Enabling Neutron Extensions

Overview

Kolla deploys Neutron by default as OpenStack networking component. This guide describes configuring and running Neutron extensions like LBaaS, Networking-SFC, QoS, etc.

Networking-SFC

Preparation and deployment

Modify the configuration file /etc/kolla/globals.yml and change the following:

neutron_plugin_agent: "sfc"

Networking-SFC is an additional Neutron plugin. For SFC to work, this plugin has to be installed in neutron-server container as well. Modify the configuration file /etc/kolla/kolla-build.conf and add the following contents:

[neutron-server-plugin-networking-sfc]
type = git
location = https://github.com/openstack/networking-sfc.git
reference = mitaka

Verification

Verify the build and deploy operation of Networking-SFC container. Successful deployment will bring up an SFC container in the list of running containers. Run the following command to login into the neutron-server container:

docker exec -it neutron_server bash

Neutron should provide the following CLI extensions.

#neutron help|grep port

port-chain-create                 [port_chain] Create a Port Chain.
port-chain-delete                 [port_chain] Delete a given Port Chain.
port-chain-list                   [port_chain] List Port Chains that belong
                                  to a given tenant.
port-chain-show                   [port_chain] Show information of a
                                  given Port Chain.
port-chain-update                 [port_chain] Update Port Chain's
                                  information.
port-pair-create                  [port_pair] Create a Port Pair.
port-pair-delete                  [port_pair] Delete a given Port Pair.
port-pair-group-create            [port_pair_group] Create a Port Pair
                                  Group.
port-pair-group-delete            [port_pair_group] Delete a given
                                  Port Pair Group.
port-pair-group-list              [port_pair_group] List Port Pair Groups
                                  that belongs to a given tenant.
port-pair-group-show              [port_pair_group] Show information of a
                                  given Port Pair Group.
port-pair-group-update            [port_pair_group] Update Port Pair
                                  Group's information.
port-pair-list                    [port_pair] List Port Pairs that belongs
                                  to a given tenant.
port-pair-show                    [port_pair] Show information of a given
                                  Port Pair.
port-pair-update                  [port_pair] Update Port Pair's
                                  information.

For setting up a testbed environment and creating a port chain, please refer to the following link:

For the source code, please refer to the following link:

Neutron VPNaaS (VPN-as-a-Service)

Preparation and deployment

Modify the configuration file /etc/kolla/globals.yml and change the following:

enable_neutron_vpnaas: "yes"

Verification

VPNaaS is a complex subject, hence this document provides directions for a simple smoke test to verify the service is up and running.

On the network node(s), the neutron_vpnaas_agent should be up (image naming and versioning may differ depending on deploy configuration):

docker ps --filter name=neutron_vpnaas_agent
CONTAINER ID        IMAGE
COMMAND             CREATED             STATUS              PORTS
NAMES
97d25657d55e
operator:5000/kolla/oraclelinux-source-neutron-vpnaas-agent:4.0.0
"kolla_start"       44 minutes ago      Up 44 minutes
neutron_vpnaas_agent

kolla-ansible includes a small script that can be used in tandem with tools/init-runonce to verify the VPN using two routers and two Nova VMs:

tools/init-runonce
tools/init-vpn

Verify both VPN services are active:

neutron vpn-service-list
+--------------------------------------+----------+--------------------------------------+--------+
| id                                   | name     | router_id                            | status |
+--------------------------------------+----------+--------------------------------------+--------+
| ad941ec4-5f3d-4a30-aae2-1ab3f4347eb1 | vpn_west | 051f7ce3-4301-43cc-bfbd-7ffd59af539e | ACTIVE |
| edce15db-696f-46d8-9bad-03d087f1f682 | vpn_east | 058842e0-1d01-4230-af8d-0ba6d0da8b1f | ACTIVE |
+--------------------------------------+----------+--------------------------------------+--------+

Two VMs can now be booted, one on vpn_east, the other on vpn_west, and encrypted ping packets observed being sent from one to the other.

For more information on this and VPNaaS in Neutron refer to the VPNaaS area on the OpenStack wiki: