This document describes how to install OpenStack plug-ins for interoperability with OpenStack cloud platforms. Then SeerEngine-DC can process requests from the OpenStack cloud platforms.

OpenStack plug-ins include SeerEngine-DC Neutron plug-ins, Nova patch, openvswitch-agent patch, and DHCP failover components.

SeerEngine-DC Neutron plug-ins

Neutron is a type of OpenStack services used to manage all virtual networking infrastructures (VNIs) in an OpenStack environment. It provides virtual network services to the devices managed by OpenStack computing services.

SeerEngine-DC Neutron plug-ins are developed for the SeerEngine-DC controller based on the OpenStack framework. SeerEngine-DC Neutron plug-ins can obtain network configuration from OpenStack through REST APIs and synchronize the configuration to the SeerEngine-DC controllers. They can obtain settings for the tenants' networks, subnets, routers, or ports.

CAUTION:

To avoid service interruptions, do not modify the settings issued by the cloud platform on the controller, such as the virtual link layer network, vRouter, and vSubnet settings after the plug-ins connect to the OpenStack cloud platform.

Nova patch

Nova is an OpenStack computing controller that provides virtual services for users. The virtual services include creating, starting up, shutting down, and migrating virtual machines and setting configuration information for the virtual machines, such as CPU and memory information.

In specific scenarios (such as a host-based overlay or vCenter network-based overlay scenario), you must install the Nova patch to enable virtual machines created by OpenStack to access networks managed by SeerEngine-DC controllers.

Openvswitch-agent patch

The open source openvswitch-agent process on an OpenStack compute node might fail to deploy VLAN flow tables to open source vSwitches when the following conditions exist:

· The kernel-based virtual machine (KVM) technology is used on the node.

· The hierarchical port binding feature is configured on the node.

To resolve this issue, you must install the openvswitch-agent patch.

DHCP failover components

DHCP component

In the network-based overlay scenario, only a controller is currently allowed to assign addresses to virtual machines or bare metal servers as a DHCP server. When the controller is disconnected from the southbound network, the virtual machines or bare metal servers will not be able to renew and reobtain addresses through DHCP. To resolve the issue, you can install a DHCP component on a network node to provide DHCP failover in the network-based overlay scenario. When the controller loses connection to the southbound network, the virtual machines or bare metal servers can renew and reobtain addresses through the independently deployed DHCP server.

Metadata component

In the DHCP failover scenario, you must install a Metadata component on the network node to provide the Metadata function for the DHCP component.

SeerEngine-DC Neutron security plug-ins

SeerEngine-DC Neutron security plug-ins are developed for the SeerEngine-DC controller based on the OpenStack framework. SeerEngine-DC Neutron security plug-ins can obtain security configuration from OpenStack through REST APIs and synchronize the configuration to the SeerEngine-DC controllers. They can obtain settings for the tenants' FW, LB, or VPN.

Restrictions and guidelines

This document describes interoperability between SeerEngine-DC with one OpenStack platform that contains one controller node. In other scenarios, follow these restrictions and guidelines:

· SeerEngine-DC interoperates with one OpenStack platform that contains multiple controller nodes.

Configure all controller nodes on the OpenStack platform in the same way a single controller is configured, and make sure the configuration on all controller nodes is the same.

· SeerEngine-DC interoperates with multiple OpenStack platforms. Only Queens and Rocky plug-ins are supported.

¡ Install plug-ins on all controller nodes on each OpenStack platform, and configure interoperability parameters, including the cloud_region_name parameter in ml2_conf.ini of the SeerEngine-DC Neutron.

[SDNCONTROLLER]

cloud_region_name = default

cloud_region_name represents the name of the cloud platform. The default value is default. Make sure the value for this parameter is the same as the cloud platform name added on the Virtual Networking > OpenStack page on the SeerEngine-DC controller. Make sure the cloud platform name and VXLAN VNI are unique for each cloud platform.

¡ If each OpenStack platform uses an exclusive keystone service, verify that SeerEngine-DC can interoperate with each OpenStack platform and each platform can deploy services to its tenant.

¡ If multiple OpenStack platforms share the same keystone service, verify that SeerEngine-DC can interoperate with each OpenStack platform and all platforms can deploy services to the same tenant.

· Check the OpenStack version and OSs. Table 1 shows the software requirements for installing the SeerEngine-DC Neutron plug-ins, Nova patch, or openvswitch-agent patch.

Table 1 Software requirements

Item

Supported versions

OpenStack (deployed on CentOS with YUM)

· OpenStack Kilo 2015.1 on Ubuntu 14.04

· OpenStack Liberty on Ubuntu 14.04

· OpenStack Mitaka on Ubuntu 14.04

· OpenStack Newton on Ubuntu 14.04

· OpenStack Ocata on Ubuntu 14.04

· OpenStack Pike on Ubuntu 16 and higher

· OpenStack Queens on Ubuntu 16 and higher

· OpenStack Rocky on Ubuntu 16 and higher

· OpenStack Stein on Ubuntu 16 and higher

IMPORTANT:

· OpenStack security plug-ins do not support the OpenStack Stein version.

· To install OpenStack Pike plug-ins, the dnsmasq version must be 2.76. You can use the dnsmasq –v command to display the dnsmasq version number.

· Make sure your system has a reliable Internet connection before you install the OpenStack plug-ins.

Installing OpenStack cloud platforms

See the installation guide for the specific OpenStack version on the OpenStack official website to install and deploy OpenStack cloud platforms. Verify that the /etc/hosts file on all nodes has the host name-IP address mappings, and the OpenStack Neutron component has been deployed.

Preconfiguring SeerEngine-DC

SeerEngine-DC preconfiguration provides only basic configuration for SeerEngine-DC. For detailed configuration for different scenarios, see the configuration guides.

Table 2 SeerEngine-DC preconfiguration

Configuration	Path
Fabrics	Provision > Network Design > Fabrics
VDS	Tenants > Common Network Settings > Virtual Distributed Switches
Address pools	Provision > Inventory > IP Pools
VNID pools (VLANs, VXLANs, and VLAN-VXLAN mappings)	Provision > Inventory > VNID Pools > VLANs Provision > Inventory > VNID Pools > VXLANs Provision > Inventory > VNID Pools > VLAN-VXLAN Mappings
Adding access and border devices to a fabric	Provision > Network Design > Fabrics
L4-L7 physical devices, resource pools, and profiles	Provision > Inventory > Devices > Physical Devices Provision > Inventory > Devices > L4-L7 Physical Resource Pools
Gateway	Tenants > Common Network Settings > Gateway
Domains and hosts	Provision > Network Design > Domains Provision > Network Design > Domains > Hosts
Interoperability with OpenStack	Virtual Networking > OpenStack NOTE: · Make sure the cloud platform name (case sensitive) is the same as the value for the cloud_region_name parameter in the ml2_conf.ini file of the Neutron plug-in. · Make the VNI range is the same as the VXLAN VNI range on the cloud platform.

Installing SeerEngine-DC Neutron plug-ins and patches on OpenStack

The SeerEngine-DC Neutron plug-ins, Nova patch, openvswitch-agent patch, and DHCP failover components can be installed on different OpenStack versions. The installation package varies by OpenStack version. However, you can use the same procedure to install the Neutron plug-ins, Nova patch, or openvswitch-agent patch on different OpenStack versions. This document uses OpenStack Pike as an example.

Install the SeerEngine-DC Neutron plug-ins on an OpenStack controller node, the Nova patch and openvswitch-agent patch on an OpenStack compute node, and the DHCP failover components on a network node. Before installation, you must install the Python tools on the associated node.

Installing the Python tools

Before installing the plug-ins, first you must download the Python tools online and install them.

To download and install the Python tools:

1. Update the software source list.

sdn@ubuntu:~$ sudo apt-get update

2. Download and install the Python tools.

sdn@ubuntu:~$ sudo apt-get install python-pip python-setuptools

3. Log in to the controller node to edit the /etc/hosts file:

a. Add the IP and name mappings for all OpenStack hosts on the Provision > Domains > Hosts page on SeerEngine-DC.

b. Add the IP and name mappings of all leaf, spine, and boarder devices on the Provision > Inventory > Physical Devices page on SeerEngine-DC.

sdn@ubuntu:~$ sudo vi /etc/hosts

127.0.0.1 localhost

::1 localhost localhost.localdomain localhost6 localhost6.localdomain6

99.0.83.75 controller

99.0.83.76 compute1

99.0.83.77 compute2

99.0.83.78 nfs-server

99.0.83.79 compute3

99.0.83.74 compute4

4. Install websocket-client on the controller node. Make sure the version is 0.56.

sdn@ubuntu:~$ sudo apt-get install python-websocket-client

Configuring interoperability in the KVM host-based overlay scenario

Installing and configuring plug-ins on the controller node

Obtaining the SeerEngine-DC Neutron plug-in installation package

The SeerEngine-DC Neutron plug-ins are included in the SeerEngine-DC OpenStack package. Obtain the SeerEngine-DC OpenStack package of the required version and then save the package to the target installation directory on the server or virtual machine.

Alternatively, transfer the installation package to the target installation directory through a file transfer protocol such as FTP, TFTP, or SCP. Use the binary transfer mode to prevent the software package from being corrupted during transit.

Installing the SeerEngine-DC Neutron plug-ins on the controller node

CAUTION:

The QoS feature will not operate correctly if you configure the database connection in configuration file neutron.conf as follows:

[database]

connection = mysql://…

This is an open source bug in OpenStack. To prevent this problem, configure the database connection as follows:

[database]

connection = mysql+pymysql://…

The three dots (…) in the command line represents the neutron database link information.

Some parameters must be configured with the required values as described in "Parameters and fields."

To install the SeerEngine-DC Neutron plug-ins:

1. Access the directory where the SeerEngine-DC OpenStack package (an .egg file) is saved, and install the package on the OpenStack controller node. The name of the SeerEngine-DC OpenStack package is SeerEngine_DC_PLUGIN-version-py2.7.egg. version represents the version of the package.

sdn@ubuntu:~$ sudo easy_install SeerEngine_DC_PLUGIN-E3608-py2.7.egg

2. Change the user group and permissions of the plug-in file to be consistent with those of the Neutron file.

sdn@ubuntu:~$ sudo cd /usr/local/lib/python2.7/dist-packages

sdn@ubuntu:~$ sudo chown -R --reference==/usr/lib/python2.7/dist-packages/neutron SeerEngine*

sdn@ubuntu:~$ sudo chmod -R --reference=/usr/lib/python2.7/dist-packages/neutron SeerEngine*

sdn@ubuntu:~$ sudo cd /usr/bin

sdn@ubuntu:~$ sudo chown -R --reference=neutron-server h3c*

sdn@ubuntu:~$ sudo chmod -R --reference=neutron-server h3c*

3. Install the SeerEngine-DC Neutron plug-ins.

sdn@ubuntu:~$ sudo h3c-sdnplugin controller install

Editing the configuration file

1. Modify the neutron.conf configuration file.

a. Use the vi editor to open the neutron.conf configuration file.

sdn@ubuntu:~$ sudo vi /etc/neutron/neutron.conf

b. Press I to switch to the insert mode, and modify the configuration file. For information about the parameters, see "neutron.conf."

