openstack-ansible-os_neutron/doc/source/configure-network-services.rst
James Denton 3dd5cbd165 [docs] Update FWaaS v2 deployment scenario
The docs currently do not mention that OVS is required for FWaaS v2.
This patch provides a note and links to OVS deployment scenarios.

Closes-Bug: 1781166
Change-Id: I650b42f9a4645ed17fbfe3b5c25da9d23c6a3a52
2019-02-13 10:10:05 -05:00

463 lines
16 KiB
ReStructuredText

=======================================================
Configuring the Networking service (neutron) (optional)
=======================================================
The OpenStack Networking service (neutron) includes the following services:
Firewall as a Service (FWaaS)
Provides a software-based firewall that filters traffic from the router.
Load Balancer as a Service (LBaaS)
Provides load balancers that direct traffic to OpenStack instances or other
servers outside the OpenStack deployment.
VPN as a Service (VPNaaS)
Provides a method for extending a private network across a public network.
BGP Dynamic Routing service
Provides a means for advertising self-service (private) network prefixes
to physical network devices that support BGP.
SR-IOV Support
Provides the ability to provision virtual or physical functions to guest
instances using SR-IOV and PCI passthrough. (Requires compatible NICs)
Firewall service (optional)
~~~~~~~~~~~~~~~~~~~~~~~~~~~
The following procedure describes how to modify the
``/etc/openstack_deploy/user_variables.yml`` file to enable FWaaS.
Deploying FWaaS v1
------------------
.. note::
The FWaaS v1 API is deprecated upstream. While FWaaS v1.0 is still
maintained, new features will be implemented in FWaaS v2.0 API.
#. Override the default list of neutron plugins to include
``firewall``:
.. code-block:: yaml
neutron_plugin_base:
- firewall
- ...
#. ``neutron_plugin_base`` is as follows:
.. code-block:: yaml
neutron_plugin_base:
- router
- firewall
- neutron_lbaas.services.loadbalancer.plugin.LoadBalancerPluginv2
- vpnaas
- metering
- qos
#. Execute the neutron install playbook in order to update the configuration:
.. code-block:: shell-session
# cd /opt/openstack-ansible/playbooks
# openstack-ansible os-neutron-install.yml
#. Execute the horizon install playbook to show the FWaaS panels:
.. code-block:: shell-session
# cd /opt/openstack-ansible/playbooks
# openstack-ansible os-horizon-install.yml
The FWaaS default configuration options may be changed through the
`conf override`_ mechanism using the ``neutron_neutron_conf_overrides``
dict.
Deploying FWaaS v2
------------------
FWaaS v2 is the next generation Neutron firewall service and will provide
a rich set of APIs for securing OpenStack networks. It is still under
active development.
Refer to the `FWaaS 2.0 API specification
<https://specs.openstack.org/openstack/neutron-specs/specs/newton/fwaas-api-2.0.html>`_
for more information on these FWaaS v2 features.
FWaaS v2 requires the use of Open vSwitch. To deploy an environment using
Open vSwitch for virtual networking, please refer to the following
documentation:
* `Scenario - Using Open vSwitch <app-openvswitch.html>`_
* `Scenario - Using Open vSwitch with DVR
<app-openvswitch-dvr.html>`_
Follow the steps below to deploy FWaaS v2:
.. note::
FWaaS v1 and v2 cannot be deployed simultaneously.
#. Add the FWaaS v2 plugin to the ``neutron_plugin_base`` variable
in ``/etc/openstack_deploy/user_variables.yml``:
.. code-block:: yaml
neutron_plugin_base:
- router
- metering
- firewall_v2
Ensure that ``neutron_plugin_base`` includes all of the plugins that you
want to deploy with neutron in addition to the firewall_v2 plugin.
#. Run the neutron playbook to deploy the FWaaS v2 service plugin
.. code-block:: console
# cd /opt/openstack-ansible/playbooks
# openstack-ansible os-neutron-install.yml
Load balancing service (optional)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The `neutron-lbaas`_ plugin for neutron provides a software load balancer
service and can direct traffic to multiple servers. The service runs as an
agent and it manages `HAProxy`_ configuration files and daemons.
