Configuring stateless services¶
API services¶
Load-balancer¶
HAProxy¶
HAProxy provides a fast and reliable HTTP reverse proxy and load balancer for TCP or HTTP applications. It is particularly suited for web crawling under very high loads while needing persistence or Layer 7 processing. It realistically supports tens of thousands of connections with recent hardware.
Each instance of HAProxy configures its front end to accept connections only to the virtual IP (VIP) address. The HAProxy back end (termination point) is a list of all the IP addresses of instances for load balancing.
Note
Ensure your HAProxy installation is not a single point of failure, it is advisable to have multiple HAProxy instances running.
You can also ensure the availability by other means, using Keepalived or Pacemaker.
Alternatively, you can use a commercial load balancer, which is hardware or software. We recommend a hardware load balancer as it generally has good performance.
For detailed instructions about installing HAProxy on your nodes, see the HAProxy official documentation.
Configuring HAProxy¶
Restart the HAProxy service.
Locate your HAProxy instance on each OpenStack controller in your environment. The following is an example
/etc/haproxy/haproxy.cfg
configuration file. Configure your instance using the following configuration file, you will need a copy of it on each controller node.global chroot /var/lib/haproxy daemon group haproxy maxconn 4000 pidfile /var/run/haproxy.pid user haproxy defaults log global maxconn 4000 option redispatch retries 3 timeout http-request 10s timeout queue 1m timeout connect 10s timeout client 1m timeout server 1m timeout check 10s listen dashboard_cluster bind <Virtual IP>:443 balance source option tcpka option httpchk option tcplog server controller1 10.0.0.12:443 check inter 2000 rise 2 fall 5 server controller2 10.0.0.13:443 check inter 2000 rise 2 fall 5 server controller3 10.0.0.14:443 check inter 2000 rise 2 fall 5 listen galera_cluster bind <Virtual IP>:3306 balance source option mysql-check server controller1 10.0.0.12:3306 check port 9200 inter 2000 rise 2 fall 5 server controller2 10.0.0.13:3306 backup check port 9200 inter 2000 rise 2 fall 5 server controller3 10.0.0.14:3306 backup check port 9200 inter 2000 rise 2 fall 5 listen glance_api_cluster bind <Virtual IP>:9292 balance source option tcpka option httpchk option tcplog server controller1 10.0.0.12:9292 check inter 2000 rise 2 fall 5 server controller2 10.0.0.13:9292 check inter 2000 rise 2 fall 5 server controller3 10.0.0.14:9292 check inter 2000 rise 2 fall 5 listen glance_registry_cluster bind <Virtual IP>:9191 balance source option tcpka option tcplog server controller1 10.0.0.12:9191 check inter 2000 rise 2 fall 5 server controller2 10.0.0.13:9191 check inter 2000 rise 2 fall 5 server controller3 10.0.0.14:9191 check inter 2000 rise 2 fall 5 listen keystone_admin_cluster bind <Virtual IP>:35357 balance source option tcpka option httpchk option tcplog server controller1 10.0.0.12:35357 check inter 2000 rise 2 fall 5 server controller2 10.0.0.13:35357 check inter 2000 rise 2 fall 5 server controller3 10.0.0.14:35357 check inter 2000 rise 2 fall 5 listen keystone_public_internal_cluster bind <Virtual IP>:5000 balance source option tcpka option httpchk option tcplog server controller1 10.0.0.12:5000 check inter 2000 rise 2 fall 5 server controller2 10.0.0.13:5000 check inter 2000 rise 2 fall 5 server controller3 10.0.0.14:5000 check inter 2000 rise 2 fall 5 listen nova_ec2_api_cluster bind <Virtual IP>:8773 balance source option tcpka option tcplog server controller1 10.0.0.12:8773 check inter 2000 rise 2 fall 5 server controller2 10.0.0.13:8773 check inter 2000 rise 2 fall 5 server controller3 10.0.0.14:8773 check inter 2000 rise 2 fall 5 listen nova_compute_api_cluster bind <Virtual IP>:8774 balance source option tcpka option httpchk option tcplog server controller1 10.0.0.12:8774 check inter 2000 rise 2 fall 5 server controller2 10.0.0.13:8774 check inter 2000 rise 2 fall 5 server controller3 10.0.0.14:8774 check inter 2000 rise 2 fall 5 listen nova_metadata_api_cluster bind <Virtual IP>:8775 balance