简介
OpenStack是什么?
云计算:形象化的说法,云计算是一种按使用量付费的模式,这种模式提供可用的、便捷的、按需的网络访问
云计算的分类:
公有云:公有云通常指第三方提供商为用户提供的能够使用的云,公有云一般可通过 Internet 使用,可能是免费或成本低廉的,公有云的核心属性是共享资源服务。私有云:私有云是为一个客户单独使用而构建的,因而提供对数据、安全性和服务质量的最有效控制。该公司拥有基础设施,并可以控制在此基础设施上部署应用程序的方式。私有云可部署在企业数据中心的防火墙内,也可以将它们部署在一个安全的主机托管场所,私有云的核心属性是专有资源。混合云:混合云融合了公有云和私有云,是近年来云计算的主要模式和发展方向。我们已经知道私有云主要是面向企业用户,出于安全考虑,企业更愿意将数据存放在私有云中,但是同时又希望可以获得公有云的计算资源,在这种情况下混合云被越来越多的采用,它将公有云和私有云进行混合和匹配,以获得最佳的效果,这种个性化的解决方案,达到了既省钱又安全的目的。
云计算的服务形式:
Iaas:基础架构即服务。提供云主机(各种物理资源)
Paas:平台即服务。提供中间件,服务组件
Saas:软件即服务。提供软件
OpenStack是一种Iaas的解决方案
OpenStack是一个开源的云计算管理平台项目,由几个主要的组件组合起来完成具体工作。OpenStack支持几乎所有类型的云环境,项目目标是提供实施简单、可大规模扩展、丰富、标准统一的云计算管理平台。OpenStack通过各种互补的服务提供了基础设施即服务(IaaS)的解决方案,每个服务提供API以进行集成。
OpenStack和RHV有什么区别
RHV是采用虚拟化资源统一集中的管理的方式,资源由管理员统一分配,类似于计划经济;而OpenStack属于自助管理,需要什么就买什么,按需付费,类似于市场经济。
OpenStack解决了什么问题
OpenStack是一个旨在为公有云以及私有云的建设与管理提供软件的开源项目。它的社区拥有超过130家企业及1350位开发者,这些机构与个人都将OpenStack作为基础设施即服务(IaaS)资源的通用前端。OpenStack项目的首要任务是简化云的部署过程并为其带来良好的可扩展性。本文希望通过提供必要的指导信息,帮助大家利用OpenStack前端来设置及管理自己的公共云或私有云。
OpenStack 中有哪些项目?
keystone:认证服务。Keystone 认证所有 OpenStack 服务并对其进行授权。同时,它也是所有服务的端点目录。glance:镜像服务。Glance 可存储和检索多个位置的虚拟机磁盘镜像。nova:计算服务。是一个完整的 OpenStack 计算资源管理和访问工具,负责处理规划、创建和删除操作。neutron:网络服务。Neutron 能够连接其他 OpenStack 服务并连接网络。dashboard:web管理界面Swift: 是一种高度容错的对象存储服务,使用 RESTful API 来存储和检索非结构数据对象。Cinder :块存储服务。通过自助服务 API 访问持久块存储。Ceilometer:监控服务。计费Heat:集群服务。编排
从官网入手学习:/mitaka/zh_CN/install-guide-rdo/environment.html
openstack的部署对计算机的要求是比较高的,我们只部署控制结点,计算结点,存储结点
控制结点负责调度(跑一些核心应用),计算结点负责运行云主机,存储结点负责存储数据。
环境
安全
OpenStack 服务支持各种各样的安全方式,包括密码 password、policy 和 encryption,支持的服务包括数据库服务器,且消息 broker 至少支持 password 的安全方式。
由于密码比较多,我们可以用表格来记录密码。
还可以用openssl来生成密码:
[root@server1 ~]# openssl rand -hex 109275b356d387e3b78215
网络
控制结点需要两个网卡:
[root@server1 network-scripts]# ip a1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00inet 127.0.0.1/8 scope host lovalid_lft forever preferred_lft foreverinet6 ::1/128 scope host valid_lft forever preferred_lft forever2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000link/ether 52:54:00:8b:de:3d brd ff:ff:ff:ff:ff:ffinet 172.25.254.1/24 brd 172.25.254.255 scope global ens3valid_lft forever preferred_lft foreverinet6 fe80::5054:ff:fe8b:de3d/64 scope link valid_lft forever preferred_lft forever3: eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state D[root@server1 network-scripts]# cat ifcfg-eth0 BOOTPROTO=noneDEVICE=eth0ONBOOT=yeseth0 是我新加进来的网.[root@server1 network-scripts]# ifup eth0/激活这个设备[root@server1 network-scripts]# ip addr show eth03: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000link/ether 52:54:00:b2:b9:4e brd ff:ff:ff:ff:ff:ffinet6 fe80::5054:ff:feb2:b94e/64 scope link valid_lft forever preferred_lft forever
配置域名解析:
[root@server1 ~]# cat /etc/hosts127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4::1 localhost localhost.localdomain localhost6 localhost6.localdomain6172.25.254.67 rhel7host172.25.254.1controller172.25.254.2compute1172.25.254.3block1[root@server1 ~]# hostnamectl set-hostname controller
时间同步
安装Chrony,保证openstack集群时间同步:
宿主机上:
[root@rhel7host redhat]# systemctl status chronyd● chronyd.service - NTP client/serverLoaded: loaded (/usr/lib/systemd/system/chronyd.service; enabled; vendor preset: enabled)Active: active (running) since Wed -07-15 11:47:17 CST; 8h agoProcess: 825 ExecStartPost=/usr/libexec/chrony-helper update-daemon (code=exited, status=0/SUCCESS)Process: 761 ExecStart=/usr/sbin/chronyd $OPTIONS (code=exited, status=0/SUCCESS)Main PID: 779 (chronyd)CGroup: /system.slice/chronyd.service└─779 /usr/sbin/chronyd[root@rhel7host redhat]# vim /etc/chrony.confserver iburstserver iburst/使用阿里云的时间同步服务器server iburst。。# Allow NTP client access from local network.allow 172.25/16/允许172.25这个网段的主机同步我的时间
控制结点上;
[root@server1 network-scripts]# yum install chrony -y[root@server1 network-scripts]# vim /etc/chrony.conf server 172.25.254.67 iburst从宿主机上同步时间[root@server1 network-scripts]# systemctl enable --now chronyd/设置开机自启[root@server1 network-scripts]# chronyc sources -v210 Number of sources = 1.-- Source mode '^' = server, '=' = peer, '#' = local clock./ .- Source state '*' = current synced, '+' = combined , '-' = not combined,| / '?' = unreachable, 'x' = time may be in error, '~' = time too variable.|| .- xxxx [ yyyy ] +/- zzzz||Reachability register (octal) -. | xxxx = adjusted offset,||Log2(Polling interval) --.|| yyyy = measured offset,|| \|| zzzz = estimated error.|| | | \MS Name/IP address Stratum Poll Reach LastRx Last sample===============================================================================^* rhel7host 3 6 17 31 -2665ns[-5183ns] +/- 41ms
除过控制结点,起他的结点也是同样的配置,这只是一种方式,可以根据采用不同的选择,比如只在openstack集群中同步即可
安装openstack包
我们使用的是openstack的mitaka版本:
[root@rhel7host mitaka]# pwd/var/ftp/pub/openstack/mitaka/放在宿主机的这个路径下
在server1中配置yum源
[root@server1 yum.repos.d]# cat openstack.repo [openstack]name=mitakabaseurl=ftp://172.25.254.67/pub/openstack/mitakagpgcheck=0[root@server1 yum.repos.d]# yum repolist Loaded plugins: product-id, search-disabled-repos, subscription-managerThis system is not registered with an entitlement server. You can use subscription-manager to register.openstack | 2.9 kB 00:00:00openstack/primary_db | 141 kB 00:00:00repo id repo name statusopenstackmitaka 279westos westos5,152repolist: 5,431
我们先更新一下系统:
[root@server1 ~]# yum upgrade
安装 OpenStack 客户端(命令行):
yum install python-openstackclient
关闭SELinux
[root@server1 ~]# getenforce Disabled
SQL数据库
安装软件包:yum install mariadb mariadb-server python2-PyMySQL
创建并编辑 /etc/f.d/f
[root@server1 ~]# vim /etc/f.d/f[root@server1 ~]# cat /etc/f.d/f[mysqld]bind-address = 172.25.254.1/绑定控制结点地址default-storage-engine = innodb/存储引擎innodb_file_per_table/独占表空间max_connections = 4096/最大连接数collation-server = utf8_general_cicharacter-set-server = utf8/字符集[root@server1 ~]# systemctl enable --now mariadb/设置开机自启Created symlink from /etc/systemd/system/multi-user.target.wants/mariadb.service to /usr/lib/systemd/system/mariadb.service.[root@server1 ~]# mysql_secure_installation Set root password? [Y/n] yNew password: caoaoyuanRe-enter new password: caoaoyuanRemove anonymous users? [Y/n] yDisallow root login remotely? [Y/n] yRemove test database and access to it? [Y/n] yReload privilege tables now? [Y/n] y
消息队列
安装包:[root@server1 ~]# yum install rabbitmq-server -y启动消息队列服务并将其配置为随系统启动:[root@server1 ~]# systemctl enable --now rabbitmq-server.service Created symlink from /etc/systemd/system/multi-user.target.wants/rabbitmq-server.service to /usr/lib/systemd/system/rabbitmq-server.service.添加 openstack 用户:[root@server1 ~]# rabbitmqctl add_user openstack openstack/我这里设置密码和用户名相同,后面的是密码Creating user "openstack" ...给openstack 用户配置写和读权限:[root@server1 ~]# rabbitmqctl set_permissions openstack ".*" ".*" ".*"Setting permissions for user "openstack" in vhost "/" ...
