150 lines
5.5 KiB
ReStructuredText
150 lines
5.5 KiB
ReStructuredText
`Home <index.html>`_ OpenStack-Ansible Installation Guide
|
|
|
|
Configuring HAProxy (optional)
|
|
------------------------------
|
|
|
|
HAProxy provides load balancing for high availability architectures deployed by
|
|
OpenStack-Ansible. The default HAProxy configuration provides highly-available
|
|
load balancing services via keepalived if there are more than one hosts in the
|
|
``haproxy_hosts`` group.
|
|
|
|
.. note::
|
|
|
|
Deployers must review the services exposed by HAProxy and **must limit access
|
|
to these services to trusted users and networks only**. For more details,
|
|
refer to the :ref:`least-access-openstack-services` section.
|
|
|
|
.. note::
|
|
|
|
A load balancer is required for a successful installation. Deployers may
|
|
prefer to make use of hardware load balancers instead of haproxy. If hardware
|
|
load balancers are used then the load balancing configuration for services
|
|
must be implemented prior to executing the deployment.
|
|
|
|
To deploy HAProxy within your OpenStack-Ansible environment, define target
|
|
hosts which should run HAProxy:
|
|
|
|
.. code-block:: yaml
|
|
|
|
haproxy_hosts:
|
|
infra1:
|
|
ip: 172.29.236.101
|
|
infra2:
|
|
ip: 172.29.236.102
|
|
infra3:
|
|
ip: 172.29.236.103
|
|
|
|
There is an example configuration file already provided in
|
|
``/etc/openstack_deploy/conf.d/haproxy.yml.example``. Rename the file to
|
|
``haproxy.yml`` and configure it with the correct target hosts to use HAProxy
|
|
in an OpenStack-Ansible deployment.
|
|
|
|
Making HAProxy highly-available
|
|
###############################
|
|
|
|
HAProxy will be deployed in a highly-available manner, by installing
|
|
keepalived if multiple hosts are found in the inventory.
|
|
|
|
To skip the deployment of keepalived along HAProxy when installing
|
|
HAProxy on multiple hosts, edit the
|
|
``/etc/openstack_deploy/user_variables.yml`` by setting:
|
|
|
|
.. code-block:: yaml
|
|
|
|
haproxy_use_keepalived: False
|
|
|
|
Otherwise, edit at least the following variables in
|
|
``user_variables.yml`` to make keepalived work:
|
|
|
|
.. code-block:: yaml
|
|
|
|
haproxy_keepalived_external_vip_cidr: 192.168.0.4/25
|
|
haproxy_keepalived_internal_vip_cidr: 172.29.236.54/16
|
|
haproxy_keepalived_external_interface: br-flat
|
|
haproxy_keepalived_internal_interface: br-mgmt
|
|
|
|
- ``haproxy_keepalived_internal_interface`` and
|
|
``haproxy_keepalived_external_interface`` represent the interfaces on the
|
|
deployed node where the keepalived nodes will bind the internal/external
|
|
vip. By default the ``br-mgmt`` will be used.
|
|
|
|
- ``haproxy_keepalived_internal_vip_cidr`` and
|
|
``haproxy_keepalived_external_vip_cidr`` represents the internal and
|
|
external (respectively) vips (with their prefix length) that will be used on
|
|
keepalived host with the master status, on the interface listed above.
|
|
|
|
- Additional variables can be set to adapt keepalived in the deployed
|
|
environment. Please refer to the ``user_variables.yml`` for more descriptions.
|
|
|
|
To always deploy (or upgrade to) the latest stable version of keepalived,
|
|
edit the ``/etc/openstack_deploy/user_variables.yml`` by setting:
|
|
|
|
.. code-block:: yaml
|
|
|
|
keepalived_use_latest_stable: True
|
|
|
|
The HAProxy playbook reads the ``vars/configs/keepalived_haproxy.yml``
|
|
variable file and provides its content to the keepalived role for
|
|
keepalived master and backup nodes.
|
|
|
|
Keepalived pings a public IP address to check its status. The default
|
|
address is ``193.0.14.129``. To change this default, for example to
|
|
your gateway, set the ``keepalived_ping_address`` variable in the
|
|
``user_variables.yml`` file.
|
|
|
|
.. note:: The keepalived test works with IPv4 addresses only.
|
|
|
|
You can define additional variables to adapt keepalived to the
|
|
deployed environment. Refer to the ``user_variables.yml`` file for
|
|
more information. Optionally, you can use your own variable file, as
|
|
follows:
|
|
|
|
.. code-block:: yaml
|
|
|
|
haproxy_keepalived_vars_file: /path/to/myvariablefile.yml
|
|
|
|
Configuring keepalived ping checks
|
|
##################################
|
|
|
|
OpenStack-Ansible configures keepalived with a check script that pings an
|
|
external resource and uses that ping to determine if a node has lost network
|
|
connectivity. If the pings fail, keepalived will fail over to another node and
|
|
HAProxy will serve requests there.
|
|
|
|
The destination address, ping count and ping interval are configurable via
|
|
Ansible variables in ``/etc/openstack_deploy/user_variables.yml``:
|
|
|
|
.. code-block:: yaml
|
|
|
|
keepalived_ping_address: # IP address to ping
|
|
keepalived_ping_count: # ICMP packets to send (per interval)
|
|
keepalived_ping_interval: # How often ICMP packets are sent
|
|
|
|
By default, OpenStack-Ansible will configure keepalived to ping one of the root
|
|
DNS servers operated by RIPE. You can change this IP address to a different
|
|
external address or another address on your internal network.
|
|
|
|
Securing HAProxy communication with SSL certificates
|
|
####################################################
|
|
|
|
The OpenStack-Ansible project provides the ability to secure HAProxy
|
|
communications with self-signed or user-provided SSL certificates. By default,
|
|
self-signed certificates are used with HAProxy. However, deployers can
|
|
provide their own certificates by using the following Ansible variables:
|
|
|
|
.. code-block:: yaml
|
|
|
|
haproxy_user_ssl_cert: # Path to certificate
|
|
haproxy_user_ssl_key: # Path to private key
|
|
haproxy_user_ssl_ca_cert: # Path to CA certificate
|
|
|
|
Refer to `Securing services with SSL certificates`_ for more information on
|
|
these configuration options and how deployers can provide their own
|
|
certificates and keys to use with HAProxy.
|
|
|
|
.. _Securing services with SSL certificates: configure-sslcertificates.html
|
|
|
|
--------------
|
|
|
|
.. include:: navigation.txt
|