Re: Reply: [octavia] Failed to load CA Certificate /etc/octavia/certs/server_ca.cert.pem

Thomas Goirand zigo at
Fri Apr 3 13:45:19 UTC 2020

On 4/1/20 8:51 AM, hao7.liu at wrote:
> OS version:CentOS7.6, ubuntu1804
> openstack version:Train
> when I create an amphora image, always many errors, such as:
> ./ -i ubuntu -d bionic -r 123456 -s 5 -o
> amphora-x64-haproxy-ubuntu-1804-0401


I found it particularly difficult to create the certs, so I created a
script to do it all:

Maybe you should give it a try?

I also found that the image provided by upstream has many problems, the
biggest of them is that, when having a lot of traffic on your load
balancer, haproxy logs a lot in /var/log/haproxy.log, and the default of
the haproxy package is to keep 52 days of logs, rotated weekly. That's
nearly one year of logs. If there's a lot of traffic on your load
balancer, it will quickly fill up the small HDD for the amphora,
especially if you leave the default of 2GB (I strongly recommend 4GB
instead of 2).

I also found it very problematic that most of the files made with
diskimage-builder end up not being part of any package. They are just
there, floating around, with no package owning them. In the Debian
package, I made sure that as much as possible, everything is held by the
octavia-agent package. As a result, the setup script becomes super

Using my own tool (openstack-debian-images, used to create the official
Debian OpenStack images), I made a very simple script to build Octavia
images. This isn't using diskimage-builder. Upstream isn't happy about
it, because they can't have their hands on it, and I'd have to rebase my
change whenever they do one. But ... there's no way I'm going to keep
such a dirty setup as they propose. So many things just belong to
packaging, and not to such an image script.

I also find that the DIB elements are kind of over-engineering things.
Getting the files needed in the package was kind of not easy.

The resulting build script can be found here:

The amphora-build is what should be launched, the other script is where it
all resides: tweak of /etc/logrotate.d/haproxy and tweak of
logrotate.timer (so that logrotate starts every hour, not just every day).

If you want the built image, I have just pushed a copy for you here:

Note that I'm working toward having all of this shipped as an official
Debian image, generated automatically with the other images.

I hope this helps,


Thomas Goirand
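
Added example, not part of the original message and not the author's script: one way an image build step could apply the two tweaks described above, a bounded /etc/logrotate.d/haproxy and an hourly logrotate.timer. The function name, the 50M / 4-copy limits and the rsyslog HUP are assumptions.

```shell
#!/bin/sh
# Added example: write a bounded haproxy logrotate policy and an hourly
# logrotate.timer override into an image root. All values are assumptions.

# write_amphora_logrotate ROOT
#   ROOT is the mounted image root (hypothetical helper; "/" on a live system).
write_amphora_logrotate() {
    root="${1:?usage: write_amphora_logrotate ROOT}"
    dropin="$root/etc/systemd/system/logrotate.timer.d"
    mkdir -p "$root/etc/logrotate.d" "$dropin" || return 1

    # Rotate at the first logrotate run after the log passes 50M and keep
    # 4 old copies, so retained history is bounded on a small amphora disk.
    cat > "$root/etc/logrotate.d/haproxy" <<'EOF'
/var/log/haproxy.log {
    size 50M
    rotate 4
    missingok
    notifempty
    compress
    delaycompress
    postrotate
        # Assumes rsyslog writes haproxy.log; HUP makes it reopen the file.
        systemctl kill -s HUP rsyslog.service >/dev/null 2>&1 || true
    endscript
}
EOF

    # Drop-in: the empty OnCalendar= clears the packaged schedule before
    # setting the hourly one; AccuracySec keeps systemd from delaying runs.
    cat > "$dropin/hourly.conf" <<'EOF'
[Timer]
OnCalendar=
OnCalendar=hourly
AccuracySec=1m
EOF
    chmod 0644 "$root/etc/logrotate.d/haproxy" "$dropin/hourly.conf"
}
```

On a running amphora, `systemctl daemon-reload` followed by `systemctl list-timers logrotate.timer` shows whether the hourly schedule took effect.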