[DEFAULT]

core_plugin = ml2

service_plugins = h3c_l3_router,qos,h3c_port_forwarding,h3c_vpc_connection

[qos]

notification_drivers = message_queue,qos_h3c

[service_providers]

service_provider=VPC_CONNECTION:H3C:networking_h3c.vpc_connection.h3c_vpc_connection_driver.H3CVpcConnectionDriver:default

For Liberty, Mitaka, Newton, Ocata, and Queens plug-ins:

[qos]

notification_drivers = message_queue,qos_h3c

IMPORTANT:

· OpenStack Kilo does not support QoS. You do not need to specify QoS in the service_plugins parameter.

· The open source port forwarding software has known problems and is not compatible with the Neutron plug-in L3 Plugin. As a best practice, use h3c_port_forwarding Plugin in the Neutron plug-in, and make sure the Neutron community version has resolved the known BUG #1799135.

· Only OpenStack Pike, Queens, Rocky, and Stein support configuring port forwarding. Remove the h3c_port_forwarding configuration from the service_plugins parameter for other versions or in a scenario that does not require port forwarding.

· Only OpenStack Pike supports VPC connections. For other versions or in a scenario that does not require VPC connections, remove the vpc-connection configuration in the service_plugins and service_provider parameters.

c. Press Esc to quit insert mode, and enter :wq to exit the vi editor and save the neutron.conf file.

2. Modify the ml2_conf.ini configuration file.

a. Use the vi editor to open the ml2_conf.ini configuration file.

sdn@ubuntu:~$ sudo vi /etc/neutron/plugins/ml2/ml2_conf.ini

b. Press I to switch to the insert mode, and set the parameters in the ml2_conf.ini configuration file. For information about the parameters, see "ml2_conf.ini."

[ml2]

type_drivers = vxlan,vlan

tenant_network_types = vxlan,vlan

mechanism_drivers = ml2_h3c

extension_drivers = ml2_extension_h3c,qos

[ml2_type_vlan]

network_vlan_ranges = physicnet1:1000:2999,port_security

[ml2_type_vxlan]

vni_ranges = 1:500

c. Press Esc to quit insert mode, and enter :wq to exit the vi editor and save the ml2_conf.ini file.

3. Modify the ml2_conf.ini configuration file after the SeerEngine-DC Neutron plug-in is installed.

a. Use the vi editor to open the ml2_conf.ini configuration file.

sdn@ubuntu:~$ sudo vi /etc/neutron/plugins/ml2/ml2_conf.ini

b. Press I to switch to the insert mode, and set the following parameters in the ml2_conf.ini configuration file. For information about the parameters, see "ml2_conf_h3c.ini."

[SDNCONTROLLER]

url = http://127.0.0.1:10080

username = admin

password = admin@123

domain = sdn

timeout = 1800

retry = 10

vhostuser_mode = server

white_list = False

use_neutron_credential = False

output_json_log = False

vendor_rpc_topic = VENDOR_PLUGIN

hierarchical_port_binding_physicnets = ANY

hierarchical_port_binding_physicnets_prefix = physicnet

enable_dhcp_hierarchical_port_binding = False

enable_security_group = True

enable_https = False

neutron_plugin_ca_file =

neutron_plugin_cert_file =

neutron_plugin_key_file =

enable_iam_auth = False

enable_sdnc_rpc = False

sdnc_rpc_url = ws://127.0.0.1:1080

sdnc_rpc_ping_interval = 60

websocket_fragment_size = 102400

enable_l3_router_rpc_notify = False

qos_rx_limit_min = 0

cloud_region_name = default

c. Press Esc to quit insert mode, and enter :wq to exit the vi editor and save the ml2_conf.ini file.

4. If you have set the white_list parameter to True, perform the following tasks:

¡ Delete the username, password, and domain parameters in the ml2_conf.ini configuration file.

¡ Add an authentication-free user to the controller.

- Enter the IP address of the host where the Neutron server resides.

- Specify the role as Admin.

5. If you have set the use_neutron_credential parameter to True, perform the following steps:

a. Modify the neutron.conf configuration file.

# Use the vi editor to open the neutron.conf configuration file.

# Press I to switch to insert mode, and add the following configuration. For information about the parameters, see "neutron.conf."

[keystone_authtoken]

admin_user = neutron

admin_password = 123456

# Press Esc to quit insert mode, and enter :wq to exit the vi editor and save the neutron.conf file.

b. Add an admin user to the controller.

# Configure the username as neutron.

# Specify the role as Admin.

# Enter the password of the neutron user in OpenStack.

6. Restart the neutron-server service.

sdn@ubuntu:~$ sudo service neutron-server restart

neutron-server stop/waiting

neutron-server start/running, process 4583

Verifying the installation

# Verify that the SeerEngine-DC OpenStack package is correctly installed. If the correct software and OpenStack versions are displayed, the package is successfully installed.

sdn@ubuntu:~$ sudo pip freeze | grep PLUGIN

SeerEngine-DC-PLUGIN===E3608

# Verify that the neutron-server service is enabled. The service is enabled if its state is running.

sdn@ubuntu:~$ sudo service neutron-server status

neutron-server start/running, process 1849

Parameters and fields

This section describes parameters in configuration files and fields included in parameters.

neutron.conf

Parameter	Required value	Description
core_plugin	ml2	Used for loading the core plug-in ml2 to OpenStack.
service_plugins	h3c_l3_router,qos,h3c_port_forwarding,h3c_vpc_connection	Used for loading the extension plug-ins to OpenStack.
service_provider	N/A	Directory where the extension plug-ins are saved.
notification_drivers	message_queue,qos_h3c	Name of the QoS notification driver.
admin_user	N/A	Admin username for Keystone authentication in OpenStack, for example, neutron.
admin_password	N/A	Admin password for Keystone authentication in OpenStack, for example, 123456.

ml2_conf.ini

Parameter	Required value	Description
type_drivers	vxlan,vlan	Driver type. vxlan must be specified as the first driver type.
tenant_network_types	vxlan,vlan	Type of the networks to which the tenants belong. vxlan must be specified as the first driver type. For intranet, only vxlan is available. For extranet, only vlan is available.
mechanism_drivers	ml2_h3c	Name of the ml2 driver. To create SR-IOV instances for VLAN networks, set this parameter to sriovnicswitch, ml2_h3c. To create hierarchy-supported instances, set this parameter to ml2_h3c,openvswitch.
extension_drivers	ml2_extension_h3c,qos	Names of the ml2 extension drivers. Available names include ml2_extension_h3c, qos, and port_security. If the QoS feature is not enabled on OpenStack, you do not need to specify the value qos for this parameter. To not enable port security on OpenStack, you do not need to specify the port_security value for this parameter (The Kilo 2015.1, Liberty 2015.2, and Ocata 2017.1 plug-ins do not support the port_security value.) Kilo 2015.1 plug-ins do not support the QoS driver.
network_vlan_ranges	N/A	Value range for the VLAN ID of the extranet, for example, physicnet1:1000:2999.
vni_ranges	N/A	Value range for the VXLAN ID of the intranet, for example, 1:500.

ml2_conf_h3c.ini

Parameter	Description
url	URL address for logging in to SNA Center or Unified Platform, for example, http://127.0.0.1:10080.
username	Username for logging in to SNA Center or Unified Platform, for example, admin. You do not need to configure a username when the use_neutron_credential parameter is set to True.
password	Password for logging in to SNA Center or Unified Platform, for example, admin@123. You do not need to configure a password when the use_neutron_credential parameter is set to True.
domain	Name of the domain where the controller resides, for example, sdn.
timeout	The amount of time that the Neutron server waits for a response from the controller in seconds, for example, 1800 seconds. As a best practice, set the waiting time greater than or equal to 1800 seconds.
retry	Maximum times for sending connection requests from the Neutron server to the controller, for example, 10.
vif_type	Default vNIC type: · ovs · vhostuser (applied to the OVS DPDK solution) You can set the vhostuser_mode parameter when the value of this parameter is vhostuser. Only the Mitaka, Newton, and Pike plug-ins support this parameter.
vhostuser_mode	Default DPDK vHost-user mode: · server · client The default value is server. This setting takes effect only when the value of the vif_type parameter is vhostuser.
white_list	Whether to enable or disable the authentication-free user feature on OpenStack. · True—Enable. · False—Disable.
use_neutron_credential	Whether to use the OpenStack Neutron username and password to communicate with the controller. · True—Use. · False—Do not use.
output_json_log	Whether to output REST API messages to the OpenStack operating logs in JSON format for communication between the SeerEngine-DC Neutron plug-ins and the controller. · True—Enable. · False—Disable.
vendor_rpc_topic	RPC topic of the vendor. This parameter is required when the vendor needs to obtain Neutron data from the SeerEngine-DC Neutron plug-ins. The available values are as follows: · VENDOR_PLUGIN—Default value, which means that the parameter does not take effect. · DP_PLUGIN—RPC topic of DPtech. The value of this parameter must be negotiated by the vendor and H3C.
hierarchical_port_binding_physicnets	Policy for OpenStack to select a physical VLAN when performing hierarchical port binding. The default value is ANY. · ANY—A VLAN is selected from all physical VLANs for VLAN ID assignment. · PREFIX—A VLAN is selected from all physical VLANs matching the specified prefix for VLAN ID assignment. Only the Mitaka, Newton, Ocata, Pike, Queens, and Rocky plug-ins support this parameter.
hierarchical_port_binding_physicnets_prefix	Prefix for matching physical VLANs. The default value is physicnet. This parameter is available only when you set the value of the hierarchical_port_binding_physicnets parameter to PREFIX. Only the Mitaka, Newton, Ocata, Pike, Queens, Rocky, and Stein plug-ins support this parameter.
enable_dhcp_hierarchical_port_binding	Whether to enable DHCP hierarchical port binding. The default value is False. · True—Enable. · False—Disable. Only the Pike plug-ins support this parameter.
enable_security_group	Whether to deploy OpenStack security group rules to SeerEngine-DC. The default value is False.
enable_https	Whether to enable HTTPS bidirectional authentication. The default value is False. · True—Enable. · False—Disable. Only the Pike plug-ins support this parameter.
neutron_plugin_ca_file	Save location for the CA certificate of the controller, for example, /etc/neutron/ca.crt. As a best practice, save the CA certificate in the /usr/share/neutron directory. Only the Pike plug-ins support this parameter.
neutron_plugin_cert_file	Save location for the Cert certificate of the controller, for example, /etc/neutron/sna.pem. As a best practice, save the Cert certificate in the /usr/share/neutron directory. Only the Pike plug-ins support this parameter.
neutron_plugin_key_file	Save location for the Key certificate of the controller, for example, /etc/neutron/sna.key. As a best practice, save the Cert certificate in the /usr/share/neutron directory. Only the Pike plug-ins support this parameter.
enable_iam_auth	Whether to enable IAM interface authentication. · True—Enable. · False—Disable. When connecting to SNA Center, you can set the value to True to use the IAM interface for authentication. The default value is False. Only the Mitaka and Newton plug-ins support this parameter.
enable_sdnc_rpc	Whether to enable RPC connection between the plug-ins and the controller in the DHCP failover scenario. Bool type. The default value is False. Set the value to False when Metadata is enabled or DHCP fail-safe is supported.
sdnc_rpc_url	RPC interface URL of the controller. Only a WebSocket type interface is supported. String type. The default value is ws://127.0.0.1:1080.
sdnc_rpc_ping_interval	Interval at which an RPC ICMP echo request message is sent to the controller, in seconds. Int type. The default value is 60 seconds.
websocket_fragment_size	Size of a WebSocket fragment sent from the plug-in to the controller in the DHCP failover scenario, in bytes. Int type. The value is an integer equal to or larger than 1024. The default value is 102400. If the value is 1024, the message is not fragmented.
enable_l3_router_rpc_notify	Whether to enable or disable the feature of sending Layer 3 routing events through RPC. · True—Enable. · False—Disable.
qos_rx_limit_min	Minimum inbound bandwidth, in kbps. If the QoS minimum inbound bandwidth configured on OpenStack is smaller than this parameter value, this parameter value takes effect. Only the Kilo 2015.1 plug-ins support this parameter.
cloud_region_name	Name of the cloud platform. String type. The default value is default. Make sure the value of this parameter is the same as the cloud platform name configured on the Virtual Networking > OpenStack page on SeerEngine-DC.

