octavia组件在3控制节点中部署

本篇不涉及octavia集群部署，是在3控制节点中，其中的一台中部署octavia组件，使3台控制节点调用一台的endpoint，其3台都可以正常工作

部署方法与单节点安装octavia基本一致

##1.创建数据库

mysql -uroot -p1234qwer
CREATE DATABASE octavia;
GRANT ALL PRIVILEGES ON octavia.* TO 'octavia'@'localhost'  IDENTIFIED BY 'OCTAVIA_DBPASS';
GRANT ALL PRIVILEGES ON octavia.* TO 'octavia'@'%' IDENTIFIED BY 'OCTAVIA_DBPASS';
quit

##2.

openstack user create --domain default --password octavia123 octavia
openstack role add --project admin --user octavia admin
openstack service create --name octavia --description "OpenStack Octavia" load-balancer
openstack endpoint create --region RegionOne load-balancer public http://10.199.103.13:9876
openstack endpoint create --region RegionOne load-balancer internal http://10.199.103.13:9876
openstack endpoint create --region RegionOne load-balancer admin http://10.199.103.13:9876

##3.创建镜像

yum -y install epel-release
yum -y install openstack-octavia-api.noarch openstack-octavia-common.noarch openstack-octavia-health-manager.noarch openstack-octavia-housekeeping.noarch openstack-octavia-worker.noarch openstack-octavia-diskimage-create.noarch python2-octaviaclient.noarch python-pip.noarch

##第二种安装方法
git clone https://github.com/openstack/python-octaviaclient.git -b stable/train
cd python-octaviaclient
pip install -r requirements.txt -e .

##创建amphora镜像
git clone https://github.com/openstack/octavia.git
cd octavia/diskimage-create/
./diskimage-create.sh -i centos -t qcow2 -o amphora-x64-haproxy -r 1234qwer -s 4

##4.注册镜像

cat << EOF >> $HOME/octavia-openrc
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=octavia
export OS_PASSWORD=octavia123
export OS_AUTH_URL=http://10.199.103.21:5000
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
export OS_VOLUME_API_VERSION=3
EOF

. $HOME/octavia-openrc
openstack image create amphora-x64-haproxy --public --container-format=bare --disk-format qcow2 --file amphora-x64-haproxy.qcow2 --tag amphora
openstack flavor create --id 200 --vcpus 1 --ram 1024 --disk 5 "amphora" --private

镜像注册到其中一台控制节点，需要手动复制到其他控制节点上，并且修改镜像权限，否则会报错

cd /var/lib/glance/images/
scp f45d74be-1f6f-4283-913a-d9a45422f998 controller01:/var/lib/glance/images/
scp f45d74be-1f6f-4283-913a-d9a45422f998 controller02:/var/lib/glance/images/
chown glance:glance f45d74be-1f6f-4283-913a-d9a45422f998

##5.安装软件包

yum -y install openstack-octavia-api openstack-octavia-health-manager openstack-octavia-housekeeping openstack-octavia-worker python-octavia python-octaviaclient

##6.创建认证密钥

##1
cd
mkdir certs
chmod 700 certs
cd certs

##2
vim openssl.cnf

# OpenSSL root CA configuration file.

[ ca ]
# `man ca`
default_ca = CA_default

[ CA_default ]
# Directory and file locations.
dir               = ./
certs             = $dir/certs
crl_dir           = $dir/crl
new_certs_dir     = $dir/newcerts
database          = $dir/index.txt
serial            = $dir/serial
RANDFILE          = $dir/private/.rand

# The root key and root certificate.
private_key       = $dir/private/ca.key.pem
certificate       = $dir/certs/ca.cert.pem

# For certificate revocation lists.
crlnumber         = $dir/crlnumber
crl               = $dir/crl/ca.crl.pem
crl_extensions    = crl_ext
default_crl_days  = 30

# SHA-1 is deprecated, so use SHA-2 instead.
default_md        = sha256

name_opt          = ca_default
cert_opt          = ca_default
default_days      = 3650
preserve          = no
policy            = policy_strict

[ policy_strict ]
# The root CA should only sign intermediate certificates that match.
# See the POLICY FORMAT section of `man ca`.
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
# Options for the `req` tool (`man req`).
default_bits        = 2048
distinguished_name  = req_distinguished_name
string_mask         = utf8only

