Files
openstack-ansible-os_octavia/doc/source/configure-octavia.rst
Dmitriy Rabotyagov 53baf4054d Deprecate quota management with Octavia
With adding Octavia Load Balancer to the `openstack.cloud.quota`
module [1] we have a chicken-egg situation:
* If Octavia endpoint exist, but Octavia service is not yet running or
disabled on HAProxy, openstack_resources will fail on quotas
* We need service_setup to run before openstack_resources as
otherwise there will be no user to create/upload SSH key for

Quota management inside of the Octavia role also creates a confusion,
as Octavia does use default `service` project by default, which
is shared with other services, like Trove, which may result in
conflicts between these services.

As a solution it is proposed to deprecate quota management in
favor of ``openstack.osa.openstack_resources`` playbook and guide
operators on way to set quotas in their user_variables instead.

[1] 57c63e7918 (diff-ca4fad21675b7d9b029b213a9629606546fe7009)

Depends-On: https://review.opendev.org/c/openstack/ansible-role-pki/+/958661
Change-Id: Ib6a5c074ef99459f8707ab0874edb55d39d495ad
Signed-off-by: Dmitriy Rabotyagov <dmitriy.rabotyagov@cleura.com>
2025-08-28 11:10:00 +02:00

345 lines
13 KiB
ReStructuredText

=========================================================
Configuring the Octavia Load Balancing service (optional)
=========================================================
Octavia is an OpenStack project which provides operator-grade Load Balancing
(as opposed to the namespace driver) by deploying each individual load
balancer to its own virtual machine and leveraging haproxy to perform the
load balancing.
Octavia is scalable and has built-in high availability through active-passive.
OpenStack-Ansible deployment
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#. Create ``br-lbaas`` bridge on the controllers. Creating br-lbaas is done during
the deployers host preparation and is out of scope of openstack-ansible.
Some explanation of how br-lbaas is used is given below.
#. Create the openstack-ansible container(s) for Octavia. To do that you need
to define hosts for ``octavia-infra_hosts`` group in
``openstack_user_config.yml``. Once you do this, run the following playbook:
.. code-block:: yaml
openstack-ansible playbooks/containers-lxc-create.yml --limit lxc_hosts,octavia_all
#. Define required overrides of the variables in defaults/main.yml of the
openstack-ansible octavia role.
#. Run the os-octavia playbook
.. code-block:: yaml
openstack-ansible playbooks/os-octavia-install.yml
#. Run the haproxy-install.yml playbook to add the new octavia API endpoints
to the load balancer.
Define project quota for Amphora driver
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Amphora driver for Octavia is a default option on spawning Load Balancers
with Octavia. The driver relies on OpenStack Nova/Neutron services to spawn
VMs from a specialized image which serve as Load Balancers.
These VMs are created in a ``service`` project by default, and tenants have
no direct access to them.
With that operator must ensure, that the ``service`` project
has sufficient quotas defined to handle all tenant Load Balancers in it.
The suggested way of doing that is through leveraging the
``openstack.osa.openstack_resources`` playbook and defining following
variables in ``user_variables.yml`` or ``group_vars/utility_all``:
.. code-block:: yaml
# In case of `octavia_loadbalancer_topology` set to ACTIVE_STANDBY (default)
# each Load Balancer will create 2 VMs
_max_amphora_instances: 10000
openstack_user_identity:
quotas:
- name: "service"
# Default Amphora flavor is 1 Core, 1024MB RAM
cores: "{{ _max_amphora_instances }}"
ram: "{{ (_max_amphora_instances | int) * 1024 }}"
instances: "{{ _max_amphora_instances }}"
port: "{{ (_max_amphora_instances | int) * 10 }}"
server_groups: "{{ ((_max_amphora_instances | int) * 0.5) | int | abs }}"
server_group_members: 50
# A security group is created per Load Balancer listener
security_group: "{{ (_max_amphora_instances | int) * 1.5 | int | abs }}"
security_group_rule: "{{ ((_max_amphora_instances | int) * 1.5 | int | abs) * 100 }}"
# If `octavia_cinder_enabled: true` also define these
volumes: "{{ _max_amphora_instances }}"
# Volume size is defined with `octavia_cinder_volume_size` with default of 20
gigabytes: "{{ (_max_amphora_instances | int) * 20 }}"
These values will be applied on running ``openstack-ansible openstack.osa.openstack_resources``,
or as part of ``openstack.osa.setup_openstack`` playbook.
Setup a neutron network for use by octavia
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Octavia needs connectivity between the control plane and the
load balancing VMs. For this purpose a provider network should be
created which gives L2 connectivity between the octavia services
on the controllers (either containerised or deployed on metal)
and the octavia amphora VMs. Refer to the appropriate documentation
for the octavia service and consult the tests in this project
for a working example.
Special attention needs to be applied to the provider network
``--allocation-pool`` not to have ip addresses which overlap with
those assigned to hosts, lxc containers or other infrastructure such
as routers or firewalls which may be in use.
An example which gives 172.29.232.0-9/22 to the OSA dynamic inventory
and the remainder of the addresses to the neutron allocation pool
without overlap is as follows:
In ``openstack_user_config.yml`` the following:
.. code-block:: yaml
#the address range for the whole lbaas network
cidr_networks:
lbaas: 172.29.232.0/22
#the range of ip addresses excluded from the dynamic inventory
used_ips:
- "172.29.232.10,172.29.235.200"
And define in ``user_variables.yml``:
.. code-block:: yaml
#the range of addresses which neutron can allocate for amphora VM
octavia_management_net_subnet_allocation_pools: "172.29.232.10-172.29.235.200"
.. note::
The system will deploy an iptables firewall if ``octavia_ip_tables_fw`` is set
to ``True`` (the default). This adds additional protection to the control plane
in the rare instance a load balancing vm is compromised. Please review carefully
the rules and adjust them for your installation. Please be aware that logging
of dropped packages is not enabled and you will need to add those rules manually.
FLAT networking scenario
------------------------
In a general case, neutron networking can be a simple flat network. However in
a complex case, this can be whatever you need and want. Ensure you adjust the
deployment accordingly. An example entry into ``openstack_user_config.yml`` is
shown below:
.. code-block:: yaml
- network:
container_bridge: "br-lbaas"
container_type: "veth"
container_interface: "eth14"
host_bind_override: "bond0" # Defines neutron physical network mapping
ip_from_q: "octavia"
type: "flat"
net_name: "octavia"
group_binds:
- neutron_linuxbridge_agent
- octavia-worker
- octavia-housekeeping
- octavia-health-manager
There are a couple of variables which need to be adjusted if you don't use
``lbaas`` for the provider network name and ``lbaas-mgmt`` for the neutron
name. Furthermore, the system tries to infer certain values based on the
inventory which might not always work and hence might need to be explicitly
declared. Review the file ``defaults/main.yml`` for more information.
The octavia ansible role can create the required neutron networks itself.
Please review the corresponding settings - especially
``octavia_management_net_subnet_cidr`` should be adjusted to suit your
environment. Alternatively, the neutron network can be pre-created elsewhere
and consumed by Octavia.
VLAN networking scenario
------------------------
In case you want to leverage standard vlan networking for the Octavia
management network the definition in ``openstack_user_config.yml`` may
look like this:
.. code-block:: yaml
- network:
container_bridge: "br-lbaas"
container_type: "veth"
container_interface: "eth14"
ip_from_q: "lbaas"
type: "raw"
net_name: lbaas
group_binds:
- neutron_linuxbridge_agent
- octavia-worker
- octavia-housekeeping
- octavia-health-manager
Add extend ``user_variables.yml`` with following overrides:
.. code-block:: yaml
octavia_provider_network_name: vlan
octavia_provider_network_type: vlan
octavia_provider_segmentation_id: 400
octavia_provider_inventory_net_name: lbaas
In addition to this, you will need to ensure that you have an interface that
links neutron-managed br-vlan with br-lbaas on the controller nodes (for the case
when br-vlan already exists on the controllers when they also host the neutron
L3 agent). Making veth pairs or macvlans for this might be suitable.
Building Octavia images
~~~~~~~~~~~~~~~~~~~~~~~
.. note::
The default behavior is to download a test image from the OpenStack artifact
storage the Octavia team provides daily. Because this image doesn't apply
