Learning OpenStack Networking (Neutron) - Second Edition

Book description

Wield the power of OpenStack Neutron networking to bring network infrastructure and capabilities to your cloud

About This Book

  • This completely up-to-date edition will show you how to deploy a cloud on OpenStack using community-driven processes. It includes rich examples that will help you understand complex networking topics with ease
  • Understand every aspect of designing, creating, customizing, and maintaining the core network foundation of an OpenStack cloud using OpenStack Neutron all in one book
  • Written by best-selling author James Denton, who has more than 15 years of experience in system administration and networking. James has experience of deploying, operating, and maintaining OpenStack clouds and has worked with top enterprises and organizations

Who This Book Is For

If you are an OpenStack-based cloud operator and administrator who is new to Neutron networking and wants to build your very own OpenStack cloud, then this book is for you.

Prior networking experience and access to physical server and network infrastructure are recommended to follow along with the concepts demonstrated in the book.

What You Will Learn

  • Architect and install the latest release of OpenStack on Ubuntu Linux 14.04 LTS
  • Review the components of OpenStack networking, including plugins, agents, and services, and learn how they work together to coordinate network operations
  • Build a virtual switching infrastructure using reference architectures based on ML2 + Open vSwitch or ML2 + LinuxBridge
  • Create networks, subnets, and routers that connect virtual machine instances to the network
  • Deploy highly available routers using DVR or VRRP-based methods
  • Scale your application with haproxy and Load Balancing as-a-Service
  • Implement port and router-level security using Security Groups and Firewall as-a-Service
  • Provide connectivity to tenant networks with Virtual Private Networking as-a-Service (VPNaaS)
  • Find out how to manage OpenStack networking resources using CLI and GUI-driven methods

In Detail

OpenStack Neutron is an OpenStack component that provides networking as a service for other OpenStack services to architect networks and create virtual machines through its API. This API lets you define network connectivity and bring network capabilities to cloud deployments.

Through this practical book, you will build a strong foundational knowledge of Neutron, and will architect and build an OpenStack cloud using advanced networking features.

We start with an introduction to OpenStack Neutron and its various components, including virtual switching, routing, FWaaS, VPNaaS, and LBaaS. You'll also get hands-on by installing OpenStack and Neutron and its components, and use agents and plugins to orchestrate network connectivity and build a virtual switching infrastructure.

Moving on, you'll get to grips with the HA routing capabilities utilizing VRRP and distributed virtual routers in Neutron. You'll also discover load balancing fundamentals, including the difference between nodes, pools, pool members, and virtual IPs. You'll discover the purpose of security groups and learn how to apply the security concept to your cloud/tenant/instance.

Finally, you'll configure virtual private networks that will allow you to avoid the use of SNAT and floating IPs when connecting to remote networks.

Style and approach

This easy-to-follow guide on networking in OpenStack follows a step-by-step process for installing OpenStack and configuring the base networking components. Each major networking component has a dedicated chapter that builds on the experience gained from prior chapters.

