup]

3. metadata_agent.ini
---------------------

    $ cat metadata_agent.ini | grep -v ^$ | grep -v ^#
    [DEFAULT]
    auth_url = http://localhost:5000/v2.0
    auth_region = RegionOne
    admin_tenant_name = %SERVICE_TENANT_NAME%
    admin_user = %SERVICE_USER%
    admin_password = %SERVICE_PASSWORD%


iptables rules on both Controller and Compute nodes
===================================================

iptables on Controller node
---------------------------

    $ cat /etc/sysconfig/iptables
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 3260 -m comment --comment "001
cinder incoming" -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 80 -m comment --comment "001
horizon incoming" -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 9292 -m comment --comment "001
glance incoming" -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 5000,35357 -m comment
--comment "001 keystone incoming" -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 3306 -m comment --comment "001
mariadb incoming" -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 6080 -m comment --comment "001
novncproxy incoming" -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 8770:8780 -m comment --comment
"001 novaapi incoming" -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 9696 -m comment --comment "001
neutron incoming" -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 5672 -m comment --comment "001
qpid incoming" -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 8700 -m comment --comment "001
metadata incoming" -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 5900:5999 -j ACCEPT
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A INPUT -p gre -j ACCEPT
    -A OUTPUT -p gre -j ACCEPT
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    COMMIT

iptables on Compute node
------------------------

    $ cat /etc/sysconfig/iptables
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 5900:5999 -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
    -A INPUT -p gre -j ACCEPT
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A OUTPUT -p gre -j ACCEPT
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    COMMIT



[1] Also here --
http://kashyapc.fedorapeople.org/virt/openstack/neutron-configs-GRE-OVS-two-node.txt


-- 
/kashyap




More information about the dev mailing list