DoloresOOO's blog: A long, hands-on guide to deploying the Train release of OpenStack
| hostname | system | host resources | IP |
|---|---|---|---|
| controller | centos7 | 4 GB RAM, 4 cores | 192.168.100.10, 10.10.128.10 |
| compute | centos7 | 2 GB RAM, 2 cores | 192.168.100.20, 10.10.128.20 |
In this lab the management network is 192.168.100.0/24 and can reach the Internet; the provider network is 10.10.128.0/24.
[root@localhost ~]# hostnamectl set-hostname controller
[root@controller ~]# vi /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.100.10 controller
192.168.100.20 compute
[root@localhost ~]# hostnamectl set-hostname compute
[root@compute ~]# vi /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.100.10 controller
192.168.100.20 compute
Test Internet access from the controller node
[root@controller ~]# ping -c 4 g.cn
PING g.cn (203.208.40.79) 56(84) bytes of data.
64 bytes from 203.208.40.79: icmp_seq=1 ttl=128 time=40.1 ms
64 bytes from 203.208.40.79: icmp_seq=2 ttl=128 time=38.5 ms
64 bytes from 203.208.40.79: icmp_seq=3 ttl=128 time=37.7 ms
64 bytes from 203.208.40.79: icmp_seq=4 ttl=128 time=34.9 ms
--- g.cn ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 16259ms
rtt min/avg/max/mdev = 34.985/37.850/40.110/1.867 ms
Test connectivity from the controller node to the compute node
[root@controller ~]# ping -c 4 compute
PING compute (192.168.100.20) 56(84) bytes of data.
64 bytes from compute (192.168.100.20): icmp_seq=1 ttl=64 time=0.601 ms
64 bytes from compute (192.168.100.20): icmp_seq=2 ttl=64 time=0.270 ms
64 bytes from compute (192.168.100.20): icmp_seq=3 ttl=64 time=0.330 ms
64 bytes from compute (192.168.100.20): icmp_seq=4 ttl=64 time=0.302 ms
--- compute ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3002ms
rtt min/avg/max/mdev = 0.270/0.375/0.601/0.133 ms
Test Internet access from the compute node
[root@compute ~]# ping -c 4 g.cn
PING g.cn (203.208.40.79) 56(84) bytes of data.
64 bytes from 203.208.40.79: icmp_seq=1 ttl=128 time=35.6 ms
64 bytes from 203.208.40.79: icmp_seq=2 ttl=128 time=36.2 ms
64 bytes from 203.208.40.79: icmp_seq=3 ttl=128 time=38.7 ms
64 bytes from 203.208.40.79: icmp_seq=4 ttl=128 time=40.1 ms
--- g.cn ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 35.671/37.697/40.113/1.832 ms
Test connectivity from the compute node to the controller node
[root@compute ~]# ping -c 4 controller
PING controller (192.168.100.10) 56(84) bytes of data.
64 bytes from controller (192.168.100.10): icmp_seq=1 ttl=64 time=0.429 ms
64 bytes from controller (192.168.100.10): icmp_seq=2 ttl=64 time=0.293 ms
64 bytes from controller (192.168.100.10): icmp_seq=3 ttl=64 time=0.307 ms
64 bytes from controller (192.168.100.10): icmp_seq=4 ttl=64 time=0.223 ms
--- controller ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3002ms
rtt min/avg/max/mdev = 0.223/0.313/0.429/0.074 ms
controller node
To keep the services on the nodes correctly synchronized, install Chrony, an implementation of NTP. Both nodes synchronize against Alibaba's NTP server time1.aliyun.com.
[root@controller ~]# yum install chrony -y
Edit the file /etc/chrony.conf and delete:
server NTP_SERVER iburst
which in the shipped file actually reads:
server 0.centos.pool.ntp.org iburst
server 1.centos.pool.ntp.org iburst
server 2.centos.pool.ntp.org iburst
server 3.centos.pool.ntp.org iburst
and add:
server time1.aliyun.com iburst
Start the service and enable it at boot:
[root@controller ~]# mkdir /var/run/chrony
[root@controller ~]# systemctl start chronyd
[root@controller ~]# systemctl enable chronyd
compute node
[root@compute ~]# yum install chrony -y
Delete or comment out:
server 0.centos.pool.ntp.org iburst
server 1.centos.pool.ntp.org iburst
server 2.centos.pool.ntp.org iburst
server 3.centos.pool.ntp.org iburst
and add:
server time1.aliyun.com iburst
Start the service and enable it at boot:
[root@compute ~]# mkdir /var/run/chrony
[root@compute ~]# systemctl start chronyd.service
[root@compute ~]# systemctl enable chronyd.service
controller node and compute node
The latest OpenStack release at the moment is Ussuri, which requires CentOS 8. Mine is CentOS 7 and I didn't notice beforehand, so this installation uses the Train release.
[root@controller ~]# yum install centos-release-openstack-train -y
[root@controller ~]# yum upgrade -y
Install a suitable OpenStack client
[root@controller ~]# yum install python-openstackclient -y
Because CentOS enables SELinux by default, install the openstack-selinux package so that the security policies for the OpenStack services are managed automatically:
[root@controller ~]# yum install openstack-selinux -y
[root@compute ~]# yum install openstack-selinux -y
Most OpenStack services use a SQL database to store information. The database usually runs on the controller node; this deployment uses MariaDB.
[root@controller ~]# yum install mariadb mariadb-server python2-PyMySQL -y
Create the file /etc/my.cnf.d/openstack.cnf and add the following content:
[root@controller ~]# touch /etc/my.cnf.d/openstack.cnf
[root@controller ~]# vi /etc/my.cnf.d/openstack.cnf
[mysqld]
bind-address = 192.168.100.10 # this is the controller node's IP
default-storage-engine = innodb
innodb_file_per_table = on
max_connections = 4096
collation-server = utf8_general_ci
character-set-server = utf8
Start the service and enable it at boot
[root@controller ~]# systemctl start mariadb
[root@controller ~]# systemctl enable mariadb
Run the mysql_secure_installation hardening script.
[root@controller ~]# mysql_secure_installation
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!
In order to log into MariaDB to secure it, we'll need the current
password for the root user. If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.
Enter current password for root (enter for none): # just press Enter
OK, successfully used password, moving on...
Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.
Set root password? [Y/n] y #set a root password: y
New password: #enter the password
Re-enter new password: #confirm it
Password updated successfully!
Reloading privilege tables..
... Success!
By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.
Remove anonymous users? [Y/n] y #remove anonymous users: y
... Success!
Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.
Disallow root login remotely? [Y/n] n #disallow remote root login: n
... skipping.
By default, MariaDB comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.
Remove test database and access to it? [Y/n] y #remove the test database (only used for development testing before release; not needed)
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!
Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.
Reload privilege tables now? [Y/n] y #reload the privilege tables: y
... Success!
Cleaning up...
All done! If you've completed all of the above steps, your MariaDB
installation should now be secure.
Thanks for using MariaDB!
OpenStack uses a message queue to coordinate operations and status information between services. The message queue service usually runs on the controller node. This deployment uses RabbitMQ.
Install and configure
[root@controller ~]# yum install rabbitmq-server -y
[root@controller ~]# systemctl start rabbitmq-server
[root@controller ~]# systemctl enable rabbitmq-server
Add an openstack user with the password 000000, then grant it configure, write and read permissions:
[root@controller ~]# rabbitmqctl add_user openstack 000000
Creating user "openstack"
[root@controller ~]# rabbitmqctl set_permissions openstack ".*" ".*" ".*"
Setting permissions for user "openstack" in vhost "/"
The Identity service authentication mechanism used by the services caches tokens in Memcached. The memcached service usually runs on the controller node.
[root@controller ~]# yum install memcached python-memcached -y
Edit /etc/sysconfig/memcached and set: OPTIONS="-l 127.0.0.1,::1,controller"
[root@controller ~]# systemctl start memcached
[root@controller ~]# systemctl enable memcached
The OpenStack Identity service provides a single point of integration for managing authentication, authorization and the service catalog.
The Identity service is usually the first service a user interacts with. Once authenticated, an end user can use their identity to access other OpenStack services. Likewise, other OpenStack services use the Identity service to make sure users are who they say they are and to discover where the other services are located in the deployment. The Identity service can also integrate with some external user management systems (for example LDAP).
Users and services can locate other services through the service catalog managed by the Identity service. The service catalog is the collection of services available in an OpenStack deployment. Each service can have one or more endpoints, and each endpoint can be one of three types: admin, internal or public. In a production environment, the different endpoint types may for security reasons reside on separate networks exposed to different kinds of users.
For example, the public API network might be visible on the Internet so that customers can manage their own clouds. The admin API network might be restricted to operators within the organization that manages the cloud infrastructure. The internal API network might be restricted to the hosts that contain OpenStack services. In addition, OpenStack supports multiple regions for scalability. For simplicity, this guide uses the management network for all endpoint types and the default RegionOne region. Together, the regions, services and endpoints created in the Identity service form the service catalog of the deployment. Every OpenStack service in the deployment needs a service entry with corresponding endpoints stored in the Identity service.
The keystone service consists of the following components:
Server:
provides centralized authentication and authorization services through a RESTful service interface.
Drivers:
drivers, or service back ends, are integrated into the centralized server. They are used to access identity information in repositories external to OpenStack, which may already exist in the infrastructure where OpenStack is deployed.
Modules:
middleware modules run in the address space of the OpenStack components that use the Identity service. These modules intercept service requests, extract the user credentials and send them to the centralized server for authorization. The integration between the middleware modules and the OpenStack components uses the Python Web Server Gateway Interface.
[root@controller ~]# mysql -uroot -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 17
Server version: 10.3.20-MariaDB MariaDB Server
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> create database keystone;
Query OK, 1 row affected (0.001 sec)
Template: GRANT ALL PRIVILEGES ON [database].[table] TO '[user]'@'[localhost or %]' IDENTIFIED BY '[password]';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY '000000';
Query OK, 0 rows affected (0.005 sec)
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY '000000';
Query OK, 0 rows affected (0.000 sec)
[root@controller ~]# yum install openstack-keystone httpd mod_wsgi -y
Edit /etc/keystone/keystone.conf and add the following in the [database] section:
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone
Replace KEYSTONE_DBPASS with the password set in the database, giving:
connection = mysql+pymysql://keystone:000000@controller/keystone
In the [token] section add:
provider = fernet
Then run the following command:
su -s /bin/sh -c "keystone-manage db_sync" keystone
Initialize the Fernet key repository:
The --keystone-user and --keystone-group flags specify the operating-system user and group that will run keystone. These parameters exist so that keystone can be run under a different OS user/group.
[root@controller ~]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
[root@controller ~]# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
[root@controller ~]# keystone-manage bootstrap --bootstrap-password 000000 \
> --bootstrap-admin-url http://controller:5000/v3/ \
> --bootstrap-internal-url http://controller:5000/v3/ \
> --bootstrap-public-url http://controller:5000/v3/ \
> --bootstrap-region-id RegionOne
Set ServerName in the file /etc/httpd/conf/httpd.conf to controller:
ServerName controller
Create a symbolic link to /usr/share/keystone/wsgi-keystone.conf in the httpd configuration directory:
[root@controller ~]# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
[root@controller ~]# systemctl start httpd
[root@controller ~]# systemctl enable httpd
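As an added check that is not part of the original post, the following Python validates the two configuration edits made above on the controller: the [mysqld] bind-address in /etc/my.cnf.d/openstack.cnf and the [database] connection and [token] provider in /etc/keystone/keystone.conf. It parses constructed copies of those files rather than reading the host; the two failure modes it flags, a database bound to all interfaces and a connection string still carrying the KEYSTONE_DBPASS placeholder, are assumptions about common slips, not something the post reports.

```python
import configparser
from urllib.parse import urlsplit

CONTROLLER_IP = "192.168.100.10"  # controller management address used in the post

# Constructed samples reproducing the edits the post makes (not copied from a host).
OPENSTACK_CNF = """\
[mysqld]
bind-address = 192.168.100.10 # this is the controller node's IP
default-storage-engine = innodb
innodb_file_per_table = on
max_connections = 4096
"""
KEYSTONE_CONF = """\
[database]
connection = mysql+pymysql://keystone:000000@controller/keystone
[token]
provider = fernet
"""

def _parse(text: str) -> configparser.ConfigParser:
    # interpolation=None: a '%' inside a connection string must not be expanded;
    # inline '#' comments occur in the post's openstack.cnf
    cp = configparser.ConfigParser(interpolation=None, inline_comment_prefixes=("#",))
    cp.read_string(text)
    return cp

def check_mysql_cnf(text: str) -> list:
    """Flag a MariaDB listener that is wider than the management address."""
    bind = _parse(text).get("mysqld", "bind-address", fallback="")
    if bind in ("", "0.0.0.0", "::", "*"):
        return ["mysqld listens on all interfaces; set bind-address to the controller IP"]
    if bind != CONTROLLER_IP:
        return [f"bind-address {bind} is not the controller management IP"]
    return []

def check_keystone_conf(text: str) -> list:
    """Check the [database] connection URL and the [token] provider."""
    cp = _parse(text)
    issues = []
    url = urlsplit(cp.get("database", "connection", fallback=""))
    if (url.scheme, url.username, url.hostname, url.path) != \
            ("mysql+pymysql", "keystone", "controller", "/keystone"):
        issues.append("connection must be mysql+pymysql://keystone:<password>@controller/keystone")
    if url.password in (None, "", "KEYSTONE_DBPASS"):
        issues.append("connection still carries the KEYSTONE_DBPASS placeholder (or no password)")
    if cp.get("token", "provider", fallback="") != "fernet":
        issues.append("[token] provider must be fernet")
    return issues
```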
[root@controller ~]# vi openstack-admin.sh
export OS_USERNAME=admin
export OS_PASSWORD=000000
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
When needed, run source openstack-admin.sh to load this configuration into the environment
[root@controller ~]# openstack domain create --description "An Example Domain" example
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | An Example Domain |
| enabled | True |
| id | e7a4ef4e82d54dd48d42c4e21373613f |
| name | example |
| options | {} |
| tags | [] |
+-------------+----------------------------------+
[root@controller ~]# openstack project create --domain default --description "Service Project" service
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Service Project |
| domain_id | default |
| enabled | True |
| id | 16ca1d55269d4f16a79662611bd70df3 |
| is_domain | False |
| name | service |
| options | {} |
| parent_id | default |
| tags | [] |
+-------------+----------------------------------+
[root@controller ~]# openstack project create --domain default --description "Demo Project" myproject
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Demo Project |
| domain_id | default |
| enabled | True |
| id | 51f50c3a2a68454a8f2122f90bdad89d |
| is_domain | False |
| name | myproject |
| options | {} |
| parent_id | default |
| tags | [] |
+-------------+----------------------------------+
Create the user myuser
[root@controller ~]# openstack user create --domain default --password-prompt myuser
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | default |
| enabled | True |
| id | 15042e2377d24be2bd831a03842aa775 |
| name | myuser |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+
Create the role myrole
[root@controller ~]# openstack role create myrole
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | None |
| domain_id | None |
| id | 52fd6fcf572d4534a36ea4a640d6e6ea |
| name | myrole |
| options | {} |
+-------------+----------------------------------+
Add the myrole role to the myproject project and the myuser user:
[root@controller ~]# openstack role add --project myproject --user myuser myrole
Request an authentication token as the myuser user
[root@controller ~]# openstack --os-auth-url http://controller:5000/v3 --os-project-domain-name Default --os-user-domain-name Default --os-project-name myproject --os-username myuser token issue
Password:
Password:
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires | 2020-06-28T09:54:31+0000 |
| id | gAAAAABe-FrHunkJlroXcSVjq1zrJ1JCu4oDAGzr7JutjmMgYg3CcUp2kyu-MCyebTu48i0E0ZRSHDLjAOhR7buPHfmlhXjsxgadRZoM_OBhFBUEw1dAaSYterixSDqYGOY2bGf8ovhHapJ4rc3QetifjhzUEd1fOW_pVBfS_qwOYS53f9BLgdE |
| project_id | 51f50c3a2a68454a8f2122f90bdad89d |
| user_id | 15042e2377d24be2bd831a03842aa775 |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
The preceding sections used a combination of environment variables and command options to interact with the Identity service through the openstack client. To make client operations more efficient, OpenStack supports simple client environment scripts, also known as OpenRC files. These scripts usually contain the options common to all clients, and also support client-specific options.
Create admin-openrc
[root@controller ~]# vi admin-openrc
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=000000
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
Create demo-openrc
[root@controller ~]# vi demo-openrc
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=myproject
export OS_USERNAME=myuser
export OS_PASSWORD=000000
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
To run the clients as a specific project and user, simply load the associated client environment script before running them.
Load the admin-openrc file to populate the environment variables with the location of the Identity service and the admin project and user credentials:
[root@controller ~]# . admin-openrc
Request an authentication token
[root@controller ~]# openstack token issue
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires | 2020-06-28T10:00:02+0000 |
| id | gAAAAABe-FwSX8Yi3y4NsHe0B5CujrMvR5L0Ff7oPolybfVouJsSJIvZGiJ1e4Qo2E4jYAVQ0RRoZGh_0yPtQrENnNv-FUwYJVTbDoRwEtp_i6MJ4J4ZDf9GMKkfy4TbB7Jv8FIswiFk0l0NvKPz0YMqp2yZWarQu58qtQ-QELUFl9c_IIl3qGU |
| project_id | 86fc1bb169a443f98fdaf8e2fb25f9cd |
| user_id | d0451d8b9a7245c09d47b85197ccc80c |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
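The two tokens issued above are Fernet tokens (provider = fernet). As an added illustration that is not from the post, this Python reads the parts of such a token that are not encrypted and checks its HMAC. The token string is the one printed for myuser above, the 3600 s lifetime is keystone's default [token] expiration, and the two keys are constructed stand-ins for the files under /etc/keystone/fernet-keys.

```python
import base64
import hashlib
import hmac
import struct
from datetime import datetime, timedelta, timezone

# Token keystone issued to myuser in the post; its header is readable without any key.
MYUSER_TOKEN = (
    "gAAAAABe-FrHunkJlroXcSVjq1zrJ1JCu4oDAGzr7JutjmMgYg3CcUp2kyu-MCyebTu48i0E0ZRS"
    "HDLjAOhR7buPHfmlhXjsxgadRZoM_OBhFBUEw1dAaSYterixSDqYGOY2bGf8ovhHapJ4rc3Qetif"
    "jhzUEd1fOW_pVBfS_qwOYS53f9BLgdE"
)
HEADER_LEN = 1 + 8 + 16  # version byte 0x80, big-endian seconds, AES-CBC IV
MAC_LEN = 32             # HMAC-SHA256 over everything that precedes it
# Constructed demo keys in the format of /etc/keystone/fernet-keys/<n>: 32 bytes,
# urlsafe-base64; the first half signs, the second half encrypts. Not real keys.
DEMO_KEY = base64.urlsafe_b64encode(b"\x11" * 32).decode()
OTHER_KEY = base64.urlsafe_b64encode(b"\x22" * 32).decode()

def _decode(token: str) -> bytes:
    """Keystone strips the '=' padding from issued tokens; restore it first."""
    return base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))

def parse_fernet_token(token: str, lifetime_s: int = 3600) -> dict:
    """Read the plaintext fields; the payload (user, project, audit ids) stays encrypted."""
    raw = _decode(token)
    if len(raw) < HEADER_LEN + MAC_LEN or raw[0] != 0x80:
        raise ValueError("not a Fernet token")
    (ts,) = struct.unpack(">Q", raw[1:9])
    issued = datetime.fromtimestamp(ts, tz=timezone.utc)
    return {
        "issued_at": issued,
        # expiry is not stored in the token; keystone derives it from [token] expiration
        # (3600 s by default), which is why the post's 'expires' is issue time + 1 h
        "expires_at": issued + timedelta(seconds=lifetime_s),
        "iv": raw[9:HEADER_LEN],
        "ciphertext_len": len(raw) - HEADER_LEN - MAC_LEN,  # always a multiple of 16
    }

def mac_valid(token: str, fernet_key_b64: str) -> bool:
    """Verify the HMAC with the signing half of a key. This MAC is all that
    authenticates a token, so the fernet-keys directory must stay keystone-only."""
    key = base64.urlsafe_b64decode(fernet_key_b64)
    raw = _decode(token)
    expected = hmac.new(key[:16], raw[:-MAC_LEN], hashlib.sha256).digest()
    return hmac.compare_digest(expected, raw[-MAC_LEN:])

def sign_token(ts: int, iv: bytes, ciphertext: bytes, fernet_key_b64: str) -> str:
    """Assemble and sign a token body so mac_valid can be exercised on a constructed
    token. The ciphertext is supplied by the caller here; keystone itself produces it
    with AES-128-CBC under the key's second half."""
    key = base64.urlsafe_b64decode(fernet_key_b64)
    body = b"\x80" + struct.pack(">Q", ts) + iv + ciphertext
    mac = hmac.new(key[:16], body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + mac).decode().rstrip("=")
```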
Keystone is a set of internal services exposed on one or more endpoints. Front ends use these services in combination. For example, an authentication call validates the user/project credentials with the Identity service and, on success, uses the Token service to create and return a token.
The Identity service provides authentication credentials and data about users and groups. Normally this data is managed by the Identity service itself, which performs the CRUD (create, read, update, delete) operations on it. In more complex setups the data can be managed by a back end instead; for example, the Identity service can act as a front end to LDAP: the LDAP server performs the authentication, and the Identity service's job is to relay that information accurately.
A User represents a single API consumer. A User must be owned by a specific domain, so user names are not globally unique, only unique within their domain.
A Group is a collection of Users. A Group must be owned by a specific domain, so group names are not globally unique, only unique within their domain.
The Resource service provides data about projects and domains.
A Project is the base unit of ownership in OpenStack: every resource in OpenStack should be owned by a specific Project. A Project must itself be owned by a specific domain, so project names are not globally unique, only unique within their domain. If a Project's domain is not specified, it is added to the default domain.
A Domain contains Projects, Users and Groups, and each domain is unique. Each domain defines a namespace in which an API-visible name attribute exists. Keystone provides a default domain named "Default".
In the Identity v3 API, the uniqueness of attributes is as follows:
domain name: unique across all domains.
role name: unique within the owning domain.
user name: unique within the owning domain.
project name: unique within the owning domain.
group name: unique within the owning domain.
The Assignment service provides data about user and role assignments.
A Role determines the level of authorization an end user obtains. Roles can be granted at the domain or project level, and can be assigned at the individual user or group level. Role names are unique within the owning domain.
An assignment is therefore a triple of Role, Resource and Identity.
Once a user's credentials have been verified, the Token service validates and manages the tokens used to authenticate requests.
The Catalog service provides an endpoint registry used for endpoint discovery.
Keystone is an HTTP front end to these services. Like other OpenStack applications, it is implemented with the Python WSGI interface, and its application is assembled with Paste. The application's HTTP endpoints are composed of a pipeline of WSGI middleware, for example:
[pipeline:api_v3]
pipeline = healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context json_body ec2_extension_v3 s3_extension service_v3
These in turn use subclasses of keystone.common.wsgi.ComposedRouter to link URLs to controllers (subclasses of keystone.common.wsgi.Application). Within each controller one or more managers are loaded; these are thin wrapper classes that load the appropriate service driver according to the keystone configuration.
keystone.assignment.controllers.GrantAssignmentV3
keystone.assignment.controllers.ImpliedRolesV3
keystone.assignment.controllers.ProjectAssignmentV3
keystone.assignment.controllers.TenantAssignment
keystone.assignment.controllers.RoleAssignmentV3
keystone.assignment.controllers.RoleV3
keystone.auth.controllers.Auth
keystone.catalog.controllers.EndpointFilterV3Controller
keystone.catalog.controllers.EndpointGroupV3Controller
keystone.catalog.controllers.EndpointV3
keystone.catalog.controllers.ProjectEndpointGroupV3Controller
keystone.catalog.controllers.RegionV3
keystone.catalog.controllers.ServiceV3
keystone.contrib.ec2.controllers.Ec2ControllerV3
keystone.credential.controllers.CredentialV3
keystone.federation.controllers.IdentityProvider
keystone.federation.controllers.FederationProtocol
keystone.federation.controllers.MappingController
keystone.federation.controllers.Auth
keystone.federation.controllers.DomainV3
keystone.federation.controllers.ProjectAssignmentV3
keystone.federation.controllers.ServiceProvider
keystone.federation.controllers.SAMLMetadataV3