Octavia Production Deployment Confused

Michael Johnson johnsomor at gmail.com
Thu Dec 6 00:13:02 UTC 2018


Hi Zufar,

Tenant traffic into the VIP and out to member servers is isolated from
the lb-mgmt-net. The VIP network is hot-plugged into the amphora
network namespace for tenant traffic when a user creates a load
balancer and specifies the VIP subnet or network.

As for the certificate creation, please see this document awaiting
patch review: https://review.openstack.org/613454
I wrote up a detailed certificate configuration guide that should help
you resolve your certificate configuration issue.

Michael

On Tue, Dec 4, 2018 at 3:59 PM Zufar Dhiyaulhaq
<zufar at onf-ambassador.org> wrote:
>
> Hi all,
>
> Thank you,
> So the amphora will use a provider network, but how can we access this load balancer externally? Via the IP assigned to the amphora (provider network IP)?
>
> Another question, I am facing a problem with a keypair. I am generating a keypair with `create_certificates.sh`
> source /tmp/octavia/bin/create_certificates.sh /etc/octavia/certs /tmp/octavia/etc/certificates/openssl.cnf
>
> but when creating the load balancer service, I got this error from /var/log/octavia/worker.log
> ERROR oslo_messaging.rpc.server CertificateGenerationException: Could not sign the certificate request: Failed to load CA Private Key /etc/octavia/certs/private/cakey.pem.
>
> I am using this configuration under octavia.conf
> [certificates]
> ca_certificate = /etc/octavia/certs/ca_01.pem
> ca_private_key = /etc/octavia/certs/private/cakey.pem
> ca_private_key_passphrase = foobar
>
> Does anyone know this issue?
> I am following Mr. Lingxian Kong's blog at https://lingxiankong.github.io/2016-06-07-octavia-deployment-prerequisites.html
>
> Best Regards,
> Zufar Dhiyaulhaq
>
>
> On Wed, Dec 5, 2018 at 4:35 AM Lingxian Kong <anlin.kong at gmail.com> wrote:
>>
>> On Wed, Dec 5, 2018 at 6:27 AM Gaël THEROND <gael.therond at gmail.com> wrote:
>>>
>>> You can do it with any routed network that you’ll load as a provider network too.
>>>
>>> Way simpler, no need for OVS manipulation; just get your network team to give you a VLAN available from both the compute node and the controller plane. It can be a network subnet and VLAN completely unknown to your controller as long as you have intermediary equipment that routes your traffic or you add the proper route on your controllers.
>>
>>
>> Yeah, that's also how we did it for our Octavia service in production, thanks to our ops team.
>>
>> Cheers,
>> Lingxian Kong
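
A check a deployer can run against the `[certificates]` paths quoted in the thread, given here as an added example that is not part of the original messages or of Octavia: it tests whether the CA key file is readable, decrypts with the configured passphrase, and matches the CA certificate. The function names `check_ca_key` and `make_constructed_ca` and the `CA_PASS` variable are hypothetical; the passphrase is passed through the environment so it does not appear in the process list.

```shell
#!/bin/sh
# Added example (hypothetical helper names), requires the openssl CLI.

# check_ca_key KEY_PATH CERT_PATH   (passphrase taken from exported $CA_PASS)
# Return codes:
#   0  key loads with the passphrase and matches the CA certificate
#   1  key or certificate file missing/unreadable, or certificate unparsable
#   2  key could not be loaded (wrong passphrase or malformed key)
#   3  key loads but is not the key the CA certificate was issued for
check_ca_key() {
    local key cert key_pub cert_pub
    key=$1
    cert=$2
    [ -r "$key" ] && [ -r "$cert" ] || return 1
    # Decrypt the private key and derive its public half.
    key_pub=$(openssl pkey -in "$key" -passin env:CA_PASS -pubout 2>/dev/null) || return 2
    # Extract the public key embedded in the CA certificate.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    [ "$key_pub" = "$cert_pub" ] || return 3
    return 0
}

# make_constructed_ca DIR
# Builds a throwaway, constructed CA laid out like the paths in the thread
# (DIR/private/cakey.pem and DIR/ca_01.pem), encrypted with $CA_PASS.
make_constructed_ca() {
    local dir
    dir=$1
    mkdir -p "$dir/private" || return 1
    openssl genrsa -aes256 -passout env:CA_PASS \
        -out "$dir/private/cakey.pem" 2048 2>/dev/null || return 1
    openssl req -x509 -new -key "$dir/private/cakey.pem" -passin env:CA_PASS \
        -subj "/CN=constructed-test-ca" -days 1 -out "$dir/ca_01.pem" 2>/dev/null
}

# Usage against the configuration quoted above:
#   export CA_PASS='<value of ca_private_key_passphrase>'
#   check_ca_key /etc/octavia/certs/private/cakey.pem /etc/octavia/certs/ca_01.pem
#   echo "result: $?"
```

Run it as the account the Octavia worker runs under, since the readability test applies to the calling user.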


