Configuring Contrail OpenStack for a Centralized Deployment
After you have installed Contrail Service Orchestration (CSO) and uploaded virtualized network functions (VNFs) for a centralized deployment, you must complete the following tasks in Contrail OpenStack.
Updating the VNF Image Properties
After you have uploaded the VNF images for your centralized deployment, you must update the image properties. To do so:
- Obtain the identifiers for your VNF images.
root@host:/# glance image-list
- Execute the following command for each VNF image that you uploaded.
glance image-update --property hw_cdrom_bus=ide --property hw_disk_bus=ide --property hw_vif_model=e1000 vnf-image-id
Where:
vnf-image-id—Identifier of the VNF image
For example:
root@host:/# glance image-update --property hw_cdrom_bus=ide --property hw_disk_bus=ide --property hw_vif_model=e1000 c79c1ade4f5eed8760fe
Updating the Public Endpoints’ IP Addresses
You must update the deployment’s public endpoints’ IP addresses to match the management IP address of the Contrail controller node. This action enables Contrail to communicate with CSO. To do so:
- Copy the endpoint_replace.py script from the CSO installer VM to the Contrail controller node.
The endpoint_replace.py script is located at the /root/Contrail_Service_Orchestration_3.3/scripts directory.
- Log in to the Contrail controller node as root.
- Obtain the Keystone service token from the /etc/contrail/keystone file.
- Execute the following command:
root@host:/# python endpoint_replace.py --admin-token service-token --management-ip contrail-controller-ip-address
Where:
service-token—Service token for the Contrail OpenStack Keystone
contrail-controller-ip-address—Management IP address of the Contrail controller node
For example:
root@host:/# python endpoint_replace.py --admin-token 9390f3df14812451541f --management-ip 192.0.2.1
Updating the OpenStack Heat Resources
Use the following procedure to check that the JSM Heat resource is available in Contrail OpenStack on the Contrail Controller node.
Note: This procedure must be performed on all the Contrail Controller nodes in your CSO installation.
- Log in to the Contrail Controller as root.
- To check whether the JSM Heat resource is available, execute the heat resource-type-list | grep JSM command.
If the search returns the text OS::JSM::Get Flavor, the file is available in Contrail OpenStack.
- If the file is missing, do the following:
  - Use Secure Copy Protocol (SCP) to copy the jsm_contrail_3.py file as follows:
    For Heat V1 APIs, the /usr/lib/python2.7/dist-packages/contrail_heat/resources directory on the Contrail Controller node.
    For Heat V2 APIs, the /usr/lib/python2.7/dist-packages/vnc_api/gen/heat/resources directory on the Contrail Controller node.
    Note: The jsm_contrail_3.py file is located in the /root/Contrail_Service_Orchestration_3.3/scripts directory on the VM or server on which you installed CSO.
  - Rename the file to jsm.py in both heat resources directories.
  - Restart the heat services by executing the service heat-api restart && service heat-api-cfn restart && service heat-engine restart command.
  - After the services restart successfully, verify that the JSM heat resource is available as explained in Step 2. If it is not available, repeat Step 3.
Specifying Attributes for Virtual Networks Created in Contrail
A centralized deployment uses Contrail virtual networks for management and Internet traffic. You can create these virtual networks when you set up a centralized deployment in Administration Portal. Alternatively, you can create the networks in Contrail or use existing networks that you created in Contrail. For more information about this subject, see: https://www.juniper.net/documentation/en_US/contrail3.0/topics/task/configuration/creating-virtual-network-juniper-vnc-consolidate.html.
If you create the virtual networks in Administration Portal, CSO automatically sets up the required routing and sharing attributes for the networks. If, however, you create the virtual networks in Contrail, you must:
Configure routing from the Contrail Service Orchestration (CSO) regional server to both virtual networks.
Specify that the management virtual network is shared (public).
This action ensures that the multiple tenants (customers) can access the network.
Configuring the Contrail OpenStack Keystone as the CSO External Keystone
When you install CSO, you can specify that the deployment should use the Contrail OpenStack Keystone as an external Keystone for authentication of CSO operations. If you do so, you must use this procedure to configure the Contrail OpenStack Keystone to authenticate CSO operations. To do so:
- Log in to the Contrail controller node as root.
- If you want to execute Keystone commands, set the source path, using the path that you configured during the installation.
For example:
root@host:~/# source /etc/contrail/keystonerc
- Set the OpenStack source path.
For example:
root@host:~/# source /etc/contrail/openstackrc
- Create a user called cspadmin.
root@host:/# openstack user create --domain default --password-prompt cspadmin
- Obtain the identifiers (IDs) of the following users:
admin
cspadmin
neutron
root@host:/# openstack user list
ID                   Name
0a3615846a4d689bedf8 admin
20a61f33a15453f21682 cspadmin
41a71e35a152a7c39e69 neutron
- Obtain the ID of the default domain.
root@host:/# openstack domain list
- Create a project called default-project.
root@host:/# openstack project create --domain default --description "Default Project" default-project
- Assign the admin role to the admin and cspadmin users.
root@host:/# openstack role add admin --user admin --project default-project
root@host:/# openstack role add admin --user cspadmin --project default-project
- Create the roles operator and tenant-operator.
root@host:~/# openstack role create operator
root@host:~/# openstack role create tenant-operator
- Obtain the Keystone service token from the /etc/contrail/keystone file.
- If the following groups do not already exist, create them:
admin
_member_
operator
root@host:~/# curl -H "x-auth-token:service-token" -H "content-type:application/json" -d '{"group": {"name": "group-name", "domain_id": "default"}}' -XPOST http://contrail-controller-ip-address:5000/v3/groups
where
service-token—Service token for the Contrail OpenStack Keystone
group-name—Name of the group
domain_id—ID of the domain
contrail-controller-ip-address—Management IP address of the Contrail controller node
For example:
root@host:~/# curl -H "x-auth-token:9390f3df14812451541f" -H "content-type:application/json" -d '{"group": {"name": "operator", "2738ef02df227c34ec49": "default"}}' -XPOST http://192.0.2.1:5000/v3/groups
root@host:~/# curl -H "x-auth-token:9390f3df14812451541f" -H "content-type:application/json" -d '{"group": {"name": "admin", "2738ef02df227c34ec49": "default"}}' -XPOST http://192.0.2.1:5000/v3/groups
root@host:~/# curl -H "x-auth-token:9390f3df14812451541f" -H "content-type:application/json" -d '{"group": {"name": "_member_", "2738ef02df227c34ec49": "default"}}' -XPOST http://192.0.2.1:5000/v3/groups
- Obtain the IDs for the groups:
root@host:/# openstack group list
ID                   Name
7df60593f801df3cad04 _member_
5be423fdf76a5d4f8964 admin
3bc8235fd643ae814c3d operator
- Use the following command to add the admin and cspadmin users to the admin and _member_ groups.
root@host:/# curl -g -I -X PUT http://contrail-controller-ip-address:5000/v3/groups/group-id/users/user-id -H "Accept: application/json" -H "X-Auth-Token:service-token"
where
contrail-controller-ip-address—Management IP address of the Contrail controller node
group-id—ID of the group
user-id—ID of the user
service-token—Service token that you use to access Contrail OpenStack
For example:
root@host:/# curl -g -I -X PUT http://192.0.2.1:5000/v3/groups/5be423fdf76a5d4f8964/users/0a3615846a4d689bedf8 -H "Accept: application/json" -H "X-Auth-Token:9390f3df14812451541f"
root@host:/# curl -g -I -X PUT http://192.0.2.1:5000/v3/groups/5be423fdf76a5d4f8964/users/20a61f33a15453f21682 -H "Accept: application/json" -H "X-Auth-Token:9390f3df14812451541f"
root@host:/# curl -g -I -X PUT http://192.0.2.1:5000/v3/groups/7df60593f801df3cad04/users/0a3615846a4d689bedf8 -H "Accept: application/json" -H "X-Auth-Token:9390f3df14812451541f"
root@host:/# curl -g -I -X PUT http://192.0.2.1:5000/v3/groups/7df60593f801df3cad04/users/20a61f33a15453f21682 -H "Accept: application/json" -H "X-Auth-Token:9390f3df14812451541f"
- Use the following command to assign the system_user property to the admin, cspadmin, and neutron users.
root@host:/# curl -X PATCH -H "X-Auth-Token:service-token" http://contrail-controller-ip-address:35357/v3/users/user-id -d '{"user": {"system_user": 1 }}'
where
service-token—Service token for the Contrail OpenStack Keystone
contrail-controller-ip-address—Management IP address of the Contrail controller node
user-id—ID of the user
For example:
root@host:/# curl -X PATCH -H "X-Auth-Token:9390f3df14812451541f" http://192.0.2.1:35357/v3/users/0a3615846a4d689bedf8 -d '{"user": {"system_user": 1 }}'
root@host:/# curl -X PATCH -H "X-Auth-Token:9390f3df14812451541f" http://192.0.2.1:35357/v3/users/20a61f33a15453f21682 -d '{"user": {"system_user": 1 }}'
root@host:/# curl -X PATCH -H "X-Auth-Token:9390f3df14812451541f" http://192.0.2.1:35357/v3/users/00d3b0113ae21f270d11 -d '{"user": {"system_user": 1 }}'
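The group-membership step of this procedure, as an added example (not taken from the Juniper documentation or the CSO installer): it resolves user and group names to IDs from listings and builds the four PUT requests, stopping when a name is missing or duplicated. The function names, the SERVICE_TOKEN environment variable and the inline sample listings are assumptions made for the example.

```bash
#!/usr/bin/env bash
# Added example with hypothetical helper names; not part of the CSO installer.
# Constructed sample listings (ID, then name) using the example IDs shown above.
# On a live node, comparable input comes from:
#   openstack user list -f value -c ID -c Name
USER_LIST='0a3615846a4d689bedf8 admin
20a61f33a15453f21682 cspadmin
41a71e35a152a7c39e69 neutron'
GROUP_LIST='7df60593f801df3cad04 _member_
5be423fdf76a5d4f8964 admin
3bc8235fd643ae814c3d operator'

# id_of LISTING NAME: print the ID whose name matches exactly.
# Fails when the name is missing or appears more than once.
id_of() {
  printf '%s\n' "$1" |
    awk -v n="$2" '$2 == n { id = $1; c++ }
      END { if (c == 1) print id; exit (c == 1 ? 0 : 1) }'
}

# membership_urls BASE USER_LISTING GROUP_LISTING: one URL per (group, user)
# pair from the procedure. Nothing is printed unless every ID resolves.
membership_urls() {
  local base=$1 g u group_id user_id out=
  for g in admin _member_; do
    group_id=$(id_of "$3" "$g") || { echo "group $g: no unique ID" >&2; return 1; }
    for u in admin cspadmin; do
      user_id=$(id_of "$2" "$u") || { echo "user $u: no unique ID" >&2; return 1; }
      out="$out$base/v3/groups/$group_id/users/$user_id
"
    done
  done
  printf '%s' "$out"
}

# apply_memberships BASE USER_LISTING GROUP_LISTING: send the PUT requests.
# SERVICE_TOKEN (assumed environment variable) reaches curl through a config
# stream on stdin (-K -), so it is absent from curl's argument list.
# Keystone answers 204 when the membership is set.
apply_memberships() {
  local urls url
  urls=$(membership_urls "$@") || return 1
  for url in $urls; do
    printf 'header = "X-Auth-Token: %s"\n' "$SERVICE_TOKEN" |
      curl -g -sS -o /dev/null -w "%{http_code} $url\n" -X PUT -K - "$url" || return 1
  done
}

# Dry run on the constructed listings: prints the four URLs, sends nothing.
membership_urls "http://192.0.2.1:5000" "$USER_LIST" "$GROUP_LIST"
```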
Configuring Contrail OpenStack to Communicate with a CSO Keystone
If you use the CSO Keystone with a centralized deployment, you must configure Contrail OpenStack to communicate with that Keystone. To do so:
- Log in to the Contrail controller node as root.
- Create a project for the CSO Keystone.
root@host:/# openstack project create --domain default --description "CSO Keystone project" cso-project1
- Assign the admin role to user admin for the project that you created.
root@host:~/# openstack role add admin --project cso-project1 --user admin
- Create a user, and assign the user to the project that you created.
For example:
root@host:~/# openstack user create --project cso-project1 --password-prompt user1
- Assign the admin role to the user that you created.
root@host:/# openstack role add admin --project cso-project1 --user user1

