这篇文章是我在2020年初学OpenStack时,亲手整理的纯手搓部署文档。尽管如今已经涌现出许多更为稳定且简便的部署方法,但这份文档对我而言依然具有特殊的意义。它不仅是我学习OpenStack的见证,也记录了我初涉云计算领域的见证。
这个过程并非一帆风顺。我遇到了许多预料之外的挑战和困难。有时候是配置问题让我焦头烂额,有时候是网络设置让我百思不得其解。但正是这些挫折,让我更加深入地了解了OpenStack的架构和工作原理,也让我逐渐掌握了一些解决问题的技巧和方法。
通过不断的摸索和实践,我终于成功地搭建了一个基本的OpenStack环境。这个过程中,我记录下了每一个步骤和细节,形成了这份部署文档。这份文档不仅是我的学习笔记,也是我对OpenStack技术的一次全面梳理和总结。
系统环境初始化
systemctl stop firewalld && systemctl disable firewalld
systemctl disable NetworkManager && systemctl stop NetworkManager
selinux=0 && setenforce 0
sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config
echo "192.168.124.10 openstack" >> /etc/hosts
hostnamectl set-hostname openstack && bash
常用软件包安装
yum -y install curl wget vim chrony
chrony时间同步
vim /etc/chrony.conf
server ntp.aliyun.com
systemctl enable --now chronyd
chronyc sources -v
启用 OpenStack 存储库
yum install centos-release-openstack-train
yum upgrade
yum install -y python-openstackclient \
openstack-selinux
数据库
yum install mariadb mariadb-server python2-PyMySQL -y
add /etc/my.cnf.d/openstack.cnf
[mysqld]
bind-address = host_ip
default-storage-engine = innodb
innodb_file_per_table = on
max_connections = 4096
collation-server = utf8_general_ci
character-set-server = utf8
systemctl enable --now mariadb
[root@localhost ~]# mysql_secure_installation
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!
In order to log into MariaDB to secure it, we'll need the current
password for the root user. If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.
Enter current password for root (enter for none):
OK, successfully used password, moving on...
Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.
Set root password? [Y/n] n #不设置root密码!!!
... skipping.
By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.
Remove anonymous users? [Y/n]
... Success!
Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.
Disallow root login remotely? [Y/n]
... Success!
By default, MariaDB comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.
Remove test database and access to it? [Y/n]
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!
Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.
Reload privilege tables now? [Y/n]
... Success!
Cleaning up...
All done! If you've completed all of the above steps, your MariaDB
installation should now be secure.
Thanks for using MariaDB!
消息队列
yum -y install rabbitmq-server
systemctl enable --now rabbitmq-server
rabbitmqctl add_user openstack RABBIT_PASS #create rabbitmq user
允许用户进行配置、写入和读取访问 openstack:
rabbitmqctl set_permissions openstack ".*" ".*" ".*" #允许用户进行配置、写入和读取访问 openstack:
memcached
yum install memcached python-memcached
edit /etc/sysconfig/memcached
add
OPTIONS="-l 127.0.0.1,::1,openstack" -y
systemctl enable --now memcached
etcd
yum install etcd -y
edit /etc/etcd/etcd.conf
#[Member]
#ETCD_CORS=""
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
#ETCD_WAL_DIR=""
ETCD_LISTEN_PEER_URLS="http://192.168.124.10:2380"
ETCD_LISTEN_CLIENT_URLS="http://192.168.124.10:2379"
#ETCD_MAX_SNAPSHOTS="5"
#ETCD_MAX_WALS="5"
ETCD_NAME="openstack"
#ETCD_SNAPSHOT_COUNT="100000"
#ETCD_HEARTBEAT_INTERVAL="100"
#ETCD_ELECTION_TIMEOUT="1000"
#ETCD_QUOTA_BACKEND_BYTES="0"
#ETCD_MAX_REQUEST_BYTES="1572864"
#ETCD_GRPC_KEEPALIVE_MIN_TIME="5s"
#ETCD_GRPC_KEEPALIVE_INTERVAL="2h0m0s"
#ETCD_GRPC_KEEPALIVE_TIMEOUT="20s"
#
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="http://192.168.124.10:2380"
ETCD_ADVERTISE_CLIENT_URLS="http://192.168.124.10:2379"
#ETCD_DISCOVERY=""
#ETCD_DISCOVERY_FALLBACK="proxy"
#ETCD_DISCOVERY_PROXY=""
#ETCD_DISCOVERY_SRV=""
ETCD_INITIAL_CLUSTER="openstack=http://192.168.124.10:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster-01"
ETCD_INITIAL_CLUSTER_STATE="new
systemctl enable --now etcd
keystone认证服务
CREATE DATABASE keystone;
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
IDENTIFIED BY 'KEYSTONE_DBPASS';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
IDENTIFIED BY 'KEYSTONE_DBPASS';
yum install openstack-keystone httpd mod_wsgi -y
edit /etc/keystone/keystone.conf
[database]</span></span><br /><span role="presentation">connection <span class="cm-operator">=</span> mysql<span class="cm-operator">+</span>pymysql://keystone:KEYSTONE_DBPASS@openstack/keystone<span class="cm-quote">
[token]
provider = fernet
填充数据库
su -s /bin/sh -c "keystone-manage db_sync" keystone
初始化 Fernet 密钥存储库
keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
引导身份服务
keystone-manage bootstrap --bootstrap-password openstack \
--bootstrap-admin-url http://openstack:5000/v3/ \
