Contents

Overview·· 1

VCF Neutron plug-ins· 1

Preparing for installation· 2

Hardware requirements· 2

Software requirements· 2

Installing OpenStack plug-ins· 3

Installing the Python tools· 3

Installing the VCF Neutron plug-ins· 3

Prerequisites· 3

Installation procedure· 3

Verifying the installation· 6

Parameters and fields· 7

Removing the VCF Neutron plug-ins· 11

Upgrading the VCF Neutron plug-ins· 11

 

Overview

This document describes how to install the virtual converged framework (VCF) Neutron plug-ins that are compatible with OpenStack on SUSE.

VCF Neutron plug-ins

Neutron is a type of OpenStack services used to manage all virtual networking infrastructures (VNIs) in an OpenStack environment. It provides virtual network services to the devices managed by OpenStack computing services.

VCF Neutron plug-ins are developed for VCF controller based on the OpenStack framework. VCF Neutron plug-ins can obtain network configuration from OpenStack through REST APIs and synchronize the configuration to the VCF controllers. They can obtain settings for the tenants' networks, subnets, routers, ports, FW, LB, or VPN. Different types of VCF Neutron plug-ins can provide the following features for tenants:

·     VCF Neutron Core plug-in—Allows tenants to use basic network communication for cores, including networks, subnets, routers, and ports.

·     VCF Neutron L3_Routing—Allows tenants to forward traffic to each other at Layer 3.

·     VCF Neutron FWaaS plug-in—Allows tenants to create firewall services.

·     VCF Neutron LBaaS plug-in—Allows tenants to create LB services.

·     VCF Neutron VPNaaS plug-in—Allows tenants to create VPN services.

Preparing for installation

Hardware requirements

To install VCF Neutron plug-ins on a server or a virtual machine, make sure the server or virtual machine meets the hardware requirements in Table 1.

Table 1 Hardware requirements

CPU	Memory size	Disk space
Single-core and multicore CPUs	2 GB and above	5 GB and above

 

Software requirements

Table 2 shows the software requirements for installing the VCF Neutron plug-ins.

Table 2 Software requirements

Item	Supported version
OpenStack	OpenStack Juno 2014.2 operates on SUSE Linux Enterprise Server 11 SP3 (x86_64)

 

IMPORTANT: Before you install the Neutron plug-ins, make sure the following requirements are met: ·     Your system has Internet access because the system must first access the Internet to set up the installation environment. ·     Make sure the OpenStack environment is deployed correctly. For example, the /etc/hosts file on all nodes has the host name-IP address mappings. For information about the OpenStack environment deployment, see the installation guide for the specific OpenStack version on the official website.

 

Installing OpenStack plug-ins

Install the VCF Neutron plug-ins on an OpenStack control node. Before installation, you need to install the Python tools on the associated node.

Installing the Python tools

Before you install the plug-ins, first download the Python tools online and install them.

[root@localhost ~]# zypper install –y python-pip python-setuptools

Installing the VCF Neutron plug-ins

Prerequisites

The VCF Neutron plug-ins are included in the VCF OpenStack package. Perform the following steps to download the VCF OpenStack package from the H3C website:

1.     In the Web browser address bar, enter http://www.h3c.com/cn/Software_Download. Select SDN > H3C Virtual Converged Framework Controller, and download the VCF OpenStack package of the required version.

2.     Copy the VCF OpenStack package to the installation directory on the server or virtual machine, or upload it to the installation directory through FTP, TFTP, or SCP.

 

NOTE: If you decide to upload the VCF OpenStack package through FTP or TFTP, use the binary mode to avoid damage to the package.

 

Installation procedure

Some parameters must be configured with the required values as described in "Parameters and fields."

To install the VCF Neutron plug-ins:

1.     Change the working directory to where the VCF OpenStack package (an .egg file) is saved, and install the package on the OpenStack control node. The name of the VCF OpenStack package is VCF_CONTROLLER_PLUGIN-version1_version2-py2.7. version1 represents the version of the package and version2 represents the version of OpenStack.

In the following example, the VCF OpenStack package is saved to the path /root.

