Openstack – Configure Network Service (neutron-controller) – Part 6

Openstack provides two options for networking. The default network type is nova-network which enables the basic networking for the instances.  Nova-network has limitation and it can support only one network  per instance.  The advanced networking option can be obtained using Openstack neutron service.  It supports plug-ins and provides the different networking equipment and software, providing flexibility to OpenStack architecture and deployment. So that tenant can setup the multi-tier applications  within the openstack private cloud.

Neutron includes the following components,

Openstack Neutron
Openstack Neutron


Have a look at the below diagram to know that how the L2 , L3 and Meta Data proxy agents are communicating to the API node (Controller Node).

Neutron Openstack
Neutron Openstack


Let’s configure the Neutron for our environment.

  • Install & Configure Neutron Related services on Controller Node (We Are here)
  • Install & Configure Neutron Related services for Network Node
  • Install & Configure Neutron Related Services for Compute Node


Refer the password Database here before continuing this article.


Neutron Related configuration on  Controller Node:

1.Login to the controller node .


2. Create the Database tables for Neutron .

root@OSCTRL-UA:~# mysql -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 452
Server version: 5.5.44-0ubuntu0.14.04.1 (Ubuntu)

Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> CREATE DATABASE neutron;
Query OK, 1 row affected (0.02 sec)

mysql> GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'localhost' IDENTIFIED BY 'neutrondb123';
Query OK, 0 rows affected (0.08 sec)

mysql> GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'%' IDENTIFIED BY 'neutrondb123';
Query OK, 0 rows affected (0.00 sec)

mysql> quit


Note: My Neutron Database password has been set as “neutrondb123”.


3. Source the admin.rc file. If you do not have , just create a one like below.

root@OSCTRL-UA:~# cat admin.rc
export OS_USERNAME=admin
export OS_PASSWORD=admin123
export OS_TENANT_NAME=admin
export OS_AUTH_URL=http://OSCTRL-UA:35357/v2.0
root@OSCTRL-UA:~# source admin.rc


4. Create the identity  service(keystone) credentials for neutron . Create the neutron user  with  password “neutron123”.

root@OSCTRL-UA:~# keystone user-create --name neutron --pass neutron123 --email
| Property |              Value               |
|  email   |       |
| enabled  |               True               |
|    id    | 4d7251244dfd49c889ee8a634fc83c90 |
|   name   |             neutron              |
| username |             neutron              |


5. Add the neutron user in to the admin role.

root@OSCTRL-UA:~# keystone user-role-add --user neutron --tenant service --role admin


6. Create the neutron service in keystone.

root@OSCTRL-UA:~# keystone service-create --name neutron --type network --description "OpenStack Networking"
|   Property  |              Value               |
| description |       OpenStack Networking       |
|   enabled   |               True               |
|      id     | 1d40c9c73ee64522a181bd6310efdf0b |
|     name    |             neutron              |
|     type    |             network              |


7. Create an endpoint service for neutron.

 root@OSCTRL-UA:~# keystone endpoint-create --service-id $(keystone service-list | awk '/ network / {print $2}') --publicurl http://OSCTRL-UA:9696 --adminurl http://OSCTRL-UA:9696 --internalurl http://OSCTRL-UA:9696
|   Property  |              Value               |
|   adminurl  |      http://OSCTRL-UA:9696       |
|      id     | 5f0dfb2bdbb7483fa2d6165cf4d86ccc |
| internalurl |      http://OSCTRL-UA:9696       |
|  publicurl  |      http://OSCTRL-UA:9696       |
|    region   |            regionOne             |
|  service_id | 1d40c9c73ee64522a181bd6310efdf0b |


8. Install the neutron related networking modules on controller node.

root@OSCTRL-UA:~# apt-get install neutron-server neutron-plugin-ml2
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  ipset libipset3 neutron-common python-jsonrpclib python-neutron
The following NEW packages will be installed:
  ipset libipset3 neutron-common neutron-plugin-ml2 neutron-server
  python-jsonrpclib python-neutron
0 upgraded, 7 newly installed, 0 to remove and 37 not upgraded.
Need to get 1,390 kB of archives.
After this operation, 13.1 MB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 trusty/main python-jsonrpclib all 0.1.3-1build1 [14.1 kB]
Get:2 trusty-updates/juno/main python-neutron all 1:2014.2.3-0ubuntu2~cloud0 [1,265 kB]
Get:3 trusty/universe libipset3 amd64 6.20.1-1 [50.8 kB]
Get:4 trusty/universe ipset amd64 6.20.1-1 [34.2 kB]
Get:5 trusty-updates/juno/main neutron-common all 1:2014.2.3-0ubuntu2~cloud0 [15.7 kB]
Get:6 trusty-updates/juno/main neutron-plugin-ml2 all 1:2014.2.3-0ubuntu2~cloud0 [6,870 B]
Get:7 trusty-updates/juno/main neutron-server all 1:2014.2.3-0ubuntu2~cloud0 [3,486 B]
Fetched 1,390 kB in 8s (167 kB/s)
Selecting previously unselected package python-jsonrpclib.
(Reading database ... 101633 files and directories currently installed.)
Preparing to unpack .../python-jsonrpclib_0.1.3-1build1_all.deb ...
Unpacking python-jsonrpclib (0.1.3-1build1) ...
Selecting previously unselected package libipset3:amd64.
Preparing to unpack .../libipset3_6.20.1-1_amd64.deb ...
Unpacking libipset3:amd64 (6.20.1-1) ...
Selecting previously unselected package ipset.
Preparing to unpack .../ipset_6.20.1-1_amd64.deb ...
Unpacking ipset (6.20.1-1) ...
Selecting previously unselected package python-neutron.
Preparing to unpack .../python-neutron_1%3a2014.2.3-0ubuntu2~cloud0_all.deb ...
Unpacking python-neutron (1:2014.2.3-0ubuntu2~cloud0) ...
Selecting previously unselected package neutron-common.
Preparing to unpack .../neutron-common_1%3a2014.2.3-0ubuntu2~cloud0_all.deb ...
Unpacking neutron-common (1:2014.2.3-0ubuntu2~cloud0) ...
Selecting previously unselected package neutron-plugin-ml2.
Preparing to unpack .../neutron-plugin-ml2_1%3a2014.2.3-0ubuntu2~cloud0_all.deb ...
Unpacking neutron-plugin-ml2 (1:2014.2.3-0ubuntu2~cloud0) ...
Selecting previously unselected package neutron-server.
Preparing to unpack .../neutron-server_1%3a2014.2.3-0ubuntu2~cloud0_all.deb ...
Unpacking neutron-server (1:2014.2.3-0ubuntu2~cloud0) ...
Processing triggers for man-db ( ...
Processing triggers for ureadahead (0.100.0-16) ...
Setting up python-jsonrpclib (0.1.3-1build1) ...
Setting up libipset3:amd64 (6.20.1-1) ...
Setting up ipset (6.20.1-1) ...
Setting up python-neutron (1:2014.2.3-0ubuntu2~cloud0) ...
Setting up neutron-common (1:2014.2.3-0ubuntu2~cloud0) ...
Adding system user `neutron' (UID 114) ...
Adding new user `neutron' (UID 114) with group `neutron' ...
Not creating home directory `/var/lib/neutron'.
Setting up neutron-plugin-ml2 (1:2014.2.3-0ubuntu2~cloud0) ...
Setting up neutron-server (1:2014.2.3-0ubuntu2~cloud0) ...
neutron-server start/running, process 4105
Processing triggers for libc-bin (2.19-0ubuntu6.6) ...
Processing triggers for ureadahead (0.100.0-16) ...


9. Edit the file “/etc/neutron/neutron.conf” like below. Here , we are just updating the database connection details, RabbitMQ & keystone configuration.

under [DEFAULT] tab, add the below line. (for Keystone & RabbitMQ)

auth_strategy = keystone
rpc_backend = neutron.openstack.common.rpc.impl_kombu
rabbit_host = OSCTRL-UA
rabbit_password = rabbit123


under “[keystone_authtoken]” add like below, (neutron’s user credentials )

auth_uri = http://OSCTRL-UA:5000
auth_host = OSCTRL-UA
auth_protocol = http
auth_port = 35357
admin_tenant_name = service
admin_user = neutron
admin_password = neutron123


under “[database]” , replace the existing database connection with line below.

connection = mysql://neutron:neutrondb123@OSCTRL-UA/neutron


10 . To notify compute node about the topology changes , we need to add the service tenant keys in /etc/neutron/neutron.conf. To get the service tenant keys, use the command below.

root@OSCTRL-UA:~# keystone tenant-get service
|   Property  |              Value               |
| description |          Service Tenant          |
|   enabled   |               True               |
|      id     | 332f6865332b45aa9cf0d79aacd1ae3b |
|     name    |             service              |


Edit the “/etc/neutron/neutron.conf” & add the following keys under [DEFAULT] tab.

notify_nova_on_port_status_changes = True
notify_nova_on_port_data_changes = True
nova_url = http://OSCTRL-UA:8774/v2
nova_admin_username = nova
nova_admin_tenant_id = 332f6865332b45aa9cf0d79aacd1ae3b
nova_admin_password = nova123
nova_admin_auth_url = http://OSCTRL-UA:35357/v2.0


11. Edit the /etc/neutron/neutron.conf to add the Modular layer 2 (ML2) plugins.

core_plugin = ml2
service_plugins = router
allow_overlapping_ips = True

12. Set the “verbose = True ” under [DEFAULT] section.

verbose = True


13. Comment out any lines under “[service_providers]” section in /etc/neutron/neutron.conf.
14. Configuring Modular Layer 2 (ML2) plugin: Modular Layer 2 Plugin uses the Open vSwitch to build the virtual networking for the instances. OVS agent will be configured on the neutron node. Edit the ML2 configuration file “/etc/neutron/plugins/ml2/ml2_conf.ini like below.

Add the following keys to the [ml2] section:

type_drivers = flat,gre
tenant_network_types = gre
mechanism_drivers = openvswitch


Add the following key to the [ml2_type_gre] section:

tunnel_id_ranges = 1:1000


Add the [securitygroup] section and the following keys to it:

firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
enable_security_group = True


15. Edit the /etc/nova/nova.conf file to instruct to use the “Neutron Networking” instead of the default “Nova Networking”.

network_api_class =
neutron_url = http://OSCTRL-UA:9696
neutron_auth_strategy = keystone
neutron_admin_tenant_name = service
neutron_admin_username = neutron
neutron_admin_password = neutron123
neutron_admin_auth_url = http://OSCTRL-UA:35357/v2.0
linuxnet_interface_driver =
firewall_driver = nova.virt.firewall.NoopFirewallDriver
security_group_api = neutron


16. Finalize the installation by populating the database.

root@OSCTRL-UA:~# su -s /bin/sh -c "neutron-db-manage --config-file /etc/neutron/neutron.conf  --config-file /etc/neutron/plugins/ml2/ml2_conf.ini upgrade head" neutron
INFO  [alembic.migration] Context impl MySQLImpl.
INFO  [alembic.migration] Will assume non-transactional DDL.
INFO  [alembic.migration] Running upgrade None -> havana, havana_initial
INFO  [alembic.migration] Running upgrade havana -> e197124d4b9, add unique constraint to members
INFO  [alembic.migration] Running upgrade e197124d4b9 -> 1fcfc149aca4, Add a unique constraint on (agent_type, host) columns to prevent a race
condition when an agent entry is 'upserted'.
INFO  [alembic.migration] Running upgrade 1fcfc149aca4 -> 50e86cb2637a, nsx_mappings
INFO  [alembic.migration] Running upgrade 50e86cb2637a -> 1421183d533f, NSX DHCP/metadata support
INFO  [alembic.migration] Running upgrade 1421183d533f -> 3d3cb89d84ee, nsx_switch_mappings
INFO  [alembic.migration] Running upgrade 3d3cb89d84ee -> 4ca36cfc898c, nsx_router_mappings
INFO  [alembic.migration] Running upgrade 4ca36cfc898c -> 27cc183af192, ml2_vnic_type
INFO  [alembic.migration] Running upgrade 27cc183af192 -> 50d5ba354c23, ml2 binding:vif_details
INFO  [alembic.migration] Running upgrade 50d5ba354c23 -> 157a5d299379, ml2 binding:profile
INFO  [alembic.migration] Running upgrade 157a5d299379 -> 3d2585038b95, VMware NSX rebranding
INFO  [alembic.migration] Running upgrade 3d2585038b95 -> abc88c33f74f, lb stats
INFO  [alembic.migration] Running upgrade abc88c33f74f -> 1b2580001654, nsx_sec_group_mapping
INFO  [alembic.migration] Running upgrade 1b2580001654 -> e766b19a3bb, nuage_initial
INFO  [alembic.migration] Running upgrade e766b19a3bb -> 2eeaf963a447, floatingip_status
INFO  [alembic.migration] Running upgrade 2eeaf963a447 -> 492a106273f8, Brocade ML2 Mech. Driver
INFO  [alembic.migration] Running upgrade 492a106273f8 -> 24c7ea5160d7, Cisco CSR VPNaaS
INFO  [alembic.migration] Running upgrade 24c7ea5160d7 -> 81c553f3776c, bsn_consistencyhashes
INFO  [alembic.migration] Running upgrade 81c553f3776c -> 117643811bca, nec: delete old ofc mapping tables
INFO  [alembic.migration] Running upgrade 117643811bca -> 19180cf98af6, nsx_gw_devices
INFO  [alembic.migration] Running upgrade 19180cf98af6 -> 33dd0a9fa487, embrane_lbaas_driver
INFO  [alembic.migration] Running upgrade 33dd0a9fa487 -> 2447ad0e9585, Add IPv6 Subnet properties
INFO  [alembic.migration] Running upgrade 2447ad0e9585 -> 538732fa21e1, NEC Rename quantum_id to neutron_id
INFO  [alembic.migration] Running upgrade 538732fa21e1 -> 5ac1c354a051, n1kv segment allocs for cisco n1kv plugin
INFO  [alembic.migration] Running upgrade 5ac1c354a051 -> icehouse, icehouse
INFO  [alembic.migration] Running upgrade icehouse -> 54f7549a0e5f, set_not_null_peer_address
INFO  [alembic.migration] Running upgrade 54f7549a0e5f -> 1e5dd1d09b22, set_not_null_fields_lb_stats
INFO  [alembic.migration] Running upgrade 1e5dd1d09b22 -> b65aa907aec, set_length_of_protocol_field
INFO  [alembic.migration] Running upgrade b65aa907aec -> 33c3db036fe4, set_length_of_description_field_metering
INFO  [alembic.migration] Running upgrade 33c3db036fe4 -> 4eca4a84f08a, Remove ML2 Cisco Credentials DB
INFO  [alembic.migration] Running upgrade 4eca4a84f08a -> d06e871c0d5, set_admin_state_up_not_null_ml2
INFO  [alembic.migration] Running upgrade d06e871c0d5 -> 6be312499f9, set_not_null_vlan_id_cisco
INFO  [alembic.migration] Running upgrade 6be312499f9 -> 1b837a7125a9, Cisco APIC Mechanism Driver
INFO  [alembic.migration] Running upgrade 1b837a7125a9 -> 10cd28e692e9, nuage_extraroute
INFO  [alembic.migration] Running upgrade 10cd28e692e9 -> 2db5203cb7a9, nuage_floatingip
INFO  [alembic.migration] Running upgrade 2db5203cb7a9 -> 5446f2a45467, set_server_default
INFO  [alembic.migration] Running upgrade 5446f2a45467 -> db_healing, Include all tables and make migrations unconditional.
INFO  [alembic.migration] Context impl MySQLImpl.
INFO  [alembic.migration] Will assume non-transactional DDL.
INFO  [] Detected server default on column 'cisco_ml2_apic_epgs.provider'
INFO  [] Detected removed index 'cisco_n1kv_vlan_allocations_ibfk_1' on 'cisco_n1kv_vlan_allocations'
INFO  [] Detected server default on column 'cisco_n1kv_vxlan_allocations.allocated'
INFO  [] Detected removed index 'cisco_n1kv_vxlan_allocations_ibfk_1' on 'cisco_n1kv_vxlan_allocations'
INFO  [] Detected removed index 'embrane_pool_port_ibfk_2' on 'embrane_pool_port'
INFO  [] Detected removed index 'firewall_rules_ibfk_1' on 'firewall_rules'
INFO  [] Detected removed index 'firewalls_ibfk_1' on 'firewalls'
INFO  [] Detected server default on column 'meteringlabelrules.excluded'
INFO  [] Detected server default on column ''
INFO  [] Detected added column 'nuage_routerroutes_mapping.destination'
INFO  [] Detected added column 'nuage_routerroutes_mapping.nexthop'
INFO  [] Detected server default on column 'poolmonitorassociations.status'
INFO  [] Detected added index 'ix_quotas_tenant_id' on '['tenant_id']'
INFO  [] Detected NULL on column 'tz_network_bindings.phy_uuid'
INFO  [] Detected NULL on column 'tz_network_bindings.vlan_id'
INFO  [neutron.db.migration.alembic_migrations.heal_script] Detected removed foreign key u'nuage_floatingip_pool_mapping_ibfk_2' on table u'nuage_floatingip_pool_mapping'
INFO  [alembic.migration] Running upgrade db_healing -> 3927f7f7c456, L3 extension distributed mode
INFO  [alembic.migration] Running upgrade 3927f7f7c456 -> 2026156eab2f, L2 models to support DVR
INFO  [alembic.migration] Running upgrade 2026156eab2f -> 37f322991f59, removing_mapping_tables
INFO  [alembic.migration] Running upgrade 37f322991f59 -> 31d7f831a591, add constraint for routerid
INFO  [alembic.migration] Running upgrade 31d7f831a591 -> 5589aa32bf80, L3 scheduler additions to support DVR
INFO  [alembic.migration] Running upgrade 5589aa32bf80 -> 884573acbf1c, Drop NSX table in favor of the extra_attributes one
INFO  [alembic.migration] Running upgrade 884573acbf1c -> 4eba2f05c2f4, correct Vxlan Endpoint primary key
INFO  [alembic.migration] Running upgrade 4eba2f05c2f4 -> 327ee5fde2c7, set_innodb_engine
INFO  [alembic.migration] Running upgrade 327ee5fde2c7 -> 3b85b693a95f, Drop unused servicedefinitions and servicetypes tables.
INFO  [alembic.migration] Running upgrade 3b85b693a95f -> aae5706a396, nuage_provider_networks
INFO  [alembic.migration] Running upgrade aae5706a396 -> 32f3915891fd, cisco_apic_driver_update
INFO  [alembic.migration] Running upgrade 32f3915891fd -> 58fe87a01143, cisco_csr_routing
INFO  [alembic.migration] Running upgrade 58fe87a01143 -> 236b90af57ab, ml2_type_driver_refactor_dynamic_segments
INFO  [alembic.migration] Running upgrade 236b90af57ab -> 86d6d9776e2b, Cisco APIC Mechanism Driver
INFO  [alembic.migration] Running upgrade 86d6d9776e2b -> 16a27a58e093, ext_l3_ha_mode
INFO  [alembic.migration] Running upgrade 16a27a58e093 -> 3c346828361e, metering_label_shared
INFO  [alembic.migration] Running upgrade 3c346828361e -> 1680e1f0c4dc, Remove Cisco Nexus Monolithic Plugin
INFO  [alembic.migration] Running upgrade 1680e1f0c4dc -> 544673ac99ab, add router port relationship
INFO  [alembic.migration] Running upgrade 544673ac99ab -> juno, juno


If you get any error like , “Access denied for user neutron@ (using password: YES)) None None ” , then there must be inconsistency in password what you have given in step 2 & what you have updated in neutron.conf file.


17. Restart the nova & networking services.

root@OSCTRL-UA:~# service nova-api restart
nova-api stop/waiting
nova-api start/running, process 15291
root@OSCTRL-UA:~# service neutron-server restart
neutron-server stop/waiting
neutron-server start/running, process 15319


List loaded extensions to verify successful launch of the neutron-server process.

root@OSCTRL-UA:~# neutron ext-list
| alias                 | name                                          |
| security-group        | security-group                                |
| l3_agent_scheduler    | L3 Agent Scheduler                            |
| ext-gw-mode           | Neutron L3 Configurable external gateway mode |
| binding               | Port Binding                                  |
| provider              | Provider Network                              |
| agent                 | agent                                         |
| quotas                | Quota management support                      |
| dhcp_agent_scheduler  | DHCP Agent Scheduler                          |
| l3-ha                 | HA Router extension                           |
| multi-provider        | Multi Provider Network                        |
| external-net          | Neutron external network                      |
| router                | Neutron L3 Router                             |
| allowed-address-pairs | Allowed Address Pairs                         |
| extraroute            | Neutron Extra Route                           |
| extra_dhcp_opt        | Neutron Extra DHCP opts                       |
| dvr                   | Distributed Virtual Router                    |
root@OSCTRL-UA:~# date
Wed Sep 30 22:33:52 IST 2015


If you get any error like below, then you need to re-validate the keystone configuration on neutron.conf file.
root@OSCTRL-UA:~# neutron ext-list
Unauthorized (HTTP 401) (Request-ID: req-eeea0ae8-3133-4fbf-9bbf-152bae461f7b)


Please find the attached below file to know the full contents of neutron.conf &  ml2_conf.ini.

neutron.conf & ml2_conf.ini

Hope this article informative to you .  Share it ! Be Sociable !!!