H3C SeerEngine-DC Controller Converged OpenStack Plug-Ins Installation Guide for Kolla-E37xx-5W701


Overview

This document describes how to install OpenStack plug-ins for interoperability with OpenStack cloud platforms. Then SeerEngine-DC can process requests from the OpenStack cloud platforms.

OpenStack plug-ins include SeerEngine-DC Neutron plug-ins, Nova patch, openvswitch-agent patch, and DHCP failover components.

SeerEngine-DC Neutron plug-ins

Neutron is the OpenStack service that manages all virtual networking infrastructure (VNI) in an OpenStack environment. It provides virtual network services to the devices managed by the OpenStack compute service.

SeerEngine-DC Neutron plug-ins are developed for the SeerEngine-DC controller based on the OpenStack framework.

The SeerEngine-DC Neutron plug-ins allow deployment of the network configuration obtained from OpenStack through REST APIs on the SeerEngine-DC controller, including tenants' networks, subnets, routers, and ports.

 

CAUTION:

To avoid service interruptions, after the plug-ins connect to the OpenStack cloud platform, do not modify on the controller the settings issued by the cloud platform, such as the virtual link layer network, vRouter, and vSubnet settings.

 

SeerEngine-DC Neutron security plug-ins

SeerEngine-DC Neutron security plug-ins are developed for the SeerEngine-DC controller based on the OpenStack framework. SeerEngine-DC Neutron security plug-ins can obtain security configuration from OpenStack through REST APIs and synchronize the configuration to the SeerEngine-DC controllers. They can obtain settings for the tenants' FW, LB, or VPN.


Preparing for installation

Hardware requirements

Table 1 shows the hardware requirements for installing the SeerEngine-DC Neutron plug-ins on a server or virtual machine.

Table 1 Hardware requirements

CPU                            | Memory size    | Disk space
Single-core and multicore CPUs | 2 GB and above | 5 GB and above

 

Software requirements

Table 2 shows the software requirements for installing the SeerEngine-DC Neutron plug-ins.

Table 2 Software requirements

Item                                      | Supported versions
OpenStack deployed by using Kolla-Ansible | OpenStack Ocata, OpenStack Pike, OpenStack Queens, OpenStack Rocky, OpenStack Stein

 

IMPORTANT:

Before you install the OpenStack plug-ins, make sure the following requirements are met:

·     Your system has a reliable Internet connection.

·     OpenStack has been deployed correctly. Verify that the /etc/hosts file on all nodes has the host name-IP address mappings, and the OpenStack Neutron extension services (Neutron-FWaas, Neutron-VPNaas, or Neutron-LBaas) have been deployed. For the deployment procedure, see the installation guide for the specific OpenStack version on the OpenStack official website.

 

 

NOTE:

·     The SeerEngine-DC Neutron security plug-in does not support OpenStack Stein.

·     For the installation of converged version of SeerEngine_DC plug-ins (SeerEngine_DC_PLUGIN-version-py2.7.egg), see H3C SeerEngine-DC OpenStack Converged Plug-Ins Installation Guide.

 

 


Deploying OpenStack by using Kolla Ansible

Before installing the plug-ins, deploy OpenStack by using Kolla Ansible first. For the OpenStack deployment procedure, see the installation guide for the specific OpenStack version on the OpenStack official website.


Preprovisioning basic SeerEngine-DC settings

This procedure preprovisions only basic SeerEngine-DC settings. For the configuration in a specific scenario, see the SeerEngine-DC configuration guide for that scenario.

Table 3 Preprovisioning basic SeerEngine-DC settings

Item | Configuration directory
Fabrics | Provision > Network Design > Fabrics
VDS | Tenants > Common Network Settings > Virtual Distributed Switches
IP address pool | Provision > Inventory > IP Address Pools
VNID pools (VLANs, VXLANs, and VLAN-VXLAN mappings) | Provision > Inventory > VNID Pools > VLANs; Provision > Inventory > VNID Pools > VXLANs; Provision > Inventory > VNID Pools > VLAN-VXLAN Mappings
Add access devices and border devices to a fabric | Provision > Network Design > Fabrics
L4-L7 device, physical resource pool, and template | Provision > Inventory > Devices > L4-L7 Device; Provision > Inventory > Devices > L4-L7 Physical Resource Pools
Border gateway | Tenants > Common Network Settings > Gateway
Domains and hosts | Provision > Network Design > Domains; Provision > Network Design > Domains > Hosts
Interoperability with OpenStack | Virtual Networking > OpenStack

NOTE:

·     Make sure the cloud platform name (case sensitive) is the same as the value of the cloud_region_name parameter in the ml2_conf.ini file of the Neutron plug-in.

·     Make sure the VNI range is the same as the VXLAN VNI range on the cloud platform.

 

 


Installing OpenStack plug-ins

The SeerEngine-DC Neutron plug-ins can be installed on different OpenStack versions. The installation package varies by OpenStack version. However, you can use the same procedure to install the Neutron plug-ins on different OpenStack versions. This document uses OpenStack Ocata as an example.

The SeerEngine-DC Neutron plug-ins are installed on the OpenStack control node.

Setting up the basic environment

Before installing SeerEngine-DC Neutron plug-ins on the OpenStack control node, set up the basic environment on the node.

To set up the basic environment:

1.     Update the software source list, and then download and install the Python tools.

The following uses commands on a CentOS operating system as an example.

[root@localhost ~]# yum clean all

[root@localhost ~]# yum makecache

[root@localhost ~]# yum install -y python-pip python-setuptools

2.     Install runlike.

[root@localhost ~]# pip install runlike

3.     Log in to the controller node and edit the /etc/hosts file. Add the following information to the file.

·     IP and name mappings of all hosts in this OpenStack environment. To obtain this information, access the SeerEngine-DC controller and select Provision > Domains > Hosts.

·     IP and name mappings of all leaf, spine, and border devices in this scenario. To obtain this information, access the SeerEngine-DC controller and select Provision > Inventory > Devices.

[root@localhost ~]# vim /etc/hosts

127.0.0.1 localhost

::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

99.0.83.75 controller

99.0.83.76 compute1

99.0.83.77 compute2

99.0.83.78 nfs-server

99.0.83.79 compute3

99.0.83.74 compute4

4.     Install websocket-client on the controller node. Make sure the version is 0.56.

[root@localhost ~]# yum install -y python-websocket-client

Installing the SeerEngine-DC Neutron plug-ins

Obtaining the SeerEngine-DC Neutron plug-in installation package

The SeerEngine-DC Neutron plug-ins are included in the SeerEngine-DC OpenStack package. Obtain the SeerEngine-DC OpenStack package of the required version and then save the package to the target installation directory on the server or virtual machine.

Alternatively, transfer the installation package to the target installation directory through a file transfer protocol such as FTP, TFTP, or SCP. Use the binary transfer mode to prevent the software package from being corrupted during transit.

Installing the SeerEngine-DC Neutron plug-ins on the OpenStack control node

1.     Generate the startup script for the neutron-server container.

[root@localhost ~]# runlike neutron_server>docker-neutron-server.sh

2.     Modify the neutron.conf configuration file.

a.     Use the vi editor to open the neutron.conf configuration file.

[root@localhost ~]# vi /etc/kolla/neutron-server/neutron.conf

b.     Press I to switch to the insert mode, and modify the configuration file. For information about the parameters, see "neutron.conf."

[DEFAULT]

core_plugin = ml2

service_plugins = h3c_l3_router,qos,h3c_vpc_connection,h3c_port_forwarding

[service_providers]

service_provider=VPC_CONNECTION:H3C:networking_h3c.vpc_connection.h3c_vpc_connection_driver.H3CVpcConnectionDriver:default

[qos]

notification_drivers = message_queue,qos_h3c

 

IMPORTANT:

For the Pike plug-ins, if deployment of firewall policies and rules takes a long time, you can change firewall in the value of the service_plugins parameter to fwaas_h3c.

 

For Ocata plug-ins:

[DEFAULT]

core_plugin = ml2

service_plugins = h3c_vcfplugin.l3_router.h3c_l3_router_plugin.H3CL3RouterPlugin,firewall,neutron_lbaas.services.loadbalancer.plugin.LoadBalancerPluginv2,vpnaas,qos

[service_providers]

service_provider=FIREWALL:H3C:h3c_vcfplugin.fw.h3c_fwplugin_driver.H3CFwaasDriver:default

service_provider=LOADBALANCERV2:H3C:h3c_vcfplugin.lb.h3c_lbplugin_driver_v2.H3CLbaasv2PluginDriver:default

service_provider=VPN:H3C:h3c_vcfplugin.vpn.h3c_vpnplugin_driver.H3CVpnPluginDriver:default

[qos]

notification_drivers = message_queue,qos_h3c

 

IMPORTANT:

The QoS feature will not operate correctly if you configure the database connection in configuration file neutron.conf as follows:

[database]

connection = mysql://…

This is an open source bug in OpenStack. To prevent this problem, configure the database connection as follows:

[database]

connection = mysql+pymysql://…

The three dots (…) in the command line represent the neutron database link information.

 

IMPORTANT:

·     In the neutron_server configuration directory (/etc/kolla/neutron-server/), you can configure the service_provider parameter for a service once only. If you have configured the service_provider parameter for the firewall service in the neutron.conf configuration file, do not configure the service_provider parameter in the fwaas_driver.ini file. This rule also applies to the LBaaS and VPNaaS services.

·     For h3c_agent to load the driver correctly, change the FWaaS driver value in the /etc/kolla/neutron-server/fwaas_driver.ini file to networking_h3c.fw.h3c_fwplugin_driver.H3CfwaasDriver.

 

3.     Modify the ml2_conf.ini configuration file.

a.     Use the vi editor to open the ml2_conf.ini configuration file.

[root@localhost ~]# vi /etc/kolla/neutron-server/ml2_conf.ini

b.     Press I to switch to the insert mode, and set the parameters in the ml2_conf.ini configuration file. For information about the parameters, see "ml2_conf.ini."

[ml2]

type_drivers = vxlan,vlan

tenant_network_types = vxlan,vlan

mechanism_drivers = ml2_h3c

extension_drivers = ml2_extension_h3c,qos

[ml2_type_vlan]

network_vlan_ranges = physicnet1:1000:2999

[ml2_type_vxlan]

vni_ranges = 1:500

c.     Press Esc to quit insert mode, and enter :wq to exit the vi editor and save the ml2_conf.ini file.

4.     Modify the neutron.conf configuration file and add plug-ins configuration items.

a.     Use the vi editor to open the neutron.conf configuration file.

[root@localhost ~]# vi /etc/kolla/neutron-server/neutron.conf

b.     Press I to switch to the insert mode. Retain the existing configuration and add configuration as follows:

[SDNCONTROLLER]

url = http://127.0.0.1:10080

username = admin

password = admin@123

domain = sdn

timeout = 1800

retry = 10

vif_type = ovs

vhostuser_mode = server

white_list = False

use_neutron_credential = False

output_json_log = False

vendor_rpc_topic = VENDOR_PLUGIN

hierarchical_port_binding_physicnets = ANY

hierarchical_port_binding_physicnets_prefix = physicnet

enable_dhcp_hierarchical_port_binding = False

enable_security_group = True

enable_https = False

neutron_plugin_ca_file =

neutron_plugin_cert_file =

neutron_plugin_key_file =

enable_iam_auth = False

enable_sdnc_rpc = False

sdnc_rpc_url = ws://127.0.0.1:1080

sdnc_rpc_ping_interval = 60

websocket_fragment_size = 102400

enable_l3_router_rpc_notify = False

qos_rx_limit_min = 0

cloud_region_name = default

c.     Press Esc to quit insert mode, and enter :wq to exit the vi editor and save the neutron.conf file.

5.     If you have set the white_list parameter to True, perform the following tasks:

·     Delete the username, password, and domain parameters in the ml2_conf_h3c.ini configuration file.

·     Add an authentication-free user to the controller.

-     Enter the IP address of the host where the Neutron server resides.

-     Specify the role as Admin.

6.     If you have set the use_neutron_credential parameter to True, perform the following steps:

a.     Modify the neutron.conf configuration file.

# Use the vi editor to open the neutron.conf configuration file.

# Press I to switch to insert mode, and add the following configuration. For information about the parameters, see "neutron.conf."

[keystone_authtoken]

admin_user = neutron

admin_password = 123456

# Press Esc to quit insert mode, and enter :wq to exit the vi editor and save the neutron.conf file.

b.     Add an admin user to the controller.

# Configure the username as neutron.

# Specify the role as Admin.

# Enter the password of the neutron user in OpenStack.

7.     Copy the plug-ins installation package to the neutron_server container.

[root@localhost ~]# docker cp SeerEngine_DC_PLUGIN-D3601_ocata_2017.1-py2.7.egg neutron_server:/

8.     Access the neutron_server container and install the plug-ins installation package.

[root@localhost ~]# docker exec -it -u root neutron_server bash

[root@localhost ~]# easy_install SeerEngine_DC_PLUGIN-E3608-py2.7.egg

[root@localhost ~]# h3c-vcfplugin controller install

 

 

NOTE:

An error might be reported when the h3c-vcfplugin controller install command is executed. Just ignore it.

 

9.     Create neutron-server container images.

[root@localhost ~]# neutron_server_image=$(docker ps --format '{{.Image}}' --filter name=neutron_server)

[root@localhost ~]# docker commit neutron_server kolla/neutron-server-h3c

[root@localhost ~]# docker rm -f neutron_server

[root@localhost ~]# docker tag $neutron_server_image kolla/neutron-server-origin

[root@localhost ~]# docker rmi $neutron_server_image

[root@localhost ~]# docker tag kolla/neutron-server-h3c $neutron_server_image

[root@localhost ~]# docker rmi kolla/neutron-server-h3c

10.     Copy the neutron-server configuration to the h3c-agent directory and modify the configuration.

[root@localhost ~]# cp -pR /etc/kolla/neutron-server /etc/kolla/h3c-agent

[root@localhost ~]# sed -i 's/neutron-server/h3c-agent/g' /etc/kolla/h3c-agent/config.json

11.     Start the neutron-server container.

[root@localhost ~]# source docker-neutron-server.sh

12.     View the startup status of the containers. If their status is Up, they have been started up correctly.

[root@localhost ~]# docker ps --filter "name=neutron_server"

CONTAINER ID        IMAGE                                      COMMAND                  CREATED             STATUS              PORTS               NAMES

289e4e132a9b        kolla/centos-source-neutron-server:ocata   "dumb-init --single-?   1 minutes ago        Up 1 minutes                              neutron_server

Parameters and fields

This section describes parameters in configuration files and fields included in parameters.

neutron.conf

Parameter | Required value | Description
core_plugin | ml2 | Loads the core plug-in ml2 into OpenStack.
service_plugins | h3c_vcfplugin.l3_router.h3c_l3_router_plugin.H3CL3RouterPlugin,firewall,lbaas,vpnaas | Loads the extension plug-ins into OpenStack. For the Kilo, Mitaka, Pike, and Queens plug-ins, if deployment of firewall policies and rules takes a long time, you can change firewall in the value to fwaas_h3c.
service_provider | FIREWALL:H3C:h3c_vcfplugin.fw.h3c_fwplugin_driver.H3CFwaasDriver:default; LOADBALANCER:H3C:h3c_vcfplugin.lb.h3c_lbplugin_driver.H3CLbaasPluginDriver:default; VPN:H3C:h3c_vcfplugin.vpn.h3c_vpnplugin_driver.H3CVpnPluginDriver:default | Driver path of each extension plug-in.
notification_drivers | message_queue,qos_h3c | Name of the QoS notification driver.
admin_user | N/A | Admin username for Keystone authentication in OpenStack, for example, neutron.
admin_password | N/A | Admin password for Keystone authentication in OpenStack, for example, 123456.

 

ml2_conf.ini

Parameter | Required value | Description
type_drivers | vxlan,vlan | Driver types. vxlan must be specified as the first driver type.
tenant_network_types | vxlan,vlan | Types of the networks to which the tenants belong. vxlan must be specified as the first type. For the intranet, only vxlan is available; for the extranet, only vlan is available.
mechanism_drivers | ml2_h3c | Name of the ml2 driver. To create SR-IOV instances for VLAN networks, set this parameter to sriovnicswitch, ml2_h3c. To create hierarchy-supported instances, set this parameter to ml2_h3c,openvswitch.
extension_drivers | ml2_extension_h3c,qos | Names of the ml2 extension drivers. Available names are ml2_extension_h3c, qos, and port_security. If the QoS feature is not enabled on OpenStack, you do not need to specify the value qos. If port security is not enabled on OpenStack, you do not need to specify the value port_security (the Ocata 2017.1 plug-ins do not support the port_security value). Kilo 2015.1 plug-ins do not support the QoS driver.
network_vlan_ranges | N/A | Value range for the VLAN IDs of the extranet, for example, physicnet1:1000:2999.
vni_ranges | N/A | Value range for the VXLAN IDs of the intranet, for example, 1:500.

 

ml2_conf_h3c.ini

Parameter

Description

url

URL address for logging in to SNA Center, for example, http://127.0.0.1:10080.

username

Username for logging in to SNA Center, for example, admin. You do not need to configure a username when the use_neutron_credential parameter is set to True.

password

Password for logging in to SNA Center, for example, admin@123. You do not need to configure a password when the use_neutron_credential parameter is set to True.

domain

Name of the domain where the controller resides, for example, sdn.

timeout

The amount of time that the Neutron server waits for a response from the controller in seconds, for example, 1800 seconds.

As a best practice, set the waiting time greater than or equal to 1800 seconds.

retry

Maximum times for sending connection requests from the Neutron server to the controller, for example, 10.

vif_type

Default vNIC type:

·     ovs

·     vhostuser (applied to the OVS DPDK solution)

You can set the vhostuser_mode parameter when the value of this parameter is vhostuser.

Only the Pike plug-in supports this parameter.

vhostuser_mode

Default DPDK vHost-user mode:

·     server

·     client

The default value is server.

This setting takes effect only when the value of the vif_type parameter is vhostuser.

white_list

Whether to enable or disable the authentication-free user feature on OpenStack.

·     True—Enable.

·     False—Disable.

use_neutron_credential

Whether to use the OpenStack Neutron username and password to communicate with the controller.

·     True—Use.

·     False—Do not use.

output_json_log

Whether to output REST API messages to the OpenStack operating logs in JSON format for communication between the SeerEngine-DC Neutron plug-ins and the controller.

·     True—Enable.

·     False—Disable.

vendor_rpc_topic

RPC topic of the vendor. This parameter is required when the vendor needs to obtain Neutron data from the SeerEngine-DC Neutron plug-ins. The available values are as follows:

·     VENDOR_PLUGIN—Default value, which means that the parameter does not take effect.

·     DP_PLUGIN—RPC topic of DPtech.

The value of this parameter must be negotiated by the vendor and H3C.

hierarchical_port_binding_physicnets

Policy for OpenStack to select a physical VLAN when performing hierarchical port binding. The default value is ANY.

·     ANY—A VLAN is selected from all physical VLANs for VLAN ID assignment.

·     PREFIX—A VLAN is selected from all physical VLANs matching the specified prefix for VLAN ID assignment.

hierarchical_port_binding_physicnets_prefix

Prefix for matching physical VLANs. The default value is physicnet. This parameter is available only when you set the value of the hierarchical_port_binding_physicnets parameter to PREFIX.

enable_dhcp_hierarchical_port_binding

Whether to enable DHCP hierarchical port binding. The default value is False.

·     True—Enable.

·     False—Disable.

Only the Pike plug-in supports this parameter.

enable_security_group

Whether to deploy OpenStack security group rules to the SeerEngine-DC controller. The default value is False.

enable_https

Whether to enable HTTPS bidirectional authentication. The default value is False.

·     True—Enable.

·     False—Disable.

Only the Pike plug-in supports this parameter.

neutron_plugin_ca_file

Save location for the CA certificate of the controller. As a best practice, save the CA certificate in the /usr/share/neutron directory.

Only the Pike plug-in supports this parameter.

neutron_plugin_cert_file

Save location for the Cert certificate of the controller. As a best practice, save the Cert certificate in the /usr/share/neutron directory.

Only the Pike plug-in supports this parameter.

neutron_plugin_key_file

Save location for the private key file of the controller certificate. As a best practice, save the key file in the /usr/share/neutron directory.

Only the Pike plug-in supports this parameter.

enable_iam_auth

Whether to enable IAM interface authentication.

·     True—Enable.

·     False—Disable.

When connecting to SNA Center, you can set the value to True to use the IAM interface for authentication.

The default value is False.

Only the Mitaka and Newton plug-ins support this parameter.

enable_sdnc_rpc

Whether to enable RPC connection between the plug-ins and the controller in the DHCP fail-safe scenario.

The default value is False.

sdnc_rpc_url

RPC interface URL of the controller. Only a WebSocket type interface is supported.

The default value is ws://127.0.0.1:1080.

sdnc_rpc_ping_interval

Interval at which an RPC ICMP echo request message is sent to the controller, in seconds.

The default value is 60 seconds.

websocket_fragment_size

Size of a WebSocket fragment sent from the plug-in to the controller in the DHCP fail-safe scenario, in bytes.

The value is an integer equal to or larger than 1024. The default value is 1024. If the value is 1024, the message is not fragmented.

enable_l3_router_rpc_notify

Whether to enable or disable the feature of sending Layer 3 routing events through RPC.

·     True—Enable.

·     False—Disable.

qos_rx_limit_min

Minimum inbound bandwidth, in kbps. If the QoS minimum inbound bandwidth configured on OpenStack is smaller than this parameter value, this parameter value takes effect.

Only the Kilo 2015.1 plug-in supports this parameter.

cloud_region_name

Name of the cloud platform. String type. The default value is default. Make sure the value of this parameter is the same as the cloud platform name configured on the Virtual Networking > OpenStack page on SeerEngine-DC.

 

Upgrading the SeerEngine-DC Neutron plug-ins

CAUTION:

·     Services might be interrupted during the SeerEngine-DC Neutron plug-ins upgrade procedure. Make sure you understand the impact of the upgrade before performing it on a live network.

·     The plug-ins settings will not be restored automatically after an upgrade in the Kolla environment. Before an upgrade, back up the settings in the /etc/kolla/neutron-server/neutron.conf and /etc/kolla/neutron-server/ml2_conf.ini configuration files. After the upgrade, modify the parameter settings according to the configuration files to ensure configuration consistency before and after the upgrade.

 

To upgrade the SeerEngine-DC Neutron plug-ins, just install the new version of the plug-ins. For information about installing the SeerEngine-DC Neutron plug-ins, see "Installing the SeerEngine-DC Neutron plug-ins."

Installing the SeerEngine-DC Neutron security plug-in on OpenStack

The SeerEngine-DC Neutron security plug-in can be installed on multiple versions of OpenStack. This section uses OpenStack Pike as an example to describe the security plug-in installation.

The SeerEngine-DC Neutron security plug-in is installed on the OpenStack controller node. Before installation, set up the base environment on the node.

Installing the security plug-in on the controller node

Obtaining the installation package

Obtain and copy the security plug-in installation package of the required version to the target installation directory on the server or virtual machine.

Alternatively, transfer the installation package to the target installation directory through a file transfer protocol such as FTP, TFTP, or SCP.

 

IMPORTANT:

To avoid damaging the installation packages, select binary mode if you are to transfer the package through FTP or TFTP.

 

Installing the security plug-in on the OpenStack controller node

1.     Generate startup scripts for the neutron-server and h3c-sec-agent containers.

[root@localhost ~]# runlike neutron_server > docker-neutron-server.sh

[root@localhost ~]# cp docker-neutron-server.sh docker-h3c-sec-agent.sh

[root@localhost ~]# sed -i 's/neutron-server/h3c-sec-agent/g' docker-h3c-sec-agent.sh

[root@localhost ~]# sed -i 's/neutron_server/h3c_sec_agent/g' docker-h3c-sec-agent.sh

2.     Edit the neutron.conf configuration file.

a.     Use the vi editor to open the neutron.conf configuration file.

[root@localhost ~]# sudo vi /etc/kolla/neutron-server/neutron.conf

b.     Press I to switch to the insert mode, and then edit the configuration file. For more information about the parameters, see "Parameters and fields."

For the Pike and Rocky plug-ins, edit the neutron.conf configuration file as follows:

[DEFAULT]

service_plugins = firewall,lbaasv2,vpnaas

 

[service_providers]

service_provider=FIREWALL:H3C:networking_sec_h3c.fw.h3c_fwplugin_driver.H3CFwaasDriver:default

service_provider=LOADBALANCERV2:H3C:networking_sec_h3c.lb.h3c_lbplugin_driver_v2.H3CLbaasv2PluginDriver:default

service_provider=VPN:H3C:networking_sec_h3c.vpn.h3c_vpnplugin_driver.H3CVpnPluginDriver:default

 

IMPORTANT:

For the Pike plug-ins, when the load balancer supports multiple resource pools of the Context type, you must preprovision a resource pool named dmz or core on the controller, and then change the value of the service provider parameter to LOADBALANCERV2:DMZ:networking_sec_h3c.lb.h3c_lbplugin_driver_v2.H3CLbaasv2PluginDMZDriver:default or LOADBALANCERV2:CORE:networking_sec_h3c.lb.h3c_lbplugin_driver_v2.H3CLbaasv2PluginDMZDriver:default accordingly.

 

For the Ocata plug-ins, edit the neutron.conf configuration file as follows:

[DEFAULT]

service_plugins = firewall,neutron_lbaas.services.loadbalancer.plugin.LoadBalancerPluginv2,vpnaas

 

[service_providers]

service_provider=FIREWALL:H3C:networking_sec_h3c.fw.h3c_fwplugin_driver.H3CFwaasDriver:default

service_provider=LOADBALANCERV2:H3C:networking_sec_h3c.lb.h3c_lbplugin_driver_v2.H3CLbaasPluginDriver:default

service_provider=VPN:H3C:networking_sec_h3c.vpn.h3c_vpnplugin_ko_driver.H3CVpnPluginDriver:default

 

IMPORTANT:

The service_provider parameter value for the VPN services is different between the Pike and Rocky plug-ins and the Ocata plug-ins. Be clear about the differences.

 

c.     Press Esc to quit the insert mode, and enter :wq to exit the vi editor and save the neutron.conf file.

3.     Edit the ml2_conf.ini configuration file.

a.     Use the vi editor to open the ml2_conf.ini configuration file.

[root@localhost ~]# vi /etc/kolla/neutron-server/ml2_conf.ini

b.     Press I to switch to the insert mode and configure the parameters in the configuration file as follows. For more information about the parameters, see "Parameters and fields."

[ml2]

type_drivers = vxlan,vlan

tenant_network_types = vxlan,vlan

mechanism_drivers = ml2_h3c

extension_drivers = ml2_extension_h3c,qos,port_security

[ml2_type_vlan]

network_vlan_ranges = physicnet1:1000:2999

[ml2_type_vxlan]

vni_ranges = 1:500

c.     Press Esc to quit insert mode, and enter :wq to exit the vi editor and save the file.

4.     Edit the neutron.conf configuration file.

a.     Use the vi editor to open the neutron.conf configuration file.

[root@localhost ~]# vi /etc/kolla/neutron-server/neutron.conf

b.     Press I to switch to the insert mode, and then edit the configuration file. For more information about the parameters, see "Parameters and fields."

[SEC_SDNCONTROLLER]

url = https://127.0.0.1:10443

username = sdn

password = skyline

domain = sdn

timeout = 1800

retry = 10

white_list = False

firewall_type = CGSR

fw_share_by_tenant = False

lb_type = CGSR

resource_mode = CORE_GATEWAY

resource_share_count = 1

auto_create_resource = True

nfv_ha = True

use_neutron_credential = False

firewall_force_audit = False

sec_output_json_log = False

lb_enable_snat = False

vendor_rpc_topic = VENDOR_PLUGIN

enable_https = False

neutron_plugin_ca_file =

neutron_plugin_cert_file =

neutron_plugin_key_file =

cgsr_fw_context_limit = 0

force_vip_port_device_owner_none = False

enable_iam_auth = False

enable_firewall_metadata = False

lb_member_slow_shutdown = False

enable_multi_gateways = False

enable_multi_segments = False

tenant_gateway_name = None

tenant_gw_selection_strategy = match_first

enable_router_nat_without_firewall = False

directly_external = OFF

directly_external_suffix = DMZ

sec_agent_enable = True

lb_resource_mode = SP

enable_lb_xff = False

5.     If you have set the white_list parameter to True, perform the following tasks:

·     Delete the username, password, and domain parameters for SEC_SDNCONTROLLER in the ml2_sec_conf_h3c.ini configuration file.

·     Add an authentication-free user to the controller.

-     Enter the IP address of the host where the Neutron server resides.

-     Specify the role as Admin.

6.     If you have set the use_neutron_credential parameter to True, perform the following steps:

a.     Modify the neutron.conf configuration file.

# Use the vi editor to open the neutron.conf configuration file.

# Press I to switch to insert mode, and add the following configuration. For information about the parameters, see "neutron.conf."

[keystone_authtoken]

admin_user = neutron

admin_password = 123456

# Press Esc to quit insert mode, and enter :wq to exit the vi editor and save the neutron.conf file.

b.     Add an admin user to the controller.

# Configure the username as neutron.

# Specify the role as Admin.

# Enter the password of the neutron user in OpenStack.

7.     Copy the installation package to the neutron_server container.

[root@localhost ~]# docker cp SeerEngine_DC_SEC_PLUGIN-E3603P01-py2.7.egg neutron_server:/

8.     Install the package.

[root@localhost ~]# docker exec -it -u root neutron_server bash

[root@localhost ~]# easy_install SeerEngine_DC_SEC_PLUGIN-E3603P01-py2.7.egg

[root@localhost ~]# h3c-sdnplugin controller install

 

IMPORTANT:

The system might display an error message when you execute the h3c-sdnplugin controller install command. You can ignore this message.

 

9.     Generate the images for the neutron-server and h3c-sec-agent containers.

[root@localhost ~]# neutron_server_image=$(docker ps --format '{{.Image}}' --filter name=neutron_server)

[root@localhost ~]# h3c_sec_agent_image=$(echo $neutron_server_image | sed 's/neutron-server/h3c-sec-agent/')

[root@localhost ~]# docker commit neutron_server kolla/neutron-server-h3c

[root@localhost ~]# docker rm -f neutron_server

[root@localhost ~]# docker tag $neutron_server_image kolla/neutron-server-origin

[root@localhost ~]# docker rmi $neutron_server_image

[root@localhost ~]# docker tag kolla/neutron-server-h3c $neutron_server_image

[root@localhost ~]# docker tag kolla/neutron-server-h3c $h3c_sec_agent_image

[root@localhost ~]# docker rmi kolla/neutron-server-h3c

10.     Copy the configuration of neutron-server to the h3c-sec-agent directory, and edit the configuration.

[root@localhost ~]# cp -pR /etc/kolla/neutron-server /etc/kolla/h3c-sec-agent

[root@localhost ~]# sed -i 's/neutron-server/h3c-sec-agent/g' /etc/kolla/h3c-sec-agent/config.json

11.     Start the neutron-server and h3c-sec-agent services.

[root@localhost ~]# source docker-neutron-server.sh

[root@localhost ~]# source docker-h3c-sec-agent.sh

12.     Verify the status of the services.

[root@localhost ~]# docker ps --filter "name=neutron_server"

CONTAINER ID    IMAGE       COMMAND           CREATED   STATUS   PORTS  NAMES

289e4e132a9b  kolla/centos-source-neutron-server:ocata   "dumb-init --single-…

1 minutes ago  Up 1 minutes    neutron_server

[root@localhost ~]# docker ps --filter "name=h3c_sec_agent"

CONTAINER ID    IMAGE       COMMAND           CREATED   STATUS   PORTS  NAMES

c334f7ec9857  kolla/centos-source-h3c-sec-agent:ocata   "dumb-init --single-…

1 minutes ago  Up 1 minutes    h3c_sec_agent

Parameters and fields

This section describes parameters in configuration files and fields included in parameters.

neutron.conf

 

Parameter

Description

service_plugins

Extension plug-ins loaded to OpenStack.

The security plug-in supports the following firewall services, and you can change the values as follows:

·     For the open-source firewall plug-in agent mode, change firewall in the value to firewall.

·     If deployment of firewall policies and rules takes a long time, change firewall in the value to fwaas_h3c.

·     For the open-source firewall plug-in not in agent mode, change firewall in the value to firewall_h3c.

In the /etc/kolla/neutron-server/ directory of neutron_server, you can configure the service_provider only once for the same service. Do not configure the service_provider parameter in fwaas_driver.ini after you configure it in neutron.conf. This rule applies also to Lbaas and Vpnaas.

To ensure that h3c-sec-agent can load the driver successfully, change the value of the driver field in the [fwaas] section of the /etc/kolla/neutron-server/fwaas_driver.ini file to networking_sec_h3c.fw.h3c_fwplugin_driver.H3CFwaasDriver.

service_provider

Directory where the extension plug-ins are saved.

admin_user

Admin username for Keystone authentication in OpenStack, for example, neutron.

admin_password

Admin password for Keystone authentication in OpenStack, for example, 123456.

 

ml2_conf.ini

 

Parameter

Description

type_drivers

Driver type.

vxlan must be specified as the first driver type.

tenant_network_types

Type of the networks to which the tenants belong.

vxlan must be specified as the first driver type.

For intranet, only vxlan is available.

For extranet, only vlan is available.

mechanism_drivers

Name of the ml2 driver.

To create SR-IOV instances for VLAN networks, set this parameter to sriovnicswitch, ml2_h3c.

To create hierarchy-supported instances, set this parameter to ml2_h3c,openvswitch.

extension_drivers

Names of the ml2 extension drivers. Available names include ml2_extension_h3c, qos, and port_security. If the QoS feature is not enabled on OpenStack, you do not need to specify the value qos for this parameter. If port security is not enabled on OpenStack, you do not need to specify the value port_security for this parameter. (The Kilo 2015.1, Liberty 2015.2, and Ocata 2017.1 plug-ins do not support the port_security value.)

Kilo 2015.1 plug-ins do not support the QoS driver.

network_vlan_ranges

Value range for the VLAN ID of the extranet, for example, physicnet1:1000:2999.

vni_ranges

Value range for the VXLAN ID of the intranet, for example, 1:500.

 

neutron_conf

 

Parameter

Description

url

URL address for accessing SNA Center or Unified Platform.

username

Username for logging in to SNA Center or Unified Platform, for example, sdn. You do not need to configure a username when the use_neutron_credential parameter is set to True.

password

Password for logging in to SNA Center or Unified Platform, for example, skyline. You do not need to configure a password when the use_neutron_credential parameter is set to True.

domain

Name of the domain where the SeerEngine-DC controller resides, for example, sdn.

timeout

The amount of time that the Neutron server waits for a response from the SeerEngine-DC controller in seconds, for example, 1800 seconds.

As a best practice, set the waiting time greater than or equal to 1800 seconds.

retry

Number of connection request attempts, for example, 10.

white_list

Whether to enable or disable the authentication-free user feature on OpenStack.

·     True—Enable.

·     False—Disable.

firewall_type

Type of the firewalls created on the controller:

·     CGSR—Context-based gateway service type firewall, each using an independent context. This firewall type is available only when the value of the resource_mode parameter is CORE_GATEWAY.

·     CGSR_SHARE—Context-based gateway service type firewall, all using the same context even if they belong to different tenants. This firewall type is available only when the value of the resource_mode parameter is CORE_GATEWAY.

·     CGSR_SHARE_BY_COUNT—Context-based gateway service type firewall, all using the same context when the number of contexts reaches the threshold set by the cgsr_fw_context_limit parameter. This firewall type is available only when the value of the resource_mode parameter is CORE_GATEWAY. Only the Pike plug-ins support this firewall type.

·     NFV_CGSR—VNF-based gateway service type firewall, each using an independent VNF. This firewall type is available only when the value of the resource_mode parameter is CORE_GATEWAY.

fw_share_by_tenant

Whether to enable exclusive use of a gateway service type firewall context by a single tenant and allow the context to be shared by service resources of the tenant when the firewall type is CGSR_SHARE.

lb_type

Type of the load balancers created on the controller.

·     CGSR—Gateway service type load balancer on a context. This type of load balancer is available only when the value of the resource_mode parameter is set to CORE_GATEWAY. When the value of the lb_resource_mode parameter is SP, CGSR type load balancers that belong to one tenant use the same context. CGSR type load balancers that belong to different tenants use different contexts. When the value of the lb_resource_mode parameter is MP, CGSR type load balancers that belong to one tenant and are bound to the same gateway use the same context. CGSR type load balancers that belong to different tenants use different contexts.

·     CGSR_SHARE—Gateway service type load balancer on a context. This type of load balancer is available only when the value of the resource_mode parameter is set to CORE_GATEWAY. When the value of the lb_resource_mode parameter is SP, all CGSR_SHARE type load balancers use the same context even if they belong to different tenants. When the value of the lb_resource_mode parameter is MP, CGSR_SHARE type load balancers that belong to different tenants and are bound to the same gateway use the same context.

·     NFV_CGSR—Gateway service type load balancer on a VNF. This type of load balancer is available only when the value of the resource_mode parameter is set to CORE_GATEWAY. When the value of the lb_resource_mode parameter is SP, NFV_CGSR type load balancers that belong to one tenant use the same VNF. NFV_CGSR type load balancers that belong to different tenants use different VNFs. When the value of the lb_resource_mode parameter is MP, NFV_CGSR type load balancers that belong to one tenant and are bound to the same gateway use the same VNF. NFV_CGSR type load balancers that belong to different tenants use different VNFs.

resource_mode

Type of the resource created on the controller. The available values are as follows:

·     CORE_GATEWAY—Gateway service resource.

·     NFV—VNF resource. This parameter has been obsoleted.

resource_share_count

Maximum times that the resource node can be shared by resources.

The value is in the range of 1 to 65535. The default value is 1, indicating that the resources cannot be shared.

auto_create_resource

Whether to enable or disable the automatic resources creation feature.

·     True—Enable.

·     False—Disable.

nfv_ha

Whether the NFV and NFV_SHARE resources support stack.

·     True—Support.

·     False—Do not support.

use_neutron_credential

Whether to use the OpenStack Neutron username and password to communicate with the SeerEngine-DC controller.

·     True—Use.

·     False—Do not use.

firewall_force_audit

Whether to audit firewall policies synchronized to the controller by OpenStack. The default value is True for the Kilo 2015.1 plug-ins and False for plug-ins of other versions.

·     True—Audits firewall policies synchronized to the controller by OpenStack. The auditing state of the synchronized policies on the controller is True (audited).

·     False—Does not audit firewall policies synchronized to the controller by OpenStack. The synchronized policies on the controller retain their previous auditing state.

sec_output_json_log

Whether to output REST API messages between the SeerEngine-DC Neutron security plugins and SeerEngine-DC controller to the OpenStack operating logs in JSON format.

·     True—Enable.

·     False—Disable.

lb_enable_snat

Whether to enable or disable Source Network Address Translation (SNAT) for load balancers on the SeerEngine-DC controller.

·     True—Enable.

·     False—Disable.

vendor_rpc_topic

RPC topic of the vendor. This parameter is required when the vendor needs to obtain Neutron data from the SeerEngine-DC Neutron plug-ins. The available values are as follows:

·     VENDOR_PLUGIN—Default value, which means that the parameter does not take effect.

·     DP_PLUGIN—RPC topic of DPtech.

The value of this parameter must be negotiated by the vendor and H3C.

enable_https

Whether to enable HTTPS bidirectional authentication. The default value is False.

·     True—Enable.

·     False—Disable.

Only the Pike plug-ins support this parameter.

neutron_plugin_ca_file

Save location for the CA certificate of the controller. As a best practice, save the CA certificate in the /usr/share/neutron directory.

Only the Pike plug-ins support this parameter.

neutron_plugin_cert_file

Save location for the Cert certificate of the controller. As a best practice, save the Cert certificate in the /usr/share/neutron directory.

Only the Pike plug-ins support this parameter.

neutron_plugin_key_file

Save location for the key file of the controller. As a best practice, save the key file in the /usr/share/neutron directory.

Only the Pike plug-ins support this parameter.

cgsr_fw_context_limit

Context threshold for context-based gateway service type firewalls. The value is an integer. When the threshold is reached, all the context-based gateway service type firewalls use the same context.

This parameter takes effect only when the value of the firewall_type parameter is CGSR_SHARE_BY_COUNT.

Only the Pike plug-ins support this parameter.

force_vip_port_device_owner_none

Whether to support the LB vport device_owner field.

·     False—Support the LB vport device_owner field. This setting is applicable to an LB tight coupling solution.

·     True—Do not support the LB vport device_owner field. This setting is applicable to an LB loose coupling solution.

The default value is False.

enable_iam_auth

Whether to enable IAM interface authentication.

·     True—Enable.

·     False—Disable.

When connecting to SNA Center, you can set the value to True to use the IAM interface for authentication.

The default value is False.

Only the Mitaka and Newton plug-ins support this parameter.

enable_firewall_metadata

Whether to allow the CloudOS platform to issue firewall-related fields such as the resource pool name to the controller.

This parameter is used only for communication with the CloudOS platform.

Only the Pike plug-ins support this parameter.

lb_member_slow_shutdown

Whether to enable slow shutdown when creating an LB real server.

·     True—Enable.

·     False—Disable.

The default value is False.

enable_multi_gateways

Whether to enable the multi-gateway mode for the tenant.

·     True—Enable the multi-gateway mode for the tenant. In an OpenStack environment without the Segments configuration, this setting enables different vRouters to access the external network over different gateways.

·     False—Not enable the multi-gateway mode for the tenant.

The default value is False.

Only the Pike, Queens, and Rocky plug-ins support this parameter.

enable_multi_segments

Whether to enable multiple outbound interfaces, allowing the vRouter to access the external network from multiple outbound interfaces. The default value is False.

To enable multiple outbound interfaces, configure the following settings:

·     Set the value of this parameter to True.

·     Set the value of the network_force_flat parameter to False.

·     Access the /etc/neutron/plugins/ml2/ml2_conf.ini file on the controller node and specify the controller's gateway name for the network_vlan_ranges parameter.

Only the Pike plug-ins support this parameter.

tenant_gateway_name

Name of the gateway to which the tenant is bound. The default value is None.

When the value of the tenant_gw_selection_strategy parameter is match_gateway_name, you must specify the name of an existing gateway on the controller side.

Only the Pike, Queens, and Rocky plug-ins support this parameter.

tenant_gw_selection_strategy

Gateway selection strategy for the tenant.

·     match_first—Select the first gateway.

·     match_gateway_name—Take effect together with the tenant_gateway_name parameter.

Only the Pike, Queens, and Rocky plug-ins support this parameter.

enable_router_nat_without_firewall

Whether to enable NAT when no firewall is configured for the tenant.

·     True—Enable NAT when no firewall is configured. This setting automatically creates default firewall resources to implement NAT if the vRouter has been bound to an external network.

·     False—Not enable NAT when no firewall is configured.

The default value is False.

Only the Pike plug-ins support this parameter.

directly_external

Whether traffic to the external network is directly forwarded by the gateway. The default value is OFF.

The available values are as follows:

·     ANY—Traffic to the external network is directly forwarded by the gateway to the external network.

·     OFF—Traffic to the external network is forwarded by the gateway to the firewall and then to the external network.

·     SUFFIX—Traffic that matches the vRouter name suffix is forwarded by the gateway to the firewall and then to the external network.

directly_external_suffix

vRouter name suffix (DMZ for example). This parameter is available only when you set the value of the directly_external parameter to SUFFIX.

When you change the vRouter name, make sure you understand the impact on this parameter.

Only the Pike, Queens, and Rocky plug-ins support this parameter.

sec_agent_enable

Whether to enable the h3c-sec-agent process. The default value is True.

This parameter is used and takes effect only for security plug-in upgrade.

Value change of this parameter does not take effect immediately. After you set the value to True, you must install the security plug-in and execute the h3c-secplugin controller install command to enable the process.

lb_resource_mode

Resource pool mode of LB service resources.

·     SP—All gateways share the same LB resource pool.

·     MP—Each gateway uses an LB resource pool.

The default value is SP.

enable_lb_xff

Whether to enable XFF transparent transmission for LB listeners.

·     True—Enable.

·     False—Disable.

When the value is True and the listener protocol is HTTP or TERMINATED_HTTPS, a newly created listener is enabled with XFF transparent transmission by default, and the client's IP address is transparently transmitted to the server in the X-Forwarded-For field of the HTTP header.

Only the Pike plug-ins support this parameter.

 
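The parameter tables above carry a number of cross-parameter constraints (vxlan must be listed first, the CGSR firewall types need resource_mode = CORE_GATEWAY, enable_https needs all three certificate files, directly_external = SUFFIX needs a suffix, and so on). The following linter, added here as an example and not part of the H3C guide, checks a neutron_conf controller section and an ml2_conf.ini fragment against those rules; the [SDNCONTROLLER] section name and all sample values are assumptions.

```python
# Added example (not from the H3C guide): a linter for the constraints the
# parameter tables above describe. The [SDNCONTROLLER] section name and all
# sample values are assumptions constructed for this illustration.
import configparser

# Constructed neutron_conf fragment with several deliberate mistakes.
SAMPLE_NEUTRON_CONF = """
[SDNCONTROLLER]
username = sdn
password = skyline
timeout = 600
resource_mode = NFV
firewall_type = CGSR_SHARE_BY_COUNT
enable_https = False
directly_external = SUFFIX
tenant_gw_selection_strategy = match_gateway_name
resource_share_count = 70000
"""

# Constructed ml2_conf.ini fragment: vlan is wrongly listed before vxlan.
SAMPLE_ML2_CONF = """
[ml2]
type_drivers = vlan,vxlan
tenant_network_types = vxlan,vlan
"""

CGSR_TYPES = {"CGSR", "CGSR_SHARE", "CGSR_SHARE_BY_COUNT", "NFV_CGSR"}
HTTPS_FILES = ("neutron_plugin_ca_file", "neutron_plugin_cert_file", "neutron_plugin_key_file")

def _section(text, name):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp[name]

def lint_neutron_conf(text, section="SDNCONTROLLER"):
    """Return a list of findings for the controller section of neutron_conf."""
    sec = _section(text, section)
    get = lambda k, d="": sec.get(k, d).strip()
    on = lambda k: get(k).lower() == "true"
    fw, mode = get("firewall_type"), get("resource_mode")
    f = []
    if int(get("timeout", "1800")) < 1800:
        f.append("timeout: below the recommended minimum of 1800 seconds")
    if not 1 <= int(get("resource_share_count", "1")) <= 65535:
        f.append("resource_share_count: must be in the range 1 to 65535")
    if fw in CGSR_TYPES and mode != "CORE_GATEWAY":
        f.append("firewall_type: %s requires resource_mode = CORE_GATEWAY" % fw)
    if fw == "CGSR_SHARE_BY_COUNT" and not get("cgsr_fw_context_limit").isdigit():
        f.append("cgsr_fw_context_limit: integer threshold required for CGSR_SHARE_BY_COUNT")
    if on("enable_https"):  # bidirectional HTTPS needs all three files
        f += ["%s: required when enable_https = True" % k for k in HTTPS_FILES if not get(k)]
    elif get("password"):
        f.append("enable_https: False, so the controller login is not protected by HTTPS bidirectional authentication")
    if not on("use_neutron_credential") and not on("white_list"):
        f += ["%s: required unless use_neutron_credential or white_list is True" % k
              for k in ("username", "password") if not get(k)]
    if get("directly_external") == "SUFFIX" and not get("directly_external_suffix"):
        f.append("directly_external_suffix: required when directly_external = SUFFIX")
    if get("tenant_gw_selection_strategy") == "match_gateway_name" and get("tenant_gateway_name") in ("", "None"):
        f.append("tenant_gateway_name: required when tenant_gw_selection_strategy = match_gateway_name")
    return f

def lint_ml2_conf(text):
    """vxlan must be the first entry of type_drivers and tenant_network_types."""
    ml2 = _section(text, "ml2")
    first = lambda k: ml2.get(k, "").split(",")[0].strip()
    return ["%s: vxlan must be listed first (found %r)" % (k, first(k))
            for k in ("type_drivers", "tenant_network_types") if first(k) != "vxlan"]
```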

Upgrading the SeerEngine-DC Neutron security plug-in

To upgrade the SeerEngine-DC Neutron security plug-in, first remove the old version and then install the new version. For more information, see "Installing the security plug-in on the controller node."

 

CAUTION:

Service might be interrupted during the upgrade. Before performing an upgrade, be sure you fully understand its impact on services.

 

IMPORTANT:

The default parameter settings vary depending on the version of SeerEngine-DC Neutron security plug-in. Modify the default parameter settings for SeerEngine-DC Neutron security plug-in to ensure that the plug-ins have the same parameter settings before and after the upgrade.

 


(Optional.) Configuring the metadata service for network nodes

OpenStack supports obtaining metadata from network nodes for VMs through DHCP or L3 gateway. H3C supports only the DHCP method. To configure the metadata service for network nodes:

1.     Download the OpenStack installation guide from the OpenStack official website and follow the installation guide to configure the metadata service for the network nodes.

2.     Configure the network nodes to provide metadata service through DHCP.

a.     Use the vi editor to open configuration file dhcp_agent.ini.

[root@network ~]# vi /etc/kolla/neutron-dhcp-agent/dhcp_agent.ini

b.     Press I to switch to the insert mode, and modify configuration file dhcp_agent.ini as follows:

[DEFAULT]

force_metadata = True

Set the value to True for the force_metadata parameter to force the network nodes to provide metadata service through DHCP.

c.     Press Esc to quit insert mode, and enter :wq to exit the vi editor and save the dhcp_agent.ini configuration file.

3.     Restart the dhcp-agent container.

[root@network ~]# docker restart neutron_dhcp_agent


FAQ

The Python tools cannot be installed using the yum command when a proxy server is used for Internet access. What should I do?

Configure HTTP proxy by performing the following steps:

1.     Make sure the server or the virtual machine can access the HTTP proxy server.

2.     At the CLI of the CentOS system, use the vi editor to open the yum.conf configuration file. If the yum.conf configuration file does not exist, this step creates the file.

[root@localhost ~]# vi /etc/yum.conf

3.     Press I to switch to the insert mode, and provide HTTP proxy information as follows:

¡     If the server does not require authentication, enter HTTP proxy information in the following format:
proxy = http://yourproxyaddress:proxyport

¡     If the server requires authentication, enter HTTP proxy information in the following format:
proxy = http://yourproxyaddress:proxyport
proxy_username=username
proxy_password=password

Table 4 describes the arguments in HTTP proxy information.

Table 4 Arguments in HTTP proxy information

Field

Description

username

Username for logging in to the proxy server, for example, sdn.

password

Password for logging in to the proxy server, for example, 123456.

yourproxyaddress

IP address of the proxy server, for example, 172.25.1.1.

proxyport

Port number of the proxy server, for example, 8080.

 

For example, with the values in Table 4:

proxy = http://172.25.1.1:8080

proxy_username = sdn

proxy_password = 123456

4.     Press Esc to quit insert mode, and enter :wq to exit the vi editor and save the yum.conf file.

After the plug-ins are installed successfully, what should I do if the controller fails to interconnect with the cloud platform?

Follow these steps to resolve the interconnection failure with the cloud platform:

1.     Make sure you have strictly followed the procedure in this document to install and configure the plug-ins.

2.     Contact the cloud platform vendor to determine whether a configuration issue exists on the cloud platform side.

3.     If the issue persists, contact after-sales engineers.