[root@localhost ~]# easy_install --no-deps VCF_CONTROLLER_PLUGIN-D2156_juno_2014.2-py2.7.egg

Processing VCF_CONTROLLER_PLUGIN-D2156_juno_2014.2-py2.7.egg

creating /usr/local/lib64/python2.6/site-packages/VCF_CONTROLLER_PLUGIN-D2156_juno_2014.2-py2.7.egg

Extracting VCF_CONTROLLER_PLUGIN-D2156_juno_2014.2-py2.7.egg to /usr/local/lib64/python2.6/site-packages

Adding VCF-CONTROLLER-PLUGIN D2156-juno-2014.2 to easy-install.pth file

Installing h3c-vcfplugin script to /usr/local/bin

Installing h3c-agent script to /usr/local/bin

 

Installed /usr/local/lib64/python2.6/site-packages/VCF_CONTROLLER_PLUGIN-D2156_juno_2014.2-py2.7.egg

Processing dependencies for VCF-CONTROLLER-PLUGIN==D2156-juno-2014.2

Finished processing dependencies for VCF-CONTROLLER-PLUGIN==D2156-juno-2014.2

 

IMPORTANT: For successful installation, you must specify the --no-deps option in the easy_install command to ignore the software dependencies.

 

2.     Install the VCF Neutron plug-ins.

[root@localhost ~]# h3c-vcfplugin controller install

3.     Use the vi editor to open the neutron.conf configuration file.

[root@localhost ~]# vi /etc/neutron/neutron.conf

4.     Press I to switch to the insert mode, and set the parameters in the neutron.conf configuration file. For information about the parameters, see "neutron.conf."

[DEFAULT]

core_plugin = ml2

service_plugins = h3c_vcfplugin.l3_router.h3c_l3_router_plugin.H3CL3RouterPlugin,firewall,lbaas,vpnaas

[service_providers]

service_provider=FIREWALL:H3C:h3c_vcfplugin.fw.h3c_fwplugin_driver.H3CFwaasDriver:default

service_provider=LOADBALANCER:H3C:h3c_vcfplugin.lb.h3c_lbplugin_driver.H3CLbaasPluginDriver:default

service_provider=VPN:H3C:h3c_vcfplugin.vpn.h3c_vpnplugin_driver.H3CVpnPluginDriver:default

5.     Press Esc to quit the insert mode.

6.     Enter :wq to exit the vi editor and save the neutron.conf file.

:wq

7.     Use the vi editor to open the ml2_conf.ini configuration file.

[root@localhost ~]# vi /etc/neutron/plugins/ml2/ml2_conf.ini

8.     Press I to switch to the insert mode, and set the parameters in the ml2_conf.ini configuration file. For information about the parameters, see "ml2_conf.ini."

[ml2]

type_drivers = vxlan,vlan

tenant_network_types = vxlan,vlan

mechanism_drivers = ml2_h3c

extension_drivers = ml2_extension_h3c

[ml2_type_vlan]

network_vlan_ranges = physicnet1:1000:2999

[ml2_type_vxlan]

vni_ranges = 1:500

9.     Press Esc to quit the insert mode.

10.     Enter :wq to exit the vi editor and save the ml2_conf.ini file.

:wq

11.     Use the vi editor to open the local_settings configuration file.

12.     Press I to switch to the insert mode.

Set the values for the LB, FW, and VPN fields in the OPENSTACK_NEUTRON_NETWORK parameter to enable the associated configuration pages in OpenStack Web. For information about the fields, see "OPENSTACK_NEUTRON_NETWORK."

[root@localhost ~]# vi /etc/openstack-dashboard/local_settings

OPENSTACK_NEUTRON_NETWORK = {

    'enable_lb': True,

    'enable_firewall': True,

    'enable_quotas': True,

    'enable_vpn': True,

    # The profile_support option is used to detect if an external router can be

    # configured via the dashboard. When using specific plugins the

    # profile_support can be turned on if needed.

    'profile_support': None,

    #'profile_support': 'cisco',

}

13.     Press Esc to quit the insert mode.

14.     Enter :wq to exit the vi editor and save the local_settings file.

:wq

15.     Use the vi editor to open the ml2_conf_h3c.ini configuration file.

[root@localhost ~]# vi /etc/neutron/plugins/ml2/ml2_conf_h3c.ini

16.     Press I to switch to the insert mode, and set the parameters in the ml2_conf_h3c.ini configuration file. For information about the parameters, see "ml2_conf_h3c.ini."

