[Note]
This guide is based on the official OpenStack documentation (OpenStack Docs: Train Installation Guides)
and on the openEuler documentation (OpenStack Train).
The OpenStack cloud platform deployed in this document is the Train release, a stable, long-maintained version. For other releases, refer to the official documentation.
This document is a detailed record of a real deployment that was verified to work; I hope it is useful to others.
1 Deployment environment
1.1 Hardware configuration
This deployment uses five Huawei Cloud ECS servers; VMware Workstation virtual machines can be used instead. Every host runs openEuler (kernel 5.10.0-106.18.0.68.oe2209.x86_64). The hardware configuration of the nodes is shown in the figure below.
1.2 Network layout
The node network layout is shown in the figure below.
When deploying with VMware Workstation, the first NIC of every node is set to NAT mode and reaches the Internet through NAT; the second NIC of the controller node and of the compute node is set to bridged mode and connected to the provider network (the address range depends on your environment; in this example it is a Wi-Fi network, 192.168.0.0/24).
The host name and IP address of each node are listed in the table below. The management network (192.168.18.0/24) carries database, message-queue, cache and API traffic between the nodes, so it must not be reachable from instances or from the provider network.
Node name | Management network IP address | Role |
---|---|---|
xgk-ctl | 192.168.18.200/24 | Controller node |
xgk-cpt | 192.168.18.201/24 | Compute node |
xgk-blkn1 | 192.168.18.202/24 | Block storage node |
xgk-objn1 | 192.168.18.203/24 | Object storage node 1 |
xgk-objn2 | 192.168.18.204/24 | Object storage node 2 |
1.3 Node environment configuration
1.3.1 Configuring the controller node
1. Set the host name and edit /etc/hosts
[root@localhost ~]# hostnamectl hostname xgk-ctl
[root@localhost ~]# exit
[root@xgk-ctl ~]# vi /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
#Add the following lines
192.168.18.200 xgk-ctl
192.168.18.201 xgk-cpt
192.168.18.202 xgk-blkn1
192.168.18.203 xgk-objn1
192.168.18.204 xgk-objn2
2. Configure the management IP address
The controller node has two network adapters; their device names can be listed with the command ip a. Here interface enp4s3 is attached to the OpenStack management network with the address 192.168.18.200/24, and interface enp4s4 is attached to the provider network without an IP address (Neutron will bridge it later).
(1) Configuration of interface enp4s3:
[root@xgk-ctl ~]# vi /etc/sysconfig/network-scripts/ifcfg-enp4s3
TYPE=Ethernet
BOOTPROTO=static
NAME=enp4s3
DEVICE=enp4s3
ONBOOT=yes
IPADDR=192.168.18.200
NETMASK=255.255.255.0
GATEWAY=192.168.18.254
DNS1=114.114.114.114
DNS2=8.8.8.8
(2) Configuration of interface enp4s4:
[root@xgk-ctl ~]# vi /etc/sysconfig/network-scripts/ifcfg-enp4s4
TYPE=Ethernet
BOOTPROTO=none
NAME=enp4s4
DEVICE=enp4s4
ONBOOT=yes
(3) Activate the connections
[root@xgk-ctl ~]# nmcli connection reload
[root@xgk-ctl ~]# nmcli connection up enp4s3
3. Test the network and install the basic packages
After the configuration above, check that the Internet can be reached with ping; if it can, install the following basic packages.
[root@xgk-ctl ~]# ping -c4 www.baidu.com
PING www.a.shifen.com (14.215.177.39) 56(84) bytes of data.
64 bytes from 14.215.177.39 (14.215.177.39): icmp_seq=1 ttl=51 time=14.9 ms
64 bytes from 14.215.177.39 (14.215.177.39): icmp_seq=2 ttl=51 time=14.7 ms
64 bytes from 14.215.177.39 (14.215.177.39): icmp_seq=3 ttl=51 time=14.6 ms
64 bytes from 14.215.177.39 (14.215.177.39): icmp_seq=4 ttl=51 time=14.7 ms
--- www.a.shifen.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 14.605/14.713/14.943/0.134 ms
[root@xgk-ctl ~]# dnf -y install vim bash-completion net-tools
Note: dnf may occasionally fail while downloading; if the network is fine, simply retry a few times.
4. Disable SELinux
Edit the SELinux configuration file (/etc/sysconfig/selinux is a symlink to /etc/selinux/config) and set SELINUX to disabled or permissive. setenforce 0 takes effect immediately; the file takes effect at the next boot. Be aware of what this removes: with SELinux off, none of the daemons installed below (MariaDB, RabbitMQ, memcached, etcd, the OpenStack services) is confined any more. permissive is the safer of the two choices because denials are still logged, which is what you need if you later want to turn enforcement back on.
[root@xgk-ctl ~]# setenforce 0
[root@xgk-ctl ~]# vim /etc/sysconfig/selinux
...existing content omitted...
SELINUX=disabled
5. Disable the firewall
With firewalld stopped, every port opened in sections 1.4 to 1.7 (MariaDB 3306, RabbitMQ 5672 and 15672, memcached 11211, etcd 2379 and 2380) becomes reachable from any host that can route to the management network, and memcached and etcd as configured here carry no authentication at all. Only do this when the management network is isolated; section 1.10 lists the ports to open if you keep firewalld running.
[root@xgk-ctl ~]# systemctl stop firewalld.service && systemctl disable firewalld.service
6. Configure the NTP service
openEuler 22.09 ships with chrony installed, so only its configuration file needs to be changed: set the allow line to the management network, so that the other nodes can synchronise time from the controller (and nothing outside the management network can query it).
[root@xgk-ctl ~]# vim /etc/chrony.conf
...existing content omitted...
allow 192.168.18.0/24
Then restart the chronyd service
[root@xgk-ctl ~]# systemctl restart chronyd.service
1.3.2 Configuring the compute node
The compute node is configured like the controller node; only the host name and IP address differ, so use the host names and addresses from the table above. The steps are not repeated here.
The NTP configuration on the compute node is different:
(1) Edit /etc/chrony.conf, comment out the pool line, and set the controller node as the time server.
[root@xgk-cpt ~]# vim /etc/chrony.conf
……
#pool pool.ntp.org iburst
server 192.168.18.200 iburst
Then restart the chronyd service
[root@xgk-cpt ~]# systemctl restart chronyd.service
After a short wait, run chronyc sources to verify that synchronisation succeeded (the ^* marker in front of xgk-ctl means the controller is the selected, synchronised source).
[root@xgk-cpt ~]# chronyc sources
MS Name/IP address Stratum Poll Reach LastRx Last sample
===============================================================================
^* xgk-ctl 2 6 17 12 -1991us[-3083us] +/- 33ms
1.3.3 Configuring the other nodes
The other nodes are configured like the compute node, so the steps are not repeated. Note that the block storage and object storage nodes have only one network interface, the management one.
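A check worth running on every node after the /etc/hosts step in 1.3.1, as an added example that is not part of the original guide: memcached is later told to bind to the host name xgk-ctl and RabbitMQ derives its node name from the host name, so a stray loopback alias for a node name (for example a 127.0.1.1 line added by an installer) silently binds those daemons to loopback or makes the node unreachable. The node table is the one from section 1.2; the helper names and the sample hosts file are mine, and the sample is constructed, not copied from a real node.

```shell
# Added example (not from the original guide): validate a hosts file against
# the node table of section 1.2. Name=address pairs copied from that table.
NODES="xgk-ctl=192.168.18.200 xgk-cpt=192.168.18.201 xgk-blkn1=192.168.18.202 xgk-objn1=192.168.18.203 xgk-objn2=192.168.18.204"

# Print every address a name maps to in the hosts file read from stdin
# (comments stripped; aliases after the first name are honoured).
hosts_lookup() {   # $1 = name
    sed 's/#.*//' | awk -v n="$1" '{ for (i = 2; i <= NF; i++) if ($i == n) print $1 }'
}

# Validate a hosts file. Prints one finding per line, returns 1 if any.
check_hosts_file() {   # $1 = path to the hosts file
    rc=0
    for pair in $NODES; do
        name="${pair%%=*}"; want="${pair#*=}"
        got=$(hosts_lookup "$name" < "$1" | tr '\n' ' ')
        got="${got% }"
        case "$got" in
            "$want") ;;
            "")      echo "missing: $name"; rc=1 ;;
            *127.*|*::1*)
                     echo "loopback: $name -> $got (a daemon bound to $name would listen on loopback only)"; rc=1 ;;
            *)       echo "mismatch: $name -> $got (expected $want)"; rc=1 ;;
        esac
    done
    return $rc
}

# The node's own host name must be one of the table entries, otherwise
# services that publish their host name (RabbitMQ, nova-compute) cannot be reached.
own_name_known() {   # $1 = output of hostname
    case " $NODES " in *" $1="*) return 0 ;; *) return 1 ;; esac
}

# Constructed sample hosts file: xgk-cpt carries a loopback alias, xgk-objn2 is missing.
SAMPLE_HOSTS=$(mktemp)
cat > "$SAMPLE_HOSTS" <<'EOF'
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
127.0.1.1   xgk-cpt
192.168.18.200 xgk-ctl   # controller
192.168.18.201 xgk-cpt
192.168.18.202 xgk-blkn1
192.168.18.203 xgk-objn1
EOF

# On a real node: sh check-hosts.sh --live
if [ "${1:-}" = "--live" ]; then
    check_hosts_file /etc/hosts && own_name_known "$(hostname)"
else
    check_hosts_file "$SAMPLE_HOSTS" || echo "sample hosts file has problems (expected)"
fi
```

Run it with --live on each node once /etc/hosts is in place; a clean run prints nothing and exits 0.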
1.4 Installing the SQL database
Most OpenStack services store their state in a SQL database, which normally runs on the controller node.
1.4.1 Install the packages
openEuler 22.09 comes with its repositories already configured, so the packages can be installed directly.
[root@xgk-ctl ~]# dnf -y install mariadb mariadb-server python3-PyMySQL
python3-PyMySQL provides the Python module the OpenStack services use to connect to MariaDB; without it they cannot reach the database.
1.4.2 Create /etc/my.cnf.d/openstack.cnf
This file does not exist by default; create it with the following content, where the IP address is the controller's management IP. bind-address makes MariaDB listen on that one address only, so the database is not exposed on the provider interface or on a wildcard socket.
[root@xgk-ctl ~]# vim /etc/my.cnf.d/openstack.cnf
[mysqld]
bind-address = 192.168.18.200
default-storage-engine = innodb
innodb_file_per_table = on
max_connections = 4096
collation-server = utf8_general_ci
character-set-server = utf8
1.4.3 Start the mariadb service and enable it at boot
[root@xgk-ctl ~]# systemctl start mariadb.service
[root@xgk-ctl ~]# systemctl enable mariadb.service
1.4.4 Harden the database
By default the database user root has an empty password, an obvious risk. Run mysql_secure_installation to set a root password and to remove the anonymous users and the test database. Answer y to "Disallow root login remotely?": the OpenStack services created later each connect with their own database account (the *_DBPASS entries in section 1.9), so root never needs to log in from another host, and with firewalld disabled a remotely usable root account is reachable from the whole management network.
[root@xgk-ctl ~]# mysql_secure_installation
Enter current password for root (enter for none): #the initial password is empty, just press Enter
Switch to unix_socket authentication [Y/n] n #enter n
Change the root password? [Y/n] y #enter y to set the password of the database account root
New password: #enter the new password and keep it safe
Re-enter new password: #enter it again
Remove anonymous users? [Y/n] y #enter y to remove the anonymous users
Disallow root login remotely? [Y/n] y #enter y; root only needs local access, the services use their own accounts
Remove test database and access to it? [Y/n] y #enter y to remove the test database
Reload privilege tables now? [Y/n] y #enter y to reload the privilege tables
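The same hardening as explicit SQL, as an added example that is not part of the original guide: it can be reviewed before it is applied, it is repeatable, and it also drops any root account that may log in from a remote host (the services get their own accounts later, so root only needs local access). Input is the account list in the form mysql -N -B -e "SELECT user,host FROM mysql.user" prints it (tab-separated); the rows below are constructed, not a real dump, and ROOT_PASS_PLACEHOLDER stands for the password you chose.

```shell
# Added example (not from the original guide): non-interactive MariaDB hardening.

# Emit DROP USER statements for anonymous accounts and for root accounts whose
# Host is not a local address. Rows arrive on stdin as "user<TAB>host".
risky_accounts() {
    awk -F'\t' -v q="'" '
        $1 == "" { printf "DROP USER %s%s@%s%s%s;\n", q, q, q, $2, q; next }
        $1 == "root" && $2 != "localhost" && $2 != "127.0.0.1" && $2 != "::1" {
            printf "DROP USER %sroot%s@%s%s%s;\n", q, q, q, $2, q
        }
    '
}

# Complete hardening script: new root password (assumed to contain no single
# quote), risky accounts dropped, test database removed, privileges reloaded.
hardening_plan() {   # $1 = new root password; account rows on stdin
    printf "ALTER USER 'root'@'localhost' IDENTIFIED BY '%s';\n" "$1"
    risky_accounts
    printf 'DROP DATABASE IF EXISTS test;\n'
    printf "DELETE FROM mysql.db WHERE Db='test' OR Db='test\\\\_%%';\n"
    printf 'FLUSH PRIVILEGES;\n'
}

# Constructed sample: two anonymous accounts, a root@'%' that must go,
# and a service account that must be kept.
SAMPLE_USERS=$(printf 'root\tlocalhost\nroot\t%%\nroot\t127.0.0.1\n\txgk-ctl\n\tlocalhost\nkeystone\t%%\n')

# On the controller, review the plan first, then apply it as root:
#   mysql -N -B -e "SELECT user,host FROM mysql.user" | hardening_plan "$ROOT_PASS" | mysql
# The password is visible in the process list while hardening_plan runs.
printf '%s\n' "$SAMPLE_USERS" | hardening_plan 'ROOT_PASS_PLACEHOLDER'
```

Re-running the SELECT afterwards should show root only on localhost, 127.0.0.1 and ::1, and no row with an empty user.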
1.5 Installing and configuring RabbitMQ
OpenStack uses a message queue to coordinate operations and state information between services. The message queue service normally runs on the controller node; RabbitMQ is used here.
1.5.1 Install and start RabbitMQ
[root@xgk-ctl ~]# dnf -y install rabbitmq-server
[root@xgk-ctl ~]# systemctl enable rabbitmq-server.service && systemctl start rabbitmq-server.service
1.5.2 Add the openstack user
RABBIT_PASS is a placeholder; use the real password chosen for it (section 1.9). Every service configured later must use the same value in its transport_url.
[root@xgk-ctl ~]# rabbitmqctl add_user openstack RABBIT_PASS
Adding user "openstack" ...
Done. Don't forget to grant the user permissions to some virtual hosts! See 'rabbitmqctl help set_permissions' to learn more.
1.5.3 Grant permissions to the openstack user
Allow the openstack user configure, write and read access on the default virtual host "/".
[root@xgk-ctl ~]# rabbitmqctl set_permissions openstack ".*" ".*" ".*"
Setting permissions for user "openstack" in vhost "/" ...
1.5.4 Enable the RabbitMQ web management plugin
[root@xgk-ctl ~]# rabbitmq-plugins enable rabbitmq_management
Enabling plugins on node rabbit@xgk-ctl:
rabbitmq_management
The following plugins have been configured:
rabbitmq_management
rabbitmq_management_agent
rabbitmq_web_dispatch
Applying plugin configuration to rabbit@xgk-ctl...
The following plugins have been enabled:
rabbitmq_management
rabbitmq_management_agent
rabbitmq_web_dispatch
started 3 plugins.
The web management plugin listens on TCP port 15672; open http://192.168.18.200:15672 in a browser to reach the page shown below.
The built-in account guest (password guest) is accepted by RabbitMQ only for connections from the controller itself (loopback), so it cannot be used from another machine. The openstack user created above has no management tag and therefore cannot log in to this interface at all unless you give it one with rabbitmqctl set_user_tags. The interface is plain HTTP and, with firewalld disabled, is reachable from the whole management network; enable it only while troubleshooting, and delete the guest user on a deployment that is not a lab.
1.6 Installing and configuring memcached
The Identity service authentication mechanism used by the OpenStack services caches tokens in memcached. The memcached service normally runs on the controller node.
1.6.1 Install memcached
[root@xgk-ctl ~]# dnf -y install memcached python3-memcached
1.6.2 Edit /etc/sysconfig/memcached
In the OPTIONS line at the end of the file, add the controller's host name to the -l list so that the other nodes' services can use the cache. memcached has no authentication: whoever can reach port 11211 on the management network can read the cached token data, which is one more reason the management network must be isolated.
[root@xgk-ctl ~]# vim /etc/sysconfig/memcached
PORT="11211"
USER="memcached"
MAXCONN="1024"
CACHESIZE="64"
OPTIONS="-l 127.0.0.1,::1,xgk-ctl"
1.6.3 Start the memcached service and enable it at boot
[root@xgk-ctl ~]# systemctl enable memcached.service
Created symlink /etc/systemd/system/multi-user.target.wants/memcached.service → /usr/lib/systemd/system/memcached.service.
[root@xgk-ctl ~]# systemctl start memcached.service
After this step, check that port 11211 is listening on the expected addresses only (the management address and loopback; xgk-ctl resolved to 192.168.18.200 through /etc/hosts):
[root@xgk-ctl ~]# netstat -nautp | grep 11211
tcp 0 0 192.168.18.200:11211 0.0.0.0:* LISTEN 12461/memcached
tcp 0 0 127.0.0.1:11211 0.0.0.0:* LISTEN 12461/memcached
tcp6 0 0 ::1:11211 :::* LISTEN 12461/memcached
1.7 Installing and configuring the etcd service
OpenStack services can use etcd, a distributed, reliable key-value store, for distributed locking, configuration storage, tracking service liveness and other purposes.
1.7.1 Install etcd
[root@xgk-ctl ~]# dnf -y install etcd
1.7.2 Edit /etc/etcd/etcd.conf
Delete the existing content of the file and paste the following:
[root@xgk-ctl ~]# vim /etc/etcd/etcd.conf
#[Member]
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="http://192.168.18.200:2380"
ETCD_LISTEN_CLIENT_URLS="http://192.168.18.200:2379"
ETCD_NAME="controller"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="http://192.168.18.200:2380"
ETCD_ADVERTISE_CLIENT_URLS="http://192.168.18.200:2379"
ETCD_INITIAL_CLUSTER="controller=http://192.168.18.200:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster-01"
ETCD_INITIAL_CLUSTER_STATE="new"
Note: replace the IP address with the controller's management IP. As in the upstream installation guide, the URLs use plain http and no client authentication, so any host on the management network can read and write the store; outside a lab, enable TLS and authentication on etcd.
1.7.3 Start the etcd service and enable it at boot
[root@xgk-ctl ~]# systemctl enable etcd.service
Created symlink /etc/systemd/system/multi-user.target.wants/etcd.service → /usr/lib/systemd/system/etcd.service.
[root@xgk-ctl ~]# systemctl start etcd.service
After this step succeeds, check that TCP ports 2379 and 2380 are listening on the management address:
[root@xgk-ctl ~]# netstat -anutp | grep 2379
tcp 0 0 192.168.18.200:2379 0.0.0.0:* LISTEN 490985/etcd
tcp 0 0 192.168.18.200:44582 192.168.18.200:2379 ESTABLISHED 490985/etcd
tcp 0 0 192.168.18.200:2379 192.168.18.200:44582 ESTABLISHED 490985/etcd
[root@xgk-ctl ~]# netstat -anutp | grep 2380
tcp 0 0 192.168.18.200:2380 0.0.0.0:* LISTEN 490985/etcd
1.8 Verifying network connectivity between the nodes
1.8.1 Check that every node can reach the Internet
Example:
[root@xgk-ctl ~]# ping -c4 www.baidu.com
PING www.a.shifen.com (14.215.177.38) 56(84) bytes of data.
64 bytes from 14.215.177.38 (14.215.177.38): icmp_seq=1 ttl=128 time=63.4 ms
64 bytes from 14.215.177.38 (14.215.177.38): icmp_seq=2 ttl=128 time=29.4 ms
64 bytes from 14.215.177.38 (14.215.177.38): icmp_seq=3 ttl=128 time=62.5 ms
64 bytes from 14.215.177.38 (14.215.177.38): icmp_seq=4 ttl=128 time=32.9 ms
--- www.a.shifen.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 15443ms
rtt min/avg/max/mdev = 29.374/47.059/63.429/15.973 ms
1.8.2 Check that the nodes can ping each other, including by host name
Example:
[root@xgk-ctl ~]# ping -c4 xgk-cpt
PING xgk-cpt (192.168.18.201) 56(84) bytes of data.
64 bytes from xgk-cpt (192.168.18.201): icmp_seq=1 ttl=64 time=0.664 ms
64 bytes from xgk-cpt (192.168.18.201): icmp_seq=2 ttl=64 time=0.594 ms
64 bytes from xgk-cpt (192.168.18.201): icmp_seq=3 ttl=64 time=0.279 ms
64 bytes from xgk-cpt (192.168.18.201): icmp_seq=4 ttl=64 time=0.584 ms
--- xgk-cpt ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3049ms
rtt min/avg/max/mdev = 0.279/0.530/0.664/0.148 ms
1.9 Passwords used in this document
The main passwords used during the deployment are listed in the table below. Each one is a placeholder: replace it with a unique, randomly generated value, and make sure none of the placeholder strings ends up literally in a configuration file or in a rabbitmqctl or SQL command.
Password name | Description |
---|---|
ADMIN_PASS | Password of user admin |
CINDER_DBPASS | Database password for the Block Storage service |
CINDER_PASS | Password of Block Storage service user cinder |
DASH_DBPASS | Database password for the Dashboard |
DEMO_PASS | Password of user demo |
GLANCE_DBPASS | Database password for Image service |
GLANCE_PASS | Password of Image service user glance |
KEYSTONE_DBPASS | Database password of Identity service |
METADATA_SECRET | Secret for the metadata proxy |
NEUTRON_DBPASS | Database password for the Networking service |
NEUTRON_PASS | Password of Networking service user neutron |
NOVA_DBPASS | Database password for Compute service |
NOVA_PASS | Password of Compute service user nova |
PLACEMENT_PASS | Password of the Placement service user placement |
RABBIT_PASS | Password of RabbitMQ user openstack |
1.10 Default service ports
If you prefer not to stop firewalld, the OpenStack service traffic has to be allowed through it. The table below lists the default port of each OpenStack service; open only the ports of the services you actually install on a given node, and only to the networks that need them (the management network for the infrastructure services, the public network for the API endpoints and the dashboard).
OpenStack service | Default ports |
---|---|
Application Catalog | 8082 |
Backup Service | 9090 |
Big Data Processing Framework | 8386 |
Block Storage | 8776 |
Clustering | 8777 |
Compute | 8774 |
Compute ports for access to virtual machine consoles | 5900-5999 |
Compute VNC proxy for browsers (openstack-nova-novncproxy) | 6080 |
Compute VNC proxy for traditional VNC clients (openstack-nova-xvpvncproxy) | 6081 |
Container Infrastructure Management | 9511 |
Container Service | 9517 |
Data processing service | 8386 |
Database service | 8779 |
DNS service | 9001 |
High Availability Service | 15868 |
Identity service | 5000 |
Image service | 9292 |
Key Manager service | 9311 |
Loadbalancer service | 9876 |
Networking | 9696 |
NFV Orchestration service | 9890 |
Object Storage | 6000, 6001, 6002 |
Orchestration | 8004 |
Orchestration AWS CloudFormation-compatible API | 8000 |
Orchestration AWS CloudWatch-compatible API | 8003 |
Placement API | 8778 |
Proxy port for HTML5 console used by Compute service | 6082 |
Rating service | 8889 |
Registration service | 5050 |
Resource Reservation service | 1234 |
Root Cause Analysis service | 8999 |
Shared File Systems service | 8786 |
Telemetry alarming service | 8042 |
Telemetry event service | 8977 |
Workflow service | 8989 |
In addition, some auxiliary services used by OpenStack components have default ports of their own, listed in the table below.
Service | Default port | Used by |
---|---|---|
HTTP | 80 | OpenStack dashboard |
HTTP alternate | 8080 | OpenStack Object Storage |
HTTPS | 443 | Any OpenStack service that is enabled for SSL, especially secure-access dashboard. |
rsync | 873 | OpenStack Object Storage. Required. |
iSCSI target | 3260 | OpenStack Block Storage. Required. |
MySQL database service | 3306 | Most OpenStack components. |
Message Broker (AMQP traffic) | 5672 | OpenStack Block Storage, Networking, Orchestration, and Compute. |
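The firewalld alternative to stopping the service in 1.3.1, as an added example that is not part of the original guide: each node role gets only the ports its services need, built from the two tables above, and only from the management network, so that a host on the provider network cannot reach MariaDB or memcached at all. The role-to-port mapping is my reading of the tables for this deployment (chrony's UDP 123 on the controller comes from step 6 of 1.3.1); adjust it to the services you actually install. The script only prints the firewall-cmd invocations; pipe its output into sh on the node to apply them.

```shell
# Added example (not from the original guide): per-role firewalld rules
# restricted to the management network.
MGMT_NET="${MGMT_NET:-192.168.18.0/24}"

# "port/protocol" entries per role; a-b denotes a port range.
ports_for_role() {
    case "$1" in
        controller) echo "5000/tcp 9292/tcp 8774/tcp 8778/tcp 9696/tcp 6080/tcp 80/tcp 8080/tcp 8776/tcp 3306/tcp 5672/tcp 11211/tcp 2379/tcp 2380/tcp 123/udp" ;;
        compute)    echo "5900-5999/tcp" ;;
        block)      echo "3260/tcp" ;;
        object)     echo "6000/tcp 6001/tcp 6002/tcp 873/tcp" ;;
        *)          echo "unknown role: $1" >&2; return 1 ;;
    esac
}

# Reject malformed entries before they reach firewall-cmd.
valid_port_spec() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]+(-[0-9]+)?/(tcp|udp)$'
}

# One rich rule per entry, accepting only from the management network.
rich_rules() {   # $1 = role
    specs=$(ports_for_role "$1") || return 1
    for spec in $specs; do
        valid_port_spec "$spec" || { echo "bad port spec: $spec" >&2; return 1; }
        printf 'rule family="ipv4" source address="%s" port port="%s" protocol="%s" accept\n' \
            "$MGMT_NET" "${spec%/*}" "${spec#*/}"
    done
}

# The firewall-cmd invocations for a role (dry run). The rules are permanent
# and become active with the final reload.
firewall_commands() {   # $1 = role
    rich_rules "$1" | while read -r rule; do
        printf "firewall-cmd --permanent --add-rich-rule='%s'\n" "$rule"
    done
    echo "firewall-cmd --reload"
}

# Example: sh firewall-roles.sh controller | sh      (on xgk-ctl, as root)
if [ -n "${1:-}" ]; then
    firewall_commands "$1"
fi
```

Public API endpoints and the dashboard (5000, 9292, 8774, 9696, 6080, 80) will additionally need rules for the network your users connect from; the management-only rules above are the floor, not the complete policy.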
1.11 Configuring passwordless SSH from the controller node to the other nodes
1.11.1 Generate a key pair
The transcript below accepts an empty passphrase, which makes /root/.ssh/id_rsa on the controller a plaintext credential for root on every other node: whoever compromises the controller owns the whole deployment. If the controller is ever reachable from an untrusted network, protect the key with a passphrase and load it into ssh-agent for the session instead. (The prompts in this transcript show the host name controller; on this deployment it is xgk-ctl.)
[root@controller ~]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa
Your public key has been saved in /root/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:VBzvJmZTGhSzRMbZK1ZzP9F2f09MT5kgXydf9IumdRI root@controller
The key's randomart image is:
+---[RSA 3072]----+
| +X* .ooB|
| =++* o*X|
| . o.oE *B|
| . o=. o.O|
| S.*.o= ++|
| o ++ o .|
| . |
| |
| |
+----[SHA256]-----+
1.11.2 Copy the public key to the other nodes
The example below copies it to object storage node 1; repeat for the other nodes. Before answering yes to the "authenticity of host" prompt, compare the fingerprint shown with the one obtained from the node's own console (ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub on that node); accepting it blindly defeats host authentication for every later connection.
[root@controller ~]# ssh-copy-id root@192.168.18.203
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '192.168.18.203 (192.168.18.203)' can't be established.
ED25519 key fingerprint is SHA256:wtcZmmLytR7WZfrnHHo10ne9RLjmExtEYRAsVeoZdUg.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
Authorized users only. All activities may be monitored and reported.
root@192.168.18.203's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@192.168.18.203'"
and check to make sure that only the key(s) you wanted were added.
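Two small helpers for the points made above, as an added example that is not part of the original guide: restricting the installed public key so the node accepts it only from the controller's management address and without forwarding, and verifying the host-key fingerprint ssh-copy-id presents against one recorded out of band instead of answering yes interactively. The controller address and the prompt text are taken from this section; the helper names and the sample public-key line are mine.

```shell
# Added example (not from the original guide): restricted deployment key and
# out-of-band host-key verification.
CTL_IP="${CTL_IP:-192.168.18.200}"

# Prefix a public-key line (as found in id_rsa.pub) with the options a
# deployment key needs: valid only from $CTL_IP, and no forwarding of any kind.
# The result replaces the plain line ssh-copy-id appended to authorized_keys.
restrict_pubkey() {   # $1 = "ssh-rsa AAAA... comment"
    printf 'from="%s",no-agent-forwarding,no-port-forwarding,no-X11-forwarding %s\n' "$CTL_IP" "$1"
}

# Pull the SHA256 fingerprint out of the "authenticity of host" prompt text
# that ssh and ssh-copy-id print (read from stdin).
presented_fingerprint() {
    sed -n 's/.*key fingerprint is \(SHA256:[A-Za-z0-9+\/=]*\).*/\1/p' | head -n 1
}

# Accept only an exact match against the fingerprint recorded from the node's
# console with: ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub
fingerprint_matches() {   # $1 = presented, $2 = recorded
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# Fetch the host key over the network and trust it only if its fingerprint
# matches the recorded one; this removes the interactive yes/no prompt.
trust_host() {   # $1 = host or IP, $2 = recorded fingerprint
    keys=$(ssh-keyscan -t ed25519 "$1" 2>/dev/null) || return 1
    tmp=$(mktemp)
    printf '%s\n' "$keys" > "$tmp"
    fp=$(ssh-keygen -lf "$tmp" | awk '{print $2}')
    rm -f "$tmp"
    fingerprint_matches "$fp" "$2" || { echo "fingerprint mismatch for $1: $fp" >&2; return 1; }
    mkdir -p ~/.ssh && chmod 700 ~/.ssh
    printf '%s\n' "$keys" >> ~/.ssh/known_hosts
}

# The prompt text from the ssh-copy-id transcript above.
SAMPLE_PROMPT="The authenticity of host '192.168.18.203 (192.168.18.203)' can't be established.
ED25519 key fingerprint is SHA256:wtcZmmLytR7WZfrnHHo10ne9RLjmExtEYRAsVeoZdUg.
This key is not known by any other names"

# Demonstration on the transcript text. On the controller, run
#   trust_host 192.168.18.203 "$RECORDED_FP" && ssh-copy-id root@192.168.18.203
# with RECORDED_FP read from the node's console beforehand.
fp=$(printf '%s\n' "$SAMPLE_PROMPT" | presented_fingerprint)
echo "presented fingerprint: $fp"
restrict_pubkey "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAB root@xgk-ctl"   # constructed sample key line
```

After ssh-copy-id, replace the line it appended to /root/.ssh/authorized_keys on the node with the restricted version; the controller still logs in without a password, but the same key is useless from any other address.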