[Rdo-list] Neutron configuration files for a two node Neutron+GRE+OVS
Boris Derzhavets
bderzhavets at hotmail.com
Thu Jan 30 07:43:01 UTC 2014
How to surf internet via Neutron GRE tunnel (Fedora 20) ?
https://ask.openstack.org/en/question/11122/how-to-surf-internet-via-neutron-gre-tunnel-fedora-20/
I've also tried to set MTU to 1400 on F20 (KDE desktop) & CentOS 6.5 (Gnome) instances along with p37p1 on Compute Node (real host ) and br-ex on Controller Node ( real host) . I cannot touch outgoing router ( not Cisco model). No luck. I just can open only fedoraproject.org and yandex.ru.
Native F20 repos have been used for reproducing your setup on real F20 nodes ( Controller - 192.168.1.127, Compute - 192.168.1.137)
Boris
> Date: Thu, 30 Jan 2014 10:45:29 +0530
> From: kchamart at redhat.com
> To: rdo-list at redhat.com
> Subject: [Rdo-list] Neutron configuration files for a two node Neutron+GRE+OVS
>
> Heya,
>
> Just in case if it's useful for someone, here are my working Neutron
> configuration files (and iptables rules) for a two node set-up based on
> IceHouse-M2 on Fedora-20,
>
> - Controller node: Nova, Keystone (token-based auth), Cinder,
> Glance, Neutron (using Open vSwitch plugin and GRE tunneling).
>
> - Compute node: Nova (nova-compute), Neutron (openvswitch-agent)
>
>
> Controller node Neutron configurations
> ======================================
>
> 1. neutron.conf
> ---------------
>
> $ cat /etc/neutron/neutron.conf | grep -v ^$ | grep -v ^#
> [DEFAULT]
> core_plugin
> =neutron.plugins.openvswitch.ovs_neutron_plugin.OVSNeutronPluginV2
> rpc_backend = neutron.openstack.common.rpc.impl_qpid
> control_exchange = neutron
> qpid_hostname = 192.169.142.49
> auth_strategy = keystone
> allow_overlapping_ips = True
> dhcp_lease_duration = 120
> allow_bulk = True
> qpid_port = 5672
> qpid_heartbeat = 60
> qpid_protocol = tcp
> qpid_tcp_nodelay = True
> qpid_reconnect_limit=0
> qpid_reconnect_interval_max=0
> qpid_reconnect_timeout=0
> qpid_reconnect=True
> qpid_reconnect_interval_min=0
> qpid_reconnect_interval=0
> debug = False
> verbose = False
> [quotas]
> [agent]
> [keystone_authtoken]
> admin_tenant_name = services
> admin_user = neutron
> admin_password = fedora
> auth_host = 192.169.142.49
> auth_port = 35357
> auth_protocol = http
> auth_uri=http://192.169.142.49:5000/
> [database]
> [service_providers]
> [AGENT]
> root_helper = sudo neutron-rootwrap /etc/neutron/rootwrap.conf
>
> 2. (OVS) plugin.ini
> -------------------
>
> $ cat /etc/neutron/plugin.ini | grep -v ^$ | grep -v ^#
> [ovs]
> tenant_network_type = gre
> tunnel_id_ranges = 1:1000
> enable_tunneling = True
> integration_bridge = br-int
> tunnel_bridge = br-tun
> local_ip = 192.169.142.49
> [agent]
> [securitygroup]
> [DATABASE]
> sql_connection = mysql://neutron:fedora@node1-controller/ovs_neutron
> sql_max_retries=10
> reconnect_interval=2
> sql_idle_timeout=3600
> [SECURITYGROUP]
> firewall_driver =
> neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
>
> 3. dhcp_agent.ini
> -----------------
>
> $ cat /etc/neutron/dhcp_agent.ini | grep -v ^$ | grep -v ^#
> [DEFAULT]
> interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
> handle_internal_only_routers = TRUE
> external_network_bridge = br-ex
> use_namespaces = True
> dnsmasq_config_file = /etc/neutron/dnsmasq.conf
>
> 4. l3_agent.ini
> ---------------
>
> $ cat /etc/neutron/dhcp_agent.ini | grep -v ^$ | grep -v ^#
> [DEFAULT]
> interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
> handle_internal_only_routers = TRUE
> external_network_bridge = br-ex
> use_namespaces = True
> dnsmasq_config_file = /etc/neutron/dnsmasq.conf
>
> 5. dnsmasq.conf
> ---------------
>
> This logs dnsmasq output is to a file, instead of journalctl):
>
> $ cat /etc/neutron/dnsmasq.conf | grep -v ^$ | grep -v ^#
> log-facility = /var/log/neutron/dnsmasq.log
> log-dhcp
>
> 6. api-paste.ini
> ----------------
>
> $ cat /etc/neutron/api-paste.ini | grep -v ^$ | grep -v ^#
> [composite:neutron]
> use = egg:Paste#urlmap
> /: neutronversions
> /v2.0: neutronapi_v2_0
> [composite:neutronapi_v2_0]
> use = call:neutron.auth:pipeline_factory
> noauth = extensions neutronapiapp_v2_0
> keystone = authtoken keystonecontext extensions neutronapiapp_v2_0
> [filter:keystonecontext]
> paste.filter_factory = neutron.auth:NeutronKeystoneContext.factory
> [filter:authtoken]
> paste.filter_factory =
> keystoneclient.middleware.auth_token:filter_factory
> admin_user=neutron
> auth_port=35357
> admin_password=fedora
> auth_protocol=http
> auth_uri=http://192.169.142.49:5000/
> admin_tenant_name=services
> auth_host = 192.169.142.49
> [filter:extensions]
> paste.filter_factory =
