Chapter 6. MidoNet Cluster

The MidoNet Cluster is a new type of node introduced in MidoNet v5 that replaces the MidoNet API. The MidoNet Cluster provides the REST API endpoint, and also hosts a number of management services such as VxLAN Gateway Controller.

 Recommended installation nodes

The MidoNet Cluster can be installed on any node with access to the ZooKeeper cluster (which typically uses three ports: TCP/2181, TCP/2888, and TCP/3888.

For test/evaluation purposes MidoNet Cluster, ZooKeeper and Cassandra can coexist on the same physical host.

Note however that such configuration is discouraged for production deployments. In this case, each of MidoNet Cluster, ZooKeeper and Casandra should be placed in dedicated nodes.

 Fault-tolerant configuration guidelines

In order to provide a fault-tolerant solution, we recommend running several instances of the MidoNet Cluster on different nodes and then exposing a common virtual IP (VIP) address using an external load balancer to distribute the API calls between the instances.

No special load balancer features are needed, so any load balancer will work.

 MidoNet REST API HTTP endpoint

The MidoNet Cluster exposes a RESTful API running over the Hypertext Transfer Protocol (HTTP) that provides the integration point between external applications (including the cloud controller) and the internal MidoNet configurations. The REST API is stateless, so you can scale out this service by simply adding more Cluster nodes.

The MidoNet REST API supports OpenStack Keystone authentication.

The REST API will be exposed on port TCP/8181 by default. This port can be changed with the following mn-conf command:

echo "cluster.rest_api.http_port = $NEW_PORT" | mn-conf set -t default

 MidoNet REST API HTTPS endpoint

To enable the HTTPS end-point of the MidoNet Cluster REST API service, you must configure a JKS key store containing the private and public key X.509 certificate used for encrypting such connections.

The location of the key store file and the password for the private key are specified as the following Java system properties.

 

Table 6.1. System Properties for the HTTPS Key Store

Property NameDefault ValueDescription

midonet.keystore_path

/etc/midonet-cluster/ssl/midonet.jks

The name of the key store file.

midonet.keystore_password

none

The password for the private key entry. If not set, the HTTPS end-point of the REST API will be disabled (default).


To change the previous properties, and enable HTTPS, you can add the corresponding property values to the environmental MidoNet Cluster script file found at /etc/midonet-cluster/midonet-cluster-env.sh:

JVM_OPTS="$JVM_OPTS -Dmidonet.keystore_path=<key-store-file>"
JVM_OPTS="$JVM_OPTS -Dmidonet.keystore_password=<key-entry-password>"

HTTPS is exposed on port TCP/8443 by default. This port can be changed with the following mn-conf command:

echo "cluster.rest_api.https_port = $NEW_PORT" | mn-conf set -t default

MidoNet Cluster will disable the HTTPS endpoint if the port is set to a value equal or less than 0, or if no keystore is accessible on the system.

To generate a self-signed key, you can use the following procedure. Note that you will be prompted for passwords during this process, and need to keep the keystore password for later use.

openssl genrsa -des3 -out midonet.key 2048
openssl rsa -in midonet.key -out midonet.key
openssl req -sha256 -new -key midonet.key -out midonet.csr -subj '/CN=localhost'
openssl x509 -req -days 365 -in midonet.csr -signkey midonet.key -out midonet.crt

Now we will combine the private key into the cert, because we generated them separately:

openssl pkcs12 -inkey midonet.key -in midonet.crt -export -out midonet.pkcs12

And load the certificate into the keystore:

keytool -importkeystore -srckeystore midonet.pkcs12 -srcstoretype PKCS12 -destkeystore midonet.jks

Now place the keystore in the default location:

mv midonet.jks /etc/midonet-cluster/ssl

For more advanced key management, including adding your own certificate to the keystore, please refer to the following documentation:

https://www.eclipse.org/jetty/documentation/current/configuring-ssl.html

Questions? Discuss on Mailing Lists or Chat.
Found an error? Report a bug.