Start the OVS service and create an integration bridge $ systemctl start openvswitch.service $ systemctl enable openvswitch.service $ systemctl enable neutron-ovs-cleanup.service $ ovs-vsctl add-br br-int $ cat > /etc/sysconfig/network-scripts/ifcfg-br-ex <<EOF DEVICE=br-ex BOOTPROTO=static ONBOOT=yes IPADDR=192.168.122.163 NETMASK=255.255.255.0 GATEWAY=192.168.122.1 EOF $ ovs-vsctl add-br br-ex $ ovs-vsctl add-port br-ex eth0 $ systemctl stop NetworkManager $ systemctl disable NetworkManager $ systemctl restart network $ systemctl status network # must be running Update /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini to use GRE tunneling: $ grep "\[ovs\]" -A7 ovs_neutron_plugin.ini [...] [ovs] tenant_network_type = gre tunnel_id_ranges = 1:1000 enable_tunneling = True integration_bridge = br-int tunnel_bridge = br-tun local_ip = 192.168.122.163 Configure neutron.conf $ openstack-config --set /etc/neutron/neutron.conf DEFAULT \ core_plugin neutron.plugins.openvswitch.ovs_neutron_plugin.OVSQuantumPluginV2 $ openstack-config --set /etc/neutron/neutron.conf DEFAULT \ ovs_use_veth True $ openstack-config --set /etc/neutron/neutron.conf DEFAULT allow_overlapping_ips True $ openstack-config --set /etc/neutron/neutron.conf DEFAULT \ rpc_backend neutron.openstack.common.rpc.impl_qpid $ openstack-config --set /etc/neutron/neutron.conf DEFAULT \ qpid_hostname 192.168.122.163 $ openstack-config --set /etc/neutron/neutron.conf DEFAULT \ qpid_port 5672 Make Neutron Keystone entries $ openstack-config --set /etc/neutron/neutron.conf \ DEFAULT auth_strategy keystone $ openstack-config --set /etc/neutron/neutron.conf \ keystone_authtoken auth_host 192.168.122.163 $ openstack-config --set /etc/neutron/neutron.conf \ keystone_authtoken admin_tenant_name services $ openstack-config --set /etc/neutron/neutron.conf \ keystone_authtoken admin_user neutron $ openstack-config --set /etc/neutron/neutron.conf \ keystone_authtoken admin_password redhat $ openstack-config --set 
/etc/neutron/neutron.conf \ AGENT root_helper sudo neutron-rootwrap /etc/neutron/rootwrap.conf Make sure the SQL connection string is set correctly (note: the syntax below is user:password, i.e. neutron:redhat) $ grep sql_connection plugin.ini sql_connection = mysql://neutron:redhat@vm01-controller/ovs_neutron Configure DHCP agent to use OVS $ openstack-config --set /etc/neutron/dhcp_agent.ini \ DEFAULT interface_driver \ neutron.agent.linux.interface.OVSInterfaceDriver Handle routes $ openstack-config --set /etc/neutron/dhcp_agent.ini \ DEFAULT handle_internal_only_routers TRUE Handle external bridge network $ openstack-config --set /etc/neutron/dhcp_agent.ini \ DEFAULT external_network_bridge br-ex Use veth $ openstack-config --set /etc/neutron/dhcp_agent.ini \ DEFAULT ovs_use_veth True Use network namespaces $ openstack-config --set /etc/neutron/dhcp_agent.ini \ DEFAULT use_namespaces True DHCP agent configuration $ cat dhcp_agent.ini | grep -v ^$ | grep -v ^# [DEFAULT] interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver handle_internal_only_routers = TRUE external_network_bridge = br-ex ovs_use_veth = True use_namespaces = True L3 agent configuration $ cat l3_agent.ini | grep -v ^$ | grep -v ^# [DEFAULT] interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver handle_internal_only_routers = TRUE ovs_use_veth = True use_namespaces = True metadata_ip = 192.168.122.163 metadata_port = 8700 Configure Identity records for Neutron $ keystone user-create --name=neutron --pass=redhat +----------+----------------------------------+ | Property | Value | +----------+----------------------------------+ | email | | | enabled | True | | id | d18d9504e4324e619b4c9482bdbbcf88 | | name | neutron | +----------+----------------------------------+ $ keystone user-role-add --user neutron --role admin \ --tenant services $ keystone service-create --name neutron --type network \ > --description "Neutron Network Service" 
