
The issue is present if you're running 2 or more nodes with a keepalived < 1.2.8. This bumps the version of keepalived role (installing a more recent version of keepalived by default) AND edits the keepalived configuration file to avoid having nodes with the same priority. This will restart your keepalived service.

Please note this commit is not meant for backporting. The deployer running on mitaka and below should follow the documentation here: https://review.openstack.org/#/c/279664/

Bug: #1545066
Change-Id: Ie28d2d3fa8670212c64ecbdf5a87314e7ca0a2d9
Configuring HAProxy (optional)
HAProxy provides load balancing for high availability architectures deployed by OpenStack-Ansible. The default HAProxy configuration provides highly-available load balancing services via keepalived if there is more than one host in the haproxy_hosts group.
Note
A load balancer is required for a successful installation. Deployers may prefer to make use of hardware load balancers instead of haproxy. If hardware load balancers are used then the load balancing configuration for services must be implemented prior to executing the deployment.
To deploy HAProxy within your OpenStack-Ansible environment, define target hosts which should run HAProxy:
    haproxy_hosts:
      123456-infra01:
        ip: 172.29.236.51
      123457-infra02:
        ip: 172.29.236.52
      123458-infra03:
        ip: 172.29.236.53
There is an example configuration file already provided in /etc/openstack_deploy/conf.d/haproxy.yml.example. Rename the file to haproxy.yml and configure it with the correct target hosts to use HAProxy in an OpenStack-Ansible deployment.
Making HAProxy highly-available
HAProxy will be deployed in a highly-available manner, by installing keepalived if multiple hosts are found in the inventory.
To skip the deployment of keepalived alongside HAProxy when installing HAProxy on multiple hosts, edit /etc/openstack_deploy/user_variables.yml by setting:

    haproxy_use_keepalived: False
Otherwise, edit at least the following variables in user_variables.yml to make keepalived work:

    haproxy_keepalived_external_vip_cidr: 192.168.0.4/25
    haproxy_keepalived_internal_vip_cidr: 172.29.236.54/16
    haproxy_keepalived_external_interface: br-flat
    haproxy_keepalived_internal_interface: br-mgmt
- haproxy_keepalived_internal_interface and haproxy_keepalived_external_interface represent the interfaces on the deployed node where the keepalived nodes will bind the internal/external vip. By default the br-mgmt will be used.
- haproxy_keepalived_internal_vip_cidr and haproxy_keepalived_external_vip_cidr represent the internal and external (respectively) vips (with their prefix length) that will be used on the keepalived host with the master status, on the interface listed above.
- Additional variables can be set to adapt keepalived in the deployed environment. Please refer to the user_variables.yml for more descriptions.
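A pre-deployment sanity check for the VIP settings described above. This is an added example, not part of OpenStack-Ansible; the function name check_keepalived_vips and the dictionaries are hypothetical, the sample values are constructed from the ones on this page, and it assumes the haproxy_hosts ip values sit on the same network as the internal VIP.

```python
import ipaddress

# Constructed sample input mirroring the values shown on this page.
HAPROXY_HOSTS = {
    "123456-infra01": "172.29.236.51",
    "123457-infra02": "172.29.236.52",
    "123458-infra03": "172.29.236.53",
}
USER_VARIABLES = {
    "haproxy_keepalived_external_vip_cidr": "192.168.0.4/25",
    "haproxy_keepalived_internal_vip_cidr": "172.29.236.54/16",
}


def check_keepalived_vips(user_vars, haproxy_hosts):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    hosts = {n: ipaddress.ip_address(ip) for n, ip in haproxy_hosts.items()}
    vips = {}
    for side in ("internal", "external"):
        key = f"haproxy_keepalived_{side}_vip_cidr"
        value = str(user_vars.get(key, ""))
        if "/" not in value:
            problems.append(f"{key}: missing address or prefix length")
            continue
        try:
            vip = ipaddress.ip_interface(value)
        except ValueError as exc:
            problems.append(f"{key}: {exc}")
            continue
        vips[side] = vip
        net = vip.network
        # Only meaningful when the prefix leaves room for host addresses.
        if net.num_addresses > 2 and vip.ip in (net.network_address, net.broadcast_address):
            problems.append(f"{key}: {vip.ip} is the network or broadcast address")
        for name, ip in hosts.items():
            if ip == vip.ip:
                problems.append(f"{key}: {vip.ip} is already the address of {name}")
    # Assumption: the haproxy_hosts "ip" values sit on the internal VIP's network.
    if "internal" in vips:
        for name, ip in hosts.items():
            if ip not in vips["internal"].network:
                problems.append(f"{name}: {ip} is outside {vips['internal'].network}")
    if len(vips) == 2 and vips["internal"].ip == vips["external"].ip:
        problems.append("internal and external VIPs use the same address")
    return problems


if __name__ == "__main__":
    for line in check_keepalived_vips(USER_VARIABLES, HAPROXY_HOSTS) or ["ok"]:
        print(line)
```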
To always deploy (or upgrade to) the latest stable version of keepalived, edit /etc/openstack_deploy/user_variables.yml by setting:

    keepalived_use_latest_stable: True
The HAProxy playbook makes use of the variable file vars/configs/keepalived_haproxy.yml, and feeds its content to the keepalived role, for keepalived master and backup nodes.

You can use your own variable file by setting the path in your /etc/openstack_deploy/user_variables.yml:

    haproxy_keepalived_vars_file:
Securing HAProxy communication with SSL certificates
The OpenStack-Ansible project provides the ability to secure HAProxy communications with self-signed or user-provided SSL certificates. By default, self-signed certificates are used with HAProxy. However, deployers can provide their own certificates by using the following Ansible variables:
    haproxy_user_ssl_cert:    # Path to certificate
    haproxy_user_ssl_key:     # Path to private key
    haproxy_user_ssl_ca_cert: # Path to CA certificate
Refer to Securing services with SSL certificates for more information on these configuration options and how deployers can provide their own certificates and keys to use with HAProxy.