Table of contents

  1. Learning OpenStack Networking (Neutron) Second Edition
    1. Table of Contents
    2. Learning OpenStack Networking (Neutron) Second Edition
    3. Credits
    4. About the Author
    5. About the Reviewers
    6. www.PacktPub.com
      1. Support files, eBooks, discount offers, and more
        1. Why subscribe?
        2. Free access for Packt account holders
    7. Preface
      1. What this book covers
      2. What you need for this book
      3. Who this book is for
      4. Conventions
      5. Reader feedback
      6. Customer support
        1. Downloading the example code
        2. Downloading the color images of this book
        3. Errata
        4. Piracy
        5. Questions
    8. 1. Preparing the Network for OpenStack
      1. What is OpenStack Networking?
        1. Features of OpenStack Networking
          1. Switching
          2. Routing
          3. Load balancing
          4. Firewalling
          5. Virtual private networks
          6. Network functions virtualization
      2. Preparing the physical infrastructure
        1. Types of network traffic
          1. Management network
          2. API network
          3. External network
          4. Guest network
      3. Physical server connections
        1. Single interface
        2. Multiple interfaces
        3. Bonding
      4. Separating services across nodes
        1. Using a single controller node
        2. Using a dedicated network node
      5. Summary
    9. 2. Installing OpenStack
      1. System requirements
        1. Operating system requirements
      2. Initial network configuration
        1. Example networks
        2. Interface configuration
      3. Initial steps
        1. Updating the system
        2. Permissions
        3. Configuring the OpenStack repository
        4. Installing OpenStack utilities
        5. Setting the hostnames
        6. Installing and configuring Network Time Protocol
        7. Upgrading the system
      4. Installing OpenStack
        1. Installing and configuring the MySQL database server
        2. Installing and configuring the messaging server
        3. Installing and configuring the identity service
        4. Installing Keystone
          1. Configuring the database
          2. Configuring tokens and drivers
          3. Configuring the Apache HTTP server
          4. Download WSGI components
          5. Define services and API endpoints in Keystone
          6. Defining users, tenants, and roles in Keystone
          7. Verifying the Keystone installation
          8. Setting environment variables
        5. Installing and configuring the image service
          1. Configuring the database
          2. Configuring authentication settings
          3. Configuring additional settings
          4. Defining the Glance service and API endpoints in Keystone
          5. Verifying the Glance image service installation
          6. Installing additional images
        6. Installing and configuring the Compute service
          1. Installing and configuring controller node components
          2. Configuring the database
          3. Configuring authentication settings
          4. Additional controller tasks
          5. Installing and configuring compute node components
            1. Additional compute tasks
          6. Verifying communication between services
        7. Installing the OpenStack dashboard
          1. Identifying the Keystone server
          2. Configuring a default role
          3. Reload Apache
          4. Uninstalling the default Ubuntu theme (optional)
          5. Testing connectivity to the dashboard
      5. Summary
    10. 3. Installing Neutron
      1. Basic networking elements in Neutron
      2. Extending functionality with plugins
        1. Modular Layer 2 plugin
          1. Drivers
            1. Type drivers
            2. Mechanism drivers
          2. ML2 architecture
        2. Third-party support
      3. Network namespaces
      4. Installing and configuring Neutron services
        1. Creating the Neutron database
        2. Configuring the Neutron user, role, and endpoint in Keystone
        3. Enabling packet forwarding
        4. Configuring Neutron to use Keystone
        5. Configuring Neutron to use a messaging service
        6. Configuring Nova to utilize Neutron networking
        7. Configuring Neutron to notify Nova
      5. Configuring Neutron services
        1. Starting neutron-server
        2. Configuring the Neutron DHCP agent
          1. Restarting the Neutron DHCP agent
        3. Configuring the Neutron metadata agent
          1. Restarting the Neutron metadata agent
        4. Configuring the Neutron L3 agent
        5. Configuring the Neutron LBaaS agent
        6. Using the Neutron command-line interface
      6. Summary
    11. 4. Building a Virtual Switching Infrastructure
      1. Virtual network devices
        1. Virtual network interfaces
        2. Virtual network switches
          1. Configuring the bridge interface
        3. Overlay networks
          1. Connectivity issues when using overlay networks
      2. Network types supported by Neutron
      3. Choosing a plugin and driver
        1. Using the LinuxBridge driver
        2. Using the Open vSwitch driver
        3. Using the L2 population driver
      4. Visualizing traffic flow when using LinuxBridge
        1. VLAN
        2. Flat
        3. VXLAN
        4. Local
      5. Visualizing the traffic flow when using Open vSwitch
        1. Identifying ports on the virtual switch
        2. Identifying the VLANs associated with ports
        3. Programming flow rules
