Deployer_Openstack_avec_Octavia
Creating the model
juju add-model openstack-octavia
Downloading the charm bundle
charm pull cs:bundle/openstack-base ~/openstack-octavia
cd openstack-octavia/
Change the network interface name eno2 to enp4s0f1 (the second NIC on the MAAS machine)
vim bundle.yaml
Downloading the Octavia overlay
curl https://raw.githubusercontent.com/openstack-charmers/openstack-bundles/master/stable/overlays/loadbalancer-octavia.yaml -o loadbalancer-octavia.yaml
Edit the file
vim loadbalancer-octavia.yaml
Add this block of code after the trunk line (the surrounding options and placement are shown for context):
    options:
      source: ppa:simplestreams-dev/trunk
      use_swift: False
      mirror_list: "[{url: 'http://cloud-images.ubuntu.com/daily/',
                      name_prefix: 'ubuntu:released',
                      path: 'streams/v1/index.sjson',
                      max: 1,
                      item_filters: [
                        'release~(xenial|bionic|focal)',
                        'arch~(x86_64|amd64)',
                        'ftype~(disk1.img|disk.img)'
                      ]
                    },
                    {url: 'http://cloud-images.ubuntu.com/minimal/daily/',
                      name_prefix: 'ubuntu:released',
                      path: 'streams/v1/index.sjson',
                      max: 1,
                      item_filters: [
                        'release~(xenial|bionic|focal)',
                        'arch~(x86_64|amd64)',
                        'ftype~(disk1.img|disk.img)'
                      ]
                    }]"
    to:
      - lxd:0
Deploying OpenStack with Octavia
juju deploy ./bundle.yaml --overlay loadbalancer-octavia.yaml
Follow the progress of the model deployment
watch -cd juju status --color
At some point Vault will block the deployment of the model, because Vault has to be unsealed before it can propagate the certificates to the other services.
Connect to the vault machine when you see the message "vault need initialized"
juju ssh vault/0
Get the IP address of the vault machine
ip a
export VAULT_ADDR="http://192.168.1.238:8200"
Initialize Vault and display the unseal keys and the root token
vault operator init -key-shares=5 -key-threshold=3
Unseal Key 1: 29z/5rd0HJ1d8DfgnPtB7qyWaSj0gbdZxsHlor41vgYS
Unseal Key 2: 2X7o73aKwnFF7lhbjpU2reVq6WVm+OH56iTr0RHLJdEb
Unseal Key 3: xerIVaiD/L26uQ92OWGzdeBUvJWrY5RF25+fxSo4+qLB
Unseal Key 4: 1GgofZR+6Hj9wuPQWFYxLGqtGI5TZOEFjsGzE4u7VpIE
Unseal Key 5: dqLnrN7/nhswNiJ89NGU6Y8ag94vmtdBX5lSIWZvQmso
Initial Root Token: s.N792P5isPSURbn11hSWAYPBK
Be sure to save the different keys in a separate file.
Unseal with 3 of the keys; the other two are kept as spares.
ubuntu@juju-992de7-0-lxd-6:~$ vault operator unseal jOiiYt5L8DK8BK2q9zK8kLdAeMI8OTSwXQhVj8CRnUdj
Key                Value
---                -----
Seal Type          shamir
Initialized        true
Sealed             true
Total Shares       5
Threshold          3
Unseal Progress    1/3
Unseal Nonce       906b104d-c1e7-02bb-91a4-913938675230
Version            1.1.1
HA Enabled         false
ubuntu@juju-992de7-0-lxd-6:~$ vault operator unseal +oeejlXqXgm7v90sXjxKcSinw62I6nNu9piIrLg59jwi
Key                Value
---                -----
Seal Type          shamir
Initialized        true
Sealed             true
Total Shares       5
Threshold          3
Unseal Progress    2/3
Unseal Nonce       906b104d-c1e7-02bb-91a4-913938675230
Version            1.1.1
HA Enabled         false
ubuntu@juju-992de7-0-lxd-6:~$ vault operator unseal K2LPioxHlsIDbVi6xuHnnQ/fNiN3nfk0xKTAS/segVW0
Key                Value
---                -----
Seal Type          shamir
Initialized        true
Sealed             false
Total Shares       5
Threshold          3
Version            1.1.1
Cluster Name       vault-cluster-2ca79f1c
Cluster ID         d98d919b-f104-e9a9-fcfb-fdb1e699782b
HA Enabled         false
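The unseal steps above, scripted: an added example that is not part of this repository. It reads the saved output of `vault operator init`, feeds exactly the threshold number of keys to `vault operator unseal`, and then asks the server for its seal state instead of trusting a loop counter. The path of the saved init output (passed as the first argument), the default threshold of 3 and the helper names `extract_unseal_keys`, `count_unseal_keys`, `extract_root_token` and `unseal_with_threshold` are assumptions; VAULT_ADDR is assumed to be exported as in the step above.

```shell
#!/bin/sh
# Added example (not from the page): unseal Vault from the saved output of
# `vault operator init`, using only the threshold number of keys, then verify.
# Assumes VAULT_ADDR is exported and $1 is the file holding the init output.
set -eu

# Print one unseal key per line from the saved init output (constructed format:
# "Unseal Key N: <key>", which is what `vault operator init` prints).
extract_unseal_keys() {
  awk '/^Unseal Key [0-9]+:/ { print $4 }' "$1"
}

# Number of unseal keys present in the saved output.
count_unseal_keys() {
  awk '/^Unseal Key [0-9]+:/ { n++ } END { print n + 0 }' "$1"
}

# The root token, kept apart from the unseal keys (different custodians).
extract_root_token() {
  awk '/^Initial Root Token:/ { print $4 }' "$1"
}

# Feed the first $threshold keys to `vault operator unseal`, then confirm
# with `vault status` that the server really reports sealed=false.
unseal_with_threshold() {
  keyfile=$1
  threshold=${2:-3}
  if [ "$(count_unseal_keys "$keyfile")" -lt "$threshold" ]; then
    echo "fewer than $threshold unseal keys found in $keyfile" >&2
    return 1
  fi
  for key in $(extract_unseal_keys "$keyfile" | head -n "$threshold"); do
    vault operator unseal "$key" >/dev/null
  done
  vault status -format=json | grep -q '"sealed": *false'
}

# Only reached when an init-output file is given on the command line.
if [ "$#" -ge 1 ]; then
  chmod 600 "$1"   # the file holds every key share and the root token
  unseal_with_threshold "$1" "${2:-3}"
  echo "vault unsealed; root token is on the 'Initial Root Token' line of $1"
fi
```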
Configuring the token
export VAULT_TOKEN=s.ZyyiBs2eSyzU84H0dzmQ1Bgs
ubuntu@juju-992de7-0-lxd-6:~$ vault token create -ttl=10m
Key                  Value
---                  -----
token                s.BCPlQ336tW4IKla4tcjEXYZ5
token_accessor       Pju7Fk5WNMcMIE6agwBmTeye
token_duration       10m
token_renewable      true
token_policies       ["root"]
identity_policies    []
policies             ["root"]
Leave the vault/0 machine
exit
Using the token created above, authorize the charm and generate the root CA
moula@maas-home-lab:~/openstack-base1$ juju run-action --wait vault/leader authorize-charm token=s.BCPlQ336tW4IKla4tcjEXYZ5
unit-vault-0:
  UnitId: vault/0
  id: "2"
  results:
    Stdout: |
      lxc
      lxc
      active
      active
      lxc
  status: completed
  timing:
    completed: 2020-06-24 06:48:28 +0000 UTC
    enqueued: 2020-06-24 06:48:25 +0000 UTC
    started: 2020-06-24 06:48:25 +0000 UTC
moula@maas-home-lab:~/openstack-base1$ juju run-action --wait vault/leader generate-root-ca
unit-vault-0:
  UnitId: vault/0
  id: "4"
  results:
    Stdout: |
      lxc
      lxc
      active
      active
      active
      active
      lxc
    output: |-
      -----BEGIN CERTIFICATE-----
      -----END CERTIFICATE-----
  status: completed
  timing:
    completed: 2020-06-24 06:48:58 +0000 UTC
    enqueued: 2020-06-24 06:48:45 +0000 UTC
    started: 2020-06-24 06:48:45 +0000 UTC
Vault can now distribute the certificates to the different services.
Retrieving the credentials and the IP address of the Horizon dashboard
Show the dashboard status
juju status openstack-dashboard
source openrc
or
source ~/openstack-base1/openrc
Dashboard IP address
juju status openstack-dashboard/0* | grep Container | awk '{print $3}'
The login credentials
env | grep OS_
echo -e "Domain: $OS_USER_DOMAIN_NAME\nUser Name: $OS_USERNAME\nPassword: $OS_PASSWORD"
Connecting to the web interface
http:///horizon

Connect to the machine hosting the dashboard
juju ssh openstack-dashboard/0
Installation to be done on the MAAS machine
sudo snap install openstackclients --classic
Update to the edge version
sudo snap refresh openstackclients --edge
Creating the self-signed certificates
mkdir -p demoCA/newcerts
touch demoCA/index.txt
touch demoCA/index.txt.attr
openssl genrsa -passout pass:****** -des3 -out issuing_ca_key.pem 2048
openssl req -x509 -passin pass:****** -new -nodes -key issuing_ca_key.pem \
-config /etc/ssl/openssl.cnf \
-subj "/C=FR/ST=Paris/O=Wf/CN=www.tychecloud.wf" \
-days 365 \
-out issuing_ca.pem
openssl genrsa -passout pass:****** -des3 -out controller_ca_key.pem 2048
openssl req -x509 -passin pass:****** -new -nodes \
-key controller_ca_key.pem \
-config /etc/ssl/openssl.cnf \
-subj "/C=FR/ST=Paris/O=Wf/CN=www.tychecloud.wf" \
-days 365 \
-out controller_ca.pem
openssl req \
-newkey rsa:2048 -nodes -keyout controller_key.pem \
-subj "/C=FR/ST=Paris/O=Wf/CN=www.tychecloud.wf" \
-out controller.csr
openssl ca -passin pass:****** -config /etc/ssl/openssl.cnf \
-cert controller_ca.pem -keyfile controller_ca_key.pem \
-create_serial -batch \
-in controller.csr -days 365 -out controller_cert.pem
cat controller_cert.pem controller_key.pem > controller_cert_bundle.pem
Apply the certificates
juju config octavia \
lb-mgmt-issuing-cacert="$(base64 controller_ca.pem)" \
lb-mgmt-issuing-ca-private-key="$(base64 controller_ca_key.pem)" \
lb-mgmt-issuing-ca-key-passphrase=mou68mama \
lb-mgmt-controller-cacert="$(base64 controller_ca.pem)" \
lb-mgmt-controller-cert="$(base64 controller_cert_bundle.pem)"
Configure the OpenStack cloud resources for Octavia
juju run-action --wait octavia/0 configure-resources
juju run-action --wait octavia-diskimage-retrofit/leader retrofit-image
$ openstack image list
+--------------------------------------+-----------------------------------------------------------------+--------+
| ID                                   | Name                                                            | Status |
+--------------------------------------+-----------------------------------------------------------------+--------+
| ec09b0e4-cd63-4c9f-87c2-3faadfa9d21e | amphora-haproxy-x86_64-ubuntu-18.04-20200519.1                  | active |
| 2fac2e9b-995b-441a-b268-f928e924df8e | auto-sync/ubuntu-bionic-18.04-amd64-server-20200519.1-disk1.img | active |
| c648d2e4-d093-4d98-a636-81407e52eba3 | auto-sync/ubuntu-trusty-14.04-amd64-server-20191107-disk1.img   | active |
| a9ede5d1-612b-4894-9270-c49ebe8dcd43 | auto-sync/ubuntu-xenial-16.04-amd64-server-20200522-disk1.img   | active |
+--------------------------------------+-----------------------------------------------------------------+--------+
Here are some examples of uploading additional cloud images:
Ubuntu 20.04
curl https://cloud-images.ubuntu.com/focal/current/focal-server-cloudimg-amd64.img | \
openstack image create --public --container-format=bare \
--disk-format=qcow2 focal
Ubuntu 18.04
curl https://cloud-images.ubuntu.com/bionic/current/bionic-server-cloudimg-amd64.img | \
openstack image create --public --container-format=bare \
--disk-format=qcow2 bionic
CentOS 7
curl http://cloud.centos.org/centos/7/images/CentOS-7-x86_64-GenericCloud.qcow2 | \
openstack image create --public --container-format=bare \
--disk-format=qcow2 centos7
Fedora 32
curl https://fr2.rpmfind.net/linux/fedora/linux/releases/32/Cloud/x86_64/images/Fedora-Cloud-Base-32-1.6.x86_64.qcow2 | \
openstack image create --public --container-format=bare \
--disk-format=qcow2 fedora32
Adding and configuring flavors
openstack flavor create --ram 1024 --disk 10 m1.small
openstack flavor create --vcpus 2 --ram 2048 --disk 20 m1.medium
openstack flavor create --vcpus 4 --ram 4096 --disk 40 m1.large
List the flavors
openstack flavor list
+--------------------------------------+-----------+------+------+-----------+-------+-----------+
| ID                                   | Name      |  RAM | Disk | Ephemeral | VCPUs | Is Public |
+--------------------------------------+-----------+------+------+-----------+-------+-----------+
| 9eb5dcc8-3a43-43e9-b3ac-da2987a9f03f | m1.small  | 1024 |   10 |         0 |     1 | True      |
| ac14575f-d24c-461e-a910-995c19a49d30 | m1.medium | 2048 |   20 |         0 |     2 | True      |
| e55541f7-9a82-4dec-ae06-84517c620327 | m1.large  | 4096 |   40 |         0 |     4 | True      |
+--------------------------------------+-----------+------+------+-----------+-------+-----------+
Creating two networks: one external and one internal
Creating the external network
$ openstack network create ext_net --share --external --provider-network-type flat --provider-physical-network physnet1
$ openstack subnet create ext_subnet --no-dhcp --allocation-pool start=192.168.1.101,end=192.168.1.254 \
    --subnet-range 192.168.1.0/24 --gateway 192.168.1.254 --dns-nameserver 192.168.1.254 --network ext_net
Creating the internal network
$ openstack network create int_net
$ openstack subnet create int_subnet --allocation-pool start=10.0.0.11,end=10.0.0.254 \
    --subnet-range 10.0.0.0/24 --gateway 10.0.0.1 --dns-nameserver 192.168.10.1 --network int_net
List the networks
$ openstack network list
$ openstack subnet list
