Home > Neutron configuration files (and iptables rules) for a two node setup:

Neutron configuration files (and iptables rules) for a two node setup:

Neutron configuration files (and iptables rules) for a two node setup:

- Controller node: Nova, Keystone, Cinder, Glance, Neutron (using Open
vSwitch plugin and GRE tunneling).

- Compute node: Nova (nova-compute), Neutron (openvswitch-agent)


Controller node Neutron configurations
======================================

1. neutron.conf
---------------

$ cat /etc/neutron/neutron.conf | grep -v ^$ | grep -v ^#
[DEFAULT]
core_plugin =neutron.plugins.openvswitch.ovs_neutron_plugin.OVSNeutronPluginV2
rpc_backend = neutron.openstack.common.rpc.impl_qpid
control_exchange = neutron
qpid_hostname = 192.169.142.49
auth_strategy = keystone
allow_overlapping_ips = True
dhcp_lease_duration = 120
allow_bulk = True
qpid_port = 5672
qpid_heartbeat = 60
qpid_protocol = tcp
qpid_tcp_nodelay = True
qpid_reconnect_limit=0
qpid_reconnect_interval_max=0
qpid_reconnect_timeout=0
qpid_reconnect=True
qpid_reconnect_interval_min=0
qpid_reconnect_interval=0
debug = False
verbose = False
[quotas]
[agent]
[keystone_authtoken]
admin_tenant_name = services
admin_user = neutron
admin_password = fedora
auth_host = 192.169.142.49
auth_port = 35357
auth_protocol = http
auth_uri=http://192.169.142.49:5000/
[database]
[service_providers]
[AGENT]
root_helper = sudo neutron-rootwrap /etc/neutron/rootwrap.conf

2. (OVS) plugin.ini
-------------------

$ cat /etc/neutron/plugin.ini | grep -v ^$ | grep -v ^#
[ovs]
tenant_network_type = gre
tunnel_id_ranges = 1:1000
enable_tunneling = True
integration_bridge = br-int
tunnel_bridge = br-tun
local_ip = 192.169.142.49
[agent]
[securitygroup]
[DATABASE]
sql_connection = mysql://neutron:fedora@node1-controller/ovs_neutron
sql_max_retries=10
reconnect_interval=2
sql_idle_timeout=3600
[SECURITYGROUP]
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver

3. dhcp_agent.ini
-----------------

$ cat /etc/neutron/dhcp_agent.ini | grep -v ^$ | grep -v ^#
[DEFAULT]
interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
handle_internal_only_routers = TRUE
external_network_bridge = br-ex
use_namespaces = True
dnsmasq_config_file = /etc/neutron/dnsmasq.conf

4. l3_agent.ini
---------------

$ cat /etc/neutron/dhcp_agent.ini | grep -v ^$ | grep -v ^#
[DEFAULT]
interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
handle_internal_only_routers = TRUE
external_network_bridge = br-ex
use_namespaces = True
dnsmasq_config_file = /etc/neutron/dnsmasq.conf

5. dnsmasq.conf
---------------

This logs dnsmasq output is to a file, instead of journalctl):

$ cat /etc/neutron/dnsmasq.conf | grep -v ^$ | grep -v ^#
log-facility = /var/log/neutron/dnsmasq.log
log-dhcp

6. api-paste.ini
----------------

$ cat /etc/neutron/api-paste.ini | grep -v ^$ | grep -v ^#
[composite:neutron]
use = egg:Paste#urlmap
/: neutronversions
/v2.0: neutronapi_v2_0
[composite:neutronapi_v2_0]
use = call:neutron.auth:pipeline_factory
noauth = extensions neutronapiapp_v2_0
keystone = authtoken keystonecontext extensions neutronapiapp_v2_0
[filter:keystonecontext]
paste.filter_factory = neutron.auth:NeutronKeystoneContext.factory
[filter:authtoken]
paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
admin_user=neutron
auth_port=35357
admin_password=fedora
auth_protocol=http
auth_uri=http://192.169.142.49:5000/
admin_tenant_name=services
auth_host = 192.169.142.49
[filter:extensions]
paste.filter_factory = neutron.api.extensions:plugin_aware_extension_middleware_factory
[app:neutronversions]
paste.app_factory = neutron.api.versions:Versions.factory
[app:neutronapiapp_v2_0]
paste.app_factory = neutron.api.v2.router:APIRouter.factory

7. metadata_agent.ini
---------------------

$ cat /etc/neutron/metadata_agent.ini | grep -v ^$ | grep -v ^#
[DEFAULT]
auth_url = http://192.169.142.49:35357/v2.0/
auth_region = regionOne
admin_tenant_name = services
admin_user = neutron
admin_password = fedora
nova_metadata_ip = 192.168.142.49
nova_metadata_port = 8775
metadata_proxy_shared_secret = fedora


Compute node Neutron configurations
===================================

1. neutron.conf
---------------

$ cat /etc/neutron/neutron.conf | grep -v ^$ | grep -v ^#
[DEFAULT]
core_plugin =neutron.plugins.openvswitch.ovs_neutron_plugin.OVSNeutronPluginV2
rpc_backend = neutron.openstack.common.rpc.impl_qpid
qpid_hostname = 192.169.142.49
auth_strategy = keystone
allow_overlapping_ips = True
qpid_port = 5672
debug = True
verbose = True
[quotas]
[agent]
[keystone_authtoken]
admin_tenant_name = services
admin_user = neutron
admin_password = fedora
auth_host = 192.169.142.49
[database]
[service_providers]
[AGENT]
root_helper = sudo neutron-rootwrap /etc/neutron/rootwrap.conf

2. (OVS) plugin.ini
-------------------

$ cat plugin.ini | grep -v ^$ | grep -v ^#
[ovs]
tenant_network_type = gre
tunnel_id_ranges = 1:1000
enable_tunneling = True
integration_bridge = br-int
tunnel_bridge = br-tun
local_ip = 192.169.142.57
[DATABASE]
sql_connection = mysql://neutron:fedora@node1-controller/ovs_neutron
[SECURITYGROUP]
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
[agent]
[securitygroup]

3. metadata_agent.ini
---------------------

$ cat metadata_agent.ini | grep -v ^$ | grep -v ^#
[DEFAULT]
auth_url = http://localhost:5000/v2.0
auth_region = RegionOne
admin_tenant_name = %SERVICE_TENANT_NAME%
admin_user = %SERVICE_USER%
admin_password = %SERVICE_PASSWORD%


iptables rules on both Controller and Compute nodes
===================================================

iptables on Controller node
---------------------------

$ cat /etc/sysconfig/iptables
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m multiport --dports 3260 -m comment --comment "001 cinder incoming" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80 -m comment --comment "001 horizon incoming" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 9292 -m comment --comment "001 glance incoming" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 5000,35357 -m comment --comment "001 keystone incoming" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 3306 -m comment --comment "001 mariadb incoming" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 6080 -m comment --comment "001 novncproxy incoming" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8770:8780 -m comment --comment "001 novaapi incoming" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 9696 -m comment --comment "001 neutron incoming" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 5672 -m comment --comment "001 qpid incoming" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8700 -m comment --comment "001 metadata incoming" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 5900:5999 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p gre -j ACCEPT
-A OUTPUT -p gre -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

iptables on Compute node
------------------------

$ cat /etc/sysconfig/iptables
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 5900:5999 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -p gre -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -p gre -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

Set Home | Add to Favorites

All Rights Reserved Powered by Free Document Search and Download

Copyright © 2011
This site does not host pdf,doc,ppt,xls,rtf,txt files all document are the property of their respective owners. complaint#downhi.com
TOP