Chapter 7: Neutron - Advanced Commands - Part 1
Commands :
1. Neutron Service Status :
Note : admin access is required to run this command.
This command shows the status of the L3 agent, DHCP agent, metadata agent and OVS agent.
To verify the status of the neutron agents:
neutron agent-list
2. Neutron extension List :
Note: admin access is required to run this command.
Many services/features (allowed address pair, security-group, router, etc.) in neutron are implemented as extensions. This command lists the currently installed extensions:
neutron ext-list
3. Quota :
Quota is the neutron feature used to limit the network resources (networks, subnets, ports, floatingips, etc.) available to a tenant.
If the admin user doesn't set a quota for the tenant, the default quota is applied.
The default quota can be seen using the command below.
neutron quota-default-show
Admin user can create the network quota as below,
Syntax
neutron quota-update --<network resource name> <qty>
The network resource name is one of network, subnet, port, router, floatingip, security-group, vip, pool, loadbalancer, etc.
Example:
neutron quota-update --network 2 --subnet 2 --port 2 --router 1 --floatingip 2
If you try to create a resource beyond the quota, you will see the error below:
Quota exceeded for resources: [resource name].
4. RBAC :
Neutron resources (networks, qos) can be created as shared or private. Shared means accessible by all tenants. Private means accessible by the owning tenant only.
The RBAC feature makes it possible to share Neutron resources (networks, qos) with a subset of tenants instead of the all-or-nothing choice.
To create an RBAC policy to share a network:
Syntax:
neutron rbac-create --target-tenant <target tenant id> --action access_as_shared --type {qos-policy,network} <Obj ID>
Example:
neutron rbac-create --target-tenant 2fd3c36c44d94ac2bae2f28a36020c62 --action access_as_shared --type network ce894f96-b2cd-45f0-9e86-5d2019c619d3
To list the RBAC policies:
neutron rbac-list
Example scenario:
demo and demo1 tenants
demo and demo1 are Member users of the demo and demo1 tenants, respectively.
Objective: Share the Server-Net network from the demo tenant to the demo1 tenant.
demo1 tenant id: 5dae81c6055944ef8bba14d7ec757c06
source openrc demo demo
neutron net-list
neutron rbac-create --target-tenant 5dae81c6055944ef8bba14d7ec757c06 --action access_as_shared --type network c31098fb-431f-4429-90a5-e2b88a1e8763
neutron rbac-list
Log in as the demo1 tenant and list the networks (shared networks should be listed):
source openrc demo1 demo1
neutron net-list
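The sharing grant from this scenario can be reviewed mechanically. The following is an added example, not part of the original page: it parses the Field/Value table that rbac-create prints and flags grants that reach further than an approved list. The APPROVED allow-list and the "constructed-policy-1" record are assumptions made for illustration; the "*" wildcard is how Neutron records a share with all tenants.

```python
# Added example, not from the original page: audit RBAC sharing grants.
WILDCARD = "*"  # Neutron records an all-tenant share as target_tenant "*"

def parse_field_table(text):
    """Parse a Field/Value table as printed by `neutron rbac-create`."""
    row = {}
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == 2 and cells[0] and cells[0] != "Field":
            row[cells[0]] = cells[1]
    return row

def audit_rbac(policies, approved):
    """approved (hypothetical allow-list): object_id -> set of tenant ids."""
    findings = []
    for p in policies:
        if p.get("action") != "access_as_shared":
            continue  # only sharing grants are in scope
        target = p["target_tenant"]
        if target == WILDCARD:
            findings.append((p["id"], "shared with every tenant"))
        elif target not in approved.get(p["object_id"], set()):
            findings.append((p["id"], "unapproved target " + target))
    return findings

# Rows copied from the rbac-create output in this page's execution logs.
CREATED = """
| Field | Value |
| action | access_as_shared |
| id | 76ee1bdb-dfdd-46e2-8ce3-7e613378db85 |
| object_id | c31098fb-431f-4429-90a5-e2b88a1e8763 |
| object_type | network |
| target_tenant | 5dae81c6055944ef8bba14d7ec757c06 |
| tenant_id | bccf45eee4544264a526c4bca56fdb3c |
"""
# Constructed sample: the same network shared with all tenants.
WIDE = dict(parse_field_table(CREATED), id="constructed-policy-1",
            target_tenant=WILDCARD)
APPROVED = {"c31098fb-431f-4429-90a5-e2b88a1e8763":
            {"5dae81c6055944ef8bba14d7ec757c06"}}

if __name__ == "__main__":
    for finding in audit_rbac([parse_field_table(CREATED), WIDE], APPROVED):
        print(finding)
```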
5. Host Route :
The host route feature provides a static route to all the VMs present in the network.
It is set as a subnet parameter:
--host-route destination=<CIDR>,nexthop=<IP>
Example:
--host-route destination=192.168.101.0/24,nexthop=10.10.10.254
Example:
neutron subnet-create --name Office-Sub --gateway 10.10.10.1 --allocation-pool start=10.10.10.10,end=10.10.10.50 --host-route destination=192.168.101.0/24,nexthop=10.10.10.254 Office-Net 10.10.10.0/24
Note: Exercise 3 covered the detailed example of Host Route.
References:
http://blog.arunsriraman.com/2016/02/a-glance-into-host-routes-tenant.html
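Because a host route reaches every VM on the subnet, it is worth validating the value before passing it to subnet-create. The following is an added example, not part of the original page: it parses the --host-route argument format shown above and checks it against the subnet; the function names and the three checks are choices made for illustration.

```python
# Added example, not from the original page: sanity-check a --host-route value.
import ipaddress

def parse_host_route(arg):
    """Parse 'destination=<CIDR>,nexthop=<IP>' as passed to --host-route."""
    fields = dict(kv.split("=", 1) for kv in arg.split(","))
    return (ipaddress.ip_network(fields["destination"]),
            ipaddress.ip_address(fields["nexthop"]))

def check_host_route(arg, subnet_cidr, gateway):
    """Return a list of problems; an empty list means the route looks sane."""
    subnet = ipaddress.ip_network(subnet_cidr)
    dest, hop = parse_host_route(arg)
    problems = []
    if hop not in subnet:
        # VMs cannot reach a nexthop that is not on their own subnet.
        problems.append("nexthop is not on-link in " + subnet_cidr)
    if dest.prefixlen == 0:
        # A default-route destination steers all off-subnet traffic.
        if hop != ipaddress.ip_address(gateway):
            problems.append("default route points at %s, not the gateway" % hop)
    elif dest.version == subnet.version and dest.overlaps(subnet):
        problems.append("destination overlaps the subnet itself")
    return problems

# Subnet and route values from the subnet-create example on this page.
SUBNET, GATEWAY = "10.10.10.0/24", "10.10.10.1"
PAGE_ROUTE = "destination=192.168.101.0/24,nexthop=10.10.10.254"

if __name__ == "__main__":
    print(check_host_route(PAGE_ROUTE, SUBNET, GATEWAY))
    # Constructed inputs that should be rejected:
    print(check_host_route("destination=0.0.0.0/0,nexthop=10.10.10.99",
                           SUBNET, GATEWAY))
    print(check_host_route("destination=192.168.101.0/24,nexthop=172.16.0.1",
                           SUBNET, GATEWAY))
```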
6. Allowed Address Pair :
The allowed address pair extension extends the port attributes so that you can specify arbitrary mac_address/ip_address (CIDR) pairs that are allowed to pass through a port regardless of the subnet associated with the network.
It is mainly used in the VRRP use case. Exercise 4 covered the detailed example of Allowed Address Pair.
This is a port parameter:
--allowed_address_pairs list=true type=dict ip_address=<IP>
Example:
--allowed_address_pairs list=true type=dict ip_address=10.10.10.200
neutron port-update 6a433072-2fe0-4c9a-b3bb-590b7c17136f --allowed_address_pairs list=true type=dict ip_address=10.10.10.200
Ref:
https://specs.openstack.org/openstack/neutron-specs/specs/api/allowed_address_pairs.html
http://docs.catalystcloud.io/tutorials/deploying-highly-available-instances-with-keepalived.html
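Each allowed address pair is an exception to the address filtering on a port, so pairs wider than a single virtual IP deserve review. The following is an added example, not part of the original page: it audits port records in the Neutron API shape (fixed_ips, allowed_address_pairs). The sample ports, the fixed IP 10.10.10.11 and the one-address threshold are constructed assumptions; the subnet id and CIDR are taken from this page's net-list output.

```python
# Added example, not from the original page: audit allowed address pairs.
import ipaddress

def audit_allowed_pairs(port, subnet_cidrs, max_hosts=1):
    """Flag pairs that admit more than a single in-subnet virtual IP.

    port: dict in Neutron port shape (fixed_ips, allowed_address_pairs).
    subnet_cidrs: subnet_id -> CIDR for the subnets the port sits on.
    """
    subnets = [ipaddress.ip_network(subnet_cidrs[f["subnet_id"]])
               for f in port["fixed_ips"]]
    findings = []
    for pair in port.get("allowed_address_pairs", []):
        raw = pair["ip_address"]
        net = ipaddress.ip_network(raw, strict=False)
        if net.prefixlen == 0:
            findings.append((raw, "any source address allowed"))
        elif net.num_addresses > max_hosts:
            findings.append((raw, "range of %d addresses" % net.num_addresses))
        elif not any(net.version == s.version and net.subnet_of(s)
                     for s in subnets):
            findings.append((raw, "outside the port's subnets"))
    return findings

# Subnet id and CIDR as listed for Server-Net on this page.
SUBNETS = {"7d0c05e6-321e-45f7-9ac4-aa743e88ba3a": "10.10.10.0/24"}

def sample_port(pairs):
    """Constructed port record; the fixed IP is an assumed value."""
    return {"fixed_ips": [{"subnet_id": "7d0c05e6-321e-45f7-9ac4-aa743e88ba3a",
                           "ip_address": "10.10.10.11"}],
            "allowed_address_pairs": [{"ip_address": p} for p in pairs]}

if __name__ == "__main__":
    # The VRRP address from the page's example passes; the others are flagged.
    for pairs in (["10.10.10.200"], ["0.0.0.0/0"],
                  ["10.10.10.0/24"], ["192.168.101.5"]):
        print(pairs, audit_allowed_pairs(sample_port(pairs), SUBNETS))
```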
Execution logs:
1. Neutron Service Status :
neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.
+----------------------+--------------------+------+-------------------+-------+----------------+------------------------+
| id | agent_type | host | availability_zone | alive | admin_state_up | binary |
+----------------------+--------------------+------+-------------------+-------+----------------+------------------------+
| 2f1379f2-ea61-43b6-b | L3 agent | dev1 | nova | :-) | True | neutron-l3-agent |
| 0e4-196c6c3f7496 | | | | | | |
| ab7db2e3-87d4-4bf8-9 | Metadata agent | dev1 | | :-) | True | neutron-metadata-agent |
| 9d6-e4126df224d9 | | | | | | |
| d3de224b-542b-4d95-9 | DHCP agent | dev1 | nova | :-) | True | neutron-dhcp-agent |
| 593-0b21df17b19e | | | | | | |
| ef91e7f8-f698-4a2b- | Open vSwitch agent | dev1 | | :-) | True | neutron-openvswitch- |
| 9a67-2068e32e1416 | | | | | | agent |
+----------------------+--------------------+------+-------------------+-------+----------------+------------------------+
(osclient) cloud@dev1:~/osclient$
2. Neutron extension List :
(osclient) cloud@dev1:~/osclient$ neutron ext-list
neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.
+---------------------------+-------------------------------------------------------------+
| alias | name |
+---------------------------+-------------------------------------------------------------+
| default-subnetpools | Default Subnetpools |
| network-ip-availability | Network IP Availability |
| network_availability_zone | Network Availability Zone |
| auto-allocated-topology | Auto Allocated Topology Services |
| ext-gw-mode | Neutron L3 Configurable external gateway mode |
| binding | Port Binding |
| agent | agent |
| subnet_allocation | Subnet Allocation |
| l3_agent_scheduler | L3 Agent Scheduler |
| tag | Tag support |
| external-net | Neutron external network |
| flavors | Neutron Service Flavors |
| net-mtu | Network MTU |
| availability_zone | Availability Zone |
| quotas | Quota management support |
| l3-ha | HA Router extension |
| provider | Provider Network |
| multi-provider | Multi Provider Network |
| address-scope | Address scope |
| extraroute | Neutron Extra Route |
| subnet-service-types | Subnet service types |
| standard-attr-timestamp | Resource timestamps |
| service-type | Neutron Service Type Management |
| l3-flavors | Router Flavor Extension |
| port-security | Port Security |
| extra_dhcp_opt | Neutron Extra DHCP opts |
| standard-attr-revisions | Resource revision numbers |
| pagination | Pagination support |
| sorting | Sorting support |
| security-group | security-group |
| dhcp_agent_scheduler | DHCP Agent Scheduler |
| router_availability_zone | Router Availability Zone |
| rbac-policies | RBAC Policies |
| tag-ext | Tag support for resources: subnet, subnetpool, port, router |
| standard-attr-description | standard-attr-description |
| router | Neutron L3 Router |
| allowed-address-pairs | Allowed Address Pairs |
| project-id | project_id field enabled |
| dvr | Distributed Virtual Router |
+---------------------------+-------------------------------------------------------------+
(osclient) cloud@dev1:~/osclient$
3. Quota :
#Quota
(osclient) cloud@dev1:~/osclient$ neutron quota-default-show
neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.
+---------------------+-------+
| Field | Value |
+---------------------+-------+
| floatingip | 50 |
| network | 10 |
| port | 50 |
| rbac_policy | 10 |
| router | 10 |
| security_group | 10 |
| security_group_rule | 100 |
| subnet | 10 |
| subnetpool | -1 |
+---------------------+-------+
(osclient) cloud@dev1:~/osclient$
(osclient) cloud@dev1:~/osclient$ neutron quota-update --network 2 --subnet 2 --port 2 --router 1 --floatingip 2
neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.
+---------------------+-------+
| Field | Value |
+---------------------+-------+
| floatingip | 2 |
| network | 2 |
| port | 2 |
| rbac_policy | 10 |
| router | 1 |
| security_group | 10 |
| security_group_rule | 100 |
| subnet | 2 |
| subnetpool | -1 |
+---------------------+-------+
(osclient) cloud@dev1:~/osclient$
(osclient) cloud@dev1:~/osclient$ neutron router-create R2
neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.
Quota exceeded for resources: ['router'].
Neutron server returns request_ids: ['req-1ed4c62b-fb04-4267-9cc2-a1c66dc055b6']
(osclient) cloud@dev1:~/osclient$
4. RBAC :
cloud@dev1:~/devstack$ source openrc demo demo
WARNING: setting legacy OS_TENANT_NAME to support cli tools.
cloud@dev1:~/devstack$ neutron net-list
neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.
+--------------------------------------+------------+----------------------------------------------------------+
| id | name | subnets |
+--------------------------------------+------------+----------------------------------------------------------+
| 166d0427-cfc5-4234-b61c-b3bb8f6e3a32 | private | 91c773a1-a4e2-4f14-946d-401c1f7ee627 10.0.0.0/26 |
| | | dea60d2b-6809-43eb-a687-d1877e04f679 fd25:cc32:b8d7::/64 |
| 975dd3d1-3576-4c34-991e-eaf24f45295e | public | 8171e8c6-2953-4ffa-beab-8f07b43a08c4 |
| | | 543ef8a3-5717-44d1-81f9-70c5057e889c |
| c31098fb-431f-4429-90a5-e2b88a1e8763 | Server-Net | 7d0c05e6-321e-45f7-9ac4-aa743e88ba3a 10.10.10.0/24 |
+--------------------------------------+------------+----------------------------------------------------------+
cloud@dev1:~/devstack$
cloud@dev1:~/devstack$ neutron rbac-create --target-tenant 5dae81c6055944ef8bba14d7ec757c06 --action access_as_shared --type network c31098fb-431f-4429-90a5-e2b88a1e8763
neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.
Created a new rbac_policy:
+---------------+--------------------------------------+
| Field | Value |
+---------------+--------------------------------------+
| action | access_as_shared |
| id | 76ee1bdb-dfdd-46e2-8ce3-7e613378db85 |
| object_id | c31098fb-431f-4429-90a5-e2b88a1e8763 |
| object_type | network |
| project_id | bccf45eee4544264a526c4bca56fdb3c |
| target_tenant | 5dae81c6055944ef8bba14d7ec757c06 |
| tenant_id | bccf45eee4544264a526c4bca56fdb3c |
+---------------+--------------------------------------+
cloud@dev1:~/devstack$
(osclient) cloud@dev1:~/osclient$ neutron rbac-list
neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.
+--------------------------------------+-------------+--------------------------------------+
| id | object_type | object_id |
+--------------------------------------+-------------+--------------------------------------+
| 76ee1bdb-dfdd-46e2-8ce3-7e613378db85 | network | c31098fb-431f-4429-90a5-e2b88a1e8763 |
+--------------------------------------+-------------+--------------------------------------+
(osclient) cloud@dev1:~/osclient$
(osclient) cloud@dev1:~/osclient$ source ../devstack/openrc demo1 demo1
WARNING: setting legacy OS_TENANT_NAME to support cli tools.
(osclient) cloud@dev1:~/osclient$ neutron net-list
neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.
+--------------------------------------+------------+----------------------------------------------------+
| id | name | subnets |
+--------------------------------------+------------+----------------------------------------------------+
| 975dd3d1-3576-4c34-991e-eaf24f45295e | public | 8171e8c6-2953-4ffa-beab-8f07b43a08c4 |
| | | 543ef8a3-5717-44d1-81f9-70c5057e889c |
| c31098fb-431f-4429-90a5-e2b88a1e8763 | Server-Net | 7d0c05e6-321e-45f7-9ac4-aa743e88ba3a 10.10.10.0/24 |
+--------------------------------------+------------+----------------------------------------------------+
(osclient) cloud@dev1:~/osclient$
5. Host Route :
Refer: Exercise 3
6. Allowed Address Pair :
Refer Exercise 4