Deploying Octavia
Version: Pike
Operating system: CentOS 7
Integrating Octavia manually
Step 1. Install the packages
    yum -y install \
        openstack-octavia-api.noarch \
        openstack-octavia-common.noarch \
        openstack-octavia-health-manager.noarch \
        openstack-octavia-housekeeping.noarch \
        openstack-octavia-worker.noarch \
        openstack-octavia-diskimage-create.noarch

    # Extension subcommands for "openstack loadbalancer"
    git clone https://github.com/openstack/python-octaviaclient.git -b stable/pike
    cd python-octaviaclient
    pip install -r requirements.txt -e .
Step 2. Create the database
    mysql> CREATE DATABASE octavia;
    mysql> GRANT ALL PRIVILEGES ON octavia.* TO 'octavia'@'localhost' IDENTIFIED BY 'OCTAVIA_DBPASS';
    mysql> GRANT ALL PRIVILEGES ON octavia.* TO 'octavia'@'%' IDENTIFIED BY 'OCTAVIA_DBPASS';
    mysql> flush privileges;
Step 3. Set up Keystone authentication
    openstack user create --domain default --password-prompt octavia
    openstack role add --project service --user octavia admin
    openstack service create load-balancer --name octavia
    openstack endpoint create octavia public http://172.18.128.109:9876 --region RegionOne
    openstack endpoint create octavia admin http://172.18.128.109:9876 --region RegionOne
    openstack endpoint create octavia internal http://172.18.128.109:9876 --region RegionOne
Step 4. Create the security groups
    # Used by the Amphora VMs: traffic between the LB Network and the Amphorae
    openstack security group create lb-mgmt-sec-grp --project <admin project id>
    openstack security group create lb-mgmt-sec-grp --project <service project id>
[Figure: the lb-mgmt-sec-grp security group and its rules]
    # Used by the Amphora VMs: traffic between the Health Manager and the Amphorae
    openstack security group create lb-health-mgr-sec-grp --project <admin project id>
    openstack security group create lb-health-mgr-sec-grp --project <service project id>
[Figure: the lb-health-mgr-sec-grp security group]
Step 5. Create the LB Network, the network over which the Octavia Controller communicates with the Amphorae
    openstack network create lb-mgmt-net
    openstack subnet create \
        --subnet-range 192.168.0.0/24 \
        --allocation-pool start=192.168.0.2,end=192.168.0.200 \
        --network lb-mgmt-net lb-mgmt-subnet
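Step 6. Sign and self-check the CA certificates. CA certificates are used both when the Octavia Controller communicates with the Amphorae and when the Amphorae communicate with the back-end cloud instances, so also make sure the barbican service is enabled.
    source /opt/pike/octavia/bin/create_certificates.sh /etc/octavia/certs/ /opt/pike/octavia/etc/certificates/openssl.cnf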
Step 7. Create the Controller-side network port for the Health Manager. The Health Manager in the Controller communicates with the Amphorae through this port
    neutron port-create --name octavia-health-manager-standalone-listen-port \
        --security-group <lb-health-mgr-sec-grp> \
        --device-owner Octavia:health-mgr \
        --binding:host_id=<hostname> lb-mgmt-net \
        --tenant-id <octavia service>

    ovs-vsctl --may-exist add-port br-int o-hm0 \
        -- set Interface o-hm0 type=internal \
        -- set Interface o-hm0 external-ids:iface-status=active \
        -- set Interface o-hm0 external-ids:attached-mac=<Health Manager Listen Port MAC> \
        -- set Interface o-hm0 external-ids:iface-id=<Health Manager Listen Port ID>
Step 8. Assign an IP address to the Health Manager listen port
    # /etc/octavia/dhcp/dhclient.conf
    request subnet-mask,broadcast-address,interface-mtu;
    do-forward-updates false;

    # Give o-hm0 the MAC of the listen port, then request an address over DHCP
    ip link set dev o-hm0 address <Health Manager Listen Port MAC>
    dhclient -v o-hm0 -cf /etc/octavia/dhcp/dhclient.conf
Step 9. Create the Amphora key pair
    mkdir -p /etc/octavia/.ssh
    ssh-keygen -b 2048 -t rsa -N "" -f /etc/octavia/.ssh/octavia_ssh_key
    nova keypair-add --pub-key=/etc/octavia/.ssh/octavia_ssh_key.pub octavia_ssh_key --user <octavia user id>
Step 10. Build and upload the Amphora image. In production, setting a password is not recommended; boot the instances with the key pair instead
    octavia-diskimage-create.sh -i centos
    openstack image create amphora-x64-haproxy \
        --public \
        --container-format=bare \
        --disk-format qcow2 \
        --file /opt/pike/octavia/diskimage-create/amphora-x64-haproxy.qcow2 \
        --tag amphora
Step 11. Edit the Octavia configuration file (PS: the file generated automatically by Devstack is used as the example here)
    [DEFAULT]
    transport_url = rabbit://stackrabbit:admin@172.18.128.109:5672/
    api_handler = queue_producer
    bind_host = 172.18.128.109

    [api_settings]

    [database]
    connection = mysql+pymysql://root:admin@127.0.0.1:3306/octavia

    [health_manager]
    # The lb-health-mgr-sec-grp security group opens this UDP port
    bind_port = 5555
    # IP address of the o-hm0 network device created in Step 7
    bind_ip = 192.168.0.7
    # Corresponds to the Health Manager listen port from Step 7
    controller_ip_port_list = 192.168.0.7:5555
    heartbeat_key = insecure

    [keystone_authtoken]
    memcached_servers = 172.18.128.109:11211
    signing_dir =
    cafile = /opt/stack/data/ca-bundle.pem
    project_domain_name = Default
    project_name = service
    user_domain_name = Default
    password = admin
    username = octavia
    auth_url = http://172.18.128.109/identity
    auth_type = password

    [certificates]
    ca_private_key_passphrase = foobar
    # Certificates generated in Step 6
    ca_private_key = /etc/octavia/certs/private/cakey.pem
    ca_certificate = /etc/octavia/certs/ca_01.pem

    [anchor]

    [networking]

    [haproxy_amphora]
    # Matches the certificate in the [certificates] section
    server_ca = /etc/octavia/certs/ca_01.pem
    client_cert = /etc/octavia/certs/client.pem
    base_path = /var/lib/octavia
    base_cert_dir = /var/lib/octavia/certs
    # Timeout settings for verifying that the Amphora has booted properly
    connection_max_retries = 1500
    connection_retry_interval = 1
    rest_request_conn_timeout = 10
    rest_request_read_timeout = 120

    [controller_worker]
    # LB Network created in Step 5
    amp_boot_network_list = 6fd0afdc-c683-4157-8354-dcdd43011dad
    # Tag of the image built in Step 9
    amp_image_tag = amphora
    # lb-mgmt-sec-grp ID
    amp_secgroup_list = d4d7a2bb-efc4-4a0f-bb6b-efcc6f9797d3
    # Amphora Flavor
    amp_flavor_id = 0b8517a7-0a9c-4d66-b9f1-60afd2e3061c
    # Amphora Image Owner ID
    amp_image_owner_id = 542a9377317a4fe081c9bac54780eb75
    # Amphora Key Pair
    amp_ssh_key_name = octavia_ssh_key
    network_driver = allowed_address_pairs_driver
    compute_driver = compute_nova_driver
    amphora_driver = amphora_haproxy_rest_driver
    workers = 2
    amp_active_retries = 100
    amp_active_wait_sec = 2
    # Launch the Amphorae in active/standby mode
    loadbalancer_topology = ACTIVE_STANDBY

    [task_flow]

    [oslo_messaging]
    topic = octavia_prov
    rpc_thread_pool_size = 2

    [house_keeping]
    # Periodic cleanup interval
    load_balancer_expiry_age = 3600
    amphora_expiry_age = 3600

    [amphora_agent]

    [keepalived_vrrp]

    [service_auth]
    memcached_servers = 172.18.128.109:11211
    cafile = /opt/stack/data/ca-bundle.pem
    project_domain_name = Default
    project_name = admin
    user_domain_name = Default
    password = admin
    username = admin
    auth_type = password
    auth_url = http://172.18.128.109/identity

    [nova]

    [glance]

    [neutron]

    [quotas]
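An added example, not part of the original post or of Octavia itself: a small Python audit that flags the Devstack throwaway values visible in the configuration above (heartbeat_key = insecure, the foobar CA passphrase, admin passwords, the root database account, a plain-HTTP auth_url) before such a file is reused outside a lab. The audit() helper, the WEAK set and the finding labels are assumptions of this example.

```python
import configparser
from urllib.parse import urlsplit

# Constructed sample: security-relevant lines copied from the Step 11 config.
SAMPLE = """\
[DEFAULT]
transport_url = rabbit://stackrabbit:admin@172.18.128.109:5672/
[database]
connection = mysql+pymysql://root:admin@127.0.0.1:3306/octavia
[health_manager]
heartbeat_key = insecure
[keystone_authtoken]
password = admin
auth_url = http://172.18.128.109/identity
[certificates]
ca_private_key_passphrase = foobar
"""

# Assumption: the throwaway values seen on this page; extend for your site.
WEAK = {"", "admin", "insecure", "foobar"}
SECRET_KEYS = ("password", "heartbeat_key", "ca_private_key_passphrase")
URL_KEYS = ("connection", "transport_url")

def audit(text):
    """Return sorted (section, option, issue) tuples for an oslo-style INI text."""
    # Rename the default section so [DEFAULT] options are not inherited by
    # every other section and reported more than once.
    cp = configparser.RawConfigParser(default_section="__unused__", strict=False,
                                      inline_comment_prefixes=("#",))
    cp.read_string(text)
    findings = set()
    for section in cp.sections():
        for key, value in cp.items(section):
            value = value.strip()
            if key.endswith(SECRET_KEYS) and value in WEAK:
                findings.add((section, key, "weak secret"))
            if key in URL_KEYS:
                url = urlsplit(value)
                if url.username and (url.password or "") in WEAK:
                    findings.add((section, key, "weak password in URL"))
                if url.username == "root":
                    findings.add((section, key, "service uses the root account"))
            if key == "auth_url" and value.startswith("http://"):
                findings.add((section, key, "credentials sent over plain HTTP"))
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join("%s.%s: %s" % f for f in audit(SAMPLE)))
```

The same function can be pointed at the contents of /etc/octavia/octavia.conf or the neutron_lbaas.conf shown in Step 15, since option names ending in "password" are matched as well.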
Step 12. Initialize the Octavia database
    octavia-db-manage upgrade head
Step 13. Start the services
    systemctl start octavia-api.service
    systemctl start octavia-worker.service
    systemctl start octavia-health-manager.service
    systemctl start octavia-housekeeping.service
Step 14. Add the Load Balancers page
    # Pike still uses neutron-lbaas-dashboard
    git clone https://github.com/openstack/neutron-lbaas-dashboard.git -b stable/pike
    cd neutron-lbaas-dashboard
    pip install -r requirements.txt -e .
    cp /opt/pike/neutron-lbaas-dashboard/neutron_lbaas_dashboard/enabled/_1481_project_ng_loadbalancersv2_panel.py /opt/pike/horizon/openstack_dashboard/enabled/
    /opt/pike/horizon/manage.py collectstatic
    /opt/pike/horizon/manage.py compress
    sudo service apache2 restart
Step 15. Edit the Neutron configuration
    # /etc/neutron/neutron.conf
    [DEFAULT]
    service_plugins = neutron.services.l3_router.l3_router_plugin.L3RouterPlugin,lbaasv2

    [octavia]
    base_url = http://172.18.128.109/load-balancer
    request_poll_timeout = 3000

    # /etc/neutron/neutron_lbaas.conf
    [DEFAULT]

    [certificates]

    [quotas]

    [service_auth]
    auth_version = 2
    admin_password = admin
    admin_user = admin
    admin_tenant_name = admin
    auth_url = http://172.18.128.109/identity/v2.0

    [service_providers]
    service_provider = LOADBALANCERV2:Octavia:neutron_lbaas.drivers.octavia.driver.OctaviaDriver:default

    # /etc/neutron/services/loadbalancer/haproxy/lbaas_agent.ini
    [DEFAULT]
    user_group = nobody
    interface_driver = openvswitch
    ovs_use_veth = False

    [haproxy]
    user_group = nobody
Finally, do not forget to restart the Neutron services.
Deploying with Devstack
LBaaS-related components:
neutron, octavia, neutron-lbaas, neutron-lbaas-dashboard
Devstack configuration:
    [[local|localrc]]
    HOST_IP=172.18.128.109

    # Reclone each time
    RECLONE=no
    #OFFLINE=True

    # Enable Logging
    DEST=/opt/pike
    LOGFILE=$DEST/logs/stack.sh.log
    VERBOSE=True
    LOG_COLOR=True
    SCREEN_LOGDIR=$DEST/logs

    # Define images to be automatically downloaded during the DevStack build process.
    DOWNLOAD_DEFAULT_IMAGES=False
    IMAGE_URLS="http://download.cirros-cloud.net/0.3.4/cirros-0.3.4-x86_64-disk.img"

    # use TryStack git mirror
    GIT_BASE=http://git.trystack.cn
    NOVNC_REPO=http://git.trystack.cn/kanaka/noVNC.git
    SPICE_REPO=http://git.trystack.cn/git/spice/sice-html5.git

    # Credentials
    ADMIN_PASSWORD=admin
    DATABASE_PASSWORD=$ADMIN_PASSWORD
    SERVICE_PASSWORD=$ADMIN_PASSWORD
    RABBIT_PASSWORD=$ADMIN_PASSWORD
    SERVICE_TOKEN=$ADMIN_PASSWORD

    ## Neutron
    ENABLED_SERVICES+=,q-lbaasv2
    ENABLED_SERVICES+=,octavia,o-cw,o-hk,o-hm,o-api
    enable_plugin neutron-lbaas https://git.openstack.org/openstack/neutron-lbaas
    enable_plugin octavia https://git.openstack.org/openstack/octavia
    enable_plugin neutron-lbaas-dashboard https://github.com/openstack/neutron-lbaas-dashboard
    disable_service n-net
    enable_service q-svc q-agt q-dhcp q-l3 q-meta neutron
    enable_service q-fwaas q-vpn
Reference: https://blog.csdn.net/jmilk/article/details/81279795