这里的 .* 的意思是:
[root@server1 ~]# rabbitmq-plugins list/查看插件[root@server1 ~]# rabbitmq-plugins enable rabbitmq_management /打开管理器,回启动响应插件
账户密码都是 guest。
可以看到我们刚才设置的权限。
Memcached
接下来的认证服务认证缓存使用Memcached缓存令牌。缓存服务memecached运行在控制节点。在生产部署中,我们推荐联合启用防火墙、认证和加密保证它的安全。以前使用的是mysql,但是会造成压力且需要定期回收,memcache可以设置最长存储时间,来解决这个问题。
安装软件包:[root@server1 ~]# yum install memcached python-memcached -y[root@server1 ~]# vim /etc/sysconfig/memcached PORT="11211"USER="memcached"MAXCONN="1024"CACHESIZE="64"#OPTIONS="-l 127.0.0.1,::1"/注释掉这里,让他监听本机所有的接口,保证远程连接可以成功启动Memcached服务,并且配置它随机启动。[root@server1 ~]# systemctl enable --now memcached.service Created symlink from /etc/systemd/system/multi-user.target.wants/memcached.service to /usr/lib/systemd/system/memcached.service.[root@server1 ~]# netstat -tnlp |grep 11211tcp 00 0.0.0.0:11211 0.0.0.0:*LISTEN5320/memcachedtcp6 00 :::11211:::*LISTEN5320/memcached
认证服务keystone
认证服务的主要作用就是提供认证和授权服务,颁布令牌,它还有一个目录专门用于存放各个api的端点,当不同的组件进行通信时,就可以通过 api 进行访问。
在你配置 OpenStack 身份认证服务前,你必须创建一个数据库和管理员令牌。所有的数据都存放在数据库当中,美创建一个组件,就要创建相应的数据库。
[root@server1 ~]# mysql -uroot -pcaoaoyuan/创建 keystone 数据库:MariaDB [(none)]> CREATE DATABASE keystone;Query OK, 1 row affected (0.00 sec)/对``keystone``数据库授予恰当的权限:MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'keystone';Query OK, 0 rows affected (0.00 sec)MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone';% 让外部也可以连接/生成一个随机值在初始的配置中作为管理员的令牌。[root@controller ~]# openssl rand -hex 10f8eea09f945c8d29431b
安全并配置组件
[root@controller ~]# vim /etc/keystone/keystone.conf[DEFAULT]admin_token = f8eea09f945c8d29431b/定义初始管理令牌的值,和上面生成的一致,仅在初始化是使用[database]connection = mysql+pymysql://keystone:keystone@controller/keystone用户密码要访问的数据库[token]provider = fernet/选择token的提供者
以keystone初始化身份认证服务的数据库:[root@controller ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone[root@controller ~]# mysql -pMariaDB [(none)]> use keystone;MariaDB [keystone]> show tables;+------------------------+| Tables_in_keystone|+------------------------+| access_token |.......| service_provider || token || trust || trust_role || user |/表已经生成了| user_group_membership || whitelisted_config|+------------------------+
初始化Fernet keys:[root@controller ~]# cd /etc/keystone/[root@controller keystone]# lsdefault_catalog.templates keystone.conf keystone-paste.ini logging.conf policy.json sso_callback_template.html[root@controller keystone]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone[root@controller keystone]# lsdefault_catalog.templates fernet-keys keystone.conf keystone-paste.ini logging.conf policy.json sso_callback_template.html生成了 fernet-keys 这个目录
配置 Apache HTTP 服务器
[root@controller keystone]# vim /etc/httpd/conf/httpd.conf#ServerName :80ServerName controller/配置``ServerName`` 选项为控制节点[root@controller conf.d]# vim /etc/httpd/conf.d/wsgi-keystone.confListen 5000Listen 35357/监听两个端口<VirtualHost *:5000>WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}WSGIProcessGroup keystone-publicWSGIScriptAlias / /usr/bin/keystone-wsgi-public/用于外部访问WSGIApplicationGroup %{GLOBAL}WSGIPassAuthorization OnErrorLogFormat "%{cu}t %M"ErrorLog /var/log/httpd/keystone-error.logCustomLog /var/log/httpd/keystone-access.log combined<Directory /usr/bin>Require all granted</Directory></VirtualHost><VirtualHost *:35357>WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}WSGIProcessGroup keystone-adminWSGIScriptAlias / /usr/bin/keystone-wsgi-admin/用于内部控制WSGIApplicationGroup %{GLOBAL}WSGIPassAuthorization OnErrorLogFormat "%{cu}t %M"ErrorLog /var/log/httpd/keystone-error.logCustomLog /var/log/httpd/keystone-access.log combined<Directory /usr/bin>Require all granted</Directory></VirtualHost>[root@controller conf.d]# systemctl enable --now httpd.service Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.[root@controller conf.d]# netstat -tnlp | grep 5000tcp6 00 :::5000 :::*LISTEN16119/httpd [root@controller conf.d]# netstat -tnlp | grep 35357tcp6 00 :::35357:::*LISTEN16119/httpd
创建服务实体和API端点
先决条件
[root@controller conf.d]# export OS_TOKEN=f8eea09f945c8d29431b/配置认证令牌[root@controller conf.d]# export OS_URL=http://controller:35357/v3/配置端点URL[root@controller conf.d]# export OS_IDENTITY_API_VERSION=3/配置认证 API 版本
在你的Openstack环境中,认证服务管理服务目录。服务使用这个目录来决定您的环境中可用的服务。
创建服务实体和身份认证服务:
[root@controller conf.d]# openstack service create --name keystone --description "OpenStack Identity" identity+-------------+----------------------------------+| Field | Value |+-------------+----------------------------------+| description | OpenStack Identity|| enabled| True || id| eb2a914b7f0d4752868784b47a31a703 || name | keystone|| type | identity|[root@controller conf.d]# openstack service list+----------------------------------+----------+----------+| ID | Name| Type|+----------------------------------+----------+----------+| eb2a914b7f0d4752868784b47a31a703 | keystone | identity |+----------------------------------+----------+----------+
创建认证服务的 API 端点:
[root@controller conf.d]# openstack endpoint create --region RegionOne identity public http://controller:5000/v3+--------------+----------------------------------+| Field | Value |+--------------+----------------------------------+| enabled| True || id | 7be3b4c7194344dcb883a3fa63123467 || interface | public |/外部使用的端点| region | RegionOne || region_id | RegionOne || service_id | eb2a914b7f0d4752868784b47a31a703 || service_name | keystone|| service_type | identity|| url| http://controller:5000/v3 |+--------------+----------------------------------+[root@controller conf.d]# openstack endpoint create --region RegionOne \> identity internal http://controller:5000/v3+--------------+----------------------------------+| Field | Value |+--------------+----------------------------------+| enabled| True || id | 6bdd28b8ece7497181ca3f97347caa37 || interface | internal|| region | RegionOne |/内部使用的端点| region_id | RegionOne || service_id | eb2a914b7f0d4752868784b47a31a703 || service_name | keystone|| service_type | identity|| url| http://controller:5000/v3 |+--------------+----------------------------------+[root@controller conf.d]# openstack endpoint create --region RegionOne \> identity admin http://controller:35357/v3+--------------+----------------------------------+| Field | Value |+--------------+----------------------------------+| enabled| True || id | cd6130854ba143f0bdfd6c9603fa6e95 || interface | admin || region | RegionOne |/管理员使用的端点| region_id | RegionOne || service_id | eb2a914b7f0d4752868784b47a31a703 || service_name | keystone|| service_type | identity|| url| http://controller:35357/v3 |+--------------+----------------------------------+[root@controller conf.d]# openstack endpoint list+----------------------------------+-----------+--------------+--------------+---------+-----------+----------------------------+| ID | Region | Service Name | Service Type | Enabled | Interface | URL |+----------------------------------+-----------+--------------+--------------+---------+-----------+----------------------------+| 6bdd28b8ece7497181ca3f97347caa37 | RegionOne | keystone| identity| True | internal | http://controller:5000/v3 || 7be3b4c7194344dcb883a3fa63123467 | RegionOne | keystone| identity| True | public | http://controller:5000/v3 || cd6130854ba143f0bdfd6c9603fa6e95 | RegionOne | keystone| identity| True | admin| http://controller:35357/v3 |+----------------------------------+-----------+--------------+--------------+---------+-----------+----------------------------+
创建域、项目、用户和角色
[root@controller conf.d]# openstack domain list/当前没有域[root@controller conf.d]#
