OpenStack Train版 简单部署流程(4)- octavia
Prerequisites
1.Create the database, complete these steps:
mysql -uroot -p1234qwer CREATE DATABASE octavia; GRANT ALL PRIVILEGES ON octavia.* TO 'octavia'@'localhost' IDENTIFIED BY 'OCTAVIA_DBPASS'; GRANT ALL PRIVILEGES ON octavia.* TO 'octavia'@'%' IDENTIFIED BY 'OCTAVIA_DBPASS'; quit
2.To create the Octavia service credentials, complete these steps:
openstack user create --domain default --password octavia123 octavia openstack role add --project admin --user octavia admin openstack service create --name octavia --description "OpenStack Octavia" load-balancer
3.Create the Load-balancer service API endpoints:
openstack endpoint create --region RegionOne load-balancer public http://controller:9876 openstack endpoint create --region RegionOne load-balancer internal http://controller:9876 openstack endpoint create --region RegionOne load-balancer admin http://controller:9876
4.Create the amphora image
git clone https://github.com/openstack/octavia.git -b stable/train yum -y install python2-pip qemu-img git e2fsprogs policycoreutils-python debootstrap libguestfs-tools virt-install.noarch python-virtualenv ##创建镜像 systemctl restart libvirtd;systemctl enable libvirtd git clone https://github.com/openstack/octavia.git -b stable/train virtualenv octavia_disk_image_create source octavia_disk_image_create/bin/activate cd octavia/diskimage-create/ pip install -r requirements.txt ./diskimage-create.sh -i centos-minimal -t qcow2 -o amphora-x64-haproxy -r 1234qwer -s 4
5.Upload the amphora image
cat << EOF >> $HOME/octavia-openrc export OS_PROJECT_DOMAIN_NAME=default export OS_USER_DOMAIN_NAME=default export OS_PROJECT_NAME=admin export OS_USERNAME=octavia export OS_PASSWORD=octavia123 export OS_AUTH_URL=http://controller:5000 export OS_IDENTITY_API_VERSION=3 export OS_IMAGE_API_VERSION=2 export OS_VOLUME_API_VERSION=3 EOF . $HOME/octavia-openrc openstack image create --disk-format qcow2 --container-format bare --private --tag amphora --file amphora-x64-haproxy.qcow2 amphora-x64-haproxy
6.Create a flavor for the amphora image
openstack flavor create --id 200 --vcpus 1 --ram 1024 --disk 5 "amphora" --private
Install and configure components
1.Install the packages:
yum -y install openstack-octavia-api openstack-octavia-health-manager openstack-octavia-housekeeping openstack-octavia-worker python-octavia python-octaviaclient
2.Create the certificates
##Creating the Certificate Authorities ##1 cd mkdir certs chmod 700 certs cd certs ##2 vim openssl.cnf # OpenSSL root CA configuration file. [ ca ] # `man ca` default_ca = CA_default [ CA_default ] # Directory and file locations. dir = ./ certs = $dir/certs crl_dir = $dir/crl new_certs_dir = $dir/newcerts database = $dir/index.txt serial = $dir/serial RANDFILE = $dir/private/.rand # The root key and root certificate. private_key = $dir/private/ca.key.pem certificate = $dir/certs/ca.cert.pem # For certificate revocation lists. crlnumber = $dir/crlnumber crl = $dir/crl/ca.crl.pem crl_extensions = crl_ext default_crl_days = 30 # SHA-1 is deprecated, so use SHA-2 instead. default_md = sha256 name_opt = ca_default cert_opt = ca_default default_days = 3650 preserve = no policy = policy_strict [ policy_strict ] # The root CA should only sign intermediate certificates that match. # See the POLICY FORMAT section of `man ca`. countryName = match stateOrProvinceName = match organizationName = match organizationalUnitName = optional commonName = supplied emailAddress = optional [ req ] # Options for the `req` tool (`man req`). default_bits = 2048 distinguished_name = req_distinguished_name string_mask = utf8only # SHA-1 is deprecated, so use SHA-2 instead. default_md = sha256 # Extension to add when the -x509 option is used. x509_extensions = v3_ca [ req_distinguished_name ] # See <https://en.wikipedia.org/wiki/Certificate_signing_request>. countryName = Country Name (2 letter code) stateOrProvinceName = State or Province Name localityName = Locality Name 0.organizationName = Organization Name organizationalUnitName = Organizational Unit Name commonName = Common Name emailAddress = Email Address # Optionally, specify some defaults. countryName_default = US stateOrProvinceName_default = Oregon localityName_default = 0.organizationName_default = OpenStack organizationalUnitName_default = Octavia emailAddress_default = commonName_default = example.org [ v3_ca ] # Extensions for a typical CA (`man x509v3_config`). subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer basicConstraints = critical, CA:true keyUsage = critical, digitalSignature, cRLSign, keyCertSign [ usr_cert ] # Extensions for client certificates (`man x509v3_config`). basicConstraints = CA:FALSE nsCertType = client, email nsComment = "OpenSSL Generated Client Certificate" subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment extendedKeyUsage = clientAuth, emailProtection [ server_cert ] # Extensions for server certificates (`man x509v3_config`). basicConstraints = CA:FALSE nsCertType = server nsComment = "OpenSSL Generated Server Certificate" subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer:always keyUsage = critical, digitalSignature, keyEncipherment extendedKeyUsage = serverAuth [ crl_ext ] # Extension for CRLs (`man x509v3_config`). authorityKeyIdentifier=keyid:always ##3 mkdir client_ca mkdir server_ca ##从服务器证书颁发机构,准备CA。 ##4 cd server_ca mkdir certs crl newcerts private chmod 700 private touch index.txt echo 1000 > serial ##5 ##创建服务器CA键 openssl genrsa -aes256 -out private/ca.key.pem 4096 ##您需要指定一个密码来保护密钥文件 chmod 400 private/ca.key.pem ##6 openssl req -config ../openssl.cnf -key private/ca.key.pem -new -x509 -days 7300 -sha256 -extensions v3_ca -out certs/ca.cert.pem ##7 cd ../client_ca mkdir certs crl csr newcerts private chmod 700 private touch index.txt echo 1000 > serial ##8 openssl genrsa -aes256 -out private/ca.key.pem 4096 chmod 400 private/ca.key.pem ##9 openssl req -config ../openssl.cnf -key private/ca.key.pem -new -x509 -days 7300 -sha256 -extensions v3_ca -out certs/ca.cert.pem ##10 openssl genrsa -aes256 -out private/client.key.pem 2048 ##11 openssl req -config ../openssl.cnf -new -sha256 -key private/client.key.pem -out csr/client.csr.pem ##12 openssl ca -config ../openssl.cnf -extensions usr_cert -days 7300 -notext -md sha256 -in csr/client.csr.pem -out certs/client.cert.pem ##13 openssl rsa -in private/client.key.pem -out private/client.cert-and-key.pem cat certs/client.cert.pem >> private/client.cert-and-key.pem ##Configuring Octavia ##14 cd /root/certs mkdir /etc/octavia/certs chmod 700 /etc/octavia/certs cp server_ca/private/ca.key.pem /etc/octavia/certs/server_ca.key.pem chmod 700 /etc/octavia/certs/server_ca.key.pem cp server_ca/certs/ca.cert.pem /etc/octavia/certs/server_ca.cert.pem cp client_ca/certs/ca.cert.pem /etc/octavia/certs/client_ca.cert.pem cp client_ca/private/client.cert-and-key.pem /etc/octavia/certs/client.cert-and-key.pem chmod 700 /etc/octavia/certs/client.cert-and-key.pem chown -R octavia.octavia /etc/octavia/certs
