This article should aid in installing openstack-octavia, which is a multi-step approach as octavia have multiple complex prerequirements.
Prerequirements
For octavia to work there needs to be a routed openstack network in place where octavia can place the management-interface of its VM's (amphora). It also needs a keypair to give to these VM's in case an admin needs to log in. The VM's needs an image to boot from, and there need to be a couple of CA's in place to sign certificates authenticating octavia-servers and octavia-amphora.
Network
The octavia amphora uses a dedicated network to its amphora for administration. This network needs to be available for nova to put VM's on, and is realized in one of two ways:
- Using neutrons subnet-pool feature to create a subnet with routable IP's in it, and attach an openstack router as one usually do, and announcing these over bgp to the physical network.
- Hack it by creating a subnet using real IP's, and add a router with no external gateways to it. This router should also have an interface on ntnu-internal, and needs to have a static default-route defined. The physical network also needs a static route for the octavia-network pointed to the virtual router.
The first option is prefferred!
The ID of the created network should be places into hiera at the key ntnuopenstack::octavia::network::id and the network CIDR should be placed at ntnuopenstack::octavia::management::ipv4::network
SSH Keypair
The amphora needs a keypair if an admin should be able to log into the machine and see whats going on.
- Create a regular ssh keypair
- Upload the public-key to openstack using the octavia keystone user.
- Add the name of this keypair in hiera as ntnuopenstack::octavia::ssh::keypair::name
Security-group
A security-group limiting access to the octavia management ports needs to be created in the services project. This security-group needs to permit the following:
- TCP 22 from relevant administrative subnets.
- TCP 80 from the infrastructure-network.
- TCP 5555 from the infrastructure-network.
- TCP 9443 from the infrastructure-network.
- UDP 5555 from the infrastructure-network.
In addition some rules are useful for debugging-purposes:
- ICMP
Add the ID of the security-group created to hiera at the key ntnuopenstack::octavia::secgroup::id
Flavor
A suitable flavor for octavia needs to be created, or an existing one should be selected, and its ID should be placed in hiera at the key ntnuopenstack::octavia::flavor::id.
CA's
Octavia utilizes certificates for mutual authentication of the amphora and the octavia controllers. These certificates is signed by one of two CA's:
- Controllers gets certificates manually created by an admin, which is signed by one CA. (client-cert, as the octavia controller is client contacting the amphora api)
- Controllers have the root cert for a second CA which it uses to sign amphora's client CA when the amphora is created. (a server-cert, as the amphora is hosting an api)
To create these CA's, follow the guide from openstack:
Create client-certificates for all the octavia-controllers you plan to install.
Amphora
The octavia amphora needs an image, and these images needs to be created. Creating these images is simplest to do in a fresh nova-VM to avoid convoulting your local environment. The steps to create an image is generally:
- Clone the following two git-repositories:
- Check out the branch of the octavia-repo to match your environment
- Install the python dependencies listed in octavia/diskimage-create/requirements.txt
- Install qemu
- Try to build an image:
- octavia/diskimage-create/diskimage-create.sh -a amd64 -d bionic -o filnavn -s 4 -t raw