I. OpenStack overview


II. Deployment environment

1. Node roles and requirements

Controller:
The controller node runs the Identity service, the Image service, the management portions of Compute and Networking, the various network agents and the Dashboard. It also hosts supporting services such as the SQL database, the message queue and NTP. Optionally it can also run the Block Storage, Object Storage, Orchestration and Telemetry services. The controller needs at least two network interfaces.

Compute:
The compute node runs the hypervisor portion of Compute that operates instances; KVM is the hypervisor by default. It also runs the Networking service agent that connects instances to virtual networks and provides firewalling for instances through security groups. You can deploy more than one compute node; each needs at least two network interfaces.

Block Storage:
The optional Block Storage node holds the disks that the Block Storage service provides to instances. For simplicity, service traffic between compute nodes and this node uses the management network; a production deployment should put it on a separate storage network for both performance and isolation. You can deploy more than one Block Storage node; each needs at least one network interface.

Object Storage:
The optional Object Storage nodes hold the disks that the Object Storage service uses to store accounts, containers and objects. Again, service traffic between compute nodes and these nodes uses the management network for simplicity, and production should use a separate storage network. This service requires two nodes, each with at least one network interface; you can deploy more than two.

Networking:
Choose one of the two virtual-network options.

Network option 1: provider networks. This is the simplest way to deploy the Networking service, with only layer-2 (bridge/switch) services and VLAN segmentation. It essentially bridges virtual networks to physical networks and relies on the physical infrastructure for layer-3 (routing) services; DHCP supplies IP information to instances. Note: this option does not support self-service (private) networks, layer-3 routing, or advanced services such as LBaaS and FWaaS. If you need those, use the self-service option.

Network option 2: self-service networks. This extends option 1 with layer-3 services that enable self-service networks using overlay segmentation such as VXLAN. It essentially routes virtual networks to physical networks through NAT and provides the foundation for advanced services such as LBaaS and FWaaS.
2. Name resolution and firewall (on every node)

/etc/hosts (do not change the hostnames after they are set; the services register under these names):
192.168.1.101 controller
192.168.1.102 compute1
192.168.1.103 block1
192.168.1.104 object1
192.168.1.105 object2

Disable SELinux:
sed -i 's#SELINUX=enforcing#SELINUX=disabled#g' /etc/sysconfig/selinux
setenforce 0

Disable the firewall:
systemctl stop firewalld.service
systemctl disable firewalld.service

Both steps are lab conveniences. Disabling SELinux and firewalld removes the two layers that stand between the unauthenticated or weakly authenticated listeners set up below (MariaDB, RabbitMQ, memcached, glance-registry, the VNC consoles on the compute node) and anything else on the network. On a real deployment keep SELinux enforcing with the openstack-selinux package installed (step 5) and leave firewalld running with only the required service ports opened towards the management network.
3. Passwords, time synchronisation and yum/EPEL repositories

Passwords: the installation involves passwords for many services. To keep them easy to remember this guide uses "123456" everywhere; never do this in production. Every service password, database password and shared secret below should be a distinct random value (for example from openssl rand -hex 20), and the openrc files that hold them should be readable only by their owner.
Time: see http://www.cnblogs.com/panwenbin-logs/p/8384340.html
yum/EPEL: a domestic mirror such as 163 or Aliyun is recommended.
OpenStack repository:
cat /etc/yum.repos.d/CentOS-OpenStack-liberty.repo
[centos-openstack-liberty]
name=CentOS-7 - OpenStack liberty
baseurl=http://vault.centos.org/centos/7.3.1611/cloud/x86_64/openstack-liberty/
gpgcheck=0
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-Centos-7

Note that gpgcheck=0 tells yum to install whatever the mirror serves without verifying package signatures, so the gpgkey line has no effect. For anything other than a throwaway lab set gpgcheck=1 and point gpgkey at the key that actually signs the CentOS Cloud SIG packages; otherwise a compromised or spoofed mirror (the baseurl is plain http) can feed you modified RPMs.
4. Upgrade installed packages

yum upgrade
reboot   # reboot

5. Install the OpenStack client

yum install -y python-openstackclient
yum install -y openstack-selinux   # if SELinux is enabled, the openstack-selinux package manages the security policy for the OpenStack services automatically


III. Install and configure the database service (MariaDB)

[root@controller ~]# yum install -y mariadb mariadb-server MySQL-python
[root@controller ~]# cp /usr/share/mariadb/my-medium.cnf /etc/my.cnf   # or /usr/share/mysql/my-medium.cnf
[root@controller ~]# vim /etc/my.cnf
[mysqld]
bind-address = 192.168.1.101   # listen on the management address only, not 0.0.0.0
default-storage-engine = innodb
innodb_file_per_table
collation-server = utf8_general_ci
init-connect = 'SET NAMES utf8'
character-set-server = utf8
max_connections=1000
[root@controller ~]# systemctl enable mariadb.service && systemctl start mariadb.service   # start the database service and enable it at boot
[root@controller ~]# mysql_secure_installation   # set the root password (123456 in this lab) and answer y to every prompt: this removes the anonymous users, disallows remote root login and drops the test database


IV. Install and configure the message queue service (RabbitMQ)

[root@controller ~]# yum install -y rabbitmq-server
[root@controller ~]# systemctl enable rabbitmq-server.service && systemctl start rabbitmq-server.service
[root@controller ~]# rabbitmqctl add_user openstack 123456   # add the openstack user with password 123456
[root@controller ~]# rabbitmqctl set_permissions openstack ".*" ".*" ".*"   # grant the openstack user configure, write and read permissions on the default vhost
[root@controller ~]# rabbitmq-plugins list   # list the available plugins
[root@controller ~]# rabbitmq-plugins enable rabbitmq_management   # enable the web management interface
[root@controller ~]# systemctl restart rabbitmq-server.service
[root@controller ~]# netstat -tnlp|grep beam
tcp   0  0 0.0.0.0:15672  0.0.0.0:*  LISTEN  997/beam   # management UI
tcp   0  0 0.0.0.0:25672  0.0.0.0:*  LISTEN  997/beam   # inter-node (clustering) port
tcp6  0  0 :::5672        :::*       LISTEN  997/beam   # AMQP client port

Open the management UI at http://192.168.1.101:15672/; the default username and password are both guest.

Log out of guest and check that the openstack user can log in.

All three listeners are bound to every interface. guest/guest is a well-known credential, and anyone who can reach port 5672 with the openstack credentials can publish and consume every RPC message in the cloud, which is as good as controlling the services themselves. Before going further, delete the guest user (rabbitmqctl delete_user guest), give the openstack user a random password, and restrict ports 15672 and 25672 to the management network.
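The hardening just described, as an added example that is not part of the original guide. It assumes the controller's management address is 192.168.1.101 (from the /etc/hosts table above) and uses the classic Erlang-term rabbitmq.config format of RabbitMQ 3.x for the management listener; RABBITMQCTL and RABBITMQ_CONFIG are overridable so the functions can be exercised without a live broker, which is how the test runs them.

```shell
#!/bin/sh
# Added example (not part of the original guide): harden the broker that the
# steps above leave with the guest/guest account and the management UI on
# 0.0.0.0:15672. Assumptions: controller management address 192.168.1.101;
# RABBITMQCTL / RABBITMQ_CONFIG may be overridden for testing.

RABBITMQCTL=${RABBITMQCTL:-rabbitmqctl}
RABBITMQ_CONFIG=${RABBITMQ_CONFIG:-/etc/rabbitmq/rabbitmq.config}

# 160-bit random hex secret to replace "123456" for the openstack AMQP user.
gen_secret() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -hex 20
    else
        head -c 20 /dev/urandom | od -An -tx1 | tr -d ' \n'
    fi
}

# Remove the well-known guest account, (re)set the openstack user's password
# and give it the configure/write/read permissions the OpenStack services need
# on the default vhost. Safe to re-run on a broker the guide already set up.
harden_rabbitmq_users() {
    secret=$1
    "$RABBITMQCTL" delete_user guest 2>/dev/null || true        # already gone on re-run
    "$RABBITMQCTL" add_user openstack "$secret" 2>/dev/null \
        || "$RABBITMQCTL" change_password openstack "$secret"    # user already exists
    "$RABBITMQCTL" set_permissions -p / openstack ".*" ".*" ".*"
}

# Bind the management plugin's HTTP listener to the management address only.
# Restart rabbitmq-server afterwards and confirm with netstat that 15672 no
# longer shows 0.0.0.0.
write_mgmt_listener_config() {
    ip=$1
    cat > "$RABBITMQ_CONFIG" <<EOF
[
  {rabbitmq_management, [{listener, [{port, 15672}, {ip, "$ip"}]}]}
].
EOF
}

# Typical use on the controller (runs only when an argument is given, so the
# file can also be sourced):   sh harden_rabbitmq.sh 192.168.1.101
if [ $# -ge 1 ]; then
    secret=$(gen_secret)
    harden_rabbitmq_users "$secret"
    write_mgmt_listener_config "$1"
    printf 'openstack AMQP password (use it as rabbit_password in every service): %s\n' "$secret"
fi
```

The printed password is what goes into rabbit_password in the glance, nova and neutron configuration files later in this guide; keep it out of shell history and world-readable files.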



V. Install and configure the OpenStack Identity service (code name keystone)

For performance, this configuration serves Keystone through the Apache HTTP server and stores tokens in Memcached instead of the SQL database.

1. Service overview

The OpenStack Identity service provides a single point of integration for authentication, authorisation and the service catalogue. The other OpenStack services use it as a common API; it can also integrate with existing infrastructure that holds user information outside OpenStack, such as an LDAP directory. To benefit from the Identity service the other services must cooperate with it: when a service receives a request from a user, it asks the Identity service whether that user is authorised to make the request.

The Identity service consists of these components:
Server: a centralised server that provides authentication and authorisation through a RESTful interface.
Drivers: back ends plugged into the central server. They are used to access identity information in repositories outside OpenStack, which may already exist in the infrastructure where OpenStack is deployed (for example a SQL database or an LDAP server).
Modules: middleware modules that run in the address space of the OpenStack component that uses the Identity service. They intercept service requests, extract the user credentials and send them to the central server for authorisation. The middleware is integrated with the OpenStack components through the Python Web Server Gateway Interface (WSGI).

When you install the Identity service you must register every OpenStack service in your deployment with it, so that it can track which services are installed and where they are located on the network.
2. Prerequisites: before configuring the Identity service, create its database and grant access to it.

[root@controller ~]# mysql -u root -p123456
MariaDB [(none)]> CREATE DATABASE keystone;
Query OK, 1 row affected (0.00 sec)
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY '123456';
Query OK, 0 rows affected (0.01 sec)
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY '123456';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> show databases;   # confirm the database was created
+--------------------+
| Database           |
+--------------------+
| information_schema |
| keystone           |
| mysql              |
| performance_schema |
+--------------------+
MariaDB [(none)]> select User,Password,Host from mysql.user where User like "keystone";   # check the grants
+----------+-------------------------------------------+-----------+
| User     | Password                                  | Host      |
+----------+-------------------------------------------+-----------+
| keystone | *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9 | %         |
| keystone | *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9 | localhost |
+----------+-------------------------------------------+-----------+
MariaDB [(none)]> \q
Bye

Two things to tighten outside the lab. Passing the root password on the command line (-p123456) leaves it in shell history and in the process list while the client runs; use -p alone and type it at the prompt. And the 'keystone'@'%' grant (repeated for glance and nova below) lets the account connect from any host that can reach port 3306. Because the connection strings use the controller hostname, the services connect from 192.168.1.101 rather than from localhost, so the grant can be limited to 'keystone'@'192.168.1.101' instead of '%'.
3. Install the service

[root@controller ~]# yum install openstack-keystone httpd mod_wsgi memcached python-memcached -y
[root@controller ~]# systemctl enable memcached.service && systemctl start memcached.service
[root@controller ~]# netstat -tnlp|grep memcached
tcp   0  0 127.0.0.1:11211  0.0.0.0:*  LISTEN  18914/memcached
tcp6  0  0 ::1:11211        :::*       LISTEN  18914/memcached
Memcached has no authentication and will hold every valid token, so leave it bound to loopback as shown.
[root@controller ~]# openssl rand -hex 10   # generate the bootstrap administration token
c5a232c9b4bba9eea176
[root@controller ~]# grep "^[a-z]" -B 1 /etc/keystone/keystone.conf
[DEFAULT]
admin_token = db771afcb68c09caee6d   # must be the token you just generated; the value shown here came from a different run of openssl, so use your own
[database]
connection = mysql://keystone:123456@controller/keystone   # database access
[memcache]
servers = localhost:11211   # Memcached location
[revoke]
driver = sql   # SQL driver for token revocation
[token]
provider = uuid   # UUID token provider with the Memcached token driver
driver = memcache
[root@controller ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone   # populate the Identity service database
[root@controller ~]# tail /var/log/keystone/keystone.log   # check the log for errors
2018-02-03 21:41:08.343 18981 INFO migrate.versioning.api [-] 2 -> 3...
2018-02-03 21:41:08.406 18981 INFO migrate.versioning.api [-] done
2018-02-03 21:41:08.407 18981 INFO migrate.versioning.api [-] 3 -> 4...
2018-02-03 21:41:08.565 18981 INFO migrate.versioning.api [-] done
2018-02-03 21:41:08.565 18981 INFO migrate.versioning.api [-] 4 -> 5...
2018-02-03 21:41:08.600 18981 INFO migrate.versioning.api [-] done
2018-02-03 21:41:08.620 18981 INFO migrate.versioning.api [-] 0 -> 1...
2018-02-03 21:41:08.667 18981 INFO migrate.versioning.api [-] done
2018-02-03 21:41:08.667 18981 INFO migrate.versioning.api [-] 1 -> 2...
2018-02-03 21:41:08.813 18981 INFO migrate.versioning.api [-] done

The admin_token is a bearer credential that bypasses authentication entirely on the admin API: whoever presents it is an administrator. It exists only to bootstrap the catalogue and is disabled in the verification step below.

Configure the Apache HTTP server

[root@controller ~]# grep -n "^ServerName" /etc/httpd/conf/httpd.conf   # set ServerName to the controller node
96:ServerName controller
[root@controller ~]# vim /etc/httpd/conf.d/wsgi-keystone.conf
Listen 5000
Listen 35357

<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    <IfVersion >= 2.4>
      ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
    </Directory>
</VirtualHost>

<VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    <IfVersion >= 2.4>
      ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
    </Directory>
</VirtualHost>

[root@controller ~]# systemctl enable httpd.service && systemctl start httpd.service   # start Apache and enable it at boot
[root@controller ~]# netstat -tnlp|grep httpd
tcp6  0  0 :::80     :::*  LISTEN  19148/httpd
tcp6  0  0 :::35357  :::*  LISTEN  19148/httpd   # admin API, usable only by accounts holding the admin role
tcp6  0  0 :::5000   :::*  LISTEN  19148/httpd   # public API, used by ordinary users

Port 80 is Apache's default site, which Keystone does not need. Port 35357 accepts the bootstrap admin_token until that is disabled below, so neither port should be reachable from outside the management network, and the Keystone endpoints are plain HTTP: every password and token crosses the wire in clear text unless you terminate TLS in front of them.
Create the service entity and API endpoints

[root@controller ~]# export OS_URL=http://controller:35357/v3   # endpoint URL
[root@controller ~]# export OS_IDENTITY_API_VERSION=3   # Identity API version
[root@controller ~]# export OS_TOKEN=db771afcb68c09caee6d   # the bootstrap admin token from keystone.conf
[root@controller ~]# env|grep ^OS   # confirm the settings took effect
OS_IDENTITY_API_VERSION=3
OS_TOKEN=db771afcb68c09caee6d
OS_URL=http://controller:35357/v3

In an OpenStack environment the Identity service manages a catalogue of services. Services use this catalogue to find out which other services are available in the environment.

[root@controller ~]# openstack service create --name keystone --description "OpenStack Identity" identity   # create the service entity for the Identity service
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | OpenStack Identity               |
| enabled     | True                             |
| id          | 351c5f4d5174430eacb38b16a6403d40 |
| name        | keystone                         |
| type        | identity                         |
+-------------+----------------------------------+

The Identity service also manages a catalogue of API endpoints associated with the services in your environment. Services use this catalogue to determine how to communicate with the other services. OpenStack uses three API endpoint variants for each service: admin, internal and public. By default, the admin API endpoint allows modifying users and tenants whereas the public and internal APIs do not.

In production, for security reasons, the variants may reside on separate networks that serve different types of users. For example, the public API network might be visible from the Internet so that customers can manage their own clouds; the admin API network might be restricted to operators within the organisation that manages the cloud infrastructure; and the internal API network might be restricted to the hosts that run OpenStack services. OpenStack also supports multiple regions for scalability.

[root@controller ~]# openstack endpoint create --region RegionOne identity public http://controller:5000/v2.0   # create the Identity service API endpoints
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 1ee55eac378f4d179bacb4ea3d1850d1 |
| interface    | public                           |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 351c5f4d5174430eacb38b16a6403d40 |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://controller:5000/v2.0      |
+--------------+----------------------------------+
[root@controller ~]# openstack endpoint create --region RegionOne identity internal http://controller:5000/v2.0
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 00da46788e874f529f67046226c7b0c9 |
| interface    | internal                         |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 351c5f4d5174430eacb38b16a6403d40 |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://controller:5000/v2.0      |
+--------------+----------------------------------+
[root@controller ~]# openstack endpoint create --region RegionOne identity admin http://controller:35357/v2.0
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | fab8917d632a4a8c8ccb4290cbd382c6 |
| interface    | admin                            |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 351c5f4d5174430eacb38b16a6403d40 |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://controller:35357/v2.0     |
+--------------+----------------------------------+

Note: each service added to the OpenStack environment requires one or more service entities and the three API endpoint variants in the Identity service.

Create an administrative project, user and role for administrative operations.

[root@controller ~]# openstack project create --domain default --description "Admin Project" admin   # create the admin project
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Admin Project                    |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 839cdfc946e1491c8004e3b732d17f9a |
| is_domain   | False                            |
| name        | admin                            |
| parent_id   | None                             |
+-------------+----------------------------------+
[root@controller ~]# openstack user create --domain default --password-prompt admin   # create the admin user
User Password:   # set to 123456 in this lab
Repeat User Password:
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | default                          |
| enabled   | True                             |
| id        | d4f0c9b24be84306960e29a7961d22a3 |
| name      | admin                            |
+-----------+----------------------------------+
[root@controller ~]# openstack role create admin   # create the admin role
+-------+----------------------------------+
| Field | Value                            |
+-------+----------------------------------+
| id    | ebab14b851254fe69abb49132f3b76a2 |
| name  | admin                            |
+-------+----------------------------------+
[root@controller ~]# openstack role add --project admin --user admin admin   # add the admin role to the admin project and user; this command produces no output

The service project contains one unique user for each service that is added to the environment. Create the service project:
[root@controller ~]# openstack project create --domain default --description "Service Project" service
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Service Project                  |
| domain_id   | default                          |
| enabled     | True                             |
| id          | cfbdca3af1a043d8ace0f47724312e60 |
| is_domain   | False                            |
| name        | service                          |
| parent_id   | None                             |
+-------------+----------------------------------+

Regular (non-administrative) tasks should use an unprivileged project and user. As an example, create a demo project and user.
[root@controller ~]# openstack project create --domain default --description "Demo Project" demo   # create the demo project; do not repeat this step when creating additional users for it
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Demo Project                     |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 2003811a2ad548e7b686f06a55fe9ce9 |
| is_domain   | False                            |
| name        | demo                             |
| parent_id   | None                             |
+-------------+----------------------------------+
[root@controller ~]# openstack user create --domain default --password-prompt demo   # create the demo user
User Password:
Repeat User Password:
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | default                          |
| enabled   | True                             |
| id        | d4ffbeefe72d412187047a79e3a51d00 |
| name      | demo                             |
+-----------+----------------------------------+
[root@controller ~]# openstack role create user   # create the user role
+-------+----------------------------------+
| Field | Value                            |
+-------+----------------------------------+
| id    | a1b9a999563544daa808e5ee1e0edaf0 |
| name  | user                             |
+-------+----------------------------------+
[root@controller ~]# openstack role add --project demo --user demo user   # add the user role to the demo project and user; repeat this procedure to create additional projects and users
Verify the installation

[root@controller ~]# vim /usr/share/keystone/keystone-dist-paste.ini   # for security, disable the temporary token authentication mechanism: remove admin_token_auth from the pipeline line of each of these three sections
[pipeline:public_api]
[pipeline:admin_api]
[pipeline:api_v3]
This file is owned by the openstack-keystone package, so re-check it after any yum update of that package. Once admin_token_auth is gone from the pipelines, the admin_token value in keystone.conf is no longer used and can be removed as well.
[root@controller ~]# unset OS_TOKEN OS_URL   # clear the OS_TOKEN and OS_URL environment variables
[root@controller ~]# openstack --os-auth-url http://controller:35357/v3 --os-project-domain-id default --os-user-domain-id default --os-project-name admin --os-username admin --os-auth-type password token issue   # request a token as the admin user (password 123456)
Password:
+------------+----------------------------------+
| Field      | Value                            |
+------------+----------------------------------+
| expires    | 2018-02-03T15:25:41.805097Z      |
| id         | ed30245e370648a185539a970e6c9e19 |
| project_id | 839cdfc946e1491c8004e3b732d17f9a |
| user_id    | d4f0c9b24be84306960e29a7961d22a3 |
+------------+----------------------------------+
[root@controller ~]# openstack --os-auth-url http://controller:5000/v3 --os-project-domain-id default --os-user-domain-id default --os-project-name demo --os-username demo --os-auth-type password token issue   # request a token as the demo user
Password:
+------------+----------------------------------+
| Field      | Value                            |
+------------+----------------------------------+
| expires    | 2018-02-03T15:25:58.135574Z      |
| id         | a9c52f8f92804a81b7d0c6b5496a8ee3 |
| project_id | 2003811a2ad548e7b686f06a55fe9ce9 |
| user_id    | d4ffbeefe72d412187047a79e3a51d00 |
+------------+----------------------------------+

So far we have used a combination of environment variables and command options to interact with the Identity service through the openstack client. To make client operations more efficient, OpenStack supports simple client environment scripts, also known as OpenRC files. Create client environment scripts for the admin and demo projects and users; they load the appropriate credentials for client operations.

[root@controller ~]# cat admin-openrc.sh   # create admin-openrc.sh with the following content
export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_NAME=admin
export OS_TENANT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=123456
export OS_AUTH_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3
[root@controller ~]# cat demo-openrc.sh   # create demo-openrc.sh with the following content
export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_NAME=demo
export OS_TENANT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=123456
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3

These files hold passwords in clear text; make them readable only by their owner (chmod 600 admin-openrc.sh demo-openrc.sh) and keep them out of version control.

[root@controller ~]# source admin-openrc.sh   # load the Identity service location and the admin project and user credentials into the environment
[root@controller ~]# openstack token issue   # request an authentication token
+------------+----------------------------------+
| Field      | Value                            |
+------------+----------------------------------+
| expires    | 2018-02-03T15:30:58.249772Z      |
| id         | 48602913c79046f69d4db4ce7645b61b |
| project_id | 839cdfc946e1491c8004e3b732d17f9a |
| user_id    | d4f0c9b24be84306960e29a7961d22a3 |
+------------+----------------------------------+
[root@controller ~]# source demo-openrc.sh   # same for the demo user
[root@controller ~]# openstack token issue
+------------+----------------------------------+
| Field      | Value                            |
+------------+----------------------------------+
| expires    | 2018-02-03T15:31:09.666144Z      |
| id         | 9f3a4ff3239f418c8c000e712b42b216 |
| project_id | 2003811a2ad548e7b686f06a55fe9ce9 |
| user_id    | d4ffbeefe72d412187047a79e3a51d00 |
+------------+----------------------------------+
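The paste-pipeline edit at the start of this verification step is the one change in the whole guide that closes an authentication bypass, so it is worth doing in a way that can be checked rather than by hand. The following is an added example, not code from the guide: it strips admin_token_auth from every pipeline line and then asserts that none remains. PASTE_INI defaults to the package file the guide edits; the test exercises the functions on a constructed copy of the three pipeline sections.

```shell
#!/bin/sh
# Added example (not part of the original guide): remove the admin_token_auth
# filter from every Keystone paste pipeline and verify that it is gone.
# PASTE_INI defaults to the file the guide edits by hand.

PASTE_INI=${PASTE_INI:-/usr/share/keystone/keystone-dist-paste.ini}

# Return 0 when no "pipeline = ..." line still lists admin_token_auth.
admin_token_auth_disabled() {
    ! grep '^pipeline[[:space:]]*=.*admin_token_auth' "$1" >/dev/null
}

# Remove the admin_token_auth filter from every pipeline line, keeping a
# backup of the original. The [filter:admin_token_auth] section definition
# stays behind, which is harmless once no pipeline references it.
disable_admin_token_auth() {
    ini=$1
    cp -p "$ini" "$ini.bak"
    sed -e '/^pipeline[[:space:]]*=/s/ admin_token_auth / /g' \
        -e '/^pipeline[[:space:]]*=/s/ admin_token_auth$//' "$ini" > "$ini.tmp" \
        && mv "$ini.tmp" "$ini"
    admin_token_auth_disabled "$ini"
}

# On the controller: apply the edit, restart Apache so the running Keystone
# loads the new pipeline, then confirm that "openstack token issue" with
# OS_TOKEN set now fails while password authentication still works.
if [ "${1:-}" = "--apply" ]; then
    disable_admin_token_auth "$PASTE_INI" || exit 1
    systemctl restart httpd.service
fi
```

After applying it, also delete the admin_token line from /etc/keystone/keystone.conf; the filter is what honours the token, but leaving a valid-looking credential in a config file invites it being re-enabled later.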


VI. Add the Image service

1. Service overview

The Image service (glance) lets users discover, register and retrieve virtual machine images. It offers a REST API that lets you query virtual machine image metadata and retrieve an actual image. You can store virtual machine images made available through the Image service in a variety of locations, from a simple file system to object storage systems such as OpenStack Object Storage.

The Image service is a core IaaS service. It accepts API requests for disk or server images, and metadata definitions, from end users or from the Compute components. It also supports storing disk or server images on various repository types, including OpenStack Object Storage. A number of periodic processes run on the Image service to support caching; replication services ensure consistency and availability through the cluster, and other periodic processes include auditors, updaters and reapers.

The Image service consists of the following components:
glance-api: accepts Image API calls for image discovery, retrieval and storage.
glance-registry: stores, processes and retrieves image metadata such as size and type. glance-registry is a private internal service meant only for use by the Image service; do not expose it to users.
Database: stores image metadata. You can choose the database you prefer; most deployments use MySQL or SQLite.
Storage repository for image files: various repository types are supported, including normal file systems, Object Storage, RADOS block devices, HTTP and Amazon S3. Note that some repositories support only read-only usage.
Metadata definition service: a common API for vendors, admins, services and users to define their own custom metadata. This metadata can be used on different types of resources such as images, artifacts, volumes, flavors and aggregates. A definition includes the new property's key, description, constraints and the resource types it can be associated with.
2. Prerequisites: before installing and configuring the Image service, create a database, service credentials and API endpoints.

[root@controller ~]# mysql -u root -p123456   # create the database and grant access
MariaDB [(none)]> CREATE DATABASE glance;
Query OK, 1 row affected (0.00 sec)
MariaDB [(none)]> GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'localhost' IDENTIFIED BY '123456';
Query OK, 0 rows affected (0.01 sec)
MariaDB [(none)]> GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'%' IDENTIFIED BY '123456';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> \q
Bye
[root@controller ~]# source admin-openrc.sh   # load the admin credentials to gain access to admin-only commands
[root@controller ~]# openstack user create --domain default --password-prompt glance   # create the glance user
User Password:   # 123456 in this lab
Repeat User Password:
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | default                          |
| enabled   | True                             |
| id        | 87a0389545e54e6697db202744c736b6 |
| name      | glance                           |
+-----------+----------------------------------+
[root@controller ~]# openstack role add --project service --user glance admin   # add the admin role to the glance user in the service project; no output
[root@controller ~]# openstack service create --name glance --description "OpenStack Image service" image   # create the glance service entity
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | OpenStack Image service          |
| enabled     | True                             |
| id          | b4c7005fde9b4c0085e2fc5874f02f34 |
| name        | glance                           |
| type        | image                            |
+-------------+----------------------------------+
Create the Image service API endpoints:
[root@controller ~]# openstack endpoint create --region RegionOne image public http://controller:9292
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 589466fdddf447b9b7e273954c2b7987 |
| interface    | public                           |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | b4c7005fde9b4c0085e2fc5874f02f34 |
| service_name | glance                           |
| service_type | image                            |
| url          | http://controller:9292           |
+--------------+----------------------------------+
[root@controller ~]# openstack endpoint create --region RegionOne image internal http://controller:9292
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | f67a5c559caf4580aee84304d1a2f37d |
| interface    | internal                         |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | b4c7005fde9b4c0085e2fc5874f02f34 |
| service_name | glance                           |
| service_type | image                            |
| url          | http://controller:9292           |
+--------------+----------------------------------+
[root@controller ~]# openstack endpoint create --region RegionOne image admin http://controller:9292
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | fb54cd8ff23b4ea0872f1a5db7182d8e |
| interface    | admin                            |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | b4c7005fde9b4c0085e2fc5874f02f34 |
| service_name | glance                           |
| service_type | image                            |
| url          | http://controller:9292           |
+--------------+----------------------------------+
3. Install the service

[root@controller ~]# yum install -y openstack-glance python-glance python-glanceclient
[root@controller ~]# grep "^[a-z]" -B 1 /etc/glance/glance-api.conf   # edit /etc/glance/glance-api.conf
[DEFAULT]
notification_driver = noop   # noop disables notifications, which are only relevant to the optional Telemetry service
verbose = True
[database]
connection = mysql://glance:123456@controller/glance   # database access
[glance_store]
default_store = file   # local file system store and image file location
filesystem_store_datadir = /var/lib/glance/images/
[keystone_authtoken]   # Identity service access; comment out or remove any other options in [keystone_authtoken]
auth_uri = http://controller:5000
auth_url = http://controller:35357
auth_plugin = password
project_domain_id = default
user_domain_id = default
project_name = service
username = glance
password = 123456
[paste_deploy]
flavor = keystone   # use the Identity service for authentication
[root@controller ~]# grep "^[a-z]" -B 1 /etc/glance/glance-registry.conf   # edit /etc/glance/glance-registry.conf
[DEFAULT]
notification_driver = noop   # as above
verbose = True
[database]
connection = mysql://glance:123456@controller/glance
[keystone_authtoken]   # Identity service access; comment out or remove any other options in [keystone_authtoken]
auth_uri = http://controller:5000
auth_url = http://controller:35357
auth_plugin = password
project_domain_id = default
user_domain_id = default
project_name = service
username = glance
password = 123456
[paste_deploy]
flavor = keystone   # use the Identity service for authentication
[root@controller ~]# su -s /bin/sh -c "glance-manage db_sync" glance   # populate the Image service database
[root@controller ~]# tail /var/log/glance/api.log
2018-02-04 19:42:34.439 20807 INFO migrate.versioning.api [-] 40 -> 41...
2018-02-04 19:42:34.468 20807 INFO glance.db.sqlalchemy.migrate_repo.schema [-] creating table artifacts
2018-02-04 19:42:34.567 20807 INFO glance.db.sqlalchemy.migrate_repo.schema [-] creating table artifact_tags
2018-02-04 19:42:34.978 20807 INFO glance.db.sqlalchemy.migrate_repo.schema [-] creating table artifact_properties
2018-02-04 19:42:35.054 20807 INFO glance.db.sqlalchemy.migrate_repo.schema [-] creating table artifact_blobs
2018-02-04 19:42:35.211 20807 INFO glance.db.sqlalchemy.migrate_repo.schema [-] creating table artifact_blob_locations
2018-02-04 19:42:35.339 20807 INFO glance.db.sqlalchemy.migrate_repo.schema [-] creating table artifact_dependencies
2018-02-04 19:42:35.542 20807 INFO migrate.versioning.api [-] done
2018-02-04 19:42:35.542 20807 INFO migrate.versioning.api [-] 41 -> 42...
2018-02-04 19:42:36.271 20807 INFO migrate.versioning.api [-] done
[root@controller ~]# systemctl enable openstack-glance-api.service openstack-glance-registry.service   # start the Image services and enable them at boot
[root@controller ~]# systemctl start openstack-glance-api.service openstack-glance-registry.service
[root@controller ~]# netstat -tnlp|grep python
tcp  0  0 0.0.0.0:9292  0.0.0.0:*  LISTEN  20858/python2   # glance-api
tcp  0  0 0.0.0.0:9191  0.0.0.0:*  LISTEN  20859/python2   # glance-registry

glance-registry on 9191 is the internal service the overview says must not be exposed to users, yet it listens on every interface here; with the firewall disabled in step II.2 it is reachable by anything on the network, so restrict it to the controller itself (bind_host in glance-registry.conf, or a firewall rule) once the verification below passes.

Verify the installation

[root@controller ~]# echo "export OS_IMAGE_API_VERSION=2" | tee -a admin-openrc.sh demo-openrc.sh   # configure the Image service client to use API version 2.0 in each client environment script
export OS_IMAGE_API_VERSION=2
[root@controller ~]# source admin-openrc.sh   # load the admin credentials to gain access to admin-only commands
[root@controller ~]# wget http://download.cirros-cloud.net/0.3.4/cirros-0.3.4-x86_64-disk.img   # download the test image
[root@controller ~]# glance image-create --name "cirros" --file cirros-0.3.4-x86_64-disk.img --disk-format qcow2 --container-format bare --visibility public --progress
# upload the image to the Image service using the QCOW2 disk format and bare container format, and make it public so every project can use it
[=============================>] 100%
+------------------+--------------------------------------+
| Property         | Value                                |
+------------------+--------------------------------------+
| checksum         | ee1eca47dc88f4879d8a229cc70a07c6     |
| container_format | bare                                 |
| created_at       | 2018-02-04T11:50:48Z                 |
| disk_format      | qcow2                                |
| id               | 936bce27-085b-4d79-8cce-68cff70d7abd |
| min_disk         | 0                                    |
| min_ram          | 0                                    |
| name             | cirros                               |
| owner            | 839cdfc946e1491c8004e3b732d17f9a     |
| protected        | False                                |
| size             | 13287936                             |
| status           | active                               |
| tags             | []                                   |
| updated_at       | 2018-02-04T11:50:49Z                 |
| virtual_size     | None                                 |
| visibility       | public                               |
+------------------+--------------------------------------+
[root@controller ~]# glance image-list   # confirm the upload and check the attributes
+--------------------------------------+--------+
| ID                                   | Name   |
+--------------------------------------+--------+
| 936bce27-085b-4d79-8cce-68cff70d7abd | cirros |
+--------------------------------------+--------+

The image was fetched over plain http and registered as public, so every instance booted from it in every project runs whatever that download contained. Compare the checksum that glance reports with a value you obtained from the image's publisher before making an image public, and consider marking golden images protected so they cannot be deleted by accident.


VII. Install and configure the Compute service (nova)

1. Service overview

Use the OpenStack Compute service to host and manage cloud computing systems. Compute is a major part of an Infrastructure-as-a-Service (IaaS) system, and its main modules are implemented in Python. Compute interacts with the Identity service for authentication, with the Image service for disk and server images, and with the Dashboard for the user and administrative interface. Image access is limited by projects and users; quotas are limited per project (for example the number of instances). Compute can scale horizontally on standard hardware and download images to launch instances.

The Compute service consists of the following components:
nova-api service: accepts and responds to end-user Compute API calls. It supports the OpenStack Compute API, the Amazon EC2 API and a special admin API for privileged users to perform administrative actions. It enforces some policies and initiates most orchestration activities, such as running an instance.
nova-api-metadata service: accepts metadata requests from instances. It is generally used when you run in multi-host mode with nova-network; for details see Metadata service <http://docs.openstack.org/admin-guide/compute-networking-nova.html#metadata-service> in the OpenStack Administrator Guide.
nova-compute service: a worker daemon that creates and terminates virtual machine instances through hypervisor APIs, for example XenAPI for XenServer/XCP, libvirt for KVM or QEMU, and VMwareAPI for VMware. Processing is fairly complex; at its most basic, the daemon accepts actions from the queue, performs a series of system commands such as launching a KVM instance, and updates their state in the database.
nova-scheduler service: takes a virtual machine instance request from the queue and determines which compute server host it runs on.
nova-conductor module: mediates interactions between the nova-compute service and the database, eliminating direct access to the cloud database by nova-compute. It scales horizontally, but do not deploy it on nodes that run nova-compute. See the Configuration Reference Guide <http://docs.openstack.org/mitaka/config-reference/compute/conductor.html>.
nova-cert module: a server daemon that serves the Nova Cert service for X509 certificates. It is used to generate certificates for euca-bundle-image and is only needed by the EC2 API.
nova-network worker daemon: similar to the nova-compute service, it accepts networking tasks from the queue and manipulates the network, for example setting up bridging interfaces or changing iptables rules.
nova-consoleauth daemon: authorises tokens for users that console proxies provide; see nova-novncproxy and nova-xvpvncproxy. This service must be running for console proxies to work. In a cluster configuration you can run proxies of either type against a single nova-consoleauth service. See About nova-consoleauth <http://docs.openstack.org/admin-guide/compute-remote-console-access.html#about-nova-consoleauth>.
nova-novncproxy daemon: a proxy for accessing running instances through a VNC connection; supports browser-based novnc clients.
nova-spicehtml5proxy daemon: a proxy for accessing running instances through a SPICE connection; supports browser-based HTML5 clients.
nova-xvpvncproxy daemon: a proxy for accessing running instances through a VNC connection; supports the OpenStack-specific Java client.
nova client: lets users submit commands as a tenant administrator or end user.
Queue: a central hub for passing messages between daemons. Usually implemented with RabbitMQ, but any AMQP message queue such as ZeroMQ can be used.
SQL database: stores most build-time and run-time state for the cloud infrastructure, including:
1. available instance types
2. instances in use
3. available networks
4. projects
Theoretically Compute can support any database that SQLAlchemy supports; SQLite3 is commonly used for test and development work, and MySQL and PostgreSQL for production.
2. Prerequisites: create the Compute database and grants, the service credentials and the API endpoints.

On the controller node:

[root@controller ~]# mysql -u root -p123456
MariaDB [(none)]> CREATE DATABASE nova;   # create the nova database
Query OK, 1 row affected (0.00 sec)
MariaDB [(none)]> GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'localhost' IDENTIFIED BY '123456';   # grant access to the nova database
Query OK, 0 rows affected (0.01 sec)
MariaDB [(none)]> GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'%' IDENTIFIED BY '123456';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> \q
Bye
[root@controller ~]# source admin-openrc.sh   # load the admin credentials to gain access to admin-only commands
Create the service credentials:
[root@controller ~]# openstack user create --domain default --password-prompt nova   # create the nova user
User Password:   # 123456 in this lab
Repeat User Password:
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | default                          |
| enabled   | True                             |
| id        | 00a917a5ba494d13b3c48bb51d47384c |
| name      | nova                             |
+-----------+----------------------------------+
[root@controller ~]# openstack role add --project service --user nova admin   # add the admin role to the nova user; no output
[root@controller ~]# openstack service create --name nova --description "OpenStack Compute" compute   # create the nova service entity
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | OpenStack Compute                |
| enabled     | True                             |
| id          | 9ced96bbfda44296aba0311fbc52f68e |
| name        | nova                             |
| type        | compute                          |
+-------------+----------------------------------+
Create the Compute service API endpoints:
[root@controller ~]# openstack endpoint create --region RegionOne compute public http://controller:8774/v2/%\(tenant_id\)s
+--------------+-----------------------------------------+
| Field        | Value                                   |
+--------------+-----------------------------------------+
| enabled      | True                                    |
| id           | 02b501d9270345fe887165c35c9ee9b2        |
| interface    | public                                  |
| region       | RegionOne                               |
| region_id    | RegionOne                               |
| service_id   | 9ced96bbfda44296aba0311fbc52f68e        |
| service_name | nova                                    |
| service_type | compute                                 |
| url          | http://controller:8774/v2/%(tenant_id)s |
+--------------+-----------------------------------------+
[root@controller ~]# openstack endpoint create --region RegionOne compute internal http://controller:8774/v2/%\(tenant_id\)s
+--------------+-----------------------------------------+
| Field        | Value                                   |
+--------------+-----------------------------------------+
| enabled      | True                                    |
| id           | 886844dc06d84b838e623f6d3939818c        |
| interface    | internal                                |
| region       | RegionOne                               |
| region_id    | RegionOne                               |
| service_id   | 9ced96bbfda44296aba0311fbc52f68e        |
| service_name | nova                                    |
| service_type | compute                                 |
| url          | http://controller:8774/v2/%(tenant_id)s |
+--------------+-----------------------------------------+
[root@controller ~]# openstack endpoint create --region RegionOne compute admin http://controller:8774/v2/%\(tenant_id\)s
+--------------+-----------------------------------------+
| Field        | Value                                   |
+--------------+-----------------------------------------+
| enabled      | True                                    |
| id           | b72dc761e3004e398277d90441ee2cc3        |
| interface    | admin                                   |
| region       | RegionOne                               |
| region_id    | RegionOne                               |
| service_id   | 9ced96bbfda44296aba0311fbc52f68e        |
| service_name | nova                                    |
| service_type | compute                                 |
| url          | http://controller:8774/v2/%(tenant_id)s |
+--------------+-----------------------------------------+
3. Install the service

[root@controller ~]# yum install -y openstack-nova-api openstack-nova-cert openstack-nova-conductor openstack-nova-console openstack-nova-novncproxy openstack-nova-scheduler python-novaclient   # install the packages
[root@controller ~]# grep "^[a-z]" -B 1 /etc/nova/nova.conf   # edit /etc/nova/nova.conf
[DEFAULT]
rpc_backend = rabbit   # RabbitMQ message queue access
auth_strategy = keystone   # Identity service access
my_ip = 192.168.1.101   # management interface IP address of the controller node
network_api_class = nova.network.neutronv2.api.API   # enable Networking service support
security_group_api = neutron
linuxnet_interface_driver = nova.network.linux_net.NeutronLinuxBridgeInterfaceDriver
firewall_driver = nova.virt.firewall.NoopFirewallDriver
enabled_apis=osapi_compute,metadata   # disable the EC2 API
verbose = True
[database]
connection = mysql://nova:123456@controller/nova   # database access
[glance]
host = controller   # location of the Image service; an IP address also works if the name does not resolve
[keystone_authtoken]   # Identity service access
auth_uri = http://controller:5000
auth_url = http://controller:35357
auth_plugin = password
project_domain_id = default
user_domain_id = default
project_name = service
username = nova
password = 123456
[neutron]   # Networking service access parameters; enable the metadata proxy and configure its secret
url = http://controller:9696
auth_url = http://controller:35357
auth_plugin = password
project_domain_id = default
user_domain_id = default
region_name = RegionOne
project_name = service
username = neutron
password = 123456
service_metadata_proxy = True   # enable the metadata proxy and configure the shared secret
metadata_proxy_shared_secret = 123456   # choose your own value; it must match the one in /etc/neutron/metadata_agent.ini
[oslo_concurrency]
lock_path = /var/lib/nova/tmp   # lock path
[oslo_messaging_rabbit]   # RabbitMQ message queue access
rabbit_host = controller
rabbit_userid = openstack
rabbit_password = 123456
[vnc]   # VNC proxy, using the management IP of the controller node
vncserver_listen = $my_ip
vncserver_proxyclient_address = $my_ip
[root@controller ~]# su -s /bin/sh -c "nova-manage db sync" nova   # populate the Compute database; the deprecation warnings can be ignored
[root@controller ~]# tail /var/log/nova/nova-manage.log
2018-02-04 20:26:52.552 21752 INFO migrate.versioning.api [-] 297 -> 298...
2018-02-04 20:26:52.663 21752 INFO migrate.versioning.api [-] done
2018-02-04 20:26:52.664 21752 INFO migrate.versioning.api [-] 298 -> 299...
2018-02-04 20:26:52.740 21752 INFO migrate.versioning.api [-] done
2018-02-04 20:26:52.740 21752 INFO migrate.versioning.api [-] 299 -> 300...
2018-02-04 20:26:52.931 21752 INFO migrate.versioning.api [-] done
2018-02-04 20:26:52.931 21752 INFO migrate.versioning.api [-] 300 -> 301...
2018-02-04 20:26:53.217 21752 INFO migrate.versioning.api [-] done
2018-02-04 20:26:53.218 21752 INFO migrate.versioning.api [-] 301 -> 302...
2018-02-04 20:26:53.230 21752 INFO migrate.versioning.api [-] done
[root@controller ~]# systemctl enable openstack-nova-api.service openstack-nova-cert.service openstack-nova-consoleauth.service openstack-nova-scheduler.service openstack-nova-conductor.service openstack-nova-novncproxy.service   # start the Compute services and enable them at boot
[root@controller ~]# systemctl start openstack-nova-api.service openstack-nova-cert.service openstack-nova-consoleauth.service openstack-nova-scheduler.service openstack-nova-conductor.service openstack-nova-novncproxy.service

metadata_proxy_shared_secret deserves a real random value even in a lab: it is the HMAC key with which the metadata API trusts the instance identity forwarded by the Neutron metadata agent. Anyone who knows it and can reach the metadata API can ask for another instance's metadata, which includes its user data and SSH keys.
compute1 (compute node): install and configure the Nova service:
[root@compute1 ~]# yum install -y openstack-nova-compute sysfsutils
[root@compute1 ~]# egrep -c '(vmx|svm)' /proc/cpuinfo #determine whether the compute node supports hardware acceleration for virtual machines. If this command returns a value of 1 or greater, the compute node supports hardware acceleration and usually needs no additional configuration. If it returns 0, the compute node does not support hardware acceleration and libvirt must be configured to use QEMU instead of KVM.
1
[root@compute1 neutron]# grep "^[a-z]" -B 1 /etc/nova/nova.conf #edit the /etc/nova/nova.conf file
[DEFAULT]
rpc_backend = rabbit #configure RabbitMQ message queue access
auth_strategy = keystone #configure Identity service access
my_ip = 192.168.1.102 #IP address of the management network interface on the compute node
network_api_class = nova.network.neutronv2.api.API #enable support for the Networking service
security_group_api = neutron
linuxnet_interface_driver = nova.network.linux_net.NeutronLinuxBridgeInterfaceDriver
firewall_driver = nova.virt.firewall.NoopFirewallDriver #Networking provides the firewall service, so you must disable the Compute firewall service with the nova.virt.firewall.NoopFirewallDriver driver
verbose = True
[glance]
host = controller #location of the Image service
[keystone_authtoken] #configure Identity service access
auth_uri = http://controller:5000
auth_url = http://controller:35357
auth_plugin = password
project_domain_id = default
user_domain_id = default
project_name = service
username = nova
password = 123456
[libvirt]
virt_type = kvm
[neutron] #configure access parameters for the Networking service
url = http://controller:9696
auth_url = http://controller:35357
auth_plugin = password
project_domain_id = default
user_domain_id = default
region_name = RegionOne
project_name = service
username = neutron
password = 123456
[oslo_concurrency]
lock_path = /var/lib/nova/tmp #configure the lock path
[oslo_messaging_rabbit] #configure RabbitMQ message queue access
rabbit_host = controller
rabbit_userid = openstack
rabbit_password = 123456
[vnc] #enable and configure remote console access
enabled = True
vncserver_listen = 0.0.0.0
vncserver_proxyclient_address = $my_ip
novncproxy_base_url = http://controller:6080/vnc_auto.html #if the host cannot resolve the controller hostname, replace controller with the management-network IP address of the controller node
[root@compute1 ~]# systemctl enable libvirtd.service openstack-nova-compute.service #start the Compute service and its dependencies, and configure them to start automatically when the system boots
[root@compute1 ~]# systemctl start libvirtd.service openstack-nova-compute.service
Verification:
On controller (the control node):
[root@controller ~]# source admin-openrc.sh #source the admin credentials to gain access to admin-only CLI commands
[root@controller ~]# nova service-list #list the service components to verify that each process started and registered successfully
#the output should show four service components enabled on the controller node and one service component enabled on the compute node
+----+------------------+------------+----------+---------+-------+----------------------------+-----------------+
| Id | Binary | Host | Zone | Status | State | Updated_at | Disabled Reason |
+----+------------------+------------+----------+---------+-------+----------------------------+-----------------+
| 1 | nova-scheduler | controller | internal | enabled | up | 2018-02-04T12:44:55.000000 | - |
| 2 | nova-conductor | controller | internal | enabled | up | 2018-02-04T12:44:55.000000 | - |
| 3 | nova-consoleauth | controller | internal | enabled | up | 2018-02-04T12:44:55.000000 | - |
| 4 | nova-cert | controller | internal | enabled | up | 2018-02-04T12:44:55.000000 | - |
| 5 | nova-compute | compute1 | nova | enabled | up | 2018-02-04T12:44:49.000000 | - |
+----+------------------+------------+----------+---------+-------+----------------------------+-----------------+
[root@controller ~]# nova endpoints #list the API endpoints in the Identity service to verify connectivity with the Identity service
WARNING: keystone has no endpoint in !
Available endpoints for this service: #ignore the warnings in the output
+-----------+----------------------------------+
| keystone | Value |
+-----------+----------------------------------+
| id | 00da46788e874f529f67046226c7b0c9 |
| interface | internal |
| region | RegionOne |
| region_id | RegionOne |
| url | http://controller:5000/v2.0 |
+-----------+----------------------------------+
+-----------+----------------------------------+
| keystone | Value |
+-----------+----------------------------------+
| id | 1ee55eac378f4d179bacb4ea3d1850d1 |
| interface | public |
| region | RegionOne |
| region_id | RegionOne |
| url | http://controller:5000/v2.0 |
+-----------+----------------------------------+
+-----------+----------------------------------+
| keystone | Value |
+-----------+----------------------------------+
| id | fab8917d632a4a8c8ccb4290cbd382c6 |
| interface | admin |
| region | RegionOne |
| region_id | RegionOne |
| url | http://controller:35357/v2.0 |
+-----------+----------------------------------+
WARNING: nova has no endpoint in !
Available endpoints for this service:
+-----------+------------------------------------------------------------+
| nova | Value |
+-----------+------------------------------------------------------------+
| id | 02b501d9270345fe887165c35c9ee9b2 |
| interface | public |
| region | RegionOne |
| region_id | RegionOne |
| url | http://controller:8774/v2/839cdfc946e1491c8004e3b732d17f9a |
+-----------+------------------------------------------------------------+
+-----------+------------------------------------------------------------+
| nova | Value |
+-----------+------------------------------------------------------------+
| id | 886844dc06d84b838e623f6d3939818c |
| interface | internal |
| region | RegionOne |
| region_id | RegionOne |
| url | http://controller:8774/v2/839cdfc946e1491c8004e3b732d17f9a |
+-----------+------------------------------------------------------------+
+-----------+------------------------------------------------------------+
| nova | Value |
+-----------+------------------------------------------------------------+
| id | b72dc761e3004e398277d90441ee2cc3 |
| interface | admin |
| region | RegionOne |
| region_id | RegionOne |
| url | http://controller:8774/v2/839cdfc946e1491c8004e3b732d17f9a |
+-----------+------------------------------------------------------------+
WARNING: glance has no endpoint in !
Available endpoints for this service:
+-----------+----------------------------------+
| glance | Value |
+-----------+----------------------------------+
| id | 589466fdddf447b9b7e273954c2b7987 |
| interface | public |
| region | RegionOne |
| region_id | RegionOne |
| url | http://controller:9292 |
+-----------+----------------------------------+
+-----------+----------------------------------+
| glance | Value |
+-----------+----------------------------------+
| id | f67a5c559caf4580aee84304d1a2f37d |
| interface | internal |
| region | RegionOne |
| region_id | RegionOne |
| url | http://controller:9292 |
+-----------+----------------------------------+
+-----------+----------------------------------+
| glance | Value |
+-----------+----------------------------------+
| id | fb54cd8ff23b4ea0872f1a5db7182d8e |
| interface | admin |
| region | RegionOne |
| region_id | RegionOne |
| url | http://controller:9292 |
+-----------+----------------------------------+
[root@controller ~]# nova image-list #list the images in the Image service catalog to verify connectivity with the Image service
+--------------------------------------+--------+--------+--------+
| ID | Name | Status | Server |
+--------------------------------------+--------+--------+--------+
| 936bce27-085b-4d79-8cce-68cff70d7abd | cirros | ACTIVE | |
+--------------------------------------+--------+--------+--------+


VIII. Install and configure the Networking service (neutron)
OpenStack Networking (neutron) manages all networking facets of the virtual networking infrastructure (VNI) and the access-layer aspects of the physical networking infrastructure (PNI) in your OpenStack environment. OpenStack Networking lets tenants create advanced virtual network topologies that include services such as firewalls, load balancers and virtual private networks (VPNs).
1. Service overview
OpenStack Networking (neutron) allows you to create and attach interface devices that are managed by other OpenStack services to networks. Its plug-in architecture accommodates different networking equipment and software, giving the OpenStack architecture and deployment flexibility. It includes the following components:
neutron-server: accepts API requests and routes them to the appropriate OpenStack Networking plug-in for action.
OpenStack Networking plug-ins and agents: plug and unplug ports, create networks and subnets, and provide IP addressing. These plug-ins and agents differ depending on the vendor and technologies used; OpenStack Networking ships with plug-ins and agents for Cisco virtual and physical switches, NEC OpenFlow products, Open vSwitch, Linux bridging and the VMware NSX product. The common agents are L3 (layer 3), DHCP (dynamic host IP addressing) and a plug-in agent.
Messaging queue: used by most OpenStack Networking installations to route information between neutron-server and the various agents. It also acts as a database to store networking state for particular plug-ins.
OpenStack Networking mainly interacts with OpenStack Compute to provide networks and connectivity for its instances.
2. Prerequisites: create the neutron database, service credentials and API endpoints
[root@controller ~]# mysql -u root -p123456
MariaDB [(none)]> CREATE DATABASE neutron; #create the neutron database
Query OK, 1 row affected (0.00 sec)
MariaDB [(none)]> GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'localhost' IDENTIFIED BY '123456'; #grant proper access to the neutron database
Query OK, 0 rows affected (0.03 sec)
MariaDB [(none)]> GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'%' IDENTIFIED BY '123456';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> \q
Bye
[root@controller ~]# source admin-openrc.sh #source the admin credentials to gain access to admin-only CLI commands
Create the service credentials
[root@controller ~]# openstack user create --domain default --password-prompt neutron #create the neutron user
User Password: #the password is 123456
Repeat User Password:
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | default |
| enabled | True |
| id | c704bcba775b43b4b9b12a06f60af725 |
| name | neutron |
+-----------+----------------------------------+
[root@controller ~]# openstack role add --project service --user neutron admin #add the admin role to the neutron user
[root@controller ~]# openstack service create --name neutron --description "OpenStack Networking" network #create the neutron service entity
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | OpenStack Networking |
| enabled | True |
| id | 71ddd68d6f6c463f8656274270650d68 |
| name | neutron |
| type | network |
+-------------+----------------------------------+
[root@controller ~]# openstack endpoint create --region RegionOne network public http://controller:9696 #create the Networking service API endpoints
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 7761b18170534542af7a614f53025110 |
| interface | public |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 71ddd68d6f6c463f8656274270650d68 |
| service_name | neutron |
| service_type | network |
| url | http://controller:9696 |
+--------------+----------------------------------+
[root@controller ~]# openstack endpoint create --region RegionOne network internal http://controller:9696
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 1e92ad2a17854c678d37079dd9a9e297 |
| interface | internal |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 71ddd68d6f6c463f8656274270650d68 |
| service_name | neutron |
| service_type | network |
| url | http://controller:9696 |
+--------------+----------------------------------+
[root@controller ~]# openstack endpoint create --region RegionOne network admin http://controller:9696
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 077b1b1213a84699b6c5fda239db148d |
| interface | admin |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 71ddd68d6f6c463f8656274270650d68 |
| service_name | neutron |
| service_type | network |
| url | http://controller:9696 |
+--------------+----------------------------------+
3. Configure the service (networking option 2, self-service networks, is used here)
On controller (the control node):
[root@controller ~]# yum install openstack-neutron openstack-neutron-ml2 openstack-neutron-linuxbridge python-neutronclient ebtables ipset
[root@controller ~]# grep "^[a-z]" -B 1 /etc/neutron/neutron.conf #edit the /etc/neutron/neutron.conf file
[DEFAULT]
core_plugin = ml2 #enable the Modular Layer 2 (ML2) plug-in, the router service and overlapping IP addresses
service_plugins = router
allow_overlapping_ips = True
rpc_backend = rabbit #configure RabbitMQ message queue access
auth_strategy = keystone #configure Identity service access
notify_nova_on_port_status_changes = True #configure Networking to notify Compute of network topology changes
notify_nova_on_port_data_changes = True
nova_url = http://controller:8774/v2
verbose = True #enable verbose logging
[keystone_authtoken] #configure Identity service access; comment out or remove any other options in [keystone_authtoken]
auth_uri = http://controller:5000
auth_url = http://controller:35357
auth_plugin = password
project_domain_id = default
user_domain_id = default
project_name = service
username = neutron
password = 123456
[database]
connection = mysql://neutron:123456@controller/neutron #configure database access
[nova] #configure Networking to notify Compute of network topology changes
auth_url = http://controller:35357
auth_plugin = password
project_domain_id = default
user_domain_id = default
region_name = RegionOne
project_name = service
username = nova
password = 123456
[oslo_concurrency]
lock_path = /var/lib/neutron/tmp #configure the lock path
[oslo_messaging_rabbit] #configure RabbitMQ message queue access
rabbit_host = controller
rabbit_userid = openstack
rabbit_password = 123456
[root@controller ~]# grep "^[a-z]" -B 1 /etc/neutron/plugins/ml2/ml2_conf.ini #edit the /etc/neutron/plugins/ml2/ml2_conf.ini file
[ml2]
type_drivers = flat,vlan,vxlan #enable flat, VLAN and VXLAN networks
tenant_network_types = vxlan #enable VXLAN project (private) networks; the Linux bridge agent only supports VXLAN overlay networks
mechanism_drivers = linuxbridge,l2population #enable the Linux bridge and layer-2 population mechanisms
extension_drivers = port_security #enable the port security extension driver
[ml2_type_flat]
flat_networks = public #configure the public flat provider network
[ml2_type_vxlan]
vni_ranges = 1:1000 #configure the VXLAN network identifier range for private networks
[securitygroup]
enable_ipset = True #enable ipset to increase the efficiency of security group rules
[root@controller ~]# grep "^[a-z]" -B 1 /etc/neutron/plugins/ml2/linuxbridge_agent.ini #edit the /etc/neutron/plugins/ml2/linuxbridge_agent.ini file
[linux_bridge]
physical_interface_mappings = public:ens32 #map the public virtual network to the public physical network interface
[vxlan] #enable VXLAN overlay networks, configure the IP address of the physical network interface that handles overlay networks, and enable layer-2 population
enable_vxlan = True
local_ip = 192.168.1.101
l2_population = True
[agent]
prevent_arp_spoofing = True #enable ARP spoofing protection
[securitygroup] #enable security groups and configure the Linux bridge iptables firewall driver
enable_security_group = True
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
[root@controller ~]# grep "^[a-z]" -B 1 /etc/neutron/l3_agent.ini #edit the /etc/neutron/l3_agent.ini file
[DEFAULT] #configure the Linux bridge interface driver and the external network bridge
interface_driver = neutron.agent.linux.interface.BridgeInterfaceDriver
external_network_bridge = #intentionally left without a value so that multiple external networks can be enabled on a single agent
verbose = True #enable verbose logging
[root@controller ~]# grep "^[a-z]" -B 1 /etc/neutron/dhcp_agent.ini #edit the /etc/neutron/dhcp_agent.ini file
[DEFAULT] #configure the Linux bridge interface driver and the Dnsmasq DHCP driver, and enable isolated metadata so that instances on the public network can reach metadata over the network
interface_driver = neutron.agent.linux.interface.BridgeInterfaceDriver
dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq
enable_isolated_metadata = True
verbose = True
dnsmasq_config_file = /etc/neutron/dnsmasq-neutron.conf #enable the dnsmasq configuration file
[root@controller ~]# grep "^[a-z]" -B 1 /etc/neutron/dnsmasq-neutron.conf #create and edit the /etc/neutron/dnsmasq-neutron.conf file
dhcp-option-force=26,1450
[root@controller ~]# grep "^[a-z]" -B 1 /etc/neutron/metadata_agent.ini
[DEFAULT] #configure access parameters
auth_uri = http://controller:5000
auth_url = http://controller:35357
auth_region = RegionOne
auth_plugin = password
project_domain_id = default
user_domain_id = default
project_name = service
username = neutron
password = 123456
nova_metadata_ip = controller #configure the metadata host
metadata_proxy_shared_secret = 123456 #configure the metadata proxy shared secret; any value you choose
verbose = True
admin_tenant_name = %SERVICE_TENANT_NAME%
admin_user = %SERVICE_USER%
admin_password = %SERVICE_PASSWORD%
[root@controller ~]# ln -s /etc/neutron/plugins/ml2/ml2_conf.ini /etc/neutron/plugin.ini #the Networking service initialization scripts expect a symbolic link /etc/neutron/plugin.ini pointing to the ML2 plug-in configuration file /etc/neutron/plugins/ml2/ml2_conf.ini
[root@controller ~]# su -s /bin/sh -c "neutron-db-manage --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugins/ml2/ml2_conf.ini upgrade head" neutron #populate the database
INFO [alembic.runtime.migration] Context impl MySQLImpl.
INFO [alembic.runtime.migration] Will assume non-transactional DDL.
Running upgrade for neutron ...
INFO [alembic.runtime.migration] Context impl MySQLImpl.
INFO [alembic.runtime.migration] Will assume non-transactional DDL.
INFO [alembic.runtime.migration] Running upgrade -> juno, juno_initial
INFO [alembic.runtime.migration] Running upgrade juno -> 44621190bc02, add_uniqueconstraint_ipavailability_ranges
INFO [alembic.runtime.migration] Running upgrade 44621190bc02 -> 1f71e54a85e7, ml2_network_segments models change for multi-segment network.
INFO [alembic.runtime.migration] Running upgrade 1f71e54a85e7 -> 408cfbf6923c, remove ryu plugin
INFO [alembic.runtime.migration] Running upgrade 408cfbf6923c -> 28c0ffb8ebbd, remove mlnx plugin
INFO [alembic.runtime.migration] Running upgrade 28c0ffb8ebbd -> 57086602ca0a, scrap_nsx_adv_svcs_models
INFO [alembic.runtime.migration] Running upgrade 57086602ca0a -> 38495dc99731, ml2_tunnel_endpoints_table
INFO [alembic.runtime.migration] Running upgrade 38495dc99731 -> 4dbe243cd84d, nsxv
INFO [alembic.runtime.migration] Running upgrade 4dbe243cd84d -> 41662e32bce2, L3 DVR SNAT mapping
INFO [alembic.runtime.migration] Running upgrade 41662e32bce2 -> 2a1ee2fb59e0, Add mac_address unique constraint
INFO [alembic.runtime.migration] Running upgrade 2a1ee2fb59e0 -> 26b54cf9024d, Add index on allocated
INFO [alembic.runtime.migration] Running upgrade 26b54cf9024d -> 14be42f3d0a5, Add default security group table
INFO [alembic.runtime.migration] Running upgrade 14be42f3d0a5 -> 16cdf118d31d, extra_dhcp_options IPv6 support
INFO [alembic.runtime.migration] Running upgrade 16cdf118d31d -> 43763a9618fd, add mtu attributes to network
INFO [alembic.runtime.migration] Running upgrade 43763a9618fd -> bebba223288, Add vlan transparent property to network
INFO [alembic.runtime.migration] Running upgrade bebba223288 -> 4119216b7365, Add index on tenant_id column
INFO [alembic.runtime.migration] Running upgrade 4119216b7365 -> 2d2a8a565438, ML2 hierarchical binding
INFO [alembic.runtime.migration] Running upgrade 2d2a8a565438 -> 2b801560a332, Remove Hyper-V Neutron Plugin
INFO [alembic.runtime.migration] Running upgrade 2b801560a332 -> 57dd745253a6, nuage_kilo_migrate
INFO [alembic.runtime.migration] Running upgrade 57dd745253a6 -> f15b1fb526dd, Cascade Floating IP Floating Port deletion
INFO [alembic.runtime.migration] Running upgrade f15b1fb526dd -> 341ee8a4ccb5, sync with cisco repo
INFO [alembic.runtime.migration] Running upgrade 341ee8a4ccb5 -> 35a0f3365720, add port-security in ml2
INFO [alembic.runtime.migration] Running upgrade 35a0f3365720 -> 1955efc66455, weight_scheduler
INFO [alembic.runtime.migration] Running upgrade 1955efc66455 -> 51c54792158e, Initial operations for subnetpools
INFO [alembic.runtime.migration] Running upgrade 51c54792158e -> 589f9237ca0e, Cisco N1kv ML2 driver tables
INFO [alembic.runtime.migration] Running upgrade 589f9237ca0e -> 20b99fd19d4f, Cisco UCS Manager Mechanism Driver
INFO [alembic.runtime.migration] Running upgrade 20b99fd19d4f -> 034883111f, Remove allow_overlap from subnetpools
INFO [alembic.runtime.migration] Running upgrade 034883111f -> 268fb5e99aa2, Initial operations in support of subnet allocation from a pool
INFO [alembic.runtime.migration] Running upgrade 268fb5e99aa2 -> 28a09af858a8, Initial operations to support basic quotas on prefix space in a subnet pool
INFO [alembic.runtime.migration] Running upgrade 28a09af858a8 -> 20c469a5f920, add index for port
INFO [alembic.runtime.migration] Running upgrade 20c469a5f920 -> kilo, kilo
INFO [alembic.runtime.migration] Running upgrade kilo -> 354db87e3225, nsxv_vdr_metadata.py
INFO [alembic.runtime.migration] Running upgrade 354db87e3225 -> 599c6a226151, neutrodb_ipam
INFO [alembic.runtime.migration] Running upgrade 599c6a226151 -> 52c5312f6baf, Initial operations in support of address scopes
INFO [alembic.runtime.migration] Running upgrade 52c5312f6baf -> 313373c0ffee, Flavor framework
INFO [alembic.runtime.migration] Running upgrade 313373c0ffee -> 8675309a5c4f, network_rbac
INFO [alembic.runtime.migration] Running upgrade kilo -> 30018084ec99, Initial no-op Liberty contract rule.
INFO [alembic.runtime.migration] Running upgrade 30018084ec99 -> 4ffceebfada, network_rbac
INFO [alembic.runtime.migration] Running upgrade 4ffceebfada -> 5498d17be016, Drop legacy OVS and LB plugin tables
INFO [alembic.runtime.migration] Running upgrade 5498d17be016 -> 2a16083502f3, Metaplugin removal
INFO [alembic.runtime.migration] Running upgrade 2a16083502f3 -> 2e5352a0ad4d, Add missing foreign keys
INFO [alembic.runtime.migration] Running upgrade 2e5352a0ad4d -> 11926bcfe72d, add geneve ml2 type driver
INFO [alembic.runtime.migration] Running upgrade 11926bcfe72d -> 4af11ca47297, Drop cisco monolithic tables
INFO [alembic.runtime.migration] Running upgrade 8675309a5c4f -> 45f955889773, quota_usage
INFO [alembic.runtime.migration] Running upgrade 45f955889773 -> 26c371498592, subnetpool hash
INFO [alembic.runtime.migration] Running upgrade 26c371498592 -> 1c844d1677f7, add order to dnsnameservers
INFO [alembic.runtime.migration] Running upgrade 1c844d1677f7 -> 1b4c6e320f79, address scope support in subnetpool
INFO [alembic.runtime.migration] Running upgrade 1b4c6e320f79 -> 48153cb5f051, qos db changes
INFO [alembic.runtime.migration] Running upgrade 48153cb5f051 -> 9859ac9c136, quota_reservations
INFO [alembic.runtime.migration] Running upgrade 9859ac9c136 -> 34af2b5c5a59, Add dns_name to Port
OK
[root@controller ~]# systemctl restart openstack-nova-api.service #restart the Compute API service
#start the Networking services and configure them to start at boot (for all networking options)
[root@controller ~]# systemctl enable neutron-server.service neutron-linuxbridge-agent.service neutron-dhcp-agent.service neutron-metadata-agent.service
[root@controller ~]# systemctl start neutron-server.service neutron-linuxbridge-agent.service neutron-dhcp-agent.service neutron-metadata-agent.service neutron-l3-agent.service
For networking option 2, also enable and start the layer-3 service:
[root@controller ~]# systemctl enable neutron-l3-agent.service
[root@controller ~]# systemctl start neutron-l3-agent.service
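The metadata_proxy_shared_secret set in the [neutron] section of /etc/nova/nova.conf and in the [DEFAULT] section of /etc/neutron/metadata_agent.ini is what nova-api uses to authenticate instance metadata requests relayed by the proxy, so the two values must match and should not be a guessable placeholder like the 123456 used throughout this lab. The following POSIX sh script is an added example (not part of the original post) that reads the key from both files and reports a mismatch or a weak value; the sample files it writes to a scratch directory, the small deny list of placeholder values and the 16-character minimum are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): cross-check metadata_proxy_shared_secret
# between nova.conf ([neutron]) and metadata_agent.ini ([DEFAULT]).

# ini_get FILE SECTION KEY -> prints the value of KEY in SECTION (trailing " #comment" stripped)
ini_get() {
    awk -v sec="[$2]" -v key="$3" '
        /^\[/ { h = $0; sub(/\].*/, "]", h); insec = (h == sec); next }
        insec && /=/ {
            k = $0; sub(/=.*/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) {
                v = $0; sub(/^[^=]*=/, "", v); sub(/[ \t]+#.*/, "", v)
                gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit
            }
        }' "$1"
}

# is_weak_secret VALUE -> true (0) when the value is empty, shorter than 16 characters,
# or on a small deny list of common placeholders (list and length are assumptions)
is_weak_secret() {
    case "$1" in
        ""|123456|password|secret|changeme|openstack) return 0 ;;
    esac
    [ "${#1}" -lt 16 ]
}

# check_metadata_secret NOVA_CONF METADATA_AGENT_INI
# exit status: 0 = secrets match and look strong, 1 = mismatch, 2 = match but weak
check_metadata_secret() {
    nova_secret=$(ini_get "$1" neutron metadata_proxy_shared_secret)
    agent_secret=$(ini_get "$2" DEFAULT metadata_proxy_shared_secret)
    if [ "$nova_secret" != "$agent_secret" ]; then
        echo "MISMATCH: nova.conf and metadata_agent.ini disagree on metadata_proxy_shared_secret" >&2
        return 1
    fi
    if is_weak_secret "$nova_secret"; then
        echo "WEAK: metadata_proxy_shared_secret should be a long random value on both sides" >&2
        return 2
    fi
    echo "OK: metadata_proxy_shared_secret matches and looks strong"
}

# Constructed sample files mirroring the lab layout, in which both sides use 123456.
demo_dir=$(mktemp -d)
cat > "$demo_dir/nova.conf" <<'EOF'
[DEFAULT]
my_ip = 192.168.1.101
[neutron]
service_metadata_proxy = True
metadata_proxy_shared_secret = 123456
EOF
cat > "$demo_dir/metadata_agent.ini" <<'EOF'
[DEFAULT]
nova_metadata_ip = controller
metadata_proxy_shared_secret = 123456
EOF
check_metadata_secret "$demo_dir/nova.conf" "$demo_dir/metadata_agent.ini" || echo "exit status $?"
```

On a real controller, run check_metadata_secret /etc/nova/nova.conf /etc/neutron/metadata_agent.ini after editing either file and before restarting the services; the same ini_get helper can read any other key whose value has to agree across files, such as rabbit_password.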
compute1 (compute node):
[root@compute1 ~]# yum install openstack-neutron openstack-neutron-linuxbridge ebtables ipset -y
Configure the common Networking components: the configuration covers the authentication mechanism, message queue and plug-in.
[root@compute1 ]# grep "^[a-z]" -B 1 /etc/neutron/neutron.conf
[DEFAULT]
rpc_backend = rabbit #configure RabbitMQ message queue access
auth_strategy = keystone #configure Identity service access; comment out or remove any other options in [keystone_authtoken]
verbose = True
[keystone_authtoken] #configure Identity service access
auth_uri = http://controller:5000
auth_url = http://controller:35357
auth_plugin = password
project_domain_id = default
user_domain_id = default
project_name = service
username = neutron
password = 123456
[oslo_concurrency]
lock_path = /var/lib/neutron/tmp #configure the lock path
[oslo_messaging_rabbit] #configure RabbitMQ message queue access
rabbit_host = controller
rabbit_userid = openstack
rabbit_password = 123456
Configure the Linux bridge agent
[root@compute1 ]# grep "^[a-z]" -B 1 /etc/neutron/plugins/ml2/linuxbridge_agent.ini
[linux_bridge]
physical_interface_mappings = public:eth0 #map the public virtual network to the public physical network interface
[vxlan] #enable VXLAN overlay networks, configure the IP address of the physical network interface that handles overlay networks, and enable layer-2 population
enable_vxlan = True
local_ip = 192.168.1.102
l2_population = True
[agent]
prevent_arp_spoofing = True #enable ARP spoofing protection
[securitygroup] #enable security groups and configure the Linux bridge iptables firewall driver
enable_security_group = True
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
[root@compute1 ~]# systemctl restart openstack-nova-compute.service #restart the Compute service
[root@compute1 ~]# systemctl enable neutron-linuxbridge-agent.service #start the Linux bridge agent and configure it to start at boot
[root@compute1 ~]# systemctl start neutron-linuxbridge-agent.service
Verification:
On controller (the control node):
[root@controller ~]# source admin-openrc.sh #source the admin credentials to gain access to admin-only CLI commands
[root@controller ~]# neutron ext-list #list the loaded extensions to verify that the neutron-server process started successfully
+-----------------------+-----------------------------------------------+
| alias | name |
+-----------------------+-----------------------------------------------+
| dns-integration | DNS Integration |
| ext-gw-mode | Neutron L3 Configurable external gateway mode |
| binding | Port Binding |
| agent | agent |
| subnet_allocation | Subnet Allocation |
| l3_agent_scheduler | L3 Agent Scheduler |
| external-net | Neutron external network |
| flavors | Neutron Service Flavors |
| net-mtu | Network MTU |
| quotas | Quota management support |
| l3-ha | HA Router extension |
| provider | Provider Network |
| multi-provider | Multi Provider Network |
| extraroute | Neutron Extra Route |
| router | Neutron L3 Router |
| extra_dhcp_opt | Neutron Extra DHCP opts |
| security-group | security-group |
| dhcp_agent_scheduler | DHCP Agent Scheduler |
| rbac-policies | RBAC Policies |
| port-security | Port Security |
| allowed-address-pairs | Allowed Address Pairs |
| dvr | Distributed Virtual Router |
+-----------------------+-----------------------------------------------+
[root@controller ~]# neutron agent-list #list the agents to verify that the neutron agents started successfully; the output should show four agents on the controller node and one agent on each compute node
+--------------------------------------+--------------------+------------+-------+----------------+---------------------------+
| id | agent_type | host | alive | admin_state_up | binary |
+--------------------------------------+--------------------+------------+-------+----------------+---------------------------+
| 186d2121-3fe5-49b6-b462-fe404afb159e | Linux bridge agent | controller | :-) | True | neutron-linuxbridge-agent |
| 73aa6284-ac78-4859-80df-2334bcd71736 | Metadata agent | controller | :-) | True | neutron-metadata-agent |
| 7424c397-481e-49c8-a8df-71d68e7c3b29 | L3 agent | controller | :-) | True | neutron-l3-agent |
| 8d555ed3-5612-4af2-8119-7e53145a9b03 | DHCP agent | controller | :-) | True | neutron-dhcp-agent |
| d6f66209-5155-4303-87e7-275dec0e792a | Linux bridge agent | compute1 | :-) | True | neutron-linuxbridge-agent |
+--------------------------------------+--------------------+------------+-------+----------------+---------------------------+
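Reading the alive column by eye works for five agents, but a deployment with many compute nodes needs the "four on the controller, one per compute node" check automated, and an agent that stops reporting (for example after a RabbitMQ credential change) is what breaks security group enforcement and DHCP without any error on the API side. The POSIX sh functions below are an added example, not part of the original post: they parse a saved neutron agent-list table, print every agent whose alive column is not ":-)", and count agents per host. The table embedded in the script is constructed from the page's output with the compute1 row deliberately marked down.

```shell
#!/bin/sh
# Added example (not from the original post): health check over a saved
# `neutron agent-list` table in the format shown above.

# agent_health FILE -> prints "host binary" for each agent not reported alive (":-)");
# exit status 0 when every agent is alive, 1 otherwise
agent_health() {
    awk -F'|' '
        /^\+/ || NF < 8 { next }                 # skip border lines and non-row lines
        {
            for (i = 2; i <= 7; i++) gsub(/^ +| +$/, "", $i)   # trim each cell
            if ($2 == "id") next                 # header row
            if ($5 != ":-)") { print $4, $7; down++ }
        }
        END { exit (down > 0) }' "$1"
}

# agent_count FILE HOST -> prints the number of agent rows whose host column equals HOST
agent_count() {
    awk -F'|' -v host="$2" '
        /^\+/ || NF < 8 { next }
        { gsub(/^ +| +$/, "", $4); if ($4 == host) n++ }
        END { print n + 0 }' "$1"
}

# Constructed sample: the page's agent list with the compute1 agent marked as not alive.
sample=$(mktemp)
cat > "$sample" <<'EOF'
+--------------------------------------+--------------------+------------+-------+----------------+---------------------------+
| id                                   | agent_type         | host       | alive | admin_state_up | binary                    |
+--------------------------------------+--------------------+------------+-------+----------------+---------------------------+
| 186d2121-3fe5-49b6-b462-fe404afb159e | Linux bridge agent | controller | :-)   | True           | neutron-linuxbridge-agent |
| 73aa6284-ac78-4859-80df-2334bcd71736 | Metadata agent     | controller | :-)   | True           | neutron-metadata-agent    |
| 7424c397-481e-49c8-a8df-71d68e7c3b29 | L3 agent           | controller | :-)   | True           | neutron-l3-agent          |
| 8d555ed3-5612-4af2-8119-7e53145a9b03 | DHCP agent         | controller | :-)   | True           | neutron-dhcp-agent        |
| d6f66209-5155-4303-87e7-275dec0e792a | Linux bridge agent | compute1   | xxx   | True           | neutron-linuxbridge-agent |
+--------------------------------------+--------------------+------------+-------+----------------+---------------------------+
EOF

agent_health "$sample" || echo "at least one neutron agent is down"
echo "controller agents: $(agent_count "$sample" controller)"
echo "compute1 agents: $(agent_count "$sample" compute1)"
```

On the controller, save the live output first (neutron agent-list > /tmp/agents.txt) and then run agent_health /tmp/agents.txt; a non-zero exit status makes the check usable from cron or a monitoring wrapper, and agent_count lets the same wrapper assert the expected count for each host.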


IX. Launch an instance
Create the virtual networks
Before creating a private project network, you must create the public network. (Before launching an instance, you must create the necessary virtual network infrastructure. For networking option 1, an instance uses a public provider virtual network that connects to the physical network infrastructure via layer-2 (bridging/switching). This network includes a DHCP server that provides IP addresses to instances. The admin or another privileged user must create this network because it connects directly to the physical network infrastructure.)
Create the public network
[root@controller ~]# source admin-openrc.sh #source the admin credentials to gain access to admin-only CLI commands
[root@controller ~]# neutron net-create public --shared --provider:physical_network public --provider:network_type flat #create the network
Created a new network:
+---------------------------+--------------------------------------+
| Field | Value |
+---------------------------+--------------------------------------+
| admin_state_up | True |
| id | 5fc60cce-0943-4844-b9e2-c768af2ea302 |
| mtu | 0 |
| name | public |
| port_security_enabled | True |
| provider:network_type | flat |
| provider:physical_network | public |
| provider:segmentation_id | |
| router:external | False |
| shared | True |
| status | ACTIVE |
| subnets | |
| tenant_id | e5f65d198e594c9f8a8db29a6a9d01a7 |
+---------------------------+--------------------------------------+
[root@controller ~]# neutron subnet-create public 192.168.1.0/24 --name public --allocation-pool start=192.168.1.220,end=192.168.1.250 --dns-nameserver 114.114.114.114 --gateway 192.168.1.1 #create a subnet on the network
Created a new subnet:
+-------------------+----------------------------------------------------+
| Field | Value |
+-------------------+----------------------------------------------------+
| allocation_pools | {"start": "192.168.1.220", "end": "192.168.1.250"} |
| cidr | 192.168.1.0/24 |
| dns_nameservers | 192.168.1.1 |
| enable_dhcp | True |
| gateway_ip | 192.168.1.1 |
| host_routes | |
| id | ac92ba15-daef-4bc3-a353-ed1325c85844 |
| ip_version | 4 |
| ipv6_address_mode | |
| ipv6_ra_mode | |
| name | public |
| network_id | 5fc60cce-0943-4844-b9e2-c768af2ea302 |
| subnetpool_id | |
| tenant_id | e5f65d198e594c9f8a8db29a6a9d01a7 |
+-------------------+----------------------------------------------------+
Create the private project network
[root@controller ~]# source demo-openrc.sh #source the demo credentials to gain access to the commands this user may run
[root@controller ~]# neutron net-create private #create the network; non-privileged users generally cannot supply additional parameters to this command
Created a new network:
+-----------------------+--------------------------------------+
| Field | Value |
+-----------------------+--------------------------------------+
| admin_state_up | True |
| id | ce8a6c38-5a84-47c0-b058-9bdd8b67e179 |
| mtu | 0 |
| name | private |
| port_security_enabled | True |
| router:external | False |
| shared | False |
| status | ACTIVE |
| subnets | |
| tenant_id | a152b2b891a147dfa3068d66311ad0c3 |
+-----------------------+--------------------------------------+
[root@controller ~]# neutron subnet-create private 172.16.1.0/24 --name private --dns-nameserver 114.114.114.114 --gateway 172.16.1.1 #create a subnet on the network
Created a new subnet:
+-------------------+------------------------------------------------+
| Field | Value |
+-------------------+------------------------------------------------+
| allocation_pools | {"start": "172.16.1.2", "end": "172.16.1.254"} |
| cidr | 172.16.1.0/24 |
| dns_nameservers | 114.114.114.114 |
| enable_dhcp | True |
| gateway_ip | 172.16.1.1 |
| host_routes | |
| id | 91f26704-6ead-4d73-870e-115dd8377998 |
| ip_version | 4 |
| ipv6_address_mode | |
| ipv6_ra_mode | |
| name | private |
| network_id | ce8a6c38-5a84-47c0-b058-9bdd8b67e179 |
| subnetpool_id | |
| tenant_id | a152b2b891a147dfa3068d66311ad0c3 |
+-------------------+------------------------------------------------+
Create the router
[root@controller ~]# source admin-openrc.sh #source the admin credentials to gain access to admin-only CLI commands
[root@controller ~]# neutron net-update public --router:external #add the router:external attribute to the public network
Updated network: public
[root@controller ~]# source demo-openrc.sh #source the demo credentials to gain access to the commands this user may run
[root@controller ~]# neutron router-create router #create the router
Created a new router:
+-----------------------+--------------------------------------+
| Field | Value |
+-----------------------+--------------------------------------+
| admin_state_up | True |
| external_gateway_info | |
| id | 649c8cfc-e117-4105-b55d-cd9214792ae3 |
| name | router |
| routes | |
| status | ACTIVE |
| tenant_id | a152b2b891a147dfa3068d66311ad0c3 |
+-----------------------+--------------------------------------+
[root@controller ~]# neutron router-interface-add router private #add the private network subnet as an interface on the router
Added interface 65404353-b387-4243-81b8-a2cbeb5b6b4d to router router.
[root@controller ~]# neutron router-gateway-set router public #set a gateway on the public network for the router
Set gateway for router router
Verification
[root@controller ~]# source admin-openrc.sh #source the admin credentials to gain access to admin-only CLI commands
[root@controller ~]# ip netns #list network namespaces; you should see one qrouter namespace and two qdhcp namespaces
qrouter-649c8cfc-e117-4105-b55d-cd9214792ae3 (id: 2)
qdhcp-ce8a6c38-5a84-47c0-b058-9bdd8b67e179 (id: 1)
qdhcp-5fc60cce-0943-4844-b9e2-c768af2ea302 (id: 0)
[root@controller ~]# neutron router-port-list router #list ports on the router to determine the gateway IP address on the public network
+--------------------------------------+------+-------------------+--------------------------------------------------------------------------------------+
| id | name | mac_address | fixed_ips |
+--------------------------------------+------+-------------------+--------------------------------------------------------------------------------------+
| 65404353-b387-4243-81b8-a2cbeb5b6b4d | | fa:16:3e:a2:c5:29 | {"subnet_id": "91f26704-6ead-4d73-870e-115dd8377998", "ip_address": "172.16.1.1"} |
| d3d1023b-5cfc-473b-ace9-84e25a6cfdba | | fa:16:3e:15:19:d1 | {"subnet_id": "ac92ba15-daef-4bc3-a353-ed1325c85844", "ip_address": "192.168.1.201"} |
+--------------------------------------+------+-------------------+--------------------------------------------------------------------------------------+
[root@controller ~]# ping -c 4 192.168.1.221 #ping this IP address from the controller node or any host on the public physical network
PING 192.168.1.201 (192.168.1.221) 56(84) bytes of data.
64 bytes from 192.168.1.221: icmp_seq=1 ttl=64 time=0.293 ms
64 bytes from 192.168.1.221: icmp_seq=2 ttl=64 time=0.066 ms
64 bytes from 192.168.1.221: icmp_seq=3 ttl=64 time=0.120 ms
64 bytes from 192.168.1.221: icmp_seq=4 ttl=64 time=0.065 ms
--- 192.168.1.221 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3000ms
rtt min/avg/max/mdev = 0.065/0.136/0.293/0.093 ms
Generate a key pair
[root@controller ~]# source demo-openrc.sh
[root@controller ~]# ssh-keygen -q -N "" #you can skip ssh-keygen and use an existing public key instead
Enter file in which to save the key (/root/.ssh/id_rsa):
[root@controller ~]# nova keypair-add --pub-key ~/.ssh/id_rsa.pub mykey #generate and add the key pair
[root@controller ~]# nova keypair-list #verify that the public key was added
+-------+-------------------------------------------------+
| Name | Fingerprint |
+-------+-------------------------------------------------+
| mykey | 18:29:30:72:2d:e3:02:e5:a0:79:ea:09:8e:1b:a8:ae |
+-------+-------------------------------------------------+
Add security group rules (by default, the default security group applies to all instances and includes firewall rules that deny remote access to instances. Permitting at least ICMP (ping) and secure shell (SSH) is recommended.)
[root@controller ~]# nova secgroup-add-rule default icmp -1 -1 0.0.0.0/0 #permit ICMP (ping)
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range | Source Group |
+-------------+-----------+---------+-----------+--------------+
| icmp | -1 | -1 | 0.0.0.0/0 | |
+-------------+-----------+---------+-----------+--------------+
[root@controller ~]# nova secgroup-add-rule default tcp 22 22 0.0.0.0/0 #permit secure shell (SSH) access
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range | Source Group |
+-------------+-----------+---------+-----------+--------------+
| tcp | 22 | 22 | 0.0.0.0/0 | |
+-------------+-----------+---------+-----------+--------------+
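Both rules above use 0.0.0.0/0 as the source, which is fine for a lab on an isolated management network but means every instance in the default group accepts SSH from anywhere the provider network is reachable. The POSIX sh function below is an added example (not part of the original post) that audits a rule table in the format nova prints above and reports TCP/UDP rules open to the world, so the finding can be tied to the specific rule to tighten; the embedded rule table is constructed, and the restricted alternative it contains uses the page's management subnet 192.168.1.0/24 only as an illustration.

```shell
#!/bin/sh
# Added example (not from the original post): flag security-group rules that accept
# TCP/UDP traffic from any source, using the table format printed by nova secgroup-add-rule
# (the same column layout as nova secgroup-list-rules).

# world_open_rules FILE -> prints "proto from-to cidr" for each TCP/UDP rule whose IP Range
# is 0.0.0.0/0 or ::/0; exit status 0 when there are none, 1 when at least one exists.
# ICMP rules are not reported because the page opens ICMP on purpose.
world_open_rules() {
    awk -F'|' '
        /^\+/ || NF < 7 { next }                    # skip border lines and non-row lines
        {
            for (i = 2; i <= 6; i++) gsub(/^ +| +$/, "", $i)   # trim each cell
            if ($2 == "IP Protocol") next           # header row
            if (($2 == "tcp" || $2 == "udp") && ($5 == "0.0.0.0/0" || $5 == "::/0")) {
                print $2, $3 "-" $4, $5; n++
            }
        }
        END { exit (n > 0) }' "$1"
}

# Constructed sample: the two rules added on the page plus a restricted SSH rule that
# only admits the management subnet (192.168.1.0/24, taken from the lab layout).
rules=$(mktemp)
cat > "$rules" <<'EOF'
+-------------+-----------+---------+----------------+--------------+
| IP Protocol | From Port | To Port | IP Range       | Source Group |
+-------------+-----------+---------+----------------+--------------+
| icmp        | -1        | -1      | 0.0.0.0/0      |              |
| tcp         | 22        | 22      | 0.0.0.0/0      |              |
| tcp         | 22        | 22      | 192.168.1.0/24 |              |
+-------------+-----------+---------+----------------+--------------+
EOF

if world_open_rules "$rules"; then
    echo "no TCP/UDP rules are open to the world"
else
    echo "the rules listed above accept traffic from any source; consider restricting IP Range to the subnet that needs access"
fi
```

To audit the live group, save its rules first (nova secgroup-list-rules default > /tmp/default-rules.txt) and run world_open_rules /tmp/default-rules.txt; the reported rule can then be replaced by one whose IP Range is the administrative subnet rather than 0.0.0.0/0.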
# A flavor specifies the virtual resource allocation profile of an instance: vCPUs, memory and storage.
[root@controller ~]# source demo-openrc.sh
[root@controller ~]# nova flavor-list    # list the available flavors; this walkthrough uses m1.tiny
+----+-----------+-----------+------+-----------+------+-------+-------------+-----------+
| ID | Name      | Memory_MB | Disk | Ephemeral | Swap | VCPUs | RXTX_Factor | Is_Public |
+----+-----------+-----------+------+-----------+------+-------+-------------+-----------+
| 1  | m1.tiny   | 512       | 1    | 0         |      | 1     | 1.0         | True      |
| 2  | m1.small  | 2048      | 20   | 0         |      | 1     | 1.0         | True      |
| 3  | m1.medium | 4096      | 40   | 0         |      | 2     | 1.0         | True      |
| 4  | m1.large  | 8192      | 80   | 0         |      | 4     | 1.0         | True      |
| 5  | m1.xlarge | 16384     | 160  | 0         |      | 8     | 1.0         | True      |
+----+-----------+-----------+------+-----------+------+-------+-------------+-----------+
[root@controller ~]# nova image-list    # list the available images
+--------------------------------------+--------+--------+--------+
| ID                                   | Name   | Status | Server |
+--------------------------------------+--------+--------+--------+
| 2df37e06-ed46-4399-b5d0-f643640b6a52 | cirros | ACTIVE |        |
+--------------------------------------+--------+--------+--------+
[root@controller ~]# neutron net-list    # list the networks; note the id of the private network for the --nic option below
+--------------------------------------+---------+-----------------------------------------------------+
| id                                   | name    | subnets                                             |
+--------------------------------------+---------+-----------------------------------------------------+
| 5fc60cce-0943-4844-b9e2-c768af2ea302 | public  | ac92ba15-daef-4bc3-a353-ed1325c85844 192.168.1.0/24 |
| ce8a6c38-5a84-47c0-b058-9bdd8b67e179 | private | 91f26704-6ead-4d73-870e-115dd8377998 172.16.1.0/24  |
+--------------------------------------+---------+-----------------------------------------------------+
[root@controller ~]# nova secgroup-list    # list the security groups
+--------------------------------------+---------+------------------------+
| Id                                   | Name    | Description            |
+--------------------------------------+---------+------------------------+
| 0771996c-9673-4ce0-b6c6-8a890a326295 | default | Default security group |
+--------------------------------------+---------+------------------------+
[root@controller ~]# nova boot --flavor m1.tiny --image cirros --nic net-id=ce8a6c38-5a84-47c0-b058-9bdd8b67e179 --security-group default --key-name mykey private-instance    # launch the instance on the private network with the default security group and the mykey keypair
+--------------------------------------+-----------------------------------------------+
| Property                             | Value                                         |
+--------------------------------------+-----------------------------------------------+
| OS-DCF:diskConfig                    | MANUAL                                        |
| OS-EXT-AZ:availability_zone          |                                               |
| OS-EXT-STS:power_state               | 0                                             |
| OS-EXT-STS:task_state                | scheduling                                    |
| OS-EXT-STS:vm_state                  | building                                      |
| OS-SRV-USG:launched_at               | -                                             |
| OS-SRV-USG:terminated_at             | -                                             |
| accessIPv4                           |                                               |
| accessIPv6                           |                                               |
| adminPass                            | VLYaSAvPAE54                                  |
| config_drive                         |                                               |
| created                              | 2018-02-05T12:43:27Z                          |
| flavor                               | m1.tiny (1)                                   |
| hostId                               |                                               |
| id                                   | de88100a-47f1-4be5-b54d-e14d828e1150          |
| image                                | cirros (2df37e06-ed46-4399-b5d0-f643640b6a52) |
| key_name                             | mykey                                         |
| metadata                             | {}                                            |
| name                                 | private-instance                              |
| os-extended-volumes:volumes_attached | []                                            |
| progress                             | 0                                             |
| security_groups                      | default                                       |
| status                               | BUILD                                         |
| tenant_id                            | a152b2b891a147dfa3068d66311ad0c3              |
| updated                              | 2018-02-05T12:43:27Z                          |
| user_id                              | 182ee839b7584748aedb1cbda6d55ce2              |
+--------------------------------------+-----------------------------------------------+
# adminPass is the instance's initial admin password; treat it, like the VNC console token below, as a secret rather than pasting it into shared logs.
[root@controller ~]# nova list    # check the instance's status
+--------------------------------------+------------------+--------+------------+-------------+--------------------+
| ID                                   | Name             | Status | Task State | Power State | Networks           |
+--------------------------------------+------------------+--------+------------+-------------+--------------------+
| de88100a-47f1-4be5-b54d-e14d828e1150 | private-instance | ACTIVE | -          | Running     | private=172.16.1.3 |
+--------------------------------------+------------------+--------+------------+-------------+--------------------+
[root@controller ~]# nova get-vnc-console private-instance novnc    # get a Virtual Network Computing (VNC) console URL for the instance and open it in a web browser
+-------+---------------------------------------------------------------------------------+
| Type  | Url                                                                             |
+-------+---------------------------------------------------------------------------------+
| novnc | http://controller:6080/vnc_auto.html?token=ffec3792-a83a-4c2e-a138-bac3f8c7595d |
+-------+---------------------------------------------------------------------------------+
Open the URL http://controller:6080/vnc_auto.html?token=ffec3792-a83a-4c2e-a138-bac3f8c7595d    # the browser must be able to resolve the name "controller"; otherwise replace it with the controller's IP address

# The CirrOS image's default login is user "cirros" with password "cubswin:)"


十、Adding the dashboard
The OpenStack Dashboard, better known as Horizon, is a web interface through which cloud administrators and users manage OpenStack resources and services. It drives the OpenStack compute cloud controller through the OpenStack APIs. Horizon's branding can be customised, and it ships a set of core classes and reusable templates and tools.
Install and configure
[root@controller ~]# yum install openstack-dashboard -y
[root@controller ~]# vim /etc/openstack-dashboard/local_settings    # edit the file /etc/openstack-dashboard/local_settings
OPENSTACK_HOST = "controller"    # point the dashboard at the OpenStack services on the controller node
ALLOWED_HOSTS = ['*', ]    # '*' accepts any Host header. This is Django's host-header allowlist, not an access control; in production list the dashboard's real hostnames instead
CACHES = {    # use memcached for session storage and comment out any other session storage configuration
    'default': {
        'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache',
        'LOCATION': 'controller:11211',
    }
}
OPENSTACK_KEYSTONE_DEFAULT_ROLE = "user"    # default role for users created through the dashboard
OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True    # enable the multi-domain model
OPENSTACK_API_VERSIONS = {    # select the service API versions so that the dashboard logs in through the Keystone v3 API
    "identity": 3,
    "volume": 2,
}
TIME_ZONE = "Asia/Shanghai"    # time zone
===================================================
If you chose networking option 1, disable support for layer-3 networking services; with networking option 2 the defaults can stay:
OPENSTACK_NEUTRON_NETWORK = {
    ...
    'enable_router': False,
    'enable_quotas': False,
    'enable_distributed_router': False,
    'enable_ha_router': False,
    'enable_lb': False,
    'enable_firewall': False,
    'enable_vpn': False,
    'enable_fip_topology_check': False,
}
=====================================================
[root@controller ~]# systemctl enable httpd.service memcached.service    # start the web server and the session store, and enable them at boot
[root@controller ~]# systemctl restart httpd.service memcached.service
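local_settings is a Python module, so its top-level assignments can be read without executing it. The script below is an added example, not part of the tutorial or of Horizon: it loads a local_settings fragment with the ast module and flags the settings a reviewer would push back on before exposing the dashboard. ALLOWED_HOSTS, SESSION_COOKIE_SECURE, CSRF_COOKIE_SECURE and DEBUG are standard Django settings that Horizon's local_settings passes through; expecting the cookie flags to be True assumes the dashboard is served over HTTPS. The two embedded fragments are constructed: one reproduces the tutorial's values, the other is a hardened variant with assumed hostnames.

```python
"""Audit a Horizon local_settings fragment for weak settings.

Added example, not part of the tutorial. Top-level assignments are read with
`ast`, never executed, so the script is safe to point at an untrusted copy of
the file. ALLOWED_HOSTS, SESSION_COOKIE_SECURE, CSRF_COOKIE_SECURE and DEBUG
are standard Django settings honoured by Horizon; expecting the cookie flags
to be True assumes the dashboard is served over HTTPS.
"""
import ast

# Constructed fragment reproducing the tutorial's settings.
TUTORIAL_SETTINGS = """
OPENSTACK_HOST = "controller"
ALLOWED_HOSTS = ['*', ]
OPENSTACK_KEYSTONE_DEFAULT_ROLE = "user"
OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True
OPENSTACK_API_VERSIONS = {
    "identity": 3,
    "volume": 2,
}
TIME_ZONE = "Asia/Shanghai"
"""

# Constructed hardened variant; the hostnames are assumptions.
HARDENED_SETTINGS = """
OPENSTACK_HOST = "controller"
ALLOWED_HOSTS = ['controller', 'dashboard.example.internal']
OPENSTACK_KEYSTONE_DEFAULT_ROLE = "user"
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True
"""


def load_settings(source):
    """Return top-level `NAME = <literal>` assignments as a dict without executing the file."""
    settings = {}
    for node in ast.parse(source).body:
        if not (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)):
            continue
        try:
            settings[node.targets[0].id] = ast.literal_eval(node.value)
        except ValueError:
            pass  # value is not a literal (a call, a name, ...); leave it out
    return settings


def audit_settings(settings):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    hosts = settings.get("ALLOWED_HOSTS") or []
    if "*" in hosts:
        findings.append("ALLOWED_HOSTS contains '*': any Host header is accepted; "
                        "list the dashboard's real hostnames instead")
    if settings.get("OPENSTACK_KEYSTONE_DEFAULT_ROLE") == "admin":
        findings.append("OPENSTACK_KEYSTONE_DEFAULT_ROLE is admin: every user created "
                        "through the dashboard becomes an administrator")
    for key in ("SESSION_COOKIE_SECURE", "CSRF_COOKIE_SECURE"):
        if settings.get(key) is not True:
            findings.append(f"{key} is not True: the cookie may be sent over plain HTTP")
    if settings.get("DEBUG") is True:
        findings.append("DEBUG is True: tracebacks and settings are shown to users")
    return findings


def audit_file(path):
    """Audit a local_settings file on disk, e.g. /etc/openstack-dashboard/local_settings."""
    with open(path, encoding="utf-8") as fh:
        return audit_settings(load_settings(fh.read()))


if __name__ == "__main__":
    import sys
    findings = audit_file(sys.argv[1]) if len(sys.argv) > 1 else audit_settings(load_settings(TUTORIAL_SETTINGS))
    for finding in findings or ["no findings"]:
        print("-", finding)
```

Run it with the path to local_settings as the only argument; with no argument it audits the embedded copy of the tutorial's settings, which is flagged for ALLOWED_HOSTS and the two missing cookie flags, while the hardened fragment passes clean.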
Open http://controller/dashboard in a browser (the browser must be able to resolve the name "controller").
Log in as "admin" or "demo" with password 123456.

After logging in:
(screenshot of the dashboard; the image is not reproduced here)

# If the site returns HTTP 500 and the httpd error log shows the following error (screenshot of the log; not reproduced here):

Fix:
[root@controller ~]# grep "WSGIApplicationGroup" -B 1 /etc/httpd/conf.d/openstack-dashboard.conf    # add the line "WSGIApplicationGroup %{GLOBAL}" directly below "WSGISocketPrefix run/wsgi", then restart httpd.service
WSGISocketPrefix run/wsgi
WSGIApplicationGroup %{GLOBAL}
Space is limited, so the remaining steps continue in the follow-up post: CentOS7.4安裝部署openstack [Liberty版] (二).
