OpenStack Dalmatian : Swift 設定 (Proxy ノード)2024/10/15

OpenStack Object Storage（Swift）を設定します。

当例では以下のような環境を例に Swift サービスを設定します。

------------+--------------------------+------------
            |                          |
        eth0|10.0.0.30             eth0|10.0.0.50
+-----------+-----------+  +-----------+-----------+
|   [ dlp.srv.world ]   |  | [ network.srv.world ] |
|     (Control Node)    |  |      (Proxy Node)     |
|                       |  |                       |
|  MariaDB    RabbitMQ  |  |      Swift Proxy      |
|  Memcached  Nginx     |  |         Nginx         |
|  Keystone   httpd     |  |                       |
+-----------------------+  +-----------------------+

------------+--------------------------+--------------------------+-----------
        eth0|10.0.0.71             eth0|10.0.0.72             eth0|10.0.0.73
+-----------+-----------+  +-----------+-----------+  +-----------+-----------+
|  [snode01.srv.world]  |  |  [snode02.srv.world]  |  |  [snode03.srv.world]  |
|    (Storage Node#1)   |  |    (Storage Node#2)   |  |    (Storage Node#3)   |
|                       |  |                       |  |                       |
|     Swift-Account     |  |     Swift-Account     |  |     Swift-Account     |
|    Swift-Container    |  |    Swift-Container    |  |    Swift-Container    |
|     Swift-Object      |  |     Swift-Object      |  |     Swift-Object      |
+-----------------------+  +-----------------------+  +-----------------------+

[1]	Proxy ノードに Swift-Proxy をインストールします。

# Dalmatian, EPEL, CRB からインストール

[root@network ~]#

dnf --enablerepo=centos-openstack-dalmatian,epel,crb -y install openstack-swift-proxy python3-memcached openssh-clients nginx nginx-mod-stream

[2]	Swift-Proxy を設定します。

[root@network ~]#

mv /etc/swift/proxy-server.conf /etc/swift/proxy-server.conf.org

[root@network ~]#

vi /etc/swift/proxy-server.conf

# 新規作成

[DEFAULT]
bind_ip = 127.0.0.1
bind_port = 8080
keep_idle = 600
bind_timeout = 30
backlog = 4096
swift_dir = /etc/swift
user = swift

[pipeline:main]
pipeline = catch_errors gatekeeper healthcheck proxy-logging cache listing_formats container_sync bulk ratelimit copy container-quotas account-quotas slo dlo versioned_writes symlink proxy-logging proxy-server

[app:proxy-server]
use = egg:swift#proxy
allow_account_management = true
account_autocreate = true

[filter:s3api]
use = egg:swift#s3api

[filter:s3token]
use = egg:swift#s3token
reseller_prefix = AUTH_
delay_auth_decision = False
# Keystone 認証情報
auth_uri = https://dlp.srv.world:5000/v3
http_timeout = 10.0
auth_url = https://dlp.srv.world:5000
auth_type = password
project_domain_name = Default
project_domain_id = default
user_domain_name = Default
project_name = service
username = swift
password = servicepassword

[filter:healthcheck]
use = egg:swift#healthcheck

[filter:cache]
use = egg:swift#memcache
# Memcached サーバーを指定
memcache_servers = dlp.srv.world:11211

[filter:ratelimit]
use = egg:swift#ratelimit

[filter:read_only]
use = egg:swift#read_only

[filter:domain_remap]
use = egg:swift#domain_remap

[filter:catch_errors]
use = egg:swift#catch_errors

[filter:cname_lookup]
use = egg:swift#cname_lookup

[filter:staticweb]
use = egg:swift#staticweb

[filter:formpost]
use = egg:swift#formpost

[filter:name_check]
use = egg:swift#name_check

[filter:etag-quoter]
use = egg:swift#etag_quoter

[filter:list-endpoints]
use = egg:swift#list_endpoints

[filter:proxy-logging]
use = egg:swift#proxy_logging

[filter:bulk]
use = egg:swift#bulk

[filter:slo]
use = egg:swift#slo

[filter:dlo]
use = egg:swift#dlo

[filter:container-quotas]
use = egg:swift#container_quotas

[filter:account-quotas]
use = egg:swift#account_quotas

[filter:gatekeeper]
use = egg:swift#gatekeeper

[filter:container_sync]
use = egg:swift#container_sync

[filter:xprofile]
use = egg:swift#xprofile

[filter:versioned_writes]
use = egg:swift#versioned_writes

[filter:copy]
use = egg:swift#copy

[filter:keymaster]
use = egg:swift#keymaster
meta_version_to_write = 2
encryption_root_secret = my_root_secret

[filter:kms_keymaster]
use = egg:swift#kms_keymaster

[filter:kmip_keymaster]
use = egg:swift#kmip_keymaster

[filter:encryption]
use = egg:swift#encryption

[filter:listing_formats]
use = egg:swift#listing_formats

[filter:symlink]
use = egg:swift#symlink

[root@network ~]#

vi /etc/swift/swift.conf

# 9,10行目 : 変更 (Swift ノード間でシェアする値 - 適当な文字列で OK)

swift_hash_path_suffix =

swift_shared_path

swift_hash_path_prefix =

swift_shared_path

[3]	SELinux を有効にしている場合は、ポリシーの変更が必要です。

[root@network ~]#

vi swift-proxy.te

# create new

module swift-proxy 1.0;

require {
        type gpg_exec_t;
        type keepalived_exec_t;
        type container_runtime_exec_t;
        type hostname_exec_t;
        type swift_t;
        type crontab_exec_t;
        type sudo_exec_t;
        class file getattr;
}

