neutron openvswitch #0

Supports: xenial

Add to new model


Neutron is a virtual network service for Openstack, and a part of
Netstack. Just like OpenStack Nova provides an API to dynamically
request and configure virtual servers, Neutron provides an API to
dynamically request and configure virtual networks. These networks
connect "interfaces" from other OpenStack services (e.g., virtual NICs
from Nova VMs). The Neutron API supports extensions to provide
advanced network capabilities (e.g., QoS, ACLs, network monitoring,
. This charm provides the OpenStack Neutron Open vSwitch agent, managing
L2 connectivity on nova-compute services.


This subordinate charm provides the Neutron OpenvSwitch configuration for a compute node.

Once deployed it takes over the management of the Neutron base and plugin configuration on the compute node.


To deploy (partial deployment of linked charms only):

juju deploy rabbitmq-server
juju deploy neutron-api
juju deploy nova-compute
juju deploy neutron-openvswitch
juju add-relation neutron-openvswitch nova-compute
juju add-relation neutron-openvswitch neutron-api
juju add-relation neutron-openvswitch rabbitmq-server

Note that the rabbitmq-server can optionally be a different instance of the rabbitmq-server charm than used by OpenStack Nova:

juju deploy rabbitmq-server rmq-neutron
juju add-relation neutron-openvswitch rmq-neutron
juju add-relation neutron-api rmq-neutron

The neutron-api and neutron-openvswitch charms must be related to the same instance of the rabbitmq-server charm.


It should only be used with OpenStack Icehouse and above and requires a seperate neutron-api service to have been deployed.

Disabling security group management

WARNING: this feature allows you to effectively disable security on your cloud!

This charm has a configuration option to allow users to disable any per-instance security group management; this must used with neutron-security-groups enabled in the neutron-api charm and could be used to turn off security on selected set of compute nodes:

juju deploy neutron-openvswitch neutron-openvswitch-insecure
juju set neutron-openvswitch-insecure disable-security-groups=True prevent-arp-spoofing=False
juju deploy nova-compute nova-compute-insecure
juju add-relation nova-compute-insecure neutron-openvswitch-insecure

These compute nodes could then be accessed by cloud users via use of host aggregates with specific flavors to target instances to hypervisors with no per-instance security.

Deploying from source

The minimum openstack-origin-git config required to deploy from source is:

openstack-origin-git: include-file://neutron-juno.yaml

    - {name: requirements,
       repository: 'git://',
       branch: stable/juno}
    - {name: neutron,
       repository: 'git://',
       branch: stable/juno}

Note that there are only two 'name' values the charm knows about: 'requirements'
and 'neutron'. These repositories must correspond to these 'name' values.
Additionally, the requirements repository must be specified first and the
neutron repository must be specified last. All other repostories are installed
in the order in which they are specified.

The following is a full list of current tip repos (may not be up-to-date):

openstack-origin-git: include-file://neutron-master.yaml

    - {name: requirements,
       repository: 'git://',
       branch: master}
    - {name: oslo-concurrency,
       repository: 'git://',
       branch: master}
    - {name: oslo-config,
       repository: 'git://',
       branch: master}
    - {name: oslo-context,
       repository: 'git://',
       branch: master}
    - {name: oslo-db,
       repository: 'git://',
       branch: master}
    - {name: oslo-i18n,
       repository: 'git://',
       branch: master}
    - {name: oslo-messaging,
       repository: 'git://',
       branch: master}
    - {name: oslo-middleware,
       repository': 'git://',
       branch: master}
    - {name: oslo-rootwrap',
       repository: 'git://',
       branch: master}
    - {name: oslo-serialization,
       repository: 'git://',
       branch: master}
    - {name: oslo-utils,
       repository: 'git://',
       branch: master}
    - {name: pbr,
       repository: 'git://',
       branch: master}
    - {name: stevedore,
       repository: 'git://',
       branch: 'master'}
    - {name: python-keystoneclient,
       repository: 'git://',
       branch: master}
    - {name: python-neutronclient,
       repository: 'git://',
       branch: master}
    - {name: python-novaclient,
       repository': 'git://',
       branch: master}
    - {name: keystonemiddleware,
       repository: 'git://',
       branch: master}
    - {name: neutron-fwaas,
       repository': 'git://',
       branch: master}
    - {name: neutron-lbaas,
       repository: 'git://',
       branch: master}
    - {name: neutron-vpnaas,
       repository: 'git://',
       branch: master}
    - {name: neutron,
       repository: 'git://',
       branch: master}

Network Spaces support

This charm supports the use of Juju Network Spaces, allowing the charm to be bound to network space configurations managed directly by Juju. This is only supported with Juju 2.0 and above.

Open vSwitch endpoints can be configured using the 'data' extra-binding, ensuring that tunnel traffic is routed across the correct host network interfaces:

juju deploy neutron-openvswitch --bind "data=data-space"

alternatively these can also be provided as part of a juju native bundle configuration:

  charm: cs:xenial/neutron-openvswitch
    data: data-space

NOTE: Spaces must be configured in the underlying provider prior to attempting to use them.

