    Configuring Contrail OpenStack for a Centralized Deployment

    After you have installed Contrail Service Orchestration (CSO) and uploaded virtualized network functions (VNFs) for a centralized deployment, you must complete the following tasks in Contrail OpenStack.

    Updating the VNF Image Properties

    After you have uploaded the VNF images for your centralized deployment, you must update the image properties. To do so:

    1. Obtain the identifiers for your VNF images.
      root@host:/# glance image-list
    2. Execute the following command for each VNF image that you uploaded.
      glance image-update --property hw_cdrom_bus=ide --property hw_disk_bus=ide --property hw_vif_model=e1000 vnf-image-id

      where:

      vnf-image-id—Identifier of the VNF image

      For example:

      root@host:/# glance image-update --property hw_cdrom_bus=ide --property hw_disk_bus=ide --property hw_vif_model=e1000 c79c1ade4f5eed8760fe

    Updating the Public Endpoints’ IP Addresses

    You must update the IP addresses of the deployment's public endpoints to match the management IP address of the Contrail controller node. This action enables Contrail to communicate with CSO. To do so:

    1. Log in to the Contrail controller node as root.
    2. Obtain the Keystone service token from the /etc/contrail/keystone file.
    3. Execute the following command:
      root@host:/# python endpoint_replace.py --admin-token service-token --management-ip contrail-controller-ip-address

      where:

      • service-token—Service token for the Contrail OpenStack Keystone
      • contrail-controller-ip-address—Management IP address of the Contrail controller node

      For example:

      root@host:/# python endpoint_replace.py --admin-token 9390f3df14812451541f --management-ip 192.0.2.1

    Updating the OpenStack Heat Resources

    Use the following procedure to check that the JSM Heat resource is available in Contrail OpenStack on the Contrail Controller node.

    Note: This procedure must be performed on all the Contrail Controller nodes in your CSO installation.

    1. Log in to the Contrail Controller as root.
    2. To check whether the JSM Heat resource is available, execute the heat resource-type-list | grep JSM command.

      If the search returns the text OS::JSM::Get Flavor, the file is available in Contrail OpenStack.

    3. If the file is missing, do the following:
      1. Use Secure Copy Protocol (SCP) to copy the jsm_contrail_3.pyc file to the following locations:
        • For Heat V1 APIs, the /usr/lib/python2.7/dist-packages/contrail_heat/resources directory on the Contrail Controller node.
        • For Heat V2 APIs, the /usr/lib/python2.7/dist-packages/vnc_api/gen/heat/resources directory on the Contrail Controller node.

        Note: The jsm_contrail_3.pyc file is located in the /root/Contrail_Service_Orchestration_3.1/deployments/central/file_root/contrail_openstack/ directory on the VM or server on which you installed CSO.

      2. Rename the file to jsm.pyc in both heat resources directories.
      3. Restart the heat services by executing the service heat-api restart && service heat-api-cfn restart && service heat-engine restart command.
      4. After the services restart successfully, verify that the JSM heat resource is available as explained in Step 2. If it is not available, repeat Step 3.

    Specifying Attributes for Virtual Networks Created in Contrail

    A centralized deployment uses Contrail virtual networks for management and Internet traffic. You can create these virtual networks when you set up a centralized deployment in Administration Portal. Alternatively, you can create the networks in Contrail or use existing networks that you created in Contrail. For more information about this subject, see: https://www.juniper.net/documentation/en_US/contrail3.0/topics/task/configuration/creating-virtual-network-juniper-vnc-consolidate.html.

    If you create the virtual networks in Administration Portal, CSO automatically sets up the required routing and sharing attributes for the networks. If, however, you create the virtual networks in Contrail, you must:

    • Configure routing from the Contrail Service Orchestration (CSO) regional server to both virtual networks.
    • Specify that the management virtual network is shared (public).

      This action ensures that the multiple tenants (customers) can access the network.

    Configuring the Contrail Cloud Platform Keystone as the CSO External Keystone

    When you install CSO, you can specify that the deployment should use the Contrail Cloud Platform Keystone as an external Keystone for authentication of CSO operations. If you do so, you must use this procedure to configure the Contrail Cloud Platform Keystone to authenticate CSO operations. To do so:

    1. Log in to the Contrail controller node as root.
    2. If you want to execute Keystone commands, set the source path, using the path that you configured during the installation.

      For example:

      root@host:~/# source /etc/contrail/keystonerc
    3. Set the OpenStack source path.

      For example:

      root@host:~/# source /etc/contrail/openstackrc
    4. Create a user called cspadmin.
      root@host:/# openstack user create --domain default --password-prompt cspadmin
    5. Obtain the identifiers (IDs) of the following users:
      • admin
      • cspadmin
      • neutron
      root@host:/# openstack user list
        ID                     Name           
        0a3615846a4d689bedf8   admin       
        20a61f33a15453f21682   cspadmin  
        41a71e35a152a7c39e69   neutron 
    6. Obtain the ID of the default domain.
      root@host:/# openstack domain list
    7. Create a project called default-project.
      root@host:/# openstack project create --domain default --description "Default Project" default-project
    8. Assign the admin role to the admin and cspadmin users.
      root@host:/# openstack role add --user admin admin
      root@host:/# openstack role add --user cspadmin admin
    9. Create the roles operator and tenant-operator.
      root@host:~/# openstack role create operator
      root@host:~/# openstack role create tenant-operator
    10. Obtain the Keystone service token from the /etc/contrail/keystone file.
    11. If the following groups do not already exist, create them:
      • admin
      • _member_
      • operator
      root@host:~/# curl -H "x-auth-token:service-token" -H "content-type:application/json" -d '{"group": {"name": "group-name", "domain_id": "default"}}' -XPOST http://contrail-controller-ip-address:5000/v3/groups

      where

      • service-token—Service token for the Contrail OpenStack Keystone
      • group-name—Name of the group
      • domain_id—ID of the domain
      • contrail-controller-ip-address—Management IP address of the Contrail controller node

      For example:

      root@host:~/# curl -H "x-auth-token:9390f3df14812451541f" -H "content-type:application/json" -d '{"group": {"name": "operator", "domain_id": "2738ef02df227c34ec49"}}' -XPOST http://192.0.2.1:5000/v3/groups
      root@host:~/# curl -H "x-auth-token:9390f3df14812451541f" -H "content-type:application/json" -d '{"group": {"name": "admin", "domain_id": "2738ef02df227c34ec49"}}' -XPOST http://192.0.2.1:5000/v3/groups
      root@host:~/# curl -H "x-auth-token:9390f3df14812451541f" -H "content-type:application/json" -d '{"group": {"name": "_member_", "domain_id": "2738ef02df227c34ec49"}}' -XPOST http://192.0.2.1:5000/v3/groups
    12. Obtain the IDs for the groups:
      root@host:/# openstack group list
        ID                     Name           
        7df60593f801df3cad04   _member_       
        5be423fdf76a5d4f8964   admin  
        3bc8235fd643ae814c3d   operator  
    13. Use the following command to add the admin and cspadmin users to the admin and _member_ groups.
      root@host:/# curl -g -I -X PUT http://contrail-controller-ip-address:5000/v3/groups/group-id/users/user-id -H "Accept: application/json" -H "X-Auth-Token:service-token"

      where

      • contrail-controller-ip-address—Management IP address of the Contrail controller node
      • group-id—ID of the group
      • user-id—ID of the user
      • service-token—Service token that you use to access Contrail OpenStack

      For example:

      root@host:/# curl -g -I -X PUT http://192.0.2.1:5000/v3/groups/5be423fdf76a5d4f8964/users/0a3615846a4d689bedf8 -H "Accept: application/json" -H "X-Auth-Token:9390f3df14812451541f"
      root@host:/# curl -g -I -X PUT http://192.0.2.1:5000/v3/groups/5be423fdf76a5d4f8964/users/20a61f33a15453f21682 -H "Accept: application/json" -H "X-Auth-Token:9390f3df14812451541f"
      root@host:/# curl -g -I -X PUT http://192.0.2.1:5000/v3/groups/7df60593f801df3cad04/users/0a3615846a4d689bedf8 -H "Accept: application/json" -H "X-Auth-Token:9390f3df14812451541f"
      root@host:/# curl -g -I -X PUT http://192.0.2.1:5000/v3/groups/7df60593f801df3cad04/users/20a61f33a15453f21682 -H "Accept: application/json" -H "X-Auth-Token:9390f3df14812451541f"
    14. Use the following command to assign the system_user property to the admin, cspadmin, and neutron users.
      root@host:/# curl -X PATCH -H "X-Auth-Token:service-token" http://contrail-controller-ip-address:35357/v3/users/user-id -d '{"user": {"system_user": 1 }}'

      where

      • service-token—Service token for the Contrail OpenStack Keystone
      • contrail-controller-ip-address—Management IP address of the Contrail controller node
      • user-id—ID of the user

      For example:

      root@host:/# curl -X PATCH -H "X-Auth-Token:9390f3df14812451541f" http://192.0.2.1:35357/v3/users/0a3615846a4d689bedf8 -d '{"user": {"system_user": 1 }}'
      root@host:/# curl -X PATCH -H "X-Auth-Token:9390f3df14812451541f" http://192.0.2.1:35357/v3/users/20a61f33a15453f21682 -d '{"user": {"system_user": 1 }}'
      root@host:/# curl -X PATCH -H "X-Auth-Token:9390f3df14812451541f" http://192.0.2.1:35357/v3/users/00d3b0113ae21f270d11 -d '{"user": {"system_user": 1 }}'
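
    The following sketch covers steps 11 and 13 of the procedure above: it works out which of the three groups still need to be created, builds the request body and the group-membership URLs, and passes the service token to curl on standard input rather than on the command line. It is an added example, not part of the original Juniper procedure; the function names and the SERVICE_TOKEN shell variable are assumptions.

```shell
# Added example (not from the original page). Function names and the
# SERVICE_TOKEN shell variable are assumptions made for illustration.
# POSIX sh; defines functions only and contacts nothing until called.

# Step 11: print each required group that is absent from the names in $1
# (newline-separated, e.g. from `openstack group list -f value -c Name`).
missing_groups() {
  for g in admin _member_ operator; do
    printf '%s\n' "$1" | grep -qxF -- "$g" || printf '%s\n' "$g"
  done
}

# Step 11: JSON body for POST /v3/groups. $1 = group name, $2 = domain ID.
group_body() {
  printf '{"group": {"name": "%s", "domain_id": "%s"}}' "$1" "$2"
}

# Step 13: one PUT URL per (group, user) pair.
# $1 = Keystone base URL, $2 = group IDs, $3 = user IDs (space-separated).
membership_urls() {
  for g in $2; do
    for u in $3; do
      printf '%s/groups/%s/users/%s\n' "$1" "$g" "$u"
    done
  done
}

# Send one request. The token reaches curl through a config read from
# stdin (-K -) instead of argv, where other local users could see it in ps.
# $1 = method, $2 = URL, $3 = optional JSON body.
keystone_call() {
  printf 'header = "X-Auth-Token: %s"\n' "$SERVICE_TOKEN" |
    if [ -n "${3:-}" ]; then
      curl -sS -K - -X "$1" -H 'Content-Type: application/json' -d "$3" "$2"
    else
      curl -sS -K - -X "$1" "$2"
    fi
}

# Usage on the controller (base URL uses the example address from this page):
#   base=http://192.0.2.1:5000/v3
#   for n in $(missing_groups "$(openstack group list -f value -c Name)"); do
#     keystone_call POST "$base/groups" "$(group_body "$n" default)"
#   done
#   membership_urls "$base" "$group_ids" "$user_ids" |
#     while read -r url; do keystone_call PUT "$url" </dev/null; done
```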

    Configuring Contrail OpenStack to Communicate with a CSO Keystone

    If you use the CSO Keystone with a centralized deployment, you must configure Contrail OpenStack to communicate with that Keystone. To do so:

    1. Log in to the Contrail controller node as root.
    2. Create a project for the CSO Keystone.
      root@host:/# openstack project create --domain default --description "CSO Keystone project" cso-project1
    3. Obtain the ID for the project.

      For example:

      root@host:/# openstack project list
        ID                     Name           
        58090bdedd6661ba034d   cso-project1       
    4. Obtain the IDs for the admin and _member_ roles.

      For example:

      root@host:/# openstack role list
        ID                     Name           
        8fc18ab8437442875556   _member_       
        d30b1eb296b703e17a88   admin  
    5. Add the admin and _member_ roles to the project that you created.
      root@host:~/# openstack role add --project 58090bdedd6661ba034d d30b1eb296b703e17a88
      root@host:~/# openstack role add --project 58090bdedd6661ba034d 8fc18ab8437442875556
    6. Create a user, and assign the user to the project that you created.

      For example:

      root@host:/# openstack user create --project 58090bdedd6661ba034d --password-prompt user1
       
        Field        Value                             
        email        None                              
        enabled      True                              
        id           22c9ec47317b1b04790  
        name         user1                          
        project_id   58090bdedd6661ba034d  
        username     user1                          
      
    7. Obtain the ID for the user that you created.

      For example:

      root@host:/# openstack user list
        ID                     Name           
        22c9ec47317b1b04790    user1       
    8. Assign the admin and _member_ roles to the user that you created.
      root@host:/# openstack role add --user 22c9ec47317b1b04790 d30b1eb296b703e17a88
      root@host:/# openstack role add --user 22c9ec47317b1b04790 8fc18ab8437442875556

    Modified: 2017-12-19