[openstack-dev] [kolla] add service discovery, proxysql, vault, fabio and FQDN endpoints

Florian Engelmann florian.engelmann at everyware.ch
Fri Oct 19 08:24:12 UTC 2018


> currently we are testing what is needed to get consul + registrator and 
> kolla/kolla-ansible play together nicely.
> 
> To get the services created in consul by registrator all kolla 
> containers running relevant services (eg. keystone, nova, cinder, ... 
> but also mariadb, memcached, es, ...) need to "--expose" their ports.
> Registrator will use those "exposed" ports to add a service to consul.
> 
> Is there any (existing) option to add those ports to the container 
> bootstrap?
> What about "docker_common_options"?
> 
> command should look like:
> 
> docker run -d --expose 5000/tcp --expose 35357/tcp --name=keystone ...
> 

After testing registrator I recognized the project seems to be 
unmaintained. So we won't use registrator.

I just need to find another method to register a container (service) in 
consul after the container has started.

I would like to do so without changing any kolla container or 
kolla-ansible code.


> 
> On 10/10/18 at 9:18 AM, Florian Engelmann wrote:
>> by "another storage system" you mean the KV store of consul? That's 
>> just something consul brings with it...
>>
>> consul is very strong in doing health checks
>>
>> On 10/9/18 at 6:09 PM, Fox, Kevin M wrote:
>>> etcd is an already approved openstack dependency. Could that be used 
>>> instead of consul so as to not add yet another storage system? 
>>> coredns with the https://coredns.io/plugins/etcd/ plugin would maybe 
>>> do what you need?
>>>
>>> Thanks,
>>> Kevin
>>> ________________________________________
>>> From: Florian Engelmann [florian.engelmann at everyware.ch]
>>> Sent: Monday, October 08, 2018 3:14 AM
>>> To: openstack-dev at lists.openstack.org
>>> Subject: [openstack-dev] [kolla] add service discovery, proxysql, 
>>> vault, fabio and FQDN endpoints
>>>
>>> Hi,
>>>
>>> I would like to start a discussion about some changes and additions I
>>> would like to see in kolla and kolla-ansible.
>>>
>>> 1. Keepalived is a problem in layer3 spine leaf networks as any floating
>>> IP can only exist in one leaf (and VRRP is a problem in layer3). I would
>>> like to use consul and registrar to get rid of the "internal" floating
>>> IP and use consul's DNS service discovery to connect all services with
>>> each other.
>>>
>>> 2. Using "ports" for external API (endpoint) access is a major headache
>>> if a firewall is involved. I would like to configure the HAProxy (or
>>> fabio) for the external access to use "Host:" like, eg. "Host:
>>> keystone.somedomain.tld", "Host: nova.somedomain.tld", ... with HTTPS.
>>> Any customer would just need HTTPS access and not have to open all those
>>> ports in his firewall. For some enterprise customers it is not possible
>>> to request FW changes like that.
>>>
>>> 3. HAProxy is not capable of handling "read/write" split with Galera. I
>>> would like to introduce ProxySQL to be able to scale Galera.
>>>
>>> 4. HAProxy is fine but fabio integrates well with consul, statsd and
>>> could be connected to a vault cluster to manage secure certificate 
>>> access.
>>>
>>> 5. I would like to add vault as Barbican backend.
>>>
>>> 6. I would like to add an option to enable tokenless authentication for
>>> all services with each other to get rid of all the openstack service
>>> passwords (security issue).
>>>
>>> What do you think about it?
>>>
>>> All the best,
>>> Florian
>>>
>>> __________________________________________________________________________ 
>>>
>>> OpenStack Development Mailing List (not for usage questions)
>>> Unsubscribe: 
>>> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>

-- 

EveryWare AG
Florian Engelmann
Systems Engineer
Zurlindenstrasse 52a
CH-8003 Zürich

tel: +41 44 466 60 00
fax: +41 44 466 60 10
mail: mailto:florian.engelmann at everyware.ch
web: http://www.everyware.ch