OpenStack介绍
openstack是一个云平台管理项目,我们可以使用openstack来管理我们的资源池,在这个资源池中包含了很多的子项目。openstack是有多个不同的模块组成,不同的功能有相对应得不同模块负责。openstack三大核心分别是 计算、网络、存储。通过调用不同模块的API来对外提供交互。
openstack 的版本发布很快,从最初的A版到现在的N版,官方一般会每隔六个月发布一个新的版本。
openstack每个服务都有对应的项目名称,不同的项目就相当于一个提供单独服务的模块,具体的对应关系如下:
-
Horizon (Dashboard): Openstack的web管理服务。
-
Nova (Compute): 通虚拟化技术,提供的计算资源池。
-
Neutron (Networking): 虚拟机的网络资源管理。
存储服务(Storage):
-
Swift (Object Storage): 对象存储,适合于 “一次写入,多次读取”。
-
Cinder (Block Storage): 块存储,提供存储资源池。
共享服务(Share Service):
-
Keystone (Identify service):认证管理。
-
Glance (Image service): 提供虚拟镜像的注册和存储管理。
-
Ceilometer (Telemetry): 提供监控和数据采集、计量服务。
高层服务 (Higher-level service):
-
Heat (Orchestration): 自动化部署的组件。
-
Trove(Database Service): 提供数据库应用服务。
基础服务配置安装
准备工作:
两台CentOS7的机器,分别命名为node1和node2,如果没有内部DNS需要绑定hosts.
CS7修改主机名示例:
<span style="color:#333333"><span style="color:black"><code class="language-bash"><span style="color:slategray"># hostnamectl set-hostname node1</span>
<span style="color:slategray"># hostnamectl status</span>
<span style="color:slategray"># cat /etc/hostname </span>
node1</code></span></span>
安装yum源:
<span style="color:#333333"><span style="color:black"><code class="language-bash">rpm -ivh http://mirrors.aliyun.com/epel/epel-release-latest-7.noarch.rpm</code></span></span>
安装openstack仓库:
yum install -y centos-release-openstack-mitaka
安装管理包和客户端:
yum install -y python-openstackclient
yum install -y openstack-selinux
控制节点上安装以下服务:
yum install -y mariadb mariadb-server python2-PyMySQL
yum install -y rabbitmq-server
yum install -y openstack-keystone httpd mod_wsgi memcached python-memcached
yum install -y openstack-glance
yum install -y openstack-nova-api openstack-nova-cert \
openstack-nova-conductor openstack-nova-console \
openstack-nova-novncproxy openstack-nova-scheduler
yum install -y openstack-neutron openstack-neutron-ml2 \
openstack-neutron-linuxbridge ebtables
计算节点安装nova和neutron:
yum install -y openstack-nova-compute sysfsutils
yum install -y openstack-neutron openstack-neutron-linuxbridge ebtables
除了Horizon,openstack的其他组件都需要连接数据库。
除了Horizon和keystone,其他组件都需要连接RabbitMQ(消息队列,通信枢纽).
OpenStack数据库配置
创建/etc/my.cnf.d/openstack.cnf,并添加如下配置:
<span style="color:#333333"><span style="color:black"><code class="language-bash"><span style="color:#999999">[</span>mysqld<span style="color:#999999">]</span>
bind-address <span style="color:#9a6e3a">=</span> 172.16.10.50
default-storage-engine <span style="color:#9a6e3a">=</span> innodb
innodb_file_per_table <span style="color:slategray">#独享表空间</span>
max_connections <span style="color:#9a6e3a">=</span> 4096
collation-server <span style="color:#9a6e3a">=</span> utf8_general_ci
character-set-server <span style="color:#9a6e3a">=</span> utf8</code></span></span>
启动数据库:
<span style="color:#333333"><span style="color:black"><code class="language-bash"><span style="color:slategray"># systemctl enable mariadb.service</span>
<span style="color:slategray"># systemctl start mariadb.service</span></code></span></span>
为了保证数据库服务的安全性,运行``mysql_secure_installation``脚本。特别需要说明的是,为数据库的root用户设置一个适当的密码。
<span style="color:#333333"><span style="color:black"><code class="language-bash"><span style="color:slategray"># mysql_secure_installation</span></code></span></span>
创建库,并授权:
<span style="color:#333333"><span style="color:black"><code class="language-bash"><span style="color:#9a6e3a">></span> create database keystone<span style="color:#999999">;</span>
<span style="color:#9a6e3a">></span> grant all on keystone.* to <span style="color:#669900">'keystone'</span>@<span style="color:#669900">'localhost'</span> identified by <span style="color:#669900">'keystone'</span><span style="color:#999999">;</span>
<span style="color:#9a6e3a">></span> grant all on keystone.* to <span style="color:#669900">'keystone'</span>@<span style="color:#669900">'%'</span> identified by <span style="color:#669900">'keystone'</span><span style="color:#999999">;</span>
<span style="color:#9a6e3a">></span> create database glance<span style="color:#999999">;</span>
<span style="color:#9a6e3a">></span> grant all on glance.* to <span style="color:#669900">'glance'</span>@<span style="color:#669900">'localhost'</span> identified by <span style="color:#669900">'glance'</span><span style="color:#999999">;</span>
<span style="color:#9a6e3a">></span> grant all on glance.* to <span style="color:#669900">'glance'</span>@<span style="color:#669900">'%'</span> identified by <span style="color:#669900">'glance'</span><span style="color:#999999">;</span>
<span style="color:#9a6e3a">></span> create database nova<span style="color:#999999">;</span>
<span style="color:#9a6e3a">></span> grant all on nova.* to <span style="color:#669900">'nova'</span>@<span style="color:#669900">'localhost'</span> identified by <span style="color:#669900">'nova'</span><span style="color:#999999">;</span>
<span style="color:#9a6e3a">></span> grant all on nova.* to <span style="color:#669900">'nova'</span>@<span style="color:#669900">'%'</span> identified by <span style="color:#669900">'nova'</span><span style="color:#999999">;</span>
<span style="color:#9a6e3a">></span> create database nova_api<span style="color:#999999">;</span>
<span style="color:#9a6e3a">></span> grant all on nova_api.* to <span style="color:#669900">'nova'</span>@<span style="color:#669900">'localhost'</span> identified by <span style="color:#669900">'nova'</span><span style="color:#999999">;</span>
<span style="color:#9a6e3a">></span> grant all on nova_api.* to <span style="color:#669900">'nova'</span>@<span style="color:#669900">'%'</span> identified by <span style="color:#669900">'nova'</span><span style="color:#999999">;</span>
<span style="color:#9a6e3a">></span> create database neutron<span style="color:#999999">;</span>
<span style="color:#9a6e3a">></span> grant all on neutron.* to <span style="color:#669900">'neutron'</span>@<span style="color:#669900">'localhost'</span> identified by <span style="color:#669900">'neutron'</span><span style="color:#999999">;</span>
<span style="color:#9a6e3a">></span> grant all on neutron.* to <span style="color:#669900">'neutron'</span>@<span style="color:#669900">'%'</span> identified by <span style="color:#669900">'neutron'</span><span style="color:#999999">;</span></code></span></span>
<span style="color:#333333"><span style="color:black"><code class="language-bash">MariaDB <span style="color:#999999">[</span><span style="color:#999999">(</span>none<span style="color:#999999">)</span><span style="color:#999999">]</span><span style="color:#9a6e3a">></span> show databases<span style="color:#999999">;</span>
+--------------------+
<span style="color:#9a6e3a">|</span> Database <span style="color:#9a6e3a">|</span>
+--------------------+
<span style="color:#9a6e3a">|</span> glance <span style="color:#9a6e3a">|</span>
<span style="color:#9a6e3a">|</span> information_schema <span style="color:#9a6e3a">|</span>
<span style="color:#9a6e3a">|</span> keystone <span style="color:#9a6e3a">|</span>
<span style="color:#9a6e3a">|</span> mysql <span style="color:#9a6e3a">|</span>
<span style="color:#9a6e3a">|</span> neutron <span style="color:#9a6e3a">|</span>
<span style="color:#9a6e3a">|</span> nova <span style="color:#9a6e3a">|</span>
<span style="color:#9a6e3a">|</span> nova_api <span style="color:#9a6e3a">|</span>
<span style="color:#9a6e3a">|</span> performance_schema <span style="color:#9a6e3a">|</span>
+--------------------+
8 rows <span style="color:#0077aa">in</span> <span style="color:#0077aa">set</span> <span style="color:#999999">(</span>0.00 sec<span style="color:#999999">)</span></code></span></span>
控制节点安装RabbitMQ,并授权用户:
<span style="color:#333333"><span style="color:black"><code class="language-bash"> yum <span style="color:#dd4a68">install</span> -y rabbitmq-server
systemctl <span style="color:#dd4a68">enable</span> rabbitmq-server.service
systemctl start rabbitmq-server.service
rabbitmqctl add_user openstack openstack
rabbitmqctl set_permissions openstack <span style="color:#669900">".*"</span> <span style="color:#669900">".*"</span> <span style="color:#669900">".*"</span></code></span></span>
打开监控插件:
<span style="color:#333333"><span style="color:black"><code class="language-bash">rabbitmq-plugins <span style="color:#dd4a68">enable</span> rabbitmq_management</code></span></span>
此时可以查看RabbitMQ的服务端口是否开启:
<span style="color:#333333"><span style="color:black"><code class="language-bash"><span style="color:slategray"># netstat -lntup|grep 15672</span>
tcp 0 0 0.0.0.0:15672 0.0.0.0:* LISTEN 30174/beam</code></span></span>
可以直接访问web界面进行查看:http://localhost_ip:15672/
RabbitMQ的服务是5672端口:
<span style="color:#333333"><span style="color:black"><code class="language-bash"><span style="color:slategray"># netstat -lntup|grep 5672</span>
tcp 0 0 0.0.0.0:15672 0.0.0.0:* LISTEN 30174/beam
tcp 0 0 0.0.0.0:25672 0.0.0.0:* LISTEN 30174/beam
tcp6 0 0 :::5672 :::* LISTEN 30174/beam</code></span></span>
所有主机同步时间
<span style="color:#333333"><span style="color:black"><code class="language-bash">yum <span style="color:#dd4a68">install</span> ntpdate -y
ntpdate time1.aliyun.com
timedatectl set-timezone Asia/Shanghai</code></span></span>
在生产环境中,一定要保证服务器时间一致,否则会出现创建不了虚拟机的情况,在同步过程中也会出现各种问题。
OpenStack认证管理-Keystone
Keystone主要提供用户认证和服务目录的功能。openstack的服务授权都需要在keystone上完成,keystone通过给授权的用户提供一个具有时间有效期的token,在用户token过期之后需要重新授权。服务目录则包含了所有服务项和与之相关的API端点。
用户认证:User, Project,Token,Role.
