I see a bunch of references to neutron-rootwrap-xen-dom0 in various developer resources, but I am having a hard time finding any deployment / operational resources that might outline a successful deployment (ie specific requirements on the Dom0.) Any resources or shared experiences would be helpful!
The one thing I did find is that it needed to be specified as "root_helper = neutron-rootwrap-xen-dom0 /etc/neutron/rootwrap.conf" in the [agent] section of /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini for it to get used. You also have to configure the xenapi related bits at the end of /etc/neutron/rootwrap.conf.
You also have to have all the XenServer plugins installed in dom0. This was not a simple thing. There are also some patches to apply, which no longer apply properly due to versioning differences. I had to do those manually.
That said, I have had zero success with it. Every attempt to use it has resulted in a cascading series of errors that resulted in every configuration variant I could think of failing. Many resulted in the XenServer public IP getting knocked offline. Most of the trouble stemmed from security groups getting hosed for lack of iptables support in the XenServer plugins. I ran out of time to resolve that issue. A two week project turned into a two month nightmare, with more compromises than I wanted.
Ultimately, I settled for running all the networking within a VM. It has some drawbacks, but it works.
Since I supplied this answer, I've learned more. You have to set your security groups driver to nova (not neutron) in nova.conf on your compute node. No firewall drivers exist for xenserver in neutron, so you have to use the dom0 iptables firewall driver in nova for security groups to function.
That said, this code: https://review.openstack.org/#/c/66375/ will break XenServer HVM. No ports will get VLAN tags as a result.
Asked: 2014-01-21 10:27:31 -0500
Seen: 791 times
Last updated: Feb 11 '14