The Newton release contains only the LBaaS v2 API. For more details about
transitioning from LBaaS v1 to v2, review the :ref:`lbaas-special-notes`
section below.
Deployers can make changes to the LBaaS default configuration options via the
``neutron_lbaas_agent_ini_overrides`` dictionary. Review the documentation on
the `conf override`_ mechanism for more details.
.. _neutron-lbaas: https://wiki.openstack.org/wiki/Neutron/LBaaS
.. _HAProxy: http://www.haproxy.org/
Deploying LBaaS v2 namespace driver
-----------------------------------
#. Add the LBaaS v2 plugin to the ``neutron_plugin_base`` variable
in ``/etc/openstack_deploy/user_variables.yml``:
.. code-block:: yaml
neutron_plugin_base:
- router
- metering
- neutron_lbaas.services.loadbalancer.plugin.LoadBalancerPluginv2
Ensure that ``neutron_plugin_base`` includes all of the plugins that you
want to deploy with neutron in addition to the LBaaS plugin.
Adding the LBaaS v2 plugin to ``neutron_plugin_base`` automatically enables
the Dashboard panels for LBaaS v2 when the ``os_horizon`` role is
redeployed (see the following step).
Alternatively you can set the ``neutron_lbaasv2`` flag to ``True`` which
will add the LBaaS v2 plugin by itself.
#. Run the neutron playbook to deploy the LBaaS v2 agent and enable the
Dashboard panels for LBaaSv2:
.. code-block:: console
# cd /opt/openstack-ansible/playbooks
# openstack-ansible os-neutron-install.yml
# openstack-ansible os-horizon-install.yml
Deploying LBaaS v2 with Octavia
-------------------------------
The namespace driver and Octavia can both run at the same time and the
end user can choose which type of load balancer to create with the
``--provider`` flag on load balanceer create.
#. Activate the LBaaS v2 plugin together with the Octavia driver by setting
``neutron_lbaas_octavia`` to ``True``. This will automatically be
triggered if Octavia is installed.
#. (optional) To make sure the namespace driver is available set
``neutron_lbaas_namespace`` to ``True`` or if you want
Octavia installed stand-alone to ``False``.
#. Run the neutron playbook to deploy the LBaaS v2 agent and enable the
Dashboard panels for LBaaSv2:
.. code-block:: console
# cd /opt/openstack-ansible/playbooks
# openstack-ansible os-neutron-install.yml
# openstack-ansible os-horizon-install.yml
Deploying LBaaS v2 with Octavia proxy plugin
--------------------------------------------
Beginning Queens as part of the transition to the Octavia API endpoint
LBaaS V2 supports the Octavia proxy driver which will send all LBaaS V2
requests straight to Octavia and bypass the Neutron database and any
installed third party LBaaS V2 drivers.
#. Set ``neutron_lbaas_octavia`` to ``True`` to get the Octavia settings
along with LBaaS V2 being enabled.
#. Set ``neutron_octavia_proxy_plugin`` to ``True`` to activate the
byapssing proxy.
#. Run the neutron playbook to deploy the LBaaS v2 agent and enable the
Dashboard panels for LBaaSv2:
.. code-block:: console
# cd /opt/openstack-ansible/playbooks
# openstack-ansible os-neutron-install.yml
# openstack-ansible os-horizon-install.yml
Special notes about LBaaS
-------------------------
**LBaaS v1 was deprecated in the Mitaka release and is not available in the
Newton release.**
LBaaS v1 and v2 agents are unable to run at the same time. If you switch
LBaaS v1 to v2, the v2 agent is the only agent running. The LBaaS v1 agent
stops along with any load balancers provisioned under the v1 agent.
Load balancers are not migrated between LBaaS v1 and v2 automatically. Each
implementation has different code paths and database tables. You need
to manually delete load balancers, pools, and members before switching LBaaS
versions. Recreate these objects afterwards.
Virtual private network service (optional)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The following procedure describes how to modify the
``/etc/openstack_deploy/user_variables.yml`` file to enable VPNaaS.
