The basic notes below are compiled from the official OpenStack documentation (Chinese translation); the deployment follows the official installation guide.
OpenStack is an open-source cloud computing management platform: a set of tools for deploying and operating a cloud, made up of several main components that each take care of one job.
Services:
Dashboard: a web-based self-service portal that talks to the underlying OpenStack services, for example to launch an instance, assign IP addresses and configure access control.
Compute: manages the lifecycle of compute instances in an OpenStack environment, handling on-demand operations such as spawning, scheduling and decommissioning virtual machines.
Networking: provides network connectivity as a service to other OpenStack services, such as Compute, and gives users an API to define networks and attach to them. Its plug-in architecture supports many network providers and technologies.
Storage:
Object Storage: stores and retrieves arbitrary unstructured data objects through a RESTful, HTTP-based API. It is highly fault tolerant thanks to data replication and a scale-out architecture. Unlike a file server, it does not present a directory tree to mount; it writes objects and files to multiple drives so that data is replicated across servers in the cluster.
Block Storage: provides persistent block storage to running instances. Its pluggable driver architecture makes it possible to create and manage block storage devices.
Shared services:
Identity service: provides authentication and authorization for the other OpenStack services, and a catalog of endpoints for all OpenStack services.
Image service: stores and retrieves virtual machine disk images; Compute uses it when provisioning instances.
Telemetry service: monitors and meters the OpenStack cloud for billing, benchmarking, scalability and statistical purposes.
Higher-level services:
Orchestration service: orchestrates composite cloud applications through either the OpenStack-native REST API or a CloudFormation-compatible Query API, using templates in HOT (Heat Orchestration Template) format or AWS CloudFormation format.
Lab environment:
Operating system: Red Hat Enterprise Linux 7.2, with the firewall and SELinux turned off. That is acceptable for this lab only; a production deployment keeps both on and opens just the ports each service needs.
172.25.60.20 controller 4 GB RAM, 1 CPU
172.25.60.21 compute1 2 GB RAM, 1 CPU
OpenStack environment
Configuration of the virtual hosts:
1. Disable NetworkManager:
[root@controller ~]# systemctl disable NetworkManager
[root@controller ~]# systemctl status NetworkManager
● Networkmanager.service
Loaded: not-found (Reason: No such file or directory)
Active: inactive (dead)
The not-found status above means systemd could not find a unit with the name as typed; unit names are case-sensitive (NetworkManager.service), so re-check the name before trusting an "inactive" result. disable only removes the unit from the boot targets; stop it as well (systemctl stop NetworkManager) so that it does not keep rewriting the interface configuration on the running system.
2. Give the controller VM two virtual NICs:
If the VM's interfaces are not shown as eth0 and eth1, add net.ifnames=0 to the kernel command line so that they are named that way. Editing /boot/grub2/grub.cfg directly, as shown below, lasts only until grub2-mkconfig regenerates the file; the durable way is to add the parameter to GRUB_CMDLINE_LINUX in /etc/default/grub and then run grub2-mkconfig -o /boot/grub2/grub.cfg. A kernel parameter takes effect at the next reboot; restarting the network service alone does not rename the interfaces.
[root@controller ~]# vim /boot/grub2/grub.cfg
linux16 /vmlinuz-3.10.0-327.el7.x86_64 root=UUID=0771ce76-7981-48ae-bcb4-7ad29f2a2e22 ro crashkernel=auto rhgb quiet LANG=en_US.UTF-8 net.ifnames=0
[root@controller ~]# systemctl restart network
[root@controller ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 52:54:00:87:5d:fb brd ff:ff:ff:ff:ff:ff
inet 172.25.60.20/24 brd 172.25.60.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::5054:ff:fe87:5dfb/64 scope link
valid_lft forever preferred_lft forever
4: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 52:54:00:88:27:52 brd ff:ff:ff:ff:ff:ff
3. Configure local name resolution on both VMs:
[root@controller ~]# vim /etc/hosts
172.25.60.20 controller
172.25.60.21 compute1
The configuration files for the two NICs:
[root@controller network-scripts]# cat ifcfg-eth0
TYPE=Ethernet
BOOTPROTO=static
DEFROUTE=yes
NAME=eth0
DEVICE=eth0
ONBOOT=yes
IPADDR=172.25.60.20
PREFIX=24
[root@controller network-scripts]# cat ifcfg-eth1
TYPE=Ethernet
BOOTPROTO=none
NAME=eth1
DEVICE=eth1
ONBOOT=yes
4. Flush all iptables rules (lab only; this clears the running ruleset, and iptables -L should then show empty chains):
[root@controller network-scripts]# iptables -F
[root@controller network-scripts]# iptables -L
5. yum repository configuration
[root@server20 yum.repos.d]# cat yum.repo
[rhel7.2]
name=rhel7.2
baseurl=http://172.25.60.250/rhel7.2
gpgcheck=0
[dvd]
name=openstac
baseurl=http://172.25.60.250/mitaka
gpgcheck=0
Note that gpgcheck=0 turns off package signature verification. That is tolerable for an isolated lab mirror; for any other source, import the vendor GPG keys and set gpgcheck=1, otherwise a tampered mirror can hand you modified packages. Once the repositories are configured, yum repolist shows the OpenStack packages:
repo id repo name status
dvd openstac 279
rhel7.2 rhel7.2 4,620
repolist: 4,899
Network Time Protocol
Synchronize the clocks of the host machine and the VMs. OpenStack becomes sensitive to clock skew as the number of nodes grows: token expiry and service heartbeats all compare timestamps across nodes.
In the lab, our host machine synchronizes with the instructor's host, and the VMs synchronize with our host:
[kiosk@foundation60 html]$ yum install -y chrony
[root@foundation60 html]# vim /etc/chrony.conf
server 172.25.254.250 iburst
allow 172.25/16
[root@foundation60 html]# chronyc sources -v
210 Number of sources = 1
.-- Source mode '^' = server, '=' = peer, '#' = local clock.
/ .- Source state '*' = current synced, '+' = combined , '-' = not combined,
| / '?' = unreachable, 'x' = time may be in error, '~' = time too variable.
|| .- xxxx [ yyyy ] +/- zzzz
|| Reachability register (octal) -. | xxxx = adjusted offset,
|| Log2(Polling interval) --. | | yyyy = measured offset,
|| \ | | zzzz = estimated error.
|| | | \
MS Name/IP address Stratum Poll Reach LastRx Last sample
===============================================================================
^* content.example.com 3 6 17 4 +4203ns[ +172us] +/- 51ms
Now the two VMs synchronize with the host machine (same steps on controller and compute1; the allow line is only needed on a machine that serves time to others and is harmless on a pure client):
[root@compute1 ~]# vim /etc/chrony.conf
server 172.25.60.250 iburst
allow 172.25/16
[root@compute1 ~]# systemctl restart chronyd
[root@compute1 ~]# chronyc sources -v
210 Number of sources = 1
.-- Source mode '^' = server, '=' = peer, '#' = local clock.
/ .- Source state '*' = current synced, '+' = combined , '-' = not combined,
| / '?' = unreachable, 'x' = time may be in error, '~' = time too variable.
|| .- xxxx [ yyyy ] +/- zzzz
|| Reachability register (octal) -. | xxxx = adjusted offset,
|| Log2(Polling interval) --. | | yyyy = measured offset,
|| \ | | zzzz = estimated error.
|| | | \
MS Name/IP address Stratum Poll Reach LastRx Last sample
===============================================================================
^* 172.25.60.250 4 6 17 8 +115ns[ +187us] +/- 55ms
Installing the OpenStack packages
On compute1:
[root@compute1 yum.repos.d]# yum upgrade ##bring the installed packages up to date (this upgrades packages, not the repository)
[root@compute1 ~]# yum install -y python-openstackclient ##install the OpenStack client
On the controller (from here on, every step runs on the controller unless stated otherwise):
[root@controller yum.repos.d]# yum upgrade
[root@controller ~]# yum install -y python-openstackclient
SQL database deployment
[root@server20 yum.repos.d]# yum install -y mariadb mariadb-server python2-PyMySQL
[root@server20 ~]# vim /etc/my.cnf.d/openstack.cnf
[mysqld]
bind-address = 172.25.60.20
###the management-network IP of the controller node, so that other nodes can reach the database over the management network (binding to one address rather than 0.0.0.0 keeps the database off the provider network)
default-storage-engine = innodb
innodb_file_per_table
max_connections = 4096
collation-server = utf8_general_ci
character-set-server = utf8
[root@server20 ~]# systemctl enable mariadb.service
Created symlink from /etc/systemd/system/multi-user.target.wants/mariadb.service to /usr/lib/systemd/system/mariadb.service.
[root@server20 ~]# systemctl start mariadb.service
[root@server20 ~]# mysql_secure_installation
###sets the database root password, removes the anonymous users and the test database, and disallows remote root login; answer yes to each prompt
Message queue
The message queue service usually runs on the controller node. OpenStack supports several message queue services, including RabbitMQ, Qpid and ZeroMQ. Install RabbitMQ:
[root@server20 ~]# yum install -y rabbitmq-server
[root@server20 ~]# systemctl enable rabbitmq-server.service
Created symlink from /etc/systemd/system/multi-user.target.wants/rabbitmq-server.service to /usr/lib/systemd/system/rabbitmq-server.service.
[root@server20 ~]# systemctl start rabbitmq-server.service
Add the openstack user (the password openstack matches the username here; use a real password outside a lab, since anyone holding it can read and inject every RPC message exchanged between the services):
[root@server20 ~]# rabbitmqctl add_user openstack openstack
Creating user "openstack" ...
Give the openstack user configure, write and read permissions:
[root@server20 ~]# rabbitmqctl set_permissions openstack ".*" ".*" ".*"
###The three regular expressions are, in order, the configure, write and read permissions on the default vhost (/); each is matched against resource (exchange and queue) names, and ".*" matches all of them. They are not read/write/execute bits. The management UI enabled below displays them.
[root@server20 ~]# netstat -antp ###check the listening ports
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:25672 0.0.0.0:* LISTEN
###25672 is the Erlang distribution port used for clustering; AMQP clients (the OpenStack services) connect to 5672, which should be listed as well
rabbitmq-plugins
rabbitmq-plugins enables, disables and lists plugins. It must be run by a user with write access to the RabbitMQ configuration directory; it resolves plugin dependencies and enables every plugin that is required.
[root@server20 ~]# rabbitmq-plugins list ##show all plugins
[root@server20 ~]# rabbitmq-plugins enable rabbitmq_management
###enable the rabbitmq_management plugin together with the plugins it depends on
The following plugins have been enabled:
mochiweb
webmachine
rabbitmq_web_dispatch
amqp_client
rabbitmq_management_agent
rabbitmq_management
Applying plugin configuration to rabbit@server20... started 6 plugins.
[root@server20 ~]# netstat -antp
tcp 0 0 0.0.0.0:15672 0.0.0.0:* LISTEN 20046/beam
Test in a browser: open http://172.25.60.20:15672
The default account is guest / guest. The Admin tab shows the configure, write and read permissions granted to the openstack user above.
The management UI is plain HTTP, and since RabbitMQ 3.3 the guest account can log in only from localhost by default, so if it works from another machine that restriction has been lifted. Change the guest password or delete the account (rabbitmqctl delete_user guest) before the port is reachable from anywhere but the management network.
Installing Memcached
The Identity service caches the tokens it issues and validates in Memcached; the service runs on the controller node.
[root@server20 ~]# yum install -y memcached python-memcached.noarch
[root@server20 ~]# vim /etc/sysconfig/memcached
#OPTIONS="-l 127.0.0.1,::1"
Commenting out the -l option, as above, makes memcached listen on every interface (0.0.0.0:11211 in the netstat output below). Memcached has no authentication and the cache holds validated Keystone tokens, so the official guide's setting is the better choice: keep the option and append the management address, OPTIONS="-l 127.0.0.1,::1,controller", so that only loopback and the management network can reach it.
[root@server20 ~]# systemctl enable memcached
Created symlink from /etc/systemd/system/multi-user.target.wants/memcached.service to /usr/lib/systemd/system/memcached.service.
[root@server20 ~]# systemctl start memcached
[root@server20 ~]# netstat -antp | grep :11211
tcp 0 0 0.0.0.0:11211 0.0.0.0:* LISTEN 20977/memcached
tcp6 0 0 :::11211 :::* LISTEN 20977/memcached
Identity service
OpenStack Identity service
Provides a single point of integration for managing authentication, authorization and the service catalog. The other OpenStack services use it as a common, unified API.
To benefit from the Identity service, the other OpenStack services must cooperate with it. When a service receives a request from a user, it asks the Identity service to verify that the user is authorized to make that request.
The Identity service contains these components:
Server: a centralized server provides authentication and authorization services through a RESTful interface.
Drivers: drivers, or service back ends, are integrated into the centralized server. They are used to access identity information in repositories external to OpenStack, which may already exist in the infrastructure where OpenStack is deployed (for example, a SQL database or an LDAP server).
Modules: middleware modules run in the address space of the OpenStack component that uses the Identity service. They intercept service requests, extract the user credentials and send them to the central server for authorization. The integration between the middleware modules and the OpenStack components uses the Python Web Server Gateway Interface.
Installation and configuration
Before installing the OpenStack Identity service, you must create a database and an administration token.
MariaDB [(none)]> CREATE DATABASE keystone;
Query OK, 1 row affected (0.00 sec)
###create the keystone database
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
-> IDENTIFIED BY 'keystone';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
-> IDENTIFIED BY 'keystone';
Query OK, 0 rows affected (0.00 sec)
###grant the keystone user full rights on the database (the password keystone matches the username; lab only)
Generate a random value to use as the administration token during initial configuration. Whoever presents this token gets full administrative access without authenticating, so treat it as a secret and disable it once the admin user exists.
[root@server20 ~]# openssl rand -hex 10
7b345d18876548ae5769
Install the components and configure them:
[root@server20 ~]# yum install -y openstack-keystone httpd mod_wsgi
[root@controller ~]# cd /etc/keystone/
[root@controller keystone]# vim keystone.conf
[DEFAULT]
admin_token = 7b345d18876548ae5769
###set the initial administration token to the value generated in the previous step
Configure database access:
[database]
connection = mysql+pymysql://keystone:keystone@controller/keystone
mysql+pymysql: the SQLAlchemy dialect (MySQL, which MariaDB speaks) and the driver (PyMySQL, installed earlier as python2-PyMySQL)
keystone:keystone@: connect as database user keystone with password keystone
controller/keystone: the keystone database on the host controller
Configure the Fernet token provider:
[token]
provider = fernet ###Fernet tokens are signed with the keys created below and need no database storage; Mitaka's default is the uuid provider
Populate the Identity service database (as long as the command exits without an error, the deprecation warnings it prints can be ignored):
[root@controller keystone]# su -s /bin/sh -c "keystone-manage db_sync" keystone
###check the synced tables in the database
MariaDB [(none)]> use keystone;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MariaDB [keystone]> show tables;
+------------------------+
| Tables_in_keystone |
+------------------------+
| access_token |
| assignment |
| config_register |
| consumer |
| credential |
| domain |
| endpoint |
| endpoint_group |
| federated_user |
| federation_protocol |
| group |
| id_mapping |
| identity_provider |
| idp_remote_ids |
| implied_role |
| local_user |
| mapping |
| migrate_version |
| password |
| policy |
| policy_association |
| project |
| project_endpoint |
| project_endpoint_group |
| region |
| request_token |
| revocation_event |
| role |
| sensitive_config |
| service |
| service_provider |
| token |
| trust |
| trust_role |
| user |
| user_group_membership |
| whitelisted_config |
+------------------------+
37 rows in set (0.00 sec)
Initialize the Fernet keys:
[root@controller keystone]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
[root@controller keystone]# pwd
/etc/keystone
[root@controller keystone]# cd fernet-keys/
[root@controller fernet-keys]# ll ##the generated key files
total 8
-rw------- 1 keystone keystone 44 Jul 26 14:52 0
-rw------- 1 keystone keystone 44 Jul 26 14:52 1
Key 0 is the staged key and key 1 is the primary key that signs every token. Anyone who can read these files can forge a token for any user, so keep the 0600 mode and keystone ownership shown here, include the directory in backups, and rotate the keys on a schedule with keystone-manage fernet_rotate.
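As an added example (not code from this page or from Keystone), the following Python script models the key repository shown above and the rules keystone-manage fernet_rotate applies to it: key 0 is staged, the highest index is the primary, promotion moves the staged key to the top, and keys beyond max_active_keys (Keystone's default is 3) are deleted from the oldest end. It writes into a temporary directory that stands in for /etc/keystone/fernet-keys, with the same 0600 permissions, and checks them; the key material is random, not the keys shown above.

```python
"""Model of the Keystone Fernet key repository and its rotation rules.

Added example, not Keystone's own code. It reproduces the layout that
keystone-manage fernet_setup and fernet_rotate maintain: integer-named key
files, 0 is the staged key, the highest index is the primary (signing) key,
and no more than max_active_keys files are kept (Keystone's default is 3).
Assumption: a temporary directory stands in for /etc/keystone/fernet-keys.
"""
import base64
import os
import stat
import tempfile


def new_key_bytes():
    # Same shape as cryptography.fernet.Fernet.generate_key(): 32 random
    # bytes, urlsafe base64, 44 characters (the size shown by ll above).
    return base64.urlsafe_b64encode(os.urandom(32))


def write_key(repo, index, key):
    path = os.path.join(repo, str(index))
    # Owner-only: whoever can read a key file can mint tokens for any user.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(key)


def read_key(repo, index):
    with open(os.path.join(repo, str(index)), "rb") as f:
        return f.read()


def list_keys(repo):
    return sorted(int(name) for name in os.listdir(repo) if name.isdigit())


def primary_key_index(repo):
    return max(list_keys(repo))


def fernet_setup(repo):
    """Initial repository as created by fernet_setup: staged 0, primary 1."""
    write_key(repo, 0, new_key_bytes())
    write_key(repo, 1, new_key_bytes())
    return list_keys(repo)


def fernet_rotate(repo, max_active_keys=3):
    """One fernet_rotate: promote the staged key, stage a new one, purge."""
    current_primary = primary_key_index(repo)
    # The staged key becomes the new primary (it was already distributed to
    # every Keystone node while staged, so tokens it signs validate anywhere).
    os.rename(os.path.join(repo, "0"),
              os.path.join(repo, str(current_primary + 1)))
    # A fresh staged key takes slot 0.
    write_key(repo, 0, new_key_bytes())
    # Keep the staged key plus the (max_active_keys - 1) newest keys; older
    # keys are deleted, which invalidates every token they signed.
    active = [k for k in list_keys(repo) if k != 0]
    while len(active) > max_active_keys - 1:
        os.remove(os.path.join(repo, str(active.pop(0))))
    return list_keys(repo)


def permissions_ok(repo):
    """True if every key file is mode 0600, as the listing above shows."""
    for index in list_keys(repo):
        mode = stat.S_IMODE(os.stat(os.path.join(repo, str(index))).st_mode)
        if mode != 0o600:
            return False
    return True


def demo(rotations=3, max_active_keys=3):
    """Run setup plus a few rotations; return the repo and each key listing."""
    repo = tempfile.mkdtemp(prefix="fernet-keys-")
    history = [fernet_setup(repo)]
    for _ in range(rotations):
        history.append(fernet_rotate(repo, max_active_keys))
    return repo, history


if __name__ == "__main__":
    repo, history = demo()
    for step, keys in enumerate(history):
        print("after %d rotation(s): keys %s, primary %d" % (step, keys, max(keys)))
```

Run it once to see the index listing after each rotation. The point to take away is that a deleted key invalidates every token it signed, so rotate at a period longer than the token lifetime, and copy the directory to every Keystone node before the staged key is promoted.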
Configure the HTTP server
[root@controller fernet-keys]# vim /etc/httpd/conf/httpd.conf
#ServerName www.example.com:80
ServerName controller
Create the following file with this content:
[root@controller fernet-keys]# vim /etc/httpd/conf.d/wsgi-keystone.conf
Listen 5000
Listen 35357
<VirtualHost *:5000>
WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-public
WSGIScriptAlias / /usr/bin/keystone-wsgi-public
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
ErrorLogFormat "%{cu}t %M"
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined
<Directory /usr/bin>
Require all granted
</Directory>
</VirtualHost>
<VirtualHost *:35357>
WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-admin
WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
ErrorLogFormat "%{cu}t %M"
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined
<Directory /usr/bin>
Require all granted
</Directory>
</VirtualHost>
[root@controller fernet-keys]# systemctl enable httpd
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
[root@controller fernet-keys]# systemctl start httpd
[root@controller ~]# netstat -antp
##check that the ports from the configuration file are listening (5000 is the public API and 35357 the admin API; both are bound to all interfaces here, so restrict 35357 to the management network once a firewall is in place)
tcp6 0 0 :::5000 :::* LISTEN 22673/httpd
tcp6 0 0 :::80 :::* LISTEN 22673/httpd
tcp6 0 0 :::35357 :::* LISTEN 22673/httpd
Create the service entity and API endpoints
The Identity service provides a catalog of services and their locations. Each service you add to the OpenStack environment needs a service entity and a set of API endpoints in the catalog.
By default the Identity service database contains no information to support conventional authentication and the catalog, so you must use the temporary administration token created above to initialize the service entity and API endpoints.
Configure the authentication token:
[root@controller ~]# export OS_TOKEN=7b345d18876548ae5769 ##the value generated earlier
Configure the endpoint URL:
[root@controller ~]# export OS_URL=http://controller:35357/v3
Configure the Identity API version:
[root@controller ~]# export OS_IDENTITY_API_VERSION=3
Create the service entity for the Identity service:
[root@controller ~]# openstack service create \
> --name keystone --description "OpenStack Identity" identity
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | OpenStack Identity |
| enabled | True |
| id | d3405c1803c24fbb93cc3364dc1a7868 |
| name | keystone |
| type | identity |
+-------------+----------------------------------+
The Identity service manages a catalog of the API endpoints in your environment; services use this catalog to find out how to reach the other services.
OpenStack uses three endpoint variants for each service: admin, internal and public.
Create the Identity service API endpoints (each service added to the environment requires one or more service entities and all three endpoint variants in the Identity service):
[root@controller ~]# openstack endpoint create --region RegionOne \
> identity public http://controller:5000/v3
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | df995b48d82e49b0a26050f24efe94e8 |
| interface | public |
| region | RegionOne |
| region_id | RegionOne |
| service_id | d3405c1803c24fbb93cc3364dc1a7868 |
| service_name | keystone |
| service_type | identity |
| url | http://controller:5000/v3 |
+--------------+----------------------------------+
[root@controller ~]# openstack endpoint create --region RegionOne \
> identity internal http://controller:5000/v3
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | be842020c6cb4c70b8a169ef1af2f368 |
| interface | internal |
| region | RegionOne |
| region_id | RegionOne |
| service_id | d3405c1803c24fbb93cc3364dc1a7868 |
| service_name | keystone |
| service_type | identity |
| url | http://controller:5000/v3 |
+--------------+----------------------------------+
[root@controller ~]# openstack endpoint create --region RegionOne \
> identity admin http://controller:35357/v3
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 41bd76bd44bd401583da51b0b1b23b41 |
| interface | admin |
| region | RegionOne |
| region_id | RegionOne |
| service_id | d3405c1803c24fbb93cc3364dc1a7868 |
| service_name | keystone |
| service_type | identity |
| url | http://controller:35357/v3 |
+--------------+----------------------------------+
Create the domain, projects, users and roles
Create the default domain:
[root@controller ~]# openstack domain create --description "Default Domain" default
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Default Domain |
| enabled | True |
| id | e3959720d1a9466097bbf3b5fa526256 |
| name | default |
+-------------+----------------------------------+
For administrative operations, create the admin project, user and role:
[root@controller ~]# openstack project create --domain default \
> --description "Admin Project" admin
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Admin Project |
| domain_id | e3959720d1a9466097bbf3b5fa526256 |
| enabled | True |
| id | 96f0b60f88694d90a0edf4ae8fd548bd |
| is_domain | False |
| name | admin |
| parent_id | e3959720d1a9466097bbf3b5fa526256 |
+-------------+----------------------------------+
[root@controller ~]# openstack user create --domain default \
> --password admin admin
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | e3959720d1a9466097bbf3b5fa526256 |
| enabled | True |
| id | c7c947f41aa44c71aaed7ab2949d9978 |
| name | admin |
+-----------+----------------------------------+
[root@controller ~]# openstack role create admin
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | None |
| id | 958b3bcaa44e462cbc18d2999b7f1aa2 |
| name | admin |
+-----------+----------------------------------+
Add the admin role to the admin project and user:
[root@controller ~]# openstack role add --project admin --user admin admin
Create the service project:
[root@controller ~]# openstack project create --domain default \
> --description "Service Project" service
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Service Project |
| domain_id | e3959720d1a9466097bbf3b5fa526256 |
| enabled | True |
| id | 95be273a55df4650a8b875552a30035b |
| is_domain | False |
| name | service |
| parent_id | e3959720d1a9466097bbf3b5fa526256 |
+-------------+----------------------------------+
Regular (non-admin) tasks should use an unprivileged project and user.
Create the demo project:
[root@controller ~]# openstack project create --domain default \
> --description "Demo Project" demo
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Demo Project |
| domain_id | e3959720d1a9466097bbf3b5fa526256 |
| enabled | True |
| id | db03f41af5004c8ebf0d0e8106d5490d |
| is_domain | False |
| name | demo |
| parent_id | e3959720d1a9466097bbf3b5fa526256 |
+-------------+----------------------------------+
Create the demo user:
[root@controller ~]# openstack user create --domain default \
> --password demo demo
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | e3959720d1a9466097bbf3b5fa526256 |
| enabled | True |
| id | 959ce4199b074bc986ccf3bb12b2a5a2 |
| name | demo |
+-----------+----------------------------------+
Create the user role:
[root@controller ~]# openstack role create user
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | None |
| id | acf0f798578e4fcdbe5dd4021715eeea |
| name | user |
+-----------+----------------------------------+
Add the user role to the demo project and user:
[root@controller ~]# openstack role add --project demo --user demo user
Verify operation
Verify the Identity service before installing other services.
For security reasons, first disable the temporary token mechanism, as the official guide recommends: edit /etc/keystone/keystone-paste.ini and remove admin_token_auth from the [pipeline:public_api], [pipeline:admin_api] and [pipeline:api_v3] sections; the admin_token line in keystone.conf can be removed at the same time.
Unset the temporary OS_TOKEN and OS_URL environment variables:
[root@controller ~]# unset OS_TOKEN OS_URL
As the admin user, request an authentication token (the password is the one given at user creation, admin):
[root@controller ~]# openstack --os-auth-url http://controller:35357/v3 \
> --os-project-domain-name default --os-user-domain-name default \
> --os-project-name admin --os-username admin token issue
Password:
+------------+----------------------------------+
| Field | Value |
+------------+----------------------------------+
| expires | 2018-07-26T08:15:46.160746Z |
| id | 1719a9c80fe6425d8090f65e1220836c |
| project_id | 96f0b60f88694d90a0edf4ae8fd548bd |
| user_id | c7c947f41aa44c71aaed7ab2949d9978 |
+------------+----------------------------------+
As the demo user, request an authentication token:
[root@controller ~]# openstack --os-auth-url http://controller:5000/v3 \
> --os-project-domain-name default --os-user-domain-name default \
> --os-project-name demo --os-username demo token issue
Password:
+------------+----------------------------------+
| Field | Value |
+------------+----------------------------------+
| expires | 2018-07-26T08:16:04.939485Z |
| id | 3f64bfeafb0947849e4652b03930e039 |
| project_id | db03f41af5004c8ebf0d0e8106d5490d |
| user_id | 959ce4199b074bc986ccf3bb12b2a5a2 |
+------------+----------------------------------+
Create OpenStack client environment scripts
One check on the output above before moving on: a Fernet token id begins with gAAAA and is far longer than 32 characters, while the ids shown are 32 hexadecimal characters, which is what the uuid provider produces. If you see that, confirm that provider = fernet sits in the [token] section of keystone.conf and restart httpd.
Create client environment scripts for the admin and demo users (note the passwords: these files hold credentials in clear text, so keep them mode 0600 and out of shared directories):
[root@controller ~]# vim admin-openrc
[root@controller ~]# cat admin-openrc
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_AUTH_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
[root@controller ~]# vim demo-openrc
[root@controller ~]# cat demo-openrc
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=demo
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
Test using the scripts:
Load admin-openrc to populate the environment with the location of the Identity service and the admin project and user credentials:
[root@controller ~]# source admin-openrc
[root@controller ~]# openstack token issue
+------------+----------------------------------+
| Field | Value |
+------------+----------------------------------+
| expires | 2018-07-26T08:18:49.302645Z |
| id | 1f2f8af124cc42448f8a7ee8810b145e |
| project_id | 96f0b60f88694d90a0edf4ae8fd548bd |
| user_id | c7c947f41aa44c71aaed7ab2949d9978 |
+------------+----------------------------------+
[root@controller ~]# openstack user list
###the admin user can list users; the admin role is comparable to root
+----------------------------------+-------+
| ID | Name |
+----------------------------------+-------+
| 959ce4199b074bc986ccf3bb12b2a5a2 | demo |
| c7c947f41aa44c71aaed7ab2949d9978 | admin |
+----------------------------------+-------+
[root@controller ~]# source demo-openrc
[root@controller ~]# openstack token issue
+------------+----------------------------------+
| Field | Value |
+------------+----------------------------------+
| expires | 2018-07-26T08:19:14.465608Z |
| id | 6b776d17109f44cf8d6a45f628228aa7 |
| project_id | db03f41af5004c8ebf0d0e8106d5490d |
| user_id | 959ce4199b074bc986ccf3bb12b2a5a2 |
+------------+----------------------------------+
[root@controller ~]# openstack user list
###the demo user is not allowed to list users; the user role is an ordinary, unprivileged account. The 403 comes from Keystone's policy rule for identity:list_users, which requires the admin role.
You are not authorized to perform the requested action: identity:list_users (HTTP 403) (Request-ID: req-978d782b-de09-492b-86c2-dd1d2aa4e963)
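What the two token issue commands and the 403 do under the hood, as an added example in Python (not Keystone's or the client's own code): it builds the /v3/auth/tokens request body that the --os-* options turn into, reads a reply of the shape Keystone returns, and applies the policy rules that decide identity:list_users. The reply is constructed for the example, with the demo project, user and role ids copied from the output above; the token id in it is a placeholder, and the function names are the example's own.

```python
"""Model of the Keystone v3 token flow exercised by the checks above.

Added example, not Keystone's or the client's own code. It builds the JSON
body that python-openstackclient POSTs to /v3/auth/tokens for a
password-scoped token, reads the reply the way the client does (token id in
the X-Subject-Token header; expiry, project, user and roles in the body) and
applies the two rules from Keystone's default policy.json that decide
identity:list_users, which is why demo gets HTTP 403 above. The response
below is constructed for the example, not captured from a server; the
project, user and role ids are copied from the demo output above.
"""
import json


def password_auth_body(username, password, project,
                       user_domain="default", project_domain="default"):
    """Request body for POST /v3/auth/tokens (what the --os-* options become)."""
    return {
        "auth": {
            "identity": {
                "methods": ["password"],
                "password": {
                    "user": {
                        "name": username,
                        "domain": {"name": user_domain},
                        "password": password,
                    }
                },
            },
            "scope": {
                "project": {"name": project, "domain": {"name": project_domain}}
            },
        }
    }


def parse_token_response(headers, body):
    """The token id travels in a response header, not in the JSON body."""
    token = json.loads(body)["token"]
    return {
        "id": headers["X-Subject-Token"],
        "expires": token["expires_at"],
        "project_id": token["project"]["id"],
        "user_id": token["user"]["id"],
        "roles": sorted(r["name"] for r in token.get("roles", [])),
    }


# Keystone's default policy.json (Mitaka):
#   "admin_required": "role:admin or is_admin:1"
#   "identity:list_users": "rule:admin_required"
def admin_required(roles, is_admin=False):
    return "admin" in roles or is_admin


POLICY = {
    "identity:list_users": admin_required,
    "identity:get_user": admin_required,
}


def enforce(action, roles, is_admin=False):
    """True when the rule allows the call; False is what the HTTP 403 reflects."""
    return POLICY[action](roles, is_admin)


# Constructed reply for the demo user: project demo, role user only.
DEMO_HEADERS = {"X-Subject-Token": "gAAAAAB-constructed-placeholder-not-a-real-token"}
DEMO_BODY = json.dumps({
    "token": {
        "expires_at": "2018-07-26T08:16:04.939485Z",
        "project": {"id": "db03f41af5004c8ebf0d0e8106d5490d", "name": "demo"},
        "user": {"id": "959ce4199b074bc986ccf3bb12b2a5a2", "name": "demo"},
        "roles": [{"id": "acf0f798578e4fcdbe5dd4021715eeea", "name": "user"}],
    }
})


def demo_list_users_allowed():
    """Replay the demo-user check: scoped token issued, list_users denied."""
    token = parse_token_response(DEMO_HEADERS, DEMO_BODY)
    return enforce("identity:list_users", token["roles"])


if __name__ == "__main__":
    print(json.dumps(password_auth_body("demo", "demo", "demo"), indent=2))
    token = parse_token_response(DEMO_HEADERS, DEMO_BODY)
    print("user %s in project %s has roles %s"
          % (token["user_id"], token["project_id"], token["roles"]))
    print("identity:list_users allowed for demo:", demo_list_users_allowed())
    print("identity:list_users allowed for admin:", enforce("identity:list_users", ["admin"]))
```

The role names in the token are all the policy engine looks at, which is why adding the admin role to a user in any project (as is done for the service users below) makes that user an administrator everywhere under the default policy.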
Image service
Install and configure the components
Create a database, service credentials and API endpoints
Connect to the database server as root with the database client:
MariaDB [(none)]> CREATE DATABASE glance;
Query OK, 1 row affected (0.00 sec)
MariaDB [(none)]> GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'localhost' \
-> IDENTIFIED BY 'glance';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'%' IDENTIFIED BY 'glance';
Query OK, 0 rows affected (0.00 sec)
Source the admin credentials to gain access to admin-only CLI commands:
[root@controller ~]# source admin-openrc
Create the glance user:
[root@controller ~]# openstack user create --domain default --password-prompt glance
User Password: ###password glance
Repeat User Password:
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | e3959720d1a9466097bbf3b5fa526256 |
| enabled | True |
| id | a3b83f5901ae4b7cb1eabf4ffacb9a8c |
| name | glance |
+-----------+----------------------------------+
Add the admin role to the glance user and service project:
[root@controller ~]# openstack role add --project service --user glance admin
Create the glance service entity:
[root@controller ~]# openstack service create --name glance \
> --description "OpenStack Image" image
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | OpenStack Image |
| enabled | True |
| id | 68b5ba913e1343e9ba35fb0f96bf2fac |
| name | glance |
| type | image |
+-------------+----------------------------------+
Create the Image service API endpoints:
[root@controller ~]# openstack endpoint create --region RegionOne \
> image public http://controller:9292
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | ad0703305c8a465e933d92e368a8b588 |
| interface | public |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 68b5ba913e1343e9ba35fb0f96bf2fac |
| service_name | glance |
| service_type | image |
| url | http://controller:9292 |
+--------------+----------------------------------+
[root@controller ~]# openstack endpoint create --region RegionOne \
> image internal http://controller:9292
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 12bfc68c51a54fe38239e2ef2cd37db4 |
| interface | internal |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 68b5ba913e1343e9ba35fb0f96bf2fac |
| service_name | glance |
| service_type | image |
| url | http://controller:9292 |
+--------------+----------------------------------+
[root@controller ~]# openstack endpoint create --region RegionOne \
> image admin http://controller:9292
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 7060672e785f4f2ab74308ecfd00ff59 |
| interface | admin |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 68b5ba913e1343e9ba35fb0f96bf2fac |
| service_name | glance |
| service_type | image |
| url | http://controller:9292 |
+--------------+----------------------------------+
Install the components and configure them:
[root@controller ~]# yum install openstack-glance
[root@controller ~]# vim /etc/glance/glance-api.conf
Configure database access:
[database]
connection = mysql+pymysql://glance:glance@controller/glance
Configure Identity service access (the [keystone_authtoken] section is how the glance-api middleware validates incoming tokens; the password is the one set for the glance service user above):
[keystone_authtoken]
auth_uri = http://controller:5000
auth_url = http://controller:35357
memcached_servers = controller:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = glance
password = glance
[paste_deploy]
flavor = keystone
Configure the local file system store and the location of image files:
[glance_store]
stores = file,http
default_store = file
filesystem_store_datadir = /var/lib/glance/images/
[root@controller ~]# vim /etc/glance/glance-registry.conf
[database]
connection = mysql+pymysql://glance:glance@controller/glance
[keystone_authtoken]
auth_uri = http://controller:5000
auth_url = http://controller:35357
memcached_servers = controller:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = glance
password = glance
[paste_deploy]
flavor = keystone
Populate the Image service database (as long as it does not error out, the warnings below can be ignored; the sync can take a while, so be patient):
[root@controller ~]# su -s /bin/sh -c "glance-manage db_sync" glance
Option "verbose" from group "DEFAULT" is deprecated for removal. Its value may be silently ignored in the future.
/usr/lib/python2.7/site-packages/oslo_db/sqlalchemy/enginefacade.py:1056: OsloDBDeprecationWarning: EngineFacade is deprecated; please use oslo_db.sqlalchemy.enginefacade
expire_on_commit=expire_on_commit, _conf=conf)
/usr/lib/python2.7/site-packages/pymysql/cursors.py:166: Warning: (1831, u'Duplicate index `ix_image_properties_image_id_name`. This is deprecated and will be disallowed in a future release.')
result = self._query(query)
Start the Image services and configure them to start at boot:
[root@controller ~]# systemctl enable openstack-glance-api.service \
> openstack-glance-registry.service
Created symlink from /etc/systemd/system/multi-user.target.wants/openstack-glance-api.service to /usr/lib/systemd/system/openstack-glance-api.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/openstack-glance-registry.service to /usr/lib/systemd/system/openstack-glance-registry.service.
[root@controller ~]# systemctl start openstack-glance-api.service \
> openstack-glance-registry.service
Verify operation
CirrOS is a small Linux image that helps you test your OpenStack deployment.
Download it from the official CirrOS site: cirros-0.3.4-x86_64-disk.img
[root@controller ~]# ls
admin-openrc anaconda-ks.cfg cirros-0.3.4-x86_64-disk.img demo-openrc
Upload the image to the Image service using the QCOW2 disk format and the bare container format, and make it publicly visible (--public lets every project boot it, so only do this for images you trust):
[root@controller ~]# openstack image create "cirros" \
> --file cirros-0.3.4-x86_64-disk.img \
> --disk-format qcow2 --container-format bare \
> --public
+------------------+------------------------------------------------------+
| Field | Value |
+------------------+------------------------------------------------------+
| checksum | ee1eca47dc88f4879d8a229cc70a07c6 |
| container_format | bare |
| created_at | 2018-07-26T07:51:06Z |
| disk_format | qcow2 |
| file | /v2/images/3ceb5858-6454-46e4-b278-bf5fc164ba47/file |
| id | 3ceb5858-6454-46e4-b278-bf5fc164ba47 |
| min_disk | 0 |
| min_ram | 0 |
| name | cirros |
| owner | 96f0b60f88694d90a0edf4ae8fd548bd |
| protected | False |
| schema | /v2/schemas/image |
| size | 13287936 |
| status | active |
| tags | |
| updated_at | 2018-07-26T07:51:07Z |
| virtual_size | None |
| visibility | public |
+------------------+------------------------------------------------------+
Confirm the upload and check the image properties:
[root@controller ~]# openstack image list
+--------------------------------------+--------+--------+
| ID | Name | Status |
+--------------------------------------+--------+--------+
| 3ceb5858-6454-46e4-b278-bf5fc164ba47 | cirros | active |
+--------------------------------------+--------+--------+
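Two checks worth running on an image before it is uploaded with --public, as an added example in Python (not Glance's code): compare the MD5 that Glance reports as checksum with a locally computed digest, and parse the qcow2 header to confirm that the file really is qcow2 and names no backing file, since the disk format is only a label Glance records and a backing file is a path that the hypervisor would try to open on the compute host. The image bytes are constructed inside the script (a header-only qcow2 v2, not the CirrOS image), and the names check_image, inspect_qcow2 and make_qcow2 are the example's own.

```python
"""Integrity checks on a disk image before (or after) uploading it to Glance.

Added example, not Glance's own code. The checksum field Glance prints is
the MD5 of the bytes it stored, so comparing it with a digest computed from
the local file confirms both the download and the upload; --disk-format is
only a label Glance records, so the qcow2 header is parsed to confirm the
format and to reject an image that names a backing file (a path the
hypervisor would open on the compute host when the image is used). The
image bytes below are constructed for the example: a header-only qcow2 v2,
not a real CirrOS image, and not bootable.
"""
import hashlib
import struct

QCOW2_MAGIC = 0x514649FB  # "QFI\xfb"
# Fixed part of the qcow2 header (big-endian), per the qcow2 specification:
# magic, version, backing_file_offset, backing_file_size, cluster_bits, size,
# crypt_method, l1_size, l1_table_offset, refcount_table_offset,
# refcount_table_clusters, nb_snapshots, snapshots_offset.
_HEADER = struct.Struct(">IIQIIQIIQQIIQ")


def digests(data):
    """MD5 (what Glance reports as checksum) and SHA-256 (what to pin)."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def inspect_qcow2(data):
    """Parse the fixed header; raise ValueError if this is not qcow2."""
    if len(data) < _HEADER.size:
        raise ValueError("too short to be a qcow2 image")
    fields = _HEADER.unpack_from(data)
    magic, version, bf_offset, bf_size, cluster_bits, size, crypt_method = fields[:7]
    if magic != QCOW2_MAGIC:
        raise ValueError("not a qcow2 image (magic 0x%08x)" % magic)
    backing = ""
    if bf_size:
        backing = data[bf_offset:bf_offset + bf_size].decode("utf-8", "replace")
    return {"version": version, "virtual_size": size,
            "cluster_size": 1 << cluster_bits,
            "encrypted": crypt_method != 0, "backing_file": backing}


def check_image(data, expected_md5, declared_format="qcow2"):
    """Return (ok, reasons): checksum matches, format as declared, no backing file."""
    reasons = []
    if digests(data)["md5"] != expected_md5:
        reasons.append("checksum mismatch")
    if declared_format == "qcow2":
        try:
            info = inspect_qcow2(data)
        except ValueError as exc:
            reasons.append(str(exc))
            return False, reasons
        if info["backing_file"]:
            reasons.append("backing file %r" % info["backing_file"])
        if info["encrypted"]:
            reasons.append("encrypted qcow2 (crypt_method set)")
    return not reasons, reasons


def make_qcow2(virtual_size, backing_file=b"", cluster_bits=16):
    """Constructed test input: a qcow2 v2 header padded to one cluster."""
    bf_offset = _HEADER.size if backing_file else 0
    header = _HEADER.pack(QCOW2_MAGIC, 2, bf_offset, len(backing_file),
                          cluster_bits, virtual_size, 0, 0, 0, 0, 0, 0, 0)
    return (header + backing_file).ljust(1 << cluster_bits, b"\0")


if __name__ == "__main__":
    clean = make_qcow2(40 * 1024 * 1024)
    print(inspect_qcow2(clean))
    print(check_image(clean, digests(clean)["md5"]))
    evil = make_qcow2(40 * 1024 * 1024, b"/etc/passwd")
    print(check_image(evil, digests(evil)["md5"]))
```

For a real file, read it in binary and pass the checksum value from the openstack image create output; publish the SHA-256 alongside the image so that later downloads can be pinned to something stronger than MD5.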
If something fails, check the relevant logs:
[root@controller ~]# cd /var/log/
[root@controller log]# ls
anaconda cron keystone ppp tallylog
audit dmesg lastlog rabbitmq tuned
boot.log dmesg.old maillog rhsm wpa_supplicant.log
btmp glance mariadb secure wtmp
chrony httpd messages spooler yum.log
Compute service
This section describes how to install and configure the Compute service, nova, on the controller node.
Install and configure the controller node (run on the controller):
Before installing and configuring the Compute service, you must create the databases, service credentials and API endpoints.
Connect to the database server as root with the database client:
On the controller:
MariaDB [(none)]> CREATE DATABASE nova_api;
Query OK, 1 row affected (0.00 sec)
MariaDB [(none)]> CREATE DATABASE nova;
Query OK, 1 row affected (0.00 sec)
MariaDB [(none)]> GRANT ALL PRIVILEGES ON nova_api.* TO 'nova'@'localhost' \
-> IDENTIFIED BY 'nova';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> GRANT ALL PRIVILEGES ON nova_api.* TO 'nova'@'%' \
-> IDENTIFIED BY 'nova';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'localhost' \
-> IDENTIFIED BY 'nova';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'%' \
-> IDENTIFIED BY 'nova';
Query OK, 0 rows affected (0.00 sec)
Create the service credentials:
Create the nova user:
[root@controller ~]# openstack user create --domain default \
> --password nova nova
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | e3959720d1a9466097bbf3b5fa526256 |
| enabled | True |
| id | 28d3ff25397a499a9519a6341bd8d10b |
| name | nova |
+-----------+----------------------------------+
Add the admin role to the nova user:
[root@controller ~]# openstack role add --project service --user nova admin
Create the nova service entity:
[root@controller ~]# openstack service create --name nova \
> --description "OpenStack Compute" compute
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | OpenStack Compute |
| enabled | True |
| id | c434af7ec571408e96126287a19e19eb |
| name | nova |
| type | compute |
+-------------+----------------------------------+
Create the Compute service API endpoints (the %(tenant_id)s placeholder is filled with the project id of the requesting token when Keystone builds the catalog; the backslashes only keep the shell from treating the parentheses specially):
[root@controller ~]# openstack endpoint create --region RegionOne \
> compute public http://controller:8774/v2.1/%\(tenant_id\)s
+--------------+-------------------------------------------+
| Field | Value |
+--------------+-------------------------------------------+
| enabled | True |
| id | 18a1b0f35efb4e00b6622aa27a2509c8 |
| interface | public |
| region | RegionOne |
| region_id | RegionOne |
| service_id | c434af7ec571408e96126287a19e19eb |
| service_name | nova |
| service_type | compute |
| url | http://controller:8774/v2.1/%(tenant_id)s |
+--------------+-------------------------------------------+
[root@controller ~]# openstack endpoint create --region RegionOne \
> compute internal http://controller:8774/v2.1/%\(tenant_id\)s
+--------------+-------------------------------------------+
| Field | Value |
+--------------+-------------------------------------------+
| enabled | True |
| id | 863f783155604a9fa79b555014771ccf |
| interface | internal |
| region | RegionOne |
| region_id | RegionOne |
| service_id | c434af7ec571408e96126287a19e19eb |
| service_name | nova |
| service_type | compute |
| url | http://controller:8774/v2.1/%(tenant_id)s |
+--------------+-------------------------------------------+
[root@controller ~]# openstack endpoint create --region RegionOne \
> compute admin http://controller:8774/v2.1/%\(tenant_id\)s
+--------------+-------------------------------------------+
| Field | Value |
+--------------+-------------------------------------------+
| enabled | True |
| id | 892bd3384a2649e5a97c5303cab3a3c7 |
| interface | admin |
| region | RegionOne |
| region_id | RegionOne |
| service_id | c434af7ec571408e96126287a19e19eb |
| service_name | nova |
| service_type | compute |
| url | http://controller:8774/v2.1/%(tenant_id)s |
+--------------+-------------------------------------------+
Install the related components and configure them:
[root@controller ~]# yum install openstack-nova-api openstack-nova-conductor \
> openstack-nova-console openstack-nova-novncproxy \
> openstack-nova-scheduler
[root@controller ~]# vim /etc/nova/nova.conf
[DEFAULT]
enabled_apis = osapi_compute,metadata #enable only the compute and metadata APIs
rpc_backend = rabbit
auth_strategy = keystone
my_ip = 172.25.60.20 #set my_ip to the management interface IP address of the controller node
Enable the Networking service:
use_neutron = True
firewall_driver = nova.virt.firewall.NoopFirewallDriver
Configure database access in [api_database] and [database]:
[api_database]
connection = mysql+pymysql://nova:nova@controller/nova_api
[database]
connection = mysql+pymysql://nova:nova@controller/nova
Configure RabbitMQ message queue access:
[oslo_messaging_rabbit]
rabbit_host = controller
rabbit_userid = openstack
rabbit_password = openstack
Configure Identity service access:
[keystone_authtoken]
auth_uri = http://controller:5000
auth_url = http://controller:35357
memcached_servers = controller:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = nova
password = nova
Configure the VNC proxy to use the management interface IP address of the controller node:
[vnc]
vncserver_listen = $my_ip
vncserver_proxyclient_address = $my_ip
Configure the location of the Image service API:
[glance]
api_servers = http://controller:9292
Configure the lock path:
[oslo_concurrency]
lock_path = /var/lib/nova/tmp
Populate the Compute databases:
[root@controller ~]# su -s /bin/sh -c "nova-manage api_db sync" nova
[root@controller ~]# su -s /bin/sh -c "nova-manage db sync" nova
Start the Compute services and configure them to start at boot:
[root@controller ~]# systemctl enable openstack-nova-api.service \
> openstack-nova-consoleauth.service openstack-nova-scheduler.service \
> openstack-nova-conductor.service openstack-nova-novncproxy.service
[root@controller ~]# systemctl start openstack-nova-api.service \
> openstack-nova-consoleauth.service openstack-nova-scheduler.service \
> openstack-nova-conductor.service openstack-nova-novncproxy.service
Install and configure the compute node (run on compute1):
[root@compute1 ~]# yum install -y openstack-nova-compute
[root@compute1 ~]# vim /etc/nova/nova.conf
[DEFAULT]
rpc_backend = rabbit #configure RabbitMQ message queue access
auth_strategy = keystone
my_ip = 172.25.60.21 ##set to the IP address of this host
use_neutron = True
firewall_driver = nova.virt.firewall.NoopFirewallDriver
[oslo_messaging_rabbit]
rabbit_host = controller
rabbit_userid = openstack
rabbit_password = openstack
[keystone_authtoken]
auth_uri = http://controller:5000
auth_url = http://controller:35357
memcached_servers = controller:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = nova
password = nova
[vnc] ###enable and configure remote console access
enabled = True
vncserver_listen = 0.0.0.0
vncserver_proxyclient_address = $my_ip
novncproxy_base_url = http://controller:6080/vnc_auto.html
[glance] ###configure the location of the Image service API
api_servers = http://controller:9292
[oslo_concurrency]
lock_path = /var/lib/nova/tmp
[libvirt]
virt_type = qemu
Start the Compute service and its dependencies, and configure them to start at boot:
[root@compute1 ~]# systemctl enable libvirtd.service openstack-nova-compute.service
Created symlink from /etc/systemd/system/multi-user.target.wants/openstack-nova-compute.service to /usr/lib/systemd/system/openstack-nova-compute.service.
[root@compute1 ~]# systemctl start libvirtd.service openstack-nova-compute.service
On controller, list the service components to verify that each process started and registered successfully:
[root@controller ~]# openstack compute service list
+----+-------------+------------+----------+---------+-------+---------------+
| Id | Binary | Host | Zone | Status | State | Updated At |
+----+-------------+------------+----------+---------+-------+---------------+
| 1 | nova- | controller | internal | enabled | up | 2018-07-26T09 |
| | conductor | | | | | :00:07.000000 |
| 2 | nova- | controller | internal | enabled | up | 2018-07-26T09 |
| | scheduler | | | | | :00:07.000000 |
| 3 | nova- | controller | internal | enabled | up | 2018-07-26T09 |
| | consoleauth | | | | | :00:07.000000 |
| 6 | nova- | compute1 | nova | enabled | up | 2018-07-26T09 |
| | compute | | | | | :00:07.000000 |
+----+-------------+------------+----------+---------+-------+---------------+
The output should show three service components enabled on the controller node and one service component enabled on the compute node; make sure the State of every service is up.
If errors occur during installation, check the log here:
[root@compute1 log]# cd nova/
[root@compute1 nova]# ls
nova-compute.log
Networking service configuration:
Install and configure the controller node (run on controller):
Before configuring the OpenStack Networking service, create its database, service credentials, and API endpoints.
Create the database and grant access to it:
[root@controller ~]# mysql -u root -p
MariaDB [(none)]> CREATE DATABASE neutron;
Query OK, 1 row affected (0.00 sec)
MariaDB [(none)]> GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'localhost' \
-> IDENTIFIED BY 'neutron';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'%' IDENTIFIED BY 'neutron';
Query OK, 0 rows affected (0.00 sec)
Create the service credentials; first create the neutron user:
[root@controller ~]# openstack user create --domain default --password neutron neutron
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | 0394fe1fdb604099ae1b25027212fe8f |
| enabled | True |
| id | 9f1c4fbde140443281370bd3ac9a4fb0 |
| name | neutron |
+-----------+----------------------------------+
Add the admin role to the neutron user:
[root@controller ~]# openstack role add --project service --user neutron admin
Create the neutron service entity:
[root@controller ~]# openstack service create --name neutron \
> --description "OpenStack Networking" network
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | OpenStack Networking |
| enabled | True |
| id | 34d779c2fb5f4a56940531767a666737 |
| name | neutron |
| type | network |
+-------------+----------------------------------+
Create the Networking service API endpoints:
[root@controller ~]# openstack endpoint create --region RegionOne \
> network public http://controller:9696
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | ea768854c6ce446b84639065567f8704 |
| interface | public |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 34d779c2fb5f4a56940531767a666737 |
| service_name | neutron |
| service_type | network |
| url | http://controller:9696 |
+--------------+----------------------------------+
[root@controller ~]# openstack endpoint create --region RegionOne \
> network internal http://controller:9696
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 31a48fdda60c40efafe366d2def8d8fa |
| interface | internal |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 34d779c2fb5f4a56940531767a666737 |
| service_name | neutron |
| service_type | network |
| url | http://controller:9696 |
+--------------+----------------------------------+
[root@controller ~]# openstack endpoint create --region RegionOne \
> network admin http://controller:9696
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 5e66635ef095449aab8a32c1076f7fbb |
| interface | admin |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 34d779c2fb5f4a56940531767a666737 |
| service_name | neutron |
| service_type | network |
| url | http://controller:9696 |
+--------------+----------------------------------+
Configure networking options: provider network configuration
Install the components:
[root@controller ~]# yum install openstack-neutron openstack-neutron-ml2 \
> openstack-neutron-linuxbridge ebtables -y
Configure the server component:
The Networking server component configuration includes the database, authentication mechanism, message queue, topology change notifications, and plug-in.
[root@controller ~]# vim /etc/neutron/neutron.conf
[DEFAULT]
Enable the ML2 plug-in and disable other plug-ins:
core_plugin = ml2
service_plugins =
Configure RabbitMQ message queue access:
rpc_backend = rabbit
Configure Identity service access:
auth_strategy = keystone
Configure Networking to notify Compute of network topology changes:
notify_nova_on_port_status_changes = True
notify_nova_on_port_data_changes = True
[database]
Configure database access (the password is the one given to the neutron database user above):
connection = mysql+pymysql://neutron:neutron@controller/neutron
[oslo_messaging_rabbit]
Configure RabbitMQ message queue access (same openstack account used by the other services):
rabbit_host = controller
rabbit_userid = openstack
rabbit_password = openstack
[keystone_authtoken]
Configure Identity service access (the password set when the neutron user was created):
auth_uri = http://controller:5000
auth_url = http://controller:35357
memcached_servers = controller:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = neutron
password = neutron
[nova]
Configure Networking to notify Compute of network topology changes (the password set when the nova user was created):
auth_url = http://controller:35357
auth_type = password
project_domain_name = default
user_domain_name = default
region_name = RegionOne
project_name = service
username = nova
password = nova
[oslo_concurrency]
Configure the lock path:
lock_path = /var/lib/neutron/tmp
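The nova.conf and neutron.conf fragments above are easy to get subtly wrong when copied from the official guide, and a service that starts with an unreplaced placeholder password or without Keystone authentication fails in ways that only show up in the logs later. The following added example (my own code, not from the page or from OpenStack) parses a config file in the oslo.config ini style used by these services and reports placeholder tokens such as NEUTRON_DBPASS or RABBIT_PASS, missing Identity settings, and a VNC server bound to every interface. The sample config text embedded in it is constructed for the example.

```python
"""Sanity-check an OpenStack service config before starting the service.

Added example, not code from the original page or from OpenStack itself.
It reads a nova.conf/neutron.conf style file and reports the mistakes that
are easiest to make when copying the official guide: password placeholders
left unreplaced, a missing Keystone auth strategy, and a VNC server bound
to all interfaces.
"""
import configparser
import re

# Placeholder password tokens used throughout the official guide.
PLACEHOLDER_RE = re.compile(r"\b[A-Z][A-Z0-9]*_(?:DB)?PASS\b")

# (section, option, expected value); expected None means "must merely be present".
REQUIRED = [
    ("DEFAULT", "auth_strategy", "keystone"),
    ("keystone_authtoken", "auth_type", "password"),
    ("keystone_authtoken", "memcached_servers", None),
]


def parse_conf(text):
    """Parse an oslo.config style ini file; [DEFAULT] is treated as an ordinary section."""
    cp = configparser.ConfigParser(
        interpolation=None,            # keep $my_ip and %(tenant_id)s literally
        default_section="__unused__",  # so [DEFAULT] does not leak into every section
        inline_comment_prefixes=("#",),
        strict=False,
    )
    cp.read_string(text)
    return cp


def check_config(text):
    """Return a list of (section, option, problem) tuples; an empty list means clean."""
    cp = parse_conf(text)
    findings = []
    for section in cp.sections():
        for option, value in cp.items(section):
            if PLACEHOLDER_RE.search(value):
                findings.append((section, option, "placeholder not replaced: " + value))
    for section, option, expected in REQUIRED:
        if not cp.has_option(section, option):
            findings.append((section, option, "missing"))
        elif expected is not None and cp.get(section, option) != expected:
            findings.append((section, option, "expected %s, got %s"
                             % (expected, cp.get(section, option))))
    if cp.has_option("vnc", "vncserver_listen") and \
            cp.get("vnc", "vncserver_listen") == "0.0.0.0":
        findings.append(("vnc", "vncserver_listen",
                         "bound to all interfaces; prefer the management IP"))
    return findings


# Constructed sample: a neutron.conf fragment as it looks when copied straight
# from the guide (placeholders still in place, memcached_servers forgotten).
COPIED_CONF = """\
[DEFAULT]
core_plugin = ml2
rpc_backend = rabbit
auth_strategy = keystone
[database]
connection = mysql+pymysql://neutron:NEUTRON_DBPASS@controller/neutron
[oslo_messaging_rabbit]
rabbit_host = controller
rabbit_userid = openstack
rabbit_password = RABBIT_PASS
[keystone_authtoken]
auth_uri = http://controller:5000
auth_type = password
username = neutron
password = NEUTRON_PASS
"""

# Constructed sample: the same fragment with the values this page actually uses.
FIXED_CONF = """\
[DEFAULT]
core_plugin = ml2
rpc_backend = rabbit
auth_strategy = keystone
[database]
connection = mysql+pymysql://neutron:neutron@controller/neutron
[oslo_messaging_rabbit]
rabbit_host = controller
rabbit_userid = openstack
rabbit_password = openstack
[keystone_authtoken]
auth_uri = http://controller:5000
memcached_servers = controller:11211
auth_type = password
username = neutron
password = neutron
[vnc]
vncserver_listen = $my_ip
"""

if __name__ == "__main__":
    for name, text in (("copied", COPIED_CONF), ("fixed", FIXED_CONF)):
        print(name, check_config(text) or "clean")
```

Run it against the real files with `check_config(open("/etc/neutron/neutron.conf").read())` on each node before the `systemctl start` step; the placeholder regex is deliberately narrow (upper-case token ending in `_PASS` or `_DBPASS`) so it does not trip on ordinary values.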
{{Configure the Modular Layer 2 (ML2) plug-in}}
[root@controller ~]# vim /etc/neutron/plugins/ml2/ml2_conf.ini
[ml2]
type_drivers = flat,vlan ###enable flat and VLAN networks
tenant_network_types = ###disable self-service (private) networks
mechanism_drivers = linuxbridge ###enable the Linux bridge mechanism
extension_drivers = port_security ###enable the port security extension driver
[ml2_type_flat]
Configure the provider virtual network as a flat network:
flat_networks = provider
[securitygroup]
Enable ipset to increase the efficiency of security group rules:
enable_ipset = True
{{Configure the Linux bridge agent}}
[root@controller ~]# vim /etc/neutron/plugins/ml2/linuxbridge_agent.ini
[linux_bridge]
Map the provider virtual network to the provider physical network interface:
physical_interface_mappings = provider:eth1
[vxlan]
enable_vxlan = False ###disable VXLAN overlay networks
[securitygroup]
enable_security_group = True
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
{{Configure the DHCP agent}}
[root@controller ~]# vim /etc/neutron/dhcp_agent.ini
Configure the Linux bridge interface driver and the Dnsmasq DHCP driver, and enable isolated metadata so that instances on the provider network can reach the metadata service over the network:
[DEFAULT]
interface_driver = neutron.agent.linux.interface.BridgeInterfaceDriver
dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq
enable_isolated_metadata = True
{{Configure the metadata agent}}
[root@controller ~]# vim /etc/neutron/metadata_agent.ini
[DEFAULT]
Configure the metadata host and the shared secret:
nova_metadata_ip = controller
metadata_proxy_shared_secret = westos
{{Configure Compute to use Networking}}
[root@controller ~]# vim /etc/nova/nova.conf
[neutron]
Configure the access parameters, enable the metadata proxy, and set the shared secret:
url = http://controller:9696
auth_url = http://controller:35357
auth_type = password
project_domain_name = default
user_domain_name = default
region_name = RegionOne
project_name = service
username = neutron
password = neutron
service_metadata_proxy = True
metadata_proxy_shared_secret = westos
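The same `metadata_proxy_shared_secret` appears in metadata_agent.ini and in the [neutron] section of nova.conf because it is what lets nova-api trust the instance identity the proxy reports. The added example below is mine, not code from the page or from OpenStack; it reproduces the scheme as I understand it from the Neutron metadata agent and the Nova metadata API: the proxy adds `X-Instance-ID` plus an HMAC-SHA256 of that ID keyed with the shared secret in `X-Instance-ID-Signature`, and Nova recomputes the HMAC and rejects any request whose signature does not match, so a client on the provider network cannot obtain another instance's metadata just by claiming its ID. The instance ID, project ID and address are taken from the page's own output; the function names are my own.

```python
"""Why metadata_proxy_shared_secret must match on both sides.

Added example, not code from the original page or from OpenStack itself.
It models the signing scheme the Neutron metadata proxy and the Nova
metadata API use (as I understand it): HMAC-SHA256 over the instance ID,
keyed with the shared secret, carried in X-Instance-ID-Signature.
"""
import hashlib
import hmac

SHARED_SECRET = "westos"  # the value the page configures on both sides

# Values from the page's own output, reused here as sample input.
INSTANCE_ID = "095c6d01-fa4c-4948-812d-1f9737f9d871"
PROJECT_ID = "7d887d9bc3a44f35b2c8c858bd28e16c"
INSTANCE_IP = "172.25.60.202"


def sign_instance_id(instance_id, secret=SHARED_SECRET):
    """Proxy side: compute the X-Instance-ID-Signature header value."""
    return hmac.new(secret.encode(), instance_id.encode(), hashlib.sha256).hexdigest()


def proxy_headers(instance_id, tenant_id, instance_ip, secret=SHARED_SECRET):
    """Headers the metadata proxy adds before forwarding a request to nova-api."""
    return {
        "X-Forwarded-For": instance_ip,
        "X-Instance-ID": instance_id,
        "X-Tenant-ID": tenant_id,
        "X-Instance-ID-Signature": sign_instance_id(instance_id, secret),
    }


def verify_request(headers, secret=SHARED_SECRET):
    """Nova side: return the trusted instance ID, or None if the signature fails."""
    instance_id = headers.get("X-Instance-ID")
    signature = headers.get("X-Instance-ID-Signature", "")
    if not instance_id:
        return None
    expected = sign_instance_id(instance_id, secret)
    # Constant-time comparison: a plain == would leak how many leading
    # bytes of the forged signature were right.
    if not hmac.compare_digest(expected, signature):
        return None
    return instance_id


if __name__ == "__main__":
    headers = proxy_headers(INSTANCE_ID, PROJECT_ID, INSTANCE_IP)
    print("signed by proxy   :", verify_request(headers))
    forged = dict(headers)
    forged["X-Instance-ID"] = "00000000-0000-0000-0000-000000000000"
    print("forged instance ID:", verify_request(forged))
    print("secret mismatch   :", verify_request(headers, secret="other"))
```

Two consequences follow directly from the code: if the secret in nova.conf and metadata_agent.ini differ, every metadata request is rejected (instances lose their SSH key injection), and the strength of the secret is the only thing standing between an instance and the metadata of its neighbours on the shared provider network.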
Restart the Compute API service:
[root@controller ~]# systemctl restart openstack-nova-api.service
Start the Networking services and configure them to start at boot:
[root@controller ~]# systemctl enable neutron-server.service \
> neutron-linuxbridge-agent.service neutron-dhcp-agent.service \
> neutron-metadata-agent.service
Created symlink from /etc/systemd/system/multi-user.target.wants/neutron-server.service to /usr/lib/systemd/system/neutron-server.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/neutron-linuxbridge-agent.service to /usr/lib/systemd/system/neutron-linuxbridge-agent.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/neutron-dhcp-agent.service to /usr/lib/systemd/system/neutron-dhcp-agent.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/neutron-metadata-agent.service to /usr/lib/systemd/system/neutron-metadata-agent.service.
[root@controller ~]# systemctl start neutron-server.service \
> neutron-linuxbridge-agent.service neutron-dhcp-agent.service \
> neutron-metadata-agent.service
Install and configure the compute node (run on compute1):
Install the components and configure the common component
Install the components:
[root@compute1 ~]# yum install openstack-neutron-linuxbridge ebtables ipset -y
Configure the common component:
[root@compute1 ~]# vim /etc/neutron/neutron.conf
[DEFAULT]
Configure RabbitMQ message queue access:
rpc_backend = rabbit
Configure Identity service access:
auth_strategy = keystone
[oslo_messaging_rabbit]
Configure RabbitMQ message queue access:
rabbit_host = controller
rabbit_userid = openstack
rabbit_password = openstack
[keystone_authtoken]
Configure Identity service access:
auth_uri = http://controller:5000
auth_url = http://controller:35357
memcached_servers = controller:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = neutron
password = neutron
[oslo_concurrency]
Configure the lock path:
lock_path = /var/lib/neutron/tmp
Configure networking options: provider network configuration
Configure the Linux bridge agent:
[root@compute1 ~]# vim /etc/neutron/plugins/ml2/linuxbridge_agent.ini
[linux_bridge]
Map the provider virtual network to the provider physical network interface:
physical_interface_mappings = provider:eth1
[vxlan]
Disable VXLAN overlay networks:
enable_vxlan = False
[securitygroup]
enable_security_group = True
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
{{Configure Compute to use Networking}}
[root@compute1 ~]# vim /etc/nova/nova.conf
[neutron]
Configure the access parameters:
url = http://controller:9696
auth_url = http://controller:35357
auth_type = password
project_domain_name = default
user_domain_name = default
region_name = RegionOne
project_name = service
username = neutron
password = neutron
Restart the Compute service:
[root@compute1 ~]# systemctl restart openstack-nova-compute.service
Start the Linux bridge agent and configure it to start at boot:
[root@compute1 ~]# systemctl enable neutron-linuxbridge-agent.service
Created symlink from /etc/systemd/system/multi-user.target.wants/neutron-linuxbridge-agent.service to /usr/lib/systemd/system/neutron-linuxbridge-agent.service.
[root@compute1 ~]# systemctl start neutron-linuxbridge-agent.service
Verify operation (run on controller):
[root@controller ~]# . admin-openrc
List the loaded extensions to verify that the neutron-server process started correctly:
[root@controller ~]# neutron ext-list
+---------------------------+-----------------------------------------------+
| alias | name |
+---------------------------+-----------------------------------------------+
| default-subnetpools | Default Subnetpools |
| availability_zone | Availability Zone |
| network_availability_zone | Network Availability Zone |
| auto-allocated-topology | Auto Allocated Topology Services |
| binding | Port Binding |
| agent | agent |
| subnet_allocation | Subnet Allocation |
| dhcp_agent_scheduler | DHCP Agent Scheduler |
| tag | Tag support |
| external-net | Neutron external network |
| net-mtu | Network MTU |
| network-ip-availability | Network IP Availability |
| quotas | Quota management support |
| provider | Provider Network |
| multi-provider | Multi Provider Network |
| address-scope | Address scope |
| timestamp_core | Time Stamp Fields addition for core resources |
| extra_dhcp_opt | Neutron Extra DHCP opts |
| security-group | security-group |
| rbac-policies | RBAC Policies |
| standard-attr-description | standard-attr-description |
| port-security | Port Security |
| allowed-address-pairs | Allowed Address Pairs |
+---------------------------+-----------------------------------------------+
Verify the networking deployment by listing the agents; each agent should be alive (:-)):
[root@controller ~]# neutron agent-list
+----------+------------+----------+-------------------+-------+----------------+--------------+
| id | agent_type | host | availability_zone | alive | admin_state_up | binary |
+----------+------------+----------+-------------------+-------+----------------+--------------+
| 25b7086f | DHCP agent | controll | nova | :-) | True | neutron- |
| -0a61 | | er | | | | dhcp-agent |
| -42fe- | | | | | | |
| b1af-ce8 | | | | | | |
| 32ba0d96 | | | | | | |
| d | | | | | | |
| 6361497c | Linux | compute1 | | :-) | True | neutron- |
| -71d0-4a | bridge | | | | | linuxbridge- |
| 69-9d4b- | agent | | | | | agent |
| c00768e6 | | | | | | |
| 3add | | | | | | |
| 9b17a063 | Linux | controll | | :-) | True | neutron- |
| -60da- | bridge | er | | | | linuxbridge- |
| 49bf- | agent | | | | | agent |
| a62d-9fe | | | | | | |
| 91c4dceb | | | | | | |
| 0 | | | | | | |
| f0aa1f83 | Metadata | controll | | :-) | True | neutron- |
| -a2cd- | agent | er | | | | metadata- |
| 471b-bd8 | | | | | | agent |
| 5-d61025 | | | | | | |
| 51e773 | | | | | | |
+----------+------------+----------+-------------------+-------+----------------+--------------+
Launch an instance:
Create virtual networks: create the provider network:
[root@controller ~]# . admin-openrc
Create the network:
[root@controller ~]# neutron net-create --shared --provider:physical_network provider \
> --provider:network_type flat provider   (the last argument is the virtual network name; choose your own)
Created a new network:
+---------------------------+--------------------------------------+
| Field | Value |
+---------------------------+--------------------------------------+
| admin_state_up | True |
| availability_zone_hints | |
| availability_zones | |
| created_at | 2018-07-29T05:36:00 |
| description | |
| id | d860aabb-51aa-44b1-a829-51e7de41e53a |
| ipv4_address_scope | |
| ipv6_address_scope | |
| mtu | 1500 |
| name | provider |
| port_security_enabled | True |
| provider:network_type | flat |
| provider:physical_network | provider |
| provider:segmentation_id | |
| router:external | False |
| shared | True |
| status | ACTIVE |
| subnets | |
| tags | |
| tenant_id | 6ac9026fee614a39b9f45eab2d9c5282 |
| updated_at | 2018-07-29T05:36:00 |
+---------------------------+--------------------------------------+
Create a subnet on the network:
[root@controller ~]# neutron subnet-create --name provider --allocation-pool start=172.25.60.201,end=172.25.60.220 --dns-nameserver 114.114.114.114 --gateway 172.25.60.250 provider 172.25.60.0/24
Set start and end to the first and last IP addresses of the range you want to allocate to instances. This range must not include any IP address that is already in use.
Created a new subnet:
+-------------------+----------------------------------------------------+
| Field | Value |
+-------------------+----------------------------------------------------+
| allocation_pools | {"start": "172.25.60.201", "end": "172.25.60.220"} |
| cidr | 172.25.60.0/24 |
| created_at | 2018-07-29T05:38:53 |
| description | |
| dns_nameservers | 114.114.114.114 |
| enable_dhcp | True |
| gateway_ip | 172.25.60.250 |
| host_routes | |
| id | 4e1a56db-5e5d-40d5-94e0-db63a8db720d |
| ip_version | 4 |
| ipv6_address_mode | |
| ipv6_ra_mode | |
| name | provider |
| network_id | d860aabb-51aa-44b1-a829-51e7de41e53a |
| subnetpool_id | |
| tenant_id | 6ac9026fee614a39b9f45eab2d9c5282 |
| updated_at | 2018-07-29T05:38:53 |
+-------------------+----------------------------------------------------+
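The rule that the allocation pool must not overlap any address already in use is easy to check before running `neutron subnet-create`, and an overlap (a DHCP lease handed out for the controller's or gateway's address) is painful to debug afterwards. The following added example is my own code, not from the page or from OpenStack: it validates a pool against the subnet CIDR, the gateway, and a set of addresses known to be in use. The in-use set is constructed from the hosts and gateway this page uses (172.25.60.20, .21 and .250); the function names are mine.

```python
"""Validate a provider-subnet allocation pool before creating the subnet.

Added example, not code from the original page or from OpenStack itself.
Checks the pool given to `neutron subnet-create --allocation-pool` against
the CIDR, the gateway and the addresses already assigned on the segment.
"""
import ipaddress

# Constructed from the page: the controller, compute1 and the gateway passed
# to subnet-create all live on the 172.25.60.0/24 provider network.
IN_USE = {"172.25.60.20", "172.25.60.21", "172.25.60.250"}


def check_allocation_pool(cidr, start, end, gateway, in_use=IN_USE):
    """Return a list of problems with the pool; an empty list means it is usable."""
    net = ipaddress.ip_network(cidr, strict=True)
    first, last, gw = (ipaddress.ip_address(a) for a in (start, end, gateway))
    problems = []
    if first > last:
        problems.append("pool start is after pool end")
    for name, addr in (("start", first), ("end", last), ("gateway", gw)):
        if addr not in net:
            problems.append("%s %s is outside %s" % (name, addr, cidr))
    reserved = (net.network_address, net.broadcast_address)
    for name, addr in (("start", first), ("end", last)):
        if addr in reserved:
            problems.append("%s %s is the network or broadcast address" % (name, addr))
    if first <= gw <= last:
        problems.append("gateway %s lies inside the pool" % gw)
    for used in sorted(ipaddress.ip_address(a) for a in in_use):
        if first <= used <= last:
            problems.append("%s is already in use but inside the pool" % used)
    return problems


def pool_size(start, end):
    """Number of addresses DHCP can hand out from the pool."""
    return int(ipaddress.ip_address(end)) - int(ipaddress.ip_address(start)) + 1


if __name__ == "__main__":
    # The pool the page creates: .201 to .220, gateway .250.
    args = ("172.25.60.0/24", "172.25.60.201", "172.25.60.220", "172.25.60.250")
    print("page pool:", check_allocation_pool(*args) or "OK",
          "(%d addresses)" % pool_size(args[1], args[2]))
    # A pool that would swallow the controller and compute1 addresses.
    print("bad pool :", check_allocation_pool("172.25.60.0/24", "172.25.60.10",
                                              "172.25.60.30", "172.25.60.250"))
```

Extend `IN_USE` with anything else that answers on the segment (the physical gateway, other VM hosts, a management switch) before trusting the result; the check only knows about the addresses it is told.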
The official guide recommends using the m1.nano flavor to boot the CirrOS image for testing purposes:
[root@controller ~]# openstack flavor create --id 0 --vcpus 1 --ram 64 --disk 1 m1.nano
+----------------------------+---------+
| Field | Value |
+----------------------------+---------+
| OS-FLV-DISABLED:disabled | False |
| OS-FLV-EXT-DATA:ephemeral | 0 |
| disk | 1 |
| id | 0 |
| name | m1.nano |
| os-flavor-access:is_public | True |
| ram | 64 |
| rxtx_factor | 1.0 |
| swap | |
| vcpus | 1 |
+----------------------------+---------+
Generate a key pair:
[root@controller ~]# . demo-openrc
Generate and add the key pair:
[root@controller ~]# ssh-keygen -q -N ""
Enter file in which to save the key (/root/.ssh/id_rsa):
[root@controller ~]# openstack keypair create --public-key ~/.ssh/id_rsa.pub mykey
+-------------+-------------------------------------------------+
| Field | Value |
+-------------+-------------------------------------------------+
| fingerprint | 47:a8:a8:4a:f9:f9:3e:15:c8:23:dc:f5:a6:a7:98:99 |
| name | mykey |
| user_id | b6d9c5c2ddb54fedb3df5bdaa7c86352 |
+-------------+-------------------------------------------------+
Verify that the public key was added:
[root@controller ~]# openstack keypair list
+-------+-------------------------------------------------+
| Name | Fingerprint |
+-------+-------------------------------------------------+
| mykey | 47:a8:a8:4a:f9:f9:3e:15:c8:23:dc:f5:a6:a7:98:99 |
+-------+-------------------------------------------------+
Add security group rules:
Permit ICMP (ping):
[root@controller ~]# openstack security group rule create --proto icmp default
+-----------------------+--------------------------------------+
| Field | Value |
+-----------------------+--------------------------------------+
| id | 1dbdf765-1f71-4674-8982-b0a968333957 |
| ip_protocol | icmp |
| ip_range | 0.0.0.0/0 |
| parent_group_id | 24abe6f9-70e2-4441-a24a-af74958c16bc |
| port_range | |
| remote_security_group | |
+-----------------------+--------------------------------------+
Permit secure shell (SSH) access:
[root@controller ~]# openstack security group rule create --proto tcp --dst-port 22 default
+-----------------------+--------------------------------------+
| Field | Value |
+-----------------------+--------------------------------------+
| id | eb07d8c3-4413-4bc6-a702-2049642f84c7 |
| ip_protocol | tcp |
| ip_range | 0.0.0.0/0 |
| parent_group_id | 24abe6f9-70e2-4441-a24a-af74958c16bc |
| port_range | 22:22 |
| remote_security_group | |
+-----------------------+--------------------------------------+
Launch an instance on the provider network:
[root@controller ~]# . demo-openrc
List available flavors:
[root@controller ~]# openstack flavor list
+----+-----------+-------+------+-----------+-------+-----------+
| ID | Name | RAM | Disk | Ephemeral | VCPUs | Is Public |
+----+-----------+-------+------+-----------+-------+-----------+
| 0 | m1.nano | 64 | 1 | 0 | 1 | True |
| 1 | m1.tiny | 512 | 1 | 0 | 1 | True |
| 2 | m1.small | 2048 | 20 | 0 | 1 | True |
| 3 | m1.medium | 4096 | 40 | 0 | 2 | True |
| 4 | m1.large | 8192 | 80 | 0 | 4 | True |
| 5 | m1.xlarge | 16384 | 160 | 0 | 8 | True |
+----+-----------+-------+------+-----------+-------+-----------+
List available images:
[root@controller ~]# openstack image list
+--------------------------------------+--------+--------+
| ID | Name | Status |
+--------------------------------------+--------+--------+
| ccb3910b-5759-4ace-9ec9-f19be68458ab | cirros | active |
+--------------------------------------+--------+--------+
List available networks:
[root@controller ~]# openstack network list
+--------------------------------+----------+---------------------------------+
| ID | Name | Subnets |
+--------------------------------+----------+---------------------------------+
| d860aabb-51aa- | provider | 4e1a56db-5e5d- |
| 44b1-a829-51e7de41e53a | | 40d5-94e0-db63a8db720d |
+--------------------------------+----------+---------------------------------+
List available security groups:
[root@controller ~]# openstack security group list
+---------------------+---------+---------------------+-----------------------+
| ID | Name | Description | Project |
+---------------------+---------+---------------------+-----------------------+
| 24abe6f9-70e2-4441 | default | Default security | 7d887d9bc3a44f35b2c8c |
| -a24a-af74958c16bc | | group | 858bd28e16c |
+---------------------+---------+---------------------+-----------------------+
Launch the instance:
[root@controller ~]# openstack server create --flavor m1.nano --image cirros --nic net-id=d860aabb-51aa-44b1-a829-51e7de41e53a --security-group default --key-name mykey qq
+--------------------------------------+--------------------------------------+
| Field | Value |
+--------------------------------------+--------------------------------------+
| OS-DCF:diskConfig | MANUAL |
| OS-EXT-AZ:availability_zone | |
| OS-EXT-STS:power_state | 0 |
| OS-EXT-STS:task_state | scheduling |
| OS-EXT-STS:vm_state | building |
| OS-SRV-USG:launched_at | None |
| OS-SRV-USG:terminated_at | None |
| accessIPv4 | |
| accessIPv6 | |
| addresses | |
| adminPass | xXZT7KsCbry2 |
| config_drive | |
| created | 2018-07-29T05:43:18Z |
| flavor | m1.nano (0) |
| hostId | |
| id | 095c6d01-fa4c-4948-812d-1f9737f9d871 |
| image | cirros (ccb3910b-5759-4ace- |
| | 9ec9-f19be68458ab) |
| key_name | mykey |
| name | qq |
| os-extended-volumes:volumes_attached | [] |
| progress | 0 |
| project_id | 7d887d9bc3a44f35b2c8c858bd28e16c |
| properties | |
| security_groups | [{u'name': u'default'}] |
| status | BUILD |
| updated | 2018-07-29T05:43:19Z |
| user_id | b6d9c5c2ddb54fedb3df5bdaa7c86352 |
+--------------------------------------+--------------------------------------+
Check the status of the instance:
[root@controller ~]# openstack server list
+------------------------------+------+--------+------------------------+
| ID | Name | Status | Networks |
+------------------------------+------+--------+------------------------+
| 095c6d01-fa4c-4948-812d- | qq | ACTIVE | provider=172.25.60.202 |
| 1f9737f9d871 | | | |
+------------------------------+------+--------+------------------------+
Obtain a Virtual Network Computing (VNC) session URL for the instance and access it from a web browser:
[root@controller ~]# openstack console url show qq
+-------+---------------------------------------------------------------------+
| Field | Value |
+-------+---------------------------------------------------------------------+
| type | novnc |
| url | http://controller:6080/vnc_auto.html?token=0f9e85f5-6eea-4548-891e- |
| | cf8aab23f71e ###URL to open in the browser |
+-------+---------------------------------------------------------------------+
The user name and password are the defaults shown above:
Check whether the instance has an IP address and whether it can ping the host:
How to shut down the cloud instance and the virtual host:
[root@controller ~]# openstack server stop qq
Check whether the cloud instance has shut down: