Keystone 高可靠性部署与性能测试

<span style="font-family:Courier New;">global
    daemon
    log 127.0.0.1 local3
 
defaults
    maxconn 4000
    log     global
    timeout server 10s
    timeout connect 10s
    timeout client 10s
    mode http
    option forwardfor
    option http-server-close
    log global
 
listen stats
    mode http
    bind public_ip:8000
    stats enable
    stats hide-version
    stats uri     /
    stats realm   Haproxy\ Statistics
    stats auth    lecloud:openstack
    stats admin if TRUE
 
frontend keystone_frontend
    bind </span><span style="font-family: 'Courier New';">public_ip</span><span style="font-family:Courier New;">:443 ssl crt /etc/haproxy/keystone_https.pem
    reqadd X-Forwarded-Proto:\ https
    acl admin_path path_beg  /admin
    acl main_path  path_beg  /main
    use_backend admin_backend if admin_path
    use_backend main_backend if main_path
 
backend admin_backend
    balance roundrobin
    redirect scheme https if !{ ssl_fc }
    server keystone-server-01 internal_ip01:35357 check inter 10s
    server keystone-server-02 internal_ip02:35357 check inter 10s
 
backend main_backend
    balance roundrobin
    redirect scheme https if !{ ssl_fc }
    server keystone-server-01 internal_ip01:5000 check inter 10s
    server keystone-server-02 internal_ip02:5000 check inter 10s</span>

<span style="font-family:Courier New;"><span style="color:#333333;">vrrp_script haproxy-check {
    script "killall -0 haproxy"
    interval 2
    weight 10
}
 
vrrp_instance openstack-vip {
    state MASTER               </span><span style="color:#ff0000;"># 注：keystone01 为 MASTER, keystone02 为 BACKUP</span><span style="color:#333333;">
    priority 102
    interface eth0
    virtual_router_id 108
    advert_int 3
    virtual_ipaddress {
        public_ip
    }
    track_script {
        haproxy-check
    }
}</span></span>

# mkdir   /var/www/cgi-bin/keystone/
# cp   /usr/share/keystone/keystone.wsgi   /var/www/cgi-bin/keystone/
# ln   -s   /var/www/cgi-bin/keystone/keystone.wsgi   /var/www/cgi-bin/keystone/admin
# ln   -s   /var/www/cgi-bin/keystone/keystone.wsgi   /var/www/cgi-bin/keystone/main
# service   httpd   start
# chkconfig   httpd   on
# keystone-manage   ssl_setup   --keystone-user   keystone   --keystone-group   keystone                     注：keystone01
# cat  /etc/keystone/ssl/certs/keystone.pem   /etc/keystone/ssl/private/keystonekey.pem   >   /etc/haproxy/keystone_https.pem              注：keystone01，同时把 keystone_https.pem 拷贝至 keystone02 /etc/haproxy/ 目录下

# (crontab   -l   -u   keystone   2>&1 | grep   -q   token_flush)   ||   echo ‘@dayly   /usr/bin/keystone-manage   token_flush >/var/log/keystone/keystone-tokenflush.log   2>&1‘   >>   /var/spool/cron/keystone
# echo   "net.ipv4.ip_nonlocal_bind = 1"   >>   /etc/sysctl.conf
# sysctl   -p
# service   haproxy   start
# chkconfig   haproxy   on
# service   keepalived   start
# chkconfig   keepalived   on

Benchmark

Configure Rally

关于 Rally，详情请参见  Openstack 性能测试 http://blog.csdn.net/wsfdl/article/details/41654373

# git   clone   https://git.openstack.org/stackforge/rally   &&   cd   rally
# ./rally/install_rally.sh   -v
# source   /opt/rally/bin/activate
#  rally   deployment   create   --filename=existing.json   --name=existing
#  rally   -v   task   start   create-user.json

<span style="font-family:Courier New;">(rally)[root@controller rally]# cat existing.json
{
    "type": "ExistingCloud",
    "auth_url": "https://keystone-server/admin/v2.0",
    "admin": {
        "username": "test",
        "password": "test",
        "tenant_name": "test"
    }
}</span>

<span style="font-family:Courier New;"><span style="color:#333333;">[default]
# Use SSL for all OpenStack API interfaces
https_insecure=False      </span><span style="color:#ff0000;">#Rally 对 HTTPS 测试的支持有个 Bug，已被小弟修复合入社区</span><span style="color:#333333;">
# Path to CA server cetrificate for SSL
https_cacert=/etc/ca.pem</span></span>

Result

注：以创建用户为例，一个并发数(Concurrency)，包含两个 HTTPS 请求（一个为申请 token，另一个为创建用户）。此处仅给出 mysql(单点) 数据库下keystone server 的并发性能。