#============= swift_t ==============
allow swift_t container_runtime_exec_t:file getattr;
allow swift_t crontab_exec_t:file getattr;
allow swift_t gpg_exec_t:file getattr;
allow swift_t hostname_exec_t:file getattr;
allow swift_t keepalived_exec_t:file getattr;
allow swift_t sudo_exec_t:file getattr;

[root@network ~]#

checkmodule -m -M -o swift-proxy.mod swift-proxy.te

[root@network ~]#

semodule_package --outfile swift-proxy.pp --module swift-proxy.mod

[root@network ~]#

semodule -i swift-proxy.pp

[4]	Firewalld を有効にしている場合は、サービスポートの許可が必要です。

[root@network ~]#

firewall-cmd --add-port=8080/tcp

success
[root@network ~]#

firewall-cmd --runtime-to-permanent

success

[5]	Swift Ring ファイルの設定です。

[root@network ~]#

swift-ring-builder /etc/swift/account.builder create 12 3 1

[root@network ~]#

swift-ring-builder /etc/swift/container.builder create 12 3 1

[root@network ~]#

swift-ring-builder /etc/swift/object.builder create 12 3 1

[root@network ~]#

swift-ring-builder /etc/swift/account.builder add r0z0-10.0.0.71:6202/device 100

Device d0r0z0-10.0.0.71:6202R10.0.0.71:6202/device_"" with 100.0 weight got id 0
[root@network ~]#

swift-ring-builder /etc/swift/container.builder add r0z0-10.0.0.71:6201/device 100

Device d0r0z0-10.0.0.71:6201R10.0.0.71:6201/device_"" with 100.0 weight got id 0
[root@network ~]#

swift-ring-builder /etc/swift/object.builder add r0z0-10.0.0.71:6200/device 100

Device d0r0z0-10.0.0.71:6200R10.0.0.71:6200/device_"" with 100.0 weight got id 0

[root@network ~]#

swift-ring-builder /etc/swift/account.builder add r1z1-10.0.0.72:6202/device 100

Device d1r1z1-10.0.0.72:6202R10.0.0.72:6202/device_"" with 100.0 weight got id 1
[root@network ~]#

swift-ring-builder /etc/swift/container.builder add r1z1-10.0.0.72:6201/device 100

Device d1r1z1-10.0.0.72:6201R10.0.0.72:6201/device_"" with 100.0 weight got id 1
[root@network ~]#

swift-ring-builder /etc/swift/object.builder add r1z1-10.0.0.72:6200/device 100

Device d1r1z1-10.0.0.72:6200R10.0.0.72:6200/device_"" with 100.0 weight got id 1

[root@network ~]#

swift-ring-builder /etc/swift/account.builder add r2z2-10.0.0.73:6202/device 100

Device d2r2z2-10.0.0.73:6202R10.0.0.73:6202/device_"" with 100.0 weight got id 2
[root@network ~]#

swift-ring-builder /etc/swift/container.builder add r2z2-10.0.0.73:6201/device 100

Device d2r2z2-10.0.0.73:6201R10.0.0.73:6201/device_"" with 100.0 weight got id 2
[root@network ~]#

swift-ring-builder /etc/swift/object.builder add r2z2-10.0.0.73:6200/device 100

Device d2r2z2-10.0.0.73:6200R10.0.0.73:6200/device_"" with 100.0 weight got id 2

[root@network ~]#

swift-ring-builder /etc/swift/account.builder rebalance

Reassigned 12288 (300.00%) partitions. Balance is now 0.00. Dispersion is now 0.00
[root@network ~]#

swift-ring-builder /etc/swift/container.builder rebalance

Reassigned 12288 (300.00%) partitions. Balance is now 0.00. Dispersion is now 0.00
[root@network ~]#

swift-ring-builder /etc/swift/object.builder rebalance

Reassigned 12288 (300.00%) partitions. Balance is now 0.00. Dispersion is now 0.00

[root@network ~]#

chown swift:swift /etc/swift/*.gz

[root@network ~]#

systemctl enable --now openstack-swift-proxy

[6]	ネットワークノード用の SSL/TLS 証明書を取得または自己署名の証明書を作成して、Nginx にプロキシの設定をします。

[root@network ~]#

mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.org

[root@network ~]#

vi /etc/nginx/nginx.conf

# 新規作成

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
include /usr/share/nginx/modules/*.conf;
events {
    worker_connections 1024;
}
http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    access_log  /var/log/nginx/access.log  main;
    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;
    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;
    include /etc/nginx/conf.d/*.conf;
}

stream {
    upstream swift-proxy {
        server 127.0.0.1:8080;
    }
    server {
        listen 10.0.0.50:8080 ssl;
        proxy_pass swift-proxy;
    }
    ssl_certificate "/etc/letsencrypt/live/network.srv.world/fullchain.pem";
    ssl_certificate_key "/etc/letsencrypt/live/network.srv.world/privkey.pem";
}

[root@network ~]#

systemctl enable --now nginx