source option tcpka option tcplog server controller1 10.0.0.12:8775 check inter 2000 rise 2 fall 5 server controller2 10.0.0.13:8775 check inter 2000 rise 2 fall 5 server controller3 10.0.0.14:8775 check inter 2000 rise 2 fall 5 listen cinder_api_cluster bind <Virtual IP>:8776 balance source option tcpka option httpchk option tcplog server controller1 10.0.0.12:8776 check inter 2000 rise 2 fall 5 server controller2 10.0.0.13:8776 check inter 2000 rise 2 fall 5 server controller3 10.0.0.14:8776 check inter 2000 rise 2 fall 5 listen ceilometer_api_cluster bind <Virtual IP>:8777 balance source option tcpka option tcplog server controller1 10.0.0.12:8777 check inter 2000 rise 2 fall 5 server controller2 10.0.0.13:8777 check inter 2000 rise 2 fall 5 server controller3 10.0.0.14:8777 check inter 2000 rise 2 fall 5 listen nova_vncproxy_cluster bind <Virtual IP>:6080 balance source option tcpka option tcplog server controller1 10.0.0.12:6080 check inter 2000 rise 2 fall 5 server controller2 10.0.0.13:6080 check inter 2000 rise 2 fall 5 server controller3 10.0.0.14:6080 check inter 2000 rise 2 fall 5 listen neutron_api_cluster bind <Virtual IP>:9696 balance source option tcpka option httpchk option tcplog server controller1 10.0.0.12:9696 check inter 2000 rise 2 fall 5 server controller2 10.0.0.13:9696 check inter 2000 rise 2 fall 5 server controller3 10.0.0.14:9696 check inter 2000 rise 2 fall 5 listen swift_proxy_cluster bind <Virtual IP>:8080 balance source option tcplog option tcpka server controller1 10.0.0.12:8080 check inter 2000 rise 2 fall 5 server controller2 10.0.0.13:8080 check inter 2000 rise 2 fall 5 server controller3 10.0.0.14:8080 check inter 2000 rise 2 fall 5
Note
The Galera cluster configuration directive
backup
indicates that two of the three controllers are standby nodes. This ensures that only one node services write requests because OpenStack support for multi-node writes is not yet production-ready.Note
The Telemetry API service configuration does not have the
option httpchk
directive as it cannot process this check properly.
Configure the kernel parameter to allow non-local IP binding. This allows running HAProxy instances to bind to a VIP for failover. Add following line to
/etc/sysctl.conf
:net.ipv4.ip_nonlocal_bind = 1
Restart the host or, to make changes work immediately, invoke:
$ sysctl -p
Add HAProxy to the cluster and ensure the VIPs can only run on machines where HAProxy is active:
pcs
$ pcs resource create lb-haproxy systemd:haproxy --clone $ pcs constraint order start vip then lb-haproxy-clone kind=Optional $ pcs constraint colocation add lb-haproxy-clone with vip
crmsh
$ crm cib new conf-haproxy $ crm configure primitive haproxy lsb:haproxy op monitor interval="1s" $ crm configure clone haproxy-clone haproxy $ crm configure colocation vip-with-haproxy inf: vip haproxy-clone $ crm configure order haproxy-after-vip mandatory: vip haproxy-clone
Pacemaker versus systemd¶
Memcached¶
Memcached is a general-purpose distributed memory caching system. It is used to speed up dynamic database-driven websites by caching data and objects in RAM to reduce the number of times an external data source must be read.
Memcached is a memory cache demon that can be used by most OpenStack services to store ephemeral data, such as tokens.
Access to Memcached is not handled by HAProxy because replicated access is currently in an experimental state. Instead, OpenStack services must be supplied with the full list of hosts running Memcached.
The Memcached client implements hashing to balance objects among the instances. Failure of an instance impacts only a percentage of the objects and the client automatically removes it from the list of instances. The SLA is several minutes.
Highly available API services¶
Identity API¶
Ensure you have read the OpenStack Identity service getting started documentation.
Add OpenStack Identity resource to Pacemaker¶
The following section(s) detail how to add the Identity service to Pacemaker on SUSE and Red Hat.
SUSE¶
SUSE Enterprise Linux and SUSE-based distributions, such as openSUSE, use a set of OCF agents for controlling OpenStack services.