--bootstrap-internal-url http://openstack:5000/v3/ \
--bootstrap-public-url http://openstack:5000/v3/ \
--bootstrap-region-id RegionOne
替换ADMIN_PASS为适合管理用户的密码。
httpd
vim +95 /etc/httpd/conf/httpd.conf
ServerName openstack
创建/usr/share/keystone/wsgi-keystone.conf文件的链接
ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
systemctl enable --now httpd
通过设置适当的环境变量来配置管理帐户
vim admin-source.sh
export OS_USERNAME=admin
export OS_PASSWORD=ADMIN_PASS
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://openstack:5000/v3
export OS_IDENTITY_API_VERSION=3
创建域、项目、用户和角色
[root@openstack ~]# openstack domain create --description "An Example Domain" example
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | An Example Domain |
| enabled | True |
| id | 3b6ac73e417c473cb0319bc66b172f36 |
| name | example |
| options | {} |
| tags | [] |
+-------------+----------------------------------+
[root@openstack ~]# openstack project create --domain default \
--description "Service Project" service
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Service Project |
| domain_id | default |
| enabled | True |
| id | 4cb1886cb3ec4fcda2825c2a141095d5 |
| is_domain | False |
| name | service |
| options | {} |
| parent_id | default |
| tags | [] |
+-------------+----------------------------------+
验证
-
取消设置临时变量
OS_AUTH_URL和OS_PASSWORD环境变量:unset OS_AUTH_URL OS_PASSWORD -
作为
admin用户,请求一个身份验证令牌:$ openstack --os-auth-url http://openstack:5000/v3 \
--os-project-domain-name Default --os-user-domain-name Default \
--os-project-name admin --os-username admin token issue
Password:
+------------+-----------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------+
| expires | 2016-02-12T20:14:07.056119Z |
| id | gAAAAABWvi7_B8kKQD9wdXac8MoZiQldmjEO643d-e_j-XXq9AmIegIbA7UHGPv |
| | atnN21qtOMjCFWX7BReJEQnVOAj3nclRQgAYRsfSU_MrsuWb4EDtnjU7HEpoBb4 |
| | o6ozsA_NmFWEpLeKy0uNn_WeKbAhYygrsmQGA49dclHVnz-OMVLiyM9ws |
| project_id | 343d245e850143a096806dfaefa9afdc |
| user_id | ac3377633149401296f6c0d92d79dc16 |
+------------+-----------------------------------------------------------------+此命令使用
admin用户的密码。
Glance镜像服务
CREATE DATABASE glance;
GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'localhost' \
IDENTIFIED BY 'GLANCE_DBPASS';
GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'%' \
IDENTIFIED BY 'GLANCE_DBPASS';
创建glance用户
openstack user create --domain default --password-prompt glance
User Password: #与配置文件中的密码同步!!!
Repeat User Password:
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | default |
| enabled | True |
| id | daea02884bfb467fbda13bca8eba5ef9 |
| name | glance |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+
将admin角色添加到glance用户和 service项目
openstack role add --project service --user glance admin
-
-
创建
glance服务实体:[root@openstack ~]# openstack service create --name glance \
--description "OpenStack Image" image
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | OpenStack Image |
| enabled | True |
| id | 30b84633ef5f49f39af25eb3082a2318 |
| name | glance |
| type | image |
+-------------+----------------------------------+
-
-
创建图像服务 API 端点:
[root@openstack ~]# openstack endpoint create --region RegionOne \
image public http://openstack:9292
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 7a2a247254a14f12b1911685e323f259 |
| interface | public |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 30b84633ef5f49f39af25eb3082a2318 |
| service_name | glance |
| service_type | image |
| url | http://openstack:9292 |
+--------------+----------------------------------+
[root@openstack ~]# openstack endpoint create --region RegionOne \
image internal http://openstack:9292
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | ae8be25f54b445c59069b11d34a03449 |
| interface | internal |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 30b84633ef5f49f39af25eb3082a2318 |
| service_name | glance |
| service_type | image |
| url | http://openstack:9292 |
+--------------+----------------------------------+
[root@openstack ~]# openstack endpoint create --region RegionOne \
image admin http://openstack:9292
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 0e45a455f45748e180a3f2d170483ae3 |
| interface | admin |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 30b84633ef5f49f39af25eb3082a2318 |
| service_name | glance |
| service_type | image |
| url | http://openstack:9292 |
+--------------+----------------------------------+
安装 配置组件
-
安装软件包:
# yum install openstack-glance -
编辑
/etc/glance/glance-api.conf文件并完成以下操作:-
在该
[database]部分中,配置数据库访问:[database]
# ...
connection = mysql+pymysql://glance:GLANCE_DBPASS@openstack/glance替换
GLANCE_DBPASS为您为镜像服务数据库选择的密码。 -
在
[keystone_authtoken]和[paste_deploy]部分中,配置身份服务访问:[keystone_authtoken]
# ...
www_authenticate_uri = http://openstack:5000
auth_url = http://openstack:5000
memcached_servers = openstack:11211
auth_type = password
project_domain_name = Default
user_domain_name = Default
project_name = service
username = glance
password = GLANCE_PASS
[paste_deploy]
# ...
flavor = keystone替换为您在身份服务中
GLANCE_PASS为用户选择的密码 。glance注释掉或删除该
[keystone_authtoken]部分中的任何其他选项。 -
在该
[glance_store]部分中,配置本地文件系统存储和图像文件的位置:[glance_store]
# ...
stores = file,http
default_store = file
filesystem_store_datadir = /var/lib/glance/images/
-
-
填充Glance服务数据库:
su -s /bin/sh -c "glance-manage db_sync" glance
完成安装
-
启动映像服务并将它们配置为在系统启动时启动:
systemctl enable openstack-glance-api.service --now
验证
获取admin凭据以访问仅限管理员的 CLI 命令:
source admin-openrc
使用QCOW2磁盘格式、将镜像上传到glance服务器 ,以便所有项目都可以访问
glance image-create --name "cirros" \
--file cirros-0.3.4-x86_64-disk.img \
--disk-format qcow2 --container-format bare \
--visibility public
Placement安置服务
CREATE DATABASE placement;
GRANT ALL PRIVILEGES ON placement.* TO 'placement'@'localhost' \
IDENTIFIED BY 'PLACEMENT_DBPASS';
GRANT ALL PRIVILEGES ON placement.* TO 'placement'@'%' \
IDENTIFIED BY 'PLACEMENT_DBPASS';
[root@openstack ~]# openstack user create --domain default --password-prompt placement
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | default |
| enabled | True |
| id | 1647efa3e88f4b8fa4d32b34575d5213 |
| name | placement |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+
openstack role add --project service --user placement admin #此命令无输出
[root@openstack ~]# openstack service create --name placement \
--description "Placement API" placement
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Placement API |
| enabled | True |
| id | 1c79ed218cce43fc97e496eb60de4d0d |
| name | placement |
| type | placement |
+-------------+----------------------------------+
[root@openstack ~]# openstack endpoint create --region RegionOne \
placement public http://openstack:8778
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 19563dd7a3fa45f2beee74f82dc126da |
| interface | public |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 1c79ed218cce43fc97e496eb60de4d0d |
| service_name | placement |
| service_type | placement |
| url | http://openstack:8778 |
+--------------+----------------------------------+
[root@openstack ~]# openstack endpoint create --region RegionOne \
placement internal http://openstack:8778
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | f84a74a60b31420cad71f660852f1431 |
| interface | internal |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 1c79ed218cce43fc97e496eb60de4d0d |
| service_name | placement |
| service_type | placement |
| url | http://openstack:8778 |
+--------------+----------------------------------+
[root@openstack ~]# openstack endpoint create --region RegionOne \
placement admin http://openstack:8778
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 6dddbd1cef434cfcb21d7f4d9aaf9677 |
| interface | admin |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 1c79ed218cce43fc97e496eb60de4d0d |
| service_name | placement |
| service_type | placement |
| url | http://openstack:8778 |
+--------------+----------------------------------+
yum install openstack-placement-api -y
vim /etc/placement/placement.conf
[placement_database]
connection = mysql+pymysql://placement:PLACEMENT_DBPASS@openstack/placement
# PLACEMENT_DBPASS 为 placement 服务的数据库账户密码
[api]
# ...
auth_strategy = keystone
[keystone_authtoken]