这里的Role就类似一个具有相同权限的用户组,Keystone通过这些机制来进行认证授权操作。
服务目录:service,endpoint.
service 服务,如 Nova, Glance,Swift. 一个服务可以确认当前用户是否具有访问资源的权限。
endpoint其实是一个url,每个url都对应一个服务的实例的访问地址,并且具有public、private和admin这三种权限。public url可以被全局访问,private url只能被局域网访问,admin url被从常规的访问中分离。
Keystone的部署
Keystone使用memcatch来管理认证的token,之所以选择使用memcache而不是使用mysql的原因是存放在memcache中的token可以设置过期时间,到期之后会自动清理,防止在mysql中因为长期使用而出现表过大难以维护的问题。
生成一个token随机值
<span style="color:#333333"><span style="color:black"><code class="language-bash"><span style="color:slategray"># openssl rand -hex 10</span>
48d263aed5f11b0bc02f</code></span></span>
修改keystone的配置文件
在/etc/keystone/keystone.conf文件中配置以下各项
在[DEFAULT]部分,定义初始管理令牌的值
使用前面步骤生成的随机数替换``ADMIN_TOKEN`` 值。
<span style="color:#333333"><span style="color:black"><code class="language-bash"><span style="color:slategray"># grep "admin_token" /etc/keystone/keystone.conf</span>
admin_token <span style="color:#9a6e3a">=</span> 48d263aed5f11b0bc02f</code></span></span>
在 [database] 部分,配置数据库访问:
<span style="color:#333333"><span style="color:black"><code class="language-bash">connection <span style="color:#9a6e3a">=</span> mysql+pymysql://keystone:keystone@172.16.10.50/keystone</code></span></span>
在``[token]``部分,配置Fernet UUID令牌的提供者,并修改token的存储方式为memcache。
<span style="color:#333333"><span style="color:black"><code class="language-bash">provider <span style="color:#9a6e3a">=</span> fernet
driver <span style="color:#9a6e3a">=</span> memcache</code></span></span>
在[memcache]部分,修改提供memcache服务的主机ip:
<span style="color:#333333"><span style="color:black"><code class="language-bash">servers <span style="color:#9a6e3a">=</span> 172.16.10.50:11211</code></span></span>
修改完成后,keystone的配置就完成了。
<span style="color:#333333"><span style="color:black"><code class="language-bash"><span style="color:#999999">[</span>root@node1 ~<span style="color:#999999">]</span><span style="color:slategray"># grep '^[a-z]' /etc/keystone/keystone.conf</span>
admin_token <span style="color:#9a6e3a">=</span> 48d263aed5f11b0bc02f
connection <span style="color:#9a6e3a">=</span> mysql+pymysql://keystone:keystone@172.16.10.50/keystone
servers <span style="color:#9a6e3a">=</span> 172.16.10.50:11211
provider <span style="color:#9a6e3a">=</span> fernet
driver <span style="color:#9a6e3a">=</span> memcache</code></span></span>
初始化身份认证服务的数据库,进行数据库同步:
<span style="color:#333333"><span style="color:black"><code class="language-bash"><span style="color:slategray"># su -s /bin/sh -c "keystone-manage db_sync" keystone</span></code></span></span>
验证是否同步成功:
<span style="color:#333333"><span style="color:black"><code class="language-bash"><span style="color:slategray"># mysql -h 172.16.10.50 -ukeystone -pkeystone -e "use keystone; show tables;"</span></code></span></span>
初始化Fernet keys,此命令执行后会在/etc/keystone下创建一个fernet-keys目录:
<span style="color:#333333"><span style="color:black"><code class="language-bash"><span style="color:slategray"># keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone</span></code></span></span>
启动memcached:
<span style="color:#333333"><span style="color:black"><code class="language-bash">systemctl <span style="color:#dd4a68">enable</span> memcached
systemctl start memcached</code></span></span>
配置Apache HTTP服务器
编辑``/etc/httpd/conf/httpd.conf`` 文件,配置``ServerName`` 选项为控制节点:
<span style="color:#333333"><span style="color:black"><code class="language-bash">ServerName 172.16.10.50:80</code></span></span>
用下面的内容创建文件 /etc/httpd/conf.d/wsgi-keystone.conf
<span style="color:#333333"><span style="color:black"><code class="language-bash">Listen 5000
Listen 35357
<span style="color:#9a6e3a"><</span>VirtualHost *:5000<span style="color:#9a6e3a">></span>
WSGIDaemonProcess keystone-public processes<span style="color:#9a6e3a">=</span>5 threads<span style="color:#9a6e3a">=</span>1 user<span style="color:#9a6e3a">=</span>keystone group<span style="color:#9a6e3a">=</span>keystone display-name<span style="color:#9a6e3a">=</span>%<span style="color:#999999">{</span>GROUP<span style="color:#999999">}</span>
WSGIProcessGroup keystone-public
WSGIScriptAlias / /usr/bin/keystone-wsgi-public
WSGIApplicationGroup %<span style="color:#999999">{</span>GLOBAL<span style="color:#999999">}</span>
WSGIPassAuthorization On
ErrorLogFormat <span style="color:#669900">"%{cu}t %M"</span>
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined
<span style="color:#9a6e3a"><</span>Directory /usr/bin<span style="color:#9a6e3a">></span>
Require all granted
<span style="color:#9a6e3a"><</span>/Directory<span style="color:#9a6e3a">></span>
<span style="color:#9a6e3a"><</span>/VirtualHost<span style="color:#9a6e3a">></span>
<span style="color:#9a6e3a"><</span>VirtualHost *:35357<span style="color:#9a6e3a">></span>
WSGIDaemonProcess keystone-admin processes<span style="color:#9a6e3a">=</span>5 threads<span style="color:#9a6e3a">=</span>1 user<span style="color:#9a6e3a">=</span>keystone group<span style="color:#9a6e3a">=</span>keystone display-name<span style="color:#9a6e3a">=</span>%<span style="color:#999999">{</span>GROUP<span style="color:#999999">}</span>
WSGIProcessGroup keystone-admin
WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
WSGIApplicationGroup %<span style="color:#999999">{</span>GLOBAL<span style="color:#999999">}</span>
WSGIPassAuthorization On
ErrorLogFormat <span style="color:#669900">"%{cu}t %M"</span>
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined
<span style="color:#9a6e3a"><</span>Directory /usr/bin<span style="color:#9a6e3a">></span>
Require all granted
<span style="color:#9a6e3a"><</span>/Directory<span style="color:#9a6e3a">></span>
<span style="color:#9a6e3a"><</span>/VirtualHost<span style="color:#9a6e3a">></span></code></span></span>
启动Apache :
<span style="color:#333333"><span style="color:black"><code class="language-bash"><span style="color:slategray"># systemctl enable httpd.service</span>
<span style="color:slategray"># systemctl start httpd.service</span></code></span></span>
查看对应的5000端口和35357端口是否启用。
同时查看/var/log/keystone/keystone.log 是否有报错信息,如果有报错信息需要开启keystone的debug模式进行排错:
<span style="color:#333333"><span style="color:black"><code class="language-bash"> vim /etc/keystone/keystone.conf
<span style="color:slategray">#debug = false #将此项改为true,再查看日志。</span></code></span></span>
设置认证
配置认证令牌,直接在命令行执行:
<span style="color:#333333"><span style="color:black"><code class="language-bash"><span style="color:#dd4a68">export</span> OS_TOKEN<span style="color:#9a6e3a">=</span>48d263aed5f11b0bc02f</code></span></span>
配置端点URL:
<span style="color:#333333"><span style="color:black"><code class="language-bash"><span style="color:#dd4a68">export</span> OS_URL<span style="color:#9a6e3a">=</span>http://172.16.10.50:35357/v3</code></span></span>
配置认证 API 版本:
<span style="color:#333333"><span style="color:black"><code class="language-bash"><span style="color:#dd4a68">export</span> OS_IDENTITY_API_VERSION<span style="color:#9a6e3a">=</span>3</code></span></span>
创建域、项目、用户和角色
创建域``default``:
<span style="color:#333333"><span style="color:black"><code class="language-bash"><span style="color:slategray"># openstack domain create --description "Default Domain" default</span>
+-------------+----------------------------------+
<span style="color:#9a6e3a">|</span> Field <span style="color:#9a6e3a">|</span> Value <span style="color:#9a6e3a">|</span>
+-------------+----------------------------------+
<span style="color:#9a6e3a">|</span> description <span style="color:#9a6e3a">|</span> Default Domain <span style="color:#9a6e3a">|</span>
<span style="color:#9a6e3a">|</span> enabled <span style="color:#9a6e3a">|</span> True <span style="color:#9a6e3a">|</span>
<span style="color:#9a6e3a">|</span> <span style="color:#dd4a68">id</span> <span style="color:#9a6e3a">|</span> 5ab6cfb424ee4c99b0fea0cbec19e3b3 <span style="color:#9a6e3a">|</span>
<span style="color:#9a6e3a">|</span> name <span style="color:#9a6e3a">|</span> default <span style="color:#9a6e3a">|</span>