[root@controller conf.d]# openstack domain create --description "Default Domain" default+-------------+----------------------------------+| Field | Value |+-------------+----------------------------------+| description | Default Domain || enabled| True |/创建域``default``| id| c80fd98d2b4b4946839e90c6a4eea979 || name | default|+-------------+----------------------------------+[root@controller conf.d]# openstack project create --domain default \> --description "Admin Project" admin+-------------+----------------------------------+| Field | Value |+-------------+----------------------------------+/创建 admin 项目:| description | Admin Project|| domain_id | c80fd98d2b4b4946839e90c6a4eea979 || enabled| True || id| 5bd822f5700d4153bc85403de17b35db || is_domain | False || name | admin || parent_id | c80fd98d2b4b4946839e90c6a4eea979 |+-------------+----------------------------------+[root@controller conf.d]# openstack user create --domain default \> --password admin admin+-----------+----------------------------------+| Field| Value |+-----------+----------------------------------+| domain_id | c80fd98d2b4b4946839e90c6a4eea979 || enabled | True || id | 7d45ebaf9a974ce69b8f6197c7f8719f || name| admin |/创建 admin 用户:+-----------+----------------------------------+[root@controller conf.d]# openstack role create admin+-----------+----------------------------------+| Field| Value |+-----------+----------------------------------+| domain_id | None || id | c08749bee57d4d2ead99fb744da4bd00 || name| admin |/创建 admin 角色:+-----------+----------------------------------+[root@controller conf.d]# openstack role add --project admin --user admin admin/添加``admin`` 角色到 admin 项目和用户上:
[root@controller conf.d]# openstack project create --domain default \> --description "Service Project" service+-------------+----------------------------------+| Field | Value |+-------------+----------------------------------+| description | Service Project || domain_id | c80fd98d2b4b4946839e90c6a4eea979 || enabled| True || id| 1785606c122c413c9a134bf92e6f5374 || is_domain | False || name | service|/创建``service``项目:| parent_id | c80fd98d2b4b4946839e90c6a4eea979 |+-------------+----------------------------------+[root@controller conf.d]# openstack project create --domain default \> --description "Demo Project" demo+-------------+----------------------------------+| Field | Value |+-------------+----------------------------------+| description | Demo Project || domain_id | c80fd98d2b4b4946839e90c6a4eea979 || enabled| True || id| cdc49f2f64d24621b0f54bcc72b6b5df || is_domain | False || name | demo |/创建``demo`` 项目:无特权的项目和用户| parent_id | c80fd98d2b4b4946839e90c6a4eea979 |+-------------+----------------------------------+[root@controller conf.d]# openstack user create --domain default \> --password demo demo+-----------+----------------------------------+| Field| Value |+-----------+----------------------------------+| domain_id | c80fd98d2b4b4946839e90c6a4eea979 || enabled | True || id | aa9345f4858145ca8a4e295f63a44647 || name| demo |/创建``demo`` 用户+-----------+----------------------------------+[root@controller conf.d]# openstack role create user+-----------+----------------------------------+| Field| Value |+-----------+----------------------------------+| domain_id | None || id | bd16a57f93ba41a9b1a1bf16af4b5dd2 || name| user |/创建 user 角色+-----------+----------------------------------+[root@controller conf.d]# openstack role add --project demo --user demo user/添加 user``角色到 ``demo 项目和用户
验证操作
重置``OS_TOKEN``和``OS_URL`` 环境变量:[root@controller conf.d]# unset OS_TOKEN OS_URL作为 admin 用户,连接keystone请求认证令牌:[root@controller conf.d]# openstack --os-auth-url http://controller:35357/v3 \> --os-project-domain-name default --os-user-domain-name default \> --os-project-name admin --os-username admin token issuePassword: +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+| Field| Value |+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+| expires | -07-16T04:52:21.551634Z || id | gAAAAABfD871WyI80v9BBl7Kykt3JMvSJa_VOs7Mr1qx-IdCJm4Q_RzXELO4JRdEXnUEkRgm9xDwKu6Hafi3wftADCQ48_gbTKxOwoqwDPGkccv5bnc7ydWf-Awoqg-Y0oLlNjwc4v8e1XVrus3Y6QZLY1r5qKU7vwDwR_WuRU8rV654x9vHIak || project_id | 5bd822f5700d4153bc85403de17b35db || user_id | 7d45ebaf9a974ce69b8f6197c7f8719f |+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+默认存放在memcache中作为``demo`` 用户,请求认证令牌:[root@controller conf.d]# openstack --os-auth-url http://controller:5000/v3 \> --os-project-domain-name default --os-user-domain-name default \> --os-project-name demo --os-username demo token issuePassword: +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+| Field| Value |+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+| expires | -07-16T04:53:10.651151Z || id | gAAAAABfD88m_PHLeX07fQc9rVtznPrOGJcZjx4bGNj42V5lTj6U7XQQTpgINUgNVSRYvaiP1TRg-Z5KjJDvs3FPICMbONMoqCvt2Pypt8U9u5-8hTMJJniN0_EUAflfilI3ZCGoVWbQ5qmJBGQ8ze6LjPXZgaYItj4KfTwmaQWei5XAnA3LaJE || project_id | cdc49f2f64d24621b0f54bcc72b6b5df || user_id | aa9345f4858145ca8a4e295f63a44647 |+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+列出用户:[root@controller conf.d]# openstack --os-auth-url http://controller:5000/v3 --os-project-domain-name default --os-user-domain-name default --os-project-name admin --os-username admin user listPassword: +----------------------------------+-------+| ID | Name |+----------------------------------+-------+| 7d45ebaf9a974ce69b8f6197c7f8719f | admin || aa9345f4858145ca8a4e295f63a44647 | demo |+----------------------------------+-------+
每次连接openstack都使用这种方式是比较麻烦的,所以官方让我们创建脚本,放到环境变量中:
创建 OpenStack 客户端环境脚本
[root@controller ~]# cat admin-openrc /管理员脚本export OS_PROJECT_DOMAIN_NAME=defaultexport OS_USER_DOMAIN_NAME=defaultexport OS_PROJECT_NAME=adminexport OS_USERNAME=adminexport OS_PASSWORD=adminexport OS_AUTH_URL=http://controller:35357/v3export OS_IDENTITY_API_VERSION=3export OS_IMAGE_API_VERSION=2[root@controller ~]# vim demo-openrc /demo用户脚本export OS_PROJECT_DOMAIN_NAME=defaultexport OS_USER_DOMAIN_NAME=defaultexport OS_PROJECT_NAME=demoexport OS_USERNAME=demoexport OS_PASSWORD=demoexport OS_AUTH_URL=http://controller:5000/v3export OS_IDENTITY_API_VERSION=3export OS_IMAGE_API_VERSION=2[root@controller ~]# source admin-openrc /切换到管理员的脚本[root@controller ~]# openstack user list+----------------------------------+-------+| ID | Name |+----------------------------------+-------+| 7d45ebaf9a974ce69b8f6197c7f8719f | admin || aa9345f4858145ca8a4e295f63a44647 | demo |/就可以直接列出了+----------------------------------+-------+[root@controller ~]# source demo-openrc [root@controller ~]# openstack user list/切换到普通用户就不行了。You are not authorized to perform the requested action: identity:list_users (HTTP 403) (Request-ID: req-3c904770-943e-49a9-9b92-d35ac7749b17)[root@controller ~]# source admin-openrc [root@controller ~]# openstack project list+----------------------------------+---------+| ID | Name |+----------------------------------+---------+| 1785606c122c413c9a134bf92e6f5374 | service || 5bd822f5700d4153bc85403de17b35db | admin || cdc49f2f64d24621b0f54bcc72b6b5df | demo |+----------------------------------+---------+
Glance镜像服务
OpenStack镜像服务包括以下组件:
glance-api
接收镜像API的调用,诸如镜像发现、恢复、存储。
glance-registry
存储、处理和恢复镜像的元数据,元数据包括项诸如大小和类型。
数据库
存放镜像元数据,用户是可以依据个人喜好选择数据库的,多数的部署使用MySQL或SQLite。
镜像文件的存储仓库
支持多种类型的仓库,它们有普通文件系统、对象存储、RADOS块设备、HTTP、以及亚马逊S3。记住,其中一些仓库仅支持只读方式使用。
元数据定义服务
通用的API,是用于为厂商,管理员,服务,以及用户自定义元数据。这种元数据可用于不同的资源,例如镜像,工件,卷,配额以及集合。一个定义包括了新属性的键,描述,约束以及可以与之关联的资源的类型。
安装和配置
创建glance数据库
