I. Manila service setup
Restart the services
[root@controller ~]# systemctl restart lvm2-lvmetad target openstack-manila-share nfs-server
# Restart lvm2-lvmetad, target, openstack-manila-share and nfs-server
(1) Using the share service
1.1 Create the share type
Create the default_share_type share type with the manila command:
[root@controller ~]# manila type-create default_share_type False
+----------------------+--------------------------------------+
| Property | Value |
+----------------------+--------------------------------------+
| required_extra_specs | driver_handles_share_servers : False |
| Name | default_share_type |
| Visibility | public |
| is_default | YES |
| ID | 23106364-83ba-4507-a13c-7cae69520db0 |
| optional_extra_specs | |
| Description | None |
+----------------------+--------------------------------------+
[root@controller ~]#
List the share types with manila type-list:
[root@controller ~]# manila type-list
+--------------------------------------+--------------------+------------+------------+--------------------------------------+----------------------+-------------+
| ID | Name | visibility | is_default | required_extra_specs | optional_extra_specs | Description |
+--------------------------------------+--------------------+------------+------------+--------------------------------------+----------------------+-------------+
| 23106364-83ba-4507-a13c-7cae69520db0 | default_share_type | public | YES | driver_handles_share_servers : False | | None |
+--------------------------------------+--------------------+------------+------------+--------------------------------------+----------------------+-------------+
1.2 Create the shared directory
Create a 2 GB NFS share named share with the manila command:
[root@controller ~]# manila create NFS 2 --name share
[root@controller ~]# manila list
1.3 Mount the share
Grant the OpenStack management network access to the share with the manila command:
[root@controller ~]# manila access-allow share ip 127.0.0.0/24 --access-level rw
+--------------+--------------------------------------+
| Property | Value |
+--------------+--------------------------------------+
| access_key | None |
| share_id | 8a341fb1-f16d-4855-9a3a-4b93982ba659 |
| created_at | 2023-12-23T06:28:50.000000 |
| updated_at | None |
| access_type | ip |
| access_to | 127.0.0.0/24 |
| access_level | rw |
| state | queued_to_apply |
| id | 5db785c6-7c1a-4a55-b46e-048acf26ff16 |
| metadata | {} |
+--------------+--------------------------------------+
[root@controller ~]#
View the access rules of the share and the networks it is open to:
[root@controller ~]# manila access-list share
+--------------------------------------+-------------+--------------+--------------+--------+------------+----------------------------+------------+
| id | access_type | access_to | access_level | state | access_key | created_at | updated_at |
+--------------------------------------+-------------+--------------+--------------+--------+------------+----------------------------+------------+
| 5db785c6-7c1a-4a55-b46e-048acf26ff16 | ip | 127.0.0.0/24 | rw | active | None | 2023-12-23T06:28:50.000000 | None |
+--------------------------------------+-------------+--------------+--------------+--------+------------+----------------------------+------------+
[root@controller ~]#
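The rule above grants rw access to a whole /24. As an added example that is not part of the original lab, the Python below parses the table printed by manila access-list and reports any rule whose network lies outside an approved list, or that is rw where only ro is approved. The sample table is constructed: its first row mirrors the rule created above, the second row is a hypothetical rule for 0.0.0.0/0 so the check has something to flag; the function names and the approved-network list are this example's assumptions.

```python
import ipaddress

# Constructed sample in the layout of `manila access-list share`: the first row
# mirrors the rule created above, the second is a hypothetical over-broad rule.
SAMPLE_ACCESS_LIST = """\
+--------------------------------------+-------------+--------------+--------------+--------+------------+----------------------------+------------+
| id                                   | access_type | access_to    | access_level | state  | access_key | created_at                 | updated_at |
+--------------------------------------+-------------+--------------+--------------+--------+------------+----------------------------+------------+
| 5db785c6-7c1a-4a55-b46e-048acf26ff16 | ip          | 127.0.0.0/24 | rw           | active | None       | 2023-12-23T06:28:50.000000 | None       |
| 00000000-0000-4000-8000-000000000001 | ip          | 0.0.0.0/0    | rw           | active | None       | 2023-12-23T06:30:00.000000 | None       |
+--------------------------------------+-------------+--------------+--------------+--------+------------+----------------------------+------------+
"""


def parse_cli_table(text):
    """Turn the ASCII table printed by the manila/openstack CLIs into a list of dicts.

    The first '|' line is the header; '+---' separator lines are skipped.
    """
    header, rows = None, []
    for line in text.splitlines():
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if header is None:
            header = cells
        else:
            rows.append(dict(zip(header, cells)))
    return rows


def _within(net, networks):
    """True if `net` is contained in any network of the same IP version in `networks`."""
    return any(net.version == n.version and net.subnet_of(n) for n in networks)


def audit_access_rules(rules, approved_networks, writable_networks=()):
    """Return (rule id, reason) pairs for every rule that violates the access policy.

    approved_networks: CIDRs allowed to reach the share at all.
    writable_networks: the subset allowed access_level rw; empty means any
    approved network may be rw.
    """
    approved = [ipaddress.ip_network(n) for n in approved_networks]
    writable = [ipaddress.ip_network(n) for n in writable_networks]
    findings = []
    for rule in rules:
        rid = rule["id"]
        if rule["access_type"] != "ip":
            findings.append((rid, "access_type %s is not an ip rule" % rule["access_type"]))
            continue
        net = ipaddress.ip_network(rule["access_to"], strict=False)
        if not _within(net, approved):
            findings.append((rid, "%s is outside the approved networks" % net))
        elif rule["access_level"] == "rw" and writable and not _within(net, writable):
            findings.append((rid, "%s has rw access but is only approved for ro" % net))
    return findings


if __name__ == "__main__":
    for rid, reason in audit_access_rules(parse_cli_table(SAMPLE_ACCESS_LIST), ["127.0.0.0/24"]):
        print("FINDING", rid, reason)
```

The same parser works for any of the CLI tables in this lab, since they all share the `|`-delimited layout with a header row first.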
Look up the export path of the share:
[root@controller ~]# manila show share | grep path | cut -d'|' -f3
path = 127.0.0.1:/var/lib/manila/mnt/share-cd085bcf-a237-4211-bb7a-5433ca9bdc34
On the OpenStack controller node, mount the share at /mnt:
[root@controller ~]# mount -t nfs 127.0.0.1:/var/lib/manila/mnt/share-cd085bcf-a237-4211-bb7a-5433ca9bdc34 /mnt
[root@controller ~]#
Check the mounts on the controller node; the export path of the share is mounted at /mnt:
[root@controller ~]# df -Th
Filesystem Type Size Used Avail Use% Mounted on
devtmpfs devtmpfs 5.8G 0 5.8G 0% /dev
tmpfs tmpfs 5.8G 4.0K 5.8G 1% /dev/shm
tmpfs tmpfs 5.8G 17M 5.8G 1% /run
tmpfs tmpfs 5.8G 0 5.8G 0% /sys/fs/cgroup
/dev/vda1 xfs 50G 3.7G 47G 8% /
/dev/loop0 xfs 10G 33M 10G 1% /swift/node/vda6
tmpfs tmpfs 1.2G 0 1.2G 0% /run/user/0
/dev/dm-3 ext4 2.0G 6.0M 1.8G 1% /var/lib/manila/mnt/share-cd085bcf-a237-4211-bb7a-5433ca9bdc34
127.0.0.1:/var/lib/manila/mnt/share-cd085bcf-a237-4211-bb7a-5433ca9bdc34 nfs4 2.0G 6.0M 1.8G 1% /mnt
At this point the Manila shared file service is installed. In a production environment the storage Manila provides is enough to meet user demand; because this is a lab environment, only a single 2 GB share is created for the demonstration. Manila gives users and services a shared file storage space, which is different from what the Cinder and Swift services provide.
II. OpenStack billing service
(1) Using the CloudKitty service
1.1 Flavor-based pricing
Create the instance_test service for cloud hosts with the following command:
[root@controller ~]# openstack rating hashmap service create instance_test
+---------------+--------------------------------------+
| Name | Service ID |
+---------------+--------------------------------------+
| instance_test | 4f2f57ba-060d-4d92-8af8-63f972280ada |
+---------------+--------------------------------------+
[root@controller ~]#
List the hashmap services, then create a field named flavor_name on the service:
[root@controller ~]# openstack rating hashmap service list
+---------------+--------------------------------------+
| Name | Service ID |
+---------------+--------------------------------------+
| instance_test | 4f2f57ba-060d-4d92-8af8-63f972280ada |
+---------------+--------------------------------------+
[root@controller ~]# openstack rating hashmap field create 4f2f57ba-060d-4d92-8af8-63f972280ada flavor_name
+-------------+--------------------------------------+--------------------------------------+
| Name | Field ID | Service ID |
+-------------+--------------------------------------+--------------------------------------+
| flavor_name | 4a3b7b98-7777-4276-9aac-b70b0b827b6f | 4f2f57ba-060d-4d92-8af8-63f972280ada |
+-------------+--------------------------------------+--------------------------------------+
[root@controller ~]#
Set the unit price of a cloud host with flavor m1.small to 1 yuan:
[root@controller ~]# openstack rating hashmap mapping create --field-id 4a3b7b98-7777-4276-9aac-b70b0b827b6f -t flat --value m1.small 1
+--------------------------------------+----------+------------+------+--------------------------------------+------------+----------+------------+
| Mapping ID | Value | Cost | Type | Field ID | Service ID | Group ID | Project ID |
+--------------------------------------+----------+------------+------+--------------------------------------+------------+----------+------------+
| 5ee3847e-63d4-4b29-a1ad-71d477c1f4c2 | m1.small | 1.00000000 | flat | 4a3b7b98-7777-4276-9aac-b70b0b827b6f | None | None | None |
+--------------------------------------+----------+------------+------+--------------------------------------+------------+----------+------------+
[root@controller ~]#
1.2 Create the image service
Create the image billing service image_size_test:
[root@controller ~]# openstack rating hashmap service create image_size_test
+-----------------+--------------------------------------+
| Name | Service ID |
+-----------------+--------------------------------------+
| image_size_test | 414f9219-895c-41cd-838f-9e416cf72862 |
+-----------------+--------------------------------------+
[root@controller ~]#
Set the unit price of this service to 0.8 yuan:
[root@controller ~]# openstack rating hashmap mapping create -s 414f9219-895c-41cd-838f-9e416cf72862 -t flat 0.8
+--------------------------------------+-------+------------+------+----------+--------------------------------------+----------+------------+
| Mapping ID | Value | Cost | Type | Field ID | Service ID | Group ID | Project ID |
+--------------------------------------+-------+------------+------+----------+--------------------------------------+----------+------------+
| 1d75e50e-478f-48cb-9be3-adb5d8e47cde | None | 0.80000000 | flat | None | 414f9219-895c-41cd-838f-9e416cf72862 | None | None |
+--------------------------------------+-------+------------+------+----------+--------------------------------------+----------+------------+
[root@controller ~]#
1.3 Create the discount service
Create a service named dis_tests:
[root@controller ~]# openstack rating hashmap service create dis_tests
+-----------+--------------------------------------+
| Name | Service ID |
+-----------+--------------------------------------+
| dis_tests | d4ee1de1-2ab2-419d-a4ba-82ba06742535 |
+-----------+--------------------------------------+
Set the unit price of the dis_tests service to 0.8 yuan:
[root@controller ~]# openstack rating hashmap mapping create -s d4ee1de1-2ab2-419d-a4ba-82ba06742535 -t flat 0.8
+--------------------------------------+-------+------------+------+----------+--------------------------------------+----------+------------+
| Mapping ID | Value | Cost | Type | Field ID | Service ID | Group ID | Project ID |
+--------------------------------------+-------+------------+------+----------+--------------------------------------+----------+------------+
| 2c134e62-28af-41fb-a21b-0a0031113637 | None | 0.80000000 | flat | None | d4ee1de1-2ab2-419d-a4ba-82ba06742535 | None | None |
+--------------------------------------+-------+------------+------+----------+--------------------------------------+----------+------------+
[root@controller ~]#
Give the dis_tests service a 20% discount (rate 0.8) once its usage exceeds 10000:
[root@controller ~]# openstack rating hashmap threshold create -s d4ee1de1-2ab2-419d-a4ba-82ba06742535 -t rate 10000 0.8
+--------------------------------------+----------------+------------+------+----------+--------------------------------------+----------+------------+
| Threshold ID | Level | Cost | Type | Field ID | Service ID | Group ID | Project ID |
+--------------------------------------+----------------+------------+------+----------+--------------------------------------+----------+------------+
| 70557127-d1fa-4c07-99ee-ba1b96b21428 | 10000.00000000 | 0.80000000 | rate | None | d4ee1de1-2ab2-419d-a4ba-82ba06742535 | None | None |
+--------------------------------------+----------------+------------+------+----------+--------------------------------------+----------+------------+
[root@controller ~]#
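As an added example that is not part of the original lab or of CloudKitty itself, the Python below models the three hashmap rules created above (a per-flavor flat price, a service-level flat price, and a rate threshold) so the resulting charges can be computed offline. The class name, the rule semantics it encodes (flat mappings add a per-unit price, rate mappings and thresholds multiply it, and of the thresholds reached the highest level wins) and the sample quantities are assumptions of this example; the service names, prices and threshold level are the ones configured in the lab.

```python
from decimal import Decimal


class HashmapService:
    """Simplified model of one CloudKitty hashmap service.

    Assumption of this example (not CloudKitty's own engine): 'flat' mappings add
    a per-unit price, 'rate' mappings and thresholds multiply it, and among the
    thresholds whose level is <= the metered quantity only the highest applies.
    """

    def __init__(self, name):
        self.name = name
        self.service_mappings = []   # [(type, cost)] applied to every unit
        self.field_mappings = {}     # field -> {value: (type, cost)}
        self.thresholds = []         # [(level, type, cost)]

    def add_mapping(self, map_type, cost, field=None, value=None):
        """Service-level mapping when field is None, else a mapping on field == value."""
        entry = (map_type, Decimal(str(cost)))
        if field is None:
            self.service_mappings.append(entry)
        else:
            self.field_mappings.setdefault(field, {})[value] = entry
        return self

    def add_threshold(self, level, map_type, cost):
        self.thresholds.append((Decimal(str(level)), map_type, Decimal(str(cost))))
        return self

    def price(self, quantity, **fields):
        """Charge for `quantity` units, given the metered field values (e.g. flavor_name)."""
        qty = Decimal(str(quantity))
        applicable = list(self.service_mappings)
        for field, value in fields.items():
            mapping = self.field_mappings.get(field, {}).get(value)
            if mapping:
                applicable.append(mapping)
        reached = [t for t in self.thresholds if t[0] <= qty]
        if reached:
            _, t_type, t_cost = max(reached, key=lambda t: t[0])
            applicable.append((t_type, t_cost))
        flat, rate = Decimal(0), Decimal(1)
        for map_type, cost in applicable:
            if map_type == "flat":
                flat += cost
            elif map_type == "rate":
                rate *= cost
            else:
                raise ValueError("unknown mapping type %s" % map_type)
        return qty * flat * rate


# The three services configured in the lab above, reproduced as model objects.
instance_test = HashmapService("instance_test").add_mapping("flat", 1, field="flavor_name", value="m1.small")
image_size_test = HashmapService("image_size_test").add_mapping("flat", 0.8)
dis_tests = HashmapService("dis_tests").add_mapping("flat", 0.8).add_threshold(10000, "rate", 0.8)

if __name__ == "__main__":
    print("24 units of m1.small:", instance_test.price(24, flavor_name="m1.small"))
    print("5 units of image size:", image_size_test.price(5))
    print("dis_tests below and above the threshold:", dis_tests.price(9999), dis_tests.price(12000))
```

Decimal is used rather than float so the 0.8 rates compose without rounding noise, which matters when a rating figure is reconciled against what the service reports.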
The CloudKitty billing service is now installed; the exercise above only covers the environment operations needed to become familiar with the CloudKitty billing service.
III. OpenStack key manager service
(1) Using the Barbican service
Create a secret named secret01 with the openstack command:
[root@controller ~]# source /etc/keystone/admin-openrc.sh
[root@controller ~]# openstack secret store --name secret01 --payload secretkey
+---------------+------------------------------------------------------------------------+
| Field | Value |
+---------------+------------------------------------------------------------------------+
| Secret href | http://controller:9311/v1/secrets/d8404bef-337b-456e-a77b-def732a1eaef |
| Name | secret01 |
| Created | None |
| Status | None |
| Content types | None |
| Algorithm | aes |
| Bit length | 256 |
| Secret type | opaque |
| Mode | cbc |
| Expiration | None |
+---------------+------------------------------------------------------------------------+
[root@controller ~]#
List the secrets:
[root@controller ~]# openstack secret list
+------------------------------------------------------------------------+----------+---------------------------+--------+-----------------------------+-----------+------------+-------------+------+------------+
| Secret href | Name | Created | Status | Content types | Algorithm | Bit length | Secret type | Mode | Expiration |
+------------------------------------------------------------------------+----------+---------------------------+--------+-----------------------------+-----------+------------+-------------+------+------------+
| http://controller:9311/v1/secrets/d8404bef-337b-456e-a77b-def732a1eaef | secret01 | 2023-12-23T09:15:14+00:00 | ACTIVE | {u'default': u'text/plain'} | aes | 256 | opaque | cbc | None |
+------------------------------------------------------------------------+----------+---------------------------+--------+-----------------------------+-----------+------------+-------------+------+------------+
[root@controller ~]#
Retrieve the metadata of secret01:
[root@controller ~]# openstack secret get http://controller:9311/v1/secrets/d8404bef-337b-456e-a77b-def732a1eaef
+---------------+------------------------------------------------------------------------+
| Field | Value |
+---------------+------------------------------------------------------------------------+
| Secret href | http://controller:9311/v1/secrets/d8404bef-337b-456e-a77b-def732a1eaef |
| Name | secret01 |
| Created | 2023-12-23T09:15:14+00:00 |
| Status | ACTIVE |
| Content types | {u'default': u'text/plain'} |
| Algorithm | aes |
| Bit length | 256 |
| Secret type | opaque |
| Mode | cbc |
| Expiration | None |
+---------------+------------------------------------------------------------------------+
[root@controller ~]#
Retrieve the payload of secret01:
[root@controller ~]# openstack secret get http://controller:9311/v1/secrets/d8404bef-337b-456e-a77b-def732a1eaef --payload
+---------+-----------+
| Field | Value |
+---------+-----------+
| Payload | secretkey |
+---------+-----------+
[root@controller ~]#
Generate and store a key with the openstack command:
[root@controller ~]# openstack secret order create --name sercret02 --algorithm aes --bit-length 256 --mode cbc --payload-content-type application/octet-stream key
+----------------+-----------------------------------------------------------------------+
| Field | Value |
+----------------+-----------------------------------------------------------------------+
| Order href | http://controller:9311/v1/orders/2321a54c-9634-4857-bb7a-fa5e5d27d214 |
| Type | Key |
| Container href | N/A |
| Secret href | None |
| Created | None |
| Status | None |
| Error code | None |
| Error message | None |
+----------------+-----------------------------------------------------------------------+
[root@controller ~]#
List the key orders:
[root@controller ~]# openstack secret order list
+-----------------------------------------------------------------------+------+----------------+------------------------------------------------------------------------+---------------------------+--------+------------+---------------+
| Order href | Type | Container href | Secret href | Created | Status | Error code | Error message |
+-----------------------------------------------------------------------+------+----------------+------------------------------------------------------------------------+---------------------------+--------+------------+---------------+
| http://controller:9311/v1/orders/2321a54c-9634-4857-bb7a-fa5e5d27d214 | Key | N/A | http://controller:9311/v1/secrets/4b71627d-2337-4d6d-8941-b90c4797f233 | 2023-12-23T09:21:35+00:00 | ACTIVE | None | None |
+-----------------------------------------------------------------------+------+----------------+------------------------------------------------------------------------+---------------------------+--------+------------+---------------+
[root@controller ~]#
Show the generated key order:
[root@controller ~]# openstack secret order get http://controller:9311/v1/orders/2321a54c-9634-4857-bb7a-fa5e5d27d214
+----------------+------------------------------------------------------------------------+
| Field | Value |
+----------------+------------------------------------------------------------------------+
| Order href | http://controller:9311/v1/orders/2321a54c-9634-4857-bb7a-fa5e5d27d214 |
| Type | Key |
| Container href | N/A |
| Secret href | http://controller:9311/v1/secrets/4b71627d-2337-4d6d-8941-b90c4797f233 |
| Created | 2023-12-23T09:21:35+00:00 |
| Status | ACTIVE |
| Error code | None |
| Error message | None |
+----------------+------------------------------------------------------------------------+
[root@controller ~]#
Show the metadata of the generated key:
[root@controller ~]# openstack secret get http://controller:9311/v1/secrets/4b71627d-2337-4d6d-8941-b90c4797f233
+---------------+------------------------------------------------------------------------+
| Field | Value |
+---------------+------------------------------------------------------------------------+
| Secret href | http://controller:9311/v1/secrets/4b71627d-2337-4d6d-8941-b90c4797f233 |
| Name | sercret02 |
| Created | 2023-12-23T09:21:35+00:00 |
| Status | ACTIVE |
| Content types | {u'default': u'application/octet-stream'} |
| Algorithm | aes |
| Bit length | 256 |
| Secret type | symmetric |
| Mode | cbc |
| Expiration | None |
+---------------+------------------------------------------------------------------------+
[root@controller ~]#
At this point the Barbican key manager service is installed; the exercise above only covers the environment operations needed to become familiar with the Barbican key service.
IV. OpenStack VPNaaS service
(1) Installing the OpenStack VPNaaS service
Configure the CentOS and IaaS yum repositories (not covered here), then run the installation script:
[root@controller ~]# iaas-install-fwaas-and-vpnaas.sh
(2) Using the OpenStack VPNaaS service
2.1 VPNaaS network topology
Within a single cluster, two different tenants (admin and demo) each create an internal network, net1 and net2, and attach them to the routers route1 and route2 respectively. A shared external network, ext-net, carries the VPNaaS tunnel, so that instances on the two tenants' networks can reach each other. The topology used for verification is shown below:
(100.0.1.0/24 – admin tenant)
|
| 100.0.1.1
[route1]
| 100.0.0.11
|
[ext-net]
|-------------------VPNaaS service
[ext-net]
|
| 100.0.0.22
[route2]
| 10.2.0.1
|
(100.0.2.0/24 – demo tenant)
2.2 Create the router networks
In /root on the controller node, write the router-network creation script route-net-build.sh with the following content:
[root@controller ~]# cat route-net-build.sh
#!/bin/bash
# stop at the first failed command so a half-built topology is not left behind
set -e
# admin tenant: create the router networks
source /etc/keystone/admin-openrc.sh
# create the external (vxlan) network
openstack network create --external --share ext-net
openstack subnet create --subnet-range 100.0.0.0/24 --gateway 100.0.0.1 --network ext-net ext-subnet
# create the internal vxlan network net1
openstack network create net1
openstack subnet create --subnet-range 100.0.1.0/24 --gateway 100.0.1.1 --network net1 net1
# create router route1 with gateway 100.0.0.11 and attach the internal network net1
openstack router create route1
openstack router set --external-gateway ext-net --fixed-ip subnet=ext-subnet,ip-address=100.0.0.11 route1
openstack router add subnet route1 net1
# demo tenant: create the router networks
source /etc/keystone/demo-openrc.sh
# create the internal vxlan network net2
openstack network create net2
openstack subnet create --subnet-range 100.0.2.0/24 --gateway 100.0.2.1 --network net2 net2
# create route2 with gateway 100.0.0.22 and attach the internal network net2
openstack router create route2
source /etc/keystone/admin-openrc.sh
openstack router add subnet route2 net2
openstack router set --external-gateway ext-net --fixed-ip subnet=ext-subnet,ip-address=100.0.0.22 route2
[root@controller ~]#
Make route-net-build.sh executable:
[root@controller ~]# chmod +x route-net-build.sh
Run route-net-build.sh to create the router networks:
[root@controller ~]# ./route-net-build.sh
2.3 Build the VPN connection
Create the VPN connection in the admin tenant; --peer-address is the gateway address 100.0.0.22 of the demo tenant's router route2. The commands are as follows.
[root@controller ~]# source /etc/keystone/admin-openrc.sh
[root@controller ~]# openstack vpn ike policy create ikepolicy1
+-------------------------------+----------------------------------------+
| Field | Value |
+-------------------------------+----------------------------------------+
| Authentication Algorithm | sha1 |
| Description | |
| Encryption Algorithm | aes-128 |
| ID | 2a6e1c1f-a5c9-49f6-9d5d-c8dba4a42081 |
| IKE Version | v1 |
| Lifetime | {u'units': u'seconds', u'value': 3600} |
| Name | ikepolicy1 |
| Perfect Forward Secrecy (PFS) | group5 |
| Phase1 Negotiation Mode | main |
| Project | 0b6f2d0be1d342e09edc31dc841db7a5 |
| project_id | 0b6f2d0be1d342e09edc31dc841db7a5 |
+-------------------------------+----------------------------------------+
[root@controller ~]#
[root@controller ~]# openstack vpn ipsec policy create ipsecpolicy1
+-------------------------------+----------------------------------------+
| Field | Value |
+-------------------------------+----------------------------------------+
| Authentication Algorithm | sha1 |
| Description | |
| Encapsulation Mode | tunnel |
| Encryption Algorithm | aes-128 |
| ID | 3049e3bb-f196-45f5-b381-c0f6d9725b5f |
| Lifetime | {u'units': u'seconds', u'value': 3600} |
| Name | ipsecpolicy1 |
| Perfect Forward Secrecy (PFS) | group5 |
| Project | 0b6f2d0be1d342e09edc31dc841db7a5 |
| Transform Protocol | esp |
| project_id | 0b6f2d0be1d342e09edc31dc841db7a5 |
+-------------------------------+----------------------------------------+
[root@controller ~]# openstack vpn service create --router route1 --subnet net1 vpn1
[root@controller ~]# openstack vpn ipsec site connection create vpnconnectiona --vpnservice vpn1 --ikepolicy ikepolicy1 --ipsecpolicy ipsecpolicy1 --peer-address 100.0.0.22 --peer-id 100.0.0.22 --peer-cidr 100.0.2.0/24 --psk secret
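Both policies above were created with the CLI defaults (sha1, aes-128, group5, and IKE v1 for the IKE policy). As an added example that is not part of the original lab, the Python below checks such policy settings against a minimum baseline and lists what falls short. The two policy dicts carry the values printed above; the baseline itself (SHA-2 integrity, AES, the 2048-bit group14, IKEv2, lifetimes of at most one hour) and the function name are this example's assumptions, not something the lab or OpenStack prescribes.

```python
# Policy values as printed by the `openstack vpn ike policy create` and
# `openstack vpn ipsec policy create` commands above (CLI defaults).
LAB_IKE_POLICY = {
    "Authentication Algorithm": "sha1",
    "Encryption Algorithm": "aes-128",
    "IKE Version": "v1",
    "Perfect Forward Secrecy (PFS)": "group5",
    "Lifetime": {"units": "seconds", "value": 3600},
}
LAB_IPSEC_POLICY = {
    "Authentication Algorithm": "sha1",
    "Encryption Algorithm": "aes-128",
    "Encapsulation Mode": "tunnel",
    "Transform Protocol": "esp",
    "Perfect Forward Secrecy (PFS)": "group5",
    "Lifetime": {"units": "seconds", "value": 3600},
}

# Baseline assumed by this example (not an OpenStack default).
BASELINE = {
    "auth": {"sha256", "sha384", "sha512"},
    "enc": {"aes-128", "aes-192", "aes-256"},
    "pfs": {"group14"},
    "ike_version": {"v2"},
    "max_lifetime_seconds": 3600,
}


def check_policy(policy, is_ike, baseline=BASELINE):
    """Return the settings in `policy` that fall below `baseline`; an empty list means compliant."""
    findings = []
    auth = policy.get("Authentication Algorithm")
    if auth not in baseline["auth"]:
        findings.append("auth algorithm %s; expected one of %s" % (auth, sorted(baseline["auth"])))
    enc = policy.get("Encryption Algorithm")
    if enc not in baseline["enc"]:
        findings.append("encryption algorithm %s; expected one of %s" % (enc, sorted(baseline["enc"])))
    pfs = policy.get("Perfect Forward Secrecy (PFS)")
    if pfs not in baseline["pfs"]:
        findings.append("PFS group %s; expected one of %s" % (pfs, sorted(baseline["pfs"])))
    if is_ike:
        version = policy.get("IKE Version")
        if version not in baseline["ike_version"]:
            findings.append("IKE version %s; expected one of %s" % (version, sorted(baseline["ike_version"])))
    else:
        # AH authenticates without encrypting; a site-to-site tunnel needs ESP in tunnel mode
        if policy.get("Transform Protocol") != "esp" or policy.get("Encapsulation Mode") != "tunnel":
            findings.append("expected transform protocol esp in tunnel mode")
    lifetime = policy.get("Lifetime", {})
    seconds = lifetime.get("value") if lifetime.get("units") == "seconds" else None
    if seconds is None or seconds > baseline["max_lifetime_seconds"]:
        findings.append("lifetime %s exceeds %d seconds" % (lifetime, baseline["max_lifetime_seconds"]))
    return findings


if __name__ == "__main__":
    for name, policy, is_ike in (("ikepolicy1", LAB_IKE_POLICY, True), ("ipsecpolicy1", LAB_IPSEC_POLICY, False)):
        for finding in check_policy(policy, is_ike):
            print(name + ":", finding)
```

On the CLI used above, the corresponding settings are chosen at creation time with --auth-algorithm, --encryption-algorithm, --pfs and, for the IKE policy, --ike-version; which values to require is a site decision, and the baseline in this example is only one reasonable choice.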