          1. Flow rules for VLANs
          2. Flow rules for flat networks
          3. Flow rules for local networks
      6. Configuring the ML2 networking plugin
        1. ML2 plugin configuration options
          1. Type drivers
          2. Mechanism drivers
          3. Tenant network types
          4. Flat networks
          5. Network VLAN ranges
          6. Tunnel ID ranges
          7. VNI ranges
          8. Firewall driver
          9. Enable security group
          10. Enable ipset
      7. Configuring the LinuxBridge driver and agent
        1. Installing the LinuxBridge agent
        2. Configuring Nova to use LinuxBridge
        3. Configuring the DHCP agent to use LinuxBridge
        4. ML2 configuration options for LinuxBridge
          1. Physical interface mappings
          2. Enable VXLAN
          3. L2 population
          4. Local IP
        5. Restarting services
        6. Verifying LinuxBridge agents
      8. Configuring the Open vSwitch driver and agent
        1. Installing the Open vSwitch agent
        2. Configuring Nova to use Open vSwitch
        3. Configuring the DHCP agent to use Open vSwitch
        4. ML2 configuration options for Open vSwitch
          1. Bridge mappings
            1. Configuring the bridges
          2. Enable tunneling
          3. Tunnel type
          4. Integration bridge
          5. Tunnel bridge
          6. Local IP
          7. Tunnel types
        5. Restarting services to enable the Open vSwitch plugin
        6. Verifying Open vSwitch agents
      9. Summary
    12. 5. Creating Networks with Neutron
      1. Network management
        1. Provider and tenant networks
        2. Managing networks in the CLI
          1. Creating a flat network in the CLI
          2. Creating a VLAN network in the CLI
          3. Creating a local network in the CLI
          4. Listing networks in the CLI
          5. Showing network properties in the CLI
          6. Updating networks in the CLI
          7. Deleting networks in the CLI
        3. Creating networks in the dashboard
          1. Creating a network via the Admin tab as an administrator
          2. Creating a network via the Project tab as a user
        4. Subnets in Neutron
          1. Creating subnets in the CLI
          2. Creating a subnet in the CLI
          3. Listing subnets in the CLI
          4. Showing subnet properties in the CLI
          5. Updating a subnet in the CLI
        5. Creating subnets in the dashboard
          1. Creating subnets via the Admin tab as an administrator
          2. Creating subnets via the Project tab as a user
      2. Neutron ports
        1. Creating a port
      3. Attaching instances to networks
        1. Attaching instances to networks using nova boot
        2. Attaching network interfaces
        3. Detaching network interfaces
      4. Exploring how instances get their addresses
        1. Watching the DHCP lease cycle
        2. Troubleshooting DHCP
      5. Exploring how instances retrieve their metadata
        1. The DHCP namespace
          1. Adding a manual route to 169.254.169.254
          2. Using DHCP to inject the route
      6. Summary
    13. 6. Managing Security Groups
      1. Security groups in OpenStack
      2. An introduction to iptables
        1. Using ipset
      3. Working with security groups
        1. Managing security groups in the CLI
          1. Creating security groups in the CLI
          2. Deleting security groups in the CLI
          3. Listing security groups in the CLI
          4. Showing the details of a security group in the CLI
          5. Updating security groups in the CLI
          6. Creating security group rules in the CLI
          7. Deleting security group rules in the CLI
          8. Listing security group rules in the CLI
          9. Showing the details of a security group rule in the CLI
          10. Applying security groups to instances and ports in the CLI
          11. Removing security groups from instances and ports in the CLI
      4. Implementing security group rules
        1. Stepping through the chains
      5. Working with security groups in the dashboard
        1. Creating a security group
        2. Managing security group rules
        3. Applying security groups to instances
      6. Disabling port security
        1. Configuring Neutron
          1. Issues with enabling the port security extension
        2. Disabling port security for all ports on a network
        3. Disabling port security on an individual port
      7. Summary
    14. 7. Creating Standalone Routers with Neutron
      1. Routing traffic in a cloud
      2. Installing and configuring the Neutron L3 agent
        1. Defining an interface driver
        2. Setting the external bridge
        3. Setting the external network
        4. Enabling router namespace deletion
        5. Enabling the metadata proxy
        6. Setting the agent mode
        7. Restarting the Neutron L3 agent
      3. Router management in the CLI
        1. Creating routers in the CLI
        2. Working with router interfaces in the CLI
          1. Attaching internal interfaces to routers
          2. Attaching a gateway interface to a router
        3. Listing the interfaces attached to routers
        4. Deleting internal interfaces
        5. Clearing the gateway interface
        6. Listing routers in the CLI
        7. Displaying router attributes in the CLI
        8. Updating router attributes in the CLI
        9. Deleting routers in the CLI
      4. Network address translation
        1. Floating IP addresses
      5. Floating IP management
        1. Creating floating IPs in the CLI
        2. Associating floating IPs with ports in the CLI
        3. Listing floating IPs in the CLI
        4. Displaying the floating IP attributes in the CLI
        5. Disassociating floating IPs in the CLI
        6. Deleting floating IPs in the CLI
      6. Demonstrating traffic flow from an instance to the Internet
        1. Setting the foundation
        2. Creating an external provider network
        3. Creating a Neutron router
        4. Attaching the router to the external network
          1. Identifying the L3 agent and namespace
        5. Testing gateway connectivity
        6. Creating an internal network
        7. Attaching the router to the internal network
        8. Creating instances
        9. Verifying instance connectivity
        10. Observing default NAT behavior
        11. Assigning floating IPs
        12. Reassigning floating IPs
      7. Router management in the dashboard
        1. Creating a router in the dashboard
        2. Attaching internal interfaces in the dashboard
        3. Viewing the network topology in the dashboard
        4. Associating floating IPs to instances in the dashboard
        5. Disassociating floating IPs in the dashboard
      8. Summary
    15. 8. Router Redundancy Using VRRP
      1. Using keepalived and VRRP to provide redundancy
        1. VRRP groups
        2. VRRP priority
        3. VRRP's working mode
          1. Preemptive
          2. Non-preemptive
        4. VRRP timers
          1. Advertisement interval timer
          2. Preemption delay timer
      2. Networking of highly available routers
        1. A dedicated HA network
          1. Limitations
        2. The virtual IP
        3. Determining the master router
      3. Installing and configuring additional L3 agents
        1. Defining an interface driver
        2. Setting the external bridge
        3. Enabling router namespace deletion
        4. Setting the agent mode
        5. Restarting the Neutron L3 agent
      4. Configuring Neutron
      5. Working with highly available routers
        1. Creating highly available routers
        2. Deleting highly available routers
      6. Decomposing a highly available router
        1. Examining the keepalived configuration
        2. Executing a failover
          1. Issues with failovers
      7. Summary
    16. 9. Distributed Virtual Routers
      1. Distributing routers across the cloud
      2. Installing and configuring Neutron components
        1. Installing additional L3 agents
        2. Defining an interface driver
        3. Enabling distributed mode
        4. Setting the external bridge
        5. Enabling router namespace deletion
        6. Setting the agent mode
        7. Configuring Neutron
        8. Restarting the Neutron L3 and Open vSwitch agent
        9. Managing distributed virtual routers
          1. Creating distributed virtual routers
      3. Routing east-west traffic between instances
        1. Reviewing the topology
        2. Plumbing it up
        3. Distributing router ports
          1. Making it work
        4. Demonstrating traffic between instances
      4. Centralized SNAT
        1. Reviewing the topology
        2. Using the routing policy database
        3. Tracing a packet through the SNAT namespace
      5. Floating IPs through distributed virtual routers
        1. Introducing (yet) another namespace
        2. Tracing a packet through the FIP namespace
          1. Sending traffic from an instance with a floating IP
          2. Returning traffic to the floating IP
            1. Using proxy ARP
      6. Summary
    17. 10. Load Balancing Traffic to Instances
      1. Fundamentals of load balancing
        1. Load balancing algorithms
        2. Monitoring
        3. Session persistence
      2. Integrating load balancers into the network
        1. Network namespaces
      3. Installing LBaaS
        1. Configuring the Neutron LBaaS agent service
          1. Defining an interface driver
          2. Defining a device driver
        2. Configuring Neutron
          1. Defining a service plugin
          2. Defining a service provider
        3. Restarting the Neutron LBaaS agent and API service
      4. Load balancer management in the CLI
        1. Managing pools in the CLI
          1. Creating a pool
          2. Deleting a pool
          3. Listing pools
          4. Showing pool details
          5. Showing pool statistics
          6. Updating a pool
          7. Listing pools associated with an agent
        2. Managing pool members in the CLI
          1. Creating pool members
          2. Deleting pool members
          3. Listing pool members
          4. Showing pool member details
          5. Updating a pool member
        3. Managing health monitors in the CLI
          1. Creating a health monitor
          2. Deleting a health monitor
          3. Associating a health monitor with a pool
          4. Disassociating a health monitor from a pool
          5. Listing health monitors
          6. Showing health monitor details
          7. Updating a health monitor
        4. Managing virtual IPs in the CLI
          1. Creating a virtual IP
          2. Deleting a virtual IP
          3. Listing virtual IPs
          4. Showing virtual IP details
          5. Updating a virtual IP
      5. Building a load balancer
        1. Creating a pool
        2. Creating pool members
        3. Creating a health monitor
        4. Creating a virtual IP
        5. The LBaaS network namespace
        6. Confirming load balancer functionality
          1. Observing health monitors
          2. Connecting to the virtual IP externally