# ...
auth_url = http://openstack:5000/v3
memcached_servers = openstack:11211
auth_type = password
project_domain_name = Default
user_domain_name = Default
project_name = service
username = placement
password = PLACEMENT_PASS
# PLACEMENT_PASS 为 placement 服务的密码
填充数据库
su -s /bin/sh -c "placement-manage db sync" placement
systemctl restart httpd
nove控制节点
CREATE DATABASE nova_api;
CREATE DATABASE nova;
CREATE DATABASE nova_cell0;
GRANT ALL PRIVILEGES ON nova_api.* TO 'nova'@'localhost' \
IDENTIFIED BY 'NOVA_DBPASS';
GRANT ALL PRIVILEGES ON nova_api.* TO 'nova'@'%' \
IDENTIFIED BY 'NOVA_DBPASS';
GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'localhost' \
IDENTIFIED BY 'NOVA_DBPASS';
GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'%' \
IDENTIFIED BY 'NOVA_DBPASS';
GRANT ALL PRIVILEGES ON nova_cell0.* TO 'nova'@'localhost' \
IDENTIFIED BY 'NOVA_DBPASS';
GRANT ALL PRIVILEGES ON nova_cell0.* TO 'nova'@'%' \
IDENTIFIED BY 'NOVA_DBPASS';
创建nova用户
openstack user create --domain default --password-prompt nova
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | default |
| enabled | True |
| id | 9dc745aeea174c28b88f5a1a77b25e62 |
| name | nova |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+
将admin角色添加到nova用户
openstack role add --project service --user nova admin #此命令无任何输出
创建nova服务实体
openstack service create --name nova \
--description "OpenStack Compute" compute
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | OpenStack Compute |
| enabled | True |
| id | fd108017d2164951b91c16380e5bca11 |
| name | nova |
| type | compute |
+-------------+----------------------------------+
创建计算 API 服务端点
openstack endpoint create --region RegionOne \
compute public http://openstack:8774/v2.1
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | b1a382248eff4bc09ea2a00ca7ac7ce0 |
| interface | public |
| region | RegionOne |
| region_id | RegionOne |
| service_id | fd108017d2164951b91c16380e5bca11 |
| service_name | nova |
| service_type | compute |
| url | http://openstack:8774/v2.1 |
+--------------+----------------------------------+
openstack endpoint create --region RegionOne \
compute internal http://openstack:8774/v2.1
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 79d4fec9f9f34fe58329ead607d6f10f |
| interface | internal |
| region | RegionOne |
| region_id | RegionOne |
| service_id | fd108017d2164951b91c16380e5bca11 |
| service_name | nova |
| service_type | compute |
| url | http://openstack:8774/v2.1 |
+--------------+----------------------------------+
openstack endpoint create --region RegionOne \
compute admin http://openstack:8774/v2.1
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 206937f7bf424363a036e9475f2d4d26 |
| interface | admin |
| region | RegionOne |
| region_id | RegionOne |
| service_id | fd108017d2164951b91c16380e5bca11 |
| service_name | nova |
| service_type | compute |
| url | http://openstack:8774/v2.1 |
+--------------+----------------------------------+
安装配置组件
yum -y install openstack-nova-api openstack-nova-conductor \
openstack-nova-novncproxy openstack-nova-scheduler
编辑/etc/nova/nova.conf文件并完成以下操作:
在该[DEFAULT]部分中,仅启用计算和元数据 API
[DEFAULT]
# ...
enabled_apis = osapi_compute,metadata
在[api_database]和[database]部分中,配置数据库访问
[api_database]
# ...
connection = mysql+pymysql://nova:NOVA_DBPASS@openstack/nova_api
[database]
# ...
connection = mysql+pymysql://nova:NOVA_DBPASS@openstack/nova
# 替换NOVA_DBPASS为您为计算数据库选择的密码。
[DEFAULT]中配置消息队列
transport_url = rabbit://openstack:RABBIT_PASS@openstack:5672/
在[api]和[keystone_authtoken]部分中,配置身份服务访问
[api]
# ...
auth_strategy = keystone
[keystone_authtoken]
# ...
www_authenticate_uri = http://openstack:5000/
auth_url = http://openstack:5000/
memcached_servers = openstack:11211
auth_type = password
project_domain_name = Default
user_domain_name = Default
project_name = service
username = nova
password = openstack
注释掉或删除该[keystone_authtoken] 部分中的任何其他选项。
替换为您在身份服务中NOVA_PASS为用户选择的密码。nova
在[DEFAULT]部分中,配置my_ip选项以使用控制器节点的管理接口 IP 地址.
