x86-64, arm64, ppc64le, or s390x processor
Calico must be able to manage
cali*interfaces on the host. When IPIP is enabled (the default), Calico also needs to be able to manage
tunl*interfaces. When VXLAN is enabled, Calico also needs to be able to manage the
Linux kernel 3.10 or later with required dependencies. The following distributions have the required kernel, its dependencies, and are known to work well with Calico and OpenStack.
- RedHat Linux 7
- Ubuntu 18.04
- CentOS 8
Many Linux distributions, such as most of the above, include NetworkManager. By default, NetworkManager does not allow Calico to manage interfaces. If your nodes have NetworkManager, complete the steps in Preventing NetworkManager from controlling Calico interfaces before installing Calico.
- If your Linux distribution comes with installed Firewalld or another iptables manager it should be disabled. These may interfere with rules added by Calico and result in unexpected behavior.
If a host firewall is needed, it can be configured by Calico HostEndpoint and GlobalNetworkPolicy. More information about configuration at Security for host.
Calico requires a key/value store accessible by all Calico components. For production you will likely want multiple nodes for greater performance and reliability. If you don’t already have an etcdv3 cluster to connect to, please refer to the upstream etcd docs for detailed advice and setup.
Ensure that your hosts and firewalls allow the necessary traffic based on your configuration.
|Calico networking (BGP)
|Calico networking with IP-in-IP enabled (default)
|IP-in-IP, often represented by its protocol number
|Officially TCP 2379 but can vary
* If your compute hosts connect directly and don’t use IP-in-IP, you don’t need to allow IP-in-IP traffic.
Ensure that Calico has the
The simplest way to provide the necessary privilege is to run Calico as root or in a privileged container.
The Calico Neutron driver is written in Python 3 and so requires an OpenStack release that runs with Python 3. Subject to that, we aim to develop and maintain the Neutron driver for Calico (networking-calico) so that its master code works with OpenStack master or any previous Python 3 release, on any operating system, independently of the deployment mechanism that is used to install it.
However, we recommend using OpenStack Yoga or later, and our active support and testing of Calico v3.27 with OpenStack is with Yoga.
If you are using one of the recommended distributions, you will already satisfy these.
Due to the large number of distributions and kernel version out there, it’s hard to be precise about the names of the particular kernel modules that are required to run Calico. However, in general, you’ll need:
iptablesmodules (both the “legacy” and “nft” variants are supported). These are typically broken up into many small modules, one for each type of match criteria and one for each type of action. Calico requires:
- The “base” modules (including the IPv6 versions if IPv6 is enabled in your cluster).
- At least the following match criteria:
icmpv6(if IPv6 is enabled in your kernel),
kube-proxyin IPVS mode).
- At least the following actions:
IP sets support.
Netfilter Conntrack support compiled in (with SCTP support if using SCTP).
IPVS support if using
kube-proxyin IPVS mode.
IPIP, VXLAN, Wireguard support, if using Caliconetworking in one of those modes.
eBPF (including the
tchook support) and XDP (if you want to use the eBPF dataplane).