* Openstack Octavia Install Guide(Xena - Ubuntu 20.04.2 LTS)
- For Octavia, the certificates are generated after the initial deployment has been done.
- Starting with the Ussuri release, Octavia is registered in the service project instead of the admin project.
- https://docs.openstack.org/kolla-ansible/latest/reference/networking/octavia.html#customise-network-and-subnet
1. Create the Octavia openrc file
$ cp admin-openrc.sh octavia-openrc.sh

# Ansible managed

# Clear any old environment that may conflict.
for key in $( set | awk '{FS="="} /^OS_/ {print $1}' ); do unset $key ; done
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=service
export OS_TENANT_NAME=service
export OS_USERNAME=octavia
export OS_PASSWORD=openstack
export OS_AUTH_URL=http://172.16.0.110:35357/v3
export OS_INTERFACE=internal
export OS_ENDPOINT_TYPE=internalURL
export OS_IDENTITY_API_VERSION=3
export OS_REGION_NAME=RegionOne
export OS_AUTH_PLUGIN=password
2. Create the Amphora image
$ apt -y install debootstrap
$ git clone https://opendev.org/openstack/octavia -b stable/xena
$ pip3 install diskimage-builder
$ apt install debootstrap qemu-utils kpartx -y
$ cd /octavia/diskimage-create
$ ./diskimage-create.sh
$ openstack image create amphora-x64-haproxy.qcow2 --container-format bare --disk-format qcow2 --private --tag amphora --file amphora-x64-haproxy.qcow2
3. Generate the SSL certificates
### Use one of the following two methods
############################################################################################
* Automatic generation
$ vim /etc/kolla/globals.yml
octavia_certs_country: KR
octavia_certs_state: Oregon
octavia_certs_organization: OpenStack
octavia_certs_organizational_unit: Octavia
$ kolla-ansible octavia-certificates
############################################################################################
* Manual generation
$ mkdir -p /etc/kolla/config/octavia/certs
$ chmod -R 700 /etc/kolla/config/octavia/certs
$ cd octavia/bin/
$ cp openssl.cnf /etc/kolla/config/octavia/certs
$ cd /etc/kolla/config/octavia/certs
$ mkdir server_ca
$ mkdir client_ca
$ cd server_ca/
$ mkdir certs crl newcerts private
$ chmod 700 private
$ touch index.txt
$ echo 1000 > serial
# Generate the server CA key
$ openssl genrsa -aes256 -out private/ca.key.pem 4096
-> password : openstack
$ chmod 400 private/ca.key.pem
# Generate the server CA certificate
$ openssl req -config ../openssl.cnf -key private/ca.key.pem -new -x509 -days 7300 -sha256 -extensions v3_ca -out certs/ca.cert.pem
Country Name (2 letter code) [US]:US
State or Province Name [Oregon]:Oregon
Locality Name [Corvallis]:Corvallis
Organization Name [OpenStack]:openstack
Organizational Unit Name [Octavia]:octavia
Common Name [example.org]:openstack
Email Address []:
$
$ cd ../client_ca
$ mkdir certs crl csr newcerts private
$ chmod 700 private
$ touch index.txt
$ echo 1000 > serial
# Generate the client CA key
$ openssl genrsa -aes256 -out private/ca.key.pem 4096
-> password : openstack
$ chmod 400 private/ca.key.pem
# Generate the client CA certificate
$ openssl req -config ../openssl.cnf -key private/ca.key.pem -new -x509 -days 7300 -sha256 -extensions v3_ca -out certs/ca.cert.pem
# Generate the client key (its certificate is signed by the client CA)
$ openssl genrsa -aes256 -out private/client.key.pem 2048
-> password : openstack
$ openssl req -config ../openssl.cnf -new -sha256 -key private/client.key.pem -out csr/client.csr.pem
$ touch index.txt.attr
# Sign the client certificate request
$ openssl ca -config ../openssl.cnf -extensions usr_cert -days 7300 -notext -md sha256 -in csr/client.csr.pem -out certs/client.cert.pem
# Create the combined client certificate and key file
$ openssl rsa -in private/client.key.pem -out private/client.cert-and-key.pem
$ cat certs/client.cert.pem >> private/client.cert-and-key.pem
##### The block below can be skipped
------------------------------------------------------------------------------------
$ cd ..
$ mkdir -p octavia/certs
$ chmod 700 octavia/certs/
$ cp server_ca/private/ca.key.pem octavia/certs/server_ca.key.pem
-> cp server_ca/private/ca.key.pem /etc/kolla/config/octavia/server_ca.key.pem
$ chmod 700 /etc/kolla/config/octavia/certs/server_ca.key.pem
------------------------------------------------------------------------------------
#####
$ cd /etc/kolla/config/octavia/certs/
$ cp client_ca/certs/ca.cert.pem /etc/kolla/config/octavia/client_ca.cert.pem
$ cp server_ca/certs/ca.cert.pem /etc/kolla/config/octavia/server_ca.cert.pem
$ cp server_ca/private/ca.key.pem /etc/kolla/config/octavia/server_ca.key.pem
$ cp client_ca/private/client.cert-and-key.pem /etc/kolla/config/octavia/client.cert-and-key.pem
$ cd ..
$ chmod 700 client.cert-and-key.pem
### $ chmod 700 octavia/certs/client.cert-and-key.pem -> file does not exist, skipped
The four generated files client_ca.cert.pem, client.cert-and-key.pem, server_ca.cert.pem and server_ca.key.pem must end up in the /etc/kolla/config/octavia directory.
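The manual certificate steps above, as an added example that is not part of the original guide: a POSIX shell script that produces the four files kolla-ansible expects and then checks them (client cert chains to the client CA, key and cert in the combined file match, private keys not world-readable) before deploy. It assumes the openssl CLI is installed, uses the guide's password openstack, and signs the client CSR with openssl x509 -req instead of openssl ca with the repository's openssl.cnf, so it runs without the octavia checkout.

```shell
#!/bin/sh
# Added example, not code from the guide: build the four certificate files the guide leaves in
# /etc/kolla/config/octavia without prompts, then check them before deploy. Assumes the openssl
# CLI and the guide's password "openstack"; signs with "openssl x509 -req", not "openssl ca".
set -eu
CERT_PASS=openstack                             # must equal octavia_ca_password in passwords.yml
SUBJ="/C=KR/ST=Oregon/O=OpenStack/OU=Octavia"   # same values as octavia_certs_* in globals.yml

# make_octavia_certs <outdir>: server CA, client CA and the controller's client cert
make_octavia_certs() {
    out=$1; work=$(mktemp -d); mkdir -p "$out"; chmod 700 "$out"
    for ca in server_ca client_ca; do           # one self-signed root per CA, as in the guide
        openssl genrsa -aes256 -passout "pass:$CERT_PASS" -out "$work/$ca.key.pem" 4096 2>/dev/null
        openssl req -x509 -new -sha256 -days 7300 -key "$work/$ca.key.pem" \
            -passin "pass:$CERT_PASS" -subj "$SUBJ/CN=$ca" -out "$work/$ca.cert.pem"
    done
    # controller client key + CSR, signed by the client CA (amphorae verify this cert)
    openssl genrsa -aes256 -passout "pass:$CERT_PASS" -out "$work/client.key.pem" 2048 2>/dev/null
    openssl req -new -sha256 -key "$work/client.key.pem" -passin "pass:$CERT_PASS" \
        -subj "$SUBJ/CN=client" -out "$work/client.csr.pem"
    openssl x509 -req -sha256 -days 7300 -in "$work/client.csr.pem" -CA "$work/client_ca.cert.pem" \
        -CAkey "$work/client_ca.key.pem" -passin "pass:$CERT_PASS" -CAcreateserial \
        -out "$work/client.cert.pem" 2>/dev/null
    # as in the guide: "openssl rsa" strips the passphrase, then the cert is appended
    openssl rsa -in "$work/client.key.pem" -passin "pass:$CERT_PASS" \
        -out "$out/client.cert-and-key.pem" 2>/dev/null
    cat "$work/client.cert.pem" >> "$out/client.cert-and-key.pem"
    cp "$work/client_ca.cert.pem" "$work/server_ca.cert.pem" "$work/server_ca.key.pem" "$out/"
    chmod 600 "$out/client.cert-and-key.pem" "$out/server_ca.key.pem"   # guide uses 700; x bit unneeded
    rm -rf "$work"
}

# check_octavia_certs <dir>: 0 only if all four files exist, private keys are not world-readable,
# the client cert chains to client_ca.cert.pem, and the key and cert in the combined file match
check_octavia_certs() {
    d=$1
    for f in client_ca.cert.pem client.cert-and-key.pem server_ca.cert.pem server_ca.key.pem; do
        [ -s "$d/$f" ] || { echo "missing or empty: $f"; return 1; }
    done
    for f in client.cert-and-key.pem server_ca.key.pem; do
        [ -z "$(find "$d/$f" -perm -o+r)" ] || { echo "world-readable key: $f"; return 1; }
    done
    openssl x509 -in "$d/client.cert-and-key.pem" 2>/dev/null \
        | openssl verify -CAfile "$d/client_ca.cert.pem" >/dev/null 2>&1 \
        || { echo "client cert does not chain to client_ca.cert.pem"; return 1; }
    [ "$(openssl x509 -in "$d/client.cert-and-key.pem" -noout -pubkey 2>/dev/null)" = \
      "$(openssl pkey -in "$d/client.cert-and-key.pem" -pubout 2>/dev/null)" ] \
        || { echo "key and cert in client.cert-and-key.pem do not match"; return 1; }
}
```

Run make_octavia_certs /etc/kolla/config/octavia followed by check_octavia_certs on the same directory; a non-zero exit with the printed reason means kolla-ansible would ship an inconsistent set to the controllers.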
4. Deploy Octavia
4.1 Octavia settings
$ vim /etc/kolla/passwords.yml
# Change to the passwords you want; octavia_ca_password must be the same password used when generating the certificates.
octavia_ca_password: openstack
octavia_database_password: openstack
octavia_keystone_password: openstack
4.2 Octavia auto-configuration settings
$ vim /etc/kolla/globals.yml
### Add the following
enable_horizon_octavia: "yes"
enable_neutron_provider_networks: "yes"
enable_octavia_driver_agent: "{{ enable_octavia | bool and neutron_plugin_agent == 'ovn' }}"
enable_octavia: "yes"
octavia_auto_configure: yes
octavia_amp_flavor:
  name: "m1.amphora"
  is_public: yes
  flavorid: 100
  vcpus: 2
  ram: 2048
  disk: 10
octavia_amp_security_groups:
  mgmt-sec-grp:
    name: "octavia-sec"
    enabled: yes
    rules:
      - protocol: icmp
      - protocol: tcp
        src_port: 22
        dst_port: 22
      - protocol: tcp
        src_port: "9443"
        dst_port: "9443"
octavia_amp_network:
  name: octavia-net
  shared: true
  #provider_network_type: geneve   ### set to geneve automatically
  subnet:
    name: octavia-sub
    cidr: "{{ octavia_amp_network_cidr }}"
    #allocation_pool_start: "20.0.0.11"   ### setting an allocation range is optional
    #allocation_pool_end: "20.0.0.100"
    gateway_ip: "20.0.0.1"
    no_gateway_ip: no
    enable_dhcp: yes
octavia_amp_network_cidr: 20.0.0.0/24
octavia_amp_image_tag: "amphora"
octavia_loadbalancer_topology: "SINGLE"
octavia_certs_country: KR
octavia_certs_state: Oregon
octavia_certs_organization: OpenStack
octavia_certs_organizational_unit: Octavia
4.3 Network port settings
$ sudo docker exec -it openvswitch_vswitchd bash
$ pip3 install python-neutronclient
$ vi octavia-openrc.sh
$ source octavia-openrc.sh
######### For a manual install the following is configured; for the automatic install it is skipped. #####
$ OCTAVIA_MGMT_SUBNET=30.0.0.0/24
$ OCTAVIA_MGMT_SUBNET_START=30.0.0.101
$ OCTAVIA_MGMT_SUBNET_END=30.0.0.200
$ OCTAVIA_AMP_NETWORK_ID=$(neutron net-create lb-mgmt-net | awk '/ id / {print $4}')
$ neutron subnet-create --name lb-mgmt-subnet --allocation-pool start=$OCTAVIA_MGMT_SUBNET_START,end=$OCTAVIA_MGMT_SUBNET_END lb-mgmt-net $OCTAVIA_MGMT_SUBNET
############################################################################################
######################### With multiple controllers, configure this on every node ################################
(openvswitch-vswitchd)[root@lsmopensteack /] $ neutron port-create --name octavia-hm-port --binding:host_id=$HOSTNAME octavia-net
(openvswitch-vswitchd)[root@lsmopensteack /] $ MGMT_PORT_ID=$(neutron port-show octavia-hm-port | awk '/ id / {print $4}')
(openvswitch-vswitchd)[root@lsmopensteack /] $ MGMT_PORT_MAC=$(neutron port-show octavia-hm-port | awk '/ mac_address / {print $4}')
(openvswitch-vswitchd)[root@lsmopensteack /] $ sudo ovs-vsctl -- --may-exist add-port br-int octavia-hm0 -- set Interface octavia-hm0 type=internal -- set Interface octavia-hm0 external-ids:iface-status=active -- set Interface octavia-hm0 external-ids:attached-mac=$MGMT_PORT_MAC -- set Interface octavia-hm0 external-ids:iface-id=$MGMT_PORT_ID
(openvswitch-vswitchd)[root@lsmopensteack /] $ ip link set dev octavia-hm0 address $MGMT_PORT_MAC
(openvswitch-vswitchd)[root@lsmopensteack /] $ exit
root@lsmopensteack:~$ HM_IP=$(openstack port show octavia-hm-port | awk '/ fixed_ips / {print $4}' | cut -d "'" -f 2)
root@lsmopensteack:~$ echo $HM_IP
20.0.0.X
root@lsmopensteack:~$ ifconfig octavia-hm0 20.0.0.X/24
##################################################################################################################
### The setting below switches the operating status to ONLINE when a load balancer is created;
### without it the operating status is shown as OFFLINE.
### On a multi-node deployment, configure this on each node.
$ vim /etc/kolla/config/octavia.conf
[health_manager]
bind_ip = {Controller External IP}
controller_ip_port_list = {Controller External IP}:5555
4.4 Reconfigure Octavia
$ kolla-ansible -i inventory/all-in-one deploy -t octavia
$ kolla-ansible -i inventory/multinode deploy -t octavia
$ kolla-ansible -i inventory/all-in-one reconfigure -t octavia
$ kolla-ansible -i inventory/multinode reconfigure -t octavia
4.5 Additional settings
1. After the deploy, attach the octavia-net it creates to the default router.
2. Check that the octavia-hm-port created on octavia-net is ACTIVE.
3. After checking, set the security group to allow all ICMP and TCP.
4. The guide above covers the automatic Octavia install driven by the settings in globals.yml.
   # For a manual install, see https://githubhot.com/repo/prastamaha/openstack-octavia
5. Read together with the guide at https://www.notion.so/miners1205/Openstack-Install-Guide-Xena-Ubuntu-20-04-Netplan-ddca795edd264970b5c4d89648c32b88