
    Configuring Contrail OpenStack for a Centralized Deployment

    After you have installed Contrail Service Orchestration (CSO) and uploaded virtualized network functions (VNFs) for a centralized deployment, you must complete the following tasks in Contrail OpenStack.

    Updating the VNF Image Properties

    After you have uploaded the VNF images for your centralized deployment, you must update the image properties. To do so:

    1. Obtain the identifiers for your VNF images.
      root@host:/# glance image-list
    2. Execute the following command for each VNF image that you uploaded.
      glance image-update --property hw_cdrom_bus=ide --property hw_disk_bus=ide --property hw_vif_model=e1000 vnf-image-id

      Where:

      vnf-image-id—Identifier of the VNF image

      For example:

      root@host:/# glance image-update --property hw_cdrom_bus=ide --property hw_disk_bus=ide --property hw_vif_model=e1000 c79c1ade4f5eed8760fe

    Updating the Public Endpoints’ IP Addresses

    You must update the deployment’s public endpoints’ IP addresses to match the management IP address of the Contrail controller node. This action enables Contrail to communicate with CSO. To do so:

    1. Copy the endpoint_replace.py script from the CSO installer VM to the Contrail controller node.

      The endpoint_replace.py script is located at the /root/Contrail_Service_Orchestration_3.3/scripts directory.

    2. Log in to the Contrail controller node as root.
    3. Obtain the Keystone service token from the /etc/contrail/keystone file.
    4. Execute the following command:
      root@host:/# python endpoint_replace.py --admin-token service-token --management-ip contrail-controller-ip-address

      Where:

      • service-token—Service token for the Contrail OpenStack Keystone

      • contrail-controller-ip-address—Management IP address of the Contrail controller node

      For example:

      root@host:/# python endpoint_replace.py --admin-token 9390f3df14812451541f --management-ip 192.0.2.1

    Updating the OpenStack Heat Resources

    Use the following procedure to check that the JSM Heat resource is available in Contrail OpenStack on the Contrail Controller node.

    Note: This procedure must be performed on all the Contrail Controller nodes in your CSO installation.

    1. Log in to the Contrail Controller as root.
    2. To check whether the JSM Heat resource is available, execute the heat resource-type-list | grep JSM command.

      If the search returns the text OS::JSM::Get Flavor, the file is available in Contrail OpenStack.

    3. If the file is missing, do the following:
      1. Use Secure Copy Protocol (SCP) to copy the jsm_contrail_3.py file as follows:
        • For Heat V1 APIs, the /usr/lib/python2.7/dist-packages/contrail_heat/resources directory on the Contrail Controller node.

        • For Heat V2 APIs, the /usr/lib/python2.7/dist-packages/vnc_api/gen/heat/resources directory on the Contrail Controller node.

        Note: The jsm_contrail_3.py file is located in the /root/Contrail_Service_Orchestration_3.3/scripts directory on the VM or server on which you installed CSO.

      2. Rename the file to jsm.py in both heat resources directories.
      3. Restart the heat services by executing the service heat-api restart && service heat-api-cfn restart && service heat-engine restart command.
      4. After the services restart successfully, verify that the JSM heat resource is available as explained in Step 2. If it is not available, repeat Step 3.

    Specifying Attributes for Virtual Networks Created in Contrail

    A centralized deployment uses Contrail virtual networks for management and Internet traffic. You can create these virtual networks when you set up a centralized deployment in Administration Portal. Alternatively, you can create the networks in Contrail or use existing networks that you created in Contrail. For more information about this subject, see: https://www.juniper.net/documentation/en_US/contrail3.0/topics/task/configuration/creating-virtual-network-juniper-vnc-consolidate.html.

    If you create the virtual networks in Administration Portal, CSO automatically sets up the required routing and sharing attributes for the networks. If, however, you create the virtual networks in Contrail, you must:

    • Configure routing from the Contrail Service Orchestration (CSO) regional server to both virtual networks.

    • Specify that the management virtual network is shared (public).

      This action ensures that multiple tenants (customers) can access the network.

    Configuring the Contrail OpenStack Keystone as the CSO External Keystone

    When you install CSO, you can specify that the deployment should use the Contrail OpenStack Keystone as an external Keystone for authentication of CSO operations. If you do so, you must configure the Contrail OpenStack Keystone to authenticate CSO operations, as follows:

    1. Log in to the Contrail controller node as root.
    2. If you want to execute Keystone commands, set the source path, using the path that you configured during the installation.

      For example:

      root@host:~/# source /etc/contrail/keystonerc
    3. Set the OpenStack source path.

      For example:

      root@host:~/# source /etc/contrail/openstackrc
    4. Create a user called cspadmin.
      root@host:/# openstack user create --domain default --password-prompt cspadmin
    5. Obtain the identifiers (IDs) of the following users:
      • admin

      • cspadmin

      • neutron

      root@host:/# openstack user list
        ID                     Name           
        0a3615846a4d689bedf8   admin       
        20a61f33a15453f21682   cspadmin  
        41a71e35a152a7c39e69   neutron 
    6. Obtain the ID of the default domain.
      root@host:/# openstack domain list
    7. Create a project called default-project.
      root@host:/# openstack project create --domain default --description "Default Project" default-project
    8. Assign the admin role to the admin and cspadmin users.
      root@host:/# openstack role add admin --user admin --project default-project
      root@host:/# openstack role add admin --user cspadmin --project default-project
    9. Create the roles operator and tenant-operator.
      root@host:~/# openstack role create operator
      root@host:~/# openstack role create tenant-operator
    10. Obtain the Keystone service token from the /etc/contrail/keystone file.
    11. If the following groups do not already exist, create them:
      • admin

      • _member_

      • operator

      root@host:~/# curl -H "x-auth-token:service-token" -H "content-type:application/json" -d '{"group": {"name": "group-name", "domain_id": "domain-id"}}' -XPOST http://contrail-controller-ip-address:5000/v3/groups

      where

      • service-token—Service token for the Contrail OpenStack Keystone

      • group-name—Name of the group

      • domain-id—ID of the domain

      • contrail-controller-ip-address—Management IP address of the Contrail controller node

      For example:

      root@host:~/# curl -H "x-auth-token:9390f3df14812451541f" -H "content-type:application/json" -d '{"group": {"name": "operator", "domain_id": "2738ef02df227c34ec49"}}' -XPOST http://192.0.2.1:5000/v3/groups
      root@host:~/# curl -H "x-auth-token:9390f3df14812451541f" -H "content-type:application/json" -d '{"group": {"name": "admin", "domain_id": "2738ef02df227c34ec49"}}' -XPOST http://192.0.2.1:5000/v3/groups
      root@host:~/# curl -H "x-auth-token:9390f3df14812451541f" -H "content-type:application/json" -d '{"group": {"name": "_member_", "domain_id": "2738ef02df227c34ec49"}}' -XPOST http://192.0.2.1:5000/v3/groups
    12. Obtain the IDs for the groups:
      root@host:/# openstack group list
        ID                     Name           
        7df60593f801df3cad04   _member_       
        5be423fdf76a5d4f8964   admin  
        3bc8235fd643ae814c3d   operator  
    13. Use the following command to add the admin and cspadmin users to the admin and _member_ groups.
      root@host:/# curl -g -I -X PUT http://contrail-controller-ip-address:5000/v3/groups/group-id/users/user-id -H "Accept: application/json" -H "X-Auth-Token:service-token"

      where

      • contrail-controller-ip-address—Management IP address of the Contrail controller node

      • group-id—ID of the group

      • user-id—ID of the user

      • service-token—Service token that you use to access Contrail OpenStack

      For example:

      root@host:/# curl -g -I -X PUT http://192.0.2.1:5000/v3/groups/5be423fdf76a5d4f8964/users/0a3615846a4d689bedf8 -H "Accept: application/json" -H "X-Auth-Token:9390f3df14812451541f"
      root@host:/# curl -g -I -X PUT http://192.0.2.1:5000/v3/groups/5be423fdf76a5d4f8964/users/20a61f33a15453f21682 -H "Accept: application/json" -H "X-Auth-Token:9390f3df14812451541f"
      root@host:/# curl -g -I -X PUT http://192.0.2.1:5000/v3/groups/7df60593f801df3cad04/users/0a3615846a4d689bedf8 -H "Accept: application/json" -H "X-Auth-Token:9390f3df14812451541f"
      root@host:/# curl -g -I -X PUT http://192.0.2.1:5000/v3/groups/7df60593f801df3cad04/users/20a61f33a15453f21682 -H "Accept: application/json" -H "X-Auth-Token:9390f3df14812451541f"
    14. Use the following command to assign the system_user property to the admin, cspadmin, and neutron users.
      root@host:/# curl -X PATCH -H "X-Auth-Token:service-token" http://contrail-controller-ip-address:35357/v3/users/user-id -d '{"user": {"system_user": 1 }}'

      where

      • service-token—Service token for the Contrail OpenStack Keystone

      • contrail-controller-ip-address—Management IP address of the Contrail controller node

      • user-id—ID of the user

      For example:

      root@host:/# curl -X PATCH -H "X-Auth-Token:9390f3df14812451541f" http://192.0.2.1:35357/v3/users/0a3615846a4d689bedf8 -d '{"user": {"system_user": 1 }}'
      root@host:/# curl -X PATCH -H "X-Auth-Token:9390f3df14812451541f" http://192.0.2.1:35357/v3/users/20a61f33a15453f21682 -d '{"user": {"system_user": 1 }}'
      root@host:/# curl -X PATCH -H "X-Auth-Token:9390f3df14812451541f" http://192.0.2.1:35357/v3/users/41a71e35a152a7c39e69 -d '{"user": {"system_user": 1 }}'
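
    Steps 12 and 13 as a script, added here as an example and not part of the Juniper procedure: it resolves the user and group IDs by exact name match, builds the four membership requests, and hands the service token to curl on stdin instead of on the command line. The function names and the token file passed to add_members are assumptions; the rows are constructed from the sample output shown in Steps 5 and 12.

```sh
#!/bin/sh
# Added example (not Juniper code). Rows are constructed samples in the
# "ID Name" layout of the step 5 and step 12 listings on this page.
USER_ROWS='0a3615846a4d689bedf8 admin
20a61f33a15453f21682 cspadmin
41a71e35a152a7c39e69 neutron'
GROUP_ROWS='7df60593f801df3cad04 _member_
5be423fdf76a5d4f8964 admin
3bc8235fd643ae814c3d operator'

# Print the ID whose Name column equals $1 exactly; fail unless exactly one
# row matches ("admin" must not also select "cspadmin").
id_for() {
  printf '%s\n' "$2" | awk -v n="$1" '$2 == n { print $1; c++ } END { exit !(c == 1) }'
}

# Emit the four step 13 URLs: users admin and cspadmin in groups admin and _member_.
membership_urls() {
  for mu_group in admin _member_; do
    mu_gid=$(id_for "$mu_group" "$GROUP_ROWS") || { echo "group $mu_group: no unique ID" >&2; return 1; }
    for mu_user in admin cspadmin; do
      mu_uid=$(id_for "$mu_user" "$USER_ROWS") || { echo "user $mu_user: no unique ID" >&2; return 1; }
      case "$mu_gid$mu_uid" in
        *[!0-9a-f]*) echo "unexpected characters in ID" >&2; return 1 ;;
      esac
      printf '%s/v3/groups/%s/users/%s\n' "$1" "$mu_gid" "$mu_uid"
    done
  done
}

# Send the PUTs. $1 = Keystone base URL, $2 = hypothetical root-only file that
# holds just the service token. The header reaches curl as a config line on
# stdin (-K -), so the token stays out of argv, ps output and shell history.
add_members() {
  am_token=$(cat "$2") || return 1
  am_urls=$(membership_urls "$1") || return 1
  printf '%s\n' "$am_urls" | while read -r am_url; do
    printf 'header = "X-Auth-Token: %s"\n' "$am_token" |
      curl -K - -g -sS -o /dev/null -w '%{http_code} %{url_effective}\n' -X PUT "$am_url"
  done
}

# Dry run: list the requests without contacting Keystone.
membership_urls "http://192.0.2.1:5000"
```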

    Configuring Contrail OpenStack to Communicate with a CSO Keystone

    If you use the CSO Keystone with a centralized deployment, you must configure Contrail OpenStack to communicate with that Keystone. To do so:

    1. Log in to the Contrail controller node as root.
    2. Create a project for the CSO Keystone.
      root@host:/# openstack project create --domain default --description "CSO Keystone project" cso-project1
    3. Assign the admin role to user admin for the project that you created.
      root@host:~/# openstack role add admin --project cso-project1 --user admin
    4. Create a user, and assign the user to the project that you created.

      For example:

      root@host:~/# openstack user create --project cso-project1 --password-prompt user1
    5. Assign the admin role to the user that you created.
      root@host:/# openstack role add admin --project cso-project1 --user user1

    Modified: 2018-06-29