H3C SeerEngine-DC User manual

Copyright © 2021, New H3C Technologies Co., Ltd. and its licensors
All rights reserved
No part of this manual may be reproduced or transmitted in any form or by any means without prior written
consent of New H3C Technologies Co., Ltd.
Trademarks
Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this
document are the property of their respective owners.
Notice
The information in this document is subject to change without notice. All contents in this document, including
statements, information, and recommendations, are believed to be accurate, but they are presented without
warranty of any kind, express or implied. H3C shall not be liable for technical or editorial errors or omissions
contained herein.

Preface
This installation guide describes the procedures for installing and removing the SeerEngine-DC
OpenStack converged plug-ins.
This preface includes the following topics about the documentation:
• Audience.
• Conventions.
• Documentation feedback.
Audience
This documentation is intended for:
• Network planners.
• Field technical support and servicing engineers.
• Network administrators working.
Conventions
The following information describes the conventions used in the documentation.
GUI conventions
Convention    Description
Boldface      Window names, button names, field names, and menu items are in Boldface.
              For example, the New User window opens; click OK.
>             Multi-level menus are separated by angle brackets. For example,
              File > Create > Folder.
Symbols
Convention    Description
WARNING!      An alert that calls attention to important information that if not understood
              or followed can result in personal injury.
CAUTION:      An alert that calls attention to important information that if not understood
              or followed can result in data loss, data corruption, or damage to hardware
              or software.
IMPORTANT:    An alert that calls attention to essential information.
NOTE:         An alert that contains additional or supplementary information.
TIP:          An alert that provides helpful information.
Documentation feedback
You can e-mail your comments about product documentation to info@h3c.com.
We appreciate your comments.

Contents
Overview
  SeerEngine-DC Neutron plug-ins
  SeerEngine-DC Neutron security plug-ins
Preparing for installation
  Hardware requirements
  Software requirements
Deploying OpenStack by using Kolla Ansible
Preprovisioning basic SeerEngine-DC settings
Installing OpenStack plug-ins
  Setting up the basic environment
  Installing the SeerEngine-DC Neutron plug-ins
    Obtaining the SeerEngine-DC Neutron plug-in installation package
    Installing the SeerEngine-DC Neutron plug-ins on the OpenStack control node
    Parameters and fields
  Upgrading the SeerEngine-DC Neutron plug-ins
  Installing the SeerEngine-DC Neutron security plug-in on OpenStack
    Installing the security plug-in on the controller node
    Upgrading the SeerEngine-DC Neutron security plug-in
(Optional.) Configuring the metadata service for network nodes
FAQ
  The Python tools cannot be installed using the yum command when a proxy server is used for Internet access. What should I do?
  After the plug-ins are installed successfully, what should I do if the controller fails to interconnect with the cloud platform?

Overview
This document describes how to install OpenStack plug-ins for interoperability with OpenStack cloud
platforms. Then SeerEngine-DC can process requests from the OpenStack cloud platforms.
OpenStack plug-ins include SeerEngine-DC Neutron plug-ins, Nova patch, openvswitch-agent patch,
and DHCP failover components.
SeerEngine-DC Neutron plug-ins
Neutron is an OpenStack service used to manage all virtual networking infrastructures (VNIs)
in an OpenStack environment. It provides virtual network services to the devices managed by
OpenStack computing services.
SeerEngine-DC Neutron plug-ins are developed for the SeerEngine-DC controller based on the
OpenStack framework.
The SeerEngine-DC Neutron plug-ins allow deployment of the network configuration obtained from
OpenStack through REST APIs on the SeerEngine-DC controller, including tenants' networks,
subnets, routers, and ports.
CAUTION:
To avoid service interruptions, do not modify the settings issued by the cloud platform on the
controller, such as the virtual link layer network, vRouter, and vSubnet settings after the plug-ins
connect to the OpenStack cloud platform.
SeerEngine-DC Neutron security plug-ins
SeerEngine-DC Neutron security plug-ins are developed for the SeerEngine-DC controller based on
the OpenStack framework. SeerEngine-DC Neutron security plug-ins can obtain security
configuration from OpenStack through REST APIs and synchronize the configuration to the
SeerEngine-DC controllers. They can obtain settings for the tenants' FW, LB, or VPN.

Preparing for installation
Hardware requirements
Table 1 shows the hardware requirements for installing the SeerEngine-DC Neutron plug-ins on a
server or virtual machine.
Table 1 Hardware requirements
CPU                              Memory size      Disk space
Single-core and multicore CPUs   2 GB and above   5 GB and above
Software requirements
Table 2 shows the software requirements for installing the SeerEngine-DC Neutron plug-ins.
Table 2 Software requirements
Item                                        Supported versions
OpenStack deployed by using Kolla-Ansible   • OpenStack Ocata
                                            • OpenStack Pike
                                            • OpenStack Queens
                                            • OpenStack Rocky
                                            • OpenStack Stein
IMPORTANT:
Before you install the OpenStack plug-ins, make sure the following requirements are met:
• Your system has a reliable Internet connection.
• OpenStack has been deployed correctly. Verify that the /etc/hosts file on all nodes has the host
  name-IP address mappings, and the OpenStack Neutron extension services (Neutron-FWaas,
  Neutron-VPNaas, or Neutron-LBaas) have been deployed. For the deployment procedure, see
  the installation guide for the specific OpenStack version on the OpenStack official website.
NOTE:
• The SeerEngine-DC Neutron security plug-in does not support OpenStack Stein.
• For the installation of the converged version of SeerEngine_DC plug-ins
  (SeerEngine_DC_PLUGIN-version-py2.7.egg), see H3C SeerEngine-DC OpenStack
  Converged Plug-Ins Installation Guide.

Deploying OpenStack by using Kolla Ansible
Before installing the plug-ins, deploy OpenStack by using Kolla Ansible first. For the OpenStack
deployment procedure, see the installation guide for the specific OpenStack version on the
OpenStack official website.

Preprovisioning basic SeerEngine-DC settings
This procedure preprovisions only basic SeerEngine-DC settings. For the configuration in a specific
scenario, see the SeerEngine-DC configuration guide for that scenario.
Table 3 Preprovisioning basic SeerEngine-DC settings
Each item is followed by its configuration directory.
Fabrics
    Provision > Network Design > Fabrics
VDS
    Tenants > Common Network Settings > Virtual Distributed Switches
IP address pool
    Provision > Inventory > IP Address Pools
VNID pools (VLANs, VXLANs, and VLAN-VXLAN mappings)
    Provision > Inventory > VNID Pools > VLANs
    Provision > Inventory > VNID Pools > VXLANs
    Provision > Inventory > VNID Pools > VLAN-VXLAN Mappings
Add access devices and border devices to a fabric
    Provision > Network Design > Fabrics
L4-L7 device, physical resource pool, and template
    Provision > Inventory > Devices > L4-L7 Device
    Provision > Inventory > Devices > L4-L7 Physical Resource Pools
Border gateway
    Tenants > Common Network Settings > Gateway
Domains and hosts
    Provision > Network Design > Domains
    Provision > Network Design > Domains > Hosts
Interoperability with OpenStack
    Virtual Networking > OpenStack
    NOTE:
    • Make sure the cloud platform name (case sensitive) is the same as the value for the
      cloud_region_name parameter in the ml2_conf.ini file of the Neutron plug-in.
    • Make sure the VNI range is the same as the VXLAN VNI range on the cloud platform.

Installing OpenStack plug-ins
The SeerEngine-DC Neutron plug-ins can be installed on different OpenStack versions. The
installation package varies by OpenStack version. However, you can use the same procedure to
install the Neutron plug-ins on different OpenStack versions. This document uses OpenStack Ocata
as an example.
The SeerEngine-DC Neutron plug-ins are installed on the OpenStack control node.
Setting up the basic environment
Before installing SeerEngine-DC Neutron plug-ins on the OpenStack control node, set up the basic
environment on the node.
To set up the basic environment:
1. Update the software source list, and then download and install the Python tools.
The following uses commands on a CentOS operating system as an example.
[root@localhost ~]# yum clean all
[root@localhost ~]# yum makecache
[root@localhost ~]# yum install -y python-pip python-setuptools
2. Install runlike.
[root@localhost ~]# pip install runlike
3. Log in to the controller node and edit the /etc/hosts file. Add the following information to the file.
• IP and name mappings of all hosts in this OpenStack environment. To obtain this
  information, access the SeerEngine-DC controller and select Provision > Domains >
  Hosts.
• IP and name mappings of all leaf, spine, and border devices in this scenario. To obtain this
  information, access the SeerEngine-DC controller and select Provision > Inventory >
  Devices.
[root@localhost ~]# vim /etc/hosts
127.0.0.1 localhost
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
99.0.83.75 controller
99.0.83.76 compute1
99.0.83.77 compute2
99.0.83.78 nfs-server
99.0.83.79 compute3
99.0.83.74 compute4
4. Install websocket-client on the controller node. Make sure the version is 0.56.
[root@localhost ~]# yum install -y python-websocket-client

Installing the SeerEngine-DC Neutron plug-ins
Obtaining the SeerEngine-DC Neutron plug-in installation package
The SeerEngine-DC Neutron plug-ins are included in the SeerEngine-DC OpenStack package.
Obtain the SeerEngine-DC OpenStack package of the required version and then save the package
to the target installation directory on the server or virtual machine.
Alternatively, transfer the installation package to the target installation directory through a file transfer
protocol such as FTP, TFTP, or SCP. Use the binary transfer mode to prevent the software package
from being corrupted during transit.
Installing the SeerEngine-DC Neutron plug-ins on the OpenStack control node
1. Generate the startup script for the neutron-server container.
[root@localhost ~]# runlike neutron_server>docker-neutron-server.sh
2. Modify the neutron.conf configuration file.
a. Use the vi editor to open the neutron.conf configuration file.
[root@localhost ~]# vi /etc/kolla/neutron-server/neutron.conf
b. Press I to switch to the insert mode, and modify the configuration file. For information about
the parameters, see "neutron.conf."
[DEFAULT]
core_plugin = ml2
service_plugins = h3c_l3_router,qos,h3c_vpc_connection,h3c_port_forwarding
[service_providers]
service_provider=VPC_CONNECTION:H3C:networking_h3c.vpc_connection.h3c_vpc_connection_driver.H3CVpcConnectionDriver:default
[qos]
notification_drivers = message_queue,qos_h3c
IMPORTANT:
For the Pike plug-ins, if deployment of firewall policies and rules takes a long time, you can
change firewall in the value of the service_plugins parameter to fwaas_h3c.
For Ocata plug-ins:
[DEFAULT]
core_plugin = ml2
service_plugins = h3c_vcfplugin.l3_router.h3c_l3_router_plugin.H3CL3RouterPlugin,firewall,neutron_lbaas.services.loadbalancer.plugin.LoadBalancerPluginv2,vpnaas,qos
[service_providers]
service_provider=FIREWALL:H3C:h3c_vcfplugin.fw.h3c_fwplugin_driver.H3CFwaasDriver:default
service_provider=LOADBALANCERV2:H3C:h3c_vcfplugin.lb.h3c_lbplugin_driver_v2.H3CLbaasv2PluginDriver:default
service_provider=VPN:H3C:h3c_vcfplugin.vpn.h3c_vpnplugin_driver.H3CVpnPluginDriver:default
[qos]
notification_drivers = message_queue,qos_h3c
IMPORTANT:
The QoS feature will not operate correctly if you configure the database connection in
configuration file neutron.conf as follows:
[database]
connection = mysql://…
This is an open source bug in OpenStack. To prevent this problem, configure the database
connection as follows:
[database]
connection = mysql+pymysql://…
The three dots (…) in the command line represent the neutron database link information.
IMPORTANT:
• In the neutron_server configuration directory (/etc/kolla/neutron-server/), you can
  configure the service_provider parameter for a service only once. If you have
  configured the service_provider parameter for the firewall service in the neutron.conf
  configuration file, do not configure the service_provider parameter in the
  fwaas_driver.ini file. This rule also applies to the LBaaS and VPNaaS services.
• For h3c_agent to load the driver correctly, change the FWaaS driver value in the
  /etc/kolla/neutron-server/fwaas_driver.ini file to
  networking_h3c.fw.h3c_fwplugin_driver.H3CfwaasDriver.
3. Modify the ml2_conf.ini configuration file.
a. Use the vi editor to open the ml2_conf.ini configuration file.
[root@localhost ~]# vi /etc/kolla/neutron-server/ml2_conf.ini
b. Press I to switch to the insert mode, and set the parameters in the ml2_conf.ini
configuration file. For information about the parameters, see "ml2_conf.ini."
[ml2]
type_drivers = vxlan,vlan
tenant_network_types = vxlan,vlan
mechanism_drivers = ml2_h3c
extension_drivers = ml2_extension_h3c,qos
[ml2_type_vlan]
network_vlan_ranges = physicnet1:1000:2999,port_security
[ml2_type_vxlan]
vni_ranges = 1:500
c. Press Esc to quit insert mode, and enter :wq to exit the vi editor and save the ml2_conf.ini
file.
4. Modify the neutron.conf configuration file and add plug-ins configuration items.
a. Use the vi editor to open the neutron.conf configuration file.
[root@localhost ~]# vi /etc/kolla/neutron-server/neutron.conf
b. Press I to switch to the insert mode. Retain the existing configuration and add configuration
as follows:
[SDNCONTROLLER]
url = http://127.0.0.1:10080
username = admin
password = admin@123
domain = sdn
timeout = 1800
retry = 10
vif_type = ovs
vhostuser_mode = server
white_list = False
use_neutron_credential = False
output_json_log = False
vendor_rpc_topic = VENDOR_PLUGIN
hierarchical_port_binding_physicnets = ANY
hierarchical_port_binding_physicnets_prefix = physicnet
enable_dhcp_hierarchical_port_binding = False
enable_security_group = True
enable_https = False
neutron_plugin_ca_file =
neutron_plugin_cert_file =
neutron_plugin_key_file =
enable_iam_auth = False
enable_sdnc_rpc = False
sdnc_rpc_url = ws://127.0.0.1:1080
sdnc_rpc_ping_interval = 60
websocket_fragment_size = 102400
enable_l3_router_rpc_notify = False
qos_rx_limit_min = 0
cloud_region_name = default
c. Press Esc to quit insert mode, and enter :wq to exit the vi editor and save the neutron.conf
file.
5. If you have set the white_list parameter to True, perform the following tasks:
• Delete the username, password, and domain parameters in the ml2_conf_h3c.ini
  configuration file.
• Add an authentication-free user to the controller.
  − Enter the IP address of the host where the Neutron server resides.
  − Specify the role as Admin.
6. If you have set the use_neutron_credential parameter to True, perform the following steps:
a. Modify the neutron.conf configuration file.
# Use the vi editor to open the neutron.conf configuration file.
# Press I to switch to insert mode, and add the following configuration. For information about
the parameters, see "neutron.conf."
[keystone_authtoken]
admin_user = neutron
admin_password = 123456
# Press Esc to quit insert mode, and enter :wq to exit the vi editor and save the
neutron.conf file.
b. Add an admin user to the controller.
# Configure the username as neutron.
# Specify the role as Admin.
# Enter the password of the neutron user in OpenStack.
7. Copy the plug-ins installation package to the neutron_server container.
[root@localhost ~]# docker cp SeerEngine_DC_PLUGIN-D3601_ocata_2017.1-py2.7.egg neutron_server:/
8. Access the neutron_server container and install the plug-ins installation package.
[root@localhost ~]# neutron_server_image=$(docker ps --format {{.Image}} --filter name=neutron_server)
[root@localhost ~]# docker exec -it -u root neutron_server bash
[root@localhost ~]# easy_install SeerEngine_DC_PLUGIN-E3608-py2.7.egg
[root@localhost ~]# h3c-vcfplugin controller install
NOTE:
An error might be reported when the h3c-vcfplugin controller install command is
executed. Just ignore it.
9. Create neutron-server container images.
[root@localhost ~]# neutron_server_image=$(docker ps --format {{.Image}} --filter name=neutron_server)
[root@localhost ~]# docker commit neutron_server kolla/neutron-server-h3c
[root@localhost ~]# docker rm -f neutron_server
[root@localhost ~]# docker tag $neutron_server_image kolla/neutron-server-origin
[root@localhost ~]# docker rmi $neutron_server_image
[root@localhost ~]# docker tag kolla/neutron-server-h3c $neutron_server_image
[root@localhost ~]# docker rmi kolla/neutron-server-h3c
10. Copy the neutron-server configuration to the h3c-agent directory and modify the
configuration.
[root@localhost ~]# cp -pR /etc/kolla/neutron-server /etc/kolla/h3c-agent
[root@localhost ~]# sed -i 's/neutron-server/h3c-agent/g' /etc/kolla/h3c-agent/config.json
11. Start the neutron-server container.
[root@localhost ~]# source docker-neutron-server.sh
12. View the startup status of the containers. If their status is Up, they have been started up
correctly.
[root@localhost ~]# docker ps --filter "name=neutron_server"
CONTAINER ID   IMAGE                                      COMMAND                  CREATED         STATUS         PORTS   NAMES
289e4e132a9b   kolla/centos-source-neutron-server:ocata   "dumb-init --single-?    1 minutes ago   Up 1 minutes           neutron_server
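Two rules from the IMPORTANT notes in step 2 fail silently if missed: a service type may have its service_provider configured only once across the files in /etc/kolla/neutron-server/, and the database connection must use mysql+pymysql://. The following check is an added example, not H3C code; the function names are illustrative, and the fwaas_driver.ini driver value and database URL in the sample are constructed.

```python
"""Pre-start check of the neutron-server config directory for two rules in this guide."""
import glob
import os
from collections import defaultdict


def parse_ini(text):
    """Yield (section, key, value) for every key=value line, duplicates included.

    configparser keeps only the last of several identical keys, and neutron.conf
    legitimately repeats service_provider, so the lines are walked by hand.
    """
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        if sep:
            yield section, key.strip().lower(), value.strip()


def check_config_files(files):
    """files maps file name -> file text. Returns a list of (code, detail)."""
    providers = defaultdict(list)  # service type -> files that set a provider for it
    findings = []
    for name in sorted(files):
        for section, key, value in parse_ini(files[name]):
            if section == "service_providers" and key == "service_provider":
                service_type = value.split(":", 1)[0].strip().upper()
                providers[service_type].append(name)
            elif section == "database" and key == "connection":
                # Per the guide, mysql:// breaks QoS; mysql+pymysql:// is required.
                if value.lower().startswith("mysql://"):
                    findings.append(("DB_DRIVER", name))
    for service_type in sorted(providers):
        where = providers[service_type]
        if len(where) > 1:
            findings.append(("DUP_PROVIDER", "%s: %s" % (service_type, ", ".join(where))))
    return findings


def load_config_dir(path="/etc/kolla/neutron-server"):
    """Read every *.conf and *.ini file in the directory into the dict form above."""
    files = {}
    for pattern in ("*.conf", "*.ini"):
        for full in glob.glob(os.path.join(path, pattern)):
            with open(full, encoding="utf-8") as handle:
                files[os.path.basename(full)] = handle.read()
    return files


# Constructed sample. The neutron.conf provider lines follow the Ocata block in
# step 2; the fwaas_driver.ini value and the database URL are placeholders.
SAMPLE_FILES = {
    "neutron.conf": """\
[DEFAULT]
core_plugin = ml2
[service_providers]
service_provider=FIREWALL:H3C:h3c_vcfplugin.fw.h3c_fwplugin_driver.H3CFwaasDriver:default
service_provider=VPN:H3C:h3c_vcfplugin.vpn.h3c_vpnplugin_driver.H3CVpnPluginDriver:default
[database]
connection = mysql://neutron:PLACEHOLDER@db.example/neutron
""",
    "fwaas_driver.ini": """\
[service_providers]
service_provider = FIREWALL:Example:example.module.ExampleDriver:default
""",
}

if __name__ == "__main__":
    for code, detail in check_config_files(SAMPLE_FILES):
        print(code, detail)
```

On the control node, pass `load_config_dir()` to `check_config_files()` before step 11 starts the container.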
Parameters and fields
This section describes parameters in configuration files and fields included in parameters.
neutron.conf
core_plugin
    Required value: ml2
    Description: Used for loading the core plug-in ml2 to OpenStack.
service_plugins
    Required value: h3c_vcfplugin.l3_router.h3c_l3_router_plugin.H3CL3RouterPlugin,firewall,lbaas,vpnaas
    Description: Used for loading the extension plug-ins to OpenStack.
    For the Kilo, Mitaka, Pike, and Queens plug-ins, if deployment of firewall policies
    and rules takes a long time, you can change firewall in the value to fwaas_h3c.
service_provider
    Required value:
    • FIREWALL:H3C:h3c_vcfplugin.fw.h3c_fwplugin_driver.H3CFwaasDriver:default
    • LOADBALANCER:H3C:h3c_vcfplugin.lb.h3c_lbplugin_driver.H3CLbaasPluginDriver:default
    • VPN:H3C:h3c_vcfplugin.vpn.h3c_vpnplugin_driver.H3CVpnPluginDriver:default
    Description: Directory where the extension plug-ins are saved.
notification_drivers
    Required value: message_queue,qos_h3c
    Description: Name of the QoS notification driver.
admin_user
    Required value: N/A
    Description: Admin username for Keystone authentication in OpenStack, for example,
    neutron.
admin_password
    Required value: N/A
    Description: Admin password for Keystone authentication in OpenStack, for example,
    123456.
ml2_conf.ini
type_drivers
    Required value: vxlan,vlan
    Description: Driver type.
    vxlan must be specified as the first driver type.
tenant_network_types
    Required value: vxlan,vlan
    Description: Type of the networks to which the tenants belong.
    vxlan must be specified as the first driver type.
    For intranet, only vxlan is available.
    For extranet, only vlan is available.
mechanism_drivers
    Required value: ml2_h3c
    Description: Name of the ml2 driver.
    To create SR-IOV instances for VLAN networks, set this parameter to
    sriovnicswitch, ml2_h3c.
    To create hierarchy-supported instances, set this parameter to ml2_h3c,openvswitch.
extension_drivers
    Required value: ml2_extension_h3c,qos
    Description: Names of the ml2 extension drivers. Available names include
    ml2_extension_h3c, qos, and port_security. If the QoS feature is not enabled on
    OpenStack, you do not need to specify the value qos for this parameter. To not
    enable port security on OpenStack, you do not need to specify the port_security
    value for this parameter (The Ocata 2017.1 plug-ins do not support the
    port_security value.)
    Kilo 2015.1 plug-ins do not support the QoS driver.
network_vlan_ranges
    Required value: N/A
    Description: Value range for the VLAN ID of the extranet, for example,
    physicnet1:1000:2999.
vni_ranges
    Required value: N/A
    Description: Value range for the VXLAN ID of the intranet, for example, 1:500.

ml2_conf_h3c.ini
Each parameter is followed by its description.
url
    URL address for logging in to SNA Center, for example, http://127.0.0.1:10080.
username
    Username for logging in to SNA Center, for example, admin. You do not need to
    configure a username when the use_neutron_credential parameter is set to True.
password
    Password for logging in to SNA Center, for example, admin@123. You do not need to
    configure a password when the use_neutron_credential parameter is set to True.
domain
    Name of the domain where the controller resides, for example, sdn.
timeout
    The amount of time that the Neutron server waits for a response from the
    controller in seconds, for example, 1800 seconds.
    As a best practice, set the waiting time greater than or equal to 1800 seconds.
retry
    Maximum times for sending connection requests from the Neutron server to the
    controller, for example, 10.
vif_type
    Default vNIC type:
    • ovs
    • vhostuser (applied to the OVS DPDK solution)
    You can set the vhostuser_mode parameter when the value of this parameter is
    vhostuser.
    Only the Pike plug-in supports this parameter.
vhostuser_mode
    Default DPDK vHost-user mode:
    • server
    • client
    The default value is server.
    This setting takes effect only when the value of the vif_type parameter is
    vhostuser.
white_list
    Whether to enable or disable the authentication-free user feature on OpenStack.
    • True: Enable.
    • False: Disable.
use_neutron_credential
    Whether to use the OpenStack Neutron username and password to communicate with
    the controller.
    • True: Use.
    • False: Do not use.
output_json_log
    Whether to output REST API messages to the OpenStack operating logs in JSON format
    for communication between the SeerEngine-DC Neutron plug-ins and the controller.
    • True: Enable.
    • False: Disable.
vendor_rpc_topic
    RPC topic of the vendor. This parameter is required when the vendor needs to
    obtain Neutron data from the SeerEngine-DC Neutron plug-ins. The available values
    are as follows:
    • VENDOR_PLUGIN: Default value, which means that the parameter does not take
      effect.
    • DP_PLUGIN: RPC topic of DPtech.
    The value of this parameter must be negotiated by the vendor and H3C.
hierarchical_port_binding_physicnets
    Policy for OpenStack to select a physical VLAN when performing hierarchical port
    binding. The default value is ANY.
    • ANY: A VLAN is selected from all physical VLANs for VLAN ID assignment.
    • PREFIX: A VLAN is selected from all physical VLANs matching the specified
      prefix for VLAN ID assignment.
hierarchical_port_binding_physicnets_prefix
    Prefix for matching physical VLANs. The default value is physicnet. This
    parameter is available only when you set the value of the
    hierarchical_port_binding_physicnets parameter to PREFIX.
enable_dhcp_hierarchical_port_binding
    Whether to enable DHCP hierarchical port binding. The default value is False.
    • True: Enable.
    • False: Disable.
    Only the Pike plug-in supports this parameter.
enable_security_group
    Whether to deploy OpenStack security group rules to the SeerEngine-DC controller.
    The default value is False.
enable_https
    Whether to enable HTTPS bidirectional authentication. The default value is False.
    • True: Enable.
    • False: Disable.
    Only the Pike plug-in supports this parameter.
neutron_plugin_ca_file
    Save location for the CA certificate of the controller. As a best practice, save
    the CA certificate in the /usr/share/neutron directory.
    Only the Pike plug-in supports this parameter.
neutron_plugin_cert_file
    Save location for the Cert certificate of the controller. As a best practice,
    save the Cert certificate in the /usr/share/neutron directory.
    Only the Pike plug-in supports this parameter.
neutron_plugin_key_file
    Save location for the Key certificate of the controller. As a best practice, save
    the Cert certificate in the /usr/share/neutron directory.
    Only the Pike plug-in supports this parameter.
enable_iam_auth
    Whether to enable IAM interface authentication.
    • True: Enable.
    • False: Disable.
    When connecting to SNA Center, you can set the value to True to use the IAM
    interface for authentication.
    The default value is False.
    Only the Mitaka and Newton plug-ins support this parameter.
enable_sdnc_rpc
    Whether to enable RPC connection between the plug-ins and the controller in the
    DHCP fail-safe scenario.
    The default value is False.
sdnc_rpc_url
    RPC interface URL of the controller. Only a WebSocket type interface is supported.
    The default value is ws://127.0.0.1:1080.
sdnc_rpc_ping_interval
    Interval at which an RPC ICMP echo request message is sent to the controller, in
    seconds.
    The default value is 60 seconds.
websocket_fragment_size
    Size of a WebSocket fragment sent from the plug-in to the controller in the DHCP
    fail-safe scenario, in bytes.
    The value is an integer equal to or larger than 1024. The default value is 1024.
    If the value is 1024, the message is not fragmented.
enable_l3_router_rpc_notify
    Whether to enable or disable the feature of sending Layer 3 routing events
    through RPC.
    • True: Enable.
    • False: Disable.
qos_rx_limit_min
    Minimum inbound bandwidth, in kbps. If the QoS minimum inbound bandwidth
    configured on OpenStack is smaller than this parameter value, this parameter
    value takes effect.
    Only the Kilo 2015.1 plug-in supports this parameter.
cloud_region_name
    Name of the cloud platform. String type. The default value is default. Make sure
    the value of this parameter is the same as the cloud platform name configured on
    the Virtual Networking > OpenStack page on SeerEngine-DC.
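The parameter rules above can be checked mechanically before the container is started. The following auditor for the [SDNCONTROLLER] block is an added example, not H3C code: the function name and finding codes are illustrative, the embedded sample is an abridged copy of the block shown in step 4, and treating a non-https url as a finding is this example's own assumption. Pass section="SEC_SDNCONTROLLER" to check the security plug-in block the same way.

```python
"""Audit the [SDNCONTROLLER] block of neutron.conf against this guide's parameter rules."""
import configparser
from urllib.parse import urlsplit

# Example passwords printed in this guide; one of them in a live file means the
# sample block was pasted unchanged.
GUIDE_SAMPLE_PASSWORDS = {"admin@123", "123456", "skyline"}
CERT_OPTIONS = ("neutron_plugin_ca_file", "neutron_plugin_cert_file",
                "neutron_plugin_key_file")


def audit_sdncontroller(conf_text, section="SDNCONTROLLER"):
    """Return a list of (code, message) findings, in the order the checks run."""
    # strict=False: neutron.conf repeats service_provider, which the strict parser rejects.
    # interpolation=None: a '%' in a password must not be read as a reference.
    cfg = configparser.ConfigParser(strict=False, interpolation=None)
    cfg.read_string(conf_text)
    if not cfg.has_section(section):
        return [("NO_SECTION", "[%s] not found" % section)]

    def value(option, sect=section):
        return cfg.get(sect, option, fallback="").strip()

    def enabled(option):
        return value(option).lower() == "true"

    def below(option, minimum):
        """True when the option is present but is not an integer >= minimum."""
        if not cfg.has_option(section, option):
            return False
        try:
            return int(value(option)) < minimum
        except ValueError:
            return True

    findings = []
    if urlsplit(value("url")).scheme.lower() != "https":
        findings.append(("CLEARTEXT_URL",
                         "url is not https, so the controller login is sent unencrypted"))
    if enabled("enable_https"):
        empty = [o for o in CERT_OPTIONS if not value(o)]
        if empty:
            findings.append(("HTTPS_NO_CERTS",
                             "enable_https = True but unset: " + ", ".join(empty)))
    if value("password") in GUIDE_SAMPLE_PASSWORDS:
        findings.append(("SAMPLE_PASSWORD", "password is an example value from the guide"))
    if enabled("white_list"):
        left = [o for o in ("username", "password", "domain")
                if cfg.has_option(section, o)]
        if left:
            findings.append(("WHITELIST_CREDS",
                             "white_list = True but still present: " + ", ".join(left)))
    if enabled("use_neutron_credential"):
        missing = [o for o in ("admin_user", "admin_password")
                   if not value(o, "keystone_authtoken")]
        if missing:
            findings.append(("NEUTRON_CRED_MISSING",
                             "[keystone_authtoken] lacks: " + ", ".join(missing)))
    if below("timeout", 1800):
        findings.append(("TIMEOUT_LOW", "timeout is under the 1800 s best practice"))
    if below("websocket_fragment_size", 1024):
        findings.append(("FRAGMENT_SIZE", "websocket_fragment_size must be >= 1024"))
    return findings


# Abridged copy of the sample block from step 4 of the installation procedure.
PAGE_SAMPLE = """\
[SDNCONTROLLER]
url = http://127.0.0.1:10080
username = admin
password = admin@123
domain = sdn
timeout = 1800
retry = 10
white_list = False
use_neutron_credential = False
enable_https = False
neutron_plugin_ca_file =
neutron_plugin_cert_file =
neutron_plugin_key_file =
websocket_fragment_size = 102400
cloud_region_name = default
"""

if __name__ == "__main__":
    for code, message in audit_sdncontroller(PAGE_SAMPLE):
        print(code, "-", message)
```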
Upgrading the SeerEngine-DC Neutron plug-ins
CAUTION:
• Services might be interrupted during the SeerEngine-DC Neutron plug-ins upgrade procedure.
  Make sure you understand the impact of the upgrade before performing it on a live network.
• The plug-ins settings will not be restored automatically after an upgrade in the Kolla environment.
  Before an upgrade, back up the settings in the /etc/kolla/neutron-server/neutron.conf and
  /etc/kolla/neutron-server/ml2_conf.ini configuration files. After the upgrade, modify the
  parameter settings according to the configuration files to ensure configuration consistency before
  and after the upgrade.
To upgrade the SeerEngine-DC Neutron plug-ins, just install the new version of the plug-ins. For
information about installing the SeerEngine-DC Neutron plug-ins, see "Installing the SeerEngine-DC
Neutron plug-ins."
Installing the SeerEngine-DC Neutron security plug-in on OpenStack
The SeerEngine-DC Neutron security plug-in can be installed on multiple versions of OpenStack.
This section uses OpenStack Pike as an example to describe the security plug-in installation.
The SeerEngine-DC Neutron security plug-in is installed on the OpenStack controller node. Before
installation, set up the base environment on the node.
Installing the security plug-in on the controller node
Obtaining the installation package
Obtain and copy the security plug-in installation package of the required version to the target
installation directory on the server or virtual machine.
Alternatively, transfer the installation package to the target installation directory through a file transfer
protocol such as FTP, TFTP, or SCP.

IMPORTANT:
To avoid damaging the installation packages, select binary mode if you are to transfer the package
through FTP or TFTP.
Installing the security plug-in on the OpenStack controller node
1. Generate startup scripts for the neutron-server and h3c-sec-agent containers.
[root@localhost ~]# runlike neutron_server>docker-neutron-server.sh
[root@localhost ~]# cp docker-neutron-server.sh docker-h3c-sec-agent.sh
[root@localhost ~]# sed -i 's/neutron-server/h3c-sec-agent/g' docker-h3c-sec-agent.sh
[root@localhost ~]# sed -i 's/neutron_server/h3c_sec_agent/g' docker-h3c-sec-agent.sh
2. Edit the neutron.conf configuration file.
a. Use the vi editor to open the neutron.conf configuration file.
[root@localhost ~]# sudo vi /etc/kolla/neutron-server/neutron.conf
b. Press I to switch to the insert mode, and then edit the configuration file. For more
information about the parameters, see "Parameters and fields."
For the Pike and Rocky plug-ins, edit the neutron.conf configuration file as follows:
[DEFAULT]
service_plugins = firewall,lbaasv2,vpnaas
[service_providers]
service_provider=FIREWALL:H3C:networking_sec_h3c.fw.h3c_fwplugin_driver.H3CFwaasDriver:default
service_provider=LOADBALANCERV2:H3C:networking_sec_h3c.lb.h3c_lbplugin_driver_v2.H3CLbaasv2PluginDriver:default
service_provider=VPN:H3C:networking_sec_h3c.vpn.h3c_vpnplugin_driver.H3CVpnPluginDriver:default
IMPORTANT:
For the Pike plug-ins, when the load balancer supports multiple resource pools of the
Context type, you must preprovision a resource pool named dmz or core on the controller,
and then change the value of the service provider parameter to
LOADBALANCERV2:DMZ:networking_sec_h3c.lb.h3c_lbplugin_driver_v2.H3CLbaasv2PluginDMZDriver:default
or
LOADBALANCERV2:CORE:networking_sec_h3c.lb.h3c_lbplugin_driver_v2.H3CLbaasv2PluginDMZDriver:default
accordingly.
For the Ocata plug-ins, edit the configuration file as follows:
[DEFAULT]
service_plugins = firewall,neutron_lbaas.services.loadbalancer.plugin.LoadBalancerPluginv2,vpnaas
[service_providers]
service_provider=FIREWALL:H3C:networking_sec_h3c.fw.h3c_fwplugin_driver.H3CFwaasDriver:default
service_provider=LOADBALANCERV2:H3C:networking_sec_h3c.lb.h3c_lbplugin_driver_v2.H3CLbaasPluginDriver:default
service_provider=VPN:H3C:networking_sec_h3c.vpn.h3c_vpnplugin_ko_driver.H3CVpnPluginDriver:default
IMPORTANT:
The service_provider parameter value for the VPN services is different between the Pike
and Rocky plug-ins and the Ocata plug-ins. Be clear about the differences.
c. Press Esc to quit the insert mode, and enter :wq to exit the vi editor and save the
neutron.conf file.
3. Edit the ml2_conf.ini configuration file.
a. Use the vi editor to open the ml2_conf.ini configuration file.
[root@localhost ~]# vi /etc/kolla/neutron-server/ml2_conf.ini
b. Press I to switch to the insert mode and configure the parameters in the configuration file as
follows. For more information about the parameters, see "Parameters and fields."
[ml2]
type_drivers = vxlan,vlan
tenant_network_types = vxlan,vlan
mechanism_drivers = ml2_h3c
extension_drivers = ml2_extension_h3c,qos,port_security
[ml2_type_vlan]
network_vlan_ranges = physicnet1:1000:2999
[ml2_type_vxlan]
vni_ranges = 1:500
c. Press Esc to quit insert mode, and enter :wq to exit the vi editor and save the file.
4. Edit the neutron.conf configuration file.
a. Use the vi editor to open the neutron.conf configuration file.
[root@localhost ~]# vi /etc/kolla/neutron-server/neutron.conf
b. Press I to switch to the insert mode, and then edit the configuration file. For more
information about the parameters, see "Parameters and fields."
[SEC_SDNCONTROLLER]
url = https://127.0.0.1:10443
username = sdn
password = skyline
domain = sdn
timeout = 1800
retry = 10
white_list = False
firewall_type = CGSR
fw_share_by_tenant = False
lb_type = CGSR
resource_mode = CORE_GATEWAY
resource_share_count = 1
auto_create_resource = True
nfv_ha = True
use_neutron_credential = False
firewall_force_audit = False
sec_output_json_log = False
lb_enable_snat = False
vendor_rpc_topic = VENDOR_PLUGIN
enable_https = False
neutron_plugin_ca_file =
neutron_plugin_cert_file =
neutron_plugin_key_file =
cgsr_fw_context_limit = 0
force_vip_port_device_owner_none = False
enable_iam_auth = False
enable_firewall_metadata = False
lb_member_slow_shutdown = False
enable_multi_gateways = False
enable_multi_segments = False
tenant_gateway_name = None
tenant_gw_selection_strategy = match_first
enable_router_nat_without_firewall = False
directly_external = OFF
directly_external_suffix = DMZ
sec_agent_enable = True
lb_resource_mode = SP
enable_lb_xff = False
5. If you have set the white_list parameter to True, perform the following tasks:
• Delete the username, password, and domain parameters for SEC_SDNCONTROLLER
  in the ml2_sec_conf_h3c.ini configuration file.
• Add an authentication-free user to the controller.
  − Enter the IP address of the host where the Neutron server resides.
  − Specify the role as Admin.
6. If you have set the use_neutron_credential parameter to True, perform the following steps:
a. Modify the neutron.conf configuration file.
# Use the vi editor to open the neutron.conf configuration file.
# Press I to switch to insert mode, and add the following configuration. For information about
the parameters, see "neutron.conf."
[keystone_authtoken]
admin_user = neutron
admin_password = 123456
# Press Esc to quit insert mode, and enter :wq to exit the vi editor and save the
neutron.conf file.
b. Add an admin user to the controller.
# Configure the username as neutron.
# Specify the role as Admin.
# Enter the password of the neutron user in OpenStack.
7. Copy the installation package to the neutron_server container.
[root@localhost ~]# docker cp SeerEngine_DC_SEC_PLUGIN-E3603P01-py2.7.egg neutron_server:/
8. Install the package.
[root@localhost ~]# docker exec -it -u root neutron_server bash
[root@localhost ~]# easy_install SeerEngine_DC_SEC_PLUGIN-E3603P01-py2.7.egg
[root@localhost ~]# h3c-sdnplugin controller install