Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Guide That Contains This Content
[+] Expand All
[-] Collapse All

    Installing Contrail with Red Hat OpenStack

    Overview: Contrail with Red Hat OpenStack

    If you are planning to use Contrail with Red Hat OpenStack, be sure to first install Red Hat OpenStack, using either RDO or RHOSP packages.

    Procedure for Installing RHOSP5

    The following provides general steps for installing Red Hat OpenStack and configuring the setup for Contrail.

    1. Install OpenStack.

      To provision an openstack node with RHOSP5 packages, refer to the official Red Hat documents:


      Note: Configure a password for Keystone, the same password must be used in the Contrail file.

    2. Update the OpenStack password in the Copy the OpenStack Keystone password to the Refer to the Testbed section in the following.
    3. Stop the nova-compute and Neutron services in the OpenStack node:
      # service openstack-nova-compute stop  
      # service neutron-server stop  
      # nova service-disable $(hostname) nova-compute  
    4.  Update nova.conf as follows:
      # openstack-config --set /etc/nova/nova.conf DEFAULT network_api_class  
      # openstack-config --set /etc/nova/nova.conf DEFAULT neutron_url http://<FIRST_CFGM_IP>:9696
       (FIRST_CFGM_IP is the IP address of the first node in the CFGM role defined in the  
      # openstack-config --set /etc/nova/nova.conf DEFAULT neutron_admin_auth_url http://<KEYSTONE_IP_ADDRESS>:35357/v2.0   
      # openstack-config --set /etc/nova/nova.conf DEFAULT  compute_driver nova.virt.libvirt.LibvirtDriver 
    5. Restart the Nova services:
      # service openstack-nova-api restart  
      # service openstack-nova-conductor restart  
      # service openstack-nova-scheduler restart  
      # service openstack-nova-consoleauth restart 
    6. (optional) Configure the novncproxy_port.

      Contrail uses port 5999 for the novncproxy_port. If the same port is preferred for any openstack node, update the  novncproxy_port as in the following:

      # openstack-config --set /etc/nova/nova.conf DEFAULT  novncproxy_port 5999  
      # service openstack-nova-novncproxy restart 

    Install and Configure Contrail

    After Red Hat OpenStack is installed and the has been configured with items for Red Hat, you can install Contrail.

    Repositories for Third Party Packages

    The Contrail installation depends on a number of third party open source packages that are not included in the contrail-install-packages file, however, they are downloaded and installed through the Internet when respective repositories have been enabled in the nodes. 

    • For Red Hat registering of third party applications and subscribing, refer to Red Hat documentation: How to register and subscribe a system to the Red Hat Customer Portal using Red Hat Subscription-Manager at: 
    • For enabling EPEL repositories, the respective EPEL packages might require installation. Refer to EPEL documentation at: .

    Ensure that the contrail_install_repo has the highest priority.

    The following are the least-required RHEL repositories to be enabled in all nodes.

    subscription-manager repos --enable=rhel-7-server-extras-rpms

    subscription-manager repos --enable=rhel-7-server-optional-rpms

    subscription-manager repos --enable=rhel-7-server-rpms

    subscription-manager repos --enable=rhel-7-server-openstack-5.0-rpms

    rpm -ivh

    yum -y install

    Priority for a repository can be set manually by editing the corresponding sections in /etc/yum.repos.d/*.repo files or yum-config-manager can be used.

    To change priority of repos using yum-config-manager:

    yum install yum-plugin-priorities

    yum-config-manager --enable [reponame] --setopt="[reponame].priority=1"

    Download and Install Contrail-Install-Packages to the First Config Node

    The following steps show how to copy and install the contrail-install-packages, before updating the

    1. Copy the contrail-install-packages to the  /root/ of the first config node. The first config node is the first cfgm node defined in the section env.roledefs[‘cfgm’] roles in the
    2. Install the contrail-install-packages:

      # yum --disablerepo=* localinstall <package file>

    3. Set up contrail_install_repo and install fabric-utils:

      # cd /opt/contrail/contrail_packages/

      # ./

    4. Create the file in the testbeds directory, with host details under different Contrail roles.

      cd /opt/contrail/utils/fabfile/testbeds/

      Refer to example files available in the testbeds directory.

    Update the

    The OpenStack node is not provisioned by using the Contrail fabric-utils, it is the that carries node information. 

    Use the following steps to update the to make Contrail nodes aware of the OpenStack node information.

    1. Update the Openstack admin password in the

      #Openstack admin password

      env.openstack_admin_password = '<passwrd>'


       env.keystone = {  
          'keystone_ip'   : '<ip address>',  
          'auth_protocol' : 'http',                  #Default is http  
          'auth_port'     : '35357',                 #Default is 35357  
          'admin_token' : '$ABC123',  
          'admin_user'    : 'admin',                 #Default is admin  
          'admin_password': '<password>',            
          'service_tenant': 'service',               #Default is service  
          'admin_tenant'  : 'admin',                 #Default is admin  
          'region_name'   : 'RegionOne',             #Default is RegionOne  
          'insecure'      : 'True',                  #Default = False  
    2. Update the keystone_ip in the The Keystone IP address is the same as the OpenStack IP address.
      env.keystone = {  
          'keystone_ip'   : '<ip address>',  
          'auth_protocol' : 'http',                  #Default is http  
          'auth_port'     : '35357',                 #Default is 35357  
          'admin_token' : '$ABC123',  
          'admin_user'    : 'admin',                 #Default is admin  
          'admin_password': '<password>',             
          'service_tenant': 'service',               #Default is service  
          'admin_tenant'  : 'admin',                 #Default is admin  
          'region_name'   : 'RegionOne',             #Default is RegionOne  
          'insecure'      : 'True',                  #Default = False
    3. Update the admin_token in the