(openstack) [root@controller ~]# mysql -u root -pEnter password: MariaDB [(none)]> CREATE DATABASE glance;Query OK, 1 row affected (0.00 sec)MariaDB [(none)]> GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'localhost' IDENTIFIED BY 'glance';Query OK, 0 rows affected (0.00 sec)MariaDB [(none)]> GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'%' IDENTIFIED BY 'glance';Query OK, 0 rows affected (0.00 sec)MariaDB [(none)]> Ctrl-C -- exit!Aborted[root@controller ~]# mysql -uglance -pglanceMariaDB [(none)]>/测试可以登陆即可
创建服务证书
[root@controller ~]# source admin-openrc [root@controller ~]# openstack user create --domain default --password glance glance+-----------+----------------------------------+| Field| Value |+-----------+----------------------------------+| domain_id | c80fd98d2b4b4946839e90c6a4eea979 || enabled | True || id | 12b1ebac364f42d3b499347824d4f13a || name| glance |/创建 glance 用户+-----------+----------------------------------+[root@controller ~]# openstack role add --project service --user glance admin/添加 admin 角色到 glance 用户和 service 项目上[root@controller ~]# openstack service create --name glance \> --description "OpenStack Image" image/创建``glance``服务实体+-------------+----------------------------------+| Field | Value |+-------------+----------------------------------+| description | OpenStack Image || enabled| True || id| 0783cb66f29049fcb4a2c9c0789aeb14 || name | glance || type | image |+-------------+----------------------------------+
创建镜像服务的 API 端点
[root@controller ~]# openstack endpoint create --region RegionOne \> image public http://controller:9292+--------------+----------------------------------+| Field | Value |+--------------+----------------------------------+| enabled| True || id | 40b0c5637a20483b97e91907a966021a || interface | public || region | RegionOne || region_id | RegionOne || service_id | 0783cb66f29049fcb4a2c9c0789aeb14 || service_name | glance || service_type | image || url| http://controller:9292 |+--------------+----------------------------------+[root@controller ~]# openstack endpoint create --region RegionOne \> image internal http://controller:9292+--------------+----------------------------------+| Field | Value |+--------------+----------------------------------+| enabled| True || id | 36a2e7acde264897983487c2efaf6b6f || interface | internal|| region | RegionOne || region_id | RegionOne || service_id | 0783cb66f29049fcb4a2c9c0789aeb14 || service_name | glance || service_type | image || url| http://controller:9292 |+--------------+----------------------------------+[root@controller ~]# openstack endpoint create --region RegionOne \> image admin http://controller:9292+--------------+----------------------------------+| Field | Value |+--------------+----------------------------------+| enabled| True || id | d18ac764e04d4b1d973b83e85349c63b || interface | admin || region | RegionOne || region_id | RegionOne || service_id | 0783cb66f29049fcb4a2c9c0789aeb14 || service_name | glance || service_type | image || url| http://controller:9292 |+--------------+----------------------------------+
[root@controller ~]# yum install openstack-glance -y[root@controller ~]# vim /etc/glance/glance-api.conf [DEFAULT]connection = mysql+pymysql://glance:glance@controller/glance/连接数据库[keystone_authtoken]/连接keystone,进行认证授权auth_uri = http://controller:5000auth_url = http://controller:35357memcached_servers = controller:11211auth_type = passwordproject_domain_name = defaultuser_domain_name = defaultproject_name = serviceusername = glancepassword = glance[paste_deploy]flavor = keystone[glance_store]stores = file,http/在 [glance_store] 部分,配置本地文件系统存储和镜像文件位置default_store = filefilesystem_store_datadir = /var/lib/glance/images/
[DEFAULT]connection = mysql+pymysql://glance:glance@controller/glance[keystone_authtoken]auth_uri = http://controller:5000auth_url = http://controller:35357memcached_servers = controller:11211auth_type = passwordproject_domain_name = defaultuser_domain_name = defaultproject_name = serviceusername = glancepassword = glance[paste_deploy]flavor = keystone[root@controller ~]# su -s /bin/sh -c "glance-manage db_sync" glance/以glance身份同步数据库
[root@controller ~]# systemctl enable --now openstack-glance-api.service openstack-glance-registry.serviceCreated symlink from /etc/systemd/system/multi-user.target.wants/openstack-glance-api.service to /usr/lib/systemd/system/openstack-glance-api.service.Created symlink from /etc/systemd/system/multi-user.target.wants/openstack-glance-registry.service to /usr/lib/systemd/system/openstack-glance-registry.service.[root@controller ~]# netstat -tnlp|grep 9292tcp 00 0.0.0.0:9292 0.0.0.0:*LISTEN17924/python2
验证操作
下载源镜像:wget http://download.cirros-/0.3.4/cirros-0.3.4-x86_64-disk.img上传:[root@controller ~]# openstack image create "cirros" \> --file cirros-0.3.4-x86_64-disk.img \> --disk-format qcow2 --container-format bare \公共可见> --public+------------------+------------------------------------------------------+| Field | Value |+------------------+------------------------------------------------------+| checksum | ee1eca47dc88f4879d8a229cc70a07c6 || container_format | bare || created_at | -07-16T05:52:49Z || disk_format| qcow2 || file | /v2/images/5b9aae7b-761b-4551-8a5d-e569b63fc070/file || id| 5b9aae7b-761b-4551-8a5d-e569b63fc070 || min_disk | 0 || min_ram| 0 || name | cirros || owner | 5bd822f5700d4153bc85403de17b35db || protected | False || schema | /v2/schemas/image|| size | 13287936|| status | active || tags | || updated_at | -07-16T05:52:49Z || virtual_size| None || visibility | public |+------------------+------------------------------------------------------+[root@controller ~]# cd /var/lib/glance/images/[root@controller images]# ls5b9aae7b-761b-4551-8a5d-e569b63fc070[root@controller images]# openstack image list+--------------------------------------+--------+--------+| ID| Name | Status |+--------------------------------------+--------+--------+| 5b9aae7b-761b-4551-8a5d-e569b63fc070 | cirros | active |+--------------------------------------+--------+--------+
就成功了。
nova计算服务
OpenStack计算服务由下列组件所构成:
nova-api 服务
接收和响应来自最终用户的计算API请求。此服务支持OpenStack计算服务API,Amazon EC2 API,以及特殊的管理API用于赋予用户做一些管理的操作。它会强制实施一些规则,发起多数的编排活动,例如运行一个实例。
nova-api-metadata 服务
接受来自虚拟机发送的元数据请求。
。。。。。。
安装并配置控制节点
先决条件
[root@controller ~]# mysql -uroot -pEnter password: MariaDB [(none)]> CREATE DATABASE nova_api;Query OK, 1 row affected (0.00 sec)MariaDB [(none)]> CREATE DATABASE nova;Query OK, 1 row affected (0.00 sec)MariaDB [(none)]> GRANT ALL PRIVILEGES ON nova_api.* TO 'nova'@'localhost' \-> IDENTIFIED BY 'nova';Query OK, 0 rows affected (0.00 sec)MariaDB [(none)]> GRANT ALL PRIVILEGES ON nova_api.* TO 'nova'@'%' \-> IDENTIFIED BY 'nova';Query OK, 0 rows affected (0.00 sec)MariaDB [(none)]> GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'localhost' \-> IDENTIFIED BY 'nova';Query OK, 0 rows affected (0.00 sec)MariaDB [(none)]> GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'%' IDENTIFIED BY 'nova';Query OK, 0 rows affected (0.00 sec)[root@controller ~]# mysql -unova -p novaEnter password: MariaDB [nova]> [root@controller ~]# mysql -unova -p nova_apiEnter password: MariaDB [nova_api]> /能登录进去即可
创建服务证书:
[root@controller ~]# openstack user create --domain default \> --password nova nova/创建 nova 用户+-----------+----------------------------------+| Field| Value |+-----------+----------------------------------+| domain_id | c80fd98d2b4b4946839e90c6a4eea979 || enabled | True || id | e9821d5458e241fc8c7938a8999f6176 || name| nova |+-----------+----------------------------------+[root@controller ~]# openstack role add --project service --user nova admin/给 nova 用户添加 admin 角色[root@controller ~]# openstack service create --name nova \:> --description "OpenStack Compute" compute/创建 nova 服务实体+-------------+----------------------------------+| Field | Value |+-------------+----------------------------------+| description | OpenStack Compute|| enabled| True || id| 93792920eb764f3c8515e2532e5ab48e || name | nova || type | compute|+-------------+----------------------------------+创建 Compute 服务 API 端点:[root@controller ~]# openstack endpoint create --region RegionOne \> compute public http://controller:8774/v2.1/%\(tenant_id\)s+--------------+-------------------------------------------+| Field | Value |+--------------+-------------------------------------------+| enabled| True || id | ef90b4491aa9434b9ffd50f1c6b23fee|| interface | public|| region | RegionOne || region_id | RegionOne || service_id | 93792920eb764f3c8515e2532e5ab48e|| service_name | nova || service_type | compute|| url| http://controller:8774/v2.1/%(tenant_id)s |+--------------+-------------------------------------------+[root@controller ~]# openstack endpoint create --region RegionOne \> compute internal http://controller:8774/v2.1/%\(tenant_id\)s+--------------+-------------------------------------------+| Field | Value |+--------------+-------------------------------------------+| enabled| True || id | 36adfeaaf2454ee39977af8e70db4368|| interface | internal || region | RegionOne || region_id | RegionOne || service_id | 93792920eb764f3c8515e2532e5ab48e|| service_name | nova || service_type | compute|| url| http://controller:8774/v2.1/%(tenant_id)s |+--------------+-------------------------------------------+[root@controller ~]# openstack endpoint create --region RegionOne \> compute admin http://controller:8774/v2.1/%\(tenant_id\)s+--------------+-------------------------------------------+| Field | Value |+--------------+-------------------------------------------+| enabled| True || id | 1886fea1ccdc47e6898f1c98ea2640e0|| interface | admin || region | RegionOne || region_id | RegionOne || service_id | 93792920eb764f3c8515e2532e5ab48e|| service_name | nova || service_type | compute|| url| http://controller:8774/v2.1/%(tenant_id)s |+--------------+-------------------------------------------+
安全并配置组件
[root@controller ~]# yum install openstack-nova-api openstack-nova-conductor openstack-nova-console openstack-nova-novncproxy openstack-nova-scheduler -y[root@controller ~]# vim /etc/nova/nova.conf[DEFAULT]enabled_apis = osapi_compute,metadata/只启用计算和元数据APIrpc_backend = rabbitauth_strategy = keystonemy_ip = 172.25.254.1use_neutron = Truefirewall_driver = nova.virt.firewall.NoopFirewallDriver/使能 Networking 服务[api_database]connection = mysql+pymysql://nova:nova@controller/nova_api[database]/配置数据库的连接:connection = mysql+pymysql://nova:nova@controller/nova[oslo_messaging_rabbit]rabbit_host = controllerrabbit_userid = openstack/配置 “RabbitMQ” 消息队列访问rabbit_password = openstack[keystone_authtoken]...auth_uri = http://controller:5000auth_url = http://controller:35357memcached_servers = controller:11211auth_type = passwordproject_domain_name = defaultuser_domain_name = defaultproject_name = service/配置认证服务访问username = novapassword = nova[vnc]/配置VNC代理使用控制节点的管理接口IP地址vncserver_listen = $my_ipvncserver_proxyclient_address = $my_ip[glance]/配置镜像服务 API 的位置api_servers = http://controller:9292配置锁路径:[oslo_concurrency]lock_path = /var/lib/nova/tmp
使用nova同步Compute 数据库,授权:
[root@controller ~]# su -s /bin/sh -c "nova-manage api_db sync" nova[root@controller ~]# su -s /bin/sh -c "nova-manage db sync" nova
[root@controller ~]# systemctl enable openstack-nova-api.service \> openstack-nova-consoleauth.service openstack-nova-scheduler.service \> openstack-nova-conductor.service openstack-nova-novncproxy.service[root@controller ~]# systemctl start openstack-nova-api.service openstack-nova-consoleauth.service openstack-nova-scheduler.service openstack-nova-conductor.service openstack-nova-novncproxy.service[root@controller ~]# openstack compute service list+----+------------------+------------+----------+---------+-------+----------------------------+| Id | Binary | Host | Zone| Status | State | Updated At |+----+------------------+------------+----------+---------+-------+----------------------------+| 1 | nova-consoleauth | controller | internal | enabled | up | -07-16T07:17:52.000000 || 2 | nova-conductor | controller | internal | enabled | up | -07-16T07:17:52.000000 || 3 | nova-scheduler | controller | internal | enabled | up | -07-16T07:17:52.000000 |+----+------------------+------------+----------+---------+-------+----------------------------+
计算服务正常。
安装和配置计算节点
我们在开启一台虚拟机作为计算结点,注意它的CPU模式要设置为host-passthrough模式。不然等会就要设置nova 为 qemu 的方式。
[root@compute1 ~]# vim /etc/hosts[root@compute1 ~]# cat /etc/hosts127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4::1 localhost localhost.localdomain localhost6 localhost6.localdomain6172.25.254.67 rhel7host172.25.254.1controller172.25.254.2compute1172.25.254.3block1/做好本地解析[root@controller ~]# scp /etc/yum.repos.d/openstack.repo compute1:/etc/yum.repos.d/ 配置yum源[root@compute1 ~]# yum upgrade[root@compute1 ~]# yum install chrony -y[root@compute1 ~]# vim /etc/chrony.conf server 172.25.254.67 iburst[root@compute1 ~]# systemctl restart chronyd
安全并配置组件:
[root@compute1 ~]# yum install openstack-nova-compute -y[root@compute1 ~]# vim /etc/nova/nova.conf[DEFAULT]backend = rabbitauth_strategy = keystonemy_ip = 172.25.254.2use_neutron = Truefirewall_driver = nova.virt.firewall.NoopFirewallDriver[oslo_messaging_rabbit]rabbit_host = controllerrabbit_userid = openstackrabbit_password = openstack[keystone_authtoken]auth_uri = http://controller:5000auth_url = http://controller:35357memcached_servers = controller:11211auth_type = passwordproject_domain_name = defaultuser_domain_name = defaultproject_name = serviceusername = novapassword = nova[vnc]enabled = Truevncserver_listen = 0.0.0.0vncserver_proxyclient_address = $my_ipnovncproxy_base_url = http://controller:6080/vnc_auto.html[glance]api_servers = http://controller:9292[oslo_concurrency]lock_path = /var/lib/nova/tmp
完成安装:
[root@compute1 ~]# egrep -c '(vmx|svm)' /proc/cpuinfo2/确定您的计算节点是否支持虚拟机的硬件加速,我们有两个cpu[root@compute1 ~]# vim /etc/nova/nova.conf[libvirt]virt_type=kvm/告诉他们使用kvm虚拟化,如果cpu不是host-passthrough,则这里使用qemu的方式[root@compute1 ~]# systemctl enable --now libvirtd.service openstack-nova-compute.serviceCreated symlink from /etc/systemd/system/multi-user.target.wants/openstack-nova-compute.service to /usr/lib/systemd/system/openstack-nova-compute.service.libvirtd.service 提供一个虚拟化接口,便于我们的管理。[root@compute1 ~]# yum install -y libvirt-client/安装客户端,可以看后面创建的云主机。[root@compute1 ~]# virsh listId Name State----------------------------------------------------/当前没有主机
[root@controller ~]# openstack compute service list+----+------------------+------------+----------+---------+-------+----------------------------+| Id | Binary | Host | Zone| Status | State | Updated At |+----+------------------+------------+----------+---------+-------+----------------------------+| 1 | nova-consoleauth | controller | internal | enabled | up | -07-16T08:42:54.000000 || 2 | nova-conductor | controller | internal | enabled | up | -07-16T08:42:54.000000 || 3 | nova-scheduler | controller | internal | enabled | up | -07-16T08:42:54.000000 || 6 | nova-compute| compute1 | nova| enabled | up | -07-16T08:42:58.000000 |+----+------------------+------------+----------+---------+-------+----------------------------+