+-------------+----------------------------------+</code></span></span>
在环境中,为进行管理操作,创建管理的项目、用户和角色:
创建 admin 项目:
<span style="color:#333333"><span style="color:black"><code class="language-bash">openstack project create --domain default \
--description <span style="color:#669900">"Admin Project"</span> admin</code></span></span>
创建 admin 用户,并设置密码:
<span style="color:#333333"><span style="color:black"><code class="language-bash">openstack user create --domain default \
--password-prompt admin</code></span></span>
创建 admin 角色:
<span style="color:#333333"><span style="color:black"><code class="language-bash">openstack role create admin</code></span></span>
添加``admin`` 角色到 admin 项目和用户上:
<span style="color:#333333"><span style="color:black"><code class="language-bash">openstack role add --project admin --user admin admin</code></span></span>
上面命令的含义为:将admin用户添加到admin的项目,并授权为admin角色
创建一个demo的项目:
创建``demo`` 项目:(当为这个项目创建额外用户时,不要重复这一步。)
<span style="color:#333333"><span style="color:black"><code class="language-bash"> openstack project create --domain default \
--description <span style="color:#669900">"Demo Project"</span> demo</code></span></span>
创建``demo`` 用户并设置密码:
<span style="color:#333333"><span style="color:black"><code class="language-bash">openstack user create --domain default \
--password-prompt demo</code></span></span>
创建 user 角色:
<span style="color:#333333"><span style="color:black"><code class="language-bash">openstack role create user</code></span></span>
添加 user``角色到 ``demo 项目和用户角色:
<span style="color:#333333"><span style="color:black"><code class="language-bash">openstack role add --project demo --user demo user</code></span></span>
创建service项目
使用一个你添加到你的环境中每个服务包含独有用户的service 项目。
创建``service``项目:
<span style="color:#333333"><span style="color:black"><code class="language-bash">openstack project create --domain default \
--description <span style="color:#669900">"Service Project"</span> <span style="color:#dd4a68">service</span></code></span></span>
创建glance用户:
<span style="color:#333333"><span style="color:black"><code class="language-bash">openstack user create --domain default --password-prompt glance</code></span></span>
添加glance 用户到 service 项目和admin角色:
<span style="color:#333333"><span style="color:black"><code class="language-bash">openstack role add --project <span style="color:#dd4a68">service</span> --user glance admin</code></span></span>
创建nova用户:
<span style="color:#333333"><span style="color:black"><code class="language-bash">openstack user create --domain default --password-prompt nova</code></span></span>
添加nova用户到service项目和admin角色:
<span style="color:#333333"><span style="color:black"><code class="language-bash">openstack role add --project <span style="color:#dd4a68">service</span> --user nova admin</code></span></span>
创建neutron用户:
openstack user create --domain default --password-prompt neutron
添加neutron用户到service项目和admin角色:
<span style="color:#333333"><span style="color:black"><code class="language-bash">openstack role add --project <span style="color:#dd4a68">service</span> --user neutron admin</code></span></span>
服务注册
<span style="color:#333333"><span style="color:black"><code class="language-bash">openstack <span style="color:#dd4a68">service</span> create --name keystone --description <span style="color:#669900">"OpenStack Identity"</span> identity</code></span></span>
创建public的endpoint,并指定url, 注意IP和端口:
<span style="color:#333333"><span style="color:black"><code class="language-bash">openstack endpoint create --region RegionOne identity public http://172.16.10.50:5000/v3</code></span></span>
创建internal类型的endpoint:
<span style="color:#333333"><span style="color:black"><code class="language-bash">openstack endpoint create --region RegionOne identity internal http://172.16.10.50:5000/v3</code></span></span>
创建admin类型的endpoint,指定admin的管理端口:
<span style="color:#333333"><span style="color:black"><code class="language-bash">openstack endpoint create --region RegionOne identity admin http://172.16.10.50:35357/v3</code></span></span>
提示:由于内部是相互对应的,如果某一条创建错误,需要将对应的三条全部删除,重新创建。
删除方式:(service、user、project等都可以用这种方式删除)
<span style="color:#333333"><span style="color:black"><code class="language-bash">openstack endpoint list <span style="color:slategray">#查看对应的记录ID号</span>
openstack endpoint delete ab66752a92334e31a08aa65d6fb5fdfc <span style="color:slategray">#删除ID</span></code></span></span>
这些记录实质上都在mysql的keystone.endpoint表中,也可以直接修改表。
验证操作
在安装其它服务前,要先对之前的操作进行验证。
先重置``OS_TOKEN``和``OS_URL`` 环境变量:
<span style="color:#333333"><span style="color:black"><code class="language-bash">unset OS_TOKEN OS_URL</code></span></span>
使用 admin 用户,请求认证令牌进行测试:
<span style="color:#333333"><span style="color:black"><code class="language-bash">openstack --os-auth-url http://172.16.10.50:35357/v3 \
--os-project-domain-name default --os-user-domain-name default \
--os-project-name admin --os-username admin token issue</code></span></span>
使用demo项目的demo用户,请求认证令牌测试:
<span style="color:#333333"><span style="color:black"><code class="language-bash">openstack --os-auth-url http://172.16.10.50:35357/v3 \
--os-project-domain-name default --os-user-domain-name default \
--os-project-name demo --os-username demo token issue</code></span></span>
如果出现 (HTTP 401)则说明是密码输入错误。
创建环境变量脚本
在上面的测试中,使用了指定参数的方式来进行连接的验证,但是输入内容比较长,在实际的生产操作中我们可以定义一个环境变量的脚本,来省去指定参数的操作。
创建 admin 和 ``demo``项目和用户创建客户端环境变量脚本。接下来的部分会引用这些脚本,为客户端操作加载合适的的凭证。
编辑文件 admin-openstack.sh 并添加如下内容(注意指定密码和URL):
<span style="color:#333333"><span style="color:black"><code class="language-bash"><span style="color:#dd4a68">export</span> OS_PROJECT_DOMAIN_NAME<span style="color:#9a6e3a">=</span>default
<span style="color:#dd4a68">export</span> OS_USER_DOMAIN_NAME<span style="color:#9a6e3a">=</span>default
<span style="color:#dd4a68">export</span> OS_PROJECT_NAME<span style="color:#9a6e3a">=</span>admin
<span style="color:#dd4a68">export</span> OS_USERNAME<span style="color:#9a6e3a">=</span>admin
<span style="color:#dd4a68">export</span> OS_PASSWORD<span style="color:#9a6e3a">=</span>admin
<span style="color:#dd4a68">export</span> OS_AUTH_URL<span style="color:#9a6e3a">=</span>http://172.16.10.50:35357/v3
<span style="color:#dd4a68">export</span> OS_IDENTITY_API_VERSION<span style="color:#9a6e3a">=</span>3
<span style="color:#dd4a68">export</span> OS_IMAGE_API_VERSION<span style="color:#9a6e3a">=</span>2</code></span></span>
同理,添加demo的环境配置文件demo-openstack.sh:
<span style="color:#333333"><span style="color:black"><code class="language-bash"><span style="color:#dd4a68">export</span> OS_PROJECT_DOMAIN_NAME<span style="color:#9a6e3a">=</span>default
<span style="color:#dd4a68">export</span> OS_USER_DOMAIN_NAME<span style="color:#9a6e3a">=</span>default
<span style="color:#dd4a68">export</span> OS_PROJECT_NAME<span style="color:#9a6e3a">=</span>demo
<span style="color:#dd4a68">export</span> OS_USERNAME<span style="color:#9a6e3a">=</span>demo
<span style="color:#dd4a68">export</span> OS_PASSWORD<span style="color:#9a6e3a">=</span>demo
<span style="color:#dd4a68">export</span> OS_AUTH_URL<span style="color:#9a6e3a">=</span>http://172.16.10.50:5000/v3
<span style="color:#dd4a68">export</span> OS_IDENTITY_API_VERSION<span style="color:#9a6e3a">=</span>3
<span style="color:#dd4a68">export</span> OS_IMAGE_API_VERSION<span style="color:#9a6e3a">=</span>2</code></span></span>
对脚本添加执行权限后,每次执行openstack相关的命令一定要先source执行此脚本,否则会不成功。
对环境变量脚本进行验证:
<span style="color:#333333"><span style="color:black"><code class="language-bash"> <span style="color:#dd4a68">source</span> admin-openstack.sh</code></span></span>
尝试直接获取token,看是否成功
<span style="color:#333333"><span style="color:black"><code class="language-bash">openstack token issue</code></span></span>
Openstack镜像管理-Glance
Glance由Glance-api和Glance-Registry以及image Storage三个组件组成。
Glance-api: 接受云系统镜像的创建、删除和读取请求。通过接收REST API的请求,调用其他模块来完成镜像的查找,获取、上传、删除等操作。默认的监听端口为9292.