Upgrading the SeerEngine-DC Neutron plug-ins

CAUTION:

· Services might be interrupted during the SeerEngine-DC Neutron plug-ins upgrade procedure.

· The default parameter settings for SeerEngine-DC Neutron plug-ins might vary by OpenStack version (Kilo 2015.1, Liberty, Mitaka, and Ocata). Modify the default parameter settings for SeerEngine-DC Neutron plug-ins when upgrading the OpenStack version to ensure that the plug-ins have the same configurations before and after the upgrade.

To upgrade the SeerEngine-DC Neutron plug-ins:

1. Remove the SeerEngine-DC Neutron plug-ins.

sdn@ubuntu:~$ sudo h3c-sdnplugin controller uninstall

Restore config files

Uninstallation complete.

2. Remove the SeerEngine-DC OpenStack package.

sdn@ubuntu:~$ sudo pip uninstall seerengine-dc-plugin

Uninstalling SeerEngine-DC-PLUGIN-E3608:

/usr/bin/h3c-sdnplugin

/usr/lib/python2.7/site-packages/SeerEngine_DC_PLUGIN-E3608-py2.7.egg

Proceed (y/n)? y

Successfully uninstalled SeerEngine-DC-PLUGIN-E3608

3. Install plug-ins of the new version. For more information, see "Installing and configuring plug-ins on the controller node."

Installing configuring plug-ins on a compute node

You must install the Nova patch only in the following scenarios:

· In KVM host-based overlay or network-based overlay scenario, virtual machines are load balancer members, and the load balancer must be aware of the member status.

· vCenter network-based overlay scenario.

Obtaining the Nova patch installation package

The Nova patch is included in the SeerEngine-DC OpenStack package. Perform the following steps to download the SeerEngine-DC OpenStack package from the H3C website:

1. Obtain the SeerEngine-DC OpenStack package of the required version.

2. Copy the SeerEngine-DC OpenStack package to the installation directory on the server or virtual machine, or upload it to the installation directory through FTP, TFTP, or SCP.

NOTE:

If you decide to upload the SeerEngine-DC OpenStack package through FTP or TFTP, use the binary mode to avoid damage to the package.

Installing the Nova patch

Based on your network environment, choose one step between step 3 and step 4.

To install the Nova patch on the OpenStack compute node:

1. Access the directory where the SeerEngine-DC OpenStack package (an .egg file) is saved, and install the package on the OpenStack compute node. The name of the SeerEngine-DC OpenStack package is SeerEngine_DC_PLUGIN-version1-py2.7.egg. version represents the version of the package.

In this example, the SeerEngine-DC OpenStack package is saved to the /root directory.

sdn@ubuntu:~$ sudo easy_install SeerEngine_DC_PLUGIN-E3608-py2.7.egg

2. Install the Nova patch.

sdn@ubuntu:~$ sudo h3c-sdnplugin compute install

Install the nova patch

modifying:

/usr/lib/python2.7/dist-packages/nova/virt/vmwareapi/vmops.py

modify success, backuped at: /usr/lib/python2.7/dist-packages/nova/virt/vmwareapi/vmops.py.h3c_bak

NOTE:

The contents below the modifying: line indicate the modified open source Neutron file and the backup path of the file before modification.

3. Perform the following steps:

a. Stop the neutron-openvswitch-agent service on the compute node and disable the system from starting the service at startup.

sdn@ubuntu:~$ sudo service neutron-openvswitch-agent stop

sdn@ubuntu:~$ sudo systemctl disable neutron-openvswitch-agent.service

b. Execute the neutron agent-list command on the controller node to identify whether the agent of the compute node exists in the database.

- If the agent of the compute node does not exist in the database, go to the next step.

- If the agent of the compute node exists in the database, execute the neutron agent-delete id command to delete the agent. The id argument represents the agent ID.

sdn@ubuntu:~$ sudo neutron agent-list

| id | agent_type | host |

| 25c3d3ac-5158-4123-b505-ed619b741a52 | Open vSwitch agent | compute3

sdn@ubuntu:~$ sudo neutron agent-delete 25c3d3ac-5158-4123-b505-ed619b741a52

Deleted agent: 25c3d3ac-5158-4123-b505-ed619b741a52

c. Use the vi editor on the compute node to open the nova.conf configuration file.

sdn@ubuntu:~$ sudo vi /etc/nova/nova.conf

d. Press I to switch to the insert mode, and set the parameters in the nova.conf configuration file as follows. For descriptions of the parameters, see Table 3.

If the hypervisor type of the compute node is KVM, modify the nova.conf configuration file as follows:

[s1020v]

s1020v = False

member_status = True

[neutron]

ovs_bridge = vds1-br

If the hypervisor type of the compute node is VMware vCenter, modify the nova.conf configuration file as follows:

[DEFAULT]

compute_driver = vmwareapi.VMwareVCDriver

[vmware]

host_ip = 127.0.0.1

host_username = sdn

host_password = skyline123

cluster_name = vcenter

insecure = True

[s1020v]

s1020v = False

vds = VDS2

e. Press Esc to quit insert mode, and enter :wq to exit the vi editor and save the nova.conf file.

Table 3 Parameters in the configuration file

Parameter	Description
s1020v	Whether to use the S1020V vSwitch to forward the traffic between vSwitches and the traffic between the vSwitches and the external network. · True—Use the S1020V vSwitch. · False—Do not use the S1020V vSwitch. This parameter is obsoleted.
member_status	Whether to enable or disable the feature of modifying the status of members on OpenStack load balancers. · True—Enable. · False—Disable.
vds	VDS to which the host in the vCenter belongs. In this example, the host belongs to VDS2. In the host-based overlay networking, you can only specify the VDS that the controller synchronizes to the vCenter. In the network-based overlay networking, you can specify an existing VDS on demand.
ovs_bridge	Name of the bridge for the H3C S1020V vSwitch. Make sure the bridges created on all H3C S1020V vSwitches use the same name.
compute_driver	Name of the driver used by the compute node for virtualization.
host_ip	IP address used to log in to the vCenter, for example, 127.0.0.1.
host_username	Username for logging in to the vCenter, for example, sdn.
host_password	Password for logging in to the vCenter, for example, skyline123.
cluster_name	Name of the team in the vCenter environment, for example, vcenter.
insecure	Whether to enable or disable security check. · True—Do not perform security check. · False—Perform security check. This value is not supported in the current software version.

4. Restart the openstack-nova-compute service.

sdn@ubuntu:~$ sudo service openstack-nova-compute restart

Verifying the installation

# Verify that the SeerEngine-DC OpenStack package is correctly installed. If the correct software and OpenStack versions are displayed, the package is successfully installed.

sdn@ubuntu:~$ sudo pip freeze | grep PLUGIN

SeerEngine-DC-PLUGIN===E3608

# Verify that the openstack-nova-compute service is enabled. The service is enabled if its state is running.

sdn@ubuntu:~$ sudo service openstack-nova-compute status

nova-compute start/running, process 184

Upgrading the Nova patch

CAUTION:

Services might be interrupted during the Nova patch upgrade procedure.

You must remove the Nova patch before upgrading the Nova patch.

To upgrade the Nova patch:

1. Remove the Nova patch.

sdn@ubuntu:~$ sudo h3c-sdnplugin compute uninstall

Uninstall the nova patch

2. Remove the SeerEngine-DC OpenStack package.

sdn@ubuntu:~$ sudo pip uninstall seerengine-dc-plugin

Uninstalling SeerEngine-DC-PLUGIN-E3608:

/usr/bin/h3c-sdnplugin

/usr/lib/python2.7/dist-packages/SeerEngine_DC_PLUGIN-E368-py2.7.egg

Proceed (y/n)? y

Successfully uninstalled SeerEngine-DC-PLUGIN-E3608

3. Install the new-version Nova patch. For more information, see "Installing configuring plug-ins on a compute node."

Verifying interoperability

1. Create a VXLAN network and a VM on OpenStack.

2. Log in to SeerEngine-DC, and access the Tenants > All Tenants > vPorts page to identify whether the vPort exists. If the vPort information is correct and the vPort is up, the interoperation has succeeded.

Configuring interoperability in the KVM network-based overlay scenario

Installing and configuring plug-ins on the controller node

Installing the SeerEngine-DC Neutron plug-ins on the controller node

See "Installing the SeerEngine-DC Neutron plug-ins ."

Editing the configuration file

IMPORTANT:

You must configure a physical network name and VLAN range for all compute nodes in the network_vlan_ranges parameter in the ml2_conf.ini file. Make sure the physical network name in the bridge_mappings parameter in the openvswitch_agent.ini file is unique for a compute node.

To edit the configuration file:

1. Log in to a controller node as a root user.

2. Edit the network_vlan_ranges parameter in the /etc/neutron/plugins/ml2/openvswitch_agent.ini file. The value to the left of the colon represents the physical network name, and the value to the right of the colon represents the VLAN range.

[ml2]

type_drivers = vxlan,vlan

tenant_network_types = vxlan,vlan

mechanism_drivers = ml2_h3c,openvswitch

[ml2_type_vlan]

network_vlan_ranges = physicnet1:1000:1999,physicnet2:2000:2999

[ml2_type_vxlan]

vni_ranges = 1:500

3. Restart the neutron-server service.

sdn@ubuntu:~$ sudo service neutron-server restart

neutron-server stop/waiting

neutron-server start/running, process 4583

Installing and configuring plug-ins on a compute node

Installing the Nova patch

You must install the Nova patch only in the following scenarios:

· In KVM host-based overlay or network-based overlay scenario, virtual machines are load balancer members, and the load balancer must be aware of the member status.