[DEFAULT]
# ...
my_ip = 192.168.124.10
在[DEFAULT]部分中,启用对网络服务的支持:
[DEFAULT]
# ...
use_neutron = true
firewall_driver = nova.virt.firewall.NoopFirewallDriver
默认情况下,Compute 使用内部防火墙驱动程序。由于网络服务包含防火墙驱动程序,因此您必须使用防火墙驱动程序禁用计算防火墙驱动
nova.virt.firewall.NoopFirewallDriver程序。
配置/etc/nova/nova.conf[neutron]的部分
在该[vnc]部分中,将 VNC 代理配置为使用控制器节点的管理接口 IP 地址
[vnc]
enabled = true
# ...
server_listen = $my_ip
server_proxyclient_address = $my_ip
在[glance]部分中,配置图像服务 API 的位置:
[glance]
# ...
api_servers = http://openstack:9292
在该[oslo_concurrency]部分中,配置锁定路径
[oslo_concurrency]
# ...
lock_path = /var/lib/nova/tmp
在[placement]部分中,配置对 Placement 服务的访问:
[placement]
# ...
region_name = RegionOne
project_domain_name = Default
project_name = service
auth_type = password
user_domain_name = Default
auth_url = http://openstack:5000/v3
username = placement
password = openstack #替换为您为安装 PlacementPLACEMENT_PASS时创建的服务用户选择的密码
填充数据库
填充nova-api数据库 #忽略此输出中的任何弃用消息。
su -s /bin/sh -c "nova-manage api_db sync" nova
注册cell0数据库
su -s /bin/sh -c "nova-manage cell_v2 map_cell0" nova
创建cell1单元格
su -s /bin/sh -c "nova-manage cell_v2 create_cell --name=cell1 --verbose" nova
同步
su -s /bin/sh -c "nova-manage db sync" nova
验证 nova cell0 和 cell1 是否正确注册
su -s /bin/sh -c "nova-manage cell_v2 list_cells" nova
+-------+--------------------------------------+-----------------------------------------+------------------------------------------------+----------+
| Name | UUID | Transport URL | Database Connection | Disabled |
+-------+--------------------------------------+-----------------------------------------+------------------------------------------------+----------+
| cell0 | 00000000-0000-0000-0000-000000000000 | none:/ | mysql+pymysql://nova:****@openstack/nova_cell0 | False |
| cell1 | 4c4e7626-a63b-4915-b5da-112d59ac912a | rabbit://openstack:****@openstack:5672/ | mysql+pymysql://nova:****@openstack/nova | False |
+-------+--------------------------------------+-----------------------------------------+------------------------------------------------+----------+
完成安装
启动计算服务并将它们配置为在系统启动时启动:
systemctl enable --now \
openstack-nova-api.service \
openstack-nova-scheduler.service \
openstack-nova-conductor.service \
openstack-nova-novncproxy.service
systemctl status \
openstack-nova-api.service \
openstack-nova-scheduler.service \
openstack-nova-conductor.service \
openstack-nova-novncproxy.service
nova 计算节点安装
安装配置组件
-
安装软件包:
yum install openstack-nova-compute -y -
编辑
/etc/nova/nova.conf文件并完成以下操作:-
在该
[DEFAULT]部分中,仅启用计算和元数据 API:[DEFAULT]
# ...
enabled_apis = osapi_compute,metadata -
在该
[DEFAULT]部分中,配置RabbitMQ消息队列访问(单节点PASS)[DEFAULT]
# ...
transport_url = rabbit://openstack:RABBIT_PASS@openstack替换为您在 中为 帐户
RABBIT_PASS选择的密码。openstack``RabbitMQ -
在
[api]和[keystone_authtoken]部分中,配置身份服务访问 (单节点PASS)[api]
# ...
auth_strategy = keystone
[keystone_authtoken]
# ...
www_authenticate_uri = http://controller:5000/
auth_url = http://controller:5000/
memcached_servers = controller:11211
auth_type = password
project_domain_name = Default
user_domain_name = Default
project_name = service
username = nova
password = NOVA_PASS替换为您在身份服务中
NOVA_PASS为用户选择的密码。nova注释掉或删除该
[keystone_authtoken]部分中的任何其他选项。 -
在该
[DEFAULT]部分中,配置my_ip选项 (单节点PASS)[DEFAULT]
# ...
my_ip = MANAGEMENT_INTERFACE_IP_ADDRESS替换为计算节点上管理网络接口的 IP 地址,对于
MANAGEMENT_INTERFACE_IP_ADDRESS中的第一个节点,通常为 10.0.0.31 。 -
在该
[DEFAULT]部分中,启用对网络服务的支持 (单节点PASS)[DEFAULT]
