Add haproxy element
This element will be needed for HA deployments. Haproxy will listen on other-than-default-openstack ports so that openstack services can be bound to all IP addresses. Keystone endpoint urls will be updated to point to haproxied non-standard ports. Change-Id: Ib8fca60d8e31877aed39739c09a77c68de20f7b0
parent
d94af53567
commit
2705b691ea
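--- a/elements/haproxy/README.md
+++ b/elements/haproxy/README.md
@@ -0,0 +1,31 @@
+Element to install haproxy. This element proxies services listed in
+haproxy.services and additionally enables ports in firewall.
+
+Configuration
+-------------
+
+haproxy:
+nodes:
+- name: notcompute
+ip: 192.0.2.5
+- name: notcomputeSlave0
+ip: 192.0.2.6
+services:
+- name: dashboard_cluster
+proxy_port: 444
+port: 443
+- name: glance_api_cluster
+proxy_port: 9293
+port:9292
+
+You can override set of nodes for a service by setting its own set of
+haproxy.nodes inside a service definition:
+
+services:
+- name: dashboard_cluster
+proxy_port: 444
+port: 443
+haproxy:
+nodes:
+- name: foo0
+ip: 10.0.0.1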
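--- a/elements/haproxy/install.d/76-haproxy
+++ b/elements/haproxy/install.d/76-haproxy
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+set -eux
+
+install-packages haproxy
+
+if [ "$DIB_INIT_SYSTEM" == "systemd" ] ; then
+systemctl enable haproxy.service
+fi
+
+# haproxy service has to be explicitly enabled in /etc/default/haproxy on ubuntu/debian systems
+[ -f /etc/default/haproxy ] && sed -i -e 's/ENABLED=0/ENABLED=1/' /etc/default/haproxy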
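Review bot: The final line, `[ -f /etc/default/haproxy ] && sed -i -e 's/ENABLED=0/ENABLED=1/' /etc/default/haproxy`, makes the script exit with status 1 on any image that has no /etc/default/haproxy. A failed test inside an `&&` list does not trip `set -e`, but as the last command it becomes the script's exit status, which would presumably fail the install.d phase on non-Debian images. An `if` avoids this: `if [ -f /etc/default/haproxy ]; then sed -i -e 's/ENABLED=0/ENABLED=1/' /etc/default/haproxy; fi`. Separately, `set -u` aborts on `$DIB_INIT_SYSTEM` when the variable is not exported; `"${DIB_INIT_SYSTEM:-}"` keeps the test safe.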
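--- a/elements/haproxy/os-config-applier/etc/haproxy/haproxy.cfg
+++ b/elements/haproxy/os-config-applier/etc/haproxy/haproxy.cfg
@@ -0,0 +1,31 @@
+global
+chroot /var/lib/haproxy
+daemon
+group haproxy
+maxconn 4000
+pidfile /var/run/haproxy.pid
+user haproxy
+
+defaults
+log global
+maxconn 8000
+retries 3
+timeout http-request 10s
+timeout queue 1m
+timeout connect 10s
+timeout client 1m
+timeout server 1m
+timeout check 10s
+
+{{#haproxy.services}}
+listen {{name}}
+bind *:{{proxy_port}}
+mode tcp
+balance source
+option tcpka
+option tcplog
+{{#haproxy.nodes}}
+server {{name}} {{ip}}:{{port}} check inter 2000 rise 2 fall 5
+{{/haproxy.nodes}}
+
+{{/haproxy.services}}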
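Review bot: The `global` section declares no `log` target, so `log global` in `defaults` and `option tcplog` in every `listen` block emit nothing. Connection records for the proxied API ports would then be missing when access has to be traced. Adding a target under `global`, for example `log 127.0.0.1 local0` with the syslog daemon set to accept it, makes the existing log options effective. Also, `bind *:{{proxy_port}}` listens on every address of the node; if the proxy is meant to serve one network only, a bind address taken from metadata would narrow the exposure.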
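--- a/elements/haproxy/os-refresh-config/post-configure.d/20-haproxy
+++ b/elements/haproxy/os-refresh-config/post-configure.d/20-haproxy
@@ -0,0 +1,4 @@
+#!/bin/bash
+set -eux
+
+service haproxy restart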
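Review bot: `service haproxy restart` runs without first checking the rendered configuration, so a metadata value that yields an invalid haproxy.cfg stops the proxy for every service behind it. Validating first with `haproxy -c -f /etc/haproxy/haproxy.cfg` lets `set -e` abort before the running instance is touched. Where the init script supports it, `reload` instead of `restart` would also avoid dropping established connections on each refresh.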
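--- a/elements/haproxy/os-refresh-config/pre-configure.d/98-haproxy-iptables
+++ b/elements/haproxy/os-refresh-config/pre-configure.d/98-haproxy-iptables
@@ -0,0 +1,40 @@
+#!/bin/bash
+set -eu
+
+DISTRO=`lsb_release -si` || true
+
+if [[ "RedHatEnterpriseServer CentOS Fedora" =~ "$DISTRO" ]]; then
+
+# Check if the iptables service is active
+if systemctl is-active iptables.service ; then
+IPT_FILE=/etc/sysconfig/iptables
+if [ -f $IPT_FILE ]; then
+iptables-restore < $IPT_FILE
+fi
+
+CONF=`os-apply-config --key haproxy.services --type raw | sed "s/u'/'/g"|sed "s/'/\"/g"`
+[ -z "$CONF" ] && exit 0
+
+# parses metadata hash and returns lines in "port-proxy_port" format:
+LINES=`echo "$CONF" | python -c 'import json,sys;obj=json.load(sys.stdin);print "\n".join(["%d-%d" % (x["port"], x["proxy_port"]) for x in obj])'`
+[ -z "$LINES" ] && exit 0
+
+for LINE in $LINES; do
+PORT=${LINE%-*}
+PROXY_PORT=${LINE#*-}
+# keystone is the only exception where ports are twisted - real
+# service listens on non-standard port if haproxy is used so
+# PORT instead of PROXY_PORT should be enabled
+if [ $PROXY_PORT = "5000" -o $PROXY_PORT = "35357" ];then
+FW_PORT=$PORT
+else
+FW_PORT=$PROXY_PORT
+fi
+RULE="INPUT -p tcp --dport $FW_PORT -j ACCEPT"
+iptables -C $RULE 2>/dev/null || iptables -I $RULE
+done
+
+iptables-save > $IPT_FILE
+fi
+
+fi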
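Review bot: The distro test `[[ "RedHatEnterpriseServer CentOS Fedora" =~ "$DISTRO" ]]` is a substring match against a quoted right-hand side, so an empty `DISTRO` (the `|| true` path when lsb_release is missing or fails) matches and the firewall branch runs on any host. An anchored test is stricter: `if [[ "$DISTRO" =~ ^(RedHatEnterpriseServer|CentOS|Fedora)$ ]]; then`. The inserted rule `INPUT -p tcp --dport $FW_PORT -j ACCEPT` has no source or interface match, and `-I` places it ahead of the existing rules, so each proxied port and keystone's backend port are opened to every network the node is attached to. A comment stating that this is intended, or a source/interface restriction taken from metadata, would make the exposure explicit. Rewriting the Python repr into JSON with the two `sed` calls is fragile for any value containing a quote; the `%d` formatting does at least force the ports to be integers before they reach the unquoted `$RULE`.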
@ -11,6 +11,15 @@ verbose={{keystone.verbose}}
|
|||||||
debug={{keystone.debug}}
|
debug={{keystone.debug}}
|
||||||
{{/keystone.debug}}
|
{{/keystone.debug}}
|
||||||
|
|
||||||
|
{{#haproxy}}
|
||||||
|
# if haproxy is used, run real keystone on no-default port,
|
||||||
|
# haproxy will listen on the default port.
|
||||||
|
# For other openstack services haproxy can listen on different ports and
|
||||||
|
# endpoints in keystone will just point to this no-default ports
|
||||||
|
public_port = 5010
|
||||||
|
admin_port = 35367
|
||||||
|
{{/haproxy}}
|
||||||
|
|
||||||
[sql]
|
[sql]
|
||||||
connection = {{keystone.db}}
|
connection = {{keystone.db}}
|
||||||
|
|
||||||
|
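Review bot: `public_port = 5010` and `admin_port = 35367` are fixed values, but nothing ties them to the metadata the rest of this commit reads. The firewall script recognises keystone by `proxy_port` 5000/35357, and haproxy forwards to whatever `port` the metadata gives. If the keystone entries in haproxy.services carry any other `port`, haproxy would presumably health-check and forward to a port keystone is not listening on, and the firewall would open the wrong one. A comment here such as `# must equal the "port" of the keystone entries in haproxy.services`, or taking both values from metadata, would make the coupling visible. The page does not show this hunk's file path, so this assumes it is the keystone configuration template.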