· vCenter network-based overlay scenario.

For the installation procedure, see "Installing configuring plug-ins on a compute node."

Installing the openvswitch-agent patch

The Rocky and Stein plug-ins do not require installation of the openvswitch-agent patch.

To install the openvswitch-agent patch:

1. Access the directory where the SeerEngine-DC OpenStack package (an .egg file) is saved, and install the package on the OpenStack compute node. The name of the SeerEngine-DC OpenStack package is SeerEngine_DC_PLUGIN-version -py2.7.egg. version represents the version of the package.

sdn@ubuntu:~$ sudo easy_install SeerEngine_DC_PLUGIN-E3608-py2.7.egg

2. Install the openvswitch-agent patch.

sdn@ubuntu:~$ sudo h3c-sdnplugin openvswitch install

3. Restart the openvswitch-agent service.

sdn@ubuntu:~$ sudo service neutron-openvswitch-agent restart

Verifying the installation

# Verify that the SeerEngine-DC OpenStack package is correctly installed. If the correct software and OpenStack versions are displayed, the package is successfully installed.

sdn@ubuntu:~$ sudo pip freeze | grep PLUGIN

SeerEngine-DC-PLUGIN===E3608

# Verify that the openvswitch-agent service is enabled. The service is enabled if its state is running.

sdn@ubuntu:~$ sudo service neutron-openvswitch-agent status

Redirecting to /bin/systemctl status neutron-openvswitch-agent.service

neutron-openvswitch-agent.service - OpenStack Neutron Open vSwitch Agent

Loaded: loaded (/usr/lib/systemd/system/neutron-openvswitch-agent.service; enabled; vendor preset: disabled)

Active: active (running) since Mon 2016-12-05 16:58:18 CST; 18h ago

Main PID: 807 (neutron-openvsw)

Upgrading the openvswitch-agent patch

CAUTION:

Services might be interrupted during the openvswitch-agent patch upgrade procedure.

To upgrade the openvswitch-agent patch, you must remove the current version first, and install a new version.

To upgrade the openvswitch-agent patch:

1. Remove the openvswitch-agent patch.

sdn@ubuntu:~$ sudo h3c-sdnplugin openvswitch uninstall

2. Remove the SeerEngine-DC OpenStack package.

sdn@ubuntu:~$ sudo pip uninstall seerengine-dc-plugin

Uninstalling SeerEngine-DC-PLUGIN-E3608:

/usr/bin/h3c-agent

/usr/bin/h3c-sdnplugin

/usr/lib/python2.7/site-packages/SeerEngine_DC_PLUGIN-E3608-py2.7.egg

Proceed (y/n)? y

Successfully uninstalled SeerEngine-DC-PLUGIN-E3608

3. Install the new patch. For more information, see "Installing and configuring plug-ins on a compute node."

Setting up the environment

IMPORTANT:

Make sure the physical network name in the bridge_mappings parameter in the openvswitch_agent.ini file is unique for a compute node.

To edit the configuration file:

1. Log in to a controller node as a root user.

2. Edit the bridge_mappings parameter in the /etc/neutron/plugins/ml2/openvswitch_agent.ini file. The value to the left of the colon represents the physical network name, and the value to the right of the colon represents the manually created OVS bridge name.

Make sure the physical network name is the same as the physical network name of the bound NIC.

[ovs]

bridge_mappings = physicnet1:br-ens33

3. Create a bridge named br-ens33.

sdn@ubuntu:~$ sudo ovs-vsctl add-br br-ens33

4. Map the bridge to the physical port.

sdn@ubuntu:~$ sudo ovs-vsctl add-port br-ens33 ens33

5. Verify that the bridge was created successfully.

sdn@ubuntu:~$ sudo ovs-vsctl show

6. Delete the default bridge.

sdn@ubuntu:~$ sudo ovs-vsctl del-br br-tun

7. Edit the /etc/neutron/plugins/ml2/openvswitch_agent.ini file to comment out all tunnel-related parameters.

[agent]

# tunnel_types = vxlan

# vxlan_udp_port = 4789

# l2_population = true

[ovs]

# tunnel_bridge = br-tun

# local_ip = 192.168.1.100

8. Restart the openvswicth-agent and neutron-openvswitch-agent services to verify that the br-tun bridge has been deleted successfully.

sdn@ubuntu:~$ sudo systemctl restart neutron-openvswitch-agent.service

sdn@ubuntu:~$ sudo systemctl restart openvswitch-agent.service

sdn@ubuntu:~$ sudo ovs-vsctl show

Installing and configuring plug-ins on a network node

To provide DHCP failover in the network-based overlay scenario, you must install DHCP failover and Metadata components. Only the Pike plug-ins support DHCP failover.

IMPORTANT:

The DHCP failover components can operate only on the CentOS 7.2.1511 operating system with a kernel version of 3.10.0-327.el7.x86_64. If the kernel version does not match that of the S1020V, install the kernel patch first .

Installing basic components

1. Install WebSocket Client on the network node.

IMPORTANT:

Make sure WebSocket Client is in version 0.56 or later.

sdn@ubuntu:~$ sudo yum install –y python-websocket-client

2. Install an S1020V vSwitch on the network node and configure bridge and controller settings. For the installation and configuration procedures, see H3C S1020V Installation Guide.

sdn@ubuntu:~$ sudo rpm -ivh --force -all -i s1020v_ubuntu14.04-2.2.1.20_amd64.deb

3. Stop the open-source DHCP and Metadata services on OpenStack.

sdn@ubuntu:~$ sudo systemctl stop neutron-dhcp-agent neutron-metadata-agent

sdn@ubuntu:~$ sudo systemctl disable neutron-dhcp-agent neutron-metadata-agent

Obtaining the installation package of the DHCP failover components

Two SeerEngine-DC OpenStack packages are available: one contains the DHCP failover components package and one does not. The SeerEngine-DC OpenStack package that contains the DHCP failover components package is named in the SeerEngine_DC_PLUGIN-DHCP_version1_version2.egg format. version1 represents the software package version number. version2 represents the OpenStack version number.

Obtain the required version of the SeerEngine-DC OpenStack package and then save the package to the target installation directory on the server or virtual machine. You can also transfer the installation package to the target installation directory through a file transfer protocol such as FTP, TFTP, or SCP. Use the binary transfer mode to prevent the software package from being corrupted during transit.

Installing the DHCP component

1. Access the directory where the SeerEngine-DC OpenStack package (an .egg file) is saved and then install the package.

In the following example, the SeerEngine-DC OpenStack package is in the /root directory.

sdn@ubuntu:~$ sudo easy_install SeerEngine_DC_PLUGIN-DHCP_E3607_pike_2017.10-py2.7.egg

2. Install the DHCP component.

sdn@ubuntu:~$ sudo h3c-sdnplugin dhcp install

Install Environment dependent packages

Preparing… ########## [100%]

Updating / installing…

1. python2-six-1.10.0-9.el7 ########## [ 1%]

2. ………

Install config files

Install services

Installation complete

Please do not remove the *.h3c_bak files.

3. Edit the DHCP component configuration file.

a. Use the vi editor to open the h3c_dhcp_agent.ini file on the network node.

sdn@ubuntu:~$ sudo vi /etc/neutron/h3c_dhcp_agent.ini

b. Press I to switch to insert mode and edit the configuration file as follows:

[DEFAULT]

interface_driver = openvswitch

dhcp_driver = networking_h3c.agent.dhcp.driver.dhcp.Dnsmasq

enable_isolated_metadata = true

force_metadata = true

ovs_integration_bridge = br0

[h3c]

transport_url = ws://127.0.0.1:8080

websocket_fragment_size = 102400

[ovs]

ovsdb_interface = vsctl

c. To enable certificate authentication, add the following configurations:

[h3c]

ca_file = /etc/neutron/ca.crt

cert_file = /etc/neutron/sna.pem

key_file = /etc/neutron/sna.key

key_password = 123456

insecure = true

d. Press Esc to quit insert mode, and enter :wq to exit the vi editor and save the neutron.conf file.

4. Start the DHCP component.

sdn@ubuntu:~$ sudo systemctl enable h3c-dhcp-agent.service

sdn@ubuntu:~$ sudo systemctl start h3c-dhcp-agent.service

Installing the Metadata component

1. Access the directory where the SeerEngine-DC OpenStack package (an .egg file) is saved and then install the package. The name of the SeerEngine-DC OpenStack package is SeerEngine_DC_PLUGIN-version1_version2-py2.7.egg. version1 represents the version of the package. version2 represents the version of OpenStack.

In the following example, the SeerEngine-DC OpenStack package is in the /root directory.

sdn@ubuntu:~$ sudo easy_install SeerEngine_DC_PLUGIN-E3608_pike_2017.10-py2.7.egg

2. Install the Metadata component.

sdn@ubuntu:~$ sudo h3c-sdnplugin metadata install

Install config files

Install services

Installation complete

Please do not remove the *.h3c_bak files.

3. Edit the Metadata component configuration file.

a. Use the vi editor to open theh3c_metadata_agent.ini configuration file on the network node.

sdn@ubuntu:~$ sudo vi /etc/neutron/h3c_metadata_agent.ini

b. Press I to switch to insert mode and edit the configuration file as follows:

[DEFAULT]

nova_metadata_host = controller

nova_metadata_port = 8775

nova_proxy_shared_secret = METADATA_SECRET

enable_keystone_authtoken = True

[cache]

[keysone_authtoken]

auth_uri = http://controller:5000

auth_url = http://controller:35357

auth_type = password

project_domain_name = default

user_domain_name = default

project_name = service

username = neutron

password = NEUTRON_PASSWORD

[SDNCONTROLLER]

url = https://127.0.0.1:8443

username = sdn

password = skyline

enable_https = False

neutron_plugin_ca_file =

neutron_plugin_cert_file =

neutron_plugin_key_file =

c. Press Esc to quit insert mode, and enter :wq to exit the vi editor and save the neutron.conf file.

4. Start the Metadata component.

sdn@ubuntu:~$ sudo systemctl enable h3c-metadata-agent.service

sdn@ubuntu:~$ sudo systemctl start h3c-metadata-agent.service

Removing DHCP failover components

Remove the SeerEngine-DC OpenStack package after removing the DHCP and Metadata components.

To remove the DHCP failover components:

1. Remove the DHCP component.

sdn@ubuntu:~$ sudo h3c-sdnplugin dhcp uninstall

Remove services

Removed symlink /etc/system/system/multi-user.target.wants/h3c-dhcp-agent.service.

Backup config files

Uninstallation complete

2. Remove the Metadata component.

sdn@ubuntu:~$ sudo h3c-sdnplugin metadata uninstall

Remove services

Removed symlink /etc/system/system/multi-user.target.wants/h3c-metadata-agent.service.