Glance-Registry:云镜像的注册服务。与mysql进行数据交互,用于存储和获取镜像的元数据。Glance数据库中有两张表,一张是image表,另一张是image property表。image表保存了镜像格式、大小等信息,image property表则主要保存镜像的定制化信息。glance-registry监听的端口为9191.
Image storage: 是一个存储的接口层,严格来说它并不是属于glance,只是给glance提供调用的一个接口。通过这个接口,glance可以获取镜像。image storage支持的存储有Amazon的S3、Openstack本身的Swift,还有如 ceph,sheepdog,GlusterFS等分布式存储,image storage是镜像保存和获取的接口,由于仅仅是一个接口层,具体的实现需要外部存储的支持。
Glance的部署
http://docs.openstack.org/mitaka/zh_CN/install-guide-rdo/glance-install.html#prerequisites
安装glance服务并配置数据库
前面已经对数据库进行了相关操作,这里需要编辑配置文件/etc/glance/glance-api.conf 并完成如下动作:
在 [database] 部分,配置数据库访问:(第二个glance为密码)
<span style="color:#333333"><span style="color:black"><code class="language-bash">connection <span style="color:#9a6e3a">=</span> mysql+pymysql://glance:glance@172.16.10.50/glance</code></span></span>
在/etc/glance/glance-registry.conf 的配置文件中[database] 也配置上此参数
<span style="color:#333333"><span style="color:black"><code class="language-bash">connection <span style="color:#9a6e3a">=</span> mysql+pymysql://glance:glance@172.16.10.50/glance</code></span></span>
同步数据库,此处会有一个警告:
<span style="color:#333333"><span style="color:black"><code class="language-bash"><span style="color:#dd4a68">su</span> -s /bin/sh -c <span style="color:#669900">"glance-manage db_sync"</span> glance</code></span></span>
验证数据库是否同步成功:
<span style="color:#333333"><span style="color:black"><code class="language-bash"><span style="color:slategray"># mysql -h 172.16.10.50 -uglance -pglance -e "use glance;show tables;"</span></code></span></span>
设置keystone
在/etc/glance/glance-api.conf中设置keystone的配置,分别在下面的两个模块中
添加如下配置信息:
<span style="color:#333333"><span style="color:black"><code class="language-bash"><span style="color:#999999">[</span>keystone_authtoken<span style="color:#999999">]</span>
<span style="color:#999999">..</span>.
auth_uri <span style="color:#9a6e3a">=</span> http://172.16.10.50:5000
auth_url <span style="color:#9a6e3a">=</span> http://172.16.10.50:35357
memcached_servers <span style="color:#9a6e3a">=</span> 172.16.10.50:11211
auth_type <span style="color:#9a6e3a">=</span> password
project_domain_name <span style="color:#9a6e3a">=</span> default
user_domain_name <span style="color:#9a6e3a">=</span> default
project_name <span style="color:#9a6e3a">=</span> <span style="color:#dd4a68">service</span>
username <span style="color:#9a6e3a">=</span> glance
password <span style="color:#9a6e3a">=</span> glance
<span style="color:#999999">[</span>paste_deploy<span style="color:#999999">]</span>
<span style="color:#999999">..</span>.
flavor <span style="color:#9a6e3a">=</span> keystone</code></span></span>
在/etc/glance/glance-registry.conf 中设置相同的配置:
<span style="color:#333333"><span style="color:black"><code class="language-bash"><span style="color:#999999">[</span>keystone_authtoken<span style="color:#999999">]</span>
<span style="color:#999999">..</span>.
auth_uri <span style="color:#9a6e3a">=</span> http://172.16.10.50:5000
auth_url <span style="color:#9a6e3a">=</span> http://172.16.10.50:35357
memcached_servers <span style="color:#9a6e3a">=</span> 172.16.10.50:11211
auth_type <span style="color:#9a6e3a">=</span> password
project_domain_name <span style="color:#9a6e3a">=</span> default
user_domain_name <span style="color:#9a6e3a">=</span> default
project_name <span style="color:#9a6e3a">=</span> <span style="color:#dd4a68">service</span>
username <span style="color:#9a6e3a">=</span> glance
password <span style="color:#9a6e3a">=</span> glance
<span style="color:#999999">[</span>paste_deploy<span style="color:#999999">]</span>
<span style="color:#999999">..</span>.
flavor <span style="color:#9a6e3a">=</span> keystone</code></span></span>
配置镜像存储
修改/etc/glance/glance-api.conf的配置:
在 [glance_store] 部分,配置本地文件系统存储和镜像文件位置:
<span style="color:#333333"><span style="color:black"><code class="language-bash"><span style="color:#999999">[</span>glance_store<span style="color:#999999">]</span>
stores <span style="color:#9a6e3a">=</span> file,http
default_store <span style="color:#9a6e3a">=</span> <span style="color:#dd4a68">file</span>
filesystem_store_datadir <span style="color:#9a6e3a">=</span> /var/lib/glance/images</code></span></span>
启动服务:
systemctl enable openstack-glance-api.service openstack-glance-registry.service
systemctl start openstack-glance-api.service openstack-glance-registry.service
查看启动后9292和9191端口是否开启。
在keystone上做服务注册
创建glance服务实体,首先加载admin环境变量
<span style="color:#333333"><span style="color:black"><code class="language-bash"><span style="color:slategray"># source admin-openstack.sh</span></code></span></span>
<span style="color:#333333"><span style="color:black"><code class="language-bash"><span style="color:slategray"># openstack service create --name glance \</span>
--description <span style="color:#669900">"OpenStack Image"</span> image</code></span></span>
创建镜像服务的 API 端点:
<span style="color:#333333"><span style="color:black"><code class="language-bash"><span style="color:slategray"># openstack endpoint create --region RegionOne \</span>
image public http://172.16.10.50:9292</code></span></span>
<span style="color:#333333"><span style="color:black"><code class="language-bash"><span style="color:slategray"># openstack endpoint create --region RegionOne \</span>
image internal http://172.16.10.50:9292</code></span></span>
<span style="color:#333333"><span style="color:black"><code class="language-bash"><span style="color:slategray"># openstack endpoint create --region RegionOne \</span>
image admin http://172.16.10.50:9292</code></span></span>
验证配置是否成功:
<span style="color:#333333"><span style="color:black"><code class="language-bash"><span style="color:slategray"># glance image-list </span>
+----+------+
<span style="color:#9a6e3a">|</span> ID <span style="color:#9a6e3a">|</span> Name <span style="color:#9a6e3a">|</span>
+----+------+
+----+------+</code></span></span>
验证操作
获得 admin 凭证来获取只有管理员能执行的命令的访问权限:
<span style="color:#333333"><span style="color:black"><code class="language-bash"><span style="color:slategray"># source admin-openstack.sh</span></code></span></span>
下载源镜像:
<span style="color:#333333"><span style="color:black"><code class="language-bash"><span style="color:slategray"># wget http://download.cirros-cloud.net/0.3.4/cirros-0.3.4-x86_64-disk.img</span></code></span></span>
上传镜像到镜像服务并设置公共可见,这样所有的项目都可以访问它:
<span style="color:#333333"><span style="color:black"><code class="language-bash"><span style="color:slategray"># openstack image create "cirros" --file cirros-0.3.4-x86_64-disk.img \</span>
--disk-format qcow2 --container-format bare --public</code></span></span>
验证是否上传成功:
<span style="color:#333333"><span style="color:black"><code class="language-bash"><span style="color:slategray"># openstack image list</span>
+--------------------------------------+--------+--------+
<span style="color:#9a6e3a">|</span> ID <span style="color:#9a6e3a">|</span> Name <span style="color:#9a6e3a">|</span> Status <span style="color:#9a6e3a">|</span>
+--------------------------------------+--------+--------+
<span style="color:#9a6e3a">|</span> 82c3ba8f-4930-4e32-bd1b-34881f5eb4cd <span style="color:#9a6e3a">|</span> cirros <span style="color:#9a6e3a">|</span> active <span style="color:#9a6e3a">|</span>
+--------------------------------------+--------+--------+</code></span></span>
上传成功后在/var/lib/glance/images/下可以看到这个镜像,以镜像ID命名:
<span style="color:#333333"><span style="color:black"><code class="language-bash"><span style="color:#999999">[</span>root@node1 ~<span style="color:#999999">]</span><span style="color:slategray"># cd /var/lib/glance/images/</span>
<span style="color:#999999">[</span>root@node1 images<span style="color:#999999">]</span><span style="color:slategray"># ll</span>
total 12980
-rw-r-----. 1 glance glance 13287936 Oct 26 16:00 82c3ba8f-4930-4e32-bd1b-34881f5eb4cd</code></span></span>
OpenStack计算服务-Nova
http://docs.openstack.org/mitaka/zh_CN/install-guide-rdo/nova-controller-install.html
在openstack的创建中,我们一般将Nova的计算节点组件放在需要创建虚拟机的主机上,而除了计算节点之外的其他Nova组件安装在控制节点上,计算节点只负责创建虚拟机。
Nova的服务组件:
API:负责接收和响应外部请求。API接收的请求将会放到消息队列(rabbitMQ)中。是外部访问nova的唯一途径。
Cert:负责身份认证EC2.
