octavia
OpenStack: Octavia / Amphora LB check
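#!/bin/bash
# Octavia health check: reports amphorae whose provisioning status is ERROR.
# EXIT_CODE is set to 1 when broken amphorae are listed, and also when the
# credentials or the query itself fail, so that an unreachable or
# unauthenticated API is not reported as "healthy".
# NOTE: this listing is an excerpt; the rest of the script is not shown.

EXIT_CODE=0

# Loads the OpenStack admin credentials into this shell's environment.
# The file holds secrets: keep it readable only by the account that runs
# this check, and avoid `set -x` here, which would print them to the trace.
# shellcheck source=/dev/null
if ! source /etc/kolla/admin-openrc.sh; then
  echo "ERROR: cannot load /etc/kolla/admin-openrc.sh" >&2
  EXIT_CODE=1
fi

#######################################
# Print the domain and project that own a load balancer.
# Globals:   LB_ID, PROJECT_ID, PROJECT_NAME, DOMAIN_ID, DOMAIN_NAME (written;
#            kept global as in the original because the remainder of the
#            script is not visible and may read them)
# Arguments: $1 - load balancer ID or name
# Outputs:   "Domain: <name>" and "Project: <name>" on stdout
# Returns:   0 on success, 1 if any lookup fails
#######################################
show_lb_owner() {
  LB_ID=$1

  # show project
  # Every expansion is quoted so an ID containing spaces or glob characters
  # is passed to the CLI as exactly one argument.
  PROJECT_ID=$(openstack loadbalancer show -c project_id -f value "${LB_ID}") || return 1
  PROJECT_NAME=$(openstack project show -c name -f value "${PROJECT_ID}") || return 1

  # show domain
  DOMAIN_ID=$(openstack project show -c domain_id -f value "${PROJECT_ID}") || return 1
  DOMAIN_NAME=$(openstack domain show -c name -f value "${DOMAIN_ID}") || return 1

  echo "Domain: ${DOMAIN_NAME}"
  echo "Project: ${PROJECT_NAME}"
}

# list broken LB
# The exit status of the query is checked separately from its output: a failed
# call also produces empty output and must not be mistaken for "nothing broken".
if OUTPUT="$(openstack loadbalancer amphora list --provisioning-status ERROR)"; then
  if [ -n "${OUTPUT}" ]; then
    echo "${OUTPUT}"
    EXIT_CODE=1
  fi
else
  echo "ERROR: could not query the amphora list" >&2
  EXIT_CODE=1
fi

# search for broken LB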
Octavia: proxy protocol
openstack loadbalancer listener create --name foo-lb1-tcp-80 --protocol TCP --protocol-port 80 foo-lb1 openstack loadbalancer pool create --name foo-lb1-proxy-pool --lb-algorithm ROUND_ROBIN --listener foo-lb1-tcp-80 --protocol PROXY openstack loadbalancer member create --subnet-id foo-subnet --address 10.0.1.13 --protocol-port 80 foo-lb1-proxy-pool # check whather http_realip_module is available nginx -V 2>&1 | grep -- 'http_realip_module' # configure nginx cat /etc/nginx/sites-enabled/default ... server { listen 80 default_server proxy_protocol; set_real_ip_from 10.0.1.17; # incomming proxy IP #set_real_ip_from 192.168.1.0/24; real_ip_header proxy_protocol; ... cat /etc/nginx/nginx.conf ... http { proxy_set_header X-Real-IP $proxy_protocol_addr; proxy_set_header X-Forwarded-For $proxy_protocol_addr; ...
Links
https://docs.nginx.com/nginx/admin-guide/load-balancer/using-proxy-protocol/
https://www.scaleway.com/en/docs/configure-proxy-protocol-with-a-load-balancer/
Octavia: Allow SSH login to Amphora VM
Allow SSH access
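LB_ID=foo-lb01-prod

# Resolve the MASTER amphora of the load balancer, its compute instance, its
# address on the LB management network, and the security group on that port.
# Expansions are quoted so each value reaches the CLI as a single argument.
AMPHORA_ID=$(openstack loadbalancer amphora list --loadbalancer "${LB_ID}" --role MASTER -c id -f value)
AMPHORA_COMPUTE_ID=$(openstack loadbalancer amphora show "${AMPHORA_ID}" -c compute_id -f value)
LB_NETWORK_IP=$(openstack loadbalancer amphora show "${AMPHORA_ID}" -c lb_network_ip -f value)
SECURITY_GROUP_ID=$(openstack port list --server "${AMPHORA_COMPUTE_ID}" --fixed-ip "ip-address=${LB_NETWORK_IP}" -c security_group_ids -f value)

# DEBUG: show ingress tcp rules
openstack security group rule list --ingress --protocol tcp "${SECURITY_GROUP_ID}"

# Open SSH (tcp/22) on the amphora's management security group.
# NOTE(review): 172.16.0.0/12 is a wide range; prefer the address of the
# control node(s) that actually need access. The management security group is
# commonly shared by all amphorae, so the rule may expose SSH on every
# amphora, not only this one - confirm against the deployment.
# Remove the rule again once debugging is finished:
#   openstack security group rule delete <RULE_ID>
# ${VAR:?} aborts instead of running the command with an empty group ID.
openstack security group rule create --protocol tcp --dst-port 22:22 --remote-ip 172.16.0.0/12 "${SECURITY_GROUP_ID:?security group lookup returned nothing}"

# Show the management-network addresses: all amphorae with their role, then
# the MASTER only.
openstack loadbalancer amphora list --loadbalancer "${LB_ID}" -c lb_network_ip -c role -f value
openstack loadbalancer amphora list --loadbalancer "${LB_ID}" -c lb_network_ip --role MASTER -f value

# login to amphora VM from OpenStack control node
ssh local@ctl1-dev.dev.i.example.com
# Run on the control node. AMPHORA_VM_IP is not assigned anywhere in this
# listing; set it to the lb_network_ip printed above. ${VAR:?} stops the
# command when it is unset rather than calling ssh with an empty host.
ssh -i ~/.ssh/id_rsa_octavia "ubuntu@${AMPHORA_VM_IP:?set AMPHORA_VM_IP to the amphora lb_network_ip}"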
Manual SSH access