      The admin_token is available in the  /etc/keystone/keystone.conf of the OpenStack node.

      env.keystone = {  
          'keystone_ip'   : '<ip address>',  
          'auth_protocol' : 'http',                  #Default is http  
          'auth_port'     : '35357',                 #Default is 35357  
          'admin_token' : '$ABC123',  
          'admin_user'    : 'admin',                 #Default is admin  
          'admin_password': '<password>',            
          'service_tenant': 'service',               #Default is service  
          'admin_tenant'  : 'admin',                 #Default is admin  
          'region_name'   : 'RegionOne',             #Default is RegionOne  
          'insecure'      : 'True',                  #Default = False  }  
    4. (optional) If a different keystone user or tenant for neutron service is preferred, update the keystone settings as in the following:
      env.keystone = {  
          'keystone_ip'   : '<ip address>',  
          'auth_protocol' : 'http',                  #Default is http  
          'auth_port'     : '35357',                 #Default is 35357  
          'admin_token' : '$ABC123',  
          'admin_user'    : 'admin',                 #Default is admin  
          'admin_password': '<password>',             
          'service_tenant': 'service',               #Default is service  
          'admin_tenant'  : 'admin',                 #Default is admin  
          'region_name'   : 'RegionOne',             #Default is RegionOne  
          'insecure'      : 'True',                      #Default = False  
          'manage_neutron': 'no',          #Default = 'yes' , Does configure neutron user/role in keystone required.  
    5. Update the service_token in the

      Copy the admin_token from the /etc/keystone/keystone.conf of the OpenStack node, and enter it as the value for the service_token, as in the following:

      env.openstack = {  
          'service_token' : '$ABC123',  
          'amqp_host' : '<ip address>',  
    6. Update the amqp_host in the

      Enter the value for the amqp_host to be the same as the IP address of the OpenStack node, as in the following:

      env.openstack = {  
          'service_token' : '$ABC123',  
          'amqp_host' : '<ip address>',  
    7. Precheck: Issue a precheck to make sure all nodes are reachable and properly updated in the

      One easy way to precheck is to issue the following command and see if it passes.

      # fab all_command:”uname –a”

    Complete the Installation on Remaining Nodes 

    Use the following procedure to complete the installation.

    1. Copy and Install contrail-install-packages to all other nodes, except the OpenStack node:

      # fab install_pkg_all_without_openstack:</path/to/contrail-install-packages.rpm>

    2. Disable iptables. It is currently required to permanently disable iptables. This is a known issue regarding Contrail install and setup and deletion is the current resolution. 

      Iptables can be disabled by issuing the following fab commands. The fab all_command, as used in the following, executes the given command in all nodes configured in the

      # fab all_command:"iptables --flush"  
      # fab all_command:"sudo service iptables stop; echo pass"  
      # fab all_command:"sudo service ip6tables stop; echo pass"  
      # fab all_command:"sudo systemctl stop firewalld; echo pass"  
      # fab all_command:"sudo systemctl status firewalld; echo pass"  
      # fab all_command:"sudo chkconfig firewalld off; echo pass"  
      # fab all_command:"sudo /usr/libexec/iptables/iptables.init stop; echo pass"  
      # fab all_command:"sudo /usr/libexec/iptables/ip6tables.init stop; echo pass"  
      # fab all_command:"sudo service iptables save; echo pass"  
      # fab all_command:"sudo service ip6tables save; echo pass"  
    3. Install Contrail without OpenStack.

      Because the OpenStack node is set up with RDO or RHOSP, and the relevant details are updated in the, Contrail must be installed without OpenStack. The following fab command is used to set up Contrail without OpenStack, while also assuming that iptables are disabled permanently in all nodes. 

      # fab install_without_openstack

    4. Set up Contrail.

      Use the following fab command to set up Contrail without OpenStack, and with the assumption that iptables are permanently disabled in all nodes.

      # fab setup_without_openstack

    5. Verify the setup.

      Use contrail-status and openstack-status commands to verify the setup status.

      # fab all_command:”contrail-status; echo pass”

      # fab all_command:”openstack-status”

      Note: The contrail-status command is not available from the Red Hat OpenStack node.

    Appendix: Installing with RDO

    You can provision the OpenStack node by using RDO packages instead of RHOSP. This section provides guidelines for installation and reparatioon when using RDO vs. RHOSP.

    For more RDO installation information, refer to the Red Hat OpenStack documentation at


    The following are the prerequisite steps.  

    1. You must already have the Red Hat OpenStack repositories set up and enabled.
    2. Install RDO. 

      # yum install -y

    3. Install Packstack.

      # yum install -y openstack-packstack

    Install All-in-One OpenStack

    Use the following procedure to prepare to install Contrail when using RDO vs. RHOSP for Red Hat.

    1. Install as an all-in-one node using Packstack.

      # packstack --allinone --mariadb-pw=juniper123 --use-epel=y

      Note: Packstack can use an answers file to determine where a service can be enabled or disabled based on your preference. Refer to Packstack documentation for more information. 

    2. Update the Keystone password to use a predictable password.

      Packstack usually sets up Keystone with a random password. Use the following to set a predictable password for Keystone. 

      # source /root/keystonerc_admin && keystone user-password-update --pass <password> admin and update the same password in “OS_PASSWORD” in /root/keystonerc_admin

    Modified: 2016-06-13