Okay, I have workarounds for all the bugs that stopped Octavia (OpenStack Loadbalancer) coming up for TripleO 16.1 Beta - Train on CentOS7 production-capable installation. I hate having to answer all my own questions.
OCTAVIA BUGS OR MISCONFIGURATIONS
1. /var/run/octavia has incorrect ownership of root.root. It needs to be octavia.octavia; it prevents the new driver_agent from running, so nothing runs then.
WORKAROUND
Go to the Docker Container octavia_driver_agent and change the ownership to octavia.octavia, then restart all octavia Docker Containers. Notice, we are all Docker here because Podman does not work with Pacemaker HA on CentOS7.
You have to execute these on all controllers.
-----------------COMMANDS
sudo docker exec -ti --user root octavia_driver_agent /bin/bash # Root on the container
chown octavia.octavia /var/run/octavia
exit
sudo docker restart octavia_driver_agent
sudo docker restart octavia_worker
sudo docker restart octavia_housekeeping
sudo docker restart octavia_health_manager
------------------
I did try changing the docker image in the container-image-prepare command, but somewhere in the YAML deployment scripts /var/run/octavia gets reset to root.root ownership.
2. No Octavia certs get generated automatically.
The logic within the deployment jinja2 script /usr/share/openstack-tripleo-heat-templates/deployment/octavia/octavia-deployment-config.j2.yaml means that Octavia Certs are only generated if OctaviaGenerateCerts is true and IMPORTANTLY the Stack is at state CREATE.
WORKAROUND
So it only works if your TripleO deploys completely the first time round. If you are looking at multiple Controllers and Computes, the sheer number of moving parts makes this highly unlikely. I think the logic should be changed so that generate_certs is true when OctaviaGenerateCerts is true and Stack is CREATE or STACK is UPDATE.
Is there a problem with regenerating the certs each time you deploy??? (it's better than not creating them at all)
My TripleO never deploys completely each time, I always have at least one restart even just owing to docker.io pull bandwidth issues. So I changed Stack - CREATE to UPDATE. I'll change it to CREATE or UPDATE (the best option) on my next redeployment.
------------------------------ /usr/share/openstack-tripleo-heat-templates/deployment/octavia/octavia-deployment-config.j2.yaml
generate_certs:
  and:
    - get_param: OctaviaGenerateCerts
    - equals:
        - get_param: StackAction
        # - CREATE
        - UPDATE
3. No Octavia roles are generated by deployment scripts. This is a strange one. The Policy file is generated and in place but no roles are set. Octavia cannot work without the 'load-balancer_member' and 'load-balancer_admin' roles being set for users. So we might as well generate the roles then.
This was an abandoned update (shown below possible fix).
WORKAROUND
------------------------------COMMANDS
source overcloudrc
openstack role create load-balancer_member
openstack role create load-balancer_admin
openstack role create load-balancer_observer
openstack role create load-balancer_global_observer
openstack role create load-balancer_quota_admin
-------
For USER and PROJECT
openstack role add --user USER --project PROJECT load-balancer_admin
openstack role add --user USER --project PROJECT load-balancer_member
POSSIBLE FIX
Increase the ansible install Steps to 6 and add the following to /usr/share/openstack-tripleo-heat-templates/deployment/octavia/octavia-api-container-puppet.yaml after Step 5 or add it to the end of Step 5. I'll see if this works on my next redeploy.
step_6: # If you chose to add ansible Step_6
  config_volume: octavia
  puppet_tags: keystone_role
  step_config: |
    include ::octavia::roles
  config_image: {get_param: ContainerOctaviaConfigImage}
  volumes:
    - /var/lib/config-data/puppet-generated/octavia/etc/octavia:/etc/octavia:ro
Okay so my Octavia Loadbalancer service at the latest version is working beautifully for a 3 Controller, 3 Compute, 3 Ceph - TripleO Train CentOS7 environment now.
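A re-check for workarounds 1 and 3 that can be rerun after every redeploy, since the post notes that deployment resets /var/run/octavia to root.root. This is an added example, not part of the original post; the function names and the `run-dir` / `roles` arguments are hypothetical, while the container and role names are the ones listed in the post.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): re-apply workarounds 1 and 3 only when needed.
# Function names and the run-dir/roles arguments are hypothetical.

OCTAVIA_ROLES="load-balancer_member load-balancer_admin load-balancer_observer
load-balancer_global_observer load-balancer_quota_admin"

# Read role names (one per line) on stdin; print each required Octavia role that is absent.
missing_roles() {
    local existing role
    existing=$(cat)
    for role in $OCTAVIA_ROLES; do
        # -x matches the whole line, so "member" does not satisfy "load-balancer_member"
        printf '%s\n' "$existing" | grep -qxF -- "$role" || printf '%s\n' "$role"
    done
}

# Succeed only if an "owner:group" string is octavia:octavia.
owner_ok() {
    [ "$1" = "octavia:octavia" ]
}

# Run on each controller: check the runtime directory, repair and restart only if it was reset.
fix_run_dir() {
    local owner c
    owner=$(sudo docker exec --user root octavia_driver_agent \
        stat -c '%U:%G' /var/run/octavia) || return 1
    if ! owner_ok "$owner"; then
        echo "/var/run/octavia is $owner, resetting to octavia:octavia"
        sudo docker exec --user root octavia_driver_agent chown octavia:octavia /var/run/octavia
        for c in octavia_driver_agent octavia_worker octavia_housekeeping octavia_health_manager; do
            sudo docker restart "$c"
        done
    fi
}

# Run once with overcloudrc sourced: create only the roles Keystone does not already have.
create_missing_roles() {
    local role
    for role in $(openstack role list -f value -c Name | missing_roles); do
        openstack role create "$role"
    done
}

case "${1:-}" in
    run-dir) fix_run_dir ;;
    roles)   create_missing_roles ;;
esac
```

Run it with `run-dir` on every controller and with `roles` once after `source overcloudrc`; with no argument it only defines the functions.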