Will you be at KubeCon this year? Join us for CalicoCon 2019!

Configuring systems for use with Calico

When running Calico with OpenStack, you also need to configure various OpenStack components, as follows.

Nova (/etc/nova/nova.conf)

Calico uses the Nova metadata service to provide metadata to VMs, without any proxying by Neutron. To make that work:

  • An instance of the Nova metadata API must run on every compute node.
  • /etc/nova/nova.conf must not set service_neutron_metadata_proxy or service_metadata_proxy to True. (The default False value is correct for a Calico cluster.)

Neutron server (/etc/neutron/neutron.conf)

In /etc/neutron/neutron.conf you need the following settings to configure the Neutron service.

Setting Value Meaning
core_plugin calico Use the Calico core plugin

Calico can operate either as a core plugin or as an ML2 mechanism driver. The function is the same both ways, except that floating IPs are only supported when operating as a core plugin; hence the recommended setting here.

However, if you don’t need floating IPs and have other reasons for using ML2, you can, instead, set

Setting Value Meaning
core_plugin neutron.plugins.ml2.plugin.ML2Plugin Use ML2 plugin

and then the further ML2-specific configuration as covered below.

With OpenStack releases earlier than Liberty you will also need:

Setting Value Meaning
dhcp_agents_per_network 9999 Allow unlimited DHCP agents per network

The following options in the [calico] section of /etc/neutron/neutron.conf govern how the Calico plugin/driver and DHCP agent connect to the Calico etcd datastore. You should set etcd_host to the IP of your etcd server, and etcd_port if that server is using a non-standard port. If the etcd server is TLS-secured, also set:

  • etcd_cert_file to a client certificate, which must be signed by a Certificate Authority that the server trusts

  • etcd_key_file to the corresponding private key file

  • etcd_ca_cert_file to a file containing data for the Certificate Authorities that you trust to sign the etcd server’s certificate.

Setting Default Value Meaning
etcd_host The hostname or IP of the etcd server
etcd_port 2379 The port to use for the etcd node/proxy
etcd_key_file   The path to the TLS key file to use with etcd
etcd_cert_file   The path to the TLS client certificate file to use with etcd
etcd_ca_cert_file   The path to the TLS CA certificate file to use with etcd

In a multi-region deployment, [calico] openstack_region configures the name of the region that the local compute or controller node belongs to.

Setting Default Value Meaning
openstack_region none The name of the region that the local compute of controller node belongs to.

When specified, the value of openstack_region must be a string of lower case alphanumeric characters or ‘-‘, starting and ending with an alphanumeric character, and must match the value of OpenstackRegion configured for the Felixes in the same region.

ML2 (…/ml2_conf.ini)

In /etc/neutron/plugins/ml2/ml2_conf.ini you need the following settings to configure the ML2 plugin.

Setting Value Meaning
mechanism_drivers calico Use Calico
type_drivers local, flat Allow ‘local’ and ‘flat’ networks
tenant_network_types local, flat Allow ‘local’ and ‘flat’ networks

DHCP agent (…/dhcp_agent.ini)

With OpenStack releases earlier than Liberty, in /etc/neutron/dhcp_agent.ini you need the following setting to configure the Neutron DHCP agent.

Setting Value Meaning
interface_driver RoutedInterfaceDriver Use Calico’s modified DHCP agent support for TAP interfaces that are routed instead of being bridged