OpenStack is a cloud operating system that controls large pools of compute, storage and networking resources across a data center, all managed and provisioned through APIs that sit behind an authentication mechanism.
It also provides a dashboard that lets administrators control the deployment while users provision resources through a web interface.
Beyond the standard infrastructure-as-a-service functions, further components provide orchestration, fault management and service management to keep user applications highly available.
Environment setup
Note: if you can, download the packages ahead of time and build a local yum repository from them; otherwise find a usable proxy, because the downloads are painfully slow. The OpenStack version used here is Queens.
Environment (minimum configuration):
Controller node: 1 CPU, 4 GB RAM, 5 GB disk,
two NICs
Compute node: 1 CPU, 2 GB RAM, 10 GB disk,
CPU virtualization passthrough enabled (so the node can run KVM guests), two NICs
Set the hostnames: controller for the controller node,
compute1 for the compute node.
Add name resolution entries (/etc/hosts on every node):
192.168.223.11 controller
192.168.223.12 compute1
192.168.223.13 block1
Configure the second NIC (the provider interface; it is brought up without an IP address):
[root@controller network-scripts]# vim ifcfg-eth1
TYPE=Ethernet
BOOTPROTO=none
DEVICE=eth1
ONBOOT=yes
[root@compute1 network-scripts]# vim ifcfg-eth1
TYPE=Ethernet
BOOTPROTO=none
DEVICE=eth1
ONBOOT=yes
Bring the interface up
[root@controller network-scripts]# ifup eth1 ##do this on both machines
When it looks like this, the interface is up:
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:ee:cd:1a brd ff:ff:ff:ff:ff:ff
inet6 fe80::20c:29ff:feee:cd1a/64 scope link
valid_lft forever preferred_lft forever
Set up the Network Time Protocol
[root@controller ~]# yum install chrony
[root@controller ~]# vim /etc/chrony.conf
server 192.168.223.131 iburst ##IP of the host machine, which acts as the time source
[root@controller ~]# systemctl enable --now chronyd ##start now and enable at boot
Do the same on every machine so all nodes share a clock: Keystone checks token expiry against the local clock, so drift between nodes shows up as authentication failures.
Enable the OpenStack repository
On CentOS it is enough to install one package, because the CentOS extras
repository provides the RPM that enables the OpenStack repository.
[root@controller ~]# yum install centos-release-openstack-queens
On Red Hat Enterprise Linux the repository definition has to be fetched first:
[root@controller ~]# yum install https://rdoproject.org/repos/rdo-release.rpm
then enable the repository once it is installed.
Upgrade the packages on both hosts:
[root@controller ~]# yum upgrade
[root@compute1 ~]# yum upgrade
[root@controller ~]# yum install python-openstackclient ##install the OpenStack client
(The official Queens guide also installs openstack-selinux on RHEL/CentOS so SELinux can stay enforcing.)
With that done, move on to the database.
SQL database
Most OpenStack services store their state in a SQL database; it runs on the controller node.
[root@controller ~]# yum install mariadb mariadb-server python2-PyMySQL -y
[root@controller ~]# vim /etc/my.cnf.d/openstack.cnf
[mysqld]
bind-address = 192.168.223.11 ##the controller's management-network IP, so other nodes reach the database over the management network only (do not use 0.0.0.0)
default-storage-engine = innodb ##InnoDB engine
innodb_file_per_table = on
max_connections = 4096 ##maximum number of connections
collation-server = utf8_general_ci ##UTF-8 character set
character-set-server = utf8
[root@controller ~]# systemctl enable --now mariadb.service ##start the database and enable it at boot
[root@controller ~]# mysql_secure_installation ##hardening: set the root password, remove anonymous users and the test database, disable remote root login
Message queue
[root@controller ~]# yum install rabbitmq-server -y
[root@controller ~]# systemctl enable rabbitmq-server.service
[root@controller ~]# systemctl start rabbitmq-server.service
[root@controller ~]# rabbitmqctl add_user openstack openstack ##create the user and its password (use a generated password in place of 'openstack')
##in production, with many service accounts, record the credentials in a secrets store rather than a plain text file
[root@controller ~]# rabbitmqctl set_permissions openstack ".*" ".*" ".*" ##grant permissions
##we will check what the three ".*" mean in the management UI
Once the service is up it listens on port 5672
[root@controller ~]# netstat -antlp
tcp6 0 0 :::5672 :::* LISTEN 9898/beam.smp
Enable the management UI
[root@controller ~]# rabbitmq-plugins enable rabbitmq_management ##enable a plugin
With the UI enabled, a second port, 15672, is opened
[root@controller ~]# netstat -antlp
tcp 0 0 0.0.0.0:15672 0.0.0.0:* LISTEN 9898/beam.smp
Open port 15672 in a browser; it asks for a login, and the username and password are both guest. RabbitMQ 3.3 and later only allow guest to log in from localhost, so for remote access create a dedicated administrator account, and keep 15672 reachable from the management network only.
In the UI, under the openstack user, the three ".*" turn out to be the configure, write and read permissions, each a regular expression matched against resource names in the vhost.
Memcached
Used to cache Keystone tokens; cached entries expire on their own, so it needs no maintenance.
[root@controller ~]# yum install memcached python-memcached -y ##安装
[root@controller ~]# systemctl enable --now memcached.service ##安装完成后设置开机启动以及服务启动
Check which address the port is listening on
[root@controller ~]# netstat -antlp |grep :11211
tcp 0 0 127.0.0.1:11211 0.0.0.0:* LISTEN 11852/memcached
It listens on loopback only, so it has to be changed
[root@controller ~]# vim /etc/sysconfig/memcached
#OPTIONS="-l 127.0.0.1,::1" ##the page comments this line out, which makes memcached accept connections on every interface; memcached has no authentication, so the safer form is OPTIONS="-l 127.0.0.1,::1,controller" (loopback plus the management address) with port 11211 firewalled to the management network
[root@controller ~]# systemctl restart memcached.service ##restart so the new listen address takes effect
[root@controller ~]# netstat -antlp |grep :11211
tcp 0 0 0.0.0.0:11211 0.0.0.0:* LISTEN 12000/memcached
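The MariaDB bind-address, the RabbitMQ ports 5672/15672 and the Memcached change above all come down to one question: which controller services are now bound to every interface? The function below is an added example (not from the original page) that answers it from `netstat -antlp`-style output. The listing it is fed is constructed to mimic the page's output; the port list and the function name are this example's own.

```shell
# Added example: audit a netstat-style listing for OpenStack infrastructure
# services bound to all interfaces (0.0.0.0 or ::). Nothing here queries the host.

# Constructed sample in `netstat -antlp` format (Proto Recv-Q Send-Q Local Foreign State PID/Program).
SAMPLE_LISTENERS='tcp        0      0 192.168.223.11:3306     0.0.0.0:*               LISTEN      2218/mysqld
tcp6       0      0 :::5672                 :::*                    LISTEN      9898/beam.smp
tcp        0      0 0.0.0.0:15672           0.0.0.0:*               LISTEN      9898/beam.smp
tcp        0      0 0.0.0.0:11211           0.0.0.0:*               LISTEN      12000/memcached
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1100/master'

# $1: netstat-style text; $2: space-separated ports to watch.
# Prints "port program" for every LISTEN socket on a wildcard address whose port
# is in the watch list. Returns 0 when nothing is exposed, 1 otherwise.
find_wildcard_listeners() {
    printf '%s\n' "$1" | awk -v ports="$2" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) watch[p[i]] = 1 }
        $6 == "LISTEN" {
            laddr = $4
            # port is the text after the last ":"; the address is what precedes it
            port = laddr; sub(/.*:/, "", port)
            addr = substr(laddr, 1, length(laddr) - length(port) - 1)
            if ((addr == "0.0.0.0" || addr == "::") && (port in watch)) {
                prog = $7; sub(/^[0-9]+\//, "", prog)   # drop the "pid/" prefix
                print port, prog
                found = 1
            }
        }
        END { exit found ? 1 : 0 }'
}

# On a real controller (not run here):
#   find_wildcard_listeners "$(netstat -antlp 2>/dev/null)" "3306 5672 15672 11211"
```

Against the constructed listing the function reports 5672, 15672 and 11211 and returns 1; MariaDB passes because it is bound to the management IP, which is the state every one of these services should end up in.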
Identity service
Keystone provides authentication, authorization management and the service catalog.
Prerequisites
[root@controller ~]# mysql -uroot -p ##create the database
MariaDB [(none)]> CREATE DATABASE keystone;
##grant the keystone database user access from localhost and from any host ('%'); if all service nodes sit on one subnet, that subnet is a tighter grant than '%'
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'keystone';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone';
Install and configure the components
[root@controller ~]# yum install openstack-keystone httpd mod_wsgi
[root@controller ~]# vim /etc/keystone/keystone.conf
[DEFAULT]
admin_token = bc335514fdc8e3d0b346 ##not part of the official Queens guide: the admin_token_auth middleware was deprecated in Ocata and is no longer in the Queens pipeline, and keystone-manage bootstrap below replaces it; a static admin token is a bypass credential, so leave this line out
[database]
connection = mysql+pymysql://keystone:keystone@controller/keystone ##mysql+pymysql driver, keystone user, database keystone on host controller
[token] ##Fernet token provider (not UUID)
provider = fernet
[root@controller ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone ##initialize the database schema
Once initialized, you can inspect it
[root@controller ~]# mysql -p keystone
MariaDB [keystone]> show tables;
+-----------------------------+
| Tables_in_keystone |
+-----------------------------+
| access_token |
| application_credential |
| application_credential_role |
| assignment |
| config_register |
| consumer |
| credential |
| endpoint |
| endpoint_group |
| federated_user |
| federation_protocol |
| group |
| id_mapping |
| identity_provider |
| idp_remote_ids |
| implied_role |
| limit |
| local_user |
| mapping |
| migrate_version |
| nonlocal_user |
| password |
| policy |
| policy_association |
| project |
| project_endpoint |
| project_endpoint_group |
| project_tag |
| region |
| registered_limit |
| request_token |
| revocation_event |
| role |
| sensitive_config |
| service |
| service_provider |
| system_assignment |
| token |
| trust |
| trust_role |
| user |
| user_group_membership |
| user_option |
| whitelisted_config |
+-----------------------------+
[root@controller ~]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone ##initialize the Fernet token keys
[root@controller keystone]# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone ##initialize the credential encryption keys
[root@controller keystone]# ll ##note the permissions on these two directories: 0700, owned by keystone; anyone who can read the Fernet keys can mint valid tokens
total 140
drwx------ 2 keystone keystone 24 Apr 5 22:39 credential-keys
drwx------ 2 keystone keystone 24 Apr 5 22:38 fernet-keys
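The `ll` output above is the check worth automating: the key directories must stay 0700 and owned by keystone, and every key file inside them 0600 with a numeric name. The following is an added example (not from the page or from Keystone) that audits such a directory; it assumes GNU stat (Linux) and builds a throwaway directory, owned by the current user, so it can be exercised without Keystone installed.

```shell
# Added example: audit a Keystone key directory (fernet-keys or credential-keys)
# the way keystone-manage fernet_setup/credential_setup leave it.

# $1: directory; $2: expected owner user name. Prints each finding; returns 0 if clean.
audit_key_dir() {
    dir=$1; owner=$2; bad=0
    [ -d "$dir" ] || { echo "missing: $dir"; return 1; }
    mode=$(stat -c '%a' "$dir"); own=$(stat -c '%U' "$dir")
    [ "$mode" = "700" ] || { echo "dir mode $mode != 700: $dir"; bad=1; }
    [ "$own" = "$owner" ] || { echo "dir owner $own != $owner: $dir"; bad=1; }
    for f in "$dir"/*; do
        [ -e "$f" ] || continue            # empty directory: nothing to check
        fmode=$(stat -c '%a' "$f"); fown=$(stat -c '%U' "$f")
        # key files are named by rotation index: 0, 1, 2, ...
        case ${f##*/} in *[!0-9]*) echo "unexpected file: $f"; bad=1 ;; esac
        [ "$fmode" = "600" ] || { echo "key mode $fmode != 600: $f"; bad=1; }
        [ "$fown" = "$owner" ] || { echo "key owner $fown != $owner: $f"; bad=1; }
    done
    return $bad
}

# Throwaway directory that mimics fernet-keys (keys 0 and 1), owned by the current
# user, so the audit can run on a machine without Keystone. Prints its path.
make_fake_key_dir() {
    d=$(mktemp -d); mkdir -m 700 "$d/fernet-keys"
    for k in 0 1; do
        head -c 32 /dev/urandom | base64 > "$d/fernet-keys/$k"
        chmod 600 "$d/fernet-keys/$k"
    done
    echo "$d/fernet-keys"
}

# On the controller (not run here):
#   audit_key_dir /etc/keystone/fernet-keys keystone && audit_key_dir /etc/keystone/credential-keys keystone
```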
[root@controller keystone]# keystone-manage bootstrap --bootstrap-password keystone \
> --bootstrap-admin-url http://controller:5000/v3/ \
> --bootstrap-internal-url http://controller:5000/v3/ \
> --bootstrap-public-url http://controller:5000/v3/ \
> --bootstrap-region-id RegionOne
Configure the Apache HTTP server
[root@controller ~]# vim /etc/httpd/conf/httpd.conf
ServerName controller ##your own hostname
[root@controller ~]# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/ ##create a symlink
##the WSGI config listens on two ports by default, 5000 and 35357
Once configured, start httpd
[root@controller ~]# systemctl enable --now httpd.service
Create the service entity and API endpoints
Set the environment variables (the admin credentials created by the bootstrap)
[root@controller ~]# export OS_USERNAME=admin
[root@controller ~]# export OS_PASSWORD=keystone
[root@controller ~]# export OS_PROJECT_NAME=admin
[root@controller ~]# export OS_USER_DOMAIN_NAME=Default
[root@controller ~]# export OS_PROJECT_DOMAIN_NAME=Default
[root@controller ~]# export OS_AUTH_URL=http://controller:5000/v3
[root@controller ~]# export OS_IDENTITY_API_VERSION=3
Create a new domain
[root@controller ~]# openstack domain create --description "An Example Domain" example
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | An Example Domain |
| enabled | True |
| id | d6bdadbed0174b11aa1e23917fc9dc2b |
| name | example |
| tags | [] |
+-------------+----------------------------------+
Create the service project
[root@controller ~]# openstack project create --domain default \
> --description "Service Project" service
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Service Project |
| domain_id | default |
| enabled | True |
| id | 3a8c98dd31a14b58a5a7977a6d386498 |
| is_domain | False |
| name | service |
| parent_id | default |
| tags | [] |
+-------------+----------------------------------+
Create the demo project
[root@controller ~]# openstack project create --domain default \
> --description "Demo Project" demo
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Demo Project |
| domain_id | default |
| enabled | True |
| id | 2938e7d1a06545c6986973bb89129ff1 |
| is_domain | False |
| name | demo |
| parent_id | default |
| tags | [] |
+-------------+----------------------------------+
Create the demo user
[root@controller ~]# openstack user create --domain default \
> --password-prompt demo
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | default |
| enabled | True |
| id | a9452ab645084952a8543c1ab45757e3 |
| name | demo |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+
Create the user role
[root@controller ~]# openstack role create user
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | None |
| id | 2dc3c63640984f34a0df1be62bdff9ea |
| name | user |
+-----------+----------------------------------+
Assign the user role to the demo user on the demo project
[root@controller ~]# openstack role add --project demo --user demo user
Verify the operation
Unset the environment variables
[root@controller ~]# unset OS_AUTH_URL OS_PASSWORD
Token returned for the admin user (the request below uses the legacy admin port 35357; in Queens port 5000 serves the same API)
[root@controller ~]# openstack --os-auth-url http://controller:35357/v3 \
> --os-project-domain-name Default --os-user-domain-name Default \
> --os-project-name admin --os-username admin token issue
Password:
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires | 2020-04-06T02:17:06+0000 |
| id | gAAAAABeioMS-YHcmABbGAbo_py88RmgJUuDGeZ7wP6lqYb6MqIlsk0K1N5sah47uib95HqHwlfcBg6o-LEm_VPhaTy-cV0x-2AcCB_m4sn47fVH98XzgBRnnwNt_HCxfK7X95E4Sr6YGPAZiad9d13FSW5hjR6WBYZrwoKhCvok1_FLNBPU3gY |
| project_id | 066f4557a52a4a1f94a3813f3a4ba5dc |
| user_id | 461e58800a3c4f3c869bb146370a9f27 |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
Token returned for the demo user
[root@controller ~]# openstack --os-auth-url http://controller:5000/v3 \
> --os-project-domain-name default --os-user-domain-name default \
> --os-project-name demo --os-username demo token issue
Password:
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires | 2020-04-06T02:19:12+0000 |
| id | gAAAAABeioOQpxb06o-s56YrP1AzT8qV85ze_uXnHrMNHy1dncfXXaXlUy11mZXb38raFbp07jxxze-ITO7G0RLasPD9G90yQazOV7gaAhj2znQKjWCdgEGdnjr8Aogq_P5DUOGEhmGvBBIC5cc3IukqYfj5KYbnxD_fYAXFtqSuEQWtDZXEGDs |
| project_id | 2938e7d1a06545c6986973bb89129ff1 |
| user_id | a9452ab645084952a8543c1ab45757e3 |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
Create the OpenStack client environment scripts
Create the admin-openrc script
[root@controller ~]# vim admin-openrc
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=keystone ##the admin password set with keystone-manage bootstrap
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
Create the demo-openrc script
[root@controller ~]# vim demo-openrc
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=keystone ##the demo user's password
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
These scripts hold plaintext credentials, so chmod 600 them. Their point is to avoid typing the variables every time; without them,
[root@controller ~]# openstack user list
Missing value auth-url required for auth plugin password ##the client complains about the missing parameter
Source the script instead
[root@controller ~]# source admin-openrc
[root@controller ~]# openstack user list ##now the list comes straight back
+----------------------------------+-------+
| ID | Name |
+----------------------------------+-------+
| 461e58800a3c4f3c869bb146370a9f27 | admin |
| a9452ab645084952a8543c1ab45757e3 | demo |
+----------------------------------+-------+
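The openrc scripts above keep OS_PASSWORD in a file in root's home. The alternative below is an added example (not from the page or from OpenStack): it writes the same variables but prompts for the password when the script is sourced, creates the file with mode 0600, and includes a small audit that flags an openrc with an embedded password or loose permissions. The generated script uses bash's `read -s`; the file path and function names are this example's own.

```shell
# Added example: an openrc without a stored password, plus an audit for the ones that have one.

# $1 output path, $2 project, $3 user. Writes the script with mode 0600.
write_openrc() {
    (
        umask 077      # subshell: the umask change does not leak to the caller
        cat > "$1" <<EOF
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=$2
export OS_USERNAME=$3
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
# prompt for the password instead of keeping it in this file (bash: read -s)
printf 'Password for %s: ' "\$OS_USERNAME"
read -rs OS_PASSWORD; echo
export OS_PASSWORD
EOF
    )
    chmod 600 "$1"
}

# Flags an openrc that embeds a password or is readable by others. Returns 0 if clean.
audit_openrc() {
    bad=0
    if grep -q '^export OS_PASSWORD=' "$1"; then
        echo "embedded password: $1"; bad=1
    fi
    perms=$(stat -c '%a' "$1")        # GNU stat
    case $perms in
        600|400) ;;
        *) echo "mode $perms too open: $1"; bad=1 ;;
    esac
    return $bad
}

# Usage on the controller (not run here):
#   write_openrc /root/admin-openrc admin admin && . /root/admin-openrc
#   audit_openrc /root/admin-openrc; audit_openrc /root/demo-openrc
```

Run against the page's own admin-openrc and demo-openrc, audit_openrc reports the embedded OS_PASSWORD line in each; that is the expected finding, not a false positive.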
Image service
The OpenStack Image service is a core IaaS service, as shown in the conceptual architecture. It accepts API requests for disk or server images, and metadata definitions, from end users or from the OpenStack Compute components. It also supports storing disk or server images on several repository types, including OpenStack Object Storage.
A number of periodic processes run on the Image service to support caching. A replication service ensures consistency and availability across the cluster. Other periodic processes include auditors, updaters and reapers.
The Image service consists of the following components:
glance-api
Accepts Image API calls for image discovery, retrieval and storage.
glance-registry
Stores, processes and retrieves image metadata such as size and type.
Database
Stores image metadata; the database is the deployer's choice, and most deployments use MySQL or SQLite.
Storage repository for image files
Several repository types are supported: regular file systems, Object Storage, RADOS block devices, HTTP and Amazon S3. Note that some of them are read-only.
Metadata definition service
A common API for vendors, administrators, services and users to define their own metadata. The metadata can be attached to different resources such as images, artifacts, volumes, flavors and aggregates. A definition includes the new property's key, description, constraints and the resource types it can be associated with.
Install the Glance service
Create the glance database and grant access
MariaDB [(none)]> CREATE DATABASE glance;
MariaDB [(none)]> GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'localhost' \
-> IDENTIFIED BY 'glance';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'%' IDENTIFIED BY 'glance';
Source the admin credentials and create the service identity
[root@controller ~]# . admin-openrc
[root@controller ~]# openstack user create --domain default --password-prompt glance
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | default |
| enabled | True |
| id | 4f199e1bca3f4b25bb7744938c835311 |
| name | glance |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+
##the 'glance' granted in MariaDB and the 'glance' just created in Keystone are two separate identities that only share a name: one is the database account, the other is the service user
Add the admin role to the glance user on the service project
[root@controller ~]# openstack role add --project service --user glance admin
Create the glance service entity and its endpoints
[root@controller ~]# openstack service create --name glance \
> --description "OpenStack Image" image ##service entity
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | OpenStack Image |
| enabled | True |
| id | fec6b17ab348473588045630e9a9ce1f |
| name | glance |
| type | image |
+-------------+----------------------------------+
##the three endpoints below all point at API port 9292
[root@controller ~]# openstack endpoint create --region RegionOne \
> image public http://controller:9292
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 1eaa6539f3b647569cbbae5231dd0e64 |
| interface | public |
| region | RegionOne |
| region_id | RegionOne |
| service_id | fec6b17ab348473588045630e9a9ce1f |
| service_name | glance |
| service_type | image |
| url | http://controller:9292 |
+--------------+----------------------------------+
[root@controller ~]# openstack endpoint create --region RegionOne \
> image internal http://controller:9292
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | cf5995a92bdc466495f6f93889610533 |
| interface | internal |
| region | RegionOne |
| region_id | RegionOne |
| service_id | fec6b17ab348473588045630e9a9ce1f |
| service_name | glance |
| service_type | image |
| url | http://controller:9292 |
+--------------+----------------------------------+
[root@controller ~]# openstack endpoint create --region RegionOne \
> image admin http://controller:9292
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | b780685b775c462e8be821df888cdb91 |
| interface | admin |
| region | RegionOne |
| region_id | RegionOne |
| service_id | fec6b17ab348473588045630e9a9ce1f |
| service_name | glance |
| service_type | image |
| url | http://controller:9292 |
+--------------+----------------------------------+
Install and configure the components
Install the package
[root@controller ~]# yum install openstack-glance -y
Edit the configuration file after installation
[root@controller ~]# vim /etc/glance/glance-api.conf
[database]
connection = mysql+pymysql://glance:glance@controller/glance ##database connection, used by db_sync
[keystone_authtoken]
auth_uri = http://controller:5000
auth_url = http://controller:35357
memcached_servers = controller:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = glance ##the Keystone user created above
password = glance ##its Keystone password; the file holds plaintext credentials, so keep it readable only by root and the glance group, as the package installs it
[paste_deploy]
flavor = keystone ##authenticate through Keystone
[glance_store] ##local file system store and the image directory
stores = file,http
default_store = file
filesystem_store_datadir = /var/lib/glance/images/
Then edit the registry configuration, which mirrors the api file
[root@controller ~]# vim /etc/glance/glance-registry.conf
[database]
connection = mysql+pymysql://glance:glance@controller/glance
[keystone_authtoken]
auth_uri = http://controller:5000
auth_url = http://controller:35357
memcached_servers = controller:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = glance
password = glance
[paste_deploy]
flavor = keystone
Sync the database
[root@controller ~]# su -s /bin/sh -c "glance-manage db_sync" glance
Enable at boot and start
[root@controller ~]# systemctl enable openstack-glance-api.service \
> openstack-glance-registry.service
[root@controller ~]# systemctl start openstack-glance-api.service \
> openstack-glance-registry.service
Verify the operation
Source the admin credentials and download a test image. The page fetches it over plain http; compare the downloaded file against the checksum published upstream before uploading it (Glance records the md5 it computed, shown below as checksum).
[root@controller ~]# . admin-openrc
[root@controller ~]# wget http://download.cirros-cloud.net/0.3.4/cirros-0.3.4-x86_64-disk.img
[root@controller ~]# openstack image create "cirros" \
--file cirros-0.3.4-x86_64-disk.img \
--disk-format qcow2 --container-format bare \
--public ##upload with qcow2 disk format, bare container format and public visibility so every project can use it:
+------------------+------------------------------------------------------+
| Field | Value |
+------------------+------------------------------------------------------+
| checksum | ee1eca47dc88f4879d8a229cc70a07c6 |
| container_format | bare |
| created_at | 2020-04-06T03:18:51Z |
| disk_format | qcow2 |
| file | /v2/images/a2c6edde-71f3-4171-a366-cf2bf26d1131/file |
| id | a2c6edde-71f3-4171-a366-cf2bf26d1131 |
| min_disk | 0 |
| min_ram | 0 |
| name | cirros |
| owner | 066f4557a52a4a1f94a3813f3a4ba5dc |
| protected | False |
| schema | /v2/schemas/image |
| size | 13287936 |
| status | active |
| tags | |
| updated_at | 2020-04-06T03:18:51Z |
| virtual_size | None |
| visibility | public |
+------------------+------------------------------------------------------+
[root@controller ~]# openstack image list ##check the image status; active means it is ready for use
+--------------------------------------+--------+--------+
| ID | Name | Status |
+--------------------------------------+--------+--------+
| a2c6edde-71f3-4171-a366-cf2bf26d1131 | cirros | active |
+--------------------------------------+--------+--------+
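The checksum field Glance prints (ee1eca47dc88f4879d8a229cc70a07c6 for this cirros build) is only useful if it is compared against a digest obtained out of band before the image is uploaded and booted. The function below is an added example (not from the page or from Glance) of that pre-upload check; the file it is tested on is a constructed sample, not the cirros image, and it assumes GNU coreutils md5sum/sha256sum.

```shell
# Added example: verify a downloaded image against a known digest before
# handing it to `openstack image create`.

# $1 path, $2 expected hex digest, $3 algorithm (md5 or sha256).
# Returns 0 on match, 1 on mismatch, 2 on an unknown algorithm.
verify_image() {
    case $3 in
        md5)    actual=$(md5sum "$1" | awk '{print $1}') ;;
        sha256) actual=$(sha256sum "$1" | awk '{print $1}') ;;
        *)      echo "unknown algorithm: $3" >&2; return 2 ;;
    esac
    if [ "$actual" = "$2" ]; then
        return 0
    fi
    echo "checksum mismatch for $1: got $actual, expected $2" >&2
    return 1
}

# Constructed sample file (the text "hello" plus newline) so the check runs offline.
make_sample_image() {
    f=$(mktemp); printf 'hello\n' > "$f"; echo "$f"
}

# On the controller, with the md5 taken from the upstream release listing (not run here):
#   verify_image cirros-0.3.4-x86_64-disk.img ee1eca47dc88f4879d8a229cc70a07c6 md5 \
#     && openstack image create "cirros" --file cirros-0.3.4-x86_64-disk.img \
#          --disk-format qcow2 --container-format bare --public
```

After the upload, `openstack image show cirros -f value -c checksum` should print the same md5; a different value means Glance stored something other than the file you verified.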