System requirements
Node requirements
-
x86-64 processor
- Linux kernel 3.10 or later with required dependencies.
The following distributions have the required kernel, its dependencies, and are
known to work well with Calico and OpenStack.
- RedHat Linux 7
- Ubuntu 16.04 and 18.04
- CentOS 7
-
Calico must be able to manage
cali*
interfaces on the host. When IPIP is enabled (the default), Calico also needs to be able to managetunl*
interfaces. When VXLAN is enabled, Calico also needs to be able to manage thevxlan.calico
interface.Note: Many Linux distributions, such as most of the above, include NetworkManager. By default, NetworkManager does not allow Calico to manage interfaces. If your nodes have NetworkManager, complete the steps in Preventing NetworkManager from controlling Calico interfaces before installing Calico.
Key/value store
Calico v3.15 requires a key/value store accessible by all Calico components. For production you will likely want multiple nodes for greater performance and reliability. If you don’t already have an etcdv3 cluster to connect to, please refer to the upstream etcd docs for detailed advice and setup.
Network requirements
Ensure that your hosts and firewalls allow the necessary traffic based on your configuration.
Configuration | Host(s) | Connection type | Port/protocol |
---|---|---|---|
Calico networking (BGP) | All | Bidirectional | TCP 179 |
Calico networking with IP-in-IP enabled (default) | All | Bidirectional | IP-in-IP, often represented by its protocol number 4 |
Calico networking with VXLAN enabled | All | Bidirectional | UDP 4789 |
Calico networking with Typha enabled | Typha agent hosts | Incoming | TCP 5473 (default) |
flannel networking (VXLAN) | All | Bidirectional | UDP 4789 |
All | kube-apiserver host | Incoming | Often TCP 443 or 6443* |
etcd datastore | etcd hosts | Incoming | Officially TCP 2379 but can vary |
* If your compute hosts connect directly and don’t use IP-in-IP, you don’t need to allow IP-in-IP traffic.
Privileges
Ensure that Calico has the CAP_SYS_ADMIN
privilege.
The simplest way to provide the necessary privilege is to run Calico as root or in a privileged container.
OpenStack requirements
We aim to develop and maintain the Neutron driver for Calico (networking-calico) so that its master code works with OpenStack master or any previous release (back to Liberty), on any operating system, independently of the deployment mechanism that is used to install it. However, we recommend using OpenStack Newton or later.
Specific platform notes
Active testing
Our active testing of Calico v3.15 with OpenStack is with the following releases and platforms:
Python version | OpenStack release | OS platform |
---|---|---|
Python 2 | Queens | Ubuntu 18.04 |
Python 2 | Rocky | CentOS 7 |
Python 3 | Ussuri | Ubuntu 18.04 |
Live migration with Train and later
Live migration with Train and later OpenStack releases requires
live_migration_wait_for_vif_plug
to be set to false in nova.conf
, on all compute nodes.
Nova patch needed with Mitaka and earlier
With OpenStack Mitaka and earlier, and if your libvirt is >= 1.3.3 and < 3.1, you will need to patch the Nova code post installation, on each compute host, as in this change. In case you need the same Nova code to work with all possible libvirt versions, you should then add this further change. OpenStack Newton and later already include these two changes.
Kernel dependencies
Tip: If you are using one of the recommended distributions, you will already satisfy these.
ip_set
ip_tables
(for IPv4)ip6_tables
(for IPv6)ipt_REJECT
ipt_rpfilter
ipt_set
nf_conntrack_netlink
subsystemnf_conntrack_proto_sctp
sctp
xt_addrtype
xt_comment
xt_conntrack
xt_icmp
(for IPv4)xt_icmp6
(for IPv6)xt_ipvs
xt_mark
xt_multiport
xt_rpfilter
xt_sctp
xt_set
xt_u32
ipip
(if using Calico networking)