[VCFCONTROLLER]

url = https://127.0.0.1:8443

username = sdn

password = skyline123

domain = sdn

timeout = 300

retry = 10

vnic_type=ovs

hybrid_vnic = True

default_tenant_mode = False

ip_mac_binding = False

denyflow_age =300

white_list = False

binddefaultrouter = False

auto_create_tenant_to_vcfc = True

router_binding_public_vrf = False

enable_subnet_dhcp = True

dhcp_lease_time = 365

firewall_type = SERVICE_CHAIN

lb_type = GATEWAY

resource_mode = NFV

auto_delete_tenant_to_vcfc = True

auto_create_resource = True

nfv_ha = True

vds_name = VDS1

enable_metadata = False

use_neutron_credential = False

enable_security_group = True

disable_internal_l3flow_offload = True

firewall_force_audit = True

enable_l3_router_rpc_notify = False

output_json_log = False

lb_enable_snat = False

empty_rule_action = deny

vendor_rpc_topic = VENDOR_PLUGIN

17.     Press Esc to quit the insert mode.

18.     Enter :wq to exit the vi editor and save the ml2_conf_h3c.ini file.

:wq

19.     If you have set the white_list parameter to True, perform the following tasks:

?     Delete the username, password, and domain parameters in the ml2_conf_h3c.ini configuration file.

?     Add an authentication-free user to the VCF controller:

On the top navigation bar of the VCF controller Web interface, select Controller > System > Authentication.

Click Add.

Enter the IP address of the host where openstack-neutron is installed, and specify the role as Admin.

Click OK.

20.     If you have set the binddefaultrouter parameter to True, perform the following steps:

a.     On the top navigation bar of the VCF controller Web interface, select vNetwork > vRouter.

b.     Click Add vRouter.

Configure the vRouter name as defaultRouter and the tenant as default, and select Public network VRF.

Click OK.

21.     If you have set the use_neutron_credential parameter to True, perform the following steps:

a.     On the top navigation bar of the VCF controller Web interface, select Controller > System > Users.

b.     Click Add user.

Configure the username as neutron and the role as Admin, and set the password to the one that is used with username neutron in OpenStack.

Click OK.

22.     Restart the openstack-neutron service.

[root@localhost ~]# service openstack-neutron restart

openstack-neutron stop/waiting

openstack-neutron start/running, process 4583

23.     Restart the h3c-agent service.

[root@localhost ~]# service h3c-agent restart

h3c-agent stop/waiting

h3c-agent start/running, process 4678

Verifying the installation

# Verify that the VCF OpenStack package is correctly installed. If the correct software and OpenStack versions are displayed, the package is successfully installed.

[root@localhost ~]# pip freeze | grep VCF

VCF-CONTROLLER-PLUGIN==D2156-juno-2014.2

# Verify that the openstack-neutron service is enabled. The service is enabled if its state is running.

[root@localhost ~]# service openstack-neutron status

openstack-neutron start/running, process 1849

# Verify that the h3c-agent service is enabled. The service is enabled if its state is running.

[root@localhost ~]# service h3c-agent status

h3c-agent start/running, process 4678

Parameters and fields

This section describes parameters in configuration files and fields included in parameters.

neutron.conf

Parameter	Required value	Description
core_plugin	ml2	Used for loading the core plug-in ml2 to OpenStack.
service_plugins	h3c_vcfplugin.l3_router.h3c_l3_router_plugin.H3CL3RouterPlugin,firewall,lbaas,vpnaas	Used for loading the extension plug-ins to OpenStack.
service_provider	·     FIREWALL:H3C:h3c_vcfplugin.fw.h3c_fwplugin_driver.H3CFwaasDriver:default ·     LOADBALANCER:H3C:h3c_vcfplugin.lb.h3c_lbplugin_driver. H3CLbaasPluginDriver:default ·     VPN:H3C:h3c_vcfplugin.vpn.h3c_vpnplugin_driver.H3CVpnPluginDriver:default	Directory where the extension plug-ins are saved.

