Ubuntu
These instructions will take you through a first-time install of Calico. If you are upgrading an existing system, please see Upgrading Calico on OpenStack instead.
There are two sections to the install: adding Calico to OpenStack control nodes, and adding Calico to OpenStack compute nodes. Follow the Common steps on each node before moving on to the specific instructions in the control and compute sections. If you want to create a combined control and compute node, work through all three sections.
Before you begin
- Ensure that you meet the requirements.
- Confirm that you have SSH access to and root privileges on one or more Ubuntu hosts (your OpenStack compute or control nodes).
- Install OpenStack with Neutron and ML2 networking on the Ubuntu hosts.
Common steps
Some steps need to be taken on all machines being installed with Calico. These steps are detailed in this section.
Configure APT to use the Calico PPA:
```bash
add-apt-repository ppa:project-calico/calico-3.29
```
Add the official BIRD PPA. This PPA contains fixes to BIRD that are not yet available in Ubuntu. To add the PPA, run:
```bash
add-apt-repository ppa:cz.nic-labs/bird
```
Tip: If the above command fails with error `'ascii' codec can't decode byte`, try running the command with a UTF-8 enabled locale: `LC_ALL=en_US.UTF-8 add-apt-repository ppa:cz.nic-labs/bird`.
Update your package manager on each machine:
```bash
apt-get update
```
Install version 1.0.1 of the `etcd3gw` Python package. This is needed by Calico's OpenStack driver and DHCP agent.
```bash
apt-get install -y python3-pip
pip3 install etcd3gw==1.0.1
```
Edit `/etc/neutron/neutron.conf`. Add a `[calico]` section with the following content, where `<ip>` is the IP address of the etcd server.
```conf
[calico]
etcd_host = <ip>
```
Control node install
On each control node, perform the following steps.
Delete all configured OpenStack state, in particular any instances, routers, subnets and networks (in that order) created by the install process referenced above. You can do this using the web dashboard or at the command line.
Tip: The Admin and Project sections of the web dashboard both have subsections for networks and routers. Some networks may need to be deleted from the Admin section.
Caution: The Calico install will fail if incompatible state is left around.
Run `apt-get upgrade` and `apt-get dist-upgrade`. These commands bring in Calico-specific updates to the OpenStack packages and to `dnsmasq`.
Edit `/etc/neutron/neutron.conf`. In the `[DEFAULT]` section, find the line beginning with `core_plugin`, and change it to read `core_plugin = calico`. Also remove any existing setting for `service_plugins`.
Install the `calico-control` package:
```bash
apt-get install -y calico-control
```
Restart the Neutron server process:
```bash
service neutron-server restart
```
Compute node install
On each compute node, perform the following steps:
Open `/etc/nova/nova.conf` and remove the line from the `[DEFAULT]` section that reads:
```conf
linuxnet_interface_driver = nova.network.linux_net.LinuxOVSInterfaceDriver
```
Remove the lines from the `[neutron]` section setting `service_neutron_metadata_proxy` or `service_metadata_proxy` to `True`, if there are any.
Restart nova compute.
```bash
service nova-compute restart
```
If they're running, stop the Open vSwitch services:
```bash
service openvswitch-switch stop
service neutron-plugin-openvswitch-agent stop
```
Then, prevent the services running if you reboot:
```bash
sh -c "echo 'manual' > /etc/init/openvswitch-switch.override"
sh -c "echo 'manual' > /etc/init/openvswitch-force-reload-kmod.override"
sh -c "echo 'manual' > /etc/init/neutron-plugin-openvswitch-agent.override"
```
Then, on your control node, run the following command to find the agents that you just stopped:
```bash
neutron agent-list
```
For each agent, delete them with the following command on your control node, replacing `<agent-id>` with the ID of the agent:
```bash
neutron agent-delete <agent-id>
```
Install some extra packages:
```bash
apt-get install -y neutron-common neutron-dhcp-agent nova-api-metadata
```
Run `apt-get upgrade` and `apt-get dist-upgrade`. These commands bring in Calico-specific updates to the OpenStack packages and to `dnsmasq`.
Edit `/etc/neutron/neutron.conf`. In the `[oslo_concurrency]` section, ensure that the `lock_path` variable is uncommented and set as follows.
```conf
# Directory to use for lock files. For security, the specified directory should
# only be writable by the user running the processes that need locking.
# Defaults to environment variable OSLO_LOCK_PATH. If external locks are used,
# a lock path must be set.
lock_path = $state_path/lock
```
Install the Calico DHCP agent (which uses etcd, allowing it to scale to higher numbers of hosts) and disable the Neutron-provided one:
```bash
service neutron-dhcp-agent stop
echo manual | tee /etc/init/neutron-dhcp-agent.override
apt-get install -y calico-dhcp-agent
```
Install the `calico-compute` package:
```bash
apt-get install -y calico-compute
```
This step may prompt you to save your iptables rules to make them persistent on restart -- hit yes.
Configure BIRD. By default Calico assumes that you will deploy a route reflector to avoid the need for a full BGP mesh. To this end, it includes configuration scripts to prepare a BIRD config file with a single peering to the route reflector. If that's correct for your network, you can run either or both of the following commands.
For IPv4 connectivity between compute hosts:
```bash
calico-gen-bird-conf.sh <compute_node_ip> <route_reflector_ip> <bgp_as_number>
```
And/or for IPv6 connectivity between compute hosts:
```bash
calico-gen-bird6-conf.sh <compute_node_ipv4> <compute_node_ipv6> <route_reflector_ipv6> <bgp_as_number>
```
You will also need to [configure your route reflector to allow connections from the compute node as a route reflector client](/calico/latest/networking/configuring/bgp).
If you _are_ configuring a full BGP mesh you need to handle the BGP
configuration appropriately on each compute host. The scripts above can be
used to generate a sample configuration for BIRD, by replacing the
`<route_reflector_ip>` with the IP of one other compute host -- this will
generate the configuration for a single peer connection, which you can
duplicate and update for each compute host in your mesh.
To maintain connectivity between VMs if BIRD crashes or is upgraded,
configure BIRD graceful restart:
- Add `-R` to `BIRD_ARGS` in /etc/bird/envvars (you may need to
uncomment this option).
- Edit the upstart jobs /etc/init/bird.conf and bird6.conf (if
you're using IPv6), and add the following script to it.
```bash
pre-stop script
PID=`status bird | egrep -oi '([0-9]+)$' | head -n1`
kill -9 $PID
end script
```
Create `/etc/calico/felix.cfg` with the following content, where `<ip>` is the IP address of the etcd server.
```conf
[global]
DatastoreType = etcdv3
EtcdAddr = <ip>:2379
```
Restart the Felix service.
```bash
service calico-felix restart
```
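A post-install check for the compute-node settings changed in the steps above, added here as an example and not part of the Calico documentation. The function names `ini_get` and `check_compute_node` are made up for this example; the default paths and keys are the ones this page names. It flags any setting left in its pre-Calico state, and a lock directory that is group- or world-writable.

```shell
#!/bin/sh
# Added example: checks a compute node against the settings on this page.
# ini_get FILE SECTION KEY prints the value of an uncommented KEY in [SECTION].
ini_get() {
  awk -v sec="[$2]" -v key="$3" '
    /^[ \t]*[#;]/ { next }
    /^[ \t]*\[/   { gsub(/[ \t]/, ""); cur = $0; next }
    cur == sec && (i = index($0, "=")) {
      k = substr($0, 1, i - 1); gsub(/[ \t]/, "", k)
      if (k == key) {
        v = substr($0, i + 1); gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit
      }
    }' "$1"
}

# check_compute_node [NEUTRON_CONF NOVA_CONF FELIX_CFG]
# Prints one FAIL line per problem; the return status is the problem count.
check_compute_node() {
  neutron=${1:-/etc/neutron/neutron.conf}
  nova=${2:-/etc/nova/nova.conf}
  felix=${3:-/etc/calico/felix.cfg}
  fails=0
  fail() { echo "FAIL: $*"; fails=$((fails + 1)); }
  [ -n "$(ini_get "$neutron" calico etcd_host)" ] ||
    fail "$neutron: [calico] etcd_host is not set"
  lock=$(ini_get "$neutron" oslo_concurrency lock_path)
  [ -n "$lock" ] || fail "$neutron: lock_path is commented out or missing"
  # lock_path refers to $state_path from [DEFAULT]; substitute it to get the directory.
  state=$(ini_get "$neutron" DEFAULT state_path)
  dir=$(printf '%s' "$lock" | sed "s|\$state_path|$state|")
  # Per the config comment: only the service user should be able to write here.
  case $(ls -ld "$dir" 2>/dev/null | cut -c1-10) in
    ?????w*|????????w*) fail "$dir: lock directory is group- or world-writable" ;;
  esac
  case $(ini_get "$nova" DEFAULT linuxnet_interface_driver) in
    *LinuxOVSInterfaceDriver) fail "$nova: OVS linuxnet_interface_driver still set" ;;
  esac
  for key in service_neutron_metadata_proxy service_metadata_proxy; do
    [ "$(ini_get "$nova" neutron "$key")" != True ] ||
      fail "$nova: [neutron] $key = True is still present"
  done
  [ "$(ini_get "$felix" global DatastoreType)" = etcdv3 ] ||
    fail "$felix: [global] DatastoreType is not etcdv3"
  [ -n "$(ini_get "$felix" global EtcdAddr)" ] ||
    fail "$felix: [global] EtcdAddr is not set"
  return "$fails"
}
```

Source the file as root on the compute node and run `check_compute_node && echo OK`; pass three paths to check copies of the files instead.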
Configuration for etcd authentication
If your etcd cluster has authentication enabled, you must also configure the relevant Calico components with an etcd user name and password. You can create a single etcd user for Calico that has permission to read and write any key beginning with `/calico/`, or you can create specific etcd users for each component, with more precise permissions.
This table sets out where to configure each component of Calico for OpenStack, and the detailed access permissions that each component needs:
Component | Configuration | Access |
---|---|---|
Felix | CALICO_ETCD_USERNAME and CALICO_ETCD_PASSWORD variables in Felix's environment on each compute node. | See here |
Neutron driver | etcd_username and etcd_password in [calico] section of /etc/neutron/neutron.conf on each control node. | See here |
DHCP agent | etcd_username and etcd_password in [calico] section of /etc/neutron/neutron.conf on each compute node. | See here |
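One way to set up the single-user option described above, added here as an example and not part of the Calico documentation. It assumes the etcd v3 `etcdctl` client; the user and role names `calico` and `calico-rw` and both function names are placeholders chosen for this example. The second function checks that a config file holding `etcd_password`, such as `/etc/neutron/neutron.conf`, is not world-readable.

```shell
#!/bin/sh
# Added example: one least-privilege etcd user for all Calico components.
# "calico" and "calico-rw" are placeholder names, not names Calico requires.
# On a cluster with auth enabled, point ETCDCTL at an admin login, for example
#   ETCDCTL="etcdctl --endpoints=<ip>:2379 --user root"
ETCDCTL=${ETCDCTL:-etcdctl}

# create_calico_etcd_user [USER] [ROLE]
create_calico_etcd_user() {
  user=${1:-calico}
  role=${2:-calico-rw}
  $ETCDCTL role add "$role" &&
    # Read and write only keys that begin with /calico/ (prefix match).
    $ETCDCTL role grant-permission "$role" --prefix=true readwrite /calico/ &&
    # No password argument: etcdctl prompts for it, keeping it out of shell history.
    $ETCDCTL user add "$user" &&
    $ETCDCTL user grant-role "$user" "$role"
}

# password_file_ok FILE
# Returns 1 if FILE sets etcd_password and is readable by every local user.
password_file_ok() {
  grep -Eq '^[[:space:]]*etcd_password[[:space:]]*=' "$1" || return 0
  case $(ls -l "$1" | cut -c1-10) in
    ???????r*)
      echo "FAIL: $1 holds etcd_password and is world-readable"
      return 1 ;;
  esac
}
```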