CentOS Stream 9
Sponsored Link

OpenStack Yoga : Configure Octavia (Network Node)2022/06/10

 
Install OpenStack Load Balancing as a Service (Octavia).
This example is based on the environment like follows.
------------+-----------------------------+-----------------------------+------------
            |                             |                             |
        eth0|10.0.0.30                eth0|10.0.0.50                eth0|10.0.0.51
+-----------+-----------+     +-----------+-----------+     +-----------+-----------+
|   [ dlp.srv.world ]   |     | [ network.srv.world ] |     |  [ node01.srv.world ] |
|     (Control Node)    |     |     (Network Node)    |     |     (Compute Node)    |
|                       |     |                       |     |                       |
|  MariaDB    RabbitMQ  |     |      Open vSwitch     |     |        Libvirt        |
|  Memcached  httpd     |     |     Neutron Server    |     |      Nova Compute     |
|  Keystone   Glance    |     |      OVN-Northd       |     |      Open vSwitch     |
|  Nova API  Cinder API |     |     Cinder Volume     |     |   OVN Metadata Agent  |
|                       |     |    Octavia Services   |     |     OVN-Controller    |
+-----------------------+     +-----------------------+     +-----------------------+

[1] Install Octavia services.
# install from Yoga, EPEL, CRB

[root@network ~]#
dnf --enablerepo=centos-openstack-yoga,epel,crb -y install openstack-octavia-api openstack-octavia-health-manager openstack-octavia-housekeeping openstack-octavia-worker
[2] Create certificates that are used by LoadBalancer Instance and Octavia services.
[root@network ~]#
mkdir -p /etc/octavia/certs/private

[root@network ~]#
mkdir ~/work

[root@network ~]#
cd ~/work

[root@network work]#
git clone https://opendev.org/openstack/octavia.git

[root@network work]#
cd octavia/bin

[root@network bin]#
./create_dual_intermediate_CA.sh

[root@network bin]#
cp -p ./dual_ca/etc/octavia/certs/server_ca.cert.pem /etc/octavia/certs

[root@network bin]#
cp -p ./dual_ca/etc/octavia/certs/server_ca-chain.cert.pem /etc/octavia/certs

[root@network bin]#
cp -p ./dual_ca/etc/octavia/certs/server_ca.key.pem /etc/octavia/certs/private

[root@network bin]#
cp -p ./dual_ca/etc/octavia/certs/client_ca.cert.pem /etc/octavia/certs

[root@network bin]#
cp -p ./dual_ca/etc/octavia/certs/client.cert-and-key.pem /etc/octavia/certs/private

[root@network bin]#
chown -R octavia /etc/octavia/certs

[3] Configure Octavia.
[root@network ~]#
mv /etc/octavia/octavia.conf /etc/octavia/octavia.conf.org

[root@network ~]#
vi /etc/octavia/octavia.conf
# create new

[DEFAULT]
# RabbitMQ connection info
transport_url = rabbit://openstack:password@dlp.srv.world

[api_settings]
bind_host = 127.0.0.1
bind_port = 9876
auth_strategy = keystone
api_base_uri = https://network.srv.world:9876

# MariaDB connection info
[database]
connection = mysql+pymysql://octavia:password@dlp.srv.world/octavia

[health_manager]
bind_ip = 10.0.0.50
bind_port = 5555

# Keystone auth info
[keystone_authtoken]
www_authenticate_uri = https://dlp.srv.world:5000
auth_url = https://dlp.srv.world:5000
memcached_servers = dlp.srv.world:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = octavia
password = servicepassword
# if using self-signed certs on httpd Keystone, turn to [true]
insecure = false

# specify certificates created on [2]
[certificates]
ca_private_key = /etc/octavia/certs/private/server_ca.key.pem
ca_certificate = /etc/octavia/certs/server_ca.cert.pem
server_certs_key_passphrase = insecure-key-do-not-use-this-key
ca_private_key_passphrase = not-secure-passphrase

# specify certificates created on [2]
[haproxy_amphora]
server_ca = /etc/octavia/certs/server_ca-chain.cert.pem
client_cert = /etc/octavia/certs/private/client.cert-and-key.pem

# specify certificates created on [2]
[controller_worker]
client_ca = /etc/octavia/certs/client_ca.cert.pem

[oslo_messaging]
topic = octavia_prov

# Keystone auth info
[service_auth]
auth_url = https://dlp.srv.world:5000
memcached_servers = dlp.srv.world:11211
auth_type = password
project_domain_name = Default
user_domain_name = Default
project_name = service
username = octavia
password = servicepassword
# if using self-signed certs on httpd Keystone, turn to [true]
insecure = false

[root@network ~]#
chmod 640 /etc/octavia/octavia.conf

[root@network ~]#
chgrp octavia /etc/octavia/octavia.conf
[4] Configure Nginx for proxy settings.
[root@network ~]#
vi /etc/nginx/nginx.conf
# add into the [stream] section

stream {
    upstream neutron-api {
        server 127.0.0.1:9696;
    }
    server {
        listen 10.0.0.50:9696 ssl;
        proxy_pass neutron-api;
    }
    upstream octavia-api {
        server 127.0.0.1:9876;
    }
    server {
        listen 10.0.0.50:9876 ssl;
        proxy_pass octavia-api;
    }
    ssl_certificate "/etc/letsencrypt/live/network.srv.world/fullchain.pem";
    ssl_certificate_key "/etc/letsencrypt/live/network.srv.world/privkey.pem";
}
[5] If SELinux is enabled, change policy.
[root@network ~]#
semanage port -a -t http_port_t -p tcp 9876

[6] If Firewalld is running, allow service ports.
[root@network ~]#
firewall-cmd --add-port=9876/tcp

success
[root@network ~]#
firewall-cmd --runtime-to-permanent

success
[7] Add Data into Database and start Octavia services.
[root@network ~]#
su -s /bin/bash octavia -c "octavia-db-manage --config-file /etc/octavia/octavia.conf upgrade head"

[root@network ~]#
systemctl enable --now octavia-api octavia-health-manager octavia-housekeeping octavia-worker

[root@network ~]#
systemctl restart nginx

Matched Content