How to Configure OpenStack Network to Enable Access to OpenStack Instances

This tutorial will guide you on how you can configure OpenStack networking service in order to allow access from external networks to OpenStack instances.

Modify Network Interface Configuration.

First, create an OVS bridge and modify the physical network interface so that it is bound as a port on the OVS bridge.

Navigate to the network interface scripts directory and use the physical interface's configuration as a template for the OVS bridge interface by issuing the following commands:

cd /etc/sysconfig/network-scripts/

Backup existing network config

cp ifcfg-enp5s0 ifcfg-enp5s0.bak

Copy existing network config to create bridge

cp ifcfg-enp5s0 ifcfg-br-ex

Next, edit and modify the bridge interface (br-ex) using a text editor as illustrated below:

nano ifcfg-br-ex

Here is what it looks like:

DEVICE=br-ex
DEVICETYPE=ovs
TYPE=OVSBridge
BOOTPROTO=static
IPADDR=192.168.0.211
NETMASK=255.255.255.0
GATEWAY=192.168.0.1
DNS1=1.1.1.1
ONBOOT=yes


Do the same with the physical interface (ifcfg-enp5s0), but make sure it looks like this (no BOOTPROTO!):

[root@host network-scripts]# cat ifcfg-enp5s0
DEVICE=enp5s0
TYPE=OVSPort
DEVICETYPE=ovs
OVS_BRIDGE=br-ex
ONBOOT=yes

Important: While editing the interface files, make sure you replace the physical interface name, IPs and DNS servers accordingly.

Finally, after you’ve edited both network interface files, reboot and verify the new configuration using the ip command.
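A mistake in either file leaves the host unreachable after the reboot, so it helps to check the pair first. The following is an added example, not part of the original tutorial: check_ovs_pair and get_key are hypothetical helper names, and the rules encode only what this page states (the address lives on br-ex, the physical port carries no BOOTPROTO or IP settings).

```shell
#!/bin/sh
# Added example: lint the two ifcfg files from this tutorial before rebooting.

# get_key FILE KEY -> prints the value of KEY=... (last occurrence), empty if absent
get_key() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d '"'
}

# check_ovs_pair DIR PHYS BRIDGE -> 0 if the pair is consistent, 1 otherwise
# (each problem found is reported on stderr)
check_ovs_pair() {
    dir=$1 phys=$2 br=$3 rc=0
    pf="$dir/ifcfg-$phys"
    bf="$dir/ifcfg-$br"
    for f in "$pf" "$bf"; do
        [ -r "$f" ] || { echo "missing $f" >&2; return 1; }
    done
    expect() {  # expect FILE KEY VALUE
        v=$(get_key "$1" "$2")
        [ "$v" = "$3" ] || { echo "$1: $2='$v', expected '$3'" >&2; rc=1; }
    }
    # Bridge side: an OVS bridge that comes up at boot.
    expect "$bf" DEVICE "$br"
    expect "$bf" TYPE OVSBridge
    expect "$bf" DEVICETYPE ovs
    expect "$bf" ONBOOT yes
    # Port side: an OVS port attached to that bridge.
    expect "$pf" DEVICE "$phys"
    expect "$pf" TYPE OVSPort
    expect "$pf" DEVICETYPE ovs
    expect "$pf" OVS_BRIDGE "$br"
    expect "$pf" ONBOOT yes
    # The address must live on the bridge, not on the port.
    [ -n "$(get_key "$bf" IPADDR)" ] || { echo "$bf: no IPADDR" >&2; rc=1; }
    for k in BOOTPROTO IPADDR NETMASK GATEWAY; do
        [ -z "$(get_key "$pf" "$k")" ] || { echo "$pf: $k must not be set" >&2; rc=1; }
    done
    return $rc
}

# Usage on the host from this page:
#   check_ovs_pair /etc/sysconfig/network-scripts enp5s0 br-ex && reboot
```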

reboot

If you are connected via ssh, you will be disconnected. Start a new ssh session. Check the config:

ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp5s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master ovs-system state UP group default qlen 1000
    link/ether 8c:89:a5:17:1b:e5 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::8e89:a5ff:fe17:1be5/64 scope link
       valid_lft forever preferred_lft forever
3: ovs-system: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 6a:ac:54:9b:2f:fc brd ff:ff:ff:ff:ff:ff
4: br-int: <BROADCAST,MULTICAST> mtu 1442 qdisc noop state DOWN group default qlen 1000
    link/ether fe:f9:9a:3e:3b:44 brd ff:ff:ff:ff:ff:ff
5: br-ex: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ether 8c:89:a5:17:1b:e5 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.211/24 brd 192.168.0.255 scope global br-ex
       valid_lft forever preferred_lft forever
    inet6 2603:8081:2300:476d:8e89:a5ff:fe17:1be5/64 scope global mngtmpaddr dynamic
       valid_lft 351364sec preferred_lft 351364sec
    inet6 fe80::cc94:93ff:fe71:f243/64 scope link
       valid_lft forever preferred_lft forever

Now, create the external network with Neutron.

. keystonerc_admin
neutron net-create external_network --provider:network_type flat --provider:physical_network extnet --router:external

Please note: “extnet” is the L2 segment we defined with --os-neutron-ovs-bridge-mappings above.

You need to create a public subnet with an allocation range outside of your external DHCP range and set the gateway to the default gateway of the external network.

Please note: 192.168.0.1/24 is the router and CIDR we defined in /etc/sysconfig/network-scripts/ifcfg-br-ex for external connectivity.

neutron subnet-create --name public_subnet --enable_dhcp=False --allocation-pool=start=192.168.0.10,end=192.168.0.20 --gateway=192.168.0.1 external_network 192.168.0.0/24

Get a CirrOS image, since none is provisioned when demo provisioning is disabled:

curl -L http://download.cirros-cloud.net/0.3.4/cirros-0.3.4-x86_64-disk.img | glance \
image-create --name='cirros image' --visibility=public --container-format=bare --disk-format=qcow2
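The pipe above streams the image over plain HTTP straight into Glance as a public image, so nothing checks its contents before every project can boot it. The following added example (not part of the original tutorial) downloads to disk, compares a SHA-256 digest and only then uploads; the function names are hypothetical and the expected digest is a placeholder you must obtain from a source you trust.

```shell
#!/bin/sh
# Added example: download to disk, verify the digest, then upload to Glance.

# sha256_of FILE -> prints the lowercase hex SHA-256 digest of FILE
sha256_of() {
    sha256sum "$1" | awk '{print $1}'
}

# verify_image FILE EXPECTED_SHA256 -> 0 only if FILE is non-empty and matches
verify_image() {
    [ -s "$1" ] || { echo "empty or missing: $1" >&2; return 1; }
    actual=$(sha256_of "$1")
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')   # accept upper-case digests
    [ "$actual" = "$expected" ] || {
        echo "digest mismatch for $1: got $actual" >&2
        return 1
    }
}

# fetch_verify_upload URL EXPECTED_SHA256 NAME
# Uploads with the same options as the command on this page, but only after
# the downloaded file has passed verify_image.
fetch_verify_upload() {
    tmp=$(mktemp) || return 1
    if curl -fsSL -o "$tmp" "$1" && verify_image "$tmp" "$2"; then
        glance image-create --name="$3" --visibility=public \
            --container-format=bare --disk-format=qcow2 --file "$tmp"
        rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Usage (digest is a placeholder, not a real value):
#   fetch_verify_upload \
#     http://download.cirros-cloud.net/0.3.4/cirros-0.3.4-x86_64-disk.img \
#     '<EXPECTED_SHA256>' 'cirros image'
```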

That’s all you need to do from the admin perspective to allow your users to connect their private networks to the outside world. Now let’s switch to the user.

You haven’t created a user yet, so create one now. This is optional.

openstack project create --enable internal
openstack user create --project internal --password foo --email bar@corp.com --enable internal

Now, let's switch to the newly created user:

export OS_USERNAME=internal
export OS_TENANT_NAME=internal
export OS_PASSWORD=foo

Then create a router and set its gateway using the external network created by the admin in one of the previous steps:

neutron router-create router1
neutron router-gateway-set router1 external_network

Now create a private network and a subnet in it, since demo provisioning has been disabled:

neutron net-create private_network

neutron subnet-create --name private_subnet private_network 192.168.100.0/24

Finally, connect your new private network to the public network through the router, which will provide floating IP addresses.

neutron router-interface-add router1 private_subnet

The easiest way to work with the network and to launch instances is via Horizon, which was set up by packstack.