 

ml2_conf.ini

Parameter	Required value	Description
type_drivers	vxlan, vlan	Driver type. vxlan must be specified as the first driver type.
tenant_network_types	vxlan, vlan	Type of the networks to which the tenants belong. vxlan must be specified as the first driver type. For intranet, only vxlan is available. For extranet, only vlan is available.
mechanism_drivers	ml2_h3c	Name of the ml2 driver.
extension_drivers	ml2_extension_h3c	Name of the ml2 extension driver.
network_vlan_ranges	N/A	Value range for the VLAN ID of the extranet, for example, physicnet1:1000:2999.
vni_ranges	1:500	Value range for the VXLAN ID of the intranet, for example, 1:500.

 

OPENSTACK_NEUTRON_NETWORK

Field	Description
enable_lb	Whether to enable or disable the LB configuration page. ·     True—Enable. ·     False—Disable.
enable_firewall	Whether to enable or disable the FW configuration page. ·     True—Enable. ·     False—Disable.
enable_vpn	Whether to enable or disable the VPN configuration page. ·     True—Enable. ·     False—Disable.

 

ml2_conf_h3c.ini

Parameter	Description
url	HTTPS URL address of the VCF controller, for example, https://127.0.0.1:8443.
username	Username for logging in to the VCF controller, for example, sdn. You do not need to configure a username if the use_neutron_credential parameter is set to True.
password	Password for logging in to the VCF controller, for example, skyline123. You do not need to configure a password if the use_neutron_credential parameter is set to True.
domain	Name of the domain where the VCF controller resides, for example, sdn.
timeout	Time period that the Neutron server waits for a response from the VCF controller in seconds, for example, 300 seconds.
retry	Maximum times for sending connection requests from the Neutron server to the VCF controller, for example, 10.
vnic_type	Type of the virtual NIC that the virtual machine supports, for example, ovs.
hybrid_vnic	Whether to enable or disable the feature of mapping OpenStack VLAN to VCF controller VXLAN. ·     True—Enable. ·     False—Disable.
default_tenant_mode	Whether to enable or disable the default tenant mode. ·     True—Enable. ·     False—Disable. All tenants use the virtualized network function (VNF) resources for the default tenant after the default tenant mode is enabled.
ip_mac_binding	Whether to enable or disable IP-MAC binding. ·     True—Enable. ·     False—Disable.
denyflow_age	Anti-spoofing flow table aging time for the virtual distributed switch (VDS), an integer in the range of 1 to 3600 seconds, for example, 300 seconds.
white_list	Whether to enable or disable the authentication-free user feature on OpenStack. ·     True—Enable. ·     False—Disable.
binddefaultrouter	Whether to enable or disable the feature of binding networks to the VCF controller default router. ·     True—Enable. ·     False—Disable.
auto_create_tenant_to_vcfc	Whether to enable or disable the feature of automatically creating tenants on the VCF controller. ·     True—Enable. ·     False—Disable.
router_binding_public_vrf	Whether to use the public network VRF for creating a vRouter. ·     True—Use. ·     False—Do not use.
enable_subnet_dhcp	Whether to disable or enable DHCP for creating a vSubnet. ·     True—Enable. ·     False—Disable.
dhcp_lease_time	Valid time for vSubnet IP addresses obtained from the DHCP address pool in days, for example, 365 days.
firewall_type	Mode of the firewall created on the VCF controller. ·     SERVICE_CHAIN—Service chain type firewall, which is available only when the value of the resource_mode parameter is set to NFV. ·     CGSR—Gateway service type firewall, which is available only when the value of the resource_mode parameter is set to CORE_GATEWAY. Each CGSR type firewall uses an independent context.
lb_type	Mode of the load balancer created on the VCF controller. ·     GATEWAY—Gateway type load balancer, which is available only when the value of the resource_mode parameter is set to NFV. ·     SERVICE_CHAIN—Service chain type load balancer, which is available only when the value of the resource_mode parameter is set to NFV. SERVICE_CHAIN load balancers that belong to one tenant share the same VNF. SERVICE_CHAIN load balancers that belong to different tenants use different VNFs. ·     CGSR—Gateway service type load balancer, which is available only when the value of the resource_mode parameter is set to CORE_GATEWAY. CGSR type load balancers that belong to one tenant use the same context. CGSR type load balancers that belong to different tenants use different contexts.
resource_mode	Type of the resource created on the VCF controller. The available values are as follows: ·     SELF_GATEWAY—Independent gateway resource. ·     NFV—VNF resource. ·     CORE_GATEWAY—Gateway service resource.
auto_delete_tenant_to_vcfc	Whether to enable or disable the feature of automatically removing tenants from the VCF controller. ·     True—Enable. ·     False—Disable.
auto_create_resource	Whether to enable or disable the feature of automatically creating resources. ·     True—Enable. ·     False—Disable.
nfv_ha	Whether configure the NFV resources to support stack. ·     True—Support. ·     False—Do not support.
vds_name	Name of the VDS, for example, VDS1. After deleting a VDS and recreating a VDS with the same name, you must perform the following tasks on the controller node for the new VDS to take effect: ·     Reboot the neutron-server service. ·     Reboot the h3c-agent service.
enable_metadata	Whether to enable or disable metadata for OpenStack. ·     True—Enable. ·     False—Disable. If you enable this feature, you must set the enable_l3_router_rpc_notify parameter to True.
use_neutron_credential	Whether to use the OpenStack Neutron username and password to communicate with the VCF controller. ·     True—Use. ·     False—Do not use.
enable_security_group	Whether to enable or disable the feature of deploying security group rules to the VCF controller. ·     True—Enable. ·     False—Disable.
disable_internal_l3flow_offload	Whether to enable or disable the gateway to forward traffic inside the Overlay network. ·     True—Disable. ·     False—Enable.
firewall_force_audit	Whether to audit firewall policies synchronized to the VCF controller by OpenStack. ·     True—Audits firewall policies synchronized to the VCF controller by OpenStack. The auditing state of the synchronized policies on the controller is True (audited). ·     False—Does not audit firewall policies synchronized to the VCF controller by OpenStack. The synchronized policies on the controller retain their previous auditing state.
enable_l3_router_rpc_notify	Whether to enable or disable the feature of sending Layer 3 routing events through RPC. ·     True—Enable. ·     False—Disable.
output_json_log	Whether to output REST API messages to the OpenStack operating logs in JSON format for communication between the VCF Neutron plugins and VCF controller. ·     True—Enable. ·     False—Disable.
lb_enable_snat	Whether to enable Source Network Address Translation (SNAT) for load balancers on the VCF controller. ·     True—Enable. ·     False—Disable.
empty_rule_action	Set the action for security policies that do not contain any ACL rules on the VCF controller. In the current software version, only the deny action is supported.
vendor_rpc_topic	RPC topic of the vendor. This parameter is required when the vendor needs to obtain Neutron data from the VCF Neutron plug-ins. The available values are as follows: ·     VENDOR_PLUGIN—Default value, which means that the parameter does not take effect. ·     DP_PLUGIN—RPC topic of DPtech. The value of this parameter must be negotiated by the vendor and H3C.

