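While building an OpenStack high-availability cluster, I followed this blog post for the procedure (see its haproxy and keystone sections):
https://www.cnblogs.com/netonline/p/9201049.html
Configuring haproxy went fine, but the keystone authentication step that follows failed. I checked
/var/log/httpd/error_log
and the output of
systemctl status httpd -l
After careful analysis, the cause turned out to be this: keystone bootstrap uses ports 35357 and 5000 (from the OpenStack Rocky release onward, only port 5000 is used), so we had edited the httpd file
/etc/httpd/conf.d/wsgi-keystone.conf to add and adjust the directives for listening on ports 5000 and 35357. However, the haproxy configuration file already contained the following: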
listen keystone_public_cluster
bind 192.168.1.139:5000
balance source
option tcpka
option httpchk
option tcplog
server controller1 192.168.1.73:5000 check inter 2000 rise 2 fall 5
server controller2 192.168.1.140:5000 check inter 2000 rise 2 fall 5
server controller3 192.168.1.143:5000 check inter 2000 rise 2 fall 5
listen keystone_admin_cluster
bind 192.168.1.139:35357
balance source
option tcpka
option httpchk
option tcplog
server controller1 192.168.1.73:35357 check inter 2000 rise 2 fall 5
server controller2 192.168.1.140:35357 check inter 2000 rise 2 fall 5
server controller3 192.168.1.143:35357 check inter 2000 rise 2 fall 5
listen dashboard_cluster
bind 192.168.1.139:80
balance source
option tcpka
option httpchk
option tcplog
server controller1 192.168.1.73:80 check inter 2000 rise 2 fall 5
server controller2 192.168.1.140:80 check inter 2000 rise 2 fall 5
server controller3 192.168.1.143:80 check inter 2000 rise 2 fall 5
As a result, these two ports conflicted and the httpd service could not listen on them.
At this point, checking haproxy with netstat:
[root@controller3 ~]# netstat -ntpl | grep haproxy
tcp 0 0 192.168.1.139:5000 0.0.0.0:* LISTEN 35498/haproxy
tcp 0 0 192.168.1.139:35357 0.0.0.0:* LISTEN 35498/haproxy
tcp 0 0 192.168.1.139:80 0.0.0.0:* LISTEN 35498/haproxy
The following command, which checks httpd, produced no output:
[root@controller3 ~]# netstat -ntpl | grep httpd
After some consideration, I changed the haproxy configuration file as follows (port 5000 changed to 5001, port 35357 to 35358, and port 80 to 8080):
[root@controller3 ~]# vi /etc/haproxy/haproxy.cfg
listen keystone_public_cluster
bind 192.168.1.139:5001
balance source
option tcpka
option httpchk
option tcplog
server controller1 192.168.1.73:5000 check inter 2000 rise 2 fall 5
server controller2 192.168.1.140:5000 check inter 2000 rise 2 fall 5
server controller3 192.168.1.143:5000 check inter 2000 rise 2 fall 5
listen keystone_admin_cluster
bind 192.168.1.139:35358
balance source
option tcpka
option httpchk
option tcplog
server controller1 192.168.1.73:35357 check inter 2000 rise 2 fall 5
server controller2 192.168.1.140:35357 check inter 2000 rise 2 fall 5
server controller3 192.168.1.143:35357 check inter 2000 rise 2 fall 5
listen dashboard_cluster
bind 192.168.1.139:8080
balance source
option tcpka
option httpchk
option tcplog
server controller1 192.168.1.73:80 check inter 2000 rise 2 fall 5
server controller2 192.168.1.140:80 check inter 2000 rise 2 fall 5
server controller3 192.168.1.143:80 check inter 2000 rise 2 fall 5
Restart the services and check netstat again:
[root@controller3 ~]# systemctl restart haproxy
[root@controller3 ~]# netstat -ntpl | grep haproxy
tcp 0 0 192.168.1.139:5001 0.0.0.0:* LISTEN 40193/haproxy
tcp 0 0 192.168.1.139:8080 0.0.0.0:* LISTEN 40193/haproxy
tcp 0 0 192.168.1.139:35358 0.0.0.0:* LISTEN 40193/haproxy
[root@controller3 ~]# systemctl restart httpd
[root@controller3 ~]# netstat -ntpl | grep http
tcp 0 0 192.168.1.143:5000 0.0.0.0:* LISTEN 40270/httpd
tcp 0 0 192.168.1.143:80 0.0.0.0:* LISTEN 40270/httpd
tcp 0 0 192.168.1.143:35357 0.0.0.0:* LISTEN 40270/httpd
tcp6 0 0 :::443 :::* LISTEN 40270/httpd
httpd is now listening on its ports normally, and keystone bootstrap and authentication requests work from here on.
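The port check done by hand above can be scripted. The following is an added example, not code from the original post: it compares the ports httpd wants to open against the sockets other programs already hold according to `netstat -ntpl`. The `Listen` directives in `HTTPD_CONF` are an assumption (the post does not show the contents of wsgi-keystone.conf), and the function names are hypothetical.

```python
WILDCARDS = {"0.0.0.0", "*", "::"}

def parse_listen(conf_text):
    """Return (ip, port) for each httpd Listen directive; a bare port means all addresses."""
    wanted = []
    for line in conf_text.splitlines():
        tok = line.split()
        if len(tok) >= 2 and tok[0].lower() == "listen":
            ip, _, port = tok[1].rpartition(":")
            wanted.append((ip.strip("[]") or "*", int(port)))
    return wanted

def parse_listeners(netstat_text):
    """Return (ip, port, program) for each LISTEN row of `netstat -ntpl` output."""
    held = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) >= 7 and f[0].startswith("tcp") and f[5] == "LISTEN":
            ip, _, port = f[3].rpartition(":")
            held.append((ip, int(port), f[6].split("/", 1)[-1]))
    return held

def find_conflicts(wanted, held, own="httpd"):
    """A Listen fails when another program holds that port on the same or a wildcard address."""
    hits = []
    for ip, port in wanted:
        for lip, lport, prog in held:
            if prog != own and lport == port and (lip == ip or WILDCARDS & {lip, ip}):
                hits.append((f"{ip}:{port}", f"{lip}:{lport}", prog))
    return hits

# Assumed httpd directives (constructed; the page does not show wsgi-keystone.conf).
HTTPD_CONF = "Listen 5000\nListen 35357\nListen 80\n"
# netstat rows as shown on the page, before and after the haproxy change.
BEFORE = """tcp 0 0 192.168.1.139:5000 0.0.0.0:* LISTEN 35498/haproxy
tcp 0 0 192.168.1.139:35357 0.0.0.0:* LISTEN 35498/haproxy
tcp 0 0 192.168.1.139:80 0.0.0.0:* LISTEN 35498/haproxy"""
AFTER = """tcp 0 0 192.168.1.139:5001 0.0.0.0:* LISTEN 40193/haproxy
tcp 0 0 192.168.1.139:8080 0.0.0.0:* LISTEN 40193/haproxy
tcp 0 0 192.168.1.139:35358 0.0.0.0:* LISTEN 40193/haproxy"""

if __name__ == "__main__":
    for label, rows in (("before", BEFORE), ("after", AFTER)):
        print(label, find_conflicts(parse_listen(HTTPD_CONF), parse_listeners(rows)))
```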