contrail controller #8

Supports: xenial bionic


Contrail controller component within a docker container.


OpenContrail is a fully featured Software Defined
Networking (SDN) solution for private clouds. It supports high performance
isolated tenant networks without requiring external hardware support. It
provides a Neutron plugin to integrate with OpenStack.

This charm provides the Contrail Controller role that includes
configuration API server, control API server, WebUI and required third-party

Only OpenStack Mitaka or newer is supported.
Only for Contrail 4.0 for now.
Juju 2.0 is required.


Contrail Analytics is a prerequisite service to deploy.
Once ready, deploy and relate as follows:

juju deploy contrail-controller
juju add-relation contrail-analytics contrail-controller


The charm requires a docker image with Contrail Controller as a resource.
It can be provided, as usual for Juju 2.0, in the deploy command or
through attach-resource:

juju attach contrail-controller contrail-controller="$PATH_TO_IMAGE"

External Docker repository

Instead of attaching a resource with the docker image, the charm can accept an image from a remote docker repository.
docker-registry should be specified if the registry is only accessible via http protocol (insecure registry).
docker-user / docker-password can be specified if the registry requires authentication.
image-name / image-tag are the parameters for the image itself.

High Availability (HA)

Multiple units of this charm can be deployed to support HA deployments:

juju add-unit contrail-controller

Relating to the haproxy charm (http-services relation) allows multiple units to be
load balanced:

juju add-relation contrail-controller:http-services haproxy
juju add-relation contrail-controller:https-services haproxy

The charm can pass the list of backends to haproxy via two relations: http-services and https-services.
It passes unsecured backends (like contrail-api:8082) via http-services and secured backends (like webUI:8143) via https-services.
This split allows the charm to be related to different haproxy applications.

For https connections there are two modes: tcp and http. Mode tcp means that haproxy will be configured in pass-through mode, and mode http means that haproxy will be configured in termination mode. By default tcp mode (webui) is used. If you want to implement SSL termination in haproxy for the webui, you can configure it:

juju config contrail-controller haproxy-https-mode=http
juju config haproxy ssl_cert=SELFSIGNED

For http connections there are two modes: http and https. Both modes configure haproxy in http mode (termination). Mode https additionally configures haproxy to use SSL for the frontend. By default http mode is used. To configure haproxy in https mode you can run:

juju config contrail-controller haproxy-http-mode=https

Another certificate can also be used for the haproxy charm. Please check its manual for more information.


This charm supports a relation to the easyrsa charm to obtain certificates for XMPP and Sandesh connections:

juju add-relation contrail-controller easyrsa

Please note that in this case all charms must be related to easyrsa. Components require the CA certificate for communication.

External RabbitMQ

The charm can be related to RabbitMQ:

juju add-relation contrail-controller rabbitmq-server:amqp

In this case the internal RabbitMQ server will not be run and Contrail software will be configured
to use the external one.


(string) Authentication mode. It represents the 'aaa_mode' configuration key of Contrail. Can be one of: 'rbac', 'cloud-admin' or 'no-auth'. Detailed information can be found in the Contrail documentation. In case of 'rbac' the charm will configure Contrail in RBAC mode and the administrator must configure RBAC rules to allow users to work. In case of 'cloud-admin' the charm will configure Contrail in compatible mode.
(string) Default router ASN
(string) Memory limits for Java process of Cassandra.
(string) Contrail has this as a parameter and checks it at startup. If the disk is smaller, the status of the DB is not good.
(string) Role name in keystone for users that have full access to everything.
(string) The IP address and netmask of the control network (e.g. This network will be used for Contrail endpoints. If not specified, default network will be used.
(string) Password to the docker registry.
(string) URL of docker-registry
(boolean) Whether the docker-registry is insecure and docker should be configured for it.
(string) Login to the docker registry.
(string) Docker runtime to install. Valid values are "upstream" (Docker PPA), "apt" (Ubuntu archive), "auto" (Ubuntu archive), or "custom" (must have set `docker_runtime_repo` URL, `docker_runtime_key_url` URL and `docker_runtime_package` name).
(string) Custom Docker repository validation key URL.
(string) Custom Docker repository package name.
(string) Custom Docker repository, given in deb format. Use `{ARCH}` to determine architecture at runtime. Use `{CODE}` to set release codename. E.g. `deb [arch={ARCH}] {CODE} stable`.
(string) Defines how many flow records will be exported by the vRouter agent to the Contrail Collector when a flow is created or deleted.
(string) Role name in keystone for users that have read-only access to everything.
(string) Mode for haproxy for http backends - http or https. https means that haproxy will be configured with SSL termination. http configures haproxy without SSL and http services (config-api and analytics-api) can be accessed via haproxy by http connection.
(string) Mode for haproxy for https backends (WebUI) - tcp or http. tcp means pass-through for SSL connection - client will see cert from backend. http mode means ssl-termination in haproxy - cert from backend will be parsed by haproxy and client will see cert that is set for haproxy itself.
(string) URL to use for HTTP_PROXY to be used by Docker. Only useful in closed environments where a proxy is the only option for routing to the registry to pull images
(string) URL to use for HTTPS_PROXY to be used by Docker. Only useful in closed environments where a proxy is the only option for routing to the registry to pull images
(string) Tag of docker image.
(boolean) Write RabbitMQ resolutions for cluster node names into /etc/hosts based on addresses from subnets configured in control-network config as well as a system hostname plus '-contrail-rmq' postfix. This config option is useful for multi-homed setups where a system hostname in the configured DNS does not correspond to an address used for RabbitMQ clustering traffic.
(string) Log level for contrail services. Valid values are: SYS_EMERG, SYS_ALERT, SYS_CRIT, SYS_ERR, SYS_WARN, SYS_NOTICE, SYS_INFO, SYS_DEBUG
(string) Used by the nrpe subordinate charms. A string that will be prepended to the instance name to set the host name in nagios. So for instance the hostname would be something like juju-myservice-0. If you're running multiple environments with the same services in them, this allows you to differentiate between them.
(string) A comma-separated list of nagios servicegroups. If left empty, the nagios_context will be used as the servicegroup
(string) Comma-separated list of destinations (either domain names or IP addresses) that should be accessed directly, as opposed to going through the proxy defined above. Must be less than 2023 characters long.
(string) Contrail API VIP to be used for configuring the haproxy relation for external clients. To be set up also in the KeepAlived charm configuration if it’s used for HA. All internal clients like vrouter-agent and openstack clients like neutron will be configured with the list of the units' IPs.
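
The haproxy modes, the insecure-registry setting and the 'aaa_mode' values described above can be checked against a deployed application. The following is an added example, not part of the charm: it audits the JSON printed by `juju config contrail-controller --format=json`, using a constructed sample, and the option names `auth-mode` and `docker-registry-insecure` are assumptions because the page lists their descriptions without their keys.

```python
import json

# Allowed values and defaults are the ones stated on this page. The option
# names "auth-mode" and "docker-registry-insecure" are assumptions: the page
# gives their descriptions but not their keys.
RULES = {
    "haproxy-http-mode": (("http", "https"), "http"),
    "haproxy-https-mode": (("tcp", "http"), "tcp"),
    "auth-mode": (("rbac", "cloud-admin", "no-auth"), None),
}
WEAK = {
    ("haproxy-http-mode", "http"):
        "config-api and analytics-api are exposed through haproxy without SSL",
    ("auth-mode", "no-auth"): "Contrail runs with aaa_mode=no-auth",
}

# Constructed sample in the shape of `juju config <app> --format=json`.
SAMPLE = json.dumps({"settings": {
    "haproxy-http-mode": {"value": "http"},
    "haproxy-https-mode": {"value": "http"},
    "auth-mode": {"value": "no-auth"},
    "docker-registry-insecure": {"value": True},
}})


def audit(config_json, haproxy_ssl_cert=None):
    """Return (option, value, finding) tuples for weak or invalid settings."""
    settings = json.loads(config_json).get("settings", {})

    def value(key, default=None):
        return settings.get(key, {}).get("value", default)

    findings = []
    for key, (allowed, default) in RULES.items():
        current = value(key, default)
        if current is None:
            continue  # option not set and no default stated on the page
        if current not in allowed:
            findings.append((key, current, "not one of " + "/".join(allowed)))
        elif (key, current) in WEAK:
            findings.append((key, current, WEAK[(key, current)]))
    if value("docker-registry-insecure", False) is True:
        findings.append(("docker-registry-insecure", True,
                         "image is pulled from the registry over plain http"))
    # In termination mode the client sees haproxy's certificate, not the WebUI's.
    if value("haproxy-https-mode", "tcp") == "http" and haproxy_ssl_cert == "SELFSIGNED":
        findings.append(("haproxy-https-mode", "http",
                         "haproxy terminates WebUI SSL with a self-signed cert"))
    return sorted(findings, key=lambda f: f[0])
```

Pass the haproxy application's `ssl_cert` value as `haproxy_ssl_cert` so the termination-mode check can see which certificate clients are shown.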