
OpenStack组件安装配置测试之:Octavia

运维扫盲人 2021-06-10

overview

neutron-lbaas 从OpenStack Queens版本开始被抛弃,而被Octavia项目取代。

    https://wiki.openstack.org/wiki/Neutron/LBaaS/Deprecation#When_will_the_neutron-lbaas_deprecation_cycle_end.3F
    https://docs.openstack.org/mitaka/networking-guide/config-lbaas.html
    https://docs.openstack.org/octavia/latest/install/install.html

    第一部分 openstack-octavia配置安装

    一、创建database
      CREATE DATABASE octavia;
      GRANT ALL PRIVILEGES ON octavia.* TO 'octavia'@'localhost' IDENTIFIED BY 'OCTAVIA_DBPASS';
      GRANT ALL PRIVILEGES ON octavia.* TO 'octavia'@'%' IDENTIFIED BY 'OCTAVIA_DBPASS';
      二、创建用户并授权admin角色
        root@controller-01:~# . admin
        root@controller-01:~# openstack user create --domain default --password-prompt octavia
        root@controller-01:~# openstack role add --project service --user octavia admin
        三、创建octavia服务
          openstack service create --name octavia --description "OpenStack Octavia" load-balancer
          四、创建octavia endpoint API
            openstack endpoint create --region RegionOne load-balancer public http://controller:9876
            openstack endpoint create --region RegionOne load-balancer internal http://controller:9876
            openstack endpoint create --region RegionOne load-balancer admin http://controller:9876
              五、添加环境变量(该文件中写入的是明文密码,应限制为仅运维账户可读)
              cat << EOF >> $HOME/octavia-openrc
              export OS_PROJECT_DOMAIN_NAME=Default
              export OS_USER_DOMAIN_NAME=Default
              export OS_PROJECT_NAME=service
              export OS_USERNAME=octavia
              export OS_PASSWORD=OCTAVIA
              export OS_AUTH_URL=http://controller:5000
              export OS_IDENTITY_API_VERSION=3
              export OS_IMAGE_API_VERSION=2
              export OS_VOLUME_API_VERSION=3
              EOF
              六、创建 amphora image
              amphora 是octavia服务的核心组件。
              6.1 安装必要程序包(requirement)
                root@ubuntu:~# apt-get install python3-pip
                root@ubuntu:~# apt install python-virtualenv

                6.2 安装disk_builder环境

                  root@ubuntu:~# virtualenv octavia_disk_image_create
                  root@ubuntu:~# source octavia_disk_image_create/bin/activate

                  6.3 安装必要的工具

                    root@ubuntu:~# apt install qemu-utils git kpartx debootstrap
                    #或者
                    root@ubuntu:~# git clone https://github.com/openstack/python-octaviaclient.git -b stable/train
                    root@ubuntu:~# cd python-octaviaclient
                    root@ubuntu:~# pip install -r requirements.txt -e .

                    6.4 创建镜像

                    6.4.1 搭建创建环境

                      root@ubuntu:~# lsb_release -a
                      No LSB modules are available.
                      Distributor ID: Ubuntu
                      Description: Ubuntu 18.04.5 LTS
                      Release: 18.04
                      Codename: bionic


                        root@ubuntu:~# python3 -V
                        Python 3.6.9


                        root@ubuntu:~# pip3 -V
                        pip 9.0.1 from /usr/lib/python3/dist-packages (python 3.6)


                        (octavia_disk_image_create) root@ubuntu:~# pip -V
                        pip 20.3.4 from /root/octavia_disk_image_create/local/lib/python2.7/site-packages/pip (python 2.7)
                          root@ubuntu:~# cat /etc/apt/sources.list
                          deb http://mirrors.aliyun.com/ubuntu/ bionic main restricted universe multiverse
                          deb-src http://mirrors.aliyun.com/ubuntu/ bionic main restricted universe multiverse


                          deb http://mirrors.aliyun.com/ubuntu/ bionic-security main restricted universe multiverse
                          deb-src http://mirrors.aliyun.com/ubuntu/ bionic-security main restricted universe multiverse


                          deb http://mirrors.aliyun.com/ubuntu/ bionic-updates main restricted universe multiverse
                          deb-src http://mirrors.aliyun.com/ubuntu/ bionic-updates main restricted universe multiverse


                          deb http://mirrors.aliyun.com/ubuntu/ bionic-proposed main restricted universe multiverse
                          deb-src http://mirrors.aliyun.com/ubuntu/ bionic-proposed main restricted universe multiverse


                          deb http://mirrors.aliyun.com/ubuntu/ bionic-backports main restricted universe multiverse
                          deb-src http://mirrors.aliyun.com/ubuntu/ bionic-backports main restricted universe multiverse

                          6.4.2 获取源码

                            (octavia_disk_image_create) root@ubuntu:~# cd
                            (octavia_disk_image_create) root@ubuntu:~# git clone https://github.com/openstack/octavia.git
                            (octavia_disk_image_create) root@ubuntu:~# cd octavia/diskimage-create/
                            (octavia_disk_image_create) root@ubuntu:~# pip install -r requirements.txt -i https://mirrors.aliyun.com/pypi/simple/
                            6.4.3 替换仓库地址
                              (octavia_disk_image_create) root@ubuntu:~/octavia/diskimage-create# cat /root/octavia/elements/amphora-agent/source-repository-amphora-agent
                              # This is used for source-based builds
                              #amphora-agent git /opt/amphora-agent https://opendev.org/openstack/octavia stable/train
                              amphora-agent git /opt/amphora-agent https://github.com/wangguan1998-long/octavia stable/train
                              #upper-constraints file opt/upper-constraints.txt https://opendev.org/openstack/requirements/raw/branch/stable/train/upper-constraints.txt
                              upper-constraints file /opt/upper-constraints.txt http://172.17.61.200/config/upper-constraints.txt

                              Tips:在amphora-agent镜像生成过程中会去https://opendev.org站点获取依赖程序包,由于网络原因会导致超时;解决办法是:可根据elements文件的内容将需要的程序包提前下载,再上传至自己的github仓库。注意这样一来,镜像中运行的 amphora-agent 代码就来自该 fork 仓库,而 upper-constraints 又是通过明文 HTTP 从内网地址获取的,构建前应核对 fork 分支与上游 stable/train 的提交一致,并确认约束文件内容与上游相同。

                              6.4.4 生成镜像

                                (octavia_disk_image_create) root@ubuntu:~# ./diskimage-create.sh -t qcow2 -o amphora-x64-haproxy -r 1234qwer -s 4  -g stable/train
                                ...
                                2021-02-09 02:44:36.763 | Converting image using qemu-img convert
                                2021-02-09 02:45:25.086 | Image file /root/octavia/diskimage-create/amphora-x64-haproxy-1.qcow2 created...
                                2021-02-09 02:45:25.376 | Build completed successfully
                                Successfully built the amphora using the stable/train amphora-agent.
                                (octavia_disk_image_create) root@ubuntu:~/octavia/diskimage-create# ll amphora-x64-haproxy.qcow2
                                -rw-r--r-- 1 root root 353865728 Feb 9 00:50 amphora-x64-haproxy.qcow2
                                6.4.5 强制升级pip后报错—解决方案
                                  wget https://bootstrap.pypa.io/2.7/get-pip.py
                                  python get-pip.py
                                  Tips:本步骤在配置过程未执行,只是作为拓展。
                                  七、上传amphora image
                                    root@controller-01:~# scp image—builder-server:/root/octavia/diskimage-create/amphora-x64-haproxy-1.qcow2 /root
                                    root@controller-01:~# openstack image create --disk-format qcow2 --container-format bare   --private --tag amphora --file amphora-x64-haproxy.qcow2 amphora-x64-haproxy
                                    八、创建flavor
                                      root@controller-01:~# openstack flavor create --id 200 --vcpus 1 --ram 1024   --disk 2 "amphora"
                                      九、安装必要服务
                                        root@controller-01:~# yum -y install openstack-octavia-api openstack-octavia-health-manager openstack-octavia-housekeeping openstack-octavia-worker python-octavia python-octaviaclient
                                        十、创建证书
                                          https://docs.openstack.org/octavia/latest/admin/guides/certificates.html
                                          注意:使用 GitHub 脚本创建(此方式在本次配置中失败,以下命令仅作记录;后续实际采用 10.1 起的手工方式)
                                            git clone https://opendev.org/openstack/octavia.git
                                            cd octavia/bin/
                                            source create_dual_intermediate_CA.sh
                                            mkdir -p /etc/octavia/certs/private
                                            chmod 755 /etc/octavia -R
                                            cp -p etc/octavia/certs/server_ca.cert.pem /etc/octavia/certs
                                            cp -p etc/octavia/certs/server_ca-chain.cert.pem /etc/octavia/certs
                                            cp -p etc/octavia/certs/server_ca.key.pem /etc/octavia/certs/private
                                            cp -p etc/octavia/certs/client_ca.cert.pem /etc/octavia/certs
                                            cp -p etc/octavia/certs/client.cert-and-key.pem /etc/octavia/certs/private
                                            10.1 创建证书目录
                                              mkdir certs
                                              chmod 700 certs
                                              cd certs

                                              10.2 创建OpenSSL配置文件

                                                root@controller-01:~# cat certs/openssl.cnf 
                                                [ ca ]
                                                # `man ca`
                                                default_ca = CA_default


                                                [ CA_default ]
                                                # Directory and file locations.
                                                dir = ./
                                                certs = $dir/certs
                                                crl_dir = $dir/crl
                                                new_certs_dir = $dir/newcerts
                                                database = $dir/index.txt
                                                serial = $dir/serial
                                                RANDFILE = $dir/private/.rand


                                                # The root key and root certificate.
                                                private_key = $dir/private/ca.key.pem
                                                certificate = $dir/certs/ca.cert.pem


                                                # For certificate revocation lists.
                                                crlnumber = $dir/crlnumber
                                                crl = $dir/crl/ca.crl.pem
                                                crl_extensions = crl_ext
                                                default_crl_days = 30


                                                # SHA-1 is deprecated, so use SHA-2 instead.
                                                default_md = sha256


                                                name_opt = ca_default
                                                cert_opt = ca_default
                                                default_days = 3650
                                                preserve = no
                                                policy = policy_strict


                                                [ policy_strict ]
                                                # The root CA should only sign intermediate certificates that match.
                                                # See the POLICY FORMAT section of `man ca`.
                                                countryName = match
                                                stateOrProvinceName = match
                                                organizationName = match
                                                organizationalUnitName = optional
                                                commonName = supplied
                                                emailAddress = optional


                                                [ req ]
                                                # Options for the `req` tool (`man req`).
                                                default_bits = 2048
                                                distinguished_name = req_distinguished_name
                                                string_mask = utf8only


                                                # SHA-1 is deprecated, so use SHA-2 instead.
                                                default_md = sha256


                                                # Extension to add when the -x509 option is used.
                                                x509_extensions = v3_ca


                                                [ req_distinguished_name ]
                                                # See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
                                                countryName = Country Name (2 letter code)
                                                stateOrProvinceName = State or Province Name
                                                localityName = Locality Name
                                                0.organizationName = Organization Name
                                                organizationalUnitName = Organizational Unit Name
                                                commonName = Common Name
                                                emailAddress = Email Address


                                                # Optionally, specify some defaults.
                                                countryName_default = US
                                                stateOrProvinceName_default = Oregon
                                                localityName_default =
                                                0.organizationName_default = OpenStack
                                                organizationalUnitName_default = Octavia
                                                emailAddress_default =
                                                commonName_default = example.org


                                                [ v3_ca ]
                                                # Extensions for a typical CA (`man x509v3_config`).
                                                subjectKeyIdentifier = hash
                                                authorityKeyIdentifier = keyid:always,issuer
                                                basicConstraints = critical, CA:true
                                                keyUsage = critical, digitalSignature, cRLSign, keyCertSign


                                                [ usr_cert ]
                                                # Extensions for client certificates (`man x509v3_config`).
                                                basicConstraints = CA:FALSE
                                                nsCertType = client, email
                                                nsComment = "OpenSSL Generated Client Certificate"
                                                subjectKeyIdentifier = hash
                                                authorityKeyIdentifier = keyid,issuer
                                                keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
                                                extendedKeyUsage = clientAuth, emailProtection


                                                [ server_cert ]
                                                # Extensions for server certificates (`man x509v3_config`).
                                                basicConstraints = CA:FALSE
                                                nsCertType = server
                                                nsComment = "OpenSSL Generated Server Certificate"
                                                subjectKeyIdentifier = hash
                                                authorityKeyIdentifier = keyid,issuer:always
                                                keyUsage = critical, digitalSignature, keyEncipherment
                                                extendedKeyUsage = serverAuth


                                                [ crl_ext ]
                                                # Extension for CRLs (`man x509v3_config`).
                                                authorityKeyIdentifier=keyid:always

                                                10.3 为server_CA与client_CA自建CA机构创建目录

                                                  mkdir client_ca
                                                  mkdir server_ca

                                                  10.4 创建自建server_CA机构

                                                  10.4.1 为server_CA私钥准备目录与序列号文件

                                                    cd server_ca
                                                    mkdir certs crl newcerts private
                                                    chmod 700 private
                                                    touch index.txt
                                                    echo 1000 > serial

                                                    10.4.2 创建server_CA私钥

                                                      openssl genrsa -aes256 -out private/ca.key.pem 4096
                                                        Enter pass phrase for private/ca.key.pem:serverca
                                                        Verifying - Enter pass phrase for private/ca.key.pem:serverca
                                                          chmod 400 private/ca.key.pem

                                                          10.4.3 创建server_CA

                                                            openssl req -config ../openssl.cnf -key private/ca.key.pem -new -x509 -days 7300 -sha256 -extensions v3_ca -out certs/ca.cert.pem

                                                              Enter pass phrase for private/ca.key.pem:serverca


                                                              ---
                                                              Country Name (2 letter code) [US]:sa
                                                              State or Province Name [Oregon]:sa
                                                              Locality Name []:sa
                                                              Organization Name [OpenStack]:sa
                                                              Organizational Unit Name [Octavia]:sa
                                                              Common Name [example.org]:sa
                                                              Email Address []:sa

                                                              10.5 创建自建client_CA机构

                                                              10.5.1 为client_CA私钥准备目录与序列号文件

                                                                cd ../client_ca
                                                                mkdir certs crl csr newcerts private
                                                                chmod 700 private
                                                                touch index.txt
                                                                echo 1000 > serial

                                                                10.5.2 创建client_CA私钥

                                                                  openssl genrsa -aes256 -out private/ca.key.pem 4096

                                                                    Enter pass phrase for private/ca.key.pem:clientca
                                                                    Verifying - Enter pass phrase for private/ca.key.pem:clientca
                                                                      chmod 400 private/ca.key.pem

                                                                      10.5.3 创建client_CA

                                                                        openssl req -config ../openssl.cnf -key private/ca.key.pem -new -x509 -days 7300 -sha256 -extensions v3_ca -out certs/ca.cert.pem

                                                                          Enter pass phrase for private/ca.key.pem:clientca


                                                                          -----
                                                                          Country Name (2 letter code) [US]:ca
                                                                          State or Province Name [Oregon]:ca
                                                                          Locality Name []:ca
                                                                          Organization Name [OpenStack]:ca
                                                                          Organizational Unit Name [Octavia]:ca
                                                                          Common Name [example.org]:ca
                                                                          Email Address []:ca

                                                                          10.6 创建客户端私钥(controller请求证书使用)

                                                                            openssl genrsa -aes256 -out private/client.key.pem 2048
                                                                            Generating RSA private key, 2048 bit long modulus (2 primes)
                                                                            ...............................+++++
                                                                            ........................................................................................+++++
                                                                            e is 65537 (0x010001)
                                                                            Enter pass phrase for private/client.key.pem:client
                                                                            Verifying - Enter pass phrase for private/client.key.pem:client
                                                                            10.7 请求签发证书
                                                                              openssl req -config ../openssl.cnf -new -sha256 -key private/client.key.pem -out csr/client.csr.pem
                                                                                ent.key.pem -out csr/client.csr.pem:client
                                                                                Enter pass phrase for private/client.key.pem:client
                                                                                -----
                                                                                Country Name (2 letter code) [US]:ca
                                                                                State or Province Name [Oregon]:ca
                                                                                Locality Name []:ca
                                                                                Organization Name [OpenStack]:ca
                                                                                Organizational Unit Name [Octavia]:ca
                                                                                Common Name [example.org]:ca
                                                                                Email Address []:ca
                                                                                10.8 使用client_CA签发证书
                                                                                   openssl ca -config ../openssl.cnf -extensions usr_cert -days 7300 -notext -md sha256 -in csr/client.csr.pem -out certs/client.cert.pem
                                                                                    Enter pass phrase for .//private/ca.key.pem:clientca
                                                                                    Signature ok
                                                                                    Certificate Details:
                                                                                    Serial Number: 4096 (0x1000)
                                                                                    Validity
                                                                                    Not Before: Feb 23 04:13:10 2021 GMT
                                                                                    Not After : Feb 18 04:13:10 2041 GMT
                                                                                    Subject:
                                                                                    countryName = ca
                                                                                    stateOrProvinceName = ca
                                                                                    organizationName = ca
                                                                                    organizationalUnitName = ca
                                                                                    commonName = ca
                                                                                    emailAddress = ca
                                                                                    X509v3 extensions:
                                                                                    X509v3 Basic Constraints:
                                                                                    CA:FALSE
                                                                                    Netscape Cert Type:
                                                                                    SSL Client, S/MIME
                                                                                    Netscape Comment:
                                                                                    OpenSSL Generated Client Certificate
                                                                                    X509v3 Subject Key Identifier:
                                                                                    18:73:79:C5:20:30:7D:EB:F1:EF:8E:4B:62:F0:BB:24:2E:C0:E9:C2
                                                                                    X509v3 Authority Key Identifier:
                                                                                    keyid:5F:DD:60:96:60:6F:18:4F:FA:72:73:16:CB:4D:3F:83:57:19:58:B4


                                                                                    X509v3 Key Usage: critical
                                                                                    Digital Signature, Non Repudiation, Key Encipherment
                                                                                    X509v3 Extended Key Usage:
                                                                                    TLS Web Client Authentication, E-mail Protection
                                                                                    Certificate is to be certified until Feb 18 04:13:10 2041 GMT (7300 days)
                                                                                    Sign the certificate? [y/n]:y




                                                                                    1 out of 1 certificate requests certified, commit? [y/n]y
                                                                                    Write out database with 1 new entries
                                                                                    Data Base Updated
                                                                                    10.9 创建一个串联包含客户端私钥和证书的文件(下面的 openssl rsa 命令只是去掉私钥口令并以明文写出私钥;要得到“私钥+证书”的串联文件,还需执行 `cat certs/client.cert.pem >> private/client.cert-and-key.pem`。该文件不再受口令保护,权限须严格限制)
                                                                                      openssl rsa -in private/client.key.pem -out private/client.cert-and-key.pem
                                                                                        Enter pass phrase for private/client.key.pem:client
                                                                                        writing RSA key
                                                                                        10.10 将证书文件放到指定路径
                                                                                          cd ..
                                                                                          mkdir /etc/octavia/certs
                                                                                          chmod 700 /etc/octavia/certs
                                                                                          cp server_ca/private/ca.key.pem /etc/octavia/certs/server_ca.key.pem
                                                                                          chmod 700 /etc/octavia/certs/server_ca.key.pem
                                                                                          cp server_ca/certs/ca.cert.pem /etc/octavia/certs/server_ca.cert.pem
                                                                                          cp client_ca/certs/ca.cert.pem /etc/octavia/certs/client_ca.cert.pem
                                                                                          cp client_ca/private/client.cert-and-key.pem /etc/octavia/certs/client.cert-and-key.pem
                                                                                          chmod 700 /etc/octavia/certs/client.cert-and-key.pem
                                                                                          chown -R octavia.octavia /etc/octavia/certs
                                                                                          十一、创建security group(以下规则未用 --remote-ip 限制源地址,22 与 9443 端口对任意来源开放;生产环境应将其限定为 lb-mgmt-net 网段)
                                                                                            openstack security group create lb-mgmt-sec-grp
                                                                                            openstack security group rule create --protocol icmp lb-mgmt-sec-grp
                                                                                            openstack security group rule create --protocol tcp --dst-port 22 lb-mgmt-sec-grp
                                                                                            openstack security group rule create --protocol tcp --dst-port 9443 lb-mgmt-sec-grp
                                                                                            openstack security group create lb-health-mgr-sec-grp
                                                                                            openstack security group rule create --protocol udp --dst-port 5555 lb-health-mgr-sec-grp
                                                                                            十二、创建key pair
                                                                                              ssh-keygen
                                                                                              openstack keypair create --public-key ~/.ssh/id_rsa.pub mykey
                                                                                              十三、创建dhclient.conf
                                                                                                cd $HOME
                                                                                                mkdir -m755 -p /etc/dhcp/octavia
                                                                                                cp octavia/etc/dhcp/dhclient.conf /etc/dhcp/octavia

                                                                                                注意:此处配置文件供 controller 节点上的 dhclient 进程使用(见下文 `dhclient -v o-hm0 -cf ...`),用于通过 lb-mgmt-net 的 DHCP 为 o-hm0 接口获取网络地址;

                                                                                                十四、创建网络
                                                                                                14.1 创建lb-mgmt-net
                                                                                                  $ OCTAVIA_MGMT_SUBNET=172.16.0.0/12
                                                                                                  $ OCTAVIA_MGMT_SUBNET_START=172.16.0.100
                                                                                                  $ OCTAVIA_MGMT_SUBNET_END=172.16.31.254
                                                                                                  $ OCTAVIA_MGMT_PORT_IP=172.16.0.2


                                                                                                  $ openstack network create lb-mgmt-net
                                                                                                  $ openstack subnet create --subnet-range $OCTAVIA_MGMT_SUBNET --allocation-pool \
                                                                                                  start=$OCTAVIA_MGMT_SUBNET_START,end=$OCTAVIA_MGMT_SUBNET_END \
                                                                                                  --network lb-mgmt-net lb-mgmt-subnet


                                                                                                  $ SUBNET_ID=$(openstack subnet show lb-mgmt-subnet -f value -c id)
                                                                                                  $ PORT_FIXED_IP="--fixed-ip subnet=$SUBNET_ID,ip-address=$OCTAVIA_MGMT_PORT_IP"


                                                                                                  $ MGMT_PORT_ID=$(openstack port create --security-group \
                                                                                                  lb-health-mgr-sec-grp --device-owner Octavia:health-mgr \
                                                                                                  --host=$(hostname) -c id -f value --network lb-mgmt-net \
                                                                                                  $PORT_FIXED_IP octavia-health-manager-listen-port)


                                                                                                  $ MGMT_PORT_MAC=$(openstack port show -c mac_address -f value \
                                                                                                  $MGMT_PORT_ID)


                                                                                                  $ MGMT_PORT_IP=$(openstack port show -f yaml -c fixed_ips \
                                                                                                  $MGMT_PORT_ID | awk '{FS=",|";gsub(",","");gsub("'\''",""); \
                                                                                                  for(line = 1; line <= NF; ++line) {if ($line ~ ^- ip_address:/) \
                                                                                                  {split($line, word, " ");if (ENVIRON["IPV6_ENABLED"] == "" && word[3] ~ \./) \
                                                                                                  print word[3];if (ENVIRON["IPV6_ENABLED"] != "" && word[3] ~ :/) print word[3];} \
                                                                                                  else {split($line, word, " ");for(ind in word) {if (word[ind] ~ ^ip_address=/) \
                                                                                                  {split(word[ind], token, "=");if (ENVIRON["IPV6_ENABLED"] == "" && token[2] ~ \./) \
                                                                                                  print token[2];if (ENVIRON["IPV6_ENABLED"] != "" && token[2] ~ :/) print token[2];}}}}}')


                                                                                                  $ sudo ip link add o-hm0 type veth peer name o-bhm0
                                                                                                  $ NETID=$(openstack network show lb-mgmt-net -c id -f value)
                                                                                                  $ BRNAME=brq$(echo $NETID|cut -c 1-11)
                                                                                                  $ sudo brctl addif $BRNAME o-bhm0
                                                                                                  $ sudo ip link set o-bhm0 up


                                                                                                  $ sudo ip link set dev o-hm0 address $MGMT_PORT_MAC
                                                                                                  $ sudo iptables -I INPUT -i o-hm0 -p udp --dport 5555 -j ACCEPT
                                                                                                  $ sudo dhclient -v o-hm0 -cf etc/dhcp/octavia
                                                                                                    [root@openstack-controller ~]# echo -e "$BRNAME\n""$MGMT_PORT_MAC"
                                                                                                    brq70844e37-07
                                                                                                    fa:16:3e:73:07:65
                                                                                                    14.2 创建lb-vip-net(可选)

                                                                                                    Tips:理论上lb-vip-net可以与tenant-net、lb-mgmt-net是同一个网络,但是生产中为了便于做安全控制,建议将lb-vip-net与tenant-net、lb-mgmt-net分离;

                                                                                                      openstack network create lb-vip-net
                                                                                                      openstack subnet create --subnet-range 10.10.10.0/24 --allocation-pool  start=10.10.10.2,end=10.10.10.253  --network lb-vip-net lb-vip-subnet
                                                                                                      openstack  network  set --share lb-vip-net


                                                                                                      Tips:为了给 vip 绑定 floating-ip,需要先将 lb-vip-subnet 添加到 provider 路由器上,否则绑定浮动 IP 会失败;

                                                                                                        openstack router add subnet router lb-vip-subnet
                                                                                                        十五、配置服务
                                                                                                        注意:第十五节的操作目的是让 controller 节点在重启后自动恢复到 lb-mgmt-net 的网络连通性;
                                                                                                        15.1 etc/systemd/network/o-hm0.network
                                                                                                          mkdir etc/systemd/network/ -pv
                                                                                                          cat >>/etc/systemd/network/o-hm0.network<<EOF
                                                                                                          [Match]
                                                                                                          Name=o-hm0


                                                                                                          [Network]
                                                                                                          DHCP=yes
                                                                                                          EOF
                                                                                                          15.2 etc/systemd/system/octavia-interface.service
                                                                                                            cat >>/etc/systemd/system/octavia-interface.service<<EOF
                                                                                                            [Unit]
                                                                                                            Description=Octavia Interface Creator
                                                                                                            Requires=neutron-linuxbridge-agent.service
                                                                                                            After=neutron-linuxbridge-agent.service


                                                                                                            [Service]
                                                                                                            Type=oneshot
                                                                                                            RemainAfterExit=true
                                                                                                            ExecStart=/opt/octavia-interface.sh start
                                                                                                            ExecStop=/opt/octavia-interface.sh stop


                                                                                                            [Install]
                                                                                                            WantedBy=multi-user.target
                                                                                                            EOF
                                                                                                              root@controller-01:~# systemctl enable octavia-interface.service
                                                                                                              root@controller-01:~# systemctl status octavia-interface.service
                                                                                                              ● octavia-interface.service - Octavia Interface Creator
                                                                                                              Loaded: loaded (/etc/systemd/system/octavia-interface.service; enabled; vendor preset: enabled)
                                                                                                              Active: active (exited) since Wed 2021-02-24 14:23:59 UTC; 11min ago
                                                                                                              Process: 8835 ExecStart=/opt/octavia-interface.sh start (code=exited, status=0/SUCCESS)
                                                                                                              Main PID: 8835 (code=exited, status=0/SUCCESS)
                                                                                                              15.3 opt/octavia-interface.sh
                                                                                                                root@controller-01:~# cat opt/octavia-interface.sh 
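                                                                                                                #!/bin/bash
                                                                                                                #
                                                                                                                # Bring the Octavia health-manager interface on the controller up or down.
                                                                                                                # "start" creates the veth pair o-hm0/o-bhm0, attaches o-bhm0 to the Linux
                                                                                                                # bridge of lb-mgmt-net, gives o-hm0 the MAC of the Neutron port created for
                                                                                                                # the health manager, and opens the heartbeat port on that interface only.
                                                                                                                # "stop" reverses this; any other argument prints the bridge/interface state.
                                                                                                                #
                                                                                                                # Usage:       octavia-interface.sh start|stop
                                                                                                                # Environment: MAC, BRNAME override the deployment defaults recorded below
                                                                                                                #              (values taken from "openstack port show" and brq<net-id>).
                                                                                                                # Returns:     non-zero on the first failing command (set -e).

                                                                                                                set -ex

                                                                                                                # Deployment-specific values captured during setup; override via environment.
                                                                                                                MAC=${MAC:-fa:16:3e:73:07:65}
                                                                                                                BRNAME=${BRNAME:-brq70844e37-07}
                                                                                                                IFACE=o-hm0
                                                                                                                PEER=o-bhm0
                                                                                                                # Accept only the amphora health heartbeat (UDP 5555) and only on o-hm0,
                                                                                                                # so the rule does not widen exposure of the controller's other interfaces.
                                                                                                                HM_RULE=(INPUT -i "$IFACE" -p udp --dport 5555 -j ACCEPT)

                                                                                                                case "$1" in
                                                                                                                  start)
                                                                                                                    # Re-running "start" must be safe: create/attach only when not done yet,
                                                                                                                    # otherwise set -e aborts on "File exists" / "already a member".
                                                                                                                    if ! ip link show "$IFACE" >/dev/null 2>&1; then
                                                                                                                      ip link add "$IFACE" type veth peer name "$PEER"
                                                                                                                    fi
                                                                                                                    if ! brctl show "$BRNAME" | grep -qw -- "$PEER"; then
                                                                                                                      brctl addif "$BRNAME" "$PEER"
                                                                                                                    fi
                                                                                                                    ip link set "$PEER" up
                                                                                                                    ip link set dev "$IFACE" address "$MAC"
                                                                                                                    ip link set "$IFACE" up
                                                                                                                    # Insert the accept rule once; an unconditional -I stacked a duplicate on
                                                                                                                    # every restart of the unit.
                                                                                                                    iptables -C "${HM_RULE[@]}" 2>/dev/null || iptables -I "${HM_RULE[@]}"
                                                                                                                    ;;
                                                                                                                  stop)
                                                                                                                    # Remove every copy of the accept rule (older runs may have left several),
                                                                                                                    # then delete the pair; deleting o-hm0 removes its peer o-bhm0 as well.
                                                                                                                    while iptables -D "${HM_RULE[@]}" 2>/dev/null; do :; done
                                                                                                                    ip link del "$IFACE"
                                                                                                                    ;;
                                                                                                                  *)
                                                                                                                    brctl show "$BRNAME"
                                                                                                                    ip a s dev "$IFACE"
                                                                                                                    ;;
                                                                                                                esac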
                                                                                                                  root@controller-01:~# chmod a+x opt/octavia-interface.sh
                                                                                                                  15.4 etc/octavia/octavia.conf
                                                                                                                    root@controller-01:~# cat  etc/octavia/octavia.conf | egrep -v "^#|^$"
                                                                                                                    [DEFAULT]
                                                                                                                    transport_url = rabbit://openstack:RABBIT_PASS@controller
                                                                                                                    [amphora_agent]
                                                                                                                    [anchor]
                                                                                                                    [api_settings]
                                                                                                                    bind_host = 0.0.0.0
                                                                                                                    bind_port = 9876
                                                                                                                    [audit]
                                                                                                                    [certificates]
                                                                                                                    cert_generator = local_cert_generator
                                                                                                                    ca_certificate = etc/octavia/certs/server_ca.cert.pem
                                                                                                                    ca_private_key = etc/octavia/certs/server_ca.key.pem
                                                                                                                    ca_private_key_passphrase = serverca
                                                                                                                    [controller_worker]
                                                                                                                    amp_image_owner_id = ded04e0f8ea5491582278519ce380edc
                                                                                                                    amp_image_id = 898604dc-352f-4137-8da4-e448b04846b8
                                                                                                                    amp_ssh_key_name = mykey
                                                                                                                    amp_secgroup_list = dd11e4dd-7ef3-4d36-bc84-634a9f5966cf
                                                                                                                    amp_boot_network_list = 70844e37-07c6-436b-bc83-4e38e2678e8f
                                                                                                                    amp_flavor_id = 200
                                                                                                                    network_driver = allowed_address_pairs_driver
                                                                                                                    compute_driver = compute_nova_driver
                                                                                                                    amphora_driver = amphora_haproxy_rest_driver
                                                                                                                    client_ca = etc/octavia/certs/client_ca.cert.pem
                                                                                                                    loadbalancer_topology = ACTIVE_STANDBY
                                                                                                                    [database]
                                                                                                                    connection = mysql+pymysql://octavia:OCTAVIA_DBPASS@controller/octavia
                                                                                                                    [driver_agent]
                                                                                                                    [glance]
                                                                                                                    [haproxy_amphora]
                                                                                                                    client_cert = etc/octavia/certs/client.cert-and-key.pem
                                                                                                                    server_ca = etc/octavia/certs/server_ca.cert.pem
                                                                                                                    [health_manager]
                                                                                                                    bind_port = 5555
                                                                                                                    bind_ip = 172.16.0.2
                                                                                                                    controller_ip_port_list = 172.16.0.2:5555
                                                                                                                    [house_keeping]
                                                                                                                    [keepalived_vrrp]
                                                                                                                    [keystone_authtoken]
                                                                                                                    www_authenticate_uri = http://controller:5000
                                                                                                                    auth_url = http://controller:5000
                                                                                                                    memcached_servers = controller:11211
                                                                                                                    auth_type = password
                                                                                                                    project_domain_name = Default
                                                                                                                    user_domain_name = Default
                                                                                                                    project_name = service
                                                                                                                    username = octavia
                                                                                                                    password = OCTAVIA
                                                                                                                    [networking]
                                                                                                                    [neutron]
                                                                                                                    [nova]
                                                                                                                    [oslo_messaging]
                                                                                                                    topic = octavia_prov
                                                                                                                    [oslo_messaging_amqp]
                                                                                                                    [oslo_messaging_kafka]
                                                                                                                    [oslo_messaging_notifications]
                                                                                                                    [oslo_messaging_rabbit]
                                                                                                                    [quotas]
                                                                                                                    [service_auth]
                                                                                                                    auth_url = http://controller:5000
                                                                                                                    memcached_servers = controller:11211
                                                                                                                    auth_type = password
                                                                                                                    project_domain_name = Default
                                                                                                                    user_domain_name = Default
                                                                                                                    project_name = service
                                                                                                                    username = octavia
                                                                                                                    password = OCTAVIA
                                                                                                                    [task_flow]
                                                                                                                      amp_image_owner_id=$(openstack project list|grep admin|awk '{print $2}')
                                                                                                                      amp_secgroup_list=$(openstack security group list|grep lb-mgmt-sec-grp|awk '{print $2}')
                                                                                                                      amp_boot_network_list=$(openstack network list|grep lb-mgmt-net|awk '{print $2}')
                                                                                                                      十六、同步数据库
                                                                                                                        octavia-db-manage --config-file etc/octavia/octavia.conf upgrade head
                                                                                                                        十七、启动服务
                                                                                                                          root@controller-01:~# systemctl restart octavia-api octavia-health-manager octavia-housekeeping octavia-worker
                                                                                                                          root@controller-01:~# systemctl enable octavia-api octavia-health-manager octavia-housekeeping octavia-worker
                                                                                                                          十八、dash-board
                                                                                                                            git clone https://github.com/openstack/octavia-dashboard.git -b stable/train
                                                                                                                            cd /root/octavia-dashboard
                                                                                                                            python3 setup.py install
                                                                                                                            cd /root/octavia-dashboard/octavia_dashboard/enabled
                                                                                                                            cp _1482_project_load_balancer_panel.py usr/share/openstack-dashboard/openstack_dashboard/enabled/
                                                                                                                            cd /usr/share/openstack-dashboard
                                                                                                                            echo yes| python3 manage.py collectstatic
                                                                                                                            python3 manage.py compress
                                                                                                                            systemctl restart apache2

                                                                                                                            十九、排错篇
                                                                                                                            19.1 python版本
                                                                                                                            ubuntu18.04默认使用python3,安装dash-board官方提供的方法使用python2,需要改为python3才能避免报错;
                                                                                                                            19.2 证书签署失败
                                                                                                                            19.2.1
                                                                                                                            生成自签证书时,需要区分客户端和服务端组织结构和私钥保护密码;
                                                                                                                            19.2.2
                                                                                                                            官方提供的证书生成脚本生成的证书不可用;
                                                                                                                            19.3 octavia.conf配置文件
                                                                                                                            19.3.1 
                                                                                                                            配置文件使用amphora-x64-haproxy镜像的tag会报错无法找到镜像,需要修改为image_id
                                                                                                                            19.3.2 
                                                                                                                            配置文件需要根据官方提供的证书生成篇来配置[certificates]部分;
                                                                                                                            19.3.3 
                                                                                                                            [certificates]部分中的server_certs_key_passphrase不能设置密码,否则octavia服务会异常;
                                                                                                                            19.3.4 
                                                                                                                            loadbalancer创建过程中,会一直探测loadbalancer instance的9443端口,由于虚拟机启动较慢,因此适当增大失败重试次数;
                                                                                                                            19.4 lb-mgmt-net
                                                                                                                            本测试案例使用 linux bridge 作为二层桥设备,o-bhm0 设备会被加入到该网络对应的 brq 桥上;
                                                                                                                            19.5 操作系统
                                                                                                                            建议使用ubuntu18.04作为测试系统;

                                                                                                                            第二部分 openstack-octavia测试

                                                                                                                            一、创建实例

                                                                                                                            二、创建loadbalancer


                                                                                                                              root@controller-01:~# ssh 172.16.1.44
                                                                                                                              The authenticity of host '172.16.1.44 (172.16.1.44)' can't be established.
                                                                                                                              ECDSA key fingerprint is SHA256:G02CH/UA1NW6UWOLdtaT2edVZPeJpucMKcKn4kJ+Ctw.
                                                                                                                              Are you sure you want to continue connecting (yes/no)? yes
                                                                                                                              Warning: Permanently added '172.16.1.44' (ECDSA) to the list of known hosts.
                                                                                                                              Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-135-generic x86_64)


                                                                                                                              * Documentation: https://help.ubuntu.com
                                                                                                                              * Management: https://landscape.canonical.com
                                                                                                                              * Support: https://ubuntu.com/advantage


                                                                                                                              The programs included with the Ubuntu system are free software;
                                                                                                                              the exact distribution terms for each program are described in the
                                                                                                                              individual files in usr/share/doc/*/copyright.


                                                                                                                              Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
                                                                                                                              applicable law.


                                                                                                                              root@amphora-a4b92c63-1819-4cfa-a177-3aa94b4733c8:~# ifconfig
                                                                                                                              ens3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1450
                                                                                                                              inet 172.16.1.44 netmask 255.240.0.0 broadcast 172.31.255.255
                                                                                                                              inet6 fe80::f816:3eff:fe18:8ec8 prefixlen 64 scopeid 0x20<link>
                                                                                                                              ether fa:16:3e:18:8e:c8 txqueuelen 1000 (Ethernet)
                                                                                                                              RX packets 422 bytes 112187 (112.1 KB)
                                                                                                                              RX errors 0 dropped 0 overruns 0 frame 0
                                                                                                                              TX packets 387 bytes 148484 (148.4 KB)
                                                                                                                              TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0


                                                                                                                              lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
                                                                                                                              inet 127.0.0.1 netmask 255.0.0.0
                                                                                                                              inet6 ::1 prefixlen 128 scopeid 0x10<host>
                                                                                                                              loop txqueuelen 1000 (Local Loopback)
                                                                                                                              RX packets 0 bytes 0 (0.0 B)
                                                                                                                              RX errors 0 dropped 0 overruns 0 frame 0
                                                                                                                              TX packets 0 bytes 0 (0.0 B)
                                                                                                                              TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0


                                                                                                                              root@amphora-a4b92c63-1819-4cfa-a177-3aa94b4733c8:~# ip netns list
                                                                                                                              amphora-haproxy (id: 0)
                                                                                                                              root@amphora-a4b92c63-1819-4cfa-a177-3aa94b4733c8:~# ip netns exec amphora-haproxy ifconfig
                                                                                                                              eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1450
                                                                                                                              inet 10.10.10.53 netmask 255.255.255.0 broadcast 10.10.10.255
                                                                                                                              ether fa:16:3e:db:be:e6 txqueuelen 1000 (Ethernet)
                                                                                                                              RX packets 21 bytes 1194 (1.1 KB)
                                                                                                                              RX errors 0 dropped 0 overruns 0 frame 0
                                                                                                                              TX packets 752 bytes 38092 (38.0 KB)
                                                                                                                              TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0


                                                                                                                              eth2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1450
                                                                                                                              inet 192.1.0.10 netmask 255.255.255.0 broadcast 192.1.0.255
                                                                                                                              ether fa:16:3e:c2:24:50 txqueuelen 1000 (Ethernet)
                                                                                                                              RX packets 183 bytes 12886 (12.8 KB)
                                                                                                                              RX errors 0 dropped 0 overruns 0 frame 0
                                                                                                                              TX packets 325 bytes 22322 (22.3 KB)
                                                                                                                              TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
                                                                                                                                root@controller-01:~# ssh 172.16.4.76
                                                                                                                                The authenticity of host '172.16.4.76 (172.16.4.76)' can't be established.
                                                                                                                                ECDSA key fingerprint is SHA256:6UVkpWk1UCuuMNwh+S16222t4bOo7cRuddnuklnUUiA.
                                                                                                                                Are you sure you want to continue connecting (yes/no)? yes
                                                                                                                                Warning: Permanently added '172.16.4.76' (ECDSA) to the list of known hosts.
                                                                                                                                Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-135-generic x86_64)


                                                                                                                                * Documentation: https://help.ubuntu.com
                                                                                                                                * Management: https://landscape.canonical.com
                                                                                                                                * Support: https://ubuntu.com/advantage


                                                                                                                                The programs included with the Ubuntu system are free software;
                                                                                                                                the exact distribution terms for each program are described in the
                                                                                                                                individual files in usr/share/doc/*/copyright.


                                                                                                                                Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
                                                                                                                                applicable law.


                                                                                                                                root@amphora-bace39b5-9ca6-4e84-96ca-fbd5f1a7831c:~# ifconfig
                                                                                                                                ens3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1450
                                                                                                                                inet 172.16.4.76 netmask 255.240.0.0 broadcast 172.31.255.255
                                                                                                                                inet6 fe80::f816:3eff:fe0f:b2e6 prefixlen 64 scopeid 0x20<link>
                                                                                                                                ether fa:16:3e:0f:b2:e6 txqueuelen 1000 (Ethernet)
                                                                                                                                RX packets 475 bytes 114954 (114.9 KB)
                                                                                                                                RX errors 0 dropped 0 overruns 0 frame 0
                                                                                                                                TX packets 407 bytes 151009 (151.0 KB)
                                                                                                                                TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0


                                                                                                                                lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
                                                                                                                                inet 127.0.0.1 netmask 255.0.0.0
                                                                                                                                inet6 ::1 prefixlen 128 scopeid 0x10<host>
                                                                                                                                loop txqueuelen 1000 (Local Loopback)
                                                                                                                                RX packets 0 bytes 0 (0.0 B)
                                                                                                                                RX errors 0 dropped 0 overruns 0 frame 0
                                                                                                                                TX packets 0 bytes 0 (0.0 B)
                                                                                                                                TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0


                                                                                                                                root@amphora-bace39b5-9ca6-4e84-96ca-fbd5f1a7831c:~# ip netns list
                                                                                                                                amphora-haproxy (id: 0)
                                                                                                                                root@amphora-bace39b5-9ca6-4e84-96ca-fbd5f1a7831c:~# ip netns exec amphora-haproxy ifconfig
                                                                                                                                eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1450
                                                                                                                                inet 10.10.10.33 netmask 255.255.255.0 broadcast 10.10.10.255
                                                                                                                                ether fa:16:3e:44:ae:9f txqueuelen 1000 (Ethernet)
                                                                                                                                RX packets 843 bytes 42706 (42.7 KB)
                                                                                                                                RX errors 0 dropped 0 overruns 0 frame 0
                                                                                                                                TX packets 17 bytes 994 (994.0 B)
                                                                                                                                TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0


                                                                                                                                eth2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1450
                                                                                                                                inet 192.1.0.28 netmask 255.255.255.0 broadcast 192.1.0.255
                                                                                                                                ether fa:16:3e:8a:4d:f7 txqueuelen 1000 (Ethernet)
                                                                                                                                RX packets 208 bytes 14724 (14.7 KB)
                                                                                                                                RX errors 0 dropped 0 overruns 0 frame 0
                                                                                                                                TX packets 364 bytes 24968 (24.9 KB)
                                                                                                                                TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
                                                                                                                                  root@controller-01:~# openstack loadbalancer list
                                                                                                                                  +--------------------------------------+---------+----------------------------------+--------------+---------------------+----------+
                                                                                                                                  | id | name | project_id | vip_address | provisioning_status | provider |
                                                                                                                                  +--------------------------------------+---------+----------------------------------+--------------+---------------------+----------+
                                                                                                                                  | 5bdd8160-2217-47b1-9a6d-91db5cfa15ea | web_app | f6faef563147458c8b96022029e33266 | 10.10.10.184 | ACTIVE | amphora |
                                                                                                                                  +--------------------------------------+---------+----------------------------------+--------------+---------------------+----------+
                                                                                                                                   三、测试loadbalancer效果(连续两次 ssh 到同一地址 10.1.112.107,分别落到 eth0 为 192.1.0.13 与 192.1.0.144 的两台实例上,说明请求被分发到了不同的 member)
                                                                                                                                    root@controller-01:~# ssh cirros@10.1.112.107
                                                                                                                                    $ ifconfig eth0
                                                                                                                                    eth0 Link encap:Ethernet HWaddr FA:16:3E:71:A7:13
                                                                                                                                              inet addr:192.1.0.13  Bcast:172.31.255.255  Mask:255.240.0.0
                                                                                                                                    inet6 addr: fe80::f816:3eff:fe71:a713/64 Scope:Link
                                                                                                                                    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
                                                                                                                                    RX packets:1184 errors:0 dropped:0 overruns:0 frame:0
                                                                                                                                    TX packets:722 errors:0 dropped:0 overruns:0 carrier:0
                                                                                                                                    collisions:0 txqueuelen:1000
                                                                                                                                    RX bytes:101839 (99.4 KiB) TX bytes:68945 (67.3 KiB)


                                                                                                                                    root@controller-01:~# ssh cirros@10.1.112.107
                                                                                                                                    $ ifconfig eth0
                                                                                                                                    eth0 Link encap:Ethernet HWaddr FA:16:3E:AB:60:95
                                                                                                                                              inet addr:192.1.0.144  Bcast:172.31.255.255  Mask:255.240.0.0
                                                                                                                                    inet6 addr: fe80::f816:3eff:feab:6095/64 Scope:Link
                                                                                                                                    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
                                                                                                                                    RX packets:1395 errors:0 dropped:0 overruns:0 frame:0
                                                                                                                                    TX packets:891 errors:0 dropped:0 overruns:0 carrier:0
                                                                                                                                    collisions:0 txqueuelen:1000
                                                                                                                                     RX bytes:126126 (123.1 KiB) TX bytes:90362 (88.2 KiB)

                                                                                                                                    第三部分 openstack-octavia原理分析

                                                                                                                                    一、Concept
                                                                                                                                    • Amphora(e):实体为云主机,作为负载均衡器的载体,运行amphora-agent、haproxy、keepalived服务进程,也是 Octavia 的 Default Loadbalancer Provider。

                                                                                                                                    • lb-mgmt-net:是一个与 OpenStack Management/API Network 打通的网络,东侧连接 Amphora Instance、西侧连接 Octavia 服务进程。

                                                                                                                                    • tenant-net:业务云主机所在的网络。

                                                                                                                                    • vip-net:提供 VIP 地址池的网络。

                                                                                                                                    • Listener:下属于 loadbalancer 的监听器,用户可配置监听外部对 VIP 的访问类型(e.g. 协议、端口)。

                                                                                                                                    • Pool:后端的真实业务云主机集群域,一般用户会根据云主机的业务类型进行划分。

                                                                                                                                    • Member:业务云主机,下属于 Pool,对应传统负载均衡体系中的 Real Server。

                                                                                                                                    • Health Monitor:挂靠于 Pool,周期性对 Pool 中的 Member(s) 进行健康检查。

                                                                                                                                    二、Octavia Amphora Provider 设计思路

                                                                                                                                    • Amphora 作为负载均衡器软件(HAProxy)和高可用支撑(Keepalived)的运行载体,通过 Agent 与 Octavia 服务进程通信

                                                                                                                                    • Octavia 服务进程接收到用户的 loadbalancer 和 VIP 的配置参数,通过 Agent 动态修改 haproxy、keepalived 的配置文件;

                                                                                                                                    • 将 Member 处于的 Subnet 接入 Amphora,Amphora 通过 Member Socket (IP, Port) 分发请求数据包。

                                                                                                                                     • octavia controller worker服务是octavia服务任务的管理者;octavia-health-manager 监听于UDP 5555端口,接收amphora-agent发送的来自pool member的健康检测信息,心跳消息使用 [health_manager] 中的 heartbeat_key 做 HMAC 校验(本文测试配置中该值为 None,生产环境应配置一个随机密钥);amphora-agent 作为octavia service与amphora(haproxy、keepalived)的通信中介,监听于TCP 9443端口。

                                                                                                                                    •  amphora 被分配到 loadbalancer 之后会添加一个 vrrp_port 类型的端口,vrrp_port 充当着 keepalived 虚拟路由的一张网卡,被注入到 namespace 中,一般是 eth1。

                                                                                                                                     • 只有当octavia.conf配置文件loadbalancer_topology = ACTIVE_STANDBY(默认为SINGLE)时,创建loadbalancer才会创建两个amphora instance,并且在vip-net创建两个vrrp-port,作为keepalived VIP漂移的载体;

                                                                                                                                    2.1 amphora-agent服务

                                                                                                                                      root@amphora-a4b92c63-1819-4cfa-a177-3aa94b4733c8:~# ps -ef | grep agent
                                                                                                                                      root 1055 885 0 09:08 ? 00:00:01 /opt/amphora-agent-venv/bin/python3 /usr/local/bin/amphora-agent --config-file /etc/octavia/amphora-agent.conf

                                                                                                                                      2.2 amphora-agent服务配置文件

                                                                                                                                        root@amphora-a4b92c63-1819-4cfa-a177-3aa94b4733c8:~# cat /etc/octavia/amphora-agent.conf


                                                                                                                                        [DEFAULT]
                                                                                                                                        debug = False


                                                                                                                                        [haproxy_amphora]
                                                                                                                                        base_cert_dir = /var/lib/octavia/certs
                                                                                                                                        base_path = /var/lib/octavia
                                                                                                                                        bind_host = ::
                                                                                                                                        bind_port = 9443
                                                                                                                                        haproxy_cmd = /usr/sbin/haproxy
                                                                                                                                        respawn_count = 2
                                                                                                                                        respawn_interval = 2
                                                                                                                                        use_upstart = True


                                                                                                                                        [health_manager]
                                                                                                                                        controller_ip_port_list = 172.16.0.2:5555
                                                                                                                                        heartbeat_interval = 10
                                                                                                                                        heartbeat_key = None


                                                                                                                                        [amphora_agent]
                                                                                                                                        agent_server_ca = /etc/octavia/certs/client_ca.pem
                                                                                                                                        agent_server_cert = /etc/octavia/certs/server.pem
                                                                                                                                        agent_request_read_timeout = 180
                                                                                                                                        amphora_id = a4b92c63-1819-4cfa-a177-3aa94b4733c8
                                                                                                                                        amphora_udp_driver = keepalived_lvs


                                                                                                                                        [controller_worker]
                                                                                                                                        2.3 lb-vrrp-net vip信息
                                                                                                                                          root@amphora-a4b92c63-1819-4cfa-a177-3aa94b4733c8:~# ip netns exec amphora-haproxy cat /etc/network/interfaces.d/eth1.cfg


                                                                                                                                          # Generated by Octavia agent
                                                                                                                                          auto eth1
                                                                                                                                          iface eth1 inet static
                                                                                                                                          address 10.10.10.53
                                                                                                                                          broadcast 10.10.10.255
                                                                                                                                          netmask 255.255.255.0
                                                                                                                                          gateway 10.10.10.1
                                                                                                                                          mtu 1450


                                                                                                                                          # Add a source routing table to allow members to access the VIP


                                                                                                                                          post-up /sbin/ip route add default via 10.10.10.1 dev eth1 onlink table 1
                                                                                                                                          post-down /sbin/ip route del default via 10.10.10.1 dev eth1 onlink table 1


                                                                                                                                          post-up /sbin/iptables -t nat -A POSTROUTING -p udp -o eth1 -j MASQUERADE
                                                                                                                                           post-down /sbin/iptables -t nat -D POSTROUTING -p udp -o eth1 -j MASQUERADE
                                                                                                                                          2.4 haproxy服务
                                                                                                                                          2.4.1 haproxy服务进程
                                                                                                                                            root@amphora-a4b92c63-1819-4cfa-a177-3aa94b4733c8:~# ip netns exec amphora-haproxy ps -ef | grep haproxy
                                                                                                                                            root 876 1 0 09:07 ? 00:00:01 /usr/sbin/haproxy -Ws -f /var/lib/octavia/5bdd8160-2217-47b1-9a6d-91db5cfa15ea/haproxy.cfg -f /var/lib/octavia/haproxy-default-user-group.conf -p /var/lib/octavia/5bdd8160-2217-47b1-9a6d-91db5cfa15ea/5bdd8160-2217-47b1-9a6d-91db5cfa15ea.pid -L D7Zb3aIHaBtpilTdpYmeQlsG43M
                                                                                                                                            nobody 888 876 0 09:07 ? 00:00:03 /usr/sbin/haproxy -Ws -f /var/lib/octavia/5bdd8160-2217-47b1-9a6d-91db5cfa15ea/haproxy.cfg -f /var/lib/octavia/haproxy-default-user-group.conf -p /var/lib/octavia/5bdd8160-2217-47b1-9a6d-91db5cfa15ea/5bdd8160-2217-47b1-9a6d-91db5cfa15ea.pid -L D7Zb3aIHaBtpilTdpYmeQlsG43M
                                                                                                                                            2.4.2 haproxy服务配置文件
                                                                                                                                              root@amphora-a4b92c63-1819-4cfa-a177-3aa94b4733c8:~# cat /var/lib/octavia/5bdd8160-2217-47b1-9a6d-91db5cfa15ea/haproxy.cfg
                                                                                                                                              # Configuration for loadbalancer 5bdd8160-2217-47b1-9a6d-91db5cfa15ea
                                                                                                                                              global
                                                                                                                                              daemon
                                                                                                                                              user nobody
                                                                                                                                              log /dev/log local0
                                                                                                                                              log /dev/log local1 notice
                                                                                                                                              stats socket /var/lib/octavia/5bdd8160-2217-47b1-9a6d-91db5cfa15ea.sock mode 0666 level user
                                                                                                                                              maxconn 1000000


                                                                                                                                              defaults
                                                                                                                                              log global
                                                                                                                                              retries 3
                                                                                                                                              option redispatch
                                                                                                                                              option splice-request
                                                                                                                                              option splice-response
                                                                                                                                              option http-keep-alive


                                                                                                                                              peers 5bdd8160221747b19a6d91db5cfa15ea_peers
                                                                                                                                              peer D7Zb3aIHaBtpilTdpYmeQlsG43M 10.10.10.53:1025
                                                                                                                                              peer Trkzl9Yy82h2pRzpLnulpBCb0WM 10.10.10.33:1025




                                                                                                                                              frontend 460eccd0-2014-4c6c-b50c-80152b73fd56
                                                                                                                                              option tcplog
                                                                                                                                              maxconn 1000000
                                                                                                                                              bind 10.10.10.184:22
                                                                                                                                              mode tcp
                                                                                                                                              default_backend 331026f7-1e79-4642-af9d-94c189f24c29:460eccd0-2014-4c6c-b50c-80152b73fd56
                                                                                                                                              timeout client 50000


                                                                                                                                              backend 331026f7-1e79-4642-af9d-94c189f24c29:460eccd0-2014-4c6c-b50c-80152b73fd56
                                                                                                                                              mode tcp
                                                                                                                                              balance roundrobin
                                                                                                                                              timeout check 5s
                                                                                                                                              fullconn 1000000
                                                                                                                                              option allbackups
                                                                                                                                              timeout connect 5000
                                                                                                                                              timeout server 50000
                                                                                                                                              server 2705c383-1f93-4947-b09d-5c052d484f5f 192.1.0.13:22 weight 1 check inter 5s fall 3 rise 3
                                                                                                                                                  server 515ed29e-eda4-42c4-8b27-0d5c6add1a91 192.1.0.144:22 weight 1 check inter 5s fall 3 rise 3
                                                                                                                                              2.4.3 haproxy service文件
                                                                                                                                                root@amphora-a4b92c63-1819-4cfa-a177-3aa94b4733c8:~# ip netns exec amphora-haproxy cat /lib/systemd/system/haproxy.service
                                                                                                                                                [Unit]
                                                                                                                                                Description=HAProxy Load Balancer
                                                                                                                                                Documentation=man:haproxy(1)
                                                                                                                                                Documentation=file:/usr/share/doc/haproxy/configuration.txt.gz
                                                                                                                                                After=network.target rsyslog.service


                                                                                                                                                [Service]
                                                                                                                                                EnvironmentFile=-/etc/default/haproxy
                                                                                                                                                Environment="CONFIG=/etc/haproxy/haproxy.cfg" "PIDFILE=/run/haproxy.pid"
                                                                                                                                                ExecStartPre=/usr/sbin/haproxy -f $CONFIG -c -q $EXTRAOPTS
                                                                                                                                                ExecStart=/usr/sbin/haproxy -Ws -f $CONFIG -p $PIDFILE $EXTRAOPTS
                                                                                                                                                ExecReload=/usr/sbin/haproxy -f $CONFIG -c -q $EXTRAOPTS
                                                                                                                                                ExecReload=/bin/kill -USR2 $MAINPID
                                                                                                                                                KillMode=mixed
                                                                                                                                                Restart=always
                                                                                                                                                SuccessExitStatus=143
                                                                                                                                                Type=notify


                                                                                                                                                # The following lines leverage SystemD's sandboxing options to provide
                                                                                                                                                # defense in depth protection at the expense of restricting some flexibility
                                                                                                                                                # in your setup (e.g. placement of your configuration files) or possibly
                                                                                                                                                # reduced performance. See systemd.service(5) and systemd.exec(5) for further
                                                                                                                                                # information.


                                                                                                                                                # NoNewPrivileges=true
                                                                                                                                                # ProtectHome=true
                                                                                                                                                # If you want to use 'ProtectSystem=strict' you should whitelist the PIDFILE,
                                                                                                                                                # any state files and any other files written using 'ReadWritePaths' or
                                                                                                                                                # 'RuntimeDirectory'.
                                                                                                                                                # ProtectSystem=true
                                                                                                                                                # ProtectKernelTunables=true
                                                                                                                                                # ProtectKernelModules=true
                                                                                                                                                # ProtectControlGroups=true
                                                                                                                                                # If your SystemD version supports them, you can add: @reboot, @swap, @sync
                                                                                                                                                # SystemCallFilter=~@cpu-emulation @keyring @module @obsolete @raw-io


                                                                                                                                                [Install]
                                                                                                                                                WantedBy=multi-user.target
                                                                                                                                                2.5 keepalived服务
                                                                                                                                                2.5.1 keepalived服务进程
                                                                                                                                                  root@amphora-a4b92c63-1819-4cfa-a177-3aa94b4733c8:~# ip netns exec amphora-haproxy ps -ef | grep keepalived
                                                                                                                                                  root 892 1 0 09:07 ? 00:00:00 /usr/sbin/keepalived --log-facility=1 -f /var/lib/octavia/vrrp/octavia-keepalived.conf -p /var/lib/octavia/vrrp/octavia-keepalived.pid
                                                                                                                                                  root       893   892  0 09:07 ?        00:00:00 /usr/sbin/keepalived --log-facility=1 -f /var/lib/octavia/vrrp/octavia-keepalived.conf -p /var/lib/octavia/vrrp/octavia-keepalived.pid
                                                                                                                                                  2.5.2 keepalived配置文件
                                                                                                                                                  • master

                                                                                                                                                    root@amphora-bace39b5-9ca6-4e84-96ca-fbd5f1a7831c:~# ip netns exec amphora-haproxy cat /var/lib/octavia/vrrp/octavia-keepalived.conf
                                                                                                                                                    vrrp_script check_script {
                                                                                                                                                    script /var/lib/octavia/vrrp/check_script.sh
                                                                                                                                                    interval 5
                                                                                                                                                    fall 2
                                                                                                                                                    rise 2
                                                                                                                                                    }


                                                                                                                                                    vrrp_instance 5bdd8160221747b19a6d91db5cfa15ea {
                                                                                                                                                    state MASTER
                                                                                                                                                    interface eth1
                                                                                                                                                    virtual_router_id 1
                                                                                                                                                    priority 100
                                                                                                                                                    nopreempt
                                                                                                                                                    accept
                                                                                                                                                    garp_master_refresh 5
                                                                                                                                                    garp_master_refresh_repeat 2
                                                                                                                                                    advert_int 1
                                                                                                                                                    authentication {
                                                                                                                                                    auth_type PASS
                                                                                                                                                    auth_pass ec74379
                                                                                                                                                    }


                                                                                                                                                    unicast_src_ip 10.10.10.33
                                                                                                                                                    unicast_peer {
                                                                                                                                                    10.10.10.53
                                                                                                                                                    }


                                                                                                                                                    virtual_ipaddress {
                                                                                                                                                    10.10.10.184
                                                                                                                                                    }


                                                                                                                                                    virtual_routes {
                                                                                                                                                    10.10.10.0/24 dev eth1 src 10.10.10.184 scope link table 1
                                                                                                                                                    }


                                                                                                                                                    virtual_rules {
                                                                                                                                                    from 10.10.10.184/32 table 1 priority 100
                                                                                                                                                    }


                                                                                                                                                    track_script {
                                                                                                                                                    check_script
                                                                                                                                                    }
                                                                                                                                                    }
                                                                                                                                                    • backup

                                                                                                                                                      root@amphora-a4b92c63-1819-4cfa-a177-3aa94b4733c8:~# ip netns exec amphora-haproxy cat /var/lib/octavia/vrrp/octavia-keepalived.conf
                                                                                                                                                      vrrp_script check_script {
                                                                                                                                                      script /var/lib/octavia/vrrp/check_script.sh
                                                                                                                                                      interval 5
                                                                                                                                                      fall 2
                                                                                                                                                      rise 2
                                                                                                                                                      }


                                                                                                                                                      vrrp_instance 5bdd8160221747b19a6d91db5cfa15ea {
                                                                                                                                                      state BACKUP
                                                                                                                                                      interface eth1
                                                                                                                                                      virtual_router_id 1
                                                                                                                                                      priority 90
                                                                                                                                                      nopreempt
                                                                                                                                                      accept
                                                                                                                                                      garp_master_refresh 5
                                                                                                                                                      garp_master_refresh_repeat 2
                                                                                                                                                      advert_int 1
                                                                                                                                                      authentication {
                                                                                                                                                      auth_type PASS
                                                                                                                                                      auth_pass ec74379
                                                                                                                                                      }


                                                                                                                                                      unicast_src_ip 10.10.10.53
                                                                                                                                                      unicast_peer {
                                                                                                                                                      10.10.10.33
                                                                                                                                                      }


                                                                                                                                                      virtual_ipaddress {
                                                                                                                                                      10.10.10.184
                                                                                                                                                      }


                                                                                                                                                      virtual_routes {
                                                                                                                                                      10.10.10.0/24 dev eth1 src 10.10.10.184 scope link table 1
                                                                                                                                                      }


                                                                                                                                                      virtual_rules {
                                                                                                                                                      from 10.10.10.184/32 table 1 priority 100
                                                                                                                                                      }


                                                                                                                                                      track_script {
                                                                                                                                                      check_script
                                                                                                                                                      }
                                                                                                                                                      }
                                                                                                                                                      2.5.3 keepalived service文件
                                                                                                                                                        root@amphora-a4b92c63-1819-4cfa-a177-3aa94b4733c8:~# ip netns exec amphora-haproxy cat /lib/systemd/system/keepalived.service
                                                                                                                                                        [Unit]
                                                                                                                                                        Description=Keepalive Daemon (LVS and VRRP)
                                                                                                                                                        After=syslog.target network-online.target
                                                                                                                                                        Wants=network-online.target
                                                                                                                                                        # Only start if there is a configuration file
                                                                                                                                                        ConditionFileNotEmpty=/etc/keepalived/keepalived.conf


                                                                                                                                                        [Service]
                                                                                                                                                        Type=forking
                                                                                                                                                        KillMode=process
                                                                                                                                                        # Read configuration variable file if it is present
                                                                                                                                                        EnvironmentFile=-/etc/default/keepalived
                                                                                                                                                        ExecStart=/usr/sbin/keepalived $DAEMON_ARGS
                                                                                                                                                        ExecReload=/bin/kill -HUP $MAINPID


                                                                                                                                                        [Install]
                                                                                                                                                        WantedBy=multi-user.target
                                                                                                                                                        2.5.4 keepalived健康检测脚本
                                                                                                                                                          root@amphora-bace39b5-9ca6-4e84-96ca-fbd5f1a7831c:~# ip netns exec amphora-haproxy cat /var/lib/octavia/vrrp/check_script.sh
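                                                                                                                                                          #!/bin/bash
                                                                                                                                                          # keepalived VRRP health check: run every script in the check_scripts
                                                                                                                                                          # directory and report a non-zero status if any of them fails.
                                                                                                                                                          # Exit status: 0 when every check succeeded, otherwise the (clamped) sum
                                                                                                                                                          # of the individual check exit codes.

                                                                                                                                                          # With nullglob an empty directory yields no iterations instead of the
                                                                                                                                                          # literal pattern being passed to sh.
                                                                                                                                                          shopt -s nullglob

                                                                                                                                                          status=0
                                                                                                                                                          for file in /var/lib/octavia/vrrp/check_scripts/*; do
                                                                                                                                                            printf 'Running check script: %s\n' "$file"
                                                                                                                                                            rc=0
                                                                                                                                                            sh "$file" || rc=$?
                                                                                                                                                            status=$(( status + rc ))
                                                                                                                                                          done

                                                                                                                                                          # Exit codes are 8-bit: a sum of 256 would wrap to 0 and report the
                                                                                                                                                          # instance as healthy although checks failed, so clamp before exiting.
                                                                                                                                                          if (( status > 255 )); then
                                                                                                                                                            status=255
                                                                                                                                                          fi
                                                                                                                                                          exit "$status"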