3.Create security groups and their rules
. $HOME/octavia-openrc openstack security group create lb-mgmt-sec-grp openstack security group rule create --protocol icmp lb-mgmt-sec-grp openstack security group rule create --protocol tcp --dst-port 22 lb-mgmt-sec-grp openstack security group rule create --protocol tcp --dst-port 9443 lb-mgmt-sec-grp openstack security group create lb-health-mgr-sec-grp openstack security group rule create --protocol udp --dst-port 5555 lb-health-mgr-sec-grp
4.Create a key pair for logging in to the amphora instance
ssh-keygen openstack keypair create --public-key ~/.ssh/id_rsa.pub mykey
5.Create dhclient.conf file for dhclient
cd $HOME sudo mkdir -m755 -p /etc/dhcp/octavia sudo cp octavia/etc/dhcp/dhclient.conf /etc/dhcp/octavia
6.Create a network
OCTAVIA_MGMT_SUBNET=172.16.0.0/12 OCTAVIA_MGMT_SUBNET_START=172.16.0.100 OCTAVIA_MGMT_SUBNET_END=172.16.31.254 OCTAVIA_MGMT_PORT_IP=172.16.0.2 openstack network create lb-mgmt-net openstack subnet create --subnet-range $OCTAVIA_MGMT_SUBNET --allocation-pool \ start=$OCTAVIA_MGMT_SUBNET_START,end=$OCTAVIA_MGMT_SUBNET_END \ --network lb-mgmt-net lb-mgmt-subnet SUBNET_ID=$(openstack subnet show lb-mgmt-subnet -f value -c id) PORT_FIXED_IP="--fixed-ip subnet=$SUBNET_ID,ip-address=$OCTAVIA_MGMT_PORT_IP" MGMT_PORT_ID=$(openstack port create --security-group \ lb-health-mgr-sec-grp --device-owner Octavia:health-mgr \ --host=$(hostname) -c id -f value --network lb-mgmt-net \ $PORT_FIXED_IP octavia-health-manager-listen-port) MGMT_PORT_MAC=$(openstack port show -c mac_address -f value \ $MGMT_PORT_ID) MGMT_PORT_IP=$(openstack port show -f yaml -c fixed_ips \ $MGMT_PORT_ID | awk '{FS=",|";gsub(",","");gsub("'\''",""); \ for(line = 1; line <= NF; ++line) {if ($line ~ /^- ip_address:/) \ {split($line, word, " ");if (ENVIRON["IPV6_ENABLED"] == "" && word[3] ~ /\./) \ print word[3];if (ENVIRON["IPV6_ENABLED"] != "" && word[3] ~ /:/) print word[3];} \ else {split($line, word, " ");for(ind in word) {if (word[ind] ~ /^ip_address=/) \ {split(word[ind], token, "=");if (ENVIRON["IPV6_ENABLED"] == "" && token[2] ~ /\./) \ print token[2];if (ENVIRON["IPV6_ENABLED"] != "" && token[2] ~ /:/) print token[2];}}}}}') sudo ip link add o-hm0 type veth peer name o-bhm0 NETID=$(openstack network show lb-mgmt-net -c id -f value) BRNAME=brq$(echo $NETID|cut -c 1-11) sudo brctl addif $BRNAME o-bhm0 sudo ip link set o-bhm0 up sudo ip link set dev o-hm0 address $MGMT_PORT_MAC sudo iptables -I INPUT -i o-hm0 -p udp --dport 5555 -j ACCEPT sudo dhclient -v o-hm0 -cf /etc/dhcp/octavia
7.Edit the /etc/octavia/octavia.conf file
openstack project list amp_image_owner_id = eec492e093a6451983958244799e4175 openstack security group list amp_secgroup_list = 55235a38-2f54-49b4-83e8-4e9c61d752a8 openstack network list amp_boot_network_list = 25dc889f-a8f4-4b74-8674-f2428004deb0
openstack-config --set /etc/octavia/octavia.conf database connection mysql+pymysql://octavia:OCTAVIA_DBPASS@controller/octavia openstack-config --set /etc/octavia/octavia.conf DEFAULT transport_url rabbit://openstack:RABBIT_PASS@controller openstack-config --set /etc/octavia/octavia.conf oslo_messaging topic octavia_prov openstack-config --set /etc/octavia/octavia.conf api_settings bind_host 0.0.0.0 openstack-config --set /etc/octavia/octavia.conf api_settings bind_port 9876 openstack-config --set /etc/octavia/octavia.conf keystone_authtoken www_authenticate_uri http://controller:5000 openstack-config --set /etc/octavia/octavia.conf keystone_authtoken auth_url http://controller:5000 openstack-config --set /etc/octavia/octavia.conf keystone_authtoken memcached_servers controller:11211 openstack-config --set /etc/octavia/octavia.conf keystone_authtoken auth_type password openstack-config --set /etc/octavia/octavia.conf keystone_authtoken project_domain_name default openstack-config --set /etc/octavia/octavia.conf keystone_authtoken user_domain_name default openstack-config --set /etc/octavia/octavia.conf keystone_authtoken project_name admin openstack-config --set /etc/octavia/octavia.conf keystone_authtoken username octavia openstack-config --set /etc/octavia/octavia.conf keystone_authtoken password octavia123 openstack-config --set /etc/octavia/octavia.conf service_auth auth_url http://controller:5000 openstack-config --set /etc/octavia/octavia.conf service_auth memcached_servers controller:11211 openstack-config --set /etc/octavia/octavia.conf service_auth auth_type password openstack-config --set /etc/octavia/octavia.conf service_auth project_domain_name default openstack-config --set /etc/octavia/octavia.conf service_auth user_domain_name default openstack-config --set /etc/octavia/octavia.conf service_auth project_name admin openstack-config --set /etc/octavia/octavia.conf service_auth username octavia openstack-config --set /etc/octavia/octavia.conf service_auth password octavia123 openstack-config --set /etc/octavia/octavia.conf certificates ca_private_key_passphrase 1234 openstack-config --set /etc/octavia/octavia.conf certificates ca_private_key /etc/octavia/certs/server_ca.key.pem openstack-config --set /etc/octavia/octavia.conf certificates ca_certificate /etc/octavia/certs/server_ca.cert.pem openstack-config --set /etc/octavia/octavia.conf certificates cert_generator local_cert_generator openstack-config --set /etc/octavia/octavia.conf haproxy_amphora server_ca /etc/octavia/certs/server_ca.cert.pem openstack-config --set /etc/octavia/octavia.conf haproxy_amphora client_cert /etc/octavia/certs/client.cert-and-key.pem openstack-config --set /etc/octavia/octavia.conf haproxy_amphora key_path /etc/octavia/.ssh/octavia_ssh_key openstack-config --set /etc/octavia/octavia.conf haproxy_amphora base_path /var/lib/octavia openstack-config --set /etc/octavia/octavia.conf haproxy_amphora base_cert_dir /var/lib/octavia/certs openstack-config --set /etc/octavia/octavia.conf haproxy_amphora connection_max_retries 5500 openstack-config --set /etc/octavia/octavia.conf haproxy_amphora connection_retry_interval 5 openstack-config --set /etc/octavia/octavia.conf haproxy_amphora rest_request_conn_timeout 10 openstack-config --set /etc/octavia/octavia.conf haproxy_amphora rest_request_read_timeout 120 openstack-config --set /etc/octavia/octavia.conf health-manager bind_port 5555 openstack-config --set /etc/octavia/octavia.conf health_manager bind_ip 172.16.0.2 openstack-config --set /etc/octavia/octavia.conf health_manager controller_ip_port_list 172.16.0.2:5555 amp_image_owner_id=$(openstack project list|grep admin|awk '{print $2}') amp_secgroup_list=$(openstack