# ...
use_neutron = true
firewall_driver = nova.virt.firewall.NoopFirewallDriver默认情况下,Compute 使用内部防火墙服务。由于网络包括防火墙服务,您必须使用
nova.virt.firewall.NoopFirewallDriver防火墙驱动程序禁用计算防火墙服务。 -
配置/etc/nova/nova.conf
[neutron]的部分。有关详细信息,请参阅 。 -
在该
[vnc]部分中,启用和配置远程控制台访问[vnc]
# ...
enabled = true
server_listen = 0.0.0.0
server_proxyclient_address = $my_ip
novncproxy_base_url = http://controller:6080/vnc_auto.html服务器组件侦听所有 IP 地址,代理组件仅侦听计算节点的管理接口 IP 地址。基本 URL 指示您可以使用 Web 浏览器访问此计算节点上实例的远程控制台的位置。
如果访问远程控制台的 Web 浏览器位于无法解析主机名的
controller主机上,则必须替换controller为控制器节点的管理接口 IP 地址。 -
在该
[glance]部分中,配置图像服务 API 的位置 (单节点PASS)[glance]
# ...
api_servers = http://controller:9292 -
在该
[oslo_concurrency]部分中,配置锁定路径 (单节点PASS)[oslo_concurrency]
# ...
lock_path = /var/lib/nova/tmp -
在该
[placement]部分中,配置 Placement API (单节点PASS)[placement]
# ...
region_name = RegionOne
project_domain_name = Default
project_name = service
auth_type = password
user_domain_name = Default
auth_url = http://controller:5000/v3
username = placement
password = PLACEMENT_PASS替换为您在身份服务中
PLACEMENT_PASS为用户选择的密码 。placement注释掉该[placement]部分中的任何其他选项。
-
启动 Compute 服务及其依赖项,并将它们配置为在系统启动时自动启动
systemctl enable libvirtd.service openstack-nova-compute.service
systemctl start libvirtd.service openstack-nova-compute.service
将计算节点添加到单元数据库
在控制节点运行(单机PASS)
-
获取管理员凭据以启用仅限管理员的 CLI 命令,然后确认数据库中有计算主机:
openstack compute service list --service nova-compute
+----+--------------+-----------+------+---------+-------+----------------------------+
| ID | Binary | Host | Zone | Status | State | Updated At |
+----+--------------+-----------+------+---------+-------+----------------------------+
| 10 | nova-compute | openstack | nova | enabled | up | 2022-09-25T12:11:57.000000 |
+----+--------------+-----------+------+---------+-------+----------------------------+ -
发现计算主机:
su -s /bin/sh -c "nova-manage cell_v2 discover_hosts --verbose" nova
Found 2 cell mappings.
Skipping cell0 since it does not contain hosts.
Getting computes from cell 'cell1': 4c4e7626-a63b-4915-b5da-112d59ac912a
Checking host mapping for compute host 'openstack': c028c3f5-e9a5-4849-b80c-f9208de4fb27
Creating host mapping for compute host 'openstack': c028c3f5-e9a5-4849-b80c-f9208de4fb27
Found 1 unmapped computes in cell: 4c4e7626-a63b-4915-b5da-112d59ac912a添加新计算节点时,必须在控制器节点上运行以注册这些新计算节点。或者设置适当的间隔
nova-manage cell_v2 discover_hosts
`/etc/nova/nova.conf[scheduler]
discover_hosts_in_cells_interval = 300
元数据代理(neutron安装完成之后)
neutron服务安装
CREATE DATABASE neutron;
GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'localhost' \
IDENTIFIED BY 'NEUTRON_DBPASS';
GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'%' \
IDENTIFIED BY 'NEUTRON_DBPASS';
创建neutron用户
openstack user create --domain default --password-prompt neutron
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | default |
| enabled | True |
| id | 85a841da6cb044a78b5a7c3698b5727f |
| name | neutron |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+
将admin角色添加到neutron用户
openstack role add --project service --user neutron admin #无任何输出
创建neutron服务实体
openstack service create --name neutron \
--description "OpenStack Networking" network
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | OpenStack Networking |
| enabled | True |
| id | 550bd3fee5df48bd8c57f522f21e79bb |
| name | neutron |
| type | network |
+-------------+----------------------------------+
创建网络服务 API 端点
openstack endpoint create --region RegionOne \
network public http://openstack:9696
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | aaa3ee5071874f7f9909b51421e1d383 |
| interface | public |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 550bd3fee5df48bd8c57f522f21e79bb |
| service_name | neutron |
| service_type | network |
| url | http://openstack:9696 |
+--------------+----------------------------------+
openstack endpoint create --region RegionOne \
network internal http://openstack:9696
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | efa0ee77718f4b77aae5c9bad7218d74 |
| interface | internal |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 550bd3fee5df48bd8c57f522f21e79bb |
| service_name | neutron |
| service_type | network |
| url | http://openstack:9696 |
+--------------+----------------------------------+
openstack endpoint create --region RegionOne \
network admin http://openstack:9696
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 60d8a437910d4bf9bdaf6fb7a0da6d2b |
| interface | admin |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 550bd3fee5df48bd8c57f522f21e79bb |
| service_name | neutron |
| service_type | network |
| url | http://openstack:9696 |
+--------------+----------------------------------+
自助服务网络配置
安装配置组件
yum install -y openstack-neutron openstack-neutron-ml2 \
openstack-neutron-linuxbridge ebtables
编辑/etc/neutron/neutron.conf文件并完成以下操作:
在[database]部分中,配置数据库访问
[database]
