Network environment:
M: management network  E: external network  I: instance tunnel network
Prepare four nodes: controller node, network node, compute node, storage node
controller (hostname controller)
M: 10.10.10.154
I: 172.10.0.10
Resources: 8U 8GB 2N 80GB
compute (hostname compute)
M: 10.10.10.182
I: 172.10.0.11
Resources: 8U 8GB 2N 80GB
[Environment screenshot]
In the earlier NAT-mode setup I used four servers, but this time only two are needed. (In theory I think a single machine would also do.)
Virtual router configuration:
Make sure the networks can reach each other:
- Note:
It is recommended to disable the DHCP service. A NIC may show up without a matching ifcfg file; copy the corresponding file over, check which device it maps to with ip addr, and the configuration is done.
Prerequisites (all machines):
# 1. Stop and disable the firewall and NetworkManager
systemctl stop firewalld.service
systemctl disable firewalld.service
systemctl stop NetworkManager
systemctl disable NetworkManager
# 2. Disable SELinux
sed -i 's#SELINUX=enforcing#SELINUX=disabled#g' /etc/selinux/config
grep -n 'SELINUX=' /etc/selinux/config
# 3. Set the hostname
echo 'xxxxxx' > /etc/hostname
hostnamectl set-hostname xxxxxx
# 4. Configure DNS
vi /etc/resolv.conf
nameserver 114.114.114.114
nameserver 8.8.8.8
# 5. Enable the OpenStack repositories
yum -y install yum-plugin-priorities
yum install -y centos-release-openstack-stein
yum upgrade -y
yum -y install openstack-selinux
yum install -y python-openstackclient
# 6. Hostname-to-IP mapping in /etc/hosts
vi /etc/hosts
10.10.10.154 controller
10.10.10.182 compute
# 7. Install time synchronisation
# 1. Install the package
yum install -y chrony
# 2. Allow the other nodes to connect to the chrony daemon on the controller node
echo 'allow 10.10.10.0/24' >> /etc/chrony.conf
Replace the original server entries with:
server ntp1.aliyun.com iburst
server ntp2.aliyun.com iburst
server ntp3.aliyun.com iburst
server ntp4.aliyun.com iburst
# 3. Start the NTP service and enable it at boot
systemctl enable chronyd.service
systemctl start chronyd.service
# 4. Set the time zone
timedatectl set-timezone Asia/Shanghai
# 5. Check the time
timedatectl status
[Screenshot: chrony.conf after switching to the Alibaba Cloud time servers]
- Install the OpenStack repository and the OpenStack client
yum install -y centos-release-openstack-stein
yum install -y python-openstackclient
yum upgrade -y
- Note: this is a good point to take a snapshot
KeyStone (controller node)
Authentication process
Authentication mechanism between services
Role binding
What is pre-installed on the controller node
1. Install MariaDB
# 1. Install the packages
yum install -y mariadb mariadb-server MySQL-python
# 2. Configure
vim /etc/my.cnf.d/mariadb-server.cnf # add the following lines under the [mysqld] section
default-storage-engine = innodb
innodb_file_per_table = on
collation-server = utf8_general_ci
init-connect = 'SET NAMES utf8'
character-set-server = utf8
# 3. Start the database service and enable it at boot
systemctl start mariadb.service
systemctl enable mariadb.service
# 4. Harden the database (set the root user's password)
mysql_secure_installation
The MySQL root password is set to 123456
2. Install Memcached
# 1. Install the packages
yum install -y memcached python-memcached
# 2. Change the listen address (memcached has no authentication of its own, so a 0.0.0.0 listener should only be reachable from the management network)
sed -i 's/127.0.0.1/0.0.0.0/' /etc/sysconfig/memcached
# 3. Start and enable at boot
systemctl start memcached.service
systemctl enable memcached.service
# 4. Test
printf "set foo 0 0 3\r\nbar\r\n"|nc controller 11211 # store a value; requires yum install -y nc
printf "get foo\r\n"|nc controller 11211 # read it back; run this test from the compute node as well
3. Install the message queue
# 1. Install
yum install -y rabbitmq-server
# 2. Start
systemctl enable rabbitmq-server.service
systemctl start rabbitmq-server.service
# 3. Create the user
rabbitmqctl add_user openstack openstack
# 4. Grant permissions
rabbitmqctl set_permissions openstack ".*" ".*" ".*"
# 5. Enable the web management UI
rabbitmq-plugins list # list the available RabbitMQ plugins
rabbitmq-plugins enable rabbitmq_management # enable the web management UI
# 6. Log in from a browser
# Open http://192.168.1.5:15672/ in the browser
# Username and password are both guest (the first login must use this account)
# 7. In the browser, set the Tags of the openstack user just created to administrator
# Click Admin -> click openstack in the Users list -> under Update this user enter openstack twice as the password (a password is mandatory, so we reuse the existing one), set Tags to administrator -> click Update user
# The RabbitMQ openstack user's password is set to openstack
KEYSTONE installation (controller node)
Every service's MySQL username and password follow the pattern <service>_user / <service>_pass, for example keystone_user / keystone_pass
1. Database configuration
# Create the keystone database and grant privileges
-- 1. Log in to the database server
mysql -uroot -p
-- 2. Create the database
create database keystone;
-- 3. Create the user and grant privileges
grant all privileges on keystone.* to keystone_user@controller identified by 'keystone_pass';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone_user'@'localhost' IDENTIFIED BY 'keystone_pass';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone_user'@'%' IDENTIFIED BY 'keystone_pass';
# The three grants are there to rule out MySQL access-permission problems; the last two alone are enough, so use whichever your setup needs
-- 4. Reload the privileges
flush privileges;
-- 5. Exit the session
quit;
2. Install the packages
yum install -y openstack-keystone httpd mod_wsgi
3. Edit the configuration file
# 1. Back up the original file and strip comments and blank lines
sed -i.default -e '/^#/d' -e '/^$/d' /etc/keystone/keystone.conf
# 2. Edit the sections as follows: vim /etc/keystone/keystone.conf
[database]
connection = mysql+pymysql://keystone_user:keystone_pass@controller/keystone
[token]
provider = fernet
# Keystone offers three token providers: UUID, PKI/PKIZ and Fernet.
See https://docs.openstack.org/ocata/config-reference/identity/token-provider.html
4. Populate the database
su -s /bin/sh -c "keystone-manage db_sync" keystone
5. Initialise the Fernet key repositories
keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
6. Bootstrap the Keystone admin account
keystone-manage bootstrap --bootstrap-password admin_pass \
--bootstrap-admin-url http://controller:5000/v3/ \
--bootstrap-internal-url http://controller:5000/v3/ \
--bootstrap-public-url http://controller:5000/v3/ \
--bootstrap-region-id RegionOne
7. Configure and start the Apache HTTP server
# 1. Set ServerName
sed -i '/#ServerName/aServerName controller:80' /etc/httpd/conf/httpd.conf
# 2. Link the keystone configuration file
ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
# 3. Start and enable at boot
systemctl start httpd.service
systemctl enable httpd.service
# 4. Export the admin account environment variables
export OS_USERNAME=admin
export OS_PASSWORD=admin_pass
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
Create a domain, project, user and role
1. Create a new domain.
openstack domain create --description "An Example Domain" example
2. Create the service project.
openstack project create --domain default --description "Service Project" service
3. Regular (non-admin) tasks should use an unprivileged project and user
# 1. Create the project
openstack project create --domain default --description "Demo Project" myproject
# 2. Create the user
openstack user create --domain default --password myuser_pass myuser
# 3. Create the role
openstack role create myrole
# 4. Assign the role to the user on the project
openstack role add --project myproject --user myuser myrole
Verify Keystone
1. Unset the temporary OS_AUTH_URL and OS_PASSWORD variables
unset OS_AUTH_URL OS_PASSWORD
2. Verify myuser; the password is myuser_pass
openstack --os-auth-url http://controller:5000/v3 \
--os-project-domain-name Default --os-user-domain-name Default \
--os-project-name myproject --os-username myuser token issue
Create the client environment scripts
1. Create the scripts
# 1. Go to the home directory
cd ~
# 2. Create the OpenStack client environment script for the admin user
cat >admin-openrc<<EOF
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=admin_pass
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
EOF
# 3. Create the OpenStack client environment script for myuser
cat >demo-openrc<<EOF
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=myproject
export OS_USERNAME=myuser
export OS_PASSWORD=myuser_pass
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
EOF
2. Verify the scripts
# 1. Load the environment variables
cd ~
. admin-openrc
# 2. Request an authentication token
openstack token issue
GLANCE (controller node)
Workflow
Create the Glance database
1. Log in to the database.
mysql -u root -p
2. Create the glance database.
CREATE DATABASE glance;
3. Grant privileges so that both local and remote hosts can reach MySQL; 'glance_pass' is the password of the glance_user database account.
GRANT ALL PRIVILEGES ON glance.* TO 'glance_user'@'localhost' IDENTIFIED BY 'glance_pass';
GRANT ALL PRIVILEGES ON glance.* TO 'glance_user'@'%' IDENTIFIED BY 'glance_pass';
grant all privileges on glance.* to glance_user@controller identified by 'glance_pass';
flush privileges;
quit;
Create the role and user
Load the Keystone admin credentials
. admin-openrc
Create the Glance service credentials
# 1. Create the glance user
openstack user create --domain default --password glance_pass glance
# 2. Add the glance user to the service project with the admin role
openstack role add --project service --user glance admin
# 3. Create the glance service entity
openstack service create --name glance --description "OpenStack Image" image
Create the Glance service API endpoints
# 1. Create the public Glance API endpoint
openstack endpoint create --region RegionOne image public http://controller:9292
# 2. Create the internal Glance API endpoint
openstack endpoint create --region RegionOne image internal http://controller:9292
# 3. Create the admin Glance API endpoint
openstack endpoint create --region RegionOne image admin http://controller:9292
Installation and configuration
Install the package
yum install -y openstack-glance
Edit glance-api.conf
# 1. Back up the original file and strip comments and blank lines
sed -i.default -e '/^#/d' -e '/^$/d' /etc/glance/glance-api.conf
# 2. Edit the sections as follows: vim /etc/glance/glance-api.conf
[database]
connection = mysql+pymysql://glance_user:glance_pass@controller/glance
[glance_store]
stores = file,http
default_store = file
filesystem_store_datadir = /var/lib/glance/images/
[keystone_authtoken]
www_authenticate_uri = http://controller:5000
auth_url = http://controller:5000
memcached_servers = controller:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = glance
password = glance_pass
[paste_deploy]
flavor = keystone
Edit glance-registry.conf
# 1. Back up the original file and strip comments and blank lines
sed -i.default -e '/^#/d' -e '/^$/d' /etc/glance/glance-registry.conf
# 2. Edit the sections as follows: vim /etc/glance/glance-registry.conf
[database]
connection = mysql+pymysql://glance_user:glance_pass@controller/glance
[keystone_authtoken]
www_authenticate_uri = http://controller:5000
auth_url = http://controller:5000
memcached_servers = controller:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = glance
password = glance_pass
[paste_deploy]
flavor = keystone
Populate the database
su -s /bin/sh -c "glance-manage db_sync" glance
Start and enable at boot
systemctl start openstack-glance-api.service openstack-glance-registry.service
systemctl enable openstack-glance-api.service openstack-glance-registry.service
Verify Glance
cd ~
. admin-openrc
Download the image.
Change into /var/lib/glance/images
wget http://download.cirros-cloud.net/0.4.0/cirros-0.4.0-x86_64-disk.img
Upload the image to Glance.
openstack image create "cirros" --file cirros-0.4.0-x86_64-disk.img --disk-format qcow2 --container-format bare --public
Confirm the uploaded image and its properties.
openstack image list
Placement (controller node)
Resource accounting used to be done inside Nova; since the Newton release it has been split out of Nova into the separate Placement project
Create the Placement database
mysql -u root -p
create database placement;
grant all privileges on placement.* to 'placement_user'@'controller' identified by 'placement_pass';
GRANT ALL PRIVILEGES ON placement.* TO 'placement_user'@'localhost' IDENTIFIED BY 'placement_pass';
GRANT ALL PRIVILEGES ON placement.* TO 'placement_user'@'%' IDENTIFIED BY 'placement_pass';
flush privileges;
quit;
Load the Keystone admin credentials
cd ~
. admin-openrc
Create the Placement service credentials
# 1. Create the placement user with the password placement_pass
openstack user create --domain default --password placement_pass placement
# 2. Add the admin role to the placement user on the service project
openstack role add --project service --user placement admin
# 3. Create the placement service entity
openstack service create --name placement --description "Placement API" placement
Create the Placement service API endpoints
openstack endpoint create --region RegionOne placement public http://controller:8778
openstack endpoint create --region RegionOne placement internal http://controller:8778
openstack endpoint create --region RegionOne placement admin http://controller:8778
Installation and configuration
Install the package
yum install -y openstack-placement-api
Edit placement.conf
# 1. Back up the original file and strip comments and blank lines
sed -i.default -e '/^#/d' -e '/^$/d' /etc/placement/placement.conf
# 2. Edit the sections as follows: vim /etc/placement/placement.conf
[api]
auth_strategy = keystone
[keystone_authtoken]
auth_url = http://controller:5000/v3
memcached_servers = controller:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = placement
password = placement_pass
[placement_database]
connection = mysql+pymysql://placement_user:placement_pass@controller/placement
Populate the database
su -s /bin/sh -c "placement-manage db sync" placement
Allow other components to access the Placement API
# 1. Edit the Apache HTTP server configuration
cat >>/etc/httpd/conf.d/00-placement-api.conf<<EOF
<Directory /usr/bin>
<IfVersion >= 2.4>
Require all granted
</IfVersion>
<IfVersion < 2.4>
Order allow,deny
Allow from all
</IfVersion>
</Directory>
EOF
# 2. Restart the Apache HTTP server so the change takes effect
systemctl restart httpd
Check the Placement installation
placement-status upgrade check
Install pip
yum install -y epel-release
yum install -y python-pip
rm -rf /etc/yum.repos.d/epel.repo /etc/yum.repos.d/epel-testing.repo
Run the following commands against the Placement API:
1. Install the osc-placement plugin.
pip install osc-placement
2. List the available resource classes and traits.
openstack --os-placement-api-version 1.2 resource class list --sort-column name
openstack --os-placement-api-version 1.6 trait list --sort-column name
Nova
Execution flow
Internal communication mechanism
Interaction with other components
Instance boot flow
Controller node steps
Note: for this part I followed the Huawei deployment guide, the official OpenStack installation guide and a few deployment write-ups found online. Huawei's guide adds the installation of QEMU and libvirt, which I have not seen in any other version, so I skip it; if you need it, see https://support.huaweicloud.com/dpmg-kunpengcpfs/kunpengopenstackstein_04_0010.html
- Create the Nova databases
# 1. Create the databases
create database nova_api;
create database nova;
create database nova_cell0;
# 2. Grant privileges
grant all privileges on nova_api.* to 'nova_user'@'controller' identified by 'nova_pass';
grant all privileges on nova.* to 'nova_user'@'controller' identified by 'nova_pass';
grant all privileges on nova_cell0.* to 'nova_user'@'controller' identified by 'nova_pass';
# 3. Reload the privileges
flush privileges;
- Create the Nova service credentials
cd ~
. admin-openrc
# 1. Create the nova user
openstack user create --domain default --password nova_pass nova
# 2. Add the admin role to the nova user on the service project
openstack role add --project service --user nova admin
# 3. Create the nova service entity
openstack service create --name nova --description "OpenStack Compute" compute
# 4. Create the Nova service API endpoints
openstack endpoint create --region RegionOne compute public http://controller:8774/v2.1
openstack endpoint create --region RegionOne compute internal http://controller:8774/v2.1
openstack endpoint create --region RegionOne compute admin http://controller:8774/v2.1
- Install Nova
yum install -y openstack-nova-api openstack-nova-conductor openstack-nova-novncproxy openstack-nova-scheduler
- Edit nova.conf
# 1. Back up the original file and strip comments and blank lines
sed -i.default -e '/^#/d' -e '/^$/d' /etc/nova/nova.conf
# 2. Edit the sections as follows: vim /etc/nova/nova.conf
[DEFAULT]
enabled_apis = osapi_compute,metadata
transport_url = rabbit://openstack:openstack@controller
my_ip = 10.10.10.154
use_neutron = true
firewall_driver = nova.virt.firewall.NoopFirewallDriver
rpc_backend=rabbit
[api]
auth_strategy = keystone
[api_database]
connection = mysql+pymysql://nova_user:nova_pass@controller/nova_api
[database]
connection = mysql+pymysql://nova_user:nova_pass@controller/nova
[glance]
api_servers = http://controller:9292
[keystone_authtoken]
auth_url = http://controller:5000/v3
memcached_servers = controller:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = nova
password = nova_pass
[placement]
region_name = RegionOne
project_domain_name = Default
project_name = service
auth_type = password
user_domain_name = Default
auth_url = http://controller:5000/v3
username = placement
password = placement_pass
[vnc]
enabled = true
server_listen = $my_ip
server_proxyclient_address = $my_ip
- Populate the nova-api database
su -s /bin/sh -c "nova-manage api_db sync" nova
- Register the cell0 database
su -s /bin/sh -c "nova-manage cell_v2 map_cell0" nova
- Create the cell1 cell
su -s /bin/sh -c "nova-manage cell_v2 create_cell --name=cell1 --verbose" nova
- Populate the nova database
su -s /bin/sh -c "nova-manage db sync" nova
- Verify that cell0 and cell1 are registered
su -s /bin/sh -c "nova-manage cell_v2 list_cells" nova
- Start and enable at boot
systemctl start openstack-nova-api.service openstack-nova-scheduler.service \
openstack-nova-conductor.service openstack-nova-novncproxy.service
systemctl enable openstack-nova-api.service openstack-nova-scheduler.service \
openstack-nova-conductor.service openstack-nova-novncproxy.service
Compute node steps
- Check whether the CPU supports hardware virtualization
egrep -c '(vmx|svm)' /proc/cpuinfo # a result of 1 or more means it is supported
- Install the package
yum install -y openstack-nova-compute
- Edit nova.conf
# 1. Back up the original file and strip comments and blank lines
sed -i.default -e '/^#/d' -e '/^$/d' /etc/nova/nova.conf
# 2. Edit the sections as follows: vim /etc/nova/nova.conf
[DEFAULT]
enabled_apis = osapi_compute,metadata
transport_url = rabbit://openstack:openstack@controller
my_ip = 10.10.10.182
use_neutron = true
firewall_driver = nova.virt.firewall.NoopFirewallDriver
[api]
auth_strategy = keystone
[keystone_authtoken]
auth_url = http://controller:5000/v3
memcached_servers = controller:11211
auth_type = password
project_domain_name = Default
user_domain_name = Default
project_name = service
username = nova
password = nova_pass
[vnc]
enabled = true
server_listen = 0.0.0.0
server_proxyclient_address = $my_ip
novncproxy_base_url = http://controller:6080/vnc_auto.html
vncserver_proxyclient_address = $my_ip
[glance]
api_servers = http://controller:9292
[oslo_concurrency]
lock_path = /var/lib/nova/tmp
# The Huawei guide also puts a placement section on the compute node, which the official guide does not include
[placement]
region_name = RegionOne
project_domain_name = Default
project_name = service
auth_type = password
user_domain_name = Default
auth_url = http://controller:5000/v3
username = placement
password = placement_pass
[libvirt]
# kvm or qemu can be used here; qemu is for hosts without hardware virtualization
virt_type = qemu
- Start and enable at boot
systemctl start libvirtd.service openstack-nova-compute.service
systemctl enable libvirtd.service openstack-nova-compute.service
Add the compute node on the controller node
- Load the Keystone admin credentials
cd ~
. admin-openrc
- Add the compute node to the cell database
openstack compute service list --service nova-compute
- Discover compute hosts
# Manual discovery
su -s /bin/sh -c "nova-manage cell_v2 discover_hosts --verbose" nova
# Periodic automatic discovery
# 1. Edit /etc/nova/nova.conf
[scheduler]
discover_hosts_in_cells_interval=300
# 2. Restart the nova services
systemctl restart openstack-nova-api.service openstack-nova-scheduler.service \
openstack-nova-conductor.service openstack-nova-novncproxy.service
Neutron
Execution flow
How Neutron and Nova work together
Neutron components
Layer 3 network structure
Controller deployment steps
- Create the database and grant privileges
mysql -u root -p
create database neutron;
grant all privileges on neutron.* to 'neutron_user'@'controller' identified by 'neutron_pass';
GRANT ALL PRIVILEGES ON neutron.* TO 'neutron_user'@'localhost' IDENTIFIED BY 'neutron_pass';
GRANT ALL PRIVILEGES ON neutron.* TO 'neutron_user'@'%' IDENTIFIED BY 'neutron_pass';
flush privileges;
quit;
- Load the Keystone admin credentials
cd ~
. admin-openrc
- Create the Neutron service credentials
openstack user create --domain default --password neutron_pass neutron
openstack role add --project service --user neutron admin
openstack service create --name neutron --description "OpenStack Networking" network
- Create the Neutron service API endpoints
openstack endpoint create --region RegionOne network public http://controller:9696
openstack endpoint create --region RegionOne network internal http://controller:9696
openstack endpoint create --region RegionOne network admin http://controller:9696
- Installation and configuration
yum install -y openstack-neutron openstack-neutron-ml2 openstack-neutron-linuxbridge ebtables
- Edit neutron.conf
# 1. Back up the original file and strip comments and blank lines
sed -i.default -e '/^#/d' -e '/^$/d' /etc/neutron/neutron.conf
# 2. Edit the sections as follows: vim /etc/neutron/neutron.conf
[DEFAULT]
core_plugin = ml2
service_plugins = router
allow_overlapping_ips = true
transport_url = rabbit://openstack:openstack@controller
auth_strategy = keystone
notify_nova_on_port_status_changes = true
notify_nova_on_port_data_changes = true
[database]
connection = mysql+pymysql://neutron_user:neutron_pass@controller/neutron
[keystone_authtoken]
www_authenticate_uri = http://controller:5000
auth_url = http://controller:5000
memcached_servers =controller:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = neutron
password = neutron_pass
[oslo_concurrency]
lock_path = /var/lib/neutron/tmp
[nova]
auth_url = http://controller:5000
auth_type = password
project_domain_name = default
user_domain_name = default
region_name = RegionOne
project_name = service
username = nova
password = nova_pass
- Configure the Modular Layer 2 (ML2) plugin
# 1. Back up the original file and strip comments and blank lines
sed -i.default -e '/^#/d' -e '/^$/d' /etc/neutron/plugins/ml2/ml2_conf.ini
# 2. Edit the sections as follows: vim /etc/neutron/plugins/ml2/ml2_conf.ini
[ml2]
type_drivers = flat,vlan,vxlan
tenant_network_types = vxlan
mechanism_drivers = linuxbridge,l2population
extension_drivers = port_security
[ml2_type_flat]
flat_networks = provider
[ml2_type_vxlan]
vni_ranges = 1:1000
[securitygroup]
enable_ipset = true
- Configure the Linux bridge agent
# 1. Back up the original file and strip comments and blank lines
sed -i.default -e '/^#/d' -e '/^$/d' /etc/neutron/plugins/ml2/linuxbridge_agent.ini
# 2. Edit the sections as follows: vim /etc/neutron/plugins/ml2/linuxbridge_agent.ini
[linux_bridge]
# provider maps to the NIC of the internal instance network (keep comments on their own line; the value must not carry a trailing comment)
physical_interface_mappings = provider:ens224
[vxlan]
enable_vxlan = false
[securitygroup]
enable_security_group = true
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
Note: ens37 is the NIC on the instance network, not the management network NIC
- Make sure the Linux kernel supports bridge filtering
# Add the following to /etc/sysctl.conf, then save and exit:
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
# Run the following commands to load the bridge filter module:
modprobe br_netfilter
sysctl -p
sed -i '$amodprobe br_netfilter' /etc/rc.local
- Configure the layer-3 agent (from the official OpenStack guide)
sed -i.default -e '/^#/d' -e '/^$/d' /etc/neutron/l3_agent.ini
# Edit /etc/neutron/l3_agent.ini and, in the [DEFAULT] section, configure the Linux bridge interface driver and the external network bridge:
[DEFAULT]
...
interface_driver = neutron.agent.linux.interface.BridgeInterfaceDriver
external_network_bridge =
- Configure the DHCP agent
# 1. Back up the original file and strip comments and blank lines
sed -i.default -e '/^#/d' -e '/^$/d' /etc/neutron/dhcp_agent.ini
# 2. Edit the sections as follows: vim /etc/neutron/dhcp_agent.ini
[DEFAULT]
interface_driver = linuxbridge
dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq
enable_isolated_metadata = true
- Configure the metadata agent
# 1. Back up the original file and strip comments and blank lines
sed -i.default -e '/^#/d' -e '/^$/d' /etc/neutron/metadata_agent.ini
# 2. Edit the sections as follows: vim /etc/neutron/metadata_agent.ini
[DEFAULT]
nova_metadata_host = controller
metadata_proxy_shared_secret = metadata_secret
- Configure the [neutron] section of /etc/nova/nova.conf
[neutron]
url = http://controller:9696
auth_url = http://controller:5000
auth_type = password
project_domain_name = default
user_domain_name = default
region_name = RegionOne
project_name = service
username = neutron
password = neutron_pass
service_metadata_proxy = true
metadata_proxy_shared_secret = metadata_secret
- Create the symlink that the networking service initialization scripts expect
ln -s /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini
- Populate the database
su -s /bin/sh -c "neutron-db-manage --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugins/ml2/ml2_conf.ini upgrade head" neutron
- Restart the Compute API service
systemctl restart openstack-nova-api.service
- Start the networking services and enable them at boot
systemctl start neutron-server.service \
neutron-linuxbridge-agent.service \
neutron-dhcp-agent.service \
neutron-metadata-agent.service
systemctl enable neutron-server.service \
neutron-linuxbridge-agent.service \
neutron-dhcp-agent.service \
neutron-metadata-agent.service
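The controller steps above edit several files that must agree with each other: the metadata_proxy_shared_secret in nova.conf [neutron] and in metadata_agent.ini, and the RabbitMQ transport_url in nova.conf and neutron.conf. As an added example (not part of the original guide or of OpenStack), the script below reads these INI-style files and checks those pairs; ini_get, check_same, run_checks and write_sample_configs are names of this example, and the three sample files are constructed inline from the values used in this guide.

```shell
#!/usr/bin/env bash
# Added example, not from the original guide: a minimal INI reader plus a
# consistency check for values that must agree across the files edited above.
# The sample files are constructed here from the values used in this guide.
set -eu

# ini_get FILE SECTION KEY -> prints the value, or nothing if the key is absent.
ini_get() {
  awk -v sec="[$2]" -v key="$3" '
    $0 == sec { in_sec = 1; next }
    /^\[/     { in_sec = 0 }
    in_sec && $0 ~ ("^[ \t]*" key "[ \t]*=") {
      sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
    }' "$1"
}

# check_same FILE1 SEC1 KEY1 FILE2 SEC2 KEY2 -> 0 if both values exist and are equal.
check_same() {
  local a b
  a=$(ini_get "$1" "$2" "$3")
  b=$(ini_get "$4" "$5" "$6")
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# run_checks DIR -> 0 when every cross-file value agrees, 1 otherwise.
# Checks the metadata proxy secret shared by nova.conf and metadata_agent.ini,
# and the RabbitMQ transport_url shared by nova.conf and neutron.conf.
run_checks() {
  local d=$1 rc=0
  check_same "$d/nova.conf" neutron metadata_proxy_shared_secret \
             "$d/metadata_agent.ini" DEFAULT metadata_proxy_shared_secret ||
    { echo "metadata_proxy_shared_secret differs between nova.conf and metadata_agent.ini"; rc=1; }
  check_same "$d/nova.conf" DEFAULT transport_url \
             "$d/neutron.conf" DEFAULT transport_url ||
    { echo "transport_url differs between nova.conf and neutron.conf"; rc=1; }
  return "$rc"
}

# write_sample_configs DIR [AGENT_SECRET] -> constructed copies of the three files,
# reduced to the keys the check reads; AGENT_SECRET lets the demo inject a mismatch.
write_sample_configs() {
  local d=$1 secret=${2:-metadata_secret}
  cat >"$d/nova.conf" <<'EOF'
[DEFAULT]
enabled_apis = osapi_compute,metadata
transport_url = rabbit://openstack:openstack@controller
[neutron]
url = http://controller:9696
service_metadata_proxy = true
metadata_proxy_shared_secret = metadata_secret
EOF
  cat >"$d/neutron.conf" <<'EOF'
[DEFAULT]
core_plugin = ml2
transport_url = rabbit://openstack:openstack@controller
EOF
  cat >"$d/metadata_agent.ini" <<EOF
[DEFAULT]
nova_metadata_host = controller
metadata_proxy_shared_secret = $secret
EOF
}

# Stand-alone demo: the matching set passes, then a changed agent secret is caught.
demo_dir=$(mktemp -d)
write_sample_configs "$demo_dir"
run_checks "$demo_dir" && echo "all cross-file values agree"
write_sample_configs "$demo_dir" wrong_secret
run_checks "$demo_dir" || echo "mismatch detected (exit $?)"
rm -rf "$demo_dir"
```

Pointing run_checks at a directory holding the real /etc/nova/nova.conf, /etc/neutron/neutron.conf and /etc/neutron/metadata_agent.ini (copied, or via symlinks) gives the same check against a live controller.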
Install Neutron on the compute node (the same on every compute node)
- Install the packages
yum install -y openstack-neutron-linuxbridge ebtables ipset
- Edit neutron.conf
# 1. Back up the original file and strip comments and blank lines
sed -i.default -e '/^#/d' -e '/^$/d' /etc/neutron/neutron.conf
# 2. Edit the sections as follows: vim /etc/neutron/neutron.conf
[DEFAULT]
transport_url = rabbit://openstack:openstack@controller
auth_strategy = keystone
[keystone_authtoken]
www_authenticate_uri = http://controller:5000
auth_url = http://controller:5000
memcached_servers =controller:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = neutron
password = neutron_pass
[oslo_concurrency]
lock_path = /var/lib/neutron/tmp
- Configure the Linux bridge agent
# 1. Back up the original file and strip comments and blank lines
sed -i.bak -e '/^#/d' -e '/^$/d' /etc/neutron/plugins/ml2/linuxbridge_agent.ini
# 2. Edit the sections as follows: vim /etc/neutron/plugins/ml2/linuxbridge_agent.ini
[linux_bridge]
physical_interface_mappings = provider:eno33554984
[vxlan]
enable_vxlan = false
[securitygroup]
enable_security_group = true
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
- Make sure the Linux kernel supports bridge filtering
# 1. Add the settings
cat >>/etc/sysctl.conf<<EOF
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
EOF
# 2. Load the module
modprobe br_netfilter
# 3. Apply
sysctl -p
- Edit /etc/nova/nova.conf
# 1. Back up the original file and strip comments and blank lines (note that this overwrites the nova.conf.default backup taken in the earlier compute-node step with the already edited file)
sed -i.default -e '/^#/d' -e '/^$/d' /etc/nova/nova.conf
# 2. Edit the sections as follows: vim /etc/nova/nova.conf
[neutron]
url = http://controller:9696
auth_url = http://controller:5000
auth_type = password
project_domain_name = default
user_domain_name = default
region_name = RegionOne
project_name = service
username = neutron
password = neutron_pass
- Restart the services
systemctl restart openstack-nova-compute.service
systemctl enable neutron-linuxbridge-agent.service
systemctl start neutron-linuxbridge-agent.service
openstack extension list --network
openstack network agent list # note: there should be 4 agents in total, two of them Linux bridge agents, which means it worked
Create the network (controller node)
- Load the Keystone admin credentials
cd ~
. admin-openrc
- Create the network
openstack network create --share --external \
--provider-physical-network provider \
--provider-network-type flat provider
openstack network list # list the networks
- Create the subnet
openstack subnet create --network provider \
--allocation-pool start=172.16.0.100,end=172.16.0.200 \
--dns-nameserver 172.16.0.2 --gateway 172.16.0.11 \
--subnet-range 172.16.0.0/24 provider-sub
openstack subnet list
- Create a flavor
openstack flavor create --id 0 --vcpus 1 --ram 64 --disk 1 m1.nano
# openstack flavor create: create a flavor
# --id: flavor ID
# --vcpus: number of vCPUs
# --ram: 64 (the default unit is MB; it can also be written in G)
# --disk: disk size (the default unit is GB)
Create an instance
- Load the demo user's credentials
cd ~
. demo-openrc
- Generate a key pair
ssh-keygen -q -N ""
- Register the public key with OpenStack
openstack keypair create --public-key ~/.ssh/id_rsa.pub mykey
- Verify that the key pair was created
nova keypair-list
- Add security group rules
# Allow ICMP (ping)
openstack security group rule create --proto icmp default
# Allow secure shell (SSH) access
openstack security group rule create --proto tcp --dst-port 22 default
- Look up the information needed to create an instance
openstack flavor list
openstack image list
openstack network list
openstack security group list
openstack keypair list
- Create and boot the instance
openstack server create --flavor m1.nano --image cirros \
--nic net-id=9e07c3d5-9a9e-496c-90b6-ba294f8b0699 \
--security-group default \
--key-name mykey hello-instance
# --flavor: flavor name
# --image: image name
# --nic: the network ID from the openstack network list output above (the network ID, not the subnet ID)
# --security-group: security group name
- Check the instance status
[root@controller ~]# openstack server list
+--------------------------------------+----------------+--------+---------------------+--------+---------+
| ID | Name | Status | Networks | Image | Flavor |
+--------------------------------------+----------------+--------+---------------------+--------+---------+
| 0d94ce6d-ae08-4ace-a183-3ecd44ccba56 | hello-instance | ACTIVE | provider=10.0.0.138 | cirros | m1.nano |
+--------------------------------------+----------------+--------+---------------------+--------+---------+
Dashboard (controller node)
- Install
yum install -y openstack-dashboard
- Edit /etc/openstack-dashboard/local_settings
sed -i.bak -e '/^#/d' -e '/^$/d' /etc/openstack-dashboard/local_settings
# Configure the dashboard on the controller node to use the OpenStack services
OPENSTACK_HOST = "controller"
# Allow all hosts to access the dashboard (outside a lab, list the controller's real hostnames here instead of '*')
ALLOWED_HOSTS = ['*', ]
# Configure the memcached session storage service
SESSION_ENGINE = 'django.contrib.sessions.backends.cache'
CACHES = {
'default': {
'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache',
'LOCATION': 'controller:11211',
}
}
# Enable the Identity API version 3
OPENSTACK_KEYSTONE_URL = "http://%s:5000/v3" % OPENSTACK_HOST
# Enable support for domains
OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True
# Configure the API versions:
OPENSTACK_API_VERSIONS = {
"identity": 3,
"image": 2,
"volume": 2,
}
OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = "default"
OPENSTACK_KEYSTONE_DEFAULT_ROLE = "user"
OPENSTACK_NEUTRON_NETWORK = {
'enable_router': False,
'enable_quotas': False,
'enable_distributed_router': False,
'enable_ha_router': False,
'enable_lb': False,
'enable_firewall': False,
'enable_vpn': False,
'enable_fip_topology_check': False,
}
TIME_ZONE = "Asia/Shanghai"
- Restart the services
systemctl restart httpd.service memcached.service
Access URL: http://10.10.10.154/dashboard/  domain: default  account: admin / admin_pass