Backup config files

Uninstallation complete

3. Remove the SeerEngine-DC OpenStack package.

sdn@ubuntu:~$ sudo pip uninstall seerengine-dc-plugin

Uninstalling SeerEngine-DC-PLUGIN-DHCP_E3608_pike-2017.10:

/usr/bin/h3c-sdnplugin

/usr/lib/python2.7/site-packages/SeerEngine_DC_PLUGIN-DHCP_E3608_pike-2017.10 -py2.7.egg

Proceed (y/n)? y

Successfully uninstalled SeerEngine-DC-PLUGIN-DHCP_E3608_pike-2017.10

Upgrading DHCP failover components

To upgrade DHCP failover components, first remove the old version and then install the new version.

CAUTION:

Service might be interrupted during the upgrade. Before performing an upgrade, be sure you fully understand its impact on the services.

Parameters and fields

This section describes parameters in configuration files and fields included in parameters.

Table 4 DHCP component configuration file

Parameter	Description
ovs_integration_bridge	vSwitch bridge where the DHCP port resides.
websocket_fragment_size	Size of a websocke message fragment sent to the controller, in bytes. The value is an integer equal to or larger than 1024. The default value is 102400. When the value is 1024, the websocke messages are not fragmented.
insecure	Whether to enable WebSocket certificate authentication. The default value is False.

Table 5 Metadata component configuration file

Parameter	Description
enable_keystone_authtoken	Whether to enable Neutron API. When the value is True, you must configure the keystone_authtoken parameter. When the value is False, you must configure the SDNCONTROLLER parameter.

Verifying interoperability

1. Create a VXLAN network and a VM on OpenStack.

Configuring interoperability in the network-based overlay with SR-IOV enabled scenario

Installing and configuring plug-ins on the controller node

IMPORTANT:

Because of the restrictions by the OpenStack community, only VLAN but not VXLAN is supported in this scenario.

See "Installing the SeerEngine-DC Neutron plug-ins ."

Installing and configuring plug-ins on a compute node

See "Installing and configuring plug-ins on a compute node."

Enabling SR-IOV for a vNIC

See the SR-IOV configuration guide at the official website of OpenStack.

Editing the configuration file

1. Log in to a controller node as a root user.

2. Edit the mechanism_drivers parameter in the Ml2 conf.ini file.

[ml2]

type_drivers = vxlan,vlan

tenant_network_types = vxlan,vlan

mechanism_drivers = sriovnicswitch,ml2_h3c,openvswitch

3. Restart the neutron-server service.

Verifying interoperability

1. Create a VLAN network and a direct-type port on OpenStack.

2. Create a VM with this type of port.

3. Log in to SeerEngine-DC, and access the Tenants > All Tenants > vPorts page to identify whether the vPort exists. If the vPort information is correct and the vPort is up, the interoperation has succeeded.

Configuring interoperability with F5 or third-party load balancers

IMPORTANT:

For how to configure interoperability with a third-party load balancer, see the interoperation guide. This section is for reference only.

Installing and configuring plug-ins on the controller node

See "Installing the SeerEngine-DC Neutron plug-ins ."

Installing and configuring plug-ins on a compute node

Installing the Nova patch

See "Installing and configuring plug-ins on a compute node."

Installing the openvswitch patch

For the VXLAN or network overlay environment, see openvswich patch installation in "Installing and configuring plug-ins on a compute node."

Setting up the F5 environment

Log in to a controller node as a root user, and place the F5 plug-ins in a directory on the controller node, for example, /var/log/neutron. The installation package is provided by F5. Please contact the corresponding personnel to obtain the F5 installation package.

Installing the git tool kit

To obtain the networking-f5 package, you must install the git tool kit before installing F5 plug-ins and patches. To download and install the git tool kit, execute the sdn@ubuntu:~$ sudo yum install –y git command.

Installing F5 plug-ins

1. Install base F5 packages.

[root@neutron ~]# rpm -ivh f5-icontrol-rest-1.3.9-1.el7.noarch.rpm

[root@neutron ~]# rpm -ivh f5-sdk-3.0.11-1.el7.noarch.rpm

2. Install the F5 LBv2 plugin driver.

[root@neutron ~]# tar xvf f5.tgz -C /usr/lib/python2.7/site-packages/neutron_lbaas/drivers/

3. Install the F5 LBv2 plugin driver.

[root@neutron ~]# tar xvf f5.tgz -C /usr/lib/python2.7/site-packages/neutron_lbaas/drivers/

4. Install the F5 agent.

[root@neutron ~]# rpm -ivh f5-openstack-agent-9.7.0-35.el7.noarch.rpm

5. Install the F5 ML2 Plugin driver f5networks.

[root@neutron ~]# git clone https://github.com/F5Networks/networking-f5.git

[root@neutron ~]# cd networking-f5/

[root@networking-f5 ~]# python setup.py install

Editing the configuration files

1. Edit the /etc/neutron/neutron.conf file.

a. If LBaaSV1 configuration exists in the service_plugins parameter, remove the configuration, and add the LBaaSV2 configuration. Keep other configuration unchanged.

[DEFAULT]

core_plugin = ml2

service_plugins = …,neutron_lbaas.services.loadbalancer.plugin.LoadBalancerPluginv2

b. Configure F5 service_providers.

[service_providers]

service_provider=LOADBALANCERV2:F5Networks:neutron_lbaas.drivers.f5.driver_v2.F5LBaaSV2Driver:default

c. Add the following configuration:

[DEFAULT]

unlegacy_setting_placeholder_driver_side = special_driver_side

debug = true

port_normal_or_baremetal = baremetal

to_delete_last_port = False

2. Edit the /etc/neutron/plugins/ml2/ml2_con.ini file.

[ml2]

type_drivers = vxlan,vlan

tenant_network_types = vxlan,vlan

mechanism_drivers = ml2_h3c,...,f5networks //Make sure f5networks is to the right of ml2_h3c

[ml2_type_vlan]

//Separate VLAN ranges with commas (,)

network_vlan_ranges = physicnet1:1000:2999,f5network:3000:3200

[ml2_type_vxlan]

vni_ranges = 1:500 //Specify a VXLAN range

3. Edit the /etc/neutron/services/f5/f5-openstack-agent.ini file.

a. Edit the configuration as follows:

[DEFAULT]

debug = True

// F5 HA modes include standalone and pair

f5_ha_type = standalone

// f5network is the network egress. 5.0 is the name of the trunk created on F5

f5_external_physical_mappings = f5network:5.0:True,default:5.0:True

icontrol_hostname = 31.1.1.135 //F5 management interface address

icontrol_username = admin //F5 account

icontrol_password = admin //F5 password

f5_network_segment_physical_network = f5network //F5 network egress

f5_global_routed_mode = False

agent_id = f5_cluster1 //F5 agent host ID

b. Comment out the following configuration:

#f5_vtep_folder = None

#f5_vtep_selfip_name = None

4. Restart the services.

sdn@ubuntu:~$ sudo systemctl enable f5-openstack-agent

sdn@ubuntu:~$ sudo systemctl restart f5-openstack-agent

sdn@ubuntu:~$ sudo systemctl restart neutron-server

Verifying interoperability

1. Create a LoadBalancer v2 resource on OpenStack.

2. Create a VM with this type of port.

3. Log in to SeerEngine-DC, and access the Tenants > All Tenants > Load Balancers page to identify whether the load balancer exists. If the load balancer information is correct, the interoperation has succeeded.

Configuring interoperability with third-party firewalls

IMPORTANT:

· For more information about interoperability with third-party firewalls, see the interoperation guide. This section uses a DP firewall as an example.

· SeerEngine-DC Neutron plug-ins support using callbacks to process router events. Resources used are h3c_router and h3c_router_interface.

Installing and configuring plug-ins on the controller node

See "Installing the SeerEngine-DC Neutron plug-ins ."

Installing and configuring plug-ins on a compute node

Installing the Nova patch

See "Installing and configuring plug-ins on a compute node."

Installing the openvswitch patch

For the VXLAN or network overlay scenario, see openvswich patch installation in "Installing and configuring plug-ins on a compute node."

Setting up the environment

Editing the configuration files

1. Configure the basic environment based on the third-party interoperability guide.

2. Log in to a controller node as a root user, and edit the ml2_conf.ini file to load DP RPC topic.

[SDNCONTROLLER]

vendor_rpc_topic = DP_PLUGIN

3. Edit the Neutron firewall configuration file to load DP Driver.

vim /etc/neutron/fwaas_driver.ini

[fwaas]

driver= neutron.services.firewall.drivers.linux.dp_fwaas.FwaasDriver

enabled = True

4. Restart the Neutron server.

sdn@ubuntu:~$ sudo systemctl restart neutron-server

Configuring third-party interoperability on SeerEngine-DC

Enable predeployment of third-party interconnect address through REST API:

nem/v1.0/reserve_option

{

"reserve_option": {

"thirdparty_security_service_option": true

}

Verifying interoperability

1. Create a firewall resource on OpenStack and bind it to a router.

2. Create a VM with this type of port.

3. Log in to SeerEngine-DC, and access the Tenants > All Tenants > Firewalls page to identify whether the firewall exists. If the firewall information is correct, the interoperation has succeeded.

Configuring interoperability with Ironic

IMPORTANT:

This section describes only basic installation and configuration procedures. For more information, see the configuration examples.

Installing and configuring plug-ins on the controller node

See "Installing the SeerEngine-DC Neutron plug-ins ."

Deploying Ironic

See the relevant Ironic deployment guide.

Metadata solution

Installing and configuring OpenStack plug-ins on the controller node

For the detailed installation procedure, see "Installing and configuring plug-ins on the controller node"

Installing and configuring OpenStack plug-ins on the compute node

(Optional.) Installing the Nova patch

For the detailed installation procedure, see "Installing configuring plug-ins on a compute node."

(Optional.) Installing the openvswitch patch

For the detailed installation procedure, see "Installing configuring plug-ins on a compute node."

Setting up the environment for the traditional VLAN and VXLAN-based Metadata solution

Perform the following procedure on all nodes where a DHCP agent resides. The node that hosts a DHCP agent requires three physical interfaces: one for management services, one for VLAN data services, and one for VXLAN data services.

To set up the environment for the traditional VLAN and VXLAN-based metadata solution:

1. Configure an IP address for the VXLAN uplink interface.

ens192: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500

inet 100.101.0.10 netmask 255.255.255.0 broadcast 100.101.0.255

inet6 fe80::250:56ff:fe89:6b8a prefixlen 64 scopeid 0x20<link>

ether 00:50:56:89:6b:8a txqueuelen 1000 (Ethernet)

RX packets 5612 bytes 452681 (442.0 KiB)

RX errors 0 dropped 0 overruns 0 frame 0

TX packets 142 bytes 14443 (14.1 KiB)

TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

2. Enable all VLAN and VXLAN uplink interfaces to send LLDP messages and assign IP address mngAddr to the uplink interfaces.