      6. Load balancer management in the dashboard
        1. Creating a pool in the dashboard
        2. Creating pool members in the dashboard
        3. Creating a virtual IP in the dashboard
          1. Connecting to the virtual IP externally
      7. Summary
    18. 11. Firewall as a Service
      1. Enabling FWaaS
        1. Configuring the firewall driver
          1. Defining a device driver
        2. Configuring Neutron
          1. Defining a service plugin
        3. Workarounds
      2. Firewall Management in the CLI
        1. Managing firewall rules
          1. Creating a firewall rule in the CLI
          2. Deleting a firewall rule in the CLI
          3. Listing firewall rules in the CLI
          4. Showing the details of a firewall rule in the CLI
          5. Updating a firewall rule in the CLI
        2. Managing firewall policies
          1. Creating a firewall policy in the CLI
          2. Deleting a firewall policy in the CLI
          3. Listing firewall policies in the CLI
          4. Showing the details of a firewall policy in the CLI
          5. Updating a firewall policy in the CLI
          6. Inserting rules into firewall policies in the CLI
          7. Removing rules from firewall policies in the CLI
        3. Managing firewalls
          1. Creating a firewall in the CLI
          2. Deleting a firewall in the CLI
          3. Listing firewalls in the CLI
          4. Showing the details of a firewall in the CLI
          5. Updating a firewall in the CLI
          6. Firewall management in the dashboard
        4. Creating a firewall rule
        5. Creating a firewall policy
        6. Creating a firewall
      3. Demonstrating traffic flow through a firewall
        1. Examining the chains
      4. Summary
    19. 12. Virtual Private Network as a Service
      1. An overview of IPSec
        1. Encapsulating Security Payload
        2. Authentication Header
        3. Security association
        4. Modes
          1. Tunnel mode
          2. Transport mode
        5. Internet Security Association and Key Management Protocol
        6. Creating a secure tunnel
          1. Initiation
          2. IKE phase 1
          3. IKE phase 2
          4. Data transfer
          5. Termination
      2. Installing VPNaaS
        1. Configuring the Neutron VPN agent service
          1. Defining a device driver
        2. Configuring Neutron
          1. Defining a service plugin
          2. Defining a service provider
        3. Configuring AppArmor
        4. Additional workarounds
        5. Restarting the Neutron VPN agent service
      3. VPN management in the CLI
        1. Managing IKE policies
          1. Creating an IKE policy in the CLI
          2. Deleting an IKE policy in the CLI
          3. Listing IKE policies in the CLI
          4. Showing the details of an IKE policy in the CLI
          5. Updating an IKE policy in the CLI
        2. Managing IPSec policies
          1. Creating an IPSec policy in the CLI
          2. Deleting an IPSec policy in the CLI
          3. Listing IPSec policies in the CLI
          4. Showing the details of an IPSec policy in the CLI
          5. Updating an IPSec policy in the CLI
        3. Managing VPN services
          1. Creating a VPN service in the CLI
          2. Deleting a VPN service in the CLI
          3. Listing VPN services in the CLI
          4. Showing the details of a VPN service in the CLI
          5. Updating a VPN service in the CLI
        4. Managing IPSec connections
          1. Creating a site-to-site connection in the CLI
          2. Deleting a site-to-site connection in the CLI
          3. Listing site-to-site connections in the CLI
          4. Showing the details of a site-to-site connection in the CLI
          5. Updating a site-to-site connection in the CLI
      4. VPN management in the dashboard
        1. Creating an IKE policy
        2. Creating an IPSec policy
        3. Creating a VPN service
        4. Creating an IPSec site connection
      5. A tale of two routers
        1. Building a tunnel
        2. Confirming connectivity
      6. Summary
    20. A. Additional Neutron Commands
      1. Neutron extensions
        1. Listing the Neutron API extensions
        2. Showing the details of an API extension
      2. Neutron agents
        1. DHCP agents
        2. L3 agents
        3. LBaaS agents
      3. Per-tenant quotas
        1. Listing the current tenant quotas
        2. Updating tenant quotas
        3. Listing tenant quotas
        4. Deleting tenant quotas
      4. Cisco Nexus 1000V command reference
      5. VMware NSX command reference
      6. Nuage VSP command reference
      7. L3 metering
      8. The LBaaS v2 API
      9. Summary
    21. B. Virtualizing the Environment
      1. Configuring VirtualBox networking
        1. Configuring host-only networks
      2. Creating a virtual machine
      3. Configuring a virtual machine
      4. Installing the Ubuntu operating system
        1. Attaching the ISO to the virtual machine
        2. Starting the virtual machine
      5. Configuring virtual machine networking
        1. Accessing the virtual machine
        2. Configuring network interfaces
      6. Accessing a virtual machine over SSH
      7. Changes to the OpenStack installation
        1. Changes to the Nova configuration
        2. Changes to the Neutron configuration
      8. Summary
    22. Index

Product information

  • Title: Learning OpenStack Networking (Neutron) - Second Edition
  • Author(s): James Denton
  • Release date: November 2015
  • Publisher(s): Packt Publishing
  • ISBN: 9781785287725