# SHA-1 is deprecated, so use SHA-2 instead.
default_md          = sha256

# Extension to add when the -x509 option is used.
x509_extensions     = v3_ca

[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
countryName                     = Country Name (2 letter code)
stateOrProvinceName             = State or Province Name
localityName                    = Locality Name
0.organizationName              = Organization Name
organizationalUnitName          = Organizational Unit Name
commonName                      = Common Name
emailAddress                    = Email Address

# Optionally, specify some defaults.
countryName_default             = US
stateOrProvinceName_default     = Oregon
localityName_default            =
0.organizationName_default      = OpenStack
organizationalUnitName_default  = Octavia
emailAddress_default            =
commonName_default              = example.org

[ v3_ca ]
# Extensions for a typical CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ usr_cert ]
# Extensions for client certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection

[ server_cert ]
# Extensions for server certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

[ crl_ext ]
# Extension for CRLs (`man x509v3_config`).
authorityKeyIdentifier=keyid:always

##3
mkdir client_ca
mkdir server_ca
##从服务器证书颁发机构，准备CA。

##4
cd server_ca
mkdir certs crl newcerts private
chmod 700 private
touch index.txt
echo 1000 > serial

##5
##创建服务器CA键
openssl genrsa -aes256 -out private/ca.key.pem 4096
##您需要指定一个密码来保护密钥文件
chmod 400 private/ca.key.pem

##6
openssl req -config ../openssl.cnf -key private/ca.key.pem -new -x509 -days 7300 -sha256 -extensions v3_ca -out certs/ca.cert.pem

##7
cd ../client_ca
mkdir certs crl csr newcerts private
chmod 700 private
touch index.txt
echo 1000 > serial

##8
openssl genrsa -aes256 -out private/ca.key.pem 4096
chmod 400 private/ca.key.pem

##9
openssl req -config ../openssl.cnf -key private/ca.key.pem -new -x509 -days 7300 -sha256 -extensions v3_ca -out certs/ca.cert.pem

##10
openssl genrsa -aes256 -out private/client.key.pem 2048

##11
openssl req -config ../openssl.cnf -new -sha256 -key private/client.key.pem -out csr/client.csr.pem

##12
openssl ca -config ../openssl.cnf -extensions usr_cert -days 7300 -notext -md sha256 -in csr/client.csr.pem -out certs/client.cert.pem

##13
openssl rsa -in private/client.key.pem -out private/client.cert-and-key.pem
cat certs/client.cert.pem >> private/client.cert-and-key.pem

##Configuring Octavia
##14
cd /root/certs
mkdir /etc/octavia/certs
chmod 700 /etc/octavia/certs
cp server_ca/private/ca.key.pem /etc/octavia/certs/server_ca.key.pem
chmod 700 /etc/octavia/certs/server_ca.key.pem
cp server_ca/certs/ca.cert.pem /etc/octavia/certs/server_ca.cert.pem
cp client_ca/certs/ca.cert.pem /etc/octavia/certs/client_ca.cert.pem
cp client_ca/private/client.cert-and-key.pem /etc/octavia/certs/client.cert-and-key.pem
chmod 700 /etc/octavia/certs/client.cert-and-key.pem
chown -R octavia.octavia /etc/octavia/certs

##7.Create security groups and their rules

openstack security group create lb-mgmt-sec-grp --project admin
openstack security group rule create --protocol udp --dst-port 5555 lb-mgmt-sec-grp
openstack security group rule create --protocol tcp --dst-port 22 lb-mgmt-sec-grp
openstack security group rule create --protocol tcp --dst-port 9443 lb-mgmt-sec-grp
openstack security group create lb-health-mgr-sec-grp --project admin
openstack security group rule create --protocol udp --dst-port 5555 lb-health-mgr-sec-grp
openstack security group rule create --protocol tcp --dst-port 22 lb-health-mgr-sec-grp
openstack security group rule create --protocol tcp --dst-port 9443 lb-health-mgr-sec-grp

##8.Create a key pair for logging in to the amphora instance

#ssh-keygen
openstack keypair create --public-key ~/.ssh/id_rsa.pub mykey

##9.Create dhclient.conf file for dhclient

cd $HOME
sudo mkdir -m755 -p /etc/dhcp/octavia
sudo cp octavia/etc/dhcp/dhclient.conf /etc/dhcp/octavia