# In this example, ens192 is the VXLAN uplink interface and ens193 is the VLAN uplink interface. Configure the same settings for the two uplink interfaces.

sdn@ubuntu:~$ sudo lldptool set-lldp -i ens192 adminStatus=rxtx;

sdn@ubuntu:~$ sudo lldptool -T -i ens192 -V sysName enableTx=yes;

sdn@ubuntu:~$ sudo lldptool -T -i ens192 -V portDesc enableTx=yes;

sdn@ubuntu:~$ sudo lldptool -T -i ens192 -V sysDesc enableTx=yes;

sdn@ubuntu:~$ sudo ldptool -T -i ens192 -V sysCap enableTx=yes;

sdn@ubuntu:~$ sudo lldptool -T -i ens192 -V mngAddr enableTx=yes;

sdn@ubuntu:~$ sudo lldptool -T -i ens192 -V mngAddr ipv4=100.101.0.10 //Configure an IP address for the VXLAN uplink interface.

sdn@ubuntu:~$ sudo lldptool -t -i ens193

sdn@ubuntu:~$ sudo lldptool set-lldp -i ens193 adminStatus=rxtx;

sdn@ubuntu:~$ sudo lldptool -T -i ens193 -V sysName enableTx=yes;

sdn@ubuntu:~$ sudo lldptool -T -i ens193 -V portDesc enableTx=yes;

sdn@ubuntu:~$ sudo lldptool -T -i ens193 -V sysDesc enableTx=yes;

sdn@ubuntu:~$ sudo lldptool -T -i ens193 -V sysCap enableTx=yes;

sdn@ubuntu:~$ sudo lldptool -T -i ens193 -V mngAddr enableTx=yes;

sdn@ubuntu:~$ sudo lldptool -T -i ens193 -V mngAddr ipv4=100.101.0.10 //Configure the IP address for the VLAN uplink interface to be the same as that of the VXLAN interface.

sdn@ubuntu:~$ sudo lldptool -t -i ens193

3. Add the following settings for the neutron openvswitch agent process.

sdn@ubuntu:~$ sudo vi /etc/neutron/plugins/ml2/openvswitch_agent.ini

[agent]

tunnel_types = vxlan

[ovs]

local_ip = 100.101.0.10 //Configure an IP address for the uplink interface.

4. Restart the neutron-openvswitch-agent process.

sdn@ubuntu:~$ sudo systemctl restart neutron-openvswitch-agent

Setting up the environment for the traditional VLAN and VXLAN hierarchical port binding-based Metadata solution

Controller node

1. Modify the ml2_conf.ini file.

sdn@ubuntu:~$ sudo vi /etc/neutron/plugins/ml2/ml2_conf.ini

[SDNCONTROLLER]

enable_dhcp_hierarchical_port_binding = True

2. Restart the service.

sdn@ubuntu:~$ sudo systemctl restart neutron-server.service

Network node

1. Access the /etc/neutron/plugins/ml2/openvswitch_agent.ini file and edit the bridge_mappings parameter for OVS.

¡ The value before the colon is the physical network name bound to the network card.

¡ The value after the colon is the name of the OVS bridge to be created manually. You can define the name as required.

[ovs]

bridge_mappings = physicnet1:br-ens192

2. Create a network bridge.

In this example, the network bridge is named br-ens192.

sdn@ubuntu:~$ sudo ovs-vsctl add-br br-ens192

3. Bind the network bridge to the physical interface.

sdn@ubuntu:~$ sudo ovs-vsctl add-port br-ens192 ens192

4. Verify that the OVS settings are correct.

sdn@ubuntu:~$ sudo ovs-vsctl show

5. Delete the default network bridge.

In this example, the network bridge br-tun is deleted.

sdn@ubuntu:~$ sudo ovs-vsctl del-br br-tun

6. Enable all VLAN uplink interfaces to send LLDP messages and assign IP address mngAddr to the uplink interface.

In this example, the VLAN uplink interface is ens193. You are not required to specify an IP address for it.

sdn@ubuntu:~$ sudo lldptool set-lldp -i ens193 adminStatus=rxtx;

sdn@ubuntu:~$ sudo lldptool -T -i ens193 -V sysName enableTx=yes;

sdn@ubuntu:~$ sudo lldptool -T -i ens193 -V portDesc enableTx=yes;

sdn@ubuntu:~$ sudo lldptool -T -i ens193 -V sysDesc enableTx=yes;

sdn@ubuntu:~$ sudo lldptool -T -i ens193 -V sysCap enableTx=yes;

sdn@ubuntu:~$ sudo lldptool -T -i ens193 -V mngAddr enableTx=yes;

sdn@ubuntu:~$ sudo lldptool -T -i ens193

7. Access the /etc/neutron/plugins/ml2/openvswitch_agent.ini file to delete all tunnel-related parameters.

[agent]

# tunnel_types = vxlan

# vxlan_udp_port = 4789

# l2_population = true

[ovs]

# tunnel_bridge = br-tun

# local_ip = 192.168.1.100

8. Edit the /etc/neutron/dhcp_agent.ini configuration file.

[DEFAULT]

interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver

dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq

enable_isolated_metadata = true

force_metadata = true

9. Restart the service.

sdn@ubuntu:~$ sudo systemctl restart neutron-dhcp-agent.service

sdn@ubuntu:~$ sudo systemctl restart neutron-openvswitch-agent.service

Installing the SeerEngine-DC Neutron security plug-ins on OpenStack

The SeerEngine-DC Neutron security plug-ins can be installed on multiple OpenStack versions. This section uses OpenStack Pike as an example to describe the security plug-ins installation.

The SeerEngine-DC Neutron security plug-ins are installed on the OpenStack controller node. Before installation, set up the base environment on the node.

Installing the security plug-ins on the controller node

Obtaining the installation package

Obtain and copy the security plug-ins installation package of the required version to the target installation directory on the server or virtual machine.

Alternatively, transfer the installation package to the target installation directory through a file transfer protocol such as FTP, TFTP, or SCP.

IMPORTANT:

To avoid damaging the installation packages, select binary mode if you are to transfer the package through FTP or TFTP.

Installing the security plug-ins on the OpenStack controller node

1. Access the directory where the security plug-ins installation package is saved. The name of installation package is in the SeerEngine_DC_SEC_PLUGIN-version-py2.7.egg format.

In this example, the package is saved in the /root directory.

sdn@ubuntu:~$ sudo easy_install SeerEngine_DC_SEC_PLUGIN-E3603P01-py2.7.egg

2. Edit the user group and permissions for the plug-ins installation package to be the same as those of the Neutron component installation package.

sdn@ubuntu:~$ sudo cd /usr/local/lib/python2.7/dist-packages

sdn@ubuntu:~$ sudo chown -R --reference==/usr/lib/python2.7/dist-packages/neutron SeerEngine*

sdn@ubuntu:~$ sudo chmod -R --reference=/usr/lib/python2.7/dist-packages/neutron SeerEngine*

sdn@ubuntu:~$ sudo cd /usr/bin

sdn@ubuntu:~$ sudo chown -R --reference=neutron-server h3c*

sdn@ubuntu:~$ sudo chmod -R --reference=neutron-server h3c*

3. Install the SeerEngine-DC Neutron security plug-ins.

sdn@ubuntu:~$ sudo h3c-secplugin controller install

Editing the configuration files on the OpenStack controller node

1. Edit the neutron.conf configuration file.

a. Use the vi editor to open the neutron.conf configuration file.

sdn@ubuntu:~$ sudo vi /etc/neutron/neutron.conf

b. Press I to switch to the insert mode, and then edit the configuration file. For more information about the parameters, see "neutron.conf."

For the Pike, Queens, and Rocky plug-ins, edit the neutron.conf configuration file as follows:

[DEFAULT]

service_plugins = firewall,lbaasv2,vpnaas

[service_providers]

service_provider=FIREWALL:H3C:networking_sec_h3c.fw.h3c_fwplugin_driver.H3CFwaasDriver:default

service_provider=LOADBALANCERV2:H3C:networking_sec_h3c.lb.h3c_lbplugin_driver_v2.H3CLbaasv2PluginDriver:default

service_provider=VPN:H3C:networking_sec_h3c.vpn.h3c_vpnplugin_driver.H3CVpnPluginDriver:default

IMPORTANT:

For the Pike plug-ins, when the load balancer supports multiple resource pools of the Context type, you must preprovision a resource pool named dmz or core on the controller, and then change the value of the service provider parameter to LOADBALANCERV2:DMZ:networking_sec_h3c.lb.h3c_lbplugin_driver_v2.H3CLbaasv2PluginDMZDriver:default or LOADBALANCERV2:CORE:networking_sec_h3c.lb.h3c_lbplugin_driver_v2.H3CLbaasv2PluginDMZDriver:default accordingly.

¡ For the Kilo2015.1, Liberty, and Mitaka plug-ins, configure the neutron.conf configuration file as follows when Load balancer V1 is configured in OpenStack:

[DEFAULT]

service_plugins = firewall,lbaas,vpnaas

[service_providers]

service_provider=FIREWALL:H3C:networking_sec_h3c.fw.h3c_fwplugin_driver.H3CFwaasDriver:default

service_provider=LOADBALANCER:H3C:networking_sec_h3c.lb.h3c_lbplugin_driver.H3CLbaasPluginDriver:default

service_provider=VPN:H3C:networking_sec_h3c.vpn.h3c_vpnplugin_ko_driver.H3CVpnPluginDriver:default

¡ For the Newton and Ocata plug-ins, you can specify only Load balancer V2 and edit the service_provider parameter for the VPN service as follows:

service_provider=VPN:H3C:networking_sec_h3c.vpn.h3c_vpnplugin_ko_driver.H3CVpnPluginDriver:default

IMPORTANT:

The service_provider parameter value for the VPN services is different between the Pike, Queens, and Rocky plug-ins and the Kilo2015.1, Liberty, Mitaka, Newton, and Ocata plug-ins. Be clear about the differences.

c. Press Esc to quit the insert mode, and enter :wq to exit the vi editor and save the neutron.conf file.

2. Edit the local_settings configuration file.

a. Use the vi editor to open the local_settings configuration file.

sdn@ubuntu:~$ sudo vi /etc/openstack-dashboard/local_settings

b. Press I to switch to the insert mode. Edit the OPENSTACK_NEUTRON_NETWORK parameter to enable LB, FW, and VPN configuration pages in OpenStack Web.

OPENSTACK_NEUTRON_NETWORK = {

'enable_lb': True,

'enable_firewall': True,

'enable_quotas': True,

'enable_vpn': True,

# The profile_support option is used to detect if an external router can be

# configured via the dashboard. When using specific plugins the

# profile_support can be turned on if needed.

'profile_support': None,

#'profile_support': 'cisco',

}

c. Press Esc to quit insert mode, and enter :wq to exit the vi editor and save the local_settings file.

