Add haproxy element

This element will be needed for HA deployments. Haproxy will
listen on ports other than the OpenStack defaults so that
OpenStack services can be bound to all IP addresses. Keystone
endpoint URLs will be updated to point to the haproxied non-standard
ports.

Change-Id: Ib8fca60d8e31877aed39739c09a77c68de20f7b0
Jan Provaznik 2014-01-15 04:55:06 -05:00
parent d94af53567
commit 2705b691ea
6 changed files with 127 additions and 0 deletions


@ -0,0 +1,31 @@
Element to install haproxy. This element proxies services listed in
haproxy.services and additionally enables ports in firewall.
Configuration
-------------
haproxy:
nodes:
- name: notcompute
ip: 192.0.2.5
- name: notcomputeSlave0
ip: 192.0.2.6
services:
- name: dashboard_cluster
proxy_port: 444
port: 443
- name: glance_api_cluster
proxy_port: 9293
port:9292
You can override set of nodes for a service by setting its own set of
haproxy.nodes inside a service definition:
services:
- name: dashboard_cluster
proxy_port: 444
port: 443
haproxy:
nodes:
- name: foo0
ip: 10.0.0.1


@ -0,0 +1,12 @@
#!/bin/bash
set -eux
install-packages haproxy
if [ "$DIB_INIT_SYSTEM" == "systemd" ] ; then
systemctl enable haproxy.service
fi
# haproxy service has to be explicitly enabled in /etc/default/haproxy on ubuntu/debian systems
[ -f /etc/default/haproxy ] && sed -i -e 's/ENABLED=0/ENABLED=1/' /etc/default/haproxy
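Review bot: The final line `[ -f /etc/default/haproxy ] && sed ...` leaves the script with exit status 1 when the file is absent, because the failed test is the last command executed. `set -e` does not trip on it, but a caller that checks the script's status would treat the install as failed on distributions without /etc/default/haproxy. Writing it as `if [ -f /etc/default/haproxy ]; then sed -i -e 's/ENABLED=0/ENABLED=1/' /etc/default/haproxy; fi` keeps the status at 0. Separately, `set -u` aborts the script if `DIB_INIT_SYSTEM` is unset; `"${DIB_INIT_SYSTEM:-}"` would make the comparison safe.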


@ -0,0 +1,31 @@
global
chroot /var/lib/haproxy
daemon
group haproxy
maxconn 4000
pidfile /var/run/haproxy.pid
user haproxy
defaults
log global
maxconn 8000
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout check 10s
{{#haproxy.services}}
listen {{name}}
bind *:{{proxy_port}}
mode tcp
balance source
option tcpka
option tcplog
{{#haproxy.nodes}}
server {{name}} {{ip}}:{{port}} check inter 2000 rise 2 fall 5
{{/haproxy.nodes}}
{{/haproxy.services}}
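Review bot: The `global` section has no `log` target, so `log global` in `defaults` and `option tcplog` in each `listen` block produce no output, and connections through the proxy leave no record for troubleshooting or incident review. Adding a line such as `log /dev/log local0` to `global` would make them effective. Because of `chroot /var/lib/haproxy`, the syslog socket may need to be reachable from inside the chroot, or a UDP target such as `log 127.0.0.1 local0` used instead; this should be confirmed on the target distributions. A comment next to `bind *:{{proxy_port}}` would also help, noting that every listed service is exposed on all addresses and access limits rest on the firewall rules.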


@ -0,0 +1,4 @@
#!/bin/bash
set -eux
service haproxy restart


@ -0,0 +1,40 @@
#!/bin/bash
set -eu
DISTRO=`lsb_release -si` || true
if [[ "RedHatEnterpriseServer CentOS Fedora" =~ "$DISTRO" ]]; then
# Check if the iptables service is active
if systemctl is-active iptables.service ; then
IPT_FILE=/etc/sysconfig/iptables
if [ -f $IPT_FILE ]; then
iptables-restore < $IPT_FILE
fi
CONF=`os-apply-config --key haproxy.services --type raw | sed "s/u'/'/g"|sed "s/'/\"/g"`
[ -z "$CONF" ] && exit 0
# parses metadata hash and returns lines in "port-proxy_port" format:
LINES=`echo "$CONF" | python -c 'import json,sys;obj=json.load(sys.stdin);print "\n".join(["%d-%d" % (x["port"], x["proxy_port"]) for x in obj])'`
[ -z "$LINES" ] && exit 0
for LINE in $LINES; do
PORT=${LINE%-*}
PROXY_PORT=${LINE#*-}
# keystone is the only exception where ports are twisted - real
# service listens on non-standard port if haproxy is used so
# PORT instead of PROXY_PORT should be enabled
if [ $PROXY_PORT = "5000" -o $PROXY_PORT = "35357" ];then
FW_PORT=$PORT
else
FW_PORT=$PROXY_PORT
fi
RULE="INPUT -p tcp --dport $FW_PORT -j ACCEPT"
iptables -C $RULE 2>/dev/null || iptables -I $RULE
done
iptables-save > $IPT_FILE
fi
fi
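Review bot: The distro test `[[ "RedHatEnterpriseServer CentOS Fedora" =~ "$DISTRO" ]]` is a substring match with a quoted right-hand side, so an empty `DISTRO` (which is what `lsb_release -si || true` leaves when the command is missing or fails) matches, and the script goes on to rewrite firewall rules on any host where `iptables.service` is active. An exact match such as `case "$DISTRO" in RedHatEnterpriseServer|CentOS|Fedora) ;; *) exit 0 ;; esac` avoids that. In the loop, `$PROXY_PORT` and `$IPT_FILE` are unquoted and `-o` inside `[` is ambiguous; `[ "$PROXY_PORT" = 5000 ] || [ "$PROXY_PORT" = 35357 ]` is the safer form. The inserted rule accepts the port from any source address; if that is intended, a comment saying so would help the next reader.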


@ -11,6 +11,15 @@ verbose={{keystone.verbose}}
debug={{keystone.debug}} debug={{keystone.debug}}
{{/keystone.debug}} {{/keystone.debug}}
{{#haproxy}}
# if haproxy is used, run real keystone on no-default port,
# haproxy will listen on the default port.
# For other openstack services haproxy can listen on different ports and
# endpoints in keystone will just point to this no-default ports
public_port = 5010
admin_port = 35367
{{/haproxy}}
[sql] [sql]
connection = {{keystone.db}} connection = {{keystone.db}}