目录:
第一节 多节点OpenStack Charms 部署指南0.0.1.dev223–1--OpenStack Charms 部署指南
第二节 多节点OpenStack Charms 部署指南0.0.1.dev223–2-安装MAAS
第三节 多节点OpenStack Charms 部署指南0.0.1.dev223–3-安装Juju
第四节 多节点OpenStack Charms 部署指南0.0.1.dev223–4-安装openstack
第五节 多节点OpenStack Charms 部署指南0.0.1.dev223–5--使bundle安装openstack
第六节 多节点OpenStack Charms 部署指南0.0.1.dev223–6--配置vault和设置数字证书生命周期
第七节 多节点OpenStack Charms 部署指南0.0.1.dev223–7--juju 离线部署bundle
第八节 多节点OpenStack Charms 部署指南0.0.1.dev223–8--配置 OpenStack
第九节 多节点OpenStack Charms 部署指南0.0.1.dev223–9--网络拓扑
第十节 多节点OpenStack Charms 部署指南0.0.1.dev223–10–OpenStack 高可用基础架构实际
第十一节 多节点OpenStack Charms 部署指南0.0.1.dev223–11–访问Juju仪表板
重新部署openstack-base70后很长时间,没进行配置,春节前想着配置下,然后在上面跑k8s,不幸的是,source openrcv3_project后,出错了:
source openrcv3_project
echo $OS_USERNAME
admin
openstack endpoint list --interface admin
Failed to discover available identity versions when contacting https://10.0.2.81:5000/v3. Attempting to parse version from URL.
SSL exception connecting to https://10.0.2.81:5000/v3/auth/tokens: HTTPSConnectionPool(host=‘10.0.2.81’, port=5000): Max retries exceeded with url: /v3/auth/tokens (Caused by SSLError(SSLError(“bad handshake: Error([(‘SSL routines’, ‘tls_process_server_certificate’, ‘certificate verify failed’)],)”,),))
再次source openrc:
source openrc
openstack endpoint list --interface admin
Could not find a suitable TLS CA certificate bundle, invalid path: /tmp/root-ca.crt
开始有些困惑,以为是需要做TLS配置,但是配置几次都出现问题,配置不通。
困惑了几天,然后去论坛提问,答疑者说希望我将bundle.yaml贴他给他看看。
贴了之后,答疑者回复说你的OS_CACERT=/home/ubuntu/snap/openstackclients/common/root-ca.crt啊,而不是在 /tmp/root-ca.crt
当时更加困惑了,以前看的文档里不是说产生的根证书在 /tmp/root-ca.crt 么。
然后再次看了看openrc,没发现什么特别的问题。
突然发现,openstack base怎么版本变openstack base#72了,笔者一直部署的#70。
后来直接再次部署了bundle openstack-base#72,在 juju run-action --wait vault/leader 'generate-root-ca'前,将/root/snap/openstackclient/common/root-ca.crt和/tmp/root-ca.crt删除,然后 juju run-action --wait vault/leader ‘generate-root-ca’,发现果然在/tmp目录下没有生成root-ca.crt根证书文件,而是在/root/snap/openstackclient/common/root-ca.crt,再次source openrc,顺利的部署成功openstack
openstack endpoint list --interface admin
+----------------------------------+-----------+--------------+--------------+---------+-----------+------------------------------------------+
| ID | Region | Service Name | Service Type | Enabled | Interface | URL |
+----------------------------------+-----------+--------------+--------------+---------+-----------+------------------------------------------+
| 075e5dbf0bf94c99b1863441ce7cab42 | RegionOne | swift | object-store | True | admin | https://10.0.2.103:443/swift |
| 2a91f454e99c47bbae6959be815e4f76 | RegionOne | cinderv2 | volumev2 | True | admin | https://10.0.2.110:8776/v2/$(tenant_id)s |
| 522bdd0accc64aeba73d1ad9414765da | RegionOne | s3 | s3 | True | admin | https://10.0.2.103:443/ |
| 5763f522530145ed90513f97fd734fdd | RegionOne | glance | image | True | admin | https://10.0.2.96:9292 |
| 5dcf573397954218917df491e7f868b9 | RegionOne | keystone | identity | True | admin | https://10.0.2.101:35357/v3 |
| a17a3f32438640f68dfce72763390765 | RegionOne | neutron | network | True | admin | https://10.0.2.113:9696 |
| daaa222120dc4ed2bbc7341590a3acdb | RegionOne | placement | placement | True | admin | https://10.0.2.99:8778 |
| dfab9da33a974dc1b15228a18fac90c7 | RegionOne | cinderv3 | volumev3 | True | admin | https://10.0.2.110:8776/v3/$(tenant_id)s |
| f4b5e242719a48088df20621dea5d643 | RegionOne | nova | compute | True | admin | https://10.0.2.105:8774/v2.1 |
+----------------------------------+-----------+--------------+--------------+---------+-----------+------------------------------------------+
。
看来是在bundle中,执行juju run-action --wait vault/leader 'generate-root-ca'后,生成的根证书文件目录发生了变更。
对比下openrc:
openstack-base#70:
if [ ! -z $JUJU_MODEL ]; then
_juju_model_arg="-m $JUJU_MODEL"
fi
_keystone_major_version=$(juju status $_juju_model_arg keystone --format yaml| \
awk '/^ version:/ {print $2; exit}' | cut -f1 -d\.)
_keystone_preferred_api_version=$(juju config $_juju_model_arg keystone preferred-api-version)
_root_ca=/tmp/root-ca.crt
juju run $_juju_model_arg --unit vault/leader 'leader-get root-ca' > /tmp/root-ca.crt 2>/dev/null
if [ $_keystone_major_version -ge 13 -o \
"$_keystone_preferred_api_version" = '3' ]; then
echo Using Keystone v3 API
. $(dirname ${BASH_SOURCE[0]})/openrcv3_project
else
echo Using Keystone v2.0 API
. $(dirname ${BASH_SOURCE[0]})/openrcv2
fi
openstack-base#72:
if [ ! -z $JUJU_MODEL ]; then
_juju_model_arg="-m $JUJU_MODEL"
fi
_keystone_major_version=$(juju status $_juju_model_arg keystone --format yaml| \
awk '/^ version:/ {print $2; exit}' | cut -f1 -d\.)
_keystone_preferred_api_version=$(juju config $_juju_model_arg keystone preferred-api-version)
# The per user snap data directory is not created until first execution of snap
openstack --version 2>&1 > /dev/null || true
if [ -d ~/snap/openstackclients/common/ ]; then
# When using the openstackclients confined snap the certificate has to be
# placed in a location reachable by the clients in the snap.
_root_ca=~/snap/openstackclients/common/root-ca.crt
else
_root_ca=/tmp/root-ca.crt
fi
juju run $_juju_model_arg --unit vault/leader 'leader-get root-ca' > $_root_ca 2>/dev/null
if [ $_keystone_major_version -ge 13 -o \
"$_keystone_preferred_api_version" = '3' ]; then
echo Using Keystone v3 API
. $(dirname ${BASH_SOURCE[0]})/openrcv3_project
else
echo Using Keystone v2.0 API
. $(dirname ${BASH_SOURCE[0]})/openrcv2
fi
看来是在source openrc设置环境变量时,本来要用 /tmp/root-ca.crt ,但是执行bundle openstack-base时,生成的根证书是在/root/snap/openstackclient/common/root-ca.crt目录,所以source失败。