Scheduler:用于云主机调度。决策虚拟机创建在哪个主机(计算节点)上
Conductor: 计算节点访问数据库的中间件。
Consoleauth:用于控制台的授权验证
Novncproxy: VNC代理
配置数据库
编辑``/etc/nova/nova.conf``文件并完成下面的操作:
在``[api_database]``和``[database]``部分,配置数据库的连接:
<span style="color:#333333"><span style="color:black"><code class="language-bash"><span style="color:#999999">[</span>api_database<span style="color:#999999">]</span>
<span style="color:#999999">..</span>.
connection <span style="color:#9a6e3a">=</span> mysql+pymysql://nova:nova@172.16.10.50/nova_api
<span style="color:#999999">[</span>database<span style="color:#999999">]</span>
<span style="color:#999999">..</span>.
connection <span style="color:#9a6e3a">=</span> mysql+pymysql://nova:nova@172.16.10.50/nova</code></span></span>
同步Compute 数据库:
<span style="color:#333333"><span style="color:black"><code class="language-bash"><span style="color:#dd4a68">su</span> -s /bin/sh -c <span style="color:#669900">"nova-manage api_db sync"</span> nova
<span style="color:#dd4a68">su</span> -s /bin/sh -c <span style="color:#669900">"nova-manage db sync"</span> nova</code></span></span>
查看数据库同步是否成功:
<span style="color:#333333"><span style="color:black"><code class="language-bash">mysql -h 172.16.10.50 -unova -pnova -e <span style="color:#669900">"use nova;show tables;"</span>
mysql -h 172.16.10.50 -unova -pnova -e <span style="color:#669900">"use nova_api;show tables;"</span></code></span></span>
配置keystone
编辑``/etc/nova/nova.conf``文件并完成下面的操作:
编辑“[keystone_authtoken]” 部分,添加如下内容:
<span style="color:#333333"><span style="color:black"><code class="language-bash"><span style="color:#999999">[</span>keystone_authtoken<span style="color:#999999">]</span>
<span style="color:#999999">..</span>.
auth_uri <span style="color:#9a6e3a">=</span> http://172.16.10.50:5000
auth_url <span style="color:#9a6e3a">=</span> http://172.16.10.50:35357
memcached_servers <span style="color:#9a6e3a">=</span> 172.16.10.50:11211
auth_type <span style="color:#9a6e3a">=</span> password
project_domain_name <span style="color:#9a6e3a">=</span> default
user_domain_name <span style="color:#9a6e3a">=</span> default
project_name <span style="color:#9a6e3a">=</span> <span style="color:#dd4a68">service</span>
username <span style="color:#9a6e3a">=</span> nova
password <span style="color:#9a6e3a">=</span> nova</code></span></span>
在[DEFAULT]中打开注释:
<span style="color:#333333"><span style="color:black"><code class="language-bash"><span style="color:#999999">[</span>DEFAULT<span style="color:#999999">]</span>
<span style="color:#999999">..</span>.
auth_strategy <span style="color:#9a6e3a">=</span> keystone</code></span></span>
配置RabbitMQ
修改nova.conf文件:
<span style="color:#333333"><span style="color:black"><code class="language-bash"><span style="color:#999999">[</span>DEFAULT<span style="color:#999999">]</span>
<span style="color:#999999">..</span>.
rpc_backend<span style="color:#9a6e3a">=</span>rabbit
rabbit_host<span style="color:#9a6e3a">=</span>172.16.10.50
rabbit_port<span style="color:#9a6e3a">=</span>5672
rabbit_userid<span style="color:#9a6e3a">=</span>openstack
rabbit_password<span style="color:#9a6e3a">=</span>openstack</code></span></span>
配置nova服务参数
编辑``/etc/nova/nova.conf``文件
在``[DEFAULT]``部分,只启用计算和元数据API:
<span style="color:#333333"><span style="color:black"><code class="language-bash">enabled_apis<span style="color:#9a6e3a">=</span>osapi_compute,metadata</code></span></span>
在 [DEFAULT] 部分,使能 Networking 服务:(此处的设置需要修改默认参数Noop)
<span style="color:#333333"><span style="color:black"><code class="language-bash">use_neutron <span style="color:#9a6e3a">=</span> True
firewall_driver <span style="color:#9a6e3a">=</span> nova.virt.firewall.NoopFirewallDriver</code></span></span>
在``[vnc]``部分,配置VNC代理使用控制节点的管理接口IP地址 :
<span style="color:#333333"><span style="color:black"><code class="language-bash">vncserver_listen<span style="color:#9a6e3a">=</span>172.16.10.50
vncserver_proxyclient_address<span style="color:#9a6e3a">=</span>172.16.10.50</code></span></span>
在 [glance] 区域,配置镜像服务 API 的位置:
<span style="color:#333333"><span style="color:black"><code class="language-bash">api_servers<span style="color:#9a6e3a">=</span> http://172.16.10.50:9292</code></span></span>
在 [oslo_concurrency] 部分,配置锁路径:
<span style="color:#333333"><span style="color:black"><code class="language-bash">lock_path<span style="color:#9a6e3a">=</span>/var/lib/nova/tmp</code></span></span>
启动 Compute 服务并将其设置为随系统启动:
<span style="color:#333333"><span style="color:black"><code class="language-bash">systemctl <span style="color:#dd4a68">enable</span> openstack-nova-api.service \
openstack-nova-consoleauth.service openstack-nova-scheduler.service \
openstack-nova-conductor.service openstack-nova-novncproxy.service</code></span></span>
<span style="color:#333333"><span style="color:black"><code class="language-bash">systemctl start openstack-nova-api.service \
openstack-nova-consoleauth.service openstack-nova-scheduler.service \
openstack-nova-conductor.service openstack-nova-novncproxy.service</code></span></span>
注册nova服务
创建 nova 服务实体:
<span style="color:#333333"><span style="color:black"><code class="language-bash"><span style="color:slategray"># source admin-openstack.sh </span>
<span style="color:slategray"># openstack service create --name nova \</span>
--description <span style="color:#669900">"OpenStack Compute"</span> compute</code></span></span>
创建 Compute 服务 API 端点,nova api的端口为8774 :
<span style="color:#333333"><span style="color:black"><code class="language-bash"><span style="color:slategray"># openstack endpoint create --region RegionOne \</span>
compute public http://172.16.10.50:8774/v2.1/%\<span style="color:#999999">(</span>tenant_id\<span style="color:#999999">)</span>s</code></span></span>
<span style="color:#333333"><span style="color:black"><code class="language-bash"><span style="color:slategray"># openstack endpoint create --region RegionOne \</span>
compute internal http://172.16.10.50:8774/v2.1/%\<span style="color:#999999">(</span>tenant_id\<span style="color:#999999">)</span>s</code></span></span>
<span style="color:#333333"><span style="color:black"><code class="language-bash"><span style="color:slategray"># openstack endpoint create --region RegionOne \</span>
compute admin http://172.16.10.50:8774/v2.1/%\<span style="color:#999999">(</span>tenant_id\<span style="color:#999999">)</span>s</code></span></span>
查看注册是否成功:
<span style="color:#333333"><span style="color:black"><code class="language-bash"><span style="color:slategray"># openstack host list</span>
+-----------+-------------+----------+
<span style="color:#9a6e3a">|</span> Host Name <span style="color:#9a6e3a">|</span> Service <span style="color:#9a6e3a">|</span> Zone <span style="color:#9a6e3a">|</span>
+-----------+-------------+----------+
<span style="color:#9a6e3a">|</span> node1 <span style="color:#9a6e3a">|</span> conductor <span style="color:#9a6e3a">|</span> internal <span style="color:#9a6e3a">|</span>
<span style="color:#9a6e3a">|</span> node1 <span style="color:#9a6e3a">|</span> consoleauth <span style="color:#9a6e3a">|</span> internal <span style="color:#9a6e3a">|</span>
<span style="color:#9a6e3a">|</span> node1 <span style="color:#9a6e3a">|</span> scheduler <span style="color:#9a6e3a">|</span> internal <span style="color:#9a6e3a">|</span>
+-----------+-------------+----------+</code></span></span>
Nova计算节点的部署
http://docs.openstack.org/mitaka/zh_CN/install-guide-rdo/nova-compute-install.html
计算节点是真正运行虚拟机的节点,其硬件配置决定了可以运行多少虚拟机。并且这些节点需要支持CPU虚拟化。
确定CPU是否支持虚拟机的硬件加速:(结果不为0,表示支持)
<span style="color:#333333"><span style="color:black"><code class="language-bash"><span style="color:#dd4a68">egrep</span> -c <span style="color:#669900">'(vmx|svm)'</span> /proc/cpuinfo</code></span></span>
此处的计算节点已经在前面安装了对应的服务。