> neutron.api.extensions:plugin_aware_extension_middleware_factory
> [app:neutronversions]
> paste.app_factory = neutron.api.versions:Versions.factory
> [app:neutronapiapp_v2_0]
> paste.app_factory = neutron.api.v2.router:APIRouter.factory
>
> 7. metadata_agent.ini
> ---------------------
>
> $ cat /etc/neutron/metadata_agent.ini | grep -v ^$ | grep -v ^#
> [DEFAULT]
> auth_url = http://192.169.142.49:35357/v2.0/
> auth_region = regionOne
> admin_tenant_name = services
> admin_user = neutron
> admin_password = fedora
> nova_metadata_ip = 192.168.142.49
> nova_metadata_port = 8775
> metadata_proxy_shared_secret = fedora
>
>
> Compute node Neutron configurations
> ===================================
>
> 1. neutron.conf
> ---------------
>
> $ cat /etc/neutron/neutron.conf | grep -v ^$ | grep -v ^#
> [DEFAULT]
> core_plugin
> =neutron.plugins.openvswitch.ovs_neutron_plugin.OVSNeutronPluginV2
> rpc_backend = neutron.openstack.common.rpc.impl_qpid
> qpid_hostname = 192.169.142.49
> auth_strategy = keystone
> allow_overlapping_ips = True
> qpid_port = 5672
> debug = True
> verbose = True
> [quotas]
> [agent]
> [keystone_authtoken]
> admin_tenant_name = services
> admin_user = neutron
> admin_password = fedora
> auth_host = 192.169.142.49
> [database]
> [service_providers]
> [AGENT]
> root_helper = sudo neutron-rootwrap /etc/neutron/rootwrap.conf
>
> 2. (OVS) plugin.ini
> -------------------
>
> $ cat plugin.ini | grep -v ^$ | grep -v ^#
> [ovs]
> tenant_network_type = gre
> tunnel_id_ranges = 1:1000
> enable_tunneling = True
> integration_bridge = br-int
> tunnel_bridge = br-tun
> local_ip = 192.169.142.57
> [DATABASE]
> sql_connection = mysql://neutron:fedora@node1-controller/ovs_neutron
> [SECURITYGROUP]
> firewall_driver =
> neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
> [agent]
> [securitygroup]
>
> 3. metadata_agent.ini
> ---------------------
>
> $ cat metadata_agent.ini | grep -v ^$ | grep -v ^#
> [DEFAULT]
> auth_url = http://localhost:5000/v2.0
> auth_region = RegionOne
> admin_tenant_name = %SERVICE_TENANT_NAME%
> admin_user = %SERVICE_USER%
> admin_password = %SERVICE_PASSWORD%
>
>
> iptables rules on both Controller and Compute nodes
> ===================================================
>
> iptables on Controller node
> ---------------------------
>
> $ cat /etc/sysconfig/iptables
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A INPUT -p icmp -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -p tcp -m multiport --dports 3260 -m comment --comment "001
> cinder incoming" -j ACCEPT
> -A INPUT -p tcp -m multiport --dports 80 -m comment --comment "001
> horizon incoming" -j ACCEPT
> -A INPUT -p tcp -m multiport --dports 9292 -m comment --comment "001
> glance incoming" -j ACCEPT
> -A INPUT -p tcp -m multiport --dports 5000,35357 -m comment
> --comment "001 keystone incoming" -j ACCEPT
> -A INPUT -p tcp -m multiport --dports 3306 -m comment --comment "001
> mariadb incoming" -j ACCEPT
> -A INPUT -p tcp -m multiport --dports 6080 -m comment --comment "001
> novncproxy incoming" -j ACCEPT
> -A INPUT -p tcp -m multiport --dports 8770:8780 -m comment --comment
> "001 novaapi incoming" -j ACCEPT
> -A INPUT -p tcp -m multiport --dports 9696 -m comment --comment "001
> neutron incoming" -j ACCEPT
> -A INPUT -p tcp -m multiport --dports 5672 -m comment --comment "001
> qpid incoming" -j ACCEPT
> -A INPUT -p tcp -m multiport --dports 8700 -m comment --comment "001
> metadata incoming" -j ACCEPT
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 5900:5999 -j ACCEPT
> -A INPUT -j REJECT --reject-with icmp-host-prohibited
> -A INPUT -p gre -j ACCEPT
> -A OUTPUT -p gre -j ACCEPT
> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
> COMMIT
>
> iptables on Compute node
> ------------------------
>
> $ cat /etc/sysconfig/iptables
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A INPUT -p icmp -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 5900:5999 -j ACCEPT
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
> -A INPUT -p gre -j ACCEPT
> -A INPUT -j REJECT --reject-with icmp-host-prohibited
> -A OUTPUT -p gre -j ACCEPT
> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
> COMMIT
>
>
>
> [1] Also here --
> http://kashyapc.fedorapeople.org/virt/openstack/neutron-configs-GRE-OVS-two-node.txt
>
>
> --
> /kashyap
>
> _______________________________________________
> Rdo-list mailing list
> Rdo-list at redhat.com
> https://www.redhat.com/mailman/listinfo/rdo-list
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.rdoproject.org/pipermail/dev/attachments/20140130/34a520a9/attachment.html>
More information about the dev
mailing list