I. OpenStack environment preparation
- All 5 hosts are minimal installs of the OS
- Rename the NICs during the minimal install
Pass the kernel parameters net.ifnames=0 biosdevname=0 so that the NICs are named eth0, ethX:
When the installer screen appears, use the up/down keys to move to the first line (Install CentOS Linux 7), then press Tab to get the line where the parameters are entered
Initialize the minimally installed system
yum install vim iotop bc gcc gcc-c++ glibc glibc-devel pcre \
pcre-devel openssl openssl-devel zip unzip zlib-devel net-tools \
lrzsz tree ntpdate telnet lsof tcpdump wget libevent libevent-devel \
bc systemd-devel bash-completion traceroute net-tools -y
- Stop NetworkManager and disable it at boot
- Stop the firewalld firewall and disable it at boot
- Disable SELinux by editing its configuration file
- Kernel tuning files:
a. kernel parameters: /etc/sysctl.conf
b. resource limits: /etc/security/limits.conf
If NIC bonding is going to be used, install the bridge-utils package; it is needed on the physical hosts
- Define the hostname of each of the 5 hosts in /etc/hostname:
Note: the compute-node hostnames must be unique, otherwise errors occur later
- Set up HAProxy and keepalived load balancing
root@lb1:~# vim /etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
notification_email {
acassen
}
notification_email_from Alexandre.Cassen@firewall.loc
smtp_server 192.168.200.1
smtp_connect_timeout 30
router_id LVS_DEVEL
}
vrrp_instance VI_1 {
state MASTER
interface eth0
virtual_router_id 50
#nopreempt
priority 100
advert_int 1
virtual_ipaddress {
172.20.6.248 dev eth0 label eth0:0
}
}
root@lb1:~# cat /etc/haproxy/haproxy.cfg
global
maxconn 100000
#chroot /usr/local/haproxy
#stats socket /var/lib/haproxy/haproxy.sock mode 600 level admin
uid 99
gid 99
daemon
nbproc 4
cpu-map 1 0
cpu-map 2 1
cpu-map 3 2
cpu-map 4 3
#pidfile /usr/local/haproxy/run/haproxy.pid
log 127.0.0.1 local3 info
defaults
option http-keep-alive
option forwardfor
maxconn 100000
mode http
timeout connect 300000ms
timeout client 300000ms
timeout server 300000ms
listen stats
mode http
bind 0.0.0.0:9999
stats enable
log global
stats uri /haproxy-status
stats auth haadmin:q1w2e3r4ys
root@lb1:~# systemctl enable keepalived && systemctl start keepalived
systemctl enable haproxy && systemctl start haproxy
- Time synchronisation on all servers
Run the following command on every server, or put the entry directly into crontab -e
echo "*/2 * * * * /usr/sbin/ntpdate 172.20.0.1 && /usr/sbin/hwclock -w" >> /var/spool/cron/root   # root's crontab file, not the mail spool
- Enable the OpenStack repository
Install on all servers
yum install centos-release-openstack-ocata
- Install on the controller (management node) and the compute nodes
yum install python-openstackclient -y
- If SELinux is enabled, the following must be installed on all nodes
8. If the controller and
RHEL and CentOS enable [SELinux](https://docs.openstack.org/ocata/zh_CN/install-guide-rdo/common/glossary.html#term-selinux) by default. Install the `openstack-selinux` package to manage the security policies for the OpenStack services automatically:
Install on all controller and compute nodes
# yum install openstack-selinux
- Install and configure components
Install on the controller
If the controller and the MySQL service are not on the same server, the controller needs the following two packages
# yum install mariadb python2-PyMySQL
Install on the MySQL server
Note: in this lab RabbitMQ, Memcached and MySQL are installed on the same server
# yum install mariadb mariadb-server
Create and edit /etc/my.cnf.d/openstack.cnf
[root@mysql ~]# vim /etc/my.cnf.d/openstack.cnf
bind-address = 172.20.6.103   # note: listening address, set to this host's own address
default-storage-engine = innodb
innodb_file_per_table = on
max_connections = 4096
collation-server = utf8_general_ci
character-set-server = utf8
Start the service and enable it at boot
[root@mysql ~]# systemctl enable mariadb.service && systemctl start mariadb.service
Secure the installation
[root@mysql ~]# mysql_secure_installation
Test that the database can be reached locally
[root@mysql ~]# mysql -uroot -p123456
- Message queue: RabbitMQ
Install and configure components
- Install the package
[root@mysql ~]# yum install rabbitmq-server
- Start the message queue service and enable it at boot
[root@mysql ~]# systemctl start rabbitmq-server.service && systemctl enable rabbitmq-server.service
Two ports are open after start-up:
25672: used for cluster communication
5672: used by clients
- Add the openstack user:
[root@mysql ~]# rabbitmqctl add_user openstack 123456
- Grant the openstack user write and read permissions
rabbitmqctl set_permissions openstack ".*" ".*" ".*"
- Enable the RabbitMQ web management plugin
[root@mysql ~]# rabbitmq-plugins enable rabbitmq_management
Port 15672 is now open as well
The RabbitMQ web interface can now be opened in a browser
The default login account and password are both guest
- Cache service: Memcached
Install and configure components
- Install the package on the controller
[root@controller1 ~]# yum -y install python-memcached
If the controller and Memcached are on the same server, the python-memcached package does not need to be installed separately
- Install the package
[root@mysql ~]# yum install memcached -y
Edit the configuration file
[root@mysql ~]# vim /etc/sysconfig/memcached
PORT="11211"
USER="memcached"
MAXCONN="4096"
CACHESIZE="128"   # note: in production this can be larger, 1g or more; the unit here is MB
OPTIONS="-l 0.0.0.0,::1"   # listen address: the host's own address, or 0.0.0.0 for all local addresses
- Start the Memcached service and enable it at boot.
[root@mysql ~]# systemctl start memcached.service && systemctl enable memcached.service
- Verify the ports
# ss -tnl
- Add the ports of the services above to the HAProxy configuration file
root@lb1:~# vim /etc/haproxy/haproxy.cfg
...
listen opnestack_mysql_port_3306
bind 172.20.6.248:3306
mode tcp
log global
server 172.20.6.103 172.20.6.103:3306 check inter 3000 fall 2 rise 5
listen opnestack_mysql_port_5672
bind 172.20.6.248:5672
mode tcp
log global
server 172.20.6.103 172.20.6.103:5672 check inter 3000 fall 2 rise 5
listen opnestack_mysql_port_11211
bind 172.20.6.248:11211
mode tcp
log global
server 172.20.6.103 172.20.6.103:11211 check inter 3000 fall 2 rise 5
root@lb1:~# ss -tnl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 172.20.6.248:5672 0.0.0.0:*
LISTEN 0 128 172.20.6.248:3306 0.0.0.0:*
LISTEN 0 128 172.20.6.248:11211 0.0.0.0:*
LISTEN 0 128 0.0.0.0:9999 0.0.0.0:*
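The notes add one listen block per backend port by hand, and the block names drift along the way (later a block called opnestack_mysql_port_35357 fronts Keystone). The shell script below is an added example, not part of the original notes: it renders the blocks from a port list in the same shape used above, extracts the bound ports so they can be compared with the ss -tnl output, and lists any bind on all interfaces, such as the stats listener's bind 0.0.0.0:9999, which is protected only by stats auth and is worth restricting to a management address. The VIP 172.20.6.248 and backend 172.20.6.103 are the values from the notes; the openstack_<service>_port_<n> names are this example's own choice.

```shell
#!/bin/bash
# Added example, not part of the original notes. Renders HAProxy TCP
# "listen" blocks from a port list (VIP and backend as in the notes),
# extracts the bound ports, and lists binds on every interface.

# haproxy_listen NAME VIP PORT BACKEND_IP [BACKEND_PORT]
# Prints one listen block in the shape the notes use for the data services.
haproxy_listen() {
  name=$1 vip=$2 port=$3 backend=$4 bport=${5:-$3}
  printf 'listen %s\n' "$name"
  printf '  bind %s:%s\n' "$vip" "$port"
  printf '  mode tcp\n'
  printf '  log global\n'
  printf '  server %s %s:%s check inter 3000 fall 2 rise 5\n' "$backend" "$backend" "$bport"
}

# haproxy_render VIP BACKEND_IP PORT... -> one block per port, named
# openstack_<service>_port_<port> (the naming is this example's own choice)
haproxy_render() {
  vip=$1 backend=$2
  shift 2
  for p in "$@"; do
    case $p in
      3306)       svc=mysql ;;
      5672)       svc=rabbitmq ;;
      11211)      svc=memcached ;;
      5000|35357) svc=keystone ;;
      9191|9292)  svc=glance ;;
      *)          svc=tcp ;;
    esac
    haproxy_listen "openstack_${svc}_port_${p}" "$vip" "$p" "$backend"
  done
}

# haproxy_binds CONFIG -> the port of every bind line, to diff against
# "ss -tnl" on the load balancer after a reload
haproxy_binds() {
  awk '$1 == "bind" { n = split($2, a, ":"); print a[n] }' "$1"
}

# haproxy_open_binds CONFIG -> bind lines that listen on all interfaces
# (0.0.0.0, * or ::), e.g. the stats listener in the notes
haproxy_open_binds() {
  awk '$1 == "bind" && $2 ~ /^(0\.0\.0\.0|\*|::):/ { print $2 }' "$1"
}

# Demo: render the three data-service frontends from the notes into a temp
# file and inspect it; on the real LB, "haproxy -c -f /etc/haproxy/haproxy.cfg"
# syntax-checks the merged file before "systemctl restart haproxy".
cfg=$(mktemp)
haproxy_render 172.20.6.248 172.20.6.103 3306 5672 11211 > "$cfg"
cat "$cfg"
echo "bound ports: $(haproxy_binds "$cfg" | tr '\n' ' ')"
echo "binds on all interfaces: $(haproxy_open_binds "$cfg" | tr '\n' ' ')(none expected here)"
rm -f "$cfg"
```

Appending the rendered output to haproxy.cfg and running haproxy -c -f on it before the restart catches a malformed block before it takes the VIP down.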
- Test from the controller node whether the VIP 172.20.6.248 forwards to the backend server
[root@controller1 ~]# telnet 172.20.6.248 3306
Trying 172.20.6.248...
Connected to 172.20.6.248.
Escape character is '^]'.
[root@controller1 ~]# telnet 172.20.6.248 5672
Trying 172.20.6.248...
Connected to 172.20.6.248.
Escape character is '^]'.
Connection closed by foreign host.
[root@controller1 ~]# telnet 172.20.6.248 11211
Trying 172.20.6.248...
Connected to 172.20.6.248.
Escape character is '^]'.
II. Identity service: Keystone
- Installation and configuration
1.1 Prerequisites
Run on the database server
Connect to the database server as root with the database client
[root@mysql ~]# mysql -uroot -p123456
Create the keystone database:
MariaDB [(none)]> CREATE DATABASE keystone;
Grant proper access to the `keystone` database:
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone123';
1.2 Test
[root@controller1 ~]# mysql -ukeystone -pkeystone123 -h172.20.6.103   # direct connection test
[root@controller1 ~]# mysql -ukeystone -pkeystone123 -h172.20.6.248   # connection forwarded through the VIP
1.3 Install and configure components
- Run the following command on the controller to install the packages.
[root@controller1 ~]# yum install openstack-keystone httpd mod_wsgi -y
[root@controller1 ~]# vim /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
172.20.6.248 openstack-linux36-vip.magedu.net   # the VIP, reached by hostname
- Edit /etc/keystone/keystone.conf and complete the following
[root@controller1 ~]# openssl rand -hex 10   # generate a temporary token
b4187ef9694d7313e5a7
Configure the file as follows
cat /etc/keystone/keystone.conf
[DEFAULT]
admin_token = b4187ef9694d7313e5a7
[database]
connection = mysql+pymysql://keystone:keystone123@openstack-linux36-vip.magedu.net/keystone
[memcache]
[token]
provider = fernet
- Initialize and verify the database
Note: this creates the default tables in the database
[root@controller1 ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone
[root@mysql ~]# mysql -uroot -p123456
Database changed
MariaDB [keystone]> show tables;
+------------------------+
| Tables_in_keystone |
+------------------------+
| access_token |
| assignment |
| config_register |
| consumer |
| credential
- Keystone log file:
[root@controller1 ~]# ll /var/log/keystone/keystone.log
-rw-rw---- 1 root keystone 12884 Jun 24 18:31 /var/log/keystone/keystone.log
- Initialize the Fernet and credential keys and verify
[root@controller1 ~]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
[root@controller1 ~]# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
[root@controller1 ~]# ll /etc/keystone/fernet-keys/
total 8
-rw------- 1 keystone keystone 44 Jun 24 18:36 0
-rw------- 1 keystone keystone 44 Jun 24 18:36 1
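Two checks worth running on the identity node once bootstrap is done, given as an added example rather than part of the original notes. The admin_token placed in keystone.conf above is a bootstrap credential that authenticates as admin without any password, so once the admin user exists and password authentication works it should be commented out again. The Fernet key repository that keystone-manage fernet_setup creates must keep the 0700/0600 modes shown in the listing, because anyone able to read the keys can forge tokens. Paths are passed explicitly so the functions can be tried on copies; the demo data is constructed in a temporary directory, and GNU stat -c (CentOS 7) is assumed for the mode checks.

```shell
#!/bin/bash
# Added example, not part of the original notes: post-bootstrap checks for
# the identity node. GNU stat (CentOS 7) is assumed for the mode checks.

# admin_token_state CONF -> "set" if an uncommented admin_token line in CONF
# carries a value, otherwise "unset". The notes put the bootstrap token in
# [DEFAULT] of /etc/keystone/keystone.conf.
admin_token_state() {
  if grep -Eq '^[[:space:]]*admin_token[[:space:]]*=[[:space:]]*[^[:space:]]' "$1"; then
    echo set
  else
    echo unset
  fi
}

# disable_admin_token CONF -> comments the line out in place (what to run on
# the real file once "openstack token issue" works with the admin password)
disable_admin_token() {
  sed -i 's/^[[:space:]]*admin_token[[:space:]]*=.*/#admin_token = <None>/' "$1"
}

# fernet_perms DIR -> "ok" when DIR is 0700 and every key file in it is 0600
# (what keystone-manage fernet_setup creates); otherwise "bad:" followed by
# the offenders as name:mode. Ownership (keystone:keystone in the notes) is
# printed separately because the demo below cannot create that user.
fernet_perms() {
  dir=$1 bad=""
  [ "$(stat -c %a "$dir")" = 700 ] || bad="$bad dir:$(stat -c %a "$dir")"
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    m=$(stat -c %a "$f")
    [ "$m" = 600 ] || bad="$bad $(basename "$f"):$m"
  done
  if [ -z "$bad" ]; then echo ok; else echo "bad:${bad# }"; fi
}

# Demo on constructed copies in a temp dir (not the live files): a
# keystone.conf fragment with the token from the notes still active, and a
# fake key repository laid out like /etc/keystone/fernet-keys.
work=$(mktemp -d)
printf '[DEFAULT]\nadmin_token = b4187ef9694d7313e5a7\n[token]\nprovider = fernet\n' > "$work/keystone.conf"
echo "admin_token before: $(admin_token_state "$work/keystone.conf")"
disable_admin_token "$work/keystone.conf"
echo "admin_token after:  $(admin_token_state "$work/keystone.conf")"

mkdir -m 700 "$work/fernet-keys"
for k in 0 1; do : > "$work/fernet-keys/$k"; chmod 600 "$work/fernet-keys/$k"; done
echo "fernet-keys perms: $(fernet_perms "$work/fernet-keys")"
echo "fernet-keys owner: $(stat -c %U:%G "$work/fernet-keys") (expect keystone:keystone on the controller)"
rm -rf "$work"
```

On the controller the same functions run against /etc/keystone/keystone.conf and /etc/keystone/fernet-keys; a restart of httpd is needed after the token line is commented out.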
1.4 Configure the Apache HTTP server
Note: Keystone is served through Apache, which fronts the Python (WSGI) application
- Edit the Apache configuration file
[root@controller1 ~]# vim /etc/httpd/conf/httpd.conf
...
ServerName 172.20.6.101:80
- Symlink the configuration file
[root@controller1 ~]# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
- Start Apache:
[root@controller1 ~]# systemctl start httpd && systemctl enable httpd
- Verify the ports
- Create domains, projects, users and roles
2.1 Use the admin token to set the environment variables for the following operations:
[root@controller1 ~]# export OS_TOKEN=b4187ef9694d7313e5a7
[root@controller1 ~]# export OS_URL=http://172.20.6.101:35357/v3
[root@controller1 ~]# export OS_IDENTITY_API_VERSION=3
2.2 Create the default domain
# This only succeeds if the environment variables from the previous step are set; otherwise an unauthenticated error is returned.
# Command format: openstack domain create --description "description" domain-name
[root@controller1 ~]# openstack domain create --description "Default Domain" default
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Default Domain |
| enabled | True |
| id | cbdbfa70fb1c4b0d9b0d37650f848599 |
| name | default |
+-------------+----------------------------------+
2.3 Create an admin project:
# Command format: openstack project create --domain domain --description "description" project-name
[root@controller1 ~]# openstack project create --domain default --description "Admin Project" admin
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Admin Project |
| domain_id | cbdbfa70fb1c4b0d9b0d37650f848599 |
| enabled | True |
| id | 2c101bf8498c42a484c9ff26b1a5d802 |
| is_domain | False |
| name | admin |
| parent_id | cbdbfa70fb1c4b0d9b0d37650f848599 |
+-------------+----------------------------------+
2.4 Create the admin user and set its password to admin:
[root@controller1 ~]# openstack user create --domain default --password-prompt admin
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | cbdbfa70fb1c4b0d9b0d37650f848599 |
| enabled | True |
| id | a165b86a52164af2bf6852d297e9e911 |
| name | admin |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+
2.5 Create the admin role:
A project can contain multiple roles; at present only roles already defined in /etc/keystone/policy.json should be created
[root@controller1 ~]# openstack role create admin
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | None |
| id | a30e5cd6ab904309a0b09627a95aba11 |
| name | admin |
+-----------+----------------------------------+
2.6 Grant the admin user its role
Give the admin user the admin role in the admin project, i.e. add a user named admin to the admin project and put it in the admin role; a role is a collection of permissions
[root@controller1 ~]# openstack role add --project admin --user admin admin
2.7 Create the demo project
This project can be used for demonstrations and testing
- Create the demo project
[root@controller1 ~]# openstack project create --domain default --description "Demo Project" demo
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Demo Project |
| domain_id | cbdbfa70fb1c4b0d9b0d37650f848599 |
| enabled | True |
| id | a43d0e07295546f0a4c2c5987073863b |
| is_domain | False |
| name | demo |
| parent_id | cbdbfa70fb1c4b0d9b0d37650f848599 |
+-------------+----------------------------------+
- Create the demo user and set its password to demo
[root@controller1 ~]# openstack user create --domain default --password-prompt demo
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | cbdbfa70fb1c4b0d9b0d37650f848599 |
| enabled | True |
| id | d7ef16d7501f4398810bdd4247bb191f |
| name | demo |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+
- Create a user role
The roles are now user and admin
[root@controller1 ~]# openstack role create user
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | None |
| id | e58072c986194689b06dd3a82edc7cb3 |
| name | user |
+-----------+----------------------------------+
- Add the demo user to the demo project and grant it the user role:
[root@controller1 ~]# openstack role add --project demo --user demo user
2.8 Create a service project
The services access and authenticate with Keystone; the service project is used to hold the users created for those services
- Create the service project
[root@controller1 ~]# openstack project create --domain default --description "Service Project" service
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Service Project |
| domain_id | cbdbfa70fb1c4b0d9b0d37650f848599 |
| enabled | True |
| id | 8c8d21a33b3e47f48ff4421ae713e8c1 |
| is_domain | False |
| name | service |
| parent_id | cbdbfa70fb1c4b0d9b0d37650f848599 |
+-------------+----------------------------------+
- Service registration
Register the Keystone service address with OpenStack
3.1 Create the Keystone identity service
[root@controller1 ~]# openstack service list   # list the current services
[root@controller1 ~]# openstack service create --name keystone --description "OpenStack Identity" identity
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | OpenStack Identity |
| enabled | True |
| id | aa979de4d541421e8c9312270ca21515 |
| name | keystone |
| type | identity |
+-------------+----------------------------------+
[root@controller1 ~]# openstack service list   # verify that the service was created
+----------------------------------+----------+----------+
| ID | Name | Type |
+----------------------------------+----------+----------+
| aa979de4d541421e8c9312270ca21515 | keystone | identity |
+----------------------------------+----------+----------+
3.2 Create the endpoints
If an endpoint is created wrongly or an extra one is created, delete them all and register again, because there is no way to tell which one is right and which is wrong. Register them with keepalived's VIP; HAProxy is configured shortly:
# public endpoint
[root@controller1 ~]# openstack endpoint create --region RegionOne identity public http://openstack-linux36-vip.magedu.net:5000/v3
+--------------+-------------------------------------------------+
| Field | Value |
+--------------+-------------------------------------------------+
| enabled | True |
| id | 343a5a2993ba45fd8d09e53c0553c0d2 |
| interface | public |
| region | RegionOne |
| region_id | RegionOne |
| service_id | aa979de4d541421e8c9312270ca21515 |
| service_name | keystone |
| service_type | identity |
| url | http://openstack-linux36-vip.magedu.net:5000/v3 |
+--------------+-------------------------------------------------+
# internal endpoint
[root@controller1 ~]# openstack endpoint create --region RegionOne identity internal http://openstack-linux36-vip.magedu.net:5000/v3
+--------------+-------------------------------------------------+
| Field | Value |
+--------------+-------------------------------------------------+
| enabled | True |
| id | 986b99b5c1bf4654addb6d4063513629 |
| interface | internal |
| region | RegionOne |
| region_id | RegionOne |
| service_id | aa979de4d541421e8c9312270ca21515 |
| service_name | keystone |
| service_type | identity |
| url | http://openstack-linux36-vip.magedu.net:5000/v3 |
+--------------+-------------------------------------------------+
# admin endpoint
[root@controller1 ~]# openstack endpoint create --region RegionOne identity admin http://openstack-linux36-vip.magedu.net:35357/v3
+--------------+--------------------------------------------------+
| Field | Value |
+--------------+--------------------------------------------------+
| enabled | True |
| id | edbd39d70a7c4656a7c63ca579f78e73 |
| interface | admin |
| region | RegionOne |
| region_id | RegionOne |
| service_id | aa979de4d541421e8c9312270ca21515 |
| service_name | keystone |
| service_type | identity |
| url | http://openstack-linux36-vip.magedu.net:35357/v3 |
+--------------+--------------------------------------------------+
[root@controller1 ~]# openstack endpoint list
+----------------------------------+-----------+--------------+--------------+---------+-----------+--------------------------------------------------+
| ID | Region | Service Name | Service Type | Enabled | Interface | URL |
+----------------------------------+-----------+--------------+--------------+---------+-----------+--------------------------------------------------+
| 343a5a2993ba45fd8d09e53c0553c0d2 | RegionOne | keystone | identity | True | public | http://openstack-linux36-vip.magedu.net:5000/v3 |
| 986b99b5c1bf4654addb6d4063513629 | RegionOne | keystone | identity | True | internal | http://openstack-linux36-vip.magedu.net:5000/v3 |
| edbd39d70a7c4656a7c63ca579f78e73 | RegionOne | keystone | identity | True | admin | http://openstack-linux36-vip.magedu.net:35357/v3 |
+----------------------------------+-----------+--------------+--------------+---------+-----------+--------------------------------------------------+
3.3 Configure HAProxy
root@lb1:~# vim /etc/haproxy/haproxy.cfg
...
listen opnestack_keystone_port_5000
bind 172.20.6.248:5000
mode tcp
log global
server 172.20.6.101 172.20.6.101:5000 check inter 3000 fall 2 rise 5
listen opnestack_mysql_port_35357
bind 172.20.6.248:35357
mode tcp
log global
server 172.20.6.101 172.20.6.101:35357 check inter 3000 fall 2 rise 5
root@lb1:~# systemctl restart haproxy
3.4 Restart and verify the service
[root@controller1 ~]# telnet 172.20.6.248 5000
Trying 172.20.6.248...
Connected to 172.20.6.248.
Escape character is '^]'.
^C
Connection closed by foreign host.
[root@controller1 ~]# telnet 172.20.6.248 35357
Trying 172.20.6.248...
Connected to 172.20.6.248.
Escape character is '^]'.
^C
Connection closed by foreign host.
3.5 Test whether Keystone can authenticate users
Verify the admin user with password admin; open a new terminal window and run the following
[root@controller1 ~]# export OS_IDENTITY_API_VERSION=3
[root@controller1 ~]# openstack --os-auth-url http://172.20.6.101:35357/v3 --os-project-domain-name default --os-user-domain-name default --os-project-name admin --os-username admin token issue
Password:
+------------+-----------------------------------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------------------------------+
| expires | 2019-06-24T13:19:04+0000 |
| id | gAAAAABdEL-4RSHd89iS8b7VtR3YpRcQFSrZZyej9lEwjqyY38El2l0oIApBc4zqNHhkpwPjxklb7FTzBwXcTuQ |
| | FvGwSizhOjVooZtpc9u3jvMaxgATVlj95LjxOxpkclLl3m9XYySKdcaE0oABxTBVbge8Y- |
| | 2lnt4NVP8YQGG_HKohuVUKjV2w |
| project_id | 2c101bf8498c42a484c9ff26b1a5d802 |
| user_id | a165b86a52164af2bf6852d297e9e911 |
+------------+-----------------------------------------------------------------------------------------+
3.6 Verify the demo user with password demo
[root@controller1 ~]# export OS_IDENTITY_API_VERSION=3
[root@controller1 ~]# openstack --os-auth-url http://172.20.6.101:35357/v3 --os-project-domain-name default --os-user-domain-name default --os-project-name demo --os-username demo token issue
Password:
+------------+-----------------------------------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------------------------------+
| expires | 2019-06-24T13:20:51+0000 |
| id | gAAAAABdEMAjaXGvx2Yp-bbPKttqhquc5WcHeV4siK8mrZOorqqjWg2IdIV1hJnXHF0 |
| | -ufSDNRt8tnT66HClC0e2rsKnQO-Jy1gs68rhl7cQL0PpxexhcuY_4zJl1aMFetk9vPrUj1DxB0rjMZ_70Re9bc |
| | BcJorEimWAhlvL3AkM7cdCScZNfN4 |
| project_id | a43d0e07295546f0a4c2c5987073863b |
| user_id | d7ef16d7501f4398810bdd4247bb191f |
+------------+-----------------------------------------------------------------------------------------+
- Create OpenStack client environment scripts
4.1 Set the environment variables with scripts:
Create client environment scripts for the admin and demo projects and users. The rest of this guide references these scripts to load the appropriate credentials for client operations
[root@controller1 ~]# mkdir script
[root@controller1 ~]# cd script/
[root@controller1 script]# vim admin.sh
#!/bin/bash
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_AUTH_URL=http://172.20.6.101:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
Contents of the demo user script
[root@controller1 script]# vim demo.sh
#!/bin/bash
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=demo
export OS_AUTH_URL=http://172.20.6.101:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
4.2 Test that the scripts work
Admin user script test
[root@controller1 script]# source admin.sh
[root@controller1 script]# openstack --os-auth-url http://172.20.6.101:35357/v3 --os-project-domain-name default --os-user-domain-name default --os-project-name admin --os-username admin token issue
+------------+-----------------------------------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------------------------------+
| expires | 2019-06-24T13:27:22+0000 |
| id | gAAAAABdEMGqGNgr-jgeFAw4_9DekpzIlCM_23mSTpxC3OekQOmyTnx-fzlR5YWy2rqY6uLPZIl3e31dIuVaU41 |
| | 3WyDoZwv_RGRqTQeZO1EHmfAcPxFQFjjGFvomDpD6WkaF1aDUwgUJ07RTc7JFiPmkMxeHi1NLCi9lcLDsOqBPhu |
| | EF8d9a5eE |
| project_id | 2c101bf8498c42a484c9ff26b1a5d802 |
| user_id | a165b86a52164af2bf6852d297e9e911 |
+------------+-----------------------------------------------------------------------------------------+
[root@controller1 script]# source demo.sh
[root@controller1 script]# openstack --os-auth-url http://172.20.6.101:35357/v3 --os-project-domain-name default --os-user-domain-name default --os-project-name demo --os-username demo token issue
+------------+-----------------------------------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------------------------------+
| expires | 2019-06-24T13:36:20+0000 |
| id | gAAAAABdEMPEwprvGRmzZA9zHmmXUX-q6kfodnMDAS09yQ9Lka-EmfR6vvaN-YaHIKl6skJEU5lJK6sdhm3qaqt |
| | R24HDDzoDxO3KYltekEYXtKjbuy2tghJvWglN2lc2YA6L8mjG8L6QgupN2veiyg2B- |
| | jX7WNNWKFcAO6Urj0242zTx6OGCHpY |
| project_id | a43d0e07295546f0a4c2c5987073863b |
| user_id | d7ef16d7501f4398810bdd4247bb191f |
+------------+-----------------------------------------------------------------------------------------+
Note: this shows that authentication now works without a password prompt
4.3 Change the IP address in admin.sh and demo.sh to the VIP, removing the controller as a single point of failure
[root@controller1 script]# vim demo.sh
[root@controller1 script]# cat admin.sh demo.sh
#!/bin/bash
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_AUTH_URL=http://172.20.6.248:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
#!/bin/bash
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=demo
export OS_AUTH_URL=http://172.20.6.248:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
root@lb1:~# tail -11 /etc/haproxy/haproxy.cfg
listen opnestack_keystone_port_5000
bind 172.20.6.248:5000
mode tcp
log global
server 172.20.6.101 172.20.6.101:5000 check inter 3000 fall 2 rise 5
listen opnestack_mysql_port_35357
bind 172.20.6.248:35357
mode tcp
log global
server 172.20.6.101 172.20.6.101:35357 check inter 3000 fall 2 rise 5
Test
[root@controller1 script]# source admin.sh
[root@controller1 script]# openstack service list
+----------------------------------+----------+----------+
| ID | Name | Type |
+----------------------------------+----------+----------+
| aa979de4d541421e8c9312270ca21515 | keystone | identity |
+----------------------------------+----------+----------+
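What openstack ... token issue does under the hood, as an added example that is not part of the notes: it POSTs a password-method, project-scoped authentication request to the Identity v3 API and reads the token back from the X-Subject-Token response header. The script below builds that request from the same OS_* variables that admin.sh and demo.sh export and fetches a token with curl. The values at the bottom are the notes' demo.sh values, constructed inline rather than sourced, and the request body is piped to curl so the password does not appear on a command line that other users could read with ps. Values containing a double quote or backslash would need JSON escaping, which the notes' values do not.

```shell
#!/bin/bash
# Added example, not part of the original notes: the Identity v3 password
# authentication request behind "openstack token issue", built from the
# OS_* variables that admin.sh / demo.sh export.

# v3_auth_body -> JSON body for POST $OS_AUTH_URL/auth/tokens
# (password method, scoped to OS_PROJECT_NAME in OS_PROJECT_DOMAIN_NAME).
# Values with " or \ would need escaping; the notes' values contain neither.
v3_auth_body() {
  printf '{"auth":{"identity":{"methods":["password"],"password":{"user":{"name":"%s","domain":{"name":"%s"},"password":"%s"}}},"scope":{"project":{"name":"%s","domain":{"name":"%s"}}}}}' \
    "$OS_USERNAME" "$OS_USER_DOMAIN_NAME" "$OS_PASSWORD" \
    "$OS_PROJECT_NAME" "$OS_PROJECT_DOMAIN_NAME"
}

# v3_token_issue -> prints the token from the X-Subject-Token response header.
# The body goes to curl on stdin (-d @-) so the password never sits in a
# command line; -D - dumps the headers, -o /dev/null drops the JSON body.
v3_token_issue() {
  v3_auth_body | curl -sS -D - -o /dev/null \
      -H 'Content-Type: application/json' -d @- "${OS_AUTH_URL%/}/auth/tokens" \
    | awk 'tolower($1) == "x-subject-token:" { sub(/\r$/, "", $2); print $2 }'
}

# Demo with the demo.sh values from the notes (constructed here, not sourced):
export OS_PROJECT_DOMAIN_NAME=default OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=demo OS_USERNAME=demo OS_PASSWORD=demo
export OS_AUTH_URL=http://172.20.6.248:5000/v3
v3_auth_body; echo
# Against a reachable controller:  token=$(v3_token_issue)
# The token is then sent as the X-Auth-Token header to the other service APIs.
```

Because the scripts export OS_PASSWORD in clear text, keep admin.sh and demo.sh readable by root only; the request above is exactly what the plaintext password buys an attacker who can read them.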
III. Image service: Glance
- Install Glance on the controller
[root@controller1 script]# yum install -y openstack-glance
- Create and initialize the database
2.1 Create the glance database on the MySQL server and grant access
[root@mysql ~]# mysql -uroot -p123456
2.2 Create the glance database
MariaDB [(none)]> create database glance;
2.3 Grant proper access to the glance database:
MariaDB [(none)]> grant all on glance.* to 'glance'@'%' identified by 'glance123';
2.4 On the controller, verify that the glance user can connect remotely through the VIP:
[root@controller1 script]# mysql -uglance -pglance123 -h172.20.6.248
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 38
Server version: 10.1.20-MariaDB MariaDB Server
Copyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]>
- To create the service credentials, complete these steps:
3.1 Create the glance user:
[root@controller1 script]# source admin.sh
[root@controller1 script]# openstack user create --domain default --password-prompt glance
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | cbdbfa70fb1c4b0d9b0d37650f848599 |
| enabled | True |
| id | 327c52357a5243d0abf868fff4022220 |
| name | glance |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+
3.2 Add the admin role to the glance user in the service project
[root@controller1 script]# openstack role add --project service --user glance admin
3.3 Create the glance service entity:
[root@controller1 script]# openstack service create --name glance --description "OpenStack Image" image
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | OpenStack Image |
| enabled | True |
| id | 0a76822b396b474c80afecc820c5b531 |
| name | glance |
| type | image |
+-------------+----------------------------------+
3.4 Register the Glance service (create the Image service API endpoints):
# create the public endpoint
[root@controller1 script]# openstack endpoint create --region RegionOne image public http://openstack-linux36-vip.magedu.net:9292
+--------------+----------------------------------------------+
| Field | Value |
+--------------+----------------------------------------------+
| enabled | True |
| id | b79b887989bd4aad9fc55279c54f894a |
| interface | public |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 0a76822b396b474c80afecc820c5b531 |
| service_name | glance |
| service_type | image |
| url | http://openstack-linux36-vip.magedu.net:9292 |
+--------------+----------------------------------------------+
# create the internal endpoint:
[root@controller1 script]# openstack endpoint create --region RegionOne image internal http://openstack-linux36-vip.magedu.net:9292
+--------------+----------------------------------------------+
| Field | Value |
+--------------+----------------------------------------------+
| enabled | True |
| id | 12935010e2c7496197f550b17fcc8677 |
| interface | internal |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 0a76822b396b474c80afecc820c5b531 |
| service_name | glance |
| service_type | image |
| url | http://openstack-linux36-vip.magedu.net:9292 |
+--------------+----------------------------------------------+
# create the admin endpoint:
[root@controller1 script]# openstack endpoint create --region RegionOne image admin http://openstack-linux36-vip.magedu.net:9292
+--------------+----------------------------------------------+
| Field | Value |
+--------------+----------------------------------------------+
| enabled | True |
| id | 2bd9252a93884989931096910cb7109d |
| interface | admin |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 0a76822b396b474c80afecc820c5b531 |
| service_name | glance |
| service_type | image |
| url | http://openstack-linux36-vip.magedu.net:9292 |
+--------------+----------------------------------------------+
[root@controller1 script]# openstack endpoint list
+----------------------------------+-----------+--------------+--------------+---------+-----------+--------------------------------------------------+
| ID | Region | Service Name | Service Type | Enabled | Interface | URL |
+----------------------------------+-----------+--------------+--------------+---------+-----------+--------------------------------------------------+
| 12935010e2c7496197f550b17fcc8677 | RegionOne | glance | image | True | internal | http://openstack-linux36-vip.magedu.net:9292 |
| 2bd9252a93884989931096910cb7109d | RegionOne | glance | image | True | admin | http://openstack-linux36-vip.magedu.net:9292 |
| 343a5a2993ba45fd8d09e53c0553c0d2 | RegionOne | keystone | identity | True | public | http://openstack-linux36-vip.magedu.net:5000/v3 |
| 986b99b5c1bf4654addb6d4063513629 | RegionOne | keystone | identity | True | internal | http://openstack-linux36-vip.magedu.net:5000/v3 |
| b79b887989bd4aad9fc55279c54f894a | RegionOne | glance | image | True | public | http://openstack-linux36-vip.magedu.net:9292 |
| edbd39d70a7c4656a7c63ca579f78e73 | RegionOne | keystone | identity | True | admin | http://openstack-linux36-vip.magedu.net:35357/v3 |
+----------------------------------+-----------+--------------+--------------+---------+-----------+--------------------------------------------------+
MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| glance |
| information_schema |
| keystone |
| mysql |
| performance_schema |
+--------------------+
5 rows in set (0.00 sec)
MariaDB [(none)]> use glance;
Database changed
MariaDB [glance]> show tables;
Empty set (0.00 sec)
- Install and configure components
4.1 Install the package on the controller
[root@controller1 script]# yum install openstack-glance
4.2 Edit /etc/glance/glance-api.conf and complete the following
# In the [database] section, configure database access:
[database]
connection = mysql+pymysql://glance:glance123@openstack-linux36-vip.magedu.net/glance
# In the [keystone_authtoken] and [paste_deploy] sections, configure Identity service access:
[keystone_authtoken]
auth_uri = http://openstack-linux36-vip.magedu.net:5000
auth_url = http://openstack-linux36-vip.magedu.net:35357
memcached_servers = openstack-linux36-vip.magedu.net:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = glance
password = glance
[paste_deploy]
flavor = keystone
# In the [glance_store] section, configure the local file system store and the location of the image files:
[glance_store]
stores = file,http
default_store = file
filesystem_store_datadir = /var/lib/glance/images/
4.3 Edit /etc/glance/glance-registry.conf and complete the following:
# In the [database] section, configure database access
[database]
connection = mysql+pymysql://glance:glance123@openstack-linux36-vip.magedu.net/glance
# In the [keystone_authtoken] and [paste_deploy] sections, configure Identity service access
[keystone_authtoken]
auth_uri = http://openstack-linux36-vip.magedu.net:5000
auth_url = http://openstack-linux36-vip.magedu.net:35357
memcached_servers = openstack-linux36-vip.magedu.net:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = glance
password = glance
[paste_deploy]
flavor = keystone
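Both glance-api.conf and glance-registry.conf above receive the same keys in the same sections, and the package defaults ship those keys commented out (for example #connection = <None>). The shell script below is an added example, not from the notes or from the Glance project: an idempotent INI setter that replaces an existing or commented-out key in the named section, or appends the key (and the section header when it is missing), so the edit can be re-run safely without leaving duplicate keys. It rewrites the target in place with cat rather than mv so the file keeps its root:glance ownership and mode. The values are the notes' own; the demo works on a constructed fragment in a temporary file, and the key name is used as an awk regular expression, which is fine for oslo.config's [A-Za-z0-9_] key names.

```shell
#!/bin/bash
# Added example, not part of the original notes: idempotent INI editing for
# oslo.config files such as /etc/glance/glance-api.conf.

# ini_set FILE SECTION KEY VALUE
# Replaces the first active or commented-out KEY in [SECTION], else appends
# KEY to that section (creating the section at the end if it is missing).
# VALUE is passed through awk -v, so a value containing backslashes would be
# escape-processed; the notes' values contain none.
ini_set() {
  f=$1 s=$2 k=$3 v=$4
  tmp=$(mktemp)
  awk -v s="$s" -v k="$k" -v v="$v" '
    BEGIN { insec = 0; done = 0 }
    /^\[.*\]/ {
      if (insec && !done) { print k " = " v; done = 1 }   # leaving target section: add key first
      insec = (substr($0, 2, index($0, "]") - 2) == s)
      print; next
    }
    insec && !done && $0 ~ ("^[# \t]*" k "[ \t]*=") { print k " = " v; done = 1; next }
    { print }
    END {
      if (!done) {
        if (!insec) print "[" s "]"
        print k " = " v
      }
    }' "$f" > "$tmp" && cat "$tmp" > "$f" && rm -f "$tmp"   # cat keeps owner/mode of FILE
}

# ini_get FILE SECTION KEY -> value of the first active (uncommented) KEY in [SECTION]
ini_get() {
  awk -v s="$2" -v k="$3" '
    /^\[.*\]/ { insec = (substr($0, 2, index($0, "]") - 2) == s); next }
    insec && $0 ~ ("^[ \t]*" k "[ \t]*=") { sub(/^[^=]*=[ \t]*/, ""); print; exit }
  ' "$1"
}

# Demo on a constructed package-default fragment (not the real file), applying
# the glance-api.conf settings from the notes.
conf=$(mktemp)
printf '[DEFAULT]\n#debug = false\n\n[database]\n#connection = <None>\n\n[glance_store]\n#stores = file,http\n' > "$conf"
ini_set "$conf" database connection 'mysql+pymysql://glance:glance123@openstack-linux36-vip.magedu.net/glance'
ini_set "$conf" keystone_authtoken auth_uri http://openstack-linux36-vip.magedu.net:5000
ini_set "$conf" keystone_authtoken auth_url http://openstack-linux36-vip.magedu.net:35357
ini_set "$conf" keystone_authtoken memcached_servers openstack-linux36-vip.magedu.net:11211
ini_set "$conf" keystone_authtoken auth_type password
ini_set "$conf" keystone_authtoken project_domain_name default
ini_set "$conf" keystone_authtoken user_domain_name default
ini_set "$conf" keystone_authtoken project_name service
ini_set "$conf" keystone_authtoken username glance
ini_set "$conf" keystone_authtoken password glance
ini_set "$conf" paste_deploy flavor keystone
ini_set "$conf" glance_store stores file,http
ini_set "$conf" glance_store default_store file
ini_set "$conf" glance_store filesystem_store_datadir /var/lib/glance/images/
cat "$conf"
echo "connection -> $(ini_get "$conf" database connection)"
rm -f "$conf"
```

Running the same list of ini_set calls against /etc/glance/glance-registry.conf (without the [glance_store] keys) gives the registry configuration shown above; running either list twice changes nothing.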
4.4 Populate the Image service database:
[root@controller1 script]# su -s /bin/sh -c "glance-manage db_sync" glance
Option "verbose" from group "DEFAULT" is deprecated for removal. Its value may be silently ignored in the future.
/usr/lib/python2.7/site-packages/oslo_db/sqlalchemy/enginefacade.py:1241: OsloDBDeprecationWarning: EngineFacade is deprecated; please use oslo_db.sqlalchemy.enginefacade
expire_on_commit=expire_on_commit, _conf=conf)
INFO [alembic.runtime.migration] Context impl MySQLImpl.
INFO [alembic.runtime.migration] Will assume non-transactional DDL.
INFO [alembic.runtime.migration] Running upgrade -> liberty, liberty initial
INFO [alembic.runtime.migration] Running upgrade liberty -> mitaka01, add index on created_at and updated_at columns of 'images' table
INFO [alembic.runtime.migration] Running upgrade mitaka01 -> mitaka02, update metadef os_nova_server
INFO [alembic.runtime.migration] Running upgrade mitaka02 -> ocata01, add visibility to and remove is_public from images
INFO [alembic.runtime.migration] Context impl MySQLImpl.
INFO [alembic.runtime.migration] Will assume non-transactional DDL.
Upgraded database to: ocata01, current revision(s): ocata01
MariaDB [glance]> show tables;
+----------------------------------+
| Tables_in_glance |
+----------------------------------+
| alembic_version |
| artifact_blob_locations |
| artifact_blobs |
| artifact_dependencies |
| artifact_properties |
| artifact_tags |
4.5 Start the Image services and enable them at boot
[root@controller1 script]# systemctl enable openstack-glance-api.service openstack-glance-registry.service
Created symlink from /etc/systemd/system/multi-user.target.wants/openstack-glance-api.service to /usr/lib/systemd/system/openstack-glance-api.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/openstack-glance-registry.service to /usr/lib/systemd/system/openstack-glance-registry.service.
[root@controller1 script]# systemctl start openstack-glance-api.service openstack-glance-registry.service
4.6 Configure HAProxy to proxy Glance
root@lb1:~# vim /etc/haproxy/haproxy.cfg
...
listen opnestack_glance_port_9191
bind 172.20.6.248:9191
mode tcp
log global
server 172.20.6.101 172.20.6.101:9191 check inter 3000 fall 2 rise 5
listen opnestack_glance_port_9292
bind 172.20.6.248:9292
mode tcp
log global
server 172.20.6.101 172.20.6.101:9292 check inter 3000 fall 2 rise 5
root@lb1:~# systemctl restart haproxy
4.7 Verify the glance service
[root@controller1 script]# glance image-list
+----+------+
| ID | Name |
+----+------+
+----+------+
You have new mail in /var/spool/mail/root
[root@controller1 script]# openstack image list
Note: there is no output because glance has no images yet; this is normal.
4.8 Install an NFS server (here the NFS service is installed on the mysql server)
Install an NFS storage server on the backend (later, when there are N controller nodes, they share one directory for the image files)
[root@controller1 script]# ll /var/lib/glance/images/
total 0
- Install the package
[root@mysql ~]# yum -y install nfs-utils
[root@mysql ~]# vim /etc/exports
/openstack/glance *(rw,no_root_squash)
[root@mysql ~]# mkdir /openstack/glance -p
[root@mysql ~]# vim /etc/exports
[root@mysql ~]# systemctl start nfs && systemctl enable nfs
- View the exported directory from the controller node
[root@controller1 script]# showmount -e 172.20.6.103
Export list for 172.20.6.103:
/openstack/glance *
- Mount
[root@mysql ~]# systemctl stop nfs
[root@controller1 script]# vim /etc/fstab
#
# /etc/fstab
# Created by anaconda on Wed Jun 19 22:48:58 2019
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
UUID=4f0e5814-d14a-4c60-acad-7551e0df4440 / xfs defaults 0 0
UUID=f1c90e3e-4e7c-41e7-aaef-549fb1a7366c /boot xfs defaults 0 0
UUID=9f9b9602-2e6c-4e78-b98c-ec3e54456681 swap swap defaults 0 0
172.20.6.103:/openstack/glance /var/lib/glance/images/ nfs defaults,_netdev 0 0
[root@mysql ~]# systemctl start nfs
[root@controller1 script]# mount -a
[root@controller1 script]# df
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/sda3 104280324 1564544 102715780 2% /
devtmpfs 1666220 0 1666220 0% /dev
tmpfs 1675424 0 1675424 0% /dev/shm
tmpfs 1675424 8860 1666564 1% /run
tmpfs 1675424 0 1675424 0% /sys/fs/cgroup
/dev/sda1 520876 119540 401336 23% /boot
tmpfs 335088 0 335088 0% /run/user/0
172.20.6.103:/openstack/glance 104280448 1555968 102724480 2% /var/lib/glance/images
4.9 Verification
CirrOS is a small Linux image that can be used to test your OpenStack deployment.
Test uploading an image to glance
- Download the 0.3.4 test image for glance
[root@controller1 ~]# wget http://download.cirros-cloud.net/0.3.4/cirros-0.3.4-x86_64-disk.img
# Upload the image to the image service using the qcow2 disk format and the bare container format, and make it public so that all projects can access it:
[root@controller1 ~]# openstack image create "cirros-0.3.4" \
> --file cirros-0.3.4-x86_64-disk.img \
> --disk-format qcow2 --container-format bare \
> --public
503 Service Unavailable
Insufficient permissions on image storage media: Permission to write image storage media denied.
(HTTP 503)
Note: this means there is no write permission on the mounted directory; change the directory ownership.
[root@controller1 ~]# id glance
uid=161(glance) gid=161(glance) groups=161(glance)
On the storage server
[root@mysql ~]# cd /openstack/
[root@mysql openstack]# ls
glance
[root@mysql openstack]# ll
total 0
drwxr-xr-x 2 root root 6 Jun 24 21:55 glance
[root@mysql openstack]# chown 161.161 glance
[root@mysql openstack]# ll
total 0
drwxr-xr-x 2 161 161 6 Jun 24 21:55 glance
You have new mail in /var/spool/mail/root
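The export in 4.8 and the ownership fix above are the two places where the shared image store goes wrong. The following added example (not from the original notes) audits an exports entry, prints a tightened line, and checks that the store is owned by the glance uid/gid, which must be numerically identical on the NFS server and on every controller that mounts it. It assumes the controllers allowed to mount are listed in GLANCE_CLIENTS (an assumption, defaulting to the single controller).

```shell
#!/usr/bin/env bash
# Added example, not part of the original notes: audit the /etc/exports entry that
# backs /var/lib/glance/images, print a tightened replacement, and confirm the
# store is owned by the glance uid/gid (161:161 on this page).
# Assumption (not from the page): the controllers allowed to mount are listed in
# GLANCE_CLIENTS, one address per word; the default is the single controller.
GLANCE_CLIENTS="${GLANCE_CLIENTS:-172.20.6.101}"

# audit_exports FILE: print one FINDING line per weak option; returns 1 if any found.
audit_exports() {
    local file="$1" path specs spec host opts n=0
    set -f                                  # '*' here is an NFS wildcard, not a shell glob
    while read -r path specs; do
        case "$path" in ''|'#'*) continue ;; esac
        for spec in $specs; do              # each spec is CLIENT(opt,opt,...)
            host="${spec%%'('*}"
            opts="${spec#*'('}"; opts="${opts%')'}"
            if [ "$host" = '*' ]; then
                echo "FINDING $path: exported to every host ($spec); list the controller IPs instead"
                n=$((n + 1))
            fi
            case ",$opts," in
                *,no_root_squash,*)
                    echo "FINDING $path: no_root_squash lets root on any client write here as root; glance only needs its own uid"
                    n=$((n + 1)) ;;
            esac
            case ",$opts," in
                *,sync,*) ;;
                *) echo "FINDING $path: sync not set; image writes may be acknowledged before reaching disk"
                   n=$((n + 1)) ;;
            esac
        done
    done < "$file"
    set +f
    [ "$n" -eq 0 ]
}

# hardened_export PATH: one client spec per controller, root squashed, synchronous writes.
# glance writes as its own uid, so root_squash does not break the chown-based fix above.
hardened_export() {
    local line="$1" c
    for c in $GLANCE_CLIENTS; do
        line="$line ${c}(rw,sync,root_squash)"
    done
    echo "$line"
}

# store_owner_ok DIR UID GID: true when DIR is owned by the numeric UID:GID given.
store_owner_ok() {
    [ "$(ls -ldn "$1" | awk '{ print $3 ":" $4 }')" = "$2:$3" ]
}

# Constructed sample reproducing the export line used on this page.
sample=$(mktemp)
printf '%s\n' '/openstack/glance *(rw,no_root_squash)' > "$sample"
audit_exports "$sample" || echo "suggested line: $(hardened_export /openstack/glance)"
rm -f "$sample"
```

Run `store_owner_ok /openstack/glance 161 161` on the NFS server and `store_owner_ok /var/lib/glance/images 161 161` on each controller after mounting; both must succeed or glance will see the 503 shown above.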
- Upload the image file to the image service again
[root@controller1 ~]# openstack image create "cirros-0.3.4" --file cirros-0.3.4-x86_64-disk.img --disk-format qcow2 --container-format bare --public
+------------------+------------------------------------------------------+
| Field | Value |
+------------------+------------------------------------------------------+
| checksum | ee1eca47dc88f4879d8a229cc70a07c6 |
| container_format | bare |
| created_at | 2019-06-24T14:15:09Z |
| disk_format | qcow2 |
| file | /v2/images/de7350ff-5090-4cda-a950-2817cee72384/file |
| id | de7350ff-5090-4cda-a950-2817cee72384 |
| min_disk | 0 |
| min_ram | 0 |
| name | cirros-0.3.4 |
| owner | 2c101bf8498c42a484c9ff26b1a5d802 |
| protected | False |
| schema | /v2/schemas/image |
| size | 13287936 |
| status | active |
| tags | |
| updated_at | 2019-06-24T14:15:09Z |
| virtual_size | None |
| visibility | public |
+------------------+------------------------------------------------------+
You have new mail in /var/spool/mail/root
- Confirm the upload and verify the attributes:
[root@controller1 ~]# glance image-list
+--------------------------------------+--------------+
| ID | Name |
+--------------------------------------+--------------+
| de7350ff-5090-4cda-a950-2817cee72384 | cirros-0.3.4 |
+--------------------------------------+--------------+
[root@controller1 ~]# openstack image list
+--------------------------------------+--------------+--------+
| ID | Name | Status |
+--------------------------------------+--------------+--------+
| de7350ff-5090-4cda-a950-2817cee72384 | cirros-0.3.4 | active |
+--------------------------------------+--------------+--------+
[root@controller1 ~]# ll /var/lib/glance/images/
total 12980
-rw-r----- 1 glance glance 13287936 Jun 24 22:15 de7350ff-5090-4cda-a950-2817cee72384
- Show information about a specific image
[root@controller1 ~]# openstack image show cirros-0.3.4
+------------------+------------------------------------------------------+
| Field | Value |
+------------------+------------------------------------------------------+
| checksum | ee1eca47dc88f4879d8a229cc70a07c6 |
| container_format | bare |
| created_at | 2019-06-24T14:15:09Z |
| disk_format | qcow2 |
| file | /v2/images/de7350ff-5090-4cda-a950-2817cee72384/file |
| id | de7350ff-5090-4cda-a950-2817cee72384 |
| min_disk | 0 |
| min_ram | 0 |
| name | cirros-0.3.4 |
| owner | 2c101bf8498c42a484c9ff26b1a5d802 |
| protected | False |
| schema | /v2/schemas/image |
| size | 13287936 |
| status | active |
| tags | |
| updated_at | 2019-06-24T14:15:09Z |
| virtual_size | None |
| visibility | public |
+------------------+------------------------------------------------------+
IV. Compute service nova (deploy the nova controller node and compute nodes)
Before installing and configuring the Compute service, you must create the databases, service credentials, and API endpoints.
- To create the databases, complete these steps:
# Connect to the database server as root using the database client
[root@mysql openstack]# mysql -uroot -p123456
#Create the nova_api, nova, and nova_cell0 databases:
MariaDB [(none)]> CREATE DATABASE nova_api;
Query OK, 1 row affected (0.00 sec)
MariaDB [(none)]> CREATE DATABASE nova;
Query OK, 1 row affected (0.00 sec)
MariaDB [(none)]> CREATE DATABASE nova_cell0;
Query OK, 1 row affected (0.00 sec)
# Grant proper access to the databases:
MariaDB [(none)]> GRANT ALL PRIVILEGES ON nova_api.* TO 'nova'@'%' IDENTIFIED BY 'nova123';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'%' IDENTIFIED BY 'nova123';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> GRANT ALL PRIVILEGES ON nova_cell0.* TO 'nova'@'%' IDENTIFIED BY 'nova123';
Query OK, 0 rows affected (0.00 sec)
- Verify that the user can log in to the database remotely via the VIP
[root@controller1 ~]# mysql -unova -pnova123 -h172.20.6.103
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 68
Server version: 10.1.20-MariaDB MariaDB Server
Copyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| nova |
| nova_api |
| nova_cell0 |
+--------------------+
4 rows in set (0.01 sec)
- Create the nova service and register it:
2.1 Create the nova user and grant it a role
# Source the admin credentials to gain access to admin-only CLI commands
[root@controller1 ~]# source script/admin.sh
[root@controller1 ~]# openstack user create --domain default --password-prompt nova
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | cbdbfa70fb1c4b0d9b0d37650f848599 |
| enabled | True |
| id | 3a492162680e40ea98e32949aeaf8ade |
| name | nova |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+
# Add the admin role to the nova user
[root@controller1 ~]# openstack role add --project service --user nova admin
2.2 Create the nova service entity and endpoints
# Create the nova service entity
[root@controller1 ~]# openstack service create --name nova --description "OpenStack Compute" compute
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | OpenStack Compute |
| enabled | True |
| id | cb6d1f71a8f24aa58b9012edba7b32c4 |
| name | nova |
| type | compute |
+-------------+----------------------------------+
# Create the public endpoint
[root@controller1 ~]# openstack endpoint create --region RegionOne compute public http://openstack-linux36-vip.magedu.net:8774/v2.1
+--------------+---------------------------------------------------+
| Field | Value |
+--------------+---------------------------------------------------+
| enabled | True |
| id | cabb52a4f8ce4555969aa245cb269390 |
| interface | public |
| region | RegionOne |
| region_id | RegionOne |
| service_id | cb6d1f71a8f24aa58b9012edba7b32c4 |
| service_name | nova |
| service_type | compute |
| url | http://openstack-linux36-vip.magedu.net:8774/v2.1 |
+--------------+---------------------------------------------------+
# Create the internal endpoint
[root@controller1 ~]# openstack endpoint create --region RegionOne compute internal http://openstack-linux36-vip.magedu.net:8774/v2.1
+--------------+---------------------------------------------------+
| Field | Value |
+--------------+---------------------------------------------------+
| enabled | True |
| id | e1a234b7b1064a40aa7929b3d5a7e9b6 |
| interface | internal |
| region | RegionOne |
| region_id | RegionOne |
| service_id | cb6d1f71a8f24aa58b9012edba7b32c4 |
| service_name | nova |
| service_type | compute |
| url | http://openstack-linux36-vip.magedu.net:8774/v2.1 |
+--------------+---------------------------------------------------+
# Create the admin endpoint
[root@controller1 ~]# openstack endpoint create --region RegionOne compute admin http://openstack-linux36-vip.magedu.net:8774/v2.1
+--------------+---------------------------------------------------+
| Field | Value |
+--------------+---------------------------------------------------+
| enabled | True |
| id | 6a605f1595c54ce4bb3aaa7b55343940 |
| interface | admin |
| region | RegionOne |
| region_id | RegionOne |
| service_id | cb6d1f71a8f24aa58b9012edba7b32c4 |
| service_name | nova |
| service_type | compute |
| url | http://openstack-linux36-vip.magedu.net:8774/v2.1 |
+--------------+---------------------------------------------------+
2.3 Create the placement user and grant it a role
# The placement user's password is set to placement
[root@controller1 ~]# openstack user create --domain default --password-prompt placement
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | cbdbfa70fb1c4b0d9b0d37650f848599 |
| enabled | True |
| id | d20223e2d3fb40279d2e4f9622027226 |
| name | placement |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+
[root@controller1 ~]# openstack role add --project service --user placement admin
2.4 Create and register the Placement API
[root@controller1 ~]# openstack service create --name placement --description "Placement API" placement
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Placement API |
| enabled | True |
| id | 3a9a076760c0404ea41bf7fb6163ea2f |
| name | placement |
| type | placement |
+-------------+----------------------------------+
[root@controller1 ~]# openstack endpoint create --region RegionOne placement public http://openstack-linux36-vip.magedu.net:8778
+--------------+----------------------------------------------+
| Field | Value |
+--------------+----------------------------------------------+
| enabled | True |
| id | 27994f9a8bfa44f49cd7a19a8fe81ea2 |
| interface | public |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 3a9a076760c0404ea41bf7fb6163ea2f |
| service_name | placement |
| service_type | placement |
| url | http://openstack-linux36-vip.magedu.net:8778 |
+--------------+----------------------------------------------+
[root@controller1 ~]# openstack endpoint create --region RegionOne placement internal http://openstack-linux36-vip.magedu.net:8778
+--------------+----------------------------------------------+
| Field | Value |
+--------------+----------------------------------------------+
| enabled | True |
| id | a63ff379f80243b8aa56b5699b2e24a8 |
| interface | internal |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 3a9a076760c0404ea41bf7fb6163ea2f |
| service_name | placement |
| service_type | placement |
| url | http://openstack-linux36-vip.magedu.net:8778 |
+--------------+----------------------------------------------+
[root@controller1 ~]# openstack endpoint create --region RegionOne placement admin http://openstack-linux36-vip.magedu.net:8778
+--------------+----------------------------------------------+
| Field | Value |
+--------------+----------------------------------------------+
| enabled | True |
| id | d8ddf8133fe3452db1b55ec25dd5f741 |
| interface | admin |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 3a9a076760c0404ea41bf7fb6163ea2f |
| service_name | placement |
| service_type | placement |
| url | http://openstack-linux36-vip.magedu.net:8778 |
+--------------+----------------------------------------------+
[root@controller1 ~]# openstack endpoint list
+----------------------------------+-----------+--------------+--------------+---------+-----------+---------------------------------------------------+
| ID | Region | Service Name | Service Type | Enabled | Interface | URL |
+----------------------------------+-----------+--------------+--------------+---------+-----------+---------------------------------------------------+
| 12935010e2c7496197f550b17fcc8677 | RegionOne | glance | image | True | internal | http://openstack-linux36-vip.magedu.net:9292 |
| 27994f9a8bfa44f49cd7a19a8fe81ea2 | RegionOne | placement | placement | True | public | http://openstack-linux36-vip.magedu.net:8778 |
| 2bd9252a93884989931096910cb7109d | RegionOne | glance | image | True | admin | http://openstack-linux36-vip.magedu.net:9292 |
| 343a5a2993ba45fd8d09e53c0553c0d2 | RegionOne | keystone | identity | True | public | http://openstack-linux36-vip.magedu.net:5000/v3 |
| 6a605f1595c54ce4bb3aaa7b55343940 | RegionOne | nova | compute | True | admin | http://openstack-linux36-vip.magedu.net:8774/v2.1 |
| 986b99b5c1bf4654addb6d4063513629 | RegionOne | keystone | identity | True | internal | http://openstack-linux36-vip.magedu.net:5000/v3 |
| a63ff379f80243b8aa56b5699b2e24a8 | RegionOne | placement | placement | True | internal | http://openstack-linux36-vip.magedu.net:8778 |
| b79b887989bd4aad9fc55279c54f894a | RegionOne | glance | image | True | public | http://openstack-linux36-vip.magedu.net:9292 |
| cabb52a4f8ce4555969aa245cb269390 | RegionOne | nova | compute | True | public | http://openstack-linux36-vip.magedu.net:8774/v2.1 |
| d8ddf8133fe3452db1b55ec25dd5f741 | RegionOne | placement | placement | True | admin | http://openstack-linux36-vip.magedu.net:8778 |
| e1a234b7b1064a40aa7929b3d5a7e9b6 | RegionOne | nova | compute | True | internal | http://openstack-linux36-vip.magedu.net:8774/v2.1 |
| edbd39d70a7c4656a7c63ca579f78e73 | RegionOne | keystone | identity | True | admin | http://openstack-linux36-vip.magedu.net:35357/v3 |
+----------------------------------+-----------+--------------+--------------+---------+-----------+---------------------------------------------------+
- Configure haproxy
root@lb1:~# vim /etc/haproxy/haproxy.cfg
...
listen opnestack_nova_port_8774
bind 172.20.6.248:8774
mode tcp
log global
server 172.20.6.101 172.20.6.101:8774 check inter 3000 fall 2 rise 5
listen opnestack_nova_port_8778
bind 172.20.6.248:8778
mode tcp
log global
server 172.20.6.101 172.20.6.101:8778 check inter 3000 fall 2 rise 5
root@lb1:~# systemctl restart haproxy
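Every endpoint registered above points at the VIP, so a service is only reachable once haproxy has a matching listen block. The following added example (not from the original notes) cross-checks the ports in the keystone catalog against the ports haproxy binds on the VIP; it assumes the VIP address and name used on this page and feeds in rows and listen blocks copied from the page as constructed samples.

```shell
#!/usr/bin/env bash
# Added example, not part of the original notes: report catalog endpoints whose port
# has no `bind VIP:PORT` in haproxy.cfg, so nothing is published before it is proxied.
# Assumption: VIP address and VIP hostname as used on this page.
VIP="172.20.6.248"
VIP_NAME="openstack-linux36-vip.magedu.net"

# catalog_ports FILE: distinct ports of catalog URLs that use the VIP name
# (FILE is the text of `openstack endpoint list` or `openstack catalog list`).
catalog_ports() {
    grep -o "http://$VIP_NAME:[0-9]*" "$1" | sed 's/.*://' | sort -nu
}

# haproxy_ports FILE: distinct ports bound on the VIP by listen/frontend blocks.
haproxy_ports() {
    awk -v vip="$VIP" '$1 == "bind" { split($2, a, ":"); if (a[1] == vip) print a[2] }' "$1" | sort -nu
}

# unproxied_ports CATALOG_FILE HAPROXY_FILE: catalog ports with no matching bind,
# printed space separated in ascending order (empty when everything is proxied).
unproxied_ports() {
    local p missing=""
    for p in $(catalog_ports "$1"); do
        haproxy_ports "$2" | grep -qx "$p" || missing="$missing $p"
    done
    echo "${missing# }"
}

# Constructed samples: endpoint rows and listen blocks copied from this page.
catalog=$(mktemp); cfg=$(mktemp)
cat > "$catalog" <<'EOF'
| 12935010e2c7496197f550b17fcc8677 | RegionOne | glance    | image     | True | internal | http://openstack-linux36-vip.magedu.net:9292      |
| 27994f9a8bfa44f49cd7a19a8fe81ea2 | RegionOne | placement | placement | True | public   | http://openstack-linux36-vip.magedu.net:8778      |
| 343a5a2993ba45fd8d09e53c0553c0d2 | RegionOne | keystone  | identity  | True | public   | http://openstack-linux36-vip.magedu.net:5000/v3   |
| cabb52a4f8ce4555969aa245cb269390 | RegionOne | nova      | compute   | True | public   | http://openstack-linux36-vip.magedu.net:8774/v2.1 |
| edbd39d70a7c4656a7c63ca579f78e73 | RegionOne | keystone  | identity  | True | admin    | http://openstack-linux36-vip.magedu.net:35357/v3  |
EOF
cat > "$cfg" <<'EOF'
listen stats
    bind 0.0.0.0:9999
listen opnestack_glance_port_9292
    bind 172.20.6.248:9292
    server 172.20.6.101 172.20.6.101:9292 check inter 3000 fall 2 rise 5
listen opnestack_nova_port_8774
    bind 172.20.6.248:8774
listen opnestack_nova_port_8778
    bind 172.20.6.248:8778
EOF
missing=$(unproxied_ports "$catalog" "$cfg")
if [ -z "$missing" ]; then
    echo "every catalog port is proxied"
else
    echo "catalog ports with no haproxy bind on $VIP: $missing"
fi
rm -f "$catalog" "$cfg"
```

On the sample the keystone ports 5000 and 35357 are reported because the excerpt omits their listen blocks; on a live system run it as `unproxied_ports <(openstack endpoint list) /etc/haproxy/haproxy.cfg` after each new service is registered.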
- Install and configure the nova components
4.1 Install the packages
[root@controller1 ~]# yum -y install openstack-nova-api openstack-nova-conductor \
> openstack-nova-console openstack-nova-novncproxy \
> openstack-nova-scheduler openstack-nova-placement-api
4.2 Edit the /etc/nova/nova.conf file and complete the following actions
[root@controller1 ~]# vim /etc/nova/nova.conf
...
[DEFAULT]
enabled_apis = osapi_compute,metadata
use_neutron = True
firewall_driver = nova.virt.firewall.NoopFirewallDriver
transport_url = rabbit://openstack:123456@openstack-linux36-vip.magedu.net
[api]
auth_strategy = keystone
[api_database]
connection = mysql+pymysql://nova:nova123@openstack-linux36-vip.magedu.net/nova_api
[database]
connection = mysql+pymysql://nova:nova123@openstack-linux36-vip.magedu.net/nova
[glance]
api_servers = http://openstack-linux36-vip.magedu.net:9292
[keystone_authtoken]
auth_uri = http://openstack-linux36-vip.magedu.net:5000
auth_url = http://openstack-linux36-vip.magedu.net:35357
memcached_servers = openstack-linux36-vip.magedu.net:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = nova
password = nova
[oslo_concurrency]
lock_path = /var/lib/nova/tmp
[placement]
os_region_name = RegionOne
project_domain_name = Default
project_name = service
auth_type = password
user_domain_name = Default
auth_url = http://openstack-linux36-vip.magedu.net:35357/v3
username = placement
password = placement
[vnc]
enabled = True
vncserver_listen = 172.20.6.101
vncserver_proxyclient_address = 172.20.6.101
4.3 Configure apache to allow access to the Placement API in /etc/httpd/conf.d/00-nova-placement-api.conf
[root@controller1 ~]# vim /etc/httpd/conf.d/00-nova-placement-api.conf
...
<Directory /usr/bin>
<IfVersion >= 2.4>
Require all granted
</IfVersion>
<IfVersion < 2.4>
Order allow,deny
Allow from all
</IfVersion>
</Directory>
- Restart httpd
[root@controller1 ~]# systemctl restart httpd
4.4 Initialize the databases:
- nova_api database
[root@controller1 ~]# su -s /bin/sh -c "nova-manage api_db sync" nova
- nova cell0 database
[root@controller1 ~]# su -s /bin/sh -c "nova-manage cell_v2 map_cell0" nova
- nova cell1 cell
[root@controller1 ~]# su -s /bin/sh -c "nova-manage cell_v2 create_cell --name=cell1 --verbose" nova
bbdadb52-b644-4946-88e4-532cd8b3e649
- nova database
[root@controller1 ~]# su -s /bin/sh -c "nova-manage db sync" nova
/usr/lib/python2.7/site-packages/pymysql/cursors.py:166: Warning: (1831, u'Duplicate index `block_device_mapping_instance_uuid_virtual_name_device_name_idx`. This is deprecated and will be disallowed in a future release.')
result = self._query(query)
/usr/lib/python2.7/site-packages/pymysql/cursors.py:166: Warning: (1831, u'Duplicate index `uniq_instances0uuid`. This is deprecated and will be disallowed in a future release.')
result = self._query(query)
- Verify that nova cell0 and cell1 are registered correctly
[root@controller1 ~]# nova-manage cell_v2 list_cells
+-------+--------------------------------------+
| Name | UUID |
+-------+--------------------------------------+
| cell0 | 00000000-0000-0000-0000-000000000000 |
| cell1 | bbdadb52-b644-4946-88e4-532cd8b3e649 |
+-------+--------------------------------------+
4.5 Start the nova services and configure them to start on boot
[root@controller1 ~]# systemctl start openstack-nova-api.service openstack-nova-consoleauth.service openstack-nova-scheduler.service openstack-nova-conductor.service openstack-nova-novncproxy.service
[root@controller1 ~]# systemctl enable openstack-nova-api.service openstack-nova-consoleauth.service openstack-nova-scheduler.service openstack-nova-conductor.service openstack-nova-novncproxy.service
4.6 Configure the haproxy configuration file
root@lb1:~# vim /etc/haproxy/haproxy.cfg
...
Note: ports 8774 and 8778 were already configured above, so only forwarding for port 6080 is configured here
listen opnestack_nova_port_6080
bind 172.20.6.248:6080
mode tcp
log global
server 172.20.6.101 172.20.6.101:6080 check inter 3000 fall 2 rise 5
root@lb1:~# systemctl restart haproxy
4.7 Script to restart the nova controller services
Since many services are started, write the nova service restart into a script to make later restarts easier
[root@controller1 ~]# vim script/nova-restart.sh
#!/bin/bash
systemctl restart openstack-nova-api.service openstack-nova-consoleauth.service openstack-nova-scheduler.service openstack-nova-conductor.service openstack-nova-novncproxy.service
[root@controller1 ~]# tail -f /var/log/nova/*.log
==> /var/log/nova/nova-novncproxy.log <==
2019-06-25 10:06:57.672 16846 WARNING oslo_reports.guru_meditation_report [-] Guru meditation now registers SIGUSR1 and SIGUSR2 by default for backward compatibility. SIGUSR1 will no longer be registered in a future release, so please use SIGUSR2 to generate reports.
2019-06-25 10:06:57.673 16846 INFO nova.console.websocketproxy [-] WebSocket server settings:
2019-06-25 10:06:57.673 16846 INFO nova.console.websocketproxy [-] - Listen on 0.0.0.0:6080
2019-06-25 10:06:57.674 16846 INFO nova.console.websocketproxy [-] - Flash security policy server
2019-06-25 10:06:57.674 16846 INFO nova.console.websocketproxy [-] - Web server (no directory listings). Web root: /usr/share/novnc
2019-06-25 10:06:57.675 16846 INFO nova.console.websocketproxy [-] - No SSL/TLS support (no cert file)
2019-06-25 10:06:57.675 16846 INFO nova.console.websocketproxy [-] - proxying from 0.0.0.0:6080 to None:None
4.8 View the RabbitMQ connections
4.9 Verify the nova controller
[root@controller1 ~]# nova service-list
+----+------------------+------------------------+----------+---------+-------+----------------------------+-----------------+
| Id | Binary | Host | Zone | Status | State | Updated_at | Disabled Reason |
+----+------------------+------------------------+----------+---------+-------+----------------------------+-----------------+
| 1 | nova-consoleauth | controller1.magedu.net | internal | enabled | up | 2019-06-25T02:20:35.000000 | - |
| 2 | nova-scheduler | controller1.magedu.net | internal | enabled | up | 2019-06-25T02:20:36.000000 | - |
| 3 | nova-conductor | controller1.magedu.net | internal | enabled | up | 2019-06-25T02:20:37.000000 | - |
+----+------------------+------------------------+----------+---------+-------+----------------------------+-----------------+
- Deploy the nova compute nodes
Deploy on the compute node servers
5.1 Install the package
+ Install this package on all compute nodes
[root@computer1 ~]# yum install openstack-nova-compute -y
[root@computer2 ~]# yum install openstack-nova-compute -y
- The final configured /etc/nova/nova.conf on the compute node
[DEFAULT]
enabled_apis = osapi_compute,metadata
transport_url = rabbit://openstack:123456@openstack-linux36-vip.magedu.net
use_neutron = True
firewall_driver = nova.virt.firewall.NoopFirewallDriver
[api]
auth_strategy = keystone
[glance]
api_servers = http://openstack-linux36-vip.magedu.net:9292
[keystone_authtoken]
auth_uri = http://openstack-linux36-vip.magedu.net:5000
auth_url = http://openstack-linux36-vip.magedu.net:35357
memcached_servers = openstack-linux36-vip.magedu.net:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = nova
password = nova
[libvirt]
virt_type = qemu
[oslo_concurrency]
lock_path = /var/lib/nova/tmp
[placement]
os_region_name = RegionOne
project_domain_name = Default
project_name = service
auth_type = password
user_domain_name = Default
auth_url = http://openstack-linux36-vip.magedu.net:35357/v3
username = placement
password = placement
[vnc]
enabled = True
vncserver_listen = 0.0.0.0
vncserver_proxyclient_address = 172.20.6.104
novncproxy_base_url = http://openstack-linux36-vip.magedu.net:6080/vnc_auto.html
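The controller file in 4.2 and the compute-node file above share the same shape, and a missing key or a wrong password in either surfaces only as an auth error once the services start. The following added example (not from the original notes) checks a nova.conf for the keys this deployment relies on and flags service passwords that merely repeat the username, as the nova/nova and placement/placement pairs on this page do.

```shell
#!/usr/bin/env bash
# Added example, not part of the original notes: sanity-check a nova.conf (controller
# or compute node) before the services are started.

# ini_get FILE SECTION KEY: print the value of KEY inside [SECTION] (empty if unset).
# Handles both "key = value" and "key=value" forms.
ini_get() {
    awk -v sec="[$2]" -v key="$3" '
        $0 == sec { inside = 1; next }
        /^\[/     { inside = 0 }
        inside && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# section:key pairs every node in this deployment must set.
REQUIRED="DEFAULT:transport_url DEFAULT:use_neutron api:auth_strategy \
glance:api_servers keystone_authtoken:auth_url keystone_authtoken:password \
placement:auth_url placement:password oslo_concurrency:lock_path"

# check_nova_conf FILE: print one FINDING line per problem; returns 1 if any found.
check_nova_conf() {
    local file="$1" n=0 item sec key user pass
    for item in $REQUIRED; do
        sec="${item%%:*}"; key="${item#*:}"
        if [ -z "$(ini_get "$file" "$sec" "$key")" ]; then
            echo "FINDING [$sec] $key is not set"
            n=$((n + 1))
        fi
    done
    for sec in keystone_authtoken placement; do
        user=$(ini_get "$file" "$sec" username)
        pass=$(ini_get "$file" "$sec" password)
        if [ -n "$pass" ] && [ "$pass" = "$user" ]; then
            echo "FINDING [$sec] password equals the username '$user'; use a generated secret"
            n=$((n + 1))
        fi
    done
    [ "$n" -eq 0 ]
}

# Constructed sample: the compute-node file from this page with the [placement] password left out.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[DEFAULT]
enabled_apis = osapi_compute,metadata
transport_url = rabbit://openstack:123456@openstack-linux36-vip.magedu.net
use_neutron = True
[api]
auth_strategy = keystone
[glance]
api_servers = http://openstack-linux36-vip.magedu.net:9292
[keystone_authtoken]
auth_url = http://openstack-linux36-vip.magedu.net:35357
username = nova
password = nova
[oslo_concurrency]
lock_path = /var/lib/nova/tmp
[placement]
auth_url = http://openstack-linux36-vip.magedu.net:35357/v3
username = placement
EOF
check_nova_conf "$sample" || echo "fix the findings above before starting nova"
rm -f "$sample"
```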
- Confirm whether the compute node supports hardware acceleration
[root@computer1 ~]# egrep -c '(vmx|svm)' /proc/cpuinfo
2
Note: a non-zero value means hardware acceleration is supported
- Write the hostname-to-IP mapping into /etc/hosts
[root@computer1 ~]# vim /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
172.20.6.248 openstack-linux36-vip.magedu.net
- Start the nova compute service and configure it to start on boot
[root@computer1 ~]# systemctl start libvirtd.service openstack-nova-compute.service
[root@computer1 ~]# systemctl enable libvirtd.service openstack-nova-compute.service
- On the controller node, add the compute node to the cell database
[root@controller1 ~]# source script/admin.sh
[root@controller1 ~]# openstack hypervisor list
+----+----------------------+-----------------+--------------+-------+
| ID | Hypervisor Hostname | Hypervisor Type | Host IP | State |
+----+----------------------+-----------------+--------------+-------+
| 1 | computer1.magedu.net | QEMU | 172.20.6.104 | up |
+----+----------------------+-----------------+--------------+-------+
- Discover compute nodes
# Discover with the command
[root@controller1 ~]# su -s /bin/sh -c "nova-manage cell_v2 discover_hosts --verbose" nova
Found 2 cell mappings.
Skipping cell0 since it does not contain hosts.
Getting compute nodes from cell 'cell1': bbdadb52-b644-4946-88e4-532cd8b3e649
Found 1 computes in cell: bbdadb52-b644-4946-88e4-532cd8b3e649
Checking host mapping for compute host 'computer1.magedu.net': f228eb43-8f31-47e2-bf2b-561bc5c5e0c9
Creating host mapping for compute host 'computer1.magedu.net': f228eb43-8f31-47e2-bf2b-561bc5c5e0c9
# Discover periodically (the option belongs in the [scheduler] section)
[root@controller1 ~]# vim /etc/nova/nova.conf
[scheduler]
discover_hosts_in_cells_interval=300
[root@controller1 ~]# bash script/admin.sh
5.2 Deploy the second compute node server
- Once the first compute node is configured, later compute nodes are easy: copy the nova configuration files from the first compute node, make minor changes, and the service can be started
[root@computer2 ~]# yum install openstack-nova-compute -y
[root@computer1 ~]# cd /etc/nova/
[root@computer1 nova]# ls
api-paste.ini nova.conf policy.json release rootwrap.conf
[root@computer1 nova]# tar czvf nova-computer.tar.gz ./*
./api-paste.ini
./nova.conf
./policy.json
./release
./rootwrap.conf
[root@computer1 nova]# ls
api-paste.ini nova-computer.tar.gz nova.conf policy.json release rootwrap.conf
[root@computer1 nova]# scp nova-computer.tar.gz 172.20.6.105:/etc/nova/
- Make minor changes to the configuration file
[root@computer2 ~]# cd /etc/nova/
You have new mail in /var/spool/mail/root
[root@computer2 nova]# ls
api-paste.ini nova-computer.tar.gz nova.conf policy.json release rootwrap.conf
[root@computer2 nova]# tar xf nova-computer.tar.gz
[root@computer2 nova]# vim nova.conf
...
[vnc]
enabled = True
vncserver_listen = 0.0.0.0
vncserver_proxyclient_address = 172.20.6.105    # Note: only this IP address is changed, to the local host's IP
novncproxy_base_url = http://openstack-linux36-vip.magedu.net:6080/vnc_auto.html
[root@computer2 nova]# vim /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
172.20.6.248 openstack-linux36-vip.magedu.net
- Start the nova compute service and configure it to start on boot
[root@computer2 nova]# systemctl start libvirtd.service openstack-nova-compute.service
[root@computer2 nova]# systemctl enable libvirtd.service openstack-nova-compute.service
- Add the compute node to the cell database
[root@controller1 ~]# openstack hypervisor list
+----+----------------------+-----------------+--------------+-------+
| ID | Hypervisor Hostname | Hypervisor Type | Host IP | State |
+----+----------------------+-----------------+--------------+-------+
| 1 | computer1.magedu.net | QEMU | 172.20.6.104 | up |
| 2 | computer2.magedu.net | QEMU | 172.20.6.105 | up |
+----+----------------------+-----------------+--------------+-------+
- Verify the compute nodes
[root@controller1 ~]# nova host-list
+------------------------+-------------+----------+
| host_name | service | zone |
+------------------------+-------------+----------+
| controller1.magedu.net | consoleauth | internal |
| controller1.magedu.net | scheduler | internal |
| controller1.magedu.net | conductor | internal |
| computer1.magedu.net | compute | nova |
| computer2.magedu.net | compute | nova |
+------------------------+-------------+----------+
[root@controller1 ~]# nova service-list
+----+------------------+------------------------+----------+---------+-------+----------------------------+-----------------+
| Id | Binary | Host | Zone | Status | State | Updated_at | Disabled Reason |
+----+------------------+------------------------+----------+---------+-------+----------------------------+-----------------+
| 1 | nova-consoleauth | controller1.magedu.net | internal | enabled | up | 2019-06-25T03:27:57.000000 | - |
| 2 | nova-scheduler | controller1.magedu.net | internal | enabled | up | 2019-06-25T03:27:58.000000 | - |
| 3 | nova-conductor | controller1.magedu.net | internal | enabled | up | 2019-06-25T03:27:58.000000 | - |
| 6 | nova-compute | computer1.magedu.net | nova | enabled | up | 2019-06-25T03:28:01.000000 | - |
| 7 | nova-compute | computer2.magedu.net | nova | enabled | up | 2019-06-25T03:27:55.000000 | - |
+----+------------------+------------------------+----------+---------+-------+----------------------------+-----------------+
[root@controller1 ~]# nova image-list
WARNING: Command image-list is deprecated and will be removed after Nova 15.0.0 is released. Use python-glanceclient or openstackclient instead
+--------------------------------------+--------------+--------+--------+
| ID | Name | Status | Server |
+--------------------------------------+--------------+--------+--------+
| de7350ff-5090-4cda-a950-2817cee72384 | cirros-0.3.4 | ACTIVE | |
+--------------------------------------+--------------+--------+--------+
[root@controller1 ~]# openstack image list
+--------------------------------------+--------------+--------+
| ID | Name | Status |
+--------------------------------------+--------------+--------+
| de7350ff-5090-4cda-a950-2817cee72384 | cirros-0.3.4 | active |
+--------------------------------------+--------------+--------+
- List the service components to verify that they registered successfully
[root@controller1 ~]# openstack compute service list
+----+----------------+----------------+----------+---------+-------+----------------+
| ID | Binary | Host | Zone | Status | State | Updated At |
+----+----------------+----------------+----------+---------+-------+----------------+
| 1 | nova- | controller1.ma | internal | enabled | up | 2019-06-25T03: |
| | consoleauth | gedu.net | | | | 31:07.000000 |
| 2 | nova-scheduler | controller1.ma | internal | enabled | up | 2019-06-25T03: |
| | | gedu.net | | | | 30:58.000000 |
| 3 | nova-conductor | controller1.ma | internal | enabled | up | 2019-06-25T03: |
| | | gedu.net | | | | 30:58.000000 |
| 6 | nova-compute | computer1.mage | nova | enabled | up | 2019-06-25T03: |
| | | du.net | | | | 31:01.000000 |
| 7 | nova-compute | computer2.mage | nova | enabled | up | 2019-06-25T03: |
| | | du.net | | | | 31:05.000000 |
+----+----------------+----------------+----------+---------+-------+----------------+
- Check that cells and the Placement API are working correctly
[root@controller1 ~]# nova-status upgrade check
+---------------------------+
| Upgrade Check Results |
+---------------------------+
| Check: Cells v2 |
| Result: Success |
| Details: None |
+---------------------------+
| Check: Placement API |
| Result: Success |
| Details: None |
+---------------------------+
| Check: Resource Providers |
| Result: Success |
| Details: None |
+---------------------------+
- List the endpoints in the keystone service to verify connectivity to keystone
[root@controller1 ~]# openstack catalog list
+-----------+-----------+------------------------------------------------------------+
| Name | Type | Endpoints |
+-----------+-----------+------------------------------------------------------------+
| glance | image | RegionOne |
| | | internal: http://openstack-linux36-vip.magedu.net:9292 |
| | | RegionOne |
| | | admin: http://openstack-linux36-vip.magedu.net:9292 |
| | | RegionOne |
| | | public: http://openstack-linux36-vip.magedu.net:9292 |
| | | |
| placement | placement | RegionOne |
| | | public: http://openstack-linux36-vip.magedu.net:8778 |
| | | RegionOne |
| | | internal: http://openstack-linux36-vip.magedu.net:8778 |
| | | RegionOne |
| | | admin: http://openstack-linux36-vip.magedu.net:8778 |
| | | |
| keystone | identity | RegionOne |
| | | public: http://openstack-linux36-vip.magedu.net:5000/v3 |
| | | RegionOne |
| | | internal: http://openstack- |
| | | linux36-vip.magedu.net:5000/v3 |
| | | RegionOne |
| | | admin: http://openstack-linux36-vip.magedu.net:35357/v3 |
| | | |
| nova | compute | RegionOne |
| | | admin: http://openstack-linux36-vip.magedu.net:8774/v2.1 |
| | | RegionOne |
| | | public: http://openstack- |
| | | linux36-vip.magedu.net:8774/v2.1 |
| | | RegionOne |
| | | internal: http://openstack- |
| | | linux36-vip.magedu.net:8774/v2.1 |
| | | |
+-----------+-----------+------------------------------------------------------------+
V. Deploy the network service neutron
Building a simple OpenStack service, part 2