Installing barbican + Octavia with juju (OpenStack LB service)
# barbican + Octavia with juju

[Load balancing — charm-guide 0.0.1.dev810 documentation](https://docs.openstack.org/charm-guide/latest/admin/networking/load-balancing.html)

[juju octavia configuration options](https://charmhub.io/octavia/configurations)

- barbican

```bash
juju deploy barbican --to lxd:10 --channel 2023.2/stable
juju deploy barbican-vault
juju deploy --channel 8.0/stable mysql-router barbican-mysql-router
juju integrate barbican-mysql-router:db-router mysql-innodb-cluster:db-router
juju integrate barbican-mysql-router:shared-db barbican:shared-db
juju integrate barbican rabbitmq-server
juju integrate barbican keystone
juju integrate barbican barbican-vault
juju integrate barbican-vault:secrets-storage vault:secrets
```

- octavia

```bash
juju deploy ch:octavia --channel 2023.2/stable --to 8
juju integrate octavia rabbitmq-server
juju deploy --channel 8.0/stable mysql-router octavia-mysql-router
juju integrate octavia-mysql-router:db-router mysql-innodb-cluster:db-router
juju integrate octavia-mysql-router:shared-db octavia:shared-db
juju integrate octavia keystone
juju integrate octavia:ovsdb-subordinate ovn-chassis:ovsdb-subordinate
juju integrate octavia:ovsdb-cms ovn-central:ovsdb-cms
juju integrate octavia neutron-api
#juju integrate octavia:neutron-plugin ovn-chassis:neutron-plugin
juju config neutron-api enable-ml2-port-security=True
```

- octavia dashboard

```bash
juju deploy octavia-dashboard
juju integrate octavia-dashboard openstack-dashboard
```

- **Generate certificates**

```bash
mkdir -p demoCA/newcerts
touch demoCA/index.txt
touch demoCA/index.txt.attr

# keystone unit IP = {192.168.2.125}
# Note: no -days is given for the two CA certificates below, so
# `openssl req -x509` applies its default validity of 30 days.

# Issuing CA: key (passphrase-protected) and self-signed certificate
openssl genpkey -algorithm RSA -aes256 -pass pass:foobar -out issuing_ca_key.pem
openssl req -x509 -passin pass:foobar -new -nodes -key issuing_ca_key.pem \
    -config /etc/ssl/openssl.cnf \
    -subj "/C=KR/ST=Seoul/O=Direa/CN=192.168.2.125" \
    -out issuing_ca.pem

# Controller CA: key (passphrase-protected) and self-signed certificate
openssl genpkey -algorithm RSA -aes256 -pass pass:foobar -out controller_ca_key.pem
openssl req -x509 -passin pass:foobar -new -nodes \
    -key controller_ca_key.pem \
    -config /etc/ssl/openssl.cnf \
    -subj "/C=KR/ST=Seoul/O=Direa/CN=192.168.2.125" \
    -out controller_ca.pem

# Controller key and CSR, signed by the controller CA
openssl req \
    -newkey rsa:2048 -nodes -keyout controller_key.pem \
    -subj "/C=KR/ST=Seoul/O=Direa/CN=192.168.2.125" \
    -out controller.csr
openssl ca -passin pass:foobar -config /etc/ssl/openssl.cnf \
    -cert controller_ca.pem -keyfile controller_ca_key.pem \
    -create_serial -batch \
    -in controller.csr -days 365 -out controller_cert.pem

# Bundle = controller certificate followed by its private key
cat controller_cert.pem controller_key.pem > controller_cert_bundle.pem
```

```bash
juju config octavia \
    lb-mgmt-issuing-cacert="$(base64 issuing_ca.pem)" \
    lb-mgmt-issuing-ca-private-key="$(base64 issuing_ca_key.pem)" \
    lb-mgmt-issuing-ca-key-passphrase=foobar \
    lb-mgmt-controller-cacert="$(base64 controller_ca.pem)" \
    lb-mgmt-controller-cert="$(base64 controller_cert_bundle.pem)"

juju run octavia/0 configure-resources
```

- Amphora image (the VM the LB is placed on)

```bash
juju deploy glance-simplestreams-sync --to 7
juju deploy octavia-diskimage-retrofit \
    --config amp-image-tag=octavia-amphora
juju integrate glance-simplestreams-sync keystone
juju integrate glance-simplestreams-sync:certificates vault:certificates
juju integrate octavia-diskimage-retrofit glance-simplestreams-sync
juju integrate octavia-diskimage-retrofit keystone

openstack image create "Amphora" --tag "octavia-amphora" \
    --file cloud-images/jammy-amd64.img \
    --disk-format qcow2 --container-format bare --public
openstack image set --property architecture=x86_64 1c99425c-2c0a-4167-ba93-c995102abd54
openstack image set --property os_distro=ubuntu 1c99425c-2c0a-4167-ba93-c995102abd54
openstack image set --property os_version=22.04 1c99425c-2c0a-4167-ba93-c995102abd54
openstack image set --property version_name=jammy 1c99425c-2c0a-4167-ba93-c995102abd54
openstack image set --property product_name="ubuntu-amphora" 1c99425c-2c0a-4167-ba93-c995102abd54

juju run octavia-diskimage-retrofit/leader retrofit-image source-image=1c99425c-2c0a-4167-ba93-c995102abd54
```

- role

```bash
openstack role add --user-domain admin_domain --user admin \
    --project-domain admin_domain --project admin \
    load-balancer_admin
```

- Things to check later

```bash
juju config neutron-api manage-neutron-plugin-legacy-mode=false

# Creating the LB via the (CLI) fails with an error, cause unknown; **created it via the dashboard**
# When configuring the LB, a timeout higher than the delay results in an error state (nothing is logged either..)
```

### Note (the LB IP cannot be ping-tested)

Security groups implemented for the load balancer VIP only allow data traffic for the required protocols and ports. For this reason, you cannot ping load balancer VIPs, as **ICMP traffic is blocked**.

[Chapter 13. Troubleshooting and maintaining the Load-balancing service | Red Hat Product Documentation](https://docs.redhat.com/en/documentation/red_hat_openstack_platform/16.2/html/using_octavia_for_load_balancing-as-a-service/troubleshoot-maintain-lb-service_rhosp-lbaas#lb-verify_troubleshoot-maintain-lb-service)

### openstack show
loadbalancer details
```bash
direa@maascontroller:~$ openstack loadbalancer show lb1
+---------------------+--------------------------------------+
| Field               | Value                                |
+---------------------+--------------------------------------+
| admin_state_up      | True                                 |
| availability_zone   | None                                 |
| created_at          | 2024-10-10T05:26:21                  |
| description         |                                      |
| flavor_id           | None                                 |
| id                  | b3abe330-e1f9-4e96-b424-c5834b2734c5 |
| listeners           | 0ed41875-8bb0-4f8a-a5c4-0ddb48d3812d |
| name                | lb1                                  |
| operating_status    | ONLINE                               |
| pools               | 99841ca4-998b-462e-abef-a97533d12eb2 |
| project_id          | 72faa4515e7843489ac23485dbf46d90     |
| provider            | amphora                              |
| provisioning_status | ACTIVE                               |
| updated_at          | 2024-10-11T01:06:19                  |
| vip_address         | 10.0.0.104                           |
| vip_network_id      | 96302d7f-7fc3-4ad7-bb2c-e330f52af87f |
| vip_port_id         | aa1c6d98-01ba-499d-8973-0ebf1d924872 |
| vip_qos_policy_id   | None                                 |
| vip_subnet_id       | 0e6fc837-d51c-4103-a794-bd989403bb36 |
| tags                |                                      |
+---------------------+--------------------------------------+
```
Listener details
```bash
direa@maascontroller:~$ openstack loadbalancer listener show listener1
+-----------------------------+--------------------------------------------------------+
| Field                       | Value                                                  |
+-----------------------------+--------------------------------------------------------+
| admin_state_up              | True                                                   |
| connection_limit            | -1                                                     |
| created_at                  | 2024-10-10T08:28:28                                    |
| default_pool_id             | 99841ca4-998b-462e-abef-a97533d12eb2                   |
| default_tls_container_ref   | None                                                   |
| description                 |                                                        |
| id                          | 0ed41875-8bb0-4f8a-a5c4-0ddb48d3812d                   |
| insert_headers              | None                                                   |
| l7policies                  |                                                        |
| loadbalancers               | b3abe330-e1f9-4e96-b424-c5834b2734c5                   |
| name                        | listener1                                              |
| operating_status            | ONLINE                                                 |
| project_id                  | 72faa4515e7843489ac23485dbf46d90                       |
| protocol                    | HTTP                                                   |
| protocol_port               | 80                                                     |
| provisioning_status         | ACTIVE                                                 |
| sni_container_refs          | []                                                     |
| timeout_client_data         | 50000                                                  |
| timeout_member_connect      | 5000                                                   |
| timeout_member_data         | 50000                                                  |
| timeout_tcp_inspect         | 0                                                      |
| updated_at                  | 2024-10-11T01:06:19                                    |
| client_ca_tls_container_ref | None                                                   |
| client_authentication       | NONE                                                   |
| client_crl_container_ref    | None                                                   |
| allowed_cidrs               | 0.0.0.0/0                                              |
| tls_ciphers                 | TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:   |
|                             | TLS_AES_128_GCM_SHA256:DHE-RSA-AES256-GCM-SHA384:      |
|                             | DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384: |
|                             | ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:     |
|                             | DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:         |
|                             | ECDHE-RSA-AES128-SHA256                                |
| tls_versions                | None                                                   |
| alpn_protocols              | None                                                   |
| tags                        |                                                        |
+-----------------------------+--------------------------------------------------------+
```
Pool details
```bash
direa@maascontroller:~$ openstack loadbalancer pool show pool1
+----------------------+--------------------------------------------------------+
| Field                | Value                                                  |
+----------------------+--------------------------------------------------------+
| admin_state_up       | True                                                   |
| created_at           | 2024-10-10T08:38:31                                    |
| description          |                                                        |
| healthmonitor_id     | 4b0a618b-85f4-48b7-b3a0-6f6d9f9176e2                   |
| id                   | 99841ca4-998b-462e-abef-a97533d12eb2                   |
| lb_algorithm         | ROUND_ROBIN                                            |
| listeners            | 0ed41875-8bb0-4f8a-a5c4-0ddb48d3812d                   |
| loadbalancers        | b3abe330-e1f9-4e96-b424-c5834b2734c5                   |
| members              | 53cf0b90-5e18-4260-aa62-2ca13c55289e                   |
|                      | 4e4c570f-8935-44ed-83ad-1ec127def7f3                   |
| name                 | pool1                                                  |
| operating_status     | ONLINE                                                 |
| project_id           | 72faa4515e7843489ac23485dbf46d90                       |
| protocol             | HTTP                                                   |
| provisioning_status  | ERROR                                                  |
| session_persistence  | type=APP_COOKIE                                        |
|                      | cookie_name=PHPSESSIONID                               |
|                      | persistence_timeout=None                               |
|                      | persistence_granularity=None                           |
| updated_at           | 2024-10-11T01:06:19                                    |
| tls_container_ref    | None                                                   |
| ca_tls_container_ref | None                                                   |
| crl_container_ref    | None                                                   |
| tls_enabled          | False                                                  |
| tls_ciphers          | TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:   |
|                      | TLS_AES_128_GCM_SHA256:DHE-RSA-AES256-GCM-SHA384:      |
|                      | DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384: |
|                      | ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:     |
|                      | DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:         |
|                      | ECDHE-RSA-AES128-SHA256                                |
| tls_versions         | None                                                   |
| tags                 |                                                        |
| alpn_protocols       | None                                                   |
+----------------------+--------------------------------------------------------+
```
Member details
```bash
direa@maascontroller:~$ openstack loadbalancer member show pool1 lb-test2
+---------------------+--------------------------------------+
| Field               | Value                                |
+---------------------+--------------------------------------+
| address             | 10.0.0.210                           |
| admin_state_up      | True                                 |
| created_at          | 2024-10-10T08:38:36                  |
| id                  | 53cf0b90-5e18-4260-aa62-2ca13c55289e |
| name                | lb-test2                             |
| operating_status    | ONLINE                               |
| project_id          | 72faa4515e7843489ac23485dbf46d90     |
| protocol_port       | 80                                   |
| provisioning_status | ACTIVE                               |
| subnet_id           | 0e6fc837-d51c-4103-a794-bd989403bb36 |
| updated_at          | 2024-10-10T09:02:50                  |
| weight              | 1                                    |
| monitor_port        | 80                                   |
| monitor_address     | 10.0.0.210                           |
| backup              | False                                |
| tags                |                                      |
+---------------------+--------------------------------------+

# Initially in an error state, but after modifying monitor_port and monitor_address it changes to ACTIVE (cause unknown)
```
healthmonitor details
```bash
direa@maascontroller:~$ openstack loadbalancer healthmonitor show healthmonitor
+---------------------+--------------------------------------+
| Field               | Value                                |
+---------------------+--------------------------------------+
| project_id          | 72faa4515e7843489ac23485dbf46d90     |
| name                | healthmonitor                        |
| admin_state_up      | True                                 |
| pools               | 99841ca4-998b-462e-abef-a97533d12eb2 |
| created_at          | 2024-10-10T09:02:42                  |
| provisioning_status | ACTIVE                               |
| updated_at          | 2024-10-10T09:02:43                  |
| delay               | 5                                    |
| expected_codes      | 200                                  |
| max_retries         | 3                                    |
| http_method         | GET                                  |
| timeout             | 5                                    |
| max_retries_down    | 3                                    |
| url_path            | /healthcheck                         |
| type                | HTTP                                 |
| id                  | 4b0a618b-85f4-48b7-b3a0-6f6d9f9176e2 |
| operating_status    | ONLINE                               |
| http_version        | None                                 |
| domain_name         | None                                 |
| tags                |                                      |
+---------------------+--------------------------------------+
```
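
The certificate generation step earlier on this page produces the files that are handed to `juju config octavia`. The following is an added example (not part of the original page or of the charm) that checks those files first: the issuing CA key decrypts with its passphrase, the controller certificate chains to the controller CA, the key in the bundle matches its certificate, and nothing expires within `MIN_DAYS`. The function names, `MIN_DAYS` and the constructed test certificates are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): pre-flight checks on the files
# from the certificate step, to run before `juju config octavia ...`.
MIN_DAYS="${MIN_DAYS:-14}"   # assumed threshold for "expires too soon"

# preflight_octavia_certs DIR PASSPHRASE -> returns 0 only if every check passes
preflight_octavia_certs() {
    local d="$1" pass="$2" rc=0 f cert_pub key_pub
    # 1. Issuing CA key decrypts with the passphrase handed to the charm.
    #    env: keeps the passphrase out of the openssl process arguments.
    CA_PASS="$pass" openssl pkey -in "$d/issuing_ca_key.pem" \
        -passin env:CA_PASS -noout >/dev/null 2>&1 \
        || { echo "FAIL: issuing_ca_key.pem does not decrypt"; rc=1; }
    # 2. Controller certificate chains to the controller CA.
    openssl verify -CAfile "$d/controller_ca.pem" "$d/controller_cert.pem" >/dev/null 2>&1 \
        || { echo "FAIL: controller_cert.pem not issued by controller_ca.pem"; rc=1; }
    # 3. Key and certificate inside the bundle belong together.
    cert_pub=$(openssl x509 -in "$d/controller_cert_bundle.pem" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$d/controller_cert_bundle.pem" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: bundle key does not match bundle certificate"; rc=1
    fi
    # 4. Nothing expires within MIN_DAYS (req -x509 without -days gives 30 days).
    for f in issuing_ca.pem controller_ca.pem controller_cert.pem; do
        openssl x509 -in "$d/$f" -noout -checkend "$((MIN_DAYS * 86400))" >/dev/null 2>&1 \
            || { echo "FAIL: $f expires within $MIN_DAYS days"; rc=1; }
    done
    return "$rc"
}

# Constructed sample input: throwaway keys and certificates with made-up CNs.
make_constructed_certs() {
    local d="$1"
    openssl genpkey -algorithm RSA -aes256 -pass pass:constructed \
        -out "$d/issuing_ca_key.pem" 2>/dev/null
    openssl req -x509 -new -key "$d/issuing_ca_key.pem" -passin pass:constructed \
        -subj "/CN=constructed-issuing-ca" -days 365 -out "$d/issuing_ca.pem"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/controller_ca_key.pem" \
        -subj "/CN=constructed-controller-ca" -days 365 \
        -out "$d/controller_ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout "$d/controller_key.pem" \
        -subj "/CN=constructed-controller" -out "$d/controller.csr" 2>/dev/null
    openssl x509 -req -in "$d/controller.csr" -CA "$d/controller_ca.pem" \
        -CAkey "$d/controller_ca_key.pem" -CAcreateserial -days 365 \
        -out "$d/controller_cert.pem" 2>/dev/null
    cat "$d/controller_cert.pem" "$d/controller_key.pem" > "$d/controller_cert_bundle.pem"
}
```

Run it in the directory that holds the generated files, for example `preflight_octavia_certs . "$PASSPHRASE"`, and only continue to `juju config octavia` when it returns 0.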