# ...
connection = mysql+pymysql://neutron:NEUTRON_DBPASS@openstack/neutron
在[DEFAULT]部分中,启用模块化第 2 层 (ML2) 插件、路由器服务和重叠 IP 地址
[DEFAULT]
# ...
core_plugin = ml2
service_plugins = router
allow_overlapping_ips = true
在[DEFAULT]部分中,配置RabbitMQ 消息队列访问
transport_url = rabbit://openstack:RABBIT_PASS@openstack
在[DEFAULT]和[keystone_authtoken]部分中,配置身份服务访问
[DEFAULT]
# ...
auth_strategy = keystone
[keystone_authtoken]
# ...
www_authenticate_uri = http://openstack:5000
auth_url = http://openstack:5000
memcached_servers = openstack:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = neutron
password = openstack
在[DEFAULT]和[nova]部分中,配置 Networking 以通知 Compute 网络拓扑更改
[DEFAULT]
# ...
notify_nova_on_port_status_changes = true
notify_nova_on_port_data_changes = true
[nova]
# ...
auth_url = http://openstack:5000
auth_type = password
project_domain_name = default
user_domain_name = default
region_name = RegionOne
project_name = service
username = nova
password = openstack
在该[oslo_concurrency]部分中,配置锁定路径
[oslo_concurrency]
# ...
lock_path = /var/lib/neutron/tmp
配置 Modular Layer 2 (ML2) 插件
ML2 插件使用 Linux 桥接机制为实例构建第 2 层(桥接和交换)虚拟网络基础架构。
编辑/etc/neutron/plugins/ml2/ml2_conf.ini文件并完成以下操作:
-
在该
[ml2]部分中,启用平面、VLAN 和 VXLAN 网络:[ml2]
# ...
type_drivers = flat,vlan,vxlan -
在该
[ml2]部分中,启用 VXLAN 自助服务网络:[ml2]
# ...
tenant_network_types = vxlan -
在该
[ml2]部分中,启用 Linux 桥接和第 2 层填充机制:[ml2]
# ...
mechanism_drivers = linuxbridge,l2population配置 ML2 插件后,删除
type_drivers选项中的值可能会导致数据库不一致。Linux 网桥代理仅支持 VXLAN 覆盖网络。
-
在该
[ml2]部分中,启用端口安全扩展驱动程序:[ml2]
# ...
extension_drivers = port_security -
在该
[ml2_type_flat]部分中,将提供者虚拟网络配置为平面网络:[ml2_type_flat]
# ...
flat_networks = provider -
在该
[ml2_type_vxlan]部分中,为自助服务网络配置 VXLAN 网络标识符范围:[ml2_type_vxlan]
# ...
vni_ranges = 1:1000 -
在该
[securitygroup]部分中,启用 ipset 以提高安全组规则的效率:[securitygroup]
# ...
enable_ipset = true
配置 Linux 网桥代理
Linux 桥接代理为实例构建第 2 层(桥接和交换)虚拟网络基础架构并处理安全组。
-
编辑
/etc/neutron/plugins/ml2/linuxbridge_agent.ini文件并完成以下操作:-
在该
[linux_bridge]部分中,将提供者虚拟网络映射到提供者物理网络接口:[linux_bridge]
physical_interface_mappings = provider:PROVIDER_INTERFACE_NAME替换
PROVIDER_INTERFACE_NAME为底层提供者物理网络接口的名称。有关详细信息,请参阅 。 -
在该
[vxlan]部分中,启用 VXLAN 覆盖网络,配置处理覆盖网络的物理网络接口的 IP 地址,并启用第 2 层填充:[vxlan]
enable_vxlan = true
local_ip = OVERLAY_INTERFACE_IP_ADDRESS
l2_population = true替换
OVERLAY_INTERFACE_IP_ADDRESS为处理覆盖网络的底层物理网络接口的 IP 地址。示例架构使用管理接口将流量通过隧道传输到其他节点。因此,替换OVERLAY_INTERFACE_IP_ADDRESS为控制器节点的管理IP地址。有关详细信息,请参阅 。 -
在该
[securitygroup]部分中,启用安全组并配置 Linux 网桥 iptables 防火墙驱动程序:[securitygroup]
