1. Deploying OpenStack Mitaka on CentOS 7
OpenStack environment configuration and Keystone identity service installation guide. This article walks through the basic configuration of an OpenStack environment: setting up a local yum repository, installing the chrony time synchronisation service, installing the database (MariaDB) and message queue (RabbitMQ) services, and installing the Memcached cache service. It then focuses on the installation of the Keystone identity service: creating the database and granting privileges, installing the Keystone packages, editing the configuration file (by hand or with openst
Reference: the official documentation at https://docs.openstack.org/mitaka/zh_CN/install-guide-rdo/keystone-openrc.html
Configuring the yum repository
Upload the repo archive to /opt on every node, extract it, and point yum at it:

vim /etc/yum.repos.d/local.repo
[openstack]
name=openstack
baseurl=file:///opt/repo
gpgcheck=0
yum makecache
Note that gpgcheck=0 turns off package signature verification for this repository, so yum will install whatever is in /opt/repo without checking who built it. That is only acceptable because the archive came from a trusted source and was copied to the nodes over a trusted channel; do not reuse this setting for a network mirror.
Installing the basic services
Configuring the time server
On the controller node:
vim /etc/chrony.conf
(Following the official guide: point the controller at an upstream NTP server with a "server NTP_SERVER iburst" line and permit the management subnet with an "allow" line, so the other nodes can synchronise from it.)
systemctl restart chronyd
On the compute nodes:
vim /etc/chrony.conf
(Point them at the controller with "server controller iburst".)
systemctl restart chronyd
All that matters is that the nodes' clocks agree: Keystone tokens carry expiry timestamps, so a node whose clock drifts will reject valid tokens or accept expired ones.
On every node, run: yum install python-openstackclient openstack-selinux -y
On the controller node (database installation)
yum install mariadb mariadb-server python2-PyMySQL -y
vim /etc/my.cnf.d/openstack.cnf
[mysqld]
bind-address = 10.10.15.27
default-storage-engine = innodb
innodb_file_per_table = on
max_connections = 4096
collation-server = utf8_general_ci
character-set-server = utf8
bind-address is the controller's management IP, so MariaDB listens on that interface only instead of on every address. Start the service before securing it:
systemctl enable mariadb.service
systemctl start mariadb.service
Secure initialisation of the database
mysql_secure_installation
The prompts, and the answers given in this walkthrough:
Enter   (current root password: there is none yet)
n       (set a root password? this walkthrough answers no)
y       (remove anonymous users)
y       (disallow remote root login)
y       (remove the test database)
y       (reload the privilege tables)
Answering n to the second prompt leaves the MariaDB root account without a password; that is only tolerable because bind-address restricts the listener and remote root login is disabled. The official guide expects a root password to be set here, so answer y and choose one unless you have a specific reason not to.
Installing the message queue on the controller node
#install
yum install rabbitmq-server -y
#start
systemctl start rabbitmq-server.service
systemctl enable rabbitmq-server.service
#verify
netstat -lntup|grep 5672
#create the user and grant it permissions
rabbitmqctl add_user openstack RABBIT_PASS
rabbitmqctl set_permissions openstack ".*" ".*" ".*"
The three ".*" arguments are the configure, write and read permissions on the default vhost "/". Every OpenStack service shares this one account, so RABBIT_PASS should be a long random value that appears nowhere except the service configuration files.
Port 5672 is used by AMQP clients (the OpenStack services).
Port 25672 is used for inter-node traffic when RabbitMQ is clustered.
Enable the management plugin, which is useful for monitoring later:
rabbitmq-plugins enable rabbitmq_management

Access test: the management UI listens on port 15672 (http://controller:15672). Keep it reachable from the management network only, and do not use the built-in guest account for anything.
Installing the memcached cache on the controller node
#controller node
#install
yum install memcached python-memcached -y
#configure
vim /etc/sysconfig/memcached
OPTIONS="-l 10.10.15.27"
#start
systemctl start memcached.service
systemctl enable memcached.service
Verify: netstat -lntup|grep 11211
Memcached has no authentication: the token validation cache that the services keep in it can be read by anything that can reach port 11211. That is why -l binds it to the management IP only; the port must also stay firewalled from tenant and public networks.
SOA architecture: split the business into independent web services, one per function, each of them running as at least one cluster.
OpenStack is an SOA architecture.

General steps for installing an OpenStack service
1: create the database and grant privileges
2: create the service user in Keystone and assign it a role
3: create the service and register its API endpoints in Keystone
4. install the service's packages
5. edit the configuration file
5.1 database connection
5.2 Keystone authentication and authorisation settings
5.3 RabbitMQ connection settings
5.4 other settings
6: sync the database (create the tables)
7: start the service
8. verify
All of these services require Keystone to be installed first.
The service installation is carried out on the controller node.
Installing the identity service (Keystone)
Function: account and password authentication, authorisation management, and the service catalogue.
1. Create the database (from the mysql -u root -p shell; replace KEYSTONE_DBPASS with a real password)
CREATE DATABASE keystone;
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
IDENTIFIED BY 'KEYSTONE_DBPASS';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
IDENTIFIED BY 'KEYSTONE_DBPASS';

2. Install the Keystone packages
yum install openstack-keystone httpd mod_wsgi -y
3. Edit the configuration file
Keep a copy of the file with blank lines and comments stripped, for reference:
grep -Ev '^$|#' /etc/keystone/keystone.conf >/etc/keystone/keystone.conf.bak
Edit by hand
/etc/keystone/keystone.conf
In the [DEFAULT] section, define the value of the initial administration token:
[DEFAULT]
admin_token = ADMIN_TOKEN
ADMIN_TOKEN is a static bearer secret: anyone who presents it gets full administrative access to Keystone without a password. Generate a random value for it (the official guide uses openssl rand -hex 10), use it only for the bootstrap steps below, and disable it in step 9.
In the [database] section, configure database access:
[database]
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone
In the [token] section, configure the Fernet token provider:
[token]
provider = fernet
Alternatively, install the OpenStack configuration tool and let it make the same changes (choose one of the two approaches):
yum install openstack-utils -y
openstack-config --set /etc/keystone/keystone.conf DEFAULT admin_token ADMIN_TOKEN
openstack-config --set /etc/keystone/keystone.conf database connection mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone
openstack-config --set /etc/keystone/keystone.conf token provider fernet

Editing by hand and using openstack-config produce the same result.
4. Sync the database
su -s /bin/sh -c "keystone-manage db_sync" keystone

mysql keystone -e 'show tables;'

5. Initialise the Fernet keys
keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
This creates the key repository under /etc/keystone/fernet-keys/, owned by the keystone user and unreadable to others. Whoever can read these keys can mint valid tokens for any user, so treat the directory like a private key.

6. Configure Apache httpd
echo "ServerName controller" >>/etc/httpd/conf/httpd.conf
Create the file /etc/httpd/conf.d/wsgi-keystone.conf with the following content:
Listen 5000
Listen 35357
<VirtualHost *:5000>
WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-public
WSGIScriptAlias / /usr/bin/keystone-wsgi-public
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
ErrorLogFormat "%{cu}t %M"
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined
<Directory /usr/bin>
Require all granted
</Directory>
</VirtualHost>
<VirtualHost *:35357>
WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-admin
WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
ErrorLogFormat "%{cu}t %M"
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined
<Directory /usr/bin>
Require all granted
</Directory>
</VirtualHost>
Start the Apache HTTP service and configure it to start at boot:
systemctl enable httpd.service
systemctl start httpd.service
7. Create the service and register the API endpoints
Export the environment variables (the admin token and the admin endpoint are used only for this bootstrap):
export OS_TOKEN=ADMIN_TOKEN
export OS_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3
Create the service entity for the identity service:
openstack service create \
--name keystone --description "OpenStack Identity" identity

Create the identity service API endpoints:
openstack endpoint create --region RegionOne \
identity public http://controller:5000/v3

openstack endpoint create --region RegionOne \
identity internal http://controller:5000/v3

openstack endpoint create --region RegionOne \
identity admin http://controller:35357/v3

8. Create the domain, projects, users and roles
Create the default domain:
openstack domain create --description "Default Domain" default

Create the admin project:
openstack project create --domain default \
--description "Admin Project" admin

Create the admin user (you will be prompted for its password):
openstack user create --domain default \
--password-prompt admin

Create the admin role:
openstack role create admin
Link the project, user and role
Grant the admin user the admin role on the admin project:
openstack role add --project admin --user admin admin
Create the service project
The service project is used by the OpenStack services themselves; it holds the service accounts such as glance and nova.
openstack project create --domain default \
--description "Service Project" service

9. Verify the operation
For security reasons, disable the temporary authentication token mechanism:
Edit /etc/keystone/keystone-paste.ini and remove admin_token_auth from the [pipeline:public_api], [pipeline:admin_api] and [pipeline:api_v3] sections. Until this is done, anyone who learns ADMIN_TOKEN can act as a cloud administrator, and that token never expires.

Unset the OS_TOKEN and OS_URL environment variables:
unset OS_TOKEN OS_URL
As the admin user, request an authentication token:
openstack --os-auth-url http://controller:35357/v3 \
--os-project-domain-name default --os-user-domain-name default \
--os-project-name admin --os-username admin token issue
Enter the admin password you set earlier.
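The keystone-paste.ini edit above is easy to get wrong by hand (three pipeline lines, one token in the middle of each). The following is an added example, not part of the original guide or of Keystone itself: a POSIX shell helper that removes admin_token_auth from every "pipeline =" line and a check that confirms no pipeline still references it. The sample file it writes is constructed for the example and only mimics the layout of the real keystone-paste.ini; the [filter:admin_token_auth] section is deliberately left in place, since only the pipeline references need to go.

```shell
#!/bin/sh
# Added example: disable the admin_token_auth filter in a keystone-paste.ini style file.

# make_sample_paste PATH -> writes a constructed keystone-paste.ini (not the real file) whose
# three pipelines still carry admin_token_auth, as they do after a fresh Mitaka install
make_sample_paste() {
    cat > "$1" <<'EOF'
[filter:admin_token_auth]
use = egg:keystone#admin_token_auth

[pipeline:public_api]
pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension public_service

[pipeline:admin_api]
pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension s3_extension admin_service

[pipeline:api_v3]
pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3
EOF
}

# disable_admin_token_auth PATH -> removes the admin_token_auth token from every "pipeline =" line,
# leaving the [filter:admin_token_auth] definition untouched; written via a temp file so a
# failed sed does not truncate the original
disable_admin_token_auth() {
    sed -E '/^[[:space:]]*pipeline[[:space:]]*=/ s/[[:space:]]+admin_token_auth([[:space:]]|$)/\1/g' "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# admin_token_auth_disabled PATH -> returns 0 when no pipeline line references admin_token_auth
admin_token_auth_disabled() {
    ! grep -E '^[[:space:]]*pipeline[[:space:]]*=.*[[:space:]]admin_token_auth([[:space:]]|$)' "$1" >/dev/null
}
```

Run it against the real file with disable_admin_token_auth /etc/keystone/keystone-paste.ini, then admin_token_auth_disabled /etc/keystone/keystone-paste.ini && echo ok; httpd must be restarted afterwards for the change to take effect.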

10. Create the OpenStack client environment script
Edit the file admin-openrc:
vim admin-openrc
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=<your admin password>
export OS_AUTH_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
Load admin-openrc to populate the environment with the identity service location and the admin project and user credentials:
. admin-openrc   or   source admin-openrc
To avoid loading it on every login, add the source command to .bashrc:
vim .bashrc
The file holds the admin password in clear text, so keep it owned by root with mode 600 (chmod 600 admin-openrc) and outside any shared or version-controlled directory.
11. Verify that the Keystone service works
openstack token issue

openstack user list

Installing the image service (Glance)
Glance lets users upload and download images and list the available images.
The OpenStack image service consists of the following components:
glance-api
Accepts image API calls for image discovery, retrieval and storage.
glance-registry
Stores, processes and retrieves image metadata, such as size and type.
1. Create the database and grant privileges
Create the glance database:
CREATE DATABASE glance;
Grant the proper privileges on the glance database:
GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'localhost' \
IDENTIFIED BY 'GLANCE_DBPASS';
GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'%' \
IDENTIFIED BY 'GLANCE_DBPASS';
exit

2. Create the glance user in Keystone and assign it a role
Create the glance user:
openstack user create --domain default --password GLANCE_PASS glance
Add the admin role to the glance user on the service project:
openstack role add --project service --user glance admin
3. Create the service in Keystone and register the API endpoints
Create the glance service entity:
openstack service create --name glance \
--description "OpenStack Image" image

Create the image service API endpoints:
openstack endpoint create --region RegionOne \
image public http://controller:9292

openstack endpoint create --region RegionOne \
image internal http://controller:9292

openstack endpoint create --region RegionOne \
image admin http://controller:9292

4. Install the Glance package
yum install openstack-glance -y
5. Edit the configuration files
Edit the glance-api configuration file:
vim /etc/glance/glance-api.conf
In the [database] section, configure database access.
In the [keystone_authtoken] and [paste_deploy] sections, configure identity service access.
In the [glance_store] section, configure the local file system store and the location of the image files.
[database]
...
connection = mysql+pymysql://glance:GLANCE_DBPASS@controller/glance
[keystone_authtoken]
...
auth_uri = http://controller:5000
auth_url = http://controller:35357
memcached_servers = controller:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = glance
password = GLANCE_PASS
[paste_deploy]
...
flavor = keystone
[glance_store]
...
stores = file,http
default_store = file
filesystem_store_datadir = /var/lib/glance/images/
Edit the glance-registry configuration file:
vim /etc/glance/glance-registry.conf
In the [database] section, configure database access.
In the [keystone_authtoken] and [paste_deploy] sections, configure identity service access.
[database]
...
connection = mysql+pymysql://glance:GLANCE_DBPASS@controller/glance
[keystone_authtoken]
...
auth_uri = http://controller:5000
auth_url = http://controller:35357
memcached_servers = controller:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = glance
password = GLANCE_PASS
[paste_deploy]
...
flavor = keystone
6. Sync the database
su -s /bin/sh -c "glance-manage db_sync" glance

7. Start the image services and configure them to start at boot
systemctl enable openstack-glance-api.service \
openstack-glance-registry.service
systemctl start openstack-glance-api.service \
openstack-glance-registry.service
Download a test image:
wget http://download.cirros-cloud.net/0.3.4/cirros-0.3.4-x86_64-disk.img
8. Upload the image
Upload the image to the image service using the QCOW2 disk format and the bare container format, and make it public (visible to every project):
openstack image create "cirros" \
--file cirros-0.3.4-x86_64-disk.img \
--disk-format qcow2 --container-format bare \
--public

9. Verify the image:
openstack image list

Installing the compute service (Nova)

Perform the following on the controller node
1. Create the nova_api and nova databases
CREATE DATABASE nova_api;
CREATE DATABASE nova;
2. Grant the proper privileges on the databases
GRANT ALL PRIVILEGES ON nova_api.* TO 'nova'@'localhost' \
IDENTIFIED BY 'NOVA_DBPASS';
GRANT ALL PRIVILEGES ON nova_api.* TO 'nova'@'%' \
IDENTIFIED BY 'NOVA_DBPASS';
GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'localhost' \
IDENTIFIED BY 'NOVA_DBPASS';
GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'%' \
IDENTIFIED BY 'NOVA_DBPASS';
3. Create the service user in Keystone and assign it a role
openstack user create --domain default --password NOVA_PASS nova
openstack role add --project service --user nova admin
4. Create the nova service entity and register the API endpoints
openstack service create --name nova \
--description "OpenStack Compute" compute

openstack endpoint create --region RegionOne \
compute public http://controller:8774/v2.1/%\(tenant_id\)s
openstack endpoint create --region RegionOne \
compute internal http://controller:8774/v2.1/%\(tenant_id\)s
openstack endpoint create --region RegionOne \
compute admin http://controller:8774/v2.1/%\(tenant_id\)s
(The backslashes only protect the parentheses from the shell; the stored URL contains the literal template %(tenant_id)s, which the client fills in with the project ID.)

5. Install the packages
yum install openstack-nova-api openstack-nova-conductor \
openstack-nova-console openstack-nova-novncproxy \
openstack-nova-scheduler -y
6. Edit the Nova configuration file
vim /etc/nova/nova.conf
In the [DEFAULT] section, enable only the compute and metadata APIs:
[DEFAULT]
...
enabled_apis = osapi_compute,metadata
In the [api_database] and [database] sections, configure the database connections:
[api_database]
...
connection = mysql+pymysql://nova:NOVA_DBPASS@controller/nova_api
[database]
...
connection = mysql+pymysql://nova:NOVA_DBPASS@controller/nova
In the [DEFAULT] and [oslo_messaging_rabbit] sections, configure RabbitMQ message queue access:
[DEFAULT]
...
rpc_backend = rabbit
[oslo_messaging_rabbit]
...
rabbit_host = controller
rabbit_userid = openstack
rabbit_password = RABBIT_PASS
In the [DEFAULT] and [keystone_authtoken] sections, configure identity service access:
[DEFAULT]
...
auth_strategy = keystone
[keystone_authtoken]
...
auth_uri = http://controller:5000
auth_url = http://controller:35357
memcached_servers = controller:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = nova
password = NOVA_PASS
In the [DEFAULT] section, set my_ip to the IP address of the controller node's management interface:
[DEFAULT]
...
my_ip = <controller node IP>
In the [DEFAULT] section, enable support for the Networking service:
[DEFAULT]
...
use_neutron = True
firewall_driver = nova.virt.firewall.NoopFirewallDriver
(The Noop driver is correct here: with Neutron in charge, security groups are enforced by the Neutron agent's iptables driver, and leaving Nova's own firewall driver active would duplicate or conflict with those rules.)
In the [vnc] section, configure the VNC proxy to use the controller node's management interface IP address:
[vnc]
...
vncserver_listen = $my_ip
vncserver_proxyclient_address = $my_ip
In the [glance] section, configure the location of the image service API:
[glance]
...
api_servers = http://controller:9292
In the [oslo_concurrency] section, configure the lock path:
[oslo_concurrency]
...
lock_path = /var/lib/nova/tmp
The resulting file, with blank lines and comments stripped:
grep -Ev "^$|#" /etc/nova/nova.conf
[DEFAULT]
enabled_apis = osapi_compute,metadata
rpc_backend = rabbit
auth_strategy = keystone
my_ip = <controller node IP address>
use_neutron = True
firewall_driver = nova.virt.firewall.NoopFirewallDriver
[api_database]
connection = mysql+pymysql://nova:NOVA_DBPASS@controller/nova_api
[barbican]
[cache]
[cells]
[cinder]
[conductor]
[cors]
[cors.subdomain]
[database]
connection = mysql+pymysql://nova:NOVA_DBPASS@controller/nova
[ephemeral_storage_encryption]
[glance]
api_servers = http://controller:9292
[guestfs]
[hyperv]
[image_file_url]
[ironic]
[keymgr]
[keystone_authtoken]
auth_uri = http://controller:5000
auth_url = http://controller:35357
memcached_servers = controller:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = nova
password = NOVA_PASS
[libvirt]
[matchmaker_redis]
[metrics]
[neutron]
[osapi_v21]
[oslo_concurrency]
lock_path = /var/lib/nova/tmp
[oslo_messaging_amqp]
[oslo_messaging_notifications]
[oslo_messaging_rabbit]
rabbit_host = controller
rabbit_userid = openstack
rabbit_password = RABBIT_PASS
[oslo_middleware]
[oslo_policy]
[rdp]
[serial_console]
[spice]
[ssl]
[trusted_computing]
[upgrade_levels]
[vmware]
[vnc]
vncserver_listen = $my_ip
vncserver_proxyclient_address = $my_ip
[workarounds]
[xenserver]
7. Sync the databases
su -s /bin/sh -c "nova-manage api_db sync" nova
su -s /bin/sh -c "nova-manage db sync" nova

8. Start the services
systemctl enable openstack-nova-api.service \
openstack-nova-consoleauth.service openstack-nova-scheduler.service \
openstack-nova-conductor.service openstack-nova-novncproxy.service
systemctl start openstack-nova-api.service \
openstack-nova-consoleauth.service openstack-nova-scheduler.service \
openstack-nova-conductor.service openstack-nova-novncproxy.service

Verify: nova service-list
(nova-consoleauth, nova-scheduler and nova-conductor should be listed as up. The novncproxy service, which serves the console on port 6080, is checked separately with systemctl status openstack-nova-novncproxy.service.)
Perform the following on the compute node
1. Install the package:
yum install openstack-nova-compute -y
2. Edit the /etc/nova/nova.conf configuration file
In the [DEFAULT] and [oslo_messaging_rabbit] sections, configure the RabbitMQ message queue connection:
[DEFAULT]
...
rpc_backend = rabbit
[oslo_messaging_rabbit]
...
rabbit_host = controller
rabbit_userid = openstack
rabbit_password = RABBIT_PASS
In the [DEFAULT] and [keystone_authtoken] sections, configure identity service access:
[DEFAULT]
...
auth_strategy = keystone
[keystone_authtoken]
...
auth_uri = http://controller:5000
auth_url = http://controller:35357
memcached_servers = controller:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = nova
password = NOVA_PASS
In the [DEFAULT] section, configure the my_ip option:
[DEFAULT]
...
my_ip = <compute node IP address>
In the [DEFAULT] section, enable support for the Networking service:
[DEFAULT]
...
use_neutron = True
firewall_driver = nova.virt.firewall.NoopFirewallDriver
In the [vnc] section, enable and configure remote console access:
[vnc]
...
enabled = True
vncserver_listen = 0.0.0.0
vncserver_proxyclient_address = $my_ip
novncproxy_base_url = http://controller:6080/vnc_auto.html
vncserver_listen = 0.0.0.0 makes every instance's VNC server (ports 5900 and up) reachable on all of the compute node's interfaces. Only the novncproxy on the controller needs to reach them, so either restrict those ports to the management network at the firewall or listen on the management IP instead.
In the [glance] section, configure the location of the image service API:
[glance]
...
api_servers = http://controller:9292
In the [oslo_concurrency] section, configure the lock path:
[oslo_concurrency]
...
lock_path = /var/lib/nova/tmp
Check whether the compute node supports hardware acceleration for virtual machines:
egrep -c '(vmx|svm)' /proc/cpuinfo
A result of 1 or more means it is supported.
A result of 0 means it is not.
If it returns 0, set the following in the [libvirt] section of /etc/nova/nova.conf:
[libvirt]
...
virt_type = qemu
Start the compute service and its dependencies, and configure them to start at boot:
systemctl enable libvirtd.service openstack-nova-compute.service
systemctl start libvirtd.service openstack-nova-compute.service
After starting, verify on the controller node
A newly added compute node registers itself automatically:
nova service-list

Installing the networking service (Neutron)
Controller node configuration
1: create the database and grant privileges
CREATE DATABASE neutron;
GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'localhost' \
IDENTIFIED BY 'NEUTRON_DBPASS';
GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'%' \
IDENTIFIED BY 'NEUTRON_DBPASS';

2: create the service user in Keystone and assign it a role
openstack user create --domain default --password NEUTRON_PASS neutron
Add the admin role to the neutron user:
openstack role add --project service --user neutron admin
3: register the API endpoints in Keystone
Create the neutron service entity:
openstack service create --name neutron \
--description "OpenStack Networking" network

openstack endpoint create --region RegionOne \
network public http://controller:9696
openstack endpoint create --region RegionOne \
network internal http://controller:9696
openstack endpoint create --region RegionOne \
network admin http://controller:9696


Networking option 1 (provider networks) from the official guide is used here.
4. Install the packages
yum install openstack-neutron openstack-neutron-ml2 \
openstack-neutron-linuxbridge ebtables
5. Edit the configuration files
5.1 Edit the Neutron configuration file
vim /etc/neutron/neutron.conf
In the [database] section, configure database access:
[database]
...
connection = mysql+pymysql://neutron:NEUTRON_DBPASS@controller/neutron
In the [DEFAULT] section, enable the ML2 plug-in and disable the other plug-ins:
[DEFAULT]
...
core_plugin = ml2
service_plugins =
In the [DEFAULT] and [oslo_messaging_rabbit] sections, configure the RabbitMQ message queue connection:
[DEFAULT]
...
rpc_backend = rabbit
[oslo_messaging_rabbit]
...
rabbit_host = controller
rabbit_userid = openstack
rabbit_password = RABBIT_PASS
In the [DEFAULT] and [keystone_authtoken] sections, configure identity service access:
[DEFAULT]
...
auth_strategy = keystone
[keystone_authtoken]
...
auth_uri = http://controller:5000
auth_url = http://controller:35357
memcached_servers = controller:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = neutron
password = NEUTRON_PASS
In the [DEFAULT] and [nova] sections, configure the networking service to notify Compute of network topology changes:
[DEFAULT]
...
notify_nova_on_port_status_changes = True
notify_nova_on_port_data_changes = True
[nova]
...
auth_url = http://controller:35357
auth_type = password
project_domain_name = default
user_domain_name = default
region_name = RegionOne
project_name = service
username = nova
password = NOVA_PASS
In the [oslo_concurrency] section, configure the lock path:
[oslo_concurrency]
...
lock_path = /var/lib/neutron/tmp
The resulting file, with blank lines and comments stripped:
grep -Ev '^$|#' /etc/neutron/neutron.conf
[DEFAULT]
core_plugin = ml2
service_plugins =
rpc_backend = rabbit
auth_strategy = keystone
notify_nova_on_port_status_changes = True
notify_nova_on_port_data_changes = True
[agent]
[cors]
[cors.subdomain]
[database]
connection = mysql+pymysql://neutron:NEUTRON_DBPASS@controller/neutron
[keystone_authtoken]
auth_uri = http://controller:5000
auth_url = http://controller:35357
memcached_servers = controller:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = neutron
password = NEUTRON_PASS
[matchmaker_redis]
[nova]
auth_url = http://controller:35357
auth_type = password
project_domain_name = default
user_domain_name = default
region_name = RegionOne
project_name = service
username = nova
password = NOVA_PASS
[oslo_concurrency]
lock_path = /var/lib/neutron/tmp
[oslo_messaging_amqp]
[oslo_messaging_notifications]
[oslo_messaging_rabbit]
rabbit_host = controller
rabbit_userid = openstack
rabbit_password = RABBIT_PASS
[oslo_policy]
[qos]
[quotas]
[ssl]
5.2 Edit the Modular Layer 2 (ML2) plug-in configuration file
vim /etc/neutron/plugins/ml2/ml2_conf.ini
In the [ml2] section, enable flat and VLAN networks:
[ml2]
...
type_drivers = flat,vlan
In the [ml2] section, disable self-service (tenant) networks:
[ml2]
...
tenant_network_types =
In the [ml2] section, enable the Linux bridge mechanism:
[ml2]
...
mechanism_drivers = linuxbridge
In the [ml2] section, enable the port security extension driver (it lets port security, i.e. anti-spoofing and security group filtering, be enabled or disabled per port):
[ml2]
...
extension_drivers = port_security
In the [ml2_type_flat] section, configure the provider virtual network as a flat network:
[ml2_type_flat]
...
flat_networks = provider
In the [securitygroup] section, enable ipset to make security group rules more efficient:
[securitygroup]
...
enable_ipset = True
The resulting file, with blank lines and comments stripped:
grep -Ev '^$|#' /etc/neutron/plugins/ml2/ml2_conf.ini
[DEFAULT]
[ml2]
type_drivers = flat,vlan
tenant_network_types =
mechanism_drivers = linuxbridge
extension_drivers = port_security
[ml2_type_flat]
flat_networks = provider
[ml2_type_geneve]
[ml2_type_gre]
[ml2_type_vlan]
[ml2_type_vxlan]
[securitygroup]
enable_ipset = True
5.3 Edit the Linux bridge agent configuration file
vim /etc/neutron/plugins/ml2/linuxbridge_agent.ini
In the [linux_bridge] section, map the provider virtual network to the provider physical network interface:
[linux_bridge]
physical_interface_mappings = provider:<interface name, e.g. eth0>
In the [vxlan] section, disable VXLAN overlay networks:
[vxlan]
enable_vxlan = False
In the [securitygroup] section, enable security groups and configure the Linux bridge iptables firewall driver:
[securitygroup]
...
enable_security_group = True
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
This driver is what actually enforces security group rules for instances (Nova's own firewall driver was set to Noop above); if it is left unset, the agent falls back to a no-op driver and instances run without any packet filtering.
The resulting file, with blank lines and comments stripped:
grep -Ev '^$|#' /etc/neutron/plugins/ml2/linuxbridge_agent.ini
[DEFAULT]
[agent]
[linux_bridge]
physical_interface_mappings = provider:eth0
[securitygroup]
enable_security_group = True
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
[vxlan]
enable_vxlan = False
5.4 Edit the DHCP agent configuration file
vim /etc/neutron/dhcp_agent.ini
In the [DEFAULT] section, configure the Linux bridge interface driver, the Dnsmasq DHCP driver, and enable isolated metadata so that instances on provider networks can reach the metadata service:
[DEFAULT]
...
interface_driver = neutron.agent.linux.interface.BridgeInterfaceDriver
dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq
enable_isolated_metadata = True
The resulting file, with blank lines and comments stripped:
grep -Ev '^$|#' /etc/neutron/dhcp_agent.ini
[DEFAULT]
interface_driver = neutron.agent.linux.interface.BridgeInterfaceDriver
dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq
enable_isolated_metadata = True
[AGENT]
5.5 Edit the metadata agent configuration file
vim /etc/neutron/metadata_agent.ini
In the [DEFAULT] section, configure the metadata host and the shared secret:
[DEFAULT]
...
nova_metadata_ip = controller
metadata_proxy_shared_secret = METADATA_SECRET
METADATA_SECRET is an HMAC key: the metadata proxy signs the instance ID with it and nova-api verifies that signature before answering. It must therefore be the same random value here and in the [neutron] section of nova.conf, and it must not be guessable, because anyone holding it can forge requests for another instance's metadata.
The resulting file, with blank lines and comments stripped:
grep -Ev '^$|#' /etc/neutron/metadata_agent.ini
[DEFAULT]
nova_metadata_ip = controller
metadata_proxy_shared_secret = METADATA_SECRET
[AGENT]
5.6 Edit the nova.conf configuration file
Configure the compute service on the controller node to use the networking service:
vim /etc/nova/nova.conf
In the [neutron] section, configure the access parameters, enable the metadata proxy, and set the shared secret:
[neutron]
...
url = http://controller:9696
auth_url = http://controller:35357
auth_type = password
project_domain_name = default
user_domain_name = default
region_name = RegionOne
project_name = service
username = neutron
password = NEUTRON_PASS
service_metadata_proxy = True
metadata_proxy_shared_secret = METADATA_SECRET
The networking service initialisation scripts expect a symbolic link /etc/neutron/plugin.ini pointing to the ML2 plug-in configuration file:
ln -s /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini
6. Sync the database:
su -s /bin/sh -c "neutron-db-manage --config-file /etc/neutron/neutron.conf \
--config-file /etc/neutron/plugins/ml2/ml2_conf.ini upgrade head" neutron


7. Start the services
Restart the nova-api service:
systemctl restart openstack-nova-api.service
systemctl enable neutron-server.service \
neutron-linuxbridge-agent.service neutron-dhcp-agent.service \
neutron-metadata-agent.service
systemctl start neutron-server.service \
neutron-linuxbridge-agent.service neutron-dhcp-agent.service \
neutron-metadata-agent.service
Verify: neutron agent-list
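By this point the guide's placeholder values (NOVA_PASS, NOVA_DBPASS, NEUTRON_PASS, METADATA_SECRET and so on) have been typed into half a dozen files on two nodes, and the metadata secret in particular has to be identical in nova.conf and metadata_agent.ini or every metadata request fails the signature check. The following is an added example, not part of the guide or of any OpenStack project: a small POSIX shell audit that reads values out of ini-style files, lists settings still carrying a documentation placeholder, and checks that the metadata secret matches and is not the placeholder. The sample files it writes are constructed for the example and contain only a handful of the real files' settings.

```shell
#!/bin/sh
# Added example: audit OpenStack config files for leftover placeholder secrets and for a
# mismatched metadata_proxy_shared_secret between nova.conf and metadata_agent.ini.

# ini_get FILE SECTION KEY -> prints the value of KEY inside [SECTION] (first match, no inline comments)
ini_get() {
    awk -v s="$2" -v k="$3" '
        /^[ \t]*\[/ { in_s = ($0 ~ "^[ \t]*\\[" s "\\][ \t]*$"); next }
        in_s && $0 ~ "^[ \t]*" k "[ \t]*=" { sub(/^[^=]*=[ \t]*/, ""); print; exit }
    ' "$1"
}

# find_placeholders FILE... -> prints "file:line:text" for every setting whose value still carries a
# guide placeholder such as NOVA_PASS, KEYSTONE_DBPASS, ADMIN_TOKEN or METADATA_SECRET
find_placeholders() {
    grep -nE '=.*(ADMIN_TOKEN|METADATA_SECRET|[A-Z]+_(DB)?PASS)([^A-Za-z0-9_]|$)' "$@"
}

# no_placeholders FILE... -> returns 0 when none of the files contains a placeholder secret
no_placeholders() {
    ! find_placeholders "$@" >/dev/null
}

# metadata_secret_matches NOVA_CONF METADATA_AGENT_INI -> returns 0 when both files carry the same,
# non-placeholder metadata_proxy_shared_secret; a mismatch makes nova-api reject the HMAC the
# metadata proxy puts on every request
metadata_secret_matches() {
    nova_secret=$(ini_get "$1" neutron metadata_proxy_shared_secret)
    agent_secret=$(ini_get "$2" DEFAULT metadata_proxy_shared_secret)
    [ -n "$nova_secret" ] && [ "$nova_secret" = "$agent_secret" ] && [ "$nova_secret" != "METADATA_SECRET" ]
}

# make_samples DIR -> writes constructed sample configs (not the real files): nova.conf still holds
# the guide's placeholders, nova-fixed.conf has them replaced, metadata_agent.ini has a real secret
make_samples() {
    cat > "$1/nova.conf" <<'EOF'
[DEFAULT]
auth_strategy = keystone
[database]
connection = mysql+pymysql://nova:NOVA_DBPASS@controller/nova
[keystone_authtoken]
username = nova
password = NOVA_PASS
[neutron]
url = http://controller:9696
metadata_proxy_shared_secret = METADATA_SECRET
EOF
    cat > "$1/metadata_agent.ini" <<'EOF'
[DEFAULT]
nova_metadata_ip = controller
metadata_proxy_shared_secret = 4f1c0b9e2d7a8c6b
[AGENT]
EOF
    sed -e 's/NOVA_DBPASS/9a7d3e51c2b8f604/' -e 's/NOVA_PASS/c8e2b57a1d4f9036/' \
        -e 's/METADATA_SECRET/4f1c0b9e2d7a8c6b/' "$1/nova.conf" > "$1/nova-fixed.conf"
}
```

On a real controller: find_placeholders /etc/keystone/keystone.conf /etc/glance/*.conf /etc/nova/nova.conf /etc/neutron/neutron.conf /etc/neutron/metadata_agent.ini should print nothing, and metadata_secret_matches /etc/nova/nova.conf /etc/neutron/metadata_agent.ini && echo ok confirms the secret before you debug a metadata failure anywhere else.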

Configuring the compute node
1. Install the packages:
yum install openstack-neutron-linuxbridge ebtables ipset -y
2. Edit the Neutron configuration file
vim /etc/neutron/neutron.conf
In the [DEFAULT] and [oslo_messaging_rabbit] sections, configure the RabbitMQ message queue connection:
[DEFAULT]
...
rpc_backend = rabbit
[oslo_messaging_rabbit]
...
rabbit_host = controller
rabbit_userid = openstack
rabbit_password = RABBIT_PASS
In the [DEFAULT] and [keystone_authtoken] sections, configure identity service access:
[DEFAULT]
...
auth_strategy = keystone
[keystone_authtoken]
...
auth_uri = http://controller:5000
auth_url = http://controller:35357
memcached_servers = controller:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = neutron
password = NEUTRON_PASS
In the [oslo_concurrency] section, configure the lock path:
[oslo_concurrency]
...
lock_path = /var/lib/neutron/tmp
(As in the official guide, the compute node's neutron.conf gets no [database] connection: the agent talks to neutron-server over RPC and never touches the database directly, so it needs no database credentials.)

The compute node also uses networking option 1.
3. Edit the Linux bridge agent configuration file
vim /etc/neutron/plugins/ml2/linuxbridge_agent.ini
In the [linux_bridge] section, map the provider virtual network to the provider physical network interface:
[linux_bridge]
physical_interface_mappings = provider:eth0
In the [vxlan] section, disable VXLAN overlay networks:
[vxlan]
enable_vxlan = False
In the [securitygroup] section, enable security groups and configure the Linux bridge iptables firewall driver:
[securitygroup]
...
enable_security_group = True
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
4. Configure the compute service on the compute node to use the networking service
vim /etc/nova/nova.conf
In the [neutron] section, configure the access parameters:
[neutron]
...
url = http://controller:9696
auth_url = http://controller:35357
auth_type = password
project_domain_name = default
user_domain_name = default
region_name = RegionOne
project_name = service
username = neutron
password = NEUTRON_PASS
5. Start the services
Restart the compute service:
systemctl restart openstack-nova-compute.service
Start the Linux bridge agent and configure it to start at boot:
systemctl enable neutron-linuxbridge-agent.service
systemctl start neutron-linuxbridge-agent.service
Verify
On the controller, the agent list should now include a Linux bridge agent from the compute node:
neutron agent-list
Installing the web interface (Horizon)
1. Install the package
In this deployment it is installed on the compute node:
yum install openstack-dashboard
2. Edit the configuration file:
vim /etc/openstack-dashboard/local_settings
Point the dashboard at the OpenStack services on the controller node:
OPENSTACK_HOST = "controller"
Allow all hosts to access the dashboard:
ALLOWED_HOSTS = ['*', ]
['*'] disables Django's Host-header validation, which is what prevents an attacker from making the dashboard build links, redirects and password-reset style URLs with a hostname of their choosing. For anything beyond a lab, list the hostnames and IP addresses users will actually type, e.g. ALLOWED_HOSTS = ['<dashboard hostname>', '<dashboard IP>'].
Configure the memcached session storage service:
SESSION_ENGINE = 'django.contrib.sessions.backends.cache'
CACHES = {
'default': {
'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache',
'LOCATION': 'controller:11211',
}
}
Enable the Identity API version 3:
OPENSTACK_KEYSTONE_URL = "http://%s:5000/v3" % OPENSTACK_HOST
Enable support for domains:
OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True
Configure the API versions:
OPENSTACK_API_VERSIONS = {
"identity": 3,
"image": 2,
"volume": 2,
}
Configure default as the default domain for users created via the dashboard:
OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = "default"
Configure user as the default role for users created via the dashboard:
OPENSTACK_KEYSTONE_DEFAULT_ROLE = "user"
If you chose networking option 1, disable support for layer-3 networking services:
OPENSTACK_NEUTRON_NETWORK = {
...
'enable_router': False,
'enable_quotas': False,
'enable_distributed_router': False,
'enable_ha_router': False,
'enable_lb': False,
'enable_firewall': False,
'enable_vpn': False,
'enable_fip_topology_check': False,
}
Optionally configure the time zone:
TIME_ZONE = "Asia/Shanghai"
Start the web server
systemctl start httpd
systemctl enable httpd
Verify
http://controller/dashboard (use the address of the node where the dashboard is installed; here that is the compute node)

Problems encountered:
Edit the configuration file
vim /etc/httpd/conf.d/openstack-dashboard.conf
and add WSGIApplicationGroup %{GLOBAL}

Check the permissions and owner of the key directory:
ls -ld /usr/share/openstack-dashboard/openstack_dashboard/local/
The dashboard normally runs as the apache user, which needs read and write access to this directory:
chown -R apache:apache /usr/share/openstack-dashboard/openstack_dashboard/local/
chmod -R 755 /usr/share/openstack-dashboard/openstack_dashboard/local/
This directory is where Horizon keeps its generated Django secret key (.secret_key_store), so 755 is wider than needed: with the directory owned by apache, 750 gives the dashboard everything it requires without making the key readable to every local account.
Creating an instance
1. Create the network
neutron net-create --shared --provider:physical_network provider \
--provider:network_type flat provider
(The final "provider" is the network name and can be anything you like.)

2. Create a subnet on the network
neutron subnet-create --name provider \
--allocation-pool start=10.77.77.100,end=10.77.77.150 \
--dns-nameserver 114.114.114.114 --gateway 10.77.77.254 \
provider 10.77.77.0/24

3. Create a flavor (the instance's hardware profile):
openstack flavor create --id 0 --vcpus 1 --ram 64 --disk 1 m1.nano

4. Generate a key pair:
ssh-keygen -q -N "" -f ~/.ssh/id_rsa
Add the key pair:
openstack keypair create --public-key ~/.ssh/id_rsa.pub mykey
(-N "" creates the key without a passphrase, so the private key is protected by file permissions alone.)

5. Create security group rules
Permit ICMP (ping):
openstack security group rule create --proto icmp default
Permit secure shell (SSH) access:
openstack security group rule create --proto tcp --dst-port 22 default
Both rules go into the default security group with no source restriction, so they admit traffic from any address; for a lab that is fine, otherwise add --src-ip with the range you actually administer from.

6. Launch the instance
The network ID is required, so look it up first:
neutron net-list
openstack server create --flavor m1.nano --image cirros \
--nic net-id=5b782ad0-e6c2-4ffa-bdde-23b5e90882dd --security-group default \
--key-name mykey test1
(Replace the net-id with the ID from your own neutron net-list output.)

The instance's files are stored under /var/lib/nova/instances/<instance UUID> on the compute node.
7. Check the instance's state:
openstack server list
List the available flavors:
openstack flavor list
List the available images:
openstack image list
List the available networks:
openstack network list
List the available security groups:
openstack security group list

Initial deployment complete

Web console problem 1:
The console shows "Booting from Hard Disk ... GRUB _" when accessing the VM
On the compute node:
vim /etc/nova/nova.conf
[libvirt]
cpu_mode = none
virt_type = qemu
systemctl restart openstack-nova-compute.service
Web console problem 2:
The web console cannot connect to the VM and reports "Something went wrong, connection is closed"
Solution:
Edit the file /usr/share/novnc/vnc_auto.html
Around line 157, between "url += '/' + path;" and "rfb = new RFB(...)", add the following four lines, which read the token from the query string and append it to the WebSocket URL:
const token = readQueryVariable('token');
if (token) {
url += '?token=' + token;
}

Then restart the related services:
systemctl restart openstack-nova-consoleauth openstack-nova-novncproxy
The console can then control the instance normally.