创建成功。
Networking 服务
它包含下列组件:
neutron-server
接收和路由API请求到合适的OpenStack网络插件,以达到预想的目的。
OpenStack网络插件和代理
插拔端口,创建网络和子网,以及提供IP地址,这些插件和代理依赖于供应商和技术而不同,OpenStack网络基于插件和代理为Cisco 虚拟和物理交换机、NEC OpenFlow产品,Open vSwitch,Linux bridging以及VMware NSX 产品穿线搭桥。常见的代理L3(3层),DHCP(动态主机IP地址),以及插件代理。
消息队列
大多数的OpenStack Networking安装都会用到,用于在neutron-server和各种各样的代理进程间路由信息。也为某些特定的插件扮演数据库的角色,以存储网络状态
OpenStack网络主要和OpenStack计算交互,以提供网络连接到它的实例。
安装并配置控制节点
创建数据库:
[root@controller ~]# mysql -u root -pEnter password: MariaDB [(none)]> CREATE DATABASE neutron;Query OK, 1 row affected (0.00 sec)MariaDB [(none)]> GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'localhost' \-> IDENTIFIED BY 'neutron';Query OK, 0 rows affected (0.00 sec)MariaDB [(none)]> GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'%' \-> IDENTIFIED BY 'neutron';Query OK, 0 rows affected (0.00 sec)MariaDB [(none)]> Ctrl-C -- exit!Aborted[root@controller ~]# mysql -u neutron -p neutronEnter password: MariaDB [neutron]>/可以查看即可
创建服务证书:
[root@controller ~]# openstack user create --domain default --password neutron neutron+-----------+----------------------------------+| Field| Value |+-----------+----------------------------------+| domain_id | c80fd98d2b4b4946839e90c6a4eea979 || enabled | True || id | 9ae043c57c6e4cef9b01960fe349db53 || name| neutron|+-----------+----------------------------------+[root@controller ~]# openstack role add --project service --user neutron admin/添加``admin`` 角色到``neutron`` 用户创建``neutron``服务实体:[root@controller ~]# openstack service create --name neutron \> --description "OpenStack Networking" network+-------------+----------------------------------+| Field | Value |+-------------+----------------------------------+| description | OpenStack Networking || enabled| True || id| 0a299286098c497fb753d989c3534377 || name | neutron|| type | network|+-------------+----------------------------------+网络服务API端点:[root@controller ~]# openstack endpoint create --region RegionOne \> network public http://controller:9696+--------------+----------------------------------+| Field | Value |+--------------+----------------------------------+| enabled| True || id | db64468bf6ac448ba1f22ac183ff393e || interface | public || region | RegionOne || region_id | RegionOne || service_id | 0a299286098c497fb753d989c3534377 || service_name | neutron|| service_type | network|| url| http://controller:9696 |+--------------+----------------------------------+[root@controller ~]# openstack endpoint create --region RegionOne \> network internal http://controller:9696+--------------+----------------------------------+| Field | Value |+--------------+----------------------------------+| enabled| True || id | 0e1d98aa999d41a49f4c2cf12bc9881b || interface | internal|| region | RegionOne || region_id | RegionOne || service_id | 0a299286098c497fb753d989c3534377 || service_name | neutron|| service_type | network|| url| http://controller:9696 |+--------------+----------------------------------+[root@controller ~]# openstack endpoint create --region RegionOne \> network admin http://controller:9696+--------------+----------------------------------+| Field | Value |+--------------+----------------------------------+| enabled| True || id | fe1f53ef8e3b4c1bad3d2a5f426b78cf || interface | admin || region | RegionOne || region_id | RegionOne || service_id | 0a299286098c497fb753d989c3534377 || service_name | neutron|| service_type | network|| url| http://controller:9696 |+--------------+----------------------------------+
然后我们创建公共网络,将所有的云主机放到同一个网段:
[root@controller ~]# yum install openstack-neutron openstack-neutron-ml2 openstack-neutron-linuxbridge ebtables -y[root@controller ~]# vim /etc/neutron/neutron.conf[DEFAULT]core_plugin = ml2service_plugins =/启用ML2插件并禁用其他插件rpc_backend = rabbitauth_strategy = keystonenotify_nova_on_port_status_changes = Truenotify_nova_on_port_data_changes = True[database]connection = mysql+pymysql://neutron:neutron@controller/neutron/配置数据库访问[oslo_messaging_rabbit]rabbit_host = controller/配置 “RabbitMQ” 消息队列的连接rabbit_userid = openstackrabbit_password = openstack[keystone_authtoken]/配置认证服务访问auth_uri = http://controller:5000auth_url = http://controller:35357memcached_servers = controller:11211auth_type = passwordproject_domain_name = defaultuser_domain_name = defaultproject_name = serviceusername = neutronpassword = neutron[nova]auth_url = http://controller:35357auth_type = password/配置网络服务来通知计算节点的网络拓扑变化project_domain_name = defaultuser_domain_name = defaultregion_name = RegionOneproject_name = serviceusername = novapassword = nova[oslo_concurrency]lock_path = /var/lib/neutron/tmp/配置锁路径
配置 Modular Layer 2 (ML2) 插件:
[root@controller ~]# vim /etc/neutron/plugins/ml2/ml2_conf.ini[ml2]type_drivers = flat,vlan/启用flat和VLAN网络tenant_network_types =/禁用私有网络mechanism_drivers = linuxbridge/启用Linuxbridge机制extension_drivers = port_security/启用端口安全扩展驱动[ml2_type_flat]flat_networks = provider/配置公共虚拟网络为flat网络[securitygroup]enable_ipset = True/启用 ipset 增加安全组规则的高效性,让我们的第二块网卡(无IP)映射过来用于虚拟机的网络访问
配置Linuxbridge代理:
[root@controller ~]# vim /etc/neutron/plugins/ml2/linuxbridge_agent.ini[linux_bridge]physical_interface_mappings = provider:eth0 /将公共虚拟网络和公共物理网络接口对应起来[securitygroup]/启用安全组并配置 Linuxbridge iptables firewall driverenable_security_group = Truefirewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver[vxlan]enable_vxlan = False/禁止VXLAN覆盖网络
配置DHCP代理,用于给云主机动态分配IP:
[root@controller ~]# vim /etc/neutron/dhcp_agent.ini[DEFAULT]interface_driver = neutron.agent.linux.interface.BridgeInterfaceDriverdhcp_driver = neutron.agent.linux.dhcp.Dnsmasqenable_isolated_metadata = True配置Linuxbridge驱动接口,DHCP驱动并启用隔离元数据,这样在公共网络上的实例就可以通过网络来访问元数据
配置元数据代理:
[root@controller ~]# vim /etc/neutron/metadata_agent.ini[DEFAULT]nova_metadata_ip = controllermetadata_proxy_shared_secret = westos/配置访问参数,启用元数据代理并设置密码
为计算节点配置网络服务,配置访问参数,启用元数据代理并设置密码:
[root@controller ~]# vim /etc/nova/nova.conf[neutron]url = http://controller:9696auth_url = http://controller:35357auth_type = passwordproject_domain_name = defaultuser_domain_name = defaultregion_name = RegionOneproject_name = serviceusername = neutronpassword = neutronservice_metadata_proxy = Truemetadata_proxy_shared_secret = westos
网络服务初始化脚本需要一个超链接 /etc/neutron/plugin.ini指向ML2插件配置文件/etc/neutron/plugins/ml2/ml2_conf.ini。如果超链接不存在,使用下面的命令创建它:
[root@controller ~]# ln -s /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini
同步数据库:
[root@controller ~]# su -s /bin/sh -c "neutron-db-manage --config-file /etc/neutron/neutron.conf \> --config-file /etc/neutron/plugins/ml2/ml2_conf.ini upgrade head" neutron
由于更改了配置文件,所以要:
[root@controller ~]# systemctl restart openstack-nova-api.service