# ...
enable_security_group = true
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver -
sysctl通过验证以下所有值都设置为,确保您的 Linux 操作系统内核支持网桥过滤器1:要启用网络桥接支持,通常br_netfilter需要加载内核模块。 -
modprobe br_netfilter
cat >>/etc/rc.sysinit<<EOF
for file in /etc/sysconfig/modules/*.modules ; do
[ -x $file ] && $file
done
EOF
echo "modprobe br_netfilter" >/etc/sysconfig/modules/br_netfilter.modules
chmod 755 /etc/sysconfig/modules/br_netfilter.modules
sysctl -a | grep net.bridge.bridge-nf-call
# net.bridge.bridge-nf-call-arptables = 1
# net.bridge.bridge-nf-call-ip6tables = 1
# net.bridge.bridge-nf-call-iptables = 1
-
配置第三层代理
第 3 层 (L3) 代理为自助服务虚拟网络提供路由和 NAT 服务。
-
编辑
/etc/neutron/l3_agent.ini文件并完成以下操作:-
在该
[DEFAULT]部分中,配置 Linux 桥接接口驱动程序:[DEFAULT]
# ...
interface_driver = linuxbridge
-
配置 DHCP 代理
DHCP 代理为虚拟网络提供 DHCP 服务。
-
编辑
/etc/neutron/dhcp_agent.ini文件并完成以下操作:-
在该
[DEFAULT]部分中,配置 Linux 网桥接口驱动程序、Dnsmasq DHCP 驱动程序,并启用隔离元数据,以便提供商网络上的实例可以通过网络访问元数据:[DEFAULT]
# ...
interface_driver = linuxbridge
dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq
enable_isolated_metadata = true
-
返回网络控制器节点配置。
OpenStack-Dashboard安装
-
安装软件包:
yum install openstack-dashboard -
编辑
/etc/openstack-dashboard/local_settings文件并完成以下操作:-
controller配置仪表板以在节点上使用 OpenStack 服务 :OPENSTACK_HOST = "openstack" -
允许您的主机访问仪表板:
ALLOWED_HOSTS = ['*'] #允许所有ALLOWED_HOSTS 也可以是 [‘*’] 以接受所有主机。这可能对开发工作有用,但可能不安全,不应在生产中使用。有关详细信息,请参阅 https://docs.djangoproject.com/en/dev/ref/settings/#allowed-hosts 。
-
配置
memcached会话存储服务:SESSION_ENGINE = 'django.contrib.sessions.backends.cache'
CACHES = {
'default': {
'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache',
'LOCATION': 'openstack:11211',
}
}注释掉任何其他会话存储配置。
-
启用身份 API 版本 3:
OPENSTACK_KEYSTONE_URL = "http://%s:5000/v3" % OPENSTACK_HOST -
启用对域的支持:(没有则添加)
OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True -
配置 API 版本:(没有则添加)
OPENSTACK_API_VERSIONS = {
"identity": 3,
"image": 2,
"volume": 3,
} -
配置
Default为您通过仪表板创建的用户的默认域:OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = "Default" -
配置
user为您通过仪表板创建的用户的默认角色:OPENSTACK_KEYSTONE_DEFAULT_ROLE = "user" -
如果您选择网络选项 1,请禁用对第 3 层网络服务的支持:
OPENSTACK_NEUTRON_NETWORK = {
...
'enable_router': False,
'enable_quotas': False,
'enable_distributed_router': False,
'enable_ha_router': False,
'enable_lb': False,
'enable_firewall': False,
'enable_vpn': False,
'enable_fip_topology_check': False,
} -
(可选)配置时区:
TIME_ZONE = "TIME_ZONE"替换
TIME_ZONE为适当的时区标识符。有关详细信息,请参阅。
-
-
/etc/httpd/conf.d/openstack-dashboard.conf如果不包括,则添加以下行 。WSGIApplicationGroup %{GLOBAL}
完成安装
-
重启 Web 服务器和会话存储服务:
# systemctl restart httpd.service memcached.service
原创文章,作者:geeklinux.cn,如若转载,请注明出处:https://www.geeklinux.cn/cloud-compute/openstack/1272.html