3. Edit the ml2_sec_conf_h3c.ini configuration file.

a. Use the vi editor to open the ml2_sec_conf_h3c.ini configuration file.

sdn@ubuntu:~$ sudo vi /etc/neutron/plugins/ml2/ml2_sec_conf_h3c.ini

b. Press I to switch to the insert mode and configure the parameters in the configuration file as follows. For more information about the parameters, see "ml2_sec_conf_h3c.ini"

[SEC_SDNCONTROLLER]

url = https://127.0.0.1:10443

username = sdn

password = skyline

domain = sdn

timeout = 1800

retry = 10

white_list = False

firewall_type = CGSR

fw_share_by_tenant = False

lb_type = CGSR

resource_mode = CORE_GATEWAY

resource_share_count = 1

auto_create_resource = True

nfv_ha = True

use_neutron_credential = False

firewall_force_audit = False

sec_output_json_log = False

lb_enable_snat = False

vendor_rpc_topic = VENDOR_PLUGIN

enable_https = False

neutron_plugin_ca_file =

neutron_plugin_cert_file =

neutron_plugin_key_file =

cgsr_fw_context_limit = 0

force_vip_port_device_owner_none = False

enable_iam_auth = False

enable_firewall_metadata = False

lb_member_slow_shutdown = False

enable_multi_gateways = False

enable_multi_segments = False

tenant_gateway_name = None

tenant_gw_selection_strategy = match_first

enable_router_nat_without_firewall = False

directly_external = OFF

directly_external_suffix = DMZ

sec_agent_enable = True

lb_resource_mode = SP

enable_lb_xff = False

c. Press Esc to quit insert mode, and enter :wq to exit the vi editor and save the ml2_sec_conf_h3c.ini file.

4. If you have set the white_list parameter to True, perform the following tasks:

¡ Delete the username, password, and domain parameters for SEC_SDNCONTROLLER in the ml2_conf_h3c.ini configuration file.

¡ Add an authentication-free user to the controller.

- Enter the IP address of the host where the Neutron server resides.

- Specify the role as Admin.

5. If you have set the use_neutron_credential parameter to True, perform the following steps:

a. Modify the neutron.conf configuration file.

# Use the vi editor to open the neutron.conf configuration file.

# Press I to switch to insert mode, and add the following configuration. For information about the parameters, see "neutron.conf."

[keystone_authtoken]

admin_user = neutron

admin_password = 123456

# Press Esc to quit insert mode, and enter :wq to exit the vi editor and save the neutron.conf file.

b. Add an admin user to the controller.

# Configure the username as neutron.

# Specify the role as Admin.

# Enter the password of the neutron user in OpenStack.

6. Restart the neutron-server service.

sdn@ubuntu:~$ sudo service neutron-server restart

neutron-server stop/waiting

neutron-server start/running, process 4583

7. (Optional.) For the firewall to operate in h3c-sec-agent mode, you can restart the h3c-sec-agent process.

sdn@ubuntu:~$ sudo service h3c-sec-agent restart

h3c-sec-agent stop/waiting

h3c-sec-agent start/running, process 4585

Verifying the installation

1. Verify that the SeerEngine-DC OpenStack security plug-ins is installed correctly. If the version number of the plug-ins is displayed correctly, the installation is successful.

sdn@ubuntu:~$ sudo pip freeze | grep PLUGIN

SeerEngine-DC-SEC-PLUGIN===E3603P01

2. Verify that the neutron-server service has been enabled. If the service is in running state, the service is enabled successfully.

sdn@ubuntu:~$ sudo service neutron-server status

neutron-server start/running, process 1849

3. (Optional.) For the firewall to operate in h3c-sec-agent mode, verify that the h3c-sec-agent service is enabled. If the service is running state, the service is enabled.

sdn@ubuntu:~$ sudo service h3c-sec-agent status

h3c-sec-agent start/running, process 1855

Parameters and fields

This section describes parameters in configuration files and fields included in parameters.

neutron.conf

Parameter	Description
service_plugins	Extension plug-ins loaded to OpenStack. The values include firewall, fwaas_h3c, and firewall_h3c. To use the firewall service with the h3c-sec-agent process enabled, set the value to firewall. To speed up deployment of firewall policies and rules, set the value to fwaas_h3c. To use the firewall service with the h3c-sec-agent process disabled, set the value to firewall_h3c.
service_provider	Directory where the extension plug-ins are saved.
admin_user	Admin username for Keystone authentication in OpenStack, for example, neutron.
admin_password	Admin password for Keystone authentication in OpenStack, for example, 123456.

ml2_sec_conf_h3c.ini

Parameter	Description
url	URL address for accessing SNA Center or Unified Platform.
username	Username for logging in to SNA Center or Unified Platform, for example, sdn. You do not need to configure a username when the use_neutron_credential parameter is set to True.
password	Password for logging in to SNA Center or Unified Platform, for example, skyline. You do not need to configure a password when the use_neutron_credential parameter is set to True.
domain	Name of the domain where the SeerEngine-DC controller resides, for example, sdn.
timeout	The amount of time that the Neutron server waits for a response from the SeerEngine-DC controller in seconds, for example, 1800 seconds. As a best practice, set the waiting time greater than or equal to 1800 seconds.
retry	Times of sending connection requests, for example, 10.
white_list	Whether to enable or disable the authentication-free user feature on OpenStack. · True—Enable. · False—Disable.
firewall_type	Type of the firewalls created on the controller: · CGSR—Context-based gateway service type firewall, each using an independent context. This firewall type is available only when the value of the resource_mode parameter is CORE_GATEWAY. · CGSR_SHARE—Context-based gateway service type firewall, all using the same context even if they belong to different tenants. This firewall type is available only when the value of the resource_mode parameter is CORE_GATEWAY. · CGSR_SHARE_BY_COUNT—Context-based gateway service type firewall, all using the same context when the number of contexts reaches the threshold set by the cgsr_fw_context_limit parameter. This firewall type is available only when the value of the resource_mode parameter is CORE_GATEWAY. Only the Pike plug-ins support this firewall type. · NFV_CGSR—VNF-based gateway service type firewall, each using an independent VNF. This firewall type is available only when the value of the resource_mode parameter is CORE_GATEWAY.
fw_share_by_tenant	Whether to enable exclusive use of a gateway service type firewall context by a single tenant and allow the context to be shared by service resources of the tenant when the firewall type is CGSR_SHARE.
lb_type	Type of the load balancers created on the controller. · CGSR—Gateway service type load balancer on a context. This type of load balancers are available only when the value of the resource_mode parameter is set to CORE_GATEWAY. When the value of the lb_resource_mode parameter is SP, CGSR type load balancers that belong to one tenant use the same context. CGSR type load balancers that belong to different tenants use different contexts. When the value of the lb_resource_mode parameter is MP, CGSR type load balancers that belong to one tenant and are bound to the same gateway use the same context. CGSR type load balancers that belong to different tenants use different contexts. · CGSR_SHARE—Gateway service type load balancer on a context. This type of load balancers are available only when the value of the resource_mode parameter is set to CORE_GATEWAY. When the value of the lb_resource_mode parameter is SP, all CGSR_SHARE type load balancers use the same context even if they belong to different tenants. When the value of the lb_resource_mode parameter is MP, CGSR_SHARE type load balancers that belong to different tenants and are bound to the same gateway use the same context. · NFV_CGSR—Gateway service type load balancer on a VNF. This type of load balancers are available only when the value of the resource_mode parameter is set to CORE_GATEWAY. When the value of the lb_resource_mode parameter is SP, NFV_CGSR type load balancers that belong to one tenant use the same VNF. NFV_CGSR type load balancers that belong to different tenants use different VNFs. When the value of the lb_resource_mode parameter is MP, NFV_CGSR type load balancers that belong to one tenant and are bound to the same gateway use the same VNF. NFV_CGSR type load balancers that belong to different tenants use different VNFs.
resource_mode	Type of the resource created on the controller. The available values are as follows: · CORE_GATEWAY—Gateway service resource. · NFV—VNF resource. This parameter has been obsoleted.
resource_share_count	Maximum times that the resource node can be shared by resources. The value is in the range of 1 to 65535. The default value is 1, indicating that the resources cannot be shared.
auto_create_resource	Whether to enable or disable the automatic resources creation feature. · True—Enable. · False—Disable.
nfv_ha	Whether the NFV and NFV_SHARE resources support stack. · True—Support. · False—Do not support.
use_neutron_credential	Whether to use the OpenStack Neutron username and password to communicate with the SeerEngine-DC controller. · True—Use. · False—Do not use.
firewall_force_audit	Whether to audit firewall policies synchronized to the controller by OpenStack. The default value is True for the Kilo 2015.1 plug-ins and False for plug-ins of other versions. · True—Audits firewall policies synchronized to the controller by OpenStack. The auditing state of the synchronized policies on the controller is True (audited). · False—Does not audit firewall policies synchronized to the controller by OpenStack. The synchronized policies on the controller retain their previous auditing state.
sec_output_json_log	Whether to output REST API messages between the SeerEngine-DC Neutron security plugins and SeerEngine-DC controller to the OpenStack operating logs in JSON format. · True—Enable. · False—Disable.
lb_enable_snat	Whether to enable or disable Source Network Address Translation (SNAT) for load balancers on the SeerEngine-DC controller. · True—Enable. · False—Disable.
vendor_rpc_topic	RPC topic of the vendor. This parameter is required when the vendor needs to obtain Neutron data from the SeerEngine-DC Neutron plug-ins. The available values are as follows: · VENDOR_PLUGIN—Default value, which means that the parameter does not take effect. · DP_PLUGIN—RPC topic of DPtech. The value of this parameter must be negotiated by the vendor and H3C.
enable_https	Whether to enable HTTPS bidirectional authentication. The default value is False. · True—Enable. · False—Disable. Only the Pike plug-ins support this parameter.
neutron_plugin_ca_file	Save location for the CA certificate of the controller. As a best practice, save the CA certificate in the /usr/share/neutron directory. Only the Pike plug-ins support this parameter.
neutron_plugin_cert_file	Save location for the Cert certificate of the controller. As a best practice, save the Cert certificate in the /usr/share/neutron directory. Only the Pike plug-ins support this parameter.
neutron_plugin_key_file	Save location for the Key certificate of the controller. As a best practice, save the Cert certificate in the /usr/share/neutron directory. Only the Pike plug-ins support this parameter.
cgsr_fw_context_limit	Context threshold for context-based gateway service type firewalls. The value is an integer. When the threshold is reached, all the context-based gateway service type firewalls use the same context. This parameter takes effect only when the value of the firewall_type parameter is CGSR_SHARE_BY_COUNT. Only the Pike plug-ins support this parameter.
force_vip_port_device_owner_none	Whether to support the LB vport device_owner field. · False—Support the LB vport device_owner field. This setting is applicable to an LB tight coupling solution. · True—Do not support the LB vport device_owner field. This setting is applicable to an LB loose coupling solution. The default value is False.
enable_iam_auth	Whether to enable IAM interface authentication. · True—Enable. · False—Disable. When connecting to SNA Center, you can set the value to True to use the IAM interface for authentication. The default value is False. Only the Mitaka and Newton plug-ins support this parameter.
enable_firewall_metadata	Whether to allow the CloudOS platform to issue firewall-related fields such as the resource pool name to the controller. This parameter is used only for communication with the CloudOS platform. Only the Pike plug-ins support this parameter.
lb_member_slow_shutdown	Whether to enable slow shutdown when creating an LB real server. · True—Enable. · False—Disable. The default value is False.
enable_multi_gateways	Whether to enable the multi-gateway mode for the tenant. · True—Enable the multi-gateway mode for the tenant. In an OpenStack environment without the Segments configuration, this setting enables different vRouters to access the external network over different gateways. · False—Not enable the multi-gateway mode for the tenant. The default value is False. Only the Pike, Queens, and Rocky plug-ins support this parameter.
enable_multi_segments	Whether to enable multiple outbound interfaces, allowing the vRouter to access the external network from multiple outbound interfaces. The default value is False. To enable multiple outbound interfaces, configure the following settings: · Set the value of this parameter to True. · Set the value of the network_force_flat parameter to False. · Access the /etc/neutron/plugins/ml2/ml2_conf.ini file on the controller node and specify the controller's gateway name for the network_vlan_ranges parameter. Only the Pike plug-ins support this parameter.
tenant_gateway_name	Name of the gateway to which the tenant is bound. The default value is None. When the value of the tenant_gw_selection_strategy parameter is match_gateway_name. You must specify the name of an existing gateway on the controller side. Only the Pike, Queens, and Rocky plug-ins support this parameter.
tenant_gw_selection_strategy	Gateway selection strategy for the tenant. · match_first—Select the first gateway. · match_gateway_name—Take effect together with the tenant_gateway_name parameter. Only the Pike, Queens, and Rocky plug-ins support this parameter.
enable_router_nat_without_firewall	Whether to enable NAT when no firewall is configured for the tenant. · True—Enable NAT when no firewall is configured. This setting automatically creates default firewall resources to implement NAT if the vRouter has been bound to an external network. · False—Not enable NAT when no firewall is configured. The default value is False. Only the Pike plug-ins support this parameter.
directly_external	Whether traffic to the external network is directly forwarded by the gateway. The default value is OFF. The available values are as follows: · ANY—Traffic to the external network is directly forwarded by the gateway to the external network. · OFF—Traffic to the external network is forwarded by the gateway to the firewall and then to the external network. · SUFFIX—Traffic that matches the vRouter name suffix is forwarded by the gateway to the firewall and then to the external network.
directly_external_suffix	vRouter name suffix (DMZ for example). This parameter is available only when you set the value of the directly_external parameter to SUFFIX. When you change the vRouter name, make sure you understand the impact on this parameter. Only the Pike, Queens, and Rocky plug-ins support this parameter.
sec_agent_enable	Whether to enable the h3c-sec-agent process. The default value is True. This parameter is used and takes effect only for security plug-in upgrade. Value change of this parameter does not take effect immediately. After you set the value to True, you must install the security plug-in and execute the h3c-secplugin controller install command to enable the process.
lb_resource_mode	Resource pool mode of LB service resources. · SP—All gateways share the same LB resource pool. · MP—Each gateway uses an LB resource pool. The default value is SP.
enable_lb_xff	Whether to enable XFF transparent transmission for LB listeners. · True—Enable. · False—Disable. When the value is True and the listener protocol is HTTP or TERMINATED_HTTPS, a newly created listener is enabled with XFF transparent transmission by default, and the client's IP address is transparently transmitted to the server encapsulated in the X-Forward-For field of the HTTP header. Only the Pike plug-ins support this parameter.