security group list|grep lb-mgmt-sec-grp|awk '{print $2}') amp_boot_network_list=$(openstack network list|grep lb-mgmt-net|awk '{print $2}') openstack-config --set /etc/octavia/octavia.conf controller_worker amp_image_owner_id $amp_image_owner_id openstack-config --set /etc/octavia/octavia.conf controller_worker amp_image_tag "amphora" openstack-config --set /etc/octavia/octavia.conf controller_worker amp_ssh_key_name mykey openstack-config --set /etc/octavia/octavia.conf controller_worker amp_secgroup_list $amp_secgroup_list openstack-config --set /etc/octavia/octavia.conf controller_worker amp_boot_network_list $amp_boot_network_list openstack-config --set /etc/octavia/octavia.conf controller_worker amp_flavor_id 200 openstack-config --set /etc/octavia/octavia.conf controller_worker network_driver allowed_address_pairs_driver openstack-config --set /etc/octavia/octavia.conf controller_worker compute_driver compute_nova_driver openstack-config --set /etc/octavia/octavia.conf controller_worker amphora_driver amphora_haproxy_rest_driver openstack-config --set /etc/octavia/octavia.conf controller_worker client_ca /etc/octavia/certs/client_ca.cert.pem
8.Populate the octavia database:
octavia-db-manage --config-file /etc/octavia/octavia.conf upgrade head systemctl enable octavia-api octavia-health-manager octavia-housekeeping octavia-worker systemctl restart octavia-api octavia-health-manager octavia-housekeeping octavia-worker systemctl status octavia-api octavia-health-manager octavia-housekeeping octavia-worker
添加 Load Balancers 页面
git clone https://github.com/openstack/octavia-dashboard.git -b stable/train cd /root/octavia-dashboard python setup.py install cd /root/octavia-dashboard/octavia_dashboard/enabled cp _1482_project_load_balancer_panel.py /usr/share/openstack-dashboard/openstack_dashboard/enabled/ cd /usr/share/openstack-dashboard echo yes|./manage.py collectstatic ./manage.py compress systemctl restart httpd
重启创建 veth pair 脚本
Below settings are required to create veth pair after the host reboot
1.Edit the /etc/systemd/network/o-hm0.network file
mkdir -p /etc/systemd/network/
cat >>/etc/systemd/network/o-hm0.network<<EOF [Match] Name=o-hm0 [Network] DHCP=yes EOF
2.Edit the /etc/systemd/system/octavia-interface.service file
cat >>/etc/systemd/system/octavia-interface.service<<EOF [Unit] Description=Octavia Interface Creator Requires=neutron-linuxbridge-agent.service After=neutron-linuxbridge-agent.service [Service] Type=oneshot RemainAfterExit=true ExecStart=/opt/octavia-interface.sh start ExecStop=/opt/octavia-interface.sh stop [Install] WantedBy=multi-user.target EOF
3.Edit the /opt/octavia-interface.sh file
cat >>/opt/octavia-interface.sh<<EOF #!/bin/bash set -ex MGMT_PORT_ID=$(openstack port list|grep octavia-health-manager-listen-port|awk '{print$2}') MAC=$(openstack port show -c mac_address -f value $MGMT_PORT_ID) NETID=$(openstack network show lb-mgmt-net -c id -f value) BRNAME=brq$(echo $NETID|cut -c 1-11)
if [ "$1" == "start" ]; then ip link add o-hm0 type veth peer name o-bhm0 brctl addif $BRNAME o-bhm0 ip link set o-bhm0 up ip link set dev o-hm0 address $MAC ip link set o-hm0 up iptables -I INPUT -i o-hm0 -p udp --dport 5555 -j ACCEPT elif [ "$1" == "stop" ]; then ip link del o-hm0 else brctl show $BRNAME ip a s dev o-hm0 fi
EOF
重启之后执行脚本
cd /opt sh octavia-interface.sh start sudo dhclient -v o-hm0 -cf /etc/dhcp/octavia