Run the following commands to download the OpenStack Identity resource to Pacemaker:
# cd /usr/lib/ocf/resource.d # mkdir openstack # cd openstack # wget https://opendev.org/x/openstack-resource-agents/raw/branch/master/ocf/keystone # chmod a+rx *
Add the Pacemaker configuration for the OpenStack Identity resource by running the following command to connect to the Pacemaker cluster:
# crm configure
Add the following cluster resources:
clone p_keystone ocf:openstack:keystone \ params config="/etc/keystone/keystone.conf" os_password="secretsecret" os_username="admin" os_tenant_name="admin" os_auth_url="http://10.0.0.11:5000/v2.0/" \ op monitor interval="30s" timeout="30s"
Note
This configuration creates
p_keystone
, a resource for managing the OpenStack Identity service.Commit your configuration changes from the crm configure menu with the following command:
# commit
The crm configure supports batch input. You may have to copy and paste the above lines into your live Pacemaker configuration, and then make changes as required.
For example, you may enter
edit p_ip_keystone
from the crm configure menu and edit the resource to match your preferred virtual IP address.Pacemaker now starts the OpenStack Identity service and its dependent resources on all of your nodes.
Red Hat¶
For Red Hat Enterprise Linux and Red Hat-based Linux distributions, the following process uses Systemd unit files.
# pcs resource create openstack-keystone systemd:openstack-keystone --clone interleave=true
Configure OpenStack Identity service¶
Edit the
keystone.conf
file to change the values of the bind(2) parameters:bind_host = 10.0.0.12 public_bind_host = 10.0.0.12 admin_bind_host = 10.0.0.12
The
admin_bind_host
parameter lets you use a private network for admin access.To be sure that all data is highly available, ensure that everything is stored in the MySQL database (which is also highly available):
[catalog] driver = keystone.catalog.backends.sql.Catalog # ... [identity] driver = keystone.identity.backends.sql.Identity # ...
If the Identity service will be sending ceilometer notifications and your message bus is configured for high availability, you will need to ensure that the Identity service is correctly configured to use it.
Configure OpenStack services to use the highly available OpenStack Identity¶
Your OpenStack services now point their OpenStack Identity configuration to the highly available virtual cluster IP address.
For OpenStack Compute service, (if your OpenStack Identity service IP address is 10.0.0.11) use the following configuration in the
api-paste.ini
file:
auth_host = 10.0.0.11
Create the OpenStack Identity Endpoint with this IP address.
Note
If you are using both private and public IP addresses, create two virtual IP addresses and define the endpoint. For example:
$ openstack endpoint create --region $KEYSTONE_REGION \ $service-type public http://PUBLIC_VIP:5000/v2.0 $ openstack endpoint create --region $KEYSTONE_REGION \ $service-type admin http://10.0.0.11:35357/v2.0 $ openstack endpoint create --region $KEYSTONE_REGION \ $service-type internal http://10.0.0.11:5000/v2.0
If you are using Dashboard (horizon), edit the
local_settings.py
file to include the following:OPENSTACK_HOST = 10.0.0.11
Telemetry API¶
The Telemetry polling agent can be configured to partition its polling workload between multiple agents. This enables high availability (HA).
Both the central and the compute agent can run in an HA deployment. This means that multiple instances of these services can run in parallel with workload partitioning among these running instances.
The Tooz library provides the coordination within the groups of service instances. It provides an API above several back ends that can be used for building distributed applications.
Tooz supports various drivers including the following back end solutions:
- Zookeeper:
Recommended solution by the Tooz project.
- Redis:
Recommended solution by the Tooz project.
- Memcached:
Recommended for testing.
You must configure a supported Tooz driver for the HA deployment of the Telemetry services.
For information about the required configuration options
to set in the ceilometer.conf
, see the coordination section
in the OpenStack Configuration Reference.
Note
Only one instance for the central and compute agent service(s) is able
to run and function correctly if the backend_url
option is not set.
The availability check of the instances is provided by heartbeat messages. When the connection with an instance is lost, the workload will be reassigned within the remaining instances in the next polling cycle.
Note
Memcached uses a timeout value, which should always be set to a value that is higher than the heartbeat value set for Telemetry.
For backward compatibility and supporting existing deployments, the central
agent configuration supports using different configuration files. This is for
groups of service instances that are running in parallel.
For enabling this configuration, set a value for the
partitioning_group_prefix
option in the
polling section
in the OpenStack Configuration Reference.
Warning
For each sub-group of the central agent pool with the same
partitioning_group_prefix
, a disjoint subset of meters must be polled
to avoid samples being missing or duplicated. The list of meters to poll
can be set in the /etc/ceilometer/pipeline.yaml
configuration file.
For more information about pipelines see the Data processing and pipelines
section.
To enable the compute agent to run multiple instances simultaneously with
workload partitioning, the workload_partitioning
option must be set to
True
under the compute section
in the ceilometer.conf
configuration file.