+-------------+----------------------------------+ | Property | Value | +-------------+----------------------------------+ | description | Neutron Network Service | | id | 7aa4d0c833db478bad4efb8c0b1e0c3a | | name | neutron | | type | network | +-------------+----------------------------------+ $ keystone endpoint-create --service_id 7aa4d0c833db478bad4efb8c0b1e0c3a \ --publicurl "http://192.168.122.163:9696" \ --adminurl "http://192.168.122.163:9696" \ --internalurl "http://192.168.122.163:9696" +-------------+----------------------------------+ | Property | Value | +-------------+----------------------------------+ | adminurl | http://192.168.122.163:9696 | | id | d09647c5ed774a258e73f8181fbc5e7f | | internalurl | http://192.168.122.163:9696 | | publicurl | http://192.168.122.163:9696 | | region | regionOne | | service_id | 7aa4d0c833db478bad4efb8c0b1e0c3a | +-------------+----------------------------------+ Start, enable, Neutron services $ for i in start enable status; \ do systemctl $i openvswitch; done $ for i in start enable status; \ do systemctl $i neutron-server; done $ for i in start enable status; \ do systemctl $i neutron-l3-agent; done $ for i in start enable status; \ do systemctl $i neutron-dhcp-agent; done $ for i in start enable status; \ do systemctl $i neutron-openvswitch-agent; done $ for i in start enable status; \ do systemctl $i neutron-ovs-cleanup; done Display OVS bridges and ports $ ovs-vsctl show 6f5d0e33-7013-4816-bc97-29af9abe8309 Bridge br-int Port br-int Interface br-int type: internal Port patch-tun Interface patch-tun type: patch options: {peer=patch-int} Bridge br-tun Port patch-int Interface patch-int type: patch options: {peer=patch-tun} Port br-tun Interface br-tun type: internal Bridge br-ex Port "eth0" Interface "eth0" Port br-ex Interface br-ex type: internal ovs_version: "2.0.0" Configuration files: ==================== 1. 
plugin.ini (#OVS) --------------------- $ cat plugin.ini | grep -v ^$ | grep -v ^# [ovs] [agent] [securitygroup] [ovs] tenant_network_type = gre tunnel_id_ranges = 1:1000 enable_tunneling = True integration_bridge = br-int tunnel_bridge = br-tun local_ip = 192.168.122.163 [DATABASE] sql_connection = mysql://neutron:redhat@vm01-controller/ovs_neutron [SECURITYGROUP] firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver 2. neutron.conf: ----------------- $ cat neutron.conf | grep -v ^$ | grep -v ^# [DEFAULT] core_plugin = neutron.plugins.openvswitch.ovs_neutron_plugin.OVSNeutronPluginV2 rpc_backend = neutron.openstack.common.rpc.impl_qpid qpid_hostname = localhost auth_strategy = keystone ovs_use_veth = True allow_overlapping_ips = True qpid_port = 5672 [quotas] quota_network = 20 quota_subnet = 20 [agent] root_helper = sudo neutron-rootwrap /etc/neutron/rootwrap.conf [keystone_authtoken] auth_host = 192.168.122.163 admin_tenant_name = services admin_user = neutron admin_password = redhat [database] [service_providers] 3. l3_agent.ini ---------------- $ cat l3_agent.ini | grep -v ^$ | grep -v ^# [DEFAULT] interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver handle_internal_only_routers = TRUE ovs_use_veth = True use_namespaces = True metadata_ip = 192.168.122.163 metadata_port = 8700 4. metadata_agent.ini --------------------- $ cat metadata_agent.ini | grep -v ^$ | grep -v ^# [DEFAULT] auth_url = http://192.168.122.163:35357/v2.0/ auth_region = regionOne admin_tenant_name = services admin_user = neutron admin_password = redhat nova_metadata_ip = 192.168.122.163 nova_metadata_port = 8700 metadata_proxy_shared_secret = redhat 5. 