修改计算节点nova配置:(由于和控制节点的大部分配置类似,直接从控制节点scp配置文件到本地修改,并修改用户权限)
<span style="color:#333333"><span style="color:black"><code class="language-bash"><span style="color:slategray"># scp 172.16.10.50:/etc/nova/nova.conf ./nova1.conf</span>
<span style="color:slategray"># chown root:nova nova1.conf </span>
<span style="color:slategray"># mv nova.conf nova.conf-bak</span>
<span style="color:slategray"># mv nova1.conf nova.conf</span></code></span></span>
修改配置文件:
删除[database]中connection的配置参数。
<span style="color:#333333"><span style="color:black"><code class="language-bash"><span style="color:slategray">#connection = mysql+pymysql://nova:nova@172.16.10.50/nova</span>
<span style="color:slategray">#connection = mysql+pymysql://nova:nova@172.16.10.50/nova_api</span></code></span></span>
在``[vnc]``部分,启用并配置远程控制台访问:
打开注释:
<span style="color:#333333"><span style="color:black"><code class="language-bash">enabled<span style="color:#9a6e3a">=</span>true
novncproxy_base_url<span style="color:#9a6e3a">=</span>http://172.16.10.50:6080/vnc_auto.html
vncserver_listen<span style="color:#9a6e3a">=</span>0.0.0.0
vncserver_proxyclient_address<span style="color:#9a6e3a">=</span>172.16.10.51 <span style="color:slategray">#修改为本地主机ip</span></code></span></span>
打开默认的KVM虚拟化:
<span style="color:#333333"><span style="color:black"><code class="language-bash">virt_type<span style="color:#9a6e3a">=</span>kvm</code></span></span>
启动计算服务及其依赖,并将其配置为随系统自动启动:
<span style="color:#333333"><span style="color:black"><code class="language-bash">systemctl <span style="color:#dd4a68">enable</span> libvirtd.service openstack-nova-compute.service
systemctl start libvirtd.service openstack-nova-compute.service</code></span></span>
验证操作是否正常:
在控制节点查看:
<span style="color:#333333"><span style="color:black"><code class="language-bash"><span style="color:slategray"># source admin-openstack.sh </span>
<span style="color:slategray"># openstack host list</span>
+-----------+-------------+----------+
<span style="color:#9a6e3a">|</span> Host Name <span style="color:#9a6e3a">|</span> Service <span style="color:#9a6e3a">|</span> Zone <span style="color:#9a6e3a">|</span>
+-----------+-------------+----------+
<span style="color:#9a6e3a">|</span> node1 <span style="color:#9a6e3a">|</span> conductor <span style="color:#9a6e3a">|</span> internal <span style="color:#9a6e3a">|</span>
<span style="color:#9a6e3a">|</span> node1 <span style="color:#9a6e3a">|</span> consoleauth <span style="color:#9a6e3a">|</span> internal <span style="color:#9a6e3a">|</span>
<span style="color:#9a6e3a">|</span> node1 <span style="color:#9a6e3a">|</span> scheduler <span style="color:#9a6e3a">|</span> internal <span style="color:#9a6e3a">|</span>
<span style="color:#9a6e3a">|</span> node2 <span style="color:#9a6e3a">|</span> compute <span style="color:#9a6e3a">|</span> nova <span style="color:#9a6e3a">|</span>
+-----------+-------------+----------+
<span style="color:slategray"># nova image-list</span>
+--------------------------------------+--------+--------+--------+
<span style="color:#9a6e3a">|</span> ID <span style="color:#9a6e3a">|</span> Name <span style="color:#9a6e3a">|</span> Status <span style="color:#9a6e3a">|</span> Server <span style="color:#9a6e3a">|</span>
+--------------------------------------+--------+--------+--------+
<span style="color:#9a6e3a">|</span> 82c3ba8f-4930-4e32-bd1b-34881f5eb4cd <span style="color:#9a6e3a">|</span> cirros <span style="color:#9a6e3a">|</span> ACTIVE <span style="color:#9a6e3a">|</span> <span style="color:#9a6e3a">|</span>
+--------------------------------------+--------+--------+--------+</code></span></span>
出现上面的结果,证明计算节点的安装正常。
OpenStack网络服务-Neutron
Neutron由一个Neutron Server提供服务,主要包含一些二层的插件,如Linux Bridge,openvSwitch,DHCP-Agent, L3-Agent ,LBAAS-Agent 和其他组件等。模拟了实际物理网络中的服务和协议。
安装部署
http://docs.openstack.org/mitaka/zh_CN/install-guide-rdo/neutron-controller-install-option1.html
Neutron有两种网络架构,单一扁平网络和负杂的多网段网络,这里以单一扁平网络为例。
安装部署需要在控制节点和计算节点上安装对应的服务,之前已经安装,此处跳过此步骤。
数据库配置
编辑``/etc/neutron/neutron.conf`` 文件并在控制节点完成如下操作:
在 [database] 部分,配置数据库访问:
<span style="color:#333333"><span style="color:black"><code class="language-bash">connection <span style="color:#9a6e3a">=</span> mysql+pymysql://neutron:neutron@172.16.10.50/neutron</code></span></span>
配置Keystone
在 “[DEFAULT]” 和 “[keystone_authtoken]” 部分,配置认证服务访问:
<span style="color:#333333"><span style="color:black"><code class="language-bash"><span style="color:#999999">[</span>DEFAULT<span style="color:#999999">]</span>
auth_strategy <span style="color:#9a6e3a">=</span> keystone</code></span></span>
<span style="color:#333333"><span style="color:black"><code class="language-bash"><span style="color:#999999">[</span>keystone_authtoken<span style="color:#999999">]</span>
auth_uri <span style="color:#9a6e3a">=</span> http://172.16.10.50:5000
auth_url <span style="color:#9a6e3a">=</span> http://172.16.10.50:35357
memcached_servers <span style="color:#9a6e3a">=</span> 172.16.10.50:11211
auth_type <span style="color:#9a6e3a">=</span> password
project_domain_name <span style="color:#9a6e3a">=</span> default
user_domain_name <span style="color:#9a6e3a">=</span> default
project_name <span style="color:#9a6e3a">=</span> <span style="color:#dd4a68">service</span>
username <span style="color:#9a6e3a">=</span> neutron
password <span style="color:#9a6e3a">=</span> neutron</code></span></span>
配置RabbitMQ
在 “[DEFAULT]” 和 “[oslo_messaging_rabbit]”部分,配置 “RabbitMQ” 消息队列的连接:
<span style="color:#333333"><span style="color:black"><code class="language-bash"><span style="color:#999999">[</span>DEFAULT<span style="color:#999999">]</span>
<span style="color:#999999">..</span>.
rpc_backend <span style="color:#9a6e3a">=</span> rabbit</code></span></span>
<span style="color:#333333"><span style="color:black"><code class="language-bash"><span style="color:slategray"># 修改注释</span>
<span style="color:#999999">[</span>oslo_messaging_rabbit<span style="color:#999999">]</span>
rabbit_host <span style="color:#9a6e3a">=</span> 172.16.10.50
rabbit_userid <span style="color:#9a6e3a">=</span> openstack
rabbit_password <span style="color:#9a6e3a">=</span> openstack</code></span></span>
neutron的其他配置
在``[DEFAULT]``部分,启用ML2插件并禁用其他插件:
<span style="color:#333333"><span style="color:black"><code class="language-bash">core_plugin <span style="color:#9a6e3a">=</span> ml2
service_plugins <span style="color:#9a6e3a">=</span></code></span></span>
配置nova
在``[DEFAULT]``和``[nova]``部分,配置网络服务来通知计算节点的网络拓扑变化:
<span style="color:#333333"><span style="color:black"><code class="language-bash">notify_nova_on_port_status_changes <span style="color:#9a6e3a">=</span> <span style="color:#990055">true</span>
notify_nova_on_port_data_changes <span style="color:#9a6e3a">=</span> <span style="color:#990055">true</span></code></span></span>
<span style="color:#333333"><span style="color:black"><code class="language-bash"><span style="color:#999999">[</span>nova<span style="color:#999999">]</span>
auth_url <span style="color:#9a6e3a">=</span> http://172.16.10.50:35357
auth_type <span style="color:#9a6e3a">=</span> password
project_domain_name <span style="color:#9a6e3a">=</span> default
user_domain_name <span style="color:#9a6e3a">=</span> default
region_name <span style="color:#9a6e3a">=</span> RegionOne
project_name <span style="color:#9a6e3a">=</span> <span style="color:#dd4a68">service</span>
username <span style="color:#9a6e3a">=</span> nova
password <span style="color:#9a6e3a">=</span> nova</code></span></span>
在 [oslo_concurrency] 部分,配置锁路径:
<span style="color:#333333"><span style="color:black"><code class="language-bash">lock_path <span style="color:#9a6e3a">=</span> /var/lib/neutron/tmp</code></span></span>
配置 Modular Layer 2 (ML2) 插件
ML2插件使用Linuxbridge机制来为实例创建layer-2虚拟网络基础设施.
