contrail controller #12

Supports: xenial bionic


Contrail controller component within a docker container.


OpenContrail is a fully featured Software Defined Networking (SDN) solution for private clouds. It supports high performance isolated tenant networks without requiring external hardware support. It provides a Neutron plugin to integrate with OpenStack.

This charm provides the Contrail Controller role that includes configuration API server, control API server, WebUI and required third-party components.

Only OpenStack Mitaka or newer is supported. Only Contrail 4.0 is supported for now. Juju 2.0 is required.


Contrail Analytics is a prerequisite service and must be deployed first. Once it is ready, deploy and relate as follows:

juju deploy contrail-controller
juju add-relation contrail-analytics contrail-controller


The charm requires a docker image with Contrail Controller as a resource. It can be provided as usual for Juju 2.0, either in the deploy command or through attach-resource:

juju attach contrail-controller contrail-controller="$PATH_TO_IMAGE"

External Docker repository

Instead of attaching a resource with the docker image, the charm can accept an image from a remote docker repository. docker-registry should be specified if the registry is only accessible via the http protocol (insecure registry). docker-user / docker-password can be specified if the registry requires authentication. image-name / image-tag are the parameters for the image itself.

High Availability (HA)

Multiple units of this charm can be deployed to support HA deployments:

juju add-unit contrail-controller

Relating to haproxy charm (http-services relation) allows multiple units to be load balanced:

juju add-relation contrail-controller:http-services haproxy
juju add-relation contrail-controller:https-services haproxy

The charm can pass the list of backends to haproxy via two relations: http-services and https-services. It passes unsecured backends (like contrail-api:8082) via http-services and secured backends (like webUI:8143) via https-services. This split allows the charm to be related to different haproxy applications.

For https connections there are two modes: tcp and http. Mode tcp means that haproxy will be configured in pass-through mode, and mode http means that haproxy will be configured in termination mode. By default tcp mode (webui) is used. If you want to implement SSL termination in haproxy for webui, you can configure it:

juju config contrail-controller haproxy-https-mode=http
juju config haproxy ssl_cert=SELFSIGNED

For http connections there are two modes: http and https. Both modes configure haproxy in http mode (termination). Mode https additionally configures haproxy to use SSL for the frontend. By default http mode is used. To configure haproxy in https mode you can run:

juju config contrail-controller haproxy-http-mode=https

Another certificate can also be used for the haproxy charm. Please check its manual for more information.


This charm supports relation to easyrsa charm to obtain certificates for XMPP and Sandesh connections:

juju add-relation contrail-controller easyrsa

Please note that in this case all charms must be related to easyrsa. Components require CA certificate for communication.

External RabbitMQ

Charm can be related to RabbitMQ:

juju add-relation contrail-controller rabbitmq-server:amqp

In this case internal RabbitMQ server will not be run and Contrail software will be configured to use external one.


(string) Authentication mode. It represents the 'aaa_mode' configuration key of Contrail. Can be one of: 'rbac', 'cloud-admin' or 'no-auth'. Detailed information can be found in the Contrail documentation. In case of 'rbac' the charm will configure Contrail in RBAC mode and the administrator must configure RBAC rules to allow users to work. In case of 'cloud-admin' the charm will configure Contrail in compatible mode.
(string) Default router ASN
(string) Memory limits for Java process of Cassandra.
(string) Contrail has this as a parameter and checks it at startup. If the disk is smaller, the status of the DB is not good.
(string) Role name in keystone for users that have full access to everything.
(string) Network that API services listen on. The IP address and netmask of the control network (e.g. or physical device name. This network will be used for all services in the charm except control/dns. In Contrail this network is called the API(/MGMT) network. If not specified, the default network will be used.
(string) Network for data traffic of workload and for control traffic between compute nodes and control services. The IP address and netmask of the control network (e.g. or physical device name. This network will be used for Contrail endpoints. If not specified then control-network will be used or the default network will be used.
(string) A logging driver for the service’s containers.
(string) Logging options for the logging driver. Logging options available depend on which logging driver you use.
max-size=20m max-file=5
(string) Password to the docker registry.
(string) URL of docker-registry
(boolean) Whether the docker-registry is insecure and docker should be configured for it.
(string) Login to the docker registry.
(string) Docker runtime to install. Valid values are "upstream" (Docker PPA), "apt" (Ubuntu archive), "auto" (Ubuntu archive), or "custom" (must have set `docker_runtime_repo` URL, `docker_runtime_key_url` URL and `docker_runtime_package` name). Warning! The changes will not be applied after the package is installed.
(string) Custom Docker repository validation key URL. Warning! The changes will not be applied after the package is installed.
(string) Custom Docker repository package name. Warning! The changes will not be applied after the package is installed.
(string) Custom Docker repository, given in deb format. Use `{ARCH}` to determine architecture at runtime. Use `{CODE}` to set release codename. E.g. `deb [arch={ARCH}] {CODE} stable`. Warning! The changes will not be applied after the package is installed.
(string) Defines how many flow records will be exported by the vRouter agent to the Contrail Collector when a flow is created or deleted.
(string) Role name in keystone for users that have read-only access to everything.
(string) Mode for haproxy for http backends - http or https. https means that haproxy will be configured with SSL termination. http configures haproxy without SSL and http services (config-api and analytics-api) can be accessed via haproxy by http connection.
(string) Mode for haproxy for https backends (WebUI) - tcp or http. tcp means pass-through for SSL connection - client will see cert from backend. http mode means ssl-termination in haproxy - cert from backend will be parsed by haproxy and client will see cert that is set for haproxy itself.
(string) URL to use for HTTP_PROXY to be used by Docker. Only useful in closed environments where a proxy is the only option for routing to the registry to pull images
(string) URL to use for HTTPS_PROXY to be used by Docker. Only useful in closed environments where a proxy is the only option for routing to the registry to pull images
(string) Tag of docker image.
(boolean) Write RabbitMQ resolutions for cluster node names into /etc/hosts based on addresses from subnets configured in control-network config as well as a system hostname plus '-contrail-rmq' postfix. This config option is useful for multi-homed setups where a system hostname in the configured DNS does not correspond to an address used for RabbitMQ clustering traffic.
(string) Log level for contrail services. Valid values are: SYS_EMERG, SYS_ALERT, SYS_CRIT, SYS_ERR, SYS_WARN, SYS_NOTICE, SYS_INFO, SYS_DEBUG
(string) Used by the nrpe subordinate charms. A string that will be prepended to the instance name to set the host name in nagios. So for instance the hostname would be something like juju-myservice-0. If you're running multiple environments with the same services in them, this allows you to differentiate between them.
(string) A comma-separated list of nagios servicegroups. If left empty, the nagios_context will be used as the servicegroup
(string) Comma-separated list of destinations (either domain names or IP addresses) that should be accessed directly, as opposed to going through the proxy defined above. Must be less than 2023 characters long.
(string) Contrail API VIP to be used for configuring haproxy relation for external clients. To be set up also in KeepAlived charm configuration if it’s used for HA. All internal clients like vrouter-agent and openstack clients like neutron will be configured with list of unit's IP-s.
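
The transport and authentication choices described above (haproxy modes, insecure registry, aaa_mode, easyrsa) can be reviewed before deployment with a small check over the intended option values. This is an added example, not part of the charm; the option names auth-mode and docker-registry-insecure are assumptions, since the listing above does not show option names, and the sample values are constructed.

```python
# Added example, not charm code. Option values below are constructed samples.
# Assumed option names: "auth-mode" and "docker-registry-insecure".
ALLOWED = {
    "haproxy-http-mode": ("http", "https"),
    "haproxy-https-mode": ("tcp", "http"),
    "auth-mode": ("rbac", "cloud-admin", "no-auth"),
}
DEFAULTS = {"haproxy-http-mode": "http", "haproxy-https-mode": "tcp"}


def truthy(value):
    """Accept booleans as well as the strings a config file might carry."""
    return str(value).strip().lower() in ("true", "1", "yes")


def audit(options, haproxy_ssl_cert=None, easyrsa_related=False):
    """Return (option, finding) pairs for settings that deserve review."""
    cfg = {**DEFAULTS, **options}
    findings = []
    # "http" is valid for both haproxy options but means different things,
    # so reject values that belong to the other option.
    for name, allowed in ALLOWED.items():
        if name in cfg and cfg[name] not in allowed:
            findings.append((name, "invalid value %r, expected %s"
                             % (cfg[name], "/".join(allowed))))
    if cfg["haproxy-http-mode"] == "http":
        findings.append(("haproxy-http-mode",
                         "config-api and analytics-api are served without SSL"))
    if cfg["haproxy-https-mode"] == "http" and haproxy_ssl_cert == "SELFSIGNED":
        findings.append(("haproxy-https-mode",
                         "WebUI clients see haproxy's self-signed certificate"))
    if truthy(cfg.get("docker-registry-insecure")) and cfg.get("docker-password"):
        findings.append(("docker-password",
                         "registry credentials are used over plain http"))
    if cfg.get("auth-mode") == "no-auth":
        findings.append(("auth-mode", "Contrail aaa_mode is set to no-auth"))
    if not easyrsa_related:
        findings.append(("easyrsa",
                         "no easyrsa relation to issue XMPP/Sandesh certificates"))
    return findings


WEAK = {"auth-mode": "no-auth", "docker-registry-insecure": True,
        "docker-password": "example-only", "haproxy-https-mode": "https"}
HARDENED = {"auth-mode": "rbac", "haproxy-http-mode": "https"}

if __name__ == "__main__":
    for option, finding in audit(WEAK):
        print("%-20s %s" % (option, finding))
    print("hardened:", audit(HARDENED, easyrsa_related=True))
```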