iptables ----------- $ cat /etc/sysconfig/iptables *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -A INPUT -p icmp -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -p tcp -m multiport --dports 3260 -m comment --comment "001 cinder incoming" -j ACCEPT -A INPUT -p tcp -m multiport --dports 80 -m comment --comment "001 horizon incoming" -j ACCEPT -A INPUT -p tcp -m multiport --dports 9292 -m comment --comment "001 glance incoming" -j ACCEPT -A INPUT -p tcp -m multiport --dports 5000,35357 -m comment --comment "001 keystone incoming" -j ACCEPT -A INPUT -p tcp -m multiport --dports 3306 -m comment --comment "001 mariadb incoming" -j ACCEPT -A INPUT -p tcp -m multiport --dports 6080 -m comment --comment "001 novncproxy incoming" -j ACCEPT -A INPUT -p tcp -m multiport --dports 8770:8780 -m comment --comment "001 novaapi incoming" -j ACCEPT -A INPUT -p tcp -m multiport --dports 9696 -m comment --comment "001 neutron incoming" -j ACCEPT -A INPUT -p tcp -m multiport --dports 5672 -m comment --comment "001 qpid incoming" -j ACCEPT -A INPUT -p tcp -m multiport --dports 8700 -m comment --comment "001 metadata incoming" -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 5900:5999 -j ACCEPT -A INPUT -j REJECT --reject-with icmp-host-prohibited -A INPUT -p gre -j ACCEPT -A OUTPUT -p gre -j ACCEPT -A FORWARD -j REJECT --reject-with icmp-host-prohibited COMMIT Note: the "-A INPUT -p gre -j ACCEPT" rule above is listed after the catch-all "-A INPUT -j REJECT" rule, so incoming GRE tunnel traffic is rejected before that rule is ever reached; it must be placed above the REJECT rule for the tunnel to work. 6. 
Output of ovs-vsctl show ---------------------------- $ ovs-vsctl show 6f5d0e33-7013-4816-bc97-29af9abe8309 Bridge br-int Port patch-tun Interface patch-tun type: patch options: {peer=patch-int} Port br-int Interface br-int type: internal Port "tap63ea2815-b5" tag: 1 Interface "tap63ea2815-b5" Bridge br-ex Port "eth0" Interface "eth0" Port "tape7110dba-a9" Interface "tape7110dba-a9" Port br-ex Interface br-ex type: internal Bridge br-tun Port patch-int Interface patch-int type: patch options: {peer=patch-tun} Port br-tun Interface br-tun type: internal Port "gre-2" Interface "gre-2" type: gre options: {in_key=flow, local_ip="192.168.122.163", out_key=flow, remote_ip="192.168.122.100"} ovs_version: "2.0.0" Create Neutron networks on Controller node ------------------------------------------ Find the tenant_id of services tenant $ keystone tenant-list | grep services | awk '{print $2;}' a04e8158c9974f2699185994791e78c1 Create an external network $ neutron net-create --tenant-id a04e8158c9974f2699185994791e78c1 \ ext --router:external=True Created a new network: +---------------------------+--------------------------------------+ | Field | Value | +---------------------------+--------------------------------------+ | admin_state_up | True | | id | 12e4de23-34f8-4f9f-ba2b-810c36f3cc40 | | name | ext | | provider:network_type | gre | | provider:physical_network | | | provider:segmentation_id | 1 | | router:external | True | | shared | False | | status | ACTIVE | | subnets | | | tenant_id | a04e8158c9974f2699185994791e78c1 | +---------------------------+--------------------------------------+ Create subnet for the 'ext' network $ neutron subnet-create --tenant-id a04e8158c9974f2699185994791e78c1 \ ext 192.168.122.0/24 --enable_dhcp=False --allocation-pool \ start=192.168.122.10,end=192.168.122.200 --gateway-ip \ 192.168.122.1 Created a new subnet: +------------------+-------------------------------------------------------+ | Field | Value | 
+------------------+-------------------------------------------------------+ | allocation_pools | {"start": "192.168.122.10", "end": "192.168.122.200"} | | cidr | 192.168.122.0/24 | | dns_nameservers | | | enable_dhcp | False | | gateway_ip | 192.168.122.1 | | host_routes | | | id | 2b84cf48-0db5-4e9f-b8f7-cef2a204f497 | | ip_version | 4 | | name | | | network_id | 12e4de23-34f8-4f9f-ba2b-810c36f3cc40 | | tenant_id | a04e8158c9974f2699185994791e78c1 | +------------------+-------------------------------------------------------+ $ neutron net-list +--------------------------------------+------+-------------------------------------------------------+ | id | name | subnets | +--------------------------------------+------+-------------------------------------------------------+ | 12e4de23-34f8-4f9f-ba2b-810c36f3cc40 | ext | 2b84cf48-0db5-4e9f-b8f7-cef2a204f497 192.168.122.0/24 | +--------------------------------------+------+-------------------------------------------------------+ $ neutron subnet-list +--------------------------------------+------+------------------+-------------------------------------------------------+ | id | name | cidr | allocation_pools | +--------------------------------------+------+------------------+-------------------------------------------------------+ | 2b84cf48-0db5-4e9f-b8f7-cef2a204f497 | | 192.168.122.0/24 | {"start": "192.168.122.10", "end": "192.168.122.200"} | +--------------------------------------+------+------------------+-------------------------------------------------------+ $ neutron net-show ext +---------------------------+--------------------------------------+ | Field | Value | +---------------------------+--------------------------------------+ | admin_state_up | True | | id | 12e4de23-34f8-4f9f-ba2b-810c36f3cc40 | | name | ext | | provider:network_type | gre | | provider:physical_network | | | provider:segmentation_id | 1 | | router:external | True | | shared | False | | status | ACTIVE | | subnets | 
2b84cf48-0db5-4e9f-b8f7-cef2a204f497 | | tenant_id | a04e8158c9974f2699185994791e78c1 | +---------------------------+--------------------------------------+ Next, let's create an internal network under a tenant network (ostenant). Source the keystone user's credentials: $ . keystonerc_kashyap Create a router attached to the external network. This router routes traffic to the internal subnets $ neutron router-create router1 Created a new router: +-----------------------+--------------------------------------+ | Field | Value | +-----------------------+--------------------------------------+ | admin_state_up | True | | external_gateway_info | | | id | d72adddf-4c02-4916-ae6d-16bfdaf59d99 | | name | router1 | | status | ACTIVE | | tenant_id | 2c845a6ad20e45ccb0b045cee27a9661 | +-----------------------+--------------------------------------+ Connect the router to ext by setting the gateway for the router as ext $ neutron router-gateway-set router1 ext Set gateway for router router1 Create an internal network and its associated subnet $ neutron net-create int Created a new network: +----------------+--------------------------------------+ | Field | Value | +----------------+--------------------------------------+ | admin_state_up | True | | id | 1a4157a6-5cf2-46e3-bdea-1533c8f54cdf | | name | int | | shared | False | | status | ACTIVE | | subnets | | | tenant_id | 2c845a6ad20e45ccb0b045cee27a9661 | +----------------+--------------------------------------+ $ neutron subnet-create int 30.0.0.0/24 --dns_nameservers list=true 192.168.122.1 Created a new subnet: +------------------+--------------------------------------------+ | Field | Value | +------------------+--------------------------------------------+ | allocation_pools | {"start": "30.0.0.2", "end": "30.0.0.254"} | | cidr | 30.0.0.0/24 | | dns_nameservers | 192.168.122.1 | | enable_dhcp | True | | gateway_ip | 30.0.0.1 | | host_routes | | | id | 04b95f13-cc77-4f9a-8206-7f6ed183461d | | ip_version | 4 | | name | | | 
network_id | 1a4157a6-5cf2-46e3-bdea-1533c8f54cdf | | tenant_id | 2c845a6ad20e45ccb0b045cee27a9661 | +------------------+--------------------------------------------+ Connect the above subnet to the router by setting it as a port $ neutron router-interface-add router1 04b95f13-cc77-4f9a-8206-7f6ed183461d Added interface 63ea2815-b524-4a12-931d-3e7db60ea170 to router router1. List subnets (as keystonerc_kashyap) $ neutron subnet-list +--------------------------------------+------+-------------+--------------------------------------------+ | id | name | cidr | allocation_pools | +--------------------------------------+------+-------------+--------------------------------------------+ | 04b95f13-cc77-4f9a-8206-7f6ed183461d | | 30.0.0.0/24 | {"start": "30.0.0.2", "end": "30.0.0.254"} | +--------------------------------------+------+-------------+--------------------------------------------+