Octavia Production Deployment Confused
Hi,

I want to implement Octavia service in OpenStack Queens. I am stuck on two steps:

1. Create Octavia User

I am trying to create Octavia user with this command, is this the right way?

    openstack user create octavia --domain default --password octavia
    openstack role add --user octavia --project services admin
    openstack service create --name octavia --description "OpenStack Octavia" load-balancer
    openstack endpoint create --region RegionOne octavia public http://10.60.60.10:9876
    openstack endpoint create --region RegionOne octavia internal http://10.60.60.10:9876
    openstack endpoint create --region RegionOne octavia admin http://10.60.60.10:9876

2. Load Balancer Network Configuration

"Add appropriate routing to/from the ‘lb-mgmt-net’ such that egress is allowed, and the controller (to be created later) can talk to hosts on this network."

I don't know how to route from controller host into a private network, is there any specific command for doing that?

following tutorial from https://docs.openstack.org/octavia/latest/contributor/guides/dev-quick-start... .

Thank You

Best Regards,
Zufar Dhiyaulhaq

I did this manually.

-- Create an ovs port on br-int
-- Create a neutron port using the ovs port that you just created.
-- Assign the ip address of the neutron port to the ovs port
-- Use ip netns exec to assign a route in the router namespace of the LoadBalancer network.

If there's somebody who has a better way to do this, please share.

Ranga

--
M. Ranganathan

You can do it with any routed network that you’ll load as a provider network too.

Way simpler, no need for ovs manipulation, just get your network team to give you a vlan both available from compute node and controller plane. It can be a network subnet and vlan completely unknown from your controller as long as you get an intermediary equipment that routes your traffic or that you add the proper route on your controllers.

On Wed, Dec 5, 2018 at 6:27 AM Gaël THEROND <gael.therond@gmail.com> wrote:

> You can do it with any routed network that you’ll load as a provider network too.
>
> Way simpler, no need for ovs manipulation, just get your network team to give you a vlan both available from compute node and controller plane. It can be a network subnet and vlan completely unknown from your controller as long as you get an intermediary equipment that routes your traffic or that you add the proper route on your controllers.

Yeah, that's also how we did it for our Octavia service in production thanks to our ops team.

Cheers,
Lingxian Kong

Hi all,

Thank you. So the amphora will use a provider network, but how can we access this load balancer externally? Via IP assign into amphora (provider network IP)?

Another question, I am facing a problem with a keypair. I am generating a keypair with `create_certificates.sh`:

    source /tmp/octavia/bin/create_certificates.sh /etc/octavia/certs /tmp/octavia/etc/certificates/openssl.cnf

but when creating the load balancer service, I got this error from /var/log/octavia/worker.log:

    ERROR oslo_messaging.rpc.server CertificateGenerationException: Could not sign the certificate request: Failed to load CA Private Key /etc/octavia/certs/private/cakey.pem.

I am using this configuration under octavia.conf:

    [certificates]
    ca_certificate = /etc/octavia/certs/ca_01.pem
    ca_private_key = /etc/octavia/certs/private/cakey.pem
    ca_private_key_passphrase = foobar

Anyone know this issue? I am following Mr. Lingxian Kong blog in https://lingxiankong.github.io/2016-06-07-octavia-deployment-prerequisites.h...

Best Regards,
Zufar Dhiyaulhaq

Hi Zufar,

Tenant traffic into the VIP and out to member servers is isolated from the lb-mgmt-net. The VIP network is hot-plugged into the amphora network namespace for tenant traffic when a user creates a load balancer and specifies the VIP subnet or network.

As for the certificate creation, please see this document awaiting patch review: https://review.openstack.org/613454

I wrote up a detailed certificate configuration guide that should help you resolve your certificate configuration issue.

Michael
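
Added example, not part of any message in the thread and not Octavia's own code: a preflight check for the `[certificates]` settings quoted above, reporting a missing or unreadable `ca_private_key`, a key file readable by group or other, and a mismatch between the key's encryption state and `ca_private_key_passphrase`. The names `check_ca_key` and `demo` are hypothetical, the key file in `demo` is a constructed placeholder, and the check is assumed to run as the user the Octavia worker runs as.

```python
import configparser
import os
import tempfile

# PEM markers of a passphrase-protected key (PKCS#8 and legacy OpenSSL form).
ENCRYPTED_MARKERS = ("BEGIN ENCRYPTED PRIVATE KEY", "Proc-Type: 4,ENCRYPTED")

def check_ca_key(conf_path):
    """Return findings for the [certificates] CA key settings in octavia.conf."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read(conf_path)
    if not cfg.has_section("certificates"):
        return ["no [certificates] section"]
    key_path = cfg.get("certificates", "ca_private_key", fallback="")
    passphrase = cfg.get("certificates", "ca_private_key_passphrase", fallback="")
    if not os.path.isfile(key_path):
        return ["ca_private_key missing: %r" % key_path]
    if not os.access(key_path, os.R_OK):
        return ["ca_private_key not readable by uid %d" % os.geteuid()]
    findings = []
    mode = os.stat(key_path).st_mode & 0o777
    if mode & 0o077:  # a CA signing key should be owner-only
        findings.append("key mode %o grants group/other access" % mode)
    with open(key_path, errors="replace") as fh:
        pem = fh.read()
    if "PRIVATE KEY-----" not in pem:
        return findings + ["file is not a PEM private key"]
    encrypted = any(marker in pem for marker in ENCRYPTED_MARKERS)
    if encrypted and not passphrase:
        findings.append("key is encrypted but no passphrase is configured")
    if passphrase and not encrypted:
        findings.append("passphrase is configured but key is not encrypted")
    return findings

def demo(key_header="ENCRYPTED PRIVATE KEY", mode=0o644, passphrase="foobar"):
    """Build a constructed config and placeholder key file, then check them."""
    with tempfile.TemporaryDirectory() as tmp:
        key = os.path.join(tmp, "cakey.pem")
        with open(key, "w") as fh:  # placeholder body, not real key material
            fh.write("-----BEGIN %s-----\nAAAA\n-----END %s-----\n"
                     % (key_header, key_header))
        os.chmod(key, mode)
        conf = os.path.join(tmp, "octavia.conf")
        with open(conf, "w") as fh:
            fh.write("[certificates]\nca_private_key = %s\n"
                     "ca_private_key_passphrase = %s\n" % (key, passphrase))
        return check_ca_key(conf)

if __name__ == "__main__":
    print(demo())
```

The check reads PEM headers only and does not decrypt the key, so a passphrase that does not match the key is not detected.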

participants (5): Gaël THEROND, Lingxian Kong, M. Ranganathan, Michael Johnson, Zufar Dhiyaulhaq