OpenStack Queens Deployment and Installation Guide

I. Deployment software environment

Hardware requirements

(Figure: hardware requirements; image not reproduced)
Operating system:

CentOS 7

Kernel version:

[root@controller ~]# uname -m
x86_64
[root@controller ~]# uname -r
3.10.0-862.3.2.el7.x86_64

Note: this deployment builds a community OpenStack Queens environment by hand on three physical nodes.

II. OpenStack overview

OpenStack is an open-source cloud computing platform that supports all types of cloud environments. The project aims for simple implementation, massive scalability and a rich feature set.

OpenStack provides an Infrastructure-as-a-Service (IaaS) solution through a set of complementary services. Each service exposes an application programming interface (API) that facilitates this integration.

This article walks through the step-by-step deployment of the main OpenStack services using a functional example architecture aimed at new OpenStack users with sufficient Linux experience. It is a minimal environment intended only for learning OpenStack.

III. OpenStack architecture overview

1. Conceptual architecture
The following figure shows the relationships between the OpenStack services:

(Figure: conceptual architecture; image not reproduced)

2. Logical architecture
The following figure shows the most common, but not the only possible, architecture of an OpenStack cloud:
(Figure: logical architecture; image not reproduced)
To design, deploy and configure OpenStack, the learner must understand the logical architecture.
As shown in the conceptual architecture, OpenStack consists of several independent parts called OpenStack services. All services authenticate through the Keystone service.

The services interact with each other through public APIs, except where privileged administrator commands are required.

Internally, each OpenStack service is made up of several processes. Every service has at least one API process, which listens for API requests, pre-processes them and passes them on to the other parts of the service. With the exception of the Identity service, the actual work is done by separate processes.
For communication between the processes of one service, an AMQP message broker is used. The service's state is stored in a database. When deploying and configuring an OpenStack cloud, you can choose among several message broker and database solutions, such as RabbitMQ, MySQL, MariaDB and SQLite.

Users can access OpenStack through the web-based user interface implemented by the Horizon Dashboard, through command-line clients, and by issuing API requests with tools such as browser plug-ins or curl. For applications, several SDKs are available. Ultimately, all of these access methods issue REST API calls to the various OpenStack services.

IV. Deploying the OpenStack component services

Deployment prerequisites (run the following commands on all nodes)

1. Virtual machines

controller   4 vCPU, 8 GB RAM, 100 GB disk   172.16.14.224   NAT internet access
compute      2 vCPU, 4 GB RAM, 100 GB disk   172.16.14.225   NAT internet access
cinder       2 vCPU, 4 GB RAM, 100 GB disk   172.16.14.226   NAT internet access

2. Set the hostnames and configure name resolution: edit /etc/hosts and add the following entries

vi /etc/hosts
172.16.14.224 controller openstack-controller.com
172.16.14.225 compute openstack-compute.com
172.16.14.226 neutron openstack-cinder.com

3. Disable the firewall and SELinux

[root@controller ~]# vi /etc/selinux/config 

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

[root@controller ~]# systemctl disable firewalld 

4. Verify network connectivity
Run on the controller node

[root@controller ~]# ping openstack.org

Run on the compute node

[root@compute ~]# ping openstack.org
[root@compute ~]# ping controller

5. Configure the Aliyun yum mirror

Back up the existing repo file

mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup

Download the mirror repo file

wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo

or

curl -o /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo

6. Install the NTP time service (all nodes)

## controller node ##
Install the package

yum install chrony -y

Edit /etc/chrony.conf to configure the upstream time source and the server side of time synchronisation

server time.windows.com iburst   ## all nodes synchronise their time from the controller node
allow 172.16.14.0/24             ## subnet allowed to synchronise time from this node

Enable the NTP service at boot

systemctl enable chronyd.service
systemctl start chronyd.service

Other nodes
Install the package

yum install chrony -y

Configure all other nodes to synchronise time from the controller

vi /etc/chrony.conf
server controller iburst

Restart the NTP service

systemctl restart chronyd.service

Verify the time synchronisation service

Run on the controller node


The MS column should mark with * the server that the NTP service is currently synchronised to.

Run on the other nodes

Note: clock drift is a frequent problem in day-to-day operations and leads to split-brain in cluster services.

Installing and configuring the OpenStack services

Note: unless stated otherwise, the following steps are run on all nodes
1. Install the OpenStack package repository (Queens release)

yum install centos-release-openstack-queens -y

2. Upgrade the packages on all nodes

yum upgrade

3. Install the OpenStack client

yum install python-openstackclient -y

4. Install openstack-selinux

yum install openstack-selinux -y

Installing the database (run on the controller node)

Most OpenStack services use an SQL database to store information; the database usually runs on the controller node. This article mainly uses MariaDB or MySQL.

Install the packages

yum install mariadb mariadb-server python2-PyMySQL -y

Edit /etc/my.cnf.d/mariadb-server.cnf and complete the following

[root@controller ~]# vi /etc/my.cnf.d/mariadb-server.cnf

#
# These groups are read by MariaDB server.
# Use it for options that only the server (but not clients) should see
#
# See the examples of server my.cnf files in /usr/share/mysql/
#

# this is read by the standalone daemon and embedded servers
[server]

# this is only for the mysqld standalone daemon
# Settings user and group are ignored when systemd is used.
# If you need to run mysqld under a different user or group,
# customize your systemd unit file for mysqld/mariadb according to the
# instructions in http://fedoraproject.org/wiki/Systemd
[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
log-error=/var/log/mariadb/mariadb.log
pid-file=/var/run/mariadb/mariadb.pid
bind-address = 172.16.14.224
default-storage-engine = innodb
innodb_file_per_table = on
max_connections = 4096
collation-server = utf8_general_ci
character-set-server = utf8

Note: bind-address is the management IP of the controller node

Enable the service at boot

systemctl enable mariadb.service
systemctl start mariadb.service

Secure the database service by running the mysql_secure_installation script.

[root@controller ~]# mysql_secure_installation

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
password for the root user.  If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none): 
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.

Set root password? [Y/n] 
New password: 
Re-enter new password: 
Password updated successfully!
Reloading privilege tables..
 ... Success!

By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] 
 ... Success!

Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] 
 ... Success!

By default, MariaDB comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] 
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] 
 ... Success!

Cleaning up...

All done!  If you've completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!

Installing and configuring RabbitMQ on the controller node

1. Install the message queue component

yum install rabbitmq-server -y

2. Enable the service at boot

systemctl enable rabbitmq-server.service;systemctl start rabbitmq-server.service

3. Add the openstack user

rabbitmqctl add_user openstack openstack

4. Configure permissions for the openstack user

rabbitmqctl set_permissions openstack ".*" ".*" ".*"

Test logging in to the web UI:
http://172.16.14.224:15672, log in with openstack/openstack


Installing the Memcached cache (controller node)

Note: the Identity service uses Memcached to cache tokens. The memcached service usually runs on the controller node. For production deployments, we recommend protecting it with a combination of firewalling, authentication and encryption.

1. Install the components

yum install memcached python-memcached -y

2. Edit /etc/sysconfig/memcached

vi /etc/sysconfig/memcached

OPTIONS="-l 172.16.14.224,::1,controller"

3. Enable the service at boot

systemctl enable memcached.service;systemctl start memcached.service

Check the memcached ports:
[root@openstack-controller ~]# netstat -anltp|grep memcache
tcp        0      0 172.16.14.224:11211     0.0.0.0:*               LISTEN      14940/memcached
tcp        0      0 127.0.0.1:11211         0.0.0.0:*               LISTEN      14940/memcached
tcp6       0      0 ::1:11211               :::*                    LISTEN      14940/memcached
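To confirm that controller services listen only where intended, the netstat output above can be parsed and every listening socket checked against the management IP. This is an added Python example, not code from the page; the sample lines are constructed from the page's memcached output plus a hypothetical etcd listener bound to all interfaces (the page's own etcd.conf binds it to 172.16.14.224).

```python
import re

# Management IP of the controller node (from the page's /etc/hosts).
MGMT_IP = "172.16.14.224"

# Constructed `netstat -anltp` sample: the three memcached listeners the page
# shows, plus a hypothetical etcd bound to all interfaces (the page's etcd.conf
# binds it to the management IP; this line is a deliberate misconfiguration).
SAMPLE_NETSTAT = """\
tcp        0      0 172.16.14.224:11211     0.0.0.0:*               LISTEN      14940/memcached
tcp        0      0 127.0.0.1:11211         0.0.0.0:*               LISTEN      14940/memcached
tcp6       0      0 ::1:11211               :::*                    LISTEN      14940/memcached
tcp6       0      0 :::2379                 :::*                    LISTEN      15201/etcd
"""

LISTEN_RE = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN\s+\d+/(\S+)")
WILDCARDS = {"0.0.0.0", "::"}
LOOPBACK = {"127.0.0.1", "::1"}


def parse_listeners(text):
    """Return (proto, address, port, program) for every LISTEN line."""
    listeners = []
    for line in text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            proto, addr, port, prog = m.groups()
            listeners.append((proto, addr, int(port), prog))
    return listeners


def audit_listeners(text, mgmt_ip=MGMT_IP):
    """Flag sockets reachable from anywhere other than loopback or the management IP."""
    findings = []
    for proto, addr, port, prog in parse_listeners(text):
        if addr in WILDCARDS:
            findings.append(f"{prog} listens on all interfaces ({addr}:{port})")
        elif addr not in LOOPBACK and addr != mgmt_ip:
            findings.append(f"{prog} listens on unexpected address {addr}:{port}")
    return findings


if __name__ == "__main__":
    for finding in audit_listeners(SAMPLE_NETSTAT):
        print("WARN:", finding)
```

The same function can be fed live `netstat -anltp` output on the controller once RabbitMQ, etcd and MariaDB are up, so every service is checked at once.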


Installing etcd (controller)

1. Install the service

yum install etcd -y

2. Edit /etc/etcd/etcd.conf, setting ETCD_INITIAL_CLUSTER, ETCD_INITIAL_ADVERTISE_PEER_URLS, ETCD_ADVERTISE_CLIENT_URLS and ETCD_LISTEN_CLIENT_URLS as follows

vi /etc/etcd/etcd.conf

#[Member]
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="http://172.16.14.224:2380"
ETCD_LISTEN_CLIENT_URLS="http://172.16.14.224:2379"
ETCD_NAME="controller"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="http://172.16.14.224:2380"
ETCD_ADVERTISE_CLIENT_URLS="http://172.16.14.224:2379"
ETCD_INITIAL_CLUSTER="controller=http://172.16.14.224:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster-01"
ETCD_INITIAL_CLUSTER_STATE="new"

3. Enable the service at boot

systemctl enable etcd;systemctl start etcd

Installing Keystone (controller)

Generate a random value to use as the administration token in the initial configuration.

openssl rand -hex 10

admin_token = 8e79c25cae896e43449b

1. Create the keystone database and grant privileges

mysql -uroot -p
CREATE DATABASE keystone;
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY '123456';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY '123456';

2. Install and configure the components

yum install openstack-keystone httpd mod_wsgi -y

3. Edit /etc/keystone/keystone.conf

In the [DEFAULT] section, define the value of the initial administration token:

[DEFAULT]

...

admin_token = ADMIN_TOKEN

Replace ADMIN_TOKEN with the random value generated in the earlier step. Then configure the [database] and [token] sections:


[database]

connection = mysql+pymysql://keystone:123456@controller/keystone

[token]

provider = fernet
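The three keystone.conf settings edited above (admin_token, the database connection string and the token provider) can be checked before the service is started. The following Python is an added example, not part of the page or of Keystone; the weak-password list and the 12-character minimum are assumptions made here.

```python
import configparser
import re
from urllib.parse import urlparse

# keystone.conf fragment as this page configures it (constructed from the values
# shown above; the admin_token is the `openssl rand -hex 10` output from the page).
SAMPLE_KEYSTONE_CONF = """\
[DEFAULT]
admin_token = 8e79c25cae896e43449b

[database]
connection = mysql+pymysql://keystone:123456@controller/keystone

[token]
provider = fernet
"""

# Assumptions of this example: passwords never acceptable in a service DSN,
# and a minimum length for anything else.
WEAK_PASSWORDS = {"123456", "password", "keystone", "openstack", "KEYSTONE_DBPASS"}
MIN_PASSWORD_LEN = 12


def audit_keystone_conf(text):
    """Return findings for the settings this deployment edits; an empty list means OK."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    findings = []

    token = cfg.get("DEFAULT", "admin_token", fallback="")
    if token in ("", "ADMIN_TOKEN"):
        findings.append("admin_token is unset or still the ADMIN_TOKEN placeholder")
    elif not re.fullmatch(r"[0-9a-f]{20,}", token):
        findings.append("admin_token is not a hex string of at least 20 characters")

    url = urlparse(cfg.get("database", "connection", fallback=""))
    if url.scheme != "mysql+pymysql":
        findings.append(f"database connection scheme is {url.scheme!r}, expected mysql+pymysql")
    pw = url.password or ""
    if pw in WEAK_PASSWORDS or len(pw) < MIN_PASSWORD_LEN:
        findings.append("database connection string carries a weak or trivial password")

    if cfg.get("token", "provider", fallback="") != "fernet":
        findings.append("[token] provider is not fernet")
    return findings


if __name__ == "__main__":
    for finding in audit_keystone_conf(SAMPLE_KEYSTONE_CONF):
        print("WARN:", finding)
```

Run against the page's own values it reports only the 123456 database password; the GRANT statements above must be updated with the same stronger password.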

4. Populate the keystone database

su -s /bin/sh -c "keystone-manage db_sync" keystone

5. Initialise the Fernet and credential key repositories

keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
keystone-manage credential_setup --keystone-user keystone --keystone-group keystone

6. Bootstrap the Identity service

keystone-manage bootstrap --bootstrap-password 123456 --bootstrap-admin-url http://controller:35357/v3/ --bootstrap-internal-url http://controller:5000/v3/ --bootstrap-public-url http://controller:5000/v3/ --bootstrap-region-id RegionOne

Configuring the Apache HTTP server

1. Edit /etc/httpd/conf/httpd.conf and set the ServerName parameter

ServerName controller

2. Create a symbolic link to /usr/share/keystone/wsgi-keystone.conf

ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/

3. Enable the service at boot

systemctl enable httpd.service;systemctl start httpd.service

4. Configure the environment variables

export OS_USERNAME=admin
export OS_PASSWORD=123456
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3

Creating domains, projects, users and roles

1. Create a domain

[root@controller ~]# openstack domain create --description "Domain" example
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Domain                           |
| enabled     | True                             |
| id          | 199658b1d0234c3cb8785c944aa05780 |
| name        | example                          |
| tags        | []                               |
+-------------+----------------------------------+
2. Create the service project

[root@controller ~]# openstack project create --domain default --description "Service Project" service
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Service Project                  |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 03e700ff43e44b29b97365bac6c7d723 |
| is_domain   | False                            |
| name        | service                          |
| parent_id   | default                          |
| tags        | []                               |
+-------------+----------------------------------+

3. Create the demo project

[root@controller ~]# openstack project create --domain default --description "Demo Project" demo
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Demo Project                     |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 61f8c9005ca84477b5bdbf485be1a546 |
| is_domain   | False                            |
| name        | demo                             |
| parent_id   | default                          |
| tags        | []                               |
+-------------+----------------------------------+

4. Create the demo user

[root@controller ~]# openstack user create --domain default --password-prompt demo
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | default                          |
| enabled             | True                             |
| id                  | fa794c034a53472c827a94e6a6ad12c1 |
| name                | demo                             |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+

5. Create the user role

[root@controller ~]# openstack role create user
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | 15ea413279a74770b79630b75932a596 |
| name      | user                             |
+-----------+----------------------------------+

6. Add the user role to the demo project and user

openstack role add --project demo --user demo user

Note: this command returns no output when it succeeds

Verifying the operations

1. Unset the environment variables

unset OS_AUTH_URL OS_PASSWORD

2. Authentication token returned for the admin user

[root@controller ~]# unset OS_AUTH_URL OS_PASSWORD
[root@controller ~]#  openstack --os-auth-url http://controller:35357/v3 \
>   --os-project-domain-name Default --os-user-domain-name Default \
>   --os-project-name admin --os-username admin token issue
Password: 
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                                   |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2018-06-25T07:45:18+0000                                                                                                                                                                |
| id         | gAAAAABawH_-ke3POs9LLzpEEH3Wziuk6VlQmNZCtxlDovLaSmg_-dOOUSDWsF-gw9we4QvcHzdO5Ahc3eEdDl6sIztZ60QQTG3x5Kbt_75EbWCZsBa2HkybZ-nJYuN4o3tQugse2BDcs8HF7bT1pAtoW0UM29RQNlCMdvx9jfcIT4EBit1SMKM |
| project_id | 4205b649750d4ea68ff5bea73de0faae                                                                                                                                                        |
| user_id    | 475b31138acc4cc5bb42ca64af418963                                                                                                                                                        |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
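What `openstack token issue` does with the OS_* variables exported earlier: it POSTs a Keystone v3 password-authentication body scoped to the project and reads the token back from the X-Subject-Token response header, which is why the `id` in the table is not in the JSON body. This is an added Python example, not part of the page or of the OpenStack client; the response header and body are constructed and the token string is not a real token.

```python
import json
from datetime import datetime, timezone

# The OS_* variables the page exports, as a dict (constructed input; the
# password is the page's own placeholder value).
OS_ENV = {
    "OS_AUTH_URL": "http://controller:35357/v3",
    "OS_USERNAME": "admin",
    "OS_PASSWORD": "123456",
    "OS_PROJECT_NAME": "admin",
    "OS_USER_DOMAIN_NAME": "Default",
    "OS_PROJECT_DOMAIN_NAME": "Default",
}


def build_token_request(env):
    """Body POSTed to {OS_AUTH_URL}/auth/tokens: password auth, project-scoped."""
    user = {"name": env["OS_USERNAME"],
            "domain": {"name": env["OS_USER_DOMAIN_NAME"]},
            "password": env["OS_PASSWORD"]}
    project = {"name": env["OS_PROJECT_NAME"],
               "domain": {"name": env["OS_PROJECT_DOMAIN_NAME"]}}
    return {"auth": {"identity": {"methods": ["password"], "password": {"user": user}},
                     "scope": {"project": project}}}


# Keystone returns the token itself in the X-Subject-Token header; the JSON body
# carries only metadata. Both are constructed here; the header is not a real token.
SAMPLE_HEADERS = {"X-Subject-Token": "gAAAAAB-constructed-example-token"}
SAMPLE_BODY = json.dumps({"token": {
    "expires_at": "2018-06-25T07:45:18.000000Z",
    "project": {"id": "4205b649750d4ea68ff5bea73de0faae"},
    "user": {"id": "475b31138acc4cc5bb42ca64af418963"},
}})


def parse_token_response(headers, body):
    """Return the four fields the CLI table shows: id, expires, project_id, user_id."""
    token = json.loads(body)["token"]
    expires = datetime.strptime(token["expires_at"], "%Y-%m-%dT%H:%M:%S.%fZ")
    return {"id": headers["X-Subject-Token"],
            "expires": expires.replace(tzinfo=timezone.utc),
            "project_id": token["project"]["id"],
            "user_id": token["user"]["id"]}


def token_is_valid(parsed, now_iso):
    """True if the token has not expired at the given ISO-8601 instant (with UTC offset)."""
    return datetime.fromisoformat(now_iso) < parsed["expires"]
```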

3. Authentication token returned for the demo user

[root@controller ~]# openstack --os-auth-url http://controller:5000/v3 \
>   --os-project-domain-na