You can enable Octavia on an operational OpenStack environment with Neutron OVS as a networking solution deployed by MCP.
To enable Octavia on an existing OpenStack environment:
Log in to the Salt Master node.
Add the following class to cluster/<cluster_name>/openstack/database.yml:
- system.galera.server.database.octavia
Add the following classes to cluster/<cluster_name>/openstack/control/init.yml:
- system.keystone.client.service.octavia
- system.glance.client.image.octavia
- system.nova.client.service.octavia
- system.octavia.client
Select from the following options:
To run Octavia worker services in a cluster, add the following class to cluster/<cluster_name>/openstack/control/init.yml:
- system.neutron.client.service.octavia
To run a single instance of Octavia worker services, add the following class to cluster/<cluster_name>/openstack/control/init.yml:
- system.neutron.client.service.octavia.single
If Barbican support is required, add the following classes to cluster/<cluster_name>/openstack/control/init.yml:
- system.barbican.client.v1.octavia
- system.barbican.client.v1.signed_images.octavia
- system.salt.minion.cert.octavia.image_sign
Caution
If signing of images is disabled for Nova, do not add the images-related classes.
Add the following classes to cluster/<cluster_name>/openstack/control.yml:
- system.neutron.control.openvswitch.octavia
- system.octavia.api.cluster
Note
Starting with the OpenStack Queens release, the system.neutron.control.openvswitch.octavia class is not required.
The system.octavia.api.cluster class configures an Octavia API cluster to run on the OpenStack controller nodes. Alternatively, if you want to run a single instance of Octavia API, add the following class instead:
- system.octavia.api.single
In cluster/<cluster_name>/infra/config.yml, configure the Octavia Manager services (Controller Worker, Health Manager, and Housekeeping) to run on one of the gateway nodes, which is gtw01 by default:
Add the following classes:
- system.salt.minion.ca.octavia_amphora_ca
- system.salt.minion.cert.octavia.amphora_cluster_client
If you run the OpenStack gateway services in a cluster, add the following class:
- system.reclass.storage.system.openstack_gateway_single_octavia
before
- system.reclass.storage.system.openstack_gateway_cluster
If you run the OpenStack gateway services in a single mode, add the following class:
- system.reclass.storage.system.openstack_gateway_single_octavia
before
- system.reclass.storage.system.openstack_gateway_single
TECHNICAL PREVIEW If you want to add Octavia Cluster Manager, also add the following class:
- system.reclass.storage.system.openstack_gateway_cluster_octavia
Verify the classes and parameters:
Verify that the cluster/<cluster_name>/openstack/octavia_manager.yml file exists and contains the import of the following classes as well as a private key that will be used to log in to amphorae. For example:
classes:
- system.octavia.manager.single
- system.salt.minion.ca.octavia_ca
- system.salt.minion.cert.octavia.amphora_client
parameters:
  _param:
    cluster_local_address: ${_param:single_address}
    octavia_private_key: |
      -----BEGIN RSA PRIVATE KEY-----
      <private_key>
      -----END RSA PRIVATE KEY-----
The private key is saved to /etc/octavia/.ssh/octavia_ssh_key on the Octavia manager node.
Note
To generate an SSH key pair, run:
ssh-keygen -b 2048 -t rsa -N "" -f ~/.ssh/octavia_ssh_key
To use a spare amphora pool for the Octavia load balancer, specify the spare_amphora_pool_size parameter as required.
octavia:
  manager:
    house_keeping:
      spare_amphora_pool_size: 0
Verify that the following Octavia parameters are configured in cluster/<cluster_name>/openstack/init.yml. For example:
parameters:
  _param:
    octavia_version: ${_param:openstack_version}
    octavia_service_host: ${_param:openstack_control_address}
    mysql_octavia_password: <db_password>
    keystone_octavia_password: <keystone_password>
    amp_flavor_id: <amphora-flavor-id>
    octavia_health_manager_node01_address: 192.168.0.10
    # If clusterization is enabled:
    # octavia_health_manager_node02_address: 192.168.0.11
    # octavia_health_manager_node03_address: 192.168.0.12
    octavia_loadbalancer_topology: "SINGLE"
    octavia_public_key: |
      ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2Oc8MmxBOgcG2ioijXmZ1J
      il+LzPoMUyLwZujQoI3fc5Sfm45y1t22NR966G8jqnHVIKe/JaLT0W3x5bCr4
      rAsIYptTEu+oqW24nsrcsisZeS36apk3g71cp5Up9kf6ZBaSTFFaBfavxEo1X
      caR0213vhWOE/5HpdIolDVnxvt4czXS/oiNNj+M9zOMr57IJ4SPiptKdXx4qW
      ouGGq65JBGZQ7YNFKMtV2l1/YEHj8F1YWwNg6ZfuZvySkSv29D5zUkoxcPAPp
      6HPJTyQT7WRWbnM54TLgd1ggym9R83j0/VqdFXYhJDVkT6vbYgAwqXS16SsYf
      R7/U0/UMXmsg0z root@cfg01
Note
octavia_public_key should contain a public key generated in the previous step. In our example, it is taken from ~/.ssh/octavia_ssh_key.pub.
To use a load balancer topology other than the default, set octavia_loadbalancer_topology to ACTIVE_STANDBY. By default, octavia_loadbalancer_topology is set to SINGLE to use the default load balancer topology.
Optional. Override the default Octavia parameters in cluster/<cluster_name>/openstack/octavia_manager.yml. The default parameters are as follows:
parameters:
  octavia:
    manager:
      certificates:
        ca_private_key: '/etc/octavia/certs/private/cakey.pem'
        ca_certificate: '/etc/octavia/certs/ca_01.pem'
      controller_worker:
        amp_flavor_id: ${_param:amp_flavor_id}
        amp_image_tag: amphora
        amp_ssh_key_name: octavia_ssh_key
        loadbalancer_topology: 'SINGLE'
      haproxy_amphora:
        client_cert: '/etc/octavia/certs/client.pem'
        client_cert_key: '/etc/octavia/certs/client.key'
        client_cert_all: '/etc/octavia/certs/client_all.pem'
        server_ca: '/etc/octavia/certs/ca_01.pem'
      health_manager:
        bind_ip: ${_param:octavia_hm_bind_ip}
        heartbeat_key: 'insecure'
      house_keeping:
        spare_amphora_pool_size: 0
Note
Starting from the MCP 2019.2.7 maintenance update, haproxy_amphora includes the build_rate_limit parameter, set to 2 by default. Use the parameter to configure the build rate limit for the Octavia manager.
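Before applying the states, the model file can be checked for the two secrets this procedure touches: the heartbeat_key default of 'insecure' listed above, which Octavia uses to validate amphora heartbeat messages, and the inline octavia_private_key. The script below is an added example, not part of the MCP documentation; the function name audit_octavia_model and the finding messages are hypothetical, and it assumes GNU stat.

```shell
#!/bin/sh
# Added example, not MCP code. audit_octavia_model is a hypothetical helper.
# Usage: audit_octavia_model cluster/<cluster_name>/openstack/octavia_manager.yml
# Prints one line per finding and returns the number of findings.
# Assumes GNU stat (stat -c), as found on a Linux Salt Master node.
audit_octavia_model() {
    _f="$1"
    _n=0

    # 1. heartbeat_key validates amphora heartbeats sent to the Health Manager.
    #    If the model does not override it, the default 'insecure' applies.
    _hb=$(sed -n 's/^[[:space:]]*heartbeat_key:[[:space:]]*//p' "$_f" \
          | head -n 1 | tr -d "'\"[:space:]")
    case "$_hb" in
        ""|insecure)
            echo "WEAK: heartbeat_key is unset or 'insecure' in $_f"
            _n=$((_n + 1))
            ;;
    esac

    # 2. octavia_private_key is stored inline, so the model file is itself a
    #    secret: any access beyond the owner exposes the amphora login key.
    if grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$_f"; then
        _mode=$(stat -c '%a' "$_f")
        case "$_mode" in
            *00) ;;   # owner-only permissions, for example 600 or 400
            *)
                echo "EXPOSED: $_f holds a private key with mode $_mode"
                _n=$((_n + 1))
                ;;
        esac
    fi

    return "$_n"
}

# Run the audit when a file is passed on the command line.
if [ "$#" -gt 0 ]; then
    audit_octavia_model "$1"
fi
```

A non-zero exit status means the model still carries the default heartbeat key or a key file that other accounts can read; fix the model before running reclass.storage.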
Add the configured Octavia roles to the corresponding nodes:
salt-call state.sls reclass.storage
Refresh pillars:
salt '*' saltutil.refresh_pillar
Update the Salt Minion configuration:
salt-call state.sls salt.minion.service
Create the Octavia database:
salt -C 'I@galera:master' state.sls galera
salt -C 'I@galera:slave' state.sls galera -b 1
Configure HAProxy for Octavia API:
salt -C 'I@haproxy:proxy' state.sls haproxy
Configure NGINX proxy for Octavia API:
salt -C 'I@nginx:server' state.sls nginx
Create an Octavia user and endpoints in Keystone:
salt -C 'I@keystone:client' state.sls keystone.client
Upload an amphora image to Glance:
salt -C 'I@glance:client' state.sls glance.client
Create an amphora flavor and a key pair in Nova:
salt -C 'I@nova:client' state.sls nova.client
This state expects you to provide an SSH key that is used to create a key pair.
Create the Neutron resources for Octavia:
salt -C 'I@neutron:client' state.sls neutron.client
This state creates security groups and rules for amphora instances and Health Manager, a management network with a subnet for Octavia, and a port for Health Manager.
If Barbican and signing of the images for Nova are enabled, apply the following states to create a certificate and sign the Octavia amphora image:
salt -C 'I@barbican:client' state.sls salt.minion.cert
salt -C 'I@barbican:client' state.sls barbican.client
Update the Salt mine:
salt '*' mine.update
Deploy the Octavia services:
salt -C 'I@octavia:api and *01*' state.sls octavia
salt -C 'I@octavia:api' state.sls octavia
salt -C 'I@octavia:manager' state.sls octavia
Generate certificates for the Octavia controller-amphora communication:
salt-call state.sls salt.minion.ca
salt-call state.sls salt.minion.cert
Note
You may need to apply the above states twice before they succeed.
If you added Octavia Cluster Manager in previous steps, also apply the following states:
salt-call state.sls salt.minion.ca
salt-call state.sls salt.minion.cert
Set up the Octavia client:
salt -C 'I@octavia:client' state.sls octavia.client