编辑``/etc/neutron/plugins/ml2/ml2_conf.ini``文件并完成以下操作:
在``[ml2]``部分,启用flat和VLAN网络:
<span style="color:#333333"><span style="color:black"><code class="language-bash">type_drivers <span style="color:#9a6e3a">=</span> flat,vlan,gre,vxlan,geneve</code></span></span>
在``[ml2]``部分,禁用私有网络:
<span style="color:#333333"><span style="color:black"><code class="language-bash">tenant_network_types <span style="color:#9a6e3a">=</span></code></span></span>
在``[ml2]``部分,启用Linuxbridge机制:
<span style="color:#333333"><span style="color:black"><code class="language-bash">mechanism_drivers <span style="color:#9a6e3a">=</span> linuxbridge,openvswitch</code></span></span>
在``[ml2]`` 部分,启用端口安全扩展驱动:
<span style="color:#333333"><span style="color:black"><code class="language-bash">extension_drivers <span style="color:#9a6e3a">=</span> port_security</code></span></span>
在``[ml2_type_flat]``部分,配置公共虚拟网络为flat网络
<span style="color:#333333"><span style="color:black"><code class="language-bash"><span style="color:#999999">[</span>ml2_type_flat<span style="color:#999999">]</span>
flat_networks <span style="color:#9a6e3a">=</span> public</code></span></span>
在 ``[securitygroup]``部分,启用 ipset 增加安全组规则的高效性:
<span style="color:#333333"><span style="color:black"><code class="language-bash">enable_ipset <span style="color:#9a6e3a">=</span> <span style="color:#990055">true</span></code></span></span>
配置Linuxbridge代理
Linuxbridge代理为实例建立layer-2虚拟网络并且处理安全组规则。
编辑``/etc/neutron/plugins/ml2/linuxbridge_agent.ini``文件并且完成以下操作:
在``[linux_bridge]``部分,将公共虚拟网络和公共物理网络接口对应起来:
<span style="color:#333333"><span style="color:black"><code class="language-bash">physical_interface_mappings <span style="color:#9a6e3a">=</span> public:eth0</code></span></span>
在``[vxlan]``部分,禁止VXLAN覆盖网络:
<span style="color:#333333"><span style="color:black"><code class="language-bash">enable_vxlan <span style="color:#9a6e3a">=</span> False</code></span></span>
在 ``[securitygroup]``部分,启用安全组并配置 Linuxbridge iptables firewall driver:
<span style="color:#333333"><span style="color:black"><code class="language-bash">enable_security_group <span style="color:#9a6e3a">=</span> <span style="color:#990055">true</span>
firewall_driver <span style="color:#9a6e3a">=</span> neutron.agent.linux.iptables_firewall.IptablesFirewallDriver</code></span></span>
配置DHCP代理
编辑``/etc/neutron/dhcp_agent.ini``文件并完成下面的操作:
在``[DEFAULT]``部分,配置Linuxbridge驱动接口,DHCP驱动并启用隔离元数据,这样在公共网络上的实例就可以通过网络来访问元数据:
<span style="color:#333333"><span style="color:black"><code class="language-bash">interface_driver <span style="color:#9a6e3a">=</span> neutron.agent.linux.interface.BridgeInterfaceDriver
dhcp_driver <span style="color:#9a6e3a">=</span> neutron.agent.linux.dhcp.Dnsmasq
enable_isolated_metadata <span style="color:#9a6e3a">=</span> True</code></span></span>
配置元数据代理
编辑``/etc/neutron/metadata_agent.ini``文件并完成以下操作:
在``[DEFAULT]`` 部分,配置元数据主机以及共享密码:
<span style="color:#333333"><span style="color:black"><code class="language-bash">nova_metadata_ip <span style="color:#9a6e3a">=</span> 172.16.10.50
metadata_proxy_shared_secret <span style="color:#9a6e3a">=</span> trying</code></span></span>
为nova配置网络服务
编辑``/etc/nova/nova.conf``文件并完成以下操作:
在``[neutron]``部分,配置访问参数,启用元数据代理并设置密码:
<span style="color:#333333"><span style="color:black"><code class="language-bash"><span style="color:#999999">[</span>neutron<span style="color:#999999">]</span>
<span style="color:#999999">..</span>.
url <span style="color:#9a6e3a">=</span> http://172.16.10.50:9696
auth_url <span style="color:#9a6e3a">=</span> http://172.16.10.50:35357
auth_type <span style="color:#9a6e3a">=</span> password
project_domain_name <span style="color:#9a6e3a">=</span> default
user_domain_name <span style="color:#9a6e3a">=</span> default
region_name <span style="color:#9a6e3a">=</span> RegionOne
project_name <span style="color:#9a6e3a">=</span> <span style="color:#dd4a68">service</span>
username <span style="color:#9a6e3a">=</span> neutron
password <span style="color:#9a6e3a">=</span> neutron</code></span></span>
<span style="color:#333333"><span style="color:black"><code class="language-bash">service_metadata_proxy<span style="color:#9a6e3a">=</span>true
metadata_proxy_shared_secret <span style="color:#9a6e3a">=</span> trying</code></span></span>
完成安装
网络服务初始化脚本需要一个软链接 /etc/neutron/plugin.ini``指向ML2插件配置文件/etc/neutron/plugins/ml2/ml2_conf.ini``。
<span style="color:#333333"><span style="color:black"><code class="language-bash"><span style="color:slategray"># ln -s /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini</span></code></span></span>
同步数据库:
<span style="color:#333333"><span style="color:black"><code class="language-bash"><span style="color:slategray"># su -s /bin/sh -c "neutron-db-manage --config-file /etc/neutron/neutron.conf \</span>
--config-file /etc/neutron/plugins/ml2/ml2_conf.ini upgrade head" neutron</code></span></span>
重启计算API 服务:
<span style="color:#333333"><span style="color:black"><code class="language-bash">systemctl restart openstack-nova-api.service</code></span></span>
当系统启动时,启动 Networking 服务并配置它启动
<span style="color:#333333"><span style="color:black"><code class="language-bash">systemctl <span style="color:#dd4a68">enable</span> neutron-server.service \
neutron-linuxbridge-agent.service neutron-dhcp-agent.service \
neutron-metadata-agent.service</code></span></span>
<span style="color:#333333"><span style="color:black"><code class="language-bash">systemctl start neutron-server.service \
neutron-linuxbridge-agent.service neutron-dhcp-agent.service \
neutron-metadata-agent.service</code></span></span>
在keystone上完成注册
<span style="color:#333333"><span style="color:black"><code class="language-bash"><span style="color:slategray"># source admin-openstack.sh </span>
<span style="color:slategray"># openstack service create --name neutron --description "OpenStack Networking" network</span>
<span style="color:slategray"># openstack endpoint create --region RegionOne \ </span>
network public http://172.16.10.50:9696
<span style="color:slategray"># openstack endpoint create --region RegionOne \ </span>
network internal http://172.16.10.50:9696
<span style="color:slategray"># openstack endpoint create --region RegionOne \ </span>
network admin http://172.16.10.50:9696</code></span></span>
验证neutron是否验证成功:
<span style="color:#333333"><span style="color:black"><code class="language-bash"><span style="color:slategray"># neutron agent-list</span>
+------------------+------------------+-------+-------------------+-------+----------------+-------------------+
<span style="color:#9a6e3a">|</span> <span style="color:#dd4a68">id</span> <span style="color:#9a6e3a">|</span> agent_type <span style="color:#9a6e3a">|</span> host <span style="color:#9a6e3a">|</span> availability_zone <span style="color:#9a6e3a">|</span> alive <span style="color:#9a6e3a">|</span> admin_state_up <span style="color:#9a6e3a">|</span> binary <span style="color:#9a6e3a">|</span>
+------------------+------------------+-------+-------------------+-------+----------------+-------------------+
<span style="color:#9a6e3a">|</span> 172afad4-755b-47 <span style="color:#9a6e3a">|</span> Linux bridge <span style="color:#9a6e3a">|</span> node1 <span style="color:#9a6e3a">|</span> <span style="color:#9a6e3a">|</span> :-<span style="color:#999999">)</span> <span style="color:#9a6e3a">|</span> True <span style="color:#9a6e3a">|</span> neutron- <span style="color:#9a6e3a">|</span>
<span style="color:#9a6e3a">|</span> a1-81e8-d38056e2 <span style="color:#9a6e3a">|</span> agent <span style="color:#9a6e3a">|</span> <span style="color:#9a6e3a">|</span> <span style="color:#9a6e3a">|</span> <span style="color:#9a6e3a">|</span> <span style="color:#9a6e3a">|</span> linuxbridge-agent <span style="color:#9a6e3a">|</span>
<span style="color:#9a6e3a">|</span> 441e <span style="color:#9a6e3a">|</span> <span style="color:#9a6e3a">|</span> <span style="color:#9a6e3a">|</span> <span style="color:#9a6e3a">|</span> <span style="color:#9a6e3a">|</span> <span style="color:#9a6e3a">|</span> <span style="color:#9a6e3a">|</span>
<span style="color:#9a6e3a">|</span> 7f568fdf-192f-45 <span style="color:#9a6e3a">|</span> Metadata agent <span style="color:#9a6e3a">|</span> node1 <span style="color:#9a6e3a">|</span> <span style="color:#9a6e3a">|</span> :-<span style="color:#999999">)</span> <span style="color:#9a6e3a">|</span> True <span style="color:#9a6e3a">|</span> neutron-metadata- <span style="color:#9a6e3a">|</span>