operating system security patches in a timely manner it is unsuited
for production use.
Some Operating System vendors might provide official amphora builds or an
organization might maintain their own artifact storage - for those cases the
automatic download can be leveraged, too.
Images using the ``diskimage-builder`` must be built outside of a container.
For this process, use one of the physical hosts within the environment.
#. Install the necessary packages and configure a Python virtual environment
.. code-block:: bash
apt-get install qemu uuid-runtime curl kpartx git jq python3-pip
pip3 install virtualenv
virtualenv -p /usr/bin/python3 /opt/octavia-image-build
source /opt/octavia-image-build/bin/activate
#. Clone the necessary repositories and dependencies
.. code-block:: bash
git clone https://opendev.org/openstack/octavia.git
/opt/octavia-image-build/bin/pip install --isolated \
git+https://git.openstack.org/openstack/diskimage-builder.git
#. Run Octavia's diskimage script
In the ``octavia/diskimage-create`` directory run:
.. code-block:: bash
./diskimage-create.sh
Disable ``octavia-image-build`` venv:
.. code-block:: bash
deactivate
#. Upload the created user images into the Image (glance) Service:
.. code-block:: bash
openstack image create --disk-format qcow2 \
--container-format bare --tag octavia-amphora-image --file amphora-x64-haproxy.qcow2 \
--private --project service amphora-x64-haproxy
.. note::
Alternatively you can specify the new image in the appropriate settings and rerun the
ansible with an appropriate tag.
You can find more information about the diskimage script and the process at
https://opendev.org/openstack/octavia/tree/master/diskimage-create
Here is a script to perform all those tasks at once:
.. code-block:: bash
#/bin/sh
apt-get install qemu uuid-runtime curl kpartx git jq
pip -v >/dev/null || {apt-get install python3-pip}
pip3 install virtualenv
virtualenv -p /usr/bin/python3 /opt/octavia-image-build || exit 1
source /opt/octavia-image-build/bin/activate
pushd /tmp
git clone https://opendev.org/openstack/octavia.git
/opt/octavia-image-build/bin/pip install --isolated \
git+https://git.openstack.org/openstack/diskimage-builder.git
pushd octavia/diskimage-create
./diskimage-create.sh
mv amphora-x64-haproxy.qcow2 /tmp
deactivate
popd
popd
# upload image
openstack image delete amphora-x64-haproxy
openstack image create --disk-format qcow2 \
--container-format bare --tag octavia-amphora-image --file /tmp/amphora-x64-haproxy.qcow2 \
--private --project service amphora-x64-haproxy
.. note::
If you have trouble installing dib-utils from pipy consider
installing it directly from source
`pip install git+https://opendev.org/openstack/dib-utils.git`
Creating the cryptographic certificates
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. note::
For production installation make sure that you review this very
carefully with your own security requirements and potentially use
your own CA to sign the certificates.
The system will automatically generate and use self-signed
certificates with different Certificate Authorities for control plane
and amphora. Make sure to store a copy in a safe place for potential
disaster recovery.
Optional: Configuring Octavia with ssh access to the amphora
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In rare cases it might be beneficial to gain ssh access to the
amphora for additional trouble shooting. Follow these steps to
enable access.
#. Configure Octavia accordingly
Add a ``octavia_ssh_enabled: True`` to the user file in
/etc/openstack-deploy
#. Run ``os_octavia`` role. SSH key will be generated and uploaded
.. note::
SSH key will be stored on the ``octavia_keypair_setup_host`` (which
by default is ``localhost``) in ``~/.ssh/{{ octavia_ssh_key_name }}``
Optional: Tuning Octavia for production use
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Please have a close look at the ``main.yml`` for tunable parameters.
The most important change is to set Octavia into ACTIVE_STANDBY mode
by adding ``octavia_loadbalancer_topology: ACTIVE_STANDBY`` and
``octavia_enable_anti_affinity=True`` to ensure that the active and passive
amphora are (depending on the anti-affinity filter deployed in nova) on two
different hosts to the user file in /etc/openstack-deploy
Also we suggest setting more specific ``octavia_cert_dir`` to prevent
accidental certificate rotation.