OpenStack Dalmatian : Swift 設定 (Proxy ノード) 2024/10/15 |
OpenStack Object Storage(Swift)を設定します。 当例では以下のような環境を例に Swift サービスを設定します。 ------------+--------------------------+------------ | | eth0|10.0.0.30 eth0|10.0.0.50 +-----------+-----------+ +-----------+-----------+ | [ dlp.srv.world ] | | [ network.srv.world ] | | (Control Node) | | (Proxy Node) | | | | | | MariaDB RabbitMQ | | Swift Proxy | | Memcached Nginx | | Nginx | | Keystone httpd | | | +-----------------------+ +-----------------------+ ------------+--------------------------+--------------------------+----------- eth0|10.0.0.71 eth0|10.0.0.72 eth0|10.0.0.73 +-----------+-----------+ +-----------+-----------+ +-----------+-----------+ | [snode01.srv.world] | | [snode02.srv.world] | | [snode03.srv.world] | | (Storage Node#1) | | (Storage Node#2) | | (Storage Node#3) | | | | | | | | Swift-Account | | Swift-Account | | Swift-Account | | Swift-Container | | Swift-Container | | Swift-Container | | Swift-Object | | Swift-Object | | Swift-Object | +-----------------------+ +-----------------------+ +-----------------------+ |
[1] | Proxy ノードに Swift-Proxy をインストールします。 |
[root@network ~]# dnf --enablerepo=centos-openstack-dalmatian,epel,crb -y install openstack-swift-proxy python3-memcached openssh-clients nginx nginx-mod-stream
|
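[2] | Swift-Proxy を設定します。 以下の記載では pipeline に認証ミドルウェアが含まれておらず、Keystone 認証情報も pipeline で使われていない [filter:s3token] に置かれています。Keystone 認証を行うには authtoken と keystoneauth を pipeline に含め、対応する [filter:...] セクションを定義する必要があるため、適用前に確認してください。 設定ファイルにはサービスユーザーのパスワードが平文で入るので、新規作成後は所有者とパーミッションを絞ります (例: chgrp swift /etc/swift/proxy-server.conf ; chmod 640 /etc/swift/proxy-server.conf)。 password と encryption_root_secret の値は例示です。実環境では独自の値に置き換え、keymaster を有効にする場合の encryption_root_secret は 32 バイト以上のランダム値を base64 エンコードしたものにします。 |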
[root@network ~]#
mv /etc/swift/proxy-server.conf /etc/swift/proxy-server.conf.org [root@network ~]# vi /etc/swift/proxy-server.conf # 新規作成 [DEFAULT] bind_ip = 127.0.0.1 bind_port = 8080 keep_idle = 600 bind_timeout = 30 backlog = 4096 swift_dir = /etc/swift user = swift [pipeline:main] pipeline = catch_errors gatekeeper healthcheck proxy-logging cache listing_formats container_sync bulk ratelimit copy container-quotas account-quotas slo dlo versioned_writes symlink proxy-logging proxy-server [app:proxy-server] use = egg:swift#proxy allow_account_management = true account_autocreate = true [filter:s3api] use = egg:swift#s3api [filter:s3token] use = egg:swift#s3token reseller_prefix = AUTH_ delay_auth_decision = False # Keystone 認証情報 auth_uri = https://dlp.srv.world:5000/v3 http_timeout = 10.0 auth_url = https://dlp.srv.world:5000 auth_type = password project_domain_name = Default project_domain_id = default user_domain_name = Default project_name = service username = swift password = servicepassword [filter:healthcheck] use = egg:swift#healthcheck [filter:cache] use = egg:swift#memcache # Memcached サーバーを指定 memcache_servers = dlp.srv.world:11211 [filter:ratelimit] use = egg:swift#ratelimit [filter:read_only] use = egg:swift#read_only [filter:domain_remap] use = egg:swift#domain_remap [filter:catch_errors] use = egg:swift#catch_errors [filter:cname_lookup] use = egg:swift#cname_lookup [filter:staticweb] use = egg:swift#staticweb [filter:formpost] use = egg:swift#formpost [filter:name_check] use = egg:swift#name_check [filter:etag-quoter] use = egg:swift#etag_quoter [filter:list-endpoints] use = egg:swift#list_endpoints [filter:proxy-logging] use = egg:swift#proxy_logging [filter:bulk] use = egg:swift#bulk [filter:slo] use = egg:swift#slo [filter:dlo] use = egg:swift#dlo [filter:container-quotas] use = egg:swift#container_quotas [filter:account-quotas] use = egg:swift#account_quotas [filter:gatekeeper] use = egg:swift#gatekeeper [filter:container_sync] use = egg:swift#container_sync 
[filter:xprofile] use = egg:swift#xprofile [filter:versioned_writes] use = egg:swift#versioned_writes [filter:copy] use = egg:swift#copy [filter:keymaster] use = egg:swift#keymaster meta_version_to_write = 2 encryption_root_secret = my_root_secret [filter:kms_keymaster] use = egg:swift#kms_keymaster [filter:kmip_keymaster] use = egg:swift#kmip_keymaster [filter:encryption] use = egg:swift#encryption [filter:listing_formats] use = egg:swift#listing_formats [filter:symlink] use = egg:swift#symlink
[root@network ~]#
vi /etc/swift/swift.conf
# 9,10行目 : 変更 (Swift ノード間でシェアする値 - 適当な文字列で OK。ただし全ノードで同一の値にし、クラスター構築後は変更しないこと。外部に漏らさない、推測されにくいランダムな文字列を推奨)
swift_hash_path_suffix = swift_shared_path
swift_hash_path_prefix = swift_shared_path
|
[3] | SELinux を有効にしている場合は、ポリシーの変更が必要です。 |
[root@network ~]#
vi swift-proxy.te # create new module swift-proxy 1.0; require { type gpg_exec_t; type keepalived_exec_t; type container_runtime_exec_t; type hostname_exec_t; type swift_t; type crontab_exec_t; type sudo_exec_t; class file getattr; } #============= swift_t ============== allow swift_t container_runtime_exec_t:file getattr; allow swift_t crontab_exec_t:file getattr; allow swift_t gpg_exec_t:file getattr; allow swift_t hostname_exec_t:file getattr; allow swift_t keepalived_exec_t:file getattr; allow swift_t sudo_exec_t:file getattr; checkmodule -m -M -o swift-proxy.mod swift-proxy.te [root@network ~]# semodule_package --outfile swift-proxy.pp --module swift-proxy.mod [root@network ~]# semodule -i swift-proxy.pp |
[4] | Firewalld を有効にしている場合は、サービスポートの許可が必要です。 |
[root@network ~]# firewall-cmd --add-port=8080/tcp success [root@network ~]# firewall-cmd --runtime-to-permanent success |
[5] | Swift Ring ファイルの設定です。 create の引数は順に partition power (12 → 2^12 パーティション)、レプリカ数 (3)、min_part_hours (1) です。 |
[root@network ~]#
swift-ring-builder /etc/swift/account.builder create 12 3 1 [root@network ~]# swift-ring-builder /etc/swift/container.builder create 12 3 1 [root@network ~]# swift-ring-builder /etc/swift/object.builder create 12 3 1
[root@network ~]#
swift-ring-builder /etc/swift/account.builder add r0z0-10.0.0.71:6202/device 100 Device d0r0z0-10.0.0.71:6202R10.0.0.71:6202/device_"" with 100.0 weight got id 0 [root@network ~]# swift-ring-builder /etc/swift/container.builder add r0z0-10.0.0.71:6201/device 100 Device d0r0z0-10.0.0.71:6201R10.0.0.71:6201/device_"" with 100.0 weight got id 0 [root@network ~]# swift-ring-builder /etc/swift/object.builder add r0z0-10.0.0.71:6200/device 100 Device d0r0z0-10.0.0.71:6200R10.0.0.71:6200/device_"" with 100.0 weight got id 0
[root@network ~]#
swift-ring-builder /etc/swift/account.builder add r1z1-10.0.0.72:6202/device 100 Device d1r1z1-10.0.0.72:6202R10.0.0.72:6202/device_"" with 100.0 weight got id 1 [root@network ~]# swift-ring-builder /etc/swift/container.builder add r1z1-10.0.0.72:6201/device 100 Device d1r1z1-10.0.0.72:6201R10.0.0.72:6201/device_"" with 100.0 weight got id 1 [root@network ~]# swift-ring-builder /etc/swift/object.builder add r1z1-10.0.0.72:6200/device 100 Device d1r1z1-10.0.0.72:6200R10.0.0.72:6200/device_"" with 100.0 weight got id 1
[root@network ~]#
swift-ring-builder /etc/swift/account.builder add r2z2-10.0.0.73:6202/device 100 Device d2r2z2-10.0.0.73:6202R10.0.0.73:6202/device_"" with 100.0 weight got id 2 [root@network ~]# swift-ring-builder /etc/swift/container.builder add r2z2-10.0.0.73:6201/device 100 Device d2r2z2-10.0.0.73:6201R10.0.0.73:6201/device_"" with 100.0 weight got id 2 [root@network ~]# swift-ring-builder /etc/swift/object.builder add r2z2-10.0.0.73:6200/device 100 Device d2r2z2-10.0.0.73:6200R10.0.0.73:6200/device_"" with 100.0 weight got id 2
[root@network ~]#
[root@network ~]# swift-ring-builder /etc/swift/account.builder rebalance Reassigned 12288 (300.00%) partitions. Balance is now 0.00. Dispersion is now 0.00 [root@network ~]# swift-ring-builder /etc/swift/container.builder rebalance Reassigned 12288 (300.00%) partitions. Balance is now 0.00. Dispersion is now 0.00 [root@network ~]# swift-ring-builder /etc/swift/object.builder rebalance Reassigned 12288 (300.00%) partitions. Balance is now 0.00. Dispersion is now 0.00 chown swift:swift /etc/swift/*.gz [root@network ~]# systemctl enable --now openstack-swift-proxy |
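[6] | ネットワークノード用の SSL/TLS 証明書を取得 または 自己署名の証明書を作成して、Nginx にプロキシの設定をします。 Swift-Proxy 自体は 127.0.0.1:8080 で待ち受け、外部からの接続は Nginx が 10.0.0.50:8080 で TLS 終端して中継する構成です。 自己署名の証明書を使う場合は、クライアント側で証明書検証を無効にするのではなく、発行元の証明書を信頼ストアに登録してください。 |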
[root@network ~]# mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.org
[root@network ~]#
vi /etc/nginx/nginx.conf # 新規作成 user nginx; worker_processes auto; error_log /var/log/nginx/error.log; pid /run/nginx.pid; include /usr/share/nginx/modules/*.conf; events { worker_connections 1024; } http { log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; access_log /var/log/nginx/access.log main; sendfile on; tcp_nopush on; tcp_nodelay on; keepalive_timeout 65; types_hash_max_size 2048; include /etc/nginx/mime.types; default_type application/octet-stream; include /etc/nginx/conf.d/*.conf; } stream { upstream swift-proxy { server 127.0.0.1:8080; } server { listen 10.0.0.50:8080 ssl; proxy_pass swift-proxy; } ssl_certificate "/etc/letsencrypt/live/network.srv.world/fullchain.pem"; ssl_certificate_key "/etc/letsencrypt/live/network.srv.world/privkey.pem"; } systemctl enable --now nginx |