<span style="color:#9a6e3a">|</span> bd-8436-b48ecb5d <span style="color:#9a6e3a">|</span> <span style="color:#9a6e3a">|</span> <span style="color:#9a6e3a">|</span> <span style="color:#9a6e3a">|</span> <span style="color:#9a6e3a">|</span> <span style="color:#9a6e3a">|</span> agent <span style="color:#9a6e3a">|</span>
<span style="color:#9a6e3a">|</span> 7480 <span style="color:#9a6e3a">|</span> <span style="color:#9a6e3a">|</span> <span style="color:#9a6e3a">|</span> <span style="color:#9a6e3a">|</span> <span style="color:#9a6e3a">|</span> <span style="color:#9a6e3a">|</span> <span style="color:#9a6e3a">|</span>
<span style="color:#9a6e3a">|</span> fda9f554-952a-4b <span style="color:#9a6e3a">|</span> DHCP agent <span style="color:#9a6e3a">|</span> node1 <span style="color:#9a6e3a">|</span> nova <span style="color:#9a6e3a">|</span> :-<span style="color:#999999">)</span> <span style="color:#9a6e3a">|</span> True <span style="color:#9a6e3a">|</span> neutron-dhcp- <span style="color:#9a6e3a">|</span>
<span style="color:#9a6e3a">|</span> 7e-8509-f2641a65 <span style="color:#9a6e3a">|</span> <span style="color:#9a6e3a">|</span> <span style="color:#9a6e3a">|</span> <span style="color:#9a6e3a">|</span> <span style="color:#9a6e3a">|</span> <span style="color:#9a6e3a">|</span> agent <span style="color:#9a6e3a">|</span>
<span style="color:#9a6e3a">|</span> 95c9 <span style="color:#9a6e3a">|</span> <span style="color:#9a6e3a">|</span> <span style="color:#9a6e3a">|</span> <span style="color:#9a6e3a">|</span> <span style="color:#9a6e3a">|</span> <span style="color:#9a6e3a">|</span> <span style="color:#9a6e3a">|</span>
+------------------+------------------+-------+-------------------+-------+----------------+-------------------+</code></span></span>
在计算节点上安装Neutron
计算节点的配置和控制节点的配置文件是类似的,我们可以将控制节点的文件直接复制到计算节点进行修改。
<span style="color:#333333"><span style="color:black"><code class="language-bash"><span style="color:slategray"># scp /etc/neutron/neutron.conf 172.16.10.51:/etc/neutron/ </span>
<span style="color:slategray"># scp /etc/neutron/plugins/ml2/linuxbridge_agent.ini </span>
172.16.10.51:/etc/neutron/plugins/ml2/
<span style="color:slategray"># chown root.neutron /etc/neutron/plugins/ml2/linuxbridge_agent.ini #scp后的文件</span></code></span></span>
删除neutron.conf上[database]的配置部分,删除所有``connection`` 项,因为计算节点不直接访问数据库。
<span style="color:#333333"><span style="color:black"><code class="language-bash"><span style="color:slategray"># connection = mysql+pymysql://neutron:neutron@172.16.10.50/neutron</span></code></span></span>
同时删除[nova]部分的配置:
<span style="color:#333333"><span style="color:black"><code class="language-bash"><span style="color:#999999">[</span>nova<span style="color:#999999">]</span>
<span style="color:#999999">..</span>.
<span style="color:slategray">#auth_url = http://172.16.10.50:35357</span>
<span style="color:slategray">#auth_type = password</span>
<span style="color:slategray">#project_domain_name = default</span>
<span style="color:slategray">#user_domain_name = default</span>
<span style="color:slategray">#region_name = RegionOne</span>
<span style="color:slategray">#project_name = service</span>
<span style="color:slategray">#username = nova</span>
<span style="color:slategray">#password = nova</span></code></span></span>
注释掉核心plugin的选项:
<span style="color:#333333"><span style="color:black"><code class="language-bash"><span style="color:slategray">#core_plugin = ml2</span>
<span style="color:slategray">#service_plugins =</span></code></span></span>
注释掉nova端口通知的选项:
<span style="color:#333333"><span style="color:black"><code class="language-bash"><span style="color:slategray">#notify_nova_on_port_status_changes = true</span>
<span style="color:slategray">#notify_nova_on_port_data_changes = true</span></code></span></span>
查看计算节点/etc/neutron/plugins/ml2/linuxbridge_agent.ini的配置信息:
<span style="color:#333333"><span style="color:black"><code class="language-bash"><span style="color:#999999">[</span>root@node2 ~<span style="color:#999999">]</span><span style="color:slategray"># grep '^[a-z]' /etc/neutron/plugins/ml2/linuxbridge_agent.ini </span>
physical_interface_mappings <span style="color:#9a6e3a">=</span> public:eth0
firewall_driver <span style="color:#9a6e3a">=</span> neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
enable_security_group <span style="color:#9a6e3a">=</span> True
enable_vxlan <span style="color:#9a6e3a">=</span> False</code></span></span>
修改计算节点上nova的配置文件/etc/nova/nova.conf,和控制节点的一致:
<span style="color:#333333"><span style="color:black"><code class="language-bash"><span style="color:#999999">[</span>neutron<span style="color:#999999">]</span>
url <span style="color:#9a6e3a">=</span> http://172.16.10.50:9696
auth_url <span style="color:#9a6e3a">=</span> http://172.16.10.50:35357
auth_type <span style="color:#9a6e3a">=</span> password
project_domain_name <span style="color:#9a6e3a">=</span> default
user_domain_name <span style="color:#9a6e3a">=</span> default
region_name <span style="color:#9a6e3a">=</span> RegionOne
project_name <span style="color:#9a6e3a">=</span> <span style="color:#dd4a68">service</span>
username <span style="color:#9a6e3a">=</span> neutron
password <span style="color:#9a6e3a">=</span> neutron</code></span></span>
重启计算节点Nova-compute
<span style="color:#333333"><span style="color:black"><code class="language-bash"><span style="color:slategray"># systemctl restart openstack-nova-compute</span></code></span></span>
启动neutron-linuxbridge-agent:
<span style="color:#333333"><span style="color:black"><code class="language-bash"><span style="color:slategray"># systemctl enable neutron-linuxbridge-agent.service</span>
<span style="color:slategray"># systemctl start neutron-linuxbridge-agent.service</span></code></span></span>
在控制节点上验证是否成功:
<span style="color:#333333"><span style="color:black"><code class="language-bash"><span style="color:#999999">[</span>root@node1 ~<span style="color:#999999">]</span><span style="color:slategray"># neutron agent-list</span>
+--------------------------------------+--------------------+-------+-------------------+-------+----------------+---------------------------+
<span style="color:#9a6e3a">|</span> <span style="color:#dd4a68">id</span> <span style="color:#9a6e3a">|</span> agent_type <span style="color:#9a6e3a">|</span> host <span style="color:#9a6e3a">|</span> availability_zone <span style="color:#9a6e3a">|</span> alive <span style="color:#9a6e3a">|</span> admin_state_up <span style="color:#9a6e3a">|</span> binary <span style="color:#9a6e3a">|</span>
+--------------------------------------+--------------------+-------+-------------------+-------+----------------+---------------------------+
<span style="color:#9a6e3a">|</span> 172afad4-755b-47a1-81e8-d38056e2441e <span style="color:#9a6e3a">|</span> Linux bridge agent <span style="color:#9a6e3a">|</span> node1 <span style="color:#9a6e3a">|</span> <span style="color:#9a6e3a">|</span> :-<span style="color:#999999">)</span> <span style="color:#9a6e3a">|</span> True <span style="color:#9a6e3a">|</span> neutron-linuxbridge-agent <span style="color:#9a6e3a">|</span>
<span style="color:#9a6e3a">|</span> 7f568fdf-192f-45bd-8436-b48ecb5d7480 <span style="color:#9a6e3a">|</span> Metadata agent <span style="color:#9a6e3a">|</span> node1 <span style="color:#9a6e3a">|</span> <span style="color:#9a6e3a">|</span> :-<span style="color:#999999">)</span> <span style="color:#9a6e3a">|</span> True <span style="color:#9a6e3a">|</span> neutron-metadata-agent <span style="color:#9a6e3a">|</span>
<span style="color:#9a6e3a">|</span> cb3f16cf-c8dd-4a6b-b9e8-71622cde1774 <span style="color:#9a6e3a">|</span> Linux bridge agent <span style="color:#9a6e3a">|</span> node2 <span style="color:#9a6e3a">|</span> <span style="color:#9a6e3a">|</span> :-<span style="color:#999999">)</span> <span style="color:#9a6e3a">|</span> True <span style="color:#9a6e3a">|</span> neutron-linuxbridge-agent <span style="color:#9a6e3a">|</span>
<span style="color:#9a6e3a">|</span> fda9f554-952a-4b7e-8509-f2641a6595c9 <span style="color:#9a6e3a">|</span> DHCP agent <span style="color:#9a6e3a">|</span> node1 <span style="color:#9a6e3a">|</span> nova <span style="color:#9a6e3a">|</span> :-<span style="color:#999999">)</span> <span style="color:#9a6e3a">|</span> True <span style="color:#9a6e3a">|</span> neutron-dhcp-agent <span style="color:#9a6e3a">|</span>
+--------------------------------------+--------------------+-------+-------------------+-------+----------------+---------------------------+</code></span></span>
node2已经添加进来,说明配置成功。
提示:如果此过程无法正常获取node2的状态,检查配置文件neutron权限,防火墙和selinux的设置。