#. Override the default list of neutron plugins to include
``vpnaas``:
.. code-block:: yaml
neutron_plugin_base:
- router
- metering
#. ``neutron_plugin_base`` is as follows:
.. code-block:: yaml
neutron_plugin_base:
- router
- metering
- vpnaas
#. Override the default list of specific kernel modules
in order to include the necessary modules to run ipsec:
.. code-block:: yaml
openstack_host_specific_kernel_modules:
- { name: "ebtables", pattern: "CONFIG_BRIDGE_NF_EBTABLES=", group: "network_hosts" }
- { name: "af_key", pattern: "CONFIG_NET_KEY=", group: "network_hosts" }
- { name: "ah4", pattern: "CONFIG_INET_AH=", group: "network_hosts" }
- { name: "ipcomp", pattern: "CONFIG_INET_IPCOMP=", group: "network_hosts" }
#. Execute the openstack hosts setup in order to load the kernel modules at
boot and runtime in the network hosts
.. code-block:: shell-session
# openstack-ansible openstack-hosts-setup.yml --limit network_hosts\
--tags "openstack_hosts-config"
#. Execute the neutron install playbook in order to update the configuration:
.. code-block:: shell-session
# cd /opt/openstack-ansible/playbooks
# openstack-ansible os-neutron-install.yml
#. Execute the horizon install playbook to show the VPNaaS panels:
.. code-block:: shell-session
# cd /opt/openstack-ansible/playbooks
# openstack-ansible os-horizon-install.yml
The VPNaaS default configuration options are changed through the
`conf override`_ mechanism using the ``neutron_neutron_conf_overrides``
dict.
.. _conf override: https://docs.openstack.org/openstack-ansible/latest/admin/openstack-operations.html
BGP Dynamic Routing service (optional)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The `BGP Dynamic Routing`_ plugin for neutron provides BGP speakers which can
advertise OpenStack project network prefixes to external network devices, such
as routers. This is especially useful when coupled with the `subnet pools`_
feature, which enables neutron to be configured in such a way as to allow users
to create self-service `segmented IPv6 subnets`_.
.. _BGP Dynamic Routing: https://docs.openstack.org/neutron/latest/admin/config-bgp-dynamic-routing.html
.. _subnet pools: https://docs.openstack.org/neutron/latest/admin/config-subnet-pools.html
.. _segmented IPv6 subnets: https://cloudbau.github.io/openstack/neutron/networking/2016/05/17/neutron-ipv6.html
The following procedure describes how to modify the
``/etc/openstack_deploy/user_variables.yml`` file to enable the BGP Dynamic
Routing plugin.
#. Add the BGP plugin to the ``neutron_plugin_base`` variable
in ``/etc/openstack_deploy/user_variables.yml``:
.. code-block:: yaml
neutron_plugin_base:
- ...
- neutron_dynamic_routing.services.bgp.bgp_plugin.BgpPlugin
Ensure that ``neutron_plugin_base`` includes all of the plugins that you
want to deploy with neutron in addition to the BGP plugin.
#. Execute the neutron install playbook in order to update the configuration:
.. code-block:: shell-session
# cd /opt/openstack-ansible/playbooks
# openstack-ansible os-neutron-install.yml
SR-IOV Support (optional)
~~~~~~~~~~~~~~~~~~~~~~~~~~~
The following procedure describes how to modify the OpenStack-Ansible
configuration to enable Neutron SR-IOV support.
.. _SR-IOV-Passthrough-For-Networking: https://wiki.openstack.org/wiki/SR-IOV-Passthrough-For-Networking
#. Define SR-IOV capable physical host interface for a provider network
As part of every Openstack-Ansible installation, all provider networks
known to Neutron need to be configured inside the
``/etc/openstack_deploy/openstack_user_config.yml`` file.
For each supported network type (e.g. vlan), the attribute
``sriov_host_interfaces`` can be defined to map ML2 network names
(``net_name`` attribute) to one or many physical interfaces.
Additionally, the network will need to be assigned to the
``neutron_sriov_nic_agent`` container group.
