Configure systems for use with Calico
When running Calico with OpenStack, you also need to configure various OpenStack components, as follows.
Nova (/etc/nova/nova.conf)
Calico uses the Nova metadata service to provide metadata to VMs, without any proxying by Neutron. To make that work:
- An instance of the Nova metadata API must run on every compute node.
/etc/nova/nova.confmust not setservice_neutron_metadata_proxyorservice_metadata_proxytoTrue. (The defaultFalsevalue is correct for a Calico cluster.)
Neutron server (/etc/neutron/neutron.conf)
In /etc/neutron/neutron.conf you need the following settings to
configure the Neutron service.
| Setting | Value | Meaning |
|---|---|---|
| core_plugin | calico | Use the Calico core plugin |
| -------------------- | --------- | ---------------------------------------- |
Calico can operate either as a core plugin or as an ML2 mechanism driver. The function is the same both ways, except that floating IPs are only supported when operating as a core plugin; hence the recommended setting here.
However, if you don't need floating IPs and have other reasons for using ML2, you can, instead, set
| Setting | Value | Meaning |
|---|---|---|
| core_plugin | neutron.plugins.ml2.plugin.ML2Plugin | Use ML2 plugin |
| -------------------- | -------------------------------------- | ---------------------- |
and then the further ML2-specific configuration as covered below.
The following options in the [calico] section of /etc/neutron/neutron.conf govern how
the Calico plugin/driver and DHCP agent connect to the Calico etcd
datastore. You should set etcd_host to the IP of your etcd server, and etcd_port if
that server is using a non-standard port. If the etcd server is TLS-secured, also set:
-
etcd_cert_fileto a client certificate, which must be signed by a Certificate Authority that the server trusts -
etcd_key_fileto the corresponding private key file -
etcd_ca_cert_fileto a file containing data for the Certificate Authorities that you trust to sign the etcd server's certificate.
| Setting | Default Value | Meaning |
|---|---|---|
| etcd_host | 127.0.0.1 | The hostname or IP of the etcd server |
| etcd_port | 2379 | The port to use for the etcd node/proxy |
| etcd_key_file | The path to the TLS key file to use with etcd | |
| etcd_cert_file | The path to the TLS client certificate file to use with etcd | |
| etcd_ca_cert_file | The path to the TLS CA certificate file to use with etcd |
In a multi-region deployment,
[calico] openstack_region configures the name of the region that the local compute or controller
node belongs to.
| Setting | Default Value | Meaning |
|---|---|---|
openstack_region | none | The name of the region that the local compute of controller node belongs to. |
When specified, the value of openstack_region must be a string of lower case alphanumeric
characters or '-', starting and ending with an alphanumeric character, and must match the value of
OpenStackRegion
configured for the Felixes in the same region.
ML2 (.../ml2_conf.ini)
In /etc/neutron/plugins/ml2/ml2_conf.ini you need the following
settings to configure the ML2 plugin.
| Setting | Value | Meaning |
|---|---|---|
| mechanism_drivers | calico | Use Calico |
| type_drivers | local, flat | Allow 'local' and 'flat' networks |
| tenant_network_types | local, flat | Allow 'local' and 'flat' networks |