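What is Magnum?
Magnum is probably one of the more popular new OpenStack projects integrating with Docker at the moment. It is a new project dedicated to containers that started after last year's Paris summit, and it provides container services to users. The first patch was submitted on stackforge in November of last year, and the project moved into the OpenStack namespace in March of this year, which probably makes it the fastest project in the OpenStack community to migrate from stackforge to the OpenStack namespace. Magnum can currently offer users Kubernetes as a Service and Swarm as a Service. The main purpose of integrating with these platforms is to let users conveniently manage k8s and Swarm, which are already mature Docker cluster management systems, through the OpenStack cloud platform, and to make it easy to use these container management systems to provide container services.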
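Installing Magnum with DevStack
Magnum relies on nova, glance, heat, barbican and neutron to simulate a physical environment; deploying Magnum on bare metal is still under development in the community. Ubuntu 14.04 (Trusty) or Fedora 20/21 is recommended.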
First, clone DevStack:

```bash
cd ~
git clone https://git.openstack.org/openstack-dev/devstack
```
Configure DevStack, enabling heat and neutron:

```bash
cd devstack
cat > local.conf << END
[[local|localrc]]
# Modify to your environment
FLOATING_RANGE=192.168.1.224/27
PUBLIC_NETWORK_GATEWAY=192.168.1.225
PUBLIC_INTERFACE=em1

# Credentials
ADMIN_PASSWORD=password
DATABASE_PASSWORD=password
RABBIT_PASSWORD=password
SERVICE_PASSWORD=password
SERVICE_TOKEN=password

enable_service rabbit

# Ensure we are using neutron networking rather than nova networking
# (Neutron is enabled by default since Kilo)
disable_service n-net
enable_service q-svc
enable_service q-agt
enable_service q-dhcp
enable_service q-l3
enable_service q-meta
enable_service neutron

# Enable heat services
enable_service h-eng
enable_service h-api
enable_service h-api-cfn
enable_service h-api-cw

# Enable barbican services
enable_plugin barbican https://git.openstack.org/openstack/barbican

FIXED_RANGE=10.0.0.0/24

Q_USE_SECGROUP=True
ENABLE_TENANT_VLANS=True
TENANT_VLAN_RANGE=

PHYSICAL_NETWORK=public
OVS_PHYSICAL_BRIDGE=br-ex

# Log all output to files
LOGFILE=$HOME/logs/devstack.log
SCREEN_LOGDIR=$HOME/logs

VOLUME_BACKING_FILE_SIZE=20G
END
```
Create local.sh so that Magnum can use the network created by DevStack:

```bash
cat > local.sh << 'END_LOCAL_SH'
#!/bin/sh
ROUTE_TO_INTERNET=$(ip route get 8.8.8.8)
OBOUND_DEV=$(echo ${ROUTE_TO_INTERNET#*dev} | awk '{print $1}')
sudo iptables -t nat -A POSTROUTING -o $OBOUND_DEV -j MASQUERADE
END_LOCAL_SH
chmod 755 local.sh
```
Run DevStack:

```bash
./stack.sh
```
Source the environment variables:

```bash
source ~/devstack/openrc admin admin
```
Store the Fedora Atomic micro-OS image in Glance:

```bash
cd ~
wget https://fedorapeople.org/groups/magnum/fedora-21-atomic-5.qcow2
glance image-create --name fedora-21-atomic-5 \
                    --visibility public \
                    --disk-format qcow2 \
                    --os-distro fedora-atomic \
                    --container-format bare < fedora-21-atomic-5.qcow2
```
Create a keypair for use with a baymodel:

```bash
test -f ~/.ssh/id_rsa.pub || ssh-keygen -t rsa -N "" -f ~/.ssh/id_rsa
nova keypair-add --pub-key ~/.ssh/id_rsa.pub testkey
```
Create the MySQL database for Magnum:

```bash
mysql -h 127.0.0.1 -u root -ppassword mysql <<EOF
CREATE DATABASE IF NOT EXISTS magnum DEFAULT CHARACTER SET utf8;
GRANT ALL PRIVILEGES ON magnum.* TO
    'root'@'%' IDENTIFIED BY 'password'
EOF
```
Install Magnum:

```bash
cd ~
git clone https://git.openstack.org/openstack/magnum
cd magnum
sudo pip install -e .
```
Configure Magnum:

```bash
# create the magnum conf directory
sudo mkdir -p /etc/magnum

# copy sample config and modify it as necessary
sudo cp etc/magnum/magnum.conf.sample /etc/magnum/magnum.conf

# copy policy.json
sudo cp etc/magnum/policy.json /etc/magnum/policy.json

# enable debugging output
sudo sed -i "s/#debug\s*=.*/debug=true/" /etc/magnum/magnum.conf

# set RabbitMQ userid
sudo sed -i "s/#rabbit_userid\s*=.*/rabbit_userid=stackrabbit/" \
         /etc/magnum/magnum.conf

# set RabbitMQ password
sudo sed -i "s/#rabbit_password\s*=.*/rabbit_password=password/" \
         /etc/magnum/magnum.conf

# set SQLAlchemy connection string to connect to MySQL
sudo sed -i "s/#connection\s*=.*/connection=mysql:\/\/root:password@localhost\/magnum/" \
         /etc/magnum/magnum.conf

# set Keystone account username
sudo sed -i "s/#admin_user\s*=.*/admin_user=admin/" \
         /etc/magnum/magnum.conf

# set Keystone account password
sudo sed -i "s/#admin_password\s*=.*/admin_password=password/" \
         /etc/magnum/magnum.conf

# set admin Identity API endpoint
sudo sed -i "s/#identity_uri\s*=.*/identity_uri=http:\/\/127.0.0.1:35357/" \
         /etc/magnum/magnum.conf

# set public Identity API endpoint
sudo sed -i "s/#auth_uri\s*=.*/auth_uri=http:\/\/127.0.0.1:5000\/v2.0/" \
         /etc/magnum/magnum.conf

# set oslo messaging notifications driver (if using ceilometer)
sudo sed -i "s/#driver\s*=.*/driver=messaging/" \
         /etc/magnum/magnum.conf
```
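An added check, not part of the original article or of Magnum: the sed edits above write this walkthrough's placeholder credentials into /etc/magnum/magnum.conf, and a root-run cp typically leaves the file readable by every local user. The function name audit_magnum_conf, the finding labels and the sample file are constructed for this example.

```bash
# Added example (not Magnum code): audit a magnum.conf written by the sed edits above.
# Prints one finding per line; prints nothing when the file is clean.
audit_magnum_conf() {
    local conf=$1
    # Pass 1: walk the INI file and inspect live (uncommented) keys per section.
    awk '
        /^[ \t]*\[/    { section = $0; next }   # remember the current [section]
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        {
            eq = index($0, "="); if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
        }
        key ~ /password$/ && val == "password"    { print "placeholder-secret " section " " key }
        key == "connection" && val ~ /:password@/ { print "placeholder-secret " section " " key }
        key == "connection" && val ~ /\/\/root:/  { print "db-root-account " section " " key }
    ' "$conf"
    # Pass 2: the file holds credentials, so "other" should have no read bit.
    if [ -n "$(find "$conf" -maxdepth 0 -perm -004)" ]; then
        echo "world-readable $conf"
    fi
}

# Constructed sample: the values the sed edits on this page leave in magnum.conf.
write_sample_conf() {
    cat > "$1" <<'EOF'
[DEFAULT]
debug=true
[oslo_messaging_rabbit]
rabbit_userid=stackrabbit
rabbit_password=password
[database]
connection=mysql://root:password@localhost/magnum
[keystone_authtoken]
admin_user=admin
admin_password=password
#admin_password = <None>
EOF
    chmod 644 "$1"   # mode a root-run cp leaves behind with the usual 022 umask
}

sample=$(mktemp)
write_sample_conf "$sample"
audit_magnum_conf "$sample"
rm -f "$sample"
```

On a real host, run `audit_magnum_conf /etc/magnum/magnum.conf` after the configuration step; an empty result means no placeholder secret, no root database account and no world-read bit were found.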
Install the Magnum client:

```bash
cd ~
git clone https://git.openstack.org/openstack/python-magnumclient
cd python-magnumclient
sudo pip install -e .
```
Configure the database for Magnum:

```bash
magnum-db-manage upgrade
```
Configure the Keystone endpoint:

```bash
openstack service create --name=magnum \
                         --description="Magnum Container Service" \
                         container
openstack endpoint create --region=RegionOne \
                          --publicurl=http://127.0.0.1:9511/v1 \
                          --internalurl=http://127.0.0.1:9511/v1 \
                          --adminurl=http://127.0.0.1:9511/v1 \
                          magnum
```
Start Magnum:

```bash
# each service runs in the foreground, so start them in separate terminals
magnum-api
magnum-conductor
```
A walk-through of Magnum's DevStack startup code
├── devstack
│ ├── lib
│ │ └── magnum
│ ├── plugin.sh
│ ├── README.rst
│ ├── settings
The magnum file under lib defines the paths of the files Magnum creates and the paths used when cloning from git:

```bash
MAGNUM_REPO=${MAGNUM_REPO:-${GIT_BASE}/openstack/magnum.git}
MAGNUM_BRANCH=${MAGNUM_BRANCH:-master}
MAGNUM_DIR=$DEST/magnum

GITREPO["python-magnumclient"]=${MAGNUMCLIENT_REPO:-${GIT_BASE}/openstack/python-magnumclient.git}
GITBRANCH["python-magnumclient"]=${MAGNUMCLIENT_BRANCH:-master}
GITDIR["python-magnumclient"]=$DEST/python-magnumclient

MAGNUM_STATE_PATH=${MAGNUM_STATE_PATH:=$DATA_DIR/magnum}
MAGNUM_AUTH_CACHE_DIR=${MAGNUM_AUTH_CACHE_DIR:-/var/cache/magnum}

MAGNUM_CONF_DIR=/etc/magnum
MAGNUM_CONF=$MAGNUM_CONF_DIR/magnum.conf
MAGNUM_POLICY_JSON=$MAGNUM_CONF_DIR/policy.json
MAGNUM_API_PASTE=$MAGNUM_CONF_DIR/api-paste.ini
```
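Once the paths are defined, the configuration files are created. The code checks first: if the configuration directory does not exist, it is created and its ownership is set.

```bash
function configure_magnum {
    # Put config files in ``/etc/magnum`` for everyone to find
    if [[ ! -d $MAGNUM_CONF_DIR ]]; then
        sudo mkdir -p $MAGNUM_CONF_DIR
        sudo chown $STACK_USER $MAGNUM_CONF_DIR
    fi
    # ... (excerpt; the rest of the function is not shown)
}
```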
Magnum's authentication depends on Keystone, so the MySQL-backed catalog has to be updated: the service is created and its endpoint is returned.

```bash
function create_magnum_accounts {

    create_service_user "magnum" "admin"

    if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then

        local magnum_service=$(get_or_create_service "magnum" \
            "container" "Magnum Container Service")
        get_or_create_endpoint $magnum_service \
            "$REGION_NAME" \
            "$MAGNUM_SERVICE_PROTOCOL://$MAGNUM_SERVICE_HOST:$MAGNUM_SERVICE_PORT/v1" \
            "$MAGNUM_SERVICE_PROTOCOL://$MAGNUM_SERVICE_HOST:$MAGNUM_SERVICE_PORT/v1" \
            "$MAGNUM_SERVICE_PROTOCOL://$MAGNUM_SERVICE_HOST:$MAGNUM_SERVICE_PORT/v1"
    fi

}
```
The configuration file is then written with shell-style file-writing commands (DevStack's iniset helper):

```bash
function create_magnum_conf {

    # (Re)create ``magnum.conf``
    rm -f $MAGNUM_CONF
    iniset $MAGNUM_CONF DEFAULT debug "$ENABLE_DEBUG_LOG_LEVEL"
    iniset $MAGNUM_CONF oslo_messaging_rabbit rabbit_userid $RABBIT_USERID
    iniset $MAGNUM_CONF oslo_messaging_rabbit rabbit_password $RABBIT_PASSWORD
    iniset $MAGNUM_CONF oslo_messaging_rabbit rabbit_host $RABBIT_HOST

    iniset $MAGNUM_CONF database connection `database_connection_url magnum`
    iniset $MAGNUM_CONF api host "$MAGNUM_SERVICE_HOST"
    iniset $MAGNUM_CONF api port "$MAGNUM_SERVICE_PORT"
    # ... (excerpt; the rest of the function is not shown)
}
```
Magnum can choose among several underlying operating systems:

```bash
function magnum_register_image {
    local magnum_image_property="--property os_distro="

    # pick the os_distro value from the distribution name found in the image URL
    local atomic="$(echo $MAGNUM_GUEST_IMAGE_URL | grep -io 'atomic' || true;)"
    if [ ! -z "$atomic" ]; then
        magnum_image_property=$magnum_image_property"fedora-atomic"
    fi
    local ubuntu="$(echo $MAGNUM_GUEST_IMAGE_URL | grep -io "ubuntu" || true;)"
    if [ ! -z "$ubuntu" ]; then
        magnum_image_property=$magnum_image_property"ubuntu"
    fi
    local coreos="$(echo $MAGNUM_GUEST_IMAGE_URL | grep -io "coreos" || true;)"
    if [ ! -z "$coreos" ]; then
        magnum_image_property=$magnum_image_property"coreos"
    fi

    openstack --os-url $GLANCE_SERVICE_PROTOCOL://$GLANCE_HOSTPORT \
        --os-image-api-version 1 image set \
        $(basename "$MAGNUM_GUEST_IMAGE_URL" ".qcow2") $magnum_image_property
}
```
Install the Magnum client:

```bash
function install_magnumclient {
    if use_library_from_git "python-magnumclient"; then
        git_clone_by_name "python-magnumclient"
        setup_dev_lib "python-magnumclient"
    fi
}
```
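Start the Magnum service, passing in the port, protocol, TLS and related settings. Communication between the processes requires the TLS transport-layer security protocol. When the tls-proxy service is enabled, the API itself listens on the internal port over plain HTTP behind the proxy.

```bash
function start_magnum_api {
    # Get right service port for testing
    local service_port=$MAGNUM_SERVICE_PORT
    local service_protocol=$MAGNUM_SERVICE_PROTOCOL
    if is_service_enabled tls-proxy; then
        service_port=$MAGNUM_SERVICE_PORT_INT
        service_protocol="http"
    fi
    # ... (excerpt; the rest of the function is not shown)
}
```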
To allow the processes to communicate, iptables also has to be configured so that traffic to Keystone and Magnum is accepted:

```bash
function configure_iptables {
    if [ "$MAGNUM_CONFIGURE_IPTABLES" != "False" ]; then
        ROUTE_TO_INTERNET=$(ip route get 8.8.8.8)
        OBOUND_DEV=$(echo ${ROUTE_TO_INTERNET#*dev} | awk '{print $1}')
        sudo iptables -t nat -A POSTROUTING -o $OBOUND_DEV -j MASQUERADE
        # bay nodes will access magnum-api (port $MAGNUM_SERVICE_PORT) to get CA certificate.
        sudo iptables -I INPUT -d $HOST_IP -p tcp --dport $MAGNUM_SERVICE_PORT -j ACCEPT || true
        sudo iptables -I INPUT -d $HOST_IP -p tcp --dport $KEYSTONE_SERVICE_PORT -j ACCEPT || true
    fi
}
```
In plugin.sh, if Magnum's api and conductor services are enabled, Magnum and magnum-client are installed, the Magnum image is fetched, and so on.
In addition, Keystone's configuration file is modified and the Magnum account is created:

```bash
# excerpt from the middle of the if/elif chain in plugin.sh
elif [[ "$1" == "stack" && "$2" == "post-config" ]]; then
    echo_summary "Configuring magnum"
    configure_magnum

    # Hack a large timeout for now
    iniset /etc/keystone/keystone.conf token expiration 7200

    if is_service_enabled key; then
        create_magnum_accounts
    fi
```
The settings file holds a series of configuration parameters that turn services on and off:

```bash
# Enable Neutron which is required by Magnum and disable nova-network.
disable_service n-net
enable_service q-svc
enable_service q-agt
enable_service q-dhcp
enable_service q-l3
enable_service q-meta
# Note: Default template uses LBaaS.
enable_service q-lbaas
enable_service neutron

# Enable Heat services
enable_service h-eng
enable_service h-api
enable_service h-api-cfn
enable_service h-api-cw
```
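The DevStack code is only a small part of the project, but it already shows how Magnum runs. Containers are getting more and more attention at the OpenStack summits; I am optimistic about Kolla, Magnum and Murano.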
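About the author:
蒋暕青 @ Shanghai Broadband Technology and Application Engineering Research Center: SDN practitioner; spent half a year of his senior year up north as an intern at Spirent; currently works in Shanghai.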
This article was submitted under the SDNLAB Original Article Reward Program (《SDNLAB原创文章奖励计划》).