##10.Create a network

OCTAVIA_MGMT_SUBNET=172.16.255.0/24
OCTAVIA_MGMT_SUBNET_START=172.16.255.100
OCTAVIA_MGMT_SUBNET_END=172.16.255.254
OCTAVIA_MGMT_PORT_IP=172.16.255.2

openstack network create lb-mgmt-net
openstack subnet create --subnet-range $OCTAVIA_MGMT_SUBNET --allocation-pool 
start=$OCTAVIA_MGMT_SUBNET_START,end=$OCTAVIA_MGMT_SUBNET_END 
--network lb-mgmt-net lb-mgmt-subnet

SUBNET_ID=$(openstack subnet show lb-mgmt-subnet -f value -c id)
PORT_FIXED_IP="--fixed-ip subnet=$SUBNET_ID,ip-address=$OCTAVIA_MGMT_PORT_IP"

MGMT_PORT_ID=$(openstack port create --security-group 
lb-health-mgr-sec-grp --device-owner Octavia:health-mgr 
--host=$(hostname) -c id -f value --network lb-mgmt-net 
$PORT_FIXED_IP octavia-health-manager-listen-port)

MGMT_PORT_MAC=$(openstack port show -c mac_address -f value 
$MGMT_PORT_ID)

MGMT_PORT_IP=$(openstack port show -f yaml -c fixed_ips 
$MGMT_PORT_ID | awk '{FS=",|";gsub(",","");gsub("'''",""); 
for(line = 1; line <= NF; ++line) {if ($line ~ /^- ip_address:/) 
{split($line, word, " ");if (ENVIRON["IPV6_ENABLED"] == "" && word[3] ~ /./) 
print word[3];if (ENVIRON["IPV6_ENABLED"] != "" && word[3] ~ /:/) print word[3];} 
else {split($line, word, " ");for(ind in word) {if (word[ind] ~ /^ip_address=/) 
{split(word[ind], token, "=");if (ENVIRON["IPV6_ENABLED"] == "" && token[2] ~ /./) 
print token[2];if (ENVIRON["IPV6_ENABLED"] != "" && token[2] ~ /:/) print token[2];}}}}}')

sudo ip link add o-hm0 type veth peer name o-bhm0
NETID=$(openstack network show lb-mgmt-net -c id -f value)
BRNAME=brq$(echo $NETID|cut -c 1-11)
sudo brctl addif $BRNAME o-bhm0
sudo ip link set o-bhm0 up

sudo ip link set dev o-hm0 address $MGMT_PORT_MAC
sudo iptables -I INPUT -i o-hm0 -p udp --dport 5555 -j ACCEPT
sudo dhclient -v o-hm0 -cf /etc/dhcp/octavia

systemctl restart network

##11.Edit the /etc/octavia/octavia.conf file

openstack-config --set /etc/octavia/octavia.conf database connection mysql+pymysql://octavia:OCTAVIA_DBPASS@10.199.103.21/octavia
openstack-config --set /etc/octavia/octavia.conf DEFAULT transport_url rabbit://openstack:RABBIT_PASS@10.199.103.13:5672,openstack:RABBIT_PASS@10.199.103.15:5672,openstack:RABBIT_PASS@10.199.103.17:5672
openstack-config --set /etc/octavia/octavia.conf oslo_messaging topic octavia_prov
openstack-config --set /etc/octavia/octavia.conf api_settings bind_host 10.199.103.13
openstack-config --set /etc/octavia/octavia.conf api_settings bind_port 9876
openstack-config --set /etc/octavia/octavia.conf keystone_authtoken www_authenticate_uri http://10.199.103.21:5000
openstack-config --set /etc/octavia/octavia.conf keystone_authtoken auth_url http://10.199.103.21:5000
openstack-config --set /etc/octavia/octavia.conf keystone_authtoken memcached_servers 10.199.103.13:11211,10.199.103.15:11211,10.199.103.17:11211
openstack-config --set /etc/octavia/octavia.conf keystone_authtoken auth_type password
openstack-config --set /etc/octavia/octavia.conf keystone_authtoken project_domain_name default
openstack-config --set /etc/octavia/octavia.conf keystone_authtoken user_domain_name default
openstack-config --set /etc/octavia/octavia.conf keystone_authtoken project_name admin
openstack-config --set /etc/octavia/octavia.conf keystone_authtoken username octavia
openstack-config --set /etc/octavia/octavia.conf keystone_authtoken password octavia123
openstack-config --set /etc/octavia/octavia.conf service_auth auth_url http://10.199.103.21:5000
openstack-config --set /etc/octavia/octavia.conf service_auth memcached_servers 10.199.103.13:11211,10.199.103.15:11211,10.199.103.17:11211
openstack-config --set /etc/octavia/octavia.conf service_auth auth_type password
openstack-config --set /etc/octavia/octavia.conf service_auth project_domain_name default
openstack-config --set /etc/octavia/octavia.conf service_auth user_domain_name default
openstack-config --set /etc/octavia/octavia.conf service_auth project_name admin
openstack-config --set /etc/octavia/octavia.conf service_auth username octavia
openstack-config --set /etc/octavia/octavia.conf service_auth password octavia123
openstack-config --set /etc/octavia/octavia.conf certificates ca_private_key_passphrase 1234
openstack-config --set /etc/octavia/octavia.conf certificates ca_private_key /etc/octavia/certs/server_ca.key.pem
openstack-config --set /etc/octavia/octavia.conf certificates ca_certificate /etc/octavia/certs/server_ca.cert.pem
openstack-config --set /etc/octavia/octavia.conf certificates cert_generator local_cert_generator
openstack-config --set /etc/octavia/octavia.conf haproxy_amphora server_ca /etc/octavia/certs/server_ca.cert.pem
openstack-config --set /etc/octavia/octavia.conf haproxy_amphora client_cert /etc/octavia/certs/client.cert-and-key.pem
openstack-config --set /etc/octavia/octavia.conf haproxy_amphora key_path  /etc/octavia/.ssh/octavia_ssh_key
openstack-config --set /etc/octavia/octavia.conf haproxy_amphora base_path  /var/lib/octavia
openstack-config --set /etc/octavia/octavia.conf haproxy_amphora base_cert_dir  /var/lib/octavia/certs
openstack-config --set /etc/octavia/octavia.conf haproxy_amphora connection_max_retries  5500
openstack-config --set /etc/octavia/octavia.conf haproxy_amphora connection_retry_interval  5
openstack-config --set /etc/octavia/octavia.conf haproxy_amphora rest_request_conn_timeout  10
openstack-config --set /etc/octavia/octavia.conf haproxy_amphora rest_request_read_timeout  120
openstack-config --set /etc/octavia/octavia.conf health-manager bind_port 5555
openstack-config --set /etc/octavia/octavia.conf health_manager bind_ip 172.16.255.2
openstack-config --set /etc/octavia/octavia.conf health_manager controller_ip_port_list 172.16.255.2:5555
amp_image_owner_id=$(openstack project list|grep admin|awk '{print $2}')
amp_secgroup_list=$(openstack security group list|grep lb-mgmt-sec-grp|awk '{print $2}')
amp_boot_network_list=$(openstack network list|grep lb-mgmt-net|awk '{print $2}')
openstack-config --set /etc/octavia/octavia.conf controller_worker amp_image_owner_id $amp_image_owner_id
openstack-config --set /etc/octavia/octavia.conf controller_worker amp_image_tag "amphora"
openstack-config --set /etc/octavia/octavia.conf controller_worker amp_ssh_key_name mykey
openstack-config --set /etc/octavia/octavia.conf controller_worker amp_secgroup_list $amp_secgroup_list
openstack-config --set /etc/octavia/octavia.conf controller_worker amp_boot_network_list $amp_boot_network_list
openstack-config --set /etc/octavia/octavia.conf controller_worker amp_flavor_id 200
openstack-config --set /etc/octavia/octavia.conf controller_worker network_driver allowed_address_pairs_driver
openstack-config --set /etc/octavia/octavia.conf controller_worker compute_driver compute_nova_driver
openstack-config --set /etc/octavia/octavia.conf controller_worker amphora_driver amphora_haproxy_rest_driver
openstack-config --set /etc/octavia/octavia.conf controller_worker client_ca /etc/octavia/certs/client_ca.cert.pem

##12.Populate the octavia database

octavia-db-manage --config-file /etc/octavia/octavia.conf upgrade head
systemctl enable octavia-api octavia-health-manager octavia-housekeeping octavia-worker
systemctl restart octavia-api octavia-health-manager octavia-housekeeping octavia-worker
systemctl status octavia-api octavia-health-manager octavia-housekeeping octavia-worker

##13.在3台控制节点上添加 Load Balancers 页面

git clone https://github.com/openstack/octavia-dashboard.git -b stable/train
cd /root/octavia-dashboard
python setup.py install
cd /root/octavia-dashboard/octavia_dashboard/enabled
cp _1482_project_load_balancer_panel.py /usr/share/openstack-dashboard/openstack_dashboard/enabled/
cd /usr/share/openstack-dashboard
echo yes|./manage.py collectstatic
./manage.py compress
systemctl restart httpd