(Optional.) Upgrading the SeerEngine-DC Neutron security plug-ins

To upgrade the SeerEngine-DC Neutron security plug-ins, first remove the old version and then install the new version.

CAUTION:

Service might be interrupted during the upgrade. Before performing an upgrade, be sure you fully understand its impact on services.

IMPORTANT:

The default parameter settings vary depending on the version of SeerEngine-DC Neutron security plug-ins. Modify the default parameter settings for SeerEngine-DC Neutron security plug-ins to ensure that the plug-ins have the same parameter settings before and after the upgrade.

To upgrade SeerEngine-DC Neutron security plug-ins:

1. Uninstall the SeerEngine-DC Neutron security plug-ins.

sdn@ubuntu:~$ sudo h3c-secplugin controller uninstall

Restore config files

Uninstallation complete.

2. Uninstall the SeerEngine-DC OpenStack software package.

sdn@ubuntu:~$ sudo pip uninstall seerengine-dc-sec-plugin

Uninstalling SeerEngine-DC-SEC-PLUGIN-E3603P01:

/usr/bin/h3c-secplugin

/usr/lib/python2.7/site-packages/SeerEngine_DC_SEC_PLUGIN-E3603P01-py2.7.egg

Proceed (y/n)? y

Successfully uninstalled SeerEngine-DC-SEC-PLUGIN-E3603P01

3. Install the new version of SeerEngine-DC Neutron security plug-ins.

For more information, see "Installing the security plug-ins on the controller node."

Comparing and synchronizing firewall information between the cloud platform and controller

Only Pike plug-ins supports this task.

To compare and synchronize firewall information between the cloud platform and controller:

1. Execute the h3c-secplugin-extension compare --file [absolute path] file name.csv command to compare resource information between the cloud platform and controller.

¡ If you do not specify --file [absolute path] filename.csv, the comparison result is saved to the /var/log/neutron/'compare_sec_data-time.csv file, where time indicates the comparison start time.

¡ If you specify --file [absolute path] filename.csv, the comparison result is saved to the specified file. If you do not specify an absolute path, the result is saved to /var/log/neutron/file name.csv.

The comparison result file contains the following fields:

¡ Resource—Resource type.

¡ Name—Resource name.

¡ Id—Resource ID.

¡ Tenant_id—Tenant ID of the resource.

¡ Tenant_name—Tenant name of the resource.

¡ Status—Comparison result.

- lost—Less resources on the controller. You must add resources to the controller.

- different—Different resources on the controller than the cloud platform. You must update resources on the controller.

- surplus—More resources on the controller. You must remove excessive resources from the controller.

2. Execute the h3c-secplugin-extension sync –file comparison result file name.csv command. If the comparison result file is in the /var/log/neutron/ path, enter the file name directly. If the comparison result file is in another path, enter the absolute file path.

After the synchronization is complete, a synchronization result file /var/log/neutron/detail_result_sec_time.csv is generated, where time indicates the synchronization start time.

CAUTION:

Do not add or edit information in the synchronize result file.

Comparing and synchronizing resource information between the controller and cloud platform

Only Rocky, Queens, Pike, Newton, and Mitaka plug-ins support this task.

To compare and synchronize resource information between the controller and cloud platform:

1. Execute the h3c-sdnplugin-extension compare --file [absolute path] file name.csv command to compare resource information between the controller and cloud platform.

¡ If you do not specify --file [absolute path] filename.csv, the comparison result is saved to the /var/log/neutron/'compare_data-time.csv file, where time indicates the comparison start time.

The comparison result file contains the following fields:

¡ Resource—Resource type.

¡ Name—Resource name.

¡ Id—Resource ID.

¡ Tenant_id—Tenant ID of the resource.

¡ Tenant_name—Tenant name of the resource.

¡ Status—Comparison result.

- lost—Less resources on the controller. You must add resources to the controller.

- different—Different resources on the controller than the cloud platform. You must update resources on the controller.

- surplus—More resources on the controller. You must remove excessive resources from the controller.

2. Execute the h3c-sdnplugin-extension sync --file comparison result file name.csv command. If the comparison result file is in the /var/log/neutron/ path, enter the file name directly. If the comparison result file is in another path, enter the absolute file path.

After the command is executed, the system displays resource statistics and prompts for your confirmation to start the synchronization. The system starts the synchronization only after receiving your confirmation for twice.

After the synchronization is complete, a synchronization result file /var/log/neutron/sync_all-time.csv is generated, where time indicating the synchronization start time.

CAUTION:

· Do not add or edit information in the synchronize result file.

· To avoid anomaly caused by misoperations, examine and compare the result file and resource statistics carefully.

FAQ

The Python tools cannot be installed using the yum command when a proxy server is used for Internet access. What should I do?

Configure HTTP proxy by performing the following steps:

1. Make sure the server or the virtual machine can correctly access the HTTP proxy server.

2. At the CLI of the Ubuntu, use the vi editor to open the apt.conf configuration file. If the apt.conf configuration file does not exist, this step creates the file.

sdn@ubuntu:~$ sudo vi /etc/apt/apt.conf

3. Press I to switch to the insert mode, and provide HTTP proxy information as follows:

¡ If the server does not require authentication, enter HTTP proxy information in the following format:

Acquire::http::proxy = http://yourproxyaddress:proxyport

¡ If the server requires authentication, enter HTTP proxy information in the following format:

Acquire::http::proxy = http:// username:password@yourproxyaddress:proxyport, for example, Acquire::http::proxy "http://sdn:123456@172.25.1.1:8080

Table 6 describes the arguments in HTTP proxy information.

Table 6 Arguments in HTTP proxy information

Field	Description
username	Username for logging in to the proxy server, for example, sdn.
password	Password for logging in to the proxy server, for example, 123456.
yourproxyaddress	IP address of the proxy server, for example, 172.25.1.1.
proxyport	Port number of the proxy server, for example, 8080.

4. Press Esc to quit insert mode, and enter :wq to exit the vi editor and save the apt.conf file.

H3C SeerEngine-DC Controller Converged OpenStack Plug-Ins Installation Guide for Ubuntu-E37xx-5W701

SeerEngine-DC Neutron security plug-ins

Installing SeerEngine-DC Neutron plug-ins and patches on OpenStack

Configuring interoperability in the KVM host-based overlay scenario

Obtaining the SeerEngine-DC Neutron plug-in installation package

Installing the SeerEngine-DC Neutron plug-ins on the controller node

Editing the configuration file

Verifying the installation

Parameters and fields

neutron.conf

Upgrading the SeerEngine-DC Neutron plug-ins

Obtaining the Nova patch installation package

Installing the Nova patch

Verifying the installation

Configuring interoperability in the KVM network-based overlay scenario

Installing the SeerEngine-DC Neutron plug-ins on the controller node

Editing the configuration file

Installing the Nova patch

Installing the openvswitch-agent patch

Verifying the installation

Upgrading the openvswitch-agent patch

Setting up the environment

Installing basic components

Obtaining the installation package of the DHCP failover components

Installing the DHCP component

Installing the Metadata component

Removing DHCP failover components

Upgrading DHCP failover components

Parameters and fields

Configuring interoperability in the network-based overlay with SR-IOV enabled scenario

Installing the Nova patch

Installing the openvswitch patch

Installing the git tool kit

Installing F5 plug-ins

Editing the configuration files

Installing the Nova patch

Installing the openvswitch patch

Editing the configuration files

Configuring third-party interoperability on SeerEngine-DC

Metadata solution

(Optional.) Installing the Nova patch

(Optional.) Installing the openvswitch patch

Controller node

Network node

Comparing and synchronizing firewall information between the cloud platform and controller

The Python tools cannot be installed using the yum command when a proxy server is used for Internet access. What should I do?

Cloud & AI

InterConnect

Intelligent Terminal Products

Product Support Services

Technical Service Solutions

Resource Center

Policy

Online Help

Become a Partner

Partner Resources

Partner Business Management

Company Information

News & Events

Contact Us