OpenStack Bobcat : Configure Octavia (Network Node)2023/10/26 |
Install OpenStack Load Balancing as a Service (Octavia).
This example is based on the environment like follows.
------------+--------------------------+--------------------------+------------ | | | eth0|10.0.0.30 eth0|10.0.0.50 eth0|10.0.0.51 +-----------+-----------+ +-----------+-----------+ +-----------+-----------+ | [ dlp.srv.world ] | | [ network.srv.world ] | | [ node01.srv.world ] | | (Control Node) | | (Network Node) | | (Compute Node) | | | | | | | | MariaDB RabbitMQ | | Open vSwitch | | Libvirt | | Memcached Nginx | | Neutron Server | | Nova Compute | | Keystone httpd | | OVN-Northd | | Open vSwitch | | Glance Nova API | | Nginx iSCSI Target | | OVN Metadata Agent | | Cinder API | | Cinder Volume | | OVN-Controller | | | | Octavia Services | | | +-----------------------+ +-----------------------+ +-----------------------+ |
[1] | Install Octavia services. |
[root@network ~]# dnf --enablerepo=centos-openstack-bobcat,epel,crb -y install openstack-octavia-api openstack-octavia-health-manager openstack-octavia-housekeeping openstack-octavia-worker
|
[2] | Create certificates that are used by LoadBalancer Instance and Octavia services. |
[root@network ~]# mkdir -p /etc/octavia/certs/private [root@network ~]# mkdir ~/work [root@network ~]# cd ~/work [root@network work]# git clone https://opendev.org/openstack/octavia.git [root@network work]# cd octavia/bin [root@network bin]# ./create_dual_intermediate_CA.sh [root@network bin]# cp -p ./dual_ca/etc/octavia/certs/server_ca.cert.pem /etc/octavia/certs [root@network bin]# cp -p ./dual_ca/etc/octavia/certs/server_ca-chain.cert.pem /etc/octavia/certs [root@network bin]# cp -p ./dual_ca/etc/octavia/certs/server_ca.key.pem /etc/octavia/certs/private [root@network bin]# cp -p ./dual_ca/etc/octavia/certs/client_ca.cert.pem /etc/octavia/certs [root@network bin]# cp -p ./dual_ca/etc/octavia/certs/client.cert-and-key.pem /etc/octavia/certs/private [root@network bin]# chown -R octavia /etc/octavia/certs |
[3] | Configure Octavia. |
[root@network ~]# mv /etc/octavia/octavia.conf /etc/octavia/octavia.conf.org
[root@network ~]#
vi /etc/octavia/octavia.conf # create new [DEFAULT] # RabbitMQ connection info transport_url = rabbit://openstack:password@dlp.srv.world [api_settings] bind_host = 127.0.0.1 bind_port = 9876 auth_strategy = keystone api_base_uri = https://network.srv.world:9876 # MariaDB connection info [database] connection = mysql+pymysql://octavia:password@dlp.srv.world/octavia [health_manager] bind_ip = 10.0.0.50 bind_port = 5555 # Keystone auth info [keystone_authtoken] www_authenticate_uri = https://dlp.srv.world:5000 auth_url = https://dlp.srv.world:5000 memcached_servers = dlp.srv.world:11211 auth_type = password project_domain_name = default user_domain_name = default project_name = service username = octavia password = servicepassword # if using self-signed certs on httpd Keystone, turn to [true] insecure = false # specify certificates created on [2] [certificates] ca_private_key = /etc/octavia/certs/private/server_ca.key.pem ca_certificate = /etc/octavia/certs/server_ca.cert.pem server_certs_key_passphrase = insecure-key-do-not-use-this-key ca_private_key_passphrase = not-secure-passphrase # specify certificates created on [2] [haproxy_amphora] server_ca = /etc/octavia/certs/server_ca-chain.cert.pem client_cert = /etc/octavia/certs/private/client.cert-and-key.pem # specify certificates created on [2] [controller_worker] client_ca = /etc/octavia/certs/client_ca.cert.pem [oslo_messaging] topic = octavia_prov # Keystone auth info [service_auth] auth_url = https://dlp.srv.world:5000 memcached_servers = dlp.srv.world:11211 auth_type = password project_domain_name = Default user_domain_name = Default project_name = service username = octavia password = servicepassword # if using self-signed certs on httpd Keystone, turn to [true] insecure = false chmod 640 /etc/octavia/octavia.conf [root@network ~]# chgrp octavia /etc/octavia/octavia.conf
|
[4] | Configure Nginx for proxy settings. |
[root@network ~]#
vi /etc/nginx/nginx.conf # add into the [stream] section
stream {
upstream neutron-api {
server 127.0.0.1:9696;
}
server {
listen 10.0.0.50:9696 ssl;
proxy_pass neutron-api;
}
upstream octavia-api {
server 127.0.0.1:9876;
}
server {
listen 10.0.0.50:9876 ssl;
proxy_pass octavia-api;
}
ssl_certificate "/etc/letsencrypt/live/network.srv.world/fullchain.pem";
ssl_certificate_key "/etc/letsencrypt/live/network.srv.world/privkey.pem";
}
|
[5] | If SELinux is enabled, change policy. |
[root@network ~]# semanage port -a -t http_port_t -p tcp 9876 |
[6] | If Firewalld is running, allow service ports. |
[root@network ~]# firewall-cmd --add-port=9876/tcp success [root@network ~]# firewall-cmd --runtime-to-permanent success |
[7] | Add Data into Database and start Octavia services. |
[root@network ~]# su -s /bin/bash octavia -c "octavia-db-manage --config-file /etc/octavia/octavia.conf upgrade head" [root@network ~]# systemctl enable --now octavia-api octavia-health-manager octavia-housekeeping octavia-worker [root@network ~]# systemctl restart nginx |
Sponsored Link |