NOTE: Existing deployments using os-data-network configuration options will continue to function; this option is preferred over any network space binding provided if set.

DPDK fast packet processing support

For OpenStack Mitaka running on Ubuntu 16.04, its possible to use experimental DPDK userspace network acceleration with Open vSwitch and OpenStack.

Currently, this charm supports use of DPDK enabled devices in bridges supporting connectivity to provider networks.

To use DPDK, you'll need to have supported network cards in your server infrastructure (see dpdk-nics[DPDK documentation]); DPDK must be enabled and configured during deployment of the charm, for example:

    enable-dpdk: True
    data-port: "br-phynet1:a8:9d:21:cf:93:fc br-phynet2:a8:9d:21:cf:93:fd br-phynet3:a8:9d:21:cf:93:fe"

As devices are not typically named consistently across servers, multiple instances of each bridge -> mac address mapping can be provided; the charm deals with resolution of the set of bridge -> port mappings that are required for each individual unit of the charm.

DPDK requires the use of hugepages, which is not directly configured in the neutron-openvswitch charm; Hugepage configuration can either be done by providing kernel boot command line options for individual servers using MAAS or using the 'hugepages' configuration option of the nova-compute charm:

    hugepages: 50%

By default, the charm will configure Open vSwitch/DPDK to consume a processor core + 1G of RAM from each NUMA node on the unit being deployed; this can be tuned using the dpdk-socket-memory and dpdk-socket-cores configuration options of the charm. The userspace kernel driver can be configured using the dpdk-driver option. See config.yaml for more details.

NOTE: Changing dpdk-socket-* configuration options will trigger a restart of Open vSwitch, which currently causes connectivity to running instances to be lost - connectivity can only be restored with a stop/start of each instance.

NOTE: Enabling DPDK support automatically disables security groups for instances.


(string) Space-delimited list of ML2 data bridge mappings with format <provider>:<bridge>.
(string) Space-delimited list of bridge:port mappings. Ports will be added to their corresponding bridge. The bridges will allow usage of flat or VLAN network types with Neutron and should match this defined in bridge-mappings. . Ports provided can be the name or MAC address of the interface to be added to the bridge. If MAC addresses are used, you may provide multiple bridge:mac for the same bridge so as to be able to configure multiple units. In this case the charm will run through the provided MAC addresses for each bridge until it finds one it can resolve to an interface name.
(boolean) Enable debug logging.
(boolean) Disable neutron based security groups - setting this configuration option will override any settings configured via the neutron-api charm. . BE CAREFUL - this option allows you to disable all port level security within an OpenStack cloud.
(string) Kernel userspace device driver to use for DPDK devices, valid values include: . vfio-pci uio_pci_generic . Only used when DPDK is enabled.
(int) Number of cores to allocate to DPDK per NUMA socket in deployed systems. . Only used when DPDK is enabled.
(int) Amount of hugepage memory in MB to allocate per NUMA socket in deployed systems. . Only used when DPDK is enabled.
(boolean) Enable DPDK fast userspace networking; this requires use of DPDK supported network interface drivers and must be used in conjuction with the data-port configuration option to configure each bridge with an appropriate DPDK enabled network device.
(boolean) Enable local Neutron DHCP and Metadata Agents. This is useful for deployments which do not include a neutron-gateway (do not require l3, lbaas or vpnaas services) and should only be used in-conjunction with flat or VLAN provider networks configurations.
(string) A space-separated list of external ports to use for routing of instance traffic to the external public network. Valid values are either MAC addresses (in which case only MAC addresses for interfaces without an IP address already assigned will be used), or interfaces (eth0)
(string) Space-delimited list of Neutron flat network providers.
(string) Specifies a YAML-formatted dictionary listing the git repositories and branches from which to install OpenStack and its dependencies. When openstack-origin-git is specified, openstack-specific packages will be installed from source rather than from the the nova-compute charm's openstack-origin repository. Note that the installed config files will be determined based on the OpenStack release of the nova-compute charm's openstack-origin option. For more details see
(string) The IP address and netmask of the OpenStack Data network (e.g., . This network will be used for tenant network traffic in overlay networks. . In order to support service zones spanning multiple network segments, a space-delimited list of a.b.c.d/x can be provided The address of the first network found to have an address configured will be used.
(boolean) Enable suppression of ARP responses that don't match an IP address that belongs to the port from which they originate. . Only supported in OpenStack Liberty or newer, which has the required minimum version of Open vSwitch.
(string) Username used to access RabbitMQ queue
(string) RabbitMQ vhost
(boolean) Setting this to True will allow supporting services to log to syslog.
(boolean) Enable verbose logging.
(string) Space-delimited list of <physical_network>:<vlan_min>:<vlan_max> or <physical_network> specifying physical_network names usable for VLAN provider and tenant networks, as well as ranges of VLAN tags on each available for allocation to tenant networks.