OpenStack Victoria : Configure Octavia (Network Node)2020/11/26 |
Install OpenStack Load Balancing as a Service (Octavia).
This example is based on the environment like follows.
------------+---------------------------+---------------------------+------------ | | | eth0|10.0.0.30 eth0|10.0.0.50 eth0|10.0.0.51 +-----------+-----------+ +-----------+-----------+ +-----------+-----------+ | [ Control Node ] | | [ Network Node ] | | [ Compute Node ] | | | | | | | | MariaDB RabbitMQ | | Open vSwitch | | Libvirt | | Memcached httpd | | Neutron Server | | Nova Compute | | Keystone Glance | | OVN-Northd | | Open vSwitch | | Nova API | | Octavia Services | | OVN Metadata Agent | | | | | | OVN-Controller | +-----------------------+ +-----------------------+ +-----------------------+ |
[1] | Install Octavia services. |
[root@network ~]# dnf --enablerepo=centos-openstack-victoria,powertools,epel -y install openstack-octavia-api openstack-octavia-health-manager openstack-octavia-housekeeping openstack-octavia-worker
|
[2] | Create certificates that are used among LoadBalancer Instance and Octavia services. |
[root@network ~]# mkdir -p /etc/octavia/certs/private [root@network ~]# mkdir ~/work [root@network ~]# cd ~/work [root@network work]# git clone https://opendev.org/openstack/octavia.git [root@network work]# cd octavia/bin [root@network bin]# ./create_dual_intermediate_CA.sh [root@network bin]# cp -p ./dual_ca/etc/octavia/certs/server_ca.cert.pem /etc/octavia/certs [root@network bin]# cp -p ./dual_ca/etc/octavia/certs/server_ca-chain.cert.pem /etc/octavia/certs [root@network bin]# cp -p ./dual_ca/etc/octavia/certs/server_ca.key.pem /etc/octavia/certs/private [root@network bin]# cp -p ./dual_ca/etc/octavia/certs/client_ca.cert.pem /etc/octavia/certs [root@network bin]# cp -p ./dual_ca/etc/octavia/certs/client.cert-and-key.pem /etc/octavia/certs/private [root@network bin]# chown -R octavia /etc/octavia/certs |
[3] | Configure Octavia. |
[root@network ~]# mv /etc/octavia/octavia.conf /etc/octavia/octavia.conf.org
[root@network ~]#
vi /etc/octavia/octavia.conf # create new [DEFAULT] # RabbitMQ connection info transport_url = rabbit://openstack:password@10.0.0.30 [api_settings] # IP address this host listens bind_host = 10.0.0.50 bind_port = 9876 auth_strategy = keystone api_base_uri = http://10.0.0.50:9876 # MariaDB connection info [database] connection = mysql+pymysql://octavia:password@10.0.0.30/octavia [health_manager] bind_ip = 0.0.0.0 bind_port = 5555 # Keystone auth info [keystone_authtoken] www_authenticate_uri = http://10.0.0.30:5000 auth_url = http://10.0.0.30:5000 memcached_servers = 10.0.0.30:11211 auth_type = password project_domain_name = default user_domain_name = default project_name = service username = octavia password = servicepassword # specify certificates created on [2] [certificates] ca_private_key = /etc/octavia/certs/private/server_ca.key.pem ca_certificate = /etc/octavia/certs/server_ca.cert.pem server_certs_key_passphrase = insecure-key-do-not-use-this-key ca_private_key_passphrase = not-secure-passphrase # specify certificates created on [2] [haproxy_amphora] server_ca = /etc/octavia/certs/server_ca-chain.cert.pem client_cert = /etc/octavia/certs/private/client.cert-and-key.pem # specify certificates created on [2] [controller_worker] client_ca = /etc/octavia/certs/client_ca.cert.pem [oslo_messaging] topic = octavia_prov # Keystone auth info [service_auth] auth_url = http://10.0.0.30:5000 memcached_servers = 10.0.0.30:11211 auth_type = password project_domain_name = Default user_domain_name = Default project_name = service username = octavia password = servicepassword
[root@network ~]#
[root@network ~]# chmod 640 /etc/octavia/octavia.conf [root@network ~]# chgrp octavia /etc/octavia/octavia.conf
su -s /bin/bash octavia -c "octavia-db-manage --config-file /etc/octavia/octavia.conf upgrade head" [root@network ~]# systemctl enable --now octavia-api octavia-health-manager octavia-housekeeping octavia-worker |
[4] | If Firewalld is running, allow service ports. |
[root@network ~]# firewall-cmd --add-port=9876/tcp --permanent success [root@network ~]# firewall-cmd --reload success |
Sponsored Link |