 

Removing the VCF Neutron plug-ins

You must remove the VCF Neutron plug-ins before removing the VCF OpenStack package.

To remove the VCF Neutron plug-ins:

1.     Remove the VCF Neutron plug-ins by using either of the following methods:

?     Enter y to remove the database for the VCF Neutron plug-ins at the same time. As a best practice, remove the configurations for the SERVICE_CHAIN type firewalls, or GATEWAY or SERVICE_CHAIN type load balancers on OpenStack before you remove the plug-ins.

?     Enter n to retain the database. When you install new VCF Neutron plug-ins, the plug-ins automatically read the configuration file from the database.

[root@localhost ~]# h3c-vcfplugin controller uninstall

Uninstall the neutron plugin

whether to drop database tables:(y/n):

2.     Remove the VCF OpenStack package.

[root@localhost ~]# pip uninstall VCF-CONTROLLER-PLUGIN

Uninstalling VCF-CONTROLLER-PLUGIN:

  /usr/local/lib64/python2.6/site-packages/ VCF_CONTROLLER_PLUGIN-D2156_juno_2014.2-py2.7.egg

Proceed (y/n)? y

  Successfully uninstalled VCF-CONTROLLER-PLUGIN

Upgrading the VCF Neutron plug-ins

	CAUTION: Services might be interrupted during the Neutron plug-ins upgrade procedure.

 

To upgrade the VCF Neutron plug-ins, you need to remove the current version first, and install the new version. For information about installing the VCF Neutron plug-ins, see "Installing the VCF Neutron plug-ins." For information about removing the VCF Neutron plug-ins, see "Removing the VCF Neutron plug-ins."