You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 2 Next »

This article should aid in installing openstack-octavia, which is a multi-step approach as octavia have multiple complex prerequirements.

Prerequirements

For octavia to work there needs to be a routed openstack network in place where octavia can place the management-interface of its VM's (amphora). It also needs a keypair to give to these VM's in case an admin needs to log in. The VM's needs an image to boot from, and there need to be a couple of CA's in place to sign certificates authenticating octavia-servers and octavia-amphora.

Network

The octavia amphora uses a dedicated network to its amphora for administration. This network needs to be available for nova to put VM's on, and is realized in one of two ways:

  • Using neutrons subnet-pool feature to create a subnet with routable IP's in it, and attach an openstack router as one usually do, and announcing these over bgp to the physical network.
  • Hack it by creating a subnet using real IP's, and add a router with no external gateways to it. This router should also have an interface on ntnu-internal, and needs to have a static default-route defined. The physical network also needs a static route for the octavia-network pointed to the virtual router.

The first option is prefferred!

The ID of the created network should be places into hiera at the key ntnuopenstack::octavia::network::id and the network CIDR should be placed at ntnuopenstack::octavia::management::ipv4::network

SSH Keypair

The amphora needs a keypair if an admin should be able to log into the machine and see whats going on.

  • Create a regular ssh keypair
  • Upload the public-key to openstack using the octavia keystone user.
  • Add the name of this keypair in hiera as ntnuopenstack::octavia::ssh::keypair::name

Security-group

A security-group limiting access to the octavia management ports needs to be created in the services project. This security-group needs to permit the following:

  • TCP 22 from relevant administrative subnets.
  • TCP 80 from the infrastructure-network.
  • TCP 5555 from the infrastructure-network.
  • TCP 9443 from the infrastructure-network.
  • UDP 5555 from the infrastructure-network.

In addition some rules are useful for debugging-purposes:

  • ICMP

Add the ID of the security-group created to hiera at the key ntnuopenstack::octavia::secgroup::id

Flavor

A suitable flavor for octavia needs to be created, or an existing one should be selected, and its ID should be placed in hiera at the key ntnuopenstack::octavia::flavor::id.

CA's

Octavia utilizes certificates for mutual authentication of the amphora and the octavia controllers. These certificates is signed by one of two CA's:

  • Controllers gets certificates manually created by an admin, which is signed by one CA. (client-cert, as the octavia controller is client contacting the amphora api)
  • Controllers have the root cert for a second CA which it uses to sign amphora's client CA when the amphora is created. (a server-cert, as the amphora is hosting an api)

To create these CA's, follow the guide from openstack:

Create client-certificates for all the octavia-controllers you plan to install.

Amphora

  • No labels