[root@controller ~]# systemctl enable neutron-server.service \> neutron-linuxbridge-agent.service neutron-dhcp-agent.service \> neutron-metadata-agent.serviceCreated symlink from /etc/systemd/system/multi-user.target.wants/neutron-server.service to /usr/lib/systemd/system/neutron-server.service.Created symlink from /etc/systemd/system/multi-user.target.wants/neutron-linuxbridge-agent.service to /usr/lib/systemd/system/neutron-linuxbridge-agent.service.Created symlink from /etc/systemd/system/multi-user.target.wants/neutron-dhcp-agent.service to /usr/lib/systemd/system/neutron-dhcp-agent.service.Created symlink from /etc/systemd/system/multi-user.target.wants/neutron-metadata-agent.service to /usr/lib/systemd/system/neutron-metadata-agent.service.[root@controller ~]# systemctl start neutron-server.service neutron-linuxbridge-agent.service neutron-dhcp-agent.service neutron-metadata-agent.service[root@controller ~]# neutron agent-list+--------------------------------------+--------------------+------------+-------------------+-------+----------------+---------------------------+| id| agent_type | host | availability_zone | alive | admin_state_up | binary|+--------------------------------------+--------------------+------------+-------------------+-------+----------------+---------------------------+| 05dadf42-2c97-41ab-b33c-727919d7e7f7 | Metadata agent| controller | | :-) | True | neutron-metadata-agent || d0837e5a-0351-408c-9bb8-1b808beb0e73 | DHCP agent | controller | nova | :-) | True | neutron-dhcp-agent || d2a9b415-d227-4815-b449-a43e1d39b9fe | Linux bridge agent | controller | | :-) | True | neutron-linuxbridge-agent |+--------------------------------------+--------------------+------------+-------------------+-------+----------------+---------------------------+
正常启动
安装和配置计算节点
[root@compute1 ~]# yum install openstack-neutron-linuxbridge ebtables ipset -y
[root@compute1 ~]# vim /etc/neutron/neutron.conf[DEFAULT]...rpc_backend = rabbitauth_strategy = keystone[oslo_messaging_rabbit]rabbit_host = controllerrabbit_userid = openstackrabbit_password = openstack[keystone_authtoken]auth_uri = http://controller:5000auth_url = http://controller:35357memcached_servers = controller:11211auth_type = passwordproject_domain_name = defaultuser_domain_name = defaultproject_name = serviceusername = neutronpassword = neutron[oslo_concurrency]lock_path = /var/lib/neutron/tmp
配置共有网络:
配置Linuxbridge代理:[root@compute1 ~]# vim /etc/neutron/plugins/ml2/linuxbridge_agent.ini[linux_bridge]physical_interface_mappings = provider:eth0[vxlan]enable_vxlan = False[securitygroup]enable_security_group = Truefirewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
为计算节点配置网络服务:
[root@compute1 ~]# vim /etc/nova/nova.conf[neutron]url = http://controller:9696auth_url = http://controller:35357auth_type = passwordproject_domain_name = defaultuser_domain_name = defaultregion_name = RegionOneproject_name = serviceusername = neutronpassword = neutron[root@compute1 ~]# systemctl restart openstack-nova-compute.service[root@compute1 ~]# systemctl enable --now neutron-linuxbridge-agent.serviceCreated symlink from /etc/systemd/system/multi-user.target.wants/neutron-linuxbridge-agent.service to /usr/lib/systemd/system/neutron-linuxbridge-agent.service.[root@controller ~]# neutron agent-list+--------------------------------------+--------------------+------------+-------------------+-------+----------------+---------------------------+| id| agent_type | host | availability_zone | alive | admin_state_up | binary|+--------------------------------------+--------------------+------------+-------------------+-------+----------------+---------------------------+| 05dadf42-2c97-41ab-b33c-727919d7e7f7 | Metadata agent| controller | | :-) | True | neutron-metadata-agent || 753f0cca-82ee-44f5-a77e-856924003134 | Linux bridge agent | compute1 | | :-) | True | neutron-linuxbridge-agent || d0837e5a-0351-408c-9bb8-1b808beb0e73 | DHCP agent | controller | nova | :-) | True | neutron-dhcp-agent || d2a9b415-d227-4815-b449-a43e1d39b9fe | Linux bridge agent | controller | | :-) | True | neutron-linuxbridge-agent |+--------------------------------------+--------------------+------------+-------------------+-------+----------------+---------------------------+
计算结点也找到了代理,现在你的 OpenStack 环境包含了启动一个基本实例所必须的核心组件。接下来我们就可以启动云主机了。
启动一个实例
创建虚拟网络
我们一直是创建共有网络,所以我们现在创建提供者网络,而不是私有网络。
[root@controller ~]# neutron net-create --shared --provider:physical_network provider \> --provider:network_type flat providerCreated a new network:/创建网络+---------------------------+--------------------------------------+| Field | Value |+---------------------------+--------------------------------------+| admin_state_up | True || availability_zone_hints | || availability_zones | || created_at| -07-16T09:54:53 || description| || id | 411727ab-294b-4e20-89ce-de39122f2cf6 || ipv4_address_scope | || ipv6_address_scope | || mtu | 1500 || name | provider || port_security_enabled| True || provider:network_type| flat || provider:physical_network | provider || provider:segmentation_id | || router:external | False || shared| True || status| ACTIVE || subnets | || tags | || tenant_id | 5bd822f5700d4153bc85403de17b35db|| updated_at| -07-16T09:54:53 |+---------------------------+--------------------------------------+
在网络上创建一个子网:
[root@controller ~]# neutron subnet-create --name provider \> --allocation-pool start=172.25.254.100,end=172.25.254.200 \> --dns-nameserver 114.114.114.114 --gateway 172.25.254.67 \> provider 172.25.254.0/24Created a new subnet:+-------------------+------------------------------------------------------+| Field | Value |+-------------------+------------------------------------------------------+| allocation_pools | {"start": "172.25.254.100", "end": "172.25.254.200"} || cidr | 172.25.254.0/24 || created_at | -07-16T09:58:35 || description | || dns_nameservers | 114.114.114.114 || enable_dhcp | True || gateway_ip | 172.25.254.67|| host_routes | || id| 8121a48b-406d-4eac-8955-36d53b30e8c7 || ip_version | 4 || ipv6_address_mode | || ipv6_ra_mode| || name | provider|| network_id | 411727ab-294b-4e20-89ce-de39122f2cf6 || subnetpool_id| || tenant_id | 5bd822f5700d4153bc85403de17b35db || updated_at | -07-16T09:58:35 |+-------------------+------------------------------------------------------+
创建m1.nano规格的主机
默认的最小规格的主机需要512 MB内存。对于环境中计算节点内存不足4 GB的,我们推荐创建只需要64 MB的m1.nano规格的主机。若单纯为了测试的目的,请使用m1.nano规格的主机来加载CirrOS镜像:
[root@controller ~]# openstack flavor create --id 0 --vcpus 1 --ram 64 --disk 1 m1.nano+----------------------------+---------+| Field | Value |+----------------------------+---------+| OS-FLV-DISABLED:disabled | False || OS-FLV-EXT-DATA:ephemeral | 0 || disk | 1 || id| 0 || name | m1.nano || os-flavor-access:is_public | True || ram | 64|| rxtx_factor| 1.0|| swap | || vcpus | 1 |+----------------------------+---------+
生成一个键值对
大部分云镜像支持公共密钥认证而不是传统的密码认证。在启动实例前,你必须添加一个公共密钥到计算服务。
[root@controller ~]# source demo-openrc [root@controller ~]# ssh-keygen -q -N ""Enter file in which to save the key (/root/.ssh/id_rsa): ^C[root@controller ~]# ssh-keygen -q -N ""Enter file in which to save the key (/root/.ssh/id_rsa): [root@controller ~]# openstack keypair create --public-key ~/.ssh/id_rsa.pub mykey+-------------+-------------------------------------------------+| Field | Value |+-------------+-------------------------------------------------+| fingerprint | e0:c6:84:35:88:b2:08:c4:3a:84:85:09:4c:d6:62:a5 || name | mykey || user_id| aa9345f4858145ca8a4e295f63a44647|+-------------+-------------------------------------------------+[root@controller ~]# openstack keypair list+-------+-------------------------------------------------+| Name | Fingerprint |+-------+-------------------------------------------------+| mykey | e0:c6:84:35:88:b2:08:c4:3a:84:85:09:4c:d6:62:a5 |+-------+-------------------------------------------------+
生成一个公钥,把公要上传到openstack中,叫做mykey。来实现云主机的免密访问。
增加安全组规则
让外部可以允许 ICMP (ping):的方式访问云主机
[root@controller ~]# openstack security group rule create --proto icmp default+-----------------------+--------------------------------------+| Field | Value |+-----------------------+--------------------------------------+| id| 6c3c4512-ac1f-4474-8b7d-9c76162f6b0d || ip_protocol | icmp || ip_range | 0.0.0.0/0 || parent_group_id | e079876a-a035-48b2-8681-7a6e8afd9c5b || port_range | || remote_security_group | |+-----------------------+--------------------------------------+
