Openstack

Podman-based OpenStack Deployment [1] (Kolla-ansible Bobcat / Cephadm Ceph)

cyuu 2024. 2. 17. 15:53

There are several ways to build OpenStack: deploying onto a K8s environment with the Airship project, TripleO (effectively discontinued...), Red Hat's Operator-based deployment, and others.

Kolla-ansible is also widely used; as a long-established method it is one of the more stable options and has had a lot of thought put into scalability. Moreover, since deploying with Podman instead of the Docker-based setup has recently become possible, Podman's advantages can now be put to use.

This test walks through deploying with Podman, in place of the existing Kolla-ansible Docker deployment, and builds the whole cluster, Ceph included, on Podman without Docker.

Since Podman support was only recently added to Kolla, much may change after this document is written, so treat it as a reference only.

Once the infrastructure deployment is complete, the final goal is to connect Keystone via OpenID Connect to the Keycloak running on the deploy server and set up SSO.

 

The layout is shown below. ens3 is used for the deployment/API network, and the network labelled as the external internet is not actually a segment with outside connectivity; it is a network attached for testing that stands in for the external internet.

After an instance has been given a Floating IP, the actual test is run from the deploy server through its ens5 interface; in a real environment this network would be connected to the public network instead.

For that reason, the Floating IP range in Neutron is allocated to match that network, 10.113.1.0/24.

For Ceph, the network on ens4 is connected on all nodes as the Ceph public network; the cluster is bootstrapped with cephadm from the deploy server and then deployed to each node, and ens5 is used as the replication (cluster) network.

ens5 on the OpenStack nodes is used for the tenant network.

 


Pre-deployment work

The target hosts already have the deploy server's key registered, so once Ansible is installed they can be reached over SSH from the deploy server.

All hosts run Ubuntu 22.04, and the firewall allows all inbound and outbound traffic.

Add an entry to the deploy server's hosts file so that the external domain dev24deploy.cyuucloud.xyz resolves to its internal private IP rather than the public IP.

root@cyyoon-c1-deploy-010:~# cat /etc/hosts
127.0.0.1 localhost
172.21.1.12 cyyoon-c1-ceph-012
172.21.1.11 cyyoon-c1-ceph-011
172.21.1.13 cyyoon-c1-ceph-013
172.21.1.51 cyyoon-c1-openstack-051 # controller
172.21.1.52 cyyoon-c1-openstack-052 # controller 
172.21.1.53 cyyoon-c1-openstack-053 # controller
172.21.1.54 cyyoon-c1-openstack-054 # compute
172.21.1.55 cyyoon-c1-openstack-055 # compute
172.21.1.10 cyyoon-c1-deploy-010  dev24deploy.cyuucloud.xyz ### <----- so that dev24deploy.cyuucloud.xyz resolves to the private address when reached from the deploy server: used for the registry
172.21.1.99 dev24vip.cyuucloud.xyz  ### <--- OpenStack external VIP endpoint FQDN: used for the OpenStack API and Horizon
 
root@cyyoon-c1-deploy-010:~# apt install ansible -y
root@cyyoon-c1-deploy-010:~# cat /etc/ansible/hosts
[all]
cyyoon-c1-ceph-01[1:3]
cyyoon-c1-openstack-05[1:5]
cyyoon-c1-deploy-010  
 
root@cyyoon-c1-deploy-010:~# ansible -m ping all
cyyoon-c1-ceph-011 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python3"
    },
    "changed": false,
    "ping": "pong"
}
cyyoon-c1-ceph-013 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python3"
    },
    "changed": false,
    "ping": "pong"
}
//...
 
root@cyyoon-c1-deploy-010:~# ansible -m shell -ba 'lsb_release -a|grep -i desc' -i /etc/ansible/hosts  all
cyyoon-c1-ceph-012 | CHANGED | rc=0 >>
Description:    Ubuntu 22.04.3 LTSNo LSB modules are available.
cyyoon-c1-ceph-011 | CHANGED | rc=0 >>
Description:    Ubuntu 22.04.3 LTSNo LSB modules are available.
cyyoon-c1-ceph-013 | CHANGED | rc=0 >>
Description:    Ubuntu 22.04.3 LTSNo LSB modules are available.
cyyoon-c1-openstack-052 | CHANGED | rc=0 >>
Description:    Ubuntu 22.04.3 LTSNo LSB modules are available.
cyyoon-c1-openstack-051 | CHANGED | rc=0 >>
Description:    Ubuntu 22.04.3 LTSNo LSB modules are available.
cyyoon-c1-openstack-055 | CHANGED | rc=0 >>
Description:    Ubuntu 22.04.3 LTSNo LSB modules are available.
//...

For deployment convenience a registry is set up. To get Podman 4 or later, register the Kubic repository and install Podman from it. Then edit registries.conf so the registry can be used without registering its certificate, and to change short-name-mode.

root@cyyoon-c1-deploy-010:~#  mkdir -p /etc/apt/keyrings
root@cyyoon-c1-deploy-010:~#  curl -fsSL https://download.opensuse.org/repositories/devel:kubic:libcontainers:unstable/xUbuntu_$(lsb_release -rs)/Release.key \
  | gpg --dearmor \
  | sudo tee /etc/apt/keyrings/devel_kubic_libcontainers_unstable.gpg > /dev/null
echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/devel_kubic_libcontainers_unstable.gpg]\
    https://download.opensuse.org/repositories/devel:kubic:libcontainers:unstable/xUbuntu_$(lsb_release -rs)/ /" \
  | sudo tee /etc/apt/sources.list.d/devel:kubic:libcontainers:unstable.list > /dev/null
root@cyyoon-c1-deploy-010:~#  apt update -qq && apt -qq -y install podman
root@cyyoon-c1-deploy-010:~# podman  version
Client:       Podman Engine
Version:      4.6.2
API Version:  4.6.2
Go Version:   go1.18.1
Built:        Thu Jan  1 00:00:00 1970
OS/Arch:      linux/amd64
root@cyyoon-c1-deploy-010:~# vi  /etc/containers/registries.conf
//...
unqualified-search-registries = ["cyyoon-c1-deploy-010", "docker.io", "quay.io"]
//...
short-name-mode="permissive"
insecure = true
//...

Run the registry with Podman and test logging in. The domain is a personal domain bought separately, and the test uses short-lived free certificates such as those from letsencrypt or zerossl.

Of course, kolla-ansible itself can generate a private certificate for testing, and one can also be generated with the openssl command, so just obtain a certificate in whichever way is convenient.

root@cyyoon-c1-deploy-010:~# mkdir -p /data/registry/data
root@cyyoon-c1-deploy-010:~# mkdir -p /data/registry/config/auth
root@cyyoon-c1-deploy-010:~# podman  run --rm -ti docker.io/xmartlabs/htpasswd:latest cyyoon cyyoon-password >  /data/registry/config/auth/htpasswd
root@cyyoon-c1-deploy-010:~# cat  /data/registry/config/auth/htpasswd
cyyoon:$2y$05$.o7JloR6j.VkYiwfNT617uLF/jzU8ewq6M4gR8fgnJw4ZdclE/hja
root@cyyoon-c1-deploy-010:~# podman  run --name local-docker-registry -d \
--restart=always -p 5000:5000  \
-v  /data/registry/config/auth:/auth  \
-v  /root/ssl/dev24deploy.cyuucloud.xyz:/certs  \
-v /data/registry/data:/var/lib/registry/Docker/registry/v2 \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/certificate.crt   \
-e REGISTRY_HTTP_TLS_KEY=/certs/private.key  \
-e REGISTRY_AUTH=htpasswd  \
-e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm"  \
-e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd  \
registry:2.8.2
42030e94f3356d8cc6041394f681478421ba41c39c67bf3545741345bdabad2b
 root@cyyoon-c1-deploy-010:~# podman  ps
CONTAINER ID  IMAGE                             COMMAND               CREATED         STATUS         PORTS                   NAMES
f0ef8476dadd  docker.io/library/registry:2.8.2  /etc/docker/regis...  20 seconds ago  Up 20 seconds  0.0.0.0:5000->5000/tcp  local-docker-registry 
 
 
## For the curl TLS test, update the CA certificates on this server first and then test with curl.
root@cyyoon-c1-deploy-010:~# apt-get upgrade ca-certificates&&  update-ca-certificates
root@cyyoon-c1-deploy-010:~# curl -u "cyyoon:cyyoon-password" https://dev24deploy.cyuucloud.xyz:5000/v2/_catalog
{"repositories":[]}
 
 root@cyyoon-c1-deploy-010:~# mkdir -p   ~/.config/containers/
 root@cyyoon-c1-deploy-010:~# podman login    --authfile ~/.config/containers/auth.json dev24deploy.cyuucloud.xyz:5000
Username: cyyoon
Password:
Login Succeeded!
root@cyyoon-c1-deploy-010:~/ssl/dev24deploy.cyuucloud.xyz# cat  ~/.config/containers/auth.json
{
        "auths": {
                "dev24deploy.cyuucloud.xyz:5000": {
                        "auth": "Y3l5b29uOmN5eW9vbi1wYXNzd29yZA=="
                }
        }
}

Using Skopeo, test copying a container image into the registry just created.

root@cyyoon-c1-deploy-010:~# podman run --rm --security-opt seccomp=unconfined --net host quay.io/skopeo/stable copy --dest-tls-verify=false \
 --dest-creds cyyoon:cyyoon-password \
  docker://quay.io/openstack.kolla/prometheus-libvirt-exporter:2023.2-ubuntu-jammy \
  docker://dev24deploy.cyuucloud.xyz:5000/openstack.kolla/prometheus-libvirt-exporter:2023.2-ubuntu-jammy
 //...
 Getting image source signatures
Copying blob sha256:df2fac849a4581b035132d99e203fd83dc65590ea565435a266cb0e14a508838
Copying blob sha256:4aa22da760be3229029adbd1459d59b17a69d549bef2650317706b428692378a
//...
root@cyyoon-c1-deploy-010:~#  curl -u "cyyoon:cyyoon-password" https://dev24deploy.cyuucloud.xyz:5000/v2/_catalog
{"repositories":["openstack.kolla/prometheus-libvirt-exporter"]}
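As an added check (not from the original post), the script below parses the two files touched above, registries.conf and auth.json, and reports every registry that has a stored login but also insecure = true, since with TLS verification off the htpasswd credentials go to whichever host answers for that name. The file contents are constructed samples shaped like the ones in the post.

```python
import base64
import json
import re

# Constructed sample modelled on the registries.conf edits shown in the post.
REGISTRIES_CONF = '''
unqualified-search-registries = ["cyyoon-c1-deploy-010", "docker.io", "quay.io"]
short-name-mode="permissive"

[[registry]]
insecure = true
location = "dev24deploy.cyuucloud.xyz:5000"

[[registry]]
location = "quay.io"
'''

# Constructed sample in the shape of ~/.config/containers/auth.json; the
# "auth" field is base64(user:password), exactly what podman login stores.
AUTH_JSON = json.dumps({
    "auths": {
        "dev24deploy.cyuucloud.xyz:5000": {
            "auth": base64.b64encode(b"cyyoon:cyyoon-password").decode(),
        },
        "quay.io": {"auth": base64.b64encode(b"bob:quay-token").decode()},
    }
})

_KV = re.compile(r'^([A-Za-z0-9_-]+)\s*=\s*(.+?)\s*$')


def parse_registries_conf(text):
    """Return {location: table} for every [[registry]] table in the file.

    Only the subset of registries.conf used in the post is understood:
    flat key = value lines inside [[registry]] tables."""
    registries, current = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        if line == '[[registry]]':
            current = {}
            continue
        if line.startswith('['):        # any other table ends the current one
            current = None
            continue
        m = _KV.match(line)
        if not m or current is None:    # top-level keys are not needed here
            continue
        key, value = m.group(1), m.group(2)
        current[key] = (value == 'true') if value in ('true', 'false') else value.strip('"')
        if key == 'location':
            registries[current[key]] = current
    return registries


def parse_auth_json(text):
    """Return {registry: username} decoded from the base64 "auth" entries."""
    creds = {}
    for registry, entry in json.loads(text).get('auths', {}).items():
        user_pass = base64.b64decode(entry['auth']).decode()
        creds[registry] = user_pass.split(':', 1)[0]
    return creds


def credentials_over_insecure(registries_conf, auth_json):
    """Registries whose stored login is used without TLS verification.

    With insecure = true Podman accepts any certificate (or plain HTTP), so
    the htpasswd credentials in auth.json can be captured by whoever can
    redirect the connection to that host name."""
    registries = parse_registries_conf(registries_conf)
    return sorted(
        (registry, user)
        for registry, user in parse_auth_json(auth_json).items()
        if registries.get(registry, {}).get('insecure', False)
    )


if __name__ == '__main__':
    for registry, user in credentials_over_insecure(REGISTRIES_CONF, AUTH_JSON):
        print(f'{registry}: login for "{user}" stored, but insecure = true is set')
```

Once the registry's CA is trusted on the node, as done above with update-ca-certificates for curl, the insecure = true entry and --dest-tls-verify=false are no longer needed and the finding disappears.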

Because dependency conflicts between the various Python packages can arise during deployment, install pip and set up a virtualenv.

root@cyyoon-c1-deploy-010:~/test# apt install python3-pip -y
root@cyyoon-c1-deploy-010:~/test# pip3 install virtualenv
root@cyyoon-c1-deploy-010:~/test# virtualenv  /home/cy-deploy-env/
created virtual environment CPython3.10.12.final.0-64 in 416ms
  creator CPython3Posix(dest=/home/cy-deploy-env, clear=False, no_vcs_ignore=False, global=False)
  seeder FromAppData(download=False, pip=bundle, setuptools=bundle, wheel=bundle, via=copy, app_data_dir=/root/.local/share/virtualenv)
    added seed packages: pip==23.3.1, setuptools==69.0.2, wheel==0.42.0
  activators BashActivator,CShellActivator,FishActivator,NushellActivator,PowerShellActivator,PythonActivator
root@cyyoon-c1-deploy-010:~/test# source  /home/cy-deploy-env/bin/activate
(cy-deploy-env) root@cyyoon-c1-deploy-010:~/test# which python
/home/cy-deploy-env/bin/python

 


Cephadm Ceph Cluster (v18.2.1 Reef)

The container image used for the Ceph deployment is pushed to the registry in advance with Skopeo.

root@cyyoon-c1-deploy-010:~#  podman run --rm --security-opt seccomp=unconfined --net host quay.io/skopeo/stable copy \
 --dest-tls-verify=false --dest-creds cyyoon:cyyoon-password \
  docker://quay.io/ceph/ceph:v18.2.1-20240118 \
  docker://dev24deploy.cyuucloud.xyz:5000/ceph/ceph:v18.2.1-20240118
 
root@cyyoon-c1-deploy-010:~#  curl -u "cyyoon:cyyoon-password" https://dev24deploy.cyuucloud.xyz:5000/v2/_catalog
{"repositories":["ceph/ceph"]}

Now that the ceph-ansible installation tool is no longer provided, Ceph cluster deployment comes down to two methods: Cephadm and the Rook operator (https://docs.ceph.com/en/reef/install/).

The approach recommended in the official documentation is to install the cephadm package shipped upstream and then update it to Reef (18.2). Install cephadm that way. (https://docs.ceph.com/en/reef/cephadm/install/#update-cephadm)

(cy-deploy-env) root@cyyoon-c1-deploy-010:/home# apt install cephadm -y
//...
(cy-deploy-env) root@cyyoon-c1-deploy-010:/home# cephadm version
ceph version 17.2.7 (b12291d110049b2f35e32e0de30d70e9a4c060d2) quincy (stable)
 
(cy-deploy-env) root@cyyoon-c1-deploy-010:/home# cephadm add-repo --release reef
Installing repo GPG key from https://download.ceph.com/keys/release.gpg...
Installing repo file at /etc/apt/sources.list.d/ceph.list...
Updating package list...
Completed adding repo.
(cy-deploy-env) root@cyyoon-c1-deploy-010:/home# cephadm install
Installing packages ['cephadm']...
(cy-deploy-env) root@cyyoon-c1-deploy-010:/home# which cephadm
/usr/sbin/cephadm
 
root@cyyoon-c1-deploy-010:/home/cephadm# cephadm --image dev24deploy.cyuucloud.xyz:5000/ceph/ceph:v18.2.1-20240118 version
cephadm version 18.2.1 (7fe91d5d5842e04be3b4f514d6dd990c54b29c76) reef (stable)

 

Before deploying, configure chrony for time synchronization.

root@cyyoon-c1-deploy-010:~# cat /etc/ansible/hosts
[ceph]
cyyoon-c1-ceph-01[1:3]
cyyoon-c1-deploy-010
 
root@cyyoon-c1-deploy-010:~# ansible -m shell -ba 'apt install chrony -y ' ceph
root@cyyoon-c1-deploy-010:~# ansible -m shell -ba 'systemctl enable --now chrony' ceph
root@cyyoon-c1-deploy-010:~# ansible -m shell -ba 'chronyc  sources' ceph
cyyoon-c1-ceph-012 | CHANGED | rc=0 >>
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^- prod-ntp-3.ntp1.ps5.cano>     2   6    77    64   +532us[ +532us] +/-  127ms
^- prod-ntp-4.ntp1.ps5.cano>     2   6   177     1   -705us[ -705us] +/-  127ms
^- prod-ntp-5.ntp1.ps5.cano>     2   6    77    64  +4124us[+4124us] +/-  134ms
^- alphyn.canonical.com          2   6    77    64  -1744us[-1623us] +/-  120ms
^- 106.247.248.106               2   6   177     0   +482us[ +482us] +/-   26ms
^- ntp-seoul.gombadi.com         2   6   237     3    -49ms[  -49ms] +/-  134ms
^* 193.123.243.2                 2   6   177     5  +2386ns[+2169ns] +/- 4632us
^- 121.174.142.82                3   6   177     7  +1539us[+1539us] +/-   42ms
cyyoon-c1-ceph-011 | CHANGED | rc=0 >>
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^- prod-ntp-4.ntp1.ps5.cano>     2   6   177    16    +25us[  +25us] +/-  127ms
^- prod-ntp-5.ntp4.ps5.cano>     2   6   177    15   -164us[ -164us] +/-  137ms
^- prod-ntp-3.ntp4.ps5.cano>     2   6   177    15  +3274us[+3274us] +/-  130ms
^- alphyn.canonical.com          2   6   177    16   +432us[ +432us] +/-  122ms

Copy the hosts file to each node.

root@cyyoon-c1-deploy-010:/home/cephadm# cat /etc/hosts
127.0.0.1 localhost
172.21.1.12 cyyoon-c1-ceph-012
172.21.1.11 cyyoon-c1-ceph-011
172.21.1.13 cyyoon-c1-ceph-013
172.21.1.51 cyyoon-c1-openstack-051
172.21.1.52 cyyoon-c1-openstack-052
172.21.1.53 cyyoon-c1-openstack-053
172.21.1.54 cyyoon-c1-openstack-054
172.21.1.55 cyyoon-c1-openstack-055
//...
root@cyyoon-c1-deploy-010:/home/cephadm# ansible -m copy -ba 'src=/etc/hosts dest=/etc/hosts' ceph

Install Podman on each of the ceph-011 to ceph-013 nodes used for the Ceph deployment.

# ceph-011
root@cyyoon-c1-ceph-011:~# mkdir -p /etc/apt/keyrings
root@cyyoon-c1-ceph-011:~# curl -fsSL https://download.opensuse.org/repositories/devel:kubic:libcontainers:unstable/xUbuntu_$(lsb_release -rs)/Release.key \
  | gpg --dearmor \
  | sudo tee /etc/apt/keyrings/devel_kubic_libcontainers_unstable.gpg > /dev/null
echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/devel_kubic_libcontainers_unstable.gpg]\
    https://download.opensuse.org/repositories/devel:kubic:libcontainers:unstable/xUbuntu_$(lsb_release -rs)/ /" \
  | sudo tee /etc/apt/sources.list.d/devel:kubic:libcontainers:unstable.list > /dev/null
root@cyyoon-c1-ceph-011:~# apt update -qq && apt -qq -y install podman
root@cyyoon-c1-ceph-011:~# podman  version  | grep -i ^version
Version:      4.6.2
root@cyyoon-c1-ceph-011:~# cat /etc/containers/registries.conf
//.. added
[[registry]]
insecure = true
location = "dev24deploy.cyuucloud.xyz:5000"
root@cyyoon-c1-ceph-011:~# podman login dev24deploy.cyuucloud.xyz:5000
Username: cyyoon
Password:
Login Succeeded!
root@cyyoon-c1-ceph-011:~# podman pull dev24deploy.cyuucloud.xyz:5000/ceph/ceph:v18.2.1-20240118
Trying to pull dev24deploy.cyuucloud.xyz:5000/ceph/ceph:v18.2.1-20240118...
 
# ceph-012
root@cyyoon-c1-ceph-012:~#  mkdir -p /etc/apt/keyrings
root@cyyoon-c1-ceph-012:~# curl -fsSL https://download.opensuse.org/repositories/devel:kubic:libcontainers:unstable/xUbuntu_$(lsb_release -rs)/Release.key \
  | gpg --dearmor \
  | sudo tee /etc/apt/keyrings/devel_kubic_libcontainers_unstable.gpg > /dev/null
echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/devel_kubic_libcontainers_unstable.gpg]\
    https://download.opensuse.org/repositories/devel:kubic:libcontainers:unstable/xUbuntu_$(lsb_release -rs)/ /" \
  | sudo tee /etc/apt/sources.list.d/devel:kubic:libcontainers:unstable.list > /dev/null
root@cyyoon-c1-ceph-012:~#   apt update -qq && apt -qq -y install podman
root@cyyoon-c1-ceph-012:~# podman version | grep -i ^version
Version:      4.6.2
root@cyyoon-c1-ceph-012:~# cat /etc/containers/registries.conf
//.. added
[[registry]]
insecure = true
location = "dev24deploy.cyuucloud.xyz:5000"
root@cyyoon-c1-ceph-012:~# podman login dev24deploy.cyuucloud.xyz:5000
Username: cyyoon
Password:
Login Succeeded!
root@cyyoon-c1-ceph-012:~# podman pull dev24deploy.cyuucloud.xyz:5000/ceph/ceph:v18.2.1-20240118
 
# ceph-013
root@cyyoon-c1-ceph-013:~# mkdir -p /etc/apt/keyrings
root@cyyoon-c1-ceph-013:~# curl -fsSL https://download.opensuse.org/repositories/devel:kubic:libcontainers:unstable/xUbuntu_$(lsb_release -rs)/Release.key \
  | gpg --dearmor \
  | sudo tee /etc/apt/keyrings/devel_kubic_libcontainers_unstable.gpg > /dev/null
echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/devel_kubic_libcontainers_unstable.gpg]\
    https://download.opensuse.org/repositories/devel:kubic:libcontainers:unstable/xUbuntu_$(lsb_release -rs)/ /" \
  | sudo tee /etc/apt/sources.list.d/devel:kubic:libcontainers:unstable.list > /dev/null
root@cyyoon-c1-ceph-013:~# apt update -qq && apt -qq -y install podman
root@cyyoon-c1-ceph-013:~# podman version | grep -i ^version
Version:      4.6.2
root@cyyoon-c1-ceph-013:~# cat /etc/containers/registries.conf
//.. added
[[registry]]
insecure = true
location = "dev24deploy.cyuucloud.xyz:5000"
root@cyyoon-c1-ceph-013:~# podman  login dev24deploy.cyuucloud.xyz:5000
Username: cyyoon
Password:
Login Succeeded!
root@cyyoon-c1-ceph-013:~# podman  pull dev24deploy.cyuucloud.xyz:5000/ceph/ceph:v18.2.1-20240118

In a real production environment many Ceph settings are applied from the start, so create an initial Ceph configuration file as below so that it is loaded automatically into the Ceph mgr config database.

root@cyyoon-c1-deploy-010:~# cd /home/cephadm/
root@cyyoon-c1-deploy-010:/home/cephadm# cat initial-ceph.conf
[global]
debug asok = 0/0
debug auth = 0/0
debug bdev = 0/0
debug bluefs = 0/0
debug bluestore = 0/0
debug buffer = 0/0
debug civetweb = 0/0
debug client = 0/0
debug compressor = 0/0
debug context = 0/0
debug crush = 0/0
 
[osd]
osd_min_pg_log_entries = 10
osd_max_pg_log_entries =10

Placement of OSDs, MONs and so on for the deployment is driven by a spec file.

root@cyyoon-c1-deploy-010:/home/cephadm# cat cluster-spec.yaml
service_type: host
addr: 172.21.1.10
hostname: cyyoon-c1-deploy-010
---
service_type: host
addr: 172.21.1.11
hostname: cyyoon-c1-ceph-011
location:
  root: default
  datacenter: DC1
  rack: rack-a
labels:
  - osd
  - mon
  - mgr
---
service_type: host
addr: 172.21.1.12
hostname: cyyoon-c1-ceph-012
location:
  root: default
  datacenter: DC1
  rack: rack-b
labels:
  - osd
  - mon
  - mgr
---
service_type: host
addr: 172.21.1.13
hostname: cyyoon-c1-ceph-013
location:
  root: default
  datacenter: DC1
  rack: rack-c
labels:
  - osd
  - mon
  - mgr
---
service_type: mon
placement:
  hosts:
    - cyyoon-c1-ceph-011
    - cyyoon-c1-ceph-012
    - cyyoon-c1-ceph-013
---
service_type: mgr
placement:
  hosts:
    - cyyoon-c1-ceph-011
    - cyyoon-c1-ceph-012
    - cyyoon-c1-ceph-013
---
service_type: osd
service_id: cyyoon_osd
placement:
  hosts:
    - cyyoon-c1-ceph-011
    - cyyoon-c1-ceph-012
    - cyyoon-c1-ceph-013
spec:
  data_devices:
    paths:
      - /dev/sdb

The credentials each node uses to reach the registry are handled for the deployment through a separate registry.json.

root@cyyoon-c1-deploy-010:/home/cephadm# cat registry.json
{
  "url": "dev24deploy.cyuucloud.xyz:5000",
  "username": "cyyoon",
  "password": "cyyoon-password"
}

Now bootstrap using this information. As the command shows, the 10.111.2.0 range is used as the cluster network, and the monitor network is taken from the IP of the node running the bootstrap, so the cluster is deployed with that IP's range as its monitor network.

root@cyyoon-c1-deploy-010:/home/cephadm# cephadm   --image dev24deploy.cyuucloud.xyz:5000/ceph/ceph:v18.2.1-20240118   \
 bootstrap  --ssh-user=root  --mon-ip=10.111.1.10  --cluster-network=10.112.1.0/24  --registry-json registry.json \
   --config initial-ceph.conf \
   --apply-spec=cluster-spec.yaml  \
   --initial-dashboard-user=admin --initial-dashboard-password=password  --skip-monitoring-stack
//...  
Saving cluster configuration to /var/lib/ceph/94aac626-b80d-11ee-963c-8d6b99fb8b9d/config directory
Enabling autotune for osd_memory_target
You can access the Ceph CLI as following in case of multi-cluster or non-default config:
 
        sudo /usr/sbin/cephadm shell --fsid 94aac626-b80d-11ee-963c-8d6b99fb8b9d -c /etc/ceph/ceph.conf -k /etc/ceph/ceph.client.admin.keyring
 
Or, if you are only running a single cluster on this host:
 
        sudo /usr/sbin/cephadm shell
 
Please consider enabling telemetry to help improve Ceph:
 
        ceph telemetry on
 
For more information see:
 
        https://docs.ceph.com/en/latest/mgr/telemetry/
 
Bootstrap complete.

When the bootstrap command finishes it prints the command line, including the fsid, for entering a shell with cephadm. Enter the shell with that command. After some time has passed, the state of the deployment can be checked with ceph orch.

root@cyyoon-c1-deploy-010:/home/cephadm# sudo /usr/sbin/cephadm shell --fsid 94aac626-b80d-11ee-963c-8d6b99fb8b9d -c /etc/ceph/ceph.conf -k /etc/ceph/ceph.client.admin.keyring
root@cyyoon-c1-deploy-010:/# ceph -s
  cluster:
    id:     94aac626-b80d-11ee-963c-8d6b99fb8b9d
    health: HEALTH_OK
 
  services:
    mon: 3 daemons, quorum cyyoon-c1-ceph-013,cyyoon-c1-ceph-012,cyyoon-c1-ceph-011 (age 50s)
    mgr: cyyoon-c1-deploy-010.ftnoav(active, since 2m), standbys: cyyoon-c1-ceph-013.hsikld, cyyoon-c1-ceph-011.ntghis, cyyoon-c1-ceph-012.lwfgzn
    osd: 3 osds: 3 up (since 9s), 3 in (since 49s)
 
  data:
    pools:   1 pools, 1 pgs
    objects: 2 objects, 257 KiB
    usage:   79 MiB used, 195 GiB / 195 GiB avail
    pgs:     1 active+clean
 
root@cyyoon-c1-deploy-010:/# ceph osd df tree
ID  CLASS  WEIGHT   REWEIGHT  SIZE     RAW USE  DATA     OMAP  META    AVAIL    %USE  VAR   PGS  STATUS  TYPE NAME
-1         0.19048         -  195 GiB   81 MiB  2.1 MiB   0 B  78 MiB  195 GiB  0.04  1.00    -          root default
-4         0.19048         -  195 GiB   81 MiB  2.1 MiB   0 B  78 MiB  195 GiB  0.04  1.00    -              datacenter DC1
-3         0.06349         -   65 GiB   27 MiB  732 KiB   0 B  26 MiB   65 GiB  0.04  1.01    -                  rack rack-a
-2         0.06349         -   65 GiB   27 MiB  732 KiB   0 B  26 MiB   65 GiB  0.04  1.01    -                      host cyyoon-c1-ceph-011
 1    hdd  0.06349   1.00000   65 GiB   27 MiB  732 KiB   0 B  26 MiB   65 GiB  0.04  1.01    1      up                  osd.1
-6         0.06349         -   65 GiB   27 MiB  732 KiB   0 B  26 MiB   65 GiB  0.04  1.00    -                  rack rack-b
-5         0.06349         -   65 GiB   27 MiB  732 KiB   0 B  26 MiB   65 GiB  0.04  1.00    -                      host cyyoon-c1-ceph-012
 0    hdd  0.06349   1.00000   65 GiB   27 MiB  732 KiB   0 B  26 MiB   65 GiB  0.04  1.00    1      up                  osd.0
-8         0.06349         -   65 GiB   27 MiB  732 KiB   0 B  26 MiB   65 GiB  0.04  1.00    -                  rack rack-c
-7         0.06349         -   65 GiB   27 MiB  732 KiB   0 B  26 MiB   65 GiB  0.04  1.00    -                      host cyyoon-c1-ceph-013
 2    hdd  0.06349   1.00000   65 GiB   27 MiB  732 KiB   0 B  26 MiB   65 GiB  0.04  1.00    1      up                  osd.2
                       TOTAL  195 GiB   81 MiB  2.1 MiB   0 B  78 MiB  195 GiB  0.04
MIN/MAX VAR: 1.00/1.01  STDDEV: 0
root@cyyoon-c1-deploy-010:/# ceph orch ls
NAME             PORTS  RUNNING  REFRESHED  AGE  PLACEMENT
crash                       4/4  39s ago    3m   *
mgr                         4/3  39s ago    2m   cyyoon-c1-ceph-011;cyyoon-c1-ceph-012;cyyoon-c1-ceph-013
mon                         3/3  39s ago    2m   cyyoon-c1-ceph-011;cyyoon-c1-ceph-012;cyyoon-c1-ceph-013
osd.service_osd               3  39s ago    2m   cyyoon-c1-ceph-011;cyyoon-c1-ceph-012;cyyoon-c1-ceph-013
root@cyyoon-c1-deploy-010:/# ceph orch ps
NAME                             HOST                  PORTS        STATUS          REFRESHED   AGE  MEM USE  MEM LIM  VERSION  IMAGE ID      CONTAINER ID
crash.cyyoon-c1-ceph-011         cyyoon-c1-ceph-011                 running (99s)      2s ago   98s    6656k        -  18.2.1   7f099bcd7014  b1aa816057f1
crash.cyyoon-c1-ceph-012         cyyoon-c1-ceph-012                 running (102s)     2s ago  101s    6656k        -  18.2.1   7f099bcd7014  d527178bf9b8
crash.cyyoon-c1-ceph-013         cyyoon-c1-ceph-013                 running (105s)     2s ago  105s    6665k        -  18.2.1   7f099bcd7014  f05b153ccab7
crash.cyyoon-c1-deploy-010       cyyoon-c1-deploy-010               running (2m)       1s ago    2m    6656k        -  18.2.1   7f099bcd7014  53e526c44daa
mgr.cyyoon-c1-ceph-011.ntghis    cyyoon-c1-ceph-011    *:8443,8765  running (93s)      2s ago   92s     438M        -  18.2.1   7f099bcd7014  328f0cd1a815
mgr.cyyoon-c1-ceph-012.lwfgzn    cyyoon-c1-ceph-012    *:8443,8765  running (90s)      2s ago   90s     438M        -  18.2.1   7f099bcd7014  2102bcd87efd
mgr.cyyoon-c1-ceph-013.hsikld    cyyoon-c1-ceph-013    *:8443,8765  running (96s)      2s ago   96s     437M        -  18.2.1   7f099bcd7014  905a72d8df4f
mgr.cyyoon-c1-deploy-010.ftnoav  cyyoon-c1-deploy-010  *:9283,8765  running (4m)       1s ago    4m     488M        -  18.2.1   7f099bcd7014  7e17dfc4571c
mon.cyyoon-c1-ceph-011           cyyoon-c1-ceph-011                 running (77s)      2s ago   76s    29.0M    2048M  18.2.1   7f099bcd7014  50ff23032031
mon.cyyoon-c1-ceph-012           cyyoon-c1-ceph-012                 running (83s)      2s ago   83s    29.4M    2048M  18.2.1   7f099bcd7014  5e32b2929a38
mon.cyyoon-c1-ceph-013           cyyoon-c1-ceph-013                 running (87s)      2s ago   86s    38.0M    2048M  18.2.1   7f099bcd7014  818083dbffc7
osd.0                            cyyoon-c1-ceph-012                 running (49s)      2s ago   48s    53.5M    4096M  18.2.1   7f099bcd7014  9f59a19cd76e
osd.1                            cyyoon-c1-ceph-011                 running (48s)      2s ago   48s    54.1M    4096M  18.2.1   7f099bcd7014  54d0aee3f52d
osd.2                            cyyoon-c1-ceph-013                 running (49s)      2s ago   48s    52.1M    4096M  18.2.1   7f099bcd7014  78ad78032c07

Build Kolla Container Images

As of January 2024, when this was tested, the Bobcat release of the Kolla project has added the option of using Podman for container builds.

( https://docs.openstack.org/kolla/latest/admin/image-building.html)

Because Podman runs daemon-less, which is one of its advantages, the socket Kolla needs for the container API connection during a build has to be started separately. So run "systemctl enable --now podman.socket" as below so that the build and push are carried out through Podman.

(cy-deploy-env) root@cyyoon-c1-deploy-010:/home# pip install git+https://github.com/openstack/kolla.git@stable/2023.2
Collecting git+https://github.com/openstack/kolla.git@stable/2023.2
  Cloning https://github.com/openstack/kolla.git (to revision stable/2023.2) to /tmp/pip-req-build-l0x9yo81
  Running command git clone --filter=blob:none --quiet https://github.com/openstack/kolla.git /tmp/pip-req-build-l0x9yo81
  Running command git checkout -b stable/2023.2 --track origin/stable/2023.2
  Switched to a new branch 'stable/2023.2'
(cy-deploy-env) root@cyyoon-c1-deploy-010:/home# python3 -m pip install podman
(cy-deploy-env) root@cyyoon-c1-deploy-010:/home#  systemctl  enable --now podman.socket
Created symlink /etc/systemd/system/sockets.target.wants/podman.socket → /lib/systemd/system/podman.socket.

 

kolla-build has profiles configured by default, so if desired a custom profile makes it easy to choose which Kolla container images are built.

In config.py below you can see the components built by the default profile used in this test.

(cy-deploy-env) root@cyyoon-c1-deploy-010:/home# cat /home/cy-deploy-env/lib/python3.10/site-packages/kolla/common/config.py
//...
    cfg.ListOpt('default',
                default=[
                    'cron',
                    'kolla-toolbox',
                    'fluentd',
                    'glance',
                    'haproxy',
                    'heat',
                    'horizon',
                    'keepalived',
                    'keystone',
                    'mariadb',
                    'memcached',
                    'neutron',
                    'nova-',
                    'placement',
                    'proxysql',
                    'openvswitch',
                    'rabbitmq',
                ],
                help='Default images'),
//...

Build the components listed in the default profile, build Cinder in addition, and have the images pushed to the registry automatically. When everything has finished, check the images registered in the registry.

 

Deploy Openstack (Kolla-ansible) 

- Deployment preparation

Following the https://docs.openstack.org/kolla-ansible/latest/user/quickstart.html document, install kolla-ansible and its related packages on the deploy node and copy the default configuration.

(cy-deploy-env) root@cyyoon-c1-deploy-010:~# sudo apt install git python3-dev libffi-dev gcc libssl-dev
(cy-deploy-env) root@cyyoon-c1-deploy-010:~# pip install git+https://github.com/openstack/kolla-ansible.git@stable/2023.2
(cy-deploy-env) root@cyyoon-c1-deploy-010:~# pip install 'ansible-core>=2.14,<2.16'
(cy-deploy-env) root@cyyoon-c1-deploy-010:~# kolla-ansible --version
17.0.1
(cy-deploy-env) root@cyyoon-c1-deploy-010:~# sudo mkdir -p /etc/kolla && sudo chown $USER:$USER /etc/kolla
(cy-deploy-env) root@cyyoon-c1-deploy-010:~# cp -r /home/cy-deploy-env/share/kolla-ansible/etc_examples/kolla/* /etc/kolla
(cy-deploy-env) root@cyyoon-c1-deploy-010:~# cp /home/cy-deploy-env/share/kolla-ansible/ansible/inventory/multinode  /etc/kolla/
 (cy-deploy-env) root@cyyoon-c1-deploy-010:~# kolla-ansible install-deps
Installing Ansible Galaxy dependencies
//...

Use kolla-genpwd to generate every password automatically except the ones that need to be set or chosen. In this test only the "docker_registry_password" variable, set to the password used when the registry was created, and the Keystone admin password are set. Enter those values in the copied file as below, and kolla-genpwd then generates passwords for every variable that has no value.

(cy-deploy-env) root@cyyoon-c1-deploy-010:~# cat /etc/kolla/passwords.yml | grep cyyoon
docker_registry_password: cyyoon-password
keystone_admin_password: cyyoon-password
 
(cy-deploy-env) root@cyyoon-c1-deploy-010:~# kolla-genpwd
WARNING: Passwords file "/etc/kolla/passwords.yml" is world-readable. The permissions will be changed.
 
(cy-deploy-env) root@cyyoon-c1-deploy-010:~# tail -n 5 /etc/kolla/passwords.yml
vmware_vcenter_host_password: QTvhgMqLzbkN1HTdUzWpE5HVBRJ6DvwJcobmBqCB
watcher_database_password: ZyJm7Z4yjn3W9dyJYILEEfF7v84My6RB3tuuDpoL
watcher_keystone_password: vndmbF9fdZm5idkMRThwAzLGm2ZND6EmeCxZa1XB
zun_database_password: mr4zmkQrnHYP0Q8APwiUZt5eN5VcgGl4NU0YnpQq
zun_keystone_password: hNWVUSQg3TWzPKFaoPYuVPsVqjIQJdTZ63GMdvuw
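Added example (not kolla's own tooling) that checks a passwords.yml like the one above: values still empty and waiting for kolla-genpwd, the same value reused by several services, short values, and the world-readable mode kolla-genpwd warned about. The sample file is a constructed excerpt; only the two hand-set values and the two generated values from the post are real.

```python
import os
import re
import stat

# Constructed excerpt in the shape of /etc/kolla/passwords.yml after the manual
# edits in the post but before kolla-genpwd has filled in the remaining values.
SAMPLE_PASSWORDS_YML = """\
###################
# Docker options
###################
docker_registry_password: cyyoon-password
keystone_admin_password: cyyoon-password
database_password:
rabbitmq_password:
watcher_database_password: ZyJm7Z4yjn3W9dyJYILEEfF7v84My6RB3tuuDpoL
zun_keystone_password: hNWVUSQg3TWzPKFaoPYuVPsVqjIQJdTZ63GMdvuw
"""

_LINE = re.compile(r'^([A-Za-z0-9_]+):\s*(.*?)\s*$')


def parse_passwords_yml(text):
    """Return {name: value} for the flat `key: value` lines in passwords.yml.

    Keys with no value (the ones kolla-genpwd will fill in) map to ''.
    Indented lines, i.e. nested structures such as the ssh key pairs, are
    skipped because they are not single secrets."""
    result = {}
    for line in text.splitlines():
        if not line or line[0] in '# ':
            continue
        m = _LINE.match(line)
        if m:
            result[m.group(1)] = m.group(2).strip('"\'')
    return result


def audit_passwords(passwords, min_length=20):
    """Return sorted findings: empty values, values reused across services,
    and values shorter than min_length (the generated values in the post
    are 40 characters)."""
    findings, by_value = [], {}
    for name, value in passwords.items():
        if value == '':
            findings.append(f'{name}: empty (kolla-genpwd will generate it)')
            continue
        if len(value) < min_length:
            findings.append(f'{name}: shorter than {min_length} characters')
        by_value.setdefault(value, []).append(name)
    for names in by_value.values():
        if len(names) > 1:
            # One leaked service credential would then unlock the other.
            findings.append('same value reused by ' + ', '.join(sorted(names)))
    return sorted(findings)


def mode_is_world_readable(mode):
    """True when the file mode grants read access to "others", the condition
    kolla-genpwd warns about in the post before tightening the permissions."""
    return bool(mode & stat.S_IROTH)


def passwords_file_is_world_readable(path):
    return mode_is_world_readable(os.stat(path).st_mode)


if __name__ == '__main__':
    for finding in audit_passwords(parse_passwords_yml(SAMPLE_PASSWORDS_YML)):
        print(finding)
```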

The inventory file used for deployment is the multinode file, modified so that openstack-051 to 053 act as controller nodes and also take the network node role, while openstack-054 and 055 act as compute nodes.

(cy-deploy-env) root@cyyoon-c1-deploy-010:~# head -n 30 /etc/kolla/multinode
# These initial groups are the only groups required to be modified. The
# additional groups are for more control of the environment.
[control]
# These hostname must be resolvable from your deployment host
cyyoon-c1-openstack-05[1:3]
# The above can also be specified as follows:
#control[01:03]     ansible_user=kolla
 
# The network nodes are where your l3-agent and loadbalancers will run
# This can be the same as a host in the control group
[network]
cyyoon-c1-openstack-05[1:3]
[compute]
cyyoon-c1-openstack-05[4:5]
[monitoring]
cyyoon-c1-openstack-05[1:3]
 
# When compute nodes and control nodes use different interfaces,
# you need to comment out "api_interface" and other interfaces from the globals.yml
# and specify like below:
#compute01 neutron_external_interface=eth0 api_interface=em1 tunnel_interface=em1
 
[storage]
cyyoon-c1-openstack-05[1:3]
 
[deployment]
localhost       ansible_connection=local
 
[baremetal:children]
control //...
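Added example (not from the post or kolla-ansible): expand the range patterns in the inventory above and confirm that every host has an /etc/hosts entry on the deploy server, which the inventory's own comment requires. Both inputs are constructed from the excerpts in the post, with openstack-055 left out of the hosts file so the check has something to report.

```python
import re

# Constructed /etc/hosts in the shape of the one in the post; openstack-055 is
# deliberately missing so the check reports a gap.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
172.21.1.11 cyyoon-c1-ceph-011
172.21.1.12 cyyoon-c1-ceph-012
172.21.1.13 cyyoon-c1-ceph-013
172.21.1.51 cyyoon-c1-openstack-051 # controller
172.21.1.52 cyyoon-c1-openstack-052 # controller
172.21.1.53 cyyoon-c1-openstack-053 # controller
172.21.1.54 cyyoon-c1-openstack-054 # compute
172.21.1.10 cyyoon-c1-deploy-010  dev24deploy.cyuucloud.xyz
"""

# Constructed excerpt of the multinode inventory from the post.
SAMPLE_INVENTORY = """\
[control]
# These hostname must be resolvable from your deployment host
cyyoon-c1-openstack-05[1:3]
[network]
cyyoon-c1-openstack-05[1:3]
[compute]
cyyoon-c1-openstack-05[4:5]
[deployment]
localhost       ansible_connection=local
[baremetal:children]
control
"""

_RANGE = re.compile(r'\[(\d+):(\d+)\]')


def expand_pattern(pattern):
    """Expand an Ansible numeric range: host-05[1:3] -> host-051 .. host-053.

    A zero-padded lower bound such as [01:03] keeps its width, as Ansible does."""
    m = _RANGE.search(pattern)
    if not m:
        return [pattern]
    lo, hi = m.group(1), m.group(2)
    width = len(lo) if lo.startswith('0') else 0
    head, tail = pattern[:m.start()], pattern[m.end():]
    return [f'{head}{str(i).zfill(width)}{tail}' for i in range(int(lo), int(hi) + 1)]


def parse_inventory(text):
    """Return {group: [hosts]} for an INI inventory.

    [group:children] and [group:vars] sections and per-host variables such as
    ansible_connection=local are skipped; only host names are collected."""
    groups, current = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        if line.startswith('['):
            name = line.strip('[]')
            current = None if ':' in name else groups.setdefault(name, [])
            continue
        if current is not None:
            current.extend(expand_pattern(line.split()[0]))
    return groups


def parse_hosts_file(text):
    """Return every host name (including aliases) declared in /etc/hosts."""
    names = set()
    for raw in text.splitlines():
        fields = raw.split('#', 1)[0].split()
        names.update(fields[1:])            # fields[0] is the address
    return names


def unresolvable_hosts(inventory_text, hosts_text):
    """Inventory hosts that have no /etc/hosts entry on the deploy server.

    Ansible only reports such hosts as unreachable once a play runs, so it is
    cheaper to catch them before kolla-ansible bootstrap-servers."""
    known = parse_hosts_file(hosts_text) | {'localhost'}
    missing = set()
    for hosts in parse_inventory(inventory_text).values():
        missing.update(h for h in hosts if h not in known)
    return sorted(missing)


if __name__ == '__main__':
    print('missing from /etc/hosts:', unresolvable_hosts(SAMPLE_INVENTORY, SAMPLE_HOSTS))
```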

- Ceph integration settings

Create the pools the OpenStack deployment needs and set up the keyrings. The Ceph client is installed directly on the host OS rather than used from the cephadm shell. Because the cephadm bootstrap already placed the admin keyring and the client ceph.conf under "/etc/ceph/", installing the client alone is enough to get access as the admin account.

(cy-deploy-env) root@cyyoon-c1-deploy-010:~# ls -al /etc/ceph/
total 24
drwxr-xr-x   2 root root 4096 Jan 21 03:36 .
drwxr-xr-x 105 root root 4096 Jan 22 09:35 ..
-rw-------   1 root root  151 Jan 21 03:36 ceph.client.admin.keyring
-rw-r--r--   1 root root  265 Jan 21 03:36 ceph.conf
-rw-r--r--   1 root root  595 Jan 21 03:32 ceph.pub
-rw-------   1 root root  101 Jan 21 03:36 podman-auth.json
 
(cy-deploy-env) root@cyyoon-c1-deploy-010:~# apt install ceph-common  -y
Reading package lists... Done
//...
(cy-deploy-env) root@cyyoon-c1-deploy-010:~# ceph -s
  cluster:
    id:     94aac626-b80d-11ee-963c-8d6b99fb8b9d
    health: HEALTH_OK
 
  services:
    mon: 3 daemons, quorum cyyoon-c1-ceph-013,cyyoon-c1-ceph-012,cyyoon-c1-ceph-011 (age 32h)
    mgr: cyyoon-c1-ceph-013.hsikld(active, since 32h), standbys: cyyoon-c1-ceph-011.ntghis, cyyoon-c1-ceph-012.lwfgzn
    osd: 3 osds: 3 up (since 32h), 3 in (since 32h)
 
  data:
    pools:   1 pools, 1 pgs
    objects: 2 objects, 577 KiB
    usage:   186 MiB used, 195 GiB / 195 GiB avail
    pgs:     1 active+clean
 
(cy-deploy-env) root@cyyoon-c1-deploy-010:~# ceph osd pool create volumes 32
pool 'volumes' created
(cy-deploy-env) root@cyyoon-c1-deploy-010:~#  ceph osd pool create backups 8
pool 'backups' created
(cy-deploy-env) root@cyyoon-c1-deploy-010:~#  ceph osd pool create images 8
pool 'images' created
(cy-deploy-env) root@cyyoon-c1-deploy-010:~# ceph osd pool create vms 8
pool 'vms' created
 
(cy-deploy-env) root@cyyoon-c1-deploy-010:~# ceph auth get-or-create client.cinder mon 'allow r' osd 'allow class-read object_prefix rbd_children, allow rwx pool=volumes, allow rwx pool=vms, allow rx pool=images'
[client.cinder]
        key = AQDrXa5lDXecMxAAeQqA8ZTIXwyMCN7GO0e85g==
(cy-deploy-env) root@cyyoon-c1-deploy-010:~#  ceph auth get-or-create client.cinder-backup mon 'allow r' osd 'allow class-read object_prefix rbd_children, allow rwx pool=backups'
[client.cinder-backup]
        key = AQDxXa5lZr6KARAAcrbdhRay0+stxYju4KCLNA==
(cy-deploy-env) root@cyyoon-c1-deploy-010:~#  ceph auth get-or-create client.glance mon 'allow r' osd 'allow class-read object_prefix rbd_children, allow rwx pool=images'
[client.glance]
        key = AQDzXa5lotCfNBAA4c9tdRWh9mVedI4PkN4nXw==

Store the keyrings for the pools created above under the "/etc/kolla/config" subdirectories so that cinder, nova and glance can use them.

(cy-deploy-env) root@cyyoon-c1-deploy-010:~#  mkdir -p /etc/kolla/config/glance/
(cy-deploy-env) root@cyyoon-c1-deploy-010:~#  mkdir  /etc/kolla/config/cinder/
(cy-deploy-env) root@cyyoon-c1-deploy-010:~#  mkdir  /etc/kolla/config/nova/
(cy-deploy-env) root@cyyoon-c1-deploy-010:~#  mkdir  /etc/kolla/config/cinder/cinder-volume/
(cy-deploy-env) root@cyyoon-c1-deploy-010:~#  mkdir  /etc/kolla/config/cinder/cinder-backup/
 
## Before copying ceph.conf, edit the original so that the lines beginning with a tab have no leading whitespace.
(cy-deploy-env) root@cyyoon-c1-deploy-010:~# cat /etc/ceph/ceph.conf
# minimal ceph.conf for 94aac626-b80d-11ee-963c-8d6b99fb8b9d
[global]
        fsid = 94aac626-b80d-11ee-963c-8d6b99fb8b9d
        mon_host = [v2:10.111.1.11:3300/0,v1:10.111.1.11:6789/0] [v2:10.111.1.12:3300/0,v1:10.111.1.12:6789/0] [v2:10.111.1.13:3300/0,v1:10.111.1.13:6789/0]
(cy-deploy-env) root@cyyoon-c1-deploy-010:~# vi /etc/ceph/ceph.conf
(cy-deploy-env) root@cyyoon-c1-deploy-010:~# cat /etc/ceph/ceph.conf
# minimal ceph.conf for 94aac626-b80d-11ee-963c-8d6b99fb8b9d
[global]
fsid = 94aac626-b80d-11ee-963c-8d6b99fb8b9d
mon_host = [v2:10.111.1.11:3300/0,v1:10.111.1.11:6789/0] [v2:10.111.1.12:3300/0,v1:10.111.1.12:6789/0] [v2:10.111.1.13:3300/0,v1:10.111.1.13:6789/0]
 
(cy-deploy-env) root@cyyoon-c1-deploy-010:~#  ceph auth get-or-create client.glance > /etc/kolla/config/glance/ceph.client.glance.keyring
(cy-deploy-env) root@cyyoon-c1-deploy-010:~# cp /etc/ceph/ceph.conf /etc/kolla/config/glance/
(cy-deploy-env) root@cyyoon-c1-deploy-010:~# ceph auth get-or-create client.cinder> /etc/kolla/config/cinder/cinder-volume/ceph.client.cinder.keyring
(cy-deploy-env) root@cyyoon-c1-deploy-010:~# ceph auth get-or-create client.cinder> /etc/kolla/config/cinder/cinder-backup/ceph.client.cinder.keyring
(cy-deploy-env) root@cyyoon-c1-deploy-010:~# ceph auth get-or-create client.cinder-backup > /etc/kolla/config/cinder/cinder-backup/ceph.client.cinder-backup.keyring
(cy-deploy-env) root@cyyoon-c1-deploy-010:~# cp /etc/ceph/ceph.conf /etc/kolla/config/cinder/cinder-volume/
(cy-deploy-env) root@cyyoon-c1-deploy-010:~# cp /etc/ceph/ceph.conf /etc/kolla/config/cinder/cinder-backup/
(cy-deploy-env) root@cyyoon-c1-deploy-010:~# ceph auth get-or-create client.cinder> /etc/kolla/config/nova/ceph.client.cinder.keyring
(cy-deploy-env) root@cyyoon-c1-deploy-010:~# cp /etc/ceph/ceph.conf /etc/kolla/config/nova/
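The pool, keyring and staging steps above collected into one re-runnable script. This is an added example, not code from the original post; it assumes the same pool names, cephx users and /etc/kolla/config layout as this page's globals.yml, and that ceph-common and the admin keyring are present on the deploy host. It differs from the commands above in three places: the pools are tagged with the rbd application, the users get the "profile rbd" capabilities from the Ceph OpenStack guide instead of the explicit object_prefix caps (and an existing user's caps are converged with "ceph auth caps", since plain get-or-create fails when the caps differ), and the keyring files are created 0600 while the tab indentation of cephadm's minimal ceph.conf is stripped with sed instead of by hand in vi.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: create the OpenStack RBD pools and
# cephx users on the deploy host and stage keyrings + ceph.conf for kolla-ansible.
# Assumes ceph-common and /etc/ceph/ceph.client.admin.keyring are present (as after
# the cephadm bootstrap) and the pool/user names from this page's globals.yml.
set -eu

KOLLA_CONFIG="${KOLLA_CONFIG:-/etc/kolla/config}"
CEPH_CONF_SRC="${CEPH_CONF_SRC:-/etc/ceph/ceph.conf}"

# pool:pg_num pairs as used on the page
create_pools() {
  local spec pool pgs
  for spec in volumes:32 backups:8 images:8 vms:8; do
    pool="${spec%%:*}"; pgs="${spec##*:}"
    # "pool create" errors if the pool exists; checking first keeps this re-runnable
    ceph osd pool ls | grep -qx "$pool" || ceph osd pool create "$pool" "$pgs"
    # tag the pool for rbd; untagged pools show up as a HEALTH_WARN
    ceph osd pool application enable "$pool" rbd
  done
}

# Create a cephx user, or converge the caps of an existing one. Plain
# "get-or-create" fails when the user already exists with different caps.
ensure_user() {
  local name="$1"; shift
  if ceph auth get "client.$name" >/dev/null 2>&1; then
    ceph auth caps "client.$name" "$@" >/dev/null
  else
    ceph auth get-or-create "client.$name" "$@" >/dev/null
  fi
}

# Least-privilege caps using the rbd profiles (the profile form of the explicit
# object_prefix/pool caps above): glance writes images only, cinder-backup writes
# backups only, cinder/nova write volumes and vms but can only read images.
create_users() {
  ensure_user glance mon 'profile rbd' osd 'profile rbd pool=images' mgr 'profile rbd pool=images'
  ensure_user cinder mon 'profile rbd' \
    osd 'profile rbd pool=volumes, profile rbd pool=vms, profile rbd-read-only pool=images' \
    mgr 'profile rbd pool=volumes, profile rbd pool=vms'
  ensure_user cinder-backup mon 'profile rbd' osd 'profile rbd pool=backups' mgr 'profile rbd pool=backups'
}

# stage <subdir> <user>: write ceph.client.<user>.keyring and ceph.conf under
# $KOLLA_CONFIG/<subdir>, the layout kolla-ansible expects for external Ceph.
stage() {
  local dir="$KOLLA_CONFIG/$1" user="$2"
  mkdir -p "$dir"
  # the keyring is a secret: create it 0600 instead of the default 0644
  ( umask 077; ceph auth get-or-create "client.$user" > "$dir/ceph.client.$user.keyring" )
  # cephadm writes a tab-indented minimal ceph.conf; kolla's config merge needs the
  # keys at column 0 (the manual vi edit above), so normalise it here
  sed 's/^[[:space:]]*//' "$CEPH_CONF_SRC" > "$dir/ceph.conf"
}

stage_all() {
  stage glance glance
  stage cinder/cinder-volume cinder
  stage cinder/cinder-backup cinder
  stage cinder/cinder-backup cinder-backup
  stage nova cinder            # nova uses the cinder user, as on the page
}

if [ "${1:-}" = run ]; then
  create_pools; create_users; stage_all
  find "$KOLLA_CONFIG" -name '*.keyring' -exec ls -l {} +
fi
```

Run it as "bash stage-ceph.sh run" on the deploy host; without the "run" argument it only defines the functions, which makes it easy to source and call a single step again.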

/etc/kolla/globals.yml is configured as below; it holds the settings for the deployment.

(cy-deploy-env) root@cyyoon-c1-deploy-010:~# egrep  -v '^#|^$' /etc/kolla/globals.yml
---
workaround_ansible_issue_8743: yes
kolla_base_distro: "ubuntu"
openstack_release: "2023.2"
openstack_tag: "17.1.1"
kolla_internal_vip_address: "172.21.1.100"
kolla_external_vip_address: "172.21.1.99"
kolla_external_fqdn: "dev24vip.cyuucloud.xyz"
kolla_container_engine: podman
docker_registry: "dev24deploy.cyuucloud.xyz:5000"
docker_registry_username: "cyyoon"
docker_namespace: "kolla"
network_interface: "ens3"
api_interface: "{{ network_interface }}"
tunnel_interface: "ens5"
neutron_external_interface: "ens6"
neutron_plugin_agent: "openvswitch"
keepalived_virtual_router_id: "51"
kolla_enable_tls_internal: "no"
kolla_enable_tls_external: "yes"
kolla_certificates_dir: "{{ node_config }}/certificates"
kolla_external_fqdn_cert: "{{ kolla_certificates_dir }}/certificate.crt"
enable_openstack_core: "yes"
enable_glance: "{{ enable_openstack_core | bool }}"
enable_keepalived: "{{ enable_haproxy | bool }}"
enable_keystone: "{{ enable_openstack_core | bool }}"
enable_mariadb: "yes"
enable_memcached: "yes"
enable_neutron: "{{ enable_openstack_core | bool }}"
enable_nova: "{{ enable_openstack_core | bool }}"
enable_rabbitmq: "{{ 'yes' if om_rpc_transport == 'rabbit' or om_notify_transport == 'rabbit' else 'no' }}"
enable_cinder: "yes"
enable_neutron_dvr: "yes"
enable_skyline: "yes"
external_ceph_cephx_enabled: "yes"
ceph_glance_keyring: "client.glance.keyring"
ceph_glance_user: "glance"
ceph_glance_pool_name: "images"
ceph_cinder_keyring: "client.cinder.keyring"
ceph_cinder_user: "cinder"
ceph_cinder_pool_name: "volumes"
ceph_cinder_backup_keyring: "client.cinder-backup.keyring"
ceph_cinder_backup_user: "cinder-backup"
ceph_cinder_backup_pool_name: "backups"
ceph_nova_keyring: "{{ ceph_cinder_keyring }}"
ceph_nova_user: "cinder"
ceph_nova_pool_name: "vms"
glance_backend_ceph: "yes"
glance_backend_file: "no"
cinder_backend_ceph: "yes"
nova_backend_ceph: "yes"
nova_compute_virt_type: "qemu" ## for a production environment kvm (or another virt type) is required; qemu is for testing only
nova_console: "novnc"

- Certificate setup

Now register the certificate used for TLS on the API. It is the certificate prepared earlier for the "dev24vip.cyuucloud.xyz" domain. The PEM file must contain the private key, the certificate and the CA chain together (https://openmetal.io/docs/manuals/operators-manual/day-4/kolla-ansible/enable-tls#prepare-ssl-file).

Depending on its role, the certificate enables TLS on the Internal or the External endpoint; HAProxy presents it when the endpoint is exposed through load balancing. In this setup TLS is enabled on the External endpoint only, as configured below (https://docs.openstack.org/kolla-ansible/latest/admin/tls.html).

(cy-deploy-env) root@cyyoon-c1-deploy-010:~# mkdir /etc/kolla/certificates/
(cy-deploy-env) root@cyyoon-c1-deploy-010:~# cp /root/ssl/dev24vip.cyuucloud.xyz/certificate.crt  /etc/kolla/certificates/haproxy.pem
(cy-deploy-env) root@cyyoon-c1-deploy-010:~# echo  "" >> /etc/kolla/certificates/haproxy.pem
(cy-deploy-env) root@cyyoon-c1-deploy-010:~# cat  /root/ssl/dev24vip.cyuucloud.xyz/private.key >>  /etc/kolla/certificates/haproxy.pem
(cy-deploy-env) root@cyyoon-c1-deploy-010:~# cat /backups/kolla/globals.yml
//...
#kolla_enable_tls_internal: "no"
kolla_enable_tls_external: "yes"
kolla_certificates_dir: "{{ node_config }}/certificates"
kolla_external_fqdn_cert: "{{ kolla_certificates_dir }}/haproxy.pem"
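An added example (not code from the original post) that does the concatenation above and checks the result before kolla-ansible hands it to HAProxy. It assumes the file names under /root/ssl/dev24vip.cyuucloud.xyz/ used on the page and an openssl binary on the deploy host. The echo "" in the commands above is there to separate the two blocks with a newline: if certificate.crt has no final newline and that step is forgotten, "-----END CERTIFICATE-----" and "-----BEGIN PRIVATE KEY-----" land on one line and HAProxy will not load the bundle. The script adds the newline only when it is missing, then checks the layout, that the private key actually belongs to the certificate, and that the certificate has not expired.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: build the haproxy.pem that
# kolla_external_fqdn_cert points at and check it before running kolla-ansible.
# Assumes the files under /root/ssl/dev24vip.cyuucloud.xyz/ named as on the page
# and openssl on the deploy host; CERT_DIR and OUT can be overridden.
set -eu

# Append one PEM file to the bundle, guaranteeing it ends with a newline.
append_pem() {
  cat "$1" >> "$2"
  # $(...) strips trailing newlines, so it is empty only if the last byte is one
  [ -z "$(tail -c1 "$1")" ] || printf '\n' >> "$2"
}

# assemble_pem <out> <cert> <key> [chain...]: order is cert, key, then CA chain.
assemble_pem() {
  local out="$1"; shift
  ( umask 077; : > "$out" )     # the bundle holds the private key: 0600 from the start
  for f in "$@"; do append_pem "$f" "$out"; done
}

# Layout check, no crypto needed: exactly one private key, at least one
# certificate, and no BEGIN marker glued onto the end of a previous line.
check_pem_layout() {
  local keys certs glued
  keys=$(grep -c '^-----BEGIN .*PRIVATE KEY-----$' "$1" || true)
  certs=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true)
  glued=$(grep -c '.-----BEGIN ' "$1" || true)
  [ "$keys" -eq 1 ] && [ "$certs" -ge 1 ] && [ "$glued" -eq 0 ]
}

# Crypto check (openssl): the key must belong to the first certificate in the
# bundle and that certificate must still be valid; prints subject and SANs so
# the FQDN (dev24vip.cyuucloud.xyz here) can be eyeballed.
check_pem_crypto() {
  local pem="$1" cert_pub key_pub
  cert_pub=$(openssl x509 -in "$pem" -noout -pubkey)
  key_pub=$(openssl pkey -in "$pem" -pubout)      # openssl skips the non-key blocks
  [ "$cert_pub" = "$key_pub" ] || { echo "private key does not match certificate" >&2; return 1; }
  openssl x509 -in "$pem" -noout -checkend 0 >/dev/null || { echo "certificate is expired" >&2; return 1; }
  openssl x509 -in "$pem" -noout -subject
  openssl x509 -in "$pem" -noout -text | grep -A1 'Subject Alternative Name' || true
}

if [ "${1:-}" = run ]; then
  CERT_DIR="${CERT_DIR:-/root/ssl/dev24vip.cyuucloud.xyz}"
  OUT="${OUT:-/etc/kolla/certificates/haproxy.pem}"
  mkdir -p "$(dirname "$OUT")"
  # add "$CERT_DIR/ca.crt" as a further argument if the chain is a separate file
  assemble_pem "$OUT" "$CERT_DIR/certificate.crt" "$CERT_DIR/private.key"
  check_pem_layout "$OUT" && check_pem_crypto "$OUT" && echo "$OUT ok"
fi
```

Run as "bash build-haproxy-pem.sh run". The same checks are worth repeating on a renewed certificate before "kolla-ansible reconfigure", since a key/certificate mismatch only surfaces when HAProxy fails to start on the controllers.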
//...

 

- Deploying and testing with Kolla-ansible

Run kolla-ansible bootstrap-servers to install Podman and the other packages the target nodes need before the Kolla deployment.

(cy-deploy-env) root@cyyoon-c1-deploy-010:~#  kolla-ansible -i /etc/kolla/multinode   bootstrap-servers  -e ansible_python_interpreter=/usr/bin/python3
//...
(cy-deploy-env) root@cyyoon-c1-deploy-010:~# kolla-ansible -i /etc/kolla/multinode  prechecks -e ansible_python_interpreter=/usr/bin/python3
//...

Run kolla-ansible deploy to perform the deployment.

(cy-deploy-env) root@cyyoon-c1-deploy-010:~# kolla-ansible  -i /etc/kolla/multinode  deploy   -e ansible_python_interpreter=/usr/bin/python3  
//...

Once the deployment has completed, run post-deploy to generate the admin credentials file, install the openstack client and check the state of the services that came up. Note that because kolla_enable_tls_internal is "no", OS_AUTH_URL in admin-openrc.sh points at the plaintext http internal VIP; only the external VIP (dev24vip.cyuucloud.xyz) is behind TLS.

(cy-deploy-env) root@cyyoon-c1-deploy-010:~# kolla-ansible -i /etc/kolla/multinode post-deploy  -e ansible_python_interpreter=/usr/bin/python3
 //...
(cy-deploy-env) root@cyyoon-c1-deploy-010:~# cat /etc/kolla/admin-openrc.sh
# Ansible managed
 
# Clear any old environment that may conflict.
for key in $( set | awk '{FS="="}  /^OS_/ {print $1}' ); do unset $key ; done
export OS_PROJECT_DOMAIN_NAME='Default'
export OS_USER_DOMAIN_NAME='Default'
export OS_PROJECT_NAME='admin'
export OS_TENANT_NAME='admin'
export OS_USERNAME='admin'
export OS_PASSWORD='cyyoon-password'
export OS_AUTH_URL='http://172.21.1.100:5000'
export OS_INTERFACE='internal'
export OS_ENDPOINT_TYPE='internalURL'
export OS_IDENTITY_API_VERSION='3'
export OS_REGION_NAME='RegionOne'
export OS_AUTH_PLUGIN='password'
(cy-deploy-env) root@cyyoon-c1-deploy-010:~# source  /etc/kolla/admin-openrc.sh
(cy-deploy-env) root@cyyoon-c1-deploy-010:~# pip install python-openstackclient==6.5.0
 
## Check Nova service status
 (cy-deploy-env) root@cyyoon-c1-deploy-010:~# openstack compute service list
+--------------------------------------+----------------+-------------------------+----------+---------+-------+----------------------------+
| ID                                   | Binary         | Host                    | Zone     | Status  | State | Updated At                 |
+--------------------------------------+----------------+-------------------------+----------+---------+-------+----------------------------+
| 9120de96-b55c-4435-81f8-546c9cd85601 | nova-scheduler | cyyoon-c1-openstack-051 | internal | enabled | up    | 2024-02-10T03:56:53.000000 |
| 7f002186-def6-43b0-9ed6-fe61382cc907 | nova-scheduler | cyyoon-c1-openstack-053 | internal | enabled | up    | 2024-02-10T03:56:48.000000 |
| d2639dc2-fd94-4c4d-b105-11689d920179 | nova-scheduler | cyyoon-c1-openstack-052 | internal | enabled | up    | 2024-02-10T03:56:54.000000 |
| 01eed177-d61c-485b-83ad-8138c083d77e | nova-conductor | cyyoon-c1-openstack-051 | internal | enabled | up    | 2024-02-10T03:56:55.000000 |
| 843946bb-2607-4e97-b853-18fc5cdb89dc | nova-conductor | cyyoon-c1-openstack-052 | internal | enabled | up    | 2024-02-10T03:56:54.000000 |
| 61e975d1-9f28-4e49-b98c-7e06325d9e55 | nova-conductor | cyyoon-c1-openstack-053 | internal | enabled | up    | 2024-02-10T03:56:48.000000 |
| 8b6b8633-06eb-46d6-a007-a8314f14ac2c | nova-compute   | cyyoon-c1-openstack-054 | nova     | enabled | up    | 2024-02-10T03:56:50.000000 |
| 4b510123-ae8c-4f40-a7d6-61a663155cf8 | nova-compute   | cyyoon-c1-openstack-055 | nova     | enabled | up    | 2024-02-10T03:56:00.000000 |
+--------------------------------------+----------------+-------------------------+----------+---------+-------+----------------------------+
 
## Check Neutron service status
(cy-deploy-env) root@cyyoon-c1-deploy-010:~# openstack network agent list
+--------------------------------------+--------------------+-------------------------+-------------------+-------+-------+---------------------------+
| ID                                   | Agent Type         | Host                    | Availability Zone | Alive | State | Binary                    |
+--------------------------------------+--------------------+-------------------------+-------------------+-------+-------+---------------------------+
| 0548e6ce-6427-4a24-b40a-fe91f262ff91 | Open vSwitch agent | cyyoon-c1-openstack-051 | None              | :-)   | UP    | neutron-openvswitch-agent |
| 1ed7d061-8ae4-4529-bbf0-2ad13b86524d | L3 agent           | cyyoon-c1-openstack-052 | nova              | :-)   | UP    | neutron-l3-agent          |
| 3622af6d-ce26-4818-b22c-995a1b00c48d | Metadata agent     | cyyoon-c1-openstack-053 | None              | :-)   | UP    | neutron-metadata-agent    |
| 376b4601-fd51-4f61-b3a8-fb0c732d83e7 | DHCP agent         | cyyoon-c1-openstack-051 | nova              | :-)   | UP    | neutron-dhcp-agent        |
| 444bd114-0ee2-45f2-a5a8-36acf455191d | Open vSwitch agent | cyyoon-c1-openstack-054 | None              | :-)   | UP    | neutron-openvswitch-agent |
| 4709ec0c-bb95-4309-8100-395fdb1accbc | L3 agent           | cyyoon-c1-openstack-051 | nova              | :-)   | UP    | neutron-l3-agent          |
| 57b0c506-5c3c-4501-bc82-98763dd8c687 | DHCP agent         | cyyoon-c1-openstack-053 | nova              | :-)   | UP    | neutron-dhcp-agent        |
| 663268e9-31cc-4413-9379-0c8d3278edd6 | L3 agent           | cyyoon-c1-openstack-054 | nova              | :-)   | UP    | neutron-l3-agent          |
| 79c220f3-1842-4a9d-b4c9-6c4ce12eb8cc | L3 agent           | cyyoon-c1-openstack-055 | nova              | :-)   | UP    | neutron-l3-agent          |
| 8581daee-ae70-4fd0-b21b-9964c9981bd1 | L3 agent           | cyyoon-c1-openstack-053 | nova              | :-)   | UP    | neutron-l3-agent          |
| 8e88fc90-3ea9-46cd-8fc9-e86280bf73a8 | Open vSwitch agent | cyyoon-c1-openstack-055 | None              | :-)   | UP    | neutron-openvswitch-agent |
| a4019a8c-fede-4bcc-85c6-81ffdfed8c70 | DHCP agent         | cyyoon-c1-openstack-052 | nova              | :-)   | UP    | neutron-dhcp-agent        |
| aed51df7-f77d-4615-bbb7-43a93de590df | Metadata agent     | cyyoon-c1-openstack-051 | None              | :-)   | UP    | neutron-metadata-agent    |
| b5912c0e-31e5-4b72-bea6-343c24cea0f3 | Metadata agent     | cyyoon-c1-openstack-052 | None              | :-)   | UP    | neutron-metadata-agent    |
| c2c1002d-c3b8-4775-9056-73309ac0b6c1 | Open vSwitch agent | cyyoon-c1-openstack-052 | None              | :-)   | UP    | neutron-openvswitch-agent |
| d2ca06cf-45fa-41ca-bdd8-f57b80ca22d3 | Open vSwitch agent | cyyoon-c1-openstack-053 | None              | :-)   | UP    | neutron-openvswitch-agent |
| df0a7b02-3ae2-4f39-9166-57af658a3f73 | Metadata agent     | cyyoon-c1-openstack-054 | None              | :-)   | UP    | neutron-metadata-agent    |
| dffcea92-d79b-40b5-975a-371dbb403402 | Metadata agent     | cyyoon-c1-openstack-055 | None              | :-)   | UP    | neutron-metadata-agent    |
+--------------------------------------+--------------------+-------------------------+-------------------+-------+-------+---------------------------+
 
## Check Cinder service status
(cy-deploy-env) root@cyyoon-c1-deploy-010:~# openstack volume service list
+------------------+-------------------------------+------+---------+-------+----------------------------+
| Binary           | Host                          | Zone | Status  | State | Updated At                 |
+------------------+-------------------------------+------+---------+-------+----------------------------+
| cinder-scheduler | cyyoon-c1-openstack-052       | nova | enabled | up    | 2024-02-10T04:06:09.000000 |
| cinder-scheduler | cyyoon-c1-openstack-053       | nova | enabled | up    | 2024-02-10T04:06:09.000000 |
| cinder-scheduler | cyyoon-c1-openstack-051       | nova | enabled | up    | 2024-02-10T04:06:09.000000 |
| cinder-volume    | cyyoon-c1-openstack-052@rbd-1 | nova | enabled | up    | 2024-02-10T04:06:09.000000 |
| cinder-volume    | cyyoon-c1-openstack-053@rbd-1 | nova | enabled | up    | 2024-02-10T04:06:09.000000 |
| cinder-volume    | cyyoon-c1-openstack-051@rbd-1 | nova | enabled | up    | 2024-02-10T04:06:02.000000 |
| cinder-backup    | cyyoon-c1-openstack-052       | nova | enabled | up    | 2024-02-10T04:06:09.000000 |
| cinder-backup    | cyyoon-c1-openstack-053       | nova | enabled | up    | 2024-02-10T04:06:09.000000 |
| cinder-backup    | cyyoon-c1-openstack-051       | nova | enabled | up    | 2024-02-10T04:06:06.000000 |
+------------------+-------------------------------+------+---------+-------+----------------------------+

 

To check that the deployed OpenStack works, image registration, flavor creation, network creation and so on are now done by hand.

As described in https://docs.openstack.org/kolla-ansible/latest/user/quickstart.html, the init-runonce script can do all of this in one go, but it needs a few environment-specific changes, so in this setup the steps are performed manually.

 

Download the Ubuntu Cloud Image, convert it to raw format and register it in Glance.

(cy-deploy-env) root@cyyoon-c1-deploy-010:~# wget https://cloud-images.ubuntu.com/jammy/current/jammy-server-cloudimg-amd64.img
//...
(cy-deploy-env) root@cyyoon-c1-deploy-010:~#   apt-get install qemu-utils -y
//...
(cy-deploy-env) root@cyyoon-c1-deploy-010:~# qemu-img  info jammy-server-cloudimg-amd64.img| grep format
file format: qcow2
(cy-deploy-env) root@cyyoon-c1-deploy-010:~# qemu-img convert -f qcow2 -O raw jammy-server-cloudimg-amd64.img  jammy-server-cloudimg-amd64.raw
(cy-deploy-env) root@cyyoon-c1-deploy-010:~# qemu-img  info jammy-server-cloudimg-amd64.raw | grep format
file format: raw
## Register the image in Glance
(cy-deploy-env) root@cyyoon-c1-deploy-010:~# openstack image create --container-format bare --disk-format raw --public --file jammy-server-cloudimg-amd64.raw jammy-server-cloudimg-amd64
//...
 
## Check the registered image
(cy-deploy-env) root@cyyoon-c1-deploy-010:~# openstack image show jammy-server-cloudimg-amd64
+------------------+-----------------------------------------------------------------------------------------------------------------------------------------------+
| Field            | Value                                                                                                                                         |
+------------------+-----------------------------------------------------------------------------------------------------------------------------------------------+
| checksum         | ba8aca11adc5cc96126765d723043c3a                                                                                                              |
| container_format | bare                                                                                                                                          |
| created_at       | 2024-02-10T04:16:18Z                                                                                                                          |
| disk_format      | raw                                                                                                                                           |
| file             | /v2/images/96bdcd5a-319d-412e-ab25-034d12556396/file                                                                                          |
| id               | 96bdcd5a-319d-412e-ab25-034d12556396                                                                                                          |
| min_disk         | 0                                                                                                                                             |
| min_ram          | 0                                                                                                                                             |
| name             | jammy-server-cloudimg-amd64                                                                                                                   |
| owner            | ba817ea71e4f4836bd93dfc915d15c66                                                                                                              |
| properties       | os_hash_algo='sha512', os_hash_value='171a6ae7d85518490769eadf9c479d5e118670616a0d6e7f0cff7ea62a5c2e685c7669fbe82ce86813a5ea6e6150d13332607aa |
|                  | 4a0022843a8be0fdb798e7112', os_hidden='False', owner_specified.openstack.md5='', owner_specified.openstack.object='images/jammy-server-       |
|                  | cloudimg-amd64', owner_specified.openstack.sha256='', stores='rbd'                                                                            |
| protected        | False                                                                                                                                         |
| schema           | /v2/schemas/image                                                                                                                             |
| size             | 2361393152                                                                                                                                    |
| status           | active                                                                                                                                        |
| tags             |                                                                                                                                               |
| updated_at       | 2024-02-10T04:18:48Z                                                                                                                          |
| virtual_size     | 2361393152                                                                                                                                    |
| visibility       | public                                                                                                                                        |
+------------------+-----------------------------------------------------------------------------------------------------------------------------------------------+

Next, register a keypair for SSH access and add the flavor that will be used when creating instances from the Ubuntu image registered above.

(cy-deploy-env) root@cyyoon-c1-deploy-010:~# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa
Your public key has been saved in /root/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:PR7jEtfO5tXhouApcy88pD1x6Q3Du75bdVYaBa5CA8U root@cyyoon-c1-deploy-010
The key's randomart image is:
+---[RSA 3072]----+
|        .o.   ...|
|         .E  . . |
|          o   o .|
|         o o . o.|
|        S O + .oo|
|         B &  ooo|
|        *.* Oo...|
|       +.Oo=oo.  |
|        +o*B=    |
+----[SHA256]-----+
(cy-deploy-env) root@cyyoon-c1-deploy-010:~# openstack keypair create --public-key ~/.ssh/id_rsa.pub mykey
(cy-deploy-env) root@cyyoon-c1-deploy-010:~# openstack flavor create --id 1 --vcpus 2 --ram 2048 --disk 20  test

Create the networks. Since neutron_external_interface is set to "ens6", the subnet of the External network used for outbound traffic must be a range that is reachable through that interface.

(cy-deploy-env) root@cyyoon-c1-deploy-010:~# cat /etc/kolla/globals.yml |grep neutron_external_interface
neutron_external_interface: "ens6"
 
(cy-deploy-env) root@cyyoon-c1-deploy-010:~#  openstack network create --share --external \
--provider-physical-network physnet1 \
--provider-network-type flat provider
 
(cy-deploy-env) root@cyyoon-c1-deploy-010:~#  openstack subnet create --network provider \
--allocation-pool start=10.113.1.210,end=10.113.1.230 \
--dns-nameserver 8.8.4.4 --gateway 10.113.1.1 \
--subnet-range 10.113.1.0/24 provider
 
(cy-deploy-env) root@cyyoon-c1-deploy-010:~#  openstack network create test-network
(cy-deploy-env) root@cyyoon-c1-deploy-010:~#   openstack subnet create --network test-network \
--dns-nameserver 8.8.4.4 --gateway 192.168.200.1 \
--subnet-range 192.168.200/24 test-subnet
 
## Create a router, attach the private network created above, and set the External network as the router's gateway for outbound connectivity
(cy-deploy-env) root@cyyoon-c1-deploy-010:~#   openstack router create test-router
(cy-deploy-env) root@cyyoon-c1-deploy-010:~# openstack router add subnet test-router test-subnet
(cy-deploy-env) root@cyyoon-c1-deploy-010:~# openstack router set --external-gateway provider test-router

Create the Security Group and rules used for the test. For the test, ICMP and TCP are allowed in both directions. Note that "security group rule create --proto tcp --ingress" without --remote-ip or --dst-port opens every TCP port to 0.0.0.0/0; that is acceptable on this isolated 10.113.1.0/24 test network, but anywhere the floating IP range is actually reachable the rule should be narrowed, for example to --dst-port 22 --remote-ip <admin subnet>.

(cy-deploy-env) root@cyyoon-c1-deploy-010:~#  openstack security group create test
(cy-deploy-env) root@cyyoon-c1-deploy-010:~#   openstack security group rule create --proto icmp test
(cy-deploy-env) root@cyyoon-c1-deploy-010:~#   openstack security group rule create --proto icmp --egress test
(cy-deploy-env) root@cyyoon-c1-deploy-010:~#   openstack security group rule create --proto tcp --egress test
(cy-deploy-env) root@cyyoon-c1-deploy-010:~#   openstack security group rule create --proto tcp --ingress test

Now create a test instance using the image, Security Group and network created above.

(cy-deploy-env) root@cyyoon-c1-deploy-010:~# NET_ID=$(openstack network list --name test-network  -f value -c ID)
(cy-deploy-env) root@cyyoon-c1-deploy-010:~#    openstack server create --flavor test  --image jammy-server-cloudimg-amd64 --nic net-id=$NET_ID --security-group test  --key-name mykey    test-instance
## Check the result
(cy-deploy-env) root@cyyoon-c1-deploy-010:~# openstack server list
+--------------------------------------+---------------+--------+-----------------------------+-----------------------------+--------+
| ID                                   | Name          | Status | Networks                    | Image                       | Flavor |
+--------------------------------------+---------------+--------+-----------------------------+-----------------------------+--------+
| a52c072a-36c3-41e6-8b95-2e8574fadbb3 | test-instance | ACTIVE | test-network=192.168.200.31 | jammy-server-cloudimg-amd64 | test   |
+--------------------------------------+---------------+--------+-----------------------------+-----------------------------+--------+

Create a Floating IP, attach it to the instance and check SSH connectivity.

(cy-deploy-env) root@cyyoon-c1-deploy-010:~# openstack floating ip create provider
+---------------------+--------------------------------------+
| Field               | Value                                |
+---------------------+--------------------------------------+
| created_at          | 2024-02-17T05:59:32Z                 |
| description         |                                      |
| dns_domain          | None                                 |
| dns_name            | None                                 |
| fixed_ip_address    | None                                 |
| floating_ip_address | 10.113.1.212                         |
| floating_network_id | 50fc08fc-d675-4844-bd28-475761d3d885 |
| id                  | a76e0d09-d22b-45be-8bf2-d0005115e523 |
| name                | 10.113.1.212                         | ## <----- the allocated Floating IP
| port_details        | None                                 |
| port_id             | None                                 |
| project_id          | d399bb8349844656a743d73fae3361e1     |
| qos_policy_id       | None                                 |
| revision_number     | 0                                    |
| router_id           | None                                 |
| status              | DOWN                                 |
| subnet_id           | None                                 |
| tags                | []                                   |
| updated_at          | 2024-02-17T05:59:32Z                 |
+---------------------+--------------------------------------+
 
 
(cy-deploy-env) root@cyyoon-c1-deploy-010:~# openstack server add floating ip test-instance 10.113.1.212
(cy-deploy-env) root@cyyoon-c1-deploy-010:~# openstack server list
+--------------------------------------+---------------+--------+--------------------------------------------+-----------------------------+--------+
| ID                                   | Name          | Status | Networks                                   | Image                       | Flavor |
+--------------------------------------+---------------+--------+--------------------------------------------+-----------------------------+--------+
| 1c61a29e-4cb8-4d10-9f0b-37b0bc1e1c3f | test-instance | ACTIVE | test-network=10.113.1.212, 192.168.200.123 | jammy-server-cloudimg-amd64 | test   |
+--------------------------------------+---------------+--------+--------------------------------------------+-----------------------------+--------+
 
(cy-deploy-env) root@cyyoon-c1-deploy-010:~# ping 10.113.1.212  -c 1
PING 10.113.1.212 (10.113.1.212) 56(84) bytes of data.
64 bytes from 10.113.1.212: icmp_seq=1 ttl=62 time=3.60 ms
 
--- 10.113.1.212 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 3.598/3.598/3.598/0.000 ms
 
(cy-deploy-env) root@cyyoon-c1-deploy-010:~# ssh 10.113.1.212 -l ubuntu   -i ~/.ssh/id_rsa
Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 5.15.0-92-generic x86_64)
 
 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro
 
 System information disabled due to load higher than 2.0
 
 
Expanded Security Maintenance for Applications is not enabled.
 
0 updates can be applied immediately.
 
Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status
 
 
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
 
Last login: Sat Feb 17 06:06:03 2024 from 10.113.1.10
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
 
ubuntu@test-instance:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1350 qdisc fq_codel state UP group default qlen 1000
    link/ether fa:16:3e:1a:66:d2 brd ff:ff:ff:ff:ff:ff
    altname enp0s3
    inet 192.168.200.123/24 metric 100 brd 192.168.200.255 scope global dynamic ens3
       valid_lft 86211sec preferred_lft 86211sec
    inet6 fe80::f816:3eff:fe1a:66d2/64 scope link
       valid_lft forever preferred_lft forever

 

Note 1)

The SSH connection to the instance in this setup can be drawn as below. Because this is not a production environment, the External Network (10.113.1.0/24) was treated as the public network for the test, which is why a plain SSH connectivity test works. In a production environment this network would connect to the public network and be routed by the upstream L3 device. Consequently, in the current setup the instance cannot reach the external Internet; to allow that from here, a separate proxy or NAT setup would be needed.

 

Note 2)

If you inspect the network directly on a node for debugging or internal analysis, you will run into the following issue.

Traffic flows fine, but listing the network namespaces as below produces "Peer netns reference is invalid."

Passing commands into a namespace with exec does not work either.

This issue appears with Podman deployments: the network namespaces are not mounted in the host OS filesystem, which is what produces the messages below. (https://rodolfo-alonso.com/network-namespaces-and-containers)

root@cyyoon-c1-openstack-054:~# ip netns
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
qrouter-90ac5963-2490-4f49-9868-165dd78af743
Error: Peer netns reference is invalid.
fip-c3265f9a-128c-41f1-9c5e-a6e8f0dd6ae3
 
root@cyyoon-c1-openstack-054:~# ip netns exec qrouter-90ac5963-2490-4f49-9868-165dd78af743 ip a
setting the network namespace "qrouter-90ac5963-2490-4f49-9868-165dd78af743" failed: Invalid argument
 
 
## Deployed with Docker, same settings
root@cyyoon-c1-openstack-064:~# findmnt -oTARGET,SOURCE,FSTYPE,PROPAGATION
TARGET                                                      SOURCE           FSTYPE     PROPAGATION
/                                                           /dev/sda1        ext4       shared
├─/sys                                                      sysfs            sysfs      shared
│ ├─/sys/kernel/security                                    securityfs       securityfs shared
│ ├─/sys/fs/cgroup                                          cgroup2          cgroup2    shared
//....
├─/run                                                      tmpfs            tmpfs      shared
│ ├─/run/lock                                               tmpfs            tmpfs      shared
│ ├─/run/credentials/systemd-sysusers.service               none             ramfs      shared
│ ├─/run/snapd/ns                                           tmpfs[/snapd/ns] tmpfs      private
│ │ └─/run/snapd/ns/lxd.mnt                                 nsfs[mnt:[4026532401]]
│ │                                                                          nsfs       private
│ ├─/run/netns/qrouter-e39e0091-666e-40a0-a51c-3ec5e13d0714 nsfs[net:[4026532521]]
│ │                                                                          nsfs       shared
│ ├─/run/docker/netns/default                               nsfs[net:[4026531840]]
│ │                                                                          nsfs       shared
│ ├─/run/netns/fip-28b7787a-d512-43c9-9548-e60aad1fb1cb     nsfs[net:[4026532585]]
│ │                                                                          nsfs       shared
│ └─/run/user/0                                             tmpfs            tmpfs      shared
 
## Deployed with Podman, same settings
root@cyyoon-c1-openstack-054:~# findmnt -oTARGET,SOURCE,FSTYPE,PROPAGATION
TARGET                                                                                                                       SOURCE      FSTYPE        PROPAGATION
/                                                                                                                            /dev/sda1   ext4          shared
├─/sys                                                                                                                       sysfs       sysfs         shared
//...
│ ├─/run/lock                                                                                                                tmpfs       tmpfs         shared
│ ├─/run/credentials/systemd-sysusers.service                                                                                none        ramfs         shared
│ ├─/run/snapd/ns                                                                                                            tmpfs[/snapd/ns]
│ │                                                                                                                                      tmpfs         private
│ │ └─/run/snapd/ns/lxd.mnt                                                                                                  nsfs[mnt:[4026532446]]
│ │                                                                                                                                      nsfs          private
│ └─/run/user/0                                                                                                              tmpfs       tmpfs         shared

With Podman the nsfs bind mounts for the router namespaces are not propagated into the host's mount namespace, so they can only be seen from inside a container that shares them, such as neutron_l3_agent. The host-side failure is "Invalid argument" rather than "Cannot open network namespace", which indicates that the /run/netns/<name> path does exist on the host but is not backed by the namespace mount (setns() rejects the plain placeholder file). In practice this means every `ip netns` operation on a Podman-based node has to go through `podman exec neutron_l3_agent`, and any host-side tooling or runbook that assumes `ip netns exec qrouter-...` works on the host must be adjusted.

root@cyyoon-c1-openstack-054:~# podman  exec  neutron_l3_agent ip netns
qrouter-90ac5963-2490-4f49-9868-165dd78af743 (id: 0)
fip-c3265f9a-128c-41f1-9c5e-a6e8f0dd6ae3 (id: 1)
 
root@cyyoon-c1-openstack-054:~# podman  exec  neutron_l3_agent  findmnt -oTARGET,SOURCE,FSTYPE,PROPAGATION
TARGET                                                      SOURCE                                                                                                                                FSTYPE  PROPAGATION
/                                                           overlay                                                                                                                               overlay shared
├─/dev                                                      tmpfs                                                                                                                                 tmpfs   private
│ ├─/dev/pts                                                devpts                                                                                                                                devpts  private
│ ├─/dev/mqueue                                             mqueue                                                                                                                                mqueue  private
│ └─/dev/shm                                                shm                                                                                                                                   tmpfs   private
├─/sys                                                      sysfs                                                                                                                                 sysfs   private
│ └─/sys/fs/cgroup                                          cgroup2                                                                                                                               cgroup2 private
├─/proc                                                     proc                                                                                                                                  proc    private
├─/usr/lib/modules                                          /dev/sda1[/usr/lib/modules]                                                                                                           ext4    private
├─/run/netns                                                tmpfs[/netns]                                                                                                                         tmpfs   shared
│ ├─/run/netns/qrouter-90ac5963-2490-4f49-9868-165dd78af743 nsfs[net:[4026532469]]                                                                                                                nsfs    shared
│ └─/run/netns/fip-c3265f9a-128c-41f1-9c5e-a6e8f0dd6ae3     nsfs[net:[4026532594]]                                                                                                                nsfs    shared

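The following helper is an added example, not code from the original post or from Kolla-ansible. It parses `findmnt` output to list which Neutron namespaces are mounted as nsfs under /run/netns, decides whether a namespace is reachable from the host or only from the container, and runs a command in the right place. It assumes the Kolla default container name `neutron_l3_agent`, that `podman` is on PATH, and that the only host-visible namespaces are the ones `ip netns list` reports; the findmnt sample embedded below is constructed from the output shown above.

```shell
#!/usr/bin/env bash
# Added example (not from the original post or Kolla-ansible): run a command in a
# Neutron router/fip namespace on a Kolla host regardless of whether the node was
# deployed with Docker (namespace nsfs bind-mounted into the host's /run/netns)
# or Podman (namespace only visible inside the neutron_l3_agent container).
#
# Assumptions: container name neutron_l3_agent (Kolla default), `podman` on PATH.

# Print the namespace names mounted as nsfs under /run/netns, one per line,
# from `findmnt -oTARGET,SOURCE,FSTYPE,PROPAGATION` output given on stdin.
# findmnt wraps long rows and prefixes the TARGET column with tree characters,
# so only the mount path token is matched; /run/netns itself (no trailing
# slash) and /run/docker/netns/* are deliberately not matched.
netns_from_findmnt() {
    grep -o '/run/netns/[A-Za-z0-9_-]*' | sed 's#^/run/netns/##' | sort -u
}

# Given a namespace name and the host-visible namespace names on stdin (one per
# line), print "host" if the host can enter it directly, else "container".
netns_location() {
    name="$1"
    if grep -qxF -- "$name"; then
        echo host
    else
        echo container
    fi
}

# Run "$@" inside namespace "$1", on the host when the namespace is mounted
# there and otherwise via the neutron_l3_agent container. `ip netns list`
# prints "name (id: N)", so only the first field is kept.
netns_exec() {
    name="$1"; shift
    case "$(ip netns list 2>/dev/null | awk '{print $1}' | netns_location "$name")" in
        host)      ip netns exec "$name" "$@" ;;
        container) podman exec neutron_l3_agent ip netns exec "$name" "$@" ;;
    esac
}

# Constructed sample: trimmed findmnt output as seen inside neutron_l3_agent on
# a Podman-based node (modelled on the output above, not captured verbatim).
SAMPLE_FINDMNT=$(cat <<'EOF'
TARGET                                                      SOURCE                 FSTYPE  PROPAGATION
/                                                           overlay                overlay shared
├─/run/netns                                                tmpfs[/netns]          tmpfs   shared
│ ├─/run/netns/qrouter-90ac5963-2490-4f49-9868-165dd78af743 nsfs[net:[4026532469]] nsfs    shared
│ └─/run/netns/fip-c3265f9a-128c-41f1-9c5e-a6e8f0dd6ae3     nsfs[net:[4026532594]] nsfs    shared
EOF
)

# Usage: ./netns_exec.sh qrouter-<uuid> ip a
# With no arguments the script only defines the functions (so it can be sourced).
if [ $# -ge 2 ]; then
    netns_exec "$@"
fi
```

On a Docker-based node `netns_location` answers "host" and the command runs exactly as before; on a Podman-based node it answers "container" and the same command is executed through `podman exec`, so one runbook covers both deployment types. Because the container's findmnt output is the authoritative view under Podman, `podman exec neutron_l3_agent findmnt ... | netns_from_findmnt` is also a quick way to confirm that a router namespace actually exists before troubleshooting it.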
 


Summary

At last it is possible to get away from Docker when using Kolla-ansible. Podman's daemonless design should make day-to-day operation more robust, since there is no single container daemon whose restart or failure takes every service container with it. I had expected the deployment to be rootless, but in practice the containers still run as root; presumably because of practical considerations and performance concerns. Podman versions are moving quickly (CNI has already been removed and replaced), and if the stability and performance of rootless mode keep improving, I expect Kolla deployments will eventually move to rootless as well.
