From 723772199b008c7b6ac1957e861dc4573ac23cd5 Mon Sep 17 00:00:00 2001
From: Bin Hu
Date: Thu, 24 Dec 2015 20:35:38 -0800
Subject: JIRA: IPVSIX-29

Change-Id: Ic48ba0dfbc5d25bdb3ff145b41c225beeb67c8d1
Signed-off-by: Bin Hu
---
 .../5-ipv6-configguide-scenario-1-native-os.rst | 202 ++++++++++++++-------
 1 file changed, 134 insertions(+), 68 deletions(-)

diff --git a/docs/setupservicevm/5-ipv6-configguide-scenario-1-native-os.rst b/docs/setupservicevm/5-ipv6-configguide-scenario-1-native-os.rst
index 266acb1..b6c92fc 100644
--- a/docs/setupservicevm/5-ipv6-configguide-scenario-1-native-os.rst
+++ b/docs/setupservicevm/5-ipv6-configguide-scenario-1-native-os.rst
@@ -2,24 +2,115 @@ Scenario 1 - Native OpenStack Environment ========================================= -Scenario 1 is the native OpenStack environment. Because the anti-spoofing rule of Security Group feature in OpenStack -prevents a VM from forwarding packets, we need to work around Security Group feature in the native OpenStack -environment. +Scenario 1 is the native OpenStack environment. Although the instructions are based on Liberty, they can be +applied to Kilo in the same way. Because the anti-spoofing rules of Security Group feature in OpenStack prevents +a VM from forwarding packets, we need to disable Security Group feature in the native OpenStack environment. For exemplary purpose, we assume: -* A two-node setup of OpenStack environment is used -* The hostname of OpenStack Controller+Network+Compute Node is ``opnfv-os-controller`` -* The hostname of OpenStack Compute Node is ``opnfv-os-compute`` +* A two-node setup of OpenStack environment is used as shown in :numref:`s1-figure1` +* The hostname of OpenStack Controller+Network+Compute Node is ``opnfv-os-controller``, and the host IP address +is ``192.168.0.10`` +* The hostname of OpenStack Compute Node is ``opnfv-os-compute``, and the host IP address is ``192.168.0.20`` * Ubuntu 14.04 is installed * We use ``opnfv`` as username to login. -* We use ``devstack`` to install OpenStack Kilo +* We use ``devstack`` to install OpenStack Liberty. Please note that OpenStack Kilo can be used as well. -*********************************** -Verify OpenStack is Setup Correctly -*********************************** +.. figure:: images/ipv6-topology-scenario-1.png + :name: s1-figure1 + :width: 100% -**OS-NATIVE-1**: Show hypervisor list + Underlay Network Topology - Scenario 1 + +**Please note that the IP address shown in** :numref:`s1-figure1` +**are for exemplary purpose. You need to configure your public IP +address connecting to Internet according to your actual network +infrastructure. 
And you need to make sure the private IP address are +not conflicting with other subnets**. + +************ +Prerequisite +************ + +**OS-NATIVE-0**: Clone the following GitHub repository to get the configuration and metadata files + +.. code-block:: bash + + git clone https://github.com/sridhargaddam/opnfv_os_ipv6_poc.git /opt/stack/opnfv_os_ipv6_poc + +******************************** +Set up OpenStack Controller Node +******************************** + +We assume the hostname is ``opnfv-os-controller``, and the host IP address is ``192.168.0.10``. + +**OS-NATIVE-N-1**: Clone ``stable/liberty`` ``devstack`` code base. + +.. code-block:: bash + + git clone https://github.com/openstack-dev/devstack.git -b stable/liberty + +**OS-NATIVE-N-2**: Copy ``local.conf.controller`` to ``devstack`` as ``local.conf`` + +.. code-block:: bash + + cp /opt/stack/local.conf.controller ~/devstack/local.conf + +**OS-NATIVE-N-3**: If you want to modify any ``devstack`` configuration, update ``local.conf`` now. + +**OS-NATIVE-N-4**: Start the ``devstack`` installation. + +.. code-block:: bash + + cd ~/devstack + ./stack.sh + +**OS-NATIVE-N-5**: If all goes well, you should see the following output. + +.. code-block:: bash + + This is your host IP address: 192.168.0.10 + This is your host IPv6 address: ::1 + Horizon is now available at http://192.168.0.10/ + Keystone is serving at http://192.168.0.10:5000/ + The default users are: admin and demo + The password: password + +***************************** +Set up OpenStack Compute Node +***************************** + +We assume the hostname is ``opnfv-os-compute``, and the host IP address is ``192.168.0.20``. + +**OS-NATIVE-M-1**: Clone ``stable/liberty`` ``devstack`` code base. + +.. code-block:: bash + + git clone https://github.com/openstack-dev/devstack.git -b stable/liberty + +**OS-NATIVE-M-2**: Copy ``local.conf.compute`` to ``devstack`` as ``local.conf`` + +.. 
code-block:: bash + + cp /opt/stack/local.conf.compute ~/devstack/local.conf + +**OS-NATIVE-M-3**: If you want to modify any ``devstack`` configuration, update ``local.conf`` now. + +**OS-NATIVE-M-4**: Start the ``devstack`` installation. + +.. code-block:: bash + + cd ~/devstack + ./stack.sh + +**OS-NATIVE-M-5**: If all goes well, you should see the following output. + +.. code-block:: bash + + This is your host IP address: 192.168.0.20 + This is your host IPv6 address: ::1 + +**OS-NATIVE-M-6 (OPTIONAL)**: You can verify that OpenStack is set up correctly by showing hypervisor list .. code-block:: bash @@ -31,11 +122,17 @@ Verify OpenStack is Setup Correctly | 2 | opnfv-os-compute | up | enabled | +----+------------------------------------+---------+------------+ -********************************************** -Disable Security Groups in OpenStack ML2 Setup -********************************************** +******************************************************** +**Note**: Disable Security Groups in OpenStack ML2 Setup +******************************************************** + +Please note that Security Groups feature has been disabled automatically through ``local.conf`` configuration file +during the setup procedure of OpenStack in both Controller Node and Compute Node. -**OS-NATIVE-2**: Change the settings in ``/etc/neutron/plugins/ml2/ml2_conf.ini`` as follows +If you are an experienced user that installs OpenStack in a different way, please reference the following +instructions to verify that Security Groups are disabled, and configuration matches the note below. + +**OS-NATIVE-SEC-1**: Change the settings in ``/etc/neutron/plugins/ml2/ml2_conf.ini`` as follows .. code-block:: bash 
@@ -44,7 +141,7 @@ Disable Security Groups in OpenStack ML2 Setup enable_security_group = False firewall_driver = neutron.agent.firewall.NoopFirewallDriver -**OS-NATIVE-3**: Change the settings in ``/etc/nova/nova.conf`` as follows +**OS-NATIVE-SEC-2**: Change the settings in ``/etc/nova/nova.conf`` as follows .. code-block:: bash @@ -53,27 +150,11 @@ Disable Security Groups in OpenStack ML2 Setup security_group_api = nova firewall_driver = nova.virt.firewall.NoopFirewallDriver -*********************************************************************** -Prepare Fedora22 Image, Configuration and Metadata Files for Service VM -*********************************************************************** - -**OS-NATIVE-4**: Clone the following GitHub repository to get the configuration and metadata files - -.. code-block:: bash - - git clone https://github.com/sridhargaddam/opnfv_os_ipv6_poc.git /opt/stack/opnfv_os_ipv6_poc - -**OS-NATIVE-5**: Download ``fedora22`` image which would be used for ``vRouter`` - -.. code-block:: bash - - wget https://download.fedoraproject.org/pub/fedora/linux/releases/22/Cloud/x86_64/Images/Fedora-Cloud-Base-22-20150521.x86_64.qcow2 - ********************************* Set Up Service VM as Ipv6 vRouter ********************************* -**OS-NATIVE-5**: Now we assume that OpenStack multi-node setup is up and running. The following +**OS-NATIVE-SETUP-1**: Now we assume that OpenStack multi-node setup is up and running. The following commands should be executed: .. code-block:: bash 
@@ -81,19 +162,19 @@ commands should be executed: cd ~/devstack source openrc admin demo -**OS-NATIVE-6**: Download ``fedora22`` image which would be used for ``vRouter`` +**OS-NATIVE-SETUP-2**: Download ``fedora22`` image which would be used for ``vRouter`` .. code-block:: bash wget https://download.fedoraproject.org/pub/fedora/linux/releases/22/Cloud/x86_64/Images/Fedora-Cloud-Base-22-20150521.x86_64.qcow2 -**OS-NATIVE-7**: Import Fedora22 image to ``glance`` +**OS-NATIVE-SETUP-3**: Import Fedora22 image to ``glance`` .. code-block:: bash - glance image-create --name 'Fedora20' --disk-format qcow2 --container-format bare --file ./Fedora-Cloud-Base-22-20150521.x86_64.qcow2 + glance image-create --name 'Fedora22' --disk-format qcow2 --container-format bare --file ./Fedora-Cloud-Base-22-20150521.x86_64.qcow2 -**OS-NATIVE-8**: Create Neutron routers ``ipv4-router`` and ``ipv6-router`` which need to provide external +**OS-NATIVE-SETUP-4**: Create Neutron routers ``ipv4-router`` and ``ipv6-router`` which need to provide external connectivity. .. code-block:: bash @@ -101,14 +182,14 @@ connectivity. neutron router-create ipv4-router neutron router-create ipv6-router -**OS-NATIVE-9**: Create an external network/subnet ``ext-net`` using the appropriate values based on the +**OS-NATIVE-SETUP-5**: Create an external network/subnet ``ext-net`` using the appropriate values based on the data-center physical network setup. .. code-block:: bash neutron net-create --router:external ext-net -**OS-NATIVE-10**: If your ``opnfv-os-controller`` node has two interfaces ``eth0`` and ``eth1``, +**OS-NATIVE-SETUP-6**: If your ``opnfv-os-controller`` node has two interfaces ``eth0`` and ``eth1``, and ``eth1`` is used for external connectivity, move the IP address of ``eth1`` to ``br-ex``. Please note that the IP address ``198.59.156.113`` and related subnet and gateway addressed in the command 
@@ -124,7 +205,7 @@ below are for exemplary purpose. **Please replace them with the IP addresses of sudo ip route add default via 198.59.156.1 dev br-ex neutron subnet-create --disable-dhcp --allocation-pool start=198.59.156.251,end=198.59.156.254 --gateway 198.59.156.1 ext-net 198.59.156.0/24 -**OS-NATIVE-11**: Verify that ``br-ex`` now has the original external IP address, and that the default route is on +**OS-NATIVE-SETUP-7**: Verify that ``br-ex`` now has the original external IP address, and that the default route is on ``br-ex`` .. code-block:: bash @@ -143,7 +224,7 @@ below are for exemplary purpose. **Please replace them with the IP addresses of 192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1 198.59.156.0/24 dev br-ex proto kernel scope link src 198.59.156.113 -**OS-NATIVE-12**: Create Neutron networks ``ipv4-int-network1`` and ``ipv6-int-network2`` +**OS-NATIVE-SETUP-8**: Create Neutron networks ``ipv4-int-network1`` and ``ipv6-int-network2`` with port_security disabled .. code-block:: bash @@ -151,7 +232,7 @@ with port_security disabled neutron net-create --port_security_enabled=False ipv4-int-network1 neutron net-create --port_security_enabled=False ipv6-int-network2 -**OS-NATIVE-13**: Create IPv4 subnet ``ipv4-int-subnet1`` in the internal network ``ipv4-int-network1``, +**OS-NATIVE-SETUP-9**: Create IPv4 subnet ``ipv4-int-subnet1`` in the internal network ``ipv4-int-network1``, and associate it to ``ipv4-router``. .. code-block:: bash 
@@ -159,15 +240,15 @@ and associate it to ``ipv4-router``. neutron subnet-create --name ipv4-int-subnet1 --dns-nameserver 8.8.8.8 ipv4-int-network1 20.0.0.0/24 neutron router-interface-add ipv4-router ipv4-int-subnet1 -**OS-NATIVE-14**: Associate the ``ext-net`` to the Neutron routers ``ipv4-router`` and ``ipv6-router``. +**OS-NATIVE-SETUP-10**: Associate the ``ext-net`` to the Neutron routers ``ipv4-router`` and ``ipv6-router``. .. code-block:: bash neutron router-gateway-set ipv4-router ext-net neutron router-gateway-set ipv6-router ext-net -**OS-NATIVE-15**: Create IPv4 subnet ``ipv4-int-subnet2`` and IPv6 subnet ``ipv6-int-subnet2`` in -the internal network ``ipv6-int-network2``, and associate them to ``ipv6-router`` +**OS-NATIVE-SETUP-11**: Create two subnets, one IPv4 subnet ``ipv4-int-subnet2`` and one IPv6 subnet +``ipv6-int-subnet2`` in ``ipv6-int-network2``, and associate both subnets to ``ipv6-router`` .. code-block:: bash @@ -176,13 +257,13 @@ the internal network ``ipv6-int-network2``, and associate them to ``ipv6-router` neutron router-interface-add ipv6-router ipv4-int-subnet2 neutron router-interface-add ipv6-router ipv6-int-subnet2 -**OS-NATIVE-16**: Create a keypair +**OS-NATIVE-SETUP-12**: Create a keypair .. code-block:: bash nova keypair-add vRouterKey > ~/vRouterKey -**OS-NATIVE-17**: Create ports for vRouter (with some specific MAC address - basically for automation - +**OS-NATIVE-SETUP-13**: Create ports for vRouter (with some specific MAC address - basically for automation - to know the IPv6 addresses that would be assigned to the port). .. code-block:: bash 
@@ -190,31 +271,31 @@ to know the IPv6 addresses that would be assigned to the port). neutron port-create --name eth0-vRouter --mac-address fa:16:3e:11:11:11 ipv6-int-network2 neutron port-create --name eth1-vRouter --mac-address fa:16:3e:22:22:22 ipv4-int-network1 -**OS-NATIVE-18**: Create ports for VM1 and VM2. +**OS-NATIVE-SETUP-14**: Create ports for VM1 and VM2. .. code-block:: bash neutron port-create --name eth0-VM1 --mac-address fa:16:3e:33:33:33 ipv4-int-network1 neutron port-create --name eth0-VM2 --mac-address fa:16:3e:44:44:44 ipv4-int-network1 -**OS-NATIVE-19**: Update ``ipv6-router`` with routing information to subnet ``2001:db8:0:2::/64`` +**OS-NATIVE-SETUP-15**: Update ``ipv6-router`` with routing information to subnet ``2001:db8:0:2::/64`` .. code-block:: bash neutron router-update ipv6-router --routes type=dict list=true destination=2001:db8:0:2::/64,nexthop=2001:db8:0:1:f816:3eff:fe11:1111 -**OS-NATIVE-20**: Boot Service VM (``vRouter``), VM1 and VM2 +**OS-NATIVE-SETUP-16**: Boot Service VM (``vRouter``), VM1 and VM2 .. code-block:: bash - nova boot --image Fedora20 --flavor m1.small --user-data /opt/stack/opnfv_os_ipv6_poc/metadata.txt --availability-zone nova:opnfv-os-compute --nic port-id=$(neutron port-list | grep -w eth0-vRouter | awk '{print $2}') --nic port-id=$(neutron port-list | grep -w eth1-vRouter | awk '{print $2}') --key-name vRouterKey vRouter + nova boot --image Fedora22 --flavor m1.small --user-data /opt/stack/opnfv_os_ipv6_poc/metadata.txt --availability-zone nova:opnfv-os-compute --nic port-id=$(neutron port-list | grep -w eth0-vRouter | awk '{print $2}') --nic port-id=$(neutron port-list | grep -w eth1-vRouter | awk '{print $2}') --key-name vRouterKey vRouter nova list nova console-log vRouter #Please wait for some 10 to 15 minutes so that necessary packages (like radvd) are installed and vRouter is up. 
nova boot --image cirros-0.3.4-x86_64-uec --flavor m1.tiny --nic port-id=$(neutron port-list | grep -w eth0-VM1 | awk '{print $2}') --availability-zone nova:opnfv-os-controller --key-name vRouterKey --user-data /opt/stack/opnfv_os_ipv6_poc/set_mtu.sh VM1 nova boot --image cirros-0.3.4-x86_64-uec --flavor m1.tiny --nic port-id=$(neutron port-list | grep -w eth0-VM2 | awk '{print $2}') --availability-zone nova:opnfv-os-compute --key-name vRouterKey --user-data /opt/stack/opnfv_os_ipv6_poc/set_mtu.sh VM2 nova list # Verify that all the VMs are in ACTIVE state. -**OS-NATIVE-21**: If all goes well, the IPv6 addresses assigned to the VMs would be as shown as follows: +**OS-NATIVE-SETUP-17**: If all goes well, the IPv6 addresses assigned to the VMs would be as shown as follows: .. code-block:: bash @@ -223,24 +304,9 @@ to know the IPv6 addresses that would be assigned to the port). VM1 would have the following IPv6 address: 2001:db8:0:2:f816:3eff:fe33:3333/64 VM2 would have the following IPv6 address: 2001:db8:0:2:f816:3eff:fe44:4444/64 -**OS-NATIVE-22**: To ``SSH`` to vRouter, you can execute the following command. +**OS-NATIVE-SETUP-18**: To ``SSH`` to vRouter, you can execute the following command. .. code-block:: bash sudo ip netns exec qrouter-$(neutron router-list | grep -w ipv6-router | awk '{print $2}') ssh -i ~/vRouterKey fedora@2001:db8:0:1:f816:3eff:fe11:1111 -******************* -Miscellaneour Notes -******************* - -We are adding some static routes to the ``ipv6-router``. For whatever reason, if we want to delete the router -or dissociate the ``ipv6-router`` from ``ipv6-int-subnet2``, ``Neutron`` will not allow this operation because -the static route requires the ``ipv6-int-subnet2`` subnet. - -In order to work around this issue, and to clear the static routes associated to the ``ipv6-router``, -you may execute the following: - -.. code-block:: bash - - neutron router-update ipv6-router --routes action=clear - -- cgit 1.2.3-korg
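
Review bot: In the first hunk (``@@ -2,24 +2,115 @@``), OS-NATIVE-N-2 and OS-NATIVE-M-2 copy from ``/opt/stack/local.conf.controller`` and ``/opt/stack/local.conf.compute``, but the only step that fetches any files, OS-NATIVE-0, clones into ``/opt/stack/opnfv_os_ipv6_poc``, so nothing in the guide places those two files directly under ``/opt/stack``. Either point the ``cp`` commands at the path inside the clone or add the step that puts the files where the commands expect them. In the same hunk, the continuation line of the second assumption bullet (the line that starts with "is" followed by the controller IP address) begins at column 0; reStructuredText needs it indented to the bullet text, otherwise the list breaks at that point.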
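
Review bot: In the hunk at ``@@ -31,11 +122,17 @@``, the new paragraph tells the reader to use the following instructions "to verify that Security Groups are disabled", yet OS-NATIVE-SEC-1 (and OS-NATIVE-SEC-2 in the next hunk) are still worded "Change the settings ... as follows"; reword either the steps or the introduction so they agree on whether this is a check or a change. The phrase "configuration matches the note below" has no referent, because the section itself is now titled as the note. Since the paragraph says ``local.conf`` turns Security Groups off automatically on both nodes, it would also help to name the settings involved (``enable_security_group = False`` and the ``NoopFirewallDriver`` lines) up front, so a reader who only runs ``stack.sh`` knows what filtering was switched off on their hosts.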
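
Review bot: In the hunk at ``@@ -81,19 +162,19 @@``, OS-NATIVE-SETUP-2 downloads the Fedora 22 qcow2 image and OS-NATIVE-SETUP-3 imports it into ``glance`` with no integrity check in between; add a step that verifies the downloaded file against the checksum Fedora publishes for that release before running ``glance image-create``. The ``Fedora20`` to ``Fedora22`` image name correction is consistent with the ``nova boot --image Fedora22`` line changed later in the patch.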
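
Review bot: In the hunk at ``@@ -176,13 +257,13 @@``, OS-NATIVE-SETUP-12 writes the private key with ``nova keypair-add vRouterKey > ~/vRouterKey``, so the file gets whatever permissions the shell's umask allows, and OS-NATIVE-SETUP-18 later passes it to ``ssh -i ~/vRouterKey``. OpenSSH ignores a private key file that other users can read, so the documented SSH step can fail as written. Add ``chmod 600 ~/vRouterKey`` to this step while the step labels are being touched anyway.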
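
Review bot: In the last hunk (``@@ -223,24 +304,9 @@``), the removed notes section is the only place that explains why ``Neutron`` refuses to delete ``ipv6-router`` or detach it from ``ipv6-int-subnet2``, and OS-NATIVE-SETUP-15 still adds the static route that causes this. Keep the section, with the heading typo corrected to "Miscellaneous Notes", or move ``neutron router-update ipv6-router --routes action=clear`` into a cleanup step, so readers can still tear the setup down. The commit message gives only the JIRA key and does not say why this guidance was dropped.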