Current octavia doc missing some vital parts, without which is very hard to handle octavia deployment. Change-Id: If6841452b8659b0f3c1240dda56898babf1e0c89
11 KiB
Configuring the Octavia Load Balancing service (optional)
Octavia is an OpenStack project which provides operator-grade Load Balancing (as opposed to the namespace driver) by deploying each individual load balancer to its own virtual machine and leveraging haproxy to perform the load balancing.
Octavia is scalable and has built-in high availability through active-passive.
OpenStack-Ansible deployment
Create
br-lbaas
bridge on the controllers. Creating br-lbaas is done during the deployers host preparation and is out of scope of openstack-ansible. Some explanation of how br-lbaas is used is given below.Create the openstack-ansible container(s) for Octavia. To do that you need to define hosts for
octavia-infra_hosts
group inopenstack_user_config.yml
. Once you do this, run the following playbook:openstack-ansible playbooks/containers-lxc-create.yml --limit lxc_hosts,octavia_all
Define required overrides of the variables in defaults/main.yml of the openstack-ansible octavia role.
Run the os-octavia playbook
openstack-ansible playbooks/os-octavia-install.yml
Run the haproxy-install.yml playbook to add the new octavia API endpoints to the load balancer.
Setup a neutron network for use by octavia
Octavia needs connectivity between the control plane and the load balancing VMs. For this purpose a provider network should be created which gives L2 connectivity between the octavia services on the controllers (either containerised or deployed on metal) and the octavia amphora VMs. Refer to the appropriate documentation for the octavia service and consult the tests in this project for a working example.
Special attention needs to be applied to the provider network
--allocation-pool
not to have ip addresses which overlap
with those assigned to hosts, lxc containers or other infrastructure
such as routers or firewalls which may be in use.
An example which gives 172.29.232.0-9/22 to the OSA dynamic inventory and the remainder of the addresses to the neutron allocation pool without overlap is as follows:
In openstack_user_config.yml
the following:
#the address range for the whole lbaas network
cidr_networks:
lbaas: 172.29.232.0/22
#the range of ip addresses excluded from the dynamic inventory
used_ips:
- "172.29.232.10,172.29.235.200"
And define in user_variables.yml
:
#the range of addresses which neutron can allocate for amphora VM
octavia_management_net_subnet_allocation_pools: "172.29.232.10-172.29.235.200"
Note
The system will deploy an iptables firewall if
octavia_ip_tables_fw
is set to True
(the
default). This adds additional protection to the control plane in the
rare instance a load balancing vm is compromised. Please review
carefully the rules and adjust them for your installation. Please be
aware that logging of dropped packages is not enabled and you will need
to add those rules manually.
FLAT networking scenario
In a general case, neutron networking can be a simple flat network.
However in a complex case, this can be whatever you need and want.
Ensure you adjust the deployment accordingly. An example entry into
openstack_user_config.yml
is shown below:
- network:
container_bridge: "br-lbaas"
container_type: "veth"
container_interface: "eth14"
host_bind_override: "bond0" # Defines neutron physical network mapping
ip_from_q: "octavia"
type: "flat"
net_name: "octavia"
group_binds:
- neutron_linuxbridge_agent
- octavia-worker
- octavia-housekeeping
- octavia-health-manager
There are a couple of variables which need to be adjusted if you
don't use lbaas
for the provider network name and
lbaas-mgmt
for the neutron name. Furthermore, the system
tries to infer certain values based on the inventory which might not
always work and hence might need to be explicitly declared. Review the
file defaults/main.yml
for more information.
The octavia ansible role can create the required neutron networks
itself. Please review the corresponding settings - especially
octavia_management_net_subnet_cidr
should be adjusted to
suit your environment. Alternatively, the neutron network can be
pre-created elsewhere and consumed by Octavia.
VLAN networking scenario
In case you want to leverage standard vlan networking for the Octavia
management network the definition in
openstack_user_config.yml
may look like this:
- network:
container_bridge: "br-lbaas"
container_type: "veth"
container_interface: "eth14"
ip_from_q: "lbaas"
type: "raw"
group_binds:
- neutron_linuxbridge_agent
- octavia-worker
- octavia-housekeeping
- octavia-health-manager
Add extend user_variables.yml
with following
overrides:
octavia_provider_network_name: vlan
octavia_provider_network_type: vlan
octavia_provider_segmentation_id: 400
octavia_container_network_name: lbaas_address
In addition to this, you will need to ensure that you have an interface that links neutron-managed br-vlan with br-lbaas on the controller nodes (for the case when br-vlan already exists on the controllers when they also host the neutron L3 agent). Making veth pairs or macvlans for this might be suitable.
Building Octavia images
Note
The default behavior is to download a test image from the OpenStack artifact storage the Octavia team provides daily. Because this image doesn't apply operating system security patches in a timely manner it is unsuited for production use.
Some Operating System vendors might provide official amphora builds or an organization might maintain their own artifact storage - for those cases the automatic download can be leveraged, too.
Images using the diskimage-builder
must be built outside
of a container. For this process, use one of the physical hosts within
the environment.
Install the necessary packages and configure a Python virtual environment
apt-get install qemu uuid-runtime curl kpartx git jq python-pip pip install virtualenv virtualenv /opt/octavia-image-build source /opt/octavia-image-build/bin/activate
Clone the necessary repositories and dependencies
git clone https://opendev.org/openstack/octavia.git /opt/octavia-image-build/bin/pip install --isolated \ git+https://git.openstack.org/openstack/diskimage-builder.git
Run Octavia's diskimage script
In the
octavia/diskimage-create
directory run:./diskimage-create.sh
Disable
octavia-image-build
venv:deactivate
Upload the created user images into the Image (glance) Service:
openstack image create --disk-format qcow2 \ --container-format bare --tag octavia-amphora-image --file amphora-x64-haproxy.qcow2 \ --private --project service amphora-x64-haproxy
Note
Alternatively you can specify the new image in the appropriate settings and rerun the ansible with an appropriate tag.
You can find more information abpout the diskimage script and the process at https://opendev.org/openstack/octavia/tree/master/diskimage-create
Here is a script to perform all those tasks at once:
#/bin/sh apt-get install qemu uuid-runtime curl kpartx git jq pip -v >/dev/null || {apt-get install python-pip} pip install virtualenv virtualenv /opt/octavia-image-build || exit 1 source /opt/octavia-image-build/bin/activate pushd /tmp git clone https://opendev.org/openstack/octavia.git /opt/octavia-image-build/bin/pip install --isolated \ git+https://git.openstack.org/openstack/diskimage-builder.git pushd octavia/diskimage-create ./diskimage-create.sh mv amphora-x64-haproxy.qcow2 /tmp deactivate popd popd # upload image openstack image delete amphora-x64-haproxy openstack image create --disk-format qcow2 \ --container-format bare --tag octavia-amphora-image --file /tmp/amphora-x64-haproxy.qcow2 \ --private --project service amphora-x64-haproxy
Note
If you have trouble installing dib-utils from pipy consider installing it directly from source pip install git+https://opendev.org/openstack/dib-utils.git
Creating the cryptographic certificates
Note
For production installation make sure that you review this very carefully with your own security requirements and potantially use your own CA to sign the certificates.
The system will automatically generate and use self-signed certificates with different Certificate Authorities for control plane and amphora. Make sure to store a copy in a safe place for potential disaster recovery.
Optional: Configuring Octavia with ssh access to the amphora
In rare cases it might be beneficial to gain ssh access to the amphora for additional trouble shooting. Follow these steps to enable access.
Configure Octavia accordingly
Add a
octavia_ssh_enabled: True
to the user file in /etc/openstack-deployRun
os_octavia
role. SSH key will be generated and uploaded
Note
SSH key will be stored on the octavia_keypair_setup_host
(which by default is localhost
) in
~/.ssh/{{ octavia_ssh_key_name }}
Optional: Tuning Octavia for production use
Please have a close look at the main.yml
for tunable
parameters. The most important change is to set Octavia into
ACTIVE_STANDBY mode by adding
octavia_loadbalancer_topology: ACTIVE_STANDBY
and
octavia_enable_anti_affinity=True
to ensure that the active
and passive amphora are (depending on the anti-affinity filter deployed
in nova) on two different hosts to the user file in
/etc/openstack-deploy
Also we suggest setting more specific octavia_cert_dir
to prevent accidental certificate rotation.