允许安全 shell (SSH) 的访问:
[root@controller ~]# openstack security group rule create --proto tcp --dst-port 22 default+-----------------------+--------------------------------------+| Field | Value |+-----------------------+--------------------------------------+| id| 8cbdd408-d1e1-4df1-a4ea-20f8a87a104f || ip_protocol | tcp || ip_range | 0.0.0.0/0 || parent_group_id | e079876a-a035-48b2-8681-7a6e8afd9c5b || port_range | 22:22 || remote_security_group | |+-----------------------+--------------------------------------+
启动一个实例
一个实例指定了虚拟机资源的大致分配,包括处理器、内存和存储。
列出可用类型:[root@controller ~]# openstack flavor list+----+-----------+-------+------+-----------+-------+-----------+| ID | Name| RAM | Disk | Ephemeral | VCPUs | Is Public |+----+-----------+-------+------+-----------+-------+-----------+| 0 | m1.nano | 64 | 1 | 0 |1 | True|/我们定义的| 1 | m1.tiny | 512 | 1 | 0 |1 | True|| 2 | m1.small | 2048 | 20 | 0 |1 | True|| 3 | m1.medium | 4096 | 40 | 0 |2 | True|| 4 | m1.large | 8192 | 80 | 0 |4 | True|| 5 | m1.xlarge | 16384 | 160 | 0 |8 | True|+----+-----------+-------+------+-----------+-------+-----------+列出可用镜像:[root@controller ~]# openstack image list+--------------------------------------+--------+--------+| ID| Name | Status |+--------------------------------------+--------+--------+| 5b9aae7b-761b-4551-8a5d-e569b63fc070 | cirros | active |+--------------------------------------+--------+--------+列出可用网络:[root@controller ~]# openstack network list+--------------------------------------+----------+--------------------------------------+| ID| Name| Subnets|+--------------------------------------+----------+--------------------------------------+| 411727ab-294b-4e20-89ce-de39122f2cf6 | provider | 8121a48b-406d-4eac-8955-36d53b30e8c7 |+--------------------------------------+----------+--------------------------------------+列出可用安全组[root@controller ~]# openstack security group list+--------------------------------------+---------+------------------------+----------------------------------+| ID| Name | Description | Project|+--------------------------------------+---------+------------------------+----------------------------------+| e079876a-a035-48b2-8681-7a6e8afd9c5b | default | Default security group | cdc49f2f64d24621b0f54bcc72b6b5df |+--------------------------------------+---------+------------------------+----------------------------------+
创建实例
[root@controller ~]# openstack server create --flavor m1.nano --image cirros \> --nic net-id=411727ab-294b-4e20-89ce-de39122f2cf6 --security-group default \> --key-name mykey provider-instance+--------------------------------------+-----------------------------------------------+| Field | Value |+--------------------------------------+-----------------------------------------------+| OS-DCF:diskConfig| MANUAL|| OS-EXT-AZ:availability_zone| || OS-EXT-STS:power_state| 0|| OS-EXT-STS:task_state| scheduling|| OS-EXT-STS:vm_state | building || OS-SRV-USG:launched_at| None || OS-SRV-USG:terminated_at | None || accessIPv4 | || accessIPv6 | || addresses | || adminPass | G2dqfrhJEC87 || config_drive| || created| -07-16T10:13:40Z|| flavor | m1.nano (0)|| hostId | || id| 9face239-809c-4852-994c-04440a6fb699|| image | cirros (5b9aae7b-761b-4551-8a5d-e569b63fc070) || key_name | mykey || name | provider-instance || os-extended-volumes:volumes_attached | [] || progress | 0|| project_id | cdc49f2f64d24621b0f54bcc72b6b5df || properties | || security_groups | [{u'name': u'default'}] || status | BUILD || updated| -07-16T10:13:40Z|| user_id| aa9345f4858145ca8a4e295f63a44647 |+--------------------------------------+-----------------------------------------------+
openstack server create --flavor m1.nano /使用nao类型--image cirros /使用cirros镜像--nic net-id=411727ab-294b-4e20-89ce-de39122f2cf6 /网络--security-group default \/安全组--key-name mykey/keyprovider-instance/云主机名
[root@controller ~]# openstack server list/查看实例状态+--------------------------------------+-------------------+--------+-------------------------+| ID| Name | Status | Networks|+--------------------------------------+-------------------+--------+-------------------------+| 9face239-809c-4852-994c-04440a6fb699 | provider-instance | ACTIVE | provider=172.25.254.101 |+--------------------------------------+-------------------+--------+-------------------------+[root@controller ~]# openstack console url show provider-instance/获取实例url+-------+---------------------------------------------------------------------------------+| Field | Value|+-------+---------------------------------------------------------------------------------+| type | novnc|| url | http://controller:6080/vnc_auto.html?token=575f8909-b1af-4bb0-8307-a08ea732128d |+-------+---------------------------------------------------------------------------------+
[root@rhel7host Downloads]# cat /etc/hosts127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4::1 localhost localhost.localdomain localhost6 localhost6.localdomain6172.25.254.1 server1 controller/在物理主机做好解析
访问刚才的url地址:
这就是我们的云主机啦,它把用户和密码都打在了上面。
它获得的ip时172.25.254.101,100被连接接口占用了。
[root@controller ~]# ping 172.25.254.101/可以ping 通PING 172.25.254.101 (172.25.254.101) 56(84) bytes of data.64 bytes from 172.25.254.101: icmp_seq=1 ttl=64 time=0.574 ms[root@controller ~]# ssh root@172.25.254.101The authenticity of host '172.25.254.101 (172.25.254.101)' can't be established.RSA key fingerprint is SHA256:Y8kKCEqRI7dE/w0kvj+IxaEUyD18KbITuCPHkINMaSg.RSA key fingerprint is MD5:1f:f4:8b:b4:76:48:9c:6f:3c:cc:ea:74:95:c5:9f:0c.Are you sure you want to continue connecting (yes/no)? yes^[[3~Warning: Permanently added '172.25.254.101' (RSA) to the list of known hosts.Please login as 'cirros' user, not as root/不允许通过root连接^CConnection to 172.25.254.101 closed.[root@controller ~]# ssh cirros@172.25.254.101$ ip a1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00inet 127.0.0.1/8 scope host loinet6 ::1/128 scope host valid_lft forever preferred_lft forever2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000link/ether fa:16:3e:20:55:e5 brd ff:ff:ff:ff:ff:ffinet 172.25.254.101/24 brd 172.25.254.255 scope global eth0inet6 fe80::f816:3eff:fe20:55e5/64 scope link valid_lft forever preferred_lft forever$ poweroffpoweroff: Operation not permitted$ sudo poweroff/超级用户可以关机[root@controller ~]# source demo-openrc /新开的shell需要切换到demo用户环境[root@controller ~]# openstack server list+--------------------------------------+-------------------+---------+-------------------------+| ID| Name | Status | Networks|+--------------------------------------+-------------------+---------+-------------------------+| 9face239-809c-4852-994c-04440a6fb699 | provider-instance | SHUTOFF | provider=172.25.254.101 |+--------------------------------------+-------------------+---------+-------------------------+[root@controller ~]# openstack server start provider-instance[root@controller ~]# openstack server list+--------------------------------------+-------------------+--------+-------------------------+| ID| Name | Status | Networks|+--------------------------------------+-------------------+--------+-------------------------+| 9face239-809c-4852-994c-04440a6fb699 | provider-instance | ACTIVE | provider=172.25.254.101 |它运行在compute1 主机上:[root@compute1 ~]# virsh listId Name State----------------------------------------------------2instance-00000001 running其实就是一个虚拟机。使用kvm虚拟化.
