Octavia¶
Octavia provides load balancing as a service. This guide covers configuration of Octavia for the Amphora driver. See the Octavia documentation for full details.
Resources¶
Currently in Kolla Ansible it is necessary to manually register the OpenStack resources required by Octavia. Kolla Ansible aims to automate this in the future.
Note
In Ussuri and later releases, resources are registered in the service
project. This is configured via octavia_service_auth_project
,
and may be set to service
to avoid a breaking change when upgrading to
Ussuri. Changing the project on an existing system requires at a minimum
registering a new security group in the new project. Ideally the flavor and
network should be recreated in the new project, although this will impact
existing Amphorae.
All resources should be registered in the admin
project. This can be done
as follows:
source admin-openrc.sh
export OS_USERNAME=octavia
export OS_PASSWORD=<octavia keystone password>
export OS_PROJECT_NAME=admin
export OS_TENANT_NAME=admin
You can find the Octavia password in passwords.yml
.
Amphora image¶
It is necessary to build an Amphora image. On CentOS / RHEL 8:
sudo dnf -y install epel-release
sudo dnf install -y debootstrap
On Ubuntu:
sudo apt -y install debootstrap
Acquire the Octavia source code:
git clone https://opendev.org/openstack/octavia -b <branch>
Install diskimage-builder
, ideally in a virtual environment:
python3 -m venv dib-venv
source dib-venv/bin/activate
pip install diskimage-builder
Create the Amphora image:
cd octavia/diskimage-create
./diskimage-create.sh
Register the image in Glance:
openstack image create amphora-x64-haproxy.qcow2 --container-format bare --disk-format qcow2 --private --tag amphora --file amphora-x64-haproxy.qcow2
Octavia uses the tag to determine which image to use.
Amphora flavor¶
Register the flavor in Nova:
openstack flavor create --vcpus 1 --ram 1024 --disk 2 "amphora" --private
Make a note of the ID of the flavor, or specify one via --id
.
Keypair¶
Register the keypair in Nova:
openstack keypair create --public-key <path to octavia public key> octavia_ssh_key
Network and subnet¶
Register the management network and subnet in Neutron. This must be a network that is accessible from the controllers. Typically a VLAN provider network is used. In that case it will be necessary to enable Neutron provider networks.
OCTAVIA_MGMT_SUBNET=192.168.43.0/24
OCTAVIA_MGMT_SUBNET_START=192.168.43.10
OCTAVIA_MGMT_SUBNET_END=192.168.43.254
openstack network create lb-mgmt-net --provider-network-type vlan --provider-segment 107 --provider-physical-network physnet1
openstack subnet create --subnet-range $OCTAVIA_MGMT_SUBNET --allocation-pool \
start=$OCTAVIA_MGMT_SUBNET_START,end=$OCTAVIA_MGMT_SUBNET_END \
--network lb-mgmt-net lb-mgmt-subnet
Make a note of the ID of the network.
Security group¶
Register the security group in Neutron.
openstack security group create lb-mgmt-sec-grp
openstack security group rule create --protocol icmp lb-mgmt-sec-grp
openstack security group rule create --protocol tcp --dst-port 22 lb-mgmt-sec-grp
openstack security group rule create --protocol tcp --dst-port 9443 lb-mgmt-sec-grp
Make a note of the ID of the security group.
Kolla Ansible configuration¶
Globals¶
The following options should be added to globals.yml
.
Enable the Octavia service:
enable_octavia: yes
If using a VLAN for the Octavia management network, enable Neutron provider networks:
enable_neutron_provider_networks: yes
Configure the name of the network interface on the controllers used to access the Octavia management network. If using a VLAN provider network, ensure that the traffic is also bridged to Open vSwitch on the controllers.
octavia_network_interface: <network interface on controllers>
Set the IDs of the resources registered previously:
octavia_amp_boot_network_list: <ID of lb-mgmt-net>
octavia_amp_secgroup_list: <ID of lb-mgmt-sec-grp>
octavia_amp_flavor_id: <ID of amphora flavor>
Passwords¶
The following option should be set in passwords.yml
, matching the password
used to encrypt the CA key:
octavia_ca_password: <CA key password>
Certificates¶
Follow the octavia documentation to generate certificates for Amphorae. These should be copied to the Kolla Ansible configuration as follows:
cp client_ca/certs/ca.cert.pem /etc/kolla/config/octavia/client_ca.cert.pem
cp server_ca/certs/ca.cert.pem /etc/kolla/config/octavia/server_ca.cert.pem
cp server_ca/private/ca.key.pem /etc/kolla/config/octavia/server_ca.key.pem
cp client_ca/private/client.cert-and-key.pem /etc/kolla/config/octavia/client.cert-and-key.pem