Example configuration:
.. code-block:: yaml
provider_networks
- network:
container_bridge: "br-vlan"
container_type: "veth"
container_interface: "eth11"
type: "vlan"
range: "1000:2000"
net_name: "physnet1"
sriov_host_interfaces: "p1p1,p4p1"
group_binds:
- neutron_linuxbridge_agent
- neutron_sriov_nic_agent
#. Configure Nova
With SR-IOV, Nova uses PCI passthrough to allocate VFs and PFs to guest
instances. Virtual Functions (VFs) represent a slice of a physical NIC,
and are passed as virtual NICs to guest instances. Physical Functions
(PFs), on the other hand, represent an entire physical interface and are
passed through to a single guest.
To use PCI passthrough in Nova, the ``PciPassthroughFilter`` filter
needs to be added to the `conf override`_
``nova_scheduler_default_filters``.
Finally, PCI devices available for passthrough need to be allow via
the `conf override`_
``nova_pci_passthrough_whitelist``.
Possible options which can be configured:
.. code-block:: yaml
# Single device configuration
nova_pci_passthrough_whitelist: '{ "physical_network":"physnet1", "devname":"p1p1" }'
# Multi device configuration
nova_pci_passthrough_whitelist: '[{"physical_network":"physnet1", "devname":"p1p1"}, {"physical_network":"physnet1", "devname":"p4p1"}]'
# Whitelisting by PCI Device Location
# The example pattern for the bus location '0000:04:*.*' is very wide. Make sure that
# no other, unintended devices, are whitelisted (see lspci -nn)
nova_pci_passthrough_whitelist: '{"address":"0000:04:*.*", "physical_network":"physnet1"}'
# Whitelisting by PCI Device Vendor
# The example pattern limits matches to PCI cards with vendor id 8086 (Intel) and
# product id 10ed (82599 Virtual Function)
nova_pci_passthrough_whitelist: '{"vendor_id":"8086", "product_id":"10ed", "physical_network":"physnet1"}'
# Additionally, devices can be matched by their type, VF or PF, using the dev_type parameter
# and type-VF or type-PF options
nova_pci_passthrough_whitelist: '{"vendor_id":"8086", "product_id":"10ed", "dev_type":"type-VF", physical_network":"physnet1"}'
It is recommended to use whitelisting by either the Linux device name
(devname attribute) or by the PCI vendor and product id combination
(``vendor_id`` and ``product_id`` attributes)
#. Enable the SR-IOV ML2 plugin
The `conf override`_ ``neutron_plugin_type`` variable defines the core
ML2 plugin, and only one plugin can be defined at any given time.
The `conf override`_ ``neutron_plugin_types`` variable can contain a list
of additional ML2 plugins to load. Make sure that only compatible
ML2 plugins are loaded at all times.
The SR-IOV ML2 plugin is known to work with the linuxbridge (``ml2.lxb``)
and openvswitch (``ml2.ovs``) ML2 plugins.
``ml2.lxb`` is the standard activated core ML2 plugin.
.. code-block:: yaml
neutron_plugin_types:
- ml2.sriov
#. Execute the Neutron install playbook in order to update the configuration:
.. code-block:: shell-session
# cd /opt/openstack-ansible/playbooks
# openstack-ansible os-neutron-install.yml
# openstack-ansible os-nova-install.yml
#. Check Neutron SR-IOV agent state
After the playbooks have finished configuring Neutron and Nova, the new
Neutron Agent state can be verified with:
.. code-block:: shell-session
# neutron agent-list --agent_type 'NIC Switch agent'
+--------------------------------------+------------------+-----------+-------+----------------+-------------------------+
| id | agent_type | host | alive | admin_state_up | binary |
+--------------------------------------+------------------+-----------+-------+----------------+-------------------------+
| 3012ff0e-de35-447b-aff6-fdb55b04c518 | NIC Switch agent | compute01 | :-) | True | neutron-sriov-nic-agent |
| bb0c0385-394d-4e72-8bfe-26fd020df639 | NIC Switch agent | compute02 | :-) | True | neutron-sriov-nic-agent |
+--------------------------------------+------------------+-----------+-------+----------------+-------------------------+
Deployers can make changes to the SR-IOV nic agent default configuration
options via the ``neutron_sriov_nic_agent_ini_overrides`` dict.
Review the documentation on the `conf override`_ mechanism for more details.